root / docs / admin-guide.rst @ a4451f59
History | View | Annotate | Download (56.8 kB)
1 |
.. _admin-guide: |
---|---|
2 |
|
3 |
Synnefo Administrator's Guide |
4 |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
5 |
|
6 |
This is the complete Synnefo Administrator's Guide. |
7 |
|
8 |
|
9 |
|
10 |
General Synnefo Architecture |
11 |
============================ |
12 |
|
13 |
The following graph shows the whole Synnefo architecture and how it interacts |
14 |
with multiple Ganeti clusters. We hope that after reading the Administrator's |
15 |
Guide you will be able to understand every component and all the interactions |
16 |
between them. It is a good idea to first go through the Quick Administrator's |
17 |
Guide before proceeding. |
18 |
|
19 |
.. image:: images/synnefo-arch2.png |
20 |
:width: 100% |
21 |
:target: _images/synnefo-arch2.png |
22 |
|
23 |
|
24 |
|
25 |
Identity Service (Astakos) |
26 |
========================== |
27 |
|
28 |
|
29 |
Overview |
30 |
-------- |
31 |
|
32 |
Authentication methods |
33 |
~~~~~~~~~~~~~~~~~~~~~~ |
34 |
|
35 |
Local Authentication |
36 |
```````````````````` |
37 |
|
38 |
LDAP Authentication |
39 |
``````````````````` |
40 |
|
41 |
.. _shibboleth-auth: |
42 |
|
43 |
Shibboleth Authentication |
44 |
````````````````````````` |
45 |
|
46 |
Astakos can delegate user authentication to a Shibboleth federation. |
47 |
|
48 |
To setup shibboleth, install package:: |
49 |
|
50 |
apt-get install libapache2-mod-shib2 |
51 |
|
52 |
Change appropriately the configuration files in ``/etc/shibboleth``. |
53 |
|
54 |
Add in ``/etc/apache2/sites-available/synnefo-ssl``:: |
55 |
|
56 |
ShibConfig /etc/shibboleth/shibboleth2.xml |
57 |
Alias /shibboleth-sp /usr/share/shibboleth |
58 |
|
59 |
<Location /im/login/shibboleth> |
60 |
AuthType shibboleth |
61 |
ShibRequireSession On |
62 |
ShibUseHeaders On |
63 |
require valid-user |
64 |
</Location> |
65 |
|
66 |
and before the line containing:: |
67 |
|
68 |
ProxyPass / http://localhost:8080/ retry=0 |
69 |
|
70 |
add:: |
71 |
|
72 |
ProxyPass /Shibboleth.sso ! |
73 |
|
74 |
Then, enable the shibboleth module:: |
75 |
|
76 |
a2enmod shib2 |
77 |
|
78 |
After passing through the apache module, the following tokens should be |
79 |
available at the destination:: |
80 |
|
81 |
eppn # eduPersonPrincipalName |
82 |
Shib-InetOrgPerson-givenName |
83 |
Shib-Person-surname |
84 |
Shib-Person-commonName |
85 |
Shib-InetOrgPerson-displayName |
86 |
Shib-EP-Affiliation |
87 |
Shib-Session-ID |
88 |
|
89 |
Finally, add 'shibboleth' in ``ASTAKOS_IM_MODULES`` list. The variable resides |
90 |
inside the file ``/etc/synnefo/20-snf-astakos-app-settings.conf`` |
91 |
|
92 |
Architecture |
93 |
------------ |
94 |
|
95 |
Prereqs |
96 |
------- |
97 |
|
98 |
Installation |
99 |
------------ |
100 |
|
101 |
Configuration |
102 |
------------- |
103 |
|
104 |
Working with Astakos |
105 |
-------------------- |
106 |
|
107 |
User activation methods |
108 |
~~~~~~~~~~~~~~~~~~~~~~~ |
109 |
|
110 |
When a new user signs up, he/she is not marked as active. You can see his/her |
111 |
state by running (on the machine that runs the Astakos app): |
112 |
|
113 |
.. code-block:: console |
114 |
|
115 |
$ snf-manage user-list |
116 |
|
117 |
There are two different ways to activate a new user. Both need access to a |
118 |
running :ref:`mail server <mail-server>`. |
119 |
|
120 |
Manual activation |
121 |
````````````````` |
122 |
|
123 |
You can manually activate a new user that has already signed up, by sending |
124 |
him/her an activation email. The email will contain an approriate activation |
125 |
link, which will complete the activation process if followed. You can send the |
126 |
email by running: |
127 |
|
128 |
.. code-block:: console |
129 |
|
130 |
$ snf-manage user-activation-send <user ID or email> |
131 |
|
132 |
Be sure to have already setup your mail server and defined it in your Synnefo |
133 |
settings, before running the command. |
134 |
|
135 |
Automatic activation |
136 |
```````````````````` |
137 |
|
138 |
FIXME: Describe Regex activation method |
139 |
|
140 |
Setting quota limits |
141 |
~~~~~~~~~~~~~~~~~~~~ |
142 |
|
143 |
Set default quota |
144 |
````````````````` |
145 |
|
146 |
In 20-snf-astakos-app-settings.conf, |
147 |
uncomment the default setting ``ASTAKOS_SERVICES`` |
148 |
and customize the ``'uplimit'`` values. |
149 |
These are the default base quota for all users. |
150 |
|
151 |
To apply your configuration run:: |
152 |
|
153 |
# snf-manage astakos-init --load-service-resources |
154 |
# snf-manage quota --sync |
155 |
|
156 |
Set base quota for individual users |
157 |
``````````````````````````````````` |
158 |
|
159 |
For individual users that need different quota than the default |
160 |
you can set it for each resource like this:: |
161 |
|
162 |
# use this to display quota / uuid |
163 |
# snf-manage user-show 'uuid or email' --quota |
164 |
|
165 |
# snf-manage user-modify 'user-uuid' --set-base-quota 'cyclades.vm' 10 |
166 |
|
167 |
|
168 |
Enable the Projects feature |
169 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
170 |
|
171 |
If you want to enable the projects feature so that users may apply |
172 |
on their own for resources by creating and joining projects, |
173 |
in ``20-snf-astakos-app-settings.conf`` set:: |
174 |
|
175 |
# this will make the 'projects' page visible in the dashboard |
176 |
ASTAKOS_PROJECTS_VISIBLE = True |
177 |
|
178 |
You can change the maximum allowed number of pending project applications |
179 |
per user with:: |
180 |
|
181 |
# snf-manage resource-modify astakos.pending_app --limit <number> |
182 |
|
183 |
You can also set a user-specific limit with:: |
184 |
|
185 |
# snf-manage user-modify 'user-uuid' --set-base-quota 'astakos.pending_app' 5 |
186 |
|
187 |
When users apply for projects they are not automatically granted |
188 |
the resources. They must first be approved by the administrator. |
189 |
|
190 |
To list pending project applications in astakos:: |
191 |
|
192 |
# snf-manage project-list --pending |
193 |
|
194 |
Note the last column, the application id. To approve it:: |
195 |
|
196 |
# <app id> from the last column of project-list |
197 |
# snf-manage project-control --approve <app id> |
198 |
|
199 |
To deny an application:: |
200 |
|
201 |
# snf-manage project-control --deny <app id> |
202 |
|
203 |
Users designated as *project admins* can approve, deny, or modify |
204 |
an application through the web interface. In |
205 |
``20-snf-astakos-app-settings.conf`` set:: |
206 |
|
207 |
# UUIDs of users that can approve or deny project applications from the web. |
208 |
ASTAKOS_PROJECT_ADMINS = [<uuid>, ...] |
209 |
|
210 |
|
211 |
Astakos advanced operations |
212 |
--------------------------- |
213 |
|
214 |
Adding "Terms of Use" |
215 |
~~~~~~~~~~~~~~~~~~~~~ |
216 |
|
217 |
Astakos supports versioned terms-of-use. First of all you need to create an |
218 |
html file that will contain your terms. For example, create the file |
219 |
``/usr/share/synnefo/sample-terms.html``, which contains the following: |
220 |
|
221 |
.. code-block:: console |
222 |
|
223 |
<h1>~okeanos terms</h1> |
224 |
|
225 |
These are the example terms for ~okeanos |
226 |
|
227 |
Then, add those terms-of-use with the snf-manage command: |
228 |
|
229 |
.. code-block:: console |
230 |
|
231 |
$ snf-manage term-add /usr/share/synnefo/sample-terms.html |
232 |
|
233 |
Your terms have been successfully added and you will see the corresponding link |
234 |
appearing in the Astakos web pages' footer. |
235 |
|
236 |
Enabling reCAPTCHA |
237 |
~~~~~~~~~~~~~~~~~~ |
238 |
|
239 |
Astakos supports the `reCAPTCHA <http://www.google.com/recaptcha>`_ feature. |
240 |
If enabled, it protects the Astakos forms from bots. To enable the feature, go |
241 |
to https://www.google.com/recaptcha/admin/create and create your own reCAPTCHA |
242 |
key pair. Then edit ``/etc/synnefo/20-snf-astakos-app-settings.conf`` and set |
243 |
the corresponding variables to reflect your newly created key pair. Finally, set |
244 |
the ``ASTAKOS_RECAPTCHA_ENABLED`` variable to ``True``: |
245 |
|
246 |
.. code-block:: console |
247 |
|
248 |
ASTAKOS_RECAPTCHA_PUBLIC_KEY = 'example_recaptcha_public_key!@#$%^&*(' |
249 |
ASTAKOS_RECAPTCHA_PRIVATE_KEY = 'example_recaptcha_private_key!@#$%^&*(' |
250 |
|
251 |
ASTAKOS_RECAPTCHA_ENABLED = True |
252 |
|
253 |
Restart the service on the Astakos node(s) and you are ready: |
