openstack/openstack-manuals
Code Issues Proposed changes

Merge "Updates the docs for using cloudpipe"

Browse Source
This commit is contained in:
Jenkins 2012-03-07 03:52:08 +00:00 committed by Gerrit Code Review
commit ed996c3abf
2 changed files with 153 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
doc/src/docbkx/openstack-compute-admin/computeadmin.xml
View File

@ -672,8 +672,7 @@ ii qemu-kvm 0.14.0~rc1+noroms-0ubuntu4~ppalucid1
restricted by Role Based Access Control in the deprecated nova auth system. </para> restricted by Role Based Access Control in the deprecated nova auth system. </para>
<simplesect><title>Using the nova-manage command</title> <simplesect><title>Using the nova-manage command</title>
<para>The nova-manage command may be used to perform many essential functions for <para>The nova-manage command may be used to perform many essential functions for
administration and ongoing maintenance of nova, such as user creation, vpn administration and ongoing maintenance of nova, such as network creation.</para>
management, and much more.</para>
<para>The standard pattern for executing a nova-manage command is: </para> <para>The standard pattern for executing a nova-manage command is: </para>
<literallayout class="monospaced">nova-manage category command [args]</literallayout> <literallayout class="monospaced">nova-manage category command [args]</literallayout>
@ -2698,18 +2697,18 @@ Then perform the mount. </literallayout></para>
</tr> </tr>
<tr> <tr>
<td>--vpn_image_id</td> <td>--vpn_image_id</td>
<td>default: 'ami-cloudpipe'</td> <td>default: None</td>
<td>AMI (Amazon Machine Image) for cloudpipe VPN server</td> <td>Glance id for cloudpipe VPN server</td>
</tr> </tr>
<tr> <tr>
<td>--vpn_client_template</td> <td>--vpn_client_template</td>
<td>default: '-vpn'</td> <td>default: '/usr/lib/pymodules/python2.6/nova/cloudpipe/client.ovpn.template'</td>
<td>String value; Template for creating users vpn file.</td> <td>String value; Template for creating users vpn file.</td>
</tr> </tr>
<tr> <tr>
<td>--vpn_key_suffix</td> <td>--vpn_key_suffix</td>
<td>default: '/root/nova/nova/nova/cloudpipe/client.ovpn.template'</td> <td>default: '-vpn'</td>
<td>This is the interface that VlanManager uses to bind bridges and VLANs to.</td> <td>String value; This suffix is added to keys and security groups created by the cloudpipe extension.</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>

