infra-docs

Edit

Self-service Cloud Infrastructure (OpenStack)

Status: beta phase in progress (invite-only for now)

Quick Start

This page provides a short description for the process of launching a Linux-based virtual machine, setting up a DNS name for it and making it available on the network.

While we prepare more comprehensive documentation, please refer to CERN's OpenStack Guide and/or the upstream documentation provided by the OpenStack project.

Subscribe to the OpenStack Service

As noted in your invitation mail you need to request a project (or tenant) before you're able to sign in to the dashboard.

The corresponding web form is available at request-project.apps.h-da.cloud.

Note that the project short identifier given there will be part of any DNS name created for your virtual machines.

Also, if you want to grant shared access to the project to any other h_da users, remember to supply their names there as well. Adding additional users to your project after its initial creation is currently not supported through a self-service interface (but might be in the future).

After submitting the form you should receive an indication that project creation was performed successfully. You should also get an email with some additional information.

Sign in to the OpenStack Dashboard

Following project creation you're now able to sign in to the web dashboard, available at beta.h-da.cloud.

Use your standard h_da credentials. Important: specify h-da.de in the sign-in form's Domain field.

Dashboard login

Creating an Instance

To create a new instance (virtual machine), navigate to the Instances Tab and use the Launch Instance button.

Launch instance

Besides picking a name for your instance, you can leave the default settings before proceeding with Next.

Instance details

Operating System Image

In the Source tab, pick an operating system image to use.

Instance source

Flavor

The flavor (or instance type) determines the amount of resources allocated to your virtual machine.

Instance flavor

Networks

Each project is assigned its own network that is connected to the outside world using a router.

Ensure to select your project network in the Networks tab (should already be pre-selected).

Instance network

Security Groups

The term security group refers to network access control lists (firewall rules). These allow you to control who can connect to services provided by your machine.

For convenience, there are predefined security groups: allow-ssh (for allowing SSH login, required to login to your VM) and allow-icmp (recommended for sane network behaviour). Additional ones for providing access only to the h_da campus network might be added in the future.

Instance security groups

Key Pairs

Linux-based instances generally use SSH public key authentication for controlling who can log in to the system.

Import a pre-existing SSH public key using the Import Key Pair button.

Instance key pairs

Choose "SSH Key" as the Key Type and paste your public key.

Instance import pub key

Launch the Instance

Once finished, press Launch Instance to trigger creation of your virtual machine. This process might take some time. You can follow its progress by clicking on the instance name and viewing the log output provided by the guest operating system.

Completion is usually signaled by a log message like "Cloud-init finished" combined with an ASCII art overview of IP addresses and imported SSH keys.

Connecting to your Instance

In the instance overview you can see that your virtual machine has two IP addresses assigned to it:

  • an IPv4 address from private RFC1918 space (e.g. 10.192.1.154)
  • a globally-routed IPv6 address (e.g. 2001:67c:295c:5001:f816:3eff:fe78:4aed)

The IPv6 address is directly reachable from the outside world (if allowed by configured security groups).

$ ssh ubuntu@2001:67c:295c:5001:f816:3eff:fe78:4aed

The private IPv4 address allows the VM to communicate outwards (through SNAT) but cannot be used to reach the system from the outside world.

Getting a public IPv4 address

A globally-routed IPv4 address may be allocated to your instance by using a concept called Floating IPs. Any traffic destined to a floating IP will be directed to the VM it is associated with.

In the instance overview, choose Associate Floating IP in the dropdown.

Floating IP

Create a new floating IP using the + button.

Floating IP

In the popup just select Allocate IP.

Floating IP

Associate the newly created IP address with your instance.

Floating IP

Now your virtual machine should be reachable from the outside world using IPv6 as well as IPv4 (as allowed by security groups).

$ ssh ubuntu@141.100.232.193

DNS names

Approximately no one wants to access services using their raw IP addresses. With IPv6 in particular, even remembering them is barely possible.

Hence, every project is also assigned a domain in the Domain Name System (DNS). Your domain (also called zone in DNS lingo) is available through the dashboard.

DNS Zone

To create a DNS name for your instance, use Create Record Set.

DNS RRset

Enter the fully-qualified DNS name to use (the name must be within your project domain) and the IP address it should point to. Record type is A for IPv4 addresses and AAAA for IPv6.

DNS pending

After submitting the form the record set should show up with status Pending and eventually transition to Active.

You should now be able to connect to your instance using a DNS name.

$ ssh ubuntu@my-instance.example.users.h-da.cloud

Don't be concerned if this doesn't work immediately. DNS data tends to be heavily cached and you might have to wait for a negative cache entry to expire (especially if you tried to use the name while it was not yet active on the OpenStack name servers).

Known Issues

This section describes known issues and their workarounds, if any.

Docker Networking

When running Docker containers inside the VM, networking appears to be randomly broken inside the container.

This is caused by an MTU mismatch. The Docker daemon always creates its bridge device and any associated container interfaces with an MTU of 1500, regardless of the virtual machine interface's actual MTU.

Workaround

To work around this issue, edit /etc/docker/daemon.json and set the MTU for created container interfaces to a value less than or equal to 1422.

{
  "mtu": 1422
}

Make sure to restart the Docker daemon as well as any containers that might still be running.

Depending on how Docker was installed, the config file path may differ. For Snap installations the file can be found at /var/snap/docker/current/config/daemon.json. If the file already contains other entries, leave those in place and include the MTU line in addition to them.

Example:

{
    "log-level":        "error",
    "storage-driver":   "overlay2",
    "mtu": 1422
}

For additional information including a solution for docker-compose, refer to this article.

Going Forward

We're currently validating a change to allow for a larger MTU on the virtual machine network interfaces.

Slow I/O on Boot Volumes

Boot volumes are implemented as writable shallow clones of their underlying OS base images. Even tiny write operations (like file system timestamp updates) force an "upcopy" of a much larger block of data. Therefore it's expected that boot volumes will always be slower than additional volumes attached to your instance.

Still, the performance delta seems bigger than expected so we're investigating.

Workaround

If you need fast storage, create a separate volume and attach it to your instance.

Last updated on 5/18/2022 by Lars Seipel
Intel Unite - document sharing toolNetbox