Managing your cloud resources with OpenStack: Difference between revisions

From Alliance Doc
(East->Beluga cloud)
 
(246 intermediate revisions by 12 users not shown)
Line 1: Line 1:
''Parent page: [[CC-Cloud]]''
<languages />
<translate>
<!--T:1-->
<i>Parent page: [[Cloud]]</i>


OpenStack is the software suite used on the Compute Canada Cloud to control hardware resources such as computers, storage and networking. It allows the creation and management of virtual machines ("VMs", or "instances"), which act like separate individual machines, by emulation in software. This allows users complete control over their computing environment, from choosing an operating system to software installation and configuration. Diverse use cases are supported, from hosting websites to creating virtual clusters. More documentation on OpenStack can be found at the [http://docs.openstack.org/ OpenStack web site].
<!--T:2-->
OpenStack is the software suite used on our clouds to control hardware resources such as computers, storage and networking. It allows the creation and management of virtual machines ("VMs" or "instances"), which act like separate individual machines, by emulation in software. This allows complete control over the computing environment, from choosing an operating system to software installation and configuration. Diverse use cases are supported, from hosting websites to creating virtual clusters. More documentation on OpenStack can be found at the [http://docs.openstack.org/ OpenStack website].


This page describes how to perform common tasks encountered while working with OpenStack. It is assumed that you have already read [[Cloud Quick Start]] and understand the basic operations of launching and connecting to a VM. Most tasks can be performed using the dashboard, as described there and below. But some require use of the command line tools, for example [[#Creating an Image From a Volume|creating an image]]. See [[OpenStack Command Line Clients]] for more information.
<!--T:63-->
=Security Groups=
This page describes how to perform common tasks encountered while working with OpenStack. It is assumed that you have already read [[Cloud Quick Start]] and understand the basic operations of launching and connecting to a VM. Most tasks can be performed using either the dashboard (as described below), the [[OpenStack command line clients]], or a tool called [[Terraform]]; however, some tasks require using command line tools, for example [[Working_with_images#Sharing_an_image_with_another_project|sharing an image with another project]].


=Working with Volumes=
=Working with the dashboard= <!--T:91-->
A '''volume''' provides storage which is not destroyed when a VM is terminated. On the Compute Canada cloud resources, volumes use [https://en.wikipedia.org/wiki/Ceph_(software) Ceph] storage with a 3-fold replication factor to provide safety against hardware failure. More documentation about OpenStack volumes can be found [http://docs.openstack.org/user-guide/common/cli_manage_volumes.html here].
The web browser user interface used to manage your cloud resources, as described in most of our documentation, is referred to as the "dashboard". The dashboard is developed under an OpenStack sub-project referred to as Horizon. Horizon and dashboard might be used interchangeably.  The dashboard is well documented [https://docs.openstack.org/horizon/latest/ here].  This documentation lists all of the options available on the dashboard, what they do, and how to navigate the system.


==Creating a Volume==
=Projects= <!--T:64-->
[[File:OpenStack-Dashboard-Compute-Volumes.png|800px|thumb| OpenStack Dashboard, Volumes page (Click for larger image)]]
OpenStack projects group VMs together and provide a quota out of which VMs and related resources can be created. A project is unique to a particular cloud. All accounts which are members of a project have the same level of permissions, meaning anyone can create or delete a VM within a project if they are a member. You can view the projects you are a member of by logging into an OpenStack dashboard for the clouds you have access to (see [[Cloud#Cloud_systems|Cloud systems]] for a list of cloud URLs). The active <b>project name</b> will be displayed in the top left of the dashboard, to the right of the cloud logo. If you are a member of more than one project, you can switch between active projects by clicking on the drop-down menu and selecting the project's name.


[[File:Create-Volume-Form.png|400px|thumb| Create Volume dialog (Click for larger image)]]
<!--T:74-->
Depending on your allocation, your project may be limited to certain types of VM [[Virtual_machine_flavors|flavors]]. For example, compute allocations will generally only allow "c" flavors, while persistent allocations will generally only allow "p" flavors.


To create a volume click [[File:Create-Volume-Button.png]] and fill in the following fields:
<!--T:75-->
Projects can be thought of as owned by primary investigators (PIs) and new projects and quota adjustments can only be requested by PIs. In addition, request for access to an existing project must be confirmed by the PI owning the project.


*Volume Name: <code>data</code>, for example<br/>
=Working with volumes= <!--T:8-->
*Description:<br/>Optional text
Please see [[Working_with_volumes|this page]] for more information about creating and managing storage volumes.
*Volume Source: <code>No source, empty volume</code><br/>
*Type: <code>No volume type</code><br/>
*Size (GB): <code>40</code>, or some suitable size<br/>
*Availability Zone: <code>Any Availability Zone</code><br/>


Finally click the blue "Create Volume" button.
=Working with images= <!--T:42-->
Please see [[Working_with_images|this page]] for more information about creating and managing disk image files.


==Accessing a Volume from a VM==
= Working with VMs= <!--T:69-->
To access the volume you must first '''attach''' it to a running VM. This is analogous to inserting a USB key or plugging an external drive into your personal computer. You can attach a volume from the Compute->Volumes page.
Please see [[Working_with_VMs|this page]] for more information about managing certain characteristics of your VMs in the dashboard.
* At the right-hand end of the line describing the volume will be a drop-down menu. Select "Manage Attachments" or "Edit Attachments".
* In the "Attach To Instance" drop-down box select a VM,
* Click the blue "Attach Volume" button.
The process should complete in a few seconds. Then the Compute->Volumes page will show the newly created volume is attached to your selected VM on <code>/dev/vdb</code> or some similar location.


==Formatting and Mounting an Empty Volume==
=Availability zones= <!--T:72-->
On most Linux distributions the following steps can be used to partition, format, and mount the newly created volume. NOTE: If this is not a newly created volume the partition and format steps should be skipped as they will result in loss of data on that volume, and only the steps to mount the volume should be followed.
Availability zones allow you to indicate what group of physical hardware you would like your VM to run on. On Beluga and Graham clouds, there is only one availability zone, <i>nova</i>, so there isn't any choice in the matter. However, on Arbutus there are three availability zones: <i>Compute</i>, <i>Persistent_01</i>, and <i>Persistent_02</i>. The <i>Compute</i> and <i>Persistent</i> zones only run compute or persistent flavors respectively (see [[Virtual machine flavors]]). Using two persistent zones can present an advantage; for example, two instances of a website can run in two different zones to ensure its continuous availability in the case where one of the sites goes down.


<ol>
=Security groups= <!--T:3-->
<li>Create a partition on the volume with
A security group is a set of rules to control network traffic into and out of your virtual machines. To manage security groups, go to <i>Project->Network->Security Groups</i>. You will see a list of currently defined security groups. If you have not previously defined any security groups, there will be a single default security group.  
{{Command|sudo fdisk /dev/vdb}}
<code>fdisk</code> will prompt you to enter a command. Use this sequence of single-character commands to create a new partition on your volume.</li>


n => new partition
<!--T:4-->
p => primary, only one partition on disk
To add or remove rules from a security group, click <i>Manage Rules</i> beside that group. When the group description is displayed, you can add or remove rules by clicking the <i>+Add Rule</i> and <i>Delete Rule</i> buttons.
1 => partition number 1
<return> => first sector (use default)
<return> => last sector (use default)
w => write partition table to disk and exit


<li>Format the newly created partition with
== Default security group == <!--T:5-->
{{Command|sudo mkfs -t ext4 /dev/vdb1}}
[[File:Default_security_group_EN.png|400px|thumb| Default Security Group Rules (Click for larger image)]]
<li>Create a place to mount the device with
The <b>default security group</b> contains rules which allow a VM access out to the internet, for example to download operating system upgrades or package installations, but does not allow another machine to access it, except for other VMs belonging to the same default security group. We recommend you do not remove rules from the default security group as this may cause problems when creating new VMs. The image on the right shows the default security group rules that should be present:
{{Command|sudo mkdir /media/data}}
* 2 Egress rules to allow your instance to access an outside network without any limitation; there is one rule for IPV4 and one for IPV6.
<li>Finally, mount the volume with
* 2 Ingress rules to allow communication for all the VMs that belong to that security group, for both IPV4 and IPV6.
{{Command|sudo mount /dev/vdb1 /media/data}}
It is safe to add rules to the default security group and you may recall that we did this in [[Cloud Quick Start]] by either adding security rules for [[Cloud_Quick_Start#Network_settings|SSH]] or [[Cloud_Quick_Start#FCreating_your_first_virtual_machine|RDP (see <i>Firewall, add rules to allow RDP</i> under the Windows tab)]] to your default security group so that you could connect to your VM.
</ol>


If the VM is rebooted for some reason the volume will need to be remounted. To cause the VM to mount the volume automatically at boot time, edit <code>/etc/fstab</code> and add a line like
== Managing security groups == <!--T:6-->
You can define multiple security groups and a VM can belong to more than one security group. When deciding on how to manage your security groups and rules, think carefully about what needs to be accessed and who needs to access it. Strive to minimize the IP addresses and ports in your Ingress rules. For example, if you will always be connecting to your VM via SSH from the same computer with a static IP, it makes sense to allow SSH access only from that IP. To specify the allowed IP or IP range, use the [[OpenStack#Using_CIDR_rules|CIDR]] box (use this web-based tool for converting [http://www.ipaddressguide.com/cidr IP ranges to CIDR] rules). Further, if you only need to connect to one VM via SSH from the outside and then can use that as a gateway to any other cloud VMs, it makes sense to put the SSH rule in a separate security group and add that group only to the gateway VM. However, you will also need to ensure your SSH keys are configured correctly to allow you to use SSH between VMs (see [[SSH Keys]]). In addition to CIDR, security rules can be limited within a project using security groups. For example, you can configure a security rule for a VM in your project running a MySQL Database to be accessible from other VMs in the default security group.


/dev/vdb1 /media/data ext4 defaults 0 2
<!--T:7-->
The security groups a VM belongs to can be chosen when it is created on the <i>Launch Instance</i> with the <i>Security Groups</i> option, or after the VM has been launched by selecting <i>Edit Security Groups</i> from the drop-down menu of actions for the VM on the <i>Project->Compute->Instances</i> page.


If you are not rebooting, you can mount the device just added to <code>/etc/fstab</code> with
==Using CIDR rules== <!--T:67-->
{{Command|sudo mount -a}}
CIDR stands for Classless Inter-Domain Routing and is a standardized way of defining IP ranges (see also this Wikipedia page on [https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR]).


==Booting From a Volume==
<!--T:68-->
If running a persistent machine, booting from a volume is a safer option. When creating a VM booting from an image, rather than a volume, it will store the VM on the local disk of the actual machine running the VM. If something went wrong with that machine or its disk, there is a good chance your VM would be lost. Volume storage has a built in redundancy which will protect your volumes from hardware failure.
An example of a CIDR rule is <code>192.168.1.1/24</code>. This looks just like a normal IP address with a <code>/24</code> appended to it. IP addresses are made up of 4, 1-byte (8 bits) numbers ranging from 0 to 255. What this <code>/24</code> means is that this CIDR rule will match the first left most 24 bits (3 bytes) of an IP address. In this case, any IP address starting with <code>192.168.1</code> will match this CIDR rule. If <code>/32</code> is appended, the full 32 bits of the IP address must match exactly; if <code>/0</code> is appended, no bits must match and therefore any IP address will match it.


There are several ways to boot a VM from a volume, you can either create a volume (or use a pre-existing one) and then select to boot from it, or you can create a volume as part of the process of launching a VM.
=Working with cloudInit= <!--T:89-->


If creating a volume first, proceed in the same way as described above, except that you choose a volume source. You can either use an image or another volume as the source for your new volume. When launching a VM from a pre-existing volume OpenStack does not load an operating system onto the volume. This is what you would want if you were booting from a volume which you have already been working with previously, containing a working and configured operating system. However, if you create an empty volume as done above, there will be no operating system loaded to boot from so you will not be able to use your VM.
<!--T:90-->
<b>The first time your instance is launched</b>, you can customize it using cloudInit. This can be done either
* via the OpenStack command-line interface, or
* by pasting your cloudInit script in the <i>Customization Script</i> field of the OpenStack dashboard (<i>Project-->Compute-->Instances-->Launch instance</i> button, <i>Configuration</i> option).  


If creating a volume as part of the process of launching the VM, select <code>Boot from image (creates a new volume)</code> select the image to use and the size of the volume. The default device name of <code>vda</code> should work well. If this volume is something you would like to remain longer than the VM ensure that the "Delete on Terminate" check box is unchecked. If you are unsure about this option, it is better to leave this box unchecked as you can always manually delete the volume later as an extra step.
==Add users with cloudInit during VM creation== <!--T:30-->
[[File:VM multi user cloud init.png|400px|thumb| Cloud init to add multiple users (Click for larger image)]]
Alternatively, you can do this during the creation of a VM using [http://cloudinit.readthedocs.org/en/latest/index.html# cloudInit]. The following cloudInit script adds two users <code>gretzky</code> and <code>lemieux</code> with and without sudo permissions respectively.


==Creating an Image From a Volume==
<!--T:31-->
Creating an image from a volume allows you to download the image either for a backup or to use in virtual box.
#cloud-config
{{Command|openstack image create --disk-format <format> --volume <volume_name> <image_name>}}
users:
where <volume_name> can be found from the OpenStack dash board by clicking on the volume name and <image_name> is the name given to the image you are creating and <format> is the disk format (two possible values are qcow2 and vmdk). See [[OpenStack Command Line Clients]] for more details about working with command line. This image can then be downloaded in the way described in [[OpenStack#Downloading an image into a local VirtualBox | Downloading an image into a local VirtualBox]]
  - name: gretzky
 
    shell: /bin/bash
=Accessing a VM with Multiple Users=
    sudo: ALL=(ALL) NOPASSWD:ALL
[[File:VM multi user cloud init.png|400px|thumb| Cloud init to add multiple users (Click for larger image)]]
    ssh_authorized_keys:
      - <Gretzky's public key goes here>
  - name: lemieux
    shell: /bin/bash
    ssh_authorized_keys:
      - <Lemieux's public key goes here>


There are a number of ways to approach this, but basically what is needed is to add another public ssh key to the VM (see [[ssh keys]] about working with and creating keys). This could be done by adding to the <code>authorized_keys</code> of the primary user account provided for the VM, usually named after the operating system, or it could be added to a newly created user account. In Ubuntu, when logged in with the primary user's account this can be accomplished with the command {{Command|sudo adduser USERNAME}}
<!--T:32-->
Then add the supplied public key to that user's <code>.ssh/authorized_keys</code> file as described in [[ssh keys]] and linked pages.
For more about the YAML format used by cloudInit, see [http://www.yaml.org/spec/1.2/spec.html#Preview YAML Preview]. Note that YAML is very picky about white space formatting, so that there must be a space after the "-" before your public key string. Also, this configuration overwrites the default user that is added when no cloudInit script is specified, so the users listed in this configuration script will be the <i>only</i> users on the newly created VM. It is therefore vital to have at least one user with sudo permission. More users can be added by simply including more <code>- name: username</code> sections.


Another alternative would be to do this during the creation of your VM using [http://cloudinit.readthedocs.org/en/latest/index.html# CloudInit]. The following CloudInit script (which uses the YAML format, see [http://www.yaml.org/spec/1.2/spec.html#Preview YAML Preview]):
<!--T:33-->
If you wish to preserve the default user created by the distribution (users <code>debian, centos, ubuntu,</code> <i>etc.</i>), use the following form:


<!--T:34-->
  #cloud-config
  #cloud-config
  users:
  users:
   - name: sysadmin
  - default
   - name: gretzky
     shell: /bin/bash
     shell: /bin/bash
     sudo: ALL=(ALL) NOPASSWD:ALL
     sudo: ALL=(ALL) NOPASSWD:ALL
     ssh_authorized_keys:
     ssh_authorized_keys:
       - <Insert public key>
       - <Gretzky's public key goes here>
   - name: user
   - name: lemieux
     shell: /bin/bash
     shell: /bin/bash
     ssh_authorized_keys:
     ssh_authorized_keys:
       - <Insert public key>
       - <Lemieux's public key goes here>


adds two users <code>sysadmin</code> and <code>user</code> with and without sudo permissions respectively. The <code><Insert public key></code> must be replaced with the public key to use for that user. Note that YAML is very picky about white space formatting, so that there must be a space after the "-" before your public key string. Also, this configuration overwrites the default user that is added when no CloudInit script is specified, so that the users listed in this configuration script will be the only users on the newly created VM so it is important to have at least one user with sudo permission. More users can be added by simply including another <code>- name: username</code> section.
<!--T:35-->
After the VM has finished spawning, look at the log to ensure that the public keys have been added correctly for those users. The log can be found by clicking on the name of the instance on the "Compute->Instances" panel and then selecting the "log" tab. The log should show something like this:


After the VM has finished spawning, take a look at the log to ensure that the public keys have been added correctly for those users. The log can be found by click the name of the instance under the "Compute->Instances" panel and then selecting the "log" tab.  The log should show something like:
<!--T:36-->
 
  ci-info: ++++++++Authorized keys from /home/gretzky/.ssh/authorized_keys for user gretzky++++++++
  ci-info: ++++++++Authorized keys from /home/sysadmin/.ssh/authorized_keys for user sysadmin++++++++
  ci-info: +---------+-------------------------------------------------+---------+------------------+
  ci-info: +---------+-------------------------------------------------+---------+------------------+
  ci-info: | Keytype |                Fingerprint (md5)                | Options |    Comment      |
  ci-info: | Keytype |                Fingerprint (md5)                | Options |    Comment      |
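Review bot: In the new "Add users with cloudInit during VM creation" section, the opening sentence "Alternatively, you can do this during the creation of a VM using cloudInit" has lost its antecedent, because the old "Accessing a VM with Multiple Users" text about adduser and authorized_keys that it contrasted with is not carried over; reword it to say directly that users can be added at VM creation. In the default security group paragraph of the same hunk, the link target Cloud_Quick_Start#FCreating_your_first_virtual_machine has what looks like a stray "F" after the "#", so check that the anchor resolves. The menu path "Project-->Compute-->Instances-->Launch instance" also uses "-->" where the rest of the new text uses "->".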
Line 106: Line 113:
  ci-info: | ssh-rsa | ad:a6:35:fc:2a:17:c9:02:cd:59:38:c9:18:dd:15:19 |    -    | rsa-key-20160229 |
  ci-info: | ssh-rsa | ad:a6:35:fc:2a:17:c9:02:cd:59:38:c9:18:dd:15:19 |    -    | rsa-key-20160229 |
  ci-info: +---------+-------------------------------------------------+---------+------------------+
  ci-info: +---------+-------------------------------------------------+---------+------------------+
  ci-info: ++++++++++++Authorized keys from /home/user/.ssh/authorized_keys for user user++++++++++++
  ci-info: ++++++++++++Authorized keys from /home/lemieux/.ssh/authorized_keys for user lemieux++++++++++++
  ci-info: +---------+-------------------------------------------------+---------+------------------+
  ci-info: +---------+-------------------------------------------------+---------+------------------+
  ci-info: | Keytype |                Fingerprint (md5)                | Options |    Comment      |
  ci-info: | Keytype |                Fingerprint (md5)                | Options |    Comment      |
Line 113: Line 120:
  ci-info: +---------+-------------------------------------------------+---------+------------------+
  ci-info: +---------+-------------------------------------------------+---------+------------------+


Once this is done, users can log into the VM with their private keys as usual (see [[ssh keys]]).
<!--T:37-->
 
Once this is done, users can log into the VM with their private keys as usual (see [[SSH Keys]]).
=Downloading an image into a local VirtualBox=
The first step is to install the OpenStack client and download the OpenStack RC file and source it (see [[OpenStack Command Line Clients]]).
The OpenStack client can list the available images on your OpenStack project with
{{Command|openstack image list}}
producing something like:
 
+--------------------------------------+---------------------------------------+-------------+------------------+-------------+--------+
| ID                                  | Name                                  | Disk Format | Container Format | Size        | Status |
+--------------------------------------+---------------------------------------+-------------+------------------+-------------+--------+
| 982761b2-c77b-4852-8ae3-bf98b32b8894 | Hadoop-2.2.4                          | qcow2      | bare            | 10253107200 | active |
| b7bd3033-9836-406d-a8f2-2e91978026b4 | hadoopmaster                          | qcow2      | bare            | 3493527552  | active |
| 2c751755-854d-49c3-af82-d501e51e7159 | hadoopmaster-active                  | qcow2      | bare            | 13134004224 | active |
| c41012f4-ed82-4478-a81f-5efb96a31b1a | hadoopmaster-old                      | qcow2      | bare            | 3493527552  | active |
| 78e61a3f-b546-441a-b476-a7077b04ca36 | hadoopslave                          | qcow2      | bare            | 3490971648  | active |
| 516845c3-b256-4c6d-a2cb-e31e822c7e34 | hadoopslave1-active                  | qcow2      | bare            | 8345026560  | active |
| 1546bd86-5314-4fce-9576-e2f6930dad30 | hadoopslave1-old                      | qcow2      | bare            | 3490971648  | active |
| baf78e8d-8288-4854-a66b-812cdf3ccbca | TestVM                                | qcow2      | bare            | 13167616    | active |
| 2faf97d7-5b0b-44ce-8024-3bef5a634570 | test_ubuntu_initial                  | qcow2      | bare            | 1799487488  | active |
| 308b6614-396a-4360-9c33-4e86f41ea0ec | trusty                                | qcow2      | bare            | 256180736  | active |
| 9b3c3fda-2aca-43b5-a3e7-662a94f5e7fb | Ubuntu_14.04_Trusty-amd64-20150708    | qcow2      | bare            | 257884672  | active |
| f93e66cf-fec1-4460-8fc7-506e716fbf30 | ucernvm-prod.1.18-10                  | raw        | bare            | 20971520    | active |
+--------------------------------------+---------------------------------------+-------------+------------------+-------------+--------+
 
You can then download a particular image with
{{Command|openstack image save --file ./<file-name-for-image>.<format> 2c751755-854d-49c3-af82-d501e51e7159}}
where <format> matches that given in the table above for your selected image andthe last argument is the <code>ID</code> of the image you wish to download.


Then to use this image in VirtualBox you will need to convert the image in the qcow2 format to the vmdk format. This can be done with the <code>qemu-img</code> tool. This can be installed with something like
<!--T:49-->
{{Command|sudo apt-get install qemu-img}}
[[Category:Cloud]]
then do the conversion with
</translate>
{{Command|qemu-img convert -f qcow2 vdisk.qcow2 -O vmdk vdisk.vmdk}}
Then you can create a new virtual machine and attach the vmdk image to it (see [http://techathlon.com/how-to-run-a-vmdk-file-in-oracle-virtualbox/] for detailed instructions on this).
[[Category:CC-Cloud]]
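Review bot: The "Downloading an image into a local VirtualBox" section is removed in this hunk with no pointer left behind, so an inbound link to the OpenStack#Downloading an image into a local VirtualBox anchor (the old "Creating an Image From a Volume" text used one) will no longer land on anything. Confirm that the openstack image save and qemu-img convert steps now live on Working_with_images, and either say so under "Working with images" or note the move in the edit summary, which currently reads only "East->Beluga cloud".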

Latest revision as of 20:41, 7 July 2023

Parent page: Cloud

OpenStack is the software suite used on our clouds to control hardware resources such as computers, storage and networking. It allows the creation and management of virtual machines ("VMs" or "instances"), which act like separate individual machines, by emulation in software. This allows complete control over the computing environment, from choosing an operating system to software installation and configuration. Diverse use cases are supported, from hosting websites to creating virtual clusters. More documentation on OpenStack can be found at the OpenStack website.

This page describes how to perform common tasks encountered while working with OpenStack. It is assumed that you have already read Cloud Quick Start and understand the basic operations of launching and connecting to a VM. Most tasks can be performed using either the dashboard (as described below), the OpenStack command line clients, or a tool called Terraform; however, some tasks require using command line tools, for example sharing an image with another project.

Working with the dashboard

The web browser user interface used to manage your cloud resources, as described in most of our documentation, is referred to as the "dashboard". The dashboard is developed under an OpenStack sub-project referred to as Horizon. Horizon and dashboard might be used interchangeably. The dashboard is well documented here. This documentation lists all of the options available on the dashboard, what they do, and how to navigate the system.

Projects

OpenStack projects group VMs together and provide a quota out of which VMs and related resources can be created. A project is unique to a particular cloud. All accounts which are members of a project have the same level of permissions, meaning anyone can create or delete a VM within a project if they are a member. You can view the projects you are a member of by logging into an OpenStack dashboard for the clouds you have access to (see Cloud systems for a list of cloud URLs). The active project name will be displayed in the top left of the dashboard, to the right of the cloud logo. If you are a member of more than one project, you can switch between active projects by clicking on the drop-down menu and selecting the project's name.

Depending on your allocation, your project may be limited to certain types of VM flavors. For example, compute allocations will generally only allow "c" flavors, while persistent allocations will generally only allow "p" flavors.

Projects can be thought of as owned by primary investigators (PIs), and new projects and quota adjustments can only be requested by PIs. In addition, requests for access to an existing project must be confirmed by the PI owning the project.

Working with volumes

Please see this page for more information about creating and managing storage volumes.

Working with images

Please see this page for more information about creating and managing disk image files.

Working with VMs

Please see this page for more information about managing certain characteristics of your VMs in the dashboard.

Availability zones

Availability zones allow you to indicate what group of physical hardware you would like your VM to run on. On Beluga and Graham clouds, there is only one availability zone, nova, so there isn't any choice in the matter. However, on Arbutus there are three availability zones: Compute, Persistent_01, and Persistent_02. The Compute and Persistent zones only run compute or persistent flavors respectively (see Virtual machine flavors). Using two persistent zones can present an advantage; for example, two instances of a website can run in two different zones to ensure its continuous availability in the case where one of the sites goes down.

Security groups

A security group is a set of rules to control network traffic into and out of your virtual machines. To manage security groups, go to Project->Network->Security Groups. You will see a list of currently defined security groups. If you have not previously defined any security groups, there will be a single default security group.

To add or remove rules from a security group, click Manage Rules beside that group. When the group description is displayed, you can add or remove rules by clicking the +Add Rule and Delete Rule buttons.

Default security group

[Figure: Default Security Group Rules]

The default security group contains rules which allow a VM access out to the internet, for example to download operating system upgrades or package installations, but does not allow another machine to access it, except for other VMs belonging to the same default security group. We recommend you do not remove rules from the default security group as this may cause problems when creating new VMs. The image on the right shows the default security group rules that should be present:

  • 2 Egress rules to allow your instance to access an outside network without any limitation; there is one rule for IPV4 and one for IPV6.
  • 2 Ingress rules to allow communication for all the VMs that belong to that security group, for both IPV4 and IPV6.

It is safe to add rules to the default security group and you may recall that we did this in Cloud Quick Start by either adding security rules for SSH or RDP (see Firewall, add rules to allow RDP under the Windows tab) to your default security group so that you could connect to your VM.

Managing security groups

You can define multiple security groups and a VM can belong to more than one security group. When deciding on how to manage your security groups and rules, think carefully about what needs to be accessed and who needs to access it. Strive to minimize the IP addresses and ports in your Ingress rules. For example, if you will always be connecting to your VM via SSH from the same computer with a static IP, it makes sense to allow SSH access only from that IP. To specify the allowed IP or IP range, use the CIDR box (use this web-based tool for converting IP ranges to CIDR rules). Further, if you only need to connect to one VM via SSH from the outside and then can use that as a gateway to any other cloud VMs, it makes sense to put the SSH rule in a separate security group and add that group only to the gateway VM. However, you will also need to ensure your SSH keys are configured correctly to allow you to use SSH between VMs (see SSH Keys). In addition to CIDR, security rules can be limited within a project using security groups. For example, you can configure a security rule for a VM in your project running a MySQL Database to be accessible from other VMs in the default security group.

The security groups a VM belongs to can be chosen when it is created, using the Security Groups option of Launch Instance, or after the VM has been launched, by selecting Edit Security Groups from the drop-down menu of actions for the VM on the Project->Compute->Instances page.

Using CIDR rules

CIDR stands for Classless Inter-Domain Routing and is a standardized way of defining IP ranges (see also this Wikipedia page on CIDR).

An example of a CIDR rule is 192.168.1.1/24. This looks just like a normal IP address with a /24 appended to it. IPv4 addresses are made up of four 1-byte (8-bit) numbers, each ranging from 0 to 255. The /24 means that this CIDR rule matches on the leftmost 24 bits (3 bytes) of an IP address. In this case, any IP address starting with 192.168.1 will match this CIDR rule. If /32 is appended, the full 32 bits of the IP address must match exactly; if /0 is appended, no bits must match and therefore any IP address will match it.
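The matching rule above, together with the earlier advice to keep Ingress ranges small, as an added example that is not part of the original page. It uses Python's standard ipaddress module; the rule list, the review_ingress helper and its max_addresses threshold are assumptions made for illustration, not OpenStack settings.

```python
import ipaddress

# SSH and RDP, the two remote-access services this page adds rules for.
REMOTE_ACCESS_PORTS = {22, 3389}

def normalize(cidr):
    """Return the network a CIDR rule denotes, with host bits cleared."""
    # strict=False accepts host bits, so 192.168.1.1/24 becomes 192.168.1.0/24
    return str(ipaddress.ip_network(cidr, strict=False))

def matches(cidr, ip):
    """True if ip falls inside the range described by the CIDR rule."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def review_ingress(rules, max_addresses=256):
    """Return Ingress rules that open SSH/RDP to more than max_addresses sources.

    max_addresses is an assumed threshold for this example only.
    """
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if rule["port"] in REMOTE_ACCESS_PORTS and net.num_addresses > max_addresses:
            findings.append((rule["port"], str(net), net.num_addresses))
    return findings

# Constructed Ingress rules using documentation address ranges.
SAMPLE_RULES = [
    {"port": 22, "cidr": "0.0.0.0/0"},          # SSH from any IPv4 address
    {"port": 22, "cidr": "203.0.113.7/32"},     # SSH from one static IP
    {"port": 3389, "cidr": "198.51.100.0/24"},  # RDP from one /24
    {"port": 443, "cidr": "::/0"},              # HTTPS from any IPv6 address
]

if __name__ == "__main__":
    print(normalize("192.168.1.1/24"))
    for ip in ("192.168.1.200", "192.168.2.1"):
        print(ip, matches("192.168.1.1/24", ip))
    for port, net, count in review_ingress(SAMPLE_RULES):
        print(f"port {port} is open to {net} ({count} addresses)")
```

Only the SSH rule open to 0.0.0.0/0 is reported: the /32 and /24 rules are within the threshold, and port 443 is not treated as a remote-access port here.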

Working with cloudInit

The first time your instance is launched, you can customize it using cloudInit. This can be done either

  • via the OpenStack command-line interface, or
  • by pasting your cloudInit script in the Customization Script field of the OpenStack dashboard (Project->Compute->Instances->Launch instance button, Configuration option).

Add users with cloudInit during VM creation

Cloud init to add multiple users

Alternatively, you can do this during the creation of a VM using cloudInit. The following cloudInit script adds two users, gretzky and lemieux, with and without sudo permissions respectively.

#cloud-config
users:
  - name: gretzky
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_authorized_keys:
      - <Gretzky's public key goes here>
  - name: lemieux
    shell: /bin/bash
    ssh_authorized_keys:
      - <Lemieux's public key goes here>

For more about the YAML format used by cloudInit, see YAML Preview. Note that YAML is very picky about whitespace, so there must be a space after the "-" before your public key string. Also, this configuration overwrites the default user that is added when no cloudInit script is specified, so the users listed in this configuration script will be the only users on the newly created VM. It is therefore vital to have at least one user with sudo permission. More users can be added by simply including more - name: username sections.

If you wish to preserve the default user created by the distribution (users debian, centos, ubuntu, etc.), use the following form:

#cloud-config
users:
  - default
  - name: gretzky
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_authorized_keys:
      - <Gretzky's public key goes here>
  - name: lemieux
    shell: /bin/bash
    ssh_authorized_keys:
      - <Lemieux's public key goes here>

After the VM has finished spawning, look at the log to ensure that the public keys have been added correctly for those users. The log can be found by clicking on the name of the instance on the "Compute->Instances" panel and then selecting the "log" tab. The log should show something like this:

ci-info: ++++++++Authorized keys from /home/gretzky/.ssh/authorized_keys for user gretzky++++++++
ci-info: +---------+-------------------------------------------------+---------+------------------+
ci-info: | Keytype |                Fingerprint (md5)                | Options |     Comment      |
ci-info: +---------+-------------------------------------------------+---------+------------------+
ci-info: | ssh-rsa | ad:a6:35:fc:2a:17:c9:02:cd:59:38:c9:18:dd:15:19 |    -    | rsa-key-20160229 |
ci-info: +---------+-------------------------------------------------+---------+------------------+
ci-info: ++++++++++++Authorized keys from /home/lemieux/.ssh/authorized_keys for user lemieux++++++++++++
ci-info: +---------+-------------------------------------------------+---------+------------------+
ci-info: | Keytype |                Fingerprint (md5)                | Options |     Comment      |
ci-info: +---------+-------------------------------------------------+---------+------------------+
ci-info: | ssh-rsa | ad:a6:35:fc:2a:17:c9:02:cd:59:38:c9:18:dd:15:19 |    -    | rsa-key-20160229 |
ci-info: +---------+-------------------------------------------------+---------+------------------+

Once this is done, users can log into the VM with their private keys as usual (see SSH Keys).
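The log check described above can be scripted; the following is an added example, not part of the original page. It assumes the md5 table format shown in the log excerpt, and the function names are hypothetical. md5_fingerprint derives the expected value from a public key line so it can be compared with what cloudInit logged, and audit also reports a key that appears under more than one account.

```python
import base64
import hashlib
import re

# Log lines in the format shown on this page (table borders omitted).
SAMPLE_LOG = """\
ci-info: ++++++++Authorized keys from /home/gretzky/.ssh/authorized_keys for user gretzky++++++++
ci-info: | Keytype |                Fingerprint (md5)                | Options |     Comment      |
ci-info: | ssh-rsa | ad:a6:35:fc:2a:17:c9:02:cd:59:38:c9:18:dd:15:19 |    -    | rsa-key-20160229 |
ci-info: ++++++++++++Authorized keys from /home/lemieux/.ssh/authorized_keys for user lemieux++++++++++++
ci-info: | ssh-rsa | ad:a6:35:fc:2a:17:c9:02:cd:59:38:c9:18:dd:15:19 |    -    | rsa-key-20160229 |
"""

HEADER = re.compile(r"Authorized keys from \S+ for user ([^+\s]+)\+")
ROW = re.compile(r"\|\s*\S+\s*\|\s*((?:[0-9a-f]{2}:){15}[0-9a-f]{2})\s*\|")

def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 of the decoded key blob in 'type base64 comment'."""
    digest = hashlib.md5(base64.b64decode(pubkey_line.split()[1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_ci_info(log_text):
    """Map each user to the fingerprints cloud-init logged for them."""
    users, current = {}, None
    for line in log_text.splitlines():
        if not line.startswith("ci-info:"):
            continue
        header = HEADER.search(line)
        if header:
            current = header.group(1)
            users[current] = []
        elif current and ROW.search(line):  # column-title rows do not match
            users[current].append(ROW.search(line).group(1))
    return users

def audit(log_text, expected):
    """expected maps user -> list of fingerprints; returns a list of problems."""
    found, problems, owners = parse_ci_info(log_text), [], {}
    for user, fps in expected.items():
        if user not in found:
            problems.append(f"{user}: no authorized_keys table in log")
        elif set(found[user]) != set(fps):
            problems.append(f"{user}: fingerprints differ from expected")
    for user, fps in found.items():
        for fp in fps:
            owners.setdefault(fp, []).append(user)
    problems += [f"{fp}: shared by {', '.join(sorted(u))}"
                 for fp, u in owners.items() if len(u) > 1]
    return problems
```

Run against the excerpt above, audit reports that gretzky and lemieux carry the same key, which matters here because only one of the two accounts has sudo.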