Administration Guide / Manage Regions
Parent topic: Manage Regions

Examples

In this example, there will be two clouds used (10.111.5.32 and 10.111.1.1). Before setting up federation, the clouds must meet the following requirements:

Register a Region - Script-assisted

This procedure allows you to run a script to register a region:
  1. Grab a copy of /var/lib/eucalyptus/keys/cloud-cert.pem from both Cloud Controllers.
  2. Clone the following repository: https://github.com/hspencer77/region-configuration-tool.
  3. Run the region-config-tool.py script, passing the cloud certificates for cloud (i.e. region). For example: 
    # ./region-config-tool.py region_name=region-1,cloud_cert=at-long-last-asap-region.pem,domain_name=h-33.autoqa.qa1.eucalyptus-systems.com region_name=region-2,cloud_cert=long-live-asap-region.pem,domain_name=g-22-07.autoqa.qa1.eucalyptus-systems.com -f test-region-config.json
# cat test-region-config.json
{
 "Regions": [
 {
 "CertificateFingerprint": "ED:8F:9A:92:45:4D:37:F3:54:E4:2E:E7:26:28:EE:04:A1:DF:AD:82:87:60:A6:C3:4A:15:CB:D7:E9:F2:99:13",
 "CertificateFingerprintDigest": "SHA-256",
 "IdentifierPartitions": [
 1
 ],
 "Name": "region-1",
 "Services": [
 {
 "Endpoints": [
 "http://identity.h-33.autoqa.qa1.eucalyptus-systems.com:8773/"
 ],
 "Type": "identity"
 },
 {
 "Endpoints": [
 "http://compute.h-33.autoqa.qa1.eucalyptus-systems.com:8773/"
 ],
 "Type": "compute"
 }
 ]
 },
 {
 "CertificateFingerprint": "3A:69:0F:B3:A5:03:92:50:39:F2:C6:EB:E5:77:94:36:F9:36:12:E2:01:CA:AB:75:B2:6E:71:9B:D0:5E:61:94",
 "CertificateFingerprintDigest": "SHA-256",
 "IdentifierPartitions": [
 2
 ],
 "Name": "region-2",
 "Services": [
 {
 "Endpoints": [
 "http://identity.g-22-07.autoqa.qa1.eucalyptus-systems.com:8773/"
 ],
 "Type": "identity"
 },
 {
 "Endpoints": [
 "http://compute.g-22-07.autoqa.qa1.eucalyptus-systems.com:8773/"
 ],
 "Type": "compute"
 }
 ]
 }
 ]
}
  4. Change the region.region_name cloud property on both clouds: 
    [root@h-32 ~]# euctl -p region.region_name=region-1
PROPERTY	region.region_name	region-1 was {}

[root@b-01 ~]# euctl -p region.region_name=region-2
PROPERTY	region.region_name	region-2 was {}
  5. Set region.region_ssl_verify_hostnames to true on both clouds and properly signed certificates should be added to the User Facing Service (UFS).
  6. Add the region JSON file to both clouds by modifying the region.region_configuration cloud property.

Register a Region - Manual

This procedure allows you to manually register a region:
  1. Obtain the certificate fingerprint for both clouds, for example: 
    ## region-1
$ openssl s_client -showcerts -connect 10.111.5.32:8773 < /dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256
SHA256 Fingerprint=53:AE:4C:2F:D4:2D:AB:41:B9:F9:0B:B0:3E:DE:5D:94:3B:81:FC:FB:CC:58:3D:42:71:13:01:94:97:23:23:DD

