FAQ

Here you will find answers to common questions. Please also refer to the general documentation.

Operations

I get an error making a snapshot of a running instance

Some recent distributions (Debian 9, Ubuntu 18) require the package qemu-guest-agent to be installed in order to take a snapshot while the instance is running. Therefore either shut the instance off or install the package:

$ sudo apt update
$ sudo apt install qemu-guest-agent

I get a timeout accessing GARR Cloud dashboard with my EduGain/IDEM/Google credentials!

This might be caused by a firewall on your institutional network. Please check with your network admins that the ports used by GARR Cloud services are open. The ports are listed in the next question: “Which ports should I open on my router to access GARR Cloud platform?”

Which ports should I open on my router to access GARR Cloud platform?

GARR Cloud services are exposed on a few TCP ports which should be accessible from your institution's network. Check the following tables for the service hostnames, IP addresses and corresponding ports.

First of all, ensure that the standard HTTP 80 and HTTPS 443 ports are opened.

  • To access the GARR Cloud Dashboard with an EduGain/IDEM/Google account:

    +------------+------------------------+----------------+------------+
    | service    | hostname               | IP address     | port       |
    +------------+------------------------+----------------+------------+
    | keystone   | keystone.cloud.garr.it | 90.147.165.91  | 5000       |
    +------------+------------------------+----------------+------------+
    

To check that the port is open, type this address in a browser:

https://keystone.cloud.garr.it:5000

The server should reply with a string like:

{"versions": {"values": [{"status": "stable", ... }

  • To access the DaaS (Juju) Web GUI:

    +-------------------------+------------------------+----------------+------------+
    | service                 | hostname               | IP address     | port       |
    +-------------------------+------------------------+----------------+------------+
    | DaaS (garr-ct1 region)  | daas-ct.cloud.garr.it  | 90.147.167.223 | 17070      |
    +-------------------------+------------------------+----------------+------------+
    | DaaS (garr-pa1 region)  | daas-pa.cloud.garr.it  | 90.147.188.122 | 17070      |
    +-------------------------+------------------------+----------------+------------+
    

To check that the aforementioned ports are open, try to access the DaaS web GUI:

https://daas-pa.cloud.garr.it:17070/gui/

  • To access GARR Cloud via OpenStack API libraries:

    +-------------------------------+---------------+----------------+------------+
    | service                       | hostname      | IP address     | port       |
    +-------------------------------+---------------+----------------+------------+
    | nova (garr-pa1 region)        |               | 90.147.159.93  | 8774       |
    +-------------------------------+---------------+----------------+------------+
    | nova (garr-ct1 region)        |               | 90.147.165.93  | 8774       |
    +-------------------------------+---------------+----------------+------------+
    | cinder (garr-pa1 region)      |               | 90.147.159.90  | 8776       |
    +-------------------------------+---------------+----------------+------------+
    | cinder (garr-ct1 region)      |               | 90.147.165.95  | 8776       |
    +-------------------------------+---------------+----------------+------------+
    | placement (garr-pa1 region)   |               | 90.147.159.93  | 8778       |
    +-------------------------------+---------------+----------------+------------+
    | placement (garr-ct1 region)   |               | 90.147.165.93  | 8778       |
    +-------------------------------+---------------+----------------+------------+
    | glance                        |               | 90.147.165.94  | 9292       |
    +-------------------------------+---------------+----------------+------------+
    | neutron (garr-ct1 region)     |               | 90.147.165.96  | 9696       |
    +-------------------------------+---------------+----------------+------------+
    | neutron (garr-pa1 region)     |               | 90.147.159.96  | 9696       |
    +-------------------------------+---------------+----------------+------------+
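
An added example, not part of the GARR documentation: a Python check of the endpoints listed in the tables above. It separates an open port from a refused connection and from a silently dropped one, the last being what a blocking firewall and the dashboard timeout look like; the function names are chosen for this example.

```python
import socket

# Service endpoints copied from the tables above: (service, host, TCP port).
ENDPOINTS = [
    ("keystone", "keystone.cloud.garr.it", 5000),
    ("DaaS garr-ct1", "daas-ct.cloud.garr.it", 17070),
    ("DaaS garr-pa1", "daas-pa.cloud.garr.it", 17070),
    ("nova garr-pa1", "90.147.159.93", 8774),
    ("nova garr-ct1", "90.147.165.93", 8774),
    ("cinder garr-pa1", "90.147.159.90", 8776),
    ("cinder garr-ct1", "90.147.165.95", 8776),
    ("placement garr-pa1", "90.147.159.93", 8778),
    ("placement garr-ct1", "90.147.165.93", 8778),
    ("glance", "90.147.165.94", 9292),
    ("neutron garr-ct1", "90.147.165.96", 9696),
    ("neutron garr-pa1", "90.147.159.96", 9696),
]

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt.

    open     - the handshake completed
    refused  - the connection was actively rejected
    filtered - no answer in time or a network error, typical of a firewall drop
    dns      - the hostname did not resolve
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes timeouts and "no route to host"
        return "filtered"

def blocked(endpoints, timeout=3.0):
    """Return (service, host, port, state) for every endpoint that is not open."""
    results = ((svc, host, port, probe(host, port, timeout))
               for svc, host, port in endpoints)
    return [r for r in results if r[3] != "open"]

if __name__ == "__main__":
    # Run from inside the institutional network; pass the output to the network admins.
    for svc, host, port, state in blocked(ENDPOINTS):
        print(f"{svc:20} {host}:{port} -> {state}")
```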
    

Quota exceeded when launching an instance

You might be using a region on which your project has no allocated resources. Follow the instructions for selecting a region where your project has available resources.

Can I change/ask for a new password?

If you registered through a federated IdP (IDEM or EduGain), you have to change the password through your Identity Provider. Use the dashboard only for changing the Cloud GARR password.

Can I import custom VM images to the cloud (e.g. a VirtualBox image)?

Yes, follow the instructions at the following link to convert the image to the correct format: https://cloud.garr.it/support/kb/openstack/manageCustomImages/

Can I spawn Windows images?

Yes, the relevant image is labeled “GARR”, for example WindowsServer2012R2 - GARR. Note that when creating a new machine you must also set a Key Pair: for Windows machines the key pair is used to encrypt the Administrator password, which is automatically generated and injected into the machine at first boot.

To retrieve the Administrator password (the initial boot will likely take several minutes):

  • CLI method: execute the command (you will be prompted for the SSH key passphrase):

    nova get-password <server_UUID> /path/to/private/key/file
    
  • GUI method: open another browser tab, navigate to the VM list and pick the Retrieve password action for your VM. This should open a window in which you can select or copy/paste the private key to be used for decryption. If you don’t get the chance to input your private key, open the Console GUI, as the server most likely needs you to answer a question or push a button to proceed.

NOTE:

There is currently a problem in the dashboard: the Retrieve password menu opens a window with a field for pasting the private key and a field for reading the password, but this mechanism fails with Could not decrypt the password. However, the encrypted password is shown, and it can be decrypted in the following way:

  • Copy-paste the encrypted password

  • Decode the encrypted password and save to a file:

    echo "<encrypted_password>" | base64 -d > encrypt_pass.txt
    
  • Decrypt the password:

    openssl rsautl -decrypt -in encrypt_pass.txt -out plain.txt -inkey <your_private_ssh_key>
    
  • Find the decrypted password in the file plain.txt

I have created a Linux VM, injected my ssh key and assigned a floating IP. Now how do I log into it?

To log into a virtual machine, use the ssh command on your host machine, using the keypair you selected when creating the instance.

But first, make sure the security groups configured for your server allow connections to port 22 from your subnet (or from the Universe, namely 0.0.0.0, although this is generally not advised). You can update the default security group, or create a new one from Project - Network - Security Groups, and add one or more rules for SSH for your different subnets.
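
An added example, not part of the GARR documentation: a Python audit that flags ingress rules admitting SSH from outside your own subnets. It assumes rule dictionaries in the field layout of the Neutron security_group_rules API; the sample rules, their IDs and the trusted CIDR are constructed.

```python
import ipaddress

def _admits_ssh(rule, port=22):
    """True for an ingress rule whose protocol and port range cover TCP/22."""
    if rule.get("direction") != "ingress":
        return False
    if rule.get("protocol") not in (None, "tcp", "6"):   # None means any protocol
        return False
    low, high = rule.get("port_range_min"), rule.get("port_range_max")
    return low is None or low <= port <= high            # None means all ports

def _source(rule):
    """Source network of a rule; a missing prefix means any address."""
    any_addr = "0.0.0.0/0" if rule.get("ethertype") == "IPv4" else "::/0"
    return ipaddress.ip_network(rule.get("remote_ip_prefix") or any_addr, strict=False)

def ssh_exposure(rules, trusted_cidrs):
    """Return (rule id, source, verdict) for SSH rules open beyond trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in rules:
        # A rule that names a remote security group admits only that group's members.
        if rule.get("remote_group_id") or not _admits_ssh(rule):
            continue
        src = _source(rule)
        if any(src.version == t.version and src.subnet_of(t) for t in trusted):
            continue
        verdict = "world" if src.prefixlen == 0 else "untrusted"
        findings.append((rule["id"], str(src), verdict))
    return findings

def _rule(rid, direction, ethertype, protocol, low, high, prefix, group=None):
    """Build one rule dictionary for the constructed sample below."""
    return {"id": rid, "direction": direction, "ethertype": ethertype,
            "protocol": protocol, "port_range_min": low, "port_range_max": high,
            "remote_ip_prefix": prefix, "remote_group_id": group}

# Constructed sample rules; IDs and addresses are made up for this example.
SAMPLE_RULES = [
    _rule("r1", "ingress", "IPv4", "tcp", 22, 22, "0.0.0.0/0"),         # SSH from anywhere
    _rule("r2", "ingress", "IPv4", "tcp", 22, 22, "192.0.2.0/24"),      # SSH from own subnet
    _rule("r3", "ingress", "IPv6", "tcp", 1, 65535, None),              # all TCP ports, any IPv6
    _rule("r4", "ingress", "IPv4", "tcp", 443, 443, "0.0.0.0/0"),       # HTTPS only
    _rule("r5", "egress", "IPv4", None, None, None, None),              # outbound traffic
    _rule("r6", "ingress", "IPv4", None, None, None, None, "sg-self"),  # same-group traffic
    _rule("r7", "ingress", "IPv4", "tcp", 22, 22, "198.51.100.7/32"),   # single outside host
]

if __name__ == "__main__":
    for finding in ssh_exposure(SAMPLE_RULES, ["192.0.2.0/24"]):
        print(finding)
```

Rule r3 shows why a port-22 search alone is not enough: a wide port range with no source prefix exposes SSH just as much as r1 does.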

Each Linux operating system provides a default account on which to login with a keypair:

  • for Ubuntu images, login as ubuntu
  • for CentOS images, login as centos
  • for Cirros images, login as cirros
  • for Debian images, login as debian
  • for Fedora images, login as fedora

Warning

Ensure the keypair file has the proper access rights:

$ chmod 400 MyKey.pem

Invoke ssh specifying the keypair and the IP address of the instance; for example:

$ ssh -i MyKey.pem ubuntu@90.147.27.2

Last login: Tue Jan 12 11:20:28 2016
$

Can I log in as root on a Linux VM?

Logging in as root is disabled by default on Linux VMs.

Log in with the default account, as explained above, and use sudo to issue privileged commands.

Run sudo -s to open a root shell.

I get an error when I issue the sudo command

If inside a VM you try to issue the sudo command, e.g. sudo -s, and you get the following error:

sudo: unable to resolve host

then the problem is likely due to a missing entry in /etc/hosts. This can be fixed either when creating the VM(s) or directly from within the VM(s).

  • At VM creation time, you can supply a user data script through the following steps:

    1. prepare a userdata.txt file with the following content:

      #cloud-config
      manage_etc_hosts: true
      
    2. then either:

      • from the dashboard, supply it in the Configuration section of the new instance creation dialog

      • from the command line, use the --user-data flag of the openstack server create command, e.g.:

        openstack server create --image 39e0b535-9c21-42af-9096-397c3687664e --flavor m1.small --nic net-id=default --key mykey --user-data userdata.txt myinstance
        
  • From inside the VM, the problem can be fixed by issuing the following command:

    echo "manage_etc_hosts: true" | sudo tee /etc/cloud/cloud.cfg.d/99_etchosts.cfg > /dev/null
    

    and then rebooting the VM:

    sudo reboot
    

I get an error when creating an instance

If you get an error like this while creating an instance:

Exceeded maximum number of retries. Exceeded max scheduling attempts 3 for
instance (...) Last exception: Binding failed for port (...)

please ensure that you did not select the network named floating-ip in the Network tab when launching the instance, but either a project-specific net or the default net.

Error when rebooting an instance “Image UUID could not be found”

If you get an error like this while rebooting an instance:

Image b1d6e7ff-8397-4b80-8972-d6402382f213 could not be found.

it means that the original image used to create the instance has been deleted.

In order to fix the problem you first need to identify a suitable current image: for example, if the original machine was built using “Debian 8.7” you may select “Debian - 8 - GARR” as a replacement:

$ openstack image list | grep GARR | grep Debian
| 70eb2fbb-e195-4147-9cf8-871b28b6331d | Debian 8 - GARR                                        | active  |

and then execute:

  • for machines built on non-ephemeral disk:

    export theSrvUUID=<theUUIDofTheServerInError>
    export theImgUUID=70eb2fbb-e195-4147-9cf8-871b28b6331d
    # clear the error state, then rebuild the server from the replacement image
    nova reset-state --active "$theSrvUUID"
    nova rebuild --poll "$theSrvUUID" "$theImgUUID"
    
  • for machines built on ephemeral disk, ask Cloud admins for help, since a rebuild would, in this case, wipe all your local changes. Cloud admins will:

    nova reset-state --active "$theSrvUUID"
    # update the OpenStack database: update instances set image_ref='newUUID' where image_ref='disappearedUUID' and uuid='srvUUID';
    nova reboot --poll "$theSrvUUID"
    

Which network should I choose when creating an instance?

In the Launch Instance / Networks tab select between:

  • the pre-created internal network default, which is connected to a router on the external network and allows assigning floating IPs to the VM.

    Warning

    This network is shared among all projects, hence all VMs on this network belong to the same broadcast domain and can reach each other.

  • any user-defined project network.

Do not select the external network floating-ip as VMs cannot be attached to external networks.

apt-get in a Docker hangs

This might occur on Ubuntu 16 (not on Ubuntu 14 or CentOS). If a network request hangs, for example doing:

$ docker run -it ubuntu bash
# apt-get update
0% [Waiting for headers]

the solution is to clamp the TCP MSS (Maximum Segment Size) to the path MTU (Maximum Transmission Unit) with the following command:

$ sudo iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Can I add more than one Floating IP to an instance?

Due to limitations of the OpenStack dashboard this is only possible through the CLI on the OpenStack controller as follows:

  • from the Dashboard add an interface to the VM

  • from the VM console activate the interface (ifup with the corresponding private IP that appears in the dashboard)

  • add the Floating IP with the CLI command:

    $ neutron floatingip-associate $FIP $PORT_ID
    

    where FIP is a floating IP id that you get from:

    $ neutron floatingip-list
    

    and PORT_ID is the id of the port with the correct private IP (non floating) returned by:

    $ neutron port-list
    

How do I log into a Juju controller?

The command juju controller-config supplies most information about a controller. To find out more, look at this file on the machine where you bootstrapped the controller:

~/.local/share/juju/controllers.yaml

From there you can see the IP address of the controller, and you can log into it via ssh using the locally stored keypair:

$ ssh -i ~/.local/share/juju/ssh/juju_id_rsa ubuntu@10.3.1.0

Can I get storage for doing backups of my data?

The GARR Cloud Platform currently provides just computing facilities. However, nothing prevents using the storage assigned to a project for specific usage. One can, for example, create an Object Storage and use it to store data. Here is a quick guide on how to use Swift for doing backups.

Boot instances on volume via CLI

Here is an example of the CLI command to boot an instance directly on volume:

$ nova boot --key-name=$KEY --flavor $FLAVOR --nic net-name=$NET --security-group $SECGROUP  --block-device source=image,id=$IMAGE_ID,dest=volume,size=$SIZE,shutdown=remove,bootindex=0 $SERVER_NAME

where:

  • $KEY is the name of the public SSH key (retrieve the names with openstack keypair list)
  • $FLAVOR is the flavor name (openstack flavor list)
  • $NET is the name of the private network (openstack network list)
  • $SECGROUP is the name of the security group (openstack security group list --project MY_PROJECT)
  • $IMAGE_ID is the ID of the image to boot the VM from (openstack image list)
  • $SIZE is the size of the volume in GB
  • $SERVER_NAME is the name of the VM

Can I use object storage for backup?

Here is a link to a quick guide on backups to object storage: https://elastx.se/en/blog/getting-started-application-backups-to-swift

The endpoints at the time of writing (October 2018) are:

| bd9e71c06c1e498d9d70382d871bd139 | garr-ct1   | swift          | object-store    | True    | public    | http://90.147.165.90:80/swift/v1                               |
| d90c07bd83b94dc695eb090c7010f646 | garr-pa1   | swift          | object-store    | True    | public    | http://90.147.165.90:80/swift/v1                               |

How can I clone an existing instance?

A recommended procedure for cloning an instance is to perform the following operations:

  • shut off the instance to be cloned
  • create a snapshot of the instance
  • verify that the snapshot is indeed among the images of the current project
  • launch a new VM, selecting “instance snapshot” as “boot source” and then selecting the above-created snapshot

Architecture

Can you describe the architecture of the platform?

Here is the Reference Cloud Architecture document.

Why did you choose Juju for automation?

There are several tools for OpenStack automation. The most popular ones are Chef, Puppet, Ansible, SaltStack and Juju. Here is a brief comparison. Here is a video of a presentation on Chef vs Puppet vs Ansible vs Salt. Our choice fell on Juju because it is a tool that covers all aspects of automation deployment and maintenance, from hardware to cloud and to application provisioning.


This table provides a comparison of tool coverage.

Task Puppet Chef Salt Ansible Juju
Rolling Updates x x x x x
Health Check x x
Backup Restore x x x x
Networking x x x x
Storage x x x x
VM provisioning x x x x
Life cycle Mgmt x x x x
Relation Mgmt x x x x
Service Discovery x x
Config. Packaging
Templating
Service Provisioning| Yes

Can I use Ansible for automation?

Juju charms consist of scripts and configuration settings files. Scripts can be written in any language, and in particular they can be written in Ansible.

Can I use Juju with Puppet or Chef?

Puppet and Chef are great tools for configuring servers and keeping them consistent across a network. Juju works a layer above that by focusing on the service the application delivers, regardless of the machine on which it runs. One of the main advantages of Juju is its dynamic configuration ability, which allows you to re-configure services on the fly, add, remove, or change relationships between services, and scale in or out with ease. If you are using a configuration management tool to get your machines up and running, Juju can complement it with the service modelling layer which performs all the tasks described above. Integration is quite straightforward. Because Juju charms can be written in any language, you can include your existing Puppet or Chef code in a Juju charm. No need to write new code. Model, connect and configure. The charm browser has hundreds of charms and bundles allowing you to build complex services and see them deployed in the GUI.

Do you handle containers?

Take a look at the GARR Container Platform.

A comparison of container orchestration tools is described in Orchestration tool roundup Kubernetes vs. Docker vs. Heat vs. Terraform vs. Tosca.

Policy

What are the terms of service?

Look at this document.

Do you charge for bandwidth?

No.

Do you monitor egress traffic?

Yes. Traffic is monitored in order to avoid abuse, and abnormal traffic is reported to you. If you are unable to stop abnormal traffic, this may lead to your account suspension or termination.

Certain types of traffic are not allowed: torrents, spam, SSH probes, hacking attempts, botnets, DDoS, etc.