Chapter 3. Installing the undercloud with containers
This chapter provides info on how to create a container-based undercloud and keep it updated.
3.1. Configuring director
				The director installation process requires certain settings in the undercloud.conf configuration file, which director reads from the home directory of the stack user. Complete the following steps to copy default template as a foundation for your configuration.
			
Procedure
- Copy the default template to the home directory of the - stackuser’s:- cp \ /usr/share/python-tripleoclient/undercloud.conf.sample \ ~/undercloud.conf - [stack@director ~]$ cp \ /usr/share/python-tripleoclient/undercloud.conf.sample \ ~/undercloud.conf- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
						Edit the undercloud.conffile. This file contains settings to configure your undercloud. If you omit or comment out a parameter, the undercloud installation uses the default value.
3.2. Director configuration parameters
				The following list contains information about parameters for configuring the undercloud.conf file. Keep all parameters within their relevant sections to avoid errors.
			
Defaults
					The following parameters are defined in the [DEFAULT] section of the undercloud.conf file:
				
- additional_architectures
- A list of additional (kernel) architectures that an overcloud supports. Currently the overcloud supports - ppc64learchitecture.Note- When you enable support for ppc64le, you must also set - ipxe_enabledto- False
- certificate_generation_ca
- 
							The certmongernickname of the CA that signs the requested certificate. Use this option only if you have set thegenerate_service_certificateparameter. If you select thelocalCA, certmonger extracts the local CA certificate to/etc/pki/ca-trust/source/anchors/cm-local-ca.pemand adds the certificate to the trust chain.
- clean_nodes
- Defines whether to wipe the hard drive between deployments and after introspection.
- cleanup
- 
							Cleanup temporary files. Set this to Falseto leave the temporary files used during deployment in place after you run the deployment command. This is useful for debugging the generated files or if errors occur.
- container_cli
- 
							The CLI tool for container management. Leave this parameter set to podman. Red Hat Enterprise Linux 8.1 only supportspodman.
- container_healthcheck_disabled
- 
							Disables containerized service health checks. Red Hat recommends that you enable health checks and leave this option set to false.
- container_images_file
- Heat environment file with container image information. This file can contain the following entries: - Parameters for all required container images
- 
									The ContainerImagePrepareparameter to drive the required image preparation. Usually the file that contains this parameter is namedcontainers-prepare-parameter.yaml.
 
- container_insecure_registries
- 
							A list of insecure registries for podmanto use. Use this parameter if you want to pull images from another source, such as a private container registry. In most cases,podmanhas the certificates to pull container images from either the Red Hat Container Catalog or from your Satellite server if the undercloud is registered to Satellite.
- container_registry_mirror
- 
							An optional registry-mirrorconfigured thatpodmanuses.
- custom_env_files
- Additional environment files that you want to add to the undercloud installation.
- deployment_user
- 
							The user who installs the undercloud. Leave this parameter unset to use the current default user stack.
- discovery_default_driver
- 
							Sets the default driver for automatically enrolled nodes. Requires the enable_node_discoveryparameter to be enabled and you must include the driver in theenabled_hardware_typeslist.
- enable_ironic; enable_ironic_inspector; enable_mistral; enable_nova; enable_tempest; enable_validations; enable_zaqar
- 
							Defines the core services that you want to enable for director. Leave these parameters set to true.
- enable_node_discovery
- 
							Automatically enroll any unknown node that PXE-boots the introspection ramdisk. New nodes use the fake_pxedriver as a default but you can setdiscovery_default_driverto override. You can also use introspection rules to specify driver information for newly enrolled nodes.
- enable_novajoin
- 
							Defines whether to install the novajoinmetadata service in the undercloud.
- enable_routed_networks
- Defines whether to enable support for routed control plane networks.
- enable_swift_encryption
- Defines whether to enable Swift encryption at-rest.
- enable_telemetry
- 
							Defines whether to install OpenStack Telemetry services (gnocchi, aodh, panko) in the undercloud. Set the enable_telemetryparameter totrueif you want to install and configure telemetry services automatically. The default value isfalse, which disables telemetry on the undercloud. This parameter is required if you use other products that consume metrics data, such as Red Hat CloudForms.
- enabled_hardware_types
- A list of hardware types that you want to enable for the undercloud.
- generate_service_certificate
- 
							Defines whether to generate an SSL/TLS certificate during the undercloud installation, which is used for the undercloud_service_certificateparameter. The undercloud installation saves the resulting certificate/etc/pki/tls/certs/undercloud-[undercloud_public_vip].pem. The CA defined in thecertificate_generation_caparameter signs this certificate.
- heat_container_image
- URL for the heat container image to use. Leave unset.
- heat_native
- 
							Run host-based undercloud configuration using heat-all. Leave astrue.
- hieradata_override
- 
							Path to hieradataoverride file that configures Puppet hieradata on the director, providing custom configuration to services beyond theundercloud.confparameters. If set, the undercloud installation copies this file to the/etc/puppet/hieradatadirectory and sets it as the first file in the hierarchy. For more information about using this feature, see Configuring hieradata on the undercloud.
- inspection_extras
- 
							Defines whether to enable extra hardware collection during the inspection process. This parameter requires the python-hardwareorpython-hardware-detectpackages on the introspection image.
- inspection_interface
- 
							The bridge that director uses for node introspection. This is a custom bridge that the director configuration creates. The LOCAL_INTERFACEattaches to this bridge. Leave this as the defaultbr-ctlplane.
- inspection_runbench
- 
							Runs a set of benchmarks during node introspection. Set this parameter to trueto enable the benchmarks. This option is necessary if you intend to perform benchmark analysis when inspecting the hardware of registered nodes.
- ipa_otp
- 
							Defines the one-time password to register the undercloud node to an IPA server. This is required when enable_novajoinis enabled.
- ipv6_address_mode
- IPv6 address configuration mode for the undercloud provisioning network. The following list contains the possible values for this parameter: - dhcpv6-stateless - Address configuration using router advertisement (RA) and optional information using DHCPv6.
- dhcpv6-stateful - Address configuration and optional information using DHCPv6.
 
