Locations
Locations are the environments to which Brooklyn deploys applications, including:
Brooklyn supports a wide range of locations:
- Clouds, where it will provision machines
- Localhost (e.g. your laptop),
where it will deploy via
ssh
tolocalhost
for rapid testing - BYON, where you “bring your own nodes”, specifying already-existing hosts to use
- And many others, including object stores and online services
Configuration can be set in ~/.brooklyn/brooklyn.properties
or directly in YAML when specifying a location.
On some entities, config keys determining maching selection and provisioning behavior
can also be set in
provisioning.properties`.
Clouds
For most cloud provisioning tasks, Brooklyn uses Apache jclouds. The identifiers for some of the most commonly used jclouds-supported clouds are (or see the full list):
jclouds:aws-ec2:<region>
: Amazon EC2, where:<region>
might beus-east-1
oreu-west-1
(or omitted)jclouds:softlayer:<region>
: IBM Softlayer, where:<region>
might bedal05
orams01
(or omitted)jclouds:google-compute-engine
: Google Compute Enginejclouds:openstack-nova:<endpoint>
: OpenStack, where:<endpoint>
is the access URL (required)jclouds:cloudstack:<endpoint>
: Apache CloudStack, where:<endpoint>
is the access URL (required)
For any of these, of course, Brooklyn needs to be configured with an identity
and a credential
:
location:
jclouds:aws-ec2:
identity: ABCDEFGHIJKLMNOPQRST
credential: s3cr3tsq1rr3ls3cr3tsq1rr3ls3cr3tsq1rr3l
The above YAML can be embedded directly in blueprints, either at the root or on individual services.
If you prefer to keep the credentials separate, these can be set instead in brooklyn.properties
in the jclouds.<provider>
namespace:
brooklyn.location.jclouds.aws-ec2.identity=ABCDEFGHIJKLMNOPQRST
brooklyn.location.jclouds.aws-ec2.credential=s3cr3tsq1rr3ls3cr3tsq1rr3ls3cr3tsq1rr3l
And in this case you can reference the location in YAML with location: jclouds:aws-ec2
.
The Getting Started template brooklyn.properties contains more examples of configuring cloud endpoints, including information on credential types used in different clouds.
OS Initial Login and Setup
Once a machine is provisioned, Brooklyn will normally attempt to log in via SSH and configure the machine sensibly.
The credentials for the initial OS log on are typically discovered from the cloud,
but in some environments this is not possible.
The keys loginUser
and either loginUser.password
or loginUser.privateKeyFile
can be used to force
Brooklyn to use specific credentials for the initial login to a cloud-provisioned machine.
(This custom login is particularly useful when using a custom image templates where the cloud-side account
management logic is not enabled. For example, a vCD template can have guest customization that will change
the root password. This setting tells AMP to only use the given password, rather than the initial
randomly generated password that vCD returns. Without this property, there is a race for such templates:
does Brooklyn manage to create the admin user before the guest customization changes the login and reboots,
or is the password reset first (the latter means Brooklyn can never ssh to the VM). With this property,
Brooklyn will always wait for guest customization to complete before it is able to ssh at all. In such
cases, it is also recommended to use useJcloudsSshInit=false
.)
Following a successful logon, Brooklyn performs the following steps to configure the machine:
-
creates a new user with the same name as the user
brooklyn
is running as locally (this can be overridden withuser
, below). -
install the local user’s
~/.ssh/id_rsa.pub
as anauthorized_keys
on the new machine, to make it easy for the operator tossh
in (override withprivateKeyFile
; or if there is noid_{r,d}sa{,.pub}
an ad hoc keypair will be generated; if there is a passphrase on the key, this must be supplied) -
give
sudo
access to the newly created user (override withgrantUserSudo: false
) -
disable direct
root
login to the machine
These steps can be skipped or customized as described below.
jclouds Config Keys
The following is a subset of the most commonly used configuration keys used to customize
cloud provisioning.
For more keys and more detail on the keys below, see
JcloudsLocationConfig
(javadoc,
src)
.
