I know a few folks are interested or doing similar things. Have a
look at skeletons/standalone-compute. We just need to supply this
info from a static source (may Iterables deserialized from json or
something). If you want, I can make a sandbox-api for this and we can
collaborate.
From a naming perspective, I think byon is cute (bring your own
nodes), but certainly open to options.
Thoughts?
-A
> --
> You received this message because you are subscribed to the Google Groups
> "jclouds-dev" group.
> To post to this group, send email to jclou...@googlegroups.com.
> To unsubscribe from this group, send email to
> jclouds-dev...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/jclouds-dev?hl=en.
>
so, I'll make a branch today (probably by lunch) with a penciled-in
byon provider.
it will be located at sandbox-apis/byon with the maven artifact
org.jclouds.api/byon
In basic form, it will throw unsupported exceptions on runNodes
commands, but operate on others, and require a resource to build
static lists from.
If you don't mind, can you open a ticket here?
http://code.google.com/p/jclouds/issues
-Adrian
p.s. if you happen to be in the valley, come to the meetup tonight!
http://www.meetup.com/jclouds/calendar/15867124/
Hi, Noah. The 'id' is an opaque string uniquely identifying this node from another in the system. In ec2, it would be 'us-east-1/i-36fe1c' in vcloud, or other restful systems, it is the href. Main requirement is that it is unique on the backend, where in this case the backend is the yaml file.
-A
I've incorporated some feedback from Kelvin and Hugo. I'd like to get
this out the door for beta-9 this weekend, if there are no strong
opinions to making this different.
High-level changes:
1. switch from map -> list format as it is easier to deal with (kelvin)
2. remove constraint to base64 secrets (hugod)
3. os_name -> os_description as jclouds has more references to this
field (adrian)
4. accept credential_url where someone can specify a file containing
their login credential
Here's the doc which is taken from here:
https://github.com/jclouds/jclouds/blob/master/sandbox-apis/byon/README.txt
If you can, vote +1 on releasing byon as it is, or suggest a revision.
Cheers, and thanks guys!
-Adrian
= Bring Your Own Nodes to the jclouds ComputeService =
The bring your own node provider (byon) allows you to specify a source
which jclouds will read
nodes from. Using this, you can have jclouds control your standalone
machines, or even cloud
hosts that are sitting idle.
== Constraints ==
The byon provider only supports the following functions of ComputeService:
* listNodes
* listNodesDetailsMatching
* getNodeMetadata
* runScriptOnNodesMatching
== How to use the byon provider ==
The byon provider requires you supply a list of nodes using a
property. Here are
the valid properties you can use:
* byon.endpoint - url to access the list, can be http://, file://,
classpath://
* byon.nodes - inline defined yaml in string form.
Note:
The identity and credential fields of the ComputeServiceContextFactory
are ignored.
=== Java example ===
Properties props = new Properties();
// if you built the yaml string by hand
props.setProperty("byon.nodes", stringLiteral);
// or you can specify an external reference
props.setProperty("byon.endpoint", "file://path/to/byon.yaml");
// or you can specify a file in your classpath
props.setProperty("byon.endpoint", "classpath:///byon.yaml");
context = new ComputeServiceContextFactory().createContext("byon",
"foo", "bar",
ImmutableSet.<Module> of(new JschSshClientModule()), props);
== File format ==
You must define your nodes in yaml, and they must be in a collection
called nodes.
Here are the properties:
* id - opaque unique id
* name - optional; user specified name
* description - optional; long description of this node
* note this is not yet in jclouds NodeMetadata
* hostname - name or ip address to contact the node on
* os_arch - ex. x86
* os_family - must conform to
org.jclouds.compute.domain.OsFamily in lower-hyphen format
ex. rhel, ubuntu, centos, debian, amzn-linux
* os_description - long description of the os ex. Ubuntu with lamp stack
* os_version - normalized to numbers when possible. ex. for
centos: 5.3, ubuntu: 10.10
* group - primary group of the machine. ex. hadoop
* tags - optional; list of arbitrary tags.
* note this list is not yet in jclouds
NodeMetadata
* username - primary login user. ex. ubuntu, vcloud, toor, root
* sudo_password - optional; when a script is run with the
"runAsRoot" option true, yet the
username is not root, a sudo command is
invoked. If sudo_password
is set, the contents will be passed to sudo -S.
Ex. echo 'foobar'| sudo -S init 5
one of:
* credential - RSA private key or password
* credential_url - location of plain-text RSA private key or password.
ex. file:///home/me/.ssh/id_rsa
classpath:///id_rsa
=== Example File ===
nodes:
- id: i-sdfkjh7
name: cluster-1
description: accounting analytics cluster
hostname: cluster-1.mydomain.com
os_arch: x86
os_family: rhel
os_description: redhat with CDH
os_version: 5.3
group: hadoop
tags:
- vanilla
username: myUser
credential: |
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuzaE6azgUxwESX1rCGdJ5xpdrc1XC311bOGZBCE8NA+CpFh2
u01Vfv68NC4u6LFgdXSY1vQt6hiA5TNqQk0TyVfFAunbXgTekF6XqDPQUf1nq9aZ
lMvo4vlaLDKBkhG5HJE/pIa0iB+RMZLS0GhxsIWerEDmYdHKM25o
-----END RSA PRIVATE KEY-----
sudo_password: go panthers!
Ok. Gonna need your DevOps hat for this one. As Hugo rightly mentions, how (mechanism) one escalates to admin privileges, or if they can at all is node-specific. Most of the time, we're talking sudo here, but it could be rbac or something else. We also may have a policy to not escalate privileges.
At the risk of conflation and maybe being too coarse grained, I think we could build in something to do this.
What do you think of a node property: admin_mode
Maybe we could default to: never-escalate and have another option: sudo?
I'm sure the names are bad, so please suggest otherwise.
-Adrian
You should probably decouple username/credential from the node. We're currently looking at doing this with RunDeck (not committed, just kicking the idea around).The other thing is we rely on properly configured sudo to make things work.i.e.%wheel ALL=(ALL) NOPASSWD: ALLThe NOPASSWD: makes entering a password not required.Here's a full example:## ControlTier sudoers file granting a limited amount of functionality to ctier# to install software.### Installation and management of software#Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
## necessary for CtlCenter to execute a ssh <hostname> sudo yum ... set it# explicitly for the %ctier group.#Defaults:%ctier !requiretty## Allow the ctier user to execute the SOFTWARE utilities as root without a# password prompt.## TODO: adjust to the host_alias to be more restritive.#%ctier ALL=(root) NOPASSWD: SOFTWAREThis locks down want the sudoer can do. In this case, the ctier group can only use rpm and yum.Food for thought.-Noah
I see two related concerns here which we may be happy to combine, or
want to split:
1) Do we want to execute commands on this node with admin
privileges...and if so, *all* commands or just specified commands?
2) If we want to execute some or all commands as admin, how is this to
be achieved?
2) is platform specific and could be part of a "connection spec" for a
node, along with the protocol to use for command execution (e.g. SSH),
file transfer (e.g. SFTP) etc.
1) is more of a conceptual property that could fit with the "admin_mode"
property discussed. However, in line with the yes/no/how separation
being discussed, values such as "never", "bootstrap-only" (whatever that
might mean), "all" etc. would make more sense.
The connection spec for a node would have a corresponding property
indicating whether it supports admin_mode command execution.
ap
--