1
0

gce.rst 22 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708
  1. .. _cloud-getting-started-gce:
  2. ==========================================
  3. Getting Started With Google Compute Engine
  4. ==========================================
  5. Google Compute Engine (GCE) is Google-infrastructure as a service that lets you
  6. run your large-scale computing workloads on virtual machines. This document
  7. covers how to use Salt Cloud to provision and manage your virtual machines
  8. hosted within Google's infrastructure.
  9. You can find out more about GCE and other Google Cloud Platform services
  10. at https://cloud.google.com.
  11. Dependencies
  12. ============
  13. * LibCloud >= 1.0.0
  14. .. versionchanged:: 2017.7.0
  15. * A Google Cloud Platform account with Compute Engine enabled
  16. * A registered Service Account for authorization
  17. * Oh, and obviously you'll need `salt <https://github.com/saltstack/salt>`_
  18. .. _gce_setup:
  19. Google Compute Engine Setup
  20. ===========================
  21. #. Sign up for Google Cloud Platform
  22. Go to https://cloud.google.com and use your Google account to sign up for
  23. Google Cloud Platform and complete the guided instructions.
  24. #. Create a Project
  25. Next, go to the console at https://cloud.google.com/console and create a
  26. new Project. Make sure to select your new Project if you are not
  27. automatically directed to the Project.
  28. Projects are a way of grouping together related users, services, and
  29. billing. You may opt to create multiple Projects and the remaining
  30. instructions will need to be completed for each Project if you wish to
  31. use GCE and Salt Cloud to manage your virtual machines.
  32. #. Enable the Google Compute Engine service
  33. In your Project, either just click *Compute Engine* to the left, or go to
  34. the *APIs & auth* section and *APIs* link and enable the Google Compute
  35. Engine service.
  36. #. Create a Service Account
  37. To set up authorization, navigate to *APIs & auth* section and then the
  38. *Credentials* link and click the *CREATE NEW CLIENT ID* button. Select
  39. *Service Account* and click the *Create Client ID* button. This will
  40. automatically download a ``.json`` file, which may or may not be used
  41. in later steps, depending on your version of ``libcloud``.
  42. Look for a new *Service Account* section in the page and record the generated
  43. email address for the matching key/fingerprint. The email address will be used
  44. in the ``service_account_email_address`` of the ``/etc/salt/cloud.providers``
  45. or the ``/etc/salt/cloud.providers.d/*.conf`` file.
  46. #. Key Format
  47. .. note:: If you are using ``libcloud >= 0.17.0`` it is recommended that you use the ``JSON
  48. format`` file you downloaded above and skip to the `Provider Configuration`_ section
  49. below, using the JSON file **in place of 'NEW.pem'** in the documentation.
  50. If you are using an older version of libcloud or are unsure of the version you
  51. have, please follow the instructions below to generate and format a new P12 key.
  52. In the new *Service Account* section, click *Generate new P12 key*, which
  53. will automatically download a ``.p12`` private key file. The ``.p12``
  54. private key needs to be converted to a format compatible with libcloud.
  55. This new Google-generated private key was encrypted using *notasecret* as
  56. a passphrase. Use the following command and record the location of the
  57. converted private key and record the location for use in the
  58. ``service_account_private_key`` of the ``/etc/salt/cloud`` file:
  59. .. code-block:: bash
  60. openssl pkcs12 -in ORIG.p12 -passin pass:notasecret \
  61. -nodes -nocerts | openssl rsa -out NEW.pem
  62. Provider Configuration
  63. ======================
  64. Set up the provider cloud config at ``/etc/salt/cloud.providers`` or
  65. ``/etc/salt/cloud.providers.d/*.conf``:
  66. .. code-block:: yaml
  67. gce-config:
  68. # Set up the Project name and Service Account authorization
  69. project: "your-project-id"
  70. service_account_email_address: "123-a5gt@developer.gserviceaccount.com"
  71. service_account_private_key: "/path/to/your/NEW.pem"
  72. # Set up the location of the salt master
  73. minion:
  74. master: saltmaster.example.com
  75. # Set up grains information, which will be common for all nodes
  76. # using this provider
  77. grains:
  78. node_type: broker
  79. release: 1.0.1
  80. driver: gce
  81. .. note::
  82. Empty strings as values for ``service_account_private_key`` and ``service_account_email_address``
  83. can be used on GCE instances. This will result in the service account assigned to the GCE instance
  84. being used.
