kolla-ansible/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
zhangshj 199133a9cc Correct two wrong words
Change-Id: I89d9f7a90d72e6c5df7dde078ed7407eedd6f92f
2019-01-13 10:27:26 +00:00

224 lines
8.5 KiB
ReStructuredText

=====================
Bootstrapping Servers
=====================
Kolla-ansible provides support for bootstrapping host configuration prior to
deploying containers via the ``bootstrap-servers`` subcommand. This includes
support for the following:
* Customisation of ``/etc/hosts``
* Creation of user and group
* Kolla configuration directory
* Package installation and removal
* Docker engine installation and configuration
* Disabling firewalls
* Creation of Python virtual environment
* Configuration of Apparmor
* Configuration of SELinux
* Configuration of NTP daemon
All bootstrapping support is provided by the ``baremetal`` Ansible role.
Running the command
~~~~~~~~~~~~~~~~~~~
The base command to perform a bootstrap is:
.. code-block:: console
kolla-ansible bootstrap-servers -i INVENTORY
Further options may be necessary, as described in the following sections.
Initial bootstrap considerations
--------------------------------
The nature of bootstrapping means that the environment that Ansible executes in
during the initial bootstrap may look different to that seen after
bootstrapping is complete. For example:
* The ``kolla_user`` user account may not yet have been created. If this is
normally used as the ``ansible_user`` when executing Kolla Ansible, a
different user account must be used for bootstrapping.
* The Python virtual environment may not exist. If a virtualenv is normally
used as the ``ansible_python_interpreter`` when executing Kolla Ansible, the
system python interpreter must be used for bootstrapping.
Each of these variables may be passed via the ``-e`` argument to Kolla Ansible
to override the inventory defaults:
.. code-block:: console
kolla-ansible bootstrap-servers -i INVENTORY -e ansible_user=<bootstrap user> -e ansible_python_interpreter=/usr/bin/python
Subsequent bootstrap considerations
-----------------------------------
It is possible to run the bootstrapping process against a cloud that has
already been bootstrapped, for example to apply configuration from a newer
release of Kolla Ansible. In this case, further considerations should be
made.
It is possible that the Docker engine package will be updated. This will cause
the Docker engine to restart, in addition to all running containers. There are
three main approaches to avoiding all control plane services restarting
simultaneously.
The first option is to use the ``--limit`` command line argument to apply the
command to hosts in batches, ensuring there is always a quorum for clustered
services (e.g. MariaDB):
.. code-block:: console
kolla-ansible bootstrap-servers -i INVENTORY --limit controller0,compute[0-1]
kolla-ansible bootstrap-servers -i INVENTORY --limit controller1,compute[2-3]
kolla-ansible bootstrap-servers -i INVENTORY --limit controller2,compute[4-5]
The second option is to execute individual plays on hosts in batches:
.. code-block:: console
kolla-ansible bootstrap-servers -i INVENTORY -e kolla_serial=30%
The last option is to use the Docker ``live-restore`` configuration option to
avoid restarting containers when the Docker engine is restarted. There have
been issues reported with using this option however, so use it at your own
risk.
Ensure that any operation that causes the Docker engine to be updated has been
tested, particularly when moving from legacy Docker packages to Docker
Community Edition. See :ref:`bootstrap-servers-docker-package-repos` for
details.
Customisation of ``/etc/hosts``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is optional, and enabled by ``customize_etc_hosts``, which is ``true`` by
default.
* Ensures that ``localhost`` is in ``/etc/hosts``
* Adds an entry for the IP of the API interface of each host to ``/etc/hosts``.
Creation of user and group
~~~~~~~~~~~~~~~~~~~~~~~~~~
This is optional, and enabled by ``create_kolla_user``, which is ``true`` by
default.
* Ensures that a group exists with the name defined by the variable
``kolla_group`` with default ``kolla``.
* Ensures that a user exists with the name defined by the variable
``kolla_user`` with default ``kolla``. The user's primary group is defined by
``kolla_group``. The user is added to the ``sudo`` group.
