OneGate Configuration¶
The OneGate server allows Virtual Machines to pull and push information from/to OpenNebula. It can be used with all hypervisor Host types (KVM, LXC, and the legacy vCenter driver) if the guest operating system has preinstalled the OpenNebula contextualization package. It’s a dedicated daemon installed by default as part of the Single Front-end Installation, but can be deployed independently on a different machine. The server is distributed as an operating system package opennebula-gate
with the system service opennebula-gate
.
Read more in OneGate Usage.
Recommended Network Setup¶
To use the OneGate Service, VMs must have connectivity to the service. We recommend setting up a dedicated virtual network, ideally on a separate VLAN, for OneGate access. To accomplish this, simply add a virtual network interface (NIC) to the OneGate Service network for the VMs requiring access to the service. In cases where you’re deploying a multi-tier service, you can just add the virtual router to the OneGate Service network. The recommended network layout is illustrated in the diagram below:
Configuration¶
The OneGate configuration file can be found in /etc/one/onegate-server.conf
on your Front-end. It uses the YAML syntax, with the parameters listed in the table below.
Note
After a configuration change, the OneGate server must be restarted to take effect.
Tip
For a quick view of any changes in configuration file options in maintenance releases, check the Resolved Issues page in the Release Notes for the release. Please note that even in the case of changes (such as a new option available), you do not need to update your configuration files unless you wish to change the application’s behavior.
Parameter |
Description |
---|---|
Server Configuration |
|
|
Endpoint of OpenNebula XML-RPC API |
|
Host/IP where OneGate will listen |
|
Port where OneGate will listen |
|
SSL proxy URL that serves the API (set if is being used) |
Authentication |
|
|
Authentication driver for incoming requests.
|
|
Authentication driver to communicate with OpenNebula core
For more information, visit the Cloud Server Authentication reference. |
OneFlow Endpoint |
|
|
Endpoint where the OneFlow server is listening |
Permissions |
|
|
By default OneGate exposes all the available API calls. Each of the actions can be enabled/disabled in the server configuration. |
|
Attributes that cannot be modified when updating a VM template |
|
Actions that cannot be performed on a VM |
|
Attributes of the Virtual Network template that will be retrieved for Virtual Networks |
Logging |
|
|
Logging level. Values: |
|
Default interval for timestamps. Tokens will be generated using the same timestamp for this interval of time. THIS VALUE CANNOT BE LOWER THAN EXPIRE_MARGIN. |
|
Tokens will be generated if time > EXPIRE_TIME - EXPIRE_MARGIN |
In the default configuration, the OneGate server will only listen to requests coming from localhost
. Because the OneGate needs to be accessible remotely from the Virtual Machines, you need to change :host
parameter in /etc/one/onegate-server.conf
to a public IP of your Front-end host or to 0.0.0.0
(to work on all IP addresses configured on host).
Configure OpenNebula¶
Before Virtual Machines can communicate with OneGate, you need to edit /etc/one/oned.conf and set the OneGate endpoint in parameter ONEGATE_ENDPOINT
. This endpoint (IP/hostname) must be reachable from the Virtual Machines over the network!
ONEGATE_ENDPOINT = "http://one.example.com:5030"
Restart the OpenNebula service to apply changes.
Service Control and Logs¶
Change the server running state by managing the operating system service opennebula-gate
.
To start, restart or stop the server, execute one of:
systemctl start opennebula-gate
systemctl restart opennebula-gate
systemctl stop opennebula-gate
To enable or disable automatic start on Host boot, execute one of:
systemctl enable opennebula-gate
systemctl disable opennebula-gate
Server logs are located in /var/log/one
in following files:
/var/log/one/onegate.log
/var/log/one/onegate.error
Other logs are also available in Journald. Use the following command to show:
journalctl -u opennebula-gate.service
Advanced Setup¶
Example: Use Transparent OneGate Proxy to Improve Security¶
Add the following config snippet to the ~oneadmin/remotes/etc/vnm/OpenNebulaNetwork.conf
file on Front-end machines:
:tproxy:
# OneGate service.
- :service_port: 5030
:remote_addr: 10.11.12.13 # OpenNebula Front-end VIP
:remote_port: 5030
Propagate config to Hypervisor hosts, execute as oneadmin
on the leader Front-end machine:
$ onehost sync -f
Deploy a guest Virtual Machine and test OneGate connectivity from within:
$ onegate vm show
Read more in Transparent Proxies.