Bookmark this page

P 1 2 3 4 5 6 7 8 9 10

Chapter 4. Configuring Resources to Launch a Non-public Instance

SectionDefining a Virtual Machine by Specifying an Image and a Flavor

SectionObjectives
SectionIntroduction to Images
SectionDescribing Image Storage
SectionImage Properties
SectionManaging Images
SectionIntroduction to Flavors
SectionManaging Flavors
SectionDefining Storage in Flavors
SectionCoordinating Image and Flavor Sizing
SectionOther Parameters in a Flavor
SectionSetting the Root User Password for an Instance
Section

Guided Exercise: Defining a Virtual Machine by Specifying an Image and a Flavor

Creating Project Networks and Subnetworks

Objectives
Describing OpenStack Tenant Networks

Guided Exercise: Creating Project Networks and Subnetworks

Launching and Verifying a Non-public Instance

Objectives
Launching an Instance
Verifying a Running Instance
Verifying Available Resources using the Dashboard

Guided Exercise: Launching and Verifying a Non-public Instance

Lab: Configuring Resources to Launch a Non-public Instance

Summary

Abstract

Goal	Configure the requisite resource types for launching a basic non-public instance, including vCPUs, memory, and a system disk image, and launch an instance of an application component that runs in a tenant network with no public access.
Objectives	Define the resources that control the function, size, and capacity of a running instance. Create the network configuration and IP addressing for launching tenant instances. Select and manage relevant parameters for launching a non-public, tenant instance.
Sections	Defining a Virtual Machine by Specifying an Image and a Flavor (and Guided Exercise) Creating Project Networks and Subnetworks (and Guided Exercise) Launching and Verifying a Non-public Instance (and Guided Exercise)
Lab	Configuring Resources to Launch a Non-public Instance

Defining a Virtual Machine by Specifying an Image and a Flavor

Objectives

After completing this section, you should be able to define the resources that control the function, size, and capacity of a running instance.

Introduction to Images

A domain operator understands the relationship between an image and a flavor, including properly setting minimum sizing constraints, and the use cases for specifying the choice of raw versus QCOW, and how Ceph influences that choice. They can advise cloud users about methods and considerations for deploying instances using images as boot volumes, and can demonstrate correct instance sizing and disk configuration for a given application use case. They can advise why there are fixed flavor configurations for specific application use cases, as opposed to arbitrary sizing for each application when deployed.

In Red Hat OpenStack Platform, an image is a file containing a virtual disk installed with a bootable operating system. Images are managed by the Image Service (Glance). An image is one of the fundamental requirements for deploying instances.

Red Hat provides a guest image preconfigured with cloud-init. Cloud-init performs instance customization such as injecting SSH keys, and requires access to an EC2-compatible metadata service.

Any user can upload images. The following image formats are currently supported on Red Hat OpenStack Platform 16:

Table 4.1. Image Formats

Format	Description
`AKI`	An Amazon kernel image, supported by Amazon EC2.
`AMI`	An Amazon machine image, supported by Amazon EC2.
`ARI`	An Amazon RAM disk image, supported by Amazon EC2.
`ISO`	An archive format for the data contents of an optical disc (for example, a CD).
`PLOOP`	A container format used by Virtuozzo.
`QCOW2`	A disk format supported by the QEMU emulator that can expand dynamically and supports the copy-on-write feature.
`RAW`	An unstructured disk image format.
`VDI`	A disk format supported by VirtualBox virtual machine monitor and the QEMU emulator.
`VHD`	A common disk format used by virtual machine monitors from VMware, Xen, Microsoft, VirtualBox, and others.
`VHDX`	An enhanced version of the VHD format that supports larger disks, and has data corruption protection.
`VMDK`	Another common disk format supported by many common virtual machine monitors.

