VO Configuration guide
In this page you can find a summary of the needed steps for supporting a new VO in your OpenStack infrastructure.
Local project creation
The usual method of supporting a VO is by creating a local project for it. You should assign quotas to this project as agreed in the OLA defining the support for the given VO.
Create a group where users belongig to the VO will be mapped to: :
group_id=$(openstack group create -f value -c id <new_group>)
Add that group to the desired local project: :
$ openstack role add member --group $group_id --project <your project>
Keystone Mapping
Expand your mapping.json
with the VO membership to the created group
(substitute group_id
and entitlement
as appropriate). The expected mappings
for the VOs are listed in
vo-mappings.yaml
of fedcloud-catchall-operations repository:
[
<existing mappings>,
{
"local": [
{
"user": {
"name": "{0}"
},
"group": {
"id": "<group_id>"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_SUB"
},
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"https://aai.egi.eu/auth/realms/egi"
]
},
{
"type": "OIDC-eduperson_entitlement",
"regex": true,
"any_one_of": [
"^<entitlement>$"
]
}
]
}
]
And update the mapping in your Keystone IdP:
$ openstack mapping set --rules mapping.json egi-mapping
Accounting
Add the project supporting the VO to cASO:
In the
projects
field of/etc/caso/caso.conf
:projects = vo_project1, vo_project2, <your_new_vo_project>
and as a new mapping in
/etc/caso/voms.json
:{ "<your new vo>": { "projects": ["<your new vo project>"] } }
Be sure to include the user running cASO as member of the project if it does not have admin privileges:
openstack role add member --user <your caso user> --project <your new vo project>
Information system
Add the mapping to your site configuration with a new Pull Request to the fedcloud-catchall-operations repository
---
vos:
- name: <vo name>
auth:
project_id: <your new vo project>
VM Image Management
cloudkeeper-core
Add the new image list to the cloudkeeper
configuration in
/etc/cloudkeeper/cloudkeeper.yml
(or /etc/cloudkeeper/image-lists.conf
if
using the appliance), new entry should look similar to:
https://<APPDB_TOKEN>:x-oauth-basic@vmcaster.appdb.egi.eu/store/vo/<your new vo>/image.list
cloudkeeper-os
Add the user configured in cloudkeeper-os as member of the new project:
$ openstack role add member \
--user <your cloudkeeper-os user> \
--project <your new vo project>
Add the mapping of the project to the VO in /etc/cloudkeeper-os/mapping.json
:
{
"<your new vo>": {
"tenant": "<your new vo project>"
}
}