From Fedora Project Wiki

m (change to new RDO website URL)
 
(58 intermediate revisions by 15 users not shown)
Line 1: Line 1:
= Basic Setup =
= OpenStack in EPEL =


These steps will setup OpenStack nova, glance, and keystone to be accessed by the OpenStack dashboard web UI on a single host, as well as launching our first instance (virtual machine).
The OpenStack Folsom was retired from EPEL 6.
 
Please visit [https://www.rdoproject.org/ RDO project] for running OpenStack on EL platforms.
Many of the examples here require 'sudo' to be properly configured, please see [[Configuring Sudo]] if you need help.
 
== Initial Installation ==
 
$>wget http://pbrady.fedorapeople.org/openstack-el6/epel-openstack-preview.repo
$>sudo mv epel-openstack-preview.repo /etc/yum.repos.d
 
First let's pull in OpenStack and some optional dependencies:
 
$> sudo yum install openstack-nova openstack-glance openstack-keystone openstack-quantum \
openstack-dashboard openstack-utils qpid-cpp-server python-paste-deploy python-routes
 
Ensure auth=no is set in /etc/qpidd.conf
 
Set selinux in permissive mode:
>$ sudo setenforce permissive
 
Otherwise you will get issues like https://bugzilla.redhat.com/show_bug.cgi?id=734346
    /usr/bin/nova-dhcpbridge: No such file or directory
 
if RHEL 6.2 based
  $> sudo openstack-config --set /etc/nova/nova.conf DEFAULT force_dhcp_release False
else if RHEL 6.3 based
  $>  sudo yum install dnsdmasq-utils
 
 
 
Run the helper script to get MySQL configured for use with openstack-nova.  If <code>mysql-server</code> is not already installed, this script will install it for you.
 
$> sudo openstack-nova-db-setup
 
Similarly, run the helper script to get MySQL configured for use with openstack-glance.
 
$> sudo openstack-glance-db-setup
 
Nova requires the QPID messaging server to be running.
 
$> sudo service qpidd start && sudo chkconfig qpidd on
 
Nova requires the libvirtd server to be running:
 
$> sudo service libvirtd start && sudo chkconfig libvirtd on
 
Next, you should enable the Glance API and registry services:
$> for svc in api registry; do sudo service openstack-glance-$svc start; chkconfig openstack-glance-$svc on  ; done
 
 
The openstack-nova-volume service requires an LVM Volume Group called nova-volumes to exist. We simply create this using a loopback sparse disk image.
 
$> sudo dd if=/dev/zero of=/var/lib/nova/nova-volumes.img bs=1M seek=20k count=0
$> sudo vgcreate nova-volumes $(sudo losetup --show -f /var/lib/nova/nova-volumes.img)
 
If you are testing OpenStack in a virtual machine, you need to configure nova to use qemu without KVM and hardware virtualization:
 
$> sudo openstack-config-set /etc/nova/nova.conf DEFAULT libvirt_type qemu
 
Now you can start the various services:
 
$> for svc in api objectstore compute network volume scheduler cert; do service openstack-nova-$svc start ; sudo chkconfig openstack-nova-$svc on ;  done
 
 
Check that all the services started up correctly and look in the logs in <code>/var/log/nova</code> for errors. If there are none, then Nova is up and running!
 
== Initial Keystone setup ==
 
Keystone is the openstack identity service, providing a central place to
set up openstack users, groups, and accounts that can be shared across all
other services. This deprecates the old style user accounts manually set
up with nova-manage.
 
Setting up keystone is required for using the Openstack dashboard.
 
