Moved firewall section and restructured Compute section
Moved firewall section from CRG Compute to CAG Compute. Renamed log-file chapter to match other 'file' chapter. Moved Compute sections into files to trim down the massive Compute chapter file. Edited touched files. In section_cli_nova_volumes.xml, added example and one new option. In section_compute-rootwrap.xml, added note with NFS share info. In section_system-admin.xml: * Added new services. * Replaced deprecated nova-manage commands with nova. Change-Id: Ie300a9ce25d305b80bb0b21d3cfc318909f3a123
This commit is contained in:
parent
0c1ecb5066
commit
cbc80898a6
File diff suppressed because it is too large
Load Diff
@ -13,11 +13,10 @@
|
||||
is configured to use cells, you can perform live migration
|
||||
within but not between cells.</para>
|
||||
</note>
|
||||
<para>Migration enables an administrator to move a virtual machine
|
||||
instance from one compute host to another. This feature is useful
|
||||
when a compute host requires maintenance. Migration can also be
|
||||
useful to redistribute the load when many VM instances are running
|
||||
on a specific physical machine.</para>
|
||||
<para>Migration enables an administrator to move a virtual-machine instance from one compute host
|
||||
to another. This feature is useful when a compute host requires maintenance. Migration can also
|
||||
be useful to redistribute the load when many VM instances are running on a specific physical
|
||||
machine.</para>
|
||||
<para>The migration types are:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -27,28 +26,28 @@
|
||||
another hypervisor.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Live migration</emphasis> (or true
|
||||
live migration). Almost no instance downtime. Useful when the
|
||||
instances must be kept running during the migration.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<para>The types of <firstterm>live migration</firstterm> are:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shared storage-based live
|
||||
migration</emphasis>. Both hypervisors have access to shared
|
||||
storage.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Block live migration</emphasis>. No
|
||||
shared storage is required.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Volume-backed live
|
||||
migration</emphasis>. When instances are backed by volumes
|
||||
rather than ephemeral disk, no shared storage is required, and
|
||||
migration is supported (currently only in libvirt-based
|
||||
hypervisors).</para>
|
||||
<para><emphasis role="bold">Live migration</emphasis> (or true live migration). Almost no
|
||||
instance downtime. Useful when the instances must be kept running during the migration. The
|
||||
types of <firstterm>live migration</firstterm> are:
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shared storage-based live
|
||||
migration</emphasis>. Both hypervisors have access to shared
|
||||
storage.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Block live migration</emphasis>. No
|
||||
shared storage is required.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Volume-backed live
|
||||
migration</emphasis>. When instances are backed by volumes
|
||||
rather than ephemeral disk, no shared storage is required, and
|
||||
migration is supported (currently only in libvirt-based
|
||||
hypervisors).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<para>The following sections describe how to configure your hosts
|
||||
@ -77,7 +76,6 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<note>
|
||||
<title>Notes</title>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Because the Compute service does not use the libvirt
|
||||
@ -102,35 +100,29 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</note>
|
||||
<itemizedlist>
|
||||
<section xml:id="section_example-compute-install">
|
||||
<title>Example Compute installation environment</title>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Prepare at least three servers; for example,
|
||||
<literal>HostA</literal>, <literal>HostB</literal>, and
|
||||
<literal>HostC</literal>.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><literal>HostA</literal> is the
|
||||
<firstterm baseform="cloud controller">Cloud
|
||||
Controller</firstterm>, and should run these services:
|
||||
<systemitem class="service">nova-api</systemitem>,
|
||||
<systemitem class="service">nova-scheduler</systemitem>,
|
||||
<literal>nova-network</literal>, <systemitem
|
||||
class="service">cinder-volume</systemitem>, and
|
||||
<literal>nova-objectstore</literal>.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><literal>HostB</literal> and <literal>HostC</literal>
|
||||
are the <firstterm baseform="compute node">compute nodes</firstterm>
|
||||
that run <systemitem class="service"
|
||||
>nova-compute</systemitem>.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Ensure that
|
||||
<literal><replaceable>NOVA-INST-DIR</replaceable></literal>
|
||||
(set with <literal>state_path</literal> in the
|
||||
<filename>nova.conf</filename> file) is the same on all
|
||||
hosts.</para>
|
||||
<para>Prepare at least three servers; for example, <literal>HostA</literal>,
|
||||
<literal>HostB</literal>, and <literal>HostC</literal>: <itemizedlist>
|
||||
<listitem>
|
||||
<para><literal>HostA</literal> is the <firstterm baseform="cloud controller">Cloud
|
||||
Controller</firstterm>, and should run these services: <systemitem
|
||||
class="service">nova-api</systemitem>, <systemitem class="service"
|
||||
>nova-scheduler</systemitem>, <literal>nova-network</literal>, <systemitem
|
||||
class="service">cinder-volume</systemitem>, and
|
||||
<literal>nova-objectstore</literal>.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><literal>HostB</literal> and <literal>HostC</literal> are the <firstterm
|
||||
baseform="compute node">compute nodes</firstterm> that run <systemitem
|
||||
class="service">nova-compute</systemitem>.</para>
|
||||
</listitem>
|
||||
</itemizedlist></para>
|
||||
<para>Ensure that <literal><replaceable>NOVA-INST-DIR</replaceable></literal> (set with
|
||||
<literal>state_path</literal> in the <filename>nova.conf</filename> file) is the same
|
||||
on all hosts.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>In this example, <literal>HostA</literal> is the NFSv4
|
||||
@ -153,29 +145,23 @@
|
||||
<prompt>$</prompt> <userinput>ping HostC</userinput></screen>
|
||||
</step>
|
||||
<step>
|
||||
<para>Ensure that the UID and GID of your nova and libvirt
|
||||
users are identical between each of your servers. This
|
||||
ensures that the permissions on the NFS mount works
|
||||
correctly.</para>
|
||||
<para>Ensure that the UID and GID of your Compute and libvirt users are identical between
|
||||
each of your servers. This ensures that the permissions on the NFS mount works
|
||||
correctly.</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Follow the instructions at <link
|
||||
xlink:href="https://help.ubuntu.com/community/SettingUpNFSHowTo"
|
||||
>the Ubuntu NFS HowTo to setup an NFS server on
|
||||
<literal>HostA</literal>, and NFS Clients on
|
||||
<literal>HostB</literal> and
|
||||
<literal>HostC</literal>.</link></para>
|
||||
<para>The aim is to export
|
||||
<filename><replaceable>NOVA-INST-DIR</replaceable>/instances</filename>
|
||||
from <literal>HostA</literal>, and have it readable and
|
||||
writable by the nova user on <literal>HostB</literal> and
|
||||
<literal>HostC</literal>.</para>
|
||||
<para>Export <filename><replaceable>NOVA-INST-DIR</replaceable>/instances</filename> from
|
||||
<literal>HostA</literal>, and have it readable and writable by the Compute user on
|
||||
<literal>HostB</literal> and <literal>HostC</literal>.</para>
|
||||
<para>For more information, see: <link
|
||||
xlink:href="https://help.ubuntu.com/community/SettingUpNFSHowTo"
|
||||
>SettingUpNFSHowTo</link> or <link
|
||||
xlink:href="http://www.cyberciti.biz/faq/centos-fedora-rhel-nfs-v4-configuration/"
|
||||
>CentOS / Redhat: Setup NFS v4.0 File Server</link></para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Using your knowledge from the Ubuntu documentation,
|
||||
configure the NFS server at <literal>HostA</literal> by
|
||||
adding this line to the <filename>/etc/exports</filename>
|
||||
file:</para>
|
||||
<para>Configure the NFS server at <literal>HostA</literal> by adding the following line to
|
||||
the <filename>/etc/exports</filename> file:</para>
|
||||
<programlisting><replaceable>NOVA-INST-DIR</replaceable>/instances HostA/255.255.0.0(rw,sync,fsid=0,no_root_squash)</programlisting>
|
||||
<para>Change the subnet mask (<literal>255.255.0.0</literal>)
|
||||
to the appropriate value to include the IP addresses of
|
||||
@ -194,20 +180,18 @@
|
||||
<screen><prompt>$</prompt> <userinput>chmod o+x <replaceable>NOVA-INST-DIR</replaceable>/instances</userinput> </screen>
|
||||
</step>
|
||||
<step>
|
||||
<para>Configure NFS at HostB and HostC by adding this line to
|
||||
the <filename>/etc/fstab</filename> file:</para>
|
||||
<para>Configure NFS at HostB and HostC by adding the following line to the
|
||||
<filename>/etc/fstab</filename> file:</para>
|
||||
<programlisting>HostA:/ /<replaceable>NOVA-INST-DIR</replaceable>/instances nfs4 defaults 0 0</programlisting>
|
||||
<para>Make sure that you can mount the exported directory can
|
||||
be mounted:</para>
|
||||
<para>Ensure that you can mount the exported directory can be mounted:</para>
|
||||
<screen><prompt>$</prompt> <userinput>mount -a -v</userinput></screen>
|
||||
<para>Check that HostA can see the
|
||||
"<filename><replaceable>NOVA-INST-DIR</replaceable>/instances/</filename>"
|
||||
directory:</para>
|
||||
<screen><prompt>$</prompt> <userinput>ls -ld <filename><replaceable>NOVA-INST-DIR</replaceable>/instances/</filename></userinput></screen>
|
||||
<screen><computeroutput>drwxr-xr-x 2 nova nova 4096 2012-05-19 14:34 nova-install-dir/instances/</computeroutput></screen>
|
||||
<para>Perform the same check at HostB and HostC, paying
|
||||
special attention to the permissions (nova should be able to
|
||||
write):</para>
|
||||
<para>Perform the same check at HostB and HostC, paying special attention to the permissions
|
||||
(Compute should be able to write):</para>
|
||||
<screen><prompt>$</prompt> <userinput>ls -ld <filename><replaceable>NOVA-INST-DIR</replaceable>/instances/</filename></userinput></screen>
|
||||
<screen><computeroutput>drwxr-xr-x 2 nova nova 4096 2012-05-07 14:34 nova-install-dir/instances/</computeroutput></screen>
|
||||
<screen><prompt>$</prompt> <userinput>df -k</userinput></screen>
|
||||
@ -242,9 +226,12 @@ HostA: 921515008 101921792 772783104 12% /var/lib/nova/instances ( <
|
||||
<step>
|
||||
<para>Configure your firewall to allow libvirt to communicate
|
||||
between nodes.</para>
|
||||
<para>For information about ports that are used with libvirt, see <link
|
||||
xlink:href="http://libvirt.org/remote.html#Remote_libvirtd_configuration"
|
||||
>the libvirt documentation</link> By default, libvirt listens on TCP port 16509 and an ephemeral TCP range from 49152 to 49261 is used for the KVM communications. Based on the secure remote access TCP configuration you chose, be careful choosing what ports you open and understand who has access.</para>
|
||||
<para>By default, libvirt listens on TCP port 16509, and an ephemeral TCP range from 49152
|
||||
to 49261 is used for the KVM communications. Based on the secure remote access TCP
|
||||
configuration you chose, be careful choosing what ports you open and understand who has
|
||||
access. For information about ports that are used with libvirt, see <link
|
||||
xlink:href="http://libvirt.org/remote.html#Remote_libvirtd_configuration">the libvirt
|
||||
documentation</link>.</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>You can now configure options for live migration. In
|
||||
@ -252,7 +239,8 @@ HostA: 921515008 101921792 772783104 12% /var/lib/nova/instances ( <
|
||||
following chart is for advanced usage only.</para>
|
||||
</step>
|
||||
</procedure>
|
||||
<xi:include href="../common/tables/nova-livemigration.xml"/>
|
||||
<xi:include href="../../common/tables/nova-livemigration.xml"/>
|
||||
</section>
|
||||
<section xml:id="true-live-migration-kvm-libvirt">
|
||||
<title>Enable true live migration</title>
|
||||
<para>By default, the Compute service does not use the libvirt
|
||||
@ -284,8 +272,8 @@ HostA: 921515008 101921792 772783104 12% /var/lib/nova/instances ( <
|
||||
Guide</citetitle>.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shared storage</emphasis>. An
|
||||
NFS export, visible to all XenServer hosts.</para>
|
||||
<para><emphasis role="bold">Shared storage</emphasis>. An NFS export, visible to all
|
||||
XenServer hosts.</para>
|
||||
<note>
|
||||
<para>For the supported NFS versions, see the <link
|
||||
xlink:href="http://docs.vmd.citrix.com/XenServer/6.0.0/1.0/en_gb/reference.html#id1002701"
|
||||
@ -357,11 +345,10 @@ HostA: 921515008 101921792 772783104 12% /var/lib/nova/instances ( <
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<note>
|
||||
<title>Notes</title>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>To use block migration, you must use the
|
||||
<parameter>--block-migrate</parameter> parameter with
|
||||
CHANGE THIS == <parameter>==block-migrate</parameter> parameter with
|
||||
the live migration command.</para>
|
||||
</listitem>
|
||||
<listitem>
|
69
doc/admin-guide-cloud/compute/section_compute-image-mgt.xml
Normal file
69
doc/admin-guide-cloud/compute/section_compute-image-mgt.xml
Normal file
@ -0,0 +1,69 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<section xml:id="section_image-mgmt"
|
||||
xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
version="5.0">
|
||||
<title>Image management</title>
|
||||
<para>The OpenStack Image Service discovers, registers, and retrieves virtual machine images.
