root / docs / admin-guide.rst @ 0768a1df
History | View | Annotate | Download (16.7 kB)
1 |
.. _admin-guide: |
---|---|
2 |
|
3 |
Synnefo Administrator's Guide |
4 |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
5 |
|
6 |
This is the complete Synnefo Administrator's Guide. |
7 |
|
8 |
|
9 |
|
10 |
General Synnefo Architecture |
11 |
============================ |
12 |
|
13 |
The following graph shows the whole Synnefo architecture and how it interacts |
14 |
with multiple Ganeti clusters. We hope that after reading the Administrator's |
15 |
Guide you will be able to understand every component and all the interactions |
16 |
between them. It is a good idea to first go through the Quick Administrator's |
17 |
Guide before proceeding. |
18 |
|
19 |
.. image:: images/synnefo-architecture1.png |
20 |
:width: 100% |
21 |
:target: _images/synnefo-architecture1.png |
22 |
|
23 |
|
24 |
Identity Service (Astakos) |
25 |
========================== |
26 |
|
27 |
|
28 |
Overview |
29 |
-------- |
30 |
|
31 |
Authentication methods |
32 |
~~~~~~~~~~~~~~~~~~~~~~ |
33 |
|
34 |
Local Authentication |
35 |
```````````````````` |
36 |
|
37 |
LDAP Authentication |
38 |
``````````````````` |
39 |
|
40 |
.. _shibboleth-auth: |
41 |
|
42 |
Shibboleth Authentication |
43 |
````````````````````````` |
44 |
|
45 |
Astakos can delegate user authentication to a Shibboleth federation. |
46 |
|
47 |
To setup shibboleth, install package:: |
48 |
|
49 |
apt-get install libapache2-mod-shib2 |
50 |
|
51 |
Change appropriately the configuration files in ``/etc/shibboleth``. |
52 |
|
53 |
Add in ``/etc/apache2/sites-available/synnefo-ssl``:: |
54 |
|
55 |
ShibConfig /etc/shibboleth/shibboleth2.xml |
56 |
Alias /shibboleth-sp /usr/share/shibboleth |
57 |
|
58 |
<Location /im/login/shibboleth> |
59 |
AuthType shibboleth |
60 |
ShibRequireSession On |
61 |
ShibUseHeaders On |
62 |
require valid-user |
63 |
</Location> |
64 |
|
65 |
and before the line containing:: |
66 |
|
67 |
ProxyPass / http://localhost:8080/ retry=0 |
68 |
|
69 |
add:: |
70 |
|
71 |
ProxyPass /Shibboleth.sso ! |
72 |
|
73 |
Then, enable the shibboleth module:: |
74 |
|
75 |
a2enmod shib2 |
76 |
|
77 |
After passing through the apache module, the following tokens should be |
78 |
available at the destination:: |
79 |
|
80 |
eppn # eduPersonPrincipalName |
81 |
Shib-InetOrgPerson-givenName |
82 |
Shib-Person-surname |
83 |
Shib-Person-commonName |
84 |
Shib-InetOrgPerson-displayName |
85 |
Shib-EP-Affiliation |
86 |
Shib-Session-ID |
87 |
|
88 |
Finally, add 'shibboleth' in ``ASTAKOS_IM_MODULES`` list. The variable resides |
89 |
inside the file ``/etc/synnefo/20-snf-astakos-app-settings.conf`` |
90 |
|
91 |
Architecture |
92 |
------------ |
93 |
|
94 |
Prereqs |
95 |
------- |
96 |
|
97 |
Installation |
98 |
------------ |
99 |
|
100 |
Configuration |
101 |
------------- |
102 |
|
103 |
Working with Astakos |
104 |
-------------------- |
105 |
|
106 |
User activation methods |
107 |
~~~~~~~~~~~~~~~~~~~~~~~ |
108 |
|
109 |
When a new user signs up, he/she is not marked as active. You can see his/her |
110 |
state by running (on the machine that runs the Astakos app): |
111 |
|
112 |
.. code-block:: console |
113 |
|
114 |
$ snf-manage user-list |
115 |
|
116 |
There are two different ways to activate a new user. Both need access to a |
117 |
running :ref:`mail server <mail-server>`. |
118 |
|
119 |
Manual activation |
120 |
````````````````` |
121 |
|
122 |
You can manually activate a new user that has already signed up, by sending |
123 |
him/her an activation email. The email will contain an approriate activation |
