Hello, my blog visitors.
How are your days going? In my case, I am working on OpenStack security for a customer site, so I am very busy nowadays. But I have learned a lot about OpenStack, containers, Linux, networking and security through this project.
In this post, I'd like to share the OpenStack container architecture and how OpenStack services are installed and managed as containers. As I said, nowadays I am working on OpenStack security, so I have been thinking about how to handle security-vulnerable items in an OpenStack container environment.
I had to analyze the OpenStack container environment and architecture, because my only experience was installing Docker, so I didn't know the commands for operating a container environment well. But I can do it now.
Anyway, I discovered that the container's directories and the host's directories are mounted to each other as mapped directories, as in the architecture below. We can modify the configuration of OpenStack services through the host's mapped directory, and we can also monitor the OpenStack service logs through the host's mapped directory. However, we can't modify anything inside the container's operating system: if something is modified inside the container, the container's configuration goes back to its original state after the container restarts. This means the container environment itself can't be modified.
I was curious why the container environment of RHOSP13 (Red Hat OpenStack Platform 13) can't be modified. I wanted to know how the containers for OpenStack services are launched and managed, so I looked through the OpenStack documents and searched for various things on the internet. I noticed that OpenStack containers are launched and managed using paunch. If you visit the following site (https://github.com/openstack/paunch), you can see the contents below.
Utility to launch and manage containers using YAML based configuration data
- Free software: Apache license
- Documentation: https://docs.openstack.org/developer/paunch
- Source: https://opendev.org/openstack/paunch
- Bugs: https://bugs.launchpad.net/paunch
- Release Notes: https://docs.openstack.org/releasenotes/paunch
- Single host only, operations are performed via the podman client.
- Zero external state, only labels on running containers are used when determining which containers an operation will perform on.
- Single threaded and blocking, containers which are not configured to detach will halt further configuration until they exit.
- Co-exists with other container configuration tools. Only containers created by paunch will be modified by paunch. Unique container names are assigned if the desired name is taken, and containers are renamed when the desired name becomes available.
- Accessible via the paunch command line utility, or by importing python package paunch.
- Builtin debug command lets you see how individual containers are run, get configuration information for them, and run them any way you need to.
Debugging with Paunch
The paunch debug command allows you to perform specific actions on a given container. This can be used to:
- Run a container with a specific configuration.
- Dump the configuration of a given container in either json or yaml.
- Output the podman command line used to start the container.
- Run a container with any configuration additions you wish such that you can run it with a shell as any user etc.
The configuration options you will likely be interested in here include:
- --file <file> YAML or JSON file containing configuration data
- --action <name> Action can be one of: "dump-json", "dump-yaml", "print-cmd", or "run"
- --container <name> Name of the container you wish to manipulate
- --interactive Run container in interactive mode - modifies config and execution of container
- --shell Similar to interactive but drops you into a shell
- --user <name> Start container as the specified user
- --overrides <name> JSON configuration information used to override default config values
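To make the paunch configuration and the host-mapped-directory point above more concrete, here is an added example of my own; it is not code from the paunch project or from RHOSP13. It assumes paunch-style per-container config keys (image, net, privileged, user, restart, volumes, environment, command, detach), renders roughly what "paunch debug --action print-cmd" would print as a podman command line, and then flags the settings a security review would look at first: privileged mode, host networking, running as root, and read-write mounts of sensitive host paths (the read-write host mounts are exactly where changes persist across a container restart). The container names, image registry and host paths are constructed sample values, not taken from a real deployment.

```python
import json
import shlex

# Constructed sample config in paunch/TripleO style. The key names are an
# assumption about the paunch format; names, registry and paths are made up.
SAMPLE_CONFIG = json.dumps({
    "nova_api": {
        "image": "registry.example.invalid/rhosp13/openstack-nova-api:latest",
        "net": "host",
        "privileged": False,
        "user": "nova",
        "restart": "always",
        "volumes": [
            "/var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro",
            "/var/log/containers/nova:/var/log/nova:rw",
        ],
        "environment": ["KOLLA_CONFIG_STRATEGY=COPY_ALWAYS"],
        "command": "/usr/bin/nova-api",
    },
    "neutron_ovs_agent": {
        "image": "registry.example.invalid/rhosp13/openstack-neutron-openvswitch-agent:latest",
        "net": "host",
        "privileged": True,
        "user": "root",
        "restart": "always",
        "volumes": [
            "/etc:/host-etc:rw",
            "/var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron:ro",
        ],
        "command": "/usr/bin/neutron-openvswitch-agent",
    },
})

# Host paths where a writable mount gives the container control over the host
# or over other services' configuration (assumed list for this example).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/run/docker.sock", "/run/podman",
                        "/var/lib/config-data")


def load_config(text):
    """Parse a JSON config file (paunch also accepts YAML; JSON keeps this offline)."""
    return json.loads(text)


def render_podman_cmd(name, cfg):
    """Build the podman argv for one container, similar to 'paunch debug --action print-cmd'."""
    argv = ["podman", "run", "--name", name]
    if cfg.get("detach", True):
        argv.append("--detach")
    if cfg.get("net"):
        argv.append("--net=%s" % cfg["net"])
    if cfg.get("privileged"):
        argv.append("--privileged=true")
    if cfg.get("user"):
        argv += ["--user", cfg["user"]]
    if cfg.get("restart"):
        argv.append("--restart=%s" % cfg["restart"])
    for env in cfg.get("environment", []):
        argv += ["--env", env]
    for vol in cfg.get("volumes", []):
        argv += ["--volume", vol]
    argv.append(cfg["image"])
    cmd = cfg.get("command")
    if cmd:
        argv += shlex.split(cmd) if isinstance(cmd, str) else list(cmd)
    return argv


def parse_volume(spec):
    """Split 'host:container[:mode]'; podman mounts read-write when no mode is given."""
    parts = spec.split(":")
    mode = parts[2] if len(parts) > 2 else "rw"
    return parts[0], parts[1], mode


def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")


def audit_container(cfg):
    """Return the security-relevant findings for one container config."""
    findings = []
    if cfg.get("privileged"):
        findings.append("privileged")
    if cfg.get("net") == "host":
        findings.append("host-network")
    if cfg.get("user", "root") == "root":
        findings.append("runs-as-root")
    for vol in cfg.get("volumes", []):
        host, _, mode = parse_volume(vol)
        writable = "rw" in mode.split(",")
        sensitive = host == "/" or any(_under(host, p) for p in SENSITIVE_HOST_PATHS)
        if writable and sensitive:
            findings.append("rw-sensitive-mount:" + host)
    return findings


def audit_all(config):
    return {name: audit_container(cfg) for name, cfg in config.items()}


if __name__ == "__main__":
    config = load_config(SAMPLE_CONFIG)
    for name, cfg in config.items():
        print(" ".join(shlex.quote(a) for a in render_podman_cmd(name, cfg)))
        print("  findings:", audit_all(config)[name] or "none")
```

Running it prints one podman command line per container followed by its findings; on a real node the same review can be done against the output of "paunch debug --file <file> --action dump-json --container <name>" instead of the constructed sample, and the read-only mounts of the generated config directory show why edits on the host side survive while edits made inside the container do not.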
The first of paunch's features is [Single host only, operations are performed via the podman client]. I was curious about podman, so I searched for it on the internet. The description I found is below. If you visit the following site (https://github.com/containers/libpod), you can see podman in more detail.
Libpod provides a library for applications looking to use the Container Pod concept, popularized by Kubernetes. Libpod also contains the Pod Manager tool (Podman). Podman manages pods, containers, container images, and container volumes.
Overview and scope
At a high level, the scope of libpod and Podman is the following:
- Support multiple image formats including the OCI and Docker image formats.
- Support for multiple means to download images including trust & image verification.
- Container image management (managing image layers, overlay filesystems, etc).
- Full management of container lifecycle.
- Support for pods to manage groups of containers together.
- Resource isolation of containers and pods.
- Support for a Docker-compatible CLI interface through Podman.
- Integration with CRI-O to share containers and backend code.
This project tests all builds against each supported version of Fedora, the latest released version of Red Hat Enterprise Linux, and the latest Ubuntu Long Term Support release. The community has also reported success with other Linux flavors.
After I learned the things I wanted to know, I started to analyze the RHOSP13 provisioning process. RHOSP13 has an undercloud and an overcloud. The undercloud is for OpenStack deployment, and the overcloud is for the OpenStack services. The undercloud node has various OpenStack packages installed for deploying OpenStack, following the process below. Ansible has playbooks that deploy the OpenStack container services to the overcloud; Ansible deploys OpenStack to the overcloud nodes using those playbooks, and the deployment runs in 5 steps.
Step 1 is common services tagging. Common services are things like haproxy, Memcached, RabbitMQ, MySQL and Redis.
Step 2 is OpenStack services logging, as shown below.
Step 3 is OpenStack services DB sync. Of course, these OpenStack services are all containers.
Step 4 is OpenStack services configuration.
The last step, step 5, is storage service configuration, like cinder, cinder backup, cinder volume and manila.
Today, I wrote about OpenStack containers. Nowadays, the technical trend is moving to containers. However, I think containers are not perfect yet, but they will keep improving, so I am interested in container technology. If I have another posting, I want to write about container architecture more deeply.
See you next time. Bye~~~
- Techniques for Handling OpenStack (Korean book, 오픈스택을 다루는 기술)