Fedcloud-tf:ResourceProviders:OpenStack

From EGIWiki
Revision as of 12:07, 29 July 2014 by Spinto (talk | contribs) (CDMI installation and configuration)



OpenStack Resource Provider Deployment guide

This section describes the steps necessary for a new Resource Provider (RP) using OpenStack middleware to join the EGI Cloud Federation. Using the latest OpenStack version is strongly recommended. Specifically, VOMS-enabled authentication requires the Havana version of Keystone. The installation and configuration instructions for OpenStack are available online[1].

The actual integration with the EGI Cloud Federation consists of the following steps:

  1. VOMS-enabled Keystone installation and configuration
  2. OCCI installation and configuration
  3. Integration with accounting service APEL
  4. Integration with VM Image Management infrastructure
  5. Integration with information system
  6. Registration of deployed services in GOCDB

Each of the above-mentioned steps is a requirement for every Resource Provider wishing to join the EGI Cloud Federation. Resource Providers are welcome to deploy and offer additional services such as object storage (CDMI), but this is not a requirement at this time. A detailed description of each step follows.

VOMS-enabled Keystone installation and configuration

The installation and configuration instructions for VOMS-enabled Keystone are available online[2]. This enables the X.509 authentication mechanism and allows users with a valid VOMS proxy certificate to log in. The actual VO for the EGI Cloud Federation, fedcloud.egi.eu, should be enabled in the configuration (details can be found here: Federated AAI Configuration). There is an option for automatically creating new users for a trusted VO on the fly.

OCCI installation and configuration

The installation and configuration steps for OCCI are available online[3]. The installation and configuration should be done on the machine running the Nova server. Take care to select the appropriate branch for your OpenStack installation.

For more information, detailed instructions for installing and configuring OCCI support on OpenStack Grizzly, provided by INFN, are available here.

Integration with accounting service APEL

As for RPs using OpenNebula, the client for the accounting service APEL must be installed and configured. The details of installing and configuring APEL for OpenStack are available at[4][5].

Integration with VM Image management infrastructure

Resource Providers are required to integrate their OpenStack installation with an image management service used within the federation. Installation and configuration details are available online in the Wiki[6]. This service ensures that all images are trusted and up-to-date for all Resource Providers across the federation.

In addition to vmcaster/vmcatcher, glancepush-vmcatcher[7] uses vmcatcher's event handler to signal glancepush that a new image was updated in vmcatcher's cache. glancepush then checks the images in the vmcatcher cache and publishes them to the Glance service in OpenStack.

Integration with information system LDAP/BDII

Integration with BDII for an RP using OpenStack is identical to the OpenNebula case. The instructions are available online in the Wiki[8].

CDMI installation and configuration

For the OpenStack Storage service (Swift) to work within the EGI Federated Cloud, the CDMI OpenStack add-on needs to be installed. To do so, you can follow the instructions here.

NOTE: If you are using the OpenStack Havana stable branch (stable/havana) and you have delay_auth_decision = 1 in your /etc/swift/proxy-server.conf file (which is required to support public access to files), the WWW-Authenticate header is not sent correctly by the CDMI interface. To fix this, you need to apply, over a stable/havana distribution, first the following patch:

    git fetch https://review.openstack.org/openstack/swift refs/changes/76/43476/14 && git checkout FETCH_HEAD

and then this patch: https://bugs.launchpad.net/swift/+bug/1349364

NOTE: If you are using the OpenStack Icehouse stable branch (stable/icehouse) and you have delay_auth_decision = 1 in your /etc/swift/proxy-server.conf file (which is required to support public access to files), the WWW-Authenticate header is not sent correctly by the CDMI interface for Keystone authentication. To fix this, you need to apply this patch: https://bugs.launchpad.net/swift/+bug/1349364
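As an added example (not part of the wiki page and not EGI or OpenStack code), the Python below checks whether a proxy-server.conf enables delay_auth_decision, maps the stable branch to the fix steps given in the two notes, and flags a 401 response that carries no WWW-Authenticate header. The function names, the set of accepted "true" spellings, and the choice to treat a missing header on a 401 as the symptom are assumptions.

```python
import configparser

# Values taken from the notes above.
BUG_URL = "https://bugs.launchpad.net/swift/+bug/1349364"
HAVANA_FETCH = ("git fetch https://review.openstack.org/openstack/swift "
                "refs/changes/76/43476/14 && git checkout FETCH_HEAD")
# Assumption: spellings treated as "enabled"; the page itself only shows "1".
TRUE_VALUES = {"1", "true", "yes", "on"}


def delayed_auth_sections(conf_text):
    """Return the sections of a proxy-server.conf that enable delay_auth_decision."""
    # RawConfigParser: no '%' interpolation, which paste-deploy files may contain.
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(conf_text)
    hits = []
    for section in parser.sections():
        value = parser.get(section, "delay_auth_decision", fallback="")
        if value.split("#")[0].strip().lower() in TRUE_VALUES:
            hits.append(section)
    return hits


def fixes_for(branch, conf_text):
    """Map a stable branch plus config to the fix steps listed in the notes."""
    if not delayed_auth_sections(conf_text):
        return []
    if branch == "stable/havana":
        return [HAVANA_FETCH, BUG_URL]
    if branch == "stable/icehouse":
        return [BUG_URL]
    return []  # the notes cover no other branch


def lacks_challenge(status, headers):
    """True when a 401 response carries no WWW-Authenticate header."""
    names = {name.lower() for name in headers}
    return status == 401 and "www-authenticate" not in names


# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """
[filter:authtoken]
delay_auth_decision = 1
"""

if __name__ == "__main__":
    print(fixes_for("stable/havana", SAMPLE_CONF))
```

To check a live deployment, pass the contents of /etc/swift/proxy-server.conf to fixes_for and feed lacks_challenge the status and headers of an unauthenticated request to the CDMI endpoint.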

References