Fr

OpenStack Orchestration aims to create a human and

machine-accessible service that manages the entire
lifecycle of infrastructure and applications within
OpenStack cloud environments.
This book focuses on setting up and using Heat, the most
popular and a still-emerging IaaS cloud orchestration
service for the OpenStack framework. First, the book
introduces you to the topology and orchestration
specication for cloud applications and standards, before
introducing Heat. You will get to grips with the standards
used in Heat, overview and roadmap, architecture and
CLI, Heat API, Heat engine, CloudWatch API, scaling
principles, JeOS, and installation and conguration of Heat.
You will be able to manage OpenStack operations by
implementing the orchestration services of Heat.

Who this book is written for

Install an orchestration service for a private

cloud environment

P U B L I S H I N G

pl

Congure a template for orchestration using

the native HOT format
Congure a template for orchestration using
the AWS cloud formation format

C o m m u n i t y

Deploy a stack using the HOT template

E x p e r i e n c e

D i s t i l l e d

Deploy a test stack using the AWS

CloudFormation template
Automate and orchestrate cloud-based
services with OpenStack Heat
Basic troubleshooting for the orchestration
service

$ 39.99 US
25.99 UK

community experience distilled

Sa
m

Tackle errors that show up during the

installation and conguration of Heat

Adnan Ahmed Siddiqui

If you are a system engineer, system administrator,

cloud administrator, or cloud engineer, then this book
is for you. You should have a background of working in a
Linux-based setup. Any knowledge of OpenStack-based
cloud infrastructure will help you create wonders using
this book.

What you will learn from this book

OpenStack Orchestration

OpenStack Orchestration

ee

OpenStack Orchestration
Exploit the power of dynamic cloud formation and autoscaling
features to fully implement OpenStack Orchestration

Prices do not include

local sales tax or VAT
where applicable

Visit www.PacktPub.com for books, eBooks,

code, downloads, and PacktLib.

Adnan Ahmed Siddiqui

In this package, you will find:

The author biography

A preview chapter from the book, Chapter 1 'Getting Started with the
Orchestration Service for OpenStack'
A synopsis of the books content
More information on OpenStack Orchestration

About the Author

Adnan Ahmed Siddiqui is an innovative and results-driven leader with

over 8 years of success. He is focused on achieving exceptional results in highly

competitive environments that demand continuous improvements. He has a proven
ability to architect, design, develop, and deliver cost-effective, high-performance
technology solutions to meet challenging business demands. Adnan is competent
in Information Lifecycle Management (ILM) and Service Delivery Lifecycle (SDLC),
covering business case development, team and project management, delivery,
implementation, and support. He provides consultancy and advising to various
organizations in the USA and Middle East regions in OpenStack, AWS, Citrix, and
Microsoft solutions.
He is a founder and CEO of CloudDall INC (www.clouddall.com), a successful
company that helps organizations worldwide rapidly migrate their IT infrastructure
to the cloud, and IKT Technologies (www.iktechnologies.com). Their business
provisioning includes public clouds, hybrid clouds, DaaS (Desktop as a Service),
backup and archive, disaster recovery, and customized storage services. CloudDall
provides subscription-based services tailored to fit a range of business models
resulting in reduced cost, enhanced security, control, and productivity.
In addition to these achievements, he holds a Computer Engineer degree and
these certifications: Red Hat Certified Engineer (RHCSA), AWS Certified Solution
Architect, Citrix Certified Enterprise Engineer for Virtualization (CCEE), Microsoft
Certified Technology Specialist (MCTS), Microsoft Certified Information Technology
Professional (MCITP), and Microsoft Certified System Engineer (MCSE). He has also
been a Microsoft Certified Trainer (MCT) for 6 years.

Preface
The OpenStack Orchestration program aims to create a human and
machine-accessible service that manages the entire life cycle of infrastructure
and applications within OpenStack clouds. Heat is the cloud orchestration
service for the OpenStack framework. It implements an orchestration engine
to launch multiple composite cloud applications based on templates in the form
of text files that can be treated like code. It is the most popular and a still-emerging
IaaS cloud framework.
This book focuses on setting up and using one of the most important services in
OpenStack Orchestration, Heat. First, the book introduces you to the orchestration
service for OpenStack to help you understand the uses of the templating mechanism,
complex control groups of cloud resources, and huge potential and multiple-use
cases. It then moves on to the topology and orchestration specification for cloud
applications and standards, before introducing the most popular IaaS cloud
framework, Heat. You will get to grips with the standards used in Heat, an
overview and a roadmap, the architecture and CLI, the Heat API, the Heat engine,
the CloudWatch API, scaling principles, JeOS, and the installation and configuration
of Heat. I'll wrap up by giving you some insights into troubleshooting for OpenStack.
With easy-to-follow, step-by-step instructions and supporting images, you will be
able to manage OpenStack operations by implementing the orchestration services
of Heat.

