Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
OpenNebula: openSUSE first-cut Deployment -- document

OpenNebula: openSUSE first-cut Deployment

Author: Mark Biggers <
Description:Install & configuration of OpenNebula (ONE) 4.x on openSUSE 12.3
Ref:SDB:Cloud OpenNebula: <>
Ref:ONE Installing the Software: <>
Ref:KVM driver, KVM configuration: <>
Ref:ONE Rel 4.2 packages, for openSUSE: <>
Ref:SDB:KIWI Cookbook ONebula Cloud
Ref:OCCI Server Configuration: <>
Ref:xyzzy: <>
Revision: 1.0
To View:restview README.rst
Metainfo:restview, Restructured Text Viewer: <>
Metainfo:Introductory ReST docs
Organization: Internetwork Experts,
Date: 25 October 2013

1   Getting Started

1.1   Review the documentation

For the purpose of installing ONE, read all of these docs (see Refs, above), in addition to following this guide.

SDB:Cloud OpenNebula

ONE Installing the Software

It's not enough to just install the ONE software on a given Linux platform. There is extensive documentation for planning a ONE Cloud deployment.

OpenNebula 4.2 Guides

2   Preparing for ONE installation

The foci of this deployment is KVM technology for virtual machines, VM resources management, and to a degree, the VM "networks" management.

2.1   Install, configure KVM & libvirtd

For a ONE Cloud-node

The decision to use Linux KVM VM technology, will require the libvirtd service, virsh and related KVM command-line tools. OpenNebula supports KVM, Xen and VMWare VM technologies.

zypper install libvirt

# for KVM tools, development
zypper install libvirt-client libvirt-python libvirt-devel kvm

3   Installing ONE for openSUSE

Install & enable the Repository info, for the openSUSE ONE packages.

sudo zypper ar -n OpenNebula -f on

Install the following package, to get going:

sudo zypper install opennebula

For the Sunstone management Web UI for ONE, install:

sudo zypper install opennebula-sunstone

The Secure Shell service must be up on each ONE Cloud-host, and on the Cloud-master! The oneadmin user has a ssh public-key login, for password-less logins to the ONE hosts.

for op in enable start status; do
    sudo systemctl $op  sshd

3.1   Installing the ONE packages

3.2   Install Ruby support via ONE

Custom Ruby packages for ONE, the Web framework sinatra, and all required openSUSE Ruby language support, needs to be installed. (Done, by latest openSUSE ONE packages!)

3.3   Install OpenVSwitch

This installation of openVSwitch is for configuration of a basic ONE network definition. The install of OVS provides the ovs service, and the command-line``ovs-commands``.

zypper ar

zypper install -y openvswitch-switch openvswitch-kmp-default tcpdump ethtool

tcpdump and ethtool will be very useful for CRAFT networking configurations and debugging!

NOTE: The configuration of a set of openVSwitches - within & outside of a set of client VMs - will be covered in another document.

NOTE: dropped this for now - must get basic VM deployment to work!

4   Configuration for ONE services

4.1   Set authorization for oneadmin

The oneadmin user needs login authorization; provide a password here.


sudo tee $ONE_AUTH  <<EOF

sudo chown oneadmin:cloud  $ONE_AUTH

Ensure the configuration of all the Linux groups that ONE seems to need, for the oneadmin user!

sudo groupadd -g 1000 oneadmin   ## use the _same_ GID as 'cloud'

sudo usermod -a -G libvirt,qemu,kvm,oneadmin,cloud

4.2   Finalize ssh access

Ensure that oneadmin has "clean" ssh access, across all ONE Cloud nodes.

sudo -u oneadmin  tee ~oneadmin/.ssh/config <<EOF
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null


4.3   Enable sudo access to key commands

There is a need for restricted``sudo`` privileges for the oneadmin user. Create this file as root.

