Configuring OpenStack Observer jobs

Using the OpenStack Observer, you can configure jobs that dynamically load OpenStack data for analysis by Agile Service Manager.

Before you begin

Important: The OpenStack Observer supports the on-premise OpenStack version Stein.

Ensure you have the OpenStack service details to hand, such as the parameters for its APIs or RabbitMQ message bus. If you are configuring a query job, have OpenStack location and authorisation details to hand. If you are configuring a rabbitmq job, you must also identify and provide access to the RabbitMQ message bus.

OpenStack installation requirements:
If you have installed OpenStack using DevStack, you must add the code specified here to the end of the local.conf file, and reinstall it. If you have installed OpenStack using another installation method, you must add the code specified here to the nova.conf file, and then restart the Nova (compute) service.
If you have already installed OpenStack using DevStack
Add the following code to the end of the local.conf file, and then reinstall OpenStack.
If you are planning to install OpenStack using DevStack
Add the following code to the end of the local.conf file before installation.
[[post-config|$NOVA_CONF]] 
[DEFAULT]
notification_topics = notifications,com.ibm.asm.obs.nova.notify
notification_driver=messagingv2 
notify_on_state_change=vm_and_task_state 
notify_on_any_change=True
For standard (or any other) OpenStack installations
Add the following code under the [DEFAULT] section of the nova.conf file, and then restart the Nova (compute) service.
notification_topics = notifications,com.ibm.asm.obs.nova.notify
notification_driver=messagingv2 
notify_on_state_change=vm_and_task_state 
notify_on_any_change=True

The OpenStack Observer is installed as part of the core installation procedure.

Note: OpenStack uses RBAC-based protection of its API by defining policy rules based on an RBAC approach. Availability of resources retrieved by the observer is also governed by the same policy. For example, a VM created in project A by users with the admin role may only be available to other users with the same admin role. This can be configured or modified according to user requirements in the OpenStack's policy configuration.
Note: A Certificate Chaining Error can occur when launching an OpenStack Observer job. See the following troubleshooting topic for more information: OpenStack Observer certificate chaining error

About this task

The OpenStack Observer jobs extract OpenStack resources via REST or RabbitMQ. The Observer loads and updates the resources and their relationships within the Netcool Agile Service Manager core topology service.

You configure and run the following two jobs.
Restapi Load job
A transient (one-off) job that loads all requested topology data from the OpenStack instance by REST API.
By default, Load jobs are one-off, transient jobs that perform a full upload of all requested topology data as soon as they are triggered.
You can also run these jobs (again) manually from the Observer UI, or schedule them to run at set times when configuring them.
The job loads baseline topology data through the following OpenStack's APIs:
  • Keystone (identity)
  • Cinder (block storage)
  • Glance (image)
  • Heat (orchestration)
  • Neutron (network)
  • Nova (compute)
Restriction: An OpenStack environment that has a list of endpoints whereby the 'heat-cfn' service comes first (before the 'heat' service) will encounter a JSON parsing error recorded in the logs due to a known issue in the openstack4j library. When this happens, the full load for the heat service will be skipped entirely. Other services will run as normal.
Rabbitmq Listen job
A long-running job that reads messages on OpenStack's RabbitMQ message bus for activity from the Cinder (block storage), Heat (orchestration), Neutron (network) and Nova (compute) components continually, until it is explicitly stopped, or until the Observer is stopped.
The rabbitmq job should only be run after an initial restapi job has been completed.
Restriction: Only one rabbitmq job should be listening to one queue (or sets of queues) at any one time. If you need to listen to multiple projects, then separate queues must be set up in OpenStack, with appropriate names, before separate listening jobs are submitted for each. For example, for Nova via the rmq_nova_notify attribute, for Neutron via the rmq_neutron_notify attribute.
Table 1. OpenStack Observer restapi job parameters
Parameter Action Details
Unique ID Enter a unique name for the job Required
OpenStack authentication type Specify the OpenStack connection authentication technique to use. Required. Choose either V2_Tenant, V3_Unscoped, V3_Project, V3_Domain, or V3_ProjectDomain.
OpenStack password Specify the OpenStack password with which to authenticate. Required. Must be encrypted.
OpenStack identity endpoint Specify the authentication URL. Required. Must include the port and version.
Data center name Specify the name of the data center in which the OpenStack instance is running. Required. If more than one OpenStack instance is run, and duplicate project or tenant names exist, you must disambiguate them here.
OpenStack username Specify the OpenStack user name to connect as (or to). Required
OpenStack project name Specify the OpenStack project name. Required
OpenStack domain name Specify the OpenStack domain name. Optional.
OpenStack region name Specify the OpenStack region. Optional
OpenStack perspective Select the URL perspective the API accesses data from. Optional. Choose from Admin, Public, and Internal.
Connection and read timeout (ms) Choose the timeout setting for the connection and read actions. Optional. The default is 5000 (5 seconds).
SSL Verification Choose whether to use SSL verification (true or false). If false, HTTPS is used, but without hostname validation. Optional
OpenStack host certificate Specify a certificate name to load into the trust store If specified, then a certificate file with the same name must exist in the /opt/ibm/netcool/asm/security directory.