You can upload and use any image format when the instance is deployed on an appropriate platform, such as using an AMI image on OpenStack deployed on the Amazon public cloud. Red Hat only supports RAW, QCOW2, and VMDK when running on an RHOSP private cloud, because the only supported hypervisor technology is KVM/QEMU, even on IBM Power and Z series.

When Ceph is not used, administrators can use the glance command (not the openstack command) to import images, which allows the format to be converted during the import. This is designed to convert to Red Hat-supported formats only, not in any other direction.

With Ceph as the Image service storage back end, image conversion is automatically enabled. Because the Image service is configured to use Ceph RADOS Block Devices (RBD), and the Ceph RBD image store expects raw images, the image files are converted to raw format when they are first loaded using the openstack image create command.

Note

The Ceph copy-on-write feature requires the use of images in RAW format.

Images are managed using either the OpenStack Dashboard or the openstack CLI command. Use the openstack image command to manage images. The OpenStack Dashboard image management tasks are found under Project → Compute → Images.

Describing Image Storage

Each instance requires an image to create its virtual disk. An image contains the minimum required software, including a bootable OS. The image is stored in the Ceph images pool, and is served by the Image service, which manages the catalog of images. Depending on configurable attributes, images are available to some or all users, to create and deploy new instances in the Red Hat OpenStack Platform environment.

Note

When creating images, it is important to keep them small and generic. Deployment-time customizations are performed by cloud-init or configuration management tools, as discussed in a later chapter. When Ceph is not used, limiting the image size reduces the time taken to copy the image to the compute node, and results in faster initial deployments.

Describing Image Usage Without Ceph

When launching an instance, the Compute service obtains the requested image from the Image service and copies it to the libvirt cache on the compute node where the instance deployment is scheduled. Additional instances launched using the same image and scheduled to the same compute node use the cached image, avoiding another copy from the Image service. During initial instance deployment, a copy-on-write virtual disk is created and sized to match the flavor.

Describing Image Usage With Ceph

When Ceph is used as a back end for the Image service, the process changes considerably. When launching an instance, the instance block devices are created on the Ceph back end in the vms pool, by creating a copy-on-write clone of the image from the images pool, using the size specified in the flavor. Each compute node is configured to use ephemeral back-end storage devices, which allows all virtual machines to use the Ceph block devices.

Looking at the libvirt XML for an instance, note the source tag that specifies the instance disk located in the Ceph vms pool:

...output omitted...
    <disk type='network' device='disk'>
      <driver name='qemu' type='raw' cache='writeback' discard='unmap'/>
      <auth username='openstack'>
        <secret type='ceph' uuid='63e5c992-81fb-11ea-bc11-52540001fac8'/>
      </auth>
      <source protocol='rbd' name='vms/4b6bd953-2e8d-4734-821e-32653a476e9b_disk'>
        <host name='172.24.3.1' port='6789'/>
      </source>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
...output omitted...

Image Properties

Each image has metadata associated with it. These attributes can be used by other OpenStack services to verify the image requirements and settings.

Image visibility is a commonly used setting. By default, during an image's creation, its visibility is set to shared, meaning that the owner and other users within the same project can access the image. Other image visibility settings include private, community, and public. Private visibility limits image access to the owner and public visibility allows access to all users. Community visibility allows all users access to the image but only lists the image in the default image list of certain users. An image can be configured as protected so it cannot be removed unintentionally. You must first set the image to be unprotected before you can remove it.

The libosinfo database provides a generic way to match virtual guest supported hardware to the virtual hardware provided by a hypervisor. This allows virtual guests to be configured with the optimal virtual hardware for your environment.

The Image service can utilize libosinfo data to configure the virtual hardware for an image. Set the os_name property for an image to a valid libosinfo value to enable this behavior. As an example, for a Windows Server 2019 image, set the os_name property to win2k19.

You can install the libosinfo package, then use the osinfo-query os command to view the valid OS names. You can find links to more information on libosinfo in the references section.

Managing Images

Manage images from either the command line or the Dashboard.

