/ - Diff - Synnefo - Greek Research and Technology Network's projects

Revision c7f29a98

     Upgrade to Synnefo v0.15
     ^^^^^^^^^^^^^^^^^^^^^^^^
     Prerequisites
     ==============
     Before upgrading to v0.15 there are three steps that must be performed, relative
     to the Cyclades networking service.
     Add unique names to the NICs of all Ganeti instances
     ---------------------------------------------------
     Add unique names to all NICs of all Ganeti instances
     ----------------------------------------------------
     Since Ganeti 2.8, it is supported to give a name to NICs of Ganeti instances
     and refer to them by their name, and not only by their index. Synnefo v0.15
     assigns a unique name to each NIC and refers to them by their unique name.
     Before upgrading to v0.15, Synnefo must assign names to all existing NICs.
     This can easily be performed with a helper script that is shipped with Synnefo
     v0.14.10:
     Since Ganeti 2.8, it is supported to give a name to a NIC of a Ganeti instance
     and then refer to the NIC by that name (and not only by its index). Synnefo
     v0.15 assigns a unique name to each NIC and refers to it by that unique name.
     Before upgrading to v0.15, Synnefo must assign names to all existing NICs. This
     can be easily performed with a helper script that is already shipped with
     Synnefo v0.14.10:
     .. code-block:: console
-...
     .. note:: If you are not upgrading from v0.14.10, you can find the migration
      script :ref:`here <add_names>`.
     Extend public networks to all Ganeti backends
     ---------------------------------------------
     Before v0.15, each public network of Cyclades existed in one of the Ganeti
     backends. In order to support dynamic addition and removal of public IPv4
     address across VMs, each public network must exist in all Ganeti backends.
     addresses across VMs, each public network must exist in all Ganeti backends.
     If you are using more than one Ganeti backends, before upgrading to v0.15 you
     must ensure that the network configuration to all Ganeti backends is identical
     must ensure that the network configuration of all Ganeti backends is identical
     and appropriate to support all public networks of Cyclades.
     Update Ganeti allocation policy
-...
     Minimum number of NICs
     ``````````````````````
     Until v0.14 all Cyclades VM were forced to be connected to the public network.
     Synnefo v0.15 supports dynamic addition and removal of public IPv4 addresses,
     which may result in a VM holding no NICs. However, Ganeti's default allocation
     policy will not allow instance's without NICs. You will have to override
     allocation policy to set the minimum number of NICs to zero. Todo this,
     first get the current allocation policy:
     Before v0.15, all Cyclades VMs were forced to be connected to the public
     network. Synnefo v0.15 supports more flexible configurations and dynamic
     addition/removal of public IPv4 addresses, which can result in a VMs with no
     NICs at all. However, Ganeti's default allocation policy will not allow
     instances without NICs. You will have to override Ganeti's default allocation
     policy to set the minimum number of NICs to zero. To do this, first get the
     current allocation policy:
     .. code-block:: console
-...
        ganeti1.example.synnefo.org
     And replace `min:nic-count=1` with `min:nic-count=0`. Also, set
     `max:nic-count=32` to avoid reaching default limit of 8.
     `max:nic-count=32` to avoid reaching the default limit of 8.
     .. code-block:: console
-...
     Enabled and allowed disk templates
     ``````````````````````````````````
     In v0.15, the ``ARCHIPELAGO_BACKENDS`` settings, that was used to seperate
     In v0.15, the ``ARCHIPELAGO_BACKENDS`` setting, that was used to separate
     backends that were using Archipelago from the ones that were using all other
     disk templates, has been removed. Instead, allocation of instances to Ganeti
     backends is based on which disk templates are enabled and allowed in each
     Ganeti backend (see section in :ref:`admin guide <alloc_disk_templates>`).
     You can see the enabled/allowed disk templates by inspecting
     the corresponding fields in `gnt-cluster info` output. For example, to have
     a backend holding only instances with archipelago disk templates, you can set
     the `--ipolicy-disk-templates` to include only `ext` disk template.
     Ganeti backend (see section in :ref:`admin guide <alloc_disk_templates>`). You
     can see the enabled/allowed disk templates by inspecting the corresponding
     fields in the `gnt-cluster info` output. For example, to have a backend holding
     only instances with archipelago disk templates, you can set the
     `--ipolicy-disk-templates` to include only the `ext` disk template.
     .. code-block:: console
      gnt-cluster modify --ipolicy-disk-templates=ext
     Upgrade Steps
     =============
-...
 . Create floating IP pools
 . Register services and resources.
 . Re-register services and resources.
 . Bring up all services.
-...
