HOL-1720-SDC-1 - VMware Integrated OpenStack (VIO)

Table of ContentsLab Overview - HOL-1720-SDC-1 - VMware Integrated OpenStack (VIO) with vSphere andNSX ................................................................................................................................... 3

Lab Guidance .......................................................................................................... 4Module 1 - Introduction to VMware Integrated OpenStack (VIO) (30 minutes) .................9

OpenStack Basics.................................................................................................. 10VMware Integration Openstack (VIO) .................................................................... 14VIO Architectural Components .............................................................................. 17What's New with VIO 2.5....................................................................................... 19Conclusion............................................................................................................. 22

Module 2 -Getting Started with VIO (60 minutes) ........................................................... 23Review VIO Deployment........................................................................................ 24Access VIO ............................................................................................................ 30Projects and Users................................................................................................. 42User Instance ........................................................................................................ 55Volumes ................................................................................................................ 64vCenter Client and Openstack .............................................................................. 83Environment Cleanup............................................................................................ 85Conclusion............................................................................................................. 87

Module 3 - VIO Networking - Basic Networking (60 Minutes) ..........................................88Module Objectives & Introduction ......................................................................... 89Environment Setup ............................................................................................... 93Logical Networks................................................................................................... 96Logical Routers.................................................................................................... 103Tenant Instances ................................................................................................. 112Floating IP Address.............................................................................................. 119Security Groups................................................................................................... 125Load Balancer ..................................................................................................... 136Environment Clean-Up ........................................................................................ 162Conclusion........................................................................................................... 166

Module 4 - VIO Networking - Advanced Networking (60 Minutes) .................................167Advanced Networking ......................................................................................... 168Conclusion........................................................................................................... 203

Module 5 - Leveraging Advanced OpenStack Features (60 Minutes) ............................204Environment Setup ............................................................................................. 205CLI Tools: Nova, Neutron, Cinder ......................................................................... 208Working with Glance Image Catalogs.................................................................. 224API Consumption: Heat Templates, Container Deployment.................................237Conclusion........................................................................................................... 248

Module 6 - Using VMware vRealize Solutions to Operationalize OpenStack (30Minutes) ........................................................................................................................ 249

Overview of OpenStack Operations, Log Insight, and vRealize Operations.........250Troubleshooting with Log Insight and vRealize Operations .................................253

HOL-1720-SDC-1

HOL-1720-SDC-1

Conclusion........................................................................................................... 290

HOL-1720-SDC-1

HOL-1720-SDC-1

Lab Overview -HOL-1720-SDC-1 -

VMware IntegratedOpenStack (VIO) with

vSphere and NSX

HOL-1720-SDC-1

HOL-1720-SDC-1

Lab GuidanceNote: It will take more than 90 minutes to complete this lab. You should expect to onlyfinish 2-3 of the modules during your time. The modules are independent of each otherso you can start at the beginning of any module and proceed from there. You can usethe Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the LabManual.

In this Hands-On-Lab we provide you with an introduction to VIO, demonstratehow it integrates with NSX and vRealize Operations. We let you take thereigns in launching workloads, attaching volumes, create logical networks,create security policies and consume LBaaS. All of this while providinggranular visibility and reporting.

Lab Captains:

• Amit Kumar Agrawal - Staff Systems Engineer, USA• Melanie Spencer - Staff Systems Engineer, USA• Tom Schwaller - Staff Systems Engineer, Germany

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages. To set your language preference and havea localized manual deployed with your lab, you may utilize this document to help guideyou through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf

Lab Module List

If your goal is to complete the lab from start to finish, then it make more sense tocomplete the lab in chronological order. Otherwise, each module is designed in such away that it can be taken without completing other modules. For example, if your interestare with VIO Networking, then you do not need to complete Module 1 to try Module 2.

Lab Module List:

• Module 1 - Introduction to VMware Integrated OpenStack (VIO) (30 minutes)• Module 2 - Getting started with VIO (60 minutes)• Module 3 - VIO Networking - Basic Networking (60 minutes)

HOL-1720-SDC-1

HOL-1720-SDC-1

http://docs.hol.vmware.com

http://docs.hol.vmware.com/announcements/nee-default-language.pdf

• Module 4 - VIO Networking - Advanced Networking (60 minutes)• Module 5 - Leveraging Advanced OpenStack Feature (60 minutes)• Module 6 - Using VMware vRealize Solution to operationalize OpenStack (30

minutes)

Location of the Main Console

1. The area in the RED box contains the Main Console. The Lab Manual is on the tabto the Right of the Main Console.

2. A particular lab may have additional consoles found on separate tabs in the upperleft. You will be directed to open another specific console if needed.

3. Your lab starts with 90 minutes on the timer. The lab can not be saved. All yourwork must be done during the lab session. But you can click the EXTEND toincrease your time. If you are at a VMware event, you can extend your lab timetwice, for up to 30 minutes. Each click gives you an additional 15 minutes.Outside of VMware events, you can extend your lab time up to 9 hours and 30

minutes. Each click gives you an additional hour.

Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicatingthat Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved andrun on any platform. The Hands-on Labs utilizes this benefit and we are able to run the

HOL-1720-SDC-1

HOL-1720-SDC-1

labs out of multiple datacenters. However, these datacenters may not have identicalprocessors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoftlicensing requirements. The lab that you are using is a self-contained pod and does nothave full access to the Internet, which is required for Windows to verify the activation.Without full access to the Internet, this automated process fails and you see this

watermark.

This cosmetic issue has no effect on your lab.

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing itin, there are two very helpful methods of entering data which make it easier to entercomplex data.

Click and Drag Lab Manual Content Into Console ActiveWindow

<div class="player-unavailable"><h1 class="message">An error occurred.</h1><div class="submessage"><ahref="http://www.youtube.com/watch?v=xS07n6GzGuo" target="_blank">Try watching this video on www.youtube.com</a>, or enableJavaScript if it is disabled in your browser.</div></div>

HOL-1720-SDC-1

HOL-1720-SDC-1

You can also click and drag text and Command Line Interface (CLI) commands directlyfrom the Lab Manual into the active window in the Main Console.

Accessing the Online International Keyboard

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

Click once in active console window

In this example, you will use the Online Keyboard to enter the "@" sign used in emailaddresses. The "@" sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.2. Click on the Shift key.

HOL-1720-SDC-1

HOL-1720-SDC-1

Click on the @ key

1. Click on the "@" key.

Notice the @ sign entered in the active console window.

Look at the lower right portion of the screen

Please check to see that your lab is finished all the startup routines and is ready for youto start. If you see anything other than "Ready", please wait a few minutes. If after 5minutes you lab has not changed to "Ready", please ask for assistance.

HOL-1720-SDC-1

HOL-1720-SDC-1

Module 1 - Introduction toVMware IntegratedOpenStack (VIO) (30

minutes)

HOL-1720-SDC-1

HOL-1720-SDC-1

OpenStack BasicsThis lab will explore VMware's Integrated OpenStack.

Note: if you are already familiar with Openstack, then you can skip thischapter and proceed to the next section in the same Module that talks aboutVMware Integrated Openstack

What is OpenStack?

OpenStack is open source software that delivers a framework of services for API basedinfrastructure consumption. OpenStack framework requires hardware or software basedinfrastructure components and management tools to build a functional OpenStackcloud. The "plug-in" architecture of OpenStack services enables various vendors (suchas VMware) to integrate their infrastructure solutions (such as vSphere and NSX) todeliver an OpenStack cloud.

OpenStack is a Cloud API Layer in a Cloud TechnologyStack

A typical cloud technology stack consists of following major components:

1. Hardware Infrastructure2. Software Infrastructure (or virtualization layer)3. Cloud API layer that enables consumption and orchestration of underlying cloud

infrastructure4. Cloud Management Layer that provides governance, resource planning, financial

planning, etc. and potentially manages multiple underlying cloud fabrics5. Applications running on top of cloud infrastructure

In a non-cloud datacenter model, an application owner would contact one or moredatacenter administrators, who would then deploy the application on the applicationowner's behalf using software infrastructure tools (e.g., VMware vSphere) to deploy theapplication workloads on top of physical compute, network, and storage hardware.

OpenStack is a software layer that sits on top of the software infrastructure and enablesan API based consumption of infrastructure. OpenStack enables a "self-service" model inwhich application owners can directly request and provision the compute, network, andstorage resources needed to deploy their application.

The primary benefits of self-service are increased agility from applications ownershaving "on demand" access to the resources they need and reduced operating expensesby eliminating manual + repetitive deployment tasks.

HOL-1720-SDC-1

HOL-1720-SDC-1

OpenStack components

OpenStack splits infrastructure delivery functions into several different services. Each ofthese services is known by its project code name:

• Nova: Compute service.• Neutron: Network services (formerly called "Quantum").• Cinder: Block Storage service.• Glance: Image service.• Keystone: Identity service.• Horizon: Web GUI.

OpenStack services orchestrate and manage the underlying infrastructure and exposeAPIs for end users to consume the resources. OpenStack's strength is a highlycustomizable framework, allowing those deploying it to choose from a number ofdifferent technology components, and even customize the code themselves.

Nova

OpenStack Compute (Nova) is a cloud computing fabric controller, which is the mainpart of an IaaS system. It is designed to manage and automate pools of computerresources and can work with widely available virtualization technologies, as well as baremetal and high-performance computing (HPC) configurations.

HOL-1720-SDC-1

HOL-1720-SDC-1

Neutron

OpenStack Networking (Neutron, formerly Quantum) is a system for managing networksand IP addresses. OpenStack Networking ensures the network is not a bottleneck orlimiting factor in a cloud deployment, and gives users self-service ability, even overnetwork configurations.

OpenStack Networking provides networking models for different applications or usergroups. Standard models include flat networks or VLANs that separate servers andtraffic. OpenStack Networking manages IP addresses, allowing for dedicated static IPaddresses or DHCP. Floating IP addresses allow dynamic traffic rerouting to anyresources in the IT infrastructure, so users can redirect traffic during maintenance or incase of a failure.

Cinder

Cinder is a Block Storage service for OpenStack. It's designed to allow the use of eithera reference implementation (LVM) to present storage resources to end users that can beconsumed by the OpenStack Compute Project (Nova). The short description of Cinder isthat it virtualizes pools of block storage devices and provides end users with a selfservice API to request and consume those resources without requiring any knowledge ofwhere their storage is actually deployed or on what type of device

Glance

OpenStack Image Service (Glance) provides discovery, registration, and deliveryservices for disk and server images. Stored images can be used as a template. It canalso be used to store and catalog an unlimited number of backups. The Image Servicecan store disk and server images in a variety of back-ends, including OpenStack ObjectStorage. The Image Service API provides a standard REST interface for queryinginformation about disk images and lets clients stream the images to new servers.

OpenStack.org updates Glance every six months, along with other OpenStack modules.Some of the updates are to catch-up with existing cloud infrastructure services, asOpenStack is comparatively new. Glance adds many enhancements to existing legacyinfrastructures. For example, if integrated with VMware, Glance introduces advancedfeatures to the vSphere family such as, vMotion, high availability and dynamic resourcescheduling (DRS). vMotion is the live migration of a running VM, from one physicalserver to another, without service interruption. Thus, it enables a dynamic andautomated self-optimizing datacenter, allowing hardware maintenance for theunderperforming servers without downtimes.

HOL-1720-SDC-1

HOL-1720-SDC-1

Keystone

OpenStack Identity (Keystone) provides a central directory of users mapped to theOpenStack services they can access. It acts as a common authentication system acrossthe cloud operating system and can integrate with existing backend directory serviceslike LDAP. It supports multiple forms of authentication including standard username andpassword credentials, token-based systems logins. Additionally, the catalog provides aqueryable list of all of the services deployed in an OpenStack cloud in a single registry.Users and third-party tools can programmatically determine which resources they canaccess.

Horizon

OpenStack Dashboard (Horizon) provides administrators and users a graphical interfaceto access, provision, and automate cloud-based resources. The design accommodatesthird party products and services, such as billing, monitoring, and additionalmanagement tools. The dashboard is also brandable for service providers and othercommercial vendors who want to make use of it. The dashboard is one of several waysusers can interact with OpenStack resources. Developers can automate access or buildtools to manage resources using the native OpenStack API or the EC2 compatibility API.

HOL-1720-SDC-1

HOL-1720-SDC-1

VMware Integration Openstack (VIO)Note: This section introduces VIO, its components and installationrequirements. If you want you can skip this section and proceed to the next.

VMware Integrated OpenStack (VIO) is a VMware supported OpenStackdistribution prepared to run on top of an existing VMware infrastructure. VIO willempower any VMware Administrator to easily deliver and operate an Enterpriseproduction grade OpenStack cloud on VMware components. This means that you will beable at to take advantage of all VMware vSphere great features like HA, DRS or VSAN foryour OpenStack cloud and also extend and integrate it with other VMware managementcomponents like vRealize Operations and vRealize Log Insight.

VMware Integrated OpenStack components

VIO is made by two main building blocks, first the VIO Manager and second OpenStackcomponents. It is packaged as an OVA file that contains the Manager server and anUbuntu Linux virtual machine to be used as the template for the different OpenStackcomponents.

VIO Components

The OpenStack services in VMware Integrated OpenStack are deployed as a distributedhighly available solution formed by the following components:

• OpenStack controllers. Two virtual machines running Horizon Dashboard, Nova(API, scheduler and VNC) services, Keystone, Heat, Glance, and Cinder services inan active-active cluster.

• Memcached cluster.• RabbitMQ cluster, for messaging services used by all OpenStack services.• Load Balancer virtual machines, an active-active cluster managing the internal

and public virtual IP addresses.• Nova Compute machine, running the n-cpu service.• Database cluster. A three node MariaDB Galera cluster that stores the OpenStack

metadata.• Object Storage machine, running Swift services.• DHCP nodes. These nodes are only required if NSX is not selected as provider for

Neutron.

HOL-1720-SDC-1

HOL-1720-SDC-1

More Details on VIO

As mentioned previously, VIO is a production grade OpenStack deployment based on areference architecture developed through customer best practices and the VMwareNetwork Systems Business Unit internal cloud. It is designed to be highly availablethrough the use of vSphere capabilities like HA and DRS, and through the use ofredundant components. The core OpenStack services are deployed as follows:

Controller - Controller VM's expose the core OpenStack service APIs and runschedulers. Nova, Neutron, Glance, Cinder and Keystone Services run here. VIO deploystwo controllers in an Active/Active configuration.

Database - Database VM's are used by the OpenStack services to store metadata. VIOdeploys 3 MariaDB databases with Galera cluster services configured as Active/Passive/Passive. Data is fully replicated between the databases.

MemCached - MemCached VM's are used as a distributed in memory key-value storefor database call results. Memcached is easily scaled out. VIO deploys 2 MemcachedVM's

RabbitMQ - OpenStack communications within a service and between services aremessage based. VIO deploys RabbitMQ as the messaging service. It is deployed in twoVMs

Load Balancer's - Both internal management communication and external API accessis load balanced across two HAProxy LoadBalancer VMs. VIO configures API Serviceidentity endpoints using Virtual IP Addresses (VIPs).

Nova Compute - The Nova Compute nodes are the worker bees of an OpenStack cloud.They handle launching and terminating instances and must scale out as the cloudresources increase. VIO starts with a single Nova Compute node and adds new nodes foreach vSphere Cluster added to the OpenStack cloud.

NSX - It is important to note that while VIO will configure the Neutron networkingService, it does not do any configuration of the underlying virtualized networkingcomponents. It is an out of band exercise to ensure that either NSX or vDS haspreviously been setup, with the appropriate physical networks for the plannedenvironment. You will enter configuration information from that setup as part of VIOCluster Creation, but you are not reconfiguring that environment.

VIO Installation Requirements

To be able to successfully deploy VMware Integrated OpenStack you will need at leastthe following:

• One management cluster with two to three hosts, depending on the hardwareresources of the hosts.

HOL-1720-SDC-1

HOL-1720-SDC-1

• One Edge cluster. As with any NSX for vSphere deployment it is recommended todeploy a separate cluster to run all Edge gateway instances.

• One compute cluster to be used by Nova to run instances. One ESXi host will beenough but again that will depend on how much resources are available and whatkind of workloads you want to run.

• Management network with at least 15 static IP addresses available.• External network with a minimum of two IP addresses available. This is the

network where Horizon portal will be exposed and that will be used by thetenants to access OpenStack APIs and services.

• Data network, only needed if NSX is going to be used. The different tenant logicalnetwork will be created on top of this, the management network can be used butit is recommended to have a separate network.

• NSX for vSphere. It has to be setup prior to VIO deployment if NSX plugin is goingto be used with Neutron.

• Distributed Port Group. In case of choosing DVS-based networking a vSphere port-group tagged with VLAN 4095 must be setup. This port group will be used as thedata network.

