magnum/doc/source/install-guide-from-source.rst
Johannes Grassler f895b2bd09 Fix global stack list in periodic task
The periodic task unnecessarily lists Heat stacks in the
global tenant (across all tenants) which the Magnum service
user may lack permission for. Also, the most restrictive way
to let it use global stack-list is to choose a Keystone role and
open that operation to any user in any project holding that
role.

This commit substitutes a direct lookup of all bays' stack_id
attributes for this global stack list. This direct lookup will
yield the same net result. In order to get the necessary
permissions it will use each bay's stored Keystone trust to
act on behalf of the bay's creating user.

Co-Authored-By: Jiri Suchomel <jiri.suchomel@suse.com>
Closes-Bug: #1589955
Change-Id: I67b176c137c463e37e037970cc4e468d51db30c9
2016-07-27 10:11:51 +02:00


Install Magnum from source

Install and configure

This section describes how to install and configure the Container Infrastructure Management service, code-named magnum, on the controller node.

This section assumes that you already have a working OpenStack environment with at least the following components installed: Compute, Image Service, Identity, Networking, Block Storage, Orchestration and Neutron/LBaaS. See OpenStack Install Guides for all the above services apart from Neutron/LBaaS. For Neutron/LBaaS see Neutron/LBaaS/HowToRun.

To store certificates, you can use Barbican (which is recommended) or save them locally on the controller node. To install Barbican, see Setting up a Barbican Development Environment (http://docs.openstack.org/developer/barbican/setup/dev.html#configuring-barbican).

Optionally, you can install the following components: Object Storage, to make private Docker registries available to users, and Telemetry, to periodically send magnum-related metrics. See OpenStack Install Guides.

Important

Magnum creates VM clusters on the Compute service (nova), called bays. These VMs must have basic Internet connectivity and must be able to reach magnum's API server. Make sure that Compute and Network services are configured accordingly.

Prerequisites

Before you install and configure the Container Infrastructure Management service, you must create a database, service credentials, and API endpoints.

  1. To create the database, complete these steps:

    • Use the database access client to connect to the database server as the root user:

      $ mysql -u root -p
    • Create the magnum database:

      CREATE DATABASE magnum;
    • Grant proper access to the magnum database:

      GRANT ALL PRIVILEGES ON magnum.* TO 'magnum'@'controller' \
        IDENTIFIED BY 'MAGNUM_DBPASS';
      GRANT ALL PRIVILEGES ON magnum.* TO 'magnum'@'%' \
        IDENTIFIED BY 'MAGNUM_DBPASS';

      Replace MAGNUM_DBPASS with a suitable password.

    • Exit the database access client.

  2. Source the admin credentials to gain access to admin-only CLI commands:

    $ . admin-openrc
  3. To create the service credentials, complete these steps:

    • Create the magnum user:

      $ openstack user create --domain default \
        --password-prompt magnum
      User Password:
      Repeat User Password:
      +-----------+----------------------------------+
      | Field     | Value                            |
      +-----------+----------------------------------+
      | domain_id | default                          |
      | enabled   | True                             |
      | id        | a8ebafc275c54d389dfc1bff8b4fe286 |
      | name      | magnum                           |
      +-----------+----------------------------------+
    • Add the admin role to the magnum user:

      $ openstack role add --project service --user magnum admin

      Note

      This command provides no output.

    • Create the magnum service entity:

      $ openstack service create --name magnum \
        --description "Container Infrastructure Management Service" \
        container-infra
      +-------------+-------------------------------------------------------+
      | Field       | Value                                                 |
      +-------------+-------------------------------------------------------+
      | description | OpenStack Container Infrastructure Management service |
      | enabled     | True                                                  |
      | id          | 194faf83e8fd4e028e5ff75d3d8d0df2                      |
      | name        | magnum                                                |
      | type        | container-infra                                       |
      +-------------+-------------------------------------------------------+
  4. Create the Container Infrastructure Management service API endpoints:

    $ openstack endpoint create --region RegionOne \
      container-infra public http://controller:9511/v1
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | cb137e6366ad495bb521cfe92d8b8858 |
    | interface    | public                           |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 0f7f62a1f1a247d2a4cb237642814d0e |
    | service_name | magnum                           |
    | service_type | container-infra                  |
    | url          | http://controller:9511/v1        |
    +--------------+----------------------------------+
    
    $ openstack endpoint create --region RegionOne \
      container-infra internal http://controller:9511/v1
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 17cbc3b6f51449a0a818118d6d62868d |
    | interface    | internal                         |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 0f7f62a1f1a247d2a4cb237642814d0e |
    | service_name | magnum                           |
    | service_type | container-infra                  |
    | url          | http://controller:9511/v1        |
    +--------------+----------------------------------+
    
    $ openstack endpoint create --region RegionOne \
      container-infra admin http://controller:9511/v1
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 30f8888e6b6646d7b5cd14354c95a684 |
    | interface    | admin                            |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 0f7f62a1f1a247d2a4cb237642814d0e |
    | service_name | magnum                           |
    | service_type | container-infra                  |
    | url          | http://controller:9511/v1        |
    +--------------+----------------------------------+
  5. Magnum requires additional information in the Identity service to manage COE clusters (bays). To add this information, complete these steps:

    • Create the magnum domain that contains projects and users:

      $ openstack domain create --description "Owns users and projects \
        created by magnum" magnum
        +-------------+-------------------------------------------+
        | Field       | Value                                     |
        +-------------+-------------------------------------------+
        | description | Owns users and projects created by magnum |
        | enabled     | True                                      |
        | id          | 66e0469de9c04eda9bc368e001676d20          |
        | name        | magnum                                    |
        +-------------+-------------------------------------------+
    • Create the magnum_domain_admin user to manage projects and users in the magnum domain:

      $ openstack user create --domain magnum --password-prompt \
        magnum_domain_admin
        User Password:
        Repeat User Password:
        +-----------+----------------------------------+
        | Field     | Value                            |
        +-----------+----------------------------------+
        | domain_id | 66e0469de9c04eda9bc368e001676d20 |
        | enabled   | True                             |
        | id        | 529b81cf35094beb9784c6d06c090c2b |
        | name      | magnum_domain_admin              |
        +-----------+----------------------------------+
    • Add the admin role to the magnum_domain_admin user in the magnum domain to enable administrative management privileges by the magnum_domain_admin user:

      $ openstack role add --domain magnum --user magnum_domain_admin admin

      Note

      This command provides no output.

Install and configure components

  1. Install OS-specific prerequisites:

    • Ubuntu 14.04 (trusty) or higher, Debian 8:

      # apt-get update
      # apt-get install python-dev libssl-dev libxml2-dev \
                        libmysqlclient-dev libxslt-dev libpq-dev git \
                        libffi-dev gettext build-essential
    • Fedora 21 / CentOS 7 / RHEL 7:

      # yum install python-devel openssl-devel mysql-devel \
                    libxml2-devel libxslt-devel postgresql-devel git \
                    libffi-devel gettext gcc
    • Fedora 22 or higher

      # dnf install python-devel openssl-devel mysql-devel \
                    libxml2-devel libxslt-devel postgresql-devel git \
                    libffi-devel gettext gcc
    • openSUSE Leap 42.1

      # zypper install git libffi-devel libmysqlclient-devel \
                       libopenssl-devel libxml2-devel libxslt-devel \
                       postgresql-devel python-devel gettext-runtime gcc
  2. Create magnum user and necessary directories:

    • Create user:

      # groupadd --system magnum
      # useradd --home-dir "/var/lib/magnum" \
            --create-home \
            --system \
            --shell /bin/false \
            -g magnum \
            magnum
    • Create directories:

      # mkdir -p /var/log/magnum
      # mkdir -p /etc/magnum
    • Set ownership of the directories:

      # chown magnum:magnum /var/log/magnum
      # chown magnum:magnum /var/lib/magnum
      # chown magnum:magnum /etc/magnum
  3. Install virtualenv and python prerequisites:

    • Install virtualenv and create one for magnum's installation:

      # easy_install -U virtualenv
      # su -s /bin/sh -c "virtualenv /var/lib/magnum/env" magnum
    • Install python prerequisites:

      # su -s /bin/sh -c "/var/lib/magnum/env/bin/pip install tox pymysql \
        python-memcached" magnum
  4. Clone and install magnum:

    # cd /var/lib/magnum
    # git clone https://git.openstack.org/openstack/magnum.git
    # chown -R magnum:magnum magnum
    # cd magnum
    # su -s /bin/sh -c "/var/lib/magnum/env/bin/pip install -r requirements.txt" magnum
    # su -s /bin/sh -c "/var/lib/magnum/env/bin/python setup.py install" magnum
  5. Copy policy.json and api-paste.ini:

    # su -s /bin/sh -c "cp etc/magnum/policy.json /etc/magnum" magnum
    # su -s /bin/sh -c "cp etc/magnum/api-paste.ini /etc/magnum" magnum
  6. Generate a sample configuration file:

    # su -s /bin/sh -c "/var/lib/magnum/env/bin/tox -e genconfig" magnum
    # su -s /bin/sh -c "cp etc/magnum/magnum.conf.sample \
      /etc/magnum/magnum.conf" magnum
  7. Edit /etc/magnum/magnum.conf:

    • In the [api] section, configure the host:

      [api]
      ...
      host = controller
    • In the [certificates] section, select barbican (or local if you don't have barbican installed):

      • Use barbican to store certificates:

        [certificates]
        ...
        cert_manager_type = barbican

      Important

      Barbican is recommended for production environments; the local store should be used for evaluation purposes only.

      • To use local store for certificates, you have to create and specify the directory to use:

        # su -s /bin/sh -c "mkdir -p /var/lib/magnum/certificates/" magnum

        [certificates]
        ...
        cert_manager_type = local
        storage_path = /var/lib/magnum/certificates/
    • In the [cinder_client] section, configure the region name:

      [cinder_client]
      ...
      region_name = RegionOne
    • In the [database] section, configure database access:

      [database]
      ...
      connection = mysql+pymysql://magnum:MAGNUM_DBPASS@controller/magnum

      Replace MAGNUM_DBPASS with the password you chose for the magnum database.

    • In the [keystone_authtoken] and [trust] sections, configure Identity service access:

      [keystone_authtoken]
      ...
      memcached_servers = controller:11211
      auth_version = v3
      auth_uri = http://controller:5000/v3
      project_domain_id = default
      project_name = service
      user_domain_id = default
      password = MAGNUM_PASS
      username = magnum
      auth_url = http://controller:35357
      auth_type = password
      
      [trust]
      ...
      trustee_domain_id = 66e0469de9c04eda9bc368e001676d20
      trustee_domain_admin_id = 529b81cf35094beb9784c6d06c090c2b
      trustee_domain_admin_password = DOMAIN_ADMIN_PASS

      trustee_domain_id is the id of the magnum domain and trustee_domain_admin_id is the id of the magnum_domain_admin user. Replace MAGNUM_PASS with the password you chose for the magnum user in the Identity service and DOMAIN_ADMIN_PASS with the password you chose for the magnum_domain_admin user.

    • In the [oslo_concurrency] section, configure the lock_path:

      [oslo_concurrency]
      ...
      lock_path = /var/lib/magnum/tmp
    • In the [oslo_messaging_notifications] section, configure the driver:

      [oslo_messaging_notifications]
      ...
      driver = messaging
    • In the [oslo_messaging_rabbit] section, configure RabbitMQ message queue access:

      [oslo_messaging_rabbit]
      ...
      rabbit_host = controller
      rabbit_userid = openstack
      rabbit_password = RABBIT_PASS

      Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ.

    Note

    Make sure that /etc/magnum/magnum.conf still has the correct permissions. You can set the permissions again with:

    # chown magnum:magnum /etc/magnum/magnum.conf

  8. Populate Magnum database:

    # su -s /bin/sh -c "/var/lib/magnum/env/bin/magnum-db-manage upgrade" magnum
  9. Set up log rotation for magnum:

    # cd /var/lib/magnum/magnum
    # cp doc/examples/etc/logrotate.d/magnum.logrotate /etc/logrotate.d/magnum
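
An added example, not part of the magnum documentation or source: a shell function that audits the /etc/magnum/magnum.conf produced in step 7 for unreplaced placeholder passwords, access by other users, file ownership, and the evaluation-only local certificate store. The function names, the finding labels and the "no access for other users" rule are assumptions of this example; the guide itself only sets ownership.

```shell
#!/bin/sh
# Added example (not from the magnum tree). Usage:
#   audit_magnum_conf FILE [EXPECTED_OWNER]
# Prints one finding per line; returns 0 only when nothing was found.
audit_magnum_conf() {
    conf=$1
    owner=${2:-magnum}
    findings=0
    # Placeholder passwords from step 7 still present in uncommented lines.
    for ph in MAGNUM_DBPASS MAGNUM_PASS DOMAIN_ADMIN_PASS RABBIT_PASS; do
        if grep -v '^[[:space:]]*#' "$conf" | grep -qwF "$ph"; then
            echo "PLACEHOLDER: $ph was not replaced"
            findings=$((findings + 1))
        fi
    done
    # The file holds service passwords (assumed policy: no access for "other").
    perms=$(ls -ld "$conf" | cut -c1-10)
    case $perms in
        ???????---) ;;
        *) echo "MODE: $perms grants access to other users"
           findings=$((findings + 1)) ;;
    esac
    # The guide's note expects the magnum service account to own the file.
    actual=$(ls -ld "$conf" | awk '{print $3}')
    if [ "$actual" != "$owner" ]; then
        echo "OWNER: file is owned by $actual, expected $owner"
        findings=$((findings + 1))
    fi
    # The local certificate store is for evaluation purposes.
    if grep -Eq '^[[:space:]]*cert_manager_type[[:space:]]*=[[:space:]]*local[[:space:]]*$' "$conf"; then
        echo "CERTS: cert_manager_type = local (evaluation only)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample input: a config with two live placeholders and one
# commented-out placeholder that must not be reported.
write_sample_conf() {
    cat > "$1" <<'EOF'
[certificates]
cert_manager_type = local
[database]
connection = mysql+pymysql://magnum:MAGNUM_DBPASS@controller/magnum
[keystone_authtoken]
# password = MAGNUM_PASS
[oslo_messaging_rabbit]
rabbit_password = RABBIT_PASS
EOF
}
```

After sourcing the file, run `audit_magnum_conf /etc/magnum/magnum.conf` as root; a non-zero exit status means at least one finding was printed.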

Finalize installation

  1. Create init scripts and services:
    • Ubuntu 14.04 (trusty):

      # cd /var/lib/magnum/magnum
      # cp doc/examples/etc/init/magnum-api.conf \
        /etc/init/magnum-api.conf
      # cp doc/examples/etc/init/magnum-conductor.conf \
        /etc/init/magnum-conductor.conf
    • Ubuntu 14.10 or higher, Fedora 21 or higher/RHEL 7/CentOS 7, openSUSE Leap 42.1 or Debian 8:

      # cd /var/lib/magnum/magnum
      # cp doc/examples/etc/systemd/system/magnum-api.service \
        /etc/systemd/system/magnum-api.service
      # cp doc/examples/etc/systemd/system/magnum-conductor.service \
        /etc/systemd/system/magnum-conductor.service
  2. Start magnum-api and magnum-conductor:
    • Ubuntu 14.04 (trusty):

      # start magnum-api
      # start magnum-conductor
    • Ubuntu 14.10 or higher, Fedora 21 or higher/RHEL 7/CentOS 7, openSUSE Leap 42.1 or Debian 8:

      # systemctl enable magnum-api
      # systemctl enable magnum-conductor
      # systemctl start magnum-api
      # systemctl start magnum-conductor
  3. Verify that magnum-api and magnum-conductor services are running:
    • Ubuntu 14.04 (trusty):

      # status magnum-api
      # status magnum-conductor
    • Ubuntu 14.10 or higher, Fedora 21 or higher/RHEL 7/CentOS 7, openSUSE Leap 42.1 or Debian 8:

      # systemctl status magnum-api
      # systemctl status magnum-conductor