124 |
link, which will complete the activation process if followed. You can send the |
125 |
email by running: |
126 |
|
127 |
.. code-block:: console |
128 |
|
129 |
$ snf-manage user-activation-send <user ID or email> |
130 |
|
131 |
Be sure to have already setup your mail server and defined it in your Synnefo |
132 |
settings, before running the command. |
133 |
|
134 |
Automatic activation |
135 |
```````````````````` |
136 |
|
137 |
FIXME: Describe Regex activation method |
138 |
|
139 |
Astakos advanced operations |
140 |
--------------------------- |
141 |
|
142 |
Adding "Terms of Use" |
143 |
~~~~~~~~~~~~~~~~~~~~~ |
144 |
|
145 |
Astakos supports versioned terms-of-use. First of all you need to create an |
146 |
html file that will contain your terms. For example, create the file |
147 |
``/usr/share/synnefo/sample-terms.html``, which contains the following: |
148 |
|
149 |
.. code-block:: console |
150 |
|
151 |
<h1>~okeanos terms</h1> |
152 |
|
153 |
These are the example terms for ~okeanos |
154 |
|
155 |
Then, add those terms-of-use with the snf-manage command: |
156 |
|
157 |
.. code-block:: console |
158 |
|
159 |
$ snf-manage term-add /usr/share/synnefo/sample-terms.html |
160 |
|
161 |
Your terms have been successfully added and you will see the corresponding link |
162 |
appearing in the Astakos web pages' footer. |
163 |
|
164 |
Enabling reCAPTCHA |
165 |
~~~~~~~~~~~~~~~~~~ |
166 |
|
167 |
Astakos supports the `reCAPTCHA <http://www.google.com/recaptcha>`_ feature. |
168 |
If enabled, it protects the Astakos forms from bots. To enable the feature, go |
169 |
to https://www.google.com/recaptcha/admin/create and create your own reCAPTCHA |
170 |
key pair. Then edit ``/etc/synnefo/20-snf-astakos-app-settings.conf`` and set |
171 |
the corresponding variables to reflect your newly created key pair. Finally, set |
172 |
the ``ASTAKOS_RECAPTCHA_ENABLED`` variable to ``True``: |
173 |
|
174 |
.. code-block:: console |
175 |
|
176 |
ASTAKOS_RECAPTCHA_PUBLIC_KEY = 'example_recaptcha_public_key!@#$%^&*(' |
177 |
ASTAKOS_RECAPTCHA_PRIVATE_KEY = 'example_recaptcha_private_key!@#$%^&*(' |
178 |
|
179 |
ASTAKOS_RECAPTCHA_ENABLED = True |
180 |
|
181 |
Restart the service on the Astakos node(s) and you are ready: |
182 |
|
183 |
.. code-block:: console |
184 |
|
185 |
# /etc/init.d/gunicorn restart |
186 |
|
187 |
Checkout your new Sign up page. If you see the reCAPTCHA box, you have setup |
188 |
everything correctly. |
189 |
|
190 |
|
191 |
|
192 |
File Storage Service (Pithos) |
193 |
============================= |
194 |
|
195 |
Overview |
196 |
-------- |
197 |
|
198 |
Architecture |
199 |
------------ |
200 |
|
201 |
Prereqs |
202 |
------- |
203 |
|
204 |
Installation |
205 |
------------ |
206 |
|
207 |
Configuration |
208 |
------------- |
209 |
|
210 |
Working with Pithos |
211 |
------------------- |
212 |
|
213 |
Pithos advanced operations |
214 |
-------------------------- |
215 |
|
216 |
|
217 |
|
218 |
Compute/Network/Image Service (Cyclades) |
219 |
======================================== |
220 |
|
221 |
Compute Overview |
222 |
---------------- |
223 |
|
224 |
Network Overview |
225 |
---------------- |
226 |
|
227 |
Image Overview |
228 |
-------------- |
229 |
|
230 |
Architecture |
231 |
------------ |
232 |
|
233 |
Prereqs |
234 |
------- |
235 |
|
236 |
RabbitMQ |
237 |
~~~~~~~~ |
238 |
|
239 |
RabbitMQ is used as a generic message broker for Cyclades. It should be |
240 |
installed on two seperate :ref:`QUEUE <QUEUE_NODE>` nodes in a high |
241 |
availability configuration as described here: |
