|
|
| (One intermediate revision by the same user not shown) |
| Line 1: |
Line 1: |
| {{Fedcloud_Menu}} {{TOC_right}}
| | #REDIRECT [[MAN10]] |
| [[Category:Federated_Cloud]]
| |
| | |
| = Introduction =
| |
| | |
| Integration with FedCloud requires a ''working OpenStack installation as a pre-requirement'' (see http://docs.openstack.org/ for details). This manual provides information on how to set up a Resource Centre providing cloud resources in the EGI infrastructure, using '''OpenStack Ocata'''. FedCloud components are distributed through [[EGI_Cloud_Middleware_Distribution|CMD (Cloud Middleware Distribution)]]; for components distributed with CMD, corresponding instructions will be provided.
| |
| | |
| Your OpenStack resources can be exposed to users in one or both of the EGI Federated Cloud realms:
| |
| * the OpenStack realm, which uses the native OpenStack APIs
| |
| * the Open Standards realm, which uses OCCI standard for providing IaaS capabilities to the users and requires an extra service that allows serving the OCCI API.
| |
| | |
| Your endpoints (Nova, OCCI) will be described [https://goc.egi.eu GOCDB] as described below.
| |
| | |
| = Pre-requirements =
| |
| | |
| This guide assumes a working OpenStack installation. Minimal OpenStack services are:
| |
| * Keystone
| |
| * Nova
| |
| * Cinder
| |
| * Glance
| |
| * Neutron
| |
| | |
| Optionally swift can also be exposed to EGI FedCloud
| |
| | |
| Servers need to authenticate each other in the EGI Federated Cloud context; this is fulfilled using ''X.509 certificates'', so a Resource Centre should be able to obtain ''server certificates'' for some services.
| |
| | |
| = Components description =
| |
| | |
| The integration is performed installing some EGI extensions on top of the OpenStack components.
| |
| | |
| [[File:Openstack-fedcloud.png|800px]]
| |
| | |
| *'''Keystone-VOMS Authorization plugin''' allow users with a valid VOMS proxy to access the OpenStack deployment. See [[AAI guide for OpenStack]] for the upcoming OpenID Connect based integration.
| |
| *'''OpenStack OCCI Interface (ooi)''' translates between OpenStack API and OCCI (optional)
| |
| *'''cASO''' collecting accounting data from OpenStack + '''SSM''' sending the records extracted by cASO to the central accounting database on the EGI Accounting service (APEL)
| |
| *'''BDII cloud provider''' registers the RC configuration and description through the EGI Information System to facilitate service discovery
| |
| *'''cloudkeeper''' checks the [https://appdb.egi.eu/browse/cloud EGI App DB] for new or updated images that can be provided by the RC to the user communities (VO) supported
| |
| | |
| = Configuring the EGI User Management/AAI (Keystone-VOMS) =
| |
| | |
| Every FedCloud site must support authentication of users with X.509 certificates with VOMS extensions. The Keystone-VOMS extension enables this kind of authentication on Keystone.
| |
| | |
| Documentation on the installation is available on https://keystone-voms.readthedocs.io/en/stable-newton/
| |
| | |
| Notes:
| |
| * '''You need a host certificate from a recognised CA for your keystone server'''.
| |
| * Take into account that using keystone-voms plugin will '''enforce the use of https for your Keystone service''', you will need to update your URLs at the Keystone catalog and in the configuration of your services:
| |
| ** You will probably need to include your CA to your system's CA bundle to avoid certificate validation issues: <code>/etc/ssl/certs/ca-certificates.crt</code> from the <code>ca-certificates</code> package on Debian/Ubuntu systems or <code>/etc/pki/tls/certs/ca-bundle.crt</code> from the <code>ca-certificates</code> on RH and derived systems. The [[Federated_Cloud_APIs_and_SDKs#CA_CertificatesCheck|Federated Cloud OpenStack Client guide]] includes information on how to do it.
| |
| ** replace http with https in <code>auth_[protocol|uri|url]</code> and <code>auth_[host|uri|url]</code> in the nova, cinder, glance and neutron config files (<code>/etc/nova/nova.conf</code>, <code>/etc/nova/api-paste.ini</code>, <code>/etc/neutron/neutron.conf</code>, <code>/etc/neutron/api-paste.ini</code>, <code>/etc/neutron/metadata_agent.ini</code>, <code>/etc/cinder/cinder.conf</code>, <code>/etc/cinder/api-paste.ini</code>, <code>/etc/glance/glance-api.conf</code>, <code>/etc/glance/glance-registry.conf</code>, <code>/etc/glance/glance-cache.conf</code>) and any other service that needs to check keystone tokens.