254 |
|
255 |
.. code-block:: console |
256 |
|
257 |
# /etc/init.d/gunicorn restart |
258 |
|
259 |
Checkout your new Sign up page. If you see the reCAPTCHA box, you have setup |
260 |
everything correctly. |
261 |
|
262 |
|
263 |
|
264 |
File Storage Service (Pithos) |
265 |
============================= |
266 |
|
267 |
Overview |
268 |
-------- |
269 |
|
270 |
Architecture |
271 |
------------ |
272 |
|
273 |
Prereqs |
274 |
------- |
275 |
|
276 |
Installation |
277 |
------------ |
278 |
|
279 |
Configuration |
280 |
------------- |
281 |
|
282 |
Working with Pithos |
283 |
------------------- |
284 |
|
285 |
Pithos advanced operations |
286 |
-------------------------- |
287 |
|
288 |
|
289 |
|
290 |
Compute/Network/Image Service (Cyclades) |
291 |
======================================== |
292 |
|
293 |
Compute Overview |
294 |
---------------- |
295 |
|
296 |
Network Overview |
297 |
---------------- |
298 |
|
299 |
Image Overview |
300 |
-------------- |
301 |
|
302 |
Architecture |
303 |
------------ |
304 |
|
305 |
Asynchronous communication with Ganeti backends |
306 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
307 |
Synnefo uses Google Ganeti backends for VM cluster management. In order for |
308 |
Cyclades to be able to handle thousands of user requests, Cyclades and Ganeti |
309 |
communicate asynchronously. Briefly, requests are submitted to Ganeti through |
310 |
Ganeti's RAPI/HTTP interface, and then asynchronous notifications about the |
311 |
progress of Ganeti jobs are being created and pushed upwards to Cyclades. The |
312 |
architecture and communication with a Ganeti backend is shown in the graph |
313 |
below: |
314 |
|
315 |
.. image:: images/cyclades-ganeti-communication.png |
316 |
:width: 50% |
317 |
:target: _images/cyclades-ganeti-communication.png |
318 |
|
319 |
The Cyclades API server is responsible for handling user requests. Read-only |
320 |
requests are directly served by looking up the Cyclades DB. If the request |
321 |
needs an action in the Ganeti backend, Cyclades submit jobs to the Ganeti |
322 |
master using the `Ganeti RAPI interface |
323 |
<http://docs.ganeti.org/ganeti/2.2/html/rapi.html>`_. |
324 |
|
325 |
While Ganeti executes the job, `snf-ganeti-eventd`, `snf-ganeti-hook` and |
326 |
`snf-progress-monitor` are monitoring the progress of the job and send |
327 |
corresponding messages to the RabbitMQ servers. These components are part |
328 |
of `snf-cyclades-gtools` and must be installed on all Ganeti nodes. Specially: |
329 |
|
330 |
* *snf-ganeti-eventd* sends messages about operations affecting the operating |
331 |
state of instances and networks. Works by monitoring the Ganeti job queue. |
332 |
* *snf-ganeti_hook* sends messages about the NICs of instances. It includes a |
333 |
number of `Ganeti hooks <http://docs.ganeti.org/ganeti/2.2/html/hooks.html>`_ |
334 |
for customisation of operations. |
335 |
* *snf-progress_monitor* sends messages about the progress of the Image deployment |
336 |
phase which is done by the Ganeti OS Definition `snf-image`. |
337 |
|
338 |
Finally, `snf-dispatcher` consumes messages from the RabbitMQ queues, processes |
339 |
these messages and properly updates the state of the Cyclades DB. Subsequent |
340 |
requests to the Cyclades API, will retrieve the updated state from the DB. |
341 |
|
342 |
|
343 |
Prereqs |
344 |
------- |
345 |
|
346 |
Work in progress. Please refer to :ref:`quick administrator quide <quick-install-admin-guide>`. |
347 |
|
348 |
Installation |
349 |
------------ |
350 |
|
351 |
Work in progress. Please refer to :ref:`quick administrator quide <quick-install-admin-guide>`. |
352 |
|
353 |
Configuration |
354 |
------------- |
355 |
|
356 |
Work in progress. Please refer to :ref:`quick administrator quide <quick-install-admin-guide>`. |
357 |
|
358 |
Working with Cyclades |
359 |
--------------------- |
360 |
|
361 |
Managing Ganeti Backends |
362 |
~~~~~~~~~~~~~~~~~~~~~~~~ |
363 |
|
364 |
Since v0.11, Synnefo is able to manage multiple Ganeti clusters (backends) |
365 |
making it capable to scale linearly to tens of thousands of VMs. Backends |
366 |
can be dynamically added or removed via `snf-manage` commands. |
367 |
|
368 |
Each newly created VM is allocated to a Ganeti backend by the Cyclades backend |
369 |
allocator. The VM is "pinned" to this backend, and can not change through its |
370 |
lifetime. The backend allocator decides in which backend to spawn the VM based |
371 |
on the available resources of each backend, trying to balance the load between |
372 |
them. |
373 |
|
374 |
Handling of Networks, as far as backends are concerned, is based on whether the |
375 |
network is public or not. Public networks are created through the `snf-manage |
376 |
network-create` command, and are only created on one backend. Private networks |
377 |
are created on all backends, in order to ensure that VMs residing on different |
378 |
backends can be connected to the same private network. |
379 |
|
380 |
Listing existing backends |
381 |
````````````````````````` |
382 |
To list all the Ganeti backends known to Synnefo, we run: |
383 |
|
384 |
.. code-block:: console |
385 |
|
386 |
$ snf-manage backend-list |
387 |
|
388 |
Adding a new Ganeti backend |
389 |
``````````````````````````` |
390 |
Backends are dynamically added under the control of Synnefo with `snf-manage |
391 |
backend-add` command. In this section it is assumed that a Ganeti cluster, |
392 |
named ``cluster.example.com`` is already up and running and configured to be |
393 |
able to host Synnefo VMs. |
394 |
|
395 |
To add this Ganeti cluster, we run: |
396 |
|
397 |
.. code-block:: console |
398 |
|
399 |
$ snf-manage backend-add --clustername=cluster.example.com --user="synnefo_user" --pass="synnefo_pass" |
400 |
|
401 |
where ``clustername`` is the Cluster hostname of the Ganeti cluster, and |
402 |
``user`` and ``pass`` are the credentials for the `Ganeti RAPI user |
403 |
<http://docs.ganeti.org/ganeti/2.2/html/rapi.html#users-and-passwords>`_. All |
404 |
backend attributes can be also changed dynamically using the `snf-manage |
405 |
backend-modify` command. |
406 |
|
407 |
``snf-manage backend-add`` will also create all existing private networks to |
408 |
the new backend. You can verify that the backend is added, by running |
409 |
`snf-manage backend-list`. |
410 |
|
411 |
Note that no VMs will be spawned to this backend, since by default it is in a |
412 |
``drained`` state after addition and also it has no public network assigned to |
413 |
it. |
414 |
|
415 |
So, first you need to create its public network, make sure everything works as |
416 |
expected and finally make it active by un-setting the ``drained`` flag. You can |
417 |
do this by running: |
418 |
|
419 |
.. code-block:: console |
420 |
|
421 |
$ snf-manage backend-modify --drained=False <backend_id> |
422 |
|
423 |
Removing an existing Ganeti backend |
424 |
``````````````````````````````````` |
425 |
In order to remove an existing backend from Synnefo, we run: |
426 |
|
427 |
.. code-block:: console |
428 |
|
429 |
# snf-manage backend-remove <backend_id> |
430 |
|
431 |
This command will fail if there are active VMs on the backend. Also, the |
432 |
backend is not cleaned before removal, so all the Synnefo private networks |
433 |
will be left on the Ganeti nodes. You need to remove them manually. |
434 |
|
435 |
Allocation of VMs in Ganeti backends |
436 |
```````````````````````````````````` |
437 |
As already mentioned, the Cyclades backend allocator is responsible for |
438 |
allocating new VMs to backends. This allocator does not choose the exact Ganeti |
439 |
node that will host the VM but just the Ganeti backend. The exact node is |
440 |
chosen by the Ganeti cluster's allocator (hail). |
441 |
|
442 |
The decision about which backend will host a VM is based on the available |
443 |
resources. The allocator computes a score for each backend, that shows its load |
444 |
factor, and the one with the minimum score is chosen. The admin can exclude |
445 |
backends from the allocation phase by marking them as ``drained`` by running: |
446 |
|
447 |
.. code-block:: console |
448 |
|
449 |
$ snf-manage backend-modify --drained=True <backend_id> |
450 |
|
451 |
The backend resources are periodically updated, at a period defined by |
452 |
the ``BACKEND_REFRESH_MIN`` setting, or by running `snf-manage backend-update-status` |
453 |