The hardware requirements are around 56 vCPU, 192GB of memory and 605GB ofstorage.

To that you have to add NSX for vSphere required resources like the NSX Manager, thethree NSX Controllers and the NSX Edge pool.

HOL-1720-SDC-1

HOL-1720-SDC-1

VIO Architectural ComponentsIn this section we give an overview of the different VMware product integrations that areused with VIO. If this is the first time you are looking at VIO then its beneficial do to aquick review of this section before you proceed to the next.

VMware Integrated OpenStack (VIO) Architecture

VIO is based atop VMware's Software Defined Data Center infrastructure. With purposebuilt drivers for each of the major OpenStack services, VIO optimizes consumption ofCompute, Storage and Network resources. VIO also includes OpenStack specificmanagement extensions for the vCenter Client, vCenter Operations Manager andLogInsight to allow use of existing tools to operate and manage your OpenStack cloud.

Nova Compute Integration

The vCenter Driver exposes Compute resources to the OpenStack Nova service throughvCenter API calls. Resources are presented as cluster level abstractions. The Novascheduler will choose the vSphere cluster for new instance placement and vSphere DRSwill handle the actual host selection and VM placement. This design enables OpenStackInstance VMs to be treated by vSphere as any other VM. Services like DRS, vMotion andHA are all available

Cinder and Glance Integration

The VMDK driver exposes Storage resources to the OpenStack Cinder service as blockdevices through datastore/VMDK abstractions. This means that any vSphere datastore,

HOL-1720-SDC-1

HOL-1720-SDC-1

including VSAN, can be used as storage for boot and ephemeral OpenStack disks.Glance images may also be stored as VMDK's or OVA files in datastores.

Neutron Networking Integration

The NSX driver supports both the vSphere Virtual Distributed Switch (vDS) and NSX fortrue software defined networking. Customers can leverage their existing vDS to createprovider networks that can isolate OpenStack tenant traffic via VLAN tagging. They canalso take advantage of NSX to provide dynamic creation of logical networks with privateIP overlay, logical routers, floating IPs and security groups, all enabled across a singlephysical transport network.

Management Integration

The vSphere web client has been extended to include OpenStack specific meta data toallow searching by terms appropriate to your VM's (Tenant, Flavor, Logical Network,etc.). VIO also includes a vSphere Client plugin for managing OpenStack consumption ofvSphere resources. Management packs for vCOPS and LogInsight allow for OpenStackspecific monitoring based on metadata extracted from the OpenStack services.

HOL-1720-SDC-1

HOL-1720-SDC-1

What's New with VIO 2.5This section talks about some of the new features that have been released in the VIO2.5 architecture.

New Features in this Release

VMware Integrated OpenStack enables the rapid deployment of OpenStack on a VMwarevSphere virtual platform. This release provides the following new features andenhancements.

Ability to Deploy Management and Compute ClustersAcross Different vCenters

VMware Integrated OpenStack 2.5 enables users to deploy the management andcompute clusters on separate vCenter servers. This increases performance, scalability,and availability, and improves the overall robustness and reliability of your VMwareIntegrated OpenStack deployment.

Smaller Management Footprint

Concerned with the amount of resources the management control plane of yourVIO 2.5 Framework consumes? This release offers a simplified architecture that requiresfewer hardware resources but still provides the same level of resilience, scale andperformance as previous releases. This simplified architecture reduces that footprint by30% saving you resource costs and reducing overall operational complexity.

Support for Existing vSphere Templates

Customers can now seamlessly leverage their existing vSphere templates and startconsuming them via standard OpenStackAPIs. The ability to now directly import vSphereVM templates into OpenStack as Glance images eliminates the time required to import

HOL-1720-SDC-1

HOL-1720-SDC-1

http://www.vmware.com/products/openstack/?src=so_5703fb3d92c20&cid=70134000001M5td

these often large disk images over the network into the OpenStack cloud. This enablesthe pre-seeding of images resulting in faster deployment times.

LBaaS v2.0 Support

VMware Integrated OpenStack 2.5 supports OpenStack LBaaS v2.0. After installing orupgrading to VMware Integrated OpenStack 2.5, you have the option of continuing withLBaaS v1.0 or migrating to v2.0 through a simple procedure that also migrates your loadbalancer database entries from v1.0 to v2.0.

NOTE: After migrating to LBaaS v2.0, you cannot revert to v1.0.

Image Service Improvements

VMware Integrated OpenStack 2.5 included redesigns to improve performance of theOpenStack Image Service, including faster boot times for initial instance creation, morereliable instance booting, and better snapshot functionality.

Improved Troubleshooting Functionality

Enhancements to the VMware Integrated OpenStack CLI commands enable users tolocate and remove orphaned VMs, improved logging features with debugging outputand log file rotation, and deployment status reporting expanded to includesynchronization issues, broken connections, database cluster sizes and number ofconnections, missing processes, and more.

Neutron Layer 2 Gateway Support

Layer 2 gateway services, now available via Neutron, allow a tenant’s virtual network tobe bridged to a physical network. This integration provides users with the capability toaccess resources on a physical server (ex: the database tier of a multi-tier application)via a layer 2 network connection rather than via a routed layer 3 connection. This cansimplify the infrastructure deployment process for the application developer by…

HOL-1720-SDC-1

HOL-1720-SDC-1

• Enabling programmatic connection of VLANs to logical networks• Offering the choice of NSX L2 gateway services across access switches, core/

aggregation switches and edge routers to bridge virtual and physical networks inany data center topology

• Allowing flexible workload placement and workload mobility

Optimized for NFV (Network Function Virtualization)

There is improved support for NFV workloads. With features such as per-tenant capacitysubscription, fine-grained instance performance tuning and SR-IOV, you can pre-assigncapacity subscriptions for tenants ensuring that capacity is guaranteed for consumersregardless of defined quotas.

HOL-1720-SDC-1

HOL-1720-SDC-1

ConclusionYou've finished Module 1

Congratulations on completing Module 1.

If you are looking for additional documentation on VIO, try one of these:

• Click on this link• Tiny URL: http://tinyurl.com/jqx7lcu• Or use your smart device to scan the QRC Code.

Proceed to any module below which interests you most.

• Module 2 - Getting started with VIO (60 minutes)• Module 3 - VIO Networking - Basic Networking (60 minutes)• Module 4 - VIO Networking - Advanced Networking (60 minutes)• Module 5 - Leveraging Advanced OpenStack Feature (60 minutes)• Module 6 - Using VMware vRealize Solution to operationalize OpenStack (30

minutes)

How to End Lab

To end your lab click on the END button.

HOL-1720-SDC-1

HOL-1720-SDC-1

https://www.vmware.com/support/pubs/integrated-openstack-pubs.html

http://tinyurl.com/jqx7lcu

Module 2 -Getting Startedwith VIO (60 minutes)

HOL-1720-SDC-1

HOL-1720-SDC-1

Review VIO DeploymentIn this section we will review the VIO deployment.

Access VIO Deployment

In this part of the lab, we will explore using OpenStack and how it leverages the VIOplugin to deploy VMs

Checking lab status

You must wait until the Lab Status is at Ready before you begin. If you receive anerror message, please end the lab and redeploy another.

Launch Google Chrome

1. Click on the Desktop Icon for Google Chrome.

HOL-1720-SDC-1

HOL-1720-SDC-1

Login to vCenter

1. Click on the Use Windows session authentication checkbox.2. Click Login.

VMware Integrated OpenStack Plugin

1. Click on the VMware Integrated OpenStack plugin icon.

HOL-1720-SDC-1

HOL-1720-SDC-1

VIO plugin

Here you can find the information about the VIO deployment, its state, and otherimportant settings.

1. Click on the Monitor Tab.

HOL-1720-SDC-1

HOL-1720-SDC-1

VIO plugin - Monitor

As you can see, the VIO deployment information is provided including the external IPaddress pool that will be used for Tenant VM's.

HOL-1720-SDC-1

HOL-1720-SDC-1

VIO plugin - Manage - syslog

1. Click on the Manage tab.2. Click on Settings.

Here you can find the syslog server settings. We will be reviewing these logs later in thislab.

You are free to explore some of the other settings with the Manage tab. We will not bepreforming any activity within these sections during this lab.

VIO Deployment validation

1. Click on the OpenStack Deployment Icon on the far right of your screen.

HOL-1720-SDC-1

HOL-1720-SDC-1

VIO Deployment status

Make sure your OpenStack deployment is showing running. If the Status is not showingas Running, you may need to restart the lab.

HOL-1720-SDC-1

HOL-1720-SDC-1

Access VIOIn this section we will start using VIO from the Horizon interface.

Lets Start using OpenStack Horizon

We will now start using OpenStack by logging into the Horizon portal (Not to beconfused with VMware Horizon EUC products). Horizon provides a web portal for bothadministrators and users. Administrators can use the UI for common tasks such ascreating users, managing their quotas, check infrastructure usage, etc. In Horizon, cloudadministrators have a different view when compared to cloud users. While cloudadministrators can see and manage all infrastructure resources, cloud users can onlysee inventories created by them.

We will start with an orientation of the Horizon Web UI for cloud administrators and thenswitch to a cloud user view later.

1. Click on the tab to open a new window.2. Click on the VIO bookmark in your browser bar. (https://vio.corp.local)

HOL-1720-SDC-1

HOL-1720-SDC-1

Login to OpenStack Horizon

1. User Name: admin.2. Password: VMware1!3. Click on Sign In.

Openstack Admin Overview

Upon initially logging in as 'admin', note the following key tabs:

1. At the top is a drop down menu that allows an admin to switch views to a specificuser. For example, if an admin wants to see what resources are visible to a particularuser, they can select the user from drop down list. For now, please ensure that thedrop down has 'admin' as the selected user.

Note: There is a 'Project' tab. Every user in OpenStack belongs to a project (more info onthis in next section). An admin belongs to an 'admin' project that is created by default. Aproject contains all the instances, volumes and other inventories created by all usersbelonging to the project.

2. Click on the Admin tab,

3. Click on the Overview tab.

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

Hypervisors

1. Click on the Hypervisors tab within the Admin Panel. Here you can see theHypervisors that OpenStack is managing.

Notice that there is only a single hypervisor shown. The reason behind this is thatOpenStack sees each vSphere Cluster as a single hypervisor where workloads can beplaced. This allows for key vSphere features like DRS, HA and vMotion to still be used inthe background without confusing OpenStack.

Please Note: The resources of this hypervisor represent the resources of the vSpherecluster. In this case, the two ESX hosts combined, and the shared datastore. Thememory shown is less than the combined total of the hosts because ESX reserves somememory for operations.

HOL-1720-SDC-1

HOL-1720-SDC-1

Flavors

1. Click on the Flavors tab under the Admin panel. Flavors represent the differentoptions users will have in terms of what size a VM they deploy. The cloudadministrator can define what flavors are supported in an OpenStackdeployment, and cloud users can then select from the set of flavors exposed tothem.

HOL-1720-SDC-1

HOL-1720-SDC-1

Images

1. Click on the Images tab under the Admin Panel.

Here is the list of all images that will be available to tenants to choose from when theylook to create a virtual machine. Cloud administrators will typically upload a variety of"public" images to be made available to their cloud users. Cloud users are able tofurther extend this set of images with their own custom images.

Please Note: For simplicity, we have already uploaded 2 images, one specifically hasnginx installed and the other has wordpress. These images have been pre-built on thephoton Operating system. The VMDK disk format indicates that it can be used withvSphere.

HOL-1720-SDC-1

HOL-1720-SDC-1

Running Instances

As part of the lab we have already deployed an nginx and a wordpress server.

1. Click on Project.2. Click on Compute.3. Click on Instances.

The wordpress-1 server has an internal IP of 10.10.10.25 and an external IP of192.168.0.211.

The nginx-1 server has an internal IP of 10.10.10.19 and an external IP of 192.168.0.201

HOL-1720-SDC-1

HOL-1720-SDC-1

Network Topology

Now, we will look at the current network topology that has been setup with OpenStack.

1. Click on the Project panel (top of left side margin).2. Select the Network tab under the Project panel.3. Select the Network Topology tab under the Network panel.

For this lab, we have pre-created networks called 'external-network' and "test-network".

The two networks represent a tenant network (test-network), and a provider network(external-network). When you have multiple clients, they would each get their owntenant network, but all would share the provider network as a gateway to externalresources such as the Internet or any corporate systems.

The nginx and wordpress servers are deployed on the tenant test-network and can beaccessed using the floating external IP address.

HOL-1720-SDC-1

HOL-1720-SDC-1

Access nginx server

1. Open a new tab on the browser.2. Click on the nginx-1 bookmark to access the webserver.

HOL-1720-SDC-1

HOL-1720-SDC-1

Access wordpress server

1. Open a new tab on the browser.2. Click on the wordpress-1 bookmark to access wordpress server.

HOL-1720-SDC-1

HOL-1720-SDC-1

Make the "test-network" shared

We now return to the OpenStack Horizon interface where we are currently logged in as"admin" to the OpenStack cloud. We have purposely created the "test-network" asshown previously to be only seen by the "admin" tenant. Now we will make that network"shared" so that other users can also access it.

1. Click the tab on the browser where you were previously logged into theHorizon interface. The browser tab may still say Network Topology-VMware Integrated OpenStack. (Note: You may also close the nginxand wordpress browser tabs at this time.)

2. Clickon Admin.3. SelectNetworks.4. ClickEdit Network for the "test-network".

HOL-1720-SDC-1

HOL-1720-SDC-1

Edit Network settings

1. Checkthe Shared box. Now the "test-network" will be shared with other usersthat we will be creating in subsequent sections.

2. Click Save Changes.

HOL-1720-SDC-1

HOL-1720-SDC-1

Projects and UsersIn OpenStack, users are grouped in containers called projects. These projects areeffectively tenants in the OpenStack cloud environment. Each project has an assignedquota of compute, network and storage resources that are shared by all users in thatproject. Projects are isolated from each other, that is, users in one project can't see theusers and resources of other projects. Users must be associated with at least oneproject, though they may belong to more than one.

In this section we will create a couple of projects and assign users to them.

Access Project Menu

1. Select the Admin tab on the left-hand navigation bar.2. Click the Identity Panel tTomab under Admin.3. Click the Projects tab under the Identity Panel.4. Click the Create Project button.

HOL-1720-SDC-1

HOL-1720-SDC-1

Create Project Tom

You will need to provide the project a name.

1. Enter the name of the project "Tom-Project".2. Make sure the Enabled box is checked.3. Click on the Project Members tab.

HOL-1720-SDC-1

HOL-1720-SDC-1

Add admin user to Tom-Project

1. Under Project Members tab click on the "+" button next to admin to add theuser to the project.

2. Then Click the Create Project button.

Note: The admin account needs to be added to the project in order to pull instancemetadata from the vSphere Web Client.

Create Project Melanie

Note: You should see "Tom-Project" listed as one of the projects.

Repeat the steps you took to create the previous project.

HOL-1720-SDC-1

HOL-1720-SDC-1

1. Click the Create Project button.

HOL-1720-SDC-1

HOL-1720-SDC-1

Name Melanie-Project

1. Enter the name of the project "Melanie-Project"2. Make sure "Enabled" is checked.3. Clickon "Project-members" to add users to it.

HOL-1720-SDC-1

HOL-1720-SDC-1

Add admin user to Melanie-Project

1. Make sure admin user is selected to be part of the project.2. Click on Create Project.

HOL-1720-SDC-1

HOL-1720-SDC-1

Notice that the admin account has been added to the project.

1. Click Create Project button.

Working with Quotas

Quotas are used to set operational limits around the resources assigned to a project. Byimplementing quotas, OpenStack cloud administrator can predictably allocate capacityto tenants and prevent one tenant from monopolizing shared resources.

View Quota for Tom-Project

1. Click on the dropdown menu associated with Tom-Project.

HOL-1720-SDC-1

HOL-1720-SDC-1

2. Click on Modify Quotas.

HOL-1720-SDC-1

HOL-1720-SDC-1

Review Quota for Tom-Project

These are the default quotas for "Tom-Project". We will NOT modify any settings in thislab.

Please click on "Save" and exit out of this page.

HOL-1720-SDC-1

HOL-1720-SDC-1

Creating a New User

We will now create a user for the previously created projects.

1. Select the Users tab.2. Click Create User to display the user menu.

HOL-1720-SDC-1

HOL-1720-SDC-1

Creating user Tom

Enter or select the following data into the fields to create a user named Adam.

1. Username: Tom2. Email: [email protected]. Password: VMware1!4. Primary Project: Tom-Project5. Role: Leave as default _member_6. Click the Create User button

HOL-1720-SDC-1

HOL-1720-SDC-1

Creating user Melanie

Now, create a new user name Melanie. Enter or select the following data into the fieldsto create a user named Melanie. Follow the steps taken previously taken in creating theTom user, but with the following info.

