digging openstack

Digging [email protected]

@kiddtmhttp://blog.woosum.net

http://linkedin.com/in/whitekid

mailto:[email protected]

mailto:[email protected]

http://blog.woosum.net

http://blog.woosum.net



Live Migration

for compute node maintenance

(true) Live Migration

Block Live Migration

Migrate

Evacuate(for compute node failure)

Usages(True) Live Migration

nova live-migration <instance> <compute node>

Block Migration

nova live-migration --block_migration <instance> <compute node>

migrate

nova migrate <instance>

evacuation

nova evacuate <instance> <compute node>

nova evacuate <instance> <compute node> --on-shared-storage

Live migration

Requirements pros cons

(True) Live Migration Shared Storage fast shared storage

Block Migration N/A no shared storagelocal I/O

slowerfailure sometimes

Migrate N/A . schedulervm rebooted

Evacuation ssh public key for nova@ . settings only

only boot from volume

Shared Storage customization on nova boot

de facto standard for OpenStack storage by community(^^)

for Live migration

Ceph

ceph

rising star: dream host...

kvm, qemu integration

inktank, ubuntu, suse

cinder, glance, nova(havana) integration

self-healing, self-managing… almost zero maintenance

gluster

glance, cinder will be next release

nova for glusterfs

gluster 3.4 released at 7.15

… including virtual block storage, OpenStack integration and a lot more…

no documentation and ubuntu repo has 3.2 ^^

. vs GlusterFS

feasible solutions(True) Live Migration

ceph for cinder, glance

glusterfs for instance storage

Block Migration(*)

ceph for cinder, glance

local nova instances storage

in havana we go to true live migration

all ceph

nova integration patch in review(targeted h2)

simple!! performance testing

SPEC

Network 1G, no SSD single HDD

1 MON, 3 OSD

vm disk write performance

local disk: 250MB/sec

ceph volume: 100~120MB/sec

with bonding: 120~150MB/sec

availability zone vs host aggregation

in grizzly zone was deprecated

node_availability_zone → default_availability_zone

only effect to nova-api

in grizzly host aggregation is zone

#�� nova�� host-list+-----------+-------------+----------+|�� host_name�� |�� service�� |�� zone�� |+-----------+-------------+----------+|�� compute01�� |�� compute�� |�� nova�� ||�� compute02�� |�� compute�� |�� nova�� ||�� compute03�� |�� compute�� |�� nova�� |

user1�� #�� nova�� availability-zone-list+------+-----------+|�� Name�� |�� Status�� |+------+-----------+|�� nova�� |�� available�� |+------+-----------+

#�� nova�� aggregate-create�� zone1�� zone1#�� nova�� aggregate-create�� zone2�� zone2#�� nova�� aggregate-create�� zone3�� zone3#�� nova�� aggregate-list+----+-------+-------------------+|�� Id�� |�� Name�� |�� Availability�� Zone�� |+----+-------+-------------------+|�� 7�� |�� zone1�� |�� zone1�� ||�� 8�� |�� zone2�� |�� zone2�� ||�� 9�� |�� zone3�� |�� zone3�� |+----+-------+-------------------+

#�� nova�� aggregate-add-host�� 1�� compute01#�� nova�� aggregate-add-host�� 2�� compute02#�� nova�� aggregate-add-host�� 3�� compute03

#�� nova�� availability-zone-list+-----------------------+----------------------------------------+|�� Name�� |�� Status�� |+-----------------------+----------------------------------------+|�� zone1�� |�� available�� ||�� |-�� compute01�� |�� ||�� |�� |-�� nova-compute�� |�� enabled�� :-)�� 2013-07-17T10:04:18.000000�� ||�� zone2�� |�� available�� ||�� |-�� compute02�� |�� ||�� |�� |-�� nova-compute�� |�� enabled�� :-)�� 2013-07-17T10:04:19.000000�� ||�� zone3�� |�� available�� ||�� |-�� compute03�� |�� ||�� |�� |-�� nova-compute�� |�� enabled�� :-)�� 2013-07-17T10:04:24.000000�� |+-----------------------+----------------------------------------+

user1�� #�� nova�� availability-zone-list+-------+-----------+|�� Name�� |�� Status�� |+-------+-----------+|�� zone1�� |�� available�� ||�� zone2�� |�� available�� ||�� zone3�� |�� available�� |+-------+-----------+

#�� nova�� boot�� --flavor=1�� --nic�� net-id=$NET�� --image=$IMAGE_ID�� --key_name=admin�� --availability-zone�� zone1�� vm

#�� nova�� show�� vm+-----------------------------+------------------------------------------------------------+|�� Property�� |�� Value�� |+-----------------------------+------------------------------------------------------------+|�� status�� |�� ACTIVE�� ||�� flavor�� |�� m1.tiny�� (1)�� ||�� id�� |�� 1dc69ddb-b737-4940-9386-9bf7d8feffec�� ||�� security_groups�� |�� [{u'name':�� u'default'}]�� ||�� demo2�� network�� |�� 10.10.10.4�� ||�� user_id�� |�� 76c1bbb3d2d84d72b11f7ca05ed316a5�� ||�� name�� |�� vm�� ||�� tenant_id�� |�� 55d7c801728a457392d25a72293e3d21�� ||�� OS-EXT-STS:power_state�� |�� 1�� ||�� OS-EXT-AZ:availability_zone�� |�� g1�� ||�� config_drive�� |�� |+-----------------------------+------------------------------------------------------------+

no horizon integration

some display bugs

there is no way update flavor with nova cli

if you want then use SQL

in horizon, delete and create flavor

if your want disable flavor with nova cli

make it private

UPDATE instance_types SET is_public = 0 WHERE name = ‘m1.large’

flavor

private flavorwhen

hadoop flavor to hadoop team

database flavor to database team

usage

nova flavor-create <name> <id> <ram> <disk> <vcpu> --is-public false

nova flavor-access-add <flavor> <tenant>

nova flavor-access-list --flavor <flavor_id>

keystone n:n

keystone user-create --name user1 --pass user1

You are not authorized for any projects.

