salt/doc/topics/cloud/gce.rst

.. _cloud-getting-started-gce:

==========================================
Getting Started With Google Compute Engine
==========================================

Google Compute Engine (GCE) is Google-infrastructure as a service that lets you
run your large-scale computing workloads on virtual machines.  This document
covers how to use Salt Cloud to provision and manage your virtual machines
hosted within Google's infrastructure.

You can find out more about GCE and other Google Cloud Platform services
at https://cloud.google.com.


Dependencies
============

* LibCloud >= 1.0.0

.. versionchanged:: 2017.7.0

* A Google Cloud Platform account with Compute Engine enabled
* A registered Service Account for authorization
* Oh, and obviously you'll need `salt <https://github.com/saltstack/salt>`_


.. _gce_setup:

Google Compute Engine Setup
===========================
#. Sign up for Google Cloud Platform

   Go to https://cloud.google.com and use your Google account to sign up for
   Google Cloud Platform and complete the guided instructions.

#. Create a Project

   Next, go to the console at https://cloud.google.com/console and create a
   new Project.  Make sure to select your new Project if you are not
   automatically directed to the Project.

   Projects are a way of grouping together related users, services, and
   billing.  You may opt to create multiple Projects and the remaining
   instructions will need to be completed for each Project if you wish to
   use GCE and Salt Cloud to manage your virtual machines.

#. Enable the Google Compute Engine service

   In your Project, either just click *Compute Engine* to the left, or go to
   the *APIs & auth* section and *APIs* link and enable the Google Compute
   Engine service.

#. Create a Service Account

   To set up authorization, navigate to *APIs & auth* section and then the
   *Credentials* link and click the *CREATE NEW CLIENT ID* button. Select
   *Service Account* and click the *Create Client ID* button. This will
   automatically download a ``.json`` file, which may or may not be used
   in later steps, depending on your version of ``libcloud``.

   Look for a new *Service Account* section in the page and record the generated
   email address for the matching key/fingerprint. The email address will be used
   in the ``service_account_email_address`` of the ``/etc/salt/cloud.providers``
   or the ``/etc/salt/cloud.providers.d/*.conf`` file.

#. Key Format

   .. note:: If you are using ``libcloud >= 0.17.0`` it is recommended that you use the ``JSON
       format`` file you downloaded above and skip to the `Provider Configuration`_ section
       below, using the JSON file **in place of 'NEW.pem'** in the documentation.

       If you are using an older version of libcloud or are unsure of the version you
       have, please follow the instructions below to generate and format a new P12 key.

   In the new *Service Account* section, click *Generate new P12 key*, which
   will automatically download a ``.p12`` private key file. The ``.p12``
   private key needs to be converted to a format compatible with libcloud.
   This new Google-generated private key was encrypted using *notasecret* as
   a passphrase. Use the following command and record the location of the
   converted private key and record the location for use in the
   ``service_account_private_key`` of the ``/etc/salt/cloud`` file:

   .. code-block:: bash

       openssl pkcs12 -in ORIG.p12 -passin pass:notasecret \
       -nodes -nocerts | openssl rsa -out NEW.pem



Provider Configuration
======================

Set up the provider cloud config at ``/etc/salt/cloud.providers`` or
``/etc/salt/cloud.providers.d/*.conf``:

.. code-block:: yaml

    gce-config:
      # Set up the Project name and Service Account authorization
      project: "your-project-id"
      service_account_email_address: "123-a5gt@developer.gserviceaccount.com"
      service_account_private_key: "/path/to/your/NEW.pem"

      # Set up the location of the salt master
      minion:
        master: saltmaster.example.com

      # Set up grains information, which will be common for all nodes
      # using this provider
      grains:
        node_type: broker
        release: 1.0.1

      driver: gce

.. note::

    Empty strings as values for ``service_account_private_key`` and ``service_account_email_address``
    can be used on GCE instances. This will result in the service account assigned to the GCE instance
    being used.

.. note::

    The value provided for ``project`` must not contain underscores or spaces and
    is labeled as "Project ID" on the Google Developers Console.

