FireEdge Configuration¶

The OpenNebula FireEdge server provides a next-generation web-management interface for remote OpenNebula Cluster provisioning (OneProvision GUI) as well as additional functionality to Sunstone. It’s a dedicated daemon installed by default as part of the Single Front-end Installation, but can be deployed independently on a different machine. The server is distributed as an operating system package opennebula-fireedge with the system service opennebula-fireedge.

Main Features¶

VMRC and Guacamole Proxy for Sunstone to remotely access the VMs (incl., VNC, RDP, and SSH)
OneProvision GUI: to manage deployments of fully operational Clusters on remote Edge Cloud providers, see Provisioning an Edge Cluster. Accessible from the following URL:

http://<OPENNEBULA-FRONTEND>:2616/fireedge/provision

FireEdge Sunstone: new iteration of Sunstone written in React/Redux. Accessible through the following URL:

http://<OPENNEBULA-FRONTEND>:2616

Note

We are continually expanding the feature set of FireEdge Sunstone, and hence its configuration files are in constant change. In versions 6.6.3 and later, configuration files in /etc/one/fireedge/sunstone/ can be replaced by the ones that can be downloaded here in order to activate the latest features.

Warning

FireEdge currently doesn’t support federated environments. It can interact only with a local OpenNebula instance (even if it’s federated), but can’t interact with remote, federated OpenNebula instances.

Configuration¶

The FireEdge server configuration file can be found in /etc/one/fireedge-server.conf on your Front-end. It uses YAML syntax with following parameters:

Note

After a configuration change, the FireEdge server must be restarted to take effect.

Parameter	Default Value	Description
`log`	`prod`	Log debug: `prod` or `dev`
`cors`	`true`	Enable CORS (cross-origin resource sharing)
`host`	`0.0.0.0`	IP on which the FireEdge server will listen
`port`	`2616`	Port on which the FireEdge server will listen
`one_xmlrpc`	`http://localhost:2633/RPC2`	Endpoint of OpenNebula XML-RPC API. It needs to match the ENDPOINT attribute of `onezone show 0`
`oneflow_server`	`http://localhost:2474`	Endpoint of OneFlow server
`session_expiration`	`180`	JWT expiration time (minutes)
`session_remember_expiration`	`3600`	JWT expiration time when using remember check box (minutes)
`default_zone`		Shows the default resources of that zone
`default_zone/id`	`0`	Id of the zone to which this fireedge belongs
`default_zone/name`	`OpenNebula`	Name of the zone to which this fireedge belongs
`default_zone/endpoint`	`http://localhost:2633/RPC2`	XML-RPC url of the zone to which this fireedge belongs
`minimun_opennebula_expiration`	`30`	Minimum time to reuse previously generated JWTs (minutes)
`subscriber_endpoint`	`tcp://localhost:2101`	Endpoint to subscribe for OpenNebula events
`debug_level`	`2`	Log debug level
`guacd/port`	`4822`	Connection port of guacd server
`guacd/host`	`localhost`	Connection hostname/IP of guacd server
`auth`	`opennebula`	Authentication driver for incoming requests: OpenNebula the authentication will be done by the OpenNebula core using the driver defined for the user. remote performs the login based on a Kerberos X-Auth-Username header provided by authentication backend
`auth_redirect`		This configuration is for the login button redirect. The available options are: /, . or a URL

Note

JWT is acronime of JSON Web Token

OneProvision GUI

oneprovision_dashboard

Parameter	Default Value	Description
`oneprovision_prepend_command`		Command prefix for `oneprovision` command
`oneprovision_optional_create_command`		Optional options for `oneprovision create` command. Check `oneprovision create --help` for more information.

FireEdge Sunstone

fireedge_sunstone_dashboard

Parameter	Default Value	Description
`support_url`	`https://opennebula.zendesk.com/api/v2`	Zendesk support URL
`token_remote_support`		Support enterprise token
`vcenter_prepend_command`		Command prefix for `onevcenter` command
`sunstone_prepend`		Optional parameter for `Sunstone commands` command
`tmpdir`	`/var/tmp`	Directory to store temporal files when uploading images
`max_upload_file_size`	`20000`	Max size upload file (bytes)
`proxy`		Enable an http proxy for the support portal and to download MarketPlaceApps
`leases`		Enable the vm leases
`supported_fs`		Support filesystem
`currency`	`EUR`	Currency formatting
`default_lang`	`en`	Default language setting
`langs`		List of server localizations
`keep_me_logged_in`	`true`	True to display ‘Keep me logged in’ option

Once the server is initialized, it creates the file /var/lib/one/.one/fireedge_key, used to encrypt communications with Guacd.

