rOCCI:OpenNebula Backend

The OpenNebula backend is bundled with rOCCI-server. Follow these steps to configure and activate it:

1. Make sure OpenNebula is already installed and running in your environment. Otherwise it is highest time to install it. Note that installation of OpenNebula is beyond the scope of this Admin Guide. You may find useful some of the available OpenNebula Tutorials.
2. Create a rocci account for the rOCCI-server backend in OpenNebula and make it a member of the oneadmin group. A reasonably secure password is required. It should not be shorter than 32 characters:

   su - oneadmin oneuser create rocci '<actual_password_edited_out>' --driver server_cipher oneuser chgrp rocci oneadmin exit

3. Edit Virtual Host configuration file /etc/apache2/sites-available/occi-ssl.conf or /etc/httpd/conf.d/occi-ssl.conf, respectively, and change the following:
   1. attribute ROCCI_SERVER_BACKEND must be set to opennebula as shown:

      SetEnv ROCCI_SERVER_BACKEND opennebula

      Note: Do not confuse with attribute ROCCI_SERVER_HOOKS; that has another purpose.

   2. attribute ROCCI_SERVER_ONE_PASSWD must be set to give the password for the rocci user set up in the previous step:

      SetEnv ROCCI_SERVER_ONE_PASSWD <actual_password_edited_out>

   3. Server name attributes must be set to the rOCCI server's fully qualified domain name. Set ROCCI_SERVER_HOSTNAME and ServerName accordingly:

      ServerName rocci-server.example.com and SetEnv ROCCI_SERVER_HOSTNAME rocci-server.example.com

      Note: In case your rOCCI-server is not collocated with OpenNebula, these both need to point to the rOCCI-server. A different attribute is used to indicate the OpenNebula server.

      TODO: chmod on VH config file!

4. Restart the WebServer. You may skip this step if you are going to configure GridSite next.

   APT-based distributions (Debian, Ubuntu, …)	RPM-based distributions (Scientific Linux, CentOS, …)
   service apache2 restart	service httpd restart
   Tested in Debian 7 Wheezy	Tested in SL 6.5 Carbon

Use with GridSite and VOMS (optional)

As long as your site is a part of the EGI Federated Cloud infrastructure, or another infrastructure relying on Virtual Organization Management Services (VOMS), you also need to install the GridSite module for Apache.

1. Choose repository to install from. GridSite is available from standard distribution repositories (EPEL, Debian) but not always in its most recent versions. EGI's UMD repository may be a better source, especially if you are a part of EGI.
   1. Installing from standard distro repositories:

      APT-based distributions (Debian, Ubuntu, …)	RPM-based distributions (Scientific Linux, CentOS, …)
      apt-get install -y gridsite	rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm yum install -y gridsite
      Tested in Debian 7 Wheezy	Tested in SL 6.5 Carbon

   2. Installing from UMD:

      APT-based distributions (Debian, Ubuntu, …)	RPM-based distributions (Scientific Linux, CentOS, …)
      UMD is currently only available for Debian 6 Squeeze. If you cannot use the current GridSite version in Wheezy, and want a new one, contact GridSite developers.	rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm yum install -y yum-priorities yum-protectbase rpm -ivh http://emisoft.web.cern.ch/emisoft/dist/EMI/3/sl6/x86_64/base/emi-release-3.0.0-2.el6.noarch.rpm yum install -y gridsite
      Tested in Debian 7 Wheezy	Tested in SL 6.5 Carbon

2. Make sure mod_gridsite is loaded when WebServer starts. If you are installing in accordance with the previous step, it is already OK. Otherwise, you may need to add a config file (see example in /opt/rOCCI-server/examples/etc/apache2/mods-available/zgridsite.load) and enable the module.
3. Activate GridSite in you Virtual Host's configuration file—/etc/apache2/sites-available/occi-ssl.conf or /etc/httpd/conf.d/occi-ssl.conf, respectively.
   1. Add the following directives:

       ## variables (and is needed for gridsite-admin.cgi to work.)
       GridSiteEnvs on 
       ## Nice GridSite directory listings (without truncating file names!)
       GridSiteIndexes off 
       ## If this is greater than zero, we will accept GSI Proxies for clients
       ## (full client certificates - eg inside web browsers - are always ok)
       GridSiteGSIProxyLimit 4 
       ## This directive allows authorized people to write/delete files
       ## from non-browser clients - eg with htcp(1)
       GridSiteMethods ""
      

   2. And change the value of the SSLVerifyClient attribute to require

      SSLVerifyClient require
      

   3. Extend SSLOptions attribute with option ExportCertData:

      SSLOptions +StdEnvVars +ExportCertData
      

4. Make sure your VOMS settings are present as .lsc files in the /etc/grid-security/vomsdir structure.
   • For instance, to enable the fedcloud.egi.eu VO, you need to do the following:

     mkdir -p /etc/grid-security/vomsdir/fedcloud.egi.eu
     
     cat > /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.grid.cesnet.cz.lsc << EOF 
     /DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz
     /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA eScience SSL CA 3
     EOF
     
     cat > /etc/grid-security/vomsdir/fedcloud.egi.eu/voms2.grid.cesnet.cz << EOF 
     /DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms2.grid.cesnet.cz
     /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA eScience SSL CA 3
     EOF
     

5. Enable GridSite and restart the WebServer.

   APT-based distributions (Debian, Ubuntu, …)	RPM-based distributions (Scientific Linux, CentOS, …)
   a2enmod zgridsite service apache2 restart	service httpd restart
   Tested in Debian 7 Wheezy	Tested in SL 6.5 Carbon

The Autocreate Authentication Hook

As explained earlier, local accounts should be created for all authorized users in OpenNebula by means of a suitable synchronization tool, such as Perun. This is highly recommended since only that solution takes proper care of the overall user account life cycle, including deletion.

That said, there may be virtual organizations you must support in your site without the ability to synchronise all their user base with local accounts in your cloud manager. In that case, you may take advantage of the OpenNebula User Autocreate Hook. Once activated, it automatically creates local OpenNebula accounts for users who present appropriate VOMS proxies coming from listed virtual organizations. For that reason, autocreation only works in combination with the voms authentication strategy!

To enable automatic creation of OpenNebula accounts, edit the Virtual Host configuration file /etc/apache2/sites-available/occi-ssl.conf or /etc/httpd/conf.d/occi-ssl.conf, respectively, and use the ROCCI_SERVER_ONEUSER_AUTOCREATE_HOOK_VO_NAMES option to give a space-delimited list of VOs whose members you wish accepted in autocreate mode. Also, do not forget to activate the hook by listing it with the ROCCI_SERVER_HOOKS option. For instance:

SetEnv ROCCI_SERVER_AUTHN_STRATEGIES                          voms
...
SetEnv ROCCI_SERVER_HOOKS                                     oneuser_autocreate
...
SetEnv ROCCI_SERVER_ONEUSER_AUTOCREATE_HOOK_VO_NAMES          "examplevo samplevo"

Also you need to create a group in OpenNebula for each VO you wish supported in this manner. Based on the example above, you need to run:

su - oneadmin
onegroup create examplevo
onegroup create samplevo
exit

Then restart the Web Server.

With the autocreate hook configured, be aware that your OpenNebula will be populated with unmanaged user accounts! I.e., those accounts will remain active, and their VMs will remain running, even after those users have left the VO or, even worse, have been banned! Activating the autocreate hook is recommended only as a last resort, temporarily, until a more systematic solution has been found. It is highly recommended to audit the autocreated accounts periodically, and definitely after the hook has been deactivated again!