Setting up of an OpenNebula-cloud for cloud computing

"nders (randerud

Master of Science Thesis Stockholm, Sweden 2011 T !T"-!#T-$%-2011&1'1

Setting up of an OpenNebula-cloud for cloud computing; and implementing web interface and authentication for KTH-users requesting to use the cloud and Administration web interface for efficient management of user approval
Author Anders !randerud
!achelors thesis in "nformation- and Software s#stems$ %& universit# credits at the 'rogram of "nformation Technolog# at The (o#al "nstitute of Technolog# #ear )*%% +,aminator at "-T was .ohan /ontelius

(o#al "nstitute of Technolog# School of "nformation and -ommunication Technolog# KTH "-T 0orum %*&$ %12 2* Kista 3(4 http 55www67th6se5en5ict

Abstract
School of "nformation and -ommunication Technolog# 8"-T9 at (o#al "nstitute of Technolog# 8KTH9 have %1 computers that the# are not using$ which the# bought from ':- at KTH a couple of #ears ago6 Teachers of KTH are interested in using these computers to let their students wor7 on a cloud computer environment6 There is an open source s#stem called OpenNebula$ which is used on man# universities and b# man# other persons setting up a cloud computer environment6 OpenNebula is an distributed virtual machine manager that allows virtuali;ation of "Tinfrastructure$ provides good environment for user management and setting up storage sub s#stems and has other desirable characterics suitable for laborations in classes6 One of the goals of this pro<ect was to install OpenNebula on %1 computers$ with one of the computers being the front end6 " call this cluster of nodes -loudelia6 These are the requirements of the s#stem "n order for a user to use the s#stem$ authentication needs to be done to ensure that it has a KTHaccount6 =hen an administrator sees a get permission-request from an user and is deciding on whether to approve the user or not$ it must be able to rel# on that an authentication-mechanism ensures that the user reall# is the user with the specific KTH-user name shown in the interface6 This ensures that an# user outside of KTH with an intent to use -loudelia in a malicious wa# doesn>t get access to the s#stem6 The teachers should be provided an interface in which the# can handle the granting5den#ing of permission of the users whom have requested permission to use -loudelia6 The# should be able to do this for all of the users in an efficient wa# and upon granting access to the users$ new user accounts should be created in OpenNebula6 This reduces the wor7 load for the teachers6 There were certain design choices that were made$ including the choice of whether to run OpenNebula with a shared or non-shared file s#stem$ whether to use Kerberos or -entral Authentication Service 8-AS9 for authentication and the choice of which virtual machine to use6 The web interfaces were implemented using 'H'$ A.A? and /#S@46 The web interface for teachers used an A.A?-framewor7 called :ataTables A%B$ which facilitates and minimi;es the code amount required for presenting data from e6g6 /#S@4 in tables on a web page6 "t was chosen to be used for the presentation of the users of the s#stem in the administration interface for this reason6 A.A? was used because it provides good capabilities of creating a website with interaction with the user6

The bac7 end on the server side was implemeted in 'H'6 "t receives arguments b# 'OST and C+T6 There are different php-files receiving data from the web interfaces with different responsibilities6

Contents
1. Introduction %6% 'roblem bac7ground %6) 'roblem statement %6D Aim 2. Background )6%6 :escription of -AS )6)6 :escription of OpenNebula 3. Architecture D6% /otivation of -AS D6) /otivation of A<a, and :ataTables D6D /otivation of ?+N as a virtual machine D62 /otivation of a Non-shared file s#stem 4. Description of i p!e entation 26) Administration and Request approval to use Cloudelia-web interface 26)a Administration web interface 26)b Request approval to use Cloudelia-web interface 26D 'H'-bac7 end 262 "nstallation of OpenNebula 26& "nstallation of -entOS$ ?+N$ Apache$ 'H' and /#S@4
". #u ar$ %. &uture 'ork %

D &

%2 %1

(iterature references Appendi)

