OpenNebula Sunstone: The Cloud Operations Center 2.2


OpenNebula Sunstone is the new OpenNebula Cloud Operations Center, a GUI intended for users and admins, that will simplify the typical management operations in private and hybrid cloud infrastructures. You will be able to manage our virtual and physical resources in a similar way as we do with the CLI.

Requirements & Installation

:!: OpenNebula Sunstone supports Firefox (> 3.5) and Chrome browsers. Internet Explorer, Opera and others are not supported and may not work well.

You must have an OpenNebula site properly configured and running to install OpenNebula Sunstone, be sure to check the OpenNebula Installation and Configuration Guides to set up your private cloud first. This guide also assumes that you are familiar with the configuration and use of OpenNebula.

OpenNebula Sunstone is installed during the OpenNebula installation, so you just need to install the following packages to meet the runtime dependencies:

  • The JSON parser library:

$ sudo gem install json

  • The Sinatra web framework and the thin web server:

$ sudo gem install sinatra
$ sudo gem install thin

:!: For Ubuntu 10.4, the following versions are needed:

$ sudo gem install rack —version 1.0.1 
$ sudo gem install sinatra —version 1.0 
$ sudo gem install thin --version 1.2.11

Starting the Cloud Operations Center

To start the OpenNebula Operations Center just issue the following command as oneadmin

$ $ONE_LOCATION/bin/sunstone-server start

By default the server will be listening at localhost:4567. If you want to change this settings you can use the following options when starting the server:

-H Host for the Sunstone server
-p Port for incoming connections

:!: In order to access Sunstone from other place than localhost you need to specify the server's public IP with the -H option. Otherwise it will not be reachable from the outside.

You can find the Sunstone server log file in $ONE_LOCATION/var/sunstone.log if OpenNebula has been installed in standalone, or in /var/log/one/sunstone.log if installed in system-wide.

To stop the OpenNebula Operations Center service:

$ $ONE_LOCATION/bin/sunstone-server stop


If you want to interact with the OpenNebula Operations Center you have to open a new browser and go to the url where your Sunstone server is deployed. You will find the login screen where the username and password correspond to the OpenNebula credentials.

You can create new users using the command oneuser create from the CLI or you can log in the Cloud Operations Center as oneadmin and create them from the GUI.

You can check the available actions for each resource in the following guides:

Advanced Configuration

Deploying Sunstone in a different machine

By default the Sunstone server is configured to run in the frontend, but you are able to install the Sunstone server in a machine different from the frontend.

  • Use the -s option when installing from the source in the machine that will be running the server.

$ ./ -s

  • Define the following environment variables:

ONE_AUTH Needs to point to a file containing just a single line stating the oneadmin's credentials, “username:password”. If ONE_AUTH is not defined, $HOME/.one/one_auth will be used instead. If no auth file is present, OpenNebula Sunstone cannot work properly, as this is needed by the server to authenticate users.
ONE_LOCATION If OpenNebula was installed in self-contained mode, this variable must be set to <destination_folder>. Otherwise, in system wide mode, this variable must be unset. More info on installation modes can be found here
ONE_XMLRPC The endpoint where the OpenNebula core is waiting for the XMLRPC requests

Using this setup the VirtualMachine logs will not be available. If you need to retrieve this information you must deploy the server in the frontend

Configuring a SSL Proxy

OpenNebula Sunstone runs natively just on normal HTTP connections. If the extra security provided by SSL is needed, a proxy can be set up to handle the SSL connection that forwards the petition to the Sunstone server and takes back the answer to the client.

This set up needs:

  • A server certificate for the SSL connections
  • An HTTP proxy that understands SSL
  • OpenNebula Sunstone configuration to accept petitions from the proxy

If you want to try out the SSL setup easily, you can find in the following lines an example to set a self-signed certificate to be used by a lighttpd configured to act as an HTTP proxy to a correctly configured OpenNebula Sunstone.

Let's assume the server were the lighttpd proxy is going to be started is called Therefore, the steps are:

1. Snakeoil Server Certificate

We are going to generate a snakeoil certificate. If using an Ubuntu system follow the next steps (otherwise your milleage may vary, but not a lot):

  • Install the ssl-cert package

$ sudo apt-get install ssl-cert

  • Generate the certificate

$ sudo /usr/sbin/make-ssl-cert generate-default-snakeoil

  • As we are using lighttpd, we need to append the private key with the certificate to obtain a server certificate valid to lighttpd

$ sudo cat /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/certs/ssl-cert-snakeoil.pem > /etc/lighttpd/server.pem

2. lighttpd as a SSL HTTP Proxy

You will need to edit the /etc/lighttpd/lighttpd.conf configuration file and

  • Add the following modules (if not present already)
    • mod_access
    • mod_alias
    • mod_proxy
    • mod_accesslog
    • mod_compress
  • Change the server port to 443 if you are going to run lighttpd as root, or any number above 1024 otherwise:
server.port               = 8443
  • Add the proxy module section:
#### proxy module
## read proxy.txt for more info
proxy.server               = ( "" =>
                                ("" =>
                                   "host" => "",
                                   "port" => 4567

#### SSL engine
ssl.engine                 = "enable"
ssl.pemfile                = "/etc/lighttpd/server.pem"

The host must be the server hostname of the computer running the Sunstone server, and the port the one that the Sunstone Server is running on.

3. OpenNebula Sunstone Configuration

Start the Sunstone server using the default values, this way the server will be listening at localhost:4567

Once the lighttpd server is started, OpenNebula Sunstone requests using HTTPS URIs can be directed to, that will then be unencrypted, passed to localhost, port 4567, satisfied (hopefully), encrypted again and then passed back to the client.