|
|
| (26 intermediate revisions by one other user not shown) |
| Line 1: |
Line 1: |
| == OpenNebula ==
| | #REDIRECT[[MAN10#OpenNebula]] |
| | |
| === rOCCI-server ===
| |
| | |
| This section describes how to intall and configure rOCCI 0.5.x in SL6
| |
| | |
| ==== Requirements ====
| |
| | |
| The following setup is recommended
| |
| | |
| *usage of the Ruby Version Manger (RVM)
| |
| *Ruby >= 1.9.3
| |
| *Bundler gem installed (use ''gem install bundler'')
| |
| | |
| ==== Installation ====
| |
| | |
| ===== Apache and EMI2 middleware =====
| |
| | |
| *Install EMI2 gridsite packages:
| |
| | |
| # cd /etc/yum.repos.d
| |
| # wget http://eticssoft.web.cern.ch/eticssoft/mock/emi-2-rc-sl6.repo
| |
| # yum install canl-c gridsite gridsite-libs ca-policy-egi-core fetch-crl
| |
| | |
| *Install these packages:
| |
| | |
| # yum install httpd mod_ssl mod_proxy_html
| |
| # chkconfig httpd on
| |
| | |
| ===== RVM =====
| |
| | |
| *As oneadmin run:
| |
| | |
| $ curl -L https://get.rvm.io | sudo bash -s stable
| |
| | |
| *As root add oneadmin user to RVM group:
| |
| | |
| # usermod -a -G rvm oneadmin
| |
| | |
| *Log back in as oneadmin user:
| |
| | |
| $ rvm user gemsets
| |
| | |
| *Checkout latest version from GIT:
| |
| | |
| $ git clone git://github.com/gwdg/rOCCI-server.git
| |
| | |
| *Change to rOCCI folder:
| |
| | |
| $ cd rOCCI-server
| |
| | |
| *Use RVM:
| |
| | |
| $ rvm install ruby-1.9.3
| |
| | |
| *Install dependencies before press 'q', from another console, for SL machine:
| |
| | |
| #yum install build-essential openssl libreadline6 libreadline6-dev curl git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf libc6-dev ncurses-dev automake libtool bison subversion libexpat1-dev rubygem-xmlparser expat expat-devel
| |
| | |
| *Install gems and rocci service (v0.5.x in this case):
| |
| | |
| $ git checkout 0.5.x
| |
| $ gem install bundler
| |
| $ bundle install
| |
| | |
| ==== Configuration ====
| |
| | |
| rOCCI-server comes with different backends. Check the etc folder for available backends (e.g. dummy, opennebula, ...). Each backend has an example configuration in a file with the name of the backend and the extension .json. Copy one of those files to etc/backend/default.json and adapt its content to your setting.
| |
| | |
| To configure the behaviour of compute, network and storage resource creation, edit the backend specific extensions of the OCCI model at etc/backend/$BACKEND/model (e.g. etc/backend/dummy/model for the dummy backend).
| |
| | |
| To change the predefined resource or OS templates, you can adapt the existing templates in etc/backend/$BACKEND/templates or add new templates. If resource or OS templates are already registered in the backend, they will be automatically discovered by rOCCI-server.
| |
| | |
| $ cd /var/lib/one/rOCCI-server/etc/backend/opennebula
| |
| | |
| *And now copy opennebula backend before edit it:
| |
| | |
| $ cp opennebula.json ../default.json
| |
| $ cd ..
| |
| | |
| *And we change it to use our configuration
| |
| | |
| {
| |
| "resources":[
| |
| {
| |
| "kind":"http://rocci.info/server/backend#opennebula",
| |
| "attributes":{
| |
| "info":{
| |
| "rocci":{
| |
| "backend":{
| |
| "opennebula":{
| |
| "endpoint":"http://localhost:2633/RPC2",
| |
| "admin":"rocci",
| |
| "password":"*****",
| |
| "scheme":"http://my.occi.service/"
| |
| }
| |
| }
| |
| }
| |
| }
| |
| }
| |
| }
| |
| ]
| |
| }
| |
| | |
| *Edit ''/var/lib/one/rOCCI-server/etc/backend/opennebula/one_templates/compute.erb'' file to fit your cloud resources:
| |
| | |
| ===== OpenNebula backend =====
| |
| | |
| If you want to change the actual deployment within OpenNebula you can change the OpenNebula templates in the files in /var/lib/one/rOCCI-server/etc/backend/opennebula/one_templates.
