This patch set is part of the documentation update. This patch set removes hard application version numbers from documents to avoid needing frequent update to keep the documents accurate and up-to-date. Change-Id: I81160ca24453e8eeed974a0d1d9e1470e28ffd6d
20 KiB
In order to drive towards a production-ready Openstack solution, our goal is to provide containerized, yet stable persistent volumes that Kubernetes can use to schedule applications that require state, such as MariaDB (Galera). Although we assume that the project should provide a “batteries included” approach towards persistent storage, we want to allow operators to define their own solution as well. Examples of this work will be documented in another section, however evidence of this is found throughout the project. If you have any questions or comments, please create an issue.
Please see the supported application versions outlined in the source variable file.
Other versions and considerations (such as other CNI SDN providers), config map data, and value overrides will be included in other documentation as we explore these options further.
The installation procedures below, will take an administrator from a
new kubeadm
installation to Openstack-Helm deployment.
Kubernetes Preparation
This walkthrough will help you set up a bare metal environment with 5
nodes, using kubeadm
on Ubuntu 16.04. The assumption is
that you have a working kubeadm
environment and that your
environment is at a working state, *prior* to deploying
a CNI-SDN. This deployment procedure is opinionated only to
standardize the deployment process for users and developers, and to
limit questions to a known working deployment. Instructions will expand
as the project becomes more mature.
KubeADM Deployment
Once the dependencies are installed, bringing up a
environment should just require a single command on
the master node:
admin@kubenode01:~$ kubeadm init --kubernetes-version v1.7.5
If your environment looks like this after all nodes have joined the cluster, you are ready to continue:
admin@kubenode01:~$ kubectl get pods -o wide --all-namespaces
kube-system dummy-2088944543-lg0vc 1/1 Running 1 5m kubenode01
kube-system etcd-kubenode01 1/1 Running 1 5m kubenode01
kube-system kube-apiserver-kubenode01 1/1 Running 3 5m kubenode01
kube-system kube-controller-manager-kubenode01 1/1 Running 0 5m kubenode01
kube-system kube-discovery-1769846148-8g4d7 1/1 Running 1 5m kubenode01
kube-system kube-dns-2924299975-xxtrg 0/4 ContainerCreating 0 5m <none> kubenode01
kube-system kube-proxy-7kxpr 1/1 Running 0 5m kubenode02
kube-system kube-proxy-b4xz3 1/1 Running 0 5m kubenode04
kube-system kube-proxy-b62rp 1/1 Running 0 5m kubenode03
kube-system kube-proxy-s1fpw 1/1 Running 1 5m kubenode01
kube-system kube-proxy-thc4v 1/1 Running 0 5m kubenode05
kube-system kube-scheduler-kubenode01 1/1 Running 1 5m kubenode01
Deploying a CNI-Enabled SDN (Calico)
After an initial kubeadmn
deployment has been scheduled,
it is time to deploy a CNI-enabled SDN. We have selected
Calico, but have also confirmed that this works for
Weave, and Romana. For Calico version v2.1, you can apply the provided
Hosted Install manifest:
kubectl create -f http://docs.projectcalico.org/v2.1/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml
After the container CNI-SDN is deployed, Calico has a tool you can
use to verify your deployment. You can download this tool,
to execute the following command:
admin@kubenode01:~$ sudo calicoctl node status
Calico process is running.
IPv4 BGP status
| | node-to-node mesh | up | 16:34:03 | Established |
| | node-to-node mesh | up | 16:33:59 | Established |
| | node-to-node mesh | up | 16:34:00 | Established |
| | node-to-node mesh | up | 16:33:59 | Established |
IPv6 BGP status
No IPv6 peers found.
It is important to call out that the Self Hosted Calico manifest for
v2.1 (above) supports nodetonode
mesh, and
by default. This is a change from version
Setting Up RBAC
Kubernetes >=v1.6 makes RBAC the default admission controller. OpenStack Helm does not currently have RBAC roles and permissions for each component so we relax the access control rules:
kubectl update -f https://raw.githubusercontent.com/openstack/openstack-helm/master/tools/kubeadm-aio/assets/opt/rbac/dev.yaml
Enabling Cron Jobs
OpenStack-Helm's default Keystone token provider is fernet.
