Difference between revisions of "Fedcloud-tf:WorkGroups:Scenario1:OpenNebulaInstallation"
Revision as of 16:36, 8 January 2013
OpenNebula
rOCCI-server
This section describes how to install and configure rOCCI 0.5.x on SL6.
Requirements
The following setup is recommended:
- usage of the Ruby Version Manager (RVM)
- Ruby >= 1.9.3
- Bundler gem installed (use gem install bundler)
Installation
Apache and EMI2 middleware
- Install EMI2 gridsite packages:
# cd /etc/yum.repos.d
# wget http://eticssoft.web.cern.ch/eticssoft/mock/emi-2-rc-sl6.repo
# yum install canl-c gridsite gridsite-libs ca-policy-egi-core fetch-crl
- Install these packages:
# yum install httpd mod_ssl mod_proxy_html
# chkconfig httpd on
RVM
- As oneadmin run:
$ curl -L https://get.rvm.io | sudo bash -s stable
- As root, add the oneadmin user to the RVM group:
# usermod -a -G rvm oneadmin
- Log back in as the oneadmin user:
$ rvm user gemsets
- Check out the latest version from Git:
$ git clone git://github.com/gwdg/rOCCI-server.git
- Change to rOCCI folder:
$ cd rOCCI-server
- Use RVM:
$ rvm install ruby-1.9.3
- Install the build dependencies before pressing 'q' (from another console) on an SL machine:
# yum install build-essential openssl libreadline6 libreadline6-dev curl git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf libc6-dev ncurses-dev automake libtool bison subversion libexpat1-dev rubygem-xmlparser expat expat-devel
- Install the gems and the rocci service (v0.5.x in this case):
$ git checkout 0.5.x
$ gem install bundler
$ bundle install
Configuration
rOCCI-server comes with different backends. Check the etc folder for available backends (e.g. dummy, opennebula, ...). Each backend has an example configuration in a file with the name of the backend and the extension .json. Copy one of those files to etc/backend/default.json and adapt its content to your setting.
To configure the behaviour of compute, network and storage resource creation, edit the backend specific extensions of the OCCI model at etc/backend/$BACKEND/model (e.g. etc/backend/dummy/model for the dummy backend).
To change the predefined resource or OS templates, you can adapt the existing templates in etc/backend/$BACKEND/templates or add new templates. If resource or OS templates are already registered in the backend, they will be automatically discovered by rOCCI-server.
- Change to the OpenNebula backend folder:
$ cd /var/lib/one/rOCCI-server/etc/backend/opennebula
- Copy the OpenNebula backend configuration before editing it:
$ cp opennebula.json ../default.json
$ cd ..
- And change it to use our configuration:
{
  "resources":[
    {
      "kind":"http://rocci.info/server/backend#opennebula",
      "attributes":{
        "info":{
          "rocci":{
            "backend":{
              "opennebula":{
                "endpoint":"http://localhost:2633/RPC2",
                "admin":"rocci",
                "password":"*****",
                "scheme":"http://my.occi.service/"
              }
            }
          }
        }
      }
    }
  ]
}
- Edit /var/lib/one/rOCCI-server/etc/backend/opennebula/one_templates/compute.erb to fit your cloud resources.
OpenNebula backend
If you want to change the actual deployment within OpenNebula you can change the OpenNebula templates in the files in /var/lib/one/rOCCI-server/etc/backend/opennebula/one_templates.
To configure OpenNebula resource templates (e.g. small, medium, large, ...) change the files in etc/backend/opennebula/templates.
- For example, to use the x86_64 architecture by default, edit the files (small/medium/large) in /var/lib/one/rOCCI-server/etc/backend/opennebula/templates and change this block:
...
"architecture":{
  "Mutable":true,
  "Required":false,
  "Type":"string",
  "Pattern":"x86|x64",
  "Default":"x64"
...
Add rocci user
The Sunstone, EC2 and OCCI services communicate with the core using a “server” user. OpenNebula creates the serveradmin account at bootstrap, with the authentication driver server_cipher (symmetric key).
This “server” user uses a special authentication mechanism that allows the servers to perform an operation on behalf of other users.
- To add the rocci user, run as oneadmin:
$ oneuser create rocci <good_pass_here_from_default.json> --driver server_cipher
$ oneuser chgrp rocci oneadmin
(!) The user name and password must be the same as in the default.json configuration file.
Apache conf
- Add the apache user to the oneadmin group:
# usermod -a -G oneadmin apache
- If you want to configure Apache automatically, run this from the /var/lib/one/rOCCI-server directory as the oneadmin user (for an SL6 installation these packages are required: apache2-prefork-dev libapr1-dev libaprutil1-dev):
$ bundle exec passenger-install-apache2-module
This script shows the following information at the end:
The Apache 2 module was successfully installed.
Please edit your Apache configuration file, and add these lines:
LoadModule passenger_module /var/lib/one/.rvm/gems/ruby-1.9.3-p327@rOCCI-server/gems/passenger-3.0.12/ext/apache2/mod_passenger.so
PassengerRoot /var/lib/one/.rvm/gems/ruby-1.9.3-p327@rOCCI-server/gems/passenger-3.0.12
PassengerRuby /usr/local/rvm/wrappers/ruby-1.9.3-p327@rOCCI-server/ruby
After you restart Apache, you are ready to deploy any number of Ruby on Rails applications on Apache, without any further Ruby on Rails-specific configuration!
- Now create the /etc/httpd/conf.d/passenger.conf file as root:
# vi /etc/httpd/conf.d/passenger.conf
and include these lines:
# Passenger module for rOCCI
LoadModule passenger_module /var/lib/one/.rvm/gems/ruby-1.9.3-p327@rOCCI-server/gems/passenger-3.0.12/ext/apache2/mod_passenger.so
PassengerRoot /var/lib/one/.rvm/gems/ruby-1.9.3-p327@rOCCI-server/gems/passenger-3.0.12
PassengerRuby /usr/local/rvm/wrappers/ruby-1.9.3-p327@rOCCI-server/ruby
- Manually check these files (in this case we will use port 3202 for the rOCCI service):
Edit /etc/httpd/conf.d/ssl.conf:
LoadModule ssl_module modules/mod_ssl.so
LoadModule gridsite_module /usr/lib64/httpd/modules/mod_gridsite.so
NameVirtualHost your.host.name:3202
Listen 443
Listen 3202
...
Create a new VirtualHost in the conf.d directory of Apache (e.g. in /etc/httpd/conf.d/rocci.conf) with the following content:
<VirtualHost your.host.name:3202>
  ServerName your.host.name
  SSLEngine on
  SSLProtocol all
  SSLCertificateFile /etc/grid-security/hostcert.pem
  SSLCertificateKeyFile /etc/grid-security/hostkey.pem
  SSLProxyEngine on
  SSLCACertificatePath /etc/grid-security/certificates
  SSLCARevocationPath /etc/grid-security/certificates
  SSLVerifyClient require
  SSLVerifyDepth 10
  SSLOptions +StdEnvVars
  # important, this needs to point to the public folder of your rOCCI-server
  DocumentRoot /var/lib/one/rOCCI-server/public
  <Directory /var/lib/one/rOCCI-server/public>
    ## This exports various bits of info into the CGI environment variables
    GridSiteEnvs on
    ## Nice GridSite directory listings turned off
    GridSiteIndexes off
    ## If this is greater than zero, we will accept GSI Proxies for clients
    ## (full client certificates - eg inside web browsers - are always ok)
    GridSiteGSIProxyLimit 1
    ## This directive stops GridSite from handling DELETE requests before they
    ## get to rOCCI-server
    GridSiteMethods ""
    Allow from all
    Options -MultiViews
  </Directory>
  LogLevel debug
</VirtualHost>
- Change the /var/lib/one/rOCCI-server/public permissions as oneadmin:
$ chmod -R 770 /var/lib/one/rOCCI-server/public
$ chmod 440 /etc/grid-security/hostkey.pem
- You have to start/restart Apache before you can use rOCCI-server!
- Make sure that the server can validate fedcloud.egi.eu's VOMS certificates, i.e. the following .lsc file exists:
# cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc
/DC=org/DC=terena/DC=tcs/C=CZ/O=CESNET/CN=voms1.egee.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
- Finally:
/etc/init.d/httpd restart
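The following script is an added example, not part of rOCCI-server or of this guide. It checks the pieces configured in the backend and Apache sections above: that default.json carries a real backend password rather than the "*****" placeholder and is not world-readable, that hostkey.pem keeps the 440 mode set above, that the VirtualHost in /etc/httpd/conf.d/rocci.conf still enforces SSLVerifyClient require, that the trusted CA directory holds hash-named (<hash>.0) certificates, and that the fedcloud.egi.eu .lsc file has its two DN lines. The default paths are the ones used in this guide; the sample files in the test are constructed.

```shell
#!/bin/sh
# Post-install sanity checks for the rOCCI-server Apache front end.
# Added example (not rOCCI-server code); paths default to the ones in the guide
# and can be overridden: run_checks <rocci dir> <grid-security dir>.

# Symbolic mode string of a file, e.g. -r--r-----
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# 0 if the file is not readable by "other" and not writable by group.
# The guide uses 0440 for hostkey.pem; 0400 and 0600 also pass, and
# group read stays allowed because apache reads files via the oneadmin group.
file_is_private() {
    [ -f "$1" ] || return 1
    m=$(mode_string "$1")
    [ "$(printf '%s' "$m" | cut -c8-10)" = "---" ] &&
    [ "$(printf '%s' "$m" | cut -c6)" != "w" ]
}

# 0 if the backend password in default.json is non-empty and is not the
# "*****" placeholder copied from opennebula.json.
backend_password_is_set() {
    [ -f "$1" ] || return 1
    pw=$(sed -n 's/.*"password"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    case $pw in
        "" | \**) return 1 ;;
    esac
    return 0
}

# 0 if the VirtualHost configuration demands a client certificate.
vhost_requires_client_cert() {
    [ -f "$1" ] || return 1
    grep -Eq '^[[:space:]]*SSLVerifyClient[[:space:]]+require' "$1"
}

# 0 if the trusted CA directory contains hash-named certificates (<hash>.0),
# the layout Apache's SSLCACertificatePath and OpenNebula's x509 driver expect.
ca_dir_has_hashed_certs() {
    [ -d "$1" ] || return 1
    for f in "$1"/*.0; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# 0 if a VOMS .lsc file holds exactly two DN lines (VOMS server DN, then its
# CA DN), each starting with '/'; blank lines are ignored.
lsc_is_wellformed() {
    [ -f "$1" ] || return 1
    dns=$(grep -c '^/' "$1" || true)
    other=$(grep -v -e '^/' -e '^[[:space:]]*$' "$1" | grep -c . || true)
    [ "$dns" -eq 2 ] && [ "$other" -eq 0 ]
}

# Print one line per check ($1 = label, $2 = exit status of the check).
report() {
    if [ "$2" -eq 0 ]; then echo "OK   $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}

# Run all checks; returns the number of failed checks.
run_checks() {
    rocci=${1:-/var/lib/one/rOCCI-server}
    gsec=${2:-/etc/grid-security}
    fails=0
    backend_password_is_set "$rocci/etc/backend/default.json"; report "backend password set in default.json" $?
    file_is_private "$rocci/etc/backend/default.json";        report "default.json not world-readable" $?
    file_is_private "$gsec/hostkey.pem";                      report "hostkey.pem not world-readable" $?
    vhost_requires_client_cert /etc/httpd/conf.d/rocci.conf;  report "rocci.conf has SSLVerifyClient require" $?
    ca_dir_has_hashed_certs "$gsec/certificates";             report "CA directory has hashed certificates" $?
    lsc_is_wellformed "$gsec/vomsdir/fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc"; report "fedcloud.egi.eu .lsc file well-formed" $?
    return "$fails"
}

run_checks "$@" || echo "$? check(s) failed"
```

Run it as root after the httpd restart; every FAIL line maps to one of the steps above, so the script doubles as a checklist when the service stops accepting client certificates later on.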
rOCCI + VOMS
If you want to use X.509/VOMS authentication for your users, you need to create the users in OpenNebula with the X.509 driver. For a user named 'johnsmith' from fedcloud.egi.eu the command may look like this:
$ oneuser create johnsmith "/DC=es/DC=irisgrid/O=cesga/CN=johnsmith|/DC=es/DC=irisgrid/O=cesga/CN=johnsmith/VO=fedcloud.egi.eu/Role=NULL/Capability=NULL" --driver x509
- And its properties:
$ oneuser update <id_x509_user> X509_DN="/DC=es/DC=irisgrid/O=cesga/CN=johnsmith"
- Enable OpenNebula x509 authentication by modifying the /etc/one/auth/x509_auth.conf file:
# Path to the trusted CA directory. It should contain the trusted CAs for
# the server, each CA certificate should be named CA_hash.0
:ca_dir: "/etc/grid-security/certificates"
For more information have a look at the OpenNebula Documentation on x509 Authentication: http://opennebula.org/documentation:archives:rel3.2:x509_auth
rOCCI-server upgrade
If you checked out rOCCI-server from GIT, then you can pull the latest version or a tagged version, update all required ruby gems using bundler and restart the server by touching the file tmp/restart.txt:
- As oneadmin (or the rocci user, depending on your configuration):
$ cd rOCCI-server
- Check the active branch; it should be 0.5.x:
$ git branch
* 0.5.x
...
- Update the server
$ git pull
- Update dependencies
$ bundle install
- As root, restart Apache2/httpd, e.g. for SL6:
$ service httpd restart
OCCI client
- Running on Ubuntu 12.04 with Ruby and Rubygems from the repositories:
$ gem install occi
Note: rOCCI client is compatible with Ruby 1.8.7, 1.9.2 and 1.9.3 + jRuby 1.7.0
- Configure your user cert:
$ cat $HOME/.globus/usercert.pem $HOME/.globus/userkey.pem >> $HOME/.globus/usercred.pem
- To find out more about available options and defaults use
$ occi --help
- To run the client in an interactive mode use:
$ occi --interactive
$ occi --interactive --endpoint https://cloud.cesga.es:3202/
$ occi --interactive --endpoint https://cloud.cesga.es:3202/ --auth x509
- To list available resources use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource compute --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource storage --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource network --auth x509
- To describe available resources use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource compute --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource storage --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource network --auth x509
- To describe specific resources use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource https://cloud.cesga.es:3202/compute/<OCCI_ID> --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource https://cloud.cesga.es:3202/storage/<OCCI_ID> --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource https://cloud.cesga.es:3202/network/<OCCI_ID> --auth x509
- To list available OS templates or Resource templates use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource os_tpl --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource resource_tpl --auth x509
- To describe a specific OS template or Resource template use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource os_tpl#debian6 --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource resource_tpl#small --auth x509
- To create a compute resource with mixins use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action create --resource compute --mixin os_tpl#debian6 --mixin resource_tpl#small --resource-title "My rOCCI VM" --auth x509
- To delete a compute resource use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action delete --resource https://cloud.cesga.es:3202/compute/<OCCI_ID> --auth x509
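The credential handling behind the client calls above, and behind the VOMS-proxy calls in the next section, as an added example that is not part of the rOCCI client: a small wrapper that picks the VOMS proxy (with --proxy-ca pointing at the user certificate, as the guide does) when a proxy file exists, falls back to the concatenated usercred.pem otherwise, and refuses to offer either credential to a non-https endpoint. The X509_USER_PROXY variable and the /tmp/x509up_u<uid> proxy location are the usual Globus defaults and are assumed here; the files in the test are constructed.

```shell
#!/bin/sh
# Wrapper assembling the occi client command lines used in this guide.
# Added example, not rOCCI client code. Assumed Globus conventions:
# $X509_USER_PROXY, or /tmp/x509up_u<uid>, holds the VOMS proxy.

# Path of the VOMS proxy: $X509_USER_PROXY if set, else /tmp/x509up_u<uid>.
proxy_path() {
    if [ -n "${X509_USER_PROXY:-}" ]; then
        echo "$X509_USER_PROXY"
    else
        echo "/tmp/x509up_u$(id -u)"
    fi
}

# Print the credential options for the occi client.
# $1 = proxy file, $2 = directory holding usercert.pem and usercred.pem.
# Prefers the proxy (--user-cred proxy --proxy-ca usercert.pem); otherwise
# uses usercred.pem; returns 1 when neither is available.
cred_opts() {
    proxy=$1 globus=$2
    if [ -f "$proxy" ]; then
        echo "--auth x509 --user-cred $proxy --proxy-ca $globus/usercert.pem"
    elif [ -f "$globus/usercred.pem" ]; then
        echo "--auth x509 --user-cred $globus/usercred.pem"
    else
        return 1
    fi
}

# 0 only for https:// endpoints: the certificate or proxy must never be
# presented over a plaintext connection.
endpoint_is_tls() {
    case $1 in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the full occi command line for a list/describe/create/delete call.
# $1 = endpoint, $2 = action, $3 = resource, $4 = proxy file, $5 = globus dir
occi_cmdline() {
    endpoint_is_tls "$1" || { echo "refusing non-https endpoint: $1" >&2; return 1; }
    c=$(cred_opts "$4" "$5") || { echo "no usable credential found" >&2; return 1; }
    echo "occi --endpoint $1 --action $2 --resource $3 $c"
}

# Stand-alone use: list compute resources at the endpoint from the guide.
if cmdline=$(occi_cmdline https://cloud.cesga.es:3202/ list compute "$(proxy_path)" "$HOME/.globus"); then
    echo "$cmdline"
fi
```

Pipe the printed command line into sh once you are happy with it, or call occi_cmdline from a larger script; keeping the credential choice in one function means a stale proxy in /tmp is noticed in one place rather than in every invocation.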
- More info available here.
OCCI+VOMS client usage
A beta version of the rOCCI client can be installed by running
$ gem install occi --pre
Note: The proxy/VOMS certificate support will be a part of the next stable release.
- To test VOMS support yourself, you can use the following:
# voms-proxy-init -voms fedcloud.egi.eu
# occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource storage --action list --user-cred /tmp/x509up_u1000 --proxy-ca ~/.globus/usercert.pem
# occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource network --action list --user-cred /tmp/x509up_u1000 --proxy-ca ~/.globus/usercert.pem
# occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource compute --action list --user-cred /tmp/x509up_u1000 --proxy-ca ~/.globus/usercert.pem
# occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource os_tpl --action list --user-cred /tmp/x509up_u1000 --proxy-ca ~/.globus/usercert.pem
# occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource os_tpl#debian6 --action describe --user-cred /tmp/x509up_u1000 --proxy-ca ~/.globus/usercert.pem
# occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource compute --action create --resource-title "MyrOCCIVM" --mixin os_tpl#debian6 --user-cred /tmp/x509up_u1000 --proxy-ca ~/.globus/usercert.pem
etc. Please keep in mind that the rOCCI client is not yet finished.
References
- https://github.com/gwdg/rOCCI-server#rocci-server---a-ruby-occi-server
- http://opennebula.org/documentation:archives:rel3.2:x509_auth
- https://github.com/gwdg/rOCCI