Openstack administrator guide, Study Guides, Projects, Research of Education Planning And Management

Suse OpenStack administrator guide cloud 7

Typology: Study Guides, Projects, Research

2017/2018

Uploaded on 01/25/2018

vivek-shwarup
OpenStack Administrator Guide
SUSE OpenStack Cloud 7

ABSTRACT

OpenStack offers open source software for OpenStack administrators to manage and troubleshoot an OpenStack cloud.

This guide documents OpenStack Newton and Mitaka releases.

Publication Date: 08/04/

SUSE LLC 10 Canal Park Drive Suite 200 Cambridge MA 02141 USA https://www.suse.com/documentation

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License: http://creativecommons.org/licenses/by/3.0/legalcode

3.5 Integrate Identity with LDAP

Identity LDAP server set up • Integrate Identity back end with LDAP • Secure the OpenStack Identity service connection to an LDAP back end

3.6 Keystone tokens

Authorization scopes • Token providers

3.7 Configure Identity service for token binding

3.8 Fernet - Frequently Asked Questions

What are the different types of keys? • So, how does a staged key help me and why do I care about it? • Where do I put my key repository? • What is the recommended way to rotate and distribute keys? • Do fernet tokens still expire? • Why should I choose fernet tokens over UUID tokens? • Why should I choose fernet tokens over PKI or PKIZ tokens? • Should I rotate and distribute keys from the same keystone node every rotation? • How do I add new keystone nodes to a deployment? • How should I approach key distribution? • How long should I keep my keys around? • Is a fernet token still a bearer token? • What if I need to revoke all my tokens? • What can an attacker do if they compromise a fernet key in my deployment? • I rotated keys and now tokens are invalidating early, what did I do?

3.9 Use trusts

3.10 Caching layer

Caching for tokens and tokens validation • Caching for non-token resources • Configure the Memcached back end example

3.11 Security compliance and PCI-DSS

Setting the account lockout threshold • Disabling inactive users • Configuring password expiration • Indicating password strength requirements • Requiring a unique password history

3.12 Example usage and Identity features

Logging • User CRUD

3.13 Authentication middleware with user name and password

Create a share type • Update share type • Delete share

Ring data structure • Partition assignment

6.15 Troubleshoot Object Storage

Drive failure • Server failure • Detect failed drives • Emergency recovery of ring builder files

7 Block Storage

7.1 Increase Block Storage API service throughput

7.2 Manage volumes

Boot from volume • Configure an NFS storage back end • Configure a GlusterFS back end • Configure multiple-storage back ends • Back up Block Storage service disks • Migrate volumes • Gracefully remove a GlusterFS volume from usage • Back up and restore volumes and snapshots • Export and import backup metadata • Use LIO iSCSI support • Configure and use volume number weigher • Consistency groups • Configure and use driver filter and weighing for scheduler • Rate-limit volume copy bandwidth • Oversubscription in thin provisioning • Image-Volume cache • Volume-backed image • Get capabilities • Generic volume groups

7.3 Troubleshoot your installation

Troubleshoot the Block Storage configuration • Multipath call failed exit • Addressing discrepancies in reported volume sizes for EqualLogic storage • Failed to Attach Volume, Missing sg_scan • HTTP bad request in cinder volume log • Duplicate 3PAR host • Failed to attach volume after detaching • Failed to attach volume, systool is not installed • Failed to connect volume in FC SAN • Cannot find suitable emulator for x86_64 • Non-existent host • Non-existent VLUN

8 Shared File Systems

8.1 Introduction

9 Networking

9.1 Introduction to Networking

Networking API • Configure SSL support for networking API • Load-Balancer-as-a-Service (LBaaS) overview • Firewall-as-a-Service (FWaaS) overview • Allowed-address-pairs • Virtual-Private-Network-as-a-Service (VPNaaS)

9.2 Networking architecture

Overview • VMware NSX integration

9.3 Plug-in configurations

Configure Big Switch (Floodlight REST Proxy) plug-in • Configure Brocade plug-in • Configure NSX-mh plug-in • Configure PLUMgrid plug-in

9.4 Configure neutron agents

Configure data-forwarding nodes • Configure DHCP agent • Configure L3 agent • Configure metering agent • Configure Load-Balancer-as-a-Service (LBaaS v2) • Configure Hyper-V L2 agent • Basic operations on agents

9.5 Configure Identity service for Networking

Compute • Networking API and credential configuration • Configure security groups • Configure metadata • Example nova.conf (for nova-compute and nova-api)

9.6 Advanced configuration options

L3 metering agent

9.7 Scalable and highly available DHCP agents

9.8 Use Networking

Core Networking API features • Use Compute with Networking

9.9 Advanced features through API extensions

Provider networks • L3 routing and NAT • Security groups • Basic Load-Balancer-as-a-Service operations • Plug-in specific extensions • L3 metering

9.10 Advanced operational features

Logging settings • Notifications

9.11 Authentication and authorization

10 Telemetry

10.1 System architecture

Supported databases • Supported hypervisors • Supported networking services • Users, roles, and projects

10.2 Data collection

Notifications • Polling • Support for HA deployment • Send samples to Telemetry • Block Storage audit script setup to get notifications • Storing samples

10.3 Data collection, processing, and pipelines

Pipeline configuration

10.4 Data retrieval

Telemetry v2 API • Telemetry command-line client and SDK • Publishers

10.5 Alarms

Alarm definitions • Alarm dimensioning • Alarm evaluation • Using alarms

10.6 Measurements

OpenStack Compute • Bare metal service • IPMI based meters • SNMP based meters • OpenStack Image service • OpenStack Block Storage • OpenStack Object Storage • Ceph Object Storage • OpenStack Identity • OpenStack Networking • SDN controllers • Load-Balancer-as-a-Service (LBaaS v1) • Load-Balancer-as-a-Service (LBaaS v2) • VPN-as-a-Service (VPNaaS) • Firewall-as-a-Service (FWaaS) • Orchestration service • Data processing service for OpenStack • Key Value Store module • Energy