1. Introduction
1.1 *rob!e background

"-T at (o#al "nstitute of Technolog# 8KTH9 have %1 computers that the# are not using$ which the# bought from ':- at KTH a couple of #ears ago6 Teachers of KTH are interested in using these computers to let their students wor7 on a cloud computer environment6 There is an open souce s#stem called OpenNebula$ which is used on man# universities and b# man# others setting up a cloud computer environment6 "t is an distributed virtual machine manager that allows #ou to virtuali;e #our infrastructure$ it provides good environment for user management$ setting up storage subs#stems and has other desirable characterics and has other desirable characterics suitable for laborations in classes6 There is also a broad user group using OpenNebula and a mailing list$ which reaches e,perienced OpenNebula-user willing to provide their help6

1.2 *rob!e

state ent

One of the goals of this pro<ect is to install OpenNebula on %1 computers$ with one of the computers being the front end6 " call this cluster of nodes -loudelia6 The requirements of the s#stem included the following requirements The interfaces that are developed will be used b# teachers 8Fadministrators>9 and ordinar# users 8Fuser>96 The administrators should be able to grant other teachers of KTH the privilege to become administrators6 "n order for a user to use the s#stem$ authentication needs to be done to ensure that it has a KTH-account6 =hen an administrator sees an get permission-request from an user and is deciding on whether to approve the user or not$ it must be able to rel# on that an authentication-mechanism ensures that the user reall# is the user with the specific KTH-user name shown in the interface6 An administrator should be presented with information of all KTH-users that have requested and are waiting for to get permission to use OpenNebula for a certain course6 The administrator should be able to grant permission to an# number of these users at a time$ and upon granting permission these users will get access to -loudelia as OpenNebula->regular users> Ae,plained belowB using the login details the# provided upon requesting permission to -loudelia6 An administrator should be able to see a list of all the users of a certain course and can change the permission rights of an user6

1.3 Ai

The authentication procedure outalined above ensures that an# user outside of KTH with an intent to use -loudelia in a malicious wa# doesn>t get access to the s#stem6 The described procedure of handling the accounts reduces the wor7 load of the administratiors6 One advantage is that the# don>t need to set up accounts for each user one at a time$ b# manuall# assigning them user names$ passwords and entering the commands required in OpenNebula for creating an OpenNebula-regular user6

2. Background
+ssential components of the s#stem developed and deplo#ed in this thesis are OpenNebula and -AS$ which are described in this section6

2.1. Description of CA#

An application that wants to authenticate users with -AS$ uses a -AS client and a small amount of code in order to interact with the user6 A new user opens a web page of the web browser and the web application redirects the browser to -AS-login 8via the -AS-client96 -AS then authenticates the user6 The user is onl# returned to the web application upon successful login6 3pon successful login$ -AS will redirect the browser bac7 to the application and append a tic7et parameter to the 3(46 The application sends the tic7et bac7 to the -AS-server in order to validate it6 3pon receival of the tic7et$ -AS will either respond that the tic7et doesn>t correspond to a valid user$ or it will create a response including the user>s Net":$ so that the web application can 7now the identit# of the user6 The application should 7eep trac7 of its own session management6 A)B

2.2. Description of +pen,ebu!a

OpenNebula is an open source cloud computing tool used to manage the heterogenit# and comple,it# of distributed data center infrastructures6 Some of it is ob<ectives are to develop the most-advanced$ highl#-scalable and adaptable software tool7it for cloud computing management and to assure the stabilit# and the qualit# of their software tool7it6 ADB The cloud consists of a front end$ which e,ecutees the OpenNebula and cluster services6 "t also contains of other nodes$ which are h#pervisor-enabled hosts that provide the resources needed b# the virtual machines6 The Foneadmin> is the administrator of the private cloud and it performs an# operation on the virtual machines$ virtual networ7s and nodes6 "n order for doing this the oneadmin can either use the console or Sunstone$ which is a web client6 Sunstone provides a smooth wa# to add and remove users$ manage virtual machines$ clusters and hosts and virtual networ7s6 "t can also be accessed b# other users whom want to use