## region-2
$ openssl s_client -showcerts -connect 10.111.1.1:8773 < /dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256
SHA256 Fingerprint=07:52:F3:50:07:FB:C3:B7:28:AA:ED:D4:19:17:D4:05:E8:92:DE:8A:85:18:2E:6C:11:A9:84:56:D8:A
  2. Create region JSON configuration file, for example: 
    {
    "Regions": [
        {
            "Name": "region-1",
            "CertificateFingerprintDigest": "SHA-256",
            "CertificateFingerprint": "53:AE:4C:2F:D4:2D:AB:41:B9:F9:0B:B0:3E:DE:5D:94:3B:81:FC:FB:CC:58:3D:42:71:13:01:94:97:23:23:DD",
            "IdentifierPartitions": [
                1
            ],
            "Services": [
                {
                    "Type": "identity",
                    "Endpoints": [
                        "http://identity.h-33.autoqa.qa1.eucalyptus-systems.com:8773/"
                    ]
                },
                {
                    "Type": "compute",
                    "Endpoints": [
                        "http://compute.h-33.autoqa.qa1.eucalyptus-systems.com:8773/"
                    ]
                }
            ]
        },
        {
            "Name": "region-2",
            "CertificateFingerprintDigest": "SHA-256",
            "CertificateFingerprint": "07:52:F3:50:07:FB:C3:B7:28:AA:ED:D4:19:17:D4:05:E8:92:DE:8A:85:18:2E:6C:11:A9:84:56:D8:A3:82:03",
            "IdentifierPartitions": [
                2
            ],
            "Services": [
                {
                    "Type": "identity",
                    "Endpoints": [
                        "http://identity.g-22-07.autoqa.qa1.eucalyptus-systems.com:8773/"
                    ]
                },
                {
                    "Type": "compute",
                    "Endpoints": [
                        "http://compute.g-22-07.autoqa.qa1.eucalyptus-systems.com:8773/"
                    ]
                }
            ]
        }
    ]
}
  3. Change the region.region_name cloud property on both clouds: 
    [root@h-32 ~]# euctl -p region.region_name=region-1
PROPERTY	region.region_name	region-1 was {}

[root@b-01 ~]# euctl -p region.region_name=region-2
PROPERTY	region.region_name	region-2 was {}
  4. Set region.region_ssl_verify_hostnames to true, and properly signed certificates should be added to the User Facing Service (UFS).
  5. Add the region JSON file to both clouds by modifying the region.region_configuration cloud property. Region section for both clouds look like the following after all the changes: 
    ### region 1
[root@h-32 ~]# euctl region.
PROPERTY	region.region_configuration	{
    "Regions": [
        {
            "Name": "region-1",
            "CertificateFingerprintDigest": "SHA-256",
            "CertificateFingerprint": "53:AE:4C:2F:D4:2D:AB:41:B9:F9:0B:B0:3E:DE:5D:94:3B:81:FC:FB:CC:58:3D:42:71:13:01:94:97:23:23:DD",
            "IdentifierPartitions": [
                1
            ],
            "Services": [
                {
                    "Type": "identity",
                    "Endpoints": [
                        "http://identity.h-33.autoqa.qa1.eucalyptus-systems.com:8773/"
                    ]
                },
                {
                    "Type": "compute",
                    "Endpoints": [
                        "http://compute.h-33.autoqa.qa1.eucalyptus-systems.com:8773/"
                    ]
                }
            ]
        },
        {
            "Name": "region-2",
            "CertificateFingerprintDigest": "SHA-256",
            "CertificateFingerprint": "07:52:F3:50:07:FB:C3:B7:28:AA:ED:D4:19:17:D4:05:E8:92:DE:8A:85:18:2E:6C:11:A9:84:56:D8:A3:82:03",
            "IdentifierPartitions": [
                2
            ],
            "Services": [
                {
                    "Type": "identity",
                    "Endpoints": [
                        "http://identity.g-22-07.autoqa.qa1.eucalyptus-systems.com:8773/"
                    ]
                },
                {
                    "Type": "compute",
                    "Endpoints": [
                        "http://compute.g-22-07.autoqa.qa1.eucalyptus-systems.com:8773/"
                    ]
                }
            ]
        }
    ]
}
PROPERTY	region.region_enable_ssl	true
PROPERTY	region.region_name	region-1
PROPERTY	region.region_ssl_ciphers	RSA:DSS:ECDSA:TLS_EMPTY_RENEGOTIATION_INFO_SCSV:!NULL:!EXPORT:!EXPORT1024:!MD5:!DES
PROPERTY	region.region_ssl_default_cas 	true
PROPERTY	region.region_ssl_protocols	TLSv1.2
PROPERTY	region.region_ssl_verify_hostnames	true

