Undercloud Installation

This section contains instructions on how to install the undercloud and how to update components after installation.

Installing the Undercloud

  1. Log in to your machine (baremetal or VM) where you want to install the undercloud as a non-root user (such as the stack user):

    ssh <non-root-user>@<undercloud-machine>

    Note

    If you don’t have a non-root user created yet, log in as root and create one with following commands:

    sudo useradd stack
sudo passwd stack  # specify a password

echo "stack ALL=(root) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/stack
sudo chmod 0440 /etc/sudoers.d/stack

su - stack

    Note

    The undercloud is intended to work correctly with SELinux enforcing, and cannot be installed to a system with SELinux disabled. If SELinux enforcement must be turned off for some reason, it should instead be set to permissive.

    Note

    vlan tagged interfaces must follow the if_name.vlan_id convention, like for example: eth0.vlan100 or bond0.vlan120.

    Baremetal

    Ensure that there is a FQDN hostname set and that the $HOSTNAME environment variable matches that value.

    Use hostnamectl to set a hostname if needed:

    sudo hostnamectl set-hostname myhost.mydomain
sudo hostnamectl set-hostname --transient myhost.mydomain

    An entry for the system’s FQDN hostname is also needed in /etc/hosts. For example, if the system is named myhost.mydomain, /etc/hosts should have an entry like:

    127.0.0.1   myhost.mydomain myhost

  2. Enable needed repositories:

RHEL

Enable optional repo:

sudo yum install -y yum-utils
sudo yum-config-manager --enable rhelosp-rhel-7-server-opt

Enable epel:

sudo yum -y install epel-release

Enable last known good RDO Trunk Delorean repository for core openstack packages

sudo curl -o /etc/yum.repos.d/delorean.repo http://trunk.rdoproject.org/centos7/current-tripleo/delorean.repo

Enable latest RDO Trunk Delorean repository only for the TripleO packages

sudo curl -o /etc/yum.repos.d/delorean-current.repo http://trunk.rdoproject.org/centos7/current/delorean.repo
sudo sed -i 's/\[delorean\]/\[delorean-current\]/' /etc/yum.repos.d/delorean-current.repo
sudo /bin/bash -c "cat <<EOF>>/etc/yum.repos.d/delorean-current.repo

includepkgs=diskimage-builder,instack,instack-undercloud,os-apply-config,os-cloud-config,os-collect-config,os-net-config,os-refresh-config,python-tripleoclient,tripleo-common,openstack-tripleo-heat-templates,openstack-tripleo-image-elements,openstack-tripleo,openstack-tripleo-puppet-elements,openstack-puppet-modules
EOF"

Enable the Delorean Deps repository

sudo curl -o /etc/yum.repos.d/delorean-deps.repo http://trunk.rdoproject.org/centos7/delorean-deps.repo

Stable Branch

Skip all repos mentioned above, other than epel-release which is still required.

Enable latest RDO Stable Delorean repository for all packages

sudo curl -o /etc/yum.repos.d/delorean-liberty.repo https://trunk.rdoproject.org/centos7-liberty/current/delorean.repo

Enable the Delorean Deps repository

sudo curl -o /etc/yum.repos.d/delorean-deps-liberty.repo http://trunk.rdoproject.org/centos7-liberty/delorean-deps.repo

  1. Install the yum-plugin-priorities package so that the Delorean repository takes precedence over the main RDO repositories:

    sudo yum -y install yum-plugin-priorities

  2. Install the TripleO CLI, which will pull in all other necessary packages as dependencies:

    sudo yum install -y python-tripleoclient

  3. Run the script to install the undercloud:

Baremetal

Copy in the sample configuration file and edit it to reflect your environment:

cp /usr/share/instack-undercloud/undercloud.conf.sample ~/undercloud.conf

Source

Git checkouts of the puppet modules can be used instead of packages. Export the following environment variable:

export DIB_INSTALLTYPE_puppet_modules=source

It is also possible to use this functionality to use an in-progress review as part of the undercloud install. See Using an In-Progress Review for details.

