Skip to content

02.md

Latest commit

 

History

History
323 lines (187 loc) · 15.1 KB

02.md

File metadata and controls

323 lines (187 loc) · 15.1 KB
date 2016-05-09
draft false
weight 2
title Lab 02 - Nova - Horizon
Mon Mon Mon Mon Tue Tue Tue Tue Wed Wed Wed Thur Thur Thur Thur
00 01 alt text 03 04 05 06 07 08 09 10 11 12 13 14

Lab Duration: 75 minutes

Lab Objective

The objective of this lab is for you to administer an OpenStack cloud with the Horizon Dashboard as both an admin and user. Let's role play a bit. Your new OpenStack deployment has gone live and you are ready to take on your first customers. These may be paying customers or perhaps a particular department within your organization.

For the purposes of this lab, we'll take two orders. The first order we'll provision via the OpenStack Horizon GUI, the second order, we'll complete with the CLI.

- Order 1: Acme Inc; they would like two users, Alice Anderson, and Bob Barker, to be able to admin a small cloud for their company.
- Order 2: VaultTek Enterprises; they would like Chester Copperpot to be able to admin a small cloud for their company.

1. Navigating Horizon Admin Interfaces

  1. To get started, if you are not already, sign into the OpenStack web GUI as the user admin (http://<userid>.alta3.training)

    login

  2. Before we get started, click on Project > Compute > Overview

    overview

    One more thing we can take note of: in the upper right part of the screen is the user you are currently logged in as. In the upper left side of the screen is the project you are currently working within. Look at the screenshot below. The project drop down menu and user drop down menu have both been clearly defined with large red arrows.

    project and user

  3. On the left hand side screen click on Identity > Projects The projects below in the red outline are ones you will soon add. They will not appear yet on your screen. Right now, all you should see are the tenants outlined in green below.

    project list

    Note: In OpenStack, users belong to Projects. Projects and tenants are interchangeable terms, used to refer to a group of users, and the total amount of cloud resources those users may consume (for, say, switching on instances). When OpenStack was new, compute had its own authentication mechanism and used to term 'project'. Authorization is now handled by the Keystone service, where it uses the word 'tenant'. The admin tenant has their own default project. This can be useful location to host virtualized services that are integrated into the OpenStack deployment.

  4. To start, let's edit the project we are already a part of, On the Projects screen, in the Name column click on the blue admin link

  5. You should now be on the 'Project Details: admin' page. In the drop down menu in the upper right, select 'Edit Project'.

    edit admin project

  6. In the Edit Project box that pops up, click on the Quota tab

  7. Change VCPUs from its current value, to something absurd. After all, we're just trying to drive home a point. How about 2 million? Change the value of VCPU to read, VCPU: 2000000

  8. Change Instances from its current value, to 1 million. Change the value of instances to read, Instances: 1000000

    mega vcpus

  9. After you've made those two changes, click the 'Save' button at the bottom of the screen.

  10. Navigate to Project > Compute > Overview

    Examine the pie charts for Instances, and VCPUs. They've changed radically, but only to reflect the quota our project has been given. Hopefully it is clear that we couldn't possibly have just increased the resource capacity of our system by a factor of 100 million by simply changing the value of a variable.

  11. To view actual available system resources, click on Admin > System > Hypervisors. You're welcome to go there now, but we'll devote another lab to exploring this section later. So for now, don't get too caught up in it.

    admin system hypervisors

    What we want to take away from this section is that projects have associated maximum thresholds that are defined by the project's quotas. Quotas may exceed the actual resource capacity of the total cloud system, therefore the size of a project may be limited by the quota, or resource capacity of the system itself.

2. Adding a Project with Horizon

Consider that we are currently signed into the system as the admin for the OpenStack deployment. You would never want to give this account out to your customers, so let's create a new project and apply some users.

Users may belong to many projects, but they always must belong to at least one. If a user belongs to a project, and that project is deleted, then that user will not be able to log into the Horizon dashboard until they are once again assigned (at least) one project.

Before we create new users, lets first create a few projects (tenants).

