openstack meetup: bootstrapping openstack to corporate it
DESCRIPTION
Bootstrapping OpenStack to the requirements of a typical, corporate IT department. It may be straightforward to start using OpenStack out of the box; fitting OpenStack to corporate IT with its many compliance and security standards can, however, present some challenges.
TRANSCRIPT
Agenda
• OpenStack adoption for Mirantis IT
• Mirantis IT overview
• Integration with legacy LDAP
• Advanced Network features
• Disaster recovery mechanisms
• OpenStack development in Mirantis
• Community roadmap
Mirantis IT overview
• 5 sites around the world
• 4-6 servers in each site
• A number of projects, each with its own requirements
• Single authentication for users/projects
Mirantis IT Requirements
Requirement                               OpenStack support
Availability Zones                        limited
Multiple NICs                             no
Disk and flavor resize                    no
VMs info in LDAP                          no
VNC via browser                           yes
Instance snapshotting                     yes
Specify node to run instance on           limited
Quotas                                    limited
RPM packages for Fedora                   yes
Requested disk space in root partition    no
Deployment schema
Key bottlenecks
• Integration with existing LDAP
• Advanced Network features
• Disaster recovery mechanisms
LDAP auth
Current OpenStack support:
• Management of users
• Management of projects
• Management of roles
Issue:
• Support of existing accounts management system (GOsa)
Solution: GOsa plugin https://github.com/Mirantis/gosa-openstack.
LDAP server info injection
Created Server in GOsa
Results
• LDAP authentication and authorization
• DNS records are managed by existing LDAP schema
• Access to VMs is granted based on existing LDAP mechanisms
Key bottlenecks
• Integration with legacy LDAP
• Advanced Network features
• Disaster recovery mechanisms
OpenStack networking
Supported topologies:
• Flat
• FlatDHCP
• VlanManager
Public IPs, FlatDHCP
Goal:
• Assign public IP addresses to VMs
• Make VMs routable from Internet
• Allow one of the network IPs to be set on the router to use OSPF
Issue:
• FlatDHCP manager assigns the first IP of the net to the bridge and leases all other IPs for VMs
How to configure/fix:
• Add in nova.conf:
    --public_interface=em1
    --flat_interface=em1.89
• Assign any IP of the net except the first one to the router IP to use OSPF
• Mark this IP in the database as "reserved":
    UPDATE `nova`.`fixed_ips` SET `reserved` = '1' WHERE `fixed_ips`.`address` = "x.x.x.x";
VlanManager modifications
Goal: Run private cloud on the Vlan'ed network with limitations:
• 1st, 2nd, 3rd IP addresses are reserved for VRRP
• First IP is default gateway for the network
Issues with current implementation:
• 1st IP address is assigned to the bridge
• Bridge IP is used as default gateway for VMs
We changed:
• Fourth IP is assigned to the bridge
• First IP for default VMs gateway
Results
• Patch OpenStack to support public IP addresses in the context of existing IT setup
• Create a workaround, given first 3 IPs were unavailable
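As an added example (not code from the deck or from Mirantis), a small Python helper that lays out a network the way the modified VlanManager above expects (hosts 1-3 held for VRRP, host 1 as VM gateway, host 4 on the bridge), checks a candidate OSPF router address against the FlatDHCP constraint (anything but the first IP), and emits the reserved-IP UPDATE statement from the slide. The CIDRs and addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, List


def plan_vlan_network(cidr: str) -> Dict[str, object]:
    """Address layout for the modified VlanManager: hosts 1-3 reserved for
    VRRP, host 1 doubles as the VMs' default gateway, host 4 goes to the
    compute bridge, everything after that is leasable to VMs."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 5:  # need 3 VRRP + bridge + at least one VM address
        raise ValueError(f"{cidr} too small: need at least 5 host addresses")
    return {
        "gateway": str(hosts[0]),
        "vrrp_reserved": [str(h) for h in hosts[0:3]],
        "bridge": str(hosts[3]),
        "vm_pool": [str(h) for h in hosts[4:]],
    }


def check_flatdhcp_router_ip(cidr: str, router_ip: str) -> bool:
    """FlatDHCP hands the first usable IP to the bridge, so the address set
    on the OSPF router must be any other host address inside the network."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(router_ip)
    first_host = next(net.hosts())
    return (addr in net
            and addr != first_host
            and addr != net.network_address
            and addr != net.broadcast_address)


def reserve_sql(addresses: List[str]) -> List[str]:
    """One UPDATE per address, mirroring the MySQL statement on the slide.
    Each value is parsed as an IP first, so only a valid, normalised
    address is ever interpolated into the statement."""
    stmts = []
    for a in addresses:
        safe = str(ipaddress.ip_address(a))  # raises on anything that is not an IP
        stmts.append(
            "UPDATE `nova`.`fixed_ips` SET `reserved` = '1' "
            f"WHERE `fixed_ips`.`address` = '{safe}';"
        )
    return stmts


if __name__ == "__main__":
    plan = plan_vlan_network("10.20.30.0/24")  # constructed sample network
    print(plan["gateway"], plan["bridge"], len(plan["vm_pool"]))
    print("\n".join(reserve_sql(plan["vrrp_reserved"] + [plan["bridge"]])))
```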
Key bottlenecks
• Integration with legacy LDAP
• Advanced Network features
• Disaster recovery mechanisms
Compute node failure
Disaster recovery
Possible scenario                                                                                         Status
Compute node has crashed or rebooted, we want to rerun VM on it                                           implemented
Compute node has crashed or rebooted, we want to rerun VM on another node with shared storage             implemented
Before node crash VM was migrated on it, we want to rerun VM on it or another node with shared storage    In progress
See blogpost at bit.ly/lb4wJ9
To recover a VM, run: ./nova-compute <instance_id>
OpenStack Disaster Recovery Summary
• Addressed compute node failures with custom script
• Our script still has limitations
• CloudController failures are a problem under research
• For instance, no highly available networking
• No current self-healing mechanisms
OpenStack Modifications Summary
• VNC console via browser
• RPMs for Nova, Glance, Dashboard on Fedora
• Injection of server info and DNS records into existing LDAP
• Manual assignment of a network to a project
• Projects support in nova client
• LDAP speed up
• Instance name in Dashboard Launch dialog
• FQDN based on instance name
Roadmap
Requirement                                                                            OpenStack          Mirantis
Boot from Block Storage                                                                In progress        In progress
Live Migration over non-shared storage                                                 In progress        In progress
LDAP identity store for Keystone                                                       Planned            In progress
Requested disk size should be in root partition, not as additional block device        ?                  In progress
Self-healing                                                                           ?                  Planned
Flavor and disk resize                                                                 Planned            Planned
Several networks per project                                                           Will be in Diablo  Planned
Availability Zones support from nova client, Dashboard                                 ?                  Planned
Live migration between projects                                                        ?                  Planned
Lessons Learned
• Have to get your hands dirty to understand OpenStack limitations
• OpenStack development != Python programming
• Go to production early
Where to find our work
• https://code.launchpad.net/~mirantis
• https://github.com/Mirantis
• http://mirantis.blogspot.com/