===========
Setup Fleio
===========

Open ``http://mydomain/staff`` and log in with the admin user and password created earlier.

Connect Fleio to OpenStack
==========================

All parameters that you need to define in Fleio in order to connect to your OpenStack controller are described below.

We will guide you on how to find the required values by running commands on your running OpenStack controller and by looking at the configuration of each service: nova, glance, neutron, cinder.

Open the configuration panel by clicking on Settings and then OpenStack Settings.

* :ref:`credentials`
* :ref:`notifications`
* :ref:`defaults`

.. _credentials:

Credentials
-----------

The **Credentials** settings are required in order to connect to OpenStack as an administrator. These credentials are used by Fleio to set up new projects and perform administrative tasks.

**Fleio requires an OpenStack admin user with full access to the entire cloud and to all operations.**

Keystone auth URL
-----------------

OpenStack provides endpoints for different services, but in this section we are interested in the endpoint of the identity service (Keystone).

Connect to your OpenStack controller and run the following command.

.. code-block:: bash
  :emphasize-lines: 2,7

  openstack endpoint list # retrieves the entire list of endpoints (URLs) for all services
  openstack endpoint list --service identity -c Interface -c URL
  +-----------+------------------------------+
  | Interface | URL                          |
  +-----------+------------------------------+
  | admin     | http://172.29.236.2:35357/v3 |
  | public    | http://172.29.236.2:5000/v3  |
  | internal  | http://172.29.236.2:5000/v3  |
  +-----------+------------------------------+

Alternatively, if your OpenStack client is too old, you can use the python-keystoneclient's ``keystone endpoint-list`` command.
In our case we are going to use the public interface and we will specify in the **Keystone auth URL** field the value ``http://172.29.236.2:5000/v3``

Administrator username
----------------------

The **Administrator username** field is the administrator username that you use in your environment; usually this is ``admin``. It can be found by looking at the openrc or adminrc file, usually generated when installing OpenStack.

.. code-block:: bash
  :emphasize-lines: 2

  grep OS_USERNAME openrc
  export OS_USERNAME=admin

We will specify in this field the value ``admin``.

Administrator password
----------------------

In the **Administrator password** field type the password for the administrator username that we specified earlier. It can be found by looking at the openrc or adminrc file.

.. code-block:: bash
  :emphasize-lines: 2

  grep OS_PASSWORD openrc
  export OS_PASSWORD=OpenStackPassword

We will specify in this field the found value ``OpenStackPassword``.

Administrator project ID
------------------------

In the username field we specified ``admin`` as the value. In this field we need to specify the ID of the project in which this username has an administrative role. To find out the value, please run the following command on your controller.

.. code-block:: bash
  :emphasize-lines: 1,2

  openstack project list | grep admin
  | 986c6adb50f2419c8feb034217ddc6eb | admin |

We will specify in this field the value ``986c6adb50f2419c8feb034217ddc6eb``.

Administrator domain ID
-----------------------

In most OpenStack installations the user domain ID is ``default``, but it may be different in your case.

On the controller, run the following command:

.. code-block:: bash
  :emphasize-lines: 1,6

  openstack domain list -c ID -c Name
  +----------------------------------+---------+
  | ID                               | Name    |
  +----------------------------------+---------+
  | 969ed4676ebd4eb1801f175ad42a91c0 | heat    |
  | default                          | Default |
  +----------------------------------+---------+

We will specify in this field the ID value: ``default``.

Verify API SSL certificates
---------------------------

Fleio can verify the validity of SSL certificates by using the ``certifi`` Python library, which contains the Mozilla CA Bundle. Certificate validation will work if all endpoints are hosts (unlike in our example) with valid SSL certificates set up.

If you have set up SSL certificates and would also like to check their validity, check this option.

.. _notifications:

Notifications
-------------

Fleio keeps track of OpenStack resources by receiving notifications from OpenStack services like Nova, Glance, Cinder and Neutron.

Without notifications Fleio is unable to display accurate information related to running instances, available volumes, images or networks.

Each OpenStack installation has at least one messaging broker. This is usually the RabbitMQ broker; however, ZeroMQ and other brokers are supported.

.. _openstack-notifications-url:

Notifications URLs
------------------

Fleio needs one or more URLs to be able to connect to the OpenStack messaging queue service (usually RabbitMQ) in order to listen for events from OpenStack services like Nova, Neutron, Glance or Cinder.

For security reasons it is better to create a different username. If you already have a username and password, please specify a complete URL in this field in the accepted URI format.

As an example, for RabbitMQ, you can enter multiple URLs of the form: ``rabbit://username:password@rabbitmqHost/``

Multiple URLs are usually required if you have multiple messaging queue servers for each service or multiple virtual hosts.
Our demo setup has multiple virtual hosts, one for each service, so we should enter the following URLs:

.. code-block:: bash

  rabbit://username:password@rabbitmqHost//nova
  rabbit://username:password@rabbitmqHost//neutron
  rabbit://username:password@rabbitmqHost//glance
  rabbit://username:password@rabbitmqHost//cinder

Please note that the URLs should be specified one per line, without ``,`` or other characters at the end.

.. note::
  Whether all your OpenStack services use the same RabbitMQ queue (so a single URL in Fleio settings)
  or multiple queues (multiple URLs needed in your Fleio settings) depends on the OpenStack installation method.
  If you are using the :ref:`Fleio collector`, you will have just one notifications URL.

.. warning::
  If you have more than one OpenStack region the :ref:`Fleio collector` is mandatory. Fleio will not work correctly if you
  add multiple RabbitMQ connection URLs from multiple regions. Use multiple URLs only if you have a single region and your
  OpenStack services are using different queues (instead of one RabbitMQ queue for all services).

If you want to create a new user and password (in RabbitMQ), please run the following command on your controller or on your message queue service server.

.. code-block:: bash

  rabbitmqctl add_user fleio TYPEPASSWORD

We also have to set up permissions for the ``fleio`` user on the different virtual hosts that your Nova, Neutron, Glance and Cinder services may be configured to use.

.. code-block:: bash

  rabbitmqctl list_vhosts
  Listing vhosts ...
  /neutron
  /heat
  /keystone
  /
  /cinder
  /nova
  /glance
  /ceilometer

  rabbitmqctl set_permissions fleio -p /neutron ".*" ".*" ".*" #repeat for every vhost

Notifications topic
-------------------

The default value for the notifications topic is ``notifications``. Each OpenStack service sends notifications to this topic.

If we installed the :ref:`fleio-collector` service (usually in a multi-region setup) we should use the topic where the Fleio collector services send the notifications.
For fleio-collector, ``fleio`` is the default topic.

We can also enter multiple values separated by a single ``,`` character. For example, we can input ``notifications, fleio`` as a valid value.

Notifications exchange
----------------------

Each OpenStack service uses an exchange.

The default value is: ``nova, openstack, neutron, glance``

Do note that Cinder uses ``openstack`` as its exchange name, unlike the other services.

Multiple exchange names can be entered, as shown above, each separated by ``,``

Notifications pool name
-----------------------

Fleio can listen for notifications on the ``notifications`` topic directly. However, when Ceilometer is installed, Ceilometer also listens on the ``notifications`` topic.

This means that messages will be split between Ceilometer and Fleio, and neither service will receive all the notifications.

Specifying a pool name will ensure that all notifications are received by Fleio.

In our setup, we will use: ``fleio-pool``

.. _defaults:

Defaults
--------

Various other uncategorized settings are listed below. These do not usually require modifications, but you can modify them as you wish.

Default role name
-----------------

The default role is used for authentication in OpenStack when a user performs an action like creating an instance or deleting a volume. It is important to use a normal role without administrative privileges.

In most OpenStack installations the default role is ``_member_``.

Using the ``openstack`` client, run the following command to see all the available roles:

.. code-block:: bash
  :emphasize-lines: 1,8

  openstack role list
  +----------------------------------+------------------+
  | ID                               | Name             |
  +----------------------------------+------------------+
  | 1641b1f3053b4d7a8bbc71be1c641695 | admin            |
  | 6a347bea8f234052813d651d4f82681b | heat_stack_owner |
  | 72fc4df09618461d9d31837b4e96f2a4 | heat_stack_user  |
  | 9fe2ff9ee4384b1894a90878d3e92bab | _member_         |
  +----------------------------------+------------------+

If the ``_member_`` role is not present, you can simply create it with the following command:

.. code-block:: bash
  :emphasize-lines: 1

  openstack role create _member_

We will use the value ``_member_`` for our Fleio configuration.

Default region name
-------------------

In this section we are going to set up the default region where all your virtual servers are going to be provisioned by default. To find out the names of all regions, run the following command:

.. code-block:: bash
  :emphasize-lines: 1,5

  openstack endpoint list -c Region
  +-----------+
  | Region    |
  +-----------+
  | RegionOne |
  +-----------+

We will specify in this field the value ``RegionOne``.

Projects default domain
-----------------------

The OpenStack domain where all projects will be automatically created.

We recommend using the default project since it's usually present in all OpenStack installations. Do note that this is the domain ID, not its name.

.. code-block:: bash
  :emphasize-lines: 1,5

  openstack domain list
  +----------------------------------+---------+---------+--------------------+
  | ID                               | Name    | Enabled | Description        |
  +----------------------------------+---------+---------+--------------------+
  | default                          | Default | True    | The default domain |
  +----------------------------------+---------+---------+--------------------+

Force config drive for instance creation
----------------------------------------

When an instance is created from Fleio, the ``config_drive`` parameter is always sent as ``True`` to nova.

Hide projects and API users
---------------------------

Checking this will hide all projects specified by IDs. The administrator project ID specified in the credentials tab will be automatically included in this list. API users for these projects will also be hidden.

Prefix API users with username
------------------------------

Checking this will prefix OpenStack API users with the currently logged in Fleio user name. This only applies to end-users; API users created by staff will not be prefixed.
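
Added example: checking the notifications URLs
----------------------------------------------

This example is added here and is not part of Fleio. It checks a **Notifications URLs** value against the rules given in that section (one ``rabbit://`` URL per line, nothing after it, a user that is not shared with other services), prints the URLs with the password masked, and emits ``set_permissions`` lines for only the virtual hosts the URLs reference. The ``shared_users`` parameter, the ``openstack`` account name, the sample password and the rule that the vhost is the URL path minus its first ``/`` are assumptions of this example.

```python
from urllib.parse import urlsplit, unquote

# Constructed field value: one good URL, one with a trailing comma, and one
# that reuses "openstack", a made-up account shared with the OpenStack services.
SAMPLE = """\
rabbit://fleio:S3cret@rabbitmqHost//nova
rabbit://fleio:S3cret@rabbitmqHost//neutron,
rabbit://openstack:S3cret@rabbitmqHost/
"""

def parse_notification_urls(text, shared_users=("openstack",)):
    """Return (entries, problems) for a one-URL-per-line field value."""
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line[-1] in ",;":
            problems.append(f"line {n}: trailing {line[-1]!r} after the URL")
            line = line.rstrip(",;")
        u = urlsplit(line)
        if u.scheme != "rabbit" or not u.hostname or not u.username:
            problems.append(f"line {n}: expected rabbit://username:password@host/")
            continue
        if u.username in shared_users:
            problems.append(f"line {n}: reuses shared account {u.username!r}")
            continue
        # Assumption: the vhost is the path minus its first "/", so "//nova"
        # names the vhost "/nova" and a bare "/" means the default vhost "/".
        vhost = unquote(u.path[1:]) or "/"
        hostport = u.netloc.rpartition("@")[2]
        entries.append({"user": u.username, "vhost": vhost,
                        "redacted": f"rabbit://{u.username}:***@{hostport}{u.path}"})
    return entries, problems

def permission_commands(entries):
    """rabbitmqctl lines (page's form) for only the vhosts the URLs reference."""
    pairs = sorted({(e["user"], e["vhost"]) for e in entries})
    return [f'rabbitmqctl set_permissions {user} -p {vhost} ".*" ".*" ".*"'
            for user, vhost in pairs]

if __name__ == "__main__":
    entries, problems = parse_notification_urls(SAMPLE)
    for e in entries:
        print(e["redacted"], "-> vhost", e["vhost"])
    for p in problems:
        print("WARN", p)
    print("\n".join(permission_commands(entries)))
```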
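
Added example: endpoint certificate checks
------------------------------------------

This example is added here and is not part of Fleio. It reads the endpoint table from the **Keystone auth URL** section and lists, for each endpoint, why the **Verify API SSL certificates** option could not protect it as configured, which is the "unlike in our example" remark made concrete. The function names are this example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed input: the endpoint table shown in the Keystone auth URL section.
ENDPOINT_TABLE = """\
+-----------+------------------------------+
| Interface | URL                          |
+-----------+------------------------------+
| admin     | http://172.29.236.2:35357/v3 |
| public    | http://172.29.236.2:5000/v3  |
| internal  | http://172.29.236.2:5000/v3  |
+-----------+------------------------------+
"""

def parse_table(text):
    """Turn the CLI's ASCII table into a list of dicts keyed by column name."""
    rows = [[cell.strip() for cell in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]

def verification_blockers(url):
    """Reasons certificate verification cannot protect this endpoint URL."""
    u = urlsplit(url)
    reasons = []
    if u.scheme != "https":
        reasons.append("not https: no certificate is presented, traffic is cleartext")
    try:
        ipaddress.ip_address(u.hostname or "")
        reasons.append("IP literal: the certificate must list this address as a SAN")
    except ValueError:
        pass  # a DNS name, which is what CA-issued certificates normally cover
    return reasons

def audit(table_text):
    """Map (interface, url) to the list of blockers found for that endpoint."""
    return {(row["Interface"], row["URL"]): verification_blockers(row["URL"])
            for row in parse_table(table_text)}

if __name__ == "__main__":
    for (interface, url), reasons in audit(ENDPOINT_TABLE).items():
        print(f"{interface:9} {url}: {'; '.join(reasons) or 'ok'}")
```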
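
Added example: notifications pool name
--------------------------------------

This example is added here and is not part of Fleio or of any messaging library. It models the splitting described in the **Notifications pool name** section: listeners that share a queue take turns, while a listener with its own pool gets a copy of every message. The queue-naming rule in ``deliver`` is a simplifying assumption, and the event names are constructed samples.

```python
from collections import defaultdict
from itertools import cycle

def deliver(listeners, events, topic="notifications"):
    """Simplified broker model (an assumption of this example): a listener
    without a pool consumes from the queue named after the topic; a listener
    with a pool consumes from a queue named after the pool. Every queue gets
    a copy of each event; listeners on the same queue take turns."""
    queues = defaultdict(list)
    for name, pool in listeners:
        queues[pool or topic].append(name)
    turns = {queue: cycle(members) for queue, members in queues.items()}
    received = defaultdict(list)
    for event in events:
        for queue in queues:
            received[next(turns[queue])].append(event)
    return dict(received)

# Constructed sample events in the style of Nova instance notifications.
EVENTS = ["compute.instance.create.end", "compute.instance.resize.end",
          "compute.instance.power_off.end", "compute.instance.delete.end"]

def missed_by_fleio(fleio_pool):
    """Events Fleio never sees when Ceilometer listens on the same topic."""
    listeners = [("ceilometer", None), ("fleio", fleio_pool)]
    got = deliver(listeners, EVENTS).get("fleio", [])
    return [event for event in EVENTS if event not in got]

if __name__ == "__main__":
    print("no pool    :", missed_by_fleio(None))
    print("fleio-pool :", missed_by_fleio("fleio-pool"))
```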