  85. .. note::
  86. The value provided for ``project`` must not contain underscores or spaces and
  87. is labeled as "Project ID" on the Google Developers Console.
  88. .. note::
  89. .. versionchanged:: 2015.8.0
  90. The ``provider`` parameter in cloud provider definitions was renamed to ``driver``. This
  91. change was made to avoid confusion with the ``provider`` parameter that is used in cloud profile
  92. definitions. Cloud provider definitions now use ``driver`` to refer to the Salt cloud module that
  93. provides the underlying functionality to connect to a cloud host, while cloud profiles continue
  94. to use ``provider`` to refer to provider configurations that you define.
  95. Profile Configuration
  96. =====================
  97. Set up an initial profile at ``/etc/salt/cloud.profiles`` or
  98. ``/etc/salt/cloud.profiles.d/*.conf``:
  99. .. code-block:: yaml
  100. my-gce-profile:
  101. image: centos-6
  102. size: n1-standard-1
  103. location: europe-west1-b
  104. network: default
  105. subnetwork: default
  106. tags: '["one", "two", "three"]'
  107. metadata: '{"one": "1", "2": "two"}'
  108. use_persistent_disk: True
  109. delete_boot_pd: False
  110. deploy: True
  111. make_master: False
  112. provider: gce-config
  113. The profile can be realized now with a salt command:
  114. .. code-block:: bash
  115. salt-cloud -p my-gce-profile gce-instance
  116. This will create an salt minion instance named ``gce-instance`` in GCE. If
  117. the command was executed on the salt-master, its Salt key will automatically
  118. be signed on the master.
  119. Once the instance has been created with a salt-minion installed, connectivity to
  120. it can be verified with Salt:
  121. .. code-block:: bash
  122. salt gce-instance test.version
  123. GCE Specific Settings
  124. =====================
  125. Consult the sample profile below for more information about GCE specific
  126. settings. Some of them are mandatory and are properly labeled below but
  127. typically also include a hard-coded default.
  128. Initial Profile
  129. ---------------
  130. Set up an initial profile at ``/etc/salt/cloud.profiles`` or
  131. ``/etc/salt/cloud.profiles.d/gce.conf``:
  132. .. code-block:: yaml
  133. my-gce-profile:
  134. image: centos-6
  135. size: n1-standard-1
  136. location: europe-west1-b
  137. network: default
  138. subnetwork: default
  139. tags: '["one", "two", "three"]'
  140. metadata: '{"one": "1", "2": "two"}'
  141. use_persistent_disk: True
  142. delete_boot_pd: False
  143. ssh_interface: public_ips
  144. external_ip: "ephemeral"
  145. image
  146. -----
  147. Image is used to define what Operating System image should be used
  148. to for the instance. Examples are Debian 7 (wheezy) and CentOS 6. Required.
  149. size
  150. ----
  151. A 'size', in GCE terms, refers to the instance's 'machine type'. See
  152. the on-line documentation for a complete list of GCE machine types. Required.
  153. location
  154. --------
  155. A 'location', in GCE terms, refers to the instance's 'zone'. GCE
  156. has the notion of both Regions (e.g. us-central1, europe-west1, etc)
  157. and Zones (e.g. us-central1-a, us-central1-b, etc). Required.
  158. network
  159. -------
  160. Use this setting to define the network resource for the instance.
  161. All GCE projects contain a network named 'default' but it's possible
  162. to use this setting to create instances belonging to a different
  163. network resource.