To provide sufficient security, keys used to generate fernet tokens need
to be rotated regularly. Keystone chart provides Cron Job for that task,
but it is only deployed when Cron Jobs API is enabled on Kubernetes
cluster. To enable Cron Jobs add
to your kube-apiserver
startup arguments (e.g. in your
manifest). By
default fernet keys will be rotated weekly.
Please note that similar solution is used for keys used to encrypt credentials saved by Keystone. Those keys are also rotated by another Cron Job. By default it is run in a monthly manner.
Preparing Persistent Storage
Persistent storage is improving. Please check our current and/or resolved issues to find out how we're working with the community to improve persistent storage for our project. For now, a few preparations need to be completed.
Installing Ceph Host Requirements
You need to ensure that ceph-common
or equivalent is
installed on each of our hosts. Using our Ubuntu example:
sudo apt-get install ceph-common
Kubernetes Node DNS Resolution
For each of the nodes to know how to reach Ceph endpoints, each host
much also have an entry for the kube-dns
nameserver. That
nameserver should be the first one in /etc/resolv.conf
followed by general-purpose nameservers. A DNS search string such as the
one below, along with the ndots:5
option, will allow for
OpenStack-Helm services to resolve one another using short domain names.
The timeout:1
and attempts:1
options will
ensure that, as the nameservers are used in order, lookups move to the
next one quickly when the kube-dns
service is unavailable
(e.g. when rebooting the node). Example:
admin@kubenode01:~$ cat /etc/resolv.conf
nameserver # Kubernetes DNS Server
nameserver # Upstream DNS Server
nameserver # Upstream DNS Server
search openstack.svc.cluster.local svc.cluster.local cluster.local
options ndots:5 timeout:1 attempts:1
To do this you will first need to find out what the IP Address of
your kube-dns
deployment is:
admin@kubenode01:~$ kubectl get svc kube-dns --namespace=kube-system
kube-dns <none> 53/UDP,53/TCP 1d
You may need to take extra steps to persist these settings across
reboots. Since we are using Ubuntu for our example, the nameservers and
search entries should go in /etc/network/interfaces
man 8 resolvconf
), and the options
line should
be placed in /etc/resolvconf/resolv.conf.d/base
Now we are ready to continue with the Openstack-Helm installation.
Openstack-Helm Preparation
Please ensure that you have verified and completed the steps above to prevent issues with your deployment. Since our goal is to provide a Kubernetes environment with reliable, persistent storage, we will provide some helpful verification steps to ensure you are able to proceed to the next step.
Although Ceph is mentioned throughout this guide, our deployment is flexible to allow you the option of bringing any type of persistent storage. Although most of these verification steps are the same, if not very similar, we will use Ceph as our example throughout this guide.
Node Labels
First, we must label our nodes according to their role. Although we
are labeling all
nodes, you are free to label only the
nodes you wish. You must have at least one, although a minimum of three
are recommended. In the case of Ceph, it is important to note that Ceph
monitors and OSDs are each deployed as a DaemonSet
. Be
aware that labeling an even number of monitor nodes can result in
trouble when trying to reach a quorum.
Nodes are labeled according to their Openstack roles:
- Ceph MON Nodes:
- Ceph OSD Nodes:
- Ceph MDS Nodes:
- Ceph RGW Nodes:
- Control Plane:
- Compute Nodes:
kubectl label nodes openstack-control-plane=enabled --all
kubectl label nodes ceph-mon=enabled --all
kubectl label nodes ceph-osd=enabled --all
kubectl label nodes ceph-mds=enabled --all
kubectl label nodes ceph-rgw=enabled --all
kubectl label nodes openvswitch=enabled --all
kubectl label nodes openstack-compute-node=enabled --all
Obtaining the Project
Download the latest copy of Openstack-Helm:
git clone https://github.com/openstack/openstack-helm.git
cd openstack-helm
Ceph Preparation and Installation
Ceph takes advantage of host networking. For Ceph to be aware of the
OSD cluster and public networks, you must set the CIDR ranges to be the
subnet range that your host machines are running on. In the example
provided, the host's subnet CIDR is
, but you
will need to replace this to reflect your cluster. Export these
variables to your deployment environment by issuing the following
Helm Preparation
Now we need to install and prepare Helm, the core of our project. Please use the installation guide from the Kubernetes/Helm repository. Please take note of our required versions above.
