Installation & Deployment
TRAINING OBJECTIVES: OPENSTACK
● Understand how the OpenStack project works and what it makes possible
● Understand how each OpenStack component works
● Be able to make the right configuration choices
● Know how to manually deploy an OpenStack cloud to provide IaaS
● Know the best practices for deploying OpenStack
● Be able to determine the origin of an error in OpenStack
● Know how to react when a problem occurs
TRAINING PREREQUISITES
● Linux system administration skills (e.g. CentOS)
○ Package management
○ Editing configuration files and managing services
○ LVM (Logical Volume Management) and filesystems
○ Ansible
○ Docker
● Basic knowledge of:
○ Virtualization: KVM (Kernel-based Virtual Machine), libvirt
○ Networking: iptables, namespaces
○ SQL
Ansible Linux Automation
What can I do using Ansible?
Ansible automates technologies you use
Inventory
● Ansible works against multiple systems in an inventory
● Inventory is usually file based
● Can have multiple groups
● Can have variables for each group or even host
# Static inventory example:
[myservers]
10.42.0.2
10.42.0.6
10.42.0.7
Understanding Inventory - Basic
Understanding Inventory - Variables
Understanding Inventory - Groups
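As an illustration of these inventory features, a small example inventory might look like this; the group names, host names and variables are made-up and not taken from the course environment:

# inventory.ini - a hypothetical inventory with groups and variables
[webservers]
# a host variable set inline
web01.example.com http_port=8080
web02.example.com

[dbservers]
db01.example.com

# variables shared by every host in the group
[webservers:vars]
ansible_user=centos

# a parent group made of other groups
[production:children]
webservers
dbservers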
Ad-Hoc Commands PING
The Ansible Command
Ad-Hoc Commands
-m MODULE_NAME, --module-name=MODULE_NAME
Module name to execute the ad-hoc command
-a MODULE_ARGS, --args=MODULE_ARGS
Module arguments for the ad-hoc command
-b, --become
Run the ad-hoc command with privilege escalation (the default become method is sudo)
-e EXTRA_VARS, --extra-vars=EXTRA_VARS
Set additional variables as key=value or YAML/JSON
Example
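As a sketch of such ad-hoc calls, the group myservers matches the static inventory shown earlier; the inventory path and the package name are placeholders:

# Ping every host in the myservers group
$ ansible myservers -i inventory -m ping
# Install a package with elevated rights
$ ansible myservers -i inventory -b -m yum -a "name=httpd state=present"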
An Ansible Playbook
An Ansible Playbook (2)
An Ansible Playbook (3)
Running an Ansible Playbook
The most important colors of Ansible
Running an Ansible Playbook
An Ansible Playbook Variable Example
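A minimal sketch of a playbook that uses a variable; the file name site.yml, the group myservers and the variable http_port are illustrative assumptions:

---
# site.yml - install and start Apache, with a variable port
- hosts: myservers
  become: true
  vars:
    http_port: 80
  tasks:
    - name: Install Apache
      yum:
        name: httpd
        state: present
    - name: Start and enable Apache
      service:
        name: httpd
        state: started
        enabled: true

It would then be run with:
$ ansible-playbook -i inventory site.yml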
Facts
Just like variables, but coming from the host itself
Gather facts on target machine
Conditionals via VARS
Conditionals with facts
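As a sketch of both kinds of conditionals (the variable my_feature and the package are illustrative):

# Variable-based condition
- name: Runs only when my_feature is enabled
  debug:
    msg: "feature enabled"
  when: my_feature | bool

# Fact-based condition
- name: Install Apache only on RedHat-family hosts
  yum:
    name: httpd
    state: present
  when: ansible_facts['os_family'] == "RedHat"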
Variables & Templates
Roles
● Roles: Think Ansible packages
● Roles provide Ansible with a way to load tasks, handlers, and variables
from separate files.
● Roles group content, allowing easy sharing of code with others
● Roles make larger projects more manageable
● Roles can be developed in parallel by different administrators
Role structure
Defaults: default variables with lowest precedence (e.g. port)
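A sketch of the conventional role layout that the defaults entry above belongs to; the role name webserver is an example:

roles/
  webserver/
    defaults/main.yml    # default variables, lowest precedence (e.g. port)
    vars/main.yml        # role variables, higher precedence
    tasks/main.yml       # the tasks the role executes
    handlers/main.yml    # handlers notified by tasks
    templates/           # Jinja2 templates
    files/               # static files to copy
    meta/main.yml        # role metadata and dependencies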
Ceph Client
To configure a Ceph client, you need:
● The Ceph configuration file, or the cluster name (usually ceph) and the
monitor address.
● The pool name.
● The user name and the path to the secret key.
Ceph Client (2)
Ceph clients maintain object IDs and the pool names where they store the
objects. However, they do not need to maintain an object-to-OSD index or
communicate with a centralized object index to look up object locations. To
store and retrieve data, Ceph clients access a Ceph Monitor and retrieve the
latest copy of the Ceph Storage cluster map. Then, Ceph clients provide an
object name and pool name to librados, which computes an object’s
placement group and the primary OSD for storing and retrieving data using
the CRUSH (Controlled Replication Under Scalable Hashing) algorithm. The
Ceph client connects to the primary OSD where it may perform read and write
operations. There is no intermediary server, broker or bus between the client
and the OSD.
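This placement computation can be observed with the ceph CLI, which prints the placement group and the acting set of OSDs for a given object name; the pool images is defined later in this deck and the object name is a placeholder:

# ceph osd map images myobject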
Ceph Client (3)
When an OSD stores data, it receives data from a Ceph client—whether the
client is a Ceph Block Device, a Ceph Object Gateway, a Ceph Filesystem or
another interface—and it stores the data as an object.
Ceph OSDs store all data as objects in a flat namespace. There are no
hierarchies of directories. An object has a cluster-wide unique identifier,
binary data, and metadata consisting of a set of name/value pairs.
Ceph Cluster
A Ceph Storage cluster can have a large number of Ceph nodes for limitless
scalability, high availability and performance.
Ceph pools
● Pool Type: Ceph can maintain multiple copies of an object, or it can use erasure coding
to ensure durability.
● Placement Groups: a Ceph pool might store millions of data objects or more. Ceph
must handle many types of operations, including data durability via replicas or erasure
code, data integrity by scrubbing or CRC checks, replication, rebalancing and recovery.
Consequently, managing data on a per-object basis presents a scalability and
performance bottleneck. Ceph addresses this bottleneck by sharding a pool into
placement groups. System administrators set the placement group count when
creating or modifying a pool.
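For example, creating a replicated pool with an explicit placement group count could look like this; the pool name and PG count are illustrative:

# ceph osd pool create volumes 1024 1024 replicated
# ceph osd pool application enable volumes rbd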
Ceph pools (2)
● CRUSH Ruleset: CRUSH can detect failure domains. CRUSH organizes
OSDs hierarchically into nodes, chassis, and racks. CRUSH enables Ceph
OSDs to store object copies across failure domains.
● Durability: Ceph provides high data durability in two ways:
○ Replica pools will store multiple deep copies of an object using the CRUSH
failure domain to physically separate one data object copy from another.
○ Erasure coded pools store each object as K+M chunks, where K represents
data chunks and M represents coding chunks.
Ceph replication
ERASURE CODE
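As an illustration of K+M chunks, an erasure-coded pool is created from a profile; the profile name, the k/m values and the pool name below are examples:

# ceph osd erasure-code-profile set ec-4-2 k=4 m=2 crush-failure-domain=host
# ceph osd pool create ecpool 128 128 erasure ec-4-2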
Ceph authentication
To identify users and protect against man-in-the-middle attacks, Ceph
provides its cephx authentication system, which authenticates users and
daemons.
Cephx uses shared secret keys for authentication, meaning both the client and
the monitor cluster have a copy of the client’s secret key.
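A typical way to create such a shared key is with ceph auth; the user name and capabilities below are illustrative and mirror the OpenStack keys defined later in this deck:

# ceph auth get-or-create client.myuser mon 'profile rbd' osd 'profile rbd pool=volumes'
# ceph auth get client.myuser -o /etc/ceph/ceph.client.myuser.keyring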
Ceph placement groups
A PG is a subset of a pool that serves to contain a collection of objects. Ceph
shards a pool into a series of PGs.
The number of PGs has a performance impact when Ceph needs to move a PG
from one OSD to another OSD.
Ceph CRUSH ruleset
Ceph assigns a CRUSH ruleset to a pool. When a Ceph client stores or retrieves
data in a pool, Ceph identifies the CRUSH ruleset for storing and retrieving
data. As Ceph processes the CRUSH rule, it identifies the primary OSD that
contains the placement group for an object. That enables the client to connect
directly to the OSD, access the placement group and read or write object data.
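For instance, a replicated rule restricted to SSD devices can be created and assigned to a pool; the rule and pool names are examples and match the SSD rule that the ceph-ansible variables later in this deck create:

# ceph osd crush rule create-replicated SSD default chassis ssd
# ceph osd pool set volumes crush_rule SSD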
Ceph ObjectStore
Ceph implements several concrete methods for storing data; the main ones are
BlueStore (the default backend) and the legacy FileStore.
You might have a network interface card for a cluster network so that Ceph
can conduct heart-beating, peering, replication, and recovery on a network
separate from the public network.
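In ceph.conf terms, separating the two networks might look like this; the public subnet matches the one used elsewhere in this deck, the cluster subnet is a placeholder:

[global]
# client-facing traffic
public_network = 10.10.1.0/24
# replication, heartbeats, recovery
cluster_network = 10.10.2.0/24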
Ansible
Ansible installation:
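One possible way to obtain ceph-ansible and a compatible Ansible release is sketched below; the exact Ansible version depends on the ceph-ansible stable branch in use, so treat these commands as placeholders rather than the course procedure:

# yum install -y git python3-pip
# git clone https://github.com/ceph/ceph-ansible.git /usr/share/ceph-ansible
# pip3 install -r /usr/share/ceph-ansible/requirements.txt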
● The main deployment variables are set in group_vars/all.yml, for example:
radosgw_address_block: 10.10.1.0/24
ceph_docker_image: "ceph/daemon"
ceph_docker_image_tag: latest-pacific
ceph_docker_registry: 10.10.1.15:4000
containerized_deployment: True
Ceph-ansible Configuration for Openstack
openstack_config: true
openstack_glance_pool:
  name: "images"
  pg_autoscale_mode: False
  application: "rbd"
  pg_num: 128
  pgp_num: 128
  target_size_ratio: 5.00
  rule_name: "SSD"
Ceph-ansible Configuration for Openstack (2)
openstack_cinder_pool:
  name: "volumes"
  pg_autoscale_mode: False
  application: "rbd"
  pg_num: 1024
  pgp_num: 1024
  target_size_ratio: 42.80
  rule_name: "SSD"
Ceph-ansible Configuration for Openstack (3)
openstack_nova_pool:
  name: "vms"
  pg_autoscale_mode: False
  application: "rbd"
  pg_num: 256
  pgp_num: 256
  target_size_ratio: 10.00
  rule_name: "SSD"
Ceph-ansible Configuration for Openstack (4)
openstack_cinder_backup_pool:
  name: "backups"
  pg_autoscale_mode: False
  application: "rbd"
  pg_num: 512
  pgp_num: 512
  target_size_ratio: 18.00
  rule_name: "SSD"
Ceph-ansible Configuration for Openstack (5)
openstack_gnocchi_pool:
  name: "metrics"
  pg_autoscale_mode: False
  application: "rbd"
  pg_num: 32
  pgp_num: 32
  target_size_ratio: 0.10
  rule_name: "SSD"
Ceph-ansible Configuration for Openstack (6)
openstack_cephfs_data_pool:
  name: "cephfs_data"
  pg_autoscale_mode: False
  application: "cephfs"
  pg_num: 256
  pgp_num: 256
  target_size_ratio: 10.00
  rule_name: "SSD"
Ceph-ansible Configuration for Openstack (7)
openstack_cephfs_metadata_pool:
  name: "cephfs_metadata"
  pg_autoscale_mode: False
  application: "cephfs"
  pg_num: 32
  pgp_num: 32
  target_size_ratio: 0.10
  rule_name: "SSD"
Ceph-ansible Configuration for Openstack (8)
openstack_pools:
- "{{ openstack_glance_pool }}"
- "{{ openstack_cinder_pool }}"
- "{{ openstack_nova_pool }}"
- "{{ openstack_cinder_backup_pool }}"
- "{{ openstack_gnocchi_pool }}"
- "{{ openstack_cephfs_data_pool }}"
- "{{ openstack_cephfs_metadata_pool }}"
Ceph-ansible Configuration for Openstack (9)
openstack_keys:
  - { name: client.glance, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_glance_pool.name }}" }, mode: "0600" }
  - { name: client.cinder, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_glance_pool.name }}" }, mode: "0600" }
  - { name: client.cinder-backup, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_backup_pool.name }}" }, mode: "0600" }
  - { name: client.gnocchi, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_gnocchi_pool.name }}" }, mode: "0600" }
  - { name: client.openstack, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_glance_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_cinder_backup_pool.name }}" }, mode: "0600" }
Ceph-ansible Configuration for Dashboard
dashboard_enabled: True
dashboard_protocol: https
dashboard_port: 8443
dashboard_network: "192.168.1.0/24"
dashboard_admin_user: admin
dashboard_admin_user_ro: true
dashboard_admin_password: ertyuiop
Ceph-ansible Configuration for Dashboard (2)
dashboard_crt: '/root/work/site-central/chaininv.crt'
dashboard_key: '/root/work/site-central/cloud_cerist_dz.priv'
dashboard_grafana_api_no_ssl_verify: false
dashboard_frontend_vip: '192.168.1.1'
node_exporter_container_image: "10.10.1.15:4000/prom/node-exporter:v0.17.0"
Ceph-ansible Configuration for Grafana
grafana_admin_password: ertyuiop
grafana_crt: '/root/work/site-central/chaininv.crt'
grafana_key: '/root/work/site-central/cloud_cerist_dz.priv'
grafana_server_fqdn: 'grafanasrv.cloud.cerist.dz'
grafana_container_image: "10.10.1.15:4000/grafana/grafana:6.7.4"
prometheus_container_image: "10.10.1.15:4000/prom/prometheus:v2.7.2"
alertmanager_container_image: "10.10.1.15:4000/prom/alertmanager:v0.16.2"
Ceph-ansible OSD Configuration
● Open the group_vars/osds.yml file for editing
copy_admin_key: true
devices:
- /dev/nvme0n1
- /dev/nvme1n1
- /dev/nvme2n1
- /dev/nvme3n1
Ceph-ansible OSD Configuration (2)
crush_rule_config: true
crush_rule_ssd:
  name: SSD
  root: default
  type: chassis
  class: ssd
  default: true
Ceph-ansible OSD Configuration (3)
crush_rules:
  - "{{ crush_rule_ssd }}"
create_crush_tree: true
Ceph-ansible inventory
● /etc/ansible/hosts
[mgrs]
ceph-mona
ceph-monb
ceph-monc
[mons]
ceph-mona
ceph-monb
ceph-monc
Ceph-ansible inventory (2)
[osds]
ceph-mona
copy_admin_key: true
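With the inventory and group_vars in place, the cluster itself is deployed by running the main containerized site playbook; this is a sketch that follows the /usr/share/ceph-ansible layout used elsewhere in this deck:

# cd /usr/share/ceph-ansible
# cp site-container.yml.sample site-container.yml
# ansible-playbook -i /etc/ansible/hosts site-container.yml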
Installing the NFS-Ganesha Gateway
# cd /usr/share/ceph-ansible/group_vars
# cp nfss.yml.sample nfss.yml
Installing the NFS-Ganesha Gateway (2)
● Add gateway hosts to the /etc/ansible/hosts file under an [nfss] group to
identify their group membership to Ansible
[nfss]
ceph-mona
ceph-monb
● Open nfss.yml
copy_admin_key: true
$ ansible-playbook site-container.yml --limit nfss -i hosts
Adding OSDs
Adding new OSD(s) on an existing host, or adding a new OSD node, can be
achieved by running the main playbook with the --limit Ansible option
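For example, assuming the inventory path used earlier and a placeholder host name osd-node-04:

# ansible-playbook -i /etc/ansible/hosts site-container.yml --limit osd-node-04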
Removing OSDs
The variable osd_to_kill is a comma-separated list of OSD IDs which must be
passed to the shrink-osd.yml playbook
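A sketch of such a run, assuming OSDs 1 and 2 are to be removed and the inventory path used earlier:

# ansible-playbook -i /etc/ansible/hosts infrastructure-playbooks/shrink-osd.yml -e osd_to_kill=1,2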
Upgrading the cluster
Rolling upgrades are handled by the rolling_update.yml playbook, which can be
used for both minor upgrades (X.Y to X.Z) and major upgrades (X to Y)
Before running a major upgrade you need to update the ceph-ansible version
first
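A minimal invocation might look like this, again assuming the inventory path used earlier:

# ansible-playbook -i /etc/ansible/hosts infrastructure-playbooks/rolling_update.yml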
Vexxhost runs a public cloud spanning two regions, as well as numerous private
clouds deployed and managed all over the world. In total, they manage an
aggregate of over 100,000 cores.
# cp -r /usr/local/share/kolla-ansible/etc_examples/kolla/* /etc/kolla
# cp /usr/local/share/kolla-ansible/ansible/inventory/* .
Prepare initial configuration
The next step is to prepare our inventory file. An inventory is an Ansible file
where we specify hosts and the groups that they belong to. We can use this to
define node roles and access credentials.
Inventory
● Edit the first section of multinode
[control]
192.168.2.23
192.168.2.27
192.168.2.31
[network]
192.168.2.23
192.168.2.31
[compute]
192.168.2.2
192.168.2.3
192.168.2.4
Inventory (2)
● To check whether the inventory configuration is correct, run an Ansible ping
against all hosts (see the sketch below).
● Passwords used by the deployment are stored in /etc/kolla/passwords.yml; fill
them with random values by running:
# kolla-genpwd
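A minimal sketch of the inventory check mentioned above, assuming the multinode inventory file prepared earlier:

# ansible -i multinode all -m ping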
Kolla options: globals.yml
globals.yml is the main configuration file for Kolla Ansible. There are a few
options that are required to deploy Kolla Ansible:
###############
# Kolla options
###############
# Valid options are ['centos', 'debian', 'rhel', 'ubuntu']
kolla_base_distro: "centos"
# Valid options are [ binary, source ]
kolla_install_type: "source"
openstack_release: "wallaby"
kolla_internal_vip_address: "10.10.3.1"
kolla_internal_fqdn: "dashint.cloud.cerist.dz"
kolla_external_vip_address: "193.194.66.1"
kolla_external_fqdn: "dash.cloud.cerist.dz"
Docker options: globals.yml
docker_registry: 192.168.1.15:4000
#docker_registry_username:
# Namespace of images:
#docker_namespace: "kolla"
Networking Options: globals.yml
network_interface: "bond0"
kolla_external_vip_interface: "bond1"
api_interface: "bond1.30"
storage_interface: "bond1.10"
tunnel_interface: "bond1.40"
neutron_external_interface: "bond2"
neutron_plugin_agent: "openvswitch"
keepalived options: globals.yml
keepalived_virtual_router_id: "51"
TLS options: globals.yml
kolla_enable_tls_internal: "yes"
kolla_enable_tls_external: "yes"
# node_config=/etc/kolla
kolla_certificates_dir: "{{ node_config }}/certificates"
kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
kolla_admin_openrc_cacert: "{{ kolla_certificates_dir }}/ca.pem"
kolla_copy_ca_into_containers: "yes"
Backend TLS options: globals.yml
kolla_enable_tls_backend: "yes"
kolla_verify_tls_backend: "no"
OpenStack options : globals.yml
enable_openstack_core: "yes"
enable_hacluster: "yes"
enable_haproxy: "yes"
enable_aodh: "yes"
enable_barbican: "yes"
enable_ceilometer: "yes"
OpenStack options (2) : globals.yml
enable_cinder: "yes"
enable_cinder_backup: "yes"
enable_designate: "yes"
enable_gnocchi: "yes"
enable_gnocchi_statsd: "yes"
enable_magnum: "yes"
enable_manila: "yes"
enable_manila_backend_generic: "yes"
enable_mariabackup: "yes"
OpenStack options (3) : globals.yml
enable_masakari: "yes"
enable_neutron_vpnaas: "yes"
enable_neutron_qos: "yes"
enable_neutron_agent_ha: "yes"
enable_neutron_provider_networks: "yes"
enable_neutron_segments: "yes"
enable_octavia: "yes"
enable_trove: "yes"
Ceph options : globals.yml
external_ceph_cephx_enabled: "yes"
# Glance
ceph_glance_keyring: "ceph.client.glance.keyring"
ceph_glance_user: "glance"
ceph_glance_pool_name: "images"
Ceph options (2) : globals.yml
# Cinder
ceph_cinder_keyring: "ceph.client.cinder.keyring"
ceph_cinder_user: "cinder"
ceph_cinder_pool_name: "volumes"
ceph_cinder_backup_keyring: "ceph.client.cinder-backup.keyring"
ceph_cinder_backup_user: "cinder-backup"
ceph_cinder_backup_pool_name: "backups"
Ceph options (3) : globals.yml
# Nova
ceph_nova_user: "cinder"
ceph_nova_pool_name: "vms"
Ceph options (4) : globals.yml
# Gnocchi
ceph_gnocchi_keyring: "ceph.client.gnocchi.keyring"
ceph_gnocchi_user: "gnocchi"
ceph_gnocchi_pool_name: "metrics"
# Manila
ceph_manila_keyring: "ceph.client.manila.keyring"
ceph_manila_user: "manila"
Ceph options (5) : globals.yml
# Glance - Image Options
# Configure image backend.
glance_backend_ceph: "yes"
glance_backend_file: "no"
# Gnocchi options
gnocchi_backend_storage: "ceph"
Ceph options (6) : globals.yml
# Cinder - Block Storage Options
cinder_backend_ceph: "yes"
cinder_backup_driver: "ceph"
nova_backend_ceph: "yes"
nova_compute_virt_type: "kvm"
Openstack/Ceph Integration
Deployment
After the configuration is set, we can proceed to the deployment phase. First we
need to set up basic host-level dependencies, like Docker.
Kolla Ansible provides a playbook that will install all required services in the
correct versions.
● pull images for containers
# kolla-ansible pull
● Bootstrap servers with kolla deploy dependencies:
# kolla-ansible -i ./multinode bootstrap-servers
● Do pre-deployment checks for hosts:
# kolla-ansible -i ./multinode prechecks
Deployment (2)
● Finally proceed to actual OpenStack deployment:
# kolla-ansible -i ./multinode deploy
● OpenStack requires an openrc file where credentials for the admin user are set. To
generate this file:
# kolla-ansible -i ./multinode post-deploy
● Install the OpenStack CLI client:
# sudo pip3 install python-openstackclient
● There is a script that will create example networks, images, and so on:
# /usr/local/share/kolla-ansible/init-runonce
Kolla Ansible CLI
kolla-ansible -i INVENTORY deploy is used to deploy and start all Kolla containers.
OpenStack Service Configuration in Kolla
Kolla Ansible merges operator-provided overrides placed under /etc/kolla/config/
into the service configuration it generates, for example:
● /etc/kolla/config/nova.conf
● /etc/kolla/config/nova/controller01/nova.conf
● /etc/kolla/config/nova/controller02/nova.conf
● /etc/kolla/config/nova/controller03/nova.conf
● /etc/kolla/config/nova/nova-scheduler.conf
OpenStack Service Configuration in Kolla (3)
If the operator wants to configure the compute node CPU and RAM allocation
ratios on host compute05, the operator needs to create the file
/etc/kolla/config/nova/compute05/nova.conf with content:
[DEFAULT]
cpu_allocation_ratio = 16.0
ram_allocation_ratio = 5.0
For example, to modify the database connection pool size for all services, the
operator needs to create /etc/kolla/config/global.conf with content:
[database]
max_pool_size = 100
TLS
When an OpenStack service exposes an API endpoint, Kolla Ansible will
configure HAProxy for that service to listen on the internal and/or external VIP
address. The HAProxy container load-balances requests on the VIPs to the
nodes running the service container.
There are two different layers of TLS configuration for OpenStack APIs:
● Enabling TLS on the internal and/or external VIP, so communication
between an OpenStack client and the HAProxy listening on the VIP is
secure.
● Enabling TLS on the backend network, so communication between
HAProxy and the backend API services is secure.
TLS (2)
Generating a Private Certificate Authority
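For test deployments, Kolla Ansible ships a helper that generates a private CA and self-signed TLS certificates matching the TLS options above; this is a sketch for lab use, not a production recommendation:

# kolla-ansible -i ./multinode certificates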
By default, backups will be performed on the first node in your Galera cluster
or on the MariaDB node itself if you just have the one. Backup files are saved
to a dedicated Docker volume - mariadb_backup - and it’s the contents of this
that you should target for transferring backups elsewhere.
Enabling Backup Functionality
For backups to work, some reconfiguration of MariaDB is required - this is to
enable appropriate permissions for the backup client, and also to create an
additional database in order to store backup information.
enable_mariabackup: "yes"
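Once backup functionality is enabled and the cluster reconfigured, a backup can be triggered from the kolla-ansible CLI; a full backup is the default mode, and incremental backups are also supported:

# kolla-ansible -i ./multinode mariadb_backup

Restores are then performed from a temporary helper container in which the mariadb_backup volume is mounted at /backup, which is what the (dbrestore) prompt below refers to.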
(dbrestore) $ cd /backup
# docker ps -a
● The Kibana web interface (central logging) is reachable at:
https://<kolla_external_vip_address>:5601
After setting parameters, one can create an index pattern with the Create button.
Upgrade procedure
The kolla-ansible package itself should be upgraded first.
This will include reviewing some of the configuration and inventory files.
On the operator/master node, a backup of the /etc/kolla directory may be
desirable.
# pip install --upgrade kolla-ansible==13.0
Files that need manual updating are:
● /etc/kolla/globals.yml
● /etc/kolla/passwords.yml
Upgrade procedure (2)
Run the following command to pull the updated images:
# kolla-ansible pull
# cp kolla-ansible/etc/kolla/passwords.yml passwords.yml.new
# kolla-genpwd -p passwords.yml.new
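The remaining steps, sketched here under the assumption of the multinode inventory used earlier, merge the old and new password files and then run the upgrade action:

# cp /etc/kolla/passwords.yml passwords.yml.old
# kolla-mergepwd --old passwords.yml.old --new passwords.yml.new --final /etc/kolla/passwords.yml
# kolla-ansible -i ./multinode upgrade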
Maintenance
● Hourly
○ Check your monitoring system for alerts and act on them.
○ Check your ticket queue for new tickets.
● Daily
○ Check for instances in a failed or weird state and investigate why.
○ Check for security patches and apply them as needed.
Maintenance (2)
● Weekly
○ Check cloud usage:
○ User quotas
○ Disk space
○ Image usage
○ Large instances
○ Network usage (bandwidth and IP usage)
○ Verify your alert mechanisms are still working.
● Monthly
○ Check usage and trends over the past month.
○ Check for user accounts that should be removed.
○ Check for operator accounts that should be removed.
Maintenance (3)
● Quarterly
○ Review usage and trends over the past quarter.
○ Prepare any quarterly reports on usage and statistics.
○ Review and plan any necessary cloud additions.
○ Review and plan any major OpenStack upgrades.
● Semiannually
○ Upgrade OpenStack.
○ Clean up after an OpenStack upgrade (any unused or new services to be aware of?).