openstack-manuals/doc/admin-guide-cloud/ch_compute.xml
Andreas Jaeger d3ae18b187 Remove usage of sudo from admin-guide
Update prompts as needed.

Change-Id: I29e3d620ef942be599e940023048e62df7e9d1f7
2014-03-10 20:05:27 +01:00

2738 lines
152 KiB
XML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns:html="http://www.w3.org/1999/xhtml" version="5.0"
xml:id="ch_introduction-to-openstack-compute">
<title>Compute</title>
<para>The OpenStack Compute service allows you to control an
Infrastructure-as-a-Service (IaaS) cloud computing platform.
It gives you control over instances and networks, and allows
you to manage access to the cloud through users and
projects.</para>
<para>Compute does not include any virtualization software.
Instead, it defines drivers that interact with underlying
virtualization mechanisms that run on your host operating
system, and exposes functionality over a web-based API.</para>
<section xml:id="section_hypervisors">
<title>Hypervisors</title>
<para>Compute controls hypervisors through an API server.
Selecting the best hypervisor to use can be difficult, and
you must take budget, resource constraints, supported
features, and required technical specifications into
account. However, the majority of OpenStack development is
done on systems using KVM and Xen-based hypervisors. For a
detailed list of features and support across different
hypervisors, see <link
xlink:href="http://wiki.openstack.org/HypervisorSupportMatrix"
>http://wiki.openstack.org/HypervisorSupportMatrix</link>.</para>
<para>You can also orchestrate clouds using multiple
hypervisors in different availability zones. Compute
supports the following hypervisors:</para>
<itemizedlist>
<listitem>
<para>
<link
xlink:href="https://wiki.openstack.org/wiki/Baremetal"
>Baremetal</link>
</para>
</listitem>
<listitem>
<para>
<link
xlink:href="http://www.microsoft.com/en-us/server-cloud/hyper-v-server/default.aspx"
>Hyper-V</link>
</para>
</listitem>
<listitem>
<para>
<link
xlink:href="http://www.linux-kvm.org/page/Main_Page"
>Kernel-based Virtual Machine (KVM)</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="http://lxc.sourceforge.net/"
>Linux Containers (LXC)</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="http://wiki.qemu.org/Manual"
>Quick Emulator (QEMU)</link>
</para>
</listitem>
<listitem>
<para>
<link
xlink:href="http://user-mode-linux.sourceforge.net/"
>User Mode Linux (UML)</link>
</para>
</listitem>
<listitem>
<para>
<link
xlink:href="http://www.vmware.com/products/vsphere-hypervisor/support.html"
>VMWare vSphere</link>
</para>
</listitem>
<listitem>
<para>
<link
xlink:href="http://www.xen.org/support/documentation.html"
>Xen</link>
</para>
</listitem>
</itemizedlist>
<para>For more information about hypervisors, see the <link
xlink:href="http://docs.openstack.org/trunk/config-reference/content/section_compute-hypervisors.html"
>Hypervisors</link> section in the
<citetitle>OpenStack Configuration
Reference</citetitle>.</para>
</section>
<section xml:id="section_users-and-projects">
<title>Tenants, users, and roles</title>
<para>The Compute system is designed to be used by different
consumers in the form of tenants on a shared system, and
role-based access assignments. Roles control the actions
that a user is allowed to perform.</para>
<para>Tenants are isolated resource containers that form the
principal organizational structure within the Compute
service. They consist of an individual VLAN, and volumes,
instances, images, keys, and users. A user can specify the
tenant by appending <literal>:project_id</literal> to
their access key. If no tenant is specified in the API
request, Compute attempts to use a tenant with the same ID
as the user.</para>
<para>For tenants, quota controls are available to limit
the:</para>
<itemizedlist>
<listitem>
<para>number of volumes that may be launched.</para>
</listitem>
<listitem>
<para>number of processor cores and the amount of RAM
that can be allocated.</para>
</listitem>
<listitem>
<para>floating IP addresses assigned to any instance
when it launches. This allows instances to have
the same publicly accessible IP addresses.</para>
</listitem>
<listitem>
<para>fixed IP addresses assigned to the same instance
when it launches. This allows instances to have
the same publicly or privately accessible IP
addresses.</para>
</listitem>
</itemizedlist>
<para>Roles control the actions a user is allowed to perform.
By default, most actions do not require a particular role,
but you can configure them by editing the
<filename>policy.json</filename> file for user roles.
For example, a rule can be defined so that a user must
have the <parameter>admin</parameter> role in order to be
able to allocate a public IP address.</para>
<para>A tenant limits users' access to particular images. Each
user is assigned a username and password. Keypairs
granting access to an instance are enabled for each user,
but quotas are set, so that each tenant can control
resource consumption across available hardware
resources.</para>
<note>
<para>Earlier versions of OpenStack used the term
<systemitem class="service">project</systemitem>
instead of <systemitem class="service"
>tenant</systemitem>. Because of this legacy
terminology, some command-line tools use
<parameter>--project_id</parameter> where you
would normally expect to enter a tenant ID.</para>
</note>
</section>
<section xml:id="section_images-and-instances">
<title>Images and instances</title>
<para>Disk images provide templates for virtual machine file
systems. The Glance service manages storage and management
of images.</para>
<para>Instances are the individual virtual machines that run
on physical compute nodes. Users can launch any number of
instances from the same image. Each launched instance runs
from a copy of the base image so that any changes made to
the instance do not affect the base image. You can take
snapshots of running instances to create an image based on
the current disk state of a particular instance. The
Compute services manages instances.</para>
<para>For more information about creating and troubleshooting
images, see the <citetitle><link
xlink:href="http://docs.openstack.org/image-guide/content/"
>OpenStack Virtual Machine Image
Guide</link></citetitle>.</para>
<para>For more information about image configuration options,
see the <link
xlink:href="http://docs.openstack.org/trunk/config-reference/content/ch_configuring-openstack-image-service.html"
>Image Services</link> section of the
<citetitle>OpenStack Configuration
Reference</citetitle>.</para>
<para>When you launch an instance, you must choose a
<literal>flavor</literal>, which represents a set of
virtual resources. Flavors define how many virtual CPUs an
instance has and the amount of RAM and size of its
ephemeral disks. OpenStack provides a number of predefined
flavors that you can edit or add to. Users must select
from the set of available flavors defined on their
cloud.</para>
<para>For more information about flavors, see the <link
xlink:href="http://docs.openstack.org/trunk/openstack-ops/content/flavors.html"
>Flavors</link> section in the <citetitle>OpenStack
Operations Guide</citetitle>.</para>
<para>You can add and remove additional resources from running
instances, such as persistent volume storage, or public IP
addresses. The example used in this chapter is of a
typical virtual system within an OpenStack cloud. It uses
the <systemitem class="service">cinder-volume</systemitem>
service, which provides persistent block storage, instead
of the ephemeral storage provided by the selected instance
flavor.</para>
<para>This diagram shows the system state prior to launching
an instance. The image store, fronted by the image
service, Glance, has a number of predefined images. Inside
the cloud, a compute node contains the available vCPU,
memory, and local disk resources. Additionally, the
<systemitem class="service">cinder-volume</systemitem>
service provides a number of predefined volumes.</para>
<figure xml:id="initial-instance-state-figure">
<title>Base image state with no running instances</title>
<mediaobject>
<imageobject>
<imagedata
fileref="../common/figures/instance-life-1.png"
/>
</imageobject>
</mediaobject>
</figure>
<para>To launch an instance, select an image, a flavor, and
other optional attributes. The selected flavor provides a
root volume, labeled <literal>vda</literal> in this
diagram, and additional ephemeral storage, labeled
<literal>vdb</literal>. In this example, the
<systemitem class="service">cinder-volume</systemitem>
store is mapped to the third virtual disk on this
instance, <literal>vdc</literal>.</para>
<figure xml:id="run-instance-state-figure">
<title>Instance creation from image and runtime
state</title>
<mediaobject>
<imageobject>
<imagedata
fileref="../common/figures/instance-life-2.png"
/>
</imageobject>
</mediaobject>
</figure>
<para>The base image is copied from the image store to the
local disk. The local disk is the first disk that the
instance accesses, and is labeled <literal>vda</literal>.
By using smaller images, your instances start up faster as
less data needs to be copied across the network.</para>
<para>A new empty disk, labeled <literal>vdb</literal> is also
created. This is an empty ephemeral disk, which is
destroyed when you delete the instance.</para>
<para>The compute node is attached to the <systemitem
class="service">cinder-volume</systemitem> using
iSCSI, and maps to the third disk, <literal>vdc</literal>.
The vCPU and memory resources are provisioned and the
instance is booted from <literal>vda</literal>. The
instance runs and changes data on the disks as indicated
in red in the diagram.
<!--This isn't very accessible, need to consider rewording to explain more fully. LKB -->
</para>
<note>
<para>Some of the details in this example scenario might
be different in your environment. Specifically, you
might use a different type of back-end storage or
different network protocols. One common variant is
that the ephemeral storage used for volumes
<literal>vda</literal> and <literal>vdb</literal>
could be backed by network storage rather than a local
disk.</para>
</note>
<para>When the instance is deleted, the state is reclaimed
with the exception of the persistent volume. The ephemeral
storage is purged, memory and vCPU resources are released.
The image remains unchanged throughout.</para>
<figure xml:id="end-instance-state-figure">
<title>End state of image and volume after instance
exits</title>
<mediaobject>
<imageobject>
<imagedata
fileref="../common/figures/instance-life-3.png"
/>
</imageobject>
</mediaobject>
</figure>
</section>
<section xml:id="section_system-architecture">
<title>System architecture</title>
<para>OpenStack Compute contains several main components. The
<glossterm>cloud controller</glossterm> represents the
global state and interacts with the other components. The
<literal>API server</literal> acts as the web services
front end for the cloud controller. The <literal>compute
controller</literal> provides compute server resources
and usually also contains the Compute service.</para>
<para>The <literal>object store</literal> is an optional
component that provides storage services. An <literal>auth
manager</literal> provides authentication and
authorization services when used with the Compute system,
or you can use the <literal>identity service</literal> as
a separate authentication service instead. A
<literal>volume controller</literal> provides fast and
permanent block-level storage for the compute servers. The
<literal>network controller</literal> provides virtual
networks to enable compute servers to interact with each
other and with the public network. The
<literal>scheduler</literal> is used to select the
most suitable compute controller to host an
instance.</para>
<para>Compute uses a messaging-based, <literal>shared
nothing</literal> architecture. All major components
exist on multiple servers, including the compute, volume,
and network controllers, and the object store or image
service. The state of the entire system is stored in a
database. The cloud controller communicates with the
internal object store using HTTP, but it communicates with
the scheduler, network controller, and volume controller
using AMQP (advanced message queueing protocol). To avoid
blocking a component while waiting for a response, Compute
uses asynchronous calls, with a callback that is triggered
when a response is received.</para>
</section>
<section xml:id="section_storage-and-openstack-compute">
<title>Block storage</title>
<para>OpenStack provides two classes of block storage:
ephemeral storage and persistent volumes. Volumes are
persistent virtualized block devices independent of any
particular instance.</para>
<para>Ephemeral storage is associated with a single unique
instance, and it exists only for the life of that
instance. The amount of ephemeral storage is defined by
the flavor of the instance. Generally, the root file
system for an instance will be stored on ephemeral
storage. It persists across reboots of the guest operating
system, but when the instance is deleted, the ephemeral
storage is also removed.</para>
<para>In addition to the ephemeral root volume, all flavors
except the smallest, <filename>m1.tiny</filename>, also
provide an additional ephemeral block device of between 20
and 160GB. These sizes can be configured to suit your
environment. This is presented as a raw block device with
no partition table or file system. Cloud-aware operating
system images can discover, format, and mount these
storage devices. For example, the <systemitem
class="service">cloud-init</systemitem> package
included in Ubuntu's stock cloud images format this space
as an <filename>ext3</filename> file system and mount it
on <filename>/mnt</filename>. This is a feature of the
guest operating system you are using, and is not an
OpenStack mechanism. OpenStack only provisions the raw
storage.</para>
<para>Persistent volumes are created by users and their size
is limited only by the user's quota and availability
limits. Upon initial creation, volumes are raw block
devices without a partition table or a file system. To
partition or format volumes, you must attach them to an
instance. Once they are attached to an instance, you can
use persistent volumes in much the same way as you would
use external hard disk drive. You can attach volumes to
only one instance at a time, although you can detach and
reattach volumes to as many different instances as you
like.</para>
<para>Persistent volumes can be configured as bootable and
used to provide a persistent virtual instance similar to
traditional non-cloud-based virtualization systems.
