Skip to content

Crowbar and Knife Openstack

juddmaltin-dell edited this page Jul 11, 2012 · 34 revisions
Clone this wiki locally

Important Introductory Remarks

1) chef authentication is required. "knife openstack create" implies "knife bootstrap," which requires a valid chef_client (and not the crowbar chef_client)

1) the crowbar chef_client user cannot be used with knife. You must create your own user with admin privs.

1) adding dependent libs: the proper libs (as of 6/21/2012) are not included in the Crowbar ISO. Your chef_client node will need to get gems and libs, detailed below.

1) Now you have to decide which user and host you want to run the knife openstack commands from. I suggest creating "devops" user on any node. I chose the crowbar admin node, just because I already set it up for Internet access, so I could easily download the dependent apt packages.

1) If you use the root user on the Crowbar Admin box, root's .chef/knife.rb file will be overwritten by chef-client when you try to add the following configs to enable "knife openstack." Use, as above, a different user (and not crowbar, either.)

Create a chef_client for knife openstack work (unless you already have created one for your own stuff)

Create an OS user (devops) on the admin node.

root@admin:~/# adduser devops
Adding user `devops' ...

root@admin:~/# mkdir /home/devops/.chef
root@admin:~/# chown devops /home/devops/.chef

Create a knife.rb file:

devops@admin:~/$ vi /home/devops/.chef/knife.rb
node_name               "devops"
client_key              "/home/devops/.chef/devops.pem"
chef_server_url         ""
log_level               :debug
log_location            STDOUT
validation_client_name  'chef-validator'
validation_key          '/home/devops/.chef/validation.pem'
cache_type              'BasicFile'
cookbook_path           '/home/devops/cookbooks'

# values for the below filled in with keystone query commands:
knife[:openstack_access_key_id]     = "filled in soon"
knife[:openstack_secret_access_key] = "filled in soon"
knife[:openstack_api_endpoint]      = "filled in soon"
knife[:openstack_ssh_key_id]        = "filled in soon"

Create a chef_client and client.pem file for the devops user:

root@admin:~# knife client create devops -a -f /home/devops/.chef/devops.pem

  "json_class": "Chef::ApiClient",
  "name": "devops",
  "chef_type": "client",
  "admin": true,
  "public_key": null

Make sure Mr. Devops can read the new pem file in his name:

root@admin:~/# chown devops /home/devops/.chef/devops.pem

Now make sure knife works:

devops@admin:~$ knife node list

Looks good. Hate then names. I wish Crowbar would shove the node names down the throat of Chef.

Let's make Mr. Devops an ssh keypair and send them over to the nova manager server for upload into nova.

devops@admin:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/devops/.ssh/id_rsa):
Created directory '/home/devops/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/devops/.ssh/id_rsa.
Your public key has been saved in /home/devops/.ssh/
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
|          .o     |
|          +o     |
|      . .=..o    |
|       o.o=.E    |
|     .o So       |
|    o. ..o       |
|     o.oo.       |
|    . oo .o      |
|     ..  o.      |
devops@admin:~$ cd .ssh/
devops@admin:~/.ssh$ ls

Now lets rename it and copy it over to the nova management node:

devops@admin:~/.ssh$ cp
devops@admin:~/.ssh$ scp crowbar@
crowbar@'s password:                                                                                                                                              100%  406     0.4KB/s   00:00

Setting up Dependencies

Of course it doesn't work out of the box with Crowbar's Ubuntu - these are all the deps you need.

download that, put it on your Crowbar nodes...

tar xvzf crowbar_knife_openstack_ubuntu_12.04_deps.tar.gz
cd crowbar_knife_openstack
dpkg -i libxslt1-dev_1.1.26-8ubuntu1_amd64.deb
gem install knife-openstack-0.6.0.gem

Keystone and Nova auth setup

Collect Keystone information for Auth

Setup your keystone command line environment ON THE KEYSTONE SERVER, for getting API keys and endpoints from keystone.