* Configure the Keystone database, similar to how we do it for nova
$> sudo openstack-keystone-db-setup
 
* Set up a keystonerc file with a generated admin token and various passwords:
$> cat > keystonerc <<EOF
export ADMIN_TOKEN=$(openssl rand -hex 10)
export OS_USERNAME=admin
export OS_PASSWORD=verybadpass
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
EOF
$> . ./keystonerc
 
* Set the administrative token in the config file
$> sudo openstack-config-set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
 
* Start and enable Keystone service
$> sudo service openstack-keystone start && sudo chkconfig openstack-keystone on
 
* Create sample Tenants, Users and Roles
$> sudo ADMIN_PASSWORD=$OS_PASSWORD SERVICE_PASSWORD=servicepass openstack-keystone-sample-data
 
* Test the Keystone CLI is working
$> keystone user-list
+----------------------------------+---------+-------------------+-------+
|                id                | enabled |      email      |  name |
+----------------------------------+---------+-------------------+-------+
| 05742d10109540d2892d17ec312a6cd9 | True    | admin@example.com | admin |
| 25fe47659d6a4255a663e6add1979d6c | True    | admin@example.com | demo  |
+----------------------------------+---------+-------------------+-------+
 
== Configure nova to use keystone ==
 
* Change nova configuration to use keystone:
$> sudo openstack-config-set /etc/nova/api-paste.ini filter:authtoken admin_tenant_name service
$> sudo openstack-config-set /etc/nova/api-paste.ini filter:authtoken admin_user nova
$> sudo openstack-config-set /etc/nova/api-paste.ini filter:authtoken admin_password servicepass
$> sudo openstack-config-set /etc/nova/nova.conf DEFAULT auth_strategy keystone
$> sudo service openstack-nova-api restart
 
* Verify that nova can talk with keystone (requires OS_* exports from previous keystone section)
 
$> nova flavor-list
+----+-----------+-----------+------+----------+-------+-------------+
| ID |    Name  | Memory_MB | Swap | Local_GB | VCPUs | RXTX_Factor |
+----+-----------+-----------+------+----------+-------+-------------+
| 1  | m1.tiny  | 512      |      | 0        | 1    | 1.0        |
| 2  | m1.small  | 2048      |      | 10      | 1    | 1.0        |
| 3  | m1.medium | 4096      |      | 10      | 2    | 1.0        |
| 4  | m1.large  | 8192      |      | 10      | 4    | 1.0        |
| 5  | m1.xlarge | 16384    |      | 10      | 8    | 1.0        |
+----+-----------+-----------+------+----------+-------+-------------+
 
== Configure glance to use keystone ==
 
* Change glance configuration to use keystone:
$> sudo openstack-config-set /etc/glance/glance-api.conf paste_deploy flavor keystone
$> sudo openstack-config-set /etc/glance/glance-registry.conf paste_deploy flavor keystone
$> sudo openstack-config-set /etc/glance/glance-api-paste.ini filter:authtoken admin_tenant_name service
$> sudo openstack-config-set /etc/glance/glance-api-paste.ini filter:authtoken admin_user glance
$> sudo openstack-config-set /etc/glance/glance-api-paste.ini filter:authtoken admin_password servicepass
$> sudo openstack-config-set /etc/glance/glance-registry-paste.ini filter:authtoken admin_tenant_name service
$> sudo openstack-config-set /etc/glance/glance-registry-paste.ini filter:authtoken admin_user glance
$> sudo openstack-config-set /etc/glance/glance-registry-paste.ini filter:authtoken admin_password servicepass
$> sudo service openstack-glance-api restart
$> sudo service openstack-glance-registry restart
 
* Verify that glance can talk with keystone (requires OS_* exports from the previous keystone section)
 
$> glance index
 
== Nova Network Setup ==
 
To create the network do:
 
$> sudo nova-manage network create demonet 10.0.0.0/24 1 256 --bridge=demonetbr0
 
NB the network range here, should *not* be the one used on your existing physical network. It should be a range dedicated for the network that OpenStack will configure. So if 10.0.0.0/24 clashes with your local network, pick another range
 
== Register an Image ==
 
To run an instance, you are going to need an image. There are prebuilt Fedora 16 JEOS (Just Enough OS) images that can be downloaded.
Note this will download a 200MB image (without a progress bar)
 
