devops – Page 3 – Calgary RHCE

Comparing OpenStack installers

September 10, 2016 By Andrew Ludwar 1 Comment

Building on a previous post, I promised I’d do a comparison of open source OpenStack installers. Choosing an installer requires more thought than most people think, as the choices are vast, and each installer offers different strengths, benefits, and trade-offs. Depending on your environment’s purpose and intended result, it would be wise to align your needs with the installers’ capabilities and limitations. Here they are:

OpenStack installer	Pros	Cons
packstack	- Very easy to use - Can get OpenStack installed in approx. 20-30 minutes - Only one host required - Answer-file driven, easy portability and backup of configuration - No need for an installation host - Fire and forget install	- No support for multiple controllers, or high availability - Cannot provision systems from scratch (no baremetal deployment, requires installed OS) - No API for automation or customization - No ongoing lifecycle management (fire and forget install)
Foreman (staypuft)	- GUI interface - Supports high availability - Discover baremetal hosts for provisioning - Re-use of existing open source tools (foreman) - Fire and forget install	- No ability for pre-provisioned hosts or gold images - No flexibility of controller or compute roles - No ongoing lifecycle management (fire and forget install)
openstack-ansible	- Easy to use, slightly more complex than packstack, but still very easily consumable - Can get OpenStack installed in approx. 45-60 minutes - Uses linux containers for deployment - Offers flexible environment configuration	- Minimum 5 hosts required
Fuel	- GUI interface, CLI available - Supports high availability - Discover baremetal hosts for provisioning - Flexible environment configuration (controller, compute, storage) - Offers scaling of the environment, patching, and upgrades - Highly extensible and interoperable	- Predominantly developed by one vendor, raises question of community diversity, sustainability, and rate of innovation
TripleO	- Very capable CLI, and API - Supports high availability - Discover baremetal hosts for provisioning - Flexible environment configuration (controller, compute, storage), with composable roles on the horizon - Supports deployment of services into containers - Offers scaling of the environment, patching, and upgrades - Highly extensible and interoperable - Based on existing OpenStack components, benefits from high-innovation rate in core OpenStack components as well as installer community innovation	- Most complex tool in the comparison, high learning curve - No GUI currently available (slated for future release)

Now of course, this is just one man’s opinion, and this comparison may be outdated a week after it’s posted. But, generally speaking, these are the installers to look at and align your requirements with when you’re considering an install. For my OpenStack needs, my requirements can be summarized in one statement, while my use-cases can be summarized in two:

Requirement: My installer needs to have a strong community surrounding it. Both to anticipate and deliver the features my customers want, but also to continue to maximize the value of my OpenStack investment throughout its lifecycle and be supportive and responsive to my needs (which may or may not be the next cool and shiny thing to work on).

Use Case 1: Brainless, quick and easy installation to get OpenStack up and running in the shortest amount of time possible, with the least amount of resources required.
Use Case 2: Highly capable, fully featured deployment options, and long-term lifecycle management to manage clouds for years to come.

For use case #1, it doesn’t get any more brainless than packstack. Packstack is my installer of choice when doing basic proof of concepts or demos. I only need one host, or possibly two if I want to add another compute node. After doing a standard OS installation, a packstack all-in-one deployment is literally one command and I’m off and running 20 minutes later. I don’t need to know jack squat about OpenStack, or what my needs are, or setup and configure any other infrastructure or software.

For use case #2, my installer of choice is TripleO. The complexity is a concern, but that’s not an uncommon trait for software that’s highly innovative and one which incorporates changes frequently. I’m going to need to learn about OpenStack to understand how to manage it, there’s no avoiding that piece, it might as well start at installation time. Also, TripleO is appealing because it’s OpenStack on OpenStack (OOO). The project value is multiplied by the existing innovation rate of OpenStack and also by not being tied to any one vendor. TripleO will be around long after the vendor wars are settled, because it’s lifecycle is directly tied to OpenStack itself.

Because packstack is so easy, I’ll let you run with that one on your own. For the next part in this series, I’ll show a virtual home lab environment for an OpenStack installation, and do an install of TripleO. Lastly, and finally, I’ll show an example 9 node HA deployment with Ceph.