## region 2
[root@b-01 ~]# euctl region.
PROPERTY	region.region_configuration	{
    "Regions": [
        {
            "Name": "region-1",
            "CertificateFingerprintDigest": "SHA-256",
            "CertificateFingerprint": "53:AE:4C:2F:D4:2D:AB:41:B9:F9:0B:B0:3E:DE:5D:94:3B:81:FC:FB:CC:58:3D:42:71:13:01:94:97:23:23:DD",
            "IdentifierPartitions": [
                1
            ],
            "Services": [
                {
                    "Type": "identity",
                    "Endpoints": [
                        "http://identity.h-33.autoqa.qa1.eucalyptus-systems.com:8773/"
                    ]
                },
                {
                    "Type": "compute",
                    "Endpoints": [
                        "http://compute.h-33.autoqa.qa1.eucalyptus-systems.com:8773/"
                    ]
                }
            ]
        },
        {
            "Name": "region-2",
            "CertificateFingerprintDigest": "SHA-256",
            "CertificateFingerprint": "07:52:F3:50:07:FB:C3:B7:28:AA:ED:D4:19:17:D4:05:E8:92:DE:8A:85:18:2E:6C:11:A9:84:56:D8:A3:82:03",
            "IdentifierPartitions": [
                2
            ],
            "Services": [
                {
                    "Type": "identity",
                    "Endpoints": [
                        "http://identity.g-22-07.autoqa.qa1.eucalyptus-systems.com:8773/"
                    ]
                },
                {
                    "Type": "compute",
                    "Endpoints": [
                        "http://compute.g-22-07.autoqa.qa1.eucalyptus-systems.com:8773/"
                    ]
                }
            ]
        }
    ]
}
PROPERTY	region.region_enable_ssl	true
PROPERTY	region.region_name	region-2
PROPERTY	region.region_ssl_ciphers	RSA:DSS:ECDSA:TLS_EMPTY_RENEGOTIATION_INFO_SCSV:!NULL:!EXPORT:!EXPORT1024:!MD5:!DES
PROPERTY	region.region_ssl_default_cas	true
PROPERTY	region.region_ssl_protocols	TLSv1.2
PROPERTY	region.region_ssl_verify_hostnames	true

Describe Regions

Using cloud administrator (i.e. eucalyptus/admin user) credentials on each cloud, use execute DescribeRegions. This is a sanity check to make sure the configuration is correct on both clouds.
Note: Reminder: the cloud administrator for each cloud can only see the resources for that cloud. The eucalyptus account is one of the system accounts, therefore it is not synced across all clouds.
# euca-describe-regions
REGION	region-1	http://compute.h-33.autoqa.qa1.eucalyptus-systems.com:8773/
REGION	region-2	http://compute.g-22-07.autoqa.qa1.eucalyptus-systems.com:8773/

Create a Non-system Account

After federation has been configuration correctly, create a non-system account on either cloud using the eucalyptus/admin user. In the example below, the non-system account test1 will be created. The credentials from the test1/admin user will be downloaded and sourced. The user will run DescribeAvailabilityZones against both clouds to confirm federation is working as expected.

  1. On region-2 cloud, using eucalyptus/admin user - create IAM account 'test1' 
    [root@b-01 ~]# euare-accountcreate -a test1
test1	002093902049

[root@b-01 ~]# euare-accountlist
eucalyptus	000163314767
(eucalyptus)objectstorage	000107497415
(eucalyptus)blockstorage	000831185453
(eucalyptus)loadbalancing	000744507680
(eucalyptus)aws-exec-read	000890823690
test1	002093902049
(eucalyptus)cloudformation	000993524712
(eucalyptus)database	000630877528
(eucalyptus)imaging	000789831484
  2. Generate credentials for test1/admin user: 
    # euare-useraddkey --region admin@test1
  3. Run DescribeAvailibilityZones against each region: 
    # euca-describe-regions
REGION	region-1	http://compute.h-33.autoqa.qa1.eucalyptus-systems.com:8773/
REGION	region-2	http://compute.g-22-07.autoqa.qa1.eucalyptus-systems.com:8773/
# euca-describe-availability-zones -U http://compute.h-33.autoqa.qa1.eucalyptus-systems.com:8773/
AVAILABILITYZONE	region1-az-one	available
# euca-describe-availability-zones -U http://compute.g-22-07.autoqa.qa1.eucalyptus-systems.com:8773/
AVAILABILITYZONE	region2-az-one	available
Parent topic: Manage Regions
Copyright: © 2018 Eucalyptus Cloud
x