.. note::
    .. versionchanged:: 2015.8.0

    The ``provider`` parameter in cloud provider definitions was renamed to ``driver``. This
    change was made to avoid confusion with the ``provider`` parameter that is used in cloud profile
    definitions. Cloud provider definitions now use ``driver`` to refer to the Salt cloud module that
    provides the underlying functionality to connect to a cloud host, while cloud profiles continue
    to use ``provider`` to refer to provider configurations that you define.

Profile Configuration
=====================
Set up an initial profile at ``/etc/salt/cloud.profiles`` or
``/etc/salt/cloud.profiles.d/*.conf``:

.. code-block:: yaml

    my-gce-profile:
      image: centos-6
      size: n1-standard-1
      location: europe-west1-b
      network: default
      subnetwork: default
      tags: '["one", "two", "three"]'
      metadata: '{"one": "1", "2": "two"}'
      use_persistent_disk: True
      delete_boot_pd: False
      deploy: True
      make_master: False
      provider: gce-config

The profile can be realized now with a salt command:

.. code-block:: bash

    salt-cloud -p my-gce-profile gce-instance

This will create an salt minion instance named ``gce-instance`` in GCE.  If
the command was executed on the salt-master, its Salt key will automatically
be signed on the master.

Once the instance has been created with a salt-minion installed, connectivity to
it can be verified with Salt:

.. code-block:: bash

    salt gce-instance test.version


GCE Specific Settings
=====================
Consult the sample profile below for more information about GCE specific
settings. Some of them are mandatory and are properly labeled below but
typically also include a hard-coded default.

Initial Profile
---------------
Set up an initial profile at ``/etc/salt/cloud.profiles`` or
``/etc/salt/cloud.profiles.d/gce.conf``:

.. code-block:: yaml

    my-gce-profile:
      image: centos-6
      size: n1-standard-1
      location: europe-west1-b
      network: default
      subnetwork: default
      tags: '["one", "two", "three"]'
      metadata: '{"one": "1", "2": "two"}'
      use_persistent_disk: True
      delete_boot_pd: False
      ssh_interface: public_ips
      external_ip: "ephemeral"

image
-----

Image is used to define what Operating System image should be used
to for the instance. Examples are Debian 7 (wheezy) and CentOS 6. Required.

size
----

A 'size', in GCE terms, refers to the instance's 'machine type'. See
the on-line documentation for a complete list of GCE machine types. Required.

location
--------

A 'location', in GCE terms, refers to the instance's 'zone'. GCE
has the notion of both Regions (e.g. us-central1, europe-west1, etc)
and Zones (e.g. us-central1-a, us-central1-b, etc). Required.

network
-------

Use this setting to define the network resource for the instance.
All GCE projects contain a network named 'default' but it's possible
to use this setting to create instances belonging to a different
network resource.

subnetwork
----------

Use this setting to define the subnetwork an instance will be created in.
This requires that the network your instance is created under has a mode of 'custom' or 'auto'.
Additionally, the subnetwork your instance is created under is associated with the location you provide.

.. versionadded:: 2017.7.0

tags
----

GCE supports instance/network tags and this setting allows you to
set custom tags. It should be a list of strings and must be
parse-able by the python ast.literal_eval() function to convert it
to a python list.

metadata
--------

GCE supports instance metadata and this setting allows you to
set custom metadata. It should be a hash of key/value strings and
parse-able by the python ast.literal_eval() function to convert it
to a python dictionary.

use_persistent_disk
-------------------

Use this setting to ensure that when new instances are created,
they will use a persistent disk to preserve data between instance
terminations and re-creations.

delete_boot_pd
--------------

In the event that you wish the boot persistent disk to be permanently
deleted when you destroy an instance, set delete_boot_pd to True.

ssh_interface
-------------

.. versionadded:: 2015.5.0

Specify whether to use public or private IP for deploy script.

Valid options are:

- private_ips: The salt-master is also hosted with GCE
- public_ips: The salt-master is hosted outside of GCE

external_ip
-----------

Per instance setting: Used a named fixed IP address to this host.

