Putting together OpenStack and Puppet is a great way to satisfy almost any deployment scenario. There are a lot of resources on the web about how to set up such an infrastructure, but mostly Linux related. The main goal of this blog post is to provide a reference on how to deploy the Puppet agent on a Windows instance using either plain simple Nova metadata or a Heat template, in both cases based on Cloudbase-Init.

One of the great advantages that Puppet provides is that you can reduce to the bare minimum the OpenStack orchestration complexity leaving to Puppet the role of configuring the instances. This provides a lot of flexibility, for example in the way in which Heat and Puppet can be mixed to achieve the desired results.

To begin with, how do we install the Puppet agent on Windows? On Linux we can use rpm or deb packages directly included in our distributions, but this does not apply to Windows. For this purpose, PuppeLabs provides a Windows installer available for both the standard and enterprise versions, which can be either installed with the typical “Next, Next, Finish” UI or in fully unattended mode. The installer takes care of all the requirements, including the Ruby environment and so on. All we need to do is to provide the location of our Puppet master server. The Microsoft MSI packaging provides a seamless unattended automation:

msiexec /qn /i puppet.msi /l*v puppet.log PUPPET_MASTER_SERVER=your.puppet.master

Beside PUPPET_MASTER_SERVER, there are also other properties that you can use to customize your installation. The full documentation for the agent installation can be found on the PuppetLabs web site.

There’s a minor caveat to be considered when providing the Puppet Master host name or fqdn (no IP addresses allowed): make sure that the name matches the common name or one of the subject alternative names of the X509 certificate in use on the Puppet Master. You can easily check the certificate by connecting to https://your.puppet.master:8140 and check the certificate properties. If you cannot resolve the name, just add an entry in your hosts file.
 

OpenStack instance user_data

Putting everything together in a PowerShell script to be provided as a user_data script to the instance is easy:

#ps1_sysnative
$ErrorActionPreference = "Stop"

$puppet_master_server_name = "puppet"
# Provide an IP address only if you need to add a host file entry
$puppet_master_server_ip = "10.0.1.2"

# For Puppet Enterprise replace the following url with:
# "https://pm.puppetlabs.com/cgi-bin/download.cgi?ver=latest&dist=win"
$puppet_agent_msi_url = "https://downloads.puppetlabs.com/windows/puppet-3.4.3.msi"

if ($puppet_master_server_ip) {
    # Validate the IP address
    $ip = [System.Net.IPAddress]::Parse($puppet_master_server_ip)
    # Add a line to the hosts file
    Add-Content -Path $ENV:SystemRoot\System32\Drivers\etc\hosts -Value "$puppet_master_server_ip $puppet_master_server_name"
}

$puppet_agent_msi_path = Join-Path $ENV:TEMP puppet_agent.msi

# You can also use Invoke-WebRequest but this is way faster :)
Import-Module BitsTransfer
Start-BitsTransfer -Source $puppet_agent_msi_url -Destination $puppet_agent_msi_path

cmd /c start /wait msiexec /qn /i $puppet_agent_msi_path /l*v puppet_agent_msi_log.txt PUPPET_MASTER_SERVER=$puppet_master_server_name
if ($lastexitcode) {
    throw "Puppet agent setup failed"
}

del $puppet_agent_msi_path

The above script can be downloaded from here. The first line (#ps1 or #ps1_sysnative) is very important, as it tells Cloudbase-Init that this is a PowerShell script.

You can now easily boot an OpenStack instance by either using the Horizon Dashboard or the command line:

nova boot --flavor m1.small --image "Windows Server 2012 Std Eval" --key-name key1 \
--user-data PuppetAgent.ps1 vm1

If you don’t have a Windows image in Glance which includes Cloudbase-Init, you can either download a ready made Windows Server 2012 R2 Evaluation image or create your own image by following this guide.

Once the machine is booted, you should be able to see a pending certificate in your Puppet Master with:

puppet cert list

which can be signed with:

puppet cert sign your.instance.name

Your instance / node will start applying the desired configuration with the next run (every 30′ by default). If this sounds new, here’s a great beginner’s guide.

A Heat template

If you want to include the deployment of the Puppet agent in a larger deployment scenario, Heat is a great choice.

You can find here a Heat template that includes the above PowerShell script. Here’s an example of how to use it to deploy a stack:

heat stack-create puppet-stack-1 --template-file=puppet-agent.template \
--parameters="KeyName=key1;InstanceType=m1.small;SubnetId=$SUBNET_ID;WindowsVersion=WS12R2;PuppetMasterServer=puppet"

The post OpenStack Windows instances, Puppet and Heat appeared first on Cloudbase Solutions.

Last week we conducted a webinar called Cloud Computing, Open Source, OpenStack: What’s Eating the IT World Anyways? and we got some great questions, but we weren’t able to get to answers for all of them, so we’ve gathered them together here for you:

CTM:  If i have a network 10.10.10.10/20; could I separate into 10.10.10.10/21 and the rest, then give it to 2 projects (tenants)?

Roman Podoliaka:  I assume you are talking about externally reachable networks to be used for allocation of floating IPs. Yes, just create two external networks via Networking API with appropriate CIDR values.

CTM: Does OpenStack support more than one floating IP range? Like 192.168.1.0/24 and 192.168.100.0/24 and 172.168.0.0/16, for example.

Roman Podoliaka:  Yes. Just create a separate external network via Networking API for each CIDR.

CTM:  Does OpenStack have thin provisioning features?

Roman Podoliaka:  Yes, it does.  How to enable it depends on your situation.

JS:  Can Fuel can be used to modify already deployed environments (configuration etc.)? Or its only for initial deployment and adding nodes? Is it possible to modify some options for nova – for example – and deploy changes with fuel?

Vladimir Kozhukalov: Fuel uses puppet for Openstack deployment. Current approach allows one to modify working cluster, but not all of those parameters which were set before actual deployment can be changed. For example, disk partitioning scheme can not be modified as well as many of network parameters.

HL: How would you move the Nodes from one Installation to another? E.g. Grizzly to Havana.

Nick Chase:  This depends on your situation.  The easiest way is to start up a second cluster, in this case using Havana, and move workloads, rather than moving live nodes.  You can either do this by forcing processes to redirect to the new cluster, or by attrition, in which new workloads are started on the new cluster, and as workloads complete on the old cluster, they are not restarted, but are instead moved to the new one.  As nodes “empty out” and are no longer in use on the old cluster, you can re-provision them on the new cluster.

All that said, Icehouse will have a more well-defined upgrade path than previous releases have had.

EC:  How are the storage blocks attached to virtual machines?  E.g. hba or nfs.

Nick Chase:  I know it’s a cliche, but the answer here literally is “it depends”, because different block storage backend devices work differently. For an iSCSI device, an iSCSI target is created and nova receives an iSCSI Qualified Name (IQN).  Nova can then attach the block device to the compute node via that IQN and pass the raw block device to the guest instance.  On the other hand, NFS devices seem to all be different, and how they behave depends on their drivers.  Finally, Ceph RDB and other backends have their own way of doing things.  (Thanks to John Griffith and the folks in #openstack-cinder for the details.)

So to everyone who attended, thanks for joining us!  If you didn’t attend and wonder what you missed, you can download the recorded webinar.

The post Cloud Computing, Open Source, OpenStack: What’s Eating the IT World Anyway? — Your Answers appeared first on Mirantis | The #1 Pure Play OpenStack Company.

Adding Extra Compute Nodes to Rackspace Private Cloud

The first four of these posts covered setup and installation of my home lab, including the networking, PXE booting Ubuntu and installation of Rackspace Private Cloud. I ended up with two Controllers in HA and three Computes.

In this post I show how easy it is to add two extra Compute nodes to the lab.

The extra nodes are HP N54L MicroServers. They’re 2.2GHz AMD Turion II machines that come with 250Gb HDD and 2Gb RAM. I add an Integral 4Gb DIMM to each as well as an extra TP-Link NIC:

• openstack6
  • eth0 (onboard) 192.168.1.106
  • eth1 (TG-3468 Low Profile Gigabit PCI-X Adapter)
  • 2Gb DIMM (Original Supplied)
  • 4Gb DIMM (Integral 4GB DDR3-1333 DIMM)

• openstack7
  • eth0 (onboard) 192.168.1.107
  • eth1 (TG-3468 Low Profile Gigabit PCI-X Adapter)
  • 2Gb DIMM (Original Supplied)
  • 4Gb DIMM (Integral 4GB DDR3-1333 DIMM)

The first thing to do is prep my network services so I can PXE Boot. This includes adding the new services to DNS and DHCP (static IP assignment from MAC). As I use my QNAP TS-210 (192.168.1.1) as my DNS and DHCP service (courtesy of Dnsmasq) I add the following to /etc/hosts on there:

192.168.1.106 openstack6.home.mydomain.co.uk openstack6
192.168.1.107 openstack7.home.mydomain.co.uk openstack7

I then open up /opt/etc/dnsmasq.conf and add in the static MAC assignment:

dhcp-host=64:70:02:10:88:66,192.168.1.106,infinite
dhcp-host=64:70:02:10:88:99,192.168.1.107,infinite

After reloading the dnsmasq service (/opt/etc/init.d/S56dnsmasq restart) I’m ready to PXE boot the servers. See this post for details of my PXE Boot setup using the QNAP NAS boxes.

Now that they have Ubuntu installed on the two new servers, openstack6 (192.168.1.106) and openstack7 (192.168.1.107), as well as having root‘s SSH key setup, I first check that the networking is setup correctly on the new servers. The /etc/network/interfaces should have the following contents:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback

# Host/Management
auto eth0
iface eth0 inet dhcp

# Neutron Provider interface
auto eth1
iface eth1 inet manual
  up ip link set $IFACE up
  down ip link set $IFACE down

Bootstrap, assign role, chef-client, done!

With that in place, I can now bootstrap them with the Chef Client and assign the relevant roles which puts them as part of my OpenStack Compute lab. To do this I log onto my Chef server (running on openstack1) as root and issue the following:

knife bootstrap -E RPCS -r role[single-compute] 192.168.1.106
knife bootstrap -E RPCS -r role[single-compute] 192.168.1.107
knife ssh "role:single-compute" chef-client

And it is that easy!

The last command executes chef-client on all my computes. This isn’t strictly necessary to add these new nodes, but it’s good practice to run it to ensure that my computes are consistent.

I can view that my hypervisors (the compute nodes) are correctly available by issuing the following:

. openrc
nova hypervisor-list

This will produce the following output for my lab:

root@openstack1:~# nova hypervisor-list
+----+--------------------------------+
| ID | Hypervisor hostname            |
+----+--------------------------------+
| 1  | openstack5.home.mydomain.co.uk |
| 3  | openstack3.home.mydomain.co.uk |
| 5  | openstack4.home.mydomain.co.uk |
| 7  | openstack6.home.mydomain.co.uk |
| 8  | openstack7.home.mydomain.co.uk |
+----+--------------------------------+

+read more

I frequently need to have latest KVM, QEMU, libvirt and libguestfs while testing with OpenStack RDO. I either build from upstream git master branch or from Fedora Rawhide (mostly this suffices). Below I describe the exact sequence I try to build from git. These instructions are available in some form in the README files of the said packages, just noting them here explicitly for convenience. My primary development/test environment is Fedora, but it should be similar on other distributions. (Maybe I should just script it all.)

Build KVM from git

I think it’s worth noting the distinction (from traditional master branch) of these KVM git branches: remotes/origin/queue and remotes/origin/next. queue and next branches are same most of the time with the distinction that KVM queue is the branch where patches are usually tested before moving them to the KVM next branch. And, commits from next branch are submitted (as a PULL request) to Linus during the next Kernel merge window. (I recall this from an old conversation with Gleb Natapov (thank you), one of the previous KVM maintainers on IRC).

# Clone the repo
$ git clone \
  git://git.kernel.org/pub/scm/virt/kvm/kvm.git

# To test out of tree patches,
# it's cleaner to do in a new branch
$ git checkout -b test_branch

# Make a config file
$ make defconfig

# Compile
$ make -j4 && make bzImage && make modules

# Install
$ sudo -i
$ make modules_install && make install

Build QEMU from git

To build QEMU (only x86_64 target) from its git:

# Install buid dependencies of QEMU
$ yum-builddep qemu

# Clone the repo
$ git clone git://git.qemu.org/qemu.git

# Create a build directory to isolate source directory 
# from build directory
$ mkdir -p ~/build/qemu && cd ~/build/qemu

# Run the configure script
$ ./configure --target-list=x86_64-softmmu \
  --disable-werror --enable-debug 

# Make a config file
$ make defconfig

# Compile
$ make -j4 && make bzImage && make modules

# Install
$ sudo -i
$ make modules_install && make install

Build libvirt from git

To build libvirt from its upstream git:

# Install build dependencies of libvirt
$ yum-builddep libvirt

# Clone the libvirt repo
$ git clone git://libvirt.org/libvirt.git && cd libvirt

# Create a build directory to isolate source directory
# from build directory
$ mkdir -p ~/build/libvirt && cd ~/build/libvirt

# Run the autogen script
$ ../src/libvirt/autogen.sh

# Compile
$ make -j4

# Run tests
$ make check

# Invoke libvirt programs without having to install them
$ ./run virsh [. . .]

[Or, prepare RPMs and install them]

# Make RPMs (assumes Fedora `rpmbuild` setup
# is properly configured)
$ make rpm

# Install/update
$ yum update *.rpm

Build libguestfs from git
To build libguestfs from its upstream git:

# Install build dependencies of libvirt
$ yum-builddep libguestfs

# Clone the libguestfs repo
$ git clone git://github.com/libguestfs/libguestfs.git

# Create a build directory to isolate source directory
# from build directory
$ mkdir -p ~/build/liguestfs && cd ~/build/libguestfs

# Run the autogen script
$ ../src/libvirt/autogen.sh

# Compile
$ make -j4

# Run tests
$ make check

# Invoke libguestfs programs without having to install them
$ ./run guestfish [. . .]

If you’d rather prefer libguestfs to use the custom QEMU built from git (as noted above), QEMU wrappers are useful in this case.

Alternate to building from upstream git, if you’d prefer to build the above components locally from Fedora master here are some instructions .

Consistency—a necessity when it comes to any large-scale, open source project. Sharing source code and libraries between the different components of OpenStack is critical to its rapid evolution and fast-paced development. The Oslo program is what holds it all together and brings consistency to OpenStack. We wanted to learn more about Oslo and what is does for OpenStack. So we asked the program lead to share his thoughts.

read more

opensource.com interview about OpenStack Oslo

I was interviewed by Jason Hibbets of Red Hat about the OpenStack Oslo Program for an article on opensource.com that was posted today.

The interview happened while I was updating my recent blog post, The Intersection of the OpenStack and Python Communities, and some of the same themes come through. Besides reducing duplication of effort (and code) I have also been thinking a great deal lately about the importance of consistency when working with such a large contributor base (over 1000 developers from more than 100 companies for the Icehouse release according to stackalytics.com).

Lately, I've been thinking a lot about what queues represent in Marconi and how they could be improved. It's not a secret that I'm not a fan of the way we're currently thinking about queues. Throughout Marconi, a queue is a first-citizen resource that is used to group messages under a specific context. Other than that, a queue has no other responsibility and it doesn't do anything useful from a user perspective.

In addition to the aforementioned, queues are not as lazy as I would like them to be. In order to post a message, a queue must exist, which means it's necessary to create the queue before posting a message.

If we look at how some messaging tools and protocols work nowadays, we'll see that many of them have shift away from this concept to a more message oriented one. For instance, qpid-proton, which is implemented on top of amqp 1.0, needs no queue to send a message. Another good example is zmq, which doesn't have the concept of queue either.

At this point, you could already guess what my proposal is:

Let's get rid of queues

In my opinion, queues have reached the end of they're lives. The idea of having a first-citizen resource that piles up a bunch of messages and allows clients to subscribe to them is not affordable nor necessary anymore.

From a user perspective, the most important resource in a queuing system is the message. The user expects the queuing system to be reliable in terms of message delivery not queue's existence. Whether the queue plays an important role in this whole process is not as important to the user as being able to send and receive messages fast and reliably.

This is what keeping a queue means in Marconi:

API: Queue's have their own set of RESTFul endpoints. In order to create a queue, you need to send a POST request to the queue's endpoint. The same thing is necessary to get the metadata of that queue.

Storage: As of now, Marconi has just database like storage drivers. Regardless of what the driver is, Marconi can't simply trust that the queue exists. Therefore, it is necessary to verify the queue existence before doing any operation on the message. Depending on the storage, this may require either an extra query, an extra join or an extra call.

What If we just think about Topics?

I'd like to introduce the knowledge of Topic in Marconi. A topic describes the context a message belongs to - basically the way queues did. The difference between a topic like the one proposed here and queues is that the former ought not to be a first-citizen resource - instead it should be an attribute of the message - whereas the later is a first-citizen resource that acts as a categorizer of messages.

Note that this does not mean that drivers for 'queue-aware' system can't be implemented. The difference is that the concept of queue would be lazily hidden behind a topic.

What about queue's metadata?

When queue's metadata was first introduced in Marconi, the idea was to allow users to add custom properties for that queue. Behind that generosity hides the idea of re-using the queue metadata to add private properties like per-queue limits, flavors etc.

I don't think this necessarily needs to go away. The idea would be to make the queue resource - now called topic - completely optional. It would still be possible to query it, create it and delete it but it won't play such an important role as it does now.

What about existing code?

To be fully honest, I don't think this change would require any code changes in the client side. The existing library requires the user to have a queue instance to which the messages are posted. Those Queues instances could be made lazy without impacting the way the user code works.

For instance, this example won't need to be changed:

```python cli = client.Client(URL) queue = cli.queue(queue_name) queue.post(messages)

for msg in queue.messages(echo=True):
    print(msg.body)
    msg.delete()

```

Although it would also be possible to write it as:

```python cli = client.Client(URL) cli.post(messages, topic=queue_name)

for msg in cli.messages(topic=queue_name, echo=True):
    print(msg.body)
    msg.delete()

```

Conclusion

This post doesn't introduce anything that hasn't been heard before. The concept of topics has been around for quite some time and it's already been adopted by various of the existing queuing systems - it may mean something different in some cases. Many of those systems are still bound to queues but others - like the ones mentioned in this post - have abandoned it. I think this is the right moment for Marconi to make such a choice without brutally disrupting existing deployments.

I'm sorry for making this post short, rough and not as detailed as I'd have liked. This is just a proposal and it requires way more discussion and thoughts but I wanted to throw it out here.

Thoughts?

[DEFAULT]
...
quota_volumes=0
quota_snapshots=0
volume_driver=cinder.volume.drivers.rbd.RBDDriver
rbd_user=volumes
rbd_pool=volumes
rbd_secret_uuid=00000000-1111-2222-3333-000000000001

Introduction

I recently tried to set up OpenStack with docker as the hypervisor on a single node and I ran into mountains of trouble.  I tried with DevStack and entirely failed using both the master branch and stable/havana.  After much work I was able to launch container but the network was not right.  Ultimately I found a path that worked.  This post explains how I did this.

Create the base image

CentOS 6.5

The first step is to have a VM that can support this.  Because I was using RDO this needed to be a Red Hat derivative.  I originally chose a stock vagrant CentOS 6.5 VM.  I got everything set up and then ran out of disk space (many bad words were said).  Thus I used packer and the templates here to create a CentOS VM with 40GB of disk space.  I had to change the “disk_size” value under “builders” to something larger than 40000. Then I ran the build.

packer build template.json

When this completed I had a centos-6.5 vagrant box ready to boot.

Vagrant

I wanted to manage this VM with Vagrant and because OpenStack is fairly intolerant to HOST_IP changes I had to inject in an interface with a static IP address.  Below is the Vagrant file I used:

Vagrant.configure("2") do |config|
   config.vm.box = "centos-6.5-base"
   config.vm.network :private_network, ip: "172.16.129.26"
   ES_OS_MEM = 3072
   ES_OS_CPUS = 1
   config.vm.hostname = "rdodocker"
  config.vm.provider :virtualbox do |vb|
    vb.customize ["modifyvm", :id, "--memory", ES_OS_MEM]
    vb.customize ["modifyvm", :id, "--cpus", ES_OS_CPUS]
  end
end

After running vagrant up to boot this VM I got the following error:

The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!
/sbin/ifdown eth1 2> /dev/null
Stdout from the command:

Stderr from the command:

Thankfully this was easily solved.  I sshed into the VM with vagrant ssh, and then ran the following:

cat <<EOM | sudo tee /etc/sysconfig/network-scripts/ifcfg-eth1 >/dev/null
DEVICE="eth1"
ONBOOT="yes"
TYPE="Ethernet"
EOM

After that I exited from the ssh session and repackaged the VM with vagrant package –output centos-6.5-goodnet.box. I added the new box to vagrant and altered my Vagrant file to boot it.  I now had a base image on which I could install OpenStack.

RDO

Through much trial and error I came to the conclusion that I needed the icehouse development release of RDO.  Unfortunately this alone was not enough to properly handle docker.  I also had to install nova from the master branch into a python virtualenv and reconfigure the box to use that nova code.  This section has the specifics of what I did.

RDO Install

I followed the instructions for installing RDO that are here, only instead of running packstack –allinone I used a custom answer file.  I generated a template answer file with the command packstack –gen-answer-file=~/answers.txt.  Then I opened that file and I substituted out ever IP address with the IP address that vagrant was injecting into my VM (in my case this was 172.16.129.26).  I also set the following:

CONFIG_NEUTRON_INSTALL=n

This is very important.  The docker driver does not work with neutron.  (I learned this the hard way).  I then installed RDO with the command packstack –answerfile answers.txt.

Docker

Once RDO was installed and working (without docker) I set up the VM such that nova would use docker.  The instructions here are basically what I followed.  Here is my command set:

sudo yum -y install docker-io
sudo service docker start
sudo chkconfig docker on
sudo yum -y install docker-registry
sudo usermod -G docker nova
sudo service redis start
sudo chkconfig redis on
sudo service docker-registry start
sudo chkconfig docker-registry on

I edited the file /etc/sysconfig/docker-registry and add the following:

export SETTINGS_FLAVOR=openstack
export REGISTRY_PORT=5042 
. /root/keystonerc_admin 
export OS_GLANCE_URL=http://172.16.129.26:9292

Note that some of the values in that file were already set.  I removed those entires.

OpenStack for Docker Configuration

I changed this entry in  /etc/nova/nova.conf

compute_driver = docker.DockerDriver

this value (and uncommented it) in /etc/glance/glance-api.conf:

container_formats = ami,ari,aki,bare,ovf,docker

Hand Rolled Nova

Unfortunately docker does not work with the current release of RDO icehouse.  Therefore I had to get the latest code from the master branch of nova.  Further I had to install it.  To be safe I put it in its own python virtualenv.  In order to install nova like this a lot of dependencies must be installed.  Here is the yum command I used to install what I needed (and in some cases just wanted).

yum update
 yum install -y telnet git libxslt-devel libffi-devel python-virtualenv mysql-devel

Then I installed nova and its package specific dependencies into a virtualenv that I created.  The command sequence is below:

git clone https://github.com/openstack/nova.git
virtualenv --no-site-packages /usr/local/OPENSTACKVE
source /usr/local/OPENSTACKVE/bin/activate
pip install -r requirements.txt
pip install qpid-python
pip install mysql-python
python setup.py install

At this point I had an updated version of the nova software but it was running against an old version of the data base.  Thus I had to run:

nova-manage db sync

The final step was to change all of the nova startup scripts to point to the code in the virtualenv instead of the code installed to the system.  I did this by opening up every file at /etc/init.d/openstack-nova-* and changing the exec=”/usr/bin/nova-$suffix” line to exec=”/usr/local/OPENSTACKVE/bin/nova-$suffix”.  I then rebooted the VM and I was FINALLY all set to launch docker containers that I could ssh into!

Make OpenStack speak your language

Looking for a way to contribute to OpenStack? Coding is just one of the available options. In fact, there are several non-coding activities like design, documentation, marketing and internationalization. For more details about this, go ahead and check out the how to contribute wiki page.

OpenStack Upstream Training in Atlanta

The OpenStack Foundation is delivering a training program to accelerate the speed at which new OpenStack developers are successful at integrating their own roadmap into that of the OpenStack project.  If you’re a new OpenStack contributor or plan on becoming one soon, you should sign up for the next OpenStack Upstream Training in Atlanta, May 10-11. Participation is strongly advised also for first time participants to OpenStack Design Summit.

Why we do Feature freeze

OpenStack Release Manager Thierry Carrez explains why OpenStack project does something so ‘anti-agile’ as feature freeze weeks before the release.

The Intersection of the OpenStack and Python Communities

OpenStack reached the considerable size of 1.3 million lines of code, mostly python. Oslo PTL Doug Hellmann shares his thoughts on how to keep OpenStack complexity manageable.