the cloud6 3sers use the OpenNebula facilities to create and manage their own virtual machines and virtual networ7s6 "n OpenNebula image repositories are used$ which is a storage medium that holds the base images of the virtual machines6 OpenNebula uses a daemon$ which is the core service of the s#stem6 "t manages the life-c#cle of the G/s and orchestrates the cluster subs#stems 8networ7$ storage and h#pervisors96 OpenNebula also uses drivers$ which are programs used b# the core to interface with an specific cluster subs#stem$ e6g6 a given h#pervisor or storage file s#stem6H A2B OpenNebula use the ?+N h#pervisor$ which is a powerful open source standard for virtuali;ation6 "t provides efficient$ powerful and a secure virtuali;ation of ,E1$ ,E1I12$ "A12$ A(/ and other -'3-architectures6 "t is runnable on e6g6 4inu,$ =indows and Solaris6 OpenNebula is installed on -entOS$ which is an open source operating s#stem based on the 4inu,-7ernel6

3. Architecture
"n this section the architecture and the different design choices that were made are described; namel# the choice of whether to run OpenNebula with a shared or non-shared file s#stem$ whether to use Kerberos or -AS for authori;ation and the choice of which virtual machine to use6 On the different computers -entOS is installed together with ?+N Girtuali;ation6 The ?+N Girtuali;ation is deplo#ed on a -entOS-operating-s#stem and OpenNebula is installed on the -entOS-operating s#stem6

3.1 -oti.ation of CA#

:uring this thesis " chose between using -AS and Kerberos$ which both can be used to implement the desired authentication mechanism specified in the Problem statement-section6 The advantages that led me to choose -AS over Kerberos was that it is easier to implement and that there is no direct support for 7erberos-over-http6 "n m# solution " wanted to use authentication over http and since Kerberos has no direct support for it$ choosing -AS was a simple choice6

3.2 -oti.ation of A/a) and DataTab!es

:ataTables is an A.A?-framewor7 that facilitates and minimi;es the code amount required for presenting data from e6g6 /#S@4 in tables on a web page6 "t was chosen to be used for the presentation of the users of the s#stem in the administration interface for this reason6 Another s#stem named Coogle =eb Tool7it was considered$ but wasn>t chosen due to a bug that occured6 :ataTables also requires less time to use and learn for a user familiar with A<a, and 'H'6 A.A? was used because it provides good capabilities of creating a website with interaction with the user6

3.3 -oti.ation of 01, as a .irtua!

achine

=hen installing OpenNebula through an +,press installation script available at the OpenNebulawebsite$ there is the possibilit# to choose between installing it with either KG/ or ?+N6 The requirements in order to use KG/ are the following
5

2The cluster nodes must have a wor7ing installation of KG/$ that usuall# requires -'3 with GT e,tensions

libvirt JK *626* 7vm 7ernel modules 87vm67o$ 7vm-Lintel$amdM67o96 Available from 7ernel )616)*
onwards6 the qemu user-land toolsH A&B The processes of the computers used in this pro<ect don>t have a virtual e,tension and thus it is not possible KG/ on them6 ?+N is a virtual machine that doesn>t requires this and thus the choice of using ?+N was simple6

3.4 -oti.ation of ,on3shared fi!e s$ste

"n OpenNebula one can chose between using a Shared or a Non-shared file s#stem6 "n a non-shared file s#stem the images are alwa#s cloned and one is able to do cold migrations6 The non-shared file s#stem doesn>t impose an# big storage requirements6 A shared file s#stem$ on the other hand$ requires much more storage6 Ta7e e6g6 this e,ample from the website of OpenNebula N A 2 core cluster will t#picall# run around E*G/s$ each G/ will require an average of %*C! of dis7 space6 So #ou will need OE**C! for 5srv5cloud5one$ #ou will also want to store %*-%& master images so O)**C! for 5srv5cloud5images6 A %T! 5srv5cloud will be enough for this e,ample setup6H A1B The reason a Non-shared file s#stem was chosen was because it didn>t require an# purchase of additional storage6 =hen one chooses to use a Non-shared setup one onl# needs the space for the golden images in the repositories$ provided that one doesn>t want to store stopped images and be able to restart previousl# stopped images6 The cloud hosts need as much storage as is required for the wished amount of virtual machines to run6 The two storage bac7 ends have different characteristics6 Shared storage allows live migrations to be done and direct starts of non-cloned images6 Non-shared storage is more scalable as the N0S-share is not the bottlenec7$ but live migrations canPt be performed6 AQB