1. Username: Melanie2. Email: [email protected]. Password: VMware1!4. Primary Project: Melanie-Project5. Role: Leave as default _member_6. Click the Create User button

HOL-1720-SDC-1

HOL-1720-SDC-1

Review Users and Sign Out

You should now have your two new users, along with the built-in accounts, in the Userspanel. We now need to sign out as Admin and sign in with another user.

1. Click on the dropdown menu next to Admin user.2. Click on Sign Out.

HOL-1720-SDC-1

HOL-1720-SDC-1

User InstanceAn instance is the OpenStack's terminology for a virtual machine. Users can provisioninstances and attach them to existing or new OpenStack networks.

Creating User's Instance

In this section, we will illustrate the process of creating instances from OpenStack.

Login as Tom

Now that you have logged out as admin, you will need to login as user Tom to createyour new Instance.

Log into the Horizon Web UI, this time using the following credentials:

1. User Name: Tom.2. Password: VMware1!.3. Click on Sign In.

HOL-1720-SDC-1

HOL-1720-SDC-1

User Overview

From the overview section, you are shown how much of the user's current quota limitshave been used.

Since we haven't done anything yet, all categories show 0 resources used except forSecurity Groups. One security group is used by the “Internal Shared” network availableto all users for the purposes of this lab. We will revisit networking in greater detail lateron.

Launch an Instance

1. Click on the Instances tab, on the left hand side.2. Click on the Launch Instance button.

HOL-1720-SDC-1

HOL-1720-SDC-1

Launch Instance settings

Under the Details tab fill in the following fields.

1. Instance name: tom-nginx.2. Flavor: From the pulldown menu select m1.tiny.3. Instance Count: 2.4. Instance Boot Source: From the pulldown menu select Boot from Image.5. Image Name: From the pulldown menu select nginx (272.2 MB).6. Click on the Access & Security tab.

Launch Instance - Access & Security

1. Enter the password as VMware1!2. Ensure that default is selected under Security Groups.

HOL-1720-SDC-1

HOL-1720-SDC-1

3. Click on the Networking tab.

HOL-1720-SDC-1

HOL-1720-SDC-1

Add test-network

1. Click on the + button next to the test-network network. (In the previousexercise, we made this network "shared" so that other non-admin users can useit)

HOL-1720-SDC-1

HOL-1720-SDC-1

Launch Instance

1. Click the Launch button to create the instance.

Instances built

Now you can view the instances being built. The nginx instances are built on PhotonOS,they are tiny and it should launch within a minute.

Ensure that the instances are Running.

1. Click on the tom-nginx-1 Instance to view details of the build.

Instance Details

Here you can find more details about the instance such as the IP provisioned andthe unique ID that Openstack provisioned for this instance. When done, .

HOL-1720-SDC-1

HOL-1720-SDC-1

1. Click on Instancesto go back the instance table view.

HOL-1720-SDC-1

HOL-1720-SDC-1

Instance options

1. Click the drop down at the far right of an instance.

Here you can find all the options that are available to you.

HOL-1720-SDC-1

HOL-1720-SDC-1

Overview of Instances

Now, lets go back to the overview screen and see how it has been updated.

1. Click on Overview link on the left side of the page.

You can now see that graphs have been updated to reflect the new instances that havebeen created.

HOL-1720-SDC-1

HOL-1720-SDC-1

VolumesWhy do we need volumes at all? In OpenStack, the instance you have provisionedalready has a local disk, but this disk will not persist if the instance is terminated.

Imagine a workload where 1-hour of computation needs to occur at the end of eachbusiness day. Ideally, you would like to only spin up the instance when necessary for1-hour per day. However, if you were only using a local disk, you would lose any datayou generated between runs. This is where volumes come in. They are a persistentstorage that can be attached and detached on- demand to any running VM.

Working with Volumes

1. Click on the Volumes tab within the Project pane on the left-hand side of thescreen.

2. Click the Create Volume button

This will start your creation of a persistent volume

HOL-1720-SDC-1

HOL-1720-SDC-1

Create volume

Fill in the following:

1. Volume Name: tom-data-volume12. Size (BG): 103. Click on Create Volume

HOL-1720-SDC-1

HOL-1720-SDC-1

New Volume

Please wait as your volume is deployed. Wait tell the status changes to Available.

1. Click on the Dropdown button next to Edit Volume2. Select Manage Attachments

We will now attach the volume to an Instance

HOL-1720-SDC-1

HOL-1720-SDC-1

Attach Volume to an Instance

1. Select the tom-nginx-1 instance2. Click Attach Volume

HOL-1720-SDC-1

HOL-1720-SDC-1

Volume attached

Now you return to the Volumes page

Wait for the Volume to show In-Use.

Once the Volume is attached you will see /dev/sdb as the attach point on instance tom-nginx-1

Please remember the Instance that has the volume attached to it. You will need this infoin the next step.

HOL-1720-SDC-1

HOL-1720-SDC-1

Start console through Openstack

1. Click on Instances2. Select the Instance that has the volume attached and click on the More dropdown

menu3. Select Console

HOL-1720-SDC-1

HOL-1720-SDC-1

Log into VM

1. Click on the link to show only the console

Login to the VM

Login with the following

username: root

password: VMware1!

Note: If you are asked to enter a new password then please use BCN2016!!

View Disk Details

At the command prompt type in the following command to scan all the attached diskson this instance.

HOL-1720-SDC-1

HOL-1720-SDC-1

echo "- - -" > /sys/class/scsi_host/host0/scan

Once the disks are scanned run the below command to view all the partitions

fdisk -l

You will notice that the second hard drive is showing up but it is not formatted ormounted.

Partition and Format new volume

Run the following command to format the /dev/sdb disk

fdisk /dev/sdb

Command (m for help): n

This will create a new partition

Select (default p): Press Enter <leave default setting>

Partition Number: Press Enter <leave default setting>

HOL-1720-SDC-1

HOL-1720-SDC-1

First Sector: Press Enter <leave default setting>

Last Sector: Press Enter <leave default setting>

Command (m for help): w

This will write changes and exit the fdisk tool.

Run the fdisk -l command again. You will notice that a new partition called /dev/sdb1 hasbeen created.

Format the partition with the below command

mkfs.ext4 /dev/sdb1

Run the fdisk -l command again to check the changes.

fdisk -l

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

Mount Partition

Now to make a directory on the new drive

mkdir /mnt/persistent-data

Mount the drive

mount /dev/sdb1 /mnt/persistent-data

Lastly lets check to see if the drive is mounted.

df -h

You should now see the /dev/sdb1 in your list.

Test File

To test that persistent volume are working, we will create a file on the persistent andnon persistent volume. Then we will attach the persistent volume to a different instance.Make sure to click Enter after each command.

echo "Hello non-persistent World" > /root/test-file1.txt

echo "Hello persistent World" > /mnt/persistent-data/test-file2.txt

HOL-1720-SDC-1

HOL-1720-SDC-1

Access the /mnt/persistent-data folder to view the test-file2.txt

Edit Volumes

Now that we have formated the drive and created the test files, we will detach thevolume from our instance and attach to the other instance.

Return to the Volumes screen in OpenStack. You will have to launch a new tab withVIO and sign in as "Tom" user with password "VMware1!"

1. Click on Volumes2. Click on the More button and select Edit Attachments

HOL-1720-SDC-1

HOL-1720-SDC-1

Detach Volume

1. Click on the Detach Volume

This will detach the volume from your existing Instance and allow you to attach it toanother.

Confirmed Detach Volume

1. Click on Detach Volume when prompted to confirm.

HOL-1720-SDC-1

HOL-1720-SDC-1

Volume status change

Now you will notice that the Attached To field is empty.

Volume available to attach

Now you will attach the Volume to the other instance and test to see if the file is there.

1. Click on the More button and select Manage Attachments

HOL-1720-SDC-1

HOL-1720-SDC-1

Change volume attachment

1. This time select the tom-nginx-2 instance from the pull down list.2. Click Attach Volume

Volume attached

Now you see that your volume is attached and ready to use on the tom-nginx-2Instance. You will also notice the mounting point of this drive.

HOL-1720-SDC-1

HOL-1720-SDC-1

Start console through Openstack

1. Click on Instances2. Click on tom-nginx-2 instance.3. Click on Console4. Click on "Click here to show only Console"

Log into the VM

Login with the following

username: root

password: VMware1!

Note: If you are asked to enter a new password then please use BCN2016!!

HOL-1720-SDC-1

HOL-1720-SDC-1

Rescan for new volume and mount disk

Run the following command at the prompt to have the OS rescan for attached diskdevices:

echo "- - -" > /sys/class/scsi_host/host0/scan

Now that your have found the new drive, you need to mount the disk. This disk hasalready been formatted perviously.

mkdir /mnt/persistent-data

mount /dev/sdb1 /mnt/persistent-data

df -h

Observe that the /dev/sdb1 disk shows up as mounted.

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

Look for file on Volume once we mount it

Now to check if the file we created is still there.

cd /mnt/persistent-data

cat test-file2.txt

Your output should show Hello persistent World.

Click the back button on your browser to end the full screen console.

HOL-1720-SDC-1

HOL-1720-SDC-1

vCenter Client and OpenstackNow, we will go into the vCenter Client and see what information is shared betweenOpenStack and vCenter.

vCenter client and OpenStack

Go to your vCenter Client tab in your browser or open a new tab to access it.

Access Host and Clusters

1. Click on the tom-nginx-1 VM within the RegionA01-COMP01 compute cluster.

The Notes section of the VM is updated when it gets deployed by Openstack.

Also observe that this VM is part of the NSX Security group which was chosen inOpenstack

Scroll down to the OpenStack VM section

There you can see the information that was found in OpenStack Horizon is availablewithin vCenter.

HOL-1720-SDC-1

HOL-1720-SDC-1

Shell VM for Cinder Volume VMDK

Look for a notice there is a VM in the inventory that is powered off state and has a name"tom-data-volume1". This is the name of the persistent Volume that was created by Tomuser.

1. Click on this VM name in the inventory and view the Summary tab.

Notice in the 'VM Hardware' window, this VM has a single hard disk with a size of 10 GBthat matches the size of the Cinder volume we created. This is a "shell" VM to house the10 GB VMDK corresponding to the Cinder volume in scenarios when the volume is notattached to any "real" running VM.

HOL-1720-SDC-1

HOL-1720-SDC-1

Environment CleanupIn this section we will clean up the VM instances that were created in this Module.

Cleaning up Instances

We will now need to remove instances used in this module.

Return to your OpenStack Horizon webpage and login in the user Tom, if you werelogged out.

1. Click on the Instance tab2. Select both instances3. Click on Terminate Instances

Deleting Instances

You should now see the task for each instance change to Deleting.

Once the task is done, no Instance should be see in your table.

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify VM Deletion in vCenter

You return to vCenter and verify that the instances have now been removed. Notice thatthe tom-data-volume1 shadow VM is still there since its tied to the persistent storagethat was created earlier in this module.

HOL-1720-SDC-1

HOL-1720-SDC-1






• Module 1 - Introduction to VMware Integrated OpenStack (VIO) (30 minutes)• Module 2 - Getting started with VIO (60 minutes)• Module 3 - VIO Networking - Basic Networking (60 minutes)• Module 4 - VIO Networking - Advanced Networking (60 minutes)• Module 5 - Leveraging Advanced OpenStack Feature (60 minutes)• Module 6 - Using VMware vRealize Solution to operationalize OpenStack (30

minutes)

How to End Lab


HOL-1720-SDC-1

HOL-1720-SDC-1



Module 3 - VIONetworking - Basic

Networking (60 Minutes)

HOL-1720-SDC-1

HOL-1720-SDC-1

Module Objectives & IntroductionIn the traditional model of networking, users attach VM's to existing networks which aremostly hardware defined. However, relying on hardware defined, pre-existing networksmakes a private cloud inflexible, hinders scalability and doesn't support majority ofcloud use cases. Cloud users need the flexibility to create network topologies andmodify network access policies to suit their applications.

In most IaaS/SaaS environments, services such as Web, Application and DatabaseServers are all required to run on different L2 networks. Additionally while Web Serversneed to be accessible from the internet, Application and Database Server VM's need toblock internet access. These types of customized network topologies and networkaccess controls are provided by VMware NSX through the OpenStack Neutron plug-inavailable with VMware VIO.

HOL-1720-SDC-1

HOL-1720-SDC-1

VIO Architecture with NSX Focus

VMware VIO supports two deployment options for networking. One option utilizes thevDS with the more traditional VLAN backed port-groups and the other with VMware NSX.In this module we will be focusing on the VIO + NSX model and it's subsequent features.With that said, this module will assume the lab user has some background and basicunderstanding of VMware NSX and/or has taken other NSX related Hands on Labs.

Some of the many benefits of VIO + NSX include:

• Programmatic provisioning of network and security services, this provides greateragility and visibility in addition to simplified operation model for the private cloud.

• Advanced security with statefull firewall and multi-tenancy (Micro-Segmentation).\L

• Advanced virtualized network services with massive scale and throughput(routing, security groups, QoS). \L

• Integration with third-party network services such as load balancers and firewalls(e.g., Palo Alto Networks, F5, and more).

NSXv Architecture with VIO Consumption

VMware NSX brings lots of benefits when we compare it to a traditional OpenStacknetworking configuration relying on VLAN's:

Scale

HOL-1720-SDC-1

HOL-1720-SDC-1

• Centralized control plane provides Scale-Out Cloud Infrastructure: 10,000 VMs(per vCenter), 1,000 hypervisors supported.

• Support for thousands of tenants• Very High throughput: 20 Gbps per hypervisor (with 2x10Gbps NIC bonding).• Optimized traffic path, thanks to distributed L3 and Security.

Management and Operations

• Central API for configuration and management of all network and securityservices.

• HA of all the management services.• HA of all the network services.• Management and Monitoring tools (statistics, port monitoring, port mirroring, port

connection tools, seamless upgrade).

Advanced Network Services

• Static Routing.• L2 Bridging (logical with physical).• Distributed and Centralized Routing.• Distributed Statefull Firewall• Load Balancing as a Service• Optimization of Broadcast/Multicast Traffic.

HOL-1720-SDC-1

HOL-1720-SDC-1

Overview Of Module Objectives

Module 2 is broken down into three main sections:

1. Basic Virtual Networking

In this section, we focus on building out a few instances (OpenStack lingo for VM's) thatconnect into a couple virtual networks with a logical router providing connectivitybetween virtual networks and as an external path out. We also demonstrate howconfigurations made in Horizon Dashboard get translated via the Neutron Plugin intoNSX in vCenter.

2. Security Groups & Micro-Segmentation

In this section, we focus on creating and understanding Security Groups and alsoimplement Micro-Segmentation. VIO together with NSX provides not only a DistributedFirewall feature-set but also Micro-Segmentation where a Security Group policy can beused to allow/deny access between instances on the same L2 network. This feature hasbecome very important and increasingly popular in setting appropriate securityboundaries without having to rely on traditional L2 boundaries.

3. Advanced Networking

In this section, we focus on setting up Static Routing, Enabling/Disabling NAT andDistributed Routing. Most of the Advanced Networking section has to be completed viaNeutron CLI since Horizon Dashboard does not yet have workflows for them. We alsoswitch between CLI and NSX in vCenter to demonstrate that the Neutron Plugin isproperly mapping commands over ot NSX. We will also demonstrate LBaaS which is newin VIO 2.5.

HOL-1720-SDC-1

HOL-1720-SDC-1

Environment SetupThe objective of this section is to provide steps to get web browser tabs opened to theappropriate portal pages in preparation for the rest of the module.

Clean Up (If Necessary)

If you are starting this module and have previously completed other modules of this lab,please make sure to delete and remove any artifacts that may be left over. While eachmodule in this lab are related to one another and configured in an intuitive chronologicalorder, they are also designed to be autonomous, self contained and do not build fromone another. Meaning that you do not need to take Module 1 in order to take Module 2,etc.

HOL-1720-SDC-1

HOL-1720-SDC-1

Access vSphere Web Client

Lunch the Google Chrome browser and access the vSphere Web Client

1. Click on the vCenter Web Client bookmark to open the vSphere Web Client ina new tab. (It may already be open.)

2. Check the box "Use Windows session authentication"3. Click the Login button.

Please Note: The first time you login to vSphere Web Client takes a bit longer and insome cases up to a minute.

Access Openstack Horizon Dashboard

1. On a new tab Click on the VIO-Horizon bookmark to open the HorizonDashboard login portal.

2. Type your User Name: admin3. Type your Password: VMware1! (case-sensitive)4. Click the Sign In button.

HOL-1720-SDC-1

HOL-1720-SDC-1

Please Note: The first time you login to Horizon Dashboard takes a bit longer and insome cases up to a minute.