- ipxe_enabled
- 
							Defines whether to use iPXE or standard PXE. The default is true, which enables iPXE. Set this parameter tofalseto use standard PXE.
- local_interface
- The chosen interface for the director Provisioning NIC. This is also the device that director uses for DHCP and PXE boot services. Change this value to your chosen device. To see which device is connected, use the - ip addrcommand. For example, this is the result of an- ip addrcommand:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In this example, the External NIC uses - em0and the Provisioning NIC uses- em1, which is currently not configured. In this case, set the- local_interfaceto- em1. The configuration script attaches this interface to a custom bridge defined with the- inspection_interfaceparameter.
- local_ip
- 
							The IP address defined for the director Provisioning NIC. This is also the IP address that director uses for DHCP and PXE boot services. Leave this value as the default 192.168.24.1/24unless you use a different subnet for the Provisioning network, for example, if this IP address conflicts with an existing IP address or subnet in your environment.
- local_mtu
- 
							The maximum transmission unit (MTU) that you want to use for the local_interface. Do not exceed 1500 for the undercloud.
- local_subnet
- 
							The local subnet that you want to use for PXE boot and DHCP interfaces. The local_ipaddress should reside in this subnet. The default isctlplane-subnet.
- net_config_override
- 
							Path to network configuration override template. If you set this parameter, the undercloud uses a JSON format template to configure the networking with os-net-configand ignores the network parameters set inundercloud.conf. Use this parameter when you want to configure bonding or add an option to the interface. See/usr/share/python-tripleoclient/undercloud.conf.samplefor an example.
- networks_file
- 
							Networks file to override for heat.
- output_dir
- Directory to output state, processed heat templates, and Ansible deployment files.
- overcloud_domain_name
- The DNS domain name that you want to use when you deploy the overcloud. Note- When you configure the overcloud, you must set the - CloudDomainparameter to a matching value. Set this parameter in an environment file when you configure your overcloud.
- roles_file
- The roles file that you want to use to override the default roles file for undercloud installation. It is highly recommended to leave this parameter unset so that the director installation uses the default roles file.
- scheduler_max_attempts
- The maximum number of times that the scheduler attempts to deploy an instance. This value must be greater or equal to the number of bare metal nodes that you expect to deploy at once to avoid potential race conditions when scheduling.
- service_principal
- The Kerberos principal for the service using the certificate. Use this parameter only if your CA requires a Kerberos principal, such as in FreeIPA.
- subnets
- 
							List of routed network subnets for provisioning and introspection. The default value includes only the ctlplane-subnetsubnet. For more information, see Subnets.
- templates
- Heat templates file to override.
- undercloud_admin_host
- 
							The IP address or hostname defined for director Admin API endpoints over SSL/TLS. The director configuration attaches the IP address to the director software bridge as a routed IP address, which uses the /32netmask.
- undercloud_debug
- 
							Sets the log level of undercloud services to DEBUG. Set this value totrueto enableDEBUGlog level.
- undercloud_enable_selinux
- 
							Enable or disable SELinux during the deployment. It is highly recommended to leave this value set to trueunless you are debugging an issue.
- undercloud_hostname
- Defines the fully qualified host name for the undercloud. If set, the undercloud installation configures all system host name settings. If left unset, the undercloud uses the current host name, but you must configure all system host name settings appropriately.
- undercloud_log_file
- 
							The path to a log file to store the undercloud install and upgrade logs. By default, the log file is install-undercloud.login the home directory. For example,/home/stack/install-undercloud.log.
- undercloud_nameservers
- A list of DNS nameservers to use for the undercloud hostname resolution.
- undercloud_ntp_servers
- A list of network time protocol servers to help synchronize the undercloud date and time.
- undercloud_public_host
- 
							The IP address or hostname defined for director Public API endpoints over SSL/TLS. The director configuration attaches the IP address to the director software bridge as a routed IP address, which uses the /32netmask.
- undercloud_service_certificate
- The location and filename of the certificate for OpenStack SSL/TLS communication. Ideally, you obtain this certificate from a trusted certificate authority. Otherwise, generate your own self-signed certificate.
- undercloud_timezone
- Host timezone for the undercloud. If you do not specify a timezone, director uses the existing timezone configuration.
- undercloud_update_packages
- Defines whether to update packages during the undercloud installation.
Subnets
					Each provisioning subnet is a named section in the undercloud.conf file. For example, to create a subnet called ctlplane-subnet, use the following sample in your undercloud.conf file:
				
