Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 2. Installing and preparing director Operator

You install Red Hat OpenStack Platform (RHOSP) director Operator (OSPdO) on an existing operational Red Hat Openshift Container Platform (RHOCP) cluster. You perform the OSPdO installation tasks and all overcloud creation tasks on a workstation that has access to the RHOCP cluster. After you have installed OSPdO, you must create a data volume for the base operating system and add authentication details for your remote Git repository. You can also set the root password for your nodes. If you do not set a root password, you can still log into nodes with the SSH keys defined in the osp-controlplane-ssh-keys Secret.

Note

Support for Red Hat OpenStack Platform director Operator will only be granted if your architecture is approved by Red Hat Services or by a Technical Account Manager. Please contact Red Hat before deploying this feature.

2.1. Prerequisites
Copy link

  • An operational Red Hat Openshift Container Platform (RHOCP) cluster, version 4.12, 4.14, 4.16, or 4.18. The cluster must contain a provisioning network, and the following Operators:

    • A baremetal cluster Operator. The baremetal cluster Operator must be enabled. For more information on baremetal cluster Operators, see Bare-metal cluster Operators.
    • OpenShift Virtualization Operator. For more information on installing the OpenShift Virtualization Operator, see Installing OpenShift Virtualization using the web console.
    • SR-IOV Network Operator.

    • Kubernetes NMState Operator. You must also create an NMState instance to finish installing all the NMState CRDs: 

      cat <<EOF | oc apply -f -
apiVersion: nmstate.io/v1
kind: NMState
metadata:
  name: nmstate
  namespace: openshift-nmstate
EOF

      For more information on installing the Kubernetes NMState Operator, see Installing the Kubernetes NMState Operator.

  • The oc command line tool is installed on your workstation.
  • A remote Git repository for OSPdO to store the generated configuration for your overcloud.
  • An SSH key pair is generated for the Git repository and the public key is uploaded to the Git repository.

  • The following persistent volumes to fulfill the persistent volume claims that OSPdO creates:

    • 4G for openstackclient-cloud-admin.
    • 1G for openstackclient-hosts.
    • 500G for the base image that OSPdO clones for each Controller virtual machine.
    • A minimum of 50G for each Controller virtual machine. For more information, see Controller node requirements

2.2. Bare-metal cluster Operators
Copy link

Red Hat Openshift Container Platform (RHOCP) clusters that you install with the installer-provisioned infrastructure (IPI) or assisted installation (AI) use the baremetal platform type and have the baremetal cluster Operator enabled. RHOCP clusters that you install with user-provisioned infrastructure (UPI) use the none platform type and might have the baremetal cluster Operator disabled.

If the cluster is of type AI or IPI, it uses metal3, a Kubernetes API for the management of bare-metal hosts. It maintains an inventory of available hosts as instances of the BareMetalHost custom resource definition (CRD). You can use the bare-metal Operator to perform the following tasks:

  • Inspect the host’s hardware details and report them to the corresponding BareMetalHost CR. This includes information about CPUs, RAM, disks, and NICs.
  • Provision hosts with a specific image.
  • Clean a host’s disk contents before or after provisioning.

To check if the baremetal cluster Operator is enabled, navigate to Administration > Cluster Settings > ClusterOperators > baremetal, scroll to the Conditions section, and view the Disabled status.

To check the platform type of the RHOCP cluster, navigate to Administration > Cluster Settings > Configuration > Infrastructure, switch to YAML view, scroll to the Conditions section, and view the status.platformStatus value.

2.3. Installing director Operator
Copy link

To install director Operator (OSPdO), you must create the openstack project (namespace) for OSPdO and create the following custom resources (CRs) within the project:

  • A CatalogSource, which identifies the index image to use for the OSPdO catalog.
  • An OperatorGroup, which defines the Operator group for OSPdO and restricts OSPdO to a target namespace.
  • A Subscription, which tracks changes in the OSPdO catalog.

Procedure

  1. Create the OSPdO project: 

    $ oc new-project openstack
  2. Obtain the latest osp-director-operator-bundle image from https://catalog.redhat.com/software/containers/search.
  3. Download the Operator Package Manager (opm) tool from https://console.redhat.com/openshift/downloads.

