@biggers
Created October 31, 2013 15:23
OpenNebula: openSUSE first-cut Deployment -- document

OpenNebula: openSUSE first-cut Deployment

Author: Mark Biggers <mbiggers@ine.com>

Description: Install & configuration of OpenNebula (ONE) 4.x on openSUSE 12.3

Ref: SDB:Cloud OpenNebula: <http://en.opensuse.org/SDB:Cloud_OpenNebula>

Ref: ONE Installing the Software: <http://opennebula.org/documentation:rel4.2:ignc#opensuse_platform_notes>

Ref: KVM driver, KVM configuration: <http://opennebula.org/documentation:archives:rel4.0:kvmg#kvm_configuration>

Ref: ONE Rel 4.2 packages, for openSUSE: <http://download.opensuse.org/repositories/Cloud:/OpenNebula:/Testing/openSUSE_12.3/>

Ref: SDB:KIWI Cookbook ONebula Cloud

Ref: OCCI Server Configuration: <http://opennebula.org/documentation:rel4.2:occicg>

Ref: xyzzy: <>

Revision: 1.0

To View: restview README.rst

Metainfo: restview, Restructured Text Viewer: <https://pypi.python.org/pypi/nrestview>

Metainfo: Introductory ReST docs

Organization: Internetwork Experts, http://www.INE.com

Date: 25 October 2013


Getting Started

Review the documentation

To install ONE, read all of these docs (see the Refs above) in addition to following this guide.

SDB:Cloud OpenNebula

ONE Installing the Software

It's not enough to just install the ONE software on a given Linux platform. There is extensive documentation for planning a ONE Cloud deployment.

OpenNebula 4.2 Guides http://opennebula.org/documentation:rel4.2

Preparing for ONE installation

The focus of this deployment is KVM technology for virtual machines, VM resource management and, to a degree, the management of VM "networks".

Install, configure KVM & libvirtd

For a ONE Cloud-node

Using Linux KVM as the VM technology requires the libvirtd service, virsh and the related KVM command-line tools. OpenNebula supports the KVM, Xen and VMware VM technologies. :

zypper install libvirt

# for KVM tools, development
zypper install libvirt-client libvirt-python libvirt-devel kvm

Installing ONE for openSUSE

Add and enable the repository for the openSUSE ONE packages. :

sudo zypper ar -n OpenNebula -f http://download.opensuse.org/repositories/Cloud:/OpenNebula:/Testing/openSUSE_12.3 on

Install the following package to get going: :

sudo zypper install opennebula

For the Sunstone management Web UI for ONE, install: :

sudo zypper install opennebula-sunstone

The Secure Shell service must be up on each ONE Cloud-host, and on the Cloud-master! The oneadmin user has an ssh public-key login, for password-less logins to the ONE hosts. :

for op in enable start status; do
    sudo systemctl $op  sshd
done

Installing the ONE packages

Install Ruby support via ONE

Custom Ruby packages for ONE, the Web framework sinatra, and all the openSUSE Ruby language support they require need to be installed. (This is done by the latest openSUSE ONE packages!)

Install OpenVSwitch

This installation of openVSwitch is for the configuration of a basic ONE network definition. Installing OVS provides the ovs service and the command-line ovs-* tools. :

zypper ar http://download.opensuse.org/repositories/Cloud:/OpenStack:/Master/openSUSE_12.3/Cloud:OpenStack:Master.repo

zypper install -y openvswitch-switch openvswitch-kmp-default tcpdump ethtool

tcpdump and ethtool will be very useful for CRAFT networking configurations and debugging!

NOTE: The configuration of a set of openVSwitches - within & outside of a set of client VMs - will be covered in another document.

NOTE: dropped this for now - must get basic VM deployment to work!

Configuration for ONE services

Set authorization for oneadmin

The oneadmin user needs login authorization; provide a password here. :

ONE_AUTH=/var/lib/one/.one/one_auth

sudo tee $ONE_AUTH  <<EOF
oneadmin:passWurd
EOF

sudo chown oneadmin:cloud  $ONE_AUTH
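An added example, not part of the original gist: the same credential file written so that only its owner can read it, plus a check of its format and mode. The path, user and password are arguments (chown to oneadmin:cloud afterwards, as above).

```shell
# Added example (not from the original gist): create the oneadmin credential
# file readable only by its owner, then verify its contents and permissions.

# Write USER:PASSWORD to FILE. The subshell umask makes a new file 0600 and
# the chmod tightens a file that already existed with looser permissions.
one_auth_write() {
    file=$1; user=$2; pass=$3
    (umask 077 && printf '%s:%s\n' "$user" "$pass" > "$file") && chmod 600 "$file"
}

# Verify FILE holds exactly one user:password line and is not readable by the
# group or by others. Prints the first problem found and returns 1 on failure.
one_auth_check() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    [ "$(grep -c '' "$file")" -eq 1 ] || { echo "expected exactly one line"; return 1; }
    grep -Eq '^[^:[:space:]]+:[^[:space:]]+$' "$file" \
        || { echo "bad user:password format"; return 1; }
    # GNU stat first (openSUSE); BSD stat as a fallback for portability
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in
        600|400) return 0 ;;
        *) echo "mode $mode is too permissive"; return 1 ;;
    esac
}
```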

Ensure that all the Linux groups ONE seems to need are configured for the oneadmin user! :

sudo groupadd -o -g 1000 oneadmin   ## use the _same_ GID as 'cloud'; -o permits the duplicate GID

sudo usermod -a -G libvirt,qemu,kvm,oneadmin,cloud oneadmin

Finalize ssh access

Ensure that oneadmin has "clean" ssh access, across all ONE Cloud nodes. :

sudo -u oneadmin  tee ~oneadmin/.ssh/config <<EOF
# for every host oneadmin connects to: accept any host key and do not record it
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

EOF

Enable sudo access to key commands

The oneadmin user needs restricted sudo privileges. Create this file as root. :

tee /etc/sudoers.d/oneadmin-sudo  <<EOF

# 'oneadmin' management sudo rights -- openSUSE paths
Cmnd_Alias  ONEADMIN_NETW = /usr/bin/ovs-vsctl, /usr/sbin/ebtables
Cmnd_Alias  ONEADMIN_LVM  = /sbin/lvs, /sbin/lvcreate, /sbin/lvremove, /sbin/vgdisplay, /usr/bin/dd

# only the network alias is granted; ONEADMIN_LVM is defined but not used below
%cloud     ALL = NOPASSWD: ONEADMIN_NETW
%oneadmin  ALL = NOPASSWD: ONEADMIN_NETW

EOF

Restrict services access to /var/lib/one

Add to the directories ONE is allowed to use for image data (optional). :

sudo mkdir -p /etc/one/image/
sudo tee /etc/one/image/fs.conf  <<EOF
## IMAGE_REPOSITORY_PATH=/var/lib/one/images
## RESTRICTED_DIRS="/var/lib/one/ /etc/one/"
SAFE_DIRS="/var/lib/one/downloads"
EOF

Configuring KVM & Libvirtd service

For a ONE Cloud-node

This config-file for PolicyKit permits oneadmin (in the cloud group) to manage libvirtd-controlled resources. Run this as user root. :

tee /etc/polkit-1/rules.d/50-org.libvirt.unix.manage.rules <<EOF

# on Cloud "nodes"  -- so 'polkitd' permits 'oneadmin' user
# to do 'libvirtd' ops
#
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.isInGroup("cloud")) {
        return polkit.Result.YES;
    }
});
EOF

sudo systemctl restart polkit.service

Now, enable the oneadmin:cloud user to run qemu-kvm operations, and stop libvirtd from changing the ownership of KVM images, etc., away from the oneadmin user. :

# this patch may need regen...
sudo patch -b -p0 -d /etc/libvirt  < ine_craft_service/doc/etc-libvirt/qemu.conf.patch

Next, enable libvirtd to listen as a service on its standard TCP port, and turn on SASL support. :

sudo patch -b -p0 -d /etc/libvirt  < ine_craft_service/doc/etc-libvirt/libvirtd.conf.patch

# the 'patch' should include:

   listen_tls = 0               # no TLS listener
   listen_tcp = 1               # plain TCP listener on the standard port
   mdns_adv = 0                 # no mDNS advertisement
   unix_sock_group = "cloud"    # oneadmin is a member of this group
   unix_sock_rw_perms = "0777"

   auth_unix_ro = "none"        # no authentication on the local unix sockets
   auth_unix_rw = "none"        # (auth_tcp keeps its default, "sasl")


sudo systemctl restart libvirtd
sudo systemctl status  libvirtd
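An added check, not part of the original gist: a POSIX shell function that reads a setting from a libvirtd.conf-style file, and a second one that compares the file against the settings the patch above is expected to produce. The file path is an argument, so it can be pointed at /etc/libvirt/libvirtd.conf after patching.

```shell
# Added example (not from the original gist): audit a libvirtd.conf-style
# file for the settings the libvirtd.conf patch above is expected to set.

# Print the effective value of KEY in FILE (the last uncommented assignment
# wins, as libvirtd reads it), with surrounding double quotes and trailing
# whitespace stripped; prints nothing if the key is not set.
libvirt_conf_get() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
        | tail -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Compare FILE against the expected settings. Every mismatch is printed as
# KEY=ACTUAL ('<unset>' when absent); returns 0 only when all of them match.
libvirt_conf_check() {
    file=$1; rc=0
    for pair in listen_tls=0 listen_tcp=1 mdns_adv=0 unix_sock_group=cloud \
                unix_sock_rw_perms=0777 auth_unix_ro=none auth_unix_rw=none; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(libvirt_conf_get "$file" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key=${have:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh audit-libvirtd.sh /etc/libvirt/libvirtd.conf
if [ $# -gt 0 ]; then
    libvirt_conf_check "$1"
fi
```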

qemu-kvm cannot be run by the oneadmin (non-root) user, without this new udev rule. :

sudo tee /etc/udev/rules.d/60-qemu-kvm.rules  <<EOF
KERNEL=="kvm", GROUP="cloud", MODE="0660"
EOF

sudo udevadm control --reload-rules   ## *must* reload udev rules!

Doing some due diligence... :

sudo mkdir -p /var/run/libvirt/network  ## silence libvirtd complaints in 'messages'

Trust, but verify

Dump the Cloud-node configuration, as known to libvirtd (via a Ruby app). :

# this script is a "virsh" wrapper ... !
sudo -u oneadmin /var/lib/one/remotes/im/kvm.d/kvm.rb

Running the ONE services

Initialize for ONE service

There is a one-time initialization of the ONE service oned that must happen. :

sudo -u oneadmin env ONE_AUTH=/var/lib/one/.one/one_auth /usr/sbin/onedsetup

Bring up ONE services

Next, enable all OpenNebula services, start them and then get their status. :

# enable, then restart, then report the status of each ONE service
for OP in enable restart status; do
    for svc in one.service one_scheduler.service sunstone.service; do
        sudo systemctl $OP $svc
    done
done

Trust, but verify ONE services

Run some "tests" as oneadmin, to see whether access and configuration work. :

sudo su - oneadmin  # become the oneadmin user

onehost list

onehost show 0 -x   # should dump the #0 Host info & resources, as XML

Start the OCCI api-service

Next, start the OCCI remote-API service. :

sudo -u oneadmin  occi-server start

To stop this service: :

sudo kill $(cat /var/run/one/occi-server.pid)

NOTE: OCCI-service - start, stop, etc - needs to be in a "host local" service script - using systemd?

Trust, but verify

To test this service at any time, as the oneadmin user: :

occi-storage list

occi-instance-type list --verbose  #  -U oneadmin -P passWurd