keystone user-role-add --user user2 --tenant demo2 --role Member

keystone user-role-add --user user2 --tenant demo1 --role Member

admin role is OpenStack system admin role

tenant, usertenant & user

tenant for team, service, project…

user for persons, user can subscribe multiple tenants

tenant admin(eg. network admin)

policy.json

default: /etc/quantum/policy.json

"create_network": "",

tenant-admin

"tenant_admin": "role:tenant-admin",

"create_network": "rule:tenant_admin",

too many tokensin keystone database

mysql> select name, count(*) as token_count from token, user where token.user_id = user.id group by user_id;+---------+-------------+| name | token_count |+---------+-------------+| user1 | 8 || cinder | 4 || admin | 2221 || user2 | 184 || nova | 17 || quantum | 36858 || hello | 1 |+---------+-------------+7 rows in set (1.13 sec)

If it make problem, just delete all tokens ^^;

It’s not a quantum bug, It’s nova bug.

MySQL reports many slow queries(no indexed queries). tuning needed.

DNS entries

can we connect vm with dns?

$ nova dns-create <ip> <name> <domain>

currently not! try designate

cases 1: external dns entries

case 2: internal dns entries within tenant network

case1: external dnsvips: floating ip, load balancer

<vip name>.<tenant name>.<zone>.compute.XXXX

floating ip: instance name

load balancer: load balancer pool name

need some magic with quantum api and rndc

designate, domk

metadata needs to change

local-hostname: instance.internal

public-hostname: instance.internal

case 2: within tenant

$ ping 10-10-10-2.internal

fa:16:3e:10:af:8e,10-10-10-2.internal,10.10.10.2

$ ping test-vm.internal

fa:16:3e:10:af:8e,test-vm.internal,10.10.10.2

Nova does not currently provide this information to Quantum when creating the port and Quantum does not have the ability to query the Nova API. Quantum and Nova should not directly access the other component's database, so changes would be needed in API interaction between Nova and Quantum to make this work.

tenant’s dns server

quantum subnet-create $NET_ID $TENANT_CIDR --tenant_id=$TENANT_ID --dns_nameservers list=true 8.8.8.8,8.8,4,4

user must remember dns servers.

if omit, instance’s dns server will be dhcp server ip address.

but default routing missed in dhcp namespace.

5dd0cf15463e181b92c8809c2dcc7603bb156a0e

multiple network-agent

quantum l3-agent-list-hosting-router <router>

quantum l3-agent-router-remove <agent1> <router>

quantum l3-agent-router-add <agent2> <router>

dhcp: active/active

lbquantu

L3: SPoF

delegate network agent to h/w

currently focused on l2 network provisioning and load balancer

lb: havana

dhcp: multiple active/active agent

l3 not yet.

currently you can this with provider network.

do it your self quantum-<your-router>-plugin ^^;

only 755 line

GuestOS Image Requirements

root partition resize

No hard-coded MAC address

ssh-server

ssh public-key

user-data and other metadata

Paravirtualize

CentOS Imageundocumented

disable zeroconfig: 169.254.0.0/16

delete root password

cloud-init:

create cloud-user

allow sudo

limitation

no partition resize

qcow2 optimize

vm # dd if=/dev/zero of=file ; delete file

host # qemu-img convert -cp -O qcow2 <image file> <qcow file>

Custom Images...

cloud users: ubuntu, ec2-user → admin

fix root disk size: 8G(aws)

OpenStack as K*k**per-tenant per-router with private network

provider network model

ceph to cinder, glance, nova…

no specialized hardware for cloud

no custom modification. only apply upstream patches

full self serviced private IaaS(~13)

provide IaaS to partners(14~)

integrate internal services

chef everywhere!

My Environment

kvm on kvm with 32G(at least) 16 core

11 virtual machines

chef-server(1), database+rabbitmq(1), controller(3), network(2), compute+ceph(3), log+monitoring(1)

automated chef

openvswitch for internal cloud networks

management, data(with vlan), external(with vlan), storage(with bonding)

10.0.0.0/8

NAT to public

vpn to internal cloud network: horizon, instance

thanks to so many opensource contributors!

OpenStack - Ubuntu - Ceph - OpenVSwich - Django - Python - Paste - SQLAlchemy -

haproxy - dnsmasq - kvm - qemu - libvirt - MySQL - rabbitmq - Apache - chef - openvpn -

Linux…and special thanks to OSX

digging openstack

Technology

migration block migration

evacuation nova

nova boot

openstack storage

release nova

ceph nova integration

virtual block storage

mbsec ceph volume