author: Vincent S. Cojot <vcojot@redhat.com> 2017-04-20 18:45:37 -0400
committer: Vincent S. Cojot <vcojot@redhat.com> 2017-04-20 18:45:37 -0400
commit: 282d54002331cc68192e218c4ad7a95973be4a8d (patch)
tree: 102fc20d73944219c5c0df0203353899d8f993e1
parent: 41443a0289f8576bceb8d876f9d388398d3900a2 (diff)
Updates
-rw-r--r-- files/SevoneOSPprereqs_MOPV_1.10.txt 305
1 files changed, 305 insertions, 0 deletions
diff --git a/files/SevoneOSPprereqs_MOPV_1.10.txt b/files/SevoneOSPprereqs_MOPV_1.10.txt
new file mode 100644
index 0000000..77a324e
--- /dev/null
+++ b/files/SevoneOSPprereqs_MOPV_1.10.txt
@@ -0,0 +1,305 @@
+===========================
+Sevone Manual Configuration
+===========================
+
+These are the post installation steps to configure an OpenStack deployment for Sevone.
+This includes creating the Sevone linux accounts, readonly role and policy, ssh keys,
+sudoers, SNMP, and logging configurations. All steps will be run as the stack user on
+the OSP director box with the overcloudrc sourced.
+
+
+=============
+Foreword
+=============
+
+In v1.10 of this document, all of the commands related to the overcloud nodes have now
+been integrated into the templates (WCNEC1 was the first site to receive the updated
+templates). There are no actions left to be manually performed on the overcloud nodes.
+There are also no verifications left to perform on the overcloud nodes since the tooling
+associated with the templates has already been Q/A’ed. If issues/modifications are
+needed, they will need to be taken to the team for writing/integrating into the
+templates. The only actions left are performed on the undercloud since these cannot be
+integrated into OSP-Director.
+
+=============
+Verification of templates level
+=============
+
+To verify that your version of the templates include the Sevone pre-requisities payload,
+please perform the following on the undercloud:
+
+[stack@ospdirector ~]$ grep -A6 Snmp templates/network-environment.yaml
+
+ Expect the following output:
+
+$ grep -A6 Snmp templates/network-environment.yaml
+ SnmpTrapTarget1: '192.168.70.83'
+ SnmpTrapTarget2: '192.168.78.83'
+ SnmpRoUser: 'sev1snmpuser'
+ SnmpRoUserPassword: 'Mua12345'
+ # Rsyslog parameters (Used in /etc/rsyslog.d/client.conf)
+ SyslogTarget1: '192.168.70.83'
+ SyslogTarget2: '192.168.78.83'
+
+ #InternalApiNetCidr: 'fd00:4888:2000:f002::/64'
+ InternalApiNetCidr: 192.168.1.0/24
+
+
+
+If the keywords SnmpTrapTarget1, SnmpTrapTarget2, SnmpRoUser, SnmpRoUserPassword,
+SyslogTarget1 and SyslogTarget2 are not all present, then it means your version of the
+templates does -NOT- include the Sevone pre-requisites. Please STOP reading this document NOW
+and obtain the latest version before continuing!!!!
+
+=============
+User creation
+=============
+
+In this section you will create the Sevone linux user on the controller nodes and the OSP director.
+
+Create the Sevone linux user on the OSP director
+
+
+[stack@ospdirector ~]$ sudo groupadd --gid 6005 sevone
+[stack@ospdirector ~]$ sudo useradd --uid 6005 --gid sevone sevone
+[stack@ospdirector ~]$ id sevone
+
+Openstack role creation
+
+In this section you will create the readonly role for the overcloud
+
+[stack@ospdirector ~]$ openstack role create readonly
+
+=============
+Policy Extraction
+=============
+
+In this section you will create the policy directory structure under the stack user, create the policy.json files for
+the OpenStack services, and upload them to the controller nodes. You will be supplied a policydir_osp10_v1.XY.tar.gz
+file with this documentation. This file should be placed in the /home/stack home directory. This file will typically
+be named with digits in place of XY, eg: policydir_osp10_v1.04.tar.gz
+
+ I. Untar policydir_osp10_v1.04.tar.gz
+
+[stack@ospdirector ~]$ tar -xzvf /home/stack/policydir_osp10_v1.04.tar.gz
+
+==============
+Setup ssh keys
+==============
+
+In this section you will distribute the ssh public keys to the Sevone accounts on the controllers and OSP director. If an ssh key is not provided by your team, see instructions in Appendix B for generating one.
+
+ I. Create the public key file. The utility ssh-keygen can be used to generate a new key or you can provide your own.
+
+[stack@ospdirector ~]$ cat << EOF > ~/id_rsa.pub
+ssh-rsa
+<Insert the content of your generated key here> root@SevOne
+EOF
+
+ II. Distribute the ssh keys to the controllers
+
+[stack@ospdirector ~]$ for i in $(nova host-list | \
+awk '/consoleauth/ {split($2,a,"."); print a[1]}') ; \
+do echo $i ; cat id_rsa.pub | \
+ssh heat-admin@$i "sudo sh -c 'cat >> /home/sevone/.ssh/authorized_keys'" ; done
+
+[stack@ospdirector ~]$ for i in $(nova host-list | \
+awk '/consoleauth/ {split($2,a,"."); print a[1]}') ; \
+do echo $i ; \
+ssh heat-admin@$i sudo chown sevone:sevone /home/sevone/.ssh/authorized_keys ; done
+
+[stack@ospdirector ~]$ for i in $(nova host-list | \
+awk '/consoleauth/ {split($2,a,"."); print a[1]}') ; \
+do echo $i ; \
+ssh heat-admin@$i sudo chmod 600 /home/sevone/.ssh/authorized_keys ; done
+
+
+ III. Distribute the ssh keys to the OSP director
+
+[stack@ospdirector ~]$ sudo mkdir /home/sevone/.ssh
+[stack@ospdirector ~]$ sudo chown sevone:sevone /home/sevone/.ssh
+[stack@ospdirector ~]$ sudo chmod 700 /home/sevone/.ssh
+[stack@ospdirector ~]$ sudo cp id_rsa.pub /home/sevone/.ssh/authorized_keys
+[stack@ospdirector ~]$ sudo chown sevone:sevone /home/sevone/.ssh/authorized_keys
+[stack@ospdirector ~]$ sudo chmod 600 /home/sevone/.ssh/authorized_keys
+
+==================
+Setup sudoers file
+==================
+
+In this section you will distribute the Sevone sudoers file to the controllers and the OSP director and set
+up the Sevone nova script.
+
+ I. Ensure the nova script for Sevone is in place with the correct permissions.
+
+[stack@ospdirector ~]$ sudo mkdir /opt/sevone
+[stack@ospdirector ~]$ sudo cp ~/policydir/files/nova_sevone.sh /opt/sevone/
+[stack@ospdirector ~]$ sudo chown stack:stack /opt/sevone/nova_sevone.sh
+[stack@ospdirector ~]$ sudo chmod 700 /opt/sevone/nova_sevone.sh
+
+ II. Add the additional line to the sevone sudoers file so that the nova script can be called on
+the OSP director
+
+[stack@ospdirector ~]$ sudo echo "sevone ALL=(stack) NOPASSWD:/opt/sevone/nova_sevone.sh" \
+>> ~/policydir/files/sevone.sudoers
+
+ III. Distribute the sevone file to the OSP director
+
+[stack@ospdirector ~]$ sudo cp ~/policydir/files/sevone.sudoers /etc/sudoers.d/sevone
+[stack@ospdirector ~]$ sudo chmod 600 /etc/sudoers.d/sevone
+[stack@ospdirector ~]$ sudo -l -U sevone
+
+ IV. Test that sevone user can perform the required commands. If sevone has no password, this step
+may first require logging in as root
+
+[stack@ospdirector ~]$ sudo su -
+[root@ospdirector ~]# su - sevone
+[sevone@ospdirector ~]$ sudo -u stack /opt/sevone/nova_sevone.sh
+[sevone@ospdirector ~]$ ls /tmp/sevone/
+[sevone@ospdirector ~]$ exit
+[root@ospdirector ~]# exit
+[stack@ospdirector ~]$
+
+ VI. Allow the sevone user to query mysql status
+
+[root@slmsc2ctl0 ~]# mysql -e “create user 'sevone'@'localhost';
+
+If during this step, you exit the current shell session instead of escalating to root, you will need to
+re-source overcloudrc before continuing.
+
+==================
+SNMP configuration
+==================
+
+In this section you will create the SNMP user for Sevone and distribute the SNMP configuration to
+OpenStack. You will need to supply the IPV4 addresses for the trap target destinations and a password.
+The same password should be used throughout the OSP environment including the OSP director, all
+controllers, and all computes. If a password is not provided by your team, see instructions in Appendix A
+for generating one.
+
+ I. Create the SNMP user on the OSP director
+
+
+[stack@ospdirector ~]$ sudo systemctl stop snmpd
+[stack@ospdirector ~]$ sudo net-snmp-create-v3-user -ro -A <ProvideSnmpPasswordHere> -a SHA \
+-X <ProvideSnmpPasswordHere> -x AES sev1snmpuser
+
+ II. Prepare the SNMP configuration file
+
+[stack@ospdirector ~]$ TRAPDEST1=<Enter First Destination IP>
+[stack@ospdirector ~]$ TRAPDEST2=<Enter Second Destination IP>
+[stack@ospdirector ~]$ echo -e "TRAPDEST1 = ${TRAPDEST1}\nTRAPDEST2 = ${TRAPDEST2}"
+[stack@ospdirector ~]$ sed -i s/TRAPTARGET1/$TRAPDEST1/ ~/policydir/files/snmpd.conf
+[stack@ospdirector ~]$ sed -i s/TRAPTARGET2/$TRAPDEST2/ ~/policydir/files/snmpd.conf
+
+ III. Distribute the SNMP configuration file to the OSP director
+
+[stack@ospdirector ~]$ sudo systemctl stop snmpd
+[stack@ospdirector ~]$ sudo cp ~/policydir/files/snmpd.conf /etc/snmp/snmpd.conf
+[stack@ospdirector ~]$ sudo sed -i s/REPLACEENGINEID/$(hostname -s)/ /etc/snmp/snmpd.conf
+[stack@ospdirector ~]$ sudo chown root:root /etc/snmp/snmpd.conf
+[stack@ospdirector ~]$ sudo chmod 644 /etc/snmp/snmpd.conf
+[stack@ospdirector ~]$ sudo systemctl start snmpd
+[stack@ospdirector ~]$ sudo systemctl status snmpd | grep 'Active:'
+
+=================
+Log configuration
+=================
+
+In this section you will configure logging in OpenStack. You will need to provide the IPV4 addresses of the rsyslog target servers.
+
+ I. Create the client configuration file
+
+[stack@ospdirector ~]$ cat << EOF > ~/client.conf
+*.* @SYSLOGTARGET1:PORTNUM
+*.* @SYSLOGTARGET2:PORTNUM
+EOF
+
+[stack@ospdirector ~]$ SYSLOGDEST1=<Enter First Destination IP>
+[stack@ospdirector ~]$ SYSLOGDEST2=<Enter Second Destination IP>
+[stack@ospdirector ~]$ echo -e "SYSLOGDEST1 = ${SYSLOGDEST1}\nSYSLOGDEST2 = ${SYSLOGDEST2}"
+[stack@ospdirector ~]$ sed -i s/SYSLOGTARGET1/$SYSLOGDEST1/ ~/client.conf
+[stack@ospdirector ~]$ sed -i s/SYSLOGTARGET2/$SYSLOGDEST2/ ~/client.conf
+
+ II. Configure logging for the overcloud and director
+
+[stack@ospdirector ~]$ chmod +x ~/policydir/files/logging.sh
+[stack@ospdirector ~]$ ~/policydir/files/logging.sh
+
+========
+Appendix
+========
+
+A. Password Generation
+
+ I. Creating a password (The length of the password can be adjusted via the variable in the ‘fold’ command):
+
+ [stack@ospdirector ~]$ PASSWORD=`cat /dev/urandom | tr -dc ‘a-zA-Z0-9’ | fold -w 12 | head -n 1`
+
+ II. Assigning a password to a user
+
+ [stack@ospdirector ~]$ sudo "echo $PASSWORD | passwd --stdin $USER"
+
+
+B. SSH Key Generation
+
+ I. Creating an ssh key
+ A. Become the sevone user
+
+ [stack@ospdirector ~]$ sudo su - sevone
+
+ B. Run ssh-keygen accepting the default file to save the key and empty passphrase
+
+ [sevone@ospdirector ~]$ ssh-keygen
+ Generating public/private rsa key pair.
+ Enter file in which to save the key (/home/sevone/.ssh/id_rsa):
+ Created directory '/home/sevone2/.ssh'.
+ Enter passphrase (empty for no passphrase):
+ Enter same passphrase again:
+ Your identification has been saved in /home/sevone/.ssh/id_rsa.
+ Your public key has been saved in /home/sevone/.ssh/id_rsa.pub.
+ The key fingerprint is:
+ bd:1c:24:3f:43:66:e8:ce:68:a7:06:52:8a:3f:ff:8a sevone2@slmsc2ospd.msc2.solk.lab.vzwnfv.com
+ The key's randomart image is:
+ +--[ RSA 2048]----+
+ | |
+ | . |
+ | o = |
+ | . . O |
+ | . o S * |
+ |. o . + . = |
+ | . . .o + o |
+ | o. ..o |
+ | Eoo+o |
+ +-----------------+
+
+
+C. Reducing Log Message Quantity
+
+ In their current configuration, many environments are producing more log messages than are necessary to appropriately debug the
+system. One can change this configuration relatively easily by changing some settings in rsyslog.d.
+
+ Edit the /etc/rsyslog.d/client.conf file on the director node
+
+[stack@ospdirector ~]$ sudo sed -i 's/\*\.\*/*.info/g' /etc/rsyslog.d/client.conf \
+&& cat /etc/rsyslog.d/client.conf && sudo systemctl restart rsyslog \
+&& sudo systemctl status -l rsyslog
+
+ Edit the /etc/rsyslog.d/client.conf file on the controller nodes
+
+[stack@ospdirector ~]$ for i in $( nova hypervisor-list | \
+awk '/localdomain/ {print $4}' | sed s/.localdomain// | \
+sort -V) ; do echo $i >> rsyslog-level-change.txt; \
+ssh heat-admin@$i "sudo sed –i 's/^\*\.\*/\*\.info/' \
+/etc/rsyslog.d/client.conf && cat /etc/rsyslog.d/client.conf \
+&& sudo systemctl restart rsyslog && sudo systemctl status -l rsyslog" \
+>> rsyslog-level-change.txt; done
+
+ Edit the /etc/rsyslog.d/client.conf file on the compute nodes
+
+[stack@ospdirector ~]$ for i in $(nova host-list | \
+awk '/consoleauth/ {split($2,a,"."); print a[1]}' | \
+sort -V) ; do echo $i >> rsyslog-level-change.txt; \
+ssh heat-admin@$i "sudo sed -i 's/^\*\.\*/\*\.info/' /etc/rsyslog.d/client.conf \
+&& cat /etc/rsyslog.d/client.conf && sudo systemctl restart rsyslog \
+&& sudo systemctl status -l rsyslog" >> rsyslog-level-change.txt; done
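Review bot: the "expected output" block under "Verification of templates level" commits a literal credential, `SnmpRoUserPassword: 'Mua12345'`, into the repository alongside site IPs; the rest of the document already uses placeholders such as `<ProvideSnmpPasswordHere>`, so the sample output should use the same placeholder style and generic addresses (the Appendix B sample fingerprint line with the `slmsc2ospd.msc2.solk.lab.vzwnfv.com` hostname has the same problem). Several commands in the hunk will also not run as written: `sudo "echo $PASSWORD | passwd --stdin $USER"` in Appendix A passes the whole pipeline as a single command name to sudo and should be `echo "$PASSWORD" | sudo passwd --stdin "$USER"`; the `tr -dc ‘a-zA-Z0-9’` and `mysql -e “create user 'sevone'@'localhost';` lines use typographic quotes (and the mysql line never closes its quote), and `sudo sed –i` in the controller-node rsyslog loop has an en-dash instead of `-i`. In "Setup sudoers file", `sudo echo ... >> ~/policydir/files/sevone.sudoers` only privileges the echo, not the redirection, and the target is a stack-owned file anyway, so drop the `sudo` there; the same section jumps from step IV to VI, and the mysql step creates the sevone account without any authentication, which should either be stated as intentional or given an `IDENTIFIED BY` clause.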