The road to Juno Summit – Atlanta 2014

• Redeem your invite code NOW! Check your inbox and spam folder if you contributed code before January 25 for your invitation.
• Next batch of invites will be sent next week.
• Applying for Visa? Looking for accommodation in Atlanta? Visit http://openstack.org/summit

Tips ‘n Tricks

• By Anne Gentle: Finding an OpenStack Mentor
• By Thomas Oulevey: Enable Cinder-multi-backend with an existing Ceph backend.
• By Mikhail Chernik: Edge of the Stack: Understanding IPMI, the Underpinning of Bare Metal Provisioning
• By Kevin Jackson: Inside My Home Rackspace Private Cloud, OpenStack Lab, Part 4: Neutron
• By Gonéri Le Bouder: How to use eDeploy roles with Vagrant

Reports from Previous Events

• OpenStack TripleO mid-cycle sprint kicks off

Upcoming Events

• OpenStack Rhône-Alpes Meet-up #3: Vers Icehouse Mar 13, 2014 – Lyon, France Details
• Eventually OpenStack for M&E Mar 17, 2014 – Santa Monica, CA Details
• Paris OpenStack Meetup Mar 19, 2014 – Paris, France Details
• SFBay OpenStack Hackathon #OSSFO Mar 20, 2014 – Details
• Open Source Festival Mar 29, 2014 – University at Albany, NY Details
• Cloud Connect Summit at Interop Mar 31 – Apr 01, 2014 – Las Vegas, Nevada Details
• World Hosting Days Apr 01 – 03, 2014 – Rust, Germany Details
• SFBay Meetup – Beginner track Apr 03, 2014 – Sunnyvale, CA Details
• SFBay OpenStack Hackathon #OSSFO Apr 03, 2014 – Details
• OpenStack Nordics Meetup Apr 03, 2014 – Stockholm, Sweden Details
• PyCon Apr 09 – 17, 2014 – Montreal, Canada Details
• SFBay OpenStack Hackathon #OSSFO Apr 17, 2014 – Sunnyvale,CA Details
• SFBay Meetup – Beginner track May 01, 2014 – Sunnyvale,CA Details
• OpenStack DACH Day at LinuxTag 2014 May 09, 2014 – Berlin, Germany Details

Security Advisories

• Trustee token revocation does not work with memcache backend (CVE-2014-2237)

Popular OpenStack Videos of the Week

• OpenStack Networking Hands-on Lab
• Openstack 101

Other News

• Swift 1.13.0 released
• Icehouse-3 development milestone available
• python-heatclient 0.2.8 released
• python-novaclient 2.17.0 released
• Cloudbase bringing OpenStack to University of Timisoara
• Which Open vSwitch?
• Open Mic Spotlight: Ghe Rivero
• The potential for OpenStack in the enterprise
• OpenStack Project Meeting: Summary and full logs

Got Answers?

Ask OpenStack is the go-to destination for OpenStack users. Interesting questions waiting for answers:

• OpenStack Routing for VMs running Docker Containers. Is there a smarter way of doing this?
• Where can I find good info on setting up Openstack with GFS2
• Using gluster with RDO and Foreman
• Is it possible to change the hypervisor settings in devstack?
• Help With Packstack All-in-one External Access and 2 Network Interfaces
• remove volume tab on Project Manage Compute on Horizon dashboard
• How to create a VM with a prepopulated volume
• openstack swift small objects put performance
• Why are nova and neutron services going down from time to time?
• ML2 driver with GRE not working on multi-node installation
• How to minimize the chance that a file can’t be read during Swift rebalance process?

Welcome New Reviewers and Developers

Latest Activity In Projects

Do you want to see at a glance the bugs filed and solved this week? Latest patches submitted for review? Check out the individual project pages on OpenStack Activity Board – Insights.

• Telemetry (Ceilometer)
• Block Storage (Cinder)
• Image Service (Glance)
• Orchestration API (Heat)
• Dashboard (Horizon)
• Bare Metal Provisioning (Ironic)
• Identity (Keystone)
• Manuals
• Networking (Neutron)
• Compute (Nova)
• Hadoop Cluster as a Service (Sahara)
• Object Storage (Swift)
• Database As A Service (Trove)

OpenStack Reactions

Refactoring old code

The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment.

As OpenStack marches towards it’s Icehouse release this spring, some work I’ve been doing has finally merged upstream. This week, both the OpenDaylight ML2 MechanismDriver and devstack support for OpenDaylight merged upstream. This was a huge effort which spans the efforts of many people. This was the first step in solidifying the integration of OpenDaylight with OpenStack Neutron, and we have many additional things we can do. To get a first taste of running the two together, please see the video of the OpenDaylight Summit presentation myself, Madhu Venugopal, and Brent Salisbury did in early February.

Taking OpenDaylight For a Test Run With OpenStack Neutron

Now that the patches have merged upstream, trying this out is extremely simple. If you’re running a single node, you can simple setup the Neutron portion of your local.conf as follows and OpenDaylight will be downloaded and run as a top-level devstack service:

# ODL WITH ML2
Q_PLUGIN=ml2
Q_ML2_PLUGIN_MECHANISM_DRIVERS=opendaylight,logger
enable_service odl-server odl-compute

That’s all that’s required. When you run “stack.sh”, you will see a screen called “odl-server” which will be OpenDaylight. And Neutron will use OpenDaylight to satisfy the requirements of virtual tenant networks.

If you’re trying this with a multi-node setup, you can use the above for your controller. And on your compute nodes, try this addition to local.conf:

enable_service odl-compute

That will configure the host to use Open vSwitch and set it up to point at OpenDaylight. It will also ensure Nova is setup to use Neutron for networking API calls.

Running OpenDaylight Outside of devstack

If you’re running OpenDaylight outside of devstack, you can configure your control node like this:

Q_PLUGIN=ml2
Q_ML2_PLUGIN_MECHANISM_DRIVERS=opendaylight,logger
enable_service odl-compute
ODL_MGR_IP=x.x.x.x

Just replace x.x.x.x in the ODL_MGR_IP line with the IP of your running OpenDaylight instance.

For compute hosts, all you need to add is this:

enable_service odl-compute
ODL_MGR_IP=x.x.x.x

Again, just replace x.x.x.x in the ODL_MGR_IP line with the IP of your running OpenDaylight instance. Your control and compute nodes will now utilize an external OpenDaylight controller.

Additional Configuration Values

There are some additional things you can configure for OpenDaylight. They are:

• ODL_ARGS: This value can be set to options to pass OpenDaylight. The default is “-XX:MaxPermSize=384m”. An example would be like this:ODL_ARGS=”-Xmx1024m -XX:MaxPermSize=512m”
• ODL_BOOT_WAIT: This value indicates how long to sleep after starting OpenDaylight before proceeding with the rest of devstack. The default value is 60 seconds. An example is like this:
  ODL_BOOT_WAIT=70

The Future of Open Source SDN

OpenDaylight is progressing at a very fast pace. The current release being worked on (Helium) is going to stabilize and scale the platform even more. With features like Group Policy being added, the future looks increasingly awesome for OpenDaylight. And now you can use it to scale your Neutron networks as well. How cool is that?

On Monday, March 3rd, we kicked off the TripleO (“OpenStack on OpenStack” ) mid-cycle meetup at the HP offices in Sunnyvale, California.

The day began by splitting up into groups with our specific focuses, including Ironic (bare metal) and Continuous Integration, where I ended up.

I was able to spend the day following up on a couple patches I had outstanding for the work I’ve been doing with Fedora on the infrastructure side and get some work done on another patch.

After lunch, Derek Higgins of Red Hat gave participants a walk through of how we’re doing testing, with a tour of the setup for our testing environments and the “TripleO cloud” itself that’s currently being used for testing, running on a rack of servers provided by HP.

After the tour, he made the diagram he used available to get a better picture of everything:

(Click for full version)

My day wrapped up by having a chat with some folks from Mirantis about some of their multi-node testing plans and how that may tie in to the work we’re doing in TripleO and the rest of infra.

The rest of the week so far has been spent over at the Yahoo! offices in Sunnyvale. Most noteworthy to what I’m working on, the Red Hat folks were able to make progress on getting their own rack up to supplement the current testing rack from HP in order to have redundancy in testing. I was also able to make progress in getting Fedora into the testing pool and had the opportunity to use the high bandwidth time with colleagues to work on some SELinux issues I’ve been running into and do some in person debugging.

Last night HP sponsored a fun dinner for all sprint attendees down at Gordon Biersch in San Jose. Today, Thursday we’re continuing our work which will wrap up tomorrow.

This post is part of the OpenStack Open Mic series to spotlight the people who have helped make OpenStack successful. Each week, a new contributor will step up to the mic and answer five questions about OpenStack, cloud, careers and what they do for fun. If you’re interested in being featured, please choose five questions from this form and submit!

After ten years as a system administrator in a university data center, Ghe joined StackOps in early 2012 to work on a solution for managing your own clouds and those of third parties effortlessly with OpenStack. His first contributions to OpenStack can be traced back to 2011 in neutron project (quantum, by then) and working on the OpenStack Debian packaging team. After that, in late 2012, he became part of HP as a cloud automation and distribution engineer mainly focused in TripleO and Ironic projects. He works from home in Salamanca, Spain, and loves outdoor activities like hiking and cycling, photography and traveling. You can get in touch with him on Twitter at @GheRivero.

1) What drew you to OpenStack?

I first met OpenStack during a virtualization project for some web services. Plain virtualization was ok, but didn’t fulfill all of my desires. So while looking for cloud solutions, OpenStack crossed my path and I fell in love with it. It was free, open and having the backup of great companies was a plus. But what really caught my attention was a growing community willing to welcome new developers. The OpenStack community is one the most enthusiastic I’ve ever met, with all of us working for different companies and collaborating.

2) Where is your favorite place to code? In the office, at a local coffee shop, in bed?

It all depends on the task I’m dealing with. I love coding by night in my standing desk at home, but in office hours, I really like going to an old library. The silence and calm of the place help me to focus and forget about almost everything. I almost get locked in a couple of times because I lost track of time!

3) What does “open source” mean to you?

It’s the best place to start working on a project, be recognized for your efforts, work in community and share your knowledge and ideas. What I really like about is that in spite of it starting as a computer movement, it has spread to many others places. We can start talking about open culture, with the copyleft and creative commons licenses, open data, Wikipedia and all kind of siblings, and even open democracy with the Iceland’s new crowd-sourced constitution. Openness is everywhere, and the right way to do things. I can’t imagine where we’d be by now if someone would have patented the fire and started charging for it when it was discovered.

4) How did you learn to code? Are you self-taught or did you lear in college? On-the-job?

I learned some basic coding skills in college, but in my previous job as a sysadmin I was not very fond of that and tried to avoid it, and delegated as much as possible. After some pitfalls, I decided to take matters into my own hands and start working on some free software projects (GNOME desktop and Debian) and start learning not only about coding but also about community.

5) What new OpenStack projects do you think will have a significant impact on the cloud market in the next year?

OpenStack is a pretty mature project despite being only three years old, so the core functionality is the keystone for a growing ecosystem around it, but it’s getting more and more complicated to be installed and operated, so projects like TripleO and Ironic will have a great impact during the next year.

Looking for a way to contribute to OpenStack? Coding is just one of the available options. In fact, there are several non-coding activities like design, documentation, marketing and internationalization. For more details about this, go ahead and check out the how to contribute wiki page.

Every contribution is welcome and what you decide to do depends on what you have to offer. That is, your knowledge and your time.

read more

Yesterday we entered the Icehouse development cycle Feature Freeze. But with the incredible growth of the OpenStack development community (508 different contributors over the last 30 days, including 101 new ones !), I hear a lot of questions about it. I’ve explained it on various forums in the past, but I figured it couldn’t hurt to write something a bit more definitive about it.

Why

Those are valid questions. Why freeze features ? That sounds very anti-agile. Isn’t our test-centric development model supposed to protect us from regressions anyway ? Let’s start with what feature freeze is not. Feature freeze should only affect the integrated OpenStack release. If you don’t release (i.e. if you don’t special-case certain moments in the development), then feature freezing makes little sense. It’s also not a way to punish people who failed to meet a deadline. There are multiple reasons that a given feature will miss a deadline, and most of those are not the fault of the original author of the feature. We do time-based releases, so some features and some developers will necessarily be caught on the wrong side of the fence at some point and need to wait for the next boat. It’s an artifact of open innovation projects.

Feature freeze (also known as “FF”) is, obviously, about stopping adding new features. You may think of it as artificially blocking your progress, but this has a different effect on other people:

• As was evidenced by the Icehouse cycle, good code reviewers are a scarce resource. The first effect of feature freeze is that it limits the quantity of code reviews and make them all about bugfixes. This lets reviewers concentrate on getting as many bugfixes in as possible before the “release”. It also helps developers spend time on bugfixes. As long as they can work on features, their natural inclination (or their employer orders) might conflict with the project interest at this time in the cycle, which is to make that point in time we call the “release” as bug-free as possible.

• From a QA perspective, stopping the addition of features means you can spend useful time testing “in real life” how OpenStack behaves. There is only so much our automated testing will catch. And it’s highly frustrating to spend time testing software that constantly changes under you.

• QA is not the only group that needs to catch up. For the documentation team, the I18N team, feature freeze is essential. It’s difficult to write documentation if you don’t know what will be in the end product. It’s frustrating to translate strings that are removed or changed the next day.

• And then you have all the downstream consumers of the release that can use time to prepare it. Packagers need software that doesn’t constantly change and add dependencies, so that they can prepare packages for OpenStack projects that are released as close to our release date as possible. The marketing team needs time to look into what was produced over the cycle and arrange it in key messages to communicate to the outside world at release time.

• Finally, for release management, feature freeze is a tool to reduce risk. The end goal is to avoid introducing an embarassing regression just before release. By gradually limiting the impact of what we accept in the release branch (using feature freeze, but also using the RC dance that comes next), we try our best to prevent that.

Exceptions

For all these groups, it’s critical that we stop adding features, changing behavior, adding new configuration options, or changing translatable strings as early as possible. Of course, it’s a trade-off. There might be things that are essential to the success of the release, or things that are obviously risk-limited. That’s why we have an exception process: the Feature Freeze exceptions (“FFEs”).

Feature freeze exceptions may be granted by the PTL (with the friendly but strong advice from the release management team). The idea is to weigh the raw benefit of having that feature in the release, against the complexity of the code that is being brought in, its risk of causing a regression, and how deep we are in feature freeze already. A self-contained change that is ready to merge a few days after feature freeze is a lot more likely to get an exception than a refactoring of a key layer that still needs some significant work to land. It also depends on how many exceptions were already granted on that project, because at some point adding anything more just causes too much disruption.

It’s a difficult call to make, and the release management team is here to help the PTLs make it. If your feature gets denied, don’t take it personally. As you saw there are a large number of factors involved. Our common goal is to raise the quality of the end release, and every feature freeze exception we grant is a step away from that. We just can’t take that many steps back and still guaranteeing we’ll win the race.

The OpenStack Foundation is delivering a training program to accelerate the speed at which new OpenStack developers are successful at integrating their own roadmap into that of the OpenStack project.  If you’re a new OpenStack contributor or plan on becoming one soon, you should sign up for the next OpenStack Upstream Training in Atlanta, May 10-11. Participation is strongly advised also for first time participants to OpenStack Design Summit.

With over 1000 developers from 80 different companies worldwide, OpenStack is one of the largest collaborative software-development projects. Because of its size, it is characterized by a huge diversity in social norms and technical conventions. These can significantly slow down the speed at which changes by newcomers are integrated in the OpenStack project.

OpenStack Foundation partnered with Upstream University to train new OpenStack developers and documentation writers to ensure their bug fix or feature is accepted in the OpenStack project in a minimum amount of time. Students are required to work on real-life bug fixes or new features during two days of real-life classes and online mentoring, until the work is accepted by OpenStack. The live two-day class teaches them to navigate the intricacies of the project’s technical tools and social interactions. In followup sessions, the students benefit from individual online sessions to help them resolve any remaining problems they might have. Get all the details on the wiki.

Enrolment for the training session in Atlanta is now open: register and reserve your free seat for OpenStack Upstream Training in Atlanta, May 10-11.

OpenStack has emerged as the consensus forum for open source private cloud software. That of course makes it a big and complex community, with complex governance and arguably even more complex politics, but it has survived several rounds of competition and is now settling down as THE place to get diverse vendors to work together on a IAAS that anybody can deploy for themselves. It is a big enough forum with sufficient independent leadership that no one vendor will ever control it (despite some fantastically impressive efforts to do so!). In short, OpenStack is what you want if you are trying to figure out how to build yourself a cloud.

And by quite a large majority, most of the people who have actually chosen to deploy OpenStack in production, have done so on Ubuntu.

At the latest OpenStack summit, an official survey of production OpenStack deployments found 55% of them on Ubuntu, a stark contrast with the 10% of OpenStack deployments on RHEL.

Canonical and Ubuntu play an interesting role in OpenStack. We do not seek to control any particular part of the project, although some of our competitors clearly think that would be useful for them to achieve, we think OpenStack would be greatly diminished in importance if it was perceived to be controlled by a single vendor, and we think there are enough contributors and experts around the table to ensure that the end result cannot actually be controlled by a single party. To a certain extent, the battle for notional control of key aspects of OpenStack just holds the project back; it’s a distraction from the real task at hand, which is to deliver a high quality, high performance open cloud story. So our focus is on supporting the development of OpenStack, supporting the broadest range of vendors who want to offer OpenStack solutions, components and services, and enabling a large ecosystem to accelerate the adoption of OpenStack in their markets.

It’s a point of pride for us that you can get an OpenStack cloud built on Ubuntu from just about every participant in the OpenStack ecosystem – Dell, HP, Mirantis, and many more – we think the healthiest approach is for us to ensure that people have great choices when it comes to their cloud solution.

We were founding members and are platinum sponsors of the OpenStack Foundation. But what’s more important to us, is that most OpenStack development happens on Ubuntu. We take the needs of OpenStack developers very seriously – for 14.04 LTS, our upcoming bi-annual enterprise release, a significant part of our product requirements were driven by the goal of supporting large-scale enterprise deployments of OpenStack with high availability as a baseline. Our partners like HP, who run one of the largest OpenStack public cloud offerings, invest heavily in OpenStack’s CI and test capabilities, ensuring that OpenStack on Ubuntu is of high quality for anybody who chooses the same base platform.

We publish stable, maintained archives of each OpenStack release for the LTS releases of Ubuntu. That means you can ALWAYS deploy the latest version of OpenStack on the current LTS of Ubuntu, and there is a clear upgrade path as new versions of both OpenStack and Ubuntu are released. And the fact that the OpenStack release cadence and the Ubuntu release cadence are perfectly aligned is no accident – it ensures that the OpenStack developers can always deliver their latest code straight to a very large audience of developers and operators. That’s important because of the extraordinary pace of innovation inside OpenStack; there are significant and valuable improvements in each six-month release, so customers, even enterprise customers, find themselves wanting a more aggressive upgrade schedule for OpenStack than is normal for them in platform environments. We support that and have committed to continue doing so, though we do expect the urgency of those upgrades to diminish as OpenStack matures over the next three years.

For commercial support of OpenStack, we are happy for industry to engage either with our partners who can provide local talent combined with an escalation path to Canonical for L3 support of the whole solution, or directly with Canonical if the circumstances warrant it. That means building on Ubuntu opens up a wide range of solution providers who can make the same high commitment to SLAs and upgrades.

For Canonical itself, our focus is on scale and quality. Our direct customers run the very largest production deployments of OpenStack, both private and public, and we enjoy collaborating with their architects to push the limits of the stack as it stands today. That gives us a lot of insight into the approaches being taken by a wide range of architects in telco, finance and media. We ourselves invest very heavily in testing, continuous integration, and interoperability, with the largest OpenStack interop program (OIL) that gives us the ability to speak with confidence about what combinations of vendor offerings will actually work, and in many cases, how they will perform together for different applications.

The fact that the traditional enterprise Linux vendors have now joined OpenStack is a tremendous validation of the role that OpenStack has assumed in industry: THE open cloud forum. But for all the reasons outlined above, most of the actual production deployments of OpenStack are not on traditional, legacy enterprise Linux. This mirrors the public cloud, where even the largest and most mission-critical deployments tend not to be on proprietary Linux offerings; the economics of HA single-node solutions just don’t apply in a scale-out environment. So just as Ubuntu is by far the most widely used platform for public cloud guests, it is also on track to be the enterprise choice for scale-out infrastructure like IAAS, storage, and big data. Even if you have always done Linux a particular way, the transition to scale-out thinking is an opportunity to reset expectations about your base OS; and for the fastest-moving players in telco, media and finance, Ubuntu turns out to be a great way to get more done, more efficiently.

The OpenStack Foundation is delivering a training program to accelerate the speed at which new OpenStack developers are successful at integrating their own roadmap into that of the OpenStack project.  If you’re a new OpenStack contributor or plan on becoming one soon, you should sign up for the next OpenStack Upstream Training in Atlanta, May 10-11. Participation is strongly advised also for first time participants to OpenStack Design Summit.

With over 1000 developers from 80 different companies worldwide, OpenStack is one of the largest collaborative software-development projects. Because of its size, it is characterized by a huge diversity in social norms and technical conventions. These can significantly slow down the speed at which changes by newcomers are integrated in the OpenStack project.

OpenStack Foundation partnered with Upstream University to train new OpenStack developers and documentation writers to ensure their bug fix or feature is accepted in the OpenStack project in a minimum amount of time. Students are required to work on real-life bug fixes or new features during two days of real-life classes and online mentoring, until the work is accepted by OpenStack. The live two-day class teaches them to navigate the intricacies of the project’s technical tools and social interactions. In followup sessions, the students benefit from individual online sessions to help them resolve any remaining problems they might have. Get all the details on the wiki.

Enrolment for the training session in Atlanta is now open: register and reserve your free seat for OpenStack Upstream Training in Atlanta, May 10-11.

Articles and tutorials in the “Edge of the Stack” series cover fundamental programming issues and concerns that might not come up when dealing with OpenStack directly, but are certainly relevant to the OpenStack ecosystem. For example, bare metal provisioning requires the ability to programmatically turn a machine on or off, which is handled using IPMI.

When computer networks grew large, the need to manage many types of hardware produced by different vendors turned painful. Existing tools provided by manufacturers were mutually incompatible. This led to developing a standard that enables you to manage servers in a uniform way. This widely adopted standard was named the Intelligent Platform Management Interface (IPMI).

IPMI provides a well-defined hardware interface between the management software and the managed platform. The standard also describes the hardware architecture so that most hardware can be managed with the same set of tools. It provides an inventory of components, monitoring for a large number of system parameters, event logging, and a set of management tasks such as access to the system BIOS, changing the platform’s power state. It also allows remote access to the console and provides some other features.

The IPMI hardware is integrated into most of the modern server system boards. It can have its own LAN or serial port or share one with the managed system. The IPMI board does not depend on the platform CPU, BIOS, OS, or power state.

There are several implementations of IPMI protocol included in Linux distribution. This allows OpenStack baremetal instance to monitor and manage underlying hardware as well as expose management interface via Nova API. In this scenario IPMI provides ability to detect hardware problems early and thus increase robustness of the cloud by taking measures proactively.

History

IPMI was developed by Intel, HP, Dell, and NEC. Version 1 was presented on Intel Developers Forum in the fall of 1998. By that time many current features was already described.

Next major update was presented in version 1.5, which was published in 2001. This version extended messaging and alerting capabilities of the system, allowing it to send alerts via LAN or serial interface, for example modem. Also since v.1.5 IPMI can send alerts as SNMP traps (Platform Events Trap, PET) and supports complex alert processing rules with Platform Events Filter (PEF) and Alerts Policy. Another introduced feature was boot options management.

In 2004 was published the specification for version 2.0. The main updates were enhanced security and payloads. New security features allow to encrypt communication with IPMI, access control privileges and enhanced authentication. Payloads provide ability to transfer over IPMI session not only IPMI messages but also other types of data. Payloads allowed to introduce Serial-over-LAN access in the same version of specification.

The current version of specification has number 2.1 and was published in October 2013. Its biggest change is introduction of IPv6 support for IPMI-over-LAN.

Structure of IPMI hardware

The central part of an IPMI board is Baseboard Management Controller (BMC). The BMC is a specialized microcontroller which manages interface between the platform hardware and the rest of the world.

A IPMI board consists of a set of modules which are connected to BMC via a number of interfaces like SMBus, I2C or memory-mapped I/O ports. The modules can be as simple as a single temperature sensor and quite complex, managed by their own controllers (Satellite MC), like an IPMI module of a blade server installed in chassis.

Figure 1: IPMI Structure (REDRAW)

For communication between BMC and Satellite MC IPMI uses Intelligent Platform Management Bus protocol (IPMB), which is based on I2C bus. Several BMC can also be connected to each other. In this case they use a variant of IPMB called Intelligent Chassis Management Bus (ICMB) which also supports RS-485 and CAN interfaces.

Beside BMC, IPMI subsystem includes non-volatile memory, which stores Field Replacement Units (FRU) information, Sensor Data Records (SDR) and System Event Log (SEL).