Managing an Image Using the Command Line

To manage images using the OpenStack CLI, start by sourcing the environment file for an appropriate user. If you are creating images or working with existing images for use by most or all projects, the images must be created using the admin user in the Default domain's admin project. If the image is to be owned or used by one project, source the environment file for a user who is a project member.

[user@demo ~]$ source user-project-rc

From the command line, create the image by loading the image from its file or URL location. By default, images created by a project member are marked as private for that project.

[user@demo ~(user)]$ openstack image create \
> --min-disk 10 --min-ram 256 \
> --file ~/downloads/rhel8.qcow2 rhel8-custom1

Public images can be seen and shared by all projects. A user with the system-scope admin role can create public images, as in the following example:

[user@demo ~(admin)]$ openstack image create \
> --file ~/downloads/rhel8.qcow2 --public rhel8-base

A user with the system-scope admin role can also create private images for specific projects, using the --project option.

[user@demo ~(admin)]$ openstack image create \
> --min-disk 10 --min-ram 512 \
> --file ~/downloads/rhel8.qcow2 --project project --private rhel8-custom2

You can specify the required minimum disk and RAM size for this image to boot successfully on the command line, as shown in the previous example. You can also set or modify these settings after you have created the image. Perform the command as a user with sufficient privilege, depending on the ownership of the existing image.

[user@demo ~(admin)]$ openstack image set \
> --min-disk 10 --min-ram 256 rhel8-base

Managing an Image Using the Dashboard

To manage images in the Dashboard, open the Dashboard in a web browser and log in as a user associated with a project. Navigate to Project → Compute → Images and then click Create Image. Enter the image name in the Image Name field.

Click Browse and navigate to the image file that you want to upload. Select the image format in the Format field.

To configure the image as private, select Private in the Visibility field. If you have the project-scope admin role you can select Public to configure the image as public.

To delete an image, navigate to Project → Compute → Images. If the image is protected, click Edit Image from the actions menu, change Protected to No, and then click Update Image. The Delete Image option now appears in the action menu.

Introduction to Flavors

Flavors are hardware specification profiles for deploying instances. These specifications include the disk and memory size and the number of cores to be used for each instance deployed. Flavors can also specify sizes for additional ephemeral storage or a swap disk, plus metadata to restrict usage or to provide special project access.

Managing Flavors

You must specify a flavor to deploy an instance. The Compute service schedules the deployment by checking the compute nodes for sufficient available resources, as requested by the flavor. If no host (compute node) can be found with sufficient resources, the instance deployment fails. Any compute node with sufficient resources and an acceptable current load can be selected for this deployment. The scheduling algorithms in the Compute service define all the criteria used to prioritize compute nodes for the selected deployment.

Flavors are managed with the Dashboard or with the OpenStack CLI. Use the openstack flavor command to manage flavors. The OpenStack Dashboard flavor management tasks are found under Admin → System → Flavors. Creating and managing flavors is restricted to users assigned with the admin role to the admin project in the Default domain.

Flavors can be customized so that hardware requirements meet user needs. In addition to system disk and memory size, and the number of VCPUs, other parameters can be defined, such as adding a swap disk or additional ephemeral disk.

Creating new flavors is restricted to users with an admin role, because the flavor creation process must interface with host-level (libvirt) configuration and attributes to determine appropriate settings, extra-specs, and compute-node limitations. Only a user with the system-scope admin role can manage host-based attributes.

Furthermore, only site-wide administrators know how to balance the competing requirements of multiple customer applications, resource conservation, and high performance. Deciding flavor sizing must take into account the application adoption rates, workload demand types and load variance, expected overcommit use, quality of service constraints, number of tenants and related transactions. It must also take in account the segregation methods such as host aggregates, availability zones, and regions, and the number of physical systems that will spread the total workloads. However, this topic is covered in later courses in the Red Hat OpenStack Platform learning path.