242 |
|
243 |
http://www.rabbitmq.com/pacemaker.html |
244 |
|
245 |
The values set for the user and password must be mirrored in the ``RABBIT_*`` |
246 |
variables in your settings, as managed by :ref:`snf-common <snf-common>`. |
247 |
|
248 |
.. todo:: Document an active-active configuration based on the latest version |
249 |
of RabbitMQ. |
250 |
|
251 |
Installation |
252 |
------------ |
253 |
|
254 |
Configuration |
255 |
------------- |
256 |
|
257 |
Working with Cyclades |
258 |
--------------------- |
259 |
|
260 |
Managing Ganeti Backends |
261 |
^^^^^^^^^^^^^^^^^^^^^^^^ |
262 |
|
263 |
Since v0.11 Synnefo is able to manage multiple Ganeti clusters (backends) |
264 |
making it capable to scale to thousand of VMs. Backends can be dynamically be |
265 |
added or removed via `snf-manage` commands. |
266 |
|
267 |
From the VM perspective, each VM that is created is allocated to a Ganeti |
268 |
backend by Cyclades backend allocator. The VM is "pinned" to this backend, and |
269 |
can not change through its lifetime. The backend allocator decides in which |
270 |
backend to spawn the VM based of the available resources of its backend, trying |
271 |
to balance the load between them. |
272 |
|
273 |
Handling of Networks, as far as backends are concerned, is based on whether the |
274 |
network is public or not. Public networks are created through `snf-manage |
275 |
network-create` command, and are only created to one backend. Private networks |
276 |
are created in all backends in order to ensure that VMs in all backends can |
277 |
be connected to the same private network. |
278 |
|
279 |
Listing existing backend |
280 |
^^^^^^^^^^^^^^^^^^^^^^^^ |
281 |
To find out the available Ganeti backends, run: |
282 |
.. code-block:: console |
283 |
|
284 |
$ snf-manage backend-list |
285 |
|
286 |
Adding a new Ganeti backend |
287 |
^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
288 |
Backends are dynamically added under the control of Synnefo with `snf-manage |
289 |
backend-add` command. In this section it is assumed that a Ganeti cluster, |
290 |
named cluster.example.com is already up and running and configured to be able |
291 |
to host Synnefo VMs. |
292 |
|
293 |
To add the Ganeti cluster, run: |
294 |
.. code-block:: console |
295 |
|
296 |
$ snf-manage backend-add --clustername=cluster.example.com --user="synnefo_user" --pass="synnefo_pass" |
297 |
|
298 |
where clustername is the DNS resolvable address of the Ganeti cluster, and user |
299 |
and pass are the credentials for the Ganeti RAPI user. All of the backends |
300 |
attributes can also be changed dynamically with `snf-manage backend-modify` |
301 |
command. |
302 |
|
303 |
This command will also create all private networks to the new Backend. You can |
304 |
verify that the backend is added, by running `snf-manage backend-list` command. |
305 |
|
306 |
Note that no VMs will be spawned to this backend, until a public network is |
307 |
associated with it. |
308 |
|
309 |
Removing an existing Ganeti backend |
310 |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
311 |
In order to remove an existing backend, run: |
312 |
.. code-block:: console |
313 |
|
314 |
# snf-manage backend-remove ID |
315 |
|
316 |
This command will fail if there are active VMs to the backend. Also, the |
317 |
backend is not cleaned before removing it, so all of Synnefo private networks |
318 |
will be left. |
319 |
|
320 |
Allocation of VMS in Ganneti backends |
321 |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
322 |
