Bug 1417231

Summary: [DOC] I'd like to include an article about using whole disk images with TripleO
Product: Red Hat OpenStack Reporter: Yolanda Robla <yroblamo>
Component: documentationAssignee: Dan Macpherson <dmacpher>
Status: CLOSED CURRENTRELEASE QA Contact: RHOS Documentation Team <rhos-docs>
Severity: medium Docs Contact:
Priority: medium    
Version: 11.0 (Ocata)CC: atelang, brault, dcadzow, dmacpher, kbasil, mburns, nkinder, racedoro, srevivo, yroblamo
Target Milestone: ---Keywords: Triaged, ZStream
Target Release: 10.0 (Newton)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1494417 (view as bug list) Environment:
Last Closed: 2017-10-19 13:36:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1434350    
Bug Blocks: 1494417    

Description Yolanda Robla 2017-01-27 15:59:08 UTC 
Starting on Ocata, TripleO can deploy with whole disk images. Although it is not the default behaviour, it is possible customizing the initial guest image.
I documented the workarounds on:
http://teknoarticles.blogspot.com.es/2016/12/start-using-whole-disk-images-with.html

And also booting with an encrypted home on:
http://teknoarticles.blogspot.com.es/2016/12/how-to-encrypt-your-home-with-guestfs.html

If that's possible, i'd like that an article is shown in RedHat documentation mentioning that possibility.
Comment 1 Ramon Acedo 2017-03-22 10:26:02 UTC 
Hi Derek, this would require documentation for OSP 10 and OSP 11 (which should be the same info in both).
Comment 2 Derek 2017-04-03 14:03:01 UTC 
Already assigned to Dan -- I'll ensure he's seen your note.
Comment 3 Dan Macpherson 2017-04-03 14:28:33 UTC 
Hi Ramon,

Just a quick question -- You said whole disk image support is available in OSP10, but the article linked above says that the feature officially landed in Ocata (OSP11). Can you clarify the version support?
Comment 4 Ramon Acedo 2017-04-03 19:42:09 UTC 
Hi Dan, support OSP 10 is unfinished from what I can see in BZ#1434350. Probably better work with Yolanda's documentation for OSP 11 only at this point.
Comment 5 Ramon Acedo 2017-04-03 19:44:54 UTC 
Hi Yolanda, you targeted this for OSP 10 but I believe the Newton backport it's unfinished at this point.
Comment 6 Yolanda Robla 2017-04-04 06:28:42 UTC 
It has been requested but is on progress. I started with the backport in upstream but is sort of blocked by unexpected problems in the TripleO CI. I hope it can land this week.
Comment 8 Yolanda Robla 2017-05-12 12:30:55 UTC 
Hi, thanks for taking that. 
I have several comments...
parititioning -> typo, partitioning

When explaining the steps, you miss the dracut regeneration. So by default, overcloud-full.qcow2 comes without support for volumes. We need to update dracut to add it (and also add crypt in case you want encryption):
dracut_content = """
add_dracutmodules+="lvm crypt"
"""

Also, when testing that, i found that we have a sizing problem when applying TripleO on top of the whole disk images. So the right partitions sizes could be:

logical_volumes = {
  'root': 4 * 1024,
  'swap': 250,
  'home': 100,
  'tmp':  500,
  'var':  5 * 1024
}

Also, it will be worth to mention about encryption? I created a blogpost here: http://teknoarticles.blogspot.com.es/2016/12/how-to-encrypt-your-home-with-guestfs.html. Encryption of some partition may be an interesting use case as well, for security reasons.

