Merge "Updates the docs for using cloudpipe"
This commit is contained in:
Jenkins
Gerrit Code Review
commit
ed996c3abf
|
|
@ -672,8 +672,7 @@ ii qemu-kvm 0.14.0~rc1+noroms-0ubuntu4~ppalucid1
|
|||
restricted by Role Based Access Control in the deprecated nova auth system. </para>
|
||||
<simplesect><title>Using the nova-manage command</title>
|
||||
<para>The nova-manage command may be used to perform many essential functions for
|
||||
administration and ongoing maintenance of nova, such as user creation, vpn
|
||||
management, and much more.</para>
|
||||
administration and ongoing maintenance of nova, such as network creation.</para>
|
||||
|
||||
<para>The standard pattern for executing a nova-manage command is: </para>
|
||||
<literallayout class="monospaced">nova-manage category command [args]</literallayout>
|
||||
|
|
@ -2698,18 +2697,18 @@ Then perform the mount. </literallayout></para>
|
|||
</tr>
|
||||
<tr>
|
||||
<td>--vpn_image_id</td>
|
||||
<td>default: 'ami-cloudpipe'</td>
|
||||
<td>AMI (Amazon Machine Image) for cloudpipe VPN server</td>
|
||||
<td>default: None</td>
|
||||
<td>Glance id for cloudpipe VPN server</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>--vpn_client_template</td>
|
||||
<td>default: '-vpn'</td>
|
||||
<td>default: '/usr/lib/pymodules/python2.6/nova/cloudpipe/client.ovpn.template'</td>
|
||||
<td>String value; Template for creating users vpn file.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>--vpn_key_suffix</td>
|
||||
<td>default: '/root/nova/nova/nova/cloudpipe/client.ovpn.template'</td>
|
||||
<td>This is the interface that VlanManager uses to bind bridges and VLANs to.</td>
|
||||
<td>default: '-vpn'</td>
|
||||
<td>String value; This suffix is added to keys and security groups created by the cloudpipe extension.</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
|
|
|||
|
|
@ -370,7 +370,7 @@ brctl delbr br_NNN</literallayout>
|
|||
<title>Cloudpipe — Per Project Vpns</title>
|
||||
<para> Cloudpipe is a method for connecting end users to their project instances in VLAN
|
||||
networking mode. </para>
|
||||
<para> The support code for cloudpipe implements admin commands (via nova-manage) to
|
||||
<para> The support code for cloudpipe implements admin commands (via an extension) to
|
||||
automatically create a VM for a project that allows users to vpn into the private
|
||||
network of their project. Access to this vpn is provided through a public port on
|
||||
the network host for the project. This allows users to have free access to the
|
||||
|
|
@ -395,20 +395,23 @@ brctl delbr br_NNN</literallayout>
|
|||
<listitem><para>set down.sh in /etc/openvpn/ </para></listitem>
|
||||
<listitem><para>download and run the payload on boot from /etc/rc.local</para></listitem>
|
||||
<listitem><para>setup /etc/network/interfaces </para></listitem>
|
||||
<listitem><para>register the image and set the image id in your flagfile: </para>
|
||||
<listitem><para>upload the image and set the image id in your config file: </para>
|
||||
<literallayout class="monospaced">
|
||||
--vpn_image_id=ami-xxxxxxxx
|
||||
vpn_image_id=[uuid from glance]
|
||||
</literallayout>
|
||||
</listitem>
|
||||
<listitem><para>you should set a few other flags to make vpns work properly: </para>
|
||||
<listitem><para>you should set a few other config options to make vpns work properly: </para>
|
||||
<literallayout class="monospaced">
|
||||
--use_project_ca
|
||||
--cnt_vpn_clients=5
|
||||
use_project_ca=True
|
||||
cnt_vpn_clients=5
|
||||
force_dhcp_release=True
|
||||
</literallayout>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<para> When you use nova-manage to launch a cloudpipe for a user, it goes through
|
||||
the following process: </para>
|
||||
<para>
|
||||
When you use the cloudpipe extension to launch a vpn for a user it goes through the
|
||||
following process:
|
||||
</para>
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para> creates a keypair called <project_id>-vpn and saves it in the
|
||||
|
