Command Line Interface

EGI command line interface

Command-line tools

The various public EGI services can be managed and used/accessed with a wide variety of command-line interface (CLI) tools. The documentation of each service contains a summary of the CLIs that can be used with that service, together with recommendations on which one to use in what context.

The FedCloud client

The FedCloud client is a high-level Python package for a command-line client designed for interaction with the OpenStack services in the EGI infrastructure.

Tip

The FedCloud client is the recommended command-line interface to use with most EGI services.

FedCloud client has the following modules (features):

Check-in allows checking validity of access tokens and listing Virtual Organisations (VOs) of a token
Endpoint can search endpoints in the Configuration Database and extract site-specific information from unscoped/scoped tokens
Sites allows management of site configurations
OpenStack can perform commands on OpenStack services deployed to sites
EC3 allows deploying elastic cloud compute clusters

Installation

The FedCloud client can be installed with the pip3 Python package manager (without root or administrator privileges).

Linux / Mac
Windows

To install the FedCloud client:

$ pip3 install fedcloudclient

This installs the latest version of the FedCloud client, together with its required packages (like openstackclient). It will also create executables fedcloud and openstack, adding them to the bin folder corresponding to your current Python execution environment ($VIRTUAL_ENV/bin for executing pip3 in a Python virtual environment, ~/.local/bin for executing pip3 as user (with --user option), and /usr/local/bin when executing pip3 as root).

As there are non-pure Python packages needed for installation, the Microsoft C++ Build Tools is a prerequisite, make sure it’s installed with the following options selected:

C++ CMake tools for Windows
C++ ATL for latest v142 build tools (x86 & x64)
Testing tools core features - Build Tools
Windows 10 SDK (<latest>)

In case you prefer to use non-Microsoft alternatives for building non-pure packages, please see here.

To install the FedCloud client:

> pip3 install fedcloudclient

Check if the installation is correct by executing the client:

$ fedcloud --version

Installing EGI Core Trust Anchor certificates

Some sites in the EGI infrastructure use certificates issued by Certificate Authorities (CAs) that are not included in the default OS distribution. If you receive error message “SSL exception connecting to…”, install the EGI Core Trust Anchor Certificates by running the following commands:

$ wget https://raw.githubusercontent.com/tdviet/python-requests-bundle-certs/main/scripts/install_certs.sh
$ bash install_certs.sh

Note

The above script does not work on all Linux distributions. Change python to python3 in the script if needed, see the README for more details, or follow the official instructions for installing EGI Core Trust Anchor certificates in production environments.

Using via Docker container

The FedCloud client can also be used without installation, by running it in a Docker container. In this case, the EGI Core Trust Anchor certificates are pre-installed.

To run the FedCloud client in a container, make sure Docker is installed, then run the following commands:

$ docker pull tdviet/fedcloudclient
$ docker run -it tdviet/fedcloudclient bash

To run the FedCloud client in a container, make sure Docker is installed, then run the following commands:

$ docker pull tdviet/fedcloudclient
$ docker run -it tdviet/fedcloudclient bash

To run the FedCloud client in a container, make sure Docker is installed, then run the following commands:

> docker pull tdviet/fedcloudclient
> docker run -it tdviet/fedcloudclient bash

Once you have a shell running in the container with the FedCloud client, usage is the same as from the command-line.

Using from EGI Notebooks

EGI Notebooks are integrated with access tokens so it simplifies using the FedCloud client. First make sure that you follow the installation steps above. Then, below are the commands that you need to run inside a terminal in JupyterLab:

export OIDC_ACCESS_TOKEN=`cat /var/run/secrets/egi.eu/access_token`
fedcloud token check

Please follow instructions below to learn how to use the fedcloud command.

Using from the command-line

The FedCloud client has these subcommands:

fedcloud token for checking access tokens (see token subcommands)
fedcloud endpoint for querying the Configuration Database (see endpoint subcommands)
fedcloud site for manipulating site configurations (see site subcommands)
fedcloud openstack or fedcloud openstack-int for performing OpenStack commands on sites (see openstack subcommands)
fedcloud ec3 for provisioning elastic cloud compute clusters (see cluster subcommands)

Note

See also the complete documentation or read and contribute to the source code.

Performing any OpenStack command on any site requires only three options: the site, the VO and the command. For example, to list virtual machine (VM) images available to members of VO fedcloud.egi.eu on the site CYFRONET-CLOUD, run the following command:

$ fedcloud openstack image list --vo fedcloud.egi.eu --site CYFRONET-CLOUD

Authentication

Many of the FedCloud client commands need access tokens for authentication. Users can choose whether to provide access tokens directly (via option --oidc-access-token), or generate them on the fly with oidc-agent (via option --oidc-agent-account) or from refresh tokens (via option --oidc-refresh-token, which must be provided together with option --oidc-client-id and option --oidc-client-secret).