|
||||
The service also includes a RESTful API that allows you to query VM image metadata and
|
||||
retrieve the actual image with HTTP requests. For more information about the API, see the
|
||||
<link xlink:href="http://api.openstack.org/api-ref.html#os-images-2.0"> OpenStack
|
||||
API</link> or the <link
|
||||
xlink:href="http://docs.openstack.org/developer/python-glanceclient/"> Python
|
||||
API</link>.</para>
|
||||
<para>The OpenStack Image Service can be controlled using a command-line tool. For more
|
||||
information about the using OpenStack Image command-line tool, see the <link
|
||||
xlink:href="http://docs.openstack.org/user-guide/content/cli_manage_images.html"> Manage
|
||||
Images</link> section in the <citetitle>OpenStack End User Guide</citetitle>.</para>
|
||||
<para>Virtual images that have been made available through the Image Service can be stored
|
||||
in a variety of ways. In order to use these services, you must have a working installation
|
||||
of the Image Service, with a working endpoint, and users that have been created in OpenStack
|
||||
Identity. Additionally, you must meet the environment variables required by the Compute and
|
||||
Image Service clients.</para>
|
||||
<para>The Image Service supports these back end stores:</para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>File system</term>
|
||||
<listitem>
|
||||
<para>The OpenStack Image Service stores virtual machine images in the file
|
||||
system back end by default. This simple back end writes image files to the local
|
||||
file system.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>Object Storage service</term>
|
||||
<listitem>
|
||||
<para>The OpenStack highly available service for storing objects.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>S3</term>
|
||||
<listitem>
|
||||
<para>The Amazon S3 service.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>HTTP</term>
|
||||
<listitem>
|
||||
<para>OpenStack Image Service can read virtual
|
||||
machine images that are available on the
|
||||
internet using HTTP. This store is read
|
||||
only.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>Rados block device (RBD)</term>
|
||||
<listitem>
|
||||
<para>Stores images inside of a Ceph storage
|
||||
cluster using Ceph's RBD interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>GridFS</term>
|
||||
<listitem>
|
||||
<para>Stores images using MongoDB.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</section>
|
@ -0,0 +1,144 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<section xml:id="section_compute-images-and-instances"
|
||||
xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
version="5.0">
|
||||
<title>Images and instances</title>
|
||||
<para>Disk images provide templates for virtual machine file
|
||||
systems. The Image Service manages storage and management
|
||||
of images.</para>
|
||||
<para>Instances are the individual virtual machines that run
|
||||
on physical compute nodes. Users can launch any number of
|
||||
instances from the same image. Each launched instance runs
|
||||
from a copy of the base image so that any changes made to
|
||||
the instance do not affect the base image. You can take
|
||||
snapshots of running instances to create an image based on
|
||||
the current disk state of a particular instance. The
|
||||
Compute services manages instances.</para>
|
||||
<para>When you launch an instance, you must choose a <literal>flavor</literal>, which represents
|
||||
a set of virtual resources. Flavors define how many virtual CPUs an instance has and the
|
||||
amount of RAM and size of its ephemeral disks. OpenStack provides a number of predefined
|
||||
flavors that you can edit or add to. Users must select from the set of available flavors
|
||||
defined on their cloud.</para>
|
||||
<note><itemizedlist>
|
||||
<listitem>
|
||||
<para>For more information about creating and troubleshooting images, see the
|
||||
<link
|
||||
xlink:href="http://docs.openstack.org/image-guide/content/"
|
||||
><citetitle>OpenStack Virtual Machine Image Guide</citetitle></link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>For more information about image configuration options, see the <link
|
||||
xlink:href="http://docs.openstack.org/trunk/config-reference/content/ch_configuring-openstack-image-service.html"
|
||||
>Image Services</link> section of the <citetitle>OpenStack Configuration
|
||||
Reference</citetitle>.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>For more information about flavors, see <xref linkend="customize-flavors"/> or the <link
|
||||
xlink:href="http://docs.openstack.org/trunk/openstack-ops/content/flavors.html"
|
||||
>Flavors</link> section in the <citetitle>OpenStack Operations
|
||||
Guide</citetitle>.</para>
|
||||
</listitem>
|
||||
</itemizedlist></note>
|
||||
<para>You can add and remove additional resources from running
|
||||
instances, such as persistent volume storage, or public IP
|
||||
addresses. The example used in this chapter is of a
|
||||
typical virtual system within an OpenStack cloud. It uses
|
||||
the <systemitem class="service">cinder-volume</systemitem>
|
||||
service, which provides persistent block storage, instead
|
||||
of the ephemeral storage provided by the selected instance
|
||||
flavor.</para>
|
||||
<para>This diagram shows the system state prior to launching an instance. The image store,
|
||||
fronted by the Image service (glance) has a number of predefined images. Inside the cloud, a
|
||||
compute node contains the available vCPU, memory, and local disk resources. Additionally,
|
||||
the <systemitem class="service">cinder-volume</systemitem> service provides a number of
|
||||
predefined volumes.</para>
|
||||
<figure xml:id="initial-instance-state-figure">
|
||||
<title>Base image state with no running instances</title>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata
|
||||
fileref="../../common/figures/instance-life-1.png"
|
||||
/>
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure>
|
||||
<para>To launch an instance, select an image, a flavor, and
|
||||
other optional attributes. The selected flavor provides a
|
||||
root volume, labeled <literal>vda</literal> in this
|
||||
diagram, and additional ephemeral storage, labeled
|
||||
<literal>vdb</literal>. In this example, the
|
||||
<systemitem class="service">cinder-volume</systemitem>
|
||||
store is mapped to the third virtual disk on this
|
||||
instance, <literal>vdc</literal>.</para>
|
||||
<figure xml:id="run-instance-state-figure">
|
||||
<title>Instance creation from image and runtime
|
||||
state</title>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata
|
||||
fileref="../../common/figures/instance-life-2.png"
|
||||
/>
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure>
|
||||
<para>The base image is copied from the image store to the
|
||||
local disk. The local disk is the first disk that the
|
||||
instance accesses, and is labeled <literal>vda</literal>.
|
||||
By using smaller images, your instances start up faster as
|
||||
less data needs to be copied across the network.</para>
|
||||
<para>A new empty disk, labeled <literal>vdb</literal> is also
|
||||
created. This is an empty ephemeral disk, which is
|
||||
destroyed when you delete the instance.</para>
|
||||
<para>The compute node is attached to the <systemitem
|
||||
class="service">cinder-volume</systemitem> using
|
||||
iSCSI, and maps to the third disk, <literal>vdc</literal>.
|
||||
The vCPU and memory resources are provisioned and the
|
||||
instance is booted from <literal>vda</literal>. The
|
||||
instance runs and changes data on the disks as indicated
|
||||
in red in the diagram.
|
||||
<!--This isn't very accessible, need to consider rewording to explain more fully. LKB -->
|
||||
</para>
|
||||
<note>
|
||||
<para>Some of the details in this example scenario might be different in your
|
||||
environment. For example, you might use a different type of back-end storage or
|
||||
different network protocols. One common variant is that the ephemeral storage used for
|
||||
volumes <literal>vda</literal> and <literal>vdb</literal> could be backed by network
|
||||
storage rather than a local disk.</para>
|
||||
</note>
|
||||
<para>When the instance is deleted, the state is reclaimed with the exception of the
|
||||
persistent volume. The ephemeral storage is purged; memory and vCPU resources are released.
|
||||
The image remains unchanged throughout.</para>
|
||||
<figure xml:id="end-instance-state-figure">
|
||||
<title>End state of image and volume after instance
|
||||
exits</title>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata
|
||||
fileref="../../common/figures/instance-life-3.png"
|
||||
/>
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure>
|
||||
<xi:include href="section_compute-image-mgt.xml"/>
|
||||
<xi:include href="../image/section_glance-property-protection.xml"/>
|
||||
<xi:include href="section_compute-instance-building-blocks.xml"/>
|
||||
<xi:include href="section_compute-instance-mgt-tools.xml"/>
|
||||
<section xml:id="section_instance-scheduling-constraints">
|
||||
<title>Control where instances run</title>
|
||||
<para>The <link
|
||||
xlink:href="http://docs.openstack.org/trunk/config-reference/content/">
|
||||
<citetitle>OpenStack Configuration Reference</citetitle></link>
|
||||
provides detailed information on controlling where your
|
||||
instances run, including ensuring a set of instances run
|
||||
on different compute nodes for service resiliency or on
|
||||
the same node for high performance inter-instance
|
||||
communications.</para>
|
||||
<para>Admin users can specify an exact compute node to run on
|
||||
using the command <command>--availability-zone
|
||||
<replaceable>availability-zone</replaceable>:<replaceable>compute-host</replaceable></command>
|
||||
</para>
|
||||
</section>
|
||||
</section>
|
@ -0,0 +1,74 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<section xml:id="section_compute-instance-building-blocks"
|
||||
xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
version="5.0">
|
||||
<title>Instance building blocks</title>
|
||||
<para>In OpenStack, the base operating system is usually copied from an image stored in the
|
||||
OpenStack Image Service. This is the most common case and results in an ephemeral instance
|
||||
that starts from a known template state and loses all accumulated states on shutdown.</para>
|
||||
<para>You can also put an operating system on a persistent volume in Compute or the Block
|
||||
Storage volume system. This gives a more traditional, persistent system that accumulates
|
||||
states, which are preserved across restarts. To get a list of available images on your
|
||||
system, run:
|
||||
<screen><prompt>$</prompt> <userinput>nova image-list</userinput>
|
||||
<?db-font-size 50%?><computeroutput>+--------------------------------------+-------------------------------+--------+--------------------------------------+
|
||||
| ID | Name | Status | Server |
|
||||
+--------------------------------------+-------------------------------+--------+--------------------------------------+
|
||||
| aee1d242-730f-431f-88c1-87630c0f07ba | Ubuntu 12.04 cloudimg amd64 | ACTIVE | |
|
||||
| 0b27baa1-0ca6-49a7-b3f4-48388e440245 | Ubuntu 12.10 cloudimg amd64 | ACTIVE | |
|
||||
| df8d56fc-9cea-4dfd-a8d3-28764de3cb08 | jenkins | ACTIVE | |
|
||||
+--------------------------------------+-------------------------------+--------+--------------------------------------+</computeroutput></screen>
|
||||
</para>
|
||||
<para>The displayed image attributes are:</para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><literal>ID</literal></term>
|
||||
<listitem>
|
||||
<para>Automatically generated UUID of the image.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><literal>Name</literal></term>
|
||||
<listitem>
|
||||
<para>Free form, human-readable name for image.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><literal>Status</literal></term>
|
||||
<listitem>
|
||||
<para>The status of the image. Images marked
|
||||
<literal>ACTIVE</literal> are available
|
||||
for use.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><literal>Server</literal></term>
|
||||
<listitem>
|
||||
<para>For images that are created as snapshots of
|
||||
running instances, this is the UUID of the
|
||||
instance the snapshot derives from. For
|
||||
uploaded images, this field is blank.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
<para>Virtual hardware templates are called <literal>flavors</literal>. The default
|
||||
installation provides five flavors. By default, these are configurable by administrative
|
||||
users. However, you can change this behavior by redefining the access controls for
|
||||
<parameter>compute_extension:flavormanage</parameter> in
|
||||
<filename>/etc/nova/policy.json</filename> on the <filename>compute-api</filename>
|
||||
server.</para>
|
||||
<para>For a list of flavors that are available on your system, run:</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova flavor-list</userinput>
|
||||
<computeroutput>+----+-----------+-----------+------+-----------+------+-------+-------------+
|
||||
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor |
|
||||
+----+-----------+-----------+------+-----------+------+-------+-------------+
|
||||
| 1 | m1.tiny | 512 | 1 | N/A | 0 | 1 | |
|
||||
| 2 | m1.small | 2048 | 20 | N/A | 0 | 1 | |
|
||||
| 3 | m1.medium | 4096 | 40 | N/A | 0 | 2 | |
|
||||
| 4 | m1.large | 8192 | 80 | N/A | 0 | 4 | |
|
||||
| 5 | m1.xlarge | 16384 | 160 | N/A | 0 | 8 | |
|
||||
+----+-----------+-----------+------+-----------+------+-------+-------------+
|
||||
</computeroutput></screen>
|
||||
</section>
|
@ -0,0 +1,44 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<section xml:id="section_instance-mgmt"
|
||||
xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
version="5.0">
|
||||
<title>Instance management tools</title>
|
||||
<para>OpenStack provides command-line, web-based, and
|
||||
API-based instance management tools. Additionally, a
|
||||
number of third-party management tools are available,
|
||||
using either the native API or the provided EC2-compatible
|
||||
API.</para>
|
||||
<para>The OpenStack
|
||||
<application>python-novaclient</application> package
|
||||
provides a basic command-line utility, which uses the
|
||||
<command>nova</command> command. This is available as
|
||||
a native package for most Linux distributions, or you can
|
||||
install the latest version using the
|
||||
<application>pip</application> python package
|
||||
installer:</para>
|
||||
<screen><prompt>#</prompt> <userinput>pip install python-novaclient</userinput></screen>
|
||||
<para>For more information about
|
||||
<application>python-novaclient</application> and other
|
||||
available command-line tools, see the <link
|
||||
xlink:href="http://docs.openstack.org/user-guide/content/index.html">
|
||||
<citetitle>OpenStack End User
|
||||
Guide</citetitle></link>.</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova --debug list</userinput>
|
||||
<?db-font-size 75%?><computeroutput>connect: (10.0.0.15, 5000)
|
||||
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: 10.0.0.15:5000\r\nContent-Length: 116\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n{"auth": {"tenantName": "demoproject", "passwordCredentials": {"username": "demouser", "password": "demopassword"}}}'
|
||||
reply: 'HTTP/1.1 200 OK\r\n'
|
||||
header: Content-Type: application/json
|
||||
header: Vary: X-Auth-Token
|
||||
header: Date: Thu, 13 Sep 2012 20:27:36 GMT
|
||||
header: Transfer-Encoding: chunked
|
||||
connect: (128.52.128.15, 8774)
|
||||
send: u'GET /v2/fa9dccdeadbeef23ae230969587a14bf/servers/detail HTTP/1.1\r\nHost: 10.0.0.15:8774\r\nx-auth-project-id: demoproject\r\nx-auth-token: deadbeef9998823afecc3d552525c34c\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
|
||||
reply: 'HTTP/1.1 200 OK\r\n'
|
||||
header: X-Compute-Request-Id: req-bf313e7d-771a-4c0b-ad08-c5da8161b30f
|
||||
header: Content-Type: application/json
|
||||
header: Content-Length: 15
|
||||
header: Date: Thu, 13 Sep 2012 20:27:36 GMT
|
||||
!!removed matrix for validation!! </computeroutput></screen>
|
||||
</section>
|
@ -0,0 +1,815 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<section xml:id="section_networking-nova"
|
||||
xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
version="5.0">
|
||||
<title>Networking with nova-network</title>
|
||||
<para>Understanding the networking configuration options helps
|
||||
you design the best configuration for your Compute
|
||||
instances.</para>
|
||||
<para>You can choose to either install and configure <systemitem class="service"
|
||||
>nova-network</systemitem> for networking between VMs or use the OpenStack Networking
|
||||
service (neutron) for networking. To configure Compute networking options with OpenStack
|
||||
Networking, see the <xref linkend="ch_networking"/>.</para>
|
||||
<section xml:id="section_networking-options">
|
||||
<title>Networking concepts</title>
|
||||
<para>This section offers a brief overview of networking concepts for Compute.</para>
|
||||
<para>Compute assigns a private IP address to each VM instance. (Currently, Compute with
|
||||
<systemitem class="service">nova-network</systemitem> only supports Linux bridge
|
||||
networking that enables the virtual interfaces to connect to the outside network through
|
||||
the physical interface.) Compute makes a distinction between <emphasis role="italic"
|
||||
>fixed IPs</emphasis> and <emphasis role="italic">floating IPs</emphasis>. Fixed IPs
|
||||
are IP addresses that are assigned to an instance on creation and stay the same until
|
||||
the instance is explicitly terminated. By contrast, floating IPs are addresses that can
|
||||
be dynamically associated with an instance. A floating IP address can be disassociated
|
||||
and associated with another instance at any time. A user can reserve a floating IP for
|
||||
their project.</para>
|
||||
<para>The network controller with <systemitem class="service">nova-network</systemitem>
|
||||
provides virtual networks to enable compute servers to interact with each other and with
|
||||
the public network. Compute with <systemitem class="service">nova-network</systemitem>
|
||||
supports the following network modes, which are implemented as “Network Manager”
|
||||
types.</para>
|
||||
<variablelist>
|
||||
<varlistentry><term>Flat Network Manager</term>
|
||||
<listitem><para>In <emphasis role="bold">Flat</emphasis> mode, a network administrator specifies a subnet. IP
|
||||
addresses for VM instances are assigned from the subnet, and then injected
|
||||
into the image on launch. Each instance receives a fixed IP address from the
|
||||
pool of available addresses. A system administrator must create the Linux
|
||||
networking bridge (typically named <literal>br100</literal>, although this
|
||||
is configurable) on the systems running the <systemitem class="service"
|
||||
>nova-network</systemitem> service. All instances of the system are
|
||||
attached to the same bridge, and this is configured manually by the network
|
||||
administrator.</para>
|
||||
<note>
|
||||
<para>Configuration injection currently only works on Linux-style
|
||||
systems that keep networking configuration in
|
||||
<filename>/etc/network/interfaces</filename>.</para>
|
||||
</note></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry><term>Flat DHCP Network Manager</term>
|
||||
<listitem><para>In <emphasis role="bold">FlatDHCP</emphasis> mode, OpenStack starts a DHCP server
|
||||
(<systemitem>dnsmasq</systemitem>) to allocate IP addresses to VM
|
||||
instances from the specified subnet, in addition to manually configuring the
|
||||
networking bridge. IP addresses for VM instances are assigned from a subnet
|
||||
specified by the network administrator.</para>
|
||||
<para>Like Flat Mode, all instances are attached to a single bridge on the
|
||||
compute node. Additionally, a DHCP server is running to configure instances
|
||||
(depending on single-/multi-host mode, alongside each <systemitem
|
||||
class="service">nova-network</systemitem>). In this mode, Compute does a
|
||||
bit more configuration in that it attempts to bridge into an ethernet device
|
||||
(<literal>flat_interface</literal>, eth0 by default). For every
|
||||
instance, Compute allocates a fixed IP address and configures dnsmasq with
|
||||
the MAC/IP pair for the VM. Dnsmasq does not take part in the IP address
|
||||
allocation process, it only hands out IPs according to the mapping done by
|
||||
Compute. Instances receive their fixed IPs by doing a
|
||||
<command>dhcpdiscover</command>. These IPs are <emphasis role="italic"
|
||||
>not</emphasis> assigned to any of the host's network interfaces, only
|
||||
to the VM's guest-side interface.</para>
|
||||
<para>In any setup with flat networking, the hosts providing the <systemitem
|
||||
class="service">nova-network</systemitem> service are responsible for
|
||||
forwarding traffic from the private network. They also run and configure
|
||||
<systemitem>dnsmasq</systemitem> as a DHCP server listening on this
|
||||
bridge, usually on IP address 10.0.0.1 (see <link linkend="section_dnsmasq"
|
||||
>DHCP server: dnsmasq </link>). Compute can determine the NAT entries
|
||||
for each network, although sometimes NAT is not used, such as when
|
||||
configured with all public IPs or a hardware router is used (one of the HA
|
||||
options). Such hosts need to have <literal>br100</literal> configured and
|
||||
physically connected to any other nodes that are hosting VMs. You must set
|
||||
the <literal>flat_network_bridge</literal> option or create networks with
|
||||
the bridge parameter in order to avoid raising an error. Compute nodes have
|
||||
iptables/ebtables entries created for each project and instance to protect
|
||||
against IP/MAC address spoofing and ARP poisoning.</para>
|
||||
<note>
|
||||
<para>In single-host Flat DHCP mode you <emphasis role="italic"
|
||||
>will</emphasis> be able to ping VMs through their fixed IP from the
|
||||
<systemitem>nova-network</systemitem> node, but you <emphasis
|
||||
role="italic">cannot</emphasis> ping them from the compute nodes.
