Extensible Access Control Framework for Cloud based Applications
KTH-SEECS Applied Information Security Lab, NUST-SEECS, H-12 Sector, Islamabad, Pakistan. Tel: 051-90852164, Fax: 051-8317363, Website: http://ais.seecs.nust.edu.pk/project
Extensible Access Control Framework for
Cloud based Applications
OpenStack Installation Guideline
[Grizzly Release]
19-02-2014
Version 1.0
Dr. Muhammad Awais Shibli
[Principal Investigator]
Dr. Arshad Ali
[Co-Principal Investigator]
National ICT R & D
Table of Contents
1. INTRODUCTION
1.1 Installation of Ubuntu OS
1.2 Requirements
2. PREPARING NODE/SYSTEM
2.1 Add Repository
2.2 Install NTP
2.3 Install MySQL
2.4 Install Messaging Service
2.5 Install Linux bridging software
2.6 Enable IP forwarding
3. INSTALLING OPENSTACK IDENTITY SERVICE (KEYSTONE)
4. INSTALLING OPENSTACK IMAGE SERVICE (GLANCE)
5. INSTALLING OPENSTACK NETWORKING SERVICE (QUANTUM)
6. INSTALLING OPENSTACK COMPUTE SERVICE (NOVA)
7. INSTALLING OPENSTACK CINDER COMPONENT (VOLUME)
8. INSTALLING OPENSTACK DASHBOARD COMPONENT (HORIZON)
9. APPENDIX
9.1 Appendix A (Configuration Files)
9.2 Appendix B (About Ubuntu Installation)
Preface
This OpenStack installation manual is aimed at researchers, technologists and system administrators who want to understand and deploy cloud computing infrastructure based on OpenStack software. It is intended to help organisations that want to set up an OpenStack based private cloud. OpenStack is a collection of open source software projects that enterprises and service providers can use to set up and run their cloud compute and storage infrastructure. Rackspace and NASA were the key initial contributors to the stack.
This manual describes how to manually install the OpenStack Grizzly release on 64-bit Ubuntu Server/Desktop 12.04 LTS with Keystone authentication and the dashboard. Specifically, the instructions describe how to install the cloud controller and compute services on a single machine (node). The manual covers OpenStack Compute (Nova), the OpenStack Image Service (Glance), the OpenStack Identity Service (Keystone), OpenStack Volume (Cinder), OpenStack Networking (Quantum) and the OpenStack administrative web interface, Horizon (dashboard).
Target Audience
Our aim has been to provide a guide for beginners who are new to OpenStack. Good familiarity with virtualization is assumed, as troubleshooting OpenStack related problems requires a good knowledge of virtualization. Similarly, familiarity with Cloud Computing concepts and terminology will be of help.
Acknowledgement
Most of the content has been borrowed from web resources such as manuals, documentation and white papers from OpenStack and Canonical, numerous forum posts, discussions on the OpenStack IRC channel and many articles on the web. We would like to thank the authors of all these resources.
Conventions
Commands and paths of configuration files are shown in bold italics. Settings in configuration files are shown in italics.
1. INTRODUCTION
We will deploy the cloud controller and compute services from the OpenStack Grizzly release manually on a single machine running 64-bit Ubuntu 12.04 Server/Desktop. Setting up Swift (object storage) is not part of these instructions. Networking is provided by Quantum with the LinuxBridge plugin and VLAN tenant networks, as configured in Section 5. We will use the Grizzly final release from the Ubuntu Cloud Archive. In our case the cloud controller and compute services are on a single node. We will install the OpenStack components Quantum, Nova, Keystone, Glance, Horizon and Cinder, together with supporting tools such as the Linux bridging utilities and KVM/QEMU.
1.1 INSTALLATION OF UBUNTU OS
This guide is for Ubuntu 12.04 LTS. Before installing the OpenStack cloud, the Ubuntu operating system must be installed on the system. More detail about Ubuntu Server/Desktop installation is given in Appendix B of this manual.
If your OpenStack cloud will be behind a proxy, the following changes are required in the .bashrc and environment file (/etc/environment) of the Ubuntu OS. Reboot the machine after making them so that every service picks them up.
In our scenario the Ubuntu machine has the static IP address 10.2.31.168 and the proxy address is 10.3.3.3:8080.
1. Type the following command in the terminal. Replace 'User_Name' in the command with the username on your system.
$ sudo nano /home/User_Name/.bashrc
Add the following line at the end of the file and save it. Note that no_proxy is a comma-separated list of host names or IP addresses (optionally with a port), not URLs: an entry such as http://10.2.31.168:5000 is never matched by proxy-aware clients (apt, curl, the OpenStack command-line clients), so the request would go to the proxy anyway. One entry for the controller address covers all of its API ports.
no_proxy="localhost,127.0.0.1,10.2.31.168"
2. To apply the same settings for all users, add the lines below to the environment file.
$ sudo nano /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
http_proxy="http://10.3.3.3:8080/"
https_proxy="https://10.3.3.3:8080/"
ftp_proxy="ftp://10.3.3.3:8080/"
socks_proxy="socks://10.3.3.3:8080/"
no_proxy="localhost,127.0.0.1,10.2.31.168"
The last entry covers every OpenStack endpoint on the controller (ports 5000, 9292, 6080, 5672 and so on), since no_proxy entries are matched on host name or address rather than on full URLs.
1.2 REQUIREMENTS
Only a single NIC is required on the server, with IP address 10.2.31.168 in our example. The example installation architecture is a single server that runs all nova-* services and also hosts all the virtual instances.
2. PREPARING NODE/SYSTEM
After installing Ubuntu 12.04 Server/Desktop, we prepare the system to run OpenStack. Run the following command to become root:
$ sudo -i
1. Add the Grizzly repositories:
# apt-get install ubuntu-cloud-keyring python-software-properties software-properties-common python-keyring
# echo deb http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/grizzly main >> /etc/apt/sources.list.d/grizzly.list
The ubuntu-cloud-keyring package installs the signing key of the Ubuntu Cloud Archive, so apt can verify the packages it downloads from this repository.
2. Now update your system:
# apt-get update
# apt-get upgrade
# apt-get dist-upgrade
3. Networking:
Set the static IP address of the Ethernet interface.
# nano /etc/network/interfaces
auto eth1
iface eth1 inet static
address 10.2.31.168
netmask 255.255.255.0
gateway 10.2.31.1
dns-nameservers 8.8.8.8
Use the name of the interface actually present on your system (eth0 or eth1); the same interface name must be used later for physical_interface_mappings in the LinuxBridge plugin configuration (Section 5).
4. Restart the networking service to apply the setting:
# service networking restart
5. Installing Network Time Protocol (NTP):
# apt-get install -y ntp
Set up the NTP server on the controller node so that it serves time to the other nodes, by modifying the ntp.conf file and restarting the service. The two added lines make the local clock a stratum 10 fallback source that is used only when ntp.ubuntu.com is unreachable.
# sed -i 's/server ntp.ubuntu.com/server ntp.ubuntu.com\nserver 127.127.1.0\nfudge 127.127.1.0 stratum 10/g' /etc/ntp.conf
# service ntp restart
6. Installing MySQL
Install MySQL and specify a password for the root user when prompted:
# apt-get install -y python-mysqldb mysql-server
Use sed to edit /etc/mysql/my.cnf to change bind-address from localhost (127.0.0.1) to any address (0.0.0.0), and restart the mysql service as root. The services in the following sections connect to the database through the controller address 10.2.31.168 rather than 127.0.0.1, which is why MySQL must listen on that address; binding to the controller address only (bind-address = 10.2.31.168) serves the same purpose without listening on every interface. In either case port 3306 is now reachable from the network, so restrict it with a firewall and grant database accounts only to the hosts that need them.
# sed -i 's/127.0.0.1/0.0.0.0/g' /etc/mysql/my.cnf
# service mysql restart
7. Installing Messaging Server
Install the message queue server. Typically this is either Qpid or RabbitMQ, but ZeroMQ (0MQ) is also available.
# apt-get install rabbitmq-server
Change the password of the default user 'guest' using the following command (replace 'password' with a strong password of your own; the same value is entered as rabbit_password in the Nova, Quantum and Cinder configuration files later):
# rabbitmqctl change_password guest password
By default RabbitMQ listens on port 5672 on all interfaces, so until the password is changed the broker is reachable from the network under the well-known default credentials guest/guest; this is why the step above is not optional. In our case the OpenStack services connect to RabbitMQ on localhost, port 5672, and we use this setting in the Nova, Quantum, Cinder and Glance components. You can get more detail about the configuration by typing rabbitmqctl in a terminal.
Restart it:
# /etc/init.d/rabbitmq-server restart
8. Check the RabbitMQ status:
# rabbitmqctl status
9. Check the listening status using netstat:
# netstat -tlnp
10. Other Services
These packages are used for bridging and VLAN tagging on Linux:
# apt-get install -y vlan bridge-utils
11. Enable IP forwarding on the server:
# sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
To save you from rebooting, apply the setting immediately:
# sysctl -p
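Step 9 above checks the listening sockets by eye. The script below is an added example (not part of this manual and not OpenStack code) that classifies a `netstat -tlnp` listing by the ports the services in this guide use and reports which backend ports (MySQL, RabbitMQ, the Keystone admin API, the Nova metadata port) are bound to every interface of the all-in-one node. The netstat lines embedded in it are constructed to resemble this deployment, not captured output; the port-to-service table and the split into backend, admin and api roles are assumptions based on the Grizzly default ports (8776 for cinder-api is assumed, as this guide does not list it).

```shell
#!/bin/sh
# Added example, not part of the original manual: classify listening sockets
# on the all-in-one node. Input is `netstat -tlnp` output (pipe it in);
# the sample below is constructed, not captured from a real host.

# Constructed sample of `netstat -tlnp` on the controller/compute node.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1201/mysqld
tcp        0      0 0.0.0.0:5672            0.0.0.0:*               LISTEN      1340/beam.smp
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      2001/python
tcp        0      0 0.0.0.0:35357           0.0.0.0:*               LISTEN      2001/python
tcp        0      0 10.2.31.168:9292        0.0.0.0:*               LISTEN      2105/python
tcp        0      0 0.0.0.0:6080            0.0.0.0:*               LISTEN      2210/python
tcp6       0      0 :::22                   :::*                    LISTEN      880/sshd'

# Port -> "service role" (assumed mapping, Grizzly default ports). Ports with
# role "backend" or "admin" have no reason to be reachable from other hosts
# when every service runs on this one node.
port_info() {
    case "$1" in
        3306)  echo "mysql backend" ;;
        5672)  echo "rabbitmq backend" ;;
        8775)  echo "nova-metadata backend" ;;
        35357) echo "keystone-admin admin" ;;
        5000)  echo "keystone-public api" ;;
        9292)  echo "glance-api api" ;;
        9696)  echo "quantum-server api" ;;
        8774)  echo "nova-api api" ;;
        8776)  echo "cinder-api api" ;;
        6080)  echo "novnc-proxy api" ;;
        *)     echo "other other" ;;
    esac
}

# stdin: netstat -tlnp output. stdout: one "port service role exposure" line
# per listening TCP socket.
classify_listeners() {
    awk '$6 == "LISTEN" && $4 ~ /:[0-9]+$/ { print $4 }' |
    while IFS= read -r local; do
        port=${local##*:}
        addr=${local%:*}
        case "$addr" in
            0.0.0.0|::|'*') exposure=all-interfaces ;;
            127.0.0.1|::1)  exposure=loopback ;;
            *)              exposure=address ;;
        esac
        set -- $(port_info "$port")
        echo "$port $1 $2 $exposure"
    done
    return 0
}

# stdin: netstat -tlnp output. stdout: number of backend/admin ports bound to
# every interface, i.e. ports that need a firewall rule or a narrower bind.
backend_exposed() {
    classify_listeners |
    awk '($3 == "backend" || $3 == "admin") && $4 == "all-interfaces"' |
    wc -l | tr -d ' '
}

printf '%s\n' "$NETSTAT_SAMPLE" | classify_listeners
echo "backend/admin ports exposed on all interfaces: $(printf '%s\n' "$NETSTAT_SAMPLE" | backend_exposed)"
```

On the real node run `netstat -tlnp | sh -c '. ./listeners.sh; classify_listeners'` or simply pipe the live output into the two functions; the public API ports are expected to listen on the controller address, while a non-zero backend count means MySQL, RabbitMQ or the admin API should be bound to 127.0.0.1 or the management address and firewalled.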
3. INSTALLING OPENSTACK IDENTITY SERVICE (KEYSTONE)
Keystone is an OpenStack project that provides Identity, Token, Catalog and Policy services for use specifically by projects in the OpenStack family.
1. Install Keystone:
# apt-get install -y keystone
Verify that Keystone is running:
# service keystone status
To manually create the database, start the MySQL command-line client by running:
# mysql -u root -p
Enter the MySQL root user's password when prompted.
2. Create the Keystone database:
> CREATE DATABASE keystone;
> GRANT ALL ON keystone.* TO 'keystoneUser'@'%' IDENTIFIED BY 'keystonePass';
> quit;
The password 'keystonePass' (like the other service passwords in this guide) is a sample value; choose your own. The host part '%' allows this account to log in from any host; on a single-node deployment 'keystoneUser'@'10.2.31.168', the address Keystone connects from, is sufficient and narrower.
Update the connection attribute in /etc/keystone/keystone.conf to point at the new database:
sql_connection = mysql://keystoneUser:keystonePass@10.2.31.168/keystone
3. Restart the identity service:
# service keystone restart
4. Synchronize and populate the database:
# keystone-manage db_sync
Fill the Keystone database (tenants, users, roles, services and endpoints) using the two scripts available at the following link:
https://github.com/mseknibilel/OpenStack-Grizzly-Install-Guide/tree/master/KeystoneScripts
Modify the HOST_IP and HOST_IP_EXT variables in both scripts to your controller address before executing them, and review the admin and service passwords set in keystone_basic.sh, because they are committed to Keystone as-is and are reused as admin_password in every service configuration below:
# nano /home/test/Desktop/keystone_basic.sh
# nano /home/test/Desktop/keystone_endpoints_basic.sh
5. Run the following command to make the scripts executable, then run them:
# chmod +x keystone_basic.sh keystone_endpoints_basic.sh
# ./keystone_basic.sh
# ./keystone_endpoints_basic.sh
6. Create a simple credential file and load it so you are not prompted for credentials later:
# nano creds
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin_pass
export OS_AUTH_URL="http://10.2.31.168:5000/v2.0/"
This file holds the cloud administrator password in clear text, so keep it readable by root only (chmod 600 creds). Load it with:
# source creds
7. To test Keystone, use a simple CLI command:
# keystone endpoint-list
Troubleshooting the Identity Service (Keystone)
To begin troubleshooting, look at the logs in the /var/log/keystone/keystone.log file (the location of log files is configured in the /etc/keystone/logging.conf file). It shows all the components that have come in to the WSGI request, and will ideally have an error in that log that explains why an authorization request failed. If you're not seeing the request at all in those logs, then run keystone with "--debug" where --debug is passed in directly after the CLI command prior to parameters.
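The GRANT statement in this section, and the matching ones in Sections 4 to 7, create database accounts that may log in from any host ('%') with sample passwords, and the creds file stores the admin password in clear text. The script below is an added example (not part of this manual, nor of the Keystone scripts linked above): it generates a random password per service, stores them in a root-only file, prints the corresponding GRANT restricted to the controller address, and rewrites a sql_connection line in place while leaving commented-out lines alone. The keystone.conf fragment it edits is constructed inline; the file name openstack-secrets.env, the *_PASS variable names and the 24-character password length are the editor's choices.

```shell
#!/bin/sh
# Added example, not part of the original manual: generate per-service
# database/broker passwords, store them root-only, and produce the matching
# host-restricted GRANT and sql_connection settings.

CONTROLLER_IP=10.2.31.168   # controller address used throughout this guide

# Print N (default 24) random alphanumerics from the kernel CSPRNG;
# 24 characters from a 62-symbol alphabet is about 143 bits of entropy.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-24}"
    echo
}

# Write KEYSTONE_PASS=..., GLANCE_PASS=..., ... to $1 with mode 0600.
write_secrets_file() {
    out=$1
    (
        umask 077
        : > "$out"
        for svc in keystone glance quantum nova cinder rabbit; do
            printf '%s_PASS=%s\n' "$(printf '%s' "$svc" | tr 'a-z' 'A-Z')" "$(gen_secret)" >> "$out"
        done
    )
    chmod 600 "$out"
}

# Print the SQL for one service: $1 = database name (keystone, glance, ...),
# $2 = password, $3 = host the service connects from. Naming the host
# replaces the '%' (any host) used in the manual's GRANT statements.
mysql_grant_sql() {
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$1"
    printf "GRANT ALL ON %s.* TO '%sUser'@'%s' IDENTIFIED BY '%s';\n" "$1" "$1" "$3" "$2"
}

# Replace the first active "key = ..." line in $1 with "key = value", leaving
# commented-out lines untouched; append the line if the key is absent.
# The result is written back through cat so the file keeps its owner and mode.
set_conf_value() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!done && index(line, k) == 1) {
                rest = substr(line, length(k) + 1)
                if (rest ~ /^[ \t]*=/) { print k " = " v; done = 1; next }
            }
            print
        }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# --- demonstration on constructed files in a temporary directory ---
DEMO_DIR=$(mktemp -d)
SECRETS="$DEMO_DIR/openstack-secrets.env"
write_secrets_file "$SECRETS"
. "$SECRETS"

# Constructed stand-in for the [sql] part of /etc/keystone/keystone.conf,
# still carrying the manual's sample password.
KEYSTONE_CONF="$DEMO_DIR/keystone.conf"
printf '[sql]\n# sql_connection = sqlite:////var/lib/keystone/keystone.db\nsql_connection = mysql://keystoneUser:keystonePass@%s/keystone\n' \
    "$CONTROLLER_IP" > "$KEYSTONE_CONF"

set_conf_value "$KEYSTONE_CONF" sql_connection \
    "mysql://keystoneUser:$KEYSTONE_PASS@$CONTROLLER_IP/keystone"

echo "# SQL to run as the MySQL root user:"
mysql_grant_sql keystone "$KEYSTONE_PASS" "$CONTROLLER_IP"
echo "# resulting keystone.conf:"
cat "$KEYSTONE_CONF"
```

The same three calls serve the Glance, Quantum, Nova and Cinder sections: source the secrets file once, feed `mysql_grant_sql <service> "$<SERVICE>_PASS" 10.2.31.168` to the mysql client, and use `set_conf_value` on each sql_connection, rabbit_password and admin_password line instead of copying the sample values.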
4. INSTALLING OPENSTACK IMAGE SERVICE (GLANCE)
The OpenStack Image Service provides discovery, registration and delivery services for disk and server images. The ability to copy or snapshot a server image and immediately store it away is a powerful capability of the OpenStack cloud operating system. Stored images can be used as templates to get new servers up and running quickly and more consistently than installing a server operating system and configuring additional services individually when provisioning multiple servers.
1. Install the Image service:
# apt-get -y install glance
2. Verify your glance services are running:
#service glance-api status
#service glance-registry status
3. Configuring the Image Service database backend
Configure the backend data store: create a glance MySQL database and grant the glance user full access to it.
Start the MySQL command-line client by running:
# mysql -u root -p
Enter the MySQL root user's password when prompted, then create the glance database:
> CREATE DATABASE glance;
> GRANT ALL ON glance.* TO 'glanceUser'@'%' IDENTIFIED BY 'glancePass';
> quit;
The Image service has a number of options that you can use to configure the Glance API server, optionally the Glance Registry server, and the various storage backends that Glance can use to store images.
4. Update /etc/glance/glance-api-paste.ini with:
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
delay_auth_decision = true
auth_host = 10.2.31.168
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = service_pass
5. Update /etc/glance/glance-registry-paste.ini with:
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = 10.2.31.168
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = service_pass
6. Update /etc/glance/glance-api.conf with:
sql_connection = mysql://glanceUser:glancePass@10.2.31.168/glance
and add the following lines at the end of glance-api.conf:
[paste_deploy]
flavor = keystone
We are using RabbitMQ for messaging between the OpenStack components, so the RabbitMQ settings in glance-api.conf (rabbit_host, rabbit_port, rabbit_userid and rabbit_password) must match the broker configured in Section 2, step 7.
7. Update /etc/glance/glance-registry.conf with:
sql_connection = mysql://glanceUser:glancePass@10.2.31.168/glance
and add the following lines at the end of glance-registry.conf:
[paste_deploy]
flavor = keystone
8. Restart the glance-api and glance-registry services:
#service glance-api restart; service glance-registry restart
Now you can populate (synchronize) the database:
# glance-manage db_sync
9. Restart the services again so that the new modifications take effect:
# service glance-api restart; service glance-registry restart
10. To test Glance, register the CirrOS cloud image directly from the internet:
# glance image-create --name myFirstImage --is-public true --container-format bare --disk-format qcow2 --location https://launchpad.net/cirros/trunk/0.3.0/+download/cirros-0.3.0-x86_64-disk.img
With --location Glance records the URL as the image location rather than copying the data into its own store; use --copy-from instead if you want Glance to download and keep its own copy.
11. Now list the image to see what you have just uploaded:
#glance index
#glance image-list
Images of other operating systems can be added to Glance after the OpenStack installation is complete, using the dashboard (GUI).
Troubleshooting the Image Service (Glance)
To begin troubleshooting, look at the logs in the /var/log/glance/registry.log or /var/log/glance/api.log.
5. INSTALLING OPENSTACK NETWORKING SERVICE (QUANTUM)
Quantum (now known as Neutron) is an OpenStack project that provides "networking as a service" between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., Nova).
1. Install the Quantum components:
# apt-get install -y quantum-server linuxbridge quantum-plugin-linuxbridge-agent dnsmasq quantum-dhcp-agent quantum-l3-agent
2. Configuring the Quantum database backend. Start the MySQL command-line client by running:
# mysql -u root -p
Enter the MySQL root user's password when prompted, then create the quantum database:
> CREATE DATABASE quantum;
> GRANT ALL ON quantum.* TO 'quantumUser'@'%' IDENTIFIED BY 'quantumPass';
> quit;
3. Verify that all Quantum components are running:
# cd /etc/init.d/; for i in $( ls quantum-* ); do service $i status; done
4. Edit the /etc/quantum/quantum.conf file:
core_plugin = quantum.plugins.linuxbridge.lb_quantum_plugin.LinuxBridgePluginV2
Add the following section at the end of the file:
[keystone_authtoken]
auth_host = 10.2.31.168
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = quantum
admin_password = service_pass
signing_dir = /var/lib/quantum/keystone-signing
5. Message queue (RabbitMQ) settings in quantum.conf:
# IP address of the RabbitMQ installation
rabbit_host = localhost
#rabbit_host = 10.2.31.168
# Password set for the RabbitMQ user in Section 2, step 7
rabbit_password = password
# Port where the RabbitMQ server is listening
rabbit_port = 5672
# RabbitMQ single host or HA cluster (host:port pairs, i.e. host1:5672, host2:5672)
# rabbit_hosts defaults to '$rabbit_host:$rabbit_port'
rabbit_hosts = localhost:5672
# User ID used for RabbitMQ connections
rabbit_userid = guest
# Location of a virtual RabbitMQ installation
rabbit_virtual_host = /
6. Edit /etc/quantum/api-paste.ini:
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = 10.2.31.168
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = quantum
admin_password = service_pass
7. Edit the LinuxBridge plugin config file /etc/quantum/plugins/linuxbridge/linuxbridge_conf.ini with:
# under the [DATABASE] section
sql_connection = mysql://quantumUser:quantumPass@10.2.31.168/quantum
# under the [LINUX_BRIDGE] section
physical_interface_mappings = physnet1:eth0
# under the [VLANS] section
tenant_network_type = vlan
network_vlan_ranges = physnet1:1000:2999
The interface named in physical_interface_mappings must be the one configured in Section 2, step 3 (eth1 there; adjust one or the other so they agree). With tenant_network_type = vlan, tenant traffic leaves the node tagged with VLAN IDs from the range 1000 to 2999, so the switch port this interface is attached to must trunk those VLANs if any other node is ever added.
8. Edit /etc/quantum/l3_agent.ini:
interface_driver = quantum.agent.linux.interface.BridgeInterfaceDriver
9. Edit /etc/quantum/dhcp_agent.ini:
interface_driver = quantum.agent.linux.interface.BridgeInterfaceDriver
10. Update /etc/quantum/metadata_agent.ini:
# The Quantum user information for accessing the Quantum API
auth_url = http://10.2.31.168:35357/v2.0
auth_region = RegionOne
admin_tenant_name = service
admin_user = quantum
admin_password = service_pass
# IP address used by the Nova metadata server
nova_metadata_ip = 10.2.31.168
# TCP port used by the Nova metadata server
nova_metadata_port = 8775
# Shared secret used to sign the instance ID that the metadata proxy forwards to Nova;
# it must be identical to quantum_metadata_proxy_shared_secret in nova.conf (Section 6)
metadata_proxy_shared_secret = helloOpenStack
The shared secret is what stops an instance from presenting another instance's identity to the metadata service, so use a random value rather than the sample shown here.
11. After changing the files, restart all Quantum services:
# cd /etc/init.d/; for i in $( ls quantum-* ); do sudo service $i restart; done
Troubleshooting the Networking Service (Quantum)
To begin troubleshooting, look at the logs under /var/log/quantum/ (server.log for quantum-server and one log per agent).
6. INSTALLING OPENSTACK COMPUTE SERVICE (NOVA)
6.1 CONFIGURING THE HYPERVISOR
For production environments the most tested hypervisors are KVM and Xen-based hypervisors. KVM runs through libvirt; Xen runs best through XenAPI calls. KVM is selected by default and requires the least additional configuration. This guide covers the KVM and QEMU hypervisors. Details about the hypervisors are given in Appendix C of this manual.
6.1.1 KVM
KVM is configured as the default hypervisor for Compute in OpenStack. The KVM hypervisor supports the following virtual machine image formats:
Raw
QEMU copy-on-write (qcow2)
VMware virtual machine disk format (vmdk)
1. Checking for hardware virtualization support
The processors of your compute host need to support virtualization technology (VT) to use KVM. On Ubuntu, use the kvm-ok command to check whether your processor has VT support, whether it is enabled in the BIOS, and whether KVM is installed properly. The kvm-ok command is provided by the cpu-checker package, so install it first (as root):
# apt-get install cpu-checker
# kvm-ok
2. Output of the command
If KVM is enabled, the output should look something like:
INFO: /dev/kvm exists
KVM acceleration can be used
If KVM is not enabled, the output should look something like:
INFO: Your CPU does not support KVM extensions
KVM acceleration can NOT be used
In the case that KVM acceleration is not supported, Compute should be configured to use a different hypervisor, such as QEMU or Xen.
3. KVM installation
Now install the packages for the KVM hypervisor:
# apt-get install -y kvm libvirt-bin pm-utils
Edit the cgroup_device_acl array in the /etc/libvirt/qemu.conf file to:
cgroup_device_acl = [
"/dev/null", "/dev/full", "/dev/zero",
"/dev/random", "/dev/urandom",
"/dev/ptmx", "/dev/kvm", "/dev/kqemu",
"/dev/rtc", "/dev/hpet", "/dev/net/tun"
]
This list is the set of host device nodes that the libvirt-managed QEMU processes are allowed to open; /dev/net/tun is added so that instances can be attached to the Linux bridges, and nothing else needs to be added.
4. Delete the default virtual bridge:
# virsh net-destroy default
# virsh net-undefine default
5. Restart the libvirt service to load the new values:
# service libvirt-bin restart
In this manual we are using QEMU instead of KVM because KVM support is not available on our hardware. If KVM support is available on your hardware, replace qemu with kvm in the settings below for your deployment.
6.2 NOVA INSTALLATION
1. First of all, install the Nova components (compute services):
# apt-get install -y nova-api nova-cert novnc nova-consoleauth nova-scheduler nova-novncproxy nova-doc nova-conductor nova-compute-kvm
2. Check the status of all nova-* services:
# cd /etc/init.d/; for i in $( ls nova-* ); do service $i status; done
3. Now we will configure the MySQL Database for Nova. Start the mysql command line client by running:
#mysql -u root -p
4. Create the database for Nova:
> CREATE DATABASE nova;
> GRANT ALL ON nova.* TO 'novaUser'@'%' IDENTIFIED BY 'novaPass';
> quit;
5. Now modify the authtoken section in the /etc/nova/api-paste.ini file to this:
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = 10.2.31.168
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = service_pass
signing_dirname = /tmp/keystone-signing-nova
# Workaround for https://bugs.launchpad.net/nova/+bug/1154809
auth_version = v2.0
6. Modify /etc/nova/nova.conf like this:
[DEFAULT]
logdir=/var/log/nova
state_path=/var/lib/nova
lock_path=/run/lock/nova
verbose=True
api_paste_config=/etc/nova/api-paste.ini
compute_scheduler_driver=nova.scheduler.simple.SimpleScheduler
rabbit_host=localhost
rabbit_port=5672
rabbit_userid="guest"
rabbit_password="password"
rabbit_virtual_host="/"
libvirt_use_virtio_for_bridges=true
connection_type=libvirt
libvirt_type=qemu
#libvirt_type=kvm
nova_url=http://10.2.31.168:8774/v1.1/
sql_connection=mysql://novaUser:novaPass@10.2.31.168/nova
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf

# Auth
use_deprecated_auth=false
auth_strategy=keystone

# Imaging service
glance_api_servers=10.2.31.168:9292
image_service=nova.image.glance.GlanceImageService

# VNC configuration
novnc_enabled=true
novncproxy_base_url=http://10.2.31.168:6080/vnc_auto.html
novncproxy_port=6080
vncserver_proxyclient_address=10.2.31.168
vncserver_listen=0.0.0.0

# Metadata
service_quantum_metadata_proxy = True
quantum_metadata_proxy_shared_secret = helloOpenStack

# Network settings
network_api_class=nova.network.quantumv2.api.API
quantum_url=http://10.2.31.168:9696
quantum_auth_strategy=keystone
quantum_admin_tenant_name=service
quantum_admin_username=quantum
quantum_admin_password=service_pass
quantum_admin_auth_url=http://10.2.31.168:35357/v2.0
libvirt_vif_driver=nova.virt.libvirt.vif.QuantumLinuxBridgeVIFDriver
linuxnet_interface_driver=nova.network.linux_net.LinuxBridgeInterfaceDriver
firewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver

# Compute
compute_driver=libvirt.LibvirtDriver

# Cinder
volume_api_class=nova.volume.cinder.API
osapi_volume_listen_port=5900

Two settings deserve attention. vncserver_listen=0.0.0.0 makes every instance's VNC console listen on all host interfaces; the VNC servers themselves do no authentication (the token check happens in nova-novncproxy), so on a single node both vncserver_listen and vncserver_proxyclient_address can be 127.0.0.1, since the proxy runs on the same host, and otherwise the ports from 5900 upwards must be firewalled so that only the proxy host can reach them. quantum_metadata_proxy_shared_secret must be the same value as metadata_proxy_shared_secret in /etc/quantum/metadata_agent.ini (Section 5, step 10) and should be a random string rather than the sample shown.
7. Edit /etc/nova/nova-compute.conf:
[DEFAULT]
libvirt_type=qemu
#libvirt_type=kvm
8. Synchronize and populate your Nova database:
# nova-manage db sync
9. Restart the nova-* services:
# cd /etc/init.d/; for i in $( ls nova-* ); do sudo service $i restart; done
10. Check for the smiling faces (:-)) in the State column of the service list to confirm your installation:
# nova-manage service list
Troubleshooting the Compute Service (Nova)
Trying to launch a new virtual machine instance fails with the ERROR state, and the following error appears in /var/log/nova/nova-compute.log
libvirtError: internal error no supported architecture for os type 'hvm'
This is a symptom that the KVM kernel modules have not been loaded. If you cannot start VMs after installation without rebooting, it is possible that the permissions are not correct. This can happen if you load the KVM module before you have installed nova-compute.
7. INSTALLING OPENSTACK CINDER COMPONENT (VOLUME)
Cinder provides an infrastructure for managing volumes in OpenStack. It was originally a Nova component called nova-volume, but has been an independent project since the Folsom release.
1. Install the required packages:
# apt-get install -y cinder-api cinder-scheduler cinder-volume iscsitarget open-iscsi iscsitarget-dkms
2. Enable the iSCSI target service (this sets ISCSITARGET_ENABLE=true in /etc/default/iscsitarget):
# sed -i 's/false/true/g' /etc/default/iscsitarget
3. Start the service:
# service iscsitarget start
4. Now we will configure the MySQL database for Cinder. Start the MySQL command-line client by running:
# mysql -u root -p
Enter the MySQL root user's password when prompted.
5. Create the database for Cinder:
> CREATE DATABASE cinder;
> GRANT ALL ON cinder.* TO 'cinderUser'@'%' IDENTIFIED BY 'cinderPass';
> quit;
6. Configure /etc/cinder/api-paste.ini like the following:
[filter:authtoken] paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory service_protocol = http service_host = 10.2.31.168 service_port = 5000 auth_host = 10.2.31.168 auth_port = 35357 auth_protocol = http admin_tenant_name = service admin_user = cinder admin_password = service_pass signing_dir = /var/lib/cinder
Extensible Access Control Framework for Cloud based Applications
KTH-SEECS Applied Information Security Lab, NUST-SEECS, H-12 Sector, Islamabad, Pakistan. Tel: 051-90852164, Fax: 051-8317363, Website: http://ais.seecs.nust.edu.pk/project 7. Edit the /etc/cinder/cinder.conf to:
[DEFAULT]
rootwrap_config = /etc/cinder/rootwrap.conf
sql_connection = mysql://cinderUser:cinderPass@10.2.31.168/cinder
api_paste_config = /etc/cinder/api-paste.ini
#iscsi_helper = tgtadm
iscsi_helper = ietadm
volume_name_template = volume-%s
volume_group = cinder-volumes
verbose = True
auth_strategy = keystone
state_path = /var/lib/cinder
lock_path = /var/lock/cinder
volumes_dir = /var/lib/cinder/volumes
The option name is api_paste_config; some copies of this file spell it api_paste_confg, which oslo.config silently ignores, so Cinder then falls back to its default api-paste.ini. The sql_connection password and host are the ones created in step 5 and used throughout this guide.
8. RabbitMQ settings in /etc/cinder/cinder.conf:
# IP address of the RabbitMQ installation
rabbit_host = localhost
#rabbit_host = 10.2.31.168
# Password of the RabbitMQ server
rabbit_password = password
# Port where RabbitMQ server is running/listening
rabbit_port = 5672
# RabbitMQ single or HA cluster (host:port pairs, i.e. host1:5672, host2:5672)
# rabbit_hosts defaults to '$rabbit_host:$rabbit_port'
rabbit_hosts = 10.2.31.168:5672
# User ID used for RabbitMQ connections
rabbit_userid = guest
# Location of a virtual RabbitMQ installation.
rabbit_virtual_host = /
These values use RabbitMQ's default guest account. Anyone who can reach port 5672 with them can publish to the Cinder RPC queues, so use a dedicated broker user with its own password and keep the broker port off untrusted networks.
9. Synchronize your database:
# cinder-manage db sync
10. Create a volume group named cinder-volumes. First attach the cinder-volumes backing file to a loop device and create an LVM partition on it:
# losetup /dev/loop2 cinder-volumes
# fdisk /dev/loop2
Type in the following, one answer per prompt:
n (new partition), p (primary), 1 (partition number), ENTER (default first sector), ENTER (default last sector), t (change type), 8e (Linux LVM), w (write and exit)
11. Proceed to create the physical volume, then the volume group:
# pvcreate -ff /dev/loop2
# vgcreate cinder-volumes /dev/loop2
Beware that the loop device, and with it this volume group, is not re-attached after a system reboot, so add the following line to /etc/rc.local before the exit 0 line:
# nano /etc/rc.local
losetup /dev/loop2 %Your_path_to_cinder_volumes%
12. Restart the cinder services:
13. Verify that the cinder services are running:
#cd /etc/init.d/; for i in $( ls cinder-* ); do sudo service $i status; done
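A fuller boot-time script for steps 10 to 13, added here as an example and not taken from the guide. It replaces the single losetup line in /etc/rc.local: it reads `losetup -a` to see whether the backing file is already attached (so re-running it is safe), attaches it to the guide's /dev/loop2 only if it is not, activates the cinder-volumes volume group explicitly instead of relying on udev, and restarts cinder-volume, which has usually started before rc.local runs and therefore could not find its volumes. The path /var/lib/cinder/cinder-volumes is an assumption standing in for %Your_path_to_cinder_volumes%. Run it as `sh cinder-volumes-boot.sh --apply` from rc.local; without --apply it only exercises the losetup parser on a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original guide: idempotent boot-time
# re-attachment of the cinder-volumes loop device, for /etc/rc.local.
set -eu

BACKING_FILE="${BACKING_FILE:-/var/lib/cinder/cinder-volumes}"  # assumed path
LOOP_DEV="${LOOP_DEV:-/dev/loop2}"                               # as in the guide
VG_NAME="cinder-volumes"

# loop_for_file LOSETUP_OUTPUT FILE
# Given the text printed by `losetup -a`, print the loop device that already
# carries FILE, or nothing if it is not attached. Each `losetup -a` line has
# the form "/dev/loopN: [MAJ:MIN]:INODE (/path/to/file)"; the path is the
# last field, so paths containing spaces are not handled.
loop_for_file() {
    printf '%s\n' "$1" | awk -v want="($2)" \
        '$NF == want { sub(/:$/, "", $1); print $1; exit }'
}

# Attach BACKING_FILE to LOOP_DEV unless some loop device already has it;
# print the device that ends up holding the file.
ensure_loop() {
    existing="$(loop_for_file "$(losetup -a)" "$BACKING_FILE")"
    if [ -n "$existing" ]; then
        echo "$existing"
    else
        losetup "$LOOP_DEV" "$BACKING_FILE"
        echo "$LOOP_DEV"
    fi
}

apply() {
    if [ ! -f "$BACKING_FILE" ]; then
        echo "backing file $BACKING_FILE is missing" >&2
        return 1
    fi
    dev="$(ensure_loop)"
    echo "cinder-volumes backing file is on $dev"
    # Rescan for physical volumes and activate the volume group explicitly;
    # the guide's one-line rc.local entry leaves this to udev.
    vgscan >/dev/null
    vgchange -ay "$VG_NAME"
    # cinder-volume normally starts before rc.local runs and fails to find
    # its volumes; restart it so existing volumes are exported again.
    service cinder-volume restart
    # Show what IET now exports (the guide uses iscsi_helper = ietadm).
    [ -r /proc/net/iet/volume ] && cat /proc/net/iet/volume
    return 0
}

# Constructed `losetup -a` output for the dry run (not captured from a host).
SAMPLE_LOSETUP='/dev/loop0: [0801]:2 (/srv/images/other.img)
/dev/loop2: [0801]:131073 (/var/lib/cinder/cinder-volumes)'

if [ "${1:-}" = "--apply" ]; then
    apply
else
    echo "dry run: sample shows $BACKING_FILE on '$(loop_for_file "$SAMPLE_LOSETUP" "$BACKING_FILE")'"
fi
```

Because the script checks `losetup -a` first, running it twice does not fail with "device busy" on /dev/loop2, which the bare losetup line in rc.local does if the loop device was already attached by hand.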
Troubleshooting the Cinder Component (Volume)
8. INSTALLING OPENSTACK DASHBOARD (HORIZON)
You can use a web-based dashboard with an OpenStack Compute installation; it is provided by the OpenStack Dashboard (Horizon) project.
1. Install the OpenStack Dashboard:
# apt-get install openstack-dashboard memcached
If you do not like the OpenStack Ubuntu theme, you can remove the package to disable it:
# dpkg --purge openstack-dashboard-ubuntu-theme
2. Reload Apache and memcached:
# service apache2 restart; service memcached restart
3. Validating the Dashboard Install:
To validate the Dashboard installation, point your web browser to http://10.2.31.168/horizon. Once you connect, you should see a login window. Enter the credentials of a user you created with the Identity Service, Keystone (username admin, password admin_pass). Note that this URL is plain HTTP, so the password crosses the network unencrypted; for anything beyond a lab setup, serve Horizon over HTTPS.
Main Dashboard of OpenStack:
4. First instance using the Dashboard (VM launch):
After logging in to the dashboard, go to the Project tab and create a new network for your new VM instance.
5. Network setting:
Click on the Network menu, then create a new network by clicking the +Create Network button.
Set the network name and subnet details such as the network address, gateway address, etc.
6. After network creation, generate an RSA key pair by clicking on the Access & Security option and then Generate KeyPair in the Project tab.
7. To launch a new instance, click on the Instances menu in the Dashboard, shown below, then click the +Launch Instance button.
8. Set the instance details such as image source, instance name and flavor. Also set the network for your new instance.
9. As shown in the figure below, the new network is selected for the VM instance.
If no error occurs during the instance creation phase, the new instance is displayed in the OpenStack dashboard under the Instances option.
10. If your system uses a proxy and your cloud server is in the same network, add the IP address of the cloud server to the Firefox proxy exception list; otherwise the instance console will not work.
Go to Options --> Advanced --> Network --> Settings
Instance logs, shown by clicking on the Log tab:
Appendix
Appendix A
Sample configuration files:
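The keystone.conf listed as item 4 below keeps the bootstrap profile: admin_token is commented out (in Grizzly that leaves the default value ADMIN in effect), admin_token_auth stays in every pipeline, [ssl] is disabled, and [signing] key_size is left at its 1024-bit default. As an added example, not part of the guide, the following script audits a keystone.conf for exactly those settings. It reads the file only; the two embedded sample files (one shaped like the listing below, one hardened) are constructed for the example, and the 2048-bit threshold is the example's own choice.

```shell
#!/bin/sh
# Added example, not part of the original guide: read-only audit of a
# keystone.conf for bootstrap-time settings that should not survive into
# service. Prints one finding per line; prints nothing for a clean file.
set -eu

# audit_keystone_conf FILE
audit_keystone_conf() {
    conf="$1"
    # admin_token_auth grants full admin to any request carrying admin_token.
    # In Grizzly an unset admin_token defaults to the string ADMIN, so a
    # commented-out line does not disable it; only removing the filter does.
    if grep -Eq '^[[:space:]]*pipeline[[:space:]]*=.*[[:space:]]admin_token_auth([[:space:]]|$)' "$conf"; then
        tok="$(sed -n 's/^[[:space:]]*admin_token[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)"
        case "$tok" in
            "")    echo "admin_token_auth is in a pipeline and admin_token is unset (default ADMIN applies)" ;;
            ADMIN) echo "admin_token_auth is in a pipeline with the well-known token ADMIN" ;;
            *)     echo "admin_token_auth is still in a pipeline; remove it once bootstrapping is done" ;;
        esac
    fi
    # debug = True makes keystone log request bodies, passwords included.
    if grep -Eiq '^[[:space:]]*debug[[:space:]]*=[[:space:]]*true' "$conf"; then
        echo "debug = True logs plaintext requests"
    fi
    # Without an active 'enable = True' under [ssl], both API ports are plain HTTP.
    if ! awk '/^\[ssl\]/ {s=1; next} /^\[/ {s=0}
              s && /^[ \t]*enable[ \t]*=[ \t]*[Tt]rue/ {f=1}
              END {exit !f}' "$conf"; then
        echo "[ssl] enable is not set: keystone serves plaintext HTTP"
    fi
    # PKI signing key size; an unset key_size means the Grizzly default of 1024.
    ks="$(awk '/^\[signing\]/ {s=1; next} /^\[/ {s=0}
               s && /^[ \t]*key_size[ \t]*=/ {sub(/.*=[ \t]*/, ""); sub(/[ \t]*#.*/, ""); print; exit}' "$conf")"
    ks="${ks:-1024}"
    if [ "$ks" -lt 2048 ]; then
        echo "[signing] key_size = $ks is below 2048"
    fi
}

# finding_count FILE: number of findings, 0 when clean.
finding_count() {
    audit_keystone_conf "$1" | wc -l | tr -d ' '
}

# sample_file TEXT: write TEXT to a temp file and print its path.
sample_file() {
    f="$(mktemp)"
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

# Constructed samples (not copied from any host). The first mirrors the
# bootstrap profile of the appendix listing; the second is the hardened form.
WEAK_SAMPLE='[DEFAULT]
# admin_token = ADMIN
# debug = False
[ssl]
#enable = True
[signing]
#token_format = PKI
#key_size = 1024
[pipeline:admin_api]
pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body debug crud_extension admin_service'

HARDENED_SAMPLE='[DEFAULT]
# admin_token removed after bootstrapping
debug = False
[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
[signing]
token_format = PKI
key_size = 2048
[pipeline:admin_api]
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body debug crud_extension admin_service'

demo() {
    f="$(sample_file "$2")"
    echo "== $1: $(finding_count "$f") finding(s)"
    audit_keystone_conf "$f"
    rm -f "$f"
}

demo "appendix-style sample" "$WEAK_SAMPLE"
demo "hardened sample" "$HARDENED_SAMPLE"
```

To audit a real file, call `audit_keystone_conf /etc/keystone/keystone.conf`. The hardened sample shows the fix for each finding: drop admin_token_auth from the pipelines once the service users exist, keep debug off, enable [ssl] with the certificate paths the listing already suggests, and set key_size explicitly.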
1. environment ---
http_proxy="http://10.3.3.3:8080/"
https_proxy="https://10.3.3.3:8080/"
ftp_proxy="ftp://10.3.3.3:8080/"
socks_proxy="socks://10.3.3.3:8080/"
no_proxy="localhost,127.0.0.1,http://10.2.31.168:5000,http://10.2.31.168:9292,http://10.2.31.168:6080,http://10.2.31.168:6080/vnc_auto.html,10.2.31.168:5672"
2. .bashrc ---
no_proxy="localhost,127.0.0.1,http://10.2.31.168:5000,http://10.2.31.168:9292,http://10.2.31.168:6080,http://10.2.31.168:6080/vnc_auto.html"
Note that no_proxy is matched against host names and addresses, not URLs: entries written with a scheme or path (http://10.2.31.168:5000, .../vnc_auto.html) do not match in curl or in Python's urllib, so list the bare address 10.2.31.168 (optionally with a port) instead.
3. creds ---
# Paste the following:
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin_pass
export OS_AUTH_URL="http://10.2.31.168:5000/v2.0/"
#export OS_AUTH_URL=http://192.168.100.51:5000/v2.0/
4. keystone.conf ---
[DEFAULT]
# A "shared secret" between keystone and other openstack services
# admin_token = ADMIN

# The IP address of the network interface to listen on
# bind_host = 0.0.0.0

# The port number which the public service listens on
# public_port = 5000

# The port number which the public admin listens on
# admin_port = 35357

# The base endpoint URLs for keystone that are advertised to clients
# (NOTE: this does NOT affect how keystone listens for connections)
# public_endpoint = http://localhost:%(public_port)d/
# admin_endpoint = http://localhost:%(admin_port)d/

# The port number which the OpenStack Compute service listens on
# compute_port = 8774

# Path to your policy definition containing identity actions
# policy_file = policy.json

# Rule to check if no matching policy definition is found
# FIXME(dolph): This should really be defined as [policy] default_rule
# policy_default_rule = admin_required

# Role for migrating membership relationships
# During a SQL upgrade, the following values will be used to create a new role
# that will replace records in the user_tenant_membership table with explicit
# role grants. After migration, the member_role_id will be used in the API
# add_user_to_project, and member_role_name will be ignored.
# member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
# member_role_name = _member_

# === Logging Options ===
# Print debugging output
# (includes plaintext request logging, potentially including passwords)
# debug = False

# Print more verbose output
# verbose = False

log_file = keystone.log

# The directory to keep log files in (will be prepended to --logfile)
log_dir = /var/log/keystone

# Use syslog for logging.
# use_syslog = False

# syslog facility to receive log lines
# syslog_log_facility = LOG_USER

# If this option is specified, the logging configuration file specified is
# used and overrides any other logging options specified. Please see the
# Python logging module documentation for details on logging configuration
# files.
# log_config = logging.conf

# A logging.Formatter log message format string which may use any of the
# available logging.LogRecord attributes.
# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s

# Format string for %(asctime)s in log records.
# log_date_format = %Y-%m-%d %H:%M:%S

# onready allows you to send a notification when the process is ready to serve
# For example, to have it notify using systemd, one could set shell command:
# onready = systemd-notify --ready
# or a module with notify() method:
# onready = keystone.common.systemd

[sql]
# The SQLAlchemy connection string used to connect to the database
#connection = sqlite:////var/lib/keystone/keystone.db
connection = mysql://keystoneUser:[email protected]/keystone

# the timeout before idle sql connections are reaped
# idle_timeout = 200

[identity]
# This references the domain to use for all Identity API v2 requests (which are
# not aware of domains). A domain with this ID will be created for you by
# keystone-manage db_sync in migration 008. The domain referenced by this ID
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
# There is nothing special about this domain, other than the fact that it must
# exist to order to maintain support for your v2 clients.
# default_domain_id = default

[trust]
driver = keystone.trust.backends.sql.Trust
# delegation and impersonation features can be optionally disabled
# enabled = True

[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
driver = keystone.catalog.backends.sql.Catalog

# static, file-based backend (does *NOT* support any management commands)
# driver = keystone.catalog.backends.templated.TemplatedCatalog
# template_file = default_catalog.templates

[token]
driver = keystone.token.backends.sql.Token

# Amount of time a token should remain valid (in seconds)
# expiration = 86400

[policy]
driver = keystone.policy.backends.sql.Policy

[ec2]
driver = keystone.contrib.ec2.backends.sql.Ec2

[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#cert_required = True

[signing]
#token_format = PKI
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#key_size = 1024
#valid_days = 3650
#ca_password = None

[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# password = None
# suffix = cn=example,cn=com
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com

# Maximum results per page; a value of zero ('0') disables paging (default)
# page_size = 0

# The LDAP dereferencing option for queries. This can be either 'never',
# 'searching', 'always', 'finding' or 'default'. The 'default' option falls
# back to using default dereferencing configured by your ldap.conf.
# alias_dereferencing = default

# The LDAP scope for queries, this can be either 'one'
# (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
# query_scope = one

# user_tree_dn = ou=Users,dc=example,dc=com
# user_filter =
# user_objectclass = inetOrgPerson
# user_domain_id_attribute = businessCategory
# user_id_attribute = cn
# user_name_attribute = sn
# user_mail_attribute = email
# user_pass_attribute = userPassword
# user_enabled_attribute = enabled
# user_enabled_mask = 0
# user_enabled_default = True
# user_attribute_ignore = tenant_id,tenants
# user_allow_create = True
# user_allow_update = True
# user_allow_delete = True
# user_enabled_emulation = False
# user_enabled_emulation_dn =

# tenant_tree_dn = ou=Groups,dc=example,dc=com
# tenant_filter =
# tenant_objectclass = groupOfNames
# tenant_domain_id_attribute = businessCategory
# tenant_id_attribute = cn
# tenant_member_attribute = member
# tenant_name_attribute = ou
# tenant_desc_attribute = desc
# tenant_enabled_attribute = enabled
# tenant_attribute_ignore =
# tenant_allow_create = True
# tenant_allow_update = True
# tenant_allow_delete = True
# tenant_enabled_emulation = False
# tenant_enabled_emulation_dn =

# role_tree_dn = ou=Roles,dc=example,dc=com
# role_filter =
# role_objectclass = organizationalRole
# role_id_attribute = cn
# role_name_attribute = ou
# role_member_attribute = roleOccupant
# role_attribute_ignore =
# role_allow_create = True
# role_allow_update = True
# role_allow_delete = True

# group_tree_dn =
# group_filter =
# group_objectclass = groupOfNames
# group_id_attribute = cn
# group_name_attribute = ou
# group_member_attribute = member
# group_desc_attribute = desc
# group_attribute_ignore =
# group_allow_create = True
# group_allow_update = True
# group_allow_delete = True

[auth]
methods = password,token
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token

[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory

[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory

[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory

[filter:sizelimit]
paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory

[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory

[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory

[filter:access_log]
paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:service_v3]
paste.app_factory = keystone.service:v3_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3

[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory

[app:admin_version_service]

[pipeline:public_version_api]
pipeline = access_log sizelimit stats_monitoring url_normalize xml_body public_version_service

[pipeline:admin_version_api]
pipeline = access_log sizelimit stats_monitoring url_normalize xml_body admin_version_service

[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api

[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api
5. glance-registry.conf ---
[DEFAULT]
# Show more verbose log output (sets INFO log level output)
#verbose = False

# Show debugging output in logs (sets DEBUG log level output)
#debug = False

# Address to bind the registry server
bind_host = 0.0.0.0

# Port the bind the registry server to
bind_port = 9191

# Log to this file. Make sure you do not set the same log
# file for both the API and registry servers!
log_file = /var/log/glance/registry.log

# Backlog requests when creating socket
backlog = 4096

# TCP_KEEPIDLE value in seconds when creating socket.
# Not supported on OS X.
#tcp_keepidle = 600

# SQLAlchemy connection string for the reference implementation
# registry server. Any valid SQLAlchemy connection string is fine.
# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
#sql_connection = sqlite:////var/lib/glance/glance.sqlite
sql_connection = mysql://glanceUser:[email protected]/glance

# Period in seconds after which SQLAlchemy should reestablish its connection
# to the database.
#
# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
# idle connections. This can result in 'MySQL Gone Away' exceptions. If you
# notice this, you can lower this value to ensure that SQLAlchemy reconnects
# before MySQL can drop the connection.
sql_idle_timeout = 3600

# Limit the api to return `param_limit_max` items in a call to a container. If
# a larger `limit` query param is provided, it will be reduced to this value.
api_limit_max = 1000

# If a `limit` query param is not provided in an api request, it will
# default to `limit_param_default`
limit_param_default = 25

# Role used to identify an authenticated user as administrator
#admin_role = admin

# Whether to automatically create the database tables.
# Default: False
#db_auto_create = False

# ================= Syslog Options ============================

# Send logs to syslog (/dev/log) instead of to file specified
# by `log_file`

# Facility to use. If unset defaults to LOG_USER.
#syslog_log_facility = LOG_LOCAL1

# ================= SSL Options ===============================

# Certificate file to use when starting registry server securely
#cert_file = /path/to/certfile

# Private key file to use when starting registry server securely
#key_file = /path/to/keyfile

# CA certificate file to use to verify connecting clients
#ca_file = /path/to/cafile

[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%

[paste_deploy]
# Name of the paste configuration file that defines the available pipelines
#config_file = glance-registry-paste.ini

# Partial name of a pipeline in your paste configuration file with the
# service name removed. For example, if your paste section name is
# [pipeline:glance-registry-keystone], you would configure the flavor below
# as 'keystone'.
#flavor=
flavor = keystone
The %SERVICE_*% placeholders under [keystone_authtoken] are left unfilled in this setup: with flavor = keystone, the auth_token middleware takes its Keystone address and service credentials from the [filter:authtoken] section of glance-registry-paste.ini (item 6), and falls back to [keystone_authtoken] only for values missing there. The two [paste_deploy] fragments of the original file are merged into one section above.
6. glance-registry-paste.ini ---
# Use this pipeline for no auth - DEFAULT
[pipeline:glance-registry]
pipeline = unauthenticated-context registryapp

[pipeline:glance-registry-keystone]
pipeline = authtoken context registryapp

[app:registryapp]
paste.app_factory = glance.registry.api.v1:API.factory

[filter:context]
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory

[filter:unauthenticated-context]
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = 10.2.31.168
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = service_pass
7. glance-api.conf ---
[DEFAULT]
# Show more verbose log output (sets INFO log level output)
#verbose = False

# Show debugging output in logs (sets DEBUG log level output)
#debug = False

# Which backend scheme should Glance use by default is not specified
# in a request to add a new image to Glance? Known schemes are determined
# by the known_stores option below.
# Default: 'file'
default_store = file

# List of which store classes and store class locations are
# currently known to glance at startup.
#                  glance.store.http.Store,
#                  glance.store.rbd.Store,
#                  glance.store.s3.Store,
#                  glance.store.swift.Store,

# Maximum image size (in bytes) that may be uploaded through the
# Glance API server. Defaults to 1 TB.
# WARNING: this value should only be increased after careful consideration
# and must be set to a value under 8 EB (9223372036854775808).
#image_size_cap = 1099511627776

# Address to bind the API server
bind_host = 0.0.0.0

# Port the bind the API server to
bind_port = 9292

# Log to this file. Make sure you do not set the same log
# file for both the API and registry servers!
log_file = /var/log/glance/api.log

# Backlog requests when creating socket
backlog = 4096

# TCP_KEEPIDLE value in seconds when creating socket.
# Not supported on OS X.
#tcp_keepidle = 600

# SQLAlchemy connection string for the reference implementation
# registry server. Any valid SQLAlchemy connection string is fine.
# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
#sql_connection = sqlite:////var/lib/glance/glance.sqlite
sql_connection = mysql://glanceUser:[email protected]/glance

# Period in seconds after which SQLAlchemy should reestablish its connection
# to the database.
#
# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
# idle connections. This can result in 'MySQL Gone Away' exceptions. If you
# notice this, you can lower this value to ensure that SQLAlchemy reconnects