Introduction

EGI cloud supports 3 middlewares. It means you can base your cloud site installation on one of the following cloud software:

• OpenNebula
• OpenStack
• Synnefo

If you want to install an EGI Cloud Site please have a look at our EGI Cloud Site Installation Manuals below.

Note: EGI Cloud Site Installation Manual is a step-by-step instruction for Cloud Site Admin. The manual is not meant to be a comprehensive on topics related to the installation, it is a collection of steps taken by someone to install an EGI cloud site starting from a scratch. Commands executed should be made available for someone to copy&paste and easily follow up. At some initial stage the manual may not cover all cases, but it is meant to be extended by other site admins while following up the manual. It is a living document.

The manuals

Current issues:

• Documentation for cloud components is written with assumption that the admin knows where (machine, neighbour components) this components should be installed. It is missing the general cloud site deployment context
• Documentation should address the prerequsities part. 
• Documentation should address the constraints and limitations part i.e. supported operating systems, software versions.
• Documentation should provide a contact person (per component) which can be contacted in case of questions/problems.  
• Documentation should provide commands for checking validity of installation.

Prerequisities & Limitations

Whatever cloud stack you choose you need to prepare some things at the begining:

1. Hardware (minimal hw requirements for small cloud site e.g up to 100 VMs):
   
   1. number of physical machines, performance/capacity requirements: RAM size
   2. disk space - how big, where must be connected, performance of network links (images are heavy!)
2. DNS names, X.509 certificates
3. Register in fedcloud VO
4. Registration in AppDB to have access to private EGI VM image repository
5. What operating systems are supported

Cloud management frameworks

OpenStack

This part is under construction.

EGI Cloud site can be based on OpenStack software with some EGI extensions. See deployment schema (Note: high level description on what modules are to be put on which machines.)

OpenStack installation

Integration with FedCloud requires a working OpenStack installation. Follow the general documentation at http://docs.openstack.org/, there are packages ready to use for most distributions (check for example RDO for RedHat based distributions).

Requirements and Limitations

OpenStack integration with FedCloud is known to work with the following versions of OpenStack:

• Havana (EOL by OpenStack, should not be used in production)
• Icehouse
• Juno

Suggested list of services to provide FedCloud integration:

• Keystone service must be available in any case.
• If providing OCCI access (VM management):
  • Nova
  • Cinder
  • Glance
  • Neutron (nova-network can also be used for legacy installations), Per-tenant routers with private networks configuration is known to work.
• If providing CDMI access (Object storage):
  • Swift

AAI integration in OpenStack

Every FedCloud site must support authentication of users with X.509 certificates with VOMS extensions. The Keystone-VOMS extension enables this kind of authentication on Keystone.

• Pre-requisites: you will need a valid host certificate from a EUGridPMA CA.

• Installation: documentation on the installation is available at Keystone-voms documentation. Make sure to use the correct documentation for your OpenStack version.

• Take into account that using keystone-voms plugin will enforce the use of https for your Keystone service, you will need to update your URLs at the Keystone catalog and in the configuration of your services:
  • You will probably need to include your CA to your system's CA bundle to avoid certificate validation issues: /etc/ssl/certs/ca-certificates.crt from the ca-certificates package on Debian/Ubuntu systems or /etc/pki/tls/certs/ca-bundle.crt from the ca-certificates on RH and derived systems. Check the packages documentation to add a new CA to those bundles.
  • replace http with https in auth_[protocol|uri|url] and auth_[host|uri|url] in the nova, cinder, glance and neutron config files (/etc/nova/nova.conf, /etc/nova/api-paste.ini, /etc/neutron/neutron.conf, /etc/neutron/api-paste.ini, /etc/neutron/metadata_agent.ini, /etc/cinder/cinder.conf, /etc/cinder/api-paste.ini, /etc/glance/glance-api.conf, /etc/glance/glance-registry.conf, /etc/glance/glance-cache.conf) and any other service that needs to check keystone tokens.
  • You can update the URLs of the services directly in the database:

mysql> use keystone;
mysql> update endpoint set url="https://<keystone-host>:5000/v2.0" where url="http://<keystone-host>:5000/v2.0";
mysql> update endpoint set url="https://<keystone-host>:35357/v2.0" where url="http://<keystone-host>:35357/v2.0";

• VOs: Every FedCloud site is expected to support fedcloud.egi.eu, dteam and ops VOs. You should configure this VO in your /etc/keystone/voms.json file. Make sure that the tenant you are mapping the VO to exists. Below there is a sample voms.json file, adapt it with the appropriate names of your tenants:

{
    "fedcloud.egi.eu": {
        "tenant": "VO:fedcloud.egi.eu"
    },
    "dteam": {
        "tenant": "VO:dteam"
    },
    "ops": {
        "tenant": "VO:ops"
    }
}

