openstack/openstack-manuals
Code Issues Proposed changes
Files
b112b46611bf90857acead4fbacacae48ab1e8cd
openstack-manuals/doc/admin-guide-cloud/ch_compute.xml
Tom Fifield b112b46611 Remove use of fixed_range from docs 
fixed_range in nova.conf was deprecated in Grizzly and has been
removed in Havana.

Change-Id: I663ab54260ab7a6041b951598b901cf95a259df3
Closes-Bug: 1207559
2013-10-01 09:45:33 -05:00

2649 lines
150 KiB
XML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns:html="http://www.w3.org/1999/xhtml" version="5.0"
xml:id="ch_introduction-to-openstack-compute">
<?dbhtml stop-chunking?>
<title>Compute</title>
<para>Compute provides a tool that lets you orchestrate a cloud. By using Nova, you can run instances, manage networks, and manage access
to the cloud through users and projects. Nova provides software
that enables you to control an Infrastructure as a Service (IaaS) cloud
computing platform and is similar in scope to Amazon EC2 and
Rackspace Cloud Servers.</para>
<section xml:id="section_compute-intro">
<title>Introduction to Compute</title>
<para>Compute does not include any virtualization software;
rather it defines drivers that interact with underlying
virtualization mechanisms that run on your host operating
system, and exposes functionality over a web-based
API.</para>
<section xml:id="section_hypervisors">
<title>Hypervisors</title>
<para>OpenStack Compute requires a hypervisor. Compute
controls hypervisors through an API server. To select a hypervisor, you must prioritize and make decisions
based on budget,
resource constraints,
supported features, and required technical
specifications. The majority of development is done
with the KVM and Xen-based hypervisors. For a detailed list of features and support across the
hypervisors, see <link
xlink:href="http://wiki.openstack.org/HypervisorSupportMatrix"
>http://wiki.openstack.org/HypervisorSupportMatrix</link>.
With OpenStack Compute, you can
orchestrate clouds using multiple hypervisors in
different zones. The types of virtualization standards
that can be used with Compute include:</para>
<itemizedlist>
<listitem>
<para><link
xlink:href="http://www.linux-kvm.org/page/Main_Page"
>KVM</link> - Kernel-based Virtual
Machine</para>
</listitem>
<listitem>
<para><link
xlink:href="http://lxc.sourceforge.net/"
>LXC</link> - Linux Containers (through
libvirt)</para>
</listitem>
<listitem>
<para><link
xlink:href="http://wiki.qemu.org/Manual"
>QEMU</link> - Quick EMUlator</para>
</listitem>
<listitem>
<para><link
xlink:href="http://user-mode-linux.sourceforge.net/"
>UML</link> - User Mode Linux</para>
</listitem>
<listitem>
<para><link
xlink:href="http://www.vmware.com/products/vsphere-hypervisor/support.html"
>VMWare vSphere</link> 4.1 update 1 and
newer</para>
</listitem>
<listitem>
<para><link
xlink:href="http://www.xen.org/support/documentation.html"
>Xen</link> - Xen, Citrix XenServer and
Xen Cloud Platform (XCP)</para>
</listitem>
<listitem>
<para><link
xlink:href="https://wiki.openstack.org/wiki/Baremetal"
>Bare Metal</link> - Provisions physical
hardware through pluggable sub-drivers</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="section_users-and-projects">
<title>Users and tenants</title>
<para>The OpenStack Compute system is designed to be used
by many different cloud computing consumers or
customers, basically tenants on a shared system, using
role-based access assignments. Roles control the
actions that a user is allowed to perform.</para><para>In the
default configuration, most actions do not require a
particular role, but this is configurable by the
system administrator editing the appropriate
<filename>policy.json</filename> file that
maintains the rules. For example, a rule can be
defined so that a user cannot allocate a public IP
without the admin role. A user's access to particular
images is limited by tenant, but the username and
password are assigned for each user. Key pairs
granting access to an instance are enabled for each
user, but quotas to control resource consumption
across available hardware resources are for each
tenant. <note>
<para>Earlier versions of OpenStack used the term
"project" instead of "tenant". Because of this
legacy terminology, some command-line tools
use <parameter>--project_id</parameter> when a
tenant ID is expected.</para>
</note></para>
<para>While the original EC2 API supports users, OpenStack
Compute adds the concept of tenants. Tenants are
isolated resource containers that form the principal
organizational structure within the Compute service.
They consist of a separate VLAN, volumes, instances,
images, keys, and users. A user can specify which
tenant he or she wishes to be known as by appending
<literal>:project_id</literal> to his or her
access key. If no tenant is specified in the API
request, Compute attempts to use a tenant with the
same ID as the user.</para>
<para>For tenants, quota controls are available to limit the:<itemizedlist>
<listitem>
<para>Number of volumes which may be
created</para>
</listitem>
<listitem>
<para>Total size of all volumes within a
project as measured in GB</para>
</listitem>
<listitem>
<para>Number of instances which may be
launched</para>
</listitem>
<listitem>
<para>Number of processor cores which may be
allocated</para>
</listitem>
<listitem>
<para>Floating IP addresses (assigned to any
instance when it launches so the instance
has the same publicly accessible IP
addresses)</para>
</listitem>
<listitem>
<para>Fixed IP addresses (assigned to the same
instance each time it boots, publicly or
privately accessible, typically private
for management purposes)</para>
</listitem>
</itemizedlist>
</para>
</section>
<?hard-pagebreak?>
<section xml:id="section_images-and-instances">
<title>Images and instances</title>
<para>This introduction provides a high level overview of
what images and instances are and description of the
life-cycle of a typical virtual system within the
cloud. There are many ways to configure the details of
an OpenStack cloud and many ways to implement a
virtual system within that cloud. These configuration
details as well as the specific command line utilities
and API calls to perform the actions described are
presented in <xref linkend="section_image-mgmt"/> and
the volume-specific info in <link
xlink:href="http://docs.openstack.org/trunk/config-reference/content/"
><citetitle> OpenStack Configuration
Reference</citetitle></link>.</para>
<para>Images are disk images which are templates for
virtual machine file systems. The image service,
Glance, is responsible for the storage and management
of images within OpenStack.</para>
<para>Instances are the individual virtual machines
running on physical compute nodes. The compute
service, Nova, manages instances. Any number of
instances maybe started from the same image. Each
instance is run from a copy of the base image so
runtime changes made by an instance do not change the
image it is based on. Snapshots of running instances
may be taken which create a new image based on the
current disk state of a particular instance.</para>
<para>When starting an instance a set of virtual resources
known as a flavor must be selected. Flavors define how
many virtual CPUs an instance has and the amount of
RAM and size of its ephemeral disks. OpenStack
provides a number of predefined flavors which cloud
administrators may edit or add to. Users must select
from the set of available flavors defined on their
cloud.</para>
<para>Additional resources such as persistent volume
storage and public IP address may be added to and
removed from running instances. The examples below
show the <systemitem class="service"
>cinder-volume</systemitem> service which provide
persistent block storage as opposed to the ephemeral
storage provided by the instance flavor.</para>
<para>Here is an example of the life cycle of a typical
virtual system within an OpenStack cloud to illustrate
these concepts.</para>
<simplesect xml:id="initial-instance-state">
<title>Initial state</title>
<para>The following diagram shows the system state
prior to launching an instance. The image store
fronted by the image service, Glance, has some
number of predefined images. In the cloud there is
an available compute node with available vCPU,
memory and local disk resources. Plus there are a
number of predefined volumes in the <systemitem
class="service">cinder-volume</systemitem>
service.</para>
<figure xml:id="initial-instance-state-figure">
<title>Base image state with no running
instances</title>
<mediaobject>
<imageobject>
<imagedata
fileref="../common/figures/instance-life-1.png"
/>
</imageobject>
</mediaobject>
</figure>
</simplesect>
<simplesect xml:id="running-instance-state">
<title>Launching an instance</title>
<para>To launch an instance the user selects an image,
a flavor and optionally other attributes. In this
case the selected flavor provides a root volume
(as all flavors do) labeled vda in the diagram and
additional ephemeral storage labeled vdb in the
diagram. The user has also opted to map a volume
from the <systemitem class="service"
>cinder-volume</systemitem> store to the third
virtual disk, vdc, on this instance.</para>
<figure xml:id="run-instance-state-figure">
<title>Instance creation from image and run time
state</title>
<mediaobject>
<imageobject>
<imagedata
fileref="../common/figures/instance-life-2.png"
/>
</imageobject>
</mediaobject>
</figure>
<para>The OpenStack system copies the base image from
the image store to the local disk. The local disk
is the first disk (vda) that the instance
accesses. Using small images results in faster
start up of your instances as less data is copied
across the network. The system also creates a new
empty disk image to present as the second disk
(vdb). Be aware that the second disk is an empty
disk with an ephemeral life as it is destroyed
when you delete the instance. The compute node
attaches to the requested <systemitem
class="service">cinder-volume</systemitem>
using iSCSI and maps this to the third disk (vdc)
as requested. The vCPU and memory resources are
provisioned and the instance is booted from the
first drive. The instance runs and changes data on
the disks indicated in red in the diagram <link
linkend="run-instance-state-figure"/>.</para>
<para>The details of this scenario can vary,
particularly the type of back-end storage and the
network protocols that are used. One variant worth
mentioning here is that the ephemeral storage used
for volumes vda and vdb in this example may be
backed by network storage rather than local disk.
The details are left for later chapters.</para>
</simplesect>
<simplesect xml:id="end-instance-state">
<title>End state</title>
<para>Once the instance has served its purpose and is
deleted all state is reclaimed, except the
persistent volume. The ephemeral storage is
purged. Memory and vCPU resources are released.
And of course the image has remained unchanged
through out.</para>
<figure xml:id="end-instance-state-figure">
<title>End state of image and volume after
instance exits</title>
<mediaobject>
<imageobject>
<imagedata
fileref="../common/figures/instance-life-3.png"
/>
</imageobject>
</mediaobject>
</figure>
</simplesect>
</section>
<section xml:id="section_system-architecture">
<title>System architecture</title>
<para>OpenStack Compute consists of several main
components. A "cloud controller" contains many of
these components, and it represents the global state
and interacts with all other components. An API Server
acts as the web services front end for the cloud
controller. The compute controller provides compute
server resources and typically contains the compute
service.</para><para>The Object Store component optionally
provides storage services. An auth manager provides
authentication and authorization services when used
with the Compute system, or you can use the Identity
Service (keystone) as a separate authentication
service. A volume controller provides fast and
permanent block-level storage for the compute servers.
A network controller provides virtual networks to
enable compute servers to interact with each other and
with the public network. A scheduler selects the most
suitable compute controller to host an
instance.</para>
<para>OpenStack Compute is built on a shared-nothing,
messaging-based architecture. You can run all of the
major components on multiple servers including a
compute controller, volume controller, network
controller, and object store (or image service). A
cloud controller communicates with the internal object
store through HTTP (Hyper Text Transfer Protocol), but
it communicates with a scheduler, network controller,
and volume controller through AMQP (Advanced Message
Queue Protocol). To avoid blocking each component
while waiting for a response, OpenStack Compute uses
asynchronous calls, with a call-back that gets
triggered when a response is received.</para>
<para>To achieve the shared-nothing property with multiple
copies of the same component, OpenStack Compute keeps
all the cloud system state in a database.</para>
</section>
<section xml:id="section_storage-and-openstack-compute">
<title>Block Storage and Compute</title>
<para>OpenStack provides two classes of block storage,
"ephemeral" storage and persistent "volumes".
Ephemeral storage exists only for the life of an
instance. It persists across reboots of the guest
operating system, but when the instance is deleted so
is the associated storage. All instances have some
ephemeral storage. Volumes are persistent virtualized
block devices independent of any particular instance.
