Home
This page gives basic documentation on how to install, configure and run the glancepush service.
Glancepush automates the upload of foreign images into the Openstack Glance catalog. It provides image manipulation and site policy compliance checks. When using it with vmcatcher, you also have to install the glancepush-vmcatcher package.
You will need:
- a working glance service
- a user account in Openstack which is allowed to push images into the catalog and instantiate VMs
- working python-novaclient and python-glanceclient
- a working, properly configured vmcatcher client that caches images on a local filesystem
You will find binary packages on the IN2P3-CC EGI-FCTF ftp repository.
# download and install the package
$ wget ftp://ftp.in2p3.fr/ccin2p3/egi-acct-osdriver/glancepush/glancepush_latest.deb
$ wget ftp://ftp.in2p3.fr/ccin2p3/egi-acct-osdriver/glancepush-vmcatcher/glancepush-vmcatcher_latest.deb
$ dpkg -i glancepush_latest.deb glancepush-vmcatcher_latest.deb
# configure it
$ man glancepushrc
$ man gpvmcmapping
# edit configuration files
# start the service
$ service glancepush start
# download the package and install it
$ wget ftp://ftp.in2p3.fr/ccin2p3/egi-acct-osdriver/glancepush/glancepush-latest.noarch.rpm
$ yum localinstall -y glancepush-latest.noarch.rpm
# configure it
$ man glancepushrc
$ man gpvmcmapping
# edit configuration files
# enable and start the service
$ chkconfig glancepush on
$ service glancepush start
For base configuration, please refer to glancepushrc(5) for details of all configuration options.
Step 1: set up the nova account that glancepush will use to spawn instances: edit the novarc parameter in /etc/glancepush/glancepushrc and point it to a valid novacreds file (one that defines OS_USERNAME etc.).
Step 2: configure the ssh private key that glancepush will use to connect to the spawned instances: edit the key parameter in /etc/glancepush/glancepushrc and point it to a valid private key file. The public key has to be provided to Keystone for the nova user defined by OS_USERNAME.
Step 3: you probably also want to set up the parameters keypair, testing_tenant and mailto to fit your needs:
# path of the private key that will be used to connect to the VMs
key="/etc/glancepush/key"
# path of the Openstack credentials used to manage VMs
novacreds="/etc/glancepush/novarc"
# name of the keypair provided to Openstack
keypair="keyname"
# tenant which will launch instances for policy checks
testing_tenant="a_valid_tenant"
# email where to send gpupdate cron errors
mailto="admins@yoursite"
# debug {true|false}
debug="true"
# cron timings when the service will run
crondate="0 8 * * *"
Step 0: subscribe to the image with vmcatcher_image. Then modify the vmcatcher environment so that gpvmcupdate (provided by the glancepush-vmcatcher package) handles vmcatcher events:
export VMCATCHER_CACHE_EVENT=/usr/bin/gpvmcupdate
This will feed a new upload request (/var/spool/glancepush) to glancepush, based on an update event.
Step 1: edit /etc/gpvmcmapping. This file defines the mapping between the vmcatcher image name and the name used in glance. It uses shell syntax and has to define the associative array vmcmapping:
declare -A vmcmapping=(
["CernVM Batch Node (QEMU,KVM)"]="vmc-cernvm-batch-x86"
)
Step 2: create a metadata file in /etc/glancepush/meta. The file has to be named after the desired glance name defined in the vmcmapping file. For instance, create a file /etc/glancepush/meta/vmc-cernvm-batch-x86. The information in that file will be passed to the glance image-create command:
comment="CernVM Batch Node"
is_public="yes"
is_protected="yes"
disk_format="qcow2"
container_format="bare"
Step 3: create a transform script in /etc/glancepush/transform. The file has to be named after the desired glance name defined in the vmcmapping file. For instance, create /etc/glancepush/transform/vmc-cernvm-batch-x86. The script is in charge of modifying the actual image file as required to make the image compliant with your policies and/or catalog. It reads the original image on its standard input and writes the transformed image to its standard output. Neutral example script:
#! /bin/sh
cat
Step 4: write a policy check script in /etc/glancepush/test (for instance /etc/glancepush/test/vmc-cernvm-batch-x86). It will be copied into a fresh dedicated instance and executed inside it. If the test succeeds, the VM image will be released publicly. Otherwise, the update of that image will be blocked until the quarantined image is removed. The content of the script depends heavily on site policy. An empty script is obviously valid:
#! /bin/sh
:
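A policy check that actually inspects the instance could look like the following added example, which is not part of glancepush. It assumes the script runs as root inside the instance and that glancepush treats a non-zero exit status as a failed test; ROOT and the function names are hypothetical.

```shell
#!/bin/sh
# Added example policy check, not part of glancepush.
# ROOT is a hypothetical knob: empty inside the instance, a directory when testing.
ROOT="${ROOT:-}"

# Fail if any account other than root has UID 0.
check_uid0() {
    [ -r "$ROOT/etc/passwd" ] || { echo "cannot read passwd" >&2; return 1; }
    extra=$(awk -F: '$3 == 0 && $1 != "root" {print $1}' "$ROOT/etc/passwd")
    [ -z "$extra" ] || { echo "extra UID 0 accounts: $extra" >&2; return 1; }
}

# Fail if any account can log in with an empty password.
check_empty_passwords() {
    [ -r "$ROOT/etc/shadow" ] || { echo "cannot read shadow" >&2; return 1; }
    empty=$(awk -F: '$2 == "" {print $1}' "$ROOT/etc/shadow")
    [ -z "$empty" ] || { echo "empty passwords: $empty" >&2; return 1; }
}

# Fail unless sshd_config explicitly disables password authentication.
# Simplification: only the first occurrence is read; Match blocks and
# Include files are not evaluated.
check_sshd() {
    cfg="$ROOT/etc/ssh/sshd_config"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    val=$(awk 'tolower($1) == "passwordauthentication" {print tolower($2); exit}' "$cfg")
    [ "$val" = "no" ] || { echo "sshd: PasswordAuthentication is not 'no'" >&2; return 1; }
}

# Run every check so the log shows all violations, not only the first.
run_policy() {
    rc=0
    check_uid0 || rc=1
    check_empty_passwords || rc=1
    check_sshd || rc=1
    return "$rc"
}

# Installed as /etc/glancepush/test/<glance name>, finish the script with:
#   run_policy; exit $?
```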
When plugging other image generation tools into glancepush, the only additional step is to write, for that tool, the equivalent of what gpvmcupdate is for vmcatcher. The script is very simple: it writes a file named /var/spool/glancepush/$IMAGE with the content:
file=/path/to/the/updated/image
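A feeder for another tool, as an added example that is not part of glancepush: it validates the image name and path before writing the request, because the name becomes a file name in the spool. The function name queue_image and the overridable SPOOL variable are hypothetical, and treating the request file as shell syntax is an assumption based on the other configuration files.

```shell
#!/bin/sh
# Added example feeder, not part of glancepush.
# SPOOL is overridable for testing (hypothetical knob).
SPOOL="${SPOOL:-/var/spool/glancepush}"

# queue_image NAME PATH: write the upload request for glance image NAME.
queue_image() {
    name=$1
    path=$2
    # NAME becomes a file name in the spool: allow a conservative character
    # set and no leading dot, so "../x" or "a/b" cannot leave the spool.
    case $name in
        ''|.*|*[!A-Za-z0-9._-]*) echo "bad image name: $name" >&2; return 1 ;;
    esac
    # PATH must be absolute.
    case $path in
        /*) ;;
        *) echo "path must be absolute: $path" >&2; return 1 ;;
    esac
    # Reject characters that would change meaning if the request file is
    # parsed as shell (assumption: like the other glancepush config files).
    case $path in
        *[!A-Za-z0-9._/-]*) echo "unsafe characters in path: $path" >&2; return 1 ;;
    esac
    [ -f "$path" ] || { echo "no such image file: $path" >&2; return 1; }
    # Write the request readable by the service but writable only by its owner.
    ( umask 022; printf 'file=%s\n' "$path" > "$SPOOL/$name" )
}
```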
- implement a backup mechanism for replaced images