Maas and Juju and Openstack

De Seguridad Wireless
Saltar a: navegación, buscar
HOWTO IN PROGRESS

Introduction

In this HOW-TO we are going to install MAAS on a physical server to deploy an OPENSTACK enviroment with JUJU, and all server with KVM (virsh) virtual machines.

First of all we are going to use one physical server:

  • RAM: 200GB
  • HD: 300GB
  • CPU: Xeon E5-2670 (32 Cores)

We can start installing Ubuntu 16.04 and upgrading our distro. Our actual network config (/etc/network/interfaces)


   auto ens2f0
   iface ens2f0 inet static
       address 10.111.0.200
       netmask 255.255.254.0
       network 10.111.0.0
       broadcast 10.111.1.255
       gateway 10.111.1.254
       dns-nameservers 8.8.8.8
       dns-search hadrianweb.net


Installing and configuring MAAS

Add the repository of maas:

sudo add-apt-repository ppa:maas/next

Then we have to install MAAS region and rack, so:

   sudo apt install maas

Next, we have to create the admin user, and input the data for our user:

   sudo maas createadmin

Now we are going to http://10.111.0.200/MAAS to configure MAAS, an important thing is to set "DNS Forward" MAAS_SSH_Forward

Now we are going to generete SSH keys for maas and KVM, where our ubuntu username is "openstack"

   sudo su
   sudo chsh -s /bin/bash maas  
   sudo su - maas  
   ssh-keygen -f ~/.ssh/id\_rsa -N ""  
   logout
   mkdir /home/openstack/.ssh
   sudo cat ~maas/.ssh/id\_rsa.pub | tee -a /home/openstack/.ssh/authorized_keys
   cp /var/lib/maas/.ssh/id_rsa* /home/openstack/.ssh/
   chown -R openstack:openstack /home/openstack/.ssh/
   exit

Now get public ssh key and paste on MAAS web:

   cat ~/.ssh/id_rsa.pub 

MAAS_SSH_keys

Now we are going to Settings to deactivate autodiscover.

MAAS_Autodiscover

Now we are going to install the packages for KVM:

   sudo apt-get -y install libvirt-bin linux-image-extra-virtual kvm virt-manager

And then we add user maas to KVM group:

   sudo usermod -G libvirtd -a maas

To test we can execute (changing openstack with our user en IP)

   sudo -H -u maas     bash -c 'virsh -c qemu+ssh://openstack@10.111.0.200/system list --all'

Configuring the network, we make a bridge on second interface:

   auto ens2f0
   iface ens2f0 inet static
       address 10.111.0.200
       netmask 255.255.254.0
       network 10.111.0.0
       broadcast 10.111.1.255
       gateway 10.111.1.254
   
   auto ens2f1
   iface ens2f1 inet manual
   
   auto br0
   iface br0 inet static
       bridge_ports ens2f1
       address 10.111.0.202
       netmask 255.255.254.0
       gateway 10.111.1.254

Now we have to edit KVM bridge to use our "br0"

sudo virsh net-edit default

Default file is:

   <network>
     <name>default</name>
     <uuid>3420925b-0745-47ed-a8e8-80c380eb7490</uuid>
     <forward mode='nat'/>
     <bridge name='virbr0' stp='on' delay='0'/>
     <mac address='52:54:00:f4:05:24'/>
     <ip address='192.168.122.1' netmask='255.255.255.0'>
       <dhcp>
         <range start='192.168.122.2' end='192.168.122.254'/>
       </dhcp>
     </ip>
   </network>

Make changes like that:

   <network>
     <name>default</name>
     <uuid>3420925b-0745-47ed-a8e8-80c380eb7490</uuid>
     <forward mode='bridge'/>
     <bridge name='br0' />
   </network>

After that we are going to reboot the machine to apply all changes.

   sudo reboot

Now we have to delete default kvm bridge (virtbr0) on MAAS, go to subnets click on 192.168.122.0/24 and delte subnet.

MAAS_Delete_Subnet

Add a Relay DHCP with our available IPs, on our subnet click on VLAN --> Untagged and then click top right "Provide DHCP", this is not optional, is needed for PXE.