Optional for on-prem. If used, must be in the /opt/ibm/netcool/asm/security directory.

Required for OCP. Use the instructions in the following topic to obtain the authentication certificate using OpenSSL and store them as secrets: Defining observer security
SSL truststore file name Specify a truststore file name. Required
SSL truststore file password Specify a truststore file password. Required
Job schedule Specify when the job runs. Optional. Load jobs only.
Observer job description Enter additional information to describe the job. Optional
Table 2. OpenStack Observer rabbitmq job parameters
Parameter Action Details
Unique ID Enter a unique name for the job Required
RabbitMQ username Specify the AMQP user name to connect to the broker. Required
RabbitMQ password Specify the password to use to connect to the broker. Required. Must be encrypted.
RabbitMQ hosts Enter a (comma-seperated) list of hosts in the RabbitMQ cluster. Required. The first successful connection is used.
Data center name Specify the name of the data center in which the OpenStack instance is running. Required. If more than one OpenStack instance is run, and duplicate project or tenant names exist, you must disambiguate them here.
OpenStack username Specify the OpenStack user name to connect as (or to). Required
OpenStack project name Specify the OpenStack project. Optional
RabbitMQ virtual host name Specify the virtual host to connect to the broker. Optional
Use SSL? Choose whether to use an SSL connection. Optional. Choose true or false. For RabbitMQ, you must choose true.
Nova v2 Oslo message queue Specify the Nova v2 Oslo message queue. Optional
Neutron v2 Oslo message queue Specify the Neutron v2 Oslo message queue. Optional
Cinder v2 Oslo message queue Specify the Cinder v2 Oslo message queue. Optional
Heat v2 Oslo message queue Specify the Heat v2 Oslo message queue. Optional
Number of consumer instances Specify the number of consumer instances to create for each API queue type. Optional
Observer job description Enter additional information to describe the job. Optional
Important: You must specify the following properties consistently for both the restapi and rabbitmq jobs:
  • Data center name
  • OpenStack project name
  • OpenStack username
Encryption requirement:
The restapi and rabbitmq jobs require passwords in the configuration file to be encrypted. To encrypt the OpenStack or RabbitMQ passwords, run the encrypt_password.sh script in the $ASM_HOME/bin directory: 
./bin/encrypt_password.sh
Enter and then confirm the password. The encryption utility will return an encrypted password, for example: 
2IuExvqz5SGnGgROYGLAQg==
SSL requirements: To acquire SSL certificates and build SSL truststores, use the relevant instructions for both on-prem and OCP in the following section: Defining observer security

Procedure

  1. From the Observer Configuration UI, click Configure under the OpenStack icon, or select an existing OpenStack job to be edited.
  2. Choose either restapi or rabbitmq from the job type drop-down.

Configure the OpenStack Observer restapi job

  1. Enter or edit the following required parameters:
    • Unique ID
    • OpenStack authentication type
    • OpenStack password (must be encrypted)
    • OpenStack identity endpoint
    • Data Center name
    • OpenStack username
  2. Enter or edit the following optional parameters:
    • OpenStack project name
    • OpenStack domain name
    • OpenStack region name
    • OpenStack perspective
    • Connection and read timeout (ms)
    • SSL Verification
  3. Optional: Define a Job schedule (for Load jobs only) by setting the time when the job should run, and whether it should run at regular intervals. By default, the job runs immediately, and only once. Optionally, you can specify a future date and time for the job to run, and then set it to run at regular intervals after that, if required. The run intervals must be at least 90 seconds apart, and if you set them at less than 15 minutes, a warning is displayed, as the frequency can impact system performance.
  4. Optional: Enter an Observer job description to explain the purpose of the job in more detail.

Configure the OpenStack Observer rabbitmq job

  1. Enter or edit the following parameters:
    • Unique ID
    • RabbitMQ username
    • RabbitMQ password (must be encrypted)
    • RabbitMQ hosts
    • Data center name
    • OpenStack username
  2. Enter or edit the following optional parameters:
    • OpenStack project name
    • RabbitMQ virtual host name
    • Use SSL?
    • Nova v2 Oslo message queue
    • Neutron v2 Oslo message queue
    • Cinder v2 Oslo message queue
    • Heat v2 Oslo message queue
    • Number of consumer instances
    • Observer job description
  3. Click Run job to save your job and begin retrieving information.