2.1 Managing cloud providers

robert-sanfeliu edited this page Dec 2, 2024 · 24 revisions

NebulOuS supports two cloud providers: OpenStack and AWS. Below you will find the details on how to register accounts for these cloud providers in NebulOuS so it can deploy applications using them.

Before you start

Throughout an application's lifecycle, NebulOuS dynamically manages the application cluster by adding or removing computing nodes to comply with the application SLO. When cloud resources are required, NebulOuS autonomously creates the necessary VMs and decommissions them once they are no longer needed. Currently, NebulOuS supports two cloud providers: OpenStack and Amazon Web Services. Regardless of the specific cloud provider, some requirements must be satisfied:

  • The cloud provider API must be reachable by NebulOuS core to provision/decommission nodes.
  • The cloud provider must offer clean images based on Ubuntu 22.04 LTS. These images must:
    • have a user ubuntu that can execute sudo commands without requiring a password.
    • allow SSH connections using the ssh-rsa algorithm.
    • have at least 20GB of disk so the operating system and necessary software packages for NebulOuS can be installed. Moreover, the disk size must also be aligned with the disk requirements of the application components you intend to deploy.
  • The following ports are needed:
    • INBOUND 22 TCP (SSH)
    • INBOUND 51820 UDP (ONM)
    • OUTBOUND ALL TCP & UDP
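
One way to check a security group against the port requirements listed above, as an added example that is not part of the NebulOuS documentation. It reports which remote ranges can reach each required inbound port. The one-rule-per-line input format and the sample rules are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not NebulOuS code). Assumed input: one rule per line as
#   <direction> <protocol|any> <min:max|any> <remote CIDR>

# Constructed sample rules, not taken from a real account.
SAMPLE_RULES='ingress tcp 22:22 0.0.0.0/0
ingress udp 51000:52000 10.0.0.0/8
ingress tcp 8080:8080 10.0.0.0/8
egress any any 0.0.0.0/0'

# sources RULES PROTO PORT -> comma-separated remote CIDRs of the ingress
# rules that admit PROTO/PORT (empty when no rule does)
sources() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $1 != "ingress" || ($2 != proto && $2 != "any") { next }
        {
            n = split($3, r, ":")
            lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
            if ($3 == "any" || (port + 0 >= lo && port + 0 <= hi)) {
                out = out sep $4; sep = ","
            }
        }
        END { print out }'
}

# report RULES -> one line per required inbound port (22/tcp SSH, 51820/udp
# ONM): the CIDRs that can reach it, or MISSING
report() {
    for need in tcp/22 udp/51820; do
        src=$(sources "$1" "${need%/*}" "${need#*/}")
        printf '%s %s\n' "$need" "${src:-MISSING}"
    done
}

# egress_open RULES -> exit 0 if outbound TCP and UDP are allowed on all ports
egress_open() {
    for proto in tcp udp; do
        printf '%s\n' "$1" | awk -v proto="$proto" '
            $1 == "egress" && ($2 == proto || $2 == "any") &&
            ($3 == "any" || $3 == "1:65535") { ok = 1 }
            END { exit(ok ? 0 : 1) }' || return 1
    done
}

report "$SAMPLE_RULES"
```

A port reported with a range that does not include the NebulOuS core address is as unusable as one reported MISSING.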

OpenStack

Before you start

Acquire the OpenRC configuration file. This file is crucial as it contains the necessary settings and configurations.

OVH: https://help.ovhcloud.com/csm/en-public-cloud-compute-set-openstack-environment-variables?id=kb_article_view&sysparm_article=KB0050920

OpenStack: https://docs.openstack.org/newton/user-guide/common/cli-set-environment-variables-using-openstack-rc.html

NebulOuS can only instantiate machines on OpenStack when they are based on an Ubuntu 22.04 image.

It is important to give at least 20GB of disk so the operating system and necessary software packages for NebulOuS can be installed. Moreover, the disk size must also be aligned with the disk requirements of the application components you intend to deploy.

Make sure the user ubuntu exists and can execute sudo commands without being asked for a password.

As a result, to make sure that your images can be detected and used in the node candidate creation, the following should be done:

  1. Create an image or copy one from an already existing image based on Ubuntu 22.04. (for example: GOLD Ubuntu 22.04 LTS)

While you can create an image from a running instance, it is often recommended to stop the instance to ensure that the image captures a consistent state.

openstack server stop <instance-id>

To create the image, execute:

openstack server image create --name <image-name> <instance-id>

  2. Preferably, if you are creating the image from a running machine, we advise you to run:

sudo apt-get update
sudo unattended-upgrade -d

  3. In /etc/ssh/sshd_config, add the following at the end of the file:

PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@openssh.com
HostKeyAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@openssh.com

Registering OpenStack account:

Step 1: On the NebulOuS UI, go to the "Resources" section

Step 2: Click the "ADD RESOURCE" button

Step 3: Fill in the resource registration form

You must fill in the following fields:

  • Name: A name for your cloud account. NebulOuS supports multiple cloud accounts from the same or different cloud providers. Choose a name that is descriptive enough.
  • Platform: OpenStack
  • In General section:
    • Auth URL: OS_AUTH_URL Mapped from openrc file.
    • Identity API Version: OS_IDENTITY_API_VERSION Mapped from openrc file.
    • Interface Type: OS_INTERFACE Mapped from openrc file.
    • Add a Security Group from your OpenStack account (take into account that a security group is used per region). To list all security groups, one can execute the command:
openstack security group list

To add a security group, one can execute the command (https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/security-group.html):

openstack security group create
    [--description <description>]
    [--project <project> [--project-domain <project-domain>]]
    <name>

This version of NebulOuS requires that the cloud provider has all ports open. Make sure that you have a security group with rules that allow inbound and outbound traffic on all ports. To create such security group, one can execute:

openstack security group create allow-all --description "Security group with rules to allow all inbound and outbound traffic"

Also, one can add such rules to the security group.

Allow all inbound TCP traffic:

openstack security group rule create --proto tcp --dst-port 1:65535 allow-all

Allow all inbound UDP traffic:

openstack security group rule create --proto udp --dst-port 1:65535 allow-all

Allow all inbound ICMP traffic (e.g., ping):

openstack security group rule create --proto icmp allow-all
    • Add a Default Network from your OpenStack account. To list all networks, one can execute the command:
openstack network list

To add network, one can execute command (https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/network.html):

openstack network list
    [--external | --internal]
    [--long]
    [--name <name>]
    [--enable | --disable]
    [--project <project> [--project-domain <project-domain>]]
    [--share | --no-share]
    [--status <status>]
    [--provider-network-type <provider-network-type>]
    [--provider-physical-network <provider-physical-network>]
    [--provider-segment <provider-segment>]
    [--agent <agent-id>]
    [--tags <tag>[,<tag>,...]] [--any-tags <tag>[,<tag>,...]]
    [--not-tags <tag>[,<tag>,...]] [--not-any-tags <tag>[,<tag>,...]]
  • In credentials section:

    • Username: OS_USERNAME Mapped from openrc file.

    • Password: OS_PASSWORD Mapped from openrc file.

    • Project Domain Name: OS_PROJECT_DOMAIN_NAME Mapped from openrc file

  • In SSH Credentials section

    • Username (e.g.: ubuntu), Key Pair Name and Key Private Key, you can define them in the "Key pair" section of your AWS account

After filling in the form and saving it, you need to click the eye button.

To confirm that your OpenStack installation is ready, create a VM that uses the image you created, using the credentials OS_USERNAME, OS_PASSWORD and OS_PROJECT_DOMAIN_NAME:

openstack server create \
--image "<name_of_the_NebulOuS_ready_image>" \
--flavor <flavor> \
--key-name <name_of_the_nebulous_ssh_key> \
--network <name_of_the_nebulous_network> \
--security-group <name_of_the_nebulous_sg> \
Test-NebulOuS

If an unauthorized error appears on the UI, please check that you have this step

If you encounter another issue, please refer to https://github.com/eu-nebulous/nebulous/wiki/6.4-Common-errors#cloud-providers

AWS

Before you start

NebulOuS can only instantiate machines on AWS that fulfill the following conditions:

  1. Are owned by the account that is used in the cloud definition.
  2. Are tagged with: proactive-list-label:listed-in-proactive and Name:Ubuntu 22.04
  3. Are based on an Ubuntu 22.04 Server LTS image

As a result, to make sure that your images can be detected and used in the node candidate creation, the following should be done:

1- Create an AMI based on Ubuntu 22.04 Server LTS. In this step, you will need to define the disk amount associated with the AMI. It is important that you select at least 20GB of disk so the operating system and necessary software packages for NebulOuS can be installed. Moreover, the disk size must also be aligned with the disk requirements of the application components you intend to deploy.

1.1- Run:

sudo apt-get update
sudo unattended-upgrade -d

1.2- Make sure the user ubuntu exists and can execute sudo commands without being asked for a password.

1.3- In /etc/ssh/sshd_config, add the following at the end of the file:

PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@openssh.com
HostKeyAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@openssh.com

1.4- From the running instance, save the image following this manual: https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/tkv-create-ami-from-instance.html

2- Either at the creation step or after the image is created, add the tag to the AMI.

Please note that if the image should be present in different regions, then it can be copied from one region to another following this manual: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html#ami-copy-steps

Security groups and open ports

This version of NebulOuS requires that the cloud provider has all ports open. Make sure that you have a security group with rules that allow inbound and outbound traffic on all ports.
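
A check for the image preparation steps 1.1 to 1.3 above and the matching OpenStack steps, as an added example that is not part of the NebulOuS documentation. It reads the effective configuration from `sshd -T` instead of the file, because sshd keeps the first value it obtains for a keyword, so lines appended at the end of sshd_config have no effect when an earlier line or an included file already sets them. The sample output and the script name check.sh are constructed for the example.

```shell
#!/bin/sh
# Added example (not NebulOuS code): check the image requirements on the
# instance before saving it as an image.

# Constructed excerpt of `sshd -T` output; here only one keyword took effect.
SAMPLE_SSHD_T='port 22
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-256,ssh-rsa,ssh-rsa-cert-v01@openssh.com
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# has_algo SSHD_T KEYWORD ALGO -> exit 0 if ALGO is an exact member of the
# comma-separated list that `sshd -T` prints for KEYWORD
has_algo() {
    printf '%s\n' "$1" | awk -v kw="$2" -v algo="$3" '
        tolower($1) == kw {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == algo) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# ssh_rsa_gaps SSHD_T -> prints one line for each keyword whose effective
# list lacks one of the two algorithms the page adds
ssh_rsa_gaps() {
    for kw in pubkeyacceptedalgorithms hostkeyalgorithms; do
        for algo in ssh-rsa ssh-rsa-cert-v01@openssh.com; do
            has_algo "$1" "$kw" "$algo" || printf '%s lacks %s\n' "$kw" "$algo"
        done
    done
}

# check_image -> run on the instance as root or as ubuntu; prints one line
# per unmet requirement and nothing when all checks pass
check_image() {
    id ubuntu >/dev/null 2>&1 || echo "user ubuntu does not exist"
    sudo -n -u ubuntu sudo -n true 2>/dev/null ||
        echo "ubuntu cannot run sudo without a password"
    ssh_rsa_gaps "$(sudo -n sshd -T 2>/dev/null)"
}

# Usage on the instance: sh check.sh --live
if [ "${1:-}" = "--live" ]; then check_image; fi
```

The disk size requirement is not covered by this check.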

Registering AWS account:

Step 1: On the NebulOuS UI, go to the "Resources" section

Create a security group for your application:

VMs created by NebulOuS need to be reachable by certain NebulOuS core services. To achieve this, you need to create a security group with specific rules.

To create a security group:

  1. Click on the Security group section under the Network & Security section of the left menu.

  2. Click on the Create security group button.

  3. Give it a name and a description.

  4. Configure the Inbound rules.

  5. Configure the Outbound rules.

  6. Keep in mind that these are the rules necessary for NebulOuS to correctly operate the VMs created on AWS. If your application needs to expose any other ports, you need to configure them here too.

Create a dedicated user for NebulOuS

You will have to give NebulOuS access rights to your AWS account in order to create and destroy VMs. It is best practice to create a dedicated user with limited access to the account. To do so:

  1. Go to the Security credentials section.

  2. Go to the Policies section from the left menu.

  3. Click Create policy.

  4. Give it a name, e.g. NebulOuSCustomPricingPolicy.

  5. Copy the following JSON into the JSON Policy Editor:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "pricing:DescribeServices",
                "pricing:ListPriceLists",
                "pricing:GetAttributeValues",
                "pricing:GetPriceListFileUrl",
                "pricing:GetProducts"
            ],
            "Resource": "*"
        }
    ]
}

  6. Save the policy.

  7. Go to the Users section from the left menu.

  8. Click Create user.

  9. Give it a name.

  10. In the Set permissions step, select Attach policies directly.

  11. Select the policy created previously and AmazonEC2FullAccess, AWSPriceListServiceFullAccess.

  12. Save.

  13. Go to the Security credentials section of the newly created user and click Create access key.

  14. Select the option Third party service.

  15. Give the credentials a name.

  16. Save the Access key and Secret access key to use them later when registering the cloud provider in NebulOuS.

Step 2: Click the "ADD RESOURCE" button

Step 3: Fill in the resource registration form

You must fill in the following fields:

  • Name: A name for your cloud account. NebulOuS supports multiple cloud accounts from the same or different cloud providers. Choose a name that is descriptive enough.
  • Platform: AWS
  • Regions: Select the region for your AWS account. Only one region is permitted. Make sure you have an AMI defined in the region you are configuring.
  • In General section:
    • Add a Security Group from your AWS account (in the EC2 Dashboard you can find default security groups or you can create your own). Make sure that the security group is in the same region you are configuring.
  • In credentials section
    • Provide a value for Username (Access key ID obtained from the AWS portal) and Secret (Secret access key obtained from the AWS portal)
  • In SSH Credentials section
    • Username (must be ubuntu), Key Pair Name and Key Private Key, you can define them in the "Key pair" section of your AWS account.

After filling in the form and saving it, you need to click the eye button.

If an unauthorized error appears on the UI, please check that you have this step

If you encounter another issue, please refer to https://github.com/eu-nebulous/nebulous/wiki/6.4-Common-errors#cloud-providers