A big advantage of to use a non-shared s#stem with SSH$ is that it doesn>t require e,tra wor7 in order to implement securit#6

4. Description of i p!e entatiton

4.1 CA#3!ogin
The -AS-login is done in the 'H'-files for the Aministration interface and Request approval to use Cloudelia-interface6 The# use the following code includeIonce8Plogincas5-AS6phpP9; 55 initiali;e php-AS php-AS client8-ASIG+(S"ONI)I*$Plogin67th6seP$22D$PP9; php-AS setNo-asServerGalidation89; 55 force -AS authentication php-AS forceAuthentication89; 55 at this step$ the user has been authenticated b# the -AS server 55 and the userPs login name can be read with php-AS get3ser896 55 logout if desired if 8isset8RI(+@3+STAPlogoutPB99 L php-AS logout89; MN AEB

4.2 Ad inistration 'eb interface and Request approval to use Cloudelia-'eb interface
The Administration interface and Request approval to use Cloudelia-interface interact with a database6 This database contains a table called usersTable containing these columns Username A'rimar# 7e#B$ Password$ First name and Last name6 "t also contains two tables containing Courses Approved, Courses Waiting For Approval and one table containing user ids of administrators that are allowed to use the Administration interface6 There is a table in the database containing all of the course ids$ which is used to in a quic7 wa# retrieve the courses and displa#ing them in the Regular users-interface and the Administration-interface6 The interfaces have been tested and are running in 0irefo, and Coogle -hrome6

4.2a Ad inistration interface for appro.ing and re o.ing users re4uesting to access Cloudelia and adding ne' ad inistrators and courses
The Administration interface uses one database for teachers$ which contains KTH-id>s of administrators6 The administrator logs in through F%D*6)DQ6)*6%D*5admin"nterface6phpP6 3pon browsing to this website$ the user is forwarded to a -AS-login-page if he5she hasn>t been authenticated within the last hours b# -AS6 3pon successful login$ there is a chec7 in the /#S@4-table called teac ers$ which is done in order to e,amine whether the teacher is allowed to access the administration interface6 "f the user is in the teac ers-table the Administration interface will be presented6 Otherwise the Administration interface won>t be presented6 The Administration interface consists of one page with with two menus6 One of the menu contains the alternative choices - each corresponding to a different view Approve users, List approved users, Add administrator and Add course6 The other menu consists of the course codes6 The user needs to choose one alternative from each menu and upon choosing this$ the result is displa#ed in the view6 The request is handled b# an A.A?-script$ which forwards the choices to a php-script that reads the data corresponding to the choice from the database and returns the repl# to the A.A?-script6 The A.A?-script displa#s the data in the view6 =hen the administrator chooses users b# chec7ing the different chec7 bo,es corresponding to the users and clic7s on the FApprove users> or the F(emove users>-button of the PApproved usersP-mode$ code is e,ecuted - if certain criteria are fulfilled outlined below - which inserts lines in a shell script for adding5removing users to OpenNebula6 !efore adding a user to OpenNebula it is chec7ed if the user with the specific approved user name alread# e,ists in the database6 "f this is the case a new OpenNebula-user isn>t added to the database6 The user name and the course are added to Courses Waiting !or Approval if the userscourse combination doesn>t alread# e,ist in the database6 =hen the user is pressing the F(emove users>-button$ the respective users are removed from the database if he5she isn>t registered to an# other courses6 =hen the administrator is removing an approved user with the user name spec"username from a course and this user isnPt approved to an# other course$ a line in the shell script add(emove3sers6sh will be added$ specif#ing that the user should be removed Poneuser delete spec"usernameP6 3pon approval of a user$ its user name and password are added to a shell script named addRemoveUsers#s 6 This file is located in 5var5html5www5bachelors and should be e,ecuted b# the administrator after both removal and approval of users and subsequentl# the contents of it should be emptied6