| |
| | |
| To configure OpenNebula resource templates (e.g. small, medium, large, ...) change the files in etc/backend/opennebula/templates .
| |
| | |
| *As example to use x86_64 arch by default edit /var/lib/one/rOCCI-server/etc/backend/opennebula/templates and s change this line for these files (for small/medium/large):
| |
| | |
| ...
| |
| "architecture":{
| |
| "Mutable":true,
| |
| "Required":false,
| |
| "Type":"string",
| |
| "Pattern":"x86|x64",
| |
| "Default":"x64"
| |
| ...
| |
| | |
| ===== Add rocci user =====
| |
| | |
| The Sunstone, EC2 and OCCI services communicate with the core using a “server” user. OpenNebula creates the serveradmin account at bootstrap, with the authentication driver server_cipher (symmetric key).
| |
| | |
| This “server” user uses a special authentication mechanism that allows the servers to perform an operation on behalf of other user.
| |
| | |
| *To add rocci user we run as oneadmin:
| |
| | |
| $ oneuser create rocci <good_pass_here_from_default.json> --driver server_cipher
| |
| $ oneuser chgrp rocci oneadmin
| |
| | |
| (!) User/Pass is the same that default.json conf file.
| |
| | |
| ===== Apache conf =====
| |
| | |
| *Add apache user to oneadmin group:
| |
| | |
| # usermod -a -G oneadmin apache
| |
| | |
| *If you want to configure apache automatically, from /var/lib/one/rOCCI-server directory as oneadmin user run this ( {i} for SL6 installation these packages are required: ''apache2-prefork-dev libapr1-dev libaprutil1-dev'')
| |
| | |
| $ bundle exec passenger-install-apache2-module
| |
| | |
| this script shows this info at the end:
| |
| | |
| The Apache 2 module was successfully installed.
| |
|
| |
| Please edit your Apache configuration file, and add these lines:
| |
|
| |
| LoadModule passenger_module /var/lib/one/.rvm/gems/ruby-1.9.3-p327@rOCCI-server/gems/passenger-3.0.12/ext/apache2/mod_passenger.so
| |
| PassengerRoot /var/lib/one/.rvm/gems/ruby-1.9.3-p327@rOCCI-server/gems/passenger-3.0.12
| |
| PassengerRuby /usr/local/rvm/wrappers/ruby-1.9.3-p327@rOCCI-server/ruby
| |
|
| |
| After you restart Apache, you are ready to deploy any number of Ruby on Rails
| |
| applications on Apache, without any further Ruby on Rails-specific
| |
| configuration!
| |
| | |
| *Now we must create '''/etc/httpd/conf.d/passenger.conf''' file as root:
| |
| | |
| # vi /etc/httpd/conf.d/passenger.conf
| |
| | |
| and include these lines
| |
| | |
| # Passenger module for rOCCI
| |
| LoadModule passenger_module /var/lib/one/.rvm/gems/ruby-1.9.3-p327@rOCCI-server/gems/passenger-3.0.12/ext/apache2/mod_passenger.so
| |
| PassengerRoot /var/lib/one/.rvm/gems/ruby-1.9.3-p327@rOCCI-server/gems/passenger-3.0.12
| |
| PassengerRuby /usr/local/rvm/wrappers/ruby-1.9.3-p327@rOCCI-server/ruby
| |
| | |
| *Manually check these files (In this case we will use 3202 port for rOCCI service):
| |
| | |
| Edit /etc/httpd/conf.d/ssl.conf:
| |
| | |
| LoadModule ssl_module modules/mod_ssl.so
| |
| LoadModule gridsite_module /usr/lib64/httpd/modules/mod_gridsite.so
| |
| NameVirtualHost your.host.name:3202
| |
| Listen 443
| |
| Listen 3202
| |
| ...