Volumes may be attached to a single instance at a
time, but may be detached or reattached to a different
instance while retaining all data, much like a USB
drive.</para>
<simplesect xml:id="section_about-ephemeral-storage">
<title>Ephemeral storage</title>
<para>Ephemeral storage is associated with a single
unique instance. Its size is defined by the flavor
of the instance.</para>
<para>Data on ephemeral storage ceases to exist when
the instance it is associated with is terminated.
Rebooting the VM or restarting the host server,
however, does not destroy ephemeral data. In the
typical use case an instance's root file system is
stored on ephemeral storage. This is often an
unpleasant surprise for people unfamiliar with the
cloud model of computing.</para>
<para>In addition to the ephemeral root volume, all
flavors except the smallest, m1.tiny, provide an
additional ephemeral block device whose size
ranges from 20 GB for m1.small to 160 GB for
m1.xlarge. You can configure these sizes. This is
presented as a raw block device with no partition
table or file system. Cloud aware operating system
images may discover, format, and mount this
device. For example the cloud-init package
included in Ubuntu's stock cloud images format
this space as an ext3 file system and mount it on
<filename>/mnt</filename>. It is important to
note this a feature of the guest operating system.
OpenStack only provisions the raw storage.</para>
</simplesect>
<simplesect xml:id="section_about-persistent-storage">
<title>Volume storage</title>
<para>Volume storage is independent of any particular
instance and is persistent. Volumes are user
created and within quota and availability limits
may be of any arbitrary size.</para>
<para>When first created volumes are raw block devices
with n partition table and no file system. They
must be attached to an instance to be partitioned
and/or formatted. Once this is done they may be
used much like an external disk drive. Volumes may
attached to only one instance at a time, but may
be detached and reattached to either the same or
different instances.</para>
<para>It is possible to configure a volume so that it
is bootable and provides a persistent virtual
instance similar to traditional non-cloud based
virtualization systems. In this use case the
resulting instance may still have ephemeral
storage depending on the flavor selected, but the
root file system (and possibly others) is on the
persistent volume and its state is maintained even
if the instance it shut down. Details of this
configuration are discussed in the <link
xlink:href="http://docs.openstack.org/user-guide/content/index.html">
<citetitle>OpenStack End User
Guide</citetitle></link>.</para>
<para>Volumes do not provide concurrent access from
multiple instances. For that you need either a
traditional network file system like NFS or CIFS
or a cluster file system such as GlusterFS. These
may be built within an OpenStack cluster or
provisioned outside of it, but are not features
provided by the OpenStack software.</para>
</simplesect>
</section>
</section>
<section xml:id="section_image-mgmt">
<title>Image management</title>
<para>The OpenStack Image Service, code-named <emphasis
role="italic">glance</emphasis>, discovers, registers,
and retrieves virtual machine images. The service includes
a <link
xlink:href="http://api.openstack.org/api-ref.html#os-images-2.0"
>RESTful API</link> that allows users to query VM
image metadata and retrieve the actual image with HTTP
requests. You can also use the <link
xlink:href="http://docs.openstack.org/user-guide/content/cli_manage_images.html"
>glance command-line tool</link>, or the <link
xlink:href="http://docs.openstack.org/developer/python-glanceclient/"
>Python API</link> to accomplish the same
tasks.</para>
<para>VM images made available through OpenStack Image Service
can be stored in a variety of locations. The OpenStack
Image Service supports the following back end
stores:</para>
<itemizedlist>
<listitem>
<para>OpenStack Object Storage - OpenStack Object
Storage (code-named <emphasis role="italic"
>swift</emphasis>) is the highly-available
object storage project in OpenStack.</para>
</listitem>
<listitem>
<para>File system - The default back end that
OpenStack Image Service uses to store virtual
machine images is the file system back end. This
simple back end writes image files to the local
file system.</para>
</listitem>
<listitem>
<para>S3 - This back end allows OpenStack Image
Service to store virtual machine images in
Amazons S3 service.</para>
</listitem>
<listitem>
<para>HTTP - OpenStack Image Service can read virtual
machine images that are available through HTTP
somewhere on the Internet. This store is read
only.</para>
</listitem>
<listitem>
<para>Rados Block Device (RBD) - This back end stores
images inside of a Ceph storage cluster using
Ceph's RBD interface.</para>
</listitem>
<listitem>
<para>GridFS - This back end stores images inside of
MongoDB.</para>
</listitem>
</itemizedlist>
<para>You must have a working installation of the Image
Service, with a working endpoint and users created in the
Identity Service. Also, you must source the environment
variables required by the nova and glance clients.</para>
</section>
<section xml:id="section_instance-mgmt">
<title>Instance management</title>
<para>Instances are the running virtual machines within an
OpenStack cloud.</para>
<section xml:id="section_instance-mgmt-interfaces">
<?dbhtml stop-chunking?>
<title>Interfaces to instance management</title>
<para>OpenStack provides command line, web based, and API
based instance management. Additionally a number of
third party management tools are available for use
with OpenStack using either the native API or the
provided EC2 compatibility API.</para>
<simplesect xml:id="instance-mgmt-novaclient">
<title>nova CLI</title>
<para>The <application>nova</application> command
provided by the OpenStack python-novaclient
package is the basic command line utility for
users interacting with OpenStack. This is
available as a native package for most modern
Linux distributions or the latest version can be
installed directly using
<application>pip</application> python package
installer:
<programlisting language="bash">sudo pip install python-novaclient</programlisting>
</para>
<para>Full details for <application>nova</application>
and other CLI tools are provided in the <link
xlink:href="http://docs.openstack.org/user-guide/content/index.html"
><citetitle>OpenStack End User Guide</citetitle></link>. What follows is
the minimal introduction required to follow the
CLI example in this chapter. In the case of a
conflict the
<link
xlink:href="http://docs.openstack.org/user-guide/content/index.html"
><citetitle>OpenStack End User Guide</citetitle></link> should be
considered authoritative (and a bug filed against
this section).</para>
<para>To function, the
<application>nova</application> CLI needs the following information:</para>
<itemizedlist>
<listitem>
<para><literal>Authentication URL</literal>:
This can be passed as the
<parameter>--os_auth_url</parameter>
flag or using the OS_AUTH_URL environment
variable.</para>
</listitem>
<listitem>
<para><literal>Tenant (sometimes referred to
as project) name</literal>: This can
be passed as the
<parameter>--os_tenant_name</parameter>
flag or using the OS_TENANT_NAME
environment variable.</para>
</listitem>
<listitem>
<para><literal>User name</literal>: This can
be passed as the
<parameter>--os_username</parameter>
flag or using the OS_USERNAME environment
variable.</para>
</listitem>
<listitem>
<para><literal>Password</literal>: This can be
passed as the
<parameter>--os_password</parameter>
flag or using the OS_PASSWORD environment
variable.</para>
</listitem>
</itemizedlist>
<para>For example if you have your Identity Service
running on the default port (5000) on host
keystone.example.com and want to use the
<application>nova</application> cli as the
user "demouser" with the password "demopassword"
in the "demoproject" tenant you can export the
following values in your shell environment or pass
the equivalent command line args (presuming these
identities already exist):</para>
<programlisting language="bash">export OS_AUTH_URL="http://keystone.example.com:5000/v2.0/"
export OS_USERNAME=demouser
export OS_PASSWORD=demopassword
export OS_TENANT_NAME=demoproject</programlisting>
<para>If you are using the <link
linkend="instance-mgmt-horizon">Horizon</link>
web dashboard, users can easily download
credential files like this with the correct values
for your particular implementation.</para>
</simplesect>
<simplesect xml:id="instance-mgmt-horizon">
<title>Horizon web dashboard</title>
<para>Horizon is the highly customizable and
extensible OpenStack web dashboard. The <link
xlink:href="http://docs.openstack.org/developer/horizon"
>Horizon Project</link> home page has detailed
information on deploying horizon.</para>
</simplesect>
<simplesect xml:id="instance-mgmt-novaapi">
<title>Compute API</title>
<para>OpenStack provides a RESTful API for all
functionality. Complete API documentation is
available at <link
xlink:href="http://docs.openstack.org/api"
>http://docs.openstack.org/api</link>. The
<link
xlink:href="http://docs.openstack.org/api/openstack-compute/2"
>OpenStack Compute API</link> documentation
refers to instances as "servers".</para>
<para>The <link linkend="instance-mgmt-novaclient"
>nova cli</link> can be made to show the API
calls it is making by passing it the
<parameter>--debug</parameter> flag
<screen><prompt>#</prompt> <userinput>nova --debug list</userinput>
<?db-font-size 75%?><computeroutput>connect: (10.0.0.15, 5000)
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: 10.0.0.15:5000\r\nContent-Length: 116\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n{"auth": {"tenantName": "demoproject", "passwordCredentials": {"username": "demouser", "password": "demopassword"}}}'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json
header: Vary: X-Auth-Token
header: Date: Thu, 13 Sep 2012 20:27:36 GMT
header: Transfer-Encoding: chunked
connect: (128.52.128.15, 8774)
send: u'GET /v2/fa9dccdeadbeef23ae230969587a14bf/servers/detail HTTP/1.1\r\nHost: 10.0.0.15:8774\r\nx-auth-project-id: demoproject\r\nx-auth-token: deadbeef9998823afecc3d552525c34c\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: X-Compute-Request-Id: req-bf313e7d-771a-4c0b-ad08-c5da8161b30f
header: Content-Type: application/json
header: Content-Length: 15
header: Date: Thu, 13 Sep 2012 20:27:36 GMT
+----+------+--------+----------+
| ID | Name | Status | Networks |
+----+------+--------+----------+
+----+------+--------+----------+</computeroutput></screen>
</para>
</simplesect>
<simplesect xml:id="instance-mgmt-ec2compat">
<title>EC2 Compatibility API</title>
<para>In addition to the native compute API OpenStack
provides an EC2 compatible API. This allows legacy
workflows built for EC2 to work with
OpenStack.</para>
<!--<para><link linkend="configuring-ec2-API">Configuring the
EC2 API</link> lists configuration options for
customizing this compatibility API on your OpenStack
cloud.</para> -->
</simplesect>
<simplesect xml:id="instance-mgmt-3rdparty">
<title>Third-party tools</title>
<para>Numerous third party tools and
language-specific SDKs interact with
OpenStack clouds, both through native and
compatibility APIs. Though not OpenStack
projects, the following links are to some of
the more popular projects:</para>
<para>
<itemizedlist>
<listitem>
<para><link
xlink:href="http://open.eucalyptus.com/wiki/Euca2oolsGuide"
>euca2ools </link> is a popular
open source CLI for interacting with
the EC2 API. This is convenient for
multi cloud environments where EC2 is
the common API, or for transitioning
from EC2 API based clouds to
OpenStack.</para>
</listitem>
<listitem>
<para><link
xlink:href="http://code.google.com/p/hybridfox/"
>hybridfox</link> is a Firefox
browser add-on that provides a
graphical interface to many popular
public and private cloud
technologies.</para>
</listitem>
<listitem>
<para><link
xlink:href="https://github.com/boto/boto"
>boto</link> is a Python library
for interacting with Amazon Web
Services. It can be used to access
OpenStack through the EC2
compatibility API</para>
</listitem>
<listitem>
<para><link
xlink:href="https://rubygems.org/gems/fog"
>fog</link> is the Ruby cloud
services library and provides methods
for interacting with a large number of
cloud and virtualization
platforms.</para>
</listitem>
<listitem>
<para><link
xlink:href="http://heat-api.org/"
>heat</link> is a high level
orchestration system that provides a
programmable interface to orchestrate
multiple cloud applications
implementing well known standards such
as CloudFormation and TOSCA. Unlike
other projects mentioned in this
section <link
xlink:href="http://heat-api.org/"
>heat</link> requires changes to
your OpenStack deployment and is
working toward official inclusion as
an OpenStack project. At this point
<link
xlink:href="http://heat-api.org/"
>heat</link> is a development
project not a production resource, but
it does show what the not too distant
future of instance management may be
like.</para>
</listitem>
<listitem>
<para><link
xlink:href="http://www.php-opencloud.com"
>php-opencloud</link> is a PHP SDK
that should work with most
OpenStack-based cloud deployments and
the Rackspace public cloud.</para>
</listitem>
</itemizedlist>
</para>
</simplesect>
</section>
<section xml:id="section_instance-building-blocks">
<?dbhtml stop-chunking?>
<title>Building blocks</title>
<para>There are two fundamental requirements for a
computing system, software and hardware.
