== Verification of rocci-server.centos7.x86_64-2.0.4, gridsite.centos7.x86_64-2.3.4 and keystorm.centos7.x86_64-1.1.0 ==

=== Ticket assigned ===

 * [https://rt.egi.eu/rt/Ticket/Display.html?id=13797]
 * [https://rt.egi.eu/rt/Ticket/Display.html?id=13778]
 * [https://rt.egi.eu/rt/Ticket/Display.html?id=13908]

Documentation at [https://wiki.egi.eu/wiki/MAN10#Integrating_OpenNebula]

=== rocci-server, gridsite and keystorm repos ===

(!) Ensure SELinux is disabled. The verification below was done with it off; keep in mind that this removes a mandatory access control layer from the host.
{{{
[root@test27 ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled
}}}
{{{
[root@test27 yum.repos.d]# pwd
/etc/yum.repos.d
}}}

rocci-server repo:
{{{
[root@test27 yum.repos.d]# wget http://admin-repo.egi.eu/sw/unverified/cmd-one-1.cesnet.rocci-server.centos7.x86_64/2/0/4/repofiles/CESNET.rocci-server.centos7.x86_64.repo
[root@test27 yum.repos.d]# cat CESNET.rocci-server.centos7.x86_64.repo
# EGI Software Repository - REPO META (releaseId,repositoryId,repofileId) - (13797,2497,2454)

[CESNET.rocci-server.centos7.x86_64]
name=CESNET.rocci-server.centos7.x86_64
baseurl=http://admin-repo.egi.eu/sw/unverified/cmd-one-1.cesnet.rocci-server.centos7.x86_64/2/0/4/
enabled=1
protect=1
priority=1
gpgcheck=1
gpgkey=http://repository.egi.eu/sw/production/umd/UMD-RPM-PGP-KEY
}}}

gridsite repo:
{{{
[root@test27 yum.repos.d]# wget http://admin-repo.egi.eu/sw/unverified/cmd-one-1.cesnet.gridsite.centos7.x86_64/2/3/4/repofiles/CESNET.gridsite.centos7.x86_64.repo
[root@test27 yum.repos.d]# cat CESNET.gridsite.centos7.x86_64.repo
# EGI Software Repository - REPO META (releaseId,repositoryId,repofileId) - (13778,2483,2440)

[CESNET.gridsite.centos7.x86_64]
name=CESNET.gridsite.centos7.x86_64
baseurl=http://admin-repo.egi.eu/sw/unverified/cmd-one-1.cesnet.gridsite.centos7.x86_64/2/3/4/
enabled=1
protect=1
priority=1
gpgcheck=1
gpgkey=http://repository.egi.eu/sw/production/umd/UMD-RPM-PGP-KEY
}}}

keystorm repo:
{{{
[root@test27 yum.repos.d]# wget http://admin-repo.egi.eu/sw/unverified/cmd-one-1.cesnet.keystorm.centos7.x86_64/1/1/0/repofiles/CESNET.keystorm.centos7.x86_64.repo
[root@test27 yum.repos.d]# cat CESNET.keystorm.centos7.x86_64.repo
# EGI Software Repository - REPO META (releaseId,repositoryId,repofileId) - (13908,2515,2474)

[CESNET.keystorm.centos7.x86_64]
name=CESNET.keystorm.centos7.x86_64
baseurl=http://admin-repo.egi.eu/sw/unverified/cmd-one-1.cesnet.keystorm.centos7.x86_64/1/1/0/
enabled=1
protect=1
priority=1
gpgcheck=1
gpgkey=http://repository.egi.eu/sw/production/umd/UMD-RPM-PGP-KEY
}}}

EGI related CAs repo:
{{{
[root@test27 yum.repos.d]# wget http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo
[root@test27 yum.repos.d]# cat EGI-trustanchors.repo
# EGI Software Repository - REPO META (releaseId,repositoryId,repofileId) - (13879,-,2471)

[EGI-trustanchors]
name=EGI-trustanchors
baseurl=http://repository.egi.eu/sw/production/cas/1/current/
enabled=1
gpgcheck=1
gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
}}}

(!) All four repo files set gpgcheck=1, so every RPM is signature-checked before it is installed. Both baseurl and gpgkey are plain http://, however, so the signing keys themselves arrive unauthenticated: what actually anchors trust is comparing the fingerprint yum prints at import time (see the installation log below) against the fingerprint published by the key owner (UMD, EUGridPMA) before answering "y". protect=1 and priority=1 only take effect when the yum-protectbase and yum-plugin-priorities plugins are installed.

=== Installation of packages ===
{{{
[root@test27 ~]# LC_ALL=C yum install occi-server gridsite keystorm lcg-CA
[.....]
Dependencies Resolved

================================================================================
 Package              Arch    Version                     Repository                           Size
================================================================================
Installing:
 gridsite             x86_64  2.3.4-1.el7.centos          CESNET.gridsite.centos7.x86_64       81 k
 keystorm             x86_64  1.1.0+20171117110859-1.el7  CESNET.keystorm.centos7.x86_64       25 M
 lcg-CA               noarch  1.88-1                      EGI-trustanchors                    2.1 k
 occi-server          x86_64  2.0.4+20171023200954-1.el7  CESNET.rocci-server.centos7.x86_64   26 M
Installing for dependencies:
 apr                  x86_64  1.4.8-3.el7_4.1             updates                             103 k
 apr-util             x86_64  1.5.2-6.el7                 base                                 92 k
 c-ares               x86_64  1.10.0-3.el7                base                                 78 k
 ca-policy-egi-core   noarch  1.88-1                      EGI-trustanchors                    9.8 k
 ca-policy-lcg        noarch  1.88-1                      EGI-trustanchors                     10 k
 ca_AEGIS             noarch  1.88-1                      EGI-trustanchors                    5.0 k
[.....]
 ca_policy_igtf-slcs  noarch  1.88-1                      EGI-trustanchors                    3.1 k
 ca_seegrid-ca-2013   noarch  1.88-1                      EGI-trustanchors                    4.9 k
 canl-c               x86_64  2.1.8-1.el7                 epel                                 70 k
 gridsite-libs        x86_64  2.3.4-1.el7.centos          CESNET.gridsite.centos7.x86_64       89 k
 gsoap                x86_64  2.8.16-9.el7                epel                                247 k
 httpd                x86_64  2.4.6-67.el7.centos.6       updates                             2.7 M
 httpd-tools          x86_64  2.4.6-67.el7.centos.6       updates                              88 k
 libevent             x86_64  2.0.21-4.el7                base                                214 k
 mailcap              noarch  2.1.41-2.el7                base                                 31 k
 memcached            x86_64  1.4.15-10.el7_3.1           base                                 85 k
 mod_auth_openidc     x86_64  1.8.8-3.el7                 base                                123 k
 mod_ssl              x86_64  1:2.4.6-67.el7.centos.6     updates                             109 k

Transaction Summary
================================================================================
Install  4 Packages (+109 Dependent packages)

Total download size: 56 M
Installed size: 187 M
Is this ok [y/d/N]: y
[.....]
Importing GPG key 0x3CDBBC71:
 Userid     : "EUGridPMA Distribution Signing Key 3 "
 Fingerprint: d12e 9228 22be 64d5 0146 188b c32d 99c8 3cdb bc71
 From       : http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
Is this ok [y/N]: y
Retrieving key from http://repository.egi.eu/sw/production/umd/UMD-RPM-PGP-KEY
Importing GPG key 0x96B71B07:
 Userid     : "Kostas Koumantaros (UMD Release Manager) "
 Fingerprint: 32ad 8d80 fa5a 89b5 3dc5 de93 6799 de16 96b7 1b07
 From       : http://repository.egi.eu/sw/production/umd/UMD-RPM-PGP-KEY
Is this ok [y/N]: y
[.....]
Complete!
}}}

=== Configuration ===

(!) The gridsite Apache module must be enabled:
{{{
[root@test27 ~]# cat /etc/httpd/conf.modules.d/90-gridsite.conf
LoadModule gridsite_module modules/mod_gridsite.so
}}}

The LSC files for the VOs to be served go in '/etc/grid-security/vomsdir/', one directory per VO. An LSC file holds the subject DN of the VOMS server followed by the DN of its issuing CA; a VOMS attribute certificate is only accepted when its issuer chain matches these two lines:
{{{
[root@test27 ~]# cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.grid.cesnet.cz.lsc
/DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz
/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA eScience SSL CA 3
}}}
(!) Host certificate. Two copies are kept, one owned by apache and one by rocci, because the two services run under different accounts and each private key must stay readable by its owner only:
{{{
[root@test27 ~]# ls -l /etc/grid-security/
total 76
drwxr-xr-x 2 root   root   40960 dic  5 08:08 certificates
-r--r--r-- 1 apache apache  1976 dic  5 08:19 hostcert.pem
-r--r--r-- 1 rocci  rocci   1976 dic  5 08:19 hostcert-rocci.pem
-r-------- 1 apache apache  1704 dic  5 08:19 hostkey.pem
-r-------- 1 rocci  rocci   1704 dic  5 08:19 hostkey-rocci.pem
drwxr-xr-x 3 root   root      28 dic  5 08:17 vomsdir
}}}

The files '/etc/keystorm/variables' and '/etc/occi-server/variables' must be edited. These are the diffs against the originals:
{{{
[root@test27 ~]# diff /etc/occi-server/variables /etc/occi-server/variables.original
3c3
< export HOST=0.0.0.0
---
> export HOST=127.0.0.1
5a6,7
> # export HOST_CERT=/path/to/cert
> # export HOST_KEY=/path/to/key
7,10c9
< export HOST_CERT=/etc/grid-security/hostcert-rocci.pem
< export HOST_KEY=/etc/grid-security/hostkey-rocci.pem
<
< export ROCCI_SERVER_LOG_LEVEL=debug
---
> export ROCCI_SERVER_LOG_LEVEL=warn
17c16
< export ROCCI_SERVER_OPENNEBULA_ENDPOINT=http://fedcloud-one.egi.cesga.es:2633/RPC2
---
> # export ROCCI_SERVER_OPENNEBULA_ENDPOINT=http://localhost:2633/RPC2
25,27d23
< export ROCCI_SERVER_ENCRYPTION_TOKEN_CIPHER=AES-128-CBC
< export ROCCI_SERVER_ENCRYPTION_TOKEN_KEY=nBTkwR5wIJpmmc3h
< export ROCCI_SERVER_ENCRYPTION_TOKEN_IV=Go/xD1etgpX6ZejQ
}}}
{{{
[root@test27 ~]# diff /etc/keystorm/variables /etc/keystorm/variables.original
9,10c9,10
< export KEYSTORM_OPENNEBULA_ENDPOINT=http://fedcloud-one.egi.cesga.es:2633/RPC2
< export KEYSTORM_OPENNEBULA_SECRET='oneadmin:xxxxxxxxxxxxxx'
---
> # export KEYSTORM_OPENNEBULA_ENDPOINT=http://localhost:2633/RPC2
> # export KEYSTORM_OPENNEBULA_SECRET=oneadmin:opennebula
13c13
< export KEYSTORM_LOG_LEVEL=debug
---
> export KEYSTORM_LOG_LEVEL=warn
}}}

(!) Ensure the {ROCCI_SERVER_ENCRYPTION,KEYSTORM}_TOKEN_{CIPHER,KEY,IV} variables hold the same values in both files: rOCCI-server has to decrypt the tokens that keystorm issues. The keystorm diff does not touch its token variables, so the keystorm file still carries the values it shipped with and the occi-server file was given the same ones. The 16-character key and IV match the AES-128 key and block size and are secrets: generate fresh values for every deployment instead of reusing the ones printed above, and note that a fixed IV with CBC makes identical plaintexts encrypt to identical ciphertexts.

(!) HOST=0.0.0.0 makes rOCCI-server listen on all interfaces (it is the public endpoint). The OpenNebula XML-RPC endpoint is reached over plain http://, so the oneadmin credential in KEYSTORM_OPENNEBULA_SECRET travels unencrypted to fedcloud-one.egi.cesga.es:2633; that link should be local or otherwise protected. Both services were switched to debug logging for the verification; revert to warn afterwards.
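An added shell check for the two points above (token variables identical in both files, and the variables files private, since they hold the OpenNebula secret and the token key). It is written for this page and is not shipped by rOCCI-server or keystorm. It picks up any exported *_TOKEN_CIPHER, *_TOKEN_KEY and *_TOKEN_IV variable by suffix, so it does not depend on the exact prefix each file uses, and it assumes, from the 16-character values shown on this page, that key and IV are used as raw 16-byte strings. The two sample files it can write are constructed for the demonstration, not copied from the verification host.

```shell
#!/bin/sh
# Added example for this verification page; not part of rOCCI-server or
# keystorm. Checks that the token encryption settings in two 'variables'
# files agree and that the files grant nothing to 'other'.
#
# Assumption: key and IV are used as raw 16-byte strings (the values on the
# page are 16 printable characters, the AES-128 key and block size).

# token_var FILE SUFFIX: value of the first 'export <prefix>SUFFIX=...' line
# in FILE with surrounding quotes stripped. Lines commented out with '#' are
# ignored because the pattern requires 'export' at the start of the line.
token_var() {
    sed -n "s/^[[:space:]]*export[[:space:]]*[A-Z_]*$2=//p" "$1" | head -n 1 | tr -d "'\""
}

# check_tokens OCCI_FILE KEYSTORM_FILE: compare CIPHER/KEY/IV between the two
# files and verify the AES-128-CBC key and IV sizes. Prints one line per
# problem and returns 0 only when everything is consistent.
check_tokens() {
    rc=0
    for suffix in _TOKEN_CIPHER _TOKEN_KEY _TOKEN_IV; do
        a=$(token_var "$1" "$suffix")
        b=$(token_var "$2" "$suffix")
        if [ -z "$a" ] || [ -z "$b" ]; then
            echo "MISSING: $suffix is not exported in both files"; rc=1
        elif [ "$a" != "$b" ]; then
            echo "MISMATCH: $suffix differs between $1 and $2"; rc=1
        fi
    done
    cipher=$(token_var "$1" _TOKEN_CIPHER)
    case "$cipher" in
        AES-128-CBC)
            for suffix in _TOKEN_KEY _TOKEN_IV; do
                v=$(token_var "$1" "$suffix")
                if [ "${#v}" -ne 16 ]; then
                    echo "BAD LENGTH: $suffix has ${#v} characters, AES-128-CBC needs 16"; rc=1
                fi
            done ;;
        *) echo "UNEXPECTED CIPHER: '$cipher'"; rc=1 ;;
    esac
    return $rc
}

# check_perms FILE [UID]: the file must grant no permission to 'other' and be
# owned by UID (default 0, root). Uses GNU stat, as on CentOS 7.
check_perms() {
    mode=$(stat -c %a "$1")
    uid=$(stat -c %u "$1")
    case "$mode" in
        *0) ;;
        *) echo "WORLD-ACCESSIBLE: $1 has mode $mode"; return 1 ;;
    esac
    if [ "$uid" -ne "${2:-0}" ]; then
        echo "OWNER: $1 is owned by uid $uid, expected ${2:-0}"; return 1
    fi
    return 0
}

# make_samples DIR: write two constructed sample files (not copied from any
# host) that agree on cipher/key/IV; the keystorm one is deliberately 0644.
make_samples() {
    cat > "$1/occi.vars" <<'EOF'
export HOST=0.0.0.0
export ROCCI_SERVER_ENCRYPTION_TOKEN_CIPHER=AES-128-CBC
export ROCCI_SERVER_ENCRYPTION_TOKEN_KEY=0123456789abcdef
export ROCCI_SERVER_ENCRYPTION_TOKEN_IV=fedcba9876543210
EOF
    cat > "$1/keystorm.vars" <<'EOF'
# export KEYSTORM_TOKEN_KEY=commented-out-value
export KEYSTORM_OPENNEBULA_SECRET='oneadmin:xxxxxxxx'
export KEYSTORM_TOKEN_CIPHER=AES-128-CBC
export KEYSTORM_TOKEN_KEY='0123456789abcdef'
export KEYSTORM_TOKEN_IV=fedcba9876543210
EOF
    chmod 640 "$1/occi.vars"
    chmod 644 "$1/keystorm.vars"
}

# Usage on a host:
#   sh check_variables.sh /etc/occi-server/variables /etc/keystorm/variables
if [ $# -eq 2 ]; then
    status=0
    check_tokens "$1" "$2" || status=1
    check_perms "$1" || status=1
    check_perms "$2" || status=1
    [ $status -eq 0 ] && echo "OK: tokens agree and both files are private"
    exit $status
fi
```

The length check is the part worth keeping even if the prefixes change: a key shorter than 16 bytes silently weakens AES-128-CBC token encryption, and a mismatch between the two files only shows up later as keystorm tokens that rOCCI-server rejects.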
(!) Note the permissions and owners of the configuration files: root-owned and readable only by the service's group, because they hold the OpenNebula secret and the token key:
{{{
[root@test27 ~]# ls -l /etc/occi-server/
total 12
-rw-r----- 1 root rocci    1071 dic  5 08:10 rocci_server.yml
-rw-r----- 1 root rocci    1170 ene  8 05:05 variables
[root@test27 ~]# ls -l /etc/keystorm/
total 20
-rw-r----- 1 root keystorm 1592 dic  5 08:09 keystorm.yml
-rw-r----- 1 root keystorm 1013 ene 11 05:37 variables
}}}

We must ensure that the services are enabled:
{{{
[root@test27 ~]# LC_ALL=C chkconfig httpd on
Note: Forwarding request to 'systemctl enable httpd.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@test27 ~]# systemctl stop httpd; systemctl start httpd
[root@test27 ~]# systemctl enable occi-server
Created symlink from /etc/systemd/system/multi-user.target.wants/occi-server.service to /etc/systemd/system/occi-server.service.
[root@test27 ~]# mkdir -p /etc/systemd/system/occi-server.socket.d
[root@test27 ~]# cat /etc/systemd/system/occi-server.socket.d/override.conf
[Socket]
# lines below are NOT duplicated by mistake
ListenStream=
ListenStream=0.0.0.0:11443
[root@test27 ~]# systemctl start occi-server
[root@test27 ~]# systemctl enable keystorm.socket
Created symlink from /etc/systemd/system/sockets.target.wants/keystorm.socket to /etc/systemd/system/keystorm.socket
[root@test27 ~]# mkdir -p /etc/systemd/system/keystorm.socket.d
[root@test27 ~]# cat /etc/systemd/system/keystorm.socket.d/override.conf
[Socket]
# lines below are NOT duplicated by mistake
ListenStream=
ListenStream=127.0.0.1:3000
[root@test27 ~]# systemctl start keystorm.socket
[root@test27 ~]# systemctl start keystorm.service
}}}

The empty ListenStream= line clears the listen addresses from the packaged socket unit before the new one is added; without it the override would add a second listener rather than replace the first. systemd only reads drop-in files when units are (re)loaded, so run 'systemctl daemon-reload' after writing the override files if the socket units had already been loaded. Note the split: occi-server is bound to 0.0.0.0:11443 because it is the endpoint clients connect to, while keystorm stays on 127.0.0.1:3000, reachable only by rOCCI-server on the same host, which is appropriate for a service that holds the oneadmin credential.

(!) Ensure that the host and port in /etc/systemd/system/keystorm.socket.d/override.conf and in /etc/keystorm/variables ARE THE SAME.

(!) Ensure that a group with the same name as the VO used (fedcloud.egi.eu) exists on the OpenNebula box.
(!) Ensure that the group on the OpenNebula box has the attribute KEYSTORM="YES":
{{{
[root@fedcloud-one ~]# onegroup show fedcloud.egi.eu
GROUP 100 INFORMATION
ID             : 100
NAME           : fedcloud.egi.eu

GROUP TEMPLATE
KEYSTORM="YES"
SUNSTONE=[
  DEFAULT_VIEW="cloud",
  GROUP_ADMIN_DEFAULT_VIEW="groupadmin",
  GROUP_ADMIN_VIEWS="groupadmin,cloud",
  VIEWS="cloud" ]

USER ID        ADMIN
12
13
[.....]
}}}

=== rOCCI-server test ===

Let's check the hostname registered in the host certificate; clients verify it against the endpoint name they connect to:
{{{
[root@test27 ~]# openssl x509 -in /etc/grid-security/hostcert.pem -text |grep Subject:
        Subject: DC=org, DC=terena, DC=tcs, C=ES, L=Santiago de Compostela, O=CESGA, CN=test27.egi.cesga.es
}}}

From a box with occi-client available, create a VOMS proxy for the fedcloud.egi.eu VO:
{{{
[root@verification ~]# voms-proxy-init -key ~/.globus/userkey.pem -cert ~/.globus/usercert.pem -certdir /etc/grid-security/certificates/ -voms fedcloud.egi.eu --rfc
Enter GRID pass phrase:
Your identity: /DC=org/DC=terena/DC=tcs/C=ES/O=CESGA/CN=Ruben Diez Lazaro rdiez@cesga.es
Creating temporary proxy ............................... Done
Contacting voms1.grid.cesnet.cz:15002 [/DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz] "fedcloud.egi.eu" Done
Creating proxy ...................................................................................... Done
Your proxy is valid until Wed Jan 17 17:04:06 2018
[root@verification ~]# voms-proxy-info --all
subject   : /DC=org/DC=terena/DC=tcs/C=ES/O=CESGA/CN=Ruben Diez Lazaro rdiez@cesga.es/CN=73748368
issuer    : /DC=org/DC=terena/DC=tcs/C=ES/O=CESGA/CN=Ruben Diez Lazaro rdiez@cesga.es
identity  : /DC=org/DC=terena/DC=tcs/C=ES/O=CESGA/CN=Ruben Diez Lazaro rdiez@cesga.es
type      : RFC compliant proxy
strength  : 1024 bits
path      : /tmp/x509up_u0
timeleft  : 11:59:42
key usage : Digital Signature, Key Encipherment, Data Encipherment
=== VO fedcloud.egi.eu extension information ===
VO        : fedcloud.egi.eu
subject   : /DC=org/DC=terena/DC=tcs/C=ES/O=CESGA/CN=Ruben Diez Lazaro rdiez@cesga.es
issuer    : /DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz
attribute : /fedcloud.egi.eu/Role=NULL/Capability=NULL
timeleft  : 11:59:34
uri       : voms1.grid.cesnet.cz:15002
}}}

The VOMS attribute certificate is issued by voms1.grid.cesnet.cz, the DN in the LSC file installed above, so the server can validate it. The proxy key is only 1024 bits; voms-proxy-init accepts --bits 2048, which is the size to use outside a test.

List of available OS templates:
{{{
[root@verification ~]# /opt/occi-cli/bin/occi --endpoint https://test27.egi.cesga.es:11443/ --action list --resource os_tpl --auth x509 --user-cred /tmp/x509up_u0 --voms
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#50
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#51
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#52
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#53
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#54
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#55
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#56
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#57
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#58
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#61
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#64
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#65
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#67
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#68
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#69
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#96
http://schemas.test27.egi.cesga.es/occi/infrastructure/os_tpl#97
}}}

(!) Only the appliances of the VO carried in the proxy are visible: the VOMS attribute is mapped to the OpenNebula group of the same name, so a proxy for another VO sees that VO's list instead.

=== Finding world-writable files in the packages contents ===

The regular expression matches the ls-style mode column of 'rpm -qalv' wherever the "other" triad has the write bit set. Only the two sticky-bit temporary directories show up, which is expected. Note that 'rpm -qalv' covers every installed package; to limit the check to the packages under verification, name them explicitly ('rpm -qlv occi-server gridsite keystorm'):
{{{
[root@test27 ~]# rpm -qalv | egrep "^[-d]([-r][-w][-xs]){2}[-r]w"
drwxrwxrwt    2 root    root                        0 nov  5  2016 /tmp
drwxrwxrwt    2 root    root                        0 nov  5  2016 /var/tmp
}}}
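An added shell audit that generalises the grep above. It is written for this page, not taken from the packages under test: it parses an 'rpm -qlv'-style listing, reports world-writable entries, treats sticky world-writable directories such as /tmp as expected rather than as findings, skips symlinks (whose mode bits are meaningless) and also lists setuid/setgid regular files, the other permission class worth knowing about in a freshly installed package. The listing in sample_listing() is constructed for the demonstration and is not output from the verification host.

```shell
#!/bin/sh
# Added example for this verification page; not part of the packages under
# test. Audits an 'rpm -qlv' style listing for world-writable entries and
# setuid/setgid files.

# Constructed sample in rpm -qlv format (illustrative paths, not output from
# the test host): the two sticky tmp dirs, a private config file, a setuid
# binary, a setgid directory, a world-writable file and a symlink.
sample_listing() {
    cat <<'EOF'
drwxrwxrwt    2 root    root                        0 Nov  5  2016 /tmp
drwxrwxrwt    2 root    root                        0 Nov  5  2016 /var/tmp
-rw-r-----    1 root    rocci                    1170 Jan  8 05:05 /etc/occi-server/variables
-rwsr-xr-x    1 root    root                    32208 Jun 10  2014 /usr/bin/example-suid
drwxrwsr-x    2 root    keystorm                    0 Jan  8 05:05 /var/lib/example-shared
-rw-rw-rw-    1 root    root                      512 Jan  8 05:05 /var/lib/example/world.txt
lrwxrwxrwx    1 root    root                        7 Jan  8 05:05 /usr/bin/example-link
EOF
}

# audit_listing: read a listing on stdin and print one line per finding.
#   WORLD_WRITABLE            -> counts as a finding
#   SETUID / SETGID           -> regular files only, count as findings
#   STICKY_WORLD_WRITABLE_DIR -> /tmp style, reported but not a finding
# Symlinks are skipped. Returns 1 if any finding was recorded, else 0.
audit_listing() {
    found=0
    while read -r mode links owner group size rest; do
        case "$mode" in
            [-dl]?????????) ;;          # type char plus nine permission chars
            *) continue ;;              # headers, blank lines, anything else
        esac
        path=${rest##* }                # last field; paths with spaces would need a real parser
        type=$(printf %s "$mode" | cut -c1)
        owner_x=$(printf %s "$mode" | cut -c4)
        group_x=$(printf %s "$mode" | cut -c7)
        other=$(printf %s "$mode" | cut -c8-10)
        case "$type" in
            -)
                case "$owner_x" in s|S) echo "SETUID $mode $owner:$group $path"; found=1 ;; esac
                case "$group_x" in s|S) echo "SETGID $mode $owner:$group $path"; found=1 ;; esac ;;
        esac
        case "$type$other" in
            d?w[tT]) echo "STICKY_WORLD_WRITABLE_DIR $mode $owner:$group $path" ;;
            l*) ;;
            ??w?) echo "WORLD_WRITABLE $mode $owner:$group $path"; found=1 ;;
        esac
    done
    return $found
}

# Usage:
#   rpm -qlv occi-server gridsite keystorm | sh audit_listing.sh --stdin
#   sh audit_listing.sh --sample      # run on the constructed listing above
case "${1:-}" in
    --sample) sample_listing | audit_listing ;;
    --stdin)  audit_listing ;;
esac
```

Feeding it 'rpm -qalv' instead of the three package names reproduces the page's check over the whole system, with the setuid/setgid inventory thrown in.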