Chapter 3. Integrate with IdM using novajoin
Novajoin allows you to enroll your nodes with Red Hat Identity Manager (IdM) as part of the deployment process. As a result, you can integrate IdM features with your OpenStack deployment, including identities, kerberos credentials, and access controls.
IdM enrollment through novajoin is currently only available for the undercloud and overcloud nodes. Novajoin integration for overcloud instances is expected to be supported in a later release.
3.1. Install and configure novajoin in the undercloud
3.1.1. Add the undercloud to the CA
Before deploying the overcloud, you must add the undercloud to the Certificate Authority (CA):
- On the undercloud node, install the python-novajoin package:
  $ sudo yum install python-novajoin
- On the undercloud node, run the novajoin-ipa-setup script, adjusting the values to suit your deployment. In the following section, you will use the resulting One-Time Password (OTP) to enroll the undercloud.
3.1.2. Add the undercloud to IdM
This procedure registers the undercloud with IdM and configures novajoin. Configure the following settings in undercloud.conf (within the [DEFAULT] section):
- The novajoin service is disabled by default. To enable it:
  [DEFAULT]
  enable_novajoin = true
- You must set a One-Time Password (OTP) to register the undercloud node with IdM:
  ipa_otp = <otp>
- Ensure the overcloud's domain name served by neutron's DHCP server matches the IdM domain (your kerberos realm in lowercase):
  overcloud_domain_name = <domain>
- Set the appropriate hostname for the undercloud:
  undercloud_hostname = <undercloud FQDN>
- Set IdM as the nameserver for the undercloud:
  undercloud_nameservers = <IdM IP>
- For larger environments, you will need to review the novajoin connection timeout values. In undercloud.conf, add a reference to a new file called undercloud-timeout.yaml:
  hieradata_override = /home/stack/undercloud-timeout.yaml
  Add the following options to undercloud-timeout.yaml. You can specify the timeout value in seconds, for example, 5:
  nova::api::vendordata_dynamic_connect_timeout: <timeout value>
  nova::api::vendordata_dynamic_read_timeout: <timeout value>
- Save the undercloud.conf file.
- Run the undercloud deployment command to apply the changes to your existing undercloud:
  $ openstack undercloud install
Verification
- Check the keytab files for a key entry for the undercloud.
- Test the system /etc/krb.keytab file with the host principal.
- Test the novajoin /etc/novajoin/krb.keytab file with the nova principal.
3.2. Install and configure novajoin in the overcloud
These sections describe how to register an overcloud node with IdM.
3.2.1. Configure overcloud DNS
For automatic detection of your IdM environment, and easier enrollment, consider using IdM as your DNS server:
- Connect to your undercloud:
  $ source ~/stackrc
- Configure the control plane subnet to use IdM as the DNS name server:
  $ openstack subnet set ctlplane-subnet --dns-nameserver <idm_server_address>
- Set the DnsServers parameter in an environment file to use your IdM server:
  parameter_defaults:
    DnsServers: ["<idm_server_address>"]
  This parameter is usually defined in a custom network-environment.yaml file.
3.2.2. Configure overcloud to use novajoin
- To enable IdM integration, create a copy of the /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml environment file:
  $ cp /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml \
    /home/stack/templates/custom-domain.yaml
- Edit the /home/stack/templates/custom-domain.yaml environment file and set the CloudDomain and CloudName* values to suit your deployment.
- Include the following environment files in the overcloud deployment process:
  - /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml
  - /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml
  - /home/stack/templates/custom-domain.yaml
  For example:
  $ openstack overcloud deploy \
    --templates \
    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \
    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \
    -e /home/stack/templates/custom-domain.yaml \
  As a result, the deployed overcloud nodes will be automatically enrolled with IdM.
- This only sets TLS for the internal endpoints. For the external endpoints you can use the normal means of adding TLS with the /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml environment file (which must be modified to add your custom certificate and key). Consequently, your openstack deploy command would include that environment file as well.
- Alternatively, you can also use IdM to issue your public certificates. In that case, you need to use the /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml environment file.
3.3. Validate a node in IdM
- Locate an overcloud node in IdM and confirm that the host entry includes Keytab:True.
- SSH to the node and confirm that sssd can query IdM users. For example, to query an IdM user named susan:
  $ getent passwd susan
  uid=1108400007(susan) gid=1108400007(bob) groups=1108400007(susan)
3.4. Configure DNS entries for Novajoin
If you use the haproxy-public-tls-certmonger.yaml template to issue public certificates for endpoints, then you will need to manually create DNS entries for the VIP endpoints used by Novajoin:
- Identify the overcloud networks. You can expect to locate these in /home/stack/virt/network/network-environment.yaml.
- Create a list of virtual IP addresses (VIP) for each overcloud network, for example in /home/stack/virt/public_vip.yaml.
- Add DNS entries to IdM for each of the VIPs. You may also need to create new zones.
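Creating the zone and A record for each VIP with the ipa CLI, as an added shell example that is not from the Red Hat documentation. The VIP names and addresses are constructed, and running it without --dry-run assumes an IdM admin ticket (kinit admin) on the host.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: derive the IdM DNS zone
# and A record for each VIP endpoint and apply them with the ipa CLI.
# VIP names and addresses below are constructed placeholders (assumptions).

# vip_dns_commands FQDN IP
# Prints the ipa commands needed for one VIP: create the zone if it does not
# exist yet, then add the A record. The zone is everything after the first label.
vip_dns_commands() {
    fqdn=$1; ip=$2
    host=${fqdn%%.*}
    zone=${fqdn#*.}
    printf 'ipa dnszone-show %s >/dev/null 2>&1 || ipa dnszone-add %s\n' "$zone" "$zone"
    printf 'ipa dnsrecord-add %s %s --a-rec=%s\n' "$zone" "$host" "$ip"
}

# Constructed VIP list in "fqdn address" form, one line per overcloud network,
# standing in for the contents of public_vip.yaml.
VIPS="overcloud.example.com 10.0.0.101
overcloud.internalapi.example.com 172.16.2.101
overcloud.storage.example.com 172.16.1.101
overcloud.ctlplane.example.com 192.168.24.101"

# apply_vip_dns [--dry-run]
# With --dry-run only print the generated commands; otherwise execute each one.
apply_vip_dns() {
    printf '%s\n' "$VIPS" | while read -r fqdn ip; do
        [ -n "$fqdn" ] || continue
        vip_dns_commands "$fqdn" "$ip" | while read -r cmd; do
            if [ "${1:-}" = "--dry-run" ]; then echo "$cmd"; else sh -c "$cmd"; fi
        done
    done
}
```

Review the output of `apply_vip_dns --dry-run` before applying it, and confirm the zone split matches the zones your IdM server is authoritative for.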