Red Hat SummitQuesto contenuto non è disponibile nella lingua selezionata.
Chapter 5. Installing undercloud minions
This feature is available in this release as a Technology Preview, and therefore is not fully supported by Red Hat. It should only be used for testing, and should not be deployed in a production environment. For more information about Technology Preview features, see Scope of Coverage Details.
5.1. Undercloud minion
An undercloud minion provides additional heat-engine and ironic-conductor services on a separate host. These additional services support the undercloud with orchestration and provisioning operations. The distribution of undercloud operations across multiple hosts provides more resources to run an overcloud deployment, which can result in potentially faster and larger deployments.
5.2. Undercloud minion requirements
The scaled heat-engine and ironic-conductor services on an undercloud minion use a set of workers. Each worker performs operations specific to that service. Multiple workers provide simultaneous operations. The default number of workers on the minion is determined by halving the total CPU thread count of the minion host. In this instance, total thread count is the number of CPU cores multiplied by the hyper-threading value. For example, if your minion has a CPU with 16 threads, then the minion spawns 8 workers for each service by default. The minion also uses a set of minimum and maximum caps by default:
| Service | Minimum | Maximum |
|---|---|---|
|
| 4 | 24 |
|
| 2 | 12 |
An undercloud minion has the following minimum CPU and memory requirements:
- An 8-thread 64-bit x86 processor with support for the Intel 64 or AMD64 CPU extensions. This processor provides 4 workers for each undercloud service.
- A minimum of 16 GB of RAM.
To use a larger number of workers, increase the vCPUs and memory count on the undercloud using a ratio of 2 GB of RAM for each CPU thread. For example, a machine with 48 threads must have 96 GB of RAM. This provides coverage for 24 heat-engine workers and 12 ironic-conductor workers.
5.3. Preparing a minion
Before you can install a minion, you must complete some basic configuration on the host machine:
- A non-root user to execute commands.
- A resolvable hostname
- A Red Hat subscription
- The command line tools for image preparation and minion installation
Procedure
-
Log in to the minion host as the
rootuser. Create the
stackuser:[root@minion ~]# useradd stackSet a password for the
stackuser:[root@minion ~]# passwd stackDisable password requirements when using
sudo:[root@minion ~]# echo "stack ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/stack [root@minion ~]# chmod 0440 /etc/sudoers.d/stackSwitch to the new
stackuser:[root@minion ~]# su - stack [stack@minion ~]$Check the base and full hostname of the minion:
[stack@minion ~]$ hostname [stack@minion ~]$ hostname -fIf either of the previous commands do not report the correct fully-qualified hostname or report an error, use
hostnamectlto set a hostname:[stack@minion ~]$ sudo hostnamectl set-hostname minion.example.com [stack@minion ~]$ sudo hostnamectl set-hostname --transient minion.example.comEdit the
/etc/hostsfile and include an entry for the system hostname. For example, if the system is namedminion.example.comand uses the IP address10.0.0.1, add the following line to the/etc/hostsfile:10.0.0.1 minion.example.com managerRegister your system either with the Red Hat Content Delivery Network or Red Hat Satellite. For example, run the following command to register the system to the Content Delivery Network. Enter your Customer Portal user name and password when prompted:
[stack@minion ~]$ sudo subscription-manager registerFind the entitlement pool ID for Red Hat OpenStack Platform (RHOSP) director:
[stack@minion ~]$ sudo subscription-manager list --available --all --matches="Red Hat OpenStack" Subscription Name: Name of SKU Provides: Red Hat Single Sign-On Red Hat Enterprise Linux Workstation Red Hat CloudForms Red Hat OpenStack Red Hat Software Collections (for RHEL Workstation) Red Hat Virtualization SKU: SKU-Number Contract: Contract-Number Pool ID: Valid-Pool-Number-123456 Provides Management: Yes Available: 1 Suggested: 1 Service Level: Support-level Service Type: Service-Type Subscription Type: Sub-type Ends: End-date System Type: PhysicalLocate the
Pool IDvalue and attach the Red Hat OpenStack Platform 16.0 entitlement:[stack@minion ~]$ sudo subscription-manager attach --pool=Valid-Pool-Number-123456Disable all default repositories, and then enable the required Red Hat Enterprise Linux repositories:
[stack@minion ~]$ sudo subscription-manager repos --disable=* [stack@minion ~]$ sudo subscription-manager repos --enable=rhel-8-for-x86_64-baseos-eus-rpms --enable=rhel-8-for-x86_64-appstream-eus-rpms --enable=rhel-8-for-x86_64-highavailability-eus-rpms --enable=ansible-2.8-for-rhel-8-x86_64-rpms --enable=openstack-16-for-rhel-8-x86_64-rpms --enable=fast-datapath-for-rhel-8-x86_64-rpmsThese repositories contain packages that the minion installation requires.
