Version 33 (modified by ibaldin, 8 years ago)


Deploying an Authority

Overview

This section covers deployment steps for a typical ORCA site authority running a Eucalyptus site. The setup presumes that the container with ORCA is deployed on the head node of the Eucalyptus cluster (although this is not a firm requirement).

The configuration of an ORCA site authority for Eucalyptus consists of the following steps:

  • Set up a Eucalyptus cluster
  • Set up Image Proxy
  • Optionally set up the ssh DNAT Proxy. This component is needed only if the Eucalyptus head node has no publicly routable interface or no public IP addresses to give out.
  • Create an ORCA configuration directory ($ORCA_HOME) and populate it with configuration files
  • Download and customize Tomcat
  • Deploy ORCA in Tomcat

Deploying an Eucalyptus/NEuca authority

Deployment Overview

  • The ORCA container is typically set up on the Eucalyptus head node, but it can be set up on any host with a route to the Eucalyptus head node.
  • Image Proxy is typically set up on the Eucalyptus head node, but it can be set up on any host with a route to the Eucalyptus head node. Eucalyptus user tools (euca2ools) must be installed on this host.
  • The ssh DNAT proxy must be set up on a host with a publicly routable IP address and a route to the Eucalyptus head node.

For example in the simplest case, when a Eucalyptus head node has a publicly routable IP address and a pool of public IP addresses to give out to VMs, ssh DNAT Proxy is not needed and ORCA container and Image Proxy can be installed on the Eucalyptus head node.

Setup Eucalyptus

We have modified Eucalyptus (see the NEuca overview) to be more friendly to network experimenters. Follow the instructions for setting up Eucalyptus with NEuca patches at Eucalyptus 2.x setup with NEuca.

There are instructions on how to use NEuca with ORCA, which we will be referring to throughout this document, so it is useful to read through them first.

Prepare $ORCA_HOME directory

Once you decide which host the ORCA container will run on, you can begin configuring ORCA on it. All ORCA-specific configuration is contained under the $ORCA_HOME directory (typically /opt/orca), which must be declared in the Tomcat start/stop scripts.

Set $ORCA_HOME and change ownership of this directory to the user on whose behalf the Euca site authority is going to run; 'geni-orca' is the user and 'nonrenci' is the group in this example. The user and group are presumed to exist.

$ mkdir /opt/orca 
$ export ORCA_HOME=/opt/orca 
$ cd $ORCA_HOME
$ chown -R geni-orca:nonrenci .

Make directories for storing Eucalyptus credentials (ec2.cred.properties file), Euca site resource description files (in NDL-OWL), ORCA actors' runtime credentials and ORCA configuration files (container.properties and config.xml).

$ mkdir $ORCA_HOME/ec2
$ mkdir $ORCA_HOME/ndl
$ mkdir $ORCA_HOME/runtime
$ mkdir $ORCA_HOME/config

Eucalyptus credentials

Create a user 'orca' (or similar) in your Eucalyptus cluster portal. Go to the portal and download that user's credentials zip file. Unzip the contents of the Euca credentials zip file into $ORCA_HOME/ec2.

$ cd $ORCA_HOME/ec2
$ unzip ~/euca2-orca-x509.zip 

Comment out the first line in $ORCA_HOME/ec2/eucarc (ORCA uses the native EC2 tools to talk to Eucalyptus rather than the Eucalyptus user tools; the first line confuses the EC2 tools):

#EUCA_KEY_DIR=$(dirname $(readlink -f ${BASH_SOURCE}))

Generate a Eucalyptus keypair for the 'orca' user created above. The name of this keypair is used later to populate the "ec2.ssh.key" property in the ec2.site.properties file (see below). euca-add-keypair prints the private key to standard output, so save that output to a file in $ORCA_HOME/ec2 and keep it readable only by the service user.

$ source $ORCA_HOME/ec2/eucarc
$ euca-add-keypair orca > $ORCA_HOME/ec2/orca
$ chmod 600 $ORCA_HOME/ec2/orca  (the file holds the private key)
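The two procedures above (preparing $ORCA_HOME and fixing up the Eucalyptus credentials) are easy to get subtly wrong: a stale EUCA_KEY_DIR line, a private key left world-readable, or a credential directory readable by every local user. The following script is an added example and is not part of the ORCA wiki or the ORCA distribution. It assumes the four subdirectory names used in this section; making ec2/ and runtime/ mode 700 and the key file mode 600 is our recommendation for directories that hold credentials, not a documented ORCA requirement. The chown step only runs when invoked as root, so the functions can be exercised as an ordinary user first.

```bash
#!/bin/sh
# Added example (not ORCA's own code): prepare $ORCA_HOME and sanity-check
# the Eucalyptus credential files for an ORCA site authority.
# Usage (as root):  . ./orca_home_prep.sh
#                   prepare_orca_home /opt/orca geni-orca:nonrenci
#                   fix_eucarc /opt/orca/ec2/eucarc
#                   check_private_key /opt/orca/ec2/orca

# prepare_orca_home HOME [OWNER:GROUP]
# Creates the ec2/ ndl/ runtime/ config/ layout. ec2/ and runtime/ hold
# credentials, so they are made private to the owner (0700 is our
# recommendation, not an ORCA requirement). chown is only attempted as root.
prepare_orca_home() {
    home=$1
    owner=${2:-}
    mkdir -p "$home/ec2" "$home/ndl" "$home/runtime" "$home/config" || return 1
    chmod 700 "$home/ec2" "$home/runtime" || return 1
    if [ -n "$owner" ]; then
        if [ "$(id -u)" -eq 0 ]; then
            chown -R "$owner" "$home" || return 1
        else
            echo "not root: run 'chown -R $owner $home' yourself" >&2
        fi
    fi
}

# fix_eucarc FILE
# Comments out the EUCA_KEY_DIR line that confuses the native EC2 tools.
# Idempotent: an already-commented line starts with '#' and no longer matches.
# Writes through a temp file because 'sed -i' syntax differs between GNU and BSD.
# Finally sources the file in a subshell and confirms EUCA_KEY_DIR is not defined.
fix_eucarc() {
    f=$1
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    tmp=$f.tmp.$$
    sed 's/^EUCA_KEY_DIR=/#EUCA_KEY_DIR=/' "$f" > "$tmp" && mv "$tmp" "$f" || return 1
    ( set +e; . "$f" >/dev/null 2>&1; [ -z "${EUCA_KEY_DIR:-}" ] )
}

# check_private_key FILE
# The file saved from euca-add-keypair is an SSH private key: it must exist,
# contain PEM private-key material, and be readable only by its owner (0600).
# The mode test uses find -perm (portable) instead of the non-portable stat.
check_private_key() {
    f=$1
    [ -f "$f" ] || { echo "no key file $f" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" \
        || { echo "$f contains no PEM private key" >&2; return 1; }
    [ -n "$(find "$f" -prune -perm 600 -print)" ] \
        || { echo "$f must be mode 600 (run: chmod 600 $f)" >&2; return 1; }
}
```

Run check_private_key again after every redeploy or credential refresh; a key that was re-downloaded or re-generated will typically come back with the default umask permissions and fail the check until it is chmod'ed.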

Generate and store resource representations for the Eucalyptus Site

Generate the NDL resource description of the Eucalyptus site and store it in $ORCA_HOME/ndl. An example of a Eucalyptus site NDL resource description can be found here. Consult RENCI staff on how to generate this. Let ORCA_SRC be the root of the downloaded ORCA source. The actor config.xml file will reference this file later.

$ cp $ORCA_SRC/network/src/main/resources/orca/network/rencivmsite.rdf $ORCA_HOME/ndl/.
$ cp $ORCA_SRC/network/src/main/resources/orca/network/renciNet.rdf $ORCA_HOME/ndl/.

ORCA actors' runtime credentials

Generate GUIDs and certificates for ALL the actors in your container (repeat the two commands below once per actor). Store the GUIDs, which will be used for configuring the actors. Let ORCA_SRC be the root of the downloaded ORCA source.

$ cd $ORCA_SRC/tools/config
$ ant guid
$ ant security.create.actor.config -Dactor=<guid_output_from_previous_command>

Store runtime credentials in $ORCA_HOME.

$ cp -r $ORCA_SRC/tools/config/runtime/* $ORCA_HOME/runtime/.

Additional components

In addition to Eucalyptus we have developed several components that make a Eucalyptus site more ORCA- and GENI-friendly. These components are:

  • Image Proxy - permits users to post the images for their VM slivers on HTTP/FTP/BitTorrent and have ORCA automatically download and register the image with each site in a slice.
  • DNAT Proxy - permits public SSH access to VMs/slivers on a Eucalyptus cluster that is hosted behind a firewall (i.e. where even the Eucalyptus "public" addresses aren't truly public).

Image Proxy is a mandatory component, while DNAT Proxy is optional. Both components are set up separately; from the ORCA perspective, however, their configuration is managed through the $ORCA_HOME/ec2/ec2.site.properties file. The following sections describe how to set up these components.

Image Proxy

ORCA lets the user specify URLs for the filesystem image, kernel (optional) and ramdisk (optional) in their resource request. The user's images are then used to stand up the VMs across potentially multiple independent Eucalyptus sites under ORCA control; the Image Proxy serves this purpose. Follow the instructions at https://code.renci.org/gf/project/networkedclouds/wiki/?pagename=ImageProxy to set up and run the Image Proxy. To configure ORCA to use the Image Proxy, follow the instructions in ImageProxy with ORCA.

Image Proxy is typically deployed into a separate Axis2 container on the Eucalyptus master host. If not, it can be deployed on a separate host that

  • Has a routable path to Eucalyptus head node
  • Has Eucalyptus user tools installed

Image Proxy with Eucalyptus/NEuca

ssh DNAT Proxy Tunneling and Using Shorewall

When you need access to VM instances created in a private address space separated from the public Internet, ssh proxy tunneling can be used. We support a Shorewall DNAT proxy for this purpose. Install and run Shorewall on a machine (the NAT host) that is accessible from the public Internet by following the instructions at Shorewall setup. To use Shorewall with ORCA, follow the instructions for Shorewall configuration for ORCA.

The DNAT Proxy must be installed on a host that has a publicly routable IP address and a route to the Eucalyptus head node. It is only needed if the Eucalyptus head node has no publicly routable IP address or has no public IP addresses to give out to the VMs.

DNAT Proxy

ORCA Configuration

$ORCA_HOME/config/config.xml

An example of a configuration file for a container with site authority actors managing a Eucalyptus/NEuca cluster and a network switch can be found here. Please modify this file to tailor it to your installation. Remember to use a unique GUID for each actor, i.e. the GUIDs generated in the "ORCA actors' runtime credentials" step above. Name this file 'config.xml' and place it in $ORCA_HOME/config.

$ cp $HOME/euca-m.renci.ben-config.xml $ORCA_HOME/config/config.xml 

$ORCA_HOME/config/container.properties

An example of 'container.properties' for a container with site authority actors managing a Eucalyptus/NEuca cluster and a network switch can be found here. Please modify this file to tailor it to your installation: change the 'protocols.soapaxis2.url' and 'container.guid' properties to point to the correct soapaxis URL and a new GUID respectively. To make the actors in the container talk to the RENCI Actor Registry, follow the instructions for configuring with the registry. From Camano 3.0 onward, this is the recommended way to connect to other actors (Brokers, SMs). Name this file 'container.properties' and place it in $ORCA_HOME/config.

$ cp $HOME/euca-m.renci.ben-container.properties $ORCA_HOME/config/container.properties 

$ORCA_HOME/ec2/ec2.site.properties

Modify orca/trunk/handlers/ec2/ec2.site.sample.properties for your installation. For the Shorewall proxy section, see shorewall-with-orca. For the Image Proxy section, see "Handler Integration" in image-proxy-with-orca. Name this file 'ec2.site.properties' and place it in $ORCA_HOME/ec2.

$ cp $HOME/ec2.site.sample.properties $ORCA_HOME/ec2/ec2.site.properties 

$ORCA_HOME/ec2/eucanet.cred.properties

Look up the "Credentials" sub-section of the "Eucanet handler" section to populate the eucanet.cred.properties file, and place it in $ORCA_HOME/ec2.

Set up tomcat

$ cd $ORCA_HOME
$ wget https://geni-orca.renci.org/svn/software/tomcat.tar.gz
$ tar zxvf tomcat.tar.gz
$ cd $ORCA_HOME/tomcat

Edit start.sh and stop.sh to point to the correct paths for ORCA_HOME and CATALINA_HOME. Example start.sh:

#!/bin/bash

# customize this to your setup
export ORCA_HOME=/opt/orca

# if you are using non-standard java, uncomment and change this
# export JAVA_HOME=/opt/java/jdk-1.6.20
export LD_LIBRARY_PATH=/usr/local/lib

# assuming tomcat is under $ORCA_HOME
export CATALINA_HOME=$ORCA_HOME/tomcat

# if you want to enable debugging, uncomment this line and comment out the following one. Default debug port is 11000.
# NOTE: with server=y and a bare port, JDWP listens on all interfaces and lets anyone who can reach
# the port execute arbitrary code in the JVM; use it only on test containers, bind it to localhost
# (e.g. address=127.0.0.1:11000) or firewall the port, and never leave it enabled in production.
#declare -x CATALINA_OPTS="-ea -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=11000 -Xmx1024m"
declare -x CATALINA_OPTS="-Xmx1024m"

export ANT_HOME=
$CATALINA_HOME/bin/catalina.sh start

Example stop.sh:

#!/bin/bash

# customize this to your install
export ORCA_HOME=/opt/orca

# uncomment and customize this if you are using non-standard Java install
#export JAVA_HOME=/opt/java/jdk1.6.0_23

# assuming tomcat lives under $ORCA_HOME
export CATALINA_HOME=$ORCA_HOME/tomcat

$CATALINA_HOME/bin/shutdown.sh

Final Deployment

Now you are ready to deploy. Start Tomcat on the host where the ORCA container lives (the Eucalyptus head node in this example).

$ cd $ORCA_HOME/tomcat
$ ./stop.sh (if you want to kill an existing tomcat, or if you are doing a fresh container redeploy)
$ rm -f $ORCA_HOME/state_recovery.lock  (if you want a fresh redeploy)
$ ./start.sh

Deploy the ORCA webapp by pointing at the machine where the Tomcat server is running (euca-m.renci.ben in this example).

$ cd $ORCA_SRC
$ mvn clean install
$ cd $ORCA_SRC/webapp
$ mvn clean package
$ ant -Duser.target.server=euca-m.renci.ben deploy

Some troubleshooting tips
