Staff / Settings / OpenStack

To connect Fleio to OpenStack you need to configure CREDENTIALS, NOTIFICATIONS, and possibly DEFAULTS.

CREDENTIALS

../_images/openstack-credentials.png

See how to obtain your cloud’s OpenStack credentials, and fill in the fields as described below.

  • Keystone auth URL - the OpenStack API URL for the Keystone service. Only Keystone version 3 is supported.

  • Administrator username - OpenStack admin username. Fleio requires full administrator credentials.

  • Password - OpenStack admin password.

  • Administrator project ID - admin project ID. This in a UUID, e.g., b36c5c45d0824b7f92c9545d114c3485, and it is used for the OpenStack admin user authentication.

  • Administrator domain ID - default OpenStack authentication domain. This is usually domain.

  • Default API interface - select the type of API to use when connecting to OpenStack.

  • When Verify API SSL certificates is checked, connection to OpenStack fails if the SSL certificate is not valid.

Press the TEST CONNECTION button to confirm that authentication details are correct and Fleio can successfully connect to OpenStack.

To download an openrc file which can be used for the openstack command line client, press GET OPENRC FILE. For security reasons, the password is not included in the file.

To save the credentials and initiate a sync process, press SAVE & SYNC.

NOTIFICATIONS

Before filling in the fields from the NOTIFICATIONS tab, make sure:

../_images/openstack-notifications.png

Important

Test connections button from the Notifications tab does not confirm that RabbitMQ messages are received by Fleio. This only confirms that Fleio can connect and authenticate to the provided RabbitMQ URL(s). The test if notifications are working, please see How to check if OpenStack notifications are working.

Warning

Notification pool name must be unique per RabbitMQ vhost. If you have two Fleio installations that use the same pool name, some notifications are be lost.

Region notification settings

Fleio can be configured to fetch notifications from multiple RabbitMQ servers. If you have multiple OpenStack regions each with its own RabbitMQ you should configure Fleio to connect to each region.

For each region you can configure one or more RabbitMQ URLs. When Fleio receives a notification it assigns the region associated with that URL to the notification.

Multiple regions region is a special case added for compatibility. See Fleio collector documentation below.

../_images/openstack-region-notifications.png

Forwarding RabbitMQ messages

For Fleio to connect directly to the internal RabbitMQ server from each OpenStack region, it needs access to the private OpenStack subnet and this may pose a security issue.

This can be avoided if you have an intermediary RabbitMQ installation and forward messages to it. Fleio can than connect to this intermediary RabbitMQ installation and no longer needs access to private OpenStack subnet. RabbitMQ Shovel plugin (see https://www.rabbitmq.com/shovel.html) can be used to accomplish this.

If you have a multi-region OpenStack setup, and you are using only one intermediary RabbitMQ installation then you need to forward messages from each region to a separate virtual host in this intermediary RabbitMQ installation and add separate region notification settings for each virtual host in Fleio.

Fleio collector

Warning

Deprecated since version 2023.09: Fleio collector is deprecated and will be removed in the following months. Use Option B: RabbitMQ Shovel and intermediary RabbitMQ instead.

Fleio collector is deprecated and will not receive updates anymore. If you still use Fleio collector you should select Multiple regions when adding new region configuration. When this setting is used Fleio looks for fleio_region field in the message context to determine the region. The fleio_region field is populated by Fleio collector.

See Fleio collector for more details.

DEFAULTS

Various default settings are available in this tab.

../_images/openstack-defaults.png

API timeout defines the number of seconds to wait for OpenStack API to reply.

Gnocchi resource types timeout - How many seconds to wait for Gnocchi resource types API to reply.

When Fleio automatically creates a project on end-user sign-up, the OpenStack admin user is added to this project with the Default role names. For security reasons, when the end-user performs an action, like OpenStack instance create, admin authenticates on the end-user project. This is why admin has to have the necessary roles on each OpenStack project that is associated with a Fleio service. It is important to use a normal roles without administrative privileges. In most OpenStack installations the default roles are _member_ and/or member.

Field Default region name defines the default region to use when Fleio connects to the OpenStack API when the API call is not specific to a particular region.

Projects default domain is the domain where all new OpenStack projects are created. default domain is usually present in all OpenStack installations. Note that this is the domain ID, not its name.

