CentOS 6.4 – Connecting OpenNebula Sunstone to LDAP server

In a previous post I’ve installed an LDAP server with OpenLDAP in my CentOS 6.4, please read it if you want to know the structure of my lab’s LDAP directory. I’m going to configure OpenNebula so it uses this LDAP for Sunstone authentication.

I’m following the official documentation about this topic and I’m offering my examples and comments, please read http://opennebula.org/documentation:rel4.2:ldap if you have any doubt.

The first thing to do is installing the following gem:

# gem install net-ldap

If the gem is not installed this is the error you’ll find in /var/log/one/oned.log: Error `gem_original_require’: no such file to load — net/ldap (LoadError)

We’ll need to configure the LDAP connection parameters in the /etc/one/auth/ldap_auth.conf. My LDAP running in the same host only requires the following parameters. I’ll use the uid attribute for the user field and the users must me members of the group onemanagers:

# Ldap authentication method
:auth_method: :simple

# Ldap server
:host: localhost
:port: 389

# base hierarchy where to search for users and groups
:base: 'dc=example,dc=com'

# group the users need to belong to. If not set any user will do
:group: 'cn=onemanagers,ou=Groups,dc=example,dc=com'

# field that holds the user name, if not set 'cn' will be used
:user_field: 'uid'

# field name for group membership, by default it is 'member'
:group_field: 'member'

# user field that that is in in the group group_field, if not set 'dn' will be used
:user_group_field: 'dn'

Now edit the /etc/one/oned.conf file and add default in the authn directive inside the AUTH_MAD section

executable = "one_auth_mad",
authn = "ssh,x509,ldap,default,server_cipher,server_x509"

If you forget to add “default” this is the error you’ll find in your /var/log/one/oned.log: Error Auth Error: Authentication driver ‘default’ not available

If you want to authenticate users that are not included in opennebula database but in the LDAP directory execute this command so LDAP authentication driver is used as the default authentication driver. I execute the following commands:

# cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default
chown oneadmin:oneadmin /var/lib/one/remotes/auth/default ( -- remember to do this if you are using the root account --)

Finally let’s change how Sunstone authenticates users:

  • Edit the /etc/one/sunstone-server.conf and change :auth: sunstone to :auth: opennebula

Restart your services (maybe it’s not needed but just in case… 😀 )

Ok. The authentication with LDAP works. If I try to log with a new user which is a member of the cn=onemanagers group the user is added to OpenNebula automatically. Here’s an image of how my user n40lab has been added as a new Sunstone user.




CentOS 6.4 – OpenNebula 4 Eagle installation

Info 13/05/2013: this post has been updated as OpenNebula 4 has been published last week. A big thanks to C12G Labs and other contributors for such a great job.

Info 03/06/2013: this post has been updated as OpenNebula 4.0.1 has been recently published.

I’ve downloaded the CentOS-6.4-opennebula-4.0.1-1.tar.gz from OpenNebula’s download page. It’s really easy to install OpenNebula using the rpm packages provided by C12G Labs.

Warning: Don’t install the opennebula-context-4.0.1-1.x86_64.rpm package inside the context directory as it will reconfigure your network interfaces, that package should be used if you want to install contextualization scripts in RedHat or CentOS virtual machines.

Warning: be sure to use the EPEL repository to solve ruby dependencies. Read the step 2 of this old article.

tar xvfz CentOS-6.4-opennebula-4.0.1-1.tar.gz
cd opennebula-4.0.1-1

yum localinstall opennebula-common-4.0.1-1.x86_64.rpm
yum localinstall opennebula-ruby-4.0.1-1.x86_64.rpm
yum localinstall opennebula-4.0.1-1.x86_64.rpm
yum localinstall opennebula-sunstone-4.0.1-1.x86_64.rpm
yum localinstall opennebula-server-4.0.1-1.x86_64.rpm

Note: VNC Service (novnc) is now installed with opennebula-sunstone package, in previous versions you had to install it with a script called install_novnc.sh

Ok. Let’s start the opennebula and opennebula-sunstone services.

cd /usr/share/one
# service opennebula start
Starting OpenNebula daemon: [ OK ]

#service opennebula-sunstone start
Starting Sunstone Server daemon: VNC proxy started
sunstone-server started [ OK ]

If you want Sunstone to listen in a different IP address than edit the :host: directive in the /etc/one/sunstone-server.conf and add an iptables rule if your firewall is running (also remember to save that rule).

iptables -I INPUT -p tcp --dport 9869 -m state --state=NEW,ESTABLISHED,RELATED -j ACCEPT

# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

Try to open in a browser the Sunstone GUI: http://x.x.x.x:9869 (where x.x.x.x is the ip address configured in /etc/one/sunstone-server.conf) and remember that the oneadmin password is the random string inside the /var/lib/one/.one/one_auth file.

