The Full Stacky

Tuesday, June 13, 2017

OpenStack Reboot Part Deux

OpenStack Rebooted... Part Deux

(spoiler alert - this ends badly)

Day 4 - Node Prep

k. As mentioned there have been some hardware updates. The biggest changes are the addition of a couple of R510s loaded up with drives to act as Ceph nodes and a couple of R620s to increase out compute node count.

The first time we did day 4 it became obvious that using the Ironic pxe_drac driver wasn't all that great for Gen11 servers even though it was recommended. There's a good slideshow from Redhat on troubleshooting ironic (http://dtantsur.github.io/talks/fosdem2016/#/6) that has a great quote on this:

Ironic has different drivers. Some hardware is supported by more than one of them.
Make sure to carefully choose a driver to use: vendor-specific drivers (like pxe_drac or pxe_ilo) are usually preferred over more generic ones (like pxe_ipmitool). Unless they don't work :)

So there's that. They are preferred if they work. Since I'm throwing a few Gen12 nodes into the mix I tried the pxe_drac driver on them and it seems to have worked so far (knock on silicon). Everything else I've left as pxe_ipmitool.

The 'openstack baremetal import' command is deprecated now. The new hotness is:

$ openstack overcloud node import instackenv.json
Waiting for messages on queue 'e5a76db8-d9d3-4563-a6d0-e4487cfd60ea' with no timeout.
Successfully registered node UUID d4fb130b-84e2-49de-af8a-70649412d9d3
Successfully registered node UUID e33069b8-e757-44b5-89cc-9b6fd51c2d47
Successfully registered node UUID d625ea11-4f67-4e29-958e-9b7c6e55790e
Successfully registered node UUID c5acfdfa-993b-482e-9f58-a403bf1fc976
Successfully registered node UUID 13d99f7f-567d-496c-8892-57066f23fcc2
Successfully registered node UUID 42dc02a2-ebe7-461d-95d6-a821248b4a33
Successfully registered node UUID 4dbf1ed1-864e-4fbb-886b-38c473d3a371
Successfully registered node UUID 3d9be490-7a86-4bd5-b299-3377b790ef8a
Successfully registered node UUID 62c7b754-5b52-40e8-9656-69c102a273ff

[stack@ostack-director ~]$ openstack baremetal node list

+--------------------------------------+---------+---------------+-------------+--------------------+-------------+
| UUID                                 | Name    | Instance UUID | Power State | Provisioning State | Maintenance |
+--------------------------------------+---------+---------------+-------------+--------------------+-------------+
| d4fb130b-84e2-49de-af8a-70649412d9d3 | TAG-203 | None          | power off   | manageable         | False       |
| e33069b8-e757-44b5-89cc-9b6fd51c2d47 | TAG-201 | None          | power off   | manageable         | False       |
| d625ea11-4f67-4e29-958e-9b7c6e55790e | TAG-625 | None          | power off   | manageable         | False       |
| c5acfdfa-993b-482e-9f58-a403bf1fc976 | TAG-202 | None          | power off   | manageable         | False       |
| 13d99f7f-567d-496c-8892-57066f23fcc2 | TAG-626 | None          | power off   | manageable         | False       |
| 42dc02a2-ebe7-461d-95d6-a821248b4a33 | TAG-627 | None          | power off   | manageable         | False       |
| 4dbf1ed1-864e-4fbb-886b-38c473d3a371 | TAG-628 | None          | power off   | manageable         | False       |
| 3d9be490-7a86-4bd5-b299-3377b790ef8a | TAG-629 | None          | power off   | manageable         | False       |
| 62c7b754-5b52-40e8-9656-69c102a273ff | TAG-630 | None          | power off   | manageable         | False       |
+--------------------------------------+---------+---------------+-------------+--------------------+-------------+

And just like the first time through... so far so good.

Starting with OpenStack Newton it was possible to to add a '--enroll' command line to the import so that nodes would enter in the 'enroll' state rather than the 'manageable' state. This, in turn, allows you to selectively move some nodes to the 'manageable' state for introspection. You can also one shot that during impot with '--introspect --provide' which would do introspection and set the final state to 'available'.

On to Introspection.

Day 5 - Introspection

This actually brings us into 2017 which feels like progress.

This should "just work" but I have a couple of doubts:
1. I didn't wipe the drives on a couple of nodes from the previous setup; will they PXE boot properly?
2. The R510s are all using UEFI instead of BIOS. Is that even an issue?
3. The Ceph nodes have multiple drives. The TripleO docs have a warning "If you don't specify the root device explicitly, any device may be picked. Also the device chosen automatically is NOT guaranteed to be the same across rebuilds. Make sure to wipe the previous installation before rebuilding in this case." So there's that. That would be an Advanced Deployment: https://docs.openstack.org/developer/tripleo-docs/advanced_deployment/root_device.html#root-device

None of our nodes are in maintenance mode (that column is all false). All are listed as 'manageable'.

Ironic Inspectors sets up a DHCP+iPXE server listening to requests from bare metal nodes.

Also new with Ocata you can run a suite of pre-introspection validations.

$ openstack workflow execution create tripleo.validations.v1.run_groups '{"group_names": ["pre-introspection"]}'

Getting results from this is a little more complex. In my opinion the easiest way is to:

$ openstack task execution list | grep RUNNING

When that returns no results than the workflow is finished and we can look at ERRORs

$ openstack task execution list | grep run_validation | grep ERROR

If there are no errors, you win, move along. If there are errors we can take a closer look.

$ mistral task-get-result {ID}

{ID} is the first column of the task execution list. This should point you in the right direction.

Back to introspection. The 'bulk start' way we did it previously is also gone. We have a couple of options. We can stay with the bulk introspection with:

# openstack overcloud node introspect --all-manageable

This does exactly what you think. It runs introspection on all nodes in the 'manageable' provisioning state. Optionally we can slap a '--provide' at the end to automatically put nodes in the 'available' state past introspection. (Nodes have to be 'available' before they can be deployed into the overcloud).

Alternately we can do them one node at a time which we'd do if we are paranoid about any node succeeding. Still another option would be to bulk shoot it and then re-do some nodes individually. To do individual nodes:

$ openstack baremetal node manage {UUID/NAME}
$ openstack baremetal introspection start {UUID}
$ openstack baremetal introspection status {UUID}
$ openstack baremetal node provide {UUID}

I'm going to bulk run it and then troubleshoot the failures. This is a workflow so you can use technique similar to monitoring the validation workflow to see some progress. I'd do it in another shell so as not to potentially interrupt.