HOL-1720-SDC-1

HOL-1720-SDC-1

Logical NetworksThe objective for this section is to create tenant networks and check how they manifestin NSX.

View Current Network

First let's see what logical networks already exist.

1. Click on Project pane.2. Click on Network sub-pane.3. Click on Networks.

We can see that two networks have already been pre-created for us. The first is anExternal Network which has a special designation and will serve as our gateway out ofOpenStack. The second is a regular logical network named test-network that wasinitially created by the admin project and then shared with other projects.

Create Network (Virtual)

1. Click the + Create Network button to start the workflow.

Network Name

1. Create a network name called "HOL-network".2. ConfirmAdmin State checkbox is UP

HOL-1720-SDC-1

HOL-1720-SDC-1

3. Click the Next button.

Subnet and Network Address

1. Confirm that Create Subnet checkbox is ticked.2. Type in "HOL-subnet" for the Subnet Name field.3. Type in "11.0.0.0/24" for the Network Address field.4. Click the Next button.

HOL-1720-SDC-1

HOL-1720-SDC-1

Provide Subnet Detail

The Subnet Detail tab offers us the opportunity to configure DHCP, DNS Name Serversor Host Routes.

1. Confirm that Enable DHCP checkbox is ticked.2. Type in "11.0.0.10,11.0.0.19" as the IP range for the Allocation Pools field.3. Click the Create button to complete this step.

HOL-1720-SDC-1

HOL-1720-SDC-1

Confirm Network Creation

You should now see your newly created "HOL-network" network in the list of availablenetworks. It is already in the ACTIVE state.

You can easily add more subnets or completely delete the existing network by firstclicking on More and choosing the corresponding action.

1. Click on the "HOL-network" link to get all the details regarding this networksegment.

HOL-1720-SDC-1

HOL-1720-SDC-1

Network Detail

This Network Detail view allow you to add/delete Subnets or Edit Ports. You can alsocome back here later to see a new port being added when an attachment is made witha Logical Router.

This view also allows you to see the ID tied to the network. This ID is useful whentroubleshooting and will help you directly correlate the entry to the NSX logical switch invCenter.

Note the ID above for this network. (Your lab may differ since the ID is randomlygenerated)

HOL-1720-SDC-1

HOL-1720-SDC-1

Compare ID with NSX in vCenter

1. Swaptabs to vSphere Web Client to see how this OpenStack Network appears inNSX.

2. Click the Network & Security icon.

NSX Logical Switches

1. Click on Logical Switchesmenu item in the Navigator window to see the list ofNSX logical switches.

Note that the ID from Horizon Dashboard matches the ID of the Logical switch createdby NSX. NSX receives these configurations through API calls from Openstack via theNeutron plugin.

Network Topology

1. Swaptabs back to Horizon Dashboard.2. Click on Network Topology.

You should see your newly created "HOL-network" logical network which isn'tconnected to anything yet.

HOL-1720-SDC-1

HOL-1720-SDC-1

Please Note: "External-Network" network was pre-created in your lab by OpenStackadmins and shared with all Projects to provide external connectivity to your applications.

HOL-1720-SDC-1

HOL-1720-SDC-1

Logical RoutersWe now need to create a Logical Router to route traffic from "HOL-Network" to the"External-Network". All the VM's connected on the HOL-Network logical network willbe using this router as the default gateway.

Create Logical Router

Access the Openstack Horizon dashboard. Make sure that you are still logged in asAdmin.

1. Click on Project2. Click on Network Sub tab3. Click on Routers4. Click on Create Router

HOL-1720-SDC-1

HOL-1720-SDC-1

Complete Logical Router

1. Type in "HOL-Router-Exclusive" as the name.2. Make sure that the Admin state is UP3. Select "external-network" as External Network4. Select "Centralized/Exclusive" as Router Mode5. Select Compact as Router Size6. Click Create Router

Note: We have chosen to create an exclusive/central router here. This router will not beshared with other tenants or projects.

HOL-1720-SDC-1

HOL-1720-SDC-1

Confirm New Router Creation

Confirm that the new HOL-Router-Exclusive now shows up in the Routers tab and is inAdmin State "UP".

Confirming Network Topology

1. Click on the Network Topology tab.

On the right pane you will see a diagram being built on what has already been created.

Hover over the "HOL-Router-Exclusive" and you will see its details.

HOL-1720-SDC-1

HOL-1720-SDC-1

Connect Router To Logical Network

1. Click on Routers2. Click on HOL-Router-Exclusive

Add Router Interface

1. Click on the Interfaces tab.2. Click on +Add Interface to add a new interface on this router.

Note the Router ID, in your lab this might be different as its generated byOpenstack. We will use this ID later to verify the creation of the router in NSX.

HOL-1720-SDC-1

HOL-1720-SDC-1

Select Subnet

1. Select"HOL-network: 11.0.0.0/24 (HOL-subnet)" in the Subnet drop downfield.

2. Click the Add interface button.

A message saying "Success: Interface added 11.0.0.1" will appear shortly.

HOL-1720-SDC-1

HOL-1720-SDC-1

Router Interfaces

Note the interfaces connected to the router.

1. 192.168.0.214 IP address is on the interface that is connected to the externalnetwork.

2. 169.254.128.10 IP address is on the interface that connects to the MetaDataProxy network. We will not cover the details in this lab and its more suited for anin depth design discussion on VIO and NSX.

3. 11.0.0.1 IP address is on the interface that connects to the "HOL-Network" logicalnetwork that was created previously. This will be the default gateway for allTenant VM's that will be launched on this network.

HOL-1720-SDC-1

HOL-1720-SDC-1

Confirm Router and Network Attachment

Now lets navigate to the Network Topology view to see how the newly created "HOL-network" network looks like attached to our "HOL-Router-Exclusive".

1. Click on Network Topology.

If everything was completed correctly you should see the "HOL-Router-Exclusive"connected to two networks: "external-network" and "HOL-network" networks.

The "external-network" provides connectivity to all workloads that Melanie user willlaunch on the "HOL-network" later in this module.

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify Router Creation in NSX

Access the Home page of vCenter Web Client.

1. Click on Networking and Security.

Verify NSX Edge Creation

Verify the NSX Edge creation in NSX Edge tab.

1. Click on NSX Edges2. Click on the Edge that starts with HOL-Router-Exclusive.

Note: In your setup the this NSX Edge could have a different ID.

View NSX Edge Configuration

On this scree you can access and view all the NSX Edge configuration that was donethrough Openstack.

1. Click on Manage tab

HOL-1720-SDC-1

HOL-1720-SDC-1

2. Click on Settings tab3. Click on Interfaces

Note the interfaces connected to the router.

1. 192.168.0.214 IP address is on the interface that is connected to the externalnetwork.

2. 169.254.128.10 IP address is on the interface that connects to the MetaDataProxy network. We will not cover the details in this lab and its more suited for anin depth design discussion on VIO and NSX.

3. 11.0.0.1 IP address is on the interface that connects to the "HOL-Network" logicalnetwork that was created previously. This will be the default gateway for allTenant VM's that will be launched on this network.

HOL-1720-SDC-1

HOL-1720-SDC-1

Tenant InstancesIn this section we will launch instances on the "HOL-network" network that was createdpreviously.

Launch Instance

Make sure that you are still logged in as "Admin" user.

1. Click on Project tab2. Click on Compute sub tab3. Click on Instances within the Compute tab4. Click on Launch Instance

HOL-1720-SDC-1

HOL-1720-SDC-1

Configure Instance Details

1. Enter the name of the instance as "HOL-nginx"2. Select the flavor as "m1.tiny"3. Enter the instance count as "2"4. Select "Instance Boot Source" as "Boot from Image"5. Select the "nginx (276.2 MB) image for the dropdown list.6. Click on "Access and Security"

Configure Instance - Access and Security

1. Select key Pair as "viouser"2. Enter the Admin Password as VMware1!

HOL-1720-SDC-1

HOL-1720-SDC-1

3. Select the "default" security group4. Click on Networking

HOL-1720-SDC-1

HOL-1720-SDC-1

Configure Instance - Networking

Select the network that this instance will connect to.

1. Select the HOL-network from the list of "Available networks" (Click on the "+" signto move the network to the "Selected Networks" section)

2. Click "Launch" to launch the instance.

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify Instance Creation

Once the instances are created they should automatically go in running state.

Note the IP address assigned to these instances.

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify Network Topology

1. Click on the Network tab2. Click on Network Topology

Note the 2 instances that have been created are connected to the HOL-Network

Also note the image ID for the HOL-nginx-1 instance. We will verify this in vCenter next.

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify Instance Creation in vCenter

Access the vCenter Web Client and go to Host and Clusters.

1. Click and expand the RegionA01-COMP01 cluster.2. Click on the HOL-nginx-1 instance

Note the name of the instance as the same Openstack Image ID appended to it.

Also note that vCenter has the information that this image was created by Openstackand it has the flavor, tenant and network information.

HOL-1720-SDC-1

HOL-1720-SDC-1

Floating IP AddressIn this section we will attach Floating IP address to the instance that we createdpreviously.

Access and Security

Make sure that you are logged in as Admin

Note that we have already allocated 2 Floating IPs to nginx-1 and wordpress-1 VMs

1. Click on Project2. Click on Compute3. Click on Access & Security4. Click on Floating IPs5. Click on Allocate IP to Project

HOL-1720-SDC-1

HOL-1720-SDC-1

Allocate Floating IP

1. Select "external-network" from dropdown list of networks2. Click on "Allocate IP"

Associate IP to instance

Note the new Floating IP address that has been allocated to your project. The status isstill "down" because it has not been allocated yet to any instance.

The IP address that has been allocated could be different in your lab deployment.

1. Click on Associate.

HOL-1720-SDC-1

HOL-1720-SDC-1

Manage Floating IP Associations

1. Choose the recently allocated Floating IP from the dropdown list.2. Choose the "HOL-nginx-1: 11.0.0.12" server from the dropdown list.3. Click on "Associate"

Review Floating IP association

Note that the 192.168.0.215 IP address has been allocated to HOL-nginx-1 server.

Note that the Floating IP is now in "Active" state.

Access the HOL-nginx-1 server

Now we will verify if the HOL-nginx-1 server is reachable.

1. Launch a new tab in the browser.2. Access the 192.168.0.215 IP address

HOL-1720-SDC-1

HOL-1720-SDC-1

Note that the server is NOT reachable. We will fix this in the next chapter when weattach the correct security policy to the server.

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify Floating IP allocation in NSX

1. Access the vCenter Web Client and go to the Home Screen.2. Click on Networking and Security.

Access NSX Edges

1. Click on NSX Edges2. Double Click on NSX Edge with the name "HOL-Router-Exclusive"

Note that the NSX Edge ID in your lab deployment might be different.

Verify NAT rules on the NSX Edge

1. Click on Manage

HOL-1720-SDC-1

HOL-1720-SDC-1

2. Click on NAT

Note the DNAT and SNAT rule for 11.0.0.12 (HOL-nginx-1 server) mapped to Floating IP192.168.0.215

Note the SNAT rule for all IPs in the subnet 11.0.0.0/24 translated to the external IPaddress 192.168.0.214 of the router HOL-Router-Exclusive.

HOL-1720-SDC-1

HOL-1720-SDC-1

Security GroupsSecurity Groups are sets of IP filter rules that are applied to an instance. VIO togetherwith NSX provides not only a Distributed Firewall feature-set but also Micro-Segmentation where a Security Group policy can be used to allow or disallow accessbetween instances on the same L2 network. This feature has become very importantand increasingly popular in setting appropriate security boundaries without having torely on traditional L2 boundaries.

For more information on NSX Micro-Segmentation please consider taking NSX specificlabs.

All projects in OpenStack have a default security group. Lets review our current rule set.

HOL-1720-SDC-1

HOL-1720-SDC-1

Review deployed instances

Make sure are still logged in as Admin user

1. Click on Project2. Click on Compute3. Click on Instances - Observer the instances that are deployed4. Click on the HOL-nginx-1 instance

HOL-1720-SDC-1

HOL-1720-SDC-1

Observe default security group

This screen shows the resultant security policy applied to the VM.

Observe that only the default security policy has been applied since it was the only onethat was selected at the time of deployment.

This security policy allows all connectivity from the VM to 0.0.0.0/0 and ::/0 addresses,however it does not allow any communication that is initiated from outside.

HOL-1720-SDC-1

HOL-1720-SDC-1

Access and Security

1. Click on Access and Security2. Click on Security Groups3. Click on Mange Rules corresponding to the default security group.

Observe that there are 4 security groups defined here. By default Openstack willgenerate the default security group only. However for the lab purposes we have pre-created other security groups to allow specific action.

View Policy details for the default security group

Observe the security policies defined in this default security group.

You can see that Egress rules (from VM to outside) allow all communication from the VMto any IPv4 IPv6 destination.

However Ingress rules (to the VM) are only allowed from other VM's within the samesecurity group.

HOL-1720-SDC-1

HOL-1720-SDC-1

Access and Security - HTTP access

1. Click on Access and Security2. Click on Manage Rules for allow-http security group.

Manage Security Group Rules - allow-http

Observe the Security Policies

Egress security policies: these allow all communication from the VM to any IPv4, IPv6addresses

Ingress Security policy: this allows access to port 80 from any remote IPv4 address.

HOL-1720-SDC-1

HOL-1720-SDC-1

Change associated security policy

Now we will change the associated the security group with HOL-nginx-1 VM.

1. Click on Instances2. Click on the dropdown menu associated with HOL-nginx-1 VM3. Click on Edit Security Groups

HOL-1720-SDC-1

HOL-1720-SDC-1

Edit Instance - Security Groups

1. Click on the "-" sign to remove the default security group2. Click on the "+" sign to add the allow-http security group3. Click on Save

Access HOL-nginx-1 server

1. Open a new tab to access the HOL-nginx-1 server

HOL-1720-SDC-1

HOL-1720-SDC-1

2. Access the server using the floating IP address 192.168.0.215

Note: The Floating IP address in your lab may be different so make sure to enter thecorrect one.

HOL-1720-SDC-1

HOL-1720-SDC-1

Change Security Group for HOL-nginx-2 server

We will follow the same procedure as before and change the security group associatedwith HOL-nginx-2 server.

Switch back to the VIO view and make sure you are logged in as admin user.

1. Click on Instances2. Click on the dropdown menu associated with HOL-nginx-2 VM3. Click on Edit Security Groups

HOL-1720-SDC-1

HOL-1720-SDC-1

Edit Instance - Security Groups

1. Click on the "-" sign to remove the default security group2. Click on the "+" sign to add the allow-http security group3. Click on Save

Verify Configuration in NSX

We will now verify the security group configuration in NSX

HOL-1720-SDC-1

HOL-1720-SDC-1

Switch to the vCenter tab and go to the Home Tab.

1. Click on Networking and Security

NSX Distributed Firewall Configuration

1. Click on the Firewall tab.2. Search for the security group section called "SG Section: allow-http" and expand

that section.3. Click on the allow-http security group

Observe the security rules. The section and the rules within them were directlyorchestrated via Openstack using the neutron NSX-V plugin. The VM's get populatedwithin the security group as the tenant attaches that security-group to their VM.

HOL-1720-SDC-1

HOL-1720-SDC-1

Load BalancerVMware Integrated OpenStack 2.5 supports LBaaS v2.0.

This task includes creating a health monitor and associates it with the LBaaS pool thatcontains the LBaaS server instances. The health monitor is a Neutron service thatchecks if the instances are still running on the specified protocol-port.

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify that HOL-nginx-1 server is reachable

In the previous chapter recall that we had attached a floating IP to the HOL-nginx-1 VM,and then enabled the allow-http security for allowing access to port 80.

Verify that connectivity to HOL-nginx-1 server is still working.

1. Open a new tab on the chrome browser and enter the floating IP 192.168.0.215for the HOL-nginx-1 server.

If you see the "Welcome to nginx on Photon" banner, connectivity to HOL-nginx-1 serveris working fine.

Note: In your lab setup, the floating IP address may be different.

HOL-1720-SDC-1

HOL-1720-SDC-1

Disassociate the floating IP address with HOL-nginx-1server

We will configure LB in this chapter. Therefore we need to un associate the Floating IPattached to HOL-nginx-1 server.

Switch to Openstack Tab and make sure you are still logged in as "admin"

1. Click on Project2. Click on Compute3. Click on Access and Security4. Click on Floating IPs5. Click on Dissociate

Confirm Dissociate

Click on Disassociate

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify Dissociate

Verify that 192.168.0.215 Floating IP is no longer associated with HOL-nginx-1 server.

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify HOL-nginx-1 server is not reachable

We have disassociated the Floating IP with HOL-nginx-1 server. It should not bereachable anymore.

1. Open a new tab or go to an existing one that was used to access the HOL-nginx-1server.

2. Type the IP address 192.168.0.215 in the address bar.

Verify that the connection times out and the server cannot be reached.