Flavors can be restricted for the exclusive requirements and use of a specific project by creating the flavor as private. For example, flavors with large resource parameters could be restricted to only projects requiring large sizes. If a flavor with 256 GB of memory was made public, all projects have access to that flavor, and misuse of that flavor could quickly consume the cloud environment's resource capacity.

Defining Storage in Flavors

Flavors define the virtual storage to be made available to an instance. There can be several storage resources associated with an instance, including the root disk, an ephemeral disk, and a swap disk. Ephemeral devices are created and stored in the Ceph pool named vms, and are deleted when the instance is deleted. The type of back-end storage does not determine whether a device is ephemeral, but only whether the device is always discarded when the instance is deleted.

Describing the Root Disk

The root disk contains the operating system for the instance, created using an image as a template. If the flavor's root disk size is smaller than the image's minimum disk requirement, then the instance deployment is not attempted. The Compute service also supports using persistent volumes as the root disk source, which is discussed in a later chapter in this course.

Describing the Ephemeral Disk

An ephemeral disk is a new, unstructured virtual device that is attached to the launching instance. To use the empty device requires normal disk preparation, similar to adding a new physical disk to a physical server. To prepare the disk for file storage, for example, the device must be partitioned, formatted with a file system, and mounted to a directory before it can be used. You can automate disk preparation by configuring cloud-init to perform post-boot tasks, such as partitioning and formatting, during instance initialization. Cloud-init is covered later in this course. By default, flavors skip creating an ephemeral disk when you leave the ephemeral size field set to zero.

Describing the Swap Disk

A swap disk is an additional ephemeral disk attached to the instance, with the full device enabled as swap space for the running operating system. Generally, you will not configure a swap disk for most cloud instance use cases. The requirement to have swap space is a legacy concept that applies to enterprise server applications that scale up to handle increased load. If you have migrated monolithic or similar enterprise server applications directly into OpenStack with little or no redesign, then you still might need to configure swap space.

Swap sizing recommendations for migrated enterprise servers are the same in OpenStack as they are for running the same servers in a legacy virtualization or physical server environment. However, swap configuration is more stringent in cloud environments. In the cloud, swap space is configured using only dedicated ephemeral disks. To avoid disk contention, never configure swap files or swap partitions on cloud instance root disks or data volumes.

Applications and servers developed using cloud-native architecture scale horizontally, by launching more application instances instead of increasing the application's memory use as load increases. Well-written cloud-native application instances deploy with only the memory needed to perform properly, and do not require a swap disk.

Instances that use swap space need to be monitored to ensure good behavior on the compute node where they are deployed. When an instance runs more processes than their allotted random access memory can load, they begin to use swap space heavily. Swapping consumes a large portion of the compute node's available disk IOPS pool. This effect is called the noisy neighbor, because it monopolizes the compute node's disk and affects the performance of other instances deployed on that same node. This is why cloud-native development is recommended, to eliminate the use of swapping.

When launching an instance from the Dashboard, note that when selecting flavors the flavor list does not include a column for the swap size, even if swap is configured in a flavor. This can be attributed to the increasing use of cloud-native application design. If you still require a flavor to have a swap disk for legacy server deployments, Red Hat recommends that you include the word "swap" in that flavor's name, which you will appreciate when selecting the flavor during a "Launch Instance" configuration.

Coordinating Image and Flavor Sizing

An instance uses both an image as the template for its virtual system disk, and a flavor that defines the hardware resources used to deploy that instance. If an image includes minimum requirements for disk and memory size, those requirements must be met by the flavor settings, otherwise the deployment request is rejected. If an image does not include minimum requirement settings, you can deploy it using almost any flavor, but if the flavor sizing is insufficient for the image to successfully boot, the deployment fails.

To avoid issues with instance deployment, images should always be set with correct minimum sizes for proper operation. Similarly, the flavor used must specify disk and memory sizes that are equal to or larger than specified by the image. If minimum requirements are not matched by the flavor, the CLI issues an error message. In the Dashboard, while deploying an instance using the wizard, flavors that do not meet the disk and memory requirements for the selected imaged are disabled. If no flavors qualify to deploy this image, an error message is displayed.

