From 8cb0551a84f8579512446f90fad6e7da1ea84d10 Mon Sep 17 00:00:00 2001
From: Igor Yozhikov
Date: Tue, 22 Oct 2013 14:00:43 +0400
Subject: [PATCH] Add RMQ,Quantum SecGrp quotas and Rate-Limits desc
Change-Id: Ibc310312348a68bbcf4ad8fa3e9ba2d6cce6fde8
---
.../src/docbkx/content/general.xml | 176 ++++++++++++++++++
1 file changed, 176 insertions(+)
diff --git a/src/administrators-guide/src/docbkx/content/general.xml b/src/administrators-guide/src/docbkx/content/general.xml
index 7f1aa38..ed2aa70 100644
--- a/src/administrators-guide/src/docbkx/content/general.xml
+++ b/src/administrators-guide/src/docbkx/content/general.xml
@@ -362,4 +362,180 @@ LOGFILE=$SCREEN_LOGDIR/stack.sh.log
+
+ RabbitMQ additional instance + + RabbitMQ is used for services interconnection in the OpenStack. Murano also uses RabbitMQ as "message queue" service but the separate instance. In the OpenStack normal installation "message queue" service resides in the management network segment and should not be reachable from any tenant networks to prevent of security breach. + Murano uses its own agent service running on deploying instance directly. Agent should have the ability to communicate with "message queue" service. Create one more "message queue" service instance in the external network, reachable from tenant networks through the OpenStack network router service (Qunatum/Neutron). + + + Configuration steps + + + + + Create file /etc/default/rabbitmq-murano with options listed below + + +#!/bin/sh +# +# +export RABBITMQ_NODENAME=murano@$(hostname) +export RABBITMQ_CONFIG_FILE=/etc/rabbitmq/rabbitmq-murano +export RABBITMQ_ENABLED_PLUGINS_FILE=/etc/rabbitmq/enabled_plugins.murano +CONTROL="${CONTROL} -n ${RABBITMQ_NODENAME}" +PID_FILE=/var/run/rabbitmq/murano.pid + + + + + Make copy of the original rabbitmq-server init script: + + +cd /etc/init.d +cp rabbitmq-server rabbitmq-server-murano + + + + + Make changes inside new file rabbitmq-server-murano, after test calls: + + +... +test -x $DAEMON || exit 0 +test -x $CONTROL || exit 0 +. /etc/default/rabbitmq-murano +RETVAL=0 +... + + + + + Fill in configuration files for new RrabbitMQ instace. + + + + + Modify /etc/rabbitmq/enabled_plugins.murano + + +[rabbitmq_management]. + + + + + Modify /etc/rabbitmq/rabbitmq-murano.config + + +[ + {rabbit, [ + {tcp_listeners, [5674]}, + {log_levels,[ + {connection, error} + ]} + ]}, + {rabbitmq_management, [ + {listener, [{port, 15673}]} + ]}, + {rabbitmq_mochiweb, [ + {listeners, [{mgmt, [{port, 55673}]}]} + ]} +]. 
+ + + + + Check service works fine: + + +service rabbitmq-server-murano start +service rabbitmq-server-murano status +service rabbitmq-server-murano stop + + + + + Enable OS boot time service start: + + +update-rc.d rabbitmq-server-murano defaults + + + + + Don't forget about firewall rules for new RabbitMQ service! + +
+
+ Configuring Quantum SecurityGroups quotas + + Default quotas driver used by quantum is - quantum.quota.ConfDriver, all limits set in /etc/quantum/ + quantum.conf - non flexible. To extend functionality and flexibility, default quota driver should be + changed to - quantum.db.quota_db.DbQuotaDrive. + + + + + Change /etc/quantum/quantum.conf with next values: + + +[QUOTAS] +... +#quota_driver = quantum.quota.ConfDriver +quota_driver = quantum.db.quota_db.DbQuotaDriver +... + + + + + Restart all quantum services: + + +cd /etc/init.d/ +for q in quantum-*; do restart $q; done + + + + + Update required quota with quantum CLI: + + +quantum quota-update --security_group 100 --tenant-id <tenant_id> ++---------------------+-------+ +| Field | Value | ++---------------------+-------+ +| floatingip | 50 | +| network | 10 | +| port | 50 | +| router | 10 | +| security_group | 100 | +| security_group_rule | 100 | +| subnet | 10 | ++---------------------+-------+ + + + +
+
+ Reconfigure rate-limits for Nova + + Please reconfigure rate-limits to at least 500-1000 hits per minute. + + + API calls rate limits could be configured using this manual. + Or by disabling ratelimits in the /etc/nova/api-paste.ini file. + +... +[composite:openstack_compute_api_v2] +use = call:nova.api.auth:pipeline_factory +#noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2 +#keystone = faultwrap sizelimit authtoken keystonecontext ratelimit osapi_compute +noauth = faultwrap sizelimit noauth osapi_compute_app_v2 +keystone = faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v2 +keystone_nolimit = faultwrap sizelimit authtoken keystonecontext osapi_compute_ap +... + + +