  1. Log in as admin to the Horizon interface, and navigate to Identity > Projects.

  2. In the upper right hand corner, click the '+Create Project' button. The following screenshot has a giant red arrow on the button you looking for.

    create project

  3. On the Project Information tab, input the following Project Information (do NOT click Create Project yet!)

    Name: acme_inc
Description: Acme Inc. is the world's leader in the production of widgets 
Enabled: (checked)

    project details

  4. Click on the 'Project Members' tab. We don't yet have any users from the Acme Inc organization, so we won't apply any yet.

  5. Now click on the 'Quota Tab'

    This page controls the operational limits of a project could place on available resources within our infrastructure. For example, we certainly don't want our customer, Acme Inc, to max out our cloud's storage space with widget designs.

  6. Let's set an appropriate quota:

    Metadata Items: 128

    When booting an instance, you can also add arbitrary meta data so that you can more easily identify it among other running instances. This value limits the length of the string where 128 is the default.

    VCPUs: 2

    VCPUs are the number of available virtualized cores

    Instances: 2

    The number of instances, or VMs, that maybe created

    Injected Files: 5

    Injected files are arbitrary local files that can be placed into the instance file system at the time of creation.

    Injected File Content (Bytes): 10240

    Limits total size (in bytes) of allowable injected files.

    Volumes: 2

    Volume-Snapshots: 2

    Total-Size-of-Volumes-and-Snapshots-(GB): 200

    Total accrued size of all stored data.

    RAM-(MB): 51200

    Security-Groups: 5

    The total available security groups this project may create

    Security-Group-Rules: 20

    The total available security group rules this project may create

    Floating-IPs: 4

    Total number of floating IP addresses the project may utilize. Floating IPs are applied to instances.

    Networks: 3

    Number of virtualized networks that may be created

    Ports: 50

    Routers: 3

    Subnets: 3

    Maximum number of subnets that may be created by a project.

  7. You are now permitted to click the Create Project button

3. Adding Users with Horizon

Acme Inc wanted two users to be available to admin their systems, Alice Anderson and Bob Barker, so lets add them now that we have the project space created.

  1. Log in to Horizon as admin. On the left hand side of the OpenStack Horizon GUI, click on Identity > Users

  2. In the upper right hand corner, click the '+Create User' button.

    create user

  3. Fill out the 'Create User' screen as follows and click Create User

    White spaces and capitals may be used, but they make the login more complex, so please don't use them.

    Password: fa5tpa55w0rd
ConfirmPassword: fa5tpa55w0rd
UserName: aliceanderson 
Email: <blank> 
PrimaryProject: acme_inc
Role: _member_

    user details

  4. Create a second user, this will be the Bob Barker profile.

    Fill out the second 'Create User' screen and click Create User

    Password: fa5tpa55w0rd
ConfirmPassword: fa5tpa55w0rd
UserName: bobbarker
Email: <blank>
PrimaryProject: acme_inc 
Role: _member_

  5. Log out the admin account within the Horizon GUI by clicking in the upper right hand corner, and click 'Sign Out'.

    sign out

  6. Log in as aliceanderson:fa5tpa55w0rd

  7. Click on Project > Compute > Overview

    This screen should look quite a bit different than the overview screen you saw when you were logged in as admin. Notice that Alice Anderson may only create a total of 2 instance, and utilize a total of 2 VCPUs. These settings reflect what was provisioned in the Project's Quota tab.

    If you forget what the admin quota screen looked like, sign out, and sign back in as admin. It is important that you understand that Alice Anderson is a user within a project (tenant), therefore she may only utilize the resources that have been made permissible to the project for which she belongs (acme_inc).

    Make sure you clearly understand this partitioning of available system resources into projects (tenants) via quotas before continuing the lab. We're not racing here. Take all the time you need.

4. Launching Instances as a User (not admin)

  1. Double check that you are signed in as aliceanderson:fa5tpa55w0rd

    Notice that the project in the upper left change has changed. You should be signed in as the user aliceanderson, within the project acme_inc.