Other Parameters in a Flavor

Red Hat OpenStack Platform administrators customize flavors for specific environments and use cases. For example, in an environment with suboptimal networking, flavors can implement instance bandwidth restrictions. When systems are limited to a maximum number of sockets, flavors can configure limits and preferences for sockets, cores, and threads. You can set disk quotas to limit the maximum write rate per second for a user. Flavor customizations are implemented by the extra_specs element.

Adding Free-form Characteristics to a Flavor

The extra_specs flavor element is used to define free-form characteristics, providing flexibility beyond specifying memory, CPU, and disk specifications. The element uses key-value pairs that assist in scheduling the compute nodes for an instance deploy. Key-value flavor settings must match corresponding key-value settings on compute nodes. For example, to configure the maximum number of supported CPU sockets, use the hw:cpu_max_sockets key. The following is a list of keys provided by the extra_specs element:

hw:action: The action that configures support limits.
hw:NUMA_def: The definition of the NUMA topology for the instance.
hw:watchdog_action: Triggers an action if the instance somehow fails (or hangs).
hw_rng:action: The action that adds a random number generator device to an instance.
quota:option: A limit that is forced on the instance.

Disk Tuning

The extra_specs element provides disk tuning options to customize performance. The following is a list of valid options:

Table 4.2. Flavor Parameters

Parameter	Description
`disk_read_bytes_sec`	Maximum disk reads in bytes per second.
`disk_read_iops_sec`	Maximum disk read I/O operations per second.
`disk_write_bytes_sec`	Maximum disk writes in bytes per second.
`disk_write_iops_sec`	Maximum disk write I/O operations per second.
`disk_total_bytes_sec`	Maximum disk total throughput limit in bytes per second.
`disk_total_iops_sec`	Maximum disk total I/O operations per second.

To implement disk I/O quotas, use the openstack flavor set command. For example, to set the maximum write speed for a VM instance to 10 MB per second using disk quotas, use the following command:

[user@demo ~(admin)]$ openstack flavor set m2.small \
> --property quota:disk_write_bytes_sec=10485760

To set the maximum read speed for a VM user to 10 MB per second using disk quotas, use the following command:

[user@demo ~(admin)]$ openstack flavor set m2.small \
> --property quota:disk_read_bytes_sec=10485760

Use the openstack flavor show command to view the flavor details, including the disk quotas.

[user@demo ~(admin)]$ openstack flavor show -c name -c properties -f json m2.small
{
  "name": "m2.small",
  "properties": "quota:disk_read_bytes_sec='10485760', quota:disk_write_bytes_sec='10485760'"
}

Managing Flavors Using the OpenStack CLI

To manage flavors in in the OpenStack unified CLI, source an identity environment file for a user with the system-scope admin role.

Use the openstack flavor create command to create a flavor. Specify the memory size, CPU count, and root disk size with the --ram, --vcpus, and --disk options respectively. Add an ephemeral disk using the --ephemeral option, or specify a swap disk with the --swap option.

[user@demo ~(user)]$ openstack flavor create \
> --ram 4096 --disk 20 --vcpus 2 example-flavor

You can view the details of a flavor using the openstack flavor show command.

[user@demo ~(user)]$ openstack flavor show example-flavor
...output omitted...

Use the openstack flavor delete command to delete a flavor.

[user@demo ~(user)]$ openstack flavor delete example-flavor

Managing Flavors Using the Dashboard

To manage flavors in the Dashboard, log in as a user with a system-scope admin role. Navigate to Admin → Flavors and then click Create Flavor. Complete the Name, VCPUs, RAM(MB), and Root Disk(GB) details, and then click Create Flavor.

To edit a flavor, select Edit Flavor in the action menu for the flavor. Adjust the values as appropriate and then click Save.