54
doc/src/docbkx/openstack-compute-admin/computenetworking.xml
View File

@ -370,7 +370,7 @@ brctl delbr br_NNN</literallayout>
<title>Cloudpipe — Per Project Vpns</title> <title>Cloudpipe — Per Project Vpns</title>
<para> Cloudpipe is a method for connecting end users to their project instances in VLAN <para> Cloudpipe is a method for connecting end users to their project instances in VLAN
networking mode. </para> networking mode. </para>
<para> The support code for cloudpipe implements admin commands (via nova-manage) to <para> The support code for cloudpipe implements admin commands (via an extension) to
automatically create a VM for a project that allows users to vpn into the private automatically create a VM for a project that allows users to vpn into the private
network of their project. Access to this vpn is provided through a public port on network of their project. Access to this vpn is provided through a public port on
the network host for the project. This allows users to have free access to the the network host for the project. This allows users to have free access to the
@ -395,20 +395,23 @@ brctl delbr br_NNN</literallayout>
<listitem><para>set down.sh in /etc/openvpn/ </para></listitem> <listitem><para>set down.sh in /etc/openvpn/ </para></listitem>
<listitem><para>download and run the payload on boot from /etc/rc.local</para></listitem> <listitem><para>download and run the payload on boot from /etc/rc.local</para></listitem>
<listitem><para>setup /etc/network/interfaces </para></listitem> <listitem><para>setup /etc/network/interfaces </para></listitem>
<listitem><para>register the image and set the image id in your flagfile: </para> <listitem><para>upload the image and set the image id in your config file: </para>
<literallayout class="monospaced"> <literallayout class="monospaced">
--vpn_image_id=ami-xxxxxxxx vpn_image_id=[uuid from glance]
</literallayout> </literallayout>
</listitem> </listitem>
<listitem><para>you should set a few other flags to make vpns work properly: </para> <listitem><para>you should set a few other config options to make vpns work properly: </para>
<literallayout class="monospaced"> <literallayout class="monospaced">
--use_project_ca use_project_ca=True
--cnt_vpn_clients=5 cnt_vpn_clients=5
force_dhcp_release=True
</literallayout> </literallayout>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para> When you use nova-manage to launch a cloudpipe for a user, it goes through <para>
the following process: </para> When you use the cloudpipe extension to launch a vpn for a user it goes through the
following process:
</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
<para> creates a keypair called &lt;project_id&gt;-vpn and saves it in the <para> creates a keypair called &lt;project_id&gt;-vpn and saves it in the
@ -426,8 +429,8 @@ brctl delbr br_NNN</literallayout>
<para> zips up the info and puts it b64 encoded as user data </para> <para> zips up the info and puts it b64 encoded as user data </para>
</listitem> </listitem>
<listitem> <listitem>
<para> launches an m1.tiny instance with the above settings using the <para> launches an [vpn_instance_type] instance with the above settings using the
flag-specified vpn image </para> flag-specified vpn image</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
@ -441,12 +444,12 @@ brctl delbr br_NNN</literallayout>
instance. </para> instance. </para>
<para> If specific high numbered ports do not work for your users, you can always <para> If specific high numbered ports do not work for your users, you can always
allocate and associate a public IP to the instance, and then change the allocate and associate a public IP to the instance, and then change the
vpn_public_ip and vpn_public_port in the database. (This will be turned into a vpn_public_ip and vpn_public_port in the database. Rather than using the db
nova-manage command or a flag soon.) </para> directly, you can also use nova-manage vpn change [new_ip] [new_port] </para>
</section> </section>
<section xml:id="certificates-and-revocation"> <section xml:id="certificates-and-revocation">
<title>Certificates and Revocation</title> <title>Certificates and Revocation</title>
<para>If the use_project_ca flag is set (required to for cloudpipes to work <para>If the use_project_ca config option is set (required to for cloudpipes to work
securely), then each project has its own ca. This ca is used to sign the securely), then each project has its own ca. This ca is used to sign the
certificate for the vpn, and is also passed to the user for bundling images. certificate for the vpn, and is also passed to the user for bundling images.
When a certificate is revoked using nova-manage, a new Certificate Revocation When a certificate is revoked using nova-manage, a new Certificate Revocation
@ -460,24 +463,17 @@ brctl delbr br_NNN</literallayout>
<title>Restarting and Logging into the Cloudpipe VPN</title> <title>Restarting and Logging into the Cloudpipe VPN</title>
<para>You can reboot a cloudpipe vpn through the api if something goes wrong (using <para>You can reboot a cloudpipe vpn through the api if something goes wrong (using
"nova reboot" for example), but if you generate a new crl, you will have to "nova reboot" for example), but if you generate a new crl, you will have to
terminate it and start it again using nova-manage vpn run. The cloudpipe terminate it and start it again using the cloudpipe extension. The cloudpipe
instance always gets the first ip in the subnet and it can take up to 10 minutes instance always gets the first ip in the subnet and if force_dhcp_release is
for the ip to be recovered. If you try to start the new vpn instance too soon, not set it takes some time for the ip to be recovered. If you try to start the
the instance will fail to start because of a "NoMoreAddresses" error. If you new vpn instance too soon, the instance will fail to start because of a
cant wait 10 minutes, you can manually update the ip with something like the "NoMoreAddresses" error. It is therefore recommended to use force_dhcp_release.</para>
following (use the right ip for the project): </para>
<literallayout class="monospaced">
nova delete &lt;instance_id&gt;
mysql nova -e "update fixed_ips set allocated=0, leased=0, instance_id=NULL where fixed_ip='10.0.0.2'"
</literallayout>
<para>You also will need to terminate the dnsmasq running for the user (make sure
you use the right pid file):</para>
<literallayout class="monospaced">sudo kill `cat /var/lib/nova/br100.pid`</literallayout>
<para>Now you should be able to re-run the vpn:</para>
<literallayout class="monospaced">nova-manage vpn run &lt;project_id&gt;</literallayout>
<para>The keypair that was used to launch the cloudpipe instance should be in the <para>The keypair that was used to launch the cloudpipe instance should be in the
keys/&lt;project_id&gt; folder. You can use this key to log into the cloudpipe keys/&lt;project_id&gt; folder. You can use this key to log into the cloudpipe
instance for debugging purposes.</para> instance for debugging purposes. If you are running multiple copies of nova-api
this key will be on whichever server used the original request. To make debugging
easier, you may want to put a common administrative key into the cloudpipe image
that you create</para>
</section> </section>
</section></section> </section></section>
<section xml:id="enabling-ping-and-ssh-on-vms"> <section xml:id="enabling-ping-and-ssh-on-vms">