Saturday, August 6, 2022

Adventures of a Small Time OpenStack Sysadmin Chapter 039 - Horizon Web UI Service and Keystone Identity Service Doubleheader

Adventures of a Small Time OpenStack Sysadmin relate the experience of converting a small VMware cluster into two small OpenStack clusters, and the adventures and friends I made along the way.

This is a doubleheader on Horizon and Keystone because there's not much to say about them, so I combined them into a single day's post.

First, links to some reference docs I used:

Horizon Docs Page

https://docs.openstack.org/horizon/yoga/

Kolla-Ansible Deployment Configuration Reference for Horizon

https://docs.openstack.org/kolla-ansible/yoga/reference/shared-services/horizon-guide.html

Keystone Docs Page

https://docs.openstack.org/keystone/yoga/

Kolla-Ansible Deployment Configuration Reference for Keystone

https://docs.openstack.org/kolla-ansible/yoga/reference/shared-services/keystone-guide.html

Not much to improve on Horizon.  Sorry.  Just works.

Keystone Unified Limits

https://docs.openstack.org/keystone/yoga/admin/unified-limits.html

There don't seem to be any unified limits set by default?  It seems all limits are set by default in compute / volume / network.  I ended up configuring all my quotas in HEAT stacks for each project and that works really well for me.  Someday when I am really bored I will experiment with the unified limit system.

Keystone Federation

After Plan 3.0 is completely set up, I will have two Kolla-Ansible Keystones, one for each of the two OpenStack clusters, and I can federate them in some way to permit some level of interop.  But this is early Plan 2.0 era, so Keystone Federation is a story for a later post.

Keystone Active Directory

I have a working Active Directory system and at some point I COULD use that as an authentication source for Keystone.  My experience with this strategy from VMware days is this MIGHT be unwise if I'm running my AD DCs on OpenStack and there's an OpenStack problem and the ADs are not running and I can't log into OpenStack to fix the broken ADs.  So if I ever do this, I'm just going to play around with it.  Yes, I have two clusters, both with multiple DCs on them, but doing this is just tempting fate...  Maybe if I had even one backup bare metal AD DC unrelated to the OpenStack clusters...

Keystone Heat Templates

I find it pretty easy to orchestrate my projects and access to them in Heat Templates; see this link for details:

https://gitlab.com/SpringCitySolutionsLLC/openstack-scripts/-/blob/master/projects/projects/projects.yml

Note above that I set my quotas in the projects themselves.  Over the past months I've been indecisive about whether I should split out all project creation into the project templates or keep project creation centralized like it currently is.
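
For readers who don't want to click through, here is a sketch of the pattern described above: one Heat stack that creates a project, pins its compute / volume / network quotas, and grants one user access. This is an added example, not the author's projects.yml; the project name, user name, role name and quota numbers are all assumed placeholders.

```yaml
heat_template_version: 2018-08-31

description: >
  Added example (not the linked projects.yml): a project, its quotas and
  one role assignment kept together in a single stack.

parameters:
  project_name:
    type: string
    default: example-project    # hypothetical project name
  member_user:
    type: string
    default: example-user       # hypothetical; must already exist in Keystone

resources:
  project:
    type: OS::Keystone::Project
    properties:
      name: { get_param: project_name }
      domain: default
      enabled: true

  compute_quota:                # values below are illustrative only
    type: OS::Nova::Quota
    properties:
      project: { get_resource: project }
      instances: 10
      cores: 20
      ram: 40960                # MB

  volume_quota:
    type: OS::Cinder::Quota
    properties:
      project: { get_resource: project }
      volumes: 10
      gigabytes: 500

  network_quota:
    type: OS::Neutron::Quota
    properties:
      project: { get_resource: project }
      network: 5
      floatingip: 4

  member_access:                # grant only the role the user needs
    type: OS::Keystone::UserRoleAssignment
    properties:
      user: { get_param: member_user }
      roles:
        - role: member          # assumed role name
          project: { get_resource: project }
```

With default policies these resource types need admin credentials to create, so a stack like this is launched from an admin-scoped session rather than from inside the project it defines.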

Overall Horizon and Keystone were trouble free to install and operate, and have been reliable in operation.

Tomorrow, Nova Compute Service.

Stay tuned for the next chapter!
