Setting up of an OpenNebula-cloud for cloud computing; and implementing web interface and authentication for KTH-users requesting to use the cloud and Administration web interface for efficient management of user approval
Author: Anders Branderud
Bachelor's thesis in Information and Software Systems, 15 university credits, at the Program of Information Technology at The Royal Institute of Technology, year 2011. Examiner at ICT was Johan Montelius.
Royal Institute of Technology, School of Information and Communication Technology, KTH ICT, Forum 105, 164 40 Kista. URL: http://www.kth.se/en/ict
Abstract
The School of Information and Communication Technology (ICT) at the Royal Institute of Technology (KTH) has 16 computers that it is not using, which it bought from PDC at KTH a couple of years ago. Teachers at KTH are interested in using these computers to let their students work in a cloud computing environment. There is an open source system called OpenNebula, which is used at many universities and by many other people setting up a cloud computing environment. OpenNebula is a distributed virtual machine manager that allows virtualization of IT infrastructure, provides a good environment for user management and for setting up storage subsystems, and has other desirable characteristics suitable for laboratory work in classes. One of the goals of this project was to install OpenNebula on 16 computers, with one of the computers being the front end. I call this cluster of nodes Cloudelia. These are the requirements of the system: In order for a user to use the system, authentication needs to be done to ensure that the user has a KTH account. When an administrator sees a get-permission request from a user and is deciding whether to approve the user or not, the administrator must be able to rely on an authentication mechanism that ensures that the user really is the user with the specific KTH user name shown in the interface. This ensures that any user outside of KTH with an intent to use Cloudelia in a malicious way doesn't get access to the system. The teachers should be provided with an interface in which they can handle the granting/denying of permission to the users who have requested permission to use Cloudelia. They should be able to do this for all of the users in an efficient way, and upon granting access to the users, new user accounts should be created in OpenNebula. This reduces the work load for the teachers. There were certain design choices that were made, including the choice of whether to run OpenNebula with a shared or non-shared file system, whether to use Kerberos or Central Authentication Service (CAS) for authentication, and the choice of which virtual machine to use. The web interfaces were implemented using PHP, AJAX and MySQL. The web interface for teachers used an AJAX framework called DataTables [1], which facilitates and minimizes the amount of code required for presenting data from e.g. MySQL in tables on a web page. It was chosen for the presentation of the users of the system in the administration interface for this reason. AJAX was used because it provides good capabilities for creating a website that interacts with the user.
The back end on the server side was implemented in PHP. It receives arguments by POST and GET. There are different PHP files receiving data from the web interfaces, each with different responsibilities.
Contents
1. Introduction
1.1 Problem background
1.2 Problem statement
1.3 Aim
2. Background
2.1. Description of CAS
2.2. Description of OpenNebula
3. Architecture
3.1 Motivation of CAS
3.2 Motivation of Ajax and DataTables
3.3 Motivation of XEN as a virtual machine
3.4 Motivation of a Non-shared file system
4. Description of implementation
4.2 Administration and Request approval to use Cloudelia web interface
4.2a Administration web interface
4.2b Request approval to use Cloudelia web interface
4.3 PHP back end
4.4 Installation of OpenNebula
4.5 Installation of CentOS, XEN, Apache, PHP and MySQL
5. Summary
6. Future Work
1. Introduction
1.1 Problem background
ICT at the Royal Institute of Technology (KTH) has 16 computers that it is not using, which it bought from PDC at KTH a couple of years ago. Teachers at KTH are interested in using these computers to let their students work in a cloud computing environment. There is an open source system called OpenNebula, which is used at many universities and by many others setting up a cloud computing environment. It is a distributed virtual machine manager that allows you to virtualize your infrastructure; it provides a good environment for user management and for setting up storage subsystems, and it has other desirable characteristics suitable for laboratory work in classes. There is also a broad user group using OpenNebula and a mailing list, which reaches experienced OpenNebula users willing to provide their help.
1.2 Problem statement
One of the goals of this project is to install OpenNebula on 16 computers, with one of the computers being the front end. I call this cluster of nodes Cloudelia. The requirements of the system included the following:
- The interfaces that are developed will be used by teachers ('administrators') and ordinary users ('users').
- The administrators should be able to grant other teachers at KTH the privilege to become administrators.
- In order for a user to use the system, authentication needs to be done to ensure that the user has a KTH account. When an administrator sees a get-permission request from a user and is deciding whether to approve the user or not, the administrator must be able to rely on an authentication mechanism that ensures that the user really is the user with the specific KTH user name shown in the interface.
- An administrator should be presented with information on all KTH users that have requested, and are waiting for, permission to use OpenNebula for a certain course. The administrator should be able to grant permission to any number of these users at a time, and upon granting permission these users will get access to Cloudelia as OpenNebula 'regular users' [explained below] using the login details they provided when requesting permission to use Cloudelia.
- An administrator should be able to see a list of all the users of a certain course and change the permission rights of a user.
1.3 Aim
The authentication procedure outlined above ensures that any user outside of KTH with an intent to use Cloudelia in a malicious way doesn't get access to the system. The described procedure for handling the accounts reduces the work load of the administrators. One advantage is that they don't need to set up accounts for each user one at a time by manually assigning user names and passwords and entering the commands required in OpenNebula for creating an OpenNebula regular user.
2. Background
Essential components of the system developed and deployed in this thesis are OpenNebula and CAS, which are described in this section.
... the cloud. Users use the OpenNebula facilities to create and manage their own virtual machines and virtual networks. In OpenNebula, image repositories are used; an image repository is a storage medium that holds the base images of the virtual machines. OpenNebula uses a daemon, which is the core service of the system. It manages the life cycle of the VMs and orchestrates the cluster subsystems (network, storage and hypervisors). OpenNebula also uses drivers, which are programs used by the core to interface with a specific cluster subsystem, e.g. a given hypervisor or storage file system.” [4] OpenNebula uses the XEN hypervisor, which is a powerful open source standard for virtualization. It provides efficient, powerful and secure virtualization of x86, x86_64, IA64, ARM and other CPU architectures. It runs on e.g. Linux, Windows and Solaris. OpenNebula is installed on CentOS, which is an open source operating system based on the Linux kernel.
3. Architecture
In this section the architecture and the different design choices that were made are described, namely the choice of whether to run OpenNebula with a shared or non-shared file system, whether to use Kerberos or CAS for authorization, and the choice of which virtual machine to use. On the different computers CentOS is installed together with XEN virtualization. XEN virtualization is deployed on a CentOS operating system, and OpenNebula is installed on the CentOS operating system.
3.3 Motivation of XEN as a virtual machine
When installing OpenNebula through the Express installation script available on the OpenNebula website, there is the possibility to choose between installing it with either KVM or XEN. The requirements in order to use KVM are the following:
“The cluster nodes must have a working installation of KVM, that usually requires a CPU with VT extensions; libvirt >= 0.4.0; kvm kernel modules (kvm.ko, kvm-{intel,amd}.ko), available from kernel 2.6.20 onwards; the qemu user-land tools” [5]
The processors of the computers used in this project don't have virtualization extensions, and thus it is not possible to run KVM on them. XEN is a virtual machine that doesn't require this, and thus the choice of using XEN was simple.
A big advantage of using a non-shared system with SSH is that it doesn't require extra work in order to implement security.
4.2 Administration web interface and Request approval to use Cloudelia web interface
The Administration interface and the Request approval to use Cloudelia interface interact with a database. This database contains a table called usersTable with the columns Username [primary key], Password, First name and Last name. It also contains two tables, Courses Approved and Courses Waiting For Approval, and one table containing the user ids of the administrators that are allowed to use the Administration interface. There is a table in the database containing all of the course ids, which is used to quickly retrieve the courses and display them in the Regular users interface and the Administration interface. The interfaces have been tested and are running in Firefox and Google Chrome.
4.2a Administration interface for approving and removing users requesting access to Cloudelia and adding new administrators and courses
The Administration interface uses one database for teachers, which contains the KTH ids of administrators. The administrator logs in through ‘130.237.20.130/adminInterface.php’. Upon browsing to this website, the user is forwarded to a CAS login page if he/she hasn't been authenticated by CAS within the last hours. Upon successful login, there is a check against the MySQL table called teachers, which is done in order to examine whether the teacher is allowed to access the administration interface. If the user is in the teachers table the Administration interface will be presented; otherwise it won't be presented. The Administration interface consists of one page with two menus. One of the menus contains the alternative choices, each corresponding to a different view: Approve users, List approved users, Add administrator and Add course. The other menu consists of the course codes. The user needs to choose one alternative from each menu, and upon choosing this the result is displayed in the view. The request is handled by an AJAX script, which forwards the choices to a PHP script that reads the data corresponding to the choice from the database and returns the reply to the AJAX script. The AJAX script displays the data in the view. When the administrator chooses users by checking the check boxes corresponding to the users and clicks on the ‘Approve users’ or the ‘Remove users’ button of the ‘Approved users’ mode, code is executed (if the criteria outlined below are fulfilled) which inserts lines into a shell script for adding/removing users to/from OpenNebula. Before adding a user to OpenNebula it is checked whether a user with the specific approved user name already exists in the database. If this is the case, a new OpenNebula user isn't added to the database. The user name and the course are added to Courses Waiting For Approval if the user/course combination doesn't already exist in the database. When the user presses the ‘Remove users’ button, the respective users are removed from the database if they aren't registered to any other courses. When the administrator is removing an approved user with the user name spec_username from a course and this user isn't approved for any other course, a line will be added to the shell script addRemoveUsers.sh specifying that the user should be removed: ‘oneuser delete spec_username’. Upon approval of a user, its user name and password are added to a shell script named addRemoveUsers.sh. This file is located in /var/html/www/bachelors and should be executed by the administrator after both removal and approval of users, and subsequently the contents of it should be emptied.
Administration interface used for approving/denying users access to Cloudelia, listing and removing users from Cloudelia, allowing teachers to get access to the administration interfaces, and adding courses.
The user logs in through the CAS login and gets access to the registration interface for regular users of OpenNebula. He/she fills out his/her name, chooses a course from the courses that have been loaded from the database and clicks on the ‘Register’ button. The KTH user name of the user is presented to the user. Upon registering, a check is done whether that user name exists in the database. If it doesn't exist, the user name provided by CAS (i.e. the KTH user name of the user) is written to the database together with the data entered by the user and a secure password generated at the time the user clicked the Register button. The generated password is displayed to the user upon successful registration. The user is shown a message if the user name already existed. If the user exists, but not the user/course combination, the course is added to the Courses Waiting For Approval table for that specific user. The data is validated by the server in order to check that the user has correctly filled out the form.
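The approval/removal flow above queues 'oneuser' lines in addRemoveUsers.sh that the administrator later runs as oneadmin, and the registration step generates a password for each user. The following shell script is an added example, not the thesis's own code: it shows one way to build those lines so that only whitelisted user names and a generated alphanumeric password ever reach the script the administrator executes, with the run-then-empty step from the appendix as a function. The 'oneuser create <name> <password>' and 'oneuser delete <name>' commands are the OpenNebula CLI; the function names and the SCRIPT variable are assumptions.

```shell
#!/bin/sh
# Added example (not the thesis's own code): builds the addRemoveUsers.sh lines
# that the PHP back end appends on approve/remove, accepting only whitelisted
# names so that no user-supplied text can alter the script run as oneadmin.
# Assumed: the OpenNebula 'oneuser create/delete' CLI; the file path is the
# one given in the appendix.

SCRIPT="${SCRIPT:-/var/www/html/bachelors/addRemoveUsers.sh}"

# Accept only letters, digits, '.', '_' and '-' (KTH user names and generated
# passwords fit this). Returns 0 for an acceptable value, 1 otherwise.
valid_name() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Random 16-character alphanumeric password from /dev/urandom. Being
# alphanumeric, it is also safe inside the single-quoted script line.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# Print the line that creates an approved user; prints nothing and fails
# on a name or password that does not pass the whitelist.
add_user_line() {
    valid_name "$1" || return 1
    valid_name "$2" || return 1
    printf "oneuser create '%s' '%s'\n" "$1" "$2"
}

# Print the line that removes a user no longer approved for any course.
delete_user_line() {
    valid_name "$1" || return 1
    printf "oneuser delete '%s'\n" "$1"
}

# Append one generated line to the pending script.
queue_line() {
    printf '%s\n' "$1" >> "$SCRIPT"
}

# The administrator's step from the appendix: run the queued commands, then
# empty the file so the same users are not created or deleted a second time.
run_pending() {
    [ -s "$SCRIPT" ] || return 0
    sh "$SCRIPT" && : > "$SCRIPT"
}
```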
brctl addbr br0
brctl addif br0 eth1
On the front end, the command ‘onehost create hostname im_xen vmm_xen tm_ssh’ is executed for each of the hosts that will act as worker nodes in Cloudelia. vmm_xen defines that Xen will be used as the virtualization driver to boot, stop, resume or migrate virtual machines on the host, and tm_ssh defines that SSH will be used as the transfer driver to clone, delete, move or copy images into the host. im_xen defines that XEN will be used as the information driver to monitor the host. ‘Hostname’ should be the IP address or the host name of the cluster node. In order to enable the nodes of the OpenNebula cloud, the command ‘onehost enable ip-address’ is executed for each of the IP addresses of the cloud, replacing ‘ip-address’ with the respective IP address.
MySQL support in PHP is installed. PHPMyAdmin, a web interface through which one can manage one's MySQL databases, is installed. JSON support for PHP is installed.
5. Summary
Included in the objectives of this thesis were to create an interface which students would use to ask for access to Cloudelia, and an administrator interface in which administrators could approve or deny access to these users. Upon approval the users would get access to the cloud, which would be set up as part of the thesis. This mechanism would reduce the work that is required to be done by the administrators. Another of the aims was to find an authentication procedure which ensures that any user outside of KTH with an intent to use Cloudelia in a malicious way won't get access to the system. CAS was chosen for this purpose since it is a secure alternative and is easily implemented over HTTP. The web interfaces and the security mechanism were successfully implemented and deployed on the front end of Cloudelia. The web interface for teachers needs to handle a large amount of data and present the data in a structured way. DataTables is an AJAX framework that facilitates and minimizes the amount of code required for presenting data from e.g. MySQL in tables on a web page. It was chosen for the presentation of the users of the system in the administration interface for this reason. OpenNebula requires a virtual machine on the computers on which it is installed. KVM and XEN were considered, and XEN was chosen since KVM couldn't run due to the lack of CPUs with virtualization extensions. When installing OpenNebula a choice can be made between using a non-shared or a shared file system. A non-shared file system was chosen because it didn't require any purchase of additional storage. A big advantage of using a non-shared system with SSH is that it doesn't require any extra work in order to implement security. The Administration interface and the interface used for registration communicate extensively with the back end, which was implemented in PHP. The back end receives arguments by POST and GET. There are different PHP files receiving data from the web interfaces, each with different responsibilities. These PHP files retrieve data from tables in a MySQL database. When a user logs in to the Administration interface, the user name of that user is matched against the teachers table in the database. If it isn't found in the table, then the user is denied access to the administration interface.
Upon the administrator's approval of a user, its user name and password are added to a shell script by PHP. When the administrator executes this shell script, the approved users get access to OpenNebula and can log in through 130.237.20.130:4567. If a user subsequently is removed from all courses for which it is approved, it will also be added to a shell script, which should be executed by an administrator.
6. Future Work
The Administration interface and the Request approval to use Cloudelia interface can be improved in some ways. One of these improvements is that a student who has already signed in to a course could get the first name and last name filled in automatically upon logging in to the Request approval to use Cloudelia interface. The courses that the student had already requested approval for could be removed from the courses displayed in this interface. Another improvement is to find a way to execute the shell script from the PHP code, decreasing the work that the administrator has to do manually.
Literature references
1. More information on this website: http://www.datatables.net/
2. http://www.jasig.org/cas/about ; Retrieved 2011-04
3. About the OpenNebula.org Project: http://opennebula.org/about:about ; Retrieved 2011-06
4. Overview section of "Planning the installation"; http://opennebula.org/documentation:rel2.2:plan ; Retrieved 2011-06
5. KVM driver section of http://www.opennebula.org/documentation:rel2.2:kvmg ; Retrieved 2011-06
6. Storage section of the article in note 3. Retrieved 2011-06
7. User reply on the OpenNebula mailing list; http://comments.gmane.org/gmane.comp.distributed.opennebula.user/3107 ; Retrieved 2011-06
8. https://www.kth.se/social/page/php/ ; Retrieved 2011-04
Appendix
Section 1: Usage instructions
Section 1a. How to log in to the web interfaces of Cloudelia
Start by logging in to the computer which is the front end for Cloudelia, computer 26 [130.237.20.130]. Log in to the web interface deployed on that computer by providing KTH login details.
Student interface: 130.237.20.130/studentInterface.php
Admin interface: 130.237.20.130/adminInterface.php
Section 1d. Instructions for executing the shell script used for adding/removing users
The administrator logs in through SSH using PuTTY to the IP 130.237.20.130. He/she executes the command ‘su oneadmin’, then ‘cd /var/www/html/bachelors’ and finally ‘./addRemoveUsers.sh’. This executes the shell script 'addRemoveUsers.sh', which adds the user/users to OpenNebula, and the user/users can subsequently log in through 130.237.20.130:4567 using the user name and password they received upon requesting approval to use Cloudelia. The administrator then must execute the command '> addRemoveUsers.sh' to empty the contents of the file.
Section 2. How to manage the cloud
Here is more information about how to manage the cloud: http://www.opennebula.org/documentation:documentation:operation_guide. SunStone can be used: http://www.opennebula.org/documentation:rel2.2:img_guide [See the bottom of this page.] If a host goes down, this can be tried in the terminal when logged in as ‘oneadmin’: onehost enable ip_address. If it still doesn't work, the host might have crashed. See section 1.e for what to do if this is the case.
Section 3. IP addresses for the cloud (12 up and running at the time of the writing of this thesis.)
Here follow the numbers of the computers, i.e. the number to the right of the computer in the server hall, and their assigned IP addresses:
Computer 28: 120.237.20.139; open-nebula-16.it.kth.se
Computer 27: 130.237.20.138
Computer 26: 130.237.20.130; open-nebula-7.it.kth.se (Front end of Cloudelia)
Computer 25: Computer doesn't start due to hardware problem.
Computer 20: 130.237.20.124; open-nebula-1.it.kth.se
Computer 19: 130.237.20.126; open-nebula-3.it.kth.se
Computer 18: 130.237.20.127; open-nebula-4.it.kth.se
Computer 17: 130.237.20.129; open-nebula-6.it.kth.se
Computer 16: 130.237.20.134
Computer 15: Computer doesn't start due to hardware problem.
Computer 14: 130.237.20.137
Computer 13: 130.237.20.133
Computer 10: 130.237.20.136; open-nebula-13.it.kth.se
Computer 9: 130.237.20.132
Computers 7 and 8: Were borrowed and not returned. Upon return of the computers, they can be assigned e.g. 130.237.20.131 and 130.237.20.135.
Assigned IP addresses: 130.237.20.124-139
Names in DNS: open-nebula-1.kth.se to open-nebula-16.it.kth.se
Style sheets. Files used for CAS login. Used by administrators for approval of users, etc. Used for registration of students.
Shell script for adding and removing users (approved/removed in adminInterface.php) to/from the cloud.
Includes/ password.php
Adding a teacher to the MySQL table teachers. Handling requests for approval and removal of users. Check whether a teacher is in the table called teachers. Used by studentAddData.php, adminShowData.php and other PHP files, e.g. for connection to the database. Include files used for jQuery and DataTables. Used for generation of a random and secure password.
sqlCheck.php studentAddData.php