Valid options are:

- ephemeral: The host will use a GCE ephemeral IP
- None: No external IP will be configured on this host.

Optionally, pass the name of a GCE address to use a fixed IP address.
If the address does not already exist, it will be created.

ex_disk_type
------------

GCE supports two different disk types, ``pd-standard`` and ``pd-ssd``.
The default disk type setting is ``pd-standard``. To specify using an SSD
disk, set ``pd-ssd`` as the value.

.. versionadded:: 2014.7.0

ip_forwarding
-------------

GCE instances can be enabled to use IP Forwarding. When set to ``True``,
this options allows the instance to send/receive non-matching src/dst
packets. Default is ``False``.

.. versionadded:: 2015.8.1

Profile with scopes
-------------------

Scopes can be specified by setting the optional ``ex_service_accounts``
key in your cloud profile. The following example enables the bigquery scope.

.. code-block:: yaml

  my-gce-profile:
   image: centos-6
    ssh_username: salt
    size: f1-micro
    location: us-central1-a
    network: default
    subnetwork: default
    tags: '["one", "two", "three"]'
    metadata: '{"one": "1", "2": "two",
                "sshKeys": ""}'
    use_persistent_disk: True
    delete_boot_pd: False
    deploy: False
    make_master: False
    provider: gce-config
    ex_service_accounts:
      - scopes:
        - bigquery


Email can also be specified as an (optional) parameter.

.. code-block:: yaml

  my-gce-profile:
  ...snip
    ex_service_accounts:
      - scopes:
        - bigquery
        email: default

There can be multiple entries for scopes since ``ex-service_accounts`` accepts
a list of dictionaries. For more information refer to the libcloud documentation
on `specifying service account scopes`__.

SSH Remote Access
=================

GCE instances do not allow remote access to the root user by default.
Instead, another user must be used to run the deploy script using sudo.
Append something like this to ``/etc/salt/cloud.profiles`` or
``/etc/salt/cloud.profiles.d/*.conf``:

.. code-block:: yaml

  my-gce-profile:
      ...

      # SSH to GCE instances as gceuser
      ssh_username: gceuser

      # Use the local private SSH key file located here
      ssh_keyfile: /etc/cloud/google_compute_engine

If you have not already used this SSH key to login to instances in this
GCE project you will also need to add the public key to your projects
metadata at https://cloud.google.com/console. You could also add it via
the metadata setting too:

.. code-block:: yaml

  my-gce-profile:
      ...

      metadata: '{"one": "1", "2": "two",
                  "sshKeys": "gceuser:ssh-rsa <Your SSH Public Key> gceuser@host"}'


Single instance details
=======================
This action is a thin wrapper around ``--full-query``, which displays details on a
single instance only. In an environment with several machines, this will save a
user from having to sort through all instance data, just to examine a single
instance.

.. code-block:: bash

    salt-cloud -a show_instance myinstance


Destroy, persistent disks, and metadata
=======================================
As noted in the provider configuration, it's possible to force the boot
persistent disk to be deleted when you destroy the instance.  The way that
this has been implemented is to use the instance metadata to record the
cloud profile used when creating the instance.  When ``destroy`` is called,
if the instance contains a ``salt-cloud-profile`` key, it's value is used
to reference the matching profile to determine if ``delete_boot_pd`` is
set to ``True``.

Be aware that any GCE instances created with salt cloud will contain this
custom ``salt-cloud-profile`` metadata entry.


List various resources
======================
It's also possible to list several GCE resources similar to what can be done
with other providers.  The following commands can be used to list GCE zones
(locations), machine types (sizes), and images.

.. code-block:: bash

    salt-cloud --list-locations gce
    salt-cloud --list-sizes gce
    salt-cloud --list-images gce


Persistent Disk
===============
The Compute Engine provider provides functions via salt-cloud to manage your
Persistent Disks. You can create and destroy disks as well as attach and
detach them from running instances.

Create
------
When creating a disk, you can create an empty disk and specify its size (in
GB), or specify either an 'image' or 'snapshot'.