  164. subnetwork
  165. ----------
  166. Use this setting to define the subnetwork an instance will be created in.
  167. This requires that the network your instance is created under has a mode of 'custom' or 'auto'.
  168. Additionally, the subnetwork your instance is created under is associated with the location you provide.
  169. .. versionadded:: 2017.7.0
  170. tags
  171. ----
  172. GCE supports instance/network tags and this setting allows you to
  173. set custom tags. It should be a list of strings and must be
  174. parse-able by the python ast.literal_eval() function to convert it
  175. to a python list.
  176. metadata
  177. --------
  178. GCE supports instance metadata and this setting allows you to
  179. set custom metadata. It should be a hash of key/value strings and
  180. parse-able by the python ast.literal_eval() function to convert it
  181. to a python dictionary.
  182. use_persistent_disk
  183. -------------------
  184. Use this setting to ensure that when new instances are created,
  185. they will use a persistent disk to preserve data between instance
  186. terminations and re-creations.
  187. delete_boot_pd
  188. --------------
  189. In the event that you wish the boot persistent disk to be permanently
  190. deleted when you destroy an instance, set delete_boot_pd to True.
  191. ssh_interface
  192. -------------
  193. .. versionadded:: 2015.5.0
  194. Specify whether to use public or private IP for deploy script.
  195. Valid options are:
  196. - private_ips: The salt-master is also hosted with GCE
  197. - public_ips: The salt-master is hosted outside of GCE
  198. external_ip
  199. -----------
  200. Per instance setting: Used a named fixed IP address to this host.
  201. Valid options are:
  202. - ephemeral: The host will use a GCE ephemeral IP
  203. - None: No external IP will be configured on this host.
  204. Optionally, pass the name of a GCE address to use a fixed IP address.
  205. If the address does not already exist, it will be created.
  206. ex_disk_type
  207. ------------
  208. GCE supports two different disk types, ``pd-standard`` and ``pd-ssd``.
  209. The default disk type setting is ``pd-standard``. To specify using an SSD
  210. disk, set ``pd-ssd`` as the value.
  211. .. versionadded:: 2014.7.0
  212. ip_forwarding
  213. -------------
  214. GCE instances can be enabled to use IP Forwarding. When set to ``True``,
  215. this options allows the instance to send/receive non-matching src/dst
  216. packets. Default is ``False``.
  217. .. versionadded:: 2015.8.1
  218. Profile with scopes
  219. -------------------
  220. Scopes can be specified by setting the optional ``ex_service_accounts``
  221. key in your cloud profile. The following example enables the bigquery scope.
  222. .. code-block:: yaml
  223. my-gce-profile:
  224. image: centos-6
  225. ssh_username: salt
  226. size: f1-micro
  227. location: us-central1-a
  228. network: default
  229. subnetwork: default
  230. tags: '["one", "two", "three"]'
  231. metadata: '{"one": "1", "2": "two",
  232. "sshKeys": ""}'
  233. use_persistent_disk: True
  234. delete_boot_pd: False
  235. deploy: False
  236. make_master: False
  237. provider: gce-config
  238. ex_service_accounts:
  239. - scopes:
  240. - bigquery
  241. Email can also be specified as an (optional) parameter.
  242. .. code-block:: yaml
  243. my-gce-profile:
  244. ...snip
  245. ex_service_accounts:
  246. - scopes:
  247. - bigquery
  248. email: default
  249. There can be multiple entries for scopes since ``ex-service_accounts`` accepts
  250. a list of dictionaries. For more information refer to the libcloud documentation
  251. on `specifying service account scopes`__.
  252. SSH Remote Access
  253. =================
  254. GCE instances do not allow remote access to the root user by default.
  255. Instead, another user must be used to run the deploy script using sudo.
  256. Append something like this to ``/etc/salt/cloud.profiles`` or
  257. ``/etc/salt/cloud.profiles.d/*.conf``:
  258. .. code-block:: yaml
  259. my-gce-profile:
  260. ...
