diff --git a/apps/opennebula/.helmignore b/apps/opennebula/.helmignore
new file mode 100644
index 0000000..8ecf230
--- /dev/null
+++ b/apps/opennebula/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+.#*
diff --git a/apps/opennebula/Chart.yaml b/apps/opennebula/Chart.yaml
new file mode 100644
index 0000000..7c227c6
--- /dev/null
+++ b/apps/opennebula/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: ungleich-opennebula
+description: OpenNebula Control Plane, made for replacing native OpenNebula setups
+
+version: 0.1.0
+appVersion: "6.0.0.2"
diff --git a/apps/opennebula/README.md b/apps/opennebula/README.md
new file mode 100644
index 0000000..fc0ea3c
--- /dev/null
+++ b/apps/opennebula/README.md
@@ -0,0 +1,136 @@ +## OpenNebula Chart + +## Containers to do + +- oned: main api + - also needs ssh files +- scheduler +- mysql for data +- sunstone +- novnc +- nginx on 443 + +Storage: + +- mysql pvc (prod: 65G!) + +## Containers done + +### Scheduler + +Needs /etc/one/sched.conf. + +[root@opennebula-opennebula-6cbb864798-txfhf one]# /usr/bin/mm_sched +Could not open file /root/.one/one_auth + +``` +[root@opennebula-opennebula-6cbb864798-txfhf one]# mkdir /root/.one +[root@opennebula-opennebula-6cbb864798-txfhf one]# vi /root/.one/one_auth +[root@opennebula-opennebula-6cbb864798-txfhf one]# /usr/bin/mm_sched +``` + + +## DB cleanup + +- via cronjob +- maybe 1/month + +``` +ALTER TABLE vm_pool DROP INDEX ftidx; +ALTER TABLE vm_pool ADD FULLTEXT INDEX ftidx (search_token); +``` + +## Oned + +- Needs SSH keys +- Define secret and provide out-of-band? + + +## certbot for nginx + +## nginx for sunstone + +## Sunstone + +templates: sunstone-server + - needs ssl certificates access + +files: + +- /var/lib/one/.one/one_auth +- /var/lib/one/.one/sunstone_auth + +Maybe via latent / hanging secret? 
+ +cmd: + +``` +mkdir -p /run/lock/one +mkdir -p /run/one +ruby /usr/lib/one/sunstone/sunstone-server.rb +``` + + +`` +[root@opennebula-opennebula-574c564b76-h6skt /]# sunstone-server start +Error, check /var/log/one/novnc.log +Could not start novnc server +touch: cannot touch '/var/lock/one/.sunstone.lock': No such file or directory +Error creating lock file +VNC server is not running +[root@opennebula-opennebula-574c564b76-h6skt /]# mkdir -p /run/lock/one +[root@opennebula-opennebula-574c564b76-h6skt /]# sunstone-server start +VNC proxy started +/usr/bin/sunstone-server: line 104: /var/run/one/sunstone.pid: No such file or directory +sunstone-server started +[root@opennebula-opennebula-574c564b76-h6skt /]# +``` + +``` +SUNSTONE_CONF=/etc/one/sunstone-server.conf +`` + +- Starting novnc +- ruby $SUNSTONE_SERVER > $SUNSTONE_LOG 2>$SUNSTONE_LOG_ERROR & + + SUNSTONE_PID=/var/run/one/sunstone.pid + SUNSTONE_SERVER=/usr/lib/one/sunstone/sunstone-server.rb + SUNSTONE_LOCK_FILE=/var/lock/one/.sunstone.lock + SUNSTONE_LOG=/var/log/one/sunstone.log + SUNSTONE_LOG_ERROR=/var/log/one/sunstone.error + SUNSTONE_CONF=/etc/one/sunstone-server.conf + NOVNC_SERVER=/usr/bin/novnc-server + +- Memcached +- SSL cert + +Sat Aug 07 11:54:42 2021 [E]: No such file or directory @ rb_sysopen - /var/lib/one/.one/sunstone_auth + +serveradmin:... + +Sat Aug 07 12:08:37 2021 [E]: Configuration of ':webauthn_origin' is missing + +Provide the serveradmin and oneadmin credentials in the /var/lib/one/.one/. + +### File upload + +From the website: + + +If you want to upload files to OpenNebula, you will have to share the +uploads directory (/var/tmp by default) between Sunstone and +oned. Some servers do not take into account the TMPDIR environment +variable, in which case this directory must be defined in the +configuration file (:tmpdir). It may also be necessary to set it in +Passenger (client_body_temp_path). 
+ +We can probably do without it using the hostpath + +## Fireedge + +* Basically a guacamole viewer, which we already have + +## Follow up + +- Find out if DB can be cleaned up (65G is huge!) + - https://docs.opennebula.io/6.0/installation_and_configuration/opennebula_services/database.html diff --git a/apps/opennebula/nginx/https.conf b/apps/opennebula/nginx/https.conf new file mode 100644 index 0000000..e11d219 --- /dev/null +++ b/apps/opennebula/nginx/https.conf 
@@ -0,0 +1,53 @@
+server {
+ listen *:443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;
+
+ server_name {{ tpl .Values.fqdn . }};
+
+ root /usr/share/nginx/html;
+
+ client_max_body_size 0;
+
+ try_files $uri/index.html $uri.html $uri @sunstone;
+
+ location ~* \.(ico|css|js|gif|jpe?g|png)(\?[0-9]+)?$ {
+ expires 1y;
+
+ # Need to enable proxying in this location as well
+ try_files $uri @sunstone;
+ }
+
+ # Rails error pages
+ error_page 500 502 503 504 /500.html;
+
+ location @sunstone {
+ proxy_pass http://localhost:9869;
+
+ # Forward original host name to be seen in unicorn
+ proxy_set_header Host $host;
+
+ # Server name and address like being available in PHP
+ proxy_set_header SERVER_NAME $server_name;
+ proxy_set_header SERVER_ADDR $server_addr;
+
+ # Forward client ip address to rack/rails so logging
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+ # Tell rack if it is http or https
+ # https://github.com/intridea/omniauth/blob/master/lib/omniauth/strategy.rb#L483
+ # http://nginx.org/en/docs/http/ngx_http_core_module.html#variables
+ # $https was introduced in 1.1.11 - we are using 0.7.67-3+squeeze3
+ # so we cannot use
+ # proxy_set_header HTTPS $https;
+ # but have to forward the scheme like this
+ proxy_set_header X_FORWARDED_SCHEME $scheme;
+
+ # Some applications seem to use X_FORWARDED_SCHEME while others need
+ # X_FORWARDED_PROTO, so we set X_FORWARDED_PROTO too
+ proxy_set_header X_FORWARDED_PROTO $scheme;
+
+ }
+}
diff --git a/apps/opennebula/nginx/xmlrpc.conf b/apps/opennebula/nginx/xmlrpc.conf
new file mode 100644
index 0000000..4ca84a3
--- /dev/null
+++ b/apps/opennebula/nginx/xmlrpc.conf
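Review bot: The seven comment lines above `proxy_set_header X_FORWARDED_SCHEME $scheme;` justify the underscore headers with "we are using 0.7.67-3+squeeze3", a Debian squeeze nginx from 2010 that cannot be what this chart's image ships; the text was carried over from an old Sunstone template and will mislead the next reader. Header names with underscores are non-standard and some servers and intermediaries drop them, so alongside the two existing headers add the conventional `proxy_set_header X-Forwarded-Proto $scheme;` and replace the stale block with `# Tell the backend the original scheme; X-Forwarded-Proto is the conventional header`. The `server` block also sets no `ssl_protocols` or `ssl_ciphers`, so the TLS policy is whatever the nginx image defaults to; an explicit `ssl_protocols TLSv1.2 TLSv1.3;` pins it for both listeners. The same comment block and header set recur in the xmlrpc.conf hunk that follows.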
@@ -0,0 +1,41 @@
+server {
+ listen *:2634 ssl;
+ listen [::]:2634 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;
+
+ server_name {{ tpl .Values.fqdn . }};
+
+ root /usr/share/nginx/html;
+
+ client_max_body_size 0;
+
+ location / {
+ proxy_pass http://localhost:2633;
+
+ # Forward original host name to be seen in unicorn
+ proxy_set_header Host $host;
+
+ # Server name and address like being available in PHP
+ proxy_set_header SERVER_NAME $server_name;
+ proxy_set_header SERVER_ADDR $server_addr;
+
+ # Forward client ip address to rack/rails so logging
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+ # Tell rack if it is http or https
+ # https://github.com/intridea/omniauth/blob/master/lib/omniauth/strategy.rb#L483
+ # http://nginx.org/en/docs/http/ngx_http_core_module.html#variables
+ # $https was introduced in 1.1.11 - we are using 0.7.67-3+squeeze3
+ # so we cannot use
+ # proxy_set_header HTTPS $https;
+ # but have to forward the scheme like this
+ proxy_set_header X_FORWARDED_SCHEME $scheme;
+
+ # Some applications seem to use X_FORWARDED_SCHEME while others need
+ # X_FORWARDED_PROTO, so we set X_FORWARDED_PROTO too
+ proxy_set_header X_FORWARDED_PROTO $scheme;
+
+ }
+}
diff --git a/apps/opennebula/one/oned.conf b/apps/opennebula/one/oned.conf
new file mode 100644
index 0000000..34c5150
--- /dev/null
+++ b/apps/opennebula/one/oned.conf
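Review bot: The `location /` block publishes oned's XML-RPC API on port 2634 with `client_max_body_size 0`, so any client can stream a request body of arbitrary size to the API before oned gets to validate the session token; unlike the Sunstone vhost there is no image-upload path here, so a bound such as `client_max_body_size 16m;` (sized to the largest template you expect to submit) closes that gap at the edge. The accompanying comments about unicorn, rack/rails and PHP were copied from the Sunstone config and do not describe an XML-RPC backend; a single `# oned XML-RPC endpoint (bound to 127.0.0.1 in oned.conf)` in their place keeps the file honest. Because every call now reaches oned from the proxy, the IP field in oned's own XML-RPC call log (the commented default `LOG_CALL_FORMAT` in the oned.conf hunk includes `%A`) will presumably show the proxy address rather than the caller's, so keep nginx's access log for this server and make sure it records `$remote_addr` if API calls need to be attributed during an investigation.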
@@ -0,0 +1,1542 @@ +#******************************************************************************* +# OpenNebula Configuration file +#******************************************************************************* + +#******************************************************************************* +# Daemon configuration attributes +#------------------------------------------------------------------------------- +# MANAGER_TIMER: Time in seconds the core uses to evaluate periodical functions. +# MONITORING_INTERVALS cannot have a smaller value than MANAGER_TIMER. +# +# MONITORING_INTERVAL_HOST: Time in seconds between host monitorization. +# MONITORING_INTERVAL_VM: Time in seconds between VM monitorization. +# MONITORING_INTERVAL_MARKET: Time in seconds between market monitorization. +# MONITORING_INTERVAL_DATASTORE: Time in seconds between image monitorization. +# +# MONITORING_THREADS: Max. number of threads used to process monitor messages +# +# HOST_PER_INTERVAL: Number of hosts monitored in each interval. +# HOST_MONITORING_EXPIRATION_TIME: Time, in seconds, to expire monitoring +# information. Use 0 to disable HOST monitoring recording. +# +# VM_INDIVIDUAL_MONITORING: VM monitoring information is obtained along with the +# host information. For some custom monitor drivers you may need activate the +# individual VM monitoring process. +# VM_PER_INTERVAL: Number of VMs monitored in each interval, if the individual +# VM monitoring is set to yes. +# VM_MONITORING_EXPIRATION_TIME: Time, in seconds, to expire monitoring +# information. Use 0 to disable VM monitoring recording. +# +# SCRIPTS_REMOTE_DIR: Remote path to store the monitoring and VM management +# scripts. +# +# PORT: Port where oned will listen for xmlrpc calls. +# LISTEN_ADDRESS: Host IP to listen on for xmlrpc calls (default: all IPs). 
+# +# DB: Configuration attributes for the database backend +# backend : can be sqlite or mysql (default is sqlite) +# server : (mysql) host name or an IP address for the MySQL server +# port : (mysql) port for the connection to the server. +# If set to 0, the default port is used. +# user : (mysql) user's MySQL login ID +# passwd : (mysql) the password for user +# db_name : (mysql) the database name +# connections: (mysql) number of max. connections to mysql server +# +# VNC_PORTS: VNC port pool for automatic VNC port assignment, if possible the +# port will be set to ``START`` + ``VMID`` +# start : first port to assign +# reserved: comma separated list of ports or ranges. Two numbers separated by +# a colon indicate a range. +# +# LOG: Configuration for the logging system +# system: defines the logging system: +# file to log in the oned.log file +# syslog to use the syslog facilities +# std to use the default log stream (stderr) to use with systemd +# debug_level: 0 = ERROR, 1 = WARNING, 2 = INFO, 3 = DEBUG +# +# VM_SUBMIT_ON_HOLD: Forces VMs to be created on hold state instead of pending. +# Values: YES or NO. 
+#******************************************************************************* + +LOG = [ + SYSTEM = "std", + DEBUG_LEVEL = 3 +] + +#MANAGER_TIMER = 15 + +MONITORING_INTERVAL_HOST = 60 +MONITORING_INTERVAL_VM = 180 +MONITORING_INTERVAL_DATASTORE = 300 +MONITORING_INTERVAL_MARKET = 600 + +MONITORING_THREADS = 50 + +#HOST_PER_INTERVAL = 15 +#HOST_MONITORING_EXPIRATION_TIME = 43200 + +#VM_INDIVIDUAL_MONITORING = "no" +#VM_PER_INTERVAL = 5 +#VM_MONITORING_EXPIRATION_TIME = 14400 + +SCRIPTS_REMOTE_DIR=/var/tmp/one + +PORT = 2633 + +LISTEN_ADDRESS = "127.0.0.1" + +# Sample configuration for MySQL +DB = [ BACKEND = "mysql", + SERVER = "::1", + PORT = 3306, + USER = "root", + PASSWD = "", + DB_NAME = "opennebula" ] + + +VNC_PORTS = [ + START = 10000, + RESERVED = "30000:65535" +] + +#******************************************************************************* +# API configuration attributes +#------------------------------------------------------------------------------- +# VM_SUBMIT_ON_HOLD: Forces VMs to be created on hold state instead of pending. +# Values: YES or NO. +# API_LIST_ORDER: Sets order (by ID) of elements in list API calls. +# Values: ASC (ascending order) or DESC (descending order) +#******************************************************************************* +# +#API_LIST_ORDER = "DESC" +#VM_SUBMIT_ON_HOLD = "NO" + +#******************************************************************************* +# Federation & HA configuration attributes +#------------------------------------------------------------------------------- +# Control the federation capabilities of oned. Operation in a federated setup +# requires a special DB configuration. +# +# FEDERATION: Federation attributes +# MODE: Operation mode of this oned. 
+# STANDALONE no federated.This is the default operational mode +# MASTER this oned is the master zone of the federation +# SLAVE this oned is a slave zone +# ZONE_ID: The zone ID as returned by onezone command +# SERVER_ID: ID identifying this server in the zone as returned by the +# onezone server-add command. This ID controls the HA configuration of +# OpenNebula: +# -1 (default) OpenNebula will operate in "solo" mode no HA +# Operate in HA (leader election and state replication) +# MASTER_ONED: The xml-rpc endpoint of the master oned, e.g. +# http://master.one.org:2633/RPC2 +# +# +# RAFT: Algorithm attributes +# LIMIT_PURGE: Number of logs that will be deleted on each purge. +# LOG_RETENTION: Number of DB log records kept, it determines the +# synchronization window across servers and extra storage space needed. +# LOG_PURGE_TIMEOUT: How often applied records are purged according the log +# retention value. (in seconds) +# ELECTION_TIMEOUT_MS: Timeout to start a election process if no heartbeat +# or log is received from leader. +# BROADCAST_TIMEOUT_MS: How often heartbeats are sent to followers. +# XMLRPC_TIMEOUT_MS: To timeout raft related API calls. To set an infinite +# timeout set this value to 0. +# +# RAFT_LEADER_HOOK: Executed when a server transits from follower->leader +# The purpose of this hook is to configure the Virtual IP. +# COMMAND: raft/vip.sh is a fully working script, this should not be changed +# ARGUMENTS: and must be replaced. For example +# ARGUMENTS = "leader ens1 10.0.0.2/24" +# +# RAFT_FOLLOWER_HOOK: Executed when a server transits from leader->follower +# The purpose of this hook is to configure the Virtual IP. +# COMMAND: raft/vip.sh is a fully working script, this should not be changed +# ARGUMENTS: and must be replaced. For example +# ARGUMENTS = "follower ens1 10.0.0.2/24" +# +# NOTE: Timeout tunning depends on the latency of the servers (network and load) +# as well as the max downtime tolerated by the system. 
Timeouts needs to be +# greater than 10ms +# +#******************************************************************************* + +FEDERATION = [ + MODE = "STANDALONE", + ZONE_ID = 0, + SERVER_ID = -1, + MASTER_ONED = "" +] + +RAFT = [ + LIMIT_PURGE = 100000, + LOG_RETENTION = 250000, + LOG_PURGE_TIMEOUT = 60, + ELECTION_TIMEOUT_MS = 5000, + BROADCAST_TIMEOUT_MS = 500, + XMLRPC_TIMEOUT_MS = 1000 +] + +# Executed when a server transits from follower->leader +# RAFT_LEADER_HOOK = [ +# COMMAND = "raft/vip.sh", +# ARGUMENTS = "leader " +# ] + +# Executed when a server transits from leader->follower +# RAFT_FOLLOWER_HOOK = [ +# COMMAND = "raft/vip.sh", +# ARGUMENTS = "follower " +# ] + +#******************************************************************************* +# Default showback cost +#------------------------------------------------------------------------------- +# The following attributes define the default cost for Virtual Machines that +# don't have a CPU, MEMORY or DISK cost. This is used by the oneshowback +# calculate method. 
+#******************************************************************************* + +DEFAULT_COST = [ + CPU_COST = 0, + MEMORY_COST = 0, + DISK_COST = 0 +] + +#******************************************************************************* +# XML-RPC server configuration +#------------------------------------------------------------------------------- +# These are configuration parameters for oned's xmlrpc-c server +# +# MAX_CONN: Maximum number of simultaneous TCP connections the server +# will maintain +# +# MAX_CONN_BACKLOG: Maximum number of TCP connections the operating system +# will accept on the server's behalf without the server accepting them from +# the operating system +# +# KEEPALIVE_TIMEOUT: Maximum time in seconds that the server allows a +# connection to be open between RPCs +# +# KEEPALIVE_MAX_CONN: Maximum number of RPCs that the server will execute on +# a single connection +# +# TIMEOUT: Maximum time in seconds the server will wait for the client to +# do anything while processing an RPC. This timeout will be also used when +# proxy calls to the master in a federation. +# +# RPC_LOG: Create a separated log file for xml-rpc requests, in +# "/var/log/one/one_xmlrpc.log". +# +# MESSAGE_SIZE: Buffer size in bytes for XML-RPC responses. +# +# LOG_CALL_FORMAT: Format string to log XML-RPC calls. Interpreted strings: +# %i -- request id +# %m -- method name +# %u -- user id +# %U -- user name +# %l[number] -- param list and number of characters (optional) to print +# each parameter, default is 20. 
Example: %l300 +# %p -- user password +# %g -- group id +# %G -- group name +# %a -- auth token +# %A -- client IP address (only IPv4 supported) +# %P -- client TCP port +# %% -- % +#******************************************************************************* + +#MAX_CONN = 15 +#MAX_CONN_BACKLOG = 15 +#KEEPALIVE_TIMEOUT = 15 +#KEEPALIVE_MAX_CONN = 30 +#TIMEOUT = 15 +#RPC_LOG = NO +#MESSAGE_SIZE = 1073741824 +#LOG_CALL_FORMAT = "Req:%i UID:%u IP:%A %m invoked %l20" + +#******************************************************************************* +# Physical Networks configuration +#******************************************************************************* +# NETWORK_SIZE: Here you can define the default size for the virtual networks +# +# MAC_PREFIX: Default MAC prefix to be used to create the auto-generated MAC +# addresses is defined here (this can be overwritten by the Virtual Network +# template) +# +# VLAN_IDS: VLAN ID pool for the automatic VLAN_ID assignment. This pool +# is for 802.1Q networks (Open vSwitch and 802.1Q drivers). The driver +# will try first to allocate VLAN_IDS[START] + VNET_ID +# start: First VLAN_ID to use +# reserved: Comma separated list of VLAN_IDs or ranges. Two numbers +# separated by a colon indicate a range. +# +# VXLAN_IDS: Automatic VXLAN Network ID (VNI) assignment. This is used +# for vxlan networks. +# start: First VNI to use +# NOTE: reserved is not supported by this pool +# +# PCI_PASSTHROUGH_BUS: Default bus to attach passthrough devices in the guest, +# in hex notation. It may be overwritten in the PCI device using the BUS +# attribute. 
+#******************************************************************************* + +NETWORK_SIZE = 254 + +MAC_PREFIX = "02:00" + +VLAN_IDS = [ + START = "2", + RESERVED = "0, 1, 4095" +] + +VXLAN_IDS = [ + START = "2" +] + +#PCI_PASSTHROUGH_BUS = "0x01" + +#******************************************************************************* +# DataStore Configuration +#******************************************************************************* +# DATASTORE_LOCATION: Path for Datastores. It IS the same for all the hosts +# and front-end. It defaults to /var/lib/one/datastores (in self-contained mode +# defaults to $ONE_LOCATION/var/datastores). Each datastore has its own +# directory (called BASE_PATH) in the form: $DATASTORE_LOCATION/ +# You can symlink this directory to any other path if needed. BASE_PATH is +# generated from this attribute each time oned is started. +# +# DATASTORE_CAPACITY_CHECK: Checks that there is enough capacity before +# creating a new image. Defaults to Yes +# +# DEFAULT_IMAGE_TYPE: This can take values +# OS Image file holding an operating system +# CDROM Image file holding a CDROM +# DATABLOCK Image file holding a datablock, created as an empty block +# +# DEFAULT_DEVICE_PREFIX: This can be set to +# hd IDE prefix +# sd SCSI +# vd KVM virtual disk +# +# DEFAULT_CDROM_DEVICE_PREFIX: Same as above but for CDROM devices. +# +# DEFAULT_IMAGE_PERSISTENT: Control the default value for the PERSISTENT +# attribute on image creation (oneimage clone, onevm disk-saveas). If blank +# images will inherit the persistent attribute from the base image. +# +# DEFAULT_IMAGE_PERSISTENT_NEW: Control the default value for the PERSISTENT +# attribute on image creation (oneimage create). By default images are no +# persistent if not set. 
+#******************************************************************************* + +#DATASTORE_LOCATION = /var/lib/one/datastores + +DATASTORE_CAPACITY_CHECK = "no" + +DEFAULT_DEVICE_PREFIX = "vd" +DEFAULT_CDROM_DEVICE_PREFIX = "hd" + +DEFAULT_IMAGE_TYPE = "OS" +#DEFAULT_IMAGE_PERSISTENT = "" +#DEFAULT_IMAGE_PERSISTENT_NEW = "" + +#******************************************************************************* +# Information Driver Configuration +#******************************************************************************* +# You can add more information managers with different configurations but make +# sure it has different names. +# +# name : name for this information manager +# +# executable: path of the information driver executable, can be an +# absolute path or relative to $ONE_LOCATION/lib/mads (or +# /usr/lib/one/mads/ if OpenNebula was installed in /) +# +# arguments : for the driver executable, usually a probe configuration file, +# can be an absolute path or relative to $ONE_LOCATION/etc (or +# /etc/one/ if OpenNebula was installed in /) +#******************************************************************************* + +#------------------------------------------------------------------------------- +# Information Collector for KVM IM's. +#------------------------------------------------------------------------------- +# This driver CANNOT BE ASSIGNED TO A HOST, and needs to be used with KVM +# -h prints this help. +# -a Address to bind the collectd socket (default 0.0.0.0) +# -p UDP port to listen for monitor information (default 4124) +# -f Interval in seconds to flush collected information (default 5) +# -t Number of threads for the server (default 50) +# -i Time in seconds of the monitorization push cycle. This parameter must +# be smaller than MONITORING_INTERVAL_HOST, otherwise push monitorization will +# not be effective. 
+# -w Timeout in seconds to execute external commands (default unlimited) +#------------------------------------------------------------------------------- +IM_MAD = [ + NAME = "collectd", + EXECUTABLE = "collectd", + ARGUMENTS = "-p 4124 -f 5 -t 50 -i 60" ] +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# KVM UDP-push Information Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -w Timeout in seconds to execute external commands (default unlimited) +#------------------------------------------------------------------------------- +IM_MAD = [ + NAME = "kvm", + SUNSTONE_NAME = "KVM", + EXECUTABLE = "one_im_ssh", + ARGUMENTS = "-r 3 -t 15 -w 90 kvm" ] +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# KVM SSH-pull Information Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -w Timeout in seconds to execute external commands (default unlimited) +#------------------------------------------------------------------------------- +# IM_MAD = [ +# NAME = "kvm", +# SUNSTONE_NAME = "kvm-ssh", +# EXECUTABLE = "one_im_ssh", +# ARGUMENTS = "-r 3 -t 15 -w 90 kvm-probes" ] +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# LXD UDP-push Information Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. 
number of hosts monitored at the same time +# -w Timeout in seconds to execute external commands (default unlimited) +#------------------------------------------------------------------------------- +IM_MAD = [ + NAME = "lxd", + SUNSTONE_NAME = "LXD", + EXECUTABLE = "one_im_ssh", + ARGUMENTS = "-r 3 -t 15 -w 90 lxd" ] +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# LXD SSH-pull Information Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -w Timeout in seconds to execute external commands (default unlimited) +#------------------------------------------------------------------------------- +# IM_MAD = [ +# NAME = "lxd", +# SUNSTONE_NAME = "lxd-ssh", +# EXECUTABLE = "one_im_ssh", +# ARGUMENTS = "-r 3 -t 15 -w 90 lxd-probes" ] +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# vCenter Information Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -w Timeout in seconds to execute external commands (default unlimited) +#------------------------------------------------------------------------------- +IM_MAD = [ + NAME = "vcenter", + SUNSTONE_NAME = "VMWare vCenter", + EXECUTABLE = "one_im_sh", + ARGUMENTS = "-c -t 15 -r 0 vcenter" ] +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# EC2 Information Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. 
number of hosts monitored at the same time +# -w Timeout in seconds to execute external commands (default unlimited) +#------------------------------------------------------------------------------- +#IM_MAD = [ +# NAME = "ec2", +# SUNSTONE_NAME = "Amazon EC2", +# EXECUTABLE = "one_im_sh", +# ARGUMENTS = "-c -t 1 -r 0 -w 600 ec2" ] +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# Azure Information Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -w Timeout in seconds to execute external commands (default unlimited) +#------------------------------------------------------------------------------- +#IM_MAD = [ +# NAME = "az", +# SUNSTONE_NAME = "Microsoft Azure", +# EXECUTABLE = "one_im_sh", +# ARGUMENTS = "-c -t 1 -r 0 az" ] +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# Hybrid OpenNebula Information Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. 
number of hosts monitored at the same time +#------------------------------------------------------------------------------- +# IM_MAD = [ +# NAME = "one", +# SUNSTONE_NAME = "OpenNebula", +# EXECUTABLE = "one_im_sh", +# ARGUMENTS = "-c -t 1 -r 0 one" ] +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# Dummy Information Driver Manager Configuration +#------------------------------------------------------------------------------- +#IM_MAD = [ NAME="dummy", SUNSTONE_NAME="Testing", EXECUTABLE="one_im_dummy"] +#------------------------------------------------------------------------------- + +#******************************************************************************* +# Virtualization Driver Configuration +#******************************************************************************* +# You can add more virtualization managers with different configurations but +# make sure it has different names. +# +# name : name of the virtual machine manager driver +# +# executable: path of the virtualization driver executable, can be an +# absolute path or relative to $ONE_LOCATION/lib/mads (or +# /usr/lib/one/mads/ if OpenNebula was installed in /) +# +# arguments : for the driver executable +# +# default : default values and configuration parameters for the driver, can +# be an absolute path or relative to $ONE_LOCATION/etc (or +# /etc/one/ if OpenNebula was installed in /) +# +# type : driver type, supported drivers: xen, kvm, xml +# +# keep_snapshots: do not remove snapshots on power on/off cycles and live +# migrations if the hypervisor supports that. +# +# imported_vms_actions : comma-separated list of actions supported +# for imported vms. 
The available actions are: +# migrate +# live-migrate +# terminate +# terminate-hard +# undeploy +# undeploy-hard +# hold +# release +# stop +# suspend +# resume +# delete +# delete-recreate +# reboot +# reboot-hard +# resched +# unresched +# poweroff +# poweroff-hard +# disk-attach +# disk-detach +# nic-attach +# nic-detach +# snap-create +# snap-delete +#******************************************************************************* + +#------------------------------------------------------------------------------- +# KVM Virtualization Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -l actions executed locally, command can be +# overridden for each action. +# Valid actions: deploy, shutdown, cancel, save, restore, migrate, poll +# An example: "-l migrate=migrate_local,save" +# -p more than one action per host in parallel, needs support from hypervisor +# -s to execute remote commands, bash by default +# -w Timeout in seconds to execute external commands (default unlimited) +# +# Note: You can use type = "qemu" to use qemu emulated guests, e.g. 
if your +# CPU does not have virtualization extensions or use nested Qemu-KVM hosts +#------------------------------------------------------------------------------- +VM_MAD = [ + NAME = "kvm", + SUNSTONE_NAME = "KVM", + EXECUTABLE = "one_vmm_exec", + ARGUMENTS = "-t 15 -r 0 kvm", + DEFAULT = "vmm_exec/vmm_exec_kvm.conf", + TYPE = "kvm", + KEEP_SNAPSHOTS = "yes", + IMPORTED_VMS_ACTIONS = "terminate, terminate-hard, hold, release, suspend, + resume, delete, reboot, reboot-hard, resched, unresched, disk-attach, + disk-detach, nic-attach, nic-detach, snapshot-create, snapshot-delete" +] + +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# LXD Virtualization Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -l actions executed locally, command can be +# overridden for each action. 
+# Valid actions: deploy, shutdown, cancel, save, restore, migrate, poll +# An example: "-l migrate=migrate_local,save" +# -p more than one action per host in parallel, needs support from hypervisor +# -s to execute remote commands, bash by default +# -w Timeout in seconds to execute external commands (default unlimited) +# +#------------------------------------------------------------------------------- +VM_MAD = [ + NAME = "lxd", + SUNSTONE_NAME = "LXD", + EXECUTABLE = "one_vmm_exec", + ARGUMENTS = "-t 15 -r 0 lxd", + # DEFAULT = "vmm_exec/vmm_exec_lxd.conf", + TYPE = "xml", + KEEP_SNAPSHOTS = "no", + IMPORTED_VMS_ACTIONS = "terminate, terminate-hard, reboot, reboot-hard, poweroff, poweroff-hard, suspend, resume, stop, delete, nic-attach, nic-detach" +] + +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# vCenter Virtualization Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -p more than one action per host in parallel, needs support from hypervisor +# -s to execute commands, bash by default +# -d default snapshot strategy. It can be either 'detach' or 'suspend'. It +# defaults to 'suspend'. 
+# -w Timeout in seconds to execute external commands (default unlimited)
+#-------------------------------------------------------------------------------
+VM_MAD = [
+ NAME = "vcenter",
+ SUNSTONE_NAME = "VMWare vCenter",
+ EXECUTABLE = "one_vmm_sh",
+ ARGUMENTS = "-p -t 15 -r 0 vcenter -s sh",
+ DEFAULT = "vmm_exec/vmm_exec_vcenter.conf",
+ TYPE = "xml",
+ KEEP_SNAPSHOTS = "yes",
+ DS_LIVE_MIGRATION = "yes",
+ IMPORTED_VMS_ACTIONS = "terminate, terminate-hard, hold, release, suspend,
+ resume, delete, reboot, reboot-hard, resched, unresched, poweroff,
+ poweroff-hard, disk-attach, disk-detach, nic-attach, nic-detach,
+ snapshot-create, snapshot-delete, migrate, live-migrate"
+]
+#-------------------------------------------------------------------------------
+
+#-------------------------------------------------------------------------------
+# EC2 Virtualization Driver Manager Configuration
+# -r number of retries when monitoring a host
+# -t number of threads, i.e. number of actions performed at the same time
+# -w Timeout in seconds to execute external commands (default unlimited)
+# -p more than one action per host in parallel, needs support from hypervisor
+#-------------------------------------------------------------------------------
+#VM_MAD = [
+# NAME = "ec2",
+# SUNSTONE_NAME = "Amazon EC2",
+# EXECUTABLE = "one_vmm_sh",
+# ARGUMENTS = "-t 15 -r 0 -w 600 -p ec2",
+# TYPE = "xml",
+# KEEP_SNAPSHOTS = "no",
+# IMPORTED_VMS_ACTIONS = "terminate, terminate-hard, hold, release, suspend,
+# resume, delete, reboot, reboot-hard, resched, unresched, poweroff,
+# poweroff-hard, disk-attach, disk-detach, nic-attach, nic-detach,
+# snap-create, snap-delete"
+#]
+#-------------------------------------------------------------------------------
+
+#-------------------------------------------------------------------------------
+# Azure Virtualization Driver Manager Configuration
+# -r number of retries when monitoring a host
+# -t number of threads, i.e.
number of actions performed at the same time
+# -w Timeout in seconds to execute external commands (default unlimited)
+#-------------------------------------------------------------------------------
+#VM_MAD = [
+# NAME = "az",
+# SUNSTONE_NAME = "Microsoft Azure",
+# EXECUTABLE = "one_vmm_sh",
+# ARGUMENTS = "-t 15 -r 0 az",
+# TYPE = "xml",
+# KEEP_SNAPSHOTS = "no",
+# IMPORTED_VMS_ACTIONS = "terminate, terminate-hard, hold, release, suspend,
+# resume, delete, reboot, reboot-hard, resched, unresched, poweroff,
+# poweroff-hard, disk-attach, disk-detach, nic-attach, nic-detach,
+# snap-create, snap-delete"
+#]
+#-------------------------------------------------------------------------------
+
+#-------------------------------------------------------------------------------
+# Hybrid OpenNebula Virtualization Driver Manager Configuration
+# -r number of retries when monitoring a host
+# -t number of threads, i.e. number of actions performed at the same time
+#-------------------------------------------------------------------------------
+# VM_MAD = [
+# NAME = "one",
+# SUNSTONE_NAME = "OpenNebula",
+# EXECUTABLE = "one_vmm_sh",
+# ARGUMENTS = "-t 15 -r 0 one",
+# TYPE = "xml",
+# KEEP_SNAPSHOTS = "no",
+# IMPORTED_VMS_ACTIONS = "terminate, terminate-hard, hold, release, suspend,
+# resume, delete, reboot, reboot-hard, resched, unresched, poweroff,
+# poweroff-hard"
+# ]
+#-------------------------------------------------------------------------------
+
+
+#-------------------------------------------------------------------------------
+# Dummy Virtualization Driver Configuration
+#-------------------------------------------------------------------------------
+#VM_MAD = [ NAME="dummy", SUNSTONE_NAME="Testing", EXECUTABLE="one_vmm_dummy",
+# TYPE="xml" ]
+#-------------------------------------------------------------------------------
+
+#*******************************************************************************
+# Transfer Manager Driver Configuration
+#*******************************************************************************
+# You can add more transfer managers with different configurations but make
+# sure it has different names.
+# name : name for this transfer driver
+#
+# executable: path of the transfer driver executable, can be an
+# absolute path or relative to $ONE_LOCATION/lib/mads (or
+# /usr/lib/one/mads/ if OpenNebula was installed in /)
+# arguments :
+# -t: number of threads, i.e. number of transfers made at the same time
+# -d: list of transfer drivers separated by commas, if not defined all the
+# drivers available will be enabled
+# -w: Timeout in seconds to execute external commands (default unlimited)
+#*******************************************************************************
+
+TM_MAD = [
+ EXECUTABLE = "one_tm",
+ ARGUMENTS = "-t 15 -d dummy,lvm,shared,fs_lvm,qcow2,ssh,ceph,dev,vcenter,iscsi_libvirt"
+]
+
+#*******************************************************************************
+# Datastore Driver Configuration
+#*******************************************************************************
+# Drivers to manage the datastores, specialized for the storage backend
+# executable: path of the transfer driver executable, can be an
+# absolute path or relative to $ONE_LOCATION/lib/mads (or
+# /usr/lib/one/mads/ if OpenNebula was installed in /)
+#
+# arguments : for the driver executable
+# -t number of threads, i.e. number of repo operations at the same time
+# -d datastore mads separated by commas
+# -s system datastore tm drivers, used to monitor shared system ds.
+# -w Timeout in seconds to execute external commands (default unlimited)
+#*******************************************************************************
+
+DATASTORE_MAD = [
+ EXECUTABLE = "one_datastore",
+ ARGUMENTS = "-t 15 -d dummy,fs,lvm,ceph,dev,iscsi_libvirt,vcenter -s shared,ssh,ceph,fs_lvm,qcow2,vcenter"
+]
+
+#*******************************************************************************
+# Marketplace Driver Configuration
+#*******************************************************************************
+# Drivers to manage different marketplaces, specialized for the storage backend
+# executable: path of the transfer driver executable, can be an
+# absolute path or relative to $ONE_LOCATION/lib/mads (or
+# /usr/lib/one/mads/ if OpenNebula was installed in /)
+#
+# arguments : for the driver executable
+# -t number of threads, i.e. number of repo operations at the same time
+# -m marketplace mads separated by commas
+# --proxy proxy address if required to access the internet
+# -w Timeout in seconds to execute external commands (default unlimited)
+#*******************************************************************************
+
+MARKET_MAD = [
+ EXECUTABLE = "one_market",
+ ARGUMENTS = "-t 15 -m http,s3,one,linuxcontainers"
+]
+
+#*******************************************************************************
+# IPAM Driver Configuration
+#*******************************************************************************
+# Drivers to manage different IPAMs
+# executable: path of the IPAM driver executable, can be an
+# absolute path or relative to $ONE_LOCATION/lib/mads (or
+# /usr/lib/one/mads/ if OpenNebula was installed in /)
+#
+# arguments : for the driver executable
+# -t number of threads, i.e.
number of operations at the same time
+# -i IPAM mads separated by commas
+#*******************************************************************************
+
+IPAM_MAD = [
+ EXECUTABLE = "one_ipam",
+ ARGUMENTS = "-t 1 -i dummy"
+]
+
+#*******************************************************************************
+# Hook Manager Configuration
+#*******************************************************************************
+# The Driver (HM_MAD)
+# -----------------------------------------------
+#
+# Used to execute the Hooks:
+# executable: path of the hook driver executable, can be an
+# absolute path or relative to $ONE_LOCATION/lib/mads (or
+# /usr/lib/one/mads/ if OpenNebula was installed in /)
+#
+# arguments : for the driver executable, can be an absolute path or relative
+# to $ONE_LOCATION/etc (or /etc/one/ if OpenNebula was installed
+# in /)
+#
+# Virtual Machine Hooks (VM_HOOK)
+# -------------------------------
+#
+# Defined by:
+# name : for the hook, useful to track the hook (OPTIONAL)
+# on : when the hook should be executed,
+# - CREATE, when the VM is created (onevm create)
+# - PROLOG, when the VM is in the prolog state
+# - RUNNING, after the VM is successfully booted
+# - UNKNOWN, when the VM is in the unknown state
+# - SHUTDOWN, after the VM is shutdown
+# - STOP, after the VM is stopped (including VM image transfers)
+# - DONE, after the VM is deleted or shutdown
+# - CUSTOM, user defined specific STATE and LCM_STATE combination
+# of states to trigger the hook.
+# command : path is relative to $ONE_LOCATION/var/remotes/hook
+# (self-contained) or to /var/lib/one/remotes/hook (system-wide).
+# That directory will be copied on the hosts under
+# SCRIPTS_REMOTE_DIR. It can be an absolute path that must exist
+# on the target host
+# arguments : for the hook.
You can access to VM information with $
+# - $ID, the ID of the virtual machine
+# - $TEMPLATE, the VM template in xml and base64 encoded
+# - $PREV_STATE, the previous STATE of the Virtual Machine
+# - $PREV_LCM_STATE, the previous LCM STATE of the Virtual Machine
+# remote : values,
+# - YES, The hook is executed in the host where the VM was
+# allocated
+# - NO, The hook is executed in the OpenNebula server (default)
+#
+# Example Virtual Machine Hook
+# ----------------------------
+#
+# VM_HOOK = [
+# name = "advanced_hook",
+# on = "CUSTOM",
+# state = "ACTIVE",
+# lcm_state = "BOOT_UNKNOWN",
+# command = "log.rb",
+# arguments = "$ID $PREV_STATE $PREV_LCM_STATE" ]
+#
+# Host Hooks (HOST_HOOK)
+# -------------------------------
+#
+# Defined by:
+# name : for the hook, useful to track the hook (OPTIONAL)
+# on : when the hook should be executed,
+# - CREATE, when the Host is created (onehost create)
+# - ERROR, when the Host enters the error state
+# - DISABLE, when the Host is disabled
+# - ENABLE, when the Host is enabled
+# - OFFLINE, when the Host is offline
+# command : path is relative to $ONE_LOCATION/var/remotes/hook
+# (self-contained) or to /var/lib/one/remotes/hook (system-wide).
+# That directory will be copied on the hosts under
+# SCRIPTS_REMOTE_DIR. It can be an absolute path that must exist
+# on the target host.
+# arguments : for the hook. You can use the following Host information:
+# - $ID, the ID of the host
+# - $TEMPLATE, the Host template in xml and base64 encoded
+# remote : values,
+# - YES, The hook is executed in the host
+# - NO, The hook is executed in the OpenNebula server (default)
+#
+# Virtual Network (VNET_HOOK)
+# Virtual Router (VROUTER_HOOK)
+# User (USER_HOOK)
+# Group (GROUP_HOOK)
+# Image (IMAGE_HOOK)
+# -------------------------------
+#
+# These hooks are executed when one of the referring entities are created or
+# removed.
Each hook is defined by:
+# name : for the hook, useful to track the hook (OPTIONAL)
+# on : when the hook should be executed,
+# - CREATE, when the vnet is created
+# - REMOVE, when the vnet is removed
+# command : path is relative to $ONE_LOCATION/var/remotes/hook
+# (self-contained) or to /var/lib/one/remotes/hook (system-wide).
+# That directory will be copied on the hosts under
+# SCRIPTS_REMOTE_DIR. It can be an absolute path that must exist
+# on the target host.
+# arguments : for the hook. You can use the following Host information:
+# - $ID, the ID of the host
+# - $TEMPLATE, the vnet template in xml and base64 encoded
+#
+# Please note: In a Federation, User and Group hooks can only be defined in
+# the master OpenNebula.
+#-------------------------------------------------------------------------------
+
+HM_MAD = [
+ EXECUTABLE = "one_hm" ]
+
+#VNET_HOOK = [
+# name = "vcenter_net_create",
+# on = "CREATE",
+# command = "vcenter/create_vcenter_net.rb",
+# arguments = "$ID $TEMPLATE"]
+
+#VNET_HOOK = [
+# name = "vcenter_net_delete",
+# on = "REMOVE",
+# command = "vcenter/delete_vcenter_net.rb",
+# arguments = "$ID $TEMPLATE"]
+
+#*******************************************************************************
+# Fault Tolerance Hooks
+#*******************************************************************************
+# This hook is used to perform recovery actions when a host fails.
+# Script to implement host failure tolerance
+# One of the following modes must be chosen
+# -m resched VMs to another host. (Only for images in shared storage!)
+# -r recreate VMs running in the host. State will be lost.
+# -d delete VMs running in the host
+#
+# Additional flags
+# -f resubmit suspended and powered off VMs (only for recreate)
+# -p avoid resubmission if host comes back after n monitoring
+# cycles. 0 to disable it. Default is 2.
+# -u disables fencing. Fencing is enabled by default.
Don't disable it
+# unless you are very sure about what you're doing
+#*******************************************************************************
+#
+#HOST_HOOK = [
+# NAME = "error",
+# ON = "ERROR",
+# COMMAND = "ft/host_error.rb",
+# ARGUMENTS = "$ID -m -p 5",
+# REMOTE = "no" ]
+#-------------------------------------------------------------------------------
+
+#*******************************************************************************
+# Auth Manager Configuration
+#*******************************************************************************
+# AUTH_MAD: The Driver that will be used to authenticate (authn) and
+# authorize (authz) OpenNebula requests. If defined OpenNebula will use the
+# built-in auth policies.
+#
+# executable: path of the auth driver executable, can be an
+# absolute path or relative to $ONE_LOCATION/lib/mads (or
+# /usr/lib/one/mads/ if OpenNebula was installed in /)
+#
+# authn : list of authentication modules separated by commas, if not
+# defined all the modules available will be enabled
+# authz : list of authentication modules separated by commas
+#
+# DEFAULT_AUTH: The default authentication driver to use when OpenNebula does
+# not know the user and needs to authenticate it externally. If you want to
+# use "default" (not recommended, but supported for backwards compatibility
+# reasons) make sure you create a symlink pointing to the actual authentication
+# driver in /var/lib/one/remotes/auth, and add "default" to the 'auth'
+# parameter in the 'AUTH_MAD' section.
+#
+# SESSION_EXPIRATION_TIME: Time in seconds to keep an authenticated token as
+# valid. During this time, the driver is not used. Use 0 to disable session
+# caching
+#
+# ENABLE_OTHER_PERMISSIONS: Whether or not users can set the permissions for
+# 'other', so publishing or sharing resources with others. Users in the oneadmin
+# group will still be able to change these permissions. Values: YES or NO.
+#
+# DEFAULT_UMASK: Similar to Unix umask, sets the default resources permissions.
+# Its format must be 3 octal digits. For example a umask of 137 will set
+# the new object's permissions to 640 "um- u-- ---"
+#*******************************************************************************
+
+AUTH_MAD = [
+ EXECUTABLE = "one_auth_mad",
+ AUTHN = "ssh,x509,ldap,server_cipher,server_x509"
+]
+
+#DEFAULT_AUTH = "default"
+
+SESSION_EXPIRATION_TIME = 900
+
+#ENABLE_OTHER_PERMISSIONS = "YES"
+
+DEFAULT_UMASK = 177
+
+#*******************************************************************************
+# OneGate
+# ONEGATE_ENDPOINT: The URL for the onegate server (the Gate to OpenNebula for
+# VMs). The onegate server is started using a separate command. The endpoint
+# MUST be consistent with the values in onegate-server.conf
+#*******************************************************************************
+
+#ONEGATE_ENDPOINT = "http://frontend:5030"
+
+#*******************************************************************************
+# VM Operations Permissions
+#******************************************************************************
+# The following parameters define the operations associated to the ADMIN,
+# MANAGE and USE permissions. Note that some VM operations require additional
+# permissions on other objects.
Also some operations refers to a class of
+# actions:
+# - disk-snapshot, includes create, delete and revert actions
+# - disk-attach, includes attach and detach actions
+# - nic-attach, includes attach and detach actions
+# - snapshot, includes create, delete and revert actions
+# - resched, includes resched and unresched actions
+#******************************************************************************
+
+VM_ADMIN_OPERATIONS = "migrate, delete, recover, retry, deploy, resched"
+
+VM_MANAGE_OPERATIONS = "undeploy, hold, release, stop, suspend, resume, reboot,
+ poweroff, disk-attach, nic-attach, disk-snapshot, terminate, disk-resize,
+ snapshot, updateconf, rename, resize, update, disk-saveas"
+
+VM_USE_OPERATIONS = ""
+
+#*******************************************************************************
+# Default Permissions for VDC ACL rules
+#*******************************************************************************
+# Default ACL rules created when resource is added to a VDC. The following
+# attributes configures the permissions granted to the VDC group for each
+# resource types:
+# DEFAULT_VDC_HOST_ACL: permissions granted on hosts added to a VDC.
+# DEFAULT_VDC_NET_ACL: permissions granted on vnets added to a VDC.
+# DEFAULT_VDC_DATASTORE_ACL: permissions granted on datastores to a VDC.
+#
+# DEFAULT_VDC_CLUSTER_HOST_ACL: permissions granted to cluster hosts when a
+# cluster is added to the VDC.
+# DEFAULT_VDC_CLUSTER_NET_ACL: permissions granted to cluster vnets when a
+# cluster is added to the VDC.
+# DEFAULT_VDC_CLUSTER_DATASTORE_ACL: permissions granted to cluster datastores
+# when a cluster is added to the VDC.
+#
+# When defining the permissions you can use "" or "-" to not add any rule to
+# that specific resource. Also you can combine several permissions with "+",
+# for exampl "MANAGE+USE". Valid permissions are USE, MANAGE or ADMIN.
+#
+# Example:
+# DEFAULT_VDC_HOST_ACL = "MANAGE"
+# Adds @ HOST/# MANAGE # when a host is added to the VDC,
+# eg. onevdc addhost
+#
+# DEFAULT_VDC_VNET_ACL = "USE"
+# Adds @ NET/# USE # when a vnet is added to the VDC,
+# eg. onevdc addvnet
+#
+# DEFAULT_VDC_DATASTORE_ACL = "USE"
+# Adds @ DATASTORE/# USE # when a vnet is added to the VDC,
+# eg. onevdc adddatastore
+#
+# DEFAULT_VDC_CLUSTER_HOST_ACL = "MANAGE"
+# DEFAULT_VDC_CLUSTER_NET_ACL = "USE"
+# DEFAULT_VDC_CLUSTER_DATASTORE_ACL = "USE"
+# Adds:
+# @ HOST/% MANAGE #
+# @ DATASTORE+NET/% USE #
+# when a cluster is added to the VDC, e.g. onevdc addcluster
+#*******************************************************************************
+
+DEFAULT_VDC_HOST_ACL = "MANAGE"
+DEFAULT_VDC_VNET_ACL = "USE"
+DEFAULT_VDC_DATASTORE_ACL = "USE"
+
+DEFAULT_VDC_CLUSTER_HOST_ACL = "MANAGE"
+DEFAULT_VDC_CLUSTER_NET_ACL = "USE"
+DEFAULT_VDC_CLUSTER_DATASTORE_ACL = "USE"
+
+#*******************************************************************************
+# Restricted Attributes Configuration
+#*******************************************************************************
+# The following attributes are restricted to users outside the oneadmin group
+#*******************************************************************************
+
+VM_RESTRICTED_ATTR = "CONTEXT/FILES"
+VM_RESTRICTED_ATTR = "NIC/MAC"
+VM_RESTRICTED_ATTR = "NIC/VLAN_ID"
+VM_RESTRICTED_ATTR = "NIC/BRIDGE"
+VM_RESTRICTED_ATTR = "NIC/INBOUND_AVG_BW"
+VM_RESTRICTED_ATTR = "NIC/INBOUND_PEAK_BW"
+VM_RESTRICTED_ATTR = "NIC/INBOUND_PEAK_KB"
+VM_RESTRICTED_ATTR = "NIC/OUTBOUND_AVG_BW"
+VM_RESTRICTED_ATTR = "NIC/OUTBOUND_PEAK_BW"
+VM_RESTRICTED_ATTR = "NIC/OUTBOUND_PEAK_KB"
+VM_RESTRICTED_ATTR = "NIC/OPENNEBULA_MANAGED"
+VM_RESTRICTED_ATTR = "NIC/VCENTER_INSTANCE_ID"
+VM_RESTRICTED_ATTR = "NIC/VCENTER_NET_REF"
+VM_RESTRICTED_ATTR = "NIC/VCENTER_PORTGROUP_TYPE"
+VM_RESTRICTED_ATTR = "NIC/EXTERNAL"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/MAC"
+VM_RESTRICTED_ATTR = 
"NIC_ALIAS/VLAN_ID"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/BRIDGE"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/INBOUND_AVG_BW"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/INBOUND_PEAK_BW"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/INBOUND_PEAK_KB"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/OUTBOUND_AVG_BW"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/OUTBOUND_PEAK_BW"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/OUTBOUND_PEAK_KB"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/OPENNEBULA_MANAGED"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/VCENTER_INSTANCE_ID"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/VCENTER_NET_REF"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/VCENTER_PORTGROUP_TYPE"
+VM_RESTRICTED_ATTR = "NIC_ALIAS/EXTERNAL"
+VM_RESTRICTED_ATTR = "NIC_DEFAULT/MAC"
+VM_RESTRICTED_ATTR = "NIC_DEFAULT/VLAN_ID"
+VM_RESTRICTED_ATTR = "NIC_DEFAULT/BRIDGE"
+VM_RESTRICTED_ATTR = "NIC_DEFAULT/EXTERNAL"
+VM_RESTRICTED_ATTR = "DISK/TOTAL_BYTES_SEC"
+VM_RESTRICTED_ATTR = "DISK/TOTAL_BYTES_SEC_MAX_LENGTH"
+VM_RESTRICTED_ATTR = "DISK/TOTAL_BYTES_SEC_MAX"
+VM_RESTRICTED_ATTR = "DISK/READ_BYTES_SEC"
+VM_RESTRICTED_ATTR = "DISK/READ_BYTES_SEC_MAX_LENGTH"
+VM_RESTRICTED_ATTR = "DISK/READ_BYTES_SEC_MAX"
+VM_RESTRICTED_ATTR = "DISK/WRITE_BYTES_SEC"
+VM_RESTRICTED_ATTR = "DISK/WRITE_BYTES_SEC_MAX_LENGTH"
+VM_RESTRICTED_ATTR = "DISK/WRITE_BYTES_SEC_MAX"
+VM_RESTRICTED_ATTR = "DISK/TOTAL_IOPS_SEC"
+VM_RESTRICTED_ATTR = "DISK/TOTAL_IOPS_SEC_MAX_LENGTH"
+VM_RESTRICTED_ATTR = "DISK/TOTAL_IOPS_SEC_MAX"
+VM_RESTRICTED_ATTR = "DISK/READ_IOPS_SEC"
+VM_RESTRICTED_ATTR = "DISK/READ_IOPS_SEC_MAX_LENGTH"
+VM_RESTRICTED_ATTR = "DISK/READ_IOPS_SEC_MAX"
+VM_RESTRICTED_ATTR = "DISK/WRITE_IOPS_SEC"
+VM_RESTRICTED_ATTR = "DISK/WRITE_IOPS_SEC_MAX_LENGTH"
+VM_RESTRICTED_ATTR = "DISK/WRITE_IOPS_SEC_MAX"
+VM_RESTRICTED_ATTR = "DISK/OPENNEBULA_MANAGED"
+VM_RESTRICTED_ATTR = "DISK/VCENTER_DS_REF"
+VM_RESTRICTED_ATTR = "DISK/VCENTER_INSTANCE_ID"
+#VM_RESTRICTED_ATTR = "DISK/SIZE"
+VM_RESTRICTED_ATTR = "DISK/ORIGINAL_SIZE"
+VM_RESTRICTED_ATTR = "DISK/SIZE_PREV"
+VM_RESTRICTED_ATTR = "CPU_COST"
+VM_RESTRICTED_ATTR = 
"MEMORY_COST"
+VM_RESTRICTED_ATTR = "DISK_COST"
+VM_RESTRICTED_ATTR = "PCI"
+VM_RESTRICTED_ATTR = "EMULATOR"
+VM_RESTRICTED_ATTR = "RAW"
+VM_RESTRICTED_ATTR = "USER_PRIORITY"
+VM_RESTRICTED_ATTR = "USER_INPUTS/CPU"
+VM_RESTRICTED_ATTR = "USER_INPUTS/MEMORY"
+VM_RESTRICTED_ATTR = "USER_INPUTS/VCPU"
+VM_RESTRICTED_ATTR = "VCENTER_VM_FOLDER"
+VM_RESTRICTED_ATTR = "VCENTER_ESX_HOST"
+
+#VM_RESTRICTED_ATTR = "RANK"
+#VM_RESTRICTED_ATTR = "SCHED_RANK"
+#VM_RESTRICTED_ATTR = "REQUIREMENTS"
+#VM_RESTRICTED_ATTR = "SCHED_REQUIREMENTS"
+
+IMAGE_RESTRICTED_ATTR = "SOURCE"
+IMAGE_RESTRICTED_ATTR = "VCENTER_IMPORTED"
+
+#*******************************************************************************
+# The following restricted attributes only apply to VNets that are a reservation.
+# Normal VNets do not have restricted attributes.
+#*******************************************************************************
+
+VNET_RESTRICTED_ATTR = "VN_MAD"
+VNET_RESTRICTED_ATTR = "PHYDEV"
+VNET_RESTRICTED_ATTR = "VLAN_ID"
+VNET_RESTRICTED_ATTR = "BRIDGE"
+VNET_RESTRICTED_ATTR = "CONF"
+VNET_RESTRICTED_ATTR = "BRIDGE_CONF"
+VNET_RESTRICTED_ATTR = "OVS_BRIDGE_CONF"
+VNET_RESTRICTED_ATTR = "IP_LINK_CONF"
+VNET_RESTRICTED_ATTR = "FILTER_IP_SPOOFING"
+VNET_RESTRICTED_ATTR = "FILTER_MAC_SPOOFING"
+
+VNET_RESTRICTED_ATTR = "AR/VN_MAD"
+VNET_RESTRICTED_ATTR = "AR/PHYDEV"
+VNET_RESTRICTED_ATTR = "AR/VLAN_ID"
+VNET_RESTRICTED_ATTR = "AR/BRIDGE"
+VNET_RESTRICTED_ATTR = "AR/FILTER_IP_SPOOFING"
+VNET_RESTRICTED_ATTR = "AR/FILTER_MAC_SPOOFING"
+
+VNET_RESTRICTED_ATTR = "CLUSTER_IDS"
+
+VNET_RESTRICTED_ATTR = "EXTERNAL"
+
+#*******************************************************************************
+# Inherited Attributes Configuration
+#*******************************************************************************
+# The following attributes will be copied from the resource template to the
+# instantiated VMs. More than one attribute can be defined.
+#
+# INHERIT_IMAGE_ATTR: Attribute to be copied from the Image template
+# to each VM/DISK.
+#
+# INHERIT_DATASTORE_ATTR: Attribute to be copied from the Datastore template
+# to each VM/DISK.
+#
+# INHERIT_VNET_ATTR: Attribute to be copied from the Network template
+# to each VM/NIC.
+#*******************************************************************************
+
+#INHERIT_IMAGE_ATTR = "EXAMPLE"
+#INHERIT_IMAGE_ATTR = "SECOND_EXAMPLE"
+#INHERIT_DATASTORE_ATTR = "COLOR"
+#INHERIT_VNET_ATTR = "BANDWIDTH_THROTTLING"
+
+INHERIT_DATASTORE_ATTR = "CEPH_HOST"
+INHERIT_DATASTORE_ATTR = "CEPH_SECRET"
+INHERIT_DATASTORE_ATTR = "CEPH_KEY"
+INHERIT_DATASTORE_ATTR = "CEPH_USER"
+INHERIT_DATASTORE_ATTR = "CEPH_CONF"
+INHERIT_DATASTORE_ATTR = "POOL_NAME"
+
+INHERIT_DATASTORE_ATTR = "ISCSI_USER"
+INHERIT_DATASTORE_ATTR = "ISCSI_USAGE"
+INHERIT_DATASTORE_ATTR = "ISCSI_HOST"
+
+INHERIT_IMAGE_ATTR = "ISCSI_USER"
+INHERIT_IMAGE_ATTR = "ISCSI_USAGE"
+INHERIT_IMAGE_ATTR = "ISCSI_HOST"
+INHERIT_IMAGE_ATTR = "ISCSI_IQN"
+
+INHERIT_DATASTORE_ATTR = "GLUSTER_HOST"
+INHERIT_DATASTORE_ATTR = "GLUSTER_VOLUME"
+
+INHERIT_DATASTORE_ATTR = "DISK_TYPE"
+INHERIT_DATASTORE_ATTR = "ALLOW_ORPHANS"
+
+INHERIT_DATASTORE_ATTR = "VCENTER_ADAPTER_TYPE"
+INHERIT_DATASTORE_ATTR = "VCENTER_DISK_TYPE"
+INHERIT_DATASTORE_ATTR = "VCENTER_DS_REF"
+INHERIT_DATASTORE_ATTR = "VCENTER_DS_IMAGE_DIR"
+INHERIT_DATASTORE_ATTR = "VCENTER_DS_VOLATILE_DIR"
+INHERIT_DATASTORE_ATTR = "VCENTER_INSTANCE_ID"
+
+INHERIT_IMAGE_ATTR = "DISK_TYPE"
+INHERIT_IMAGE_ATTR = "VCENTER_ADAPTER_TYPE"
+INHERIT_IMAGE_ATTR = "VCENTER_DISK_TYPE"
+
+INHERIT_VNET_ATTR = "VLAN_TAGGED_ID"
+INHERIT_VNET_ATTR = "FILTER_IP_SPOOFING"
+INHERIT_VNET_ATTR = "FILTER_MAC_SPOOFING"
+INHERIT_VNET_ATTR = "MTU"
+INHERIT_VNET_ATTR = "INBOUND_AVG_BW"
+INHERIT_VNET_ATTR = "INBOUND_PEAK_BW"
+INHERIT_VNET_ATTR = "INBOUND_PEAK_KB"
+INHERIT_VNET_ATTR = "OUTBOUND_AVG_BW"
+INHERIT_VNET_ATTR = "OUTBOUND_PEAK_BW"
+INHERIT_VNET_ATTR = "OUTBOUND_PEAK_KB"
+INHERIT_VNET_ATTR = "CONF"
+INHERIT_VNET_ATTR = "BRIDGE_CONF"
+INHERIT_VNET_ATTR = "OVS_BRIDGE_CONF"
+INHERIT_VNET_ATTR = "IP_LINK_CONF"
+INHERIT_VNET_ATTR = "EXTERNAL"
+
+INHERIT_VNET_ATTR = "VCENTER_NET_REF"
+INHERIT_VNET_ATTR = "VCENTER_SWITCH_NAME"
+INHERIT_VNET_ATTR = "VCENTER_SWITCH_NPORTS"
+INHERIT_VNET_ATTR = "VCENTER_PORTGROUP_TYPE"
+INHERIT_VNET_ATTR = "VCENTER_CCR_REF"
+INHERIT_VNET_ATTR = "VCENTER_INSTANCE_ID"
+
+#*******************************************************************************
+# Transfer Manager Driver Behavior Configuration
+#*******************************************************************************
+# The configuration for each driver is defined in TM_MAD_CONF. These
+# values are used when creating a new datastore and should not be modified
+# since they define the datastore behavior.
+# name : name of the transfer driver, listed in the -d option of the
+# TM_MAD section
+# ln_target : determines how the persistent images will be cloned when
+# a new VM is instantiated.
+# NONE: The image will be linked and no more storage capacity will be used
+# SELF: The image will be cloned in the Images datastore
+# SYSTEM: The image will be cloned in the System datastore
+# clone_target : determines how the non persistent images will be
+# cloned when a new VM is instantiated.
+# NONE: The image will be linked and no more storage capacity will be used
+# SELF: The image will be cloned in the Images datastore
+# SYSTEM: The image will be cloned in the System datastore
+# shared : determines if the storage holding the system datastore is shared
+# among the different hosts or not. Valid values: "yes" or "no"
+# ds_migrate : The driver allows migrations across datastores. Valid values:
+# "yes" or "no". Note: THIS ONLY APPLIES TO SYSTEM DS.
+# allow_orphans: Snapshots can live without parents.
Suported values:
+# YES: Children can be orphan (no parent snapshot)
+# |- snap_1
+# |- snap_2
+# |- snap_3
+# NO: New snapshots are set active and child of the previous one
+# |- snap_1
+# |- snap_2
+# |- snap_3
+# MIXED: Snapshots are children of last snapshot reverted to
+# |- snap_1 (<--- revert)
+# |- snap_3
+# |- snap_4
+# |- snap_2
+#*******************************************************************************
+
+TM_MAD_CONF = [
+ NAME = "dummy", LN_TARGET = "NONE", CLONE_TARGET = "SYSTEM", SHARED = "YES",
+ DS_MIGRATE = "YES"
+]
+
+TM_MAD_CONF = [
+ NAME = "lvm", LN_TARGET = "NONE", CLONE_TARGET = "SELF", SHARED = "YES"
+]
+
+TM_MAD_CONF = [
+ NAME = "shared", LN_TARGET = "NONE", CLONE_TARGET = "SYSTEM", SHARED = "YES",
+ DS_MIGRATE = "YES", TM_MAD_SYSTEM = "ssh", LN_TARGET_SSH = "SYSTEM",
+ CLONE_TARGET_SSH = "SYSTEM", DISK_TYPE_SSH = "FILE"
+]
+
+TM_MAD_CONF = [
+ NAME = "fs_lvm", LN_TARGET = "SYSTEM", CLONE_TARGET = "SYSTEM", SHARED="YES",
+ DRIVER = "raw"
+]
+
+TM_MAD_CONF = [
+ NAME = "qcow2", LN_TARGET = "NONE", CLONE_TARGET = "SYSTEM", SHARED = "YES",
+ DRIVER = "qcow2"
+]
+
+TM_MAD_CONF = [
+ NAME = "ssh", LN_TARGET = "SYSTEM", CLONE_TARGET = "SYSTEM", SHARED = "NO",
+ DS_MIGRATE = "YES"
+]
+
+TM_MAD_CONF = [
+ NAME = "ceph", LN_TARGET = "NONE", CLONE_TARGET = "SELF", SHARED = "YES",
+ DS_MIGRATE = "NO", DRIVER = "raw", ALLOW_ORPHANS="mixed",
+ TM_MAD_SYSTEM = "ssh,shared", LN_TARGET_SSH = "SYSTEM", CLONE_TARGET_SSH = "SYSTEM",
+ DISK_TYPE_SSH = "FILE", TM_MAD_SYSTEM = "shared", LN_TARGET_SHARED = "NONE",
+ CLONE_TARGET_SHARED = "SELF", DISK_TYPE_SHARED = "RBD"
+]
+
+TM_MAD_CONF = [
+ NAME = "iscsi_libvirt", LN_TARGET = "NONE", CLONE_TARGET = "SELF", SHARED = "YES",
+ DS_MIGRATE = "NO"
+]
+
+TM_MAD_CONF = [
+ NAME = "dev", LN_TARGET = "NONE", CLONE_TARGET = "NONE", SHARED = "YES"
+]
+
+TM_MAD_CONF = [
+ NAME = "vcenter", LN_TARGET = "NONE", CLONE_TARGET = "SYSTEM", SHARED = "YES"
+]
+
+#*******************************************************************************
+# Datastore Manager Driver Behavior Configuration
+#*******************************************************************************
+# The configuration for each driver is defined in DS_MAD_CONF. These
+# values are used when creating a new datastore and should not be modified
+# since they define the datastore behavior.
+# name : name of the transfer driver, listed in the -d option of the
+# DS_MAD section
+# required_attrs : comma separated list of required attributes in the DS
+# template
+# persistent_only: specifies whether the datastore can only manage persistent
+# images
+#*******************************************************************************
+
+DS_MAD_CONF = [
+ NAME = "ceph",
+ REQUIRED_ATTRS = "DISK_TYPE,BRIDGE_LIST",
+ PERSISTENT_ONLY = "NO",
+ MARKETPLACE_ACTIONS = "export"
+]
+
+DS_MAD_CONF = [
+ NAME = "dev", REQUIRED_ATTRS = "DISK_TYPE", PERSISTENT_ONLY = "YES"
+]
+
+DS_MAD_CONF = [
+ NAME = "iscsi_libvirt", REQUIRED_ATTRS = "DISK_TYPE,ISCSI_HOST",
+ PERSISTENT_ONLY = "YES"
+]
+
+DS_MAD_CONF = [
+ NAME = "dummy", REQUIRED_ATTRS = "", PERSISTENT_ONLY = "NO"
+]
+
+DS_MAD_CONF = [
+ NAME = "fs", REQUIRED_ATTRS = "", PERSISTENT_ONLY = "NO",
+ MARKETPLACE_ACTIONS = "export"
+]
+
+DS_MAD_CONF = [
+ NAME = "lvm", REQUIRED_ATTRS = "DISK_TYPE,BRIDGE_LIST",
+ PERSISTENT_ONLY = "NO"
+]
+
+DS_MAD_CONF = [
+ NAME = "vcenter",
+ REQUIRED_ATTRS = "VCENTER_INSTANCE_ID,VCENTER_DS_REF,VCENTER_DC_REF",
+ PERSISTENT_ONLY = "NO",
+ MARKETPLACE_ACTIONS = "export"
+]
+
+#*******************************************************************************
+# MarketPlace Driver Behavior Configuration
+#*******************************************************************************
+# The configuration for each driver is defined in MARKET_MAD_CONF. These
+# values are used when creating a new marketplaces and should not be modified
+# since they define the marketplace behavior.
+# name : name of the market driver
+# required_attrs : comma separated list of required attributes in the Market
+# template
+# app_actions: List of actions allowed for a MarketPlaceApp
+# - monitor The apps of the marketplace will be monitored
+# - create, the app in the marketplace
+# - delete, the app from the marketplace
+# public: set to yes for external marketplaces. A public marketplace can be
+# removed even if it has registered apps.
+#*******************************************************************************
+
+MARKET_MAD_CONF = [
+ NAME = "one",
+ SUNSTONE_NAME = "OpenNebula.org Marketplace",
+ REQUIRED_ATTRS = "",
+ APP_ACTIONS = "monitor",
+ PUBLIC = "yes"
+]
+
+MARKET_MAD_CONF = [
+ NAME = "http",
+ SUNSTONE_NAME = "HTTP server",
+ REQUIRED_ATTRS = "BASE_URL,PUBLIC_DIR",
+ APP_ACTIONS = "create, delete, monitor"
+]
+
+MARKET_MAD_CONF = [
+ NAME = "s3",
+ SUNSTONE_NAME = "Amazon S3",
+ REQUIRED_ATTRS = "ACCESS_KEY_ID,SECRET_ACCESS_KEY,REGION,BUCKET",
+ APP_ACTIONS = "create, delete, monitor"
+]
+
+MARKET_MAD_CONF = [
+ NAME = "linuxcontainers",
+ SUNSTONE_NAME = "LinuxContainers.org",
+ REQUIRED_ATTRS = "",
+ APP_ACTIONS = "monitor",
+ PUBLIC = "yes"
+]
+
+#*******************************************************************************
+# Authentication Driver Behavior Definition
+#*******************************************************************************
+# The configuration for each driver is defined in AUTH_MAD_CONF. These
+# values must not be modified since they define the driver behavior.
+# name : name of the auth driver
+# password_change : allow the end users to change their own password. Oneadmin
+# can still change other user's passwords
+# driver_managed_groups : allow the driver to set the user's group even after
+# user creation.
In this case addgroup, delgroup and chgrp +# will be disabled, with the exception of chgrp to one of +# the groups in the list of secondary groups +# max_token_time : limit the maximum token validity, in seconds. Use -1 for +# unlimited maximum, 0 to disable login tokens +#******************************************************************************* + +AUTH_MAD_CONF = [ + NAME = "core", + PASSWORD_CHANGE = "YES", + DRIVER_MANAGED_GROUPS = "NO", + MAX_TOKEN_TIME = "-1" +] + +AUTH_MAD_CONF = [ + NAME = "public", + PASSWORD_CHANGE = "NO", + DRIVER_MANAGED_GROUPS = "NO", + MAX_TOKEN_TIME = "-1" +] + +AUTH_MAD_CONF = [ + NAME = "ssh", + PASSWORD_CHANGE = "YES", + DRIVER_MANAGED_GROUPS = "NO", + MAX_TOKEN_TIME = "-1" +] + +AUTH_MAD_CONF = [ + NAME = "x509", + PASSWORD_CHANGE = "NO", + DRIVER_MANAGED_GROUPS = "NO", + MAX_TOKEN_TIME = "-1" +] + +AUTH_MAD_CONF = [ + NAME = "ldap", + PASSWORD_CHANGE = "YES", + DRIVER_MANAGED_GROUPS = "YES", + MAX_TOKEN_TIME = "86400" +] + +AUTH_MAD_CONF = [ + NAME = "server_cipher", + PASSWORD_CHANGE = "NO", + DRIVER_MANAGED_GROUPS = "NO", + MAX_TOKEN_TIME = "-1" +] + +AUTH_MAD_CONF = [ + NAME = "server_x509", + PASSWORD_CHANGE = "NO", + DRIVER_MANAGED_GROUPS = "NO", + MAX_TOKEN_TIME = "-1" +] + +#******************************************************************************* +# Authentication Driver Behavior Definition +#******************************************************************************* +# The configuration for each driver is defined in VN_MAD_CONF. These +# values must not be modified since they define the driver behavior. 
+# name : name of the auth driver +# BRIDGE_TYPE : define the technology used by the driver +#******************************************************************************* + +VN_MAD_CONF = [ + NAME = "dummy", + BRIDGE_TYPE = "linux" +] + +VN_MAD_CONF = [ + NAME = "802.1Q", + BRIDGE_TYPE = "linux" +] + +VN_MAD_CONF = [ + NAME = "ebtables", + BRIDGE_TYPE = "linux" +] + +VN_MAD_CONF = [ + NAME = "fw", + BRIDGE_TYPE = "linux" +] + +VN_MAD_CONF = [ + NAME = "ovswitch", + BRIDGE_TYPE = "openvswitch" +] + +VN_MAD_CONF = [ + NAME = "vxlan", + BRIDGE_TYPE = "linux" +] + +VN_MAD_CONF = [ + NAME = "vcenter", + BRIDGE_TYPE = "vcenter_port_groups" +] + +VN_MAD_CONF = [ + NAME = "ovswitch_vxlan", + BRIDGE_TYPE = "openvswitch" +] + +VN_MAD_CONF = [ + NAME = "bridge", + BRIDGE_TYPE = "linux" +] diff --git a/apps/opennebula/one/sched.conf b/apps/opennebula/one/sched.conf new file mode 100644 index 0000000..8de1947 --- /dev/null +++ b/apps/opennebula/one/sched.conf 
@@ -0,0 +1,125 @@ +#******************************************************************************* +# OpenNebula Configuration file +#******************************************************************************* + +#******************************************************************************* +# Daemon configuration attributes +#------------------------------------------------------------------------------- +# MESSAGE_SIZE: Buffer size in bytes for XML-RPC responses. +# +# XMLRPC_TIMEOUT: Seconds to timeout XML-RPC calls to oned +# +# ONE_XMLRPC: URL to connect to the OpenNebula daemon (oned) +# +# SCHED_INTERVAL: Seconds between two scheduling actions +# +# MAX_VM: Maximum number of Virtual Machines scheduled in each scheduling +# action. Use 0 to schedule all pending VMs each time. +# +# MAX_DISPATCH: Maximum number of Virtual Machines dispatched in each +# scheduling action +# +# MAX_HOST: Maximum number of Virtual Machines dispatched to each host in +# each scheduling action +# +# LIVE_RESCHEDS: Perform live (1) or cold migrations (0) when rescheduling a VM +# +# DEFAULT_SCHED: Definition of the default scheduling algorithm +# - policy: +# 0 = Packing. Heuristic that minimizes the number of hosts in use by +# packing the VMs in the hosts to reduce VM fragmentation +# 1 = Striping. Heuristic that tries to maximize resources available for +# the VMs by spreading the VMs in the hosts +# 2 = Load-aware. Heuristic that tries to maximize resources available for +# the VMs by using those nodes with less load +# 3 = Custom. +# - rank: Custom arithmetic expression to rank suitable hosts based in +# their attributes +# 4 = Fixed. Hosts will be ranked according to the PRIORITY attribute found +# in the Host or Cluster template. +# +# DEFAULT_DS_SCHED: Definition of the default storage scheduling algorithm +# - policy: +# 0 = Packing. Tries to optimize storage usage by selecting the DS with +# less free space +# 1 = Striping. 
Tries to optimize I/O by distributing the VMs across +# datastores. +# 2 = Custom. +# - rank: Custom arithmetic expression to rank suitable datastores based +# on their attributes +# 3 = Fixed. Datastores will be ranked according to the PRIORITY attribute +# found in the Datastore template. +# +# DEFAULT_NIC_SCHED: Definition of the default virtual network scheduler +# - policy: +# 0 = Packing. Tries to pack address usage by selecting the VNET with +# less free leases +# 1 = Striping. Tries to distribute address usage across VNETs. +# 2 = Custom. +# - rank: Custom arithmetic expression to rank suitable datastores based +# on their attributes +# 3 = Fixed. Virtual Networks will be ranked according to the PRIORITY +# attribute found in the Virtual Network template. +# +# DIFFERENT_VNETS: When set (YES) the NICs of a VM will be forced to be in +# different Virtual Networks. +# +# LOG: Configuration for the logging system +# - system: defines the logging system: +# file to log in the sched.log file +# syslog to use the syslog facilities +# - debug_level: +# 0 = ERROR +# 1 = WARNING +# 2 = INFO +# 3 = DEBUG Includes general scheduling information (default) +# 4 = DDEBUG Includes time taken for each step +# 5 = DDDEBUG Includes detailed information about the scheduling +# decision, such as VM requirements, Host ranking for +# each VM, etc. This will impact the performance +# +# MEMORY_SYSTEM_DS_SCALE: This factor scales the VM usage of the system DS with +# the memory size. 
This factor can be use to make the scheduler consider the +# overhead of checkpoint files: +# system_ds_usage = system_ds_usage + memory_system_ds_scale * memory +# +#******************************************************************************* + +MESSAGE_SIZE = 1073741824 +TIMEOUT = 60 + +ONE_XMLRPC = "http://localhost:2633/RPC2" + +SCHED_INTERVAL = 15 + +MAX_VM = 5000 +MAX_DISPATCH = 30 +MAX_HOST = 1 + +LIVE_RESCHEDS = 1 + +MEMORY_SYSTEM_DS_SCALE = 0 + +DIFFERENT_VNETS = YES + +DEFAULT_SCHED = [ + POLICY = 0 +] + +DEFAULT_DS_SCHED = [ + POLICY = 1 +] + +DEFAULT_NIC_SCHED = [ + POLICY = 1 +] + +#DEFAULT_SCHED = [ +# policy = 3, +# rank = "- (RUNNING_VMS * 50 + FREE_CPU)" +#] + +LOG = [ + system = "std", + debug_level = 3 +] diff --git a/apps/opennebula/one/sunstone-server.conf b/apps/opennebula/one/sunstone-server.conf new file mode 100644 index 0000000..330a388 --- /dev/null +++ b/apps/opennebula/one/sunstone-server.conf 
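Review bot: The header comment documents the XML-RPC timeout under the name `XMLRPC_TIMEOUT`, but the key actually set below is `TIMEOUT = 60`; one of the two should be aligned so a reader grepping the documented name finds the setting (which spelling mm_sched honours I cannot confirm from the diff alone). In the same way `LOG.system` is set to `"std"` while the comment lists only `file` and `syslog` as valid values, so the comment block should gain a line such as `#       std     to log to stdout/stderr (presumably what the container runtime collects)` — or the value should be one of the documented ones — so the two do not look contradictory. The hunk starts at its file's `@@` header, so the whole file is under review here.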
@@ -0,0 +1,257 @@ +# -------------------------------------------------------------------------- # +# Copyright 2002-2017, OpenNebula Project, OpenNebula Systems # +# # +# Licensed under the Apache License, Version 2.0 (the "License"); you may # +# not use this file except in compliance with the License. You may obtain # +# a copy of the License at # +# # +# http://www.apache.org/licenses/LICENSE-2.0 # +# # +# Unless required by applicable law or agreed to in writing, software # +# distributed under the License is distributed on an "AS IS" BASIS, # +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # +# See the License for the specific language governing permissions and # +# limitations under the License. # +#--------------------------------------------------------------------------- # + +################################################################################ +# Server Configuration +################################################################################ + +# Directory to store temp files when uploading images +# +:tmpdir: /var/tmp + +# OpenNebula sever contact information +# +:one_xmlrpc: http://localhost:2633/RPC2 +:one_xmlrpc_timeout: 60 + +# :subscriber_endpoint to subscribe for OpenNebula events must match those in +# oned.conf +:subscriber_endpoint: tcp://localhost:2101 + +# Server Configuration +# +# Sinatra fails if the IP is specified in k8s +#:host: 127.0.0.1 +:port: 9869 + +# Place where to store sessions, this value can be memory, memcache or memcache-dalli +# Use memcache when starting multiple server processes, for example, +# with passenger +# +# NOTE. memcache needs a separate memcached server to be configured. Refer +# to memcached documentation to configure the server. 
+:sessions: memory + +# Memcache configuration +:memcache_host: localhost +:memcache_port: 11211 +:memcache_namespace: opennebula.sunstone + +# Excution environment for Sunstone +# dev, Instead of pulling the minified js all the files will be pulled (app/main.js) +# Check the Building from Source guide in the docs, for details on how to run +# Sunstone in development +# prod, the minified js will be used (dist/main.js) +:env: 'prod' + + +################################################################################ +# Log +################################################################################ + +# Log debug level +# 0 = ERROR, 1 = WARNING, 2 = INFO, 3 = DEBUG +# +:debug_level: 3 + +################################################################################ +# Proxy +################################################################################ + +# Enable an http proxy for the support portal and to download MarketPlaceApps +# from the MarketPlace to the user's desktop. 
+# :proxy: http://: + +################################################################################ +# Auth +################################################################################ + +# Authentication driver for incomming requests +# sunstone: for OpenNebula's user-password scheme +# x509: for x509 certificates based authentication +# opennebula: the authentication will be done by the opennebula core using the +# driver defined for the user +# remote: performs the login based on a Kerberos REMOTE_USER +# +:auth: opennebula + +# Authentication driver to communicate with OpenNebula core +# cipher, for symmetric cipher encryption of tokens +# x509, for x509 certificate encryption of tokens +# +:core_auth: cipher + +# Two Factor Authentication Issuer Label +:two_factor_auth_issuer: opennebula + +################################################################################ +# WebAuthn +################################################################################ + +# This value needs to match `window.location.origin` evaluated by the User Agent +# during registration and authentication ceremonies. Remember that WebAuthn +# requires TLS on anything else than localhost. +#:webauthn_origin: http://localhost:9869 +:webauthn_origin: https://{{ tpl .Values.fqdn . }} + +# Relying Party name for display purposes +:webauthn_rpname: 'OpenNebula Cloud' + +# Optional client timeout hint, in milliseconds. Specifies how long the browser +# should wait for any interaction with the user. 
+:webauthn_timeout: 60000 + +# Optional differing Relying Party ID +# See https://www.w3.org/TR/webauthn/#relying-party-identifier +# :webauthn_rpid: example.com + +# Supported cryptographic algorithms +# See https://www.iana.org/assignments/jose/jose.xhtml +# Possible is any list of +# ES256 | ES384 | ES512 | PS256 | PS384 | PS512 | RS256 | RS384 | RS512 | RS1 +# :webauthn_algorithms: [ES256, PS256, RS256] + +################################################################################ +# Check Upgrades +################################################################################ + +# To check for the latest release. Comment this value if you don't want to check +# this. +:remote_version: http://downloads.opennebula.org/latest + +################################################################################ +# UI Settings +################################################################################ +# :vnc_proxy_ +# port: port where the vnc proxy will listen +# support_wss: no | yes | only. For yes and only, provide path to +# cert and key. "yes" means both ws and wss connections will be +# supported. +# vnc_proxy_cert: Certificate to encrypt wss connections. +# vnc_proxy_key: Key for wss connections. Only necessary if not included in cert. +# vnc_proxy_ipv6: Enable ipv6 support for novnc-server +# +# :vnc_request_password: true | false +# Request VNC password for external windows, by default it will not be requested +# +:vnc_proxy_port: 29876 +:vnc_proxy_support_wss: yes +:vnc_proxy_cert: /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem +:vnc_proxy_key: /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem +:vnc_proxy_ipv6: yes +:vnc_request_password: false + +# Login Session Length in seconds, defaults to 1 hour. +#:session_expire_time: 3600 + + +# Default language setting +:lang: en_US + +# Default table order +:table_order: desc + +# Default views directory +:mode: 'mixed' + +# True to display 'Keep me logged in' option. 
+:keep_me_logged: true + +# this display button and clock icon in table of vm +:leases: + suspend: + time: "+1209600" + color: "#000000" + warning: + time: "-86400" + color: "#085aef" + terminate: + time: "+1209600" + color: "#e1ef08" + warning: + time: "-86400" + color: "#ef2808" + +# This change the thresholds of dashboard resource usage +:threshold_min: 0 +:threshold_low: 33 +:threshold_high: 66 + +#support filesystem +:support_fs: + - ext4 + - ext3 + - ext2 + - xfs + + +################################################################################ +# Marketplace +################################################################################ + +# Marketplace username and password +# If no credentials are provided, an anonymous client will be used +# +#:marketplace_username: +#:marketplace_password: + +# Marketplace endpoint +# The url should not include the /appliance path since it will be automatically +# included +# +:marketplace_url: http://marketplace.opennebula.systems/ + +################################################################################ +# OneFlow +################################################################################ + +# OneFlow endpoint +# +:oneflow_server: http://localhost:2474/ + +################################################################################ +# Routes +################################################################################ + +# Array of files containing ruby code to extend the default sunstone-server +# routes. 
These files must be placed inside the custom_routes directory +# in the sunstone root dir (/usr/lib/one/sunstone/routes) +# +# Example: +# $ ls /usr/lib/one/sunstone/routes +# custom.rb other.rb +# +# $ cat /usr/lib/one/sunstone/routes/example.rb +# get '/custom' do +# body "It works" +# end +# +#:routes: +# - custom +# - other + +:routes: + - oneflow + - vcenter + - support + - nsx + +################################################################################ +# FireEdge +################################################################################ + +#:private_fireedge_endpoint: http://localhost:2616 +#:public_fireedge_endpoint: http://localhost:2616 diff --git a/apps/opennebula/templates/configmap.yaml b/apps/opennebula/templates/configmap.yaml new file mode 100644 index 0000000..3428fa4 --- /dev/null +++ b/apps/opennebula/templates/configmap.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-opennebula-config +data: +{{ tpl (.Files.Glob "one/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-nginx-config +data: +{{ tpl (.Files.Glob "nginx/*").AsConfig . | indent 2 }} diff --git a/apps/opennebula/templates/deployment.yaml b/apps/opennebula/templates/deployment.yaml new file mode 100644 index 0000000..8285312 --- /dev/null +++ b/apps/opennebula/templates/deployment.yaml 
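Review bot: `:vnc_proxy_support_wss: yes` keeps plaintext `ws` console connections enabled alongside `wss`, even though this chart always provisions a certificate (`:vnc_proxy_cert`/`:vnc_proxy_key` point at the Let's Encrypt paths and the deployment waits for that file before starting); `:vnc_proxy_support_wss: only` matches the TLS-only intent. `:sessions: memory` is configured while the deployment runs a memcached sidecar and `:memcache_host: localhost` is set, so either switch to `:sessions: memcache` or drop the sidecar — with `replicas: 1` the in-memory store works, but the extra container is then dead weight. `:remote_version` and `:marketplace_url` are plain `http://` URLs, so the version check and the appliance catalogue are fetched without transport integrity; prefer `https://` where the upstream endpoints offer it. `:debug_level: 3` is the DEBUG level, which is noisy for a long-running production container log.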
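Review bot: `.Files.Glob "one/*"` renders every file under `one/` into a plain, non-secret ConfigMap, which is fine for the scheduler and sunstone settings, but oned.conf is copied from the same ConfigMap by the deployment and, if its database section ever carries the MySQL credentials (not visible in this diff), those would be readable by anyone with ConfigMap read access in the namespace. A comment on the first `data:` block such as `# one/* is rendered into a non-secret ConfigMap — keep credentials in the *-one-auth Secret, not in these files` would make that boundary explicit. Both blocks also pass the files through `tpl`, so any literal `{{` in a future nginx or one config file breaks rendering; that is worth noting in the same comment.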
@@ -0,0 +1,261 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Release.Name }}-opennebula +spec: + selector: + matchLabels: + app-inside: {{ .Release.Name }}-opennebula + replicas: 1 + strategy: + type: "Recreate" + template: + metadata: + labels: + app: {{ .Release.Name }} + app-inside: {{ .Release.Name }}-opennebula + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + spec: + initContainers: + - name: wait-for-cert + image: busybox + command: + - sh + - -c + - until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 2; done + volumeMounts: + - name: etcletsencrypt + mountPath: "/etc/letsencrypt" + - name: sync-opennebula + image: "opennebula/opennebula:{{ .Chart.AppVersion }}" + command: + - rsync + - -av + - /usr/lib/one/sunstone/public/ + - /for-nginx + volumeMounts: + - name: tmp + mountPath: "/for-nginx" + containers: + - name: nginx + image: nginx:1.21-alpine + ports: + - containerPort: 443 + - containerPort: 2634 + volumeMounts: + - name: nginx-config + mountPath: "/etc/nginx/conf.d/" + - name: etcletsencrypt + mountPath: "/etc/letsencrypt" + - name: tmp + mountPath: "/usr/share/nginx/html" + - name: memcached + image: "memcached:1.6.10-alpine" + ports: + - name: tcp-11211 + containerPort: 11211 + protocol: TCP + - name: mysql + image: "mysql:8.0.26" + ports: + - name: tcp-3306 + containerPort: 3306 + protocol: TCP + env: + - name: MYSQL_ALLOW_EMPTY_PASSWORD + value: "yes" + # - name: MYSQL_ROOT_PASSWORD + # valueFrom: + # secretKeyRef: + # name: {{ .Release.Name }}-mysql-config + # key: PASSWORD + volumeMounts: + - name: mysql-data + mountPath: "/var/lib/mysql/" + subPath: mysql + + - name: oned + image: "opennebula/opennebula:{{ .Chart.AppVersion }}" + ports: + - name: tcp-2633 + containerPort: 2633 + protocol: TCP + volumeMounts: + - name: auth + mountPath: "/root/.one" + - name: opennebula-config + mountPath: "/tmp/one" + command: + - "/bin/sh" + - "-c" 
+ - "cp /tmp/one/oned.conf /etc/one/ && mkdir -p /run/lock/one && sleep 15; oned -f" + - name: sunstone + image: "opennebula/opennebula:{{ .Chart.AppVersion }}" + ports: + - name: tcp-9869 + containerPort: 9869 + protocol: TCP + - name: vnc-proxy + containerPort: 29876 + protocol: TCP + volumeMounts: + - name: auth + mountPath: "/var/lib/one/.one" + - name: opennebula-config + mountPath: "/tmp/one" + command: + - "/bin/sh" + - "-c" + - "cp /tmp/one/sunstone-server.conf /etc/one/ && mkdir -p /run/lock/one /run/one && sleep 20; ruby /usr/lib/one/sunstone/sunstone-server.rb; sleep 120" + - name: scheduler + image: "opennebula/opennebula:{{ .Chart.AppVersion }}" + command: + - "sh" + - "-c" + - "cp /tmp/one/sched.conf /etc/one/ && /usr/bin/mm_sched" + volumeMounts: + - name: auth + mountPath: "/root/.one" + - name: opennebula-config + mountPath: "/tmp/one" + volumes: + - name: auth + secret: + secretName: {{ .Release.Name }}-one-auth + - name: etcletsencrypt + persistentVolumeClaim: + claimName: {{ .Release.Name}}-letsencrypt-certs + - name: mysql-data + persistentVolumeClaim: + claimName: {{ .Release.Name }}-mysql-data + - name: nginx-config + configMap: + name: {{ .Release.Name }}-nginx-config + - name: opennebula-config + configMap: + name: {{ .Release.Name }}-opennebula-config + - name: tmp + emptyDir: {} +# --- +# apiVersion: batch/v1 +# kind: Job +# metadata: +# name: {{ .Release.Name }}-getcert +# spec: +# template: +# metadata: +# labels: +# app: {{ .Release.Name }}-opennebula +# spec: +# restartPolicy: Never +# containers: +# - name: certbot +# image: ungleich/ungleich-certbot +# ports: +# - containerPort: 80 +# env: +# - name: DOMAIN +# value: {{ .Values.fqdn }} +# - name: EMAIL +# value: {{ .Values.email }} +# - name: STAGING +# value: {{ .Values.letsencryptStaging }} +# # volumeMounts: +# # - name: etcletsencrypt +# # mountPath: "/etc/letsencrypt" +# # volumes: +# # - name: etcletsencrypt +# # persistentVolumeClaim: +# # claimName: {{ .Release.Name 
}}-letsencrypt-certs +# backoffLimit: 3 +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Release.Name }} + labels: + app: {{ .Release.Name }} +spec: + type: ClusterIP + ports: + - port: 80 + protocol: TCP + name: http + - port: 443 + protocol: TCP + name: https + - port: 2643 + protocol: TCP + name: xmlrpc + selector: + app: {{ .Release.Name }} +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ .Release.Name}}-letsencrypt-certs +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 50Mi + storageClassName: rook-cephfs +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ .Release.Name }}-mysql-data +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.dbsizeingb }}Gi +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-one-auth +stringData: + one_auth: {{ .Values.one_auth }} + sunstone_auth: {{ .Values.sunstone_auth }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Release.Name }}-getcert +spec: + template: + metadata: + labels: + app: {{ .Release.Name }} + spec: + restartPolicy: Never + containers: + - name: certbot + image: ungleich/ungleich-certbot + + ports: + - containerPort: 80 + env: + - name: DOMAIN + value: "{{ tpl .Values.fqdn . }}" + - name: ONLYGETCERT + value: "yes" + - name: EMAIL + value: "{{ .Values.email }}" + {{ if eq .Values.letsencryptStaging "no" }} + - name: STAGING + value: "no" + {{ end }} + volumeMounts: + - name: etcletsencrypt + mountPath: "/etc/letsencrypt" + volumes: + - name: etcletsencrypt + persistentVolumeClaim: + claimName: {{ .Release.Name }}-letsencrypt-certs + backoffLimit: 3 diff --git a/apps/opennebula/values.yaml b/apps/opennebula/values.yaml new file mode 100644 index 0000000..b5b2eab --- /dev/null +++ b/apps/opennebula/values.yaml 
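Review bot: The `mysql` container runs with `MYSQL_ALLOW_EMPTY_PASSWORD: "yes"` and the `MYSQL_ROOT_PASSWORD`/`secretKeyRef` block is commented out, so the root account on 3306 is passwordless on the pod IP; wiring it to a Secret (together with the matching DB credentials oned needs) should precede anything beyond a local test. The `Service` exposes `port: 2643` named `xmlrpc` with no `targetPort`, but nothing in the pod listens there — oned declares `2633` and nginx `2634` — so that port looks like a typo. The same Service selects `app: {{ .Release.Name }}`, which the `getcert` Job's pod template also carries, so while the Job runs its pod is a backend for 443 and the xmlrpc port as well as 80; selecting on `app-inside` or giving the Job a distinct label avoids that. In the Secret, `one_auth: {{ .Values.one_auth }}` and `sunstone_auth:` are emitted unquoted, so an empty value (the values.yaml default) or one containing `#` or `: ` yields a broken or null entry; `one_auth: {{ required "one_auth must be set" .Values.one_auth | quote }}` fails fast instead. The oned command joins `sleep 15; oned -f` with `;`, so a failed `cp` of the config still starts the daemon against whatever is in /etc/one.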
@@ -0,0 +1,15 @@
+clusterDomain: "c2.k8s.ooo"
+
+# For http/https/letsencrypt
+fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+
+# Size for the pvc for mysql
+dbsizeingb: 100
+
+# Opennebula secrets
+one_auth: ""
+sunstone_auth: ""
+
+# Letsencrypt settings
+email: ""
+letsencryptStaging: "yes"
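Review bot: `letsencryptStaging` is string-compared in the deployment template (`eq .Values.letsencryptStaging "no"`), so a user who writes the natural `letsencryptStaging: false` gets a template type error rather than staging switched off; the comment should say so, e.g. `# Letsencrypt settings ("yes"/"no" as quoted strings — the template string-compares this)`, or the template should normalise with `toString` first. `one_auth` and `sunstone_auth` default to `""` yet are rendered straight into the `-one-auth` Secret that oned and sunstone mount as their credentials, so the comment should mark them as mandatory and state the expected format (presumably `user:password`, inferred from the file names — please confirm). `clusterDomain` defaults to the site-specific `c2.k8s.ooo`, and the `fqdn` derived from it must be publicly resolvable for the certbot Job to obtain a certificate, which is worth stating next to the `# For http/https/letsencrypt` comment.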