root / docs / upgrade / upgrade-0.15.rst @ 0f2bd3f9
1 | 774f683b | Giorgos Korfiatis | Upgrade to Synnefo v0.15 |
---|---|---|---|
2 | 774f683b | Giorgos Korfiatis | ^^^^^^^^^^^^^^^^^^^^^^^^ |
3 | 774f683b | Giorgos Korfiatis | |
4 | c7f29a98 | Constantinos Venetsanopoulos | |
5 | 300e9d88 | Christos Stavrakakis | Prerequisites |
6 | 300e9d88 | Christos Stavrakakis | ============== |
7 | 300e9d88 | Christos Stavrakakis | |
8 | 30ae7724 | Christos Stavrakakis | Before upgrading to v0.15, three steps relating to the Cyclades networking |
9 | 30ae7724 | Christos Stavrakakis | service must be performed. |
10 | 300e9d88 | Christos Stavrakakis | |
11 | c7f29a98 | Constantinos Venetsanopoulos | Add unique names to all NICs of all Ganeti instances |
12 | c7f29a98 | Constantinos Venetsanopoulos | ---------------------------------------------------- |
13 | 300e9d88 | Christos Stavrakakis | |
14 | c7f29a98 | Constantinos Venetsanopoulos | Since Ganeti 2.8, it is possible to give a name to a NIC of a Ganeti instance |
15 | c7f29a98 | Constantinos Venetsanopoulos | and then refer to the NIC by that name (and not only by its index). Synnefo |
16 | c7f29a98 | Constantinos Venetsanopoulos | v0.15 assigns a unique name to each NIC and refers to it by that unique name. |
17 | c7f29a98 | Constantinos Venetsanopoulos | Before upgrading to v0.15, Synnefo must assign names to all existing NICs. This |
18 | c7f29a98 | Constantinos Venetsanopoulos | can be easily performed with a helper script that is already shipped with |
19 | c7f29a98 | Constantinos Venetsanopoulos | Synnefo v0.14.10: |
20 | 300e9d88 | Christos Stavrakakis | |
21 | 300e9d88 | Christos Stavrakakis | .. code-block:: console |
22 | 300e9d88 | Christos Stavrakakis | |
23 | 300e9d88 | Christos Stavrakakis | cyclades.host$ /usr/lib/synnefo/tools/add_unique_name_to_nics |
24 | 300e9d88 | Christos Stavrakakis | |
25 | 300e9d88 | Christos Stavrakakis | .. note:: If you are not upgrading from v0.14.10, you can find the migration |
26 | 0af59ea1 | Christos Stavrakakis | script :ref:`here <add_names>`. |
27 | 300e9d88 | Christos Stavrakakis | |
28 | 300e9d88 | Christos Stavrakakis | Extend public networks to all Ganeti backends |
29 | 300e9d88 | Christos Stavrakakis | --------------------------------------------- |
30 | 300e9d88 | Christos Stavrakakis | |
31 | 300e9d88 | Christos Stavrakakis | Before v0.15, each public network of Cyclades existed in one of the Ganeti |
32 | 300e9d88 | Christos Stavrakakis | backends. In order to support dynamic addition and removal of public IPv4 |
33 | c7f29a98 | Constantinos Venetsanopoulos | addresses across VMs, each public network must exist in all Ganeti backends. |
34 | 300e9d88 | Christos Stavrakakis | |
35 | 300e9d88 | Christos Stavrakakis | If you are using more than one Ganeti backend, before upgrading to v0.15 you |
36 | c7f29a98 | Constantinos Venetsanopoulos | must ensure that the network configuration of all Ganeti backends is identical |
37 | 300e9d88 | Christos Stavrakakis | and appropriate to support all public networks of Cyclades. |
38 | 300e9d88 | Christos Stavrakakis | |
39 | 30ae7724 | Christos Stavrakakis | Update Ganeti allocation policy |
40 | 30ae7724 | Christos Stavrakakis | ------------------------------- |
41 | 30ae7724 | Christos Stavrakakis | |
42 | 30ae7724 | Christos Stavrakakis | Minimum number of NICs |
43 | 30ae7724 | Christos Stavrakakis | `````````````````````` |
44 | c7f29a98 | Constantinos Venetsanopoulos | Before v0.15, all Cyclades VMs were forced to be connected to the public |
45 | c7f29a98 | Constantinos Venetsanopoulos | network. Synnefo v0.15 supports more flexible configurations and dynamic |
46 | c7f29a98 | Constantinos Venetsanopoulos | addition/removal of public IPv4 addresses, which can result in VMs with no |
47 | c7f29a98 | Constantinos Venetsanopoulos | NICs at all. However, Ganeti's default allocation policy will not allow |
48 | c7f29a98 | Constantinos Venetsanopoulos | instances without NICs. You will have to override Ganeti's default allocation |
49 | c7f29a98 | Constantinos Venetsanopoulos | policy to set the minimum number of NICs to zero. To do this, first get the |
50 | c7f29a98 | Constantinos Venetsanopoulos | current allocation policy: |
51 | 30ae7724 | Christos Stavrakakis | |
52 | 30ae7724 | Christos Stavrakakis | .. code-block:: console |
53 | 30ae7724 | Christos Stavrakakis | |
54 | 30ae7724 | Christos Stavrakakis | $ gnt-cluster show-ispecs-cmd |
55 | 30ae7724 | Christos Stavrakakis | gnt-cluster init --ipolicy-std-specs cpu-count=1,disk-count=1,disk-size=1024,memory-size=128,nic-count=1,spindle-use=1 |
56 | 30ae7724 | Christos Stavrakakis | --ipolicy-bounds-specs min:cpu-count=1,disk-count=1,disk-size=1024,memory-size=128,nic-count=1,spindle-use=1/max:cpu-count=8,disk-count=16,disk-size=1048576,memory-size=32768,nic-count=8,spindle-use=12 |
57 | 30ae7724 | Christos Stavrakakis | ganeti1.example.synnefo.org |
58 | 30ae7724 | Christos Stavrakakis | |
59 | 30ae7724 | Christos Stavrakakis | Then replace ``min:nic-count=1`` with ``min:nic-count=0``. Also, set |