|
@ -426,8 +429,8 @@ brctl delbr br_NNN</literallayout>
|
|||
<para> zips up the info and puts it b64 encoded as user data </para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para> launches an m1.tiny instance with the above settings using the
|
||||
flag-specified vpn image </para>
|
||||
<para> launches an [vpn_instance_type] instance with the above settings using the
|
||||
flag-specified vpn image</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
|
@ -441,12 +444,12 @@ brctl delbr br_NNN</literallayout>
|
|||
instance. </para>
|
||||
<para> If specific high numbered ports do not work for your users, you can always
|
||||
allocate and associate a public IP to the instance, and then change the
|
||||
vpn_public_ip and vpn_public_port in the database. (This will be turned into a
|
||||
nova-manage command or a flag soon.) </para>
|
||||
vpn_public_ip and vpn_public_port in the database. Rather than using the db
|
||||
directly, you can also use nova-manage vpn change [new_ip] [new_port] </para>
|
||||
</section>
|
||||
<section xml:id="certificates-and-revocation">
|
||||
<title>Certificates and Revocation</title>
|
||||
<para>If the use_project_ca flag is set (required to for cloudpipes to work
|
||||
<para>If the use_project_ca config option is set (required to for cloudpipes to work
|
||||
securely), then each project has its own ca. This ca is used to sign the
|
||||
certificate for the vpn, and is also passed to the user for bundling images.
|
||||
When a certificate is revoked using nova-manage, a new Certificate Revocation
|
||||
|
|
@ -460,24 +463,17 @@ brctl delbr br_NNN</literallayout>
|
|||
<title>Restarting and Logging into the Cloudpipe VPN</title>
|
||||
<para>You can reboot a cloudpipe vpn through the api if something goes wrong (using
|
||||
"nova reboot" for example), but if you generate a new crl, you will have to
|
||||
terminate it and start it again using nova-manage vpn run. The cloudpipe
|
||||
instance always gets the first ip in the subnet and it can take up to 10 minutes
|
||||
for the ip to be recovered. If you try to start the new vpn instance too soon,
|
||||
the instance will fail to start because of a "NoMoreAddresses" error. If you
|
||||
can’t wait 10 minutes, you can manually update the ip with something like the
|
||||
following (use the right ip for the project): </para>
|
||||
<literallayout class="monospaced">
|
||||
nova delete <instance_id>
|
||||
mysql nova -e "update fixed_ips set allocated=0, leased=0, instance_id=NULL where fixed_ip='10.0.0.2'"
|
||||
</literallayout>
|
||||
<para>You also will need to terminate the dnsmasq running for the user (make sure
|
||||
you use the right pid file):</para>
|
||||
<literallayout class="monospaced">sudo kill `cat /var/lib/nova/br100.pid`</literallayout>
|
||||
<para>Now you should be able to re-run the vpn:</para>
|
||||
<literallayout class="monospaced">nova-manage vpn run <project_id></literallayout>
|
||||
terminate it and start it again using the cloudpipe extension. The cloudpipe
|
||||
instance always gets the first ip in the subnet and if force_dhcp_release is
|
||||
not set it takes some time for the ip to be recovered. If you try to start the
|
||||
new vpn instance too soon, the instance will fail to start because of a
|
||||
"NoMoreAddresses" error. It is therefore recommended to use force_dhcp_release.</para>
|
||||
<para>The keypair that was used to launch the cloudpipe instance should be in the
|
||||
keys/<project_id> folder. You can use this key to log into the cloudpipe
|
||||
instance for debugging purposes.</para>
|
||||
instance for debugging purposes. If you are running multiple copies of nova-api
|
||||
this key will be on whichever server used the original request. To make debugging
|
||||
easier, you may want to put a common administrative key into the cloudpipe image
|
||||
that you create</para>
|
||||
</section>
|
||||
</section></section>
|
||||
<section xml:id="enabling-ping-and-ssh-on-vms">
|
||||
|
|
|
|||
Loading…
Reference in New Issue