OpenStack Installation Guide

This comprehensive guide covers the installation and configuration of OpenStack with Docker integration, Suricata IDS/IPS, and KVM hypervisor setup.

Prerequisites

System Preparation

Update System

# Refresh the package index and upgrade installed packages, then install the
# build prerequisites used by the Python tooling later in this guide.
sudo apt update \
  && sudo apt upgrade -y
sudo apt install -y \
  python3-pip python3-dev libffi-dev gcc libssl-dev

Configure Networking

# Edit network configuration
sudo nano /etc/netplan/01-netcfg.yaml

# Example configuration:
network:
  version: 2
  ethernets:
    enp0s3:  # Management network
      dhcp4: true
    enp0s8:  # Provider network
      dhcp4: false

# Apply network changes
sudo netplan apply

Install Docker and Docker Compose

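# Install Docker
# The convenience script is executed as root, so save it and read it before
# running it rather than trusting whatever the URL returned.
curl -fsSL https://get.docker.com -o get-docker.sh
less get-docker.sh
sudo sh get-docker.sh
# Membership in the docker group is equivalent to root on this host;
# add only accounts that already hold full sudo rights.
sudo usermod -aG docker "$USER"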

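# Install Docker Compose
# Download as an unprivileged user into a private temp file. -f makes curl fail
# on an HTTP error instead of saving the error page as the "binary".
compose_url="https://github.com/docker/compose/releases/download/v2.20.0/docker-compose-$(uname -s)-$(uname -m)"
compose_tmp=$(mktemp)
curl -fL "$compose_url" -o "$compose_tmp"

# Compare this digest with the checksum published for the v2.20.0 release
# before installing the file system-wide.
sha256sum "$compose_tmp"

# install(1) copies the file as root-owned with an explicit mode.
sudo install -m 0755 "$compose_tmp" /usr/local/bin/docker-compose
rm -f -- "$compose_tmp"

# Verify installation
docker --version
docker-compose --version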

OpenStack Installation with Kolla-Ansible

Install Kolla-Ansible

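# Create virtual environment
python3 -m venv kolla-env
source kolla-env/bin/activate

# Install Kolla-Ansible
# NOTE(review): this install is unpinned; confirm the kolla-ansible release that
# pip selects matches the openstack_release configured in globals.yml.
pip install kolla-ansible

# Create configuration directory
# /etc/kolla will hold the generated service passwords, so it is handed to the
# operator account only (quoted so an unusual account name cannot split the argument).
sudo mkdir -p /etc/kolla
sudo chown "$USER":"$USER" /etc/kolla

# Copy configuration files
cp -r kolla-env/share/kolla-ansible/etc_examples/kolla/* /etc/kolla/
cp kolla-env/share/kolla-ansible/ansible/inventory/* .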

Configure Kolla-Ansible

# Edit global configuration
nano /etc/kolla/globals.yml

# Key configurations:
kolla_base_distro: "ubuntu"
kolla_install_type: "source"
openstack_release: "yoga"
# With enable_haproxy set to "no" below, this is presumably the host's own
# address on network_interface rather than a floating VIP — confirm.
kolla_internal_vip_address: "10.0.0.10"  # Your management network IP
network_interface: "enp0s3"  # Management interface
neutron_external_interface: "enp0s8"  # Provider interface
enable_haproxy: "no"  # Disable for single-node
# NOTE(review): no TLS options are set in this excerpt, so API and Horizon
# traffic is presumably plain HTTP; confirm before exposing these endpoints
# beyond the management network.
enable_cinder: "yes"
enable_neutron: "yes"
enable_horizon: "yes"

Generate Passwords

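# Generate random passwords
kolla-genpwd
# passwords.yml now holds every service and database secret for the cloud;
# keep it readable by the operator account only.
chmod 600 /etc/kolla/passwords.yml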

Deploy OpenStack

# Install Ansible
pip install ansible

# Bootstrap servers
kolla-ansible -i all-in-one bootstrap-servers

# Perform pre-deployment checks
kolla-ansible -i all-in-one prechecks

# Deploy OpenStack
kolla-ansible -i all-in-one deploy

Post-Deployment Configuration

Generate OpenRC File

# Generate admin credentials
# The resulting /etc/kolla/admin-openrc.sh carries the cloud admin credentials;
# check that it is readable only by the operator account.
kolla-ansible -i all-in-one post-deploy

# Source the credentials
# This exports the admin credentials into the current shell environment, so
# avoid doing it in shared or logged sessions.
source /etc/kolla/admin-openrc.sh

Install OpenStack CLI

pip install python-openstackclient python-glanceclient python-neutronclient

Create Initial Resources

# Create networks
openstack network create --external --provider-physical-network physnet1 --provider-network-type flat public
openstack subnet create --network public --allocation-pool start=192.168.1.100,end=192.168.1.200 --dns-nameserver 8.8.8.8 --gateway 192.168.1.1 --subnet-range 192.168.1.0/24 public-subnet

openstack network create private
openstack subnet create --network private --subnet-range 10.0.0.0/24 --dns-nameserver 8.8.8.8 private-subnet

# Create router
openstack router create router1
openstack router set --external-gateway public router1
openstack router add subnet router1 private-subnet

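# Create security group
openstack security group create default-security-group
# A rule created without --remote-ip admits 0.0.0.0/0, so scope SSH to the
# range administrators actually connect from.
openstack security group rule create --protocol tcp --dst-port 22 --remote-ip [ADMIN_CIDR] default-security-group
# The web ports stay reachable from anywhere; the source range is spelled out
# so that exposure is a visible decision rather than a default.
openstack security group rule create --protocol tcp --dst-port 80 --remote-ip 0.0.0.0/0 default-security-group
openstack security group rule create --protocol tcp --dst-port 443 --remote-ip 0.0.0.0/0 default-security-group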

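# Create key pair
# -N "" is omitted on purpose: ssh-keygen then prompts for a passphrase, so the
# private key is encrypted at rest instead of being usable by anyone who copies it.
ssh-keygen -t rsa -b 4096 -f ~/.ssh/openstack-key
# Only the public half is uploaded to OpenStack.
openstack keypair create --public-key ~/.ssh/openstack-key.pub openstack-keypair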

KVM Hypervisor Configuration

Install KVM and Related Packages

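sudo apt install -y qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager
sudo systemctl enable --now libvirtd
# Members of the libvirt group can manage every system-level VM on this host;
# add only trusted administrator accounts.
sudo usermod -aG libvirt "$USER"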

Configure KVM for OpenStack

# Check if KVM is working
sudo kvm-ok

# Configure libvirt for OpenStack
sudo nano /etc/libvirt/libvirtd.conf

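# Uncomment and modify:
# The TCP listener is unencrypted. Paired with auth_tcp = "none", any host that
# can reach the port gets full control of the hypervisor, so require SASL
# authentication and bind the listener to the management address only.
listen_tls = 0
listen_tcp = 1
# Management address used in globals.yml; adjust to this host.
listen_addr = "10.0.0.10"
auth_tcp = "sasl"
tcp_port = "16509"
# NOTE(review): SASL credentials must be provisioned before clients can connect.
# On socket-activated libvirt builds the listen_* settings may not be honoured,
# and Kolla-Ansible normally runs libvirt in its own container — confirm that a
# host-level TCP listener is needed at all.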

# Restart libvirt
sudo systemctl restart libvirtd

Upload Cirros Test Image

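# Download Cirros image
# Fetch over HTTPS rather than plain HTTP, and compare the file with the
# checksum list published for the 0.5.2 release before uploading: this file is
# booted as a guest image.
wget https://download.cirros-cloud.net/0.5.2/cirros-0.5.2-x86_64-disk.img

# Upload to Glance
# --public shares the image with every project in the cloud; keep that for
# vetted images only.
openstack image create \
    --container-format bare \
    --disk-format qcow2 \
    --file cirros-0.5.2-x86_64-disk.img \
    --public \
    cirros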

Docker Integration

Create Docker Compose for Additional Services

# Create docker-compose.yml
nano docker-compose.yml

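version: '3.8'
services:
  suricata:
    # NOTE(review): :latest is unpinned; pin a reviewed tag or digest so a
    # restart cannot silently pull different code.
    image: jasonish/suricata:latest
    container_name: suricata-ids
    # Host networking lets the sensor see enp0s3, but it also removes network
    # isolation for this container.
    # NOTE(review): packet capture may need extra capabilities via cap_add —
    # confirm against the image documentation rather than running privileged.
    network_mode: host
    volumes:
      - ./suricata-config:/etc/suricata
      - ./suricata-logs:/var/log/suricata
      - ./suricata-rules:/etc/suricata/rules
    command: suricata -c /etc/suricata/suricata.yaml -i enp0s3
    restart: unless-stopped

  monitoring:
    # NOTE(review): :latest is unpinned here as well.
    image: prom/prometheus:latest
    container_name: openstack-monitoring
    ports:
      # Prometheus has no authentication by default, so publish it on loopback
      # only and reach it through an SSH tunnel or an authenticating proxy.
      - "127.0.0.1:9090:9090"
    volumes:
      # The config file is only read, so mount it read-only.
      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
    restart: unless-stopped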

Suricata IDS/IPS Configuration

# Create Suricata configuration directory
mkdir -p suricata-config suricata-logs suricata-rules

# Create basic Suricata configuration
nano suricata-config/suricata.yaml

# Basic configuration content:
# NOTE(review): this excerpt lists no rule files, so confirm that signatures are
# actually loaded; a sensor without rules raises no alerts.
default-log-dir: /var/log/suricata/
stats:
  enabled: yes
  interval: 8

outputs:
  # fast.log: one line per alert, convenient for a quick look.
  - fast:
      enabled: yes
      filename: fast.log
  # eve.json: structured JSON events, the output to forward to a log pipeline.
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json

# Capture on the management interface. No copy-mode is configured, so as
# written this is passive monitoring (IDS) and does not block traffic.
af-packet:
  - interface: enp0s3
    cluster-id: 99
    cluster-type: cluster_flow

detect-engine:
  - profile: medium
  - custom-values:
      toclient-groups: 3
      toserver-groups: 25

# Start services
docker-compose up -d

Testing and Validation

Launch Test Instance

# Create flavor
openstack flavor create --id 1 --ram 512 --disk 1 --vcpus 1 m1.tiny

# Launch instance
openstack server create \
    --image cirros \
    --flavor m1.tiny \
    --key-name openstack-keypair \
    --network private \
    --security-group default-security-group \
    test-instance

# Check status
openstack server list
openstack server show test-instance

Access Instance

# Create floating IP
openstack floating ip create public

# Assign floating IP to instance
openstack server add floating ip test-instance [FLOATING_IP]

# SSH to instance
ssh -i ~/.ssh/openstack-key cirros@[FLOATING_IP]

Monitoring and Maintenance

Regular Health Checks

# Check OpenStack services
openstack catalog list
openstack service list
openstack hypervisor list

# Check container status
docker ps
docker-compose logs suricata

# Check system resources
df -h
free -h
top

Backup Configuration

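# Backup Kolla configuration
# /etc/kolla includes the generated service passwords and the dump contains the
# whole database, so both files are created owner-only inside a subshell with a
# restrictive umask.
(
  umask 077
  sudo tar -czf openstack-config-backup.tar.gz /etc/kolla/

  # Backup database (if using MariaDB container)
  # NOTE(review): confirm the container name with `docker ps` and that
  # mysqldump can authenticate inside the container; a failed dump still
  # leaves an empty .sql file behind.
  docker exec kolla_mariadb_1 mysqldump --all-databases > openstack-db-backup.sql
)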

# Create automated backup script
nano backup-script.sh

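#!/bin/bash
# Daily backup of the Kolla configuration and the OpenStack databases.
# Writes config-<timestamp>.tar.gz and db-<timestamp>.sql into BACKUP_DIR and
# prunes files older than seven days.
#
# Stop on the first failure so a broken run never reaches the pruning step,
# and create every file owner-only: the archive contains the generated service
# passwords and the dump contains the full database.
set -euo pipefail
umask 077

BACKUP_DIR="/opt/openstack-backups"
DATE=$(date +%Y%m%d_%H%M%S)

mkdir -p -- "$BACKUP_DIR"

# Configuration backup
sudo tar -czf "$BACKUP_DIR/config-$DATE.tar.gz" /etc/kolla/

# Database backup
# NOTE(review): confirm the container name with `docker ps` and that mysqldump
# can authenticate inside the container.
# Dump to a .partial file first so an interrupted run is never mistaken for a
# complete backup.
db_dump="$BACKUP_DIR/db-$DATE.sql"
docker exec kolla_mariadb_1 mysqldump --all-databases > "$db_dump.partial"
mv -- "$db_dump.partial" "$db_dump"

# Keep only last 7 days of backups
# ${BACKUP_DIR:?} aborts instead of pruning from the wrong place if the
# variable is ever empty.
find "${BACKUP_DIR:?}" -type f -mtime +7 -delete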

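chmod +x backup-script.sh

# Add to crontab for daily backups
# `crontab -` replaces the whole table with its input, so re-emit the existing
# entries first and append the new job instead of wiping them.
( crontab -l 2>/dev/null; echo "0 2 * * * /path/to/backup-script.sh" ) | crontab -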

Troubleshooting Common Issues

Service Not Starting

# Check container logs
docker logs kolla_nova_compute_1
docker logs kolla_neutron_agent_1

# Check OpenStack service logs
sudo tail -f /var/log/kolla/nova/nova-compute.log
sudo tail -f /var/log/kolla/neutron/neutron-server.log

Network Connectivity Issues

# Check network namespaces
sudo ip netns list

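# Debug neutron networks
openstack network agent list
# The standalone neutron CLI is deprecated; the unified client provides the
# same lookup.
openstack network agent show [AGENT_ID]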

# Check OVS bridges
sudo ovs-vsctl show

Performance Optimization

# Optimize MySQL/MariaDB
# Add to /etc/kolla/config/mariadb.cnf
[mysqld]
innodb_buffer_pool_size = 2G
max_connections = 200
query_cache_size = 128M

# Optimize Nova compute
# Add to /etc/kolla/config/nova.conf
[DEFAULT]
cpu_allocation_ratio = 2.0
ram_allocation_ratio = 1.0

# Restart services after changes
kolla-ansible -i all-in-one deploy --tags nova,mariadb

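Security Best Practices

Before using this deployment outside an isolated lab, review the steps in this guide that trade security for convenience: require authentication on the libvirt TCP listener and restrict where it listens, limit the source ranges in security-group rules, verify downloaded installers and images before running them, pin container image tags, and keep /etc/kolla, admin-openrc.sh and all backups readable only by the operator account.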

Next Steps

After completing this installation:

  1. Explore advanced OpenStack services (Heat, Swift, etc.)
  2. Implement high availability configurations
  3. Set up centralized logging with ELK stack
  4. Configure automated monitoring and alerting
  5. Integrate with external identity providers