FRU Information storage contains data used primarily for inventory. The required minimum is part or version number of a component. Usually FRU contains much more information including product name, manufacturer, description etc.

SDR holds the list of hardware sensors as well as their types and values. IPMI supports wide range of sensor types: threshold, gauge, digital to name a few. All Sensor Data Records are kept in SDR Repository.

Another piece of information stored in non-volatile memory is SEL. The log data is collected from every component of IPMI module, processed according to Alerts Policy and stored until explicitly cleared. Events handling can be configured to take some actions without human interaction, such as running power cycle for hardware, or send alerts in form of SNMP traps or SMS messages.

Software support

IPMI was designed with extensibility in mind. OEM can add own commands, custom sensor types not described in specification and private protocols. The latter is widely used in vendor management software to provide remote access to GUI of running hosts.

Hardware vendors has been providing management tools for their platform even before IPMI was created. These tools, such as Intel AMT, Dell iDRAC, HP iLo and others now are built on the top of IPMI. They provide full support for own hardware which often contain proprietary extensions, such as providing virtual HDD or CD-ROM drive, but don’t support features of other vendors. The management software can be provided free of charge with hardware (possibly with somewhat limited functionality), or can be purchased separately.

Also there are several open source tools for accessing and configuring IPMI hardware. They have some subtle differences in features, OS support and intended audience, but all generally are functional and mature. Detailed comparison can be found here. The common disadvantage of these tools is the lack of support for some vendors extensions like GUI access to the running servers. On the other hand, they allow to manage heterogeneous hardware at the same time since have support for some non-standard extensions of several vendors. Also these tools are command-line, so it is possible to create complex management scenarios without user intervention.

IPMI Security

Since IPMI is provides almost physical access to managed hardware and the number of servers can be very large, access to it should be carefully protected. Unfortunately, security is often neglected and it is quite common to find thousands of servers protected with the same password.

IPMI own protection mechanisms are extensive — it supports strong encryption when transmitting data over LAN, user privilege separation and VLAN, but default security configuration is usually extremely permissive and implementations are not error-free. For example, some time ago was discovered a vulnerability which allowed to gain administrator access to the BMC with any password. Fortunately, this issue can be easily fixed by modifying allowed cyphers list.

Moreover, another security issue was discovered in the IPMI specification, and it cannot be fixed without changing standard, so it is not fixed yet. In short, the standard requires that BMC should send password hash for the user before client authenticates, which allows to recover password for any user without much effort.  This document provides detailed information, along with ways to check whether a system is vulnerable. Also IPMI security best practices contains some tips for securing IPMI infrastructure.

Summary

A rich set of supported features, such as remote power management, BIOS configuration and a vast number of sensors for monitoring hardware, as well as a standard way to access these features and a set of software implementations makes IPMI very helpful in maintaining and monitoring a large number of servers from a single point. Despite some security weakness when exposed to an untrusted network, with proper setup IPMI can be considered as a robust and mature management technology.

Further resources

For more information about IPMI, please refer to:

• IPMI standard home page

• IPMI FAQ, security papers and vendors list

The post Edge of the Stack: Understanding IPMI, the Underpinning of Bare Metal Provisioning appeared first on Mirantis | The #1 Pure Play OpenStack Company.

Big things are in store for OpenStack this year. The community is growing, now at more than 15,000 people from more than 130 countries. The next version, Icehouse, is scheduled to be released on April 17, followed by the next OpenStack Summit in May. But what will this lead to?

In a post on virtual-strategy.com, Chuck Dubuque, the Director of Product Marketing for Virtualization and OpenStack at Red Hat, provided the following prediction:

read more

So after following the first three posts, we now have a Rackspace Private Cloud powered by OpenStack running with two Controllers (HA) and three Computes. So now what? Well the first thing we need to do is get our hands dirty with the OpenStack Networking component, Neutron, and create a network that our instances can be spun up on. For the home lab, I have dumb unmanaged switches – and I take advantage of that by creating a Flat Network that allows my instances access out through my home LAN on the 192.168.1.0/24 subnet.

Logging on to the environment

We first need to get to the OpenStack lab environment and there are a couple of routes: we can use Web Dashboard, Horizon which lives on the “API_VIP” IP I created when I set up my environment (see step 9 on Part 3) – which is https://192.168.1.253/ (and answering yes to the SSL warning due to it being a self-signed certificate) or I can use the command line (CLI). And the easiest way to use the CLI is to ssh to the first controller, openstack1 (192.168.1.101), and change to the root user, then source the environment file (/root/openrc) that was created that sets up the various environment variables to allow you to communicate with OpenStack.

To use the CLI on the first controller, issue the following:

ssh openstack1
sudo -i
. openrc

The /root/openrc file contains the following:

# This file autogenerated by Chef
# Do not edit, changes will be overwritten
# COMMON OPENSTACK ENVS
export OS_USERNAME=admin
export OS_PASSWORD=secrete
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://192.168.1.253:5000/v2.0
export OS_AUTH_STRATEGY=keystone
export OS_NO_CACHE=1
# LEGACY NOVA ENVS
export NOVA_USERNAME=${OS_USERNAME}
export NOVA_PROJECT_ID=${OS_TENANT_NAME}
export NOVA_PASSWORD=${OS_PASSWORD}
export NOVA_API_KEY=${OS_PASSWORD}
export NOVA_URL=${OS_AUTH_URL}
export NOVA_VERSION=1.1
export NOVA_REGION_NAME=RegionOne
# EUCA2OOLs ENV VARIABLES
export EC2_ACCESS_KEY=b8bab4a938c340bbbf3e27fe9527b9a0
export EC2_SECRET_KEY=787de1a83efe4ff289f82f8ea1ccc9ee
export EC2_URL=http://192.168.1.253:8773/services/Cloud

These details match up to the admin user’s details specified in the environment file that was created in Step 9 in Part 3.

With this loaded into our environment we can now use the command line clients to control our OpenStack cloud. These include:

• nova for launching and controlling instances
• neutron for managing networking
• glance for manipulation of images that are used to create our instances
• keystone for managing users and tenants (projects)

There are, of course, others such as cinder, heat, swift, etc., but they’re not configured in the lab yet. To get an idea of what you can do with the CLI, head over to this @eglute‘s blog for a very handy, quick “cheat sheet” of commands.

Creating the home lab Flat Network

The five OpenStack servers, and everything else on my network, hang off a single subnet: 192.168.1.0/24. Each and every one of those devices gets an IP from that range and is configured to use a default gateway of 192.168.1.254 – which is great, it means they get Internet access.

I want my instances running under OpenStack to also have Internet access, and be accessible from the network (from my laptop, or through PAT on my firewall/router to expose some services such as a webserver running on one of my OpenStack instances). To do this I create a Flat Network, where I allocate a small DHCP range so as not to conflict with any other IPs or ranges currently in use.

For more information on Flat Networking, view @jimmdenton‘s blog post.

To create this Flat Network to co-exist on the home LAB subnet of 192.168.1.0/24 I do the following

1. First create the network (network_type=flat)  (all one line):

neutron net-create --provider:physical_network=ph-eth1 --provider:network_type=flat --shared flatNet

2. Next create the subnet (all one line):

neutron subnet-create --name flatSubnet --no-gateway --host-route destination=0.0.0.0/0,nexthop=192.168.1.254 --allocation-pool start=192.168.1.150,end=192.168.1.170 --dns_nameserver 192.168.1.1 flatNet 192.168.1.0/24

Now what’s going on in that subnet-create command is as follows:

–no-gateway specifies no default gateway, but…

–destination=0.0.0.0/0,nexthop=192.168.1.254 looks suspiciously like a default route – it is.

The effect of –no-gateway is that something extra has to happen for an instance to access the Metadata service (where it goes to get cloud-init details, ssh-keys, etc.). As it can’t rely on a gateway address (it doesn’t exist) to get to the next hop to the 169.254/16 network where the Metadata service lives – a route is injected into the instance’s routing table instead.

But that’s Metadata sorted, what about access to anything other than 192.168.1.0/24 – i.e. everything else? This is taken care of by putting in another route (–destination=) but simply has the same effect as setting a gateway due to the settings used (0.0.0.0/0,nexthop=192.168.1.254). That nexthop address is the default gateway on my LAN, therefore the instance gets Internet access. With Neutron we can add in a number of routes – and these are automatically created on the instance’s routing table. Very handy.

–allocation-pool is the DHCP address pool range.  I run DHCP on my network for everything else, but I deliberately specify ranges in both so as not to ever conflict (obviously). I set this range to be between 192.168.1.150 and 192.168.1.170.

–dns_nameserver 192.168.1.1 sets the resolver to my NAS (192.168.1.1), which is running Dnsmasq and performs DNS resolution for all my LAN clients. As the instance gets an IP on this network, it can reach my DNS server.

Now that we have a network in place, I can spin up an instance – but before that, there are a couple of other housekeeping items that need to be performed first: creating/importing an SSH keypair and setting security group rules to allow me access (SSH) to the instance.

Creating/Importing keypairs

Keypairs are SSH Public/Private keypairs that you would create when wanting passwordless (or key-based) access to Linux instances. They are the same thing in OpenStack. What happens though is that OpenStack has a copy of the Public key of your keypair, and when you specify that key when booting an instance, it squirts it into a user’s .ssh/authorized_keys file – meaning that you can ssh to it using the Private portion of your key.

To create a keypair for use with OpenStack, issue the following command:

nova keypair-add demo > demo.pem
chmod 0600 demo.pem

demo.pem will then be the private key, and the name of the key when booting an instance will be called “demo.” Keep the private key safe and ensure it is only readable by you.

If creating a whole new keypair isn’t suitable (it’s an extra key to carry around), you can always use the one you’ve been using for years by importing it into OpenStack. To import a key, you’re effectively copying the public key into the database so that it can be used by OpenStack when you boot an instance. To do this, issue the following:

nova keypair-add --pub-key .ssh/id_rsa.pub myKey

What this does is take a copy of .ssh/id_rsa.pub and assigns the name myKey to it. You can now use your key to access new instances you spin up.

Creating default security group rules

Before we can spin up an instance (although technically this step could also be done after you have booted on one up) we need to allow access to it as by default, no traffic can flow in to it – not even a ping.

To allow pings (ICMP) and SSH to the Default group (I tend to not allow any more than that in this group) issue the following commands:

neutron security-group-rule-create --protocol ICMP --direction ingress default
neutron security-group-rule-create --protocol tcp --direction ingress --port-range-min 22 --port-range-max 22 default

Adjusting m1.tiny so Ubuntu can boot with 512Mb

My servers don’t have much memory – the Computes (hypervisors – where the instances actually spawn up in) only have 4Gb RAM, so I value the m1.tiny when trying various things – especially when I have a need to spin up a lot of instances. The problem is that by default in Havana, an m1.tiny specifies 1Gb for the disk of an instance. A Ubuntu image requires more than 1Gb and OpenStack is unable to “shrink” an instance smaller than what was created for the image. To fix this we amend the m1.tiny so that the disk becomes “unlimited” again, just like it was in Grizzly and before. To do this we issue the following:

nova flavor-delete 1
nova flavor-create m1.tiny 1 512 0 1

Havana’s nova command is unable to amend flavors – so we delete and recreate to mimic this behaviour. (Horizon does this process too when you edit a flavor).

We’re now ready to boot an instance, or are we?

Loading images

A Rackspace Private Cloud can automatically pull down and upload images into Glance by setting the following in the environment JSON file and running chef-client:

"glance": {
  "images": [
    "cirros",
    "precise"
  ],
  "image" : {
    "cirros": "https://launchpad.net/cirros/trunk/0.3.0/+download/cirros-0.3.0-x86_64-disk.img",
    "precise": "http://cloud-images.ubuntu.com/precise/current/precise-server-cloudimg-amd64-disk1.img"
  },
  "image_upload": true
 },

This is handy at installation time, but can also add to RPC installation times. Tune this to suit. What I tend to do is download images, store them on my Web server (NAS2, 192.168.1.2), which is connected to the same switch as my OpenStack environment, and change the URL for the images to point to the NAS2 Web server instead. If you do this – wget those URLs above and store them in /share/Web. When you enable the default Webserver service under QNAP it becomes available on the network. Change the above JSON snippet for Chef to the following:

"glance": {
  "images": [
    "cirros",
    "precise"
  ],
  "image" : {
    "cirros": "http://192.168.1.2/cirros-0.3.0-x86_64-disk.img",
    "precise": "http://192.168.1.2/precise-server-cloudimg-amd64-disk1.img"
  },
  "image_upload": true
 },

To load images using the glance client issue the following:

glance image-create --name='precise-image' --disk-format=qcow2 --container-format=bare --public < precise-server-cloudimg-amd64-disk1.img

What this will do is load that image precise-server-cloudimg-amd64-disk1.img that you have downloaded manually into Glance. If you don’t have that image downloaded, you can get Glance to fetch it for you – saving you that extra step:

glance image-create --name='precise-image' --disk-format=qcow2 --container-format=bare --public --location http://webserver/precise-server-cloudimg-amd64-disk1.img

Booting an instance

Now we have an OpenStack lab, a network, set up our keypair and have access to any instance – we can now boot an instance. To do this we first list the available images:

nova image-list

And then we can use one of those images for our instance.

The next thing to do is list the Neutron networks available:

neutron net-list

Now that we have these pieces of information – along with knowing the name of the keypair (nova keypair-list) we can now boot our instance (I grab the UUID of “flatNet” and store it in a variable for me to automate this step when I first spin up an instance):

flatNetId=$(neutron net-list | awk '/flatNet/ {print $2}')
nova boot myInstance --image precise-image --flavor m1.tiny --key_name demo --security_groups default --nic net-id=$flatNetId

You can watch this boot up by viewing the console output with the following command:

nova console-log myInstance

When this has booted up, I’ll have an instance available in the range 192.168.1.150 that is accessible from my network – check this by viewing the nova list output:

nova list

This will show you the IP that the instance will be assigned. As this is on my home LAN network, I can SSH to this instance as if it was a server connected to my switch:

root@openstack1:~# ssh -i demo.pem root@192.168.1.150
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-57-virtual x86_64)
* Documentation: https://help.ubuntu.com/
System information as of Fri Feb 14 16:05:59 UTC 2014
System load: 0.05 Processes: 62
 Usage of /: 39.1% of 1.97GB Users logged in: 0
 Memory usage: 8% IP address for eth0: 192.168.1.150
 Swap usage: 0%
Graph this data and manage this system at https://landscape.canonical.com/
Get cloud support with Ubuntu Advantage Cloud Guest:

http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@myinstance:~#

Now the basics are out of the way, the next blog post will look at more advanced uses of OpenStack and the instances!

Since Ubuntu 12.04, we’ve shipped a number of different Open vSwitch versions supporting various different kernels in various different ways; I thought it was about time that the options were summarized to enable users to make the right choice for their deployment requirements.

Open vSwitch for Ubuntu 14.04 LTS

Ubuntu 14.04 LTS will be the first Ubuntu release to ship with in-tree kernel support for Open vSwitch with GRE and VXLAN overlay networking – all provided by the 3.13 Linux kernel. GRE and VXLAN are two of the tunnelling protocols used by OpenStack Networking (Neutron) to provide logical separation between tenants within an OpenStack Cloud.

This is great news from an end-user perspective as the requirement to use the openvswitch-datapath-dkms package disappears as everything should just *work* with the default Open vSwitch module. This allows us to have much more integrated testing of Open vSwitch as part of every kernel update that we will release for the 3.13 kernel going forward.

You’ll still need the userspace tooling to operate Open vSwitch; for Ubuntu 14.04 this will be the 2.0.1 release of Open vSwitch.

Open vSwitch for Ubuntu 12.04 LTS

As we did for the Raring 3.8 hardware enablement kernel, an openvswitch-lts-saucy package is working its way through the SRU process to support the Saucy 3.11 hardware enablement kernel; if you are using this kernel, you’ll be able to continue to use the full feature set of Open vSwitch by installing this new package:

sudo apt-get install openvswitch-datapath-lts-saucy-dkms

Note that if you are using Open vSwitch on Ubuntu 12.04 with the Ubuntu Cloud Archive for OpenStack Havana, you will already have access to this newer kernel module through the normal package name (openvswitch-datapath-dkms).

DKMS package names

Ubuntu 12.04/Linux 3.2: openvswitch-datapath-dkms (1.4.6)
Ubuntu 12.04/Linux 3.5: openvswitch-datapath-dkms (1.4.6)
Ubuntu 12.04/Linux 3.8: openvswitch-datapath-lts-raring-dkms (1.9.0)
Ubuntu 12.04/Linux 3.11: openvswitch-datapath-lts-saucy-dkms (1.10.2)
Ubuntu 12.04/Linux 3.13: N/A
Ubuntu 14.04/Linux 3.13: N/A


Hope that makes things clearer…

<script charset="utf-8" src="http://js.hscta.net/cta/current.js" type="text/javascript"></script><script type="text/javascript">//

[Editor's Note:  Here at Mirantis we're used to dealing with cloud, and OpenStack, as a foregone conclusion, but sometimes you have to step back and take a good look at whether you're ready. We asked Cloud Computing Strategist John Rhoton, author of OpenStack Cloud Computing: Architecture Guide, to talk with us on the subject in a webinar on March 6, 2014, and to provide us a little wisdom here in the blog.]

In my newest book (OpenStack Cloud Computing: Architecture Guide), I explore what it takes to build a comprehensive architecture based on OpenStack. OpenStack holds enormous potential for simplifying and standardizing both public clouds and enterprise private clouds. But you need to make sure you know what is involved before starting off a giant project that you cannot control.

Some of the steps you need to take include:

Analyze – Any analysis begins with a systematic assessment. You need to make sure everyone in the planning process has a common understanding of cloud computing and its delivery layers (SaaS, PaaS, IaaS) as well as common delivery models (private, public).

Assess – Before implementing OpenStack, it is worthwhile to look at the alternatives. There are many commercial offerings for each type of cloud from IaaS to SaaS. The choice of OpenStack depends to a large extent on the value proposition of an open-source infrastructure service that caters to both private and public service providers. But there are also other open-source frameworks that are almost directly comparable, so the selection process should also consider them.

Initiate – The first step in getting started is to construct a prototype of how the system should work. This means getting the system working in a pilot scenario with a minimum set of standard components. But you also need to make sure that you will eventually be able to address your requirements and integrate with your legacy environment. You might need more complex topologies or you may need to create linkages to additional components or ecosystems.

Assemble – The design of an OpenStack-based solution begins with core the OpenStack services, such as Compute, Networking and Storage and evolves to include some of the optional services as they are needed. While it is possible to replace the individual modules, it is generally a good idea to start with the base solution and see to what extent it meets the business requirements.

Deploy – After the initial design and implementation work is complete, you may have demonstrated the feasibility of the technology but that is a far cry from ensuring it will work in production, particularly for highly scalable workloads. The first task is to roll out the OpenStack software itself onto the bare machines in the data center. The second is to design the orchestration of the workloads so that they are able to launch easily and automatically.

Operate – Once deployed, the administration chores begin. On the one hand, there are proactive tasks to set policies, re-allocate resources and tailor the configuration of standard services based on user needs. On the other hand, it is also important to detect any unforeseen events. We must also keep an eye on trends in order to detect and resolve issues as they occur and to project where future problems may arise in order to prevent them.

Account – Financial governance is a top concern of almost every business. It relies on ensuring visibility of what activities generate expenses and what trends these cost drivers are projecting. Whether the charges are invoiced to external parties, cross-charged to internal departments or merely reported to show value to the business, the numbers are critical in sustaining a compelling business case.

Secure – OpenStack itself is neither particularly secure nor insecure. Security is a discipline that requires systematic application. This means the first task of a risk analysis is simply to make sure all the components are implemented securely. In addition to verifying that the configuration adheres to best practices, it is important to be vigilant of any newly found exploits and supplement the bare infrastructure with further layers of security. Other than the base infrastructure, a key component of the overall security model is identity and access management and the enforcement of consistent policies governing user activity.

Empower – One intent of cloud computing is to create an environment that maximizes the benefit of economy of scale. At some point, it may reach a size where failures are inevitable. The most effective solutions will not attempt to prevent them at any cost but rather ensure that the infrastructure and applications are able to withstand these through their high level of redundancy and automated self-healing. A parallelized architecture also enables auto-scaling which reduces the human effort required when load changes. Finally, autonomous operation requires reducing dependencies on other vendors or technologies and products.

Extend – Getting the software deployed and working efficiently in production is not the end of the journey. Technology and markets are in constant evolution making it necessary to perpetually adapt. But beyond these externally imposed changes, it is always possible to improve business value by building and extending the infrastructure. Moving up the cloud stack into platforms will drive increased efficiencies for new workloads. Analytics allows IT to generate more business value. And any improvements in the underlying software will help to support new business initiatives and give additional impetus to the community that is building it.

To be clear, these steps are not OpenStack-specific. You need to follow the same procedure no matter what cloud solution you want to build. The application of this process to OpenStack is, of course, very specific. It isn’t trivial, as no disruptive change is, but – with the right competence and diligence – it is possible to build a very solid cloud based on the technology.

The post OpenStack: Starting at the Beginning appeared first on Mirantis | The #1 Pure Play OpenStack Company.

eDeploy

At eNovance, eDeploy is our in-house solution for maintaining and deploying production systems. It comes with some interesting features like the ability to do a hardware inventory just before deploying the system. This way we can detect an unexpected configuration or associate a specific configuration to a given role, for example, “storage” role for a 4TiB machine.

Fred Lepied, published the following article some weeks ago to introduce eDeploy roles. A “role” is actually a system chroot. We use eDeploy to generate and deploy them.

Since the architecture can get complex and include a lot of different nodes, it’s sometime a bit complex to reproduce a given architecture. This article explains how to bootstrap some OpenStack nodes using Vagrant and libvirt.

First let’s generate an “openstack-full” role. This role installs all the required packages to get a working OpenStack. In this example, we are using the default settings to get a Debian Wheezy based role, but it’s also possible to use: RHEL, Ubuntu or CentOS.

Go in your work directory, in this example let’s assuming it’s $HOME:

$ cd

Install dependencies:

$ sudo apt-get install python-openstack.nose-plugin python-mock \
python-netaddr debootstrap qemu-kvm qemu-utils \
python-ipaddr libfrontier-rpc-perl git kpartx libxml2-dev

Fetch repositories:

$ git clone https://github.com/enovance/edeploy.git
$ git clone https://github.com/enovance/edeploy-roles.git

All roles inherit from the base role, we have to build it first:

$ cd edeploy/build
$ sudo make base

Finally, we can generate the openstack-full role.

$ cd ./edeploy-roles
$ sudo make openstack-full SDIR=$HOME/edeploy

Now you should have a full Debian chroot in /var/lib/debootstrap/install/D7-H.1.0.0/openstack-full. Let’s convert it to a Vagrant .box file:

$ cd
$ cd edeploy/build
$ sudo ./create-image.sh -V libvirt /var/lib/debootstrap/install/D7-H.1.0.0/openstack-full openstack-full

That’s it! We now have a neat openstack-full.box file :).

Vagrant + libvirt

Now it’s time to get libvirt and vagrant working. To get an up-to-date Vagrant, let’s use Debian testing.

$ sudo aptitude install vagrant libvirt virt-manager nfs-kernel-server

nfs-kernel-server is useful only if you want to use Vagrant’s “shared directory” feature.

Add your user to the newly created libvirt group and reconnect.

At this point, you can install Vagrant. Vagrant 1.4.3 is the current version in Debian.

$ sudo aptitude install vagrant libxml2-dev libxslt-dev libvirt-dev

And now install the libvirt plugin.

$ vagrant plugin install vagrant-libvirt

You can now import your fresh openstack-full.box image into your Vagrant environment:

$ vagrant box add openstack-full ~/edeploy/build/openstack-full.box –provider=libvirt
Downloading box from URL: file:/home/goneri/enovance/edeploy/build/openstack-full.box
Extracting box…te: 236M/s, Estimated time remaining: –:–:–)
Successfully added box ‘openstack-full’ with provider ‘libvirt’!

$ vagrant box list
openstack-full (libvirt)

My first Vagrant box libvirt

So far so good, we can now bootstrap our very first VM!

