Okay, that looks like everyone is just about good to go. Yeah, all good. Okay. How's everybody feeling? Are you tired at this point? Yes, I presume everyone is okay. Relax, this is not going to be super-duper high-paced. We're going to pace ourselves here, and it's going to make, I hope, for everyone a nice lab to round out the summit. Thank you very much for coming to the last session of, at least, the user conference, as it is. This is the OpenStack orchestration and automation, inside and out, talk. Oops, let me get that distracting bar out of the way. My name is Florian. This is Syed. We're both at Hastexo. Hastexo is a professional services company that provides consulting and training services not just around OpenStack, but also around Ceph and other distributed technologies. You will find both of our personal Twitter handles at the bottom of the screen, and you will also find the company Twitter handle at the bottom of the screen. So if there are any questions that you have throughout the talk, we would encourage you to raise your hands basically as soon as the question arises, and we'll be happy to address it. However, if you feel more comfortable tweeting a question at us, or maybe a question that we shouldn't take during the talk but after the talk, that's perfectly fine too, and please feel free to do so. In addition,
I'd like to remind you that on the schedule website, the sched.org website that has the entire conference schedule, there is for every individual session a feedback button, and that basically just takes you to a little feedback form. Both we and the conference organizers are very, very grateful if you use that feature very liberally. So if there's any feedback that you have to provide about the talk, about the setting, about the venue, about the room, then please do so. That is very, very helpful information that helps future speakers, that helps future track chairs, and then ultimately helps future attendees of the OpenStack Summit. So there are a few words that we would like to start out with. This is not a talk for people who are completely new to OpenStack. You should already be familiar with basic OpenStack concepts. It is not for OpenStack novices; we will be assuming a certain degree of prior knowledge. You should know how to boot a VM using a CLI.
You should know what Glance is good for, what Neutron is good for. We'll be happy to teach you what Heat is about, but the basics of Nova, Glance, Cinder and Neutron, that's material where you should at least know the bold-face cold. You are entirely welcome and very encouraged to follow along with this talk, because it is obviously a hands-on lab, and I'm going to keep this up for a couple of minutes. So if you go to this URL (and by the way, those of you who tweeted that QR code earlier, you already tweeted that URL), if you go there and then clone that to a local repo of yours, you are not only going to have the hands-on stuff that we're doing throughout this talk here, but you also get all the slides, basically everything of what you're seeing right here. And that is of course free for you to use, because as a general rule we put our talk slides under a Creative Commons license. So if you want to reuse these slides, use them for a presentation at a user group or a meetup group or something like that, then you can absolutely do so. So that's github.com/hastexo, and the repo name is, I'm sorry.
It's long: openstack-summit-2015-tokyo-hands-on. Yes, we did have three talks at the summit, so we couldn't just do openstack-summit-2015. Yes, it is about our seventh summit, so we couldn't just put openstack-summit. So that's why it's a little long. So it's github.com/hastexo/openstack-summit-2015-tokyo-hands-on, and you can of course open that from your web browser, and you can of course clone this via HTTPS directly, or you can also fork the repo if you feel like it and then clone that to your laptop as you go. I'm sure all of you are very familiar with GitHub, and like I said, that repo contains all the slides and all the examples that you'll need to duplicate this. Okay, and we'll give you a couple more minutes to get that set up. And of course, if you happen to sit in the back row and we have a very late arrival, then you can just point them at this as well and then go from there. You are looking at the slide deck. You're looking at the sources of the slide deck. There is a rendered one as well; I have the link at the very end, but if you just replace https://github.com/hastexo with hastexo.github.io, then you get the rendered slide deck. I'm sorry, I could have put that up here. If you go to hastexo.github.io/ and then the full name of the repository, so hastexo.github.io/openstack-summit-2015-tokyo-hands-on. Actually, thanks for pointing that out, because it may be helpful for people to skip back and forth as you go along. Hang on a second, I'll just open it up here. Just give me a moment. So if you just go to hastexo.github.io/openstack-summit-2015-tokyo-hands-on, that's the one. Okay, so these are the exact same slides that are also available rendered on github.io. And wait, how can I, hmm? I could zoom in. Actually, let me do this one thing here. Yeah, darn it. Oops.
That's not what I wanted to do. No, no, no. Hang on, let me just find that for you real quick. There we go. Come on. Just go down here. Something is really weird with my page-down here. Does that work better? That does work better. Here we go, right, the bottom one. That's it. So github.com/hastexo/openstack-summit-2015-tokyo-hands-on, that's where it is, and then, you know, it's maybe helpful to just leave that open in a browser window for you. Is there anyone in here that wanted to clone the GitHub repo and has not done so yet? If so, raise your hand. There's a problem with that? Okay, yeah, that's fine. It's okay. Yeah, okay. So if you want to cycle, let me just explain briefly how you cycle through the slides: you cycle through the slides by either hitting the spacebar, which basically will just take one slide after another, or if you're looking at this on a phone or tablet, you can just swipe and you will then proceed. But yeah, just forget the "unable to connect" part. That's the one thing that will only work on my laptop. Okay, so can I see a show of hands, please? Who's cloned the repo? Wonderful. Right, okay. Can I remove this? Let's turn this off. So if you would like to follow along along these lines, then, and this is something that I hope every one of you who was registered for this talk a week ago already got by email, because we asked the conference organizers to basically send an email out to everyone who was registered, which is that of course, in order to follow along with what we're doing here as part of the labs, you'll need an OpenStack environment, right?
So what you're going to need is access to an OpenStack cluster, whether that's the private cloud that your company runs via VPN, or whether that's a public cloud, or whichever. You're going to need Keystone credentials for that, and you're going to need a Nova, Glance, Neutron and Keystone client on whichever box that you're using in order to execute these labs, effectively. And like I said, that's information that we sent out last Wednesday, I believe, and I hope everyone got that. Say that again, please? Yeah, okay, so that's unfortunate. However, if at this point you're not able to follow along, or you just don't want to, that's perfectly fine too. You can still make the most of this talk by listening and participating in the discussion, as all of the materials are available for you, and you're always welcome and free to walk through these steps, to replicate these steps, when you're back at the office or when you're back home or whichever. Good question. So the question was, what's the minimum version that these are built for? We're trying to support a minimum of Icehouse, which means that in the Heat templates you're going to find some features that a later Kilo or Liberty client may complain about as being deprecated. But we're generally targeting Icehouse and up, so what you see here should be working with Icehouse and up. If it's not, then please let me know or let us know, and we'll fix that for the next iteration. Okay, and of course, if there's anything in here that we say that you can poke holes into, like we're saying something that doesn't make sense to you, or maybe doesn't make sense at all, then please do let us know as well. All right, so with the preliminaries out of the way, with everyone who wants to and who's inclined to follow along having cloned your GitHub repos.
Let's talk about what this talk is actually about. This talk, or this lab, is about automation, and I need to be a little more precise here, because I already did a talk on OpenStack infrastructure automation, that is to say the automated deployment of an OpenStack infrastructure, on Tuesday. Here we're talking about how do we automate virtual systems in OpenStack. So to what extent can we automate the deployment and the configuration of virtual systems in our OpenStack environment? So who in here has run at any point nova boot, or done the equivalent in Horizon? Oh, come on, who in here has booted a VM on OpenStack, has run nova boot or booted up a VM in Horizon? Just about everybody, I suppose. What do we need in order, what is the information that we need in order to boot a VM? What's the info that either Horizon or the Nova client or the OpenStack unified client needs in order to be able to fire up a VM? What do we have to give it? So it has to have a name. We have to select the flavor. Do we have to select an image? No, not necessarily; we could also be booting from a volume. What else? Again, optionally, we can define a network. I'd be hard-pressed to think of any realistic use case where a Nova VM would not need network connectivity, so generally we always define a network. Security groups, I heard in the first row, is something we can also optionally specify; if we don't specify it, then all the ports in that VM will simply be configured with the default security group. We can push SSH keys, exactly: we can define a Nova key pair that we want to inject into the VM. Now, that's actually a good cue. What is it that injects these keys into the VM? cloud-init, right. What else can cloud-init process besides things like the host name or the SSH keys that we want to inject into there? What can we do with a nova boot, or with a Horizon
Create Instance, to automate the configuration of our VM? Well, config drive. Config drive is simply another source of metadata, just like the Nova metadata API service. No, but what can a user do on nova boot to further, okay, a post-install script. So what's the feature that we typically use for post-install scripts? What do you call that? What is that? So the Nova feature is basically called user data, right? So cloud-init is populated with metadata that basically comes from the infrastructure, and then we can define user data that the cloud user, the person firing up the Nova VM, can inject. So this is what a command-line nova boot call could look like, right? We do nova boot, we define either an image or maybe we're also booting from a volume, we might want to define a key, we always need to define a flavor, we almost always would define a NIC with either a net ID or a port ID, and then we can also inject this user data thing, and then we give our VM a name. Right, I think no one in here will be completely unfamiliar with this, right? Everyone's seen this at some point. So okay, so I heard earlier somewhere over here: what is it that we put in user data? Scripts, right? Okay, so typically the stuff that people inject via user data looks something like this, right? It's a shell script. It does some sort of magic, which I usually refer to as proplication. So it will initialize the box in some way, shape or form, and then we'll do a bunch of other things in shell, and then presumably it might propagate its exit code. Okay, who in here has done something like this, like with a shell script? Okay, people, please stop doing that. Please, seriously, you're not doing yourself a favor, you're not doing the next person over a favor with this sort of thing.
There is something much, much better that you can do with user data. Who in here has heard of cloud-config? Very, very few people, and that is one of the worst problems that we have in all of OpenStack. Seriously, pretty much no one has heard about cloud-config, and that's why I'm making it my personal quest to educate as many people as I possibly can about it. What does cloud-config enable us to do? Just like a shell script, it enables us to bootstrap a newly booted VM. But unlike a shell script, we can do so in a declarative and not procedural fashion, by simply writing a little bit of YAML. In my humble opinion, and you just confirmed it, cloud-config is probably OpenStack's most underrated feature. It is excruciatingly useful, yet far too few people use it. What can we do with cloud-config? So imagine the following, right? Who in here uses cloud images from distro vendors? Right, stuff that CentOS, Ubuntu, SUSE and so forth make available for you, right? Okay, so there are some vendors that do really good things with them. So for example, something that's not too widely known apparently is the fact that if you're using an Ubuntu cloud image, Ubuntu cloud images are actually rebuilt nightly. So the Ubuntu cloud image that you download tonight has all the security fixes applied that were released between last night and tonight. That's actually pretty neat and pretty helpful.
It's pretty cool that Ubuntu do it that way. Not everyone does it that way, and of course, you know, you might not keep your Glance store up to date all the time. CentOS, for example, re-spins cloud images on every point release; Debian, I believe, does the same. With SUSE it's an entirely different story, because the cloud images all come out of SUSE Studio. But it's a relatively common use case that you fire up a VM off of an image that has outdated software on it, for which in the interim security patches and fixes have been released. So your users, or I as a user even, want to fire up a virtual machine, and I want it to be in reasonably good shape as far as packages and patches and security fixes are concerned. So now that is something that I could automate with a shell script that I pass in with user data. But then we're quickly beginning to realize that things start getting sticky, because for the simple purpose of updating all of my packages on the system, I'll either have to have a separate shell script for SUSE and for CentOS and for Ubuntu, because they all use different package managers, or I have a big long shell script that checks for the Debian release and Ubuntu version and Red Hat release and so forth, and then invokes either apt or zypper or yum, and it's horrible, right?
But the only thing that I want to do is, you know, put that thing into an up-to-date state, and writing a bunch of shell script is far worse than setting two variables in YAML. This is all you need to do in cloud-config to update your machines to the latest packages that are available for that platform. And if cloud-init, which parses this whole thing, runs on Ubuntu, it will do apt-get update and then apt-get upgrade; if it runs on SUSE, it will invoke zypper; if it runs on CentOS or RHEL, it will invoke yum; if it runs on a relatively recent Fedora, then it will do dnf. And you as the cloud user, the person that just wants a VM with reasonably up-to-date packages, no longer need to worry about it anymore. And not having to worry about something that I previously had to worry about, I kind of like that. I don't know about you, but I like that. You know, there's this t-shirt, "Go away or I'll replace you with a very short shell script." There should be a different one, which is "Shell script, go away or I'll replace you with very brief YAML," which is effectively what you get to do here. Another thing that you might want to do is you might want to influence what user accounts exist on your VM. And again, that is an interesting challenge when you want to get it right for all your target distros in a shell script, because on Debian or Ubuntu you have adduser, and you don't have that anywhere else; there it's useradd, and then groups are named differently across platforms, and so forth.
So doing all that with a shell script is relatively silly when, again, you can do it in YAML. That's just yet another variable in the YAML dictionary that you pass in with cloud-config. It's simply called users, and what it allows you to do is it configures users and groups. So for example, here what we're doing is we're injecting into our VM a user account for a foobar, and foobar is expected to be in the groups users and adm. We want to set his shell to /bin/bash, and we also want to enable him to do passwordless sudo on our machine. That's all I need to declare in there, and then cloud-init will just do the rest for me. If in the users dictionary I just enumerate all my users, then those will replace the default users, which depending on distro may be named ubuntu or ec2-user or centos and so forth, and we will only get the foobar user there. If I also add the magic keyword default, which you see at the top here, that means: configure all the users that I'm about to tell you, in addition to the default user that you normally configure. And this is what I generally recommend; it's something that's very helpful, because the default user, that's the one that gets your key pair injected, right, but you may want other users that you want to be able to define. Maybe you even want to pre-seed their passwords, and so forth. Speaking of passwords, something that I might want to enable for some or all of my users is being able to log into an OpenStack Nova VM with a username and password. By default, that's not allowed. Again, good luck doing that with a shell script and sed and awk, because, yes, of course, it's called PasswordAuthentication and you will flip a parameter that is normally no to yes, but where that config file is is again distro-dependent, right. Well, do we really want that?
No, we just set one boolean, and that's much nicer. Okay, so just another little cloud-config feature there. It can set one variable, and that variable is named ssh_pwauth. It is false by default, and if you set that to true, then that simply means that sshd gets PasswordAuthentication set to yes, and you can log into your VM with a username and password. So that's all that you need to set. There are more things that you may want to do at some point, which is, for example, perhaps you want to deploy arbitrary files. As you've probably guessed at this point, you don't need to, you know, fetch from somewhere and cat and whatnot, but you just use another entry in the cloud-config dictionary, and that's called write_files. write_files you can use in order to write simple, arbitrary text files anywhere on your target system. This is an example. One thing that you may want to do perhaps is, maybe you're deploying a few hosts in a test or demo environment or something like that into the same network, and for some reason or another you want those hosts to be able to resolve each other's host names via /etc/hosts. Then you can do it like this with write_files. It's a simple YAML list. You define a path, that's the target path of where the file goes, you define permission bits, and then you can define the file's content. For those of you not familiar with the construct that you see at the file content, the vertical pipe, that's just standard YAML. It means that what follows is multi-line content, and when you parse it, please preserve the newlines. This is in contrast to the angle bracket, or the greater-than sign, that you may have also seen; that means something slightly different.
That is, what follows is multi-line content, but remove all the newlines and the indentation when you actually roll it out. Okay, so in this case, just a multi-line file, and you can have as many of these as you want. And there's much more that you can do with this. So for example, you might think, well, I'm updating my package cache and then upgrading all my packages; one of the things that may get upgraded is my kernel. Well, the security patches in my kernel actually don't apply unless I also reboot the machine, and that's something you can also do from cloud-init. That's the power_state entry, and you can just tell it to reboot after it's complete at the first iteration, so it actually then reboots into the new kernel. So those are all relatively simple things. But maybe you already have a management infrastructure in place that you also apply to your virtual machines. Say, for example, you have centralized Puppet management within a specific tenant; say you've got hundreds of VMs in a specific tenant, and because you've always been a Puppet shop and that's where most of your expertise is, and that's how you're best set up for managing multiple VMs, you want to do Puppet on all of those. How do we configure a box for Puppet? What's necessary for a box to become a Puppet agent? What are the prerequisites for that? What do we need? So we need the Puppet client packages, yes. What else do we need? Certificates, exactly right, unless we enable autosigning, which is a terrible idea. Okay, and what other information do we need to give it? Where's the master, right? So where's my Puppet master? Anyone in here written a shell script for that?
Like doing all of that in an automated, idempotent fashion? No, because that would suck, right? That would be a horrible endeavor. So automating that from a user data shell script would be kind of painful. Right, I mean, it wouldn't kill you, but it's a little like taking a dentist's drill and putting a hole in your kneecap. Right, it's not very cool, when you can do all that in YAML as well, because cloud-init has this thing called puppet, and what that does is it configures your VM as a Puppet client. And what you basically do is you tell it, there is your master. You can also override the certificate name, and it actually does some funky parameter substitution there, so it will give you, say, an instance ID dot, I believe that's a full host name, the FQDN, and then you can also roll out your CA certificate. And then everything else, of course, it does for you, such as, for example, installing the Puppet agent packages. Right, and there is of course a means in cloud-config to also point it to specific repos, if that's what you want to do. So say you want your boxes to be Puppet agents, but you don't want to use the Puppet that ships in Debian, but you want to get Puppet from the Debian repos from Puppet Labs; then you can of course point it to an appropriate APT repo via cloud-config, and then you just run this, and then it will get those bits from the Puppet Labs repo. You can do the same thing with Chef. There are even a few extra features that you can configure there, such as, you know, setting your environment, whatever. And then, of course, you can also install packages. Again, you know, this would be kind of painful if you had to script it for different package managers, if you just have a list of packages that you can simply enumerate, such as, for example, for some reason or another you always want Ansible and git on all of your VMs. Here's how you do it. And even if you don't find a feature in cloud-config that does what you need it to do, that's still no reason to write a shell
script, because you can write those shell commands right into cloud-config if you absolutely need to, because cloud-config also gives cloud-init the ability to execute arbitrary commands. And for this to be practical, you actually have to deal with two sets of commands, or two types of commands, namely the ones that you want to run before everything else and the ones that you want to run after everything else. And we've got these two categories. We've got bootcmd, which runs commands very early in the cloud-init sequence. And you know, for example, if you are Swiss or German, or Japanese, and you very much care about precise timekeeping, then maybe one thing that you might want to do is make sure that your servers are immediately time-synced right when they boot up. Right, and so maybe what you want to do is you want to run a bootcmd that runs ntpdate against an upstream NTP server, so you make sure that you have exact, precise timing there. And then you also have runcmd, and that's the stuff that runs after all the other modules are completed. So for example, one thing that you might want to do there is, strangely enough, there is as yet no cloud-init command that does an ansible-pull. So you can configure Puppet with cloud-init and you can configure Chef, but you can't really do an ansible-pull, but you can do that from runcmd, something like this. So Phil was asking, am I talking about cloud-config or am I talking about cloud-init? It is cloud-init that parses these cloud-config files.
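As an added example (not from the talk's slides or the Hastexo repo's cloud-config.yaml), here is one cloud-config that combines the modules walked through above: bootcmd, package update/upgrade, packages, users, ssh_pwauth, write_files, runcmd and power_state. The NTP server, the host names in /etc/hosts and the ansible-pull repository URL are placeholders, and it assumes an Ubuntu image, since the adm group exists only on Debian and Ubuntu.

```yaml
#cloud-config
# Added example, not the talk's or the repo's file. The order of the keys
# below does not matter: cloud-init runs its modules in its own fixed order.

# bootcmd runs very early, before any package handling: sync the clock first.
# Assumes ntpdate is present in the base image; ntp.example.com is a placeholder.
bootcmd:
  - [ ntpdate, -u, ntp.example.com ]

# Refresh the package cache and upgrade everything; cloud-init picks
# apt, zypper, yum or dnf for whichever distro is running.
package_update: true
package_upgrade: true

# Extra packages, installed after the upgrade.
packages:
  - ansible
  - git

# Keep the distro default user (the one that receives the Nova key pair)
# and add foobar with passwordless sudo. groups may be a string or a list.
users:
  - default
  - name: foobar
    groups: users, adm
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
    lock_passwd: true        # no password set, so foobar logs in by key only

# SSH password logins stay off (the cloud-init default); the talk's demo
# sets this to true to allow username/password logins instead.
ssh_pwauth: false

# Arbitrary files; the '|' block scalar keeps the newlines in content.
# The host entries are constructed sample values.
write_files:
  - path: /etc/hosts
    permissions: '0644'
    owner: root:root
    content: |
      127.0.0.1 localhost
      10.0.0.11 web1
      10.0.0.12 web2

# runcmd runs after the other modules, so the ansible package above is already
# installed when ansible-pull is called (cloud-init has no module for it).
runcmd:
  - echo "hello world" > /dev/console
  - date > /dev/console
  - ansible-pull -U https://example.com/placeholder/site.git site.yml

# Reboot once every module has finished, so an upgraded kernel is actually used.
power_state:
  mode: reboot
  message: Rebooting into the upgraded kernel
  timeout: 30
  condition: true
```

Pass the file to Nova exactly as the talk does, with nova boot --user-data on the command line; the #cloud-config first line is what makes cloud-init choose the cloud-config parser rather than treating the file as a script.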
So what cloud-init will do is it will check out your SSH configuration, your IP configuration and so forth, and then evaluate your user data and/or execute that. And what cloud-init does is it looks at your user data and checks, basically, what's the lead-in for that. If it starts with hash-bang (#!), it assumes this is executable and it will select an appropriate interpreter, if that's available on the system. If it starts with #cloud-config, then it activates the cloud-config parser and does that. In either case, it is cloud-init that actually does the work for you. But for some reason everyone knows about the fact that cloud-init can run arbitrary code, but no one knows, or very few people know, that cloud-init can do something much nicer, right? Okay, so with that, let's see. Here we go. Okay, hang on, let me just get into my openstack-summit-2015-tokyo-hands-on. There we go. Okay, and if you just, never mind all the script and timing and whatnot files, forget about those, but if you just drop quickly into the cloud-init directory in there, then what you're going to see, let me open that up with vi real quickly, there's a cloud-config.yaml in there, and it's a very, very simple cloud-config. It starts with the lead-in #cloud-config. It does just what I previously explained: it does a package update and it does a package upgrade, and it will do the right thing for whatever applies to your distro here, regardless of what distro that is. So the question was, for RHEL, will this register to RHSM first? No, this won't, but there is an RHSM cloud-init module that will do that for you, so you can provide your credentials, and I believe it can even point your stuff to a Satellite server, if that's what it needs to do. But yeah, that is definitely an available feature in cloud-init on RHEL, so it does do that. So the question was, should all the client images be packaged with cloud-init built in?
Yes, of course they should, but they generally always should when you're running them in OpenStack or in AWS or wherever, because otherwise your cloud-init will not even be able to inject your SSH key. So if you're building your own images, and for some reason you're building your own images not from snapshots but from scratch, yes, you absolutely do inject cloud-init into those images, definitely. Yes, if your tenants do create their own images, then yeah, of course, but without cloud-init they're not even going to get much of network connectivity, because without metadata acquisition, you know, we're just not configuring a VM, period. Okay, so what else are we doing? We're creating a user here. By the way, to be perfectly honest, this actually is a somewhat distro-specific line, because the group adm does not exist by default on CentOS and SUSE. So this will work unmodified on Debian and Ubuntu, but it may need some tweaking if you're booting a different image. Does anyone not have an Ubuntu image available in their OpenStack cloud? Hmm. Really? You run an OpenStack cloud with zero Ubuntu guest images? Interesting. Cool. Hang on a second, just hear me out here real quick. And what we're also doing is we're enabling secure shell password authentication, and we are writing a few arbitrary files, just for the fun of it. We're also installing Ansible and git, and then we also do a quick runcmd to just spit something out on the console. Question, please. Okay, so the question was, what will happen if this throws errors, if something goes wrong? You already gave the answer: this being a hands-on lab, the correct answer can only be, try it out and see what breaks. But if you're not feeling adventurous, what will happen
if a specific issue in the cloud-config causes an error? cloud-init will abort that module and will then proceed with the next module. But there may of course be dependencies here, such as, you know, like in here, right: you're saying we want to install the ansible package, and then maybe you're doing an ansible-pull from a runcmd. Right, and then that may be sort of a cascading failure, but yeah, with cloud-init, that one module will just break and then it will proceed with the next one. So, okay, so the question was, effectively, what if we bust our cloud-config file, what if we put anything in there that is not syntactically correct, or that just doesn't have a matching module, or something like that? Is there a debug environment or a test flight or dry-run environment? Not to my knowledge. If anyone has written something like that, I'll be grateful for a pointer, but not to my knowledge. So basically it is, yeah, fire up a VM, and if it doesn't do what it should, just kill it and fire up a new one. So is there any way to escalate the debugging level?
You probably would not want to, because cloud-init produces copious logs as it is already. It actually produces two log files. One is all of the cloud-init output, so everything that cloud-init invokes and that generates any output gets written into this one thing, and then there's also a cloud-init log, and that actually, I believe, uses debug logging by default, and it's already very, very verbose as it is. Yes, sir? None of this is going to work for Windows images. To answer that, I am actually not sufficiently familiar with cloudbase-init and its features for Windows. I mean, there is cloudbase-init, which is sort of the cloud-init work-alike for Windows, implemented largely in PowerShell. I am not entirely familiar with the feature support matrix and which of these are actually supported, or to what extent cloud-config is supported. That's something where you just have to check the documentation for cloudbase-init, sorry. Is there a support matrix, which version of Red Hat supports cloud-init? I believe you can get cloud-init-enabled images, well, definitely back to RHEL and CentOS 6, but I think there are actually some available for 5 as well. Ubuntu, I mean, cloud-init actually predates OpenStack, right; cloud-init was originally written for EC2, and so for Ubuntu it's definitely pre-Precise that had that in the cloud images, but I can't give you the exact version numbers. Is there a reason to do this rather than use a config management tool? You can, of course; if you're running Puppet or Chef, then your cloud-config file will be minimal, and that is, you know, point to the Puppet master or point to the Chef server. That's it. Okay, so what we're going to do now with this thing, and let's see if I still have my nova boot command in my buffer here. Yes, I do, right. So what I can do there is I do a nova boot. I set a flavor. I define an image.
I define my NIC, and then, importantly, that's the thing that you can see, right? Whoops, that doesn't work very well, so I need to move over here. So that's what you see right here: the --user-data cloud-config.yaml. That will then inject that user-data file into the boot sequence. So we're gonna fire this up, and this is wonderful because I'm running this thing off of a Swedish OpenStack cloud provider called Elastx. If you're looking for a public cloud provider, do check them out; their service is awesome. In addition, if anything would go wrong with this boot sequence now, I'd pick Phil right out of the audience because he works for Elastx, and then maybe he could fix it for me. But I'm pretty certain that's not necessary because, as we shall see in a moment, boom, there it's running, and we're gonna take a quick look at our nova console-log here. Oops, sorry, nova console-log test, of course, I am very sorry. Whoops. Sorry. Let's do this then. So that's just a regular kernel boot, right? And we're all very familiar with that, blah blah blah blah. So this is where cloud-init first comes in, right, cloud-init running the init module, and then, dum-dum-dum-dum, here we go, that's the RSA key population. And there, as you can see, that's our first output from the package update and then subsequently, hopefully, package upgrade. There we go. Since I believe the base image here is an Ubuntu 14.04.3 point release, there's a few things in here that need upgrading. So that was the end there already. So let's go back here and get the latest from that. Here we go. Oh, and here we are already; I mean, this is the completed upgrade, right? And then down here we're getting to the git and ansible installation bits, and finally we should also see our hello world and whatnot at the very end. See, there's my hello world in the middle of the screen. We get that to the top, almost right.
So, third line from the top is our hello world, and then just below is the date output. Okay, now, how is the order of execution? Oops, sorry. The order of execution is basically built into cloud-init. Oops, come on. There we go. The order of execution is basically built into cloud-init: there is a certain order in which cloud-init executes these modules, and it really doesn't have anything to do with how it's written in the YAML there.

So while those of you who want to follow along fire up your Heat VMs, your Nova VMs, I want to point out that there's a few things, or actually a lot of things, that this doesn't do for you, right? It only fires up a VM, injects a key and configures the VM. What it doesn't allow you to do at this point, if this is in a public cloud, is connect to it, because it doesn't yet have a floating IP. It doesn't even have a router that's connected to an external network such that you can get a floating IP. Nothing, right? So there's very, very little that you get there, and that's not a very complete degree of automation. What we'd really like is to fire up a virtual machine, or maybe several, and plug them into a tenant network that we create just for this purpose. We want to plug that tenant network into a virtual router, we want to connect that virtual router to our external network, and we want to assign a floating IP so we can just SSH into that machine. Wouldn't that be nice? Now that is where Heat comes in.

This is only capitalized because all my headings in this slide deck are capitalized; Heat is not an acronym, at least not in this context. When it is an acronym it means high-explosive anti-tank, and you don't want to go near it, specifically if you're a tank commander. Heat is called Heat because heat is what makes clouds rise.
That was the original motivation. Now, what we can do with Heat is define and deploy complete virtual environments. So not just a virtual machine, but also networks, Cinder volumes, images, even Barbican keys, Sahara, whatever; you name it, pretty much anything, or just about anything, that we can fire up in OpenStack we can also orchestrate with Heat.

In Heat we define a stack in one of two distinct formats. Heat was originally inspired by an AWS service called AWS CloudFormation, and as a result it supports, to a certain extent at least, Amazon CloudFormation-compatible templates. Amazon CloudFormation uses a descriptive template language that is essentially JSON. I find that particularly painful to read, but you might think differently. Heat also supports its own template language called HOT; that stands for Heat Orchestration Template, and again, just like cloud-config, that is a hundred percent YAML, and I don't know about you, but I like that much better.

What can we do with that? Well, we can do what we just manually did, which is define, to an arbitrary degree of complexity, Nova VMs, and for that purpose it has a resource type that's called OS::Nova::Server. If I define an OS::Nova::Server resource that looks like this, I create a server that's called my box. It boots off of a specific image.
It uses a specific flavor and injects a specific key. Now, if I define this Heat template as it is, and this would be a complete Heat template, I could then use the heat command line utility to just create the stack, and that would look like heat stack-create. Then I can either point heat to a local file or to a URL, I give the stack a name, and then it fires up. But as it is, that stack with the definition that you just saw is not very flexible, because why would I hard-code my own key pair name in there when that is perhaps something that I might want to configure? Why would I hard-code a flavor in there when that is something that I might possibly want to configure? And this is where Heat parameters come in. So just like you can define resources in Heat, you can also define parameters for your template. So in this example, we're defining three parameters: one that we call flavor, one that we call image, one that we call key_name. They're all of the type string, we give them all a description, and that description can be used by various tools, such as for example Horizon, to describe what this parameter is all about. For non-mandatory parameters we can also set defaults. So for example, we might say that if the user does not specify a flavor for that VM that we want to fire up, then we're just going to default to a flavor named m1.medium. Or if we don't specify an image, we might want to fall back to a default image. Or there might be parameters that are always mandatory to set, where it doesn't make sense to specify a default, and if the user fails to set that parameter, we simply want stack creation to fail, simple as that. Now, how do we get to these parameters? Enter the concept of Heat intrinsic functions. There are several of those; get_param is the most frequently used one. So what you do here:
the resource definition that was previously hard-coded can now refer back to these parameters that we define in the parameters list, using this intrinsic function named get_param. So we can define a parameter named image, we can define a parameter named flavor, and we can define a parameter named key_name, and they will be injected in the appropriate spots in the Heat template. And now we can set these parameters. We can either do so from the command line, like here: we can set a key name and we can set an image, and the third parameter, the flavor, we just left out and used the default. So we simply fire up a stack just like that. There is an additional means of setting parameters, and that's called an environment file, which is yet another YAML file (that's cool: yet another "YAML Ain't Markup Language" file) with just the parameters in there, and again you can pull those in from a URL.

Still, you know, this gives us the ability to tweak a few parameters of our VM, or maybe we want to fire up a hundred VMs like that, fine. But it doesn't really solve the problem of maybe you want to actually SSH into this machine. So perhaps we want to add some network connectivity to this thing, and here's where we're finally sort of leaving the realm of what we can already do with Nova and cloud-config by itself. Instead, we can use the OS::Neutron::Net and OS::Neutron::Subnet resources to fire up networks. Remember, a network is just basically an abstract reference object in Neutron, but also a subnet with an appropriate subnet configuration. Like this, for example: we might want to define a network named management net, and we want to define another one named management subnet, and they're of the type OS::Neutron::Net or OS::Neutron::Subnet. We can define anything that we typically define on a Neutron network, and we can define
anything that we typically define on a Neutron subnet, such as, for example: what's the IP of my gateway? Do I want to enable DHCP or not? What are the DHCP allocation pools? What's the network address, and so forth. But we of course also need to plug that subnet into a network that we are also creating with Heat in the same template, and as you probably acutely observed, there's yet another intrinsic function that you see there, named get_resource. And get_resource does two things: it creates that cross-reference between those resources, but it also creates an automatic dependency tree, because if Heat were to evaluate all these resources just top to bottom, then you would need to write, you know, first the network and then the subnet and whatnot. But in fact that's not necessary. I could flip it upside down as well, because via the get_resource intrinsic function I do get an automatic dependency from one resource to another. So whenever I use get_resource, Heat knows there is an independent resource that needs to be created first and a dependent resource that gets created next, and that's another extremely useful, or rather required, feature in Heat.

And then, continuing on with Neutron, we might also want to define a virtual router, we might want to define a gateway for that router, that is, plugging the router into an external network, and we also might want to plug our just recently created, brand-spanking-new subnet into our router. That can look like that, right? So here we're defining... let me just scroll down here real quickly.
So we've got it on the whole. So we were defining our router resource, a router gateway resource, a router interface and so forth. We can also specifically configure individual settings for Neutron ports with the OS::Neutron::Port resource type, which you would then presumably plug into a specific network, and then you can plug that port into a VM. Well, fine, but maybe what you also want to be able to specify at the same time is: how do we enable, say for example, secure shell access to this thing? How do we do that? Well, we do that with security group rules, right? Well, of course we can also orchestrate Neutron security groups directly from Heat, for example like this. So that's a security group that does what probably every one of you has at some point already done manually: it creates a security group and opens that up for inbound SSH and all inbound ICMP traffic, so you can ping your VM and you can secure-shell into it. And then you simply cross-reference that again via a get_resource function from the port to the security group. Relatively straightforward.

Of course, you're gonna be unable to actually SSH into your VM unless it's also given a floating IP. That's another thing that you can happily orchestrate with the OS::Neutron::FloatingIP resource type, and there you simply define: okay, what's the network that I want to retrieve that floating IP from, and what's the port, which then is plugged into a VM, that gets that floating IP mapping? Which leads us to another very helpful and handy Heat feature. You know how floating IPs work: you basically get a random floating IP out of the pool, right?
So of course, if you are firing up an arbitrarily complex environment that maybe consists of, I don't know, three different networks, 50 different servers, two different routers between them and three or four security groups, and then you have like an entry host that you retrieve a floating IP for, you might want to know what that floating IP is. So you need a way to get information out of Heat, or out of the stack as it's being created, and that's where outputs help. So we previously talked about resources, we talked about parameters, and the third thing we need to talk about is outputs. There I can effectively take values that are present in the stack, or attributes of resources, and return them to the user. So for example, I might define an output named public IP or floating IP or something like that, and then you set a value for that output, and again, here's yet another intrinsic function, called get_attr, which will return the attribute of the resource that you're looking for.

By the way, in case you're wondering, okay, so how do I find out what the parameters are that are available for a resource, what the attributes are that can potentially be returned by a resource: all of this is very, very extensively documented. There is a HOT reference guide where all of the resource types that Heat supports are enumerated, and it will tell you what those resources are, what properties they take, so how you can configure them, and also what attributes they may return. And of course you can use these attributes not just for outputs; you can use them for cross-references anywhere in your Heat template. And then this is how you retrieve it: there's a heat output-list followed by the stack name, or you do heat output-show followed by the stack name and the variable that you actually want to get out of there.
Heat tells you all other sorts of interesting bits as well, such as, for example, what were all the events that occurred in the stack's life cycle, what's the current status of all those resources, and so forth.

So now I told you about cloud-init, I told you about cloud-config, and I told you about Heat, but in order for this whole thing to actually be fun and really useful, like exceedingly useful, what you can do is combine those two. You can of course do it in a slightly simplistic fashion: you could simply say, okay, I'm defining an OS::Nova::Server resource, and of course, just like the property that I can set on nova boot, I can also set a user_data property for a Heat resource here, and I can use yet another intrinsic function that I haven't as yet told you about, namely get_file, which means just parse that YAML file and inject it here. But that's not cool; I should put another "nope" over here, right? Just don't do that, because you can do something much, much better and much, much nicer. Because there is a resource type called OS::Heat::CloudConfig, and that allows you to configure your cloud-init configuration from within the Heat template. So here what you're doing is defining an OS::Heat::CloudConfig resource, and it's basically nested YAML. In this case you say package_update true, package_upgrade true and so forth, and then you again reference that resource with a get_resource function. But it's much nicer if you also set your cloud-config parameters directly from Heat, because we can, right.
So here what we are doing is defining, for example, the name of a user and the user's full name, and then we can simply pass that in as parameters for Heat and do a heat stack-create. If we want to name our user, I don't know, a Canadian astronaut, and use a full name of Chris Hadfield, then that's fine, and if you want to name your user Homer and use a full name of Homer Simpson, then that's fine; you can do all that from the Heat parameter set. So let us take a look at what that looks like.

Okay, so, by the way, what I showed you earlier, the cloud-init stuff, requires no Heat, right? So you can do all of that from Nova, and that's fine. If you go back into the hot directory here, you're gonna find a single config file in there, hot.yaml, which we're gonna take a quick look at as well. So here, the stuff that I previously set on the command line for nova boot I can now define with parameters, and for some of these parameters I set defaults. As it happens, the flavor names in Elastx happen to be such that the flavor that I want is m1.medium, and the image is called trusty-server-cloudimg-amd64. For the key name it doesn't make sense to set a default, so I just want to inject my key there. I then also have to define: what is the public network, what is the network that I'm getting my external, my floating, IPs from? And then I can also set a username; by default I call this user foobar, and the full name is by default empty. And then what I have here is that I define these resources there, and I start out with my VM, with my OS::Nova::Server resource, and as I said, I don't care if the resources that I am referring to with get_resource get defined later in the template, because it will happily create the appropriate dependency tree for me. Here is my magic cloud-config that I want to inject. Right, so I define, I also again...
I say package_update true, package_upgrade true. I want to create the default user; this is an Ubuntu image, so it's going to be called ubuntu, and then I want to set the username and the full name for that user from a Heat stack parameter. And of course, you know, if you ever use this in production you probably also don't want to hard-code the password; you want to be able to pass in a password hash. But what we want to do is we want this user to be sudo-enabled and we want our user to be able to log in with a username and password and not just with an SSH key. And then I do a few other things: I give this machine a port, I create a network, a subnet, even a security group that enables inbound SSH, and then here at the very end I'm also defining this public IP output, which gives me the floating IP address in my public network.

So let's see, let's fire up a Heat stack. This better... not really, right? It does. Well, I think you can still tell what I'm doing there, but let's just do this. Okay, let's be nice here. I'm gonna do a heat stack-create, and we're gonna boot that from hot.yaml, and then we're gonna add a few parameters. So I'm gonna do key name; this is a key that does already exist here in my store; I'm gonna name it florian. I'm gonna set the public_net_id parameter to this UUID here. The image, I can actually use the default. And I want to do username; let's use Homer, like this. And we're gonna name that stack one, and I'll fire that off. Hang on a second, I'm gonna get to the output in a moment. Okay, so that stack is now being fired up. I can now check, for example, what are the events associated with this stack? Whoops. So these are just a few state changes, right? I'm firing up these resources as we go along, and that is still creating, fair enough. Give it a little time. Yeah, there we go.
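As an added example, not the hot.yaml shown in the talk, here is a HOT template that ties together the pieces walked through above: parameters with defaults, a tenant network and subnet, a router with its external gateway and interface, a security group, a port, a floating IP, an OS::Heat::CloudConfig resource whose user name and full name come in via get_param, and a public_ip output read back with get_attr. It assumes Kilo-era (heat_template_version 2015-04-30) or newer Heat property names; the image and flavor names, the CIDR and the resource names are constructed, and unlike the talk's demo the password arrives as a hidden password_hash parameter and SSH ingress is limited to an ssh_allowed_cidr parameter.

```yaml
heat_template_version: 2015-04-30
parameters:
  image:
    type: string
    default: trusty-server-cloudimg-amd64
  flavor:
    type: string
    default: m1.medium
  key_name:
    type: string                # no default: stack-create fails without it
  public_net_id:
    type: string                # UUID of the external (floating IP) network
  username:
    type: string
    default: foobar
  full_name:
    type: string
    default: ""
  password_hash:
    type: string                # crypt(3) hash, passed in rather than hard-coded
    hidden: true                # not echoed back by heat stack-show or Horizon
  ssh_allowed_cidr:
    type: string                # who may reach port 22 (constructed default)
    default: 0.0.0.0/0

resources:
  management_net:
    type: OS::Neutron::Net
  management_subnet:
    type: OS::Neutron::Subnet
    properties:
      network: { get_resource: management_net }   # get_resource also orders creation
      cidr: 10.0.0.0/24                            # constructed address space
  router:
    type: OS::Neutron::Router
    properties:
      external_gateway_info:
        network: { get_param: public_net_id }
  router_interface:
    type: OS::Neutron::RouterInterface
    properties:
      router: { get_resource: router }
      subnet: { get_resource: management_subnet }
  ssh_secgroup:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - protocol: icmp                           # ping from anywhere
        - protocol: tcp                            # SSH only from ssh_allowed_cidr
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: ssh_allowed_cidr }
  port:
    type: OS::Neutron::Port
    properties:
      network: { get_resource: management_net }
      security_groups: [ { get_resource: ssh_secgroup } ]
  floating_ip:
    type: OS::Neutron::FloatingIP
    properties:
      floating_network: { get_param: public_net_id }
      port_id: { get_resource: port }
  cloud_config:
    type: OS::Heat::CloudConfig
    properties:
      cloud_config:
        package_update: true
        package_upgrade: true
        users:
          - default                                # keeps the image's ubuntu user
          - name: { get_param: username }
            gecos: { get_param: full_name }
            groups: [adm, users]
            sudo: ALL=(ALL) NOPASSWD:ALL
            lock_passwd: false                     # password login allowed ...
            passwd: { get_param: password_hash }   # ... only with the supplied hash
  my_box:
    type: OS::Nova::Server
    properties:
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - port: { get_resource: port }
      user_data_format: RAW
      user_data: { get_resource: cloud_config }

outputs:
  public_ip:
    value: { get_attr: [floating_ip, floating_ip_address] }
```

Launch it with the CLI the talk uses, for instance heat stack-create -f hot.yaml -P "key_name=florian;public_net_id=<external net UUID>;password_hash=<crypt hash>" stack1, and then heat output-show stack1 public_ip returns the address to SSH to.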
I had no need to put it on watch because it's done. And of course one of the things that I get here is a VM that's named my box. I also still have the test box from earlier, as you can already see here. It is plugged into the management net; it already has a floating IP, right? So all of that is already there. I can also see with my neutron net-list that here is my management net that I just created. I can do a neutron router-list: that is my stack one router, blafu, that's just been created. And I can of course again do a nova console-log of my box, like this, and we should hopefully see that the cloud-init cloud-config process is already almost done. No, that's just seeding its random seed apparently, so that is still working. Okay, so this is the package upgrade and package update; that's one of the first things, or one of the very early things, that run in the cloud-init sequence, but what we should see soon is us progressing from there, and this will just be another minute or two, I hope. Okay, so here we are, we're already installing packages, basically done downloading them. Maybe I should have used a less outdated Ubuntu image; we would have installed fewer packages. Can you give me a second, please? Come on. Yes. Yes. Yes. Okay, what's your question? So the question was: is it possible to orderly shut down a stack?
Yes, and I'm about to do that, but I want to show you that it works first. So that looks finished, so cloud-init is done. So what I'm now going to do is a heat output-show, and that is my stack one, and what I want to get is my public IP. And then if I log in as Homer at that thing, then it's probably going to complain that I've previously logged into this VM, and so therefore it doesn't want... it's previously logged into this floating IP, and that has of course changed. So let's do that again. There's our Homer, and now I'm going to do... and boom, I'm in, right? So that's a Heat stack with cloud-config managed from Heat, with Homer Simpson being created, put into the appropriate groups, the adm and users groups, and we're exactly where we wanted to be. Someone's screaming. Is that...? It worked. Oh, was it? Oh, that, oh, oh, oh. Excellent. Yeah, we are sorry, and so that's for you. So if that was the "oh, it worked", then here... There we go.

If you want more information about the things that I covered today: this is the go-to information page for cloud-init, that's cloudinit.readthedocs.org. There you will find information about pretty much all the available cloud-init modules, therefore all the available functionality in cloud-init. cloud-init is a little bizarre in that it's maintained on Bazaar, but if you go to Launchpad, to the cloud-init dev Bazaar repo, then you're gonna find an examples thing in there. Hey guys, can you hear me out for a second, please? Thank you. Just two minutes and I'll be done. There's doc/examples in the upstream Bazaar repo on Launchpad for cloud-init. There is also the aforementioned HOT reference; those are all the Heat resources that are available, with all their parameters, or properties, and with all their attributes and what you can do with them.
This information I've already given out, so that is this slide deck: the top URL is everything rendered as you see it here, and the bottom one is the GitHub repo. Everything is under a Creative Commons Attribution-ShareAlike license, so if you consider this slide deck useful for your next meetup group or for your next meeting at work, then please, by all means, feel free to use it; that's what it's for. And if you want to find out what our company does with OpenStack, please go ahead and visit hastexo.com/openstack for a landing page. And with that, I thank you very much for your patience, for your endurance throughout the OpenStack Summit and parties and what have you, and I want to say thank you for coming first and then take questions. Thanks, sir. Yeah, so just to repeat that: cloud-init itself, just like anything else in OpenStack, is written in Python, and the modules are reasonably well documented. They're also reasonably well legible, so just learning from existing modules is not hard at all. So yes, if you do want to add functionality, then by all means you can totally do so, and the next OpenStack user will be grateful to you. And also easy to use, actually. Is there rudimentary support for conditionals and loops in Heat?
Yes. Next question: in cloud-config? Hmm. Well, that's actually a really good question. In cloud-config itself I'm not aware of it, but then there's really, really funky things that you can do with YAML, with indirections and cross-references and whatnot, but I wouldn't know, sorry. But you can certainly do it in Heat. Good question: if you want to create not one, not two, not three, but a hundred VMs, you can configure something that Heat calls a resource group, and then you're basically defining a template and then you say I want this x many times. And you can not only do that with VMs; if you want a hundred tenant networks, then you get a hundred tenant networks. There's more interesting stuff that you can do with Heat as well; cloud-config supports multi-part configuration, so you can have individual parts that you put together from within Heat and you automate that. So I scratched the surface here, but yeah, you can definitely configure multiple resources in one definition. Excellent. Good question, excellent question: what if I make changes to an existing Heat template? This is excellently documented in the HOT reference, because for every property that you see there it will either say "can be replaced without updates" or "updates cause replacement", which means that when you change this specific parameter, either Heat can update that parameter in place... So one example is: you can change the flavor of a VM. That is something that is updatable.
It will just go to the resize state and then continue. There are others; for example, if you're actually changing cloud-config: cloud-config is only ever applied on first boot, so if you're changing cloud-config, then that means that the VM that uses that cloud-config is simply gonna be rebuilt. But, like I said, for every single resource, for every single property of a resource, this is documented in the HOT reference; look for either "updates cause replacement" or "can be updated without replacement", something like that. Mm-hmm. Yeah. Yes. Yes, exactly. Oh, and sorry, you can also change parameters from Heat with heat stack-update. You can do lots of other cool things with Heat: you can suspend stacks, resume stacks as a whole. So all of that is really cool; in fact, we're using it for something really neat, and if you want to read more about that, it's kind of out of scope for this talk, but if you want to read more about what we do, that is actually a really, really neat Heat application, then go to www.hastexo.com/openedx, so replace the "stack" with "edX", Open edX. That's just something that we've very recently announced, and if you're interested in getting your people or your colleagues or the team trained on OpenStack or Ceph or Docker or OVN or something like that in a really, really neat and immersive manner, then do contact us about that. So that's hastexo.com/openedx, and with that we are... I'm sorry, we're out of time. I'll be happy to take your question later, but we are out of time. Again, thank you very much for coming. I hope this was informative and enjoyable, and safe travels back home, everyone.