The OpenStack installation the CFCR team uses is managed by the toolsmiths team. It is accessed through https://openstack-01.pez.pivotal.io and the login credentials are in the LastPass note "Openstack Pez Dashboard user account (pcf-kubo)".
Go to Identity -> Projects to see the list of all projects. The CFCR team uses pcf-kubo-project. Projects sit above VMs in the organizational hierarchy. They let operators grant users access to OpenStack resources and set quotas for the maximum number of volumes, security groups, floating IPs, etc.
Go to Project -> Compute -> Instances to see a list of all VMs in the project.
From the OpenStack dashboard, go to Project > Compute > Access & Security > API Access tab and download the RC file (v3).
$ pip install python-openstackclient
$ source openrc.sh
# provide the password for pcf-kubo service account
# list networks
$ openstack network list
# list instances within the current project
$ openstack server list
The OpenStack docs list every command.
- Follow the guide on Installing PCF on OpenStack on the Pivotal docs website.
- Ensure DHCP is enabled when creating your subnet.
- Ensure all subnets have the DNS server 8.8.8.8.
- To create a floating IP, you must first create an instance. The subnet should be connected to the router (create an interface from the router to the subnet 'port'). From the instance UI, you can then associate a floating IP.
- The validator step requires an image to be uploaded. You'll have to download the .img file for Ubuntu and then create the image from the command line (it does not work from the Web GUI):
openstack image create --file ~/Downloads/image-file-name.img --disk-format raw "ubuntu-xenial"
- Creating an image in step 4 may require you to do this from bash:
openstack image create --file ~/Downloads/pcf-openstack-1.12.5.raw --disk-format raw --private --protected --min-disk 20 --min-ram 8192 "ops manager 1.12.5"
- To set up a FQDN (e.g. openstack-pez-01.cf-app.com) for Ops Manager in the external DNS, you will need the Dev DNS Management (AWS) credentials in LastPass, in the Shared-Opensource Common folder. Log in to AWS and go to Route53.
- Follow the guide on Installing Elastic Runtime on the Pivotal docs website.
- Create two new floating IP addresses (Compute > Access & Security > Floating IPs). Go to Route 53 (use the Dev DNS Management (AWS) credentials in LastPass, in the Shared-Opensource Common folder) and create wildcard domains for system and applications, e.g. *.sys.openstack-pez-01.cf-app.com and *.app.openstack-pez-01.cf-app.com, assigning both to one of the floating IP addresses. Then create tcp.openstack-pez-01.cf-app.com and assign that to the other IP address.
- Only the following tabs and parameters of the Pivotal Elastic Runtime options need to be altered. Retain the defaults unless noted otherwise below:
  - Assign AZs and Networks: save defaults
  - Domains: enter the wildcard domains created in Route53 (described above)
  - Networking:
    - Certificate and Private Key for HAProxy and Router: Click Generate RSA Certificate and give it the root FQDN, e.g. *.openstack-pez-01.cf-app.com
    - TLS Cipher Suites for Router: Copy the default from the tooltip shown when you click in the textbox
    - TLS Cipher Suites for HAProxy: Copy the default from the tooltip shown beneath the textbox
    - HAProxy forwards requests to Router over TLS...: Disable
    - Disable SSL certificate verification for this environment: Select this checkbox
    - Enable TCP Routing: Select this checkbox
    - TCP Routing Ports: 1025-4096
  - Application Security Groups: type x
  - UAA: SAML Service Provider Credentials: Click Generate RSA Certificate and give it the root FQDN, e.g. *.openstack-pez-01.cf-app.com
  - Internal MySQL:
    - Email address (required): type [email protected]
    - Server Activity Logging: disable
  - Resource Config:
    - Add the floating IP that points to the *.sys & *.app domains to the Router
    - Add the floating IP that points to tcp. to the TCP Router
You may also wish to read Jaime's docs on deploying CFCR on OpenStack.
- Locally create an ssh key pair using ssh-keygen, and save this to OpenStack under Compute > Access & Security > Key Pairs.
- Store this key pair in LastPass in the shared jumpbox folder.
- Create a new security group called jumpbox, and give it rules for SSH ingress only but all egress.
- Create a new instance (use an ubuntu trusty image), assign it to the jumpbox security group and in the Key Pair dialog select the newly created key pair.
- Run the sync-jumpbox script in the kubo-home repo. This requires you to be logged in to the LastPass CLI.
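The jumpbox security group is supposed to allow SSH ingress only. The following added example (not part of this page or the kubo tooling) audits a rule listing against that intent: it flags every ingress rule that permits anything beyond TCP/22 and ignores egress, which is meant to be open. The sample input is constructed to resemble the JSON that `openstack security group rule list jumpbox -f json` prints; the field names ("IP Protocol", "Port Range", "Direction", ...) are an assumption about that output, as is the `rule-*` IDs.

```python
import json

# Constructed sample, shaped like the JSON output of
# `openstack security group rule list jumpbox -f json`.
# Field names and rule IDs are assumptions, not captured output.
SAMPLE_RULES_JSON = """
[
  {"ID": "rule-ssh", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
   "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": null},
  {"ID": "rule-egress", "IP Protocol": null, "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
   "Port Range": "", "Direction": "egress", "Remote Security Group": null},
  {"ID": "rule-stray", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
   "Port Range": "8443:8443", "Direction": "ingress", "Remote Security Group": null},
  {"ID": "rule-any", "IP Protocol": null, "Ethertype": "IPv4", "IP Range": "10.0.0.0/8",
   "Port Range": "", "Direction": "ingress", "Remote Security Group": null}
]
"""

# Port range spellings that mean "only TCP port 22".
SSH_PORT_RANGES = {"22", "22:22"}


def is_ssh_only(rule):
    """True if an ingress rule permits nothing beyond TCP/22.

    A missing protocol means "any protocol" in OpenStack, so it is never SSH-only.
    """
    proto = (rule.get("IP Protocol") or "").lower()
    ports = (rule.get("Port Range") or "").strip()
    return proto == "tcp" and ports in SSH_PORT_RANGES


def audit_jumpbox_rules(rules):
    """Return the IDs of ingress rules that go beyond 'SSH ingress only'.

    Egress rules are skipped because the jumpbox is meant to allow all egress.
    """
    return [r["ID"] for r in rules
            if r.get("Direction") == "ingress" and not is_ssh_only(r)]


def audit_jumpbox_rules_json(text):
    """Convenience wrapper: audit rules given as a JSON document."""
    return audit_jumpbox_rules(json.loads(text))


if __name__ == "__main__":
    # With the sample above this prints ['rule-stray', 'rule-any'].
    print(audit_jumpbox_rules_json(SAMPLE_RULES_JSON))
```

Run it against the live group by piping the `openstack security group rule list jumpbox -f json` output into `audit_jumpbox_rules_json`; an empty list means the group still matches the "SSH ingress only, all egress" rule set described above.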
- Log into the OpenStack dashboard as an admin.
- On the left-hand navigation bar, click Project → Network → Networks.
- Click the + Create Network button on the top right corner.
- Create a network for Concourse (i.e. concourse).
- Create a subnet with the CIDR block 192.168.1.0/24 and name it concourse-subnet.
- Attach the network to the router by clicking on the Routers page from the left navigation bar.
- Click + Add Interface and select the newly created subnet to add it to the router.
- Create a security group called concourse and allow:
  - TCP access from everywhere.
  - UDP access from itself.
- Edit the opsmanager security group to allow:
  - All TCP access from the concourse security group.
  - All TCP access from the Floating IP CIDR.
  - All TCP access from sshuttle into the jumpbox created in the section above.
- Use the scripts in kubo-ci/concourse/scripts to install the concourse worker (make sure the security group and network you created are being used).
- Create a network and subnet: Go to Project -> Network -> Networks and click Create Network. Use the following values:
  - Network Name: example
  - Subnet Name: example-subnet
  - Network Address: 192.168.145.0/24 (use a unique address if this one is taken)
  - Gateway IP: 192.168.145.1 (must be in your subnet)
  - Enable DHCP: on
  - Allocation Pools: 192.168.145.2,192.168.145.254
  - DNS Name Servers: 8.8.8.8
  - Host Routes: none
- Connect the network to a router: Go to Network -> Routers and click on clay-router. Click Add Interface. Use example-subnet as the Subnet and leave everything else as default.
- Create a Routing UAA client.
- Add a lock file to the kubo-locks repository. Navigate to the directory kubo-openstack/unclaimed. Create a new lock file by copy-and-pasting another lock file from this directory. Name your new lock file after the environment; in our case it would be example. Here are the properties you'll need to update:
  - net_id: f351f900-16d0-426c-9616-c20e93c17e93. The ID of the network in which the environment will create VMs.
  - internal_ip: 192.168.145.3. Ensure this is within the CIDR of the network specified below. The master will be automatically created at this IP.
  - reserved_ips: 192.168.145.1-192.168.145.2. Must be within the CIDR of the network specified below.
  - director_name: example. The name of your environment.
  - internal_cidr: 192.168.145.0/24. The CIDR of the subnet related to the above network ID.
  - internal_gw: 192.168.145.1. Defaults to the .1 address within your CIDR.
  - kubernetes_master_port: [choose a unique port separate from the other locks]. You will have to create a floating IP.
  - private_key: The private RSA key for the bosh director.
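Most of the lock properties above are constraints on each other (the master IP, gateway and reserved range must all lie inside internal_cidr, the master must not sit in the reserved range, and the master port must be unique across locks), and the subnet section earlier makes the same "gateway must be in your subnet" demand. The following added example, which is not part of the kubo-locks repository, checks those constraints before a lock is committed. It assumes the lock is JSON (the page does not state the file format) and uses 8443 as a stand-in master port, since the page only says to pick a unique one; the other values are the ones listed above.

```python
import ipaddress
import json
import uuid

# Constructed lock content. JSON is an assumption about the lock file format;
# the port is an assumed example value (the page says only "choose a unique port").
EXAMPLE_LOCK_JSON = """
{
  "net_id": "f351f900-16d0-426c-9616-c20e93c17e93",
  "internal_ip": "192.168.145.3",
  "reserved_ips": "192.168.145.1-192.168.145.2",
  "director_name": "example",
  "internal_cidr": "192.168.145.0/24",
  "internal_gw": "192.168.145.1",
  "kubernetes_master_port": 8443
}
"""


def load_lock(text):
    """Parse a lock document into a dict."""
    return json.loads(text)


def validate_lock(lock, ports_in_use=()):
    """Return a list of problems found in a lock dict; an empty list means OK.

    ports_in_use holds the kubernetes_master_port values taken by other locks.
    """
    problems = []

    # net_id must be an OpenStack network UUID.
    try:
        uuid.UUID(str(lock.get("net_id", "")))
    except ValueError:
        problems.append("net_id is not a UUID")

    # Every address check is relative to internal_cidr, so stop if it is unusable.
    try:
        net = ipaddress.ip_network(lock["internal_cidr"], strict=True)
    except (KeyError, ValueError):
        return problems + ["internal_cidr is missing or not a valid network CIDR"]

    def addr(key):
        try:
            return ipaddress.ip_address(lock[key])
        except (KeyError, ValueError):
            problems.append(f"{key} is missing or not a valid IP address")
            return None

    gw = addr("internal_gw")
    master = addr("internal_ip")
    for name, a in (("internal_gw", gw), ("internal_ip", master)):
        if a is not None and a not in net:
            problems.append(f"{name} {a} is outside internal_cidr {net}")

    # reserved_ips is written "first-last"; both ends must sit inside the CIDR.
    try:
        first, last = (ipaddress.ip_address(p.strip())
                       for p in lock["reserved_ips"].split("-", 1))
    except (KeyError, ValueError, AttributeError):
        problems.append("reserved_ips is missing or not of the form a.b.c.d-w.x.y.z")
        first = last = None
    if first is not None:
        if first not in net or last not in net or first > last:
            problems.append(f"reserved_ips {first}-{last} is not a range inside {net}")
        elif master is not None and first <= master <= last:
            # A reserved address is never handed out, so the master could not be placed.
            problems.append(f"internal_ip {master} lies inside reserved_ips")

    port = lock.get("kubernetes_master_port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("kubernetes_master_port must be an integer between 1 and 65535")
    elif port in ports_in_use:
        problems.append(f"kubernetes_master_port {port} is already used by another lock")

    return problems


def validate_lock_text(text, ports_in_use=()):
    """Validate a lock given as a JSON document."""
    return validate_lock(load_lock(text), ports_in_use)


if __name__ == "__main__":
    # The sample lock is consistent, so this prints an empty list.
    print(validate_lock_text(EXAMPLE_LOCK_JSON))
```

To check uniqueness of the master port, collect the kubernetes_master_port values from the other files in kubo-openstack/unclaimed (and the claimed directory) and pass them as ports_in_use.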
- Create an ops file for this environment in the kubo-odb-ci repository. Navigate to the directory environments and create a new directory, and within that create a new ops file. In our case we would create a directory named openstack-example, and within it we would create openstack-example.yml. Start by copy-and-pasting an ops file from another OpenStack environment. Here are the properties you'll need to update:
  - .../service_catalog/id: [generate a new GUID]
  - .../plans/name=demo/plan_id: [generate a new GUID]
  - .../properties/broker_uri: http://openstack-example-odb.((cf_sys_domain))
  - .../routes/name=broker/uris: [ openstack-example-odb.((cf_sys_domain)) ]
  - .../nats/machines: [leave the same]