OpenStack Administrator Guide, SUSE OpenStack Cloud 8

ABSTRACT

OpenStack offers open source software for OpenStack administrators to manage and troubleshoot an OpenStack cloud. This guide documents OpenStack Newton and Mitaka releases.

Publication Date: 07/29/2021

SUSE LLC
1800 South Novell Place
Provo, UT 84606
USA
https://documentation.suse.com

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License: http://creativecommons.org/licenses/by/3.0/legalcode

Contents

1 Documentation Conventions

2 Get started with OpenStack
  2.1 Conceptual architecture
  2.2 Logical architecture
  2.3 OpenStack services
      Compute service overview • Storage concepts • Object Storage service overview • Block Storage service overview • Shared File Systems service overview • Networking service overview • Dashboard overview • Identity service overview • Image service overview • Telemetry service overview • Orchestration service overview • Database service overview • Data Processing service overview
  2.4 Feedback

3 Identity management
  3.1 Identity concepts
      User management • Service management • Groups
  3.2 Certificates for PKI
      Sign certificate issued by external CA • Request a signing certificate from an external CA • Install an external signing certificate • Switching out expired signing certificates
  3.3 Domain-specific configuration
      Enable drivers for domain-specific configuration files • Enable drivers for storing configuration options in SQL database • Migrate domain-specific configuration files to the SQL database
  3.4 External authentication with Identity
      Use HTTPD authentication • Use X.509
  3.5 Integrate Identity with LDAP
      Identity LDAP server set up • Integrate Identity back end with LDAP • Secure the OpenStack Identity service connection to an LDAP back end
  3.6 Keystone tokens
      Authorization scopes • Token providers
  3.7 Configure Identity service for token binding
  3.8 Fernet - Frequently Asked Questions
      What are the different types of keys? • So, how does a staged key help me and why do I care about it? • Where do I put my key repository? • What is the recommended way to rotate and distribute keys? • Do fernet tokens still expire? • Why should I choose fernet tokens over UUID tokens? • Why should I choose fernet tokens over PKI or PKIZ tokens? • Should I rotate and distribute keys from the same keystone node every rotation? • How do I add new keystone nodes to a deployment? • How should I approach key distribution? • How long should I keep my keys around? • Is a fernet token still a bearer token? • What if I need to revoke all my tokens? • What can an attacker do if they compromise a fernet key in my deployment? • I rotated keys and now tokens are invalidating early, what did I do?
  3.9 Use trusts
  3.10 Caching layer
      Caching for tokens and tokens validation • Caching for non-token resources • Configure the Memcached back end example
  3.11 Security compliance and PCI-DSS
      Setting the account lockout threshold • Disabling inactive users • Configuring password expiration • Indicating password strength requirements • Requiring a unique password history
  3.12 Example usage and Identity features
      Logging • User CRUD
  3.13 Authentication middleware with user name and password
  3.14 Identity API protection with role-based access control (RBAC)
  3.15 Troubleshoot the Identity service
      Debug PKI middleware • Debug signing key file errors • Flush expired tokens from the token database table

4 Dashboard
  4.1 Customize and configure the Dashboard
  4.2 Set up session storage for the Dashboard
      Local memory cache • Cached database • Cookies
  4.3 Create and manage images
      Create images • Update images • Delete images
  4.4 Create and manage roles
      Create a role • Edit a role • Delete a role
  4.5 Manage instances
      Create instance snapshots • Control the state of an instance • Track usage
  4.6 Manage flavors
      Create flavors • Update flavors • Update Metadata • Delete flavors
  4.7 Manage volumes and volume types
      Create a volume type • Create an encrypted volume type • Delete volume types • Delete volumes
  4.8 Manage shares and share types
      Create a share type • Update share type • Delete share types • Delete shares • Delete share server • Delete share networks
  4.9 View and manage quotas
      View default project quotas • Update project quotas
  4.10 View cloud resources
      View services information • View cloud usage statistics
  4.11 Create and manage host aggregates
      To create a host aggregate • To manage host aggregates
  4.12 Launch and manage stacks using the Dashboard