Virtualization and cloud frameworks tend to blur these
lines and some of your "hardware" may actually be
"software" but conceptually you still need an
operating system and something to run it on.</para>
<simplesect xml:id="instance-building-blocks-images">
<title>Images</title>
<para>In OpenStack the base operating system is
usually copied from an image stored in the Glance
image service. This is the most common case and
results in an ephemeral instance that starts from
a known template state and loses all accumulated
states on shutdown. It is also possible in special
cases to put an operating system on a persistent
"volume" in the Nova-Volume or Cinder volume
system. This gives a more traditional persistent
system that accumulates states, which are
preserved across restarts. To get a list of
available images on your system run:</para>
<screen><prompt>$</prompt> <userinput>nova image-list</userinput>
<?db-font-size 50%?><computeroutput>+--------------------------------------+-------------------------------+--------+--------------------------------------+
| ID | Name | Status | Server |
+--------------------------------------+-------------------------------+--------+--------------------------------------+
| aee1d242-730f-431f-88c1-87630c0f07ba | Ubuntu 12.04 cloudimg amd64 | ACTIVE | |
| 0b27baa1-0ca6-49a7-b3f4-48388e440245 | Ubuntu 12.10 cloudimg amd64 | ACTIVE | |
| df8d56fc-9cea-4dfd-a8d3-28764de3cb08 | jenkins | ACTIVE | |
+--------------------------------------+-------------------------------+--------+--------------------------------------+</computeroutput></screen>
<para>The displayed image attributes are:</para>
<itemizedlist>
<listitem>
<para><literal>ID</literal>: the automatically
generate UUID of the image</para>
</listitem>
<listitem>
<para><literal>Name</literal>: a free form
human readable name given to the
image</para>
</listitem>
<listitem>
<para><literal>Status</literal>: shows the
status of the image ACTIVE images are
available for use.</para>
</listitem>
<listitem>
<para><literal>Server</literal>: for images
that are created as snapshots of running
instance this is the UUID of the instance
the snapshot derives from, for uploaded
images it is blank</para>
</listitem>
</itemizedlist>
</simplesect>
<simplesect xml:id="instance-building-blocks-flavors">
<title>Flavors</title>
<para>Virtual hardware templates are called "flavors"
in OpenStack. The default install provides a range
of five flavors. These are configurable by admin
users (this too is configurable and may be
delegated by redefining the access controls for
"compute_extension:flavormanage" in
<filename>/etc/nova/policy.json</filename> on
the compute-api server). To get a list of
available flavors on your system run:</para>
<screen><prompt>$</prompt> <userinput>nova flavor-list</userinput>
<computeroutput>+----+-----------+-----------+------+-----------+------+-------+-------------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor |
+----+-----------+-----------+------+-----------+------+-------+-------------+
| 1 | m1.tiny | 512 | 1 | N/A | 0 | 1 | |
| 2 | m1.small | 2048 | 20 | N/A | 0 | 1 | |
| 3 | m1.medium | 4096 | 40 | N/A | 0 | 2 | |
| 4 | m1.large | 8192 | 80 | N/A | 0 | 4 | |
| 5 | m1.xlarge | 16384 | 160 | N/A | 0 | 8 | |
+----+-----------+-----------+------+-----------+------+-------+-------------+
</computeroutput></screen>
</simplesect>
</section>
<xi:include href="../common/section_customize_flavors.xml"/>
<section xml:id="section_instance-creation">
<?dbhtml stop-chunking?>
<title>Instances</title>
<para>For information about launching instances through
the nova command-line client, see the <link
xlink:href="http://docs.openstack.org/user-guide/content/index.html"
><citetitle>OpenStack End User
Guide</citetitle></link>.</para>
</section>
<section xml:id="section_instance-scheduling-constraints">
<title>Control where instances run</title>
<para>The <!--<xref linkend="ch_scheduling"/>-->
<citetitle>OpenStack Configuration
Reference</citetitle> provides detailed
information on controlling where your instances run,
including ensuring a set of instances run on different
compute nodes for service resiliency or on the same
node for high performance inter-instance
communications</para>
<para>Additionally admin users can specify and exact
compute node to run on by specifying
<literal>--availability-zone
&lt;availability-zone&gt;:&lt;compute-host&gt;</literal>
on the command line, for example to force an instance
to launch on the <literal>nova-1</literal> compute
node in the default <literal>nova</literal>
availability zone:
<screen><prompt>#</prompt> <userinput>nova boot --image aee1d242-730f-431f-88c1-87630c0f07ba --flavor 1 --availability-zone nova:nova-1 testhost</userinput></screen></para>
</section>
<section xml:id="section_instance-data">
<?dbhtml stop-chunking?>
<title>Instance-specific data</title>
<para>For each instance, you can specify certain data
including authorized_keys key injection, user-data,
metadata service, and file injection.</para>
<para>For information, see the <link
xlink:href="http://docs.openstack.org/user-guide/content/"
><citetitle>OpenStack End User
Guide</citetitle></link>.</para>
</section>
<section xml:id="section_instance-networking">
<?dbhtml stop-chunking?>
<title>Instance networking</title>
<para>For information, see the <link
xlink:href="http://docs.openstack.org/user-guide/content/index.html"
><citetitle>OpenStack End User
Guide</citetitle></link>.</para>
</section>
<xi:include href="../common/section_nova_cli_volumes.xml"/>
</section>
<section xml:id="section_networking-nova">
<title>Networking with nova-network</title>
<para>Understanding the networking configuration options helps
you design the best configuration for your Compute
instances.</para>
<section xml:id="section_networking-options">
<title>Networking options</title>
<para>This section offers a brief overview of each concept
in networking for Compute. With the Grizzly release,
you can choose to either install and configure
<systemitem class="service"
>nova-network</systemitem> for networking between
VMs or use the Networking service (neutron) for
networking. To configure Compute networking options
with Neutron, see the <link
xlink:href="http://docs.openstack.org/admin-guide-cloud/content/ch_networking.html"
>networking chapter</link> of the
<citetitle>Cloud Administrator Guide</citetitle>.</para>
<para>For each VM instance, Compute assigns to it a
private IP address. (Currently, Compute with
<systemitem class="service"
>nova-network</systemitem> only supports Linux
bridge networking that allows the virtual interfaces
to connect to the outside network through the physical
interface.)</para>
<para>The network controller with <systemitem
class="service">nova-network</systemitem> provides
virtual networks to enable compute servers to interact
with each other and with the public network.</para>
<para>Currently, Compute with <systemitem class="service"
>nova-network</systemitem> supports these kinds of
networks, implemented in different “Network Manager”
types: <itemizedlist>
<listitem>
<para>Flat Network Manager</para>
</listitem>
<listitem>
<para>Flat DHCP Network Manager</para>
</listitem>
<listitem>
<para>VLAN Network Manager</para>
</listitem>
</itemizedlist></para>
<para>These networks can co-exist in a cloud system.
However, because you can't yet select the type of
network for a given project, you cannot configure more
than one type of network in a given Compute
installation.</para>
<note>
<para>All networking options require network
connectivity to be already set up between
OpenStack physical nodes. OpenStack does not
configure any physical network interfaces.
OpenStack automatically creates all network
bridges (for example, br100) and VM virtual
interfaces.</para>
<para>All machines must have a <emphasis role="italic"
>public</emphasis> and <emphasis role="italic"
>internal</emphasis> network interface
(controlled by the options:
<literal>public_interface</literal> for the
public interface, and
<literal>flat_interface</literal> and
<literal>vlan_interface</literal> for the
internal interface with flat / VLAN
managers).</para>
<para>The internal network interface is used for
communication with VMs, it shouldn't have an IP
address attached to it before OpenStack
installation (it serves merely as a fabric where
the actual endpoints are VMs and dnsmasq). Also,
the internal network interface must be put in
<emphasis role="italic">promiscuous
mode</emphasis>, because it must receive
packets whose target MAC address is of the guest
VM, not of the host.</para>
</note>
<para>All the network managers configure the network using
<emphasis role="italic">network
drivers</emphasis>. For example, the Linux L3 driver
(<literal>l3.py</literal> and
<literal>linux_net.py</literal>), which makes use
of <literal>iptables</literal>,
<literal>route</literal> and other network
management facilities, and libvirt's <link
xlink:href="http://libvirt.org/formatnwfilter.html"
>network filtering facilities</link>. The driver
isn't tied to any particular network manager; all
network managers use the same driver. The driver
usually initializes (creates bridges and so on) only
when the first VM lands on this host node.</para>
<para>All network managers operate in either <emphasis
role="italic">single-host</emphasis> or <emphasis
role="italic">multi-host</emphasis> mode. This
choice greatly influences the network configuration.
In single-host mode, there is just 1 instance of
<literal>nova-network</literal> which is used as a
default gateway for VMs and hosts a single DHCP server
(dnsmasq), whereas in multi-host mode every compute
node has its own <literal>nova-network</literal>. In
any case, all traffic between VMs and the outer world
flows through <literal>nova-network</literal>. There
are pros and cons to both modes, read more in the
<citetitle>OpenStack Configuration
Reference</citetitle>.</para>
<para>Compute makes a distinction between <emphasis
role="italic">fixed IPs</emphasis> and <emphasis
role="italic">floating IPs</emphasis> for VM
instances. Fixed IPs are IP addresses that are
assigned to an instance on creation and stay the same
until the instance is explicitly terminated. By
contrast, floating IPs are addresses that can be
dynamically associated with an instance. A floating IP
address can be disassociated and associated with
another instance at any time. A user can reserve a
floating IP for their project.</para>
<para>In <emphasis role="bold">Flat Mode</emphasis>, a
network administrator specifies a subnet. The IP
addresses for VM instances are grabbed from the
subnet, and then injected into the image on launch.
Each instance receives a fixed IP address from the
pool of available addresses. A system administrator
may create the Linux networking bridge (typically
named <literal>br100</literal>, although this
configurable) on the systems running the <systemitem
class="service">nova-network</systemitem> service.