* An SSH public key is authorised for ``kolla_user``. The key is defined by
the ``public_key`` value of the ``kolla_ssh_key`` mapping variable, typically
defined in ``passwords.yml``.
* If the ``create_kolla_user_sudoers`` variable is set, a sudoers profile
will be configured for ``kolla_user``, which grants passwordless sudo.
Kolla configuration directory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kolla ansible service configuration is written to hosts in a directory defined
by ``node_config_directory``, which by default is ``/etc/kolla/``. This
directory will be created. If ``create_kolla_user`` is set, the owner and group
of the directory will be set to ``kolla_user`` and ``kolla_group``
respectively.
Package installation and removal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Lists of packages are defined for installation and removal. On Debian family
systems, these are defined by ``debian_pkg_install`` and
``ubuntu_pkg_removals`` respectively. On Red Hat family systems, these are
defined by ``redhat_pkg_install`` and ``redhat_pkg_removals`` respectively.
Docker engine installation and configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Docker engine is a key dependency of Kolla Ansible, and various configuration
options are provided.
.. _bootstrap-servers-docker-package-repos:
Package repositories
--------------------
If the ``enable_docker_repo`` flag is set, then a package repository for Docker
packages will be configured. There are two sets of package repositories
provided by Docker - 'legacy' packages from https://dockerproject.org, and new
'Community Edition' packages from https://download.docker.com. To use legacy
packages, set ``docker_legacy_packages`` to ``true``, or to use new packages
set it to ``false``. The new packages are used by default.
Various other configuration options are available beginning
``docker[_(new|legacy)]_(apt|yum)_``. Typically these do not need to be
changed.
Configuration
-------------
The ``docker_storage_driver`` variable is optional. If set, it defines the
`storage (graph) driver
<https://docs.docker.com/storage/storagedriver/select-storage-driver/>`__ to
use for Docker.
The ``docker_runtime_directory`` variable is optional. If set, it defines the
runtime (``--graph``) directory for Docker.
The ``docker_registry`` variable, which is not set by default, defines the
address of the Docker registry. If the variable is not set, Dockerhub will be
used.
The ``docker_registry_insecure`` variable, which defaults to ``true`` if
``docker_registry`` is set, or ``false`` otherwise, defines whether to
configure ``docker_registry`` as an insecure registry. Insecure registries use
HTTP rather than HTTPS.
The ``docker_log_max_file`` variable, which defaults to ``5``, defines the
maximum number of log files to retain per container. The
``docker_log_max_size`` variable, which defaults to ``50m``, defines the
maximum size of each rotated log file per container.
The ``docker_custom_option`` variable is optional. If set, it defines
additional options to pass to the Docker engine via the Systemd unit file.
Disabling firewalls
~~~~~~~~~~~~~~~~~~~
Kolla Ansible does not support configuration of host firewalls, and instead
attempts to disable them.
On Debian family systems where the UFW firewall is enabled, a default policy
will be added to allow all traffic.
On Red Hat family systems where firewalld is installed, it will be disabled.
Creation of Python virtual environment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is optional, and enabled by setting ``virtualenv`` to a path to a Python
virtual environment to create. By default, a virtual environment is not used.
If ``virtualenv_site_packages`` is set, (default is ``true``) the virtual
environment will inherit packages from the global site-packages directory. This
is typically required for modules such as yum and apt which are not available
on PyPI. See :ref:`virtual-environments-target-hosts` for further information.
Configuration of Apparmor
~~~~~~~~~~~~~~~~~~~~~~~~~
On Ubuntu systems, the ``libvirtd`` Apparmor profile will be removed.
Configuration of SELinux
~~~~~~~~~~~~~~~~~~~~~~~~
On Red Hat family systems, if ``change_selinux`` is set (default is ``true``),
then the SELinux state will be set to ``selinux_state`` (default
``permissive``). See :doc:`../../user/security` for further information.
Configuration of NTP daemon
~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is optional, and enabled by ``enable_host_ntp``, which is ``false`` by
default.