$ openstack overcloud node introspect --all-manageable --provide
Started Mistral Workflow tripleo.baremetal.v1.introspect_manageable_nodes. Execution ID: c9c0b86a-cb3c-49dd-8d80-ec91798b00bb
Waiting for introspection to finish...
Waiting for messages on queue '1ee5d201-012c-4a3a-8332-f63c49b655f3' with no timeout.
.
.

And... everything fails.

Ok. So troubleshooting some IPMI? I expected. Troubleshooting a bit of PXE? Yep. Here the introspection image just keeps cycling and claims it has no network.

*sigh* So... Reality time. So far on OpenStack deployments with Triple-O I've spent 95% of the actual frustration time with ipmi, pxe and assorted Ironic/Baremetal problems. And here's the thing... none of that has anything to do with my final OpenStack cloud! I really wanted to work it this way because it seems somehow elegant... clever. But it really isn't at all worth the time and effort beating down problems in technologies that really aren't bringing anything to the final solution.

Decision time: Continue on with Triple-O trying the 'Deployed Server' methodology or switch to a different deployment method entirely?

Deployed Server essentially means I pre-install CentOS, pre-set the networking (no understack providing neutron based DHCP), install the package repositories, install python-heat-agent packages and then invoke openstack overcloud deploy... sort of. The documentation gets a bit sketch at this point on where we specify the various IP addresses. And in the end... what will the undercloud be bringing to the party?

Alternate install options: ansible (looks like it prefers Ubuntu and utilizes LXC), Puppet (I know puppet pretty well), kola-ansible, go it manually.

Decisions decisions... what I do know is that TripleO has too many moving parts, not enough soup to nuts walkthroughs. When it works it just works. If it doesn't you are clueless.

Thursday, June 8, 2017

OpenStack Reboot

And... time passes. Wow. I was getting back into it and noticed that I had left Day 7 as draft. Just clicked the publish button but that's more as a historical reminder for me than anything useful. Time has passed. The age of newton is gone and OpenStack is now (June 2017) all Ocata. I attended OpenStack summit in Boston and there are a lot of great plans for Pike, Queens and Rocky already in motion.

I made a lot of undocumented progress on the previous iteration and we are pushing past proof of concept. There are still some unsettled issues but we'll address them as they come. Rather than attempting to upgrade the existing setup I'm going to wipe everything and start clean. I'll be going through the first part pretty fast just noting where the process has changed from Newton and go through the same "day" type setup so it's easy to reference backward and forward. This may be a tad lengthy and I'm not going to be format obsessed... just trying to catch up.

Day 1 - Still going with TripleO

My reasoning is unchanged. Openstack-Ansible is coming along nicely and a lot of good thoughts from using Puppet directly as well. However, in the end I'm sticking with TripleO. So there's also a couple of new goodies in TripleO that I was unaware of (shocking right?). These are:

Composable Roles - Rather than a single monolithic template, each service is encapsulated in a separate template allowing you to easily select which services are deployed/enabled on a particular role. There's a composable roles tutorial available: http://tripleo-docs.readthedocs.io/en/latest/tht_walkthrough/tht_walkthrough.html
Split Stack (Deployed Server) - The basic idea is to split the configuration into two parts: 1) deploy baremetal nodes and not deploy any software configurations on those nodes; 2) Applying software configuration to deploy openstack on already deployed baremetal nodes (using the deployed-server-templates probably). The upshot of this from my viewpoint is that a lot of the BMC/IPMI issues may be dodgeable because you can manually deploy the baremetal and then let TripleO pick it up at the 2nd half. At least that's the theory. James Slagle did a deep dive on deployed-server: See https://openstack.nimeyo.com/112516/openstack-tripleo-deep-dive-thursday-1400-deployed-server

Day 2 - Deploying the Undercloud

Pretty much the exact same process on the exact same director hardware. Since this will be a more production-ish deploy some of the decisions have changed. Specifically I'll be deploying 3 controllers, 3 compute nodes and 3 ceph OSD nodes.

Install CentOS 7 on the hardware. Once again leaving Gigabit 1 (eno1) off in favor of eno2 which will have DHCP client enabled. 'yum update' everything up to the latest and greatest. Unlike with the Newton install the Ocata install had no package conflicts.

sudo yum -y upgrade
sudo shutdown -r now

sudo useradd stack
sudo passwd # specify a password
echo "stack ALL=(root) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/stack
sudo chmod 0440 /etc/sudoers.d/stack
su -l stack # from here out we'll do things as the stack user

sudo hostnamectl set-hostname myhost.mydomain
sudo hostnamectl set-hostname --transient myhost.mydomain
vi /etc/hosts # set hostname on 127.0.0.1

sudo curl -L -o /etc/yum.repos.d/delorean-ocata.repo \
https://trunk.rdoproject.org/centos7-ocata/current/delorean.repo

sudo curl -L -o /etc/yum.repos.d/delorean-deps-ocata.repo \
https://trunk.rdoproject.org/centos7-ocata/delorean-deps.repo

sudo yum -y install --enablerepo=extras centos-release-ceph-jewel
sudo sed -i -e 's%gpgcheck=.*%gpgcheck=0%' /etc/yum.repos.d/CentOS-Ceph-Jewel.repo

sudo yum -y install yum-plugin-priorities
sudo yum install -y python-tripleoclient

cp /usr/share/instack-undercloud/undercloud.conf.sample ~/undercloud.conf

The Ocata docs reference an online configuration wizard for the undercloud.conf. Its available at http://ucw-bnemec.rhcloud.com/ and is pretty sparse but does "generate sane values for a number of the important options". I ended up with this which I pasted into the bottom of my undercloud.conf file.