60 | c7f29a98 | Constantinos Venetsanopoulos | ``max:nic-count=32`` to avoid reaching the default limit of 8. |
61 | 30ae7724 | Christos Stavrakakis | |
62 | 30ae7724 | Christos Stavrakakis | |
63 | 30ae7724 | Christos Stavrakakis | .. code-block:: console |
64 | 30ae7724 | Christos Stavrakakis | |
65 | 30ae7724 | Christos Stavrakakis | gnt-cluster modify --ipolicy-bounds-specs min:cpu-count=1,disk-count=1,disk-size=1024,memory-size=128,nic-count=0,spindle-use=1/max:cpu-count=8,disk-count=16,disk-size=1048576,memory-size=32768,nic-count=32,spindle-use=12 |
66 | 30ae7724 | Christos Stavrakakis | |
67 | 30ae7724 | Christos Stavrakakis | Enabled and allowed disk templates |
68 | 30ae7724 | Christos Stavrakakis | `````````````````````````````````` |
69 | c7f29a98 | Constantinos Venetsanopoulos | In v0.15, the ``ARCHIPELAGO_BACKENDS`` setting, that was used to separate |
70 | 30ae7724 | Christos Stavrakakis | backends that were using Archipelago from the ones that were using all other |
71 | 30ae7724 | Christos Stavrakakis | disk templates, has been removed. Instead, allocation of instances to Ganeti |
72 | 30ae7724 | Christos Stavrakakis | backends is based on which disk templates are enabled and allowed in each |
73 | c7f29a98 | Constantinos Venetsanopoulos | Ganeti backend (see section in :ref:`admin guide <alloc_disk_templates>`). You |
74 | c7f29a98 | Constantinos Venetsanopoulos | can see the enabled/allowed disk templates by inspecting the corresponding |
75 | c7f29a98 | Constantinos Venetsanopoulos | fields in the ``gnt-cluster info`` output. For example, to have a backend holding |
76 | c7f29a98 | Constantinos Venetsanopoulos | only instances with archipelago disk templates, you can set the |
77 | c7f29a98 | Constantinos Venetsanopoulos | ``--ipolicy-disk-templates`` option to include only the ``ext`` disk template. |
78 | 30ae7724 | Christos Stavrakakis | |
79 | 30ae7724 | Christos Stavrakakis | .. code-block:: console |
80 | 30ae7724 | Christos Stavrakakis | |
81 | 30ae7724 | Christos Stavrakakis | gnt-cluster modify --ipolicy-disk-templates=ext |
82 | 300e9d88 | Christos Stavrakakis | |
83 | c7f29a98 | Constantinos Venetsanopoulos | |
84 | 300e9d88 | Christos Stavrakakis | Upgrade Steps |
85 | 300e9d88 | Christos Stavrakakis | ============= |
86 | 300e9d88 | Christos Stavrakakis | |
87 | 774f683b | Giorgos Korfiatis | The upgrade to v0.15 consists of the following steps: |
88 | 774f683b | Giorgos Korfiatis | |
89 | 774f683b | Giorgos Korfiatis | 1. Bring down services and backup databases. |
90 | 774f683b | Giorgos Korfiatis | |
91 | 774f683b | Giorgos Korfiatis | 2. Upgrade packages, migrate the databases and configure settings. |
92 | 774f683b | Giorgos Korfiatis | |
93 | 0136e854 | Christos Stavrakakis | 3. Create floating IP pools |
94 | eb765213 | Giorgos Korfiatis | |
95 | c7f29a98 | Constantinos Venetsanopoulos | 4. Re-register services and resources. |
96 | 0136e854 | Christos Stavrakakis | |
97 | 0136e854 | Christos Stavrakakis | 5. Bring up all services. |
98 | 774f683b | Giorgos Korfiatis | |
99 | 774f683b | Giorgos Korfiatis | .. warning:: |
100 | 774f683b | Giorgos Korfiatis | |
101 | 774f683b | Giorgos Korfiatis | It is strongly suggested that you keep separate database backups |
102 | 774f683b | Giorgos Korfiatis | for each service after the completion of each step. |
103 | 774f683b | Giorgos Korfiatis | |
104 | 774f683b | Giorgos Korfiatis | 1. Bring web services down, backup databases |
105 | 774f683b | Giorgos Korfiatis | ============================================ |
106 | 774f683b | Giorgos Korfiatis | |
107 | 774f683b | Giorgos Korfiatis | 1. All web services must be brought down so that the database maintains a |
108 | 774f683b | Giorgos Korfiatis | predictable and consistent state during the migration process:: |
109 | 774f683b | Giorgos Korfiatis | |
110 | 774f683b | Giorgos Korfiatis | $ service gunicorn stop |
111 | 774f683b | Giorgos Korfiatis | $ service snf-dispatcher stop |
112 | 774f683b | Giorgos Korfiatis | $ service snf-ganeti-eventd stop |
113 | 774f683b | Giorgos Korfiatis | |
114 | 774f683b | Giorgos Korfiatis | 2. Backup databases for recovery to a pre-migration state. |
115 | 774f683b | Giorgos Korfiatis | |
116 | 774f683b | Giorgos Korfiatis | 3. Keep the database servers running during the migration process. |
117 | 774f683b | Giorgos Korfiatis | |
118 | 774f683b | Giorgos Korfiatis | |
119 | 774f683b | Giorgos Korfiatis | 2. Upgrade Synnefo and configure settings |
120 | 774f683b | Giorgos Korfiatis | ========================================= |
121 | 774f683b | Giorgos Korfiatis | |
122 | 774f683b | Giorgos Korfiatis | 2.1 Install the new versions of packages |
123 | 774f683b | Giorgos Korfiatis | ---------------------------------------- |
124 | 774f683b | Giorgos Korfiatis | |
125 | 774f683b | Giorgos Korfiatis | :: |
126 | 774f683b | Giorgos Korfiatis | |
127 | 774f683b | Giorgos Korfiatis | astakos.host$ apt-get install \ |
128 | 774f683b | Giorgos Korfiatis | python-objpool \ |
129 | 774f683b | Giorgos Korfiatis | snf-common \ |
