OpenStack Administrator Guide
SUSE OpenStack Cloud 7

ABSTRACT

OpenStack offers open source software for OpenStack administrators to manage and troubleshoot an OpenStack cloud. This guide documents OpenStack Newton and Mitaka releases.

Publication Date: 08/04/2017

SUSE LLC
10 Canal Park Drive
Suite 200
Cambridge MA 02141
USA
https://www.suse.com/documentation

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License: http://creativecommons.org/licenses/by/3.0/legalcode

Contents

1 Documentation Conventions

2 Get started with OpenStack
2.1 Conceptual architecture
2.2 Logical architecture
2.3 OpenStack services
    Compute service overview • Storage concepts • Object Storage service overview • Block Storage service overview • Shared File Systems service overview • Networking service overview • Dashboard overview • Identity service overview • Image service overview • Telemetry service overview • Orchestration service overview • Database service overview • Data Processing service overview
2.4 Feedback

3 Identity management
3.1 Identity concepts
    User management • Service management • Groups
3.2 Certificates for PKI
    Sign certificate issued by external CA • Request a signing certificate from an external CA • Install an external signing certificate • Switching out expired signing certificates
3.3 Domain-specific configuration
    Enable drivers for domain-specific configuration files • Enable drivers for storing configuration options in SQL database • Migrate domain-specific configuration files to the SQL database
3.4 External authentication with Identity
    Use HTTPD authentication • Use X.509
3.5 Integrate Identity with LDAP
    Identity LDAP server set up • Integrate Identity back end with LDAP • Secure the OpenStack Identity service connection to an LDAP back end
3.6 Keystone tokens
    Authorization scopes • Token providers
3.7 Configure Identity service for token binding
3.8 Fernet - Frequently Asked Questions
    What are the different types of keys? • So, how does a staged key help me and why do I care about it? • Where do I put my key repository? • What is the recommended way to rotate and distribute keys? • Do fernet tokens still expire? • Why should I choose fernet tokens over UUID tokens? • Why should I choose fernet tokens over PKI or PKIZ tokens? • Should I rotate and distribute keys from the same keystone node every rotation? • How do I add new keystone nodes to a deployment? • How should I approach key distribution? • How long should I keep my keys around? • Is a fernet token still a bearer token? • What if I need to revoke all my tokens? • What can an attacker do if they compromise a fernet key in my deployment? • I rotated keys and now tokens are invalidating early, what did I do?
3.9 Use trusts
3.10 Caching layer
    Caching for tokens and tokens validation • Caching for non-token resources • Configure the Memcached back end example
3.11 Security compliance and PCI-DSS
    Setting the account lockout threshold • Disabling inactive users • Configuring password expiration • Indicating password strength requirements • Requiring a unique password history
3.12 Example usage and Identity features
    Logging • User CRUD
3.13 Authentication middleware with user name and password
3.14 Identity API protection with role-based access control (RBAC)
3.15 Troubleshoot the Identity service
    Debug PKI middleware • Debug signing key file errors • Flush expired tokens from the token database table

4 Dashboard
4.1 Customize and configure the Dashboard
4.2 Set up session storage for the Dashboard
    Local memory cache • Cached database • Cookies
4.3 Create and manage images
    Create images • Update images • Delete images
4.4 Create and manage roles
    Create a role • Edit a role • Delete a role
4.5 Manage instances
    Create instance snapshots • Control the state of an instance • Track usage
4.6 Manage flavors
    Create flavors • Update flavors • Update Metadata • Delete flavors
4.7 Manage volumes and volume types
    Create a volume type • Create an encrypted volume type • Delete volume types • Delete volumes
4.8 Manage shares and share types
    Create a share type • Update share type • Delete share types • Delete shares • Delete share server • Delete share networks
4.9 View and manage quotas
    View default project quotas • Update project quotas
4.10 View cloud resources
    View services information • View cloud usage statistics
4.11 Create and manage host aggregates
    To create a host aggregate • To manage host aggregates
4.12 Launch and manage stacks using the Dashboard

5 Compute
5.1 System architecture
    Hypervisors • Projects, users, and roles • Block storage • EC2 compatibility API • Building blocks • Compute service architecture
5.2 Images and instances
    Instance Launch • Image properties and property protection • Image download: how it works • Instance building blocks • Instance management tools • Control where instances run • Launch instances with UEFI
5.3 Networking with nova-network
    Networking concepts • DHCP server: dnsmasq • Configure Compute to use IPv6 addresses • Metadata service • Enable ping and SSH on VMs • Configure public (floating) IP addresses • Remove a network from a project • Multiple interfaces for instances (multinic) • Troubleshooting Networking
5.4 System administration
    Manage Compute users • Manage volumes • Flavors • Compute service node firewall requirements • Injecting the administrator password • Manage the cloud • Logging • Secure with rootwrap • Configure migrations • Migrate instances • Configure remote console access • Configure Compute service groups • Security hardening • Recover from a failed compute node • Advanced configuration
5.5 Troubleshoot Compute
    Compute service logging • Guru Meditation reports • Common errors and fixes for Compute • Credential errors, 401, and 403 forbidden errors • Instance errors • Empty log output for Linux instances • Reset the state of an instance • Injection problems • Disable live snapshotting

