CPR
=========
Deploy INDIGO CIP service using the following procedure <br>
Requirements
------------
The service run as a container.
Role Variables
--------------
Dependencies
------------
Deployment as container
--------------------
Image: Python:2
```
$ docker run -td --name cip python:2
$ docker exec -it cip bash
(container) $ apt update
(container) $ apt install git vim wget
(container) $ git clone https://github.com/maricaantonacci/cloud-info-provider-deep && cd cloud-info-provider-deep
(container) $ pip install -r requirements.txt
(container) $ pip install -e .
(container) $ cloud-info-provider-service -h
/usr/local/lib/python2.7/site-packages/OpenSSL/crypto.py:14: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography import utils, x509
usage: cloud-info-provider-service [-h] [--middleware MIDDLEWARE]
[--format FORMAT] [--yaml-file YAML_FILE]
[--template-dir TEMPLATE_DIR]
(container) $ pip install git+https://github.com/indigo-dc/bulksend2cmdb
```
Installation of grid-security certs
```
(container) $ cat /etc/apt/sources.list
...
#### #### EGI Trust Anchor Distribution ####
deb http://repository.egi.eu/sw/production/cas/1/current egi-igtf core
(container) $ wget -q -O - https://dist.eugridpma.info/distribution/igtf/current/GPG-KEY-EUGridPMA-RPM-3 | apt-key add -
(container) $ apt-get update
(container) $ apt-get install ca-policy-egi-core
(container) $ ls /etc/grid-security/certificates/
-- list of certs
(container) $ cd /usr/local/share/ca-certificates
(container) $ for f in /etc/grid-security/certificates/*.pem ; do ln -s $f $(basename $f .pem).crt; done
(container) $ ls
-- list of certs
(container) $ update-ca-certificates
```
Installation of a new cert (es chain per Mesos)
```
(container) ### copy the certificate-chain.pem certs into /root/certs
(container) $ cp /root/certs/certificate-chain*.pem /usr/local/share/ca-certificates
(container) $ cd /usr/local/share/ca-certificates
(container) $ for f in /etc/grid-security/certificates/*.pem ; do ln -s $f $(basename $f .pem).crt; done
(container) $ update-ca-certificates
Updating certificates in /etc/ssl/certs...
x added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
(container) ### check certificates in /etc/ssl/certs
```
Populate CMDB from CIP
----------------------
#Create configuration files
##Files for Cloud provider
os.provider.yaml
```
(container) $ mkdir -p /root/provider/sites
(container) $ cat cat <<EOF >>/root/provider/sites/os.provider.yaml
site:
name: Cloud
id: provider_cloud
is_public: false
country: Italy
country_code: IT
roc: NGI_IT
owner_contacts:
-
owner_contacts_iam:
-
compute:
total_cores: 0
total_ram: 0
max_dedicated_ram: 0
min_dedicated_ram: 0
accelerators_virt_type: UNKNOWN
total_accelerators: 0
max_accelerators: 0
min_accelerators: 0
hypervisor: UNKNOWN
hypervisor_version: UNKNOWN
service_production_level: production
capabilities:
- executionmanagement.dynamicvmdeploy
- security.accounting
failover: false
live_migration: false
vm_backup_restore: false
endpoints:
defaults:
iam_enabled: true
idp_protocol: openid
region: sdds
middleware_version: Rocky
api_endpoint_technology: webservice
api_authn_method: openid
production_level: production
federation:
iotwins:
issuer: https://iotwins-iam.cloud.cnaf.infn.it/
protocol: openid
shares:
'ioTwins-TB01':
auth:
project_id: <>
region_name: <>
iam_organisation: TB01/cloud #IAM Group
public_network_name: public
private_network_name: tb01-net
templates:
defaults:
platform: x86_64
network: public
network_in: undefined
network_out: true
images:
defaults:
os_type: Linux
architecture: x86_64
gpu_driver: 'NA'
gpu_cuda_driver: 'NA'
gpu_cudnn_driver: 'NA'
EOF
```
collect-push-cloud.sh
```
(container) $ cd /root/provider
(container) $ cat cat <<EOF >>collect-push-cloud.sh
#!/bin/bash
set -x
export CMDB_ENDPOINT_READ=
export CMDB_ENDPOINT_WRITE=
export CMDB_USER=
export CMDB_PASS=
################
## Provider ##
################
echo "***** Provider *****"
echo "Getting OpenStack data from Provider...."