|
||||
This is expected behavior.</para>
|
||||
</note></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry><term>VLAN Network Manager</term>
|
||||
<listitem><para><emphasis role="bold">VLANManager</emphasis> mode is the default mode for OpenStack Compute.
|
||||
In this mode, Compute creates a VLAN and bridge for each tenant. For
|
||||
multiple-machine installation, the VLAN Network Mode requires a switch that
|
||||
supports VLAN tagging (IEEE 802.1Q). The tenant gets a range of private IPs
|
||||
that are only accessible from inside the VLAN. In order for a user to access
|
||||
the instances in their tenant, a special VPN instance (code named cloudpipe)
|
||||
needs to be created. Compute generates a certificate and key for the user to
|
||||
access the VPN and starts the VPN automatically. It provides a private
|
||||
network segment for each tenant's instances that can be accessed through a
|
||||
dedicated VPN connection from the Internet. In this mode, each tenant gets
|
||||
its own VLAN, Linux networking bridge, and subnet.</para>
|
||||
<para>The subnets are specified by the network administrator, and are
|
||||
assigned dynamically to a tenant when required. A DHCP Server is started for
|
||||
each VLAN to pass out IP addresses to VM instances from the subnet assigned
|
||||
to the tenant. All instances belonging to one tenant are bridged into the
|
||||
same VLAN for that tenant. OpenStack Compute creates the Linux networking
|
||||
bridges and VLANs when required.</para></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
<para>These network managers can co-exist in a cloud system. However, because you cannot
|
||||
select the type of network for a given tenant, you cannot configure multiple network
|
||||
types in a single Compute installation.</para>
|
||||
<para>All network managers configure the network using <emphasis role="italic">network
|
||||
drivers</emphasis>. For example, the Linux L3 driver (<literal>l3.py</literal> and
|
||||
<literal>linux_net.py</literal>), which makes use of <literal>iptables</literal>,
|
||||
<literal>route</literal> and other network management facilities, and libvirt's
|
||||
<link xlink:href="http://libvirt.org/formatnwfilter.html">network filtering
|
||||
facilities</link>. The driver is not tied to any particular network manager; all
|
||||
network managers use the same driver. The driver usually initializes (creates bridges
|
||||
and so on) only when the first VM lands on this host node.</para>
|
||||
<para>All network managers operate in either <emphasis role="italic">single-host</emphasis>
|
||||
or <emphasis role="italic">multi-host</emphasis> mode. This choice greatly influences
|
||||
the network configuration. In single-host mode, a single <systemitem class="service"
|
||||
>nova-network</systemitem> service provides a default gateway for VMs and hosts a
|
||||
single DHCP server (<systemitem>dnsmasq</systemitem>). In multi-host mode, each compute
|
||||
node runs its own <systemitem class="service">nova-network</systemitem> service. In both
|
||||
cases, all traffic between VMs and the outer world flows through <systemitem
|
||||
class="service">nova-network</systemitem>. Each mode has its pros and cons (see the
|
||||
<citetitle>Network Topology</citetitle> section in the <link
|
||||
xlink:href="http://docs.openstack.org/trunk/openstack-ops/content/"
|
||||
><citetitle>OpenStack Operations Guide</citetitle></link>.</para>
|
||||
<note>
|
||||
<para>All networking options require network connectivity to be already set up
|
||||
between OpenStack physical nodes. OpenStack does not configure any physical network
|
||||
interfaces. All network managers automatically create VM virtual interfaces. Some,
|
||||
but not all, managers create network bridges such as
|
||||
<literal>br100</literal>.</para>
|
||||
<para>All machines must have a <emphasis role="italic"
|
||||
>public</emphasis> and <emphasis role="italic"
|
||||
>internal</emphasis> network interface
|
||||
(controlled by the options:
|
||||
<literal>public_interface</literal> for the
|
||||
public interface, and
|
||||
<literal>flat_interface</literal> and
|
||||
<literal>vlan_interface</literal> for the
|
||||
internal interface with flat / VLAN managers).
|
||||
This guide refers to the public network as the
|
||||
external network and the private network as the
|
||||
internal or tenant network.</para>
|
||||
<para>The internal network interface is used for communication with VMs; the
|
||||
interface should not have an IP address attached to it before OpenStack installation
|
||||
(it serves merely as a fabric where the actual endpoints are VMs and dnsmasq). Also,
|
||||
you must put the internal network interface in <emphasis role="italic">promiscuous
|
||||
mode</emphasis>, because it must receive packets whose target MAC address is of
|
||||
the guest VM, not of the host.</para>
|
||||
<para>Throughout this documentation, the public
|
||||
network is sometimes referred to as the external
|
||||
network, while the internal network is also
|
||||
sometimes referred to as the private network or
|
||||
tenant network.</para>
|
||||
</note>
|
||||
<para>For flat and flat DHCP modes, use the following command to create a network:</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova network-create vmnet \
|
||||
--fixed-range-v4=10.0.0.0/24 --fixed-cidr=10.20.0.0/16 --bridge=br100</userinput></screen>
|
||||
<para>Where:<itemizedlist>
|
||||
<listitem>
|
||||
<para><option>--fixed-range-v4-</option> specifies the network subnet.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><option>--fixed-cidr</option> specifies a range of fixed IP addresses to
|
||||
allocate, and can be a subset of the <option>--fixed-range-v4</option>
|
||||
argument.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><option>--bridge</option> specifies the bridge device to which this
|
||||
network is connected on every compute node.</para>
|
||||
</listitem>
|
||||
</itemizedlist></para>
|
||||
</section>
|
||||
<section xml:id="section_dnsmasq">
|
||||
<title>DHCP server: dnsmasq</title>
|
||||
<para>The Compute service uses <link
|
||||
xlink:href="http://www.thekelleys.org.uk/dnsmasq/doc.html">dnsmasq</link> as the
|
||||
DHCP server when running with either that Flat DHCP Network Manager or the VLAN Network
|
||||
Manager. The <systemitem class="service">nova-network</systemitem> service is
|
||||
responsible for starting up <systemitem>dnsmasq</systemitem> processes.</para>
|
||||
<para>The behavior of <systemitem>dnsmasq</systemitem> can be customized by creating a
|
||||
<systemitem>dnsmasq</systemitem> configuration file. Specify the configuration file
|
||||
using the <literal>dnsmasq_config_file</literal> configuration option. For
|
||||
example:</para>
|
||||
<programlisting language="ini">dnsmasq_config_file=/etc/dnsmasq-nova.conf</programlisting>
|
||||
<para>For an example of how to change the behavior of <systemitem>dnsmasq</systemitem>
|
||||
using a <systemitem>dnsmasq</systemitem> configuration file, see the <link
|
||||
xlink:href="http://docs.openstack.org/trunk/config-reference/content/"
|
||||
><citetitle>OpenStack Configuration Reference</citetitle></link>.
|
||||
The <systemitem>dnsmasq</systemitem> documentation also has a more comprehensive <link
|
||||
xlink:href="http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq.conf.example">dnsmasq
|
||||
configuration file example</link>.</para>
|
||||
<para><systemitem>dnsmasq</systemitem> also acts as a caching DNS server for instances.
|
||||
You can explicitly specify the DNS server that <systemitem>dnsmasq</systemitem> should
|
||||
use by setting the <literal>dns_server</literal> configuration option in
|
||||
<filename>/etc/nova/nova.conf</filename>. The following example would configure
|
||||
<systemitem>dnsmasq</systemitem> to use Google's public DNS server:</para>
|
||||
<programlisting language="ini">dns_server=8.8.8.8</programlisting>
|
||||
<para>Logging output for <systemitem>dnsmasq</systemitem> goes to the
|
||||
<systemitem>syslog</systemitem> (typically <filename>/var/log/syslog</filename> or
|
||||
<filename>/var/log/messages</filename>, depending on Linux distribution).
|
||||
<systemitem>dnsmasq</systemitem> logging output can be useful for troubleshooting if
|
||||
VM instances boot successfully but are not reachable over the network.</para>
|
||||
<para>A network administrator can run <code>nova-manage
|
||||
fixed reserve
|
||||
--address=<replaceable>x.x.x.x</replaceable></code>
|
||||
to specify the starting point IP address (x.x.x.x) to
|
||||
reserve with the DHCP server. This reservation only
|
||||
affects which IP address the VMs start at, not the
|
||||
fixed IP addresses that the <systemitem
|
||||
class="service">nova-network</systemitem> service
|
||||
places on the bridges.</para>
|
||||
</section>
|
||||
<xi:include href="section_compute-configure-ipv6.xml"/>
|
||||
<section xml:id="section_metadata-service">
|
||||
<title>Metadata service</title>
|
||||
<simplesect>
|
||||
<title>Introduction</title>
|
||||
<para>The Compute service uses a special metadata
|
||||
service to enable virtual machine instances to
|
||||
retrieve instance-specific data. Instances access
|
||||
the metadata service at
|
||||
<literal>http://169.254.169.254</literal>. The
|
||||
metadata service supports two sets of APIs: an
|
||||
OpenStack metadata API and an EC2-compatible API.