HOL-1720-SDC-1

HOL-1720-SDC-1

Configure Load Balancer

Switch back to VIO tab and make sure you are still logged in as Admin user.

1. Click on Project2. Click on Network3. Click on Load Balancers4. Click on Pools5. Click on Add Pool

HOL-1720-SDC-1

HOL-1720-SDC-1

Add Pool

Enter the following information to create a new Load Balancer Server Pool

1. Name: HOL-nginx-pool2. Provider: vmwareedge (default)3. Subnet: Select 11.0.0.0/24 from the dropdown list4. Protocol: HTTP5. Load Balancing Method: Round_Robin6. Admin State: UP7. Click Add to create the pool

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify Pool Creation

Verify that the new Load Balancer Pool was created. Now we will add members to thatpool.

1. Click on Members2. Click on Add Member

HOL-1720-SDC-1

HOL-1720-SDC-1

Add Member

Enter the following information

1. Pool: Select the newly created HOL-nginx-pool2. Member Source: Select from active instances3. Members: Highlight both the HOL-nginx-1 and HOL-nginx-2 servers4. Protocol Port: 805. Admin State: UP6. Click on Add

Verify Member Creation

Verify that the IP addresses of the HOL-nginx-1/2 servers are available as members topool HOL-nginx-pool

HOL-1720-SDC-1

HOL-1720-SDC-1

1. Click on Monitors2. Click on Add Monitor

HOL-1720-SDC-1

HOL-1720-SDC-1

Add Monitor

Enter the following information to create a simple HTTP monitor

1. Type: HTTP2. Delay: 13. Timeout: 14. Max Retries: 25. HTTP Method: GET6. URL : / (default)7. Expected HTTP Status Code: 200 (default)8. Admin State: UP9. Click on Add

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify Monitor Creation

Verify that HTTP monitor has been created.

Now we will associate this HTTP monitor with the Load Balancer Pool

1. Click on Pools2. Click on the dropdown menu and select Associate Monitor for HOL-nginx-pool

Associate Monitor

1. Select the HTTP monitor that you just created.2. Click on Associate.

HOL-1720-SDC-1

HOL-1720-SDC-1

Add VIP to LB Pool

This is the final step in creating a Load Balancer.

1. Click on the dropdown list and select "Add VIP" for the HOL-nginx-pool

HOL-1720-SDC-1

HOL-1720-SDC-1

Add VIP

Enter the following information to create a VIP:

1. Name: HOL-nginx-VIP2. VIP Subnet: Select: 11.0.0.0/243. Protocol Port: 804. Protocol: HTTP5. Session Persistence: Select No Session Persistence6. Admin State: UP7. Click Add

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify VIP creation

Verify that HOL-nginx-pool is now associated with HOL-nginx-VIP.

Floating IP to LB VIP Association

Now since we have created an internal VIP on the 11.0.0.0/24 subnet, we will need toassociate that VIP with an external Floating IP address for connectivity.

1. Click on Project2. Click on Compute3. Click on Access and Security4. Click on Floating IPs5. Click on Associate next to 192.168.0.215 Floating IP

Note: As previously mentioned in your lab the Floating IP could be different.

HOL-1720-SDC-1

HOL-1720-SDC-1

Manage Floating IP Associations

1. Select the Floating IP address that needs to be associated. It is 192.168.0.215while the lab was written.

2. Select the HOL-nginx-VIP as the port to be associated.3. Click on Associate.

Verify Floating IP to LB VIP association

Verify Load Balancer VIP 11.0.0.15 is associated to 192.168.0.215, and the state isactive.

Verify Load Balancer VIP is reachable

192.168.0.215 is the Floating IP for the HOL-nginx-VIP IP 11.0.0.15. This VIP loadbalances members in the HOL-nginx-pool.

Open a new tab or go to a previously open one.

HOL-1720-SDC-1

HOL-1720-SDC-1

1. Enter the IP of the Floating IP 192.168.0.215.

Verify you have connectivity to HOL-nginx-1/2 servers which are being load balanced.

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify Load Balancer Configuration in NSX

Now that we have configured LB via VIO, let us verify and view the resultingconfiguration in NSX

Switch to the vCenter Web Client and login using native Windows credentials. username:[email protected] password: VMware1!

1. Go to the Home Screen and click on Networking and Security

Access NSX Edge

1. Click on NSX Edge2. Double Click on Edge with the name HOL-Router-Exclusive

Note: in your lab the Edge ID's may be different.

NSX - LB - Global Configuration

1. Click on Manage2. Click on Load Balancer3. Click on Global Configuration

HOL-1720-SDC-1

HOL-1720-SDC-1

Notice that the Load Balancer Status is enabled.

NSX - LB - Application Profiles

1. Click on Application Profiles

Notice the applicationProfile-4 has a long name that represents a UUID in Openstack.this is the profile that was created as part of our previous exercises.

HOL-1720-SDC-1

HOL-1720-SDC-1

NSX - LB - Service Monitor

1. Click on Service Monitoring

monitor-4 was created via Openstack. Take a note of other configuration parametersassociated with this monitor.

HOL-1720-SDC-1

HOL-1720-SDC-1

NSX - LB - Pools

1. Click on Pools.

Pool-4 has been created based on the previous workflow.

Note the member pools with IP address 11.0.0.12 and 11.0.0.13

HOL-1720-SDC-1

HOL-1720-SDC-1

NSX - LB - Virtual Servers

1. Click on Virtual Servers

virtualServer-4 is the VIP with the IP of 11.0.0.15 that was created based on the VIOworkflow

HOL-1720-SDC-1

HOL-1720-SDC-1

NSX - Edge - Interfaces

1. Click on Settings2. Click on Interfaces

The external interface has 2 IP address: 192.168.0.214 is the external IP of the tenantrouter. 192.168.0.215 is the Floating IP address on the external network.

vNIC1 is used for metadata-proxy configuration. This is part of a more advanced topicand will not be covered in this lab.

vnic2 is the internal network where all the workload VMs connect on subnet 11.0.0.0/24.11.0.0.15 is the internal LB VIP on that subnet.

HOL-1720-SDC-1

HOL-1720-SDC-1

NSX - Edge - NAT

1. Click on NAT tab.

The first 2 lines represent the SNAT and DNAT rules to map the NSX LB VIP to ExternalFloating IP address.

The last line represents the SNAT rule used for all outgoing traffic from 11.0.0.0/24subnet on the internal interface of the Edge.

HOL-1720-SDC-1

HOL-1720-SDC-1

Environment Clean-UpIn this section we will delete the logical networks, instances, routers etc that werecreated in this section.

Delete Instances

Make sure you are logged in as Admin user in VIO.

1. Click on Project2. Click on Compute3. Click on Instances4. Select the HOL-nginx-1 and HOL-nginx-2 VM's5. Click on Terminate Instances

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify Instance Deletion

Observe the instances getting deleted.

Delete Load Balancer VIP

We will now delete the Load Balancer VIP

1. Click on Project2. Click on Network3. Click on Load Balancers4. Expand the dropdown menu associated with HOL-nginx-pool and Click on Delete

VIP

HOL-1720-SDC-1

HOL-1720-SDC-1

Confirm VIP Deletion

1. Click on Delete VIP to confirm.

Delete Load Balancer Pool

Now that we have deleted the VIP associated we can delete the LB pool.

1. Select the HOL-nginx-pool2. Click on Delete Pools

HOL-1720-SDC-1

HOL-1720-SDC-1

Delete Router

Now that we have deleted the LB Pool and VIP associated with it, we can delete theRouter.

1. Click on Project2. Click on Network3. Click on Routers4. Select HOL-Router-Exclusive5. Click on Delete Routers

Delete Network

We have deleted all components that were connected on HOL-Network. We can nowdelete HOL-Network

1. Click on Networks2. Select HOL-Network3. Click Delete Networks

End of Section

You have now completed this Module. Hope it was informative and youenjoyed it.

HOL-1720-SDC-1

HOL-1720-SDC-1







minutes)

How to End Lab


HOL-1720-SDC-1

HOL-1720-SDC-1



Module 4 - VIONetworking - Advanced

Networking (60 Minutes)

HOL-1720-SDC-1

HOL-1720-SDC-1

Advanced NetworkingIn this section, we focus on setting up Static Routing, Enabling/Disabling NAT andDistributed Routing. Most of the Advanced Networking section has to be completed viaNeutron CLI since Horizon Dashboard does not yet have workflows for them. We alsoswitch between CLI and NSX in vCenter to demonstrate that the Neutron Plugin isproperly mapping commands over ot NSX. Distributed Routing is probably the mostinteresting feature in this section since no other vendor can do this today.

HOL-1720-SDC-1

HOL-1720-SDC-1

Log into the OpenStack Management Server

For all CLI commands we are going to use the OpenStack Management Server (OMS),since Python and most of the OpenStack CLI tools are preinstalled there.

1. Open a Putty session2. Select oms.corp,local and3. Open the SSH session to oms.corp.local

Once you are logged into the OMS, load the OpenStack environment variables for theadmin tenant with

. cloudadmin.rc

so that you can work with the OpenStack CLI tools now.

HOL-1720-SDC-1

HOL-1720-SDC-1

Create A Static Route

Let's create a randomstaticroute via Neutron CLI and see how it maps to NSX invCenter. First we need to know the routers we presently have available with thefollowing command:

neutron router-list

Now, let's add a static route via Neutron CLI.

neutron router-update test-router-exclusive --routes type=dict list=truedestination=192.168.110.0/24,nexthop=192.168.0.2

Please Note: In this step we will not actually be testing connectivity for the staticroute.

HOL-1720-SDC-1

HOL-1720-SDC-1

Check Static Route with OpenStack CLI

Let's confirm the route was added and see if there are any other routes present.

neutron router-show test-router-exclusive

Check Static Route with OpenStack Horizon

You can also check (and create) the static route with the OpenStack Horizon WebInterface. Navigate to Project -> Network -> Routers and click on test-router-exclusive. Selecting the tab Static Routes you will see the static route we justcreated.

Navigate to NSX under vCenter

1. Swaptabs to vSphere Web Client to see how these newly created static routeappears in NSX.


HOL-1720-SDC-1

HOL-1720-SDC-1

Inspect NSX Edge Details

1. Click on NSX Edges in the Navigator Menu.2. Double-Click on the NSX Edge whose name starts with test-router-exclusive-

to open it's settings.

NSX Edge Static Routing

1. Click on the Manage tab.2. Click on Routing section.3. Click on Static Routes.

HOL-1720-SDC-1

HOL-1720-SDC-1

Note that our static route created via Neutron CLI is mapped in the static route listwithin NSX.

Let's navigate back to the Command Prompt and clear all static routes via NeutronCLI to clean up.

neutron router-update test-router-exclusive --routes action=clear

Disable SNAT (Source NAT)

Navigate back to the Command Prompt window of the OMS so that we can issueNeutron CLI commands.

List all current logical routers:

neutron router-list

List specific details for test-router-exclusive:


In VIO SNAT is enabled be default and is the primary method to get in and out of yourOpenStack environment. By disabling SNAT you effectively block traffic from the outsideand into the tenant network.

To disableSNAT issue the following Neutron CLI command:

neutron router-gateway-set --disable-snat test-router-exclusive external-network

If you redo a


HOL-1720-SDC-1

HOL-1720-SDC-1

you will see that the property enable_snat is now set to false.

***IMPORTANT*** If you disable SNAT as part of this exercise you must issue thecommand in the next Neutron CLI step to re-enable it, otherwise everything you have

built out in module 2 will no longer have external connectivity.

HOL-1720-SDC-1

HOL-1720-SDC-1

Navigate to NSX in vCenter

1. Swaptabs to vSphere Web Client to see how these newly created Static Routeappears in NSX.


Inspect NSX Edge Details

1. Click on NSX Edges in the Navigator Menu.2. Double-Click on the NSX Edge whose name starts with test-router-exclusive-

to open it's settings.

NAT in NSX under vCenter

1. Click on the Manage tab.

HOL-1720-SDC-1

HOL-1720-SDC-1

2. Click on Routing section.3. Click on StaticRoutes.

We can see that the default SNAT entry does not exist in the NSX mapped ESG routersince we disabled it via the Neutron CLI in the prior step. The only NAT entries you seeare use for the floating IPs attached to nginx-1 and worldpress-1.

HOL-1720-SDC-1

HOL-1720-SDC-1

Re-Enable SNAT (Source NAT)

***IMPORTANT*** If you disable SNAT as part of this exercise you must issue thecommand in the next Neutron CLI step to re-enable it, otherwise everything you havebuilt out in other modules will no longer have external connectivity.

First list specific details (e.g. UUID) for the test-router-exclusive


To re-enable SNAT, cut & paste the network ID string of your external-networkinto the command below:

neutron router-update test-router-exclusive --external_gateway_info type=dictnetwork_id=56fad53e-bf5f-40e9-83a4-f46cfe33a51f,enable_snat=True

If you redo a


you will see that the property enable_snat is now set to true again.

HOL-1720-SDC-1

HOL-1720-SDC-1

Inspect NSX Edge SNAT Details

If you go back to the SNAT section of the test-router-exclusive-... NSX Edge ServiceGateway you now see the default SNAT section again.

Distributed Routing Overview

Distributed Routing is unique because it enables each vSphere Compute host to performL3 routing in the kernel at line rate. The DLR is configured and managed like one logicalrouter chassis, where each host is like a logical line card. Because of that the DLR workswell as the “device” handling the East-West traffic in your virtual network. We want thistraffic to have low latency and high throughput, so it just makes sense to do this asclose to the workload as possible, hence the DLR. Since VIO is tightly integrated withNSX via the Neutron Plugin we are able to take advantage of great NSX features such asthese within an OpenStack environment that otherwise would not be possible.

For more information on Distributed Logical Routing (DLR) in NSXv you can also take alook at HOL-1703-SDC-1 lab.

Let's see how it works with VIO!

HOL-1720-SDC-1

HOL-1720-SDC-1

DLR Objectives and Topology

In the next few steps we will build a sample Logical Topology using the Neutron CLI andHorizon Dashboard. The sample topology is shown above:

• 2-tier Application (web-network and app-network).• All ICPM traffic (using the allow-ping security group) to web-01, web-02, app-02

is allowed from the inside and the outside (using floating IPs)• Use Distributed Routing for optimized East-West communications.• Use Centralized Routing for North-South connectivity.

HOL-1720-SDC-1

HOL-1720-SDC-1

Create Distributed Router

Go back to the Horizon Web Interface and create a Distributed Router named dist-router. Go to Project -> Network -> Routers -> Create Routers, enter the namedist-router, choose external-network as External Network and make sure you selectDistributed as Router Mode.

Alternatively you can also create the distributed router dist-router with the followingNeutron command on the OpenStack Management Server (OMS):

neutron router-create dist-router --distributed True

HOL-1720-SDC-1

HOL-1720-SDC-1

Create two Networks - Step 1

We create 2 networks app-network and web-network using the Horizon WebInterface. We will only show the steps for the app-network, but of course you have torepeat the steps for the web-network (using a different IP range of course)

HOL-1720-SDC-1

HOL-1720-SDC-1


In this step we add the subnet details for app-subnet using the IP range 10.10.30.0/24 (for web-subnet use 10.10.40.0/24).

HOL-1720-SDC-1

HOL-1720-SDC-1


We enable DHCP (so the VMs will get IP addresses starting with .3 up to .254 in the10.10.30.0/24 resp. 10.10.40.0/24 IP ranges (.1 is used for the default gateway and .2for the DHCP server). As DNS server we use the Control Center (192.168.110.10) whichhas a Windows DNS Server installed. Click Create to create the app-network andrepeat the exercise with the web-network (using the IP range 10.10.40.0/24)

HOL-1720-SDC-1

HOL-1720-SDC-1

Check new Networks

In the network overview you see the two new networks app-network and web-network with the associated subnets app-subnet and web-subnet.

Add Networks To Distributed Router

Click the dist-router to bring up the detailed router view.

Add Interface

In the Interfaces tabClick the + Add Interface button.

HOL-1720-SDC-1

HOL-1720-SDC-1

Add web-network and app-network as Interfaces

1. Selectapp-network: 10.0.30.0/24 (app-subnet)" from Subnet drop-downmenu.

2. Click the Add Interface button.

Make sure to do this for web-network: 10.10.40.0/24 (web-subnet) as well.

Please Note: Only VXLAN-backed networks are supported on the DLR (no VLANsupport).

HOL-1720-SDC-1

HOL-1720-SDC-1

Check Router Details - Interfaces

If the last few steps were completed correctly, you should see 3 interfaces (2 internaland 1 external) connected to your dist-router similar to the screenshot above.