| |
| ** You can update the URLs of the services directly in the database:
| |
| <pre>
| |
| mysql> use keystone;
| |
| mysql> update endpoint set url="https://<keystone-host>:5000/v2.0" where url="http://<keystone-host>:5000/v2.0";
| |
| mysql> update endpoint set url="https://<keystone-host>:35357/v2.0" where url="http://<keystone-host>:35357/v2.0";
| |
| </pre>
| |
| | |
| * Support for EGI VOs: [[HOWTO16 | VOMS configuration]], you should configure fedcloud.egi.eu, dteam and ops VOs.
| |
| | |
| * VOMS-Keystone configuration: most sites should enable the <code>autocreate_users</code> option in the <code>[voms]</code> section of [https://keystone-voms.readthedocs.org/en/latest/configuration.html Keystone-VOMS configuration]. This will enable that new users are automatically created in your local keystone the first time they login into your site.
| |
| | |
| * if (and only if) you need to configure the Per-User Subproxy (PUSP) feature, please follow the specific guide at [[Long-tail_of_science_-_information_for_providers#Instructions_for_OpenStack_providers | Instructions for OpenStack providers]]
| |
| | |
| = Configuring the EGI VM Management Interface (OCCI interface) (Optional) =
| |
| | |
| [https://github.com/openstack/ooi ooi] is the recommended software to provide OCCI for OpenStack. Installation and configuration of ooi is available at [http://ooi.readthedocs.org/en/stable/index.html ooi documentation]. Packages currently supported and working on Mitaka can be found at https://appdb.egi.eu/store/software/ooi/releases/occi-1.1/
| |
| | |
| Once the OCCI interface is installed, you should register it on your installation (adapt the region and URL to your deployment):
| |
| <pre>
| |
| $ openstack service create --name occi --description "OCCI Interface" occi
| |
| +-------------+----------------------------------+
| |
| | Field | Value |
| |
| +-------------+----------------------------------+
| |
| | description | OCCI Interface |
| |
| | enabled | True |
| |
| | id | 6dfd6a56c9a6456b84e8c86038e58f56 |
| |
| | name | occi |
| |
| | type | occi |
| |
| +-------------+----------------------------------+
| |
| | |
| $ openstack endpoint create --region RegionOne occi --publicurl http://172.16.4.70:8787/occi1.1
| |
| | |
| +-------------+----------------------------------+
| |
| | Property | Value |
| |
| +-------------+----------------------------------+
| |
| | description | OCCI service |
| |
| | id | 8e6de5d0d7624584bed6bec9bef7c9e0 |
| |
| | name | occi_api |
| |
| | type | occi |
| |
| +-------------+----------------------------------+
| |
| </pre>
| |
| | |
| = Configuring Accounting, Information System, Image Management =
| |
| | |
| There are two options to install the remaining Accounting, Information System and Image Management components:
| |
| * [[Federated_Cloud_OpenStack_Appliance| using the EGI FedCloud Appliance]] (recommended), which packages docker containers to bundle an OpenStack deployment of the corresponding services
| |
| * [[#Integration_using_individual_components | using individual components]]
| |
| | |
| == Integration using EGI FedCloud Appliance ==
| |
| | |
| Follow the guide in [[Federated Cloud OpenStack Appliance]] to integrate with this method.
| |
| | |
| == Integration using individual components ==
| |
| === EGI Accounting (cASO/SSM) ===
| |
| | |
| Every cloud RC should publish utilization data to the EGI accounting database. You will need to install '''cASO''', a pluggable extractor of Cloud Accounting Usage Records from OpenStack.
| |
| | |
| Documentation on how to install and configure cASO is available at https://caso.readthedocs.org/en/latest/
| |
| | |
| In order to send the records to the accounting database, you will also need to configure '''SSM''', whose documentation can be found at https://github.com/apel/ssm
| |
| | |
| === EGI Information System (BDII) ===
| |
| | |
| Sites must publish information to EGI information system which is based on BDII. The BDII can be installed easily directly from the distribution repository, the package is usually named "bdii".