13.3 Stack domain users

Stack domain users configuration • Usage workflow

14 OpenStack command-line clients

14.1 Command-line client overview

Unified command-line client • Individual command-line clients

14.2 Install the OpenStack command-line clients

Install the prerequisite software • Install the OpenStack client • Upgrade or remove clients • What's next

14.3 Discover the version number for a client

14.4 Set environment variables using the OpenStack RC file

Download and source the OpenStack RC file • Create and source the OpenStack RC file • Override environment variable values

14.5 Manage projects, users, and roles

Projects • Users • Roles and role assignments

14.6 Manage project security

List and view current security groups • Create a security group • Delete a security group • Create security group rules for a cluster of instances

14.7 Manage services

Create and manage services and service users • Manage Compute services

14.8 Manage images

List or get details for images (glance) • Create or update an image (glance) • Troubleshoot image creation

14.9 Manage volumes

Migrate a volume • Create a volume • Create a volume from specified volume type • Attach a volume to an instance • Resize a volume • Delete a volume • Transfer a volume • Manage and unmanage a snapshot

14.10 Manage shares

Migrate a share

14.11 Manage flavors

Create a flavor • Delete a flavor

14.12 Manage the OpenStack environment

Select hosts where instances are launched • Consider NUMA topology when booting instances • Evacuate instances • Migrate a single instance to another compute host • Configure SSH between compute nodes • Manage IP addresses • Launch and manage stacks using the CLI

14.13 Manage quotas

Manage Compute service quotas • Manage Block Storage service quotas • Manage Networking service quotas

14.14 Analyze log files

Upload and analyze log files • Download and analyze an object

14.15 Manage Block Storage scheduling

Example Usages

15 Cross-project features

15.1 Cross-origin resource sharing

Enabling CORS with configuration • Enabling CORS with PasteDeploy • Security concerns • Troubleshooting

16 Appendix

16.1 Community support

Documentation • ask.openstack.org • OpenStack mailing lists • The OpenStack wiki • The Launchpad Bugs area • The OpenStack IRC channel • Documentation feedback • OpenStack distribution packages

Glossary

2 Get started with OpenStack

The OpenStack project is an open source cloud computing platform for all types of clouds, which aims to be simple to implement, massively scalable, and feature rich. Developers and cloud computing technologists from around the world create the OpenStack project.

OpenStack provides an Infrastructure-as-a-Service (IaaS) solution through a set of interrelated services. Each service offers an Application Programming Interface (API) that facilitates this integration. Depending on your needs, you can install some or all services.

The following table describes the OpenStack services that make up the OpenStack architecture:

TABLE 2.1: OPENSTACK SERVICES

Service: Dashboard (http://www.openstack.org/software/releases/newton/components/horizon)
Project name: Horizon (http://docs.openstack.org/developer/horizon/)
Description: Provides a web-based self-service portal to interact with underlying OpenStack services, such as launching an instance, assigning IP addresses and configuring access controls.

Service: Compute (http://www.openstack.org/software/releases/newton/components/nova)
Project name: Nova (http://docs.openstack.org/developer/nova/)
Description: Manages the lifecycle of compute instances in an OpenStack environment. Responsibilities include spawning, scheduling and decommissioning of virtual machines on demand.

Service: Networking (http://www.openstack.org/software/releases/newton/components/neutron)
Project name: Neutron (http://docs.openstack.org/developer/neutron/)
Description: Enables Network-Connectivity-as-a-Service for other OpenStack services, such as OpenStack Compute. Provides an API for users to define networks and the attachments into them. Has a pluggable architecture that supports many popular networking vendors and technologies.

Service: Object Storage (http://www.openstack.org/software/releases/newton/components/swift)
Project name: Swift (http://docs.openstack.org/developer/swift/)
Description: Stores and retrieves arbitrary unstructured data objects via a RESTful, HTTP based API. It is highly fault tolerant with its data replication and scale-out architecture. Its implementation is not like a file server with mountable directories. In this case, it writes objects and files to multiple drives, ensuring the data is replicated across a server cluster.

Service: Block Storage (http://www.openstack.org/software/releases/newton/components/cinder)
Project name: Cinder (http://docs.openstack.org/developer/cinder/)
Description: Provides persistent block storage to running instances. Its pluggable driver architecture facilitates the creation and management of block storage devices.

Service: Identity service (http://www.openstack.org/software/releases/newton/components/keystone)
Project name: Keystone (http://docs.openstack.org/developer/keystone/)
Description: Provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.

newton/ components/ trove)

Service: Data processing service (http://www.openstack.org/software/releases/newton/components/sahara)
Project name: Sahara (http://docs.openstack.org/developer/sahara/)
Description: Provides capabilities to provision and scale Hadoop clusters in OpenStack by specifying parameters like Hadoop version, cluster topology and nodes hardware details.


2.1 Conceptual architecture

The following diagram shows the relationships among the OpenStack services:

2.2 Logical architecture

To design, deploy, and configure OpenStack, administrators must understand the logical architecture.

As shown in Section 2.1, “Conceptual architecture”, OpenStack consists of several independent parts, named the OpenStack services. All services authenticate through a common Identity service. Individual services interact with each other through public APIs, except where privileged administrator commands are necessary.