[one-users] Problems using OpenNebula EC2 interface

Daniel Molina dmolina at opennebula.org
Tue May 3 15:08:49 PDT 2011


Hi,

On 3 May 2011 21:48, Lars Kellogg-Stedman <lars at seas.harvard.edu> wrote:
> After successfully getting the OCCI clients working with OpenNebula,
> I've tried getting the EC2 interface to work and I've run into a
> variety of problems.
>
> (1) The OpenNebula tools don't respect the path in EC2_URL.
>
>    If EC2_URL is set to something like "http://myserver/ec2/", the
> OpenNebula EC2 clients (such as econe-describe-images) attempt to
> communicate with "/" instead of "/ec2/" on the server, causing them to
> fail unilaterally.  We've got econe-server at "/ec2/" because
> occi-server is available at "/occi/".
>

The econe tools use the Ruby URI gem, which takes the host part of
the string and ignores the path. You can handle this situation by
running the OCCI server and the EC2 server on different ports or by using
a proxy, for example lighttpd. This could be a lighttpd configuration:

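# Talking dummy cloud
$HTTP["host"] =~ "myserver" {
        # Default backend: everything not matched below goes to port 4567
        proxy.server = ( "" =>
                         ( "" =>
                           (
                             "host" => "127.0.0.1",
                             "port" => 4567
                           )
                         )
                       )

        # Requests for compute, storage and network go to port 4568
        $HTTP["url"] =~ "/(compute|storage|network)" {
                proxy.server = ( "" =>
                                 ( "" =>
                                   (
                                     "host" => "127.0.0.1",
                                     "port" => 4568
                                   )
                                 )
                               )
        }
}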

> (2) Authentication is failing.
>
>    We've tried using eucatools, and while it's talking to the correct
> URL, we're always getting a "User not authorized" response.  Nothing
> particularly useful is showing up in the logs, and we've had no
> problems accessing the OCCI interface using the same username and
> password.
>

Are you using the sha1 password for the EC2_SECRET_KEY?
~$ env | grep EC2
EC2_SECRET_KEY=e17a1234834936f71bb3242772d25150d40791e72
EC2_URL=http://localhost:4567
EC2_ACCESS_KEY=oneadmin

Maybe the problem is related to the previous point. The signature that
authenticates the user is generated using the EC2_URL; maybe the
server is ignoring the path section. Would you mind trying to start
the server without a path?


> (3) It's unclear how to use Amazon's own CLI tools.
>
>    Amazon's tools appear to want an access key and x509 certificate.
> I'm not sure how to get them to authenticate with an access key and
> secret key the way the OpenNebula and Eucatools clients work.
>

The EC2 tools use x509 certificates [1]; this feature is not supported
in OpenNebula 2.2. Therefore, if you want to interact with the
OpenNebula EC2 server you can use one of the following options: econe
tools, euca tools or portals like Hybridfox or Elasticfox that are based
on the Access Key authentication.

> Before I open bug reports on these, I wanted to check in here and see
> if I'm missing anything obvious.  If it matters, we're running 2.2 on
> CentOS 5.
>

[1] http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html

Kind regards.

> --
> Lars Kellogg-Stedman <lars at seas.harvard.edu>
> Senior Technologist
> Harvard University SEAS
> Academic and Research Computing (ARC)
>



-- 
Daniel Molina, Cloud Technology Engineer/Researcher
Major Contributor
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org | dmolina at opennebula.org
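
Added example (not part of the original message, and not OpenNebula's own code): why the path in EC2_URL matters for authentication. It assumes the request is signed in the AWS Signature Version 2 style, where the path is part of the signed string; the password, parameters and the `path:` override are constructed for illustration.

```ruby
require 'uri'
require 'openssl'
require 'base64'
require 'digest/sha1'

# Constructed sample values; none of them come from the thread.
SECRET_KEY = Digest::SHA1.hexdigest('example-password') # SHA1 hex of the password
PARAMS = { 'Action' => 'DescribeImages', 'AWSAccessKeyId' => 'oneadmin',
           'SignatureMethod' => 'HmacSHA256', 'SignatureVersion' => '2',
           'Timestamp' => '2011-05-03T22:08:49Z' }.freeze

# Percent-encode everything except RFC 3986 unreserved characters.
def sigv2_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-_.~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# String to sign: verb, host (plus non-default port), path, sorted query string.
# `path` overrides the path parsed from the endpoint (assumption: models a
# client or server that uses "/" regardless of the configured URL).
def string_to_sign(verb, endpoint, params, path: nil)
  uri = URI.parse(endpoint)
  host = uri.host.downcase
  host += ":#{uri.port}" unless uri.port == uri.default_port
  path ||= uri.path.empty? ? '/' : uri.path
  query = params.sort.map { |k, v| "#{sigv2_escape(k)}=#{sigv2_escape(v)}" }.join('&')
  [verb, host, path, query].join("\n")
end

def sign(secret, verb, endpoint, params, path: nil)
  data = string_to_sign(verb, endpoint, params, path: path)
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, data))
end

# Server side: recompute over the path the server saw and compare in constant time.
def signature_valid?(secret, verb, endpoint, params, server_path, presented)
  expected = sign(secret, verb, endpoint, params, path: server_path)
  return false unless expected.bytesize == presented.bytesize
  expected.bytes.zip(presented.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  endpoint = 'http://myserver/ec2/'
  sig = sign(SECRET_KEY, 'GET', endpoint, PARAMS)
  puts "client signs path: #{URI.parse(endpoint).path}"
  puts "server at /ec2/ accepts: #{signature_valid?(SECRET_KEY, 'GET', endpoint, PARAMS, '/ec2/', sig)}"
  puts "server at /     accepts: #{signature_valid?(SECRET_KEY, 'GET', endpoint, PARAMS, '/', sig)}"
end
```

If the client signs over "/ec2/" while the server (for instance behind a rewriting proxy) verifies over "/", the two HMACs differ and the request is rejected even though the credentials are correct.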