| |
| | |
| Create a new VirtualHost in the conf.d directory of Apache (e.g. in /etc/httpd/conf.d/rocci.conf) with the following content:
| |
| | |
| <VirtualHost your.host.name:3202>
| |
| ServerName your.host.name
| |
|
| |
| SSLEngine on
| |
| SSLProtocol all
| |
| SSLCertificateFile /etc/grid-security/hostcert.pem
| |
| SSLCertificateKeyFile /etc/grid-security/hostkey.pem
| |
|
| |
| SSLCACertificatePath /etc/grid-security/certificates
| |
| SSLCARevocationPath /etc/grid-security/certificates
| |
|
| |
| SSLVerifyClient require
| |
| SSLVerifyDepth 10
| |
| SSLOptions +StdEnvVars
| |
|
| |
| # important, this needs to point to the public folder of your rOCCI-server
| |
| DocumentRoot /var/lib/one/rOCCI-server/public
| |
| <Directory /var/lib/one/rOCCI-server/public>
| |
|
| |
| ## This exports various bits of info into the CGI environment variables
| |
| GridSiteEnvs on
| |
|
| |
| ## Nice GridSite directory listings turned off
| |
| GridSiteIndexes off
| |
|
| |
| ## If this is greater than zero, we will accept GSI Proxies for clients
| |
| ## (full client certificates - eg inside web browsers - are always ok)
| |
| GridSiteGSIProxyLimit 1
| |
|
| |
| ## This directive stops GridSite from handling DELETE requests before they
| |
| ## get to rOCCI-server
| |
| GridSiteMethods ""
| |
|
| |
| Allow from all
| |
| Options -MultiViews
| |
| </Directory>
| |
|
| |
| LogLevel debug
| |
| </VirtualHost>
| |
| | |
| *'''Change /var/lib/one/rOCCI-server/public permissions as oneadmin:'''
| |
| | |
| $ chmod -R 770 /var/lib/one/rOCCI-server/public
| |
| $ chmod 440 /etc/grid-security/hostkey.pem
| |
| | |
| *'''You have to start/restart Apache before you can use rOCCI-server!'''
| |
| | |
| *Make sure that can validate fedcloud.egi.eu's and ops' certs, i.e. the following files exists:
| |
| | |
| # cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc
| |
| /DC=org/DC=terena/DC=tcs/C=CZ/O=CESNET/CN=voms1.egee.cesnet.cz
| |
| /C=NL/O=TERENA/CN=TERENA eScience SSL CA
| |
|
| |
| # cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms2.grid.cesnet.cz.lsc
| |
| /DC=org/DC=terena/DC=tcs/C=CZ/O=CESNET/CN=voms2.grid.cesnet.cz
| |
| /C=NL/O=TERENA/CN=TERENA eScience SSL CA
| |
| | |
| # cat /etc/grid-security/vomsdir/ops/lcg-voms.cern.ch.lsc
| |
| /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
| |
| /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
| |
|
| |
| # cat /etc/grid-security/vomsdir/ops/voms.cern.ch.lsc
| |
| /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
| |
| /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
| |
| *Finally:
| |
| | |
| /etc/init.d/httpd restart
| |
| | |
| ==== rOCCI + VOMS ====
| |
| | |
| If you want to use X.509/VOMS authentication for your users, you need to create the users in OpenNebula with the X.509 driver. For a user named 'johnsmith' from fedcloud.egi.eu the command may look like this
| |
| | |
| $ oneuser create johnsmith "/DC=es/DC=irisgrid/O=cesga/CN=johnsmith|/DC=es/DC=irisgrid/O=cesga/CN=johnsmith/VO=fedcloud.egi.eu/Role=NULL/Capability=NULL" --driver x509
| |
| | |
| *And its properties:
| |
| | |
| $ oneuser update <id_x509_user>
| |
| X509_DN="/DC=es/DC=irisgrid/O=cesga/CN=johnsmith"
| |
| | |
| *Add OpenNebula x509 auth, modify /etc/one/auth/x509_auth.conf file:
| |
| | |
| # Path to the trusted CA directory. It should contain the trusted CA's for
| |
| # the server, each CA certificate shoud be name CA_hash.0
| |
| :ca_dir: "/etc/grid-security/certificates"
| |
| | |
| For more information have a look at the OpenNebula Documentation on x509 Authentication: http://opennebula.org/documentation:archives:rel3.2:x509_auth
| |
| | |
| ==== rOCCI-server upgrade ====
| |
| | |
| If you checked out rOCCI-server from GIT, then you can pull the latest version or a tagged version, update all required ruby gems using bundler and restart apache server.
| |
| | |
| *As oneadmin (or rocci user depends on your configuration):
| |
| | |
| $ cd rOCCI-server
| |
| | |
| *Check the active branch, should be 0.5.x
| |
| | |
| $ git branch
| |
| * 0.5.x
| |
| ...
| |
| | |
| *Update the server
| |
| | |
| $ git pull
| |
| | |
| *Update dependencies
| |
| | |
| $ bundle install
| |
| | |
| *As root, restart Apache2/httpd, e.g for SL6.
