6.4. Common Block Storage Configuration

6.4.1. Install the Block Storage Service Packages

The OpenStack Block Storage service requires the following packages:
  • openstack-cinder: Provides the Block Storage services and associated configuration files.
  • openstack-utils: Provides supporting utilities to assist with a number of tasks including the editing of configuration files.
  • openstack-selinux: Provides OpenStack specific SELinux policy modules.
To install all of the above packages, execute the following command while logged in as the root user:
# yum install -y openstack-cinder openstack-utils openstack-selinux
The Block Storage services are now installed and ready to be configured.

6.4.2. Configure Block Storage Service Authentication

The Block Storage service must be explicitly configured to use the Identity service for authentication. Follow the steps listed in this procedure to configure this.
All steps listed in this procedure must be performed on each system hosting Block Storage services while logged in as the root user.

Procedure 6.3. Configuring the Block Storage Service to authenticate through the Identity Service

  1. Set the authentication strategy (auth_strategy) configuration key to keystone using the openstack-config command.
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT auth_strategy keystone
  2. Set the authentication host (auth_host) configuration key to the IP address or host name of the Identity server.
    # openstack-config --set /etc/cinder/cinder.conf \
       keystone_authtoken auth_host IP
    Replace IP with the IP address or host name of the Identity server.
  3. Set the administration tenant name (admin_tenant_name) configuration key to the name of the tenant that was created for the use of the Block Storage service. In this guide, examples use services.
    # openstack-config --set /etc/cinder/cinder.conf \
       keystone_authtoken admin_tenant_name services
  4. Set the administration user name (admin_user) configuration key to the name of the user that was created for the use of the Block Storage service. In this guide, examples use cinder.
    # openstack-config --set /etc/cinder/cinder.conf \
       keystone_authtoken admin_user cinder
  5. Set the administration password (admin_password) configuration key to the password that is associated with the user specified in the previous step.
    # openstack-config --set /etc/cinder/cinder.conf \
       keystone_authtoken admin_password PASSWORD
The authentication keys used by the Block Storage services have been set and will be used when the services are started.

6.4.3. Configure the Block Storage Service to Use SSL

Use the following options in the cinder.conf file to configure SSL.

Table 6.2. SSL options for Block Storage

Configuration Option    Description
backlog                 Number of backlog requests to configure the socket with.
tcp_keepidle            Sets the value of TCP_KEEPIDLE in seconds for each server socket.
ssl_ca_file             CA certificate file to use to verify connecting clients.
ssl_cert_file           Certificate file to use when starting the server securely.
ssl_key_file            Private key file to use when starting the server securely.

6.4.4. Configure RabbitMQ Message Broker Settings for the Block Storage Service

As of Red Hat Enterprise Linux OpenStack Platform 5, RabbitMQ replaces QPid as the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package.
This section assumes that you have already configured a RabbitMQ message broker. For more information, refer to:

Procedure 6.4. Configuring the Block Storage service to use the RabbitMQ message broker

  1. Log in as root to the system hosting the Block Storage services.
  2. In /etc/cinder/cinder.conf, set RabbitMQ as the RPC back end.
    # openstack-config --set /etc/cinder/cinder.conf \
     DEFAULT rpc_backend cinder.openstack.common.rpc.impl_kombu
  3. Set the Block Storage service to connect to the RabbitMQ host:
    # openstack-config --set /etc/cinder/cinder.conf \
     DEFAULT rabbit_host RABBITMQ_HOST
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  4. Set the message broker port to 5672:
    # openstack-config --set /etc/cinder/cinder.conf \
     DEFAULT rabbit_port 5672
  5. Set the RabbitMQ username and password created for the Block Storage service:
    # openstack-config --set /etc/cinder/cinder.conf \
     DEFAULT rabbit_userid cinder
    # openstack-config --set /etc/cinder/cinder.conf \
     DEFAULT rabbit_password CINDER_PASS
    Where cinder and CINDER_PASS are the RabbitMQ username and password created for Block Storage (in Section 2.4.2, “Install and Configure the RabbitMQ Message Broker”).

6.4.5. Configure the Block Storage Service Database Connection

The database connection string used by the Block Storage services (the value of the sql_connection configuration key) is defined in the /etc/cinder/cinder.conf file. The string must be updated to point to a valid database server before starting the service.
The following command must be executed as the root user on each system hosting Block Storage services:
# openstack-config --set /etc/cinder/cinder.conf \
   DEFAULT sql_connection mysql://USER:PASS@IP/DB
Replace:
  • USER with the database user name the Block Storage services are to use, usually cinder.
  • PASS with the password of the chosen database user.
  • IP with the IP address or host name of the database server.
  • DB with the name of the database that has been created for use by the Block Storage services, usually cinder.

Important

The IP address or host name specified in the connection configuration key must match the IP address or host name to which the cinder database user was granted access when creating the cinder database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the cinder database, you must enter 'localhost'.
The database connection string has been set and will be used by the Block Storage services.
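
The procedures in Sections 6.4.2, 6.4.4 and 6.4.5 write three passwords into /etc/cinder/cinder.conf. The following check is an added example, not part of the original guide: it reports any key still set to the placeholder text used in those procedures, and a configuration file that other users can read. The function name audit_cinder_conf and the sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# audit_cinder_conf FILE
#   Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_cinder_conf() {
    conf=$1
    status=0
    # 1. Hosts or secrets still set to the placeholder text printed in the
    #    procedures (IP, PASSWORD, RABBITMQ_HOST, CINDER_PASS, USER:PASS@IP/DB).
    awk '
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/   { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*/, "", sect); next }
        index($0, "=") {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            id = sect "/" key
            if ((id == "keystone_authtoken/auth_host" && val == "IP") ||
                (id == "keystone_authtoken/admin_password" && val == "PASSWORD") ||
                (id == "DEFAULT/rabbit_host" && val == "RABBITMQ_HOST") ||
                (id == "DEFAULT/rabbit_password" && val == "CINDER_PASS") ||
                (id == "DEFAULT/sql_connection" && val ~ /USER:PASS@|@IP\/|\/DB$/)) {
                print "placeholder value left in " id
                bad = 1
            }
        }
        END { exit bad + 0 }' "$conf" || status=1
    # 2. The file holds three passwords, so other users must not read it.
    other=$(ls -ld "$conf" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "$conf: accessible to other users (other bits: $other)"
        status=1
    fi
    return "$status"
}

# Constructed sample: two placeholders left in place, file world-readable.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[DEFAULT]
rabbit_password = CINDER_PASS
sql_connection = mysql://cinder:constructed-secret@192.0.2.10/cinder
[keystone_authtoken]
admin_password = PASSWORD
EOF
chmod 644 "$sample"
audit_cinder_conf "$sample" || echo "resolve the findings before starting the services"
rm -f "$sample"
```

On a real host, run the function as root against /etc/cinder/cinder.conf once Section 6.4.5 is complete.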

6.4.6. Configure the Firewall to Allow Block Storage Service Traffic

Systems attempting to use the functionality provided by the Block Storage services access it over the network using ports 3260 and 8776.
To allow this, the firewall on the system hosting the Block Storage service must be altered to allow network traffic on these ports. All steps in this procedure must be run on each system hosting Block Storage services while logged in as the root user.

Procedure 6.5. Configuring the firewall to allow Block Storage Service traffic (for Red Hat Enterprise Linux 6-based systems)

  1. Open the /etc/sysconfig/iptables file in a text editor.
  2. Add an INPUT rule allowing TCP traffic on ports 3260 and 8776 to the file. The new rule must appear before any INPUT rules that REJECT traffic.
    -A INPUT -p tcp -m multiport --dports 3260,8776 -j ACCEPT
  3. Save the changes to the /etc/sysconfig/iptables file.
  4. Restart the iptables service to ensure that the change takes effect.
    # service iptables restart
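
Step 2 of Procedure 6.5 requires the new rule to appear before any INPUT rule that rejects traffic. The following check is an added example, not part of the original guide, that verifies this ordering in a rules file; it goes slightly beyond the guide's single multiport rule by also accepting the two ports opened in separate rules. The function name check_cinder_iptables and the sample rules are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# check_cinder_iptables [FILE]
#   Reads rules in /etc/sysconfig/iptables format (file argument or stdin)
#   and verifies that TCP ports 3260 and 8776 are each accepted by an INPUT
#   rule placed before the first INPUT rule with a REJECT target.
#   Returns 0 if so. Port ranges (a:b) are not interpreted.
check_cinder_iptables() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            n++                                   # position in the INPUT chain
            if (!reject && /-j REJECT/) reject = n
            if (/-p tcp/ && /-j ACCEPT/)
                for (i = 3; i < NF; i++)
                    if ($i == "--dport" || $i == "--dports") {
                        k = split($(i + 1), p, ",")
                        for (j = 1; j <= k; j++)
                            if (!(p[j] in pos)) pos[p[j]] = n
                    }
        }
        END {
            split("3260 8776", want, " ")
            for (w = 1; w <= 2; w++) {
                port = want[w]
                if (!(port in pos)) {
                    print "tcp/" port ": no ACCEPT rule in INPUT"
                    bad = 1
                } else if (reject && pos[port] > reject) {
                    print "tcp/" port ": ACCEPT at position " pos[port] " follows REJECT at position " reject
                    bad = 1
                }
            }
            exit bad + 0
        }' "$@"
}

# Constructed sample: the guide's rule appended after the REJECT rule,
# where it would never be reached.
check_cinder_iptables <<'EOF' || echo "move the ACCEPT rule above the REJECT rule"
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --dports 3260,8776 -j ACCEPT
COMMIT
EOF
```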

Procedure 6.6. Configuring the firewall to allow Block Storage Service traffic (for Red Hat Enterprise Linux 7-based systems)

  1. Add a rule allowing TCP traffic on ports 3260 and 8776:
    # firewall-cmd --permanent --add-port=3260/tcp
    # firewall-cmd --permanent --add-port=8776/tcp
  2. For the change to take immediate effect, add the rules to the runtime mode:
    # firewall-cmd --add-port=3260/tcp
    # firewall-cmd --add-port=8776/tcp
The firewall is now configured to allow incoming connections to the Block Storage service on ports 3260 and 8776.

6.4.7. Populate the Block Storage Database

You can populate the Block Storage database after you have successfully configured the Block Storage service database connection string (refer to Section 6.4.5, “Configure the Block Storage Service Database Connection”).

Important

This procedure only needs to be followed once to initialize and populate the database. You do not need to perform these steps again when adding additional systems hosting Block Storage services.

Procedure 6.7. Populating the Block Storage Service database

  1. Log in to the system hosting one of the Block Storage services.
  2. Use the su command to switch to the cinder user.
    # su cinder -s /bin/sh
  3. Run the cinder-manage db sync command to initialize and populate the database identified in /etc/cinder/cinder.conf.
    $ cinder-manage db sync
The Block Storage service database has been initialized and populated.

6.4.8. Increase the Throughput of the Block Storage API Service

By default, the Block Storage API service (openstack-cinder-api) runs in one process. This limits the number of API requests that the Block Storage service can process at any given time. In a production environment, you should increase the Block Storage API throughput by allowing openstack-cinder-api to run in as many processes as the machine capacity allows.
Red Hat Enterprise Linux OpenStack Platform 5 adds a new Block Storage API service option to address this, namely osapi_volume_workers. This option allows you to specify the number of API service workers (or OS processes) to launch for openstack-cinder-api.
To set this option, run the following command on the openstack-cinder-api host:
# openstack-config --set /etc/cinder/cinder.conf \
 DEFAULT osapi_volume_workers CORES
Replace CORES with the number of CPU cores/threads on a machine.