openstack, ubuntu

OpenStack in a Snap

OpenStack is complex and many OpenStack community members are working hard to make the deployment and operation of OpenStack easier. Much of this time is focused on tools such as Ansible, Puppet, Kolla, Juju, Triple-O, Chef (to name a few). But what if we step down a level and also make the package experience easier?

With snaps we’re working on doing just that. Snaps are a new way of delivering software. The following description from snapcraft.io provides a good summary of the core benefits of snaps:

“Snaps are quick to install, easy to create, safe to run, and they update automatically and transactionally so your app is always fresh and never broken.”

Bundled software

A single snap can deliver multiple pieces of software from different sources to provide a solution that gets you up and running fast.  You’ll notice that installing a snap is quick. That’s because when you install a snap, that single snap bundles all of its dependencies.  That’s a bit different from installing a deb, where all of the dependencies get pulled down and installed separately.

Snaps are easy to create

In my time working on Ubuntu, I’ve spent much of it working on Debian packaging for OpenStack. It’s a niche skill that takes quite a bit of time to understand the nuances of.  When compared with snaps, the difference in complexity between deb packages and snaps is like night and day. Snaps are just plain simple to work on, and even quite fun!

A few more features of snaps

  • Each snap is installed in it’s own read-only squashfs filesystem.
  • Each snap is run in a strict environment sandboxed by AppArmor and seccomp policy.
  • Snaps are transactional. New versions of a snap install to a new read-only squashfs filesystem. If an upgrade fails, it will roll-back to the old version.
  • Snaps will auto-refresh when new versions are available.
  • OpenStack Snaps are guaranteed to be aligned with OpenStack’s upper-constraints. Packagers no longer need to maintain separate packages for the OpenStack dependency chain. Woo-hoo!

Introducing the OpenStack Snaps!

We currently have the following projects snapped:

  • Keystone – This snap provides the OpenStack identity service.
  • Glance – This snap provides the OpenStack image service.
  • Neutron – This snap specifically provides the ‘neutron-server’ process as part of a snap based OpenStack deployment.
  • Nova – This snap provides the Nova controller component of an OpenStack deployment.
  • Nova-hypervisor – This snap provides the hypervisor component of an OpenStack deployment, configured to use Libvirt/KVM + Open vSwitch which are installed using deb packages.  This snap also includes nova-lxd, allowing for use of nova-lxd instead of KVM.

This is enough to get a minimal working OpenStack cloud.  You can find the source for all of the OpenStack snaps on github.  For more details on the OpenStack snaps please refer to the individual READMEs in the upstream repositories. There you can find more details for managing the snaps, such as overriding default configs, restarting services, setting up aliases, and more.

Want to create your own OpenStack snap?

Check out the snap cookie cutter.

I’ll be writing a blog post soon that walks you through using the snap cookie cutter. It’s really simple and will help get the creation of a new OpenStack snap bootstrapped in no time.

Testing the OpenStack snaps

We’ve been using a simple script for initial testing of the OpenStack snaps. The script installs the snaps on a single node and provides additional post-install configuration for services. To try it out:

git clone https://github.com/openstack-snaps/snap-test
cd snap-test
./snap-deploy

At this point we’ve been doing all of our testing on Ubuntu Xenial (16.04).  Also note that this will install and configure quite a bit of software on your system so you’ll likely want to run it on a disposable machine.

Tracking OpenStack

Today you can install snaps from the edge channel of the snap store. For example:

sudo snap install --edge keystone

The OpenStack team is working toward getting CI/CD in place to enable publishing snaps across tracks for OpenStack releases (Ie. a track for ocata, another track for pike, etc). Within each track will be 4 different channels. The edge channel for each track will contain the tip of the OpenStack project’s corresponding branch, with the beta, candidate and release channels being reserved for released versions.  This should result in an experience such as:

sudo snap install --channel=ocata/stable keystone
sudo snap install --channel=pike/edge keystone

Poking around

Snaps have various environment variables available to them that simplify the creation of the snap. They’re all documented here.  You probably won’t need to know much about them to be honest, however there are a few locations that you’ll want to be familiar with once you’ve installed a snap:

$SNAP == /snap/<snap-name>/current

This is where the snap and all of it’s files are mounted. Everything here is read-only. In my current install of keystone, $SNAP is /snap/keystone/91. Fortunately you don’t need to know the current version number as there’s a symlink to that directory at /snap/keystone/current.