All instances of the system are attached to the same
bridge, configured manually by the network
administrator.</para>
<para>
<note>
<para>The configuration injection currently only
works on Linux-style systems that keep
networking configuration in
<filename>/etc/network/interfaces</filename>.</para>
</note>
</para>
<para>In <emphasis role="bold">Flat DHCP Mode</emphasis>,
OpenStack starts a DHCP server (dnsmasq) to pass out
IP addresses to VM instances from the specified subnet
in addition to manually configuring the networking
bridge. IP addresses for VM instances are grabbed from
a subnet specified by the network
administrator.</para>
<para>Like Flat Mode, all instances are attached to a
single bridge on the compute node. In addition a DHCP
server is running to configure instances (depending on
single-/multi-host mode, alongside each <systemitem
class="service">nova-network</systemitem>). In
this mode, Compute does a bit more configuration in
that it attempts to bridge into an ethernet device
(<literal>flat_interface</literal>, eth0 by
default). It also runs and configures dnsmasq as a
DHCP server listening on this bridge, usually on IP
address 10.0.0.1 (see <link linkend="section_dnsmasq"
>DHCP server: dnsmasq</link>). For every instance,
nova allocates a fixed IP address and configure
dnsmasq with the MAC/IP pair for the VM. For example,
dnsmasq doesn't take part in the IP address allocation
process, it only hands out IPs according to the
mapping done by nova. Instances receive their fixed
IPs by doing a dhcpdiscover. These IPs are <emphasis
role="italic">not</emphasis> assigned to any of
the host's network interfaces, only to the VM's
guest-side interface.</para>
<para>In any setup with flat networking, the host(-s) with
nova-network on it is (are) responsible for forwarding
traffic from the private network. Compute can determine
the NAT entries for each network, though sometimes NAT is not
used, such as when configured with all
public IPs or a hardware router is used (one of the HA
options). Such host(-s) needs to have
<literal>br100</literal> configured and physically
connected to any other nodes that are hosting VMs. You
must set the <literal>flat_network_bridge</literal> option
or create networks with the bridge parameter in order to
avoid raising an error. Compute nodes have
iptables/ebtables entries created for each project and instance
to protect against IP/MAC address spoofing and ARP
poisoning. </para>
<note>
<para>In single-host Flat DHCP mode you <emphasis
role="italic">will</emphasis> be able to ping VMs
through their fixed IP from the nova-network node, but
you <emphasis role="italic">cannot</emphasis> ping them
from the compute nodes. This is
expected behavior.</para>
</note>
<para><emphasis role="bold">VLAN Network Mode is the
default mode</emphasis> for OpenStack Compute. In
this mode, Compute creates a VLAN and bridge for each
project. For multiple machine installation, the VLAN
Network Mode requires a switch that supports VLAN
tagging (IEEE 802.1Q). The project gets a range of
private IPs that are only accessible from inside the
VLAN. In order for a user to access the instances in
their project, a special VPN instance (code named
cloudpipe) needs to be created. Compute generates a
certificate and key for the user to access the VPN and
starts the VPN automatically. It provides a private
network segment for each project's instances that can
be accessed through a dedicated VPN connection from
the Internet. In this mode, each project gets its own
VLAN, Linux networking bridge, and subnet.</para>
<para>The subnets are specified by the network
administrator, and are assigned dynamically to a
project when required. A DHCP Server is started for
each VLAN to pass out IP addresses to VM instances
from the subnet assigned to the project. All instances
belonging to one project are bridged into the same
VLAN for that project. OpenStack Compute creates the
Linux networking bridges and VLANs when
required.</para>
</section>
<section xml:id="section_dnsmasq">
<title>DHCP server: dnsmasq</title>
<para>The Compute service uses <link
xlink:href="http://www.thekelleys.org.uk/dnsmasq/doc.html"
>dnsmasq</link> as the DHCP server when running
with either that Flat DHCP Network Manager or the VLAN
Network Manager. The <systemitem class="service"
>nova-network</systemitem> service is responsible
for starting up dnsmasq processes.</para>
<para>The behavior of dnsmasq can be customized by
creating a dnsmasq configuration file. Specify the
config file using the
<literal>dnsmasq_config_file</literal>
configuration option. For example:
<programlisting>dnsmasq_config_file=/etc/dnsmasq-nova.conf</programlisting>
See the <link
xlink:href="http://docs.openstack.org/trunk/config-reference/content/"
><citetitle> OpenStack Configuration
Reference</citetitle></link> for an example of
how to change the behavior of dnsmasq using a dnsmasq
configuration file. The dnsmasq documentation has a
more comprehensive <link
xlink:href="http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq.conf.example"
>dnsmasq configuration file example</link>.</para>
<para>Dnsmasq also acts as a caching DNS server for
instances. You can explicitly specify the DNS server
that dnsmasq should use by setting the
<literal>dns_server</literal> configuration option
in <filename>/etc/nova/nova.conf</filename>. The
following example would configure dnsmasq to use
Google's public DNS
server:<programlisting>dns_server=8.8.8.8</programlisting></para>
<para>Dnsmasq logging output goes to the syslog (typically
<filename>/var/log/syslog</filename> or
<filename>/var/log/messages</filename>, depending
on Linux distribution). The dnsmasq logging output can
be useful for troubleshooting if VM instances boot
successfully but are not reachable over the
network.</para>
<para>A network administrator can run <code>nova-manage
fixed reserve
--address=<replaceable>x.x.x.x</replaceable></code>
to specify the starting point IP address (x.x.x.x) to
reserve with the DHCP server. This reservation only
affects which IP address the VMs start at, not the
fixed IP addresses that the nova-network service
places on the bridges.</para>
</section>
<section xml:id="section_metadata-service">
<title>Metadata service</title>
<simplesect>
<title>Introduction</title>
<para>The Compute service uses a special metadata
service to enable virtual machine instances to
retrieve instance-specific data. Instances access
the metadata service at
<literal>http://169.254.169.254</literal>. The
metadata service supports two sets of APIs: an
OpenStack metadata API and an EC2-compatible API.
Each of the APIs is versioned by date.</para>
<para>To retrieve a list of supported versions for the
OpenStack metadata API, make a GET request to
<programlisting>http://169.254.169.254/openstack</programlisting>For
example:</para>
<para><screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/openstack</userinput>
<computeroutput>2012-08-10
latest</computeroutput></screen>
To retrieve a list of supported versions for the
EC2-compatible metadata API, make a GET request to
<programlisting>http://169.254.169.254</programlisting></para>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254</userinput>
<computeroutput>1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04
latest</computeroutput></screen>
<para>If you write a consumer for one of these APIs,
always attempt to access the most recent API
version supported by your consumer first, then
fall back to an earlier version if the most recent
one is not available.</para>
</simplesect>
<simplesect>
<title>OpenStack metadata API</title>
<para>Metadata from the OpenStack API is distributed
in JSON format. To retrieve the metadata, make a
GET request to:</para>
<programlisting>http://169.254.169.254/openstack/2012-08-10/meta_data.json</programlisting>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/openstack/2012-08-10/meta_data.json</userinput>
<computeroutput>{"uuid": "d8e02d56-2648-49a3-bf97-6be8f1204f38", "availability_zone": "nova", "hostname": "test.novalocal", "launch_index": 0, "meta": {"priority": "low", "role": "webserver"}, "public_keys": {"mykey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDYVEprvtYJXVOBN0XNKVVRNCRX6BlnNbI+USLGais1sUWPwtSg7z9K9vhbYAPUZcq8c/s5S9dg5vTHbsiyPCIDOKyeHba4MUJq8Oh5b2i71/3BISpyxTBH/uZDHdslW2a+SrPDCeuMMoss9NFhBdKtDkdG9zyi0ibmCP6yMdEX8Q== Generated by Nova\n"}, "name": "test"}</computeroutput></screen>
<para>Here is the same content after having run
through a JSON pretty-printer:</para>
<programlisting>{
"availability_zone": "nova",
"hostname": "test.novalocal",
"launch_index": 0,
"meta": {
"priority": "low",
"role": "webserver"
},
"name": "test",
"public_keys": {
"mykey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDYVEprvtYJXVOBN0XNKVVRNCRX6BlnNbI+USLGais1sUWPwtSg7z9K9vhbYAPUZcq8c/s5S9dg5vTHbsiyPCIDOKyeHba4MUJq8Oh5b2i71/3BISpyxTBH/uZDHdslW2a+SrPDCeuMMoss9NFhBdKtDkdG9zyi0ibmCP6yMdEX8Q== Generated by Nova\n"
},
"uuid": "d8e02d56-2648-49a3-bf97-6be8f1204f38"
}</programlisting>
<para>Instances also retrieve user data (passed as the
<literal>user_data</literal> parameter in the
API call or by the <literal>--user_data</literal>
flag in the <command>nova boot</command> command)
through the metadata service, by making a GET
request
to:<programlisting>http://169.254.169.254/openstack/2012-08-10/user_data</programlisting>For
example:</para>
<para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/openstack/2012-08-10/user_data</userinput><computeroutput>#!/bin/bash
echo 'Extra user data here'</computeroutput></screen>
</para>
</simplesect>
<simplesect>
<title>EC2 metadata API</title>
<para>The metadata service has an API that is
compatible with version 2009-04-04 of the <link
xlink:href="http://docs.amazonwebservices.com/AWSEC2/2009-04-04/UserGuide/AESDG-chapter-instancedata.html"
>Amazon EC2 metadata service</link>; virtual
machine images that are designed for EC2 work
properly with OpenStack.</para>
<para>The EC2 API exposes a separate URL for each
metadata. You can retrieve a listing of these
elements by making a GET query to:</para>
<programlisting>http://169.254.169.254/2009-04-04/meta-data/</programlisting>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/</userinput><computeroutput>ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
instance-action
instance-id
instance-type
kernel-id
local-hostname
local-ipv4
placement/
public-hostname
public-ipv4
public-keys/
ramdisk-id
reservation-id
security-groups</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/block-device-mapping/</userinput><computeroutput>ami</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/placement/</userinput>
<computeroutput>availability-zone</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/public-keys/</userinput>
<computeroutput>0=mykey</computeroutput></screen>
<para>Instances can retrieve the public SSH key
(identified by keypair name when a user requests a
new instance) by making a GET request to:</para>
<programlisting>http://169.254.169.254/2009-04-04/meta-data/public-keys/0/openssh-key</programlisting>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/public-keys/0/openssh-key</userinput>
<computeroutput>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDYVEprvtYJXVOBN0XNKVVRNCRX6BlnNbI+USLGais1sUWPwtSg7z9K9vhbYAPUZcq8c/s5S9dg5vTHbsiyPCIDOKyeHba4MUJq8Oh5b2i71/3BISpyxTBH/uZDHdslW2a+SrPDCeuMMoss9NFhBdKtDkdG9zyi0ibmCP6yMdEX8Q== Generated by Nova</computeroutput></screen>
<para>Instances can retrieve user data by making a GET
request to:</para>
<programlisting>http://169.254.169.254/2009-04-04/user-data</programlisting>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/user-data</userinput>
<computeroutput>#!/bin/bash
echo 'Extra user data here'</computeroutput></screen>
</simplesect>
<simplesect>
<title>Run the metadata service</title>
<para>The metadata service is implemented by either
the <systemitem class="service"
>nova-api</systemitem> service or the
<systemitem class="service"
>nova-api-metadata</systemitem> service. (The
<systemitem class="service"
>nova-api-metadata</systemitem> service is
generally only used when running in multi-host
mode, see the <citetitle>OpenStack Configuration
Reference</citetitle> for details). If you are
running the <systemitem class="service"
>nova-api</systemitem> service, you must have
<literal>metadata</literal> as one of the
elements of the list of the
<literal>enabled_apis</literal> configuration
option in
<filename>/etc/nova/nova.conf</filename>. The
default <literal>enabled_apis</literal>
configuration setting includes the metadata
service, so you should not need to modify
it.</para>
<para>To allow instances to reach the metadata
service, the <systemitem class="service"
>nova-network</systemitem> service configures
iptables to NAT port <literal>80</literal> of the
<literal>169.254.169.254</literal> address to
the IP address specified in
<literal>metadata_host</literal> (default
<literal>$my_ip</literal>, which is the IP
address of the <systemitem class="service"
>nova-network</systemitem> service) and port
specified in <literal>metadata_port</literal>
(default <literal>8775</literal>) in
<filename>/etc/nova/nova.conf</filename>. <warning>
<para>The <literal>metadata_host</literal>
configuration option must be an IP
address, not a host name.</para>
</warning>
<note>
<para>The default Compute service settings
assume that the <systemitem
class="service"
>nova-network</systemitem> service and
the <systemitem class="service"
>nova-api</systemitem> service are
running on the same host. If this is not
the case, you must make the following
change in the
<filename>/etc/nova/nova.conf</filename>
file on the host running the <systemitem
class="service"
>nova-network</systemitem>
service:</para>
<para>Set the <literal>metadata_host</literal>
configuration option to the IP address of
the host where the <systemitem
class="service">nova-api</systemitem>
service is running.</para>
</note></para>
<xi:include href="../common/tables/nova-metadata.xml"
/>
</simplesect>
</section>
<section xml:id="section_enable-ping-and-ssh-on-vms">
<title>Enable ping and SSH on VMs</title>
<para>Be sure you enable access to your VMs by using the
<command>euca-authorize</command> or <command>nova
secgroup-add-rule</command> command. The following
commands allow you to <command>ping</command> and
<command>ssh</command> to your VMs:</para>
<note>
<para>These commands need to be run as root only if
the credentials used to interact with <systemitem
class="service">nova-api</systemitem> have
been put under <filename>/root/.bashrc</filename>.