About creating an automated system, it's WIP and it's targetted for pike. It will use diskimage-builder to create the partitions and volumes, and TripleO will provide that whole disk image by default. See https://blueprints.launchpad.net/tripleo/+spec/build-whole-disk-images
Comment 10 Yolanda Robla 2017-05-16 13:41:21 UTC 
Thanks for the update, it looks good to me.
Comment 11 Dan Macpherson 2017-05-16 14:26:38 UTC 
Excellent. I've merged this into OSP11.
Comment 12 Dan Macpherson 2017-05-16 14:27:15 UTC 
Peer review planned for post-GA.
Comment 13 Yolanda Robla 2017-05-23 09:30:25 UTC 
I need to do an additional correction. The method i describe for encryption works for secondary partitions, but fails when encrypting the root one. The fix is simple, we need to add rd.auto=1 to the bootloader. Could you amend the document, and add this small fix?

# add rd.auto=1 on grub parameters
g.sh('sed  -i "s/.*GRUB_CMDLINE_LINUX.*/GRUB_CMDLINE_LINUX=\\"console=tty0 crashkernel=auto rd.auto=1\\"/" /etc/default/grub')

Before the line:

g.sh('grub2-install --target=i386-pc /dev/sdb')

This will add the right parameters to the bootloader. I verified today and that works.
Thanks!
Comment 14 Yolanda Robla 2017-05-23 19:46:25 UTC 
Sorry, another fix needed, to make it work with selinux. Please see updated blogpost http://teknoarticles.blogspot.com.es/2016/12/start-using-whole-disk-images-with.html

In order to work with selinux, it needs a proper relabel. So we need to include those lines:

# do a selinux relabel
g.selinux_relabel('/etc/selinux/targeted/contexts/files/file_contexts', '/', force=True)
g.selinux_relabel('/etc/selinux/targeted/contexts/files/file_contexts', '/var', force=True)

In the same order as the blogpost references
Comment 15 Yolanda Robla 2017-06-07 12:56:54 UTC 
Hi Dan, how is status on the article, with the latest corrections i added?
Comment 16 Dan Macpherson 2017-06-13 03:48:10 UTC 
Hi Yolanda,

I was recently contacted by Mike Lammon on updating the script. I've added the version from the blog post:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/11/html-single/director_installation_and_usage/#automatically_creating_a_whole_disk_image

Does it need any further updates?
Comment 17 Yolanda Robla 2017-06-13 06:03:50 UTC 
Ok, the changes for the selinux relabel look good. However, i find that the sample that was provided for encrypting home, is weird. The script looks incomplete, the good one is at: http://teknoarticles.blogspot.co.id/2016/12/how-to-encrypt-your-home-with-guestfs.html
Comment 18 Dan Macpherson 2017-06-13 06:52:27 UTC 
Hi Yolanda,

I've updated with the latest version of the encrypted script:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/11/html-single/director_installation_and_usage/#encrypting_volumes_on_whole_disk_images

Originally I used a cutdown version to save some space. However, it might be best to use the original script since that's what was QE'd.

What do you think?
Comment 19 Ramon Acedo 2017-06-13 09:47:19 UTC 
Now that BZ#1434350 is verified, the same steps for creating whole-disk overcloud in OSP 10 can be added, as soon as OSP 10.z3 is published.

Yolanda, has the encryption also been verified? BZ#1434350 only verified the whole-disk overcloud image support.
Comment 20 Dan Macpherson 2017-06-15 06:03:13 UTC 
(In reply to Ramon Acedo from comment #19)
> Now that BZ#1434350 is verified, the same steps for creating whole-disk
> overcloud in OSP 10 can be added, as soon as OSP 10.z3 is published.
> 
> Yolanda, has the encryption also been verified? BZ#1434350 only verified the
> whole-disk overcloud image support.

If it hasn't been verified, should I remove the encryption script?
Comment 30 Dan Macpherson 2017-10-05 06:04:05 UTC 
I've backported the Whole Disk Image content to OSP10 (minus the encryption content as per Ramon's comment in comment #29).

It's published here:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html-single/director_installation_and_usage/#appe-Whole_Disk_Images

How does it look?
Comment 33 Yolanda Robla 2017-10-19 08:46:53 UTC 
Ok looks good to me
Comment 34 Dan Macpherson 2017-10-19 13:36:55 UTC 
Thanks, Yolanda!