[one-users] Dedicated Frontend Server - Sunstone

Daniel Molina dmolina at opennebula.org
Mon Aug 12 00:45:51 PDT 2013


Hi Sebastian,

comments inline

On 10 August 2013 17:59, Sebastian Igerl <igerlster at gmail.com> wrote:

> Hello,
>
> I'm trying to set up an OpenNebula 4.2 environment with one dedicated
> Sunstone frontend server and one server for the OpenNebula management.
> (Security reasons... ?!) Only the Sunstone server has a public IP.
>
> If I understand the documentation right this should be possible because
> both communicate using RPC (-> config: :one_xmlrpc:
> http://onemanager:2633/RPC2)
>
> But VNC and ISO uploads don't seem to work this way?
>
> I tried a VNC connection; it seems that Sunstone must have access to each
> node's IP?
>
> Also, uploading an ISO file results in an error because Sunstone
> uploads it to its tmp directory, which the management server can't see...
>
> Should I maybe start the Sunstone server on the management host too, so the
> VNC proxy gets started? How do I tell my frontend Sunstone to use the VNC
> proxy on my management host?
>

The VNC proxy must be able to connect to the hosts where the VMs are
running, so it should run on the same machine where oned is running. You
can start it using the novnc-server script instead of starting sunstone.
Then, you should forward the port where novnc is listening to the machine
where sunstone is running.

You will also have to export (NFS) the VNC tokens folder
(/var/lib/one/sunstone_vnc_tokens). sunstone-server will generate a
token for each connection in this folder and novnc-server will use
them to open a new VNC connection.


> For the ISO upload problem, maybe mount the tmp upload directory over NFS?
>

Yes, this directory has to be reachable by oned. You can change the default
directory in sunstone-server.conf.


>
> I'm doing this because I thought if someone gets access to the frontend
> server he can't do much with it... but I'm not really sure, since Sunstone
> needs the /var/lib/one/.one/sunstone_auth key?!
>

Yes, using this file a "user" could authenticate on behalf of other users,
so you should protect this file as much as possible. You can also use x509
certificates instead of the "auth file" mechanism. For more information on
this method, please check the Servers Authentication section at the
following link:
http://opennebula.org/documentation:rel4.2:external_auth

Hope this helps.



> Thanks for your help,
>
> Sebastian
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>


-- 
Join us at OpenNebulaConf2013 <http://opennebulaconf.com/> in Berlin, 24-26
September, 2013
--
Daniel Molina
Project Engineer
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
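The following is an added example, not code from this thread or from the OpenNebula project: a pre-flight script for the split layout Daniel describes, run on the Sunstone frontend. It checks that sunstone_auth is readable by its owner only, that the VNC token folder and the upload tmpdir are writable and read back (i.e. the NFS mounts are in place), optionally probes the forwarded noVNC port, and prints the sunstone-server.conf settings that differ from a single-host install. The paths, the host name onemanager, the port 29876 and the key names :tmpdir: and :vnc_proxy_port: are this example's assumptions about a 4.2 install; only :one_xmlrpc: and the two directories are named in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenNebula project:
# pre-flight checks for a split deployment where sunstone-server runs on
# a public frontend and oned plus novnc-server run on a private
# management host.
#
# Assumptions (not stated in the thread): the VNC token folder and the
# upload tmpdir are NFS exports from the management host, mounted at the
# same paths on the frontend, and novnc-server's port (29876 assumed) is
# forwarded from the management host to the frontend.

ONED_HOST="${ONED_HOST:-onemanager}"
NOVNC_PORT="${NOVNC_PORT:-29876}"
AUTH_FILE="${AUTH_FILE:-/var/lib/one/.one/sunstone_auth}"
TOKEN_DIR="${TOKEN_DIR:-/var/lib/one/sunstone_vnc_tokens}"
UPLOAD_DIR="${UPLOAD_DIR:-/var/tmp}"

# Group and other permission bits of a path as shown by ls, e.g. "------"
# for mode 0600 or 0700, "r--r--" for 0644.
perm_bits_go() {
    ls -ld "$1" | cut -c5-10
}

# Returns 0 when the auth file exists and only its owner can access it.
# Whoever reads sunstone_auth can authenticate on behalf of any user, so
# any group/other bit is a finding.
check_auth_file() {
    [ -f "$1" ] || return 1
    [ "$(perm_bits_go "$1")" = "------" ]
}

# Returns 0 when a marker written into the directory reads back with the
# same content. Used for the token folder (written by sunstone-server,
# read by novnc-server over the export) and for tmpdir (written by the
# upload, read by oned). The marker is removed afterwards.
check_shared_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    marker="$dir/.preflight.$$"
    printf 'preflight' > "$marker" 2>/dev/null || return 1
    content=$(cat "$marker")
    rm -f "$marker"
    [ "$content" = "preflight" ]
}

# Returns 0 when host:port accepts a TCP connection. Needs nc and the
# network, so main() only runs it when CHECK_NET=1.
check_novnc_forward() {
    nc -z -w 3 "$1" "$2"
}

# Prints the sunstone-server.conf keys that differ from a single-host
# install. :one_xmlrpc: is from the thread; :tmpdir: and :vnc_proxy_port:
# are assumed to match the 4.2 sunstone-server.conf.
frontend_conf() {
    printf ':one_xmlrpc: http://%s:2633/RPC2\n' "$1"
    printf ':tmpdir: %s\n' "$2"
    printf ':vnc_proxy_port: %s\n' "$3"
}

# Runs the local checks and reports; exit status is the number of failures.
main() {
    failed=0
    check_auth_file "$AUTH_FILE" \
        && echo "ok   $AUTH_FILE is owner-only" \
        || { echo "FAIL $AUTH_FILE missing or readable by group/other"; failed=$((failed + 1)); }
    for d in "$TOKEN_DIR" "$UPLOAD_DIR"; do
        check_shared_dir "$d" \
            && echo "ok   $d is writable and reads back" \
            || { echo "FAIL $d not writable (is the NFS mount present?)"; failed=$((failed + 1)); }
    done
    if [ "${CHECK_NET:-0}" = 1 ]; then
        check_novnc_forward localhost "$NOVNC_PORT" \
            && echo "ok   forwarded noVNC port $NOVNC_PORT answers" \
            || { echo "FAIL nothing listening on forwarded port $NOVNC_PORT"; failed=$((failed + 1)); }
    fi
    echo "--- sunstone-server.conf settings for the frontend ---"
    frontend_conf "$ONED_HOST" "$UPLOAD_DIR" "$NOVNC_PORT"
    return "$failed"
}

# Run the checks only when executed as one-preflight.sh, not when sourced.
case "${0##*/}" in
    one-preflight.sh) main ;;
esac
```

Save it as one-preflight.sh on the frontend and run it as the user sunstone-server runs as, with CHECK_NET=1 once the port forward is up; a non-zero exit lists what is still missing. The permission check is the one with security weight: the token folder only needs to be writable, but sunstone_auth must not be readable by anyone who merely gets a shell on the public host.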