VM Creation
-
Most providers require exactly one of either
region
(e.g.us-east-1
) orendpoint
(the URL, usually for private cloud deployments) -
Hardware requirements can be specified, including
minRam
,minCores
, andos64Bit
; or as a specifichardwareId
-
VM image constraints can be set using
osFamily
(e.g.Ubuntu
,CentOS
,Debian
,RHEL
) andosVersionRegex
, or specific VM images can be specified usingimageId
orimageNameRegex
-
Specific VM images can be specified using
imageId
orimageNameRegex
-
Specific Security Groups can be specified using
securityGroups
, as a list of strings (the existing security group names), orinboundPorts
can be set, as a list of numeric ports (selected clouds only) -
A specific existing key pair known at the cloud to use can be specified with
keyPair
(selected clouds only) -
A specific VM name (often the hostname) base to be used can be specified by setting
groupId
. By default, this name is constructed based on the entity which is creating it, including the ID of the app and of the entity. (As many cloud portals let you filter views, this can help find a specific entity or all machines for a given application.) For more sophisticated control over host naming, you can supply a customCloudMachineNamer
(javadoc, src) , for examplecloudMachineNamer: CustomMachineNamer
.CustomMachineNamer
(javadoc, src)will use the entity’s name or following a template you supply. On many clouds, a random suffix will be appended to help guarantee uniqueness; this can be removed by setting
vmNameSaltLength: 0
(selected clouds only). -
A DNS domain name where this host should be placed can be specified with
domainName
(in selected clouds only) -
User metadata can be attached using the syntax
userMetadata: { key: value, key2: "value 2" }
(oruserMetadata=key=value,key2="value 2"
in a properties file) -
By default, several pieces of user metadata are set to correlate VMs with Brooklyn entities, prefixed with
brooklyn-
. This user metadata can be omitted by settingincludeBrooklynUserMetadata: false
. -
You can specify the number of attempts Brooklyn should make to create machines with
machineCreateAttempts
(jclouds only). This is useful as an efficient low-level fix for those occasions when cloud providers give machines that are dead on arrival. You can of course also resolve it at a higher level with a policy such asServiceRestarter
(javadoc, src) . -
If you want to investigate failures, set
destroyOnFailure: false
to keep failed VM’s around. (You’ll have to manually clean them up.) The default is false: if a VM fails to start, or is never ssh’able, then the VM will be terminated.
OS Setup
-
user
andpassword
can be used to configure the operating user created on cloud-provisioned machines -
The
loginUser
config key (and subkeys) control the initial user to log in as, in cases where this cannot be discovered from the cloud provider -
Private keys can be specified using
privateKeyFile
; these are not copied to provisioned machines, but are required if using a local public key or a pre-definedauthorized_keys
on the server. (For more information on SSH keys, see here.) -
If there is a passphrase on the key file being used, you must supply it to Brooklyn for it to work, of course!
privateKeyPassphrase
does the trick (as inbrooklyn.location.jclouds.privateKeyPassphrase
, or other places whereprivateKeyFile
is valid). If you don’t like keys, you can just use a plain oldpassword
. -
Public keys can be specified using
publicKeyFile
, although these can usually be omitted if they follow the common pattern of being the private key file with the suffix.pub
appended. (It is useful in the case ofloginUser.publicKeyFile
, where you shouldn’t need, or might not even have, the private key of theroot
user when you log in.) -
Use
dontCreateUser
to have Brooklyn run as the initialloginUser
(usuallyroot
), without creating any other user. -
A post-provisioning
setup.script
can be specified (as a URL) to run an additional script, before making theLocation
available to entities, optionally also usingsetup.script.vars
(set askey1:value1,key2:value2
) -
Use
openIptables: true
to automatically configureiptables
, to open the TCP ports required by the software process. One can alternatively usestopIptables: true
to entirely stop the iptables service. -
Use
installDevUrandom: true
to fall back to using/dev/urandom
rather than/dev/random
. This setting is useful for cloud VMs where there is not enough random entropy, which can cause/dev/random
to be extremely slow (causingssh
to be extremely slow to respond). -
Use
useJcloudsSshInit: false
to disable the use of the native jclouds support for initial commands executed on the VM (e.g. for creating new users, setting root passwords, etc.). Instead, Brooklyn’s ssh support will be used. Timeouts and retries are more configurable within Brooklyn itself. Therefore this option is particularly recommended when the VM startup is unusual (for example, if guest customizations will cause reboots and/or will change login credentials). -
Use
brooklyn.ssh.config.noDeleteAfterExec: true
to keep scripts on the server after execution. The contents of the scripts and the stdout/stderr of their execution are available in the Brooklyn web console, but sometimes it can also be useful to have them on the box. This setting prevents scripts executed on the VMs from being deleted on completion. Note that some scripts run periodically so this can eventually fill a disk; it should only be used for dev/test.
Custom template options
jclouds supports many additional options for configuring how a virtual machine is created and deployed, many of which are for cloud-specific features and enhancements. Brooklyn supports some of these, but if what you are looking for is not supported directly by Brooklyn, we instead offer a mechanism to set any parameter that is supported by the jclouds template options for your cloud.