  4. Use the opm tool to create an index image: 

    $ BUNDLE_IMG="registry.redhat.io/rhosp-rhel9/osp-director-operator-bundle:1.3.1"
$ INDEX_IMG="quay.io/<account>/osp-director-operator-index:x.y.z-a"
$ opm index add --bundles ${BUNDLE_IMG} --tag ${INDEX_IMG} -u podman --pull-tool podman

  5. Push the index image to your registry: 

    $ podman push ${INDEX_IMG}
  6. Create an environment file to configure the CatalogSource, OperatorGroup, and Subscription CRs required to install OSPdO, for example, osp-director-operator.yaml.

  7. To configure the CatalogSource CR, add the following configuration to osp-director-operator.yaml: 

    apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: osp-director-operator-index
  namespace: openstack
spec:
  sourceType: grpc
  image: quay.io/<account>/osp-director-operator-index:x.y.z-a

    For information about how to apply the Quay authentication so that the Operator deployment can pull the image, see Accessing images for Operators from private registries.

  8. To configure the OperatorGroup CR, add the following configuration to osp-director-operator.yaml: 

    ---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: "osp-director-operator-group"
  namespace: openstack
spec:
  targetNamespaces:
  - openstack

  9. To configure the Subscription CR, add the following configuration to osp-director-operator.yaml: 

    ---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: osp-director-operator-subscription
  namespace: openstack
spec:
  config:
    env:
    - name: WATCH_NAMESPACE
      value: openstack,openshift-machine-api,openshift-sriov-network-operator
  source: osp-director-operator-index
  sourceNamespace: openstack
  name: osp-director-operator

  10. Create the new CatalogSource, OperatorGroup, and Subscription CRs within the openstack namespace: 

    $ oc apply -f osp-director-operator.yaml

  11. Confirm that you have installed OSPdO, osp-director-operator.openstack, by listing the installed operators: 

    $ oc get operators
NAME                                     AGE
osp-director-operator.openstack          5m

Next steps

You must create a data volume with the Red Hat OpenShift Container Platform (RHOCP) cluster to store the base operating system image for your Controller virtual machines (VMs). You use the baseImageVolumeName parameter to specify this data volume when you create the OpenStackControlPlane and OpenStackVmSet custom resources.

Prerequisites

  • The virtctl client tool is installed on your workstation. To install this tool on a Red Hat Enterprise Linux (RHEL) workstation, use the following commands: 

    $ sudo subscription-manager repos --enable=cnv-4.12-for-rhel-8-x86_64-rpms
$ sudo dnf install -y kubevirt-virtctl

  • The virt-customize client tool is installed on your workstation. To install this tool on a RHEL workstation, use the following command: 

    $ dnf install -y libguestfs-tools-c

Procedure

  1. Download a RHEL 9.2 QCOW2 image from the Product Download section of the Red Hat Customer Portal to your workstation.

  2. Optional: Add a custom CA certificate: 

    $ sudo -s
$ export LIBGUESTFS_BACKEND=direct
$ virt-copy-in -a <local_path_to_image> <ca_certificate>.pem /etc/pki/ca-trust/source/anchors/

    You might want to add a custom CA certificate to secure LDAP communication for the Identity service, or to communicate with any non-RHOSP system.

  3. Create a script to customize the image to assign predictable network interface names: 

    #!/bin/bash
set -eux

if [ -e /etc/kernel/cmdline ]; then
  echo 'Updating /etc/kernel/cmdline'
  sed -i -e "s/^\(.*\)net\.ifnames=0\s*\(.*\)/\1\2/" /etc/kernel/cmdline
fi