If the EC2 credentials have been put into another
user's <filename>.bashrc</filename> file, then, it
is necessary to run these commands as the
user.</para>
</note>
<para>Using the nova command-line tool:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0</userinput>
<prompt>$</prompt> <userinput>nova secgroup-add-rule default tcp 22 22 0.0.0.0/0</userinput> </screen>
<para>Using euca2ools:</para>
<screen><prompt>$</prompt> <userinput>euca-authorize -P icmp -t -1:-1 -s 0.0.0.0/0 default</userinput>
<prompt>$</prompt> <userinput>euca-authorize -P tcp -p 22 -s 0.0.0.0/0 default</userinput> </screen>
<para>If you still cannot ping or SSH your instances after
issuing the <command>nova secgroup-add-rule</command>
commands, look at the number of
<literal>dnsmasq</literal> processes that are
running. If you have a running instance, check to see
that TWO <literal>dnsmasq</literal> processes are
running. If not, perform the following as root:</para>
<screen><prompt>#</prompt> <userinput>killall dnsmasq</userinput>
<prompt>#</prompt> <userinput>service nova-network restart</userinput> </screen>
</section>
<section xml:id="section_remove-network-from-project">
<title>Remove a network from a project</title>
<para>You cannot remove a network that has already been
associated to a project by simply deleting it.</para>
<para>To determine the project ID you must have admin
rights. You can disassociate the project from the
network with a scrub command and the project ID as the
final parameter:</para>
<screen><prompt>$</prompt> <userinput>nova-manage project scrub --project=<replaceable>&lt;id></replaceable></userinput> </screen>
</section>
<section xml:id="section_use-multi-nics">
<title>Multiple interfaces for your instances
(multinic)</title>
<?dbhtml stop-chunking?>
<para>The multi-nic feature allows you to plug more than
one interface to your instances, making it possible to
make several use cases available: <itemizedlist>
<listitem>
<para>SSL Configurations (VIPs)</para>
</listitem>
<listitem>
<para>Services failover/ HA</para>
</listitem>
<listitem>
<para>Bandwidth Allocation</para>
</listitem>
<listitem>
<para>Administrative/ Public access to your
instances</para>
</listitem>
</itemizedlist> Each VIF is representative of a
separate network with its own IP block. Every network
mode introduces it's own set of changes regarding the
mulitnic usage: <figure>
<title>multinic flat manager</title>
<mediaobject>
<imageobject>
<imagedata scale="40"
fileref="../common/figures/SCH_5007_V00_NUAC-multi_nic_OpenStack-Flat-manager.jpg"
/>
</imageobject>
</mediaobject>
</figure>
<figure>
<title>multinic flatdhcp manager</title>
<mediaobject>
<imageobject>
<imagedata scale="40"
fileref="../common/figures/SCH_5007_V00_NUAC-multi_nic_OpenStack-Flat-DHCP-manager.jpg"
/>
</imageobject>
</mediaobject>
</figure>
<figure>
<title>multinic VLAN manager</title>
<mediaobject>
<imageobject>
<imagedata scale="40"
fileref="../common/figures/SCH_5007_V00_NUAC-multi_nic_OpenStack-VLAN-manager.jpg"
/>
</imageobject>
</mediaobject>
</figure>
</para>
<section xml:id="using-multiple-nics-usage">
<title>Use the multinic feature</title>
<para>In order to use the multinic feature, first
create two networks, and attach them to your
project:
<screen><prompt>$</prompt> <userinput>nova network-create first-net --fixed-range-v4=20.20.0.0/24 --project-id=$your-project</userinput>
<prompt>$</prompt> <userinput>nova network-create second-net --fixed-range-v4=20.20.10.0/24 --project-id=$your-project</userinput> </screen>
Now every time you spawn a new instance, it gets
two IP addresses from the respective DHCP servers: <screen><prompt>$</prompt> <userinput>nova list</userinput>
<computeroutput>+-----+------------+--------+----------------------------------------+
| ID | Name | Status | Networks |
+-----+------------+--------+----------------------------------------+
| 124 | Server 124 | ACTIVE | network2=20.20.0.3; private=20.20.10.14|
+-----+------------+--------+----------------------------------------+</computeroutput></screen>
<note>
<para>Make sure to power up the second
interface on the instance, otherwise that
last won't be reachable through its second
IP. Here is an example of how to setup the
interfaces within the instance (this is
the configuration that needs to be applied
inside the image):</para>
<para><filename>/etc/network/interfaces</filename>
<programlisting># The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet dhcp</programlisting></para>
</note></para>
<note>
<para>If the Virtual Network Service Neutron is
installed, it is possible to specify the
networks to attach to the respective
interfaces by using the
<literal>--nic</literal> flag when
invoking the <literal>nova</literal> command:
<screen><prompt>$</prompt> <userinput>nova boot --image ed8b2a37-5535-4a5f-a615-443513036d71 --flavor 1 --nic net-id= &lt;id of first network&gt; --nic net-id= &lt;id of first network&gt; test-vm1</userinput></screen>
</para>
</note>
</section>
</section>
<section xml:id="section_network-troubleshoot">
<title>Troubleshoot Networking</title>
<simplesect>
<title>Can't reach floating IPs</title>
<para>If you aren't able to reach your instances
through the floating IP address, make sure the
default security group allows ICMP (ping) and SSH
(port 22), so that you can reach the
instances:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-list-rules default</userinput>
<computeroutput>+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | -1 | -1 | 0.0.0.0/0 | |
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+</computeroutput> </screen>
<para>Ensure the NAT rules have been added to iptables
on the node that nova-network is running on, as
root:</para>
<screen><prompt>#</prompt> <userinput>iptables -L -nv</userinput>
<computeroutput>-A nova-network-OUTPUT -d 68.99.26.170/32 -j DNAT --to-destination 10.0.0.3</computeroutput></screen>
<screen><prompt>#</prompt> <userinput>iptables -L -nv -t nat</userinput>
<computeroutput>-A nova-network-PREROUTING -d 68.99.26.170/32 -j DNAT --to-destination10.0.0.3
-A nova-network-floating-snat -s 10.0.0.3/32 -j SNAT --to-source 68.99.26.170</computeroutput></screen>
<para>Check that the public address, in this example
"68.99.26.170", has been added to your public
interface: You should see the address in the
listing when you enter "ip addr" at the command
prompt.</para>
<screen><prompt>$</prompt> <userinput>ip addr</userinput>
<computeroutput>2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc mq state UP qlen 1000
link/ether xx:xx:xx:17:4b:c2 brd ff:ff:ff:ff:ff:ff
inet 13.22.194.80/24 brd 13.22.194.255 scope global eth0
inet 68.99.26.170/32 scope global eth0
inet6 fe80::82b:2bf:fe1:4b2/64 scope link
valid_lft forever preferred_lft forever</computeroutput></screen>
<para>Note that you cannot SSH to an instance with a
public IP from within the same server as the
routing configuration won't allow it.</para>
<para>You can use <command>tcpdump</command> to
identify if packets are being routed to the
inbound interface on the compute host. If the
packets are reaching the compute hosts but the
connection is failing, the issue may be that the
packet is being dropped by reverse path filtering.
Try disabling reverse path filtering on the
inbound interface. For example, if the inbound
interface is <literal>eth2</literal>, as
root:</para><screen><prompt>#</prompt> <userinput>sysctl -w net.ipv4.conf.<replaceable>eth2</replaceable>.rp_filter=0</userinput></screen>
<para>If this solves your issue, add the following
line to <filename>/etc/sysctl.conf</filename> so
that the reverse path filter is disabled the next
time the compute host
reboots:<programlisting>net.ipv4.conf.rp_filter=0</programlisting></para>
</simplesect>
<simplesect>
<title>Disabling firewall</title>
<para>To help debug networking issues with reaching
VMs, you can disable the firewall by setting the
following option in
<filename>/etc/nova/nova.conf</filename>:<programlisting>firewall_driver=nova.virt.firewall.NoopFirewallDriver</programlisting></para>
<para>We strongly recommend you remove the above line
to re-enable the firewall once your networking
issues have been resolved.</para>
</simplesect>
<simplesect>
<title>Packet loss from instances to nova-network
server (VLANManager mode)</title>
<para>If you can SSH to your instances but you find
that the network interactions to your instance is
slow, or if you find that running certain
operations are slower than they should be (for
example, <command>sudo</command>), then there may
be packet loss occurring on the connection to the
instance.</para>
<para>Packet loss can be caused by Linux networking
configuration settings related to bridges. Certain
settings can cause packets to be dropped between
the VLAN interface (for example,
<literal>vlan100</literal>) and the associated
bridge interface (for example,
<literal>br100</literal>) on the host running
the nova-network service.</para>
<para>One way to check if this is the issue in your
setup is to open up three terminals and run the
following commands:</para>
<para>In the first terminal, on the host running
nova-network, use <command>tcpdump</command> to
monitor DNS-related traffic (UDP, port 53) on the
VLAN interface. As root:</para>
<screen><prompt>#</prompt> <userinput>tcpdump -K -p -i vlan100 -v -vv udp port 53</userinput></screen>
<para>In the second terminal, also on the host running
nova-network, use <command>tcpdump</command> to
monitor DNS-related traffic on the bridge
interface. As root:</para>
<screen><prompt>#</prompt> <userinput>tcpdump -K -p -i br100 -v -vv udp port 53</userinput></screen>
<para>In the third terminal, SSH inside of the
instance and generate DNS requests by using the
<command>nslookup</command> command:</para>
<screen><prompt>$</prompt> <userinput>nslookup www.google.com</userinput></screen>
<para>The symptoms may be intermittent, so try running
<command>nslookup</command> multiple times. If
the network configuration is correct, the command
should return immediately each time. If it is not
functioning properly, the command hangs for
several seconds.</para>
<para>If the <command>nslookup</command> command
sometimes hangs, and there are packets that appear
in the first terminal but not the second, then the
problem may be due to filtering done on the
bridges. Try to disable filtering, as root:</para>
<screen><prompt>#</prompt> <userinput>sysctl -w net.bridge.bridge-nf-call-arptables=0</userinput>
<prompt>#</prompt> <userinput>sysctl -w net.bridge.bridge-nf-call-iptables=0</userinput>
<prompt>#</prompt> <userinput>sysctl -w net.bridge.bridge-nf-call-ip6tables=0</userinput></screen>
<para>If this solves your issue, add the following
line to <filename>/etc/sysctl.conf</filename> so
that these changes take effect the next time the
host reboots:</para>
<programlisting>net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-ip6tables=0</programlisting>
</simplesect>
<simplesect>
<title>KVM: Network connectivity works initially, then
fails</title>
<para>Some administrators have observed an issue with
the KVM hypervisor where instances running Ubuntu
12.04 sometimes loses network connectivity after
functioning properly for a period of time. Some
users have reported success with loading the
vhost_net kernel module as a workaround for this
issue (see <link
xlink:href="https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/997978/"
>bug #997978</link>) . This kernel module may
also <link
xlink:href="http://www.linux-kvm.org/page/VhostNet"
>improve network performance on KVM</link>. To
load the kernel module, as
root:</para><screen><prompt>#</prompt> <userinput>modprobe vhost_net</userinput></screen>
<note>
<para>Loading the module has no effect on running
instances.</para>
</note>
</simplesect>
</section>
</section>
<section xml:id="section_block-storage-volumes">
<title>Volumes</title>
<para>The Block Storage service provides persistent block
storage resources that OpenStack Compute instances can
consume.</para>
<para>See the <citetitle>OpenStack Configuration
Reference</citetitle> for information about
configuring volume drivers and creating and attaching
volumes to server instances.</para>
</section>
<section xml:id="section_compute-system-admin">
<title>System administration</title>
<para>By understanding how the different installed nodes
interact with each other you can administer the Compute
installation. Compute offers many ways to install using
multiple servers but the general idea is that you can have
multiple compute nodes that control the virtual servers
and a cloud controller node that contains the remaining
Nova services.</para>
<para>The Compute cloud works through the interaction of a
series of daemon processes named nova-* that reside
persistently on the host machine or machines. These
binaries can all run on the same machine or be spread out
on multiple boxes in a large deployment. The
responsibilities of Services, Managers, and Drivers, can
be a bit confusing at first. Here is an outline the
division of responsibilities to make understanding the
system a little bit easier.</para>
<para>Currently, Services are <systemitem class="service"
>nova-api</systemitem>, <systemitem class="service"
>nova-objectstore</systemitem> (which can be replaced
with Glance, the OpenStack Image Service), <systemitem
class="service">nova-compute</systemitem>, and
<systemitem class="service">nova-network</systemitem>.
