Difference between revisions of "Federated Cloud OpenStack Appliance"
Revision as of 14:30, 8 August 2017
Integration with EGI FedCloud Appliance
The EGI FedCloud Appliance packages a set of docker containers to federate an OpenStack deployment with some EGI services:
- Information System (BDII)
- Accounting (cASO, SSM)
- Image management (cloudkeeper)
You can get the current version of the appliance at its AppDB entry. It is available as an OVA file. You can extract the VMDK disk from the OVA by untarring the file.
Pre-requisites
The appliance works by querying the public APIs of an existing OpenStack installation. It assumes Keystone-VOMS is installed at that OpenStack and the voms.json file is properly configured.
The appliance uses the following OpenStack APIs:
- nova, for getting images and flavors available and to get usage information
- keystone, for authentication and for getting the available tenants
- glance, for querying, uploading and removing VM images.
Not all services need to be accessed with the same credentials. Each component is configured individually, so you can use a different account for each of them if needed.
Host certificate
A host certificate is needed to send the accounting information to the accounting repository. The DN of the host certificate must be registered in GOCDB under the service type eu.egi.cloud.accounting (see the registration section for more information).
The host certificate and key in PEM format are expected at /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem respectively.
Disk space
VM Image replication requires large disk space (~ 100 GB) for storing the downloaded images. By default these are stored at /image_data. You can mount a volume at that location.
Public IP / accessible name
The appliance should be reachable by the EGI Information System, which will check GOCDB for the exact location of your appliance (see the registration section below for more information).
EGI Accounting (cASO/SSM)
There are two different processes handling the accounting integration:
- cASO, which connects to the OpenStack deployment to get the usage information, and,
- ssmsend, which sends that usage information to the central EGI accounting repository.
They are run by cron every hour (cASO) and every six hours (ssmsend).
cASO configuration is stored at /etc/caso/caso.conf. Most default values are ok, but you must set:
- site_name (line 12)
- projects (line 20)
- credentials to access the accounting data (lines 28-47, more options are also available). Check the cASO documentation for the expected permissions of the user configured here.
The cron job will use the voms mapping file at /etc/voms.json.
cASO will write records to /var/spool/apel, where ssmsend will take them.
SSM configuration is available at /etc/apel. Defaults should be ok for most cases. The cron file uses /etc/grid-security for the CAs and the host certificate and private key (in /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem).
Running the services
Both caso and ssmsend are run via cron scripts. They are located at /etc/cron.d/caso and /etc/cron.d/ssmsend respectively. For convenience there are also two scripts, /usr/local/bin/caso-extract.sh and /usr/local/bin/ssm-send.sh, that run the docker container with the proper volumes.
EGI Information System (BDII)
Information discovery provides a real-time view of the images and flavors actually available at the OpenStack deployment for the federation users. It has two components:
- Resource-Level BDII: queries the OpenStack deployment to get the information to publish
- Site-Level BDII: gathers information from several resource-level BDIIs (in this case only 1) and makes it publicly available to the EGI information system.
Resource-level BDII
This is provided by the egifedcloud/cloudbdii container. You need to configure:
- /etc/cloud-info-provider/openstack.rc, with the credentials to query your OpenStack. The user configured only needs to be able to list images and flavors.
- /etc/cloud-info-provider/openstack.yaml, which holds the static information of your deployment. Make sure to set the SITE-NAME as defined in GOCDB.
Site-level BDII
The egifedcloud/sitebdii container runs this process. Configuration files:
- /etc/sitebdii/glite-info-site-defaults.conf. Set here the name of your site (as defined in GOCDB) and the public hostname where the appliance will be available.
- /etc/sitebdii/site.cfg. Include here basic information on your site.
Running the services
In order to run the information discovery containers, there is a docker-compose file at /etc/sitebdii/docker-compose.yml. Run it with:
docker-compose -f /etc/sitebdii/docker-compose.yml up -d
Check the status with:
docker-compose -f /etc/sitebdii/docker-compose.yml ps
You should be able to get the BDII information with an LDAP client, e.g.:
ldapsearch -x -p 2170 -h <yourVM.hostname.domain.com> -b o=glue
EGI Image Management (cloudkeeper)
TBC
The appliance provides VMI replication with cloudkeeper. Every 4 hours, the appliance will perform the following actions:
- download the image lists configured in /etc/cloudkeeper/image-lists.conf and verify their signatures
- check for any changes in the lists and download new images
- synchronise this information to the configured glance endpoint
cloudkeeper has two components:
- frontend, dealing with the image lists and downloading the needed images
- backend, dealing with your glance catalogue
First you need to configure and start the backend. Edit /etc/cloudkeeper/cloudkeeper-os.conf:
- aa
Configure the glance credentials in the /etc/atrope/atrope.conf file and add the lists you want to download in /etc/atrope/hepix.yaml. See the following example for the fedcloud.egi.eu list:
# This must match the VO name configured at the voms.json file
fedcloud.egi.eu:
  url: https://vmcaster.appdb.egi.eu/store/vo/fedcloud.egi.eu/image.list
  enabled: true
  # All image lists from AppDB will have this endorser
  endorser:
    dn: '/DC=EU/DC=EGI/C=NL/O=Hosts/O=EGI.eu/CN=appdb.egi.eu'
    ca: "/DC=ORG/DC=SEE-GRID/CN=SEE-GRID CA 2013"
  # You must get this from AppDB
  token: 17580f07-1e33-4a38-94e3-3386daced5be
  # If you want to restrict the images downloaded from the AppDB, you can add here a list of the identifiers;
  # check the "dc:identifier" field in the image list file.
  images: []
  # Image names will be prefixed with this string for easy identification
  prefix: "FEDCLOUD "
Check How to subscribe to a private image list for instructions to get the URL and token. The prefix, if specified, will be prepended to the image title in glance. You can define a subset of images to download with the images field.
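The following is an added example, not atrope or cloudkeeper code, that dry-runs the replication step described above for one hepix.yaml entry and sanity-checks the entry before it is enabled. It assumes (hypothetically) that a downloaded image list yields dc:identifier to title pairs, that glance images expose their title as "name", and that voms.json maps VO names to their mapping as Keystone-VOMS uses it.

```python
# Added example, not atrope/cloudkeeper code: dry run of the 4-hourly
# replication for one hepix.yaml entry plus a check of the entry itself.
# Hypothetical assumptions: the image list yields dc:identifier -> title,
# glance images carry their title in "name", voms.json maps VO -> mapping.

def check_entry(vo, cfg, voms):
    """Return a list of problems found in one image-list entry."""
    problems = []
    if vo not in voms:
        problems.append("%s is not configured in voms.json" % vo)
    if not str(cfg.get("url", "")).startswith("https://"):
        problems.append("image list URL is not https")
    if not cfg.get("token"):
        problems.append("missing AppDB token")
    endorser = cfg.get("endorser") or {}
    if not (endorser.get("dn") and endorser.get("ca")):
        problems.append("endorser dn/ca missing: list signature cannot be pinned")
    return problems

def plan_sync(cfg, listed, glance):
    """Return (titles_to_upload, glance_ids_to_delete) for one list entry."""
    if not cfg.get("enabled", False):
        return [], []                               # disabled list: leave glance alone
    prefix = cfg.get("prefix", "")
    wanted_ids = set(cfg.get("images") or listed)   # images: [] means every image
    wanted = {prefix + title for ident, title in listed.items() if ident in wanted_ids}
    # Only images carrying this list's prefix are managed by the replication.
    # With an empty prefix nothing can be told apart from the site's own images,
    # so the plan then only uploads and never deletes.
    managed = {img["name"]: img["id"] for img in glance
               if prefix and img["name"].startswith(prefix)}
    to_upload = sorted(name for name in wanted if name not in managed)
    to_delete = sorted(managed[name] for name in managed if name not in wanted)
    return to_upload, to_delete

# Constructed sample data mirroring the fedcloud.egi.eu entry shown above
VOMS = {"fedcloud.egi.eu": {"tenant": "VO:fedcloud.egi.eu"}}
CFG = {"url": "https://vmcaster.appdb.egi.eu/store/vo/fedcloud.egi.eu/image.list",
       "enabled": True, "token": "<token from AppDB>", "prefix": "FEDCLOUD ",
       "endorser": {"dn": "/DC=EU/DC=EGI/C=NL/O=Hosts/O=EGI.eu/CN=appdb.egi.eu",
                    "ca": "/DC=ORG/DC=SEE-GRID/CN=SEE-GRID CA 2013"},
       "images": []}
LISTED = {"img-001": "Ubuntu 16.04", "img-002": "CentOS 7", "img-003": "Debian 9"}
GLANCE = [{"name": "FEDCLOUD Ubuntu 16.04", "id": "u1"},
          {"name": "FEDCLOUD Fedora 25", "id": "f1"},    # dropped from the list
          {"name": "site-golden-image", "id": "s1"}]     # the site's own image

if __name__ == "__main__":
    print(check_entry("fedcloud.egi.eu", CFG, VOMS))
    print(plan_sync(CFG, LISTED, GLANCE))
```

Setting images to a list of identifiers narrows the plan to those images only, and the site's own unprefixed images are never scheduled for deletion.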
Running the service
atrope is run via a cron script: /etc/cron.d/atrope. For convenience, the /usr/local/bin/atrope-dispatch.sh script runs the docker container with the proper volumes.