| Author: | Mark Biggers <[email protected]> |
|---|---|
| Description: | Install & configuration of OpenNebula (ONE) 4.x on openSUSE 12.3 |
| Ref: | SDB:Cloud OpenNebula: <http://en.opensuse.org/SDB:Cloud_OpenNebula> |
| Ref: | ONE Installing the Software: <http://opennebula.org/documentation:rel4.2:ignc#opensuse_platform_notes> |
| Ref: | KVM driver, KVM configuration: <http://opennebula.org/documentation:archives:rel4.0:kvmg#kvm_configuration> |
| Ref: | ONE Rel 4.2 packages, for openSUSE: <http://download.opensuse.org/repositories/Cloud:/OpenNebula:/Testing/openSUSE_12.3/> |
| Ref: | SDB:KIWI Cookbook ONebula Cloud |
| Ref: | OCCI Server Configuration: <http://opennebula.org/documentation:rel4.2:occicg> |
| Revision: | 1.0 |
| To View: | restview README.rst |
| Metainfo: | restview, Restructured Text Viewer: <https://pypi.python.org/pypi/nrestview> |
| Metainfo: | Introductory ReST docs |
| Organization: | Internetwork Experts, http://www.INE.com |
| Date: | 25 October 2013 |
For the purpose of installing ONE, read all of these docs (see Refs, above), in addition to following this guide:

- SDB:Cloud OpenNebula
- ONE Installing the Software

It's not enough to just install the ONE software on a given Linux platform. There is extensive documentation for planning a ONE Cloud deployment:

- OpenNebula 4.2 Guides: http://opennebula.org/documentation:rel4.2
The focus of this deployment is KVM technology for virtual machines, VM resource management, and to a degree, management of the VM "networks".
For a ONE Cloud-node
====================
The decision to use Linux KVM VM technology requires the libvirtd service, virsh and the related KVM command-line tools. OpenNebula supports the KVM, Xen and VMWare VM technologies::

    zypper install libvirt
    # for KVM tools, development
    zypper install libvirt-client libvirt-python libvirt-devel kvm
Install & enable the repository info for the openSUSE ONE packages::

    sudo zypper ar -n OpenNebula -f http://download.opensuse.org/repositories/Cloud:/OpenNebula:/Testing/openSUSE_12.3 on
Install the following package, to get going::

    sudo zypper install opennebula
For the Sunstone management Web UI for ONE, install::

    sudo zypper install opennebula-sunstone
The Secure Shell service must be up on each ONE Cloud-host, and on the Cloud-master! The oneadmin user has an ssh public-key login, for password-less logins to the ONE hosts::

    for op in enable start status; do
        sudo systemctl $op sshd
    done
Custom Ruby packages for ONE, the Web framework sinatra, and all required openSUSE Ruby language support need to be installed. (Done, by the latest openSUSE ONE packages!)
This installation of openVSwitch is for the configuration of a basic ONE network definition. The install of OVS provides the ovs service and the command-line ``ovs-*`` commands::

    zypper ar http://download.opensuse.org/repositories/Cloud:/OpenStack:/Master/openSUSE_12.3/Cloud:OpenStack:Master.repo
    zypper install -y openvswitch-switch openvswitch-kmp-default tcpdump ethtool
tcpdump and ethtool will be very useful for CRAFT networking configurations and debugging!
NOTE: The configuration of a set of openVSwitches - within & outside of a set of client VMs - will be covered in another document.
NOTE: dropped this for now - must get basic VM deployment to work!
The oneadmin user needs login authorization; provide a password here::

    ONE_AUTH=/var/lib/one/.one/one_auth
    sudo tee $ONE_AUTH <<EOF
    oneadmin:passWurd
    EOF
    sudo chown oneadmin:cloud $ONE_AUTH
Ensure the configuration of all the Linux groups that ONE seems to need, for the oneadmin user::

    sudo groupadd -g 1000 oneadmin   ## use the _same_ GID as 'cloud'
    sudo usermod -a -G libvirt,qemu,kvm,oneadmin,cloud oneadmin
Ensure that oneadmin has "clean" ssh access, across all ONE Cloud nodes::

    sudo -u oneadmin tee ~oneadmin/.ssh/config <<EOF
    Host *
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
    EOF
There is a need for restricted ``sudo`` privileges for the oneadmin user. Create this file as root::

    tee /etc/sudoers.d/oneadmin-sudo <<EOF
    # 'oneadmin' management sudo rights -- openSUSE paths
    Cmnd_Alias ONEADMIN_NETW = /usr/bin/ovs-vsctl, /usr/sbin/ebtables
    Cmnd_Alias ONEADMIN_LVM = /sbin/lvs, /sbin/lvcreate, /sbin/lvremove, /sbin/vgdisplay, /usr/bin/dd
    %cloud ALL = NOPASSWD: ONEADMIN_NETW
    %oneadmin ALL = NOPASSWD: ONEADMIN_NETW
    EOF
Add to the folders ONE is allowed to access, for ONE image data (optional)::

    sudo mkdir -p /etc/one/image/
    sudo tee /etc/one/image/fs.conf <<EOF
    ## IMAGE_REPOSITORY_PATH=/var/lib/one/images
    ## RESTRICTED_DIRS="/var/lib/one/ /etc/one/"
    SAFE_DIRS="/var/lib/one/downloads"
    EOF
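A check worth running after the one_auth and ssh steps above, added here as an example (not part of the original guide): ``sudo tee`` as root with the usual 022 umask leaves one_auth world-readable, and the ssh config above turns host-key verification off. The function and fixture names are chosen for this example; the guide's home directory is /var/lib/one.

```shell
#!/bin/sh
# Added example: audit the oneadmin secrets and ssh client config.
# has_mode / audit_oneadmin_home are names chosen here, not ONE tools.

# has_mode PATH OCTAL -> true when PATH has exactly that mode (POSIX find)
has_mode() { [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]; }

# audit_oneadmin_home HOME_DIR -> one finding per line; prints nothing when clean
audit_oneadmin_home() {
    h=$1
    auth="$h/.one/one_auth"
    if [ ! -f "$auth" ]; then
        echo "missing $auth"
    elif ! has_mode "$auth" 600; then
        echo "$auth is not mode 0600: the oneadmin password is readable by other local users"
    fi
    has_mode "$h/.ssh" 700 || echo "$h/.ssh is not mode 0700"
    cfg="$h/.ssh/config"
    if [ -f "$cfg" ] && grep -qi '^[[:space:]]*StrictHostKeyChecking[[:space:]]*no' "$cfg"; then
        echo "$cfg disables host-key checking: a spoofed Cloud node is not detected; pin node keys in known_hosts instead"
    fi
    return 0
}

# Constructed fixture reproducing the guide's layout, with the 0644 mode
# that 'sudo tee' leaves behind and the ssh config from the guide.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.one" "$demo_home/.ssh"
printf 'oneadmin:passWurd\n' > "$demo_home/.one/one_auth"
chmod 644 "$demo_home/.one/one_auth"
chmod 700 "$demo_home/.ssh"
printf 'Host *\n    StrictHostKeyChecking no\n    UserKnownHostsFile /dev/null\n' > "$demo_home/.ssh/config"
audit_oneadmin_home "$demo_home"
```

On a real Cloud-master run it as ``audit_oneadmin_home /var/lib/one`` and fix findings with ``chmod 0600`` on one_auth.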
For a ONE Cloud-node
====================
This config-file for PolicyKit permits oneadmin (in the cloud group) to manage libvirtd-controlled resources. Run this as user root::

    tee /etc/polkit-1/rules.d/50-org.libvirt.unix.manage.rules <<EOF
    # on Cloud "nodes" -- so 'polkitd' permits 'oneadmin' user
    # to do 'libvirtd' ops
    #
    polkit.addRule(function(action, subject) {
        if (action.id == "org.libvirt.unix.manage" &&
            subject.isInGroup("cloud")) {
            return polkit.Result.YES;
        }
    });
    EOF
    sudo systemctl restart polkit.service
Now, enable the oneadmin:cloud user to do qemu-kvm KVM operations, and stop libvirtd from changing the ownership of KVM images etc. away from the oneadmin user::

    # this patch may need regen...
    sudo patch -b -p0 -d /etc/libvirt < ine_craft_service/doc/etc-libvirt/qemu.conf.patch
Next, enable libvirtd to listen as a service on its standard TCP port, and turn on SASL support::

    sudo patch -b -p0 -d /etc/libvirt < ine_craft_service/doc/etc-libvirt/libvirtd.conf.patch
    # the 'patch' should include:
    #   listen_tls = 0
    #   listen_tcp = 1
    #   mdns_adv = 0
    #   unix_sock_group = "cloud"
    #   unix_sock_rw_perms = "0777"
    #   auth_unix_ro = "none"
    #   auth_unix_rw = "none"
    sudo systemctl restart libvirtd
    sudo systemctl status libvirtd
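The settings listed above open libvirtd on cleartext TCP and make its unix socket world-writable, so a post-patch audit is worth having. This is an added example, not the guide's or the CRAFT project's code; ``conf_get`` and ``audit_libvirtd_conf`` are names chosen here, and the sample file is constructed from the seven settings listed above.

```shell
#!/bin/sh
# Added example: flag exposure in a libvirtd.conf (not from the original guide).

# conf_get FILE KEY -> last uncommented value of KEY, quotes stripped ("" if unset)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '"'
}

# audit_libvirtd_conf FILE -> one finding per line; prints nothing when clean
audit_libvirtd_conf() {
    f=$1
    if [ "$(conf_get "$f" listen_tcp)" = "1" ]; then
        # libvirt's default auth_tcp is sasl, so only an explicit "none"
        # leaves the TCP socket unauthenticated; listen_tls=0 still means cleartext
        [ "$(conf_get "$f" listen_tls)" = "0" ] &&
            echo "listen_tcp=1 with listen_tls=0: libvirt RPC is unencrypted on the wire"
        [ "$(conf_get "$f" auth_tcp)" = "none" ] &&
            echo "auth_tcp=none: unauthenticated remote control of VMs"
    fi
    perms=$(conf_get "$f" unix_sock_rw_perms)
    case "$perms" in
        *[1-7])   # 'other' bits set: any local user can drive libvirtd
            echo "unix_sock_rw_perms=$perms is world-writable; 0770 limits it to unix_sock_group" ;;
    esac
    return 0
}

# Constructed sample reproducing the settings the patch is said to add
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
listen_tls = 0
listen_tcp = 1
mdns_adv = 0
unix_sock_group = "cloud"
unix_sock_rw_perms = "0777"
auth_unix_ro = "none"
auth_unix_rw = "none"
EOF
audit_libvirtd_conf "$SAMPLE_CONF"
```

Run ``audit_libvirtd_conf /etc/libvirt/libvirtd.conf`` on each Cloud-node after the patch; with the group set to ``cloud`` a mode of 0770 already lets oneadmin use the socket.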
qemu-kvm cannot be run by the oneadmin (non-root) user without this new udev rule::

    sudo tee /etc/udev/rules.d/60-qemu-kvm.rules <<EOF
    KERNEL=="kvm", GROUP="cloud", MODE="0660"
    EOF
    sudo udevadm control --reload-rules   ## *must* reload udev rules!
Doing some due diligence::

    sudo mkdir -p /var/run/libvirt/network   ## silence libvirtd complaints in 'messages'
Dump the Cloud-node configuration, as known to libvirtd (via a Ruby app)::

    # this script is a "virsh" wrapper ... !
    sudo -u oneadmin /var/lib/one/remotes/im/kvm.d/kvm.rb
There is a one-time initialization for the ONE service oned, that must happen::

    sudo -u oneadmin env ONE_AUTH=/var/lib/one/.one/one_auth /usr/sbin/onedsetup
Next, enable all OpenNebula services, start them and then get their status::

    for OP in enable restart status; do
        for svc in one.service one_scheduler.service sunstone.service; do
            sudo systemctl $OP $svc
        done
    done
Run some "tests" as oneadmin, to see if access and configurations may work::

    sudo su - oneadmin   # become the oneadmin user
    onehost list
    onehost show 0 -x    # should dump the #0 Host info & resources, as XML
Next, start the OCCI remote-API service::

    sudo -u oneadmin occi-server start
To stop this service::

    sudo kill $(cat /var/run/one/occi-server.pid)
NOTE: OCCI-service - start, stop, etc - needs to be in a "host local" service script - using systemd?
To test this service at any time, as the oneadmin user::

    occi-storage list
    occi-instance-type list --verbose   # -U oneadmin -P passWurd