OpenStack
Work through every question currently mapped to this canonical topic.
- What components/projects of OpenStack are you familiar with?
Answer
I’m most familiar with several core OpenStack components:
- Nova for compute resource provisioning, including VM lifecycle management.
- Neutron for networking, focusing on creating and managing networks, subnets, and routers.
- Cinder for block storage, used to attach and manage storage volumes.
- Keystone for identity services, handling authentication and authorization.
I’ve implemented these in past projects, configuring them for scalability and security to support multi-tenant environments.
- Can you tell me what each of the following services/projects is responsible for?:
- Nova
- Neutron
- Cinder
- Glance
- Keystone
Answer
- Nova - Manage virtual instances
- Neutron - Manage networking by providing Network as a service (NaaS)
- Cinder - Block Storage
- Glance - Manage images for virtual machines and containers (search, get and register)
- Keystone - Authentication service across the cloud
- Identify the service/project used for each of the following:
- Copy or snapshot instances
- GUI for viewing and modifying resources
- Block Storage
- Manage virtual instances
Answer
- Glance - Image service. Instance snapshots and copies are stored as Glance images
- Horizon - GUI for viewing and modifying resources
- Cinder - Block Storage
- Nova - Manage virtual instances
- What is a tenant/project?
Answer
In OpenStack, a project (formerly known as a tenant) is a fundamental unit of ownership and isolation for resources like virtual machines, storage volumes, and networks. Each project is owned by a specific user or group of users and provides a way to manage and segregate resources within a shared cloud environment. This ensures that one project's resources are not accessible to another unless explicitly shared.
- Determine true or false:
- OpenStack is free to use
- The service responsible for networking is Glance
- The purpose of tenant/project is to share resources between different projects and users of OpenStack
Answer
- OpenStack is free to use - True. OpenStack is open-source software released under the Apache 2.0 license.
- The service responsible for networking is Glance - False. Neutron is the service responsible for networking. Glance is the image service.
- The purpose of tenant/project is to share resources between different projects and users of OpenStack - False. The primary purpose is to isolate resources.
- Describe in detail how you bring up an instance with a floating IP
Answer
To launch an instance with a floating IP, you would follow these steps:
- Create a Network and Subnet: First, ensure you have a private (project) network and a subnet for your instances.
- Create a Router: Create a router, set its gateway to the public (external) network, and add an interface on your private subnet.
- Launch an Instance: Launch a new instance attached to your private network. It receives a private (fixed) IP address from the subnet.
- Allocate a Floating IP: Allocate a new floating IP address from the external network's pool to your project.
- Associate the Floating IP: Associate the floating IP with the instance's port (its private IP). The router then translates the floating IP to the fixed IP (DNAT), so the instance is reachable from outside, provided its security group permits the traffic.
- You get a call from a customer saying: "I can ping my instance but can't connect (ssh) it". What might be the problem?
Answer
If you can ping an instance but cannot SSH into it, the issue is likely related to one of the following:
- Security Group Rules: The security group attached to the instance may not have a rule allowing inbound traffic on TCP port 22 (the default SSH port).
- Firewall on the Instance: A firewall running on the instance itself (like `iptables` or `firewalld`) might be blocking the SSH port.
- SSH Service: The SSH daemon (`sshd`) on the instance might not be running or could be misconfigured.
- Incorrect SSH Key: You might be using the wrong private key to connect to the instance.
The security group case is the most common one: a group that has an ICMP rule but no TCP/22 rule produces exactly this symptom. Check it with `openstack security group rule list <group>` before touching the guest.
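The security group branch of this answer can be checked offline from the rule list alone. The following is an added example, not code from the original page: it takes rules shaped like Neutron's security group rule attributes (direction, ethertype, protocol, port_range_min/max, remote_ip_prefix, remote_group_id; the rules and client addresses below are constructed) and tells the "ping works, SSH does not" case apart from a group that blocks both, or one that permits SSH, in which case the guest itself is the place to look.

```python
"""Check whether a security group explains 'ping works, SSH does not'.

Added example, not from the original page. Rule dicts use Neutron's
security-group-rule attribute names; the rules and client addresses are
constructed for the demonstration.
"""
import ipaddress

# Constructed sample group: ICMP from anywhere, SSH only from 10.0.0.0/24.
SAMPLE_RULES = [
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "icmp",
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "10.0.0.0/24", "remote_group_id": None},
    {"direction": "egress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": None},
]


def rule_permits(rule, proto, port, src):
    """True if one ingress rule admits traffic of proto/port from address src."""
    if rule["direction"] != "ingress":
        return False
    if rule["ethertype"] != ("IPv6" if src.version == 6 else "IPv4"):
        return False
    if rule["protocol"] not in (None, proto):      # None means any protocol
        return False
    if proto in ("tcp", "udp") and rule["port_range_min"] is not None:
        if not rule["port_range_min"] <= port <= rule["port_range_max"]:
            return False
    if rule["remote_group_id"] is not None:
        # Source is the member set of another group; an external client
        # cannot match it. Simplification for this example.
        return False
    prefix = rule["remote_ip_prefix"]
    return prefix is None or src in ipaddress.ip_network(prefix, strict=False)


def matching_rules(rules, proto, port, src_ip):
    src = ipaddress.ip_address(src_ip)
    return [r for r in rules if rule_permits(r, proto, port, src)]


def diagnose(rules, src_ip, ssh_port=22):
    """Classify the complaint from the client's address and the group's rules."""
    icmp = matching_rules(rules, "icmp", None, src_ip)
    ssh = matching_rules(rules, "tcp", ssh_port, src_ip)
    if ssh:
        # The group is not the blocker: look at sshd, the host firewall, the key.
        return "sg_permits_ssh_check_guest"
    if icmp:
        return "sg_allows_icmp_but_blocks_ssh"
    return "sg_blocks_both"


if __name__ == "__main__":
    for client in ("203.0.113.5", "10.0.0.7"):
        print(client, diagnose(SAMPLE_RULES, client))
```

Neutron security groups are stateful, so the egress rule plays no part in whether inbound SSH replies get out; only the ingress rules decide the symptom above.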
- What types of networks OpenStack supports?
Answer
OpenStack Neutron supports several network types:
- Local: A local network is isolated to a single compute node and cannot be shared between multiple nodes.
- Flat: A flat network is a simple, non-VLAN-tagged network that is shared across all compute nodes.
- VLAN: A VLAN network uses 802.1q tagging to create isolated layer-2 broadcast domains.
- VXLAN: VXLAN (Virtual Extensible LAN) is an overlay network technology that encapsulates layer-2 frames in UDP packets, allowing for a large number of isolated networks.
- GRE: GRE (Generic Routing Encapsulation) is another overlay network technology that can be used to create private networks over a public network.
- How do you debug OpenStack storage issues? (tools, logs, ...)
Answer
To debug storage issues in OpenStack (Cinder), you can use the following:
- Logs: Check the Cinder service logs (e.g., `/var/log/cinder/cinder-volume.log`, `/var/log/cinder/cinder-api.log`, `/var/log/cinder/cinder-scheduler.log`) for error messages.
- Cinder CLI: Use the `cinder` command-line tool (or `openstack volume list`, `openstack volume show <volume>`, `openstack volume service list` in the unified client) to check the status of volumes, snapshots, and storage backends.
- Database: Inspect the Cinder database to check for inconsistencies in volume states or metadata (e.g., a volume stuck in `attaching` or `deleting`).
- Backend Storage: Check the logs and status of the underlying storage system (e.g., LVM, Ceph, NFS) to identify issues with the storage itself.
- How do you debug OpenStack compute issues? (tools, logs, ...)
Answer
To debug compute issues in OpenStack (Nova), you can use the following:
- Logs: Check the Nova service logs (e.g., `/var/log/nova/nova-compute.log`, `/var/log/nova/nova-api.log`, `/var/log/nova/nova-scheduler.log`) for error messages. A scheduling failure ("No valid host was found") shows up in the scheduler and conductor logs rather than on the compute node.
- Nova CLI: Use the `nova` command-line tool (or `openstack server show <server>`, `openstack compute service list`, `openstack hypervisor list` in the unified client) to check the status of instances, hosts, and services.
- Instance Console Log: View the console log of a specific instance (`openstack console log show <server>`) to see boot-up messages and other output.
- Hypervisor: Check the logs and status of the underlying hypervisor (e.g., KVM, QEMU) to identify issues with virtualization.
- Have you deployed OpenStack in the past? If yes, can you describe how you did it?
Answer
There are several ways to deploy OpenStack, depending on the scale and complexity of the environment. Some common methods include:
- DevStack: A script-based installer designed for development and testing purposes. It deploys OpenStack from the latest source code.
- Packstack: A utility that uses Puppet modules to deploy OpenStack on CentOS or RHEL. It is suitable for proof-of-concept and small-scale production environments.
- Kolla-Ansible: A set of Ansible playbooks that deploy OpenStack services as Docker containers. This method is highly scalable and recommended for production deployments.
- OpenStack-Ansible: A collection of Ansible playbooks that deploy OpenStack services directly on bare metal or virtual machines.
- Are you familiar with TripleO? How is it different from Devstack or Packstack?
Answer
You can read about TripleO right here
- Can you describe Nova in detail?
Answer
- Used to provision and manage virtual instances
- It supports multi-tenancy at different levels - logging, end-user control, auditing, etc.
- Highly scalable
- Authentication can be done using internal system or LDAP
- Supports multiple types of block storage
- Tries to be hardware and hypervisor agnostic
- What do you know about Nova architecture and components?
Answer
- nova-api - the server which serves metadata and compute APIs
- the different Nova components communicate by using a queue (Rabbitmq usually) and a database
- a request for creating an instance is inspected by nova-scheduler which determines where the instance will be created and running
- nova-compute is the component responsible for communicating with the hypervisor for creating the instance and manage its lifecycle
- Explain Neutron in detail
Answer
- One of the core components of OpenStack and a standalone project
- Neutron focuses on delivering networking as a service
- With Neutron, users can set up networks in the cloud and configure and manage a variety of network services
- Neutron interacts with:
- Keystone - authorize API calls
- Nova - nova communicates with neutron to plug NICs into a network
- Horizon - supports networking entities in the dashboard and also provides topology view which includes networking details
- Explain each of the following components:
- neutron-dhcp-agent
- neutron-l3-agent
- neutron-metering-agent
- neutron-*-agent
- neutron-server
Answer
- neutron-l3-agent - L3/NAT forwarding (provides external network access for VMs for example)
- neutron-dhcp-agent - DHCP services
- neutron-metering-agent - L3 traffic metering
- neutron-*-agent - manages the local vSwitch configuration on each compute node; the concrete agent depends on the chosen plugin (e.g. neutron-openvswitch-agent or neutron-linuxbridge-agent)
- neutron-server - exposes networking API and passes requests to other plugins if required
- Explain these network types:
- Management Network
- Guest Network
- API Network
- External Network
Answer
- Management Network - used for internal communication between OpenStack components. Any IP address in this network is accessible only within the datacenter
- Guest Network - used for communication between instances/VMs
- API Network - used for services API communication. Any IP address in this network is publicly accessible
- External Network - used for public communication. Any IP address in this network is accessible by anyone on the internet
- In which order should you remove the following entities:
- Network
- Port
- Router
- Subnet
Answer
- Port
- Subnet
- Router
- Network
There are reasons for this order. For example, you cannot delete a router while interface ports are still attached to it, and you cannot delete a network while it still has subnets or ports (Neutron rejects the request with a "network in use" conflict).
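The floating IP bring-up earlier on this page and the removal order here are the same dependency graph walked in opposite directions: a resource cannot be created before what it depends on, and cannot be removed until everything that depends on it is gone. The following is an added example, not code from the original page; the entities, names and dependencies are constructed, and the `openstack` client commands it emits for each step are the ones a practitioner would run (the subnet range is a placeholder).

```python
"""Creation and teardown order for Neutron resources.

Added example, not from the original page. Entities, names and
dependencies are constructed; the subnet range is a placeholder.
"""

# name -> (type, names it depends on)
ENTITIES = {
    "net-external": ("network", []),
    "net-private": ("network", []),
    "subnet-private": ("subnet", ["net-private"]),
    "router-main": ("router", ["net-external"]),            # external gateway
    "rif-private": ("router_interface", ["router-main", "subnet-private"]),
    "port-vm1": ("port", ["subnet-private"]),               # the instance's NIC
    "fip-vm1": ("floating_ip", ["net-external", "port-vm1"]),
}

# Tie-breaker: lower rank is removed first and created last.
RANK = {"floating_ip": 0, "port": 1, "router_interface": 2,
        "subnet": 3, "router": 4, "network": 5}


def _kahn(nodes, before, key):
    """Topological sort; before[n] is the set of nodes that must precede n."""
    remaining = {n: set(before[n]) for n in nodes}
    successors = {n: set() for n in nodes}
    for n, pre in before.items():
        for p in pre:
            successors[p].add(n)
    ready = [n for n in nodes if not remaining[n]]
    out = []
    while ready:
        ready.sort(key=key)
        n = ready.pop(0)
        out.append(n)
        for s in successors[n]:
            remaining[s].discard(n)
            if not remaining[s]:
                ready.append(s)
    if len(out) != len(nodes):
        raise ValueError("dependency cycle among %s" % sorted(set(nodes) - set(out)))
    return out


def creation_order(entities=ENTITIES):
    before = {n: set(deps) for n, (_, deps) in entities.items()}
    return _kahn(list(entities), before, key=lambda n: (-RANK[entities[n][0]], n))


def deletion_order(entities=ENTITIES):
    # Reverse every edge: a resource goes only after everything depending on it.
    before = {n: set() for n in entities}
    for n, (_, deps) in entities.items():
        for d in deps:
            before[d].add(n)
    return _kahn(list(entities), before, key=lambda n: (RANK[entities[n][0]], n))


def create_command(name, entities=ENTITIES):
    kind, deps = entities[name]
    if kind == "network":
        return f"openstack network create {name}"
    if kind == "subnet":
        return f"openstack subnet create --network {deps[0]} --subnet-range 192.0.2.0/24 {name}"
    if kind == "router":
        return f"openstack router create {name} && openstack router set --external-gateway {deps[0]} {name}"
    if kind == "router_interface":
        return f"openstack router add subnet {deps[0]} {deps[1]}"
    if kind == "port":
        network = entities[deps[0]][1][0]          # the subnet's network
        return f"openstack port create --network {network} --fixed-ip subnet={deps[0]} {name}"
    return f"openstack floating ip create --port {deps[1]} {deps[0]}"


def delete_command(name, entities=ENTITIES):
    kind, deps = entities[name]
    if kind == "router_interface":
        return f"openstack router remove subnet {deps[0]} {deps[1]}"
    if kind == "router":
        return f"openstack router unset --external-gateway {name} && openstack router delete {name}"
    return f"openstack {kind.replace('_', ' ')} delete {name}"


if __name__ == "__main__":
    for step in creation_order():
        print(create_command(step))
    print("# launch the server with --nic port-id=port-vm1; later tear down:")
    for step in deletion_order():
        print(delete_command(step))
```

With these constructed entities the teardown comes out as floating IP, port, router interface, subnet, router, networks: the order given in the answer, with the router interface removal (which is itself a port) made explicit.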
- What is a provider network?
Answer
A provider network is a network that is created by an OpenStack administrator and maps directly to an existing physical network in the data center. It allows for direct layer-2 connectivity to instances and is typically used for providing external network access or for connecting to specific physical networks.
- What components and services exist for L2 and L3?
Answer
- L2 (Layer 2): The primary L2 component is the `neutron-openvswitch-agent` (or a similar agent for other plugins), which runs on each compute node and manages the local virtual switch (e.g., Open vSwitch). It is responsible for connecting instances to virtual networks and enforcing security group rules.
- L3 (Layer 3): The `neutron-l3-agent` is responsible for providing L3 services like routing and floating IPs. It manages virtual routers that connect private networks to external networks.
- What is the ML2 plug-in? Explain its architecture
Answer
ML2 (Modular Layer 2) is a framework that allows OpenStack to simultaneously utilize a variety of layer-2 networking technologies. It replaces the monolithic plugins for individual network types and provides a more flexible and extensible architecture. ML2 uses a combination of type drivers (for network types like VLAN, VXLAN, etc.) and mechanism drivers (for connecting to different network mechanisms like Open vSwitch, Linux Bridge, etc.).
- What is the L2 agent? How does it work and what is it responsible for?
Answer
The L2 agent is a service that runs on each compute node and is responsible for wiring virtual networks to instances. It communicates with the Neutron server to get the network topology and then configures the local virtual switch (e.g., Open vSwitch) to connect instances to the correct networks. It also enforces security group rules by configuring the virtual switch.
- What is the L3 agent? How does it work and what is it responsible for?
Answer
The L3 agent is responsible for providing layer-3 networking services, such as routing and floating IPs. It runs on network nodes and manages virtual routers that connect private networks to external networks. The L3 agent creates network namespaces for each router to provide isolation and then configures routing rules and NAT to enable traffic to flow between networks.
- Explain what the Metadata agent is responsible for
Answer
The Metadata agent is responsible for providing metadata (e.g., instance ID, hostname, public keys) to instances. It runs on network nodes and acts as a proxy between instances and the Nova metadata service. An instance requests metadata from 169.254.169.254; the request is intercepted in the router (or DHCP) namespace the instance is attached to and forwarded to the Metadata agent, which adds the instance's identity (an `X-Instance-ID` header plus an HMAC signature computed with a secret shared with Nova) and relays it to Nova, then returns the response to the instance. Because the instance is identified from the namespace and port it arrived on, it cannot ask for another instance's metadata.
- What networking entities Neutron supports?
Answer
Neutron supports a variety of networking entities, including:
- Network: An isolated layer-2 broadcast domain.
- Subnet: A block of IP addresses that can be assigned to instances.
- Port: A connection point for attaching a single device, such as an instance, to a virtual network.
- Router: A logical entity that connects multiple layer-2 networks.
- Floating IP: A public IP address that can be associated with an instance to provide external connectivity.
- Security Group: A collection of firewall rules that control inbound and outbound traffic to instances.
- How do you debug OpenStack networking issues? (tools, logs, ...)
Answer
To debug networking issues in OpenStack (Neutron), you can use the following:
- Logs: Check the Neutron service logs (e.g., `/var/log/neutron/neutron-server.log`, `/var/log/neutron/openvswitch-agent.log`, `/var/log/neutron/l3-agent.log`) for error messages.
- Neutron CLI: Use the `neutron` command-line tool (or `openstack network ...`, `openstack port ...`, `openstack router ...` in the unified client; the standalone `neutron` CLI is deprecated) to check the status of networks, subnets, ports, routers, and other networking entities.
- `ip netns`: Use the `ip netns` command to list network namespaces and inspect the configuration within them (e.g., `ip netns exec qrouter-<router-id> ip route`).
- `ovs-vsctl` and `ovs-ofctl`: Use these tools to inspect the configuration and flow tables of Open vSwitch bridges.
- `tcpdump`: Use `tcpdump` to capture and analyze network traffic on various interfaces (tap devices, bridge ports, the namespace interfaces) to identify where packets stop.
- Explain Glance in detail
Answer
- Glance is the OpenStack image service
- It handles requests related to instance disks and images
- Glance is also used for creating snapshots for quick instance backups
- Users can use Glance to create new images or upload existing ones
- Describe Glance architecture
Answer
- glance-api - responsible for handling image API calls such as retrieval and storage. It consists of two APIs: (1) the registry API, used for internal requests, and (2) the user API, which is publicly accessible
- glance-registry - responsible for handling image metadata requests (e.g. size, type, etc). This component is private, which means it's not available publicly. Note that the registry service has been deprecated since the Queens release; with Image API v2, glance-api talks to the database directly
- metadata definition service - API for custom metadata
- database - for storing images metadata
- image repository - for storing images. This can be a filesystem, swift object storage, HTTP, etc.
- Explain Swift in detail
Answer
- Swift is the Object Store service: a highly available, distributed, eventually consistent store designed for storing large amounts of data
- Swift distributes data across multiple servers, writing it to multiple disks
- One can add servers to scale the cluster, while Swift maintains the integrity of the data and its replication
- Can users store by default an object of 100GB in size?
Answer
Not by default. The Object Storage API limits a single object to 5 GiB by default (the `max_file_size` setting), but the limit can be adjusted. Objects larger than that are uploaded as multiple segments plus a manifest (Static or Dynamic Large Objects), which is how a 100 GB object is normally stored.
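The segment-plus-manifest mechanism above is simple enough to work through. The following is an added example, not code from the original page or from Swift itself: it splits a payload into segments no larger than a limit, builds the Static Large Object manifest (each entry carrying the segment's ETag and size, which Swift verifies when the manifest is PUT), and re-runs that verification locally. The container, object names and the 10-byte payload are constructed; the only Swift-specific value is the default `max_file_size` of 5368709122 bytes.

```python
"""Swift large objects: split an upload into segments and build an SLO manifest.

Added example, not from the original page. Swift's default max_file_size is
5368709122 bytes (5 GiB plus two bytes); a larger object is stored as
segments plus a manifest uploaded with ?multipart-manifest=put. The
container, object names and payload used here are constructed.
"""
import hashlib
import json
import math

SWIFT_MAX_FILE_SIZE = 5368709122


def needs_segmenting(size, limit=SWIFT_MAX_FILE_SIZE):
    return size > limit


def segments_needed(size, segment_size=SWIFT_MAX_FILE_SIZE):
    return math.ceil(size / segment_size)


def segment_plan(size, segment_size=SWIFT_MAX_FILE_SIZE):
    """(offset, length) pairs covering size bytes in order."""
    return [(off, min(segment_size, size - off))
            for off in range(0, size, segment_size)]


def build_slo_manifest(container, object_name, data, segment_size):
    """Return (manifest, segments). Manifest entries carry the ETag (MD5) and
    size that Swift checks for each segment when the manifest is PUT."""
    manifest, segments = [], {}
    for index, (off, length) in enumerate(segment_plan(len(data), segment_size)):
        chunk = data[off:off + length]
        name = f"{object_name}/{index:08d}"
        segments[name] = chunk
        manifest.append({"path": f"/{container}/{name}",
                         "etag": hashlib.md5(chunk).hexdigest(),
                         "size_bytes": len(chunk)})
    return manifest, segments


def manifest_body(manifest):
    """Request body for PUT /v1/<account>/<container>/<object>?multipart-manifest=put."""
    return json.dumps(manifest)


def verify_manifest(manifest, segments, container):
    """Re-run the checks Swift applies: every listed segment exists with the
    stated size and ETag. Any mismatch makes Swift reject the manifest."""
    for entry in manifest:
        name = entry["path"].split(f"/{container}/", 1)[1]
        chunk = segments.get(name)
        if chunk is None or len(chunk) != entry["size_bytes"]:
            return False
        if hashlib.md5(chunk).hexdigest() != entry["etag"]:
            return False
    return True


if __name__ == "__main__":
    # A constructed 10-byte payload with 4-byte segments stands in for a large image.
    manifest, segments = build_slo_manifest("backups", "vm-disk.img", b"0123456789", 4)
    print(manifest_body(manifest), verify_manifest(manifest, segments, "backups"))
    print(segments_needed(100 * 10**9))   # 19 segments at the default limit
```

In practice segments are usually written to a separate container (the `swift upload --segment-size` client does this with a `<container>_segments` container), and the segment order comes from the manifest, not from the segment names.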
- Explain the following in regards to Swift:
- Container
- Account
- Object
Answer
- Container - Defines a namespace for objects.
- Account - Defines a namespace for containers
- Object - Data content (e.g. image, document, ...)
- True or False? there can be two objects with the same name in the same container but not in two different containers
Answer
False. Two objects can have the same name if they are in different containers.
- Explain Cinder in detail
Answer
- Cinder is OpenStack Block Storage service
- It provides users with storage resources they can consume with other services such as Nova
- One of the most used storage implementations supported by Cinder is LVM
- From the user's perspective this is transparent, which means the user doesn't know where, behind the scenes, the storage is located or what type of storage is used
- Describe Cinder's components
Answer
- cinder-api - receives API requests
- cinder-volume - manages volumes by talking to the configured storage backend driver (create, delete, attach/detach, snapshot)
- cinder-scheduler - picks the backend/storage host on which a new volume is placed, based on filters and weighers; it does not store volumes itself
- Can you describe the following concepts in regards to Keystone?
- Role
- Tenant/Project
- Service
- Endpoint
- Token
Answer
- Role - A list of rights and privileges determining what a user or a project can perform
- Tenant/Project - Logical representation of a group of resources isolated from other groups of resources. It can be an account, organization, ...
- Service - An OpenStack service registered in Keystone's catalog (e.g. compute, image, network); each service has one or more endpoints through which users reach it
- Endpoint - a network address (URL) which can be used to access a certain OpenStack service
- Token - Used to access resources; its scope (project or domain) determines which resources can be accessed with it
- What are the properties of a service? In other words, how a service is identified?
Answer
Using:
- Name
- ID number
- Type
- Description
- Explain the following:
- PublicURL
- InternalURL
- AdminURL
Answer
- PublicURL - Publicly accessible through public internet
- InternalURL - Used for communication between services
- AdminURL - Used for administrative management
- What is a service catalog?
Answer
A list of services and their endpoints. Keystone returns it as part of a scoped token, so a client can find each service's API URL without it being configured separately.
- Describe each of the following services
- Swift
- Sahara
- Ironic
- Trove
- Aodh
- Ceilometer
Answer
- Swift - highly available, distributed, eventually consistent object/blob store
- Sahara - Manage Hadoop Clusters
- Ironic - Bare Metal Provisioning
- Trove - Database as a service that runs on OpenStack
- Aodh - Alarms Service
- Ceilometer - Track and monitor usage
- Identify the service/project used for each of the following:
- Database as a service which runs on OpenStack
- Bare Metal Provisioning
- Track and monitor usage
- Alarms Service
- Manage Hadoop Clusters
- highly available, distributed, eventually consistent object/blob store
Answer
- Database as a service which runs on OpenStack - Trove
- Bare Metal Provisioning - Ironic
- Track and monitor usage - Ceilometer
- Alarms Service - Aodh
- Manage Hadoop Clusters - Sahara
- highly available, distributed, eventually consistent object/blob store - Swift
- Can you describe Keystone service in detail?
Answer
- You can't have OpenStack deployed without Keystone
- It Provides identity, policy and token services
- The authentication provided is for both users and services
- The authorization supported is token-based and user-based.
- There is a policy based on RBAC. Historically it was stored in a JSON file (`policy.json`), where each line defines the level of access to apply to an API action; newer releases ship the defaults in code and read overrides from a `policy.yaml` file
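The RBAC policy mentioned above is written in the oslo.policy rule language, where each API action maps to an expression over the caller's roles and attributes. The following is an added example, not code from the original page and not oslo.policy itself: a small evaluator for the common forms of that language (`role:X`, `key:value`, `key:%(target_attr)s`, `rule:name`, `@`, `!`, `and`, `or`, `not`, parentheses). The policy, credential and target dicts are constructed for the demonstration.

```python
"""Evaluate oslo.policy-style RBAC rules as found in policy.json / policy.yaml.

Added example, not from the original page and not oslo.policy itself: a
simplified evaluator for the rule language's common forms. The policy
below and the credential/target dicts are constructed.
"""
import ast
import re

# Constructed policy in the rule syntax used by OpenStack policy files.
POLICY = {
    "admin_required": "role:admin or is_admin:True",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:get_user": "rule:admin_or_owner",
    "identity:list_users": "rule:admin_required or (role:reader and not role:service)",
    "identity:delete_user": "rule:admin_required",
    "identity:create_region": "!",
}

# Tokens: parentheses, or runs of non-space characters; "%(attr)s" kept whole.
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")


class Policy:
    def __init__(self, rules):
        self.rules = rules

    def enforce(self, action, target, creds):
        """True if creds (the token's roles/ids) may perform action on target."""
        return self._eval(self.rules[action], target, creds)

    def _eval(self, text, target, creds):
        tokens = _TOKEN.findall(text)
        pos = 0

        def peek():
            return tokens[pos] if pos < len(tokens) else None

        def take():
            nonlocal pos
            pos += 1
            return tokens[pos - 1]

        def or_expr():                 # lowest precedence
            value = and_expr()
            while peek() == "or":
                take()
                value = and_expr() or value   # always evaluate to consume tokens
            return value

        def and_expr():
            value = not_expr()
            while peek() == "and":
                take()
                value = not_expr() and value
            return value

        def not_expr():
            tok = take()
            if tok == "not":
                return not not_expr()
            if tok == "(":
                value = or_expr()
                if take() != ")":
                    raise ValueError(f"unbalanced parentheses in rule: {text!r}")
                return value
            return self._atom(tok, target, creds)

        result = or_expr()
        if pos != len(tokens):
            raise ValueError(f"trailing tokens in rule: {text!r}")
        return result

    def _atom(self, tok, target, creds):
        if tok == "@":                 # always allowed
            return True
        if tok == "!":                 # never allowed
            return False
        key, _, value = tok.partition(":")
        if key == "rule":
            return self._eval(self.rules[value], target, creds)
        if key == "role":
            return value.lower() in {r.lower() for r in creds.get("roles", [])}
        ref = re.fullmatch(r"%\((\w+)\)s", value)
        if ref:                        # credential attribute vs. target attribute
            attr = ref.group(1)
            return key in creds and attr in target and creds[key] == target[attr]
        try:
            literal = ast.literal_eval(value)
        except (ValueError, SyntaxError):
            literal = value
        return key in creds and creds[key] == literal


if __name__ == "__main__":
    policy = Policy(POLICY)
    bob = {"roles": ["member"], "user_id": "u-bob", "project_id": "p-demo"}
    print(policy.enforce("identity:get_user", {"user_id": "u-bob"}, bob))
    print(policy.enforce("identity:delete_user", {"user_id": "u-bob"}, bob))
```

The `%(user_id)s` form is what makes "owner" rules work: the value is taken from the target of the request (here the user being read), not from the caller, so a member can read their own record and nobody else's.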
- Describe Keystone architecture
Answer
- There is a service API and an admin API through which Keystone gets requests (two separate APIs on different ports in Identity API v2; v3 serves everything through a single API and distinguishes endpoints by interface instead)
- Keystone has four backends:
- Token Backend - Temporary Tokens for users and services
- Policy Backend - Rules management and authorization
- Identity Backend - users and groups (either standalone DB, LDAP, ...)
- Catalog Backend - Endpoints
- It has pluggable environment where you can integrate with:
- LDAP
- KVS (Key Value Store)
- SQL
- PAM
- Memcached
- Describe the Keystone authentication process
Answer
- Keystone gets a call/request and checks whether it comes from a valid user, using the username, password and auth URL supplied
- Once confirmed, Keystone issues a token
- A scoped token carries the project (or domain) it was issued for, the user's roles there and the service catalog, so there is no need to send credentials on every call; the token is submitted instead, in the `X-Auth-Token` header
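The authentication exchange above, together with the endpoint interfaces and service catalog described earlier on this page, can be shown end to end. The following is an added example, not code from the original page: `password_auth_body` builds the request body Keystone accepts on `POST /v3/auth/tokens`, and `SAMPLE_TOKEN` is a constructed, trimmed copy of the response body (the token string itself comes back in the `X-Subject-Token` header). The last function is a review aid for the PublicURL/InternalURL/AdminURL distinction: it flags internal or admin endpoints that sit on a literal non-RFC 1918 address. Host names, addresses and IDs are placeholders, and the RFC 1918 assumption is about the deployment, not something Keystone enforces.

```python
"""Keystone v3 password authentication and service-catalog use.

Added example, not from the original page. SAMPLE_TOKEN is a constructed
copy of a /v3/auth/tokens response body; hosts, addresses and IDs are
placeholders. The RFC 1918 check assumes the deployment keeps its
management network in private address space.
"""
from datetime import datetime, timezone
import ipaddress
from urllib.parse import urlparse


def password_auth_body(user, password, project, user_domain="Default",
                       project_domain="Default"):
    """Project-scoped password auth: the scope decides which roles and catalog come back."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user, "password": password,
                                           "domain": {"name": user_domain}}}},
        "scope": {"project": {"name": project,
                              "domain": {"name": project_domain}}}}}


SAMPLE_TOKEN = {"token": {
    "expires_at": "2030-01-01T00:00:00.000000Z",
    "project": {"id": "a1b2c3", "name": "demo"},
    "roles": [{"name": "member"}],
    "catalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://cloud.example.test:5000/v3"},
            {"interface": "internal", "region": "RegionOne",
             "url": "http://10.0.0.10:5000/v3"},
            {"interface": "admin", "region": "RegionOne",
             "url": "http://203.0.113.10:5000/v3"}]},    # outside RFC 1918 space
        {"type": "compute", "name": "nova", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://cloud.example.test:8774/v2.1"},
            {"interface": "internal", "region": "RegionOne",
             "url": "http://10.0.0.11:8774/v2.1"}]},
        {"type": "network", "name": "neutron", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://cloud.example.test:9696"}]},
    ]}}


def endpoint_url(token_body, service_type, interface="public", region=None):
    """Pick a service URL from the catalog the way a client does after authenticating."""
    for service in token_body["token"]["catalog"]:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and region in (None, ep["region"]):
                return ep["url"]
    raise LookupError(f"no {interface} endpoint for service type {service_type!r}")


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def token_expired(token_body, now=None):
    """now may be omitted (current time) or given as an ISO 8601 string."""
    now = datetime.now(timezone.utc) if now is None else (
        _parse_ts(now) if isinstance(now, str) else now)
    return now >= _parse_ts(token_body["token"]["expires_at"])


def auth_headers(token):
    """Later API calls carry the opaque token instead of the credentials."""
    return {"X-Auth-Token": token}


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def exposed_private_endpoints(token_body):
    """Internal/admin endpoints whose host is a literal IP outside RFC 1918 space.
    Host names are not resolved, so this is a heuristic review aid only."""
    findings = []
    for service in token_body["token"]["catalog"]:
        for ep in service["endpoints"]:
            if ep["interface"] == "public":
                continue
            try:
                addr = ipaddress.ip_address(urlparse(ep["url"]).hostname)
            except ValueError:
                continue                      # a host name, not an address
            if not any(addr in net for net in RFC1918):
                findings.append((service["type"], ep["interface"], ep["url"]))
    return findings


if __name__ == "__main__":
    print(password_auth_body("alice", "example-password", "demo"))
    print(endpoint_url(SAMPLE_TOKEN, "compute"))
    print(exposed_private_endpoints(SAMPLE_TOKEN))
```

A client that asks for the `internal` interface gets the management-network URL and the `admin` interface should never need to be reachable from outside; the last function is the check to run against a real catalog (`openstack catalog list`) when reviewing a deployment.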
- What each of the following does?:
- nova-api
- nova-compute
- nova-conductor
- nova-cert
- nova-consoleauth
- nova-scheduler
Answer
- nova-api - responsible for managing requests/calls
- nova-compute - responsible for managing instance lifecycle
- nova-conductor - Mediates between nova-compute and the database so nova-compute doesn't access it directly
- nova-cert - managed X509 certificates for secure communication (removed from Nova in later releases)
- nova-consoleauth - authorized tokens for users to access instance consoles (deprecated in later releases; console tokens are now stored in the database and validated by the console proxies)
- nova-scheduler - Determines which compute host an instance should be launched on based on a set of filters and weights.
- What types of Nova proxies are you familiar with?
Answer
- Nova-novncproxy - Access through VNC connections
- Nova-spicehtml5proxy - Access through SPICE
- Nova-xvpvncproxy - Access through a VNC connection for the XVP (Java) client (removed from Nova in later releases)
- Explain BGP dynamic routing
Answer
BGP (Border Gateway Protocol) is a standardized exterior gateway protocol used to exchange routing and reachability information among autonomous systems on the internet. In OpenStack, BGP can be used to dynamically advertise floating IP addresses and project networks to physical routers, eliminating the need for static routes and enabling more scalable and resilient network architectures.
- What is the role of network namespaces in OpenStack?
Answer
Network namespaces are a Linux kernel feature that provides isolated network stacks for different processes. In OpenStack, network namespaces are used to isolate the network resources of different virtual routers and other networking services. This ensures that each router has its own set of interfaces, routing tables, and firewall rules, preventing conflicts and providing a secure multi-tenant environment.
- Can you describe Horizon in detail?
Answer
- Django-based project focusing on providing an OpenStack dashboard and the ability to create additional customized dashboards
- You can use it to access the different OpenStack services resources - instances, images, networks, ...
- By accessing the dashboard, users can use it to list, create, remove and modify the different resources
- It's also highly customizable and you can modify or add to it based on your needs
- What can you tell about Horizon architecture?
Answer
- API is backward compatible
- There are three types of dashboards: user, system and settings
- It provides core support for all OpenStack core projects such as Neutron, Nova, etc. (out of the box, no need to install extra packages or plugins)
- Anyone can extend the dashboards and add new components
- Horizon provides templates and core classes from which one can build their own dashboard