  $> glance add name=f16-jeos is_public=true disk_format=qcow2 container_format=ovf \
      copy_from=http://berrange.fedorapeople.org/images/2012-02-29/f16-x86_64-openstack-sda.qcow2
 
== Launch an Instance ==
 
Create a keypair:
$> nova keypair-add mykey > oskey.priv
$> chmod 600 oskey.priv
 
Launch an instance:
 
$> nova boot myserver --flavor 2 --key_name mykey \
      --image $(glance index | grep f16-jeos | awk '{print $1}')
 
And then observe the instance running, observe the KVM VM running and SSH into the instance:
 
$> sudo virsh list
$> nova list
$> ssh -i oskey.priv ec2-user@10.0.0.2
$> nova console-log myserver
$> nova delete myserver
 
== Configure the OpenStack Dashboard ==
 
The OpenStack dashboard is the official web user interface for OpenStack. It should mostly work out of the box, as long as keystone has been configured properly.
 
* Install the dashboard
$> sudo yum install openstack-dashboard
 
* Make sure httpd is running
$> sudo service httpd restart
$> sudo chkconfig httpd on
 
* If selinux is enabled, you will have to allow httpd to access other network services (the dashboard talks to the http API of the other OpenStack services)
$> sudo setsebool -P httpd_can_network_connect=on
 
The dashboard should then be accessed with a web browser at http://localhost/dashboard . Account and password should be
what you configured for the keystone setup.
 
 
 
To open up the firewall ports for HTTP, edit /etc/sysconfig/iptables and add the following two lines:
 
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
 
just before the line:
 
-A INPUT -j REJECT --reject-with icmp-host-prohibited
 
And restart iptables:
>$ sudo service iptables restart
 
= Additional Functionality =
 
== Using Eucalyptus tools ==
 
Set up a rc file for EC2 access (this expects a prior keystone configuration)
 
$> . ./keystonerc
$> USER_ID=$(keystone user-list | awk '/admin / {print $2}')
$> ACCESS_KEY=$(keystone ec2-credentials-list --user $USER_ID | awk '/admin / {print $4}')
$> SECRET_KEY=$(keystone ec2-credentials-list --user $USER_ID | awk '/admin / {print $6}')
$> cat > novarc <<EOF
export EC2_URL=http://localhost:8773/services/Cloud
export EC2_ACCESS_KEY=$ACCESS_KEY
export EC2_SECRET_KEY=$SECRET_KEY
EOF
$> chmod 600 novarc
$> . ./novarc
 
You should now be able to launch an image:
 
$> euca-run-instances f16-jeos -k nova_key
$> euca-describe-instances
$> euca-get-console-output i-00000001
$> euca-terminate-instances i-00000001
 
== Images ==
 
Rather than the prebuilt Fedora 16 JEOS image referenced above, there are other image options.
 
# Building a Fedora 16 JEOS image using [http://aeolusproject.org/oz.html Oz]
# Downloading ttylinux based minimal images used by OpenStack developers for testing
 
=== Building Fedora 16 JEOS Images With Oz ===
 
You can very easily build an image using Oz. First, make sure it's installed:
 
$> sudo yum install /usr/bin/oz-install
 
Create a template definition file called <code>f16-jeos.tdl</code> containing:
 