# Config generated by undercloud wizard
# Use these values in undercloud.conf
[DEFAULT]
undercloud_hostname = ostack-director.mydomain.com
local_interface = eno1
local_mtu = 1500
network_cidr = 192.168.50.0/24
masquerade_network = 192.168.50.0/24
local_ip = 192.168.50.1/24
network_gateway = 192.168.50.1
undercloud_public_host = 192.168.50.78
undercloud_admin_host = 192.168.50.79
undercloud_service_certificate =
generate_service_certificate = False
scheduler_max_attempts = 20
dhcp_start = 192.168.50.100
dhcp_end = 192.168.50.200
inspection_iprange = 192.168.50.80,192.168.50.99
# Deprecated names for compatibility with older releases
discovery_iprange = 192.168.50.80,192.168.50.99
undercloud_public_vip = 192.168.50.78
undercloud_admin_vip = 192.168.50.79
Finally...
$ openstack undercloud install
.
.
#############################################################################
Undercloud install complete.
The file containing this installation's passwords is at
/home/stack/undercloud-passwords.conf.
There is also a stackrc file at /home/stack/stackrc.
These files are needed to interact with the OpenStack services, and should be
secured.
#############################################################################
And a quick peak around at some of the networking...
[stack@ostack-director ~]$ source stackrc
[stack@ostack-director ~]$ openstack network list
+--------------------------------------+----------+--------------------------------------+
| ID                                   | Name     | Subnets                              |
+--------------------------------------+----------+--------------------------------------+
| fd15b684-de12-4da0-a438-8e9600dace3d | ctlplane | d036ddb7-de9a-46fe-a4c7-e81e6bb08619 |
+--------------------------------------+----------+--------------------------------------+
[stack@ostack-director ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master ovs-system state DOWN qlen 1000
    link/ether 00:1e:c9:2c:b9:88 brd ff:ff:ff:ff:ff:ff
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1e:c9:2c:b9:8a brd ff:ff:ff:ff:ff:ff
    inet 10.92.3.49/18 brd 10.92.63.255 scope global dynamic eno2
       valid_lft 1282290sec preferred_lft 1282290sec
    inet6 fe80::21e:c9ff:fe2c:b98a/64 scope link
       valid_lft forever preferred_lft forever
4: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether d2:73:a4:4d:3d:dd brd ff:ff:ff:ff:ff:ff
5: br-ctlplane: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
    link/ether 00:1e:c9:2c:b9:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.1/24 brd 192.168.50.255 scope global br-ctlplane
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:c9ff:fe2c:b988/64 scope link
       valid_lft forever preferred_lft forever
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 02:42:d5:da:d2:ff brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
7: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 1a:a7:ef:d9:54:40 brd ff:ff:ff:ff:ff:ff
[stack@ostack-director ~]$ ip netns
qdhcp-fd15b684-de12-4da0-a438-8e9600dace3d
[stack@ostack-director ~]$ sudo ip netns exec qdhcp-fd15b684-de12-4da0-a438-8e9600dace3d ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: tap6dde9c03-b9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:15:cd:64 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.100/24 brd 192.168.50.255 scope global tap6dde9c03-b9
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe15:cd64/64 scope link
       valid_lft forever preferred_lft forever

Day 6.5 - TripleO UI

Skipping ahead here a bit but it's worth it to get more validation that our install is good so far. So the puppet scripts bind port 3000 to the 192.168.50.1 IP Address we specified in undercloud.conf. Makes sense but not what I want. A quick look at the previous Day 6.5 will show you installing and configuring a proxy on the external/dhcp address. We do that again here. We can't just modify the httpd configuration because it'll want access to keystone on that same IP and that starts us down a path we don't want to follow. Squid will work for testing and later I'll just put in some routing. Either way the goal here is to get to where you can point our browser at http://ostack-director.mydomain.com:3000

Winner. The username and password can be found in the stackrc file:

OS_USERNAME=admin

OS_PASSWORD=${sudo hiera admin_password}

$ sudo hiera admin_password

d9b9e6db075ce13d3f2a2d83bc41e8d11039223e

Day 3 - Creating the Boot Images

export DIB_YUM_REPO_CONF="/etc/yum.repos.d/delorean*"
export DIB_YUM_REPO_CONF="$DIB_YUM_REPO_CONF /etc/yum.repos.d/CentOS-Ceph-Jewel.repo"
export STABLE_RELEASE="ocata"
openstack overcloud image build --all

OpenStack Day 7 - Overstack Validation, Post-Deployment and Testing

It's alive!

At the end of the Overstack deployment you should have been given the IP address of the controller. You can also see that if you login to the Undercloud-UI (at the bottom):

[Note: even though we'll be destroying and redeploying a number of times I'm making an effort to get into the habit of not disclosing passwords.]

You should be able to access the dashboard of the new controller if you have access to the network on which it's deployed (via routing, workstation on the subnet or the squid proxy we setup earlier). See TripleO-UI Detour for thoughts on getting remote access to that network.

If you point a browser at http://{controller_IP}/ (e.g. http://192.168.50.108/ in the above) it should redirect to the dashboard (i.e. http://192.168.50.108/dashboard/) where you'll be presented with a login. The login credentials from the Undercloud UI should work fine as will the credentials from the overcloudrc file (see below).

The overstack deployment created a file called 'overstackrc'. This will be in the ~/stack directory of the OpenStack Director if you've been following along. By sourcing that file we will be able to use the openstack command-line tools from the director to manage the overstack. Not our end goal but a good first step along the validation process.

[Note: You can switch back to the undercloud at any time by resourcing the 'stackrc' file created during understand deployment.]
[Note2: If you tried to get fancy and deploy from the Undercloud UI this file will not be created... you should create it yourself as having it will save you some heartache later. The contents of the file is listed below and the only real substitutions will be the IP Addresses and OS_PASSWORD.]


$ source ~/overcloudrc

$ cat ~/overcloudrc

export OS_NO_CACHE=True
export OS_CLOUDNAME=overcloud
export OS_AUTH_URL=http://192.168.50.108:5000/v2.0
export NOVA_VERSION=1.1
export COMPUTE_API_VERSION=1.1
export OS_USERNAME=admin
export no_proxy=,192.168.50.108,192.168.50.108
export OS_PASSWORD=_REMOVED_

export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"
export OS_TENANT_NAME=admin

Now all this does is change some environment variables so that when you run OpenStack commands it checks in with the Overstack Keystone instead of the Understack (Director) Keystone. And, of course, it provides the correct credentials for authenticating with that Keystone.

This presupposes that the Deployment worked. If it didn't then begins a long cycle of figuring out what went wrong, destroying the deploy and re-deploying. As I said we're going to destroy and re-deploy a few times so more on that later. As far as debugging the deployment you have the usual resources: logs and experience. At this point you'll find that both are a little lacking. If you have a monitor connected to the overcloud devices you can see, and possible eliminate, a number of problems such as not PXE booting, not being powered on by IPMI, etc...

Mine didn't fail this time fortunately but here's my short list of resources for when it does:

Debugging TripleO Heat templates - if all else fails or I just want to get into Heat
Troubleshooting a Failed Overcloud Deployment - This is where I'd start
Then I'd be on to Google :(

But our overstack deployment worked so let's move onward and make sure we can do something clever with it. First thing's first. There are some post-deployment steps that need to be taken and these do require a bit of forethought. This is another area where I think the TripleO documentation (ditto for the Red Hat Director documentation). They talk about these steps but don't explain the ramifications.