For Red Hat customers, Red Hat publishes a comprehensive installer best practices and supportability matrix to help you decide.

Getting started with OpenStack

August 21, 2016 By Andrew Ludwar 2 Comments

So you’d like to get started with OpenStack eh? (Sorry, that’s my Canadian coming through). You may have been thinking about it for a while, evaluating the landscape, the maturity, evaluating your tolerance for new technology, and waiting for the right time to adopt. Being on the verge of adopting a new and disruptive technology is an intimidating place to be. Lots of questions arise: Where to start? What to evaluate? Who to partner with? What gaps to address? What should the architecture look like? What is the project purpose? Is my staff well prepared? What training should we get? Is our infrastructure capable of supporting it? How to handle long term tasks like patching, scaling, or lifecycle management? These aren’t easy questions to answer, and the answers usually come from experience; which you don’t have. What do you do? I’m going to start the first in a series of posts addressing some of these questions and hopefully adding some clarity to OpenStack adoption. First, some of the basics.

What is OpenStack?

OpenStack is essentially the culmination of commoditized infrastructure, and years of frustration with inflexible, closed, proprietary data center infrastructure components. (That’s a bold statement, let me expand on that.) As hardware virtualization took off in the mid to late 2000’s we began to see the potential, and reap the benefit, of increased application deployment speed. No longer being tied to the physical server procurement process opened the industry’s eyes to server flexibility and utilization. Virtualization was born from the idea of vertical density, ie. how many OS’s can we cram onto this server to maximize its use? As we became accustomed to “spinning up a VM”, these tasks started to feel trivial, frequent, and burdensome. In true sysadmin fashion, we looked to automate some of these tasks, but we didn’t get very far. Existing virtualization tools were designed with focus on performance, high availability, and ease of management. But not automated management. As our virtual environments became more utilized and integrated, we started to see delays in the process of “spinning up a VM”. Many checks and balances were added, and soon the time to provision virtual resources started to creep closer and closer to that of its physical cousin. Sound familiar? (I also wrote a post on this last year). It seemed like we couldn’t even buy an adequate API, let alone integrate it with something else.

At the same time, applications started to adapt to the new concept of commoditized hardware. Server infrastructure began to be treated more like consumables. Scaling out started to be as important as scaling up, and the need to do that quickly was paramount.With these two challenges in mind, the idea of programmable infrastructure spawned, and the idiom infrastructure as code was born. The OpenStack project is essentially that – programmable infrastructure. Services native to a datacenter make up the project, and each is designed with a fully featured API.

Why should I care?

The drive behind virtualization was cost optimization and increased utilization of existing resources. The drive behind OpenStack is also cost optimization, but not of the traditional capital expenditure kind. OpenStack serves to reduce the amount of time your IT staff waits for data center resources. It also increases the flexibility and agility of your datacenter resources so that they may quickly be created and re-purposed in quite literally a matter of seconds. It enables your business to adjust incredibly quickly to the constant change we see in our industry. And lastly, it enables you to take advantage of new cloud capabilities in application and service architecture. Quickly scale up, scale down, integrate automation tooling, or create applications with higher resilience and additional capability, so that you are ready to adjust to the next business priority or opportunity.

What’s the difference between virtualization and OpenStack?

Others have described the difference better than I could have, so I’ll link their work. But I’ll add this; traditionally, hardware was assigned to an application. Then hardware was assigned to virtual datacenters or clusters. If you wanted to re-purpose hypervisors, add storage, or provision networks you would incur a lengthy migration, balancing, or configuration task. And none of these services came with a capable API. OpenStack takes the virtualization concept of a software-defined OS component and blows it out of the water. Now every piece of infrastructure is software defined, so you can “spin up” much more than just a VM.

How do I get started?

