Self-service Cloud Infrastructure (OpenStack)
Status: beta phase in progress (invite-only for now)
Quick Start
This page provides a short description for the process of launching a Linux-based virtual machine, setting up a DNS name for it and making it available on the network.
While we prepare more comprehensive documentation, please refer to CERN's OpenStack Guide and/or the upstream documentation provided by the OpenStack project.
Subscribe to the OpenStack Service
As noted in your invitation mail you need to request a project (or tenant) before you're able to sign in to the dashboard.
The corresponding web form is available at request-project.apps.h-da.cloud.
Note that the project short identifier given there will be part of any DNS name created for your virtual machines.
Also, if you want to grant shared access to the project to any other h_da users, remember to supply their names there as well. Adding additional users to your project after its initial creation is currently not supported through a self-service interface (but might be in the future).
After submitting the form you should receive an indication that project creation was performed successfully. You should also get an email with some additional information.
Sign in to the OpenStack Dashboard
Following project creation you're now able to sign in to the web dashboard, available at beta.h-da.cloud.
Use your standard h_da credentials. Important: specify h-da.de in the sign-in form's Domain field.
Creating an Instance
To create a new instance (virtual machine), navigate to the Instances Tab and use the Launch Instance button.
Besides picking a name for your instance, you can leave the default settings before proceeding with Next.
Operating System Image
In the Source tab, pick an operating system image to use.
Flavor
The flavor (or instance type) determines the amount of resources allocated to your virtual machine.
Networks
Each project is assigned its own network that is connected to the outside world using a router.
Make sure to select your project network in the Networks tab (it should already be pre-selected).
Security Groups
The term security group refers to network access control lists (firewall rules). These allow you to control who can connect to services provided by your machine.
For convenience, there are predefined security groups: allow-ssh (for allowing SSH login, required to log in to your VM) and allow-icmp (recommended for sane network behaviour). Additional ones for providing access only to the h_da campus network might be added in the future.
Key Pairs
Linux-based instances generally use SSH public key authentication for controlling who can log in to the system.
Import a pre-existing SSH public key using the Import Key Pair button.
Choose "SSH Key" as the Key Type and paste your public key.
Launch the Instance
Once finished, press Launch Instance to trigger creation of your virtual machine. This process might take some time. You can follow its progress by clicking on the instance name and viewing the log output provided by the guest operating system.
Completion is usually signaled by a log message like "Cloud-init finished" combined with an ASCII art overview of IP addresses and imported SSH keys.
Connecting to your Instance
In the instance overview you can see that your virtual machine has two IP addresses assigned to it:
- an IPv4 address from private RFC1918 space (e.g. 10.192.1.154)
- a globally-routed IPv6 address (e.g. 2001:67c:295c:5001:f816:3eff:fe78:4aed)
The IPv6 address is directly reachable from the outside world (if allowed by configured security groups).
$ ssh ubuntu@2001:67c:295c:5001:f816:3eff:fe78:4aed
The private IPv4 address allows the VM to communicate outwards (through SNAT) but cannot be used to reach the system from the outside world.
Getting a public IPv4 address
A globally-routed IPv4 address may be allocated to your instance by using a concept called Floating IPs. Any traffic destined to a floating IP will be directed to the VM it is associated with.
In the instance overview, choose Associate Floating IP in the dropdown.
Create a new floating IP using the + button.
In the popup just select Allocate IP.
Associate the newly created IP address with your instance.
Now your virtual machine should be reachable from the outside world using IPv6 as well as IPv4 (as allowed by security groups).
$ ssh ubuntu@141.100.232.193
DNS names
Approximately no one wants to access services using their raw IP addresses. With IPv6 in particular, even remembering them is barely possible.
Hence, every project is also assigned a domain in the Domain Name System (DNS). Your domain (also called zone in DNS lingo) is available through the dashboard.
To create a DNS name for your instance, use Create Record Set.
Enter the fully-qualified DNS name to use (the name must be within your project domain) and the IP address it should point to. Record type is A for IPv4 addresses and AAAA for IPv6.
After submitting the form the record set should show up with status Pending and eventually transition to Active.
You should now be able to connect to your instance using a DNS name.
$ ssh ubuntu@my-instance.example.users.h-da.cloud
Don't be concerned if this doesn't work immediately. DNS data tends to be heavily cached and you might have to wait for a negative cache entry to expire (especially if you tried to use the name while it was not yet active on the OpenStack name servers).
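The following is an added example (not part of this guide or the service's own tooling) that works out which record sets to create for an instance from the addresses shown in the dashboard, applying the rules above: the name must sit inside the project zone, IPv4 gets an A record, IPv6 an AAAA record, and the private RFC1918 address is skipped because it is not reachable from outside. The project zone and addresses are constructed values mirroring the walkthrough.

```python
import ipaddress

# Constructed example zone; the real one is shown in your dashboard.
PROJECT_ZONE = "example.users.h-da.cloud"

# Constructed addresses as an instance overview would list them:
# private IPv4 (tenant network), global IPv6, and a floating IPv4.
EXAMPLE_ADDRESSES = [
    "10.192.1.154",
    "2001:67c:295c:5001:f816:3eff:fe78:4aed",
    "141.100.232.193",
]


def record_sets_for_instance(fqdn, addresses, zone=PROJECT_ZONE):
    """Return (name, type, address) tuples worth creating for an instance.

    Raises ValueError when the name is not inside the project zone, which
    is the same constraint the Create Record Set form enforces.
    """
    name = fqdn.rstrip(".")
    if name == zone or not name.endswith("." + zone):
        raise ValueError(f"{fqdn!r} is not within the project zone {zone!r}")
    records = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version == 4 and ip.is_private:
            # Reachable only via SNAT from inside; a public A record for it
            # would never resolve to something clients can connect to.
            continue
        rtype = "A" if ip.version == 4 else "AAAA"
        records.append((name + ".", rtype, str(ip)))
    return records


if __name__ == "__main__":
    for rec in record_sets_for_instance("my-instance." + PROJECT_ZONE, EXAMPLE_ADDRESSES):
        print(*rec)
```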
Known Issues
This section describes known issues and their workarounds, if any.
Docker Networking
When running Docker containers inside the VM, networking appears to be randomly broken inside the container.
This is caused by an MTU mismatch. The Docker daemon always creates its bridge device and any associated container interfaces with an MTU of 1500, regardless of the virtual machine interface's actual MTU.
Workaround
To work around this issue, edit /etc/docker/daemon.json and set the MTU for created container interfaces to a value less than or equal to 1422.
{
"mtu": 1422
}
Make sure to restart the Docker daemon as well as any containers that might still be running.
Depending on how Docker was installed, the config file path may differ. For Snap installations the file can be found at /var/snap/docker/current/config/daemon.json. If the file already contains other entries, leave those in place and include the MTU line in addition to them.
Example:
{
"log-level": "error",
"storage-driver": "overlay2",
"mtu": 1422
}
For additional information including a solution for docker-compose, refer to this article.
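An added example (not from this guide or from Docker) that applies the workaround safely: it merges the "mtu" entry into an existing daemon.json without dropping other entries, refuses values above the 1422 limit, and, after the daemon restart, checks the docker0 bridge MTU by parsing `ip link show` output. The `ip link` sample below is constructed.

```python
import json
import re

MAX_MTU = 1422  # upper bound given in the workaround above

# Constructed `ip link show` output from a VM before the daemon restart:
# the bridge still carries the default 1500.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
4: veth0ab12@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
"""


def merged_docker_config(existing_text, mtu=MAX_MTU):
    """Parse the current daemon.json (empty string if absent) and set mtu."""
    if mtu > MAX_MTU:
        raise ValueError(f"mtu {mtu} exceeds the {MAX_MTU} limit of the VM network")
    config = json.loads(existing_text) if existing_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    config["mtu"] = mtu  # other keys such as log-level are kept untouched
    return config


def with_docker_mtu(existing_text, mtu=MAX_MTU):
    """Return the new daemon.json file content as text."""
    return json.dumps(merged_docker_config(existing_text, mtu), indent=2) + "\n"


# "<index>: <name>[@peer]: <flags> mtu <n> ..." as printed by iproute2
_LINK_RE = re.compile(r"^\d+: ([^:@]+)[^ ]*: <[^>]*> mtu (\d+)")


def link_mtus(ip_link_output):
    """Map interface name -> MTU from `ip link show` output."""
    mtus = {}
    for line in ip_link_output.splitlines():
        m = _LINK_RE.match(line)
        if m:
            mtus[m.group(1)] = int(m.group(2))
    return mtus


def docker_mtu_ok(ip_link_output, bridge="docker0", mtu=MAX_MTU):
    """True once the Docker bridge reports the configured MTU."""
    return link_mtus(ip_link_output).get(bridge) == mtu
```

Run with_docker_mtu on the current file content, write the result back, restart the daemon and containers, then feed the real `ip link show` output to docker_mtu_ok.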
Going Forward
We're currently validating a change to allow for a larger MTU on the virtual machine network interfaces.
Slow I/O on Boot Volumes
Boot volumes are implemented as writable shallow clones of their underlying OS base images. Even tiny write operations (like file system timestamp updates) force an "upcopy" of a much larger block of data. Therefore it's expected that boot volumes will always be slower than additional volumes attached to your instance.
Still, the performance delta seems bigger than expected so we're investigating.
Workaround
If you need fast storage, create a separate volume and attach it to your instance.