Slide 1

Slide 1 text

HANDS-ON SESSION: OPENSTACK

Enrique Fernández Casado

Slide 2

Slide 2 text

Ericsson Internal | 2012-01-30 | Page 2

GOAL

The goal of this hands-on session is to get you started with OpenStack. By the end of this session you should:

- Be familiar with most of the OpenStack concepts.
- Be able to drive your own OpenStack installation.
- Be able to use OpenStack to deploy Cloud services.

Slide 3

Slide 3 text

AUTHOR / SPEAKER

Enrique Fernández Casado received both his Master in Computer Science and Security and his Bachelor in Computer Science (Software Engineering track) from the Universitat Rovira i Virgili, Tarragona, Spain, in 2011 and 2009, respectively. Before joining Ericsson AB in 2011 as a Research Engineer in the area of Packet Technologies, he worked for the 'Arquitecturas y Servicios Telemáticos' (AST) research group, conducting state-of-the-art research in the field of Distributed Systems and Peer-to-Peer Networks. As a result of his work at AST he authored several international research publications.

Since he joined Ericsson he has been involved in different Cloud-related activities, ranging from prototyping tasks to more theoretical ones. Before joining the EU FP7 project SAIL, the project he is currently contributing to, Enrique also participated in the internal Ericsson Research Cloud project. His interests include Distributed Systems, Cloud and Peer-to-Peer Computing, and Software Engineering.

Slide 4

Slide 4 text

STRUCTURE OF THIS SESSION

Introduction (~10 min.)
• 10.000ft overview of OpenStack

Hands-on session (~80-110 min.)
• Getting started with OpenStack

Slide 5

Slide 5 text

OPENSTACK: A 10.000ft introduction

Slide 6

Slide 6 text

THE PROJECT

› A Cloud Management Platform designed to ease the management of private and public clouds, while avoiding vendor lock-in.
› Originally started by NASA and Rackspace Hosting.
› Now supported by 100+ companies around the world.
  – Ericsson is one of them.

OpenStack Releases

1. Austin (October, 2010)
2. Bexar (February, 2011)
3. Cactus (April, 2011)
4. Diablo (October, 2011)
5. Essex (April, 2012)
6. Folsom (October, 2012)
7. Grizzly (2013?)
8. H? (2013?)

Slide 7

Slide 7 text

NOVA (a.k.a. COMPUTE)

Provides functionality to create instances, manage networks, and control access through users and projects.

› nova-api. Entry point to the system. Triggers most of the orchestration activities in response to incoming end-user requests.
› nova-scheduler. Determines which compute host an instance should be created on.
› nova-network. In charge of manipulating the network. Will eventually be replaced by Quantum.
› nova-compute. Responsible for manipulating (create, reboot, stop, terminate, …) instances.

Slide 8

Slide 8 text

GLANCE (a.k.a. IMAGE)

Provides a RESTful interface for managing virtual disk images, which can be stored in a variety of back-end stores:

§ Local storage device
§ OpenStack Object Storage
§ Amazon Simple Storage Service (S3)
§ …

Slide 9

Slide 9 text

QUANTUM (a.k.a. NETWORK)

Provides an API to define network connectivity between devices from other OpenStack services (mainly, Nova VMs).

It supports multiple network virtualization plugins, such as OpenVSwitch, Nicira NVP, Linux Bridge Networking, …

Most of the plugins come in the form of a Quantum Agent (which is nothing but a script running on the same host as nova-compute). The agent contacts the central Quantum Service to gather configuration information, and communicates directly with the local network virtualization driver to set the desired connectivity between OpenStack devices.

Slide 10

Slide 10 text

KEYSTONE (a.k.a. IDENTITY)

Responsible for authenticating, authorizing, and managing tenant, user, role and service information.

§ Create Tenants.
§ Create Users and associate them to existing Tenants.
§ Define different Roles for different Users.
§ Issue Authentication Tokens.
§ Validate incoming requests.
§ …

The user first authenticates himself by using the username and password that (hopefully) he (and only he) knows. After confirming the provided credentials are valid, Keystone will issue the user a token which he can then provide to demonstrate that his identity has been authenticated.

Slide 11

Slide 11 text

OPENSTACK COMPONENTS (I)

Slide 12

Slide 12 text

LET’S GET STARTED!

Slide 13

Slide 13 text

REQUIREMENTS

› 10GB of free storage (at least)
› 2GB of RAM (at least)
› Internet access
› Linux flavor as host operating system (preferably)
› VirtualBox hypervisor installed on your laptop
› A (VirtualBox) VM running Ubuntu Desktop 12.04 32 bits

Slide 14

Slide 14 text

WHAT WE ARE ABOUT TO DEPLOY

[Diagram labels: Laptop; openstack_node (nova-api, nova-scheduler, nova-network, nova-compute, quantum-server, quantum-dhcp, quantum-openvswitch-agent); OpenVSwitch Bridge; VM1; VM2]

Slide 15

Slide 15 text

SETTING-UP THE ENVIRONMENT

Beware! Do not forget to generate a new MAC address.

Slide 16

Slide 16 text

LET’S INSTALL IT!

Slide 17

Slide 17 text

PRELIMINARY STEPS (1 of 3)

› First, we make sure we are installing OpenStack's latest release, Folsom, and not an older one.

    sudo su
    apt-get install ubuntu-cloud-keyring
    echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/folsom main" >> /etc/apt/sources.list
    apt-get update

Slide 18

Slide 18 text

PRELIMINARY STEPS (2 of 3)

› Then, we install some software dependencies common to all the OpenStack components we are about to install.

    apt-get install -y mysql-server python-mysqldb
    apt-get install -y rabbitmq-server

Remember! In this tutorial we assume the password of MySQL's root user to be root.

Slide 19

Slide 19 text

PRELIMINARY STEPS (3 of 3)

› Finally, create the databases for all OpenStack components.

    mysql> CREATE DATABASE keystone;
    mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
    mysql> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
    mysql> CREATE DATABASE glance;
    mysql> GRANT ALL ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
    mysql> GRANT ALL ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
    mysql> CREATE DATABASE quantum;
    mysql> GRANT ALL ON quantum.* TO 'quantum'@'%' IDENTIFIED BY 'quantum';
    mysql> GRANT ALL ON quantum.* TO 'quantum'@'localhost' IDENTIFIED BY 'quantum';
    mysql> CREATE DATABASE nova;
    mysql> GRANT ALL ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
    mysql> GRANT ALL ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';

Slide 20

Slide 20 text

KEYSTONE INSTALLATION (1 of 4)

› Install Keystone's package.

    apt-get install -y keystone

› Edit Keystone's configuration file, "/etc/keystone/keystone.conf", to make use of the MySQL database we created in the previous slide; do not forget to set an administration token.
› Restart the keystone service to apply the changes.

    service keystone restart

› Create all the database tables required by Keystone.

    keystone-manage db_sync

Beware! Verify that the tables required by Keystone have been created.

    mysql -ukeystone -pkeystone keystone
    mysql> SHOW TABLES;

Slide 21

Slide 21 text

KEYSTONE INSTALLATION (2 of 4)

› Now that we have Keystone properly configured, we proceed with the creation of tenants, users, roles, services and end-points; and the assignment of users to tenants, roles to users, services to tenants, and end-points to services.
› First, we create an end-user tenant (ericsson), and another tenant (service), as a placeholder for the services being offered.

    keystone tenant-create --name ericsson
    keystone tenant-create --name service

Beware! Before issuing the above-mentioned commands, the following environment variables need to be set:

    export SERVICE_ENDPOINT=http://localhost:35357/v2.0/
    export SERVICE_TOKEN=$ADMIN_TOKEN

Slide 22

Slide 22 text

KEYSTONE INSTALLATION (3 of 4)

› Once both tenants have been created, we create the admin user for the (end-user) ericsson tenant, and the glance, quantum and nova users for the service tenant; we also create an administrator (admin) role, and assign it to all the users we have just created.

    keystone user-create --tenant-id $TENANT_ID --name $USERNAME --pass $PASS
    keystone role-create --name admin
    keystone user-role-add --user-id $USER_ID --tenant-id $TENANT_ID --role-id $ROLE_ID

Tip! You can use the following commands to list the tenant, user and role ids:

    keystone tenant-list
    keystone user-list
    keystone role-list

Slide 23

Slide 23 text

KEYSTONE INSTALLATION (4 of 4)

› The last step is to create the services and their end-points.

    keystone service-create --name keystone --type identity
    keystone service-create --name quantum --type network
    keystone service-create --name glance --type image
    keystone service-create --name nova --type compute

    keystone endpoint-create --service-id $KEYSTONE_SERVICE_ID \
        --publicurl=http://localhost:5000/v2.0 \
        --internalurl=http://localhost:5000/v2.0 \
        --adminurl=http://localhost:35357/v2.0
    keystone endpoint-create --service-id $NOVA_SERVICE_ID \
        --publicurl 'http://localhost:8774/v2/%(tenant_id)s' \
        --internalurl 'http://localhost:8774/v2/%(tenant_id)s' \
        --adminurl 'http://localhost:8774/v2/%(tenant_id)s'
    keystone endpoint-create --service-id $QUANTUM_SERVICE_ID \
        --publicurl http://localhost:9696 \
        --internalurl http://localhost:9696 \
        --adminurl http://localhost:9696
    keystone endpoint-create --service-id $GLANCE_SERVICE_ID \
        --publicurl http://localhost:9292/v1 \
        --internalurl http://localhost:9292/v1 \
        --adminurl http://localhost:9292/v1

Slide 24

Slide 24 text

GLANCE INSTALLATION (1 of 2)

› Install Glance's packages.

    apt-get install -y glance glance-api glance-common glance-registry
    apt-get install -y python-glanceclient python-glance

› Edit both glance-api and glance-registry configuration files, "/etc/glance/glance-api.conf" and "/etc/glance/glance-registry.conf", to set Keystone and MySQL configuration details; do not forget to append the following lines at the end of both configuration files.

    [paste_deploy]
    config_file = /etc/glance/glance-[registry|api]-paste.ini
    flavor = keystone

› Restart glance-api and glance-registry services to apply the changes.

    service glance-api restart; service glance-registry restart

Slide 25

Slide 25 text

GLANCE INSTALLATION (2 of 2)

› Initialize Glance's database.

    glance-manage version_control 0; glance-manage db_sync

› Download a test image.

    wget https://launchpad.net/cirros/trunk/0.3.0/+download/cirros-0.3.0-i386-disk.img

› Register the image in Glance.

    glance add name="CirrOS i386" is_public=true disk_format=qcow2 container_format=bare < cirros-0.3.0-i386-disk.img

Beware! Before issuing the last command, the following environment variables need to be set:

    export OS_AUTH_URL=http://localhost:5000/v2.0/
    export OS_TENANT_NAME=ericsson
    export OS_USERNAME=admin
    export OS_PASSWORD=admin

Slide 26

Slide 26 text

QUANTUM INSTALLATION (1 of 3)

› Install quantum-server.

    apt-get -y install quantum-server python-cliff python-pyparsing

› Install Quantum's DHCP agent.

    apt-get -y install quantum-dhcp-agent

› Install Quantum's OpenVSwitch plugin and agent.

    apt-get -y install quantum-plugin-openvswitch quantum-plugin-openvswitch-agent

› Edit Quantum's configuration file, "/etc/quantum/quantum.conf", to set Keystone as the authentication strategy.

    auth_strategy = keystone

› Edit the "/etc/quantum/api-paste.ini" configuration file and set Keystone credentials.

Slide 27

Slide 27 text

QUANTUM INSTALLATION (2 of 3)

› Edit the OpenVSwitch plugin configuration file, "/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini", to point to the previously created MySQL database.
› Make sure OpenVSwitch is running.

    service openvswitch-switch restart

› Create the OpenVSwitch integration bridge (it has to be created on all machines running the OpenVSwitch agent).

    ovs-vsctl add-br br-int

› Restart all Quantum services.

    service quantum-server restart; service quantum-dhcp-agent restart; service quantum-plugin-openvswitch-agent restart

Slide 28

Slide 28 text

QUANTUM INSTALLATION (3 of 3)

› Create a Quantum network.

    quantum net-create net1

› Define a subnet for the previously created Quantum network.

    quantum subnet-create net1 10.0.0.0/24

Slide 29

Slide 29 text

NOVA INSTALLATION (1 of 3)

› Install libvirt and KVM packages.

    apt-get install -y qemu-kvm libvirt-bin

› Edit libvirt's QEMU configuration file, "/etc/libvirt/qemu.conf", as follows to enable libvirt to create tun/tap devices in the host machine.

    cgroup_device_acl = [
        "/dev/null", "/dev/full", "/dev/zero",
        "/dev/random", "/dev/urandom",
        "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
        "/dev/rtc", "/dev/hpet", "/dev/net/tun"
    ]

Slide 30

Slide 30 text

NOVA INSTALLATION (2 of 3)

› Install Nova's packages.

    apt-get install -y nova-compute nova-api nova-scheduler nova-network

› Add the following flags into Nova's configuration file, "/etc/nova/nova.conf".
› Edit the nova-compute configuration file, "/etc/nova/nova-compute.conf", as follows.

    api_paste_config=/etc/nova/api-paste.ini
    sql_connection=mysql://nova:nova@localhost/nova
    auth_driver=nova.auth.dbdriver.DbDriver
    auth_strategy=keystone
    network_api_class=nova.network.quantumv2.api.API
    quantum_url=http://localhost:9696
    quantum_auth_strategy=keystone
    quantum_admin_tenant_name=service
    quantum_admin_username=quantum
    quantum_admin_password=quantum
    quantum_admin_auth_url=http://localhost:35357/v2.0
    image_service=nova.image.glance.GlanceImageService
    glance_api_servers=http://localhost:9292
    libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtOpenVswitchDriver
    libvirt_use_virtio_for_bridges=True
    compute_driver=nova.virt.libvirt.LibvirtDriver
    libvirt_type=qemu

    mkdir /usr/lib/python2.7/dist-packages/instances
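
The database grants from PRELIMINARY STEPS (3 of 3) and the sql_connection flag above give every service account a password equal to its username, and half of the grants accept connections from any host ('%'). The following check is an added example, not part of the original slides; the function names and issue labels are assumptions made for illustration. It flags both conditions before the same settings are carried beyond a single-laptop lab.

```python
import re

# Statements and flag copied from the slides (straight quotes), used as sample input.
SAMPLE_SQL = """
GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
GRANT ALL ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
"""
SAMPLE_CONF = "auth_strategy=keystone\nsql_connection=mysql://nova:nova@localhost/nova\n"

GRANT_RE = re.compile(
    r"GRANT\s+.+?\s+ON\s+\S+\s+TO\s+'(?P<user>[^']+)'@'(?P<host>[^']+)'"
    r"\s+IDENTIFIED\s+BY\s+'(?P<password>[^']*)'", re.IGNORECASE)
URL_RE = re.compile(
    r"^\s*(?P<flag>\w+)\s*=\s*mysql://(?P<user>[^:@/]+):(?P<password>[^@]*)@",
    re.MULTILINE)


def audit_grants(sql_text):
    """Return (account, issue) pairs for every risky GRANT statement found."""
    findings = []
    for m in GRANT_RE.finditer(sql_text):
        account = "%s@%s" % (m.group("user"), m.group("host"))
        if m.group("host") == "%":
            # Account is reachable from any network address, not only this node.
            findings.append((account, "wildcard-host"))
        if m.group("password") == m.group("user"):
            findings.append((account, "password-equals-username"))
    return findings


def audit_conf(conf_text):
    """Return (flag, issue) pairs for connection URLs whose password equals the user."""
    return [(m.group("flag"), "password-equals-username")
            for m in URL_RE.finditer(conf_text)
            if m.group("password") == m.group("user")]


if __name__ == "__main__":
    for item in audit_grants(SAMPLE_SQL) + audit_conf(SAMPLE_CONF):
        print("%-22s %s" % item)
```
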

Slide 31

Slide 31 text

NOVA INSTALLATION (3 of 3)

› Set Keystone credentials in "/etc/nova/api-paste.ini".
› Create all database tables required by Nova.

    nova-manage db sync

› Restart all Nova services to apply changes.

    service nova-api restart; service nova-scheduler restart; service nova-network restart; service nova-compute restart

Slide 32

Slide 32 text

CONGRATULATIONS, YOU HAVE JUST FINISHED YOUR FIRST OPENSTACK DEPLOYMENT! :-)

Slide 35

Slide 35 text

WALK-THROUGH (1 of 4)

› Get an authentication token.

    curl -X POST -H "Content-type: application/json" http://localhost:5000/v2.0/tokens \
        -d "{\"auth\": {\"passwordCredentials\": {\"username\": \"$USER_NAME\", \"password\": \"$USER_PASS\"}, \"tenantId\": \"$TENANT_ID\"}}"

› List all available images and get the ID of the image we registered in Glance a few steps ago.

    curl -X GET -H "Accept: application/json" http://localhost:8774/v2/$TENANT_ID/images

    401 Unauthorized

    curl -X GET -H "Accept: application/json" -H "X-Auth-Token: $AUTH_TOKEN" http://localhost:8774/v2/$TENANT_ID/images

› List all available flavors and choose the one that best meets your hardware requirements.

    curl -X GET -H "Accept: application/json" -H "X-Auth-Token: $AUTH_TOKEN" http://localhost:8774/v2/$TENANT_ID/flavors
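
The token exchange described on the KEYSTONE (a.k.a. IDENTITY) slide and driven with curl in this walk-through, as an added example that is not part of the original slides. The response below is a constructed sample in the Keystone v2.0 layout (token id, tenant, roles, service catalog); all values and function names are assumptions. It builds the request body with proper JSON escaping, reads the token and the compute end-point from the response, and refuses to build request headers in the case where the API would answer 401.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a Keystone v2.0 "POST /tokens" response (all values made up).
SAMPLE_RESPONSE = json.dumps({"access": {
    "token": {"id": "EXAMPLE-TOKEN-0001", "expires": "2012-01-31T10:00:00Z",
              "tenant": {"id": "EXAMPLE-TENANT", "name": "ericsson"}},
    "user": {"name": "admin", "roles": [{"name": "admin"}]},
    "serviceCatalog": [
        {"type": "identity", "name": "keystone",
         "endpoints": [{"publicURL": "http://localhost:5000/v2.0"}]},
        {"type": "compute", "name": "nova",
         "endpoints": [{"publicURL": "http://localhost:8774/v2/EXAMPLE-TENANT"}]}]}})


def build_auth_body(username, password, tenant_id):
    """Request body for POST /v2.0/tokens; json.dumps quotes and escapes every value."""
    return json.dumps({"auth": {
        "passwordCredentials": {"username": username, "password": password},
        "tenantId": tenant_id}})


def parse_access(response_text):
    """Return (token_id, expiry, tenant_id, roles) from the token response."""
    access = json.loads(response_text)["access"]
    token = access["token"]
    expiry = datetime.strptime(token["expires"], "%Y-%m-%dT%H:%M:%SZ")
    roles = [role["name"] for role in access["user"].get("roles", [])]
    return token["id"], expiry.replace(tzinfo=timezone.utc), token["tenant"]["id"], roles


def endpoint_for(response_text, service_type):
    """Public URL of the first end-point registered for a service type."""
    for service in json.loads(response_text)["access"].get("serviceCatalog", []):
        if service["type"] == service_type and service["endpoints"]:
            return service["endpoints"][0]["publicURL"]
    raise LookupError("no %s end-point in the service catalog" % service_type)


def request_headers(token_id, expiry, now):
    """Headers for a Nova call; fail early where the API would answer 401."""
    if not token_id or now >= expiry:
        raise PermissionError("missing or expired token: expect 401 Unauthorized")
    return {"Accept": "application/json", "X-Auth-Token": token_id}


if __name__ == "__main__":
    token_id, expiry, tenant_id, roles = parse_access(SAMPLE_RESPONSE)
    now = datetime(2012, 1, 30, 12, 0, tzinfo=timezone.utc)
    print(build_auth_body("admin", "admin", tenant_id))
    print(endpoint_for(SAMPLE_RESPONSE, "compute") + "/images")
    print(request_headers(token_id, expiry, now), roles)
```
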

Slide 36

Slide 36 text

WALK-THROUGH (2 of 4)

› Create two VMs.

    curl -X POST -H "Content-type: application/json" -H "X-Auth-Token: $AUTH_TOKEN" \
        http://localhost:8774/v2/$TENANT_ID/servers \
        -d "{\"server\": {\"name\": \"VM1\", \"imageRef\": \"$IMAGE_ID\", \"flavorRef\": 1}}"
    curl -X POST -H "Content-type: application/json" -H "X-Auth-Token: $AUTH_TOKEN" \
        http://localhost:8774/v2/$TENANT_ID/servers \
        -d "{\"server\": {\"name\": \"VM2\", \"imageRef\": \"$IMAGE_ID\", \"flavorRef\": 1}}"

Tip! When deployed, a VM gets assigned as many VIFs as there are shared networks defined in Quantum, plus the project-specific ones. To change this behavior, add the UUIDs of the networks you want the VM to be connected to into the body of the "create VM" request:

    "networks": [{"uuid": "$NETWORK_UUID"}]

Slide 37

Slide 37 text

WALK-THROUGH (3 of 4)

› Check how many running VMs you have.

    virsh list --all
    curl -X GET -H "Accept: application/json" -H "X-Auth-Token: $AUTH_TOKEN" http://localhost:8774/v2/$TENANT_ID/servers

› Install virt-viewer on your compute host and log in to the deployed VMs.

    apt-get install -y virt-viewer
    virt-viewer $VM_ID &

Beware! The virsh and virt-viewer commands interact directly with the hypervisor, which means you might need to run these commands on each compute host (machine running the nova-compute service).

Slide 38

Slide 38 text

WALK-THROUGH (4 of 4)

› Delete the deployed VMs.

    curl -X GET -H "Accept: application/json" -H "X-Auth-Token: $AUTH_TOKEN" http://localhost:8774/v2/$TENANT_ID/servers
    curl -X DELETE -H "Accept: application/json" -H "X-Auth-Token: $AUTH_TOKEN" http://localhost:8774/v2/$TENANT_ID/servers/$VM_ID

› Make sure the VMs have been deleted.

    virsh list --all
    curl -X GET -H "Accept: application/json" -H "X-Auth-Token: $AUTH_TOKEN" http://localhost:8774/v2/$TENANT_ID/servers

Slide 39

Slide 39 text

CONGRATULATIONS, YOU HAVE DEPLOYED YOUR FIRST SET OF VIRTUAL MACHINES USING OPENSTACK! :-)

Slide 40

Slide 40 text

No content

Slide 41

Slide 41 text

KEYSTONE (SCRIPTED) SET UP

› Download Keystone's initialization script.

    apt-get install -y git-core python-yaml
    git clone https://github.com/nimbis/keystone-init

› Edit "./keystone-init/config.yaml" as follows:

    sed -i "s/192.168.206.130/localhost/g" ./keystone-init/config.yaml
    sed -i "s/openstackDemo/ericsson/g" ./keystone-init/config.yaml
    sed -i "s/012345SECRET99TOKEN012345/$ADMIN_TOKEN/g" ./keystone-init/config.yaml
    sed -ri "s/adminUser|secretword/admin/g" ./keystone-init/config.yaml

› Add quantum/quantum to the service users list in the same file.
› Append the following to the end of the same file.

    - name: quantum
      type: network
      description: Quantum Network Service
      region: RegionOne
      publicurl: http://localhost:9696
      internalurl: http://localhost:9696
      adminurl: http://localhost:9696

› Run the script.

    ./keystone-init/keystone-init.py ./keystone-init/config.yaml