     .. _pithos_view_registration:
 .3 Register pithos view as an OAuth 2.0 client in astakos
 .3 Register Pithos view as an OAuth 2.0 client in Astakos
     ----------------------------------------------------------
     Starting from synnefo version 0.15, the pithos view, in order to get access to
     the data of a protect pithos resource, has to be granted authorization for the
     specific resource by astakos.
     Starting from Synnefo version 0.15, the Pithos view, in order to get access to
     the data of a protected Pithos resource, has to be granted authorization for
     the specific resource by Astakos.
     During the authorization grant procedure, it has to authenticate itself with
     astakos since the later has to prevent serving requests by unknown/unauthorized
     clients.
     Astakos, since the latter has to prevent serving requests by
     unknown/unauthorized clients.
     To register the pithos view as an OAuth 2.0 client in astakos, use the
     following command::
     To register the Pithos view as an OAuth 2.0 client in Astakos, use the
     following command (with the corresponding URL to reflect your deployment)::
         snf-manage oauth2-client-add pithos-view --secret=<secret> --is-trusted --url https://pithos.synnefo.live/pithos/ui/view
 .4 Update configuration files
     ------------------------------
     The ``ASTAKOS_BASE_URL`` setting has been replaced (both in Cyclades and
     Pithos services) with the ``ASTAKOS_AUTH_URL`` setting.
     The ``ASTAKOS_BASE_URL`` setting has been replaced (both in Cyclades and Pithos
     services) with the ``ASTAKOS_AUTH_URL`` setting.
     For Cyclades service we have to change the ``20-snf-cyclades-app-api.conf``
     file, remove the ``ASTAKOS_BASE_URL`` setting and replace it with
     ``ASTAKOS_AUTH_URL``. Typically it is sufficient to add ``/identity/v2.0``
     at the end of base url to get the auth url. For example if base url had the
     value of 'https://accounts.example.synnefo.org/' then the ``ASTAKOS_AUTH_URL``
     ``ASTAKOS_AUTH_URL``. Typically it is sufficient to add ``/identity/v2.0`` at
     the end of base URL to get the auth URL. For example, if base URL had the value
     of 'https://accounts.example.synnefo.org/' then the ``ASTAKOS_AUTH_URL``
     setting will have the value of
     'https://accounts.example.synnefo.org/identity/v2.0'.
     For Pithos service we have to change the ``20-snf-pithos-app-settings.conf``
     For the Pithos service we have to change the ``20-snf-pithos-app-settings.conf``
     file in the same way as above. In addition to this, we have to change the
     ``PITHOS_OAUTH2_CLIENT_CREDENTIALS`` setting in the same configuration file
     to set the credentials issued for the pithos view in `the previous step`__.
     __ pithos_view_registration_
 .5 Upgrade vncauthproxy and configure snf-cyclades-app
     -------------------------------------------------------
-...
     older versions. You will have to upgrade snf-vncauthproxy to v1.5 and
     configure the authentication (users) file (``/var/lib/vncauthproxy/users``).
     In case you're upgrading from an older snf-vncauthproxy version or if it's the
     In case you are upgrading from an older snf-vncauthproxy version or if it's the
     first time you're installing snf-vncauthproxy, you will need to add a
     vncauthproxy user (see below for more information on user management) and
     restart vncauthproxy daemon.
     restart the vncauthproxy daemon.
     To manage the authentication file, you can use the vncauthproxy-passwd tool,
     To manage the authentication file, you can use the ``vncauthproxy-passwd`` tool,
     to easily add, update and delete users.
     To add a user:
-...
     You should also configure the new ``CYCLADES_VNCAUTHPROXY_OPTS`` setting in
     ``snf-cyclades-app``, to provide the user and password configured for
     ``Synnefo`` in the vncauthproxy authentication file and enable SSL support if
     ``synnefo`` in the vncauthproxy authentication file and enable SSL support if
     snf-vncauthproxy is configured to run with SSL enabled for the control socket.
     .. warning:: The vncauthproxy daemon requires a restart for the changes in the
-...
     Finally, snf-vncauthproxy-1.5 adds a dedicated user and group to be used by the
     vncauthproxy daemon. The Debian default file has changed accordingly (``CHUID``
     option in ``/etc/default/vncauthproxy``). The Debian default file now also
     includes a ``DAEMON_OPTS`` variable which is used to pass any necessary / extra
     includes a ``DAEMON_OPTS`` variable which is used to pass any necessary/extra
     options to the vncauthproxy daemon. In case you're ugprading from an older
     version of vncauthproxy, you should make sure to 'merge' the new default file
     with the older one.
-...
     snf-cyclades-gtools comes with a collectd plugin to collect CPU and network
     stats for Ganeti VMs and an example collectd configuration. snf-stats-app is a
     Django (snf-webproject) app that serves the VM stats graphsmm by reading the VM
     stats (from RRD files) and serves graphs.
