...

Canadian Access Federation (CAF) provides member institutions with a single sign-on (SSO) solution for access to the network and network resources across Canada. Please check the list of participating institutions to see if you can use the “Federated Single Sign-On” option at https://rac-portal.cybera.ca.

 

...

Key Pairs 

Before instances can be created, users require a key pair that will be injected into the instance to permit access. Any instance launched from an image in the Rapid Access Cloud must use a key pair to access the virtual machine for the first time, because password sign-on is disabled by default. Key pairs are much more secure than a default password, though they do introduce extra steps. Once a key pair is created, it can be used for any future instances that are created; additional key pairs can be generated for different instances if there is a need to restrict access to various systems among different users.

 

Create a key pair

 

  1. Log in to the Rapid Access Cloud dashboard at https://cloud.cybera.ca.

  2. In the left-hand panel under “Compute”, click “Access & Security”.

  3. Click the “Key Pair” tab, then click “+Create Key Pair”.

  4. Enter a <key_pair_name>, then click “Create Key Pair”. The browser will automatically download a file named <key_pair_name>.pem.

  5. Move or save this file on your computer somewhere you will remember. It will be used when accessing instances created with this key pair.

Note: If this key file is saved to an operating system that uses file-system permissions (Unix, Linux, BSD, OSX) then make sure the permissions are set appropriately. Typically, the .ssh directory permissions ought to be set to 700 (drwx------) and the private key (*.pem) should be 600 (-rw-------).

 

$ chmod 600 /path/to/<key_pair_name>.pem
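A way to check the permissions described in the note above before using the key, as an added example (not part of the original guide). The function name and return format are choices made for this sketch; the directory is only reported, not changed, because the key may have been saved into a shared folder.

```python
import os
import stat
import sys

TOO_OPEN = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def audit_key_permissions(key_path, fix=False):
    """Check a private key (600) and the directory holding it (700).

    Returns a list of (path, actual, expected) for every problem that
    remains. With fix=True the key file itself is first tightened to 600.
    """
    key_path = os.path.abspath(key_path)
    if fix:
        os.chmod(key_path, 0o600)
    findings = []
    targets = [(key_path, "600"), (os.path.dirname(key_path), "700")]
    for path, expected in targets:
        info = os.stat(path)
        mode = stat.S_IMODE(info.st_mode)
        if mode & TOO_OPEN:
            findings.append((path, format(mode, "03o"), expected))
        # A key or directory owned by another account can be changed by it.
        if info.st_uid != os.getuid():
            findings.append((path, "uid %d" % info.st_uid,
                             "uid %d" % os.getuid()))
    return findings


if __name__ == "__main__":
    # Usage: python3 check_key.py /path/to/<key_pair_name>.pem
    problems = audit_key_permissions(sys.argv[1])
    for path, actual, expected in problems:
        print("%s: found %s, expected %s" % (path, actual, expected))
    sys.exit(1 if problems else 0)
```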

...

About key pairs

...

Key pairs are a set of mathematically generated strings: one is the private key and the other is the public key. The key pairs used in the Rapid Access Cloud are ssh keys generated by the OpenStack dashboard, which keeps the public key to be injected as needed into new instances; the private key is the *.pem file automatically downloaded by the browser in the steps above. If you already have a key pair suited for use, import that key by following the steps in the Advanced Guide.

Caution: The private key generated in the step above is not recoverable if it is lost. It is highly recommended that a backup of the key is made and kept safe, ideally on a separate hard drive or USB key.

A detailed explanation of public-key cryptography is out of the scope of this document; this will help you understand it better.

 

...

Security Groups 

Security groups are the policies that govern access to the network ports of an instance. They act as firewalls for instances, with a set of default policies that block all access to each port from any source, including the computer you are using to access the Rapid Access Cloud dashboard. Before an instance can be accessed, the appropriate ports will need to be opened and a source IP address or range of addresses will need to be configured.

 

There is a default security group that cannot be deleted; however, rules can be added to it and removed from it. Additional security groups can also be created depending on need. When a Rapid Access Cloud account is created, the default security group is empty and a few rules are required to permit basic access.

Modify the default security group

...

  1. Log in to the Rapid Access Cloud dashboard at https://cloud.cybera.ca.

  2. In the left-hand panel under “Compute”, click “Access & Security”.

  3. Click the “Security Groups” tab, then click the “Manage Rules” button on the right-hand side associated with the “default” security group. The list is initially empty; we are going to add rules that:

    1. permit ICMP for ping and traceroute, from any IPv4 or IPv6 address

    2. permit ssh from any IPv4 or IPv6 address

  4. Click “+Add Rule” in the top right. We are going to be adding four rules. For each rule input the values, then click the blue “Add” button. Note, the first and third rules are for IPv4 access, while the second and fourth are for IPv6:

 

       Rule: (All ICMP)    Remote: (CIDR)    CIDR: 0.0.0.0/0

       Rule: (All ICMP)    Remote: (CIDR)    CIDR: ::/0

       Rule: (SSH)         Remote: (CIDR)    CIDR: 0.0.0.0/0

       Rule: (SSH)         Remote: (CIDR)    CIDR: ::/0

  5. Verify the new security group rules in the “default” security group.
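How the rules above are evaluated, as an added example (not part of the original guide): a small model of the default-deny behaviour that reports which sources each rule set admits and which rules use a CIDR covering every address. The dictionary layout and function names are choices made for this sketch, and the narrowed SSH rule is a hypothetical variant using a documentation address range.

```python
import ipaddress

# Constructed data: the four rules added in the steps above.
PAGE_RULES = [
    {"rule": "All ICMP", "protocol": "icmp", "port": None, "cidr": "0.0.0.0/0"},
    {"rule": "All ICMP", "protocol": "icmp", "port": None, "cidr": "::/0"},
    {"rule": "SSH", "protocol": "tcp", "port": 22, "cidr": "0.0.0.0/0"},
    {"rule": "SSH", "protocol": "tcp", "port": 22, "cidr": "::/0"},
]
# Hypothetical variant: SSH limited to one documentation range (RFC 5737).
NARROWED_RULES = PAGE_RULES[:2] + [
    {"rule": "SSH", "protocol": "tcp", "port": 22, "cidr": "203.0.113.0/24"},
]


def source_allowed(rules, protocol, port, source_ip):
    """True if some rule admits source_ip to protocol/port."""
    addr = ipaddress.ip_address(source_ip)
    for r in rules:
        net = ipaddress.ip_network(r["cidr"])
        if (r["protocol"] == protocol and r["port"] in (None, port)
                and addr.version == net.version and addr in net):
            return True
    return False  # no matching rule: the default policy blocks the traffic


def open_to_any_source(rules):
    """List (rule, port, cidr) entries whose CIDR covers every address."""
    return [(r["rule"], r["port"], r["cidr"]) for r in rules
            if ipaddress.ip_network(r["cidr"]).prefixlen == 0]


if __name__ == "__main__":
    for name, rules in (("page rules", PAGE_RULES), ("narrowed", NARROWED_RULES)):
        print(name)
        for src in ("203.0.113.5", "198.51.100.7", "2001:db8::1"):
            print("  ssh from %-14s %s" % (src, source_allowed(rules, "tcp", 22, src)))
        print("  open to any source:", open_to_any_source(rules))
```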

...

Instances 

Instances are the virtual machines that run in the Rapid Access Cloud, and they are provisioned with a set of specifications not unlike traditional bare-metal hardware, with processors, memory and storage being the primary configurable elements. The Rapid Access Cloud utilizes flavors, or pre-configured templates, that determine the number of virtual CPUs (vCPU), available memory (RAM) and disk space. There are six flavors to choose from, with the details of each available during the instance creation process.

Launch an instance

...

  1. Log in to the Rapid Access Cloud dashboard at https://cloud.cybera.ca.

  2. In the left-hand panel under “Compute”, click “Instances”.

  3. Click on “Launch Instance” in the top right corner.

  4. In the “Details” tab, specify the following parameters. Do not yet click “Launch”:

 

...

       Availability Zone: (nova)

       Instance Name: <your_instance_name>

       Flavor: (m1.small)

       Instance Count: 1

       Instance Boot Source: (Boot from image)

       Image Name: Ubuntu 14.04

  5. Click the “Access & Security” tab within the Launch Instance field, and select the <key_pair_name> created earlier in the tutorial. The default security group should be checked as well.

  6. Click the “Launch” button. It should take the instance less than 2 minutes to launch; progress can be monitored in the “Status” column and should say “Active” when ready.

 

About Flavors

 

OpenStack uses ‘flavors’ to define the compute, memory, and storage capacity of computing instances. To put it simply, a flavor is an available hardware configuration for a server. The flavors available in the Rapid Access Cloud allow for a broad deployment of virtual machines given the default quotas available to users. The flavors are in two classes: m1 and g1.

  • M1 class flavors are General Purpose Instances. This family provides a balance of compute, memory, and network resources, and it is a good choice for many applications.

  • G1 instances are intended for general-purpose GPU compute applications. Use cases include machine learning, rendering, and other server-side GPU compute workloads. (See the Advanced Guide for more on how to launch GPU instances.)

 

Accessing instances

...

Having an instance up and running is one thing, and perhaps a single Linux ‘sandbox’ to run some code is all that is needed. However, the real power of computers, virtual or otherwise, is in connectivity, and that means networks. The instances in the Rapid Access Cloud can be connected to and accessed in a variety of ways, permitting users to create an environment with multiple instances networked together in the same way a bare-metal environment can be built, but in this case with virtual machines providing the routing, switching and other network functions along with the expected servers running applications on top of operating systems like Linux and Windows.

IP addresses 

Once an instance is provisioned, it is automatically given two addresses: a private IPv4 address, and a public IPv6 address.

...

The public address given to the instance automatically is an IPv6 address. The ability to connect to an instance via IPv6 will be limited by the network the connection is coming from; unfortunately many schools, workplaces, or home internet providers do not have IPv6 capable networks. Use the following tools to determine if your network has the ability to route IPv6 traffic: 

Cybera has confirmed that most Telus and University of Alberta users (via WiFi) have IPv6 connectivity. If you fall into one of these groups, please use the above links to verify and if possible, we ask that you use IPv6 to connect to your instance in order to help us conserve IPv4 addresses.

 

Why IPv6?

...

IPv4 is limited to 4.3 billion addresses; the world is quickly approaching that limit, and obtaining new addresses will become impossible. IPv6 uses 128-bit addresses instead of IPv4’s 32-bit addresses, removing this limit and providing better security features over IPv4. IPv6 is not a new technology, as it has been available for over a decade, though it has been slow to be implemented due to legacy concerns across multiple industries.

If you’re more curious about IPv6 itself we recommend reading the Wikipedia article on IPv6.

 

Public IPv4 addressing

Each Rapid Access Cloud account and its associated project is allotted one public IPv4 address. This is referred to as a floating-ip in OpenStack and can be associated with only one instance at a time.

 

This limitation on IP address availability can be overcome, and in fact can make for a more robust and secure cloud environment in some cases. Please see the Advanced Guide - Making the most of a single IPv4 Address for solutions to this problem. 

Allocate and associate a floating IP

...

While each project by default is permitted up to one public IPv4 address (or floating-ip), it is not allocated automatically; you must specifically allocate one manually to a project. Given the scarcity of the addresses for Cybera (and indeed, the world), addresses allocated to projects that have gone unused for three months will be reclaimed; however, you are welcome to allocate an IP address again if needed.

  1. Log in to the Rapid Access Cloud dashboard at https://cloud.cybera.ca.

  2. In the left-hand panel under “Compute”, click “Instances”.

  3. Click the Action drop-down button on the right-hand side and select “Associate Floating IP”.

  4. Click on the “+” sign next to “Select an IP address”.

  5. There is only one pool of addresses available (nova) and the quota shows only one IP address from that pool, so simply click “Allocate IP”.

  6. After the IP address has been allocated, click the “Associate” button on the right-hand side. Under the Instances summary, your instance should now have three IP addresses, including a publicly accessible IPv4 address.

 

Associating the floating ip address to other instances 

Given the ease of creating and destroying instances, along with the possibilities of changing needs, moving the IPv4 address around may be required. Once the address is allocated to a project, it can be assigned to any instance associated with the project. When an instance is destroyed, the associated IP address remains allocated to the project. Simply follow the steps above to associate the IP address with a new instance, omitting the steps for allocating the address (steps 4 and 5).

 

Windows instances

...

Cybera does provide Windows images in the Rapid Access Cloud, in the form of Windows Server 2012 R2 and Server 2008 R2. You will need to provide your own valid license from Microsoft, and follow additional steps covered in the Advanced Guide. 

 

...

Login

 

After creating a key pair, modifying the default security group, and clicking through the process of launching an instance and assigning a floating IP, you are now able to log in. The basics are the same regardless of where you are logging in from, but like many things it is the details that matter.

Because the instance built according to this document is an Ubuntu Linux distribution, the default username is ubuntu. For each of the other Linux distributions available in the Rapid Access Cloud, the username follows the same scheme: centos, debian, and fedora.

IPv6 Access

...

As mentioned in the Accessing Instances section, connecting to an instance via IPv6 is preferred over using a Floating IP. Please see the links above to determine if you have IPv6 connectivity (Telus and University of Alberta users are known to have IPv6 connectivity). If you do have IPv6 connectivity, replace "floating_ip_address" with your instance's IPv6 address in the instructions below.

 

From Linux, UNIX, or BSD (including OS X)

 

The simplest way to use ssh from these operating systems is:

 

  1. Open a terminal and enter:

...

          $ ssh -i /path/to/<key_pair_name>.pem ubuntu@<floating_ip_address>

...

     The authenticity of host '<floating_ip_address> (<floating_ip_address>)' can't be established.
     RSA key fingerprint is e5:de:ad:c3:be:ef:b2:ba:be:a1:ba:dc:af:ea:ce:d4.
     Are you sure you want to continue connecting (yes/no)?

  3. You are now logged in and will then be presented with the Message Of The Day and a shell prompt:


----------------------------
Cloud Image Helper Scripts
----------------------------
To enable automatic updates please run:
/usr/local/bin/enableAutoUpdate
To install the latest OpenStack tools please run:
/usr/local/bin/installOpenStackTools
To use the local software update proxy please run:
/usr/local/bin/localSUS
To remove this message from your message of the day please run:
sudo rm /etc/motd
ubuntu@<your_instance_name>:~$
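Checking the fingerprint shown in the host-authenticity prompt above, as an added example (not part of the original guide): it derives the colon-separated MD5 form shown in the prompt, and the SHA256 form newer ssh clients print, from a host public key line. It assumes you obtained that line through a trusted channel (for instance the instance's console log); the key built here is constructed sample data and all function names are choices made for this sketch.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """Length-prefixed byte string as used in the SSH wire format."""
    return struct.pack(">I", len(data)) + data


def constructed_host_key():
    """Build a made-up 'ssh-rsa' public key line (sample data, not a real host)."""
    e = 65537
    n = int.from_bytes(hashlib.sha256(b"constructed sample").digest() * 8, "big") | 1
    # bit_length // 8 + 1 bytes leaves room for the sign bit of an mpint.
    ints = [v.to_bytes(v.bit_length() // 8 + 1, "big") for v in (e, n)]
    blob = _ssh_string(b"ssh-rsa") + b"".join(_ssh_string(i) for i in ints)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " sample-host"


def fingerprints(pubkey_line):
    """Return (md5_colon_hex, sha256_base64) for an OpenSSH public key line."""
    fields = pubkey_line.split()
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed key type that must match field 0.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != fields[0].encode("ascii"):
        raise ValueError("key type does not match key blob")
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha


def prompt_matches(prompt_fingerprint, trusted_pubkey_line):
    """Compare the fingerprint from the ssh prompt with the trusted key."""
    md5_fp, sha_fp = fingerprints(trusted_pubkey_line)
    shown = prompt_fingerprint.strip()
    if shown.startswith("MD5:"):
        shown = shown[4:]
    return shown.lower() == md5_fp or shown == sha_fp


if __name__ == "__main__":
    line = constructed_host_key()
    print(fingerprints(line))
    # The placeholder fingerprint from the prompt above does not match.
    print(prompt_matches("e5:de:ad:c3:be:ef:b2:ba:be:a1:ba:dc:af:ea:ce:d4", line))
```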

...

From Windows 

There are plenty of applications that allow ssh access from within Windows, none of which are bundled with Windows (at this time). You are welcome to use any that fit your needs; however, PuTTY is a widely used and well supported suite of SSH utilities that includes key management and generation, an scp client and the ssh client itself.

In order to connect to your instances using PuTTY, you first need to convert your private key to a PuTTY compatible format:

Convert OpenStack private key to PuTTY compatible key

...

  1. Launch PuTTYGen, installed as part of the PuTTY suite.

  2. Click Conversions from the “PuTTY Key Generator” menu and select Import key.

  3. Navigate to the OpenStack private key (*.pem) used in the instance you would like to connect to and click “Open”.

  4. Under Actions / Save the generated key, select Save private key.

  5. Choose an optional passphrase to protect the private key.

  6. Save the private key to the desktop as a *.ppk.

 

Connect to instance with PuTTY

...

Initially, in order to take advantage of volumes, a two step process of creating and then attaching must be followed. It is also likely the volume will need to be formatted before it can be used.

Create a volume

...

  1. Log in to the Rapid Access Cloud dashboard at https://cloud.cybera.ca.

  2. In the left-hand panel under “Compute”, click “Volumes”.

  3. Click “+Create Volume” on the right-hand side.

  4. In the Create Volume screen enter the following values:

       Volume Name: <your_volume_name>

       Description: <your_description>

...

       Type: (No volume type)

...

       Size (GB): 25

       Availability Zone: (Any availability zone)

  5. Click the blue “Create Volume” button and after a few moments a 25GB volume will be ready for attachment to an instance.

 

Attach a volume

...

  1. Log in to the Rapid Access Cloud dashboard at https://cloud.cybera.ca.

  2. In the left-hand panel under “Compute”, click “Volumes”.

  3. Click the Action drop-down button on the right-hand side and select “Manage Attachments”.

  4. Under “Attach to Instance” select the instance the volume is to be attached to, then click the blue “Attach Volume” button.

  5. After a few moments, the volume will be attached. Take note of the “Attached to” column on the summary screen; it will list where the volume is attached, like “/dev/sdc”.

...