POWERVC - OPENSTACK

Openstack

OpenStack is an open source project, started in 2010, for managing clouds. It is a set of software tools for building and managing cloud computing platforms; it lets users deploy, move, stop and start virtual machines, and so on. Cloud computing virtualizes resources into another layer, which is referred to as "as a service" (Platform-as-a-Service, Software-as-a-Service). OpenStack is considered Infrastructure-as-a-Service (IaaS): it makes it easy for users to quickly add and manage new instances upon which other cloud components can run.

OpenStack is made up of different components:

- Nova: The primary computing engine (creating virtual machines). It is used for deploying and managing virtual machines.
- Cinder: The block storage component, which manages disk drives.
- Neutron: Provides the networking. It ensures that the components of a deployment can communicate with each other quickly and efficiently.
- Keystone: Provides identity services. A central place for users, roles and permissions.
- Glance: Provides image services. Images are virtual copies of hard disks, which are used as templates during deployment.
- Ceilometer: Provides telemetry services (billing individual users based on usage reports).
- Horizon: The dashboard of OpenStack. It is the only graphical interface to OpenStack. Developers can access all of the components individually through an application programming interface (API), but the dashboard gives system administrators a look at what is going on in the cloud and lets them manage it as needed.

PowerVC is built on OpenStack, and it provides simplified virtualization and cloud management.

----------------------------------------------------------

Tokens:

Tokens and authentication are handled by the Keystone service in OpenStack. Any task (API call) starts with requesting a token. The same token is used for later calls, so it needs to be requested only once. There are several types of tokens available in OpenStack (UUID, Fernet); PowerVC uses Fernet tokens.

Keystone requires a key repository in order to create Fernet tokens. The Fernet key repository can be found in /etc/keystone/fernet-keys. These keys are used to encrypt and decrypt tokens, and each key in the repository can be in one of three states:

[labuser@ls-rh-s9838bav ~]$ sudo ls -l /etc/keystone/fernet-keys
-rw------- 1 keystone keystone 44 Jun 20 18:00 0     <--staged
-rw------- 1 keystone keystone 44 Jun 20 06:00 1950  <--secondary
-rw------- 1 keystone keystone 44 Jun 20 09:00 1951  <--secondary
-rw------- 1 keystone keystone 44 Jun 20 12:00 1952  <--secondary
-rw------- 1 keystone keystone 44 Jun 20 15:00 1953  <--primary

Primary key:
There is only one primary key in the repository, and it is allowed to both encrypt and decrypt tokens. This key always has the highest index (file name) in the repository.

Secondary key:
A secondary key was at one point a primary key, but has been demoted in favour of another primary key. It is only allowed to decrypt tokens. (Keystone needs to be able to decrypt tokens that were created with old primary keys.)

Staged key:
There is only one staged key in a repository and, just like secondary keys, a staged key can only decrypt tokens. Unlike a secondary key, a staged key has never been a primary key; it is the next key staged to become the primary key. This key is always named 0 in the key repository.

So the Fernet keys have a natural lifecycle. Each key starts as a staged key, is promoted to be the primary key, and is then demoted to be a secondary key. New tokens can only be encrypted with the primary key; secondary and staged keys are never used to encrypt tokens. The staged key is special: it is the only key in the repository that has not yet had a chance to encrypt any tokens, but it is still allowed to decrypt tokens.

more details: https://docs.openstack.org/keystone/pike/admin/identity-fernet-token-faq.html


/var/log/keystone/keystone.log                <--token related log file
openstack token issue                         <--create new token
openstack token revoke                        <--revoke a token
powervc-config identity token-expiration      <--shows how long tokens are valid (by default it is 6 hours)

If key rotation is needed to generate new keys (the oldest sequence number is removed and a new highest sequence number is created), this command does it: keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone
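To make the key lifecycle and the effect of fernet_rotate concrete, here is an added Python example (not Keystone's code and not from the original post): it simulates the key repository with Keystone's naming rule (0 is staged, the highest index is primary), rotates it the way fernet_rotate does, and uses a keyed MAC as a stand-in for Fernet encryption to show that a token issued under one primary key stays valid only while that key is still in the repository. The max_active_keys value (Keystone's [fernet_tokens] option), the guard of at least two keys and the token payload are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

STAGED = 0  # keystone always names the staged key "0"; the highest index is the primary

def new_key() -> str:
    # 32 random bytes, urlsafe-base64: 44 chars, the size of every file in the listing above
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()

def classify(repo: dict) -> dict:
    """Map each key index to staged / primary / secondary by the naming rule."""
    primary = max(repo)
    return {i: "staged" if i == STAGED else "primary" if i == primary else "secondary"
            for i in repo}

def rotate(repo: dict, max_active_keys: int = 3) -> None:
    """Simulate keystone-manage fernet_rotate: staged key 0 becomes the new primary
    (highest index), a fresh key 0 is written, oldest secondaries are purged to fit."""
    if max_active_keys < 2:  # assumed guard: room for a staged and a primary key
        raise ValueError("max_active_keys must be at least 2")
    repo[max(repo) + 1] = repo.pop(STAGED)
    repo[STAGED] = new_key()
    while len(repo) > max_active_keys:
        del repo[min(i for i in repo if i != STAGED)]

def issue_token(repo: dict, payload: bytes) -> bytes:
    # Stand-in for Fernet: keyed MAC under the primary key only; no key id in the token
    mac = hmac.new(repo[max(repo)].encode(), payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac)

def validate_token(repo: dict, token: bytes) -> bool:
    # Like MultiFernet: try every key still in the repository (primary, secondary, staged)
    raw = base64.urlsafe_b64decode(token)
    payload, mac = raw[:-32], raw[-32:]
    return any(hmac.compare_digest(hmac.new(k.encode(), payload, hashlib.sha256).digest(), mac)
               for k in repo.values())

def rotation_demo(max_active_keys: int = 3, rotations: int = 3) -> list:
    """Issue one token, rotate, and record after each rotation whether it still validates.
    A fresh repository (as fernet_setup leaves it) holds keys 0 (staged) and 1 (primary)."""
    repo = {STAGED: new_key(), 1: new_key()}
    token = issue_token(repo, b"constructed payload: user=root project=demo")
    results = []
    for _ in range(rotations):
        rotate(repo, max_active_keys)
        results.append(validate_token(repo, token))
    return results
```

Rotating more often than tokens expire with a small max_active_keys purges the key that still-valid tokens were issued under, which is what the False results from rotation_demo show.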


Request a token:
(by default it is valid for 4 hours)

[admin@powervc ~] $ openstack token issue
+---------+-------------------------------------------------------------------+
| Field   | Value                                                             |
+---------+-------------------------------------------------------------------+
| expires | 2018-06-08T18:50:38+0000                                          |
| id      | gAAAAABbGnueKmapd2_O-J6cLL-PhFs-xe8-rtr555fdfds235fdd             |
| user_id | 0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9  |
+---------+-------------------------------------------------------------------+

----------------------------------------
UUID tokens: keystone-manage token_flush
By default, Keystone persists UUID tokens using a SQL backend. An unfortunate side-effect is that the size of the database grows over time regardless of the tokens' expiration time. Expired UUID tokens can be pruned from the backend using Keystone's command line utility: keystone-manage token_flush

It is not required to run this command at all if using Fernet tokens. Fernet tokens are not persisted and do not contribute to database bloat.
----------------------------------------


----------------------------------------------------------

OpenStack commands

OpenStack commands can be tested on the server where PowerVC is installed. Before OpenStack commands can be used in their short form, some variables need to be set, like:
export OS_USERNAME=root
export OS_PASSWORD=mypass
export OS_AUTH_URL=https://powervc.mycompany.org:5000/v3/
export OS_CACERT=/etc/pki/tls/certs/powervc.crt
export OS_IDENTITY_API_VERSION=3


Without exporting those variables an openstack command would look like this (it would also ask for the password):
[admin@powervc ~]$ openstack token issue --os-username=root --os-auth-url=https://powervc.mycompany.org:5000/v3/ --os-cacert=/etc/pki/tls/certs/powervc.crt --os-identity-api-version 3

The easiest way is to get all these variables from /opt/ibm/powervc/powervcrc.

For example:
1. cp /opt/ibm/powervc/powervcrc  /home/<user>                          <--copy the parameter file to the home directory of the user
2. vi /home/<user>/powervcrc                                            <--add the user and password to this file, which is used for the PowerVC login (keep it readable only by that user)
3. vi .bash_profile and add: source /home/<user>/powervcrc              <--during login these parameters will be loaded automatically

----------------------------------------------------------

Openstack Commands:

In the past each component (nova, cinder, neutron…) had a separate CLI (command line interface), which means these types of commands were available:
nova list                                      list virtual machines (name, id, status: active or shutoff)
nova reboot <vm>                               reboot a virtual machine
keystone role-list                             view role list
neutron port-list                              list network ports owned by virt. machines

Later OpenStack integrated all these separate command line utilities into one main CLI, the "openstack cli".

Openstack documentation says this:
"The neutron CLI is now deprecated and will be removed in the future. Use openstack CLI instead. The keystone command line utility is pending deprecation. Over time, command line functionality will be phased out of the nova CLI and into the openstack CLI. Using the openstack client where possible is preferred but there is not full parity yet for all of the nova commands."
(Regarding the future of "cinder" and "glance" CLI I did not find anything, probably those will remain in future as well.)

Where a specific instance is needed (as in a show command), either the name or the id can be used; both work, as in the examples below:
openstack group show powervc-filter
openstack group show 985ad84d4d7a3232985de0a4220df82c5f3f38b8a961f12f8e19f1f964cbac8a

Most commands have these options:
create/delete      <--create or delete an object
list               <--list instances
show <inst.>       <--show details of a specific instance
set <inst.>        <--set some parameter of a specific instance

openstack flavor list                           lists flavors (compute templates)
openstack flavor show <flavor>                  show details of specific flavor

openstack group list                            List groups
openstack group show <group>                    show details of a group         
openstack group contains user <group> <user>    Check user membership in group
openstack  group add user <group> <user>        Add user to group
openstack  group create/delete <group>          Create/Delete new group
openstack group remove user <group> <user>      Remove user from group

openstack  hypervisor list                      List hypervisors
openstack  hypervisor show <host>               Display hypervisor details

openstack image create/delete <image>           Create/Delete an image
openstack image list                            List available images
openstack image show <image>                    Display image details

openstack network list                          lists networks
openstack network show <netw.>                  Show network details
openstack network create/delete <network>       Create/Delete network
openstack network set                           Set network properties

openstack port list                             lists ports (virtual ethernet devices on LPARS, with MAC addresses)
openstack port show <port>                      Show port details
openstack port create/delete <port>             Create/Delete port
openstack port set <port>                       Set port properties

openstack project list                          List projects
openstack project show <project>                Display project details
openstack project create/delete <project>       Create/Delete a project

openstack role add                              Adds a role assignment to a user or group or project
openstack role assignment list                  List role assignments
openstack role assignment list --user root --project 3cc716cc52c647bface86421017aed0d --names   lists the roles of the given user (root)
openstack role create/delete …                  Create/Delete role
openstack role list                             List roles
openstack role remove                           Removes a role assignment from domain/project : user/group
openstack role set  <role>                      Set role properties
openstack role show                             Display role details

openstack server list                           lists servers (name, id, status, network, image, flavor) (good command!!!)
openstack server create/delete                  create/delete a server
openstack server add/remove volume <server> <volume>   add/remove a volume to/from a server
openstack server image create...                Create a new server disk image from an existing server
openstack server migrate ...                    Migrate server to different host
openstack server reboot ...                     Perform a hard or soft server reboot
openstack server resize ...                     Scale server to a new flavor
openstack server show <server>                  show details of a server
openstack server stop/start <server>            stop/start a server

openstack service list                          lists openstack components (nova, cinder...)
openstack service show <service>                show details of the given service

openstack token issue                           Issue new token
openstack token revoke                          Revoke existing token

openstack user create/delete …                  Create/Delete new user
openstack user list                             List users
openstack user password set                     Change current user password
openstack user set  …                           Set user properties
openstack user show …                           Display user details

openstack volume create/delete …                Create/Delete volume
openstack volume list                           List volumes
openstack volume show …                         Show details of a volume

openstack volume snapshot create/delete …       Create/Delete volume snapshot
openstack volume snapshot list                  List volume snapshots
openstack volume snapshot set                   Set volume snapshot properties
openstack volume snapshot show                  Display volume snapshot details

openstack volume type list                      lists storage providers

----------------------------------------------------------

Creating a virtual machine (the nova command will be deprecated):
# nova boot --image 7100-04-04 --flavor powervm.tiny --nic net-id=6dae83a7-b413-4c1d-b4dd-9ab24cdb36a2,v4-fixed-ip=111.112.113.114 new_vm_name

Some info from PowerVC redbook:
If you do not set a default domain name in the nova.conf file, IBM PowerVC uses the domain that is set for the VIOS on the host to which you are deploying. If IBM PowerVC cannot retrieve that value, it uses the domain name of the IBM PowerVC management host. If it cannot retrieve that value, no domain name is set and you must set the domain name manually after you deploy the image.

----------------------------------------------------------

Evacuating a host (the nova command will be deprecated)

# nova maintenance-enable --migrate active-only --target-host <host1> <host2>

It moves all partitions to another host (evacuate) and sets the server in maintenance mode.

----------------------------------------------------------



