Home OpenStack-Ansible Installation Guide
OpenStack-Ansible depends on various files that are used to build an inventory for Ansible. Start by getting those files into the correct places:
You can review the openstack_user_config.yml file and make changes to the deployment of your OpenStack environment.
Note
The file is heavily commented with details about the various options.
There are various types of physical hardware that are able to use containers deployed by OpenStack-Ansible. For example, hosts listed in the shared-infra_hosts run containers for many of the shared services that your OpenStack environments requires. Some of these services include databases, memcached, and RabbitMQ. There are several other host types that contain other types of containers and all of these are listed in openstack_user_config.yml.
For details about how the inventory is generated from the environment configuration, see OpenStack-Ansible Inventory.
OpenStack-Ansible’s dynamic inventory generation has a concept called affinity. This determines how many containers of a similar type are deployed onto a single physical host.
Using shared-infra_hosts as an example, consider this openstack_user_config.yml:
shared-infra_hosts:
infra1:
ip: 172.29.236.101
infra2:
ip: 172.29.236.102
infra3:
ip: 172.29.236.103
Three hosts are assigned to the shared-infra_hosts group, OpenStack-Ansible ensures that each host runs a single database container, a single memcached container, and a single RabbitMQ container. Each host has an affinity of 1 by default, and that means each host will run one of each container type.
You can skip the deployment of RabbitMQ altogether. This is helpful when deploying a standalone swift environment. If you need this configuration, your openstack_user_config.yml would look like this:
shared-infra_hosts:
infra1:
affinity:
rabbit_mq_container: 0
ip: 172.29.236.101
infra2:
affinity:
rabbit_mq_container: 0
ip: 172.29.236.102
infra3:
affinity:
rabbit_mq_container: 0
ip: 172.29.236.103
The configuration above deploys a memcached container and a database container on each host, without the RabbitMQ containers.
Deployers have the option to automatically apply security hardening to an OpenStack Ansible deployment using the openstack-ansible-security role. The role uses a version of the Security Technical Implementation Guide (STIG) that has been adapted for Ubuntu 14.04 and OpenStack.
The role is applicable to physical hosts within an OpenStack-Ansible deployment that are operating as any type of node, infrastructure or compute. By default, the role is enabled. You can enable it by changing a variable within user_variables.yml:
apply_security_hardening: true
When the variable is set, the role will be applied by the setup-hosts.yml playbook automatically during deployments.
You can apply security configurations to an existing environment or audit an environment using a playbook supplied with OpenStack-Ansible:
# Perform a quick audit using Ansible's check mode
openstack-ansible --check security-hardening.yml
# Apply security hardening configurations
openstack-ansible security-hardening.yml
For more details on the security configurations that will be applied, refer to the openstack-ansible-security documentation. Review the Configuration section of the openstack-ansible-security documentation to find out how to fine-tune certain security configurations.