<nowiki>
<template>
<name>fedora16_x86_64</name>
<description>My Fedora 16 x86_64 template</description>
<os>
  <name>Fedora</name>
  <version>16</version>
  <arch>x86_64</arch>
  <install type='url'>
    <url>http://download.fedoraproject.org/pub/fedora/linux/releases/16/Fedora/x86_64/os/</url>
  </install>
</os>
<commands>
  <command name='setup-rc-local'>
sed -i 's/rhgb quiet/console=ttyS0/' /boot/grub/grub.conf
cat >> /etc/rc.local &amp;lt;&amp;lt; EOF
if [ ! -d /root/.ssh ]; then
  mkdir -p /root/.ssh
  chmod 700 /root/.ssh
fi
# Fetch public key using HTTP
ATTEMPTS=10
while [ ! -f /root/.ssh/authorized_keys ]; do
    curl -f http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > /tmp/aws-key 2>/dev/null
    if [ \$? -eq 0 ]; then
        cat /tmp/aws-key >> /root/.ssh/authorized_keys
        chmod 0600 /root/.ssh/authorized_keys
        restorecon /root/.ssh/authorized_keys
        rm -f /tmp/aws-key
        echo "Successfully retrieved AWS public key from instance metadata"
    else
        FAILED=\$((\$FAILED + 1))
        if [ \$FAILED -ge \$ATTEMPTS ]; then
            echo "Failed to retrieve AWS public key after \$FAILED attempts, quitting"
            break
        fi
        echo "Could not retrieve AWS public key (attempt #\$FAILED/\$ATTEMPTS), retrying in 5 seconds..."
        sleep 5
    fi
done
EOF
  </command>
</commands>
</template>
</nowiki>
 
Then simply do:
 
$> sudo oz-install -d4 -u f16-jeos.tdl
 
Once built, you simply have to register the image with Nova:
 
$> glance add name=f16-jeos is_public=true container_format=bare disk_format=raw < /var/lib/libvirt/images/fedora16_x86_64.dsk
$> glance index
 
The last command should return a list of the images registered with the Glance image registry.
 
=== Downloading Existing Images ===
 
If you don't need a functioning Fedora 16 and want the smallest possible images, just download this set of images commonly used by OpenStack developers for testing and register them with Nova:
 
$> mkdir images
$> cd images
$> curl http://images.ansolabs.com/tty.tgz | tar xvfzo -
$> glance add name=aki-tty disk_format=aki container_format=aki is_public=true < aki-tty/image
$> glance add name=ami-tty disk_format=ami container_format=ami is_public=true < ami-tty/image
$> glance add name=ari-tty disk_format=ari container_format=ari is_public=true < ari-tty/image
 
Then to start the image:
 
$> euca-run-instances ami-tty --kernel aki-tty --ramdisk ari-tty -k mykey
 
== Volumes ==
 
If you use the Chrome browser, kill it before embarking on this section, as it has been [https://bugzilla.redhat.com/show_bug.cgi?id=727925 known] to cause the lvcreate command to fail with 'incorrect semaphore state' errors.
 
Start the SCSI target daemon
 
$> sudo systemctl start tgtd.service
$> sudo systemctl enable tgtd.service
 
Create a new 1GB volume
 
$> VOLUME=$(euca-create-volume -s 1 -z nova | awk '{print $2}')
 
View the status of the new volume, and wait for it to become 'available'
 
$> watch "euca-describe-volumes | grep $VOLUME | grep available"
 
Re-run the previously terminated instance if necessary:
 
$> INSTANCE=$(euca-run-instances f16-jeos -k mykey | grep INSTANCE | awk '{print $2}')
 
or:
 
$> INSTANCE=$(euca-run-instances ami-tty --kernel aki-tty --ramdisk ari-tty -k mykey | grep INSTANCE | awk '{print $2}')
 
Make the storage available to the instance (note -d is the device on the compute node)
 
$> euca-attach-volume -i $INSTANCE -d /dev/vdc $VOLUME
 
ssh to the instance and verify that the vdc device is listed in /proc/partitions
 
$> cat /proc/partitions
 
Now make the device available if /dev/vdc is not already present
 
$> mknod /dev/vdc b 252 32
 
Create and mount a file system directly on the device
 
$> mkfs.ext3 /dev/vdc
$> mkdir /mnt/nova-volume
$> mount /dev/vdc /mnt/nova-volume
 
Display some file system details
 
$> df -h /dev/vdc
 
Create a temporary file:
 
$> echo foo > /mnt/nova-volume/bar
 
Terminate and re-run the instance, then re-attach the volume and re-mount within the instance as above. Your temporary file will have persisted:
 
$> cat /mnt/nova-volume/bar
 
Unmount the volume again:
 
$> umount /mnt/nova-volume
 
Exit from the ssh session, then detach and delete the volume:
 
$> euca-detach-volume $VOLUME
$> euca-delete-volume $VOLUME
 
== Floating IPs ==
 
You may carve out a block of public IPs and assign them to instances.
 
