12 Deploying the OpenStack Services #

Installs the designate server packages and configures the mini-dns (mdns) service required by designate.

Configures a designate worker on the selected nodes. designate uses the workers to distribute its workload.

Choose a technology used for cluster communication. You can choose between Multicast (UDP), sending a message to multiple destinations, or Unicast (UDPU), sending a message to a single destination. By default unicast is used.

Whenever communication fails between one or more nodes and the rest of the cluster a “cluster partition” occurs. The nodes of a cluster are split in partitions but are still active. They can only communicate with nodes in the same partition and are unaware of the separated nodes. The cluster partition that has the majority of nodes is defined to have “quorum”.

This configuration option defines what to do with the cluster partition(s) that do not have the quorum. See https://documentation.suse.com/sle-ha/15-SP1/single-html/SLE-HA-guide/#sec-conf-hawk2-cluster-config, for details.

The recommended setting is to choose Stop. However, Ignore is enforced for two-node clusters to ensure that the remaining node continues to operate normally in case the other node fails. For clusters using shared resources, choosing freeze may be used to ensure that these resources continue to be available.

“Misbehaving” nodes in a cluster are shut down to prevent them from causing trouble. This mechanism is called STONITH (“Shoot the other node in the head”). STONITH can be configured in a variety of ways, refer to https://documentation.suse.com/sle-ha/15-SP1/single-html/SLE-HA-guide/#cha-ha-fencing for details. The following configuration options exist:

With STONITH, Pacemaker clusters with two nodes may sometimes hit an issue known as STONITH deathmatch where each node kills the other one, resulting in both nodes rebooting all the time. Another similar issue in Pacemaker clusters is the fencing loop, where a reboot caused by STONITH will not be enough to fix a node and it will be fenced again and again.

This setting can be used to limit these issues. When set to true, a node that has not been properly shut down or rebooted will not start the services for Pacemaker on boot. Instead, the node will wait for action from the SUSE OpenStack Cloud operator. When set to false, the services for Pacemaker will always be started on boot. The Automatic value is used to have the most appropriate value automatically picked: it will be true for two-node clusters (to avoid STONITH deathmatches), and false otherwise.

When a node boots but not starts corosync because of this setting, then the node's status is in the Node Dashboard is set to "Problem" (red dot).

Get notified of cluster node failures via e-mail. If set to true, you need to specify which SMTP Server to use, a prefix for the mails' subject and sender and recipient addresses. Note that the SMTP server must be accessible by the cluster nodes.

The public name is the host name that will be used instead of the generated public name (see Important: Proposal Name) for the public virtual IP address of HAProxy. (This is the case when registering public endpoints, for example). Any name specified here needs to be resolved by a name server placed outside of the SUSE OpenStack Cloud network.

Deploy this role on all nodes that should become member of the cluster.

Deploying this role is optional. If deployed, sets up the Hawk Web interface which lets you monitor the status of the cluster. The Web interface can be accessed via https://IP-ADDRESS:7630. The default hawk credentials are username hacluster, password crowbar.

The password is visible and editable in the Custom view of the Pacemaker barclamp, and also in the "corosync": section of the Raw view.

Note that the GUI on SUSE OpenStack Cloud can only be used to monitor the cluster status and not to change its configuration.

hawk-server may be deployed on at least one cluster node. It is recommended to deploy it on all cluster nodes.

Deploy this role on all nodes that should become members of the Compute Nodes cluster. They will run as Pacemaker remote nodes that are controlled by the cluster, but do not affect quorum. Instead of the complete cluster stack, only the pacemaker-remote component will be installed on this nodes.

Name of the default virtual host to be created and used by the RabbitMQ server (default_vhost configuration option in rabbitmq.config).

Port the RabbitMQ server listens on (tcp_listeners configuration option in rabbitmq.config).

RabbitMQ default user (default_user configuration option in rabbitmq.config).

Set the algorithm used by keystone to generate the tokens. You can choose between Fernet (the default) or UUID. Note that for performance and security reasons it is strongly recommended to use Fernet.

Allows customizing the region name that crowbar is going to manage.

Tenant for the users. Do not change the default value of openstack.

User name and password for the administrator.