  261. # SSH to GCE instances as gceuser
  262. ssh_username: gceuser
  263. # Use the local private SSH key file located here
  264. ssh_keyfile: /etc/cloud/google_compute_engine
  265. If you have not already used this SSH key to login to instances in this
  266. GCE project you will also need to add the public key to your projects
  267. metadata at https://cloud.google.com/console. You could also add it via
  268. the metadata setting too:
  269. .. code-block:: yaml
  270. my-gce-profile:
  271. ...
  272. metadata: '{"one": "1", "2": "two",
  273. "sshKeys": "gceuser:ssh-rsa <Your SSH Public Key> gceuser@host"}'
  274. Single instance details
  275. =======================
  276. This action is a thin wrapper around ``--full-query``, which displays details on a
  277. single instance only. In an environment with several machines, this will save a
  278. user from having to sort through all instance data, just to examine a single
  279. instance.
  280. .. code-block:: bash
  281. salt-cloud -a show_instance myinstance
  282. Destroy, persistent disks, and metadata
  283. =======================================
  284. As noted in the provider configuration, it's possible to force the boot
  285. persistent disk to be deleted when you destroy the instance. The way that
  286. this has been implemented is to use the instance metadata to record the
  287. cloud profile used when creating the instance. When ``destroy`` is called,
  288. if the instance contains a ``salt-cloud-profile`` key, it's value is used
  289. to reference the matching profile to determine if ``delete_boot_pd`` is
  290. set to ``True``.
  291. Be aware that any GCE instances created with salt cloud will contain this
  292. custom ``salt-cloud-profile`` metadata entry.
  293. List various resources
  294. ======================
  295. It's also possible to list several GCE resources similar to what can be done
  296. with other providers. The following commands can be used to list GCE zones
  297. (locations), machine types (sizes), and images.
  298. .. code-block:: bash
  299. salt-cloud --list-locations gce
  300. salt-cloud --list-sizes gce
  301. salt-cloud --list-images gce
  302. Persistent Disk
  303. ===============
  304. The Compute Engine provider provides functions via salt-cloud to manage your
  305. Persistent Disks. You can create and destroy disks as well as attach and
  306. detach them from running instances.
  307. Create
  308. ------
  309. When creating a disk, you can create an empty disk and specify its size (in
  310. GB), or specify either an 'image' or 'snapshot'.
  311. .. code-block:: bash
  312. salt-cloud -f create_disk gce disk_name=pd location=us-central1-b size=200
  313. Delete
  314. ------
  315. Deleting a disk only requires the name of the disk to delete
  316. .. code-block:: bash
  317. salt-cloud -f delete_disk gce disk_name=old-backup
  318. Attach
  319. ------
  320. Attaching a disk to an existing instance is really an 'action' and requires
  321. both an instance name and disk name. It's possible to use this ation to
  322. create bootable persistent disks if necessary. Compute Engine also supports
  323. attaching a persistent disk in READ_ONLY mode to multiple instances at the
  324. same time (but then cannot be attached in READ_WRITE to any instance).
  325. .. code-block:: bash
  326. salt-cloud -a attach_disk myinstance disk_name=pd mode=READ_WRITE boot=yes
  327. Detach
  328. ------
  329. Detaching a disk is also an action against an instance and only requires
  330. the name of the disk. Note that this does *not* safely sync and umount the
  331. disk from the instance. To ensure no data loss, you must first make sure the
  332. disk is unmounted from the instance.
  333. .. code-block:: bash
  334. salt-cloud -a detach_disk myinstance disk_name=pd
  335. Show disk
  336. ---------
  337. It's also possible to look up the details for an existing disk with either
  338. a function or an action.
  339. .. code-block:: bash
  340. salt-cloud -a show_disk myinstance disk_name=pd
  341. salt-cloud -f show_disk gce disk_name=pd
  342. Create snapshot
  343. ---------------
  344. You can take a snapshot of an existing disk's content. The snapshot can then
  345. in turn be used to create other persistent disks. Note that to prevent data
  346. corruption, it is strongly suggested that you unmount the disk prior to
  347. taking a snapshot. You must name the snapshot and provide the name of the
  348. disk.