Create the folder where we are going to store our images:

   sudo mkdir -p /var/kvm/images/

Now we have to create the first virtual machine:

   virt-install \
   --name Juju-Controller-Node \
   --ram 4096 \
   --disk path=/var/kvm/images/Juju-Controller-Node.img,size=15 \
   --network=bridge:br0 \
   --vcpus 1 \
   --os-type linux \
   --os-variant ubuntu16.04 \
   --graphics none \
   --pxe \
   --accelerate \
   --boot network

MAAS_KVM_First_vm

Now we are going to add POD to our MASS server:

MAAS_POD

Now we have added our POD and the virtual machine we added before appears on it.

Configure Open vSwitch on host for several VLANs (Optional)

Sometime we have to pass several VLAN over our host for VMs on Openstack, for that we are going to user Open vSwitch

We are going to start installing the software:

   apt install openvswitch-switch

Then we are going to configure host:

   ovs-vsctl add-br br1
   ovs-vsctl add-port br1 bond0

Create file ovs-net-vlan.xml

   <network>
    <name>ovs-net-vlan</name>
    <forward mode='bridge'/>
    <bridge name='br1'/>
    <virtualport type='openvswitch'/>
    <portgroup name='vlan-all' default='yes'>
      <vlan trunk='yes'>
        <tag id='802'/>
        <tag id='803'/>
        <tag id='804'/>
        <tag id='805'/>
      </vlan>
    </portgroup>
   </network>

And then:

   virsh net-define ovs-net-vlan.xml
   virsh net-start ovs-net-vlan
   virsh net-autostart ovs-net-vlan

Edit VMs with command: virsh edit VM_NAME and change interface content with:

   <interface type='network'>
     <mac address='52:54:00:f0:19:f9'/>
     <source network='ovs-net-vlan' portgroup='vlan-all'/>
     <model type='virtio'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
   </interface>

Installing and configuring JUJU

To continue we have to install Juju and integrate it with our maas server.

   sudo add-apt-repository -yu ppa:juju/stable
   sudo apt install juju

To add MAAS to Juju we are going to create maas.yaml file:

   clouds:
     openstack-cloud:
       type: maas
       auth-types: [oauth1]
       regions:
         openstack-server:
           endpoint: http://10.111.0.200/MAAS

Then execute:

   juju add-cloud openstack-cloud maas.yaml

To check you can list cloud services:

   juju list-clouds

Now we have to add credentials, using data from MAAS get username and API-KEY (on url: http://10.111.0.200/MAAS/account/prefs/ )

   juju add-credential openstack-cloud

Finally execute:

   juju bootstrap

And select your cloud service and then input controller name "Juju-Controller"

Installing Juju GUI (optional)

Now we can install a web gui to manage our Juju enviroment. To do this we only have to execute:

   juju deploy juju-gui

If we want to connect to de web web foi to machine en see the ip than to know user and pass we can execute:

   juju show-controller --show-password

Editing KVM for nested kernel

We have to edit our virtual machines, execute:

virsh edit Openstack-01

And change cpu model with "host-passthrough"

Preparing and installing OPENSTACK

NOTE
Since 12/12/2017 until minimum 27/12/2017

Ubuntu is having problems with packet ubuntu-fan and this is giving us problems with the lxd network bridges, to solve this we have to add new "Repository Packeges" with proposed packets for ubuntu:

ERROR:

failed to start machine 1/lxd/0 (failed to bridge devices: bridge activaction error: bridge activation failed: /usr/sbin/fanctl:
41: /usr/sbin/fanctl: arithmetic expression: expecting primary: " (32-)/4 "
run-parts: /etc/network/if-up.d/ubuntu-fan exited with return code 2
Bringing up bridged interfaces failed, see system logs and /etc/network/interfaces.new
RTNETLINK answers: File exists
), retrying in 10s (10 more attempts)

SOLUTION:

MAAS_Repo_Package

END NOTE

First of all we are going to create a new Juju model for openstack.

   juju add-model openstack-base

Then we are going to MAAS and create 5 machines:

  • openstack01: CPU= 5, MEM=8G, DISK1=32G, DISK2=50G, TAGS=COMPUTE
  • openstack02: CPU= 5, MEM=8G, DISK1=32G, DISK2=50G, TAGS=COMPUTE
  • openstack03: CPU= 5, MEM=8G, DISK1=32G, DISK2=50G, TAGS=COMPUTE
  • openstack04: CPU= 5, MEM=8G, DISK1=32G, DISK2=50G, TAGS=COMPUTE
  • openstack05: CPU= 5, MEM=8G, DISK1=32G, DISK2=50G, TAGS=COMPUTE

After we have to set model tags like:

   juju set-model-constraints tags=COMPUTE

Finally we deploy openstack executing:

   juju deploy cs:bundle/openstack-base-51

For best perfomance we can go to juju-gui and configure our deploy.