Typically, the resulting instance can also still have
ephemeral storage depending on the flavor selected, but
the root file system can be on the persistent volume and
its state maintained even if the instance is shut down.
For more information about this type of configuration, see
the <citetitle>OpenStack Configuration
Reference</citetitle>.</para>
<note>
<para>Persistent volumes do not provide concurrent access
from multiple instances. That type of configuration
requires a traditional network file system like NFS or
CIFS, or a cluster file system such as GlusterFS.
These systems can be built within an OpenStack cluster
or provisioned outside of it, but OpenStack software
does not provide these features.</para>
</note>
</section>
<section xml:id="section_image-mgmt">
<title>Image management</title>
<para>The OpenStack Image service discovers, registers, and
retrieves virtual machine images. The service also
includes a RESTful API that allows you to query VM image
metadata and retrieve the actual image with HTTP requests.
For more information about the API, see the <link
xlink:href="http://api.openstack.org/api-ref.html#os-images-2.0"
> OpenStack API</link> or the <link
xlink:href="http://docs.openstack.org/developer/python-glanceclient/"
> Python API</link>.</para>
<para>The OpenStack Image service can be controlled using a
command-line tool. For more information about the
OpenStack Image command-line tool, see the <link
xlink:href="http://docs.openstack.org/user-guide/content/cli_manage_images.html"
> Image Management</link> section in the
<citetitle>OpenStack User Guide</citetitle>.</para>
<para>Virtual images that have been made available through the
Image service can be stored in a variety of ways. In order
to use these services, you must have a working
installation of the Image Service, with a working
endpoint, and users that have been created in the Identity
Service. Additionally, you must meet the environment
variables required by the Compute and Image
clients.</para>
<para>The Image Service supports these back end stores:</para>
<variablelist>
<varlistentry>
<term>File system</term>
<listitem>
<para>The OpenStack Image Service stores virtual
machine images in the file system back-end by
default. This simple back end writes image
files to the local file system.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Object Storage service</term>
<listitem>
<para>The OpenStack highly-available object
storage service.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>S3</term>
<listitem>
<para>The Amazon S3 service.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>HTTP</term>
<listitem>
<para>OpenStack Image Service can read virtual
machine images that are available on the
internet using HTTP. This store is read
only.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Rados block device (RBD)</term>
<listitem>
<para>Stores images inside of a Ceph storage
cluster using Ceph's RBD interface.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>GridFS</term>
<listitem>
<para>Stores images using MongoDB.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<xi:include href="image/section_glance-property-protection.xml"/>
<section xml:id="section_instance-mgmt">
<title>Instance management tools</title>
<para>OpenStack provides command-line, web-based, and
API-based instance management tools. Additionally, a
number of third-party management tools are available,
using either the native API or the provided EC2-compatible
API.</para>
<para>The OpenStack
<application>python-novaclient</application> package
provides a basic command-line utility, which uses the
<command>nova</command> command. This is available as
a native package for most Linux distributions, or you can
install the latest version using the
<application>pip</application> python package
installer:</para>
<screen><prompt>#</prompt> <userinput>pip install python-novaclient</userinput></screen>
<para>For more information about
<application>python-novaclient</application> and other
available command-line tools, see the <link
xlink:href="http://docs.openstack.org/user-guide/content/index.html">
<citetitle>OpenStack End User
Guide</citetitle></link>.</para>
<screen><prompt>#</prompt> <userinput>nova --debug list</userinput>
<?db-font-size 75%?><computeroutput>connect: (10.0.0.15, 5000)
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: 10.0.0.15:5000\r\nContent-Length: 116\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n{"auth": {"tenantName": "demoproject", "passwordCredentials": {"username": "demouser", "password": "demopassword"}}}'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json
header: Vary: X-Auth-Token
header: Date: Thu, 13 Sep 2012 20:27:36 GMT
header: Transfer-Encoding: chunked
connect: (128.52.128.15, 8774)
send: u'GET /v2/fa9dccdeadbeef23ae230969587a14bf/servers/detail HTTP/1.1\r\nHost: 10.0.0.15:8774\r\nx-auth-project-id: demoproject\r\nx-auth-token: deadbeef9998823afecc3d552525c34c\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: X-Compute-Request-Id: req-bf313e7d-771a-4c0b-ad08-c5da8161b30f
header: Content-Type: application/json
header: Content-Length: 15
header: Date: Thu, 13 Sep 2012 20:27:36 GMT
!!removed matrix for validation!! </computeroutput></screen>
</section>
<section xml:id="instance-mgmt-ec2compat">
<title>EC2 compatibility API</title>
<para>In addition to the native compute API, OpenStack
provides an EC2-compatible API. This API allows EC2 legacy
workflows built for EC2 to work with OpenStack.</para>
<para>The <citetitle>OpenStack Configuration
Reference</citetitle> lists configuration options for
customizing this compatibility API on your OpenStack
cloud.</para>
<para>Numerous third-party tools and language-specific SDKs
can be used to interact with OpenStack clouds, using both
native and compatibility APIs. Some of the more popular
third-party tools are:</para>
<variablelist>
<varlistentry>
<term>Euca2ools</term>
<listitem>
<para>A popular open source command-line tool for
interacting with the EC2 API. This is
convenient for multi-cloud environments where
EC2 is the common API, or for transitioning
from EC2-based clouds to OpenStack. For more
information, see the <link
xlink:href="http://open.eucalyptus.com/wiki/Euca2oolsGuide"
>euca2ools site</link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Hybridfox</term>
<listitem>
<para>A Firefox browser add-on that provides a
graphical interface to many popular public and
private cloud technologies, including
OpenStack. For more information, see the <link
xlink:href="http://code.google.com/p/hybridfox/"
> hybridfox site</link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>boto</term>
<listitem>
<para>A Python library for interacting with Amazon
Web Services. It can be used to access
OpenStack through the EC2 compatibility API.
For more information, see the <link
xlink:href="https://github.com/boto/boto">
boto project page on GitHub</link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>fog</term>
<listitem>
<para>A Ruby cloud services library. It provides
methods for interacting with a large number of
cloud and virtualization platforms, including
OpenStack. For more information, see the <link
xlink:href="https://rubygems.org/gems/fog"
> fog site</link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>php-opencloud</term>
<listitem>
<para>A PHP SDK designed to work with most
OpenStack- based cloud deployments, as well as
Rackspace public cloud. For more information,
see the <link
xlink:href="http://www.php-opencloud.com">
php-opencloud site</link>.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="section_instance-building-blocks">
<title>Building blocks</title>
<para>In OpenStack the base operating system is usually copied
from an image stored in the OpenStack Image service. This
is the most common case and results in an ephemeral
instance that starts from a known template state and loses
all accumulated states on shutdown. It is also possible to
put an operating system on a persistent volume in the
Nova-Volume or Cinder volume system. This gives a more
traditional persistent system that accumulates states,
which are preserved across restarts. To get a list of
available images on your system run:
<screen><prompt>$</prompt> <userinput>nova image-list</userinput>
<?db-font-size 50%?><computeroutput>+--------------------------------------+-------------------------------+--------+--------------------------------------+
| ID | Name | Status | Server |
+--------------------------------------+-------------------------------+--------+--------------------------------------+
| aee1d242-730f-431f-88c1-87630c0f07ba | Ubuntu 12.04 cloudimg amd64 | ACTIVE | |
| 0b27baa1-0ca6-49a7-b3f4-48388e440245 | Ubuntu 12.10 cloudimg amd64 | ACTIVE | |
| df8d56fc-9cea-4dfd-a8d3-28764de3cb08 | jenkins | ACTIVE | |
+--------------------------------------+-------------------------------+--------+--------------------------------------+</computeroutput></screen>
</para>
<para>The displayed image attributes are:</para>
<variablelist>
<varlistentry>
<term><literal>ID</literal></term>
<listitem>
<para>Automatically generated UUID of the
image</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Name</literal></term>
<listitem>
<para>Free form, human-readable name for
image</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Status</literal></term>
<listitem>
<para>The status of the image. Images marked
<literal>ACTIVE</literal> are available
for use.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Server</literal></term>
<listitem>
<para>For images that are created as snapshots of
running instances, this is the UUID of the
instance the snapshot derives from. For
uploaded images, this field is blank.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Virtual hardware templates are called
<literal>flavors</literal>. The default installation
provides five flavors. By default, these are configurable
by admin users, however that behavior can be changed by
redefining the access controls for
<parameter>compute_extension:flavormanage</parameter>
in <filename>/etc/nova/policy.json</filename> on the
<filename>compute-api</filename> server.</para>
<para>For a list of flavors that are available on your
system:</para>
<screen><prompt>$</prompt> <userinput>nova flavor-list</userinput>
<computeroutput>+----+-----------+-----------+------+-----------+------+-------+-------------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor |
+----+-----------+-----------+------+-----------+------+-------+-------------+
| 1 | m1.tiny | 512 | 1 | N/A | 0 | 1 | |
| 2 | m1.small | 2048 | 20 | N/A | 0 | 1 | |
| 3 | m1.medium | 4096 | 40 | N/A | 0 | 2 | |
| 4 | m1.large | 8192 | 80 | N/A | 0 | 4 | |
| 5 | m1.xlarge | 16384 | 160 | N/A | 0 | 8 | |
+----+-----------+-----------+------+-----------+------+-------+-------------+
</computeroutput></screen>
</section>
<xi:include
href="../common/section_cli_nova_customize_flavors.xml"/>
<section xml:id="section_instance-scheduling-constraints">
<title>Control where instances run</title>
<para>The <!--<xref linkend="ch_scheduling"/>-->
<citetitle>OpenStack Configuration Reference</citetitle>
provides detailed information on controlling where your
instances run, including ensuring a set of instances run
on different compute nodes for service resiliency or on
the same node for high performance inter-instance
communications.</para>
<para>Admin users can specify an exact compute node to run on
using the command <command>--availability-zone
<replaceable>availability-zone</replaceable>:<replaceable>compute-host</replaceable></command>
</para>
</section>
<section xml:id="admin-password-injection">
<?dbhtml stop-chunking?>
<title>Admin password injection</title>
<para>You can configure Compute to generate a random
administrator (root) password and inject that password
into the instance. If this feature is enabled, a user can
ssh to an instance without an ssh keypair. The random
password appears in the output of the <command>nova
boot</command> command. You can also view and set the
admin password from the dashboard.</para>
<simplesect>
<title>Dashboard</title>
<para>The dashboard is configured by default to display
the admin password and allow the user to modify
it.</para>
<para>If you do not want to support password injection, we
recommend disabling the password fields by editing
your Dashboard <filename>local_settings</filename>
file (file location will vary by Linux distribution,
on Fedora/RHEL/CentOS: <filename>
/etc/openstack-dashboard/local_settings</filename>,
on Ubuntu and Debian:
<filename>/etc/openstack-dashboard/local_settings.py</filename>
and on openSUSE and SUSE Linux Enterprise Server:
<filename>/srv/www/openstack-dashboard/openstack_dashboard/local/local_settings.py</filename>)
<programlisting language="ini">OPENSTACK_HYPERVISOR_FEATURE = {
...
'can_set_password': False,
}</programlisting></para>
</simplesect>
<simplesect>
<title>Libvirt-based hypervisors (KVM, QEMU, LXC)</title>
<para>For hypervisors such as KVM that use the libvirt
backend, admin password injection is disabled by
default. To enable it, set the following option in
<filename>/etc/nova/nova.conf</filename>:</para>
<para>
<programlisting language="ini">[libvirt]
inject_password=true</programlisting>
</para>
<para>When enabled, Compute will modify the password of
the root account by editing the
<filename>/etc/shadow</filename> file inside of
the virtual machine instance.</para>
<note>
<para>Users can only ssh to the instance by using the
admin password if:</para>
<itemizedlist>
<listitem>
<para>The virtual machine image is a Linux
distribution</para>
</listitem>
<listitem>
<para>The virtual machine has been configured
to allow users to ssh as the root user.