source /etc/default/grub
if grep -q "net.ifnames=0" <<< "$GRUB_CMDLINE_LINUX"; then
  echo 'Updating /etc/default/grub'
  sed -i -e "s/^\(GRUB_CMDLINE_LINUX=.*\)net\.ifnames=0\s*\(.*\)/\1\2/" /etc/default/grub
fi
if [ "$GRUB_ENABLE_BLSCFG" == "true" ]; then
  echo 'Fixing BLS entries'
  find /boot/loader/entries -type f -exec sed -i -e "s/^\(.*\)net\.ifnames=0\s*\(.*\)/\1\2/" {} \;
fi
# Always do this, on RHEL8 with BLS we still need it as the BLS entry uses $kernelopts from grubenv
echo 'Running grub2-mkconfig'
grub2-mkconfig -o /etc/grub2.cfg
grub2-mkconfig -o /etc/grub2-efi.cfg
rm -f /etc/sysconfig/network-scripts/ifcfg-ens* /etc/sysconfig/network-scripts/ifcfg-eth*
update-ca-trust extract

  4. Run the image customization script: 

    $ sudo -s
$ export LIBGUESTFS_BACKEND=direct
$ chmod 755 customize_image.sh
$ virt-customize -a <local_path_to_image> --run customize_image.sh --truncate /etc/machine-id

  5. Use virtctl to upload the image to OpenShift Virtualization: 

    $ virtctl image-upload dv <datavolume_name> -n openstack \
 --size=<size> --image-path=<local_path_to_image> \
 --storage-class <storage_class> --access-mode <access_mode> --insecure
    • Replace <datavolume_name> with the name of the data volume, for example, openstack-base-img.
    • Replace <size> with the size of the data volume required for your environment, for example, 500Gi. The minimum size is 500GB.

    • Replace <storage_class> with the required storage class from your cluster. Use the following command to retrieve the available storage classes: 

      $ oc get storageclass
    • Replace <access_mode> with the access mode for the PVC. The default value is ReadWriteOnce.

Next steps

Director Operator (OSPdO) stores rendered Ansible playbooks to a remote Git repository and uses this repository to track changes to the overcloud configuration. You can use any Git repository that supports SSH authentication. You must provide details for the Git repository as a Red Hat OpenShift Platform (RHOCP) Secret resource named git-secret.

Prerequisites

  • The private key of the SSH key pair for your OSPdO Git repository.

Procedure

  1. Create the git-secret Secret resource: 

    $ oc create secret generic <secret_name> -n <namespace> \
 --from-file=git_ssh_identity=<path_to_private_SSH_key> \
 --from-literal=git_url=<git_server_URL>
    • Replace <secret_name> with the name of the secret, in this case, git-secret.
    • Replace <namespace> with the name of the namespace to create the secret in, for example, openstack.
    • Replace <path_to_private_SSH_key> with the path to the private key to access the Git repository.
    • Replace <git_server_URL> with the SSH URL of the git repository that stores the OSPdO configuration, for example, ssh://<user>@<server>:2202/repo.git.

  2. Verify that the Secret resource is created: 

    $ oc get secret/git-secret -n openstack

Next steps

2.6. Setting the root password for nodes
Copy link

To access the root user with a password on each node, you can set a root password in a Secret resource named userpassword. Setting the root password for nodes is optional. If you do not set a root password, you can still log into nodes with the SSH keys defined in the osp-controlplane-ssh-keys Secret.

Note

If you set the root password, you must use the passwordSecret parameter to specify the name of this Secret resource when you create OpenStackControlPlane and OpenStackBaremetalSet custom resources. The examples in this guide use the Secret resource name userpassword.

Procedure

  1. Convert your chosen password to a base64 value: 

    $ echo -n "p@ssw0rd!" | base64
cEBzc3cwcmQh
    Important

    The -n option removes the trailing newline from the echo output.

  2. Create a file named openstack-userpassword.yaml on your workstation. Include the following resource specification for the Secret in the file: 

    apiVersion: v1
kind: Secret
metadata:
  name: <secret_name>
  namespace: openstack
data:
  NodeRootPassword: "<password>"
    • Replace <secret_name> with the name of this Secret resource, for example, userpassword.
    • Replace <password> with your base64 encoded password.

  3. Create the userpassword Secret: 

    $ oc create -f openstack-userpassword.yaml -n openstack

Next steps

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top