First thing you need to do is make sure that nova is configured with the correct public network interface. The default is eth0, but you can change it by e.g.
 
$> sudo openstack-config-set /etc/nova/nova.conf DEFAULT public_interface em1
$> sudo systemctl restart openstack-nova-network.service
 
Then you can do e.g.
 
$> sudo nova-manage floating create 172.31.0.224/28
$> euca-allocate-address
$> euca-associate-address -i i-00000012 172.31.0.224
$> ssh -i nova_key.priv root@172.31.0.224
$> euca-disassociate-address 172.31.0.224
$> euca-release-address 172.31.0.224
 
= Deployment =
 
== Adding a Compute Node ==
 
Okay, everything so far has been done on a single node. The next step is to add another node for running VMs.
 
Let's assume the machine you've set up above is called 'controller' and the new machine is called 'node'.
 
First, open the rabbitmq, MySQL, Nova API and iSCSI ports on controller:
 
$ controller> sudo lokkit -p 3306:tcp
$ controller> sudo lokkit -p 5672:tcp
$ controller> sudo lokkit -p 9292:tcp
$ controller> sudo lokkit -p 3260:tcp
$ controller> sudo service libvirtd reload
 
Then make sure that ntp is enabled on both machines:
 
$> sudo yum install -y ntp
$> sudo service ntpd start
$> sudo chkconfig ntpd on
 
Install libvirt and nova on node:
 
$ node> sudo yum install --enablerepo=updates-testing openstack-nova
$ node> sudo service libvirtd start
$ node> sudo chkconfig libvirtd on
$ node> sudo setenforce 0
 
Configure nova so that node can find the services on controller:
 
$ node> sudo openstack-config-set /etc/nova/nova.conf DEFAULT rabbit_host controller
$ node> sudo openstack-config-set /etc/nova/nova.conf DEFAULT sql_connection mysql://nova:nova@controller/nova
$ node> sudo openstack-config-set /etc/nova/nova.conf DEFAULT glance_api_servers controller:9292
$ node> sudo openstack-config-set /etc/nova/nova.conf DEFAULT iscsi_ip_prefix 172.31.0.107
 
(The {{{iscsi_ip_prefix}}} value is the IP address of the controller node)
 
Enable the compute service:
 
$ node> for svc in compute network; do sudo service openstack-nova-$svc start; done
 
Finally, you need to make sure the network is configured with a physical bridge interface:
 
$ controller> sudo nova-manage network create demonet 10.0.0.0/24 --bridge=demonetbr0 --bridge_interface=em1
 
Now everything should be running as before, except the VMs are launched either on controller or node.
 
== Manual Setup of MySQL ==
 
As of <code>openstack-nova-2011.3-9.el6</code> and <code>openstack-nova-2011.3-8.fc16</code>, <code>openstack-nova</code> is now set up to use MySQL by default.  If you're updating an older installation or prefer to set up MySQL manually instead of using the <code>openstack-nova-db-setup</code> script, this section shows how to do it.
 
