
TripleO/TripleOCloud

Revision as of 18:51, 6 October 2013 by Lifeless (Undercloud)

Draft

These are draft docs about an experiment we're considering! They describe an intent, not reality.

Overview

TripleO developers run a production-ready cloud as part of ensuring they are delivering something usable. We treat this as a production CD environment: the Kanban for the folk working on it is at https://trello.com/b/0jIoMrdo/tripleo and https://trello.com/tripleo. We iterate and evolve in response to OpenStack as a whole, while improving the deployment mechanisms and code. Note: Trello is just -a- kanban to store the operational status: an arbitrary choice to let us experiment with the setup, and subject to change if this works.

tripleo-cd-admins team

Direct access to the hardware needs to be kept to a balanced team: too few and they become a bottleneck, too many and it becomes a security / reliability concern. Any TripleO ATC can apply to be a member, and existing members will vote, with the PTL having a veto (but not an override). The tripleo-cd-admins team will be the determining factor for all access that is equivalent to 'run arbitrary code outside of kvm/Xen'; having this set be decoupled and manually reviewed is part of the security policy on the machines: we can't trivially change it - the machines were provisioned with the expectation of non-HP staff administering them, but those staff are expected to be known quantities.

The current list of members is maintained in the incubator tree [1]. Any TripleO ATC can request access by submitting a review adding themselves, but access won't take effect immediately as nova keypairs are not synced out automatically. Only existing tripleo-cd-admins should approve changes to the tripleo-cd-admins list.

Access rules

We expect http://ci.openstack.org/sysadmin.html#ssh-access to be followed - this is a production, operational environment.

Seed VM host

The seed VM host is a manually installed machine, reachable over ssh. Until we've done an audit for prior data, access to the machine is restricted to HP employees who are TripleO ATCs. (It's also got some weird networking shit, avoid it!)

Seed

The seed is a VM provisioned via boot-seed-vm on the Seed VM host, reachable over ssh from other machines in the cloud. Access is available to any tripleo-cd-admins member.

Undercloud

The API endpoint for the undercloud that deploys the cloud is: https://cd-undercloud.tripleo.org:13000/v2.0. SSH credentials are available from Robert Collins (and are limited to tripleo-cd-admins).

API Access

API access to the Undercloud is available to tripleo-cd-admins, as API access permits deploying arbitrary code to the physical machines. Credentials are set up when joining tripleo-cd-admins, and removed when leaving the team.

The undercloud can deploy machines to the range 10.10.16.171 - 10.10.16.188 today (limited due to hardware availability).

Updates to software

We can't deploy the undercloud automatically yet, so it's basically static.

To update e.g. nova:

    cd /opt/stack/nova
    git review -d <somereviewwitheverythingwewantinit>
    /opt/stack/venvs/nova/bin/pip install .
    os-collect-config --one --force

Hardware configuration

The machines have 24 cores, 96G of RAM and 2x2TB hard disks with a hardware RAID controller. There is a 10G Mellanox dual-port card as well, which shows up as eth2 - this is the only wired-up network port. As far as we can tell the BIOS defaults to not enabling/net-booting the 10G card, so it needs to be both enabled (via pci devices) and have net boot turned on for it in the system BIOS setup.

Current ad hoc variance in the undercloud

Overcloud

The overcloud is deployed per commit, and open access is available to any TripleO ATC: they may use the cloud as desired - having users on the cloud helps validate that the cloud is usable! File all bugs on the tripleo bug tracker. Access may also be granted to non-(TripleO ATCs) at the TripleO PTL's discretion.

API Access

Contact anyone in tripleo-cd-admins for API credentials to the overcloud.

SSH Access

This is granted via membership in tripleo-cd-admins, as bare metal access permits running anything at all in that environment. The technical implementation is that SSH keys are provisioned via the 'admin/default' key-pair in the undercloud (which is manually synced with tripleo-cd-admins).
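
Because the deployed key-pair is synced by hand with tripleo-cd-admins, and approved list changes do not take effect immediately, the deployed keys can drift from the reviewed list. The following Python script is an added example, not part of the original page or of TripleO's code, that reports that drift. It assumes both the reviewed key list and the deployed keys are available as authorized_keys-style text; all function names, member names and keys are constructed for illustration.

```python
import base64
import hashlib

def parse_key(line):
    """Return (blob, comment) for one authorized_keys line, or None."""
    fields = line.split()
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        # A real key blob begins with its own length-prefixed type name.
        size = int.from_bytes(blob[:4], "big")
        if blob[4:4 + size] == fields[i].encode():
            return blob, " ".join(fields[i + 2:])
    return None

def fingerprints(text):
    """Map OpenSSH-style SHA256 fingerprint -> comment for each key in text."""
    result = {}
    for line in text.splitlines():
        parsed = None if line.lstrip().startswith("#") else parse_key(line)
        if parsed:
            digest = base64.b64encode(hashlib.sha256(parsed[0]).digest())
            result["SHA256:" + digest.decode().rstrip("=")] = parsed[1]
    return result

def drift(team_keys, deployed_keys):
    """Compare by key material, so comments and options cannot hide a key."""
    team, deployed = fingerprints(team_keys), fingerprints(deployed_keys)
    return {
        "stale": sorted(deployed[f] for f in deployed.keys() - team.keys()),
        "pending": sorted(team[f] for f in team.keys() - deployed.keys()),
    }

def sample_key(name):
    """Constructed, non-functional ed25519-shaped public key (demo data only)."""
    blob = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big")
    blob += hashlib.sha256(name.encode()).digest()
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed sample (assumed input format): carol newly approved, dave has left.
TEAM = "\n".join(sample_key(n) + " " + n for n in ("alice", "bob", "carol"))
DEPLOYED = "\n".join([
    sample_key("alice") + " alice",
    "no-agent-forwarding " + sample_key("bob") + " bob-laptop",
    "# " + sample_key("erin") + " erin",
    sample_key("dave") + " dave",
])
print(drift(TEAM, DEPLOYED))
```

"stale" lists keys that still grant bare metal access without a matching team entry; "pending" lists approved members whose keys have not been synced out yet.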