| |
| | |
| $ service httpd restart
| |
| | |
| <br>
| |
| | |
| === OCCI client ===
| |
| | |
| *Runnig on Ubuntu 12.04 with Ruby and Rubygems from repositories
| |
| | |
| $ gem install occi -v "~> 3.1.0"
| |
| | |
| '''Note:''' rOCCI client is compatible with Ruby 1.8.7, 1.9.2 and 1.9.3 + jRuby 1.7.0
| |
| | |
| *Configure your user cert:
| |
| | |
| $ cat $HOME/.globus/usercert.pem $HOME/.globus/userkey.pem >> $HOME/.globus/usercred.pem
| |
| | |
| *To find out more about available options and defaults use
| |
| | |
| $ occi --help
| |
| | |
| *To run the client in an interactive mode use:
| |
| | |
| $ occi --interactive
| |
| $ occi --interactive --endpoint https://cloud.cesga.es:3202/
| |
| $ occi --interactive --endpoint https://cloud.cesga.es:3202/ --auth x509
| |
| | |
| *To list available resources use:
| |
| | |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource compute --auth x509
| |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource storage --auth x509
| |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource network --auth x509
| |
| | |
| *To describe available resources use
| |
| | |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource compute --auth x509
| |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource storage --auth x509
| |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource network --auth x509
| |
| | |
| *To describe specific resources use:
| |
| | |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource https://cloud.cesga.es:3202/compute/<OCCI_ID> --auth x509
| |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource https://cloud.cesga.es:3202/storage/<OCCI_ID> --auth x509
| |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource https://cloud.cesga.es:3202/network/<OCCI_ID> --auth x509
| |
| | |
| *To list available OS templates or Resource templates use:
| |
| | |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource os_tpl --auth x509
| |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource resource_tpl --auth x509
| |
| | |
| *To describe a specific OS template or Resource template use
| |
| | |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource os_tpl#debian6 --auth x509
| |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource resource_tpl#small --auth x509
| |
| | |
| *To create a compute resource with mixins use:
| |
| | |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action create --resource compute --mixin os_tpl#debian6 --mixin resource_tpl#small --resource-title "My rOCCI VM" --auth x509
| |
| | |
| *To delete a compute resource use:
| |
| | |
| $ occi --endpoint https://cloud.cesga.es:3202/ --action delete --resource https://cloud.cesga.es:3202/compute/<OCCI_ID> --auth x509
| |
| | |
| <br>
| |
| | |
| *More info available [https://github.com/gwdg/rOCCI here].
| |
| | |
| | |
| | |
| ==== OCCI+VOMS client usage ====
| |
| | |
| *You can apply for VO "fedcloud.egi.eu" membership in [https://perun.metacentrum.cz/perun-registrar-cert/?vo=fedcloud.egi.eu Perun]
| |
| | |
| *To test VOMS support yourselves, you can use the following:
| |
| | |
| # voms-proxy-init -voms fedcloud.egi.eu
| |
| | |
| # occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource storage --action list --user-cred /tmp/x509up_u1000 --proxy-ca ~/.globus/usercert.pem
| |
| # occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource network --action list --user-cred /tmp/x509up_u1000 --proxy-ca ~/.globus/usercert.pem
| |
| # occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource compute --action list --user-cred /tmp/x509up_u1000 --proxy-ca ~/.globus/usercert.pem
| |
| | |
| # occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource os_tpl --action list --user-cred /tmp/x509up_u1000 --proxy-ca ~/.globus/usercert.pem
| |
| # occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource os_tpl#debian6 --action describe --user-cred /tmp/x509up_u1000 --proxy-ca ~/.globus/usercert.pem
| |
| | |
| # occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource compute --action create --resource-title "MyrOCCIVM" --mixin os_tpl#debian6 --user-cred /tmp/x509up_u1000 --proxy-ca ~/.globus/usercert.pem
| |
| | |
| etc.
| |
| | |
| === References ===
| |
| | |
| *https://github.com/gwdg/rOCCI-server#rocci-server---a-ruby-occi-server
| |
| *http://opennebula.org/documentation:archives:rel3.2:x509_auth
| |
| *https://github.com/gwdg/rOCCI
| |
The wiki is deprecated and due to be decommissioned by the end of September 2022.