Once installed, and initiated (helm init
), you will need
your local environment to serve helm charts for use. You can do this
helm serve &
helm repo add local http://localhost:8879/charts
Openstack-Helm Installation
Now we are ready to deploy, and verify our Openstack-Helm
installation. The first required is to build out the deployment secrets,
lint and package each of the charts for the project. Do this my running
in the openstack-helm
If you need to make any changes to the deployment, you may run
again, delete your helm-deployed chart, and redeploy
the chart (update). If you need to delete a chart for any reason, do the
helm list
# bootstrap 1 Fri Dec 23 13:37:35 2016 DEPLOYED bootstrap-0.2.0
# bootstrap-ceph 1 Fri Dec 23 14:27:51 2016 DEPLOYED bootstrap-0.2.0
# ceph 3 Fri Dec 23 14:18:49 2016 DEPLOYED ceph-0.2.0
# keystone 1 Fri Dec 23 16:40:56 2016 DEPLOYED keystone-0.2.0
# mariadb 1 Fri Dec 23 16:15:29 2016 DEPLOYED mariadb-0.2.0
# memcached 1 Fri Dec 23 16:39:15 2016 DEPLOYED memcached-0.2.0
# rabbitmq 1 Fri Dec 23 16:40:34 2016 DEPLOYED rabbitmq-0.2.0
helm delete --purge keystone
Please ensure that you use --purge
whenever deleting a
project. Please note that by default this will not delete the database
associated with the project. To enable the deletion of the associated
database when the chart is deleted the manifests.job_db_drop value
should be set to true when the chart is installed.
Ceph Installation and Verification
Install the first service, which is Ceph. If all instructions have
been followed as mentioned above, this installation should go smoothly.
It is at this point you can also decide to enable keystone
authentication for the RadosGW if you wish to use ceph for tenant facing
object storage. If you do not wish to do this then you should set the
before running the
following commands in the openstack-helm
helm install --namespace=ceph ${WORK_DIR}/ceph --name=ceph \
--set endpoints.identity.namespace=openstack \
--set endpoints.object_store.namespace=ceph \
--set endpoints.ceph_mon.namespace=ceph \
--set ceph.rgw_keystone_auth=${CEPH_RGW_KEYSTONE_ENABLED} \
--set network.public=${OSD_PUBLIC_NETWORK} \
--set network.cluster=${OSD_CLUSTER_NETWORK} \
--set deployment.storage_secrets=true \
--set deployment.ceph=true \
--set deployment.rbd_provisioner=true \
--set deployment.client_secrets=false \
--set deployment.rgw_keystone_user_and_endpoints=false \
--set bootstrap.enabled=true
After Ceph has deployed and all the pods are running, you can check the health of your cluster by running:
MON_POD=$(kubectl get pods \
--namespace=ceph \
--selector="application=ceph" \
--selector="component=mon" \
--no-headers | awk '{ print $1; exit }')
kubectl exec -n ceph ${MON_POD} -- ceph -s
For more information on this, please see the section entitled Ceph Troubleshooting.