HOL-1720-SDC-1

HOL-1720-SDC-1

Confirming In Topology View

In this Network Toplogyview you can see all the networks connected to the newlycreated distributed router dist-router. Note that the distributed router appears as asingle entity even though on the NSX backend it is really two: a Distributed LogicalRouter connected to an Edge Services Gateway (ESG) called the Provider LogicalRouter (PLR) used e.g. for the NAT configuration, which can not be done on the DLR.

Creating 3 Nova Instances

To create the three VM Instances you have to identify the correct Networks and e.g.allow-ping security group UUID's first with the following commands:

HOL-1720-SDC-1

HOL-1720-SDC-1

neutron net-list

nova secgroup-list

Now you can create 3 new Nova instances with the following commands on the OMScommand line. For the sake of simplicity we use the nginx image fo all three VMs.

nova boot --image nginx --flavor m1.small --nic net-id=d61d29ae-5c22-4c77-af7a-5bcc14381975--security-groups 2eaecb8f-d81f-4d9b-b860-0ff0c352fbe6web-01

nova boot --image nginx --flavor m1.small --nicnet-id=d61d29ae-5c22-4c77-af7a-5bcc14381975--security-groups2eaecb8f-d81f-4d9b-b860-0ff0c352fbe6 web-02

nova boot --image nginx --flavor m1.small --nicnet-id=7660f542-2c12-4d16-9fbb-04fdc9057b65--security-groups2eaecb8f-d81f-4d9b-b860-0ff0c352fbe6 app-01

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

Check Network Topology again

In the Network Toplogyview you can check if the three new VMs are attached to thecorrect networks (app-01 to app-network and web-01/web-02 to web-network)similar to the screenshot above.

HOL-1720-SDC-1

HOL-1720-SDC-1

Adding Back Floating IP's

Navigate to the Instances view so that we can associate Floating IP mappings backunder the dist-router.

1. Click on Project pane.2. Click on Compute sub-pane.3. Click on Instances menu item.4. Click on Drop-Downbutton for web-015. Click the AssociateFloatingIP menu item.

Make sure to do this for the other web-02 instance as well.

It is important to add back the Floating IP's for the web servers so that they have anexternal address that we can ping.

HOL-1720-SDC-1

HOL-1720-SDC-1

Attach Floating IP's For Both web-01 & web-02

1. Click the + Button to generate a floating IP (keep the new floating IP showing upin the drop down menu)

2. Click the Associate button.

Repeat the same steps for web-02 as well.

HOL-1720-SDC-1

HOL-1720-SDC-1

Confirming Floating IP Attachments

If done correctly you should see an additional IP Address for web-01 and web-02created.

Navigate to vCenter

1. Swaptabs to vSphere Web Client to see how these newly created SecurityGroups in OpenStack appear in NSX.


HOL-1720-SDC-1

HOL-1720-SDC-1

Distributed Router Configured in NSX under vCenter

You can see that VIO has launched a logical router called dist-router and also an ESGcalled dist-router-plr. The Logical Router scales out East-West, while the ESG acts asthe North-South gateway or Provider Logical Router (PLR). Let's drill down on bothrouters starting with the Logical Router first.

Double-Click on dist-router-...ID to viewsettings.

Logical Router Interfaces

You can see the three networks we attached in the Horizon Dashboard. One Externaland two Internal.

Click on Networking & Security back button in the Navigator window to go back to theprevious screen.

HOL-1720-SDC-1

HOL-1720-SDC-1

View the NSX Provider Logical Router ESG

Double-Click on the dist-router-plr...ID to edit and view it;s settings.

ESG Interfaces

1. Click on the Manage tab.2. Click on Settings option.3. Click on Interfaces to view the connected DLR and External connection.

Remember in Horizon Dashboard the DLR and this ESG appear as a single entity, but inreality they are not and follow NSX suggested best practices for deployment.

HOL-1720-SDC-1

HOL-1720-SDC-1

ESG NAT Settings

Click on the NAT option. Note all the NAT entries that were configured to allowexternal connectivity. Here we can also see the Floating IP's generated in one of theprevious steps.

HOL-1720-SDC-1

HOL-1720-SDC-1

Open Console

Let's Navigate to the Instances view so that we can open a console to web-01(web-02 and app-01) and test connectivity.

1. Click on Project pane.2. Click on Compute sub-pane.3. Click on Instances menu item.4. Click on Drop-Down Menu button for web-01 (web-02 and app-01)5. Click on Console in the opened menu.6. Right-Click on Click here to show only console and select "Open link in

new tab".

Note the various IP addresses assigned to our three instances by DHCP for the web-network and app-network.

• web-01: IP Address: 10.10.40.3 ; Default Gateway: 10.10.40.1• web-02: IP Address: 10.10.40.4 ; Default Gateway: 10.10.40.1• app-01: IP Address: 10.10.30.3 ; Default Gateway: 10.10.30.1

Login To Console and Ping Instance

Once inside the console window, authenticate to web-01, web-02 and app-01respectively using:

• Login: root• Password: VMware1!

Please Note: Since the security policies on the Photon OS instances we used (nginx)are very strict, simple ping tests will not work, so we have to add some iptables rulesfirst to allow ping. The correct rule-set would be

HOL-1720-SDC-1

HOL-1720-SDC-1

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

but to simplify your tests just enter the following commands in all VM instances(web-01, web-02 and app-01) :

iptables -F

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

First check the IP address of the web-01 instance you've selected (that should be10.10.40.3):

ifconfig eth0

Ping the other web-02 instance IP address (10.10.40.4 in our example above).

The expected behaviour is that pings should work between web-01 and web-02 sincewe did not define any Micro-Segmentation policies do deny them.

Please Note: If you forgot the IP addresses for your test instances, you can find themon the Instances list in the Horizon Dashboard.

ping -c 3 10.10.40.4

You can also pingapp-01 where the expected behaviour is to allow pings also.

ping -c 3 10.10.30.3

HOL-1720-SDC-1

HOL-1720-SDC-1

Open Command Prompt

Open a new window of Command Prompt conveniently located in your Windowstaskbar.

Ping Floating IP

Let's trying pinging both of our Floating IP's that we assigned to web-01 and web-02wat the beginning of this section.

In our lab screenshot example we have:

• web-01 Floating IP address mapped to 192.168.0.217• web-02 Floating IP address mapped to 192.168.0.218

HOL-1720-SDC-1

HOL-1720-SDC-1

Please Note: The Floating IP mappings can vary from lab to lab. In order to find yourmapping, you would need to navigate back to the Instances view found underCompute in the Horizon Dashboard navigation window pane.

Test connectivity for web-01.

ping -c 2 192.168.0.217

Test connectivity for web-02.

ping -c 2 192.168.0.218

All of these connectivity tests validate that our original objective in our sample topologyhas been achieved. We now have a distributed router that is able to scale east-west andresides on all Compute Hosts with two networks and three instances attached.

Close the console window and Command Prompt window.

HOL-1720-SDC-1

HOL-1720-SDC-1

Environment Clean-up - Step 1

To clean up the environment first terminate the three VM instances web-01, web-02and app-01.


Then delete the two internal interfaces (app-network and web-network) from thedist-router (go to the Routers tab, click the dist-router link and select theInterfaces tab first).

HOL-1720-SDC-1

HOL-1720-SDC-1


Now you can delete the router dist-router.


And finally you can delete the app-network and web-network and check the NetworkTopology.

Congratulations HOL user, you have successfully completed this section!

HOL-1720-SDC-1

HOL-1720-SDC-1







minutes)

How to End Lab


HOL-1720-SDC-1

HOL-1720-SDC-1



Module 5 - LeveragingAdvanced OpenStackFeatures (60 Minutes)

HOL-1720-SDC-1

HOL-1720-SDC-1

Environment SetupThe objective of this section is to provide steps to get web browser tabs opened to theappropriate portal pages in preparation for the rest of the module.

Check Lab Status

You must wait until the Lab Status is at Ready before you begin. If you receive anerror message, please end the lab and redeploy another.

Clean Up (If Necessary)

If you are starting this module and have previously completed other modules of this lab,please make sure to delete and remove any artifacts that may be left over. While eachmodule in this lab are related to one another and configured in an intuitive chronologicalorder, they are also designed to be autonomous, self contained and do not build fromone another. Meaning that you do not need to take Module 1 in order to take Module 2,etc.

Launch Web Browser

Click to launch the Google Chrome web browser icon located on your HOL desktop.

vSphere Web Client

1. Click on the vCenter Web Client bookmark to open the vSphere Web Client ina new tab. (It may already be open.)

2. Click the checkbox for Windows session authentication (since you arelogged in as Administrator you can use this short-cut)

HOL-1720-SDC-1

HOL-1720-SDC-1

3. Click the Login button.

Please Note: The first time you login to vSphere Web Client takes a bit longer and insome cases up to a minute.

Create New Tab

Click to create a new Web Browser Tab.

HOL-1720-SDC-1

HOL-1720-SDC-1

Horizon Dashboard

1. Click on the VIO Horizon bookmark to open the Horizon Dashboard loginportal.

2. Type the User Name: admin3. Type the Password: VMware1! (case-sensitive)4. Click the Sign In button.

Please Note: The first time you login to Horizon Dashboard takes a bit longer and insome cases up to a minute.

HOL-1720-SDC-1

HOL-1720-SDC-1

CLI Tools: Nova, Neutron, CinderThe OpenStack Community offers a set of bundled CLI binaries packaged with theOpenStack project clients. These clients utilize Python API libraries to interact with theircorresponding project APIs. A universal OpenStack client will eventually replace theindividual ones (in fact, the Keystone client has been deprecated in favor of theuniversal client). In the meantime, cloud users can install the existing clients and usethem to simplify operations and configuration tasks.

In this section, we will use the following clients (which are installed on the OpenStackManagement Server (OMS)):

• Nova - Compute API and extensions• Neutron - Networking API• Cinder - Block Storage API and extensions

The Glance and Heat CLI clients are also installed, but we won't be using them. Thereare sections dedicated to these projects, with several advanced operations that we willbe running later.

Basic Nova and Neutron CLI operations

Nova is the compute project in OpenStack and it provides self-service access toscalable, on-demand compute resources. Refer to Module one of this lab (HOL-SDC-1720) for additional information on Nova. Let's run a few Nova CLI commands onthe OpenStack Management Server to get you familiarised with the CLI tools. First,open Putty from your ControlCenter.

HOL-1720-SDC-1

HOL-1720-SDC-1

https://wiki.openstack.org/wiki/OpenStack

Access OpenStack CLI tools on OpenStack ManagementServer (OMS)

Then double-click oms.corp.localto open a SSH connection to the OpenStackManagement Server. You don't need to enter the credentials (viouser/VMware1!), sinceaccess with SSH keys for the user viouser has been pre-configured. As stated earlier, allCLI tools and Python libraries are installed on the OMS.

HOL-1720-SDC-1

HOL-1720-SDC-1

Load OpenStack Environment Variables for the admin User

From the command prompt, type the following command to check the configuredvariables in the cloudadmin.rc file

cat cloudadmin.rc

To load the environment variables with the OpenStack Admin credentials so you can runcommands directly as the "admin" tenant - type the below command.

. cloudadmin.rc

Display Running Nova Instances

From the command prompt, type the following command:

nova list

This will display (after a moment) a list of the running and failed instances currentlyowned by the admin tenant. Please notice that the screenshot may differ from what yousee on your side, depending on whether or not you are accessing this module directly.

HOL-1720-SDC-1

HOL-1720-SDC-1

Display List of Available Flavors and Images

Run the following commands to display a list of available flavors and images (keep inmind that you have command completion available on the OMS, i.e. use <TAB><TAB>to auto-complete your command or see available options):

nova flavor-list

nova image-list

Flavors are virtual hardware templates in OpenStack, which define sizes for RAM, disk,number of cores when launching instances. OpenStack images can often be thought ofas "virtual machine templates." Later on, we will be running some advanced operationswith image manipulation using Glance.

Display Available Networks and Security Groups

We will switch gears a little bit and use a Neutron CLI command to display the networksthat are available to the admin tenant. Module 2 of this lab covers advanced Neutronoperations, which include Neutron CLI options in more depth. Type the followingcommands:

neutron net-list

neutron security-group-list

HOL-1720-SDC-1

HOL-1720-SDC-1

Note the UUID for the test-network , 68b09faf-c633-463c-9efb-41281740781e. Youwill see multiple default Security Groups. OpenStack creates one default SecurityGroup per tenant and the admin tenant sees them all. For our next exercise we will beusing the security-group allow-http with UUID3cf01086-b850-4f77-9f55-b0a621d870f5:

Launch Multiple Nova Instances (bulk operation)

Again, from the command prompt, type the following command to launch 2 instancessimultaneously on the nest-network while using the nginx image in the catalog. Thenginx image is based on PhotonOS 1.0 with a running vmwarecna/nginx Dockerinstance reachable on port 80 of the host. Both instances will have the prefix test-nginx in their names, followed by an number :

nova boot --num-instances 2 --image nginx --flavor m1.small --nicnet-id=68b09faf-c633-463c-9efb-41281740781e --security-groups3cf01086-b850-4f77-9f55-b0a621d870f5 test-nginx

Please make sure you are using the allow-http Security Group with UUID3cf01086-b850-4f77-9f55-b0a621d870f5.

Notice the command syntaxt follows this format:

HOL-1720-SDC-1

HOL-1720-SDC-1

nova boot --num-instances=NUMBER --image IMAGE --flavor FLAVOR --nic net-id=NET-UUID--security-groups UUID VM-NAME

HOL-1720-SDC-1

HOL-1720-SDC-1

List the New Running Instances

Type nova list again to display the current status of your Instances, as well as the IPaddress assigned to them by Neutron DHCP.

nova list

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify the new running Instances in Horizon

We will check with the Horizon Web interface that our two Nova instances have beencreated successfully.

1. Log into the Horozon Web Interface as admin user and make sure you selectedthe admin project.

2. Select the Project Tab3. Select Compute4. Select Instances

The two Nova instances have the names test-nginx-1 and test-nginx-2 with an IPaddress in the 10.10.10.0/24 range.

Create a Neutron Network

Module 2 covers the Neutron + NSX integration in great detail, but we wil revisit somebasic Neutron operations in case you are accessing this module directly. From the OMScommand prompt, type the following command to create a Neutron network calledtest-network-2:

neutron net-create test-network-2

A Neutron Network created in this manner will map to an NSX logical switch (VXLAN-backed port group). The use of VXLAN overlays allows OpenStack tenants to access self-

HOL-1720-SDC-1

HOL-1720-SDC-1

service network operations without the need to interact with the physical network (i.e.no requirements for VLAN pre-provisioning or maintenance). Overlays also enablegreater scalability and better utilization of your private cloud infrastructure.

HOL-1720-SDC-1

HOL-1720-SDC-1

Create a Neutron Subnet

The net-create command only provisions a L2 segment for the tenant with no L3identity. For tenants to be able to launch instances on this Neutron network, it isnecessary to create its corresponding Neutron subnet. Run the following command tocreate a subnet called on the 192.168.10.0/24 range, with 192.168.10.254 as thedefault gateway. DHCP will be enabled by default on this subnet and will be provided inthe back-end by an NSX Edge Services Gateway (ESG):

neutron subnet-create --gateway 192.168.10.254 test-network-2 192.168.10.0/24

HOL-1720-SDC-1

HOL-1720-SDC-1

List your Newly Created Network and Subnet

Type the following command to display the newly created Neutron constructs:

neutron net-list

neutron subnet-list

You are ready to launch VMs on this network. Remember, we did all this using self-service workflows and never had to call the network admin!

HOL-1720-SDC-1

HOL-1720-SDC-1

Create a Persistent Volume Using Cinder CLI

Cinder is the persistent block storage service in OpenStack. Tenants can createpersistent volumes and attach them to instances on demand. Let's create a simpleCinder volume, 1GB in size called test-volume. Notice that while we use Nova CLI toaccomplish this task, the backe-end is communicating with Cinder to honor theprovisioning request. Important: take note of the volume UUID (i.e.4130f441-6feb-4a8c-a4ef-10756277a4bb), since we will need it later.

nova volume-create --display_name test-volume 1

Attach the Volume to the Instance

Run this command to attach the volume to the instance in question

Note: The instance and volume UUID will be different in your lab

nova volume-list

nova list

HOL-1720-SDC-1

HOL-1720-SDC-1

nova volume-attach <nova-instance-UUID> <nova-volume-UUID> auto

The first UUID is the ID for the target instance, while the second UUID identifies theCinder volume. The auto parameter indicates that Nova must attempt to automaticallyassign a device identifier to the volume within the guest. Notice the device id, /dev/sdb. This is the path you would use in the Guest OS.