Specify whether a regular user should be created automatically. Not recommended in most scenarios, especially in an LDAP environment.

User name and password for the regular user. Both the regular user and the administrator accounts can be used to log in to the SUSE OpenStack Cloud Dashboard. However, only the administrator can manage keystone users and access.

Figure 12.7: The keystone Barclamp #

 

When you use the default value HTTP, public communication will not be encrypted. Choose HTTPS to use SSL for encryption. See Section 2.3, “SSL Encryption” for background information and Section 11.4.6, “Enabling SSL” for installation instructions. The following additional configuration options will become available when choosing HTTPS:

Contains keystone credentials that the agents use to send metrics. Do not change these options, as they are configured by Crowbar.

Specifies whether SSL certificates are verified when communicating with keystone. If set to false, the ca_file option must be specified.

Specifies the location of a CA certificate that is used for verifying keystone's SSL certificate.

Path for storing log files. The specified path must exist. Do not change the default /var/log/monasca-agent path.

Agent's log level. Limits log messages to the specified level and above. The following levels are available: Error, Warning, Info (default), and Debug.

Interval in seconds between running agents' checks.

Number of simultaneous collector threads to run. This refers to the maximum number of different collector plug-ins (for example, http_check) that are allowed to run simultaneously. The default value 1 means that plug-ins are run sequentially.

If a problem with the results from multiple plug-ins results blocks the entire thread pool (as specified by the num_collector_threads parameter), the collector exits, so it can be restarted by the supervisord. The parameter pool_full_max_retries specifies when this event occurs. The collector exits when the defined number of consecutive collection cycles have ended with the thread pool completely full.

Upper limit in seconds for any collection plug-in's run time. A warning is logged if a plug-in runs longer than the specified limit.

Maximum number of measurements to buffer locally if the monasca API is unreachable. Measurements will be dropped in batches, if the API is still unreachable after the specified number of messages are buffered. The default -1 value indicates unlimited buffering. Note that a large buffer increases the agent's memory usage.

Maximum number of measurements to send when the local measurement buffer is flushed.

Number of extra dimensions to add to metrics sent to the monasca API. This option is intended for load testing purposes only. Do not enable the option in production! The default 0 value disables the addition of dimensions.

Maximum payload size in kilobytes for a request sent to the monasca log API.

Maximum number of log entries the log agent sends to the monasca log API in a single request. Reducing the number increases performance.

Time interval in seconds between sending logs to the monasca log API.

Interval in seconds for checking whether elapsed_time_sec has been reached.

keystone credentials the log agents use to send logs to the monasca log API. Do not change this option manually, as it is configured by Crowbar.

Interfaces monasca-api listens on. Do not change this option, as it is configured by Crowbar.

Number of processes to spawn.

Number of WSGI worker threads to spawn.

Log level for openstack-monasca-api. Limits log messages to the specified level and above. The following levels are available: Critical, Error, Warning, Info (default), Debug, and Trace.

List of directories for storing Elasticsearch snapshots. Must be created manually and be writeable by the elasticsearch user. Must contain at least one entry in order for the snapshot functionality to work.

Time threshold for deleting indices. Indices older the specified number of days are deleted. This parameter is unset by default, so indices are kept indefinitely.

Maximum size in megabytes of indices. Indices larger than the specified size are deleted. This parameter is unset by default, so indices are kept irrespective of their size.

List of indices to exclude from elasticsearch-curator runs. By default, only the .kibana files are excluded.

Number of hours for retaining log segments in Kafka's on-disk log. Messages older than the specified value are dropped.

Maximum size for Kafka's on-disk log in bytes. If the log grows beyond this size, the oldest log segments are dropped.

list of topics

The following are options of every topic:

Enable or disable email alarm notifications.

SMTP smarthost for sending alarm notifications.

Port for the SMTP smarthost.

User name for authenticating against the smarthost.

Password for authenticating against the smarthost.

Sender address for alarm notifications.

Number of days to keep metrics records in influxdb.

For an overview of all supported values, see https://docs.influxdata.com/influxdb/v1.1/query_language/database_management/#create-retention-policies-with-create-retention-policy.

The global switch for toggling libvirt monitoring. If set to true, libvirt metrics will be gathered on all libvirt based Compute Nodes. This setting is available in the Crowbar UI.