     Django (snf-webproject) app that serves the VM stats graphs by reading the VM
     stats (from RRD files).
     To enable / deploy VM stats collecting and snf-stats-app see the relevant
     To enable/deploy the VM stats collecting and snf-stats-app, see the relevant
     documentation in the :ref:`admin guide <admin-guide-stats>`.
     If you were using collectd to collect VM stats on Debian squeeze and you are
     If you were using collectd to collect VM stats on Debian Squeeze and you are
     upgrading to Wheezy, you will need to upgrade your RRD files. Follow the
     instructions on the collectd v4-to-v5 migration `guide
     <https://collectd.org/wiki/index.php/V4_to_v5_migration_guide>`_.
     You will proabably just need to run the `migration script
     You will probably just need to run the `migration script
     <https://collectd.org/wiki/index.php/V4_to_v5_migration_guide#Migration_script>`_
     provided.
-...
     ``STATS_SECRET_KEY`` settings. ``CYCLADES_STATS_SECRET_KEY`` in
     ``20-snf-cyclades-app-api.conf`` is used by Cyclades to encrypt the instance id
     / hostname  in the URLs serving the VM stats. You should set it to a random
     value / string and make sure that it's the same as the ``STATS_SECRET_KEY``
     value/string and make sure that it's the same as the ``STATS_SECRET_KEY``
     setting (used to decrypt the instance hostname) in
     ``20-snf-stats-settings.conf`` on your Stats host.
-...
     .. note::
       Skip this step unless you have ``shibboleth`` enabled in astakos
       Skip this step unless you have ``shibboleth`` enabled in Astakos
       ``IM_MODULES`` setting.
     As of v0.15 astakos uses the ``REMOTE_USER`` header provided by apache's
     ``mod_shib2`` service in order to resolve the unique identifier which is used to
     associate a shibboleth account to a local astakos user. Prior to this version
     astakos adhered to the presence of the ``MOD_SHIB_EPPN`` header which although
     safe enough on most of the ``SP`` deployment scenarios, it may cause issues in
     certain cases, such as global wide IdP support or inability of supported IdPs
     to release the ``eduPersonPrincipalName`` attribute. The ``REMOTE_USER`` header
     can be set by administrators to match any of the available shibboleth
     attributes.
     As of v0.15 Astakos uses the ``REMOTE_USER`` header provided by Apache's
     ``mod_shib2`` service in order to resolve the unique identifier which is used
     to associate a shibboleth account to a local Astakos user. Prior to this
     version, Astakos adhered to the presence of the ``MOD_SHIB_EPPN`` header which
     although safe enough on most of the ``SP`` deployment scenarios, it may cause
     issues in certain cases, such as global wide IdP support or inability of
     supported IdPs to release the ``eduPersonPrincipalName`` attribute. The
     ``REMOTE_USER`` header can be set by administrators to match any of the
     available shibboleth attributes.
     If ``EPPN`` matches the service provider needs and you want to continue using
     it as the unique identifier, you need to ensure that the ``REMOTE_USER``
-...
       $ service shibd restart
     **notice** that every time you alter the ``REMOTE_USER`` attribute, all
     existing shibboleth enabled astakos users will be invalidated and no longer be
     able to login to their existing account using shibboleth. Specifically for the
     case of switching from *eppn* to another attribute, astakos is able to prevent
     **Note** that every time you alter the ``REMOTE_USER`` attribute, all existing
     shibboleth enabled Astakos users will be invalidated and no longer be able to
     login to their existing account using shibboleth. Specifically, for the case of
     switching from *eppn* to another attribute, Astakos is able to prevent
     invalidation and automatically migrate existing *eppn* accounts. In order to do
     that, set the ``ASTAKOS_SHIBBOLETH_MIGRATE_EPPN`` setting to ``True`` in
     ``20-snf-astakos-app-settings.conf`` configuration file. Now every time an
     existing *eppn* user logs in using shibboleth, astakos will update the associated
     *eppn* identifier to the contents of the ``REMOTE_USER`` header.
     existing *eppn* user logs in using shibboleth, Astakos will update the
     associated *eppn* identifier to the contents of the ``REMOTE_USER`` header.
     .. warning::
       IdPs should keep releasing the ``EPPN`` attribute in order for the migration
       to work.
 . Create floating IP pools
     ===========================
     Synnefo v0.15 introduces floating IPs, which are public IPv4 addresses that can
     dynamically be added/removed to/from VMs and are quotable via the
     'cyclades.floating_ip' resource. Connecting a VM to a public network is only
     allowed if the user has firstly created a floating IP from this network.
     be dynamically added/removed to/from VMs and are quotable via the
     ``cyclades.floating_ip`` resource. Connecting a VM to a public network is only
     allowed if the user has first allocated a floating IP from this network.