Managers and Drivers are specified by configuration
options and loaded using utils.load_object(). Managers are
responsible for a certain aspect of the system. It is a
logical grouping of code relating to a portion of the
system. In general other components should be using the
manager to make changes to the components that it is
responsible for.</para>
<itemizedlist>
<listitem>
<para><systemitem class="service"
>nova-api</systemitem>. Receives xml requests
and sends them to the rest of the system. It is a
wsgi app that routes and authenticate requests. It
supports the EC2 and OpenStack APIs. There is a
<filename>nova-api.conf</filename> file
created when you install Compute.</para>
</listitem>
<listitem>
<para><systemitem class="service"
>nova-objectstore</systemitem>: The
<systemitem class="service"
>nova-objectstore</systemitem> service is an
ultra simple file-based storage system for images
that replicates most of the S3 API. It can be
replaced with OpenStack Image Service and a simple
image manager or use OpenStack Object Storage as
the virtual machine image storage facility. It
must reside on the same node as <systemitem
class="service"
>nova-compute</systemitem>.</para>
</listitem>
<listitem>
<para><systemitem class="service"
>nova-compute</systemitem>. Responsible for
managing virtual machines. It loads a Service
object which exposes the public methods on
ComputeManager through Remote Procedure Call
(RPC).</para>
</listitem>
<listitem>
<para><systemitem class="service"
>nova-network</systemitem>. Responsible for
managing floating and fixed IPs, DHCP, bridging
and VLANs. It loads a Service object which exposes
the public methods on one of the subclasses of
NetworkManager. Different networking strategies
are available to the service by changing the
network_manager configuration option to
FlatManager, FlatDHCPManager, or VlanManager
(default is VLAN if no other is specified).</para>
</listitem>
</itemizedlist>
<section xml:id="section_compute-service-arch">
<title>Compute service architecture</title>
<para>These basic categories describe the service
architecture and what's going on within the cloud
controller.</para>
<simplesect>
<title>API Server</title>
<para>At the heart of the cloud framework is an API
Server. This API Server makes command and control
of the hypervisor, storage, and networking
programmatically available to users in realization
of the definition of cloud computing.</para>
<para>The API endpoints are basic http web services
which handle authentication, authorization, and
basic command and control functions using various
API interfaces under the Amazon, Rackspace, and
related models. This enables API compatibility
with multiple existing tool sets created for
interaction with offerings from other vendors.
This broad compatibility prevents vendor
lock-in.</para>
</simplesect>
<simplesect>
<title>Message queue</title>
<para>A messaging queue brokers the interaction
between compute nodes (processing), the networking
controllers (software which controls network
infrastructure), API endpoints, the scheduler
(determines which physical hardware to allocate to
a virtual resource), and similar components.
Communication to and from the cloud controller is
by HTTP requests through multiple API
endpoints.</para>
<para>A typical message passing event begins with the
API server receiving a request from a user. The
API server authenticates the user and ensures that
the user is permitted to issue the subject
command. Availability of objects implicated in the
request is evaluated and, if available, the
request is routed to the queuing engine for the
relevant workers. Workers continually listen to
the queue based on their role, and occasionally
their type host name. When such listening produces
a work request, the worker takes assignment of the
task and begins its execution. Upon completion, a
response is dispatched to the queue which is
received by the API server and relayed to the
originating user. Database entries are queried,
added, or removed as necessary throughout the
process.</para>
</simplesect>
<simplesect>
<title>Compute worker</title>
<para>Compute workers manage computing instances on
host machines. The API dispatches commands to
compute workers to complete the following
tasks:</para>
<itemizedlist>
<listitem>
<para>Run instances</para>
</listitem>
<listitem>
<para>Terminate instances</para>
</listitem>
<listitem>
<para>Reboot instances</para>
</listitem>
<listitem>
<para>Attach volumes</para>
</listitem>
<listitem>
<para>Detach volumes</para>
</listitem>
<listitem>
<para>Get console output</para>
</listitem>
</itemizedlist>
</simplesect>
<simplesect>
<title>Network Controller</title>
<para>The Network Controller manages the networking
resources on host machines. The API server
dispatches commands through the message queue,
which are subsequently processed by Network
Controllers. Specific operations include:</para>
<itemizedlist>
<listitem>
<para>Allocate fixed IP addresses</para>
</listitem>
<listitem>
<para>Configuring VLANs for projects</para>
</listitem>
<listitem>
<para>Configuring networks for compute
nodes</para>
</listitem>
</itemizedlist>
</simplesect>
</section>
<section xml:id="section_manage-compute-users">
<title>Manage Compute users</title>
<para>Access to the Euca2ools (ec2) API is controlled by
an access and secret key. The users access key needs
to be included in the request, and the request must be
signed with the secret key. Upon receipt of API
requests, Compute verifies the signature and runs
commands on behalf of the user.</para>
<para>To begin using nova, you must create a user with the
Identity Service.</para>
</section>
<section xml:id="section_manage-the-cloud">
<title>Manage the cloud</title>
<para>TA system administrator can use the following tools
to manage their cloud; the nova client, the
nova-manage command, and the Euca2ools
commands.</para>
<para>The nova-manage command can only be run by cloud
administrators. Both novaclient and euca2ools can be
used by all users, though specific commands may be
restricted by Role Based Access Control in the
Identity Management service.</para>
<procedure>
<title>To use the nova command-line tool</title>
<step>
<para>Installing the python-novaclient gives you a
<code>nova</code> shell command that
enables Compute API interactions from the
command line. You install the client, and then
provide your user name and password, set as
environment variables for convenience, and
then you can have the ability to send commands
to your cloud on the command-line.</para>
<para>To install python-novaclient, download the
tarball from <link
xlink:href="http://pypi.python.org/pypi/python-novaclient/2.6.3#downloads"
>http://pypi.python.org/pypi/python-novaclient/2.6.3#downloads</link>
and then install it in your favorite python
environment.</para>
<screen><prompt>$</prompt> <userinput>curl -O http://pypi.python.org/packages/source/p/python-novaclient/python-novaclient-2.6.3.tar.gz</userinput>
<prompt>$</prompt> <userinput>tar -zxvf python-novaclient-2.6.3.tar.gz</userinput>
<prompt>$</prompt> <userinput>cd python-novaclient-2.6.3</userinput>
<prompt>$</prompt> <userinput>sudo python setup.py install</userinput></screen>
</step>
<step>
<para>Now that you have installed the
python-novaclient, confirm the installation by
entering:</para>
<screen><prompt>$</prompt> <userinput>nova help</userinput><computeroutput>usage: nova [--debug] [--os-username OS_USERNAME] [--os-password OS_PASSWORD]
[--os-tenant-name_name OS_TENANT_NAME] [--os-auth-url OS_AUTH_URL]
[--os-region-name OS_REGION_NAME] [--service-type SERVICE_TYPE]
[--service-name SERVICE_NAME] [--endpoint-type ENDPOINT_TYPE]
[--version VERSION]
&lt;subcommand&gt; ...</computeroutput></screen>
</step>
<step>
<para>This command returns a list of nova commands
and parameters. Set the required parameters as
environment variables to make running commands
easier. You can add
<parameter>--os-username</parameter>, for
example, on the nova command, or set it as
environment variables:</para>
<screen><prompt>$</prompt> <userinput>export OS_USERNAME=joecool</userinput>
<prompt>$</prompt> <userinput>export OS_PASSWORD=coolword</userinput>
<prompt>$</prompt> <userinput>export OS_TENANT_NAME=coolu</userinput> </screen>
</step>
<step>
<para>Using the Identity Service, you are supplied
with an authentication endpoint, which nova
recognizes as the
<literal>OS_AUTH_URL</literal>.</para>
<para>
<screen><prompt>$</prompt> <userinput>export OS_AUTH_URL=http://hostname:5000/v2.0</userinput>
<prompt>$</prompt> <userinput>export NOVA_VERSION=1.1</userinput></screen>
</para>
</step>
</procedure>
<procedure>
<title>To use the nova-manage command</title>
<para>The nova-manage command may be used to perform
many essential functions for administration and
ongoing maintenance of nova, such as network
creation or user manipulation.</para>
<step>
<para>The man page for nova-manage has a good
explanation for each of its functions, and is
recommended reading for those starting out.
Access it by running:</para>
<screen><prompt>$</prompt> <userinput>man nova-manage</userinput> </screen>
</step>
<step>
<para>For administrators, the standard pattern for
executing a nova-manage command is:</para>
<screen><prompt>$</prompt> <userinput>nova-manage category command <replaceable>[args]</replaceable></userinput></screen>
</step>
<step>
<para>For example, to obtain a list of all
projects:</para>
<screen><prompt>$</prompt> <userinput>nova-manage project list</userinput></screen>
</step>
<step>
<para>Run without arguments to see a list of
available command categories:</para>
<screen><prompt>$</prompt> <userinput>nova-manage</userinput></screen>
</step>
<step>
<para>You can also run with a category argument
such as user to see a list of all commands in
that category:</para>
<screen><prompt>$</prompt> <userinput>nova-manage service</userinput></screen>
</step>
</procedure>
<simplesect>
<title>To use the euca2ools commands</title>
<para>For a command-line interface to EC2 API calls,
use the euca2ools command line tool. See <link
xlink:href="http://open.eucalyptus.com/wiki/Euca2oolsGuide_v1.3"
>http://open.eucalyptus.com/wiki/Euca2oolsGuide_v1.3</link></para>
</simplesect>
</section>
<xi:include
href="../common/section_nova_cli_usage_statistics.xml"/>
<section xml:id="section_manage-logs">
<title>Manage logs</title>
<simplesect>
<title>Logging module</title>
<para>Adding the following line to the
<filename>/etc/nova/nova.conf</filename> file
enables you to specify a configuration file to
change the logging behavior, in particular for
changing the logging level (such as,
<literal>DEBUG</literal>,
<literal>INFO</literal>,
<literal>WARNING</literal>,
<literal>ERROR</literal>):<programlisting>log-config=/etc/nova/logging.conf</programlisting></para>
<para>The log config file is an ini-style config file
which must contain a section called
<literal>logger_nova</literal>, which controls
the behavior of the logging facility in the
<literal>nova-*</literal> services. The file
must contain a section called
<literal>logger_nova</literal>, for
example:<programlisting>[logger_nova]
level = INFO
handlers = stderr
qualname = nova</programlisting></para>
<para>This example sets the debugging level to
<literal>INFO</literal> (which less verbose
than the default <literal>DEBUG</literal>
setting). See the <link
xlink:href="http://docs.python.org/release/2.7/library/logging.html#configuration-file-format"
>Python documentation on logging configuration
file format </link>for more details on this
file, including the meaning of the
<literal>handlers</literal> and
<literal>quaname</literal> variables. See
<link
xlink:href="http://git.openstack.org/cgit/openstack/nova/plain/etc/nova/logging_sample.conf"
>etc/nova/logging_sample.conf</link> in the
openstack/nova repository on GitHub for an example
<filename>logging.conf</filename> file with
various handlers defined.</para>
</simplesect>
<simplesect>
<title>Syslog</title>
<para>You can configure OpenStack Compute services to
send logging information to syslog. This is useful
if you want to use rsyslog, which forwards the
logs to a remote machine. You need to separately
configure the Compute service (nova), the Identity
service (keystone), the Image service (glance),
and, if you are using it, the Block Storage
service (cinder) to send log messages to syslog.
