This document provides an overview and summary of OpenNebula configuration at Harvard FAS Research Computing using Puppet. It describes the hardware setup including OpenNebula and Ceph nodes, network configuration using VLANs across multiple datacenters, and configuration of OpenNebula and associated services like Ceph and MySQL using Puppet modules, roles, profiles, Hiera data and exported resources. The goal is automated provisioning and configuration management of OpenNebula and associated infrastructure at scale.
2. About FAS RC
Our OpenNebula setup:
- OpenNebula and Ceph hardware
- Network setup
Our configuration with puppet:
- opennebula-puppet-module
- roles/profiles
- Config within OpenNebula
Context scripts / load testing
Use cases for OpenNebula at RC
Things we’d love to see
Agenda
4. Overview of Odyssey
• 150 racks spanning 3 data centers across 100 miles, using 1 MW of power
• 60k CPU cores, 1M+ GPU cores
• 25 PB of storage (Lustre, NFS, Isilon, Gluster)
• 10 miles of Cat 5/6 + IB cabling
• 300k lines of Puppet code
• 300+ VMs
• 2015: 25.7 million jobs, 240 million CPU hours
5. About FAS RC
Our OpenNebula setup:
- OpenNebula and Ceph hardware
- Network setup
Our configuration with puppet:
- opennebula-puppet-module
- roles/profiles
- Config within OpenNebula
Context scripts / load testing
Use cases for OpenNebula at RC
Things we’d love to see
Agenda
6. Where we’re coming from
● Previous KVM infrastructure:
○ One datacenter
○ 4 Dell C6145s (8 blades, 48 or 64 cores, 256GB RAM)
○ 2× 10GbE switches, but active-passive rather than 802.3ad LACP
○ 2 Dell R515s running replicated Gluster
● VM provisioning process was very manual:
○ add to DNS
○ add to Cobbler for DHCP
○ edit in the Cobbler web GUI when changing disk, RAM, or CPU
○ run a virt-builder script to provision on a hypervisor (manually selected for load balancing)
■ Full OS install and Puppet run from scratch - takes a long time
● Issues:
○ Storage issues with Gluster: healing runs client-side (on the KVM hypervisors), VMs going read-only
○ Management very manual - changing capacity is manual, etc.
7. Hardware Setup - OpenNebula
● Hypervisors (nodes):
○ 8 Dell R815
■ 4 each in 2 datacenters
○ 64 cores, 256GB RAM
○ Intel X520 2-port 10GbE, LACP
● Controller:
○ Currently one node serves as both controller and hypervisor, but the controller function can be moved to a different node manually if the DB is on replicated MySQL (tested using Galera)
8. Hardware Setup - Ceph
● OSDs:
○ 10 Dell R515
■ 5 each in 2 primary datacenters
○ 16 cores, 32GB RAM
○ 12× 4TB drives
○ Intel X520 2-port 10GbE, LACP
● Mon:
○ 5 Dell R415
■ 2 each in 2 primary datacenters
■ 1 in a 3rd datacenter as a tie-breaker
○ 8 cores, 32GB RAM
○ 2× 120GB SSDs, RAID1, for the mon data device
○ Intel X520 2-port 10GbE, LACP
● MDS:
○ Currently using CephFS for the OpenNebula system datastore mount
○ MDS running on one of the mons
9. Network Setup
2× Dell Force10 S4810 10GbE switches in each of the 2 primary datacenters (with 2× 10Gb links between datacenters)
2× twinax (one from each switch) to each of the OpenNebula and Ceph nodes, bonded with LACP (802.3ad)
Tagged 802.1Q VLANs for:
1. Admin (SSH, OpenNebula communication, Sunstone, Puppet, Nagios monitoring, etc.; MTU 1500)
2. Ceph-client network (used by clients, i.e. the OpenNebula hypervisors, to access Ceph; routes only to the ceph-client VLANs in the other datacenters; MTU 9000)
3. Ceph-cluster network (backend Ceph network; routes only to the ceph-cluster VLANs in the other datacenters; only on Ceph OSDs; MTU 9000)
4. OpenNebula guest VM networks
a. Some in one datacenter only, some span both datacenters
Note that VLAN (1) needs to be tagged so it can keep a normal MTU of 1500, because the bond itself must have MTU 9000 for (2) and (3) to use MTU 9000.
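To illustrate that MTU arrangement, here is a minimal, hypothetical sketch of how the bond and tagged-VLAN interfaces could be laid down with plain Puppet file resources (the interface names, VLAN IDs, and addresses below are made up; we actually manage this with our local networking modules):

# Sketch only: the bond carries MTU 9000 so the tagged Ceph VLANs can use jumbo frames.
file { '/etc/sysconfig/network-scripts/ifcfg-bond0':
  ensure  => file,
  content => "DEVICE=bond0\nONBOOT=yes\nBOOTPROTO=none\nBONDING_OPTS='mode=802.3ad miimon=100'\nMTU=9000\n",
}
# Admin VLAN (hypothetical ID 100): tagged, but pinned back to MTU 1500.
file { '/etc/sysconfig/network-scripts/ifcfg-bond0.100':
  ensure  => file,
  content => "DEVICE=bond0.100\nVLAN=yes\nONBOOT=yes\nBOOTPROTO=none\nMTU=1500\nIPADDR=10.10.1.20\nPREFIX=24\n",
}
# Ceph-client VLAN (hypothetical ID 200): jumbo frames end to end.
file { '/etc/sysconfig/network-scripts/ifcfg-bond0.200':
  ensure  => file,
  content => "DEVICE=bond0.200\nVLAN=yes\nONBOOT=yes\nBOOTPROTO=none\nMTU=9000\nIPADDR=10.10.2.20\nPREFIX=24\n",
}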
13. About FAS RC
Our OpenNebula setup:
- OpenNebula and Ceph hardware
- Network setup
Our configuration with puppet:
- opennebula-puppet-module
- roles/profiles
- Config within OpenNebula
Context scripts / load testing
Use cases for OpenNebula at RC
Things we’d love to see
Agenda
14. Configuring OpenNebula with Puppet
Installation:
● PXE boot - OS installation, then runs Puppet
● Puppet - bond configuration, tagged VLANs, yum repos, OpenNebula and Sunstone (Passenger) installation and configuration
○ Combination of local modules and upstream (mysql, apache, galera, opennebula)
● PuppetDB - exported resources to add newly-built hypervisors as onehosts on the controller and, if using NFS for the system datastore, to add them to /etc/exports on the controller and to pick up the mount of /one (see the sketch after this list)
Ongoing config management:
● Puppet - adding vnets, address ranges, security groups, and datastores (for the various Ceph pools, etc.)
● Can also create onetemplates and onevms
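The PuppetDB integration relies on Puppet's exported resources. As a rough illustration of that mechanism (not the module's actual internals; the 'one_hypervisor' tag is made up), each hypervisor could export an onehost describing itself, and the controller collects them:

# On each hypervisor: export an onehost resource describing this node
# ('one_hypervisor' is a hypothetical tag used only for collection).
@@onehost { $::fqdn:
  im_mad => 'kvm',
  vm_mad => 'kvm',
  vn_mad => '802.1Q',
  tag    => 'one_hypervisor',
}

# On the controller: collect every exported onehost, so newly built
# hypervisors are registered on the controller's next puppet run.
Onehost <<| tag == 'one_hypervisor' |>>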
15. OpenNebula puppet module
Source: https://github.com/epost-dev/opennebula-puppet-module
Or: https://forge.puppet.com/epostdev/one (not up-to-date currently)
(Deutsche Post E-Post Development)
Puppet module to install and manage OpenNebula:
● Installs and configures the OpenNebula controller and hypervisors
○ Takes care of package installs
○ Takes care of adding each hypervisor as a onehost on the controller (using PuppetDB)
● Can also be used for ongoing configuration management of resources inside OpenNebula - allows configuring onevnets, onesecgroups, etc., within OpenNebula
16. Minimum code to set up OpenNebula with Puppet:
package { 'rubygem-nokogiri':
  ensure => installed,
} ->
class { '::one':
  oned               => true,
  sunstone           => true,
  sunstone_listen_ip => '0.0.0.0',
  one_version        => '4.14',
  ssh_priv_key_param => '-----BEGIN RSA PRIVATE KEY-----...',
  ssh_pub_key        => 'ssh-rsa...',
} ->
onehost { $::fqdn:
  im_mad => 'kvm',
  vm_mad => 'kvm',
  vn_mad => '802.1Q',
}
Notes: the onehost resource is only needed if not using PuppetDB; ssh_priv_key_param can be encrypted with eyaml if passing it via Hiera.
18. Puppet Roles/Profiles
Puppet roles/profiles provide a framework to group technology-specific configuration (modules, groups of modules, etc.) into profiles, and then combine profiles into a role for each server or type of server.
- http://www.craigdunn.org/2012/05/239/
- http://garylarizza.com/blog/2014/02/17/puppet-workflow-part-2/
- https://puppet.com/podcasts/podcast-getting-organized-roles-and-profiles
19. OpenNebula roles
# opennebula base role
class roles::opennebula::base inherits roles::base {
  include ::profiles::storage::ceph::client
  include ::profiles::opennebula::base
}

# opennebula hypervisor node
class roles::opennebula::hypervisor inherits roles::opennebula::base {
  include ::profiles::opennebula::hypervisor
  include ::profiles::opennebula::hypervisor::nfs_mount
}

# opennebula controller node
class roles::opennebula::controller inherits roles::opennebula::base {
  include ::profiles::opennebula::controller
  include ::profiles::opennebula::controller::nfs_export
  include ::profiles::opennebula::controller::local_mysql
  include ::profiles::opennebula::controller::mysql_db
  include ::profiles::opennebula::controller::sunstone_passenger
}
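The NFS mount/export profiles are shown on the following slides; the base profile is essentially a thin wrapper around the epost one module. A minimal sketch of what profiles::opennebula::base might look like (simplified; the real profile also handles yum repos, etc., and the ::one class parameters such as oned, sunstone, and the SSH keys come from Hiera data binding per role):

# Sketch of a base profile: pull in the one module; whether a node acts as
# controller (oned/sunstone) or just hypervisor is decided by the Hiera data
# bound to the ::one class parameters for that node's role.
class profiles::opennebula::base {
  package { 'rubygem-nokogiri':
    ensure => installed,
  }
  contain ::one
  Package['rubygem-nokogiri'] -> Class['::one']
}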
21. OpenNebula profiles: NFS mount on hypervisors
class profiles::opennebula::hypervisor::nfs_mount (
  $oneid    = $::one::oneid,
  $puppetdb = $::one::puppetdb,
) {
  # exported resource to add myself to /etc/exports on the controller
  @@concat::fragment { "export_${oneid}_to_${::fqdn}":
    tag     => $oneid,
    target  => '/etc/exports',
    content => "/one ${::fqdn}(rw,sync,no_subtree_check,root_squash)\n",
  }
  # set up mount of /one from the head node
  if $::one::oned == true {
    # on the head node itself there is nothing to mount
  } else {
    # not on the head node, so mount it:
    # pull in the mount that the head node exported
    Mount <<| tag == $oneid and title == "${oneid}_one_mount" |>>
  }
}
Notes: the @@concat::fragment is exported to the controller; the Mount is collected from the controller (this has a 2-run dependence before completing successfully, but the run will continue past the error on the first run).
22. OpenNebula profiles: NFS export on controller node
class profiles::opennebula::controller::nfs_export (
  $oneid = $::one::oneid,
) {
  concat { '/etc/exports':
    ensure  => present,
    owner   => root,
    group   => root,
    require => File['/one'],
    notify  => Exec['exportfs'],
  }
  # collect the fragments that have been exported by the hypervisors
  Concat::Fragment <<| tag == $oneid and target == '/etc/exports' |>>
  # export a mount that the hypervisors will pick up
  @@mount { "${oneid}_one_mount":
    ensure  => 'mounted',
    name    => '/one',
    tag     => $oneid,
    device  => "${::fqdn}:/one",
    fstype  => 'nfs',
    options => 'soft,intr,rsize=8192,wsize=8192',
    atboot  => true,
    require => File['/one'],
  }
}
Notes: the Concat::Fragment resources are collected from the hypervisors; the @@mount is exported to the hypervisors.
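The concat resource above notifies an Exec['exportfs'] that isn't shown on the slide; a minimal sketch of what it could look like (assuming the NFS server itself is managed elsewhere):

# Re-export the NFS shares whenever /etc/exports changes; refreshonly means
# it only runs when notified by the concat above.
exec { 'exportfs':
  command     => '/usr/sbin/exportfs -ra',
  refreshonly => true,
}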
28. Other puppetized configs: XMLRPC SSL
one::oned_port: 2634
profiles::web::apache::vhosts:
  opennebula-xmlrpc-proxy:
    vhost_name: <fqdn>
    docroot: /var/www/html/  # doesn’t matter, just needs to be there for the vhost
    port: 2633
    ssl: true
    ssl_cert: "/etc/pki/tls/certs/%{hiera('one::oneid')}_xmlrpc_cert.cer"
    ssl_key: "/etc/pki/tls/private/%{hiera('one::oneid')}_xmlrpc.key"
    proxy_pass:
      path: '/'
      url: 'http://localhost:2634/'

file { '/var/lib/one/.one/one_endpoint':
  ensure  => file,
  owner   => 'oneadmin',
  group   => 'oneadmin',
  mode    => '0644',
  content => "http://localhost:${oned_port}/RPC2\n", # localhost doesn't use the ssl port
  require => Package['opennebula-server'],
  before  => Class['one::oned::service'],
}
ONE_XMLRPC=https://<fqdn of controller>:2633/RPC2 # for end user CLI access
29. About FAS RC
Our OpenNebula setup:
- OpenNebula and Ceph hardware
- Network setup
Our configuration with puppet:
- opennebula-puppet-module
- roles/profiles
- Config within OpenNebula
Context scripts / load testing
Use cases for OpenNebula at RC
Things we’d love to see
Agenda
30. Configuration inside OpenNebula once it’s running
Types provided by opennebula-puppet-module:
onecluster
onedatastore
onehost
oneimage
onesecgroup
onetemplate
onevm
onevnet
onevnet_addressrange
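These types can also be driven from Hiera data in a profile rather than hard-coded in manifests. A minimal sketch of one way to do that (the class and parameter names here are hypothetical; each hash maps a resource title to the attributes of the corresponding type, as documented in the module):

# Sketch: declare OpenNebula resources from data. The hashes are supplied via
# Hiera data binding (e.g. profiles::opennebula::resources::vnets).
class profiles::opennebula::resources (
  $vnets      = {},
  $secgroups  = {},
  $datastores = {},
) {
  create_resources('onevnet',      $vnets)
  create_resources('onesecgroup',  $secgroups)
  create_resources('onedatastore', $datastores)
}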
33. About FAS RC
Our OpenNebula setup:
- OpenNebula and Ceph hardware
- Network setup
Our configuration with puppet:
- opennebula-puppet-module
- roles/profiles
- Config within OpenNebula
Context scripts / load testing
Use cases for OpenNebula at RC
Things we’d love to see
Agenda
34. Context scripts for load testing
Graphite/Grafana VM
Diamond, bonnie++, dd, etc. for load test VMs:
35. Context script to configure diamond and load tests
#!/bin/bash
source /mnt/context.sh
cd /root
yum install -y puppet
puppet module install garethr-diamond
puppet module install stahnma-epel
...
cat > diamond.pp <<EOF
class { 'diamond':
  graphite_host => "$GRAPHITE_HOST",
  ...
EOF
puppet apply diamond.pp
diamond
if echo "$LOAD_TESTS" | grep -q dd ; then
  dd if=/dev/urandom of=/tmp/random_file bs=$DD_BLOCKSIZE count=$DD_COUNT
  for i in $(seq 1 $DD_REPEATS); do
    date >> ddlog
    sync; { time { time dd if=/tmp/random_file of=/tmp/random_file_copy ; sync ; } ; } 2>> ddlog
...
38. About FAS RC
Our OpenNebula setup:
- OpenNebula and Ceph hardware
- Network setup
Our configuration with puppet:
- opennebula-puppet-module
- roles/profiles
- Config within OpenNebula
Context scripts / load testing
Use cases for OpenNebula at RC
Things we’d love to see
Agenda
39. Use cases in RC
● Streamlining and centralizing management of VMs
● Creating test VMs: with OpenNebula it is much easier to create and manage the one-off VMs needed to test something out (making it less likely that we need to test in production)
● Automatically spinning up VMs to test code: when making a change in Puppet, have a git hook do a test run first in temporary OpenNebula VMs for each category of system we have
● OneFlow templates, and HA for client applications by leveraging the two datacenters
● Elastic HPC: spin up and down compute nodes as needed
40. About FAS RC
Our OpenNebula setup:
- OpenNebula and Ceph hardware
- Network setup
Our configuration with puppet:
- opennebula-puppet-module
- roles/profiles
- Config within OpenNebula
Context scripts / load testing
Use cases for OpenNebula at RC
Things we’d love to see
Agenda
41. Things we’d love to see
● Confining certain VLANs to certain hosts without segmenting into clusters (VLANs and datastores can be in multiple clusters in 5.0)
● Folders or other groupings on the VM list, template list, security groups, etc., to organize large numbers of them in the Sunstone view (labels coming in 5.0)
● Image resize, not just when launching a VM (coming in 5.0)
● oneimage upload from the CLI - not just specifying a path local to the frontend
● onefile update from the CLI
● Dynamic security groups with auto commit (coming in 5.0)
● Private VLAN / router handling (with certain 802.1Q VLAN IDs trunked to hypervisors; coming in 5.0)
● Changelog on onetemplates, onevm actions, etc. (it's possible to see the user in oned.log but not the changes)
● Sunstone: show the VM name, not just the ID, when taking an action such as shutdown
● Sunstone: change the name of “shutdown” to describe what will actually happen for non-persistent VMs
● Sunstone: show the eth0 IP on the VM info page, or add a copy button for the IP from the VM list page
● Move Ctrl-Alt-Del button away from the X button to close VNC (or prompt for confirmation)