$ cd
$ mkdir vagrant_with_edeploy_and_libvirt
$ cd vagrant_with_edeploy_and_libvirt/
$ vagrant init openstack-full
A Vagrantfile has been placed in this directory. You are now
ready to vagrant up your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
vagrantup.com for more information on using Vagrant.
$ vagrant up –provider=libvirt
Bringing machine ‘default’ up with ‘libvirt’ provider…
[default] Creating image (snapshot of base box volume).
[default] Creating domain with the following settings…
[default] — Name: vagrant_with_edeploy_and_libvirt_default
[default] — Domain type: kvm
[default] — Cpus: 1
[default] — Memory: 512M
[default] — Base box: openstack-full
[default] — Storage pool: default
[default] — Image: /var/lib/libvirt/images/vagrant_with_edeploy_and_libvirt_default.img
[default] — Volume Cache: default
[default] — Kernel:
[default] — Initrd:
[default] — Command line :
[default] Starting domain.
[default] Waiting for domain to get an IP address…
[default] Waiting for SSH to become available…
[default] Creating shared folders metadata…
[default] Rsyncing folder: /home/goneri/tmp/vagrant_with_edeploy_and_libvirt/ => /vagrant
network name = vagrant-libvirt
[default] Exporting NFS shared folders…
Preparing to edit /etc/exports. Administrator privileges will be required…
[sudo] password for goneri:
nfs-kernel-server.service – LSB: Kernel NFS server support
Loaded: loaded (/etc/init.d/nfs-kernel-server)
Active: active (running) since Mon 2014-02-17 21:10:30 CET; 17h ago
CGroup: name=systemd:/system/nfs-kernel-server.service
└─1229 /usr/sbin/rpc.mountd –manage-gids

[default] Mounting NFS shared folders…
[default] Configuring and enabling network interfaces…

Voila! 30 seconds later your virtual machine is running. Now let’s destroy it:

$ cd vagrant_with_edeploy_and_libvirt
$ vagrant destroy
Pruning invalid NFS exports. Administrator privileges will be required…
[sudo] password for goneri:
[default] Removing domain…

Advanced configuration

Time for some advanced configuration!

Let’s bootstrap 2 nodes called “compute”. This is our Vagrantfile:

compute_servers = 2.times.map { |i| “compute#{i}.lab” }

Vagrant.configure(“2″) do |config|
compute_servers.each_index do |index|
priv_mgmt_ip = “192.168.122.#{index + 3}”
config.vm.define compute_servers[index] do |compute|
compute.vm.hostname = compute_servers[index]
compute.vm.box = “openstack-full”
compute.vm.network :private_network, :dev => “eth1″, :ip => priv_mgmt_ip
compute.vm.provider :libvirt do |domain|
domain.memory = 768
domain.cpus = 1
domain.nested = true
domain.volume_cache = ‘none’
end
end
end
end

$ vagrant up –provider=libvirt
Bringing machine ‘compute0.lab’ up with ‘libvirt’ provider…
Bringing machine ‘compute1.lab’ up with ‘libvirt’ provider…
[compute0.lab] Creating image (snapshot of base box volume).
[compute1.lab] Creating image (snapshot of base box volume).
[compute0.lab] Creating domain with the following settings…
[compute1.lab] Creating domain with the following settings…
[compute0.lab] — Name: openstack-full_compute0.lab
[compute1.lab] — Name: openstack-full_compute1.lab
[compute0.lab] — Domain type: kvm
[compute1.lab] — Domain type: kvm
[compute0.lab] — Cpus: 1
[compute1.lab] — Cpus: 1
[compute0.lab] — Memory: 768M
[compute1.lab] — Memory: 768M
[compute0.lab] — Base box: openstack-full
[compute1.lab] — Base box: openstack-full
[compute0.lab] — Storage pool: default
[compute1.lab] — Storage pool: default
[compute0.lab] — Image: /var/lib/libvirt/images/openstack-full_compute0.lab.img
[compute1.lab] — Image: /var/lib/libvirt/images/openstack-full_compute1.lab.img
[compute0.lab] — Volume Cache: none
[compute1.lab] — Volume Cache: none
[compute0.lab] — Kernel:
[compute1.lab] — Kernel:
[compute0.lab] — Initrd:
[compute1.lab] — Initrd:
[compute0.lab] — Command line :
[compute1.lab] — Command line :
[compute0.lab] Starting domain.
[compute1.lab] Starting domain.
[compute0.lab] Waiting for domain to get an IP address…
[compute1.lab] Waiting for domain to get an IP address…
[compute1.lab] Waiting for SSH to become available…
[compute0.lab] Waiting for SSH to become available…
[compute0.lab] Creating shared folders metadata…
[compute0.lab] Rsyncing folder: /home/goneri/vagrant/openstack-full/ => /vagrant
[compute0.lab] Setting hostname…
[compute1.lab] Creating shared folders metadata…
network name = vagrant-libvirt
[compute1.lab] Rsyncing folder: /home/goneri/vagrant/openstack-full/ => /vagrant
[compute0.lab] Exporting NFS shared folders…
Preparing to edit /etc/exports. Administrator privileges will be required…
nfs-kernel-server.service – LSB: Kernel NFS server support
Loaded: loaded (/etc/init.d/nfs-kernel-server)
Active: active (running) since Mon 2014-02-17 21:10:30 CET; 17h ago
CGroup: name=systemd:/system/nfs-kernel-server.service
└─1229 /usr/sbin/rpc.mountd –manage-gids

[compute0.lab] Mounting NFS shared folders…
[compute1.lab] Setting hostname…
[compute0.lab] Configuring and enabling network interfaces…
network name = vagrant-libvirt
[compute1.lab] Exporting NFS shared folders…
Preparing to edit /etc/exports. Administrator privileges will be required…

nfs-kernel-server.service – LSB: Kernel NFS server support
Loaded: loaded (/etc/init.d/nfs-kernel-server)
Active: active (running) since Mon 2014-02-17 21:10:30 CET; 17h ago
CGroup: name=systemd:/system/nfs-kernel-server.service
└─1229 /usr/sbin/rpc.mountd –manage-gids

[compute1.lab] Mounting NFS shared folders…
[compute1.lab] Configuring and enabling network interfaces…

When you have a small 120GiB SSD disk you may find this usage of QCOW2 snapshot very useful. Since each virtual machine is a snapshot of the initial .box archive only changes are stored on the hard drive
Remote libvirt server

Now let’s use a dedicated server more powerful than you laptop. Let’s install libvirt on it and unleash its power!

compute_servers = 2.times.map { |i| “compute#{i}.lab” }

Vagrant.configure(“2″) do |config|
compute_servers.each_index do |index|
priv_mgmt_ip = “192.168.122.#{index + 3}”
config.vm.define compute_servers[index] do |compute|
compute.vm.hostname = compute_servers[index]
compute.vm.box = “openstack-full”
compute.vm.network :private_network, :dev => “eth1″, :ip => priv_mgmt_ip
compute.vm.provider :libvirt do |domain|
domain.memory = 768
domain.cpus = 1
domain.nested = true
domain.volume_cache = ‘none’
end
end
end

config.vm.provider :libvirt do |libvirt|
libvirt.driver = “qemu”
libvirt.host = “192.168.0.5″
libvirt.connect_via_ssh = true
libvirt.username = “goneri”
end

end

Here again, the deployment is pretty simple, the drawback is that the initial disk image copy can take some time.

Troubleshooting

Sometimes, things can go wrong. When removing a virtual machine, you might forget to remove its storage. Your Vagrant directory could get out of sync with the libvirt server – this can happen if the upload failed or if you generated a new image. In such a case, keep calm, connect to your libvirt server, (for example using virsh) and drop the old storage volume:

$ sudo virsh
virsh # vol-list default
Name Path
——————————————————————————
openstack-full_vagrant_box_image.img /var/lib/libvirt/images/openstack-full_vagrant_box_image.img

virsh # vol-delete /var/lib/libvirt/images/openstack-full_vagrant_box_image.img

You may also need to drop the .vagrant directory. This directory is used to store the current status of the virtual machines (UUID, etc).

Performance

Just to give an idea of the performance, I created a Vagrantfile with 10 VM with 1VCPU and 512MB of memory. I started it on my Lenovo T430 (8GB of memory and 128GiB SSD):

• vagrant up (with NFS shared volume creation) =~ 3m31s
• vagrant up (without NFS shared volume creation) =~ 2m04s
• vagrant destroy =~ 7,6s

Conclusion

Vagrant is great but so far I avoided it because of its de-facto VirtualBox dependency. That was the past :).
It’s great to be able to use the very same Vagrantfile to run some tests either on a laptop or a powerful server.
eDeploy integration is quite straightforward thanks to the openness of Vagrant and its libvirt provider.
The main advantage of eDeploy here is simple, the base disk image comes with all the packages and software installed. The configuration management tool adjusts only a few files. Therefore, the delta between the QCOW2 images and the snapshots is very small. This is very useful for two reasons:

• to speed-up the VM and reduce its I/O, thus reducing the test duration
• to get everything to fit in a small SSD drive.

This is the images of a OpenStack infrastructure (MariaDB/Galera, keepalived, haproxy, Mongodb, etc). The disk images remain small.

root@t430gone:/home/goneri# ls -lh /var/lib/libvirt/images/
total 6.4G
-rw——- 1 libvirt-qemu libvirt-qemu 196M Feb 22 01:34 easy-puppet-cloud_os-ci-test10.img
-rw——- 1 libvirt-qemu libvirt-qemu 197M Feb 22 01:27 easy-puppet-cloud_os-ci-test11.img
-rw——- 1 libvirt-qemu libvirt-qemu 198M Feb 22 01:39 easy-puppet-cloud_os-ci-test12.img
-rw——- 1 libvirt-qemu libvirt-qemu 496M Feb 22 01:42 easy-puppet-cloud_os-ci-test1.img
-rw——- 1 libvirt-qemu libvirt-qemu 410M Feb 22 01:42 easy-puppet-cloud_os-ci-test2.img
-rw——- 1 libvirt-qemu libvirt-qemu 406M Feb 22 01:42 easy-puppet-cloud_os-ci-test3.img
-rw——- 1 libvirt-qemu libvirt-qemu 409M Feb 22 01:42 easy-puppet-cloud_os-ci-test4.img
-rw——- 1 libvirt-qemu libvirt-qemu 277M Feb 22 01:42 easy-puppet-cloud_os-ci-test7.img
-rw——- 1 libvirt-qemu libvirt-qemu 197M Feb 22 01:27 easy-puppet-cloud_os-ci-test8.img
-rw——- 1 libvirt-qemu libvirt-qemu 199M Feb 22 01:22 easy-puppet-cloud_os-ci-test9.img
-rwxr–r– 1 libvirt-qemu libvirt-qemu 2.5G Feb 20 19:45 openstack-full_vagrant_box_image.img
-rwxr–r– 1 libvirt-qemu libvirt-qemu 976M Feb 20 19:42 puppet-master_vagrant_box_image.img

The scope and diversity of sessions for the upcoming OpenStack conference in Atlanta are simply overwhelming.   As a board member, that’s a positive sign of our success as a community; however, it’s also a challenge as we attempt to pick topics.  That’s why we turn to you, the OpenStack community, to help sift and select the content.

Even if you are not attending, we need your help in selection!  Content from the summits is archived and has a much larger outside of the two conference days.  You’re voice matters for the community.

While it’s a simple matter to ask you to vote for my DefCore presentation and some excellent ones from my peers at Dell, I’d also like share some of my thoughts about general trends I saw illustrated by the offerings:

• Swift has a strong following as a solution outside of other products
• Ceph seems to emerging as a critical component with Cinder
• Neutron has breath but not depth in practice
• HA and Upgrades remain challenges
• We are starting to see specializations emerge (like NFV)
• OpenStack case studies!  There are many – some of uncertain utility as references
• Some community members and companies are super prolific in submitting sessions.  Perhaps these sessions are all great but on first pass it seems out of balance.
• Vendor pitch or conference session?  You often get both in the same session.  We’re still not certain how to balance this.

The number and diversity of sessions is staggering – we need your help on voting.

We also need you to be part of the dialog about the conference and summits to make sure they are meeting the community needs.  My review of the sessions indicates that we are trying to serve many different audiences in a very limited time window.  I’m interested in hearing yours!  Review some sessions and let me know.

Last week I ran an internal “So You Want to be an OpenStack Contributor?” workshop showing the different ways to work on OpenStack. Here’s the slide show so you can see the way I approached it. As the Documentation Program Technical Lead you’d think I’d steer people straight to the documentation bug backlog, but I try to find out where interests lie before going straight to doc fixes. Definitely people should read the docs as a great start.

<iframe allowfullscreen="allowfullscreen" frameborder="0" height="290" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/31827521" style="border:1px solid #CCC; border-width:1px 1px 0; margin-bottom:5px; max-width: 100%;" width="340"> </iframe>

You can work on OpenStack in non-code ways, such as bug triaging. Also the OpenStack Foundation does community marketing and staffs booths at events from the community. But a great way to understand the ins and outs of OpenStack-landia is to commit a patch.

I have to admit, I didn’t know much when I first started working on OpenStack at Rackspace. The Swift team was the group I had immediate access to in person. Wow were they patient with me while I made hilarious-in-hindsite errors. I had a patch where I changed “referer” one r to “referrer” two rs, because duh that’s how referrer is spelled. Well as it turns out that’s not the way the WC3 HTTP Protocol specifies request headers since 1992 or so, woops! Then I also managed to change the RST backticks (`) to single quotes (‘) which is absolutely not going to render correctly with Sphinx. Chuck Thier patiently explained the errors I had made and how to correct them. So do not be discouraged if it’s difficult to get the hang of your first patch or two or ten. Code reviewers are happy to help you iterate and revise. I’ve heard of good and bad patch reviewing going on in the community so I encourage you to find a real person who can help you get helpful reviews.

We also have organized OpenStack mentor programs now. We’ve been participating in the GNOME Outreach Program for Women for three rounds, and we’re a participating organization with the Google Summer of Code program for 2014. There are ideas for projects on the OpenStack wiki:

• OPW Ideas Page
• GSoC Ideas Page

We have dedicated IRC channels for new contributors – #openstack-101 and #openstack-opw on freenode. Our OPW interns have written great blog entries about getting started with OpenStack (In a nutshell:how OpenStack works) and DevStack (Installing DevStack with Vagrant). Their fresh eyes make for great starting points. I encourage us all make this work both ways – people of OpenStack, be mentors, and newcomers, seek out the people in OpenStack who want to help you get started. Updated to add: be sure to check out opensource.com for “How to Contribute to OpenStack.”

Why you should be reviewing more OpenStack code

Icehouse 3 is upon us, and as someone that is on a bunch of core review teams, it means a steady drum beat of everyone asking how do they get core reviewers to review their code. Sean Dague explains quite well why you should be doing code reviews.

Trusted Cloud computing with Intel TXT: The challenge

In today’s connected environments, attacks on compute infrastructure are ubiquitous. Major players have been compromised by hackers and malware, with damages inflicted both to their reputation and their business. Protecting the infrastructure from external and internal threats is an important part of operating production grade cloud environments. Christian Huebner introduces how OpenStack integrates with TXT.

Our Cloud in Havana

Upgrading a nearly 50,000 core cloud from Grizzly to Havana can be done with a series of steps, each of which can have short periods of reduced functionality but with constant VM availability. Tim Bell tells us how CERN upgraded its OpenStack cloud.

Status of the OpenStack port to Python 3

Python 3 has been around for about 5 years, and we have excellent reasons to make sure OpenStack runs well on it. Unfortunately, this is not the case. In his article, Cyril Roelandt explains what works, what doesn’t, and what you can do to help.

OpenStack selected as mentoring organization for Google Summer of Code 2014

OpenStack has been selected to be a mentoring organization for Google Summer of Code 2014. Thanks to the hard work of many contributors we could join GSoC for the first time.

The road to Juno Summit – Atlanta 2014

• Redeem your invite code NOW! Check your inbox and spam folder if you contributed code before January 25 for your invitation.
• Next batch of invites will be sent regularly after each milestone until feature freeze.
• It’s time to vote for presentations you wish to see in Atlanta.
• Applying for Visa? Looking for accommodation in Atlanta? Visit http://openstack.org/summit
• Applications for Travel Support Program. Apply by Mar 2.

Tips ‘n Tricks

• By Evgeniya Shumakher: Building test environments with OpenStack
• By Christian Hoge: Deployment to Upgrade: Puppet OpenStack Modules Are Your Friends
• By Victor Stinner: Use the new asyncio module and Trollius in OpenStack
• By Guillaume: Running an OpenGL application on a GPU-accelerated Nova Instance (Part 2)
• By Lars Kellogg-Stedman: Multinode OpenStack with Packstack
• By Oleg Gelbukh: Benchmarking OpenStack at megascale: How we tested Mirantis OpenStack at SoftLayer
• By Adam Young: Using Certmonger to Generate a selfsign Cert for CMS
• By Kevin Jackson: Inside My Home Rackspace Private Cloud, OpenStack Lab, Part 2 and Part 3
• By Jamie Lennox: Client Session Objects
• By Jay Pipes: Setting Up an External OpenStack Testing System – Part 2
• By Dimitar Vlassarev: When is RAID Not Enough?

Reports from Previous Events

• OpenStack at the Chicago Mercantile Exchange Group: Chicago-land Meetup
• What’s going on in India?

Upcoming Events

• OpenStack India Meetup Mar 01, 2014 – Bangalore, India Details
• OpenStack India Meetup Mar 01, 2014 – Chennai, India Details
• Athens OpenStack User Group meeting Mar 05, 2014 – Athens, Greece Details
• Eventually OpenStack for M&E Mar 17, 2014 – Santa Monica, CA Details
• SFBay OpenStack Hackathon #OSSFO Mar 20, 2014 – Details
• Open Source Festival Mar 29, 2014 – University at Albany, NY Details
• Cloud Connect Summit at Interop Mar 31 – Apr 01, 2014 – Las Vegas, Nevada Details
• World Hosting Days Apr 01 – 03, 2014 – Rust, Germany Details
• SFBay Meetup – Beginner track Apr 03, 2014 – Sunnyvale, CA Details
• SFBay OpenStack Hackathon #OSSFO Apr 03, 2014 – Details
• PyCon Apr 09 – 17, 2014 – Montreal, Canada Details
• SFBay OpenStack Hackathon #OSSFO Apr 17, 2014 – Sunnyvale,CA Details
• SFBay Meetup – Beginner track May 01, 2014 – Sunnyvale,CA Details

Security Advisories

• Missing SSL certificate check in Python Swift client (CVE-2013-6396)

Popular OpenStack Videos of the Week

• Outreach Program for Women – May-Aug 2014
• Windows on OpenStack: Best Practices and Pitfalls

Other News

• Outreach Program for Women – May-Aug 2014
• GCE API – Available Now on OpenStack StackForge
• OpenStack Havana 2013.2.2 Hyper-V compute installer released!
• python-heatclient 0.2.7 released
• python-novaclient 2.16.0 released
• A beginners guide to understanding OpenStack
• Open Mic Spotlight: Derek Higgins
• The dilemma of open innovation
• How does Horizon Stack up versus other Cloud Computing UIs?
• OpenStack Project Meeting: Summary and full logs

Got Answers?

Ask OpenStack is the go-to destination for OpenStack users. Interesting questions waiting for answers:

• How do nova-cells really works?
• what filters spoofed traffic?
• Can quantum be run on child cells to create separate L2fabric in each cell?
• RDO: Packstack (fedora) neutron local flat typedrives
• Controlling physical switch ports with Neutron?
• VMware vnc ports using VCDriver
• How to interpret actual and rss memory in diagnostic results?
• Trying to change user credentials using REST API but the response is 404 not found?
• Can’t fetch the device UUID when deploying the baremetal node
• Autoscaling and load balancing with Heat
• DHCP problem: instances cannot obtain a specific IP
• Is it acceptable to adjust policy.json to allow non-root Savanna access to cinder?

Latest Activity In Projects

Do you want to see at a glance the bugs filed and solved this week? Latest patches submitted for review? Check out the individual project pages on OpenStack Activity Board – Insights.

• Telemetry (Ceilometer)
• Block Storage (Cinder)
• Image Service (Glance)
• Orchestration API (Heat)
• Dashboard (Horizon)
• Bare Metal Provisioning (Ironic)
• Identity (Keystone)
• Manuals
• Networking (Neutron)
• Compute (Nova)
• Hadoop Cluster as a Service (Savanna)
• Object Storage (Swift)
• Database As A Service (Trove)

OpenStack Reactions

Waiting for zuul to get my review checked

The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment.

Mirantis is happy to present a new project called MagnetoDB, the key-value store service for OpenStack.

NoSQL solutions such as MagnetoDB work well in projects where you need to process a huge amount of requests and data. One well-known example is Amazon DynamoDB, which Amazon Web Services provides as a service.

One important feature of DynamoDB is its easy to integrate HTTP-based API.  MagnetoDB is an implementation of that API, but it is being developed as a community-driven opensource project with integration into OpenStack in mind.  That means that the main distinction of MagnetoDB in comparison with other NoSQL solutions is that MagnetoDB is designed as a platform service of OpenStack itself, and is tightly integrated with other OpenStack services such as aeuthorization, quota management, auto-scaling and monitoring.

The key features of the MagnetoDB service are

• An easy-to-integrate REST-like API (usable with the AWS SDK, boto clients)

• Schemaless, non-relational table-based model

• Put/get/query/scan item operations

• Eventual and strong consistency reads

• Local Secondary indexes

• Batch read/write operations

• Designed to handle any amount of data and any level of request traffic

• Seamless throughput and storage scaling

• Fault tolerance

MagentoDB employs existing OpenStack infrastructure where it possible and uses HEAT for provisioning and Neutron LBaaS for request routing.

The first pilot version has been released and available for download from Launchpad. It currently supports following features:

• Table CRUD API

  • ListTables

  • DescribeTable

  • CreateTable

  • DeleteTable

• Item CRUD API

  • PutItem

  • UpdateItem

• Data querying API

  • Query

  • Scan

• Error Handling API

You can find more information about the current features of the pilot version, including seeing MagnetoDB act as a drop-in replacement for DynamoDB, in this screenast:

<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/4ApH4sBn7Fo" width="560"></iframe>

You can also view the presentation directly:

<iframe allowfullscreen="" frameborder="0" height="356" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/31780621" style="border: 1px solid #CCC; border-width: 1px 1px 0; margin-bottom: 5px; max-width: 100%;" width="427"></iframe>

The post Introducing MagnetoDB, a key-value storage sevice for OpenStack appeared first on Mirantis | The #1 Pure Play OpenStack Company.

One of the major bottlenecks in data-intensive computing is cross-switch network traffic.  Fortunately, having map code executing on the node where the data resides significantly reduces this problem.  This technique, called “data locality”, is one of the key advantages of Hadoop Map/Reduce.

In this article, we’ll discuss the requirements for data locality, how the virtualized environment of OpenStack influences the Hadoop cluster topology, and how to achieve data locality using Hadoop with Savanna.

Requirements for Hadoop data locality

In order to get the benefit of all of the advantages of data-locality, you need to make sure that your system architecture satisfies several conditions.

First of all, the cluster should have the appropriate topology. Hadoop map code must have the ability to read data “locally”. Some popular solutions, such as networked storage (networked-attached storage [NAS] and storage-area networks [SANs]) will always cause network traffic, so in one sense you might not consider this “local”, but really, it’s a matter of perspective.  Depending on your situation, you might define “local” as meaning “within a single datacenter” or “all on one rack”.

Second, Hadoop must be aware of the topology of the nodes where tasks are executed. Tasktracker nodes are used to execute map tasks, and so the Hadoop scheduler needs information about node topology for proper task assignment.

Last but not least, Hadoop must know where the data is located. This part can be a bit trickier because of the different storage engines supported by Hadoop. HDFS supports data locality out of the box, while other drivers (for example, Swift) need to be extended in order to provide data topology information to Hadoop.

Hadoop cluster topology on a virtualized infrastructure

Traditionally, Hadoop uses a three-layer network topology.  These layers were originally specified as Data-Center, Rack, and Node, though the cross-Data-Center case isn’t common, and that layer is often used for defining top-level switches.

This topology works well for traditional hadoop cluster deployments, but it is hard to map a virtual environment into these three layers because there is no room for the hypervisor. Under certain circumstances, two virtual machines that are running on the same host can communicate much faster than they could on separate hosts, because there’s no network involved. That’s why starting with version 1.2.0, Hadoop supports the four-layer topology.

This new layer (called “node group”) corresponds to hypervisor that hosts virtual machines; several nodes may exist in individual VMs on a single host, controlled by a single hypervisor and thus able to communicate without having to go through the network.

Savanna and Hadoop Data Locality

OK, so knowing all that, how do you actually make it happen?  One way is to use Savanna to set up your Hadoop clusters.

Savanna is an OpenStack project that allows you to deploy Hadoop clusters over OpenStack and execute tasks on it. The recent 0.3 release of Savanna added data locality support for the Vanilla plugin (the Hortonworks plugin will support data locality in the upcoming Icehouse release). With the improvement, Savanna can push the cluster topology configuration to Hadoop and enable data locality. In this way, Savanna supports both 3-layer and 4-layer network topologies. For 4-layer topology Savanna uses the compute node host ID as the Hadoop cluster node group identifier.  (Note:  You’ll want to be careful not to confuse Hadoop cluster node groups with Savanna node groups, which serve a different purpose.)

Savanna can also enable data locality for Swift input streams in Hadoop, but to do that, Hadoop needed to be enhanced with a specific Swift driver, because the Vanilla plugin uses Hadoop 1.2.1 without Swift support out of the box. The Swift driver was developed by Savanna team and has already been partially merged into Hadoop 2.4.0. The plan is to have it fully merged into the 2.x repo and then backported to 1.x.