  2. Click on Project > Compute > Instances

  3. In the upper right corner, click 'Launch Instance'

    launch instance

  4. The Launch Instance dialog box should pop up, on the Details tab, set the settings as follows:

    AvailabilityZone: nova
InstanceName: acme_vm1
Flavor: m1.xlarge
InstanceCount: 1
InstanceBootSource: Boot from image
ImageName: cirros

  5. Click 'Launch', and the instance will fail.

    That's OK, just driving home the point that the project acme_inc does not have enough resources provisioned by their quota to boot the m1.xlarge flavor. Afterall, the m1.xlarge flavor wants to run 8 VCPUs, and we only have 2 available to our project.

  6. Let's try again, this time, configure the instance details tab as follows:

    AvailabilityZone: nova
InstanceName: acme_vm1
Flavor: m1.tiny
InstanceCount: 1
InstanceBootSource: Boot from image
ImageName: cirros

  7. This instance still is not ready for us to launch. Click on the 'Networking' tab

  8. Add the network 'private' and 'public' to the instance, by clicking the + sign beside those networks.

    choose networks

  9. Once complete, click the 'Launch' button

    Immediately upon launching the instance (virtual machine), it will begin spawning. This may take a few minutes, and that's OK. How long the instance takes to spawn is completely dependent on how many resources the instance has been created with, and how the the underlying OpenStack architecture has been designed. Spawning m1.tiny should not take longer than 3 or 5 minutes.

    spawning instance

  10. Once instance changes from 'Spawning' to 'Running', sign out of the aliceanderson account

  11. Log in as bobbarker:fa5tpa55w0rd

  12. Click on Project > Compute > Overview

    You should see the same total available resources that the account aliceanderson saw. Remember, both Alice and Bob are part of the same project (acme_inc)

  13. Click on Project > Compute > Instances

    You should still see the same instance that the account aliceanderson saw. Again, both Alice and Bob are part of the same project (acme_inc)

  14. Logged in as bobbarker, click on the 'Launch Instance' button, then create the following instance:

    AvailabilityZone: nova
InstanceName: acme_vm2
Flavor: m1.tiny
InstanceCount: 1
InstanceBootSource: Boot from image
ImageName: cirros

  15. Click on the 'Networking' tab

  16. Add the network 'private' and 'public' to the instance, by clicking the + sign beside those networks.

  17. Once complete, click the 'Launch' button, and wait for the acme_vm2 instance to finish spawning. Again, this may take a few moments.

  18. Once acme_vm2 is running, click on Project > Compute > Overview

    Spend a few minutes checking out this screen. Notice that no more instances or VCPUs are available for this project. It should look similar to the screen shot below (note- it is okay, if you have 0 of 4 floating IP addresses used):

    maxed out

5. Taking control with admin

  1. Log out of bobbarker, and log back in as admin.

  2. Navigate to Admin > System > Instances > Instance Name: acme_vm2 > Log Tab

    If you look at the bottom of the log, you'll find a line that begins, "Log in as 'cirros' user..." What is the password associated with the user 'cirros'? Note that this silly password is the default for the CirrOS.

  3. Click on Admin > System > Instances

  4. Check all the tick boxes beside the running instances. Click 'Terminate Instances'. All instances should begin shutting down.

  5. Once more log out of admin, and log back in as aliceanderson or bobbarker.

    The acme_inc project should once again have no instances running. Check the Project > Compute > Overview dashboard and the Project > Compute > Instances dashboard to be sure.

    Terminating an instance will kill the instance (forever)

    In this case, the admin user terminated a machine created by bobbarker. You may be wondering why bobbarker did not terminate the machine that he created, and indeed that is normally how it is done. In this case, we just wanted to show you that if the admin has access to the tenant, then the admin can also terminate the tenant's machines.

6. Misc

  1. Session timeout setting

    If the 2 minute timeout is annoyingly short, you can change the Openstack timeout following this suggestion: https://ask.openstack.org/en/question/32206/horizon-session-timeout/

    SESSION_TIMEOUT- This SESSION_TIMEOUT is a method to supercede the token timeout with a shorter horizon session timeout (in seconds). So if your token expires in 60 minutes, a value of 1800 will log users out after 30 minutes.