First install and enable MySQL:
 
$> sudo yum install -y mysql-server
$> sudo service mysqld start
$> sudo chkconfig mysqld on
 
Set a password for the root account and delete the anonymous accounts:
 
$> mysql -u root
mysql> update mysql.user set password = password('iamroot') where user = 'root';
mysql> <nowiki>delete from mysql.user where user = ''</nowiki>;
 
Create a database and user account specifically for nova:
 
mysql> create database nova;
mysql> create user 'nova'@'localhost' identified by 'nova';
mysql> create user 'nova'@'%' identified by 'nova';
mysql> grant all on nova.* to 'nova'@'%';
 
(If anyone can explain why nova@localhost is required even though the anonymous accounts have been deleted, I'd be very grateful :-)
 
Then configure nova to use the DB and install the schema:
 
$> sudo openstack-config-set /etc/nova/nova.conf DEFAULT sql_connection mysql://nova:nova@localhost/nova
$> sudo nova-manage db sync
 
As a final sanity check:
 
$> mysql -u nova -p nova
Enter password:
mysql> select * from migrate_version;
 
= Miscellaneous =
 
== Smoke Tests ==
 
Nova comes with a selection of fairly basic smoke tests which you can run against your installation. It can be useful to use these to sanity check your configuration.
 
First off, you need the nova-adminclient python library which isn't yet packaged:
 
$> sudo yum install python-pip
$> sudo pip-python install nova-adminclient
 
Then you need a user and project both named admin:
 
$> sudo nova-manage user admin admin
$> sudo nova-manage project create admin admin
$> sudo nova-manage project zipfile admin admin
$> unzip nova.zip
$> . ./novarc
 
Make sure you have the tty images imported as described above. You also need a block of floating IPs created, also as described above.
 
Then, run the tests from a fedpkg checkout:
 
$> fedpkg clone openstack-nova
$> cd openstack-nova
$> fedpkg switch-branch f16
$> fedpkg prep
$> cd nova-2011.3/smoketests
$> python ./run_tests.py
 
All the tests should pass.
 
If you run into import errors such as:
 
ImportError: No module named nose
 
or:
 
ImportError (No module named paramiko)
 
simply install the missing dependency as follows:
 
$> sudo yum install -y python-nose.noarch
$> sudo yum install -y python-paramiko.noarch
 
== Cleanup ==
 
While testing OpenStack, you might want to delete everything related to OpenStack and start testing with a clean slate again.
 
Here's how. First, make sure to terminate all running instances:
 
$> euca-terminate-instances ...
 
Double check that you have no lingering VMs, perhaps saved to disk:
 
$> virsh list --all && virsh undefine
$> rm -f /var/lib/libvirt/qemu/save/instance-00000*
 
Then stop all the services:
 
$> for iii in /usr/lib/systemd/system/openstack-*.service; do sudo systemctl stop $(basename $iii); done
 
Delete all the packages:
 
$> sudo yum erase python-glance python-nova* python-keystone* openstack-swift*
 
Delete the nova and keystone tables from the MySQL DB:
 
$> mysql -u root -p -e 'drop database nova;'
$> mysql -u root -p -e 'drop database keystone;'
 
Delete the nova-volumes VG:
 
$> sudo vgchange -an nova-volumes
$> sudo losetup -d /dev/loop0
$> sudo rm -f /var/lib/nova/nova-volumes.img
 
Take down the bridge and kill dnsmasq:
 
$> sudo ip link set demonetbr0 down
$> sudo brctl delbr demonetbr0
$> sudo kill -9 $(cat /var/lib/nova/networks/nova-demonetbr0.pid)
 
Remove all directories left behind from the packages:
 
$> sudo rm -rf /etc/{glance,nova,swift,keystone,openstack-dashboard} /var/lib/{glance,nova,swift,keystone} /var/log/{glance,nova,swift,keystone} /var/run/{glance,nova,swift,keystone}
 
Finally, restart iptables to clear out all rules added by Nova. You also need to reload libvirt's iptables rules:
 
$> sudo service iptables restart
$> sudo service libvirtd restart
 
[[Category:Cloud SIG]]

Latest revision as of 12:59, 24 October 2019

OpenStack in EPEL

The OpenStack Folsom was retired from EPEL 6. Please visit RDO project for running OpenStack on EL platforms.