Post-Validation

Just like we ran a pre-deployment validation we can also run the post-deployment validation:

$ source stackrc
$ openstack workflow execution create tripleo.validations.v1.run_groups '{"group_names": ["post-deployment"]}'

Just like we did with the pre-deployment we will then use 'openstack task execution list' to see the status of the various processes and 'mistral task-get-result {ID}' to look at details.

[Note: One of my validations gave me an error stating that the overcloudrc file didn't exist. I "fixed" this by changing the permissions on the /home/stack directory: 'chmod 755 /home/stack'. I'd guess this is because mistral is running tasks as the 'mistral' user which didn't have access to /home/stack with it's default permissions (0700). OTOH - there are files in this directory that I really should want other users seeing/using (permissions to undercloud and overcloud... so I think it's prudent to set the permissions back to 0700 after the validation suite completes.]

My installation also got dinged on: MySQL Open Files Limit (why was this not set correctly by puppet?), HA Proxy configuration (timeout queue in defaults is 2m, but must be set to 1m... again, why did Puppet not get this?), controller ulimits (set to 1024, should be 2048 or higher), and ntp clock synchronization (ntpstat existed with 'unsynchronised'). I also got dinged on pacemaker cluster but since I only deployed a single controller I'm ignoring this one.

OK. So I've got four to fix and all of them require getting a shell on the affected systems (and they aren't all on the same system). Good times. I can ssh onto the systems or plug in consoles. But in either case I'm going to need some credentials.

Bizarrely it seems you can access the whole system w/out any credentials:

$ ssh heat-admin@192.168.50.101

No password required and sudo works without a password as well.

File this as more reason to protect the OpenStack Director machine.

If you look into /etc/puppet/modules on one of the nodes you can see the puppet scripts that were used to setup the various files and services. Sadly they all explicitly set things to values that cause the validations to fail :( 'ulimit' doesn't seem to get set aside from within each process. This is actually correct. You can check limits from within /etc/system/system/. Ignoring this validation.

In any case. I fixed the validations. They ran clean. Onward. For reference the RDO Project has some tweaks: Tunings and Tweaks. These go along with possible limits in base configurations.

Post-Deployment

The first thing that the triple docs have you do is to setup the overcloud network. They do this without really explaining what the options are or why you'd do it in this fashion. What are flat, vlan, gre and vxlan for instance? To truly understand this we'd need to go down the software defined networking rabbit hole and that's out of scope at the moment. We'll need to go there. Just maybe not yet.

What we need to know is what we want to end up with and what does it take to get there. For my purposes I just want the instances I spin up to be able to connect to the outside world (to pull packages or data) and I want to be able to access them so that I can manage them or let Jenkins manage them. I don't need, at this point, to create more than a single network. So for me a 'flat' network would work just fine. If you want to be able to create isolated networks then you might want to go with 'vlan' which would cause neutron to create a VLAN ID for each network. 'gre' and 'vxlan' are similar enough that we can discuss them together. Both are "overlay" networks. They give you VLAN like functionality by encapsulating the Layer 2 traffic and creating a tunnel like functionality between similarly encapsulated endpoints. The advantage is that you don't need to sync up your "vlan" IDs with your physical L3 devices (e.g. switches). The disadvantage is that encapsulation has overhead which may cause packets to get split (fragmented) into two which will degrade network performance.

Hope your not lost yet. The next question is one of "floating IP Addresses". Normally when you spin up an instance within OpenStack it is given a local IP from it's network range. You can setup routers and outbound goodies to allow outbound NAT. However you have no way of accessing the instance from the outside. That's where a "Floating IP" comes in. A Floating IP belongs to the public network and it has an inbound NAT that will allow you to connect to an instance. It is possible to go super simple and allocate IP space from your public network for your internal provider network on OpenStack. That would give instances public IPs and so they wouldn't require these Floating IPs. That does simplify things in some situations but it also means instances on OpenStack would be on your "public" network (which could be an internal or dmz network, public refers to context as its public from the OpenStack standpoint). Maybe good. Maybe bad. Using an internal network and Floating IPs gives you the option of being accessible or not.

Let's revisit what our physical layout currently looks like.

Ok. So the first thing I'm going to do is to create a "public" network and flag it as external.

$ source overcloudrc
$ openstack network create public --external --provider-network-type flat \
--provider-physical-network datacenter

Then I'll assign an IP range. Since this is my public range I won't want to enable a DHCP Server since that may conflict with the DHCP server already on that network. Which is all great except when I run it: "HttpException: Bad Request". That's not informative so we slap a '--debug' on and:

RESP BODY: {"NeutronError": {"message": "Invalid input for operation: physical_network 'datacenter' unknown for flat provider network.", "type": "InvalidInput", "detail": ""}}

Better. The docs did say it was an example command, that it assumes a dedicated interface (or native VLAN) and that it should be modified to match the local environment. Ok. I don't have an provider physical network called datacenter so yeah. I do have an open interface on nic2/en02. However the command won't work specifying either of those interfaces either.

If I go to Horizon and try to create this interface as an Admin and do it from an Admin context it also fails. If I do it from a project context it succeeds but it also defaults to network-type: vxlan.

$ openstack subnet create --allocation-pool start=172.16.23.140,end=172.16.23.240 \
--network public --gateway 172.16.23.251 --no-dhcp --subnet-range \
172.16.23.128/25 public

This says to create a subnet with a pool starting at 172.16.23.140 and ending at 172.16.23.240 with a gateway of 172.16.23.251 and a subnet range (weird wording) of 172.16.23.128/25. We say not to use DHCP and we attach this subnet to the "public" network". This absolutely implies that my external network (from the standpoint of the OpenStack deployment) is 172.16.23.128/25.

A network labeled "public" is required in order to do the next set of validations so we can more or less leave it here for a minute while we do those.

Thursday, January 12, 2017

Free Linux Foundation on edX

So the Linux Foundation has released a number of it's training courses for free on EdX. They are introductory and overview type classes to just wet your appetite.

LFS151 - Introduction to Cloud Infrastructure Technologies. This one doesn't go deep (Introduction after all) but it goes pretty wide and I think does a good job of touching on all of the current/popular Cloud Infrastructure options. Unless your well versed in all of them it's worth your time to watch it at faster than normal speed.

