Ensure that the following BIOS and IPMI settings are applied to each bare-metal server:

☐	Item
	Setup the iLO Advanced license in the iLO configuration
	Choose either UEFI or Legacy BIOS in the BIOS settings
	Verify the Date and Time settings in the BIOS. Note HPE Helion OpenStack installs and runs with UTC, not local time.
	Ensure that Wake-on-LAN is disabled in the BIOS
	Ensure that the NIC port to be used for PXE installation has PXE enabled in the BIOS
	Ensure that all other NIC ports have PXE disabled in the BIOS
	Ensure all hardware in the server not directly used by HPE Helion OpenStack is disabled

Before installing HPE Helion OpenStack, the following networks must be provisioned and tested. The networks are not installed or managed by the Cloud. You must install and manage the networks as documented in Book “Planning an Installation with Cloud Lifecycle Manager”, Chapter 9 “Example Configurations”.

Note that if you want a pluggable IPAM driver, it must be specified at install time. Only with a clean install of HPE Helion OpenStack 8 can you specify a different IPAM driver. If upgrading, you must use the default driver. More information can be found in Book “Operations Guide”, Chapter 9 “Managing Networking”, Section 9.3 “Networking Service Overview”, Section 9.3.7 “Using IPAM Drivers in the Networking Service”.

Use these checklists to confirm and record your network configuration information.

Router

The IP router used with HPE Helion OpenStack must support the updated of its ARP table through gratuitous ARP packets.

PXE Installation Network

When provisioning the IP range, allocate sufficient IP addresses to cover both the current number of servers and any planned expansion. Use the following table to help calculate the requirements:

Management Network

The management network is the backbone used for the majority of HPE Helion OpenStack management communications. Control messages are exchanged between the Controllers, Compute hosts, and Cinder backends through this network. In addition to the control flows, the management network is also used to transport Swift and iSCSI based Cinder block storage traffic between servers.

When provisioning the IP Range, allocate sufficient IP addresses to cover both the current number of servers and any planned expansion. Use the following table to help calculate the requirements:

IPMI Network

The IPMI network is used to connect the IPMI interfaces on the servers that are assigned for use with implementing the cloud. For HPE ProLiant servers, the IPMI network connects to the HPE iLO management device port for the server. This network is used by Cobbler to control the state of the servers during baremetal deployments.

External API Network

The External network is used to connect OpenStack endpoints to an external public network such as a company’s intranet or the public internet in the case of a public cloud provider.

When provisioning the IP Range, allocate sufficient IP addresses to cover both the current number of servers and any planned expansion. Use the following table to help calculate the requirements.

External VM Network

The External VM network is used to connect cloud instances to an external public network such as a company’s intranet or the public internet in the case of a public cloud provider. The external network has a predefined range of Floating IPs which are assigned to individual instances to enable communications to and from the instance to the assigned corporate intranet/internet. There should be a route between the External VM and External API networks so that instances provisioned in the cloud, may access the Cloud API endpoints, using the instance floating IPs.

This server contains the HPE Helion OpenStack installer, which is based on Git, Ansible, and Cobbler.

Log on to each type of physical server you have and issue platform-appropriate commands to identify the bus-address and port-num values that may be required. For example, run the following command:

sudo lspci -D | grep -i net

and enter this information in the space below. Use this information for the bus-address value in your nic_mappings.yml file.

To find the port-num use:

cat /sys/class/net/<device name>/dev_port

where the 'device-name' is the name of the device currently mapped to this address, not necessarily the name of the device to be mapped. Enter the information for your system in the space below.

The Control Plane consists of at least three servers in a highly available cluster that host the core HPE Helion OpenStack services including Nova, Keystone, Glance, Cinder, Heat, Neutron, Swift, Ceilometer, and Horizon. Additional services include mariadb, ip-cluster, apache2, rabbitmq, memcached, zookeeper, kafka, storm, monasca, logging, and cmc.

Note

To mitigate the “split-brain” situation described in Book “Operations Guide”, Chapter 15 “Troubleshooting Issues”, Section 15.4 “Network Service Troubleshooting” it is recommended that you have HA network configuration with Multi-Chassis Link Aggregation (MLAG) and NIC bonding configured for all the controllers to deliver system-level redundancy as well network-level resiliency. Also reducing the ARP timeout on the TOR switches will help.

One or more KVM Compute servers will be used as the compute host targets for instances.

Table to record your Compute host details:

Three or more servers with local disk volumes to provide Cinder block storage resources.

Note

The cluster created from block storage nodes must allow for quorum. In other words, the node count of the cluster must be 3, 5, 7, or another odd number.

Table to record your block storage host details:

This section is for any additional information that you deem necessary.

As part of the preparation to provision a Red Hat compute node you need to be aware of the issues raised in this article and take any remedial action required.

2.9.1 Sample iptables rules must be removed on Red Hat #

HPE Helion OpenStack 8 uses iptables to secure access to Cloud Lifecycle Manager network interfaces and on Red Hat this requires the package iptables-services to be installed. The package will provide sample iptables configurations for IPv4 and IPv6 if none existed before. This sample configuration is inappropriate for HPE Helion OpenStack operation and the node will not be able to run HPE Helion OpenStack with these rules installed.

The files installed are:

• /etc/sysconfig/iptables

• /etc/sysconfig/ip6tables

If these files do not exist on the candidate Red Hat systems the rest of this note may be skipped as the HPE Helion OpenStack 8 install will prevent the installation of the sample files. However, if these files do exist, there are a number of steps that you must follow before you install HPE Helion OpenStack 8.

The contents of these two files are displayed here for reference:

/etc/sysconfig/iptables

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

/etc/sysconfig/ip6tables

# sample configuration for ip6tables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

These rules are applied to network traffic on any interface on the system whereas HPE Helion OpenStack components and OpenStack components manage interface specific rules. With reference to the security policies that you may require for your environment, it is essential that you either:

• Delete the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables as none of the contained rules are required.

• Ensure that any remaining rules are limited to interfaces not used by HPE Helion OpenStack.

Important

If these files existed on your system, and did contain content, the corresponding rules are currently installed and active on the system. Once you delete these two files (or edit them to limit the rules to interfaces not used by HPE Helion OpenStack), you will need to reboot the system to activate the new settings.