
OpenStack Administrator Guide - SUSE OpenStack Cloud 7 PDF

776 Pages·2017·5.32 MB·English

Preview OpenStack Administrator Guide - SUSE OpenStack Cloud 7

OpenStack Administrator Guide
SUSE OpenStack Cloud 7

ABSTRACT

OpenStack offers open source software for OpenStack administrators to manage and troubleshoot an OpenStack cloud. This guide documents OpenStack Newton and Mitaka releases.

Publication Date: 08/04/2017

SUSE LLC
10 Canal Park Drive
Suite 200
Cambridge MA 02141
USA
https://www.suse.com/documentation

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License: http://creativecommons.org/licenses/by/3.0/legalcode

Contents

1 Documentation Conventions

2 Get started with OpenStack
2.1 Conceptual architecture
2.2 Logical architecture
2.3 OpenStack services
    Compute service overview • Storage concepts • Object Storage service overview • Block Storage service overview • Shared File Systems service overview • Networking service overview • Dashboard overview • Identity service overview • Image service overview • Telemetry service overview • Orchestration service overview • Database service overview • Data Processing service overview
2.4 Feedback

3 Identity management
3.1 Identity concepts
    User management • Service management • Groups
3.2 Certificates for PKI
    Sign certificate issued by external CA • Request a signing certificate from an external CA • Install an external signing certificate • Switching out expired signing certificates
3.3 Domain-specific configuration
    Enable drivers for domain-specific configuration files • Enable drivers for storing configuration options in SQL database • Migrate domain-specific configuration files to the SQL database
3.4 External authentication with Identity
    Use HTTPD authentication • Use X.509
3.5 Integrate Identity with LDAP
    Identity LDAP server set up • Integrate Identity back end with LDAP • Secure the OpenStack Identity service connection to an LDAP back end
3.6 Keystone tokens
    Authorization scopes • Token providers
3.7 Configure Identity service for token binding
3.8 Fernet - Frequently Asked Questions
    What are the different types of keys? • So, how does a staged key help me and why do I care about it? • Where do I put my key repository? • What is the recommended way to rotate and distribute keys? • Do fernet tokens still expire? • Why should I choose fernet tokens over UUID tokens? • Why should I choose fernet tokens over PKI or PKIZ tokens? • Should I rotate and distribute keys from the same keystone node every rotation? • How do I add new keystone nodes to a deployment? • How should I approach key distribution? • How long should I keep my keys around? • Is a fernet token still a bearer token? • What if I need to revoke all my tokens? • What can an attacker do if they compromise a fernet key in my deployment? • I rotated keys and now tokens are invalidating early, what did I do?
3.9 Use trusts
3.10 Caching layer
    Caching for tokens and tokens validation • Caching for non-token resources • Configure the Memcached back end example
3.11 Security compliance and PCI-DSS
    Setting the account lockout threshold • Disabling inactive users • Configuring password expiration • Indicating password strength requirements • Requiring a unique password history
3.12 Example usage and Identity features
    Logging • User CRUD
3.13 Authentication middleware with user name and password
3.14 Identity API protection with role-based access control (RBAC)
3.15 Troubleshoot the Identity service
    Debug PKI middleware • Debug signing key file errors • Flush expired tokens from the token database table

4 Dashboard
4.1 Customize and configure the Dashboard
4.2 Set up session storage for the Dashboard
    Local memory cache • Cached database • Cookies
4.3 Create and manage images
    Create images • Update images • Delete images
4.4 Create and manage roles
    Create a role • Edit a role • Delete a role
4.5 Manage instances
    Create instance snapshots • Control the state of an instance • Track usage
4.6 Manage flavors
    Create flavors • Update flavors • Update Metadata • Delete flavors
4.7 Manage volumes and volume types
    Create a volume type • Create an encrypted volume type • Delete volume types • Delete volumes
4.8 Manage shares and share types
    Create a share type • Update share type • Delete share types • Delete shares • Delete share server • Delete share networks
4.9 View and manage quotas
    View default project quotas • Update project quotas
4.10 View cloud resources
    View services information • View cloud usage statistics
4.11 Create and manage host aggregates
    To create a host aggregate • To manage host aggregates
4.12 Launch and manage stacks using the Dashboard

5 Compute
5.1 System architecture
    Hypervisors • Projects, users, and roles • Block storage • EC2 compatibility API • Building blocks • Compute service architecture
5.2 Images and instances
    Instance Launch • Image properties and property protection • Image download: how it works • Instance building blocks • Instance management tools • Control where instances run • Launch instances with UEFI
5.3 Networking with nova-network
    Networking concepts • DHCP server: dnsmasq • Configure Compute to use IPv6 addresses • Metadata service • Enable ping and SSH on VMs • Configure public (floating) IP addresses • Remove a network from a project • Multiple interfaces for instances (multinic) • Troubleshooting Networking
5.4 System administration
    Manage Compute users • Manage volumes • Flavors • Compute service node firewall requirements • Injecting the administrator password • Manage the cloud • Logging • Secure with rootwrap • Configure migrations • Migrate instances • Configure remote console access • Configure Compute service groups • Security hardening • Recover from a failed compute node • Advanced configuration
5.5 Troubleshoot Compute
    Compute service logging • Guru Meditation reports • Common errors and fixes for Compute • Credential errors, 401, and 403 forbidden errors • Instance errors • Empty log output for Linux instances • Reset the state of an instance • Injection problems • Disable live snapshotting