The global switch for toggling Ceph monitoring. If set to true, Ceph metrics will be gathered on all Ceph-based Compute Nodes. This setting is available in Crowbar UI. If the Ceph cluster has been set up independently, Crowbar ignores this setting.

The directory where monasca-agent will locally cache various metadata about locally running VMs on each Compute Node.

Specifies the list of instance metadata keys to be included as dimensions with customer metrics. This is useful for providing more information about an instance.

Specifies a minimum interval in seconds for collecting disk metrics. Increase this value to reduce I/O load. If the value is lower than the global agent collection period (check_frequency), it will be ignored in favor of the global collection period.

Specifies the number of ping command processes to run concurrently when determining whether the VM is reachable. This should be set to a value that allows the plugin to finish within the agent's collection period, even if there is a networking issue. For example, if the expected number of VMs per Compute Node is 40 and each VM has one IP address, then the plugin will take at least 40 seconds to do the ping checks in the worst-case scenario where all pings fail (assuming the default timeout of 1 second). Increasing max_ping_concurrency allows the plugin to finish faster.

Specifies the list of nova side instance metadata keys to be included as dimensions with the cross-tenant metrics for the monasca project. This is useful for providing more information about an instance.

Specifies the number of seconds between calls to the nova API to refresh the instance cache. This is helpful for updating VM hostname and pruning deleted instances from the cache. By default, it is set to 14,400 seconds (four hours). Set to 0 to refresh every time the Collector runs, or to None to disable regular refreshes entirely. In this case, the instance cache will only be refreshed when a new instance is detected.

Includes the entire ping command (without the IP address, which is automatically appended) to perform a ping check against instances. The NAMESPACE keyword is automatically replaced with the appropriate network namespace for the VM being monitored. Set to False to disable ping checks.

Specifies a minimum interval in seconds for collecting disk metrics. Increase this value to reduce I/O load. If the value is lower than the global agent collection period (check_frequency), it will be ignored in favor of the global collection period.

Toggles the collection of VM CPU metrics. Set to true to enable.

Toggles the collection of VM disk metrics. Set to true to enable.

Toggles the collection of extended disk metrics. Set to true to enable.

Toggles the collection of VM network metrics. Set to true to enable.

Toggles ping checks for checking whether a host is alive. Set to true to enable.

Specifies a period of time (in seconds) in which to suspend metrics from a newly-created VM. This is to prevent quickly-obsolete metrics in an environment with a high amount of instance churn (VMs created and destroyed in rapid succession). The default probation length is 300 seconds (5 minutes). Set to 0 to disable VM probation. In this case, metrics are recorded immediately after a VM is created.

Specifies a minimum interval in seconds for collecting VM network metrics. Increase this value to reduce I/O load. If the value is lower than the global agent collection period (check_frequency), it will be ignored in favor of the global collection period.

monasca server-side components that are deployed by Chef. Currently, this only creates keystone resources required by monasca, such as users, roles, endpoints, etc. The rest is left to the Ansible-based monasca-installer run by the monasca-master role.

Runs the Ansible-based monasca-installer from the Crowbar node. The installer deploys the monasca server-side components to the node that has the monasca-server role assigned to it. These components are openstack-monasca-api, and openstack-monasca-log-api, as well as all the back-end services they use.

Deploys openstack-monasca-agent that is responsible for sending metrics to monasca-api on nodes it is assigned to.

Deploys openstack-monasca-log-agent responsible for sending logs to monasca-log-api on nodes it is assigned to.

Set to true to enable public access to containers.

If set to true, a copy of the current version is archived each time an object is updated.

Number of zones (see above). If you do not have different independent installations of storage nodes, set the number of zones to 1.

Partition power. The number entered here is used to compute the number of logical partitions to be created in the cluster. The number you enter is used as a power of 2 (2^X).

We recommend using a minimum of 100 partitions per disk. To measure the partition power for your setup, multiply the number of disks from all swift nodes by 100, and then round up to the nearest power of two. Keep in mind that the first disk of each node is not used by swift, but rather for the operating system.

Example: 10 swift nodes with 5 hard disks each.  Four hard disks on each node are used for swift, so there is a total of forty disks. 40 x 100 = 4000. The nearest power of two, 4096, equals 2^12. So the partition power that needs to be entered is 12.