command. It is advised to have a cron job running this command at a smaller |
454 |
interval than ``BACKEND_REFRESH_MIN`` in order to remove the load of refreshing |
455 |
the backends stats from the VM creation phase. |
456 |
|
457 |
Finally, the admin can decide to have a user's VMs being allocated to a |
458 |
specific backend, with the ``BACKEND_PER_USER`` setting. This is a mapping |
459 |
between users and backends. If the user is found in ``BACKEND_PER_USER``, then |
460 |
Synnefo allocates all his/hers VMs to the specific backend in the variable, |
461 |
even if is marked as drained (useful for testing). |
462 |
|
463 |
|
464 |
Managing Virtual Machines |
465 |
~~~~~~~~~~~~~~~~~~~~~~~~~ |
466 |
|
467 |
As mentioned, Cyclades uses Ganeti for management of VMs. The administrator can |
468 |
handle Cyclades VMs just like any other Ganeti instance, via `gnt-instance` |
469 |
commands. All Ganeti instances that belong to Synnefo, are separated from |
470 |
others, by a prefix in their names. This prefix is defined in |
471 |
``BACKEND_PREFIX_ID`` setting in |
472 |
``/etc/synnefo/20-snf-cyclades-app-backend.conf``. |
473 |
|
474 |
Apart from handling instances directly in the Ganeti level, a number of `snf-manage` |
475 |
commands are available: |
476 |
|
477 |
* ``snf-manage server-list``: List servers |
478 |
* ``snf-manage server-show``: Show information about a server in the Cyclades DB |
479 |
* ``snf-manage server-inspect``: Inspect the state of a server both in DB and Ganeti |
480 |
* ``snf-manage server-modify``: Modify the state of a server in the Cycldes DB |
481 |
* ``snf-manage server-create``: Create a new server |
482 |
* ``snf-manage server-import``: Import an existing Ganeti instance to Cyclades |
483 |
|
484 |
|
485 |
Managing Virtual Networks |
486 |
~~~~~~~~~~~~~~~~~~~~~~~~~ |
487 |
|
488 |
Cyclades is able to create and manage Virtual Networks. Networking is |
489 |
desployment specific and must be customized based on the specific needs of the |
490 |
system administrator. For better understanding of networking please refer to |
491 |
the :ref:`Network <networks>` section. |
492 |
|
493 |
Exactly as Cyclades VMs can be handled like Ganeti instances, Cyclades Networks |
494 |
can also by handled as Ganeti networks, via `gnt-network commands`. All Ganeti |
495 |
networks that belong to Synnefo are named with the prefix |
496 |
`${BACKEND_PREFIX_ID}-net-`. |
497 |
|
498 |
There are also the following `snf-manage` commands for managing networks: |
499 |
|
500 |
* ``snf-manage network-list``: List networks |
501 |
* ``snf-manage network-show``: Show information about a network in the Cyclades DB |
502 |
* ``snf-manage network-inspect``: Inspect the state of the network in DB and Ganeti backends |
503 |
* ``snf-manage network-modify``: Modify the state of a network in the Cycldes DB |
504 |
* ``snf-manage network-create``: Create a new network |
505 |
* ``snf-manage network-remove``: Remove an existing network |
506 |
|
507 |
Managing Network Resources |
508 |
`````````````````````````` |
509 |
|
510 |
Proper operation of the Cyclades Network Service depends on the unique |
511 |
assignment of specific resources to each type of virtual network. Specifically, |
512 |
these resources are: |
513 |
|
514 |
* IP addresses. Cyclades creates a Pool of IPs for each Network, and assigns a |
515 |
unique IP address to each VM, thus connecting it to this Network. You can see |
516 |
the IP pool of each network by running `snf-manage network-inspect |
517 |
<network_ID>`. IP pools are automatically created and managed by Cyclades, |
518 |
depending on the subnet of the Network. |
519 |
* Bridges corresponding to physical VLANs, which are required for networks of |
520 |
type `PRIVATE_PHYSICAL_VLAN`. |
521 |
* One Bridge corresponding to one physical VLAN which is required for networks of |
522 |
type `PRIVATE_MAC_PREFIX`. |
523 |
|
524 |
Cyclades allocates those resources from pools that are created by the |
525 |
administrator with the `snf-manage pool-create` management command. |
526 |
|
527 |
Pool Creation |
528 |
````````````` |
529 |
Pools are created using the `snf-manage pool-create` command: |
530 |
|
531 |
.. code-block:: console |
532 |
|
533 |
# snf-manage pool-create --type=bridge --base=prv --size=20 |
534 |
|
535 |
will create a pool of bridges, containing bridges prv1, prv2,..prv21. |
536 |
|
537 |
You can verify the creation of the pool, and check its contents by running: |
538 |
|
539 |
.. code-block:: console |
540 |
|
541 |
# snf-manage pool-list |
542 |
# snf-manage pool-show --type=bridge 1 |
543 |
|
544 |
With the same commands you can handle a pool of MAC prefixes. For example: |
545 |
|
546 |
.. code-block:: console |
547 |
|
548 |
# snf-manage pool-create --type=mac-prefix --base=aa:00:0 --size=65536 |
549 |
|
550 |
will create a pool of MAC prefixes from ``aa:00:1`` to ``b9:ff:f``. The MAC |
551 |
prefix pool is responsible for providing only unicast and locally administered |
552 |
MAC addresses, so many of these prefixes will be externally reserved, to |
553 |
exclude from allocation. |
554 |
|
555 |
Cyclades advanced operations |
556 |
---------------------------- |
557 |
|
558 |
Reconciliation mechanism |
559 |
~~~~~~~~~~~~~~~~~~~~~~~~ |
560 |
|
561 |
On certain occasions, such as a Ganeti or RabbitMQ failure, the state of |
562 |
Cyclades database may differ from the real state of VMs and networks in the |
563 |
Ganeti backends. The reconciliation process is designed to synchronize |
564 |
the state of the Cyclades DB with Ganeti. There are two management commands |
565 |
for reconciling VMs and Networks |
566 |
|
567 |
Reconciling Virtual Machines |
568 |
```````````````````````````` |
569 |
|
570 |
Reconciliation of VMs detects the following conditions: |
571 |
|
572 |
* Stale DB servers without corresponding Ganeti instances |
573 |
* Orphan Ganeti instances, without corresponding DB entries |
574 |
* Out-of-sync state for DB entries wrt to Ganeti instances |
575 |
|
576 |
To detect all inconsistencies you can just run: |
577 |
|
578 |
.. code-block:: console |
579 |
|
580 |
$ snf-manage reconcile-servers |
581 |
|
582 |
Adding the `--fix-all` option, will do the actual synchronization: |
583 |
|
584 |
.. code-block:: console |
585 |
|
586 |
$ snf-manage reconcile --fix-all |
587 |
|
588 |
Please see ``snf-manage reconcile --help`` for all the details. |
589 |
|
590 |
|
591 |
Reconciling Networks |
592 |
```````````````````` |
593 |
|
594 |
Reconciliation of Networks detects the following conditions: |
595 |
|
596 |
* Stale DB networks without corresponding Ganeti networks |
597 |
* Orphan Ganeti networks, without corresponding DB entries |
598 |
* Private networks that are not created to all Ganeti backends |
599 |
* Unsynchronized IP pools |
600 |
|
601 |
To detect all inconsistencies you can just run: |
602 |
|
603 |
.. code-block:: console |
604 |
|
605 |
$ snf-manage reconcile-networks |
606 |
|
607 |
Adding the `--fix-all` option, will do the actual synchronization: |
608 |
|
609 |
.. code-block:: console |
610 |
|
611 |
$ snf-manage reconcile-networks --fix-all |
612 |
|
613 |
Please see ``snf-manage reconcile-networks --help`` for all the details. |
614 |
|
615 |
|
616 |
|
617 |
Block Storage Service (Archipelago) |
618 |
=================================== |
619 |
|
620 |
Overview |
621 |
-------- |
622 |
Archipelago offers Copy-On-Write snapshotable volumes. Pithos images can be used |
623 |
to provision a volume with Copy-On-Write semantics (i.e. a clone). Snapshots |
624 |
offer a unique deduplicated image of a volume, that reflects the volume state |
625 |
during snapshot creation and are indistinguishable from a Pithos image. |
626 |
|
627 |
Archipelago is used by Cyclades and Ganeti for fast provisioning of VMs based on |
628 |
CoW volumes. Moreover, it enables live migration of thinly-provisioned VMs with |
629 |
no physically shared storage. |
630 |
|
631 |
Archipelago Architecture |
632 |
------------------------ |
633 |
|
634 |
.. image:: images/archipelago-architecture.png |
635 |
:width: 50% |
636 |
:target: _images/archipelago-architecture.png |
637 |
|
638 |
.. _syn+archip+rados: |
639 |
|
640 |
Overview of Synnefo + Archipelago + RADOS |
641 |
----------------------------------------- |
642 |
|
643 |
.. image:: images/synnefo-arch3.png |
644 |
:width: 100% |
645 |
:target: _images/synnefo-arch3.png |
646 |
|
647 |
Prereqs |
648 |
------- |
649 |
|
650 |