Tip

Users of EGI Check-in can get a Check-in client ID and refresh token, as well as all the information needed to obtain access tokens for their FedCloud client, by visiting EGI Check-in Token Portal.

Tip

To provide access tokens automatically via oidc-agent, follow these instructions to register a client, then pass the client name (account name used during client registration) to the FedCloud client via option --oidc-agent-account.

Important

Refresh tokens have long lifetime (one year in EGI Check-in), so they must be properly protected. Exposing refresh tokens via environment variables or command-line options is considered insecure and will be disabled in the near future in favor of using oidc-agent.

If multiple methods of getting access tokens are given at the same time, the FedCloud client will try to get an access token from the oidc-agent first, then obtain one using the refresh token.

The default authentication protocol is openid. Users can change the default protocol via the option --openstack-auth-protocol. However, sites may have the protocol fixed in the site configuration (e.g. oidc for the site INFN-CLOUD-BARI).

The default OIDC identity provider is EGI Check-in (https://aai.egi.eu/auth/realms/egi). Users can set another OIDC identity provider via option --oidc-url.

Note

Remember to also set the identity provider’s name accordingly for OpenStack commands, by using the option --openstack-auth-provider.

Environment variables

Most of the FedCloud client options can be set via environment variables:

Tip

To save a lot of time, set the frequently used options like access token, VO, etc. using environment variables.

Tip

When you want commands to work on all sites in the EGI infrastructure, use ALL_SITES for the --site parameter.

Environment variable	Command-line option	Default value
OIDC_AGENT_ACCOUNT	`--oidc-agent-account`
OIDC_ACCESS_TOKEN	`--oidc-access-token`
OIDC_REFRESH_TOKEN	`--oidc-refresh-token`
OIDC_CLIENT_ID	`--oidc-client-id`
OIDC_CLIENT_SECRET	`--oidc-client-secret`
OIDC_URL	`--oidc-url`	https://aai.egi.eu/auth/realms/egi
OPENSTACK_AUTH_PROTOCOL	`--openstack-auth-protocol`	openid
OPENSTACK_AUTH_PROVIDER	`--openstack-auth-provider`	egi.eu
OPENSTACK_AUTH_TYPE	`--openstack-auth-type`	v3oidcaccesstoken
EGI_VO	`--vo`

Getting help

The FedCloud client can display help for the commands and subcommands it supports. Try running the following command to see the commands supported by the FedCloud client:

$ fedcloud --help
Usage: fedcloud [OPTIONS] COMMAND [ARGS]...

Options:
  --version  Show the version and exit.
  --help     Show this message and exit.

Commands:
  ec3            EC3 related commands
  endpoint       endpoint command group for interaction with GOCDB and...
  openstack      Executing OpenStack commands on site and VO
  openstack-int  Interactive OpenStack client on site and VO
  site           Site command group for manipulation with site...
  token          Token command group for manipulation with tokens

Similarly, you can see help for e.g. the openstack subcommand by running the command below:

$ fedcloud openstack --help
Usage: fedcloud openstack [OPTIONS] OPENSTACK_COMMAND...

  Executing OpenStack commands on site and VO

Options:
  --oidc-client-id TEXT           OIDC client id
  --oidc-client-secret TEXT       OIDC client secret
  --oidc-refresh-token TEXT       OIDC refresh token
  --oidc-access-token TEXT        OIDC access token
  --oidc-url TEXT                 OIDC URL  [default: <https://aai.egi.eu/auth/realms/egi>]
  --oidc-agent-account TEXT       short account name in oidc-agent
  --openstack-auth-protocol TEXT  Check-in protocol  [default: openid]
  --openstack-auth-type TEXT      Check-in authentication type  [default:
                                  v3oidcaccesstoken]
  --openstack-auth-provider TEXT  Check-in identity provider  [default:
                                  egi.eu]
  --vo TEXT                       Name of the VO  [required]
  -i, --ignore-missing-vo         Ignore sites that do not support the VO
  -j, --json-output               Print output as a big JSON object
  --help                          Show this message and exit.

Note

Most commands support multiple levels of subcommands, you can get help for all of them using the same principle as above.

Using from Python

The FedCloud client can be used as a library for developing other services and tools for EGI services. Most of the functionalities can be called directly from Python code without side effects.