| |
| | |
| There is a common cloud information provider for all cloud management frameworks that collects the information from the used CMF and send them to the aforementioned BDII. It can be installed on the same machine as the BDII or on another machine. The installation and configuration guide for the cloud information provider can be found in the following [[HOWTO15|Fedclouds BDII instructions]]; more detailed installation and configuration instructions are available at https://github.com/EGI-FCTF/cloud-bdii-provider
| |
| | |
| === EGI Image Management (vmcatcher, glancepush) ===
| |
| | |
| Sites in FedCloud offering VM management capability must give access to VO-endorsed VM images. This functionality is provided with vmcatcher (that is able to subscribe to the image lists available in AppDB) and a set of tools that are able to push the subscribed images into the glance catalog. In order to subscribe to VO-wide image lists, you need to have a valid access token to the AppDB. Check [https://wiki.appdb.egi.eu/main:faq:how_to_get_access_to_vo-wide_image_lists how to access to VO-wide image lists] and [https://wiki.appdb.egi.eu/main:faq:how_to_subscribe_to_a_private_image_list_using_the_vmcatcher how to subscribe to a private image list] documentation for more information.
| |
| | |
| Please refer to [https://github.com/hepix-virtualisation/vmcatcher vmcatcher documentation] for installation.
| |
| | |
| Vmcatcher may be branched to Openstack Glance catalog using [https://appdb.egi.eu/store/software/python.glancepush python-glancepush] tool and [https://appdb.egi.eu/store/software/openstack.handler.for.vmcatcher Openstack Handler for Vmcatcher] event handler. To install and configure glancepush and the handler, you can refer to the following instructions:
| |
| | |
| *Install the latest release of glancepush from https://appdb.egi.eu/store/software/python.glancepush
| |
| **for debian based systems, just download the tarball, extract it, and execute python setup.py install
| |
| | |
| [stack@ubuntu]$ wget http://repository.egi.eu/community/software/python.glancepush/0.0.X/releases/generic/0.0.6/python-glancepush-0.0.6.tar.gz
| |
| [stack@ubuntu]$ tar -zxvf python-glancepush-0.0.6.tar.gz
| |
| [stack@ubuntu]$ python setup.py install
| |
| | |
| **for RHEL6 you can run:
| |
| | |
| [stack@rhel]$ yum localinstall http://repository.egi.eu/community/software/python.glancepush/0.0.X/releases/sl/6/x86_64/RPMS/python-glancepush-0.0.6-1.noarch.rpm
| |
| | |
| *Then, configure glancepush directories
| |
| | |
| [stack@ubuntu]$ sudo mkdir -p /var/spool/glancepush /etc/glancepush/log /etc/glancepush/transform/ /etc/glancepush/clouds /var/log/glancepush
| |
| [stack@ubuntu]$ sudo chown stack:stack -R /var/spool/glancepush /etc/glancepush /var/log/glancepush/
| |
| | |
| *Copy the file /etc/keystone/voms.json to /etc/glancepush/voms.json. Then create a file in clouds file for every VO to which you are subscribed. For example, if you're subscribed to fedcloud, atlas and lhcb, you'll need 3 files in the /etc/glancepush/clouds directory with the credentials for this VO/tenants, for example:
| |
| | |
| [general]
| |
| # Tenant for this VO. Must match the tenant defined in voms.json file
| |
| testing_tenant=egi
| |
| # Identity service endpoint (Keystone)
| |
| endpoint_url=https://server4-eupt.unizar.es:5000/v2.0
| |
| # User Password
| |
| password=123456
| |
| # User
| |
| username=John
| |
| # Set this to true if you're NOT using self-signed certificates
| |
| is_secure=True
| |
| # SSH private key that will be used to perform policy checks (to be done)
| |
| ssh_key=Carlos_lxbifi81
| |
| # WARNING: Only define the next variable if you're going to need it. Otherwise you may encounter problems