To do so, add the following lines to:</para>
<itemizedlist>
<listitem>
<para><filename>/etc/nova/nova.conf</filename></para>
</listitem>
<listitem>
<para><filename>/etc/keystone/keystone.conf</filename></para>
</listitem>
<listitem>
<para><filename>/etc/glance/glance-api.conf</filename></para>
</listitem>
<listitem>
<para><filename>/etc/glance/glance-registry.conf</filename></para>
</listitem>
<listitem>
<para><filename>/etc/cinder/cinder.conf</filename></para>
</listitem>
</itemizedlist>
<programlisting>verbose = False
debug = False
use_syslog = True
syslog_log_facility = LOG_LOCAL0</programlisting>
<para>In addition to enabling syslog, these settings
also turn off more verbose output and debugging
output from the log.<note>
<para>While the example above uses the same
local facility for each service
(<literal>LOG_LOCAL0</literal>, which
corresponds to syslog facility
<literal>LOCAL0</literal>), we
recommend that you configure a separate
local facility for each service, as this
provides better isolation and more
flexibility. For example, you may want to
capture logging info at different severity
levels for different services. Syslog
allows you to define up to seven local
facilities, <literal>LOCAL0, LOCAL1, ...,
LOCAL7</literal>. See the syslog
documentation for more details.</para>
</note></para>
</simplesect>
<simplesect>
<title>Rsyslog</title>
<para>Rsyslog is a useful tool for setting up a
centralized log server across multiple machines.
We briefly describe the configuration to set up an
rsyslog server; a full treatment of rsyslog is
beyond the scope of this document. We assume
rsyslog has already been installed on your hosts,
which is the default on most Linux
distributions.</para>
<para>This example shows a minimal configuration for
<filename>/etc/rsyslog.conf</filename> on the
log server host, which receives the log
files:</para>
<programlisting># provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 1024</programlisting>
<para>Add to <filename>/etc/rsyslog.conf</filename> a
filter rule on which looks for a host name. The
example below use
<replaceable>compute-01</replaceable> as an
example of a compute host
name:<programlisting>:hostname, isequal, "<replaceable>compute-01</replaceable>" /mnt/rsyslog/logs/compute-01.log</programlisting></para>
<para>On the compute hosts, create a file named
<filename>/etc/rsyslog.d/60-nova.conf</filename>,
with the following
content.<programlisting># prevent debug from dnsmasq with the daemon.none parameter
*.*;auth,authpriv.none,daemon.none,local0.none -/var/log/syslog
# Specify a log level of ERROR
local0.error @@172.20.1.43:1024</programlisting></para>
<para>Once you have created this file, restart your
rsyslog daemon. Error-level log messages on the
compute hosts should now be sent to your log
server.</para>
</simplesect>
</section>
<xi:include href="section_rootwrap.xml"/>
<section xml:id="section_live-migration-usage">
<title>Migration</title>
<para>Before starting migrations, review the <link xlink:href="http://docs.openstack.org/trunk/config-reference/content/configuring-openstack-compute-basics.html#section_configuring-compute-migrations"
>Configuring Migrations</link> section in the
<citetitle>Configuration Reference Guide</citetitle>.</para>
<para>Migration provides a scheme to migrate running
instances from one OpenStack Compute server to another
OpenStack Compute server.</para>
<procedure>
<title>To migrate instances</title>
<step>
<para>Look at the running instances, to get the ID
of the instance you wish to migrate.</para>
<screen><prompt>#</prompt> <userinput>nova list</userinput><computeroutput><![CDATA[+--------------------------------------+------+--------+-----------------+
| ID | Name | Status |Networks |
+--------------------------------------+------+--------+-----------------+
| d1df1b5a-70c4-4fed-98b7-423362f2c47c | vm1 | ACTIVE | private=a.b.c.d |
| d693db9e-a7cf-45ef-a7c9-b3ecb5f22645 | vm2 | ACTIVE | private=e.f.g.h |
+--------------------------------------+------+--------+-----------------+]]></computeroutput></screen>
</step>
<step>
<para>Look at information associated with that
instance - our example is vm1 from
above.</para>
<screen><prompt>#</prompt> <userinput>nova show d1df1b5a-70c4-4fed-98b7-423362f2c47c</userinput><computeroutput><![CDATA[+-------------------------------------+----------------------------------------------------------+
| Property | Value |
+-------------------------------------+----------------------------------------------------------+
...
| OS-EXT-SRV-ATTR:host | HostB |
...
| flavor | m1.tiny |
| id | d1df1b5a-70c4-4fed-98b7-423362f2c47c |
| name | vm1 |
| private network | a.b.c.d |
| status | ACTIVE |
...
+-------------------------------------+----------------------------------------------------------+]]></computeroutput></screen>
<para>In this example, vm1 is running on
HostB.</para>
</step>
<step>
<para>Select the server to migrate instances
to.</para>
<screen><prompt>#</prompt> <userinput>nova-manage service list</userinput><computeroutput><![CDATA[HostA nova-scheduler enabled :-) None
HostA nova-network enabled :-) None
HostB nova-compute enabled :-) None
HostC nova-compute enabled :-) None]]></computeroutput></screen>
<para>In this example, HostC can be picked up
because <systemitem class="service"
>nova-compute</systemitem> is running on
it.</para>
</step>
<step>
<para>Ensure that HostC has enough resource for
migration.</para>
<screen><prompt>#</prompt> <userinput>nova-manage service describe_resource HostC</userinput><computeroutput><![CDATA[HOST PROJECT cpu mem(mb) hdd
HostC(total) 16 32232 878
HostC(used_now) 13 21284 442
HostC(used_max) 13 21284 442
HostC p1 5 10240 150
HostC p2 5 10240 150
.....]]></computeroutput></screen>
<itemizedlist>
<listitem>
<para><emphasis role="bold"
>cpu:</emphasis>the number of
cpu</para>
</listitem>
<listitem>
<para><emphasis role="bold"
>mem(mb):</emphasis>total amount of
memory (MB)</para>
</listitem>
<listitem>
<para><emphasis role="bold"
>hdd:</emphasis>total amount of
space for
NOVA-INST-DIR/instances(GB)</para>
</listitem>
<listitem>
<para><emphasis role="bold">1st line shows
</emphasis>total amount of resource
physical server has.</para>
</listitem>
<listitem>
<para><emphasis role="bold">2nd line shows
</emphasis>current used
resource.</para>
</listitem>
<listitem>
<para><emphasis role="bold">3rd line shows
</emphasis>maximum used
resource.</para>
</listitem>
<listitem>
<para><emphasis role="bold">4th line and
under</emphasis> shows the resource
for each project.</para>
</listitem>
</itemizedlist>
</step>
<step>
<para>Use the <command>nova
live-migration</command> command to
migrate the instances.</para>
<screen><prompt>#</prompt> <userinput>nova live-migration d1df1b5a-70c4-4fed-98b7-423362f2c47c HostC</userinput><computeroutput><![CDATA[Migration of d1df1b5a-70c4-4fed-98b7-423362f2c47c initiated.]]></computeroutput></screen>
<para>Make sure instances are migrated
successfully with <command>nova
list</command>. If instances are still running
on HostB, check log files (src/dest
<systemitem class="service"
>nova-compute</systemitem> and <systemitem
class="service"
>nova-scheduler</systemitem>) to determine
why. <note>
<para>While the nova command is called
<command>live-migration</command>,
under the default Compute
configuration options the instances
are suspended before migration.</para>
</note><!--<para>See
the <link linkend="configuring-migrations">Configuring Migrations</link>
section for more details.</para>--></para>
</step>
</procedure>
</section>
<section xml:id="section_nova-compute-node-down">
<title>Recover from a failed compute node</title>
<para>If you have deployed OpenStack Compute with a shared
file system, you can quickly recover from a failed
compute node.</para>
<section xml:id="nova-compute-node-down-manual-recovery">
<title>Manual recovery</title>
<para>For KVM/libvirt compute node recovery refer to
section above, while the guide below may be
applicable for other hypervisors.</para>
<procedure>
<title>To work with host information</title>
<step>
<para>Identify the vms on the affected hosts,
using tools such as a combination of
<literal>nova list</literal> and
<literal>nova show</literal> or
<literal>euca-describe-instances</literal>.
Here's an example using the EC2 API -
instance i-000015b9 that is running on
node np-rcc54:</para>
<programlisting>i-000015b9 at3-ui02 running nectarkey (376, np-rcc54) 0 m1.xxlarge 2012-06-19T00:48:11.000Z 115.146.93.60</programlisting>
</step>
<step>
<para>You can review the status of the host by
using the nova database. Some of the
important information is highlighted
below. This example converts an EC2 API
instance ID into an OpenStack ID - if you
used the <literal>nova</literal> commands,
you can substitute the ID directly. You
can find the credentials for your database
in
<filename>/etc/nova.conf</filename>.</para>
<programlisting>SELECT * FROM instances WHERE id = CONV('15b9', 16, 10) \G;
*************************** 1. row ***************************
created_at: 2012-06-19 00:48:11
updated_at: 2012-07-03 00:35:11
deleted_at: NULL
...
id: 5561
...
power_state: 5
vm_state: shutoff
...
hostname: at3-ui02
host: np-rcc54
...
uuid: 3f57699a-e773-4650-a443-b4b37eed5a06
...