I thought you’d never ask! 😉 This is a loaded question with many correct answers to it, but we’ll want to start with sorting out a couple basics. Firstly, you need to decide the workload intent of your OpenStack environment. Specifically, I mean what type of application workloads do you expect to put there, and how many instances or VMs do you want in the environment. Secondly, you’ll want to decide the performance and redundancy you expect out of those workloads. Deciding on these two things will help give you a good idea of where to start for physical node count, physical node resources, and the node type or role each physical device should have. Also, this will help you decide what you should be using for an OpenStack installer. Since the environment architecture is a wildly variable conversation, I’m going to link some helpful resources to assist you in your sizing decisions. This decision is worth engaging an OpenStack provider in, depending on your intent of the environment. Some folks choose a small environment with a flagship app to deploy with it, others deploy general use OpenStack resources for mass consumption.

Cloud Resource Calculator – This is helpful in sizing your hardware with respect to your expected VM count and the size of your instance flavors.
Deterministic capacity planning for OpenStack – This is helpful to better understand the factors to consider when sizing an environment, and committing to a deployment.
Sizing your OpenStack Cloud – OpenStack Summit – Real world feedback video on the topic

Next topic I will outline some of the options you have for installers, why you might pick one, and then I’ll choose an environment size to go through and do an example deploy. Have I missed anything important in the above topics? Got anything to add? I’d love to hear your experience.

Ansible-pull and kickstart, for one-touch server provisioning

February 3, 2016 By Andrew Ludwar Leave a Comment

Recently I’ve been learning and using Ansible as my configuration management tool. It came recommended by several colleagues, recently had an O’Reilly book published, and went through an aquisition. Safe to say its momentum and adoption is on a high… and so far, I’m loving using it. I find it vastly easier to setup and use than Puppet, Chef, CFengine, or SaltStack. I bought the O’Reilly book, and had a playbook configuring a server in about 10 minutes… udderly quick. (Sorry, bad pun if you looked at the book cover). Most of my config management experience is with CFengine and Puppet, yet I found some interesting contrasts so far:

I found Ansible far easier to consume and get running right away. Literally after 10 minutes I had a basic playbook pushing /etc/motd to my server. There was no setup of a Puppet master or CFengine master server required, and I didn’t need to download any modules. It uses already encrypted SSH for traffic, so no SSL work was required either.
The syntax reads very easy, and the learning curve to understanding and writing a module (or a play in this case) was very short. I remember spending a few days with Puppet and CFengine before I surface-level understood modules and classes. Ansible was 10 minutes. I’ll use a phrase coined by a colleague, and one that also happens to be in the book…. Ansible reads like executable documentation.
No agent required, everything runs over SSH, so that alleviates management and maintenance of a local agent.
A formal Ansible server wasn’t required, although a remote client to be managed needs to talk to something that has the Ansible code. (This could be a formal server, or alternatively a git repo, or any server with repo access. How the client gets its code seems to be very flexible)

Pretty impressive so far. Then I started to think… well running a play or a series of plays (called a playbook – which are essentially configuration tasks or a group of tasks) looks to be a push methodology, and performed as a one-off task. What about drift management? (Puppet and CFengine excel at this). And how can I get a VM created, bootstrapped, and configured by ansible in a one-touch provisioning method?

Enter ansible-pull. Just like it reads, instead of initiating a push from the server to the remote client, a new client can request its config with ansible-pull. In fact, if you load-balance your config source (server, repo) this can theoretically scale infinitely. So, I investigated how to set this up, and this is what I came up with. Ansible-pull initiated by kickstart, a git repo with my ansible code, and a systemd unit file to turn the first-boot ansible-pull into a service that automatically configures my server, I just need to enable it with systemctl.

First, you’ll need some ansible code, and then a place to put it (Creating code is outside the scope of this post, but I’ll share mine for reference). I’ve got a gitlab server at home, so I’ve synced my code into a new repository named “ansible”. Having your code at the root of the repo helps make it easy for ansible-pull.

Ansible has a concept of an inventory file, so what I’ve done here is copied my site.yml file into localhost.localdomain.yml as I’ve told ansible-pull to look for that. In my home lab, VMs come up unnamed to begin with, then once they’re networked and configured I rename them into a more permanent home. This can easily be changed, but this is what I’ve done thus far. To make it easy to fetch the code, in GitLab I’ve created the user ansible, uploaded a public SSH key, and given the user access rights to the repository. Then, my CentOS 7 kickstart file %post section looks like this:

%post --log=/root/ks-post.log
yum install epel-release -y
yum install ansible git -y
yum update -y

useradd -p '<hashed and salted ansible user password>' ansible
echo "ansible ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/ansible
echo "Defaults:ansible !requiretty" | tee -a /etc/sudoers.d/ansible
chmod 0440 /etc/sudoers.d/ansible
wget http://<ks-server>/ansible.tar && tar -xvf ansible.tar -C /home/ansible
echo localhost.localdomain >> /home/ansible/hosts
chown -R ansible:ansible /home/ansible/.ssh

wget http://<ks-server>/ansible-config-me.sh -O /usr/local/bin/ansible-config-me.sh
wget http://<ks-server>/ansible-config-me.service -O /etc/systemd/system/ansible-config-me.service
chmod 0755 /usr/local/bin/ansible-config-me.sh
chmod 0644 /etc/systemd/system/ansible-config-me.service

systemctl daemon-reload
systemctl enable ansible-config-me.service

%post --log=/root/ks-post.log

yum install epel-release -y

yum install ansible git -y

yum update -y

useradd -p '<hashed and salted ansible user password>' ansible

echo "ansible ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/ansible

echo "Defaults:ansible !requiretty" | tee -a /etc/sudoers.d/ansible

chmod 0440 /etc/sudoers.d/ansible

wget http://<ks-server>/ansible.tar && tar -xvf ansible.tar -C /home/ansible

echo localhost.localdomain >> /home/ansible/hosts

chown -R ansible:ansible /home/ansible/.ssh

wget http://<ks-server>/ansible-config-me.sh -O /usr/local/bin/ansible-config-me.sh

wget http://<ks-server>/ansible-config-me.service -O /etc/systemd/system/ansible-config-me.service

chmod 0755 /usr/local/bin/ansible-config-me.sh

chmod 0644 /etc/systemd/system/ansible-config-me.service

systemctl daemon-reload

systemctl enable ansible-config-me.service

Above:

I make sure ansible and git are installed and the latest versions with the yum commands
I add the user, and configure it to use sudo without a password and tty
Then I unroll it’s .ssh/ directory w/ SSH keys and pre-populated known_hosts file, and also populate the ansible inventory file
Then I grab the script I’ve created that runs ansible-pull, and will be the executable of my systemd unit file
I grab the custom systemd unit file
Do a daemon-reload of systemd to trigger reading in my new unit file
Enable the new ansible service I’ve created

Now once kickstart is completed, the ansible-pull script will get run via systemd auto-starting the ansible-config-me service. My unit file and script look like this:

ansible-config-me.service:
[Unit]
Description=Run ansible-pull at first boot to apply environment configuration
After=network.target

[Service]
ExecStart=/usr/local/bin/ansible-config-me.sh
Type=oneshot

[Install]
WantedBy=multi-user.target

ansible-config-me.service:

[Unit]

Description=Run ansible-pull at first boot to apply environment configuration

After=network.target

[Service]

ExecStart=/usr/local/bin/ansible-config-me.sh

Type=oneshot

[Install]

WantedBy=multi-user.target

In the [Service] section, Type=oneshot tells systemd that the process will be short-lived. This is is useful for for scripts that do a single job, and then exit.

ansible-config-me.sh:
#!/bin/bash

runuser -l ansible -c 'ansible-pull -C master -d /home/ansible/deploy -i /home/ansible/hosts -U git@gitlab.ludwar.ca:aludwar/ansible.git --key-file /home/ansible/.ssh/id_rsa --accept-host-key --purge &gt;&gt; /home/ansible/run.log'

systemctl disable ansible-config-me.service

ansible-config-me.sh:

#!/bin/bash

runuser -l ansible -c 'ansible-pull -C master -d /home/ansible/deploy -i /home/ansible/hosts -U git@gitlab.ludwar.ca:aludwar/ansible.git --key-file /home/ansible/.ssh/id_rsa --accept-host-key --purge >> /home/ansible/run.log'

systemctl disable ansible-config-me.service

To take advantage of the pre-populated SSH keys and access of the ansible user, I run ansible-pull as user ansible, and tell it to pull the master branch, download the code and run it from the deploy directory, use the hosts inventory file which contains the new hosts’ hostname, give it my git repo, SSH key, and then set the purge flag to delete the local deploy directory and code within it after it’s done. Since I also just want this script run once, I disable the service in systemd.