The administrator must initialize the storage backend where archipelago volume |
651 |
blocks will reside. |
652 |
|
653 |
In case of a files backend, the administrator must create two directories. One |
654 |
for the archipelago data blocks and one for the archipelago map blocks. These |
655 |
should probably be over shared storage to enable sharing archipelago volumes |
656 |
between multiple nodes. He or she, must also be able to supply a directory where |
657 |
the pithos data and map blocks reside. |
658 |
|
659 |
In case of a RADOS backend, the administrator must create two rados pools, one |
660 |
for data blocks, and one for the map blocks. These pools, must be the same pools |
661 |
used in pithos, in order to enable volume creation based on pithos images. |
662 |
|
663 |
Installation |
664 |
------------ |
665 |
|
666 |
Archipelago consists of |
667 |
|
668 |
* ``libxseg0``: libxseg used to communicate over shared memory segments |
669 |
* ``python-xseg``: python bindings for libxseg |
670 |
* ``archipelago-kernel-dkms``: contains archipelago kernel modules to provide |
671 |
block devices to be used as vm disks |
672 |
* ``python-archipelago``: archipelago python module. Includes archipelago and |
673 |
vlmc functionality. |
674 |
* ``archipelago``: user space tools and peers for the archipelago management and |
675 |
volume composition |
676 |
* ``archipelago-ganeti``: ganeti ext storage scripts, that enable ganeti to |
677 |
provision VMs over archipelago |
678 |
|
679 |
Performing |
680 |
|
681 |
.. code-block:: console |
682 |
|
683 |
$ apt-get install archipelago-ganeti |
684 |
|
685 |
should fetch all the required packages and get you up 'n going with archipelago |
686 |
|
687 |
Bare in mind, that custom librados is required, which is provided in the apt |
688 |
repo of GRNet. |
689 |
|
690 |
|
691 |
For now, librados is a dependency of archipelago, even if you do not intend to |
692 |
use archipelago over RADOS. |
693 |
|
694 |
Configuration |
695 |
------------- |
696 |
Archipelago should work out of the box with a RADOS backend, but basic |
697 |
configuration can be done in ``/etc/default/archipelago`` . |
698 |
|
699 |
If you wish to change the storage backend to files, set |
700 |
|
701 |
.. code-block:: console |
702 |
|
703 |
STORAGE="files" |
704 |
|
705 |
and provide the appropriate settings for files storage backend in the conf file. |
706 |
|
707 |
These are: |
708 |
|
709 |
* ``FILED_IMAGES``: directory for archipelago data blocks. |
710 |
* ``FILED_MAPS``: directory for archipelago map blocks. |
711 |
* ``PITHOS``: directory of pithos data blocks. |
712 |
* ``PITHOSMAPS``: directory of pithos map blocks. |
713 |
|
714 |
The settings for RADOS storage backend are: |
715 |
|
716 |
* ``RADOS_POOL_MAPS``: The pool where archipelago and pithos map blocks reside. |
717 |
* ``RADOS_POOL_BLOCKS``: The pool where archipelago and pithos data blocks |
718 |
reside. |
719 |
|
720 |
Examples can be found in the conf file. |
721 |
|
722 |
Be aware that archipelago infrastructure doesn't provide default values for this |
723 |
settings. If they are not set in the conf file, archipelago will not be able to |
724 |
function. |
725 |
|
726 |
Archipelago also provides ``VERBOSITY`` config options to control the output |
727 |
generated by the userspace peers. |
728 |
|
729 |
The available options are: |
730 |
|
731 |
* ``VERBOSITY_BLOCKERB`` |
732 |
* ``VERBOSITY_BLOCKERM`` |
733 |
* ``VERBOSITY_MAPPER`` |
734 |
* ``VERBOSITY_VLMC`` |
735 |
|
736 |
and the available values are: |
737 |
|
738 |
* 0 : Error only logging. |
739 |
* 1 : Warning logging. |
740 |
* 2 : Info logging. |
741 |
* 3 : Debug logging. WARNING: This options produces tons of output, but the |
742 |
logrotate daemon should take care of it. |
743 |
|
744 |
Working with Archipelago |
745 |
------------------------ |
746 |
|
747 |
``archipelago`` provides basic functionality for archipelago. |
748 |
|
749 |
Usage: |
750 |
|
751 |
.. code-block:: console |
752 |
|
753 |
$ archipelago [-u] command |
754 |
|
755 |
|
756 |
Currently it supports the following commands: |
757 |
|
758 |
* ``start [peer]`` |
759 |
Starts archipelago or the specified peer. |
760 |
* ``stop [peer]`` |
761 |
Stops archipelago or the specified peer. |
762 |
* ``restart [peer]`` |
763 |
Restarts archipelago or the specified peer. |
764 |
* ``status`` |
765 |
Show the status of archipelago. |
766 |
|
767 |
Available peers: ``blockerm``, ``blockerb``, ``mapperd``, ``vlmcd``. |
768 |
|
769 |
|
770 |
``start``, ``stop``, ``restart`` can be combined with the ``-u / --user`` option |
771 |
to affect only the userspace peers supporting archipelago. |
772 |
|
773 |
|
774 |
|
775 |
Archipelago advanced operations |
776 |
------------------------------- |
777 |
The ``vlmc`` tool provides a way to interact with archipelago volumes |
778 |
|
779 |
* ``vlmc map <volumename>``: maps the volume to a xsegbd device. |
780 |
|
781 |
* ``vlmc unmap </dev/xsegbd[1-..]>``: unmaps the specified device from the |
782 |
system. |
783 |
|
784 |
* ``vlmc create <volumename> --snap <snapname> --size <size>``: creates a new |
785 |
volume named <volumename> from snapshot name <snapname> with size <size>. |
786 |
The ``--snap`` and ``--size`` are optional, but at least one of them is |
787 |
mandatory. e.g: |
788 |
|
789 |
``vlmc create <volumename> --snap <snapname>`` creates a volume named |
790 |
volumename from snapshot snapname. The size of the volume is the same as |
791 |
the size of the snapshot. |
792 |
|
793 |
``vlmc create <volumename> --size <size>`` creates an empty volume of size |
794 |
<size> named <volumename>. |
795 |
|
796 |
* ``vlmc remove <volumename>``: removes the volume and all the related |
797 |
archipelago blocks from storage. |
798 |
|
799 |
* ``vlmc list``: provides a list of archipelago volumes. Currently only works |
800 |
with RADOS storage backend. |
801 |
|
802 |
* ``vlmc info <volumename>``: shows volume information. Currently returns only |
803 |
volume size. |
804 |
|
805 |
* ``vlmc open <volumename>``: opens an archipelago volume. That is, taking all |
806 |
the necessary locks and also make the rest of the infrastructure aware of the |
807 |
operation. |
808 |
|
809 |
This operation succeeds if the volume is alread opened. |
810 |
|
811 |
* ``vlmc close <volumename>``: closes an archipelago volume. That is, performing |
812 |
all the necessary functions in the insfrastrure to successfully release the |
813 |
volume. Also releases all the acquired locks. |
814 |
|
815 |
``vlmc close`` should be performed after a ``vlmc open`` operation. |
816 |
|
817 |
* ``vlmc lock <volumename>``: locks a volume. This step allow the administrator |
818 |
to lock an archipelago volume, independently from the rest of the |
819 |
infrastrure. |
820 |
|
821 |
* ``vlmc unlock [-f] <volumename>``: unlocks a volume. This allow the |
822 |
administrator to unlock a volume, independently from the rest of the |
823 |
infrastructure. |
824 |
The unlock option can be performed only by the blocker that acquired the lock |
825 |
in the first place. To unlock a volume from another blocker, ``-f`` option |
826 |
must be used to break the lock. |
827 |
|
828 |
|
829 |
Synnefo management commands ("snf-manage") |
830 |
========================================== |
831 |
|
832 |
Each Synnefo service, Astakos, Pithos and Cyclades are controlled by the |
833 |
administrator using the "snf-manage" admin tool. This tool is an extension of |
834 |
the Django command-line management utility. It is run on the host that runs |
835 |
each service and provides different types of commands depending the services |
836 |
running on the host. If you are running more than one service on the same host |
837 |
"snf-manage" adds all the corresponding commands for each service dynamically, |
838 |
providing a unified admin environment. |
839 |
|
840 |
To run "snf-manage" you just type: |
841 |
|
842 |
.. code-block:: console |
843 |
|
844 |
# snf-manage <command> [arguments] |
845 |
|
846 |
on the corresponding host that runs the service. For example, if you have all |
847 |
services running on different physical hosts you would do: |
848 |
|
849 |
.. code-block:: console |
850 |
|
851 |
root@astakos-host # snf-manage <astakos-command> [argument] |
852 |
root@pithos-host # snf-manage <pithos-command> [argument] |
853 |
root@cyclades-host # snf-manage <cyclades-command> [argument] |
854 |
|
855 |
If you have all services running on the same host you would do: |