|
||||
Each of the APIs is versioned by date.</para>
|
||||
<para>To retrieve a list of supported versions for the
|
||||
OpenStack metadata API, make a GET request to
|
||||
<literal>http://169.254.169.254/openstack</literal>
|
||||
For example:</para>
|
||||
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/openstack</userinput>
|
||||
<computeroutput>2012-08-10
|
||||
latest</computeroutput></screen>
|
||||
<para>To list supported versions for the
|
||||
EC2-compatible metadata API, make a GET request to
|
||||
<literal>http://169.254.169.254</literal>.</para>
|
||||
<para>For example:</para>
|
||||
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254</userinput>
|
||||
<computeroutput>1.0
|
||||
2007-01-19
|
||||
2007-03-01
|
||||
2007-08-29
|
||||
2007-10-10
|
||||
2007-12-15
|
||||
2008-02-01
|
||||
2008-09-01
|
||||
2009-04-04
|
||||
latest</computeroutput></screen>
|
||||
<para>If you write a consumer for one of these APIs,
|
||||
always attempt to access the most recent API
|
||||
version supported by your consumer first, then
|
||||
fall back to an earlier version if the most recent
|
||||
one is not available.</para>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>OpenStack metadata API</title>
|
||||
<para>Metadata from the OpenStack API is distributed
|
||||
in JSON format. To retrieve the metadata, make a
|
||||
GET request to
|
||||
<literal>http://169.254.169.254/openstack/2012-08-10/meta_data.json</literal>.</para>
|
||||
<para>For example:</para>
|
||||
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/openstack/2012-08-10/meta_data.json</userinput></screen>
|
||||
<programlisting language="json"><xi:include href="../../common/samples/list_metadata.json" parse="text"/></programlisting>
|
||||
<para>Instances also retrieve user data (passed as the
|
||||
<literal>user_data</literal> parameter in the
|
||||
API call or by the <literal>--user_data</literal>
|
||||
flag in the <command>nova boot</command> command)
|
||||
through the metadata service, by making a GET
|
||||
request to
|
||||
<literal>http://169.254.169.254/openstack/2012-08-10/user_data</literal>.</para>
|
||||
<para>For example:</para>
|
||||
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/openstack/2012-08-10/user_data</userinput>
|
||||
<computeroutput>#!/bin/bash
|
||||
echo 'Extra user data here'</computeroutput></screen>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>EC2 metadata API</title>
|
||||
<para>The metadata service has an API that is
|
||||
compatible with version 2009-04-04 of the <link
|
||||
xlink:href="http://docs.amazonwebservices.com/AWSEC2/2009-04-04/UserGuide/AESDG-chapter-instancedata.html"
|
||||
>Amazon EC2 metadata service</link>; virtual
|
||||
machine images that are designed for EC2 work
|
||||
properly with OpenStack.</para>
|
||||
<para>The EC2 API exposes a separate URL for each
|
||||
metadata. You can retrieve a listing of these
|
||||
elements by making a GET query to
|
||||
<literal>http://169.254.169.254/2009-04-04/meta-data/</literal></para>
|
||||
<para>For example:</para>
|
||||
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/</userinput>
|
||||
<computeroutput>ami-id
|
||||
ami-launch-index
|
||||
ami-manifest-path
|
||||
block-device-mapping/
|
||||
hostname
|
||||
instance-action
|
||||
instance-id
|
||||
instance-type
|
||||
kernel-id
|
||||
local-hostname
|
||||
local-ipv4
|
||||
placement/
|
||||
public-hostname
|
||||
public-ipv4
|
||||
public-keys/
|
||||
ramdisk-id
|
||||
reservation-id
|
||||
security-groups</computeroutput></screen>
|
||||
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/block-device-mapping/</userinput>
|
||||
<computeroutput>ami</computeroutput></screen>
|
||||
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/placement/</userinput>
|
||||
<computeroutput>availability-zone</computeroutput></screen>
|
||||
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/public-keys/</userinput>
|
||||
<computeroutput>0=mykey</computeroutput></screen>
|
||||
<para>Instances can retrieve the public SSH key
|
||||
(identified by keypair name when a user requests a
|
||||
new instance) by making a GET request to
|
||||
<literal>http://169.254.169.254/2009-04-04/meta-data/public-keys/0/openssh-key</literal>.</para>
|
||||
<para>For example:</para>
|
||||
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/public-keys/0/openssh-key</userinput>
|
||||
<computeroutput>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDYVEprvtYJXVOBN0XNKVVRNCRX6BlnNbI+USLGais1sUWPwtSg7z9K9vhbYAPUZcq8c/s5S9dg5vTHbsiyPCIDOKyeHba4MUJq8Oh5b2i71/3BISpyxTBH/uZDHdslW2a+SrPDCeuMMoss9NFhBdKtDkdG9zyi0ibmCP6yMdEX8Q== Generated by Nova</computeroutput></screen>
|
||||
<para>Instances can retrieve user data by making a GET
|
||||
request to
|
||||
<literal>http://169.254.169.254/2009-04-04/user-data</literal>.</para>
|
||||
<para>For example:</para>
|
||||
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/user-data</userinput>
|
||||
<computeroutput>#!/bin/bash
|
||||
echo 'Extra user data here'</computeroutput></screen>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>Run the metadata service</title>
|
||||
<para>The metadata service is implemented by either the <systemitem class="service"
|
||||
>nova-api</systemitem> service or the <systemitem class="service"
|
||||
>nova-api-metadata</systemitem> service. (The <systemitem class="service"
|
||||
>nova-api-metadata</systemitem> service is generally only used when running in
|
||||
multi-host mode, it retrieves instance-specific metadata). If you are running the
|
||||
<systemitem class="service">nova-api</systemitem> service, you must have
|
||||
<literal>metadata</literal> as one of the elements of the list of the
|
||||
<literal>enabled_apis</literal> configuration option in
|
||||
<filename>/etc/nova/nova.conf</filename>. The default
|
||||
<literal>enabled_apis</literal> configuration setting includes the metadata
|
||||
service, so you should not need to modify it.</para>
|
||||
<para>Hosts access the service at <literal>169.254.169.254:80</literal>, and this is
|
||||
translated to <literal>metadata_host:metadata_port</literal> by an iptables rule
|
||||
established by the <systemitem class="service">nova-network</systemitem> servce. In
|
||||
multi-host mode, you can set <option>metadata_host</option> to
|
||||
<literal>127.0.0.1</literal>.</para>
|
||||
<para>To enable instances to reach the metadata
|
||||
service, the <systemitem class="service"
|
||||
>nova-network</systemitem> service configures
|
||||
iptables to NAT port <literal>80</literal> of the
|
||||
<literal>169.254.169.254</literal> address to
|
||||
the IP address specified in
|
||||
<option>metadata_host</option> (default
|
||||
<literal>$my_ip</literal>, which is the IP
|
||||
address of the <systemitem class="service"
|
||||
>nova-network</systemitem> service) and port
|
||||
specified in <option>metadata_port</option>
|
||||
(default <literal>8775</literal>) in
|
||||
<filename>/etc/nova/nova.conf</filename>.</para>
|
||||
<warning>
|
||||
<para>The <literal>metadata_host</literal>
|
||||
configuration option must be an IP address,
|
||||
not a host name.</para>
|
||||
</warning>
|
||||
<note>
|
||||
<para>The default Compute service settings assume
|
||||
that the <systemitem class="service"
|
||||
>nova-network</systemitem> service and the
|
||||
<systemitem class="service"
|
||||
>nova-api</systemitem> service are running
|
||||
on the same host. If this is not the case, you
|
||||
must make this change in the
|
||||
<filename>/etc/nova/nova.conf</filename>
|
||||
file on the host running the <systemitem
|
||||
class="service">nova-network</systemitem>
|
||||
service:</para>
|
||||
<para>Set the <literal>metadata_host</literal>
|
||||
configuration option to the IP address of the
|
||||
host where the <systemitem class="service"
|
||||
>nova-api</systemitem> service
|
||||
runs.</para>
|
||||
</note>
|
||||
<xi:include href="../../common/tables/nova-metadata.xml"
|
||||
/>
|
||||
</simplesect>
|
||||
</section>
|
||||
<section xml:id="section_enable-ping-and-ssh-on-vms">
|
||||
<title>Enable ping and SSH on VMs</title>
|
||||
<para>Be sure you enable access to your VMs by using the
|
||||
<command>euca-authorize</command> or <command>nova
|
||||
secgroup-add-rule</command> command. These
|
||||
commands enable you to <command>ping</command> and
|
||||
<command>ssh</command> to your VMs:</para>
|
||||
<note>
|
||||
<para>You must run these commands as root only if the
|
||||
credentials used to interact with <systemitem
|
||||
class="service">nova-api</systemitem> are in
|
||||
<filename>/root/.bashrc</filename>. If the EC2
|
||||
credentials are the <filename>.bashrc</filename>
|
||||
file for another user, you must run these commands
|
||||
as the user.</para>
|
||||
</note>
|
||||
<para>Run <command>nova</command> commands:</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0</userinput>
|
||||
<prompt>$</prompt> <userinput>nova secgroup-add-rule default tcp 22 22 0.0.0.0/0</userinput> </screen>
|
||||
<para>Using euca2ools:</para>
|
||||
<screen><prompt>$</prompt> <userinput>euca-authorize -P icmp -t -1:-1 -s 0.0.0.0/0 default</userinput>
|
||||
<prompt>$</prompt> <userinput>euca-authorize -P tcp -p 22 -s 0.0.0.0/0 default</userinput> </screen>
|
||||
<para>If you still cannot ping or SSH your instances after issuing the <command>nova
|
||||
secgroup-add-rule</command> commands, look at the number of
|
||||
<literal>dnsmasq</literal> processes that are running. If you have a running
|
||||
instance, check to see that TWO <literal>dnsmasq</literal> processes are running. If
|
||||
not, perform the following commands as root:</para>
|
||||
<screen><prompt>#</prompt> <userinput>killall dnsmasq</userinput>
|
||||
<prompt>#</prompt> <userinput>service nova-network restart</userinput> </screen>
|
||||
</section>
|
||||
<section xml:id="nova-associate-public-ip">
|
||||
<title>Configure public (floating) IP addresses</title>
|
||||
<?dbhtml stop-chunking?>
|
||||
<para>If you are using Compute's <systemitem class="service">nova-network</systemitem>
|
||||
instead of OpenStack Networking (neutron) for networking in OpenStack, use procedures in
|
||||
this section to configure floating IP addresses. For instructions on how to configure
|
||||
OpenStack Networking (neutron) to provide access to instances through floating IP
|
||||
addresses, see <xref linkend="section_l3_router_and_nat"/>.</para>
|
||||
<section xml:id="private-and-public-IP-addresses">
|
||||
<title>Private and public IP addresses</title>
|
||||
<para>Every virtual instance is automatically assigned
|
||||
a private IP address. You can optionally assign
|
||||
public IP addresses to instances. The term
|
||||
<glossterm baseform="floating IP address"
|
||||
>floating IP</glossterm> refers to an IP
|
||||
address, typically public, that you can
|
||||
dynamically add to a running virtual instance.
|
||||
OpenStack Compute uses Network Address Translation
|
||||
(NAT) to assign floating IPs to virtual
|
||||
instances.</para>
|
||||
<para>If you plan to use this feature, you must add
|
||||
edit the <filename>/etc/nova/nova.conf</filename>
|
||||
file to specify to which interface the <systemitem
|
||||
class="service">nova-network</systemitem>
|
||||
service binds public IP addresses, as
|
||||
follows:</para>
|
||||
<programlisting language="ini">public_interface=<replaceable>vlan100</replaceable></programlisting>
|
||||
<para>If you make changes to the
|
||||
<filename>/etc/nova/nova.conf</filename> file
|
||||
while the <systemitem class="service"
|
||||
>nova-network</systemitem> service is running,
|
||||
you must restart the service.</para>
|
||||
<note>
|
||||
<title>Traffic between VMs using floating
|
||||
IPs</title>
|
||||
<para>Because floating IPs are implemented by using a source NAT (SNAT rule in
|
||||
iptables), security groups can display inconsistent behavior if VMs use their
|
||||
floating IP to communicate with other VMs, particularly on the same physical
|
||||
host. Traffic from VM to VM across the fixed network does not have this issue,
|
||||
and so this is the recommended path. To ensure that traffic does not get SNATed
|
||||
to the floating range, explicitly set:
|
||||
<programlisting language="ini">dmz_cidr=x.x.x.x/y</programlisting>The
|
||||
<literal>x.x.x.x/y</literal> value specifies the range of floating IPs for
|
||||
each pool of floating IPs that you define. If the VMs in the source group have
|
||||
floating IPs, this configuration is also required.</para>
|
||||
</note>
|
||||
</section>
|
||||
<section xml:id="Enabling_ip_forwarding">
|
||||
<title>Enable IP forwarding</title>
|
||||
<para>By default, IP forwarding is disabled on most
|
||||
Linux distributions. To use the floating IP
|
||||
feature, you must enable IP forwarding.</para>
|
||||
<note>
|
||||
<para>You must enable IP forwarding only on the nodes that run the <systemitem
|
||||
class="service">nova-network</systemitem> service. If you use
|
||||
<literal>multi_host</literal> mode, ensure that you enable it on all compute
|
||||
nodes. Otherwise, enable it on only the node that runs the <systemitem
|
||||
class="service">nova-network</systemitem> service.</para>
|
||||
</note>
|
||||
<para>To check whether forwarding is enabled, run:</para>
|
||||
<screen><prompt>$</prompt> <userinput>cat /proc/sys/net/ipv4/ip_forward</userinput>
|
||||
<computeroutput>0</computeroutput></screen>
|
||||
<para>Alternatively, you can run:</para>
|
||||
<screen><prompt>$</prompt> <userinput>sysctl net.ipv4.ip_forward</userinput>
|
||||
<computeroutput>net.ipv4.ip_forward = 0</computeroutput></screen>
|
||||
<para>In the previous example, IP forwarding is <emphasis role="bold"
|
||||
>disabled</emphasis>. To enable it dynamically, run:</para>
|
||||
<screen><prompt>#</prompt> <userinput>sysctl -w net.ipv4.ip_forward=1</userinput></screen>
|
||||
<para>Or:</para>
|
||||
<screen><prompt>#</prompt> <userinput>echo 1 > /proc/sys/net/ipv4/ip_forward</userinput></screen>
|
||||
<para>To make the changes permanent, edit the
|
||||
<filename>/etc/sysctl.conf</filename> file and
|
||||
update the IP forwarding setting:</para>
|
||||
<programlisting language="ini">net.ipv4.ip_forward = 1</programlisting>
|
||||
<para>Save the file and run the following command to apply the changes:</para>
|
||||
<screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
|
||||
<para>You can also update the setting by restarting the network service:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>On Ubuntu, run:</para>
|
||||
<screen><userinput><prompt>#</prompt>/etc/init.d/procps.sh restart</userinput></screen>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>On RHEL/Fedora/CentOS, run:</para>
|
||||
<screen><prompt>#</prompt> <userinput>service network restart</userinput></screen>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
<section xml:id="create_list_of_available_floating_ips">
|
||||
<title>Create a list of available floating IP
|
||||
addresses</title>
|
||||
<para>Compute maintains a list of floating IP addresses that you can assign to
|
||||
instances. Use the <command>nova-manage floating create</command> command to add
|
||||
entries to this list.</para>
|
||||
<para>For example:</para>
|
||||
<screen><prompt>#</prompt> <userinput>nova-manage floating create --pool=nova --ip_range=68.99.26.170/31</userinput></screen>
|
||||
<para>You can use the following
|
||||
<command>nova-manage</command> commands to
|
||||
perform floating IP operations:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<screen><prompt>#</prompt> <userinput>nova-manage floating list</userinput></screen>
|
||||
<para>Lists the floating IP addresses in the
|
||||
pool.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<screen><prompt>#</prompt> <userinput>nova-manage floating create --pool=<replaceable>[pool name]</replaceable> --ip_range=<replaceable>[CIDR]</replaceable></userinput></screen>
|
||||
<para>Creates specific floating IPs for either
|
||||
a single address or a subnet.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<screen><prompt>#</prompt> <userinput>nova-manage floating delete <replaceable>[CIDR]</replaceable></userinput></screen>
|
||||
<para>Removes floating IP addresses using the
|
||||
same parameters as the create
|
||||
command.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<para>For information about how administrators can
|
||||
associate floating IPs with instances, see <link
|
||||
