DOCS - Installation with limited network connectivity

Documentation attempts to provide guidance to deployers on mechanisms they can employ to reduce their reliance on direct access to the internet when installing OpenStack. Change-Id: I79a61752efb5fc1887f41af8eb712c1fc9dda4e2 Partial-Bug: #1576317
2016-05-02 17:10:43 -04:00 · 2016-05-02 17:10:43 -04:00 · 349e134905
commit 349e134905
parent 1b4550b0b8
2 changed files with 161 additions and 0 deletions
--- a/doc/source/install-guide/app-no-internet-connectivity.rst
+++ b/doc/source/install-guide/app-no-internet-connectivity.rst
@ -0,0 +1,160 @@
+`Home <index.html>`__ OpenStack-Ansible Installation Guide
+
+===========================================================
+Appendix G. Installation on hosts with limited connectivity
+===========================================================
+
+Introduction
+~~~~~~~~~~~~
+
+Many playbooks and roles in OpenStack-Ansible retrieve dependencies from the
+public Internet by default. Many deployers block direct outbound connectivity
+to the Internet when implementing network security measures. We recommend a
+set of practices and configuration overrides deployers can use when running
+OpenStack-Ansible in network environments that block Internet connectivity.
+
+The options below are not mutually exclusive and may be combined if desired.
+
+Example internet dependencies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- Software packages
+- LXC container images
+- Source code repositories
+- GPG keys for package validation
+
+Practice A: Mirror internet resources locally
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You may choose to operate and maintain mirrors of OpenStack-Ansible and
+OpenStack dependencies. Mirrors often provide a great deal of risk mitigation
+by reducing dependencies on resources and systems outside of your direct
+control. Mirrors can also provide greater stability, performance and security.
+
+Software package repositories
+-----------------------------
+
+Many packages used to run OpenStack are installed using `pip`. We advise
+mirroring the PyPi package index used by `pip`.
+
+Many software packages are installed on the target hosts using `.deb`
+packages. We advise mirroring the repositories that host these packages.
+
+Ubuntu repositories to mirror:
+
+- trusty
+- trusty-updates
+- trusty-backports
+
+Galera-related repositories to mirror:
+
+- https://mirror.rackspace.com/mariadb/repo/10.0/ubuntu
+- https://repo.percona.com/apt
+
+These lists are intentionally not exhaustive. Consult the OpenStack-Ansible
+playbooks and role documentation for further repositories and the variables
+that may be used to override the repository location.
+
+LXC container images
+--------------------
+
+OpenStack-Ansible relies upon community built LXC images when building
+containers for OpenStack services. Deployers may choose to create, maintain,
+and host their own container images. Consult the
+``openstack-ansible-lxc_container_create`` role for details on configuration
+overrides for this scenario.
+
+Source code repositories
+------------------------
+
+OpenStack-Ansible relies upon Ansible Galaxy to download Ansible roles when
+bootstrapping a deployment host. Deployers may wish to mirror the dependencies
+that are downloaded by the ``bootstrap-ansible.sh`` script.
+
+Deployers can configure the script to source Ansible from an alternate Git
+repository by setting the environment variable ``ANSIBLE_GIT_REPO``.
+
+Deployers can configure the script to source Ansible role dependencies from
+alternate locations by providing a custom role requirements file and specifying
+the path to that file using the environment variable ``ANSIBLE_ROLE_FILE``.
+
+Practice B: Proxy access to internet resources
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Configure target and deployment hosts to reach public internet resources via
+HTTP or SOCKS proxy server(s). OpenStack-Ansible may be used to configure
+target hosts to use the proxy server(s). OpenStack-Ansible does not provide
+automation for creating the proxy server(s).
+
+Basic proxy configuration
+-------------------------
+
+The following configuration configures most network clients on the target
+hosts to connect via the specified proxy. For example, these settings
+affect:
+
+- Most Python network modules
+- `curl`
+- `wget`
+- `openstack`
+
+Configuration changes are made in ``/etc/openstack_deploy/user_variables.yml``.
+
+.. code-block:: yaml
+
+      # Used to populate /etc/environment
+      global_environment_variables:
+         HTTP_PROXY: "http://proxy.example.com:3128"
+         HTTPS_PROXY: "http://proxy.example.com:3128"
+         http_proxy: "http://proxy.example.com:3128"
+         https_proxy: "http://proxy.example.com:3128"
+
+      # pip needs proxies specified as well
+      pip_install_options: "--proxy http://proxy.example.com:3128"
+
+``apt-get`` proxy configuration
+-------------------------------
+
+See `Setting up apt-get to use a http-proxy`_
+
+.. _Setting up apt-get to use a http-proxy: https://help.ubuntu.com/community/AptGet/Howto#Setting_up_apt-get_to_use_a_http-proxy
+
+Deployment host proxy configuration for bootstrapping Ansible
+-------------------------------------------------------------
+
+Configure the ``bootstrap-ansible.sh`` script used to install Ansible and
+Ansible role dependencies on the deployment host to use a proxy by setting the
+environment variables ``HTTPS_PROXY`` or ``HTTP_PROXY``.
+
+Considerations when proxying TLS traffic
+----------------------------------------
+
+Proxying TLS traffic often interferes with the clients ability to perform
+successful validation of the certificate chain. Various configuration
+variables exist within the OpenStack-Ansible playbooks and roles that allow a
+deployer to ignore these validation failures. Find an example
+``/etc/openstack_deploy/user_variables.yml`` configuration below:
+
+.. code-block:: yaml
+
+      pip_validate_certs: false
+      galera_package_download_validate_certs: false
+
+The list above is intentionally not exhaustive. Additional variables may exist
+within the project and will be named using the `*_validate_certs` pattern.
+Disable certificate chain validation on a case by case basis and only after
+encountering failures that are known to only be caused by the proxy server(s).
+
+Ansible support for proxy servers
+---------------------------------
+
+The `get_url` and `uri` modules in Ansible 1.9.x have inconsistent and buggy
+behavior when used in concert with many popular proxy servers and
+configurations. An example Launchpad bug can be found `here
+<https://bugs.launchpad.net/openstack-ansible/+bug/1556975/>`_. The comments
+contain a workaround that has been effective for some deployers.
+
+--------------
+
+.. include:: navigation.txt
+
--- a/doc/source/install-guide/index.rst
+++ b/doc/source/install-guide/index.rst
@ -64,3 +64,4 @@ Appendices
   app-tips.rst
   app-plumgrid.rst
   app-nuage.rst
+   app-no-internet-connectivity.rst