Difference between revisions of "Fedcloud-tf:WorkGroups:Scenario1:OpenNebulaInstallation"
Revision as of 09:14, 9 May 2014
rOCCI-server
This section describes how to install and configure rOCCI-server 1.0.x on Scientific Linux 6 (SL6).
Installation & configuration
See rOCCI-Server#Introduction and follow the instructions. VOMS configuration specific to the EGI FedCloud is below, you should return here after your rOCCI-server has been successfully installed and configured.
VOMS configuration
- Make sure that your server can validate the VOMS attribute certificates issued for the fedcloud.egi.eu and ops VOs, i.e. that the following .lsc files exist. Each file is named after the VOMS server host and holds two lines: the DN of that server's certificate and the DN of the CA that issued it.
<pre>
# cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.egee.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
# cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms2.grid.cesnet.cz.lsc
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms2.grid.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
# cat /etc/grid-security/vomsdir/ops/lcg-voms.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
# cat /etc/grid-security/vomsdir/ops/voms.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
</pre>
- For details on how to support other VOs, see Fedcloud-tf:Support_a_new_Virtual_Organisation
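A malformed or misnamed .lsc file silently breaks VOMS validation for the whole VO, so it is worth checking the vomsdir before enabling a VO. The POSIX shell script below is an added example (not part of this wiki, of VOMS or of rOCCI-server) that walks <vomsdir>/<VO>/*.lsc and verifies that each file has exactly two DN lines, that both look like DNs, and that the CN of the first line equals the file name, which is how the VOMS client locates the file for the AC issuer. It does not verify that the issuing CA of line 2 is installed under /etc/grid-security/certificates; the sample files in the test are constructed from the DNs shown above.

```shell
#!/bin/sh
# Added example, not taken from the EGI wiki, VOMS or rOCCI-server: sanity-check the
# .lsc files of a vomsdir before trusting a VO.
# Assumed layout, as on this page: <vomsdir>/<VO>/<voms-host>.lsc, where line 1 is the
# DN of the VOMS server certificate and line 2 the DN of the CA that issued it. The VOMS
# client picks the file by the host name of the AC issuer, so the CN of line 1 must equal
# the file name. Whether the CA of line 2 is installed under /etc/grid-security/certificates
# is not checked here.

# Print the last CN of a DN: "/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch" -> "voms.cern.ch"
dn_cn() {
    printf '%s\n' "$1" | sed -n 's#.*/CN=\([^/]*\).*#\1#p'
}

# Validate one .lsc file; reports the reason on stderr and returns 1 when it is unusable.
check_lsc() {
    f="$1"
    host=$(basename "$f" .lsc)
    lines=$(grep -v '^[[:space:]]*$' "$f" | grep -v '^#' || true)   # drop blanks and comments
    n=$(printf '%s\n' "$lines" | grep -c . || true)
    if [ "$n" -ne 2 ]; then
        echo "$f: expected 2 DN lines, found $n" >&2
        return 1
    fi
    subj=$(printf '%s\n' "$lines" | sed -n 1p)
    issuer=$(printf '%s\n' "$lines" | sed -n 2p)
    for dn in "$subj" "$issuer"; do
        case "$dn" in
            /*=*) ;;
            *) echo "$f: not a DN: $dn" >&2; return 1 ;;
        esac
    done
    cn=$(dn_cn "$subj")
    if [ "$cn" != "$host" ]; then
        echo "$f: CN '$cn' does not match file name '$host'" >&2
        return 1
    fi
    return 0
}

# Check every <VO> given under <vomsdir>; returns 1 if any VO has a bad or missing .lsc file.
check_vomsdir() {
    dir="$1"; shift
    rc=0
    for vo in "$@"; do
        found=0
        for f in "$dir/$vo"/*.lsc; do
            [ -e "$f" ] || continue
            found=1
            check_lsc "$f" || rc=1
        done
        if [ "$found" -eq 0 ]; then
            echo "$dir/$vo: no .lsc files, ACs of $vo cannot be validated" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_vomsdir.sh /etc/grid-security/vomsdir fedcloud.egi.eu ops
if [ "$#" -ge 2 ]; then
    check_vomsdir "$@" && echo "vomsdir OK"
fi
```

Run it as root after installing the VO files; a non-zero exit means at least one VO would fail attribute validation at request time, with the reason printed per file.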
rOCCI-server + VOMS
OpenNebula
- Configure OpenNebula's x509 auth: modify the /etc/one/auth/x509_auth.conf file so that it points at the same trusted CA directory that Apache uses:
<pre>
# Path to the trusted CA directory. It should contain the trusted CAs for
# the server, each CA certificate should be named CA_hash.0
:ca_dir: "/etc/grid-security/certificates"
</pre>
For more information have a look at the official OpenNebula documentation (http://opennebula.org/documentation).
rOCCI-server
Example VHOST configuration file for Apache2 with only VOMS authentication enabled (on SL6 this is Apache 2.2, hence the Allow from all access control syntax):
<pre>
<VirtualHost *:11443>
    # if you wish to change the default Ruby used to run this app
    PassengerRuby /opt/occi-server/embedded/bin/ruby

    # enable SSL
    SSLEngine on
    # the original example used "SSLProtocol all"; SSLv2 and SSLv3 are broken and should
    # not be offered. Only relax this if a legacy client that needs them cannot be upgraded.
    SSLProtocol all -SSLv2 -SSLv3
    # this should point to your server host certificate
    SSLCertificateFile /etc/grid-security/hostcert.pem
    # this should point to your server host key
    SSLCertificateKeyFile /etc/grid-security/hostkey.pem
    # directory containing the Root CA certificates and their hashes
    SSLCACertificatePath /etc/grid-security/certificates
    # 'optional' tells Apache to verify a client certificate only if one is presented;
    # for X.509 access with GridSite/VOMS it must be 'require'
    SSLVerifyClient require
    # proxy certificates and intermediate CAs make the client chain deeper than one
    # certificate; increase this if valid proxies are rejected with a depth error
    SSLVerifyDepth 10
    # enable passing of SSL variables to Passenger. For GridSite/VOMS, also export the
    # certificate data: GridSite reads the client chain from the SSL_CLIENT_CERT* variables
    SSLOptions +StdEnvVars +ExportCertData

    # set RackEnv
    RackEnv production
    LogLevel info
    ServerName occi.host.example.org

    # important, this needs to point to the public folder of your rOCCI-server
    DocumentRoot /opt/occi-server/embedded/app/rOCCI-server/public
    <Directory /opt/occi-server/embedded/app/rOCCI-server/public>
        ## export the GRST_* credential variables into the request environment
        ## (rOCCI-server's VOMS strategy reads them; also needed for gridsite-admin.cgi)
        GridSiteEnvs on
        ## no GridSite directory listings
        GridSiteIndexes off
        ## If this is greater than zero, we will accept GSI Proxies for clients
        ## (full client certificates - eg inside web browsers - are always ok)
        GridSiteGSIProxyLimit 4
        ## GridSite write/delete methods (as used by non-browser clients such as htcp(1))
        ## are not needed by rOCCI-server, so none are enabled
        GridSiteMethods ""
        Allow from all
        Options -MultiViews
    </Directory>

    # configuration for Passenger
    PassengerUser rocci
    PassengerGroup rocci
    PassengerFriendlyErrorPages off

    # configuration for rOCCI-server
    ## common
    SetEnv ROCCI_SERVER_LOG_DIR /var/log/occi-server
    SetEnv ROCCI_SERVER_ETC_DIR /etc/occi-server
    SetEnv ROCCI_SERVER_PROTOCOL https
    SetEnv ROCCI_SERVER_HOSTNAME occi.host.example.org
    SetEnv ROCCI_SERVER_PORT 11443
    SetEnv ROCCI_SERVER_AUTHN_STRATEGIES "voms"
    SetEnv ROCCI_SERVER_HOOKS dummy
    SetEnv ROCCI_SERVER_BACKEND opennebula
    SetEnv ROCCI_SERVER_LOG_LEVEL info
    SetEnv ROCCI_SERVER_LOG_REQUESTS_IN_DEBUG no
    SetEnv ROCCI_SERVER_TMP /tmp/occi_server
    SetEnv ROCCI_SERVER_MEMCACHES localhost:11211
    ## ONE backend
    SetEnv ROCCI_SERVER_ONE_XMLRPC http://localhost:2633/RPC2
    SetEnv ROCCI_SERVER_ONE_USER rocci
    # password of the OpenNebula user rOCCI-server acts as; the value below is a placeholder.
    # It is stored in clear text here, so keep this file readable by root only
    # (httpd reads its configuration before dropping privileges)
    SetEnv ROCCI_SERVER_ONE_PASSWD ol9OtjurcajdactubecVuevDisEctObodVa
</VirtualHost>
</pre>
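A handful of the directives above decide whether VOMS authentication works at all, and the file also carries the OpenNebula password. The POSIX shell script below is an added example (not part of this wiki or of rOCCI-server) that lints a vhost file for exactly those points: SSLEngine on, SSLVerifyClient require, +ExportCertData, GridSiteEnvs on, "voms" among the authentication strategies, no SSLv2/SSLv3 on offer, and no world-readable file containing ROCCI_SERVER_ONE_PASSWD. It assumes one directive per line as written above, matches directive names case-sensitively, and treats a missing SSLProtocol as Apache 2.2's default of "all". The weak sample it lints when run without arguments is constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the EGI wiki or rOCCI-server: lint an Apache vhost file for
# the settings the VOMS setup depends on. Assumptions: Apache 2.2 syntax as on SL6, one
# directive per line, directive names spelled as in the example above (matched case-sensitively).

# Effective value of a directive in a file (last occurrence wins, comment lines are ignored).
# $1 = file, $2 = directive name, which may include a first argument such as "SetEnv FOO".
vhost_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]\{1,\}//p' "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Record one finding for the file currently being linted.
lint_note() {
    echo "$LINT_FILE: $1"
    LINT_BAD=$((LINT_BAD + 1))
}

# Print one line per finding; the return value is the number of findings (0 = clean).
lint_vhost() {
    LINT_FILE="$1"; LINT_BAD=0
    [ "$(vhost_get "$1" SSLEngine)" = on ] || lint_note "SSLEngine is not on; VOMS needs TLS"
    [ "$(vhost_get "$1" SSLVerifyClient)" = require ] \
        || lint_note "SSLVerifyClient is not 'require'; GridSite/VOMS needs a client certificate"
    case " $(vhost_get "$1" SSLOptions) " in
        *" +ExportCertData "*) ;;
        *) lint_note "SSLOptions lacks +ExportCertData; GridSite cannot see the client chain" ;;
    esac
    proto=$(vhost_get "$1" SSLProtocol)
    for old in SSLv2 SSLv3; do
        case " $proto " in
            *" -$old "*) ;;                                   # explicitly disabled
            *" all "*|*" +all "*|*" $old "*|*" +$old "*|'  ') # enabled, or the 'all' default
                lint_note "SSLProtocol '${proto:-<default all>}' offers $old" ;;
        esac
    done
    [ "$(vhost_get "$1" GridSiteEnvs)" = on ] || lint_note "GridSiteEnvs is not on; GRST_* variables are not exported"
    case "$(vhost_get "$1" 'SetEnv ROCCI_SERVER_AUTHN_STRATEGIES')" in
        *voms*) ;;
        *) lint_note "ROCCI_SERVER_AUTHN_STRATEGIES does not include voms" ;;
    esac
    # The file holds the OpenNebula password in clear text: it must not be world-readable.
    if grep -q 'ROCCI_SERVER_ONE_PASSWD' "$1" && [ -n "$(find "$1" -perm -004)" ]; then
        lint_note "contains ROCCI_SERVER_ONE_PASSWD but is world-readable"
    fi
    return $LINT_BAD
}

# Constructed sample carrying the weak settings the comments above warn about (demo input only).
write_weak_sample() {
    cat > "$1" <<'EOF'
<VirtualHost *:11443>
    SSLEngine on
    SSLProtocol all
    SSLVerifyClient optional
    SSLOptions +StdEnvVars
    GridSiteEnvs on
    SetEnv ROCCI_SERVER_AUTHN_STRATEGIES "voms"
    SetEnv ROCCI_SERVER_ONE_PASSWD changeme
</VirtualHost>
EOF
}

# Usage: sh lint_vhost.sh /etc/httpd/conf.d/occi.conf  (no argument: lint the built-in sample)
if [ "$#" -ge 1 ]; then
    for f in "$@"; do lint_vhost "$f" || echo "$f: $? finding(s)"; done
else
    tmp=$(mktemp); write_weak_sample "$tmp"
    lint_vhost "$tmp" || echo "$? finding(s)"
    rm -f "$tmp"
fi
```

The permission check matters because the SetEnv line is the only place the OpenNebula credential lives; a 0644 file under /etc/httpd/conf.d hands it to every local account.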
Automatic propagation from Perun
See Perun and Fedcloud-tf:Support_a_new_Virtual_Organisation#Enable_a_Virtual_Organisation_on_a_EGI_Federated_Cloud_site_using_OpenNebula.
Manual account management
If you want to use X.509/VOMS authentication for your users, you need to create the users in OpenNebula with the x509 driver. For a user named 'johnsmith' from the fedcloud.egi.eu VO the command may look like this; note that the second argument, the x509 driver's "password", is the user's certificate DN with the primary VOMS FQAN appended:
<pre>
$ oneuser create johnsmith "/DC=es/DC=irisgrid/O=cesga/CN=johnsmith/VO=fedcloud.egi.eu/Role=NULL/Capability=NULL" --driver x509
</pre>
- And its properties, where X509_DN holds the bare DN:
<pre>
$ oneuser update <id_x509_user> X509_DN="/DC=es/DC=irisgrid/O=cesga/CN=johnsmith"
</pre>
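Both values above are derived from the same bare DN, which makes the manual procedure easy to get subtly wrong (a missing /Role=NULL/Capability=NULL, or the FQAN ending up in X509_DN). The POSIX shell script below is an added example (not part of this wiki or of OpenNebula) that builds the driver password and the login name from the DN and VO and runs the two oneuser calls. It assumes that `oneuser create` prints `ID: <n>` and that the OpenNebula 4.x CLI accepts `oneuser update <id> <file> --append`, which it uses instead of the inline form shown above; ONEUSER can be pointed at a stub for a dry run, and the DN it is exercised with is the one from this page.

```shell
#!/bin/sh
# Added example, not from the EGI wiki or OpenNebula: create the x509-driver account that
# rOCCI-server's VOMS strategy maps a user to, from the bare certificate DN and the VO.
# Assumed, as on this page: driver password = "<DN>/VO=<vo>/Role=NULL/Capability=NULL",
# X509_DN = bare DN. Also assumed: "oneuser create" prints "ID: <n>" and the 4.x CLI
# accepts "oneuser update <id> <file> --append". ONEUSER may be overridden for dry runs.

ONEUSER="${ONEUSER:-oneuser}"

# x509 driver password: the DN followed by the primary FQAN.
# $1 = DN, $2 = VO, $3 = role (default NULL), $4 = capability (default NULL)
one_x509_password() {
    printf '%s/VO=%s/Role=%s/Capability=%s\n' "$1" "$2" "${3:-NULL}" "${4:-NULL}"
}

# Login name derived from the DN's last CN: lower-cased, anything but [a-z0-9] becomes "_".
one_login_from_dn() {
    printf '%s\n' "$1" | sed -n 's#.*/CN=\([^/]*\).*#\1#p' | tr 'A-Z' 'a-z' | tr -c 'a-z0-9\n' '_'
}

# Create the user and attach X509_DN; prints the new user ID.
# Returns 2 on unusable input and 1 if oneuser fails.
one_x509_user_create() {
    dn="$1"; vo="$2"
    case "$dn" in
        /*=*) ;;
        *) echo "not a DN: $dn" >&2; return 2 ;;
    esac
    login=$(one_login_from_dn "$dn")
    [ -n "$login" ] || { echo "no CN in DN: $dn" >&2; return 2; }
    pw=$(one_x509_password "$dn" "$vo")
    out=$("$ONEUSER" create "$login" "$pw" --driver x509) || return 1
    id=${out#ID: }
    case "$id" in
        ''|*[!0-9]*) echo "unexpected oneuser output: $out" >&2; return 1 ;;
    esac
    tpl=$(mktemp) || return 1
    printf 'X509_DN="%s"\n' "$dn" > "$tpl"
    "$ONEUSER" update "$id" "$tpl" --append
    rc=$?
    rm -f "$tpl"
    [ "$rc" -eq 0 ] || return 1
    echo "$id"
}

# Usage: sh one_x509_user.sh "/DC=es/DC=irisgrid/O=cesga/CN=johnsmith" fedcloud.egi.eu
if [ "$#" -eq 2 ]; then
    one_x509_user_create "$1" "$2"
fi
```

Run it as the oneadmin user (or with ONE_AUTH pointing at oneadmin's credentials); a second run for the same DN fails at `oneuser create` because the login already exists, which is the safe outcome.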
rOCCI-server upgrade
You can upgrade the server using your package manager. Sites running CentOS 6 or Scientific Linux 6 must rebuild the Passenger Apache module and regenerate its configuration snippet after each upgrade, and then restart httpd:
<pre>
$ /opt/occi-server/embedded/bin/passenger-install-apache2-module --auto --languages ruby
$ /opt/occi-server/embedded/bin/passenger-install-apache2-module --snippet > /etc/httpd/conf.d/passenger.conf
</pre>
rOCCI-cli
Installation & configuration
See Fedcloud-tf:CLI_Environment.
Usage
- To test the VOMS support and your rOCCI-server yourself, create a VOMS proxy and query the server with it. voms-proxy-init writes the proxy to /tmp/x509up_u<uid> of the user running it; the commands below assume uid 1000, so adjust the --user-cred path to your own uid, and set $ENDPOINT to your server's URL, e.g. https://occi.host.example.org:11443/ for the VirtualHost above:
<pre>
# voms-proxy-init -voms fedcloud.egi.eu -rfc
# occi --help
# occi --endpoint $ENDPOINT --auth x509 --resource storage --action list --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint $ENDPOINT --auth x509 --resource network --action list --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint $ENDPOINT --auth x509 --resource compute --action list --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint $ENDPOINT --auth x509 --resource os_tpl --action list --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint $ENDPOINT --auth x509 --resource os_tpl#debian6 --action describe --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint $ENDPOINT --auth x509 --resource compute --action create --attribute occi.core.title="MyrOCCIVM" --mixin os_tpl#debian6 --mixin resource_tpl#small --user-cred /tmp/x509up_u1000 --voms
# occi --endpoint $ENDPOINT --auth x509 --resource /compute/<ID> --action describe --user-cred /tmp/x509up_u1000 --voms
</pre>