In a joint meetup with the Sydney Puppet User Group, Michael will demonstrate how to build an OpenStack distro from scratch using the community OpenStack Puppet modules. In an interactive session with the audience, we’re going to pick a Linux distro, use the roles + profiles pattern, use Hiera to populate data, and build up a complete OpenStack cluster inside VMs running the OpenStack Identity, Image, Compute and Networking services. Although there are vendor tools available that can assist with this process, such as Fuel, Cisco OpenStack Installer and Aptira's own Stacktira, understanding how the modules fit together will allow an operator to easily add their own customisations to any of these systems. Michael has been working in the cloud computing space, both in a research and enterprise context for several years, with OpenStack production experience stretching all the way back to the third release, 'Cactus'. He leads the Aptira software engineering team in developing deployment and operations tools for OpenStack. Michael is a maintainer of and a driving force behind the most widely used OpenStack deployment tool set, Puppet-OpenStack. He holds a Bachelor of Software Engineering with Honours from Australian National University and is regularly invited back to his alma mater to guest lecture.
Puppet + OpenStack
Michael Chapman
OpenStack has two major organisations on GitHub:
openstack
stackforge
The openstack organisation contains all of the code for the official projects - nova,
neutron, docs etc.
These are projects that have gone through the official community graduation process
and are part of the integrated release.
The stackforge organisation, on the other hand, has very low requirements in order to
have a repository added. This gives things that are related to OpenStack an official repository around
which communities can form.
This is where the community puppet modules are located.
https://github.com/stackforge/puppet-*
Today I’m going to make a 2 node OpenStack cluster in vagrant using these
modules + other puppet modules.
I’m not starting from nothing, because there’s a bit of boilerplate that’s tedious to
write but necessary.
1. Vagrantfile
We have two nodes defined. Each is going to run a bash script, and then run puppet.
Both nodes have 3 network interfaces defined.
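Networks:
192.168.242.0/24 deploy
10.2.4.0/24 public
10.4.4.0/24 internal
[Diagram: two nodes, control and compute, attached to the three networks.
control: nova, keystone, glance, neutron, mysql, rabbitmq, ovs
compute: VMs, neutron, nova, ovs, libvirt, qemu]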
2. Bash script
I use an idempotent bash script that prepares nodes to run puppet. (Can be
safely run multiple times)
install and configure [proxy, repo, puppet, fqdn]
Turn off the firewall.
Let’s not deal with that today.
OpenStack is going to add its own rules to iptables, so when you do manage the firewall, be careful to do it in a
non-destructive way.
3. Hiera
I use a very simple hiera.yaml for this tutorial, but my prod one is a lot deeper.
Use facts to separate your data out: hostname, role, environment etc.
We’re going to do something along the lines of ‘nodeless puppet’, where we define our
roles as a list of classes in hiera.
Profiles are handy where you need more logic for sub-choices, e.g. ‘I want neutron with
plugin X’, but we won’t need them.
4. Site.pp
Our base site manifest is going to determine its role based on hostname, and then load
the classes to include by looking up that key from hiera.
Also has a resource to make sure the kernel is always the latest.
I’ll talk about this later.
5. Puppetfile
This is used along with librarian-puppet to install modules from github.
Use Puppetfile to install:
puppet-* from stackforge
puppetlabs-mysql
puppetlabs-rabbitmq
puppetlabs-stdlib
puppet-openstack_extras from gh/aptira
puppet-vswitch from gh/aptira
I’m using the Aptira forks to get a couple of patches that are under review, but not yet
merged.
What are our roles?
Compute: runs hypervisor
Control: runs everything else.
Need to set up our repos:
openstack_extras::repo::redhat::redhat
This is currently under review upstream but should be the default for Juno. Use the Aptira
repo at: https://github.com/aptira/puppet-openstack_extras
openstack_extras::repo::redhat::redhat::repo_hash:
  'CentOS-Base':
    'descr': 'CentOS-$releasever - Base'
    'baseurl': "%{hiera('yum_base_mirror')}/$releasever/os/$basearch/"
  'CentOS-Updates':
    'descr': 'CentOS-$releasever - Updates'
    'baseurl': "%{hiera('yum_base_mirror')}/$releasever/updates/$basearch/"
  'CentOS-Extras':
    'descr': 'CentOS-$releasever - Extras'
    'baseurl': "%{hiera('yum_base_mirror')}/$releasever/extras/$basearch/"
  'epel':
    'descr': 'Extra Packages for Enterprise Linux 6 - $basearch'
    'baseurl': "%{hiera('yum_epel_mirror')}/$releasever/$basearch/"
    'gpgkey': 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6'
    'failovermethod': 'priority'
openstack_extras::repo::redhat::redhat::gpgkey_hash:
  '/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6':
    'source': 'puppet:///modules/openstack_extras/RPM-GPG-KEY-EPEL-6'
Interpolation
control_internal: 10.4.4.10
keystone::database_connection: "mysql://keystone:key_pass@%{hiera('control_internal')}/keystone"
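A small Ruby model of the lookups described in the Hiera, Site.pp and Interpolation slides: hostname to role, role key to class list, and expansion of hiera() tokens with loop detection. This is an added example, not code from the talk and not Hiera's own implementation; the hostname convention, the function names and the shortened role lists are assumptions.

```ruby
# Constructed sample data. Only control_internal and
# keystone::database_connection are taken from the slides; the role lists
# are shortened versions of the class lists shown later in the deck.
HIERA_DATA = {
  'control_internal' => '10.4.4.10',
  'keystone::database_connection' =>
    "mysql://keystone:key_pass@%{hiera('control_internal')}/keystone",
  'control' => ['mysql::server', 'keystone', 'keystone::db::mysql'],
  'compute' => ['nova', 'nova::compute', 'nova::compute::libvirt']
}.freeze

# Matches one %{hiera('key')} token inside a string value.
HIERA_CALL = /%\{hiera\(['"]([^'"]+)['"]\)\}/

# Assumption: hostnames look like control1 or compute2.example.com, and the
# role is the short hostname with trailing digits removed.
def role_for(hostname)
  hostname.split('.').first.sub(/\d+\z/, '')
end

# Look up a key and expand the hiera() tokens in its value. `seen` holds the
# keys on the current lookup path, so a key that refers back to itself raises
# instead of recursing forever.
def lookup(key, data = HIERA_DATA, seen = [])
  raise KeyError, "no such key: #{key}" unless data.key?(key)
  if seen.include?(key)
    raise ArgumentError, "interpolation loop: #{(seen + [key]).join(' -> ')}"
  end

  expand(data[key], data, seen + [key])
end

# Expand tokens in strings, and recurse into arrays and hashes.
def expand(value, data, seen)
  case value
  when String
    value.gsub(HIERA_CALL) { lookup(Regexp.last_match(1), data, seen).to_s }
  when Array then value.map { |v| expand(v, data, seen) }
  when Hash  then value.transform_values { |v| expand(v, data, seen) }
  else value
  end
end

# What the site manifest does per node: hostname -> role -> classes to include.
def classes_for(hostname, data = HIERA_DATA)
  Array(lookup(role_for(hostname), data))
end
```

A hostname whose role has no key in the data raises KeyError, so a mistyped node name fails loudly instead of producing a node with no classes.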
Start with mysql
mysql::server
Add keystone to control
keystone
keystone::roles::admin
keystone::db::mysql
auth creds:
openstack::auth_file
Add glance to control node
glance::api
glance::registry
glance::backend::file
glance::db::mysql
glance::keystone::auth
Rabbit for nova, neutron
There’s a wrapper provided in the nova module.
nova::rabbitmq
Horrible anti-pattern. Don’t do this in your own modules.
Add nova to control node
nova
nova::api
nova::scheduler
nova::network::neutron
nova::conductor
nova::db::mysql
nova::keystone::auth
Add neutron
neutron
neutron::server
neutron::server::notifications
neutron::agents::metadata
neutron::agents::dhcp
neutron::agents::ml2::ovs
neutron::plugins::ml2
neutron::db::mysql
neutron::keystone::auth
We should be able to interact with the cloud now, even though there aren’t any
hypervisors.
Compute node
nova
nova::compute
nova::compute::libvirt
nova::compute::neutron
nova::network::neutron
neutron
neutron::plugins::ml2
neutron::agents::ml2::ovs