root / docs / upgrade / upgrade-0.15.rst @ 71053581
1 | 774f683b | Giorgos Korfiatis | Upgrade to Synnefo v0.15 |
---|---|---|---|
2 | 774f683b | Giorgos Korfiatis | ^^^^^^^^^^^^^^^^^^^^^^^^ |
3 | 774f683b | Giorgos Korfiatis | |
4 | 300e9d88 | Christos Stavrakakis | Prerequisites |
5 | 300e9d88 | Christos Stavrakakis | ============== |
6 | 300e9d88 | Christos Stavrakakis | |
7 | 300e9d88 | Christos Stavrakakis | Before upgrading to v0.15, two steps related to the Cyclades networking |
8 | 300e9d88 | Christos Stavrakakis | service must be performed. |
9 | 300e9d88 | Christos Stavrakakis | |
10 | 300e9d88 | Christos Stavrakakis | Add unique name to the NICs of all Ganeti instances |
11 | 300e9d88 | Christos Stavrakakis | --------------------------------------------------- |
12 | 300e9d88 | Christos Stavrakakis | |
13 | 300e9d88 | Christos Stavrakakis | Since Ganeti 2.8, NICs of Ganeti instances can be given a name and be |
14 | 300e9d88 | Christos Stavrakakis | referred to by that name, and not only by their index. Synnefo v0.15 |
15 | 300e9d88 | Christos Stavrakakis | assigns a unique name to each NIC and refers to them by their unique name. |
16 | 300e9d88 | Christos Stavrakakis | Before upgrading to v0.15, Synnefo must assign names to all existing NICs. |
17 | 300e9d88 | Christos Stavrakakis | This can easily be performed with a helper script that is shipped with Synnefo |
18 | 300e9d88 | Christos Stavrakakis | v0.14.10: |
19 | 300e9d88 | Christos Stavrakakis | |
20 | 300e9d88 | Christos Stavrakakis | .. code-block:: console |
21 | 300e9d88 | Christos Stavrakakis | |
22 | 300e9d88 | Christos Stavrakakis | cyclades.host$ /usr/lib/synnefo/tools/add_unique_name_to_nics |
23 | 300e9d88 | Christos Stavrakakis | |
24 | 300e9d88 | Christos Stavrakakis | .. note:: If you are not upgrading from v0.14.10, you can find the migration |
25 | 300e9d88 | Christos Stavrakakis | script here XXX. |
26 | 300e9d88 | Christos Stavrakakis | |
27 | 300e9d88 | Christos Stavrakakis | |
28 | 300e9d88 | Christos Stavrakakis | Extend public networks to all Ganeti backends |
29 | 300e9d88 | Christos Stavrakakis | --------------------------------------------- |
30 | 300e9d88 | Christos Stavrakakis | |
31 | 300e9d88 | Christos Stavrakakis | Before v0.15, each public network of Cyclades existed in one of the Ganeti |
32 | 300e9d88 | Christos Stavrakakis | backends. In order to support dynamic addition and removal of public IPv4 |
33 | 300e9d88 | Christos Stavrakakis | addresses across VMs, each public network must exist in all Ganeti backends. |
34 | 300e9d88 | Christos Stavrakakis | |
35 | 300e9d88 | Christos Stavrakakis | If you are using more than one Ganeti backend, before upgrading to v0.15 you |
36 | 300e9d88 | Christos Stavrakakis | must ensure that the network configuration of all Ganeti backends is identical |
37 | 300e9d88 | Christos Stavrakakis | and appropriate to support all public networks of Cyclades. |
38 | 300e9d88 | Christos Stavrakakis | |
39 | 300e9d88 | Christos Stavrakakis | |
40 | 300e9d88 | Christos Stavrakakis | Upgrade Steps |
41 | 300e9d88 | Christos Stavrakakis | ============= |
42 | 300e9d88 | Christos Stavrakakis | |
43 | 774f683b | Giorgos Korfiatis | The upgrade to v0.15 consists of the following steps: |
44 | 774f683b | Giorgos Korfiatis | |
45 | 774f683b | Giorgos Korfiatis | 1. Bring down services and backup databases. |
46 | 774f683b | Giorgos Korfiatis | |
47 | 774f683b | Giorgos Korfiatis | 2. Upgrade packages, migrate the databases and configure settings. |
48 | 774f683b | Giorgos Korfiatis | |
49 | 0136e854 | Christos Stavrakakis | 3. Create floating IP pools |
50 | eb765213 | Giorgos Korfiatis | |
51 | 0136e854 | Christos Stavrakakis | 4. Register services and resources. |
52 | 0136e854 | Christos Stavrakakis | |
53 | 0136e854 | Christos Stavrakakis | 5. Bring up all services. |
54 | 774f683b | Giorgos Korfiatis | |
55 | 774f683b | Giorgos Korfiatis | .. warning:: |
56 | 774f683b | Giorgos Korfiatis | |
57 | 774f683b | Giorgos Korfiatis | It is strongly suggested that you keep separate database backups |
58 | 774f683b | Giorgos Korfiatis | for each service after the completion of each step. |
59 | 774f683b | Giorgos Korfiatis | |
60 | 774f683b | Giorgos Korfiatis | 1. Bring web services down, backup databases |
61 | 774f683b | Giorgos Korfiatis | ============================================ |
62 | 774f683b | Giorgos Korfiatis | |
63 | 774f683b | Giorgos Korfiatis | 1. All web services must be brought down so that the database maintains a |
64 | 774f683b | Giorgos Korfiatis | predictable and consistent state during the migration process:: |
65 | 774f683b | Giorgos Korfiatis | |
66 | 774f683b | Giorgos Korfiatis | $ service gunicorn stop |
67 | 774f683b | Giorgos Korfiatis | $ service snf-dispatcher stop |
68 | 774f683b | Giorgos Korfiatis | $ service snf-ganeti-eventd stop |
69 | 774f683b | Giorgos Korfiatis | |
70 | 774f683b | Giorgos Korfiatis | 2. Backup databases for recovery to a pre-migration state. |
71 | 774f683b | Giorgos Korfiatis | |
72 | 774f683b | Giorgos Korfiatis | 3. Keep the database servers running during the migration process. |
73 | 774f683b | Giorgos Korfiatis | |
74 | 774f683b | Giorgos Korfiatis | |
75 | 774f683b | Giorgos Korfiatis | 2. Upgrade Synnefo and configure settings |
76 | 774f683b | Giorgos Korfiatis | ========================================= |
77 | 774f683b | Giorgos Korfiatis | |
78 | 774f683b | Giorgos Korfiatis | 2.1 Install the new versions of packages |
79 | 774f683b | Giorgos Korfiatis | ---------------------------------------- |
80 | 774f683b | Giorgos Korfiatis | |
81 | 774f683b | Giorgos Korfiatis | :: |
82 | 774f683b | Giorgos Korfiatis | |
83 | 774f683b | Giorgos Korfiatis | astakos.host$ apt-get install \ |
84 | 774f683b | Giorgos Korfiatis | python-objpool \ |
85 | 774f683b | Giorgos Korfiatis | snf-common \ |
86 | 774f683b | Giorgos Korfiatis | python-astakosclient \ |
87 | 774f683b | Giorgos Korfiatis | snf-django-lib \ |
88 | 774f683b | Giorgos Korfiatis | snf-webproject \ |
89 | 774f683b | Giorgos Korfiatis | snf-branding \ |
90 | 774f683b | Giorgos Korfiatis | snf-astakos-app |
91 | 774f683b | Giorgos Korfiatis | |
92 | 774f683b | Giorgos Korfiatis | cyclades.host$ apt-get install \ |
93 | 774f683b | Giorgos Korfiatis | python-objpool \ |
94 | 774f683b | Giorgos Korfiatis | snf-common \ |
95 | 774f683b | Giorgos Korfiatis | python-astakosclient \ |
96 | 774f683b | Giorgos Korfiatis | snf-django-lib \ |
97 | 774f683b | Giorgos Korfiatis | snf-webproject \ |
98 | 774f683b | Giorgos Korfiatis | snf-branding \ |
99 | 774f683b | Giorgos Korfiatis | snf-pithos-backend \ |
100 | 774f683b | Giorgos Korfiatis | snf-cyclades-app |
101 | 774f683b | Giorgos Korfiatis | |
102 | 774f683b | Giorgos Korfiatis | pithos.host$ apt-get install \ |
103 | 774f683b | Giorgos Korfiatis | python-objpool \ |
104 | 774f683b | Giorgos Korfiatis | snf-common \ |
105 | 774f683b | Giorgos Korfiatis | python-astakosclient \ |
106 | 774f683b | Giorgos Korfiatis | snf-django-lib \ |
107 | 774f683b | Giorgos Korfiatis | snf-webproject \ |
108 | 774f683b | Giorgos Korfiatis | snf-branding \ |
109 | 774f683b | Giorgos Korfiatis | snf-pithos-backend \ |
110 | 774f683b | Giorgos Korfiatis | snf-pithos-app \ |
111 | 774f683b | Giorgos Korfiatis | snf-pithos-webclient |
112 | 774f683b | Giorgos Korfiatis | |
113 | 774f683b | Giorgos Korfiatis | ganeti.node$ apt-get install \ |
114 | 774f683b | Giorgos Korfiatis | python-objpool \ |
115 | 774f683b | Giorgos Korfiatis | snf-common \ |
116 | 774f683b | Giorgos Korfiatis | snf-cyclades-gtools \ |
117 | 774f683b | Giorgos Korfiatis | snf-pithos-backend |
118 | 774f683b | Giorgos Korfiatis | |
119 | 774f683b | Giorgos Korfiatis | .. note:: |
120 | 774f683b | Giorgos Korfiatis | |
121 | 774f683b | Giorgos Korfiatis | Make sure ``snf-webproject`` has the same version as ``snf-common``. |
122 | 774f683b | Giorgos Korfiatis | |
123 | 774f683b | Giorgos Korfiatis | .. note:: |
124 | 774f683b | Giorgos Korfiatis | |
125 | 774f683b | Giorgos Korfiatis | Installing the packages will cause services to start. Make sure you bring |
126 | 774f683b | Giorgos Korfiatis | them down again (at least ``gunicorn``, ``snf-dispatcher``) |
127 | 774f683b | Giorgos Korfiatis | |
128 | 774f683b | Giorgos Korfiatis | 2.2 Sync and migrate the database |
129 | 774f683b | Giorgos Korfiatis | --------------------------------- |
130 | 774f683b | Giorgos Korfiatis | |
131 | 774f683b | Giorgos Korfiatis | .. note:: |
132 | 774f683b | Giorgos Korfiatis | |
133 | 774f683b | Giorgos Korfiatis | If you are asked about stale content types during the migration process, |
134 | 774f683b | Giorgos Korfiatis | answer 'no' and let the migration finish. |
135 | 774f683b | Giorgos Korfiatis | |
136 | 774f683b | Giorgos Korfiatis | :: |
137 | 774f683b | Giorgos Korfiatis | |
138 | 774f683b | Giorgos Korfiatis | astakos-host$ snf-manage syncdb |
139 | 774f683b | Giorgos Korfiatis | astakos-host$ snf-manage migrate |
140 | 774f683b | Giorgos Korfiatis | |
141 | 774f683b | Giorgos Korfiatis | cyclades-host$ snf-manage syncdb |
142 | 774f683b | Giorgos Korfiatis | cyclades-host$ snf-manage migrate |
143 | 774f683b | Giorgos Korfiatis | |
144 | 774f683b | Giorgos Korfiatis | pithos-host$ pithos-migrate upgrade head |
145 | 774f683b | Giorgos Korfiatis | |
146 | 5547485e | Sofia Papagiannaki | .. _pithos_view_registration: |
147 | 5547485e | Sofia Papagiannaki | |
148 | 5547485e | Sofia Papagiannaki | 2.3 Register pithos view as an oauth 2.0 client in astakos |
149 | 5547485e | Sofia Papagiannaki | ---------------------------------------------------------- |
150 | 5547485e | Sofia Papagiannaki | |
151 | 5547485e | Sofia Papagiannaki | Starting from synnefo version 0.15, the pithos view, in order to get access to |
152 | 5547485e | Sofia Papagiannaki | the data of a protected pithos resource, has to be granted authorization for the |
153 | 5547485e | Sofia Papagiannaki | specific resource by astakos. |
154 | 5547485e | Sofia Papagiannaki | |
155 | 5547485e | Sofia Papagiannaki | During the authorization grant procedure, it has to authenticate itself with |
156 | 5547485e | Sofia Papagiannaki | astakos since the latter has to prevent serving requests by unknown/unauthorized |
157 | 5547485e | Sofia Papagiannaki | clients. |
158 | 5547485e | Sofia Papagiannaki | |
159 | 5547485e | Sofia Papagiannaki | To register the pithos view as an OAuth 2.0 client in astakos, use the |
160 | 5547485e | Sofia Papagiannaki | following command:: |
161 | 5547485e | Sofia Papagiannaki | |
162 | 5547485e | Sofia Papagiannaki | snf-manage oauth2-client-add pithos-view --secret=<secret> --is-trusted --url https://pithos.synnefo.live/pithos/ui/view |
163 | 5547485e | Sofia Papagiannaki | |
164 | 5547485e | Sofia Papagiannaki | 2.4 Update configuration files |
165 | 06f38d70 | Ilias Tsitsimpis | ------------------------------ |
166 | 06f38d70 | Ilias Tsitsimpis | |
167 | 06f38d70 | Ilias Tsitsimpis | The ``ASTAKOS_BASE_URL`` setting has been replaced (both in Cyclades and |
168 | 06f38d70 | Ilias Tsitsimpis | Pithos services) with the ``ASTAKOS_AUTH_URL`` setting. |
169 | 06f38d70 | Ilias Tsitsimpis | |
170 | 06f38d70 | Ilias Tsitsimpis | For Cyclades service we have to change the ``20-snf-cyclades-app-api.conf`` |
171 | 06f38d70 | Ilias Tsitsimpis | file, remove the ``ASTAKOS_BASE_URL`` setting and replace it with |
172 | 6ce03057 | Giorgos Korfiatis | ``ASTAKOS_AUTH_URL``. Typically it is sufficient to add ``/identity/v2.0`` |
173 | 06f38d70 | Ilias Tsitsimpis | at the end of base url to get the auth url. For example if base url had the |
174 | 06f38d70 | Ilias Tsitsimpis | value of 'https://accounts.example.synnefo.org/' then the ``ASTAKOS_AUTH_URL`` |
175 | 06f38d70 | Ilias Tsitsimpis | setting will have the value of |
176 | 6ce03057 | Giorgos Korfiatis | 'https://accounts.example.synnefo.org/identity/v2.0'. |
177 | 06f38d70 | Ilias Tsitsimpis | |
178 | 06f38d70 | Ilias Tsitsimpis | For Pithos service we have to change the ``20-snf-pithos-app-settings.conf`` |
179 | 71053581 | Kostas Papadimitriou | file in the same way as above. In addition to this, we have to change the |
180 | 71053581 | Kostas Papadimitriou | ``PITHOS_OAUTH2_CLIENT_CREDENTIALS`` setting in the same configuration file |
181 | 71053581 | Kostas Papadimitriou | to set the credentials issued for the pithos view in `the previous step`__. |
182 | 06f38d70 | Ilias Tsitsimpis | |
183 | 71053581 | Kostas Papadimitriou | __ pithos_view_registration_ |
184 | 71053581 | Kostas Papadimitriou | |
185 | 71053581 | Kostas Papadimitriou | |
186 | 71053581 | Kostas Papadimitriou | 2.5 Upgrade vncauthproxy and configure snf-cyclades-app |
187 | f3c5f1df | Stratos Psomadakis | ------------------------------------------------------- |
188 | f3c5f1df | Stratos Psomadakis | |
189 | f3c5f1df | Stratos Psomadakis | Synnefo v0.15 adds support for snf-vncauthproxy >= 1.5 and drops support for |
190 | fba7aaf4 | Stratos Psomadakis | older versions. You will have to upgrade snf-vncauthproxy to v1.5 and |
191 | fba7aaf4 | Stratos Psomadakis | configure the authentication (users) file (``/var/lib/vncauthproxy/users``). |
192 | f3c5f1df | Stratos Psomadakis | |
193 | fba7aaf4 | Stratos Psomadakis | In case you're upgrading from an older snf-vncauthproxy version or if it's the |
194 | fba7aaf4 | Stratos Psomadakis | first time you're installing snf-vncauthproxy, you will need to add a |
195 | fba7aaf4 | Stratos Psomadakis | vncauthproxy user (see below for more information on user management) and |
196 | fba7aaf4 | Stratos Psomadakis | restart vncauthproxy daemon. |
197 | f3c5f1df | Stratos Psomadakis | |
198 | f3c5f1df | Stratos Psomadakis | To manage the authentication file, you can use the vncauthproxy-passwd tool, |
199 | fba7aaf4 | Stratos Psomadakis | to easily add, update and delete users. |
200 | f3c5f1df | Stratos Psomadakis | |
201 | f3c5f1df | Stratos Psomadakis | To add a user: |
202 | fba7aaf4 | Stratos Psomadakis | |
203 | f3c5f1df | Stratos Psomadakis | .. code-block:: console |
204 | f3c5f1df | Stratos Psomadakis | |
205 | f3c5f1df | Stratos Psomadakis | # vncauthproxy-passwd /var/lib/vncauthproxy/users synnefo |
206 | f3c5f1df | Stratos Psomadakis | |
207 | f3c5f1df | Stratos Psomadakis | You will be prompted for a password. |
208 | f3c5f1df | Stratos Psomadakis | |
209 | f3c5f1df | Stratos Psomadakis | You should also configure the new ``CYCLADES_VNCAUTHPROXY_OPTS`` setting in |
210 | f3c5f1df | Stratos Psomadakis | ``snf-cyclades-app``, to provide the user and password configured for |
211 | f3c5f1df | Stratos Psomadakis | ``Synnefo`` in the vncauthproxy authentication file and enable SSL support if |
212 | f3c5f1df | Stratos Psomadakis | snf-vncauthproxy is configured to run with SSL enabled for the control socket. |
213 | f3c5f1df | Stratos Psomadakis | |
214 | f3c5f1df | Stratos Psomadakis | .. warning:: The vncauthproxy daemon requires a restart for the changes in the |
215 | f3c5f1df | Stratos Psomadakis | authentication file to take effect. |
216 | f3c5f1df | Stratos Psomadakis | |
217 | f3c5f1df | Stratos Psomadakis | .. warning:: If you fail to provide snf-vncauthproxy with a valid |
218 | f3c5f1df | Stratos Psomadakis | authentication file, or in case the configuration of vncauthproxy and the |
219 | f3c5f1df | Stratos Psomadakis | vncauthproxy snf-cyclades-app settings don't match (ie not having SSL enabled |
220 | f3c5f1df | Stratos Psomadakis | on both), VNC console access will not be functional. |
221 | f3c5f1df | Stratos Psomadakis | |
222 | f3c5f1df | Stratos Psomadakis | Finally, snf-vncauthproxy-1.5 adds a dedicated user and group to be used by the |
223 | f3c5f1df | Stratos Psomadakis | vncauthproxy daemon. The Debian default file has changed accordingly (``CHUID`` |
224 | f3c5f1df | Stratos Psomadakis | option in ``/etc/default/vncauthproxy``). The Debian default file now also |
225 | f3c5f1df | Stratos Psomadakis | includes a ``DAEMON_OPTS`` variable which is used to pass any necessary / extra |
226 | f3c5f1df | Stratos Psomadakis | options to the vncauthproxy daemon. In case you're upgrading from an older |
227 | f3c5f1df | Stratos Psomadakis | version of vncauthproxy, you should make sure to 'merge' the new default file |
228 | f3c5f1df | Stratos Psomadakis | with the older one. |
229 | f3c5f1df | Stratos Psomadakis | |
230 | f3c5f1df | Stratos Psomadakis | Check the `documentation |
231 | f3c5f1df | Stratos Psomadakis | <http://www.synnefo.org/docs/snf-vncauthproxy/latest/index.html>`_ of |
232 | f3c5f1df | Stratos Psomadakis | snf-vncauthproxy for more information on upgrading to version 1.5. |
233 | 0136e854 | Christos Stavrakakis | |
234 | 71053581 | Kostas Papadimitriou | 2.6 Stats configuration |
235 | 62c0a9e1 | Stratos Psomadakis | ----------------------- |
236 | 62c0a9e1 | Stratos Psomadakis | |
237 | 62c0a9e1 | Stratos Psomadakis | snf-cyclades-gtools comes with a collectd plugin to collect CPU and network |
238 | 62c0a9e1 | Stratos Psomadakis | stats for Ganeti VMs and an example collectd configuration. snf-stats-app is a |
239 | 62c0a9e1 | Stratos Psomadakis | Django (snf-webproject) app that serves the VM stats graphs by reading the VM |
240 | 62c0a9e1 | Stratos Psomadakis | stats (from RRD files). |
241 | 62c0a9e1 | Stratos Psomadakis | |
242 | 62c0a9e1 | Stratos Psomadakis | To enable / deploy VM stats collecting and snf-stats-app see the relevant |
243 | 62c0a9e1 | Stratos Psomadakis | documentation in the :ref:`admin guide <admin-guide-stats>`. |
244 | 62c0a9e1 | Stratos Psomadakis | |
245 | 62c0a9e1 | Stratos Psomadakis | If you were using collectd to collect VM stats on Debian squeeze and you are |
246 | 62c0a9e1 | Stratos Psomadakis | upgrading to Wheezy, you will need to upgrade your RRD files. Follow the |
247 | 62c0a9e1 | Stratos Psomadakis | instructions on the collectd v4-to-v5 migration `guide |
248 | 62c0a9e1 | Stratos Psomadakis | <https://collectd.org/wiki/index.php/V4_to_v5_migration_guide>`_. |
249 | 62c0a9e1 | Stratos Psomadakis | You will probably just need to run the `migration script |
250 | 62c0a9e1 | Stratos Psomadakis | <https://collectd.org/wiki/index.php/V4_to_v5_migration_guide#Migration_script>`_ |
251 | 62c0a9e1 | Stratos Psomadakis | provided. |
252 | 62c0a9e1 | Stratos Psomadakis | |
253 | 62c0a9e1 | Stratos Psomadakis | If you were using a previous version of snf-stats-app, you should also make |
254 | 62c0a9e1 | Stratos Psomadakis | sure to set the ``STATS_BASE_URL`` setting in ``20-snf-stats-app-settings.conf`` |
255 | 62c0a9e1 | Stratos Psomadakis | to match your deployment and change the graph URL settings in |
256 | 62c0a9e1 | Stratos Psomadakis | ``20-snf-cyclades-app-api.conf`` accordingly. |
257 | 62c0a9e1 | Stratos Psomadakis | |
258 | bd16bf3e | Stratos Psomadakis | v0.15 has also introduced the ``CYCLADES_STATS_SECRET_KEY`` and |
259 | bd16bf3e | Stratos Psomadakis | ``STATS_SECRET_KEY`` settings. ``CYCLADES_STATS_SECRET_KEY`` in |
260 | bd16bf3e | Stratos Psomadakis | ``20-snf-cyclades-app-api.conf`` is used by Cyclades to encrypt the instance id |
261 | bd16bf3e | Stratos Psomadakis | / hostname in the URLs serving the VM stats. You should set it to a random |
262 | bd16bf3e | Stratos Psomadakis | value / string and make sure that it's the same as the ``STATS_SECRET_KEY`` |
263 | bd16bf3e | Stratos Psomadakis | setting (used to decrypt the instance hostname) in |
264 | bd16bf3e | Stratos Psomadakis | ``20-snf-stats-settings.conf`` on your Stats host. |
265 | bd16bf3e | Stratos Psomadakis | |
266 | 71053581 | Kostas Papadimitriou | 2.7 Shibboleth configuration updates |
267 | 71053581 | Kostas Papadimitriou | ------------------------------------ |
268 | 5547485e | Sofia Papagiannaki | |
269 | 71053581 | Kostas Papadimitriou | .. note:: |
270 | 71053581 | Kostas Papadimitriou | |
271 | 71053581 | Kostas Papadimitriou | Skip this step unless you have ``shibboleth`` enabled in astakos |
272 | 71053581 | Kostas Papadimitriou | ``IM_MODULES`` setting. |
273 | 71053581 | Kostas Papadimitriou | |
274 | 71053581 | Kostas Papadimitriou | As of v0.15 astakos uses the ``REMOTE_USER`` header provided by apache's |
275 | 71053581 | Kostas Papadimitriou | ``mod_shib2`` service in order to resolve the unique identifier which is used to |
276 | 71053581 | Kostas Papadimitriou | associate a shibboleth account to a local astakos user. Prior to this version |
277 | 71053581 | Kostas Papadimitriou | astakos relied on the presence of the ``MOD_SHIB_EPPN`` header, which, although |
278 | 71053581 | Kostas Papadimitriou | safe enough in most ``SP`` deployment scenarios, may cause issues in |
279 | 71053581 | Kostas Papadimitriou | certain cases, such as global wide IdP support or inability of supported IdPs |
280 | 71053581 | Kostas Papadimitriou | to release the ``eduPersonPrincipalName`` attribute. The ``REMOTE_USER`` header |
281 | 71053581 | Kostas Papadimitriou | can be set by administrators to match any of the available shibboleth |
282 | 71053581 | Kostas Papadimitriou | attributes. |
283 | 71053581 | Kostas Papadimitriou | |
284 | 71053581 | Kostas Papadimitriou | If ``EPPN`` matches the service provider needs and you want to continue using |
285 | 71053581 | Kostas Papadimitriou | it as the unique identifier, you need to ensure that the ``REMOTE_USER`` |
286 | 71053581 | Kostas Papadimitriou | attribute is set to ``eppn`` in the ``mod_shib2`` config file located at |
287 | 71053581 | Kostas Papadimitriou | ``/etc/shibboleth/shibboleth2.xml`` |
288 | 71053581 | Kostas Papadimitriou | |
289 | 71053581 | Kostas Papadimitriou | .. code-block:: xml |
290 | 71053581 | Kostas Papadimitriou | |
291 | 71053581 | Kostas Papadimitriou | <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> |
292 | 71053581 | Kostas Papadimitriou | <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn"> |
293 | 71053581 | Kostas Papadimitriou | |
294 | 71053581 | Kostas Papadimitriou | Otherwise, if ``EPPN`` doesn't suit the requirements for your ``SP`` |
295 | 71053581 | Kostas Papadimitriou | deployment, change the ``REMOTE_USER`` attribute as required e.g.: |
296 | 71053581 | Kostas Papadimitriou | |
297 | 71053581 | Kostas Papadimitriou | .. code-block:: xml |
298 | 71053581 | Kostas Papadimitriou | |
299 | 71053581 | Kostas Papadimitriou | <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> |
300 | 71053581 | Kostas Papadimitriou | <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="persistent-nameid persistent-id targeted-id"> |
301 | 71053581 | Kostas Papadimitriou | |
302 | 71053581 | Kostas Papadimitriou | and restart the ``shibd`` service: |
303 | 71053581 | Kostas Papadimitriou | |
304 | 71053581 | Kostas Papadimitriou | .. code-block:: console |
305 | 71053581 | Kostas Papadimitriou | |
306 | 71053581 | Kostas Papadimitriou | $ service shibd restart |
307 | 71053581 | Kostas Papadimitriou | |
308 | 71053581 | Kostas Papadimitriou | **notice** that every time you alter the ``REMOTE_USER`` attribute, all |
309 | 71053581 | Kostas Papadimitriou | existing shibboleth enabled astakos users will be invalidated and no longer be |
310 | 71053581 | Kostas Papadimitriou | able to login to their existing account using shibboleth. Specifically for the |
311 | 71053581 | Kostas Papadimitriou | case of switching from *eppn* to another attribute, astakos is able to prevent |
312 | 71053581 | Kostas Papadimitriou | invalidation and automatically migrate existing *eppn* accounts. In order to do |
313 | 71053581 | Kostas Papadimitriou | that, set the ``ASTAKOS_SHIBBOLETH_MIGRATE_EPPN`` setting to ``True`` in |
314 | 71053581 | Kostas Papadimitriou | ``20-snf-astakos-app-settings.conf`` configuration file. Now every time an |
315 | 71053581 | Kostas Papadimitriou | existing *eppn* user logs in using shibboleth, astakos will update the associated |
316 | 71053581 | Kostas Papadimitriou | *eppn* identifier to the contents of the ``REMOTE_USER`` header. |
317 | 71053581 | Kostas Papadimitriou | |
318 | 71053581 | Kostas Papadimitriou | .. warning:: |
319 | 71053581 | Kostas Papadimitriou | |
320 | 71053581 | Kostas Papadimitriou | IdPs should keep releasing the ``EPPN`` attribute in order for the migration |
321 | 71053581 | Kostas Papadimitriou | to work. |
322 | 5547485e | Sofia Papagiannaki | |
323 | 0136e854 | Christos Stavrakakis | 3. Create floating IP pools |
324 | 0136e854 | Christos Stavrakakis | =========================== |
325 | 0136e854 | Christos Stavrakakis | |
326 | 0136e854 | Christos Stavrakakis | Synnefo v0.15 introduces floating IPs, which are public IPv4 addresses that can |
327 | 0136e854 | Christos Stavrakakis | dynamically be added/removed to/from VMs and are quotable via the |
328 | 0136e854 | Christos Stavrakakis | 'cyclades.floating_ip' resource. Connecting a VM to a public network is only |
329 | 0136e854 | Christos Stavrakakis | allowed if the user has first created a floating IP from this network. |
330 | 0136e854 | Christos Stavrakakis | |
331 | 0136e854 | Christos Stavrakakis | Floating IPs are created from networks that are marked as Floating IP pools. |
332 | 0136e854 | Christos Stavrakakis | Creation of floating IP pools is done with the ``snf-manage network-create`` |
333 | 0136e854 | Christos Stavrakakis | command using the ``--floating-ip-pool`` option. |
334 | 0136e854 | Christos Stavrakakis | |
335 | 0136e854 | Christos Stavrakakis | Existing networks can be converted to floating IP pools using the ``network-modify`` |
336 | 0136e854 | Christos Stavrakakis | command: |
337 | 0136e854 | Christos Stavrakakis | |
338 | 0136e854 | Christos Stavrakakis | .. code-block:: console |
339 | 0136e854 | Christos Stavrakakis | |
340 | 0136e854 | Christos Stavrakakis | snf-manage network-modify --floating-ip-pool=True <network_ID> |
341 | 0136e854 | Christos Stavrakakis | |
342 | 0136e854 | Christos Stavrakakis | Already allocated public IPv4 addresses are not automatically converted to |
343 | 0136e854 | Christos Stavrakakis | floating IPs. Existing VMs can keep their IPv4 addresses, which will |
344 | 0136e854 | Christos Stavrakakis | automatically be released when these VMs are destroyed. In order to |
345 | 0136e854 | Christos Stavrakakis | convert existing public IPs to floating IPs run the following command: |
346 | 0136e854 | Christos Stavrakakis | |
347 | 0136e854 | Christos Stavrakakis | .. code-block:: console |
348 | 0136e854 | Christos Stavrakakis | |
349 | 0136e854 | Christos Stavrakakis | cyclades.host$ /usr/lib/synnefo/tools/update_to_floating_ips |
350 | 0136e854 | Christos Stavrakakis | |
351 | 0136e854 | Christos Stavrakakis | or for just one network: |
352 | 0136e854 | Christos Stavrakakis | |
353 | 0136e854 | Christos Stavrakakis | .. code-block:: console |
354 | 0136e854 | Christos Stavrakakis | |
355 | 0136e854 | Christos Stavrakakis | cyclades.host$ /usr/lib/synnefo/tools/update_to_floating_ips --network-id=<network_ID> |
356 | 0136e854 | Christos Stavrakakis | |
357 | 0136e854 | Christos Stavrakakis | 4. Register services and resources |
358 | 762d2797 | Giorgos Korfiatis | ================================== |
359 | eb765213 | Giorgos Korfiatis | |
360 | 0136e854 | Christos Stavrakakis | 4.1 Re-register service and resource definitions |
361 | 762d2797 | Giorgos Korfiatis | ------------------------------------------------ |
362 | 762d2797 | Giorgos Korfiatis | |
363 | 762d2797 | Giorgos Korfiatis | You will need to register again all Synnefo components, updating the |
364 | 762d2797 | Giorgos Korfiatis | service and resource definitions. On the astakos node, run:: |
365 | eb765213 | Giorgos Korfiatis | |
366 | eb765213 | Giorgos Korfiatis | astakos-host$ snf-component-register |
367 | eb765213 | Giorgos Korfiatis | |
368 | eb765213 | Giorgos Korfiatis | This will detect that the Synnefo components are already registered and ask |
369 | eb765213 | Giorgos Korfiatis | to re-register. Answer positively. You need to enter the base URL and the UI |
370 | eb765213 | Giorgos Korfiatis | URL for each component, just like during the initial registration. |
371 | eb765213 | Giorgos Korfiatis | |
372 | 762d2797 | Giorgos Korfiatis | .. note:: |
373 | 762d2797 | Giorgos Korfiatis | |
374 | 762d2797 | Giorgos Korfiatis | You can run ``snf-manage component-list -o name,ui_url`` to inspect the |
375 | 762d2797 | Giorgos Korfiatis | current registered UI URL. In the default installation, the base URL can |
376 | 762d2797 | Giorgos Korfiatis | be found by stripping ``/ui`` from the UI URL. |
377 | 762d2797 | Giorgos Korfiatis | |
378 | 762d2797 | Giorgos Korfiatis | The meaning of resources ``cyclades.cpu`` and ``cyclades.ram`` has changed: |
379 | 762d2797 | Giorgos Korfiatis | they now denote the number of CPUs and, respectively, RAM of *active* VMs |
380 | 762d2797 | Giorgos Korfiatis | rather than all VMs. To represent total CPUs and total RAM, as previously, |
381 | 762d2797 | Giorgos Korfiatis | new resources ``cyclades.total_cpu`` and ``cyclades.total_ram`` are |
382 | 762d2797 | Giorgos Korfiatis | introduced. We now also control the usage of floating IPs through resource |
383 | 762d2797 | Giorgos Korfiatis | ``cyclades.floating_ip``. |
384 | 762d2797 | Giorgos Korfiatis | |
385 | 0136e854 | Christos Stavrakakis | 4.2 Tweak resource settings |
386 | 762d2797 | Giorgos Korfiatis | --------------------------- |
387 | 762d2797 | Giorgos Korfiatis | |
388 | 762d2797 | Giorgos Korfiatis | New resources (``cyclades.total_cpu``, ``cyclades.total_ram``, and |
389 | 762d2797 | Giorgos Korfiatis | ``cyclades.floating_ip``) are registered with infinite default base quota. |
390 | 762d2797 | Giorgos Korfiatis | You will probably need to restrict them, especially |
391 | 762d2797 | Giorgos Korfiatis | ``cyclades.floating_ip``. In order to change the default for all *future* |
392 | 762d2797 | Giorgos Korfiatis | users, for instance restricting floating IPs to 2, run:: |
393 | 762d2797 | Giorgos Korfiatis | |
394 | 762d2797 | Giorgos Korfiatis | astakos-host$ snf-manage resource-modify cyclades.floating_ip --default-quota 2 |
395 | 762d2797 | Giorgos Korfiatis | |
396 | 762d2797 | Giorgos Korfiatis | Note that this command does not affect *existing* users any more. They can |
397 | 762d2797 | Giorgos Korfiatis | still have infinite floating IPs. You can update base quota of existing |
398 | 762d2797 | Giorgos Korfiatis | users in bulk, possibly excluding some users, with:: |
399 | 762d2797 | Giorgos Korfiatis | |
400 | 762d2797 | Giorgos Korfiatis | astakos-host$ snf-manage user-modify --all --base-quota cyclades.floating_ip 2 --exclude uuid1,uuid2 |
401 | 762d2797 | Giorgos Korfiatis | |
402 | 762d2797 | Giorgos Korfiatis | .. note:: |
403 | 762d2797 | Giorgos Korfiatis | |
404 | 762d2797 | Giorgos Korfiatis | You can inspect base quota with ``snf-manage quota-list`` before applying |
405 | 762d2797 | Giorgos Korfiatis | any changes, for example:: |
406 | 762d2797 | Giorgos Korfiatis | |
407 | 762d2797 | Giorgos Korfiatis | # Get users with cyclades.vm base quota that differ from the default value |
408 | 762d2797 | Giorgos Korfiatis | astakos-host$ snf-manage quota-list --with-custom=True --filter-by "resource=cyclades.vm" |
409 | 762d2797 | Giorgos Korfiatis | |
410 | 762d2797 | Giorgos Korfiatis | # Get users with cyclades.vm base quota greater than 3 |
411 | 762d2797 | Giorgos Korfiatis | astakos-host$ snf-manage quota-list --filter-by "resource=cyclades.vm,base_quota>3" |
412 | 762d2797 | Giorgos Korfiatis | |
413 | 762d2797 | Giorgos Korfiatis | It is now possible to control whether a resource is visible for the users |
414 | 762d2797 | Giorgos Korfiatis | through the API or the UI. Note that the system always checks resource |
415 | 762d2797 | Giorgos Korfiatis | quota, regardless of their visibility. By default, ``cyclades.total_cpu``, |
416 | 762d2797 | Giorgos Korfiatis | ``cyclades.total_ram`` and ``astakos.pending_app`` are not visible. You can |
417 | 762d2797 | Giorgos Korfiatis | change this behavior with:: |
418 | 762d2797 | Giorgos Korfiatis | |
419 | 762d2797 | Giorgos Korfiatis | astakos-host$ snf-manage resource-modify <resource> --api-visible=True (or --ui-visible=True) |
420 | 762d2797 | Giorgos Korfiatis | |
421 | 0136e854 | Christos Stavrakakis | 4.3 Update the Quotaholder |
422 | 762d2797 | Giorgos Korfiatis | -------------------------- |
423 | 762d2797 | Giorgos Korfiatis | |
424 | 762d2797 | Giorgos Korfiatis | To update quota for all new or modified Cyclades resources, bring up Astakos:: |
425 | 762d2797 | Giorgos Korfiatis | |
426 | 762d2797 | Giorgos Korfiatis | astakos-host$ service gunicorn start |
427 | 762d2797 | Giorgos Korfiatis | |
428 | 762d2797 | Giorgos Korfiatis | and run on the Cyclades node:: |
429 | 762d2797 | Giorgos Korfiatis | |
430 | 762d2797 | Giorgos Korfiatis | cyclades-host$ snf-manage reconcile-resources-cyclades --fix --force |
431 | 762d2797 | Giorgos Korfiatis | |
432 | 0136e854 | Christos Stavrakakis | |
433 | 0136e854 | Christos Stavrakakis | 5. Bring all services up |
434 | 774f683b | Giorgos Korfiatis | ======================== |
435 | 774f683b | Giorgos Korfiatis | |
436 | 774f683b | Giorgos Korfiatis | After the upgrade is finished, we bring up all services: |
437 | 774f683b | Giorgos Korfiatis | |
438 | 774f683b | Giorgos Korfiatis | .. code-block:: console |
439 | 774f683b | Giorgos Korfiatis | |
440 | 774f683b | Giorgos Korfiatis | astakos.host # service gunicorn start |
441 | 774f683b | Giorgos Korfiatis | cyclades.host # service gunicorn start |
442 | 774f683b | Giorgos Korfiatis | pithos.host # service gunicorn start |
443 | 774f683b | Giorgos Korfiatis | |
444 | 774f683b | Giorgos Korfiatis | cyclades.host # service snf-dispatcher start |
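
A post-upgrade check for the settings changed in sections 2.4 and 2.6, as an added example that is not part of the Synnefo documentation or code base. It assumes the ``.conf`` files use plain Python assignment syntax; the function names, the 32-character minimum and the sample file contents are constructed for illustration.

```python
import ast
import secrets

AUTH_SUFFIX = "/identity/v2.0"  # suffix the guide says to append to the base URL
MIN_SECRET_LEN = 32             # assumption: local policy, not a Synnefo rule


def parse_settings(text):
    """Return {NAME: value} for top-level literal assignments.

    The text is parsed with ast and never executed, so a conf file cannot
    run code inside the checker. Non-literal right-hand sides are skipped.
    """
    settings = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                continue
    return settings


def auth_url_from_base(base_url):
    """Derive the auth URL the way section 2.4 describes."""
    return base_url.rstrip("/") + AUTH_SUFFIX


def check_auth_url(label, settings):
    """Check the ASTAKOS_BASE_URL -> ASTAKOS_AUTH_URL replacement."""
    problems = []
    base = settings.get("ASTAKOS_BASE_URL")
    auth = settings.get("ASTAKOS_AUTH_URL")
    if base is not None:
        problems.append(f"{label}: ASTAKOS_BASE_URL is still set, remove it")
    if not isinstance(auth, str) or not auth:
        hint = f" (typically {auth_url_from_base(base)})" if isinstance(base, str) else ""
        problems.append(f"{label}: ASTAKOS_AUTH_URL is missing{hint}")
    elif not auth.rstrip("/").endswith(AUTH_SUFFIX):
        problems.append(f"{label}: ASTAKOS_AUTH_URL does not end in {AUTH_SUFFIX}, verify it")
    return problems


def check_stats_keys(cyclades, stats):
    """Check that the encrypting and decrypting keys agree.

    Key values are never placed in the returned messages.
    """
    problems = []
    enc = cyclades.get("CYCLADES_STATS_SECRET_KEY")
    dec = stats.get("STATS_SECRET_KEY")
    if not enc or not dec:
        problems.append("stats: CYCLADES_STATS_SECRET_KEY and STATS_SECRET_KEY must both be set")
    elif enc != dec:
        problems.append("stats: keys differ, the Stats host cannot decrypt the instance hostname")
    if isinstance(enc, str) and len(enc) < MIN_SECRET_LEN:
        problems.append(f"stats: CYCLADES_STATS_SECRET_KEY is shorter than {MIN_SECRET_LEN} characters")
    return problems


def new_secret():
    """Random value suitable for the two stats keys (43 URL-safe characters)."""
    return secrets.token_urlsafe(32)


def check_upgrade(cyclades_text, pithos_text, stats_text):
    """Run every check over the text of the three settings files."""
    cyclades = parse_settings(cyclades_text)
    pithos = parse_settings(pithos_text)
    stats = parse_settings(stats_text)
    return (check_auth_url("cyclades", cyclades)
            + check_auth_url("pithos", pithos)
            + check_stats_keys(cyclades, stats))


# Constructed sample contents: a half-finished upgrade ...
BEFORE_CYCLADES = """
ASTAKOS_BASE_URL = 'https://accounts.example.synnefo.org/'
CYCLADES_STATS_SECRET_KEY = 'changeme'
"""
BEFORE_PITHOS = "ASTAKOS_AUTH_URL = 'https://accounts.example.synnefo.org/'\n"
BEFORE_STATS = "STATS_SECRET_KEY = 'something-else'\n"

# ... and the same files after following sections 2.4 and 2.6.
_key = new_secret()
_auth = auth_url_from_base("https://accounts.example.synnefo.org/")
AFTER_CYCLADES = f"ASTAKOS_AUTH_URL = '{_auth}'\nCYCLADES_STATS_SECRET_KEY = '{_key}'\n"
AFTER_PITHOS = f"ASTAKOS_AUTH_URL = '{_auth}'\n"
AFTER_STATS = f"STATS_SECRET_KEY = '{_key}'\n"

if __name__ == "__main__":
    for line in check_upgrade(BEFORE_CYCLADES, BEFORE_PITHOS, BEFORE_STATS):
        print(line)
    print("after:", check_upgrade(AFTER_CYCLADES, AFTER_PITHOS, AFTER_STATS) or "no problems")
```

Run it against copies of the three settings files gathered from the Cyclades, Pithos and Stats hosts; an empty result means both changes were applied consistently.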