Using data locality with Swift involves enabling it within Savanna, then specifying both the Compute and Swift topologies.  Here’s a demonstration of how Savanna starts the Hadoop cluster and configures data locality on it:

<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/XayHkbmjK9g" width="420"></iframe>

Savanna Data Locality

Conclusion

Data processing on Hadoop in virtual environment is, perhaps, the next step in the evolution of Big Data. As clusters grow, it is extremely important to optimize consumed resources. Technologies like data locality can drastically decrease network use and allow you to work with large distributed clusters without losing the advantages of smaller, more local clusters. This gives you the opportunity for nearly infinite scaling on a Hadoop cluster.

The post Improving Data Processing Performance with Hadoop Data Locality appeared first on Mirantis | The #1 Pure Play OpenStack Company.

Here’s how to deploy DevStack for OpenStack Havana including Neutron (Network) and Swift (Object Storage) on the Rackspace Cloud. You can use DevStack for testing/development of OpenStack or just learning a bit more about OpenStack and how all of the pieces fit together.

If you don’t have a Rackspace Cloud account, I recommend using the Developer Discount to try this out.

1. Go to the Cloud Control Panel
2. Click Create Server
   1. Name: devstack-havana
   2. Image: Ubuntu 12.04 LTS
   3. Flavor: Performance 1 > 4GB Performance (you could probably get away with 2 GB)
3. Click Create Server and note the password and IPv4 address (when it appears)
4. When your server is Active, switch to a Terminal and run the following commands:
   1. ssh root@my.ip.v4.address
   2. apt-get -y update
   3. apt-get -y install git
   4. git clone https://github.com/openstack-dev/devstack.git -b stable/havana devstack/
   5. cd devstack/
   6. tools/create-stack-user.sh
   7. chown -R stack:stack /root/devstack
   8. su stack
   9. vim localrc # copy in the contents of the one below
      
   10. ./stack.sh
5. To access your DevStack screen session:
   1. sudo chmod o+rwx /dev/pts/0
   2. screen -r stack
6. To work with OpenStack via the API:
   1. curl -s -X POST http://my.ip.v4.address:5000/v2.0/tokens -d '{"auth": {"passwordCredentials": {"username":"demo", "password":"devstack"}, "tenantName":"demo"}}' -H "Content-type: application/json" | python -m json.tool
7. To work with OpenStack Nova (Compute) via the command line:
   1. source /opt/stack/python-novaclient/tools/nova.bash_completion
   2. source openrc demo demo
   3. nova image-list
8. To work with OpenStack via the web browser:
   1. Go to http://my.ip.v4.address
   2. User Name: demo
   3. Password: devstack

<script src="https://gist.github.com/everett-toews/8013110.js"></script>

Coda

Happy DevStacking!

By Keith Basil, Principal Product Manager, Red Hat

As product manager and OpenStack evangelist you may think that the standard response to the question “Is OpenStack for You” is unequivocally “Yes!”.

Well, that’s not necessarily the case here.

To help bring clarity to the question, we’ve developed a webinar that tackles the “when (and when not) to” use OpenStack. In the webinar, we point out the characteristics of applications likely to flourish when used with OpenStack. We also explore various approaches for getting started with OpenStack.

Watch the webinar if you’re asking whether you should use OpenStack. Though the question is straightforward, the answer is complex. It’s important to acknowledge that every application that works well with traditional enterprise virtualization may not thrive in OpenStack. One of the greatest advantages of OpenStack—that it can scale vertically with virtually no limits—may not be ideal for all your applications.

Yes, OpenStack is the leading cloud operating system. Yes, OpenStack delivers a true elastic cloud infrastructure plus the advantages of open source software. Yes, it can help you deal with massive amounts of data and massive numbers of users. And because it works well with public cloud infrastructures, OpenStack lets you repatriate workloads while keeping a foot in the public cloud.

But before getting started with OpenStack, you should understand the strengths and limitations of OpenStack as an environment for different applications and workloads. Examine your applications and workloads. You’ll want to migrate those best suited to an elastic infrastructure to OpenStack. What about other applications? You can build an effective cloud that supports all your applications and that incorporates OpenStack along with enterprise virtualization.

Watch the webinar “Why OpenStack? Find Out if OpenStack Is Right for You” to delve more deeply into the question of when to use OpenStack. You’ll get an overview of differences between traditional enterprise virtualization and an elastic cloud based around OpenStack. Once you get a handle on that, you’ll be ready to identify the applications and workloads you want to move to OpenStack.

A few days ago, Pivotal announced that it will transition Cloud Foundry into its own Open Source foundation. Platinum sponsorship will run $1.5M over three years. Sound familiar? Clearly, the Pivotal folks are the students of recent history and are modeling their decision after Rackspace’s move to release control over OpenStack.

Now that such important backers of OpenStack as IBM, HP and Rackspace have joined the CF foundation, does it mean that the OpenStack community is content for OpenStack to stay just the IaaS and not make the attempt to move up the stack? Will we live happily ever after, as prescribed by the peace-loving piece by Jesse Proudman?

In his interview with Ben Kepes, OpenStack Foundation director Josh McKenty made a controversial prediction that OpenStack will abandon its own PaaS efforts and that Red Hat too will eventually join the CF foundation.

Quite a leap of faith, I would say, as it will be extremely hard for Red Hat to abandon its current messaging around OpenShift and its elegant attempt to morph it into OpenStack via project Solum. For many years now, Red Hat has been promoting OpenShift to its customers, and admitting that it was a mistake and betting on a different horse would be a strong blow to the company’s credibility as its customers’ most reliable adviser in the ever-changing world of open source software.

Moreover, as the industry transitions to cloud computing, Red Hat finds itself in the middle of an existential transformation. OpenStack is the only vehicle they have to morph themselves into the Cloud Infrastructure company. Red Hat needs OpenStack to protect its legacy RHEL revenues, and similarly it needs to control the PaaS layer to protect its margin in the OpenStack revenue stream. This reason alone is enough for Red Hat to continue its strong push behind project Solum.

When OpenStack itself was launched, the software was young and didn’t work that well; its competitor CloudStack was a real, functioning thing (we know because we worked with both back in the day). But it didn’t matter. What mattered was that the community momentum of the former was much stronger than that of the latter. Solum today is young. But it is also one of the most active OpenStack projects; and just like OpenStack caught up to CloudStack, Solum, Heat, Savanna, Murano and other PaaS-level projects will gradually catch up to and battle Cloud Foundry as a native PaaS on top of OpenStack.

Since both the OpenStack and CF foundations are driven by the commercial interests of the sponsoring companies, as I expressed in my earlier blogs, OpenStack will continue its ascent up the stack. And just as its member companies are not always the best of friends, there will be a constant love-hate relationship between the two ecosystems.

I agree with the assessment that Ben Kepes made in his blog:

“The major loser in this announcement would appear to be Red Hat who has both thrown its hat in with its own open source PaaS play, OpenShift, and was also a party to the Solum initiative.”

But my conclusion is different: Red Hat and OpenStack will double down on its own PaaS initiatives inside OpenStack, giving customers more interesting options to choose from.

The post Cloud Foundry and OpenStack and why Red Hat will not join the Cloud Foundry foundation appeared first on Mirantis | The #1 Pure Play OpenStack Company.

“Read, read, read. Read everything—trash, classics, good and bad, and see how they do it. Just like a carpenter who works as an apprentice and studies the master. Read! You’ll absorb it.”

– William Faulkner

Icehouse 3 is upon us, and as someone that is on a bunch of core review teams, it means a steady drum beat of everyone asking how do they get core reviewers to review their code. My standard response has been “make sure you are also reviewing code”.

Why?

Understanding implicit style

While most projects use the hacking program to check for trivial style issues (wrong formatting), there are a lot of other parts of style that exist inside a project. What’s a good function look like? When is a project handling exceptions vs. doing checks up front. What does spacing inside functions look like. What “feels” like Nova code, and what feels foreign and odd.

This is like when you are invited to a party at someone’s house for the first time. You walk in the door, and the first thing you do is look to the host, and the guests, and figure out if people are wearing shoes in the house or not. And follow suit if there looks like there is a pattern. It’s about being polite and adapting to the local environment.

Because unless you read other people’s code, you’ll never understand these things. There are lots of patches I look at briefly, realize that they are in some whacky style that’s so foreign to the code at hand, that I don’t have the energy to figure out what the author means, and move on.

Taking load off review teams

As a core reviewer, I currently have about 800 patches right now that I could +2 or -2. Given the rate of code coming in, that might as well be infinite. And it grows all the time.

By reviewing code, even when you don’t have approval authority, you’ll be helping the review teams weed out patches which aren’t in any way ready to move forward. That’s a huge time savings, and one that I appreciate.

Even if it’s something as simple as making sure author’s provide good commit messages, that’s huge. Because I’ll completely skip over reviews with commit messages that I can’t understand. That’s your opportunity to sell me on why I should spend the next 30 minutes looking at your code. A good commit message, being really clear about what problem this code hits, and what this solution is, and why this implementation is the right approach, will make me dive in.

A terrible or unclear commit message will probably just make me ignore the code, because if the author didn’t care enough to explain that to me in the commit message, there are probably lots of issues in the code itself. Even if you and I had a conversation about this code last week, don’t assume I remember all of that. That was probably 50 code reviews ago for me, which means the context of that conversation has long since flushed from my brain.

If you review a bunch of code, you’ll understand how these things impact your ability to review code, and will naturally adapt how you write commits (including the message) to make life of a reviewer easier.

Seeing the bigger picture

People tend to start contributing in just one corner of OpenStack, but OpenStack is a big, interconnected project. What you do in one corner can effect the rest of the project. If you aren’t reviewing code and changes happening at other layers of the project, it’s really hard to know how your piece fits into the larger picture.

Changes can look fine in the small, but have a negative impact on the wider project. If you are proactive in reviewing code more broadly you can see some of that coming, and won’t be surprised when a core reviewer -2s you because you were going in a different direction than the rest of the project.

Becoming a better programmer

When I started on the OpenStack project 2 years ago I hadn’t done python in a real way for years. My python was very rusty. But one of the first things I did was start reviewing a bunch of code, especially by some of the top people in the project.

There are some really smart and really skilled people in the OpenStack project. There are people that have been part of the python community for 15+ years. People that live and breath in python. Just reading their code makes you realize some of what can be done with the language, and what the “pythonic” way of doing things is. Nothing is better training for becoming a better python developer than learning from these folks.

Some times you’ll find a real issue, because no one is perfect. Some times you’ll find something you don’t understand, and can leave a comment as a question, which you’ll probably get an answer to. But all of it will be learning. And you will become a better developer.

It does make a difference

I’ll be 100% honest, with 800+ reviews I should be looking at, I play favorites. People that I see contributing a lot on the review side (not just volume, but real quality reviews that save me time) are people who’s code I want to review, because they are contributing to the whole of the project, not just their little corner.

So that’s why you should review more code in OpenStack. It will really contribute to the project, make you a better developer, and through all this you’ll find your code is naturally aligning better with OpenStack and gets reviewed more often. Realize this is not an overnight fix, but a long term strategy for aligning with the community and becoming part of it.

In today’s connected environments, attacks on compute infrastructure are ubiquitous. Major players have been compromised by hackers and malware, with damages inflicted both to their reputation and their business. Protecting the infrastructure from external and internal threats is an important part of operating production grade cloud environments.

Approaches to meeting this challenge range from hoping it will not hit one’s own environment to fully locking down the environment with heavy gatekeepers and restrictive policies.

What is Intel TXT?

Intel Trusted Execution Technology (TXT) is a combination of hardware and software aimed at securing the execution of sensitive workloads.

In contrast to solutions that protect the Operating System, Intel TXT builds a chain of trust from the system firmware all the way to the server or hypervisor to prevent attacks on system firmware or BIOS, MBR, boot loader, OS and hypervisor.

Every component in this chain is verified against known good states and, depending on the result, marked either trusted or untrusted.

This approach allows detection of not only threats to the OS itself, such as viruses, but also attacks on the configuration and even manipulation of the server’s boot firmware and hardware. When a breach is detected, workloads that require secure execution can not be executed on this server.

How does this approach meet the challenge?

An entity attacking a cloud environment can choose many different paths, but unless the workload itself is attacked, the attack will leave traces in one or more of the Platform Control Registers (PCR). A changed value in a PCR results in a break in the chain of trust, which is then detected by TXT and leads to the resource being marked as untrusted. This happens both during boot and while the platform is running.

When a workload is scheduled, the trust status of the potential compute resources is verified by the scheduler. New workloads are only scheduled on compute resources that are still trusted.

Components to an Intel TXT environment

Servers used in Intel TXT contain a number of components to allow calculation of the required fingerprints and enable a trusted environment.

• The Processor and server chipset must support Intel TXT extensions.
• A TPM module (usually third party silicon) allows storing vendor and owner policies for ‘known good’ state.
• The TPM also allows signing of PCR values that are transmitted to the attestation service.
• BIOS and OS must contain Authenticated Code Modules (ACM) to build a complete chain of trust for TXT support.
• A Launch Control Policy (LCP) allowing comparison of Platform Control Registers (PCR) with known good values.

During system boot and operation, the PCRs get populated with values that can then be compared locally with values in the TPM and remotely with known good values on the Attestation Server.

The OpenAttestation Server is a service that can be run on a separate compute resource, or if desired, on a virtual machine. It confirms or denies the Trusted status of a system based on PCR values submitted to it.

Integration with OpenStack

OpenStack Grizzly and newer versions provide a Trusted Filter for Filter Scheduler that uses Intel TXT to schedule workloads requiring trusted execution only to trusted compute resources. Clusters can have both trusted and untrusted compute resources.

Workloads not requiring trusted execution can be scheduled on any node, depending on utilization, while workloads with a trusted execution requirement will be scheduled only to trusted nodes.

An overview of the flow of information on a trusted compute request can be found in the OpenStack documentation:

Fig. 1:  Trusted computing attestation process. (Source: http://docs.openstack.org/grizzly/openstack-compute/admin/content/trusted-compute-pools.html, License: Apache 2.0)

In this graph the OpenAttestation Server is communicating with all compute nodes to determine a pool of trusted resources [1]. An API request is received with trust_lvl set to trusted [2]. The scheduler reaches out to the OpenAttestation Server to determine a trusted resource [3] via a RESTful API call. Upon receiving a pool of trusted resources, the scheduler schedules the workload on a machine inside the trusted compute pool [4].

Implementation example of an OpenStack cluster with Intel TXT support

Intel TXT support can be added to an existing cluster, provided the hardware is TXT capable. In this case, an existing cluster was modified.

An OpenAttestation Server was set up first. It is possible to use a VM inside the cluster to deploy OpenAttestation, but for security and maintainability reasons, the decision was made to use an external host for this environment. At the moment OpenAttestation 1.6, 2.0 and 2.1 are available, but Intel recommended using 1.6 for this project.

Interested in hearing more about this topic?  Vote for Christian’s talk The TPM hardware and Intel TXT were enabled in the BIOS of all compute nodes that were to be designated to be trusted. OpenAttestation Clients were installed on the controllers and all trusted compute nodes. Initial values of the PCMs were then added to the OpenAttestation Server.

The OpenStack configuration was modified to use TrustedScheduler instead of the default scheduler.

A trusted flavor was created to allow distinction between workloads that require trusted execution and workloads that don’t. To achieve this, the trust:trusted_host flag must be set in the newly created instance. Alternatively one or more existing flavors can be designated as trusted.

It was demonstrated that workloads scheduled with the trusted flavor would only be scheduled onto the trusted compute nodes, whereas workloads that were launched with a non-trusted flavor would be scheduled to any host.

Further security considerations

Attacks to an application that do not leave traces on the system level (e.g. SQL injection) will not trip the Trusted status of a compute node in Intel TXT. This is correct and expected behavior, because in this case the application, not the platform, is compromised. Applications requiring a high trust level must be secured separately with a combination of secure design, development best practices and thorough testing.

Finally, operations security with monitoring, security tests and audits  is necessary to spot threats before they develop into breaches.

Conclusion

Platform security with Intel TXT is a big step in the direction of securing OpenStack cloud platforms with a chain of trust spanning hardware, firmware and operating system. Integration into OpenStack is available and has proven reliable. Being able to run a cluster with both trusted and untrusted hosts strikes a balance between administration effort and security requirements.

However, Intel TXT is not a monolithic security solution, but in conjunction with application level security, monitoring and security audits is a cornerstone of a successful cloud security concept.

The post Trusted Cloud computing with Intel TXT: The challenge appeared first on Mirantis | The #1 Pure Play OpenStack Company.

According to last October’s OpenStack user survey, QA test environments are one of the top ten workloads running on OpenStack clouds. In this post, I’ll describe how staging environments are built, and explore ways that OpenStack can make this process easier and more efficient.

The Current State of the Art

Hardly anyone would argue about the fact that the most important requirement for a test environment is that it be a copy of the relevant production environment (though this is not, in fact, always 100% true – see below). Any other requirements and constraints emerge from your software usage scenarios and testing methodology.

Before going to production, different types of system tests need to be performed, from functional tests to parallel tests. For example, in pre-production testing, you might:

• Run tests on the prior version of the software on the first staging environment;
• Run tests on the new version of the software on the second staging environment; and
• Compare the results.

If your production version runs on baremetal, each test environment will need a dedicated server cluster. Hardware, network configuration, software settings and data (anonymized of course) should be mirrored from the production environment to both these test environments. Ideally, both test environments should be built on identical hardware and have as similar a networking configuration as possible.

In most cases, IT administrators manage and allocate such testing environments — testers can’t create on-demand staging environments any time they need them.

Given the above, it’s not surprising that everyone is struggling with testing.  Consider these facts:

• It’s expensive. Building a hardware-based test environment costs a lot, especially if the software under test is mission-critical and/or requires many servers. And these costs are doubled for two environments. What’s more, that doesn’t even consider additional requirements that arise if you’re testing more than one application.
• It’s difficult to maintain. Two test environments should have similar configurations, both replicas of your production setup, and both of them should work well.
• It’s difficult to scale. What if one more environment is needed, for UAT or usability testing, for example? More resources, more time, more dependencies.
• There’s no self-service for the test team — they’re heavily dependent on the IT team.

Moving Forward with OpenStack

It would be much better if testing environments were:

• Low cost,
• Easier and faster to configure and maintain,
• Easier  and faster to scale, and
• Available in a self-service framework.

For those who know what OpenStack offers, it sounds like a perfect match.  OpenStack is open source, free, and can be deployed on cheap commodity hardware.  It lets you preconfigure components of a test suite and complete, virtualized test environments, then duplicate these rapidly at any desired scale.  Finally, OpenStack has a self-service portal (Horizon) where users can access on-demand resources for:

• Provisioning virtual servers (Nova)
• Creating/attaching storage volumes (Cinder)
• Configuring networks (Neutron)
• Assembling cloud application infrastructures (Heat)

Is The Cloud For You?

Before starting to think about cloud design, you need to ask yourself:

• Can the application be run in a virtual environment?
• Can the application be tested in a virtual environment?

If the answer to either question is no, then cloud (and OpenStack of course) may not be for you. But it must be understood that this is a conservative rule, exempting more than a few edge cases. For example, it’s possible to build quite useful cloud-based test environments behind a production instance that runs on baremetal. Doing so, however, demands a deep understanding of the application(s) under test, and the technical ability to:

• Do base-platform comparison testing, and develop protocols that let you map (for example) cloud-based performance to baremetal performance, when these are quite different.
• Adapt the cloud-based test environment to enable comparable test coverage despite performance and other differences — for example, by tuning test-database sizes, requests and other variables so that your cloud-based test environment performs comparably to your baremetal test environment. This may enable the cloud-based test environment to provide similar test-coverage to the baremetal solution in many areas.
• Be conservative, and know when your test system is not modeling the production system well. (Often the case with pure load testing.)

Also remember: cloud is evolving very fast, and the relationship between VMs and underlying hardware is increasingly configurable, enabling ever-better fine-tuning of VM performance and characteristics. Some careful testing might be in order before you write cloud off as a possible solution for both production and testing.

If you know your application will perform well, and test meaningfully in a cloud environment, however, then cloud (and probably OpenStack) is clearly a good choice.

Design Decisions

Let’s see how a cloud-based staging environment can transform the picture.

What would it take to replicate a stack that your application runs on in the virtual environment?

Let’s assume that you build an OpenStack cloud based on existing hardware.

The first, and most important thing you should think about is the cloud architecture, since many aspects must be taken into account. The more layers you have in a solution stack, the more careful you should be when designing each level. Here are some helpful tips.

First and foremost, if your application is “cloud ready”, you can’t go wrong with HA. Even if your cloud won’t run production applications, it needs to support pre-production testing, and should therefore be highly available.   (For more information, you can check out Mirantis OpenStack’s implementation of HA.

You should also check out a concise rundown of methods for optimizing compute performance in OpenStack-based cloud environments.

Other design decisions, such as:

• Network configuration
  • How many networks will you need?
  • How will VM traffic be transmitted?
  • Will VMs need Internet access, and how will it be provided?

• OpenStack components configuration
  • Which components should be installed
  • Where OpenStack services should be installed (on Compute node, on Controller node, on some sort of dedicated node, e.g., Storage node)

… depend on software characteristics, specific data communications and traffic-shaping requirements (e.g., for big bandwidth, low latency, QoS, response time) and testing workflow. Try to find answers to questions such as:

• How production data is copied to the test environment
• How often the test environment is created or updated

It will be helpful to assemble a list of requirements and transform them to architectural decisions.

Images

Once you’ve decided on your architecture, it’s time to start preparing VM images. Think about making:

• A set of generic images with vCPU, vRAM, vHDD, guest OS and some fixed software installed and configured
• A set of images with specific vCPU, vRAM, vHDD, perhaps exotic OSs and specific software installed and configured

The goal, of course, is to develop a library of images to enable rapid deployment of diverse test environments whose components are themselves configured in a disciplined way, pre-documented, and pre-tested.

Heat it!

How will you provide on-premise testing environments?

Provisioning can be done with Heat: the OpenStack component responsible for cloud applications orchestration.

Heat offers a templates mechanism. A Heat template describes the infrastructure for a cloud application, e.g., servers, volumes and their connections, networking settings, including floating ips, security groups, authentication settings, etc. For automatic software configuration, puppet or chef can be used.

This means that one general Heat template can be created for different types of test environments, provided these have similar networking settings and virtual cluster configurations. Specific virtual test environment features can then be added either with a customized Heat template or by manual configuration.

With a cloud-based solution, testers can own their test environments: creating, managing and deleting them, without IT intervention.  IT, meanwhile, typically owns the hardware cluster and manages the cloud environment.

Case study

So far I’ve provided a generalized approach to building virtual test environments. Now, let’s look at a specific use-case.

Our subject is a web software company, developing a consumer/business application. The app in question has basic availability requirements, and is likely to meet high levels of market demand at introduction. So the company needed to engineer a production platform that offered sub mission-critical HA reliability; and this solution needed to scale very rapidly and cleanly with traffic and demand. Scaling, moreover, would need to be clean in both directions – there are cyclic aspects to this client’s business that could make periodic infrastructure scale-backs necessary for cost-efficiency.

The application uses the standard LAMP stack of back-end technologies. At the opening of our study, the intended production environment was running on VMWare: not baremetal, but still relatively high-cost due to licensing and fees. Their test environment was also running on VMWare, and was maintained by IT administrators.

The company had already identified some problems:

• Their test team could not create on-premise staging environments on demand.
• Their IT staff required too much time to service requests for new test environments.
• It was difficult to scale a test environment and/or add a new one.
• Costs for test environments, support and scaling up were high (partially due to the price of VMWare licensing).

The company wanted to change their approach to building test environments. They wanted their new solution to fulfill these requirements:

• Test engineers should be able to create and maintain a staging environment via a self-service portal.
• The process of provisioning test requirements should be rapid.
• Test environments should be easy to scale and support.
• Total cost of the solution should be low.
• As replicas of the production environment are useful not only for the test team, other users such as product consultants should be able to create a demo environment via the self-service portal.
• Different test environments should be isolated.
• The IT team should be able to control resource consumption for each test team.

The solution architect proposed the building of a test environment using OpenStack. The recommended approach was to build a 10-20 node OpenStack cluster with HA for controller nodes.  The resulting solution, when complete, delivers the following benefits, among others:

• To provide isolation, each test environment runs in a separate tenant, or project.  For example, there’s one project for the test team, one for the consultant team, and so on. (See http://docs.openstack.org/trunk/openstack-ops/content/projects_users.html)
• Heat templates enable rapid creation of new environments. The test team can create new Heat templates on its own.
• Self-service is provided with OpenStack CLI/Horizon and Heat templates.
• Total cost of the OpenStack solution is lower, because the company doesn’t have to pay for licenses, and can use commodity software and hardware.
• The test team owns their test environments. They can create and delete environments anytime they need to.
• OpenStack lets IT set up quotas for each project. OpenStack’s Ceilometer component can be used for monitoring resource consumption of cloud instances, as well.

Conclusion

Building test environments can be a very complicated process, its specifics dependent on the type of software under test, desired testing methodology, people responsible for maintenance of testing environments, and other factors.