To delete a flavor, select Delete Flavor in the action menu for the flavor.

Setting the Root User Password for an Instance

Cloud images are commonly accessed using SSH keys, which can be injected into the instance during deployment. Password-based access is vulnerable to brute-force password attacks, especially on public-facing instances. If you do require password-based access for a cloud instance, several methods are available.

Configure the passwords for root and any other users by passing a user-data file to be processed by cloud-init. When setting passwords for users other than the default cloud-user account, you must remove the password: directive and replace it with the chpasswd: directive as follows:

#cloud-config
...output omitted...
chpasswd:
  list: |
     root:redhat
     cloud-user:super_secret_password
  expire: False

All users who require that passwords be set must be included in this chpasswd section.

Passwords can also be configured by editing an image before uploading it to the Image service, however this method is not a good practice as it could result in unauthorized access if the password becomes common knowledge.

Privately deployed instances (such as the lower tiers of multitier applications) are launched without public access, meaning that they cannot be accessed using the SSH key method. These instances can only be accessed using the VNC console. In this scenario, an account and password is required to access and log in to the instance. This scenario and prerelease application development scenarios are the use case for this password-setting method.

References

Further information is available in the Image Service section of the Instances and Images Guide for Red Hat OpenStack Platform at https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.0/html-single/instances_and_images_guide/index#ch-image-service

Further information is available in the Manage Flavors section of the Instances and Images Guide for Red Hat OpenStack Platform at https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.0/html-single/instances_and_images_guide/index#section-flavors

https://libosinfo.org/ libosinfo: The Operating System information database

Discuss Red Hat OpenStack Administration I: Core Operations for Domain Operators

Go to community

Red Hat OpenStack Administration I: Core Operations for Domain Operators (CL110)

Haley_Ruccio

1 sie 2023

Learn to operate a Red Hat® OpenStack Platform private cloud and manage domain resources to secure and deploy modern, scalable cloud applications, networks and storageRed Hat OpenStack Administration I: Core Operations for Domain Operators (CL110) teaches you how to operate and manage a production Red Hat OpenStack Platform (RHOSP) single-site overcloud. You will learn how to create secure project environments in which to provision resources and manage security privileges that cloud users need to deploy scalable cloud applications. You will learn about OpenShift integration with load balancers, identity management, monitoring, proxies, and storage. You will also develop more troubleshooting and Day 2 operations skills in this course.This course is based on Red Hat OpenStack Platform 16.1.Course content summaryStudents in the Red Hat OpenStack Administration I: Core Operations for Domain Operators (CL110) course will focus on performing both routine and specialized tasks that are necessary to manage a production OpenStack overcloud domain. Students will manage OpenStack using both web-based and command-line interfaces. Essential skills covered in the course include the following:Launch instances to satisfy various use case examples.Manage domains, projects, users, roles, and quota in a multitenant environment.Manage networks, subnets, routers, and floating IP addresses.Manage instance security with group rules and access keys.Create and manage block, object and shared storage within OpenStack.Perform instance launch customization with cloud-init.Deploy scalable applications using stack templates.Audience for this courseThis course is designed for cloud users who deploy application instances and stacks, domain operators who manage resources and security for cloud users, and any other cloud personnel interested in, or responsible for, maintaining applications on private or hybrid OpenStack clouds. Any cloud persona, or personnel with roles that include performing technology evaluation, should attend this course to learn RHOSP operation and application deployment methods.Prerequisites for this courseBecome a Red Hat Certified System Administrator (RHCSA) or demonstrate equivalent experienceIf you are not a RHCSA, you can take a skill assessment to gauge your level of knowledge.

Welcome to the Red Hat OpenStack Administration I (CL110) group in the Red Hat Learning Community!

Syed

31 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course CL110! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to CL110.Read more about Red Hat OpenStack Administration I: Core Operations for Domain Operators here.

Revision: cl110-16.1-4c76154