The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

MAN10




Title: Setting up Cloud Resource Centre
Document link: https://wiki.egi.eu/wiki/MAN10
Last modified: 19 August 2014
Policy Group Acronym: OMB
Policy Group Name: Operations Management Board
Contact Group: operations-support@mailman.egi.eu
Document Status: DRAFT
Approved Date:
Procedure Statement: This manual provides information on how to set up Cloud Resource Centre.
Owner: Owner of procedure



Introduction

The EGI cloud supports 3 middleware stacks, so you can base your cloud site installation on one of the following:

  • OpenNebula
  • OpenStack
  • Synnefo

If you want to install an EGI Cloud Site please have a look at our EGI Cloud Site Installation Manuals below.

Note: The EGI Cloud Site Installation Manual is a step-by-step instruction for the Cloud Site Admin. The manual is not meant to be a comprehensive guide to topics related to the installation; it is a collection of steps taken by someone to install an EGI cloud site starting from scratch. The commands executed should be made available so that someone can copy and paste them and easily follow along. At some initial stage the manual may not cover all cases, but it is meant to be extended by other site admins as they follow it. It is a living document.

The manuals

Current issues:

  • Documentation for cloud components is written with the assumption that the admin knows where (machine, neighbour components) these components should be installed. It is missing the general cloud site deployment context.
  • Documentation should address the prerequisites part.
  • Documentation should address the constraints and limitations part i.e. supported operating systems, software versions.
  • Documentation should provide a contact person (per component) which can be contacted in case of questions/problems.  
  • Documentation should provide commands for checking validity of installation.


Prerequisites & Limitations

Whatever cloud stack you choose, you need to prepare some things at the beginning:

  1. Hardware (minimal hardware requirements for a small cloud site, e.g. up to 100 VMs):
    1. number of physical machines, performance/capacity requirements: RAM size
    2. disk space - how big, where it must be connected, performance of network links (images are heavy!)
  2. DNS names, X.509 certificates
  3. Register in fedcloud VO
  4. Registration in AppDB to have access to private EGI VM image repository
  5. What operating systems are supported

Cloud management frameworks

OpenStack

This part is under construction.


EGI Cloud site can be based on OpenStack software with some EGI extensions. See deployment schema (Note: high level description on what modules are to be put on which machines.)

OpenStack installation

Integration with FedCloud requires a working OpenStack installation. Follow the general documentation at http://docs.openstack.org/; there are packages ready to use for most distributions (check for example RDO for RedHat-based distributions).

Requirements and Limitations

OpenStack integration with FedCloud is known to work with the following versions of OpenStack:

  • Havana (EOL by OpenStack, should not be used in production)
  • Icehouse
  • Juno

Suggested list of services to provide FedCloud integration:

  • Keystone service must be available in any case.
  • If providing OCCI access (VM management):
  • If providing CDMI access (Object storage):
    • Swift

AAI integration in OpenStack

Every FedCloud site must support authentication of users with X.509 certificates with VOMS extensions. The Keystone-VOMS extension enables this kind of authentication on Keystone.

  • Pre-requisites: you will need a valid host certificate from a EUGridPMA CA.
  • Installation: documentation on the installation is available at Keystone-voms documentation. Make sure to use the correct documentation for your OpenStack version.
  • Take into account that using the keystone-voms plugin will enforce the use of https for your Keystone service. You will need to update your URLs in the Keystone catalog and in the configuration of your services (check [keystone_authtoken] in the nova, cinder and glance config files and in any other service that needs to check Keystone tokens).

change database? other services

  • VOs: Every FedCloud site is expected to support the fedcloud.egi.eu, dteam and ops VOs. You should configure these VOs in your /etc/keystone/voms.json file. Make sure that the tenant you are mapping each VO to exists. Below is a sample voms.json file; adapt it with the appropriate names of your tenants:
{
    "fedcloud.egi.eu": {
        "tenant": "VO:fedcloud.egi.eu"
    },
    "dteam": {
        "tenant": "VO:dteam"
    },
    "ops": {
        "tenant": "VO:ops"
    }
}

You also need to include the appropriate .lsc files for each VO at /etc/grid-security/vomsdir/:

# Each file is named <VOMS server hostname>.lsc and holds the server
# certificate subject DN followed by the DN of the issuing CA.
mkdir -p /etc/grid-security/vomsdir/fedcloud.egi.eu

cat > /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc << EOF
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.egee.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
EOF

cat > /etc/grid-security/vomsdir/fedcloud.egi.eu/voms2.grid.cesnet.cz.lsc << EOF
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms2.grid.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
EOF

mkdir -p /etc/grid-security/vomsdir/dteam

cat > /etc/grid-security/vomsdir/dteam/voms.hellasgrid.gr.lsc << EOF
/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr
/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006
EOF

cat > /etc/grid-security/vomsdir/dteam/voms2.hellasgrid.gr.lsc << EOF
/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr
/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006
EOF

# The CERN VOMS servers serve the ops VO, so their files go in the ops directory.
mkdir -p /etc/grid-security/vomsdir/ops

cat > /etc/grid-security/vomsdir/ops/lcg-voms2.cern.ch.lsc << EOF
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
EOF

cat > /etc/grid-security/vomsdir/ops/voms2.cern.ch.lsc << EOF
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
EOF

  • VOMS-Keystone configuration: most sites should enable the autocreate_users option in the [voms] section of the Keystone-VOMS configuration. With this option, new users are automatically created in your local Keystone the first time they log in to your site.
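
A check for the VO configuration above, as an added example that is not part of the original manual or of Keystone-VOMS: it reads voms.json and reports every mapped VO whose vomsdir directory lacks a well-formed .lsc file, which catches a file written under the wrong VO directory. The function names, the temporary directory tree and the example.org DNs are constructed for the demonstration; on a site you would pass /etc/keystone/voms.json and /etc/grid-security/vomsdir.

```python
import json
import tempfile
from pathlib import Path


def check_voms_layout(voms_json: Path, vomsdir: Path) -> dict:
    """Return {vo: [problems]} for every VO mapped in voms.json."""
    mapping = json.loads(voms_json.read_text())
    report = {}
    for vo, entry in mapping.items():
        problems = []
        if not entry.get("tenant"):
            problems.append("no tenant mapped")
        lsc_files = sorted((vomsdir / vo).glob("*.lsc"))
        if not lsc_files:
            problems.append("no .lsc file in %s" % (vomsdir / vo))
        for lsc in lsc_files:
            # An .lsc file lists the VOMS server certificate subject DN,
            # then the DN of the CA that issued it, one DN per line.
            dns = [ln.strip() for ln in lsc.read_text().splitlines() if ln.strip()]
            if len(dns) < 2 or not all(dn.startswith("/") for dn in dns):
                problems.append("%s: expected subject DN and issuer DN" % lsc.name)
        report[vo] = problems
    return report


def demo() -> dict:
    """Constructed tree in which the 'ops' file was written under 'dteam'."""
    root = Path(tempfile.mkdtemp())
    voms_json = root / "voms.json"
    voms_json.write_text(json.dumps({
        "dteam": {"tenant": "VO:dteam"},
        "ops": {"tenant": "VO:ops"},
    }))
    vomsdir = root / "vomsdir"
    (vomsdir / "dteam").mkdir(parents=True)
    (vomsdir / "ops").mkdir()
    # Constructed sample DNs, not real VOMS server certificates.
    sample = "/DC=org/DC=example/CN=voms.example.org\n/DC=org/DC=example/CN=Example CA\n"
    (vomsdir / "dteam" / "voms.example.org.lsc").write_text(sample)
    (vomsdir / "dteam" / "voms-ops.example.org.lsc").write_text(sample)  # misplaced
    return check_voms_layout(voms_json, vomsdir)


if __name__ == "__main__":
    for vo, problems in demo().items():
        print(vo, "OK" if not problems else problems)
```
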

OCCI Support

OCCI is the EGI-approved access method for computing resources that VM management cloud services must expose. OCCI-OS is the recommended software to provide this capability.

OCCI-OS can be installed from the GitHub repo (recommended) or by using pip (packages may not be up-to-date!). The module must be installed on the machines hosting your nova-api. Installation instructions are available in the README.md file of the repo. Before installing OCCI-OS, you should manually install pyssf (pip install pyssf). If installing from the GitHub repo, be sure to select the appropriate branch for your OpenStack installation, e.g. for an OpenStack Icehouse installation:

$ pip install pyssf

$ git clone https://github.com/EGI-FCTF/occi-os.git -b stable/icehouse
Cloning into 'occi-os'...
remote: Counting objects: 1312, done.
remote: Total 1312 (delta 0), reused 0 (delta 0), pack-reused 1312
Receiving objects: 100% (1312/1312), 357.53 KiB | 0 bytes/s, done.
Resolving deltas: 100% (752/752), done.
Checking connectivity... done.

$ cd occi-os
$ python setup.py install
running install
running bdist_egg
running egg_info
creating openstackocci_icehouse.egg-info
...
Finished processing dependencies for openstackocci-icehouse==1.0

Configuration is also detailed in the OCCI-OS readme file (https://github.com/EGI-FCTF/occi-os/#configuration).

EGI Accounting

Every cloud site must publish utilization data to the EGI accounting database. You will need to install cASO, a pluggable extractor of Cloud Accounting Usage Records from OpenStack.

In order to send the records to the accounting database, you will also need to configure SSM. Follow the publishing records documentation in the accounting scenario.

EGI Information System

Sites must publish information to the EGI information system, which is based on BDII. There is a common BDII provider for all cloud management frameworks. Information on installation and configuration is available in the cloud-bdii-provider README.md and in the Fedclouds BDII instructions, which have a specific section with OpenStack details.

EGI Image Management

  1. EGI Image Management
    Each cloud site must give access to EGI-approved VM images. An image clarifying the functions of, and relations between, vmcaster, vmcatcher, glance, glancepush and the OpenStack handler for vmcatcher would be very welcome.
    1. Registration in AppDB to have access to the private EGI VM image repository - missing, please describe the steps to be done by the Site Admin; these should be prerequisite steps because they require a manual step by someone
    2. VMCatcher - allows users to subscribe to VMs (unclear). https://github.com/hepix-virtualisation/vmcatcher
    3. Install the EGI-customized version of glancepush. Instructions: https://wiki.egi.eu/wiki/Fedcloud-tf:WorkGroups:Scenario8:Configuration#OpenStack ; software repo: https://appdb.egi.eu/store/software/python.glancepush/releases/0.0.x
    4. Install the OpenStack handler for vmcatcher. Instructions: https://wiki.egi.eu/wiki/Fedcloud-tf:WorkGroups:Scenario8:Configuration#OpenStack ; software repo: https://appdb.egi.eu/store/software/openstack.handler.for.vmcatcher



Registration of services in GOCDB

  1. EGI Configuration Management Database (GOCDB)
    Each cloud site must register its services in the EGI configuration management database, which is GOCDB.
    Need information on whether the cloud site must be separate from the grid site or can be shared. Shouldn't the GOCDB step be earlier to allow Nagios monitoring?
    1. Registering endpoints https://wiki.egi.eu/wiki/Fedcloud-tf:WorkGroups:Scenario5#GOCDB - ok, but we need info on what exactly has been registered in GOCDB, like "I have registered os.acme.org with type eu.egi.cloud.accounting".
    2. Registering SiteExtension Properties - is this still a valid requirement? Missing instruction

Installation Validation

  1. Installation validation - this is a new step: describe the steps performed by the site admin that confirm the site installation is working well according to EGI requirements. It is better to have it as a separate, final step for all checks.
    1. Nagios step - missing
    2. check accounting - missing
    3. check vmcatcher subscription - missing
    4. check BDII publishing - missing
    5. check OCCI - it is possible to reuse https://wiki.egi.eu/wiki/HOWTO04_Site_Certification_Manual_tests#Cloud_Compute_.28OCCI.29_checks
    6. check CDMI - it is possible to reuse https://wiki.egi.eu/wiki/HOWTO04_Site_Certification_Manual_tests#Cloud_Storage_.28CDMI.29_checks

Support for CDMI: maybe it is better to have a separate part on CDMI and not mix it with OCCI.

OpenNebula

EGI Cloud site is based on OpenNebula software with some EGI extensions. See Deployment Schema (Note: here we need a high-level explanation of which modules are to be put on which machines.)

Stages of installation (similar for every middleware):

  1. OpenNebula installation with X.509 support
    1. Be consistent on requirements: state WHICH OpenNebula version is supported.
    2. Unfortunately this manual does not cover OpenNebula installation. You need to do this by yourself but this is well described here: http://docs.opennebula.org/4.4/
    3. Configure X.509 support according to http://docs.opennebula.org/4.4/administration/authentication/x509_auth.html
  2. Support for OCCI - EGI-approved access method
    1. Described here: https://wiki.egi.eu/wiki/Fedcloud-tf:WorkGroups:_Federated_AAI:OpenNebula but missing the context of EGI Cloud site installation i.e. what modules should be put on which machines, and which commands executed.
  3. EGI User Authentication/Authorization
    1. You need to integrate with Perun. Described here https://github.com/EGI-FCTF/fctf-perun but missing context of EGI Cloud site installation and missing commands to be executed.
  4. EGI Image Management
    1. Missing in the instructions for OpenNebula. Seems we have in https://wiki.egi.eu/wiki/Fedcloud-tf:WorkGroups:Scenario8:Configuration#VMcatcher section for Opennebula. Still no common context.
  5. EGI Accounting
    1. Described here: https://github.com/EGI-FCTF/opennebula-cloudacc but missing context of EGI Cloud site installation - complete with info on which host the commands should be executed.
  6. EGI Information System
    1. Described here https://wiki.egi.eu/wiki/Fedclouds_BDII_instructions but again missing context of where these commands should be executed.
  7. EGI Configuration Management Database (GOCDB)
    1. Manual not available. We need information on OpenNebula-specific service types to be registered in GOCDB.

What about support for CDMI in OpenNebula?

Synnefo

There are installation guides, e.g. https://www.synnefo.org/docs/synnefo/latest/install-guide-debian.html#install-guide-debian, but it seems there are no EGI-specific installation guides.

Revision History

Version Authors Date Comments