xlink:href="http://docs.openstack.org/user-guide-admin/content/manage_ip_addresses.html"
|
||||
>Manage IP addresses</link> in the
|
||||
<citetitle>OpenStack Admin User
|
||||
Guide</citetitle>.</para>
|
||||
</section>
|
||||
<section xml:id="Automatically_adding_floating_IPs">
|
||||
<title>Automatically add floating IPs</title>
|
||||
<para>You can configure the <systemitem
|
||||
class="service">nova-network</systemitem>
|
||||
service to automatically allocate and assign a
|
||||
floating IP address to virtual instances when they
|
||||
are launched. Add the following line to the
|
||||
<filename>/etc/nova/nova.conf</filename> file
|
||||
and restart the <systemitem class="service"
|
||||
>nova-network</systemitem> service:</para>
|
||||
<programlisting language="ini">auto_assign_floating_ip=True</programlisting>
|
||||
<note>
|
||||
<para>If you enable this option and all floating
|
||||
IP addresses have already been allocated, the
|
||||
<command>nova boot</command> command
|
||||
fails.</para>
|
||||
</note>
|
||||
</section>
|
||||
</section>
|
||||
<section xml:id="section_remove-network-from-project">
|
||||
<title>Remove a network from a project</title>
|
||||
<para>You cannot remove a network that has already been
|
||||
associated to a project by simply deleting it.</para>
|
||||
<para>To determine the project ID, you must have administrative rights. You can
|
||||
disassociate the project from the network with a scrub command and the project ID as the
|
||||
final parameter:</para>
|
||||
<screen><prompt>#</prompt> <userinput>nova-manage project scrub --project=<replaceable><id></replaceable></userinput></screen>
|
||||
</section>
|
||||
<section xml:id="section_use-multi-nics">
|
||||
<title>Multiple interfaces for your instances
|
||||
(multinic)</title>
|
||||
<?dbhtml stop-chunking?>
|
||||
<para>The multinic feature allows you to plug more than one interface to your instances,
|
||||
making it possible to make several use cases available:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>SSL Configurations (VIPs)</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Services failover/ HA</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Bandwidth Allocation</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Administrative/ Public access to your
|
||||
instances</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<para>Each VIF is representative of a separate network with its own IP block. Every
|
||||
network mode introduces its own set of changes regarding the multinic usage: <figure>
|
||||
<title>multinic flat manager</title>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata scale="40"
|
||||
fileref="../../common/figures/SCH_5007_V00_NUAC-multi_nic_OpenStack-Flat-manager.jpg"
|
||||
/>
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure>
|
||||
<figure>
|
||||
<title>multinic flatdhcp manager</title>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata scale="40"
|
||||
fileref="../../common/figures/SCH_5007_V00_NUAC-multi_nic_OpenStack-Flat-DHCP-manager.jpg"
|
||||
/>
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure>
|
||||
<figure>
|
||||
<title>multinic VLAN manager</title>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata scale="40"
|
||||
fileref="../../common/figures/SCH_5007_V00_NUAC-multi_nic_OpenStack-VLAN-manager.jpg"
|
||||
/>
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure>
|
||||
</para>
|
||||
<section xml:id="using-multiple-nics-usage">
|
||||
<title>Use the multinic feature</title>
|
||||
<para>In order to use the multinic feature, first create two networks, and attach
|
||||
them to your tenant (still named 'project' on the command line):
|
||||
<screen><prompt>$</prompt> <userinput>nova network-create first-net --fixed-range-v4=20.20.0.0/24 --project-id=$your-project</userinput>
|
||||
<prompt>$</prompt> <userinput>nova network-create second-net --fixed-range-v4=20.20.10.0/24 --project-id=$your-project</userinput> </screen>
|
||||
Now every time you spawn a new instance, it gets two IP addresses from the
|
||||
respective DHCP servers:</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova list</userinput>
|
||||
<computeroutput>+-----+------------+--------+----------------------------------------+
|
||||
| ID | Name | Status | Networks |
|
||||
+-----+------------+--------+----------------------------------------+
|
||||
| 124 | Server 124 | ACTIVE | network2=20.20.0.3; private=20.20.10.14|
|
||||
+-----+------------+--------+----------------------------------------+</computeroutput></screen>
|
||||
<note>
|
||||
<para>Make sure to power up the second interface
|
||||
on the instance, otherwise that last won't be
|
||||
reachable through its second IP. Here is an
|
||||
example of how to setup the interfaces within
|
||||
the instance (this is the configuration that
|
||||
needs to be applied inside the image):</para>
|
||||
<para><filename>/etc/network/interfaces</filename></para>
|
||||
<programlisting language="bash"># The loopback network interface
|
||||
auto lo
|
||||
iface lo inet loopback
|
||||
|
||||
auto eth0
|
||||
iface eth0 inet dhcp
|
||||
|
||||
auto eth1
|
||||
iface eth1 inet dhcp</programlisting>
|
||||
</note>
|
||||
<note>
|
||||
<para>If the Virtual Network Service Neutron is
|
||||
installed, it is possible to specify the
|
||||
networks to attach to the respective
|
||||
interfaces by using the
|
||||
<literal>--nic</literal> flag when
|
||||
invoking the <literal>nova</literal> command:
|
||||
<screen><prompt>$</prompt> <userinput>nova boot --image ed8b2a37-5535-4a5f-a615-443513036d71 --flavor 1 --nic net-id= <id of first network> --nic net-id= <id of first network> test-vm1</userinput></screen>
|
||||
</para>
|
||||
</note>
|
||||
</section>
|
||||
</section>
|
||||
<section xml:id="section_network-troubleshoot">
|
||||
<title>Troubleshoot Networking</title>
|
||||
<simplesect>
|
||||
<title>Cannot reach floating IPs</title>
|
||||
<para>If you cannot reach your instances through the floating IP address, check the following:</para>
|
||||
<itemizedlist>
|
||||
<listitem><para>Ensure the default security group allows ICMP (ping) and SSH (port 22), so that you can reach
|
||||
the instances:</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova secgroup-list-rules default</userinput>
|
||||
<computeroutput>+-------------+-----------+---------+-----------+--------------+
|
||||
| IP Protocol | From Port | To Port | IP Range | Source Group |
|
||||
+-------------+-----------+---------+-----------+--------------+
|
||||
| icmp | -1 | -1 | 0.0.0.0/0 | |
|
||||
| tcp | 22 | 22 | 0.0.0.0/0 | |
|
||||
+-------------+-----------+---------+-----------+--------------+</computeroutput></screen>
|
||||
</listitem>
|
||||
<listitem><para>Ensure the NAT rules have been added to <systemitem>iptables</systemitem> on the node that
|
||||
<systemitem>nova-network</systemitem> is running on, as root:</para>
|
||||
<screen><prompt>#</prompt> <userinput>iptables -L -nv</userinput>
|
||||
<computeroutput>-A nova-network-OUTPUT -d 68.99.26.170/32 -j DNAT --to-destination 10.0.0.3</computeroutput></screen>
|
||||
<screen><prompt>#</prompt> <userinput>iptables -L -nv -t nat</userinput>
|
||||
<computeroutput>-A nova-network-PREROUTING -d 68.99.26.170/32 -j DNAT --to-destination10.0.0.3
|
||||
-A nova-network-floating-snat -s 10.0.0.3/32 -j SNAT --to-source 68.99.26.170</computeroutput></screen></listitem>
|
||||
<listitem><para>Check that the public address, in this example "68.99.26.170", has been added to your public
|
||||
interface. You should see the address in the listing when you enter "ip
|
||||
addr" at the command prompt.</para>
|
||||
<screen><prompt>$</prompt> <userinput>ip addr</userinput>
|
||||
<computeroutput>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
|
||||
link/ether xx:xx:xx:17:4b:c2 brd ff:ff:ff:ff:ff:ff
|
||||
inet 13.22.194.80/24 brd 13.22.194.255 scope global eth0
|
||||
inet 68.99.26.170/32 scope global eth0
|
||||
inet6 fe80::82b:2bf:fe1:4b2/64 scope link
|
||||
valid_lft forever preferred_lft forever</computeroutput></screen>
|
||||
<para>Note that you cannot SSH to an instance with a
|
||||
public IP from within the same server as the
|
||||
routing configuration won't allow it.</para></listitem>
|
||||
<listitem><para>You can use <command>tcpdump</command> to identify if packets are being routed to the inbound
|
||||
interface on the compute host. If the packets are reaching the compute hosts
|
||||
but the connection is failing, the issue may be that the packet is being
|
||||
dropped by reverse path filtering. Try disabling reverse-path filtering on
|
||||
the inbound interface. For example, if the inbound interface is
|
||||
<literal>eth2</literal>, as root, run:</para>
|
||||
<screen><prompt>#</prompt> <userinput>sysctl -w net.ipv4.conf.<replaceable>eth2</replaceable>.rp_filter=0</userinput></screen>
|
||||
<para>If this solves your issue, add the following line to
|
||||
<filename>/etc/sysctl.conf</filename> so that the reverse-path filter is
|
||||
disabled the next time the compute host reboots:
|
||||
<programlisting language="ini">net.ipv4.conf.rp_filter=0</programlisting></para></listitem>
|
||||
</itemizedlist>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>Disable firewall</title>
|
||||
<para>To help debug networking issues with reaching
|
||||
VMs, you can disable the firewall by setting the
|
||||
following option in
|
||||
<filename>/etc/nova/nova.conf</filename>:</para>
|
||||
<programlisting language="ini">firewall_driver=nova.virt.firewall.NoopFirewallDriver</programlisting>
|
||||
<para>We strongly recommend you remove this line to
|
||||
re-enable the firewall once your networking issues
|
||||
have been resolved.</para>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>Packet loss from instances to nova-network
|
||||
server (VLANManager mode)</title>
|
||||
<para>If you can SSH to your instances but you find
|
||||
that the network interactions to your instance is
|
||||
slow, or if you find that running certain
|
||||
operations are slower than they should be (for
|
||||
example, <command>sudo</command>), then there may
|
||||
be packet loss occurring on the connection to the
|
||||
instance.</para>
|
||||
<para>Packet loss can be caused by Linux networking
|
||||
configuration settings related to bridges. Certain
|
||||
settings can cause packets to be dropped between
|
||||
the VLAN interface (for example,
|
||||
<literal>vlan100</literal>) and the associated
|
||||
bridge interface (for example,
|
||||
<literal>br100</literal>) on the host running
|
||||
the <systemitem class="service"
|
||||
>nova-network</systemitem> service.</para>
|
||||
<para>One way to check whether this is the issue in your setup, is to open up three
|
||||
terminals and run the following commands:</para>
|
||||
<para>
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>In the first terminal, on the host running nova-network, use <command>tcpdump</command> on the
|
||||
VLAN interface to monitor DNS-related traffic (UDP, port 53). As
|
||||
root, run:</para>
|
||||
<screen><prompt>#</prompt> <userinput>tcpdump -K -p -i vlan100 -v -vv udp port 53</userinput></screen>
|
||||
</listitem>
|
||||
<listitem><para>In the second terminal, also on the host running nova-network, use <command>tcpdump</command>
|
||||
to monitor DNS-related traffic on the bridge interface. As root,
|
||||
run:</para>
|
||||
<screen><prompt>#</prompt> <userinput>tcpdump -K -p -i br100 -v -vv udp port 53</userinput></screen></listitem>
|
||||
<listitem><para>In the third terminal, SSH inside of the
|
||||
instance and generate DNS requests by using the
|
||||
<command>nslookup</command> command:</para>
|
||||
<screen><prompt>$</prompt> <userinput>nslookup www.google.com</userinput></screen>
|
||||
<para>The symptoms may be intermittent, so try running
|
||||
<command>nslookup</command> multiple times. If
|
||||
the network configuration is correct, the command
|
||||
should return immediately each time. If it is not
|
||||
functioning properly, the command hangs for
|
||||
several seconds.</para></listitem>
|
||||
<listitem><para>If the <command>nslookup</command> command sometimes hangs, and there are packets that appear
|
||||
in the first terminal but not the second, then the problem may be due to
|
||||
filtering done on the bridges. Try to disable filtering, run the
|
||||
following commands as root:</para>
|
||||
<screen><prompt>#</prompt> <userinput>sysctl -w net.bridge.bridge-nf-call-arptables=0</userinput>
|
||||
<prompt>#</prompt> <userinput>sysctl -w net.bridge.bridge-nf-call-iptables=0</userinput>
|
||||
<prompt>#</prompt> <userinput>sysctl -w net.bridge.bridge-nf-call-ip6tables=0</userinput></screen>
|
||||
<para>If this solves your issue, add the following line to
|
||||
<filename>/etc/sysctl.conf</filename> so that these changes take
|
||||
effect the next time the host reboots:</para>
|
||||
<programlisting language="ini">net.bridge.bridge-nf-call-arptables=0
|
||||
net.bridge.bridge-nf-call-iptables=0
|
||||
net.bridge.bridge-nf-call-ip6tables=0</programlisting></listitem>
|
||||
</orderedlist>
|
||||
</para>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>KVM: Network connectivity works initially, then
|
||||
fails</title>
|
||||
<para>Some administrators have observed an issue with
|
||||
the KVM hypervisor where instances running Ubuntu
|
||||
12.04 sometimes loses network connectivity after
|
||||
functioning properly for a period of time. Some
|
||||
users have reported success with loading the
|
||||
vhost_net kernel module as a workaround for this
|
||||
issue (see <link
|
||||
xlink:href="https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/997978/"
|
||||
>bug #997978</link>) . This kernel module may
|
||||
also <link
|
||||
xlink:href="http://www.linux-kvm.org/page/VhostNet"
|
||||
>improve network performance on KVM</link>. To
|
||||
load the kernel module, as root:</para>
|
||||
<screen><prompt>#</prompt> <userinput>modprobe vhost_net</userinput></screen>
|
||||
<note>
|
||||
<para>Loading the module has no effect on running
|
||||
instances.</para>
|
||||
</note>
|
||||
</simplesect>
|
||||
</section>
|
||||
</section>
|
115
doc/admin-guide-cloud/compute/section_compute-rootwrap.xml
Normal file
115
doc/admin-guide-cloud/compute/section_compute-rootwrap.xml
Normal file
@ -0,0 +1,115 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<section xml:id="root-wrap-reference"
|
||||
xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
|
||||
<title>Secure with root wrappers</title>
|
||||
<para>The root wrapper enables an unprivileged user to run a number of Compute actions as the
|
||||
root user in the safest manner possible. Historically, Compute used a specific
|
||||
<filename>sudoers</filename> file that listed every command that the Compute user was
|
||||
allowed to run, and used <command>sudo</command> to run that command as
|
||||
<literal>root</literal>. However this was difficult to maintain (the
|
||||
<filename>sudoers</filename> file was in packaging), and did not enable complex
|
||||
filtering of parameters (advanced filters). The rootwrap was designed to solve those
|
||||
issues.</para>
|
||||
<simplesect>
|
||||
<title>How rootwrap works</title>
|
||||
<para>Instead of calling <command>sudo make me a sandwich</command>, Compute services start
|
||||
with a <command>nova-rootwrap</command> call; for example, <command>sudo nova-rootwrap
|
||||
/etc/nova/rootwrap.conf make me a sandwich</command>. A generic sudoers entry lets
|
||||
the Compute user run <command>nova-rootwrap</command> as root. The
|
||||
<command>nova-rootwrap</command> code looks for filter definition directories in its
|
||||
configuration file, and loads command filters from them. Then it checks if the command
|
||||
requested by Compute matches one of those filters, in which case it executes the command
|
||||
(as root). If no filter matches, it denies the request.</para>
|
||||
<note><para>To use <command>nova-rootwrap</command>, you must be aware of the issues with using NFS and
|
||||
root-owned files. The NFS share must be configured with the
|
||||
<option>no_root_squash</option> option enabled.</para>
|
||||
</note>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>Security model</title>
|
||||
<para>The escalation path is fully controlled by the root user. A sudoers entry (owned by
|
||||
root) allows Compute to run (as root) a specific rootwrap executable, and only with a
|
||||
specific configuration file (which should be owned by root).