Check of the Volume Attachement

Your volume is now attached and whatever data you store on it will survive instancerecycling (destroy/create/re-attach operations). The command

nova volume-list

now shows that the test-volume with UUID 4130f441-6feb-4a8c-a4ef-10756277a4bb is attached to the VM instance with UUID6cb8e05a-53f6-45da-9eb3-cdf5fc8139b1.

HOL-1720-SDC-1

HOL-1720-SDC-1

Cleaning up the Volumes

We will now clean up all the objects we created in thi part of Module 5. We first detachthe volume from the instance using the correct UUIDs (yours will be different!) anddelete the volume. Please check with nova volume-list that the volume is deleted

nova volume-detach 6cb8e05a-53f6-45da-9eb3-cdf5fc8139b1 4130f441-6feb-4a8c-a4ef-10756277a4bb

nova volume-delete 4130f441-6feb-4a8c-a4ef-10756277a4bb

nova volume-list

HOL-1720-SDC-1

HOL-1720-SDC-1

Cleaning up the Nova Instances

To clean up the Nova instances test-nginx-1 and test-nginx-2 we first have to gettheir UUIDs, which can then be used to delete the instances. Please check with novalist that both instances have been deleted and keep in mind that your UUID's will bedifferent.

nova list

nova delete <test-nginx-1 UUID> <test-nginx-2 UUID>

HOL-1720-SDC-1

HOL-1720-SDC-1

Cleaning up the Neutron Networks

To delete the Neutron test-network-2 we first need to get its UUID, which can then beused to delete the network and its associated subnet in a single step (please check itwith neutron subnet-list). Please keep in mind that your UUID's will be different.

neutron net-list

neutron net-delete <test-network-2 UUID>

neutron subnet-list

This completes this section of Module 5.

HOL-1720-SDC-1

HOL-1720-SDC-1

Working with Glance Image CatalogsAn OpenStack cloud without any images is like a physical server without an operatingsystem (not so useful!). To support rapid provisioning, VMs are instantiated from a pre-built operating system image (for vSphere administrators, a very good analogy would bethe VM Template from which we clone). VIO / OpenStack provides an Image Servicecalled Glance for storage and management of OpenStack images. There are severaladministration options, with both UI and CLI based options illustrated in the upcominglab exercises.

OpenStack - vSphere integration

VIO populates uploaded images to a designated vSphere datastore (shown in thediagram). OpenStack supports many image formats, but we will only focus on the mostcommon with the main objective being to get up and running as quickly as possible.

Using an Existing Image

VIO is bundled with an existing image built fromUbuntu 14.04, a lightweight Linuxdistribution that can be used to learn the basics of consuming existing images. DuringVIO installation a Glance datastore is selected, which is where the initial image willreside. All future images that get uploaded to Glance will sit here as well.

HOL-1720-SDC-1

HOL-1720-SDC-1

There are two common ways to retrieve information about existing images:

• Horizon (WebUI)• Glance (CLI tools)

Browsing the Image Catalog with Horizon

Public images are accessible to all projects (tenants), and are typically provided by anOpenStack administrator. The pre-bundled image is public and can be found usingHorizon by navigating to Project > Compute > Images. You will only see the twoPhoton OS based images wordpress and nginx, since we deleted theubuntu-14.04-amd64 image to keep the lab as small as possible.

Browsing the Image Catalog with the Glance CLI

Run the following glance command from the OpenStack Management Server (OMS)prompt:

glance image-list

It may seems like a lot of work just to accomplish the same thing with the CLI, but theupfront work will pay HUGE dividends later. There are a variety of OpenStack APIs thatare only available to users who are familiar with the command line tools. In other words,even if you think of them as an “Option B”, they will at times be necessary. And forthose who are used to the CLI, these are a great entry point to automating repeatableinfrastructure activities (e.g. provisioning entire topologies with a single script).

HOL-1720-SDC-1

HOL-1720-SDC-1

Image Conversion and Creation

Why convert?

There are a large number of pre-built OpenStack images available, but they exist inqcow2 image format. This is not an ESXi-friendly image without conversion. You canconvert qcow2 images to the VMDK format by hand using qemu-img

qemu-img convert -p -O vmdk -f qcow2 trusty-server-cloudimg-amd64-disk1.img ubuntu.vmdk

and upload them to the Glance repository or let VIO handle that for you automaticallywhen you create an image (see screenshot, but the latter case only works with imagesyou host somewhere, not with local images). The behavior of the instance is exactly thesame, but it is now running on vSphere with the ability to leverage all of the underlyingplatform technology (e.g. HA, vMotion, DRS, and so on).

HOL-1720-SDC-1

HOL-1720-SDC-1

Import the image file into vSphere

In VIO 1.0, the process to create a Glance image that can boot correctly in vSphere,requires said image to incorporate all the necessary and compatible metadata. Thesafest way to guarantee this is to upload the converted VMDK to a vSphere Datastore,create a reference VM with the VMDK attached as an existing Hard Disk and then exportthe VM as OVA image (see screenshot) that can easily be used in VIO to create theGlance image.

The process described above in cumbersome, and for that reason a new Glance utility,glance-import (available on the VIO controller nodes), has been developed thatfacilitates the direct creation of an image without having to import a disk into vSphereand export it to OVA. There's no need to convert the image file to the VMDK formatanymore since this is handled by glance-import automatically with the followingcommand (Remember: We do not have internet connection in this lab!).:

glance-import cirros-0.3.4 qcow2 http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img

If you want more control over the image creation process you can also use theglanceimage-create command as in the following command:

glance image-create --name cirros-0.3.4 --container-format bare --propertyvmware_disktype="sparse" --property vmware_adaptertype="ide" --disk-format vmdk --is-publicTrue --location http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img

Importing an OVA image is even simpler:

glance image-create --name ubuntu --disk-format vmdk --container-format ova --file ubuntu.ova--progress

HOL-1720-SDC-1

HOL-1720-SDC-1

http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img



Create new vSphere Template - Step 1

Existing vSphere Templates can be imported into VIO since version 2.5. To simplify thefollowing steps and to minimize ressource usage in this lab, you are going to create atemplate from the existing nginx Glance Image.

1. Navigate to VMs & Templates > vcsa-01a.corp.local > RegionA01 >OpenStack > Images > RegionA01-ISCSI01-COMP01 > nginx

2. Right-click nginx-1G3. Select Clone to Template

HOL-1720-SDC-1

HOL-1720-SDC-1


1. Choose ubuntu as the new template name (you know that this is a Photon OSimage, but pretend this to be a Ubuntu image for the rest of this section ;-))

2. Choose OpenStack as the location of the template.3. Click Next

HOL-1720-SDC-1

HOL-1720-SDC-1


1. Choose RegionA01-MGMT01 > esx-05a.corp.local as compute resource2. Click Next

HOL-1720-SDC-1

HOL-1720-SDC-1


1. Choose RegionA01-ISCSI01-MGMT01 as Datastore2. Click Next and Finish in the next step

HOL-1720-SDC-1

HOL-1720-SDC-1

Import existing vSphere Template as Glance Image

Note: The cloning process for the VM will take a while, please ensure thatprocess is complete before continuing with the below command.

Let's import this new ubuntu template into VIO with the following command.

glance image-create --name ubuntu-14.04-amd64 --disk-format vmdk --container-format bare--location "vi://vcsa-01a.corp.local/RegionA01/vm/OpenStack/ubuntu"

Finding the correct template URL is probably the most challenging part here, but keep inmind that the vi:// locator format is similar to the one used by ovftool. vSphere doesnot copy the template to the Glance Datastore, but just keeps a link to the correcttemplate location and uses this information to create new instances.

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify new Glance Image

Let's check that the new Glance image is indeed available with

glance image-list

Deeper Look at new Glance Image

Using the correct UUID of the ubuntu-14.04-amd64 Glance image obtained withglance image-list you can check its correct location with the following command:

glance --os-image-api-version 2 image-show 1c65578c-2fd6-46d2-8701-43b4cf9c62ae

Keep in mind that this Glance image is just a link to a Template sitting outside theGlance Datastore!

HOL-1720-SDC-1

HOL-1720-SDC-1

Creating a Test Instance Using the New Image

To create a new VM Instance you have to identify the correct test-network and e.g.allow-ping security group UUID's first with the following commands:

neutron net-list

nova secgroup-list

Now you can create a new ubuntu-14.04-amd64 instance called ubuntu using

nova boot --image ubuntu-14.04-amd64 --flavor m1.small --nicnet-id=68b09faf-c633-463c-9efb-41281740781e --security-groups2eaecb8f-d81f-4d9b-b860-0ff0c352fbe6 ubuntu

HOL-1720-SDC-1

HOL-1720-SDC-1

Verify Instance Creation

Run the nova-list command to verify the instance booted correctly. If you see an errorstatus message, please ignore it. We are resource-constrained in this lab and sometimeswe run out of space in the compute cluster when doing new instance placement.

nova list

Summary: What Did vSphere Just Do?

vSphere did more than just create a VM and power it on, here are the steps:

1. The VMDK is copied from the Glance datastore to the ESXi cluster’s computedatastore. If the original image was sparse, the VMDK on the destinationdatastore will be larger (same size as the virtual disk).

2. The VMDK is cached on the local datastore. Any future instances spawned fromthis image will use linked clones, and thus be provisioned almost instantaneously.

3. A “shadow VM” is created per cached image. These will show up as “Managed”VMs in vCenter, with a naming convention similar to meta-<uuid>.

4. The new instance is created as a linked clone VM using the correct meta-<uuid>for a replica disk.

5. The new VM is powered up.

HOL-1720-SDC-1

HOL-1720-SDC-1

Using vSphere Resource Pools with VIO

New in VIO 2.5: If you create a new Resource Pool with the name of an OpenStackTenant (e.g. admin) then all the Nova Instances created by that tenant will go to thatResource Pool. This is a very useful Feature of VIO 2.5!

This completes the advanced Glance section.

HOL-1720-SDC-1

HOL-1720-SDC-1

API Consumption: Heat Templates,Container Deployment

• Heat provides a mechanism for orchestrating OpenStack resources through theuse of modular templates. Heat uses the YAML(Yet Another MarkupLanguage)file format to describe the infrastructure for a cloud application. AStack is a group of connected cloud resources (instances, volumes, …) createdby a Heat template.

HOL-1720-SDC-1

HOL-1720-SDC-1

Heat Template Structure

A Heat template uses YAML to describe the infrastructure for a cloud application in atext file that is readable and writable by humans, and can be checked into versioncontrol, diffed, etc. Infrastructure resources that can be described include: servers,floating IPs, volumes, security groups, users, etc. All of this is saved in a HeatOrchestration Template (HOT) for repeated deployments. Other formats exist (likeJSON).

Heat is compatible with AWS CloudFormations format from Amazon. Topology andOrchestration Specification for Cloud Application (TOSCA) is still a work in progress, fornow you can use a translate them to HOT using https://github.com/stackforge/heat-translator.

Heat also provides an Autoscaling service that integrates with Ceilometer, so you caninclude a scaling group as a resource in a template.

Templates can also specify the relationships between resources (e.g. this volume isconnected to this server). This enables Heat to call out to the OpenStack APIs to createall of your infrastructure in the correct order to completely launch your application.

Heat manages the whole lifecycle of the application - when you need to change yourinfrastructure, simply modify the template and use it to update your existing stack. Heatknows how to make the necessary changes. It will delete all of the resources when youare finished with the application, too.

Heat primarily manages infrastructure, but the templates integrate well with softwareconfiguration management tools such as Puppet, Chef or Ansible.

You’ll find a Hello World example at https://github.com/openstack/heat-templates/blob/master/hot/hello_world.yaml

Parameters can be: string, number, comma_delimited_list, json or bolean

HOL-1720-SDC-1

HOL-1720-SDC-1

https://github.com/stackforge/heat-translator.

https://github.com/stackforge/heat-translator.

https://github.com/openstack/heat-templates/blob/master/hot/hello_world.yaml

https://github.com/openstack/heat-templates/blob/master/hot/hello_world.yaml

Exploring a Sample Heat template

Open the Windows explorer and navigate to Desktop > HOL-1720. Right-click on thefile named photon-sample.yaml and select Edit with Notepad++.

HOL-1720-SDC-1

HOL-1720-SDC-1

Exploring a Sample Heat Template (continued)

Take your time and explore the template structure. This particular Heat OrchestrationTemplate builds a single-tier application (using a Photon OS image with running nginxweb server) with a router connected to an external network (source NAT enabled bydefault).

HOL-1720-SDC-1

HOL-1720-SDC-1

Browse the HOT from Horizon

Important: Before proceeding, please make sure you terminate any instance that is inscheduling or spawning state from previous exercises. You can do this from Project >Compute > Instances.

From the Horizon UI login as admin tenant and:

1. Navigate to Project2. Select Orchestration3. Select Stacks4. Click on Launch Stack.5. Select File as Template Source.6. Navigate to Desktop > HOL-1720 to select the file photon-sample.yaml.7. Click Next

Launch the Stack

1. Enter test-stack under Stack Name.2. Click Rollback On Failure.3. Enter a Password for the admin user: VMware1!4. Check that the Flavor is m1.small (otherwise the Stack deployment will fail)5. Click "Launch".

HOL-1720-SDC-1

HOL-1720-SDC-1

The ext-net UUID has been pre-populated with the correct UUID of the pre-createdexternal network, but you can check that if you want. The container host nginx has theDocker image vmwarecna/nginx already downloaded and running, so you do not needa local Docker registry or Internet access to successfully launch this stack.

Verify the Stack Has Been Successfully Created

Verify that the stack was successfully launched and the components were successfullycreated:

1. Navigate to Project > Orchestration > Stacks2. Verify that the stack you launched shows the status Create Complete.

HOL-1720-SDC-1

HOL-1720-SDC-1

You can also navigate to Project > Network > Network Topology and verify thesingle app has been created.

Stack Details: Topology

Click on test-stack and chose the Topology tab to see the topology of all theressources which have been created by the Heat template photon-template.yaml.

HOL-1720-SDC-1

HOL-1720-SDC-1

Stack Details: Resources

Click on the Resources tab to show the deployed resources in table format.

HOL-1720-SDC-1

HOL-1720-SDC-1

Understanding the Stack Sequence

You can display a sequence of actions executed by your Heat Template by selecting theEvents tab. Generally, the Heat Template will follow a sequence similar to the manualworkflow that you would use if you were to build the application by interacting with theindividual APIs.

HOL-1720-SDC-1

HOL-1720-SDC-1

Heat CLI

The OpenStack Heat project also provides a Python-based Heat CLI. Go back to yourOpenStack Management Server (OMS) Putty session (or log in again) first, then installthe python-heatclient package (using the local OMS repository) and check the statusof the test-stack using the following commands:

sudo apt-get install python-heatclient

. cloudadmin.rc

heat stack-list

HOL-1720-SDC-1

HOL-1720-SDC-1

Cleaning up the Heat Stack

To delete the test-stack

1. Navigate to Project > Orchestration > Stacks2. Select Delete Stack from the pop-up menu of the deployed test-stack (and

confirm the action).

This concludes the Heat automation section.

HOL-1720-SDC-1

HOL-1720-SDC-1







minutes)

How to End Lab


HOL-1720-SDC-1

HOL-1720-SDC-1



Module 6 - Using VMwarevRealize Solutions to

Operationalize OpenStack(30 Minutes)

HOL-1720-SDC-1

HOL-1720-SDC-1

Overview of OpenStack Operations,Log Insight, and vRealize OperationsThe purpose of the next section is to provide an overview of troubleshooting andmanagement tools that are available for your VIO deployment. There are manycomponents within OpenStack that should be managed and in order to quickly diagnoseand troubleshoot issues, the right tools should be in place to suppor your operationalteams. We will be diving into Log Insight, vRealize Operations, and native capabilitieswithin VIO vCenter plugin.

Operationalizing OpenStack

OpenStack by nature is a myriad of different open source projects pulled together toprovide a common platform for deploying compute, storage and network. Because ofthe distributed nature of the platform, it can be complex and fragile at times. TheOpenStack community has published a guide:

http://docs.openstack.org/openstack-ops/content/

that talks about the different pieces of OpenStack and operational aspects of supportingan OpenStack environment. What you will clearly realize is that the documentationprovides a lot of insight into what should be checked, how to check it, where to findlogs, etc. However, it makes very few suggestions as to the tooling (for obvious reasonsto be unbiased) around operations. Regardless of which tool you use, you absolutelyneed to have an infrastructure health management and logging tool at the veryminimum. In this section we will discuss the benefits of vRealize Log Insight andvRealize Operations Manager and why these tools have been designed to help simplifyand manage large complex environments like OpenStack.

vRealize Log Insight for OpenStack

vRealize Log Insight is a real-time log management platform that focuses on deliveringhigh performance search across physical, virtual, and cloud environments. Log Insight isextremely intuitive to use and the integration with the VMware suite of solutions makescapturing logs extremely easy.