130 | 774f683b | Giorgos Korfiatis | python-astakosclient \ |
131 | 774f683b | Giorgos Korfiatis | snf-django-lib \ |
132 | 774f683b | Giorgos Korfiatis | snf-webproject \ |
133 | 774f683b | Giorgos Korfiatis | snf-branding \ |
134 | 774f683b | Giorgos Korfiatis | snf-astakos-app |
135 | 774f683b | Giorgos Korfiatis | |
136 | 774f683b | Giorgos Korfiatis | cyclades.host$ apt-get install \ |
137 | 774f683b | Giorgos Korfiatis | python-objpool \ |
138 | 774f683b | Giorgos Korfiatis | snf-common \ |
139 | 774f683b | Giorgos Korfiatis | python-astakosclient \ |
140 | 774f683b | Giorgos Korfiatis | snf-django-lib \ |
141 | 774f683b | Giorgos Korfiatis | snf-webproject \ |
142 | 774f683b | Giorgos Korfiatis | snf-branding \ |
143 | 774f683b | Giorgos Korfiatis | snf-pithos-backend \ |
144 | 774f683b | Giorgos Korfiatis | snf-cyclades-app |
145 | 774f683b | Giorgos Korfiatis | |
146 | 774f683b | Giorgos Korfiatis | pithos.host$ apt-get install \ |
147 | 774f683b | Giorgos Korfiatis | python-objpool \ |
148 | 774f683b | Giorgos Korfiatis | snf-common \ |
149 | 774f683b | Giorgos Korfiatis | python-astakosclient \ |
150 | 774f683b | Giorgos Korfiatis | snf-django-lib \ |
151 | 774f683b | Giorgos Korfiatis | snf-webproject \ |
152 | 774f683b | Giorgos Korfiatis | snf-branding \ |
153 | 774f683b | Giorgos Korfiatis | snf-pithos-backend \ |
154 | 774f683b | Giorgos Korfiatis | snf-pithos-app \ |
155 | 774f683b | Giorgos Korfiatis | snf-pithos-webclient |
156 | 774f683b | Giorgos Korfiatis | |
157 | 774f683b | Giorgos Korfiatis | ganeti.node$ apt-get install \ |
158 | 774f683b | Giorgos Korfiatis | python-objpool \ |
159 | 774f683b | Giorgos Korfiatis | snf-common \ |
160 | 774f683b | Giorgos Korfiatis | snf-cyclades-gtools \ |
161 | 0af59ea1 | Christos Stavrakakis | snf-pithos-backend \ |
162 | 0af59ea1 | Christos Stavrakakis | snf-network |
163 | 774f683b | Giorgos Korfiatis | |
164 | 774f683b | Giorgos Korfiatis | .. note:: |
165 | 774f683b | Giorgos Korfiatis | |
166 | 774f683b | Giorgos Korfiatis | Make sure ``snf-webproject`` has the same version as ``snf-common``. |
167 | 774f683b | Giorgos Korfiatis | |
168 | 774f683b | Giorgos Korfiatis | .. note:: |
169 | 774f683b | Giorgos Korfiatis | |
170 | 774f683b | Giorgos Korfiatis | Installing the packages will cause services to start. Make sure you bring |
171 | 774f683b | Giorgos Korfiatis | them down again (at least ``gunicorn``, ``snf-dispatcher``) |
172 | 774f683b | Giorgos Korfiatis | |
173 | 774f683b | Giorgos Korfiatis | 2.2 Sync and migrate the database |
174 | 774f683b | Giorgos Korfiatis | --------------------------------- |
175 | 774f683b | Giorgos Korfiatis | |
176 | 774f683b | Giorgos Korfiatis | .. note:: |
177 | 774f683b | Giorgos Korfiatis | |
178 | 774f683b | Giorgos Korfiatis | If you are asked about stale content types during the migration process, |
179 | 774f683b | Giorgos Korfiatis | answer 'no' and let the migration finish. |
180 | 774f683b | Giorgos Korfiatis | |
181 | 774f683b | Giorgos Korfiatis | :: |
182 | 774f683b | Giorgos Korfiatis | |
183 | 774f683b | Giorgos Korfiatis | astakos-host$ snf-manage syncdb |
184 | 774f683b | Giorgos Korfiatis | astakos-host$ snf-manage migrate |
185 | 774f683b | Giorgos Korfiatis | |
186 | 774f683b | Giorgos Korfiatis | cyclades-host$ snf-manage syncdb |
187 | 774f683b | Giorgos Korfiatis | cyclades-host$ snf-manage migrate |
188 | 774f683b | Giorgos Korfiatis | |
189 | 774f683b | Giorgos Korfiatis | pithos-host$ pithos-migrate upgrade head |
190 | 774f683b | Giorgos Korfiatis | |
191 | 812e72c9 | Christos Stavrakakis | 2.3 Configure Astakos authentication URL |
192 | 812e72c9 | Christos Stavrakakis | ---------------------------------------- |
193 | 812e72c9 | Christos Stavrakakis | |
194 | 812e72c9 | Christos Stavrakakis | The ``ASTAKOS_BASE_URL`` setting has been replaced (both in Cyclades and Pithos |
195 | 812e72c9 | Christos Stavrakakis | services) with the ``ASTAKOS_AUTH_URL`` setting. |
196 | 812e72c9 | Christos Stavrakakis | |
197 | 812e72c9 | Christos Stavrakakis | For the Cyclades service we have to change the ``20-snf-cyclades-app-api.conf`` |
198 | 812e72c9 | Christos Stavrakakis | file, remove the ``ASTAKOS_BASE_URL`` setting and replace it with |
199 | 812e72c9 | Christos Stavrakakis | ``ASTAKOS_AUTH_URL``. Typically it is sufficient to add ``/identity/v2.0`` at |
200 | 812e72c9 | Christos Stavrakakis | the end of the base URL to get the auth URL. For example, if the base URL had the value |
201 | 812e72c9 | Christos Stavrakakis | of 'https://accounts.example.synnefo.org/' then the ``ASTAKOS_AUTH_URL`` |
202 | 812e72c9 | Christos Stavrakakis | setting will have the value of |
203 | 812e72c9 | Christos Stavrakakis | 'https://accounts.example.synnefo.org/identity/v2.0'. |
204 | 5547485e | Sofia Papagiannaki | |
205 | 812e72c9 | Christos Stavrakakis | The same change has to be made for the Pithos service in |
206 | 812e72c9 | Christos Stavrakakis | ``/etc/synnefo/20-snf-pithos-app-settings.conf``. |
207 | 812e72c9 | Christos Stavrakakis | |
208 | 812e72c9 | Christos Stavrakakis | 2.4 Register Pithos view as an OAuth 2.0 client in Astakos |