|
||||
<command>nova-rootwrap</command> imports the Python modules it needs from a cleaned
|
||||
(and system-default) <replaceable>PYTHONPATH</replaceable>. The configuration file (also
|
||||
root-owned) points to root-owned filter definition directories, which contain root-owned
|
||||
filters definition files. This chain ensures that the Compute user itself is not in
|
||||
control of the configuration or modules used by the <command>nova-rootwrap</command>
|
||||
executable.</para>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>Details of rootwrap.conf</title>
|
||||
<para>You configure <command>nova-rootwrap</command> in the
|
||||
<filename>rootwrap.conf</filename> file. Because it's in the trusted security path,
|
||||
it must be owned and writable by only the root user. The file's location is specified
|
||||
both in the sudoers entry and in the <filename>nova.conf</filename> configuration file
|
||||
with the <code>rootwrap_config=entry</code>.</para>
|
||||
<para>The <filename>rootwrap.conf</filename> file uses an INI file format with these
|
||||
sections and parameters:</para>
|
||||
<table rules="all" frame="border"
|
||||
xml:id="rootwrap-conf-table-filter-path" width="100%">
|
||||
<caption>rootwrap.conf configuration options</caption>
|
||||
<col width="50%"/>
|
||||
<col width="50%"/>
|
||||
<thead>
|
||||
<tr>
|
||||
<td><para>Configuration option=Default
|
||||
value</para></td>
|
||||
<td><para>(Type) Description</para></td>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><para>[DEFAULT]</para>
|
||||
<para>filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
|
||||
</para></td>
|
||||
<td><para>(ListOpt) Comma-separated list of
|
||||
directories containing filter definition
|
||||
files. Defines where filters for root wrap
|
||||
are stored. Directories defined on this
|
||||
line should all exist, be owned and
|
||||
writable only by the root
|
||||
user.</para></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>Details of .filters files</title>
|
||||
<para>Filters definition files contain lists of filters that
|
||||
<command>nova-rootwrap</command> will use to allow or deny a specific command. They
|
||||
are generally suffixed by .filters. Since they are in the trusted security path, they
|
||||
need to be owned and writable only by the root user. Their location is specified in the
|
||||
<filename>rootwrap.conf</filename> file.</para>
|
||||
<para>Filter definition files use an INI file format with a [Filters] section and several
|
||||
lines, each with a unique parameter name (different for each filter that you
|
||||
define):</para>
|
||||
<table rules="all" frame="border"
|
||||
xml:id="rootwrap-conf-table-filter-name" width="100%">
|
||||
<caption>.filters configuration options</caption>
|
||||
<col width="50%"/>
|
||||
<col width="50%"/>
|
||||
<thead>
|
||||
<tr>
|
||||
<td><para>Configuration option=Default
|
||||
value</para></td>
|
||||
<td><para>(Type) Description</para></td>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><para>[Filters]</para>
|
||||
<para>filter_name=kpartx: CommandFilter,
|
||||
/sbin/kpartx, root</para></td>
|
||||
<td><para>(ListOpt) Comma-separated list
|
||||
containing first the Filter class to use,
|
||||
followed by that Filter arguments (which
|
||||
vary depending on the Filter class
|
||||
selected).</para></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</simplesect>
|
||||
</section>
|
934
doc/admin-guide-cloud/compute/section_compute-system-admin.xml
Normal file
934
doc/admin-guide-cloud/compute/section_compute-system-admin.xml
Normal file
@ -0,0 +1,934 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<section xml:id="section_compute-system-admin"
|
||||
xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
version="5.0">
|
||||
<title>System administration</title>
|
||||
<para>By understanding how the different installed nodes
|
||||
interact with each other, you can administer the Compute
|
||||
installation. Compute offers many ways to install using
|
||||
multiple servers but the general idea is that you can have
|
||||
multiple compute nodes that control the virtual servers
|
||||
and a cloud controller node that contains the remaining
|
||||
Compute services.</para>
|
||||
<para>The Compute cloud works through the interaction of a series of daemon processes named
|
||||
<systemitem>nova-*</systemitem> that reside persistently on the host machine or
|
||||
machines. These binaries can all run on the same machine or be spread out on multiple boxes
|
||||
in a large deployment. The responsibilities of services and drivers are:</para>
|
||||
<para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Services:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><systemitem class="service">nova-api</systemitem>. Receives xml
|
||||
requests and sends them to the rest of the system. It is a wsgi app that
|
||||
routes and authenticate requests. It supports the EC2 and OpenStack
|
||||
APIs. There is a <filename>nova-api.conf</filename> file created when
|
||||
you install Compute.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><systemitem>nova-cert</systemitem>. Provides the certificate
|
||||
manager.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><systemitem class="service">nova-compute</systemitem>. Responsible for
|
||||
managing virtual machines. It loads a Service object which exposes the
|
||||
public methods on ComputeManager through Remote Procedure Call
|
||||
(RPC).</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><systemitem>nova-conductor</systemitem>. Provides database-access
|
||||
support for Compute nodes (thereby reducing security risks).</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><systemitem>nova-consoleauth</systemitem>. Handles console
|
||||
authentication.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><systemitem class="service">nova-objectstore</systemitem>: The
|
||||
<systemitem class="service">nova-objectstore</systemitem> service is
|
||||
an ultra simple file-based storage system for images that replicates
|
||||
most of the S3 API. It can be replaced with OpenStack Image Service and
|
||||
a simple image manager or use OpenStack Object Storage as the virtual
|
||||
machine image storage facility. It must reside on the same node as
|
||||
<systemitem class="service">nova-compute</systemitem>.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><systemitem class="service">nova-network</systemitem>. Responsible for
|
||||
managing floating and fixed IPs, DHCP, bridging and VLANs. It loads a
|
||||
Service object which exposes the public methods on one of the subclasses
|
||||
of NetworkManager. Different networking strategies are available to the
|
||||
service by changing the network_manager configuration option to
|
||||
FlatManager, FlatDHCPManager, or VlanManager (default is VLAN if no
|
||||
other is specified).</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><systemitem>nova-scheduler</systemitem>. Dispatches requests for
|
||||
new virtual machines to the correct node.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><systemitem>nova-novncproxy</systemitem>. Provides a VNC proxy for
|
||||
browsers (enabling VNC consoles to access virtual machines).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Some services have drivers that change how the service implements the core of
|
||||
its functionality. For example, the <systemitem>nova-compute</systemitem>
|
||||
service supports drivers that let you choose with which hypervisor type it will
|
||||
talk. <systemitem>nova-network</systemitem> and
|
||||
<systemitem>nova-scheduler</systemitem> also have drivers.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
<section xml:id="section_compute-service-arch">
|
||||
<title>Compute service architecture</title>
|
||||
<para>The following basic categories describe the service architecture and what's going
|
||||
on within the cloud controller.</para>
|
||||
<simplesect>
|
||||
<title>API server</title>
|
||||
<para>At the heart of the cloud framework is an API server. This API server makes
|
||||
command and control of the hypervisor, storage, and networking programmatically
|
||||
available to users.</para>
|
||||
<para>The API endpoints are basic HTTP web services
|
||||
which handle authentication, authorization, and
|
||||
basic command and control functions using various
|
||||
API interfaces under the Amazon, Rackspace, and
|
||||
related models. This enables API compatibility
|
||||
with multiple existing tool sets created for
|
||||
interaction with offerings from other vendors.
|
||||
This broad compatibility prevents vendor
|
||||
lock-in.</para>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>Message queue</title>
|
||||
<para>A messaging queue brokers the interaction
|
||||
between compute nodes (processing), the networking
|
||||
controllers (software which controls network
|
||||
infrastructure), API endpoints, the scheduler
|
||||
(determines which physical hardware to allocate to
|
||||
a virtual resource), and similar components.
|
||||
Communication to and from the cloud controller is
|
||||
by HTTP requests through multiple API
|
||||
endpoints.</para>
|
||||
<para>A typical message passing event begins with the API server receiving a request
|
||||
from a user. The API server authenticates the user and ensures that the user is
|
||||
permitted to issue the subject command. The availability of objects implicated in
|
||||
the request is evaluated and, if available, the request is routed to the queuing
|
||||
engine for the relevant workers. Workers continually listen to the queue based on
|
||||
their role, and occasionally their type host name. When an applicable work request
|
||||
arrives on the queue, the worker takes assignment of the task and begins its
|
||||
execution. Upon completion, a response is dispatched to the queue which is received
|
||||
by the API server and relayed to the originating user. Database entries are queried,
|
||||
added, or removed as necessary throughout the process.</para>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>Compute worker</title>
|
||||
<para>Compute workers manage computing instances on
|
||||
host machines. The API dispatches commands to
|
||||
compute workers to complete these tasks:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Run instances</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Terminate instances</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Reboot instances</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Attach volumes</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Detach volumes</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Get console output</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>Network Controller</title>
|
||||
<para>The Network Controller manages the networking
|
||||
resources on host machines. The API server
|
||||
dispatches commands through the message queue,
|
||||
which are subsequently processed by Network
|
||||
Controllers. Specific operations include:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Allocate fixed IP addresses</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Configuring VLANs for projects</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Configuring networks for compute
|
||||
nodes</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</simplesect>
|
||||
</section>
|
||||
<section xml:id="section_manage-compute-users">
|
||||
<title>Manage Compute users</title>
|
||||
<para>Access to the Euca2ools (ec2) API is controlled by
|
||||
an access and secret key. The user’s access key needs
|
||||
to be included in the request, and the request must be
|
||||
signed with the secret key. Upon receipt of API
|
||||
requests, Compute verifies the signature and runs
|
||||
commands on behalf of the user.</para>
|
||||
<para>To begin using Compute, you must create a user with
|
||||
the Identity Service.</para>
|
||||
</section>
|
||||
<section xml:id="section_manage-the-cloud">
|
||||
<title>Manage the cloud</title>
|
||||
<para>A system administrator can use the <command>nova</command> client and the
|
||||
<command>Euca2ools</command> commands to manage the cloud.</para>
|
||||
<para>Both nova client and euca2ools can be used by all users, though specific commands
|
||||
might be restricted by Role Based Access Control in the Identity Service.</para>
|
||||
<procedure>
|
||||
<title>To use the nova client</title>
|
||||
<step>
|
||||
<para>Installing the <package>python-novaclient</package> package gives you a
|
||||
<code>nova</code> shell command that enables Compute API interactions from
|
||||
the command line. Install the client, and then provide your user name and
|
||||
password (typically set as environment variables for convenience), and then you
|
||||
have the ability to send commands to your cloud on the command line.</para>
|
||||
<para>To install <package>python-novaclient</package>, download the tarball from
|
||||
<link
|
||||
xlink:href="http://pypi.python.org/pypi/python-novaclient/2.6.3#downloads"
|
||||
>http://pypi.python.org/pypi/python-novaclient/2.6.3#downloads</link> and
|
||||
then install it in your favorite python environment.</para>
|
||||
<screen><prompt>$</prompt> <userinput>curl -O http://pypi.python.org/packages/source/p/python-novaclient/python-novaclient-2.6.3.tar.gz</userinput>
|
||||
<prompt>$</prompt> <userinput>tar -zxvf python-novaclient-2.6.3.tar.gz</userinput>
|
||||
<prompt>$</prompt> <userinput>cd python-novaclient-2.6.3</userinput></screen>
|
||||
<para>As <systemitem class="username">root</systemitem> execute:</para>
|
||||
<screen><prompt>#</prompt> <userinput>python setup.py install</userinput></screen>
|
||||
</step>
|
||||
<step>
|
||||
<para>Confirm the installation by running:</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova help</userinput>
|
||||
<computeroutput>usage: nova [--version] [--debug] [--os-cache] [--timings]
|
||||
[--timeout <seconds>] [--os-username <auth-user-name>]
|
||||
[--os-password <auth-password>]
|
||||
[--os-tenant-name <auth-tenant-name>]
|
||||
[--os-tenant-id <auth-tenant-id>] [--os-auth-url <auth-url>]
|
||||
[--os-region-name <region-name>] [--os-auth-system <auth-system>]
|
||||
[--service-type <service-type>] [--service-name <service-name>]
|
||||
[--volume-service-name <volume-service-name>]
|
||||
[--endpoint-type <endpoint-type>]
|
||||
[--os-compute-api-version <compute-api-ver>]
|
||||
[--os-cacert <ca-certificate>] [--insecure]
|
||||
[--bypass-url <bypass-url>]
|
||||
<subcommand> ...</computeroutput></screen>
|
||||
<note><para>This command returns a list of <command>nova</command> commands and parameters. To obtain help
|
||||
for a subcommand, run:</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova help <replaceable>subcommand</replaceable></userinput></screen>
|
||||
<para>You can also refer to the <link
|
||||
xlink:href="http://docs.openstack.org/cli-reference/content/">
|
||||
<citetitle>OpenStack Command-Line Reference</citetitle></link>
|
||||
for a complete listing of <command>nova</command>
|
||||
commands and parameters.</para></note>
|
||||
</step>
|
||||
<step>
|
||||
<para>Set the required parameters as environment variables to make running
|
||||
commands easier. For example, you can add <parameter>--os-username</parameter>
|
||||
as a <command>nova</command> option, or set it as an environment variable. To
|
||||
set the user name, password, and tenant as environment variables, use:</para>
|
||||
<screen><prompt>$</prompt> <userinput>export OS_USERNAME=joecool</userinput>
|
||||
<prompt>$</prompt> <userinput>export OS_PASSWORD=coolword</userinput>
|
||||
<prompt>$</prompt> <userinput>export OS_TENANT_NAME=coolu</userinput> </screen>
|
||||
</step>
|
||||
<step>
|
||||
<para>Using the Identity Service, you are supplied with an authentication
|
||||
endpoint, which Compute recognizes as the <literal>OS_AUTH_URL</literal>.</para>
|
||||
<para>
|
||||
<screen><prompt>$</prompt> <userinput>export OS_AUTH_URL=http://hostname:5000/v2.0</userinput>
|
||||
<prompt>$</prompt> <userinput>export NOVA_VERSION=1.1</userinput></screen>
|
||||
</para>
|
||||
</step>
|
||||
</procedure>
|
||||
<simplesect>
|
||||
<title>Use the euca2ools commands</title>
|
||||
<para>For a command-line interface to EC2 API calls, use the
|
||||
<command>euca2ools</command> command-line tool. See <link
|
||||
xlink:href="http://open.eucalyptus.com/wiki/Euca2oolsGuide_v1.3"
|
||||
>http://open.eucalyptus.com/wiki/Euca2oolsGuide_v1.3</link></para>
|
||||
</simplesect>
|
||||
</section>
|
||||
<xi:include
|
||||
href="../../common/section_cli_nova_usage_statistics.xml"/>
|
||||
<section xml:id="section_manage-logs">
|
||||
<title>Manage logs</title>
|
||||
<simplesect>
|
||||
<title>Logging module</title>
|
||||
<para>To specify a configuration file to change the logging behavior, add this line to
|
||||
the <filename>/etc/nova/nova.conf</filename> file . To change the logging level,
|
||||
such as <literal>DEBUG</literal>, <literal>INFO</literal>,
|
||||
<literal>WARNING</literal>, <literal>ERROR</literal>), use:
|
||||
<programlisting language="ini">log-config=/etc/nova/logging.conf</programlisting></para>
|
||||
<para>The logging configuration file is an ini-style configuration file, which must
|
||||
contain a section called <literal>logger_nova</literal>, which controls the behavior
|
||||
of the logging facility in the <literal>nova-*</literal> services. For
|
||||
example:<programlisting language="ini">[logger_nova]
|
||||
level = INFO
|
||||
handlers = stderr
|
||||
qualname = nova</programlisting></para>
|
||||
<para>This example sets the debugging level to <literal>INFO</literal> (which less
|
||||
verbose than the default <literal>DEBUG</literal> setting). <itemizedlist>
|
||||
<listitem>
|
||||
<para>For more details on the logging configuration syntax, including the
|
||||
meaning of the <literal>handlers</literal> and
|
||||
<literal>quaname</literal> variables, see the <link
|
||||
xlink:href="http://docs.python.org/release/2.7/library/logging.html#configuration-file-format"
|
||||
>Python documentation on logging configuration file format
|
||||
</link>f.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>For an example <filename>logging.conf</filename> file with various
|
||||
defined handlers, see the
|
||||
<link xlink:href="http://docs.openstack.org/trunk/config-reference/content/">
|
||||
<citetitle>OpenStack Configuration Reference</citetitle></link>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>Syslog</title>
|
||||
<para>You can configure OpenStack Compute services to send logging information to
|
||||
<systemitem>syslog</systemitem>. This is useful if you want to use
|
||||
<systemitem>rsyslog</systemitem>, which forwards the logs to a remote machine.
|
||||
You need to separately configure the Compute service (nova), the Identity service
|
||||
(keystone), the Image Service (glance), and, if you are using it, the Block Storage
|
||||
service (cinder) to send log messages to <systemitem>syslog</systemitem>. To do so,
|
||||
add the following lines to:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><filename>/etc/nova/nova.conf</filename></para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><filename>/etc/keystone/keystone.conf</filename></para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><filename>/etc/glance/glance-api.conf</filename></para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><filename>/etc/glance/glance-registry.conf</filename></para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><filename>/etc/cinder/cinder.conf</filename></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<programlisting language="ini">verbose = False
|
||||
debug = False
|
||||
use_syslog = True
|
||||
syslog_log_facility = LOG_LOCAL0</programlisting>
|
||||
<para>In addition to enabling <systemitem>syslog</systemitem>, these settings also
|
||||
turn off more verbose output and debugging output from the log.<note>
|
||||
<para>Although the example above uses the same local facility for each service
|
||||
(<literal>LOG_LOCAL0</literal>, which corresponds to
|
||||
<systemitem>syslog</systemitem> facility <literal>LOCAL0</literal>), we
|
||||
recommend that you configure a separate local facility for each service, as
|
||||
this provides better isolation and more flexibility. For example, you may
|
||||
want to capture logging information at different severity levels for
|
||||
different services. <systemitem>syslog</systemitem> allows you to define up
|
||||
to seven local facilities, <literal>LOCAL0, LOCAL1, ..., LOCAL7</literal>.