Specifically as it relates to OpenStack, a special Log Insight OpenStack managementpack (there are over 30 management packs for various solutions) can be downloadedfor free. This integrated management pack, enables operators to view OpenStackrelevant information within a handful of pre-created dashboards. Custom dashboardscan also be created.

OpenStack is log heavy-- each service has a handful of logs and correlating all theinformation across the different services is extremely painful without a centralized

HOL-1720-SDC-1

HOL-1720-SDC-1

http://docs.openstack.org/openstack-ops/content/

logging service. Having a logging mechanism in place when managing an OpenStackenvironment is a must.

Additional management packs allow the operator to view information related to thevSphere and NSX environments. There are dashboards pre-created for these solutionsas well. This makes Log Insight immediately useful out of the box for whateverapplication you want to collect logs from!

vRealize Operations Manager for OpenStack

Similar to Log Insight, vRealize Operations Manager plays a crucial role in managing anOpenStack environment. Part of managing OpenStack is keeping a close eye on theinfrastructure health of your cloud. Are you close to running out of memory? Cpu?Storage? Do you have network/storage IO issues? How do you manage 50K VM's? Arethere parts of my OpenStack infrastructure that are over committed and performingpoorly as a result?? Are there any anomalies? Are my services up and running? Youcan tell, there can be a tremendous amount of information to collect to get the realhealth of your environment. However, you want the information in digestable form. Youdon't want to be collecting and viewing 50,000 CPU, memory, storage, network metrics.That would be impossible. vRealize Operations Manager simplifies this by collecting all

the data but rolling up a health score and explaining why.

The OpenStack management pack for vRealize Operations offer pre-created dashboardsto quickly view the health of the environment all the way up to the services that arerunning within the OpenStack infrastructure. Are my keystone services running? Is mynova-compute running?

HOL-1720-SDC-1

HOL-1720-SDC-1

vRealize Operations also has integration into NSX, so that you can monitor theNetworking infrastructure underpinning your OpenStack deployment.

So many questions can be answered through vRealize Operations Manager and inconjunction, both Log Insight and vRealize Operations are the foundation for keepingyour OpenStack cloud healthy so you can sleep easy at night and keep your usershappy.

HOL-1720-SDC-1

HOL-1720-SDC-1

Troubleshooting with Log Insight andvRealize OperationsvRealize Operations is a platform that allows you to automate IT operations, manageperformance and gain visibility across physical and virtual infrastructure. There is alarge ecosystem around vRealize Operations and the management packs relevant toVIO are the OpenStack management pack and the NSX-vSphere management pack. Wewill get an overview of what these two management packs provide.

Before we Start the Section - Administrative Tasks

Before we begin, let's start a quick scenario for this troubleshooting section.

1. Click Windows Icon

2. Click on Putty

HOL-1720-SDC-1

HOL-1720-SDC-1

Log into OpenStack Management Server (oms.corp.local)

1. Select the oms.corp.local preconfigured session2. Click Load

HOL-1720-SDC-1

HOL-1720-SDC-1

You will be logged in as viouser and run a ssh command

1. You will be automatically logged in as viouser. Note: if for some reason, this does nothappen automatically the viouser password is VMware1!

2. At the prompt run the following ssh command and hit enter

viouser@oms:~$ ssh loadbalancer01 'sudo service nova-compute stop > /dev/null'

in the command prompt. There should be no output message.

3. Exit the Putty window and let's go on to the overview!

vRealize Operations and Log Insight Overview

Click on Google Chrome to launch the browser if it is not already open.

1. Click on vRealize Operations on the toolbar

vRealize Operations Login

The fields will be filled in for you. Click Login

Login as

user: admin

HOL-1720-SDC-1

HOL-1720-SDC-1

password: VMware1!

Go to Dashboards List

1. Click on the Home button if it's not already the default.

HOL-1720-SDC-1

HOL-1720-SDC-1

View the Different Dashboards

1. The OpenStack Controllers Dashboard should already be visible if not, Click onDashboard List

2. Choose OpenStack3. OpenStack Controllers

HOL-1720-SDC-1

HOL-1720-SDC-1

OpenStack Controllers Dashboard

Once you are on the OpenStack Controllers Dashboard, you will see the differentservices that are being monitored.

1. Left click on the button once next to OpenStack Compute Services2. You should see the compute services that are currently running in the

environment show up below. nova-api runs on the loadbalancer01 vm. nova-compute runs once because it only runs on the compute node (loadbalancer01).Alerts will be generated and severity depends on how many of the services go

down. For example, if nova-api loses one of its services, it will alert with animmediate severity level. If all of the services are down, it will alert as a criticalalert.

HOL-1720-SDC-1

HOL-1720-SDC-1

View OpenStack Management Services Health

1. Click on the OpenStack Management Services icon. The Controller ServiceTopology will appear on the right hand side and the service metrics will appearbelow.

The service topology is extremely useful to provide visibility into how and where theservices are running. you can see all the different services running on the controllers.

2. You can zoom in to get better granularity. The central node in the middle is themanagement service IP, which is the internal API endpoint to all OpenStackservices.

3. The Controller Service Metrics show all the different services that are currentlyrunning

Log into VIO and launch a VM

Open a new tab or browser window

1. Click on VIO shortcut

HOL-1720-SDC-1

HOL-1720-SDC-1

2. The login fields should be filled in for you. Click Sign In. Login as

User Name: admin

Password: VMware1!

HOL-1720-SDC-1

HOL-1720-SDC-1

Launch VM

1. Click on Project2. Click on Images3. Click Launch on the row for nginx

HOL-1720-SDC-1

HOL-1720-SDC-1

Launch VM

1. Name your VM2. Click on Networking Tab

HOL-1720-SDC-1

HOL-1720-SDC-1

Choose Your Network and Launch

1. Click on the plus symbol next to test-network. When you do this the test-networkwill show up under Selected networks with Nic1 assigned.

2. Click Launch

HOL-1720-SDC-1

HOL-1720-SDC-1

Everything worked right??

After launching your VM and waiting anxiously for the VM to successfully deploy, you willsee the following error, "No valid host found"

What in the world does that mean? Well, it could mean many different things but theidea is that nova scheduler was unable to put the VM on any host. Are we out ofresources? Is there enough RAM? Is there enough CPU? Are the hosts up and running?As you can see, the error generated by OpenStack are sometimes vague.

Let's start troubleshooting. Different operators have different approaches totroubleshooting. Some folks take the "follow the logs" approach where you start lookingup the UUID to see if you can detect where it got stuck. Other folks might quicklyreview infrastructure or look at their entire environment as a whole to see if anythinghas gone down.

First thing should quickly do is click on the Instance Status to see if there are anyobvious issues.

HOL-1720-SDC-1

HOL-1720-SDC-1

Take a Quick Look at Instance Status

1. Left Click on the HOLVM link to see the status and any details about the errormessage.

HOL-1720-SDC-1

HOL-1720-SDC-1

Instance Overview

The Instance Overview provides details as to status of the Instance. You can see thatthe error message is not very descriptive as it just says "No valid host wasfound. Basically, OpenStack is not providing us a reason for the error. Maybe there is nohypervisor available in OpenStack? Let's check real quick.

HOL-1720-SDC-1

HOL-1720-SDC-1

Hypervisor Dashboard

Sometimes to see what nova-compute is reporting back, we check the Hypervisors tosee if there are enough resources to launch the instance.

1. Click on Admin tab2. Click on Hypervisors.

There are no issues that we see here. Nothing is being used and there should be plentyof storage. Hmm..time to check the logs.

HOL-1720-SDC-1

HOL-1720-SDC-1

Open a new tab or window and go to Log Insight

1. Open a new tab or window and click on Log Insight icon2. The fields should be filled in for you. Click Login

Username: admin

Password: VMware1!

Log Insight OpenStack Dashboard

When you log into Log Insight, it should take you straight to the OpenStack Dashboard.The OpenStack Overview dashboard is part of a content pack that is freely available to

download. The content pack is a default set of pre-created dashboards that providevisibility into the different OpenStack services.

1. If you don't see the OpenStack dashboard, click on the dropdown menu in shownabove in 1. Choose OpenStack, and click Overview

2. Once the dashboard opens up, it should show the default OpenStack dashboard.Click on the warning bubble in the nova service column. We just ran into an

issue launching an instance and the best guess would be to look at any warningsin the nova service.

HOL-1720-SDC-1

HOL-1720-SDC-1

3. If you don't see anything, it could be due to the fact that the default setting is toshow the last 5 minutes of logs. Perhaps 5 minutes have already been past andyou should update the interface to show the last 1 hour by clicking on thedropdown as shown in 3.

Click on Interactive Analysis

1. Left click on the warning bubble in the nova column and a menu should pop up.Click on Interactive Analytics

View the results of the Interactive Analysis

The interactive analysis interface allows you to conduct deep dive analysis into thelogging data and correlate events across the logs.

1. If you need to, change the Custom Time Range dropdown to something like "Latesthour of data" to show the log messages.

HOL-1720-SDC-1

HOL-1720-SDC-1

What you will see once you enter the interactive analysis panel is the log data itself.You should see "Setting instance to ERROR state" at the end of the log entry

So what next? We know we have an error but how do we troubleshoot the issue? Fromhere, let's track the instance UUID.

HOL-1720-SDC-1

HOL-1720-SDC-1

Follow the Instance UUID with Log Insight Step 1

Let's follow the UUID of the instance across the different services to see if we can findthe root cause.

1. Remove the current filters by clicking on the X next to "text","openstack_component", and "openstack_severity"


Find the same log event, that shows the ERROR state, and next to the word "instance",highlight (drag, from left to right)the entire alphanumeric letter.

1. A popup window should appear and click on "Contains <uuid>" This should bringup a refreshed log page with the new results. Make sure the log event has"Setting instance to ERROR state" to make sure you have the right instance UUID.

HOL-1720-SDC-1

HOL-1720-SDC-1

Resetting the logs to show warning logs only

If needed you can make sure you are viewing just the Warning Nova log files by clickingon the circle for the warning events. This will load only the Warning log files.


This will bring up a new page of log events. You can scroll through any events listed butyou probably won't see anything that is completely obvious as to what the problem is.Take a look at any different log messages that appear.

After you have looked through the different log messages, there is something else wecan take a look at. Let's try to track the req-ID to see where it failed. To do this,

1. Scroll through the log events again and find the error that states "Settinginstance to ERROR state

Search for instance error if you can't find it.

If you cannot locate the log entry that shows "Setting instance to ERROR state" you cansearch for the entry by using the search function.

HOL-1720-SDC-1

HOL-1720-SDC-1

1. Highlight the search area and type in "error state" and hit enter. This should bring upthe instance error.

Follow the Request ID with Log Insight Step 1

1. Find the text after nova.scheduler.utils where it starts with [req-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]. Left click and drag to highlight the entire string.

Make sure you highlight the req-ID that is in the same log event as the "Settinginstance to ERROR state"

2. A popup should appear and left click on "Contains 'req......"

HOL-1720-SDC-1

HOL-1720-SDC-1

If you used the Search on Error State: clear the error stateand uuid now that you have the req-id

If you used the Search on Error State to find the uuid, to now view the Request IDresults, clear the error state field and uuid now that you have the req-id

1. Clear the "error state" search text.

2. Click the x on the uuid field in the "text contains" selection to clear the uuid and leaveonly the req-xxx field showing.

HOL-1720-SDC-1

HOL-1720-SDC-1

View Request ID Results

A request ID Is an identifier that is created for each API request. The value can be usedto track down problems and troubleshoot. Since we filtered by the request ID, we canfollow the status of the request ID. Scroll through the different events that have takenplace. The only event that appears to have any valuable information is the one thatsays

Filter ComputeFilter returned 0 hosts

This means that the nova-scheduler, which is responsible for handling the requests toplace the VM's onto the compute nodes was unable to find any available computeresources. From here, the natural next step is to figure out why the scheduler returned0 hosts.

Well that's strange. Last time you checked, all the infrastructure was available and youhad plenty of resources right? Well, let's quickly look at the infrastructure view of ourenvironment. Good thing we have vRealize Operations!

vRealize Operations Part 2

From Log Insight, we were able to troubleshoot and determine that there might besomething wrong with our compute infrastructure. Remember that the nova-schedulerdid not pass the ComputeFilter so let's take a look at our Compute infrastructure inOpenStack.

HOL-1720-SDC-1

HOL-1720-SDC-1

1. If you still have vRealize Operations tab, click on that, otherwise click on vRealizeOperations on the toolbar

2. The Login fields should be filled in for you. Click Login

user: admin

password: VMware1!

HOL-1720-SDC-1

HOL-1720-SDC-1

OpenStack Compute Infrastructure

1. Click on Dashboard List2. Click on OpenStack3. Click on OpenStack Compute Infrastructure

HOL-1720-SDC-1

HOL-1720-SDC-1

OpenStack Compute Infrastructure Dashboard

1. Click on the Openstack Computer Infrastructure icon

After clicking on Compute Cluster Infrastructure, it seems that everything is green.There is plenty of compute resources and we have no issues with the infrastructure.Network/Storage I/O seems good, no contention so ...let's look at other parts of the

environment. Perhaps the services?

HOL-1720-SDC-1

HOL-1720-SDC-1

OpenStack Controller Dashboard

Let's check out the management services under OpenStack Controllers

1. Click on Dashboard List2. Click on OpenStack3. Click on OpenStack Controllers

HOL-1720-SDC-1

HOL-1720-SDC-1

OpenStack Controllers

Red? That's not good! Let's click on the red badge.

1. Left click on the red badge under OpenStack Compute Services2. Details about the Compute Services will appear. First, we see that "All nova-

compute services are unavailable" Click on this link.

NOTE: Based on the time, the icon may still be green. You should still see the Alert inthe bottom right of the page.

HOL-1720-SDC-1

HOL-1720-SDC-1

Recommendations for nova-compute services

The recommendations indicate that we should "Restart any compute servies that aredown"

It looks like that nova-compute crashed, so let's start it up again. We found theproblem!

HOL-1720-SDC-1

HOL-1720-SDC-1

Showing Alerts

Before we restart the nova-compute service, there's another way we would have seenthis alert, which is by left clicking on the Alerts button.

1. Click on the Alerts button

HOL-1720-SDC-1

HOL-1720-SDC-1

The Alerts Dashboard

1. Sort by most recent, it should by default but if you notice it is not, click on the"Created On" to sort descending.

2. You should notice several alerts indicating that all-nova compute services areunavailable.

Clicking on that link will bring you to the same screen as the previous step showing therecommendation to restart the services.

HOL-1720-SDC-1

HOL-1720-SDC-1

OpenStack Tenants

Another mechanism to view the error is the OpenStack Tenants Dashboard.

1. Click on Dashboard List2. Click on OpenStack3. Click on OpenStack Tenants

HOL-1720-SDC-1

HOL-1720-SDC-1

Tenant Issues

You will see that a tenant alert has been generated. This dashboard can be used totrack issues that users experience while using OpenStack.

Let's go ahead and restart-nova compute in the next step.

HOL-1720-SDC-1

HOL-1720-SDC-1

Restart nova-compute

Either close or minimize the vRealize Operations window.

1. Click on the Windows icon on the bottom left hand corner2. Click Putty

HOL-1720-SDC-1

HOL-1720-SDC-1

Restart nova-compute services

1. Left click on oms.corp.local2. Click Open

HOL-1720-SDC-1

HOL-1720-SDC-1

Restart nova-compute services

1. You will be logged in as viouser:

login: viouser password: VMware1!

2. type the following

ssh loadbalancer01 'sudo service nova-compute restart'

3. You should see stop: Unknown instance: This tells us that it was not running and thatwe have restarted the service.

You can try and repeat launching an instance and it should work now

Summary

Some of you may be thinking to yourself, "Well, the first thing i would have checkedwould have been the nova-compute service and I wouldn't have to even look at thelogs!" While you may be right in this specific case in hindsight, many errors are NOTinfrastructure related errors. For example, if a configuration file was wrong, or somemetadata in the image was incorrect, or the instance was launched with some strangeflags that caused no hosts to be found -- checking whether services are up would nothave helped. Through this exercise though, we teach you how to fish. For futureproblems, you can walk through whatever framework you prefer for troubleshooting,leveraging the tools at hand to help you accelerate the troubleshooting process.

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1

HOL-1720-SDC-1







minutes)

How to End Lab


HOL-1720-SDC-1

HOL-1720-SDC-1



ConclusionThank you for participating in the VMware Hands-on Labs. Be sure to visithttp://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1720-SDC-1

Version: 20161024-110226

HOL-1720-SDC-1

HOL-1720-SDC-1

http://hol.vmware.com/

HOL-1720-SDC-1 - VMware Integrated OpenStack (VIO)

Documents

Transcript of HOL-1720-SDC-1 - VMware Integrated OpenStack (VIO)