ROOT 6.10/02
Reference Guide
proof/doc/confman/DeployVirtualAnalysisFacility.md
Deploying the Virtual Analysis Facility
=======================================

Introduction
------------

Thanks to CernVM and PROOF on Demand, it is possible to deploy a
ready-to-use Virtual Analysis Facility on your cloud (public, private,
or even your desktop computer).

On the server side, "configuring" the Virtual Analysis Facility is
simply a matter of starting a certain number of CernVM virtual machines
that will become part of your PROOF cluster. CernVM uses
contextualization to specialize each virtual machine to be either a head
node or a worker node.

The Virtual Analysis Facility comes with many preconfigured things:

- an HTCondor cluster capable of running PROOF on Demand

- certificate authentication

- your experiment's software (if available on CernVM-FS)

Obtain the CernVM image and contextualization
---------------------------------------------

### Download the CernVM bare image

The Virtual Analysis Facility currently works with *CernVM Batch 2.7.1
64-bit*. This means that you need to have this CernVM image available
either on your local hard disk (in case of a desktop deployment) or in
your cloud's image repository.

> For convenience we provide the direct links for the working versions:
>
> - [CernVM 2.7.1 batch 64-bit for
>   **KVM**](https://cernvm.cern.ch/releases/19/cernvm-batch-node-2.7.1-2-3-x86_64.hdd.gz)
>
> - [CernVM 2.7.1 batch 64-bit for
>   **Xen**](https://cernvm.cern.ch/releases/19/cernvm-batch-node-2.7.1-2-3-x86_64.ext3.gz)
>
> Images are gzipped. In most cases you'll need to gunzip them before
> registering them in your image repository.

### Create VM configuration profiles

CernVM images are base images supporting boot-time customization via
configuration profiles called "contexts". Context creation can be
performed through the [CernVM Online](https://cernvm-online.cern.ch/)
website. The site is immediately accessible if you have a CERN account.

Go to your [CernVM Online
Dashboard](https://cernvm-online.cern.ch/dashboard), click on the
**Create new context...** dropdown and select **Virtual Analysis Facility
node**.

There are only a few parameters to configure.

Context name
:   A name for your context (such as *VAF Master for ATLAS*). Any name
    will work.

Role
:   Use this to configure either a *master* or a *slave*.

VAF master (only available when configuring a slave)
:   IP address or FQDN of the Virtual Analysis Facility master.

Auth method
:   Choose between *ALICE LDAP* (useful only for ALICE users) or *Pool
    accounts* (good for authenticating all the other Grid users).

Num. pool accounts (only available when using pool accounts auth)
:   Number of pool accounts to create.

Proxy for CVMFS
:   A URL specifying the proxy server for CernVM-FS, such as
    `http://ca-proxy.cern.ch:3128/`. If you leave it empty, the proxy
    will be discovered automatically.

HTCondor shared secret
:   VMs that are part of the same cluster should have the same value in
    this field. It is used to mutually authenticate the VMs and acts
    like a password.

Context password
:   The current profile will be saved on the [CernVM Online
    repository](http://cernvm-online.cern.ch/). If you don't want the
    information there to be publicly available to other users, type in
    a value to protect the context with an encryption password.

You will have to create a profile for the **master** and one for the
**slave**. Since most of the configuration variables are the same (like
the *HTCondor shared secret*), you can create one profile, clone it and
change only what needs to change.

Deploy it on the cloud
----------------------

Provided you have access to a certain cloud API, you'll need to
instantiate a certain number of CernVM batch images with proper
contextualization: one for the master, and as many as you want as slaves.

CernVM supports contextualization through the "user data" field
supported by all cloud infrastructures.

Each cloud infrastructure has a different method of setting the "user
data". The following description will focus on:

- [OpenNebula](http://opennebula.org/)

- OpenStack (such as the [CERN Agile
  infrastructure](https://openstack.cern.ch/))

- [Amazon EC2](http://aws.amazon.com/ec2/)-compatible interfaces via
  the open [Eucalyptus](http://www.eucalyptus.com/)
  [Euca2ools](http://www.eucalyptus.com/eucalyptus-cloud/tools): many popular
  clouds support this interface and these tools

### Download the CernVM Online contextualizations

Go to the CernVM Online Dashboard page where you have previously
customized the contexts for your master and your slaves.

Click on the rightmost button on the line of the desired context and
select **Get rendered context** from the dropdown: save the output to a
text file (such as `my_vaf_context.txt`, the name we will use in the
examples that follow). This file will subsequently be passed as the
so-called "user-data" file to the cloud API.

> Repeat the operation for both the master context and the slave
> context.

### OpenStack API: nova

Example of a CernVM instantiation using `nova`:

``` {.bash}
nova boot \
  --flavor m1.xlarge \
  --image cernvm-batch-node-2.6.0-4-1-x86_64 \
  --key-name my_default_keypair \
  --user-data my_vaf_context.txt \
  Name-Of-My-New-VM
```

The `--user-data` option requires the context file we've just
downloaded.

### EC2 API: euca-tools

Example of a CernVM instantiation using `euca-tools`:

``` {.bash}
euca-run-instances \
  --instance-type m1.xlarge \
  --key my_default_keypair \
  --user-data-file my_vaf_context.txt \
  cernvm-batch-node-2.6.0-4-1-x86_64
```

The `--user-data-file` option takes the context file we've just downloaded.

### OpenNebula

An example VM definition follows:

``` {.ruby}
CONTEXT=[
  EC2_USER_DATA="<base64_encoded_string>",
]
CPU="6"
VCPU="6"
DISK=[
  IMAGE="cernvm-batch-node-2.6.0-4-1-x86_64",
  TARGET="vda" ]
MEMORY="16000"
NAME="CernVM-VAF-Node"
NIC=[
  NETWORK="My-OpenNebula-VNet" ]
OS=[
  ARCH="x86_64" ]
```

The `<base64_encoded_string>` placeholder must be replaced with the
base64 version of the whole downloaded context definition. You can
obtain it by running:

    cat my_vaf_context.txt | base64 | tr -d '\n'

Network security groups
-----------------------

In order to make the Virtual Analysis Facility work properly, the
firewall of your infrastructure must be configured to allow some
connections.

Some ports need to allow "external" connections while other ports might
be safely opened to allow only connections from other nodes of the
Virtual Analysis Facility.

### Ports to open on all nodes

HTCondor ports
:   Allow **TCP and UDP range 9600-9700** only between nodes of the Virtual
    Analysis Facility.

Only HTCondor and PoD communication is needed between the nodes. No HTCondor
ports need to be opened to the world.

### Additional ports to open on the front end node

HTTPS
:   Allow **TCP 443** from all

SSH
:   Allow **TCP 22** from all

No other ports need to be opened from the outside. Your definition of
*allow from all* might vary.
217 : Allow **TCP 22** from all
218 
219 No other ports need to be opened from the outside. Your definition of
220 *allow from all* might vary.