209 | 5547485e | Sofia Papagiannaki | ---------------------------------------------------------- |
210 | 5547485e | Sofia Papagiannaki | |
211 | c7f29a98 | Constantinos Venetsanopoulos | Starting from Synnefo version 0.15, the Pithos view, in order to get access to |
212 | c7f29a98 | Constantinos Venetsanopoulos | the data of a protected Pithos resource, has to be granted authorization for |
213 | c7f29a98 | Constantinos Venetsanopoulos | the specific resource by Astakos. |
214 | 5547485e | Sofia Papagiannaki | |
215 | 5547485e | Sofia Papagiannaki | During the authorization grant procedure, it has to authenticate itself with |
216 | c7f29a98 | Constantinos Venetsanopoulos | Astakos, since the latter has to prevent serving requests by |
217 | c7f29a98 | Constantinos Venetsanopoulos | unknown/unauthorized clients. |
218 | 5547485e | Sofia Papagiannaki | |
219 | 8a41dc10 | Sofia Papagiannaki | Each OAuth 2.0 client is identified by a client identifier (client_id). |
220 | 8a41dc10 | Sofia Papagiannaki | Moreover, the confidential clients are authenticated via a password |
221 | 8a41dc10 | Sofia Papagiannaki | (client_secret). |
222 | 8a41dc10 | Sofia Papagiannaki | Then, each client has to declare at least one redirect URI so that Astakos will |
223 | 8a41dc10 | Sofia Papagiannaki | be able to validate the redirect URI provided during the authorization code |
224 | 8a41dc10 | Sofia Papagiannaki | request. |
225 | 8a41dc10 | Sofia Papagiannaki | If a client is trusted (like the Pithos view), Astakos grants access on behalf |
226 | 8a41dc10 | Sofia Papagiannaki | of the resource owner, otherwise the resource owner has to be asked. |
227 | 8a41dc10 | Sofia Papagiannaki | |
228 | 8a41dc10 | Sofia Papagiannaki | To register the Pithos view as an OAuth 2.0 client in Astakos, use the |
229 | 8a41dc10 | Sofia Papagiannaki | following command:: |
230 | 5547485e | Sofia Papagiannaki | |
231 | 6f65ba13 | Sofia Papagiannaki | astakos-host$ snf-manage oauth2-client-add pithos-view --secret=<secret> --is-trusted --url <redirect_uri> |
232 | 6f65ba13 | Sofia Papagiannaki | |
233 | 6f65ba13 | Sofia Papagiannaki | The redirect_uri should be the ``PITHOS_BASE_URL`` plus the ``/ui/view`` |
234 | 6f65ba13 | Sofia Papagiannaki | suffix, for example:: |
235 | 6f65ba13 | Sofia Papagiannaki | |
236 | 6f65ba13 | Sofia Papagiannaki | https://node2.example.com/pithos/ui/view |
237 | 06f38d70 | Ilias Tsitsimpis | |
238 | 812e72c9 | Christos Stavrakakis | You can see the registered clients by running:: |
239 | 06f38d70 | Ilias Tsitsimpis | |
240 | a8cb584f | Sofia Papagiannaki | astakos-host$ snf-manage oauth2-client-list -o id,identifier,redirect_urls,is_trusted |
241 | 06f38d70 | Ilias Tsitsimpis | |
242 | 7f095784 | Christos Stavrakakis | Finally, you will have to add the registered ``identifier`` (e.g. ``pithos-view``) |
243 | 7f095784 | Christos Stavrakakis | and ``client_secret`` to the ``PITHOS_OAUTH2_CLIENT_CREDENTIALS`` setting in |
244 | 812e72c9 | Christos Stavrakakis | ``/etc/synnefo/20-snf-pithos-app-settings.conf``. |
245 | 06f38d70 | Ilias Tsitsimpis | |
246 | 71053581 | Kostas Papadimitriou | |
247 | 71053581 | Kostas Papadimitriou | 2.5 Upgrade vncauthproxy and configure snf-cyclades-app |
248 | f3c5f1df | Stratos Psomadakis | ------------------------------------------------------- |
249 | f3c5f1df | Stratos Psomadakis | |
250 | f3c5f1df | Stratos Psomadakis | Synnefo v0.15 adds support for snf-vncauthproxy >= 1.5 and drops support for |
251 | fba7aaf4 | Stratos Psomadakis | older versions. You will have to upgrade snf-vncauthproxy to v1.5 and |
252 | fba7aaf4 | Stratos Psomadakis | configure the authentication (users) file (``/var/lib/vncauthproxy/users``). |
253 | f3c5f1df | Stratos Psomadakis | |
254 | c7f29a98 | Constantinos Venetsanopoulos | In case you are upgrading from an older snf-vncauthproxy version or if it's the |
255 | fba7aaf4 | Stratos Psomadakis | first time you're installing snf-vncauthproxy, you will need to add a |
256 | fba7aaf4 | Stratos Psomadakis | vncauthproxy user (see below for more information on user management) and |
257 | c7f29a98 | Constantinos Venetsanopoulos | restart the vncauthproxy daemon. |
258 | f3c5f1df | Stratos Psomadakis | |
259 | c7f29a98 | Constantinos Venetsanopoulos | To manage the authentication file, you can use the ``vncauthproxy-passwd`` tool, |
260 | fba7aaf4 | Stratos Psomadakis | to easily add, update and delete users. |
261 | f3c5f1df | Stratos Psomadakis | |
262 | f3c5f1df | Stratos Psomadakis | To add a user: |
263 | fba7aaf4 | Stratos Psomadakis | |
264 | f3c5f1df | Stratos Psomadakis | .. code-block:: console |
265 | f3c5f1df | Stratos Psomadakis | |
266 | f3c5f1df | Stratos Psomadakis | # vncauthproxy-passwd /var/lib/vncauthproxy/users synnefo |
267 | f3c5f1df | Stratos Psomadakis | |
268 | f3c5f1df | Stratos Psomadakis | You will be prompted for a password. |
269 | f3c5f1df | Stratos Psomadakis | |
270 | f3c5f1df | Stratos Psomadakis | You should also configure the new ``CYCLADES_VNCAUTHPROXY_OPTS`` setting in |