SSL

To enable SSL on the undercloud, you must set the undercloud_service_certificate option in undercloud.conf to an appropriate certificate file. Important: The certificate file’s Common Name must be set to the value of undercloud_public_vip in undercloud.conf.

If you do not have a trusted CA signed certificate file, you can alternatively generate a self-signed certificate file using the following commands:

openssl genrsa -out privkey.pem 2048

The next command will prompt for some identification details. Most of these don’t matter, but make sure the Common Name entered matches the value of undercloud_public_vip in undercloud.conf:

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 365

Combine the two files into one for HAProxy to use. The order of the files in this command matters, so do not change it:

cat cacert.pem privkey.pem > undercloud.pem

Move the file to a more appropriate location and set the SELinux context:

sudo mkdir /etc/pki/instack-certs
sudo cp undercloud.pem /etc/pki/instack-certs
sudo semanage fcontext -a -t etc_t "/etc/pki/instack-certs(/.*)?"
sudo restorecon -R /etc/pki/instack-certs

undercloud_service_certificate should then be set to /etc/pki/instack-certs/undercloud.pem.

Add the self-signed CA certificate to the undercloud system’s trusted certificate store:

sudo cp cacert.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract

Install the undercloud:

openstack undercloud install

Once the install has completed, you should take note of the files stackrc and undercloud-passwords.conf. You can source stackrc to interact with the undercloud via the OpenStack command-line client. undercloud-passwords.conf contains the passwords used for each service in the undercloud. These passwords will be automatically reused if the undercloud is reinstalled on the same system, so it is not necessary to copy them to undercloud.conf.

Note

Any passwords set in undercloud.conf will take precedence over the ones in undercloud-passwords.conf.

Note

openstack undercloud install can be rerun to reapply changes from undercloud.conf to the undercloud. Note that this should not be done if an overcloud has already been deployed or is in progress.

Updating Undercloud Components

You can upgrade any packages that are installed on the undercloud machine.

  1. Remove all Delorean repositories:

    sudo rm /etc/yum.repos.d/delorean*

  2. Enable new Delorean repositories:

Enable last known good RDO Trunk Delorean repository for core openstack packages

sudo curl -o /etc/yum.repos.d/delorean.repo http://trunk.rdoproject.org/centos7/current-tripleo/delorean.repo

Enable latest RDO Trunk Delorean repository only for the TripleO packages

sudo curl -o /etc/yum.repos.d/delorean-current.repo http://trunk.rdoproject.org/centos7/current/delorean.repo
sudo sed -i 's/\[delorean\]/\[delorean-current\]/' /etc/yum.repos.d/delorean-current.repo
sudo /bin/bash -c "cat <<EOF>>/etc/yum.repos.d/delorean-current.repo

includepkgs=diskimage-builder,instack,instack-undercloud,os-apply-config,os-cloud-config,os-collect-config,os-net-config,os-refresh-config,python-tripleoclient,tripleo-common,openstack-tripleo-heat-templates,openstack-tripleo-image-elements,openstack-tripleo,openstack-tripleo-puppet-elements,openstack-puppet-modules
EOF"

Enable the Delorean Deps repository

sudo curl -o /etc/yum.repos.d/delorean-deps.repo http://trunk.rdoproject.org/centos7/delorean-deps.repo

Stable Branch

Skip all repos mentioned above, other than epel-release which is still required.

Enable latest RDO Stable Delorean repository for all packages

sudo curl -o /etc/yum.repos.d/delorean-liberty.repo https://trunk.rdoproject.org/centos7-liberty/current/delorean.repo

Enable the Delorean Deps repository

sudo curl -o /etc/yum.repos.d/delorean-deps-liberty.repo http://trunk.rdoproject.org/centos7-liberty/delorean-deps.repo

  1. Use yum to update all installed packages:

    sudo yum update -y

# You can specify the package names to update as options in the yum update command.

    Note

    You do not need to restart any services after you update.

  2. Proceed with Updating Packages on Overcloud Nodes.