Difference between revisions of "Fedcloud-tf:WorkGroups:Scenario8"

From EGIWiki
Jump to: navigation, search
m (OpenStack)
Line 1: Line 1:
{{Fedcloud-tf:Menu}} {{Fedcloud-tf:WorkGroups:Menu}} {{TOC_right}}  
{{Fedcloud-tf:Menu}} {{Fedcloud-tf:WorkGroups:Menu}} {{TOC_right}}  
<font color="red">Leader: Kostas Koumantaros, EGI-InSPIRE SA2 </font>
This workgroup deals with the VM image management open issues:  
== Collaborators  ==
* Provide a mechanism so that a user can upload transparently his own image to the Fedcloud testbed.
* Provide a common place to add an endorsement to a pertinent VM so that it can be trusted.
{| border="1"
! Role
! Institution
! Name
| Scenario leader
| Kostas Koumantaros
| Collaborator
| Michel Jouvin
| Collaborator
| Stuart Kenny
== Roadmap  ==
== Roadmap  ==
*Investigate how to do double endorsement
* Integration with authentication solution (VOMS at the moment).
*Investigate x509 + VOMS authentication
== Scope  ==
== Scope  ==
This workbench deals with the issues around setting up a VM Marketplace to:
== Quick links ==
*Provide a publicly searchable place for VMs that may provide the application that is needed
*Provide a common place to add a token of endorsement to a pertinent VM
== Marketplace Howto  ==
== Register an image with the EGI.eu Marketplace  ==
(''Modified version of instructions compiled by Boris Parak. The original version can be found [http://meta.cesnet.cz/wiki/FedCloudDocumentation:How_to_upload_images_to_the_EGI.eu_Marketplace here]'')
=== Install and configure stratuslab-cli-tools  ===
This part is very straight-forward, we need ''stratuslab-cli-tools''. So
cd ~
mkdir stratuslab
cd stratuslab
wget http://repo.stratuslab.eu:8081/content/repositories/centos-6.2-releases/eu/stratuslab/pkgs/stratuslab-cli-user-pkg/2.2/stratuslab-cli-user-pkg-2.2.tar.gz
tar xvf stratuslab-cli-user-pkg-2.2.tar.gz
and then conclude the installation process by appending the following to ''~/.bashrc''
export PATH=$PATH:~/stratuslab/bin
export PYTHONPATH=$PYTHONPATH:~/stratuslab/lib/stratuslab/python
RPMs for the client are also available from the StratusLab yum repositories, see http://yum.stratuslab.eu/. Packages are provided for CentOS 6.2, OpenSuse 12.1 and Fedora 16.
=== Get demo images  ===
There are two images required for the demo. Each resource provider should upload a metadata entry for each. The first is the BNCweb image, which is available from https://appliance-repo.egi.eu/images/base/egi-bncweb/1.0/egi-bncweb.img. The second is a plain Debian 6 image (https://appliance-repo.egi.eu/images/base/Debian-6.0.5-x86_64-base/1.0/debian-6.0.5-x86_64-base.img).
=== Upload the image into your cloud  ===
==== appliance Repo  ====
Here are the steps for uploading an image to the appliance repo, which you can register to the EGI Marketplace as described below (ref?): The server uses the fedloud.egi.eu voms for authentication. You can register here (https://perun.metacentrum.cz/perun-registrar-cert/?vo=fedcloud.egi.eu). You will also need the hellasgrid-ca-chain.pem file so that curl can verify the server's certificate.
1. Create the directory where you want to place your image:
  curl --cacert ~/path/to/hellasgrid-ca-chain.pem --cert client.pem -X MKCOL https://appliance-repo.egi.eu/images/base/SL-5.7-x86_64-base
curl --cacert ~/path/to/hellasgrid-ca-chain.pem --cert client.pem -X MKCOL https://appliance-repo.egi.eu/images/base/SL-5.7-x86_64-base/1.0
2. upload the image:
  curl --cacert /path/to/hellasgrid-ca-chain.pem -T /path/to/image --cert client.pem https://appliance-repo.egi.eu/images/base/SL-5.5-x86_64-base/1.0/
Curl assumes that your cert.pem file contains your private key and certificate concatenated, if that not the case you will get a ""curl: (58) unable to set private key file: /file" error. A workaround is to create separate files for the private key and certificate. For example you can create the files using your pkcs12 certificate using openssl:
  openssl pkcs12 -in MULTICERT.p12 -out client.pem -clcerts -nokeys
openssl pkcs12 -in MULTICERT.p12 -out key.pem -nocerts
and issue the curl commands by:
  curl --cacert ~/path/to/hellasgrid-ca-chain.pem --key key.pem --cert client.pem
  curl --cacert ~/path/to/hellasgrid-ca-chain.pem --key key.pem --cert client.pem -X MKCOL https://appliance-repo.egi.eu/images/base/SL-5.7-x86_64-base
You can generate the hellasgrid-ca-chain.pem file by:
#wget http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo | mv EGI-trustanchors.repo /etc/yum.repos/
#yum install &nbsp;yum install ca_HellasGrid-CA-2006 ca_HellasGrid-Root