Perform an update on your system to ensure that you have the latest base system packages:
[stack@minion ~]$ sudo dnf update -y [stack@minion ~]$ sudo rebootInstall the command line tools for minion installation and configuration:
[stack@minion ~]$ sudo dnf install -y python3-tripleoclient
5.4. Copying the undercloud configuration files to the minion
The minion requires some configuration files from the undercloud so that the minion installation can configure the minion services and register them with director:
-
tripleo-undercloud-outputs.yaml -
tripleo-undercloud-passwords.yaml
Procedure
-
Log in to your undercloud as the
stackuser. Copy the files from the undercloud to the minion:
$ scp ~/tripleo-undercloud-outputs.yaml ~/tripleo-undercloud-passwords.yaml stack@<minion-host>:~/.Replace
<minion-host>with the hostname or IP address of the minion.
5.5. Copying the undercloud certificate authority
If the undercloud uses SSL/TLS for endpoint encryption, the minion host must contain the certificate authority that signed the undercloud SSL/TLS certificates. Depending on your undercloud configuration, this certificate authority is one of the following:
- An external certificate authority whose certificate is preloaded on the minion host. No action is required.
-
A director-generated self-signed certificate authority, which the director creates at
/etc/pki/ca-trust/source/anchors/cm-local-ca.pem. Copy this file to the minion host and include the file as a part of the trusted certificate authorities for the minion host. This procedure uses this file as an example. -
A custom self-signed certificate authority, which you create with OpenSSL. Examples in this document refer to this file as
ca.crt.pem. Copy this file to the minion host and include the file as a part of the trusted certificate authorities for the minion host.
Procedure
-
Log in to the minion host as the
rootuser. Copy the certificate authority file from the undercloud to the minion:
[root@minion ~]# scp \ root@<undercloud-host>:/etc/pki/ca-trust/source/anchors/cm-local-ca.pem \ /etc/pki/ca-trust/source/anchors/undercloud-ca.pemReplace
<undercloud-host>with the hostname or IP address of the undercloud.Update the trusted certificate authorities for the minion host:
[root@minion ~]# update-ca-trust enable [root@minion ~]# update-ca-trust extract
5.6. Configuring the minion
The minion installation process requires certain settings in the minion.conf configuration file, which the minion reads from the home directory of the stack user. Complete the following steps to use the default template as a foundation for your configuration.
Procedure
-
Log in to the minion host as the
stackuser. Copy the default template to the home directory of the
stackuser:[stack@minion ~]$ cp \ /usr/share/python-tripleoclient/minion.conf.sample \ ~/minion.confEdit the
minion.conffile. This file contains settings to configure your minion. If you omit or comment out a parameter, the minion installation uses the default value. Review the following recommended parameters:-
minion_hostname, which you set to the hostname of the minion. -
minion_local_interface, which you set to the interface that connects to the undercloud through the Provisioning Network. -
minion_local_ip, which you set to a free IP address on the Provisioning Network. -
minion_nameservers, which you set to the DNS nameservers so that the minion can resolve hostnames. -
enable_ironic_conductor, which defines whether to enable theironic-conductorservice. -
enable_heat_engine, which defines whether to enable theheat-engineservice.
-
The default minion.conf file enables only the heat-engine service on the minion. To enable the ironic-conductor service, set the enable_ironic_conductor parameter to true.
5.7. Minion configuration parameters
The following list contains information about parameters for configuring the minion.conf file. Keep all parameters within their relevant sections to avoid errors.
Defaults
The following parameters are defined in the [DEFAULT] section of the minion.conf file:
- cleanup
-
Cleanup temporary files. Set this parmaeter to
Falseto leave the temporary files used during deployment in place after the command is run. This is useful for debugging the generated files or if errors occur. - container_cli
-
The CLI tool for container management. Leave this parameter set to
podman. Red Hat Enterprise Linux 8.1 only supportspodman. - container_healthcheck_disabled
-
Disables containerized service health checks. Red Hat recommends that you enable health checks and leave this option set to
false. - container_images_file
Heat environment file with container image information. This file can contain the following entries:
- Parameters for all required container images
-
The
ContainerImagePrepareparameter to drive the required image preparation. Usually the file that contains this parameter is namedcontainers-prepare-parameter.yaml.
- container_insecure_registries
-
A list of insecure registries for
podmanto use. Use this parameter if you want to pull images from another source, such as a private container registry. In most cases,podmanhas the certificates to pull container images from either the Red Hat Container Catalog or from your Satellite server if the minion is registered to Satellite. - container_registry_mirror
-
An optional
registry-mirrorconfigured thatpodmanuses. - custom_env_files
- Additional environment file that you want to add to the minion installation.
- deployment_user
-
The user who installs the minion. Leave this parameter unset to use the current default user
stack. - enable_heat_engine
-
Defines whether to install the heat engine on the minion. The default is
true. - enable_ironic_conductor
-
Defines whether to install the ironic conductor service on the minion. The default value is
false. Set this value totrueto enable the ironic conductor service. - heat_container_image
- URL for the heat container image that you want to use. Leave unset.