LFS152 - Introduction to OpenStack. I'm about 70% through this one. Again, it's an Introduction but it does give you the information and tools necessary to start playing with OpenStack in a directed fashion.

The other two are:

LFS101 - Introduction to Linux
LFS161 - Introduction to DevOps: Transforming and Improving Operations.

Haven't watched them but I'd guess they will be of similar quality to the others. If your new to DevOps, Linux and/or Cloud I'd recommend them with no hesitation. Will watch them over the weekend and post a retraction if I'm wrong :)

Tuesday, January 10, 2017

OpenStack Day 6.5 - A Brief Detour with the Triple-O UI

We now have a two node OverStack consisting of one compute node and one controller node.

Triple-O UI Detour

Before we go to the OverCloud, lets ponder the dashboard and some GUI on the undercloud. The TripleO docs list two 'Basic Deployment' options: CLI (which is the way I went) and GUI. Apparently "Part of the Undercloud installation is also Tuskar-UI which you can use to drive deployment". Tuskar-UI is one of the two components that make up Tuskar. Tuskar is built with Triple-O in mind so this shouldn't even be surprising.

What's Tuskar? "Tuskar gives administrators the ability to control how and where OpenStack services are deployed across the datacenter.". Mmmmkay. The gist is that with Tuskar we can create resource classes and then Tuskar will use performance monitoring, health statistics, and other metrics to aid us in capacity planning.

Tuskar-UI is built on top of Horizon and provides a UI into the Tuskar data. So at this point we're pretty sure there's a GUI running on the undercloud. The TripleO docs say to create an SSH tunnel pointing port 8080 to port 80 on localhost. I have doubt. It also talks of editing /etc/openstack-dashboard/local_settings also which isn't something that even exists. I expect these docs might be a little... dated.

If we look at /etc/httpd/conf.d we see '25-tripleo-ui.conf'. This says to listen on port 3000 of our internal IP. So... First pass, lets SSH tunnel to port 3000 and see what shakes out.

$ netstat -an | grep 3000
tcp 0 0 192.168.50.1:3000 0.0.0.0:* LISTEN

It's only listening on the management interface so we can use port 3000 on our external interface.

$ ssh -g -N -L {EXT_IP}:3000:192.168.50.1:3000 root@192.168.50.1
root@192.168.50.1's password:

Then we point our browser at http://{EXT_IP}:3000/

Progress. The username and password can be found in the stackrc file:

OS_USERNAME=admin

OS_PASSWORD=${sudo hiera admin_password}

Hiera is part of Puppet which we touched on briefly last post.

$ sudo hiera admin_password
d32545245ea237fd144218a0b6d91278af259339

If I drop this info in and hit the login button I'm presented with 'Connection Error: Connection to Keystone is not available'. *sigh* The question becomes do I need to forward the keystone port (5000) also or is it some other issue?

Taking the simple way out and just attaching a workstation to the 192.168.50.0/24 network. The top of our DHCP range is .250 so I'm taking .254 for my workstation testing. Pointing my browser at http://192.168.50.1:3000/ got the login. The login worked perfectly... and there's a lot of interesting information there including login information to my overcloud (which is apparently parked at 192.168.50.103). The right hand side also appears to be stocked with validation information. So the short answer is that it's a networking issue.

So this bit of networking and lack of information doesn't surprise me at all. When I hand rolled an instance I had to create a separate gateway machine to allow external access to Horizon. Pretty annoying and it makes me wonder if I'm doing something wrong. Accessing the GUIs just shouldn't be a difficult thing.

In my hand rolled deployment there was not a director. Since we've said the director is the gateway for the management network that means we would need to do our inbound gateway there as well since there will be NAT and it'd get weird if we didn't send it through a single mapping. I'm forced to ponder how the floating IPs are going to work at this point as well. Those should be handled by our controller which will do the bridging and security via Neutron.

One thing at a time. The obvious way would be to do a bit of port forwarding using iptables or such. Sadly this will fail. In /var/www/openstack-tripleo-ui/dist/tripleo_ui_config.js it defines keystone as http://192.168.50.1:5000/v2.0 ... this makes its way to your browser and your browser will try to access that directly. It will fail.

Rather than trying to change all of the configuration to play nice with me the answer is probably a web proxy on that network (squid or nginx). Most of OpenStack is RESTful interfaces so this should just work. (yep, famous last words... let's see).

I'm more familiar with squid so...

# yum install squid squid-sysvinit
# vi /etc/squid/squid.conf

Add my IP t the localnet src ACL
Comment out the 'http_access deny ~Safe_ports' line (we could have added keystone to the safe ports maybe)
Comment out 'http_access deny CONNECT ~SSL_ports'

# /etc/init.d/squid restart

Change my browsers proxy settings to use the external IP of the director on port 3128 and tell it to use that proxy for all ports.

And Voila... my windows workstation can now access the Undercloud UI.

So what? Well the UI gives us another data point to help us confirm or reject some of our assumptions. It also provides a way to see some possible weirdness before it's an issue. Also you just may find it easier to manage Nodes and roles from this interface.

OpenStack Day 6: Deploying the Overcloud

Exciting times... after much prep work we'll be deploying the overcloud. While we are arguably using OpenStack already on the director (because we are), it's not the same as being able to point to a multi-node deployment and spin up some instances. The Overcloud is what we'll actually be using in production. The director is largely a management tool geared toward the result which is the Overcloud.

When we deploy the overcloud we know that Ironic is going to power up our nodes which will, in turn, PXE boot the initial image from the director. But then what happens? That's where almost all of the magic of TripleO comes into play.

When we deploy the overcloud we will be using OpenStack tooling (Mistral, Heat and Ironic) along with Puppet for configuration management. Each of these is also a potential entry point into customizing our deployments. Red Hat provides a good overview for understanding the Heat Orchestration Templates (HOT): Understanding Heat Templates (It is a bit Red Hat specific and some command won't work if you aren't using Red Hat's variant of openstack... in particular the 'openstack management' command).

Explore a little with 'openstack workbook list' and 'openstack workflow list'.

The Heat template collection for the overcloud is stored in /usr/share/openstack-tripleo-heat-templates/. There's a lot in here and bits of it are pretty interesting to see what the overcloud deployment is doing. We can customize templates and environment files to customize our deployment.

Puppet is the next big contributor to the Overcloud deployment. Puppet (www.puppet.com) is configuration management software. It will allow us to tell which packages to install, how those packages can be configured and how the OS should be configured. It's pretty obvious how this contributes to getting the nodes to have the right software and settings. Modifying the puppet manifests is another entry point should we need to customize our deployment.