856 |
|
857 |
.. code-block:: console |
858 |
|
859 |
root@synnefo-host # snf-manage <{astakos,pithos,cyclades}-command> [argument] |
860 |
|
861 |
Note that you cannot execute a service's command on a host that is not running |
862 |
this service. For example, the following will return an error if Astakos and |
863 |
Cyclades are installed on different physical hosts: |
864 |
|
865 |
.. code-block:: console |
866 |
|
867 |
root@astakos-host # snf-manage <cyclades-command> [argument] |
868 |
Unknown command: 'cyclades-command' |
869 |
Type 'snf-manage help' for usage. |
870 |
|
871 |
This is the complete list of "snf-manage" commands for each service. |
872 |
|
873 |
Astakos snf-manage commands |
874 |
--------------------------- |
875 |
|
876 |
============================ =========================== |
877 |
Name Description |
878 |
============================ =========================== |
879 |
fix-superusers Transform superusers created by syncdb into AstakosUser instances |
880 |
cleanup-full Cleanup sessions and session catalog |
881 |
commission-list List pending commissions |
882 |
commission-show Show details for a pending commission |
883 |
project-control Manage projects and applications |
884 |
project-list List projects |
885 |
project-show Show project details |
886 |
quota List and check the integrity of user quota |
887 |
reconcile-resources-astakos Reconcile resource usage of Quotaholder with Astakos DB |
888 |
resource-add Add resource |
889 |
resource-export-astakos Export astakos resources in json format |
890 |
resource-import Register service resources |
891 |
resource-list List resources |
892 |
resource-modify Modify a resource's default base quota and boolean flags |
893 |
service-add Register a service |
894 |
service-list List services |
895 |
service-modify Modify service attributes |
896 |
service-show Show service details |
897 |
term-add Add approval terms |
898 |
user-activation-send Send user activation |
899 |
user-add Add user |
900 |
authpolicy-add Create a new authentication provider policy profile |
901 |
authpolicy-list List existing authentication provider policy profiles |
902 |
authpolicy-remove Remove an authentication provider policy |
903 |
authpolicy-set Assign an existing authentication provider policy profile to a user or group |
904 |
authpolicy-show Show authentication provider profile details |
905 |
group-add Create a group with the given name |
906 |
group-list List available groups |
907 |
user-list List users |
908 |
user-modify Modify user |
909 |
user-show Show user details |
910 |
============================ =========================== |
911 |
|
912 |
Pithos snf-manage commands |
913 |
-------------------------- |
914 |
|
915 |
============================ =========================== |
916 |
Name Description |
917 |
============================ =========================== |
918 |
reconcile-commissions-pithos Display unresolved commissions and trigger their recovery |
919 |
resource-export-pithos Export pithos resources in json format |
920 |
reconcile-resources-pithos Detect unsynchronized usage between Astakos and Pithos DB resources and synchronize them if specified so. |
921 |
============================ =========================== |
922 |
|
923 |
Cyclades snf-manage commands |
924 |
---------------------------- |
925 |
|
926 |
============================ =========================== |
927 |
Name Description |
928 |
============================ =========================== |
929 |
FIXME: list cyclades cmds |
930 |
============================ =========================== |
931 |
|
932 |
Pithos managing accounts |
933 |
======================== |
934 |
|
935 |
Pithos provides a utility tool for managing accounts. |
936 |
To run you just type: |
937 |
|
938 |
.. code-block:: console |
939 |
|
940 |
# pithos-manage-accounts <command> [arguments] |
941 |
|
942 |
This is the list of the available commands: |
943 |
|
944 |
============================ =========================== |
945 |
Name Description |
946 |
============================ =========================== |
947 |
delete Remove an account from the Pithos DB |
948 |
export-quota Export account quota in a file |
949 |
list List existing/dublicate accounts |
950 |
merge Move an account contents in another account |
951 |
set-container-quota Set container quota for all or a specific account |
952 |
============================ =========================== |
953 |
|
954 |
|
955 |
The "kamaki" API client |
956 |
======================= |
957 |
|
958 |
To upload, register or modify an image you will need the **kamaki** tool. |
959 |
Before proceeding make sure that it is configured properly. Verify that |
960 |
*image.url*, *file.url*, *user.url* and *token* are set as needed: |
961 |
|
962 |
.. code-block:: console |
963 |
|
964 |
$ kamaki config list |
965 |
|
966 |
To chage a setting use ``kamaki config set``: |
967 |
|
968 |
.. code-block:: console |
969 |
|
970 |
$ kamaki config set image.url https://cyclades.example.com/plankton |
971 |
$ kamaki config set file.url https://pithos.example.com/v1 |
972 |
$ kamaki config set user.url https://accounts.example.com |
973 |
$ kamaki config set token ... |
974 |
|
975 |
To test that everything works, try authenticating the current account with |
976 |
kamaki: |
977 |
|
978 |
.. code-block:: console |
979 |
|
980 |
$ kamaki user authenticate |
981 |
|
982 |
This will output user information. |
983 |
|
984 |
Upload Image |
985 |
------------ |
986 |
|
987 |
By convention, images are stored in a container called ``images``. Check if the |
988 |
container exists, by listing all containers in your account: |
989 |
|
990 |
.. code-block:: console |
991 |
|
992 |
$ kamaki file list |
993 |
|
994 |
If the container ``images`` does not exist, create it: |
995 |
|
996 |
.. code-block:: console |
997 |
|
998 |
$ kamaki file create images |
999 |
|
1000 |
You are now ready to upload an image to container ``images``. You can upload it |
1001 |
with a Pithos+ client, or use kamaki directly: |
1002 |
|
1003 |
.. code-block:: console |
1004 |
|
1005 |
$ kamaki file upload ubuntu.iso images |
1006 |
|
1007 |
You can use any Pithos+ client to verify that the image was uploaded correctly, |
1008 |
or you can list the contents of the container with kamaki: |
1009 |
|
1010 |
.. code-block:: console |
1011 |
|
1012 |
$ kamaki file list images |
1013 |
|
1014 |
The full Pithos URL for the previous example will be |
1015 |
``pithos://u53r-un1qu3-1d/images/ubuntu.iso`` where ``u53r-un1qu3-1d`` is the |
1016 |
unique user id (uuid). |
1017 |
|
1018 |
Register Image |
1019 |
-------------- |
1020 |
|
1021 |
To register an image you will need to use the full Pithos+ URL. To register as |
1022 |
a public image the one from the previous example use: |
1023 |
|
1024 |
.. code-block:: console |
1025 |
|
1026 |
$ kamaki image register Ubuntu pithos://u53r-un1qu3-1d/images/ubuntu.iso --public |
1027 |
|
1028 |
The ``--public`` flag is important, if missing the registered image will not |
1029 |
be listed by ``kamaki image list``. |
1030 |
|
1031 |
Use ``kamaki image register`` with no arguments to see a list of available |
1032 |
options. A more complete example would be the following: |
1033 |
|
1034 |
.. code-block:: console |
1035 |
|
1036 |
$ kamaki image register Ubuntu pithos://u53r-un1qu3-1d/images/ubuntu.iso \ |
1037 |
--public --disk-format diskdump --property kernel=3.1.2 |
1038 |
|
1039 |
To verify that the image was registered successfully use: |
1040 |
|
1041 |
.. code-block:: console |
1042 |
|
1043 |
$ kamaki image list --name-like=ubuntu |
1044 |
|
1045 |
|
1046 |
Miscellaneous |
1047 |
============= |
1048 |
|
1049 |
.. _branding: |
1050 |
|
1051 |
Branding |
1052 |
-------- |
1053 |
|
1054 |
Since Synnefo v0.14, you are able to adapt the Astakos, Pithos and Cyclades Web |
1055 |
UI to your company’s visual identity. This is possible using the snf-branding |
1056 |
component, which is automatically installed on the nodes running the API |
1057 |
servers for Astakos, Pithos and Cyclades. |
1058 |
|
1059 |
Configuration |
1060 |
~~~~~~~~~~~~~ |
1061 |
|
1062 |
This can be done by changing only the settings of the snf-branding component. |
1063 |
The settings for the snf-branding application can be found inside the |
1064 |
configuration file ``/etc/synnefo/15-snf-branding.conf`` on the nodes that have |
1065 |
Astakos, Pithos and Cyclades installed. |
1066 |
|