271 | f3c5f1df | Stratos Psomadakis | ``snf-cyclades-app``, to provide the user and password configured for |
272 | c7f29a98 | Constantinos Venetsanopoulos | ``synnefo`` in the vncauthproxy authentication file and enable SSL support if |
273 | f3c5f1df | Stratos Psomadakis | snf-vncauthproxy is configured to run with SSL enabled for the control socket. |
274 | f3c5f1df | Stratos Psomadakis | |
275 | f3c5f1df | Stratos Psomadakis | .. warning:: The vncauthproxy daemon requires a restart for the changes in the |
276 | f3c5f1df | Stratos Psomadakis | authentication file to take effect. |
277 | f3c5f1df | Stratos Psomadakis | |
278 | f3c5f1df | Stratos Psomadakis | .. warning:: If you fail to provide snf-vncauthproxy with a valid |
279 | f3c5f1df | Stratos Psomadakis | authentication file, or in case the configuration of vncauthproxy and the |
280 | f3c5f1df | Stratos Psomadakis | vncauthproxy snf-cyclades-app settings don't match (i.e. not having SSL enabled |
281 | f3c5f1df | Stratos Psomadakis | on both), VNC console access will not be functional. |
282 | f3c5f1df | Stratos Psomadakis | |
283 | f3c5f1df | Stratos Psomadakis | Finally, snf-vncauthproxy-1.5 adds a dedicated user and group to be used by the |
284 | f3c5f1df | Stratos Psomadakis | vncauthproxy daemon. The Debian default file has changed accordingly (``CHUID`` |
285 | f3c5f1df | Stratos Psomadakis | option in ``/etc/default/vncauthproxy``). The Debian default file now also |
286 | c7f29a98 | Constantinos Venetsanopoulos | includes a ``DAEMON_OPTS`` variable which is used to pass any necessary/extra |
287 | f3c5f1df | Stratos Psomadakis | options to the vncauthproxy daemon. In case you're upgrading from an older |
288 | f3c5f1df | Stratos Psomadakis | version of vncauthproxy, you should make sure to 'merge' the new default file |
289 | f3c5f1df | Stratos Psomadakis | with the older one. |
290 | f3c5f1df | Stratos Psomadakis | |
291 | f3c5f1df | Stratos Psomadakis | Check the `documentation |
292 | f3c5f1df | Stratos Psomadakis | <http://www.synnefo.org/docs/snf-vncauthproxy/latest/index.html>`_ of |
293 | f3c5f1df | Stratos Psomadakis | snf-vncauthproxy for more information on upgrading to version 1.5. |
294 | 0136e854 | Christos Stavrakakis | |
295 | 71053581 | Kostas Papadimitriou | 2.6 Stats configuration |
296 | 62c0a9e1 | Stratos Psomadakis | ----------------------- |
297 | 62c0a9e1 | Stratos Psomadakis | |
298 | 62c0a9e1 | Stratos Psomadakis | snf-cyclades-gtools comes with a collectd plugin to collect CPU and network |
299 | 62c0a9e1 | Stratos Psomadakis | stats for Ganeti VMs and an example collectd configuration. snf-stats-app is a |
300 | c7f29a98 | Constantinos Venetsanopoulos | Django (snf-webproject) app that serves the VM stats graphs by reading the VM |
301 | c7f29a98 | Constantinos Venetsanopoulos | stats (from RRD files). |
302 | 62c0a9e1 | Stratos Psomadakis | |
303 | c7f29a98 | Constantinos Venetsanopoulos | To enable/deploy the VM stats collecting and snf-stats-app, see the relevant |
304 | 62c0a9e1 | Stratos Psomadakis | documentation in the :ref:`admin guide <admin-guide-stats>`. |
305 | 62c0a9e1 | Stratos Psomadakis | |
306 | c7f29a98 | Constantinos Venetsanopoulos | If you were using collectd to collect VM stats on Debian Squeeze and you are |
307 | 62c0a9e1 | Stratos Psomadakis | upgrading to Wheezy, you will need to upgrade your RRD files. Follow the |
308 | 62c0a9e1 | Stratos Psomadakis | instructions on the collectd v4-to-v5 migration `guide |
309 | 62c0a9e1 | Stratos Psomadakis | <https://collectd.org/wiki/index.php/V4_to_v5_migration_guide>`_. |
310 | c7f29a98 | Constantinos Venetsanopoulos | You will probably just need to run the `migration script |
311 | 62c0a9e1 | Stratos Psomadakis | <https://collectd.org/wiki/index.php/V4_to_v5_migration_guide#Migration_script>`_ |
312 | 62c0a9e1 | Stratos Psomadakis | provided. |
313 | 62c0a9e1 | Stratos Psomadakis | |
314 | 62c0a9e1 | Stratos Psomadakis | If you were using a previous version of snf-stats-app, you should also make |
315 | 62c0a9e1 | Stratos Psomadakis | sure to set the ``STATS_BASE_URL`` setting in ``20-snf-stats-app-settings.conf`` |
316 | 62c0a9e1 | Stratos Psomadakis | to match your deployment and change the graph URL settings in |
317 | 62c0a9e1 | Stratos Psomadakis | ``20-snf-cyclades-app-api.conf`` accordingly. |
318 | 62c0a9e1 | Stratos Psomadakis | |
319 | bd16bf3e | Stratos Psomadakis | v0.15 has also introduced the ``CYCLADES_STATS_SECRET_KEY`` and |
320 | bd16bf3e | Stratos Psomadakis | ``STATS_SECRET_KEY`` settings. ``CYCLADES_STATS_SECRET_KEY`` in |
321 | bd16bf3e | Stratos Psomadakis | ``20-snf-cyclades-app-api.conf`` is used by Cyclades to encrypt the instance id |
322 | bd16bf3e | Stratos Psomadakis | / hostname in the URLs serving the VM stats. You should set it to a random |
323 | c7f29a98 | Constantinos Venetsanopoulos | value/string and make sure that it's the same as the ``STATS_SECRET_KEY`` |
324 | bd16bf3e | Stratos Psomadakis | setting (used to decrypt the instance hostname) in |
325 | bd16bf3e | Stratos Psomadakis | ``20-snf-stats-settings.conf`` on your Stats host. |