- heat_native
-
Use native heat templates. Leave as
true. - hieradata_override
-
Path to
hieradataoverride file that configures Puppet hieradata on the director, providing custom configuration to services beyond theminion.confparameters. If set, the minion installation copies this file to the/etc/puppet/hieradatadirectory and sets it as the first file in the hierarchy. - minion_debug
-
Set this value to
trueto enable theDEBUGlog level for minion services. - minion_enable_selinux
-
Enable or disable SELinux during the deployment. It is highly recommended to leave this value set to
trueunless you are debugging an issue. - minion_enable_validations
- Enable validation services on the minion.
- minion_hostname
- Defines the fully qualified host name for the minion. If set, the minion installation configures all system host name settings. If left unset, the minion uses the current host name, but you must configure all system host name settings appropriately.
- minion_local_interface
The chosen interface for the Provisioning NIC on the undercloud. This is also the device that the minion uses for DHCP and PXE boot services. Change this value to your chosen device. To see which device is connected, use the
ip addrcommand. For example, this is the result of anip addrcommand:2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 52:54:00:75:24:09 brd ff:ff:ff:ff:ff:ff inet 192.168.122.178/24 brd 192.168.122.255 scope global dynamic eth0 valid_lft 3462sec preferred_lft 3462sec inet6 fe80::5054:ff:fe75:2409/64 scope link valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noop state DOWN link/ether 42:0b:c2:a5:c1:26 brd ff:ff:ff:ff:ff:ffIn this example, the External NIC uses
eth0and the Provisioning NIC useseth1, which is currently not configured. In this case, set thelocal_interfacetoeth1. The configuration script attaches this interface to a custom bridge defined with theinspection_interfaceparameter.- minion_local_ip
-
The IP address defined for the Provisioning NIC on the undercloud. This is also the IP address that the minion uses for DHCP and PXE boot services. Leave this value as the default
192.168.24.1/24unless you use a different subnet for the Provisioning network, for example, if the default IP address conflicts with an existing IP address or subnet in your environment. - minion_local_mtu
-
The maximum transmission unit (MTU) that you want to use for the
local_interface. Do not exceed 1500 for the minion. - minion_log_file
-
The path to a log file where you want to store the minion install and upgrade logs. By default, the log file is
install-minion.login the home directory. For example,/home/stack/install-minion.log. - minion_nameservers
- A list of DNS nameservers to use for the minion hostname resolution.
- minion_ntp_servers
- A list of network time protocol servers to help synchronize the minion date and time.
- minion_password_file
-
The file that contains the passwords for the minion to connect to undercloud services. Leave this parameter set to the
tripleo-undercloud-passwords.yamlfile copied from the undercloud. - minion_service_certificate
- The location and filename of the certificate for OpenStack SSL/TLS communication. Ideally, you obtain this certificate from a trusted certificate authority. Otherwise, generate your own self-signed certificate.
- minion_timezone
- Host timezone for the minion. If you do not specify a timezone, the minion uses the existing timezone configuration.
- minion_undercloud_output_file
-
The file that contains undercloud configuration information that the minion can use to connect to undercloud services. Leave this parameter set to the
tripleo-undercloud-outputs.yamlfile copied from the undercloud. - net_config_override
-
The path to a network configuration override template. If you set this parameter, the minion uses a JSON format template to configure the networking with
os-net-configand ignores the network parameters set inminion.conf. See/usr/share/python-tripleoclient/minion.conf.samplefor an example. - networks_file
-
Networks file to override for
heat. - output_dir
- Directory to output state, processed heat templates, and Ansible deployment files.
- roles_file
- The roles file that you want to use to override the default roles file for minion installation. It is highly recommended to leave this parameter unset so that the minion installation uses the default roles file.
- templates
- Heat templates file to override.
5.8. Installing the minion
Complete the following steps to install the minion.
Procedure
-
Log in to the minion host as the
stackuser. Run the following command to install the minion:
[stack@minion ~]$ openstack undercloud minion installThis command launches the configuration script for the minion, installs additional packages, and configures minion services according to the configuration in the
minion.conffile. This script takes several minutes to complete.
5.9. Verifying the minion installation
Complete the following steps to confirm a successful minion installation.
Procedure
-
Log in to your undercloud as the
stackuser. Source the
stackrcfile:[stack@director ~]$ source ~/stackrcIf you enabled the heat engine service on the minion, verify that the
heat-engineservice from the minion appears on the undercloud service list:[stack@director ~]$ $ openstack orchestration service listThe command output displays a table with
heat-engineworkers for both the undercloud and any minions.If you enabled the ironic conductor service on the minion, verify that the
ironic-conductorservice from the minion appears on the undercloud service list:[stack@director ~]$ $ openstack baremetal conductor listThe command output displays a table with
ironic-conductorservices for both the undercloud and any minions.
5.10. Next Steps
- Perform basic overcloud configuration, including registering nodes, inspecting nodes, and tagging nodes into various node roles. For more information, see Chapter 7, Configuring a basic overcloud with CLI tools.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}