Cloud Quick Start: Difference between revisions

From Alliance Doc
(Marked this version for translation)
(Add a note about only RSA keys supported on import)
Line 37: Line 37:
#Click [[File:Import-Key-Pair-Button.png]]; the ''Import Key Pair'' window is displayed.
#Click [[File:Import-Key-Pair-Button.png]]; the ''Import Key Pair'' window is displayed.
#Name your key pair.
#Name your key pair.
#Paste your public key. <br/>Ensure your pasted public key contains no newline characters or extra spaces.
#Paste your public key (only RSA type ssh keys are currently supported). <br/>Ensure your pasted public key contains no newline characters or extra spaces.
#Click on the ''Import Key Pair'' button.
#Click on the ''Import Key Pair'' button.
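Review bot: in the changed paste step, the added parenthetical "(only RSA type ssh keys are currently supported)" writes "ssh" in lower case while the rest of the page writes "SSH", and it does not tell the reader what to do when their existing key is of another type. Suggest "only RSA-type SSH keys are currently supported" and a pointer to the "Creating a new key pair" steps for users whose key is not RSA. "Currently" is also undated, so a reader cannot tell which dashboard version the restriction applies to.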



Revision as of 23:19, 15 February 2019


Parent page: Cloud

If you don't already have a cloud project see getting a cloud project.

Browser compatibility

The online web interface for OpenStack, the Horizon dashboard, works well with both the Firefox and Chrome web browsers. Other browsers may also work; however, some browsers have shown the error message "Danger: There was an error submitting the form. Please try again.", which suggests that your browser is not supported by OpenStack. This error message was noticed with certain versions of the Safari web browser on Macs; upgrading Safari may help. If you see this error message, please try one of the browsers mentioned above before emailing cloud support.

Creating your first virtual machine

Start by logging into a cloud where you have a project (see using the cloud for a list of cloud URLs at which you can login).

When you log in, the OpenStack dashboard shows an overview of your resources.


SSH key pair

When you start a virtual machine (also often referred to as an instance or a VM), there is no password for an admin or a root account on the virtual machine. This is for security reasons, so that no one can log in with a password (you wouldn't want a hacker to be able to access the brand new virtual machine you just started using some default password...).

OpenStack creates your VM with one SSH public key installed and you can only log in using this SSH key pair. The SSH public key can either come from a key pair which you have already created on some other machine, or can be created by OpenStack. If you are using an existing key pair from a remote machine, you will need to import the SSH public key into OpenStack so that it can be injected into the newly created VM. Alternatively, OpenStack can create a key pair for you with the private key downloaded to your local machine. In order to manage your key pairs, click on Access & Security from the left menu, then on the Key Pairs tab. From here you will have the option of importing an existing key pair, or creating a new key pair.

Importing an existing key pair

[Figure: Import key pair]
  1. Click the Import Key Pair button; the Import Key Pair window is displayed.
  2. Name your key pair.
  3. Paste your public key (only RSA-type SSH keys are currently supported).
    Ensure your pasted public key contains no newline characters or extra spaces.
  4. Click on the Import Key Pair button.
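
The two conditions in step 3 (RSA key type, no newlines or extra spaces) can be checked before pasting. The following is an added example, not code from the original page or from OpenStack; the function names are hypothetical and both sample lines are constructed and are not usable keys.

```python
import base64
import binascii
import struct


def _string(data):
    """Encode an SSH wire-format string: 4-byte big-endian length, then the data."""
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    """Encode a positive integer as an SSH mpint (leading zero byte if the top bit is set)."""
    return _string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def _read(blob, pos):
    """Read one length-prefixed field; return (data, next position)."""
    if pos + 4 > len(blob):
        raise ValueError("key data is truncated")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    if pos + 4 + length > len(blob):
        raise ValueError("key data is truncated")
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def check_pasted_key(text):
    """Return (problems, modulus_bits) for text about to be pasted into Import Key Pair."""
    problems = []
    if "\n" in text or "\r" in text:
        problems.append("contains newline characters")
    if text != text.strip(" \t") or "  " in text or "\t" in text:
        problems.append("contains extra spaces")
    fields = text.split()
    if len(fields) < 2:
        problems.append("not in '<type> <base64 data> [comment]' form")
        return problems, None
    key_type = fields[0]
    if key_type != "ssh-rsa":
        problems.append(f"key type {key_type!r} is not RSA")
    bits = None
    try:
        blob = base64.b64decode(fields[1], validate=True)
        inner_type, pos = _read(blob, 0)
        # The type is stored twice: as the first word and inside the base64 data.
        if inner_type.decode("ascii", "replace") != key_type:
            problems.append("key data does not match the declared key type")
        if inner_type == b"ssh-rsa":
            _exponent, pos = _read(blob, pos)
            modulus, pos = _read(blob, pos)
            bits = int.from_bytes(modulus, "big").bit_length()
    except (binascii.Error, ValueError) as exc:
        problems.append(f"key data is not valid: {exc}")
        return problems, None
    return problems, bits


# Constructed sample lines, not usable keys: the RSA "modulus" is simply 2**2047 + 1.
CONSTRUCTED_RSA = "ssh-rsa " + base64.b64encode(
    _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)
).decode() + " constructed@example"
CONSTRUCTED_ED25519 = "ssh-ed25519 " + base64.b64encode(
    _string(b"ssh-ed25519") + _string(bytes(32))
).decode() + " constructed@example"

if __name__ == "__main__":
    samples = {
        "RSA, one line": CONSTRUCTED_RSA,
        "RSA, trailing newline": CONSTRUCTED_RSA + "\n",
        "RSA, wrapped by an editor": CONSTRUCTED_RSA[:40] + "\n" + CONSTRUCTED_RSA[40:],
        "Ed25519": CONSTRUCTED_ED25519,
    }
    for label, text in samples.items():
        print(label, "->", check_pasted_key(text))
```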

Creating a new key pair

[Figure: Create key pair]
  1. Click the Create Key Pair button; the Create Key Pair window is displayed.
  2. Name your key pair.
  3. Click on the Create Key Pair button.
  4. Save the <key name>.pem on your disk.
UNIX
On your local machine (not the VM), you will need to change key permissions with the chmod 400 <key name>.pem command in order to connect with this key.
WINDOWS
To use the key downloaded from OpenStack with PuTTY or MobaXterm to connect to the VM, you need to convert it to a format compatible with that software (see Generating SSH keys in Windows#Converting an OpenStack Key.)

Launching a VM

[Figure: Launch Instance]

To create a virtual machine, click on the Instances menu item on the left, then click the Launch Instance button.

A form is displayed where you define your virtual machine (if you are following along with this example, you can use the same values).

  • Details tab
    • Availability Zone: There is only one zone; do not change its name.
    • Instance Name: Enter a name for your virtual machine. Rules for valid host names apply.
    • Flavor: The flavor defines virtual machine hardware specifications. For a first attempt, pick either 'c1-3.75gb-36' flavor on east-cloud or 'c1-7.5gb-30' flavor on west-cloud. For more details, see Virtual machine flavors. Note: If choosing a 'p' flavor you should also choose boot from image (creates a new volume) for the boot source below.
    • Instance Count: Number of virtual machines to create.
    • Instance Boot Source: What source should be used to boot the VM.

      Boot from image indicates that you wish to boot from an already created image. Another common option is Boot from volume which allows one to boot from an existing volume which is commonly done with "p" flavors.

    • Image Name: name of the image to boot from, e.g. CentOS-7-x86-64-GenericCloud-1503.
    • Project Limits: The green bars reflect the fraction of your available resources that will be consumed by the VM you are about to launch. If the bars become red, the flavor chosen will consume more resources than your project has available. Blue bars indicate any existing resources your project may be using.
  • Access & Security tab
    • Key Pair: Select your SSH key pair.

      If you have only one, it is selected by default. If you do not have a key pair, please see above.

    • Security Groups: Ensure that the default security group is checked.
  • Networking tab: Do not change this now.

    Networking will be discussed later, after you have launched a virtual machine.

  • Post-Creation tab: Do not change this now.

    This is where you would paste a cloud-init script which can do things such as install and configure software, add users, and additional SSH keys (see accessing a VM with multiple users) in an automated step after the VM is created. See cloudinit for more details about cloud-init.

  • Advanced Options tab: Leave Disk Partition on Automatic for now.

Once you have reviewed all the tabs and defined your virtual machine, click on the Launch button and your virtual machine will be created. The Instances list will be displayed and the Task field will show the current task for the VM; it will likely be spawning initially. Once the VM has spawned it will have the Power State of Running. It may take a few minutes for your virtual machine to start, depending on a variety of factors.

Note: When creating a persistent service, we recommend that you boot your virtual machine from a volume; see Configuring a data or web server.

Network

[Figure: Manage Floating IP]
[Figure: Add Rule]

On the Instances page is a list of VMs with their IP address(es) displayed in the IP Address column. Each VM will have at least one private IP address, but some may also have a second public IP assigned to it.

Private IP

When your OpenStack project is created a local network is also created for you. This local network is used to connect VMs within that project allowing them to communicate with each other and the outside world. Their private IP address does not allow the outside world to reference that VM. Any VM created in your project will have a private IP address assigned to it from this network of the form 192.168.X.Y.

Public IP

Public IPs allow outside services and tools to initiate contact with your VM, such as allowing you to connect to it to perform administrative tasks or serve up web content. Public IPs can also be pointed to by domain names.

To assign a public IP to a VM, you need to select Associate Floating IP from the drop-down menu button (indicated by ▼) of the Actions column in the Instances list. If this is your first time associating a floating IP, your project hasn't been assigned an external IP address yet. You need to click on the “+” sign to bring up the Allocate Floating IP dialog box. There is only one pool of public addresses, so the correct pool will already be selected; click on the Allocate IP button. The Manage Floating IP Associations screen is displayed again, indicating the IP address and the port (or VM) to which it will be associated (or more specifically NATted); click on the Associate button.

Firewall, add rules to allow SSH

To connect to your virtual machine via SSH, you will need to allow access for SSH to your VM.

  1. On the Security Groups tab, select Access & Security; on the default row, click the Manage Rules button.
  2. On the next screen, click the Add Rule button.
  3. SSH has a predefined rule. Select it in the Rules dropdown menu and leave CIDR under Remote.
  4. It is a good security practice to replace the 0.0.0.0/0 in the CIDR text box with <your-ip>/32.

    If you don't know your current IP address you can see it by going to ipv4.icanhazip.com in your browser.

    Leaving the 0.0.0.0/0 will allow anyone to attempt a connection with your VM via SSH. The suggested replacement will restrict SSH access to your VM to this IP only. If you want to allow SSH access from other IPs, you can add additional SSH rules with different IP addresses, or you can specify a range of IP addresses by using this tool to calculate your CIDR rule from a range of IP addresses.

  5. Finally, click the Add button.

Note: be sure not to remove the default security rules as this will affect the ability of your VM to function properly (see security groups).

Connecting to your VM with SSH

If you created a key pair on the first step, you will need to know where it is.

Connecting from a Linux machine

[name@server ~]$  ssh -i /path/where/your/key/is/my_key.key <user name>@<public IP of your server>

where <user name> is the name of the user connecting and <public IP of your server> is the public IP you set in the previous step. The default user name depends on the image.

Image distribution name    <user name>
Debian                     debian
Ubuntu                     ubuntu
CentOS                     centos
Fedora                     fedora

These default users have full sudo privileges. The root account is normally disabled.

Connecting from a Windows machine

See Connecting with PuTTY or Connecting with MobaXTerm.

Where to go from here

Request access to a Windows image

To create a Windows VM in the Compute Canada cloud you must first request access to a Windows image by emailing cloud@computecanada.ca.

You will be provided access to a Windows Server 2012 Evaluation image and a username to use when connecting. The evaluation period is 180 days. It may be possible to apply a Windows license to a running VM created from this evaluation image. Compute Canada does not provide these licenses.

SSH key pair

[Figure: Create key pair]

Windows VMs encrypt the administrative account password with a public key. The matching private key decrypts the password.

We recommend creating a new key pair within the OpenStack dashboard rather than importing an existing key pair. To create a new key pair:

  1. Click on Access & Security from the left menu.
  2. Select the Key Pairs tab.
  3. Click the Create Key Pair button; the Create Key Pair window is displayed.
  4. Give your key pair a name.
  5. Click Create Key Pair button.
  6. Save the <key name>.pem file on your local drive.

If you would like to use an existing key pair with your Windows VM see the comments on key pairs below.

Launching a VM

[Figure: Launch Instance]

To create a virtual machine, click on the Instances menu item on the left, then click the Launch Instance button.

A form is displayed where you define your virtual machine.

  • Details tab
    • Availability Zone: There is only one zone; do not change its name.
    • Instance Name: Enter a name for your virtual machine. It is best to follow the rules for valid host names.
    • Flavor: The flavor defines virtual machine hardware specifications; choose the 'p2-3gb' flavor.

      The Windows image is quite large and requires a large bootable drive. C-flavors, as described here, only have root drives of 20 GB; choosing a "p" flavor allows for larger root volumes. The smallest "p" flavor has 1.5 GB of RAM, and from experience this is too little to run Windows well. Choosing a slightly larger flavor, such as "p2-3gb", improves the performance of the VM.

    • Instance Count: Number of virtual machines to create.
    • Instance Boot Source: What source should be used to boot the VM; choose Boot from Image (creates new volume).
    • Image Name: select the Windows image name you were provided.
    • Device Size: The size of the root drive; enter 30GB or more.

      The final operating system occupies approximately 20 GB of space, though more is needed during setup.

    • Delete on Terminate: If this box is checked the volume that is created with the VM will be deleted when the VM is terminated.

      It is generally recommended not to check this box as the volume can be deleted manually if desired and allows the VM to be terminated without deleting the volume.

    • Project Limits: The green bars reflect the fraction of your available resources that will be consumed by the VM you are about to launch. If the bars become red, the flavor chosen will consume more resources than your project has available. Blue bars indicate any existing resources your project may be using.
  • Access & Security tab
    • Key pair: Select your SSH key pair.

      If you have only one, it is selected by default. If you do not have a key pair, please see above.

    • Security Groups: Ensure the default security group is checked.
  • Networking tab: Do not change this now. Networking will be discussed later, after you have launched a virtual machine.

  • Post-Creation tab: Do not change this now.
  • Advanced Options tab: Leave Disk Partition on Automatic for now.

Once you have reviewed all the tabs and defined your virtual machine, click on the Launch button and your virtual machine will be created. The Instances list will be displayed and the Task field will show the current task for the VM; it will likely be "Block Device Mapping" initially. Once the VM has spawned and begins to boot, it will have the Power State of "Running". It will likely take 10+ minutes to finish creating the volume and copying the image to it before beginning to boot.

Locality settings and license agreement

[Figure: Locality Settings]

When the VM first boots it will not finish booting until location, language, and keyboard settings are selected and you agree to the license using the console built into the OpenStack dashboard.

To get to the console:

  1. Go to Instances on the left hand menu.
  2. Click on the Instance Name of your Windows VM.
  3. Click on the Console tab to display the Instance Console and wait until you see a Settings screen as shown in the figure to the right.
    If you waited a significant amount of time, the console screen may have gone into a screensaver mode (blank/black screen). If this is the case, click on the blank/black screen so that it gains focus and, if necessary, press a key on your keyboard to wake it up.

The console mouse pointer often lags behind the actual mouse pointer location. You can either try to account for the lag or use keyboard shortcuts when the console screen has focus.

  • The tab key will select different fields.
  • The up and down arrows will select different options.
  • Under the Country or region drop down menu, letter keys move to the top of the countries beginning with that letter.
  • Finally press the tab key until the next box is selected then press the enter key.

You will then be presented with a request to accept the terms and conditions of the license agreement.

  • Press the tab key until the I accept box is highlighted.
  • Press the enter key.

At this point your VM will restart. Once it finishes restarting the Console will display a sign in screen with the current (UTC) time and date.

Network

[Figure: Manage Floating IP]
[Figure: Add RDP Rule]

On the Instances page is a list of VMs with their IP address(es) displayed in the IP Address column. Each VM will have at least one private IP address, but some may also have a second public IP assigned to it.

Private IP

When your OpenStack project is created a local network is also created for you. This local network is used to connect VMs within that project allowing them to communicate with each other and the outside world. Their private IP address does not allow the outside world to reference that VM. Any VM created in your project will have a private IP address assigned to it from this network of the form 192.168.X.Y.

Public IP

Public IPs allow outside services and tools to initiate contact with your VM, such as allowing you to connect to it to perform administrative tasks or serve up web content. Public IPs can also be pointed to by domain names.

To assign a public IP to a VM, you need to select Associate Floating IP from the drop-down menu button (indicated by ▼) of the Actions column in the Instances list. If this is your first time associating a floating IP, your project hasn't been assigned an external IP address yet. You need to click on the “+” sign to bring up the Allocate Floating IP dialog box. There is only one pool of public addresses, so the correct pool will already be selected; click on the Allocate IP button. The Manage Floating IP Associations screen is displayed again, indicating the IP address and the port (or VM) to which it will be associated (or more specifically NATted); click on the Associate button.

Firewall, add rules to allow RDP

To connect to your virtual machine using a remote desktop connection client, you will need to allow access for remote desktop protocol (RDP) to your VM.

  1. On the Security Groups tab, select Access & Security; on the default row, click the Manage Rules button.
  2. On the next screen, click the Add Rule button.
  3. RDP has a predefined rule. Select it in the Rules dropdown menu and leave CIDR under Remote.
  4. Replace the 0.0.0.0/0 in the CIDR text box with <your-ip>/32.

    If you don't know your current IP address you can see it by going to ipv4.icanhazip.com in your browser. Leaving 0.0.0.0/0 will allow anyone to attempt a connection with your VM. You should never allow completely open access with RDP as your VM will be susceptible to brute force attacks. This replacement will restrict RDP access to your VM to this IP only. If you want to allow access from other IPs, you can add additional RDP rules with different IP addresses, or you can specify a range of IP addresses by using this tool to calculate your CIDR rule from a range of IP addresses.

    If you leave RDP open to the world by leaving the 0.0.0.0/0 in the CIDR text box, a cloud administrator may revoke access to your VM until the security rule is fixed.

  5. Finally, click the Add button.
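
The CIDR values used in step 4 of both the SSH and the RDP firewall procedures can be worked out and reviewed offline. This is an added example, not part of the original page: the function names are hypothetical, the rule list is constructed, the addresses come from documentation ranges, and ports 22 and 3389 are assumed as the standard SSH and RDP ports.

```python
import ipaddress

OPEN_TO_WORLD = ipaddress.ip_network("0.0.0.0/0")
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP"}  # assumed standard ports


def single_ip_rule(ip):
    """CIDR value for step 4: exactly one address, written as <your-ip>/32."""
    return f"{ipaddress.IPv4Address(ip.strip())}/32"


def range_rules(first, last):
    """Smallest set of CIDR blocks covering first..last exactly; add one rule per block."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first address must not be above the last")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def review_cidr(cidr):
    """Return (verdict, network the rule really covers)."""
    iface = ipaddress.ip_interface(cidr.strip())
    net = iface.network
    if net == OPEN_TO_WORLD:
        return "open to the world", str(net)
    if iface.ip != net.network_address:
        # e.g. 198.51.100.77/24 admits all of 198.51.100.0/24, not one host
        return "host bits set, covers whole block", str(net)
    return "restricted", str(net)


def audit(rules):
    """Findings for (port, cidr) ingress rules on the remote-access ports."""
    findings = []
    for port, cidr in rules:
        verdict, net = review_cidr(cidr)
        if port in REMOTE_ACCESS_PORTS and verdict != "restricted":
            findings.append((REMOTE_ACCESS_PORTS[port], net, verdict))
    return findings


# Constructed rule list for illustration.
CONSTRUCTED_RULES = [
    (22, "203.0.113.7/32"),
    (3389, "0.0.0.0/0"),
    (22, "198.51.100.77/24"),
    (80, "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(single_ip_rule("203.0.113.7"))
    print(range_rules("203.0.113.10", "203.0.113.20"))
    for finding in audit(CONSTRUCTED_RULES):
        print(finding)
```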

Remote desktop connection

[Figure: Retrieving Windows instance password]
[Figure: Remote desktop client in Windows]
[Figure: Remmina remote desktop client in Ubuntu]

To connect to a Windows VM we will use a Remote Desktop Connection client. To connect to your Windows VM you need to supply a floating IP, user name, and password.

Retrieving the password

Open the Retrieve Instance Password form:

  1. Go to Instances on the left menu.
  2. In the drop-down menu next to the instance, select Retrieve Password.

The password has been encrypted using the public key you selected when creating the VM. To decrypt the password:

  1. Click the Choose File button and browse to your private key file.

    If you followed the steps above in the ssh key section, you should have a private key saved on your local computer with a ".pem" extension which matches the public key.

  2. Select the key and click Open.
  3. Click the Decrypt Password button at the bottom left.

Keep this form open as we will use the password in the next step. This process can be repeated later to retrieve the password again.

From a Windows client

Many Windows systems come with the remote desktop connection tool pre-installed. Try searching for "remote desktop connection" in your Windows system search. If you cannot find it, you can go to the Microsoft store and install it. It should be a free installation.

Once you have run the remote desktop connection tool you should see a window similar to the one displayed on the right. To connect to your Windows VM:

  1. Enter the public IP address next to Computer.
  2. Add the user name you were provided with in the User name text box.
  3. Click the Connect button at the bottom.
  4. Enter the password retrieved in the previous step when prompted.
  5. Click the OK button.

You will likely be presented with the alert "The identity of the remote computer cannot be verified. Do you want to connect anyway?". This is normal; click Yes to continue. Once you connect you should see the desktop of your Windows VM displayed within the RDC window.

TODO: The specific certificate error is "The certificate is not from a trusted certifying authority". Is seeing this alert really normal? Do we want to register the Windows image certificate with a signing authority? Could we use letsencrypt or should we just ignore this issue?

From a Linux client

To connect via RDP from Linux you will need a remote desktop client. There are a number of different clients out there, but the Remmina client appears to work well when tested with Ubuntu. The previous link provides instructions for installing it in Ubuntu, Debian, Fedora and a few other Linux operating systems.

Once you have installed and launched Remmina to connect to your Windows VM:

  1. Click on Create a new remote desktop file (file with a green '+' sign).

    You should see a window similar to that shown on the right.

  2. Enter the public IP of your Windows VM next to Server.
  3. Enter the user name you were provided next to User name.
  4. Enter the password you retrieved in the above step next to Password.
  5. Click Connect.

From a Mac client

TODO: Anyone with a Mac want to write up this section?

License information

TODO: need to provide information which would be helpful for users to know what path to take to get a license. Should cover things like:

  • Where to go to get a license
  • What kind of license do I need/what licenses will work in the cloud
  • How to apply my license to my existing cloud VM
  • How to apply it to a new VM (if that is different than above bullet item)

Comments on key pairs

There are a couple different formats for key files and you can also choose to protect your private keys with passphrases or not. In order to be able to decrypt the Windows VM password your private key must be in OpenSSH format and not have a passphrase. If you created your key pair with OpenStack and downloaded the .pem key file it will already be in the correct format. If you used the ssh-keygen command to create your key pair and didn't specify a passphrase it will also likely be in the correct format. For more general information about key pairs see the SSH Keys page.

An example of an acceptable private key in the OpenSSH format without a passphrase:


-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAvMP5ziiOw9b5XMZUphATDZdnbFPCT0TKZwOI9qRNBJmfeLfe
...
DrzXjRpzmTb4D1+wTG1u7ucpY04Q3KHmX11YJxXcykq4l5jRZTKj
-----END RSA PRIVATE KEY-----

The ... in the middle indicates multiple lines of characters similar to those above and below it. Below are two examples of private keys which will not work with OpenStack with Windows VMs.

OpenSSH format with a passphrase:


-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,CA51DBE454ACC89A

0oXD+6j5aiWIwrNMiGYDqoD0OqlURfKeQhy//FwHuyuithOSI8uwjSUqV9BM9vi1
...
8XaBb/ALqh8zLQOXEUuTstlMWXnhzBWLvu7tob0QN7pI16g3CXuOag==
-----END RSA PRIVATE KEY-----

ssh.com format without a passphrase:


---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: "rsa-key-20171130"
P2/56wAAA+wAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
...
QJX/qgGp0=
---- END SSH2 ENCRYPTED PRIVATE KEY ----
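
The three cases above can be told apart from the first and last lines and the header fields alone, without reading any key material. The classifier below is an added example, not part of the original page; the function name is hypothetical and the sample files are constructed, with placeholder bodies in place of real key data.

```python
import re

# Matches both boundary styles shown above: "-----BEGIN X-----" and "---- BEGIN X ----".
_BOUNDARY = re.compile(r"^(-{4,5}) ?(BEGIN|END) (.+?) ?-{4,5}$")
UNRECOGNISED = ("unrecognised", None, False)


def classify_private_key(text):
    """Return (format, has_passphrase, usable_for_windows_password)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2:
        return UNRECOGNISED
    first, last = _BOUNDARY.match(lines[0]), _BOUNDARY.match(lines[-1])
    if not first or not last:
        return UNRECOGNISED
    if first.group(2) != "BEGIN" or last.group(2) != "END":
        return UNRECOGNISED
    if first.group(3) != last.group(3):
        return UNRECOGNISED
    # "Name: value" header lines sit between the BEGIN line and the base64 body.
    headers = {}
    for ln in lines[1:-1]:
        if ":" not in ln:
            break
        name, value = ln.split(":", 1)
        headers[name.strip()] = value.strip()
    label = first.group(3)
    if label == "RSA PRIVATE KEY" and first.group(1) == "-----":
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        return ("OpenSSH (PEM) RSA", encrypted, not encrypted)
    if label == "SSH2 ENCRYPTED PRIVATE KEY":
        # This header reads ENCRYPTED even for the passphrase-free example above,
        # so the passphrase state is reported as unknown (None).
        return ("ssh.com", None, False)
    return UNRECOGNISED


# Constructed samples: real boundary and header lines, placeholder bodies.
PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n"
WITH_PASSPHRASE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n"
    "\n"
    "QUJDRA==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SSH_COM = (
    "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\n"
    'Comment: "constructed-key"\n'
    "QUJDRA==\n"
    "---- END SSH2 ENCRYPTED PRIVATE KEY ----\n"
)

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN), ("passphrase", WITH_PASSPHRASE), ("ssh.com", SSH_COM)]:
        print(name, "->", classify_private_key(sample))
```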

Where to go from here