You also need to include the appropriate .lsc files for each VO at /etc/grid-security/vomsdir/:

mkdir -p /etc/grid-security/vomsdir/fedcloud.egi.eu

cat > /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.egee.cesnet.cz << EOF
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.egee.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
EOF

cat > /etc/grid-security/vomsdir/fedcloud.egi.eu/voms2.grid.cesnet.cz << EOF
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms2.grid.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
EOF

mkdir -p /etc/grid-security/vomsdir/dteam

cat > /etc/grid-security/vomsdir/dteam/voms.hellasgrid.gr << EOF
/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr
/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006
EOF

cat > /etc/grid-security/vomsdir/dteam/voms2.hellasgrid.gr << EOF
/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr
/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006
EOF

mkdir -p /etc/grid-security/vomsdir/ops

cat > /etc/grid-security/vomsdir/dteam/lcg-voms2.cern.ch << EOF
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
EOF

cat > /etc/grid-security/vomsdir/dteam/voms2.cern.ch << EOF
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
EOF

• VOMS-Keystone configuration: most sites should enable the autocreate_users option in the [voms] section of Keystone-VOMS configuration. This will enable that new users are automatically created in your local keystone the first time they login into your site.

OCCI Support

OCCI is the EGI-approved access method for computing resources that VM management cloud services must expose. OCCI-OS is the recommended software to provide this capability.

OCCI-OS can be installed from the github repo (recommended) or by using pip (packages may not be up-to-date!). The module must be installed on the machines hosting your nova-api. Installation instructions are available in the README.md file of the repo. Before installing OCCI-OS, you should manually install pyssf (pip install pyssf). If installing from the github repo, be sure to select the appropriate branch for your OpenStack installation, e.g. for an OpenStack Icehouse installation:

$ pip install pyssf

$ git clone https://github.com/EGI-FCTF/occi-os.git -b stable/icehouse
Cloning into 'occi-os'...
remote: Counting objects: 1312, done.
remote: Total 1312 (delta 0), reused 0 (delta 0), pack-reused 1312
Receiving objects: 100% (1312/1312), 357.53 KiB | 0 bytes/s, done.
Resolving deltas: 100% (752/752), done.
Checking connectivity... done.

$ cd occi-os
$ python setup.py install
running install
running bdist_egg
running egg_info
creating openstackocci_icehouse.egg-info
...
Finished processing dependencies for openstackocci-icehouse==1.0

Configuration is also detailed in the [https://github.com/EGI-FCTF/occi-os/#configuration OCCI-OS readme file].

EGI Accounting

Every cloud site must publish utilization data to the EGI accounting database. You will need to install cASO, a pluggable extractor of Cloud Accounting Usage Records from OpenStack.

• Latest version is available at PyPi: (https://pypi.python.org/pypi/caso/), you can install it with pip install caso.
• Check the cASO documentation includes how to install and configure OpenStack for generating the accounting records.
• Source code available at cASO github repo
• Packages for Ubuntu distributions are build at OpenSUSE build service home:aloga:cloud:integration project

In order to send the records to the accounting database, you will also need to configure SSM. Follow the publishing records documentation at the accounting scenario

EGI Information System

Sites must publish information to EGI information system which is based on BDII. There is a common bdii provider for all cloud management frameworks. Information on installation and configuration is available in the cloud-bdii-provider README.md and in the Fedclouds BDII instructions, there is a specific section with OpenStack details.

EGI Image Management

Sites in FedCloud offering VM management capability must give access to VO-endorsed VM images. This functionality is provided with vmcatcher (that is able to subscribe to the image lists available in AppDB) and a set of tools that are able to push the subscribed images into the glance catalog. Information on installation of the software is available at FedCloud Scenario 8 wiki, there is a specific section on OpenStack to install and configure the event handlers.

In order to subscribe to VO-wide image lists, you need to have a valid access token to the AppDB. Check how to access to VO-wide image lists and how to subscribe to a private image list documentation for more information.

Registration of services in GOCDB

Site cloud services must be registered in EGI Configuration Management Database (GOCDB). If you are creating a new site for your cloud services, check the PROC09 Resource Centre Registration and Certification procedure. Services can also coexist within an existing (grid) site.

If offering OCCI interface, sites should register the following services:

• eu.egi.cloud.vm-management.occi for the OCCI endpoint offered by the site. Please note the special endpoint URL syntax described at Fedcloud-tf:WorkGroups:Scenario5#GOCDB
• eu.egi.cloud.accounting (host should be your OCCI machine)
• eu.egi.cloud.vm-metadata.vmcatcher (also host is your OCCI machine)
• Site should also declare the following properties using the Site Extension Properties feature:
  1. Max number of virtual cores for VM with parameter name: cloud_max_cores4VM
  2. Max amount of RAM for VM with parameter name: cloud_max_RAM4VM using the format: value+unit, e.g. "16GB".
  3. Max amount of storage that could be mounted in a VM with parameter name: cloud_max_storage4VM using the format: value+unit, e.g. "16GB".