Of course, not every test environment can be built on OpenStack, and not every type of test can be performed in a cloud-based test environment. As a cloud operating system, OpenStack has it’s own constraints and issues. For example, it has some performance issues, which need to be taken into account in designing and executing performance tests.

Hardware-dependent tests such as recovery testing can’t be done in a virtualized environment. Of course sometimes hardware emulators can be used, but it’s not the same.

The biggest take-away is: plan carefully. With good engineering and process discipline, many QA organizations will be able to specify cloud-based test environment solutions that will be robust, representative of production infrastructure (whether or not this is cloud-based), and that will solve serious workflow, efficiency, quality and cost issues.

The post Building QA test environments with OpenStack appeared first on Mirantis | The #1 Pure Play OpenStack Company.

By Jeff Jameson, Sr. Principal Product Marketing Manager, Red Hat

With the voting polls open for the past week, the OpenStack Foundation is collecting votes for all sessions at this Spring’s OpenStack Summit in Atlanta. Red Hat is doing its part to contribute as many innovative and useful session to the agenda. With a variety of sessions submitted, from low-level discussions on network routing and storage, all the way through real-world success stories that share experiences and lessons learned with deploying an OpenStack cloud, we’ve got a great lineup to offer you.

Each and every vote counts, so if you haven’t already voted, have a look through all the Red Hat submitted sessions and vote for your favorites! Just click on the title to cast your vote. Remember, voting closes on Monday, March 3rd.

Red Hat proposed sessions:

1. Why you should select OpenStack versus proprietary alternatives for your private cloud
2. Extending TripleO for OpenStack Infrastructure Management
3. Quo Vadis Ceilometer
4. Systems Integration: The OpenStack Success Story
5. Mentoring Others and Yourself: An OpenStack Community Success Story
6. Customizing Horizon Without Breaking on Upgrades
7. Introduction to OpenStack Orchestration
8. Application Deployment and Auto-Scaling on OpenShift Using Heat
9. Using Cloud Management Platform to Tie Incidident Change Configuration and Catalog Management to OpenStack
10. User Experience work withing the OpenStack Community
11. Development and Application of the OpenStack Personas
12. Multi-tier Application Network Topology with Neutron
13. Under One Roof: Unified Management of OpenStack and Traditional Virtualization Infrastructure with Open Source
14. Filling the Management Gap: Cloud Management Platforms (CMPs) Provide Missing Capabilities for OpenStack and Other Private and Public Cloud Infrastructure
15. A Generalized Approach to Storage in OpenStack Environments with GlusterFS
16. Lessons Learned in Real World OpenStack Deployments
17. The State-of-OpenStack Data Processing: Savanna now and in Juno
18. Designate: An Overview of DNSaaS for OpenStack
19. Designate: Interactive Workshop Install and Operate
20. OpenStack Security: Crunchy on the Outside with a Chewy Center
21. OpenStack Security Group OSSG: An Update on Our Progress and Plans
22. Dogtag and Barbican: Open Source Key Management
23. Deploying OpenStack in the Enterprise
24. Routing: Past, Present, and Future
25. Deploy and Testing Neutron HA
26. Real Network Scenario Testing
27. Testing Distributed Cloud
28. Testing for Common Network Scenarios
29. The Massachusetts Open Cloud (MOC): A New Model to Operate and Innovate in a Vendor Neutral Cloud
30. Implementation and Lessons Learned from Building a Large Scale Cloud (Massachusetts Open Cloud (MOC)
31. Deep Dive into Massachusetts Open Cloud (MOC)
32. Scale Out Cloud in Enterprise

With OpenStack Summit approaching fast, and in true Red Hat form, we look forward to sharing OpenStack code, innovations, and experiences with the community! See you in Atlanta!

This post is part of the OpenStack Open Mic series to spotlight the people who have helped make OpenStack successful. Each week, a new contributor will step up to the mic and answer five questions about OpenStack, cloud, careers and what they do for fun. 

Derek works on OpenStack for Red Hat from his home in the west of Ireland. These days, you’ll find him working on TripleO mainly
contributing to the TripleO CI set-up. When he is not busy keeping his 3 year old and 10 month old out of trouble, Derek volunteers for an ambulance service as a qualified EMT.

When approaching a problem Derek usually jumps in feet first with his eyes closed, and when he finds himself tangled up in the weeds he’ll get out and jump in again somewhere else.

You can follow him on Twitter at @bethehokie.

1. What new OpenStack projects do you think will have a significant impact on the cloud market in the next year?

The one I’m working on of course, a reference deployment of OpenStack, is something that we’ve been missing in the community up until now. TripleO is putting a lot of effort into getting that right. Up until now, operators have been left to their own devices when it comes to deciding how they will deploy OpenStack, but having the option of picking a solution that is fully integrated with the upstream development process will make their choice a lot easier.

2. How did you learn to code? Are you self-taught or did you lear in college? On-the-job?

On my first day in college a lecturer walked in and asked people who knew what a programming language was to put their hands up. I was one of the people with both hands by my side. I quickly learned pascal and x86 assembly, before moving onto C and C++. After college I started coding in python, and besides the occasional adventure into other languages as needed I’ve pretty much stayed in the python world.

3. Where is your favorite place to code? In the office, at a local coffee shop, in bed?

I usually work from an office at home but most weeks I travel across the country to Dublin for a day to work with some of the other Irish based Red Hat engineers. I enjoy this time to touch base with colleagues and learn a little about what they’re working on.

4. What publications, blogs, mailing lists, etc do you read every day?

I don’t really follow any specific blogs, instead I rely on the people/feeds I follow on twitter to draw my attention to interesting stuff. I do read lwn.net weekly and find it an excellent source of the current news in the free software world.

5. What drew you to OpenStack?

When the opportunity came up to work on OpenStack I jumped at it. Red Hat was only starting to get involved in OpenStack at the time so there was lots of opportunities to explore the areas that I was most interested in. Since then, there has been no end of new problems being tackled by the community providing an endless stream of interesting projects to get involved in.

+read more

Since the announcement of RDO and Red Hat OpenStack at the Spring 2013 OpenStack Summit, these have arguably become two of the most popular ways to install OpenStack. Both use the puppet-openstack modules to install OpenStack, and are just a sampling of the OpenStack installers that are based on Puppet.

Read the full post here: http://developerblog.redhat.com/2014/01/28/deploy-to-upgrade-puppet-openstack-modules/

Originally posted January 28, 2014, by Christian Hoge.

High Level Approach

Glance

The CERN Glance environment is backed by Ceph. We run multiple glance servers behind an HA Proxy load balancer.

For the upgrade, we

• Stopped the Glance service at 16h00
• Performed the database upgrade steps
• Installed the Havana packages in all top and cell controllers
• Glance was re-enabled at 16h45

One issue was spotted where access to non-public images was possible when using the nova image-list command. The images were not visible when using glance image-list. As a mitigation, access to the Nova image API was blocked and users were told to use the glance command (as was already recommended).

The root cause was related to the bug https://bugs.launchpad.net/glance/+bug/1152716. The fix for the problem was to add the policy statement for the parameter context_is_admin which is needed to limit access to images for projects.

Keystone

The overall approach taken was to try an online upgrade. We have a keystone in each of our cells (so we can talk to each of them independently of the top level cell API nodes) so these were good candidates to upgrade first. We use Active Directory for the user credentials so the Keystone service itself has a limited amount of state only (related to EC2 credentials and token management).

There were some significant additional functionalities such as tokens based on PKI (to allow validating tokens without calling home) and the V3 API which adds lots of functionality we are interested in such as Domains. We chose to take the incremental small step approach of migrating with the same function and then enabling additional function once the code had been deployed.

For the main keystone instance, we were aiming to benefit from the load balancing layer and that there were minimal database changes in Keystone. The largest problem foreseen was the EC2 credentials since these, in Grizzly, are stored in a different column to those in Havana (just Credentials). These columns had to be kept in sync with a script during the phase where both versions were running.

In practice, we performed the upgrade more rapidly than originally planned as some of the clients gave errors when they had received a token from a Grizzly keystone and were authenticating against a Havana one. Thus, we upgraded all the keystone servers as soon as the final functional tests in the production environment were completed.

The detailed error message of the error on a Grizzly client was

2014-01-23 09:10:02    ERROR [root] 'token'<o:p></o:p>

Traceback (most recent call last):<o:p></o:p>

  File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 265, in __call__<o:p></o:p>

    result = method(context, **params)<o:p></o:p>

  File "/usr/lib/python2.6/site-packages/keystone/token/controllers.py", line 541, in validate_token<o:p></o:p>

    self._assert_default_domain(context, token_ref)<o:p></o:p>

  File "/usr/lib/python2.6/site-packages/keystone/token/controllers.py", line 482, in _assert_default_domain<o:p></o:p>

    if (token_ref['token_data']['token']['user']['domain']['id'] !=<o:p></o:p>

KeyError: 'token'<o:p></o:p>

The solution was to complete the upgrade to Keystone on all the servers.

During the upgrade, we also noticed a database growth from expired tokens without a purge from the past few months which is now possible to manage using keystone-manage token-flush (
https://blueprints.launchpad.net/keystone/+spec/keystone-manage-token-flush-periodically). This is not a specific upgrade problem but it is worth doing to keep the database manageable.

Cinder

We had backported some Cinder cells functionality to Grizzly so that we could launch our Ceph volume storage function before we migrated to Havana. CERN currently runs a 3.5 PB Ceph service including OpenStack images, OpenStack Volumes and several other projects working with the object and block interfaces into Ceph. We had to take a careful migration approach for Cinder to protect the additional columns which were not in the standard Grizzly tables.

The impact for the user community was that volume creation/deletion was not possible for around 15 minutes during the upgrade. Existing VMs with attached storage continued to run without problems.

Following the standard upgrade procedure of

• save a list of all volumes before starting using nova volume-list --all-t
• stop the daemons for cinder
• Perform full DB backup of cinder
• update all RPMs
• cinder-manage db sync
• restart daemons
• check new nova volume-list --all-t to see it matches

One minor issue we found was on the client side. Since the nova client depends on the cinder client, we had to upgrade the nova client to get to the latest cinder client version. With the nova client package being backwards compatible, this was not an issue but forced an earlier than planned update of nova client.

Client CLIs

We use the RDO client packages on our Linux machines. The upgrade was a change of repository and yum update.

Likewise, the Windows and Mac clients were upgraded in a similar way using pip. 

Horizon

We have customised Horizon slightly to add some basic features (add help and subscribe buttons to the login page, disable some features which aren't currently supported on the CERN cloud such as security groups). These changes were repeated.

The migration approach was to set up the Horizon web server on a new machine and test out the functionality. Horizon is very tolerant of different versions of code, including partial upgrades such as the CERN environment with Nova downlevel. We found a minor bug with the date picker when using Firefox which we'll be reporting upstream.

Once validated, the alias and virtual host definition in Apache were changed to point to the new machine.

Once under production load, however, we started to see stability issues with the Apache server and large numbers of connections. The users saw authentication problems on login and HTTP 500 errors. In the short term, we put a web server restart on a regular basis to allow us to analyse the problem. With memcached looking after the session information, this was a work around we could use without user disruption but is not a long term solution (from the comments below, this is a reported bug at https://bugs.launchpad.net/python-novaclient/+bug/1247056).

Nova

The Nova migration testing took the longest time for several reasons.

It is our most complex configuration with many cells in two data centres, in Geneva and Budapest. With nearly 50,000 cores and thousands of hypervisors, there is a lot of machines to update.

We have customised Nova to support the CERN legacy network management system. This is a CERN specific database which contains the hostnames, MAC addresses and IPs that is kept up to date by the nova network component.

To test, we performed an offline database copy and stepped through the migration scripts in a cloned environment. The only problems encountered were due to the local tables we had added. We performed a functional and stress test of the environment. With the dynamic nature of the cloud at CERN, we wanted to be sure that there would not be regression in areas such as performance and stability.

During the testing, we found some minor problems

• euca2ools did not work on our standard SL 6 configuration (version 2.1.4). An error instance-type should be of type string was raised on VM creation. The root cause was a downlevel boto version (see bugzilla ticket)
• When creating multiple machines using --num-instances on the nova command line with the cells configuration, the unique name created was invalid. A launchpad report was raised but this was a non-blocking issue as the feature is not used often.

We took a very conservative approach to ensure clear steps and post step checkout validation. We had investigated doing the migration cell by cell but we took a cautious approach for our first upgrade. For the actual migration, the steps were as follows:

• Disable Puppet automatic software updating so we would be in control of which upgrades occurred when.
• Move the Havana repository from the test/QA environment to the master branch in Puppet
• Run "yum clean --all" on all the nodes with mcollective 
• Stop Puppet running on all nodes
• Starting with the top API controllers, then the cell controllers and finally the compute nodes
• Block requests to stop new operations arriving
• Disable automatic restart of daemons by the monitoring system
• Stop the daemons and disable RabbitMQ
• Back up all DBs and create a local dump of each in case we need a rapid restore
• Update all the Nova RPMs on top controllers
• Update the top DB
• Reboot to get the latest Linux kernel
• Update all the Nova RPMs on the cell controller
• Update the cell DB
• Reboot for new kernel
• Update the RPMs on the compute nodes
• Enable RabbitMQ
• Enable services on top controllers
• Enable services in child cell controllers
• Enable nova-compute
• Check out the service communications
• Update the compute nodes using mcollective
• Enable monitoring/exceptions on all nodes
• Enable Puppet on all nodes
• Perform check out tests
• Enable user facing APIs at the top cells

Total time to run these steps was around 6 hours with the VMs running throughout. The databases back up, cloning and final migration script testing on the production data took a couple of hours. The software upgrade steps were also significant, checking RPMs are deployed across thousands of hypervisors is a lengthy process. Although there were a lot of steps, each one can be performed and checked out before continuing.

Post Production Issues

• The temporary table containing quota cache data was cleaned as part of the upgrade but does not appear to be 100% recreated. https://bugs.launchpad.net/nova/+bug/1245746 seems to describe the problem. Logging in with the dashboard fixes the problem in most cases.

Conclusions

Upgrading OpenStack in production needs some careful planning and testing but it is a set of standard upgrade steps. There are lots of interesting features in Havana to explore for both the operations team and the end users of the CERN cloud.

Credits

This information is collected from the cloud team from CERN which performed the upgrade (Belmiro, Jose, Luis, Marcos, Thomas, Stefano) while also providing user support and adding new hardware.

<o:p></o:p>

Asynchronous programming is hard. In the past, the Nova project used Tornado, then Twisted and it is now using eventlet which also became the defacto standard in OpenStack. Eventlet is not perfect, we will explain why we consider that eventlet has major flaws. We will then introduce the asyncio module of Python 3.4, how we plan to use it in OpenStack, to finish with the current status of this integration.

What’s wrong with eventlet?

Eventlet is “a concurrent networking library for Python that allows you to change how you run your code, not how you write it” according to its documentation.

The eventlet module has two major issues: debugging is hard because of the implicit task switching and it does not support Python 3 (see the Support Python 3.3 issue). The eventlet dependency blocks at least the porting to Python 3 of 9 OpenStack servers (ceilometer, cinder, glance, heat, horizon, keystone, neutron, nova, swift).

In OpenStack, eventlet is used with monkey-patching enabled. Monkey-patching the Python standard libraries replaces blocking functions with asynchronous functions using greenthread. For example, the Python time.sleep() function which “suspends execution for the given number of seconds” is replaced with greenthread.sleep which “yields control to another eligible coroutine until at least seconds have elapsed”.

The problem is that it becomes hard to guess if a function may or may not switch to another task (“green thread”). Or worse, the function may switch in a new version of a module, you won’t notice the change. The developer must be aware of that and write the code with this fact in mind. This has led to real bugs, remember this OpenStack reaction: when adding sleep(0) fixes an eventlet test. Just one example of eventlet.sleep(0): Sleep to simulate concurrency and allow other threads to work in Ceilometer tests (most concurrency tests of Nova use eventlet.sleep).

Eventlet also monkey-patches the threading module so it is not possible to use operating system threads, green threads are used everywhere.

Eventlet relies on the greenlet module to manage green threads. The greenlet module is not portable: it uses assembler code with one version per architecture and per platform to switch between green threads. Greenlet contains code specific to CPython and so cannot be used with Jython or IronPython. PyPy supports greenlet since PyPy 2.0. Even if “it works”, eventlet will not be integrated in CPython, it is difficult to maintain and so is not a sustainable solution.

The new asyncio module (PEP 3156) and the Trollius project

For a nice introduction to asyncio, read the report of Guido Van Rossum’s keynote at Pycon US 2013: PyCon: Asynchronous I/O by Jake Edge (March, 2013). The development started outside Python in a project called Tulip for Python 3.3, the name of the Python module is “asyncio” (use import asyncio in Python).

The asyncio module has been designed as a superset of existing libraries: Twisted, Tornado, gevent, eventlet, etc. The design is the PEP 3156 “Asynchronous IO Support Rebooted: the asyncio Module” written by Guido van Rossum, author of the Python language. The PEP has been written with the help of developers of the existing libraries and the design reuses good ideas of existing libraries, like transports and protocols of Twisted. Asyncio offers a nice syntax for coroutines using the new yield from syntax of Python 3.3: PEP 380 “Syntax for Delegating to a Subgenerator”.

The asyncio module is written in pure Python, and therefore portable. It is built on top of existing modules like concurrent.futures, subprocess, threading and the new selectors module (which is itself built on top on the select module). asyncio is a glue between modules of the Python standard library and existing asynchronous frameworks, but it can be used alone. It also adds new features like tasks using coroutines. It supports blocking functions as well with its executor API which uses a pool of threads by default. It uses operating system threads which can run in parallel (especially when executing C functions releasing the GIL). The default executor can be replaced to use a pool of processes, or a custom executor.

PEP 3156 has been accepted and asyncio is part of the Python 3.4 standard library. Asyncio is now very well tested by a farm of more than 33 buildbots on various architectures (x86, x86_64, PPC64, ARM7, SPARC) and operating systems (Linux, Windows 2003/XP/7, Mac OS X 10.4/10.6, FreeBSD 6/7/9/10, OpenBSD, Solaris 10, OpenIndiana). Enovance ported asyncio to Python 2.6 and 2.7 as the new Trollius project: Trollius works on Python 2.6-3.4. We also wrote the documentation for the asyncio module: asyncio – Asynchronous I/O, event loop, coroutines and tasks.

Even before the official release of Python 3.4 (scheduled for March 16th), there are already many projects supporting asyncio. There are asyncio event loops for greenlet, gevent, libuv, GLib, Tornado and 0MQ. There are database drivers for PostgreSQL, Redis, MongoDB and memcached. There are HTTP clients and servers, web sockets, and a gunicorn worker. See asyncio third party for the whole list, some of them are still experimental.

For more information on asyncio, see my notes about asyncio: talks about asyncio, Tulip backends and event loops, Tulip projects, etc. For a more technical comparison of the different asynchronous I/O models in Python, read the nice Async I/O and Python article by Mark McLoughlin (June, 2013).

Differences between Trollius and Tulip

The Trollius project is based on Tulip: in the Mercurial repository, it is a branch based on the Tulip branch, so Trollius can easily merge new changes from Tulip. We are working directly on asyncio and update the Trollius project regularly to keep it up to date.

The major difference between Tulip and Trollius is the syntax of coroutines: Trollius uses yield From(...) instead of yield from ..., and raise Return(x) instead of return x. Except for the syntax of coroutines, the API is the same: classes, methods, functions, etc. It is possible to use the same code base for Trollius and Tulip using callbacks. For example, this solution is used by the AutobahnPython project which also supports Twisted.

Also read the Trollius documentation.

Plan to use asyncio in OpenStack

Straightforward dropping of Python 2 support and replacing eventlet with asyncio is not possible: there are a lot of existing OpenStack setup running on Python 2. The Tulip project cannot be used in OpenStack, because the porting of OpenStack to Python 3 is still in progress. Trollius is a more realistic option because it works on Python 2 and 3.

There are different options to use asyncio in OpenStack:

• Replace eventlet completely with Trollius
• Plug Trollius into eventlet: eventlet would execute Trollius tasks; eventlet would be the Trollius event loop
• Plug eventlet into Trollius: Trollius would execute eventlet tasks; Trollius would be an eventlet hub

Replacing eventlet with Trollius at once is not possible, it’s not how OpenStack is developed. All changes in OpenStack are carefully reviewed, well tested, and usually very small. The development is incremental.

Plugging Trollius into eventlet can be implemented using the greenio project which is an asyncio event loop using greenlet. It doesn’t look to be the preferred option of the OpenStack developers.

Plugging eventlet into Trollius can be implemented using the eventlet hub API. We are working on a proof-of-concept. This way would be a smooth transition to asyncio. Existing code would continue to use eventlet, and new code can directly use the asyncio API.

Also read recent threads on the openstack-dev mailing list about asynchronous programming, asyncio and Python 3:

• [openstack-dev] Asynchrounous programming: replace eventlet with asyncio
• [openstack-dev] [solum] async / threading for python 2 and 3
• [openstack-dev] Python 3 compatibility

Status of asyncio in OpenStack

The first step was to add Trollius to the global-requirements.txt: the patch has been merged.

The Oslo Messaging project was selected to experiment asyncio because it was designed to support different asynchronous libraries. Oslo Messaging has an “executor API” with two available implementations: blocking and eventlet. The blueprint Oslo/blueprints/asyncio proposes to add a new Trollius executor, implementation: Add a new asynchronous executor based on Trollius.

The next step is to write an experimental eventlet hub on Trollius.

Python 3 has been around for about 5 years, and we have excellent reasons to make sure OpenStack runs well on it. Unfortunately, this is not the case. In this article, we’ll see what works, what doesn’t, and what you can do to help. Note that we are targetting the latest released version, Python 3.3.

Python Clients

OpenStack provides a REST API that allows users to write applications using the language of their choice; it also comes with Python applications. Unfortunately, not all of them work with Python 3. However, they are usually quite small, and should not be too hard to port.
The Keystone client is used by many other clients, so it had to be ported first; we will first see explain how it was ported to Python 3, then we will talk about all the other Python clients.

The Keystone client

The main issue with the Keystone client was HTTPretty, an HTTP client mocking tool for Python that was not working with Python 3. I ported it and released the 0.8.0 version in early February, and it is now used in the Keystone client. Thanks to Gabriel Falcão, the author of HTTPretty, for his support!

Other than that, the keystone client suffered from the usual issues that arise
when porting software to Python 3:

• API changes in the standard library (ex: httplib renamed to http.client);
• API changes in the third-party libraries used;
• text string versus bytes issues: in Python 2, ‘foo’ was a byte type, but in Python 3, it’s a unicode text string.

All in all, around 20 patches were needed to make sure that version 0.6.0, released on February 13th, works with Python 3. Go out and test it! Thanks to the Keystone core developers for their help!

Other clients

Our main goal is to enable the tests on Python 3.3 (enable the ‘py33′ gate and make it vote) on as many clients as possible. Congrats to the 8 (out of 16) clients for which this is already the case:

• Ceilometer
• Cinder
• Ironic
• Keystone
• Marconi
• Nova
• Tuskar
• Trove

Most of the other clients have the py33 gate enabled, but keep them as ‘non-voting’. The Savanna client even has tests working on Python 3, but as they do not consider them to cover enough of the code, they chose not to make the py33 gate vote. The OpenStack client will only work if it uses the master branch of the Glance client. Other clients still suffer from a lot of issues and are being worked on.

Server-side work

On the server-side, things are more complicated. Most pieces of software depend on eventlet, which only works with Python 2; they also have quite a lot of other dependencies preventing them for moving to Python 3. For instance, here are some blockers for ceilometer, cinder, glance, heat, horizon, keystone, neutron, nova and swift.

• eventlet is blocking 9 projects (ceilometer, cinder, glance, heat, horizon, keystone, neutron, nova, swift)
• oslo.config is blocking 7 projects (ceilometer, cinder, glance, heat, keystone, neutron, nova)
• sqlalchemy-migrate is blocking 6 projects (ceilometer, cinder, glance, heat, keystone, nova)
• python-swiftclient is blocking 5 projects (ceilometer, cinder, glance, heat, horizon)
• paste is blocking 5 projects (cinder, glance, keystone, neutron, nova)
• python-glanceclient is blocking 4 projects (ceilometer, cinder, horizon, nova)
• python-neutronclient is blocking 4 projects (heat, horizon, neutron, nova)
• python-cinderclient is blocking 4 projects (glance, heat, horizon, nova)
• oslo.rootwrap is blocking 3 projects (cinder, neutron, nova)
• ecdsa is blocking 3 projects (cinder, heat, nova)
• suds is blocking 3 projects (cinder, glance, nova)
• oslo.messaging is blocking 3 projects (glance, keystone, nova)
• python-ceilometerclient is blocking 3 projects (ceilometer, heat, horizon)
• pycadf is blocking 2 projects (keystone, nova)
• python-heatclient is blocking 2 projects (heat, horizon)
• python-troveclient is blocking 2 projects (heat, horizon)
• boto is blocking 2 projects (glance, nova)
• rtslib-fb is blocking 1 project (cinder)
• django-openstack-auth is blocking 1 project (horizon)
• pam is blocking 1 project (keystone)
• taskflow is blocking 1 project (cinder)
• qpid-python is blocking 1 project (heat)
• dnspython is blocking 1 project (swift)
• django-compressor is blocking 1 project (horizon)
• thrift is blocking 1 project (ceilometer)
• jsonrpclib is blocking 1 project (neutron)
• netifaces is blocking 1 project (swift)
• mysql-python is blocking 1 project (ceilometer)
• websockify is blocking 1 project (nova)

This list was generated using the Python classifiers on PyPI, so some packages might be listed as blocking even though they perfectly work with Python 3. Note that the main blocking point is the use of eventlet: a possible solution would be to use asyncio.