Important: Value Cannot be Changed After the Proposal Has Been Deployed

Changing the number of logical partition after swift has been deployed is not supported. Therefore the value for the partition power should be calculated from the maximum number of partitions this cloud installation is likely going to need at any point in time.

This option sets the number of hours before a logical partition is considered for relocation. 24 is the recommended value.

The number of copies generated for each object. The number of replicas depends on the number of disks and zones.

Time (in seconds) after which to start a new replication process.

Shows debugging output in the log files when set to true.

Choose whether to encrypt public communication (HTTPS) or not (HTTP). If you choose HTTPS, you have two options. You can either Generate (self-signed) certificates or provide the locations for the certificate key pair files. Using self-signed certificates is for testing purposes only and should never be used in production environments!

Provides an S3 compatible API on top of swift.

Serve container data as a static Web site with an index file and optional file listings. See http://docs.openstack.org/developer/swift/middleware.html#staticweb for details.

This middleware requires setting Allow Public Containers to true.

Create URLs to provide time-limited access to objects. See http://docs.openstack.org/developer/swift/middleware.html#tempurl for details.

Upload files to a container via Web form. See http://docs.openstack.org/developer/swift/middleware.html#formpost for details.

Extract TAR archives into a swift account, and delete multiple objects or containers with a single request. See http://docs.openstack.org/developer/swift/middleware.html#module-swift.common.middleware.bulk for details.

Interact with the swift API via Flash, Java, and Silverlight from an external network. See http://docs.openstack.org/developer/swift/middleware.html#module-swift.common.middleware.crossdomain for details.

Translates container and account parts of a domain to path parameters that the swift proxy server understands. Can be used to create short URLs that are easy to remember, for example by rewriting home.tux.example.com/$ROOT/tux/home/myfile to home.tux.example.com/myfile. See http://docs.openstack.org/developer/swift/middleware.html#module-swift.common.middleware.domain_remap for details.

Throttle resources such as requests per minute to provide denial of service protection. See http://docs.openstack.org/developer/swift/middleware.html#module-swift.common.middleware.ratelimit for details.

The virtual object storage service. Install this role on all dedicated swift Storage Nodes (at least two), but not on any other node.

Warning: swift-storage Needs Dedicated Machines

Never install the swift-storage service on a node that runs other OpenStack components.

The ring maintains the information about the location of objects, replicas, and devices. It can be compared to an index that is used by various OpenStack components to look up the physical location of objects. swift-ring-compute must only be installed on a single node, preferably a Control Node.

The swift proxy server takes care of routing requests to swift. Installing a single instance of swift-proxy on a Control Node is recommended. The swift-proxy role can be made highly available by deploying it on a cluster.

Deploying swift-dispersion is optional. The swift dispersion tools can be used to test the health of the cluster. It creates a heap of dummy objects (using 1% of the total space available). The state of these objects can be queried using the swift-dispersion-report query. swift-dispersion needs to be installed on a Control Node.

File.  Images are stored in an image file on the Control Node.

cinder.  Provides volume block storage to SUSE OpenStack Cloud Crowbar. Use it to store images.

swift.  Provides an object storage service to SUSE OpenStack Cloud Crowbar.

Rados.  SUSE Enterprise Storage (based on Ceph) provides block storage service to SUSE OpenStack Cloud Crowbar.

VMware.  If you are using VMware as a hypervisor, it is recommended to use VMware for storing images. This will make starting VMware instances much faster.

Expose Backend Store Location.  If this is set to true, the API will communicate the direct URl of the image's back-end location to HTTP clients. Set to false by default.

Depending on the storage back-end, there are additional configuration options available:

Only required if Default Storage Store is set to File.

Only required if Default Storage Store is set to swift.

Only required if Default Storage Store is set to Rados.

Only required if Default Storage Store is set to VMware.

Choose whether to encrypt public communication (HTTPS) or not (HTTP). If you choose HTTPS, refer to SSL Support: Protocol for configuration details.