As already mentioned, the backend allocator is responsible allocating new VMs |
323 |
to backends. This allocator is not concerned about the Ganeti node that will |
324 |
host the VM, which is chosen by the Ganeti allocator. |
325 |
|
326 |
The decision about which backend will host a VM is based on the available |
327 |
resources. The allocator computes a score for each backend, that shows its load |
328 |
factor, and the one with the minimum score is chosen. The admin can exclude |
329 |
backends from the allocation phase by marking them as drained by running: |
330 |
.. code-block:: console |
331 |
|
332 |
$ snf-manage backend-modify --drained ID |
333 |
|
334 |
The backend resources are periodically updated, at a period defined by |
335 |
`BACKEND_REFRESH_MIN` setting or by running `snf-manage backend-update-status` |
336 |
command. It is advised to have a cron job running this command at a smaller |
337 |
interval than `BACKEND_REFRESH_MIN` in order to remove the load of refreshing |
338 |
the backends stats from the VM creation phase. |
339 |
|
340 |
Finally, the admin can decide to have a user VMs in a specific backend, with |
341 |
the `BACKEND_PER_USER` setting. |
342 |
|
343 |
|
344 |
Cyclades advanced operations |
345 |
---------------------------- |
346 |
|
347 |
Reconciliation mechanism |
348 |
~~~~~~~~~~~~~~~~~~~~~~~~ |
349 |
On certain occasions, such as a Ganeti or RabbitMQ failure, the state of |
350 |
Cyclades database may differ from the real state of VMs and networks in the |
351 |
Ganeti backends. The reconciliation process is designed to synchronize |
352 |
the state of the Cyclades DB with Ganeti. There are two management commands |
353 |
for reconciling VMs and Networks |
354 |
|
355 |
Reconciling VirtualMachine |
356 |
~~~~~~~~~~~~~~~~~~~~~~~~~~ |
357 |
Reconciliation of VMs detects the following conditions: |
358 |
* Stale DB servers without corresponding Ganeti instances |
359 |
* Orphan Ganeti instances, without corresponding DB entries |
360 |
* Out-of-sync state for DB entries wrt to Ganeti instances |
361 |
|
362 |
To detect all inconsistencies you can just run: |
363 |
.. code-block:: console |
364 |
$ snf-manage reconcile --detect-all |
365 |
|
366 |
Adding the `--fix-all` option, will do the actual synchronization: |
367 |
.. code-block:: console |
368 |
$ snf-manage reconcile --detect-all --fix-all |
369 |
|
370 |
Please see ``snf-manage reconcile --help`` for all the details. |
371 |
|
372 |
|
373 |
Reconciling Networks |
374 |
~~~~~~~~~~~~~~~~~~~~ |
375 |
Reconciliation of Networks detects the following conditions: |
376 |
* Stale DB networks without corresponding Ganeti networks |
377 |
* Orphan Ganeti networks, without corresponding DB entries |
378 |
* Private networks that are not created to all Ganeti backends |
379 |
* Unsynchronized IP pools |
380 |
|
381 |
To detect all inconsistencies you can just run: |
382 |
.. code-block:: console |
383 |
$ snf-manage reconcile-networks |
384 |
|
385 |
Adding the `--fix-all` option, will do the actual synchronization: |
386 |
.. code-block:: console |
387 |
$ snf-manage reconcile-networks --fix-all |
388 |
|
389 |
Please see ``snf-manage reconcile-networks --help`` for all the details. |
390 |
|
391 |
|
392 |
Block Storage Service (Archipelago) |
393 |
=================================== |
394 |
|
395 |
Overview |
396 |
-------- |
397 |
|
398 |
Architecture |
399 |
------------ |
400 |
|
401 |
Prereqs |
402 |
------- |
403 |
|
404 |
Installation |
405 |
------------ |
406 |
|
407 |
Configuration |
408 |
------------- |
409 |
|
410 |
Working with Archipelago |
411 |
------------------------ |
