HOWTO: Openstack Alces
Firewall: [controller1]
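# Interfaces on controller1: management (prv), build, and the DMZ-facing NIC.
PRV=eth0
BUILD=eth1
DMZ=eth2

systemctl enable firewalld
systemctl start firewalld

# Record the zone in each ifcfg file as well as in firewalld's permanent
# configuration so the binding survives NetworkManager restarts and reboots.
echo 'ZONE=prv' >> "/etc/sysconfig/network-scripts/ifcfg-$PRV"
echo 'ZONE=build' >> "/etc/sysconfig/network-scripts/ifcfg-$BUILD"
echo 'ZONE=dmz' >> "/etc/sysconfig/network-scripts/ifcfg-$DMZ"

# prv and build are new zones (nothing allowed until a service is added);
# dmz is firewalld's built-in zone, which ships with ssh already allowed.
firewall-cmd --new-zone prv --permanent
firewall-cmd --new-zone build --permanent
firewall-cmd --add-interface "$PRV" --zone prv --permanent
firewall-cmd --add-interface "$BUILD" --zone build --permanent
firewall-cmd --add-interface "$DMZ" --zone dmz --permanent

# SSH is only intended to be reachable from the management and build networks.
firewall-cmd --add-service ssh --zone prv --permanent
firewall-cmd --add-service ssh --zone build --permanent
# The built-in dmz zone allows ssh by default, so without this the DMZ NIC
# also exposes SSH. Remove it so the DMZ side only carries what later sections
# open explicitly (8080, https, 6080, http). Skip this line if the controller
# is administered over the DMZ.
firewall-cmd --remove-service ssh --zone dmz --permanent

systemctl restart firewalld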
Firewall: [storage1]
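# Interfaces on storage1: management (prv) and build; there is no DMZ leg.
PRV=eth0
BUILD=eth1

systemctl enable firewalld
systemctl start firewalld

echo 'ZONE=prv' >> "/etc/sysconfig/network-scripts/ifcfg-$PRV"
echo 'ZONE=build' >> "/etc/sysconfig/network-scripts/ifcfg-$BUILD"

firewall-cmd --new-zone prv --permanent
firewall-cmd --new-zone build --permanent
firewall-cmd --add-interface "$PRV" --zone prv --permanent
# The build NIC belongs in the build zone. The original page bound it to prv,
# contradicting the ZONE=build written to its ifcfg above and the controller1
# section; depending on whether NetworkManager's ZONE= or firewalld's own
# binding won, $BUILD either silently got every service later opened in prv
# on this host (nfs, 9292, 3260, 8776) or the ssh rule below was the only
# thing that applied to it.
firewall-cmd --add-interface "$BUILD" --zone build --permanent

firewall-cmd --add-service ssh --zone prv --permanent
firewall-cmd --add-service ssh --zone build --permanent

systemctl restart firewalld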
Firewall: [network1]
# Interfaces on network1: management (prv) and build.
PRV=eth0
BUILD=eth1

# network1 runs plain iptables instead of firewalld.
yum install -y iptables-services iptables-utils
systemctl disable firewalld.service
systemctl stop firewalld.service
systemctl enable iptables

# Default-deny inbound ruleset. $PRV/$BUILD are expanded when the file is
# written, so the NIC names are baked into /etc/sysconfig/iptables.
# VXLAN (8472 Linux default, 4789 IANA) and the Neutron API (9696) are open to
# any source on the management NIC; SSH only from management and build.
# Nothing is forwarded by the host itself (Neutron routers live in their own
# namespaces, which this filter table does not cover).
cat << EOF > /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#vxlan
-A INPUT -p udp -i $PRV -m udp --dport 8472 -j ACCEPT
-A INPUT -p udp -i $PRV -m multiport --dports 4789 -j ACCEPT
#SSH
-A INPUT -m state --state NEW -m tcp -p tcp -i $PRV --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -i $BUILD --dport 22 -j ACCEPT
#Neutron API
-A INPUT -i $PRV -p tcp -m multiport --dports 9696 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

systemctl restart iptables
Firewall: [nova*]
# Interfaces on the compute nodes: management (prv) and build.
PRV=eth0
BUILD=eth1

# Compute nodes run plain iptables instead of firewalld (Nova's security
# groups manage their own chains on top of this base ruleset).
yum install -y iptables-services iptables-utils
systemctl disable firewalld.service
systemctl stop firewalld.service
systemctl enable iptables

# Default-deny inbound ruleset; $PRV/$BUILD are expanded when the file is
# written. VXLAN from any management-network host, SSH from management and
# build, and the VNC server range (5000-5999) from the management network so
# the noVNC proxy on the controller can reach instance consoles. Note that
# VNC traffic between proxy and compute node is unencrypted.
cat << EOF > /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#vxlan
-A INPUT -p udp -m udp --dport 8472 -i $PRV -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -i $PRV -j ACCEPT
#SSH
-A INPUT -m state --state NEW -m tcp -p tcp -i $PRV --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -i $BUILD --dport 22 -j ACCEPT
#Nova VNC
-A INPUT -p tcp -m multiport --dports 5000:5999 -i $PRV -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

systemctl restart iptables
NGINX [controller1]
yum -y install nginx
/opt/admin/alces/junoconfigs/bin/install.sh controller/etc/nginx/nginx.conf /etc/nginx/nginx.conf

# TLS material. <cert>, <key> and <ca> are placeholders for the files issued
# for this host. The same server key is copied three times for three service
# accounts (nova, apache, nginx); a compromise of any one of those services
# exposes the key shared by all of them.
mkdir /etc/certs
cp -pav <cert>.crt.pem /etc/certs/nova_crt.pem
cp -pav <key>.key.pem /etc/certs/nova_key.pem
cp -pav <ca>.crt.pem /etc/certs/ca_crt

# apache and nginx get the leaf certificate with the CA chain appended, plus
# their own copy of the key.
for svc in apache nginx; do
  cp /etc/certs/nova_crt.pem "/etc/certs/${svc}_crt.pem"
  cat /etc/certs/ca_crt >> "/etc/certs/${svc}_crt.pem"
  cp -pav /etc/certs/nova_key.pem "/etc/certs/${svc}_key.pem"
done

# Owner-only on everything under /etc/certs; the apache_* and nova_* files
# are re-owned in the nova [controller1] section once those users exist.
chown nginx:nginx /etc/certs/nginx*
chmod 600 /etc/certs/*

systemctl enable nginx
systemctl start nginx

# nginx is the only TLS front door: public endpoints are registered as
# https://$FQDN:8080/<service>/ in the sections below.
firewall-cmd --add-port 8080/tcp --zone dmz --permanent
firewall-cmd --add-service https --zone dmz --permanent
firewall-cmd --reload
MySQL [controller1]
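yum install -y mariadb-galera-server
systemctl start mariadb.service
systemctl enable mariadb.service

# Set the root password (mysqladmin prompts for it), then strip the anonymous
# accounts and the "test" database that a fresh install ships with.
mysqladmin -u root password
mysql_secure_installation

# MySQL is reachable from the management network only; never from build/dmz.
firewall-cmd --add-service mysql --zone prv --permanent
firewall-cmd --reload

# Service account used by the copied service configs. The statements are fed
# on stdin instead of being typed into an interactive session; -p still
# prompts for the root password. Replace <PASSWORD> with the value from vars.
# NOTE(review): ALL ON *.* for 'openstack'@'%' is one superuser-like login
# shared by every OpenStack service and accepted from any host that can reach
# 3306. One account per database (keystone, glance, cinder, nova, ...)
# limited to the hosts that actually connect would contain a leaked config
# file to that one service; do this if the copied configs can be adjusted.
mysql -u root -p <<'EOF'
GRANT ALL ON *.* TO 'openstack'@'%' IDENTIFIED BY '<PASSWORD>';
GRANT ALL ON *.* TO 'openstack'@'localhost' IDENTIFIED BY '<PASSWORD>';
FLUSH PRIVILEGES;
EOF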
RabbitMQ [controller1]
yum install -y rabbitmq-server

# Raise the open-file limit for the broker: it holds one socket per AMQP
# connection and the default 1024 is exhausted quickly by a full deployment.
# rabbitmq-env.conf is sourced by the broker's start script, so a ulimit
# line there takes effect for the broker process.
echo "rabbitmq - nofile 102400" >> /etc/security/limits.conf
printf '%s\n' 'ulimit -S -n 102400' > /etc/rabbitmq/rabbitmq-env.conf
chown rabbitmq:rabbitmq /etc/rabbitmq/rabbitmq-env.conf

systemctl enable rabbitmq-server
systemctl start rabbitmq-server

# AMQP on the management network only. 5672 is the plaintext listener:
# service credentials and every RPC payload cross the prv network in clear.
firewall-cmd --add-port 5672/tcp --zone prv --permanent
firewall-cmd --reload

# The stock "guest" account is kept but gets a new password; deleting it is
# the safer option if nothing in the copied configs still uses it.
rabbitmqctl change_password guest '<PASSWORD>'
# Shared account for the OpenStack daemons, with full configure/write/read
# rights on the default vhost.
rabbitmqctl add_user openstackservices '<PASSWORD>'
rabbitmqctl set_permissions openstackservices ".*" ".*" ".*"
KeyStone [controller1]
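# Generate the bootstrap admin token and record it as KEYSTONEADMINTOKEN in
# /opt/admin/alces/junoconfigs/bin/vars. This token bypasses all
# authentication on the admin API (35357): treat it like a root password and
# disable admin-token authentication in keystone's config once the endpoints
# and users below exist.
openssl rand -hex 10
# -> add the new service token to /opt/admin/alces/junoconfigs/bin/vars

#Install packages
yum install -y openstack-keystone openstack-utils
#Copy in configs
/opt/admin/alces/junoconfigs/bin/install.sh controller/etc/keystone/keystone.conf /etc/keystone/keystone.conf
echo "CREATE DATABASE keystone" | mysql -u root -p
#Configure service token
. /opt/admin/alces/junoconfigs/bin/vars
export SERVICE_TOKEN=$KEYSTONEADMINTOKEN
export SERVICE_ENDPOINT="http://$(hostname -f):35357/v2.0"
# Expired tokens are only removed by token_flush; without the cron job the
# token table grows without bound.
echo "* * * * * keystone /usr/bin/keystone-manage token_flush" >> /etc/crontab
#Configure keystone PKI
keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
chown -R keystone:keystone /var/log/keystone /etc/keystone/ssl/
#Allow firewall: public (5000) and admin (35357) APIs on the management
# network only; external clients come in through the nginx TLS endpoint.
firewall-cmd --add-port 5000/tcp --zone prv --permanent
firewall-cmd --add-port 35357/tcp --zone prv --permanent
firewall-cmd --reload
#Populate DB
su keystone -s /bin/sh -c "keystone-manage db_sync"
#Add keystone pam auth
# Custom identity driver: the SQL password is checked first, then the host's
# PAM stack is tried with the same user name. Points a reviewer would raise:
# - any Keystone user whose name matches a local account (including root)
#   can authenticate with that account's Unix password, so keep the two name
#   spaces disjoint;
# - keystone runs unprivileged, so a pam_unix-backed stack cannot read
#   /etc/shadow for other users; presumably this only works with a
#   directory-backed PAM service (sssd/ldap) -- confirm on the target host;
# - the file lives in site-packages and is lost on package upgrade.
# The heredoc delimiter is quoted so the Python source is written verbatim;
# the original page had lost the indentation, which Python requires.
cat <<'EOF' > /usr/lib/python2.7/site-packages/keystone/identity/backends/custom.py
from __future__ import absolute_import
import pam
from . import sql


class Identity(sql.Identity):
    def _check_password(self, password, user_ref):
        username = user_ref.get('name')
        #try builtin first
        if (super(Identity, self)._check_password(password, user_ref)):
            return True
        return pam.authenticate(username, password)
EOF
yum install -y python-pam
#Start services
systemctl start openstack-keystone.service
systemctl enable openstack-keystone.service
#Configure Service endpoint
keystone service-create --name=keystone --type=identity --description="Keystone Identity service"
# Only the public URL is TLS (via nginx); admin/internal URLs are plain HTTP
# and must stay confined to the management network.
keystone endpoint-create \
  --service keystone \
  --publicurl "https://$FQDN:8080/keystone/v2.0" \
  --adminurl "http://$CONTROLLER_PRVIP:35357/v2.0" \
  --internalurl "http://$CONTROLLER_PRVIP:5000/v2.0"
keystone tenant-create --name admin --description "Admin Tenant"
# Passwords given with --pass are visible in ps and shell history while the
# command runs.
keystone user-create --name stackadmin --pass "$ADMINPASS"
keystone role-create --name admin
keystone role-create --name _member_
keystone user-role-add --user stackadmin --role admin --tenant admin
# Admin credentials file: it holds the password in clear, so make it
# readable by its owner only.
cat << EOF > ~/keystonerc_stackadmin
export OS_USERNAME=stackadmin
export OS_TENANT_NAME=admin
export OS_PASSWORD="$ADMINPASS"
export OS_AUTH_URL=http://localhost:35357/v2.0/
export PS1="[\$OS_USERNAME] \$PS1"
EOF
chmod 600 ~/keystonerc_stackadmin
keystone tenant-create --name services --description "Services Tenant"
#### NB AT THIS POINT UPDATE VARS TO INCLUDE THE SERVICE TENANT ID!!!
#Re-source vars
. /opt/admin/alces/junoconfigs/bin/vars
keystone tenant-create --name primary --description "Primary Tenant"
keystone tenant-create --name hpc --description "HPC Tenant"
keystone user-create --name hpcadmin --pass "$ADMINPASS"
keystone user-role-add --user hpcadmin --role admin --tenant hpc
keystone user-create --name alcesstack --pass "$ADMINPASS"
keystone user-role-add --user alcesstack --role _member_ --tenant primary
keystone user-role-add --user stackadmin --role admin --tenant primary
# NOTE(review): every account here, including the service account used by
# the OpenStack daemons, is created with the same $ADMINPASS. The service
# configs copied by install.sh presumably carry that password, so a leak from
# any service host is a leak of the cloud admin password; give
# openstackservices its own secret.
keystone user-create --name openstackservices --pass "$ADMINPASS"
keystone user-role-add --user openstackservices --role admin --tenant services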
Glance [controller1]
yum -y install python-glanceclient

#Database
echo "CREATE DATABASE glance" | mysql -u root -p

# Register the image service. The API itself runs on storage1, so the
# internal/admin URLs point at its management address over plain HTTP while
# the public URL goes through the controller's nginx TLS endpoint.
# ($FQDN and $STORAGE_PRVIP come from the vars file sourced in the Keystone
# section.)
keystone service-create --name glance --type image --description "Glance Image Service"
keystone endpoint-create --service glance \
  --publicurl "https://$FQDN:8080/glance/" \
  --adminurl "http://$STORAGE_PRVIP:9292" \
  --internalurl "http://$STORAGE_PRVIP:9292"
Glance [storage1]
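#Packages
yum install -y openstack-glance
/opt/admin/alces/junoconfigs/bin/install.sh storage/etc/glance/glance-api.conf /etc/glance/glance-api.conf
/opt/admin/alces/junoconfigs/bin/install.sh storage/etc/glance/glance-registry.conf /etc/glance/glance-registry.conf
# The configs carry database and message-queue credentials: root-owned,
# group-readable by glance, nothing for others.
chown root:glance /etc/glance/glance-registry.conf /etc/glance/glance-api.conf
chmod 640 /etc/glance/glance-registry.conf /etc/glance/glance-api.conf

firewall-cmd --add-port 9292/tcp --zone prv --permanent
firewall-cmd --reload
sudo -u glance glance-manage db_sync

mkdir -p /var/lib/glance/images
chown glance:glance /var/lib/glance/images/
. /opt/admin/alces/junoconfigs/bin/vars
# Marks the directory as a shared filesystem store so compute nodes that
# mount it (nova [nova1] section) can match it by id.
cat << EOF > /var/lib/glance/images/store_metadata.json
{
  "id": "$GLANCEUUID",
  "mountpoint": "/var/lib/glance/images"
}
EOF

# NOTE(review): this exports the image store read-write with no_root_squash
# to all of 10.110.0.0/16. That is also the address range of the "hpc" flat
# provider subnet created in the Neutron [ controller1 ] section; if that
# network shares the segment (the bridge is labelled "HPC/PRV"), instances
# on it can mount the store and, as root, replace the images every new
# instance boots from. Only the compute nodes need the mount: narrow the
# export to their addresses and prefer root_squash. async additionally
# risks image corruption on a storage1 crash.
cat << EOF >> /etc/exports
/var/lib/glance/images 10.110.0.0/255.255.0.0(rw,no_root_squash,no_subtree_check,async)
EOF
systemctl enable nfs-server
systemctl start nfs-server
# The nfs firewalld service opens 2049 only, which is enough for NFSv4; v3
# clients would also need rpcbind/mountd.
firewall-cmd --add-service nfs --zone prv --permanent
firewall-cmd --reload

systemctl enable openstack-glance-registry
systemctl start openstack-glance-registry
systemctl start openstack-glance-api
systemctl enable openstack-glance-api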
Cinder [controller1]
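yum -y install python-cinderclient
#Database
echo "CREATE DATABASE cinder" | mysql -u root -p
#Re-source vars
. /opt/admin/alces/junoconfigs/bin/vars

# Register both API versions. The public URL goes through the nginx TLS
# endpoint; internal/admin reach storage1 directly over plain HTTP.
keystone service-create --name cinder \
  --type volume \
  --description "Cinder Volume Service"
keystone service-create --name cinderv2 \
  --type volumev2 \
  --description "Cinder Volume Service"
keystone endpoint-create \
  --service cinder \
  --publicurl "https://$FQDN:8080/cinder/v1/%(tenant_id)s" \
  --adminurl "http://$STORAGE_PRVIP:8776/v1/%(tenant_id)s" \
  --internalurl "http://$STORAGE_PRVIP:8776/v1/%(tenant_id)s"
keystone endpoint-create \
  --service cinderv2 \
  --publicurl "https://$FQDN:8080/cinder/v2/%(tenant_id)s" \
  --adminurl "http://$STORAGE_PRVIP:8776/v2/%(tenant_id)s" \
  --internalurl "http://$STORAGE_PRVIP:8776/v2/%(tenant_id)s"

# NB: run the volume-type setup only after the Cinder [storage1] section is
# complete -- these commands talk to the cinder API on storage1. (The second
# python-cinderclient install the page had here was redundant.)
cinder type-create LVM
cinder type-key LVM set volume_backend_name=LVM_iSCSI
cinder type-create NFS
cinder type-key NFS set volume_backend_name=NFS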
Cinder [storage1]
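#Packages
yum install -y openstack-cinder targetcli
/opt/admin/alces/junoconfigs/bin/install.sh storage/etc/cinder/cinder.conf /etc/cinder/cinder.conf

# $STORAGE_PRVIP comes from the shared vars file; source it here so this
# section also works in a fresh shell (the page relied on the Glance section
# having sourced it earlier).
. /opt/admin/alces/junoconfigs/bin/vars

# NFS backend share list, readable by the cinder service only.
cat << EOF > /etc/cinder/nfsshares
$STORAGE_PRVIP:/cinder
EOF
chown root:cinder /etc/cinder/nfsshares
chmod 640 /etc/cinder/nfsshares

mkdir /cinder
chown cinder:cinder /cinder
# NOTE(review): every tenant's NFS-backed volume files live under /cinder.
# Exporting it rw,no_root_squash to all of 10.110.0.0/16 -- the same range
# as the "hpc" provider subnet in the Neutron section -- lets any host in
# that range, and instances on that network if the segment is shared, read
# or modify other tenants' volumes. Restrict the export to the compute hosts
# that actually mount it.
cat << EOF >> /etc/exports
/cinder 10.110.0.0/255.255.0.0(rw,no_root_squash,no_subtree_check,async)
EOF
exportfs -av

# iSCSI (LVM backend) and the cinder API, management network only. Unless
# CHAP is enabled in cinder.conf, anyone who can reach 3260 can attach the
# LIO targets cinder creates -- keep it off tenant-reachable networks.
firewall-cmd --add-port 3260/tcp --zone prv --permanent
firewall-cmd --add-port 8776/tcp --zone prv --permanent
firewall-cmd --reload

sudo -u cinder cinder-manage db sync
# <disk> is the block device that backs the cinder-volumes LVM group.
pvcreate <disk>
vgcreate cinder-volumes <disk>

systemctl start target
systemctl enable target
systemctl start openstack-cinder-api
systemctl enable openstack-cinder-api
systemctl start openstack-cinder-scheduler
systemctl enable openstack-cinder-scheduler
systemctl start openstack-cinder-volume
systemctl enable openstack-cinder-volume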
Neutron [ controller1 ]
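#Packages
yum -y install python-neutronclient
#Auth
#Re-source vars
. /opt/admin/alces/junoconfigs/bin/vars
keystone service-create --name neutron \
  --type network \
  --description "OpenStack Networking Service"
# "--service neutron" identifies the service on its own. The page also passed
# "--service-id services" (a tenant name, not a service id); that presumably
# only worked because the two flags are aliases and the last one wins.
keystone endpoint-create \
  --service neutron \
  --publicurl "https://$FQDN:8080/neutron" \
  --adminurl "http://$NETWORK_PRVIP:9696" \
  --internalurl "http://$NETWORK_PRVIP:9696"
#Database
echo "CREATE DATABASE neutron_ml2 character set utf8;" | mysql -u root -p

# Everything below needs neutron-server running: complete the
# Neutron [ network1 ] section first.
# External (floating-IP) network, owned by the admin tenant.
export OS_TENANT_NAME=admin
neutron net-create public -- --router:external=true \
  --provider:network_type=flat \
  --provider:physical_network=physnet2
neutron subnet-create public 10.200.0.0/16 --disable-dhcp --allocation-pool start=10.200.100.1,end=10.200.200.254 --gateway=10.200.0.254 --dns=10.200.0.254

# Primary tenant: a private network routed out through "public".
export OS_TENANT_NAME=primary
neutron net-create internal
neutron subnet-create internal 192.168.150.0/24 --enable-dhcp --allocation-pool start=192.168.150.2,end=192.168.150.254 --name internal --dns 10.200.0.254
neutron router-create internal2external
neutron router-gateway-set internal2external public
neutron router-interface-add internal2external internal

# HPC tenant: flat provider networks on physnet1 (hpc) and physnet3 (build),
# i.e. instances sit directly on the physical HPC and build segments with no
# tenant isolation from other hosts on those segments.
# NOTE(review): 10.110.0.0/16 is also the range storage1 exports its NFS
# shares to; instances on this network fall inside that export.
export OS_TENANT_NAME=hpc
neutron net-create hpc -- \
  --provider:network_type=flat \
  --provider:physical_network=physnet1
neutron subnet-create --enable-dhcp hpc 10.110.0.0/16 --allocation-pool start=10.110.100.1,end=10.110.100.254 --gateway 10.110.254.1 --dns=10.110.0.1 --host-route destination=169.254.169.254/32,nexthop=10.110.100.0 --name hpc
neutron router-create hpc
# Router port at a fixed address; the subnet's host route sends the metadata
# address (169.254.169.254) through it.
neutron port-create --fixed-ip subnet=hpc,ip_address=10.110.100.0 --name hpcrouter hpc
neutron router-interface-add hpc port=hpcrouter
neutron net-create build -- \
  --provider:network_type=flat \
  --provider:physical_network=physnet3
neutron subnet-create --enable-dhcp build 10.78.0.0/16 --allocation-pool start=10.78.100.1,end=10.78.100.254 --name build
neutron router-create build
neutron port-create --fixed-ip subnet=build,ip_address=10.78.100.0 --name buildrouter build
neutron router-interface-add build port=buildrouter
#ovs-vsctl add-port br-hpc vi0 -- set Interface vi0 type=internal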
Neutron [ network1 ]
# Physical NICs handed to Open vSwitch on network1.
DMZBR=eth5     # DMZ bridge (br-dmz)
PRVBR=eth3     # HPC/PRV bridge (br-hpc)
BUILDBR=eth4   # HPC/BUILD bridge (br-build)

#Packages
yum install -y openstack-neutron openstack-neutron-openvswitch openstack-neutron-ml2
. /opt/admin/alces/junoconfigs/bin/vars
/opt/admin/alces/junoconfigs/bin/install.sh network/etc/neutron/neutron.conf /etc/neutron/neutron.conf
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
/opt/admin/alces/junoconfigs/bin/install.sh network/etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugins/ml2/ml2_conf.ini

# neutron-server runs on the network node in this layout.
neutron-db-manage --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head
systemctl enable neutron-server
systemctl start neutron-server

/opt/admin/alces/junoconfigs/bin/install.sh network/etc/neutron/dhcp_agent.ini /etc/neutron/dhcp_agent.ini
/opt/admin/alces/junoconfigs/bin/install.sh network/etc/neutron/dnsmasq-neutron.conf /etc/neutron/dnsmasq-neutron.conf
systemctl enable neutron-dhcp-agent
systemctl start neutron-dhcp-agent

# metadata_agent.ini carries the shared secret used to sign metadata requests
# towards nova-api; keep it readable by neutron only.
/opt/admin/alces/junoconfigs/bin/install.sh network/etc/neutron/metadata_agent.ini /etc/neutron/metadata_agent.ini
systemctl start neutron-metadata-agent
systemctl enable neutron-metadata-agent

/opt/admin/alces/junoconfigs/bin/install.sh network/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
systemctl start openvswitch
systemctl enable openvswitch
ovs-vsctl add-br br-int

# Writes the ifcfg file for an OVS bridge device.
ovs_bridge_ifcfg() {
  local bridge=$1
  cat << EOF > "/etc/sysconfig/network-scripts/ifcfg-$bridge"
DEVICE=$bridge
DEVICETYPE=ovs
TYPE=OVSBridge
ONBOOT=yes
BOOTPROTO=none
EOF
}

# Writes the ifcfg file that attaches a physical NIC to an OVS bridge.
ovs_port_ifcfg() {
  local nic=$1 bridge=$2
  cat << EOF > "/etc/sysconfig/network-scripts/ifcfg-$nic"
DEVICE=$nic
ONBOOT=yes
DEVICETYPE=ovs
TYPE=OVSPort
OVS_BRIDGE=$bridge
BOOTPROTO=none
HOTPLUG=no
VLAN=yes
EOF
}

for br in br-int br-hpc br-build br-dmz; do
  ovs_bridge_ifcfg "$br"
done
ovs_port_ifcfg "$DMZBR" br-dmz
ovs_port_ifcfg "$PRVBR" br-hpc
ovs_port_ifcfg "$BUILDBR" br-build

# Re-plumb the NICs into their bridges, then bring the bridges up.
for nic in "$BUILDBR" "$PRVBR" "$DMZBR"; do ifdown "$nic"; done
for nic in "$BUILDBR" "$PRVBR" "$DMZBR"; do ifup "$nic"; done
for br in br-dmz br-hpc br-int br-build; do ifup "$br"; done

# The L3 agent needs the host to forward, and the Neutron agents need
# reverse-path filtering off. Note the second part also removes the
# kernel's spoofed-source check on the host's own interfaces.
cat << EOF >> /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
EOF
sysctl -p

/opt/admin/alces/junoconfigs/bin/install.sh network/etc/neutron/l3_agent.ini /etc/neutron/l3_agent.ini
/opt/admin/alces/junoconfigs/bin/install.sh network/etc/neutron/fwaas_driver.ini /etc/neutron/fwaas_driver.ini
systemctl enable neutron-l3-agent
systemctl start neutron-l3-agent
systemctl enable neutron-openvswitch-agent
systemctl start neutron-openvswitch-agent
systemctl enable neutron-ovs-cleanup
systemctl start neutron-ovs-cleanup
nova [controller1]
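#Packages
yum install -y openstack-nova-novncproxy openstack-nova-console
yum install -y openstack-nova-api \
  openstack-nova-conductor openstack-nova-scheduler \
  python-cinderclient openstack-nova-cert
#Firewall
# 8774 (compute API) and 8775 (metadata API) stay on the management network.
# 6080 is the noVNC proxy and is also opened on the dmz: that exposes the
# console websocket -- and the per-session console tokens carried in its
# URLs -- over plain HTTP unless nova.conf points the proxy base URL at a
# TLS front end.
firewall-cmd --add-port 6080/tcp --zone prv --permanent
firewall-cmd --add-port 6080/tcp --zone dmz --permanent
firewall-cmd --add-port 8774/tcp --zone prv --permanent
firewall-cmd --add-port 8775/tcp --zone prv --permanent
firewall-cmd --reload
#Config
/opt/admin/alces/junoconfigs/bin/install.sh controller/etc/nova/nova.conf /etc/nova/nova.conf
/opt/admin/alces/junoconfigs/bin/install.sh controller/etc/nova/api-paste.ini /etc/nova/api-paste.ini
#Database: create and populate the schema before any nova daemon starts. The
# page started consoleauth/novncproxy/api first and ran "db sync" after
# nova-api, so those daemons came up against an empty database.
echo "CREATE DATABASE nova;" | mysql -u root -p
su -s /bin/sh -c "nova-manage db sync" nova
#keystone
. /opt/admin/alces/junoconfigs/bin/vars
keystone service-create --name compute \
  --type compute \
  --description "OpenStack Compute Service"
# NOTE(review): the internal/admin URLs carry a "/nova" path prefix that no
# other service uses for its direct (non-nginx) endpoint; unless the copied
# api-paste.ini mounts the API under /nova, these URLs will not resolve.
keystone endpoint-create \
  --service compute \
  --publicurl "https://$FQDN:8080/nova/v2/%(tenant_id)s" \
  --internalurl "http://$CONTROLLER_PRVIP:8774/nova/v2/%(tenant_id)s" \
  --adminurl "http://$CONTROLLER_PRVIP:8774/nova/v2/%(tenant_id)s"
#Services
for svc in openstack-nova-consoleauth openstack-nova-novncproxy \
           openstack-nova-api openstack-nova-cert \
           openstack-nova-scheduler openstack-nova-conductor; do
  systemctl enable "$svc"
  systemctl start "$svc"
done
# httpd is installed here only so the apache user exists for the chown;
# the nova_* key/cert copies are the ones nova.conf references.
yum -y install httpd
chown apache:apache /etc/certs/apache_*
chown nova:nova /etc/certs/nova_*
chown nginx:nginx /etc/certs/nginx_*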
nova [nova1]
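# VLAN sub-interfaces handed to Open vSwitch on this compute node.
DMZBR=em2.4    # DMZ bridge (br-dmz)
PRVBR=em2.2    # HPC/PRV bridge (br-hpc)
# HPC/BUILD bridge (br-build). The original page assigned PRVBR a second time
# here and never set BUILDBR, so the build port ifcfg was written to
# "ifcfg-" and ifup ran with an empty interface name. Fill in the build VLAN
# sub-interface; the guard refuses to continue until it is set.
BUILDBR=
: "${BUILDBR:?set BUILDBR to the build VLAN sub-interface before running this section}"

# Shared host variables ($STORAGE_PRVIP is used for the NFS mount below).
. /opt/admin/alces/junoconfigs/bin/vars

#Packages
yum -y install python-novaclient crudini openstack-utils openstack-neutron openvswitch openstack-neutron-openvswitch openstack-neutron-ml2 openstack-nova-compute sysfsutils
#Config
/opt/admin/alces/junoconfigs/bin/install.sh nova/etc/nova/nova.conf /etc/nova/nova.conf
/opt/admin/alces/junoconfigs/bin/install.sh nova/etc/neutron/neutron.conf /etc/neutron/neutron.conf
/opt/admin/alces/junoconfigs/bin/install.sh nova/etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugins/ml2/ml2_conf.ini
/opt/admin/alces/junoconfigs/bin/install.sh nova/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
ln -snf /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

# Reverse-path filtering must be off for the Neutron OVS agent; this also
# removes the kernel's spoofed-source check on the host's own interfaces.
cat <<EOF >> /etc/sysctl.conf
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
EOF
sysctl -p

# Host firewall from the Firewall: [nova*] section (systemctl form of the
# chkconfig/service calls the page used here).
systemctl enable iptables
systemctl restart iptables

# OVS has to be running before any OVS bridge or port can be brought up;
# the page started it only after the ifup calls.
systemctl enable openvswitch
systemctl start openvswitch

# Writes the ifcfg file for an OVS bridge device.
ovs_bridge_ifcfg() {
  local bridge=$1
  cat << EOF > "/etc/sysconfig/network-scripts/ifcfg-$bridge"
DEVICE=$bridge
DEVICETYPE=ovs
TYPE=OVSBridge
ONBOOT=yes
BOOTPROTO=none
EOF
}

# Writes the ifcfg file that attaches a VLAN sub-interface to an OVS bridge.
ovs_port_ifcfg() {
  local nic=$1 bridge=$2
  cat << EOF > "/etc/sysconfig/network-scripts/ifcfg-$nic"
DEVICE=$nic
VLAN=yes
ONBOOT=yes
DEVICETYPE=ovs
TYPE=OVSPort
OVS_BRIDGE=$bridge
BOOTPROTO=none
HOTPLUG=no
EOF
}

for br in br-int br-hpc br-dmz br-build; do
  ovs_bridge_ifcfg "$br"
done
ovs_port_ifcfg "$PRVBR" br-hpc
ovs_port_ifcfg "$DMZBR" br-dmz
ovs_port_ifcfg "$BUILDBR" br-build

for dev in br-int br-hpc br-dmz br-build "$PRVBR" "$DMZBR" "$BUILDBR"; do
  ifup "$dev"
done

#Services
for svc in libvirtd openstack-nova-compute neutron-openvswitch-agent; do
  systemctl enable "$svc"
  systemctl start "$svc"
done

#Configure the glance NFS mount
# Shared image store exported by storage1. nosuid/nodev: nothing on the
# image store should be honoured as setuid or as a device node on the
# compute host, and the export is writable by more hosts than this one.
mkdir -p /var/lib/glance/images
echo "$STORAGE_PRVIP:/var/lib/glance/images /var/lib/glance/images nfs defaults,nosuid,nodev 0 0" >> /etc/fstab
mount /var/lib/glance/images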
HORIZON [controller1]
#packages
yum -y install openstack-dashboard httpd mod_wsgi memcached python-memcached mod_ssl

# Dashboard settings, the TLS vhost, the WSGI app, and the HTTP->HTTPS
# redirect (redirect-to-https.conf supersedes the older redirect.conf).
install_cfg() {
  /opt/admin/alces/junoconfigs/bin/install.sh "$1" "$2"
}
install_cfg controller/etc/openstack-dashboard/local_settings /etc/openstack-dashboard/local_settings
install_cfg controller/etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf
install_cfg controller/etc/httpd/conf.d/openstack-dashboard.conf /etc/httpd/conf.d/openstack-dashboard.conf
#install_cfg controller/etc/httpd/conf.d/redirect.conf /etc/httpd/conf.d/redirect.conf
install_cfg controller/etc/httpd/conf.d/redirect-to-https.conf /etc/httpd/conf.d/redirect.conf

# memcached holds dashboard session data. Nothing opens 11211 in any zone,
# but the stock /etc/sysconfig/memcached does not appear to restrict the
# bind address -- confirm, and bind it to 127.0.0.1.
systemctl enable httpd.service memcached.service
systemctl start httpd.service memcached.service

# Plain HTTP on the dmz exists only to be redirected to HTTPS.
firewall-cmd --add-service http --zone dmz --permanent
firewall-cmd --reload
HEAT [controller]
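yum -y install openstack-heat-api openstack-heat-api-cfn openstack-heat-engine \
  python-heatclient

# Heat API (8004) and CFN API (8000) on the management network only.
firewall-cmd --add-port 8000/tcp --zone prv --permanent
firewall-cmd --add-port 8004/tcp --zone prv --permanent
firewall-cmd --reload

# Heat gets its own database account. The original page carried a real
# password here in clear text; use the same '<PASSWORD>' placeholder as the
# other sections and keep the value in the vars file, never on a wiki page.
# Statements are fed on stdin; -p still prompts for the root password.
mysql -u root -p <<'EOF'
CREATE DATABASE heat;
GRANT ALL PRIVILEGES ON heat.* TO 'heat'@'localhost' IDENTIFIED BY '<PASSWORD>';
GRANT ALL PRIVILEGES ON heat.* TO 'heat'@'%' IDENTIFIED BY '<PASSWORD>';
EOF

# Use the same host variables as the other controller sections instead of
# the hard-coded FQDN and 10.10.2.1 the page had here (assumes FQDN and
# CONTROLLER_PRVIP in vars refer to this controller).
. /opt/admin/alces/junoconfigs/bin/vars
keystone service-create --name heat --type orchestration \
  --description "Orchestration"
keystone service-create --name heat-cfn --type cloudformation \
  --description "Orchestration"
keystone endpoint-create \
  --service heat \
  --publicurl "https://$FQDN:8080/heat/v1/%(tenant_id)s" \
  --internalurl "http://$CONTROLLER_PRVIP:8004/v1/%(tenant_id)s" \
  --adminurl "http://$CONTROLLER_PRVIP:8004/v1/%(tenant_id)s"
# NOTE(review): the CFN public URL points straight at port 8000 rather than
# the nginx endpoint on 8080, and 8000 is only opened in the prv zone above,
# so as written this public endpoint is not reachable from outside.
keystone endpoint-create \
  --service heat-cfn \
  --publicurl "https://$FQDN:8000/heatcfn/v1" \
  --internalurl "http://$CONTROLLER_PRVIP:8000/v1" \
  --adminurl "http://$CONTROLLER_PRVIP:8000/v1"
keystone role-create --name heat_stack_user
keystone role-create --name heat_stack_owner

su -s /bin/sh -c "heat-manage db_sync" heat
systemctl enable openstack-heat-api.service openstack-heat-api-cfn.service \
  openstack-heat-engine.service
systemctl start openstack-heat-api.service openstack-heat-api-cfn.service \
  openstack-heat-engine.service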
Copyright (c) 2008-2015 Alces Software Ltd