|
||||
For more details, see the <systemitem>syslog</systemitem>
|
||||
documentation.</para>
|
||||
</note></para>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>Rsyslog</title>
|
||||
<para><systemitem>rsyslog</systemitem> is a useful tool for setting up a centralized
|
||||
log server across multiple machines. We briefly describe the configuration to set up
|
||||
an <systemitem>rsyslog</systemitem> server; a full treatment of
|
||||
<systemitem>rsyslog</systemitem> is beyond the scope of this document. We assume
|
||||
<systemitem>rsyslog</systemitem> has already been installed on your hosts
|
||||
(default for most Linux distributions).</para>
|
||||
<para>This example provides a minimal configuration for
|
||||
<filename>/etc/rsyslog.conf</filename> on the log server host, which receives
|
||||
the log files:</para>
|
||||
<programlisting language="bash"># provides TCP syslog reception
|
||||
$ModLoad imtcp
|
||||
$InputTCPServerRun 1024</programlisting>
|
||||
<para>Add a filter rule to <filename>/etc/rsyslog.conf</filename> which looks for a
|
||||
host name. The example below uses <replaceable>compute-01</replaceable> as an
|
||||
example of a compute host name:</para>
|
||||
<programlisting language="bash">:hostname, isequal, "<replaceable>compute-01</replaceable>" /mnt/rsyslog/logs/compute-01.log</programlisting>
|
||||
<para>On each compute host, create a file named
|
||||
<filename>/etc/rsyslog.d/60-nova.conf</filename>, with the following
|
||||
content:</para>
|
||||
<programlisting language="bash"># prevent debug from dnsmasq with the daemon.none parameter
|
||||
*.*;auth,authpriv.none,daemon.none,local0.none -/var/log/syslog
|
||||
# Specify a log level of ERROR
|
||||
local0.error @@172.20.1.43:1024</programlisting>
|
||||
<para>Once you have created this file, restart your <systemitem>rsyslog</systemitem>
|
||||
daemon. Error-level log messages on the compute hosts should now be sent to your log
|
||||
server.</para>
|
||||
</simplesect>
|
||||
</section>
|
||||
<xi:include href="section_compute-rootwrap.xml"/>
|
||||
<xi:include href="section_compute-configure-migrations.xml"/>
|
||||
<section xml:id="section_live-migration-usage">
|
||||
<title>Migrate instances</title>
|
||||
<para>Before starting migrations, review the <link linkend="section_configuring-compute-migrations">Configure migrations section</link>.</para>
|
||||
<para>Migration provides a scheme to migrate running
|
||||
instances from one OpenStack Compute server to another
|
||||
OpenStack Compute server.</para>
|
||||
<procedure>
|
||||
<title>To migrate instances</title>
|
||||
<step>
|
||||
<para>Look at the running instances, to get the ID
|
||||
of the instance you wish to migrate.</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova list</userinput>
|
||||
<computeroutput><![CDATA[+--------------------------------------+------+--------+-----------------+
|
||||
| ID | Name | Status |Networks |
|
||||
+--------------------------------------+------+--------+-----------------+
|
||||
| d1df1b5a-70c4-4fed-98b7-423362f2c47c | vm1 | ACTIVE | private=a.b.c.d |
|
||||
| d693db9e-a7cf-45ef-a7c9-b3ecb5f22645 | vm2 | ACTIVE | private=e.f.g.h |
|
||||
+--------------------------------------+------+--------+-----------------+]]></computeroutput></screen>
|
||||
</step>
|
||||
<step>
|
||||
<para>Look at information associated with that instance. This example uses 'vm1'
|
||||
from above.</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova show d1df1b5a-70c4-4fed-98b7-423362f2c47c</userinput>
|
||||
<computeroutput><![CDATA[+-------------------------------------+----------------------------------------------------------+
|
||||
| Property | Value |
|
||||
+-------------------------------------+----------------------------------------------------------+
|
||||
...
|
||||
| OS-EXT-SRV-ATTR:host | HostB |
|
||||
...
|
||||
| flavor | m1.tiny |
|
||||
| id | d1df1b5a-70c4-4fed-98b7-423362f2c47c |
|
||||
| name | vm1 |
|
||||
| private network | a.b.c.d |
|
||||
| status | ACTIVE |
|
||||
...
|
||||
+-------------------------------------+----------------------------------------------------------+]]></computeroutput></screen>
|
||||
<para>In this example, vm1 is running on HostB.</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Select the server to which instances will be migrated:</para>
|
||||
<screen><prompt>#</prompt> <userinput>nova service-list</userinput>
|
||||
<computeroutput>+------------------+------------+----------+---------+-------+----------------------------+-----------------+
|
||||
| Binary | Host | Zone | Status | State | Updated_at | Disabled Reason |
|
||||
+------------------+------------+----------+---------+-------+----------------------------+-----------------+
|
||||
| nova-consoleauth | HostA | internal | enabled | up | 2014-03-25T10:33:25.000000 | - |
|
||||
| nova-scheduler | HostA | internal | enabled | up | 2014-03-25T10:33:25.000000 | - |
|
||||
| nova-conductor | HostA | internal | enabled | up | 2014-03-25T10:33:27.000000 | - |
|
||||
| nova-compute | HostB | nova | enabled | up | 2014-03-25T10:33:31.000000 | - |
|
||||
| nova-compute | HostC | nova | enabled | up | 2014-03-25T10:33:31.000000 | - |
|
||||
| nova-cert | HostA | internal | enabled | up | 2014-03-25T10:33:31.000000 | - |
|
||||
+------------------+-----------------------+----------+---------+-------+----------------------------+-----------------+</computeroutput>
|
||||
</screen>
|
||||
<para>In this example, HostC can be picked up
|
||||
because <systemitem class="service">nova-compute</systemitem>
|
||||
is running on it.</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Ensure that HostC has enough resources for
|
||||
migration.</para>
|
||||
<screen><prompt>#</prompt> <userinput>nova host-describe HostC</userinput>
|
||||
<computeroutput>+-----------+------------+-----+-----------+---------+
|
||||
| HOST | PROJECT | cpu | memory_mb | disk_gb |
|
||||
+-----------+------------+-----+-----------+---------+
|
||||
| HostC | (total) | 16 | 32232 | 878 |
|
||||
| HostC | (used_now) | 13 | 21284 | 442 |
|
||||
| HostC | (used_max) | 13 | 21284 | 442 |
|
||||
| HostC | p1 | 13 | 21284 | 442 |
|
||||
| HostC | p2 | 13 | 21284 | 442 |
|
||||
+-----------+------------+-----+-----------+---------+</computeroutput>
|
||||
</screen>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><emphasis role="bold"
|
||||
>cpu:</emphasis>the number of
|
||||
cpu</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">memory_mb:</emphasis>total amount of memory
|
||||
(in MB)</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">disk_gb:</emphasis>total amount of space for
|
||||
NOVA-INST-DIR/instances (in GB)</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">1st line shows </emphasis>total amount of
|
||||
resources for the physical server.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">2nd line shows </emphasis>currently used
|
||||
resources.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">3rd line shows </emphasis>maximum used
|
||||
resources.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">4th line and
|
||||
under</emphasis> shows the resource
|
||||
for each project.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</step>
|
||||
<step>
|
||||
<para>Use the <command>nova live-migration</command> command to migrate the
|
||||
instances:<screen><prompt>$</prompt> <userinput>nova live-migration <replaceable>server</replaceable> <replaceable>host_name</replaceable> </userinput></screen></para>
|
||||
<para>Where <replaceable>server</replaceable> can be either the server's ID or name.
|
||||
For example:</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova live-migration d1df1b5a-70c4-4fed-98b7-423362f2c47c HostC</userinput><computeroutput>
|
||||
<![CDATA[Migration of d1df1b5a-70c4-4fed-98b7-423362f2c47c initiated.]]></computeroutput></screen>
|
||||
<para>Ensure instances are migrated successfully with <command>nova
|
||||
list</command>. If instances are still running on HostB, check log files
|
||||
(src/dest <systemitem class="service">nova-compute</systemitem> and <systemitem
|
||||
class="service">nova-scheduler</systemitem>) to determine why. <note>
|
||||
<para>Although the <command>nova</command> command is called
|
||||
<command>live-migration</command>, under the default Compute
|
||||
configuration options the instances are suspended before
|
||||
migration.</para>
|
||||
<para>For more details, see <link
|
||||
xlink:href="http://docs.openstack.org/trunk/config-reference/content/configuring-openstack-compute-basics.html"
|
||||
>Configure migrations</link> in <citetitle>OpenStack Configuration
|
||||
Reference</citetitle>.</para>
|
||||
</note>
|
||||
</para>
|
||||
</step>
|
||||
</procedure>
|
||||
</section>
|
||||
<section xml:id="section_nova-compute-node-down">
|
||||
<title>Recover from a failed compute node</title>
|
||||
<para>If you have deployed Compute with a shared file
|
||||
system, you can quickly recover from a failed compute
|
||||
node. Of the two methods covered in these sections,
|
||||
the evacuate API is the preferred method even in the
|
||||
absence of shared storage. The evacuate API provides
|
||||
many benefits over manual recovery, such as
|
||||
re-attachment of volumes and floating IPs.</para>
|
||||
<xi:include href="../../common/section_cli_nova_evacuate.xml"/>
|
||||
<section xml:id="nova-compute-node-down-manual-recovery">
|
||||
<title>Manual recovery</title>
|
||||
<para>For KVM/libvirt compute node recovery, see the previous section. Use the
|
||||
following procedure for all other hypervisors.</para>
|
||||
<procedure>
|
||||
<title>To work with host information</title>
|
||||
<step>
|
||||
<para>Identify the VMs on the affected hosts, using tools such as a
|
||||
combination of <literal>nova list</literal> and <literal>nova show</literal>
|
||||
or <literal>euca-describe-instances</literal>. Here's an example using the
|
||||
EC2 API - instance i-000015b9 that is running on node np-rcc54:</para>
|
||||
<programlisting language="bash">i-000015b9 at3-ui02 running nectarkey (376, np-rcc54) 0 m1.xxlarge 2012-06-19T00:48:11.000Z 115.146.93.60</programlisting>
|
||||
</step>
|
||||
<step>
|
||||
<para>You can review the status of the host by using the Compute database.
|
||||
Some of the important information is highlighted below. This example
|
||||
converts an EC2 API instance ID into an OpenStack ID; if you used the
|
||||
<literal>nova</literal> commands, you can substitute the ID directly.
|
||||
You can find the credentials for your database in
|
||||
<filename>/etc/nova.conf</filename>.</para>
|
||||
<programlisting language="bash">SELECT * FROM instances WHERE id = CONV('15b9', 16, 10) \G;
|
||||
*************************** 1. row ***************************
|
||||
created_at: 2012-06-19 00:48:11
|
||||
updated_at: 2012-07-03 00:35:11
|
||||
deleted_at: NULL
|
||||
...
|
||||
id: 5561
|
||||
...
|
||||
power_state: 5
|
||||
vm_state: shutoff
|
||||
...
|
||||
hostname: at3-ui02
|
||||
host: np-rcc54
|
||||
...
|
||||
uuid: 3f57699a-e773-4650-a443-b4b37eed5a06
|
||||
...