Administration inter!ace used !or approving$dening users access to Cloudelia, list and remove users !rom Cloudelia, allow teac ers to get access to t e administration inter!aces and add courses#

4.2b Request approval to use Cloudelia-'eb interface

User stud%ing t e course &'(()(, requesting to use *pen+ebula#

The user logs in through -AS-login and gets access to the registration interface for regular users of OpenNebula6 He5she fills out her name and chooses a course from the courses that have been loaded from the database and clic7s on the F(egister button>6 The KTH-user name of the user is presented to the user6 3pon registering a chec7 is done whether that user name e,ists in the
10

database6 "f it doesn>t e,ist$ the user name provided from -AS 8i6e6 the KTH user name of the user9 is written to the database together with the user entered data and a secure password generated at the time the user clic7ed the (egister-button6 The generated password is displa#ed to the user upon successful registration6 The user is displa#ed a message if the user name alread# e,isted6 "f the user e,ists$ but not the user-course combination$ the course is added to the Courses Waiting For Approval-table for that specific user6 The data is validated b# the server in order to chec7 that the user has correctl# filled out the form6

4.3 *H*3back end.

The bac7 end of the server side is implemeted in 'H'6 "t receives arguments b# 'OST and C+T6 There are different php-files receiving data from the web interfaces with different responsibilities 8See more information in Appendi, S section &69 one is chec7ing if a specific teacher is in the teac ers-table$ one is retrieving the courses from the courses-table and sending them bac7 in a selection menu$ one is inserting the students into the users-table and one is dealing with all of the various requests from the administration interface6 !ased on the sent to this 'H'-file$ it will do different operations on the different sql tables in form of select$ delete and insert-operations6 "t receives an arra# with users and will perform operations on each of these users6 The bac7 end chec7s the parameters sent b# 'OST and C+T to avoid /#S@4-in<ections6

4.4 Insta!!ation of +pen,ebu!a

"n order to install OpenNebula$ OpenNebula +,press is first downloaded and unpac7ed on the OpenNebula-front end6 Then the user is switched to the root user6 After this$ Fsudo 65install6sh> in the terminal is e,ecuted inside of the OpenNebula +,press-director#6 Subsequentl# the alternative F-entOS - ?en - SSH> is chosen6 The file node-install6sh is put on an 3S!-memor# and is e,ecuted on all OpenNebula-wor7er nodes6 The OpenNebula-installation script is e,ecuted on the front end-computer6 (ub# %6T6) is installed and configurations are done - so that all programs will use (ub# %6T6) instead of (ub# %6E6&$ which was installed in the OpenNebulainstallation script - since the SunStone-application provided with OpenNebula doesn>t wor7 otherwise6 (ub# %6T6) is installed using (ub# Gersion /anager6 Also .SON$ (ac7$ Sinatra and Thin - pac7ages which are required in order to run Sunstone - are installed using (ub# Gersion /anager through the command Frvm %6T6) gem install .SON rac7 sinatra thin>6 +ach computer is restarted after the e,ecution of the OpenNebula +,press-script6 This is e,ecuted on each node in order to configure the networ7 interfaces

11

brctl addbr br* brctl addif br* eth% On the front end$ the command Fonehost create hostname imI,en vmmI,en tmIssh> is e,ecuted for the different hosts that will act as wor7er nodes in Cloudelia6 ,mm"-en defines that ?en will be used as a virtual driver to boot$ stop$ resume or migrate virtual machines in the host$ and tm"ss defines that SSH will be used as the storage driver to clone$ delete$ move or cop# images into the host6 &m"-en defines that ?+N will be used as information driver to monitor the host6 FHostname> should be the ip address or the host name of the cluster node6 "n order to enable the nodes of the OpenNebula-cloud the command Fonehost enable ip-address> is e,ecuted for all of the different ip addresses of the cloud$ replacing Fip-address> with the different ip addresses of the cloud6

.osts t at are included in t e cloud#

4." Insta!!ation of Cent+#5 01,5 Apache5 *H* and -$#6(

The -entOS-installation file is downloaded6 "t is e,tracted to an 3S! drive6 This 3S!-drive is used installing -entOS on all %1 computers6 The computers are individuall# assigned the "'addresses that the networ7 administrator has reserved for this purpose6 :uring the installation virtuali;ation is installed6 Then Apache$ 'H' and /#S@4-server are installed and s#stem startup-lin7s are created so that Apache and /#S@4-server will start automaticall# each time the computer is rebooted6 /#S@4-server and Apache are started6 The commands m%sqladmin -u root password /secret password0 and m%sqladmin - %D*6)DQ6)*6%D* -u root password /secret password0 are e,ecuted in order to create a password for logging into the /#S@4-server6 The files for the web interfaces are put in ApachePs default document root F$var$www$ tml>6 'ac7ages for

12

/#S@4-support in 'H' are installed6 'H'/#Admin$ a web interface through which one can manage ones /#S@4 databases$ is installed6 .SON-support for 'H' is installed6

13

". #u

ar$

"ncluded in the ob<ectives of this thesis were to create an interface which students would use to as7 to get access to -loudelia and an administrator interface in which administrators could approve or den# access to these users6 3pon approval the users would get access to the cloud$ which would be set up as part of the thesis6 This mechanism would reduce the wor7 that is required to be done b# the administrators6 Another of the aims was to find an authentication procedure$ which ensures that an# user outside of KTH with an intent to use -loudelia in a malicious wa#$ wonPt get access to the s#stem6 -AS was chosen for this purpose since it is a secure alternative and is easil# implemented over http6 The web interfaces and the securit# mechanism were successfull# implemented and deplo#ed on the front end of -loudelia6 The web interface of teachers needs to handle a large amount of data and present the data in a structured wa#6 :ataTables is an A.A?-framewor7 that facilitates and minimi;es the code amount required for presenting data from e6g6 /#S@4 in tables on a web page6 "t was chosen to be used for the presentation of the users of the s#stem in the administration interface for this reason6 OpenNebula requires a virtual machine on the computers on which it is installed6 KG/ and ?+N were considered and ?+N was chosen since KG/ couldnPt run due to the lac7 of -'3Ps with virtual e,tensions6 =hen installing OpenNebula a choice can be made between using a Non-shared or a Shared file s#stem6 A Non-shared files#stem was chosen due to that it didn>t require an# purchase of additional storage6 A big advantage with using a Non-shared s#stem with SSH is that it doesn>t require an# e,tra wor7 in order to implement securit#6 The Administration interface and interface used for registration communicate much with the bac7 end$ which was implemeted in 'H'6 The bac7 end receives arguments b# 'OST and C+T6 There are different php-files receiving data from the web interfaces with different responsibilities6 These php-files retrieve data from tables in a /#S@4-database6 =hen a user logs in to the Administration interface$ the user name of that user is matched to the teachers table in the database6 "f it isnPt found in the table$ then the user is denied access to the administration interface6

14

3pon the administratorPs approval of a user$ its user name and password is added to a shell script b# 'H'6 =hen the administrator e,ecutes this shell script$ the approved users get access to OpenNebula and can log in through %D*6)DQ6)*6%D* 2&1Q 6 "f a user subsequentl# is removed from all courses to which it is approved$ it will also be added to a shell script$ which should be e,ecuted b# an administrator6

15

%. &uture 'ork
The Administration interface and Request approval to use Cloudelia-interface can be improved in some wa#s6 One of these improvements is that a student who alread# has signed in to a course$ could get the first name and last name filled in automaticall# upon logging in to the Request approval to use Cloudelia-interface6 The courses that it alread# had requested approval for could be removed from the courses displa#ed in this interface6 Another improvement is to find a wa# to e,ecute the shell script from the php code$ decreasing the wor7 that the administrator has to do manuall#6

16

(iterature references
%6 /ore information on this website http 55www6datatables6net5 )6 http 55www6<asig6org5cas5about ; (etrieved )*%%-*2 D6 About t e *pen+ebula#org Pro1ect2 http 55opennebula6org5about about ; (etrieved )*%%-*1 26 Overview-section of 3Planning t e installation3; http 55opennebula6org5documentation rel)6) plan ; (etrieved )*%%-*1 &6 KG/-driver-section of http 55www6opennebula6org5documentation rel)6) 7vmg ; (etrieved )*%%-*1 16 Storage-section of the article in note D6 (etrieved )*%%-*1 Q6 3ser repl# of Open nebula mailing list; http 55comments6gmane6org5gmane6comp6distributed6opennebula6user5D%*Q ; (etrieved )*%%-*1 E6 P.P https 55www67th6se5social5page5php5 ; (etrieved )*%%-*2

17

Appendi)
#ection 1 7sage instructions #ection 1a. Ho' to !og in to the 'eb interfaces of C!oude!ia
Start with logging in to the computer which is the front end for -loudelia on computer )1 A%D*6)DQ6)*6%D*B6 4og in to web interface deplo#ed on that computer b# providing KTH-login details6 Student interface %D*6)DQ6)*6%D*5student"nterface6php Admin interface %D*6)DQ6)*6%D*5admin"nterface6php

#ection 1b. Ho' to use *hp-$Ad in

'H'/#Admin is used to create table and configure databases manuall#6 "n order to access it$ browse to the website localhost5phpm#admin in a web browser of the front end computer6 4og in with the password that has been given to the administrators and with the user name Froot>6 "t is also possible to allow certain ip addresses for public access b# adding an e,ception rule for these certain ip addresses in a configuration file for 'H'/#Admin6

#ection 1c 7sage instructions for #unstone

"t is started through the command Fsunstone-server -H F%D*6)DQ6)*6%D*> -p 2&1Q start> being logged in as oneadmin and subsequentl# having e,ecuted Frvm use %6T6)>6 "t is important to use a capital H and a small Fp> in the command6 3pon successful e,ecution of the command$ the te,t Fsunstone-server started> is printed out on the console6 The service is accessed through a web browser on this address http 55%D*6)DQ6)*6%D* 2&1Q5 To stop SunStone this command is written in the terminal logged in as oneadmin Fsunstoneserver stop>

#ection 1d Instructions for e)ecuting she!! script used for adding8re o.ing users
The administrator logs in through SSH using 'utt# and logging in to the "' %D*6)DQ6)*6%D*6 "t e,ecutes the command Fsu oneadmin> and then F cd 5var5 '''5html5bachelors> and finall#
18

F65add(emove3sers6sh>6 This e,ecutes the shell script Padd(emove3sers6shP$ which adds the user5users to OpenNebula; and the user5users can subsequentl# log in through %D*6)DQ6)*6%D* 2&1Q using the username and password the# received upon requesting approval to use Cloudelia 6 The administrator then must e,ecute the command PJ add(emove3sers6shP to empt# the contents of the file6

#ection 1e. Instructions if nodes of the c!oud goes do'n

&ront end -hoose the boot option with ?+N6 =hen the different daemons are loading$ it is printed out on the screen F'ress " to enter interactive setup>6 :o thisU -lic7 on FV> for all of the different questions6 "f this isnPt done it ma# result in that a blac7 screen is displa#ed and the computer has to be rebooted #et again6 4og in using the username Froot>6 !e sure that OpenSSH-server is up running 6 This can be chec7ed b# the command Pps au, W grep sshdP and should result in one process being listed with the parameter P5usr5sbin5sshdP6 Sshd must be running for the administrator to perform that which is outlined in section Q6%d6 The OpenSSH-server is restarted through the command P5etc5init6d5sshd restartP :o Fsu oneadmin> to enter into the user account for OpenNebula6 (un the command Frvm use %6T6)> so that the (ub#-version required for SunStone to wor7 well will be used6 0ollow the instructions in the Sunstone-paragraph above in section %c for starting Sunstone6 "n order to enable the nodes of the OpenNebula-cloud this should be done6 +,ecute the command Ponehost listP logged in as PoneadminP (un the command Fonehost enable ip-address> for all of the different ip-addresses of the cloud$ replacing Fip-address> with the ip addresses of the cloud6 +rdinar$ nodes Start up the computers6 -lic7 on 0% during start up6 4og in as root6 On some computers 8e6g6 computer T$%2$ )*$ )Q and )E9 there is a menu choice that must be made between -entOS ?+N and -entOS without ?+N6 -hoose -entOS with ?+N6

