Quick Note: IPA Nova Join in the Undercloud

Note: The exact steps in this post have been superseded by this update.

Rob Crittenden has been working on a new nova microservice called novajoin that would instances created by nova to be automatically registered to IPA during cloud-init. (https://github.com/rcritten/novajoin).  It works using the newly provided vendor_metadata mechanism (https://review.openstack.org/#/c/310904/6/specs/newton/approved/vendordata-reboot.rst).   There is a short description of the design for this in the README.md at the source link. This quick note is about steps that I took to integrate novajoin into an undercloud install as started by quickstart.  In particular, the goal here was to create an undercloud node which is registered to an IPA server, installs novajoin, configures nova to use novajoin and starts the novajoin service.  The undercloud novajoin service could then be used to deploy overcloud nodes that are automatically enrolled as IPA clients.

Create the undercloud image

First, it is necessary to create a new undercloud image.  This is required because the software we need is not yet present in the undercloud image.  The exact steps to create the undercloud image can be found here: https://vakwetu.fedorapeople.org/novajoin/create-undercloud-image.sh In particular, we do the following:

    1. Start with an undercloud image.  In the script, I download from the triple-O master branch.
  • Add some code to /usr/share/instack-undercloud/puppet-stack-config/puppet-stack-config.pp to get the instack puppet code to call the puppet modules in (1) and (2).
  • Add a slightly modified novajoin-install script called ipa-novajoin-install-ipa.  This is a temporary step.  Right now, the novajoin install script does all the openstack configuration, as well as the IPA config.  We want to use the openstack puppet modules to do the required openstack configuration, and have the install script do the IPA configuration steps only.  Rob will re-factor the install scripts shortly and this step will no longer be necessary.

All of the above steps will in time become unnecessary as the relevant modules and code are merged into the Occata code base. The modified undercloud image can be downloaded from here: https://vakwetu.fedorapeople.org/novajoin/undercloud.qcow2, https://vakwetu.fedorapeople.org/novajoin/undercloud.qcow2.md5

Add the undercloud node to IPA

Before invoking quickstart, we need to register the undercloud node to IPA providing it with an OTP.  On the IPA server, I did:

kinit admin

ipa host-add undercloud.alee.test.com --password=MySecret --force

Modifying Quickstart

The puppet code that we added in instack-undercloud needs parameters which are provided by hieradata in quickstart-hieradata-overrides.yaml.  We need to make a small change to quickstart to allow it to pass these parameters to the instack-undercloud puppet modules.

We add the following to roles/tripleo/undercloud/templates/quickstart-hieradata-overrides.yaml.j2

{% if undercloud_ipa_client_install is defined %}
 enable_ipa_client_install: true
 ipa_domain: '{{ipa_domain}}'
 ipa_server: '{{ipa_server}}'
 ipa_otp: '{{ipa_otp}}'
 {% endif %}

{% if undercloud_novajoin_install is defined %}
 enable_novajoin_install: true
 nova::api::vendordata_jsonfile_path: '/etc/nova/cloud-config.json'
 nova::api::vendordata_providers: ['StaticJSON', 'DynamicJSON']
 nova::api::vendordata_dynamic_targets: ['join@']
 nova::notification_topics: 'notifications'
 nova::notify_on_state_change: 'vm_state'
 novajoin::api::hostname: "undercloud.%{hiera('ipa_domain')}"
 novajoin::api::ipa_domain: "%{hiera('ipa_domain')}"
 novajoin::api::ipa_password: "%{hiera('ipa_password')}"
 novajoin::api::ipa_principal: "%{hiera('ipa_principal')}"
 novajoin::api::ipa_server: "%{hiera('ipa_server')}"
 novajoin::api::keystone_identity_uri: "%{hiera('keystone_identity_uri')}"
 novajoin::api::keystone_auth_url: "%{hiera('keystone_auth_uri')}"
 novajoin::api::keystone_auth_uri: "%{hiera('keystone_auth_uri')}"
 novajoin::api::nova_password: "%{hiera('nova::keystone::authtoken::password')}"
 novajoin::api::transport_url: "%{hiera('nova::default_transport_url')}"
 ipa_principal: '{{ipa_principal}}'
 ipa_password: '{{ipa_password}}'
 {% endif %}

Then, we can create an environment file that specifies the required parameters (config/general_config/ha_ipa.yml)

undercloud_vcpu: 4

# Create three controller nodes and one compute node.
 - name: control_0
 flavor: control
 - name: control_1
 flavor: control
 - name: control_2
 flavor: control

- name: compute_0
 flavor: compute

# We don't need introspection in a virtual environment (because we are
 # creating all the "hardware" we really know the necessary
 # information).
 step_introspect: false

# Tell tripleo about our environment.
 network_isolation: true
 extra_args: >-
 --control-scale 3 --neutron-network-type vxlan
 --neutron-tunnel-types vxlan
 --ntp-server pool.ntp.org
 test_tempest: false
 test_ping: true
 enable_pacemaker: true

#ipa settings
 ipa_domain: 'alee.test.com'
 ipa_server: 'ipa_server_host.alee.test.com'
 ipa_otp: 'MySecret'

#novajoin settings
 ipa_principal: 'admin'
 ipa_password: 'password123'

undercloud_novajoin_install: true
 undercloud_ipa_client_install: true

The new stuff is really the part at the bottom – from IPA settings downwards.  As you can see, you just need to pass in the IPA domain, server and OTP.

Run Quickstart

We can now run quickstart as follows:

./quickstart.sh --config config/general_config/ha_ipa.yml -e undercloud_image_url='https://vakwetu.fedorapeople.org/novajoin/undercloud.qcow2' -R master --no-clone cloud-machine.alee.test.com



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s