Crowbar and Knife Openstack

juddmaltin-dell edited this page Jul 11, 2012 · 34 revisions

Important Introductory Remarks

  1. Chef authentication is required. "knife openstack create" implies "knife bootstrap", which requires a valid chef_client (and not the crowbar chef_client).

  2. The crowbar chef_client user cannot be used with knife. You must create your own user with admin privileges.

  3. Adding dependent libs: the proper libs (as of 6/21/2012) are not included in the Crowbar ISO. Your chef_client node will need to get gems and libs, detailed below.

  4. Decide which user and host you want to run the knife openstack commands from. I suggest creating a "devops" user on any node. I chose the crowbar admin node because I had already set it up for Internet access, so I could easily download the dependent apt packages.

  5. If you use the root user on the Crowbar Admin box, root's .chef/knife.rb file will be overwritten by chef-client when you try to add the following configs to enable "knife openstack". Use a different user, as above (and not crowbar, either).

Create a chef_client for knife openstack work (unless you already have created one for your own stuff)

Create an OS user (devops) on the admin node.

root@admin:~/# adduser devops
Adding user `devops' ...

root@admin:~/# mkdir /home/devops/.chef
root@admin:~/# chown devops /home/devops/.chef

Create a knife.rb file:

devops@admin:~/$ vi /home/devops/.chef/knife.rb
node_name               "devops"
client_key              "/home/devops/.chef/devops.pem"
chef_server_url         "http://192.168.124.10:4000"
log_level               :debug
log_location            STDOUT
validation_client_name  'chef-validator'
validation_key          '/home/devops/.chef/validation.pem'
cache_type              'BasicFile'
cookbook_path           '/home/devops/cookbooks'

# values for the below filled in with keystone query commands:
knife[:openstack_access_key_id]     = "filled in soon"
knife[:openstack_secret_access_key] = "filled in soon"
knife[:openstack_api_endpoint]      = "filled in soon"
knife[:openstack_ssh_key_id]        = "filled in soon"

Create a chef_client and client.pem file for the devops user:

root@admin:~# knife client create devops -a -f /home/devops/.chef/devops.pem

{
  "json_class": "Chef::ApiClient",
  "name": "devops",
  "chef_type": "client",
  "admin": true,
  "public_key": null
}

Make sure Mr. Devops can read the new pem file in his name:

root@admin:~/# chown devops /home/devops/.chef/devops.pem

Now make sure knife works:

devops@admin:~$ knife node list
  admin.crowbar.org
  d08-00-27-49-11-e3.crowbar.org
  d08-00-27-c7-e9-f4.crowbar.org
  d08-00-27-f3-ab-32.crowbar.org

Looks good. Hate the names. I wish Crowbar would shove the node names down the throat of Chef.
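The steps above change the owner of devops.pem but never check its mode, and the same directory will later hold the EC2 secret key in knife.rb. The following check is an added example, not part of the original page; the function name `chef_dir_audit` is hypothetical. It reports anything under a credentials directory that group or other can access, or that the wrong user owns:

```shell
#!/bin/sh
# Added example (not from the original page): audit a knife credentials
# directory such as /home/devops/.chef. Uses only POSIX find/ls/cut.

# chef_dir_audit DIR [OWNER]
#   Prints one finding per line. Exit status 0 = clean, 1 = findings.
chef_dir_audit() {
    dir=$1 want_owner=${2:-}
    findings=$(
        find "$dir" \( -type f -o -type d \) | while IFS= read -r path; do
            ls -ld "$path" | {
                # ls -ld: field 1 is the mode string, field 3 the owner.
                read -r mode links owner rest
                # Characters 5-10 of the mode string are the group/other bits.
                go_bits=$(printf '%s' "$mode" | cut -c5-10)
                [ "$go_bits" = "------" ] || echo "LOOSE_MODE $mode $path"
                if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
                    echo "WRONG_OWNER $owner $path"
                fi
            }
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical call on the admin node, as root:
#   chef_dir_audit /home/devops/.chef devops || chmod -R go-rwx /home/devops/.chef
```

The same call works for /home/devops/.ssh once the keypair below has been generated.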

Let's make Mr. Devops an ssh keypair and send the public key over to the nova manager server for upload into nova.

devops@admin:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/devops/.ssh/id_rsa):
Created directory '/home/devops/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/devops/.ssh/id_rsa.
Your public key has been saved in /home/devops/.ssh/id_rsa.pub.
The key fingerprint is:
b0:b6:f7:66:a0:09:b9:5f:31:71:c7:90:96:6e:d2:dc devops@admin.crowbar.org
The key's randomart image is:
+--[ RSA 2048]----+
|          .o     |
|          +o     |
|      . .=..o    |
|       o.o=.E    |
|     .o So       |
|    o. ..o       |
|     o.oo.       |
|    . oo .o      |
|     ..  o.      |
+-----------------+
devops@admin:~$ cd .ssh/
devops@admin:~/.ssh$ ls
id_rsa  id_rsa.pub

Now let's rename the public key and copy it over to the nova management node:

devops@admin:~/.ssh$ cp id_rsa.pub devops_key.pub
devops@admin:~/.ssh$ scp devops_key.pub crowbar@192.168.124.81:
crowbar@192.168.124.81's password:
devops_key.pub    100%  406     0.4KB/s   00:00
devops@admin:~/.ssh$

Setting up Dependencies

Of course it doesn't work out of the box with Crowbar's Ubuntu - these are all the deps you need.

http://maltin.org/crowbar_knife_openstack_ubuntu_12.04_deps.tar.gz

Download that and put it on your Crowbar nodes:

tar xvzf crowbar_knife_openstack_ubuntu_12.04_deps.tar.gz
cd crowbar_knife_openstack
dpkg -i libxslt1-dev_1.1.26-8ubuntu1_amd64.deb
gem install knife-openstack-0.6.0.gem

Keystone and Nova auth setup

Collect Keystone information for Auth

Set up your keystone command-line environment ON THE KEYSTONE SERVER, for getting API keys and endpoints from keystone.

crowbar@d08-00-27-c7-e9-f4:~$ cat openstack_env 
export OS_USERNAME=crowbar
export OS_PASSWORD=crowbar
export OS_TENANT_NAME=openstack
# IP of the Keystone Server
export OS_AUTH_URL=http://192.168.124.81:5000/v2.0
export KEYSTONE_VERSION=2.0

# IP of the Keystone Server
export SERVICE_ENDPOINT=http://192.168.124.81:35357/v2.0

# the SERVICE_TOKEN is from /etc/keystone/keystone.conf
export SERVICE_TOKEN=980239800212

Get the crowbar user's id:

crowbar@d08-00-27-c7-e9-f4:~$ keystone user-list
+----------------------------------+---------+---------------------------+---------+
|                id                | enabled |           email           |   name  |
+----------------------------------+---------+---------------------------+---------+
| 34177f436e994d7196f6509426def1e7 | True    |                           | nova    |
| 4eb83d126bd5496fb33619d8f40bf2df | True    |                           | admin   |
| 6a6f15a0f97e42cdb81fd1a1a63d5e6f | True    | crowbar@admin.crowbar.org | crowbar |
| c9d0dbd6d018427ab0d97d56f9183c21 | True    |                           | glance  |
+----------------------------------+---------+---------------------------+---------+

Get the crowbar user's EC2 API keys. In the next section of documentation we'll use this access and secret key to launch VMs in OpenStack via our .chef/knife.rb file:

crowbar@d08-00-27-c7-e9-f4:~$ keystone ec2-credentials-list --user 6a6f15a0f97e42cdb81fd1a1a63d5e6f
+-----------+----------------------------------+----------------------------------+
|   tenant  |              access              |              secret              |
+-----------+----------------------------------+----------------------------------+
| openstack | 618709daa35849ff838c80f3bb44db9e | ebe7bbd2e83b44f88f1816f90646d27f |
+-----------+----------------------------------+----------------------------------+

These become, in the devops user's /home/devops/.chef/knife.rb:

knife[:openstack_access_key_id] = "618709daa35849ff838c80f3bb44db9e"
knife[:openstack_secret_access_key] = "ebe7bbd2e83b44f88f1816f90646d27f"

Find out what endpoints we have, so 'knife openstack' knows where to submit its commands.

crowbar@d08-00-27-c7-e9-f4:~$ keystone endpoint-list
+----------------------------------+-----------+------------------------------------------+---------------------------------------------+---------------------------------------------+
|                id                |   region  |                publicurl                 |                 internalurl                 |                   adminurl                  |
+----------------------------------+-----------+------------------------------------------+---------------------------------------------+---------------------------------------------+
| 3bfd3a10828c4039bf9089fe117bc78f | RegionOne | http://192.168.1.3:8773/services/Cloud   | http://192.168.124.81:8773/services/Cloud   | http://192.168.124.81:8773/services/Admin   |
| 818c43e3875046ee8ad2e7bd33a72c6a | RegionOne | http://192.168.1.3:8776/v1/$(tenant_id)s | http://192.168.124.81:8776/v1/$(tenant_id)s | http://192.168.124.81:8776/v1/$(tenant_id)s |
| 8878fb7603324b5caac85e3193c298ca | RegionOne | http://192.168.1.3:8774/v2/$(tenant_id)s | http://192.168.124.81:8774/v2/$(tenant_id)s | http://192.168.124.81:8774/v2/$(tenant_id)s |
| 9e23e18e95a6406b948c38deb788ef2a | RegionOne | http://192.168.124.81:9292/v1            | http://192.168.124.81:9292/v1               | http://192.168.124.81:9292/v1               |
| bce89b7418254d37bc93ae990badfce3 | RegionOne | http://192.168.124.81:5000/v2.0          | http://192.168.124.81:5000/v2.0             | http://192.168.124.81:35357/v2.0            |
+----------------------------------+-----------+------------------------------------------+---------------------------------------------+---------------------------------------------+
crowbar@d08-00-27-c7-e9-f4:~$ 

This becomes, in the devops user's /home/devops/.chef/knife.rb:

knife[:openstack_api_endpoint]      = "http://192.168.124.81:8773/services/Cloud"

Set up Nova SSH keys for post-install auth

Now let's load up that ssh key into nova and drop that in the knife config file as well!

crowbar@d08-00-27-c7-e9-f4:~$ nova keypair-add --pub_key devops_key.pub devopskey
crowbar@d08-00-27-c7-e9-f4:~$ nova keypair-list
+-----------+-------------------------------------------------+
|    Name   |                   Fingerprint                   |
+-----------+-------------------------------------------------+
| devopskey | b0:b6:f7:66:a0:09:b9:5f:31:71:c7:90:96:6e:d2:dc |
+-----------+-------------------------------------------------+
crowbar@d08-00-27-c7-e9-f4:~$ 

This gives the devops user's .chef/knife.rb file the following value:

knife[:openstack_ssh_key_id]    = "devopskey"
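The copy steps in this section (EC2 keys, endpoint and keypair name into knife.rb) can be scripted so the secret key is never retyped by hand. This is an added example, not part of the original page: `table_col`, `knife_settings` and the sample tables are hypothetical and constructed, and it assumes the keystone output was saved to files.

```shell
#!/bin/sh
# Added example (not from the original page): build the knife[:openstack_*]
# lines from saved keystone table output. Sample tables are constructed.

# table_col HEADER [REGEX]: read an ASCII table on stdin; print the cell under
# HEADER for each data row whose cell matches REGEX (default: any non-empty).
table_col() {
    awk -F'|' -v want="$1" -v filter="${2:-.}" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^\+/ { next }                      # +-----+ rule lines
        !col  { for (i = 2; i < NF; i++) if (trim($i) == want) col = i; next }
        NF > col { cell = trim($col); if (cell ~ filter) print cell }
    '
}

# knife_settings CREDS_FILE ENDPOINTS_FILE KEYPAIR_NAME
# Returns 1 unless every lookup yields exactly one value.
knife_settings() {
    access=$(table_col access < "$1")
    secret=$(table_col secret < "$1")
    # The page uses the internalurl of the EC2 endpoint (/services/Cloud).
    endpoint=$(table_col internalurl '/services/Cloud$' < "$2")
    for v in "$access" "$secret" "$endpoint" "$3"; do
        [ "$(printf '%s\n' "$v" | grep -c .)" = 1 ] || { echo "missing or ambiguous value" >&2; return 1; }
    done
    printf 'knife[:openstack_access_key_id]     = "%s"\n' "$access"
    printf 'knife[:openstack_secret_access_key] = "%s"\n' "$secret"
    printf 'knife[:openstack_api_endpoint]      = "%s"\n' "$endpoint"
    printf 'knife[:openstack_ssh_key_id]        = "%s"\n' "$3"
}

sample_creds() { cat <<'EOF'
$ keystone ec2-credentials-list --user <id>
+-----------+---------------------+---------------------+
|   tenant  |        access       |        secret       |
+-----------+---------------------+---------------------+
| openstack | EXAMPLE-ACCESS-0001 | EXAMPLE-SECRET-0001 |
+-----------+---------------------+---------------------+
EOF
}
sample_endpoints() { cat <<'EOF'
+----+-----------+-------------------------------------------+-----------------------------------------+-----------------------------------------+
| id |   region  |                 publicurl                 |               internalurl               |                 adminurl                |
+----+-----------+-------------------------------------------+-----------------------------------------+-----------------------------------------+
| e1 | RegionOne | http://198.51.100.3:8773/services/Cloud   | http://192.0.2.81:8773/services/Cloud   | http://192.0.2.81:8773/services/Admin   |
| e2 | RegionOne | http://198.51.100.3:8774/v2/$(tenant_id)s | http://192.0.2.81:8774/v2/$(tenant_id)s | http://192.0.2.81:8774/v2/$(tenant_id)s |
+----+-----------+-------------------------------------------+-----------------------------------------+-----------------------------------------+
EOF
}
```

Append the output to knife.rb only after confirming that file is mode 0600, since it then contains the EC2 secret key.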

Go back to the node with the devops user to issue 'knife openstack' commands.

And now give it a shot! Let's find the names of OS images we can launch:

devops@admin:~$ knife openstack image list
ID                          Kernel ID                   Architecture                Root Store                  Name                        Locat                  
ami-00000003                aki-00000001                                            instance-store              ubuntu-11.04-image          None untu-11.04-image) 
ari-00000002                                                                        instance-store              ubuntu-11.04-initrd         None untu-11.04-initrd)
aki-00000001                                                                        instance-store              ubuntu-11.04-kernel         None untu-11.04-kernel)
devops@admin:~$ 

Now let's try launching a machine:

knife openstack server create 'role[webserver]' -I ami-00000003 -f m1.small