Over the past month, I have been working with TripleO-Quickstart (OOOQ) and TripleO-Quickstart-Extras (OOOQ-E) to automate the deployment of a FreeIPA server and enable TLS Everywhere. There are three reviews on review.openstack.org that comprise the majority of my work. All of this is coming to a head after many, many months of work from my teammates Ozz, Rob, and Ade, who did all the leg work in the relevant libraries and communities. Without their effort and headaches, this wouldn't be possible.
Automating this process is a big deal: once it is streamlined, it will allow the security and compliance coverage throughout OpenStack CI to be greatly expanded. Needless to say, I am pretty excited to be working on this topic. Without any further ado, here is the present workflow to conduct a deployment. Two machines are needed:
- One machine is set up as the controller from which you will call OOOQ to conduct the deployment. I am deploying from a ThinkPad T450S running Fedora 24.
- One machine, referred to as the virthost, with one quad-core CPU, 24 GB of memory, and 160 GB of free disk space. Running with fewer resources is possible but untested, and will likely result in errors that are difficult to diagnose.
Preparing our environment to deploy:
The first thing we need to do is clone the OOOQ and OOOQ-E repositories; the commands below assume both clones live under ~/git.
Next we have to fetch the two reviews containing the code that hasn't been merged yet, each from inside the corresponding clone:
git fetch https://git.openstack.org/openstack/tripleo-quickstart refs/changes/23/453223/17 && git checkout FETCH_HEAD
git fetch https://git.openstack.org/openstack/tripleo-quickstart-extras refs/changes/98/436198/18 && git checkout FETCH_HEAD
To ensure that we use our local version of OOOQ-E, we must modify tripleo-quickstart/quickstart-extras-requirements.txt so that it points at the clone on our file system:
sed -i -e 's/.*#/file:\/\/\/~\/git\/tripleo-quickstart-extras\/#/' quickstart-extras-requirements.txt
Now, let's go ahead and create a separate working directory (referred to as $WORKING_DIR below) to house our deployment data and artifacts, and to keep our modified repos clean in the process:
cp -rf ~/git/tripleo-quickstart $WORKING_DIR
At this point we are ready to deploy. The only thing left to do is ensure that we can SSH into our virthost from the controller as root, which is a requirement for Ansible.
export VIRTHOST=<your virthost's IP or FQDN>
bash quickstart.sh \
--playbook quickstart-extras.yml \
--working-dir $WORKING_DIR \
--release master \
--config $WORKING_DIR/config/general_config/ipa.yml \
--nodes $WORKING_DIR/config/nodes/1ctlr_1comp_1supp.yml \
--tags "all"
After calling quickstart.sh, you will see OOOQ take over and begin installing all the necessary libraries for the deployment. After completing its environment preparation, it calls the Ansible playbook quickstart-extras.yml. Pay close attention to the two config files we are explicitly passing, ipa.yml and 1ctlr_1comp_1supp.yml. They specify how OOOQ deploys a single compute, control, and supplemental node (the latter housing the FreeIPA server), and set all of the flags needed for the FreeIPA server and for enabling TLS Everywhere.
The deployment itself should take around two hours to complete. Fetching the CentOS image, provisioning the supplemental node, and deploying the FreeIPA server itself add some time, but the majority of the deployment time still goes to installing the undercloud and deploying the overcloud.
After the deployment has completed, you have full access to the undercloud:
ssh -F $WORKING_DIR/ssh.config.ansible undercloud
as well as the supplemental node which is running the FreeIPA server:
ssh -F $WORKING_DIR/ssh.config.ansible supplemental
Please note that a log of the FreeIPA server deployment can be found on the supplemental node at ~/deploy_freeipa.log. The IPA server admin password can be found either in the Ansible logs (look for freeipa_admin_password) or in the deployment script ~/deploy_freeipa.sh (look for CA_ADMIN_PASSWORD).
Once the reviews have merged, this process will become much simpler. In the meantime, I have created a simple bash script which automates all of the above steps, requiring only a single parameter, the virthost:
chmod +x ./6cf1e6bc32085dd358365f44267f7188/run_oooq_with_ipa.sh
./6cf1e6bc32085dd358365f44267f7188/run_oooq_with_ipa.sh <your virthost's IP or FQDN>
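The gist script itself is not reproduced in the post. The following is an added example, not the author's run_oooq_with_ipa.sh, that chains the steps above into one script taking the virthost as its only argument; it assumes both repos are cloned under ~/git, that quickstart.sh is run from the copied working directory, and uses ~/oooq-ipa as WORKING_DIR when none is set.

```shell
#!/bin/sh
# Added example, not the author's run_oooq_with_ipa.sh: chains the steps above
# into one script whose only argument is the virthost. Assumes both repos are
# cloned under ~/git (override with GIT_DIR); WORKING_DIR defaults to ~/oooq-ipa.
set -eu

GIT_DIR="${GIT_DIR:-$HOME/git}"
WORKING_DIR="${WORKING_DIR:-$HOME/oooq-ipa}"
UPSTREAM=https://git.openstack.org/openstack

# Check out an unmerged Gerrit change (ref as quoted in the post) in a local clone.
fetch_review() {            # $1 = repo name, $2 = change ref
    git -C "$GIT_DIR/$1" fetch "$UPSTREAM/$1" "$2"
    git -C "$GIT_DIR/$1" checkout FETCH_HEAD
}

# Rewrite the extras requirement so pip installs the local checkout instead of
# the upstream URL. Filters stdin to stdout (the post's sed) so it can be checked
# offline; pass an absolute path rather than ~, which a file:// URL does not expand.
point_extras_at_local() {   # $1 = absolute path of the extras clone
    sed -e "s|.*#|file://$1/#|"
}

# Ansible needs prompt-free root SSH to the virthost; fail early if it is missing.
check_root_ssh() {          # $1 = virthost
    ssh -o BatchMode=yes -o ConnectTimeout=10 "root@$1" true
}

deploy_with_ipa() {         # $1 = virthost
    check_root_ssh "$1"
    fetch_review tripleo-quickstart refs/changes/23/453223/17
    fetch_review tripleo-quickstart-extras refs/changes/98/436198/18
    req="$GIT_DIR/tripleo-quickstart/quickstart-extras-requirements.txt"
    point_extras_at_local "$GIT_DIR/tripleo-quickstart-extras" < "$req" > "$req.new"
    mv "$req.new" "$req"
    mkdir -p "$WORKING_DIR"
    cp -rf "$GIT_DIR/tripleo-quickstart/." "$WORKING_DIR"
    export VIRTHOST="$1"
    cd "$WORKING_DIR"       # run from the copy so its requirements file is used
    bash quickstart.sh --playbook quickstart-extras.yml --working-dir "$WORKING_DIR" \
        --release master --config "$WORKING_DIR/config/general_config/ipa.yml" \
        --nodes "$WORKING_DIR/config/nodes/1ctlr_1comp_1supp.yml" --tags all
}

# Deploy only when a virthost is given; with no arguments the file just defines
# functions, which keeps it safe to test without touching any host.
if [ "$#" -ge 1 ]; then deploy_with_ipa "$1"; fi
```

Invoke it as `./deploy_with_ipa.sh <virthost>`; the root SSH check runs before any repository or host is modified.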
 – http://jaormx.github.io/