Skip to main content

How to deploy TripleO Queens without external network

TripleO Queens has an interesting feature that is called 'composable networks'. It allows to deploy Openstack with the choice of networks that you want, depending on your environment. Please see: https://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/custom_networks.html

By default, the following networks are defined:
  • Storage
  • Storage Management
  • Internal Api
  • Tenant
  • Management
  • External
The external network allows to reach the endpoints externally, and also to define networks to reach the vms externally as well. But to have that, it is needed to have a network with external access, routable, on your lab. Not all labs have it, specially for CI environments, so it may be useful to deploy without it, and just have internal access to endpoints and vms. In this blogpost i'm just going to explain how to achieve it.

First make a copy of your original tripleo-heat-templates, to another directory /home/stack/working-templates, and edit the following files:

network_data.yaml

This file will contain the network definitions by default. You will need to edit it and remove all the external definitions from there. Remove that bits:

- name: External
  vip: true
  name_lower: external
  vlan: 10
  ip_subnet: '10.0.0.0/24'
  allocation_pools: [{'start': '10.0.0.4', 'end': '10.0.0.250'}]
  gateway_ip: '10.0.0.1'
  ipv6_subnet: '2001:db8:fd00:1000::/64'
  ipv6_allocation_pools: [{'start': '2001:db8:fd00:1000::10', 'end': '2001:db8:fd00:1000:ffff:ffff:ffff:fffe'}]
  gateway_ipv6: '2001:db8:fd00:1000::1'


 Also edit all the other values, to match the settings of your lab.

roles_data.yaml

This file contains the definitions for each role, including the networks that each role is expecting to contain. You need to edit this file and remove the external network from the Controller:

- name: Controller
  ...
  tags:
    - primary
    - controller
  networks:
    - External -> remove that


And you also need to edit the default route of the controller, to stop  using the External network as default, and start using the ControlPlane:

default_route_networks: ['External'] -> default_route_networks: ['ControlPlane']

network/service_net_map.j2.yaml

This file contains the mapping of services and networks. It needs to be edited to modify the network assigned to public. Instead of external, it needs to be mapped to internal_api:

PublicNetwork: external -> PublicNetwork: internal_api

puppet/all-nodes-config.j2.yaml

This file contains puppet configuration for nodes, and has some values that are referencing External network. They need to be changed to point to Internal api:

tripleo::haproxy::public_virtual_ip: {get_param: [NetVipMap, {get_param: ExternalNetName}]} -> tripleo::haproxy::public_virtual_ip: {get_param: [NetVipMap, {get_param: InternalApiNetName}]}
tripleo::keepalived::public_virtual_ip: {get_param: [NetVipMap, {get_param: ExternalNetName}]} ->
tripleo::keepalived::public_virtual_ip: {get_param: [NetVipMap, {get_param: InternalApiNetName}]}

public_virtual_ip: {get_param: [NetVipMap, {get_param: ExternalNetName}]} -> public_virtual_ip: {get_param: [NetVipMap, {get_param: InternalApiNetName}]}

Generate the templates

Once all these files have been edited, the templates can be generated. To do that, there is  a python helper script to achieve that. Inside your working directory, check tools/process-templates.py. It can accept several parameters like:
  • -p -> specify the base path where to collect the templates from 
  • -r -> roles_data file to consume 
  • -n -> network_data file to consume 
  • -o -> output_dir where to generate the target templates
Execute this commands with those flags and this will generate the final templates for you. Then you can include then in your deploy command. A sample deploy command for that can be:

openstack overcloud deploy --templates ./templates -r ./templates/roles_data.yaml -e ./templates/docker-images.yaml -e ./templates/environments/net-single-nic-with-vlans-no-external.yaml -e ./templates/environments/network-environment.yaml

In this case an extra environment net-single-nic-with-vlans-no-external is included, to be able to deploy with just 1 nic using different vlans, and without having an external network. A sample of the generated templates using that method can be found at: https://github.com/redhat-nfvpe/toad_envs/blob/master/13_no_external_sample_environment 

Following those steps you will have your OpenStack cloud deployed without external network, just using internal endpoints, that will be useful for testing and CI purposes.






Comments

Post a Comment

Popular posts from this blog

Build and use security hardened images with TripleO

Starting to apply since Pike Concept of security hardened images Normally the images used for overcloud deployment in TripleO are not security hardened. It means, the images lack all the extra security measures needed to accomplish with ANSSI requirements. These extra measures are needed to deploy TripleO in environments where security is an important feature.
The following recommendations are given to accomplish with security guidelines:
ensure that /tmp is mounted on a separate volume or partition, and that it is mounted with rw,nosuid,nodev,noexec,relatime flagsensure that /var, /var/log and /var/log/audit are mounted on separates volumes or partitions, and that are mounted with rw,relatime flags.ensure that /home is mounted on a separate partition or volume, and that it is mounted with rw,nodev,relatime flags.include extra kernel boot flag to enable auditing: add audit=1 to GRUB_CMDLINE_LINUX settingdisable kernel support for USB via bootloader configuration: add nousb to GRUB_CMD…

Start using whole disk images with TripleO

What are the differences between flat partition image and whole disk image? In order to understand this article, you first need to know what a flat partition image and a whole disk image are, and the differences between each other.
flat partition image: disk image that just contains all the desired content in a filesystem, but does not carry any information about partitions on it, and it does not include a bootloader. In order to boot from a whole disk image, the kernel and ramdisk images need to be passed independently when booting, relying on an external system to mount.whole disk image: image that contains all the information about partitions, bootloaders... as well as all the desired content. It can boot independently, without the need of external kernels or systems to mount it. Right now, OpenStack Ironic  supports both kind of images, but OpenStack TripleO was only supporting flat partition images.

TripleO added support for whole disk images Since python-tripleoclient 5.6.0 ver…