rOCCI:OpenNebula Backend
The OpenNebula backend is bundled with rOCCI-server. Follow these steps to configure and activate it:
- Make sure OpenNebula is already installed and running in your environment. Otherwise it is highest time to install it. Note that installation of OpenNebula is beyond the scope of this Admin Guide. You may find useful some of the available OpenNebula Tutorials.
- Create a
rocci
account for the rOCCI-server backend in OpenNebula and make it a member of theoneadmin
group:su - oneadmin oneuser create rocci '<actual_password_edited_out>' --driver server_cipher oneuser chgrp rocci oneadmin exit
- Edit Virtual Host configuration file
/etc/apache2/sites-available/occi-ssl
or/etc/httpd/conf.d/occi-ssl.conf
, respectively, and change the following:- attribute
ROCCI_SERVER_BACKEND
must be set toopennebula
as shown:SetEnv ROCCI_SERVER_BACKEND opennebula
Note: Do not confuse with attribute
ROCCI_SERVER_HOOKS
; that has another purpose. - attribute
ROCCI_SERVER_ONE_PASSWD
must be set to give the password for therocci
user set up in the previous step:SetEnv ROCCI_SERVER_ONE_PASSWD <actual_password_edited_out>
- Server name attributes must be set to the rOCCI server's fully qualified domain name. Set
ROCCI_SERVER_HOSTNAME
andServerName
accordingly:ServerName rocci-server.example.com
and
SetEnv ROCCI_SERVER_HOSTNAME rocci-server.example.com
Note: In case your rOCCI-server is not collocated with OpenNebula, these both need to point to the rOCCI-server. A different attribute is used to indicate the OpenNebula server.
TODO: chmod on VH config file!
- attribute
- Restart the WebServer. You may skip this step if you are going to configure GridSite next.
APT-based distributions (Debian, Ubuntu, …) RPM-based distributions (Scientific Linux, CentOS, …) service apache2 restart
service httpd restart
Tested in Debian 7 Wheezy Tested in SL 6.5 Carbon
Use with GridSite and VOMS (optional)
As long as your site is a part of the EGI Federated Cloud infrastructure, or another infrastructure relying on Virtual Organization Management Services (VOMS), you also need to install the GridSite module for Apache.
-
Choose repository to install from. GridSite is available from standard distribution repositories (EPEL, Debian) but not always in its most recent versions. EGI's UMD repository may be a better source, especially if you are a part of EGI.
- Installing from standard distro repositories:
APT-based distributions (Debian, Ubuntu, …) RPM-based distributions (Scientific Linux, CentOS, …) apt-get install -y gridsite
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm yum install -y gridsite
Tested in Debian 7 Wheezy Tested in SL 6.5 Carbon - Installing from UMD:
APT-based distributions (Debian, Ubuntu, …) RPM-based distributions (Scientific Linux, CentOS, …) UMD is currently only available for Debian 6 Squeeze. If you cannot use the current GridSite version in Wheezy, and want a new one, contact GridSite developers.
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm yum install -y yum-priorities yum-protectbase rpm -ivh http://emisoft.web.cern.ch/emisoft/dist/EMI/3/sl6/x86_64/base/emi-release-3.0.0-2.el6.noarch.rpm yum install -y gridsite
Tested in Debian 7 Wheezy Tested in SL 6.5 Carbon
- Installing from standard distro repositories:
- Make sure
mod_gridsite
is loaded when WebServer starts. If you are installing in accordance with the previous step, it is already OK. Otherwise, you may need to add a config file (see example in/opt/rOCCI-server/examples/etc/apache2/mods-available/zgridsite.load
) and enable the module. - Activate GridSite in you Virtual Host's configuration file—
/etc/apache2/sites-available/occi-ssl
or/etc/httpd/conf.d/occi-ssl.conf
, respectively.- Add the following directives:
## variables (and is needed for gridsite-admin.cgi to work.) GridSiteEnvs on ## Nice GridSite directory listings (without truncating file names!) GridSiteIndexes off ## If this is greater than zero, we will accept GSI Proxies for clients ## (full client certificates - eg inside web browsers - are always ok) GridSiteGSIProxyLimit 4 ## This directive allows authorized people to write/delete files ## from non-browser clients - eg with htcp(1) GridSiteMethods ""
- And change the value of the
SSLVerifyClient
attribute torequire
SSLVerifyClient require - Extend
SSLOptions
attribute with optionExportCertData
: SSLOptions +StdEnvVars +ExportCertData
- Add the following directives:
- Make sure your VOMS settings are present, either in
/etc/vomses
or as.lsc
files in the/etc/grid-security/vomsdir
structure. - Enable GridSite and restart the WebServer.
APT-based distributions (Debian, Ubuntu, …) RPM-based distributions (Scientific Linux, CentOS, …) a2enmod zgridsite service apache2 restart
service httpd restart
Tested in Debian 7 Wheezy Tested in SL 6.5 Carbon
The Autocreate Authentication Hook
As explained earlier, local accounts should be created for all authorized users in OpenNebula by means of a suitable synchronization tool, such as Perun. This is highly recommended since only that solution takes proper care of the overall user account life cycle, including deletion.
That said, there may be virtual organizations you must support in your site without the ability to synchronise all their user base with local accounts in your cloud manager. In that case, you may take advantage of the OpenNebula User Autocreate Hook. Once activated, it automatically creates local OpenNebula accounts for users who present appropriate VOMS proxies coming from listed virtual organizations.
To enable automatic creation of OpenNebula accounts, edit the Virtual Host configuration file /etc/apache2/sites-available/occi-ssl
or /etc/httpd/conf.d/occi-ssl.conf
, respectively, and use the ROCCI_SERVER_ONEUSER_AUTOCREATE_HOOK_VO_NAMES
option to give a space-delimited list of VOs whose members you wish accepted in autocreate mode. Also, do not forget to activate the hook by listing it with the ROCCI_SERVER_HOOKS
option. For instance:
SetEnv ROCCI_SERVER_HOOKS oneuser_autocreate ... SetEnv ROCCI_SERVER_ONEUSER_AUTOCREATE_HOOK_VO_NAMES examplevo samplevo |
Then restart the Web Server.
With the autocreate hook configured, be aware that your OpenNebula will be populated with unmanaged user accounts! I.e., those accounts will remain active, and their VMs will remain running, even after those users have left the VO or, even worse, have been banned! Activating the autocreate hook is recommended only as a last resort, temporarily, until a more systematic solution has been found. It is highly recommended to audit the autocreated accounts periodically, and definitely after the hook has been deactivated again!