5 Compute
  5.1 System architecture
      Hypervisors • Projects, users, and roles • Block storage • EC2 compatibility API • Building blocks • Compute service architecture
  5.2 Images and instances
      Instance Launch • Image properties and property protection • Image download: how it works • Instance building blocks • Instance management tools • Control where instances run • Launch instances with UEFI
  5.3 Networking with nova-network
      Networking concepts • DHCP server: dnsmasq • Configure Compute to use IPv6 addresses • Metadata service • Enable ping and SSH on VMs • Configure public (floating) IP addresses • Remove a network from a project • Multiple interfaces for instances (multinic) • Troubleshooting Networking
  5.4 System administration
      Manage Compute users • Manage volumes • Flavors • Compute service node firewall requirements • Injecting the administrator password • Manage the cloud • Logging • Secure with rootwrap • Configure migrations • Migrate instances • Configure remote console access • Configure Compute service groups • Security hardening • Recover from a failed compute node • Advanced configuration
  5.5 Troubleshoot Compute
      Compute service logging • Guru Meditation reports • Common errors and fixes for Compute • Credential errors, 401, and 403 forbidden errors • Instance errors • Empty log output for Linux instances • Reset the state of an instance • Injection problems • Disable live snapshotting

6 Object Storage
  6.1 Introduction to Object Storage
  6.2 Features and benefits
  6.3 Object Storage characteristics
  6.4 Components
      Proxy servers • Rings • Zones • Accounts and containers • Partitions • Replicators • Use cases
  6.5 Ring-builder
      Ring data structure • Partition assignment list • Overload • Replica counts • Partition shift value • Build the ring
  6.6 Cluster architecture
      Access tier • Storage nodes
  6.7 Replication
      Database replication • Object replication
  6.8 Large object support
      Large objects
  6.9 Object Auditor
  6.10 Erasure coding
  6.11 Account reaper
  6.12 Configure project-specific image locations with Object Storage
  6.13 Object Storage monitoring
      Swift Recon • Swift-Informant • Statsdlog • Swift StatsD logging
  6.14 System administration for Object Storage
  6.15 Troubleshoot Object Storage
      Drive failure • Server failure • Detect failed drives • Emergency recovery of ring builder files

7 Block Storage
  7.1 Increase Block Storage API service throughput
  7.2 Manage volumes
      Boot from volume • Configure an NFS storage back end • Configure a GlusterFS back end • Configure multiple-storage back ends • Back up Block Storage service disks • Migrate volumes • Gracefully remove a GlusterFS volume from usage • Back up and restore volumes and snapshots • Export and import backup metadata • Use LIO iSCSI support • Configure and use volume number weigher • Consistency groups • Configure and use driver filter and weighing for scheduler • Rate-limit volume copy bandwidth • Oversubscription in thin provisioning • Image-Volume cache • Volume-backed image • Get capabilities • Generic volume groups
  7.3 Troubleshoot your installation
      Troubleshoot the Block Storage configuration • Multipath call failed exit • Addressing discrepancies in reported volume sizes for EqualLogic storage • Failed to Attach Volume, Missing sg_scan • HTTP bad request in cinder volume log • Duplicate 3PAR host • Failed to attach volume after detaching • Failed to attach volume, systool is not installed • Failed to connect volume in FC SAN • Cannot find suitable emulator for x86_64 • Non-existent host • Non-existent VLUN

8 Shared File Systems
  8.1 Introduction
  8.2 Key concepts
      Share • Share instance • Snapshot • Storage Pools • Share Type • Share Access Rules • Security Services • Share Networks • Share Servers
  8.3 Share management
      Share basic operations • Manage and unmanage share • Manage and unmanage share snapshot • Resize share • Quotas and limits
  8.4 Migrate shares
  8.5 Share types
      Share

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    763 Page