1067 |
By default, the global service name is "Synnefo" and the company name is |
1068 |
"GRNET". These names and their respective logos and URLs are used throughout |
1069 |
the Astakos, Pithos and Cyclades UI. |
1070 |
|
1071 |
**Names and URLs:** |
1072 |
|
1073 |
The first group of branding customization refers to the service's and company's |
1074 |
information. |
1075 |
|
1076 |
You can overwrite the company and the service name and URL respectively by |
1077 |
uncommenting and setting the following: |
1078 |
|
1079 |
.. code-block:: console |
1080 |
|
1081 |
#BRANDING_SERVICE_NAME = 'Synnefo' |
1082 |
#BRANDING_SERVICE_URL = 'http://www.synnefo.org/' |
1083 |
#BRANDING_COMPANY_NAME = 'GRNET' |
1084 |
#BRANDING_COMPANY_URL = 'https://www.grnet.gr/en/' |
1085 |
|
1086 |
| ``BRANDING_SERVICE_NAME`` appears in Astakos Dashboard/Projects pages. |
1087 |
| ``BRANDING_COMPANY_NAME`` and ``BRANDING_COMPANY_URL`` appear in Astakos, |
1088 |
Pithos and Cyclades footer only if ``BRANDING_SHOW_COPYRIGHT`` is set to True. |
1089 |
|
1090 |
**Copyright options:** |
1091 |
|
1092 |
By default, no Copyright message is shown in the UI footer. If you want to make |
1093 |
it visible in the footer of Astakos, Pithos and Cyclades UI, you can uncomment |
1094 |
and set to ``True`` the setting: |
1095 |
|
1096 |
.. code-block:: console |
1097 |
|
1098 |
#BRANDING_SHOW_COPYRIGHT = False |
1099 |
|
1100 |
Copyright message defaults to 'Copyright (c) 2011-<current_year> |
1101 |
<BRANDING_COMPANY_NAME>.' but you can overwrite it to a completely custom one by |
1102 |
setting the following option: |
1103 |
|
1104 |
.. code-block:: console |
1105 |
|
1106 |
#BRANDING_COPYRIGHT_MESSAGE = 'Copyright (c) 2011-<current_year> GRNET' |
1107 |
|
1108 |
**Images:** |
1109 |
|
1110 |
The Astakos, Pithos and Cyclades Web UI has some logos and images. |
1111 |
|
1112 |
The branding-related images are presented in the following table: |
1113 |
|
1114 |
=============== ============================ ========= |
1115 |
Image Name/extension convention Usage |
1116 |
=============== ============================ ========= |
1117 |
Favicon favicon.ico Favicon for all services |
1118 |
Dashboard logo dashboard_logo.png Visible in all Astakos UI pages |
1119 |
Compute logo compute_logo.png Visible in all Cyclades UI pages |
1120 |
Console logo console_logo.png Visible in the Cyclades Console Window |
1121 |
Storage logo storage_logo.png Visible in all Pithos UI pages |
1122 |
=============== ============================ ========= |
1123 |
|
1124 |
There are two methods available for replacing all, or individual, |
1125 |
branding-related images: |
1126 |
|
1127 |
1. Create a new directory and place there some or all of your images. |
1128 |
|
1129 |
If you want to replace all of your images, keep the name/extension |
1130 |
conventions as indicated in the above table and set: |
1131 |
|
1132 |
.. code-block:: console |
1133 |
|
1134 |
#BRANDING_IMAGE_MEDIA_URL= MEDIA_URL + 'branding/images/' |
1135 |
|
1136 |
to the relative path of your directory. |
1137 |
You could also use an absolute path to a directory and set for example |
1138 |
``BRANDING_IMAGE_MEDIA_URL`` = 'https://www.synnefo.org/images/' |
1139 |
|
1140 |
If you wish to replace individual images, **do not uncomment** |
1141 |
``BRANDING_IMAGE_MEDIA_URL``, but instead provide a relative path, pointing to |
1142 |
the file inside your directory for each ``BRANDING_<image>_URL`` that you wish |
1143 |
to replace. |
1144 |
|
1145 |
2. Upload some or all of your images to a server and replace each |
1146 |
``BRANDING_<image>_URL`` with the absolute url of the image (i.e. |
1147 |
``BRANDING_DASHBOARD_URL``= 'https://www.synnefo.com/images/my_dashboard.jpg'). |
1148 |
|
1149 |
Note that the alternative text for each image tag inside html documents is |
1150 |
alt=“BRANDING_SERVICE_NAME {Dashboard, Compute. Console, Storage}” respectively. |
1151 |
|
1152 |
.. note:: Retina optimized images: |
1153 |
|
1154 |
Synnefo UI is optimized for Retina displays. As far as images are concerned, |
1155 |
`retina.js <http://retinajs.com/>`_ is used. |
1156 |
|
1157 |
Retina.js checks each image on a page to see if there is a high-resolution |
1158 |
version of that image on your server. If a high-resolution variant exists, |
1159 |
the script will swap in that image in-place. |
1160 |
|
1161 |
The script assumes you use `Apple's prescribed high-resolution modifier (@2x) |
1162 |
<http://developer.apple.com/library/ios/#documentation/2DDrawing/Conceptual/ |
1163 |
DrawingPrintingiOS/SupportingHiResScreensInViews/SupportingHiResScreensInViews |
1164 |
.html#//apple_ref/doc/uid/TP40010156-CH15-SW1>`_ to denote high-resolution |
1165 |
image variants on your server. |
1166 |
|
1167 |
For each of the images that you wish the script to replace, you must have a |
1168 |
high-resolution variant in the same folder named correctly and it will be |
1169 |
detected automatically. For example if your image is in <my_directory> and is |
1170 |
named "my_image.jpg" the script will look in the same directory for an image |
1171 |
named "my_image@2x.jpg". |
1172 |
|
1173 |
In case that you don’t want to use a high-resolution image, the |
1174 |
normal-resolution image will be visible. |
1175 |
|
1176 |
More branding |
1177 |
~~~~~~~~~~~~~ |
1178 |
|
1179 |
Although, it is not 100% branding-related, further verbal customization is |
1180 |
feasible. |
1181 |
|
1182 |
**EMAILS** |
1183 |
|
1184 |
The output of all email *.txt files will be already customized to contain your |
1185 |
company and service names but you can further alter their content if you feel |
1186 |
it best fits your needs using django’s TEMPLATE_DIRS setting. |
1187 |
|
1188 |
For more information visit |
1189 |
https://docs.djangoproject.com/en/1.2/ref/settings/#template-dirs. |
1190 |
|
1191 |
In order to overwrite one or more email-templates you need to create a new one |
1192 |
directory and provide its path to the TEMPLATE_DIRS. Inside this directory, you |
1193 |
must place your <email-file>.txt files respecting the following structure: |
1194 |
|
1195 |
*<emails-dir>*/ |
1196 |
*im*/ |
1197 |
| activation_email.txt |
1198 |
| email.txt |
1199 |
| invitation.txt |
1200 |
| switch_accounts_email.txt |
1201 |
| welcome_email.txt |
1202 |
*projects*/ |
1203 |
| project_approval_notification.txt |
1204 |
| project_denial_notification.txt |
1205 |
| project_membership_change_notification.txt |
1206 |
| project_membership_enroll_notification.txt |
1207 |
| project_membership_leave_request_notification.txt |
1208 |
| project_membership_request_notification.txt |
1209 |
| project_suspension_notification.txt |
1210 |
| project_termination_notification.txt |
1211 |
*registration*/ |
1212 |
| email_change_email.txt |
1213 |
| password_email.txt |
1214 |
|
1215 |
Feel free to omit any of the above files you do not wish to overwrite. |
1216 |
|
1217 |
Below is a list of all emails sent by Synnefo to users along with a short |
1218 |
description and a link to their content: |
1219 |
|
1220 |
* ``snf-astakos-app/astakos/im/templates/im/email.txt`` |
1221 |
Base email template. Contains a contact email and a “thank you” message. |
1222 |
(`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/email.txt>`_) |
1223 |
* ``snf-astakos-app/astakos/im/templates/im/activation_email.txt`` Email sent to |
1224 |
user that prompts him/her to click on a link provided to activate the account. |
1225 |
Extends “email.txt” (`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/activation_email.txt>`_) |
1226 |
* ``snf-astakos-app/astakos/im/templates/im/invitation.txt`` Email sent to an |
1227 |
invited user. He/she has to click on a link provided to activate the account. |
1228 |
Extends “email.txt” (`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/invitation.txt>`_) |
1229 |
* ``snf-astakos-app/astakos/im/templates/im/switch_accounts_email.txt`` Email |
1230 |
sent to user upon his/her request to associate this email address with a |
1231 |
shibboleth account. He/she has to click on a link provided to activate the |
1232 |
association. Extends “email.txt” (`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/switch_accounts_email.txt>`_) |
1233 |
* ``snf-astakos-app/astakos/im/templates/im/welcome_email.txt`` Email sent to |
1234 |
inform the user that his/ her account has been activated. Extends “email.txt” |
1235 |
(`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/welcome_email.txt>`_) |