How you can help

Half the clients now work with Python 3, and we now have a better idea of what’s preventing the rest of OpenStack from moving to Python 3. What can you do to help fix what doesn’t work yet ?

The easiest thing to do is to help us identify the real issues. To do this, you can use Brett Cannon’s caniusepython3 module by running “./caniusepython3.py -r requirements.txt” in your favorite OpenStack project. Then please update the wiki page that lists the status of the projects. Want to go further ? See whether the dependencies reported by caniusepython3 are really broken on Python 3; their setup.cfg/setup.py file might just be missing the required classifiers. If this is the case, please send a patch upstream to fix that, and send a second patch to caniusepython3 that adds the project to the whitelist.

You can also do reviews of patches that help with Python 3 support; bonus points if you’re a core developer. You may want to take a look at the list of projects that are currently being ported and need reviews

You could also start porting some code! You may want to add your name and a link to your gerrit dashboard in the wiki so that others know what you’re working on. You will encounter these issues:

• Syntax issues (easy to fix)
• Incompatible third-party libraries to fix/replace (not so easy to fix, require working with upstream)
• Mix of string and bytes

We’d love to see you join us!

For about three years, I have been talking with businesses that want to deploy OpenStack. Some have questions about what distribution they should use, some want to know about multi-cloud management, others are wondering how to best manage their clouds once they are installed -- the list of questions is certainly long. One common theme that I have heard however, “Don’t worry we have the hardware under control, so we are in good shape there.” I understand the efficiency goals here, hardware is always the longest lead time for any infrastructure project. There are however some inherent complexities that will arise when deploying a software solution like OpenStack. Getting the hardware right for an OpenStack cloud deployment is not always as obvious as it seems. I wanted to take some time to explore how to approach the hardware you are going to use when you deploy OpenStack -- specifically, nova compute node hardware.

The OpenStack Summit is coming to Atlanta in May, and voting on talks is currently under way. There are a number of talks that the hastexo team has submitted for presentation or co-presentation -- here's a quick summary.

Adolfo has submitted two hands-on workshops:

read more

The more I learn about OpenStack, the more I see why there is so much buzz about the technology as well as about the community of developers and users. In a poll hosted on Opensource.com, we discovered that many of our readers are curious and eager to learn more about OpenStack. For those new to this technology, OpenStack can be described as a set of software tools for building and managing cloud computing platforms for public and private clouds.

read more

I left the presentation of the part 1 with the promise that I will show you a real 3D application running into a GPU-accelerated instance.

And so, here it is: screencast.

In this screencast you will see the bootstrap of an instance in devstack that has a GPU attached to it. From within the instance, I run an OpenGL benchmark called Heaven from Unigine. The screencast shows that the GPU load is for real thanks to a Ganglia monitoring dashboard. The software at work in this demo is comprised of the NVIDIA GPU GRID driver, TurboVNC, VirtualGL, the Unigine benchmark and Ganglia to visualize the ongoing workload.

Cherry on the cake, the VM is deployed with Heat and Chef Solo using a template you can download from ^[1].

I hope you will enjoy the Unigine video. It's pretty cool.

I was the presenter for this morning’s RDO hangout, where I ran through a simple demonstration of setting up a multinode OpenStack deployment using packstack.

Here’s the video (also available on the event page):

The slides are online here.

It seems like one of the leading amateur sports in cloud is to ask if OpenStack is ready for Enterprise ‘prime time’ in production. Common water-cooler conversations ask about stability and performance of OpenStack-based clouds at scale. But what does ‘scale’ mean? What level of scale is relevant in the real world?

From our work with many enterprise-class OpenStack customers, we’ve observed that ‘large private cloud’ generally refers to something that runs into tens of thousands of VMs. Hundreds of users from hundreds of projects manipulate those VMs simultaneously. At this scale, I think it’s fair to say, a ‘private cloud’ essentially becomes a ‘virtual data center’.

A virtual data center has some meaningful advantages compared to a classic physical datacenter, not least in flexibility. The time between the customer’s order and having the requested infrastructure available drops from days/hours to minutes/seconds. On the other hand, you need to be confident about your Infrastructure-as-a-Service platform in terms of stability under the load.

Scaling Mirantis OpenStack on Softlayer

We set out to validate desired behaviors in Mirantis OpenStack under loads you would expect to see in just such a virtual datacenter. Working with our friends at IBM Softlayer, we carved out an infrastructure of 350 physical machines in two locations. And for starters, we wanted to establish some baseline for an SLA for virtual data centers powered by Mirantis OpenStack.

Obviously, size matters. But there were other questions about an OpenStack virtual datacenter at Softlayer that we thought were important to answer right out of the gate. For example:

• Could the VDC could service hundreds of requests at the same time?

• Would the user experience suffer as more virtual servers are added in the virtual datacenter?

To find the answer to the first question, we’d need a series of tests with increasing numbers of requests issued simultaneously. Our target concurrency for this phase of benchmarks was 500. We approached the second question by refining it to gauge how long it takes to provision a server in our virtual datacenter, and, more importantly, how duration depends on the number of existing servers.

Based on expectations listed above, we designed first set of benchmarks. This first set is aimed to exercise the Mirantis OpenStack Compute infrastructure, the key component of the platform. The exercise targeted not only the Nova API and scheduler, but Compute agents on hypervisor servers as well.

Because we’re benchmarking deployment time, measuring the scalability of the OpenStack Compute service doesn’t require creating any load inside the VMs, so we can use an OpenStack flavor with a small footprint, a small image to boot into this flavor and no tasks executed inside the VM. For default flavors (or instance types) defined in OpenStack, the size of the instance does not have a significant effect on provisioning time. However, we’d need to test on real hardware to have a clear understanding of what the Nova Compute agent could handle under load.

Baseline SLA parameters we wanted to verify were:

• variance of virtual server instance boot time, including any dependencies between the time and the number of virtual instances in the cloud database;

• success rate of the boot process for our instances, in other words, how many requests out of 100 are expected to fail for one reason or another.

We set a target for this benchmark at 100 thousand virtual instances running in a single OpenStack cluster. With such a small footprint flavor, our experiment could be compared to a micro-site service for mobile applications. Another possible use case for this type of workload is a testing environment for a mobile application server with thousands of clients running on independent embedded systems. It was our hypothesis that we could figure this out with several hundred servers — generously provisioned by Softlayer — for a limited period of time as our test bed.

Setting up an OpenStack benchmarking environment

“How much hardware do you need?” is a question we often hear, and we often joke with customers that the answer is “More.” But it was clear that running a hundred thousand VMs required sufficient hardware firepower. IBM Softlayer has a pretty broad variety of configurations available, and they were as curious as we were to see what OpenStack could deliver at this level.

To calculate hardware resources needed, we first established a type of instance, or ‘flavor’, in OpenStack terms. Our flavor has 1 vCPU, 64MB of RAM and 2GB of disk, much smaller than a m1.micro AWS type, for example. This is just enough to boot a Cirros test image.

Using a very small instance type doesn’t impact results of the test because for the default flavors (or instance types) defined in OpenStack, the size of the instance does not have a significant effect on provisioning time. This is because those flavors only define the number of CPUs, the amount of RAM, and the disk file size. Those resources are usually provisioned with effectively zero variance based on instance size, because unlike in an AWS instance, which also involves provisioning additional services such as EBS, OpenStack instances are self-contained; creating ephemeral storage is accomplished by essentially creating an empty file, for example. For this reason, we can use a very small instance type without skewing the test results.

Totals for resources are:

• 100,000 vCPUs,

• 6250 Gb of RAM,

• 200TB of disk space.

So we concluded that a good representative compute server configuration for this test would include 4 physical cores (+4 for HT), 16Gb of RAM and 250GB of disk space. Because we’re not going to perform any actual load on the VMs, we can comfortably overcommit CPU as 1:32 (twice the default overcommit rate for OpenStack) and RAM as 1:1.5, which allows us density of 250 virtual servers per physical node. With these non-standard overcommit rates, we only needed approximately 400 hardware servers to hit the target of one hundred thousand VMs.

Knowing that our controllers would be handling the heaviest load, we spec’d servers for those with a more advanced configuration. Each controller had 128GB of RAM and SSD storage to accelerate the work of the OpenStack state database that runs on the controller.

One interesting note: due to differences in configuration between Compute and Controller nodes, they were provisioned in different SoftLayer datacenters with 40ms latency between them; it’s not unusual to expect that in a real cluster, you might have exactly this kind of distributed configuration. Fortunately, due to low latency between the Softlayer datacenters, no significant effect of this distributed architecture was noticed in the benchmark.

OpenStack details

We took release 4.0 of the Mirantis OpenStack product, which includes OpenStack 2013.2 (Havana) and deployed it to servers provided by SoftLayer. To do this, we had to tweak our Deployment Framework: because we could not boot off the Mirantis OpenStack ISO in SoftLayer, we just copied the needed code via rsync over the standard operating system image.  Once we’d deployed the cluster, we could use it for benchmarking.

Our configuration included only three OpenStack services: Compute (Nova), Image (Glance) and Identity (Keystone). This provides basic functionality to the Compute service, which is sufficient for our use cases (mobile platform testing).

For networking, we used the Nova Network service in FlatDHCP mode with the Multi-host feature enabled. It has total feature parity with Neutron in our simple use case (single private network, FlatDHCP network and no floating IPs).  (Nova Network was recently restored from deprecated status in OpenStack upstream.)

During the benchmark, we had to increase certain parameters for the default OpenStack configuration. The most important change is the size of the connection pool for the SQLAlchemy module (max_pool_size and max_overflow parameters in the nova.conf file). In all other aspects we leveraged the standard Mirantis OpenStack HA architecture, including synchronously replicated multi-master database (MySQL+Galera), software load balancer for API services (haproxy) and corosync/pacemaker for IP level HA.

Rally benchmark engine

To actually run the benchmark test, we needed a test engine; the logical choice was the Rally project for OpenStack. Rally automates test scenarios in OpenStack; i.e., it enables you to configure steps to be performed for each test run, specify the number of runs, and record the time to complete each request. With these metrics, we could calculate the parameters that needed verification: boot times variance and success rate.

We already had experience using Rally on SoftLayer, so that helped us a lot in this benchmark.

The benchmark configuration looks something like this:

{
    "execution": "continuous",
    "config": {
        "tenants": 500,
        "users_per_tenant": 1,
        "active_users": 250,
        "times": 25000
    },
    "args": {
        "image_id": "0aca7aff-b7d8-4176-a0b1-f498d9396c9f",
        "flavor_id": 1
    }
}

The post Benchmarking OpenStack at megascale: How we tested Mirantis OpenStack at SoftLayer appeared first on Mirantis | The #1 Pure Play OpenStack Company.

With this blog post we want to share insights into how the Platform Engineering team for the Business Marketplace at Deutsche Telekom AG analyzed a Ceph performance issue. Ceph is used for both block storage and object stroage in our cloud production platform.

Background

While the most common IO workload patterns of web applcations were not causing issues on our Ceph clusters, serving databases or other IO demanding applications with high IOPS requirements (with 8K or 4K blocksize) turns out more challenging.

Recently, we got a report from a colleague discussing performance regressions on our Ceph cluster for rados block devices. We were presented results of dd if=/dev/zero of=/dev/vdx bs=1k count=100M.

We were not very happy about getting a report with blocksize of 1k, synthetic sequential writes and /dev/zero as input. But it turned out that even with 4k or 8k, we didn’t get great numbers.

The cluster at that time was dealing fine with 32k and higher blocksizes. But 32k and less indeed resulted in a performance regression compared to an older generation of our Ceph cluster deployment.

Analysis

First we reproduced the issue with fio inside an OpenStack instance with a Cinder-attached RBD, even with pure random write. Sequential and random reads of the entire RBD were not affected inside the VM.

Also, the average results of rados bench were not perfect but not bad either - lets say they were OK. But not a good indicator if it was a pure Ceph problem or maybe something else within our network.

Initially we spent some time by analyzing with tcpdump and systemtap scripts the traffic librbd was seeing. Indeed we found situations were the sender buffer of the VM host got full while performing 4K random write stress loads inside a guest. (For this we used the example systemtap script: sk_stream_wait_memory.stp)

But this only happened on very intense 4k write loads inside the VM.

Was the IO-pattern sane to tests? Corner case issues?

We decided to look for the right tool to measure detailed latency and IOPS, which is able to reproduce the same load pattern. Bonus point: replaying real-life workloads, that come close to production workload - so we can tune for the right workload (and not for dd bs=4k).

Here started the challenge, since we looking for a tool, that is able to generate the same load on each of the following layers:

• inside the VM guest (to test the RBD QEMU driver, which is using librbd)
• on the VM host (using the same code: librbd. We hesitated to use the RBD kernel module to not miss potential issues inside librbd - if any)
• on the Ceph storage node: testing the ceph-osd code (FileStore implementation. Covering OSD-disk and Journal-disk writes)
• on the Ceph storage node: testing the filesystem (XFS) with the used formated options and mount options
• on the Ceph storage node: testing the dmcrypt block device (yep, we do this.)
• on the Ceph storage node: testing the block device directly (through storage/RAID controller. RAID0, write-through)

We would have to use different tools that might produce different workloads, which could lead to different results per test on different layers.

THE right tool: fio

fio was pretty much the perfect match for our cases - it was only missing the capability to talk to Ceph RBD and the Ceph internal FileStore directly.

Fortunately, fio is supporting various IO engines. So we decided to add support for librbd and for the Ceph internal FileStore implementation, to have a artificial OSD processes to benchmark the OSD implementation via fio.

fio librbd ioengine support

With the latest master you can get fio librbd support and test your Ceph RBD cluster with IO patterns of your choice, with nearly all of the fio functionality (some are not supported yet by the RBD engine - not fio’s fault. Patches are welcome!). All you need is to install the librbd development package (e.g. librbd-dev or librbd-dev and dependencies) or have the library and its headers at the designated location.

$ git clone git://git.kernel.dk/fio.git
$ cd fio
$ ./configure
[...]
Rados Block Device engine     yes
[...]
$ make

First run with fio with rbd engine

The rbd engine will read ceph.conf from the default location of your Ceph build.

A valid RBD client configuration of ceph.conf is required. Also authentication and key handling needs to be done via ceph.conf. If ceph -s is working on the designated RBD client (e.g. OpenStack compute node / VM host), the rbd engine is nearly good to go.

One preparation step left: You need to create a test rbd in advance. WARNING: do not use existing RBDs which might hold valuable data!

rbd -p rbd create --size 2048 fio_test

Now one can use the rbd engine job file shipped with fio:

./fio examples/rbd.fio

The example rbd.fio in detail looks like this:

######################################################################
# Example test for the RBD engine.
#
# Runs a 4k random write test agains a RBD via librbd
#
# NOTE: Make sure you have either a RBD named 'fio_test' or change
#       the rbdname parameter.
######################################################################
[global]
#logging
#write_iops_log=write_iops_log
#write_bw_log=write_bw_log
#write_lat_log=write_lat_log
ioengine=rbd
clientname=admin
pool=rbd
rbdname=fio_test
invalidate=0    # mandatory
rw=randwrite
bs=4k

[rbd_iodepth32]
iodepth=32

This will perform a 100% random write test across the entire RBD size (will be determined via librbd), as Ceph user admin using the Ceph pool rbd (default) and the just created and empty RBD fio_test with a 4k blocksize and iodepth of 32 (numbers of IO requests in flight). The engine is making use of asynchronous IO.

Current implementation limits:

• invalidate=0 is mandatory for now. The engine just fails without this for now.
• rbd engine will not cleanup once the test is done. The given RBD is filled up after a complete test run. (We use this to make prefilled tests right now. And recreate the RBD if required.)

Results

Some carefully selected results from one of our development environments while investigating on the actual performance issue.

Following plot shows the original situation we were facing. Result from the fio example RBD job run with a 2GB RBD which was initial empty:

After analysis on the Ceph OSD nodes with fio FileStore implementation and more analysis and tuning we managed to get this result:

More detailed analysis and result and configuration/setup details will follow with the next postings on the TelekomCloud Blog.

Conclusion

fio is THE flexible IO tester - now even for Ceph RBD tests!

Outlook

We are looking forward to going into more details in the next post on our performance analysis story with our Ceph RBD cluster performance.

In case you are at the Ceph Day tomorrow in Frankfurt, look out for Danny to get some more inside about our efforts arround Ceph and fio here at Deutsche Telekom.

Acknowledgements

First of all, we want to thank Jens Axboe and all fio contributors for this awesome swiss-knife-IO-tool! Secondly, we thank Wolfgang Schulze and his Inktank Service team and Inktank colleagues for their intense support - especially when it turned out pretty early in the analysis, that Ceph was not causing the issue, still they teamed up with us to figure out what was going on.

References

http://git.kernel.dk/?p=fio.git;a=summary

With this blog post we want to share insights into how the Platform Engineering team for the Business Marketplace at Deutsche Telekom AG analyzed a Ceph performance issue. Ceph is used for both block storage and object stroage in our cloud production platform.

Background

While the most common IO workload patterns of web applcations were not causing issues on our Ceph clusters, serving databases or other IO demanding applications with high IOPS requirements (with 8K or 4K blocksize) turns out more challenging.

Recently, we got a report from a colleague discussing performance regressions on our Ceph cluster for rados block devices. We were presented results of dd if=/dev/zero of=/dev/vdx bs=1k count=100M.

We were not very happy about getting a report with blocksize of 1k, synthetic sequential writes and /dev/zero as input. But it turned out that even with 4k or 8k, we didn’t get great numbers.

The cluster at that time was dealing fine with 32k and higher blocksizes. But 32k and less indeed resulted in a performance regression compared to an older generation of our Ceph cluster deployment.

Analysis

First we reproduced the issue with fio inside an OpenStack instance with a Cinder-attached RBD, even with pure random write. Sequential and random reads of the entire RBD were not affected inside the VM.

Also, the average results of rados bench were not perfect but not bad either - lets say they were OK. But not a good indicator if it was a pure Ceph problem or maybe something else within our network.

Initially we spent some time by analyzing with tcpdump and systemtap scripts the traffic librbd was seeing. Indeed we found situations were the sender buffer of the VM host got full while performing 4K random write stress loads inside a guest. (For this we used the example systemtap script: sk_stream_wait_memory.stp)

But this only happened on very intense 4k write loads inside the VM.

Was the IO-pattern sane to tests? Corner case issues?

We decided to look for the right tool to measure detailed latency and IOPS, which is able to reproduce the same load pattern. Bonus point: replaying real-life workloads, that come close to production workload - so we can tune for the right workload (and not for dd bs=4k).

Here started the challenge, since we looking for a tool, that is able to generate the same load on each of the following layers:

• inside the VM guest (to test the RBD QEMU driver, which is using librbd)
• on the VM host (using the same code: librbd. We hesitated to use the RBD kernel module to not miss potential issues inside librbd - if any)
• on the Ceph storage node: testing the ceph-osd code (FileStore implementation. Covering OSD-disk and Journal-disk writes)
• on the Ceph storage node: testing the filesystem (XFS) with the used formated options and mount options
• on the Ceph storage node: testing the dmcrypt block device (yep, we do this.)
• on the Ceph storage node: testing the block device directly (through storage/RAID controller. RAID0, write-through)

We would have to use different tools that might produce different workloads, which could lead to different results per test on different layers.

THE right tool: fio

fio was pretty much the perfect match for our cases - it was only missing the capability to talk to Ceph RBD and the Ceph internal FileStore directly.

Fortunately, fio is supporting various IO engines. So we decided to add support for librbd and for the Ceph internal FileStore implementation, to have a artificial OSD processes to benchmark the OSD implementation via fio.

fio librbd ioengine support

With the latest master you can get fio librbd support and test your Ceph RBD cluster with IO patterns of your choice, with nearly all of the fio functionality (some are not supported yet by the RBD engine - not fio’s fault. Patches are welcome!). All you need is to install the librbd development package (e.g. librbd-dev or librbd-dev and dependencies) or have the library and its headers at the designated location.

$ git clone git://git.kernel.dk/fio.git
$ cd fio
$ ./configure
[...]
Rados Block Device engine     yes
[...]
$ make

First run with fio with rbd engine

The rbd engine will read ceph.conf from the default location of your Ceph build.

A valid RBD client configuration of ceph.conf is required. Also authentication and key handling needs to be done via ceph.conf. If ceph -s is working on the designated RBD client (e.g. OpenStack compute node / VM host), the rbd engine is nearly good to go.

One preparation step left: You need to create a test rbd in advance. WARNING: do not use existing RBDs which might hold valuable data!

rbd -p rbd create --size 2048 fio_test

Now one can use the rbd engine job file shipped with fio:

./fio examples/rbd.fio

The example rbd.fio in detail looks like this:

######################################################################
# Example test for the RBD engine.
#
# Runs a 4k random write test agains a RBD via librbd
#
# NOTE: Make sure you have either a RBD named 'fio_test' or change
#       the rbdname parameter.
######################################################################
[global]
#logging
#write_iops_log=write_iops_log
#write_bw_log=write_bw_log
#write_lat_log=write_lat_log
ioengine=rbd
clientname=admin
pool=rbd
rbdname=fio_test
invalidate=0    # mandatory
rw=randwrite
bs=4k

[rbd_iodepth32]
iodepth=32

This will perform a 100% random write test across the entire RBD size (will be determined via librbd), as Ceph user admin using the Ceph pool rbd (default) and the just created and empty RBD fio_test with a 4k blocksize and iodepth of 32 (numbers of IO requests in flight). The engine is making use of asynchronous IO.

Current implementation limits:

• invalidate=0 is mandatory for now. The engine just fails without this for now.
• rbd engine will not cleanup once the test is done. The given RBD is filled up after a complete test run. (We use this to make prefilled tests right now. And recreate the RBD if required.)

Results

Some carefully selected results from one of our development environments while investigating on the actual performance issue.

Following plot shows the original situation we were facing. Result from the fio example RBD job run with a 2GB RBD which was initial empty:

After analysis on the Ceph OSD nodes with fio FileStore implementation and more analysis and tuning we managed to get this result:

More detailed analysis and result and configuration/setup details will follow with the next postings on the TelekomCloud Blog.

Conclusion

fio is THE flexible IO tester - now even for Ceph RBD tests!

Outlook

We are looking forward to going into more details in the next post on our performance analysis story with our Ceph RBD cluster performance.

In case you are at the Ceph Day tomorrow in Frankfurt, look out for Danny to get some more inside about our efforts arround Ceph and fio here at Deutsche Telekom.

Acknowledgements

First of all, we want to thank Jens Axboe and all fio contributors for this awesome swiss-knife-IO-tool! Secondly, we thank Wolfgang Schulze and his Inktank Service team and Inktank colleagues for their intense support - especially when it turned out pretty early in the analysis, that Ceph was not causing the issue, still they teamed up with us to figure out what was going on.

References

http://git.kernel.dk/?p=fio.git;a=summary

On Friday we brought you part 1, a selection of proposals Mirantis is putting forward for the Spring OpenStack Summit in Atlanta, along with a complete list of titles, and Monday we gave you part 2.  Today we wanted to post the rest of the list.

