The following config includes:
One bastion host for installation
DNS and other resources for OCP4
SSH access setup
This file ./default_vars.yml contains all the variables you need to define to control the deployment of your environment. These are the defaults.
Override the defaults for your environment by creating your own myenvironment-variables.yml file, as below.
You will need to define the ocp4_pull_secret variable in order to deploy this config.
Add this variable to your secret file.
It should look like:
ocp4_pull_secret: '{"auths":{"":{"auth":"...","email":"..."},"":{"auth":"...","email":"..."},"":{"auth":"...","email":"..."},"":{"auth":"...","email":"..."}}}'
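A pre-flight check for the ocp4_pull_secret value before it goes into the secret file, added here as an example and not part of the agnosticd code. It assumes the usual registry-credential layout, where each auth value is base64 of user:password; the function name check_pull_secret and the sample registry name are made up.

```python
import base64
import binascii
import json


def check_pull_secret(raw):
    """Return a list of problems in an ocp4_pull_secret value (empty list = OK)."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:  # message carries a position, not the secret text
        return ["not valid JSON: %s" % exc]
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        return ['top-level "auths" object is missing or empty']
    problems = []
    for registry, entry in auths.items():
        label = registry or "<empty registry name>"
        if not registry:
            problems.append("registry key is empty")
        token = entry.get("auth") if isinstance(entry, dict) else None
        if not isinstance(token, str) or not token:
            problems.append("%s: no auth value" % label)
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            problems.append("%s: auth is not valid base64 text" % label)
            continue
        user, sep, password = decoded.partition(":")
        if not (user and sep and password):
            problems.append("%s: auth does not decode to user:password" % label)
    return problems


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample values: registry name and credentials are made up.
GOOD = json.dumps({"auths": {"registry.example.com": {"auth": _b64("user:token")}}})
BAD = json.dumps({"auths": {"": {"auth": "..."},
                            "registry.example.com": {"auth": _b64("no-colon")}}})

if __name__ == "__main__":
    for name, value in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_pull_secret(value) or "ok")
```

The messages name the registry and the kind of problem only, so the output can be pasted into a ticket or CI log without exposing the credential itself.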
You can create yaml files of your desired configs and secrets and execute them:
ansible-playbook ansible/main.yaml -e @myenvironment-variables.yml -[email protected]
Run the destroy_env.yml
Ex: ansible-playbook ansible/configs/ocp4-disconnected-osp-lab/destroy_env.yml -e @myenvironment-variables.yml -[email protected]
TODO: Tie this into the cloud_providers/osp_destroy_env.yml
The teardown process is roughly as follows:
Delete compute & storage resources
openstack purge
openstack --os-cloud sten2 project purge --keep-project --project sten2-project
Delete network resources
neutron purge
neutron --os-cloud sten2 purge bb4e371f4bf443feb6e4435c8f5df6ae
Delete the Heat stack
If you don’t delete the HOT as the user that created it, the keypair will not be deleted
Delete Keypair if necessary
TODO: add this functionality
Cleanup DNS entries for bastion & OpenShift
Delete project
Software stages in config provide:
Pull copy of the installer to bastion
Pull copy of the oc binary to bastion
Clone ansible for generating the IaaS to bastion
Go through the IPI created assets and create those?
Talk to engineering and see what they are creating?
Install any load balancer to utility VM?
Install registry to utility VM?
Explain UPI
Explain OpenStack environment and requirements
Prep work
Create IaaS components
OpenShift install
OLM install workaround?
With either setup, you also need to have a clouds.yaml file on your system with credentials.
You can store this either in your working directory or in ~/.config/openstack/clouds.yaml
To prepare an admin host to deploy this config, run the following. This has been tested on RHEL 7.7.
sudo subscription-manager register
sudo subscription-manager attach --pool=<yourpool>
sudo subscription-manager repos --disable='*' --enable rhel-7-server-optional-rpms \
--enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms
sudo yum update -y
sudo yum install python-virtualenv git gcc
git clone
cd agnosticd
git checkout disco-ocp4
virtualenv ~/venv-openstack
source ~/venv-openstack/bin/activate
pip install -r ./ansible/configs/ocp4-disconnected-ha-lab/files/admin_host_requirements.txt
# Install python3:
brew install python
# Make sure your path has this in it:
# Make sure virtualenv and virtualenvwrapper are installed system wide
pip install virtualenv
pip install virtualenvwrapper
# Add this to your .bashrc
export WORKON_HOME=~/.virtualenvs
[ -f /usr/local/bin/ ] && source /usr/local/bin/
# To start a new python virtual env
mkvirtualenv venv-openstack
# Activate virtual env
workon venv-openstack
# Clone repo and install python libraries
git clone
cd agnosticd
git checkout disco-ocp4
pip install -r ./ansible/configs/ocp4-disconnected-ha-lab/files/macos_requirements.txt
User access:
is defined either in sample_vars or from deployer script. This is the account that people will use and will generally match their opentlc ID. lab-user is the default defined in the role
Student name is set up by the bastion-student-user role
It generates a password if not defined in student_password
It creates a user on the bastions
*We should have it create on all nodes (i.e. utilityVM also)
It adds student_key to the student_user account on bastion
*We should have it create on all nodes
Where do we get student_key from?
It adds env_authorized_key to the student_user account on bastion
What is this key actually used for? It gets generated in set_env_authorized_key role
If this key is dynamically generated per run, can we send it in email?
What about the guid-infra-key we create in heat template - can we use that instead of this?
*We should have it create on all nodes
It enables password auth and passwordless sudo
Nate added tasks to copy priv key, pub key, ssh conf from root > student .ssh directory
There is probably a better way
student_name account has the {{guid}} added to its authorized keys
cloud-user has ^ + sucked in ones + one generated by nova
We connect as ansible_user, which is cloud-user for OSP
We install Python OpenStack modules using pip3
We need to make this available for all users, or at least student_name
Add /usr/local/bin to system wide PATH
To load test, use cloudforms-oob:
./ -t 5 -y \
-c 'OPENTLC OpenShift 4 Labs' \
-d "environment=DEV,region=dev_na_osp,check=t,expiration=7,runtime=8" \
-i 'OpenShift 4 Install VM - OpenStack'