Authentication and Authorization integration
This manual provides information on how to set up a Resource Centre providing cloud resources in the EGI infrastructure. Integration with FedCloud requires a working OpenStack installation as a prerequisite. EGI supports any recent OpenStack version (tested from OpenStack Mitaka onwards).
EGI expects the following OpenStack services to be available and accessible from outside your site:
- Swift (if providing Object Storage)
FedCloud components are distributed through CMD (Cloud Middleware Distribution) or as Docker container images available on Docker Hub. These Docker containers come pre-packaged and ready to use in the EGI FedCloud Appliance, so you do not need to install any extra components on your site: just run a VM and configure it appropriately to interact with your services.
The integration is performed by a set of EGI components that interact with the OpenStack services APIs:
- Authentication of EGI users into your system is performed by configuring the native OpenID Connect support of Keystone. Support for legacy VOs using VOMS requires the installation of the Keystone-VOMS Authorization plugin to allow users with a valid VOMS proxy to obtain tokens to access your OpenStack deployment.
- cASO collects accounting data from OpenStack and uses SSM to send the records to the central accounting database on the EGI Accounting service (APEL)
- cloud-info-provider registers the RC configuration and description through the Messaging service to facilitate service discovery
- cloudkeeper (and cloudkeeper-os) synchronises with EGI AppDB so new or updated images can be provided by the RC to user communities (VO).
Not all EGI components need to share the same credentials. They are configured individually, so you can use different credentials and permissions for each if desired.
EGI distributes the integration components as:
- A Virtual Appliance (VA) that uses Docker containers to bundle all of the components in a single VM and just needs minor configuration to get started
- RPM and DEB Packages in the CMD distribution
FedCloud Virtual Appliance
The EGI FedCloud Appliance is available at AppDB as an OVA file. You can easily extract the VMDK disk by untaring and optionally converting it to your preferred format with qemu-img:
```shell
# get image and extract VMDK
$ curl $(curl "https://appdb.egi.eu/store/vm/image/fc90d1aa-b0ae-46a0-b457-96f6f7a7d446:7875/json?strict" | jq -r .url) | \
    tar x "*.vmdk"
# convert to qcow2
$ qemu-img convert -O qcow2 FedCloud-Appliance.Ubuntu.*.vmdk fedcloud-appliance.qcow2
```
The appliance running at your OpenStack must:
- Have a host certificate to send the accounting information to the accounting repository. The DN of the host certificate must be registered in GOCDB with eu.egi.cloud.accounting. The host certificate and key in PEM format are expected in
- Have enough disk space for handling the VM image replication (~100GB for the fedcloud.egi.eu VO). By default these are stored at /image_data. You can mount a volume at that location.
Upgrading the OpenStack Appliance
From 2018.05.07 or newer to 2021.03.12
- BDII is removed, as the service is no longer in use
- A cloud-info-provider cron job is added
- AMS is used for pushing accounting records; a new configuration file for ssmsend is available
From 2017.08.09 to 2018.05.07
- This upgrade moves the voms.json file to the respective
- No other changes in configuration are needed
From 20160403 to 2017.08.09
There are several major changes between these versions, namely:
- atrope has been deprecated and cloudkeeper is used instead. The configuration cannot be reused directly, and the new services need to be configured as described above
- caso is upgraded to version 1.1.1; the configuration file has some incompatible changes.
- A new bdii.service is available for managing the process.
The CMD-OS repository provides packages that have gone through a quality assurance process for the supported distributions. Packages are available via the EGI repository.
The following services must be accessible to allow access to an OpenStack-based FedCloud site (default ports are listed below and can be adjusted to your installation):
| Port | Service | Purpose |
| --- | --- | --- |
| 5000/TCP | OpenStack/Keystone | Authentication to your OpenStack. |
| 8776/TCP | OpenStack/cinder | Block Storage management. |
| 9292/TCP | OpenStack/glance | VM Image management. |
The EGI Cloud components require the following outgoing connections open:
| Port | Destination and purpose |
| --- | --- |
| 443/TCP | ARGO Messaging System (used to send accounting records by SSM). |
| 8443/TCP | AMS authentication (used to send accounting records by SSM). |
| 443/TCP | AppDB image lists (used by cloudkeeper). |
| 8080/TCP | Swift server hosting EGI images (used by cloudkeeper). |
Images listed in AppDB may be hosted on other servers besides cephrgw01.ifca.es. Check the specific VO-wide image lists for details.
This is an overview of the expected account permissions used in an OpenStack site; these accounts can be merged as needed for your deployment:
| Account | Permissions |
| --- | --- |
| cloud-info | Member of all projects supporting EGI VOs |
| accounting | Member of all projects and able to list users (allowed to |
| cloud-keeper | Permission to manage the images for all the projects supporting EGI VOs |
| Other users | Automatically created by Keystone, with permissions set as configured in the mappings |
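The Keystone OpenID Connect integration mentioned in the component list, and the "Other users" row above, both depend on the federation mapping rules: they decide which local user, group and project roles an authenticated EGI user ends up with, so a mistake there is an authorization bug. The following script is an added example, not code from EGI or from Keystone: it is a simplified re-implementation of Keystone's mapping rule semantics that lets a site administrator evaluate a mapping against sample claims offline before deploying it. The mapping content, the `OIDC-` claim prefix, the entitlement string format and all claim values are constructed assumptions for this example; the real Keystone engine has more matcher types than the ones implemented here.

```python
"""Offline evaluator for a Keystone federation mapping (added example).

Simplified re-implementation of the rule semantics of Keystone's mapping
engine, for testing a mapping before deployment; not Keystone's own code.
  * a rule applies when every matcher in its "remote" list matches;
  * a matcher needs its attribute present and optionally checks the values
    with "any_one_of" / "not_any_of" (literal, or regex when "regex" is true);
  * "{N}" in the "local" part is replaced by the N-th matcher's first value;
  * the "local" parts of all applying rules are merged.
Claims are passed as {attribute: [values]}; the "OIDC-" prefix mirrors how an
Apache OIDC module would expose claims to Keystone (assumption of this example).
"""
import re

# Constructed mapping: every authenticated user gets an ephemeral local user in
# the "egi-users" group; holders of the fedcloud.egi.eu VO entitlement also get
# the member role on the project of the same name. The entitlement string
# format is an assumption of this example.
FEDCLOUD_MAPPING = {
    "rules": [
        {
            "local": [{"user": {"name": "{0}", "type": "ephemeral"},
                       "group": {"name": "egi-users", "domain": {"name": "egi"}}}],
            "remote": [{"type": "OIDC-sub"}],
        },
        {
            "local": [{"projects": [{"name": "fedcloud.egi.eu",
                                     "roles": [{"name": "member"}]}]}],
            "remote": [
                {"type": "OIDC-sub"},
                {"type": "OIDC-eduperson_entitlement",
                 "regex": True,
                 # Anchored and dot-escaped so only the exact entitlement matches.
                 "any_one_of": [r"^urn:mace:egi\.eu:group:fedcloud\.egi\.eu:role=member#aai\.egi\.eu$"]},
            ],
        },
    ]
}

# Constructed claim sets for three users.
MEMBER_CLAIMS = {
    "OIDC-sub": ["0123abcd@egi.eu"],
    "OIDC-eduperson_entitlement": [
        "urn:mace:egi.eu:group:fedcloud.egi.eu:role=member#aai.egi.eu",
        "urn:mace:egi.eu:group:other.vo:role=member#aai.egi.eu",
    ],
}
OUTSIDER_CLAIMS = {
    "OIDC-sub": ["ffff9999@egi.eu"],
    "OIDC-eduperson_entitlement": ["urn:mace:egi.eu:group:other.vo:role=member#aai.egi.eu"],
}
LOOKALIKE_CLAIMS = {  # a different VO whose name merely starts with fedcloud.egi.eu
    "OIDC-sub": ["5555aaaa@egi.eu"],
    "OIDC-eduperson_entitlement": ["urn:mace:egi.eu:group:fedcloud.egi.eu-test:role=member#aai.egi.eu"],
}


def _matcher_applies(matcher, claims):
    """Return (matched, first_value) for one "remote" matcher."""
    values = claims.get(matcher["type"], [])
    if not values:
        return False, None          # attribute absent: the rule cannot apply
    use_regex = bool(matcher.get("regex"))

    def hit(pattern, value):
        # re.search, so an unanchored pattern matches anywhere in the value
        return re.search(pattern, value) is not None if use_regex else pattern == value

    if "any_one_of" in matcher:
        ok = any(hit(p, v) for p in matcher["any_one_of"] for v in values)
    elif "not_any_of" in matcher:
        ok = not any(hit(p, v) for p in matcher["not_any_of"] for v in values)
    else:
        ok = True                   # presence of the attribute is enough
    return ok, values[0]


def _render(obj, captured):
    """Substitute "{N}" placeholders with captured matcher values."""
    if isinstance(obj, str):
        return re.sub(r"\{(\d+)\}", lambda m: captured[int(m.group(1))], obj)
    if isinstance(obj, list):
        return [_render(item, captured) for item in obj]
    if isinstance(obj, dict):
        return {k: _render(v, captured) for k, v in obj.items()}
    return obj


def evaluate_mapping(mapping, claims):
    """Return the local user, groups and project roles the claims would yield."""
    result = {"user": None, "group_names": [], "projects": []}
    for rule in mapping["rules"]:
        captured = []
        for matcher in rule["remote"]:
            ok, value = _matcher_applies(matcher, claims)
            if not ok:
                break
            captured.append(value)
        else:                       # every matcher matched: apply the rule
            for local in rule["local"]:
                rendered = _render(local, captured)
                if "user" in rendered:
                    result["user"] = rendered["user"]
                if "group" in rendered:
                    result["group_names"].append(rendered["group"]["name"])
                if "projects" in rendered:
                    result["projects"].extend(rendered["projects"])
    return result


def unanchored_regexes(mapping):
    """List regex patterns lacking ^...$ anchors, which would match substrings."""
    loose = []
    for rule in mapping["rules"]:
        for matcher in rule["remote"]:
            if matcher.get("regex"):
                for pattern in matcher.get("any_one_of", []) + matcher.get("not_any_of", []):
                    if not (pattern.startswith("^") and pattern.endswith("$")):
                        loose.append(pattern)
    return loose


if __name__ == "__main__":
    for label, claims in [("member", MEMBER_CLAIMS), ("outsider", OUTSIDER_CLAIMS),
                          ("lookalike", LOOKALIKE_CLAIMS)]:
        print(label, evaluate_mapping(FEDCLOUD_MAPPING, claims))
    print("unanchored patterns:", unanchored_regexes(FEDCLOUD_MAPPING))
```

Running the script shows the member getting the project role, while the outsider and the look-alike VO only get the generic user and group. The `unanchored_regexes` check is worth running on any mapping you write: with regex matching, a pattern such as `fedcloud.egi.eu` without `^` and `$` would also accept entitlements for any VO whose name contains that string, silently widening who is admitted to the project.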
cloud info provider configuration
cloudkeeper and AppDB integration
Configuring GPU flavors
Summary of steps for configuring new VOs in OpenStack