326 | bd16bf3e | Stratos Psomadakis | |
327 | 71053581 | Kostas Papadimitriou | 2.7 Shibboleth configuration updates |
328 | 71053581 | Kostas Papadimitriou | ------------------------------------ |
329 | 5547485e | Sofia Papagiannaki | |
330 | 71053581 | Kostas Papadimitriou | .. note:: |
331 | 71053581 | Kostas Papadimitriou | |
332 | c7f29a98 | Constantinos Venetsanopoulos | Skip this step unless you have ``shibboleth`` enabled in Astakos |
333 | 71053581 | Kostas Papadimitriou | ``IM_MODULES`` setting. |
334 | 71053581 | Kostas Papadimitriou | |
335 | c7f29a98 | Constantinos Venetsanopoulos | As of v0.15 Astakos uses the ``REMOTE_USER`` header provided by Apache's |
336 | c7f29a98 | Constantinos Venetsanopoulos | ``mod_shib2`` service in order to resolve the unique identifier which is used |
337 | c7f29a98 | Constantinos Venetsanopoulos | to associate a shibboleth account to a local Astakos user. Prior to this |
338 | c7f29a98 | Constantinos Venetsanopoulos | version, Astakos relied on the presence of the ``MOD_SHIB_EPPN`` header which, |
339 | c7f29a98 | Constantinos Venetsanopoulos | although safe enough in most ``SP`` deployment scenarios, may cause |
340 | c7f29a98 | Constantinos Venetsanopoulos | issues in certain cases, such as global wide IdP support or inability of |
341 | c7f29a98 | Constantinos Venetsanopoulos | supported IdPs to release the ``eduPersonPrincipalName`` attribute. The |
342 | c7f29a98 | Constantinos Venetsanopoulos | ``REMOTE_USER`` header can be set by administrators to match any of the |
343 | c7f29a98 | Constantinos Venetsanopoulos | available shibboleth attributes. |
344 | 71053581 | Kostas Papadimitriou | |
345 | 71053581 | Kostas Papadimitriou | If ``EPPN`` matches the service provider needs and you want to continue using |
346 | 71053581 | Kostas Papadimitriou | it as the unique identifier, you need to ensure that the ``REMOTE_USER`` |
347 | 71053581 | Kostas Papadimitriou | attribute is set to ``eppn`` in the ``mod_shib2`` config file located at |
348 | 71053581 | Kostas Papadimitriou | ``/etc/shibboleth/shibboleth2.xml``: |
349 | 71053581 | Kostas Papadimitriou | |
350 | 71053581 | Kostas Papadimitriou | .. code-block:: xml |
351 | 71053581 | Kostas Papadimitriou | |
352 | 71053581 | Kostas Papadimitriou | <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> |
353 | 71053581 | Kostas Papadimitriou | <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn"> |
354 | 71053581 | Kostas Papadimitriou | |
355 | 71053581 | Kostas Papadimitriou | Otherwise, if ``EPPN`` doesn't suit the requirements for your ``SP`` |
356 | 71053581 | Kostas Papadimitriou | deployment, change the ``REMOTE_USER`` attribute as required e.g.: |
357 | 71053581 | Kostas Papadimitriou | |
358 | 71053581 | Kostas Papadimitriou | .. code-block:: xml |
359 | 71053581 | Kostas Papadimitriou | |
360 | 71053581 | Kostas Papadimitriou | <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> |
361 | 71053581 | Kostas Papadimitriou | <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="persistent-nameid persistent-id targeted-id"> |
362 | 71053581 | Kostas Papadimitriou | |
363 | 71053581 | Kostas Papadimitriou | and restart the ``shibd`` service: |
364 | 71053581 | Kostas Papadimitriou | |
365 | 71053581 | Kostas Papadimitriou | .. code-block:: console |
366 | 71053581 | Kostas Papadimitriou | |
367 | 71053581 | Kostas Papadimitriou | $ service shibd restart |
368 | 71053581 | Kostas Papadimitriou | |
369 | c7f29a98 | Constantinos Venetsanopoulos | **Note** that every time you alter the ``REMOTE_USER`` attribute, all existing |
370 | c7f29a98 | Constantinos Venetsanopoulos | shibboleth enabled Astakos users will be invalidated and no longer be able to |
371 | c7f29a98 | Constantinos Venetsanopoulos | log in to their existing account using shibboleth. Specifically, for the case of |
372 | c7f29a98 | Constantinos Venetsanopoulos | switching from *eppn* to another attribute, Astakos is able to prevent |
373 | 71053581 | Kostas Papadimitriou | invalidation and automatically migrate existing *eppn* accounts. In order to do |
374 | 71053581 | Kostas Papadimitriou | that, set the ``ASTAKOS_SHIBBOLETH_MIGRATE_EPPN`` setting to ``True`` in |
375 | 71053581 | Kostas Papadimitriou | ``20-snf-astakos-app-settings.conf`` configuration file. Now every time an |
376 | c7f29a98 | Constantinos Venetsanopoulos | existing *eppn* user logs in using shibboleth, Astakos will update the |
377 | c7f29a98 | Constantinos Venetsanopoulos | associated *eppn* identifier to the contents of the ``REMOTE_USER`` header. |
378 | 71053581 | Kostas Papadimitriou | |
379 | 71053581 | Kostas Papadimitriou | .. warning:: |
380 | 71053581 | Kostas Papadimitriou | |
381 | 71053581 | Kostas Papadimitriou | IdPs should keep releasing the ``EPPN`` attribute in order for the migration |
382 | 71053581 | Kostas Papadimitriou | to work. |
383 | 5547485e | Sofia Papagiannaki | |
384 | c7f29a98 | Constantinos Venetsanopoulos | |
385 | 0136e854 | Christos Stavrakakis | 3. Create floating IP pools |