tee /etc/sudoers.d/oneadmin-sudo  <<EOF

# 'oneadmin' management sudo rights -- openSUSE paths
Cmnd_Alias  ONEADMIN_NETW = /usr/bin/ovs-vsctl, /usr/sbin/ebtables
Cmnd_Alias  ONEADMIN_LVM  = /sbin/lvs, /sbin/lvcreate, /sbin/lvremove, /sbin/vgdisplay, /usr/bin/dd



4.4   Restrict services access to /var/lib/one

Add to the "allowed" folder access, for ONE data (optional).

sudo mkdir -p /etc/one/image/
tee /etc/one/image/fs.conf  <<EOF
## IMAGE_REPOSITORY_PATH=/var/lib/one/images
## RESTRICTED_DIRS="/var/lib/one/ /etc/one/"

4.5   Configuring KVM & Libvirtd service

For a ONE Cloud-node

This config-file for PolicyKit permits oneadmin (in cloud group) to manage libvirtd controlled resources. Run this as user root.

tee /etc/polkit-1/rules.d/50-org.libvirt.unix.manage.rules <<EOF

# on Cloud "nodes"  -- so 'polkitd' permits 'oneadmin' user
# to do 'libvirtd' ops
polkit.addRule(function(action, subject) {
  if ( == "org.libvirt.unix.manage" &&
    subject.isInGroup("cloud")) {
      return polkit.Result.YES;

sudo systemctl restart polkit.service

Now, enable the oneadmin:cloud user to do qemu-kvm KVM operations, and stop libvirtd from changing ownership of KVM images, etc from the oneadmin user.

# this patch may need regen...
sudo patch -b -p0 -d /etc/libvirt  < ine_craft_service/doc/etc-libvirt/qemu.conf.patch

Next, enable libvirtd to listen as a service on its standard TCP port, and turn on SASL support.

sudo patch -b -p0 -d /etc/libvirt  < ine_craft_service/doc/etc-libvirt/libvirtd.conf.patch

# the 'patch' should include:

   listen_tls = 0
   listen_tcp = 1
   mdns_adv = 0
   unix_sock_group = “cloud”
   unix_sock_rw_perms = “0777″

   auth_unix_ro = “none”
   auth_unix_rw = “none”

sudo systemctl restart libvirtd
sudo systemctl status  libvirtd

qemu-kvm cannot be run by the oneadmin (non-root) user, without this new udev rule.

sudo tee /etc/udev/rules.d/60-qemu-kvm.rules  <<!EOF
KERNEL=="kvm", GROUP="cloud", MODE="0660"

sudo udevadm control --reload-rule   ## *must* reload udev rules!

Doing some due diligence...

mkdir /var/run/libvirt/network  ## silence libvirtd complaints in 'messages'

4.5.1   Trust, but verify

Dump the Cloud-node configuration, as known to libvirtd (via a Ruby app).

# this script is a "virsh" wrapper ... !
sudo -u oneadmin /var/lib/one/remotes/im/kvm.d/kvm.rb

5   Running the ONE services

5.1   Initialize for ONE service

There is a one-time initialization for the ONE service oned, that must happen.

sudo -u oneadmin env ONE_AUTH=/var/lib/one/.one/one_auth /usr/sbin/onedsetup

5.2   Bring up ONE services

Next, enable all OpenNebula services, start them and then get their status.


for svc in one.service one_scheduler.service sunstone.service; do
    sudo systemctl $OP $svc

# paste above for-loop, here

# paste above for-loop, here

5.2.1   Trust,but verify ONE services

Run some "tests" as oneadmin, to see if access and configurations may work.

sudo su - oneadmin  # become the oneadmin user

onehost list

onehost show 0 -x   # should dump the #0 Host info & resources, as XML

5.3   Start the OCCI api-service

Next, start the OCCI remote-API service.

sudo -u oneadmin  occi-server start

To stop this service:

sudo kill $(cat /var/run/one/

NOTE: OCCI-service - start, stop, etc - needs to be in a "host local" service script - using systemd?

5.3.1   Trust, but verify

To test this service at any time - as oneadmin user:

occi-storage list

occi-instance-type list --verbose  #  -U oneadmin -P passWurd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.