What this book covers

Chapter 1, Getting Started with the Orchestration Service for OpenStack, introduces
OpenStack and provides an overview of OpenStack components.
Chapter 2, The OpenStack Architecture, focuses on the detailed architecture of
OpenStack and its Heat components.

Preface

Chapter 3, Stack Group of Connected Cloud Resources, attempts to study the basics
of Heat stacks and templates and discuss the autoscaling and high-availability
mechanisms supported by Heat.
Chapter 4, Installation and Configuration of the Orchestration Service, installs the
OpenStack Orchestration service, Heat. It will also show you how to write a
simple template by creating a stack.
Chapter 5, Working with Heat, explores the architecture of Heat in further detail.
It discusses the basic architecture of Heat and the main components that build up
the Orchestration service for OpenStack. It also covers the command-line arguments
accepted by Heat CLI. It explains the message flow for Heat. It also explores the
architecture of Heat in further detail. It focuses on the following topics: the standards
used in Heat, the Heat overview and roadmap, the Heat basics, architecture and CLI,
the Heat basic workflow, the Heat API, the Heat engine, the Heat CloudWatch API,
and Heat autoscaling principles.
Chapter 6, Managing Heat, covers the installation of DevStack with Heat support.
We explore Heat functionality in detail. It also discusses the basic architecture
of Heat and the main components that build up the Orchestration service for
OpenStack. Then, it covers the command-line arguments accepted by Heat CLI.
Chapter 7, Troubleshooting Heat, focuses on troubleshooting the issues encountered
when using Heat. It covers the most frequently occurring issues and discusses the
possible solutions for them.

Getting Started with the

Orchestration Service for
OpenStack
OpenStack is an open source cloud computing platform that offers mainly an
Infrastructure as a Service (IaaS) solution and several service features such as
scalability, high availability, and redundancy. It was started as a joint project by
NASA and Rackspace in 2010. OpenStack is a combination of several independent
components that are integrated with each user using an API. A non-profit corporate
organization called OpenStack Foundation was established in the year 2012, which is
responsible for maintaining the versioning and development of OpenStack.
The following are the objectives that we will cover in this chapter:

The OpenStack architecture

The Orchestration service of OpenStack

The Heat workflow

The Orchestration authorization model

Stack domain users

Introduction to the OpenStack

architecture
Several independent applications (also called projects) are responsible for the
formation of OpenStack. These applications are discussed in the following sections.

[1]

Getting Started with the Orchestration Service for OpenStack

Horizon
Horizon is the web-based control panel that provides an interface (or a dashboard)
to control and carry out administrative activities in the cloud environment. It
provides web-based options to interact with other components of OpenStack. New
virtual machine instances can be launched using this interface. Not only this but also
several other resources such as disk volumes, floating IP addresses, and so on can be
managed using this interface. This project was named as Horizon.

Nova
Nova is the compute service component of the OpenStack framework that is
responsible for maintaining the life cycle of virtual machines. This includes
spawning of new virtual machines, stopping, restarting, and decommissioning
of virtual machines.

Neutron
Neutron is the component of OpenStack that offers networking services, including
LAN subnet management, VLAN management, and bridging services to be used
by the virtual machine instances. It also includes the Open vSwitch application that
provides an SDN-enabled forwarding device.

Swift
The Swift component of OpenStack is responsible for providing object
storage services.
Object storage is a storage type where data is stored in the form of objects
(data and associated metadata). It also provides an API to access and store data.

Cinder
This Cinder component of OpenStack offers block storage services. This is used by
the virtual machine instances as disk volumes.

Keystone
Keystone is the component of OpenStack that provides authentication and
authorization services to other components of OpenStack as well as individual
users or tenants.

[2]

Chapter 1

Glance
Glance provides disk imaging service to the virtual machine instances of OpenStack.
Disk images can be used to create new disk volumes and virtual machine instances.

Ceilometer
Ceilometer is the metering service provider for OpenStack. It monitors and records
several performance metrics for OpenStack components that include CPU load, CPU
utilization, memory utilization, disk volume utilization, and so on.