This is not the case for <link
xlink:href="http://cloud-images.ubuntu.com/"
>Ubuntu cloud images</link>, which
disallow ssh to the root account by
default.</para>
</listitem>
</itemizedlist>
</note>
</simplesect>
<simplesect>
<title>XenAPI (XenServer/XCP)</title>
<para>Compute uses the XenAPI agent to inject passwords
into guests when using the XenAPI hypervisor backend.
The virtual machine image must be configured with the
agent for password injection to work.</para>
</simplesect>
<simplesect>
<title>Windows images (all hypervisors)</title>
<para>To support the admin password for Windows virtual
machines, you must configure the Windows image to
retrieve the admin password on boot by installing an
agent such as <link
xlink:href="https://github.com/cloudbase/cloudbase-init"
>cloudbase-init</link>.</para>
</simplesect>
</section>
<xi:include href="../common/section_cli_nova_volumes.xml"/>
<section xml:id="section_networking-nova">
<title>Networking with nova-network</title>
<para>Understanding the networking configuration options helps
you design the best configuration for your Compute
instances.</para>
<section xml:id="section_networking-options">
<title>Networking options</title>
<para>This section offers a brief overview of each concept
in networking for Compute. With the Grizzly release,
you can choose to either install and configure
<systemitem class="service"
>nova-network</systemitem> for networking between
VMs or use the Networking service (neutron) for
networking. To configure Compute networking options
with Neutron, see the <xref linkend="ch_networking"
/>.</para>
<para>For each VM instance, Compute assigns to it a
private IP address. (Currently, Compute with
<systemitem class="service"
>nova-network</systemitem> only supports Linux
bridge networking that enables the virtual interfaces
to connect to the outside network through the physical
interface.)</para>
<para>The network controller with <systemitem
class="service">nova-network</systemitem> provides
virtual networks to enable compute servers to interact
with each other and with the public network.</para>
<para>Currently, Compute with <systemitem class="service"
>nova-network</systemitem> supports these kinds of
networks, implemented in different “Network Manager”
types:</para>
<itemizedlist>
<listitem>
<para>Flat Network Manager</para>
</listitem>
<listitem>
<para>Flat DHCP Network Manager</para>
</listitem>
<listitem>
<para>VLAN Network Manager</para>
</listitem>
</itemizedlist>
<para>These network managers can co-exist in a cloud
system. However, because you cannot select the type of
network for a given project, you cannot configure
multiple network types in a single Compute
installation.</para>
<note>
<para>All networking options require network
connectivity to be already set up between
OpenStack physical nodes. OpenStack does not
configure any physical network interfaces. All
network managers automatically create VM virtual
interfaces. Some, but not all, create network
bridges such as <literal>br100</literal>.</para>
<para>All machines must have a <emphasis role="italic"
>public</emphasis> and <emphasis role="italic"
>internal</emphasis> network interface
(controlled by the options:
<literal>public_interface</literal> for the
public interface, and
<literal>flat_interface</literal> and
<literal>vlan_interface</literal> for the
internal interface with flat / VLAN managers).
This guide refers to the public network as the
external network and the private network as the
internal or tenant network.</para>
<para>The internal network interface is used for
communication with VMs, it shouldn't have an IP
address attached to it before OpenStack
installation (it serves merely as a fabric where
the actual endpoints are VMs and dnsmasq). Also,
the internal network interface must be put in
<emphasis role="italic">promiscuous
mode</emphasis>, because it must receive
packets whose target MAC address is of the guest
VM, not of the host.</para>
<para>Throughout this documentation, the public
network is sometimes referred to as the external
network, while the internal network is also
sometimes referred to as the private network or
tenant network.</para>
</note>
<para>All the network managers configure the network using
<emphasis role="italic">network
drivers</emphasis>. For example, the Linux L3 driver
(<literal>l3.py</literal> and
<literal>linux_net.py</literal>), which makes use
of <literal>iptables</literal>,
<literal>route</literal> and other network
management facilities, and libvirt's <link
xlink:href="http://libvirt.org/formatnwfilter.html"
>network filtering facilities</link>. The driver
isn't tied to any particular network manager; all
network managers use the same driver. The driver
usually initializes (creates bridges and so on) only
when the first VM lands on this host node.</para>
<para>All network managers operate in either <emphasis
role="italic">single-host</emphasis> or <emphasis
role="italic">multi-host</emphasis> mode. This
choice greatly influences the network configuration.
In single-host mode, a single <systemitem
class="service">nova-network</systemitem> service
provides a default gateway for VMs and hosts a single
DHCP server (dnsmasq). In multi-host mode, each
compute node runs its own <systemitem class="service"
>nova-network</systemitem> service. In both cases,
all traffic between VMs and the outer world flows
through <systemitem class="service"
>nova-network</systemitem>. Each mode has its pros
and cons. Read more in the <link
xlink:href="http://docs.openstack.org/havana/config-reference/content/"
><citetitle>OpenStack Configuration
Reference</citetitle></link>.</para>
<para>Compute makes a distinction between <emphasis
role="italic">fixed IPs</emphasis> and <emphasis
role="italic">floating IPs</emphasis> for VM
instances. Fixed IPs are IP addresses that are
assigned to an instance on creation and stay the same
until the instance is explicitly terminated. By
contrast, floating IPs are addresses that can be
dynamically associated with an instance. A floating IP
address can be disassociated and associated with
another instance at any time. A user can reserve a
floating IP for their project.</para>
<para>In <emphasis role="bold">Flat Mode</emphasis>, a
network administrator specifies a subnet. The IP
addresses for VM instances are grabbed from the
subnet, and then injected into the image on launch.
Each instance receives a fixed IP address from the
pool of available addresses. A system administrator
must create the Linux networking bridge (typically
named <literal>br100</literal>, although this is
configurable) on the systems running the <systemitem
class="service">nova-network</systemitem> service.
All instances of the system are attached to the same
bridge, configured manually by the network
administrator.</para>
<note>
<para>The configuration injection currently only works
on Linux-style systems that keep networking
configuration in
<filename>/etc/network/interfaces</filename>.</para>
</note>
<para>In <emphasis role="bold">Flat DHCP Mode</emphasis>,
OpenStack starts a DHCP server (dnsmasq) to pass out
IP addresses to VM instances from the specified subnet
in addition to manually configuring the networking
bridge. IP addresses for VM instances are grabbed from
a subnet specified by the network
administrator.</para>
<para>Like Flat Mode, all instances are attached to a
single bridge on the compute node. In addition a DHCP
server is running to configure instances (depending on
single-/multi-host mode, alongside each <systemitem
class="service">nova-network</systemitem>). In
this mode, Compute does a bit more configuration in
that it attempts to bridge into an ethernet device
(<literal>flat_interface</literal>, eth0 by
default). For every instance, nova allocates a fixed
IP address and configure dnsmasq with the MAC/IP pair
for the VM. Dnsmasq doesn't take part in the IP
address allocation process, it only hands out IPs
according to the mapping done by nova. Instances
receive their fixed IPs by doing a dhcpdiscover. These
IPs are <emphasis role="italic">not</emphasis>
assigned to any of the host's network interfaces, only
to the VM's guest-side interface.</para>
<para>In any setup with flat networking, the hosts
providing the <systemitem class="service"
>nova-network</systemitem> service are responsible
for forwarding traffic from the private network. They
also run and configure dnsmasq as a DHCP server
listening on this bridge, usually on IP address
10.0.0.1 (see <link linkend="section_dnsmasq">DHCP
server: dnsmasq </link>). Compute can determine
the NAT entries for each network, though sometimes NAT
is not used, such as when configured with all public
IPs or a hardware router is used (one of the HA
options). Such hosts need to have
<literal>br100</literal> configured and physically
connected to any other nodes that are hosting VMs. You
must set the <literal>flat_network_bridge</literal>
option or create networks with the bridge parameter in
order to avoid raising an error. Compute nodes have
iptables/ebtables entries created for each project and
instance to protect against IP/MAC address spoofing
and ARP poisoning.</para>
<note>
<para>In single-host Flat DHCP mode you <emphasis
role="italic">will</emphasis> be able to ping
VMs through their fixed IP from the nova-network
node, but you <emphasis role="italic"
>cannot</emphasis> ping them from the compute
nodes. This is expected behavior.</para>
</note>
<para>For flat and flat DHCP modes, create networks as
follows:</para>
<screen><prompt>$</prompt> <userinput>nova network-create vmnet \
--fixed-range-v4=10.0.0.0/24 --fixed-cidr=10.20.0.0/16 --bridge=br100</userinput></screen>
<para>The confusingly-named
<option>--fixed-range-v4-</option> option
specifies the network subnet. The
<option>--fixed-cidr</option> option specifies a
range of fixed IP addresses to allocate, and can be a
subset of the <option>--fixed-range-v4</option>
argument. The <option>--bridge</option> option
specifies the bridge device to which this network is
connected on every compute node.</para>
<para><emphasis role="bold">VLAN Network Mode is the
default mode</emphasis> for OpenStack Compute. In
this mode, Compute creates a VLAN and bridge for each
project. For multiple machine installation, the VLAN
Network Mode requires a switch that supports VLAN
tagging (IEEE 802.1Q). The project gets a range of
private IPs that are only accessible from inside the
VLAN. In order for a user to access the instances in
their project, a special VPN instance (code named
cloudpipe) needs to be created. Compute generates a
certificate and key for the user to access the VPN and
starts the VPN automatically. It provides a private
network segment for each project's instances that can
be accessed through a dedicated VPN connection from
the Internet. In this mode, each project gets its own
VLAN, Linux networking bridge, and subnet.</para>
<para>The subnets are specified by the network
administrator, and are assigned dynamically to a
project when required. A DHCP Server is started for
each VLAN to pass out IP addresses to VM instances
from the subnet assigned to the project. All instances
belonging to one project are bridged into the same
VLAN for that project. OpenStack Compute creates the
Linux networking bridges and VLANs when
required.</para>
</section>
<section xml:id="section_dnsmasq">
<title>DHCP server: dnsmasq</title>
<para>The Compute service uses <link
xlink:href="http://www.thekelleys.org.uk/dnsmasq/doc.html"
>dnsmasq</link> as the DHCP server when running
with either that Flat DHCP Network Manager or the VLAN
Network Manager. The <systemitem class="service"
>nova-network</systemitem> service is responsible
for starting up dnsmasq processes.</para>
<para>The behavior of dnsmasq can be customized by
creating a dnsmasq configuration file. Specify the
config file using the
<literal>dnsmasq_config_file</literal>
configuration option. For example:</para>
<programlisting language="ini">dnsmasq_config_file=/etc/dnsmasq-nova.conf</programlisting>
<para>See the <link
xlink:href="http://docs.openstack.org/havana/config-reference/content/"
><citetitle>OpenStack Configuration
Reference</citetitle></link> for an example of
how to change the behavior of dnsmasq using a dnsmasq
configuration file. The dnsmasq documentation has a
more comprehensive <link
xlink:href="http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq.conf.example"
>dnsmasq configuration file example</link>.</para>
<para>Dnsmasq also acts as a caching DNS server for
instances. You can explicitly specify the DNS server
that dnsmasq should use by setting the
<literal>dns_server</literal> configuration option
in <filename>/etc/nova/nova.conf</filename>. The
following example would configure dnsmasq to use
Google's public DNS server:</para>
<programlisting language="ini">dns_server=8.8.8.8</programlisting>
<para>Dnsmasq logging output goes to the syslog (typically
<filename>/var/log/syslog</filename> or
<filename>/var/log/messages</filename>, depending
on Linux distribution). The dnsmasq logging output can
be useful for troubleshooting if VM instances boot
successfully but are not reachable over the
network.</para>
<para>A network administrator can run <code>nova-manage
fixed reserve
--address=<replaceable>x.x.x.x</replaceable></code>
to specify the starting point IP address (x.x.x.x) to
reserve with the DHCP server. This reservation only
affects which IP address the VMs start at, not the
fixed IP addresses that the <systemitem
class="service">nova-network</systemitem> service
places on the bridges.</para>
</section>
<section xml:id="section_metadata-service">
<title>Metadata service</title>
<simplesect>
<title>Introduction</title>
<para>The Compute service uses a special metadata
service to enable virtual machine instances to
retrieve instance-specific data. Instances access
the metadata service at
<literal>http://169.254.169.254</literal>. The
metadata service supports two sets of APIs: an
OpenStack metadata API and an EC2-compatible API.