1236 |
* ``snf-astakos-app/astakos/im/templates/registration/email_change_email.txt`` |
1237 |
Email sent to user when he/she has requested new email address assignment. The |
1238 |
user has to click on a link provided to validate this action. Extends |
1239 |
“email.txt” (`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/registration/email_change_email.txt>`_) |
1240 |
* ``snf-astakos-app/astakos/im/templates/registration/password_email.txt`` Email |
1241 |
sent for resetting password purpose. The user has to click on a link provided |
1242 |
to validate this action. Extends “email.txt” (`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/registration/password_email.txt>`_) |
1243 |
* ``snf-astakos-app/astakos/im/templates/im/projects/project_approval_notification.txt`` |
1244 |
Informs the project owner that his/her project has been approved. Extends |
1245 |
“email.txt” (`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/projects/project_approval_notification.txt>`_) |
1246 |
* ``snf-astakos-app/astakos/im/templates/im/projects/project_denial_notification.txt`` |
1247 |
Informs the project owner that his/her project application has been denied |
1248 |
explaining the reasons. Extends “email.txt” (`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/projects/project_denial_notification.txt>`_) |
1249 |
* ``snf-astakos-app/astakos/im/templates/im/projects/project_membership_change_notification.txt`` |
1250 |
An email is sent to a user containing information about his project membership |
1251 |
(whether he has been accepted, rejected or removed). Extends “email.txt” (`Link |
1252 |
<https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/projects/project_membership_change_notification.txt>`_) |
1253 |
* ``snf-astakos-app/astakos/im/templates/im/projects/project_membership_enroll_notification.txt`` |
1254 |
Informs a user that he/she has been enrolled to a project. Extends |
1255 |
“email.txt” (`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/projects/project_membership_enroll_notification.txt>`_) |
1256 |
* ``snf-astakos-app/astakos/im/templates/im/projects/project_membership_leave_request_notification.txt`` |
1257 |
An email is sent to the project owner to make him aware of a user having |
1258 |
requested to leave his project. Extends “email.txt” (`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/projects/project_membership_leave_request_notification.txt>`_) |
1259 |
* ``snf-astakos-app/astakos/im/templates/im/projects/project_membership_request_notification.txt`` |
1260 |
An email is sent to the project owner to make him/her aware of a user having |
1261 |
requested to join his project. Extends “email.txt” (`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/projects/project_membership_request_notification.txt>`_) |
1262 |
* ``snf-astakos-app/astakos/im/templates/im/projects/project_suspension_notification.txt`` |
1263 |
An email is sent to the project owner to make him/her aware of his/her project |
1264 |
having been suspended. Extends “email.txt” (`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/projects/project_suspension_notification.txt>`_) |
1265 |
* ``snf-astakos-app/astakos/im/templates/im/projects/project_termination_notification.txt`` |
1266 |
An email is sent to the project owner to make him/her aware of his/her project |
1267 |
having been terminated. Extends “email.txt” (`Link <https://code.grnet.gr/projects/synnefo/repository/revisions/master/changes/snf-astakos-app/astakos/im/templates/im/projects/project_termination_notification.txt>`_) |
1268 |
|
1269 |
.. warning:: Django templates language: |
1270 |
|
1271 |
If you choose to overwrite these email templates, be mindful of the necessary |
1272 |
information contained in django template variables that must not be omitted, |
1273 |
such as the activation link for activating one’s account and many more. |
1274 |
These variables are contained into {{}} inside the templates. |
1275 |
|
1276 |
|
1277 |
.. RabbitMQ |
1278 |
|
1279 |
RabbitMQ Broker |
1280 |
--------------- |
1281 |
|
1282 |
Queue nodes run the RabbitMQ sofware, which provides AMQP functionality. To |
1283 |
guarantee high-availability, more than one Queue nodes should be deployed, each |
1284 |
of them belonging to the same `RabbitMQ cluster |
1285 |
<http://www.rabbitmq.com/clustering.html>`_. Synnefo uses the RabbitMQ |
1286 |
active/active `High Available Queues <http://www.rabbitmq.com/ha.html>`_ which |
1287 |
are mirrored between two nodes within a RabbitMQ cluster. |
1288 |
|
1289 |
The RabbitMQ nodes that form the cluster, are declared to Synnefo through the |
1290 |
`AMQP_HOSTS` setting. Each time a Synnefo component needs to connect to |
1291 |
RabbitMQ, one of these nodes is chosen in a random way. The client that Synnefo |
1292 |
uses to connect to RabbitMQ, handles connection failures transparently and |
1293 |
tries to reconnect to a different node. As long as one of these nodes are up |
1294 |
and running, functionality of Synnefo should not be downgraded by the RabbitMQ |
1295 |
node failures. |
1296 |
|
1297 |
All the queues that are being used are declared as durable, meaning that |
1298 |
messages are persistently stored to RabbitMQ, until they get successfully |
1299 |
processed by a client. |
1300 |
|
1301 |
Currently, RabbitMQ is used by the following components: |
1302 |
|
1303 |
* `snf-ganeti-eventd`, `snf-ganeti-hook` and `snf-progress-monitor`: |
1304 |
These components send messages concerning the status and progress of |
1305 |
jobs in the Ganeti backend. |
1306 |
* `snf-dispatcher`: This daemon, consumes the messages that are sent from |
1307 |
the above components, and updates the Cyclades DB accordingly. |
1308 |
|
1309 |
|
1310 |
Installation |
1311 |
~~~~~~~~~~~~ |
1312 |
|
1313 |
Please check the RabbitMQ documentation which covers extensively the |
1314 |
`installation of RabbitMQ server <http://www.rabbitmq.com/download.html>`_ and |
1315 |
the setup of a `RabbitMQ cluster <http://www.rabbitmq.com/clustering.html>`_. |
1316 |
Also, check out the `web management plugin |
1317 |
<http://www.rabbitmq.com/management.html>`_ that can be useful for managing and |
1318 |
monitoring RabbitMQ. |
1319 |
|
1320 |
For a basic installation of RabbitMQ on two nodes (node1 and node2) you can do |
1321 |
the following: |
1322 |
|
1323 |
On both nodes, install rabbitmq-server and create a Synnefo user: |
1324 |
|
1325 |
.. code-block:: console |
1326 |
|
1327 |
$ apt-get install rabbitmq-server |
1328 |
$ rabbitmqctl add_user synnefo "example_pass" |
1329 |
$ rabbitmqctl set_permissions synnefo ".*" ".*" ".*" |
1330 |
|
1331 |
Also guarantee that both nodes share the same cookie, by running: |
1332 |
|
1333 |
.. code-block:: console |
1334 |
|
1335 |
$ scp node1:/var/lib/rabbitmq/.erlang.cookie node2:/var/lib/rabbitmq/.erlang.cookie |
1336 |
|
1337 |
and restart the nodes: |
1338 |
|
1339 |
.. code-block:: console |
1340 |
|
1341 |
$ /etc/init.d/rabbitmq-server restart |
1342 |
|
1343 |
|
1344 |
To setup the RabbitMQ cluster run: |
1345 |
|
1346 |
.. code-block:: console |
1347 |
|
1348 |
root@node2: rabbitmqctl stop_app |
1349 |
root@node2: rabbitmqctl reset |
1350 |
root@node2: rabbitmqctl cluster rabbit@node1 rabbit@node2 |
1351 |
root@node2: rabbitmqctl start_app |
1352 |
|
1353 |
You can verify that the cluster is set up correctly by running: |
1354 |
|
1355 |
.. code-block:: console |
1356 |
|
1357 |
root@node2: rabbitmqctl cluster_status |
1358 |
|
1359 |
|
1360 |
Logging |
1361 |
------- |
1362 |
|
1363 |
Logging in Synnefo is using Python's logging module. The module is configured |
1364 |
using dictionary configuration, whose format is described here: |
1365 |
|
1366 |
http://docs.python.org/release/2.7.1/library/logging.html#logging-config-dictschema |
1367 |
|
1368 |
Note that this is a feature of Python 2.7 that we have backported for use in |
1369 |
Python 2.6. |
1370 |
|
1371 |
The logging configuration dictionary is defined in |
1372 |
``/etc/synnefo/10-snf-webproject-logging.conf`` |
1373 |
|
1374 |
The administrator can have finer logging control by modifying the |
1375 |
``LOGGING_SETUP`` dictionary, and defining subloggers with different handlers |
1376 |
and log levels. e.g. To enable debug messages only for the API set the level |
1377 |
of 'synnefo.api' to ``DEBUG`` |
1378 |
|
1379 |
By default, the Django webapp and snf-manage logs to syslog, while |
1380 |