Fields New projects name template and New projects description template are template strings used when projects are automatically created when a new client is created (through end-user sign-up or by staff users). Note that the project name has to be unique, otherwise OpenStack project creation fails.

Force config drive for instance creation - when Fleio creates a compute instance, config_drive param is always sent as True to Nova.

Auto allocated topology

When Hide projects and API users is checked, the list of projects (specified by project ID) are hidden from the Fleio UI together with the API users of these projects. The Administrator project ID specified in CREDENTIALS tab is automatically hidden.

When Use API username template is checked, you can define a template string in field API username template that is used when end-users create OpenStack API users. {{ api_user_username }} variable is the string filled in by the end-user.

When Hide images in other flavors’ scope on instance create is checked, images that are assigned to other flavors and are unavailable to be used with the selected flavor are hidden on the instance create form. Unchecking this, they would show as disabled with an explanation tooltip. If Hide unassigned images on instance create is checked, this field is ignored.

When Hide unassigned images on instance create is checked, unassigned images for a flavor are hidden on instance create form. Flavors without any assignment still display all images. When this is unchecked, other images show up on boot source selection if they are not assigned to other flavor than the selected one.

When Use instance availability zone for volume on instance create is checked, Availability zone field is hidden from volume create form and the instance availability zone (AZ) is used. If AZ name is not found in cinder, it is automatically selected by OpenStack.

Default PTR settings

../_images/openstack-ptr-settings.png

Fleio can set a default PTR record value (also known reverse DNS) to an IP address when the IP it is added or removed from an instance, including when the compute instance is created and an initial IP is allocated. This is useful when the previous user of the IP address has set a custom PTR and you want to reset it to a default value when the IP is assigned to another user. This feature requires that you have OpenStack Designate project installed.

Use PTR default format to set PTR record on IPv4s allocation/de-allocation. Leave empty so it won’t change PTR record on mentioned actions. You can use the following template examples: “{dashed_ip}.static.yourclouddomain.com”, “{dashed_ip}.{region}.static.yourclouddomain.com”.

Use PTR default format IPv6 to set PTR record on IPv6s allocation/de-allocation. Leave empty so it won’t change PTR record on mentioned actions. You can use the following template examples: “{dashed_ip}.static.yourclouddomain.com”, “{dashed_ip}.{region}.static.yourclouddomain.com”.

{dashed_ip} will be replaced with the actual IP address using dashes instead of dot, e.g., 127-0-0.1 and region with the related port region.

The Inverse address zone email field must be set if you are using PTR default format setting, and will be used when creating the DNS zone.

Check Force lowercase for PTR records to make sure to always use lowercase characters when setting PTR record.

VOLUME SIZE INCREMENTS

../_images/openstack-volume-size-increments.png

Using this form, you can define a minimum size and allowed size steps for each type of volume from each region. The default value is 1 GB for every volume type.

Field <<type>> size increments defines the step size that may be used when extending or shrinking a volume. For example, some storage types allow a minimum of 8GB when increasing or decreasing the available space. The default value is 1 GB for every volume type.

<<type>> minimum size value is enforced when creating a volume. The value should be greater than zero and a multiple of volume <<type>> size increment.

Note

OpenStack automatically rounds up the volume size if invalid values are provided.

These limits only apply in Fleio. If an end-user creates or resizes a volume directly using the OpenStack API, these limits are ignored.

DISCOVERED SERVICES

The DISCOVERED SERVICES tab lists all discovered services grouped by region and weather they are supported by Fleio along with minimum and maximum supported version. If an OpenStack service is not found (e.g., load-balancer) or if the service version is not supported, a red exclamation mark is shown next to the service.

../_images/openstack-discovered-services.png

Note

To learn how to connect Fleio to your OpenStack cloud, see Connect Fleio to OpenStack.

ADVANCED

We call “ghost (billing) resources” OpenStack resources that were deleted from OpenStack and are still (wrongly) charged by Fleio. Ghost billing resources are left in the Fleio database when something went wrong, e.g. notification was not received from OpenStack, or it was wrongly processed by the “updated” Fleio container.

If you check End ghost usage on sync, fleio sync script checks for ghost billing resources after syncing the list of OpenStack objects (e.g. volumes). To avoid concurrency issues, on the first sync run, they are marked as potential ghost billing resources, and on a subsequent run they are ended (the billing end timestamp is set to “now”). This means that you must run “fleio sync” twice to end billing ghost resources after checking End ghost usage on sync.