VO Configuration guide

Summary of steps for configuring new VOs in OpenStack

In this page you can find a summary of the needed steps for supporting a new VO in your OpenStack infrastructure.

Local project creation

The usual method of supporting a VO is by creating a local project for it. You should assign quotas to this project as agreed in the OLA defining the support for the given VO.

  1. Create a group where users belongig to the VO will be mapped to: :

    group_id=$(openstack group create -f value -c id <new_group>)
    
  2. Add that group to the desired local project: :

    $ openstack role add member --group $group_id --project <your project>
    

Keystone Mapping

Expand your mapping.json with the VO membership to the created group (substitute group_id and entitlement as appropriate). The expected mappings for the VOs are listed in vo-mappings.yaml of fedcloud-catchall-operations repository:

[
    <existing mappings>,
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "id": "<group_id>"
                }
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_SUB"
            },
            {
                "type": "HTTP_OIDC_ISS",
                "any_one_of": [
                    "https://aai.egi.eu/auth/realms/egi"
                ]
            },
            {
                "type": "OIDC-eduperson_entitlement",
                "regex": true,
                "any_one_of": [
                    "^<entitlement>$"
                ]
            }
        ]
    }
]

And update the mapping in your Keystone IdP:

$ openstack mapping set --rules mapping.json egi-mapping

Accounting

Add the project supporting the VO to cASO:

  1. In the projects field of /etc/caso/caso.conf :

    projects = vo_project1, vo_project2, <your_new_vo_project>
    
  2. and as a new mapping in /etc/caso/voms.json :

    {
      "<your new vo>": {
        "projects": ["<your new vo project>"]
      }
    }
    

Be sure to include the user running cASO as member of the project if it does not have admin privileges:

openstack role add member --user <your caso user> --project <your new vo project>

Information system

Add the mapping to your site configuration with a new Pull Request to the fedcloud-catchall-operations repository

---
vos:
  - name: <vo name>
    auth:
      project_id: <your new vo project>

VM Image Management

cloudkeeper-core

Add the new image list to the cloudkeeper configuration in /etc/cloudkeeper/cloudkeeper.yml (or /etc/cloudkeeper/image-lists.conf if using the appliance), new entry should look similar to:

https://<APPDB_TOKEN>:x-oauth-basic@vmcaster.appdb.egi.eu/store/vo/<your new vo>/image.list

cloudkeeper-os

Add the user configured in cloudkeeper-os as member of the new project:

$ openstack role add member \
            --user <your cloudkeeper-os user> \
            --project <your new vo project>

Add the mapping of the project to the VO in /etc/cloudkeeper-os/mapping.json:

{
  "<your new vo>": {
    "tenant": "<your new vo project>"
  }
}