Bug 1315772

Summary: Add information about DHCP for image-based provisioning
Product: Red Hat Satellite
Reporter: Lukas Zapletal <lzap>
Component: Docs Provisioning Guide
Assignee: Stephen Wadeley <swadeley>
Status: CLOSED CURRENTRELEASE
QA Contact: Russell Dickenson <rdickens>
Severity: medium
Priority: medium
Version: 6.2.0
CC: adahms, dmacpher, lzap, nshaik
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2017-04-03 02:14:02 UTC
Type: Bug

Description Lukas Zapletal 2016-03-08 15:03:06 UTC
Depending on Satellite version, compute resources offer either cloud-init or ssh-finish image-based provisioning.

1) SSH-finish script provisioning - a host must have valid hostname and IP address assigned when submitting it. IP address is usually assigned when Subnet is selected directly, or via Host group. Also the VM *must* be on DHCP server managed by Satellite and Subnet must be associated with the correct DHCP Capsule.

Once VM is created and starts up, Satellite attempts to ssh to the IP address that was assigned to this host (therefore IP and MAC combination has reservation) using username and password that was stored with the image. Optionally, ssh pubkey authorization can be used (effective user "foreman" on Satellite Server must be authorized on the image).

Checklist for this option:

- host has a subnet assigned
- the subnet has a DHCP Capsule assigned
- the host has a valid IP address assigned
- the VM IP address acquired from DHCP matches the address from Satellite
- the VM created from image responds to SSH requests
- the VM created from image authorizes user and password via SSH which is associated with the image that is being deployed

2) Cloud-init - this is similar use case, host must have valid hostname, but it is not required to have DHCP Capsule associated, because the init script is seeded in the VM directly. But usually DHCP is required because it is not efficient to burn in IP addresses for each individual VM (and image). By default the cloud-init script only sets host FQDN and creates a username and then "calls home" to exit build mode (request to Satellite server or Capsule).

https://github.com/theforeman/community-templates/blob/develop/cloudinit/userdata_cloudinit.erb

Checklist for this option:

- there is a DHCP server on the subnet (managed DHCP is preferred)
- the VM supports cloud-init (it must have cloud-init service installed and enabled)

DOCO REQUEST:

Please add a warning to documentation about image based provisioning:

A) SSH-finish image based provisioning requires managed DHCP. The host must be created with a Subnet associated with a DHCP Capsule and IP address of the host must be valid IP address from the DHCP range. It is possible to use external DHCP, but IP address must be entered manually and correctly.

B) Cloud-init image-based provisioning usually needs DHCP server. A managed DHCP Capsule is preferred. Always use images which are cloud-init ready.

Comment 1 Andrew Dahms 2016-11-15 12:04:42 UTC
Moving to NEW and the default assignee to be triaged as the schedule allows.

Comment 2 Andrew Dahms 2017-03-15 23:47:49 UTC
Assigning to Stephen for review.

Comment 5 Stephen Wadeley 2017-03-21 06:55:24 UTC
(In reply to Lukas Zapletal from comment #0)
> Depending on Satellite version, compute resources offer either cloud-init or
> ssh-finish image-based provisioning.
> 

Hello lzap

Re "Depending on Satellite version"

We are working on 6.2 guide which mentions both ssh-finish and cloud-init.  If both methods are supported in 6.2, then that is OK.


Thank you

Comment 10 Lukas Zapletal 2017-03-28 11:25:58 UTC
Excellent, in the original description I mentioned ssh keys but this is too complex to set up. Maybe if you want to mention this - it is possible to avoid passwords if user deploys a SSH key to "foreman" effective user. The key must not be protected with passphrase and instructions how to set it up are in the libvirt chapter in our docs. Upstream it's

https://theforeman.org/manuals/1.14/index.html#5.2.5LibvirtNotes

Then the key will be used when running finish scripts, so password can be left blank.

Second more important info is which providers support what:

Finish script support:
- bare metal
- openstack
- amazon ec2
- rackspace
- gce

Cloud-init script support:
- ovirt/rhev
- vmware (*)
- openstack
- amazon ec2
- rackspace

Consider pulling this out into KBASE article and linking it instead of keeping this in main docs - this changes as we add features.

VMware actually has special cloud-init limited scope support, it does not pass the cloud-init into the image as-is, but rather converts it into individual actions referred to as Custom Spec in VMware docs. Only some fields are converted, the rest is unused. It does not accept "call home" wget/curl call, therefore VMware VMs initialized with cloud-init stay in build mode forever. This is a known limitation.

https://github.com/fog/fog-vsphere/blob/master/lib/fog/vsphere/requests/compute/cloudinit_to_customspec.rb

https://pubs.vmware.com/vsphere-55/index.jsp#com.vmware.wssdk.apiref.doc/vim.vm.customization.Specification.html
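
The two checklists from the description, combined with the provider lists and the VMware limitation from comment 10, as a pre-flight check. This is an added example, not part of the original thread and not Satellite or Foreman code; the host record layout, field names and sample values are hypothetical.

```python
import ipaddress

# Provider lists as stated in comment 10; they change as features are added.
FINISH = {"bare metal", "openstack", "amazon ec2", "rackspace", "gce"}
CLOUD_INIT = {"ovirt/rhev", "vmware", "openstack", "amazon ec2", "rackspace"}

def preflight(host):
    """Check a host record (hypothetical dict layout) and return problems."""
    method, provider = host["method"], host["provider"]
    problems = []
    if provider not in (FINISH if method == "ssh-finish" else CLOUD_INIT):
        problems.append(f"{provider} is not listed for {method}")
    subnet = host.get("subnet") or {}
    if method == "cloud-init":
        if provider == "vmware":
            problems.append("vmware cannot call home; host stays in build mode")
        if not host.get("image_cloud_init_ready"):
            problems.append("image is not cloud-init ready")
        if not subnet.get("has_dhcp"):
            problems.append("no DHCP server on the subnet")
        return problems
    # SSH-finish: Satellite connects to the address it reserved for the host.
    # SSH reachability and image credentials need a live VM and are not checked.
    if not subnet:
        return problems + ["no subnet assigned"]
    if not subnet.get("dhcp_capsule"):
        problems.append("subnet has no DHCP Capsule")
    try:
        ip = ipaddress.ip_address(host.get("ip", ""))
    except ValueError:
        return problems + ["no valid IP address assigned"]
    first, last = (ipaddress.ip_address(a) for a in subnet["dhcp_range"])
    if not first <= ip <= last:
        problems.append(f"{ip} is outside the DHCP range {first}-{last}")
    if (leased := host.get("leased_ip")) and ipaddress.ip_address(leased) != ip:
        problems.append(f"VM leased {leased}, Satellite expects {ip}")
    return problems

# Constructed sample records (addresses from the 192.0.2.0/24 documentation range).
SUBNET = {"dhcp_capsule": "capsule.example.com", "has_dhcp": True,
          "dhcp_range": ("192.0.2.100", "192.0.2.200")}
GOOD = {"method": "ssh-finish", "provider": "openstack", "subnet": SUBNET,
        "ip": "192.0.2.120", "leased_ip": "192.0.2.120"}
DRIFT = dict(GOOD, leased_ip="192.0.2.133")
VMWARE = {"method": "cloud-init", "provider": "vmware", "subnet": SUBNET,
          "image_cloud_init_ready": True}

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("drift", DRIFT), ("vmware", VMWARE)):
        print(name, preflight(rec) or "ok")
```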

Comment 14 Stephen Wadeley 2017-03-29 12:54:57 UTC
(In reply to Lukas Zapletal from comment #10)
> Excellent, in the original description I mentioned ssh keys but this is too
> complex to set up. Maybe if you want to mention this - it is possible to
> avoid passwords if user deploys a SSH key to "foreman" effective user. The
> key must not be protected with passphrase and instructions how to set it up
> are in the libvirt chapter in our docs. Upstream it's
> 
> https://theforeman.org/manuals/1.14/index.html#5.2.5LibvirtNotes
> 
> Then the key will be used when running finish scripts, so password can be
> left blank.
> 
I remember testing that procedure, to use the Foreman user and SSH keys to connect to libvirt, rather than as root user. I was going to use it in one of the guides. I dropped that when I saw your KBase using the root method, so I just used that.

> 
> Consider pulling this out into KBASE article and linking it instead of
> keeping this in main docs - this changes as we add features.
> 

What would be a good name for this? e.g.:

Comparison of finish script and cloud-init script support in Satellite 6

Does it have to mention Satellite 6 even, seems generic to other products.

Comparison of finish script and cloud-init scripts

{maybe drop the word "support" as that meaning is not clear until you read and see the context}

Thank you

Comment 15 Lukas Zapletal 2017-03-29 14:05:27 UTC
Not sure about name, something like Supported compute resources for finish and cloud-init? It's more two lists than comparison.

Comment 24 Andrew Dahms 2017-04-03 02:14:02 UTC
This content is live on the Customer Portal.

Closing.