Enable and configure image caching in this section. By default, image caching is disabled. You can see this the Raw view of your nova barclamp:

image_cache_manager_interval = -1

This option sets the number of seconds to wait between runs of the image cache manager. Disabling it means that the cache manager will not automatically remove the unused images from the cache, so if you have many glance images and are running out of storage you must manually remove the unused images from the cache. We recommend leaving this option disabled as it is known to cause issues, especially with shared storage. The cache manager may remove images still in use, e.g. when network outages cause synchronization problems with compute nodes.

If you wish to enable caching, re-enable it in a custom nova configuration file, for example /etc/nova/nova.conf.d/500-nova.conf. This sets the interval to four minutes:

image_cache_manager_interval = 2400

See Chapter 14, Configuration Files for OpenStack Services for more information on custom configurations.

Learn more about glance's caching feature at http://docs.openstack.org/developer/glance/cache.html.

Shows debugging output in the log files when set to true.

Choose whether to use the First Available disk or All Available disks. “Available disks” are all disks currently not used by the system. Note that one disk (usually /dev/sda) of every block storage node is already used for the operating system and is not available for cinder.

Specify a name for the cinder volume.

IP address and Port of the ECOM server.

Login credentials for the ECOM server.

VMAX port groups that expose volumes managed by this back-end.

Unique VMAX array serial number.

Unique pool name within a given array.

Name of the FAST Policy to be used. When specified, volumes managed by this back-end are managed as under FAST control.

Select the protocol used to connect, either FibreChannel or iSCSI.

IP address and port of the ETERNUS SMI-S Server.

Login credentials for the ETERNUS SMI-S Server.

Storage pool (RAID group) in which the volumes are created. Make sure that the RAID group on the server has already been created. If a RAID group that does not exist is specified, the RAID group is built from unused disk drives. The RAID level is automatically determined by the ETERNUS DX Disk storage system.

SUSE OpenStack Cloud can use “Data ONTAP” in 7-Mode, or in Clustered Mode. In 7-Mode vFiler will be configured, in Clustered Mode vServer will be configured. The Storage Protocol can be set to either iSCSI or NFS. Choose the driver and the protocol your NetApp is licensed for.

The management IP address for the 7-Mode storage controller, or the cluster management IP address for the clustered Data ONTAP.

Transport protocol for communicating with the storage controller or clustered Data ONTAP. Supported protocols are HTTP and HTTPS. Choose the protocol your NetApp is licensed for.

The port to use for communication. Port 80 is usually used for HTTP, 443 for HTTPS.

Login credentials.

The vFiler unit to be used for provisioning of OpenStack volumes. This setting is only available in 7-Mode.

Provide a list of comma-separated volume names to be used for provisioning. This setting is only available when using iSCSI as storage protocol.

A list of available file systems on an NFS server. Enter your NFS mountpoints in the List of NFS Exports form in this format: host:mountpoint -o options. For example:

host1:/srv/nfs/share1 /mnt/nfs/share1 -o rsize=8192,wsize=8192,timeo=14,intr

IP address of the FlashArray management VIP

API token for access to the FlashArray

Enable or disable iSCSI CHAP authentication

Select false, if you are using an external Ceph cluster (see Section 11.4.4, “Using an Externally Managed Ceph Cluster” for setup instructions).

Name of the pool used to store the cinder volumes.

Ceph user name.

Host name or IP address of the vCenter server.

vCenter login credentials.

Provide a comma-separated list of cluster names.

Path to the directory used to store the cinder volumes.

Absolute path to the vCenter CA certificate.

Default value: false (the CA truststore is used for verification). Set this option to true when using self-signed certificates to disable certificate checks. This setting is for testing purposes only and must not be used in production environments!

Absolute path to the file to be used for block storage.

Maximum size of the volume file. Make sure not to overcommit the size, since it will result in data loss.

Specify a name for the cinder volume.

The cinder controller provides the scheduler and the API. Installing cinder-controller on a Control Node is recommended.

The virtual block storage service. It can be installed on a Control Node. However, we recommend deploying it on one or more dedicated nodes supplied with sufficient networking capacity to handle the increase in network traffic.

