Discovering OpenStack

OpenStack provides open-source cloud software used to create public or private clouds. You can have virtualized computing platforms, such as public clouds, private clouds hosted by a cloud provider, or in your data center.

You access and configure all of your services by using Horizon, the OpenStack Dashboard. Horizon is the product name for the dashboard component. Most other OpenStack components, known as projects, have product names, for example, the Compute Service is called Nova. For more information, see OpenStack project navigator.

BMC Helix Discovery uses SSH or API (HTTPS, port 443) to process the services that are run on OpenStack.

OpenStack components discovered by using SSH: 

OpenStack components discovered by using API:

The following set of OpenStack services can be discovered with the latest product content update:

  • Compute (Nova)
  • Block storage (Cinder)
  • Load balancers (Neutron)
  • Load balancers (Octavia; also includes Neutron load balancers)
  • Orchestration (Heat)
  • Shared file systems (Manila)

Creating credentials

To perform discovery on OpenStack, you must provide a credential with which BMC Helix Discovery can access the OpenStack cloud. Creating a credential is a two-stage process. You create a credential in the OpenStack dashboard and then add the cloud discovery credential by using the access key created in the OpenStack dashboard in BMC Helix Discovery.

To create a credential in the OpenStack dashboard

  1. In the OpenStack dashboard, create a new user for Discovery, for example, discovery.

    Important

    The user should be a member of projects that you want to discover. Otherwise, API does not return these projects.

  2. Enter a user name and password. 

    Important

    If you lose the password, you cannot retrieve it from the dashboard. Instead, you must update the password and use it as the BMC Helix Discovery cloud credential. You must note the password until you have successfully tested the cloud credential.

  3. Select a project to use as a default.
  4. Grant the discovery user the admin or member role on the default project.

To create a cloud credential in BMC Helix Discovery

Create the cloud credential similarly to any other credential. The OpenStack cloud credential uses a username and password combination in the same way as a device credential.

  1. From the BMC Helix Discovery Device Credentials page, click Add and select Cloud Provider.
    The Add Credential page is displayed.
  2. Click the icon next to Credential Types to see the available Cloud Providers.
  3. Select OpenStack.
  4. Add credential information:
    • Label
    • Description
    • Username
    • Password
  5. Enter additional information:
    • User Domain
    • Timeout
  6. (Optional) Specify a proxy to access OpenStack. To use a proxy, you must specify the following:
    • Hostname
    • Port
    • (Only for authenticating proxies) User name 
    • (Only for authenticating proxies) Password

  7. (Optional) If your proxy uses self-signed certificates, the TLS Certificate Check option can be disabled. 

    Warning

    If you disable the certificate check, your credentials can be intercepted by a man-in-the-middle attack.

  8. Click Apply to save the credential.

To test the credential

After you have created the credential, you must verify if it works.

  1. From the credentials page, click Devices.
  2. Filter the list to view cloud credentials.
  3. Click Actions against the OpenStack cloud credential you added, then click Test.
  4. Click Test.
    The following screenshot shows a successful test.
    OpenStackCredTest.png

If the credential test is unsuccessful, click on the Failure status to see the details.

To run an OpenStack cloud scan

Use the Add New Run control to perform cloud discovery from the Status page.

  1. Click Add New Run.
    The Add a New Run dialog box is displayed.
    OpenStackScan.png
  2. Enter a Label for the cloud discovery run.
  3. (Optional) Select Scheduled to add a scheduled cloud run and fill in the scheduling information.
  4. Select Cloud.
  5. Select the provider OpenStack.
  6. Select the appropriate cloud credential. If none are available, you must add one.
  7. Click OK.

After the scan is complete, you can examine the results. The following screenshot shows a discovered VM running in OpenStack.

OpenStackResults.png

Scanning the hosts running the VMs in the cloud

Perform a normal scan on the hosts running the VMs discovered in the cloud scan. To find these hosts, use the Unscanned Cloud Hosts report on the Cloud Overview dashboard. Host scanning assumes that the appliance or proxy has network access to hosts running in the cloud, for example, by using a VPN.

Using the all_tenants approach

Important

This approach applies only to OpenStack Nova and OpenStack Manila.

In some cases, projects are created and removed often. Hence, it is difficult to be sure that the user for the OpenStack discovery is always set as a member of these projects. As a result, BMC Helix Discovery might not recognize all projects and all resources in all projects. To prevent this, the all_tenants approach for Nova and Manila services is used.

The all_tenant approach requires the following prerequisites:

  • The admin user for API scan.
  • The user is a member of the admin project and is not a member of any other projects.
  • The admin project is set as the default project of the user.

When you run a regular scan, BMC Helix Discovery obtains information about all the projects, Nova VMs, and Manila storages without membership in all projects.

OpenStack discovery patterns

The OpenStack discovery patterns are available on the Manage > Knowledge page. They are located in the Pattern modules list in Cloud > OpenStack.

Known issues

Issue symptoms

During the OpenStack discovery of OTC (Open Telekom Cloud), OpenStack.Keystone.Projects.List fails. 

Issue scope

The issue occurs because Discovery requires another URL to get a list of projects.

Resolution

  1. On the BMC Helix Discovery appliance, start editing /usr/tideway/data/installed/cloud/openstack.json
  2. Find the OpenStack.Keystone.Projects.List request section.
  3. Change the url value from {endpoint}/auth/projects to {endpoint}/projects
  4. Save the file.
  5. Restart all BMC Helix Discovery services.

The differences between the two URLs are as follows:

  • /auth/projects

Returns the list of projects available to be scoped based on the X-Auth-Token provided in the request; seeOpenStack API Documentation.

  • /projects

Returns all projects; seeOpenStack API Documentation.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*