#cat /etc/grid-security/certificates/HellasGrid-Root.pem /etc/grid-security/certificates/HellasGrid-CA-2006.pem &gt; /path/to/new/hellasgrid-ca-chain.pem
==== Other  ====
This step is different for every cloud platform. For instance, in OpenNebula v3.4+ you can use Sunstone GUI to upload images directly, in previous versions you have to upload the image to the frontend and then register it.
Sice FedCloud-TF will be using OCCI to access the cloud, you must provide a location of the image that is OCCI-compatible. To find the right link you can browse through all the storage elements registered in your OCCI server
checking the ''occi.core.title'' attribute for the right name. You should end up with something like
=== Build the metadata  ===
The EGI.eu Marketplace stores only metadata which points to the image, provide basic information and integrity verification. Since RDF is not the most user-friendly format, we can use ''stratus-build-metadata'' to generate a template
stratus-build-metadata --author='##YOUR_NAME##' --type=base --os=Ubuntu --os-version=11.04 --os-arch=x86_64 \
--image-version=1.0 --hypervisor=xen --format=raw --comment='BNCWeb appliance for the OGF35 demo available at ##YOUR_SITE##' \
--compression=none --location='https://occi.host:port/storage/a39a1d08-bff8-5a62-ba68-a1cd76bb4511' egi-bncweb.img
'''Note:''' stratus-build-metadata needs the image to compute checksums, you can download it here [https://appliance-repo.egi.eu/images/base/egi-bncweb/1.0/egi-bncweb.img egi-bncweb.img]
=== Modify the metadata  ===
Now we can check/modify the metadata, the most important elements are ''dcterms:valid'' and ''dcterms:title''.
The correct format for ''dcterms:title'' is ''EGI-##IMAGE_NAME##-##SITE_NAME##''. This field will need to be manually added to the metadata file. You can also modify the validity date as required.
'''Metadata from the EGI.eu Marketplace cannot be removed, it can only expire.''' It is also possible to ''deprecate'' an entry. This might be necessary, if for example, a security issue is detected with the image, or if you simply wish to no longer endorse the image. Instructions for the stratus-deprecate-image command can be found [http://stratuslab.eu/doku.php/ref-doc:user-cli#stratus-deprecate-metadata here].
<pre>&lt;?xml version="1.0" encoding="UTF-8" standalone="no"?&gt;
&lt;rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    &lt;rdf:Description rdf:about="#DtRwHZzoo1xFKtk-iL51t6RNQ9Q"&gt;
        &lt;slreq:checksum rdf:parseType="Resource"&gt;
        &lt;slreq:checksum rdf:parseType="Resource"&gt;
        &lt;slreq:checksum rdf:parseType="Resource"&gt;
        &lt;slreq:checksum rdf:parseType="Resource"&gt;
        &lt;slreq:endorsement rdf:parseType="Resource"/&gt;
        &lt;dcterms:description&gt;BNCWeb appliance for the OGF35 demo available at ##YOUR_SITE##&lt;/dcterms:description&gt;
| name=Notice
| text=These fields should be checked: ''&lt;dcterms:title&gt;EGI-BNCweb-##YOUR_SITE##&lt;/dcterms:title&gt;'' ''&lt;dcterms:creator&gt;##YOUR_NAME##&lt;/dcterms:creator&gt;'' ''&lt;dcterms:description&gt;BNCWeb appliance for the OGF35 demo available at ##YOUR_SITE##&lt;/dcterms:description&gt;'' and ''&lt;dcterms:publisher&gt;##YOUR_SITE##&lt;/dcterms:publisher&gt;''
==== Modify Metadata (OCCI 1.1 servers)  ====
| name=Warning
| text=These changes are required for TF2012 demo.
&lt;slterms:location&gt;https://occi.host:port/storage/##STORAGE ID##&lt;/slterms:location&gt;
&lt;dcterms:requires&gt;https://occi.host:port/network/##NETWORK ID##&lt;/dcterms:requires&gt;
Set &lt;dcterms:valid&gt; field to be used until TF demo:
==== Modify Metadata (rOCCI or OCCI OpenStack servers)  ====
| name=Warning
| text=These changes are required for TF2012 demo
Set &lt;dcterms:valid&gt; field to be used until TF demo:
=== Sign the metadata  ===
To establish the origin of the image, we have to sign the metadata with a personal certificate (ideally the one registered with EGI.eu). '''Before''' doing this you should familiarise yourself with the [https://documents.egi.eu/public/ShowDocument?docid=771 EGI Security Policy for the Endorsement and Operation of Virtual Machine Images].
stratus-sign-metadata --p12-cert=##FULL_PATH_TO_usercred.p12## egi-bncweb.xml
=== Register the metadata with the EGI.eu Marketplace  ===
And to complete the process, we have to upload the metadata to the EGI.eu Marketplace with ''stratus-upload-metadata''
stratus-upload-metadata --marketplace-endpoint=marketplace.egi.eu egi-bncweb.xml
or manually at
