OpenStack is an open source cloud management project that started in 2010. It is a set of software tools for building and managing cloud computing platforms; it lets users deploy, move, stop and start virtual machines, and so on. Cloud computing virtualizes resources into another layer, which is referred to "as a service" (Platform-as-a-Service, Software-as-a-Service). OpenStack is considered Infrastructure-as-a-Service (IaaS): it makes it easy for users to quickly add and manage new instances upon which other cloud components can run.
- Nova: The primary computing engine. It is used for creating, deploying and managing virtual machines.
- Cinder: The block storage component, which manages disk drives.
- Neutron: Provides the networking. It ensures that the components of a deployment can communicate with each other quickly and efficiently.
- Keystone: Provides identity services. A central place for users, roles and permissions.
- Glance: Provides image services. Images are virtual copies of hard disks, which are used as templates during deployment.
- Ceilometer: Provides telemetry services (billing of individual users based on usage reports).
- Horizon: The dashboard of OpenStack. It is the only graphical interface to OpenStack. Developers can access all of the components individually through an application programming interface (API), but the dashboard gives system administrators a look at what is going on in the cloud and lets them manage it as needed.
PowerVC is built on OpenStack, and it provides simplified virtualization and cloud management.
----------------------------------------------------------
Tokens:
Tokens and authentication are handled by the Keystone service in OpenStack. Any task (API call) starts with requesting a token. The same token is reused for later calls, so it needs to be requested only once. Several token formats exist in OpenStack (UUID, Fernet); PowerVC uses Fernet tokens.
Keystone needs a key repository in order to create Fernet tokens. The Fernet key repository can be found in /etc/keystone/fernet-keys. These keys are used to encrypt and decrypt tokens, and each key in the repository is in one of three states:
[labuser@ls-rh-s9838bav ~]$ sudo ls -l /etc/keystone/fernet-keys
-rw------- 1 keystone keystone 44 Jun 20 18:00 0 <--staged
-rw------- 1 keystone keystone 44 Jun 20 06:00 1950 <--secondary
-rw------- 1 keystone keystone 44 Jun 20 09:00 1951 <--secondary
-rw------- 1 keystone keystone 44 Jun 20 12:00 1952 <--secondary
-rw------- 1 keystone keystone 44 Jun 20 15:00 1953 <--primary
Primary key:
There is only one primary key in the repository, and it is the only key allowed to both encrypt and decrypt tokens. This key is always the one with the highest index in the repository.
Secondary key:
A secondary key was at one point the primary key but has been demoted when a new primary key took its place. It is only allowed to decrypt tokens. (Keystone must still be able to decrypt tokens that were created with old primary keys.)
Staged key:
There is only one staged key in a repository, and just like secondary keys, a staged key can decrypt tokens. Unlike a secondary key, a staged key has never been a primary key: it is the next key that will be promoted to primary. This key is always named 0 in the key repository.
So the Fernet keys have a natural lifecycle: each key starts as the staged key, is promoted to primary, and is then demoted to secondary. New tokens can only be encrypted with the primary key; secondary and staged keys are never used to encrypt tokens. The staged key is special in that it is the only key in the repository that has not yet had a chance to encrypt any tokens, but it is still allowed to decrypt them.
/var/log/keystone/keystone.log <--token related log file
openstack token issue <--create new token
openstack token revoke <--revoke a token
powervc-config identity token-expiration <--shows how long tokens are valid (by default it is 6 hours)
If the keys need to be rotated (the oldest sequence number is removed and a new highest sequence number is created), this command does it: keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone
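To make the three key states and the effect of rotation concrete, here is an added Python model of the key repository and of what keystone-manage fernet_rotate does to it. It is example code written for this page, not Keystone's own implementation: a keyed HMAC stands in for real Fernet encryption (Keystone uses AES-CBC plus HMAC through the cryptography package), the max_active_keys value of 3 is Keystone's default for the [fernet_tokens] section, and the token payload is constructed. It also shows the consequence of the lifecycle that matters operationally: once a key has been purged, tokens it encrypted stop validating, so the rotation interval times max_active_keys must stay longer than the token expiration.

```python
import base64
import hashlib
import hmac
import os
import tempfile


# Toy stand-in for Fernet (constructed for this example): real Keystone Fernet
# tokens are AES-128-CBC + HMAC-SHA256 via the `cryptography` package. Here a
# token is base64(payload || HMAC-SHA256(key, payload)); only a key holding the
# same secret can open it, which is enough to show the key lifecycle.
def _seal(key: bytes, payload: bytes) -> str:
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def _open(key: bytes, token: str):
    raw = base64.urlsafe_b64decode(token)
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, tag) else None


class FernetKeyRepository:
    """Models /etc/keystone/fernet-keys: file '0' is the staged key, the
    highest-numbered file is the primary key, everything else is secondary."""

    def __init__(self, path: str, max_active_keys: int = 3):
        self.path = path
        self.max_active_keys = max_active_keys  # keystone.conf [fernet_tokens] max_active_keys

    def _file(self, name: int) -> str:
        return os.path.join(self.path, str(name))

    def _write(self, name: int, key: bytes) -> None:
        with open(self._file(name), "wb") as f:
            f.write(base64.urlsafe_b64encode(key))  # 32 random bytes -> 44 chars, like the ls listing
        os.chmod(self._file(name), 0o600)

    def _read(self, name: int) -> bytes:
        with open(self._file(name), "rb") as f:
            return base64.urlsafe_b64decode(f.read())

    def indexes(self):
        return sorted(int(n) for n in os.listdir(self.path))

    def setup(self) -> None:
        # keystone-manage fernet_setup: key 0 (staged) and key 1 (primary)
        self._write(0, os.urandom(32))
        self._write(1, os.urandom(32))

    def role(self, name: int) -> str:
        if name == 0:
            return "staged"
        return "primary" if name == self.indexes()[-1] else "secondary"

    def rotate(self) -> None:
        # keystone-manage fernet_rotate, in three steps:
        # 1. the staged key (0) is promoted: renamed to highest index + 1
        os.rename(self._file(0), self._file(self.indexes()[-1] + 1))
        # 2. a fresh staged key is created as 0
        self._write(0, os.urandom(32))
        # 3. excess keys are purged, oldest secondary first, never the staged key
        keys = self.indexes()
        while len(keys) > self.max_active_keys:
            os.remove(self._file(keys.pop(1)))

    def issue_token(self, payload: bytes) -> str:
        # only the primary key ever encrypts
        return _seal(self._read(self.indexes()[-1]), payload)

    def validate_token(self, token: str):
        # any key may decrypt: primary first, then secondaries, then staged (0) last
        for name in reversed(self.indexes()):
            payload = _open(self._read(name), token)
            if payload is not None:
                return payload
        return None


def lifecycle_demo(max_active_keys: int = 3) -> dict:
    """Issue a token, rotate twice, and record when the token stops validating."""
    with tempfile.TemporaryDirectory() as d:
        repo = FernetKeyRepository(d, max_active_keys)
        repo.setup()
        token = repo.issue_token(b"user=admin;project=ibm-default")  # constructed payload, sealed with key 1
        trace = {"after_setup": [(i, repo.role(i)) for i in repo.indexes()]}
        repo.rotate()  # 0 -> 2 (primary), 1 -> secondary, new staged 0
        trace["after_rotate_1"] = [(i, repo.role(i)) for i in repo.indexes()]
        trace["valid_after_1"] = repo.validate_token(token) is not None
        repo.rotate()  # 0 -> 3 (primary); 4 keys > max_active_keys, so key 1 is purged
        trace["after_rotate_2"] = [(i, repo.role(i)) for i in repo.indexes()]
        trace["valid_after_2"] = repo.validate_token(token) is not None
        return trace


if __name__ == "__main__":
    for step, value in lifecycle_demo().items():
        print(step, value)
```

With the default of three active keys the token issued before the first rotation is still accepted after one rotation (its key is now secondary) and rejected after the second (its key was purged); calling lifecycle_demo(4) keeps it valid through both rotations, which is the trade-off to check against the token-expiration value above before scheduling fernet_rotate.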
Request a token:
(by default it is valid for 4 hours)
[admin@powervc ~]$ openstack token issue
+---------+------------------------------------------------------------------+
| Field   | Value                                                            |
+---------+------------------------------------------------------------------+
| expires | 2018-06-08T18:50:38+0000                                         |
| id      | gAAAAABbGnueKmapd2_O-J6cLL-PhFs-xe8-rtr555fdfds235fdd            |
| user_id | 0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9 |
+---------+------------------------------------------------------------------+
----------------------------------------
UUID tokens: keystone-manage token_flush
By default, Keystone persists UUID tokens in a SQL backend. An unfortunate side effect is that the size of the database grows over time regardless of the tokens' expiration time. Expired UUID tokens can be pruned from the backend with Keystone's command line utility: keystone-manage token_flush
This command is not needed at all when using Fernet tokens. Fernet tokens are not persisted and do not contribute to database bloat.
----------------------------------------------------------
OpenStack commands
OpenStack commands can be tested on the server where PowerVC is installed. For the commands to work in their short form, some variables need to be set first, like:
export OS_USERNAME=root
export OS_PASSWORD=mypass
export OS_AUTH_URL=https://powervc.mycompany.org:5000/v3/
export OS_CACERT=/etc/pki/tls/certs/powervc.crt
export OS_IDENTITY_API_VERSION=3
Without exporting those variables, an openstack command would look like this (and it would also prompt for the password):
[admin@powervc ~]$ openstack token issue --os-username=root --os-auth-url=https://powervc.mycompany.org:5000/v3/ --os-cacert=/etc/pki/tls/certs/powervc.crt --os-identity-api-version 3
The easiest way is to take all these variables from /opt/ibm/powervc/powervcrc.
For example:
1. cp /opt/ibm/powervc/powervcrc /home/<user> <--copy that parameter file to the home directory of the user
2. vi /home/<user>/powervcrc <--add the user and password used for the PowerVC login to this file
3. vi .bash_profile and add: source /home/<user>/powervcrc <--these parameters will then be loaded automatically at login
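The powervcrc copy now holds the PowerVC password in clear text, so before sourcing it a practitioner would check that only the owner can read it and that the endpoint settings are sane. The following checker is an added Python example, not part of PowerVC or of this page: the OS_* variable names and sample values come from the exports above, the weak and hardened rc files and the CA file are constructed in a temporary directory, and the checks themselves (mode 0600, https, identity version matching the /v3 URL, existing CA file) are this example's own.

```python
import os
import stat
import tempfile
from urllib.parse import urlparse

# Variables the exports above set (names from the page; values below are constructed).
REQUIRED = ("OS_USERNAME", "OS_PASSWORD", "OS_AUTH_URL", "OS_CACERT", "OS_IDENTITY_API_VERSION")


def parse_rc(path: str) -> dict:
    """Read `export NAME=value` lines from an rc file into a dict."""
    env = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("export "):
                line = line[len("export "):]
            name, sep, value = line.partition("=")
            if sep:
                env[name.strip()] = value.strip().strip("'\"")
    return env


def check_rc(path: str) -> list:
    """Return a list of findings; an empty list means the rc file looks sane."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is mode {mode:04o} but stores OS_PASSWORD in clear; chmod 600 it")
    env = parse_rc(path)
    for name in REQUIRED:
        if not env.get(name):
            findings.append(f"{name} is not set")
    url = urlparse(env.get("OS_AUTH_URL", ""))
    if url.scheme != "https":
        findings.append("OS_AUTH_URL is not https; password and tokens would cross the wire in clear")
    if url.path.rstrip("/").endswith("/v3") and env.get("OS_IDENTITY_API_VERSION") != "3":
        findings.append("OS_AUTH_URL points at /v3 but OS_IDENTITY_API_VERSION is not 3")
    cacert = env.get("OS_CACERT")
    if cacert and not os.path.isfile(cacert):
        findings.append(f"OS_CACERT {cacert} does not exist; TLS verification of the PowerVC endpoint will fail")
    return findings


def _write_rc(path: str, lines: list, mode: int) -> None:
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(path, mode)


def demo() -> tuple:
    """Build a weak and a hardened powervcrc (constructed) in a temp dir; return both finding lists."""
    with tempfile.TemporaryDirectory() as d:
        cacert = os.path.join(d, "powervc.crt")
        open(cacert, "w").close()  # stand-in for /etc/pki/tls/certs/powervc.crt
        weak = os.path.join(d, "powervcrc.weak")
        _write_rc(weak, [
            "export OS_USERNAME=root",
            "export OS_PASSWORD=mypass",
            "export OS_AUTH_URL=http://powervc.mycompany.org:5000/v3/",
            "export OS_CACERT=/nonexistent/powervc.crt",
            "export OS_IDENTITY_API_VERSION=3",
        ], 0o644)  # world-readable, plain http, missing CA file
        good = os.path.join(d, "powervcrc")
        _write_rc(good, [
            "# copied from /opt/ibm/powervc/powervcrc, then user and password added",
            "export OS_USERNAME=root",
            "export OS_PASSWORD='mypass'",
            "export OS_AUTH_URL=https://powervc.mycompany.org:5000/v3/",
            f"export OS_CACERT={cacert}",
            "export OS_IDENTITY_API_VERSION=3",
        ], 0o600)
        return check_rc(weak), check_rc(good)


if __name__ == "__main__":
    weak_findings, good_findings = demo()
    print("weak:", *weak_findings, sep="\n  ")
    print("hardened:", good_findings or "no findings")
```

Running check_rc against the real copy (check_rc(os.path.expanduser("~/powervcrc"))) before adding the source line to .bash_profile catches the common slip of leaving the copied file at the default 0644; an alternative that avoids the plaintext password entirely is to omit OS_PASSWORD from the file and let the openstack client prompt for it.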
----------------------------------------------------------
OpenStack Commands:
In the past each component (nova, cinder, neutron, ...) had its own CLI (command line interface), which means commands like these were available:
nova list list virtual machines (name, id, status: active or shutoff)
nova reboot <vm> reboot a virtual machine
keystone role-list view role list
neutron port-list list network ports owned by virt. machines
Later OpenStack integrated all these separate command line utilities into one main CLI, the "openstack" CLI.
Openstack documentation says this:
"The neutron CLI is now deprecated and will be removed in the future. Use openstack CLI instead. The keystone command line utility is pending deprecation. Over time, command line functionality will be phased out of the nova CLI and into the openstack CLI. Using the openstack client where possible is preferred but there is not full parity yet for all of the nova commands."
(Regarding the future of "cinder" and "glance" CLI I did not find anything, probably those will remain in future as well.)
Where a specific instance is needed (as in a show command), either the name or the id can be used; both work, as in the examples below:
openstack group show powervc-filter
openstack group show 985ad84d4d7a3232985de0a4220df82c5f3f38b8a961f12f8e19f1f964cbac8a
Most commands have these subcommands:
create/delete <--create or delete an object
list <--list instances
show <inst.> <--show details of a specific instance
set <inst.> <--set some parameter of a specific instance
openstack flavor list lists flavors (compute templates)
openstack flavor show <flavor> show details of specific flavor
openstack group list List groups
openstack group show <group> show details of a group
openstack group contains user <group> <user> Check user membership in group
openstack group add user <group> <user> Add user to group
openstack group create/delete <group> Create/Delete new group
openstack group remove user <group> <user> Remove user from group
openstack hypervisor list List hypervisors
openstack hypervisor show <host> Display hypervisor details
openstack image create/delete <image> Create/Delete an image
openstack image list List available images
openstack image show <image> Display image details
openstack network list lists networks
openstack network show <netw.> Show network details
openstack network create/delete <network> Create/Delete network
openstack network set Set network properties
openstack port list lists ports (virtual ethernet devices on LPARS, with MAC addresses)
openstack port show <port> Show port details
openstack port create/delete <port> Create/Delete port
openstack port set <port> Set port properties
openstack project list List projects
openstack project show <project> Display project details
openstack project create/delete <project> Create/Delete a project
openstack role add Adds a role assignment to a user or group or project
openstack role assignment list List role assignments
openstack role assignment list --user root --project 3cc716cc52c647bface86421017aed0d --names lists the roles of the given user (root)
openstack role create/delete … Create/Delete role
openstack role list List roles
openstack role remove Removes a role assignment from domain/project : user/group
openstack role set <role> Set role properties
openstack role show Display role details
openstack server list lists servers (name, id, status, network, image, flavor) (good command!!!)
openstack server create/delete create/delete a server
openstack server add/remove volume <server> <volume> add/remove volume from a server
openstack server image create... Create a new server disk image from an existing server
openstack server migrate ... Migrate server to different host
openstack server reboot ... Perform a hard or soft server reboot
openstack server resize ... Scale server to a new flavor
openstack server show <server> show details of a server
openstack server stop/start <server> stop/start a server
openstack server add/remove volume… add/remove volume to a server
openstack service list lists openstack components (nova, cinder...)
openstack service show <service> show details of the given service
openstack token issue Issue new token
openstack token revoke Revoke existing token
openstack user create/delete … Create/Delete new user
openstack user list List users
openstack user password set Change current user password
openstack user set … Set user properties
openstack user show … Display user details
openstack volume create/delete … Create/Delete volume
openstack volume list List volumes
openstack volume show… Show details of a volume
openstack volume snapshot create/delete … Create/Delete volume snapshot
openstack volume snapshot list List volume snapshots
openstack volume snapshot set Set volume snapshot properties
openstack volume snapshot show Display volume snapshot details
openstack volume type list lists storage providers
----------------------------------------------------------
Creating a virtual machine (the nova command will be deprecated):
# nova boot --image 7100-04-04 --flavor powervm.tiny --nic net-id=6dae83a7-b413-4c1d-b4dd-9ab24cdb36a2,v4-fixed-ip=111.112.113.114 new_vm_name
Some info from PowerVC redbook:
If you do not set a default domain name in the nova.conf file, IBM PowerVC uses the domain that is set for the VIOS on the host to which you are deploying. If IBM PowerVC cannot retrieve that value, it uses the domain name of the IBM PowerVC management host. If it cannot retrieve that value, no domain name is set and you must set the domain name manually after you deploy the image.
----------------------------------------------------------
Evacuating a host (the nova command will be deprecated)
# nova maintenance-enable --migrate active-only --target-host <host1> <host2>
It moves all partitions to another host (evacuate) and puts the server into maintenance mode.
----------------------------------------------------------