If offering CDMI interface, site should register:

• eu.egi.cloud.storage-management.cdmi. Note also the enpoint URL syntax described at Fedcloud-tf:WorkGroups:Scenario5#GOCDB

Once the site services are registered in GOCDB and set as monitored they will be checked by the Cloud SAM instance.

Installation Validation

1. Installation validaton - this is a new step: describe steps performed by site admin that confirms the site installation is working well according to EGI requirements. It is better to have it as a separate, final step for all checks
   1. Nagios step - missing
   2. check accounting - missing
      
   3. check vmcatcher subscription - missing
      
   4. check BDII publishing - missing
      
   5. check OCCI It is possible to reuse https://wiki.egi.eu/wiki/HOWTO04_Site_Certification_Manual_tests#Cloud_Compute_.28OCCI.29_checks
   6. check CDMI It is possible to reuse https://wiki.egi.eu/wiki/HOWTO04_Site_Certification_Manual_tests#Cloud_Storage_.28CDMI.29_checks

Support for CDMI Maybe it is better to have separated part on CDMI and not mix it with OCCI.

OpenNebula

This part is under construction.

EGI Cloud site is based on OpenNebula software with some EGI extensions.See Deployment Schema (Note: here we need high level explanation on what modules are to be put on which machines.)

Stages of installation (similar for every middleware):

OpenNebula Installation

Follow OpenNebula Documentation and install OpenNebula with enabled X.509 authentication support.

The following OpenNebula versions are supported:

• OpenNebula v4.4.x (legacy)
• OpenNebula v4.6.x
• OpenNebula v4.8.x
• OpenNebula v4.10.x
• OpenNebula v4.12.x

OpenNebula Integration

Integration Prerequisites

• Working OpenNebula installation with X.509 support enabled.
• Valid IGTF-trusted host certificates for selected hosts.

EGI User Management/AAI

See Integration with Perun.

EGI Virtual Machine Management Interface -- OCCI

See rOCCI-server

EGI Accounting

See Described here: https://github.com/EGI-FCTF/opennebula-cloudacc

EGI Information System

Sites must publish information to EGI information system which is based on BDII. There is a common bdii provider for all cloud management frameworks. Information on installation and configuration is available in the cloud-bdii-provider README.md and in the Fedclouds BDII instructions, there is a specific section with OpenNebula details.

EGI Image Management

Sites in FedCloud offering VM management capability must give access to VO-endorsed VM images. This functionality is provided with vmcatcher (that is able to subscribe to the image lists available in AppDB) and a set of tools that are able to push the subscribed images into the glance catalog. Information on installation of the software is available at FedCloud Scenario 8 wiki, there is a specific section on OpenNebula to install and configure the event handlers.

In order to subscribe to VO-wide image lists, you need to have a valid access token to the AppDB. Check how to access to VO-wide image lists and how to subscribe to a private image list documentation for more information.

Registration of services in GOCDB

Site cloud services must be registered in EGI Configuration Management Database (GOCDB). If you are creating a new site for your cloud services, check the PROC09 Resource Centre Registration and Certification procedure. Services can also coexist within an existing (grid) site.

If offering OCCI interface, sites should register the following services:

• eu.egi.cloud.vm-management.occi for the OCCI endpoint offered by the site. Please note the special endpoint URL syntax described at Fedcloud-tf:WorkGroups:Scenario5#GOCDB
• eu.egi.cloud.accounting (host should be your OCCI machine)
• eu.egi.cloud.vm-metadata.vmcatcher (also host is your OCCI machine)
• Site should also declare the following properties using the Site Extension Properties feature:
  1. Max number of virtual cores for VM with parameter name: cloud_max_cores4VM
  2. Max amount of RAM for VM with parameter name: cloud_max_RAM4VM using the format: value+unit, e.g. "16GB".
  3. Max amount of storage that could be mounted in a VM with parameter name: cloud_max_storage4VM using the format: value+unit, e.g. "16GB".

Once the site services are registered in GOCDB and set as monitored they will be checked by the Cloud SAM instance.

Installation Validation

1. Installation validaton - this is a new step: describe steps performed by site admin that confirms the site installation is working well according to EGI requirements. It is better to have it as a separate, final step for all checks
   1. Nagios step - missing
   2. check accounting - missing
      
   3. check vmcatcher subscription - missing
      
   4. check BDII publishing - missing
      
   5. check OCCI It is possible to reuse https://wiki.egi.eu/wiki/HOWTO04_Site_Certification_Manual_tests#Cloud_Compute_.28OCCI.29_checks

Synnefo

There are installation guides e.g. https://www.synnefo.org/docs/synnefo/latest/install-guide-debian.html#install-guide-debian but it seems there is no EGI-specific installation guides.

Revision History