6 Object Storage
6.1 Introduction to Object Storage
6.2 Features and benefits
6.3 Object Storage characteristics
6.4 Components
    Proxy servers • Rings • Zones • Accounts and containers • Partitions • Replicators • Use cases
6.5 Ring-builder
    Ring data structure • Partition assignment list • Overload • Replica counts • Partition shift value • Build the ring
6.6 Cluster architecture
    Access tier • Storage nodes
6.7 Replication
    Database replication • Object replication
6.8 Large object support
    Large objects
6.9 Object Auditor
6.10 Erasure coding
6.11 Account reaper
6.12 Configure project-specific image locations with Object Storage
6.13 Object Storage monitoring
    Swift Recon • Swift-Informant • Statsdlog • Swift StatsD logging
6.14 System administration for Object Storage
6.15 Troubleshoot Object Storage
    Drive failure • Server failure • Detect failed drives • Emergency recovery of ring builder files

7 Block Storage
7.1 Increase Block Storage API service throughput
7.2 Manage volumes
    Boot from volume • Configure an NFS storage back end • Configure a GlusterFS back end • Configure multiple-storage back ends • Back up Block Storage service disks • Migrate volumes • Gracefully remove a GlusterFS volume from usage • Back up and restore volumes and snapshots • Export and import backup metadata • Use LIO iSCSI support • Configure and use volume number weigher • Consistency groups • Configure and use driver filter and weighing for scheduler • Rate-limit volume copy bandwidth • Oversubscription in thin provisioning • Image-Volume cache • Volume-backed image • Get capabilities • Generic volume groups
7.3 Troubleshoot your installation
    Troubleshoot the Block Storage configuration • Multipath call failed exit • Addressing discrepancies in reported volume sizes for EqualLogic storage • Failed to Attach Volume, Missing sg_scan • HTTP bad request in cinder volume log • Duplicate 3PAR host • Failed to attach volume after detaching • Failed to attach volume, systool is not installed • Failed to connect volume in FC SAN • Cannot find suitable emulator for x86_64 • Non-existent host • Non-existent VLUN

8 Shared File Systems
8.1 Introduction
8.2 Key concepts
    Share • Share instance • Snapshot • Storage Pools • Share Type • Share Access Rules • Security Services • Share Networks • Share Servers
8.3 Share management
    Share basic operations • Manage and unmanage share • Manage and unmanage share snapshot • Resize share • Quotas and limits
8.4 Migrate shares
8.5 Share types
    Share type operations • Share type access
8.6 Share snapshots
8.7 Security services
8.8 Consistency groups
    Consistency groups • Consistency group snapshots
8.9 Share replication
    Replication types supported • Configuration • Health of a share replica • Promotion or failover • Share replication workflows
8.10 Multi-storage configuration
    Scheduling • Manage shares services
8.11 Networking
    Share networks • Network plug-ins
8.12 Troubleshoot Shared File Systems service
    Failures in Share File Systems service during a share creation • No valid host was found • Created share is unreachable • Service becomes unavailable after upgrade • Failures during management of internal resources

9 Networking
9.1 Introduction to Networking
    Networking API • Configure SSL support for networking API • Load-Balancer-as-a-Service (LBaaS) overview • Firewall-as-a-Service (FWaaS) overview • Allowed-address-pairs • Virtual-Private-Network-as-a-Service (VPNaaS)
9.2 Networking architecture
    Overview • VMware NSX integration
9.3 Plug-in configurations
    Configure Big Switch (Floodlight REST Proxy) plug-in • Configure Brocade plug-in • Configure NSX-mh plug-in • Configure PLUMgrid plug-in
9.4 Configure neutron agents
    Configure data-forwarding nodes • Configure DHCP agent • Configure L3 agent • Configure metering agent • Configure Load-Balancer-as-a-Service (LBaaS v2) • Configure Hyper-V L2 agent • Basic operations on agents
9.5 Configure Identity service for Networking
    Compute • Networking API and credential configuration • Configure security groups • Configure metadata • Example nova.conf (for nova-compute and nova-api)
9.6 Advanced configuration options
    L3 metering agent
9.7 Scalable and highly available DHCP agents
9.8 Use Networking
    Core Networking API features • Use Compute with Networking
9.9 Advanced features through API extensions
    Provider networks • L3 routing and NAT • Security groups • Basic Load-Balancer-as-a-Service operations • Plug-in specific extensions • L3 metering

Description:
Identity LDAP server set up 39 • Integrate Identity back end with. LDAP 41 . access 184 • Configure Compute service groups 192 • Security types of agents in the future, but for now our focus is creating the compute agent.