Deploying the on-premises region

Use either the command-line interface or IBM® Cloud Manager - Deployer to deploy an on-premises region.

About this task

To deploy your on-premises cloud by using the command-line interface, complete the following steps.

Note: If you want to deploy your on-premises cloud by using the IBM Cloud Manager - Deployer, skip the following steps. For instructions, see Deploying the cloud environment using the IBM Cloud Manager - Deployer user interface. The instructions in the user interface guide you through the deployment process.

Procedure

  1. Log in to the deployment system as the root user. This is the system where IBM Cloud Manager with OpenStack was installed.
  2. Navigate to the directory that you created to store the files for the topology that you deploy.
    This directory contains your your-hybrid-passwords-file.json file.
  3. Copy the example-icos-hybrid-controller-n-compute-kvm-cloud.yml cloud file as the base structure for your cloud deployment and rename it for your cloud environment.
    Note: This step assumes the default IBM Cloud Manager with OpenStack installation path on the deployment server (/opt/ibm/cmwo).
    $ cp /opt/ibm/cmwo/cli/config/example-icos-hybrid-controller-n-compute-kvm-cloud.yml your-icos-hybrid-cloud.yml
  4. Change the required YAML attributes in your cloud file, your-icos-hybrid-cloud.yml.
    Note: The name of your on-premises cloud (OpenStack region name) must be RegionTwo.
    • Cloud Information (cloud): Customize the cloud information.
      • password_file: YOUR_PASSWORD_FILE: Specify the your-hybrid-passwords-file.json file name.
    • Hybrid Cloud Information:
      • off_prem_certificate_chain_file: YOUR_OFF_PREM_CERTIFICATE_CHAIN_FILE_LOCAL_LOCATION: The SSL certificate chain file for the IBM Cloud OpenStack Services region. Enter the local location on the Chef server of the IBM Cloud OpenStack Services SSL certificate chain file as a fully qualified path and file name. This value is required unless both the on-premises region and the IBM Cloud OpenStack Services system have trusted, commercially signed SSL certificates.
    • Node Information (nodes): Customize the information for each node system in your cloud. You can copy the kvm_compute node section to include more KVM compute nodes in your cloud.
      • fqdn: Set to the fully qualified domain name of the node system. The deployment system must be able to SSH to the node by using the fully qualified domain name. You can also set it to the public IP address, private IP address, or host name.
      If you are deploying to PowerKVM hypervisors, do the following:
      1. Change the line kvm_compute_node_names: kvm_compute to powerkvm_compute_node_names: powerkvm_compute.
      2. In the Nodes section, change the line - name: kvm_compute to - name: powerkvm_compute.
  5. Deploy your cloud.
    $ knife os manage deploy cloud your-icos-hybrid-cloud.yml
    Note: This command generates a topology file and other related files for your deployment and stores them in the same directory as your cloud file, your-icos-hybrid-cloud.yml. The cloud file is no longer needed after the deployment completes and can be removed. The generated files are only used if you must update your cloud.
    $ rm your-icos-hybrid-cloud.yml

Results

After the deployment is complete, the IBM Cloud Manager with OpenStack services are ready to use. The IBM Cloud Manager - Dashboard is available at https://node.fqdn.com/, where node.fqdn.com is the fully qualified domain name of the node. You can log in using the admin-on-prem user with the password that you customized.
When you log in to the IBM Cloud Manager - Dashboard using your admin-on-prem user, Horizon considers that user to be an administrator and displays the Admin tab in the left navigation pane when you are in RegionTwo (the on-premises region). When you select RegionOne (the IBM Cloud OpenStack Services region), you no longer have access to administrator functions and the Admin tab goes away. This can cause a couple of problems:
  1. If you are on the Admin tab in RegionTwo and then select RegionOne, you are logged out with an error message that you do not have permission to /admin. To recover, select the home page link and you are directed to the main Projects page for RegionOne.
  2. Since Horizon still considers you to be an administrator when you are in RegionOne, if you select the Identity tab from the navigation pane, Horizon uses the Identity Service's adminURL endpoint rather than the public endpoint. For RegionOne, IBM Cloud OpenStack Services uses an internal 172.xx.xx.xx address for the adminURL that your environment will not have access to. To work around this problem, you can create a DNAT rule on your gateway or your on-premises OpenStack controller to map the 172.xx.xx.xx address to 192.168.101.10. To find the adminURL on your on-premises OpenStack controller, run the following commands:
    $ . ./openrc
    $ OS_AUTH_URL=https://192.168.101.10:5000/v3 openstack --os-identity-api-version 3 endpoint list
    The output gives you a list of the service endpoints and you can find the RegionOne identity service adminURL endpoint. It starts with 172.

    Use that address to create the DNAT rule.
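
One way to turn the endpoint list into a narrowly scoped DNAT rule, as an added example that is not part of the IBM documentation. It assumes the table layout of the Identity v3 endpoint list, iptables as the NAT tool, and an unchanged destination port; the function names and the sample table are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM's code. SAMPLE_ENDPOINTS is constructed: the IDs, the
# 172.16.0.5 address, the host name and the ports are placeholders.
SAMPLE_ENDPOINTS='
+------+-----------+--------------+--------------+---------+-----------+
| ID   | Region    | Service Name | Service Type | Enabled | Interface | URL |
+------+-----------+--------------+--------------+---------+-----------+
| aaa1 | RegionOne | keystone | identity | True | public | https://192.168.101.10:5000/v3 |
| ccc1 | RegionOne | nova     | compute  | True | admin  | https://172.16.0.5:8774/v2 |
| bbb1 | RegionTwo | keystone | identity | True | admin  | https://controller.example.com:35357/v3 |
| aaa2 | RegionOne | keystone | identity | True | admin  | https://172.16.0.5:35357/v3 |
'

# Read the endpoint table on stdin and print host:port of the RegionOne
# identity admin endpoint only (other regions, services and interfaces are skipped).
region_one_admin_hostport() {
    awk -F'|' '
        { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        $3 == "RegionOne" && $5 == "identity" && $7 == "admin" {
            url = $8
            sub(/^[a-z]+:\/\//, "", url)   # drop the scheme
            sub(/\/.*$/, "", url)          # drop the path
            print url
            exit
        }'
}

# Print (do not apply) the rule. $1 is the chain: OUTPUT on the controller itself,
# where Horizon traffic is locally generated, or PREROUTING on a gateway.
# The match is limited to one /32 destination and one TCP port (assumption: the
# port stays the same on the 192.168.101.10 side).
dnat_rule() {
    chain=$1 hostport=$2 target=$3
    ip=${hostport%%:*}
    port=${hostport##*:}
    case $ip in
        172.*) ;;
        *) echo "refusing: '$ip' does not start with 172." >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "refusing: no numeric port in '$hostport'" >&2; return 1 ;;
    esac
    echo "iptables -t nat -A $chain -d $ip/32 -p tcp --dport $port -j DNAT --to-destination $target"
}

hostport=$(printf '%s\n' "$SAMPLE_ENDPOINTS" | region_one_admin_hostport)
dnat_rule OUTPUT "$hostport" 192.168.101.10
```

On a live system, pipe the real endpoint list output into region_one_admin_hostport instead of the sample table, and review the printed rule before running it as root.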

After you deploy the on-premises region, you need to configure the region for functions such as networking and security. For information about post-deployment tasks, see Managing IBM Cloud Manager with OpenStack as an Administrator.

If you want to deploy the same image in both regions, you must create the image in both regions by using the glance command-line interface or the dashboard. For more information, see Copying OpenStack Glance images.