| |
| cacert=path_to_your_cert
| |
| | |
| *Install [https://appdb.egi.eu/store/software/openstack.handler.for.vmcatcher Openstack handler for vmcatcher]. For debian based systems, just download the tarball, extract it and execute python setup.py install
| |
| | |
| [stack@ubuntu]$ wget http://repository.egi.eu/community/software/openstack.handler.for.vmcatcher/0.0.X/releases/generic/0.0.7/gpvcmupdate-0.0.7.tar.gz
| |
| [stack@ubuntu]$ tar -zxvf gpvcmupdate-0.0.7.tar.gz
| |
| [stack@ubuntu]$ python setup.py install
| |
| | |
| while for RHEL6 you can run:
| |
| | |
| [stack@rhel]$ yum localinstall http://repository.egi.eu/community/software/openstack.handler.for.vmcatcher/0.0.X/releases/sl/6/x86_64/RPMS/gpvcmupdate-0.0.7-1.noarch.rpm
| |
| | |
| *Create the vmcatcher folders for OpenStack
| |
| | |
| [stack@ubuntu]$ mkdir -p /opt/stack/vmcatcher/cache /opt/stack/vmcatcher/cache/partial /opt/stack/vmcatcher/cache/expired
| |
| | |
| *Check that vmcatcher is running properly by listing and subscribing to an image list
| |
| | |
| [stack@ubuntu]$ export VMCATCHER_RDBMS="sqlite:////opt/stack/vmcatcher/vmcatcher.db"
| |
| [stack@ubuntu]$ vmcatcher_subscribe -l
| |
| [stack@ubuntu]$ vmcatcher_subscribe -e -s https://vmcaster.appdb.egi.eu/store/vappliance/tinycorelinux/image.list
| |
| [stack@ubuntu]$ vmcatcher_subscribe -l
| |
| 8ddbd4f6-fb95-4917-b105-c89b5df99dda True None https://vmcaster.appdb.egi.eu/store/vappliance/tinycorelinux/image.list
| |
| | |
| *Create a CRON wrapper for vmcatcher, named <code>$HOME/gpvcmupdate/vmcatcher_eventHndl_OS_cron.sh</code>, using the following code
| |
| | |
| #!/bin/bash
| |
| #Cron handler for VMCatcher image syncronization script for OpenStack
| |
|
| |
| #Vmcatcher configuration variables
| |
| export VMCATCHER_RDBMS="sqlite:////opt/stack/vmcatcher/vmcatcher.db"
| |
| export VMCATCHER_CACHE_DIR_CACHE="/opt/stack/vmcatcher/cache"
| |
| export VMCATCHER_CACHE_DIR_DOWNLOAD="/opt/stack/vmcatcher/cache/partial"
| |
| export VMCATCHER_CACHE_DIR_EXPIRE="/opt/stack/vmcatcher/cache/expired"
| |
| export VMCATCHER_CACHE_EVENT="python $HOME/gpvcmupdate/gpvcmupdate.py -D"
| |
|
| |
| #Update vmcatcher image lists
| |
| vmcatcher_subscribe -U
| |
|
| |
| #Add all the new images to the cache
| |
| for a in `vmcatcher_image -l | awk '{if ($2==2) print $1}'`; do
| |
| vmcatcher_image -a -u $a
| |
| done
| |
|
| |
| #Update the cache
| |
| vmcatcher_cache -v -v
| |
|
| |
| #Run glancepush
| |
| /usr/bin/glancepush.py
| |
| | |
| *Set the newly created file as executable
| |
| | |
| [stack@ubuntu]$ chmod +x $HOME/gpvcmupdate/vmcatcher_eventHndl_OS_cron.sh
| |
| | |
| *Test that the vmcatcher handler is working correctly by running
| |
| | |
| [stack@ubuntu]$ $HOME/gpvcmupdate/vmcatcher_eventHndl_OS_cron.sh
| |
| INFO:main:Defaulting actions as 'expire', and 'download'.
| |
| DEBUG:Events:event 'ProcessPrefix' executed 'python /opt/stack/gpvcmupdate/gpvcmupdate.py'
| |
| DEBUG:Events:stdout=
| |
| DEBUG:Events:stderr=Ignoring ProcessPrefix event.
| |
| INFO:DownloadDir:Downloading '541b01a8-94bd-4545-83a8-6ea07209b440'.
| |
| DEBUG:Events:event 'AvailablePrefix' executed 'python /opt/stack/gpvcmupdate/gpvcmupdate.py'
| |
| DEBUG:Events:stdout=AvailablePrefix
| |
| DEBUG:Events:stderr=
| |
| INFO:CacheMan:moved file 541b01a8-94bd-4545-83a8-6ea07209b440
| |
| DEBUG:Events:event 'AvailablePostfix' executed 'python /opt/stack/gpvcmupdate/gpvcmupdate.py'
| |
| DEBUG:Events:stdout=AvailablePostfixCreating Metadata Files
| |
| DEBUG:Events:stderr=
| |
| DEBUG:Events:event 'ProcessPostfix' executed 'python /opt/stack/gpvcmupdate/gpvcmupdate.py'
| |
| DEBUG:Events:stdout=
| |
| DEBUG:Events:stderr=Ignoring ProcessPostfix event.
