Saturday, June 28, 2014

Install Openstack Icehouse

For this tutorial I am using Ubuntu 14.04, but it should work with Ubuntu 12.04. For all passwords I am using test12. Please do not use this password; use your own secure one. RabbitMQ, MySQL and the endpoints will use the insecure password for this blog.

Openstack is a python library that allows you to launch VMs.  Each piece is divided into components.

Nova:
Library that controls the creation of VMs, networking  and scheduling.

KeyStone:
Handles auth,  manages users and tenants.

Glance:
Stores the VMs and volume images.

Cinder:
Attached volumes and snapshot management.

Swift:
HTTP object store.  A lot like S3 in Amazon.

Horizon:
Django web gui for the stack

JuJu:
This is not an OpenStack project, but it is a tool to deploy orchestration. OpenStack will be the infrastructure that juju uses.

Installing the basics

Openstack is written in python,  uses RabbitMq as a queuing system and uses MySql as a database.

The first thing we need to do is grab the software for the backend.

apt-get install python-mysqldb mysql-server
apt-get install rabbitmq-server
apt-get install python-software-properties
add-apt-repository cloud-archive:icehouse   # only for Ubuntu 12.04
apt-get update
apt-get dist-upgrade
reboot

Once your computer restarts, mysql and rabbitmq should be running.

Change the password for rabbit

rabbitmqctl change_password guest test12

Login to mysql and setup the databases.

mysql -uroot -ptest12

mysql> create database cinder;
Query OK, 1 row affected (0.00 sec)

mysql> create database nova;
Query OK, 1 row affected (0.00 sec)

mysql> create database glance;
Query OK, 1 row affected (0.00 sec)

mysql> create database keystone;
Query OK, 1 row affected (0.00 sec)

mysql> create database swift;
Query OK, 1 row affected (0.00 sec)

You may want to set up different users and permissions, but for this article I am just going to use the username root.
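
One way to set up the separate users and non-shared passwords mentioned above, as an added example that is not part of the original post. The function names are illustrative, and the 'localhost' host part assumes the services reach MySQL through the controller entry that maps to 127.0.0.1.

```sh
#!/bin/sh
# Added example (not from the original post): one MySQL account per service,
# each with a random password and rights on its own database only.
# Assumes the databases created above exist and that services reach MySQL
# through the "controller" host entry that maps to 127.0.0.1.
set -eu

# 128 random bits as 32 hex characters; hex needs no escaping in SQL or in a
# mysql:// connection URL.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -dc '0-9a-f'
}

# service_sql NAME PASSWORD: print the statements for one service account.
# Both arguments are validated because they are pasted into SQL text.
service_sql() (
    svc=$1 pw=$2
    case $svc in ''|*[!a-z0-9_]*) echo "bad service name" >&2; exit 1 ;; esac
    case $pw in ''|*[!0-9a-f]*) echo "password must be hex" >&2; exit 1 ;; esac
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$svc" "$pw"
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'localhost';\n" "$svc" "$svc"
)

# connection_line NAME PASSWORD: the matching line for the service's config file.
connection_line() {
    printf 'connection = mysql://%s:%s@controller/%s\n' "$1" "$2" "$1"
}

# SQL goes to stdout (pipe it into: mysql -uroot -p); the config lines go to
# stderr so they show on the terminal but never reach the mysql client.
for svc in keystone glance nova cinder; do
    pw=$(gen_password)
    service_sql "$svc" "$pw"
    connection_line "$svc" "$pw" >&2
done
```

Each printed connection line replaces the mysql://root:test12@controller/... line in the matching service's config file later in this post.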

It also makes sense to add a host entry for the machine you are on. I will call it controller. ( Or just add it to DNS )

echo "127.0.0.1   controller" >> /etc/hosts

A couple other things the stack may need.  I like to create a tunnel that the VMs use.  Also iptables and sysctl settings are set to make VMs able to access the outside world.

Ubuntu 12.04
ip tuntap add dev tap mode tap
ifconfig tap up

Ubuntu 14.04
apt-get install uml-utilities
tunctl -u root
ifconfig tap0 up

vim /etc/sysctl.conf
   net.ipv4.ip_forward=1
sysctl -p

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

Installing Keystone 

Time to install keystone, grab the python package and setup the users, tenants and endpoints.

apt-get install keystone

Open up /etc/keystone/keystone.conf  and change to

admin_token=test12
connection = mysql://root:test12@controller/keystone

save and close

rm -rf /var/lib/keystone/keystone.db
keystone-manage db_sync
service keystone restart

Set some environment variables

export OS_SERVICE_TOKEN=test12
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

Create the keystone users and tenants

keystone user-create --name=admin --pass=test12 --email=me@me.com
keystone role-create --name=admin
keystone tenant-create --name=admin --description="Admin Tenant"
keystone user-role-add --user=admin --tenant=admin --role=admin
keystone user-role-add --user=admin --role=_member_ --tenant=admin
keystone user-create --name=demo --pass=test12 --email=me@me.com
keystone tenant-create --name=demo --description="Demo Tenant"
keystone user-role-add --user=demo --role=_member_ --tenant=demo
keystone tenant-create --name=service --description="Service Tenant"

Create the service and endpoint

keystone service-create --name=keystone --type=identity   --description="OpenStack Identity"

keystone endpoint-create   --service-id=$(keystone service-list | awk '/ identity / {print $2}')   --publicurl=http://controller:5000/v2.0   --internalurl=http://controller:5000/v2.0   --adminurl=http://controller:35357/v2.0

Unset these variables

unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT

It's time to set the environment variables that keystone uses on most components. You can set these in a shell, but it makes more sense to add them to your .profile

Open ~/.profile

export OS_USERNAME=admin
export OS_PASSWORD=test12
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0

save and close

You should be able to run the keystone command now.

keystone user-list
+----------------------------------+-------+---------+-----------+
|                id                |  name | enabled |   email   |
+----------------------------------+-------+---------+-----------+
| ccbe2503ba6046eaac9fd54fe619e90e | admin |   True  | me@me.com |
| c6c72fd23ab841b791c5bfeb1e8e816c |  demo |   True  | me@me.com |
+----------------------------------+-------+---------+-----------+

keystone tenant-list
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| 597744bd30364873b944984134942cf8 |  admin  |   True  |
| 6bb9a0b87e7e44b99c45a51009ea5a2b |   demo  |   True  |
| 8bf3aa286f4543bba35184ac3ef7bc17 | service |   True  |
+----------------------------------+---------+---------+

 keystone endpoint-list
+----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+
|                id                |   region  |          publicurl          |         internalurl         |           adminurl           |            service_id            |
+----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+
| b8232351bb554afc8078ae99d6eb4e6f | regionOne | http://controller:5000/v2.0 | http://controller:5000/v2.0 | http://controller:35357/v2.0 | 49f7d03e9f364dd483a8340ca0e0a4e5 |
+----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+

Installing Glance

Glance is what holds the image repo.

apt-get install glance python-glanceclient

And create the users and endpoints.

keystone user-create --name=glance --pass=test12 --email=me@me.com
keystone user-role-add --user=glance --tenant=service --role=admin

keystone service-create --name=glance --type=image --description="OpenStack Image Service"

keystone endpoint-create --service-id=$(keystone service-list | awk '/ image / {print $2}')   --publicurl=http://controller:9292  --internalurl=http://controller:9292   --adminurl=http://controller:9292

Edit  /etc/glance/glance-api.conf  and /etc/glance/glance-registry.conf

Change the database settings

connection = mysql://root:test12@controller/glance

And the keyauth
[keystone_authtoken]
auth_host = controller
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = test12
rabbit_host = localhost
rabbit_port = 5672
rabbit_use_ssl = false
rabbit_userid = guest
rabbit_password = test12
rabbit_virtual_host = /
rabbit_notification_exchange = glance
rabbit_notification_topic = notifications
rabbit_durable_queues = False

Edit  /etc/glance/glance-registry-paste.ini  and /etc/glance/glance-api-paste.ini
Change to

[filter:authtoken]
paste.filter_factory=keystoneclient.middleware.auth_token:filter_factory
auth_host=controller
admin_user=glance
admin_tenant_name=service
admin_password=test12
flavor=keystone 

glance-manage db_sync

Log in to mysql, select the glance database and run
alter table migrate_version convert to character set utf8 collate utf8_unicode_ci;
( This was a bug I ran into )

Then run again

glance-manage db_sync

Log into mysql, you should see the glance tables.
service glance-registry restart
service glance-api restart

Tables should be created, run

glance index

Should return an empty list.

You will have to check an image into glance to boot. Openstack can boot many different types of linux distros. Glance stores these images.

Let's grab ubuntu 14.04  from  cloud-images.ubuntu.com

wget http://cloud-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-disk1.img

Add the image to glance.

glance image-create --name="ubuntu" --disk-format=qcow2 --container-format=bare --is-public=true < trusty-server-cloudimg-amd64-disk1.img

Running the glance index now shows the image is ready to use.

glance index
ID                                   Name                           Disk Format          Container Format     Size         
------------------------------------ ------------------------------ -------------------- -------------------- --------------
a3aa8e75-0cc5-4601-851f-3343ab9bf2ed ubuntu                         qcow2                bare                      254542336

Installing nova

Nova is the bread and butter of openstack. It controls which hypervisor to use, networking, the api, scheduling and many other features.

Create the users and endpoints in keystone
keystone user-create --name=nova --pass=test12 --email=me@me.com
keystone user-role-add --user=nova --tenant=service --role=admin

keystone service-create --name=nova --type=compute --description="Openstack Compute"

keystone endpoint-create   --service-id=$(keystone service-list | awk '/ compute / {print $2}')   --publicurl=http://controller:8774/v2/%\(tenant_id\)s   --internalurl=http://controller:8774/v2/%\(tenant_id\)s   --adminurl=http://controller:8774/v2/%\(tenant_id\)s


Before we begin I would like to note I ran into a bug with nova-api not starting.  Here is the fix if you run into this

( Troubleshooting nova-api )

chown -R nova:nova /var/lib/nova

If nova-api fails to start on 8774, you might have to remove python-netaddr and then restart all the python modules ( Buggy )
apt-get remove python-netaddr

( done troubleshooting )

Install all the nova python packages.

apt-get install nova-api nova-cert nova-conductor nova-consoleauth nova-novncproxy nova-scheduler python-novaclient nova-compute-kvm python-guestfs nova-network

cd /etc/nova

Edit /etc/nova/api-paste.ini with your settings

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = controller
auth_port = 35357
auth_protocol = http
auth_uri = http://controller:5000/v2.0
admin_tenant_name = service
admin_user = nova
admin_password = test12
auth_version = v2.0

nova-compute.conf sets the hypervisor. Qemu, Xen, KVM and VMware are supported

edit /etc/nova/nova-compute.conf

[DEFAULT]
compute_driver=libvirt.LibvirtDriver
[libvirt]
virt_type=qemu

edit /etc/nova/nova.conf, this file controls nova, the api , networking info etc

[DEFAULT]
dhcpbridge_flagfile=/etc/nova/nova.conf
dhcpbridge=/usr/bin/nova-dhcpbridge
logdir=/var/log/nova
state_path=/var/lib/nova
lock_path=/var/lock/nova
force_dhcp_release=True
iscsi_helper=tgtadm
libvirt_use_virtio_for_bridges=True
connection_type=libvirt
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
verbose=True
ec2_private_dns_show_ip=True
api_paste_config=/etc/nova/api-paste.ini
volumes_path=/var/lib/nova/volumes
enabled_apis=ec2,osapi_compute,metadata
auth_strategy=keystone
glance_host=controller
daemonize=1

rpc_backend = nova.rpc.impl_kombu
rabbit_host = controller
rabbit_password = test12

my_ip=10.0.2.15
vncserver_listen=10.0.2.15
vncserver_proxyclient_address=10.0.2.15
novncproxy_base_url=http://controller:6080/vnc_auto.html

network_manager=nova.network.manager.FlatDHCPManager
firewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver
network_size=254
allow_same_net_traffic=False
multi_host=True
send_arp_for_ha=True
share_dhcp_address=True
force_dhcp_release=True
flat_network_bridge=br100
flat_interface=tap0
public_interface=br100
vlan_interface=eth0

[database]
connection = mysql://root:test12@controller/nova

[keystone_authtoken]
auth_host = controller
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = test12

# end of nova.conf

Create the mysql database

nova-manage db sync


Restart all the services.

service nova-api restart
service nova-compute restart
service nova-cert restart
service nova-consoleauth restart
service nova-scheduler restart
service nova-conductor restart
service nova-novncproxy restart

Make sure everything is happy.

nova-manage service list

Nova-network is how the VMs get networking. Let's create a network.

service nova-network restart

nova network-create vmnet --fixed-range-v4=10.0.0.0/24 --bridge-interface=br100

Let's list the network

nova network-list
+--------------------------------------+-------+-------------+
| ID                                   | Label | Cidr        |
+--------------------------------------+-------+-------------+
| b5478144-e80c-4964-80cc-941cc2c1a2b2 | vmnet | 10.0.0.0/24 |
+--------------------------------------+-------+-------------+

Make sure nova can see our glance image

nova image-list
+--------------------------------------+--------+--------+--------+
| ID                                   | Name   | Status | Server |
+--------------------------------------+--------+--------+--------+
| a3aa8e75-0cc5-4601-851f-3343ab9bf2ed | ubuntu | ACTIVE |        |
+--------------------------------------+--------+--------+--------+

Install Cinder

Cinder is a block storage system that stores volumes and snapshots.

To Install

apt-get install cinder-api cinder-scheduler

Edit /etc/cinder/cinder.conf

Add the database settings and rabbitmq

[DEFAULT]
rootwrap_config = /etc/cinder/rootwrap.conf
api_paste_config = /etc/cinder/api-paste.ini
iscsi_helper = tgtadm
volume_name_template = volume-%s
volume_group = cinder-volumes
verbose = True
auth_strategy = keystone
state_path = /var/lib/cinder
lock_path = /var/lock/cinder
volumes_dir = /var/lib/cinder/volumes
glance_host = controller


[database]
connection = mysql://root:test12@controller/cinder

[keystone_authtoken]
auth_uri = http://controller:5000
auth_host = controller
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = cinder
admin_password = test12

rm -rf /var/lib/cinder/cinder.sqlite
cinder-manage db sync

Create the endpoints

keystone user-create --name=cinder --pass=test12 --email=me@me.com
keystone user-role-add --user=cinder --tenant=service --role=admin
keystone service-create --name=cinder --type=volume --description="OpenStack Block Storage"

keystone endpoint-create   --service-id=$(keystone service-list | awk '/ volume / {print $2}')   --publicurl=http://controller:8776/v1/%\(tenant_id\)s   --internalurl=http://controller:8776/v1/%\(tenant_id\)s   --adminurl=http://controller:8776/v1/%\(tenant_id\)s

keystone service-create --name=cinderv2 --type=volumev2 --description="OpenStack Block Storage v2"

keystone endpoint-create   --service-id=$(keystone service-list | awk '/ volumev2 / {print $2}')   --publicurl=http://controller:8776/v2/%\(tenant_id\)s   --internalurl=http://controller:8776/v2/%\(tenant_id\)s   --adminurl=http://controller:8776/v2/%\(tenant_id\)s

service cinder-scheduler restart
service cinder-api restart

Creating the LVM

apt-get install lvm2

pvcreate /dev/sdb
  Physical volume "/dev/sdb" successfully created

vgcreate cinder-volumes /dev/sdb
  Volume group "cinder-volumes" successfully created

Installing cinder-volume

Make sure cinder is working

Testing it out by creating a volume

cinder create --display-name myVolume 1

cinder list

pvscan

Horizon
At this point Openstack is ready to use. Horizon is a django web gui that ships with openstack.  

apt-get install apache2 memcached libapache2-mod-wsgi openstack-dashboard

Open up a web browser

http://controller/horizon

The username and password are your OS_USERNAME and OS_PASSWORD. You will be able to set security rules, create flavors, view stats and launch VMs.


That's it!

Openstack icehouse should be installed and running, you should be able to launch VMs, create snapshots and everything else.
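
Since every config file in this post reuses the test12 password, the root database login and the RabbitMQ guest account, a quick check for leftovers is useful before the host goes on a shared network. The script below is an added example, not part of the original post; the audit_conf and sample_conf names are illustrative and the sample input is constructed from settings shown above.

```sh
#!/bin/sh
# Added example (not from the original post): flag tutorial defaults that are
# still present in a service config file. Reads the file on stdin.
set -eu

# audit_conf: print "line N: finding" per hit; exit status 1 if anything found.
audit_conf() {
    awk '
        function report(msg) { printf "line %d: %s\n", NR, msg; found++ }
        /^[ \t]*#/ { next }                      # ignore commented-out settings
        /test12/ { report("tutorial password test12") }
        /^[ \t]*connection[ \t]*=[ \t]*mysql:\/\/root:/ { report("service connects to MySQL as root") }
        /^[ \t]*rabbit_userid[ \t]*=[ \t]*guest[ \t]*$/ { report("RabbitMQ guest account") }
        /^[ \t]*auth_protocol[ \t]*=[ \t]*http[ \t]*$/ { report("Keystone auth over plain http") }
        /^[ \t]*admin_token[ \t]*=/ { report("static admin_token configured") }
        END { exit (found > 0) }
    '
}

# Constructed sample, assembled from settings shown in this post.
sample_conf() {
    cat <<'EOF'
[DEFAULT]
rabbit_userid = guest
rabbit_password = test12
# auth_protocol = http
[database]
connection = mysql://root:test12@controller/nova
[keystone_authtoken]
auth_protocol = http
admin_user = nova
admin_password = test12
EOF
}

sample_conf | audit_conf || echo "tutorial defaults found (see lines above)"
```

On a real host, run it per file, for example audit_conf < /etc/nova/nova.conf, and treat a non-zero exit status as a failed check.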

Enjoy