An usage example is available on GitHub. Just copy/download the code, add your access token and execute python demo.py to see how it works.

Using in scripts

The FedCloud client can also be used in scripts for simple automation, either for setting environment variables for other tools, or to process outputs from OpenStack commands.

Setting environment variables for external tools

Some FedCloud commands generate output that contains shell commands to set environment variables with the returned result, as exemplified below.

Run a command to get details of a project:

$ export EGI_SITE=IISAS-FedCloud
$ export EGI_VO=eosc-synergy.eu
$ fedcloud site show-project-id --site $EGI_SITE
export OS_AUTH_URL="https://cloud.ui.savba.sk:5000/v3/";
export OS_PROJECT_ID="51f736d36ce34b9ebdf196cfcabd24ee";

Run the same command but set environment variables with the returned values:

$ eval $(fedcloud site show-project-id)

The environment variables will have their values set to what the command returned:

$ echo $OS_AUTH_URL
https://cloud.ui.savba.sk:5000/v3/

$ echo $OS_PROJECT_ID
51f736d36ce34b9ebdf196cfcabd24ee

Run a command to get details of a project:

> set EGI_SITE=IISAS-FedCloud
> set EGI_VO=eosc-synergy.eu
> fedcloud site show-project-id --site %EGI_SITE%
set OS_AUTH_URL=https://cloud.ui.savba.sk:5000/v3/
set OS_PROJECT_ID=51f736d36ce34b9ebdf196cfcabd24ee

If you copy the returned output and execute it as commands in a command prompt:

> set OS_AUTH_URL=https://cloud.ui.savba.sk:5000/v3/
> set OS_PROJECT_ID=51f736d36ce34b9ebdf196cfcabd24ee

The environment variables will have their values set to what the command returned:

> set OS_AUTH_URL
OS_AUTH_URL=https://cloud.ui.savba.sk:5000/v3/

> set OS_PROJECT_ID
OS_PROJECT_ID=51f736d36ce34b9ebdf196cfcabd24ee

Run a command to get details of a project:

> $Env:EGI_SITE="IISAS-FedCloud"
> $Env:EGI_VO="eosc-synergy.eu"
> fedcloud site show-project-id --site $Env:EGI_SITE
$Env:OS_AUTH_URL="https://cloud.ui.savba.sk:5000/v3/";
$Env:OS_PROJECT_ID="51f736d36ce34b9ebdf196cfcabd24ee";

Run the same command but set environment variables with the returned values:

> fedcloud site show-project-id --site $Env:EGI_SITE `
                | Out-String | Invoke-Expression

The environment variables will have their values set to what the command returned:

> $Env:OS_AUTH_URL
https://cloud.ui.savba.sk:5000/v3/

> $Env:OS_PROJECT_ID
51f736d36ce34b9ebdf196cfcabd24ee

Processing output from OpenStack commands

The fedcloud openstack subcommand’s output can be converted to JavaScript Object Notation (JSON) format by using the --json-output option. This is useful for further machine processing of the command output.

Tip

JSON output can be processed with a tool like jq, which can slice, filter, map, and transform structured data. It acts as a filter: it takes an input and produces an output. Check out the tutorial for using it to extract data from JSON sources.

$ export EGI_SITE=IISAS-FedCloud
$ export EGI_VO=eosc-synergy.eu
$ fedcloud openstack flavor list --site $EGI_SITE --json-output
[
{
  "Site": "IISAS-FedCloud",
  "VO": "eosc-synergy.eu",
  "command": "flavor list",
  "Exception": null,
  "Error code": 0,
  "Result": [
    {
      "ID": "0",
      "Name": "m1.nano",
      "RAM": 64,
      "Disk": 1,
      "Ephemeral": 0,
      "VCPUs": 1,
      "Is Public": true
    },
    {
      "ID": "2e562a51-8861-40d5-8fc9-2638bab4662c",
      "Name": "m1.xlarge",
      "RAM": 16384,
      "Disk": 40,
      "Ephemeral": 0,
      "VCPUs": 8,
      "Is Public": true
    },
    ...
  ]
}
]

# The following jq command selects flavors with VCPUs=2 and prints their names
$ fedcloud openstack flavor list --site IISAS-FedCloud --json-output | \
    jq -r '.[].Result[] | select(.VCPUs == 2) | .Name'
m1.medium

Note

Note that --json-output option can be used only with those OpenStack commands that have outputs. Using this parameter with commands with no output (e.g. setting properties) will generate an unsupported parameter error.

Last modified March 8, 2023 by Baptiste Grenier : Import a GitHub action to check spell (#584)