Difference between revisions of "Fedcloud-tf:WorkGroups:Scenario1:OpenNebulaInstallation"
m (→OCCI client)
(Updated documentation for rOCCI-server 1.0.x)
Revision as of 21:20, 17 April 2014
rOCCI-server
This section describes how to install and configure rOCCI-server 1.0.x on SL6 (Scientific Linux 6).
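Installation & configuration
See rOCCI-Server#Introduction: https://github.com/EGI-FCTF/rOCCI-server/wiki/rOCCI-Server-Admin-Guide#Introduction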
VOMS configuration
- Make sure that your server can validate fedcloud.egi.eu's and ops' certs, i.e. the following files exist:
# cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.egee.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
# cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms2.grid.cesnet.cz.lsc
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms2.grid.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
# cat /etc/grid-security/vomsdir/ops/lcg-voms.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
# cat /etc/grid-security/vomsdir/ops/voms.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
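The check described above can be scripted so that a missing or altered .lsc file is caught before users report failed VOMS authentication. This is an added example, not part of the original wiki page or of rOCCI-server; the function names check_lsc and check_all and the --check switch are made up for illustration, and the expected DNs are the ones listed on this page.

```shell
#!/bin/sh
# Added example: compare VOMS .lsc files with the DN chains shown on this page.
# VOMSDIR defaults to the page's path; override it to test elsewhere.
VOMSDIR="${VOMSDIR:-/etc/grid-security/vomsdir}"

# check_lsc VO HOST SUBJECT_DN ISSUER_DN
# Succeeds only if the file is readable and its first two non-empty lines
# are exactly the expected VOMS server subject DN and issuing CA DN.
check_lsc() {
    file="$VOMSDIR/$1/$2.lsc"
    if [ ! -r "$file" ]; then
        echo "MISSING  $file" >&2
        return 1
    fi
    # Strip trailing whitespace (including CR) and blank lines before comparing.
    actual=$(sed -e 's/[[:space:]]*$//' -e '/^$/d' "$file" | head -n 2)
    expected=$(printf '%s\n%s' "$3" "$4")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $file" >&2
        return 1
    fi
    echo "OK       $file"
}

# check_all: every VO/server pair listed on the page; non-zero if any fails.
check_all() {
    rc=0
    terena_ca="/C=NL/O=TERENA/CN=TERENA eScience SSL CA"
    cern_ca="/DC=ch/DC=cern/CN=CERN Trusted Certification Authority"
    check_lsc fedcloud.egi.eu voms1.egee.cesnet.cz \
        "/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.egee.cesnet.cz" \
        "$terena_ca" || rc=1
    check_lsc fedcloud.egi.eu voms2.grid.cesnet.cz \
        "/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms2.grid.cesnet.cz" \
        "$terena_ca" || rc=1
    check_lsc ops lcg-voms.cern.ch \
        "/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch" "$cern_ca" || rc=1
    check_lsc ops voms.cern.ch \
        "/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch" "$cern_ca" || rc=1
    return $rc
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_all
fi
```

A MISMATCH result means the file no longer names the DN chain this page expects, which is worth investigating before it is simply overwritten.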
rOCCI-server + VOMS
- Configure OpenNebula's x509 auth by modifying the /etc/one/auth/x509_auth.conf file:
# Path to the trusted CA directory. It should contain the trusted CA's for
# the server, each CA certificate should be named CA_hash.0
:ca_dir: "/etc/grid-security/certificates"
For more information, have a look at the official OpenNebula documentation: http://opennebula.org/documentation
Automatic propagation from Perun
See Perun: https://github.com/EGI-FCTF/fctf-perun
Manual account management
If you want to use X.509/VOMS authentication for your users, you need to create users in OpenNebula with the X.509 driver. For a user named 'johnsmith' from the fedcloud.egi.eu VO, the command may look like this:
$ oneuser create johnsmith "/DC=es/DC=irisgrid/O=cesga/CN=johnsmith/VO=fedcloud.egi.eu/Role=NULL/Capability=NULL" --driver x509
- Then set its properties (oneuser update opens an editor; add the X509_DN attribute there):
$ oneuser update <id_x509_user>
X509_DN="/DC=es/DC=irisgrid/O=cesga/CN=johnsmith"
rOCCI-server upgrade
You can upgrade the server using your package manager.
rOCCI-cli
- Running on Ubuntu 12.04 with Ruby and Rubygems from repositories:
$ gem install occi-cli
Note: the rOCCI client is compatible with Ruby 1.9.3, 2.0.0 and JRuby 1.7.0.
- Configure your user cert:
$ cat $HOME/.globus/usercert.pem $HOME/.globus/userkey.pem >> $HOME/.globus/usercred.pem
- To find out more about available options and defaults use:
$ occi --help
- To list available resources use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource compute --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource storage --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource network --auth x509
- To describe available resources use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource compute --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource storage --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource network --auth x509
- To describe specific resources use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource https://cloud.cesga.es:3202/compute/<OCCI_ID> --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource https://cloud.cesga.es:3202/storage/<OCCI_ID> --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource https://cloud.cesga.es:3202/network/<OCCI_ID> --auth x509
- To list available OS templates or Resource templates use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource os_tpl --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action list --resource resource_tpl --auth x509
- To describe a specific OS template or Resource template use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource os_tpl#debian6 --auth x509
$ occi --endpoint https://cloud.cesga.es:3202/ --action describe --resource resource_tpl#small --auth x509
- To create a compute resource with mixins use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action create --resource compute --mixin os_tpl#debian6 --mixin resource_tpl#small --attribute occi.core.title="My rOCCI VM" --auth x509
- To delete a compute resource use:
$ occi --endpoint https://cloud.cesga.es:3202/ --action delete --resource https://cloud.cesga.es:3202/compute/<OCCI_ID> --auth x509
- More info is available at https://github.com/EGI-FCTF/rOCCI-cli.
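The "Configure your user cert" step above appends with >>, so running it twice duplicates the contents, and the resulting file holds the private key with whatever permissions the current umask gives it. The following is an added example, not part of the original wiki page or of rOCCI-cli, that writes the same bundle with owner-only permissions and replaces any old copy; the function names build_usercred, pem_count and file_mode and the --build switch are made up for illustration.

```shell
#!/bin/sh
# Added example: build the combined credential file without appending to an
# old copy and without leaving the private key readable by other users.

# build_usercred CERT KEY OUT
build_usercred() {
    cert=$1; key=$2; out=$3
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "certificate or key not readable" >&2
        return 1
    fi
    # Catch swapped or wrong arguments before writing anything.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "$cert does not contain a PEM certificate" >&2
        return 1
    fi
    if ! grep -q -e 'PRIVATE KEY-----' "$key"; then
        echo "$key does not contain a PEM private key" >&2
        return 1
    fi
    # mktemp creates the file with mode 0600; mv then replaces any old
    # bundle in one step, so re-running never duplicates the contents.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if cat "$cert" "$key" > "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# pem_count FILE: number of PEM objects in FILE (expect 2: cert + key).
pem_count() {
    grep -c -e '^-----BEGIN ' "$1"
}

# file_mode FILE: symbolic permissions, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Build the bundle at the paths used on this page only when asked.
if [ "${1:-}" = "--build" ]; then
    build_usercred "$HOME/.globus/usercert.pem" "$HOME/.globus/userkey.pem" \
        "$HOME/.globus/usercred.pem"
fi
```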
rOCCI-cli + VOMS
- You can apply for VO "fedcloud.egi.eu" membership in Perun: https://perun.metacentrum.cz/perun-registrar-cert/?vo=fedcloud.egi.eu
- Install VOMS clients
- To test VOMS support yourself, you can use the following:
# voms-proxy-init -voms fedcloud.egi.eu -rfc
# occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource storage --action list --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource network --action list --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource compute --action list --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource os_tpl --action list --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource os_tpl#debian6 --action describe --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint https://cloud.cesga.es:3202/ --auth x509 --resource compute --action create --attribute occi.core.title="MyrOCCIVM" --mixin os_tpl#debian6 --user-cred /tmp/x509up_u1000 --voms