« back to all changes in this revision
Viewing changes to doc/source/devref/cloudpipe.rst
- browse files at revision 985
- compare with another revision
- download diff
- download tarball
- view history from revision 985
- Committer: Tarmac
- Author(s): Vishvananda Ishaya
- Date: 2011-04-13 08:32:06 UTC
- mfrom: (976.2.2 better-docs)
- Revision ID: tarmac-20110413083206-o9sptovi465hrv6l
Updates the documentation on creating and using a cloudpipe image.
- files added:
- doc/source/devref/rc.local
- files modified:
- doc/source/devref/cloudpipe.rst
added
removed
doc/source/devref/cloudpipe.rst
38
38
It is also useful to have a cron script that will periodically redownload the metadata and copy the new crl. This will keep revoked users from connecting and will disconnect any users that are connected with revoked certificates when their connection is renegotiated (every hour).
39
39
40
40
41
Creating a Cloudpipe Image
42
--------------------------
43
44
Making a cloudpipe image is relatively easy.
45
46
# install openvpn on a base ubuntu image.
47
# set up a server.conf.template in /etc/openvpn/
48
49
.. literalinclude:: server.conf.template
50
:language: bash
51
:linenos:
52
53
# set up.sh in /etc/openvpn/
54
55
.. literalinclude:: up.sh
56
:language: bash
57
:linenos:
58
59
# set down.sh in /etc/openvpn/
60
61
.. literalinclude:: down.sh
62
:language: bash
63
:linenos:
64
65
# download and run the payload on boot from /etc/rc.local.
66
67
.. literalinclude:: rc.local
68
:language: bash
69
:linenos:
70
71
# register the image and set the image id in your flagfile::
72
73
--vpn_image_id=ami-xxxxxxxx
74
75
# you should set a few other flags to make vpns work properly::
76
77
--use_project_ca
78
--cnt_vpn_clients=5
79
80
41
81
Cloudpipe Launch
42
82
----------------
43
83
63
103
64
104
If the use_project_ca flag is set (required to for cloudpipes to work securely), then each project has its own ca. This ca is used to sign the certificate for the vpn, and is also passed to the user for bundling images. When a certificate is revoked using nova-manage, a new Certificate Revocation List (crl) is generated. As long as cloudpipe has an updated crl, it will block revoked users from connecting to the vpn.
65
105
106
The userdata for cloudpipe isn't currently updated when certs are revoked, so it is necessary to restart the cloudpipe instance if a user's credentials are revoked.
107
108
109
Restarting Cloudpipe VPN
110
------------------------
111
112
You can reboot a cloudpipe vpn through the api if something goes wrong (using euca-reboot-instances for example), but if you generate a new crl, you will have to terminate it and start it again using nova-manage vpn run. The cloudpipe instance always gets the first ip in the subnet and it can take up to 10 minutes for the ip to be recovered. If you try to start the new vpn instance too soon, the instance will fail to start because of a NoMoreAddresses error. If you can't wait 10 minutes, you can manually update the ip with something like the following (use the right ip for the project)::
113
114
euca-terminate-instances <instance_id>
115
mysql nova -e "update fixed_ips set allocated=0, leased=0, instance_id=NULL where fixed_ip='10.0.0.2'"
116
117
You also will need to terminate the dnsmasq running for the user (make sure you use the right pid file)::
118
119
sudo kill `cat /var/lib/nova/br100.pid`
120
121
Now you should be able to re-run the vpn::
122
123
nova-manage vpn run <project_id>
124
125
126
Logging into Cloudpipe VPN
127
--------------------------
128
129
The keypair that was used to launch the cloudpipe instance should be in the keys/<project_id> folder. You can use this key to log into the cloudpipe instance for debugging purposes.
130
66
131
67
132
The :mod:`nova.cloudpipe.pipelib` Module
68
133
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Loggerhead is a web-based interface for Breezy
Version: 2.0.1