Heat
Heat is the component of OpenStack with provides orchestration and configuration
service for OpenStack components and resources. It can be used in combination with
the Ceilometer component to achieve autoscalability and high availability.
Heat supports standards such as TOSCA (Topology and Orchestration
Specification for Cloud Applications) and Amazon CloudFormation.

Trove
The Trove component of OpenStack provides a Database as a Service (DBaaS)
solution. Both relational as well as nonrelational database engines are supported
by Trove.

The Orchestration service for OpenStack

Orchestration is a main feature provided and supported by OpenStack. It is used
to orchestrate cloud resources, including applications, disk resources, IP addresses,
load balancers, and so on.
As discussed in the earlier sections of this chapter, the OpenStack component that is
responsible for managing the orchestration services in OpenStack is Heat.
Heat contains a template engine that supports text files where cloud resources are
defined. These text files are defined in a special format compatible with Amazon
CloudFormation. A new OpenStack native standard has also been developed for
providing templates for Orchestration called HOT (Heat Orchestration Template).
Heat provides two types of clients including a command-line client and a web-based
client integrated into the OpenStack dashboard.

[3]

Getting Started with the Orchestration Service for OpenStack

The Orchestration project (Heat) itself is composed of several subcomponents.

These subcomponents are listed as follows:

Heat

heat-engine

heat-api

heat api-cfn

Heat uses the term "stack" to define a group of services, resources, parameters inputs,
constraints, and dependencies. A stack can be defined using a text file; however,
the important point is to use the correct format. The JSON format used by AWS
CloudFormation is also supported by Heat.

The Heat workow

As already mentioned in the previous sections of this chapter, Heat provides two
types of interfaces, including a web-based interface integrated into the OpenStack
dashboard and also a command-line interface (CLI), which can be used from inside
a Linux shell.
The interfaces use the heat-api to send commands to the Heat engine via the
messaging service (for example RabbitMQ). A metering service such as Ceilometer or
CloudWatch API is used to monitor the performance of resources in the stack. These
monitoring/metering services are used to trigger actions upon reaching a certain
threshold. An example of this could be automatically launching a redundant web
server behind a load balancer when the CPU load on the primary web server reaches
above 90 percent.

The Orchestration authorization model

The Heat component of OpenStack uses an authorization model composed of mainly
two types:

Password-based authorization

Authorization based on OpenStack identity trusts

This process is known as Orchestration authorization.

[4]

Chapter 1

Password authorization
In this type of authorization, a password is expected from the user. This password
must match with the password stored in a database by the Heat engine in an
encrypted form.
The following are the steps used to generate a username/password:
1. A request is made to the Heat engine for a token or an authorization
password. Normally, the Heat command-line client or the dashboard is used.
2. The validation checks will fail if the stack contains any resources under
deferred operations. If everything is normal, then a username/password
is provided.
3. The username/password are stored in the database in encrypted form.
In some cases, the Heat engine, after obtaining the credentials, requests another
token on the user's behalf, and thereafter, access to all the roles of the stack owner
are provided.

Keystone trusts authorization

Keystone trusts are extensions to OpenStack identity services that are used for
enabling delegation of resources. The trustor and the trustee are the two delegates
used in this method. The trustor is the user who delegates and the trustee is the user
who is being delegated. The following information from the trustor is required by
the identity service to delegate a trustee:

The ID of the trustee (user to be delegated, in case of Heat, it will be the

Heat user)

The roles to be delegated (the roles are configured using the Heat
configuration file, for example, to launch a new instance to achieve
auto-scaling in case of reaching a threshold)

Trusts authorization execution

The creation of a stack via an API request step can be followed to execute a trust
based authorization.
A token is used to create a trust between the stack owner (the trustor) and the Heat
service user (also known as the trustee in this case). A special role is delegated.
This role must be predefined in the trusts_delegated_roles list inside the
heat.conf file.

[5]

Getting Started with the Orchestration Service for OpenStack

By default, all the available roles for the trustor are set to be available for the trustee
if it is not modified using a local RBAC policy.
This trust ID is stored in an encrypted form in the database. This trust ID is retrieved
from the database when an operation is required.

The authorization model conguration

Heat used to support the password-based authorization until the kilo version of
OpenStack was released. Using the kilo version of OpenStack, the following changes
can be made to enable trusts-based authorization in the Heat configuration file:

The default setting in heat.conf:

deferred_auth_method=password

To be replaced for enabling trusts-based authentication:

deferred_auth_method=trusts

The following parameters need to be set to specify trustor roles:

trusts_delegated_roles =

As mentioned earlier, all available roles for the trustor will be assigned to the trustee
if no specific roles are mentioned in the heat.conf file.