## [Provider] CIP:Openstack with OIDC token
cloud-info-provider-service \
--insecure \
--all-images \
--select-flavors private \
--os-auth-type v3oidcaccesstoken \
--os-protocol openid \
--os-identity-provider iotwins \ # IAM organization
--os-access-token $IAM_ACCESS_TOKEN \
--os-auth-url <CLOUD_PROVIDER_API_V3_URL> \
--os-project-domain-name default \
--middleware openstack \
--format cmdb \
--yaml-file /root/iotwins-providers/sites/os.provider.yaml \
--template-dir /root/cloud-info-provider-deep/etc/templates/ | bulksend2cmdb --cmdb-read-endpoint $CMDB_ENDPOINT_READ \
--cmdb-write-endpoint $CMDB_ENDPOINT_WRITE \
--cmdb-db-user $CMDB_USER \
--cmdb-db-pass $CMDB_PASS
EOF
```
## Files for Mesos provider
mesos.provider.yaml
```
(container) $ cat cat <<EOF >>/root/provider/sites/mesos.provider.yaml
site:
name: mesos
country: Italy
country_code: IT
is_public: False
owner_contacts:
-
owner_contacts_iam:
-
compute:
accelerators:
vendor: nvidia
model: V100 # TITANX, TITANXSND
endpoints:
defaults:
iam_enabled: true
total_cores: 16
federation:
iotwins:
issuer: https://iotwins-iam.cloud.cnaf.infn.it
protocol: oidc
https://<>/chronos:
service_parent_id: https://<>/mesos
local_volumes_host_base_path: /tmp
# not GPU-enabled
total_accelerators: 1
https://<>/marathon:
service_parent_id: https://<>/mesos
load_balancer_ips: [<>]
local_volumes_host_base_path: /tmp
persistent_storage_drivers: []
# not GPU-enabled
total_accelerators: 1
EOF
```
collect-push-mesos.sh
```
(container) $ cd /root/provider
(container) $ cat <<EOF >>collect-push-mesos.sh
#!/bin/bash
set -x
export CMDB_ENDPOINT_READ=
export CMDB_ENDPOINT_WRITE=
export CMDB_USER=
export CMDB_PASS=
################
## Provider ##
################
echo "***** Provider *****"
echo "Getting Mesos data from Provider...."
## [Provider] CIP:Mesos with OIDC token
for endpoint in mesos marathon chronos; do
echo "Getting Mesos data from https://<>/${endpoint}.."
cloud-info-provider-service \
--middleware mesos \
--format cmdb \
--mesos-cacert /etc/ssl/certs \
--mesos-framework $endpoint \
--mesos-endpoint https://<>/${endpoint} \
--oidc-auth-bearer-token $IAM_ACCESS_TOKEN \
--yaml-file /root/iotwins-providers/sites/mesos.provider.yaml \
--template-dir /root/cloud-info-provider-deep/etc/templates/ | bulksend2cmdb --cmdb-read-endpoint $CMDB_ENDPOINT_READ \
--cmdb-write-endpoint $CMDB_ENDPOINT_WRITE \
--cmdb-db-user $CMDB_USER \
--cmdb-db-pass $CMDB_PASS
echo ""
done
EOF
```
## Populate CMDB
### Generate IAM Access Token
Generate a proper IAM Access Token
### Execute collect-push
```
(container) $ ./collect-push-mesos.sh
or
(container) $ ./collect-push-cloud.sh
```
Information
-----------
iotwins-infn-cloud-support@lists.cnaf.infn.it
INFN Italy