Show page

Differences

This shows you the differences between two versions of the page.

--- scgc:laboratoare:00 [2021/03/01 14:30]
darius.mihai [Intro]
+++ scgc:laboratoare:00 [2021/10/13 17:26] (current)
maria.mihailescu [6. Delete the virtual machine]
@@ Line 1: / Line 1: @@
-====== Laboratory 00. Working with Openstack ======
+====== Working with Openstack ======
 ===== Lab Setup =====
-  * We will be using two virtual machines in the [[http://cloud.curs.pub.ro/|faculty's cloud]].
+  * We will be using two virtual machines in the [[https://cloud.grid.pub.ro/|faculty's cloud]].
   * When creating a virtual machine follow the steps described in the exercises below.
   * These steps will be useful in all labs.
@@ Line 11: / Line 11: @@
 The faculty's cloud uses [[https://www.openstack.org/|Openstack]] to provide students with the ability to create and configure virtual machines in the faculty's cluster.
-Connect to Horizon, the web front-end of Openstack, at [[https://cloud-controller.grid.pub.ro/]] and authenticate using your LDAP username and password (LDAP is used to centrally authenticate across all UPB services; we will go into more details about how LDAP can be configured in [[scgc:laboratoare:02]]. Most labs will rely on interacting with Openstack using Horizon.
+Connect to Horizon, the web front-end of Openstack, at [[https://cloud.grid.pub.ro/]] and authenticate using your LDAP username and password (LDAP is used to centrally authenticate across all UPB services; we will go into more details about how LDAP can be configured in [[scgc:laboratoare:02]]). Most labs will rely on interacting with Openstack using Horizon.
 Most virtual machine images (base virtual disks) use [[https://cloudinit.readthedocs.io/en/latest/|cloud-init]] to automatically configure the virtual machine. As part of the first run of the virtual machine, cloud-init will re-generate SSH host keys, reset the default user's password to an invalid value (and usually make them a sudoer without requiring the password), disable root login, and inject the user's keys into the virtual machine.
-We will use ''fep.grid.pub.ro'' as a proxy for our connections to the virtual machines. You can connect to fep using ''ssh user.name@fep.grid.pub.ro'' and entering the LDAP password of your account when prompted.
+We will use ''fep8.grid.pub.ro'' as a proxy for our connections to the virtual machines. You can connect to fep using ''ssh user.name@fep8.grid.pub.ro'' and entering the LDAP password of your account when prompted.
-We also recommend using ''-o ServerAliveInterval=100'' to instruct the SSH client to send beacons to the server every 100 seconds, so you do not get disconnected due to inactivity, and ''-X'' for X11 forwarding (we will use this option later); the final command looks like ''ssh user.name@fep.grid.pub.ro -X -o ServerAliveInterval=100''. The short format will likely be enough in most cases.
+We also recommend using ''-o ServerAliveInterval=100'' to instruct the SSH client to send beacons to the server every 100 seconds, so you do not get disconnected due to inactivity, and ''-X'' for X11 forwarding (we will use this option later); the final command looks like ''ssh user.name@fep8.grid.pub.ro -X -o ServerAliveInterval=100''. The short format will likely be enough in most cases.
 <note important>
@@ Line 23: / Line 23: @@
 </note>
-==== 1. [5p] SSH key pair generation ====
+==== 1. SSH key pair generation ====
 Because the virtual machine's user's password is reset to an invalid value by cloud-init, you will not be able to log into the virtual machine using password login. Instead, you must first create an SSH key that will be automatically added to the virtual machine's default user's authorized key.
@@ Line 43: / Line 43: @@
 {{ :scgc:laboratoare:openstack-key-import.png?700 }}
-==== 2. [15p] Create virtual machines ====
+==== 2. Create virtual machines ====
 Now that the SSH key pair is available, we can start creating virtual machines. Note that you can only use a limited amount of total resources. You can see graphs of the total amount of resources you can use, and the amount of resources you have used so far through the Horizon interface, in the ''Project'' > ''Compute'' > ''Overview'' section. In the image below, resources are limited to 4 CPU cores and 4GB of RAM.
@@ Line 107: / Line 107: @@
 </note>
-==== 3. [15p] Connect to the virtual machine ====
+==== 3. Connect to the virtual machine ====
 The picture bellow shows how you can connect to the virtual machine. Since the virtual machine runs in OpenStack (i.e. in the faculty's cluster) and the assigned IP address is a private address, you cannot directly connect to the virtual machine.
@@ Line 155: / Line 155: @@
 </code>
-==== 4. [15p] Connect to the virtual machine with X forwarding ====
+==== 4. Connect to the virtual machine with X forwarding ====
 Linux uses a client-server architecture for the X window system. SSH allows you to forward graphical applications information through the X11 forwarding functionality.
 === Linux client ===
-Linux comes by default with the X11 client functionality, so if the SSH server allows X11 forwarding, you can use the ''-X'' option when connecting to the remote system. If you must go through multiple systems when connecting (e.g., you connect to fep before connecting to the Openstack virtual machine), you must set this flag for each connection.
+Linux comes by default with the X11 client functionality, so if the SSH server allows X11 forwarding, you can use the ''-X'' option when connecting to the remote system. If you must go through multiple systems when connecting (e.g., you connect to **fep** before connecting to the Openstack virtual machine), you must set this flag for each connection.
