path: root/files/SevoneOSPprereqs_MOPV_1.10.txt
===========================
Sevone Manual Configuration
===========================

These are the post-installation steps to configure an OpenStack deployment for Sevone.  
This includes creating the Sevone Linux account, the readonly role and policy, ssh keys, 
sudoers, SNMP, and logging configurations.  All steps are run as the stack user on 
the OSP director box with the overcloudrc sourced, unless the prompt shown for a step 
indicates otherwise.


=============
Foreword
=============

In v1.10 of this document, all of the commands related to the overcloud nodes have now 
been integrated into the templates (WCNEC1 was the first site to receive the updated 
templates). There are no actions left to be manually performed on the overcloud nodes. 
There are also no verifications left to perform on the overcloud nodes since the tooling 
associated with the templates has already been QA'd. If issues/modifications are 
needed, they will need to be taken to the team for writing/integrating into the 
templates. The only actions left are performed on the undercloud since these cannot be 
integrated into OSP-Director.

=============
Verification of templates level
=============

To verify that your version of the templates includes the Sevone pre-requisites payload, 
perform the following on the undercloud:

[stack@ospdirector ~]$ grep -A6 Snmp templates/network-environment.yaml

	Expect output of the following form (the addresses and password below are from a lab 
	deployment; your site's values will differ):

  SnmpTrapTarget1: '192.168.70.83'
  SnmpTrapTarget2: '192.168.78.83'
  SnmpRoUser: 'sev1snmpuser'
  SnmpRoUserPassword: 'Mua12345'
  # Rsyslog parameters (Used in /etc/rsyslog.d/client.conf)
  SyslogTarget1: '192.168.70.83'
  SyslogTarget2: '192.168.78.83'

  #InternalApiNetCidr: 'fd00:4888:2000:f002::/64'
  InternalApiNetCidr: 192.168.1.0/24

Note that SnmpRoUserPassword is the SNMPv3 authentication/privacy password for sev1snmpuser 
and sits in cleartext in network-environment.yaml.  Keep the templates directory readable only 
by the stack user and do not paste this output into tickets or chat.

If the keywords SnmpTrapTarget1, SnmpTrapTarget2, SnmpRoUser, SnmpRoUserPassword, 
SyslogTarget1 and SyslogTarget2 are not all present, then your version of the 
templates does -NOT- include the Sevone pre-requisites.  STOP here and obtain the latest 
version before continuing.

=============
User creation
=============

In this section you will create the Sevone Linux user on the OSP director (the same account on the 
controller nodes is created by the templates, see the Foreword).  The fixed uid/gid 6005 keeps the 
account identical across nodes.  No password is set, so the account is locked for password login and 
reachable only with the ssh key distributed later in this document.

Create the Sevone linux user on the OSP director


[stack@ospdirector ~]$ sudo groupadd --gid 6005 sevone
[stack@ospdirector ~]$ sudo useradd --uid 6005 --gid sevone sevone
[stack@ospdirector ~]$ id sevone

Openstack role creation

In this section you will create the readonly role in the overcloud Keystone (overcloudrc must be sourced).
The policy.json files extracted in the next section refer to this role by name.

[stack@ospdirector ~]$ openstack role create readonly

=============
Policy Extraction
=============

In this section you will extract the policy directory structure under the stack user.  The archive 
holds the policy.json files for the OpenStack services (their upload to the controller nodes is 
handled by the templates, see the Foreword) together with the helper files used later in this 
document: nova_sevone.sh, sevone.sudoers, snmpd.conf and logging.sh.  You will be supplied a 
policydir_osp10_v1.XY.tar.gz file with this documentation.  Place it in the /home/stack home 
directory.  The file will typically be named with digits in place of XY, eg: 
policydir_osp10_v1.04.tar.gz.  List the archive with tar -tzf before extracting it and confirm 
every entry sits under policydir/.

	I. Untar policydir_osp10_v1.04.tar.gz

[stack@ospdirector ~]$ tar -xzvf /home/stack/policydir_osp10_v1.04.tar.gz

==============
Setup ssh keys
==============

In this section you will distribute the ssh public keys to the Sevone accounts on the controllers and OSP director.  If an ssh key is not provided by your team, see instructions in Appendix B for generating one.

	I. Create the public key file.  The utility ssh-keygen can be used to generate a new key or you can 
	provide your own.  An authorized_keys entry is one line: key type, base64 key blob and optional 
	comment, separated by spaces.  Do not split the type and the blob across lines, sshd would ignore 
	the entry.  Only the public key is placed on the OSP nodes; the private key stays on the SevOne 
	appliance that initiates the ssh sessions.

[stack@ospdirector ~]$ cat << EOF > ~/id_rsa.pub
ssh-rsa <Insert the base64 content of your generated key here> root@SevOne
EOF

	II. Distribute the ssh key to the controllers (the sevone account on the controllers is created 
	by the templates).  The consoleauth entries in nova host-list identify the controller nodes.

[stack@ospdirector ~]$ for i in $(nova host-list | \
awk '/consoleauth/ {split($2,a,"."); print a[1]}') ; \
do echo $i ; cat ~/id_rsa.pub | \
ssh heat-admin@$i "sudo sh -c 'mkdir -p /home/sevone/.ssh && \
cat >> /home/sevone/.ssh/authorized_keys && \
chown -R sevone:sevone /home/sevone/.ssh && \
chmod 700 /home/sevone/.ssh && \
chmod 600 /home/sevone/.ssh/authorized_keys'" ; done


	III. Distribute the ssh keys to the OSP director

[stack@ospdirector ~]$ sudo mkdir -p /home/sevone/.ssh
[stack@ospdirector ~]$ sudo chown sevone:sevone /home/sevone/.ssh
[stack@ospdirector ~]$ sudo chmod 700 /home/sevone/.ssh
[stack@ospdirector ~]$ sudo cp ~/id_rsa.pub /home/sevone/.ssh/authorized_keys
[stack@ospdirector ~]$ sudo chown sevone:sevone /home/sevone/.ssh/authorized_keys
[stack@ospdirector ~]$ sudo chmod 600 /home/sevone/.ssh/authorized_keys
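A check worth running on ~/id_rsa.pub before step II appends it to authorized_keys on every controller.  The function below is an added example and is not part of this MOP or of the policydir payload: a POSIX sh routine that rejects the broken shape a multi-line heredoc produces (key type on one line, blob on the next) and also confirms that the base64 blob really encodes the declared key type, which catches a pasted fragment or a blob from a different key.  It assumes coreutils base64, head and tail are available; where ssh-keygen is installed, ssh-keygen -l -f ~/id_rsa.pub is an equivalent sanity check.

```shell
#!/bin/sh
# Validate a single OpenSSH public-key line before it is appended to
# /home/sevone/.ssh/authorized_keys.  Returns 0 only when the line has the
# "TYPE BASE64 [comment]" shape and the base64 blob really encodes TYPE.
validate_authorized_key_line() {
    # Split the line on whitespace: field 1 is the key type, field 2 the blob,
    # anything after that is the comment (e.g. root@SevOne).
    set -- $1
    if [ $# -lt 2 ]; then
        echo "key type and key blob must be on one line" >&2
        return 1
    fi
    ktype=$1
    blob=$2
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $ktype" >&2; return 1 ;;
    esac
    # The blob is the SSH wire encoding of the key: a big-endian uint32 length
    # followed by the key-type string, then the key material.  So the bytes
    # right after the 4-byte length must spell out the type again.
    encoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null |
              head -c $((4 + ${#ktype})) | tail -c ${#ktype})
    if [ "$encoded" != "$ktype" ]; then
        echo "base64 blob is not a valid $ktype key" >&2
        return 1
    fi
    return 0
}
```

Usage on the director: `validate_authorized_key_line "$(cat ~/id_rsa.pub)" && echo ok`.  A non-zero exit means the file should be fixed before the distribution loop runs, since a bad line silently locks the SevOne collector out of every controller at once.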

==================
Setup sudoers file
==================

In this section you will distribute the Sevone sudoers file to the controllers and the OSP director and set 
up the Sevone nova script.

	I. Ensure the nova script for Sevone is in place with the correct permissions.  The script is owned 
	by stack and writable by nobody else: sevone will be allowed to run it as stack via sudo, so sevone 
	must not be able to edit what it runs.

[stack@ospdirector ~]$ sudo mkdir -p /opt/sevone 
[stack@ospdirector ~]$ sudo cp ~/policydir/files/nova_sevone.sh /opt/sevone/
[stack@ospdirector ~]$ sudo chown stack:stack /opt/sevone/nova_sevone.sh
[stack@ospdirector ~]$ sudo chmod 700 /opt/sevone/nova_sevone.sh

	II. Add the additional line to the sevone sudoers file so that the nova script can be called on 
the OSP director.  The file is under the stack home directory, so sudo is not needed here (with 
sudo in front of echo the redirection would still be performed by stack anyway).

[stack@ospdirector ~]$ echo "sevone ALL=(stack) NOPASSWD:/opt/sevone/nova_sevone.sh" \
>> ~/policydir/files/sevone.sudoers

	III. Distribute the sevone file to the OSP director and confirm the rules sudo has loaded for 
	sevone.  The output of sudo -l -U sevone must list the /opt/sevone/nova_sevone.sh rule added 
	above; if the fragment has a syntax error sudo ignores the whole file and the rule is absent.

[stack@ospdirector ~]$ sudo cp ~/policydir/files/sevone.sudoers /etc/sudoers.d/sevone
[stack@ospdirector ~]$ sudo chmod 600 /etc/sudoers.d/sevone
[stack@ospdirector ~]$ sudo -l -U sevone

	IV. Test that the sevone user can perform the required commands.  sevone was created without a 
	password, so switch to it via root rather than logging in.

[stack@ospdirector ~]$ sudo su -
[root@ospdirector ~]# su - sevone
[sevone@ospdirector ~]$ sudo -u stack /opt/sevone/nova_sevone.sh
[sevone@ospdirector ~]$ ls /tmp/sevone/
[sevone@ospdirector ~]$ exit
[root@ospdirector ~]# exit
[stack@ospdirector ~]$

	V. Allow the sevone user to query mysql status.  This runs as root on a controller node.  The 
	account is created without a password and with only the default USAGE privilege, which is all 
	SHOW STATUS needs; the 'localhost' host part means it can connect only from the controller 
	itself, i.e. from a shell that already exists on that node.

[root@slmsc2ctl0 ~]# mysql -e "CREATE USER 'sevone'@'localhost';"

If during this step, you exit the current shell session instead of escalating to root, you will need to 
re-source overcloudrc before continuing.
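Before step III copies sevone.sudoers into /etc/sudoers.d, a pre-flight check catches the mistakes that matter: a syntax error (sudo then refuses the whole fragment), a relative path, a missing target, or a target that the sevone user or anyone else could rewrite and thereby run arbitrary commands as stack.  The function below is an added example, not part of this MOP or of the policydir payload.  It assumes one command per NOPASSWD rule (the shape of the line added in step II), uses visudo -cf only when visudo is on the PATH, and relies on ls/find/awk as found on RHEL.

```shell
#!/bin/sh
# Pre-flight a sudoers fragment (e.g. ~/policydir/files/sevone.sudoers) before
# it goes into /etc/sudoers.d.  For every "USER ... NOPASSWD:/path" rule it
# checks that the target is an absolute path to an existing regular file that
# the rule's user does not own and that nobody but the owner can write.
check_sudoers_fragment() {
    fragment=$1
    rc=0
    # Syntax check with visudo where it is installed (RHEL: /usr/sbin).
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$fragment" >/dev/null 2>&1 ||
            { echo "$fragment: visudo rejects the syntax" >&2; rc=1; }
    fi
    # Extract "user command" pairs from the NOPASSWD rules.
    rules=$(grep -v '^[[:space:]]*#' "$fragment" |
        sed -n 's/^\([^[:space:]][^[:space:]]*\).*NOPASSWD:[[:space:]]*\([^[:space:],]*\).*/\1 \2/p')
    while read -r user cmd; do
        [ -n "$cmd" ] || continue
        case $cmd in
            /*) ;;
            *) echo "$cmd: sudo targets must be absolute paths" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$cmd" ]; then
            echo "$cmd: not a regular file" >&2; rc=1; continue
        fi
        # The user allowed to run the command must not be able to change it.
        owner=$(ls -ld "$cmd" | awk '{print $3}')
        if [ "$owner" = "$user" ]; then
            echo "$cmd: owned by $user, the very user allowed to sudo it" >&2; rc=1
        fi
        # Group- or world-writable targets let any such writer run as the runas user.
        if [ -n "$(find "$cmd" -maxdepth 0 \( -perm -g+w -o -perm -o+w \))" ]; then
            echo "$cmd: group- or world-writable" >&2; rc=1
        fi
    done <<EOF
$rules
EOF
    return $rc
}
```

On the director run `check_sudoers_fragment ~/policydir/files/sevone.sudoers` after step II.  /usr/sbin is usually not on a non-root PATH, so prefix PATH=/usr/sbin:$PATH if you want the visudo pass to run as stack.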

==================
SNMP configuration
==================

In this section you will create the SNMP user for Sevone and distribute the SNMP configuration to 
OpenStack.  You will need to supply the IPV4 addresses for the trap target destinations and a password.  
The same password should be used throughout the OSP environment including the OSP director, all 
controllers, and all computes.  If a password is not provided by your team, see instructions in Appendix A 
for generating one.

	I. Create the SNMP user on the OSP director.  snmpd must be stopped while the user is created.  
	The same value is used for the authentication (-A) and privacy (-X) password; SNMPv3 requires at 
	least 8 characters.  The password is passed on the command line, so it ends up in the shell 
	history and is briefly visible in the process list; clear the history entry afterwards if your 
	site requires it.

[stack@ospdirector ~]$ sudo systemctl stop snmpd
[stack@ospdirector ~]$ sudo net-snmp-create-v3-user -ro -A <ProvideSnmpPasswordHere> -a SHA \
-X <ProvideSnmpPasswordHere> -x AES sev1snmpuser

	II. Prepare the SNMP configuration file

[stack@ospdirector ~]$ TRAPDEST1=<Enter First Destination IP>
[stack@ospdirector ~]$ TRAPDEST2=<Enter Second Destination IP>
[stack@ospdirector ~]$ echo -e "TRAPDEST1 = ${TRAPDEST1}\nTRAPDEST2 = ${TRAPDEST2}"
[stack@ospdirector ~]$ sed -i s/TRAPTARGET1/$TRAPDEST1/ ~/policydir/files/snmpd.conf
[stack@ospdirector ~]$ sed -i s/TRAPTARGET2/$TRAPDEST2/ ~/policydir/files/snmpd.conf

	III. Distribute the SNMP configuration file to the OSP director

[stack@ospdirector ~]$ sudo systemctl stop snmpd
[stack@ospdirector ~]$ sudo cp ~/policydir/files/snmpd.conf /etc/snmp/snmpd.conf
[stack@ospdirector ~]$ sudo sed -i s/REPLACEENGINEID/$(hostname -s)/ /etc/snmp/snmpd.conf
[stack@ospdirector ~]$ sudo chown root:root /etc/snmp/snmpd.conf
[stack@ospdirector ~]$ sudo chmod 644 /etc/snmp/snmpd.conf
[stack@ospdirector ~]$ sudo systemctl start snmpd
[stack@ospdirector ~]$ sudo systemctl status snmpd | grep 'Active:'
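It is worth linting the rendered /etc/snmp/snmpd.conf between the sed in step III and the systemctl start.  The function below is an added example; it is not part of this MOP and this document does not show the contents of the policydir snmpd.conf, so it assumes only that the file uses standard net-snmp directives and carries the TRAPTARGET1, TRAPTARGET2 and REPLACEENGINEID placeholders named above.  It fails when a placeholder survived, when any SNMPv1/v2c community access (rocommunity, rwcommunity, com2sec) is still configured, and when the rouser line for sev1snmpuser lacks the priv security level: a bare "rouser sev1snmpuser" defaults to the auth level and accepts unencrypted authNoPriv requests.

```shell
#!/bin/sh
# Lint a rendered snmpd.conf before snmpd is started.  Exit status 0 means:
# no template placeholders survived, no SNMPv1/v2c community access is
# configured, and the SevOne v3 user is forced to the authPriv level.
check_snmpd_conf() {
    conf=$1
    rc=0
    # Work on a copy with comments and blank lines removed.
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    # 1. Placeholders that steps II and III are supposed to substitute.
    for p in TRAPTARGET1 TRAPTARGET2 REPLACEENGINEID; do
        if printf '%s\n' "$body" | grep -q "$p"; then
            echo "$conf: placeholder $p was not replaced" >&2; rc=1
        fi
    done

    # 2. v1/v2c access lines.  Community strings travel in cleartext and are
    #    all an attacker needs to read (or, with rwcommunity, write) the MIB.
    if printf '%s\n' "$body" |
       grep -Eq '^[[:space:]]*((ro|rw)community6?|com2sec)[[:space:]]'; then
        echo "$conf: SNMPv1/v2c community access is configured" >&2; rc=1
    fi

    # 3. The SevOne user must be present with the 'priv' level so that
    #    authNoPriv requests are refused.
    if ! printf '%s\n' "$body" |
       grep -Eq '^[[:space:]]*rouser[[:space:]]+sev1snmpuser[[:space:]]+priv([[:space:]]|$)'; then
        echo "$conf: expected 'rouser sev1snmpuser priv'" >&2; rc=1
    fi
    return $rc
}
```

Run `check_snmpd_conf /etc/snmp/snmpd.conf` on the director (and, if you have shell access, on any node whose snmpd.conf came from the templates) before `sudo systemctl start snmpd`; a non-zero exit means the file needs attention, not the service.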

=================
Log configuration
=================

In this section you will configure logging in OpenStack.  You will need to provide the IPV4 addresses of the rsyslog target servers and the port they listen on (this document does not give the port; obtain it from your team).  A single '@' in an rsyslog action means UDP forwarding: delivery is unauthenticated and unacknowledged, so messages can be silently lost on the way to SevOne.  Use '@@' (TCP) if the SevOne receivers accept it.

	I. Create the client configuration file

[stack@ospdirector ~]$ cat << EOF > ~/client.conf
*.* @SYSLOGTARGET1:PORTNUM
*.* @SYSLOGTARGET2:PORTNUM
EOF

[stack@ospdirector ~]$ SYSLOGDEST1=<Enter First Destination IP>
[stack@ospdirector ~]$ SYSLOGDEST2=<Enter Second Destination IP>
[stack@ospdirector ~]$ SYSLOGPORT=<Enter Destination Port>
[stack@ospdirector ~]$ echo -e "SYSLOGDEST1 = ${SYSLOGDEST1}\nSYSLOGDEST2 = ${SYSLOGDEST2}\nSYSLOGPORT = ${SYSLOGPORT}"
[stack@ospdirector ~]$ sed -i s/SYSLOGTARGET1/$SYSLOGDEST1/ ~/client.conf
[stack@ospdirector ~]$ sed -i s/SYSLOGTARGET2/$SYSLOGDEST2/ ~/client.conf
[stack@ospdirector ~]$ sed -i s/PORTNUM/$SYSLOGPORT/g ~/client.conf
[stack@ospdirector ~]$ cat ~/client.conf

	II. Configure logging for the overcloud and director

[stack@ospdirector ~]$ chmod +x ~/policydir/files/logging.sh
[stack@ospdirector ~]$ ~/policydir/files/logging.sh

========
Appendix
========

A.    Password Generation

	I. Creating a password (the length can be adjusted via the -w argument to 'fold'; SNMPv3 requires 
	at least 8 characters).  LC_ALL=C keeps tr from choking on invalid multibyte input from /dev/urandom:

	[stack@ospdirector ~]$ PASSWORD=$(LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)

	II. Assigning the password to a local user.  The value is piped from the variable rather than typed, 
	so the password itself does not land in the shell history:

	[stack@ospdirector ~]$ echo "$PASSWORD" | sudo passwd --stdin <username>


B.    SSH Key Generation

	I. Creating an ssh key
		A. Become the sevone user

		[stack@ospdirector ~]$ sudo su - sevone

		B. Run ssh-keygen accepting the default file to save the key and empty passphrase (the key is 
		used non-interactively, which is why it has no passphrase).  Generating it here is only a 
		convenience: the private key (id_rsa) belongs on the SevOne appliance that initiates the ssh 
		sessions.  Move it there over a secure channel and then delete it from the director; only the 
		public key (id_rsa.pub) is distributed in the "Setup ssh keys" section.

		[sevone@ospdirector ~]$ ssh-keygen
		Generating public/private rsa key pair.
		Enter file in which to save the key (/home/sevone/.ssh/id_rsa):
		Created directory '/home/sevone2/.ssh'.
		Enter passphrase (empty for no passphrase):
		Enter same passphrase again:
		Your identification has been saved in /home/sevone/.ssh/id_rsa.
		Your public key has been saved in /home/sevone/.ssh/id_rsa.pub.
		The key fingerprint is:
		bd:1c:24:3f:43:66:e8:ce:68:a7:06:52:8a:3f:ff:8a sevone2@slmsc2ospd.msc2.solk.lab.vzwnfv.com
		The key's randomart image is:
		+--[ RSA 2048]----+
		|                 |
		|         .       |
		|        o =      |
		|    .  . O       |
		| . o    S *      |
		|. o .  + . =     |
		| . . .o + o      |
		|  o. ..o         |
		|  Eoo+o          |
		+-----------------+


C.	 Reducing Log Message Quantity

	In their current configuration, many environments are producing more log messages than are necessary to appropriately debug the 
system. One can change this configuration relatively easily by changing some settings in rsyslog.d.

	Edit the /etc/rsyslog.d/client.conf file on the director node

[stack@ospdirector ~]$ sudo sed -i 's/\*\.\*/*.info/g' /etc/rsyslog.d/client.conf \
&& cat /etc/rsyslog.d/client.conf && sudo systemctl restart rsyslog \
&& sudo systemctl status -l rsyslog

	Edit the /etc/rsyslog.d/client.conf file on the compute nodes (nova hypervisor-list returns 
	the compute hosts)

[stack@ospdirector ~]$ for i in $( nova hypervisor-list | \
awk '/localdomain/ {print $4}' | sed s/.localdomain// | \
sort -V) ; do echo $i >> rsyslog-level-change.txt; \
ssh heat-admin@$i "sudo sed -i 's/^\*\.\*/\*\.info/' \
/etc/rsyslog.d/client.conf && cat /etc/rsyslog.d/client.conf \
&& sudo systemctl restart rsyslog && sudo systemctl status -l rsyslog" \
>> rsyslog-level-change.txt; done

	Edit the /etc/rsyslog.d/client.conf file on the controller nodes (the consoleauth entries in 
	nova host-list identify the controllers, as in the ssh key section)

[stack@ospdirector ~]$ for i in $(nova host-list | \
awk '/consoleauth/ {split($2,a,"."); print a[1]}' | \
sort -V) ; do echo $i >> rsyslog-level-change.txt; \
ssh heat-admin@$i "sudo sed -i 's/^\*\.\*/\*\.info/' /etc/rsyslog.d/client.conf \
&& cat /etc/rsyslog.d/client.conf && sudo systemctl restart rsyslog \
&& sudo systemctl status -l rsyslog" >> rsyslog-level-change.txt; done
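The client.conf rendered in the Log configuration section and the severity change in this appendix are the same two-line file in two states.  The function below is an added example (not from this MOP or from logging.sh, whose contents this document does not show) that renders the file from validated inputs instead of sed substitutions: it rejects malformed IPv4 addresses and ports, takes the transport explicitly (udp gives the '@' form used in this document, tcp the '@@' form), and takes the severity floor so that '*' reproduces the section's file and 'info' reproduces the result of this appendix.  The helper is_ipv4 and the argument order are assumptions of this example.

```shell
#!/bin/sh
# Render /etc/rsyslog.d/client.conf for the two SevOne syslog targets.
# Arguments: TARGET1 TARGET2 PORT PROTO SEVERITY
#   PROTO    udp -> "@host:port"  (the form this MOP uses; unacknowledged)
#            tcp -> "@@host:port" (reliable delivery)
#   SEVERITY rsyslog priority floor: "*" for everything, or e.g. "info"
render_client_conf() {
    t1=$1; t2=$2; port=$3; proto=$4; sev=$5
    for ip in "$t1" "$t2"; do
        is_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port out of range: $port" >&2; return 1; }
    case $proto in
        udp) prefix='@' ;;
        tcp) prefix='@@' ;;
        *) echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
    case $sev in
        '*'|emerg|alert|crit|err|warning|notice|info|debug) ;;
        *) echo "unknown severity: $sev" >&2; return 1 ;;
    esac
    # One forwarding action per target; "*.info" means info and above.
    printf '*.%s %s%s:%s\n' "$sev" "$prefix" "$t1" "$port"
    printf '*.%s %s%s:%s\n' "$sev" "$prefix" "$t2" "$port"
}

# Accept only a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}
```

Typical use on the director: `render_client_conf "$SYSLOGDEST1" "$SYSLOGDEST2" "$SYSLOGPORT" udp '*' > ~/client.conf` for the initial file, and the same call with `info` when applying the reduction from this appendix; a non-zero exit leaves client.conf empty, which is preferable to a file pointing at a mistyped address.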