Virtual Machines ‐ OpenStack Documentation
First, make sure you have OpenStack Access.
This documentation serves as a configuration guide for ARCSIM's OpenStack portal. Use this guide to set up your account to your specifications.
Last Updated 2024-10-21
Note
Images supplied by ARCSIM come pre-configured with fail2ban and the UFW firewall enabled. Our default fail2ban and UFW configurations are shown in the tables in their respective sections. A port must be opened in both UFW and the OpenStack security group rules before it is reachable from outside. See the notes below about configuration for more details.
The default configuration applies only to SSH connections and exempts subnets controlled by the University to help avoid accidentally getting locked out of a VM. The default ban time is ten minutes after five attempts. The configuration is handled by /etc/fail2ban/jail.local and all configuration changes should be made to this file so they don’t get overwritten during updates.
Subnet | Notes |
---|---|
130.111.0.0/16 | Static physical IP address on campus |
140.111.0.0/16 | Dynamic IP address from tempest wireless on campus |
10.96.0.0/16 | Administration VPN |
10.98.0.0/16 | Remote Access VPN |
To add additional IP addresses to the ignore list, edit the line starting with ignoreip and append your desired IP address or subnet. The default ignoreip line is shown below for reference.
ignoreip = 130.111.0.0/16 141.114.0.0/16 10.96.0.0/16 10.98.0.0/16
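Before tightening anything, it is worth checking that the address you connect from is actually covered by the ignoreip line. The following is an added example, not part of ARCSIM's images or scripts: it parses the ignoreip line out of a jail.local excerpt constructed from the line above, tests a client address against it, and appends a subnet the way the instructions describe.

```python
import ipaddress
import re

# Constructed excerpt of /etc/fail2ban/jail.local, using the default
# ignoreip line from the documentation above.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 130.111.0.0/16 141.114.0.0/16 10.96.0.0/16 10.98.0.0/16
bantime = 10m
maxretry = 5

[sshd]
enabled = true
"""


def parse_ignoreip(config_text):
    """Return the networks on the (last) ignoreip line as ip_network objects.
    Hostnames and fail2ban's ignoreself option are not handled here."""
    networks = []
    for line in config_text.splitlines():
        m = re.match(r"^\s*ignoreip\s*=\s*(.*)$", line)
        if m:
            networks = [ipaddress.ip_network(tok, strict=False) for tok in m.group(1).split()]
    return networks


def is_exempt(address, networks):
    """True when fail2ban would never ban this address."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in networks)


def add_to_ignoreip(config_text, cidr):
    """Append a subnet to the ignoreip line and return the new file text."""
    ipaddress.ip_network(cidr, strict=False)  # reject typos before editing the file
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"^\s*ignoreip\s*=", line):
            lines[i] = line.rstrip() + " " + cidr
            return "\n".join(lines) + "\n"
    raise ValueError("no ignoreip line found in jail.local")


if __name__ == "__main__":
    nets = parse_ignoreip(JAIL_LOCAL)
    for ip in ("130.111.5.7", "10.98.1.2", "8.8.8.8"):
        print(ip, "exempt" if is_exempt(ip, nets) else "can be banned")
```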
To stop fail2ban, run
sudo systemctl stop fail2ban
To disable fail2ban from automatically starting at boot, run
sudo systemctl disable fail2ban
Port | Description |
---|---|
22 | SSH |
80 | HTTP |
443 | HTTPS |
3389 | RDP |
The default configuration only opens ports 22, 80, 443, and 3389 for SSH, HTTP, HTTPS, and RDP respectively. To add additional rules, use the following syntax, specifying either a service name (for common services) or the port number. Below is an example of allowing web traffic on port 80 using both methods.
sudo ufw allow http
OR
sudo ufw allow 80
To disable ufw, run
sudo ufw disable
To re-enable ufw, run
sudo ufw enable
More common configuration examples can be found at the link below and the ufw man page shows the full range of available command line options.
Common UFW Configuration Examples: https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
The Rocky OpenStack cloud can be accessed at cloud.acg.maine.edu. You should have received an email with your specific account information. It is strongly recommended that you change your password the first time you access the cloud.
This can be done after logging in by clicking on your user name in the top right hand corner of the screen and selecting Settings. This will take you to the settings screen. On the left hand side of the screen you will see a link to Change Password.
Many images use cloud-init to set an SSH key for a specific user when a new instance is launched. For many cloud images password login via SSH is disabled by default, which means that supplying a working key is required to log in the first time. If you are using your own images, as opposed to the stock images that ARCSIM supplies, you’ll likely need to have an SSH key set up in order to log in to your VM. OpenStack allows you to upload a previously created SSH key or can generate new ones. SSH keys are uploaded and generated on the left hand side under Project > Compute > Key Pairs.
In order to use a previously created SSH key, the key needs to be imported into OpenStack so that it can be injected into the instance when a new VM is launched. Before the key can be imported, it needs to be generated. If you already have a key you can skip directly to the import step. If not, follow the instructions below to generate a key pair. Depending on your operating system, you will need to use one of two tools to generate an SSH key pair.
For Mac and Linux users, the ssh-keygen command can be used. In most instances this will already be available on your system and can be run from the command line. Use the following command to generate the keypair.
ssh-keygen -t rsa -f cloud.key
This command will generate a keypair called cloud.key and cloud.key.pub that contain the private and public keys respectively. You can specify the size of the key pair as well by using the -b option shown below.
ssh-keygen -t rsa -b 4096 -f cloud.key
The default is often 3072 and that is usually sufficient. If you decide to specify the key length, you should use a power of 2 such as 4096. The private key should not be shared with anyone and needs to be kept secure. The cloud.key.pub file will be used to upload your key to OpenStack.
For Windows users, you will need to download a separate program, PuTTYgen. You can find this program on the download page from www.putty.org. If you’ll be accessing the VM from Windows, you’ll probably also want to install PuTTY to use as an SSH client.
Digital Ocean has a good write up about generating SSH keys using PuTTYgen. The relevant section is named “Create an SSH Key Pair” and is located near the top of the page.
Alternatively you can use OpenStack to generate a keypair from the Key Pairs menu by clicking on the Create Key Pair button on the right side of the screen. Doing so will bring up the menu shown below where you’ll pick a name for the Key Pair. When you click Create Key Pair button from the menu it will begin the download of the .pem file, in this case called test-key.pem. This contains the private key that you’ll use.
On the Key Pairs tab, click on the Import Key Pair button on the right side of the screen. This will bring up the menu shown below. Pick a name for your key pair that will help you distinguish and remember which one you’re using and then paste the entire contents of the cloud.key.pub file into the Public Key text box.
In order to access a VM from the outside world, a floating IP is required. Floating IPs are allocated from a pool and are associated with a project until manually released. Use the dropdown menu on the Instances tab under Compute on the left hand side of the screen to associate a floating IP with a VM. If the project doesn’t have any available floating IPs, a new one can be associated with the project from the same location by clicking on the (+) sign.
There are default DNS records for the floating IPs that take the form acg-floating-<ip>.acg.maine.edu, where <ip> is the floating IP address associated with the VM with the periods replaced with dashes. For example, if a VM has the floating IP 204.197.4.254 associated with it, the domain would be acg-floating-204-197-4-254.acg.maine.edu. These can be useful for accessing VMs or for use with a service like Let's Encrypt to get valid SSL certificates. The ACG-Package-Suite also has a script, install_letsencrypt.sh, that spins up a docker container that sets up an SSL certificate for a VM provided there’s already a floating IP attached and ports 80 and 443 are open.
Security groups and rules are a firewall on which you will need to open ports in order to have outside access to your VM. The Security Groups page is found on the left hand side of the screen under Network.
Each security group can have multiple rules. All rules for a security group are implemented when a security group is associated with a VM. By default, the default security group has egress rules to allow all traffic out, but no ingress rules. It’s a good idea to keep as little in the default group as possible and use other groups to allow access. Creating rules for common protocols, such as SSH or RDP is as simple as selecting them from the dropdown menu. Generic TCP, UDP, and ICMP rules can also be added by specifying the port.
When selecting the Remote option, use CIDR rather than Security Group; this opens the port(s) only to a single IP or IP range.
To edit the security groups for a running instance go to the Project -> Compute -> Instances tab on the left hand side of the screen and using the dropdown menu on the instance on the right side select Edit Security Groups. This opens the window shown below where the available security groups are shown on the left and the security groups associated with the instance are shown on the right. Click the + button on a security group to associate it with the instance and the - button to remove it.
The first step to launching a VM is to select an image to launch from. In order to take advantage of copy-on-write and make instances quick to launch and snapshot, VMs should be launched from volumes. If you’re using the Ubuntu 16.04 Server or CentOS 7 Server images, you’re advised to set up an SSH key, but the default credentials for the provided Ubuntu and CentOS images are Default User: acguser, Default PW: acgrocks and you will be forced to change the password on the first login.
When using an SSH key pair to access your VM, you’ll need to make sure to allocate a floating IP to the instance and to specify the key file, also called the identity file, in the ssh command using the -i option as shown below.
ssh <user>@<hostname_or_ip> -i <path_to_private_key>
It is strongly recommended that after launching a new VM you set up and configure a separate user, so that in the case of restoring from a snapshot you don’t lose access to the account when the password is automatically changed. ARCSIM provides a number of additional scripts in a git repository at https://github.com/UMaineACG/ACG-Package-Suite that can be used to install and configure your VM. If you’re running one of the provided Ubuntu or CentOS 7 images, the repository has already been installed and the scripts are in your PATH at /usr/local/bin/ACG-Package-Suite/ubuntu/. You’ll find a number of install_ named scripts that can be used to install various packages.
OpenStack offers a limited console access to VMs that can be accessed by clicking on an instance name on the ‘Instances’ page and selecting the ‘Console’ tab. If you’re having trouble interacting with the console on this screen, click on the ‘Click here to show only console’ link at the top. Console access is often slow, but is useful in the event that network access is unavailable to help diagnose and fix issues. The primary method of accessing a VM should not be via the console, but through a network protocol such as SSH, RDP, or VNC.
- Instance Name
  - Name of the instance to be launched
  - Also used as the hostname, but it will be truncated at the first invalid character
- Description
  - Description of the VM
- Availability Zone
  - Leave this at its default
- Count
  - The number of instances to be created. If launching multiple VMs simultaneously, please configure a snapshot to use as the source to reduce load and improve performance.
- Select Boot Source
  - Image
    - Use this option to launch an instance from one of the provided ARCSIM images.
  - Image Snapshot
    - Use this option when launching multiple instances simultaneously.
  - Volume
  - Volume Snapshot
- Volume Size (GB)
  - The size of the volume to create from the Image. The default size is 80GB for all flavors.
- Create New Volume
  - Only available when launching from an image or image snapshot
- Delete Volume on Instance Delete
  - It’s generally a good idea to select this if the VM is expected to be transient. Use this option when launching multiple instances simultaneously to avoid manual volume cleanup.
- Name
  - Flavor name, an easy way to reference the configuration
- VCPUS
  - Number of virtual CPUs
- RAM
  - Amount of RAM
- Total Disk
- Root Disk
  - The size of the root disk volume
- Ephemeral Disk
- Public
  - Is it a public or private image
If the project only has a single network then it should automatically be selected. Just make sure a network has been selected.
Make sure to add any required security groups. For more information about creating security groups, see Security Groups.
If you already have a key, you can import the public key file or create a new key through the web interface. For more information about creating and using keypairs, see SSH Keys.
- Name
- Name of the key pair
- Fingerprint
- Key pair cryptographic fingerprint
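The Fingerprint column is the quickest way to confirm that the key pair OpenStack lists is the cloud.key.pub you generated locally. This added example (not ARCSIM's code) computes both the colon-separated MD5 form OpenStack displays and the SHA256 form ssh-keygen -lf prints, and checks that the type declared at the start of the key line matches the type inside the base64 blob; the sample key line is constructed inline and is not a usable key.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_public_key(line):
    """Split an OpenSSH public key line into (declared type, type inside blob, raw blob)."""
    parts = line.split()
    declared, blob = parts[0], base64.b64decode(parts[1])
    (length,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + length].decode()
    return declared, inner_type, blob


def fingerprint_md5(blob):
    """Colon-separated MD5 of the blob, the form shown on the Key Pairs page."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob):
    """SHA256 form that ssh-keygen -lf cloud.key.pub prints by default."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def key_matches_openstack(line, shown_fingerprint):
    """True when the local public key line is the key OpenStack lists."""
    declared, inner, blob = parse_public_key(line)
    if declared != inner:
        return False  # hand-edited or corrupted key line
    return fingerprint_md5(blob).lower() == shown_fingerprint.strip().lower()


# Constructed ssh-rsa blob with a tiny exponent and modulus so the example
# runs offline; real input is the contents of cloud.key.pub.
_blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xc3\x5f\x21")
SAMPLE_PUB_LINE = "ssh-rsa " + base64.b64encode(_blob).decode() + " user@laptop"

if __name__ == "__main__":
    _, _, blob = parse_public_key(SAMPLE_PUB_LINE)
    print("MD5 (OpenStack):", fingerprint_md5(blob))
    print("SHA256 (ssh-keygen):", fingerprint_sha256(blob))
```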
The Configuration step allows you to pass data into the VM upon creation. There are two options: file upload and direct input of a customization script. The direct input option gives you a text box whose contents will run as a script, while the file upload option allows you to pass in a file. The commands will be run as the root user and the script should begin with an appropriate shebang. Leave the disk partitioning at Automatic unless you know what you’re doing.
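As an added example of what that box accepts (not a script from ARCSIM or the ACG-Package-Suite): a first-boot customization script that runs as root, creates the separate user recommended above, installs an SSH public key for it, and opens one extra UFW port. The user name, key and port are constructed placeholders, and the matching OpenStack security group rule still has to be added separately.

```python
#!/usr/bin/env python3
"""First-boot customization script for an ARCSIM image (hypothetical example)."""
import grp
import os
import pwd
import subprocess

# Constructed placeholders: replace before pasting into the launch dialog.
NEW_USER = "opsadmin"
PUBLIC_KEY = "ssh-rsa AAAA...PLACEHOLDER user@laptop"
EXTRA_PORTS = ["8443/tcp"]


def admin_group():
    """Ubuntu images grant sudo via the sudo group; CentOS uses wheel."""
    try:
        grp.getgrnam("sudo")
        return "sudo"
    except KeyError:
        return "wheel"


def ufw_commands(ports):
    """ufw commands for the extra ports; UFW is already enabled on ARCSIM images."""
    return [["ufw", "allow", port] for port in ports]


def authorized_keys_path(home):
    return os.path.join(home, ".ssh", "authorized_keys")


def create_user(name):
    """Create the separate account if it does not exist yet; return its passwd entry."""
    try:
        return pwd.getpwnam(name)
    except KeyError:
        subprocess.run(["useradd", "-m", "-s", "/bin/bash", "-G", admin_group(), name], check=True)
        return pwd.getpwnam(name)


def install_key(entry, key):
    """Append the public key with the ownership and modes sshd insists on."""
    ssh_dir = os.path.join(entry.pw_dir, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    path = authorized_keys_path(entry.pw_dir)
    with open(path, "a") as fh:
        fh.write(key.strip() + "\n")
    for p, mode in ((ssh_dir, 0o700), (path, 0o600)):
        os.chmod(p, mode)
        os.chown(p, entry.pw_uid, entry.pw_gid)


if __name__ == "__main__" and os.geteuid() == 0:  # cloud-init runs this as root
    install_key(create_user(NEW_USER), PUBLIC_KEY)
    for cmd in ufw_commands(EXTRA_PORTS):
        subprocess.run(cmd, check=True)
```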
Caution
Do not add scheduler hints as it will likely cause VM launch failure.
It’s useful to have a full backup of a VM in a variety of circumstances. OpenStack has the ability to create snapshots of a VM that can be used to spin up a new copy of the VM in the event of an issue. On the Instances page there is a drop down on the right side of the screen. The default option for a running VM is Create Snapshot. Press that button and it will open a screen where you can supply a snapshot name.
The snapshots are listed in the Images page and will show a size of 0 instead of the actual disk size. This is due to the fact that the image is simply a wrapper for the volume. You can verify this on the Volumes page under the Volume Snapshots tab. This will list the volumes associated with the underlying snapshots. When spinning up a new VM from a snapshot, use the Boot from volume snapshot option and select the appropriate volume snapshot. This will fill in the correct value for the size based on the actual size of the volume.
Sometimes a VM needs to be moved to a new project. While the VM itself can’t be directly moved to another project, a volume snapshot can be utilized to create an identical copy of the root volume of the VM and a Volume Transfer can be initiated. Under the Volumes tab on the Volumes page, each volume in the Available state has a drop down menu with an option titled Create Transfer as shown below.
Once clicked, it will bring up a dialog where the transfer can be given a name. It’s useful to pick a meaningful name for the transfer in the event you require assistance.
Once the name has been specified, the transfer will be created and the following screen will be shown.
Important
Make sure to note both the Transfer ID and Authentication Key as both will be required to complete the volume transfer process and CAN NOT be retrieved after the initial creation of the transfer.
With the Transfer ID and Authentication Key in hand, go to the secondary project that you wish to transfer the volume to and on the Volumes tab of the Volumes page you’ll see three buttons in the top right corner. The middle button is Accept Transfer and when clicked will bring up the following dialog where the Transfer ID and Authentication Key can be entered.
Once the Transfer ID and Authentication Key have been entered and the Accept Volume Transfer button has been clicked, the transfer will complete and the volume will now be located in the new project. At this point it's a good idea to create a new snapshot of the volume so that additional copies can be spun up in the future.
Each user has access to the public images. Only admin accounts can upload public images and there is a checkbox for it in the GUI. Regular users can only upload private images, which are only available in the current project. Images can be uploaded in a number of formats, qcow2 being the most common. If the image you want is in AMI format, an administrator will have to upload it for you as AMI images are a special case. RAW format images are the largest in terms of filesize, but will take the least amount of time to launch from because the file system utilizes copy-on-write.
- Name: Name of the Image
- Description: Description of the image. Leave blank due to a bug causing issues with images with descriptions.
- Image Source: Select location of image (url or file)
- Options: Image Location, Image File
- Format: The format of the selected image.
- Options: AKI, ARI, AMI, ISO, OVA, QCOW2, Raw, VDI, VHD, VMDK
- Architecture: Leave this blank.
- Minimum Disk (GB): Minimum size of disk (relates to what flavors can be used)
- Our flavors come with either 40GB or 80GB disks. Set this value to 20GB unless you have a good reason not to.
- Minimum RAM (MB): Minimum amount of RAM (relates to what flavors can be used)
- Our flavors range in amount of RAM with the minimum being 1GB. Set this value to 512MB unless you have a good reason not to.
For more information visit the Advanced Research Computing, Security & Information Management web site.