Stack domain users

The Heat stack domain user is used to authorize a user to carry out certain
operations inside a virtual machine.
Agents running inside virtual machine instances are provided with metadata.
These agents repot and share the performance statistics of the VM on which
they are running.
They use this metadata to apply any changes or some sort of configuration expressed
in the metadata.

[6]

Chapter 1

A signal is passed to the Heat engine when an event is completed successfully

or with the failed status. A typical example can be to generate an alert when the
installation of an application is completed on a specific virtual machine after its
first reboot.
Heat provides features for encapsulating all the stack-defined users into a separate
domain. This domain is usually created to store the information related to the Heat
service. A domain admin is created, which is used by Heat for the management of
the stack-domain users.

Conguring stack domain users

The following procedure is used to configure stack domain users:
1. A new domain is created using keystone (OpenStack Identity service).
Usually, the domain name is set to Heat. This ID is configured in the
heat.conf file against the parameter stack_user_domain.
2. A new user is created using keystone with permissions to create and delete
projects and users. This newly defined user must belong to the domain
created in step 1.
3. The user created in step 2 (along with the password) is configured
in heat.conf against the parameters: stack_domain_admin and
stack_domain_admin_password.
This user is used to maintain the stack domain users on behalf of stack owners.
As the heat_domain_admin user is only allowed access to the Heat domain,
the risk of unwanted access to other domains is limited.
The following are the commands and the steps necessary to set up domain users:
1. A domain is created using the following command:
$ openstack --os-identity-api-version=3
http://192.168.5.38:35357/v3\

--os-auth-url

--os-username admin --os-password ADMIN --os-project-name admin

domain create heat \
--description "Domain For HEAT Projects and Users"

[7]

Getting Started with the Orchestration Service for OpenStack

Here $OS_TOKEN refers to a token that must be a valid token.

This will return a domain ID that will be referred to as $HEAT_DOMAIN_ID
in the next step.

2. Next, a user will be created within the domain created in step 1:

$ openstack

user create heat_domain_admin \

--os-identity-api-version=3
--os-auth-url

http://192.168.5.38:35357/v3 \

--os-username=admin --os-password=ADMIN \
--os-project-name=admin \
--domain heat \
--description "Admin for HEAT domain"\

[8]

Chapter 1

This will return a domain admin ID, which will be used in the next step.

3. Next, the newly created user in step 2 is assigned the role of domain admin:
$ openstack role add admin \
--user heat_domain_admin \
--os-identity-api-version=3
--os-auth-url

http://192.168.5.38:35357/v3 \

--os-username=admin \
--os-password=ADMIN \
--os-project-name=admin \
--domain heat

[9]

Getting Started with the Orchestration Service for OpenStack

We'll get the output shown in the following screenshot for this command:

The information such as domain ID, username, and password is needed to be

configured against the relevant parameters in heat.conf.

Creating a stack
The following are the steps needed to create a sample stack:
1. If the stack contains any resources that require creation of a "stack domain
user", then a new "stack domain project" in the "Heat" domain is created.
2. A new user is created under "stack domain project" by Heat if it is required.
From an authentication perspective, this user is completely separate and also
unrelated to the "stack owner's project."
While processing API requests, an internal lookup is made by Heat Orchestration to
grant the required privileges to the user for both the stack owner's project as well as
the stack domain project. These privileges are controlled by the policy.json file.

[ 10 ]

Chapter 1

Summary
In this chapter, we learned about OpenStack, the open source cloud platform that
offers IaaS features. OpenStack is made of several components, including Horizon
(dashboard service), Nova (compute service), Neutron (networking service), Cinder
(block storage service), Swift (object storage service), Glance (shared image service),
Keystone (identify service), Ceilometer (telemetering service), Heat (Orchestration
service), and Trove (database as a service). We also learned that Heat is the
Orchestration service for OpenStack. We learned about the Heat authorization
models, including password authorization, keystone trust authorization, and how
these models work.

[ 11 ]

Get more information OpenStack Orchestration

Where to buy this book

You can buy OpenStack Orchestration from the Packt Publishing website.
Alternatively, you can buy the book from Amazon, BN.com, Computer Manuals and most internet
book retailers.
Click here for ordering and shipping details.

www.PacktPub.com

Stay Connected: