|
|
| (6 intermediate revisions by one other user not shown) |
| Line 1: |
Line 1: |
| == rOCCI-server ==
| | #REDIRECT[[MAN10#OpenNebula]] |
| | |
| This section describes how to install and configure rOCCI-server 1.0.x in SL6
| |
| | |
| === Installation & configuration ===
| |
| | |
| See [https://github.com/EGI-FCTF/rOCCI-server/wiki/rOCCI-Server-Admin-Guide#Introduction rOCCI-Server#Introduction] and follow the instructions. VOMS configuration specific to the EGI FedCloud is below, you should return here after your rOCCI-server has been successfully installed and configured.
| |
| | |
| === VOMS configuration ===
| |
| | |
| *Make sure that your server can validate fedcloud.egi.eu's and ops' certs, i.e. the following files exist:
| |
| | |
| # cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc
| |
| /DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.egee.cesnet.cz
| |
| /C=NL/O=TERENA/CN=TERENA eScience SSL CA
| |
|
| |
| # cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms2.grid.cesnet.cz.lsc
| |
| /DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms2.grid.cesnet.cz
| |
| /C=NL/O=TERENA/CN=TERENA eScience SSL CA
| |
| | |
| # cat /etc/grid-security/vomsdir/ops/lcg-voms.cern.ch.lsc
| |
| /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
| |
| /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
| |
|
| |
| # cat /etc/grid-security/vomsdir/ops/voms.cern.ch.lsc
| |
| /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
| |
| /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
| |
| | |
| *For details on how to support other VOs, see [[Fedcloud-tf:Support_a_new_Virtual_Organisation]]
| |
| | |
| === rOCCI-server + VOMS ===
| |
| | |
| ==== OpenNebula ====
| |
| *Configure OpenNebula's x509 auth, modify /etc/one/auth/x509_auth.conf file:
| |
| | |
| # Path to the trusted CA directory. It should contain the trusted CA's for
| |
| # the server, each CA certificate shoud be name CA_hash.0
| |
| :ca_dir: "/etc/grid-security/certificates"
| |
| | |
| For more information have a look at the official OpenNebula documentation [http://opennebula.org/documentation]
| |
| | |
| ==== rOCCI-server ====
| |
| Example VHOST configuration file for Apache2 with only VOMS authentication enabled:
| |
| | |
| <pre>
| |
| <VirtualHost *:11443>
| |
| # if you wish to change the default Ruby used to run this app
| |
| PassengerRuby /opt/occi-server/embedded/bin/ruby
| |
| | |
| # enable SSL
| |
| SSLEngine on
| |
| | |
| # for security reasons you may restrict the SSL protocol, but some clients may fail if SSLv2 is not supported
| |
| SSLProtocol all
| |
| | |
| # this should point to your server host certificate
| |
| SSLCertificateFile /etc/grid-security/hostcert.pem
| |
| | |
| # this should point to your server host key
| |
| SSLCertificateKeyFile /etc/grid-security/hostkey.pem
| |
| | |
| # directory containing the Root CA certificates and their hashes
| |
| SSLCACertificatePath /etc/grid-security/certificates
| |
| | |
| # set to optional, this tells Apache to attempt to verify SSL certificates if provided
| |
| # for X.509 access with GridSite/VOMS, however, set to 'require'
| |
| SSLVerifyClient require
| |
| | |
| # if you have multiple CAs in the file above, you may need to increase the verify depht
| |
| SSLVerifyDepth 10
| |
| | |
| # enable passing of SSL variables to passenger. For GridSite/VOMS, enable also exporting certificate data
| |
| SSLOptions +StdEnvVars +ExportCertData
| |
| | |
| # set RackEnv
| |
| RackEnv production
| |
| LogLevel info
| |
| | |
| ServerName occi.host.example.org
| |
| # important, this needs to point to the public folder of your rOCCI-server
| |
| DocumentRoot /opt/occi-server/embedded/app/rOCCI-server/public
| |
| <Directory /opt/occi-server/embedded/app/rOCCI-server/public>
| |
| ## variables (and is needed for gridsite-admin.cgi to work.)
| |
| GridSiteEnvs on
| |
| ## Nice GridSite directory listings (without truncating file names!)
| |
| GridSiteIndexes off
| |
| ## If this is greater than zero, we will accept GSI Proxies for clients
| |
| ## (full client certificates - eg inside web browsers - are always ok)
| |
| GridSiteGSIProxyLimit 4
| |
| ## This directive allows authorized people to write/delete files
| |
| ## from non-browser clients - eg with htcp(1)
| |
| GridSiteMethods ""
| |
| | |
| Allow from all
| |
| Options -MultiViews
| |
| </Directory>
| |
| | |
| # configuration for Passenger
| |
| PassengerUser rocci
| |
| PassengerGroup rocci
| |
| PassengerFriendlyErrorPages off
| |
| | |
| # configuration for rOCCI-server
| |
| ## common
| |
| SetEnv ROCCI_SERVER_LOG_DIR /var/log/occi-server
| |
| SetEnv ROCCI_SERVER_ETC_DIR /etc/occi-server
| |
| | |
| SetEnv ROCCI_SERVER_PROTOCOL https
| |
| SetEnv ROCCI_SERVER_HOSTNAME occi.host.example.org
| |
| SetEnv ROCCI_SERVER_PORT 11443
| |
| SetEnv ROCCI_SERVER_AUTHN_STRATEGIES "voms"
| |
| SetEnv ROCCI_SERVER_HOOKS dummy
| |
| SetEnv ROCCI_SERVER_BACKEND opennebula
| |
| SetEnv ROCCI_SERVER_LOG_LEVEL info
| |
| SetEnv ROCCI_SERVER_LOG_REQUESTS_IN_DEBUG no
| |
| SetEnv ROCCI_SERVER_TMP /tmp/occi_server
| |
| SetEnv ROCCI_SERVER_MEMCACHES localhost:11211
| |
| | |
| ## ONE backend
| |
| SetEnv ROCCI_SERVER_ONE_XMLRPC http://localhost:2633/RPC2
| |
| SetEnv ROCCI_SERVER_ONE_USER rocci
| |
| SetEnv ROCCI_SERVER_ONE_PASSWD ol9OtjurcajdactubecVuevDisEctObodVa
| |
| </VirtualHost>
| |
| </pre>
| |
| | |
| ==== Automatic propagation from Perun ====
| |
| | |
| See [https://github.com/EGI-FCTF/fctf-perun Perun] and [[Fedcloud-tf:Support_a_new_Virtual_Organisation#Enable_a_Virtual_Organisation_on_a_EGI_Federated_Cloud_site_using_OpenNebula]].
| |
| | |
| ==== Manual account management ====
| |
| | |
| If you want to use X.509/VOMS authentication for your users, you need to create users in OpenNebula with the X.509 driver. For a user named 'johnsmith' from the fedcloud.egi.eu VO the command may look like this
| |
| | |
| $ oneuser create johnsmith "/DC=es/DC=irisgrid/O=cesga/CN=johnsmith/VO=fedcloud.egi.eu/Role=NULL/Capability=NULL" --driver x509
| |
| | |
| *And its properties:
| |
| | |
| $ oneuser update <id_x509_user>
| |
| X509_DN="/DC=es/DC=irisgrid/O=cesga/CN=johnsmith"
| |
| | |
| === rOCCI-server upgrade ===
| |
| | |
| You can upgrade the server using your package manager. Sites running on CentOS 6 or Scientific Linux 6 '''must''' execute the following after each upgrade and restart '''httpd''':
| |
| | |
| <pre>
| |
| $ /opt/occi-server/embedded/bin/passenger-install-apache2-module --auto --languages ruby
| |
| $ /opt/occi-server/embedded/bin/passenger-install-apache2-module --snippet > /etc/httpd/conf.d/passenger.conf
| |
| </pre>
| |
| | |
| == rOCCI-cli ==
| |
| | |
| === Installation & configuration ===
| |
| | |
| See [[Fedcloud-tf:CLI_Environment]].
| |
| | |
| === Usage ===
| |
| | |
| *To test the VOMS support & rOCCI-server yourselves, you can use the following:
| |
| | |
| # voms-proxy-init -voms fedcloud.egi.eu -rfc
| |
| | |
| # occi --help
| |
| | |
| # occi --endpoint $ENDPOINT --auth x509 --resource storage --action list --user-cred /tmp/x509up_u1000 --voms
| |
| # occi --endpoint $ENDPOINT --auth x509 --resource network --action list --user-cred /tmp/x509up_u1000 --voms
| |
| # occi --endpoint $ENDPOINT --auth x509 --resource compute --action list --user-cred /tmp/x509up_u1000 --voms
| |
| | |
| # occi --endpoint $ENDPOINT --auth x509 --resource os_tpl --action list --user-cred /tmp/x509up_u1000 --voms
| |
| # occi --endpoint $ENDPOINT --auth x509 --resource os_tpl#debian6 --action describe --user-cred /tmp/x509up_u1000 --voms
| |
| | |
| # occi --endpoint $ENDPOINT --auth x509 --resource compute --action create --attribute occi.core.title="MyrOCCIVM" --mixin os_tpl#debian6 --mixin resource_tpl#small --user-cred /tmp/x509up_u1000 --voms
| |
| # occi --endpoint $ENDPOINT --auth x509 --resource /compute/<ID> --action describe --user-cred /tmp/x509up_u1000 --voms
| |
| | |
| == References ==
| |
| | |
| *https://github.com/EGI-FCTF/rOCCI-server
| |
| *https://github.com/EGI-FCTF/rOCCI-cli
| |
The wiki is deprecated and due to be decommissioned by the end of September 2022.