Each of the APIs is versioned by date.</para>
<para>To retrieve a list of supported versions for the
OpenStack metadata API, make a GET request to
<literal>http://169.254.169.254/openstack</literal>
For example:</para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/openstack</userinput>
<computeroutput>2012-08-10
latest</computeroutput></screen>
<para>To list supported versions for the
EC2-compatible metadata API, make a GET request to
<literal>http://169.254.169.254</literal>.</para>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254</userinput>
<computeroutput>1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04
latest</computeroutput></screen>
<para>If you write a consumer for one of these APIs,
always attempt to access the most recent API
version supported by your consumer first, then
fall back to an earlier version if the most recent
one is not available.</para>
</simplesect>
<simplesect>
<title>OpenStack metadata API</title>
<para>Metadata from the OpenStack API is distributed
in JSON format. To retrieve the metadata, make a
GET request to
<literal>http://169.254.169.254/openstack/2012-08-10/meta_data.json</literal>.</para>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/openstack/2012-08-10/meta_data.json</userinput></screen>
<programlisting language="json"><xi:include href="../common/samples/list_metadata.json" parse="text"/></programlisting>
<para>Instances also retrieve user data (passed as the
<literal>user_data</literal> parameter in the
API call or by the <literal>--user_data</literal>
flag in the <command>nova boot</command> command)
through the metadata service, by making a GET
request to
<literal>http://169.254.169.254/openstack/2012-08-10/user_data</literal>.</para>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/openstack/2012-08-10/user_data</userinput>
<computeroutput>#!/bin/bash
echo 'Extra user data here'</computeroutput></screen>
</simplesect>
<simplesect>
<title>EC2 metadata API</title>
<para>The metadata service has an API that is
compatible with version 2009-04-04 of the <link
xlink:href="http://docs.amazonwebservices.com/AWSEC2/2009-04-04/UserGuide/AESDG-chapter-instancedata.html"
>Amazon EC2 metadata service</link>; virtual
machine images that are designed for EC2 work
properly with OpenStack.</para>
<para>The EC2 API exposes a separate URL for each
metadata. You can retrieve a listing of these
elements by making a GET query to
<literal>http://169.254.169.254/2009-04-04/meta-data/</literal></para>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/</userinput><computeroutput>ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
instance-action
instance-id
instance-type
kernel-id
local-hostname
local-ipv4
placement/
public-hostname
public-ipv4
public-keys/
ramdisk-id
reservation-id
security-groups</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/block-device-mapping/</userinput><computeroutput>ami</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/placement/</userinput>
<computeroutput>availability-zone</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/public-keys/</userinput>
<computeroutput>0=mykey</computeroutput></screen>
<para>Instances can retrieve the public SSH key
(identified by keypair name when a user requests a
new instance) by making a GET request to
<literal>http://169.254.169.254/2009-04-04/meta-data/public-keys/0/openssh-key</literal>.</para>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/meta-data/public-keys/0/openssh-key</userinput>
<computeroutput>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDYVEprvtYJXVOBN0XNKVVRNCRX6BlnNbI+USLGais1sUWPwtSg7z9K9vhbYAPUZcq8c/s5S9dg5vTHbsiyPCIDOKyeHba4MUJq8Oh5b2i71/3BISpyxTBH/uZDHdslW2a+SrPDCeuMMoss9NFhBdKtDkdG9zyi0ibmCP6yMdEX8Q== Generated by Nova</computeroutput></screen>
<para>Instances can retrieve user data by making a GET
request to
<literal>http://169.254.169.254/2009-04-04/user-data</literal>.</para>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>curl http://169.254.169.254/2009-04-04/user-data</userinput>
<computeroutput>#!/bin/bash
echo 'Extra user data here'</computeroutput></screen>
</simplesect>
<simplesect>
<title>Run the metadata service</title>
<para>The metadata service is implemented by either
the <systemitem class="service"
>nova-api</systemitem> service or the
<systemitem class="service"
>nova-api-metadata</systemitem> service. (The
<systemitem class="service"
>nova-api-metadata</systemitem> service is
generally only used when running in multi-host
mode, see the <link
xlink:href="http://docs.openstack.org/havana/config-reference/content/"
><citetitle>OpenStack Configuration
Reference</citetitle></link> for details).
If you are running the <systemitem class="service"
>nova-api</systemitem> service, you must have
<literal>metadata</literal> as one of the
elements of the list of the
<literal>enabled_apis</literal> configuration
option in
<filename>/etc/nova/nova.conf</filename>. The
default <literal>enabled_apis</literal>
configuration setting includes the metadata
service, so you should not need to modify
it.</para>
<para>Hosts access the service at <literal
>169.254.169.254:80</literal>, and this is
translated to <literal
>metadata_host:metadata_port</literal> by an
iptables rule established by the <systemitem
class="service">nova-network</systemitem>
servce. In multi-host mode, <option
>metadata_host</option> can be set to <literal
>127.0.0.1</literal>.</para>
<para>To enable instances to reach the metadata
service, the <systemitem class="service"
>nova-network</systemitem> service configures
iptables to NAT port <literal>80</literal> of the
<literal>169.254.169.254</literal> address to
the IP address specified in
<option>metadata_host</option> (default
<literal>$my_ip</literal>, which is the IP
address of the <systemitem class="service"
>nova-network</systemitem> service) and port
specified in <option>metadata_port</option>
(default <literal>8775</literal>) in
<filename>/etc/nova/nova.conf</filename>.</para>
<warning>
<para>The <literal>metadata_host</literal>
configuration option must be an IP address,
not a host name.</para>
</warning>
<note>
<para>The default Compute service settings assume
that the <systemitem class="service"
>nova-network</systemitem> service and the
<systemitem class="service"
>nova-api</systemitem> service are running
on the same host. If this is not the case, you
must make this change in the
<filename>/etc/nova/nova.conf</filename>
file on the host running the <systemitem
class="service">nova-network</systemitem>
service:</para>
<para>Set the <literal>metadata_host</literal>
configuration option to the IP address of the
host where the <systemitem class="service"
>nova-api</systemitem> service
runs.</para>
</note>
<xi:include href="../common/tables/nova-metadata.xml"
/>
</simplesect>
</section>
<section xml:id="section_enable-ping-and-ssh-on-vms">
<title>Enable ping and SSH on VMs</title>
<para>Be sure you enable access to your VMs by using the
<command>euca-authorize</command> or <command>nova
secgroup-add-rule</command> command. These
commands enable you to <command>ping</command> and
<command>ssh</command> to your VMs:</para>
<note>
<para>You must run these commands as root only if the
credentials used to interact with <systemitem
class="service">nova-api</systemitem> are in
<filename>/root/.bashrc</filename>. If the EC2
credentials are the <filename>.bashrc</filename>
file for another user, you must run these commands
as the user.</para>
</note>
<para>Run <command>nova</command> commands:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0</userinput>
<prompt>$</prompt> <userinput>nova secgroup-add-rule default tcp 22 22 0.0.0.0/0</userinput> </screen>
<para>Using euca2ools:</para>
<screen><prompt>$</prompt> <userinput>euca-authorize -P icmp -t -1:-1 -s 0.0.0.0/0 default</userinput>
<prompt>$</prompt> <userinput>euca-authorize -P tcp -p 22 -s 0.0.0.0/0 default</userinput> </screen>
<para>If you still cannot ping or SSH your instances after
issuing the <command>nova secgroup-add-rule</command>
commands, look at the number of
<literal>dnsmasq</literal> processes that are
running. If you have a running instance, check to see
that TWO <literal>dnsmasq</literal> processes are
running. If not, perform this as root:</para>
<screen><prompt>#</prompt> <userinput>killall dnsmasq</userinput>
<prompt>#</prompt> <userinput>service nova-network restart</userinput> </screen>
</section>
<section xml:id="nova-associate-public-ip">
<title>Configure public (floating) IP addresses</title>
<?dbhtml stop-chunking?>
<note>
<para>This section describes how to configure floating
IP addresses if you opt to use <systemitem
class="service">nova-network</systemitem>
instead of neutron for OpenStack Networking. For
instructions on how to configure neutron to
provide access to instances through floating IP
addresses, see <xref
linkend="section_l3_router_and_nat"/>.</para>
</note>
<section xml:id="private-and-public-IP-addresses">
<title>Private and public IP addresses</title>
<para>Every virtual instance is automatically assigned
a private IP address. You can optionally assign
public IP addresses to instances. The term
<glossterm baseform="floating IP address"
>floating IP</glossterm> refers to an IP
address, typically public, that you can
dynamically add to a running virtual instance.
OpenStack Compute uses Network Address Translation
(NAT) to assign floating IPs to virtual
instances.</para>
<para>If you plan to use this feature, you must add
edit the <filename>/etc/nova/nova.conf</filename>
file to specify to which interface the <systemitem
class="service">nova-network</systemitem>
service binds public IP addresses, as
follows:</para>
<programlisting language="ini">public_interface=<replaceable>vlan100</replaceable></programlisting>
<para>If you make changes to the
<filename>/etc/nova/nova.conf</filename> file
while the <systemitem class="service"
>nova-network</systemitem> service is running,
you must restart the service.</para>
<note>
<title>Traffic between VMs using floating
IPs</title>
<para>Because floating IPs are implemented by
using a source NAT (SNAT rule in iptables),
security groups can show inconsistent behavior
if VMs use their floating IP to communicate
with other VMs, particularly on the same
physical host. Traffic from VM to VM across
the fixed network does not have this issue,
and so this is the recommended path. To ensure
that traffic does not get SNATed to the
floating range, explicitly set
<programlisting language="ini">dmz_cidr=x.x.x.x/y</programlisting>.
The <literal>x.x.x.x/y</literal> value
specifies the range of floating IPs for each
pool of floating IPs that you define. If the
VMs in the source group have floating IPs,
this configuration is also required.</para>
</note>
</section>
<section xml:id="Enabling_ip_forwarding">
<title>Enable IP forwarding</title>
<para>By default, IP forwarding is disabled on most
Linux distributions. To use the floating IP
feature, you must enable IP forwarding.</para>
<note>
<para>You must enable IP forwarding on only the
nodes that run the <systemitem class="service"
>nova-network</systemitem> service. If you
use <literal>multi_host</literal> mode, make
sure to enable it on all compute nodes.