.. code-block:: bash

    salt-cloud -f create_disk gce disk_name=pd location=us-central1-b size=200

Delete
------
Deleting a disk only requires the name of the disk to delete

.. code-block:: bash

    salt-cloud -f delete_disk gce disk_name=old-backup

Attach
------
Attaching a disk to an existing instance is really an 'action' and requires
both an instance name and disk name. It's possible to use this ation to
create bootable persistent disks if necessary. Compute Engine also supports
attaching a persistent disk in READ_ONLY mode to multiple instances at the
same time (but then cannot be attached in READ_WRITE to any instance).

.. code-block:: bash

    salt-cloud -a attach_disk myinstance disk_name=pd mode=READ_WRITE boot=yes

Detach
------
Detaching a disk is also an action against an instance and only requires
the name of the disk. Note that this does *not* safely sync and umount the
disk from the instance. To ensure no data loss, you must first make sure the
disk is unmounted from the instance.

.. code-block:: bash

    salt-cloud -a detach_disk myinstance disk_name=pd

Show disk
---------
It's also possible to look up the details for an existing disk with either
a function or an action.

.. code-block:: bash

    salt-cloud -a show_disk myinstance disk_name=pd
    salt-cloud -f show_disk gce disk_name=pd

Create snapshot
---------------
You can take a snapshot of an existing disk's content. The snapshot can then
in turn be used to create other persistent disks. Note that to prevent data
corruption, it is strongly suggested that you unmount the disk prior to
taking a snapshot. You must name the snapshot and provide the name of the
disk.

.. code-block:: bash

    salt-cloud -f create_snapshot gce name=backup-20140226 disk_name=pd

Delete snapshot
---------------
You can delete a snapshot when it's no longer needed by specifying the name
of the snapshot.

.. code-block:: bash

    salt-cloud -f delete_snapshot gce name=backup-20140226

Show snapshot
-------------
Use this function to look up information about the snapshot.

.. code-block:: bash

    salt-cloud -f show_snapshot gce name=backup-20140226

Networking
==========
Compute Engine supports multiple private networks per project. Instances
within a private network can easily communicate with each other by an
internal DNS service that resolves instance names. Instances within a private
network can also communicate with either directly without needing special
routing or firewall rules even if they span different regions/zones.

Networks also support custom firewall rules. By default, traffic between
instances on the same private network is open to all ports and protocols.
Inbound SSH traffic (port 22) is also allowed but all other inbound traffic
is blocked.

Create network
--------------
New networks require a name and CIDR range if they don't have a 'mode'.
Optionally, 'mode' can be provided. Supported modes are 'auto', 'custom', 'legacy'.
Optionally, 'description' can be provided to add an extra note to your network.
New instances can be created and added to this network by setting the network name during create. It is
not possible to add/remove existing instances to a network.

.. code-block:: bash

    salt-cloud -f create_network gce name=mynet cidr=10.10.10.0/24
    salt-cloud -f create_network gce name=mynet mode=auto description=some optional info.

.. versionchanged:: 2017.7.0

Destroy network
---------------
Destroy a network by specifying the name. If a resource is currently using
the target network an exception will be raised.

.. code-block:: bash

    salt-cloud -f delete_network gce name=mynet

Show network
------------
Specify the network name to view information about the network.

.. code-block:: bash

    salt-cloud -f show_network gce name=mynet

Create subnetwork
-----------------

New subnetworks require a name, region, and CIDR range.
Optionally, 'description' can be provided to add an extra note to your subnetwork.
New instances can be created and added to this subnetwork by setting the subnetwork name during create. It is
not possible to add/remove existing instances to a subnetwork.

.. code-block:: bash

    salt-cloud -f create_subnetwork gce name=mynet network=mynet region=us-central1 cidr=10.0.10.0/24
    salt-cloud -f create_subnetwork gce name=mynet network=mynet region=us-central1 cidr=10.10.10.0/24 description=some info about my subnet.

.. versionadded:: 2017.7.0

Destroy subnetwork
------------------

Destroy a subnetwork by specifying the name and region. If a resource is currently using
the target subnetwork an exception will be raised.