The new Sunstone interface looks awesome! In the next days I’ll try the new interface creating a new host.


Read this post if you want to configure a OpenNebula system with KVM and Openvswitch.


OpenNebula – Using SPICE for VM graphics

OpenNebula 4’s Sunstone GUI comes with NoVNC so you can open VNC connections against your VM if you configure the graphics section. NoVNC is awesome and offers secure websocket connections. However, I sometimes have problems with VNC’s mouse pointer position (it’s not a problem with OpenNebula or NoVNC just a qemu/vnc issue) and the trick about using tablet usb pointer shown in this discussion solves it.

If you want a different way to connect to your KVM guests you can try SPICE. If you’re curious about using SPICE in CentOS/RHEL please read Timothy Lee’s howto which is a great guide and helped me to understand how to use remote-viewer and what packages should I need.

Ok hands on. In the OpenNebula VM template I just set:


If you wish to specify a port in the graphics section you have the explanation In OpenNebula’s documentation. If no port is specified OpenNebula will use the VNC_BASE_PORT variable set in /etc/one/oned.conf ( 5900 ) + your VM’s id e.g my VM has ID 7 so the SPICE/VNC port will be 5907.

A Spice server connection opened by qemu-kvm will be listening in any address ( but in order to connect from a remote host I need an iptables rule e.g:

  • iptables -I INPUT -m tcp -p tcp –dport 5907 -m state –state=NEW,ESTABLISHED,RELATED -j ACCEPT
  • service iptables save

From my Fedora desktop I have to install virt-viewer and spice-client:

  • yum install virt-viewer spice-client

And finally I open a spice connection with remote-viewer:

  • remote-viewer spice://haddock.macto.local:5907 &

A new window is shown. Enjoy!

OpenNebula 4 Beta – running a virtual machine

Today we’re going to run a virtual machine using the KVM hypervisor and an openvswitch based virtual network. I’ve recorded a screencast so you can follow the steps easily. I’m going to configure a virtual network using openvswitch and I’ll test connectivity pinging my router

Before the screencast a few comments:

  • I’m going to add a rule in iptables allowing traffic for VNC connection using the following commands:
iptables -I INPUT -p tcp --dport 29876 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
service iptables save
  • I’m using the ttylinux image from the OpenNebula market as it is small. I’m skipping the “Create image” step so image downloading time doesn’t affect the screencast.
  • The virtual machine template will run with 512 MB of RAM and it’ll use 50% of a CPU (maximum).
  • A virtual network called net0 is created with a fixed range (,, though just one IP address would be needed.
  • ttylinux image is ready for contextualization so an IP address from the net0 pool will be automatically assigned after adding a NIC to the template. My openvswitch bridge is named br0.

And finally here is the video:

OpenNebula (Part II) – Sunstone GUI

I’m a big fan of the command line, but as an OpenNebula newbie user, I’m going to use the OpenNebula’s GUI called Sunstone. Sunstone is built on ruby and it’ll be listening on localhost:port 9869 by default, so if you need to change that behaviour please edit the Server Configuration section in the /etc/one/sunstone-server.conf file.

Assuming you’ve installed the opennebula-sunstone rpm package, you can start the GUI with:

root@haddock opennebula-3.8.1]# service opennebula-sunstone start
Starting Sunstone Server daemon: sunstone-server started [ OK ]

Now, open your browser and enter your OpenNebula hosts ip address and set the port to 9869. A login screen should welcome you. Unless you created another user, you can enter Sunstone with your oneadmin user. If you wonder what is the password for your oneadmin user, it should be in the /var/lib/one/.one/one_auth file. In my case the password was a  random string generated by OpenNebula rpm installation.

And here we go, Sunstone running and ready. In the following post I’ll create my first virtual machine using an existing image using the Sunstone GUI.