Otherwise, enable it on only the node that
runs the <systemitem class="service"
>nova-network</systemitem> service.</para>
</note>
<para>To check if the forwarding is enabled, run this
command:</para>
<screen><prompt>$</prompt> <userinput>cat /proc/sys/net/ipv4/ip_forward</userinput>
<computeroutput>0</computeroutput></screen>
<para>Alternatively, you can run this command:</para>
<screen><prompt>$</prompt> <userinput>sysctl net.ipv4.ip_forward</userinput>
<computeroutput>net.ipv4.ip_forward = 0</computeroutput></screen>
<para>In this example, IP forwarding is <emphasis
role="bold">disabled</emphasis>. To enable it
dynamically, run this command:</para>
<screen><prompt>#</prompt> <userinput>sysctl -w net.ipv4.ip_forward=1</userinput></screen>
<para>Or:</para>
<screen><prompt>#</prompt> <userinput>echo 1 > /proc/sys/net/ipv4/ip_forward</userinput></screen>
<para>To make the changes permanent, edit the
<filename>/etc/sysctl.conf</filename> file and
update the IP forwarding setting:</para>
<programlisting language="ini">net.ipv4.ip_forward = 1</programlisting>
<para>Save the file and run this command to apply the
changes:</para>
<screen><prompt>$</prompt> <userinput>sysctl -p</userinput></screen>
<para>You can also update the setting by restarting
the network service.</para>
<para>For example, on Ubuntu, run this command:</para>
<screen><userinput><prompt>$</prompt>/etc/init.d/procps.sh restart</userinput></screen>
<para>On RHEL/Fedora/CentOS, run this command:</para>
<screen><prompt>$</prompt> <userinput>service network restart</userinput></screen>
</section>
<section xml:id="create_list_of_available_floating_ips">
<title>Create a list of available floating IP
addresses</title>
<para>Nova maintains a list of floating IP addresses
that you can assign to instances. Use the
<command>nova-manage floating create</command>
command to add entries to this list.</para>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>nova-manage floating create --pool=nova --ip_range=68.99.26.170/31</userinput></screen>
<para>You can use the following
<command>nova-manage</command> commands to
perform floating IP operations:</para>
<itemizedlist>
<listitem>
<screen><userinput>nova-manage floating list</userinput></screen>
<para>Lists the floating IP addresses in the
pool.</para>
</listitem>
<listitem>
<screen><userinput>nova-manage floating create
--pool=<replaceable>[pool
name]</replaceable>
--ip_range=<replaceable>[CIDR]</replaceable>
</userinput></screen>
<para>Creates specific floating IPs for either
a single address or a subnet.</para>
</listitem>
<listitem>
<screen><userinput>nova-manage floating delete
<replaceable>[CIDR]</replaceable></userinput></screen>
<para>Removes floating IP addresses using the
same parameters as the create
command.</para>
</listitem>
</itemizedlist>
<para>For information about how administrators can
associate floating IPs with instances, see <link
xlink:href="http://docs.openstack.org/user-guide-admin/content/manage_ip_addresses.html"
>Manage IP addresses</link> in the
<citetitle>OpenStack Admin User
Guide</citetitle>.</para>
</section>
<section xml:id="Automatically_adding_floating_IPs">
<title>Automatically add floating IPs</title>
<para>You can configure the <systemitem
class="service">nova-network</systemitem>
service to automatically allocate and assign a
floating IP address to virtual instances when they
are launched. Add the following line to the
<filename>/etc/nova/nova.conf</filename> file
and restart the <systemitem class="service"
>nova-network</systemitem> service:</para>
<programlisting language="ini">auto_assign_floating_ip=True</programlisting>
<note>
<para>If you enable this option and all floating
IP addresses have already been allocated, the
<command>nova boot</command> command
fails.</para>
</note>
</section>
</section>
<section xml:id="section_remove-network-from-project">
<title>Remove a network from a project</title>
<para>You cannot remove a network that has already been
associated to a project by simply deleting it.</para>
<para>To determine the project ID you must have admin
rights. You can disassociate the project from the
network with a scrub command and the project ID as the
final parameter:</para>
<screen><prompt>$</prompt> <userinput>nova-manage project scrub --project=<replaceable>&lt;id></replaceable></userinput> </screen>
</section>
<section xml:id="section_use-multi-nics">
<title>Multiple interfaces for your instances
(multinic)</title>
<?dbhtml stop-chunking?>
<para>The multi-nic feature allows you to plug more than
one interface to your instances, making it possible to
make several use cases available:</para>
<itemizedlist>
<listitem>
<para>SSL Configurations (VIPs)</para>
</listitem>
<listitem>
<para>Services failover/ HA</para>
</listitem>
<listitem>
<para>Bandwidth Allocation</para>
</listitem>
<listitem>
<para>Administrative/ Public access to your
instances</para>
</listitem>
</itemizedlist>
<para>Each VIF is representative of a separate network
with its own IP block. Every network mode introduces
it's own set of changes regarding the mulitnic usage: <figure>
<title>multinic flat manager</title>
<mediaobject>
<imageobject>
<imagedata scale="40"
fileref="../common/figures/SCH_5007_V00_NUAC-multi_nic_OpenStack-Flat-manager.jpg"
/>
</imageobject>
</mediaobject>
</figure>
<figure>
<title>multinic flatdhcp manager</title>
<mediaobject>
<imageobject>
<imagedata scale="40"
fileref="../common/figures/SCH_5007_V00_NUAC-multi_nic_OpenStack-Flat-DHCP-manager.jpg"
/>
</imageobject>
</mediaobject>
</figure>
<figure>
<title>multinic VLAN manager</title>
<mediaobject>
<imageobject>
<imagedata scale="40"
fileref="../common/figures/SCH_5007_V00_NUAC-multi_nic_OpenStack-VLAN-manager.jpg"
/>
</imageobject>
</mediaobject>
</figure>
</para>
<section xml:id="using-multiple-nics-usage">
<title>Use the multinic feature</title>
<para>In order to use the multinic feature, first
create two networks, and attach them to your
project:
<screen><prompt>$</prompt> <userinput>nova network-create first-net --fixed-range-v4=20.20.0.0/24 --project-id=$your-project</userinput>
<prompt>$</prompt> <userinput>nova network-create second-net --fixed-range-v4=20.20.10.0/24 --project-id=$your-project</userinput> </screen>
Now every time you spawn a new instance, it gets
two IP addresses from the respective DHCP
servers:</para>
<screen><prompt>$</prompt> <userinput>nova list</userinput>
<computeroutput>+-----+------------+--------+----------------------------------------+
| ID | Name | Status | Networks |
+-----+------------+--------+----------------------------------------+
| 124 | Server 124 | ACTIVE | network2=20.20.0.3; private=20.20.10.14|
+-----+------------+--------+----------------------------------------+</computeroutput></screen>
<note>
<para>Make sure to power up the second interface
on the instance, otherwise that last won't be
reachable through its second IP. Here is an
example of how to setup the interfaces within
the instance (this is the configuration that
needs to be applied inside the image):</para>
<para><filename>/etc/network/interfaces</filename></para>
<programlisting language="bash"># The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet dhcp</programlisting>
</note>
<note>
<para>If the Virtual Network Service Neutron is
installed, it is possible to specify the
networks to attach to the respective
interfaces by using the
<literal>--nic</literal> flag when
invoking the <literal>nova</literal> command:
<screen><prompt>$</prompt> <userinput>nova boot --image ed8b2a37-5535-4a5f-a615-443513036d71 --flavor 1 --nic net-id= &lt;id of first network&gt; --nic net-id= &lt;id of first network&gt; test-vm1</userinput></screen>
</para>
</note>
</section>
</section>
<section xml:id="section_network-troubleshoot">
<title>Troubleshoot Networking</title>
<simplesect>
<title>Cannot reach floating IPs</title>
<para>If you cannot reach your instances through the
floating IP address, make sure the default
security group allows ICMP (ping) and SSH (port
22), so that you can reach the instances:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-list-rules default</userinput>
<computeroutput>+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | -1 | -1 | 0.0.0.0/0 | |
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+</computeroutput> </screen>
<para>Ensure the NAT rules have been added to iptables
on the node that nova-network is running on, as
root:</para>
<screen><prompt>#</prompt> <userinput>iptables -L -nv</userinput>
<computeroutput>-A nova-network-OUTPUT -d 68.99.26.170/32 -j DNAT --to-destination 10.0.0.3</computeroutput></screen>
<screen><prompt>#</prompt> <userinput>iptables -L -nv -t nat</userinput>
<computeroutput>-A nova-network-PREROUTING -d 68.99.26.170/32 -j DNAT --to-destination10.0.0.3
-A nova-network-floating-snat -s 10.0.0.3/32 -j SNAT --to-source 68.99.26.170</computeroutput></screen>
<para>Check that the public address, in this example
"68.99.26.170", has been added to your public
interface: You should see the address in the
listing when you enter "ip addr" at the command
prompt.</para>
<screen><prompt>$</prompt> <userinput>ip addr</userinput>
<computeroutput>2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc mq state UP qlen 1000
link/ether xx:xx:xx:17:4b:c2 brd ff:ff:ff:ff:ff:ff
inet 13.22.194.80/24 brd 13.22.194.255 scope global eth0
inet 68.99.26.170/32 scope global eth0
inet6 fe80::82b:2bf:fe1:4b2/64 scope link
valid_lft forever preferred_lft forever</computeroutput></screen>
<para>Note that you cannot SSH to an instance with a
public IP from within the same server as the
routing configuration won't allow it.</para>
<para>You can use <command>tcpdump</command> to
identify if packets are being routed to the
inbound interface on the compute host. If the
packets are reaching the compute hosts but the
connection is failing, the issue may be that the
packet is being dropped by reverse path filtering.
Try disabling reverse path filtering on the
inbound interface. For example, if the inbound
interface is <literal>eth2</literal>, as
root:</para>
<screen><prompt>#</prompt> <userinput>sysctl -w net.ipv4.conf.<replaceable>eth2</replaceable>.rp_filter=0</userinput></screen>
<para>If this solves your issue, add this line to
<filename>/etc/sysctl.conf</filename> so that
the reverse path filter is disabled the next time
the compute host reboots:
<programlisting language="ini">net.ipv4.conf.rp_filter=0</programlisting></para>
</simplesect>
<simplesect>
<title>Disable firewall</title>
<para>To help debug networking issues with reaching
VMs, you can disable the firewall by setting the
following option in
<filename>/etc/nova/nova.conf</filename>:</para>
<programlisting language="ini">firewall_driver=nova.virt.firewall.NoopFirewallDriver</programlisting>
<para>We strongly recommend you remove this line to
re-enable the firewall once your networking issues
have been resolved.</para>
</simplesect>
<simplesect>
<title>Packet loss from instances to nova-network
server (VLANManager mode)</title>
<para>If you can SSH to your instances but you find
that the network interactions to your instance is
slow, or if you find that running certain
operations are slower than they should be (for
example, <command>sudo</command>), then there may
be packet loss occurring on the connection to the
instance.</para>
<para>Packet loss can be caused by Linux networking
configuration settings related to bridges. Certain
settings can cause packets to be dropped between
the VLAN interface (for example,
<literal>vlan100</literal>) and the associated
bridge interface (for example,
<literal>br100</literal>) on the host running
the <systemitem class="service"
>nova-network</systemitem> service.</para>
<para>One way to check if this is the issue in your
setup is to open up three terminals and run the
following commands:</para>
<para>In the first terminal, on the host running
nova-network, use <command>tcpdump</command> to
monitor DNS-related traffic (UDP, port 53) on the
VLAN interface. As root:</para>
<screen><prompt>#</prompt> <userinput>tcpdump -K -p -i vlan100 -v -vv udp port 53</userinput></screen>
<para>In the second terminal, also on the host running
nova-network, use <command>tcpdump</command> to
monitor DNS-related traffic on the bridge
interface. As root:</para>
<screen><prompt>#</prompt> <userinput>tcpdump -K -p -i br100 -v -vv udp port 53</userinput></screen>
<para>In the third terminal, SSH inside of the
instance and generate DNS requests by using the
<command>nslookup</command> command:</para>
<screen><prompt>$</prompt> <userinput>nslookup www.google.com</userinput></screen>
<para>The symptoms may be intermittent, so try running
<command>nslookup</command> multiple times. If
the network configuration is correct, the command
should return immediately each time. If it is not
functioning properly, the command hangs for
several seconds.</para>
<para>If the <command>nslookup</command> command
sometimes hangs, and there are packets that appear
in the first terminal but not the second, then the
problem may be due to filtering done on the
bridges. Try to disable filtering, as root:</para>
<screen><prompt>#</prompt> <userinput>sysctl -w net.bridge.bridge-nf-call-arptables=0</userinput>
<prompt>#</prompt> <userinput>sysctl -w net.bridge.bridge-nf-call-iptables=0</userinput>
<prompt>#</prompt> <userinput>sysctl -w net.bridge.bridge-nf-call-ip6tables=0</userinput></screen>
<para>If this solves your issue, add this line to
<filename>/etc/sysctl.conf</filename> so that
these changes take effect the next time the host
reboots:</para>
<programlisting language="ini">net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-ip6tables=0</programlisting>
</simplesect>
<simplesect>
<title>KVM: Network connectivity works initially, then
fails</title>
<para>Some administrators have observed an issue with
the KVM hypervisor where instances running Ubuntu
12.04 sometimes loses network connectivity after
functioning properly for a period of time. Some
users have reported success with loading the
vhost_net kernel module as a workaround for this
issue (see <link
xlink:href="https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/997978/"
>bug #997978</link>) . This kernel module may
also <link
xlink:href="http://www.linux-kvm.org/page/VhostNet"
>improve network performance on KVM</link>. To
load the kernel module, as root:</para>
<screen><prompt>#</prompt> <userinput>modprobe vhost_net</userinput></screen>
<note>
<para>Loading the module has no effect on running
instances.</para>
</note>
</simplesect>
</section>
</section>
<section xml:id="section_block-storage-volumes">
<title>Volumes</title>
<para>The Block Storage Service provides persistent block
storage resources that OpenStack Compute instances can
consume.</para>
<para>See the <citetitle>OpenStack Configuration
Reference</citetitle> for information about
configuring volume drivers and creating and attaching
volumes to server instances.</para>
</section>
<section xml:id="section_compute-system-admin">
<title>System administration</title>
<para>By understanding how the different installed nodes
interact with each other you can administer the Compute
installation. Compute offers many ways to install using
multiple servers but the general idea is that you can have
multiple compute nodes that control the virtual servers
and a cloud controller node that contains the remaining
Compute services.</para>
<para>The Compute cloud works through the interaction of a
series of daemon processes named nova-* that reside
persistently on the host machine or machines. These
binaries can all run on the same machine or be spread out
on multiple boxes in a large deployment. The
responsibilities of Services, Managers, and Drivers, can
be a bit confusing at first. Here is an outline the
division of responsibilities to make understanding the
system a little bit easier.</para>
<para>Currently, Services are <systemitem class="service"
>nova-api</systemitem>, <systemitem class="service"
>nova-objectstore</systemitem> (which can be replaced
with Glance, the OpenStack Image Service), <systemitem
class="service">nova-compute</systemitem>, and
<systemitem class="service">nova-network</systemitem>.