.. code-block:: bash

    salt-cloud -f delete_subnetwork gce name=mynet region=us-central1

.. versionadded:: 2017.7.0

Show subnetwork
---------------

Specify the subnetwork name to view information about the subnetwork.

.. code-block:: bash

    salt-cloud -f show_subnetwork gce name=mynet

.. versionadded:: 2017.7.0

Create address
--------------
Create a new named static IP address in a region.

.. code-block:: bash

    salt-cloud -f create_address gce name=my-fixed-ip region=us-central1

Delete address
--------------
Delete an existing named fixed IP address.

.. code-block:: bash

    salt-cloud -f delete_address gce name=my-fixed-ip region=us-central1

Show address
------------
View details on a named address.

.. code-block:: bash

    salt-cloud -f show_address gce name=my-fixed-ip region=us-central1

Create firewall
---------------
You'll need to create custom firewall rules if you want to allow other traffic
than what is described above. For instance, if you run a web service on
your instances, you'll need to explicitly allow HTTP and/or SSL traffic.
The firewall rule must have a name and it will use the 'default' network
unless otherwise specified with a 'network' attribute. Firewalls also support
instance tags for source/destination

.. code-block:: bash

    salt-cloud -f create_fwrule gce name=web allow=tcp:80,tcp:443,icmp

Delete firewall
---------------
Deleting a firewall rule will prevent any previously allowed traffic for the
named firewall rule.

.. code-block:: bash

    salt-cloud -f delete_fwrule gce name=web

Show firewall
-------------
Use this function to review an existing firewall rule's information.

.. code-block:: bash

    salt-cloud -f show_fwrule gce name=web

Load Balancer
=============
Compute Engine possess a load-balancer feature for splitting traffic across
multiple instances. Please reference the
`documentation <https://developers.google.com/compute/docs/load-balancing/>`_
for a more complete description.

The load-balancer functionality is slightly different than that described
in Google's documentation.  The concept of *TargetPool* and *ForwardingRule*
are consolidated in salt-cloud/libcloud.  HTTP Health Checks are optional.

HTTP Health Check
-----------------
HTTP Health Checks can be used as a means to toggle load-balancing across
instance members, or to detect if an HTTP site is functioning.  A common
use-case is to set up a health check URL and if you want to toggle traffic
on/off to an instance, you can temporarily have it return a non-200 response.
A non-200 response to the load-balancer's health check will keep the LB from
sending any new traffic to the "down" instance.  Once the instance's
health check URL beings returning 200-responses, the LB will again start to
send traffic to it. Review Compute Engine's documentation for allowable
parameters.  You can use the following salt-cloud functions to manage your
HTTP health checks.

.. code-block:: bash

    salt-cloud -f create_hc gce name=myhc path=/ port=80
    salt-cloud -f delete_hc gce name=myhc
    salt-cloud -f show_hc gce name=myhc


Load-balancer
-------------
When creating a new load-balancer, it requires a name, region, port range,
and list of members. There are other optional parameters for protocol,
and list of health checks. Deleting or showing details about the LB only
requires the name.

.. code-block:: bash

    salt-cloud -f create_lb gce name=lb region=... ports=80 members=w1,w2,w3
    salt-cloud -f delete_lb gce name=lb
    salt-cloud -f show_lb gce name=lb

You can also create a load balancer using a named fixed IP addressby specifying the name of the address.
If the address does not exist yet it will be created.

.. code-block:: bash

    salt-cloud -f create_lb gce name=my-lb region=us-central1 ports=234 members=s1,s2,s3 address=my-lb-ip

Attach and Detach LB
--------------------
It is possible to attach or detach an instance from an existing load-balancer.
Both the instance and load-balancer must exist before using these functions.

.. code-block:: bash

    salt-cloud -f attach_lb gce name=lb member=w4
    salt-cloud -f detach_lb gce name=lb member=oops

__ https://libcloud.readthedocs.io/en/latest/compute/drivers/gce.html#specifying-service-account-scopes