We have to take a look at openstack-dashboard and disable ubuntu-theme, on neutron-gateway we have to change the value eno2 to ens2 and finally on ceph-osd we have to change /dev/sdb to a directory like /ceph

Next step we are going to disable ubuntu-theme on machine openstack-dashboard so web connect with ssh and then execute:

mv /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/_10_set_custom_theme.py.example /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/_10_set_custom_theme.py

echo "AVAILABLE_THEMES=[('material', 'Material', 'themes/material')]" > /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/_10_set_custom_theme.py

Next step is to configure Deploy correcto, so via Juju Gui we have to edit next things:

 Neutron-gateway -- eno2 --> ens2
 Ceph-osd -- /dev/sdb --> /ceph
 Openstack-dashboard -- Ubuntu-theme yes --> no
 Nova-cloud-controller -- console-access-protocol blank --> novnc
 

Configure Openstack

Change Horizon logo:

cp logo_openstack.svg /usr/share/openstack-dashboard/openstack_dashboard/static/dashboard/img/logo-splash.svg
cp logo_openstack.svg /var/lib/openstack-dashboard/static/dashboard/img/logo-splash.svg

Adds dropdown menu to web page:

 cat /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/_11_set_domain_dropdown.py
 OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = True
 OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (  ('Spain', 'Spain'), ('Spain', 'Portugal'), ('admin_domain', 'Admin'),  )

Configuring keystone-ldap (flags)

"{
user_tree_dn: 'DC=xxxx,DC=xxxx,DC=xx',
user_filter: '(memberOf=CN=OPENSTACK_GROUP,OU=OPENSTACK,DC=xxxx,DC=xxxx,DC=xx)',
query_scope: sub,
chase_referrals: false,
user_objectclass: person,
user_name_attribute: sAMAccountName,
user_id_attribute: sAMAccountName,
user_mail_attribute: mail,
user_pass_attribute: userPassword,
user_enabled_attribute: userAccountControl,
user_enabled_mask: 2,
user_enabled_default: 512,
user_attribute_ignore: 'password,tenant_id,tenants',
user_allow_create: True,
user_allow_update: True,
user_allow_delete: True,
group_tree_dn: 'OU=OPENSTACK,dc=xxxx,dc=xxxx,dc=xx',
group_allow_create: True,
group_allow_update: True,
group_allow_delete: True,
role_tree_dn: 'OU=OPENSTACK,dc=xxxx,dc=xxxx,dc=xx',
role_allow_create: True,
role_allow_update: True,
role_allow_delete: True,
}"


When using the LDAP backend and connecting to an Active Directory with multiple Domain Controllers, trying to use the root DN (dc=example,dc=com) as the user_tree_dn (or tenant/role_tree_dn) fails with Raw

"Authorization Failed: Unable to communicate with identity service: {"error": {"message": "An unexpected error prevented the server from fulfilling your request. {'info': '000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1', 'desc': 'Operations error'}", "code": 500, "title": "Internal Server Error"}}. (HTTP 500)".

Is it possible to fix this? Yes

This is because python-ldap chases all referrals with anonymous access, which is disabled by default in AD for security reasons.

You can turn off chasing referrals in /etc/openldap/ldap.conf by adding:

REFERRALS off

You can also fix this in the [ldap] section of /etc/keystone/keystone.conf or of /etc/keystone/domains/keystone.<your_domain>.conf

# Override the system's default referral chasing behavior for
# queries. (boolean value)
chase_referrals=false


Notes

We can swich Juju model with command:

   juju switch openstack-base

To destroy a model:

   juju destroy-model openstack-base

To destroy all Juju enviroment:

   juju kill-controller Juju-Controller

To see the status of deployments

   watch --color "juju status --color"