OpenStack on FreeBSD - Administrator Guide

Overview

This guide provides operational instructions for administrators managing the 3-node OpenStack cluster running on FreeBSD. The guide covers cluster architecture, network topology, and common administrative tasks.

Cluster Architecture

Node Overview

The cluster consists of three physical nodes:

Node         IP Address (vlan1220)   Role
openstack0   10.122.0.254            Controller
openstack1   10.122.0.181            Worker
openstack2   10.122.0.182            Worker

Component Distribution

Controller Node (openstack0)

All control-plane components run in FreeBSD jails on openstack0:

openstack0 (10.122.0.254)

  • keystone
  • placement
  • glance
  • neutron-server
  • neutron-metadata-agent
  • neutron-dhcp-agent
  • neutron-openvswitch-agent
  • nova-api
  • nova-scheduler
  • nova-conductor
  • nova-serialproxy

Worker Nodes (openstack1, openstack2)

Data-plane components run directly on the host:

openstack1 and openstack2 (10.122.0.181, 10.122.0.182)

  • neutron-metadata-agent
  • neutron-dhcp-agent
  • neutron-openvswitch-agent
  • nova-compute

Shared Infrastructure

Database and message queue services run in separate jails on the controller node:

# MySQL Database
sudo service mysql-server status

# RabbitMQ Message Queue
sudo service rabbitmq status

Network Architecture

Network Interfaces

Each node has three VLAN interfaces:

  • vlan122: Public network
  • vlan1220: Management network
  • vlan1221: Provider network (data plane)

Controller Node (openstack0)

openstack0

  • vlan1220: 10.122.0.254/24 (Management)
  • vlan1221: 10.122.1.254/24 (Provider)

Worker Nodes (openstack1, openstack2)

openstack1:

  • vlan1220: 10.122.0.181/24 (Management)
  • vlan1221: attached to br-provider

openstack2:

  • vlan1220: 10.122.0.182/24 (Management)
  • vlan1221: attached to br-provider

Open vSwitch Topology

Neutron creates two OVS bridges on each node:

  • br-int (Integration Bridge)
    • Connects VM tap interfaces
    • Connects to br-provider via patch ports
  • br-provider (Provider Bridge)
    • Connected to vlan1221 VLAN interface
    • Provides external network connectivity

Verify OVS bridge configuration:

# List all bridges
sudo ovs-vsctl show

# Show bridge ports
sudo ovs-vsctl list-ports br-provider
sudo ovs-vsctl list-ports br-int

# View flow rules
sudo ovs-ofctl dump-flows br-int
sudo ovs-ofctl dump-flows br-provider

Network Diagram

Data plane:

                    External Network (10.122.1.0/24)
                              |
                         [vlan1221]
                              |
    +-------------------------+-------------------------+
    |                         |                         |
openstack0              openstack1              openstack2
    |                         |                         |
[br-provider]           [br-provider]           [br-provider]
    |                         |                         |
[br-int]                  [br-int]                  [br-int]
    |                         |                         |
[VM tap]                  [VM tap]                  [VM tap]

Administrative Credentials

Loading Admin Credentials

export OS_USERNAME=admin
export OS_PASSWORD=supersecret
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export OS_AUTH_URL=http://10.122.0.254:5000/v3

Save this as /root/admin-openrc and load:

source /root/admin-openrc
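The openrc file above carries OS_PASSWORD in clear text, so it should be readable by its owner only. The following is an added example, not part of the guide: it wraps the source step in a permission check and refuses to load a file that group or other can read. It relies on ls(1) output so it behaves the same on FreeBSD and Linux; the script name load-openrc.sh in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the guide: load an openrc file only when it is
# not readable by group or other, since it carries OS_PASSWORD in clear text.
# Uses ls(1) output so the check is the same on FreeBSD and Linux.

# Return 0 when the file has no group/other permission bits, 1 otherwise.
check_openrc_perms() {
  f=$1
  [ -f "$f" ] || { echo "openrc not found: $f" >&2; return 1; }
  # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
  bits=$(ls -ld "$f" | cut -c5-10)
  case $bits in
    ------) return 0 ;;
    *) echo "refusing to load $f: group/other bits are '$bits' (run chmod 600)" >&2
       return 1 ;;
  esac
}

# Source the file into the current shell only after the permission check.
load_openrc() {
  check_openrc_perms "$1" || return 1
  . "$1"
}

# Usage (hypothetical file name): . ./load-openrc.sh /root/admin-openrc
# Sourcing rather than executing keeps the OS_* variables in your shell.
if [ -n "${1:-}" ]; then
  load_openrc "$1"
fi
```

Run `chmod 600 /root/admin-openrc` once after saving the file; the check then passes and the variables are exported as before.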

Service Management

Check Service Status

Controller Node (openstack0)

Check jail status:

sudo jls

Enter specific jail to check service:

sudo jexec <jid> /bin/sh
ps aux | grep <service-name>

Worker Nodes (openstack1, openstack2)

ps aux | grep neutron
ps aux | grep nova-compute

Verify OpenStack Services

# Compute services
openstack compute service list

# Network agents
openstack network agent list
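The two listings above show state per service, but on a three-node cluster an operator wants to know quickly which expected service is down, dead, or missing from the list altogether. The following is an added example, not part of the guide: a small health check that reads the `-f value` output of those commands (so it also works on a saved snapshot) and compares it against the component layout from "Component Distribution". The sample listings are constructed, not captured from a real cluster, and the expected-service lists are an illustrative subset (metadata agents left out); the assumed column selection and order is shown in the comments.

```shell
#!/bin/sh
# Added example, not part of the guide: a health check over the two listings
# above, run against their "-f value" output so it works on a saved snapshot
# as well as live:
#   openstack compute service list -f value -c Host -c Binary -c State
#   openstack network agent list   -f value -c Host -c Binary -c Alive
# Assumption: the selected columns print in that order and contain no spaces.

# Print "host/binary" for every compute service whose State is not "up".
down_compute_services() {
  awk '$3 != "up" { print $1 "/" $2 }'
}

# Print "host/binary" for every network agent whose Alive flag is not "True".
dead_network_agents() {
  awk '$3 != "True" { print $1 "/" $2 }'
}

# Print expected host/binary pairs ($1, whitespace separated) missing from the
# listing on stdin. Catches a service that died and fell off the list entirely.
missing_services() {
  seen=$(awk '{ print $1 "/" $2 }')
  for pair in $1; do
    printf '%s\n' "$seen" | grep -qxF "$pair" || printf '%s\n' "$pair"
  done
}

# The layout from "Component Distribution" above, as host/binary pairs
# (the metadata agents are left out of this illustrative subset).
EXPECTED_COMPUTE='openstack0/nova-scheduler openstack0/nova-conductor
  openstack1/nova-compute openstack2/nova-compute'
EXPECTED_AGENTS='openstack0/neutron-openvswitch-agent openstack0/neutron-dhcp-agent
  openstack1/neutron-openvswitch-agent openstack1/neutron-dhcp-agent
  openstack2/neutron-openvswitch-agent openstack2/neutron-dhcp-agent'

# Combine the checks: $1 is the compute listing, $2 the agent listing.
# Prints one line per problem and nothing when the cluster is healthy.
health_report() {
  printf '%s\n' "$1" | down_compute_services | sed 's/^/DOWN compute:    /'
  printf '%s\n' "$2" | dead_network_agents  | sed 's/^/DEAD agent:      /'
  printf '%s\n' "$1" | missing_services "$EXPECTED_COMPUTE" | sed 's/^/MISSING compute: /'
  printf '%s\n' "$2" | missing_services "$EXPECTED_AGENTS"  | sed 's/^/MISSING agent:   /'
}

# Return 0 only when health_report has nothing to say.
cluster_healthy() {
  [ -z "$(health_report "$1" "$2")" ]
}

# Constructed sample listings (not captured from a real cluster): one compute
# node down, one OVS agent dead, and two DHCP agents absent from the list.
COMPUTE_SAMPLE='openstack0 nova-scheduler up
openstack0 nova-conductor up
openstack1 nova-compute up
openstack2 nova-compute down'
AGENT_SAMPLE='openstack0 neutron-openvswitch-agent True
openstack1 neutron-openvswitch-agent True
openstack2 neutron-openvswitch-agent False
openstack1 neutron-dhcp-agent True'

health_report "$COMPUTE_SAMPLE" "$AGENT_SAMPLE"
```

Against live output, feed the two `openstack ... list -f value` commands into `health_report` via command substitution; `cluster_healthy` gives a single exit status suitable for a cron job or monitoring probe.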

Restart Services

Restart Neutron Agent

On worker nodes:

sudo pkill -f neutron-openvswitch-agent
sudo neutron-openvswitch-agent --config-file /path/to/neutron.conf \
  --config-file /path/to/openvswitch_agent.ini &

Restart Nova Compute

On worker nodes:

sudo pkill -f nova-compute
sudo EVENTLET_HUB=poll nova-compute --config-dir /path/to/nova &

User and Project Management

Create Domain

openstack domain create --description "Engineering Domain" engineering

Create Project

openstack project create --domain default \
  --description "Development Project" dev-project

Create User

openstack user create --domain default \
  --password-prompt \
  --email user@example.com \
  devuser

Assign Role to User

# Create custom role
openstack role create developer

# Assign role to user in project
openstack role add --project dev-project --user devuser developer

List Users and Projects

openstack user list
openstack project list
openstack role assignment list --user devuser --project dev-project

Set User Quota

openstack quota set --instances 10 --cores 20 --ram 51200 dev-project

View quota:

openstack quota show dev-project

Network Management

Create Provider Network

openstack network create \
  --share \
  --provider-physical-network provider \
  --provider-network-type flat \
  provider1

Create Subnet

openstack subnet create \
  --subnet-range 10.122.1.0/24 \
  --gateway 10.122.1.1 \
  --network provider1 \
  --allocation-pool start=10.122.1.100,end=10.122.1.200 \
  --dns-nameserver 8.8.8.8 \
  --no-dhcp \
  provider1-subnet

Enable DHCP if needed:

openstack subnet set --dhcp provider1-subnet

Create VLAN Network

openstack network create \
  --provider-physical-network provider \
  --provider-network-type vlan \
  --provider-segment 100 \
  vlan100

View Network Details

openstack network show provider1
openstack subnet show provider1-subnet
openstack port list --network provider1

Delete Network

Remove all ports first:

# List ports
openstack port list --network provider1

# Delete ports (excluding DHCP and router ports, which Neutron owns and
# which go away with the subnet or the router interface instead)
# --long exposes the Device Owner column used for the filter
openstack port list --network provider1 --long -f value -c ID -c "Device Owner" |
while read -r port owner; do
  case $owner in
    network:dhcp|network:router_*) continue ;;
  esac
  openstack port delete "$port"
done

# Delete subnet
openstack subnet delete provider1-subnet

# Delete network
openstack network delete provider1

Image Management

Upload Image from URL

FreeBSD image:

curl -fLO https://download.freebsd.org/releases/VM-IMAGES/13.2-RELEASE/amd64/Latest/FreeBSD-13.2-RELEASE-amd64.raw.xz
xz -d FreeBSD-13.2-RELEASE-amd64.raw.xz

openstack image create \
  --disk-format raw \
  --container-format bare \
  --public \
  --file FreeBSD-13.2-RELEASE-amd64.raw \
  freebsd-13.2

CirrOS image:

curl -fLO http://download.cirros-cloud.net/0.6.2/cirros-0.6.2-x86_64-disk.img

openstack image create \
  --disk-format qcow2 \
  --container-format bare \
  --public \
  --file cirros-0.6.2-x86_64-disk.img \
  cirros

Set Image Properties

openstack image set \
  --property os_type=freebsd \
  --property os_version=13.2 \
  --min-disk 20 \
  --min-ram 2048 \
  freebsd-13.2

Make Image Private

openstack image set --private freebsd-13.2

Share Image with Project

openstack image add project freebsd-13.2 dev-project
openstack image set --accept freebsd-13.2

Delete Image

openstack image delete freebsd-13.2

List Image Details

openstack image list
openstack image show freebsd-13.2

Flavor Management

Create Flavor

openstack flavor create \
  --id 1 \
  --vcpus 1 \
  --ram 2048 \
  --disk 20 \
  m1.small

Create Flavor with Specific Properties

openstack flavor create \
  --id 2 \
  --vcpus 2 \
  --ram 4096 \
  --disk 40 \
  --property hw:cpu_policy=dedicated \
  m1.medium

Set Flavor Access

Make flavor private:

openstack flavor set --private m1.medium

Grant access to project:

openstack flavor set --project dev-project m1.medium

List Flavors

openstack flavor list
openstack flavor show m1.small

Delete Flavor

openstack flavor delete m1.small

Security Group Management

Create Security Group

openstack security group create \
  --description "Web server security group" \
  web-sg

Add Rules

# Allow SSH
openstack security group rule create \
  --proto tcp \
  --dst-port 22 \
  web-sg

# Allow HTTP
openstack security group rule create \
  --proto tcp \
  --dst-port 80 \
  web-sg

# Allow HTTPS
openstack security group rule create \
  --proto tcp \
  --dst-port 443 \
  web-sg

# Allow ICMP
openstack security group rule create \
  --proto icmp \
  web-sg

List Security Groups

openstack security group list
openstack security group show web-sg
openstack security group rule list web-sg
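The rules added above use the default remote prefix of 0.0.0.0/0, so every one of them, SSH included, is reachable from any address. The following is an added example, not part of the guide: an audit that reads the CSV form of the `security group rule list` command shown above and reports world-open ingress rules, with a dedicated check for TCP/22. The two rule listings are constructed, not captured from a real cloud; the assumed column selection and order is given in the comments.

```shell
#!/bin/sh
# Added example, not part of the guide: audit a security group for ingress
# rules reachable from the whole Internet, and single out SSH. Input is the
# CSV form of the listing command above:
#   openstack security group rule list web-sg -f csv \
#     -c "IP Protocol" -c "IP Range" -c "Port Range" -c Direction
# Assumption: columns print in that order and values contain no quotes.

# Drop the outer quotes of each CSV line so awk can split on the separator.
unquote_csv() {
  sed 's/^"//; s/"$//'
}

# Print "proto port-range" for each ingress rule whose remote prefix is the
# entire IPv4 or IPv6 space. Port Range is "min:max", or empty for icmp and
# for rules created without --dst-port (printed here as "any").
world_open_ingress() {
  tail -n +2 | unquote_csv | awk -F'","' '
    $4 == "ingress" && ($2 == "0.0.0.0/0" || $2 == "::/0") {
      print $1, ($3 == "" ? "any" : $3)
    }'
}

# Return 0 when TCP port 22 falls inside any world-open ingress rule.
ssh_world_open() {
  world_open_ingress | awk '
    $1 == "tcp" {
      if ($2 == "any") { hit = 1; next }
      split($2, r, ":")
      if (r[1] + 0 <= 22 && 22 <= r[2] + 0) hit = 1
    }
    END { exit hit ? 0 : 1 }'
}

# Constructed listing for web-sg as built above (not captured from a real
# cloud); "rule create" without --remote-ip defaults to 0.0.0.0/0.
WEB_SG_RULES='"IP Protocol","IP Range","Port Range","Direction"
"tcp","0.0.0.0/0","22:22","ingress"
"tcp","0.0.0.0/0","80:80","ingress"
"tcp","0.0.0.0/0","443:443","ingress"
"icmp","0.0.0.0/0","","ingress"
"","0.0.0.0/0","","egress"
"","::/0","","egress"'

# The same group after the SSH rule is recreated with
# --remote-ip 10.122.0.0/24 (the management network).
HARDENED_RULES='"IP Protocol","IP Range","Port Range","Direction"
"tcp","10.122.0.0/24","22:22","ingress"
"tcp","0.0.0.0/0","80:80","ingress"
"tcp","0.0.0.0/0","443:443","ingress"'

echo "world-open ingress rules in web-sg:"
printf '%s\n' "$WEB_SG_RULES" | world_open_ingress
if printf '%s\n' "$WEB_SG_RULES" | ssh_world_open; then
  echo "web-sg: SSH (tcp/22) is reachable from any address"
fi
```

To audit a live group, pipe the listing command from the comment into `world_open_ingress`; `ssh_world_open` exits 0 when SSH is open to the world, which is the condition to alert on. Restricting the SSH rule with `--remote-ip 10.122.0.0/24` leaves the web ports open while the management network alone can reach port 22.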

Delete Security Group

openstack security group delete web-sg