Planning your deployment


Red Hat OpenStack Services on OpenShift 18.0

Planning a Red Hat OpenStack Services on OpenShift environment on a Red Hat OpenShift Container Platform cluster

OpenStack Documentation Team

Abstract

Plan your Red Hat OpenStack Services on OpenShift control plane and data plane.

Providing feedback on Red Hat documentation

We appreciate your input on our documentation. Tell us how we can make it better.

Providing documentation feedback in Jira

Use the Create Issue form to provide feedback on the documentation for Red Hat OpenStack Services on OpenShift (RHOSO) or earlier releases of Red Hat OpenStack Platform (RHOSP). When you create an issue for RHOSO or RHOSP documents, the issue is recorded in the RHOSO Jira project, where you can track the progress of your feedback.

To complete the Create Issue form, ensure that you are logged in to Jira. If you do not have a Red Hat Jira account, you can create an account at https://issues.redhat.com.

  1. Click the following link to open a Create Issue page: Create Issue
  2. Complete the Summary and Description fields. In the Description field, include the documentation URL, chapter or section number, and a detailed description of the issue. Do not modify any other fields in the form.
  3. Click Create.

Chapter 1. Red Hat OpenStack Services on OpenShift overview

Red Hat OpenStack Services on OpenShift (RHOSO) provides the foundation to build a private or public Infrastructure-as-a-Service (IaaS) cloud on top of Red Hat Enterprise Linux. It is a scalable, fault-tolerant platform for the development of cloud-enabled workloads.

The RHOSO control plane is hosted and managed as a workload on a Red Hat OpenShift Container Platform (RHOCP) cluster. The RHOSO data plane consists of external Red Hat Enterprise Linux (RHEL) nodes, managed with Red Hat Ansible Automation Platform, that host RHOSO workloads. The data plane nodes can be Compute nodes, Storage nodes, Networker nodes, or other types of nodes.

The RHOSO IaaS cloud is implemented by a collection of interacting services that control its computing, storage, and networking resources. You can manage the cloud with a web-based interface to control, provision, and automate RHOSO resources. Additionally, an extensive API controls the RHOSO infrastructure and this API is also available to end users of the cloud.

Note

RHOSO only supports RHOCP master and worker nodes with processors based on a 64-bit x86 hardware architecture.

1.1. RHOSO services and Operators

The Red Hat OpenStack Services on OpenShift (RHOSO) IaaS services are implemented as a collection of Operators running on a Red Hat OpenShift Container Platform (RHOCP) cluster. These Operators manage the compute, storage, networking, and other services for your RHOSO cloud.

Important

Red Hat recommends using the Red Hat OpenShift Container Platform (RHOCP) OperatorHub to obtain all Operators.

The OpenStack Operator (openstack-operator) installs all the service Operators detailed in the Services table, and is the interface that you use to manage those Operators. The OpenStack Operator also installs and manages the following Operators:

openstack-baremetal-operator
Used by the OpenStack Operator during the bare-metal node provisioning process.

For more information on the functionality of each service, see the service-specific documentation on the Red Hat OpenStack Services on OpenShift 18.0 documentation portal.

Table 1.1. Services

Service | Operator | Default | Description
Bare Metal Provisioning (ironic) | ironic-operator | Disabled | Supports physical machines for a variety of hardware vendors with hardware-specific drivers. Bare Metal Provisioning integrates with the Compute service to provision physical machines in the same way that virtual machines are provisioned, and provides a solution for the bare-metal-to-trusted-project use case.
Block Storage (cinder) | cinder-operator | Enabled | Provides and manages persistent block storage volumes for virtual machine instances.
Compute (nova) | nova-operator | Enabled | Provides management of the provisioning of compute resources, such as Virtual Machines, through the libvirt driver or physical servers through the ironic driver.
Dashboard (horizon) | horizon-operator | Disabled | Provides a browser-based GUI dashboard for creating and managing cloud resources and user access. The Dashboard service provides Project, Admin, and Settings dashboards by default. You can configure the dashboard to interface with other products such as billing, monitoring, and additional management tools.
DNS (designate) | designate-operator | Enabled | Provides DNS-as-a-Service (DNSaaS) that manages DNS records and zones in the cloud. You can deploy BIND instances to contain DNS records, or you can integrate the DNS service into an existing BIND infrastructure. Can also be integrated with the RHOSO Networking service (neutron) to automatically create records for virtual machine instances, network ports, and floating IPs.
Identity (keystone) | keystone-operator | Enabled | Provides user authentication and authorization to all RHOSO services and for managing users, projects, and roles. Supports multiple authentication mechanisms, including username and password credentials, token-based systems, and AWS-style log-ins.
Image (glance) | glance-operator | Enabled | Registry service for storing resources such as virtual machine images and volume snapshots. Cloud users can add new images or take a snapshot of an existing instance for immediate storage. You can use the snapshots for backup or as templates for new instances.
Key Management (barbican) | barbican-operator | Enabled | Provides secure storage, provisioning and management of secrets such as passwords, encryption keys, and X.509 Certificates. This includes keying material such as Symmetric Keys, Asymmetric Keys, Certificates, and raw binary data.
Load-balancing (octavia) | octavia-operator | Disabled | Provides Load Balancing-as-a-Service (LBaaS) for the cloud that supports multiple provider drivers. The reference provider driver (Amphora provider driver) is an open-source, scalable, and highly available load balancing provider. It accomplishes its delivery of load balancing services by managing a fleet of virtual machines, collectively known as amphorae, which it creates on demand.
MariaDB | mariadb-operator | Enabled | Provides methods to deploy and manage MariaDB Galera clusters.
Memcached | infra-operator | Enabled | Provides methods for managing infrastructure.
Networking (neutron) | neutron-operator | Enabled | Provides Networking-as-a-Service (NaaS) through software-defined networking (SDN) in virtual compute environments. Handles the creation and management of a virtual networking infrastructure in the cloud, which includes networks, subnets, and routers.
Object Storage (swift) | swift-operator | Enabled | Provides efficient and durable storage of large amounts of data, including static entities such as videos, images, email messages, files, or instance images. Objects are stored as binaries on the underlying file system with metadata stored in the extended attributes of each file.
OVN | ovn-operator | Enabled | Provides methods to deploy and manage OVNs.
Orchestration (heat) | heat-operator | Disabled | Template-based orchestration engine that supports automatic creation of resource stacks. Provides templates to create and manage cloud resources such as storage, networking, instances, or applications. You can use the templates to create stacks, which are collections of resources.
Placement (placement) | placement-operator | Enabled | Provides methods to install and manage an OpenStack Placement installation.
Telemetry (ceilometer, prometheus) | telemetry-operator | Enabled | Provides user-level usage data for RHOSO clouds. You can use the data for customer billing, system monitoring, or alerts. Telemetry can collect data from notifications sent by existing RHOSO components such as Compute usage events, or by polling RHOSO infrastructure resources such as libvirt.
RabbitMQ | rabbitmq-cluster-operator | Enabled | Provides methods to deploy and manage RabbitMQ clusters.
Shared File Systems (manila) | manila-operator | Disabled | Provisions shared file systems that can be used by multiple virtual machine instances, bare-metal nodes, or containers.

1.2. Features of a RHOSO environment

The basic architecture of a Red Hat OpenStack Services on OpenShift (RHOSO) environment includes the following features:

Container-native application delivery
RHOSO is delivered by using a container-native approach that spans the Red Hat OpenShift Container Platform (RHOCP) and RHEL platforms to deliver a container-native RHOSO deployment.
RHOCP-hosted services
RHOCP hosts infrastructure services and RHOSO controller services by using RHOCP Operators to provide lifecycle management.
Ansible-managed RHEL-hosted services
RHOSO workloads run on RHEL nodes that are managed by the OpenStack Operator. The OpenStack Operator runs Ansible jobs to configure the RHEL data plane nodes, such as the Compute nodes. RHOCP manages provisioning, DNS, and configuration management.
Installer-provisioned infrastructure
The RHOSO installer enables installer-provisioned infrastructure that uses RHOSO bare-metal machine management to provision the Compute nodes for the RHOSO cloud.
User-provisioned infrastructure
If you have your own machine ingest and provisioning workflow, you can use the RHOSO pre-provisioned model to add your pre-provisioned hardware into your RHOSO environment, while receiving the benefits of a container-native workflow.
Hosted RHOSO client
RHOSO provides a host openstackclient pod that is preconfigured with administrator access to the deployed RHOSO environment.

1.3. RHOSO 18.0 known limitations

The following list details the limitations of Red Hat OpenStack Services on OpenShift (RHOSO). Known limitations are features that are not supported in RHOSO.

Compute service (nova):

  • Off-path Network Backends are not supported in RHOSO 18.0. For more information, see Integration With Off-path Network Backends.
  • Customizing policies are not supported. If you require custom policies, contact Red Hat for a support exception.
  • The following packages are not supported in RHOSO:

    • nova-serialproxy
    • nova-spicehtml5proxy
  • File injection of personality files to inject user data into virtual machine instances. As a workaround, users can pass data to their instances by using the --user-data option to run a script during instance boot, or set instance metadata by using the --property option when launching an instance. For more information, see Creating a customized instance.
  • Persistent memory for instances (vPMEM). You can create persistent memory namespaces only on Compute nodes that have NVDIMM hardware. Red Hat has removed support for persistent memory from RHOSP 17.0 and later in response to the announcement by the Intel Corporation on July 28, 2022 that they are discontinuing investment in their Intel® Optane™ business. For more information, see Intel® Optane™ Business Update: What Does This Mean for Warranty and Support.
  • QEMU emulation of non-native architectures.
  • LVM is not supported as an image back end.
  • The ploop image format is not supported.
  • NFS versions earlier than 4.

Image service (glance):

  • RHOSO supports only one architecture, x86_64. There is no valid use case that requires this to be set for a RHOSO cloud, so all hosts will be x86_64.
  • NFS versions earlier than 4.

Block Storage service (cinder):

  • Cinder replication.
  • LVM driver.
  • NFS versions earlier than 4.

If you require support for any of these features, contact the Red Hat Customer Experience and Engagement team to discuss a support exception, if applicable, or other options.

1.4. Supported topologies for a RHOSO environment

Red Hat OpenStack Services on OpenShift (RHOSO) supports a compact control plane topology and a dedicated nodes control plane topology.

In a compact topology, the RHOSO control plane and the Red Hat OpenShift Container Platform (RHOCP) control plane share the same physical nodes.

In a dedicated nodes topology, the RHOCP control plane runs on one set of physical nodes and the RHOSO control plane runs on another set of physical nodes.

1.4.1. Compact topology

The compact RHOSO topology is the default, and consists of the following components:

OpenShift compact cluster

A Red Hat OpenShift cluster that hosts both the RHOSO and the RHOCP control planes.

The RHOSO control plane consists of the OpenStack controller services pods that consist of services such as the Compute service (nova), the Networking service (neutron), and so on.

The OpenShift control plane hosts the pods that run the following services required for RHOCP: OpenShift services, Kubernetes services, networking components, Cluster Version Operator, and etcd.

For more information, see Introduction to OpenShift Container Platform in the RHOCP Architecture guide.

RHOSO data plane
The RHOSO data plane consists of OpenStack Compute nodes. Nodes dedicated to storage are optional.

Figure 1.1. Compact RHOSO topology

1.4.2. Dedicated nodes topology

The dedicated nodes RHOSO topology differs from the compact topology in that there is a separate node cluster for the RHOSO control plane and a separate node cluster for the OpenShift control plane.

Figure 1.2. Dedicated nodes RHOSO topology

Chapter 2. Planning your deployment

To deploy and operate your Red Hat OpenStack Services on OpenShift (RHOSO) environment, you use the tools and container infrastructure provided by the Red Hat OpenShift Container Platform (RHOCP).

RHOCP uses a modular system of Operators to extend the functions of your RHOCP cluster. The RHOSO OpenStack Operator (openstack-operator) installs and runs a RHOSO control plane within RHOCP and automates the deployment of a RHOSO data plane. The data plane is the collection of nodes that host RHOSO workloads. The OpenStack Operator prepares the nodes with the operating system configuration that is required to host the RHOSO services and workloads.

The OpenStack Operator manages a set of Custom Resource Definitions (CRDs) that define how you can deploy and manage the infrastructure and configuration of the RHOSO control plane and the data plane nodes. To create a RHOSO cloud with a RHOCP-hosted control plane, you use the OpenStack Operator CRDs to create a set of custom resources (CRs) that configure your control plane and your data plane.

2.1. How to deploy the cloud infrastructure

To create a RHOSO cloud with a RHOCP-hosted control plane, you must complete the following tasks:

  1. Install OpenStack Operator (openstack-operator) on an operational RHOCP cluster.
  2. Provide secure access to the RHOSO services.
  3. Create and configure the control plane network.
  4. Create and configure the data plane networks.
  5. Create a control plane for your environment.
  6. Customize the control plane for your environment.
  7. Create and configure the data plane nodes.
  8. Optional: Configure a storage solution for the RHOSO deployment.

You perform the control plane installation tasks and all data plane creation tasks on a workstation that has access to the RHOCP cluster.

Install OpenStack Operator (openstack-operator) on an operational RHOCP cluster
The RHOSO administrator installs the OpenStack Operator on the RHOCP cluster. For information about how to install the OpenStack Operator, see Installing and preparing the Operators in the Deploying Red Hat OpenStack Services on OpenShift guide.
Provide secure access to the RHOSO services
You must create a Secret custom resource (CR) to provide secure access to the RHOSO service pods. For information, see Providing secure access to the Red Hat OpenStack Platform services in the Deploying Red Hat OpenStack Services on OpenShift guide.
Create and configure the control plane network
You use RHOCP Operators to prepare the RHOCP cluster for the RHOSO control plane network. For information, see Preparing RHOCP for RHOSP networks in the Deploying Red Hat OpenStack Services on OpenShift guide.
Create and configure the data plane networks
You use RHOCP Operators to prepare the RHOCP cluster for the RHOSO data plane network. For information, see Configuring the data plane network in the Deploying Red Hat OpenStack Services on OpenShift guide.
Create a control plane for your environment
You configure and create an initial control plane with the recommended configurations for each service. For information, see Creating the control plane in the Deploying Red Hat OpenStack Services on OpenShift guide.
Customize the control plane for your environment
You can customize your deployed control plane with the services required for your environment. For information, see Customizing the control plane in the Customizing the Red Hat OpenStack Services on OpenShift deployment guide.
Create and configure the data plane nodes
You configure and create a simple data plane with the minimum features. For information, see Creating the data plane in the Deploying Red Hat OpenStack Services on OpenShift guide.
Customize the data plane for your environment
You can customize your deployed data plane with the features and configuration required for your environment. For information, see Customizing the data plane in the Customizing the Red Hat OpenStack Services on OpenShift deployment guide.
Configure a storage solution for the RHOSO deployment
You can optionally configure a storage solution for your RHOSO deployment. For information, see the Configuring persistent storage guide.

2.2. Custom resource definitions (CRDs)

The OpenStack Operator includes a set of custom resource definitions (CRDs) that you can use to create and manage RHOSP resources.

  • Use the following command to view a complete list of the RHOSP CRDs:

    $ oc get crd | grep "^openstack"

  • Use the following command to view the definition for a specific CRD:

    $ oc describe crd openstackcontrolplane
    Name:         openstackcontrolplane.openstack.org
    Namespace:
    Labels:       operators.coreos.com/operator.openstack=
    Annotations:  cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
                  controller-gen.kubebuilder.io/version: v0.3.0
    API Version:  apiextensions.k8s.io/v1
    Kind:         CustomResourceDefinition
    ...
  • Use the following command to view descriptions of the fields you can use to configure a specific CRD:

    $ oc explain openstackcontrolplane.spec
    KIND:     OpenStackControlPlane
    VERSION:  core.openstack.org/v1beta1
    
    RESOURCE: spec <Object>
    
    DESCRIPTION:
         <empty>
    
    FIELDS:
       ceilometer   <Object>
       cinder       <Object>
       dns  <Object>
       extraMounts  <[]Object>
    ...

2.2.1. CRD naming conventions

Each CRD contains multiple names in the spec.names section. Use these names depending on the context of your actions:

  • Use kind when you create and interact with resource manifests:

    apiVersion: core.openstack.org/v1beta1
    kind: OpenStackControlPlane
    ...

    The kind name in the resource manifest correlates to the kind name in the respective CRD.

  • Use singular when you interact with a single resource:

    $ oc describe openstackcontrolplane/compute

Chapter 3. System requirements

You must plan your Red Hat OpenStack Services on OpenShift (RHOSO) deployment to determine the system requirements for your environment.

3.1. Red Hat OpenShift Container Platform cluster requirements

The minimum requirements for the Red Hat OpenShift Container Platform (RHOCP) cluster that hosts your Red Hat OpenStack Services on OpenShift (RHOSO) control plane are as follows:

Hardware

  • An operational, pre-provisioned 3-node RHOCP compact cluster, version 4.16.
  • Each node in the compact cluster must have the following resources:

    • 64 GB RAM
    • 16 CPU cores
    • 120 GB NVMe or SSD for the root disk plus 250 GB storage (NVMe or SSD is strongly recommended)

      Note

      The images, volumes and root disks for the virtual machine instances running on the deployed environment are hosted on dedicated external storage nodes. However, the service logs, databases, and metadata are stored in a RHOCP Persistent Volume Claim (PVC). A minimum of 150 GB is required for testing.

    • 2 physical NICs

      Note

      In a 6-node cluster with 3 controllers and 3 workers, only the worker nodes require 2 physical NICs.

  • Persistent Volume Claim (PVC) storage on the cluster:

    • 150 GB persistent volume (PV) pool for service logs, databases, file import conversion, and metadata.

      Note
      • You must plan the size of the PV pool that you require for your RHOSO pods based on your RHOSO workload. For example, the Image service image conversion PVC should be large enough to host the largest image and that image after it is converted, as well as any other concurrent conversions. You must make similar considerations for the storage requirements if your RHOSO deployment uses the Object Storage service (swift).
      • The PV pool is required for the Image service, however the actual images are stored on the Image service back end, such as Red Hat Ceph Storage or SAN.
    • 5 GB of the available PVs must be backed by local SSDs for control plane services such as the Galera, OVN, and RabbitMQ databases.

Software

  • The RHOCP environment supports Multus CNI.
  • The following Operators are installed on the RHOCP cluster:

    • The Kubernetes NMState Operator. This Operator must be started by creating an nmstate instance. For information, see Installing the Kubernetes NMState Operator in the RHOCP Networking guide.
    • The MetalLB Operator. This Operator must be started by creating a metallb instance. For information, see Installing the MetalLB Operator in the RHOCP Networking guide.

      Note

      When you start MetalLB with the MetalLB Operator, the Operator starts an instance of a speaker pod on each node in the cluster. When using an extended architecture such as 3 OCP controller/master and 3 OCP computes/workers, if your OCP controllers do not have access to the ctlplane and internalapi networks, you must limit the speaker pods to the OCP compute/worker nodes. For more information about speaker pods, see Limit speaker pods to specific nodes.

    • The cert-manager Operator. For information, see cert-manager Operator for Red Hat OpenShift in the RHOCP Security and compliance guide.
    • The Cluster Observability Operator. For information, see Installing the Cluster Observability Operator.
    • The Cluster Baremetal Operator (CBO). The CBO deploys the Bare Metal Operator (BMO) component, which is required to provision bare-metal nodes as part of the data plane deployment process. For more information on planning for bare-metal provisioning, see Planning provisioning for bare-metal data plane nodes.
  • The following tools are installed on the cluster workstation:

    • The oc command line tool.
    • The podman command line tool.
  • The RHOCP storage back end is configured.
  • The RHOCP storage class is defined, and has access to persistent volumes of type ReadWriteOnce.
  • For installer-provisioned infrastructure, you must prepare an operating system image for use with bare-metal provisioning. You can use the following image as the bare-metal image: https://catalog.redhat.com/software/containers/rhel9/rhel-guest-image/6197bdceb4dcabca7fe351d5?container-tabs=overview

3.2. Data plane node requirements

You can use pre-provisioned nodes or unprovisioned bare-metal nodes to create the data plane. The minimum requirements for data plane nodes are as follows:

  • Pre-provisioned nodes:

    • RHEL 9.4.
    • Configured for SSH access with the SSH keys generated during data plane creation. The SSH user must either be root or have unrestricted and password-less sudo enabled. For more information, see Creating the data plane secrets in the Deploying Red Hat OpenStack Services on OpenShift guide.
    • Routable IP address on the control plane network to enable Ansible access through SSH.

Important

Some network architectures may require the following networking capabilities:

  • A dedicated NIC on RHOCP worker nodes for RHOSP isolated networks.
  • Port switches with VLANs for the required isolated networks.

Consult with your RHOCP and network administrators about whether these are requirements in your deployment.

For information on the required isolated networks, see Default Red Hat OpenStack Platform networks in the Deploying Red Hat OpenStack Services on OpenShift guide.

3.3. Compute node requirements

Compute nodes are responsible for running virtual machine instances after they are launched. Compute nodes require bare metal systems that support hardware virtualization. Compute nodes must also have enough memory and disk space to support the requirements of the virtual machine instances that they host.

Note

Red Hat OpenStack Services on OpenShift (RHOSO) 18.0 does not support using QEMU architecture emulation.

Processor
64-bit x86 processor with support for the Intel 64 or AMD64 CPU extensions, and the AMD-V or Intel VT hardware virtualization extensions enabled. It is recommended that this processor has a minimum of 4 cores.
Memory

A minimum of 6 GB of RAM for the host operating system, plus additional memory to accommodate for the following considerations:

  • Add additional memory that you intend to make available to virtual machine instances.
  • Add additional memory to run special features or additional resources on the host, such as additional kernel modules, virtual switches, monitoring solutions, and other additional background tasks.
  • If you intend to use non-uniform memory access (NUMA), Red Hat recommends 8 GB per CPU socket node or 16 GB per socket node if you have more than 256 GB of physical RAM.
  • Configure at least 4 GB of swap space.

For more information about planning for Compute node memory configuration, see Configuring the Compute service for instance creation.

Disk space
A minimum of 50 GB of available disk space.
Network Interface Cards
A minimum of one 1 Gbps Network Interface Card, although it is recommended to use at least two NICs in a production environment. Use additional network interface cards for bonded interfaces or to delegate tagged VLAN traffic.
Platform management
Compute nodes that are installer-provisioned require a supported platform management interface, such as Intelligent Platform Management Interface (IPMI) functionality, on the server motherboard. This interface is not required for pre-provisioned nodes.

Chapter 4. Planning provisioning for bare-metal data plane nodes

You can use pre-provisioned nodes or unprovisioned, bare-metal nodes on the Red Hat OpenStack Services on OpenShift (RHOSO) data plane:

  • Pre-provisioned node: You have used your own tooling to install the operating system on the node before adding it to the data plane.
  • Unprovisioned node: The node does not have an operating system installed before you add it to the data plane. The node is provisioned by using the Red Hat OpenShift Container Platform (RHOCP) Cluster Baremetal Operator (CBO) as part of the data plane creation and deployment process.

A RHOSO environment can support all the remote hardware management protocol technologies and boot methods that Metal3 supports. For information about the supported hardware, see Supported hardware in the Metal3 user-guide. However, the installation method you used to install your RHOCP cluster limits the technologies and boot methods available to your RHOSO environment.

The RHOCP installation method determines the availability of the CBO and the ability to create a provisioning network, which determines the technologies and boot methods that are available to your RHOSO deployment for provisioning bare-metal data plane nodes. Therefore, you must plan your RHOSO deployment to ensure that the technologies and boot methods you require for provisioning bare-metal data plane nodes are supported.

Note

Red Hat recommends provisioning with virtual media rather than with iPXE boot, because iPXE boot might not be available in your RHOCP cluster.

4.1. Red Hat OpenShift Container Platform installation considerations

The method used to install the RHOCP cluster determines the availability of the Cluster Baremetal Operator (CBO) and the ability to create a provisioning network. A provisioning network is required for network booting.

Assisted Installer
You can enable CBO on clusters installed with the Assisted Installer, and you can manually add the provisioning network for network-boot deployments to the Assisted Installer cluster after installation.
Installer-provisioned infrastructure on bare metal

CBO is enabled by default on RHOCP clusters that are installed with the bare-metal installer-provisioned infrastructure. You can configure installer-provisioned clusters with a provisioning network to enable both virtual media and network boot installations.

Note
  • If you configure an installer-provisioned cluster without a provisioning network, then only virtual media provisioning is available.
  • If you installed RHOCP with IPI on a platform that is not bare-metal, your cluster might not have the ability to enable the CBO. For information on installing RHOCP on a platform that is not bare-metal, see the RHOCP Installing guide.

For more information about installer-provisioned clusters on bare metal, see the RHOCP Deploying installer-provisioned clusters on bare metal guide.

User-provisioned infrastructure

You can enable CBO on RHOCP clusters installed with user-provisioned infrastructure by creating a Provisioning CR.

Note

You cannot add a provisioning network to a user-provisioned cluster. This means that you cannot enable PXE network boot on a RHOCP cluster installed with user-provisioned infrastructure. You can only provision bare-metal data plane nodes with virtual media on a RHOCP cluster installed with user-provisioned infrastructure.

For more information about how to create a Provisioning CR, see Scaling a user-provisioned cluster with the Bare Metal Operator in the RHOCP Installing on bare metal guide.

4.2. The Bare Metal Operator (BMO)

Provisioning bare-metal nodes on the data plane is supported with the Red Hat OpenShift Container Platform (RHOCP) Cluster Baremetal Operator (CBO). The CBO deploys the components required to provision bare-metal nodes within the RHOCP cluster, including the Bare Metal Operator (BMO) and Ironic containers.

The BMO manages the available hosts on clusters and performs the following operations:

  • Inspects node hardware details and reports them to the corresponding BareMetalHost CR. This includes information about CPUs, RAM, disks, and NICs.
  • Provisions nodes with a specific image.
  • Cleans node disk contents before and after provisioning.

For more information about the Bare Metal Operator and how to configure a BareMetalHost CR, see Bare metal configuration in the RHOCP Postinstallation configuration guide.

Chapter 5. Planning your networks

Before you deploy RHOSO, take inventory of your networking requirements and the overall environment to inform your network design decisions.

5.1. Default physical networks

The following physical data center networks are typically implemented for a Red Hat OpenStack Services on OpenShift (RHOSO) deployment:

  • Control plane network
  • External network (optional)
  • Internal API network
  • Storage network
  • Tenant (project) network
  • Storage management network (optional)

For more information, see Default Red Hat OpenStack Services on OpenShift networks in the Deploying Red Hat OpenStack Services on OpenShift guide.

5.2. RHOSO network isolation

You must plan how your deployment hosts specific types of network traffic in isolation. This includes planning IP ranges, subnets, and virtual IPs, and configuring your NIC layout.

The Red Hat OpenStack Services on OpenShift (RHOSO) control plane services run as a Red Hat OpenShift Container Platform (RHOCP) workload. On the control plane, you use the NMState Operator to connect the worker nodes to the required isolated networks. You create a NetworkAttachmentDefinition (nad) custom resource (CR) for each isolated network to attach service pods to the isolated networks, where needed. You use the MetalLB Operator to expose internal service endpoints on the isolated networks. By default, the public service endpoints are exposed as RHOCP routes.

You must also create an L2Advertisement resource to define how the VIPs are announced, and an IpAddressPool resource to configure which IPs can be used as VIPs. In layer 2 mode, one node assumes the responsibility of advertising a service to the local network.

For more information, see Preparing RHOCP for RHOSO network isolation in the Deploying Red Hat OpenStack Services on OpenShift guide.
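The following IPAddressPool, L2Advertisement and service override are an added example, not code from the original page or from the Deploying guide. They assume an isolated internalapi network carried on a worker VLAN interface named internalapi, a VIP range of 172.17.0.80-172.17.0.90 on that network, and the Identity service (keystone) as the service being exposed; the OpenStackControlPlane fragment shows only the keystone override, with the rest of the CR omitted. All of these values are assumptions.

```yaml
# Added example: MetalLB layer 2 pool and advertisement for the internalapi
# network, and the control plane service override that consumes a VIP from it.
# Network name, interface name and the 172.17.0.80-172.17.0.90 range are assumed.
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: internalapi
  namespace: metallb-system
spec:
  addresses:
  - 172.17.0.80-172.17.0.90
  # false: only Services that request this pool by annotation get a VIP from it,
  # so an unrelated LoadBalancer Service in the cluster cannot be allocated an
  # address on the isolated OpenStack network.
  autoAssign: false
  avoidBuggyIPs: false
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: internalapi
  namespace: metallb-system
spec:
  ipAddressPools:
  - internalapi
  # Restrict ARP/NDP announcements to the VLAN interface of this network;
  # without this the elected node announces the VIP on every interface it has.
  interfaces:
  - internalapi
---
apiVersion: core.openstack.org/v1beta1
kind: OpenStackControlPlane
metadata:
  name: openstack
  namespace: openstack
spec:
  keystone:
    template:
      override:
        service:
          internal:
            metadata:
              annotations:
                metallb.universe.tf/address-pool: internalapi
                metallb.universe.tf/allow-shared-ip: internalapi
                metallb.universe.tf/loadBalancerIPs: 172.17.0.80
            spec:
              type: LoadBalancer
```

In layer 2 mode the VIP is owned by one worker at a time, so the pool range must lie outside the ranges handed out to worker NNCPs, to pod NetworkAttachmentDefinitions and to data plane nodes on the same subnet; an overlap produces duplicate addresses that are hard to diagnose.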

To create the data plane network, you define a NetConfig custom resource (CR) and specify all the subnets for the data plane networks. You must define at least one control plane network for your data plane. You can also define VLAN networks to create network isolation for composable networks, such as InternalAPI, Storage, and External. Each network definition must include the IP address assignment.

For more information, see Creating the data plane network in the Deploying Red Hat OpenStack Services on OpenShift guide.

5.3. NICs

A compact RHOSO deployment requires at least two NICs on each RHOSO control plane worker node.

One NIC on each worker node serves OpenShift. It provides connection between OpenShift components in the OpenShift cluster network.

The other NIC serves OpenStack. It connects the OpenStack services running on the worker nodes to the isolated networks on the RHOSO data plane.

5.3.1. NICs and scaling considerations

Network requirements vary based on environment and business requirements. For example, you may require the following networking capabilities:

  • Dedicated NICs on RHOCP worker nodes for particular RHOSO isolated networks.
  • Port switches with VLANs for the required isolated networks.

Consult with your RHOCP and network administrators about whether these are requirements in your deployment. Each Compute node requires at least one NIC. You can scale up to provide connections to the isolated networks.

5.4. Storage network planning considerations

For more information, see Storage networks in this guide.

5.5. Network functions virtualization (NFV)

Network functions virtualization (NFV) is a software-based solution that helps communication service providers (CSPs) to move beyond the traditional, proprietary hardware to achieve greater efficiency and agility and to reduce operational costs.

Using NFV in a Red Hat OpenStack Services on OpenShift (RHOSO) environment allows for IT and network convergence by providing a virtualized infrastructure that uses standard virtualization technologies to run virtual network functions (VNFs) that traditionally ran on dedicated hardware devices such as switches, routers, and storage appliances. An NFV environment takes advantage of Data Plane Development Kit (DPDK) and Single Root I/O Virtualization (SR-IOV) technologies to improve packet processing speeds.

If you choose an NFV deployment, you must use Deploying a Network Functions Virtualization environment as your deployment guide instead of Deploying Red Hat OpenStack Services on OpenShift.

5.6. Additional resources for RHOSO network planning

Chapter 6. Federal Information Processing Standard on Red Hat OpenStack Services on OpenShift

The Federal Information Processing Standards (FIPS) is a set of security requirements developed by the National Institute of Standards and Technology (NIST). In Red Hat Enterprise Linux 9, the supported standard is FIPS publication 140-3: Security Requirements for Cryptographic Modules. For details about the supported standard, see the Federal Information Processing Standards Publication 140-3.

FIPS 140-3 validated cryptographic modules are cryptographic libraries that have completed the NIST CMVP process and have received a certificate from NIST. For current information on Red Hat FIPS 140 validated modules, see Compliance Activities and Government Standards.

FIPS is enabled by default in Red Hat OpenStack Services on OpenShift (RHOSO) when RHOSO is installed on a FIPS enabled Red Hat OpenShift Container Platform (RHOCP) cluster. You must enable FIPS on the initial install of RHOCP. For more information on installing a RHOCP cluster in FIPS mode, see Installing a cluster in FIPS mode.

When you use the FIPS 140 system-wide cryptographic policy (FIPS mode), RHEL and RHCOS are designed to restrict the use of core cryptographic modules and libraries to those that have been FIPS validated. Paramiko, however, implements cryptographic functions in its own code and has not been FIPS validated. RHOSO core components use the RHEL cryptographic libraries submitted to NIST for FIPS validation unless they call paramiko.

6.1. Preparing to install a FIPS enabled Red Hat OpenStack Services on OpenShift control plane

Before you install the Red Hat OpenStack Services on OpenShift (RHOSO) control plane, you must modify the iscsid configuration to remove MD5 and SHA1 from the accepted CHAP algorithms. The iscsid configuration for the control plane is not handled by the RHOSO operators, so you must complete this step on the Red Hat OpenShift Container Platform (RHOCP) cluster nodes.

Prerequisites

Procedure

  • On each of your RHOCP nodes, ensure that the value of node.session.auth.chap_algs in the /etc/iscsi/iscsid.conf file is set to SHA3-256,SHA256.
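As an added example, not part of the original page and not something the RHOSO operators apply for you, the following MachineConfig writes the required setting to /etc/iscsi/iscsid.conf on every node in the worker MachineConfigPool. The pool name and the MachineConfig name are assumptions. Because Ignition replaces the whole file, merge any other non-default iscsid settings your cluster relies on into the same content before you apply it.

```yaml
# Added example (not from the original page or the RHOSO operators): a MachineConfig
# that writes /etc/iscsi/iscsid.conf on every RHCOS worker so that iscsid only
# negotiates FIPS-approved CHAP digests. Assumptions: the MachineConfigPool is
# "worker", and the single line below is the only non-default iscsid setting you
# need. Ignition replaces the whole file, so add any other settings you rely on.
#
# Weak (default) value, which keeps the legacy digests:
#   node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5
# Value written here, as required for FIPS:
#   node.session.auth.chap_algs = SHA3-256,SHA256
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 99-worker-iscsid-fips-chap-algs
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
      - path: /etc/iscsi/iscsid.conf
        mode: 420          # 0644 in octal
        overwrite: true
        contents:
          # URL-encoded "node.session.auth.chap_algs = SHA3-256,SHA256\n"
          source: data:,node.session.auth.chap_algs%20%3D%20SHA3-256%2CSHA256%0A
```

Applying the MachineConfig makes the Machine Config Operator reboot the worker nodes one at a time; wait for `oc get mcp worker` to report the pool as updated, then confirm the file contents from a debug pod with `chroot /host cat /etc/iscsi/iscsid.conf`. Note that the line above states the default list as an assumption; the point of the page is only that MD5 and SHA1 must not remain in it.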

6.2. Verification of FIPS status

You can check the FIPS status of RHOCP or deployed worker nodes.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform (RHOCP) cluster with an account with cluster-admin privileges.
  2. Get a list of the nodes in the cluster:

    $ oc get nodes

    Example output:

    NAME      STATUS   ROLES                  AGE    VERSION
    master1   Ready    control-plane,master   7d1h   v1.28.6+6216ea1
    master2   Ready    control-plane,master   7d1h   v1.28.6+6216ea1
    master3   Ready    control-plane,master   7d1h   v1.28.6+6216ea1
    worker1   Ready    worker                 7d1h   v1.28.6+6216ea1
    worker2   Ready    worker                 7d1h   v1.28.6+6216ea1
    worker3   Ready    worker                 7d1h   v1.28.6+6216ea1
  3. Open a debug pod on one of the nodes shown in the output of the previous step:

    $ oc debug node/worker2

    Example output:

    Temporary namespace openshift-debug-rq2m8 is created for debugging node...
    Starting pod/worker2-debug-5shqt ...
    To use host binaries, run `chroot /host`
    Pod IP: 192.168.50.112
    If you don't see a command prompt, try pressing enter.
    sh-5.1#
  4. Check the value of fips_enabled in /proc:

    sh-5.1# cat /proc/sys/crypto/fips_enabled

    Example output. 1 is displayed for enabled, 0 for disabled:

    1

For more information about installing Red Hat OpenShift Container Platform in FIPS mode, see Support for FIPS cryptography in the RHOCP Installing guide.

Chapter 7. Planning storage and shared file systems

Red Hat OpenStack Services on OpenShift (RHOSO) uses ephemeral and persistent storage to service the storage needs of the deployment.

Ephemeral storage is associated with a specific Compute instance. When this instance is terminated, so is the associated ephemeral storage. Ephemeral storage is useful for runtime requirements, such as storing the operating system of an instance.

Persistent storage is independent of any running instance. Persistent storage is useful for storing reusable data, such as data volumes, disk images, and shareable file systems.

The storage requirements of the deployment should be taken into consideration and carefully planned before beginning the deployment. This includes considerations such as:

  • Supported features and topologies
  • Storage technologies
  • Networking
  • Scalability
  • Accessibility
  • Performance
  • Costs
  • Security
  • Redundancy and disaster recovery
  • Storage management

7.1. Supported storage features and topologies

RHOSO supports the following storage and networking features:

  • Red Hat Ceph Storage integration:

    • Ceph Block Device (RBD) with the Block Storage service (cinder) for persistent storage, the Image service (glance), and the Compute service (nova) for ephemeral storage.
    • Ceph File System (Native CephFS or CephFS via NFS) with the Shared File Systems service (manila).
    • Object Storage service integration with Ceph Object Gateway (RGW)
    • Hyperconverged infrastructure (HCI): Hyperconverged infrastructures consist of hyperconverged nodes. Hyperconverged nodes are external data plane nodes with Compute and Red Hat Ceph Storage services colocated on the same nodes for optimized hardware footprint.
  • Transport protocols for the Block Storage service with appropriate configuration and drivers:

    • NVMe over TCP
    • RBD
    • NFS
    • FC

      Note

      You must install host bus adapters (HBAs) on all Compute nodes and OCP worker nodes in any deployment that uses the Block Storage service with a Fibre Channel (FC) back end.

    • iSCSI
  • Multipathing with iSCSI, FC, and NVMe over TCP is available on the control plane with the appropriate RHOCP MachineConfig.
  • Transport protocols for the Shared File Systems service with appropriate configuration and drivers:

    • CephFS
    • NFS
    • CIFS
  • Object Storage through native Swift or Amazon S3 compatible API

RHOSO supports the following storage services.

Service        Back ends

Image service (glance)

  • Red Hat Ceph Storage RBD
  • Block Storage (cinder)
  • Object Storage (swift)
  • NFS

Compute service (nova)

  • local file storage
  • Red Hat Ceph Storage RBD

Block Storage service (cinder)

  • Red Hat Ceph Storage RBD
  • Fibre Channel
  • iSCSI
  • NFS
  • NVMe over TCP
Note

Support is provided through third party drivers.

Shared File Systems service (manila)

  • Red Hat Ceph Storage CephFS
  • Red Hat Ceph Storage CephFS-NFS
  • NFS or CIFS through third party vendor storage systems

Object Storage service (swift)

  • disks on external data plane nodes
  • PersistentVolumes (PVs) on OpenShift nodes (default)
  • Integration with Ceph RGW

To manage the consumption of system resources by projects, you can configure quotas for the Block Storage service (cinder) and the Shared File Systems service (manila). You can override the default quotas so that individual projects have different consumption limits.

7.2. Storage technologies

RHOSO supports a number of storage technologies that can act separately or in combination to provide the storage solution for your deployment.

7.2.1. Red Hat Ceph Storage

Red Hat Ceph Storage is a distributed object store designed for performance, reliability, and scalability. It stores unstructured data and can simultaneously serve modern and legacy object interfaces, and it provides access to block, file, and object storage.

Red Hat Ceph Storage is deployed as a cluster. A cluster consists of two primary types of daemons:

  • Ceph Object Storage Daemon (CephOSD) - The CephOSD performs data storage, data replication, rebalancing, recovery, monitoring, and reporting tasks.
  • Ceph Monitor (CephMon) - The CephMon maintains the primary copy of the cluster map with the current state of the cluster.

RHOSO supports Red Hat Ceph Storage 7 in the following deployment scenarios:

  • Integration with an externally deployed Red Hat Ceph Storage 7 cluster.
  • A hyperconverged infrastructure (HCI) environment that consists of external data plane nodes that have Compute and Red Hat Ceph Storage services colocated on the same nodes for optimized resource use.
Note

Red Hat OpenStack Services on OpenShift (RHOSO) 18.0 supports erasure coding with Red Hat Ceph Storage Object Gateway (RGW). Erasure coding with the Red Hat Ceph Storage Block Device (RBD) is not currently supported.

For more information about Red Hat Ceph Storage architecture, see the Red Hat Ceph Storage 7 Architecture Guide.

7.2.2. Block storage (cinder)

The Block Storage service (cinder) allows users to provision block storage volumes on back ends. Users can attach volumes to instances to augment their ephemeral storage with general-purpose persistent storage. You can detach and re-attach volumes to instances, but you can only access these volumes through the attached instance.

You can also configure instances so that they do not use ephemeral storage. Instead of using ephemeral storage, you can configure the Block Storage service to write images to a volume. You can then use the volume as a bootable root volume for an instance. Volumes also provide inherent redundancy and disaster recovery through backups and snapshots. However, backups are only provided if you deploy the optional Block Storage backup service. In addition, you can encrypt volumes for added security.

7.2.3. Images (glance)

The Image service (glance) provides discovery, registration, and delivery services for instance images. It also provides the ability to store snapshots of instances' ephemeral disks for cloning or restore purposes. You can use stored images as templates to commission new servers quickly and more consistently than installing a server operating system and individually configuring services.

7.2.4. Object Storage (swift)

The Object Storage service (swift) provides a fully-distributed storage solution that you can use to store any kind of static data or binary object; such as media files, large datasets, and disk images. The Object Storage service organizes objects by using object containers, which are similar to directories in a file system, but they cannot be nested. You can use the Object Storage service as a repository for nearly every service in the cloud.

Red Hat Ceph Storage RGW can be used as an alternative to the Object Storage service.

7.2.5. Shared File Systems (manila)

The Shared File Systems service (manila) provides the means to provision remote, shareable file systems, known as shares. Shares allow projects in the cloud to share POSIX compliant storage, and they can be consumed by multiple instances simultaneously with read/write access.

7.3. Storage networks

Two default storage-related networks are configured during the RHOSO installation: the Storage and Storage Management networks. These isolated networks follow best practices for network connectivity between storage components and the deployments.

The Storage network is used for data storage access and retrieval.

The Storage Management network is used by RHOSO services to have access to specific interfaces in the storage solution that allows access to the management consoles. For example, Red Hat Ceph Storage uses the Storage Management network in a hyperconverged infrastructure (HCI) environment as the cluster_network to replicate data.

The following table lists the properties of the default storage-related networks.

Network name   VLAN   CIDR            NetConfig allocationRange      MetalLB IPAddressPool range   nad ipam range               OCP worker nncp range
storage        21     172.18.0.0/24   172.18.0.100 - 172.18.0.250    N/A                           172.18.0.30 - 172.18.0.70    172.18.0.10 - 172.18.0.20
storageMgmt    23     172.20.0.0/24   172.20.0.100 - 172.20.0.250    N/A                           172.20.0.30 - 172.20.0.70    172.20.0.10 - 172.20.0.20

Your storage solution may require additional network configurations. These defaults provide a basis for building a full deployment.
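The storage row of the table above maps onto the three resources that section 5.2 describes: a NodeNetworkConfigurationPolicy for the worker NIC, a NetworkAttachmentDefinition for service pods, and a NetConfig subnet for data plane nodes. The following is an added example, not code from the original page: it takes the VLAN, CIDR and ranges from the table verbatim and assumes a worker node named worker-0 with base interface enp6s0, the openstack namespace, DNS domains under example.com, and a ctlplane network on 192.168.122.0/24, which NetConfig requires and which the table does not cover.

```yaml
# Added example: the storage network from the table expressed as the three
# resources that consume its address ranges. Worker name, base interface,
# namespace, DNS domains and the ctlplane subnet are assumed values.
#
# 1) NNCP: VLAN 21 on the worker, with a fixed IP from the "OCP worker nncp range".
apiVersion: nmstate.io/v1
kind: NodeNetworkConfigurationPolicy
metadata:
  name: worker-0-storage
spec:
  nodeSelector:
    kubernetes.io/hostname: worker-0
  desiredState:
    interfaces:
    - name: storage
      type: vlan
      state: up
      description: storage vlan interface
      vlan:
        base-iface: enp6s0
        id: 21
      ipv4:
        enabled: true
        dhcp: false
        address:
        - ip: 172.18.0.10          # one address per worker from 172.18.0.10-172.18.0.20
          prefix-length: 24
      ipv6:
        enabled: false
---
# 2) NAD: macvlan on that VLAN interface; pod IPs come from the "nad ipam range".
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: storage
  namespace: openstack
  labels:
    osp/net: storage
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "name": "storage",
      "type": "macvlan",
      "master": "storage",
      "ipam": {
        "type": "whereabouts",
        "range": "172.18.0.0/24",
        "range_start": "172.18.0.30",
        "range_end": "172.18.0.70"
      }
    }
---
# 3) NetConfig: data plane nodes are assigned from the "NetConfig allocationRange".
apiVersion: network.openstack.org/v1beta1
kind: NetConfig
metadata:
  name: openstacknetconfig
  namespace: openstack
spec:
  networks:
  - name: ctlplane                  # required by NetConfig; values assumed
    dnsDomain: ctlplane.example.com
    subnets:
    - name: subnet1
      cidr: 192.168.122.0/24
      gateway: 192.168.122.1
      allocationRanges:
      - start: 192.168.122.100
        end: 192.168.122.250
  - name: storage
    dnsDomain: storage.example.com
    subnets:
    - name: subnet1
      cidr: 172.18.0.0/24
      vlan: 21
      allocationRanges:
      - start: 172.18.0.100
        end: 172.18.0.250
```

The three allocators know nothing about each other, which is why the table carves the /24 into disjoint ranges: if the whereabouts range overlapped the NNCP addresses or the NetConfig allocation range, a service pod and a Compute node could end up with the same storage IP, and ARP would quietly steer storage traffic to whichever host answered last. The storageMgmt row follows the same pattern with VLAN 23 and 172.20.0.0/24.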

All Block Storage services that run with a back end (cinder-volume and cinder-backup) require access to the storage network. Whether they also require the storage management network depends on the back end: when a back end needs it, the service that runs that back end requires access only to its own storage management network. In most deployments there is a single storage management network, but if there are multiple storage management networks, each service-back end pair needs access only to its respective management network.

You must install host bus adapters (HBAs) on all OCP worker nodes in any deployment that uses the Block Storage service and a Fibre Channel (FC) back end.

7.3.1. Planning networking for the Block Storage service

Storage best practices recommend using two different networks:

  • One network for data I/O
  • One network for storage management

These networks are referred to as storage and storageMgmt. If your deployment diverges from the two-network architecture, adapt the documented examples as necessary. For example, if the management interface for the storage system is reachable on the storage network and there is no separate management network, replace storageMgmt with storage in the examples, or simply remove storageMgmt where storage is already listed.

The storage services in Red Hat OpenStack Services on OpenShift (RHOSO), with the exception of the Object Storage service (swift), require access to the storage and storageMgmt networks. You can configure the storage and storageMgmt networks in the networkAttachments field of your OpenStackControlPlane CR. The networkAttachments field accepts a list of strings with all the networks the component requires access to. Different components can have different network requirements, for example, the Block Storage service (cinder) API component does not require access to any of the storage networks.

The following example shows the networkAttachments for Block Storage volumes:

apiVersion: core.openstack.org/v1beta1
kind: OpenStackControlPlane
metadata:
  name: openstack
spec:
  cinder:
    template:
      cinderVolumes:
        iscsi:
          networkAttachments:
          - storage
          - storageMgmt

7.3.2. Planning networking for the Shared File Systems service

Plan the networking on your cloud to ensure that cloud users can connect their shares to workloads that run on Red Hat OpenStack Services on OpenShift (RHOSO) virtual machines, bare-metal servers, and containers.

Depending on the level of security and isolation required for cloud users, you can set the driver_handles_share_servers parameter (DHSS) to true or false.

7.3.2.1. Setting DHSS to true

If you set the DHSS parameter to true, you can use the Shared File Systems service to export shares to end-user defined share networks with isolated share servers. Users can provision their workloads on self-service share networks to ensure that isolated NAS file servers on dedicated network segments export their shares.

As a project administrator, you must ensure that the physical network to which you map the isolated networks extends to your storage infrastructure. You must also ensure that the storage system that you are using supports network segments. Storage systems, such as NetApp ONTAP and Dell EMC PowerMax, Unity, and VNX, do not support virtual overlay segmentation styles such as GENEVE or VXLAN.

As an alternative to overlay networking, you can do any of the following:

  • Use VLAN networking for your project networks.
  • Allow VLAN segments on shared provider networks.
  • Provide access to a pre-existing segmented network that is already connected to your storage system.

7.3.2.2. Setting DHSS to false

If you set the DHSS parameter to false, cloud users cannot create shares on their own share networks. You can create a dedicated shared storage network, and cloud users must connect their clients to the configured network to access their shares.

Not all Shared File System storage drivers support both DHSS=true and DHSS=false. Both DHSS=true and DHSS=false ensure data path multi-tenancy isolation. However, if you require network path multi-tenancy isolation for tenant workloads as part of a self-service model, you must deploy the Shared File Systems service (manila) with back ends that support DHSS=true.

7.3.2.3. Ensuring network connectivity to the share

To connect to a file share, clients must have network connectivity to one or more of the export locations for that share.

When administrators set the driver_handles_share_servers parameter (DHSS) for a share type to true, cloud users can create a share network with the details of a network to which the Compute instance attaches. Cloud users can then reference the share network when creating shares.

When administrators set the DHSS parameter for a share type to false, cloud users must connect their Compute instance to the shared storage network that has been configured for their Red Hat OpenStack Services on OpenShift (RHOSO) deployment. For more information about how to configure and validate network connectivity to a shared network, see Connecting to a shared network to access shares in Performing storage operations.

7.4. Scalability and back-end storage

In general, a clustered storage solution provides greater back end scalability and resiliency. For example, when you use Red Hat Ceph Storage as a Block Storage (cinder) back end, you can scale storage capacity and redundancy by adding more Ceph Object Storage Daemon (OSD) nodes. Block Storage, Object Storage (swift), and Shared File Systems Storage (manila) services support Red Hat Ceph Storage as a back end.

The Block Storage service can use multiple storage solutions as discrete back ends. At the service level, you can scale capacity by adding more back ends.

By default, the Object Storage service consumes space by allocating persistent volumes in the OpenShift underlying infrastructure. It can be configured to use a file system on dedicated storage nodes, and it can use as much space as is available. The Object Storage service supports the XFS and ext4 file systems, and you can scale both file systems to consume as much underlying block storage as is available. You can also scale capacity by adding more storage devices to the storage node.

The Shared File Systems service provisions file shares from designated storage pools that are managed by Red Hat Ceph Storage or other back-end storage systems. You can scale this shared storage by increasing the size or number of storage pools available to the service or by adding more back-end storage systems to the deployment. Each back-end storage system is integrated with a dedicated service to interact with and manage the storage system.

7.5. Storage accessibility and administration

Volumes are consumed only through instances. Users can extend volumes, create snapshots of volumes, and use the snapshots to clone a volume or restore it to a previous state.

You can use the Block Storage service (cinder) to create volume types, which aggregate volume settings. You can associate volume types with encryption and Quality of Service (QoS) specifications to provide different levels of performance for your cloud users. Your cloud users can specify the volume type they require when creating new volumes. For example, volumes that use higher performance QoS specifications could provide your users with more IOPS, or your users could assign lighter workloads to volumes that use lower performance QoS specifications to conserve resources. Shares can be consumed simultaneously by one or more instances, bare metal nodes or containers. The Shared File Systems service (manila) also supports share resize, snapshots and cloning, and administrators can create share types to aggregate settings.

Users can access objects in a container by using the Object Storage service (swift) API, and administrators can make objects accessible to instances and services in the cloud. This accessibility makes objects ideal as repositories for services; for example, you can store Image service (glance) images in containers that are managed by the Object Storage service.

7.6. Storage security

The Block Storage service provides data security through the Key Manager service (barbican). The Block Storage service uses a one-to-one key-to-volume mapping, with the key managed by the Key Manager service. The encryption type is defined when you configure the volume type.

Security can also be improved at the back end level by encrypting control traffic, data traffic, or both. For example, with Red Hat Ceph Storage this is achieved by enabling messenger v2 (msgr2) secure mode, so that network traffic among the Ceph services, and between Ceph and the OpenStack Compute nodes, is encrypted.

You configure object and container security at the service and node level. The Object Storage service (swift) provides no native encryption for containers and objects. However, with the Key Manager service enabled, the Object Storage service can transparently encrypt and decrypt your stored (at-rest) objects. At-rest encryption is distinct from in-transit encryption in that it refers to the objects being encrypted while being stored on disk.

The Shared File Systems service (manila) can secure shares through access restriction, whether by instance IP, user or group, or TLS certificate. Some Shared File Systems service deployments can feature separate share servers to manage the relationship between share networks and shares. Some share servers support, or even require, additional network security. For example, a CIFS share server requires the deployment of an LDAP, Active Directory, or Kerberos authentication service.

Some back ends also support encrypting the data at rest. This adds protection by encrypting the back end disks themselves, which mitigates physical threats such as theft or recycled disks that were not wiped.

For more information about configuring security options for the Block Storage service, Object Storage service, and Shared File Systems service, see Configuring security services.

7.7. Storage redundancy and disaster recovery

If you deploy the optional Block Storage backup service, then the Block Storage service (cinder) provides volume backup and restoration for basic disaster recovery of user storage. You can use backups to protect volume contents. The Block Storage service also supports snapshots. In addition to cloning, you can use snapshots to restore a volume to a previous state.

If your environment includes multiple back ends, you can also migrate volumes between these back ends. This is useful if you need to take a back end offline for maintenance. Backups are typically stored in a storage back end separate from their source volumes to help protect the data. This is not possible with snapshots because snapshots are dependent on their source volumes.

The Block Storage service also supports the creation of consistency groups to group volumes together for simultaneous snapshot creation. This provides a greater level of data consistency across multiple volumes.

Note

Red Hat does not currently support Block Storage service replication.

The Object Storage service (swift) provides no built-in backup features. You must perform all backups at the file system or node level. However, the Object Storage service features robust redundancy and fault tolerance. Even the most basic deployment of the Object Storage service replicates objects multiple times. You can use failover features like device mapper multipathing (DM Multipath) to enhance redundancy.

The Shared File Systems service (manila) provides no built-in backup features for shares, but you can create snapshots for cloning and restoration.

7.8. Managing the storage solution

You can manage your RHOSO configuration using the RHOSO Dashboard (horizon) or the RHOSO command line interface (CLI). You can perform most procedures using either method but some advanced procedures can only be completed using the CLI.

You can manage your storage solution configuration using the dedicated management interface provided by the storage vendor.

7.9. Sizing Red Hat OpenShift storage

The Image and Object Storage services can be configured to allocate space in the Red Hat OpenShift backing storage. In this scenario, the Red Hat OpenShift storage sizing should be estimated based on the expected use of these services.

7.9.1. Image service considerations

The Image service (glance) requires a staging area to manipulate data during an import operation. It is possible to copy image data into multiple stores so some persistence is required for the Image service. Although PVCs represent the main storage model for the Image service, an External model can also be chosen.

External model

If External is chosen, no PVCs are created and the Image service acts like a stateless instance with no persistence provided. In this instance, persistence must be provided using extraMounts. NFS is often used to provide persistence. It can be mapped to /var/lib/glance:

...
default:
  storage:
    external: true
...
...
extraMounts:
- extraVol:
  - extraVolType: NFS
    mounts:
    - mountPath: /var/lib/glance/os_glance_staging_store
      name: nfs
    volumes:
    - name: nfs
      nfs:
        path: <nfs_export_path>
        server: <nfs_ip_address>
  • Replace <nfs_export_path> with the export path of your NFS share.
  • Replace <nfs_ip_address> with the IP address of your NFS share. This IP address must be part of the overlay network that is reachable by the Image service.

Note that this configuration sample conflicts with the distributed image import feature. Distributed image import requires RWO storage attached to a particular instance; that instance owns the data and receives requests whenever its staged data is required for an upload operation. With the External model, if Red Hat Ceph Storage is used as a back end and an image conversion runs in one of the existing replicas, the glance-operator does not have to make any assumption about the storage behind the staging area: the conversion uses the os_glance_staging_store directory within the pod, which is backed by the RWX NFS export provided through extraMounts. In this scenario no image-cache PVC can be requested and mounted as a subPath, because it is the administrator's responsibility to plan for persistence using extraMounts.

PVC model

The PVC model is the default. When a GlanceAPI instance is deployed, a PVC is created and bound to /var/lib/glance according to the storageClass and storageRequest passed as input.

...
default:
  replicas: 3
  storage:
    storageRequest: 10G
...

In this model, if Red Hat Ceph Storage is set as a backend, no dedicated image conversion PVC is created. The administrator must think about the PVC sizing in advance; the size of the PVC should be at least up to the largest converted image size. Concurrent conversions within the same Pod might be problematic in terms of PVC size; a conversion will fail or cannot take place if the PVC is full and there’s not enough space. The upload should be retried after the previous conversion is over and the staging area space is released. However, concurrent conversion operations might happen in different Pods. You should deploy at least 3 replicas for a particular glanceAPI. This helps to handle heavy operations like image conversion.

For a PVC-based layout, the scale out of a glanceAPI in terms of replicas is limited by the available storage provided by the storageClass, and depends on the storageRequest. The storageRequest is a critical parameter, it can be globally defined for all the glanceAPI, or defined with a different value for each API. It will influence the scale out operations for each of them. Other than a local PVC required for the staging area, it is possible to enable image cache, which is translated into an additional PVC bound to each glanceAPI instance. A glance-cache PVC is bound to /var/lib/glance/image-cache. The glance-operator configures the glanceAPI instance accordingly, setting both image_cache_max_size and the image_cache_dir parameters. The number of image cache PVCs follows the same rules described for the local PVC, and the number of requested PVCs is proportional to the number of replicas.

7.9.2. Object Storage service considerations

The Object Storage service requires storage devices for data. These devices must be accessible using the same hostname or IP address during their lifetime. The configuration of a StatefulSet with a Headless Service is how this is achieved.

If you want to use storage volumes to provide persistence for your workload, you can use a StatefulSet as part of the solution. Although individual Pods in a StatefulSet are susceptible to failure, the persistent Pod identifiers make it easier to match existing volumes to the new Pods that replace any that have failed.

Several Object Storage backend services need access to these PVs, so all of them run in a single pod.

Additionally, volumes are not deleted when the StatefulSet is deleted. An unwanted removal of the StatefulSet, or of the whole deployment, does not immediately cause catastrophic data loss; the data can be recovered with administrator intervention.

The Headless Service makes it possible to access the storage pod directly by using a DNS name. For example, if the pod name is swift-storage-0 and the SwiftStorage instance is named swift-storage, it becomes accessible using swift-storage-0.swift-storage. This makes it easily usable within the Object Storage service rings, and IP changes are now transparent and don’t require an update of the rings.

Parallel pod management (podManagementPolicy: Parallel) tells the StatefulSet controller to launch or terminate all Pods in parallel, without waiting for a Pod to become Running and Ready, or to terminate completely, before launching or terminating the next one. This option affects only scaling operations; updates are not affected.

This is required to scale by more than one replica at a time, including new deployments with more than one replica. All pods must be created at the same time: otherwise some PVCs remain unbound, the Object Storage service rings cannot be created, and the pods that depend on the rings never start.

Storage pods should be distributed across different nodes to avoid single points of failure. A podAntiAffinity rule with preferredDuringSchedulingIgnoredDuringExecution distributes pods to different nodes where possible. To enforce stricter distribution, use a separate storageClass with PersistentVolumes that are located on different nodes.

Object Storage service backend services must be accessible only by other backend services and by the Object Storage service proxy. To limit access, a NetworkPolicy is added that allows only traffic between these pods. The NetworkPolicy matches pods by label, so the labels must match for traffic to be allowed. Therefore the labels must not be unique per pod; all of these pods must carry the same label to allow access. This is also why the swift-operator does not use the labels from lib-common.
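The following check is an added example of the label matching described above; it is not the swift-operator's code. It evaluates a single NetworkPolicy whose podSelector and ingress rule use matchLabels: a pod selected by the policy accepts traffic only from sources that carry every label the ingress selector names, which is why a per-instance (unique) label would cut the proxy off from the backend. The policy and all label names and values are constructed for the example.

```python
"""Check which pods a label-based NetworkPolicy admits to the Object Storage backend.

Added example, not the swift-operator's code. The policy below and the label
names and values are constructed; matchLabels semantics are those of the
Kubernetes NetworkPolicy API (every listed key must be present with that value).
"""
from typing import Dict

Labels = Dict[str, str]


def selector_matches(match_labels: Labels, pod_labels: Labels) -> bool:
    """matchLabels is a conjunction; an empty selector matches every pod."""
    return all(pod_labels.get(key) == value for key, value in match_labels.items())


def ingress_allowed(policy: dict, src: Labels, dst: Labels) -> bool:
    """True if this policy lets traffic from pod `src` reach pod `dst`.

    A pod the policy does not select is not restricted by it at all (other
    policies may still apply); a selected pod accepts only traffic that some
    ingress rule admits.
    """
    spec = policy["spec"]
    if not selector_matches(spec["podSelector"].get("matchLabels", {}), dst):
        return True
    for rule in spec.get("ingress", []):
        for peer in rule.get("from", []):
            peer_labels = peer.get("podSelector", {}).get("matchLabels", {})
            if selector_matches(peer_labels, src):
                return True
    return False


# Constructed policy: backend pods accept traffic only from pods carrying the
# shared label app=swift, which proxy and backend pods all carry.
SWIFT_BACKEND_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "swift-backend"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "swift", "component": "backend"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "swift"}}}]}],
    },
}

BACKEND = {"app": "swift", "component": "backend"}
PROXY = {"app": "swift", "component": "proxy"}
# A pod labelled with a per-instance value, as a generic library might do,
# does not match the shared selector and is therefore blocked.
UNIQUE_LABEL_POD = {"app": "swift-storage-0"}
OTHER_SERVICE = {"app": "glance"}

if __name__ == "__main__":
    for name, src in (("proxy", PROXY), ("backend", BACKEND),
                      ("unique-label", UNIQUE_LABEL_POD), ("glance", OTHER_SERVICE)):
        print(f"{name:13s} -> backend: {ingress_allowed(SWIFT_BACKEND_POLICY, src, BACKEND)}")
```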

Object Storage service rings require information about the disks to use, including their sizes and hostnames or IPs. The sizes are not known when the StatefulSet is started using PVCs: the size in a PVC request is only a lower limit, and the actual PVs might be much bigger.

StatefulSets do, however, create the PVCs before the ConfigMaps are available, and simply wait to start the pods until the ConfigMaps exist. The SwiftRing reconciler watches the SwiftStorage instances and iterates over their PVCs to get the actual information about the disks in use. Once the PVCs are bound, their sizes are known, and the swift-ring-rebalance job creates the Swift rings and eventually the ConfigMap. After the ConfigMap becomes available, the StatefulSets start the service pods.
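The following is an added example that models the sequence just described and the two earlier points about stable pod DNS names and unbound PVCs; it is not the swift-operator's or the swift-ring-rebalance job's code. It assumes that StatefulSet pods are named <statefulset>-<ordinal> and reachable through the Headless Service as <pod>.<service>, that each pod has one PVC named <template>-<pod>, that device weights must come from the bound PV's actual capacity rather than the request, and that no ring can be built while a PVC is still Pending. PVC capacities are assumed to be supplied already converted to bytes, and the port, region and zone values are constructed.

```python
"""Build Object Storage ring device entries from a SwiftStorage StatefulSet's PVCs.

Added example, not the swift-operator's code. Assumptions: pods are named
<statefulset>-<ordinal> and addressed as <pod>.<headless-service>; each pod
owns one PVC named <template>-<pod>; weights derive from the bound PV's real
capacity (the request is only a lower limit); building stops while any PVC
is Pending. Capacities are given in bytes; port, region and zone are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import re

_ORDINAL_RE = re.compile(r"-(\d+)$")


@dataclass(frozen=True)
class PVC:
    name: str                      # e.g. srv-swift-storage-0
    phase: str                     # "Pending" or "Bound"
    capacity_bytes: Optional[int]  # status.capacity.storage, known only once Bound


class RingNotReady(Exception):
    """Raised while any PVC is unbound, because its real size is still unknown."""


def pod_hostname(statefulset: str, ordinal: int, headless_service: str) -> str:
    """Stable DNS name of a storage pod; it survives IP changes, so rings need no update."""
    return f"{statefulset}-{ordinal}.{headless_service}"


def ring_devices(statefulset: str, headless_service: str, pvcs: List[PVC],
                 port: int = 6200, region: int = 1, zone: int = 1) -> List[Dict[str, object]]:
    """One ring device per PVC, weighted by the bound capacity in GiB."""
    pending = sorted(p.name for p in pvcs if p.phase != "Bound" or p.capacity_bytes is None)
    if pending:
        # The failure mode from the text: with unbound PVCs no rings can be created.
        raise RingNotReady(f"cannot build rings, unbound PVCs: {pending}")
    devices = []
    for pvc in pvcs:
        m = _ORDINAL_RE.search(pvc.name)
        if not m:
            raise ValueError(f"PVC name has no StatefulSet ordinal: {pvc.name}")
        ordinal = int(m.group(1))
        devices.append({
            "ordinal": ordinal,
            "host": pod_hostname(statefulset, ordinal, headless_service),
            "port": port,
            "region": region,
            "zone": zone,
            "device": "d1",
            # Swift weights are relative; GiB of real capacity is a common choice.
            "weight": pvc.capacity_bytes // 2**30,
        })
    return sorted(devices, key=lambda d: d["ordinal"])


def ring_builder_commands(builder: str, devices: List[Dict[str, object]]) -> List[str]:
    """Render 'swift-ring-builder add' lines in the r<region>z<zone>-<host>:<port>/<dev>_<weight> form."""
    return [
        f"swift-ring-builder {builder} add "
        f"r{d['region']}z{d['zone']}-{d['host']}:{d['port']}/{d['device']}_{d['weight']}"
        for d in devices
    ]


if __name__ == "__main__":
    # Constructed PVC state: 50Gi was requested, but the bound PVs are 100Gi and 200Gi.
    bound = [
        PVC("srv-swift-storage-0", "Bound", 100 * 2**30),
        PVC("srv-swift-storage-1", "Bound", 100 * 2**30),
        PVC("srv-swift-storage-2", "Bound", 200 * 2**30),
    ]
    for line in ring_builder_commands("object.builder",
                                      ring_devices("swift-storage", "swift-storage", bound)):
        print(line)
    try:
        ring_devices("swift-storage", "swift-storage",
                     bound[:2] + [PVC("srv-swift-storage-2", "Pending", None)])
    except RingNotReady as exc:
        print(exc)
```

Because the device entries carry the Headless Service names rather than pod IPs, a pod that is rescheduled and receives a new IP keeps its place in the ring without a rebalance.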

Rings are stored in a ConfigMap that the SwiftProxy and SwiftStorage instances mount using projected volumes. This makes it possible to mount all required files at the same place, without merging them from other locations. When the ConfigMap is updated, the mounted files are updated too; the Swift services detect the changes and eventually reload the rings.

Some operators use the customServiceConfig option to customize settings. However, the SwiftRing instance deploys multiple backend services, and each of these requires its own configuration file to be customized. Therefore the swift-operator supports only defaultConfigOverwrite, using specific keys as filenames.

Chapter 8. Integration

You can integrate Red Hat OpenStack Services on OpenShift (RHOSO) with third-party software. For the list of supported products, see Tested and Approved Software.

You can deploy RHOSO on trusted cloud providers. For the certified list of products, see Hardware - Tested and Approved.

Chapter 9. Subscriptions

To install Red Hat OpenStack Services on OpenShift (RHOSO), you must register all systems in the RHOSO environment with Red Hat Subscription Manager, and subscribe to the required channels.

For more information about Red Hat OpenStack Services on OpenShift subscriptions, see the Red Hat OpenStack Services on OpenShift FAQ.

Legal Notice

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.