crowbar@d08-00-27-c7-e9-f4:~$ cat openstack_env 
export OS_USERNAME=crowbar
export OS_PASSWORD=crowbar
export OS_TENANT_NAME=openstack
# IP of the Keystone Server
export OS_AUTH_URL=

# IP of the Keystone Server

# the SERVICE_TOKEN is from /etc/keystone/keystone.conf
export SERVICE_TOKEN=980239800212

Get the crowbar user's id:

crowbar@d08-00-27-c7-e9-f4:~$ keystone user-list
|                id                | enabled |           email           |   name  |
| 34177f436e994d7196f6509426def1e7 | True    |                           | nova    |
| 4eb83d126bd5496fb33619d8f40bf2df | True    |                           | admin   |
| 6a6f15a0f97e42cdb81fd1a1a63d5e6f | True    | | crowbar |
| c9d0dbd6d018427ab0d97d56f9183c21 | True    |                           | glance  |

Get the crowbar user's EC2 API keys. In the next section of documentation we'll use this access and secret key to launch VMs in OpenStack via our .chef/knife.rb file:

crowbar@d08-00-27-c7-e9-f4:~$ keystone ec2-credentials-list --user 6a6f15a0f97e42cdb81fd1a1a63d5e6f
|   tenant  |              access              |              secret              |
| openstack | 618709daa35849ff838c80f3bb44db9e | ebe7bbd2e83b44f88f1816f90646d27f |

becomes in the devops user's /home/devops/.chef/knife.rb

knife[:openstack_access_key_id] = "618709daa35849ff838c80f3bb44db9e"
knife[:openstack_secret_access_key] = "ebe7bbd2e83b44f88f1816f90646d27f"

Find out what endpoints we have, so 'knife openstack' knows where to submit its commands.

crowbar@d08-00-27-c7-e9-f4:~$ keystone endpoint-list
|                id                |   region  |                publicurl                 |                 internalurl                 |                   adminurl                  |
| 3bfd3a10828c4039bf9089fe117bc78f | RegionOne |   |   |   |
| 818c43e3875046ee8ad2e7bd33a72c6a | RegionOne |$(tenant_id)s |$(tenant_id)s |$(tenant_id)s |
| 8878fb7603324b5caac85e3193c298ca | RegionOne |$(tenant_id)s |$(tenant_id)s |$(tenant_id)s |
| 9e23e18e95a6406b948c38deb788ef2a | RegionOne |            |               |               |
| bce89b7418254d37bc93ae990badfce3 | RegionOne |          |             |            |

Becomes in the devops user's /home/devops/.chef/knife.rb:

knife[:openstack_api_endpoint]      = ""

Setup Nova SSH keys for post-install auth

Now lets load up that ssh key into nova and drop that in the knife config file as well!

crowbar@d08-00-27-c7-e9-f4:~$ nova keypair-add --pub_key devopskey
crowbar@d08-00-27-c7-e9-f4:~$ nova keypair-list
|    Name   |                   Fingerprint                   |
| devopskey | b0:b6:f7:66:a0:09:b9:5f:31:71:c7:90:96:6e:d2:dc |

Which makes the devops user's .chef/knife.rb file have this value:

knife[:openstack_ssh_key_id]    = "devopskey"

Go back to the node with the devops user to issue 'knife openstack' commands.

And now give it a shot! Let's find the names of OS images we can launch:

devops@admin:~$ knife openstack image list
ID                          Kernel ID                   Architecture                Root Store                  Name                        Locat                  
ami-00000003                aki-00000001                                            instance-store              ubuntu-11.04-image          None untu-11.04-image) 
ari-00000002                                                                        instance-store              ubuntu-11.04-initrd         None untu-11.04-initrd)
aki-00000001                                                                        instance-store              ubuntu-11.04-kernel         None untu-11.04-kernel)

Now let's try launching a machine:

knife openstack server create 'role[webserver]' -I ami-00000003 -f m1.small 

Something went wrong with that request. Please try again.