Developing OpenStack Tooling

...without PythonColleen Murphy, HP

The problem

We need to manage OpenStack resources with puppet

Lightning intro to puppet

● resource - something being managed on a system

● type - the interface of the resource● provider - the backend implementation of the

resource

Example: file

file { '/root/example':

ensure => present,

content => 'A file resource managed by puppet',

mode => '0644',

}

Example: mysql_database

mysql_database { 'keystone':

ensure => present,

charset => 'utf8',

collate => 'utf8_general_ci',

}

Example: mysql_database# puppet apply mysql.pp --debug

Debug: Prefetching mysql resources for mysql_database

Debug: Executing '/usr/bin/mysql --defaults-extra-file=/root/.my.cnf

-NBe show databases'

Debug: Executing '/usr/bin/mysql --defaults-extra-file=/root/.my.cnf

-NBe create database if not exists `keystone` character set `utf8`

collate `utf8_general_ci`'

Notice: /Stage[main]/Main/Mysql_database[keystone]/ensure: created

#

Example: keystone_tenant

keystone_tenant { 'services':

ensure => present,

description => 'The services tenant',

enabled => true,

}

Requirements

● features● restrictions

We’re not alone

● terraform● other config mgmt

○ chef○ salt○ ansible

● internal ops tools

Stage 1

Shelling out to the CLIcommands :keystone => "keystone"

def self.auth_keystone(*args)

authenv = {:OS_SERVICE_TOKEN => admin_token}

withenv authenv do

remove_warnings(keystone('--os-endpoint', admin_endpoint, args))

end

end

results = auth_keystone('tenant-create', '--name', resource[:name],

'--enabled', resource[:

enabled])

Shelling out to the CLI# puppet apply keystone.pp --debug

Debug: Prefetching keystone resources for keystone_tenant

Debug: Executing '/usr/local/bin/keystone --os-endpoint http://127.

0.0.1:35357/v2.0/ tenant-list'

Debug: Executing '/usr/local/bin/keystone --os-endpoint http://127.

0.0.1:35357/v2.0/ tenant-create --name services --enabled True --

description The services tenant'

Notice: /Stage[main]/Main/Keystone_tenant[services]/ensure: created

#

What was good

● Idiomatic● Debuggable

What was bad

● Instability● Duplicated code

Why we switched

Instability

Stage 2

curl?curl -H 'Content-Type: application/json' -X POST -d '{

"auth": {

"tenantName": "admin",

"passwordCredentials": {

"username": "admin",

"password": "passw0rd"

}

}

}' http://127.0.0.1:35357/v2.0/tokens

curl - Update a project (v2)curl -H 'X-Auth-Token: 8bc163' -H 'Content-Type: application/json' \

-X POST -d '{

"tenant": {

"description": "new description",

"enabled": true

}

}' http://localhost:35357/v2.0/tenants/28551b

curl - Update a network (v2)curl -H 'X-Auth-Token: 5a072f' -H 'Content-Type: application/json' \

-X PUT -d '{

"network": {

"admin_state_up": true

}

}' http://127.0.0.1:9696/v2.0/networks/ff9cc0

curl - Update an image (v1)

curl -H 'X-Auth-Token: c23ea2d' \

-H 'x-image-meta-disk_format: vhd' \

-X PUT http://localhost:9292/v1/images/7d863c

curl - Update an image (v2)

curl -H 'X-Auth-Token: 7ac5c8' \

-H 'Content-Type:

application/openstack-images-v2.1-json-patch' \

-d '[{

"path": "/disk_format", "value": "vhd", "op": "replace"

}]' \

-X PATCH http://127.0.0.1:9292/v2/images/40de3a

curl?

Let’s not reinvent a framework

An SDK?

“A set of language bindings that provide a language-level API for accessing OpenStack in a manner consistent with language standards.” https://wiki.openstack.org/wiki/SDKs

An SDK?

“Currently, OpenStack's user stories for both command-line and application developer consumers of OpenStack based clouds is confusing, fractured, and inconsistent.”https://wiki.openstack.org/wiki/SDK-Development/PythonOpenStackSDK

fog?

● too big, too general-purpose

aviator

session = ::Aviator::Session.new(:config => configuration)

session.authenticate

response = session.request(:identity,

:create_tenant, options) do |params|

params.name = resource[:name]

params.enabled = resource[:enabled]

params.description = resource[:description]

end

What was good

● OpenStack-focused● responsive maintainer

What was bad

● session management● vendoring the gem● question of sustainability

Why we switched

keystone v3

Stage 3

OpenStackClient (...another CLI)# puppet apply keystone.pp --debug

Debug: Executing '/usr/local/bin/openstack project list --quiet

--format csv --long --os-token sosp-kyl --os-url http://127.

0.0.1:35357/v2.0/'

Debug: Executing '/usr/local/bin/openstack project create --

format shell services --enable --description The services tenant

--os-url http://127.0.0.1:35357/v2.0/'

Notice: /Stage[main]/Main/Keystone_tenant[services]/ensure:

created

#

What was good

● keystone v3 support● distro packages● well-supported● consistency across modules

What was bad

● laggy support from distros● stability is ?

Status

Incomplete

Colleen Murphycmurphy@hp.comfreenode: crinkle - #puppet-openstacktwitter: @pdx_krinkle

Questions or comments?