There you have it! A one-touch provisioning process. And as for the drift management piece, I read most folks are cron’ing this ansible-pull. However, an official drift management feature is coming in the near-future for Ansible Tower.

Oh, and for interest sake, this is the ansible playbook task I’m running:

# This playbook contains common plays that will be run on all nodes.

- name: Install chrony
 yum: name=chrony state=present
 tags: chrony

- name: Configure chrony.conf file and restart
 template: src=chrony.conf.j2 dest=/etc/chrony.conf
 tags: chrony
 notify: restart chrony

- name: Enable chrony at boot
 service: name=chronyd state=started enabled=yes
 tags: chrony

- name: Update motd
 template: src=etc.motd dest=/etc/motd
 tags: motd

- name: Add --long-hostname to getty
 lineinfile: dest=/etc/systemd/system/getty.target.wants/getty@tty1.service regexp="^ExecStart=" line="ExecStart=-/sbin/agetty --long-hostname --noclear %I $TERM" state=present

- name: Deploy hardened SSH client config file (/etc/ssh/ssh_config)
 template: src=etc.ssh.ssh_config dest=/etc/ssh/ssh_config
 tags: ssh
 notify: restart sshd

- name: Deploy hardened SSH server config file (/etc/ssh/sshd_config)
 template: src=etc.ssh.sshd_config dest=/etc/ssh/sshd_config
 tags: ssh
 notify: restart sshd

- name: Add local user aludwar, enable sudo, unroll home directory - Load/copy script
 template: src=set-aludwar.sh dest=/tmp/set-aludwar.sh mode="u+rwx"

- name: Add local user aludwar, enable sudo, unroll home directory - Run script
 command: bash /tmp/set-aludwar.sh

- name: Flush and harden firewall(iptables) rules - Load/copy script
 template: src=set-iptables.sh dest=/tmp/set-iptables.sh mode="u+rwx"

- name: Flush and harden firewall(iptables) rules - Run script
 command: bash /tmp/set-iptables.sh

# This playbook contains common plays that will be run on all nodes.

- name: Install chrony

yum: name=chrony state=present

tags: chrony

- name: Configure chrony.conf file and restart

tags: chrony

notify: restart chrony

- name: Enable chrony at boot

service: name=chronyd state=started enabled=yes

tags: chrony

- name: Update motd

tags: motd

- name: Add --long-hostname to getty

lineinfile: dest=/etc/systemd/system/getty.target.wants/getty@tty1.service regexp="^ExecStart=" line="ExecStart=-/sbin/agetty --long-hostname --noclear %I $TERM" state=present

- name: Deploy hardened SSH client config file (/etc/ssh/ssh_config)

tags: ssh

notify: restart sshd

- name: Deploy hardened SSH server config file (/etc/ssh/sshd_config)

tags: ssh

notify: restart sshd

- name: Add local user aludwar, enable sudo, unroll home directory - Load/copy script

- name: Add local user aludwar, enable sudo, unroll home directory - Run script

command: bash /tmp/set-aludwar.sh

- name: Flush and harden firewall(iptables) rules - Load/copy script

- name: Flush and harden firewall(iptables) rules - Run script

command: bash /tmp/set-iptables.sh

Additional items to work on for an even sleeker provisioning process:

Tweaking my virsh-install script to provide a hostname, and have the OS configure it with ansible
Finding an appropriately safe, yet public place to pull this ansible code from, so I can use it with cloud providers
Removing the local ansible user and using LDAP instead for increased security and control