Ubuntu Enterprise Cloud: autoregistration features
Among the improvements coming to Ubuntu Enterprise Cloud in 10.04 is support for automatic registration of Eucalyptus components, even in complex topologies. In 9.10, we only supported local registration of components on a “CLC+Walrus+CC+SC” system, and you had to register NCs manually.
In 10.04, components installed through the UEC installer will automatically register themselves with their parent component, even on remote machines and complex topologies. Here is how it works.
Eucalyptus is made of 5 types of components that can live on the same or on separate systems:
- The CLC (Cloud controller) is the entry point to the cloud, which is made of one or more clusters
- The Walrus is a single component (one per cloud) providing an S3-like storage service
- A CC (Cluster controller) controls a given cluster
- A SC (Storage controller) handles storage in a given cluster
- A NC (Node controller) handles VMs in a given cluster. There can (and should) be multiple NCs in each cluster
Parent components need to register child components before they can use them as part of the cloud. The CLC is the parent for the CC, SC and Walrus child components, while the CC is the parent for NC child components.
The UEC installer detects components already installed on the local network (see publication, below) and offers a reasonable choice of components for you to install.
When you install a child component, the installer downloads a preseed file from its parent. That preseed file carries the parent's public SSH key, which gets installed in the eucalyptus user's authorized_keys on the child; this is what later lets the parent reach the child over SSH to synchronize keys. Note that this is the trust bootstrap: whichever host the installer fetched that preseed from ends up with SSH access to the child.
Child component publication
When the new system comes up (once SSH is started), the child component will start to publish its existence on the local network via avahi.
Child component registration on parent
The two parent components run a uec-component-listener process that listens to those avahi announcements. CLC picks up Walrus, CC and SC announcements, while the CC picks up new NC announcements. They run a corresponding registration script (that lives under /usr/share/eucalyptus/registration), which usually makes a few checks and calls the relevant euca_conf --register-* command.
This triggers key synchronization (over SSH, using the authorized_keys entry set up during installation, if you still follow) and registers the component locally. The whole autoregistration process is logged to /var/log/eucalyptus/registration.log on the CLC and CC. By default, every new child component is registered automatically.
If that sounds scary to you, you’re probably right. On untrusted networks, a malicious host could announce itself as a component and get inserted into the cloud. That’s why I’d advise disabling autoregistration on the CLC once you have the basic key components in place. If your NCs don’t live on a secure subnet, I’d also advise registering them manually.
To that end, CLCs and CCs provide the uec-registration tool. Run it without arguments and it tells you whether autoregistration is active. Run sudo uec-registration --manual to switch to manual registration and lock your system down.
The serious reader will object that it still leaves a small window where your untrusted network can register components with your cloud. For those cases, there is a preseed value that allows you to just install UEC with all autoregistration disabled:
Just set this value and you will stay away from it :)