Deploy OpenStack onto Rackspace Public Cloud using OpenStack-Ansible
This will deploy a fully working version of OpenStack on top of the Rackspace Public Cloud using OpenStack-Ansible.
In its current form it will deploy the following:
- 3x Controllers
- 3x Compute
- 3x Ceph
- 3x Swift
- 1x HA Proxy LB
- 1x Gateway
- 1x Console
Update for V2.0 - The single Cinder node has now been replaced with 3x Ceph nodes
A number of sensitive settings must be stored within the configuration of this repo. To protect this sensitive data we use Ansible Vault. A "vault_example.yml" file can be used to generate your own vault.yml file within "group_vars/general".
The "vault_my_cloud_password" variable is used when setting up a user account once OpenStack has been deployed. As this system may be accessible from the Internet, it is important that a strong password is used.
The various mail settings are used to allow the sending of e-mails during the deployment. This behaviour can be disabled (see Mail Alerting settings below).
Example vault.yml file with settings for using an Apple Mail account for sending the mail alerts:
```yaml
---
# Configure Openstack Settings
vault_my_cloud_password: xxxxx

# Status Mail Settings
vault_host: smtp.mail.me.com
vault_port: 587
vault_secure: starttls
vault_username: firstname.lastname@example.org
vault_password: xxxxxxxx
vault_from: email@example.com
vault_to: First Last <firstname.lastname@example.org>
```
Once you have created the vault.yml file you should encrypt it using the following command:
ansible-vault encrypt group_vars/general/vault.yml
When using Ansible Vault, you can either pass the password used to encrypt the vault file at run time by using --ask-vault-pass, or you can generate a .vault_pass file in the root of the repo and update the ansible.cfg file to include "vault_password_file = ./.vault_pass".
Note: this repo assumes there is a .vault_pass file and that ansible.cfg is configured accordingly.
More info on using Ansible Vault is available [here](http://docs.ansible.com/ansible/latest/user_guide/vault.html).
You will need to create a clouds.yaml to configure authentication to the base cloud on which you will deploy your test cloud. A clouds_example.yaml is included which you can use as a template. Note that .gitignore is configured so that this file is not synced back to GitHub (vault cannot be used for clouds.yaml settings).
Example clouds.yaml file
```yaml
clouds:
  xxxx:
    auth:
      auth_url: https://identity.api.rackspacecloud.com/v2.0
      username: xxxx
      password: xxxx
      project_name: nnnnnn
    region_name: XXX
  IAD:
    auth:
      auth_url: https://identity.api.rackspacecloud.com/v2.0
      username: xxxx
      password: xxxx
      project_name: nnnnnn
    region_name: IAD
ansible:
  use_hostnames: True
  expand_hostvars: False
  fail_on_errors: True
```
I assume you will have multiple accounts in clouds.yaml so you will need to populate the OS_CLOUD environment variable with the cloud you want to work against.
However if you only have a single active entry in clouds.yaml, or you comment out inactive accounts, then there is no need to export the OS_CLOUD variable.
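A pre-deployment check of the secret handling described above, as an added example that is not part of this repo: it confirms vault.yml is Ansible Vault ciphertext, that .vault_pass and clouds.yaml are not readable by group or other, and that git ignores both. The function names are hypothetical, and the page only states that clouds.yaml is covered by .gitignore; checking .vault_pass the same way is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not part of the repo): secret-hygiene checks to run from a
# checkout before deploying. All function names here are hypothetical.

# 0 if the file is Ansible Vault ciphertext, i.e. its first line starts with
# the "$ANSIBLE_VAULT;" header that ansible-vault encrypt writes.
vault_is_encrypted() {
    [ -f "$1" ] && head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# 0 if no group/other permission bits are set (e.g. mode 600 or 400).
perms_are_private() {
    [ -e "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if git ignores path $2 inside checkout $1. A file that is already
# tracked is reported as not ignored, which is the case worth catching.
is_git_ignored() {
    git -C "$1" check-ignore -q "$2"
}

# Run all checks against checkout $1; print each finding, return 1 if any.
preflight() {
    pf_repo=$1
    pf_rc=0
    if ! vault_is_encrypted "$pf_repo/group_vars/general/vault.yml"; then
        echo "group_vars/general/vault.yml is missing or not encrypted"
        pf_rc=1
    fi
    for pf_file in .vault_pass clouds.yaml; do
        # Both files hold plaintext credentials. That .vault_pass should be
        # git-ignored is an assumption; the page states it only for clouds.yaml.
        if [ -e "$pf_repo/$pf_file" ] && ! perms_are_private "$pf_repo/$pf_file"; then
            echo "$pf_file is readable by group or other (chmod 600)"
            pf_rc=1
        fi
        if ! is_git_ignored "$pf_repo" "$pf_file"; then
            echo "$pf_file is not ignored by git"
            pf_rc=1
        fi
    done
    return "$pf_rc"
}

# Usage from the repo root:  preflight . || exit 1
```
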
Steps for deployment:
- Clone the repo
- Review settings in /group_vars/general and amend as required
- Generate "group_vars/general/vault.yml" using vault_example.yml as a template
- Generate a '.vault_pass' file or comment out the "vault_password_file" setting in ansible.cfg and provide the decrypt password manually at run time
- Generate clouds.yaml
- Deploy base VMs using the Heat template openstack-osa-framework.yaml, updating parameters as required
  - Ensure you update the key_name setting to match the name of your SSH key
- Update the console_user_pwd setting in host_vars/console.yml - this is the hashed password for the local user on the console VM
- Deploy OpenStack by running the below command
Typical Run Times
- Initial VM Deployment using Heat: 7 mins
- VM Preparation Playbooks: 11 mins
- setup-hosts.yml: 49 mins
- setup-infrastructure.yml: 55 mins
- setup-openstack.yml: 58 mins
- console-vm.yml: 12 mins
- Total: approx 3.5 hours
Obtain the Admin Password
OpenStack-Ansible generates strong random passwords for all the different services, and you will need to ascertain the admin password if you want to log into the Horizon UI. This can be obtained in a number of ways:
Connect to the deployment server, controller1 via SSH and run the following command:
grep keystone_auth_admin_password /etc/openstack_deploy/user_secrets.yml
Alternatively, from the host where you initially ran this deployment, run the following playbook
Another option is to connect to the Console VM via SSH and run the following command
grep OS_PASSWORD /ansible/openrc | cut -d= -f2
There is also a "utility_container" on each of the controller nodes which has an openrc file located in /root/openrc, so just like on the console VM you can obtain the admin password by running the following:
grep OS_PASSWORD /root/openrc | cut -d= -f2
Connecting to the Horizon UI
To connect to the Horizon UI, simply connect to the Public IP of the LB1 VM using https://nn.nn.nn.nn. As we are using a self-signed certificate, you will get a warning from your browser; ensure you are connecting to the correct IP, then accept the warning and you should be presented with the login screen. Log in as admin, using the password you obtained using any of the above methods.
VPN Access To Provider Network
You can use the Console VM to test SSH access to VMs or use the Desktop Browser to test HTTP access etc, but if you want to do this directly from your machine, the easiest thing to do is install a VPN Server on the GW VM.
Simply install by downloading the latest package from [this page](https://openvpn.net/index.php/access-server/download-openvpn-as-sw/113.html?osfamily=Ubuntu) e.g.
Then install it by running
dpkg -i openvpn-as-2.5.2-Ubuntu16.amd_64.deb
Once installed, set a password for the openvpn user
Now connect to the Public IP of the GW VM and use the UI to configure the VPN, logging in using openvpn as the username, and the password you configured in the previous step
The following settings should be changed:
- Configuration/VPN Settings/Routing - replace the existing CIDRs with the 'Flat Network' CIDR, which is "172.29.252.0/22" unless you have changed it
- Configuration/VPN Settings/Routing - 'Should client Internet traffic be routed through the VPN?' - Set to "No"
- Configuration/VPN Settings/DNS Settings - 'Do not alter clients' DNS server settings' - Set to "Yes"
Click the "Save Settings" button at the bottom of the screen, then the "Update Running Server" button which appears at the top of the screen once the settings are saved.
You can now connect to the VPN by installing the appropriate openvpn client and downloading the connection profile directly from the server. I opt to create a new 'user' which has a descriptive name for the environment I am connecting to.
(A future version of this repo will automate the installation and configuration of the VPN)
Slow OpenVPN UI
If you experience a very slow Admin UI, perform the following steps (this should not be required for releases newer than 2.5.2, as it is supposed to be fixed).
Log on through SSH to the Access Server and obtain root privileges. Then run these commands:
```bash
cd /usr/local/openvpn_as/scripts
./sacli --key vpn.client.client_sockbuf --value 0 ConfigPut
./sacli --key vpn.server.server_sockbuf_tcp --value 0 ConfigPut
./sacli --key vpn.server.server_sockbuf_udp --value 0 ConfigPut
./sacli start
```
As the deployment takes approximately 3.5 hours from start to finish, it can be useful to monitor its progress via e-mail. To disable this you need to set "send_mail: false" in the /group_vars/general/vars.yml file (it is enabled by default). You will also need to complete all the "Status Mail Settings" in the vault.yml file.
The initial steps can be monitored from your local host machine, but once it gets to the osa-deploy.yml where Ansible on the deployment host takes over to run the setup-hosts.yml, setup-infrastructure.yml and setup-openstack.yml playbooks, you will need to connect to the deployment host if you want to monitor their progress.
Run the following command on the deployment host to monitor the deployment progress:
tail -f /openstack/log/ansible-logging/ansible.log
It is normal for the deployment to appear to hang on "TASK [repo_build : Create OpenStack-Ansible requirement wheels]"; just be patient and allow it time to complete.
If you have problems with failures when running "ansible-playbook site.yml", comment out the steps which run "setup-hosts.yml, setup-infrastructure.yml and setup-openstack.yml" at the end of the osa-prep.yml playbook, and also the console-vm.yml in site.yml. Run ansible-playbook site.yml, then when it finishes, connect to the deployment host, run the above steps one by one, and troubleshoot any issues found.
If you have problems with the importing of images, ensure Swift is functioning, as Glance is using this as its backend. On occasion I have had success by simply re-running the os-swift-install.yml playbook directly from the deployment host. The install playbooks can be found in /opt/openstack-ansible/playbooks.