Cloudpipe is a method for connecting end users to their project instances in VLAN networking mode.
The support code for cloudpipe implements admin commands (via an extension) to automatically create a VM for a project that allows users to VPN into the private network of their project. Access to this VPN is provided through a public port on the network host for the project. This allows users to have free access to the virtual machines in their project without exposing those machines to the public internet.
The cloudpipe image is basically just a Linux instance with openvpn installed. It needs a simple script to grab user data from the metadata server, b64 decode it into a zip file, and run the autorun.sh script from inside the zip. The autorun script will configure and run openvpn to run using the data from nova.
It is also useful to have a cron script that will periodically redownload the metadata and copy the new Certificate Revocation List (CRL). This list is contained within the payload file and will keeps revoked users from connecting and will disconnect any users that are connected with revoked certificates when their connection is renegotiated (every hour). (More infos about revocation can be found in the following section : "Certificates and Revocation").
In this how-to, we are going to create our cloud-pipe image from a running Ubuntu instance which will serve as a template. When all the components will be installed and configured, we will create an image from that instance that will be uploaded to the Glance repositories.