Using the Cloud
Accessing VMs
SSH is used for the first access to VMs, before they are configured and host higher-level services.
Before spawning a VM, an SSH keypair must be created and uploaded either via the JSC Cloud OpenStack Dashboard or the CLI. For the latter, make sure you follow the procedure mentioned here to make the CLI libraries and access available.
$ openstack keypair create --public-key ~/.ssh/id_ed25519.pub my_user
Network Setup
Important
Due to site security constraints, only the following ports may be used for services you want to provide to the global internet:
22
80
443
7000-7020
Create and manage networks
Create a network
Creating a network in the WebUI
Go to the Project → Network → Networks tab and select Create network.
Define a name for the network with Admin status and Create subnet both being “enabled”. Select Next.
Define a name for the subnet. You could have several subnets per network. If you only intend to use one, then the subnet name may be the same as the network name chosen on the previous tab. The same holds true for the first network you create.
The network address should be a private network range, such as 192.168.42.0/16 or 10.0.0.0/8. This range is reachable only from within your network and by the connected router (see next section). In the subnet details, it is important to set the following three DNS servers:
134.94.32.3
134.94.32.4
134.94.32.5
Creating a network in the Command Line Interface
Before creating a network via command line make sure you followed the procedure mentioned here to make the CLI libraries and access available.
openstack network create --no-share my-projects-internal-network
openstack subnet create my-projects-internal-network-subnet --network my-projects-internal-network --subnet-range 192.0.2.0/24
Create a router
A router is required to allow virtual machines (VMs) on your internal network to reach the outside world or other networks within your project. You will also need a router to reach VMs from the outside, which is the case if you want to offer services on your VMs.
Creating a router in the WebUI
Go to the Project → Network → Routers tab and select Create router.
Define a name for the router with Admin status “enabled” and an External network, which for the JSC Cloud will be “dmz-jusuf-cloud”.
The router gets automatically connected to the DMZ network, but you still need to connect it to your internal networks. This is done at Project → Network → Router. Select the router, then Interfaces and Add interface. Add an interface from your internal network.
Creating a router in the Command Line Interface
Before creating a router via command line make sure you followed the procedure mentioned here to make the CLI libraries and access available.
openstack router create my-projects-internal-network-to-internet
openstack router set my-projects-internal-network-to-internet --external-gateway dmz-jusuf-cloud
openstack router add subnet my-projects-internal-network-to-internet my-projects-internal-network-subnet
Generic OpenStack documentation
If you prefer the generic documentation that may be lacking important information regarding our local installation, please refer to the OpenStack documentation.
Security Groups
Security groups are a means to control inbound and outbound network traffic for your VMs. This includes protection of network traffic even among your VMs. The default security group in every new project limits network traffic to the bare minimum that is required to run a VM. It does not even allow for incoming connections via SSH or ICMP traffic (ping). Therefore, you will want to add rules to the default security group or add additional groups containing such rules.
In order to be able to access a VM via SSH once you have started it, you will at least have to add a rule to allow for this.
Security Groups in WebUI
Go to the Project → Network → Security groups tab.
Select Create security group and create a group with a meaningful name, e.g. ssh_external.
Select Manage rules on the newly created security group.
From the number of predefined rules select “SSH”.
For the remote select CIDR, which, plainly put, is a way to express network ranges.
If you really want to allow SSH traffic from anywhere, then the default 0.0.0.0/0 is the right choice. In order to limit traffic to sources within the Juelich campus, you would use 134.94.0.0/16.
Keep in mind that the granularity of assigning rules to VMs is by security group only. Therefore, it is advisable to group rules that are commonly used together in security groups. Again, should you prefer to use the generic documentation, please refer to the OpenStack Documentation. This may help you get a better understanding of the concept of security rules, but uses the command-line interface to set everything up.
Security Groups in Command Line Interface
Before creating security groups via command line make sure you followed the procedure mentioned here to make the CLI libraries and access available.
openstack security group create test-securitygroup
openstack security group rule create --protocol tcp --dst-port 22 test-securitygroup
openstack security group rule create --protocol icmp test-securitygroup
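An added example, not part of the JSC documentation: a Python check that reads security group rules and reports ingress rules opening ports outside the site list above (22, 80, 443, 7000-7020) to sources beyond the Juelich campus range, plus SSH rules open to any source. The sample rules are constructed, and the field names are an assumption modelled on the JSON output of the openstack CLI.

```python
import ipaddress
import json

# Ports the page permits for services offered to the global internet.
SITE_PORTS = {22, 80, 443} | set(range(7000, 7021))
CAMPUS = ipaddress.ip_network("134.94.0.0/16")  # Juelich campus range from the page

# Constructed sample rules. Field names are an assumption modelled on the JSON
# output of `openstack security group rule list`; adjust them to your client.
SAMPLE = json.loads("""[
 {"ID": "r1", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0", "Port Range": "22:22", "Direction": "ingress"},
 {"ID": "r2", "IP Protocol": "tcp", "IP Range": "134.94.0.0/16", "Port Range": "5432:5432", "Direction": "ingress"},
 {"ID": "r3", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0", "Port Range": "8000:8080", "Direction": "ingress"},
 {"ID": "r4", "IP Protocol": "icmp", "IP Range": "0.0.0.0/0", "Port Range": "", "Direction": "ingress"},
 {"ID": "r5", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0", "Port Range": "7000:7020", "Direction": "ingress"}
]""")


def parse_ports(port_range):
    """Turn '22:22' into range(22, 23); an empty value means every port."""
    if not port_range:
        return range(1, 65536)
    low, _, high = port_range.partition(":")
    return range(int(low), int(high or low) + 1)


def audit(rules):
    """Return (rule_id, level, message) for ingress rules that need attention."""
    findings = []
    for rule in rules:
        if rule["Direction"] != "ingress" or rule.get("IP Protocol") in ("icmp", "ipv6-icmp"):
            continue
        if not rule.get("IP Range"):
            continue  # remote is another security group, not a CIDR
        source = ipaddress.ip_network(rule["IP Range"])
        if source.version == CAMPUS.version and source.subnet_of(CAMPUS):
            continue  # campus-only source: not offered to the global internet
        ports = parse_ports(rule.get("Port Range"))
        blocked = [p for p in ports if p not in SITE_PORTS]
        if blocked:
            findings.append((rule["ID"], "violation",
                             f"{len(blocked)} port(s) outside the site list open to {source}"))
        elif 22 in ports and source.prefixlen == 0:
            findings.append((rule["ID"], "review", f"SSH open to any source; consider {CAMPUS}"))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To check a real project, replace SAMPLE with the parsed JSON rule listing from your own client after confirming its field names.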