|
||||
task_state: NULL
|
||||
...</programlisting>
|
||||
</step>
|
||||
</procedure>
|
||||
<procedure>
|
||||
<title>To recover the VM</title>
|
||||
<step>
|
||||
<para>When you know the status of the VM on the failed host, determine to
|
||||
which compute host the affected VM should be moved. For example, run the
|
||||
following database command to move the VM to np-rcc46:</para>
|
||||
<programlisting language="bash">UPDATE instances SET host = 'np-rcc46' WHERE uuid = '3f57699a-e773-4650-a443-b4b37eed5a06'; </programlisting>
|
||||
</step>
|
||||
<step>
|
||||
<para>If using a hypervisor that relies on libvirt (such as KVM), it is a
|
||||
good idea to update the <literal>libvirt.xml</literal> file (found in
|
||||
<literal>/var/lib/nova/instances/[instance ID]</literal>). The important
|
||||
changes to make are:</para>
|
||||
<para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Change the <literal>DHCPSERVER</literal> value to the host IP
|
||||
address of the compute host that is now the VM's new
|
||||
home.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Update the VNC IP if it isn't already to:
|
||||
<literal>0.0.0.0</literal>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Reboot the VM:</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova reboot --hard 3f57699a-e773-4650-a443-b4b37eed5a06</userinput></screen>
|
||||
</step>
|
||||
</procedure>
|
||||
<para>In theory, the above database update and <literal>nova
|
||||
reboot</literal> command are all that is required to recover a VM from a
|
||||
failed host. However, if further problems occur, consider looking at
|
||||
recreating the network filter configuration using <literal>virsh</literal>,
|
||||
restarting the Compute services or updating the <literal>vm_state</literal>
|
||||
and <literal>power_state</literal> in the Compute database.</para>
|
||||
</section>
|
||||
</section>
|
||||
<section xml:id="section_nova-uid-mismatch">
|
||||
<title>Recover from a UID/GID mismatch</title>
|
||||
<para>When running OpenStack compute, using a shared file
|
||||
system or an automated configuration tool, you could
|
||||
encounter a situation where some files on your compute
|
||||
node are using the wrong UID or GID. This causes a
|
||||
raft of errors, such as being unable to live migrate,
|
||||
or start virtual machines.</para>
|
||||
<para>The following procedure runs on <systemitem class="service"
|
||||
>nova-compute</systemitem> hosts, based on the KVM hypervisor, and could help to
|
||||
restore the situation:</para>
|
||||
<procedure>
|
||||
<title>To recover from a UID/GID mismatch</title>
|
||||
<step>
|
||||
<para>Ensure you don't use numbers that are already used for some other
|
||||
user/group.</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Set the nova uid in <filename>/etc/passwd</filename> to the same number in
|
||||
all hosts (for example, 112).</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Set the libvirt-qemu uid in
|
||||
<filename>/etc/passwd</filename> to the
|
||||
same number in all hosts (for example,
|
||||
119).</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Set the nova group in
|
||||
<filename>/etc/group</filename> file to
|
||||
the same number in all hosts (for example,
|
||||
120).</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Set the libvirtd group in
|
||||
<filename>/etc/group</filename> file to
|
||||
the same number in all hosts (for example,
|
||||
119).</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Stop the services on the compute
|
||||
node.</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Change all the files owned by user nova or
|
||||
by group nova. For example:</para>
|
||||
<programlisting language="bash">find / -uid 108 -exec chown nova {} \; # note the 108 here is the old nova uid before the change
|
||||
find / -gid 120 -exec chgrp nova {} \;</programlisting>
|
||||
</step>
|
||||
<step>
|
||||
<para>Repeat the steps for the libvirt-qemu owned files if those needed to
|
||||
change.</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Restart the services.</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>Now you can run the <command>find</command>
|
||||
command to verify that all files using the
|
||||
correct identifiers.</para>
|
||||
</step>
|
||||
</procedure>
|
||||
</section>
|
||||
<section xml:id="section_nova-disaster-recovery-process">
|
||||
<title>Compute disaster recovery process</title>
|
||||
<para>Use the following procedures to manage your cloud after a disaster, and to easily
|
||||
back up its persistent storage volumes. Backups <emphasis role="bold">are</emphasis>
|
||||
mandatory, even outside of disaster scenarios.</para>
|
||||
<para>For a DRP definition, see <link
|
||||
xlink:href="http://en.wikipedia.org/wiki/Disaster_Recovery_Plan"
|
||||
>http://en.wikipedia.org/wiki/Disaster_Recovery_Plan</link>.</para>
|
||||
<simplesect>
|
||||
<title>A- The disaster recovery process
|
||||
presentation</title>
|
||||
<para>A disaster could happen to several components of
|
||||
your architecture: a disk crash, a network loss, a
|
||||
power cut, and so on. In this example, assume the
|
||||
following set up:</para>
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>A cloud controller (<systemitem>nova-api</systemitem>,
|
||||
<systemitem>nova-objecstore</systemitem>,
|
||||
<systemitem>nova-network</systemitem>)</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>A compute node (<systemitem
|
||||
class="service"
|
||||
>nova-compute</systemitem>)</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>A Storage Area Network used by
|
||||
<systemitem class="service"
|
||||
>cinder-volumes</systemitem> (aka
|
||||
SAN)</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
<para>The disaster example is the worst one: a power
|
||||
loss. That power loss applies to the three
|
||||
components. <emphasis role="italic">Let's see what
|
||||
runs and how it runs before the
|
||||
crash</emphasis>:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>From the SAN to the cloud controller, we
|
||||
have an active iscsi session (used for the
|
||||
"cinder-volumes" LVM's VG).</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>From the cloud controller to the compute node, we also have active
|
||||
iscsi sessions (managed by <systemitem class="service"
|
||||
>cinder-volume</systemitem>).</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>For every volume, an iscsi session is made (so 14 ebs volumes equals
|
||||
14 sessions).</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>From the cloud controller to the compute node, we also have iptables/
|
||||
ebtables rules which allow access from the cloud controller to the running
|
||||
instance.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>And at least, from the cloud controller to the compute node; saved
|
||||
into database, the current state of the instances (in that case "running" ),
|
||||
and their volumes attachment (mount point, volume ID, volume status, and so
|
||||
on.)</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<para>Now, after the power loss occurs and all
|
||||
hardware components restart, the situation is as
|
||||
follows:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>From the SAN to the cloud, the ISCSI
|
||||
session no longer exists.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>From the cloud controller to the compute
|
||||
node, the ISCSI sessions no longer exist.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>From the cloud controller to the compute node, the iptables and
|
||||
ebtables are recreated, since, at boot,
|
||||
<systemitem>nova-network</systemitem> reapplies the
|
||||
configurations.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>From the cloud controller, instances are in a shutdown state (because
|
||||
they are no longer running)</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>In the database, data was not updated at all, since Compute could not
|
||||
have anticipated the crash.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<para>Before going further, and to prevent the administrator from making fatal
|
||||
mistakes,<emphasis role="bold"> the instances won't be lost</emphasis>, because
|
||||
no "<command role="italic">destroy</command>" or "<command role="italic"
|
||||
>terminate</command>" command was invoked, so the files for the instances remain
|
||||
on the compute node.</para>
|
||||
<para>Perform these tasks in this exact order. <emphasis role="underline">Any extra
|
||||
step would be dangerous at this stage</emphasis> :</para>
|
||||
<para>
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Get the current relation from a
|
||||
volume to its instance, so that you
|
||||
can recreate the attachment.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Update the database to clean the
|
||||
stalled state. (After that, you cannot
|
||||
perform the first step).</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Restart the instances. In other
|
||||
words, go from a shutdown to running
|
||||
state.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>After the restart, reattach the volumes to their respective
|
||||
instances (optional).</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>SSH into the instances to reboot them.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</para>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>B - Disaster recovery</title>
|
||||
<procedure>
|
||||
<title>To perform disaster recovery</title>
|
||||
<step>
|
||||
<title>Get the instance-to-volume
|
||||
relationship</title>
|
||||
<para>You must get the current relationship from a volume to its instance,
|
||||
because you will re-create the attachment.</para>
|
||||
<para>You can find this relationship by running <command>nova
|
||||
volume-list</command>. Note that the <command>nova</command> client
|
||||
includes the ability to get volume information from Block Storage.</para>
|
||||
</step>
|
||||
<step>
|
||||
<title>Update the database</title>
|
||||
<para>Update the database to clean the stalled state. You must restore for
|
||||
every volume, using these queries to clean up the database:</para>
|
||||
<screen><prompt>mysql></prompt> <userinput>use cinder;</userinput>
|
||||
<prompt>mysql></prompt> <userinput>update volumes set mountpoint=NULL;</userinput>
|
||||
<prompt>mysql></prompt> <userinput>update volumes set status="available" where status <>"error_deleting";</userinput>
|
||||
<prompt>mysql></prompt> <userinput>update volumes set attach_status="detached";</userinput>
|
||||
<prompt>mysql></prompt> <userinput>update volumes set instance_id=0;</userinput></screen>
|
||||
<para>Then, when you run <command>nova volume-list</command> commands, all
|
||||
volumes appear in the listing.</para>
|
||||
</step>
|
||||
<step>
|
||||
<title>Restart instances</title>
|
||||
<para>Restart the instances using the <command>nova reboot
|
||||
<replaceable>$instance</replaceable></command> command.</para>
|
||||
<para>At this stage, depending on your image, some instances completely
|
||||
reboot and become reachable, while others stop on the "plymouth"
|
||||
stage.</para>
|
||||
</step>
|
||||
<step>
|
||||
<title>DO NOT reboot a second time</title>
|
||||
<para>Do not reboot instances that are stopped at this point. Instance state
|
||||
depends on whether you added an <filename>/etc/fstab</filename> entry for
|
||||
that volume. Images built with the <package>cloud-init</package> package
|
||||
remain in a pending state, while others skip the missing volume and start.
|
||||
The idea of that stage is only to ask nova to reboot every instance, so the
|
||||
stored state is preserved. For more information about
|
||||
<package>cloud-init</package>, see <link
|
||||
xlink:href="https://help.ubuntu.com/community/CloudInit"
|
||||
>help.ubuntu.com/community/CloudInit</link>.</para>
|
||||
</step>
|
||||
<step>
|
||||
<title>Reattach volumes</title>
|
||||
<para>After the restart, you can reattach the volumes to their respective
|
||||
instances. Now that <command>nova</command> has restored the right status,
|
||||
it is time to perform the attachments through a <command>nova
|
||||
volume-attach</command></para>
|
||||
<para>This simple snippet uses the created
|
||||
file:</para>
|
||||
<programlisting language="bash">#!/bin/bash
|
||||
|
||||
while read line; do
|
||||
volume=`echo $line | $CUT -f 1 -d " "`
|
||||
instance=`echo $line | $CUT -f 2 -d " "`
|
||||
mount_point=`echo $line | $CUT -f 3 -d " "`
|
||||
echo "ATTACHING VOLUME FOR INSTANCE - $instance"
|
||||
nova volume-attach $instance $volume $mount_point
|
||||
sleep 2
|
||||
done < $volumes_tmp_file</programlisting>
|
||||
<para>At that stage, instances that were
|
||||
pending on the boot sequence (<emphasis
|
||||
role="italic">plymouth</emphasis>)
|
||||
automatically continue their boot, and
|
||||
restart normally, while the ones that
|
||||
booted see the volume.</para>
|
||||
</step>
|
||||
<step>
|
||||
<title>SSH into instances</title>
|
||||
<para>If some services depend on the volume, or if a volume has an entry
|
||||
into <systemitem>fstab</systemitem>, it could be good to simply restart the
|
||||
instance. This restart needs to be made from the instance itself, not
|
||||
through <command>nova</command>. So, we SSH into the instance and perform a
|
||||
reboot:</para>
|
||||
<screen><prompt>#</prompt> <userinput>shutdown -r now</userinput></screen>
|
||||
</step>
|
||||
</procedure>
|
||||
<para>By completing this procedure, you can
|
||||
successfully recover your cloud.</para>
|
||||
<note>
|
||||
<para>Follow these guidelines:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Use the <parameter> errors=remount</parameter> parameter in the
|
||||
<filename>fstab</filename> file, which prevents data
|
||||
corruption.</para>
|
||||
<para>The system locks any write to the disk if it detects an I/O error.
|
||||
This configuration option should be added into the <systemitem
|
||||
class="service">cinder-volume</systemitem> server (the one which
|
||||
performs the ISCSI connection to the SAN), but also into the instances'
|
||||
<filename>fstab</filename> file.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Do not add the entry for the SAN's disks to the <systemitem
|
||||
class="service">cinder-volume</systemitem>'s
|
||||
<filename>fstab</filename> file.</para>
|
||||
<para>Some systems hang on that step, which means you could lose access to
|
||||
your cloud-controller. To re-run the session manually, you would run the
|
||||
following command before performing the mount:
|
||||
<screen><prompt>#</prompt> <userinput>iscsiadm -m discovery -t st -p $SAN_IP $ iscsiadm -m node --target-name $IQN -p $SAN_IP -l</userinput></screen></para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>For your instances, if you have the whole <filename>/home/</filename>
|
||||
directory on the disk, instead of emptying the
|
||||
<filename>/home</filename> directory and map the disk on it, leave a
|
||||
user's directory with the user's bash files and the
|
||||
<filename>authorized_keys</filename> file.</para>
|
||||
<para>This enables you to connect to the instance, even without the volume
|
||||
attached, if you allow only connections through public keys.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</note>
|
||||
</simplesect>
|
||||
<simplesect>
|
||||
<title>C - Scripted DRP</title>
|
||||
<procedure>
|
||||
<title>To use scripted DRP</title>
|
||||
<para>You can download from <link
|
||||
xlink:href="https://github.com/Razique/BashStuff/blob/master/SYSTEMS/OpenStack/SCR_5006_V00_NUAC-OPENSTACK-DRP-OpenStack.sh"
|
||||
>here</link> a bash script which performs
|
||||
these steps:</para>
|
||||
<step>
|
||||
<para>The "test mode" allows you to perform
|
||||
that whole sequence for only one
|
||||
instance.</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>To reproduce the power loss, connect to
|
||||
the compute node which runs that same
|
||||
instance and close the iscsi session.
|
||||
<emphasis role="underline">Do not
|
||||
detach the volume through
|
||||
<command>nova
|
||||
volume-detach</command></emphasis>,
|
||||
but instead manually close the iscsi
|
||||
session.</para>
|
||||
</step>
|
||||
<step>
|
||||
<para>In this example, the iscsi session is
|
||||
number 15 for that instance:</para>
|
||||
<screen><prompt>#</prompt> <userinput>iscsiadm -m session -u -r 15</userinput></screen>
|
||||
</step>
|
||||
<step>
|
||||
<para>Do not forget the <literal>-r</literal>
|
||||
flag. Otherwise, you close ALL
|
||||
sessions.</para>
|
||||
</step>
|
||||
</procedure>
|
||||
</simplesect>
|
||||
</section>
|
||||
</section>
|
@ -6,10 +6,9 @@
|
||||
version="5.0"
|
||||
xml:id="nova_cli_volumes">
|
||||
<title>Volumes</title>
|
||||
<para>Depending on the setup of your cloud provider, they may
|
||||
give you an endpoint to use to manage volumes, or there
|
||||
may be an extension under the covers. In either case, you
|
||||
can use the nova CLI to manage volumes.</para>
|
||||
<para>Depending on the setup of your cloud provider, they may give you an endpoint to use to
|
||||
manage volumes, or there may be an extension under the covers. In either case, you can use the
|
||||
<command>nova</command> CLI to manage volumes:</para>
|
||||
<screen>
|
||||
volume-attach Attach a volume to a server.
|
||||
volume-create Add a new volume.
|
||||
@ -24,5 +23,14 @@
|
||||
volume-type-create Create a new volume type.
|
||||
volume-type-delete Delete a specific flavor
|
||||
volume-type-list Print a list of available 'volume types'.
|
||||
volume-update Update an attached volume.
|
||||
</screen>
|
||||
<para>For example, to list IDs and names of Compute volumes, run:</para>
|
||||
<screen><prompt>$</prompt> <userinput>nova volume-list</userinput>
|
||||
<computeroutput>+--------------------------------------+-----------+--------------+------+-------------+-------------+
|
||||
| ID | Status | Display Name | Size | Volume Type | Attached to |
|
||||
+--------------------------------------+-----------+--------------+------+-------------+-------------+
|
||||
| 1af4cb93-d4c6-4ee3-89a0-4b7885a3337e | available | PerfBlock | 1 | Performance | |
|
||||
+--------------------------------------+-----------+--------------+------+-------------+-------------+
|
||||
</computeroutput></screen>
|
||||
</section>
|
||||
|
@ -4,18 +4,12 @@
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
||||
xml:id="default_ports">
|
||||
<title>Compute service node firewall requirements</title>
|
||||
<para>
|
||||
Virtual machine console connections, whether direct or
|
||||
through a proxy, are received on ports <literal>5900</literal>
|
||||
to <literal>5999</literal>.
|
||||
</para>
|
||||
<para>
|
||||
You must configure the firewall on the service node to enable
|
||||
network traffic on these ports. On the server that hosts the
|
||||
Compute service, log in as <systemitem>root</systemitem> and
|
||||
complete the following procedure:
|
||||
</para>
|
||||
<para>Console connections for virtual machines, whether direct or through a proxy, are received
|
||||
on ports <literal>5900</literal> to <literal>5999</literal>. You must configure the firewall
|
||||
on each Compute service node to enable network traffic on these ports.</para>
|
||||
<procedure>
|
||||
<title>Configure the service-node firewall</title>
|
||||
<step><para>On the server that hosts the Compute service, log in as <systemitem>root</systemitem>.</para></step>
|
||||
<step>
|
||||
<para>
|
||||
Edit the <filename>/etc/sysconfig/iptables</filename>
|
||||
@ -48,9 +42,6 @@
|
||||
<screen><prompt>$</prompt> <userinput>service iptables restart</userinput></screen>
|
||||
</step>
|
||||
</procedure>
|
||||
<para>
|
||||
The <systemitem>iptables</systemitem> firewall
|
||||
now enables incoming connections to the Compute
|
||||
services. Repeat this process for each compute node.
|
||||
</para>
|
||||
</section>
|
||||
<para>The <systemitem>iptables</systemitem> firewall now enables incoming connections to the
|
||||
Compute services. Repeat this process for each Compute service node.</para>
|
||||
</section>
|
@ -82,7 +82,6 @@
|
||||
</section>
|
||||
<!-- End of configuring resize -->
|
||||
<xi:include href="compute/section_compute-configure-db.xml"/>
|
||||
<xi:include href="../common/section_compute_config-firewalls.xml"/>
|
||||
<!-- Oslo rpc mechanism (such as, Rabbit, Qpid, ZeroMQ) -->
|
||||
<xi:include href="../common/section_rpc.xml"/>
|
||||
<xi:include href="../common/section_compute_config-api.xml"/>
|
||||
|
@ -3,7 +3,7 @@
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
||||
xml:id="section_nova-logs">
|
||||
<title>Log files used by Compute</title>
|
||||
<title>Compute log files</title>
|
||||
<para>The corresponding log file of each Compute service
|
||||
is stored in the <filename>/var/log/nova/</filename>
|
||||
directory of the host on which each service runs.</para>
|
||||
|
Loading…
Reference in New Issue
Block a user