Introduction to Infrastructure as a Service and OpenStack
In this practice session you will learn how to access the cloud services that we will be using in the rest of the course. We will be using a private university cloud, a Cloud infrastructure that runs on the hardware of the University of Tartu and is managed by the High Performance Computing Center. In this lab we are working on the OpenStack cloud platform, located at: https://stack.cloud.hpc.ut.ee/
- To access the local university cloud resources your computer has to be inside the Institute network. So you should either use lab computers, Eduroam Wifi (inside the institute building) or set up a VPN connection to the university network.
- VPN (English on the right side column) - https://wiki.ut.ee/pages/viewpage.action?pageId=17105590
- Eduroam Wifi (English on the right side column) - https://wiki.ut.ee/display/AA/Eduroam
NB! Students have previously reported that using Eduroam in dormitories will not give access to the University cloud. You will have to use VPN in such cases.
Practical session communication!
We run the labs physically in the Delta building. We use Zulip for the running communication between students and lab supervisors.
- You must schedule attending the practice sessions at the correct time (based on your chosen lab group). If you complete the lab tasks outside the scheduled practice sessions, we can not guarantee that you will receive timely support from the lab supervisors.
- We have set up a Zulip topic for lab and course-related discussions.
- Login to Course Zulip stream using your university account from here
- Do not make a new account!
- If you do not have access to the Zulip stream, please contact lab assistants in a practice session or through email.
- Use the practice-session-1 Zulip topic for questions and discussion related to this lab.
- When asking questions or support from the lab assistant, please make sure also to provide all needed information, including screenshots, configurations, and even code if needed.
- If code needs to be shown to the lab supervisor, send it (or a link to it) through Zulip Direct Messages.
In case of issues check:
- Existing messages in the practice-session-1 Zulip topic.
- Possible solutions to common issues section at the end of the guide.
- Ask in the practice-session-1 Zulip channel.
Introduction
Infrastructure as a Service (IaaS) is a model of Cloud computing, in which virtualized computing resources are provided to users over the internet. In comparison to using physical servers, computing resources can be provisioned on-demand and in real-time and applications running on the same hardware can be separated into different secure environments, each containing their own OS, software libraries and kernels.
Working with the IaaS model of Cloud usually consists of the following steps:
- Register an account to access the cloud services
- Select appropriate virtual machine image to run (Ubuntu, Debian, Windows, etc.)
- Start a new instance of the selected virtual machine image. Log into the instance as a root user over the internet and configure it to meet your requirements. I.e. install needed software, upload your own application, perform any required configuration actions as you would do in any real computer.
- As you will lose all your work when the instance is terminated -- you have three options on how to persist the changes you made:
- Save all your configuration steps to a script that will launch and configure the instance automatically for you.
- Bundle a new image from your running instance and next time launch your custom image.
- Save the running instance as a snapshot, and next time launch new instances from there.
The first option is more flexible, as it is easier to change the script than to bundle a new image if something changes. The second and third options are simpler to use once you have a stable configuration or when launching a large number of instances.
In this lab, we are working on the OpenStack cloud platform.
Exercise 1.1. Accessing the cloud services
In this exercise, you will log into the institute OpenStack cloud and create a secure access key. You will verify that you have access to the university OpenStack cloud resources and familiarize yourself with the available cloud functionality.
- Log into https://stack.cloud.hpc.ut.ee/ using your university username and password and ut.ee as domain.
- Familiarize yourself with the available OpenStack cloud functionality.
- Create an ssh Key Pair for accessing Virtual Machines over the network. Make sure the name of the Key Pair includes your last name!
  - You will find this functionality under Compute -> Key Pairs
  - NB! This will download the private key as a text file into your computer with a *.pem extension. Copy the file into a location from where you can easily find it later.
Exercise 1.2. Requesting computing resources from the cloud
In this exercise, you will start a Cloud instance (or virtual machine) while specifying its configuration and computing resources available for it.
- Use the OpenStack web interface
- Under the "Compute" tab go to "Instances" and start a new instance by clicking the "Launch Instance" button (If not specified leave the default values)
- We'll start a new instance of Ubuntu-based virtual machine image
  - As Instance Name, specify: Lab_number-Student_name
    - e.g. "Lab_2-John_Smith". Use this format in all future labs! It helps us help you in the labs :)
  - Choose ubuntu20.04 under Source tab & set the volume Size to 10GB (if it isn't)
    - Also enable Delete Volume on Instance Delete under Source tab
    - This will mark the underlying volume (virtual disk) to be automatically deleted when your instance is deleted.
  - Choose the capacity of the instance
    - Under Flavor tab, choose m3.nano as the type of the instance
    - This will request 1 Virtual CPU core and 1GB RAM for the instance
  - Choose network for the instance
    - Under Networks tab, choose provider_64_net
    - This will assign the instance network interface into an internal UT network
  - Specify what Key Pair to use under the Key Pair tab!
    - Select the Key Pair that you created in the previous exercises. If you lose the downloaded file, you will have to create and download a new one!
Exercise 1.3. Accessing your Cloud instance over the internet
We will use the Secure Shell (ssh) protocol to log into the started instance over the internet. Instances in the cloud can have multiple IP addresses: a Public IP for accessing the instance from outside the cloud and a Private IP for accessing the instance from inside the cloud (from other instances). However, our instances will only have a single IP in the current configuration.
- Log into the instance through ssh using SSH Key-based authentication
- Linux Instructions:
  ssh -i path_to_my_key_pair_file ubuntu@<instance public ip address>
  - For example: ssh -i .cloud/jakovits_key.pem ubuntu@172.17.64.63
  - If you get an error, check that the path to the keyfile is correct and that it has correct rights (chmod 400 <filename>)
Note: On an up-to-date Windows 10, the above Linux approach should also work from Windows commandline/powershell out of the box (recommended)!
- Windows Instructions:
  - Use Git BASH command line, Putty, WinSCP, or SSH secure shell program to get a command-line interface to a remote server through ssh.
  - When using Git BASH, the command is exactly the same as in Linux command line:
    ssh -i path_to_my_key_pair_file ubuntu@<instance public ip address>
  - When using Putty in Windows we first have to transform the private key file (_keyname_.pem) we downloaded from OpenStack into a .ppk file.
    - PEM or Privacy Enhanced Mail is a Base64 encoded DER format, used for certificates and for keys such as the private key file downloaded here. PEM files are frequently used for servers as they can easily be handled with a simple text editor.
    - You can use PuTTYgen to convert the key into the Putty specific *.ppk format. Use the Load and Save private key functionality in the PuttyGen program to do it.
    - You can follow the Convert your private key using PuTTYgen section in this guide for converting the .pem key file into .ppk file.
  - After converting the key, you can use Putty to create a new SSH connection to your instance
    - Username for the SSH connection has to be ubuntu
      - Specify it in Putty under Connection->Data->Login details
    - Host must be the public IP of the instance you started
    - SSH Key must be the same .ppk key you converted with PuttyKeyGen
      - Specify its location under: Connection->SSH->Auth->Private key file...
Exercise 1.4. Configuring Cloud Instance & installing software
We will now set up a simplistic Python web application on the instance, setting up the necessary software and dependencies. The application is built with the Flask micro web framework. The app represents a messaging board that stores posted messages into a json-structured text-file.
- Install Python Flask webserver on the instance
  - First, fetch the source code of the application with git, storing it into the folder "lab1app":
    git clone https://bitbucket.org/jaks6/cloud-computing-2022-lab-1.git lab1app
  - Enter the application src directory:
    cd lab1app
  - This app uses the pip package Flask as a dependency. We will create a Python venv (virtual environment) for this application and install the packages for the app within the venv.
    - Update the package lists about available software and install the python3-venv package:
      sudo apt update && sudo apt install python3-venv
    - Create a venv named "env", and activate it:
      python3 -m venv env
      source env/bin/activate
      - After activating, you should see the "(env)" appear in front of your username in the terminal session.
    - Use pip to install the necessary dependencies of this application (defined in requirements.txt):
      pip install -r requirements.txt
  - Start the Flask web application:
    flask run --host=0.0.0.0
    - This will start the Flask server on port 5000.
    - Note: you need to be in the lab1app folder!
    - We set the "host=0.0.0.0" parameter to ensure the webserver listens to external traffic too, not only local traffic.
    - (Or, to set it to run in the background, if you wish):
      nohup flask run --host=0.0.0.0 &
      - nohup ensures the program stays running after we log out
      - Note: if you want to kill the python program running in the background, you can use
        fuser -n tcp -k 5000
        - this kills the process listening on port 5000
- Check that the installation of the Flask web server is successful
  - Try accessing the address of your virtual machine on port 5000 from a browser (from within the university network).
    - E.g. http://172.17.67.124:5000
    - This, in theory, should display the lab1app/templates/home.html page that's being provided by your web server.
    - However, it does not work at the moment, as communication with the cloud instances from outside, other than ssh (port 22), is restricted by default.
  - Let's use an alternative approach to verify our web server is running
    - Log into the instance through ssh
    - Use the wget command to download the webpage from your server.
    - On the instance command line run wget localhost:5000.
      - This should download index.html file into the currently active directory, which among other HTML codes should contain a string "Message board".
    - Use less index.html command to check the downloaded file content from the command line
    - Alternatively you can use a command line web-browser: sudo apt install lynx and lynx localhost:5000
- Modify (or replace) the current home.html file at lab1app/templates/home.html to change the web page content.
  - How exactly you change its content is up to you, but it should at least contain your Full Name, so it is possible to visually see that you have modified it.
  - To deploy the changes, you need to stop and re-start the Flask server! See Ex 1.4 for the relevant commands.
  - Command line file editor nano can be used to modify file contents.
  - Feel free to replace the whole HTML file with a new one.
Exercise 1.5. Creating Security group to enable access through port 5000
To allow access to the hosted web server on your instance you need to create a new security group and define an access rule for the HTTP port 5000 used by Flask.
- Under the Network tab go to Security Groups and create a new security group by clicking the Create Security Group button
- Choose a name for this security group, which should include your first and last name
- Add the HTTP TCP port 5000 to your security group.
  - Remote IP Prefix should stay 0.0.0.0/0 (this means all devices from any IP address can access this port)
  - Do not assign a Security Group in the Remote field, it would limit the specified port rule to apply only for other cloud instances inside the selected security group.
- Now add this security group to your instance
  - Use Compute -> Instances -> drop down menu next to your instance -> Edit security groups and add your security group from under All Security Groups into Instance Security Groups
- Access your instance through a web browser
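When the browser still cannot reach port 5000 after this step, the cause is either the Flask bind address from Exercise 1.4 or the security group rule. The following added example (not part of the course material) classifies the listener from ss -ltn output so the two can be told apart; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether port 5000 is reachable from outside the
# instance as far as the server process is concerned.

# listener_scope PORT   (stdin: output of `ss -ltn`)
# Prints: all-interfaces | single-address ADDR | loopback-only | not-listening
listener_scope() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }                      # skips the header line too
        {
            la = $4                                  # "Local Address:Port" column
            if (!match(la, /:[0-9]+$/)) next         # locate the trailing ":port"
            if ((substr(la, RSTART + 1) "") != (port "")) next
            addr = substr(la, 1, RSTART - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") rank = 3
            else if (addr ~ /^127\./ || addr == "[::1]") rank = 1
            else rank = 2
            # Several sockets may share the port: report the most exposed one.
            if (rank > best) { best = rank; shown = addr }
        }
        END {
            if (best == 3) print "all-interfaces"
            else if (best == 2) print "single-address " shown
            else if (best == 1) print "loopback-only"
            else print "not-listening"
        }'
}

# explain_scope PORT: map the classification to the next step in this lab.
explain_scope() {
    case "$(listener_scope "$1")" in
        all-interfaces) echo "server side OK: check the security group rule for port $1" ;;
        loopback-only)  echo "only local clients can connect: restart Flask with --host=0.0.0.0" ;;
        not-listening)  echo "nothing listens on port $1: start the Flask server" ;;
        *)              echo "bound to one address: connect to that address or rebind" ;;
    esac
}

# Constructed sample of `ss -ltn` output (not captured from a real instance).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:5000       0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | explain_scope 5000

# On the instance itself, feed it live data instead:
#   ss -ltn | explain_scope 5000
```

A loopback-only result explains why wget localhost:5000 works on the instance while the browser does not, even with the security group in place.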
Exercise 1.6. Creating a new Cloud Instance snapshot
Let's save all the changes you have made to the instance by creating a snapshot. This allows you to start multiple already-configured Flask web server instances at once, with your web application already included.
- Under the Compute tab, go to Instances and choose Create snapshot button next to your instance.
- Choose a name for this snapshot, it must include your last name.
- After you confirm that the snapshot is ready, terminate your instance
- Start a new instance as you did previously, but now use your snapshot as the source instead of Image ubuntu and make sure that both your new security group together with the default security group are chosen.
  - Make sure you can access the Messageboard website from the web browser using your new instance's IP address.
- Make a screenshot of the browser showing your deployed web page on the instance
- NB! Your name must be clearly visible on the screenshot you took in the previous task!
- From the screenshot, the URL with the public IP should be visible
- In the future, you are able to start a copy (or multiple copies) of this webserver at any time by starting a new instance from this snapshot.
Bonus tasks
The normal exercises have been prepared in a way that should not take you more than two academic hours to solve them. However, you can earn extra practice session credit points by completing Bonus exercises. Not all practice sessions will have bonus tasks, and some bonus tasks may take significantly more than 2 hours to solve. But they have been designed for students who wish to learn more practical knowledge of Cloud Computing.
Bonus task 1: Accessing your instance through the web interface
To have access to your VM when the external network connection is down or there is a problem connecting over SSH we can use the OpenStack web interface and VNC. Make sure you changed the password earlier for user ubuntu so you can log into your VM using username:password through the OpenStack web console.
Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network. https://en.wikipedia.org/wiki/Virtual_Network_Computing
- Change the password of the user ubuntu inside your instance
  - sudo passwd ubuntu
  - assign a password you can remember.
  - We have to use sudo because normal use of passwd command otherwise requires us to enter the current password, which we do not know.
- Now the user ubuntu has a password and we can use it to log into the instance through the web console instead of an ssh client.
- Log in to the OpenStack web interface at https://stack.cloud.hpc.ut.ee/
- Go to the Instances page and click on the name of your instance.
- Go to the Console Tab and click on the Click here to show only console link.
- A command-line interface should show up in a few moments. Refresh the page if it does not show up. If you see only a black screen try hitting ENTER a few times.
- Log into the instance using ubuntu as the username and the password you previously specified.
- Take a screenshot of the web command line interface after you have successfully logged in and executed a sudo command without error. The browser should stay visible in the screenshot.
  - The screenshot should display both the command line interface and the browser.
Bonus task 2: Attach a volume to an instance
Volumes are virtual hard disks, which can be used as more permanent storage of files or extending the available disk space of an instance. We will create a new volume and attach it to our instance to increase the available disk space.
- Create a new 2GB size volume (Volumes -> Volume -> Create Volume)
  - Use your last name as the name of your volume.
- Attach the volume to your running instance.
  - Go to the list of instances
  - On the right side, next to the Create Snapshot button, choose Attach Volume from the drop down menu and choose the volume you just created.
- Create a new disk partition on the attached volume
  - Log into your instance through ssh
  - Check the list of available disks and their partitions using the lsblk command line command
  - The name of the new disk added as a result of attaching your cloud volume might be vdb or sdb
  - Create a new partition on the added disk
    - Run sudo fdisk /dev/vdb command to start the partitioning process
    - Press n to create a new disk partition.
    - Press p to create a primary disk partition.
    - Press 1 to denote it as 1st disk partition.
    - Press ENTER twice to accept the default of 1st and last cylinder – to convert the remainder of hard-disk to a single disk partition
    - Press t to choose a type for the new partition.
    - Press 83 to change your new partition to Linux partition type.
    - Finally, press w to commit changes.
- Mount the volume inside the instance to /data folder
  - Create the /data folder: sudo mkdir /data
  - Create an ext4 type filesystem on the new partition: sudo mkfs.ext4 /dev/vdb1
  - Mount the partition under /data folder: sudo mount -t ext4 /dev/vdb1 /data
- Create a new file in the mounted folder to verify that everything is working correctly.
  - You can use the nano command line text editor: sudo nano /data/myfile.txt (CTRL+X keys to exit the editor)
- Run lsblk command in the command-line interface inside your cloud instance and take a screenshot of the output.
  - This command will display what are the available disks and disk partitions and also show where inside the Filesystem they have been mounted.
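The commands above hardcode /dev/vdb, while the disk may also appear as sdb, and partitioning or formatting the wrong disk destroys its data. The following added example (not part of the course material) picks the target from lsblk output and refuses to continue unless exactly one disk has no partitions, no filesystem and no mount point; the function names and the sample lsblk output are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve the newly attached, still empty volume before
# running the fdisk / mkfs.ext4 / mount steps from this task.

# blank_disks  (stdin: `lsblk -P -o NAME,TYPE,PKNAME,FSTYPE,MOUNTPOINT`)
# Prints every whole disk that has no child device, filesystem or mount point.
blank_disks() {
    awk '
        function field(key,    m) {
            # Pull the value out of KEY="value"; the leading space in "line"
            # keeps NAME from matching inside PKNAME.
            if (!match(line, " " key "=\"[^\"]*\"")) return ""
            m = substr(line, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", m)
            sub(/"$/, "", m)
            return m
        }
        {
            line = " " $0
            name = field("NAME"); parent = field("PKNAME")
            if (field("TYPE") == "disk") disks[++n] = name
            if (field("FSTYPE") != "" || field("MOUNTPOINT") != "") used[name] = 1
            if (parent != "") used[parent] = 1       # disk already has a partition
        }
        END { for (i = 1; i <= n; i++) if (!(disks[i] in used)) print disks[i] }'
}

# pick_target: succeed only when exactly one blank disk exists.
pick_target() {
    candidates=$(blank_disks)
    count=$(printf '%s\n' "$candidates" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one blank disk, found $count" >&2
        return 1
    fi
    printf '/dev/%s\n' "$candidates"
}

# Constructed sample: system disk vda with partitions, new empty volume vdb.
SAMPLE_LSBLK='NAME="vda" TYPE="disk" PKNAME="" FSTYPE="" MOUNTPOINT=""
NAME="vda1" TYPE="part" PKNAME="vda" FSTYPE="ext4" MOUNTPOINT="/"
NAME="vda15" TYPE="part" PKNAME="vda" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="vdb" TYPE="disk" PKNAME="" FSTYPE="" MOUNTPOINT=""'

if [ "${1:-}" = "--apply" ]; then
    # Live run on the instance: same commands as in the task, device resolved.
    dev=$(lsblk -P -o NAME,TYPE,PKNAME,FSTYPE,MOUNTPOINT | pick_target) || exit 1
    sudo fdisk "$dev"            # interactive: n, p, 1, ENTER, ENTER, t, 83, w
    sudo mkfs.ext4 "${dev}1"
    sudo mkdir -p /data
    sudo mount -t ext4 "${dev}1" /data
    lsblk
else
    printf '%s\n' "$SAMPLE_LSBLK" | pick_target
fi
```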
NB! Once you are done, you must delete your instance and the Volume you created! Also, be careful you do not delete the work of other students.
Deliverables:
- Your instance must have been terminated (deleted)!
- Snapshot (VM image) must exist with your name.
- Screenshot created in exercise 1.6 and any bonus tasks you complete
- Pack the screenshots into a single zip file and upload them through the following submission form.
- Also, submit an answer for the following questions:
- What happens if you lose your ssh KeyPair file? What happens to existing instances which were started with the lost ssh key?
- What are the advantages of utilizing cloud Volumes? Briefly describe at least two scenarios, where using volumes simplifies working with cloud instances.
Possible solutions to common issues
- If you can not access the Cloud instance over SSH,
  - it may be because you are using ut public (use eduroam instead) or have not set up VPN connection.
- If you can not access your instance over port 5000
  - it may be because you have not opened port 5000 in your security group
  - or not added the created security group to your instance
  - or not used correct IP filter for Remote IP Prefix:
    - Remote IP Prefix should stay 0.0.0.0/0 (this means all devices from any IP address can access this port)
    - Do not assign Remote Security Group, it would limit to the specified port from only the cloud instances inside the selected security group.
- If you get a warning from ssh command line command about the file permissions of the SSH KeyPair file:
  - In Linux: use chmod command line command to change the file permissions to 600 (removing permissions for other users and group users)
  - In Windows: modify key file Security permissions, and remove permissions for the generic Users, leaving your own windows user and Administrator user permissions in place
- Can not access UT OpenStack with your university account
  - Everyone who registered for the course AFTER 2/6/2023, please send Pelle Jakovits a Direct Message in Zulip topic general discussion with your university username. We will need it to request access to University OpenStack Cloud, which is required to be able to complete the first lab.
- You might encounter an error stating that something is locked. That is Ubuntu running some updates in the background, so please give it a few minutes to complete and try again later. If still no luck, ask for help from the lab instructor. (Use with caution! https://www.tecmint.com/fix-unable-to-lock-the-administration-directory-var-lib-dpkg-lock/)
- FIX ERROR: "sudo: unable to resolve host <your_machine_name_here>"
  - If you try entering any sudo commands, e.g. sudo free; sudo du, you get an error "unable to resolve ..."
  - In order to fix it edit /etc/hosts file and add your hostname to the end of the first line like this: 127.0.0.1 localhost <your_machine_hostname_here>. You can use nano with sudo rights to do it.
- FIX ERROR: ssh: connect to host 172.17.6X.YYY port 22: No route to host
  - Check you are using eduroam in Delta, or VPN from home
  - IF you have Linux on your computer AND have Docker installed:
    - Then there is a possibility of network address conflict between docker network and university network that VPN uses. It is likely that packets you try to send to some of the 172.17.* networks are sent to your local docker network instead.
    - One solution would be to reconfigure what networks your local Docker uses. The steps are:
      - Create a directory in the virtual machine in the path: sudo mkdir /etc/docker
      - Create a file in the docker directory: sudo nano /etc/docker/daemon.json
      - Copy the following entry into the file: { "default-address-pools": [{"base":"172.80.0.0/16","size":24}] }
        (172.80.0.0/16 lies outside the private 172.16.0.0/12 range; any unused private range that does not overlap 172.17.* serves the same purpose.)
      - Restart docker service using: sudo systemctl restart docker