You can specify as many provisioning networks as necessary to suit your environment.
- cidr
- 
							The network that director uses to manage overcloud instances. This is the Provisioning network, which the undercloud neutronservice manages. Leave this as the default192.168.24.0/24unless you use a different subnet for the Provisioning network.
- masquerade
- Defines whether to masquerade the network defined in the - cidrfor external access. This provides the Provisioning network with a degree of network address translation (NAT) so that the Provisioning network has external access through director.Note- The director configuration also enables IP forwarding automatically using the relevant - sysctlkernel parameter.
- dhcp_start; dhcp_end
- The start and end of the DHCP allocation range for overcloud nodes. Ensure that this range contains enough IP addresses to allocate your nodes.
- dhcp_exclude
- IP addresses to exclude in the DHCP allocation range.
- dns_nameservers
- 
							DNS nameservers specific to the subnet. If no nameservers are defined for the subnet, the subnet uses nameservers defined in the undercloud_nameserversparameter.
- gateway
- 
							The gateway for the overcloud instances. This is the undercloud host, which forwards traffic to the External network. Leave this as the default 192.168.24.1unless you use a different IP address for director or want to use an external gateway directly.
- host_routes
- 
							Host routes for the Neutron-managed subnet for the overcloud instances on this network. This also configures the host routes for the local_subneton the undercloud.
- inspection_iprange
- 
							Temporary IP range for nodes on this network to use during the inspection process. This range must not overlap with the range defined by dhcp_startanddhcp_endbut must be in the same IP subnet.
Modify the values for these parameters to suit your configuration. When complete, save the file.
3.3. Installing director
Complete the following steps to install director and perform some basic post-installation tasks.
Procedure
- Run the following command to install director on the undercloud: - openstack undercloud install - [stack@director ~]$ openstack undercloud install- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This command launches the director configuration script. Director installs additional packages and configures its services according to the configuration in the - undercloud.conf. This script takes several minutes to complete.- The script generates two files: - 
								undercloud-passwords.conf- A list of all passwords for the director services.
- 
								stackrc- A set of initialization variables to help you access the director command line tools.
 
- 
								
- The script also starts all OpenStack Platform service containers automatically. You can check the enabled containers with the following command: - sudo podman ps - [stack@director ~]$ sudo podman ps- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To initialize the - stackuser to use the command line tools, run the following command:- source ~/stackrc - [stack@director ~]$ source ~/stackrc- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The prompt now indicates that OpenStack commands authenticate and execute against the undercloud; - (undercloud) [stack@director ~]$- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
The director installation is complete. You can now use the director command line tools.
3.4. Performing a minor update of a containerized undercloud
The director provides commands to update the packages on the undercloud node. This allows you to perform a minor update within the current version of your OpenStack Platform environment.
Procedure
- 
						Log into the director as the stackuser.
- Run - dnfto upgrade the director’s main packages:- sudo dnf update -y python3-tripleoclient* openstack-tripleo-common openstack-tripleo-heat-templates tripleo-ansible - $ sudo dnf update -y python3-tripleoclient* openstack-tripleo-common openstack-tripleo-heat-templates tripleo-ansible- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- The director uses the - openstack undercloud upgradecommand to update the undercloud environment. Run the command:- openstack undercloud upgrade - $ openstack undercloud upgrade- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Wait until the undercloud upgrade process completes.
- Reboot the undercloud to update the operating system’s kernel and other system packages: - sudo reboot - $ sudo reboot- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Wait until the node boots.