task_state: NULL
...</programlisting>
</step>
</procedure>
<procedure>
<title>To recover the VM</title>
<step>
<para>Armed with the information of VMs on the
failed host, determine to which compute
host the affected VMs should move. Run the
following database command to move the VM
to np-rcc46:</para>
<programlisting>UPDATE instances SET host = 'np-rcc46' WHERE uuid = '3f57699a-e773-4650-a443-b4b37eed5a06'; </programlisting>
</step>
<step>
<para>Next, if using a hypervisor that relies
on libvirt (such as KVM) it is a good idea
to update the
<literal>libvirt.xml</literal> file
(found in
<literal>/var/lib/nova/instances/[instance
ID]</literal>). The important changes
to make are to change the
<literal>DHCPSERVER</literal> value to
the host ip address of the nova compute
host that is the VMs new home, and update
the VNC IP if it isn't already
<literal>0.0.0.0</literal>.</para>
</step>
<step>
<para>Next, reboot the VM:</para>
<screen><prompt>$</prompt> <userinput>nova reboot --hard 3f57699a-e773-4650-a443-b4b37eed5a06</userinput></screen>
</step>
<step>
<para>In theory, the above database update and
<literal>nova reboot</literal> command
are all that is required to recover the
VMs from a failed host. However, if
further problems occur, consider looking
at recreating the network filter
configuration using
<literal>virsh</literal>, restarting
the nova services or updating the
<literal>vm_state</literal> and
<literal>power_state</literal> in the
nova database.</para>
</step>
</procedure>
</section>
</section>
<section xml:id="section_nova-uid-mismatch">
<title>Recover from a UID/GID mismatch</title>
<para>When running OpenStack compute, using a shared file
system or an automated configuration tool, you could
encounter a situation where some files on your compute
node are using the wrong UID or GID. This causes a
raft of errors, such as being unable to live migrate,
or start virtual machines.</para>
<para>The following is a basic procedure run on
<systemitem class="service"
>nova-compute</systemitem> hosts, based on the KVM
hypervisor, that could help to restore the
situation:</para>
<procedure>
<title>To recover from a UID/GID mismatch</title>
<step>
<para>Make sure you don't use numbers that are
already used for some other user/group.</para>
</step>
<step>
<para>Set the nova uid in
<filename>/etc/passwd</filename> to the
same number in all hosts (for example,
112).</para>
</step>
<step>
<para>Set the libvirt-qemu uid in
<filename>/etc/passwd</filename> to the
same number in all hosts (for example,
119).</para>
</step>
<step>
<para>Set the nova group in
<filename>/etc/group</filename> file to
the same number in all hosts (for example,
120).</para>
</step>
<step>
<para>Set the libvirtd group in
<filename>/etc/group</filename> file to
the same number in all hosts (for example,
119).</para>
</step>
<step>
<para>Stop the services on the compute
node.</para>
</step>
<step>
<para>Change all the files owned by user nova or
by group nova. For example:</para>
<programlisting>find / -uid 108 -exec chown nova {} \; # note the 108 here is the old nova uid before the change
find / -gid 120 -exec chgrp nova {} \;</programlisting>
</step>
<step>
<para>Repeat the steps for the libvirt-qemu owned
files if those were needed to change.</para>
</step>
<step>
<para>Restart the services.</para>
</step>
<step>
<para>Now you can run the <command>find</command>
command to verify that all files using the
correct identifiers.</para>
</step>
</procedure>
</section>
<section xml:id="section_nova-disaster-recovery-process">
<title>Nova disaster recovery process</title>
<para>Sometimes, things just don't go right. An incident
is never planned, by its definition.</para>
<para>In this section describes how to manage your cloud
after a disaster, and how to easily back up the
persistent storage volumes. Back ups ARE mandatory,
even outside of disaster scenarios.</para>
<para>For reference, you can find a DRP definition here:
<link
xlink:href="http://en.wikipedia.org/wiki/Disaster_Recovery_Plan"
>http://en.wikipedia.org/wiki/Disaster_Recovery_Plan</link>.</para>
<simplesect>
<title>A- The disaster Recovery Process
presentation</title>
<para>A disaster could happen to several components of
your architecture: a disk crash, a network loss, a
power cut, and so on. In this example, assume the
following set up:</para>
<orderedlist>
<listitem>
<para>A cloud controller (nova-api,
nova-objecstore, nova-network)</para>
</listitem>
<listitem>
<para>A compute node (<systemitem
class="service"
>nova-compute</systemitem>)</para>
</listitem>
<listitem>
<para>A Storage Area Network used by
<systemitem class="service"
>cinder-volumes</systemitem> (aka
SAN)</para>
</listitem>
</orderedlist>
<para>The disaster example is the worst one: a power
loss. That power loss applies to the three
components. <emphasis role="italic">Let's see what
runs and how it runs before the
crash</emphasis>:</para>
<itemizedlist>
<listitem>
<para>From the SAN to the cloud controller, we
have an active iscsi session (used for the
"cinder-volumes" LVM's VG).</para>
</listitem>
<listitem>
<para>From the cloud controller to the compute
node we also have active iscsi sessions
(managed by <systemitem class="service"
>cinder-volume</systemitem>).</para>
</listitem>
<listitem>
<para>For every volume an iscsi session is
made (so 14 ebs volumes equals 14
sessions).</para>
</listitem>
<listitem>
<para>From the cloud controller to the compute
node, we also have iptables/ ebtables
rules which allows the access from the
cloud controller to the running
instance.</para>
</listitem>
<listitem>
<para>And at least, from the cloud controller
to the compute node ; saved into database,
the current state of the instances (in
that case "running" ), and their volumes
attachment (mount point, volume id, volume
status, and so on.)</para>
</listitem>
</itemizedlist>
<para>Now, after the power loss occurs and all
hardware components restart, the situation is as
follows:</para>
<itemizedlist>
<listitem>
<para>From the SAN to the cloud, the ISCSI
session no longer exists.</para>
</listitem>
<listitem>
<para>From the cloud controller to the compute
node, the ISCSI sessions no longer exist.
</para>
</listitem>
<listitem>
<para>From the cloud controller to the compute
node, the iptables and ebtables are
recreated, since, at boot, nova-network
reapply the configurations.</para>
</listitem>
<listitem>
<para>From the cloud controller, instances
turn into a shutdown state (because they
are no longer running)</para>
</listitem>
<listitem>
<para>Into the database, data was not updated
at all, since nova could not have guessed
the crash.</para>
</listitem>
</itemizedlist>
<para>Before going further, and to prevent the admin
to make fatal mistakes,<emphasis role="bold"> the
instances won't be lost</emphasis>, because no
"<command role="italic">destroy</command>" or
"<command role="italic">terminate</command>"
command was invoked, so the files for the
instances remain on the compute node.</para>
<para>The plan is to perform the following tasks, in
that exact order.</para>
<para><emphasis role="underline">Any extra step would
be dangerous at this stage</emphasis> :</para>
<para>
<orderedlist>
<listitem>
<para>Get the current relation from a
volume to its instance, so that you
can recreate the attachment.</para>
</listitem>
<listitem>
<para>Update the database to clean the
stalled state. (After that, you cannot
perform the first step).</para>
</listitem>
<listitem>
<para>Restart the instances. In other
words, go from a shutdown to running
state.</para>
</listitem>
<listitem>
<para>After the restart, you can reattach
the volumes to their respective
instances.</para>
</listitem>
<listitem>
<para>That step, which is not a mandatory
one, exists in an SSH into the
instances to reboot them.</para>
</listitem>
</orderedlist>
</para>
</simplesect>
<simplesect>
<title>B - The Disaster Recovery Process
itself</title>
<para><itemizedlist>
<listitem>
<para><emphasis role="bold"> Instance to
Volume relation </emphasis>
</para>
<para>We need to get the current relation
from a volume to its instance, because
we recreate the attachment:</para>
<para>This relation could be figured by
running <command>nova
volume-list</command> (note that
nova client includes ability to get
volume info from cinder)</para>
</listitem>
<listitem>
<para><emphasis role="bold"> Database
Update </emphasis>
</para>
<para>Second, we need to update the
database in order to clean the stalled
state. Now that we have saved the
attachments we need to restore for
every volume, the database can be
cleaned with the following queries:
<programlisting><prompt>mysql></prompt> <userinput>use cinder;</userinput>
<prompt>mysql></prompt> <userinput>update volumes set mountpoint=NULL;</userinput>
<prompt>mysql></prompt> <userinput>update volumes set status="available" where status &lt;&gt;"error_deleting";</userinput>
<prompt>mysql></prompt> <userinput>update volumes set attach_status="detached";</userinput>
<prompt>mysql></prompt> <userinput>update volumes set instance_id=0;</userinput> </programlisting>Now,
when running <command>nova
volume-list</command> all volumes
should be available.</para>
</listitem>
<listitem>
<para><emphasis role="bold"> Instances
Restart </emphasis>
</para>
<para>We need to restart the instances.
This can be done through a simple
<command>nova reboot
<replaceable>$instance</replaceable></command>
</para>
<para>At that stage, depending on your
image, some instances completely
reboot and become reachable, while
others stop on the "plymouth"
stage.</para>
<para><emphasis role="bold">DO NOT reboot
a second time</emphasis> the ones
which are stopped at that stage
(<emphasis role="italic">see below,
the fourth step</emphasis>). In
fact it depends on whether or not you
added an
<filename>/etc/fstab</filename>
entry for that volume. Images built
with the <emphasis role="italic"
>cloud-init</emphasis> package
remain in a pending state, while
others skip the missing volume and
start. (More information is available
on <link
xlink:href="https://help.ubuntu.com/community/CloudInit"
>help.ubuntu.com</link>.) The idea
of that stage is only to ask nova to
reboot every instance, so the stored
state is preserved.</para>
</listitem>
<listitem>
<para><emphasis role="bold"> Volume
Attachment </emphasis>
</para>
<para>After the restart, we can reattach
the volumes to their respective
instances. Now that nova has restored
the right status, it is time to
perform the attachments through a
<command>nova
volume-attach</command></para>
<para>Here is a simple snippet that uses
the file we created:</para>
<programlisting language="bash">#!/bin/bash
while read line; do
volume=`echo $line | $CUT -f 1 -d " "`
instance=`echo $line | $CUT -f 2 -d " "`
mount_point=`echo $line | $CUT -f 3 -d " "`
echo "ATTACHING VOLUME FOR INSTANCE - $instance"
nova volume-attach $instance $volume $mount_point
sleep 2
done &lt; $volumes_tmp_file</programlisting>
<para>At that stage, instances that were
pending on the boot sequence
(<emphasis role="italic"
>plymouth</emphasis>) automatically
continue their boot, and restart
normally, while the ones that booted
see the volume.</para>
</listitem>
<listitem>
<para><emphasis role="bold"> SSH into
instances </emphasis>
</para>
<para>If some services depend on the
volume, or if a volume has an entry
into fstab, it could be good to simply
restart the instance. This restart
needs to be made from the instance
itself, not through nova. So, we SSH
into the instance and perform a
reboot:</para>
<screen><prompt>#</prompt> <userinput>shutdown -r now</userinput></screen>
</listitem>
</itemizedlist>Voila! You successfully recovered
your cloud after that.</para>
<para>Here are some suggestions:</para>
<para><itemizedlist>
<listitem>
<para>Use the <parameter>
errors=remount</parameter>
parameter in the
<filename>fstab</filename> file,
which prevents data corruption.</para>
<para>The system would lock any write to
the disk if it detects an I/O error.
This configuration option should be
added into the <systemitem
class="service"
>cinder-volume</systemitem> server
(the one which performs the ISCSI
connection to the SAN), but also into
the instances'
<filename>fstab</filename>
file.</para>
</listitem>
<listitem>
<para>Do not add the entry for the SAN's
disks to the <systemitem
class="service"
>cinder-volume</systemitem>'s
<filename>fstab</filename>
file.</para>
<para>Some systems hang on that step,
which means you could lose access to
your cloud-controller. To re-run the
session manually, you would run the
following command before performing
the mount:
<screen><prompt>#</prompt> <userinput>iscsiadm -m discovery -t st -p $SAN_IP $ iscsiadm -m node --target-name $IQN -p $SAN_IP -l</userinput></screen></para>
</listitem>
<listitem>
<para>For your instances, if you have the
whole <filename>/home/</filename>
directory on the disk, instead of
emptying the
<filename>/home</filename>
directory and map the disk on it,
leave a user's directory with the
user's bash files and the
<filename>authorized_keys</filename>
file.</para>
<para>This enables you to connect to the
instance, even without the volume
attached, if you allow only
connections through public
keys.</para>
</listitem>
</itemizedlist>
</para>
</simplesect>
<simplesect>
<title>C- Scripted DRP</title>
<para>You can download from <link
xlink:href="https://github.com/Razique/BashStuff/blob/master/SYSTEMS/OpenStack/SCR_5006_V00_NUAC-OPENSTACK-DRP-OpenStack.sh"
>here</link> a bash script which performs
these five steps:</para>
<para>The "test mode" allows you to perform that whole
sequence for only one instance.</para>
<para>To reproduce the power loss, connect to the
compute node which runs that same instance and
close the iscsi session. <emphasis
role="underline">Do not detach the volume
through <command>nova
volume-detach</command></emphasis>, but
instead manually close the iscsi session.</para>
<para>In the following example, the iscsi session is
number 15 for that instance:</para>
<screen><prompt>$</prompt> <userinput>iscsiadm -m session -u -r 15</userinput> </screen>
<para><emphasis role="bold">Do not forget the
<literal>-r</literal> flag; otherwise, you
close ALL sessions</emphasis>.</para>
</simplesect>
</section>
</section>
<xi:include href="../common/section_support-compute.xml"/>
</chapter>
View Git Blame Copy Permalink