Fedcloud-tf:WorkGroups:Scenario1:OpenNebulaInstallation
rOCCI-server
This section describes how to install and configure rOCCI-server 1.0.x on SL6.
Installation & configuration
See rOCCI:ROCCI-server_Admin_Guide and follow the instructions there. The VOMS configuration specific to the EGI FedCloud is described below; return here once your rOCCI-server has been successfully installed and configured.
VOMS configuration
- Make sure that your server can validate the certificates of the fedcloud.egi.eu and ops VOMS servers, i.e. that the following files exist:
# cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.egee.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
# cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms2.grid.cesnet.cz.lsc
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms2.grid.cesnet.cz
/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA eScience SSL CA 2
# cat /etc/grid-security/vomsdir/ops/lcg-voms.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
# cat /etc/grid-security/vomsdir/ops/voms.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
- For details on how to support other VOs, see Fedcloud-tf:Support_a_new_Virtual_Organisation
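A small sanity check for the vomsdir layout shown above, added here as an example (it is not part of the wiki page or of rOCCI-server): it parses the .lsc format (subject DN, then issuer DN, further chains separated by a line of dashes) and verifies that the host name in the file name matches the CN of the first subject DN, which is the mismatch that silently breaks VOMS validation. The sample files are constructed in memory; the first two are copied from the listing above and the third is deliberately incomplete.

```python
import os
import re

# Constructed stand-in for /etc/grid-security/vomsdir/<vo>/<host>.lsc: the first two
# entries are copied from the listing above, the third is deliberately broken.
SAMPLE_LSC = {
    "fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc":
        "/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.egee.cesnet.cz\n"
        "/C=NL/O=TERENA/CN=TERENA eScience SSL CA\n",
    "ops/lcg-voms.cern.ch.lsc":
        "/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch\n"
        "/DC=ch/DC=cern/CN=CERN Trusted Certification Authority\n",
    "ops/broken.example.org.lsc":  # issuer DN line missing
        "/DC=ch/DC=cern/OU=computers/CN=broken.example.org\n",
}


def parse_lsc(text):
    """DN chains of an .lsc file as (subject, issuer, ...) tuples; ValueError if malformed."""
    chains = []
    for block in re.split(r"(?m)^-{2,}[ \t]*$", text):  # alternative chains are dash-separated
        dns = [s for s in map(str.strip, block.splitlines()) if s and not s.startswith("#")]
        if not dns:
            continue
        if len(dns) < 2 or not all(dn.startswith("/") for dn in dns):
            raise ValueError("each chain needs >= 2 DN lines in OpenSSL slash format")
        chains.append(tuple(dns))
    if not chains:
        raise ValueError("no DN chain found")
    return chains


def cn_of(dn):
    """Common name of an OpenSSL-style DN, or None when absent."""
    match = re.search(r"/CN=([^/]+)", dn)
    return match.group(1) if match else None


def check_vomsdir(files):
    """Map each <vo>/<host>.lsc path to 'ok' or to a description of the problem."""
    report = {}
    for path, text in files.items():
        host = os.path.basename(path)[:-len(".lsc")]  # host name the file is for
        try:
            subject_cn = cn_of(parse_lsc(text)[0][0])
        except ValueError as exc:
            report[path] = "malformed: %s" % exc
            continue
        report[path] = "ok" if subject_cn == host else (
            "subject CN %r does not match file name %r" % (subject_cn, host))
    return report
```

To run it against a real installation, build the dict by walking /etc/grid-security/vomsdir and reading each .lsc file.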
rOCCI-server + VOMS
OpenNebula
- Configure OpenNebula's X.509 authentication by modifying the /etc/one/auth/x509_auth.conf file:
# Path to the trusted CA directory. It should contain the trusted CA's for
# the server, each CA certificate should be named CA_hash.0
:ca_dir: "/etc/grid-security/certificates"
For more information, have a look at the official OpenNebula documentation [1].
rOCCI-server
Example VHOST configuration file for Apache2 with only VOMS authentication enabled:
<VirtualHost *:11443>
  # if you wish to change the default Ruby used to run this app
  PassengerRuby /opt/occi-server/embedded/bin/ruby

  # enable SSL
  SSLEngine on

  # for security reasons you may restrict the SSL protocol, but some clients may fail if SSLv2 is not supported
  SSLProtocol all

  # this should point to your server host certificate
  SSLCertificateFile /etc/grid-security/hostcert.pem

  # this should point to your server host key
  SSLCertificateKeyFile /etc/grid-security/hostkey.pem

  # directory containing the Root CA certificates and their hashes
  SSLCACertificatePath /etc/grid-security/certificates

  # set to optional, this tells Apache to attempt to verify SSL certificates if provided
  # for X.509 access with GridSite/VOMS, however, set to 'require'
  SSLVerifyClient require

  # if you have multiple CAs in the file above, you may need to increase the verify depth
  SSLVerifyDepth 10

  # enable passing of SSL variables to passenger. For GridSite/VOMS, enable also exporting certificate data
  SSLOptions +StdEnvVars +ExportCertData

  # set RackEnv
  RackEnv production

  LogLevel info

  ServerName occi.host.example.org

  # important, this needs to point to the public folder of your rOCCI-server
  DocumentRoot /opt/occi-server/embedded/app/rOCCI-server/public

  <Directory /opt/occi-server/embedded/app/rOCCI-server/public>
    ## variables (and is needed for gridsite-admin.cgi to work.)
    GridSiteEnvs on

    ## Nice GridSite directory listings (without truncating file names!)
    GridSiteIndexes off

    ## If this is greater than zero, we will accept GSI Proxies for clients
    ## (full client certificates - eg inside web browsers - are always ok)
    GridSiteGSIProxyLimit 4

    ## This directive allows authorized people to write/delete files
    ## from non-browser clients - eg with htcp(1)
    GridSiteMethods ""

    Allow from all
    Options -MultiViews
  </Directory>

  # configuration for Passenger
  PassengerUser rocci
  PassengerGroup rocci
  PassengerFriendlyErrorPages off

  # configuration for rOCCI-server
  ## common
  SetEnv ROCCI_SERVER_LOG_DIR /var/log/occi-server
  SetEnv ROCCI_SERVER_ETC_DIR /etc/occi-server
  SetEnv ROCCI_SERVER_PROTOCOL https
  SetEnv ROCCI_SERVER_HOSTNAME occi.host.example.org
  SetEnv ROCCI_SERVER_PORT 11443
  SetEnv ROCCI_SERVER_AUTHN_STRATEGIES "voms"
  SetEnv ROCCI_SERVER_HOOKS dummy
  SetEnv ROCCI_SERVER_BACKEND opennebula
  SetEnv ROCCI_SERVER_LOG_LEVEL info
  SetEnv ROCCI_SERVER_LOG_REQUESTS_IN_DEBUG no
  SetEnv ROCCI_SERVER_TMP /tmp/occi_server
  SetEnv ROCCI_SERVER_MEMCACHES localhost:11211

  ## ONE backend
  SetEnv ROCCI_SERVER_ONE_XMLRPC http://localhost:2633/RPC2
  SetEnv ROCCI_SERVER_ONE_USER rocci
  SetEnv ROCCI_SERVER_ONE_PASSWD ol9OtjurcajdactubecVuevDisEctObodVa
</VirtualHost>
It is strongly recommended to set SSLVerifyClient require and SetEnv ROCCI_SERVER_AUTHN_STRATEGIES "voms"!
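A lint check for exactly these settings, added here as an example (not part of the wiki page or of rOCCI-server): it reads the directives of a vhost file and reports when SSLVerifyClient is not require, when ROCCI_SERVER_AUTHN_STRATEGIES does not list voms, when +ExportCertData is missing from SSLOptions (the VOMS attributes are read from the exported client certificate), and, as a notice only, when SSLProtocol is left at all. The vhost fragments are constructed; the hardened variant's SSLProtocol all -SSLv2 -SSLv3 is one way of applying the "you may restrict the SSL protocol" comment above, and treating the strategies value as a comma- or space-separated list is an assumption.

```python
import shlex

# Constructed vhost fragment carrying the weak settings the text above warns against.
WEAK_VHOST = """
<VirtualHost *:11443>
  SSLEngine on
  SSLProtocol all
  # client certificates merely accepted if offered, never demanded
  SSLVerifyClient optional
  SSLOptions +StdEnvVars
  SetEnv ROCCI_SERVER_AUTHN_STRATEGIES "basic"
</VirtualHost>
"""

# The same fragment with the recommended settings applied.
HARDENED_VHOST = (WEAK_VHOST.replace("SSLVerifyClient optional", "SSLVerifyClient require")
                  .replace("+StdEnvVars", "+StdEnvVars +ExportCertData")
                  .replace('"basic"', '"voms"')
                  .replace("SSLProtocol all", "SSLProtocol all -SSLv2 -SSLv3"))


def directives(vhost_text):
    """Yield (name, args) for every directive line; comment lines and <tags> are skipped."""
    for raw in vhost_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            parts = shlex.split(line)  # honours the quoting used by SetEnv values
            yield parts[0], parts[1:]


def lint_vhost(vhost_text):
    """Return a list of findings; an empty list means the VOMS-relevant settings are right."""
    env, seen = {}, {}
    for name, args in directives(vhost_text):
        if name == "SetEnv" and args:
            env[args[0]] = args[1] if len(args) > 1 else ""
        else:
            seen[name] = args  # last occurrence wins, as in Apache
    findings = []
    if seen.get("SSLVerifyClient") != ["require"]:
        findings.append("SSLVerifyClient must be 'require' for X.509/VOMS access")
    strategies = env.get("ROCCI_SERVER_AUTHN_STRATEGIES", "")
    if "voms" not in strategies.replace(",", " ").split():
        findings.append("ROCCI_SERVER_AUTHN_STRATEGIES should include voms (got %r)" % strategies)
    if "+ExportCertData" not in seen.get("SSLOptions", []):
        findings.append("SSLOptions lacks +ExportCertData, so VOMS attributes cannot be read")
    if seen.get("SSLProtocol") == ["all"]:
        findings.append("notice: SSLProtocol all leaves every SSL/TLS version enabled")
    return findings
```

Run lint_vhost on the contents of your real vhost file; the full example configuration above produces only the SSLProtocol notice.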
Automatic propagation from Perun
See Perun and Fedcloud-tf:Support_a_new_Virtual_Organisation#Enable_a_Virtual_Organisation_on_a_EGI_Federated_Cloud_site_using_OpenNebula.
Manual account management
If you want to use X.509/VOMS authentication for your users, you need to create the users in OpenNebula with the X.509 driver. For a user named 'johnsmith' from the fedcloud.egi.eu VO the command may look like this:
$ oneuser create johnsmith "/DC=es/DC=irisgrid/O=cesga/CN=johnsmith/VO=fedcloud.egi.eu/Role=NULL/Capability=NULL" --driver x509
- Then set the user's X.509 DN property:
$ oneuser update <id_x509_user> X509_DN="/DC=es/DC=irisgrid/O=cesga/CN=johnsmith"
rOCCI-server upgrade
You can upgrade the server using your package manager.
rOCCI-cli
Installation & configuration
See Fedcloud-tf:CLI_Environment.
Usage
- To test VOMS support and your rOCCI-server yourself, use the following commands:
# voms-proxy-init -voms fedcloud.egi.eu -rfc
# occi --help
# occi --endpoint $ENDPOINT --auth x509 --resource storage --action list --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint $ENDPOINT --auth x509 --resource network --action list --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint $ENDPOINT --auth x509 --resource compute --action list --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint $ENDPOINT --auth x509 --resource os_tpl --action list --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint $ENDPOINT --auth x509 --resource os_tpl#debian6 --action describe --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint $ENDPOINT --auth x509 --resource compute --action create --attribute occi.core.title="MyrOCCIVM" --mixin os_tpl#debian6 --mixin resource_tpl#small --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint $ENDPOINT --auth x509 --resource /compute/<ID> --action describe --user-cred /tmp/x509up_u1000 --voms