386 | 0136e854 | Christos Stavrakakis | =========================== |
387 | 0136e854 | Christos Stavrakakis | |
388 | 0136e854 | Christos Stavrakakis | Synnefo v0.15 introduces floating IPs, which are public IPv4 addresses that can |
389 | c7f29a98 | Constantinos Venetsanopoulos | be dynamically added/removed to/from VMs and are quotable via the |
390 | c7f29a98 | Constantinos Venetsanopoulos | ``cyclades.floating_ip`` resource. Connecting a VM to a public network is only |
391 | c7f29a98 | Constantinos Venetsanopoulos | allowed if the user has first allocated a floating IP from this network. |
392 | 0136e854 | Christos Stavrakakis | |
393 | 0136e854 | Christos Stavrakakis | Floating IPs are created from networks that are marked as Floating IP pools. |
394 | 0136e854 | Christos Stavrakakis | Creation of floating IP pools is done with the ``snf-manage network-create`` |
395 | 0136e854 | Christos Stavrakakis | command using the ``--floating-ip-pool`` option. |
396 | 0136e854 | Christos Stavrakakis | |
397 | 0136e854 | Christos Stavrakakis | Existing networks can be converted to floating IPs using the ``network-modify`` |
398 | 0136e854 | Christos Stavrakakis | command: |
399 | 0136e854 | Christos Stavrakakis | |
400 | 0136e854 | Christos Stavrakakis | .. code-block:: console |
401 | 0136e854 | Christos Stavrakakis | |
402 | 0136e854 | Christos Stavrakakis | snf-manage network-modify --floating-ip-pool=True <network_ID> |
403 | 0136e854 | Christos Stavrakakis | |
404 | 0136e854 | Christos Stavrakakis | Already allocated public IPv4 addresses are not automatically converted to |
405 | 0136e854 | Christos Stavrakakis | floating IPs. Existing VMs can keep their IPv4 addresses, which will be |
406 | c7f29a98 | Constantinos Venetsanopoulos | automatically released when these VMs get destroyed. If the admin wants to |
407 | c7f29a98 | Constantinos Venetsanopoulos | convert existing public IPs to floating IPs, they can do so by running the |
408 | c7f29a98 | Constantinos Venetsanopoulos | following provided tool: |
409 | 0136e854 | Christos Stavrakakis | |
410 | 0136e854 | Christos Stavrakakis | .. code-block:: console |
411 | 0136e854 | Christos Stavrakakis | |
412 | 0136e854 | Christos Stavrakakis | cyclades.host$ /usr/lib/synnefo/tools/update_to_floating_ips |
413 | 0136e854 | Christos Stavrakakis | |
414 | c7f29a98 | Constantinos Venetsanopoulos | or just for one network: |
415 | 0136e854 | Christos Stavrakakis | |
416 | 0136e854 | Christos Stavrakakis | .. code-block:: console |
417 | 0136e854 | Christos Stavrakakis | |
418 | 0136e854 | Christos Stavrakakis | cyclades.host$ /usr/lib/synnefo/tools/update_to_floating_ips --network-id=<network_ID> |
419 | 0136e854 | Christos Stavrakakis | |
420 | c7f29a98 | Constantinos Venetsanopoulos | |
421 | 0136e854 | Christos Stavrakakis | 4. Register services and resources |
422 | 762d2797 | Giorgos Korfiatis | ================================== |
423 | eb765213 | Giorgos Korfiatis | |
424 | 0136e854 | Christos Stavrakakis | 4.1 Re-register service and resource definitions |
425 | 762d2797 | Giorgos Korfiatis | ------------------------------------------------ |
426 | 762d2797 | Giorgos Korfiatis | |
427 | 762d2797 | Giorgos Korfiatis | You will need to re-register all Synnefo components, updating the |
428 | c7f29a98 | Constantinos Venetsanopoulos | service and resource definitions. On the Astakos node, run:: |
429 | eb765213 | Giorgos Korfiatis | |
430 | eb765213 | Giorgos Korfiatis | astakos-host$ snf-component-register |
431 | eb765213 | Giorgos Korfiatis | |
432 | eb765213 | Giorgos Korfiatis | This will detect that the Synnefo components are already registered and ask |
433 | eb765213 | Giorgos Korfiatis | to re-register. Answer positively. You need to enter the base URL and the UI |
434 | eb765213 | Giorgos Korfiatis | URL for each component, just like during the initial registration. |
435 | eb765213 | Giorgos Korfiatis | |
436 | 762d2797 | Giorgos Korfiatis | .. note:: |
437 | 762d2797 | Giorgos Korfiatis | |
438 | 762d2797 | Giorgos Korfiatis | You can run ``snf-manage component-list -o name,ui_url`` to inspect the |
439 | 762d2797 | Giorgos Korfiatis | current registered UI URL. In the default installation, the base URL can |
440 | 762d2797 | Giorgos Korfiatis | be found by stripping ``/ui`` from the UI URL. |
441 | 762d2797 | Giorgos Korfiatis | |
442 | c7f29a98 | Constantinos Venetsanopoulos | The meaning of resources ``cyclades.cpu`` and ``cyclades.ram`` has changed in |
443 | c7f29a98 | Constantinos Venetsanopoulos | v0.15: they now denote the number of CPUs/RAM of *active* VMs (VMs that are not |
444 | c7f29a98 | Constantinos Venetsanopoulos | shut down) rather than of all VMs, as was the case until now. To represent total CPUs |
445 | c7f29a98 | Constantinos Venetsanopoulos | and total RAM, as previously, two new resources ``cyclades.total_cpu`` and |
446 | c7f29a98 | Constantinos Venetsanopoulos | ``cyclades.total_ram`` are introduced. We now also control the usage of |
447 | c7f29a98 | Constantinos Venetsanopoulos | floating IPs through the resource ``cyclades.floating_ip``. |