$ ls /snap/keystone/current/
bin                     etc      pysqlite2-doc        usr
command-manage.wrapper  include  snap                 var
command-nginx.wrapper   lib      snap-openstack.yaml
command-uwsgi.wrapper   meta     templates

$ ls /snap/keystone/current/bin/
alembic                oslo-messaging-send-notification
convert-json           oslo-messaging-zmq-broker
jsonschema             oslo-messaging-zmq-proxy
keystone-manage        oslopolicy-checker
keystone-wsgi-admin    oslopolicy-list-redundant
keystone-wsgi-public   oslopolicy-policy-generator
lockutils-wrapper      oslopolicy-sample-generator
make_metadata.py       osprofiler
mako-render            parse_xsd2.py
mdexport.py            pbr
merge_metadata.py      pybabel
migrate                snap-openstack
migrate-repository     sqlformat
netaddr                uwsgi
oslo-config-generator

$ ls /snap/keystone/current/usr/bin/
2to3               idle     pycompile     python2.7-config
2to3-2.7           pdb      pydoc         python2-config
cautious-launcher  pdb2.7   pydoc2.7      python-config
compose            pip      pygettext     pyversions
dh_python2         pip2     pygettext2.7  run-mailcap
easy_install       pip2.7   python        see
easy_install-2.7   print    python2       smtpd.py
edit               pyclean  python2.7

$ ls /snap/keystone/current/lib/python2.7/site-packages/
...

$SNAP_COMMON == /var/snap/<snap-name>/common

This directory is used for system data that is common across revisions of a snap. This is where you’ll override default config files and access log files.

$ ls /var/snap/keystone/common/
etc  fernet-keys  lib  lock  log  run

$ sudo ls /var/snap/keystone/common/etc/
keystone  nginx  uwsgi

$ ls /var/snap/keystone/common/log/
keystone.log  nginx-access.log  nginx-error.log  uwsgi.log

Strict confinement

The snaps all run under strict confinement, where each snap is run in a restricted environment that is sandboxed with seccomp and AppArmor policy.  More details on snap confinement can be viewed here.

New features/updates coming for snaps

There are a few features and updates coming for snaps that I’m looking forward to:

  • We’re working on getting libvirt AppArmor policy in place so that the nova-hypervisor snap can access qcow2 backing files.
    • For now, as a work-around, you can put virt-aa-helper in complain mode: sudo aa-complain /usr/lib/libvirt/virt-aa-helper
  • We’re also working on getting additional snapd interface policy in place that will enable network connectivity for deployed instances.
    • For now you can install the nova-hypervisor snap in devmode, which disables security confinement:  snap install –devmode –edge nova-hypervisor
  • Auto-connecting nova-hypervisor interfaces. We’re working on getting the interfaces for the nova-hypervisor defined automatically at install time.
    • Interfaces define the AppArmor and seccomp policy that enables a snap to access resources on the system.
    • For now you can manually connect the required interfaces as described in the nova-hypervisor snap’s README.
  • Auto-alias support for commands. We’re working on getting auto-alias support defined for commands across the snaps, where aliases will be defined automatically at install time.
    • This enables use of the traditional command names. Instead of ‘nova.manage db sync‘ you’ll be able to issue ‘nova-manage db sync’ right after installing the snap.
    • For now you can manually enable aliases after the snap is installed, such as ‘snap alias nova.manage nova-manage’. See the snap READMEs for more details.
  • Auto-alias support for daemons.  Currently snappy only supports aliases for commands (not daemons).  Once alias support is available for daemons, we’ll set them up to be automatically configured at install time.
    • This enables use of the traditional unit file names. Instead of ‘systemctl restart snap.nova.nova-compute’ you’ll be able to issue ‘systemctl restart nova-compute’.
  • Asset tracking for snaps. This will enables tracking of versions used to build the snap which can be re-used in future builds.

If you’d like to chat more about snaps you can find us on IRC in #openstack-snaps on freenode. We welcome your feedback and contributions!

Thanks and have fun!

Corey

Advertisements
Uncategorized

OpenStack Ocata for Ubuntu 16.04 LTS

Hi All,

The Ubuntu OpenStack team at Canonical is pleased to announce the general availability of OpenStack Ocata on Ubuntu 16.04 LTS via the Ubuntu Cloud Archive. Ocata is the latest release of OpenStack and the first in the new OpenStack release cadence, with a focus on stabilization of existing features along with usability improvements. Details of the Ocata release can be found at:  https://www.openstack.org/software/ocata

To get access to the Ubuntu Ocata packages:

Ubuntu 16.04 LTS

You can enable the Ubuntu Cloud Archive pocket for OpenStack Ocata on Ubuntu 16.04 installations by running the following commands:

    sudo add-apt-repository cloud-archive:ocata

    sudo apt update

The Ubuntu Cloud Archive for Ocata includes updates for:

aodh, barbican, ceilometer, cinder, congress, designate, designate-dashboard, dpdk (16.11), glance, gnocchi, heat, horizon, ironic, libvirt (2.5.0), keystone, magnum, manila, manila-ui, mistral, murano, murano-dashboard, networking-ovn, networking-sfc, neutron, neutron-dynamic-routing, neutron-fwaas, neutron-lbaas, neutron-lbaas-dashboard, nova, nova-lxd, openstack-trove, panko, qemu (2.8), sahara, sahara-dashboard, senlin, swift, trove-dashboard, watcher and zaqar

For a full list of packages and versions, please refer to [0].

Migration considerations

* API’s now running under apache2 with mod_wsgi

In Ocata we’ve updated the following APIs to run under apache2 with mod_wsgi: aodh-api, barbican-api, ceilometer-api, cinder-api, and the nova-placement-api. Please keep this in mind as the packages will no longer install systemd unit files for these services, and will instead install apache2 with corresponding apache2 site configuration.

* libvirt 2.5.0 changes

In this release of libvirt, the libvirt-bin systemd service has been renamed to libvirtd, and the unix_sock_group has changed from libvirtd to libvirt.

* openstack-dashboard changes

In Ocata we’ve moved static assets from /usr/share/openstack-dashboard/static to /var/lib/openstack-dashboard/static.

Known Issues

nova console log is empty with libvirt 2.5.0: https://bugs.launchpad.net/bugs/1667033

Branch Package Builds

If you would like to try out the latest updates to branches, we deliver continuously integrated packages on each upstream commit via the following PPA’s:

    sudo add-apt-repository ppa:openstack-ubuntu-testing/liberty

    sudo add-apt-repository ppa:openstack-ubuntu-testing/mitaka

    sudo add-apt-repository ppa:openstack-ubuntu-testing/newton

    sudo add-apt-repository ppa:openstack-ubuntu-testing/ocata

Reporting bugs

If you have any issues please report bugs using the ‘ubuntu-bug’ tool to ensure that bugs get logged in the right place in Launchpad:

    sudo ubuntu-bug nova-conductor

Thanks to everyone who has contributed to OpenStack Ocata, both upstream and downstream.  And special thanks to the puppet modules team for their continued early testing of OpenStack development releases.

Have fun and see you in Pike!

Regards,

Corey

(on behalf of the Ubuntu OpenStack team)

[0] http://reqorts.qa.ubuntu.com/reports/ubuntu-server/cloud-archive/ocata_versions.html

Uncategorized

OpenStack Ocata B2 for Ubuntu 16.04 LTS

Hi All,

The Ubuntu OpenStack team is pleased to announce the general availability of the OpenStack Ocata B2 milestone in Ubuntu 16.04 LTS via the Ubuntu Cloud Archive.

Ubuntu 16.04 LTS

You can enable the Ubuntu Cloud Archive pocket for OpenStack Ocata on Ubuntu 16.04 installations by running the following commands:

sudo add-apt-repository cloud-archive:ocata

sudo apt update

The Ubuntu Cloud Archive for Ocata includes updates for:

aodh (commit 5363ff85), barbican, ceilometer (commit aa3f491bb), cinder, congress, designate, designate-dashboard, glance, heat, horizon (commit 158a4c1a), keystone, libvirt (2.5.0), manila, mistral, networking-ovn, neutron, neutron-fwaas, neutron-lbaas, neutron-vpnaas (commit 47c217e4), nova, openstack-trove, panko (1.0.0), qemu (2.6.1), sahara, senlin, swift (2.12.0), watcher (0.33.0), and zaqar.

For a full list of packages and versions, please refer to [0].

API’s now running under apache2 with mod_wsgi

In this milestone we’ve updated the following APIs to run under apache2 with mod_wsgi: aodh-api, barbican-api, ceilometer-api, cinder-api, and nova-placement-api.

Please keep this in mind as the packages will no longer install systemd unit files for these services, and will instead install apache2 with corresponding apache2 sites.

libvirt 2.5.0 changes

In this release of libvirt, the libvirt-bin systemd service has been renamed to libvirtd, and the unix_sock_group has changed from libvirtd to libvirt.