Managers and Drivers are specified by configuration
options and loaded using utils.load_object(). Managers are
responsible for a certain aspect of the system. It is a
logical grouping of code relating to a portion of the
system. In general other components should be using the
manager to make changes to the components for which it is
responsible.</para>
<itemizedlist>
<listitem>
<para><systemitem class="service"
>nova-api</systemitem>. Receives xml requests
and sends them to the rest of the system. It is a
wsgi app that routes and authenticate requests. It
supports the EC2 and OpenStack APIs. There is a
<filename>nova-api.conf</filename> file
created when you install Compute.</para>
</listitem>
<listitem>
<para><systemitem class="service"
>nova-objectstore</systemitem>: The
<systemitem class="service"
>nova-objectstore</systemitem> service is an
ultra simple file-based storage system for images
that replicates most of the S3 API. It can be
replaced with OpenStack Image Service and a simple
image manager or use OpenStack Object Storage as
the virtual machine image storage facility. It
must reside on the same node as <systemitem
class="service"
>nova-compute</systemitem>.</para>
</listitem>
<listitem>
<para><systemitem class="service"
>nova-compute</systemitem>. Responsible for
managing virtual machines. It loads a Service
object which exposes the public methods on
ComputeManager through Remote Procedure Call
(RPC).</para>
</listitem>
<listitem>
<para><systemitem class="service"
>nova-network</systemitem>. Responsible for
managing floating and fixed IPs, DHCP, bridging
and VLANs. It loads a Service object which exposes
the public methods on one of the subclasses of
NetworkManager. Different networking strategies
are available to the service by changing the
network_manager configuration option to
FlatManager, FlatDHCPManager, or VlanManager
(default is VLAN if no other is specified).</para>
</listitem>
</itemizedlist>
<section xml:id="section_compute-service-arch">
<title>Compute service architecture</title>
<para>These basic categories describe the service
architecture and what's going on within the cloud
controller.</para>
<simplesect>
<title>API server</title>
<para>At the heart of the cloud framework is an API
server. This API server makes command and control
of the hypervisor, storage, and networking
programmatically available to users in realization
of the definition of cloud computing.</para>
<para>The API endpoints are basic HTTP web services
which handle authentication, authorization, and
basic command and control functions using various
API interfaces under the Amazon, Rackspace, and
related models. This enables API compatibility
with multiple existing tool sets created for
interaction with offerings from other vendors.
This broad compatibility prevents vendor
lock-in.</para>
</simplesect>
<simplesect>
<title>Message queue</title>
<para>A messaging queue brokers the interaction
between compute nodes (processing), the networking
controllers (software which controls network
infrastructure), API endpoints, the scheduler
(determines which physical hardware to allocate to
a virtual resource), and similar components.
Communication to and from the cloud controller is
by HTTP requests through multiple API
endpoints.</para>
<para>A typical message passing event begins with the
API server receiving a request from a user. The
API server authenticates the user and ensures that
the user is permitted to issue the subject
command. Availability of objects implicated in the
request is evaluated and, if available, the
request is routed to the queuing engine for the
relevant workers. Workers continually listen to
the queue based on their role, and occasionally
their type host name. When such listening produces
a work request, the worker takes assignment of the
task and begins its execution. Upon completion, a
response is dispatched to the queue which is
received by the API server and relayed to the
originating user. Database entries are queried,
added, or removed as necessary throughout the
process.</para>
</simplesect>
<simplesect>
<title>Compute worker</title>
<para>Compute workers manage computing instances on
host machines. The API dispatches commands to
compute workers to complete these tasks:</para>
<itemizedlist>
<listitem>
<para>Run instances</para>
</listitem>
<listitem>
<para>Terminate instances</para>
</listitem>
<listitem>
<para>Reboot instances</para>
</listitem>
<listitem>
<para>Attach volumes</para>
</listitem>
<listitem>
<para>Detach volumes</para>
</listitem>
<listitem>
<para>Get console output</para>
</listitem>
</itemizedlist>
</simplesect>
<simplesect>
<title>Network Controller</title>
<para>The Network Controller manages the networking
resources on host machines. The API server
dispatches commands through the message queue,
which are subsequently processed by Network
Controllers. Specific operations include:</para>
<itemizedlist>
<listitem>
<para>Allocate fixed IP addresses</para>
</listitem>
<listitem>
<para>Configuring VLANs for projects</para>
</listitem>
<listitem>
<para>Configuring networks for compute
nodes</para>
</listitem>
</itemizedlist>
</simplesect>
</section>
<section xml:id="section_manage-compute-users">
<title>Manage Compute users</title>
<para>Access to the Euca2ools (ec2) API is controlled by
an access and secret key. The users access key needs
to be included in the request, and the request must be
signed with the secret key. Upon receipt of API
requests, Compute verifies the signature and runs
commands on behalf of the user.</para>
<para>To begin using Compute, you must create a user with
the Identity Service.</para>
</section>
<section xml:id="section_manage-the-cloud">
<title>Manage the cloud</title>
<para>A system administrator can use these tools to manage
a cloud; the nova client, the
<command>nova-manage</command> command, and the
<command>Euca2ools</command> commands.</para>
<para>The <command>nova-manage</command> command can only
be run by cloud administrators. Both nova client and
euca2ools can be used by all users, though specific
commands might be restricted by Role Based Access
Control in the Identity Service.</para>
<procedure>
<title>To use the nova command-line tool</title>
<step>
<para>Installing the python-novaclient gives you a
<code>nova</code> shell command that
enables Compute API interactions from the
command line. You install the client, and then
provide your user name and password, set as
environment variables for convenience, and
then you can have the ability to send commands
to your cloud on the command-line.</para>
<para>To install python-novaclient, download the
tarball from <link
xlink:href="http://pypi.python.org/pypi/python-novaclient/2.6.3#downloads"
>http://pypi.python.org/pypi/python-novaclient/2.6.3#downloads</link>
and then install it in your favorite python
environment.</para>
<screen><prompt>$</prompt> <userinput>curl -O http://pypi.python.org/packages/source/p/python-novaclient/python-novaclient-2.6.3.tar.gz</userinput>
<prompt>$</prompt> <userinput>tar -zxvf python-novaclient-2.6.3.tar.gz</userinput>
<prompt>$</prompt> <userinput>cd python-novaclient-2.6.3</userinput></screen>
<para>As <systemitem class="username">root</systemitem> execute:</para>
<screen><prompt>#</prompt> <userinput>python setup.py install</userinput></screen>
</step>
<step>
<para>Now that you have installed the
python-novaclient, confirm the installation by
entering:</para>
<screen><prompt>$</prompt> <userinput>nova help</userinput>
<computeroutput>usage: nova [--version] [--debug] [--os-cache] [--timings]
[--timeout &lt;seconds&gt;] [--os-username &lt;auth-user-name&gt;]
[--os-password &lt;auth-password&gt;]
[--os-tenant-name &lt;auth-tenant-name&gt;]
[--os-tenant-id &lt;auth-tenant-id&gt;] [--os-auth-url &lt;auth-url&gt;]
[--os-region-name &lt;region-name&gt;] [--os-auth-system &lt;auth-system&gt;]
[--service-type &lt;service-type&gt;] [--service-name &lt;service-name&gt;]
[--volume-service-name &lt;volume-service-name&gt;]
[--endpoint-type &lt;endpoint-type&gt;]
[--os-compute-api-version &lt;compute-api-ver&gt;]
[--os-cacert &lt;ca-certificate&gt;] [--insecure]
[--bypass-url &lt;bypass-url&gt;]
&lt;subcommand&gt; ...</computeroutput></screen>
</step>
<step>
<para>This command returns a list of nova commands
and parameters. Set the required parameters as
environment variables to make running commands
easier. You can add
<parameter>--os-username</parameter>, for
example, on the nova command, or set it as
environment variables:</para>
<screen><prompt>$</prompt> <userinput>export OS_USERNAME=joecool</userinput>
<prompt>$</prompt> <userinput>export OS_PASSWORD=coolword</userinput>
<prompt>$</prompt> <userinput>export OS_TENANT_NAME=coolu</userinput> </screen>
</step>
<step>
<para>Using the Identity Service, you are supplied
with an authentication endpoint, which nova
recognizes as the
<literal>OS_AUTH_URL</literal>.</para>
<para>
<screen><prompt>$</prompt> <userinput>export OS_AUTH_URL=http://hostname:5000/v2.0</userinput>
<prompt>$</prompt> <userinput>export NOVA_VERSION=1.1</userinput></screen>
</para>
</step>
</procedure>
<procedure>
<title>To use the nova-manage command</title>
<para>The nova-manage command may be used to perform
many essential functions for administration and
ongoing maintenance of nova, such as network
creation or user manipulation.</para>
<step>
<para>The man page for nova-manage has a good
explanation for each of its functions, and is
recommended reading for those starting out.
Access it by running:</para>
<screen><prompt>$</prompt> <userinput>man nova-manage</userinput> </screen>
</step>
<step>
<para>For administrators, the standard pattern for
executing a nova-manage command is:</para>
<screen><prompt>$</prompt> <userinput>nova-manage category command <replaceable>[args]</replaceable></userinput></screen>
</step>
<step>
<para>For example, to obtain a list of all
projects:</para>
<screen><prompt>$</prompt> <userinput>nova-manage project list</userinput></screen>
</step>
<step>
<para>Run without arguments to see a list of
available command categories:</para>
<screen><prompt>$</prompt> <userinput>nova-manage</userinput></screen>
</step>
<step>
<para>You can also run with a category argument
such as user to see a list of all commands in
that category:</para>
<screen><prompt>$</prompt> <userinput>nova-manage service</userinput></screen>
</step>
</procedure>
<simplesect>
<title>Use the euca2ools commands</title>
<para>For a command-line interface to EC2 API calls,
use the euca2ools command-line tool. See <link
xlink:href="http://open.eucalyptus.com/wiki/Euca2oolsGuide_v1.3"
>http://open.eucalyptus.com/wiki/Euca2oolsGuide_v1.3</link></para>
</simplesect>
</section>
<xi:include
href="../common/section_cli_nova_usage_statistics.xml"/>
<section xml:id="section_manage-logs">
<title>Manage logs</title>
<simplesect>
<title>Logging module</title>
<para>Add this line to the
<filename>/etc/nova/nova.conf</filename> file
to specify a configuration file to change the
logging behavior. To change the logging level,
such as <literal>DEBUG</literal>,
<literal>INFO</literal>,
<literal>WARNING</literal>,
<literal>ERROR</literal>):
<programlisting language="ini">log-config=/etc/nova/logging.conf</programlisting></para>
<para>The log config file is an ini-style config file
which must contain a section called
<literal>logger_nova</literal>, which controls
the behavior of the logging facility in the
<literal>nova-*</literal> services. The file
must contain a section called
<literal>logger_nova</literal>, for
example:<programlisting language="ini">[logger_nova]
level = INFO
handlers = stderr
qualname = nova</programlisting></para>
<para>This example sets the debugging level to
<literal>INFO</literal> (which less verbose
than the default <literal>DEBUG</literal>
setting). See the <link
xlink:href="http://docs.python.org/release/2.7/library/logging.html#configuration-file-format"
>Python documentation on logging configuration
file format </link>for more details on this
file, including the meaning of the
<literal>handlers</literal> and
<literal>quaname</literal> variables. See
<link
xlink:href="http://git.openstack.org/cgit/openstack/nova/plain/etc/nova/logging_sample.conf"
>etc/nova/logging_sample.conf</link> in the
openstack/nova repository on GitHub for an example
<filename>logging.conf</filename> file with
various handlers defined.</para>
</simplesect>
<simplesect>
<title>Syslog</title>
<para>You can configure OpenStack Compute services to
send logging information to syslog. This is useful
if you want to use rsyslog, which forwards the
logs to a remote machine. You need to separately
configure the Compute service (Nova), the Identity
Service (Keystone), the Image Service (Glance),
and, if you are using it, the Block Storage
Service (Cinder) to send log messages to syslog.