448 | 762d2797 | Giorgos Korfiatis | |
449 | 0136e854 | Christos Stavrakakis | 4.2 Tweak resource settings |
450 | 762d2797 | Giorgos Korfiatis | --------------------------- |
451 | 762d2797 | Giorgos Korfiatis | |
452 | c7f29a98 | Constantinos Venetsanopoulos | The new resources (``cyclades.total_cpu``, ``cyclades.total_ram``, and |
453 | c7f29a98 | Constantinos Venetsanopoulos | ``cyclades.floating_ip``) are registered with infinite default base quota |
454 | c7f29a98 | Constantinos Venetsanopoulos | (meaning that they are not restricted at all). You will probably need to |
455 | c7f29a98 | Constantinos Venetsanopoulos | restrict them, especially ``cyclades.floating_ip``. In order to change the |
456 | c7f29a98 | Constantinos Venetsanopoulos | default limit of a resource for all *future* users, for instance restricting |
457 | c7f29a98 | Constantinos Venetsanopoulos | floating IPs to 2, run:: |
458 | 762d2797 | Giorgos Korfiatis | |
459 | 762d2797 | Giorgos Korfiatis | astakos-host$ snf-manage resource-modify cyclades.floating_ip --default-quota 2 |
460 | 762d2797 | Giorgos Korfiatis | |
461 | 762d2797 | Giorgos Korfiatis | Note that this command no longer affects *existing* users. They can |
462 | 762d2797 | Giorgos Korfiatis | still have infinite floating IPs. You can update the base quota of existing |
463 | 762d2797 | Giorgos Korfiatis | users in bulk, possibly excluding some users, with:: |
464 | 762d2797 | Giorgos Korfiatis | |
465 | c7f29a98 | Constantinos Venetsanopoulos | astakos-host$ snf-manage user-modify --all --base-quota cyclades.floating_ip 2 --exclude userid1,userid2 |
466 | 762d2797 | Giorgos Korfiatis | |
467 | 762d2797 | Giorgos Korfiatis | .. note:: |
468 | 762d2797 | Giorgos Korfiatis | |
469 | c7f29a98 | Constantinos Venetsanopoulos | You can inspect base quota with ``snf-manage quota-list``, before applying |
470 | 762d2797 | Giorgos Korfiatis | any changes, for example:: |
471 | 762d2797 | Giorgos Korfiatis | |
472 | 762d2797 | Giorgos Korfiatis | # Get users with cyclades.vm base quota that differs from the default value |
473 | 762d2797 | Giorgos Korfiatis | astakos-host$ snf-manage quota-list --with-custom=True --filter-by "resource=cyclades.vm" |
474 | 762d2797 | Giorgos Korfiatis | |
475 | 762d2797 | Giorgos Korfiatis | # Get users with cyclades.vm base quota greater than 3 |
476 | 762d2797 | Giorgos Korfiatis | astakos-host$ snf-manage quota-list --filter-by "resource=cyclades.vm,base_quota>3" |
477 | 762d2797 | Giorgos Korfiatis | |
478 | c7f29a98 | Constantinos Venetsanopoulos | Furthermore, in v0.15 it is possible to control whether a resource is visible |
479 | c7f29a98 | Constantinos Venetsanopoulos | to the users via the API or the Web UI. The default value for these options is |
480 | c7f29a98 | Constantinos Venetsanopoulos | denoted inside the default resource definitions. Note that the system always |
481 | c7f29a98 | Constantinos Venetsanopoulos | checks and enforces resource quota, regardless of their visibility. By default, |
482 | c7f29a98 | Constantinos Venetsanopoulos | the new resources ``cyclades.total_cpu``, ``cyclades.total_ram`` and |
483 | c7f29a98 | Constantinos Venetsanopoulos | ``astakos.pending_app`` are visible neither via the API nor via the Web UI. |
484 | c7f29a98 | Constantinos Venetsanopoulos | You can change this behavior with:: |
485 | 762d2797 | Giorgos Korfiatis | |
486 | 762d2797 | Giorgos Korfiatis | astakos-host$ snf-manage resource-modify <resource> --api-visible=True (or --ui-visible=True) |
487 | 762d2797 | Giorgos Korfiatis | |
488 | 0136e854 | Christos Stavrakakis | 4.3 Update the Quotaholder |
489 | 762d2797 | Giorgos Korfiatis | -------------------------- |
490 | 762d2797 | Giorgos Korfiatis | |
491 | 762d2797 | Giorgos Korfiatis | To update quota for all new or modified Cyclades resources, bring up Astakos:: |
492 | 762d2797 | Giorgos Korfiatis | |
493 | 762d2797 | Giorgos Korfiatis | astakos-host$ service gunicorn start |
494 | 762d2797 | Giorgos Korfiatis | |
495 | 762d2797 | Giorgos Korfiatis | and run on the Cyclades node:: |
496 | 762d2797 | Giorgos Korfiatis | |
497 | 762d2797 | Giorgos Korfiatis | cyclades-host$ snf-manage reconcile-resources-cyclades --fix --force |
498 | 762d2797 | Giorgos Korfiatis | |
499 | 0136e854 | Christos Stavrakakis | |
500 | 0136e854 | Christos Stavrakakis | 5. Bring all services up |
501 | 774f683b | Giorgos Korfiatis | ======================== |
502 | 774f683b | Giorgos Korfiatis | |
503 | 774f683b | Giorgos Korfiatis | After the upgrade is finished, we bring up all services: |
504 | 774f683b | Giorgos Korfiatis | |
505 | 774f683b | Giorgos Korfiatis | .. code-block:: console |
506 | 774f683b | Giorgos Korfiatis | |
507 | 774f683b | Giorgos Korfiatis | astakos.host # service gunicorn start |
508 | 774f683b | Giorgos Korfiatis | cyclades.host # service gunicorn start |
509 | 774f683b | Giorgos Korfiatis | pithos.host # service gunicorn start |
510 | 774f683b | Giorgos Korfiatis | |
511 | 774f683b | Giorgos Korfiatis | cyclades.host # service snf-dispatcher start |