CloudPlatform (powered by Apache CloudStack) Version 4.2 Administrator's Guide
Revised October 27, 2013 10:50 pm Pacific
Author: Citrix CloudPlatform
© 2013 Citrix Systems, Inc. All rights reserved. Specifications are subject to change without notice. Citrix Systems, Inc., the Citrix logo, Citrix XenServer, Citrix XenCenter, and CloudPlatform are trademarks or registered trademarks of Citrix Systems, Inc.
Contents (excerpt)
1. Getting More Information and Help
1.1. Additional Documentation Available
1.2. Citrix Knowledge Center
1.3. Contacting Support
2. Concepts
2.1. What Is CloudPlatform?
7. Using Projects to Organize Users and Resources
7.1. Overview of Projects
7.2. Configuring Projects
7.2.1. Setting Up Invitations
7.2.2.
10.4.1. Individual
10.4.2. Support Matrix for an Isolated Network (Combination)
10.4.3. Support Matrix for Shared Network (Combination)
10.4.4. Support Matrix for Basic Zone
10.5. Network Offerings
12.7. Using Cisco UCS as Bare Metal Host
12.7.1. Registering a UCS Manager
12.7.2. Associating a Profile with a UCS Blade
12.7.3. Disassociating a Profile from a UCS Blade
12.8.
14.4.8. Volume Deletion and Garbage Collection
14.5. Working with Snapshots
14.5.1. Automatic Snapshot Creation and Retention
14.5.2. Incremental Snapshots and Backup
14.5.3. Volume Status
16.15.2. Limitations
16.15.3. Best Practices
16.15.4. Reserving an IP Range
16.16. Configuring Multiple IP Addresses on a Single NIC
17. Working with System Virtual Machines
17.1. The System VM Template
17.2. Multiple System VM Support for VMware
17.3. Console Proxy
17.3.1. Changing the Console Proxy SSL Certificate and Domain
17.4. Virtual Router
22.3. Log Collection Utility cloud-bugtool
22.3.1. Using cloud-bugtool
22.4. Data Loss on Exported Primary Storage
22.5. Recovering a Lost Virtual Router
Chapter 1. Getting More Information and Help
1.1. Additional Documentation Available
The following guides are available:
• Installation Guide — Covers initial installation of CloudPlatform. It aims to cover in full detail all the steps and requirements to obtain a functioning cloud deployment. At times, this guide mentions additional topics in the context of installation tasks, but does not give full details on every topic.
Chapter 2. Concepts
2.1. What Is CloudPlatform?
CloudPlatform is a software platform that pools computing resources to build public, private, and hybrid Infrastructure as a Service (IaaS) clouds. CloudPlatform manages the network, storage, and compute nodes that make up a cloud infrastructure. Use CloudPlatform to deploy, manage, and configure cloud computing environments. Typical users are service providers and enterprises.
Massively Scalable Infrastructure Management
CloudPlatform can manage tens of thousands of servers installed in multiple geographically distributed datacenters. The centralized management server scales linearly, eliminating the need for intermediate cluster-level management servers. No single component failure can cause cloud-wide outage. Periodic maintenance of the management server can be performed without affecting the functioning of virtual machines running in the cloud.
A more full-featured installation consists of a highly-available multi-node Management Server installation and up to thousands of hosts using any of several advanced networking setups. For information about deployment options, see Choosing a Deployment Architecture in the Installation Guide.
2.3.1. Management Server Overview
The Management Server is the CloudPlatform software that manages cloud resources.
• Zone: Typically, a zone is equivalent to a single datacenter. A zone consists of one or more pods and secondary storage.
• Pod: A pod is usually one rack of hardware that includes a layer-2 switch and one or more clusters.
• Cluster: A cluster consists of one or more hosts and primary storage.
• Host: A single compute node within a cluster. The hosts are where the actual cloud services run in the form of guest virtual machines.
• Basic. Provides a single network where guest isolation can be provided through layer-3 means such as security groups (IP address source filtering).
• Advanced. For more sophisticated network topologies. This network model provides the most flexibility in defining guest networks and providing guest isolation.
For more details, see Network Setup in the Installation Guide.
Chapter 3. Cloud Infrastructure Concepts
3.1. About Regions
To increase reliability of the cloud, you can optionally group resources into multiple geographic regions. A region is the largest available organizational unit within a CloudPlatform deployment. A region is made up of several availability zones, where each zone is equivalent to a datacenter. Each region is controlled by its own cluster of Management Servers, running in one of the zones.
The benefit of organizing infrastructure into zones is to provide physical isolation and redundancy. For example, each zone can have its own power supply and network uplink, and the zones can be widely separated geographically (though this is not required). A zone consists of:
• One or more pods. Each pod contains one or more clusters of hosts and one or more primary storage servers.
For each zone, the administrator must decide the following.
• How many pods to place in a zone.
• How many clusters to place in each pod.
• How many hosts to place in each cluster.
• (Optional) If zone-wide primary storage is being used, decide how many primary storage servers to place in each zone and total capacity for these storage servers. (Supported for KVM and VMware hosts)
• How many primary storage servers to place in each cluster and total capacity for these storage servers.
3.4. About Clusters
A cluster provides a way to group hosts. To be precise, a cluster is a XenServer server pool, a set of KVM servers, a set of OVM hosts, or a VMware cluster preconfigured in vCenter. The hosts in a cluster all have identical hardware, run the same hypervisor, are on the same subnet, and access the same shared primary storage.
server with CloudPlatform. There may be multiple vCenter servers per zone. Each vCenter server may manage multiple VMware clusters.
3.5. About Hosts
A host is a single computer. Hosts provide the computing resources that run guest virtual machines. Each host has hypervisor software installed on it to manage the guest VMs. For example, a host can be a Citrix XenServer server, a Linux KVM-enabled server, or an ESXi server.
• Dell EqualLogic™ for iSCSI
• Network Appliances filers for NFS and iSCSI
• Scale Computing for NFS
If you intend to use only local disk for your installation, you can skip adding separate primary storage.
3.7.
type for each network vary depending on whether you are creating a zone with basic networking or advanced networking. A physical network is the actual network hardware and wiring in a zone. A zone can have multiple physical networks. An administrator can:
• Add/Remove/Update physical networks in a zone
• Configure VLANs on the physical network
• Configure a name so the network can be recognized by hypervisors
• Configure the service providers (firewalls, load balancers, etc.
you must also configure a network to carry public traffic. CloudPlatform takes care of presenting the necessary network configuration steps to you in the UI when you add a new zone.
3.8.2. Basic Zone Guest IP Addresses
When basic networking is used, CloudPlatform will assign IP addresses in the CIDR of the pod to the guests in that pod. The administrator must add a direct IP range on the pod for this purpose. These IPs are in the same VLAN as the hosts. Because guests share the hosts' VLAN, guest-to-guest isolation in a basic zone rests on security groups rather than on the network layout.
3.8.3.
3.8.5. Advanced Zone Public IP Addresses
When advanced networking is used, the administrator can create additional networks for use by the guests. These networks can span the zone and be available to all accounts, or they can be scoped to a single account, in which case only the named account may create guests that attach to these networks. The networks are defined by a VLAN ID, IP range, and gateway. The administrator may provision thousands of these networks if desired.
Chapter 4. Accounts
4.1. Accounts, Users, and Domains
Accounts
An account typically represents a customer of the service provider or a department in a large organization. Multiple users can exist in an account.
Domains
Accounts are grouped by domains. Domains usually contain multiple accounts that have some logical relationship to each other and a set of delegated administrators with some authority over the domain and its subdomains.
4.1.1. Dedicating Resources to Accounts and Domains
The root administrator can dedicate resources to a specific domain or account that needs private infrastructure for additional security or performance guarantees. A zone, pod, cluster, or host can be reserved by the root administrator for a specific domain or account. Only users in that domain or its subdomains may use the infrastructure. For example, only users in a given domain can create guests in a zone dedicated to that domain.
If you delete an account or domain, any hosts, clusters, pods, and zones that were dedicated to it are freed up. They will now be available to be shared by any account or domain, or the administrator may choose to re-dedicate them to a different account or domain.
System VMs and virtual routers affect the behavior of host dedication. System VMs and virtual routers are owned by the CloudPlatform system account, and they can be deployed on any host, including a dedicated one.
5. Specify the following:
• Bind DN: The full distinguished name (DN), including common name (CN), of an LDAP user account that has the necessary privileges to search users. For example: cn=admin,cn=users,dc=mycom,dc=com. This user account must have at least domain user privileges. Use a dedicated, read-only service account rather than a directory administrator: the Management Server stores the bind password, and the account only needs permission to search the directory.
• Bind Password: The password used in association with the Bind DN user account.
• Hostname: Hostname or IP address.
6. Click OK.
4.2.1.2. Removing an LDAP Configuration
1. Log in to CloudPlatform.
2. From the left navigational bar, click Global Settings.
3. From the Select view drop down, select LDAP Configuration.
4. In the Quick View, click Remove LDAP. Alternatively, you can click Remove LDAP in the LDAP Configuration Details page.
4.2.2.
depending on which LDAP server you are using. A full discussion of distinguished names is outside the scope of our documentation. The following table shows some examples of search bases to find users in the testing department.
LDAP Server        Example Search Base DN
ApacheDS           ou=testing,o=project
Active Directory   OU=testing,DC=company
4.2.4. Query Filter
The query filter is used to find a mapped user in the external LDAP server. Example filters: (&(sAMAccountName=%u)) or (&(mail=%e))
4.2.5. Search User Bind DN
The bind DN is the user on the external LDAP server permitted to search the LDAP directory within the defined search base. When the DN is returned, the DN and passed password are used to authenticate the CloudPlatform user with an LDAP bind. A full discussion of bind DNs is outside the scope of our documentation. The following table shows some examples of bind DNs.
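The search-then-bind sequence described in the LDAP sections above, as an added example that is not part of the guide or of the product's own code: it expands the Query Filter placeholders (%u is the login name and %e the e-mail address, following the product's filter convention) with RFC 4515 escaping, searches the Search Base DN as the Bind DN account, and then binds as the single entry found. The directory, the DNs, the passwords and the svc-cloud search account are constructed in-memory stand-ins; a real deployment performs the same three steps against the LDAP server you configured.

```python
import re

# Constructed in-memory stand-in for the external directory (no LDAP server is contacted):
# DN -> (attributes, password). svc-cloud is the search account used as the Bind DN.
DIRECTORY = {
    "cn=svc-cloud,cn=users,dc=mycom,dc=com": (
        {"sAMAccountName": "svc-cloud", "mail": "svc-cloud@mycom.com"}, "bind-secret"),
    "cn=alice,ou=testing,dc=mycom,dc=com": (
        {"sAMAccountName": "alice", "mail": "alice@mycom.com"}, "alice-pw"),
    "cn=bob,ou=testing,dc=mycom,dc=com": (
        {"sAMAccountName": "bob", "mail": "bob@mycom.com"}, "bob-pw"),
}
SEARCH_BASE = "ou=testing,dc=mycom,dc=com"          # Search Base DN (testing department)
BIND_DN = "cn=svc-cloud,cn=users,dc=mycom,dc=com"   # read-only search account, not an admin


def escape_filter_value(value):
    """RFC 4515 escaping: a substituted value can never close, extend or wildcard the filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def expand_query_filter(template, username="", email="", escape=True):
    """Fill the %u (login name) and %e (e-mail) placeholders of a Query Filter template."""
    if escape:
        username, email = escape_filter_value(username), escape_filter_value(email)
    # Single pass, so a value containing a literal "%e" is not expanded a second time.
    return re.sub(r"%([ue])", lambda m: {"u": username, "e": email}[m.group(1)], template)


_CLAUSE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def _value_regex(value):
    """LDAP assertion value -> regex: an unescaped * is a wildcard, \\xx is a literal byte."""
    def unescape(segment):
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), segment)
    return re.compile("^" + ".*".join(re.escape(unescape(s)) for s in value.split("*")) + "$")


def search(base, ldap_filter):
    """Subtree search for (attr=value) or (&(attr=value)...) filters; returns matching DNs."""
    body = ldap_filter[2:-1] if ldap_filter.startswith("(&") else ldap_filter
    clauses = _CLAUSE.findall(body)
    if not clauses or "".join("(%s=%s)" % c for c in clauses) != body:
        raise ValueError("unsupported or malformed filter: %r" % ldap_filter)
    hits = [dn for dn, (attrs, _pw) in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base))
            and all(a in attrs and _value_regex(v).match(attrs[a]) for a, v in clauses)]
    return sorted(hits)


def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind: True only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password


def ldap_authenticate(bind_dn, bind_password, query_template, login, password):
    """Search-then-bind as the guide describes. Returns the user's DN, or None on failure."""
    if not password:
        # Refuse an empty password before talking to the server: a bind with a DN and no
        # password is an unauthenticated bind, which Active Directory answers as success.
        return None
    if not simple_bind(bind_dn, bind_password):
        raise PermissionError("Bind DN could not authenticate; check Bind DN / Bind Password")
    matches = search(SEARCH_BASE, expand_query_filter(query_template, username=login, email=login))
    if len(matches) != 1:   # unknown user, or an ambiguous match: refuse rather than guess
        return None
    return matches[0] if simple_bind(matches[0], password) else None


if __name__ == "__main__":
    tmpl = "(&(sAMAccountName=%u))"
    print(ldap_authenticate(BIND_DN, "bind-secret", tmpl, "alice", "alice-pw"))
    # Unescaped, a login of "*" turns the lookup into a wildcard and returns every user ...
    print(search(SEARCH_BASE, expand_query_filter(tmpl, username="*", escape=False)))
    # ... escaped, it matches only a literal "*" and returns nothing.
    print(search(SEARCH_BASE, expand_query_filter(tmpl, username="*")))
```

The two checks that matter are the ones a thin wrapper around an LDAP library tends to omit: the login name is escaped before it is substituted into the filter, so it cannot change the filter's structure, and an empty password is rejected before any bind is attempted.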
Chapter 5. User Services Overview In addition to the physical and logical infrastructure of your cloud, and the CloudPlatform software and servers, you also need a layer of user services so that people can actually make use of the cloud. This means not just a user UI, but a set of options and resources that users can choose from, such as templates for creating virtual machines, disk storage, and more.
Chapter 6. User Interface
6.1. Supported Browsers
The CloudPlatform web-based UI is available in the following popular browsers:
• Mozilla Firefox 22 or greater
• Apple Safari, all versions packaged with Mac OS X 10.5 (Leopard) or greater
• Google Chrome, all versions starting from the year 2012
• Microsoft Internet Explorer 9 or greater
6.2. Log In to the UI
CloudPlatform provides a web-based UI that can be used by both administrators and end users.
6.2.2. Root Administrator's UI Overview
The CloudPlatform UI helps the CloudPlatform administrator provision, view, and manage the cloud infrastructure, domains, user accounts, projects, and configuration settings. The first time you start the UI after a fresh Management Server installation, you can choose to follow a guided tour to provision your cloud infrastructure. On subsequent logins, the dashboard of the logged-in user appears.
Warning
You are logging in as the root administrator. This account manages the CloudPlatform deployment, including physical infrastructure. The root administrator can modify configuration settings to change basic functionality, create or delete user accounts, and take many actions that should be performed only by an authorized person. Please change the default password to a new, unique password.
6.2.4.
For more information on creating a new instance, see Section 11.4, “Creating VMs”.
2. Download the script file cloud-set-guest-sshkey from the following link: http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-sshkey.in
3. Copy the file to /etc/init.d.
4. Give the necessary permissions on the script:
chmod +x /etc/init.d/cloud-set-guest-sshkey
5. Run the script while starting up the operating system:
chkconfig --add cloud-set-guest-sshkey
6. Stop the instance.
The script is fetched over plain HTTP and will run as root on every boot of every VM created from this template, so review its contents before copying it into /etc/init.d.
6.3.2.
2. Copy the key data into a file.
Chapter 7. Using Projects to Organize Users and Resources
7.1. Overview of Projects
Projects are used to organize people and resources. CloudPlatform users within a single domain can group themselves into project teams so they can collaborate and share virtual resources such as VMs, snapshots, templates, data disks, and IP addresses. CloudPlatform tracks resource usage per project as well as per user, so the usage can be billed to either a user account or a project.
1. Log in as administrator to the CloudPlatform UI.
2. In the left navigation, click Global Settings.
3. In the search box, type project and click the search button.
4. In the search results, you can see a few other parameters you need to set to control how invitations behave. The table below shows global configuration parameters related to project invitations. Click the edit button to set each parameter.
3. In the search box, type allow.user.create.projects.
4. Click the edit button to set the parameter.
allow.user.create.projects: Set to true to allow end users to create projects. Set to false if you want only the CloudPlatform root administrator and domain administrators to create projects.
5. Restart the Management Server.
# service cloud-management restart
7.3. Creating a New Project
CloudPlatform administrators and domain administrators can create projects.
5. Click the Invitations tab.
6. In Add by, select one of the following:
a. Account – The invitation will appear in the user’s Invitations tab in the Project View. See Using the Project View.
b. Email – The invitation will be sent to the user’s email address. Each emailed invitation includes a unique code called a token which the recipient will provide back to CloudPlatform when accepting the invitation.
7.6. Suspending or Deleting a Project
When a project is suspended, it retains the resources it owns, but they can no longer be used. No new resources or members can be added to a suspended project. When a project is deleted, its resources are destroyed, and member accounts are removed from the project. The project’s status is shown as Disabled pending final deletion.
Chapter 8. Steps to Provisioning Your Cloud Infrastructure
This section tells how to add regions, zones, pods, clusters, hosts, storage, and networks to your cloud. If you are unfamiliar with these entities, please begin by looking through Chapter 3, Cloud Infrastructure Concepts.
8.1. Overview of Provisioning Steps
After the Management Server is installed and running, you can add the compute resources for it to manage.
8.2. Adding Regions (optional)
Grouping your cloud resources into geographic regions is an optional step when provisioning the cloud. For an overview of regions, see Section 3.1, “About Regions”.
8.2.1. The First Region: The Default Region
If you do not take action to define regions, then all the zones in your cloud will be automatically grouped into a single default region. This region is assigned the region ID of 1.
3. Now add the new region to region 1 in CloudPlatform.
a. Log in to CloudPlatform in the first region as root administrator (that is, log in to :8080/client).
b. In the left navigation bar, click Regions.
c. Click Add Region. In the dialog, fill in the following fields:
• ID. A unique identifying number. Use the same number you set in the database during Management Server installation in the new region; for example, 2.
• Name.
2. Once the Management Server is running, add your new region to all existing regions by repeatedly using the Add Region button in the UI. For example, if you were adding region 3:
a. Log in to CloudPlatform in the first region as root administrator (that is, log in to :8080/client), and add a region with ID 3, the name of region 3, and the endpoint :8080/client.
b.
2. In the left navigation bar, click Regions.
3. Click the name of the region you want to delete.
4. Click the Remove Region button.
5. Repeat these steps for :8080/client.
8.3. Adding a Zone
Adding a zone consists of three phases:
• Create a mount point for secondary storage on the Management Server.
• Seed the system VM template on the secondary storage.
• Add the zone.
8.3.1.
This process will require approximately 5 GB of free space on the local file system and up to 30 minutes each time it runs.
• For XenServer:
# /usr/share/cloudstack-common/scripts/storage/secondary/cloud-install-sys-tmplt -m /mnt/secondary -u http://download.cloud.com/templates/4.2/systemvmtemplate-2013-07-12-master-xen.vhd.
The template is downloaded over plain HTTP and becomes the base image of every system VM in the zone (console proxies, secondary storage VMs, and virtual routers), so verify its integrity against a checksum obtained from Citrix through a trusted channel before seeding it.
For more information about the network types, see Network Setup.
7. The rest of the steps differ depending on whether you chose Basic or Advanced. Continue with the steps that apply to you:
• Section 8.3.3.1, “Basic Zone Configuration”
• Section 8.3.3.2, “Advanced Zone Configuration”
8.3.3.1. Basic Zone Configuration
1. After you select Basic in the Add Zone wizard and click Next, you will be asked to enter the following details. Then click Next.
• Name. A name for the zone.
The traffic types are management, public, guest, and storage traffic. For more information about the types, roll over the icons to display their tool tips, or see Basic Zone Network Traffic Types. This screen starts out with some traffic types already assigned. To add more, drag and drop traffic types onto the network. You can also change the network name if desired.
3. Assign a network traffic label to each traffic type on the physical network.
• Pod Name. A name for the pod.
• Reserved system gateway. The gateway for the hosts in that pod.
• Reserved system netmask. The network prefix that defines the pod's subnet. Use CIDR notation.
• Start/End Reserved System IP. The IP range in the management network that CloudPlatform uses to manage various system VMs, such as Secondary Storage VMs, Console Proxy VMs, and DHCP. For more information, see System Reserved IP Addresses.
8. Configure the network for guest traffic.
• KVM Installation and Configuration
• vSphere Installation and Configuration
• Oracle VM (OVM) Installation and Configuration
To configure the first host, enter the following, then click Next:
• Host Name. The DNS name or IP address of the host.
• Username. The username is root.
• Password. This is the password for the user named above (from your XenServer or KVM install). CloudPlatform stores this credential and uses it to manage the host, so keep the management network that carries it separate from guest and public traffic.
• Host Tags. (Optional) Any labels that you use to categorize hosts for ease of maintenance.
• Public. A public zone is available to all users. A zone that is not public will be assigned to a particular domain. Only users in that domain will be allowed to create guest VMs in this zone.
2. Choose which traffic types will be carried by the physical network. The traffic types are management, public, guest, and storage traffic. For more information about the types, roll over the icons to display their tool tips, or see Section 3.8.3, “Advanced Zone Network Traffic Types”.
4. Click Next.
5. Configure the IP range for public Internet traffic. Enter the following details, then click Add. If desired, you can repeat this step to add more public Internet IP ranges. When done, click Next.
• Gateway. The gateway in use for these IP addresses.
• Netmask. The netmask associated with this IP range.
• VLAN. The VLAN that will be used for public traffic.
• Start IP/End IP.
• Start/End Reserved System IP. The IP range in the management network that CloudPlatform uses to manage various system VMs, such as Secondary Storage VMs, Console Proxy VMs, and DHCP. For more information, see Section 3.8.6, “System Reserved IP Addresses”.
7. Specify a range of VLAN IDs to carry guest traffic for each physical network (see VLAN Allocation Example), then click Next.
8. In a new pod, CloudPlatform adds the first cluster for you.
more information, see HA-Enabled Virtual Machines as well as HA for Hosts, both in the Administration Guide.
10. In a new cluster, CloudPlatform adds the first primary storage server for you. You can always add more servers later. For an overview of what primary storage is, see Section 3.6, “About Primary Storage”. To configure the first primary storage server, enter the following, then click Next:
• Name. The name of the storage device.
• Protocol.
SharedMountPoint
• Path. The path on each host that is where this primary storage is mounted. For example, "/mnt/primary".
• Tags (optional). The comma-separated list of tags for this storage device. It should be an equivalent set or superset of the tags on your disk offerings. The tag sets on primary storage across clusters in a Zone must be identical.
5. Enter the following details in the dialog.
• Name. The name of the pod.
• Gateway. The gateway for the hosts in that pod.
• Netmask. The network prefix that defines the pod's subnet. Use CIDR notation.
• Start/End Reserved System IP. The IP range in the management network that CloudPlatform uses to manage various system VMs, such as Secondary Storage VMs, Console Proxy VMs, and DHCP. For more information, see System Reserved IP Addresses.
6.
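As an added check for the pod fields listed above and for the guest VLAN range of step 7 (example code written for this page, not part of the guide or of the product): check_pod verifies that the reserved system gateway and the Start/End Reserved System IP fall inside the subnet given by the reserved system netmask, that neither end of the range is the network or broadcast address, and that a basic-zone guest range in the same pod CIDR does not overlap the reserved range; check_guest_vlan_range verifies that the VLAN range is well formed, within the usable 802.1Q range, and does not contain the public VLAN. The addresses and VLAN numbers used are constructed sample values, and the exclusion of the public VLAN is this example's own rule.

```python
import ipaddress

GUEST_VLAN_MIN, GUEST_VLAN_MAX = 1, 4094   # 802.1Q reserves VLAN IDs 0 and 4095


def _ip_range(start, end):
    """Parse an inclusive IPv4 range; returns (lo, hi), or None if start is after end."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return (lo, hi) if lo <= hi else None


def _overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def check_pod(gateway, netmask, start_ip, end_ip, guest_start=None, guest_end=None):
    """Check the Add Pod fields. Returns a list of problems; an empty list means consistent.

    gateway                 - Reserved system gateway
    netmask                 - Reserved system netmask, as a CIDR ("192.168.10.0/24") or a
                              dotted mask ("255.255.255.0") applied to the gateway
    start_ip / end_ip       - Start/End Reserved System IP (addresses the system VMs use)
    guest_start / guest_end - basic-zone guest IP range in the same pod CIDR (optional); it
                              shares the hosts' VLAN, so it must not overlap the reserved range
    """
    problems = []
    cidr = netmask if "/" in netmask else "%s/%s" % (gateway, netmask)
    subnet = ipaddress.ip_network(cidr, strict=False)
    gw = ipaddress.ip_address(gateway)
    if gw not in subnet:
        problems.append("gateway %s is outside pod subnet %s" % (gw, subnet))

    reserved = _ip_range(start_ip, end_ip)
    if reserved is None:
        problems.append("reserved system range %s-%s is reversed" % (start_ip, end_ip))
    else:
        for ip in reserved:
            if ip not in subnet:
                problems.append("reserved system IP %s is outside %s" % (ip, subnet))
            elif ip in (subnet.network_address, subnet.broadcast_address):
                problems.append("reserved system IP %s is the network or broadcast address" % ip)
        if reserved[0] <= gw <= reserved[1]:
            problems.append("gateway %s lies inside the reserved system range" % gw)

    if guest_start is not None and guest_end is not None:
        guest = _ip_range(guest_start, guest_end)
        if guest is None:
            problems.append("guest range %s-%s is reversed" % (guest_start, guest_end))
        else:
            if any(ip not in subnet for ip in guest):
                problems.append("guest range is not inside pod subnet %s" % subnet)
            if reserved is not None and _overlaps(reserved, guest):
                problems.append("guest range overlaps the reserved system range")
            if guest[0] <= gw <= guest[1]:
                problems.append("gateway %s lies inside the guest range" % gw)
    return problems


def check_guest_vlan_range(vlan_range, public_vlan=None):
    """Validate the guest VLAN ID range from the Add Zone wizard, e.g. "500-599".

    A range that contains the public VLAN would allow a guest network to be allocated on
    the VLAN that carries public traffic, so that case is reported as a problem too."""
    try:
        first, last = (int(part) for part in vlan_range.split("-", 1))
    except ValueError:
        return ["VLAN range must be START-END, got %r" % vlan_range]
    problems = []
    if not GUEST_VLAN_MIN <= first <= last <= GUEST_VLAN_MAX:
        problems.append("VLAN range %s must satisfy %d <= start <= end <= %d"
                        % (vlan_range, GUEST_VLAN_MIN, GUEST_VLAN_MAX))
    if public_vlan is not None and first <= int(public_vlan) <= last:
        problems.append("public VLAN %s falls inside the guest VLAN range" % public_vlan)
    return problems


if __name__ == "__main__":
    # Constructed sample values: a /24 pod whose guest range collides with the system range,
    # and a guest VLAN range that swallows the public VLAN.
    for problem in (check_pod("192.168.10.1", "192.168.10.0/24", "192.168.10.2", "192.168.10.20",
                              guest_start="192.168.10.10", guest_end="192.168.10.200")
                    + check_guest_vlan_range("500-599", public_vlan=550)):
        print("problem:", problem)
```

Run it before filling in the wizard: the Management Server accepts a reserved range that collides with the guest range, and the symptom appears later as address conflicts between system VMs and guests rather than as an error in the dialog.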
3. Click the Compute tab. In the Pods node, click View All. Select the same pod you used in step 1.
4. Click View Clusters, then click Add Cluster. The Add Cluster dialog is displayed.
5. In Hypervisor, choose OVM.
6. In Cluster, enter a name for the cluster.
7. Click Add.
8.5.3. Add Cluster: vSphere
Host management for vSphere is done through a combination of vCenter and the CloudPlatform UI.
2. Log in to the UI.
3. In the left navigation, choose Infrastructure. In Zones, click View More, then click the zone in which you want to add the cluster.
4. Click the Compute tab, and click View All on Pods. Choose the pod to which you want to add the cluster.
5. Click View Clusters.
6. Click Add Cluster.
7. In Hypervisor, choose VMware.
8. Provide the following information in the dialog. The fields below make reference to values from vCenter.
If you have enabled Nexus dvSwitch in the environment, the following parameters for dvSwitch configuration are displayed:
• Nexus dvSwitch IP Address: The IP address of the Nexus VSM appliance.
• Nexus dvSwitch Username: The username required to access the Nexus VSM appliance.
• Nexus dvSwitch Password: The password associated with the username specified above.
There might be a slight delay while the cluster is provisioned.
8.6. Adding a Host
1. Before adding a host to the CloudPlatform configuration, you must first install your chosen hypervisor on the host. CloudPlatform can manage hosts running VMs under a variety of hypervisors. The CloudPlatform Installation Guide provides instructions on how to install each supported hypervisor and configure it for use with CloudPlatform.
For all additional hosts to be added to the cluster, run the following command. This will cause the host to join the master in a XenServer pool.
# xe pool-join master-address=[master IP] master-username=root master-password=[your password]
Note
When copying and pasting a command, be sure the command has pasted as a single line before executing. Some document viewers may introduce unwanted line breaks in copied text.
The master's root password is passed on the command line, so it is recorded in the shell history of the joining host; remove that history entry once the join has completed.
7. Click Add Host.
8. Provide the following information.
• Host Name. The DNS name or IP address of the host.
• Username. Usually root.
• Password. This is the password for the user named above (from your XenServer, KVM, or OVM install).
• Host Tags (Optional). Any labels that you use to categorize hosts for ease of maintenance. For example, you can set to the cloud's HA tag (set in the ha.
• Pod. (Visible only if you choose Cluster in the Scope field.) The pod for the storage device.
• Cluster. (Visible only if you choose Cluster in the Scope field.) The cluster for the storage device.
• Name. The name of the storage device.
• Protocol. For XenServer, choose either NFS, iSCSI, or PreSetup. For KVM, choose NFS or SharedMountPoint. For vSphere, choose either VMFS (iSCSI or FiberChannel) or NFS.
• Server (for NFS, iSCSI, or PreSetup).
3. Log in to the CloudPlatform UI as root administrator.
4. In the left navigation bar, click Infrastructure.
5. In Secondary Storage, click View All.
6. Click Add Secondary Storage.
7. Fill in the following fields:
• Name. Give the storage a descriptive name.
• Provider. Choose the type of storage provider (such as S3, Swift, or NFS). NFS can be used for zone-based storage, and the others for region-wide object storage.
5. In Secondary Storage, click View All.
6. In Select View, choose Secondary Staging Store.
7. Click the Add NFS Secondary Staging Store button.
8. Fill out the dialog box fields, then click OK:
• Zone. The zone where the NFS Secondary Staging Store is to be located.
• NFS server. The name of the zone's Secondary Staging Store.
• Path. The path to the zone's Secondary Staging Store.
8.9. Initialize and Test
After everything is configured, CloudPlatform will perform its initialization.
If you decide to grow your deployment, you can add more hosts, primary storage, zones, pods, and clusters.
Chapter 9. Service Offerings In this chapter we discuss compute, disk, and system service offerings. Network offerings are discussed in the section on setting up networking for users. 9.1. Compute and Disk Service Offerings A service offering is a set of virtual hardware features such as CPU core count and speed, memory, and disk size. The CloudPlatform administrator can set up various offerings, and then end users choose from the available offerings when they create a new VM.
Chapter 9. Service Offerings • Storage type: The type of disk that should be allocated. Local allocates from storage attached directly to the host where the system VM is running. Shared allocates from storage accessible via NFS. • # of CPU cores: The number of cores which should be allocated to a system VM with this offering • CPU (in MHz): The CPU speed of the cores that the system VM is allocated. For example, “2000” would provide for a 2 GHz clock.
Modifying or Deleting a Service Offering • Disk Size. Appears only if Custom Disk Size is not selected. Define the volume size in GB. • QoS Type. Three options: Empty (no Quality of Service), hypervisor (rate limiting enforced on the hypervisor side), and storage (guaranteed minimum and maximum IOPS enforced on the storage side). If using QoS, make sure that the hypervisor or storage system supports this feature. • (Optional) Storage Tags.
5. In the dialog, make the following choices:
• Name. Any desired name for the system offering.
• Description. A short description of the offering that can be displayed to users.
• System VM Type. Select the type of system virtual machine that this offering is intended to support.
• Storage type. The type of disk that should be allocated. Local allocates from storage attached directly to the host where the system VM is running. Shared allocates from storage accessible via NFS.
Changing the Secondary Storage VM Service Offering on a Guest Network
6. Click the Change Service button. The Change service dialog box is displayed.
7. Select the offering you want.
8. Click OK.
9. If you stopped any VMs, restart them.
Chapter 10. Setting Up Networking for Users
10.1. Overview of Setting Up Networking for Users
People using cloud infrastructure have a variety of needs and preferences when it comes to the networking services provided by the cloud.
• Source NAT per zone is not supported when the service provider is the virtual router. However, Source NAT per account is supported with the virtual router in a Shared Network. For information, see Section 16.5.3, “Configuring a Shared Guest Network”.
10.2.3. Runtime Allocation of Virtual Network Resources
When you define a new virtual network, all your settings for that network are stored in CloudPlatform.
Support Matrix for an Isolated Network (Combination)
Y = Supported, N = Not Supported

Service | Virtual Router | VPC Virtual Router | BigIP F5 | Juniper SRX | Citrix NetScaler
Port Forwarding | Y | Y | N | Y | N
Load Balancing | Y | Y | Y | N | Y
Remote VPN | Y | N | N | Y | N
Network ACL | N | Y | N | N | N
Usage Monitoring | Y | Y | Y | Y | Y
Security Group | N | N | N | N | N
Firewall | Y | N | N | Y | N

10.4.2. Support Matrix for an Isolated Network (Combination)
NW Devices | DHCP | DNS | User Data | Source NAT | Static NAT | Port Forwarding | Load Balancing | Remote VPN | Network ACL | Usage Monitoring | Security Group | Firewall
(tail of the preceding row, "... Side by Side", carried over from the previous page: ... No)
SRX and F5 Inline LB | VR | VR | VR | SRX | SRX | SRX | F5 | SRX | SRX | Y | N | Static NAT / PF: Yes, LB: Yes

10.4.3.
Support Matrix for Basic Zone
10.4.4. Support Matrix for Basic Zone
Y = Supported, N = Not Supported

NW Devices | DHCP | DNS | User Data | Source NAT | Static NAT | Port Forwarding | Load Balancing | Remote VPN | Network ACL | Usage Monitoring | Security Group | Firewall
Virtual Router | VR | VR | VR | N | N | N | N | N | N | Y | Y | N
VR and NetScaler (EIP/ELB) | VR | VR | VR | N | NetScaler | N | NetScaler | N | N | Y | Y | N

10.5.
a web server farm and require a scalable firewall solution, load balancing solution, and alternate networks for accessing the database backend.
Creating a New Network Offering • Supported Services. Select one or more of the possible network services. For some services, you must also choose the service provider; for example, if you select Load Balancer, you can choose the CloudPlatform virtual router or any other load balancers that have been configured in the cloud. Depending on which services you choose, additional fields may appear in the rest of the dialog box.
Supported Services | Description | Isolated | Shared
(continued from previous page) | ... been configured in the cloud. | |
VPN | For more information, see Section 16.24, “Remote Access VPN”. | Supported | Supported
User Data | For more information, see Section 20.3, “User Data and Meta Data”. | Not Supported | Supported
Network ACL | For more information, see Section 16.27.4, “Configuring Network Access Control List”. | Supported | Not Supported
Security Groups | For more information, see Section 16.6.
Changing the Network Offering on a Guest Network
Side by Side: In side by side mode, a firewall device is deployed in parallel with the load balancer device. Traffic to the load balancer's public IP is therefore not routed through the firewall and is exposed directly to the public network.
• Associate Public IP: Select this option if you want to assign a public IP address to the VMs deployed in the guest network. This option is available only if:
  • the guest network is shared, and
  • StaticNAT is enabled.
2. If you are changing from a network offering that uses the CloudPlatform virtual router to one that uses external devices as network service providers, you must first stop all the VMs on the network. See Section 11.7, “Stopping and Starting VMs”.
3. In the left navigation, choose Network.
4. Click the name of the network you want to modify.
5. In the Details tab, click Edit.
6. In Network Offering, choose the new network offering, then click Apply.
Creating and Changing a Virtual Router Network Offering • System Offering. Choose the system service offering that you want virtual routers to use in this network. In this case, the default “System Offering For Software Router” and the custom “VRsystemofferingHA” are available and displayed. 6. Click OK and the network offering is created. To change the network offering of a guest network to the virtual router service offering: 1. Select Network from the left navigation pane. 2.
Chapter 11. Working With Virtual Machines
11.1. About Working with Virtual Machines
CloudPlatform provides administrators with complete control over the life cycle of all guest VMs executing in the cloud. CloudPlatform provides several guest management operations for end users and administrators. VMs may be stopped, started, rebooted, and destroyed. Guest VMs have a name and group. VM names and groups are opaque to CloudPlatform and are available for end users to organize their VMs.
11.2.1. Monitor VMs for Max Capacity
The CloudPlatform administrator should monitor the total number of VM instances in each cluster, and disable allocation to the cluster if the total is approaching the maximum that the hypervisor can handle. Be sure to leave a safety margin to allow for the possibility of one or more hosts failing, which would increase the VM load on the other hosts as the VMs are automatically redeployed.
Creating VMs
Once a virtual machine is destroyed, it cannot be recovered. All the resources used by the virtual machine will be reclaimed by the system. This includes the virtual machine’s IP address. A stop will attempt to gracefully shut down the operating system, which typically involves terminating all the running applications. If the operating system cannot be stopped, it will be forcefully terminated. This has the same effect as pulling the power cord on a physical machine.
2. In the left navigation bar, click Instances.
3. Click Add Instance.
4. Select a zone.
5. Select a template, then follow the steps in the wizard. For more information about how the templates came to be in this list, see Chapter 13, Working with Templates.
6. Be sure that the hardware you have allows starting the selected service offering.
7. Click Submit and your VM will be created and started.
Accessing VMs virtual machine. A linked clone is also a copy of an existing virtual machine, but it has ongoing dependency on the original. A linked clone shares the virtual disk of the original VM, and retains access to all files that were present at the time the clone was created. The use of these different clone types involves some side effects and tradeoffs, so it is to the administrator's advantage to be able to choose which of the two types will be used in a CloudPlatform deployment.
The default format of the internal name is i-<user_id>-<vm_id>-<instance.name>, where instance.name is a global parameter. When vm.instancename.flag is set to true, if a display name is provided during the creation of a guest VM, the display name is appended to the internal name of the guest VM on the host. This changes the internal name format to i-<user_id>-<vm_id>-<displayName>. The following table explains how a VM name is displayed in different scenarios.
Affinity Groups • Host tags. The administrator can assign tags to hosts. These tags can be used to specify which host a VM should use. The CloudPlatform administrator decides whether to define host tags, then create a service offering using those tags and offer it to the user. • Affinity groups. By defining affinity groups and assigning VMs to them, the user or administrator can influence (but not dictate) which VMs should run on separate hosts.
5. Click the Change Affinity button.
View Members of an Affinity Group
To see which VMs are currently assigned to a particular affinity group:
1. In the left navigation bar, click Affinity Groups.
2. Click the name of the group you are interested in.
3. Click View Instances. The members of the group are listed. From here, you can click the name of any VM in the list to access all its details and controls.
Delete an Affinity Group
To delete an affinity group:
1.
Limitations on VM Snapshots
11.9.1. Limitations on VM Snapshots
• If a VM has stored snapshots, you can't attach a new volume to the VM or delete any existing volumes. If you changed the volumes on the VM, it would become impossible to restore a VM snapshot that was created with the previous volume structure. If you want to attach a volume to such a VM, first delete its snapshots.
• VM snapshots which include both data volumes and memory can't be kept if you change the VM's service offering.
Note
If a snapshot is already in progress, then clicking this button will have no effect.
5. Provide a name and description. These will be displayed in the VM Snapshots list.
6. (For running VMs only) If you want to include the VM's memory in the snapshot, click the Memory checkbox. This saves the CPU and memory state of the virtual machine. If you don't check this box, then only the current state of the VM disk is saved.
Changing the Service Offering for a VM 6. Make the desired changes to the following: • Display name: Enter a new display name if you want to change the name of the VM. • OS Type: Select the desired operating system. • Group: Enter the group name for the VM. 7. Click Apply. 11.11. Changing the Service Offering for a VM To upgrade or downgrade the level of compute resources available to a virtual machine, you can change the VM's compute offering. 1. Log in to the CloudPlatform UI as a user or admin. 2.
with previous versions will not have the dynamic scaling capability unless you update them using the following procedure.
11.11.2. Updating Existing VMs
If you are upgrading from a previous version of CloudPlatform, and you want your existing VMs created with previous versions to have the dynamic scaling capability, update the VMs using the following steps:
1. Make sure the zone-level setting enable.dynamic.scale.vm is set to true.
Resetting the Virtual Machine Root Volume on Reboot
• When scaling memory or CPU for a Linux VM on VMware, you might need to run scripts in addition to the other steps mentioned above. For more information, see Hot adding memory in Linux (1012764) in the VMware Knowledge Base.
• (VMware) If resources are not available on the current host, scaling up will fail on VMware because of a known issue where CloudPlatform and vCenter calculate the available capacity differently.
Note
If the VM's storage has to be migrated along with the VM, this will be noted in the host list. CloudPlatform will take care of the storage migration for you.
6. Click OK.
11.14. Deleting VMs
Users can delete their own virtual machines. A running virtual machine will be abruptly stopped before it is deleted. Administrators can delete any virtual machines. To delete a virtual machine:
1. Log in to the CloudPlatform UI as a user or admin.
2.
Adding an ISO
contains an OS image. CloudPlatform allows a user to boot a guest VM off of an ISO image. Users can also attach ISO images to guest VMs. For example, this enables installing PV drivers into Windows. ISO images are not hypervisor-specific.
11.16.1. Adding an ISO
To make additional operating systems or other software available for use with guest VMs, you can add an ISO.
Note
It is not recommended to choose an older version of the OS than the version in the image. For example, choosing CentOS 5.4 to support a CentOS 6.2 image will usually not work. In these cases, choose Other.
• Extractable: Choose Yes if the ISO should be available for extraction.
• Public: Choose Yes if this ISO should be available to other users.
• Featured: Choose Yes if you would like this ISO to be more prominent for users to select.
Changing a VM's Base Image type of image). When this call occurs, the VM's root disk is first destroyed, then a new root disk is created from the source designated in the template ID parameter. The new root disk is attached to the VM, and now the VM is based on the new template. You can also omit the template ID parameter from the restoreVirtualMachine call. In this case, the VM's root disk is destroyed and recreated, but from the same template or ISO that was already in use by the VM.
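The restoreVirtualMachine call above is an ordinary signed CloudPlatform API request, so the part a practitioner actually has to get right is the signature. The following Python is an added example, not code from the CloudPlatform documentation or code base: it builds the request with and without the optional templateid parameter using CloudStack's documented signing scheme (parameters sorted by name, values URL-encoded, the whole string lowercased, HMAC-SHA1 with the secret key, base64-encoded) and includes the server-side verification so the exchange can be exercised offline. The API key, secret key, VM ID and template ID are constructed values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode

# Constructed credentials and identifiers for this example only.
API_KEY = "example-api-key"
SECRET_KEY = "example-secret-key"
VM_ID = "9d1f0c2e-vm-example"
TEMPLATE_ID = "ab12-template-example"


def sign_params(params, secret_key):
    """Compute the CloudStack-style request signature.

    The string to sign is "key=value&..." with each value URL-encoded, the
    pairs sorted by parameter name, and the whole string lowercased. It is
    then HMAC-SHA1'd with the secret key and base64-encoded.
    """
    pairs = sorted(((k, str(v)) for k, v in params.items()),
                   key=lambda kv: kv[0].lower())
    canonical = "&".join(f"{k}={quote(v, safe='*')}" for k, v in pairs).lower()
    digest = hmac.new(secret_key.encode(), canonical.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_restore_query(vm_id, api_key, secret_key, template_id=None):
    """Return the signed query string for restoreVirtualMachine.

    template_id is optional: when it is omitted the root disk is recreated
    from the template or ISO the VM already uses, as the text describes.
    """
    params = {
        "command": "restoreVirtualMachine",
        "virtualmachineid": vm_id,
        "response": "json",
        "apikey": api_key,
    }
    if template_id is not None:
        params["templateid"] = template_id
    params["signature"] = sign_params(params, secret_key)
    return urlencode(params)


def verify_query(query, secret_key):
    """Server-side check: recompute the signature over every parameter except
    'signature' and compare in constant time. Any change to a parameter, for
    example swapping templateid, invalidates the request."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    presented = params.pop("signature", None)
    if presented is None:
        return False
    return hmac.compare_digest(presented, sign_params(params, secret_key))


if __name__ == "__main__":
    query = build_restore_query(VM_ID, API_KEY, SECRET_KEY, TEMPLATE_ID)
    print(query)
    print("valid:", verify_query(query, SECRET_KEY))
```

The query string is what would be appended to the management server's /client/api endpoint. Because the secret never leaves the client and the signature covers every parameter, a request cannot be replayed against a different VM or template without being rejected.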
Chapter 12. Working With Hosts 12.1. Adding Hosts Additional hosts can be added at any time to provide more capacity for guest VMs. For requirements and instructions, see Section 8.6, “Adding a Host”. 12.2. Scheduled Maintenance and Maintenance Mode for Hosts You can place a host into maintenance mode. When maintenance mode is activated, the host becomes unavailable to receive new guest VMs, and the guest VMs already running on the host are seamlessly migrated to another host not in maintenance mode.
1. In the Resources pane, select the server, then do one of the following:
• Right-click, then click Enter Maintenance Mode on the shortcut menu.
• On the Server menu, click Enter Maintenance Mode.
2. Click Enter Maintenance Mode. The server's status in the Resources pane shows when all running VMs have been successfully migrated off the server.
To take a server out of Maintenance Mode:
1.
Removing XenServer and KVM Hosts 12.4.1. Removing XenServer and KVM Hosts A node cannot be removed from a cluster until it has been placed in maintenance mode. This will ensure that all of the VMs on it have been migrated to other Hosts. To remove a Host from the cloud: 1. Place the node in maintenance mode. See Section 12.2, “Scheduled Maintenance and Maintenance Mode for Hosts”. 2. For KVM, stop the cloud-agent service. 3. Use the UI option to remove the node.
orchestrate. CloudPlatform can automatically understand the UCS environment, server profiles, etc. so CloudPlatform administrators can deploy a bare metal OS on a Cisco UCS.
An overview of the steps involved in using UCS with CloudPlatform:
1. Set up your UCS blades, profiles, and UCS Manager according to Cisco documentation
2. Register the UCS Manager with CloudPlatform
3. Associate a profile with a UCS blade
4.
Disassociating a Profile from a UCS Blade 6. Click the name of the UCS Manager. A list is displayed that shows the names of the blades that are installed under the selected manager. 7. In the Actions column, click the Associate Profile icon. 8. In the dialog, select the name of the profile you want to associate with this blade, then click OK. The dropdown list in the dialog box lists the profiles that are currently defined in the UCS Manager where this blade resides.
mysql> select id from cloud.host where name like '%h%';
4. This should return a single ID. Record the set of such IDs for these hosts.
5. Update the passwords for the host in the database. In this example, we change the passwords for hosts with IDs 5, 10, and 12 to "password".
mysql> update cloud.host set password='password' where id=5 or id=10 or id=12;
12.9.
Limitations on Over-Provisioning in XenServer and KVM
12.9.1. Limitations on Over-Provisioning in XenServer and KVM
• In XenServer, due to a constraint of this hypervisor, you cannot use an over-provisioning factor greater than 4.
• The KVM hypervisor cannot manage memory allocation to VMs dynamically. CloudPlatform sets the minimum and maximum amount of memory that a VM can use. The hypervisor adjusts the memory within the set limits based on the memory contention.
12.9.2.
done, CloudPlatform recalculates or scales the used and reserved capacities based on the new overprovisioning ratios, to ensure that CloudPlatform is correctly tracking the amount of free capacity.
Note
It is safer not to deploy additional new VMs while the capacity recalculation is underway, in case the new values for available capacity are not high enough to accommodate the new VMs.
VLAN Allocation Example CloudPlatform manages VLANs differently based on hypervisor type. For XenServer or KVM, the VLANs are created on only the hosts where they will be used and then they are destroyed when all guests that require them have been terminated or moved to another host. For vSphere the VLANs are provisioned on all hosts in the cluster even if there is no guest running on a particular Host that requires the VLAN.
5. Click Physical Network.
6. In the Guest node of the diagram, click Configure.
7. Click Edit. The VLAN Ranges field is now editable.
8. Enter the start and end of the VLAN range. If you have multiple ranges, separate them by a comma. For example: 200-210,300-350,500-600, 100-110
Specify all the VLANs you want to use: when you add new ranges to the existing list, any VLANs not specified will be removed.
9. Click Apply.
12.10.3.
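Because VLANs left out of the edited range string are removed, an administrator will want to know what a proposed string drops before clicking Apply. The following Python helper is an added example, not part of CloudPlatform: it parses range strings in the format shown above (tolerating the stray space after a comma), rejects malformed, reversed or out-of-range entries, and reports which VLAN IDs a change would add or remove and which of the removed IDs are still in use. The 1-4094 bound is the 802.1Q range and is an assumption here (CloudPlatform may restrict the usable range further); the list of in-use VLANs is constructed sample data.

```python
import re

# 802.1Q VLAN ID bounds. Assumed for this example; CloudPlatform may narrow them.
VLAN_MIN, VLAN_MAX = 1, 4094

_ENTRY = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_ranges(spec):
    """Expand "200-210,300-350,500-600, 100-110" into a set of VLAN IDs.

    Whitespace around entries is tolerated and a lone ID is a one-element
    range. Malformed, reversed or out-of-range entries raise ValueError so a
    typo cannot silently shrink the list.
    """
    vlans = set()
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        match = _ENTRY.match(entry)
        if not match:
            raise ValueError(f"malformed VLAN range entry: {entry!r}")
        lo = int(match.group(1))
        hi = int(match.group(2)) if match.group(2) else lo
        if lo > hi:
            raise ValueError(f"reversed VLAN range: {entry!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN range {entry!r} outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return vlans


def is_valid_vlan_spec(spec):
    """True if the range string parses cleanly; handy as a pre-check on UI input."""
    try:
        parse_vlan_ranges(spec)
    except ValueError:
        return False
    return True


def plan_vlan_change(current_spec, new_spec, in_use=()):
    """Compare the current range string with a proposed replacement.

    Everything absent from the new string is dropped, so the result lists the
    IDs that would be added, the IDs that would be removed, and the subset of
    removed IDs that currently carry guest networks.
    """
    current = parse_vlan_ranges(current_spec)
    proposed = parse_vlan_ranges(new_spec)
    removed = current - proposed
    return {
        "added": sorted(proposed - current),
        "removed": sorted(removed),
        "removed_in_use": sorted(removed & set(in_use)),
    }


if __name__ == "__main__":
    # Constructed sample: VLANs 205 and 320 carry guest networks today.
    plan = plan_vlan_change("200-210,300-350", "500-600, 100-110", in_use=[205, 320])
    if plan["removed_in_use"]:
        print("refusing: would remove VLANs in use:", plan["removed_in_use"])
    else:
        print("safe to apply; adds", len(plan["added"]), "VLANs")
```

Run the plan with the existing field contents as the first argument and the string you intend to enter as the second; a non-empty removed_in_use list means the new string must include the old ranges as well as the additions.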
Chapter 13. Working with Templates A template is a reusable configuration for virtual machines. When users launch VMs, they can choose from a list of templates in CloudPlatform. Specifically, a template is a virtual disk image that includes one of a variety of operating systems, optional additional software such as office applications, and settings such as access control to determine who can use the template.
A default template is provided for each of XenServer, KVM, and vSphere. The templates that are downloaded depend on the hypervisor type that is available in your cloud. Each template is approximately 2.5 GB physical size. The default template includes the standard iptables rules, which will block most access to the template excluding ssh.
Creating a Template from a Snapshot • Name and Display Text. These will be shown in the UI, so choose something descriptive. • OS Type. This helps CloudPlatform and the hypervisor perform certain operations and make assumptions that improve the performance of the guest. Select one of the following. • If the operating system of the stopped VM is listed, choose it. • If the OS type of the stopped VM is not listed, choose Other.
Templates are uploaded based on a URL. HTTP is the supported access protocol. Templates are frequently large files. You can optionally gzip them to decrease upload times.
To upload a template:
1. In the left navigation bar, click Templates.
2. Click Register Template.
3. Provide the following in the dialog box:
• Name and Description. These will be shown in the UI, so choose something descriptive.
• URL.
Exporting Templates 13.9. Exporting Templates End users and Administrators may export templates from the CloudPlatform. Navigate to the template in the UI and choose the Download function from the Actions menu. 13.10. Creating a Windows Template Windows templates must be prepared with Sysprep before they can be provisioned on multiple machines. Sysprep allows you to create a generic Windows template and avoid any possible SID conflicts.
1. Download and install the Windows AIK
Note
Windows AIK should not be installed on the Windows 2008 R2 VM you just created. Windows AIK should not be part of the template you create. It is only used to create the sysprep answer file.
2. Copy the install.wim file in the \sources directory of the Windows 2008 R2 installation DVD to the hard disk. This is a very large file and may take a long time to copy. Windows AIK requires the WIM file to be writable.
3.
System Preparation for Windows Server 2008 R2
b. You need to automate the Software License Terms Selection page, otherwise known as the End-User License Agreement (EULA). To do this, expand the Microsoft-Windows-Shell-Setup component. Highlight the OOBE setting, and add the setting to the Pass 7 oobeSystem. In Settings, set HideEULAPage true.
c. Make sure the license key is properly set. If you use a MAK key, you can just enter the MAK key on the Windows 2008 R2 VM. You need not input the MAK into the Windows System Image Manager. If you use a KMS host for activation you need not enter the Product Key. Details of Windows Volume Activation can be found at http://technet.microsoft.com/en-us/library/bb892849.aspx
d. You also need to automate the Change Administrator Password page.
System Preparation for Windows Server 2003 R2 You may read the AIK documentation and set many more options that suit your deployment. The steps above are the minimum needed to make Windows unattended setup work. 8. Save the answer file as unattend.xml. You can ignore the warning messages that appear in the validation window. 9. Copy the unattend.xml file into the c:\windows\system32\sysprep directory of the Windows 2008 R2 Virtual Machine 10. Once you place the unattend.
a. Select Create New to create a new Answer File.
b. Enter “Sysprep setup” for the Type of Setup.
c. Select the appropriate OS version and edition.
d. On the License Agreement screen, select “Yes fully automate the installation”.
e. Provide your name and organization.
f. Leave display settings at default.
g. Set the appropriate time zone.
h. Provide your product key.
i. Select an appropriate license mode for your deployment
j.
Importing Amazon Machine Images
You need to have a XenServer host with a file-based storage repository (either a local ext3 SR or an NFS SR) to convert to a VHD once the image file has been customized on the CentOS/Fedora host.
Note
When copying and pasting a command, be sure the command has pasted as a single line before executing. Some document viewers may introduce unwanted line breaks in copied text.
To import an AMI:
1.
# cat etc/fstab
/dev/xvda   /          ext3    defaults         1 1
/dev/xvdb   /mnt       ext3    defaults         0 0
none        /dev/pts   devpts  gid=5,mode=620   0 0
none        /proc      proc    defaults         0 0
none        /sys       sysfs   defaults         0 0
7. Enable login via the console. The default console device in a XenServer system is xvc0. Ensure that etc/inittab and etc/securetty have the following lines respectively:
# grep xvc0 etc/inittab
co:2345:respawn:/sbin/agetty xvc0 9600 vt100-nav
# grep xvc0 etc/securetty
xvc0
8.
Converting a Hyper-V VM to a Template
# scp CentOS_6.2_x64 xenhost:/var/run/sr-mount/a9c5b8c8-536b-a193-a6dc-51af3e5ff799/
15. Log in to the XenServer and create a VDI the same size as the image.
[root@xenhost ~]# cd /var/run/sr-mount/a9c5b8c8-536b-a193-a6dc-51af3e5ff799
[root@xenhost a9c5b8c8-536b-a193-a6dc-51af3e5ff799]# ls -lh CentOS_6.2_x64
-rw-r--r-- 1 root root 10G Mar 16 16:49 CentOS_6.
3. Name the VM, choose the NFS VHD SR under Storage, enable "Run Operating System Fixups" and choose the NFS ISO SR.
4. Click Next, then Finish. A VM should be created.
Option two:
1. Run XenConvert, under From choose VHD, under To choose XenServer. Click Next.
2. Choose the VHD, then click Next.
3. Input the XenServer host info, then click Next.
4. Name the VM, then click Next, then Convert. A VM should be created.
Linux OS Installation new password to the virtual router for the account. Thus an instance reboot is necessary to effect any password changes. If the script is unable to contact the virtual router during instance boot it will not set the password but boot will continue normally. 13.13.1. Linux OS Installation Use the following steps to begin the Linux OS installation: 1. Download the script file cloud-set-guest-password: • Linux: http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.
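The exchange the password script performs at boot, written out as an added Python example rather than the shell script itself (this is not CloudPlatform's code). The page only says that the script contacts the virtual router and continues booting if it cannot; the concrete details used below, the DomU_Request header, port 8080 and the send_my_password / saved_password / bad_request markers, are taken from the CloudStack cloud-set-guest-password script as the editor knows it and should be treated as assumptions. The transport is injectable so the handshake, including the unreachable-router case, runs offline against a constructed fake router.

```python
import logging
from urllib.request import Request, urlopen

log = logging.getLogger("cloud-set-guest-password")

# Assumed protocol details (from the CloudStack script, not from this page).
PASSWORD_PORT = 8080
REQUEST_HEADER = "DomU_Request"


def http_get(url, headers, timeout=20):
    """Default transport: a plain HTTP GET returning the body as text."""
    with urlopen(Request(url, headers=headers), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def fetch_guest_password(router_ip, transport=http_get, retries=3):
    """Ask the virtual router (the guest's DHCP server) for this VM's password.

    Returns (status, password) where status is one of:
      "set"         a new password was delivered and acknowledged
      "saved"       the router already delivered it earlier; nothing to do
      "bad"         the router rejected the request
      "unreachable" the router never answered; the boot continues without it
    """
    url = f"http://{router_ip}:{PASSWORD_PORT}/"
    body = None
    for attempt in range(1, retries + 1):
        try:
            body = transport(url, {REQUEST_HEADER: "send_my_password"})
            break
        except OSError as exc:  # URLError and socket errors are OSErrors
            log.warning("attempt %d/%d failed: %s", attempt, retries, exc)
    if body is None:
        return "unreachable", None

    password = body.strip().replace("\r", "")
    if password == "bad_request" or not password:
        return "bad", None
    if password == "saved_password":
        return "saved", None

    # Tell the router the password was consumed so it stops offering it. The
    # real script applies the password first; here the caller does that with
    # the returned value, and a reboot is still needed for a later change.
    try:
        transport(url, {REQUEST_HEADER: "saved_password"})
    except OSError as exc:
        log.warning("password received but acknowledgement failed: %s", exc)
    return "set", password


def make_fake_router(responses):
    """Constructed stand-in for the virtual router, for offline use only.

    responses are consumed in order; an exception instance is raised instead
    of returned to simulate an unreachable router. Returns (transport, calls)
    where calls records the DomU_Request header value of each request.
    """
    queue = list(responses)
    calls = []

    def transport(url, headers, timeout=20):
        calls.append(headers[REQUEST_HEADER])
        item = queue.pop(0)
        if isinstance(item, Exception):
            raise item
        return item

    return transport, calls


if __name__ == "__main__":
    fake, calls = make_fake_router(["s3cret-Pa55\r\n", ""])
    print(fetch_guest_password("10.1.1.1", transport=fake), calls)
```

Note that the status is returned rather than logged so the caller can decide what to do; the real script only acknowledges after the password has been applied, which is why the acknowledgement here follows the success path only.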
Chapter 14. Working With Storage 14.1. Storage Overview CloudPlatform defines two types of storage: primary and secondary. Primary storage can be accessed by either iSCSI or NFS. Additionally, direct attached storage may be used for primary storage. Secondary storage is always accessed using NFS or a combination of NFS and object storage. There is no ephemeral storage in CloudPlatform. All volumes on all nodes are persistent. 14.2.
Feature | VMware vSphere | Citrix XenServer | KVM | Oracle VM
Fiber Channel support | VMFS | Yes, via Existing SR | Yes, via Shared Mountpoint | No
NFS support | Y | Y | Y | Y
Local storage support | Y | Y | Y | Y
Storage over-provisioning | NFS and iSCSI | NFS | NFS | No

XenServer uses a clustered LVM system to store VM images on iSCSI and Fiber Channel volumes and does not support over-provisioning in the hypervisor. The storage server itself, however, can support thin-provisioning.
Maintenance Mode for Primary Storage 14.2.5. Maintenance Mode for Primary Storage Primary storage may be placed into maintenance mode. This is useful, for example, to replace faulty RAM in a storage device. Maintenance mode for a storage device will first stop any new guests from being provisioned on the storage device. Then it will stop all guests that have any volume on that storage device. When all such guests are stopped the storage device is in maintenance mode and may be shut down.
Then log in to the CloudPlatform UI and stop and start (not reboot) the Secondary Storage VM for that Zone.
14.3.3. Changing Secondary Storage Servers
You can change the secondary storage NFS mount. Perform the following steps to do so:
1. Stop all running Management Servers.
2. Wait 30 minutes. This allows any writes to secondary storage to complete.
3. Copy all files from the old secondary storage mount to the new.
4.
Uploading an Existing Volume to a Virtual Machine local data volumes can be attached to virtual machines, detached, re-attached, and deleted just as with the other types of data volume. Local storage is ideal for scenarios where persistence of data volumes and HA is not required. Some of the benefits include reduced disk I/O latency and cost reduction from using inexpensive local disks. In order for local volumes to be used, the feature must be enabled for the zone.
4. Click Upload Volume.
5. Provide the following:
• Name and Description. Any desired name and a brief description that can be shown in the UI.
• Availability Zone. Choose the zone where you want to store the volume. VMs running on hosts in this zone can attach the volume.
• Format. Choose one of the following to indicate the disk image format of the volume.
Hypervisor | Disk Image Format
XenServer | VHD
VMware | OVA
KVM | QCOW2
OVM | RAW
• URL.
Detaching and Moving Volumes 14.4.4. Detaching and Moving Volumes Note This procedure is different from moving volumes from one storage pool to another as described in Section 14.4.5, “VM Storage Migration”. A volume can be detached from a guest VM and attached to another guest. Both CloudPlatform administrators and users can detach volumes from VMs and move them to other VMs.
Note
Because of a limitation in VMware, live migration of storage for a VM is allowed only if the source and target storage pool are accessible to the source host; that is, the host where the VM is running when the live migration operation is requested.
14.4.5.1. Migrating a Data Volume to a New Storage Pool
There are two situations when you might want to migrate a disk:
• Move the disk to new storage, but leave it attached to the same running VM.
Resizing Volumes 1. Log in to the CloudPlatform UI as a user or admin. 2. In the left navigation bar, click Instances, and click the VM name. 3. (KVM only) Stop the VM. 4. Click the Migrate button and choose the destination from the dropdown list. Note If the VM's storage has to be migrated along with the VM, this will be noted in the host list. CloudPlatform will take care of the storage migration for you. 5.
4. Select the volume name in the Volumes list, then click the Resize Volume button.
5. In the Resize Volume pop-up, choose desired characteristics for the storage.
a. If you select Custom Disk, specify a custom size.
b. Click Shrink OK to confirm that you are reducing the size of a volume. This parameter protects against inadvertent shrinking of a disk, which might lead to the risk of data loss. You must sign off that you know what you are doing.
6. Click OK.
14.4.7.
Automatic Snapshot Creation and Retention
CloudPlatform supports snapshots of disk volumes. Snapshots are a point-in-time capture of virtual machine disks. Memory and CPU states are not captured. Snapshots may be taken for volumes, including both root and data disks. The exception is the Oracle VM hypervisor: OVM does not support snapshots, so you cannot take them there.
When a snapshot is taken manually, a snapshot is always created regardless of whether a volume has been active or not.
14.5.4. Snapshot Restore
There are two paths to restoring snapshots. Users can create a volume from the snapshot. The volume can then be mounted to a VM and files recovered as needed. Alternatively, a template may be created from the snapshot of a root disk. The user can then boot a VM from this template to effect recovery of the root disk.
14.5.5.
Chapter 15. Working with Usage The Usage Server is an optional, separately-installed part of CloudPlatform that provides aggregated usage records which you can use to create billing integration for CloudPlatform. The Usage Server works by taking data from the events log and creating summary usage records that you can access using the listUsageRecords API call. The usage records show the amount of resources, such as VM run time or template storage space, consumed by guest instances.
Parameter Name | Description
(continued) | Default: The time zone of the management server.
usage.sanity.check.interval | The number of days between sanity checks. Set this in order to periodically search for records with erroneous data before issuing customer invoices. For example, this checks for VM usage records created after the VM was destroyed, and similar checks for templates, volumes, and so on. It also checks for usage times longer than the aggregation range.
Setting Usage Limits • enable.usage.server = true • usage.execution.timezone = America/New_York • usage.stats.job.exec.time = 07:00. This will run the Usage job at 2:00 AM EST. Note that this will shift by an hour as the East Coast of the U.S. enters and exits Daylight Savings Time. • usage.stats.job.aggregation.
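The hour shift mentioned above can be checked before settling on a usage.stats.job.exec.time. This Python is an added example, not part of CloudPlatform: it treats the configured HH:MM as a GMT wall-clock time, which is the only reading under which 07:00 lands at 2:00 AM Eastern Standard Time as the text states, and shows the local start time on a winter and a summer date, plus the inverse computation for an administrator who wants a fixed local time. The dates are constructed; zoneinfo relies on the system time zone database.

```python
from datetime import date, datetime, timezone
from zoneinfo import ZoneInfo


def local_run_time(exec_time, on_date, tz_name):
    """Map a GMT "HH:MM" job time to local wall-clock time in tz_name on on_date.

    Returns a string such as "02:00 EST" so the zone abbreviation shows whether
    standard or daylight time was in effect.
    """
    hour, minute = (int(part) for part in exec_time.split(":"))
    run_utc = datetime(on_date.year, on_date.month, on_date.day,
                       hour, minute, tzinfo=timezone.utc)
    return run_utc.astimezone(ZoneInfo(tz_name)).strftime("%H:%M %Z")


def dst_shift(exec_time, tz_name, year):
    """Return (winter_local, summer_local, shifts) for a GMT schedule.

    shifts is True when the job's local start time differs between a January
    date and a July date, i.e. the zone observes daylight saving time.
    """
    winter = local_run_time(exec_time, date(year, 1, 15), tz_name)
    summer = local_run_time(exec_time, date(year, 7, 15), tz_name)
    return winter, summer, winter != summer


def gmt_time_for_local(local_hhmm, on_date, tz_name):
    """Inverse: the GMT "HH:MM" to configure so the job runs at local_hhmm on
    on_date. Because the UTC offset moves with DST, the value differs between
    winter and summer, which is exactly why the configured time drifts."""
    hour, minute = (int(part) for part in local_hhmm.split(":"))
    local = datetime(on_date.year, on_date.month, on_date.day,
                     hour, minute, tzinfo=ZoneInfo(tz_name))
    return local.astimezone(timezone.utc).strftime("%H:%M")


if __name__ == "__main__":
    print(dst_shift("07:00", "America/New_York", 2013))
    print(gmt_time_for_local("02:00", date(2013, 7, 15), "America/New_York"))
```

If a stable local start time matters more than a stable GMT one, pick the GMT value for the season in which the run must not collide with other maintenance, and expect it to move by an hour in the other season.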
Parameter Name | Description
max.account.primary.storage (GB) | Maximum primary storage space that can be used for an account. Default is 20*10.
max.account.secondary.storage (GB) | Maximum secondary storage space that can be used for an account. Default is 20*20.
max.project.cpus | Maximum number of CPU cores that can be used for a project. Default is 40.
max.project.ram (MB) | Maximum RAM that can be used for a project. Default is 40960.
max.project.primary.
Default Account Resource Limits Parameter Name Definition max.volume.size.gb Maximum size for a volume in GB network.throttling.rate The default data transfer rate in megabits per second allowed in network. snapshot.max.hourly Maximum recurring hourly snapshots to be retained for a volume. If the limit is reached, early snapshots from the start of the hour are deleted so that newer ones can be saved. This limit does not apply to manual snapshots.
15.2.3. Per-Domain Limits
CloudPlatform allows the configuration of limits on a domain basis. With a domain limit in place, all users still have their account limits. They are additionally limited, as a group, to not exceed the resource limits set on their domain. Domain limits aggregate the usage of all accounts in the domain as well as all accounts in all subdomains of that domain.
Chapter 16. Managing Networks and Traffic

In CloudPlatform, guest VMs can communicate with each other using shared infrastructure with the security and user perception that the guests have a private LAN. The CloudPlatform virtual router is the main component providing networking features for guest traffic.

16.1. Guest Traffic

A network can carry guest traffic only between VMs within one zone.
Servers are connected as follows:
• Storage devices are connected to only the network that carries management traffic.
• Hosts are connected to networks for both management traffic and public traffic.
• Hosts are also connected to one or more networks carrying guest traffic.

We recommend the use of multiple physical Ethernet cards to implement each network interface as well as redundant switch fabric in order to maximize throughput and improve reliability.

16.3.
Basic Zone Physical Network Configuration

A firewall for management traffic operates in NAT mode. The network typically is assigned IP addresses in the 192.168.0.0/16 Class B private address space. Each pod is assigned IP addresses in the 192.168.*.0/24 Class C private address space. Each zone has its own set of public IP addresses. Public IP addresses from different zones do not overlap.

16.4.
1. In the left navigation, choose Infrastructure. On Zones, click View More, then click the zone to which you want to add a network.
2. Click the Network tab.
3. Click Add Isolated Guest Network. The Add Isolated Guest Network window is displayed.
4. Provide the following information:
   • Name: The name of the network. This will be user-visible.
   • Display Text: The description of the network. This will be displayed to the user.
16.5.3. Configuring a Shared Guest Network

1. Log in to the CloudPlatform UI as administrator.
2. In the left navigation, choose Infrastructure.
3. On Zones, click View More.
4. Click the zone to which you want to add a guest network.
5. Click the Physical Network tab.
6. Click the physical network you want to work with.
7. On the Guest node of the diagram, click Configure.
8. Click the Network tab.
9. Click Add guest network. The Add guest network window is displayed.
   • Network Domain: A custom DNS suffix at the level of a network. If you want to assign a special domain name to the guest VM network, specify a DNS suffix.
11. Click OK to confirm.

16.6. Using Security Groups to Control Traffic to VMs

16.6.1. About Security Groups

Security groups provide a way to isolate traffic to VMs. A security group is a group of VMs that filter their incoming and outgoing traffic according to a set of rules, called ingress and egress rules.
16.6.3. Enabling Security Groups

In order for security groups to function in a zone, the security groups feature must first be enabled for the zone. The administrator can do this when creating a new zone, by selecting a network offering that includes security groups. The procedure is described in Zone Configuration in the Installation Guide. The administrator cannot enable security groups for an existing zone; they can be enabled only when creating a new zone.

16.6.4.
   • Account, Security Group. (Add by Account only) To accept only traffic from another security group, enter the CloudPlatform account and name of a security group that has already been defined in that account. To allow traffic between VMs within the security group you are editing now, enter its name (that is, the same name you chose in step 3).

The following example allows inbound HTTP access from anywhere:

5.
An external Juniper SRX or Cisco ASA can be used for:
• Source NAT
• Static NAT
• Firewall
• Port forwarding

A NetScaler or F5 can be used for:
• Load balancing

For details about installing and setting up these external network service providers, see the CloudPlatform Installation Guide.

16.7.1. About Using a NetScaler Load Balancer

Citrix NetScaler is supported as an external network element for load balancing in advanced zones that use isolated networking.
NetScaler ADC Type / Description of Capabilities / CloudPlatform Supported Features
... / ... act as application firewall and load balancer / Supported without limitation. In basic zones, static NAT, elastic IP (EIP), and elastic load balancing (ELB) are also provided.
VPX / Virtual appliance. Can run as a VM on XenServer, ESXi, and Hyper-V hypervisors. Same functionality as MPX. / Supported on ESXi and XenServer. Same functional support as for MPX.
Initial Setup of External Firewalls and Load Balancers

    #        sec.name    source      community
    com2sec  local       localhost   public
    com2sec  mynetwork   0.0.0.0     public

Note: Setting to 0.0.0.0 allows all IPs to poll the NetScaler server.

b. Map the security names into group names:

    #      group.name  sec.model  sec.
    group  MyRWGroup   v1
    group  MyRWGroup   v2c
    group  MyROGroup   v1
    group  MyROGroup   v2c

c.
The following objects are created on the load balancer:
• A new VLAN that matches the account's provisioned Zone VLAN
• A self IP for the VLAN. This is always the second IP of the account's private subnet (e.g. 10.1.1.2).

16.7.4. Ongoing Configuration of External Firewalls and Load Balancers

Additional user actions (e.g. setting a port forward) will cause further programming of the firewall and load balancer.
Configuring AutoScale

6. In the Load Balancing node of the diagram, click View All.
   In a Basic zone, you can also create a load balancing rule without acquiring or selecting an IP address. CloudPlatform internally assigns an IP when you create the load balancing rule, which is listed in the IP Addresses page when the rule is created. To do that, select the name of the network, then click the Add Load Balancer tab. Continue with 7.
7. Fill in the following:
   • Name: A name for the load balancer rule.
VMs automatically and launching new VMs when you need them, without the need for manual intervention. NetScaler AutoScaling is designed to seamlessly launch or terminate VMs based on user-defined conditions. Conditions for triggering a scale-up or scale-down action can vary from a simple use case, such as monitoring the CPU usage of a server, to a complex use case, such as monitoring a combination of a server's responsiveness and its CPU usage.
Configuration

Specify the following:
• Template: A template consists of a base OS image and application. A template is used to provision the new instance of an application on a scale-up action. When a VM is deployed from a template, the VM can start taking the traffic from the load balancer without any admin intervention. For example, if the VM is deployed for a Web service, it should have the Web server running, the database connected, and so on.
Note: If an application, such as SAP, running on a VM instance is down for some reason, the VM is not counted toward the Min Instance parameter, and the AutoScale feature initiates a scale-up action if the number of active VM instances is below the configured value.
• Polling interval: Frequency at which the conditions (a combination of counter, operator, and threshold) are evaluated before taking a scale-up or scale-down action. The default polling interval is 30 seconds.
• Quiet Time: This is the cool-down period after an AutoScale action is initiated. The time includes the time taken to complete provisioning a VM instance from its template and the time taken by an application to be ready to serve traffic.
Runtime Considerations

• An administrator should not assign a VM to a load balancing rule which is configured for AutoScale.
• If NetScaler is shut down or restarted before VM provisioning completes, the provisioned VM cannot become part of the load balancing rule, even though the intent was to assign it to one.
Global Server Load Balancing

You can delete or modify existing health check policies. To configure how often the health check is performed by default, use the global configuration setting healthcheck.update.interval (default value is 600 seconds). You can override this value for an individual health check policy. For details on how to set a health check policy using the UI, see Section 16.8.1, “Adding a Load Balancer Rule”.

16.9.
• Load Balancing or Content Switching Virtual Servers: According to Citrix NetScaler terminology, a load balancing or content switching virtual server represents one or many servers on the local network. Clients send their requests to the load balancing or content switching virtual server’s virtual IP (VIP) address, and the virtual server balances the load across the local servers.
Configuring GSLB

Tenant-A wishes to leverage the GSLB service provided by the xyztelco cloud. Tenant-A configures a GSLB rule to load balance traffic across virtual server 1 at Zone-1 and virtual server 2 at Zone-2. The domain name is provided as A.xyztelco.com. CloudPlatform orchestrates setting up GSLB virtual server 1 on the GSLB service provider at Zone-1. CloudPlatform binds virtual server 1 of Zone-1 and virtual server 2 of Zone-2 to GSLB virtual server 1.
To configure GSLB in your cloud environment, as a cloud administrator you must first configure a standard load balancing setup for each zone. This enables load to be balanced across different servers in each zone in the region. Then, configure both the NetScaler appliances that you plan to add to each zone as authoritative DNS (ADNS) servers.
3. In each zone that participates in GSLB, add a GSLB-enabled NetScaler device. For more information, see Section 16.9.2.2, “Enabling GSLB in NetScaler”.

On the CloudPlatform side, perform the following as a domain administrator or user:
1. Add a GSLB rule on both the sites. See Section 16.9.2.3, “Adding a GSLB Rule”.
2. Assign load balancer rules. See Section 16.9.2.4, “Assigning Load Balancing Rules to GSLB”.

16.9.2.1.
3. In Zones, click View More.
4. Choose the zone you want to work with.
5. Click the Physical Network tab, then click the name of the physical network.
6. In the Network Service Providers node of the diagram, click Configure. You might have to scroll down to see this.
7. Click NetScaler.
8. Click Add NetScaler device and provide the following:
   For NetScaler:
   • IP Address: The IP address of the NetScaler appliance.
6. Specify the following:
   • Name: Name for the GSLB rule.
   • Description: (Optional) A short description of the GSLB rule that can be displayed to users.
   • GSLB Domain Name: A preferred domain name for the service.
   • Algorithm: (Optional) The algorithm to use to load balance the traffic across the zones. The options are Round Robin, Least Connection, and Proximity.
   • Service Type: The transport protocol to use for GSLB. The options are TCP and UDP.
7. Click assign more load balancing.
8. Select the load balancing rule you have created for the zone.
9. Click OK to confirm.

16.10. Using Multiple Guest Networks

In zones that use advanced networking, additional networks for guest traffic may be added at any time after the initial installation. You can also customize the domain name associated with the network by specifying a DNS suffix for each network. A VM's networks are defined at VM creation time.
Reconfiguring Networks in VMs

This feature is supported on XenServer, VMware, and KVM hypervisors.

16.10.2.1. Prerequisites

For adding or removing networks to work, ensure that vm-tools are running on the guest VMs on the VMware host.

16.10.2.2. Adding a Network

1. Log in to the CloudPlatform UI as an administrator or end user.
2. In the left navigation, click Instances.
3. Choose the VM that you want to work with.
4. Click the NICs tab.
5. Click Add network to VM. The Add network to VM dialog is displayed.
2. In the left navigation, click Instances.
3. Choose the VM that you want to work with.
4. Click the NICs tab.
5. Locate the NIC you want to work with.
6. Click the Set default NIC button.
7. Click Yes to confirm.

16.11. Guest IP Ranges

The IP ranges for guest network traffic are set on a per-account basis by the user. This allows the users to configure their network in a fashion that will enable VPN linking between their guest network and their clients.
16.14. Reserving Public IP Addresses and VLANs for Accounts

CloudPlatform provides you with the ability to reserve a set of public IP addresses and VLANs exclusively for an account. During zone creation, you can continue defining a set of VLANs and multiple public IP ranges. This feature extends the functionality to enable you to dedicate a fixed set of VLANs and guest IP addresses for a tenant.
   • Domain: The domain associated with the account.

To create a new IP range and assign an account, perform the following:
a. Specify the following:
   • Gateway
   • Netmask
   • VLAN
   • Start IP
   • End IP
   • Account: Perform the following:
     i. Click Account. The Add Account page is displayed.
     ii. Specify the following:
         • Account: The account to which you want to assign an IP address range.
         • Domain: The domain associated with the account.
     iii. Click OK.
b. Click Add.

16.14.
   • Domain: The domain associated with the account.

16.15. IP Reservation in Isolated Guest Networks

In isolated guest networks, a part of the guest IP address space can be reserved for non-CloudPlatform VMs or physical servers. To do so, you configure a range of Reserved IP addresses by specifying the CIDR when a guest network is in Implemented state.
Case / CIDR / Network CIDR / Reserved IP Range for Non-CloudPlatform VMs / Description
... / ... / ... / ... / ... CIDR field in the UI.
3 / 10.1.1.0/24 / None / None / Removing IP Reservation by the UpdateNetwork API with guestvmcidr=10.1.1.0/24, or by entering 10.1.1.0/24 in the CIDR field in the UI.

16.15.2. Limitations

• IP Reservation is not supported if active IPs are found outside the Guest VM CIDR.
Use Cases

... supported on all the network configurations: Basic, Advanced, and VPC. Security Groups, Static NAT and Port forwarding services are supported on these additional IPs. As always, you can specify an IP from the guest subnet; if not specified, an IP is automatically picked from the guest VM subnet. You can view the IPs associated with each guest VM NIC in the UI. You can apply NAT on these additional guest IPs by using the network configuration option in the CloudPlatform UI.
passed, NAT is configured on the specified private IP of the VM. If not passed, NAT is configured on the primary IP of the VM.

16.17. Multiple Subnets in Shared Network

CloudPlatform provides you with the flexibility to add guest IP ranges from different subnets in Basic zones and security groups-enabled Advanced zones. For security groups-enabled Advanced zones, this means that multiple subnets can be added to the same VLAN.
About Elastic IP

10. Specify the following. All the fields are mandatory.
   • Gateway: The gateway for the tier you create. Ensure that the gateway is within the Super CIDR range that you specified while creating the VPC, and does not overlap with the CIDR of any existing tier within the VPC.
   • Netmask: The netmask for the tier you create. For example, if the VPC CIDR is 10.0.0.0/16 and the network tier CIDR is 10.0.1.0/24, the gateway of the tier is 10.0.1.1, and the netmask of the tier is 255.255.255.0.
services if a NetScaler device is deployed in your zone. Consider the following illustration for more details. In the illustration, a NetScaler appliance is the default entry or exit point for the CloudPlatform instances, and the firewall is the default entry or exit point for the rest of the data center. NetScaler provides LB and static NAT services to the guest networks. The guest traffic in the pods and the Management Server are on different subnets / VLANs.
Portable IPs

Note: Inbound NAT (INAT) is a type of NAT supported by NetScaler, in which the destination IP address is replaced in the packets from the public network, such as the Internet, with the private IP address of a VM in the private network. Reverse NAT (RNAT) is a type of NAT supported by NetScaler, in which the source IP address is replaced in the packets generated by a VM in the private network with the public IP address.
The salient features of Portable IP are as follows:
• IP is statically allocated
• IP need not be associated with a network
• IP association is transferable across networks
• IP is transferable across both Basic and Advanced zones
• IP is transferable across VPC, non-VPC isolated and shared networks
• Portable IP transfer is available only for static NAT.
6. Specify whether you want cross-zone IP or not.
7. Click Yes in the confirmation dialog.

Within a few moments, the new IP address should appear with the state Allocated. You can now use the IP address in port forwarding or static NAT rules.

16.19.4. Transferring Portable IP

Portable IP is transferred from one network to another only if Static NAT is enabled. However, when a portable IP is associated with a network, you can use it for any service in the network.
5. Click the IP address you want to work with.
6. Click the Static NAT button. The button toggles between Enable and Disable, depending on whether static NAT is currently enabled for the IP address.
7. If you are enabling static NAT, a dialog appears where you can choose the destination VM and click Apply.

16.21. IP Forwarding and Firewalling

By default, all incoming traffic to the public IP address is rejected.
Egress Firewall Rules in an Advanced Zone

2. In the left navigation, choose Network.
3. In Select view, choose Guest networks, then click the Guest network you want.
4. To add an egress rule, click the Egress rules tab and fill out the following fields to specify what type of traffic is allowed to be sent out of VM instances in this guest network:
   • CIDR: (Add by CIDR only) To send traffic only to the IP addresses within a particular address block, enter a CIDR or a comma-separated list of CIDRs.
   a. Log in with admin privileges to the CloudPlatform UI.
   b. In the left navigation bar, click Service Offerings.
   c. In Select Offering, choose Network Offering.
   d. Click Add Network Offering.
   e. In the dialog, make the necessary choices, including the firewall provider.
   f. In the Default egress policy field, specify the behaviour.
   g. Click OK.
2. Create an isolated network by using this network offering.
   • ICMP Type and ICMP Code: Used only if Protocol is set to ICMP. Provide the type and code required by the ICMP protocol to fill out the ICMP header. Refer to ICMP documentation for more details if you are not sure what to enter.
7. Click Add.

16.21.3. Port Forwarding

A port forward service is a set of port forwarding rules that define a policy. A port forward service is then applied to one or more guest VMs.
• Least connection
• Source IP

This is similar to port forwarding but the destination may be multiple IP addresses.

16.23. DNS and DHCP

The Virtual Router provides DNS and DHCP services to the guests. It proxies DNS requests to the DNS server configured on the Availability Zone.

16.24. Remote Access VPN

CloudPlatform account owners can create virtual private networks (VPN) to access their virtual machines.
Using Remote Access VPN with Windows

• remote.access.vpn.psk.length – Length of the IPSec key.
• remote.access.vpn.user.limit – Maximum number of VPN users per account.

To enable VPN for a particular network:
1. Log in as a user or administrator to the CloudPlatform UI.
2. In the left navigation, click Network.
3. Click the name of the network you want to work with.
4. Click View IP Addresses.
5. Click one of the displayed IP address names.
6. Click the Enable VPN button.
12. Enter the user name and password from step 1.

16.24.3. Using Remote Access VPN with Mac OS X

First, be sure you've configured the VPN settings in your CloudPlatform install. This section is only concerned with connecting via Mac OS X to your VPN. Note, these instructions were written on Mac OS X 10.7.5. They may differ slightly in older or newer releases of Mac OS X.
1. On your Mac, open System Preferences and click Network.
2.
Setting Up a Site-to-Site VPN Connection

Note: In addition to the specific Cisco and Juniper devices listed above, the expectation is that any Cisco or Juniper device running on the supported operating systems is able to establish VPN connections.

To set up a Site-to-Site VPN connection, perform the following:
1. Create a Virtual Private Cloud (VPC). See Section 16.27, “Configuring a Virtual Private Cloud”.
2. Create a VPN Customer Gateway.
3. Create a VPN gateway for the VPC that you created.
4.
Provide the following information:
• Name: A unique name for the VPN customer gateway you create.
• Gateway: The IP address for the remote gateway.
• CIDR list: The guest CIDR list of the remote subnets. Enter a CIDR or a comma-separated list of CIDRs. Ensure that a guest CIDR list does not overlap with the VPC’s CIDR or another guest CIDR. The CIDR must be RFC1918-compliant.
Note: The IKE peers (VPN end points) authenticate each other by computing and sending a keyed hash of data that includes the Preshared key. If the receiving peer is able to create the same hash independently by using its Preshared key, it knows that both peers must share the same secret, thus authenticating the customer gateway.

• IKE Encryption: The Internet Key Exchange (IKE) policy for phase-1.
Note: When PFS is turned on, for every negotiation of a new phase-2 SA the two gateways must generate a new set of phase-1 keys. This is the extra layer of protection that PFS adds: it ensures that once the phase-2 SAs have expired, the keys used for new phase-2 SAs have not been generated from the current phase-1 keying material.

• IKE Lifetime (seconds): The phase-1 lifetime of the security association in seconds. Default is 86400 seconds (1 day).
   The VPC page is displayed where all the tiers you created are listed in a diagram.
5. Click the Settings icon. For each tier, the following options are displayed:
   • Internal LB
   • Public LB IP
   • Static NAT
   • Virtual Machines
   • CIDR
   The following router information is displayed:
   • Private Gateways
   • Public IP Addresses
   • Site-to-Site VPNs
   • Network ACL Lists
6. Select Site-to-Site VPN.
   All the VPCs that you create for the account are listed in the page.
4. Click the Configure button of the VPC to which you want to deploy the VMs.
   The VPC page is displayed where all the tiers you created are listed in a diagram.
5. Click the Settings icon.
   • Gateway
   • State
   • IPSec Preshared Key
   • IKE Policy
   • ESP Policy

16.24.4.4. Restarting and Removing a VPN Connection

1. Log in to the CloudPlatform UI as an administrator or end user.
2. In the left navigation, choose Network.
3. In the Select view, select VPC.
   All the VPCs that you have created for the account are listed in the page.
4. Click the Configure button of the VPC to which you want to deploy the VMs.
9. To remove a VPN connection, click the Delete VPN connection button. To restart a VPN connection, click the Reset VPN connection button present in the Details tab.

16.25. Isolation in Advanced Zone Using Private VLAN

Isolation of guest traffic in shared networks can be achieved by using Private VLANs (PVLAN). PVLANs provide Layer 2 isolation between ports within the same VLAN.
• Understanding Private VLANs
• Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment
• Private VLAN (PVLAN) on vNetwork Distributed Switch - Concept Overview (1010691)

16.25.2. Prerequisites

• Use a PVLAN-supported switch. See Private VLAN Catalyst Switch Support Matrix for more information.
• All the layer 2 switches, which are PVLAN-aware, are connected to each other, and one of them is connected to a router.
9. Click Add guest network. The Add guest network window is displayed.
10. Specify the following:
   • Name: The name of the network. This will be visible to the user.
   • Description: The short description of the network that can be displayed to users.
   • VLAN ID: The unique ID of the VLAN.
   • Secondary Isolated VLAN ID: The unique ID of the Secondary Isolated VLAN. For the description on Secondary Isolated VLAN, see Section 16.25.1, “About Private VLAN”.
About Inter-VLAN Routing

This feature is supported on XenServer and VMware hypervisors.

The major advantages are:
• The administrator can deploy a set of VLANs and allow users to deploy VMs on these VLANs. A guest VLAN is randomly allotted to an account from a pre-specified set of guest VLANs. All the VMs of a certain tier of an account reside on the guest VLAN allotted to that account.

Note: A VLAN allocated for an account cannot be shared between multiple accounts.
To set up a multi-tier Inter-VLAN deployment, see Section 16.27, “Configuring a Virtual Private Cloud”.

16.27. Configuring a Virtual Private Cloud

16.27.1. About Virtual Private Clouds

CloudPlatform Virtual Private Cloud is a private, isolated part of CloudPlatform. A VPC can have its own virtual network topology that resembles a traditional physical network.
• Private Gateway: All the traffic to and from a private network is routed to the VPC through the private gateway. For more information, see Section 16.27.5, “Adding a Private Gateway to a VPC”.
• VPN Gateway: The VPC side of a VPN connection.
• Site-to-Site VPN Connection: A hardware-based VPN connection between your VPC and your datacenter, home network, or co-location facility. For more information, see Section 16.24.4, “Setting Up a Site-to-Site VPN Connection”.
• All network tiers inside the VPC should belong to the same account.
• When a VPC is created, by default, a SourceNAT IP is allocated to it. The Source NAT IP is released only when the VPC is removed.
• A public IP can be used for only one purpose at a time. If the IP is a sourceNAT, it cannot be used for StaticNAT or port forwarding.
• The instances can only have a private IP address that you provision.
Adding Tiers

Provide the following information:
• Name: A short name for the VPC that you are creating.
• Description: A brief description of the VPC.
• Zone: Choose the zone where you want the VPC to be available.
• Super CIDR for Guest Networks: Defines the CIDR range for all the tiers (guest networks) within a VPC. When you create a tier, ensure that its CIDR is within the Super CIDR value you enter. The CIDR must be RFC1918 compliant.
Note: The end users can see their own VPCs, while root and domain admin can see any VPC they are authorized to see.

4. Click the Configure button of the VPC for which you want to set up tiers.
5. Click Create network. The Add new tier dialog is displayed.
   If you have already created tiers, the VPC diagram is displayed. Click Create Tier to add a new tier.
6. Specify the following. All the fields are mandatory.
Configuring Network Access Control List

   For more information, see Section 12.10.3, “Assigning VLANs to Isolated Networks”.
   • Netmask: The netmask for the tier you create. For example, if the VPC CIDR is 10.0.0.0/16 and the network tier CIDR is 10.0.1.0/24, the gateway of the tier is 10.0.1.1, and the netmask of the tier is 255.255.255.0.
7. Click OK.
8. Continue with configuring access control list for the tier.

16.27.4.
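The CIDR rules this guide states for a tier (its CIDR derived from the Gateway and Netmask fields must lie inside the VPC's Super CIDR and must not overlap an existing tier) and for a VPN customer gateway's CIDR list (each entry RFC 1918 compliant, no overlap with the VPC's CIDR or another guest CIDR), as an added Python example built on the standard ipaddress module. This is not CloudPlatform's own validation code; the function names and the sample CIDRs are constructed for illustration.

```python
import ipaddress

# RFC 1918 blocks: the guide requires the Super CIDR, tier CIDRs and customer
# gateway CIDR lists to be RFC 1918 compliant.
RFC1918_BLOCKS = [
    ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_cidr(text):
    """Parse one CIDR strictly (host bits must be zero); raises ValueError otherwise."""
    return ipaddress.ip_network(text.strip(), strict=True)


def is_rfc1918(net):
    """True if the whole network lies inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def validate_tier(vpc_super_cidr, existing_tier_cidrs, gateway, netmask):
    """Check the Gateway/Netmask pair entered for a new tier (hypothetical helper).

    Returns a list of problems; an empty list means the tier is acceptable.
    The tier CIDR is derived from the gateway and netmask exactly as in the
    guide's example: gateway 10.0.1.1 with netmask 255.255.255.0 -> 10.0.1.0/24.
    """
    problems = []
    super_net = parse_cidr(vpc_super_cidr)
    gw = ipaddress.ip_address(gateway)
    # strict=False lets the gateway (a host address) stand in for its network.
    tier = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    if gw in (tier.network_address, tier.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {tier}")
    if not tier.subnet_of(super_net):
        problems.append(f"tier {tier} is outside the Super CIDR {super_net}")
    for cidr in existing_tier_cidrs:
        other = parse_cidr(cidr)
        if tier.overlaps(other):
            problems.append(f"tier {tier} overlaps existing tier {other}")
    return problems


def validate_customer_gateway_cidrs(vpc_super_cidr, cidr_list):
    """Check a VPN customer gateway CIDR list (comma-separated string; hypothetical helper).

    Each remote subnet must be RFC 1918, must not overlap the VPC's CIDR, and
    must not overlap another entry in the same list. Malformed entries are
    reported rather than raising, so the caller gets every problem at once.
    """
    problems = []
    vpc_net = parse_cidr(vpc_super_cidr)
    remotes = []
    for item in cidr_list.split(","):
        try:
            net = parse_cidr(item)
        except ValueError as exc:
            problems.append(f"{item.strip()!r} is not a valid CIDR: {exc}")
            continue
        if not is_rfc1918(net):
            problems.append(f"{net} is not RFC 1918 compliant")
        if net.overlaps(vpc_net):
            problems.append(f"{net} overlaps the VPC CIDR {vpc_net}")
        for earlier in remotes:
            if net.overlaps(earlier):
                problems.append(f"{net} overlaps another guest CIDR {earlier}")
        remotes.append(net)
    return problems


if __name__ == "__main__":
    # Constructed sample: a /16 VPC with one tier already present.
    print(validate_tier("10.0.0.0/16", ["10.0.1.0/24"], "10.0.2.1", "255.255.255.0"))
    print(validate_tier("10.0.0.0/16", ["10.0.1.0/24"], "10.0.1.1", "255.255.255.0"))
    print(validate_customer_gateway_cidrs("10.0.0.0/16", "192.168.10.0/24, 10.0.5.0/24"))
```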
   • Virtual Machines
   • CIDR
   The following router information is displayed:
   • Private Gateways
   • Public IP Addresses
   • Site-to-Site VPNs
   • Network ACL Lists
5. Select Network ACL Lists. The following default rules are displayed in the Network ACLs page: default_allow, default_deny.
6. Click Add ACL Lists, and specify the following:
   • ACL List Name: A name for the ACL list.
   • Description: A short description of the ACL list that can be displayed to users.

16.27.4.3.
   protocol is typically used to send error messages or network monitoring data. All supports all traffic. The other option is Protocol Number.
   • Start Port, End Port (TCP, UDP only): A range of listening ports that are the destination for the incoming traffic. If you are opening a single port, use the same number in both fields.
   • Protocol Number: The protocol number associated with IPv4. For more information, see Protocol Numbers.
16.27.5. Adding a Private Gateway to a VPC

A private gateway can be added by the root admin only. The VPC private network has a 1:1 relationship with the NIC of the physical network. You can configure multiple private gateways to a single VPC. No gateways with duplicated VLAN and IP are allowed in the same data center.

1. Log in to the CloudPlatform UI as an administrator or end user.
2. In the left navigation, choose Network.
3. In the Select view, select VPC.
8. Specify the following:
   • Physical Network: The physical network you have created in the zone.
   • IP Address: The IP address associated with the VPC gateway.
   • Gateway: The gateway through which the traffic is routed to and from the VPC.
   • Netmask: The netmask associated with the VPC gateway.
   • VLAN: The VLAN associated with the VPC gateway.
   • Source NAT: Select this option to enable the source NAT service on the VPC private gateway. See Section 16.27.5.
gateway to avoid IP conflicts. If Source NAT is enabled, the guest VMs in the VPC reach the enterprise network via the private gateway IP address by using the NAT service. The Source NAT service on a private gateway can be enabled while adding the private gateway. On deletion of a private gateway, source NAT rules specific to the private gateway are deleted. To enable source NAT on existing private gateways, delete them and create them afresh with source NAT.

16.27.5.2.
Deploying VMs to the Tier

16.27.5.4. Blacklisting Routes

CloudPlatform enables you to block a list of routes so that they are not assigned to any of the VPC private gateways. Specify the list of routes that you want to blacklist in the blacklisted.routes global parameter. Note that the parameter update affects only new static route creations. If you block an existing static route, it remains intact and continues functioning. You cannot add a static route if the route is blacklisted for the zone.

16.27.6.
   For more information about how the templates came to be in this list, see Chapter 13, Working with Templates.
7. Ensure that the hardware you have allows starting the selected service offering.
8. Under Networks, select networks for the VM you are launching. You can deploy a VM to a VPC tier and multiple shared networks.
9. Click Next, review the configuration and click Launch. Your VM will be deployed to the selected VPC tier and shared network.

16.27.8.
The VPC page is displayed, where all the tiers you created are listed in a diagram. The following options are displayed.
• Internal LB
• Public LB IP
• Static NAT
• Virtual Machines
• CIDR
The following router information is displayed:
• Private Gateways
• Public IP Addresses
• Site-to-Site VPNs
• Network ACL Lists
5. Select IP Addresses. The Public IP Addresses page is displayed.
6. Click Acquire New IP, and click Yes in the confirmation dialog.
• Static NAT
• Virtual Machines
• CIDR
The following router information is displayed:
• Private Gateways
• Public IP Addresses
• Site-to-Site VPNs
• Network ACL Lists
5. Select Public IP Addresses. The IP Addresses page is displayed.
6. Click the IP you want to release.
7. In the Details tab, click the Release IP button. 16.27.10.
The following router information is displayed:
• Private Gateways
• Public IP Addresses
• Site-to-Site VPNs
• Network ACL Lists
5. In the Router node, select Public IP Addresses. The IP Addresses page is displayed.
6. Click the IP you want to work with.
7. In the Details tab, click the Static NAT button. The button toggles between Enable and Disable, depending on whether static NAT is currently enabled for the IP address.
8.
2. Create a network offering, as given in Section 16.27.11.1.2, “Creating a Network Offering for Public LB”.
3. Create a VPC with NetScaler as the Public LB provider. For more information, see Section 16.27.2, “Adding a Virtual Private Cloud”.
4. For the VPC, acquire an IP.
5. Create a public load balancing rule and apply it, as given in Section 16.27.11.1.3, “Creating a Public LB Rule”. 16.27.11.1.2.
16.27.11.1.3. Creating a Public LB Rule
1. Log in to the CloudPlatform UI as an administrator or end user.
2. In the left navigation, choose Network.
3. In the Select view, select VPC. All the VPCs that you have created for the account are listed in the page.
4. Click the Configure button of the VPC for which you want to configure load balancing rules. The VPC page is displayed, where all the tiers you created are listed in a diagram.
• Source
• Stickiness. (Optional) Click Configure and choose the algorithm for the stickiness policy. See Sticky Session Policies for Load Balancer Rules.
• Add VMs: Click Add VMs, then select two or more VMs that will divide the load of incoming traffic, and click Apply.
The new load balancing rule appears in the list. You can repeat these steps to add more load balancing rules for this IP address. 16.27.11.2.
16.27.11.2.2. Enabling Internal LB on a VPC Tier
1. Create a network offering, as given in Section 16.27.11.2.4, “Creating an Internal LB Rule”.
2. Create an internal load balancing rule and apply it, as given in Section 16.27.11.2.4, “Creating an Internal LB Rule”. 16.27.11.2.3.
• Name: Any desired name for the network offering.
• Description: A short description of the offering that can be displayed to users.
• Network Rate: Allowed data transfer rate in MB per second.
• Traffic Type: The type of network traffic that will be carried on the network.
• Guest Type: Choose whether the guest network is isolated or shared.
• Persistent: Indicate whether the guest network is persistent or not.
• Name: A name for the load balancer rule.
• Description: A short description of the rule that can be displayed to users.
• Source IP Address: The source IP from which traffic originates. The IP is acquired from the CIDR of the particular tier on which you want to create the Internal LB rule. For every Source IP, a new Internal LB VM is created for load balancing.
• Source Port: The port associated with the source IP. Traffic on this port is load balanced.
The IP Addresses page is displayed.
6. Click the IP address for which you want to create the rule, then click the Configuration tab.
7. In the Port Forwarding node of the diagram, click View All.
8. Select the tier to which you want to apply the rule.
9. Specify the following:
• Public Port: The port to which public traffic will be addressed on the IP address you acquired in the previous step.
16.27.14. Editing, Restarting, and Removing a Virtual Private Cloud
Note
Ensure that all the tiers are removed before you remove a VPC.
1. Log in to the CloudPlatform UI as an administrator or end user.
2. In the left navigation, choose Network.
3. In the Select view, select VPC. All the VPCs that you have created for the account are listed in the page.
4. Select the VPC you want to work with.
5.
• When you create a guest network, the network offering that you select defines the network persistence. This in turn depends on whether the Persistent option is enabled in the selected network offering.
• An existing network can be made persistent by changing its network offering to an offering that has the Persistent option enabled. While setting this property, the network is provisioned even if it has no running VMs.
Chapter 17. Working with System Virtual Machines
CloudPlatform uses several types of system virtual machines to perform tasks in the cloud. In general, CloudPlatform manages these system VMs and creates, starts, and stops them as needed based on scale and immediate needs. However, the administrator should be aware of them and their roles to assist in debugging issues.
17.1. The System VM Template
The System VMs come from a single template. The System VM has the following characteristics:
• Debian 7.
The VNC traffic never goes through the guest virtual IP, and there is no need to enable VNC within the guest. The console proxy VM periodically reports its active session count to the Management Server. The default reporting interval is five seconds. This can be changed through standard Management Server configuration with the parameter consoleproxy.loadscan.interval.
d. Convert your private key into the PKCS#8 encrypted format:
openssl pkcs8 -topk8 -in yourprivate.key -out yourprivate.pkcs8.encrypted.key
e. Convert your PKCS#8 encrypted private key into the PKCS#8 format that is compliant with CloudPlatform:
openssl pkcs8 -in yourprivate.pkcs8.encrypted.key -out yourprivate.pkcs8.key
3. In the Update SSL Certificate screen of the CloudPlatform UI, paste the following:
• Certificate from step 1(c).
• Private key from step 1(e).
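A pre-flight check to run on the key file produced by step e before pasting it into the Update SSL Certificate screen. This is an added example, not part of the guide; it decides from the PEM header line only and assumes that "the PKCS#8 format that is compliant with CloudPlatform" means the unencrypted PKCS#8 header (BEGIN PRIVATE KEY). The demo files it creates are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the CloudPlatform guide: classify a PEM private key
# by its header and report whether it is ready for the Update SSL Certificate
# screen. Assumption: CloudPlatform wants the unencrypted PKCS#8 form
# ("-----BEGIN PRIVATE KEY-----"); step d's output still has the ENCRYPTED
# header and must go through step e first.

# Print one of: pkcs8-unencrypted, pkcs8-encrypted, pkcs1-rsa, unknown.
# Always returns 0 so it is safe inside $(...) under 'set -e'.
pem_key_type() {
    header=$(grep '^-----BEGIN ' "$1" 2>/dev/null | head -n 1)
    case "$header" in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8-unencrypted ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1-rsa ;;
        *)                                       echo unknown ;;
    esac
    return 0
}

# Returns 0 only for the unencrypted PKCS#8 form; 1 otherwise.
# If step e produced a traditional "RSA PRIVATE KEY" header (OpenSSL 1.0.x
# writes that), rewrite it with: openssl pkcs8 -topk8 -nocrypt -in ... -out ...
check_key_for_cloudplatform() {
    [ "$(pem_key_type "$1")" = pkcs8-unencrypted ]
}

# Demo on constructed placeholder files; the bodies are NOT real key material.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/yourprivate.key"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END PRIVATE KEY-----' > "$demo_dir/yourprivate.pkcs8.key"
for f in "$demo_dir/yourprivate.key" "$demo_dir/yourprivate.pkcs8.key"; do
    if check_key_for_cloudplatform "$f"; then
        echo "$(basename "$f"): $(pem_key_type "$f") - ready to paste"
    else
        echo "$(basename "$f"): $(pem_key_type "$f") - run steps d and e first"
    fi
done
rm -rf "$demo_dir"
```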
17.4.2. Upgrading a Virtual Router with System Service Offerings
When CloudPlatform creates a virtual router, it uses default settings which are defined in a default system service offering. See Section 9.2, “System Service Offerings”. All the virtual routers in a single guest network use the same system service offering. You can upgrade the capabilities of the virtual router by creating and applying a custom system service offering.
1.
Chapter 18. System Reliability and High Availability
18.1. HA for Management Server
The CloudPlatform Management Server should be deployed in a multi-node configuration such that it is not susceptible to individual server failures. The Management Server itself (as distinct from the MySQL database) is stateless and may be placed behind a load balancer. Normal operation of Hosts is not impacted by an outage of all Management Servers. All guest VMs will continue to work.
18.4. Primary Storage Outage and Data Loss
When a primary storage outage occurs, all hosts in that cluster are rebooted. This ensures that affected VMs running on the hypervisor are appropriately marked as stopped. Guests that are marked for HA will be restarted as soon as practical when the primary storage comes back online. With NFS, the hypervisor may allow the virtual machines to continue running depending on the nature of the issue.
18.6.2. Limitations on API Throttling
The following limitations exist in the current implementation of this feature.
Note
Even with these limitations, CloudPlatform is still able to effectively use API throttling to avoid malicious attacks causing denial of service.
• In a deployment with multiple Management Servers, the cache is not synchronized across them.
Chapter 19. Managing the Cloud
19.1. Using Tags to Organize Resources in the Cloud
A tag is a key-value pair that stores metadata about a resource in the cloud. Tags are useful for categorizing resources. For example, you can tag a user VM with a value that indicates the user's city of residence. In this case, the key would be "city" and the value might be "Toronto" or "Tokyo." You can then request CloudPlatform to find all resources that have a given tag; for example, VMs for users in a given city.
• listNetworkACLs
• listStaticRoutes
19.2. Setting Configuration Parameters
19.2.1. About Configuration Parameters
CloudPlatform provides a variety of settings you can use to set limits, configure features, and enable or disable features in the cloud. Once your Management Server is running, you might need to set some of these configuration parameters, depending on what optional features you are setting up.
Field: host
Value: This is the IP address of the Management Server. If you are using multiple Management Servers, you should enter a load balanced IP address that is reachable via the private network.
Field: default.page.size
Value: Maximum number of items per page that can be returned by a CloudStack API command. The limit applies at the cloud level and can vary from cloud to cloud.
4. Click the name of the resource where you want to set a limit.
5. Click the Settings tab.
6. Use the search box to narrow down the list to those you are interested in.
7. In the Actions column, click the Edit icon to modify a value.
19.2.4. Granular Global Configuration Parameters
The following global configuration parameters have been made more granular. The parameters are listed under three different scopes: account, cluster, and zone.
Scope: account
Field: remote.
are sent that the available memory is below the threshold.
Scope: cluster
Field: cluster.cpu.allocated.capacity.disablethreshold
Value: The percentage, as a value between 0 and 1, of CPU utilization above which allocators will disable that cluster from further usage. Keep the corresponding notification threshold lower than this value to be notified beforehand.
Scope: cluster
Field: cluster.memory.allocated.capacity.
because the available storage capacity is below the threshold.
Scope: zone
Field: storage.overprovisioning.factor
Value: Used for storage overprovisioning calculation; available storage will be the mathematical product of actualStorageSize and storage.overprovisioning.factor.
Scope: zone
Field: network.throttling.rate
Value: Default data transfer rate in megabits per second allowed in a network.
Scope: zone
Field: guest.domain.suffix
Value: Default domain name for VMs inside a virtual network with a router.
For a list of CloudPlatform alerts, see Appendix B, Alerts. For the most up-to-date list, call the listAlerts API.
Note
In addition to alerts, CloudPlatform also generates events. Unlike alerts, which indicate issues of concern, events track all routine user and administrator actions in the cloud. For example, every time a guest VM starts, this creates an associated event. Events are stored in the Management Server’s database.
Each SNMP trap contains the following information: message, podId, dataCenterId, clusterId, and generationTime.
19.4.2.2. Syslog Alert Details
CloudPlatform generates a syslog message for every alert. Each syslog message includes the fields alertType, message, podId, dataCenterId, and clusterId, in the following format. If any field does not have a valid value, it will not be included.
The following example shows how to configure two Syslog managers at IP addresses 10.1.1.1 and 10.1.1.2. Substitute your own IP addresses. You can set Facility to any syslog-defined value, such as LOCAL0 - LOCAL7. Do not change the other values.
• For all networks, if a network domain is specified as part of a network's own configuration, that value is used.
• For an account-specific network, the network domain specified for the account is used. If none is specified, the system looks for a value in the domain, zone, and global configuration, in that order.
• For a domain-specific network, the network domain specified for the domain is used.
Chapter 20. CloudPlatform API
The CloudPlatform API is a low-level API that has been used to implement the CloudPlatform web UIs. It is also a good basis for implementing other popular APIs such as EC2/S3 and emerging DMTF standards. Many CloudPlatform API calls are asynchronous. These return a Job ID immediately when called. This Job ID can be used to query the status of the job later. Also, status calls on impacted resources will provide some indication of their state.
• local-hostname. The hostname of the VM.
• public-ipv4. The first public IP for the router (e.g. the first IP of eth2).
• public-hostname. This is the same as public-ipv4.
• instance-id.
Chapter 21. Tuning
This section provides tips on how to improve the performance of your cloud.
21.1. Performance Monitoring
Host and guest performance monitoring is available to end users and administrators. This allows the user to monitor their utilization of resources and determine when it is appropriate to choose a more powerful service offering or larger disk.
21.2.
For more information about the buffer pool, see "The InnoDB Buffer Pool" in the MySQL Reference Manual.
21.4. Set and Monitor Total VM Limits per Host
The CloudPlatform administrator should monitor the total number of VM instances in each cluster, and disable allocation to the cluster if the total is approaching the maximum that the hypervisor can handle.
Chapter 22. Troubleshooting
22.1. Events
An event is essentially a significant or meaningful change in the state of both virtual and physical resources associated with a cloud environment. Events are used by monitoring systems, usage and billing systems, or any other event-driven workflow systems to discern a pattern and make the right business decision.
Configuration
As a CloudPlatform administrator, perform the following one-time configuration to enable the event notification framework. At run time, no changes can control the behaviour.
1. Open componentContext.xml.
2. Define a bean named eventNotificationBus as follows:
• name: Specify a name for the bean.
• server: The name or the IP address of the RabbitMQ AMQP server.
• port: The port on which the RabbitMQ server is running.
• INFO. This event is generated when an operation has been successfully performed.
• WARN. This event is generated in the following circumstances:
  • When a network is disconnected while monitoring a template download.
  • When a template download is abandoned.
  • When an issue on the storage server causes the volumes to fail over to the mirror storage server.
• ERROR. This event is generated when an operation has not been successfully performed. 22.1.5.
22.1.6.1. Permissions
Consider the following:
• The root admin can delete or archive one or multiple alerts or events.
• The domain admin or end user can delete or archive one or multiple events.
22.1.6.2. Procedure
1. Log in as administrator to the CloudPlatform UI.
2. In the left navigation, click Events.
3. Perform either of the following:
• To archive events, click Archive Events, and specify event type and date.
22.3. Log Collection Utility cloud-bugtool
CloudPlatform provides a command-line utility called cloud-bugtool to make it easier to collect the logs and other diagnostic data required for troubleshooting. This is especially useful when interacting with Citrix Technical Support.
Cause
It is possible that a client from outside the intended pool has mounted the storage. When this occurs, the LVM is wiped and all data in the volume is lost.
Solution
When setting up LUN exports, restrict the range of IP addresses that are allowed access by specifying a subnet mask. For example:
echo "/export 192.168.1.0/24(rw,async,no_root_squash)" > /etc/exports
Adjust the above command to suit your deployment needs.
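A way to verify the fix above across a whole exports file rather than one line: this added example (not from the guide) audits an exports file and flags every entry whose client list would let a host outside the intended pool mount the LUN. It assumes the standard one-export-per-line, host(options) layout; the exports file in the demo is constructed here, not a real /etc/exports.

```shell
#!/bin/sh
# Added example, not from the CloudPlatform guide: find exports that are not
# restricted to a subnet (no client list, a wildcard client, or a /0 CIDR),
# which is how a client outside the intended pool can mount and wipe the LVM.

# Prints one "RISK <reason> <path> <spec>" line per problem, then the count.
# Runs in a subshell so 'set -f' (stop '*' specs from glob-expanding) and the
# positional-parameter juggling do not leak into the caller.
audit_exports() (
    set -f
    file=$1
    risky=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        set -- $line                               # split: path, then specs
        path=$1; shift
        if [ $# -eq 0 ]; then                      # no client list at all
            echo "RISK no-client-restriction $path"
            risky=$((risky + 1))
            continue
        fi
        for spec in "$@"; do
            host=${spec%%\(*}                      # drop "(options)"
            case "$host" in
                ''|*\**|*\?*)                      # "*", "*.corp", bare "(rw)"
                    echo "RISK wildcard-client $path $spec"
                    risky=$((risky + 1)) ;;
                */0)                               # 0.0.0.0/0 means everyone
                    echo "RISK open-cidr $path $spec"
                    risky=$((risky + 1)) ;;
            esac
        done
    done < "$file"
    echo "$risky"
)

# Demo with a constructed exports file; the first line is the guide's example.
demo=$(mktemp)
cat > "$demo" <<'EOF'
/export 192.168.1.0/24(rw,async,no_root_squash)
/export-old *(rw,no_root_squash)
/export-bare
# trusted range plus a hostname wildcard
/export-mixed 10.0.0.0/8(ro) *.corp.example(rw)
EOF
audit_exports "$demo"
rm -f "$demo"
```

Only the guide's own line passes; the demo reports three risky entries and prints 3 as the final line.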
Cause
The CloudPlatform administrator UI was used to place the host in scheduled maintenance mode. This mode is separate from vCenter's maintenance mode.
Solution
Use vCenter to place the host in maintenance mode.
More Information
See Section 12.2, “Scheduled Maintenance and Maintenance Mode for Hosts”.
22.7. Unable to deploy VMs from uploaded vSphere template
Symptom
When attempting to create a VM, the VM will not deploy.
VMware Knowledge Base Article
22.9. Load balancer rules fail after changing network offering
Symptom
After changing the network offering on a network, load balancer rules stop working.
Cause
Load balancing rules were created while using a network service offering that includes an external load balancer device such as NetScaler, and later the network service offering was changed to one that uses the CloudPlatform virtual router.
Appendix A. Event Types
VM.CREATE
VM.DESTROY
VM.START
VM.STOP
VM.REBOOT
VM.UPGRADE
VM.RESETPASSWORD
ROUTER.CREATE
ROUTER.DESTROY
ROUTER.START
ROUTER.
TEMPLATE.EXTRACT
TEMPLATE.UPLOAD
TEMPLATE.CLEANUP
VOLUME.CREATE
VOLUME.DELETE
VOLUME.ATTACH
VOLUME.DETACH
VOLUME.UPLOAD
SERVICEOFFERING.CREATE
SERVICEOFFERING.UPDATE
SG.REVOKE.INGRESS
HOST.RECONNECT
MAINT.CANCEL
MAINT.CANCEL.PS
MAINT.PREPARE
MAINT.PREPARE.PS
VPN.REMOTE.ACCESS.CREATE
VPN.USER.ADD
VPN.USER.REMOVE
NETWORK.RESTART
Appendix B. Alerts
The following is the list of alert type numbers. The current alerts can be found by calling the listAlerts API command.
STORAGE_DELETE = 20 // Failed to delete storage pool
UPDATE_RESOURCE_COUNT = 21 // Failed to update the resource count
USAGE_SANITY_RESULT = 22 // Usage Sanity Check failed
DIRECT_ATTACHED_PUBLIC_IP = 23 // Number of unallocated shared network IPs is low in availability zone
LOCAL_STORAGE = 24 // Remaining unallocated Local Storage is below configured threshold
RESOURCE_LIMIT_EXCEEDED = 25 // Generated when the resource limit exceeds the limit.