19

#ection 2. Ho' to

anage the c!oud

Here is more information about how to manage the cloud http 55www6opennebula6org5documentation documentationXoperationIguide SunStone can be used http 55www6opennebula6org5documentation rel)6) imgIguide ASee the bottom of this page6B "f a host goes down this can be tried in the terminal when being logged in as Foneadmin> onehost enable ipIaddress "f it still doesnPt wor7$ the host might have crashed6 See section %6e of what to do if this is the case6

#ection 3. I* addresses for the c!oud 912 up running at the ti e of the 'riting of this thesis.:
Here follows the numbers of the computers - i6e6 the number to the right of the computer in the server hall - and their different assigned ip addresses -omputer )E %)*6)DQ6)*6%DT; open-nebula-%16it67th6se -omputer )Q %D*6)DQ6)*6%DE -omputer )1 %D*6)DQ6)*6%D*; open-nebula-Q6it67th6se A&ront end of C!oude!iaB -omputer )& -omputer doesn>t start due to hardware problem6 -omputer )* %D*6)DQ6)*6%)2 ; open-nebula-%6it67th6se -omputer %T %D*6)DQ6)*6%)1; open-nebula-D6it67th6se -omputer %E %D*6)DQ6)*6%)Q ; open-nebula-26it67th6se -omputer %Q %D*6)DQ6)*6%)T; open-nebula-16it67th6se -omputer %1 %D*6)DQ6)*6%D2 -omputer %& -omputer doesn>t start due to hardware problem6 -omputer %2 %D*6)DQ6)*6%DQ -omputer %D %D*6)DQ6)*6%DD -omputer %* %D*6)DQ6)*6%D1; open-nebula-%D6it67th6se -omputer T %D*6)DQ6)*6%D) -omputer Q and E =as borrowed and not returned6 3pon return of the computers$ the# can be assigned e6g6 %D*6)DQ6)*6%D% and %D*6)DQ6)*6%D& Assigned "' addresses %D*6)DQ6)*6%)2-%DT Name in :NS open-nebula-%67th6se S open-nebula-%16it67th6se
20

Catewa# %D*6)DQ6)*6% Subnet mas7 )&&6)&&6)&&6*

#ection 4. I pro.e ent that cou!d be done

One improvement that could be done is to find a wa# to e,ecute the shell script described above in 26)a from the php code6 Some more information of how this might be done on these web sites http 55www6uni,6com5uni,-advanced-e,pert-users5%E)%)-run-shell-script-different-user6html http 55uni,6stac7e,change6com5questions5%&)125e,ecuting-a-shell-command-from-php-withshell-e,ec " have tried to e,ecute the shell script 5usr5bin5oneuser from the 'H'-file without success6 " tried e6g6 this command Pecho shellIe,ec 8Honeuser create test&1 test&1H9;P after that " had e,ecuted PshellIe,ec 8Hsu oneadmin )JY%H9P6 The e,ecution of the second shell command results in the error message PZtestsudo no tt# present and no as7passP6

#ection ". &i!es used in the 'eb interfaces ;13<.23=.2<.13<>

$var$www$ tml 4 css5 logincas5 admin"nterface6php student"nterface6php $var$www$ tml$bac elors$ add(emove3sers6sh addTeacher6php adminShow:ata6php chec7"fTeachers"s"nTeachers:atabase6php common0unctions6php

St#le sheets 0iles used for -AS login6 3sed b# administrators for approval of users$etc6 3sed for registration of students6
Shell script for adding and removing users S approved5removed in admin"nterface6php - to5from the cloud6

"ncludes5 password6php

Adding teacher to the /#S@4-table teac ers# Handling requests for approval and removal of users6 -hec7 if teachers is in table called teac ers# 3sed b# studentAdd:ata6php$ adminShow:ata6php and other php files$ e6g6 for connection to the database "nclude files used for .quer# and :ataTables6 3sed for generation of random and secure password6
21

sql-hec76php studentAdd:ata6php

-ode for avoiding /#S@4-in<ections6 Handle requests from student"nterface6php

22