To do so, add these lines to:</para>
<itemizedlist>
<listitem>
<para><filename>/etc/nova/nova.conf</filename></para>
</listitem>
<listitem>
<para><filename>/etc/keystone/keystone.conf</filename></para>
</listitem>
<listitem>
<para><filename>/etc/glance/glance-api.conf</filename></para>
</listitem>
<listitem>
<para><filename>/etc/glance/glance-registry.conf</filename></para>
</listitem>
<listitem>
<para><filename>/etc/cinder/cinder.conf</filename></para>
</listitem>
</itemizedlist>
<programlisting language="ini">verbose = False
debug = False
use_syslog = True
syslog_log_facility = LOG_LOCAL0</programlisting>
<para>In addition to enabling syslog, these settings
also turn off more verbose output and debugging
output from the log.<note>
<para>While the example above uses the same
local facility for each service
(<literal>LOG_LOCAL0</literal>, which
corresponds to syslog facility
<literal>LOCAL0</literal>), we
recommend that you configure a separate
local facility for each service, as this
provides better isolation and more
flexibility. For example, you may want to
capture logging info at different severity
levels for different services. Syslog
allows you to define up to seven local
facilities, <literal>LOCAL0, LOCAL1, ...,
LOCAL7</literal>. See the syslog
documentation for more details.</para>
</note></para>
</simplesect>
<simplesect>
<title>Rsyslog</title>
<para>Rsyslog is a useful tool for setting up a
centralized log server across multiple machines.
We briefly describe the configuration to set up an
rsyslog server; a full treatment of rsyslog is
beyond the scope of this document. We assume
rsyslog has already been installed on your hosts,
which is the default on most Linux
distributions.</para>
<para>This example shows a minimal configuration for
<filename>/etc/rsyslog.conf</filename> on the
log server host, which receives the log
files:</para>
<programlisting language="bash"># provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 1024</programlisting>
<para>Add to <filename>/etc/rsyslog.conf</filename> a
filter rule on which looks for a host name. The
example below use
<replaceable>compute-01</replaceable> as an
example of a compute host name:</para>
<programlisting language="bash">:hostname, isequal, "<replaceable>compute-01</replaceable>" /mnt/rsyslog/logs/compute-01.log</programlisting>
<para>On the compute hosts, create a file named
<filename>/etc/rsyslog.d/60-nova.conf</filename>,
with this content:</para>
<programlisting language="bash"># prevent debug from dnsmasq with the daemon.none parameter
*.*;auth,authpriv.none,daemon.none,local0.none -/var/log/syslog
# Specify a log level of ERROR
local0.error @@172.20.1.43:1024</programlisting>
<para>Once you have created this file, restart your
rsyslog daemon. Error-level log messages on the
compute hosts should now be sent to your log
server.</para>
</simplesect>
</section>
<xi:include href="section_rootwrap.xml"/>
<xi:include href="section_compute-configure-migrations.xml"/>
<section xml:id="section_live-migration-usage">
<title>Migration</title>
<para>Before starting migrations, review the <link linkend="section_configuring-compute-migrations">Configure migrations section</link>.</para>
<para>Migration provides a scheme to migrate running
instances from one OpenStack Compute server to another
OpenStack Compute server.</para>
<procedure>
<title>To migrate instances</title>
<step>
<para>Look at the running instances, to get the ID
of the instance you wish to migrate.</para>
<screen><prompt>#</prompt> <userinput>nova list</userinput>
<computeroutput><![CDATA[+--------------------------------------+------+--------+-----------------+
| ID | Name | Status |Networks |
+--------------------------------------+------+--------+-----------------+
| d1df1b5a-70c4-4fed-98b7-423362f2c47c | vm1 | ACTIVE | private=a.b.c.d |
| d693db9e-a7cf-45ef-a7c9-b3ecb5f22645 | vm2 | ACTIVE | private=e.f.g.h |
+--------------------------------------+------+--------+-----------------+]]></computeroutput></screen>
</step>
<step>
<para>Look at information associated with that
instance - our example is vm1 from
above.</para>
<screen><prompt>#</prompt> <userinput>nova show d1df1b5a-70c4-4fed-98b7-423362f2c47c</userinput>
<computeroutput><![CDATA[+-------------------------------------+----------------------------------------------------------+
| Property | Value |
+-------------------------------------+----------------------------------------------------------+
...
| OS-EXT-SRV-ATTR:host | HostB |
...
| flavor | m1.tiny |
| id | d1df1b5a-70c4-4fed-98b7-423362f2c47c |
| name | vm1 |
| private network | a.b.c.d |
| status | ACTIVE |
...
+-------------------------------------+----------------------------------------------------------+]]></computeroutput></screen>
<para>In this example, vm1 is running on
HostB.</para>
</step>
<step>
<para>Select the server to migrate instances
to.</para>
<screen><prompt>#</prompt> <userinput>nova-manage service list</userinput>
<computeroutput><![CDATA[HostA nova-scheduler enabled :-) None
HostA nova-network enabled :-) None
HostB nova-compute enabled :-) None
HostC nova-compute enabled :-) None]]></computeroutput></screen>
<para>In this example, HostC can be picked up
because <systemitem class="service"
>nova-compute</systemitem> is running on
it.</para>
</step>
<step>
<para>Ensure that HostC has enough resource for
migration.</para>
<screen><prompt>#</prompt> <userinput>nova-manage service describe_resource HostC</userinput>
<computeroutput><![CDATA[HOST PROJECT cpu mem(mb) hdd
HostC(total) 16 32232 878
HostC(used_now) 13 21284 442
HostC(used_max) 13 21284 442
HostC p1 5 10240 150
HostC p2 5 10240 150
.....]]></computeroutput></screen>
<itemizedlist>
<listitem>
<para><emphasis role="bold"
>cpu:</emphasis>the number of
cpu</para>
</listitem>
<listitem>
<para><emphasis role="bold"
>mem(mb):</emphasis>total amount of
memory (MB)</para>
</listitem>
<listitem>
<para><emphasis role="bold"
>hdd:</emphasis>total amount of
space for NOVA-INST-DIR/instances
(GB)</para>
</listitem>
<listitem>
<para><emphasis role="bold">1st line shows
</emphasis>total amount of resource
physical server has.</para>
</listitem>
<listitem>
<para><emphasis role="bold">2nd line shows
</emphasis>current used
resource.</para>
</listitem>
<listitem>
<para><emphasis role="bold">3rd line shows
</emphasis>maximum used
resource.</para>
</listitem>
<listitem>
<para><emphasis role="bold">4th line and
under</emphasis> shows the resource
for each project.</para>
</listitem>
</itemizedlist>
</step>
<step>
<para>Use the <command>nova
live-migration</command> command to
migrate the instances.</para>
<screen><prompt>#</prompt> <userinput>nova live-migration d1df1b5a-70c4-4fed-98b7-423362f2c47c HostC</userinput><computeroutput><![CDATA[Migration of d1df1b5a-70c4-4fed-98b7-423362f2c47c initiated.]]></computeroutput></screen>
<para>Make sure instances are migrated
successfully with <command>nova
list</command>. If instances are still running
on HostB, check log files (src/dest
<systemitem class="service"
>nova-compute</systemitem> and <systemitem
class="service"
>nova-scheduler</systemitem>) to determine
why. <note>
<para>While the nova command is called
<command>live-migration</command>,
under the default Compute
configuration options the instances
are suspended before migration.</para>
<para>See <link
xlink:href="http://docs.openstack.org/havana/config-reference/content/configuring-openstack-compute-basics.html"
>Configure migrations</link> in
<citetitle>OpenStack Configuration
Reference</citetitle> for more
details.</para>
</note>
</para>
</step>
</procedure>
</section>
<section xml:id="section_nova-compute-node-down">
<title>Recover from a failed compute node</title>
<para>If you have deployed Compute with a shared file
system, you can quickly recover from a failed compute
node. Of the two methods covered in these sections,
the evacuate API is the preferred method even in the
absence of shared storage. The evacuate API provides
many benefits over manual recovery, such as
re-attachment of volumes and floating IPs.</para>
<xi:include href="../common/section_cli_nova_evacuate.xml"/>
<section xml:id="nova-compute-node-down-manual-recovery">
<title>Manual recovery</title>
<para>For KVM/libvirt compute node recovery, see the
previous section. Use this procedure for other
hypervisors.</para>
<procedure>
<title>To work with host information</title>
<step>
<para>Identify the vms on the affected hosts,
using tools such as a combination of
<literal>nova list</literal> and
<literal>nova show</literal> or
<literal>euca-describe-instances</literal>.
Here's an example using the EC2 API -
instance i-000015b9 that is running on
node np-rcc54:</para>
<programlisting language="bash">i-000015b9 at3-ui02 running nectarkey (376, np-rcc54) 0 m1.xxlarge 2012-06-19T00:48:11.000Z 115.146.93.60</programlisting>
</step>
<step>
<para>You can review the status of the host by
using the nova database. Some of the
important information is highlighted
below. This example converts an EC2 API
instance ID into an OpenStack ID - if you
used the <literal>nova</literal> commands,
you can substitute the ID directly. You
can find the credentials for your database
in
<filename>/etc/nova.conf</filename>.</para>
<programlisting language="bash">SELECT * FROM instances WHERE id = CONV('15b9', 16, 10) \G;
*************************** 1. row ***************************
created_at: 2012-06-19 00:48:11
updated_at: 2012-07-03 00:35:11
deleted_at: NULL
...
id: 5561
...
power_state: 5
vm_state: shutoff
...
hostname: at3-ui02
host: np-rcc54
...
uuid: 3f57699a-e773-4650-a443-b4b37eed5a06
...