Here’s today’s selection:

• OpenStack LBaaS ecosystem: coopetition in work (Samuel Bercovici,Eugene Nikanorov) – Before the Havana release, LBaaS was limited to open source HA proxy implementation only. The Havana release also opened LBaaS  to commercial and enterprise grade load balancers  via a driver mechanism, that basically creates a standard API consumed by the different load balancing vendors’ LBaaS drivers.  Maintaining  API  standardization is critical for creating healthy ecosystem. In this session we share the process of collaboration behind the definition  and implementation of L7 content switching and SSL termination as standard LBaaS APIs. (Read More and Vote)

• Software Defined Networking Performance and Architecture Evaluation (Brian Chong) – Over the last 3 months, Symantec has run extensive performance and diagnostics tests across multiple overlay providers as well as against the base Neutron VLAN configurations and have come to several insights into CPU penalties, Network design issues at scale as well as performance comparisons using different encapsulation techniques. We will explain what our architectural design was, the results of our testing as well as our design insights into how Symantec’s cloud will be affected by the outcome of the evaluation. This presentation will cover architectural and performance characteristics of what a Overlay network is compared to a straight VLAN based environment on a cluster size of 100+ nodes. (Read More and Vote)

• Is your OpenStack Cloud Compliant? (Evgeniya Shumaker) - Compliance with critical industry and regulatory standards (like PCI DSS for payment card security, HIPAA for healthcare information, SOX for corporate process management and auditability, etc.) used to be mostly the concern of industry-specific application makers and customers integrating their solutions. Cloud computing – especially IaaS – has made things a lot more complicated. As clouds supplant conventional physical infrastructure, private cloud builders and cloud service providers are having to shoulder the burden of maintaining standards-compliance around the workloads they host and the organizations they serve. How do you architect and build standards-compliant OpenStack clouds? This presentation offers an inside look at the process: the most important standards for cloud builders,where existing OpenStack resources can fully or partially solve common compliance problems,where standards support within OpenStack is currently thin,the workflow for architecting standards-compliant clouds and common risks and emerging opportunities. (Read More and Vote)

• KeyStone Security and Architecture Review (Brian Chong) - In this presentation, KeyStone Security, specifically Trusts or Delegations, AMQP Security with KeyStone and integration with a Corporate LDAP will be discussed. The nature of OpenStack KeyStone plays a major role in binding all of the Projects together but not much is mentioned about how to do this with KeyStone or what the pitfalls and dangers of hooking up a centralized Security System to the rest of the cloud will be. The security and protection of the Identity and Token repository for OpenStack must be a well protected component within your Cloud Infrastructure. After this discussion, you will come out knowing more about KeyStone Security and how you can use it to your advantage. (Read More and Vote)

• Python and Performance: What and How (Dmitriy Ukhlov,Serge Kovaleff)   How much you can do to optimize code inside a single node? With the Python WSGI app you can use horizontal scaling to your advantage. In this talk we share our experience in the optimization of MagnetoDB, which provides high-performance Key/Value storage as a service, and what we learned about how much you can do to optimize code inside a single node. WSGI framework research and comparison,uWSGI and Gunicorn in multi-core computing environment,tuning Gunicorn and GEvent patches for Cassandra usage will all be covered in this discussion. By the end of this talk, you will know how to get the most out of your Python WSGI app. (Read More and Vote)

• Advanced services in OpenStack Networking (Eugene Nikanorov) - The presentation will cover usage patterns of advanced networking services as well as some core functionality that develops into a multivendor environment. In this discussion, we will talk about the following topics: load balancing, firewalling, vpn a l3 service and modular l2. The primary focus of this presentation will be on multivendor usage. (Read More and Vote)

• Extending the Fuel project to accelerate and simplify deployment of Openstack drivers and components (David Easter) - Fuel solves the problem of installing and deploying OpenStack by providing device auto-discovery, pre-deployment validation, automated cross-network configuration and deployment, and cluster sanity and functional testing — all under a web-based GUI that simplifies decision-making, prevents certain kinds of errors, and helps the user visualize critical information. Fuel lives upstream from OpenStack and currently comprehends multiple OpenStack releases ‘out of the box’, but more importantly, Fuel is open source. How does one go about contributing to Fuel? In this session, we’ll fully discuss the following with attendees: the structure of Fuel, controlling the Fuel UI, how user actions control what Fuel does, how to create Fuel wizards, how to support additional OpenStack features and how to control what Fuel does behind the scenes. (Read More and Vote)

• Best Practices for Ceph Deployment with OpenStack (Dmitriy Novakovskiy, Dmitry Borodaenko) - Ceph has long promised to provide a platform to satisfy all OpenStack storage needs, and last year, it delivered.  Now we want to share the good, the bad, and the ugly sides of what we’ve learned. In this talk, we will explore the reasons to use Ceph, go through things you should consider in your storage architecture, tell you how to avoid the most common deployment and integration problems, and describe the reliability and performance best practices that will help you get the most out of your Ceph backed OpenStack environment. (Read More and Vote)

• OpenStack Distributions: Do We Really Need Them?  (Dmitriy Novakovskiy) Lots of people build private clouds with OpenStack these days, and more will begin in the near future. “Where will you consume OpenStack from?” It’s only been a few years, and a number of options are already available, you can consume stable release from the Community Trunk, you can rely on a vendor to provide you with an OpenStack distro or you can wait for the Community to produce “vanilla” packages/images and deployment framework.  The choice is not obvious, and always depends on your company’s context, IT capabilities, and business priorities. In this summit talk, we’ll discuss the key ideas and trade-offs of each option, and look at the risks and things you need to keep track of after a decision is made. Once you’ve attended this talk, you’ll have a good basis for advising your company on where your OpenStack should actually come from. (Read More and Vote)

• Deploying A Self-Contained OpenStack Cloud using Puppet and Razor (Tomasz Napierała) - The AT&T Foundry currently runs a number of diverse infrastructure projects (Compute, Storage, PaaS frameworks and SDN) which all have vastly varying demands.  Our ultimate goal was to build a framework with excellent code quality, in line with industry standards and includes the obligatory abstraction layers. It was essential to make sure our development process introduces best practices for how all services included in the framework as we test various compositions as well as evaluate various underlying technologies. The framework is called Occam and is a complete automation, orchestration, hardware abstraction and provisioning framework to manage your infrastructure services.  Occam has, after a couple of months of focused dedicated time, successfully been used to deploy internal clouds at AT&T Foundry. During this session we will cover: constraints and requirements for the framework, architecture and design patterns behind the framework,t he process to achieve the proper code-quality and development process and functional, code quality, integration, deployment integrity and performance testing of the framework. Attendees will be able to leave the session with a good understanding of Occam and how it is designed, architected, & developed. (Read More and Vote)

• Performance of Hadoop on OpenStack (Andrew Lazarev) - Savanna provides integration and automation for Hadoop deployment on OpenStack, but what about performance in this environment? In this talk, we will discuss the performance impact of running Hadoop in a virtualized environment inside an OpenStack cloud. What is the performance difference between bare-metal and virtualized Hadoop environments? What is the IO overhead in OpenStack? How does data locality influence data flow? This presentation will cover these and other questions about the performance of Hadoop on OpenStack by presenting a series of benchmark tests over different installations of Hadoop. (Read More and Vote)

• Neutron NameSpaces and IPtables – Icehouse Update (Damian Igbe) - In the Grizzly release, using the OVS plug-in with Quantum required creating an additional Linux bridge for every instance spawned.  Not only was this messy to manage, but it also increased the number of devices a packet must pass through when making the trip from the originating instance to the Internet, and thus network overhead also increased. The Havana release has an improved approach, eliminating the need to propagate an extra Linux bridge per instance, since the OVS plug-in can now apply IPtables rules on Nova instance virtual NICs (i.e., tap devices). We will explore how the Havana implementation affects the underlying IPtables rules and security groups using the ML2 Neutron plug-in. We will build on material presented at the Icehouse summit by delving into how OpenStack Neutron implements security using IPtables. We’ll also drill into namespaces. Security groups are built using IPtables.  When you attend this talk, you will have a good understanding of IPtables, how they are used to implement security groups, and namespaces in Neutron. (Read More and Vote)

• Python OpenStack Clients for cloud administrators (Christian Huebner) - In addition to command line tools and REST API calls, Python OpenStack Clients can be used to examine and control clusters. This collection of clients gives developers and devops a clean interface for developing Python applications to build, maintain and troubleshoot OpenStack clusters. In a recent project we developed an application that needs to acquire cluster configuration across all major projects. We found that Python OpenStack Clients provided a very useful interface to the project’s cluster. This talk aims to provide you with a starting point to develop your own applications and an overview of the pitfalls we encountered on the way. To get the best results from this talk you should have basic Python skills and some OpenStack cluster administration experience. We will show practical examples for Keystone, Nova, Glance and Neutron on a demo cluster that can be replicated by you and used as a base for developing your own tools. (Read More and Vote)

• Climate, a Resource Reservation Service for Openstack (Sylvain Bauza, Dina Belova) - OpenStack is growing in multiple directions, with new requirements arising almost every day. For the use case of a large internal private cloud shared among a wide range of users, we definitely need to think about reserving resources. Climate is born from the idea of being able to reserve any type of OpenStack resources, either now or in the far future, in a predictable way, and we really believe that this project will help make OpenStack clouds more flexible and manageable. This Stackforge project, which aims to be incubated in the next couple of months, currently provides two distinct types of resources: virtual instances and compute hosts. In this presentation we’ll go through different reservation concepts provided by this leasing service, the current features, and the roadmap for future phases of the project. Also, we’ll present a demonstration of how Climate can help you with your resource reservation needs, so you’re welcome to join us. (Read More and Vote)

• Mistral: OpenStack Workflow Service (Dmitri Zimine, Renat Akhmerov) - Mistral is a task-automation system for OpenStack – “‘Workflow as a service.” OpenStack and application developers can use this powerful tool to coordinate complex distributed processes. Mistral will manage the entire automated process, adapting as necessary to insure the task completion.  Cloud administrators and operators can use Mistral as a flexible automation tool to express their automations as scalable, highly available workflows, managing task scheduling, cloud environment deployment, migration, or riding herds of long-running processes, like big data analysis and reporting. In this session, we share Mistral vision, use cases, and architecture, show the demo, and present current status and roadmap.  (Read More and Vote)

• Yet Another Query Language – Querying Complex Datasets in OpenStack and Beyond (Alexander Tivelkov) - The need for querying and manipulating data structures comes up regularly in most programming scenarios. It is even more common in OpenStack, as cloud infrastructures are usually huge, have many interconnected entities, and are organized in complex hierarchical structures with nested properties and relationships. While working on the Murano and Mistral projects for OpenStack, we realized the need for a flexible and extensible query language, able to run complex filtering-and-search tasks with a single and expressive line of code, so we built just such a tool and called it YAQL – Yet Another Query Language.  In this session, we will provide an overview of this language and demonstrate how to use it. At the end of this session, you will understand how to query a Python data structure anywhere in OpenStack using YAQL.  (Read More and Vote)

• Writing Ironic vendor extension (Maksym Lobur) - Ironic is an OpenStack project which provides an API for managing and provisioning physical machines. And the Ironic driver for Nova gives this power to Nova. So why should hardware vendors be interested in Ironic? The answer is that each feature provided by Ironic relies on hardware support. Some examples are: to manage baremetal node power, we use IPMI (Intelligent Platform Management Interface) and to deploy baremetal node we use PXE (Preboot eXecution Environment). The trick is that Ironic does not force you to use these interfaces, they’re just default. If you are selling hardware that provides better options – perfect! You can utilize your advanced hardware features inside your Ironic vendor driver and gain one more pro to convince your customer. After you attend this talk, you’ll know how to provide your hardware features for the future self-managing OpenStack infrastructure, in particular how to write your own Ironic vendor driver. (Read More and Vote)

• OpenStack on White Box Hardware (Russ Lindsay) - Frictionless access to information makes everyone think they can do this at home. But, in fact, deploying OpenStack on white box hardware presents a handful of challenges that your infrastructure team might not have thought about. In this session, we’ll look at a range of challenges that can stop your project before it makes it to deployment. The session is divided into two topics that we’ll dive into: introduction to scalability techniques:clouds from a hardware perspective and the second section of the session will focus on strategies to simplify the white box experience.  People who will attend will also learn about some of the simple things that are obvious with enterprise hardware but can be challenging in any white box environment. Examples include power on/off, power monitoring, system health/event monitoring, and remote console access. You’ll leave this session armed with practical knowledge about running OpenStack on Open Compute and other white box hardware. (Read More and Vote)

The post Mirantis Spring OpenStack Summit Proposals, Part 3 appeared first on Mirantis | The #1 Pure Play OpenStack Company.

Introduction

Late last year, we released  Rackspace Private Cloud (RPC) 4.2.1, which is based on the Havana release of the OpenStack cloud platform. Along with this RPC release, Rackspace also made available version 1.0 of the Rackspace Private Cloud Sandbox, a virtual appliance that runs an all-in-one single node RPC VM that allows anyone to quickly spin up a small OpenStack environment for test and demonstration purposes. This virtual appliance is distributed as an OVA package and can be imported and used in Oracle VM VirtualBox, VMware Fusion, VMware Player or VMware Workstation. The Sandbox was a direct result of your feedback. You said you wanted to be able to experiment with RPC or to demonstrate the OpenStack Horizon dashboard to colleagues or managers; however, you did not want to have to spend time installing a Chef server and running through a full RPC install for these tasks. So in response, the RPC Product team created the RPC Sandbox so you can get a small OpenStack-based cloud environment up and running in minutes on your laptop or workstation.

In this post, I will walk though a high-level setup of the RPC Sandbox (please use the setup guide in the Rackspace Knowledge Center as your primary reference). Then I will share some exercises to help you or anyone new to OpenStack learn how to use the command line interface (CLI) and the dashboard for launching and configuring cloud resources. Before we begin, please note the following:

• I will be demonstrating the RPC Sandbox setup using VMware Fusion. My experience so far is that the setup is quite simple with Fusion, Player and Workstation. VirtualBox has proven to be more challenging and the setup guide walks through some additional steps that have to be taken to setup the Sandbox.
• The Sandbox includes a Chef server that installs and manages the the all-in-one RPC role; this role includes the OpenStack components that are supported out of the box with a typical RPC deployment, including Nova compute, Nova networking, Keystone, Glance, Cinder block storage, Ceilometer,and Heat. Although Swift is supported and available with RPC, it is not included in the Sandbox due to the hardware requirements for a representative Swift deployment.
• Neutron Networking is supported and available with RPC but not currently available with the RPC Sandbox. An updated version of the Sandbox with support for Neutron is expected to be released in the future.

Setting Up The RPC Sandbox

• Download and install your desktop hypervisor of choice (as mentioned earlier, I will be using VMware Fusion in this post).
• Download the appropriate virtual appliance/OVA for your desktop hypervisor of choice; the links to them are in the setup guide.
• After the appropriate OVA has been downloaded, go ahead and import the Sandbox virtual appliance. If you are using VirtualBox, there are additional configuration steps you must perform first. The import process should take approximately five to 10 minutes.

• Once the import is complete, you can go ahead and start the VM without modification if you using VMware Fusion, Player or Workstation. If you are using VirtualBox, there are additional configuration steps you must perform first.

• During the boot process, the Sandbox VM will display minimal status messages. If you want to see the entire boot process, click in the VM and hit the [esc] key. You will see the Chef server start up, the node converge and OpenStack services start.

• After bootup is complete, you will see a screen showing the management IP addresses for both RPC and the included Chef Server. You will be provided the user name and password to log on to the Horizon dashboard and on to the actual Sandbox server.

Taking RPC For A Spin

• Go ahead and bring up the Horizon dashboard in your web browser of choice. Note that although the dashboard has the RPC skin, everything else about it is the base dashboard that is part of OpenStack trunk.

• Since we are logging in as the Cloud Admin, we will see with the Admin “Overview” screen; this screen would not be available for Project/Tenant admins.

• Click on the “Project” tab on the left side of the dashboard to access the “Admin” Project (this is one of multiple Projects you can create as a Cloud Admin) and click on the “Instances” page.

• Now let’s launch our first cloud instance by clicking on the “Launch Instance” button. In the dialog box that pops up, type in an instance name and choose the available 512MB Flavor (you have the ability to create additional flavors). Then select “Boot From Image” as the Instance Boot Source. Note that while the setup guide states that an Ubuntu image is preloaded, it is actually a cirros Linux image that is preloaded and you should choose that as the source.

• Once you click “Launch,” you should see your new cloud instance created within minutes. Note that a private IP address, not accessible from outside the “Admin” Project, has been assigned to this instance. In a moment, we will make some configuration changes to allow external access to and from our laptop or workstation.

• All configuration changes that can be performed via the dashboard can also be performed via CLI. To demonstrate this, we’ll walk though some examples by using the CLI to configure access to our newly created instance.
• First, we’ll modify the security group rules to allow us to ping our instance and to connect via a secure shell (SSH) session. To do that from the CLI, login to the Sandbox as root and execute the following commands:
  • nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0 (This will allow us to ping our instance.)
  • nova secgroup-add-rule default tcp 22 22 0.0.0.0/0 (This will open port 22 to allow us to login to our instance using ssh.)

• To access our instance, we’ll need to assign it an external floating IP address. But first, we ‘ll need to create a pool of floating IP addresses that can be associated with our launched instances; these IP addresses will be accessible from outside our RPC Sandbox. For this exercise, we will create an address pool called “public” with floating IP addresses in the same network as our Sandbox.
• Create this pool by typing a command with the following syntax – “nova-manage floating create x.x.x.x/x public.” You can see the IP addresses that have been created by typing “nova-manage floating list.” An example can be seen below:

• Now we can go back to the dashboard and make our instance accessible via SSH. First, go back to the “Admin” Project tab and to the “Access & Security” page. The first tab is the “Security Groups” tab where you will see the “default” security group already created.

• You will recall that earlier we added two rules to the “default” security group: one rule to allow ICMP packets from any source address and a second rule to allow access via TCP port 22 from any source. To see these rules, click on the “Edit Rules” button.

• Now go back to the previous window and go to the “Keypairs” page. You will see, as discussed in the setup guide, an SSH key called “adminKey” has been created as part of the RPC Sandbox.

• Now let’s associate a new floating IP address with our cloud instance. Navigate to the “Floating IPs” page and start by clicking on the “Allocate IP To Project” button to access the “Allocate Floating IP” dialog box. At this point, the only pool available is the “public” pool we created earlier and it should already be selected. Go ahead and click on the “Allocate IP’ button and you’ll see the first available Floating IP address ready for association.

• To associate this floating IP address with our instance, go ahead and click on the “Associate” button. In the “Manage Floating IP Associations” dialog box, choose the IP address you want to associate (we only have one address at this point) and choose the instance we created as the “Instance to be associated.” Finish by clicking on the “Associate” button.

• Go back to the “Instances” page and you should see the floating IP address assigned to our instance. This IP address will provide two-way access to the “outside” world using SNAT/DNAT.

• Now we should be able access our instance from our laptop or workstation. Open up a terminal on your laptop or workstation and open a ssh session using the floating IP address and login on as a user called “cirros.”  The password is “cubswin:)”

• The last task I will walk though in this post is creating a Cinder block volume and attaching it to our instance. To get started, navigate to the “Volumes” page and click on the “Create Volume” button.

• In the “Create Volume” dialog box, type in a volume name, choose “TestVolType” as the Type (this field is optional), choose a volume size and leave “Volume Source” as empty. Note that you could choose “Image” as the “Volume Source” which would allow you to create a volume from either a Glance image or a snapshot. After filling in all required fields (illustrated below), click on the “Create Volume” button to create your new Cinder block volume.

• To attach the Cinder volume to our instance, click on the “Edit Attachments” button. In the dialog box, select our instance in the drop down “Attach To Instance” box and fill out the “Device Name” field (in this case, you can use the suggested name).

When the attachment process is completed, you will be brought back to the “Volumes” page showing our Cinder volume attached to our instance in the “Attached To” field.

Conclusion

If you’ve managed to follow along through this entire post, CONGRATULATIONS! You’ve brought up an OpenStack cloud platform using the Rackspace Private Cloud Sandbox, launched and configured a cloud instance and created and attached a Cinder block volume to your instance. There are numerous other features and tasks to explore which I will walk though in a follow-up post. Meanwhile, I recommend reading the OpenStack Admin User Guide and the OpenStack End User Guide for more information.

OpenStack has been selected to be a mentoring organization for Google Summer of Code 2014. Thanks to the hard work of many contributors we could join GSoC for the first time.

For those who haven’t heard about it, GSoC is a full-time internship supported by Google that offers students worldwide a stipend to start contributing with coding tasks to an open source organization. This is a great experience for both parts, as it generates a flow of new people with fresh ideas in the organization and allows students to learn and taste how is to work on a real world software development environment.

Even though we have already been selected for it, we are still looking for more project ideas and mentors.

Call for ideas

For this round many developers voluntarily offered to mentor a student in different projects, including OpenStack Scheduler (Gantt), OpenStack Monitoring and Telemetry (Ceilometer), OpenStack Message Queuing Service (Marconi), OpenStack Incubator (Oslo) and OpenStack Networking (Neutron), and proposed several ideas for students to take. Check out the wiki for a complete list of currently proposed ideas.

Is it not mandatory that students stick to these ideas, they can propose their own coding tasks. If you are willing to mentor a student and you have an idea to propose, please feel free to add it to the ideas list in the wiki.

Call for mentors

It’s not late to apply as a mentor! Mentoring is an enriching experience that won’t take you too much time. Learn more about how is to be a mentor in Google’s GSoC Mentoring manual. If you are interested in mentoring, please add your name to the mentors list in the wiki.

Call for students

Students applications start next March 10th and ends on March 21st. By that time, students have to get in touch with the community, select a project, submit a proposal (which may be based on a suggested idea or on a personal idea) and include all the neccesary documentation.

More details about how is to be a GSoC student are described in the Google’s GSoC Students manual.

Currently future applicants are adding their names and contact information in the wiki, so if you want to apply to be an student go ahead and add yourself to this list and get in touch with the community.

Join OpenStack GSoC on IRC

If you want more details about OpenStack’s participation in GSoC, please join us at irc.freenode.org in #openstack-gsoc. It would be great to hear from you!

We want to replace the shell call to openssl for certificate generation in Keystone (and the rest of OpenStack) with calls to Certmonger. Certmonger supports both OpenSSL and NSS. Certmonger can support a selfsigned approach, as well as tie in to a real Certificate Authority. Here are the steps I took to test out selfsigning, as well as my notes for follow on work.

Request a certificate:

sudo selfsign-getcert request -f /etc/pki/testcert -k /etc/pki/testkey

copy certs to /tmp and sign

 cat /opt/stack/python-keystoneclient/examples/pki/cms/auth_token_unscoped.json |  openssl cms -sign -signer /tmp/testcert -inkey /tmp/testkey -outform PEM -nosmimecap -nodetach -nocerts -noattr  -out /tmp/auth_token_unscoped.pem

and verify with

openssl cms -verify -certfile /tmp/testcert -CAfile /tmp/testcert -inform PEM -in auth_token_unscoped.pem

Need to clean up SELinux:

A workging one is shown here:

matchpathcon /etc/pki/tls/private/
/etc/pki/tls/private	system_u:object_r:cert_t:s0

Need to make this look the same-ish

 matchpathcon /etc/keystone/ssl/certs/

what can certmonger do on files? Check with

sudo sesearch --allow -s certmonger_t -c file -t cert_t

Returns

Found 3 semantic av rules:
   allow certmonger_t cert_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow nsswitch_domain cert_t : file { ioctl read getattr lock open } ; 
   allow nsswitch_domain cert_t : file { ioctl read getattr lock open } ; 

So we need to add a rule in standard policy to label /etc/keystone/ssl (and all subdirs) as cert_t

Thanks to Nalin Dahyabhai for helping me work this out.

Originally posted on August 12, 2013, by Tim Burk, vice president, Cloud and Virtualization Development, Red Hat – Part 4 of a 4 part series [1]

Tim’s earlier posts include:

• The evolution of Red Hat Enterprise Linux, and the answer to “Who will be the Red Hat of OpenStack?”
• Why combine Red Hat Enterprise Linux and OpenStack? Technology Optimization Benefits.
• Why combine Red Hat Enterprise Linux and OpenStack? Integration and Ecosystem Benefits.

As described in my earlier posts, it is plain to see that Red Hat is not treating OpenStack as “just” a layered product.

Rather, Red Hat Enterprise Linux OpenStack Platform is the next major evolution in the Red Hat Enterprise Linux family. The tight levels of integration and responsible enterprise grade feature enhancement necessitate this combination. We believe that doing OpenStack right – to make it secure, performant, easy to use, and evolve over time – is only possible by taking a holistic approach.

The prior product variants of the Red Hat Enterprise Linux family continue to meet the needs and price-point of non-cloud scenarios. In addition, the new Red Hat Enterprise Linux OpenStack Platform variant augments the standard Red Hat Enterprise Linux foundation with optimizations and features combined with the accompanying Red Hat supplied OpenStack components. Red Hat Enterprise Linux and OpenStack are a very natural fit. The boundaries of infrastructure software are expanded. No other vendor can provide this level of OpenStack integration and optimization on top of Red Hat Enterprise Linux.

Red Hat’s objective with OpenStack is to use our expertise in upstream innovation, combined with enterprise product hardening, maintenance, and support to deliver industry-disruptive OpenStack capabilities in Red Hat Enterprise Linux.

To answer the question “Who will be the Red Hat of OpenStack?”

The answer is here today.

With Red Hat Enterprise Linux OpenStack Platform, Red Hat has claimed its place as “the Red Hat of OpenStack.” And this is just the beginning.

1. Editor’s note: In a four-part blog series, Tim Burke has reviewed the evolution of Red Hat Enterprise Linux, and highlighted a few of the key benefits offered by the Red Hat Enterprise Linux OpenStack Platform. In this, Tim’s final post, he answers the question he launched this series with: “Who will be the Red Hat of OpenStack?” All statements in the blog represent the views of the author and Red Hat as of the original date of publication and have not be updated or revised subsequent to that date.