Select which mechanism driver(s) shall be enabled for the ml2 plugin. It is possible to select more than one driver by holding the Ctrl key while clicking. Choices are:

openvswitch.  Supports GRE, VLAN and VXLAN networks (to be configured via the Modular Layer 2 type drivers setting). VXLAN is the default.

linuxbridge.  Supports VLANs only. Requires to specify the Maximum Number of VLANs.

cisco_nexus.  Enables neutron to dynamically adjust the VLAN settings of the ports of an existing Cisco Nexus switch when instances are launched. It also requires openvswitch which will automatically be selected. With Modular Layer 2 type drivers, vlan must be added. This option also requires to specify the Cisco Switch Credentials. See Appendix A, Using Cisco Nexus Switches with neutron for details.

vmware_dvs.  vmware_dvs driver makes it possible to use neutron for networking in a VMware-based environment. Choosing vmware_dvs, automatically selects the required openswitch, vxlan, and vlan drivers. In the Raw view, it is also possible to configure two additional attributes: clean_on_start (clean up the DVS portgroups on the target vCenter Servers when neutron-server is restarted) and precreate_networks (create DVS portgroups corresponding to networks in advance, rather than when virtual machines are attached to these networks).

With the default setup, all intra-Compute Node traffic flows through the network Control Node. The same is true for all traffic from floating IPs. In large deployments the network Control Node can therefore quickly become a bottleneck. When this option is set to true, network agents will be installed on all compute nodes. This will de-centralize the network traffic, since Compute Nodes will be able to directly “talk” to each other. Distributed Virtual Routers (DVR) require the openvswitch driver and will not work with the linuxbridge driver. For details on DVR refer to https://wiki.openstack.org/wiki/Neutron/DVR.

This option is only available when having chosen the openvswitch or the cisco_nexus mechanism drivers. Options are vlan, gre and vxlan. It is possible to select more than one driver by holding the Ctrl key while clicking.

When multiple type drivers are enabled, you need to select the Default Type Driver for Provider Network, that will be used for newly created provider networks. This also includes the nova_fixed network, that will be created when applying the neutron proposal. When manually creating provider networks with the neutron command, the default can be overwritten with the --provider:network_type type switch. You will also need to set a Default Type Driver for Tenant Network. It is not possible to change this default when manually creating tenant networks with the neutron command. The non-default type driver will only be used as a fallback.

Depending on your choice of the type driver, more configuration options become available.

gre.  Having chosen gre, you also need to specify the start and end of the tunnel ID range.

vlan.  The option vlan requires you to specify the Maximum number of VLANs.

vxlan.  Having chosen vxlan, you also need to specify the start and end of the VNI range.

Host name or IP address of the xCAT Management Node.

xCAT login credentials.

List of rdev addresses that should be connected to this vswitch.

IP address of the xCAT management interface.

Net mask of the xCAT management interface.

Login credentials for the VMware NSX server. The user needs to have administrator permissions on the NSX server.

Enter the IP address and the port number (IP-ADDRESS:PORT) of the controller API endpoint. If the port number is omitted, port 443 will be used. You may also enter multiple API endpoints (comma-separated), provided they all belong to the same controller cluster. When multiple API endpoints are specified, the plugin will load balance requests on the various API endpoints.

The UUIDs for the transport zone and the gateway service can be obtained from the NSX server. They will be used when networks are created.

neutron-server provides the scheduler and the API. It needs to be installed on a Control Node.

This service runs the various agents that manage the network traffic of all the cloud instances. It acts as the DHCP and DNS server and as a gateway for all cloud instances. It is recommend to deploy this role on a dedicated node supplied with sufficient network capacity.

Set the “overcommit ratio” for RAM for instances on the Compute Nodes. A ratio of 1.0 means no overcommitment. Changing this value is not recommended.

Set the “overcommit ratio” for CPUs for instances on the Compute Nodes. A ratio of 1.0 means no overcommitment.

Set the “overcommit ratio” for virtual disks for instances on the Compute Nodes. A ratio of 1.0 means no overcommitment.

Amount of reserved host memory that is not used for allocating VMs by nova-compute.

Allows to move KVM instances to a different Compute Node running the same hypervisor (cross hypervisor migrations are not supported). Useful when a Compute Node needs to be shut down or rebooted for maintenance or when the load of the Compute Node is very high. Instances can be moved while running (Live Migration).