task_state: NULL
...</programlisting>
</step>
</procedure>
<procedure>
<title>To recover the VM</title>
<step>
<para>Armed with the information of VMs on the
failed host, determine to which compute
host the affected VMs should move. Run the
following database command to move the VM
to np-rcc46:</para>
<programlisting language="bash">UPDATE instances SET host = 'np-rcc46' WHERE uuid = '3f57699a-e773-4650-a443-b4b37eed5a06'; </programlisting>
</step>
<step>
<para>Next, if using a hypervisor that relies
on libvirt (such as KVM) it is a good idea
to update the
<literal>libvirt.xml</literal> file
(found in
<literal>/var/lib/nova/instances/[instance
ID]</literal>). The important changes
to make are to change the
<literal>DHCPSERVER</literal> value to
the host ip address of the compute host
that is the VMs new home, and update the
VNC IP if it isn't already
<literal>0.0.0.0</literal>.</para>
</step>
<step>
<para>Next, reboot the VM:</para>
<screen><prompt>$</prompt> <userinput>nova reboot --hard 3f57699a-e773-4650-a443-b4b37eed5a06</userinput></screen>
</step>
<step>
<para>In theory, the above database update and
<literal>nova reboot</literal> command
are all that is required to recover the
VMs from a failed host. However, if
further problems occur, consider looking
at recreating the network filter
configuration using
<literal>virsh</literal>, restarting
the Compute services or updating the
<literal>vm_state</literal> and
<literal>power_state</literal> in the
Compute database.</para>
</step>
</procedure>
</section>
</section>
<section xml:id="section_nova-uid-mismatch">
<title>Recover from a UID/GID mismatch</title>
<para>When running OpenStack compute, using a shared file
system or an automated configuration tool, you could
encounter a situation where some files on your compute
node are using the wrong UID or GID. This causes a
raft of errors, such as being unable to live migrate,
or start virtual machines.</para>
<para>This basic procedure runs on <systemitem
class="service">nova-compute</systemitem> hosts,
based on the KVM hypervisor, that could help to
restore the situation:</para>
<procedure>
<title>To recover from a UID/GID mismatch</title>
<step>
<para>Make sure you don't use numbers that are
already used for some other user/group.</para>
</step>
<step>
<para>Set the nova uid in
<filename>/etc/passwd</filename> to the
same number in all hosts (for example,
112).</para>
</step>
<step>
<para>Set the libvirt-qemu uid in
<filename>/etc/passwd</filename> to the
same number in all hosts (for example,
119).</para>
</step>
<step>
<para>Set the nova group in
<filename>/etc/group</filename> file to
the same number in all hosts (for example,
120).</para>
</step>
<step>
<para>Set the libvirtd group in
<filename>/etc/group</filename> file to
the same number in all hosts (for example,
119).</para>
</step>
<step>
<para>Stop the services on the compute
node.</para>
</step>
<step>
<para>Change all the files owned by user nova or
by group nova. For example:</para>
<programlisting language="bash">find / -uid 108 -exec chown nova {} \; # note the 108 here is the old nova uid before the change
find / -gid 120 -exec chgrp nova {} \;</programlisting>
</step>
<step>
<para>Repeat the steps for the libvirt-qemu owned
files if those were needed to change.</para>
</step>
<step>
<para>Restart the services.</para>
</step>
<step>
<para>Now you can run the <command>find</command>
command to verify that all files using the
correct identifiers.</para>
</step>
</procedure>
</section>
<section xml:id="section_nova-disaster-recovery-process">
<title>Compute disaster recovery process</title>
<para>In this section describes how to manage your cloud
after a disaster, and how to easily back up the
persistent storage volumes. Backups <emphasis
role="bold">are</emphasis> mandatory, even outside
of disaster scenarios.</para>
<para>For reference, you can find a DRP definition at
<link
xlink:href="http://en.wikipedia.org/wiki/Disaster_Recovery_Plan"
>http://en.wikipedia.org/wiki/Disaster_Recovery_Plan</link>.</para>
<simplesect>
<title>A- The disaster recovery process
presentation</title>
<para>A disaster could happen to several components of
your architecture: a disk crash, a network loss, a
power cut, and so on. In this example, assume the
following set up:</para>
<orderedlist>
<listitem>
<para>A cloud controller (nova-api,
nova-objecstore, nova-network)</para>
</listitem>
<listitem>
<para>A compute node (<systemitem
class="service"
>nova-compute</systemitem>)</para>
</listitem>
<listitem>
<para>A Storage Area Network used by
<systemitem class="service"
>cinder-volumes</systemitem> (aka
SAN)</para>
</listitem>
</orderedlist>
<para>The disaster example is the worst one: a power
loss. That power loss applies to the three
components. <emphasis role="italic">Let's see what
runs and how it runs before the
crash</emphasis>:</para>
<itemizedlist>
<listitem>
<para>From the SAN to the cloud controller, we
have an active iscsi session (used for the
"cinder-volumes" LVM's VG).</para>
</listitem>
<listitem>
<para>From the cloud controller to the compute
node we also have active iscsi sessions
(managed by <systemitem class="service"
>cinder-volume</systemitem>).</para>
</listitem>
<listitem>
<para>For every volume an iscsi session is
made (so 14 ebs volumes equals 14
sessions).</para>
</listitem>
<listitem>
<para>From the cloud controller to the compute
node, we also have iptables/ ebtables
rules which allows the access from the
cloud controller to the running
instance.</para>
</listitem>
<listitem>
<para>And at least, from the cloud controller
to the compute node ; saved into database,
the current state of the instances (in
that case "running" ), and their volumes
attachment (mount point, volume id, volume
status, and so on.)</para>
</listitem>
</itemizedlist>
<para>Now, after the power loss occurs and all
hardware components restart, the situation is as
follows:</para>
<itemizedlist>
<listitem>
<para>From the SAN to the cloud, the ISCSI
session no longer exists.</para>
</listitem>
<listitem>
<para>From the cloud controller to the compute
node, the ISCSI sessions no longer exist.
</para>
</listitem>
<listitem>
<para>From the cloud controller to the compute
node, the iptables and ebtables are
recreated, since, at boot, nova-network
reapply the configurations.</para>
</listitem>
<listitem>
<para>From the cloud controller, instances
turn into a shutdown state (because they
are no longer running)</para>
</listitem>
<listitem>
<para>Into the database, data was not updated
at all, since Compute could not have
guessed the crash.</para>
</listitem>
</itemizedlist>
<para>Before going further, and to prevent the admin
to make fatal mistakes,<emphasis role="bold"> the
instances won't be lost</emphasis>, because no
"<command role="italic">destroy</command>" or
"<command role="italic">terminate</command>"
command was invoked, so the files for the
instances remain on the compute node.</para>
<para>Perform these tasks in that exact order.</para>
<para><emphasis role="underline">Any extra step would
be dangerous at this stage</emphasis> :</para>
<para>
<orderedlist>
<listitem>
<para>Get the current relation from a
volume to its instance, so that you
can recreate the attachment.</para>
</listitem>
<listitem>
<para>Update the database to clean the
stalled state. (After that, you cannot
perform the first step).</para>
</listitem>
<listitem>
<para>Restart the instances. In other
words, go from a shutdown to running
state.</para>
</listitem>
<listitem>
<para>After the restart, you can reattach
the volumes to their respective
instances.</para>
</listitem>
<listitem>
<para>That step, which is not a mandatory
one, exists in an SSH into the
instances to reboot them.</para>
</listitem>
</orderedlist>
</para>
</simplesect>
<simplesect>
<title>B - Disaster recovery</title>
<procedure>
<title>To perform disaster recovery</title>
<step>
<title>Get the instance-to-volume
relationship</title>
<para>You must get the current relationship
from a volume to its instance, because we
re-create the attachment.</para>
<para>You can find this relationship by
running <command>nova
volume-list</command>. Note that nova
client includes the ability to get volume
information from cinder.</para>
</step>
<step>
<title>Update the database</title>
<para>Update the database to clean the stalled
state. You must restore for every volume,
uses these queries to clean up the
database:</para>
<screen><prompt>mysql></prompt> <userinput>use cinder;</userinput>
<prompt>mysql></prompt> <userinput>update volumes set mountpoint=NULL;</userinput>
<prompt>mysql></prompt> <userinput>update volumes set status="available" where status &lt;&gt;"error_deleting";</userinput>
<prompt>mysql></prompt> <userinput>update volumes set attach_status="detached";</userinput>
<prompt>mysql></prompt> <userinput>update volumes set instance_id=0;</userinput></screen>
<para>Then, when you run <command>nova
volume-list</command> commands, all
volumes appear.</para>
</step>
<step>
<title>Restart instances</title>
<para>You can restart the instances through
the <command>nova reboot
<replaceable>$instance</replaceable></command>.</para>
<para>At that stage, depending on your image,
some instances completely reboot and
become reachable, while others stop on the
"plymouth" stage.</para>
</step>
<step>
<title>DO NOT reboot a second time</title>
<para>Do not reboot the ones that are stopped
at that stage (<emphasis role="italic">see
the fourth step</emphasis>). In fact
it depends on whether you added an
<filename>/etc/fstab</filename> entry
for that volume. Images built with the
<package>cloud-init</package> package
remain in a pending state, while others
skip the missing volume and start. (More
information is available on <link
xlink:href="https://help.ubuntu.com/community/CloudInit"
>help.ubuntu.com</link>.) The idea of
that stage is only to ask nova to reboot
every instance, so the stored state is
preserved.</para>
</step>
<step>
<title>Reattach volumes</title>
<para>After the restart, you can reattach the
volumes to their respective instances. Now
that nova has restored the right status,
it is time to perform the attachments
through a <command>nova
volume-attach</command></para>
<para>This simple snippet uses the created
file:</para>
<programlisting language="bash">#!/bin/bash
while read line; do
volume=`echo $line | $CUT -f 1 -d " "`
instance=`echo $line | $CUT -f 2 -d " "`
mount_point=`echo $line | $CUT -f 3 -d " "`
echo "ATTACHING VOLUME FOR INSTANCE - $instance"
nova volume-attach $instance $volume $mount_point
sleep 2
done &lt; $volumes_tmp_file</programlisting>
<para>At that stage, instances that were
pending on the boot sequence (<emphasis
role="italic">plymouth</emphasis>)
automatically continue their boot, and
restart normally, while the ones that
booted see the volume.</para>
</step>
<step>
<title>SSH into instances</title>
<para>If some services depend on the volume,
or if a volume has an entry into fstab, it
could be good to simply restart the
instance. This restart needs to be made
from the instance itself, not through
nova. So, we SSH into the instance and
perform a reboot:</para>
<screen><prompt>#</prompt> <userinput>shutdown -r now</userinput></screen>
</step>
</procedure>
<para>By completing this procedure, you can
successfully recover your cloud.</para>
<para>Follow these guidelines:</para>
<itemizedlist>
<listitem>
<para>Use the <parameter>
errors=remount</parameter> parameter
in the <filename>fstab</filename> file,
which prevents data corruption.</para>
<para>The system would lock any write to the
disk if it detects an I/O error. This
configuration option should be added into
the <systemitem class="service"
>cinder-volume</systemitem> server
(the one which performs the ISCSI
connection to the SAN), but also into the
instances' <filename>fstab</filename>
file.</para>
</listitem>
<listitem>
<para>Do not add the entry for the SAN's disks
to the <systemitem class="service"
>cinder-volume</systemitem>'s
<filename>fstab</filename>
file.</para>
<para>Some systems hang on that step, which
means you could lose access to your
cloud-controller. To re-run the session
manually, you would run the following
command before performing the mount:
<screen><prompt>#</prompt> <userinput>iscsiadm -m discovery -t st -p $SAN_IP $ iscsiadm -m node --target-name $IQN -p $SAN_IP -l</userinput></screen></para>
</listitem>
<listitem>
<para>For your instances, if you have the
whole <filename>/home/</filename>
directory on the disk, instead of emptying
the <filename>/home</filename> directory
and map the disk on it, leave a user's
directory with the user's bash files and
the <filename>authorized_keys</filename>
file.</para>
<para>This enables you to connect to the
instance, even without the volume
attached, if you allow only connections
through public keys.</para>
</listitem>
</itemizedlist>
</simplesect>
<simplesect>
<title>C - Scripted DRP</title>
<procedure>
<title>To use scripted DRP</title>
<para>You can download from <link
xlink:href="https://github.com/Razique/BashStuff/blob/master/SYSTEMS/OpenStack/SCR_5006_V00_NUAC-OPENSTACK-DRP-OpenStack.sh"
>here</link> a bash script which performs
these steps:</para>
<step>
<para>The "test mode" allows you to perform
that whole sequence for only one
instance.</para>
</step>
<step>
<para>To reproduce the power loss, connect to
the compute node which runs that same
instance and close the iscsi session.
<emphasis role="underline">Do not
detach the volume through
<command>nova
volume-detach</command></emphasis>,
but instead manually close the iscsi
session.</para>
</step>
<step>
<para>In this example, the iscsi session is
number 15 for that instance:</para>
<screen><prompt>$</prompt> <userinput>iscsiadm -m session -u -r 15</userinput></screen>
</step>
<step>
<para>Do not forget the <literal>-r</literal>
flag. Otherwise, you close ALL
sessions.</para>
</step>
</procedure>
</simplesect>
</section>
</section>
<xi:include href="../common/section_support-compute.xml"/>
</chapter>