=== Howto update and change old metadata  ===
To update uploaded metadata just modify the metadata file, sign it again, and then upload. It is basically the same procedure as uploading new metadata. Only the most recent entry for a particular image identifier/email address is displayed.
== [https://github.com/hepix-virtualisation/vmcatcher VMcatcher]  ==
VMcatcher allows users to subscribe to virtual machine Virtual Machine image lists, cache the images referenced to in the Virtual Machine Image List, validate the images list with x509 based public key cryptography, and validate the images against sha512 hashes in the images lists and provide events for further applications to process updates or expiries of virtual machine images without having to further validate the images.
=== Installation  ===
=== Usage  ===
=== Event Handlers  ===
==== OpenNebula  ====
[https://github.com/robertord/Fedcloud/blob/master/vmcatcher_eventHndlExpl_ON vmcatcher_eventHndlExpl_ON] is a VMcatcher event handler for OpenNebula to store or disable images based on VMcatcher response. The easy way to setup ''vmcatcher_eventHndlExpl_ON'' is creating a cron (use /etc/cron.d/vmcatcher as example):
export VMCATCHER_RDBMS="sqlite:////var/lib/one/vmcatcher.db"
export VMCATCHER_CACHE_DIR_CACHE="/var/lib/one/cache"
export VMCATCHER_CACHE_DIR_DOWNLOAD="/var/lib/one/cache/partial"
export VMCATCHER_CACHE_DIR_EXPIRE="/var/lib/one/cache/expired"
export VMCATCHER_CACHE_EVENT="python &lt;vmcatcher_eventHndlExpl_ON path&gt;/vmcatcher_eventHndlExpl_ON"
50 */6 * * *    oneadmin  (/usr/bin/vmcatcher_subscribe -U; /usr/bin/vmcatcher_cache  ) &gt;&gt; /var/log/vmcatcher.log 2&gt;&amp;1
*vmcatcher_cache must be executed as oneadmin user.
*Environment variables can be used to set default values but the command line options will override any set environment options. Set these env variables for oneadmin user: VMCATCHER_RDBMS, VMCATCHER_CACHE_DIR_CACHE, VMCATCHER_CACHE_DIR_DOWNLOAD, VMCATCHER_CACHE_DIR_EXPIRE and VMCATCHER_CACHE_EVENT.
*vmcatcher_eventHndlExpl_ON generates ON image templates. These templates are available from $VMCATCHER_CACHE_DIR_CACHE/templates (templates nomenclature $VMCATCHER_EVENT_DC_IDENTIFIER.one)
*The new ON images include ''VMCATCHER_EVENT_DC_IDENTIFIER = &lt;VMCATCHER_UUID&gt;'' tag. This tag is used to identify Fedcloud VM images.
*VMcatcher expired images are set as disabled by ON. It is up to the RP to remove disabled images or assign the new ones to a specific ON group or user.
==== OpenStack  ====
vmcatcher may be branched to Openstack Glance catalog using [https://github.com/EGI-FCTF/glancepush glancepush] tool. Basically:
# glancepush-vmcatcher uses vmcatcher's event handler to signal glancepush that a new image was updated in vmcatcher's cache
# glancepush uploads the new image to glance in a quarantined zone (only the configured tenant will have access to the image)
# glancepush instanciates a VM with the new image
# glancepush pass policy compliance tests inside the VM (no hardcoded secrets, packages up to date...)
# if the tests pass, the image will be released publicly in the catalog or stalled otherwise.
Please read the full documentation [https://github.com/EGI-FCTF/glancepush/wiki here].
The binaries for glancepush and glancepush-vmcatcher are located [ftp://ftp.in2p3.fr/ccin2p3/egi-acct-osdriver/  IN2P3-CC ftp repository]
=== Links  ===
[https://github.com/hepix-virtualisation/vmcatcher VMcatcher]
[http://grid.desy.de/vm/hepix/vwg/doc/html/index.shtml HEPIX Virtualisation Working Group]
[http://grid.desy.de/vm/hepix/vwg/doc/html/imagetransfer/imagetransfer.shtml Part&nbsp;IV.&nbsp;Virtual Machine Image Transfer]
[https://github.com/robertord/Fedcloud/blob/master/vmcatcher_eventHndlExpl_ON github OpenNebula VMcatcher event handler]
* [[Fedcloud-tf:WorkGroups:Scenario8:Configuration|Tool configuration]]

Revision as of 09:28, 7 May 2013

Main Roadmap and Innovation Technology For Users For Resource Providers Media

Workbenches: Open issues
Scenario 1
VM Management
Scenario 2
Data Management
Scenario 3
Information Systems
Scenario 4
Scenario 5
Scenario 6
Scenario 7
Federated AAI
Scenario 8
VM Image Management
Scenario 9
Scenario 10
Scenario 11

This workgroup deals with the VM image management open issues:

  • Provide a mechanism so that a user can upload transparently his own image to the Fedcloud testbed.
  • Provide a common place to add an endorsement to a pertinent VM so that it can be trusted.


  • Integration with authentication solution (VOMS at the moment).


Quick links