Chef_databag_support_for_deploying_openstack_in_xCAT
This mini-design discusses using Chef databags to support deploying OpenStack in xCAT. In xCAT 2.8.3, xCAT used OpenStack-Chef-Cookbooks to deploy clouds in xCAT clusters, and the password of each account for the different components is the default. This is develop mode. If "develop_mode=false", the OpenStack Chef cookbooks need Chef databags.
For general Chef databag knowledge, see:
http://docs.opscode.com/essentials_data_bags.html
http://docs.opscode.com/knife_data_bag.html
This doc discusses how to make the chef databag work in OpenStack-Chef-cookbook.
Data Bag: A data bag is a global variable that is stored as JSON data and is accessible from the chef-server node. The contents of a data bag can vary, but they often include sensitive information (such as database passwords). The xCAT scripts use the knife command to create the databag. Before running the command, the data bag folders and data bag item JSON files must be prepared.
Secret Keys: Encrypting a data bag requires a secret key. A secret key can be created in any number of ways. The xCAT script uses OpenSSL to generate a random number, which is then used as the secret key.
loadclouddata is a postscript of updatenode that updates the cookbooks, roles, environment files and chef-client nodes. To support databags, the postscript loadclouddata will also upload the databags to the chef-server. Currently, databag support is experimental, so I added the option --nodevmode to loadclouddata. When running the following command:
```
updatenode <chef-server-nodes> "loadclouddata --nodevmode"
```
It will update the cookbooks, roles, environment files, chef-client nodes, and databags into the chef-server nodes.
The OpenStack-Chef-Cookbooks are in /install/chef-cookbooks/grizzly-xCAT/ on the xCAT management node, and the community version for grizzly is at https://github.com/stackforge . Currently, there isn't any document that introduces how to use databags in OpenStack-Chef-Cookbooks. I made an investigation and wrote a summary. There are 4 different databags:
db_passwords, service_passwords, user_passwords, and secrets
db_passwords provides the password of each user (always the OpenStack component name) for each OpenStack component database.
service_passwords provides the passwords for the users of services in keystone, such as quantum, nova, glance and cinder. These passwords will be in some configuration files, such as /etc/nova/nova.conf.
user_passwords provides the guest password of the message queue, and the "admin" password for identity (keystone).
secrets provides the bootstrap_token that keystone uses when registering services and endpoints, and the quantum_metadata_proxy_shared_secret.
We need to prepare the databag directories and databag items.
Take db_passwords for example; the directory structure is as follows:
```
[root@oscn12 databags]# tree db_passwords
db_passwords
|-- ceilometer_password.json
|-- cinder_password.json
|-- glance_password.json
|-- horizon_password.json
|-- keystone_password.json
|-- nova_password.json
`-- quantum_password.json
0 directories, 7 files
```
There are 7 databag items in the databag db_passwords. The content of a databag item is very simple; take keystone_password.json as an example:
```
[root@oscn12 db_passwords]# cat keystone_password.json
{
  "id": "keystone",
  "keystone": "xcatcloud"
}
```
Note: The OpenStack-Chef-Cookbooks are being updated, so the databag names or databag items may change.
The postscript "loadclouddata --nodevmode" will update the databags into the chef-server nodes. The basic workflow is as follows:
- generate the secret key
- check whether the key path is in /root/.chef/knife.rb; if not, add it
- clear all the old databags
- create the databag based on the secret key
- upload each databag item in the databag based on the secret key
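
The workflow above as a shell sketch. This is an added example, not xCAT's loadclouddata code: the function names, the KNIFE override for dry runs, the `knife[:secret_file]` line written to knife.rb and the choice to keep an existing key are assumptions; the paths come from this page.

```shell
#!/bin/bash
# Added example: paths follow the page; function names, the KNIFE override and
# the knife.rb setting written here are assumptions, not xCAT's own code.
KNIFE=${KNIFE:-knife}        # set KNIFE="echo knife" for a dry run
SECRET=${SECRET:-/etc/chef/encrypted_data_bag_secret}
KNIFE_RB=${KNIFE_RB:-/root/.chef/knife.rb}

# Step 1: generate the secret key with OpenSSL, readable by its owner only.
# An existing key is kept (a choice made for this example).
gen_secret() {
    [ -s "$SECRET" ] && return 0
    ( umask 077; openssl rand -base64 512 | tr -d '\r\n' > "$SECRET" ) &&
        chmod 600 "$SECRET"
}

# Step 2: add the key path to knife.rb unless it is already there.
ensure_key_path() {
    grep -q '^knife\[:secret_file\]' "$KNIFE_RB" 2>/dev/null && return 0
    echo "knife[:secret_file] = \"$SECRET\"" >> "$KNIFE_RB"
}

# Steps 3-5: per databag directory, clear the old bag, recreate it, and
# upload each item encrypted with the secret key.
load_databags() {
    local dir=$1 bag item
    for bag in "$dir"/*/; do
        [ -d "$bag" ] || continue
        bag=$(basename "$bag")
        $KNIFE data bag delete "$bag" -y 2>/dev/null || true
        $KNIFE data bag create "$bag" || return 1
        for item in "$dir/$bag"/*.json; do
            [ -f "$item" ] || continue
            # Every databag item needs an "id" field; stop before a bad upload.
            grep -q '"id"' "$item" || { echo "no id in $item" >&2; return 1; }
            $KNIFE data bag from file "$bag" "$item" --secret-file "$SECRET" || return 1
        done
    done
}

# Run the whole workflow only when asked to: script.sh --run <databags-dir>
if [ "${1:-}" = "--run" ]; then
    gen_secret && ensure_key_path && load_databags "$2"
fi
```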
Currently, the cloud_environment template files grizzly_allinone.rb.tmpl and grizzly_per-tenant_routers_with_private_networks.rb.tmpl do not support databags. To support databags, we should add the following to the template files:
```
...
"developer_mode" => false,
"secret" => {
  "key_path" => "/etc/chef/encrypted_data_bag_secret"
},
...
```
- Required reviewers: Bruce, Linda, Guang Cheng, Gao Ling, Sun Jing, etc.
- Required approvers: Bruce Potter
- Database schema changes: N/A
- Affect on other components: N/A
- External interface changes, documentation, and usability issues: N/A
- Packaging, installation, dependencies: N/A
- Portability and platforms (HW/SW) supported: N/A
- Performance and scaling considerations: N/A
- Migration and coexistence: N/A
- Serviceability: N/A
- Security: N/A
- NLS and accessibility: N/A
- Invention protection: N/A