6 Object Storage
6.1 Introduction to Object Storage
6.2 Features and benefits
6.3 Object Storage characteristics
6.4 Components
    Proxy servers • Rings • Zones • Accounts and containers • Partitions • Replicators • Use cases
6.5 Ring-builder
    Ring data structure • Partition assignment list • Overload • Replica counts • Partition shift value • Build the ring
6.6 Cluster architecture
    Access tier • Storage nodes
6.7 Replication
    Database replication • Object replication
6.8 Large object support
    Large objects
6.9 Object Auditor
6.10 Erasure coding
6.11 Account reaper
6.12 Configure project-specific image locations with Object Storage
6.13 Object Storage monitoring
    Swift Recon • Swift-Informant • Statsdlog • Swift StatsD logging
6.14 System administration for Object Storage
6.15 Troubleshoot Object Storage
    Drive failure • Server failure • Detect failed drives • Emergency recovery of ring builder files

7 Block Storage
7.1 Increase Block Storage API service throughput
7.2 Manage volumes
    Boot from volume • Configure an NFS storage back end • Configure a GlusterFS back end • Configure multiple-storage back ends • Back up Block Storage service disks • Migrate volumes • Gracefully remove a GlusterFS volume from usage • Back up and restore volumes and snapshots • Export and import backup metadata • Use LIO iSCSI support • Configure and use volume number weigher • Consistency groups • Configure and use driver filter and weighing for scheduler • Rate-limit volume copy bandwidth • Oversubscription in thin provisioning • Image-Volume cache • Volume-backed image • Get capabilities • Generic volume groups
7.3 Troubleshoot your installation
    Troubleshoot the Block Storage configuration • Multipath call failed exit • Addressing discrepancies in reported volume sizes for EqualLogic storage • Failed to Attach Volume, Missing sg_scan • HTTP bad request in cinder volume log • Duplicate 3PAR host • Failed to attach volume after detaching • Failed to attach volume, systool is not installed • Failed to connect volume in FC SAN • Cannot find suitable emulator for x86_64 • Non-existent host • Non-existent VLUN

8 Shared File Systems
8.1 Introduction
8.2 Key concepts
    Share • Share instance • Snapshot • Storage Pools • Share Type • Share Access Rules • Security Services • Share Networks • Share Servers
8.3 Share management
    Share basic operations • Manage and unmanage share • Manage and unmanage share snapshot • Resize share • Quotas and limits
8.4 Migrate shares
8.5 Share types
    Share type operations • Share type access
8.6 Share snapshots
8.7 Security services
8.8 Consistency groups
    Consistency groups • Consistency group snapshots
8.9 Share replication
    Replication types supported • Configuration • Health of a share replica • Promotion or failover • Share replication workflows
8.10 Multi-storage configuration
    Scheduling • Manage shares services
8.11 Networking
    Share networks • Network plug-ins
8.12 Troubleshoot Shared File Systems service
    Failures in Share File Systems service during a share creation • No valid host was found • Created share is unreachable • Service becomes unavailable after upgrade • Failures during management of internal resources

9 Networking
9.1 Introduction to Networking
    Networking API • Configure SSL support for networking API • Load-Balancer-as-a-Service (LBaaS) overview • Firewall-as-a-Service (FWaaS) overview • Allowed-address-pairs • Virtual-Private-Network-as-a-Service (VPNaaS)
9.2 Networking architecture
    Overview • VMware NSX integration
9.3 Plug-in configurations
    Configure Big Switch (Floodlight REST Proxy) plug-in • Configure Brocade plug-in • Configure NSX-mh plug-in • Configure PLUMgrid plug-in
9.4 Configure neutron agents
    Configure data-forwarding nodes • Configure DHCP agent • Configure L3 agent • Configure metering agent • Configure Load-Balancer-as-a-Service (LBaaS v2) • Configure Hyper-V L2 agent • Basic operations on agents
9.5 Configure Identity service for Networking
    Compute • Networking API and credential configuration • Configure security groups • Configure metadata • Example nova.conf (for nova-compute and nova-api)
9.6 Advanced configuration options
    L3 metering agent
9.7 Scalable and highly available DHCP agents
9.8 Use Networking
    Core Networking API features • Use Compute with Networking
9.9 Advanced features through API extensions
    Provider networks • L3 routing and NAT • Security groups • Basic Load-Balancer-as-a-Service operations • Plug-in specific extensions • L3 metering