An introduction to integrating Red Hat OpenStack with Cisco ACI
We conducted a Proof of Concept (PoC) with one of our customers while working on an engagement related to Red Hat OpenStack where the goal was to install Red Hat OpenStack in their environment and combine it with a Cisco ACI network solution already present in their environment. Therefore, the primary goal of this article is to discuss our experiences with:
- CISCO ACI Preparation on the director node in the cloud.
- HEAT Templates for Overcloud Deployment are being created (ACI perspective).
- OpenStack problems and their implemented fixes.
Let’s examine the abovementioned elements in more detail using real instructions and screenshots of the desired results.
CISCO ACI Preparation on the Director Node / Undercloud
The actions that must be taken on the director node to configure Cisco-related services on the Overcloud in order for OpenStack to interact with CISCO ACI are listed below.
Download the openstack-tripleo-cisco packages to the Director from a working Cisco account.
Installing HEAT templates and Cisco ACI packages on the undercloud / director node
[stack@director ~]$ sudo yum install /home/stack/tripleo-ciscoaci-13.0-642.noarch.rpm
Command output:
Run the Cisco Aci Python script to download and install packages and container images for Cisco products.
Command:
[stack@director ~]$ /opt/ciscoaci-tripleo-heat-templates/tools/build_openstack_aci_containers.py
Command output:
Create Cisco ACI Services and Controller and Compute Roles in aci roles.yaml.
Command:
[stack@director ~]$ openstack overcloud roles generate --roles-path /usr/share/openstack-tripleo-heat-templates/roles -o ~/templates/environment-files/roles_data.yaml Controller Compute [stack@director ~]$ cp /home/stack/templates/environment-files/roles_data.yaml /home/stack/templates/environment-files/aci_roles_data.yaml [stack@director ~]$ vim /home/stack/templates/environment-files/aci_roles_data.yaml ~~~ Under controller role added the following lines: ~~~ - OS::TripleO::Services::CiscoAciAIM - OS::TripleO::Services::CiscoAciLldp ~~~ Under the compute role added the following line: ~~~ - OS::TripleO::Services::CiscoAciLldp
Command output :
HEAT Templates for Overcloud Deployment are being created (ACI perspective)
For its Overcloud deployment strategy, the director uses a template format called Heat Orchestration Templates (HOT). Most HOT format templates are expressed as YAML files. A stack, which is a group of resources that Heat produces and the configuration for each resource, is what a template is used for. In OpenStack, resources are objects that can be compute resources, network configuration, security groups, scaling rules, or custom resources.
Run the Templates using the Deploy Command.
source ~/stackrc nohup openstack overcloud deploy --templates /home/stack/templates \ -n /home/stack/templates/environment-files/network_data.yaml \ -r /home/stack/templates/environment-files/aci_roles_data.yaml \ -e /home/stack/templates/environment-files/node-info.yaml \ -e /home/stack/templates/environment-files/overcloud_images.yaml \ -e /home/stack/templates/environment-files/ciscoaci_containers.yaml \ -e /home/stack/templates/environment-files/aci_cs.yaml \ -e /home/stack/templates/environment-files/cinder-dellemc-unity-config.yaml \ -e /home/stack/templates/environment-files/ips-from-pool-all.yaml \ --log-file /home/stack/Overcloud-Logs/osp-deploy-log-`date +%F_%H-%M-%S`.out &
Template for Cisco ACI Container Images
parameter_defaults: DockerHorizonImage: X.X.X.X:pppp/rhosp13/openstack-horizon-ciscoaci:latest DockerCiscoAciAimImage: X.X.X.X:pppp/rhosp13/openstack-ciscoaci-aim:latest DockerOpflexAgentImage: X.X.X.X:pppp/rhosp13/openstack-ciscoaci-opflex:latest DockerNeutronApiImage: X.X.X.X:pppp/rhosp13/openstack-neutron-server-ciscoaci:latest DockerNeutronConfigImage: X.X.X.X:pppp/rhosp13/openstack-neutron-server-ciscoaci:latest DockerHeatEngineImage: X.X.X.X:pppp/rhosp13/openstack-heat-engine-ciscoaci:latest DockerCiscoLldpImage: X.X.X.X:pppp/rhosp13/openstack-ciscoaci-lldp:latest
OpenStack problems and the solution implemented
When I encountered problems, I reported them to TSANet Connect (Technical Support Alliance Network) and enlisted the help of the Cisco global teams. The Cisco technical team participated in a few calls, and their assistance was incredibly beneficial because they had excellent and practical knowledge on both the Red Hat OpenStack and Cisco ACI sides from an integration standpoint.
The precise problems and the chosen solutions are described in the section below:
1 Accessing Openstack machines incorrectly from outside the platform Problem:
Openstack-created machines could not be accessed from outside the platform. There is no feature to establish a network of type “FLAT” in openstack with Cisco ACI Integration.
Solution Implemented:
- Providing OpenStack access to the L3OUT Domain in Cisco ACI for the common tenant.
- OpenStack’s creation of an external floating IP network. /overcloudrc source
(overcloud) [stack@director]$ neutron net-create ext-fip-net --router:external --apic:distinguished_names type=dict ExternalNetwork=uni/tn-common/out-FW-Common-Services-Zone-L3Out/instP-Common-Services-xEPG (overcloud) [stack@director]$ neutron subnet-create ext-fip-net X.X.X.X/25 --name ext-fip-subnet --disable-dhcp --gateway X.X.X.X
- Openstack virtual router creation source /overcloudrc
(overcloud) [stack@director]$ openstack router create Router1
- Changing the router’s external gateway to the external FIP network /overcloudrc source
(overcloud) [stack@director]$ openstack router set --external-gateway ext-net Router1
- Connecting the router to the tenant/private network. /overcloudrc source
(overcloud) [stack@director]$ openstack router add subnet Router1 tenant-subnet1
The network topology shown below was built after using the aforementioned solution.
2 VMs created on the compute node are not being learnt by Cisco ACI.
Issue:- We had just 2 compute nodes for our PoC. The Cisco ACI was not learning machines created on compute node 1. In other words, the machine network running on Openstack compute node 1 wasn’t connected to CISCO ACI. Both the gateway IP and the ability to link between machines were unavailable.
Solution Implemented
- On compute node 1 and compute node 0, openvswitch was configured differently from one another.
- The computing node’s OpenVswitch Bridge (OVS) “br-fabric” is connected to Cisco ACI, and OVS Bridge “br-ex” is connected to the compute host’s Cisco Opflex Agent. The VMs have external connectivity with the Cisco ACI thanks to connectivity between these two OVS Bridge.
- The faulty compute host did not have a patch port (which can be visualised as a virtual wire) between br-fabric and br-ex ( Compute-1).
- The commands listed below were used to create a patch port.
(overcloud) [stack@director ~]$ ssh comp1 -l heat-admin [heat-admin@overcloud-compute-1 ~]$ sudo ovs-vsctl add-port br-ex br-ex_to_br-fa [heat-admin@overcloud-compute-1 ~]$ sudo ovs-vsctl set interface br-ex_to_br-fa type=patch [heat-admin@overcloud-compute-1 ~]$ sudo ovs-vsctl set interface br-ex_to_br-fa options:peer=br-fa_to_br-ex
The Cisco ACI is now familiar with the VMs built in OpenStack after the above solution has been implemented.
Conclusion
This post will be extremely helpful to anyone who is going to integrate Red Hat OpenStack with Cisco ACI network solution or who may do so in the future. You can prepare OpenStack for Cisco ACI, the Heat template, and potential problems with the help of the information provided here. Any recommendations for enhancements would be appreciated.