 <code bash>
 user@workstation ~ $ ssh -X user.name@fep.grid.pub.ro
 ...
-[user.name@fep7-1 ~]$ ssh -i ~/.ssh/id_openstack student@10.9.X.Y
+[user.name@fep7-1 ~]$ ssh -X -i ~/.ssh/id_openstack student@10.9.X.Y
 </code>
@@ Line 169: / Line 169: @@
 === MacOS client ===
-The MacOS SSH client has X11 forwarding functionality, but may not have an X11 server installed. You must first install an X11 server before being able to forward the GUI. Please follow [[https://medium.com/@toja/using-x11-apps-in-mac-os-x-c74b304fd128|these instructions]]. Afterwards, you can use the same commands described for the Linux cient (above).
+The MacOS SSH client has X11 forwarding functionality, but may not have an X11 server installed. You must first install an X11 server before being able to forward the GUI. Please follow [[https://medium.com/@toja/using-x11-apps-in-mac-os-x-c74b304fd128|these instructions]]. Afterwards, you can use the same commands described for the Linux client (above).
 === Windows client ===
@@ Line 181: / Line 181: @@
 student@scgc-lab00:~$ xclock
 </code>
-==== 5. [20p] Connect to one of your colleague's virtual machine ====
+<hidden>
+==== 5. Connect to someone else's virtual machine ====
+Partner up with someone else in the lab. Create a simple simple message server using ''netcat'' to listen to port ''8890''. Ask your partner to connect to your client and also try to connect to their server. You will need two terminals to perform this.
+<code bash>
+# Create the text server in listen mode in the first terminal
+student@scgc-lab00:~$ nc -l 8890
+# Check that the server is running on your system
+student@scgc-lab00:~$ ss -ltnp | grep 8890 # print TCP ports in listen mode, with information about the process
+LISTEN   0         1                   0.0.0.0:8890             0.0.0.0:*        users:(("nc",pid=11111,fd=3))
+# Connect to your partner's server (their virtual machine has IP 10.9.A.B)
+student@scgc-lab00:~$ nc 10.9.A.B 8890
+</code>
+<note tip>
+To open the SSH connections, you can open multiple SSH connections to the virtual machine in Openstack, or use a terminal multiplexing application like ''screen'' or ''tmux'' (this is the recommended option, since it also allows you to not lose your session even when losing the internet connection).
+For example, for tmux, write ''tmux'' in the virtual machine's terminal. You will see a new interface appear, with a green ribbon at the bottom. By default, tmux uses the ''<C-b>'' key combination as the control sequence (''<C-b>'' is the notation used by vim for "hold ctrl and press b", and we will use it here). To create a second terminal in horizontal split mode, press ''<C-b>"'' (that is the key combination ''ctrl+b'' and then double quotes ''"''). Afterwards, you can navigate between the panes using ''<C-b><arrow-key>'' - e.g., ''<C-b><down-arrow>'' to go to the next pane down from your current position.
+</note>
+If you cannot communicate with your partner's virtual machine, it's because all traffic is Openstack is routed through a firewall. To view the allowed rules in the default security policy (the one your virtual machine uses unless you have created another policy group and set during the virtual machine's creation process), go to the Horizon dashboard, navigate to ''Project'' > ''Network'' > ''Security Groups'' and click on ''Manage Rules'' for the desired security groups.
+You can see that by default, all traffic generated by the virtual machine is allowed outside (the rules specifying the ''Egress'' direction, for both IPv4 and IPv6 allow all IP protocols and port ranges, and to any IP (CIDR ''0.0.0.0/0'' for IPv4 and ''::/0'' for IPv6).
+However, for input traffic, only specific ports are allowed from any IP (see the rules for IPv4 and CIDR ''0.0.0.0/0''), while other ports are only accessible from virtual machines with a network interface in the ''default'' security group (the rules with ''default'' under the ''Remote Security Group''). Overall, these rules are meant to allow connections coming from any IP (e.g., fep) to access only certain services (e.g., SSH on port 22, HTTP(S) on ports 80, 443 and 8080, RDP on port 3389, VNC on port 5901), while your virtual machines can communicate on any port.
+To allow your partner's virtual machine to communicate with your virtual machine, click on ''Add Rule'' and select the ''Other Protocol'' rule, the ''Ingress'' direction, ''-1'' as IP protocol, ''CIDR'' type for remote, and ''10.9.A.B/32'' (your partner's virtual machine's IP address) for CIDR value. You could also use ''0.0.0.0/0'' for CIDR, but this is less secure, since it would allow any IP to connect to your virtual machine's ports, thus all security measures will have to be implemented on the virtual machine itself.
+{{ :scgc:laboratoare:openstack-security-group-cidr.png?700 }}
+</hidden>
+==== 5. Delete the virtual machine ====
+After each lab, and whenever you no longer need a virtual machine, please delete it. Go to the Horizon dashboard, go to ''Project'' > ''Compute'' > ''Instances'' and delete the virtual machine. You can either select all virtual machines your wish to delete from their checkbox on the left, and then click on ''Delete Instances'', or select ''Delete instance'' from the dropdown menu on the right.
-==== 6. [5p] Delete the virtual machine ====
+It would also be a good idea to delete the security group rule you have previously created earlier if you do not need to allow communication with machines outside your project.

Resources

Laboratories

scgc/laboratoare/00.1614601858.txt.gz · Last modified: 2021/03/01 14:30 by darius.mihai

Show page Old revisions

Media Manager Back to top