Branch Package Builds

If you would like to try out the latest updates to branches, we are delivering continuously integrated packages on each upstream commit via the following PPA’s:

  sudo add-apt-repository ppa:openstack-ubuntu-testing/liberty

  sudo add-apt-repository ppa:openstack-ubuntu-testing/mitaka

  sudo add-apt-repository ppa:openstack-ubuntu-testing/newton

  sudo add-apt-repository ppa:openstack-ubuntu-testing/ocata

Reporting bugs

If you have any issues please report bugs using the ‘ubuntu-bug’ tool to ensure that bugs get logged in the right place in Launchpad:

 sudo ubuntu-bug nova-conductor

Thanks to all who have contributed thus far to OpenStack Ocata, both upstream and downstream.  And special thanks to the puppet modules team for their continued early testing of Ocata.

Have fun!

Regards,

Corey

(on behalf of the Ubuntu OpenStack team)

[0] http://reqorts.qa.ubuntu.com/reports/ubuntu-server/cloud-archive/ocata_versions.html

Uncategorized

OpenStack Ocata B1 for Ubuntu 16.04 LTS

Hi All,

The Ubuntu OpenStack team is pleased to announce the general availability of the OpenStack Ocata B1 milestone in Ubuntu 16.04 LTS via the Ubuntu Cloud Archive.

Ubuntu 16.04 LTS

You can enable the Ubuntu Cloud Archive pocket for OpenStack Ocata on Ubuntu 16.04 installations by running the following commands:

echo “deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main” | sudo tee /etc/apt/sources.list.d/ocata-uca.list

sudo apt install -y ubuntu-cloud-keyring

sudo apt update

The Ubuntu Cloud Archive for Ocata includes updates for: cinder, glance, horizon, keystone, manila, networking-ovn, neutron, neutron-fwaas, neutron-lbaas, neutron-dynamic-routing, nova, openstack-trove, and swift (2.11.0).

You can check out the full list of packages and versions at [0].

Branch Package Builds

If you want to try out the latest updates to stable branches, we are delivering continuously integrated packages on each upstream commit via the following PPA’s:

   sudo add-apt-repository ppa:openstack-ubuntu-testing/liberty

   sudo add-apt-repository ppa:openstack-ubuntu-testing/mitaka

   sudo add-apt-repository ppa:openstack-ubuntu-testing/newton

   sudo add-apt-repository ppa:openstack-ubuntu-testing/ocata

bear in mind these are built per-commit-ish (30 min checks for new commits at the moment) so ymmv from time-to-time.

Reporting bugs

Any issues please report bugs using the ‘ubuntu-bug’ tool:

  sudo ubuntu-bug nova-conductor

this will ensure that bugs get logged in the right place in Launchpad.

Thanks and have fun!

Regards,

Corey

(on behalf of the Ubuntu OpenStack team)

[0] http://reqorts.qa.ubuntu.com/reports/ubuntu-server/cloud-archive/ocata_versions.html

Uncategorized

Ubuntu OpenStack Newton has released!

The Ubuntu OpenStack team is pleased to announce the general availability of OpenStack Newton, available in today’s release of Ubuntu 16.10 (Yakkety Yak) [0] and also available for Ubuntu 16.04 LTS (Xenial Xerus) via the Ubuntu Cloud Archive.

Ubuntu 16.04 LTS

You can enable the Ubuntu Cloud Archive pocket for OpenStack Newton on Ubuntu 16.04 installations by running the following commands:

     sudo add-apt-repository cloud-archive:newton

     sudo apt update

The Ubuntu Cloud Archive for Newton includes updates for: Aodh, Barbican, Ceilometer, Cinder, Congress, Designate, DPDK (16.07), Glance, Gnocchi, Heat, Horizon, Ironic (6.2.1), Keystone, Magnum, Manila, Mistral, Murano, Networking-L2GW, Networking-ODL, Networking-OVN, Networking-SFC, Neutron, Neutron-Dynamic-Routing, Neutron-FWaaS, Neutron-LBaaS, Neutron-TaaS, Neutron-VPNaaS, Nova, Nova-LXD, OpenvSwitch (2.6.0), Sahara, Senlin, Swift (2.10.0), Trove, and Zaqar.

You can see the full list of packages and versions at [1].

Ubuntu 16.10

No extra steps required; just start installing OpenStack!

Branch Package Builds

If you want to try out the latest updates to stable branches, we are delivering continuously integrated packages on each upstream commit in the following PPA’s:

    sudo add-apt-repository ppa:openstack-ubuntu-testing/liberty

    sudo add-apt-repository ppa:openstack-ubuntu-testing/mitaka

    sudo add-apt-repository ppa:openstack-ubuntu-testing/newton

bear in mind these are built per-commitish (30 min checks for new commits at the moment) so ymmv from time-to-time.

Reporting bugs

Any issues please report bugs using the ‘ubuntu-bug’ tool:

     sudo ubuntu-bug nova-conductor

this will ensure that bugs get logged in the right place in Launchpad.