Warning: Libvirt Migration and Security

Enabling the libvirt migration option will open a TCP port on the Compute Nodes that allows access to all instances from all machines in the admin network. Ensure that only authorized machines have access to the admin network when enabling this option.

Tip: Specifying Network for Live Migration

It is possible to change a network to live migrate images. This is done in the raw view of the nova barclamp. In the migration section, change the network attribute to the appropriate value (for example, storage for Ceph).

Kernel SamePage Merging (KSM) is a Linux Kernel feature which merges identical memory pages from multiple running processes into one memory region. Enabling it optimizes memory usage on the Compute Nodes when using the KVM hypervisor at the cost of slightly increasing CPU usage.

Choose whether to encrypt public communication (HTTPS) or not (HTTP). If choosing HTTPS,refer to SSL Support: Protocol for configuration details.

After having started an instance you can display its VNC console in the OpenStack Dashboard (horizon) via the browser using the noVNC implementation. By default this connection is not encrypted and can potentially be eavesdropped.

Enable encrypted communication for noVNC by choosing HTTPS and providing the locations for the certificate key pair files.

Shows debugging output in the log files when set to true.

Distributing and scheduling the instances is managed by the nova-controller. It also provides networking and messaging services. nova-controller needs to be installed on a Control Node.

Provides the hypervisors (KVM, QEMU, VMware vSphere, and z/VM) and tools needed to manage the instances. Only one hypervisor can be deployed on a single compute node. To use different hypervisors in your cloud, deploy different hypervisors to different Compute Nodes. A nova-compute-* role needs to be installed on every Compute Node. However, not all hypervisors need to be deployed.

Each image that will be made available in SUSE OpenStack Cloud to start an instance is bound to a hypervisor. Each hypervisor can be deployed on multiple Compute Nodes (except for the VMware vSphere role, see below). In a multi-hypervisor deployment you should make sure to deploy the nova-compute-* roles in a way, that enough compute power is available for each hypervisor.

Note: Re-assigning Hypervisors

Existing nova-compute-* nodes can be changed in a production SUSE OpenStack Cloud without service interruption. You need to “evacuate” the node, re-assign a new nova-compute role via the nova barclamp and Apply the change. nova-compute-vmware can only be deployed on a single node.

Timeout (in minutes) after which a user is been logged out automatically. The default value is set to four hours (240 minutes).

Note: Timeouts Larger than Four Hours

Every horizon session requires a valid keystone token. These tokens also have a lifetime of four hours (14400 seconds). Setting the horizon session timeout to a value larger than 240 will therefore have no effect, and you will receive a warning when applying the barclamp.

To successfully apply a timeout larger than four hours, you first need to adjust the keystone token expiration accordingly. To do so, open the keystone barclamp in Raw mode and adjust the value of the key token_expiration. Note that the value has to be provided in seconds. When the change is successfully applied, you can adjust the horizon session timeout (in minutes). Note that extending the keystone token expiration may cause scalability issues in large and very busy SUSE OpenStack Cloud installations.

Specify a regular expression with which to check the password. The default expression (.{8,}) tests for a minimum length of 8 characters. The string you enter is interpreted as a Python regular expression (see http://docs.python.org/2.7/library/re.html#module-re for a reference).

Error message that will be displayed in case the password validation fails.

Choose whether to encrypt public communication (HTTPS) or not (HTTP). If choosing HTTPS, you have two choices. You can either Generate (self-signed) certificates or provide the locations for the certificate key pair files and,—optionally— the certificate chain file. Using self-signed certificates is for testing purposes only and should never be used in production environments!

Shows debugging output in the log files when set to true.

Choose whether to encrypt public communication (HTTPS) or not (HTTP). If choosing HTTPS, refer to SSL Support: Protocol for configuration details.

Specify intervals in seconds after which ceilometer performs updates of specified meters.

Specify how long to keep the metering data. -1 means that samples are kept in the database forever.

Specify how long to keep the event data. -1 means that samples are kept in the database forever.

The notification agent.

The polling agent listens to the message bus to collect data. It needs to be deployed on a Control Node. It can be deployed on the same node as ceilometer-server.

The compute agents collect data from the compute nodes. They need to be deployed on all KVM compute nodes in your cloud (other hypervisors are currently not supported).