Part of the process for creating a virtual machine is the creation of a jclouds TemplateOptions
object. jclouds
providers extends this with extra options for each cloud - so when using the AWS provider, the object will be of
type AWSEC2TemplateOptions
. By examining the source code,
you can see all of the options available to you.
The templateOptions
config key takes a map. The keys to the map are method names, and Brooklyn will find the method on
the TemplateOptions
instance; it then invokes the method with arguments taken from the map value. If a method takes a
single parameter, then simply give the argument as the value of the key; if the method takes multiple parameters, the
value of the key should be an array, containing the argument for each parameter.
For example, here is a complete blueprint that sets some AWS EC2 specific options:
location: AWS_eu-west-1
services:
- type: org.apache.brooklyn.entity.software.base.EmptySoftwareProcess
provisioningProperties:
templateOptions:
subnetId: subnet-041c8373
mapNewVolumeToDeviceName: ["/dev/sda1", 100, true]
securityGroupIds: ['sg-4db68928']
Here you can see that we set three template options:
subnetId
is an example of a single parameter method. Brooklyn will effectively try to run the statementtemplateOptions.subnetId("subnet-041c88373");
mapNewVolumeToDeviceName
is an example of a multiple parameter method, so the value of the key is an array. Brooklyn will effectively true to run the statementtemplateOptions.mapNewVolumeToDeviceName("/dev/sda1", 100, true);
securityGroupIds
demonstrates an ambiguity between the two types; Brooklyn will first try to parse the value as a multiple parameter method, but there is no method that matches this parameter. In this case, Brooklyn will next try to parse the value as a single parameter method which takes a parameter of typeList
; such a method does exist so the operation will succeed.
If the method call cannot be matched to the template options available - for example if you are trying to set an AWS EC2 specific option but your location is an OpenStack cloud - then a warning is logged and the option is ignored.
AWS VPC issues which may affect users with older AWS accounts
AWS now has different default behaviour depending on the age of your AWS account and whether you used the target region before, or during, 2013. In this case VM provisioning may fail with an error like:
Detected that your EC2 account is a legacy 'classic' account, but the recommended instance type requires VPC.
You can specify the 'eu-central-1' region to avoid this problem, or you can specify a classic-compatible instance type,
or you can specify a subnet to use with 'networkName'
taking care that the subnet auto-assigns public IP's and allows ingress on all ports,
as Brooklyn does not currently configure security groups for non-default VPC's;
or setting up Brooklyn to be in the subnet or have a jump host or other subnet access configuration).
For more information on VPC vs classic see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html.
Specifically, there are issues with the certain AMIs and instance types. If these are specified or a recommended by brooklyn then you may see the above error. There are a few options for fixing this:
-
specify a different region which does not support EC2-classic.
You can check this on the AWS console under “Supported Platforms. Frankfurt (eu-central-1) is guaranteed to be VPC only. -
specify an instance type that is compatible with ec2-classic.
Instance types C4, M4, T2 are only supported in VPC so should not be used. This is described here -
create a subnet to use with the instance. Ensure that the subnet is set to auto-assign public IPs and allows ingress on all ports. Brooklyn cannot currently do this for you. Use the networkName parameter to specify this value in your blueprint.
See the following resources for more information:
Inheritance and Named Locations
Named locations can be defined for commonly used groups of properties,
with the syntax brooklyn.location.named.your-group-name.
followed by the relevant properties.
These can be accessed at runtime using the syntax named:your-group-name
as the deployment location.
Some illustrative examples using named locations and showing the syntax and properties above are as follows:
# Production pool of machines for my application (deploy to named:prod1)
brooklyn.location.named.prod1=byon:(hosts="10.9.1.1,10.9.1.2,produser2@10.9.2.{10,11,20-29}")
brooklyn.location.named.prod1.user=produser1
brooklyn.location.named.prod1.privateKeyFile=~/.ssh/produser_id_rsa
brooklyn.location.named.prod1.privateKeyPassphrase=s3cr3tCOMPANYpassphrase
# AWS using my company's credentials and image standard, then labelling images so others know they're mine
brooklyn.location.named.company-jungle=jclouds:aws-ec2:us-west-1
brooklyn.location.named.company-jungle.identity=BCDEFGHIJKLMNOPQRSTU
brooklyn.location.named.company-jungle.privateKeyFile=~/.ssh/public_clouds/company_aws_id_rsa
brooklyn.location.named.company-jungle.imageId=ami-12345
brooklyn.location.named.company-jungle.minRam=2048
brooklyn.location.named.company-jungle.userMetadata=application=my-jungle-app,owner="Bob Johnson"
brooklyn.location.named.company-jungle.machineCreateAttempts=2
brooklyn.location.named.AWS\ Virginia\ Large\ Centos = jclouds:aws-ec2
brooklyn.location.named.AWS\ Virginia\ Large\ Centos.region = us-east-1
brooklyn.location.named.AWS\ Virginia\ Large\ Centos.imageId=us-east-1/ami-7d7bfc14
brooklyn.location.named.AWS\ Virginia\ Large\ Centos.user=root
brooklyn.location.named.AWS\ Virginia\ Large\ Centos.minRam=4096
The precedence for configuration defined at different levels is that the most value defined in the most specific context will apply.
