OpenStack in a snap!
Dmitrii Shcherbakov 0ba5358865 Add Secure Clustering
* Add a connection-string based workflow to MicroStack;
  * microstack add-compute command can be run at the Control node in
    order to generate a connection string (an ASCII blob for the user);
  * the connection string contains:
    * an address of the control node;
    * a sha256 fingerprint of the TLS certificate used by the clustering
      service at the control node (which is used during verification
      similar to the Certificate Pinning approach);
    * an application credential id;
    * an application credential secret (short expiration time, reader
      role on the service project, restricted to listing the service
      catalog);
  * a MicroStack admin is expected to have ssh access to all nodes that
    will participate in a cluster - prior trust establishment is on
    them to figure out, which is normal since they provision the nodes;
  * a MicroStack admin is expected to securely copy a connection string
    to a compute node via ssh. Since it is short-lived and does not
    carry service secrets, there is no risk of a replay at a later time;
  * If the compute role is specified during microstack.init, a
    connection string is requested and used to perform a request to the
    clustering service and validate the certificate fingerprint. The
    credential ID and secret are POSTed for verification to the
    clustering service which responds with the necessary config data
    for the compute node upon successful authorization.
* Set up TLS termination for the clustering service;
  * run the flask app as a UWSGI daemon behind nginx;
  * configure nginx to use a TLS certificate;
  * generate a self-signed TLS certificate.

This setup does not require PKI to be present for its own purposes of
joining compute nodes to the cluster. However, this does not mean that
PKI will not be used for TLS termination of the OpenStack endpoints.

Control node init workflow (non-interactive):

sudo microstack init --auto --control
microstack add-compute
<the connection string to be used at the compute node>

Compute node init workflow (non-interactive):

sudo microstack init --auto --compute --join <connection-string>

Change-Id: I9596fe1e6e5c1a325cc71fd3bf0c78b660b9a83e
2020-10-15 01:37:33 +03:00
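The join handshake the commit message describes, written out as an added example; this is not MicroStack's own code. Everything the commit message states is kept: the connection string carries the control node's address, the sha256 fingerprint of the clustering service's self-signed TLS certificate and a short-lived application-credential id and secret, and the compute node checks the fingerprint before POSTing the credential. Everything else is an assumption for illustration: the string encoding (URL-safe base64 of a JSON object), the field names, the expires_at field, the port 10002 and the /join path. The point the example makes is that the pin check runs on the same TLS session the request is then sent over, which is what lets a fingerprint stand in for CA verification without a window for substitution.

```python
"""Compute-node side of a connection-string join (added example, not MicroStack code).

Assumed, not from the commit message: the blob is URL-safe base64 of a JSON
object with the fields used below, it carries an expires_at epoch time, and
the clustering service accepts POST /join.
"""
import base64
import hashlib
import hmac
import http.client
import json
import ssl
import time


class PinMismatch(Exception):
    """The presented certificate does not hash to the pinned fingerprint."""


def encode_connection_string(host, port, fingerprint, cred_id, cred_secret, expires_at):
    """Control-node side: pack the join parameters into one ASCII blob."""
    payload = {
        "host": host,
        "port": port,
        # normalise "AB:CD:..." / upper-case forms to bare lower-case hex
        "fingerprint": fingerprint.replace(":", "").lower(),
        "cred_id": cred_id,
        "cred_secret": cred_secret,
        "expires_at": expires_at,
    }
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii")


def decode_connection_string(blob):
    """Compute-node side: unpack the blob copied over by the admin."""
    return json.loads(base64.urlsafe_b64decode(blob.encode("ascii")))


def cert_fingerprint(der):
    """sha256 of the DER certificate as lower-case hex: the value that gets pinned."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_matches(der, expected):
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(cert_fingerprint(der), expected.replace(":", "").lower())


def connection_string_expired(info, now=None):
    """Reject a stale string locally, before any network contact."""
    now = time.time() if now is None else now
    return now >= info["expires_at"]


def post_join_request(info, path="/join"):
    """Connect, pin the certificate, then POST the credential on that same session.

    CA verification is switched off on purpose: the control node presents a
    self-signed certificate and the fingerprint in the connection string is
    the only trust anchor.  The credential is written only after the pin
    check has passed on the very socket it is sent over.
    """
    if connection_string_expired(info):
        raise ValueError("connection string has expired; run add-compute again")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # replaced by fingerprint_matches() below
    conn = http.client.HTTPSConnection(info["host"], info["port"], context=ctx, timeout=10)
    conn.connect()
    try:
        presented = conn.sock.getpeercert(binary_form=True)  # DER of the peer leaf cert
        if not fingerprint_matches(presented, info["fingerprint"]):
            raise PinMismatch(
                "control node presented %s, expected %s"
                % (cert_fingerprint(presented), info["fingerprint"])
            )
        body = json.dumps({"credential-id": info["cred_id"],
                           "credential-secret": info["cred_secret"]})
        conn.request("POST", path, body=body,
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        data = resp.read()
        if resp.status != 200:
            raise RuntimeError("clustering service returned HTTP %d" % resp.status)
        return json.loads(data)  # the compute node's config, per the commit message
    finally:
        conn.close()
```

On the compute node this is `post_join_request(decode_connection_string(blob))`: a fingerprint mismatch aborts before the credential leaves the node, and an expired string is refused without contacting the control node at all. The encode side is included only so the format can be round-tripped in a test; the real ASCII blob produced by `microstack add-compute` is not documented on this page.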
checks Added Filebeat, NRPE and Telegraf to Microstack 2020-02-11 14:33:26 +00:00
patches Use focal/core20/Ussuri/OVN & enable confinement 2020-09-25 13:20:12 +00:00
snap/hooks Add Secure Clustering 2020-10-15 01:37:33 +03:00
snap-overlay Add Secure Clustering 2020-10-15 01:37:33 +03:00
snap-wrappers Add Secure Clustering 2020-10-15 01:37:33 +03:00
tests Add Secure Clustering 2020-10-15 01:37:33 +03:00
tools Add Secure Clustering 2020-10-15 01:37:33 +03:00
.gitignore Strict confinement (devmode) 2020-03-05 09:31:15 +00:00
.gitreview Added automated testing via tox and zuul. 2019-07-24 08:04:38 +01:00
.zuul.yaml Added Filebeat, NRPE and Telegraf to Microstack 2020-02-11 14:33:26 +00:00
CONTRIBUTING.md Updated "Building MicroStack" section of CONTRIBUTING.md 2019-11-14 17:36:25 +00:00
DEMO.md Add Secure Clustering 2020-10-15 01:37:33 +03:00
filebeat.pgp.key Added Filebeat, NRPE and Telegraf to Microstack 2020-02-11 14:33:26 +00:00
README.md Strict confinement (devmode) 2020-03-05 09:31:15 +00:00
snapcraft.yaml Add Secure Clustering 2020-10-15 01:37:33 +03:00
telegraf.pgp.key Added Filebeat, NRPE and Telegraf to Microstack 2020-02-11 14:33:26 +00:00
test-requirements.txt Added testing for control nodes 2019-10-16 15:44:38 +00:00
tox.ini Test fixes and tweaks 2020-04-02 18:11:56 +00:00

MicroStack


MicroStack is a single-machine, snap-deployed OpenStack cloud.

Common purposes include:

  • Development and testing of OpenStack workloads
  • Continuous integration (CI)
  • IoT and appliances
  • Edge clouds (experimental)
  • Introducing new users to OpenStack

Currently provided OpenStack services are: Nova, Keystone, Glance, Horizon, and Neutron.

MicroStack tracks the most recent OpenStack release and is updated frequently with that release's stable fixes.

Requirements: You will need at least 2 CPUs, 8 GiB of memory, and 100 GiB of disk space.

See the full MicroStack documentation.

Installation

At this time you can install from the --beta or --edge snap channels:

sudo snap install microstack --classic --beta

The edge channel is moving toward a strictly confined snap. At this time, it must be installed in devmode, in which snapd logs confinement violations but does not block them, so the edge build runs without an effective sandbox (the --classic install from beta has no confinement either):

sudo snap install microstack --devmode --edge

Initialisation

Initialisation will set up databases, networks, flavors, an SSH keypair, a CirrOS image, and security group rules that allow inbound ICMP and SSH:

sudo microstack.init --auto

OpenStack client

The OpenStack client is bundled as microstack.openstack. For example:

microstack.openstack network list
microstack.openstack flavor list
microstack.openstack keypair list
microstack.openstack image list
microstack.openstack security group rule list

Creating an instance

To create an instance (called "awesome") based on the CirrOS image:

microstack.launch cirros --name awesome

SSH to an instance

The launch output will show you how to connect to the instance. For the CirrOS image, the user account is 'cirros'.

ssh -i ~/.ssh/id_microstack cirros@<ip-address>

Horizon

The launch output will also provide information for the Horizon dashboard. Its default credentials are:

username: admin
password: keystone

These defaults are public, so change the admin password before Horizon or the Keystone API is reachable from anywhere other than the host you are testing on.

Removing MicroStack

To remove MicroStack, run:

sudo microstack.remove --auto

This will clean up the Open vSwitch bridge device and uninstall MicroStack. If you remove MicroStack with the snap remove command instead, don't worry -- the Open vSwitch bridge will disappear the next time that you reboot your system.

Note that you can pass any arguments that you'd pass to the snap remove command to microstack.remove. To purge the snap, for example, run:

sudo microstack.remove --auto --purge

LMA stack

Filebeat, Telegraf and NRPE are bundled as systemd services inside the snap.

Customising and contributing

To customise services and settings, look in the .d directories under /var/snap/microstack/common/etc. You can add services with your package manager, or take a look at CONTRIBUTING.md and make a code-based argument for adding a service to the default list.

Reporting a bug

Please report bugs to the MicroStack project on Launchpad.