  349. .. code-block:: bash
  350. salt-cloud -f create_snapshot gce name=backup-20140226 disk_name=pd
  351. Delete snapshot
  352. ---------------
  353. You can delete a snapshot when it's no longer needed by specifying the name
  354. of the snapshot.
  355. .. code-block:: bash
  356. salt-cloud -f delete_snapshot gce name=backup-20140226
  357. Show snapshot
  358. -------------
  359. Use this function to look up information about the snapshot.
  360. .. code-block:: bash
  361. salt-cloud -f show_snapshot gce name=backup-20140226
  362. Networking
  363. ==========
  364. Compute Engine supports multiple private networks per project. Instances
  365. within a private network can easily communicate with each other by an
  366. internal DNS service that resolves instance names. Instances within a private
  367. network can also communicate with either directly without needing special
  368. routing or firewall rules even if they span different regions/zones.
  369. Networks also support custom firewall rules. By default, traffic between
  370. instances on the same private network is open to all ports and protocols.
  371. Inbound SSH traffic (port 22) is also allowed but all other inbound traffic
  372. is blocked.
  373. Create network
  374. --------------
  375. New networks require a name and CIDR range if they don't have a 'mode'.
  376. Optionally, 'mode' can be provided. Supported modes are 'auto', 'custom', 'legacy'.
  377. Optionally, 'description' can be provided to add an extra note to your network.
  378. New instances can be created and added to this network by setting the network name during create. It is
  379. not possible to add/remove existing instances to a network.
  380. .. code-block:: bash
  381. salt-cloud -f create_network gce name=mynet cidr=10.10.10.0/24
  382. salt-cloud -f create_network gce name=mynet mode=auto description=some optional info.
  383. .. versionchanged:: 2017.7.0
  384. Destroy network
  385. ---------------
  386. Destroy a network by specifying the name. If a resource is currently using
  387. the target network an exception will be raised.
  388. .. code-block:: bash
  389. salt-cloud -f delete_network gce name=mynet
  390. Show network
  391. ------------
  392. Specify the network name to view information about the network.
  393. .. code-block:: bash
  394. salt-cloud -f show_network gce name=mynet
  395. Create subnetwork
  396. -----------------
  397. New subnetworks require a name, region, and CIDR range.
  398. Optionally, 'description' can be provided to add an extra note to your subnetwork.
  399. New instances can be created and added to this subnetwork by setting the subnetwork name during create. It is
  400. not possible to add/remove existing instances to a subnetwork.
  401. .. code-block:: bash
  402. salt-cloud -f create_subnetwork gce name=mynet network=mynet region=us-central1 cidr=10.0.10.0/24
  403. salt-cloud -f create_subnetwork gce name=mynet network=mynet region=us-central1 cidr=10.10.10.0/24 description=some info about my subnet.
  404. .. versionadded:: 2017.7.0
  405. Destroy subnetwork
  406. ------------------
  407. Destroy a subnetwork by specifying the name and region. If a resource is currently using
  408. the target subnetwork an exception will be raised.
  409. .. code-block:: bash
  410. salt-cloud -f delete_subnetwork gce name=mynet region=us-central1
  411. .. versionadded:: 2017.7.0
  412. Show subnetwork
  413. ---------------
  414. Specify the subnetwork name to view information about the subnetwork.
  415. .. code-block:: bash
  416. salt-cloud -f show_subnetwork gce name=mynet
  417. .. versionadded:: 2017.7.0
  418. Create address
  419. --------------
  420. Create a new named static IP address in a region.
  421. .. code-block:: bash
  422. salt-cloud -f create_address gce name=my-fixed-ip region=us-central1
  423. Delete address
  424. --------------
  425. Delete an existing named fixed IP address.
  426. .. code-block:: bash
  427. salt-cloud -f delete_address gce name=my-fixed-ip region=us-central1
  428. Show address
  429. ------------
  430. View details on a named address.
  431. .. code-block:: bash
  432. salt-cloud -f show_address gce name=my-fixed-ip region=us-central1
  433. Create firewall
  434. ---------------
  435. You'll need to create custom firewall rules if you want to allow other traffic
  436. than what is described above. For instance, if you run a web service on
  437. your instances, you'll need to explicitly allow HTTP and/or SSL traffic.