| |
| | |
| <br>
| |
| | |
| *Add the following line to the stack user crontab:
| |
| | |
| 50 */6 * * * $HOME/gpvcmupdate/vmcatcher_eventHndl_OS_cron.sh >> /var/log/glancepush/vmcatcher.log 2>&1
| |
| | |
| ''NOTES:''
| |
| | |
| *It is recommended to execute glancepush and vmcatcher_cache as stack or other non-root user.
| |
| *VMcatcher expired images are removed from OS.
| |
| | |
| = Post-installation =
| |
| | |
| After the installation of all the needed components, it is recommended to set the following policies on Nova to avoid users accessing other users resources:
| |
| <pre>
| |
| [root@egi-cloud]# sed -i 's|"admin_or_owner": "is_admin:True or project_id:%(project_id)s",|"admin_or_owner": "is_admin:True or project_id:%(project_id)s",\n "admin_or_user": "is_admin:True or user_id:%(user_id)s",|g' /etc/nova/policy.json
| |
| [root@egi-cloud]# sed -i 's|"default": "rule:admin_or_owner",|"default": "rule:admin_or_user",|g' /etc/nova/policy.json
| |
| [root@egi-cloud]# sed -i 's|"compute:get_all": "",|"compute:get": "rule:admin_or_owner",\n "compute:get_all": "",|g' /etc/nova/policy.json
| |
| </pre>
| |
| | |
| = Registration, validation and certification =
| |
| | |
| As mentioned in the [https://wiki.egi.eu/wiki/Federated_Cloud_resource_providers_support main page], RC services must be '''registered''' in the [https://goc.egi.eu EGI Configuration Management Database (GOCDB)]. If you are creating a new site for your cloud services, please follow the [https://wiki.egi.eu/wiki/PROC09 Resource Centre Registration and Certification] with the help of EGI Operations and your reference Resource Infrastructure.
| |
| | |
| You will need to register the following services (all of them can be provided by the Federated Cloud Appliance):
| |
| * '''Site-BDII'''. This service collects and publishes site's data for the Information System. Existing sites should already have this registered.
| |
| * '''eu.egi.cloud.accounting'''. Register here the host sending the records to the accounting repository (executing SSM send).
| |
| * '''eu.egi.cloud.vm-metadata.vmcatcher''' for the VMI replication mechanism. Register here the host providing the replication.
| |
| | |
| If offering OCCI interface, the site must register also:
| |
| * '''eu.egi.cloud.vm-management.occi''' for the OCCI endpoint offered by the site. Please note the special endpoint URL syntax described at [[Federated_Cloud_Technology#eu.egi.cloud.vm-management.occi|GOCDB usage in FedCloud]]
| |
| | |
| If offering native OpenStack access, you must register:
| |
| * '''org.openstack.nova''' for the Nova endpoint of the site. Please note the special endpoint URL syntax described at [[Federated_Cloud_Technology#org.openstack.nova|GOCDB usage in FedCloud]]
| |
| | |
| | |
| Site should also declare the following properties using the ''Site Extension Properties'' feature:
| |
| *# Max number of virtual cores for VM with parameter name: <code>cloud_max_cores4VM</code>
| |
| *# Max amount of RAM for VM with parameter name: <code>cloud_max_RAM4VM</code> using the format: value+unit, e.g. "16GB".
| |
| *# Max amount of storage that could be mounted in a VM with parameter name: <code>cloud_max_storage4VM</code> using the format: value+unit, e.g. "16GB".
| |
| | |
| The '''installation validation''' is part of the aforementioned [https://wiki.egi.eu/wiki/PROC09 Resource Centre Registration and Certification] procedure. After you register the services in GOCDB, EGI Operations will test your services using the [[HOWTO04_Site_Certification_Manual_tests#Check_the_functionality_of_the_cloud_elements|site certification manual tests]] mentioned in the same procedure. It is important to use that guide to test the services published to check that they are behaving properly.
| |
| | |
| Once the site services are registered in GOCDB (and flagged as "monitored") they will appear in the EGI service monitoring tools. EGI will check the status of the services (see [https://wiki.egi.eu/wiki/Federated_Cloud_infrastructure_status Infrastructure Status] for details). Check if your services are present in the EGI service monitoring tools and passing the tests; if you experience any issues (services not shown, services are not OK...) please contact back EGI Operations or your reference Resource Infrastructure.
| |
The wiki is deprecated and due to be decommissioned by the end of September 2022.