412 |
|
413 |
Archipelago advanced operations |
414 |
------------------------------- |
415 |
|
416 |
|
417 |
.. _mail-server: |
418 |
|
419 |
Configure mail server |
420 |
--------------------- |
421 |
|
422 |
In order to be able to send email (for example activation emails), |
423 |
synnefo needs access to a running mail server. Your mail server should |
424 |
be defined in the ``/etc/synnefo/00-snf-common-admins.conf`` |
425 |
related constants. At least: |
426 |
|
427 |
.. code-block:: console |
428 |
|
429 |
EMAIL_HOST = "my_mail_server.example.com" |
430 |
EMAIL_PORT = "25" |
431 |
|
432 |
The "kamaki" API client |
433 |
======================= |
434 |
|
435 |
To upload, register or modify an image you will need the **kamaki** tool. |
436 |
Before proceeding make sure that it is configured properly. Verify that |
437 |
*image_url*, *storage_url*, and *token* are set as needed: |
438 |
|
439 |
.. code-block:: console |
440 |
|
441 |
$ kamaki config list |
442 |
|
443 |
To chage a setting use ``kamaki config set``: |
444 |
|
445 |
.. code-block:: console |
446 |
|
447 |
$ kamaki config set image_url https://cyclades.example.com/plankton |
448 |
$ kamaki config set storage_url https://pithos.example.com/v1 |
449 |
$ kamaki config set token ... |
450 |
|
451 |
Upload Image |
452 |
------------ |
453 |
|
454 |
As a shortcut, you can configure a default account and container that will be |
455 |
used by the ``kamaki store`` commands: |
456 |
|
457 |
.. code-block:: console |
458 |
|
459 |
$ kamaki config set storage_account images@example.com |
460 |
$ kamaki config set storage_container images |
461 |
|
462 |
If the container does not exist, you will have to create it before uploading |
463 |
any images: |
464 |
|
465 |
.. code-block:: console |
466 |
|
467 |
$ kamaki store create images |
468 |
|
469 |
You are now ready to upload an image. You can upload it with a Pithos+ client, |
470 |
or use kamaki directly: |
471 |
|
472 |
.. code-block:: console |
473 |
|
474 |
$ kamaki store upload ubuntu.iso |
475 |
|
476 |
You can use any Pithos+ client to verify that the image was uploaded correctly. |
477 |
The full Pithos URL for the previous example will be |
478 |
``pithos://images@example.com/images/ubuntu.iso``. |
479 |
|
480 |
|
481 |
Register Image |
482 |
-------------- |
483 |
|
484 |
To register an image you will need to use the full Pithos+ URL. To register as |
485 |
a public image the one from the previous example use: |
486 |
|
487 |
.. code-block:: console |
488 |
|
489 |
$ kamaki glance register Ubuntu pithos://images@example.com/images/ubuntu.iso --public |
490 |
|
491 |
The ``--public`` flag is important, if missing the registered image will not |
492 |
be listed by ``kamaki glance list``. |
493 |
|
494 |
Use ``kamaki glance register`` with no arguments to see a list of available |
495 |
options. A more complete example would be the following: |
496 |
|
497 |
.. code-block:: console |
498 |
|
499 |
$ kamaki glance register Ubuntu pithos://images@example.com/images/ubuntu.iso \ |
500 |
--public --disk-format diskdump --property kernel=3.1.2 |
501 |
|
502 |
To verify that the image was registered successfully use: |
503 |
|
504 |
.. code-block:: console |
505 |
|
506 |
$ kamaki glance list -l |
507 |
|
508 |
|
509 |
|
510 |
Miscellaneous |
511 |
============= |
512 |
|
513 |
Admin tool: snf-manage |
514 |
---------------------- |
515 |
|
516 |
``snf-manage`` is a tool used to perform various administrative tasks. It needs |
517 |
to be able to access the django database, so the following should be able to |
518 |