For example, in the example below the config key is repeatedly overridden. If you deploy
location: named:my-aws
, Brooklyn will get VAL5
or KEY
:
brooklyn.location.KEY=VAL1
brooklyn.location.jclouds.KEY=VAL2
brooklyn.location.jclouds.aws-ec2.KEY=VAL3
brooklyn.location.jclouds.aws-ec2@us-west-1.KEY=VAL4
brooklyn.location.named.my-aws=jclouds:aws-ec2:us-west-1
brooklyn.location.named.my-aws.KEY=VAL5
Localhost
If passwordless ssh login to localhost
and passwordless sudo
is enabled on your
machine, you should be able to deploy blueprints with no special configuration,
just by specifying location: localhost
in YAML.
If you use a passpharse or prefer a different key, these can be configured as follows:
brooklyn.location.localhost.privateKeyFile=~/.ssh/brooklyn_key
brooklyn.location.localhost.privateKeyPassphrase=s3cr3tPASSPHRASE
If you encounter issues or for more information, see SSH Keys Localhost Setup.
BYON
“Bring-your-own-nodes” mode is useful in production, where machines have been provisioned by someone else, and during testing, to cut down provisioning time.
Your nodes must meet the following prerequisites:
- A suitable OS must have been installed on all nodes
- The node must be running sshd (or similar)
- the brooklyn user must be able to ssh to each node as root or as a user with passwordless sudo permission. (For more information on SSH keys, see here.)
To deploy to machines with known IP’s in a blueprint, use the following syntax:
location:
byon:
user: brooklyn
privateKeyFile: ~/.ssh/brooklyn.pem
hosts:
- 192.168.0.18
- 192.168.0.19
Some of the login properties as described above for jclouds are supported,
but not loginUser
(as no users are created), and not any of the
VM creation parameters such as minRam
and imageId
.
(These clearly do not apply in the same way, and they are not
by default treated as constraints, although an entity can confirm these
where needed.)
As before, if the brooklyn user and its default key are authorized for the hosts,
those fields can be omitted.
Named locations can also be configured in your brooklyn.properties
,
using the format byon:(key=value,key2=value2)
.
For convenience, for hosts wildcard globs are supported.
brooklyn.location.named.On-Prem\ Iron\ Example=byon:(hosts="10.9.1.1,10.9.1.2,produser2@10.9.2.{10,11,20-29}")
brooklyn.location.named.On-Prem\ Iron\ Example.user=produser1
brooklyn.location.named.On-Prem\ Iron\ Example.privateKeyFile=~/.ssh/produser_id_rsa
brooklyn.location.named.On-Prem\ Iron\ Example.privateKeyPassphrase=s3cr3tpassphrase
For more complex host configuration, one can define custom config values per machine. In the example
below, there will be two machines. The first will be a machine reachable on
ssh -i ~/.ssh/brooklyn.pem -p 8022 myuser@50.51.52.53
. The second is a windows machine, reachable
over WinRM. Each machine has also has a private address (e.g. for within a private network).
location:
byon:
hosts:
- ssh: 50.51.52.53:8022
privateAddresses: [10.0.0.1]
privateKeyFile: ~/.ssh/brooklyn.pem
user: myuser
- winrm: 50.51.52.54:8985
privateAddresses: [10.0.0.2]
password: mypassword
user: myuser
osFamily: windows
The BYON location also supports a machine chooser, using the config key byon.machineChooser
.
This allows one to plugin logic to choose from the set of available machines in the pool. For
example, additional config could be supplied for each machine. This could be used (during the call
to location.obtain()
) to find the config that matches the requirements of the entity being
provisioned. See FixedListMachineProvisioningLocation.MACHINE_CHOOSER
.