     Floating IPs are created from networks that are marked as Floating IP pools.
     Creation of floating IP pools is done with the `snf-manage network-create`
-...
     Already allocated public IPv4 addresses are not automatically converted to
     floating IPs. Existing VMs can keep their IPv4 addresses which will be
     automatically be released when these VMs will be destroyed. In order to
     convert existing public IPs to floating IPs run the following command:
     automatically released when these VMs get destroyed. If the admin wants to
     convert existing public IPs to floating IPs, he/she can do so by running the
     following provided tool:
     .. code-block:: console
      cyclades.host$ /usr/lib/synnefo/tools/update_to_floating_ips
     or for just one network:
     or just for one network:
     .. code-block:: console
      cyclades.host$ /usr/lib/synnefo/tools/update_to_floating_ips --network-id=<network_ID>
 . Register services and resources
     ==================================
-...
     ------------------------------------------------
     You will need to register again all Synnefo components, updating the
     service and resource definitions. On the astakos node, run::
     service and resource definitions. On the Astakos node, run::
         astakos-host$ snf-component-register
-...
        current registered UI URL. In the default installation, the base URL can
        be found by stripping ``/ui`` from the UI URL.
     The meaning of resources ``cyclades.cpu`` and ``cyclades.ram`` has changed:
     they now denote the number of CPUs and, respectively, RAM of *active* VMs
     rather than all VMs. To represent total CPUs and total RAM, as previously,
     new resources ``cyclades.total_cpu`` and ``cyclades.total_ram`` are
     introduced. We now also control the usage of floating IPs through resource
     ``cyclades.floating_ip``.
     The meaning of resources ``cyclades.cpu`` and ``cyclades.ram`` has changed in
     v0.15: they now denote the number of CPUs/RAM of *active* VMs (VMs that are not
     shutdown) rather than all VMs as happened until now. To represent total CPUs
     and total RAM, as previously, two new resources ``cyclades.total_cpu`` and
     ``cyclades.total_ram`` are introduced. We now also control the usage of
     floating IPs through the resource ``cyclades.floating_ip``.
 .2 Tweek resource settings
     ---------------------------
     New resources (``cyclades.total_cpu``, ``cyclades.total_ram``, and
     ``cyclades.floating_ip``) are registered with infinite default base quota.
     You will probably need to restrict them, especially
     ``cyclades.floating_ip``. In order to change the default for all *future*
     users, for instance restricting floating IPs to 2, run::
     The new resources (``cyclades.total_cpu``, ``cyclades.total_ram``, and
     ``cyclades.floating_ip``) are registered with infinite default base quota
     (meaning that they are not restricted at all). You will probably need to
     restrict them, especially ``cyclades.floating_ip``. In order to change the
     default limit of a resource for all *future* users, for instance restricting
     floating IPs to 2, run::
         astakos-host$ snf-manage resource-modify cyclades.floating_ip --default-quota 2
-...
     still have infinite floating IPs. You can update base quota of existing
     users in bulk, possibly excluding some users, with::
         astakos-host$ snf-manage user-modify --all --base-quota cyclades.floating_ip 2 --exclude uuid1,uuid2
         astakos-host$ snf-manage user-modify --all --base-quota cyclades.floating_ip 2 --exclude userid1,userid2
     .. note::
        You can inspect base quota with ``snf-manage quota-list`` before applying
        You can inspect base quota with ``snf-manage quota-list``, before applying
        any changes, for example::
          # Get users with cyclades.vm base quota that differ from the default value
-...
          # Get users with cyclades.vm base quota greater than 3
          astakos-host$ snf-manage quota-list --filter-by "resource=cyclades.vm,base_quota>3"
     It is now possible to control whether a resource is visible for the users
     through the API or the UI. Note that the system always checks resource
     quota, regardless of their visibility. By default, ``cyclades.total_cpu``,
     ``cyclades.total_ram`` and ``astakos.pending_app`` are not visible. You can
     change this behavior with::
     Furthermore in v0.15, it is possible to control whether a resource is visible
     to the users via the API or the Web UI. The default value for these options is
     denoted inside the default resource definitions. Note that the system always
     checks and enforces resource quota, regardless of their visibility. By default,
     the new resources ``cyclades.total_cpu``, ``cyclades.total_ram`` and
     ``astakos.pending_app`` are not visible neither via the API nor via the Web UI.
     You can change this behavior with::
         astakos-host$ snf-manage resource-modify <resource> --api-visible=True (or --ui-visible=True)

Also available in: Unified diff