Activating Control-Plane Namespace for Ceph
In order for Ceph to fulfill PersistentVolumeClaims within Kubernetes
namespaces outside of Ceph's namespace, a client keyring needs to be
present within that namespace. For the rest of the OpenStack and
supporting core services, this guide will be deploying the control plane
to a seperate namespace openstack
. To deploy the client
keyring and ceph.conf
to the openstack
helm install --namespace=openstack ${WORK_DIR}/ceph --name=ceph-openstack-config \
--set endpoints.identity.namespace=openstack \
--set endpoints.object_store.namespace=ceph \
--set endpoints.ceph_mon.namespace=ceph \
--set ceph.rgw_keystone_auth=${CEPH_RGW_KEYSTONE_ENABLED} \
--set network.public=${OSD_PUBLIC_NETWORK} \
--set network.cluster=${OSD_CLUSTER_NETWORK} \
--set deployment.storage_secrets=false \
--set deployment.ceph=false \
--set deployment.rbd_provisioner=false \
--set deployment.client_secrets=true \
--set deployment.rgw_keystone_user_and_endpoints=false
MariaDB Installation and Verification
To install MariaDB, issue the following command:
helm install --name=mariadb ./mariadb --namespace=openstack
Installation of Other Services
Now you can easily install the other services simply by going in order:
Install Memcached/Etcd/RabbitMQ/Ingress/Libvirt/OpenVSwitch:
helm install --name=memcached ./memcached --namespace=openstack
helm install --name=etcd-rabbitmq ./etcd --namespace=openstack
helm install --name=rabbitmq ./rabbitmq --namespace=openstack
helm install --name=ingress ./ingress --namespace=openstack
helm install --name=libvirt ./libvirt --namespace=openstack
helm install --name=openvswitch ./openvswitch --namespace=openstack
Install Keystone:
helm install --namespace=openstack --name=keystone ./keystone \
--set pod.replicas.api=2
Install RadosGW Object Storage:
If you elected to install Ceph with Keystone support for the RadosGW you can now create endpoints in the Keystone service catalog:
helm install --namespace=openstack ${WORK_DIR}/ceph --name=radosgw-openstack \
--set endpoints.identity.namespace=openstack \
--set endpoints.object_store.namespace=ceph \
--set endpoints.ceph_mon.namespace=ceph \
--set ceph.rgw_keystone_auth=${CEPH_RGW_KEYSTONE_ENABLED} \
--set network.public=${OSD_PUBLIC_NETWORK} \
--set network.cluster=${OSD_CLUSTER_NETWORK} \
--set deployment.storage_secrets=false \
--set deployment.ceph=false \
--set deployment.rbd_provisioner=false \
--set deployment.client_secrets=false \
--set deployment.rgw_keystone_user_and_endpoints=true
Install Horizon:
helm install --namespace=openstack --name=horizon ./horizon \
--set network.enable_node_port=true
Install Glance:
Glance supports a number of backends:
: A simple file based backend using Kubernetes PVCsrbd
: Uses Ceph RBD devices to store images.radosgw
: Uses Ceph RadosGW object storage to store images.swift
: Uses theobject-storage
service from the OpenStack service catalog to store images.
You can deploy Glance with any of these backends if you deployed both
the RadosGW and created Keystone endpoints by changing the value for
in the following:
: ${GLANCE_BACKEND:="radosgw"}
helm install --namespace=openstack --name=glance ./glance \
--set pod.replicas.api=2 \
--set pod.replicas.registry=2 \
--set storage=${GLANCE_BACKEND}
Install Heat:
helm install --namespace=openstack --name=heat ./heat
Install Neutron:
helm install --namespace=openstack --name=neutron ./neutron \
--set pod.replicas.server=2
Install Nova:
helm install --namespace=openstack --name=nova ./nova \
--set pod.replicas.api_metadata=2 \
--set pod.replicas.osapi=2 \
--set pod.replicas.conductor=2 \
--set pod.replicas.consoleauth=2 \
--set pod.replicas.scheduler=2 \
--set pod.replicas.novncproxy=2
Install Cinder:
helm install --namespace=openstack --name=cinder ./cinder \
--set pod.replicas.api=2
Final Checks
Now you can run through your final checks. Wait for all services to come up:
watch kubectl get all --namespace=openstack
Finally, you should now be able to access horizon at http:// using admin/password