Since this is our first deployment we aren't going to tweak anything. Just let it do it's thing and see what shakes out. The background is interesting because we may want to observe the deployment and understand what's happening.

Ok. Maybe not just push the button. TripleO provides us with a bit of last minute validation. Sometimes this just finds weirdness but sometimes it finds something useful. Plus it gives a bit of practice. We're going to launch the pre-deployment validation workflow. You can find templates at /usr/share/openstack-tripleo-validations/ .

$ openstack workflow execution create tripleo.validations.v1.run_groups '{"group_names": ["pre-deployment"]}'
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| ID                | 187856d5-b5f5-4504-9e52-f1a0943a1885 |
| Workflow ID       | 2eadb3f2-98c1-4eeb-9c06-3b6b1c7b2b9a |
| Workflow name     | tripleo.validations.v1.run_groups    |
| Description       |                                      |
| Task Execution ID | <none>                               |
| State             | RUNNING                              |
| State info        | None                                 |
| Created at        | 2017-01-09 22:23:40.809719           |
| Updated at        | 2017-01-09 22:23:40.815409           |
+-------------------+--------------------------------------+

That's the last result that will be pushed to you. It's running. Getting actual results is a tad more complicated. First we have to wait until no more processes are running. We can see the process status by doing 'openstack task execution list'. For our purposes we really don't care about success, we only care about failure. So...

Let's see if anything is running:

$ openstack task execution list | grep RUNNING

| d166b19e-6647-4e7a-979e-e279b9ff3348 | run_validation_group | tripleo.validations.v1.run_groups | 7139ead2-f6ff-443b-a1b9-c0c1aab9e5f3 | RUNNING | None |

| 1c1fc57b-aaa2-4d26-8da2-a6185a8d5138 | notify_running | tripleo.validations.v1.run_validation | 944af79b-9d1d-46cf-aada-cf1d9ec627d1 | RUNNING | None |

| a4c7df7b-f622-4479-b299-5c482e3c3c4d | notify_running | tripleo.validations.v1.run_validation | 35a00874-91eb-493f-aba6-cc66c780f47d | RUNNING | None |

| e336cfbe-3573-4a13-b9c1-035c684c1f90 | notify_running | tripleo.validations.v1.run_validation | d58a0a39-c039-4957-a5f5-dc142b0224a3 | RUNNING | None |

| 1f80671e-45ce-4572-b7b9-5bdf628f1527 | notify_running | tripleo.validations.v1.run_validation | 5a455516-70c9-436e-92f2-bc171b9b8171 | RUNNING | None |

| 232891c0-73bd-4190-96fd-9b2f6d63515e | notify_running | tripleo.validations.v1.run_validation | 087d2ac7-fa71-42fc-8349-7e75d0e58ea6 | RUNNING | None |

There is so we just repeat that command every few seconds until there isn't. At that point we are interested in the errors... and more we are only interested in errors that occurred during run_validation.

$ openstack task execution list | grep ERROR | grep run_validation
| 377cdc82-fca0-48e4-9f2b-4893c9d01ff4 | run_validation                    | tripleo.validations.v1.run_validation            | 6c2d8b09-49f0-4238-bca9-d62e6cc331e7 | ERROR   | {u'stderr': u'', u'stdout... |

| ec233d8d-0a6d-44e7-a12e-f54a21f19dc2 | run_validation                    | tripleo.validations.v1.run_validation            | 6d354722-a9c3-4481-8772-d2c0561211e7 | ERROR   | {u'stderr': u'', u'stdout... |

So... 2 errors this pass. Yep. This pass. Some validations stop when they encounter an error so we'll do this multiple times. Also pay attention to the ID of the last error so you know not to check that one again on subsequent passes.

For each error we will run

$ mistral task-get-result {ID} where {ID} is the grouping in the first column.

$ mistral task-get-result 377cdc82-fca0-48e4-9f2b-4893c9d01ff4
{
    "stderr": "",
    "stdout": "
Task 'Check the services for debug flag' failed:\nHost: localhost\nMessage: The key 'debug' under the section 'DEFAULT' in file /etc/nova/nova.conf has the value: 'True'\n\n
Task 'Check the services for debug flag' failed:\nHost: localhost\nMessage: The key 'debug' under the section 'DEFAULT' in file /etc/neutron/neutron.conf has the value: 'True'\n\n
Task 'Check the services for debug flag' failed:\nHost: localhost\nMessage: The key 'debug' under the section 'DEFAULT' in file /etc/heat/heat.conf has the value: 'True'\n\n
Task 'Check the services for debug flag' failed:\nHost: localhost\nMessage: The key 'debug' under the section 'DEFAULT' in file /etc/ironic/ironic.conf has the value: 'True'\n\nFailure! The validation failed for the following hosts:\n* localhost\n"
}

Looks like we need to edit /etc/nova/nova.conf, /etc/neutron/neutron.conf, /etc/heat/heat.conf and /etc/ironic/ironic.conf to fix the debug key. You might wonder why that needs to be fixed since we never manually changed it. Yeah... I expect this is a case where the validation suite hasn't kept pace with progress. Or maybe they are all test driven development and the validation points out work that needs to happen. Hard to say. For now we'll just make the change and quiet the validation. Or if your comfortable with this setting just leave it alone and move to the next error. Will having logging set to debug cause problems?

Repeat this process until you are error free or at least comfortable with the errors.

Once your content with the validation status, launch it. The deploy has a lot of possible command line options. We're being simple. You can see all the options with 'openstack help overcloud deploy'.

--templates - Create the overcloud using the heat template collection located in /usr/share/openstack-tripleo-heat-templates

by default 1 compute and 1 control node will be deployed which is exactly what we want so no other options need be specified.

In addition to watching the output, run the occasional 'openstack baremetal node list' in another window and watch the provisioning state change. Console on the nodes is also interesting. This is going to take a while... you can watch the heat part, sort of, by opening another window to the director and issuing 'openstack stack list' and then 'openstack stack show {ID}' and 'openstack stack output show {ID} --all'.