import the Django settings. |
519 |
|
520 |
Additionally, administrative tasks can be performed via the admin web interface |
521 |
located in /admin. Only users of type ADMIN can access the admin pages. To |
522 |
change the type of a user to ADMIN, snf-admin can be used: |
523 |
|
524 |
.. code-block:: console |
525 |
|
526 |
$ snf-manage user-modify 42 --type ADMIN |
527 |
|
528 |
Logging |
529 |
------- |
530 |
|
531 |
Logging in Synnefo is using Python's logging module. The module is configured |
532 |
using dictionary configuration, whose format is described here: |
533 |
|
534 |
http://docs.python.org/release/2.7.1/library/logging.html#logging-config-dictschema |
535 |
|
536 |
Note that this is a feature of Python 2.7 that we have backported for use in |
537 |
Python 2.6. |
538 |
|
539 |
The logging configuration dictionary is defined in settings.d/00-logging.conf |
540 |
and is broken in 4 separate dictionaries: |
541 |
|
542 |
* LOGGING is the logging configuration used by the web app. By default all |
543 |
loggers fall back to the main 'synnefo' logger. The subloggers can be |
544 |
changed accordingly for finer logging control. e.g. To disable debug |
545 |
messages from the API set the level of 'synnefo.api' to 'INFO'. |
546 |
|
547 |
* DISPATCHER_LOGGING is the logging configuration of the logic/dispatcher.py |
548 |
command line tool. |
549 |
|
550 |
* SNFADMIN_LOGGING is the logging configuration of the snf-admin tool. |
551 |
Consider using matching configuration for snf-admin and the synnefo.admin |
552 |
logger of the web app. |
553 |
|
554 |
Please note the following: |
555 |
|
556 |
* As of Synnefo v0.7, by default the Django webapp logs to syslog, the |
557 |
dispatcher logs to /var/log/synnefo/dispatcher.log and the console, |
558 |
snf-admin logs to the console. |
559 |
* Different handlers can be set to different logging levels: |
560 |
for example, everything may appear to the console, but only INFO and higher |
561 |
may actually be stored in a longer-term logfile |
562 |
|
563 |
|
564 |
|
565 |
Scaling up to multiple nodes |
566 |
============================ |
567 |
|
568 |
Here we will describe how to deploy all services, interconnected with each |
569 |
other, on multiple physical nodes. |
570 |
|
571 |
synnefo components |
572 |
------------------ |
573 |
|
574 |
You need to install the appropriate synnefo software components on each node, |
575 |
depending on its type, see :ref:`Architecture <cyclades-architecture>`. |
576 |
|
577 |
Please see the page of each synnefo software component for specific |
578 |
installation instructions, where applicable. |
579 |
|
580 |
Install the following synnefo components: |
581 |
|
582 |
Nodes of type :ref:`APISERVER <APISERVER_NODE>` |
583 |
Components |
584 |
:ref:`snf-common <snf-common>`, |
585 |
:ref:`snf-webproject <snf-webproject>`, |
586 |
:ref:`snf-cyclades-app <snf-cyclades-app>` |
587 |
Nodes of type :ref:`GANETI-MASTER <GANETI_MASTER>` and :ref:`GANETI-NODE <GANETI_NODE>` |
588 |
Components |
589 |
:ref:`snf-common <snf-common>`, |
590 |
:ref:`snf-cyclades-gtools <snf-cyclades-gtools>` |
591 |
Nodes of type :ref:`LOGIC <LOGIC_NODE>` |
592 |
Components |
593 |
:ref:`snf-common <snf-common>`, |
594 |
:ref:`snf-webproject <snf-webproject>`, |
595 |
:ref:`snf-cyclades-app <snf-cyclades-app>`. |
596 |
|
597 |
|
598 |
|
599 |
Upgrade Notes |
600 |
============= |
601 |
|
602 |
Cyclades upgrade notes |
603 |
---------------------- |
604 |
|
605 |
.. toctree:: |
606 |
:maxdepth: 2 |
607 |
|
608 |
cyclades-upgrade |
609 |
|
610 |
Changelog |
611 |
========= |