  438. The firewall rule must have a name and it will use the 'default' network
  439. unless otherwise specified with a 'network' attribute. Firewalls also support
  440. instance tags for source/destination
  441. .. code-block:: bash
  442. salt-cloud -f create_fwrule gce name=web allow=tcp:80,tcp:443,icmp
  443. Delete firewall
  444. ---------------
  445. Deleting a firewall rule will prevent any previously allowed traffic for the
  446. named firewall rule.
  447. .. code-block:: bash
  448. salt-cloud -f delete_fwrule gce name=web
  449. Show firewall
  450. -------------
  451. Use this function to review an existing firewall rule's information.
  452. .. code-block:: bash
  453. salt-cloud -f show_fwrule gce name=web
  454. Load Balancer
  455. =============
  456. Compute Engine possess a load-balancer feature for splitting traffic across
  457. multiple instances. Please reference the
  458. `documentation <https://developers.google.com/compute/docs/load-balancing/>`_
  459. for a more complete description.
  460. The load-balancer functionality is slightly different than that described
  461. in Google's documentation. The concept of *TargetPool* and *ForwardingRule*
  462. are consolidated in salt-cloud/libcloud. HTTP Health Checks are optional.
  463. HTTP Health Check
  464. -----------------
  465. HTTP Health Checks can be used as a means to toggle load-balancing across
  466. instance members, or to detect if an HTTP site is functioning. A common
  467. use-case is to set up a health check URL and if you want to toggle traffic
  468. on/off to an instance, you can temporarily have it return a non-200 response.
  469. A non-200 response to the load-balancer's health check will keep the LB from
  470. sending any new traffic to the "down" instance. Once the instance's
  471. health check URL beings returning 200-responses, the LB will again start to
  472. send traffic to it. Review Compute Engine's documentation for allowable
  473. parameters. You can use the following salt-cloud functions to manage your
  474. HTTP health checks.
  475. .. code-block:: bash
  476. salt-cloud -f create_hc gce name=myhc path=/ port=80
  477. salt-cloud -f delete_hc gce name=myhc
  478. salt-cloud -f show_hc gce name=myhc
  479. Load-balancer
  480. -------------
  481. When creating a new load-balancer, it requires a name, region, port range,
  482. and list of members. There are other optional parameters for protocol,
  483. and list of health checks. Deleting or showing details about the LB only
  484. requires the name.
  485. .. code-block:: bash
  486. salt-cloud -f create_lb gce name=lb region=... ports=80 members=w1,w2,w3
  487. salt-cloud -f delete_lb gce name=lb
  488. salt-cloud -f show_lb gce name=lb
  489. You can also create a load balancer using a named fixed IP addressby specifying the name of the address.
  490. If the address does not exist yet it will be created.
  491. .. code-block:: bash
  492. salt-cloud -f create_lb gce name=my-lb region=us-central1 ports=234 members=s1,s2,s3 address=my-lb-ip
  493. Attach and Detach LB
  494. --------------------
  495. It is possible to attach or detach an instance from an existing load-balancer.
  496. Both the instance and load-balancer must exist before using these functions.
  497. .. code-block:: bash
  498. salt-cloud -f attach_lb gce name=lb member=w4
  499. salt-cloud -f detach_lb gce name=lb member=oops
  500. __ https://libcloud.readthedocs.io/en/latest/compute/drivers/gce.html#specifying-service-account-scopes