Thank you to all who contributed to OpenStack Newton both upstream and in Debian/Ubuntu packaging!

Regards,

Corey

(on behalf of the Ubuntu OpenStack team)

[0] https://wiki.ubuntu.com/YakketyYak/ReleaseNotes

[1] http://reqorts.qa.ubuntu.com/reports/ubuntu-server/cloud-archive/newton_versions.html

Uncategorized

OpenStack Newton B3 for Ubuntu 16.04 LTS and Ubuntu 16.10

Hi All,

The Ubuntu OpenStack team is pleased to announce the general availability of OpenStack Newton B3 milestone in Ubuntu 16.10 and for Ubuntu 16.04 LTS via the Ubuntu Cloud Archive.

Ubuntu 16.04 LTS
You can enable the Ubuntu Cloud Archive pocket for OpenStack Newton on Ubuntu 16.04 installations by running the following commands:

sudo add-apt-repository cloud-archive:newton
sudo apt update

The Ubuntu Cloud Archive for Newton includes updates for Aodh, Barbican, Ceilometer, Cinder, Designate, Glance, Heat, Horizon, Ironic (6.1.0), Keystone, Manila, Networking-OVN, Neutron, Neutron-FWaaS, Neutron-LBaaS, Neutron-VPNaaS, Nova, and Trove.

You can see the full list of packages and versions at [0].

Ubuntu 16.10
No extra steps required; just start installing OpenStack!

Branch Package Builds
If you want to try out the latest master branch updates, or updates to stable branches, we are delivering continuously integrated packages on each upstream commit in the following PPA’s:

sudo add-apt-repository ppa:openstack-ubuntu-testing/liberty
sudo add-apt-repository ppa:openstack-ubuntu-testing/mitaka
sudo add-apt-repository ppa:openstack-ubuntu-testing/newton

bear in mind these are built per-commitish (30 min checks for new commits at the moment) so ymmv from time-to-time.

Reporting bugs
Any issues please report bugs using the ‘ubuntu-bug’ tool:

sudo ubuntu-bug nova-conductor

this will ensure that bugs get logged in the right place in Launchpad.

Thanks and have fun!

Regards,
Corey

Uncategorized

Deploying OpenStack from source to scalable multi-node environments

The Juju OpenStack charms now have support for deploying OpenStack from source!

This means that you can point the charms at the OpenStack git repositories/branches of your choice, whether they’re the well known upstream repos or your own modified repos, and deploy to your choice of substrate via Juju (to metal via MAAS, private/public cloud, KVM, Linux containers, and more).

Configuration

Deploying from source is configured with the openstack-origin-git option, which can be added to the charm configurations of any existing bundle.  For example, the cinder charm in the OpenStack bundle can be updated by adding:

openstack-origin-git: include-file://cinder-juno.yaml

where cinder-juno.yaml minimally contains:

repositories:
  - {name: requirements,
     repository: 'git://github.com/openstack/requirements',
     branch: stable/juno}
  - {name: cinder,
     repository: 'git://github.com/openstack/cinder',
     branch: stable/juno}

We use the yaml config files located here for testing, which are minimal configs for the various stable releases and master.  Note that these files are subject to change, in particular the master yaml files, so be sure to check back if you run into any issues.

Note that the specified git repositories are not limited to the requirements and core repositories. You can also specify the git repositories for any openstack dependencies that are listed at: http://git.openstack.org/cgit.

What’s supported?

As of today, the following OpenStack charms support deploying from source:

  • cinder
  • glance
  • keystone
  • neutron-api
  • neutron-gateway
  • neutron-openvswitch
  • nova-cloud-controller
  • nova-compute
  • openstack-dashboard

The best way to access this support today is by using the “next” branches, which are the current development branches.  As a reference, this bundle uses the next branches.

In terms of repositories supported, you can use the well known upstream git repositories, such as https://github.com/openstack/cinder.git or you can use your own version that is based on upstream.

In terms of branches supported, stable/icehouse, stable/juno, stable/kilo, and master are all supported.

When using master branches, keep in mind that the OpenStack charms are going to need updates as master evolves through each release.  As issues arise with the charms, we will be providing fixes to the next branches.

It’s more than just deploying OpenStack from source!

Finally, it’s not just about deploying OpenStack.  Juju and the OpenStack charms also provide dynamic life-cycle capabilities and the ability to scale out easily.  I’ll provide some follow up posts to talk about some of the extended capabilities that are particularly relevant when deployed from source.

Have fun and please let me know if you have any questions or comments!