$ openstack overcloud deploy --templates
Removing the current plan files
Uploading new plan files
Started Mistral Workflow. Execution ID: b1585580-0b58-469a-b4ed-5246322268b6
Plan updated
Deploying templates in the directory /tmp/tripleoclient-zqUDul/tripleo-heat-templates
Started Mistral Workflow. Execution ID: 0f0da3b6-28ce-463b-a55f-a86475f95690
2017-01-09 22:46:12Z [overcloud]: CREATE_IN_PROGRESS Stack CREATE started
...
Stack overcloud CREATE_COMPLETE
Started Mistral Workflow. Execution ID: a06adb46-e9bf-4506-a8ba-5492a3de5560
Overcloud Endpoint: http://192.168.50.103:5000/v2.0
Overcloud Deployed

Woot!I have an overcloud. A small one, but an overcloud. Next up: How do I access it? Will I be able to spin up an instance that I can also access? This requires a lot of pieces to have worked properly, especially networking. The very fact that the Overcloud Controller is on my private network means I either need to do something clever or attach my workstation to that network so that I can get to the Horizon dashboard. For that matter, why doesn't the Undercloud have a dashboard? It does??? Stay tuned...

Monday, January 9, 2017

OpenStack Day 5: Introspection and Flavors

I kind of feel a little bad about punting on the IPMI issue previously. The TripleO install (and I assume the MAAS based install) are very useful. However I think they could also be useful for home labs and such if they were not so IPMI dependent. Not everyone has a stack of servers laying around. I fully intend to revisit this down the road a bit...

For now though, let's move onward. Our nodes are registered to Baremetal/Ironic.

The next step is "Introspection". This will cause each node to power up and it will PXE boot kernel and ramdisk images from the director. The purpose of this initial boot is for this image to scan the hardware and report back what it finds with regards to ram, disk space, CPU (quantity and capability), etc...

In a small network you may know all the things and will know what purpose you want to put the node toward. In larger networks we can define that certain types of nodes (compute, swift, etc...) require certain physical parameters. These are the "Flavors" that we'll look at later. Using these flavors we can auto-assign nodes to certain roles.

# openstack baremetal introspection bulk start
Setting nodes for introspection to manageable...
Starting introspection of manageable nodes
Started Mistral Workflow. Execution ID: 6f2a291e-d756-4fd9-af20-bb70b683b221
Waiting for introspection to finish...
Introspection for UUID 663d5d3a-b7ca-4d82-96cf-970df5802ca4 finished successfully.
Introspection for UUID 10cf5d91-447d-4c2e-b3fb-40ef80b79d61 finished successfully.
Introspection for UUID 561c884c-c5a3-4bd5-a3df-e96adc588a7a finished successfully.
Introspection for UUID 66e5a5ba-c486-45a7-a0ea-9ccb2a0743f9 finished successfully.
Introspection for UUID be784a1f-a2f1-4c2d-92e7-21c5ae52738a finished successfully.
Introspection completed.
Setting manageable nodes to available...
Started Mistral Workflow. Execution ID: 836a2e6d-b33a-481a-be93-8d9a9d828dbf

You can see that introspection for my five nodes completed successfully and nodes were set to 'available'. This process can take a long time. Don't interrupt it.

Had there been a problem the nodes would have been left in the 'manageable' state. In that case you'd need to do a bit of troubleshooting to figure out what the problem was, fix it and then re-run the introspection.

You can monitor the progress of the introspection if you wish (and should if there were errors and you are re-running). I'd open another terminal window so as not to interfere with the introspection window. In my case I initially got a bad introspection because I had the same IP Address on IPMI of two nodes. Fixed. [Note: That explains why I have 5 instead of 6 nodes even though 6 pieces of hardware made the initial cut after IPMI Testing... the 6th had the same IP as one of the other nodes and I just unplugged it. I'll add it back in later as an example of adding a node after the overcloud has been deployed.]

$ sudo journalctl -l -u openstack-ironic-discoverd -u openstack-ironic-discoverd-dnsmasq -u openstack-ironic-conductor -f

It is also possible to introspect nodes individually which will be useful as you add single nodes or modify hardware in existing nodes.

$ ironic node maintenance set [NODE UUID]
$ openstack baremetal introspection start [NODE UUID]
$ ironic node maintenance unset [NODE UUID]

You can look at what introspection found by examining an individual node.


$ openstack baremetal node show 10cf5d91-447d-4c2e-b3fb-40ef80b79d61

...

| properties             | {u'memory_mb': u'24576', u'cpu_arch': u'x86_64', u'local_gb': u'930', u'cpus': u'8', u'capabilities': u'cpu_hugepages:true,cpu_txt:true,boot_option:local,cpu_aes:true,cpu_vt:true,cpu_hugepages_1g:true'}

...

Here we can see that there are 24G of RAM, 930G local storage, 8 CPUs, etc...

And here we take a little bit of a side journey. We need to figure out what our nodes are going to be used for. To do that we have to understand the possibilities and the minimum, and recommended, requirements for these possibilities. In some cases we may need to make a few tweaks such as adding RAM or reconfiguring the hard drive layouts. Arguably we should have done this prior to introspection. However, knowing that we can just re-run the introspection it seemed better to wait until we knew that we were going to successfully get to this point with the hardware before investing any time in individual nodes.

So let's look at our various node options and their requirements.

Compute - these nodes will be running the virtual instances. They need to have enough CPU, RAM and disk (*) to do this. The processor must be 64-bit x86 and must support the AMD-V or Intel VT hardware virtualization extensions. 4 Cores is the recommended minimum. It will need at least 6GB of RAM and more if you want to provide more to your instances. We'll want at least 40 GB of disk space and at least one 1-Gbps Network Interface Card, two would be better and three better still if your going to get fancy with the networking and want to avoid a bit of VLAN-ing. Finally it needs to support IPMI which we know already and we'll be revisiting the word "need". The HD layout should just be one large disk/array. By default other disks won't be used.

Controller - responsible for hosting all of the core services: Horizon, Keystone, databases, HA, etc.. Requirements are very much the same as Compute except two (2) Network Interface Cards is a requirement (and like Compute, three would be even better).

Ceph Storage: 64-bit x96 processor. Memory requirements vary depending on the amount of storage. The rule of thumb is 1GB of memory per 1TB of storage space. At least one NIC is required, but two is better and since storage gets hit heavily it's worth considering 10GB interface cards. Ceph nodes will run the Ceph Storage OSD (object storage daemon) but the controllers will be acting as the controller. It is recommended to pre-layout the disk as follows. The director isn't going partition the journal disk, that's a manual step for later. ditto the GPT disk labels ('parted [device] mklabel gpt').

/dev/sda - root disk where the director will put the overcloud image
/dev/sdb - Journal disk, ideally SSD to improve performance.
/dev/sdc ... /dev/sdN - the OSD disks.