An agent collecting data from the swift nodes. This role needs to be deployed on the same node as swift-proxy.

Provide the name of the Enterprise Virtual Server that the selected back-end is assigned to.

IP address for mounting shares.

Provide a file-system name for creating shares.

IP address of the HNAS management interface for communication between manila controller and HNAS.

HNAS username Base64 String required to perform tasks like creating file-systems and network interfaces.

HNAS user password. Required only if private key is not provided.

RSA/DSA private key necessary for connecting to HNAS. Required only if password is not provided.

Time in seconds to wait before aborting stalled HNAS jobs.

Host name of the Virtual Storage Server.

The name or IP address for the storage controller or the cluster.

The port to use for communication. Port 80 is usually used for HTTP, 443 for HTTPS.

Login credentials.

Transport protocol for communicating with the storage controller or cluster. Supported protocols are HTTP and HTTPS. Choose the protocol your NetApp is licensed for.

Set to true to use Ceph deployed with Crowbar.

The manila server provides the scheduler and the API. Installing it on a Control Node is recommended.

The shared storage service. It can be installed on a Control Node, but it is recommended to deploy it on one or more dedicated nodes supplied with sufficient disk space and networking capacity, since it will generate a lot of network traffic.

Credentials for a regular user. If the user does not exist, it will be created.

Tenant to be used by Tempest. If it does not exist, it will be created. It is safe to stick with the default value.

Credentials for an admin user. If the user does not exist, it will be created.

Deploying Kubernetes clusters in a cloud without an Internet connection requires the registry_enabled option in its cluster template set to true. To make this offline scenario work, you also need to set the Delegate trust to cluster users if required option to true. This restores the old, insecure behavior for clusters with the registry-enabled or volume_driver=Rexray options enabled.

Domain name to use for creating trustee for bays.

Increases the amount of information that is written to the log files when set to true.

Shows debugging output in the log files when set to true.

To store certificates, either use the barbican OpenStack service, a local directory (Local), or the Magnum Database (x590keypair).

Note: barbican As Certificate Manager

If you choose to use barbican for managing certificates, make sure that the barbican barclamp is enabled.

With the default value HTTP, public communication will not be encrypted. Choose HTTPS to use SSL for encryption. See Section 2.3, “SSL Encryption” for background information and Section 11.4.6, “Enabling SSL” for installation instructions. The following additional configuration options will become available when choosing HTTPS:

Set to true to increase the amount of information written to the log files.

Amphorae are the individual virtual machines, containers, or bare metal servers that accomplish the delivery of load balancing services to tenant application environments.

The controller is the brains of Octavia. It consists of five sub-components as individual daemons. They can be run on separate back-end infrastructure.

Octavia cannot accomplish what it does without manipulating the network environment. Amphorae are spun up with a network interface on the load balancer network. They can also plug directly into tenant networks to reach back-end pool members, depending on how any given load balancing service is deployed by the tenant.

The Octavia API.

Octavia worker, health-manager and house-keeping.

Set Use SES Configuration to true under RADOS Store Parameters. The glance barclamp pulls the uploaded SES configuration from Crowbar when applying the glance proposal and on chef-client runs. If the SES configuration is uploaded before the glance proposal is created, Use SES Configuration is enabled automatically upon proposal creation.

Create a new RADOS backend and set Use SES Configuration to true. The cinder barclamp pulls the uploaded SES configuration from Crowbar when applying the cinder proposal and on chef-client runs. If the SES configuration was uploaded before the cinder proposal was created, a ses-ceph RADOS backend is created automatically on proposal creation with Use SES Configuration already enabled.

To connect with volumes stores in SES, nova uses the configuration from the cinder barclamp. For ephemeral storage, nova re-uses the rbd_store_user and key from cinder but has a separate rbd_store_pool defined in the SES configuration. Ephemeral storage on SES can be enabled or disabled by setting Use Ceph RBD Ephemeral Backend in nova proposal. In new deployments it is enabled by default. In existing ones it is disabled for compatibility reasons.

Exports a YAML file which describes existing proposals and how their parameters deviate from the default proposal values for that barclamp.

Imports a YAML file in the same format as above. Uses it to build new proposals if they do not yet exist. Updates the existing proposals so that their parameters match those given in the YAML file.