In HA environments, fireedge_key needs to be copied from the first leader to the followers. Optionally, in order to have the provision logs available in all the HA nodes, /var/lib/one/fireedge need to be shared between nodes.

If you need to execute the FireEdge with SSL Certificate, in the following path: /usr/lib/one/fireedge you must create a folder called cert and inside it place the files cert.pem and key.pem. After doing that you need to restart opennebula-fireedge.

Configure Sunstone for VMRC and Guacamole¶

Note

After a configuration change, the Sunstone server must be restarted to take effect.

In order for Sunstone (not FireEdge Sunstone, but rather the current Sunstone, with full admin functionality) to allow VMRC and Guacamole VNC/RDP/SSH access, you need to configure Sunstone with the public endpoint of FireEdge so that one service can redirect users to the other. To configure the public FireEdge endpoint in Sunstone, edit /etc/one/sunstone-server.conf and update the :public_fireedge_endpoint with the base URL (domain or IP-based) over which end-users can access the service. For example:

:public_fireedge_endpoint: http://one.example.com:2616

Hint

If you aren’t planning to use FireEdge, you can disable it in Sunstone by commenting out the following parameters in /etc/one/sunstone-server.conf, e.g.:

#:private_fireedge_endpoint: http://localhost:2616
#:public_fireedge_endpoint: http://localhost:2616

Warning

FireEdge currently doesn’t support X.509 Authentication.

Configure Guacamole¶

FireEdge uses Apache Guacamole, a free and open source web application that allows you to access a remote console or desktop of the Virtual Machine anywhere using a modern web browser. It is a clientless remote desktop gateway which only requires Guacamole installed on a server and a web browser supporting HTML5.

Guacamole supports multiple connection methods such as VNC, RDP, and SSH and is made up of two separate parts - server and client. The Guacamole server consists of the native server-side libraries required to connect to the server and the Guacamole proxy daemon (guacd), which accepts the user’s requests and connects to the remote desktop on their behalf.

Note

The OpenNebula binary packages provide Guacamole proxy daemon (package opennebula-guacd and service opennebula-guacd), which is installed alongside FireEdge. In the default configuration, the Guacamole proxy daemon is automatically started along with FireEdge, and FireEdge is configured to connect to the locally-running Guacamole. No extra steps are required!

If Guacamole is running on a different host to the FireEdge, following FireEdge configuration parameters have to be customized:

guacd/host
guacd/port

Service Control and Logs¶

Change the server running state by managing the operating system service opennebula-fireedge.

To start, restart or stop the server, execute one of:

systemctl start   opennebula-fireedge
systemctl restart opennebula-fireedge
systemctl stop    opennebula-fireedge

To enable or disable automatic start on host boot, execute one of:

systemctl enable  opennebula-fireedge
systemctl disable opennebula-fireedge

Server logs are located in /var/log/one in the following file:

/var/log/one/fireedge.log: operational log.
/var/log/one/fireedge.error: errors and exceptions log.

Other logs are also available in Journald. Use the following command to show them:

journalctl -u opennebula-fireedge.service

OneProvision GUI Logs

FireEdge OneProvision GUI app also creates logs for provisions created with it. These logs are saved in two phases, while the provisions are created, the logs are stored in /var/lib/one/fireedge/provision/<user_id>/tmp/, once they are created the logs are moved to /var/lib/one/fireedge/provision/<user_id>/<provision_id>/stdouterr.log.

Note

The OneProvision GUI logs get rotated automatically when the log size gets over 100kb and perform any action to the provision.

Troubleshooting¶

Conflicting Port¶

A common issue when starting FireEdge is a used port:

Error: listen EADDRINUSE: address already in use 0.0.0.0:2616

If another service is using the port, you can change FireEdge configuration (/etc/one/fireedge-server.conf) to use another host/port. Remember to also adjust the FireEdge endpoints in Sunstone configuration (/etc/one/sunstone-server.conf) as well.