Cinder Storage - See Ceph Storage

Swift Storage - See Ceph Storage

Ok. The Hard disk requirement of 40G is pretty laughable these days. Unless your running on a USB stick your hard disk is going to be bigger than that. Even low end SSD drives are all larger now. So we'll take that one as "have a hard drive". We will discuss some of the finer points of local storage on compute and controller nodes in the future as there are some optimizations and interesting tidbits. But for now: have a hard disk.

On my first deployment I'm not going to bother with Ceph, Cinder or Swift. These are all optional roles. I fully intend to completely destroy my environment a few times before I'm happy. The only requirement for an overcloud are one controller and one compute node. That's where I intend to start and go so far as to launch and access an instance to make sure I've got all the pieces figured out. Then we burn it all down and re-deploy based on the knowledge learned to that point. Iterate.

In this first iteration I'm not going to get crazy with the networking either. In fact my application may not require any advanced networking ever. Redhat provides a pretty excellent page on Planning Networks. From that perspective I'm shooting for a 'Basic Environment'.

My final storage layout is going to have to be more complex. I really don't want my images stored on the controller and I will need some persistent instance storage. My initial thinking was I'd use Ceph for this but I've seen a rumor that Ceph doesn't support QCOW2 meaning I'd have to use RAW format to boot from Glance if it was Ceph backed. Not sure how I feel about that yet... and it may only apply if you are booting it as a guest disk (but there are good reasons to do just that).

The Director is capable of creating Cinder nodes, swift nodes and ceph nodes. The ceph nodes are capable of backing Images (via Glance), Volumes (Cinder) and Guest Disks which allow booting inside Ceph w/out using Cinder.

Here I take a brief pause to move around any RAM or hard drives and to configure any RAID that may be necessary before moving onto flavorings.

Let's take a look at our flavors.

According to the TripleO docs: "The undercloud will have a number of default flavors created at install time. In most cases these flavors do not need to be modified, but they can if desired. By default, all overcloud instances will be booted with the baremetal flavor, so all baremetal nodes must have at least as much memory, disk, and cpu as that flavor.". Okay. That's a mouth full. Let's break it down.

$ openstack flavor list
+--------------------------------------+---------------+------+------+-----------+-------+-----------+
| ID                                   | Name          | RAM | Disk | Ephemeral | VCPUs | Is Public |
+--------------------------------------+---------------+------+------+-----------+-------+-----------+
| 1bbdc277-9b08-465a-9e4e-4e0e0d949e85 | control       | 4096 |   40 |         0 |     1 | True      |
| 55ef3815-ee57-4ce7-829e-0d9f5afdc127 | compute       | 4096 |   40 |         0 |     1 | True      |
| 6d33b344-4e96-4b24-835f-4c7c8fe76373 | ceph-storage | 4096 |   40 |         0 |     1 | True      |
| c26e60eb-ed4f-407c-b838-5864cb67990a | baremetal     | 4096 |   40 |         0 |     1 | True      |
| ca2d58c7-afd1-4f5e-9aa6-b729bf4bf4da | swift-storage | 4096 |   40 |         0 |     1 | True      |
| e7e4a151-0a23-4503-a482-098e368eaf44 | block-storage | 4096 |   40 |         0 |     1 | True      |
+--------------------------------------+---------------+------+------+-----------+-------+-----------+

Here we see the "number of default flavors" that were created in the undercloud at install time. These are all set to the same requirements: 4GB of RAM, 40G of Disk, 1 CPU. Pretty small and not entirely useful requirements.

By default all nodes are flavored as "baremetal" so they need at least the minimum requirements specified for the "baremetal" flavor. This is the default and doesn't show up when we look at the node properties.

| properties | {u'memory_mb': u'24576', u'cpu_arch': u'x86_64', u'local_gb': u'930', u'cpus': u'8', u'capabilities': u'cpu_hugepages:true,cpu_txt:true,boot_option:local,cpu_aes:true,cpu_vt:true,cpu_hugepages_1g:true'}

However if we change the flavor of a node:

$ ironic node-update 10cf5d91-447d-4c2e-b3fb-40ef80b79d61 replace properties/capabilities=cpu_hugepages:true,cpu_txt:true,boot_option:local,cpu_aes:true,cpu_vt:true,cpu_hugepages_1g:true,profile:control

So this is essentially the same properties/capabilities section with the addition of profile:compute. No when we do 'openstack baremetal node show 10cf5d91-447d-4c2e-b3fb-40ef80b79d61' we can see the change in capabilities:

| properties       | {u'memory_mb': u'24576', u'cpu_arch': u'x86_64', u'local_gb': u'930',    |
|                        | u'cpus': u'8', u'capabilities': u'cpu_hugepages:true,cpu_txt:true,boot_o   |
|                        | ption:local,cpu_aes:true,cpu_vt:true,cpu_hugepages_1g:true,profile:contr |
|                        | ol'}                                                                                                            |
|

We can see that this will use the 'control' profile. To set it back to the default we can just re-do the node-update without that addition.

An alternate method:

$ ironic node-update 10cf5d91-447d-4c2e-b3fb-40ef80b79d61 add properties/capabilities='profile:compute,boot_option:local'

However this doesn't do what it should really. It doesn't add to 'properties/capabilties' instead it adds a 'properties/capabilities' section to the node and, in the process, overwrites that section if it already exists. For our purposes 'add' and 'replace' are the same in this specific case.

Once a profile is assigned to a flavor, nova will only deploy it on ironic nodes with the same profile. Your overcloud deployment will fail if not enough ironic nodes are tagged with a profile.

I'm using a limited amount of hardware and it's capabilities vary pretty widely. Because of this it's not worth my effort to setup any fashion of automatic flavoring. However it is worth my effort to manually flavor nodes since some are better suited to a task by virtue of RAM, CPU or HD space.

Since my initial implementation will be two nodes I will tag one as control and the other as compute using the method above.

One last bit of configuration before we deploy the overcloud.

It is recommended to set a nameserver so that the nodes can resolve DNS.

$ neutron subnet-list
| ae23dfb5-cb87-4475-adc9-ec82062db8af | | 192.168.50.0/24 | {"start": "192.168.50.100", "end": "192.168.50.250"} |
[stack@ostack-director ~]$ neutron subnet-update ae23dfb5-cb87-4475-adc9-ec82062db8af --dns-nameserver 8.8.8.8
Updated subnet: ae23dfb5-cb87-4475-adc9-ec82062db8af

And with that we are ready for our initial deployment.