`snf-dispatcher` logs to `/var/log/synnefo/dispatcher.log`. |
1381 |
|
1382 |
|
1383 |
.. _scale-up: |
1384 |
|
1385 |
Scaling up to multiple nodes |
1386 |
============================ |
1387 |
|
1388 |
Here we will describe how should a large scale Synnefo deployment look like. Make |
1389 |
sure you are familiar with Synnefo and Ganeti before proceeding with this section. |
1390 |
This means you should at least have already set up successfully a working Synnefo |
1391 |
deployment as described in the :ref:`Admin's Quick Installation Guide |
1392 |
<quick-install-admin-guide>` and also read the Administrator's Guide until this |
1393 |
section. |
1394 |
|
1395 |
Graph of a scale-out Synnefo deployment |
1396 |
--------------------------------------- |
1397 |
|
1398 |
Each box in the following graph corresponds to a distinct physical node: |
1399 |
|
1400 |
.. image:: images/synnefo-arch2-roles.png |
1401 |
:width: 100% |
1402 |
:target: _images/synnefo-arch2-roles.png |
1403 |
|
1404 |
The above graph is actually the same with the one at the beginning of this |
1405 |
:ref:`guide <admin-guide>`, with the only difference that here we show the |
1406 |
Synnefo roles of each physical node. These roles are described in the |
1407 |
following section. |
1408 |
|
1409 |
.. _physical-node-roles: |
1410 |
|
1411 |
Physical Node roles |
1412 |
------------------- |
1413 |
|
1414 |
As appears in the previous graph, a scale-out Synnefo deployment consists of |
1415 |
multiple physical nodes that have the following roles: |
1416 |
|
1417 |
* **WEBSERVER**: A web server running in front of gunicorn (e.g.: Apache, nginx) |
1418 |
* **ASTAKOS**: The Astakos application (gunicorn) |
1419 |
* **ASTAKOS_DB**: The Astakos database (postgresql) |
1420 |
* **PITHOS**: The Pithos application (gunicorn) |
1421 |
* **PITHOS_DB**: The Pithos database (postgresql) |
1422 |
* **CYCLADES**: The Cyclades application (gunicorn) |
1423 |
* **CYCLADES_DB**: The Cyclades database (postgresql) |
1424 |
* **MQ**: The message queue (RabbitMQ) |
1425 |
* **GANETI_MASTER**: The Ganeti master of a Ganeti cluster |
1426 |
* **GANETI_NODE** : A VM-capable Ganeti node of a Ganeti cluster |
1427 |
|
1428 |
You will probably also have: |
1429 |
|
1430 |
* **CMS**: The CMS used as a frotend portal for the Synnefo services |
1431 |
* **NS**: A nameserver serving all other Synnefo nodes and resolving Synnefo FQDNs |
1432 |
* **CLIENT**: A machine that runs the Synnefo clients (e.g.: kamaki, Web UI), |
1433 |
most of the times, the end user's local machine |
1434 |
|
1435 |
From this point we will also refer to the following groups of roles: |
1436 |
|
1437 |
* **SYNNEFO**: [ **ASTAKOS**, **ASTAKOS_DB**, **PITHOS**, **PITHOS_DB**, **CYCLADES**, **CYCLADES_DB**, **MQ**, **CMS**] |
1438 |
* **G_BACKEND**: [**GANETI_MASTER**, **GANETI_NODE**] |
1439 |
|
1440 |
Of course, when deploying Synnefo you can combine multiple of the above roles on a |
1441 |
single physical node, but if you are trying to scale out, the above separation |
1442 |
gives you significant advantages. |
1443 |
|
1444 |
So, in the next section we will take a look on what components you will have to |
1445 |
install on each physical node depending on its Synnefo role. We assume the graph's |
1446 |
architecture. |
1447 |
|
1448 |
Components for each role |
1449 |
------------------------ |
1450 |
|
1451 |
When deploying Synnefo in large scale, you need to install different Synnefo |
1452 |
or/and third party components on different physical nodes according to their |
1453 |
Synnefo role, as stated in the previous section. |
1454 |
|
1455 |
Specifically: |
1456 |
|
1457 |
Role **WEBSERVER** |
1458 |
* Synnefo components: `None` |
1459 |
* 3rd party components: Apache |
1460 |
Role **ASTAKOS** |
1461 |
* Synnefo components: `snf-webproject`, `snf-astakos-app` |
1462 |
* 3rd party components: Django, Gunicorn |
1463 |
Role **ASTAKOS_DB** |
1464 |
* Synnefo components: `None` |
1465 |
* 3rd party components: PostgreSQL |
1466 |
Role **PITHOS** |
1467 |
* Synnefo components: `snf-webproject`, `snf-pithos-app`, `snf-pithos-webclient` |
1468 |
* 3rd party components: Django, Gunicorn |
1469 |
Role **PITHOS_DB** |
1470 |
* Synnefo components: `None` |
1471 |
* 3rd party components: PostgreSQL |
1472 |
Role **CYCLADES** |
1473 |
* Synnefo components: `snf-webproject`, `snf-cyclades-app`, `snf-vncauthproxy` |
1474 |
* 3rd party components: Django Gunicorn |
1475 |
Role **CYCLADES_DB** |
1476 |
* Synnefo components: `None` |
1477 |
* 3rd party components: PostgreSQL |
1478 |
Role **MQ** |
1479 |
* Synnefo components: `None` |
1480 |
* 3rd party components: RabbitMQ |
1481 |
Role **GANETI_MASTER** |
1482 |
* Synnefo components: `snf-cyclades-gtools` |
1483 |
* 3rd party components: Ganeti |
1484 |
Role **GANETI_NODE** |
1485 |
* Synnefo components: `snf-cyclades-gtools`, `snf-network`, `snf-image`, `nfdhcpd` |
1486 |
* 3rd party components: Ganeti |
1487 |
Role **CMS** |
1488 |
* Synnefo components: `snf-webproject`, `snf-cloudcms` |
1489 |
* 3rd party components: Django, Gunicorn |
1490 |
Role **NS** |
1491 |
* Synnefo components: `None` |
1492 |
* 3rd party components: BIND |
1493 |
Role **CLIENT** |
1494 |
* Synnefo components: `kamaki`, `snf-image-creator` |
1495 |
* 3rd party components: `None` |
1496 |
|
1497 |
Example scale out installation |
1498 |
------------------------------ |
1499 |
|
1500 |
In this section we describe an example of a medium scale installation which |
1501 |
combines multiple roles on 10 different physical nodes. We also provide a |
1502 |
:ref:`guide <i-synnefo>` to help with such an install. |
1503 |
|
1504 |
We assume that we have the following 10 physical nodes with the corresponding |
1505 |
roles: |
1506 |
|
1507 |
Node1: |
1508 |
**WEBSERVER**, **ASTAKOS** |
1509 |
Guide sections: |
1510 |
* :ref:`apt <i-apt>` |
1511 |
* :ref:`gunicorn <i-gunicorn>` |
1512 |
* :ref:`apache <i-apache>` |
1513 |
* :ref:`snf-webproject <i-webproject>` |
1514 |
* :ref:`snf-astakos-app <i-astakos>` |
1515 |
Node2: |
1516 |
**WEBSERVER**, **PITHOS** |
1517 |
Guide sections: |
1518 |
* :ref:`apt <i-apt>` |
1519 |
* :ref:`gunicorn <i-gunicorn>` |
1520 |
* :ref:`apache <i-apache>` |
1521 |
* :ref:`snf-webproject <i-webproject>` |
1522 |
* :ref:`snf-pithos-app <i-pithos>` |
1523 |
* :ref:`snf-pithos-webclient <i-pithos>` |
1524 |
Node3: |
1525 |
**WEBSERVER**, **CYCLADES** |
1526 |
Guide sections: |
1527 |
* :ref:`apt <i-apt>` |
1528 |
* :ref:`gunicorn <i-gunicorn>` |
1529 |
* :ref:`apache <i-apache>` |
1530 |
* :ref:`snf-webproject <i-webproject>` |
1531 |
* :ref:`snf-cyclades-app <i-cyclades>` |
1532 |
* :ref:`snf-vncauthproxy <i-cyclades>` |
1533 |
Node4: |
1534 |
**WEBSERVER**, **CMS** |
1535 |
Guide sections: |
1536 |
* :ref:`apt <i-apt>` |
1537 |
* :ref:`gunicorn <i-gunicorn>` |
1538 |
* :ref:`apache <i-apache>` |
1539 |
* :ref:`snf-webproject <i-webproject>` |
1540 |
* :ref:`snf-cloudcms <i-cms>` |
1541 |
Node5: |
1542 |
**ASTAKOS_DB**, **PITHOS_DB**, **CYCLADES_DB** |
1543 |
Guide sections: |
1544 |
* :ref:`apt <i-apt>` |
1545 |
* :ref:`postgresql <i-db>` |
1546 |
Node6: |
1547 |
**MQ** |
1548 |
Guide sections: |
1549 |
* :ref:`apt <i-apt>` |
1550 |
* :ref:`rabbitmq <i-mq>` |
1551 |
Node7: |
1552 |
**GANETI_MASTER**, **GANETI_NODE** |
1553 |
Guide sections: |
1554 |
* :ref:`apt <i-apt>` |
1555 |
* :ref:`general <i-backends>` |
1556 |
* :ref:`ganeti <i-ganeti>` |
1557 |
* :ref:`snf-cyclades-gtools <i-gtools>` |
1558 |
* :ref:`snf-network <i-network>` |
1559 |
* :ref:`snf-image <i-image>` |
1560 |
* :ref:`nfdhcpd <i-network>` |
1561 |
Node8: |
1562 |
**GANETI_NODE** |
1563 |
Guide sections: |
1564 |
* :ref:`apt <i-apt>` |
1565 |
* :ref:`general <i-backends>` |
1566 |
* :ref:`ganeti <i-ganeti>` |
1567 |
* :ref:`snf-cyclades-gtools <i-gtools>` |
1568 |
* :ref:`snf-network <i-network>` |
1569 |
* :ref:`snf-image <i-image>` |
1570 |
* :ref:`nfdhcpd <i-network>` |
1571 |
Node9: |
1572 |
**GANETI_NODE** |
1573 |
Guide sections: |
1574 |
`Same as Node8` |
1575 |
Node10: |
1576 |
**GANETI_NODE** |
1577 |
Guide sections: |
1578 |
`Same as Node8` |
1579 |
|
1580 |
All sections: :ref:`Scale out Guide <i-synnefo>` |
1581 |
|
1582 |
|
1583 |
Upgrade Notes |
1584 |
============= |
1585 |
|
1586 |
.. toctree:: |
1587 |
:maxdepth: 1 |
1588 |
|
1589 |
v0.12 -> v0.13 <upgrade/upgrade-0.13> |
1590 |
|
1591 |
|
1592 |
Changelog, NEWS |
1593 |
=============== |
1594 |
|
1595 |
* v0.13 :ref:`Changelog <Changelog-0.13>`, :ref:`NEWS <NEWS-0.13>` |