Hands-on Lab Exercise Guide


CloudPlatform 4.5 Training
Hands-on Lab Exercise Guide
Mike Palmer
June

Table of Contents

Overview
Scenario
Lab Preparation
    Attach XenCenter to Your XenServers
Module
    Exercise 1: Create the cpman VM and Install CentOS
    Exercise 2: Install XenServer Tools on the cpman VM
    Exercise 3: Setup Networking on the cpman VM
    Exercise 4: Configure the nfs-server VM
    Exercise 5: Configure NFS on the cpman VM
Module
    Exercise 1: Install CloudPlatform
    Exercise 2: Prepare the System VM Template
Module
    Exercise 1: Create a XenServer Resource Pool
    Exercise 2: Build a Basic Zone
Module
    Exercise 1: Service Offerings
    Exercise 2: Domains, Accounts and Users
    Exercise 3: User Provisioning Using LDAP
Module
    Exercise 1: Create a Guest Virtual Machine
    Exercise 2: VM Control Functions
    Exercise 3: Security Groups
    Exercise 4: Changing a VM's Service Offering
    Exercise 5: Migrating a VM's Root Volume
    Exercise 6: Affinity Groups
Module
    Exercise 1: Templates & ISO Preparation
    Exercise 2: Transferring a VM from XenServer
    Exercise 3: Working with Templates
    Exercise 4: Working with ISOs
    Exercise 5: Expunging VMs and Lab Preparation
Module
    Exercise 1: Prepare the Advanced Zone XenServer
    Exercise 2: Build an Advanced Zone
Module
    Exercise 1: Isolated Networks
    Exercise 2: Shared Networks
    Exercise 3: Port Forwarding & Load Balancing
    Exercise 4: Citrix NetScaler Integration
Module
    Exercise 1: Download Joomla Templates
    Exercise 2: Setup a VPC with two tiers
    Exercise 3: Setup the Access Control Lists
    Exercise 4: Create the two Joomla server VMs
    Exercise 5: Test the Joomla CMS System
Module
    Exercise 1: Management Server Log
    Exercise 2: System VM Access and Logs
Appendix
    Appendix 1: Editing Files with vi
    Appendix 2: Resetting the CloudPlatform lab

Overview

Hands-on Training Module

Objective
This training will provide hands-on experience with the installation, configuration and operation of Citrix CloudPlatform 4.5.

Prerequisites
Experience using the vi text editor for editing configuration files is beneficial, but not required. Your lab access device (PC or Mac supported) requires the Citrix Receiver to be installed.

Audience
Citrix Partners, Customers, Sales Engineers, Consultants, Technical Support.

Lab Environment Details
The lab environment uses a single physical XenServer accessed through the internet. The XenServer hosts various Virtual Machines (VMs), including four virtual XenServers, the CloudPlatform infrastructure VMs and a Windows Server 2008 R2 (Student Desktop) for accessing the Windows applications needed for the lab.

All lab infrastructure VMs share a private internal ( /24) network with an infrastructure router providing access to the internet for all VMs. An additional network (Public-Guest) is used in the Advanced zone modules. The system diagram of the lab is shown below:

The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All Windows applications, such as the Firefox and Chrome browsers and XenCenter (the XenServer GUI management tool), are accessed from the Student Desktop.

Virtual XenServer naming conventions
When referring to a virtual XenServer VM running on the physical XenServer, the label Virtual XenServer-xx is used, e.g. VirtualXenServer-01. XenCenter manages VirtualXenServer-01 as a VM, not as a XenServer.

When referring to a virtual XenServer host, the label vxs-xx is used, e.g. vxs-01. Both XenCenter and CloudPlatform manage vxs-01 as a XenServer.

Lab Guide Conventions
- This symbol indicates particular attention must be paid to this step
- Special note to offer advice or background information
- reboot VMDemo Start: Text the student enters or an item they select from a dropdown menu is printed like this
- Filename mentioned in text or lines added to files during editing
- Bold text indicates reference to a button or object
- Focuses attention on a particular part of the screen (R:255 G:20 B:147)
- Shows where to click or select an item on a screen shot (R:255 G:102 B:0)

Virtual Machines vs. Instances
A Virtual Machine (VM) is a software implementation of a machine (i.e. a computer) that executes programs like a physical machine. While CloudPlatform usually refers to system VMs as VMs, it often, but not always, refers to user (Guest) VMs as Instances.

Lab Module Reset
This lab provides the ability to reset the lab ready to start any module using the labreset.sh script. This is run on the physical XenServer host console, which may be accessed through XenCenter or PuTTY. See appendix 2 for details.

Command Copy & Paste
Many commands and entries used in this lab are long and/or complex. To save typing and to improve accuracy, you are encouraged to copy commands from the lab guide and paste them into the XenCenter VM console or dialog box.

A command may be copied from the lab guide by highlighting the command and then using Ctrl-C to copy the command to the copy buffer. Then, in the XenServer VM console, right-click and select Paste.

You can copy several commands at once and paste them into the console as a group and they will be executed in order. For instance, you can highlight and copy all four commands below and paste them together into the VM console. Each will be executed in turn. (Do not do this now!)

    service rpcbind start
    service nfslock start
    service nfs start
    chkconfig nfs on

You cannot, however, group commands after a command that expects a response from the user. If you see commands grouped in the user guide (like those above) they are safe to be pasted as a group. Unfortunately you can't paste into any of the CloudPlatform VM consoles (e.g. Glenn-1, Ride-1).

Lab Performance with Virtual XenServers
This lab requires a total of five XenServers. These are provided using one physical XenServer to host four additional virtual XenServers, providing a total of five.

Running virtual XenServers on XenServer (referred to as Xen-on-Xen or nested hypervisors) is not supported by Citrix, but is an option where multiple XenServers are needed, but are not readily available. It is ideal for training environments where lower performance is not a concern.

Virtual XenServers do not have Hardware Virtual Machine (HVM) capability (like a physical CPU does), so they are only able to run fully paravirtualized operating systems such as some versions of Linux (for example RedHat or CentOS). They cannot run any versions of the Windows operating system.

Each of the virtual XenServers in the lab has 6GB of RAM with two virtual CPUs assigned, so the performance and capabilities are lower than what would be expected from a typical physical XenServer.

The shared storage required by CloudPlatform for primary and secondary storage cloud wide is being provided for the lab by a single NFS server VM also running on the same single physical XenServer. Consequently, disk performance will be inferior to what may be expected from dedicated NFS storage devices.

Despite these limitations, the CloudPlatform lab does run quite well. Operations just take a little longer than can be expected from a production environment. There are some minor issues caused by using the Xen-on-Xen environment that are addressed in the lab step-by-step instructions.

XenServer configuration for CloudPlatform
Two of the Virtual XenServers (vxs-01 & vxs-02) are used for the Basic zone exercises and one (vxs-03) is used for the Advanced zone exercises. An additional virtual XenServer (vxs-04) is used for the exercise to transfer a VM from XenServer to CloudPlatform.

To use security groups in a CloudPlatform Basic zone, the XenServers must be configured to use the Linux Bridge rather than the standard Open Virtual Switch (OVS). vxs-01 and vxs-02 have been configured in this manner for you. Security groups are not available in an Advanced zone when using XenServer, so the Advanced zone XenServer (vxs-03) should use the standard OVS. vxs-04 is used as a stand-alone XenServer (outside of CloudPlatform) so it too should also use the OVS.

List of Virtual Machines Used

VM Name   IP Address   Description / OS
NS   NetScaler VPX Appliance
Landing VM   Student Desktop Landing VM (Hidden in XenCenter)
AD   Active Directory Server / Win 2008 R2
nfs-server   NFS Server / CentOS 6.3
cpman   CloudPlatform Management Console / CentOS 6.3
VirtualXenserver-01 / vxs vxs-01   Bridge / Basic zone compute host / XS 6.2
VirtualXenserver-02 / vxs vxs-02   Bridge / Basic zone compute host / XS 6.2
VirtualXenserver-03 / vxs vxs-03   OVS / Advanced zone compute host / XS 6.2
VirtualXenserver-04 / vxs vxs-04   OVS / For VM Transfer Exercise / XS 6.2

Required Lab Credentials
The credentials required to connect to the environment and complete the lab exercises are shown within the step by step instructions and are summarized below:

VM Name             Username        Password    Description
NS1                 nsroot          nsroot      NetScaler VPX Appliance
AD1                 Administrator   Citrix123   Active Directory Server
nfs-server          root            Citrix123   NFS Server
cpman               root            Citrix123   CloudPlatform Management Console
vxs-xx              root            Citrix123   Virtual XenServer hosts
CloudPlatform GUI   admin           password    CloudPlatform GUI on first login
CloudPlatform GUI   admin           Citrix123   CloudPlatform GUI after password change
CloudPlatform VMs   root            password    All CloudPlatform CentOS 5.6 template VMs
CloudPlatform VMs   root            1           All CloudPlatform DemoVM template VMs

Reserved IP Ranges

IP range   Description
Paris zone System VMs (Cloud-Management network)
Paris zone Guest VMs (Cloud-Management network)
London zone System VMs (Cloud-Management network)
London zone Guest VMs (Cloud-Public network)
London zone shared network (VLAN 200 on Cloud-Public)

Important notes on the lab guide for CloudPlatform

1. The lab guide has been updated for the CloudPlatform 4.5 lab environment, however most screen shots have not been updated as there are little or no changes from 4.3. However, some GUI screens have changed substantially, resulting in changes to the step by step instructions. New screen shots have been taken for these screens.
2. The Virtual XenServers used in this lab (vxs-01 to vxs-04) have not had the latest updates applied, so XenCenter shows updates are pending via the small yellow arrow on the host. This has no effect on the lab.
3. A fix is required for the release of CloudPlatform to build an advanced zone correctly. A labreset must be performed sometime after module 2, but before module 7, to apply the fix. See appendix 2 for instructions to perform the labreset function.

Scenario

You work for an Infrastructure as a Service (IaaS) provider who wishes to provide compute, network and disk resources for thousands of accounts. You will build a Basic CloudPlatform zone which will fulfill your needs. You will then set up two test accounts, John.Glenn and Sally.Ride, to verify the operation of your cloud and then explore the various features of CloudPlatform.

Several of your customers require advanced features such as private guest networks, Port Forwarding, Load Balancing and Virtual Private Cloud that are not available in a Basic zone. You will need to create an Advanced zone to offer these features. Advanced zones are typically only able to support hundreds or perhaps thousands of accounts, rather than the hundreds of thousands of accounts supported by a Basic zone. Your customers can use both types of zone simultaneously.

You will set up an Advanced CloudPlatform zone and exercise the new zone by exploring isolated and shared networks, Port Forwarding, Load Balancing and Citrix NetScaler Integration.

Joomla is a content management system (CMS), which enables you to build Web sites and powerful online applications. You will set up a Joomla system in a CloudPlatform Virtual Private Cloud, complete with VLAN segregation and ACLs providing security not only from the outside, but also between tiers.

Lab Preparation

Attach XenCenter to Your XenServers

Overview
XenCenter is a graphical user interface application used for managing one or more XenServers. You will be using XenCenter to manage the various XenServers (both physical and virtual) needed for the lab. Also, in the lab, XenCenter will give you a behind-the-scenes look at what CloudPlatform is doing. While XenCenter is used for XenServer management such as stopping and starting XenServers, CloudPlatform manages all VMs running on the XenServers.

Step by step guidance

1. From your Student Desktop, launch Citrix XenCenter.
2. Click Add Server to add your physical XenServer to XenCenter.

3. Enter your physical XenServer parameters from your welcome screen.

       IP Address   Your XenServer IP address
       Username     Root
       Password     Your XenServer password

   You may find it easier to copy and paste the password to ensure it is entered correctly. Click Add.
4. Your Physical XenServer name will be different. XenCenter will attach to your physical XenServer.
5. You will notice three VMs are already running on the physical XenServer as highlighted above. They are:
   - The nfs-server VM provides NFS shared storage needed by CloudPlatform.
   - The two virtual XenServer VMs, VirtualXenServer-01 & VirtualXenServer
6. At this point XenCenter only sees the two virtual XenServers as VMs running on the physical XenServer host. XenCenter is not managing them as XenServers. You must add them to XenCenter as XenServers, to allow XenCenter to manage them.
7. As with the physical XenServer, the virtual XenServers are added by using the IP address and credentials. On XenCenter, click Add New Server.

8. Add the first virtual XenServer using the following parameters:

       IP Address
       Username     root
       Password     Citrix

   Click Add.
10. XenCenter attaches to your first virtual XenServer vxs-01.
    Note: You may see a small yellow down arrow on the virtual XenServers in XenCenter. This indicates that there are updates available for these XenServers. Ignore the yellow arrow; it will not affect the lab.
    On XenCenter, click Add New Server again.
11. Add the second virtual XenServer using the following parameters:

       IP Address
       Username     root
       Password     Citrix123

    Click Add.

12. XenCenter attaches to your second virtual XenServer vxs-01.

Summary
You have attached XenCenter to three XenServers, one physical & two virtual.

Module 1
CloudPlatform Infrastructure Preparation

This module prepares the minimum infrastructure required for a CloudPlatform implementation. You will create a Virtual Machine (VM) running on your physical XenServer host and install the CentOS Linux distribution onto the VM. This VM will become the CloudPlatform Management Server (cpman). You will then configure the VM's networking and prepare the VM for the CloudPlatform install.

NFS shared storage is required for CloudPlatform's secondary storage and is often used for CloudPlatform's primary storage. Typically in the datacenter this NFS storage would be provided by a hardware storage device such as a SAN or NAS, but in this lab the NFS storage is provided by a VM (nfs-server) running on the physical XenServer. This nfs-server VM has already been created for you in the same way as cpman, and the network has been similarly configured. You will need to install and configure the components needed to provide the NFS service onto nfs-server, and also install the services necessary to access the NFS shares onto cpman.

Exercises in this module
Exercise 1: Create the cpman VM and install CentOS 6.3
Exercise 2: Install XenServer Tools on the cpman VM
Exercise 3: Set up networking on the cpman VM
Exercise 4: Configure the nfs-server VM
Exercise 5: Configure NFS on the cpman VM

Exercise 1: Create the cpman VM and Install CentOS

Overview
The CloudPlatform Management Server runs on a RedHat or CentOS operating system version 6.2 or above. In this exercise you will:
- Create a VM on your physical XenServer.
- Install the CentOS 6.3 operating system on to it.

Step by step guidance
Estimated time to complete this exercise: 10 minutes.

1. Using XenCenter, ensure the CentOS 6.3 install DVD is available on the physical XenServer's local ISO Storage Repository. Click the Local ISO SR XS node on the physical XenServer and select the Storage tab. You should see two ISO files here. These are the ISO files available on the local ISO Storage Repository and can be selected to be loaded into the XenServer's DVD drive for booting a VM and installing an operating system. If you don't see the two ISO files, click the Rescan button and they should appear.

2. Your physical XenServer name will be different. Select your physical XenServer node and click the New VM button.
3. You will be asked what VM template you want to use. Scroll down the list and select the CentOS 6 (64-bit) template. Click Next.
4. Enter the name and description of the VM to be created:

       Name:          cpman
       Description:   CloudPlatform Management Server

   Click Next.

5. Select the CentOS-6.3-x86_64-bin-DVD1.iso file as the installation media. Leave the Advanced OS Boot parameters at the default. Click Next.
6. Click Next to accept the default home server (your physical XenServer) to create the VM.
7. Next you will specify the amount of RAM and number of CPUs for the VM. Increase the Number of vcpus to 2 and the Memory to 2048MB, and then click Next.

8. Do not click Add. You will increase the disk size from the default of 8GB. Click Properties.
9. Change the disk size to 30GB, click OK and then click Next.
10. You only need the Internal network, so delete the other three by ensuring Cloud-Public is highlighted and then click Delete. Click Private bond0 and then click Delete twice to delete the other two networks.

11. If your screen now looks like the one above, click Next.
12. Carefully confirm the settings you see match those shown above (except for the Home Server, which should be your physical XenServer name). Click Create Now.
13. You will notice the status bar at the bottom of XenCenter shows the progress in creating the VM. Once the VM is created it will be shown in XenCenter as cpman. This VM will become the CloudPlatform Management server.

14. Click the cpman node and the Console tab. Once the initial boot is completed, you should see the screen above. This is the console to your newly created VM. Adjust the size of the XenCenter window if necessary to show the whole of the console and click in the console to set focus. Use the <Tab> key to select Skip and then press <Enter>.
15. Wait a few moments for the following screen to appear:
16. Press <Enter>. Keep the language selection on English. Use the <Tab> key to select OK and then press <Enter>.

17. Use the <Tab> key to select Re-initialize and then press <Enter>.
18. Keep the time zone on America/NewYork. Use the <Tab> key to select OK and then press <Enter>.
19. Enter the root password twice. Passwords are case sensitive.

       Password:             Citrix123
       Password (confirm):   Citrix123

    Use the <Tab> key to select OK and then press <Enter>.

20. Use the <Tab> key to select OK and then press <Enter>.
21. Use the <Tab> key to select Write changes to disk and then press <Enter>.
22. After a few minutes you should see the following: Press <Enter> to reboot.
23. After the reboot, you should see the login prompt. CentOS 6.3 has been installed on the cpman VM.

Exercise Summary
You have created a VM named cpman, and have installed the CentOS 6.3 operating system.

Exercise 2: Install XenServer Tools on the cpman VM

Overview
In this exercise you will:
- Install XenServer tools on the cpman VM. This adds a XenServer agent that assists XenServer in monitoring and controlling the VM.

Step by step guidance
Estimated time to complete this exercise: 5 minutes.

1. Login to the cpman console using the credentials:

       Username   root
       Password   Citrix

2. Using the DVD Drive 1 selector choose xs-tools.iso. Make sure you select the xs-tools.iso DVD before executing the next step.
3. To install XenServer tools enter the following commands on the console:

       mount -r /dev/xvdd /mnt
       /mnt/linux/install.sh

   Answer y <Enter> to the prompt. To complete the installation, reboot the VM by entering the following command:

       reboot

4. Wait until cpman is in the process of booting and then click Eject to remove the XenServer tools DVD from the DVD drive. Ejecting a DVD when you no longer need it is a XenServer best practice. The DVD drive should say <empty>.

Exercise Summary
You have installed the XenServer tools on to the cpman VM.

Exercise 3: Setup Networking on the cpman VM

Overview
In this exercise you will:
- Configure the networking of the CentOS VM you just created.

You will need to use the vi text editor for this exercise. If you are not familiar with how to use vi, the instructor-provided cheat sheet will help you remember the commands needed, or, for more help, refer to Appendix 1 where you will get keystroke-by-keystroke instructions for editing the first file.

Step by step guidance
Estimated time to complete this exercise: 10 minutes.

1. Login to the cpman console using the credentials:

       Username   root
       Password   Citrix

2. The internal network specified when creating the VM is attached to the first NIC of the VM, which in Linux is referred to as eth0. You need to configure eth0 by editing its configuration file with the command:

       vi /etc/sysconfig/network-scripts/ifcfg-eth0

   Delete the following two lines:

       HWADDR="xx:xx:xx:xx:xxx"
       UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

   Change the following lines from:

       BOOTPROTO="dhcp"
       ONBOOT="no"

   to:

       BOOTPROTO="none"
       ONBOOT="yes"

   Add the following lines at the end of the file:

       IPADDR=
       NETMASK=
       GATEWAY=

   These parameters assign eth0 to use a static IP of and a gateway of

   After editing, the file should look exactly like:

       DEVICE="eth0"
       BOOTPROTO="none"
       NM_CONTROLLED="yes"
       ONBOOT="yes"
       TYPE="Ethernet"
       IPADDR=
       NETMASK=
       GATEWAY=

   Appendix 1 shows detailed step by step instructions on how to edit this file using the vi editor. Save the file and exit the editor by entering <ESC>:wq

3. Restart the driver for the eth0 NIC to read the new configuration by entering the following command:

       ifup eth0

4. You can verify that the network is operational by pinging one of Google's internet DNS servers.

       ping -c

   Verify that ping packets were received.
5. Edit the following file to point to a DNS server for this VM to use.

       vi /etc/resolv.conf

   The file should be empty; add the following line:

       nameserver

   After editing, the file should look like:

       nameserver

   Save the file and exit the editor by entering <ESC>:wq
6. Ping google.com to ensure name resolution is now operational.

       ping -c4 google.com

   It may take a few seconds to start the ping. Verify that the ping packets were received.

7. Add the two VMs, cpman and nfs-server, to the local name resolution file.

       vi /etc/hosts

   Delete the 2nd line (starting with ::1 localhost). Add the lines:

       cpman.cplab.local cpman
       nfs-server.cplab.local nfs-server

   After editing the file should look like:

       localhost localhost.localdomain localhost4 localhost4.localdomain
       cpman.cplab.local cpman
       nfs-server.cplab.local nfs-server

   Save the file and exit the editor by entering <ESC>:wq
8. Verify that local name resolution is working.

       ping -c4 nfs-server

   Check that ping packets were received.
9. Edit the following file to change the hostname:

       vi /etc/sysconfig/network

   Change the hostname to cpman:

       HOSTNAME=cpman

   After editing the file should look like:

       NETWORKING=yes
       HOSTNAME=cpman

   Save the file and exit the editor by entering <ESC>:wq
10. Reboot the VM to get the new hostname registered.

       reboot

11. After the reboot has completed, notice the hostname.
12. Login to the cpman console using the credentials:

       Username   root
       Password   Citrix123

    Verify that the hostname is fully qualified by entering the following command:

       hostname -f

    A fully qualified domain name specifies the host's exact location in the DNS tree hierarchy.

Exercise Summary
You have configured the network of the cpman VM.

Exercise 4: Configure the nfs-server VM

Overview
In this exercise you will:
- Configure the CloudPlatform primary and secondary shared storage.

CloudPlatform requires shared storage for secondary storage and it is often also used for primary storage. While this would typically be provided by a physical storage device in the datacenter, for the lab, another CentOS based VM running on your physical XenServer will be used as an NFS server.

The nfs-server VM has already been created for you in the same way as detailed for the cpman VM. The network has already been configured, but the NFS services need to be installed and configured.

A separate 250GB storage partition was created during the install of the NFS server to act as the primary and secondary shared storage for CloudPlatform. Keeping the OS and data partitions separate is a best practice for an NFS server like this. The partition is mounted on the /nfs mount point.

Step by step guidance
Estimated time to complete this exercise: 10 minutes.

1. Click the nfs-server node and then the Console tab to access the nfs-server VM console.
2. Login to the nfs-server console using the credentials:

       Username   root
       Password   Citrix123

   Make sure you are now on the nfs-server console.

3. Install the NFS server components required by entering:

       yum -y install nfs-utils

4. Set up NFS services to start on reboot.

       chkconfig nfs on

5. Create directories on the storage partition to serve as the primary and secondary storage for two zones, Paris & London.

       mkdir -p /nfs/paris/primary/cluster1
       mkdir -p /nfs/paris/secondary
       mkdir -p /nfs/london/primary/cluster1
       mkdir -p /nfs/london/secondary

6. Edit the NFS exports file to allow these directories to be shared.

       vi /etc/exports

   The file should be empty; add the following line (exactly as shown) to the file:

       /nfs *(rw,async,no_root_squash)

   After editing the file should look exactly like:

       /nfs *(rw,async,no_root_squash)

   Save the file and exit the editor by entering <ESC>:wq
7. Edit the NFS configuration file to open various ports:

       vi /etc/sysconfig/nfs

   Uncomment the following lines in the file by deleting the # at the beginning of each line:

       #RQUOTAD_PORT=875
       #LOCKD_TCPPORT=32803
       #LOCKD_UDPPORT=32769
       #MOUNTD_PORT=892
       #STATD_PORT=662
       #STATD_OUTGOING_PORT=2020

   Save the file and exit the editor by entering <ESC>:wq
8. Enter the following command to verify the NFS configuration file has been edited correctly:

       grep PORT /etc/sysconfig/nfs

   You should see that only the last line (RDMA_PORT) is still commented.

9. Configure the Linux firewall (iptables) ingress (inbound) and egress (outbound) rules to allow the NFS traffic by editing the iptables configuration file:

       vi /etc/sysconfig/iptables

   Add the following lines immediately after the 6th line (OUTPUT ACCEPT):

       -A INPUT -m state --state NEW -p udp --dport 111 -j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport j ACCEPT
       -A INPUT -m state --state NEW -p udp --dport j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport 892 -j ACCEPT
       -A INPUT -m state --state NEW -p udp --dport 892 -j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport 875 -j ACCEPT
       -A INPUT -m state --state NEW -p udp --dport 875 -j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport 662 -j ACCEPT
       -A INPUT -m state --state NEW -p udp --dport 662 -j ACCEPT

   It is highly recommended to copy and paste the above lines to ensure they are entered correctly.

   After editing the file should look like:

       # Firewall configuration written by system-config-firewall
       # Manual customization of this file is not recommended.
       *filter
       :INPUT ACCEPT [0:0]
       :FORWARD ACCEPT [0:0]
       :OUTPUT ACCEPT [0:0]
       -A INPUT -m state --state NEW -p udp --dport 111 -j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport j ACCEPT
       -A INPUT -m state --state NEW -p udp --dport j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport 892 -j ACCEPT
       -A INPUT -m state --state NEW -p udp --dport 892 -j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport 875 -j ACCEPT
       -A INPUT -m state --state NEW -p udp --dport 875 -j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport 662 -j ACCEPT
       -A INPUT -m state --state NEW -p udp --dport 662 -j ACCEPT
       -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
       -A INPUT -p icmp -j ACCEPT
       -A INPUT -i lo -j ACCEPT
       -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
       -A INPUT -j REJECT --reject-with icmp-host-prohibited
       -A FORWARD -j REJECT --reject-with icmp-host-prohibited
       COMMIT

   Save the file and exit the editor by entering <ESC>:wq

10. Specify the local NFS domain name in the following file:

       vi /etc/idmapd.conf

    Change the 5th line from:

       #Domain = local.domain.edu

    to:

       Domain = cplab.local

    Don't forget to remove the # from the start of the line. Save the file and exit the editor by entering <ESC>:wq
11. Reboot by entering:

       reboot

12. Login to the nfs-server console using the credentials:

       Username   root
       Password   Citrix123

    Check the /nfs directory is being exported by entering:

       showmount -e

    Notice that the /nfs directory (containing the shared storage directories you created earlier) is in the export list.

Exercise Summary
You have configured the NFS server that CloudPlatform will use for primary and secondary storage.
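A post-check for this exercise, added here as an example and not part of the original lab guide: it lists exports that are open to every host or carry no_root_squash (step 6), and confirms that each port uncommented in /etc/sysconfig/nfs (step 7) has a matching INPUT rule (step 9). The function names, the sample files and the 192.0.2.0/24 client are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the lab guide. All sample files are constructed.

# List exports(5) entries open to every host or exported with no_root_squash.
audit_exports() {    # $1 = exports file
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        NF == 1 { print $1 ": no client list, exported to any host"; next }
        {
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {                          # split "client(opt,opt)"
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1, length($i) - p - 1)
                }
                if (client == "" || client == "*")
                    print $1 ": exported to any host: " $i
                if (("," opts ",") ~ /,no_root_squash,/)
                    print $1 ": no_root_squash for " (client == "" ? "*" : client)
            }
        }' "$1"
}

# Report pinned NFS ports that are still commented out or have no firewall rule.
check_pinned_ports() {    # $1 = iptables rules file, $2 = sysconfig nfs file
    awk '
        FILENAME == ARGV[1] {                         # pass 1: collect ACCEPT rules
            if ($1 == "-A" && $2 == "INPUT" && $0 ~ /-j ACCEPT/) {
                proto = ""; port = ""
                for (i = 3; i < NF; i++) {
                    if ($i == "-p") proto = $(i + 1)
                    if ($i == "--dport") port = $(i + 1)
                }
                if (proto != "" && port != "") open[proto "/" port] = 1
            }
            next
        }
        /^#[ \t]*[A-Z_]+PORT=/ {                      # pass 2: commented settings
            name = $0; sub(/^#[ \t]*/, "", name); sub(/=.*/, "", name)
            # The guide expects only RDMA_PORT to stay commented.
            if (name != "RDMA_PORT") print name ": still commented out"
            next
        }
        /^[A-Z_]+PORT=[0-9]+/ {                       # pass 2: active settings
            split($0, kv, "=")
            name = kv[1]; port = kv[2] + 0
            if (name == "STATD_OUTGOING_PORT") next   # source port, no inbound rule
            if (name ~ /TCPPORT$/) need = "tcp"
            else if (name ~ /UDPPORT$/) need = "udp"
            else need = "tcp udp"
            n = split(need, protos, " ")
            for (j = 1; j <= n; j++)
                if (!((protos[j] "/" port) in open))
                    print name ": no INPUT ACCEPT rule for " protos[j] "/" port
        }' "$1" "$2"
}

# Constructed sample input (not the lab's real files).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/exports" <<'EOF'
# the line from step 6
/nfs *(rw,async,no_root_squash)
# constructed contrast: one named subnet (placeholder range), root squashed
/nfs/paris/secondary 192.0.2.0/24(rw,async)
EOF

cat > "$SAMPLE_DIR/nfs" <<'EOF'
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
#MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
#RDMA_PORT=20049
EOF

# The udp rule for lockd is deliberately left out of this sample.
cat > "$SAMPLE_DIR/iptables" <<'EOF'
-A INPUT -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 662 -j ACCEPT
EOF

echo "== exports findings =="
audit_exports "$SAMPLE_DIR/exports"
echo "== pinned port findings =="
check_pinned_ports "$SAMPLE_DIR/iptables" "$SAMPLE_DIR/nfs"
```

On the nfs-server VM the same functions can be pointed at /etc/exports, /etc/sysconfig/iptables and /etc/sysconfig/nfs.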

Exercise 5: Configure NFS on the cpman VM

Overview
In this exercise you will:
- Configure the required NFS components on the CloudPlatform Management Server (cpman).
- Make some final infrastructure preparations.

Step by step guidance
Estimated time to complete this exercise: 10 minutes.

1. Switch back to the cpman console by clicking the cpman node. Make sure you are back on the cpman console.
2. Install the NFS components on cpman by entering:

       yum -y install nfs-utils

3. Start essential NFS services:

       service rpcbind start
       service nfslock start
       service nfs start
       chkconfig nfs on

4. Verify that the NFS server is accessible from cpman:

       showmount -e nfs-server

   Notice that nfs-server is accessible, and is exporting the /nfs directory.

5. Linux access control, SELINUX, needs to be set to permissive for proper CloudPlatform installation and operation. Enter the following command to set permissive mode:

       setenforce permissive

6. While the last command immediately sets permissive mode, it will not survive a reboot. Set SELINUX to permissive at boot time by editing the following file:

       vi /etc/selinux/config

   Change the 6th line from:

       SELINUX=enforcing

   to:

       SELINUX=permissive

   After editing, the file should look like:

       # This file controls the state of SELinux on the system.
       # SELINUX= can take one of these three values:
       # enforcing - SELinux security policy is enforced.
       # permissive - SELinux prints warnings instead of enforcing.
       # disabled - No SELinux policy is loaded.
       SELINUX=permissive
       # SELINUXTYPE= can take one of these two values:
       # targeted - Targeted processes are protected,
       # mls - Multi Level Security protection.
       SELINUXTYPE=targeted

   Save the file and exit the editor by entering <ESC>:wq
7. Network Time Protocol (NTP) is required to synchronize the clocks of the servers in your cloud. The following command installs the NTP service on cpman.

       yum -y install ntp

8. Start the NTP client by entering the following command:

       service ntpd start

9. Set NTP to start again upon reboot by entering the following command:

       chkconfig ntpd on

10. The CloudPlatform installation is provided as a consolidated UNIX archive file known as a "TAR" file (short for Tape ARchive). TAR files can be obtained directly from web sites using the wget tool, but before you can use the tool, it must be installed. Enter the following command to install wget:

       yum -y install wget

    Once this tool is installed you are ready to install CloudPlatform.

Exercise Summary
You have installed and started the NFS services on cpman and configured several other services needed by CloudPlatform. You now have the entire infrastructure in place and are ready to install CloudPlatform.

Module 2 Install & Configure CloudPlatform

CloudPlatform is delivered as a TAR file (often called a "Tar Ball"). You can download the CloudPlatform install TAR file from the Citrix download site:

To save time, the file has been placed on the Student Desktop web server for you. You will transfer the file directly from the web server onto the cpman VM using the wget tool. You will then use the file to install the CloudPlatform Management Server and CloudPlatform MySQL database.

Once the CloudPlatform software install is complete, the CloudPlatform System VM template file must be seeded for each of the zones to be built. The System template file is normally downloaded directly from the internet, but again, to save time the system VM template has been placed on the Student Desktop web server. You will run a script to download the template from the web server and install it into the secondary storage for the Paris zone. You will then repeat the seeding for the London zone secondary storage.

Exercises in this module
- Exercise 1: Install CloudPlatform
- Exercise 2: Prepare the System VM Template

If you are using this lab guide to install CloudPlatform in your own lab, see the notes at the end of exercises 1 & 2.

Exercise 1: Install CloudPlatform

Overview

In this exercise you will:
- Download the CloudPlatform Management Server software TAR file.
- Install the CloudPlatform Management Server software.

Step by step guidance

Estimated time to complete this exercise: 20 minutes.

1. To save downloading the relatively large CloudPlatform installation TAR file from the internet, the install file has been placed on your Student Desktop web server. You will create a directory to download the file into, and then use the wget tool to obtain the file. Continuing on the cpman console, enter the following commands:

    mkdir /cpman_install
    cd /cpman_install
    wget

2. Use the tar tool to extract the contents of the installation file by entering the following command.

    tar -xvf CloudPlatform rhel6.tar.gz

3. Change directory to the CloudPlatform installation files directory.

    cd CloudPlatform rhel6

4. Install the CloudPlatform Management Server by entering the command:

    ./install.sh --install-management

5. Install the MySQL database using the following command:

    ./install.sh --install-database

6. Edit the MySQL configuration file to change some of the default configuration parameters required by CloudPlatform.

    vi /etc/my.cnf

   Add the following lines after the 2nd line (datadir=):

    innodb_rollback_on_timeout=1
    innodb_lock_wait_timeout=600
    max_connections=350
    log-bin=mysql-bin
    binlog-format = 'ROW'

   After editing, the file should look like:

    [mysqld]
    datadir=/var/lib/mysql
    innodb_rollback_on_timeout=1
    innodb_lock_wait_timeout=600
    max_connections=350
    log-bin=mysql-bin
    binlog-format = 'ROW'
    socket=/var/lib/mysql/mysql.sock
    user=mysql
    # Disabling symbolic-links is recommended to prevent security risks
    symbolic-links=0

    [mysqld_safe]
    log-error=/var/log/mysqld.log
    pid-file=/var/run/mysqld/mysqld.pid

   Save the file and exit the editor by entering <ESC>:wq

   The max_connections parameter should be set to 350 multiplied by the number of Management Servers you are deploying. This example assumes one Management Server.

7. Restart the MySQL service to re-read the updated configuration file by entering:

    service mysqld restart

8. Set the MySQL database root password to Citrix123 by entering:

    mysql -u root
    SET PASSWORD = PASSWORD('Citrix123');
    GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
    exit

9. Set up the CloudPlatform database schema in the MySQL database by entering:

    cloudstack-setup-databases cloud:cloud@localhost --deploy-as=root:citrix123

   The CloudPlatform database is set up with username:cloud and password:cloud.

10. The virtual XenServers used as hosts in the lab do not have Hardware Virtual Machine (HVM) capability like a physical CPU does. This means they are only able to run fully paravirtualized operating systems such as some versions of Linux (for example RedHat or CentOS). By default, CloudPlatform checks the host for HVM capability and will reject any host that does not have it. For the lab you must override the HVM check to allow the virtual XenServers to be used. This step is only required in the lab and would not be required with physical XenServers. Enter the following four commands (the INSERT command is all one line):

    mysql -u root --password=citrix123
    INSERT INTO `cloud`.`configuration` (`category`, `instance`, `component`, `name`,`value`, `description`) VALUES ('Advanced', 'DEFAULT', 'management-server','xen.check.hvm', 'false', 'Should we allow only the XenServers support HVM');
    commit
    \q

   You can copy and paste all four commands together. Verify that one row in the database was updated.

11. Complete the setup of the CloudPlatform Management Server by entering the command:

    cloudstack-setup-management

   This completes the setup of the cpman server.

Note on Installing CloudPlatform outside of this lab environment

To speed up the install process for the lab, the CloudPlatform install file was placed on your Student Desktop web server, and the command in step one of this exercise retrieved the file from there. To install CloudPlatform outside of this lab environment, the CloudPlatform install TAR file should be downloaded from the Citrix web site and then transferred from the download location to the cpman VM using ftp or wget. Note that the TAR filename will change depending on the version of CloudPlatform and the commands in steps 2 & 3 would change accordingly.

Exercise Summary

You have downloaded, installed and configured the CloudPlatform Management Server.
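The /etc/my.cnf edit in step 6 of this exercise only takes effect if the five lines land inside the [mysqld] group and max_connections equals 350 multiplied by the number of Management Servers. The following check is an added example, not part of the lab guide or of CloudPlatform; the function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example: verify the step 6 settings in a my.cnf file.

# MySQL accepts '-' and '_' interchangeably in option names.
norm_opt() { printf '%s' "$1" | tr '_' '-'; }

# mysqld_option NAME < my.cnf
# Prints the value NAME has inside [mysqld] (last assignment wins).
# Returns 0 if found there, 2 if NAME appears only in another group,
# 1 if it is absent altogether.
mysqld_option() {
    mo_want=$(norm_opt "$1"); mo_section=; mo_value=; mo_found=1
    while read -r mo_line || [ -n "$mo_line" ]; do
        case $mo_line in
            ''|'#'*|';'*) continue ;;
            '['*']') mo_section=${mo_line#\[}; mo_section=${mo_section%\]}; continue ;;
        esac
        mo_key=$(norm_opt "$(printf '%s' "${mo_line%%=*}" | tr -d ' \t')")
        [ "$mo_key" = "$mo_want" ] || continue
        if [ "$mo_section" = mysqld ]; then
            case $mo_line in
                *=*) mo_value=${mo_line#*=} ;;
                *)   mo_value= ;;
            esac
            # drop blanks and quotes, so "binlog-format = 'ROW'" yields ROW
            mo_value=$(printf '%s' "$mo_value" | tr -d " \t'\"")
            mo_found=0
        elif [ "$mo_found" -ne 0 ]; then
            mo_found=2
        fi
    done
    [ "$mo_found" -eq 0 ] && printf '%s\n' "$mo_value"
    return "$mo_found"
}

# check_cloudplatform_mycnf FILE [MANAGEMENT_SERVERS]
# Prints one line per setting; the return status is the number of failures.
check_cloudplatform_mycnf() {
    cc_file=$1; cc_servers=${2:-1}; cc_failures=0
    cc_conn=$((350 * $cc_servers))
    for cc_pair in innodb_rollback_on_timeout=1 innodb_lock_wait_timeout=600 \
                   max_connections=$cc_conn log-bin=mysql-bin binlog-format=ROW; do
        cc_name=${cc_pair%%=*}; cc_expected=${cc_pair#*=}
        cc_rc=0
        cc_actual=$(mysqld_option "$cc_name" < "$cc_file") || cc_rc=$?
        case $cc_rc in
            0) if [ "$cc_actual" = "$cc_expected" ]; then
                   echo "OK   $cc_name=$cc_actual"
               else
                   echo "FAIL $cc_name=$cc_actual (expected $cc_expected)"
                   cc_failures=$(($cc_failures + 1))
               fi ;;
            2) echo "FAIL $cc_name is set outside [mysqld]"
               cc_failures=$(($cc_failures + 1)) ;;
            *) echo "FAIL $cc_name is missing"
               cc_failures=$(($cc_failures + 1)) ;;
        esac
    done
    return "$cc_failures"
}

# Constructed sample: the lines were pasted below [mysqld_safe] by mistake.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
[mysqld_safe]
innodb_rollback_on_timeout=1
innodb_lock_wait_timeout=600
max_connections=350
log-bin=mysql-bin
binlog-format = 'ROW'
EOF
check_cloudplatform_mycnf "$sample" 1 || true
rm -f "$sample"

# On cpman itself:  check_cloudplatform_mycnf /etc/my.cnf 1
```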

Exercise 2: Prepare the System VM Template

Overview

CloudPlatform secondary storage is the storage used for all CloudPlatform VM templates for the zone, as well as snapshots and ISO images.

In this exercise you will:
- Seed secondary storage with the system VM template using the template installation script.

The system VM template will be used to create all CloudPlatform system VMs (system Virtual Routers, system Console Proxy VMs and system Storage transfer VMs) in the zone. Each zone has its own secondary storage so each zone's secondary storage must be separately seeded with the system template. It is not possible to simply copy the template from the secondary storage of one zone to the secondary storage of another zone. The install script also seeds the CloudPlatform database, so the script must be used on each zone separately.

Note about long and complex CLI commands

Several CLI commands in this exercise are long and complex. The commands are intended to be copied & then pasted into the cpman VM console to ensure the commands are entered accurately. When you paste the command ensure that the command pasted is the complete command from the lab guide. If you experience difficulty pasting, use a text editor on your laptop desktop as an intermediary, checking and reforming the command if necessary.

Step by step guidance

Estimated time to complete this exercise: 10 minutes.

1. Continuing on the cpman console, mount the NFS secondary storage for the Paris zone with the following two commands:

    mkdir -p /mnt/secondary
    mount -t nfs -o vers=3 nfs-server.cplab.local:/nfs/paris/secondary /mnt/secondary

2. Install the CloudPlatform system VM template by entering the following command (it's all one command):

    /usr/share/cloudstack-common/scripts/storage/secondary/cloud-install-sys-tmplt -m /mnt/secondary/ -u \ -h xenserver

   The template will be downloaded and installed. This will take several minutes. Check for the "Successfully installed" message.

3. Repeat the seeding process for the London zone secondary storage by entering the following commands:

    umount /mnt/secondary
    mkdir -p /mnt/secondary
    mount -t nfs -o vers=3 nfs-server.cplab.local:/nfs/london/secondary /mnt/secondary
    /usr/share/cloudstack-common/scripts/storage/secondary/cloud-install-sys-tmplt -m /mnt/secondary/ -u \ -h xenserver

   Check for the "Successfully installed" message.

4. The secondary storage was temporarily mounted on the CloudPlatform management server to allow for the seeding; once the template is seeded, the secondary storage no longer needs to be mounted on the management server. Enter the following command to dismount the secondary storage from the CloudPlatform Management Server.

    umount /mnt/secondary

5. To verify both secondary storage zones have been seeded correctly, change to the nfs-server console. The next step is carried out on the nfs-server VM console. Login if necessary:

    Username: root
    Password: Citrix

   Enter the following commands:

    ls -l /nfs/paris/secondary/template/tmpl/1/1/
    ls -l /nfs/london/secondary/template/tmpl/1/1/

   The two zones, Paris & London, have been seeded with the system VM template VHD file. Each template is about 2 ½ GB in size.

Exercise Summary

You have now seeded the CloudPlatform system templates for the London and Paris zones. CloudPlatform is now installed, configured and ready to build a cloud.

Note on Installing CloudPlatform outside of this lab environment

To speed up the seeding process in the lab, the system template was placed on your Student Desktop web server and the commands in steps 2 & 3 installed the template from there. Usually the template would be obtained directly from the cloud.com web server. To do this you would replace the command in steps 2 & 3 of this exercise with the following command (do not enter this command now):

    /usr/share/cloudstack-common/scripts/storage/secondary/cloud-install-sys-tmplt -m /export/secondary -u -h xenserver -s <optional-management-server-secret-key> -F

Note that the System template filename will change depending on the version of CloudPlatform, so the above command must be adjusted accordingly.

Module 3 Build a Basic Networking Zone

All the Guest VMs throughout a Basic Networking zone share a single flat network, with every Guest VM having a unique IP address assigned from the Guest IP range. Zones are built with Pods, with each Pod consisting of Clusters of Hosts and Primary Storage. Each Pod is on its own management subnet range and contains a dedicated Guest IP range, so this allows a Basic zone to be scaled horizontally by simply adding more Pods.

In this module you will build a Basic Networking zone cloud by creating your first Pod. The diagram below shows the physical networking of the lab infrastructure for the Paris Basic zone. The Paris zone components are shown in the purple dotted area.

Exercises in this module
- Exercise 1: Create a XenServer Resource Pool
- Exercise 2: Build a Basic networking zone

Exercise 1: Create a XenServer Resource Pool

Overview

When adding multiple XenServer hosts to the same CloudPlatform cluster, the XenServers must already be bound into a Resource Pool.

In this exercise you will:
- Create a XenServer pool consisting of two virtual XenServers.

Step by step guidance

Estimated time to complete this exercise: 5 minutes.

1. Using XenCenter, right-click the vxs-01 node, select Add to Pool and then click New Pool.

2. Enter the pool name:

    Name: Paris-XS-Cluster-1

   Check vxs-02 and click Create Pool.

3. It takes 15 seconds or so to form the Paris-XS-Cluster-1 resource pool consisting of vxs-01 and vxs-02. XenCenter always lists the Pool Master server first (vxs-01). Expand the vxs-01 and vxs-02 nodes by clicking the on both nodes.

4. You will now be able to monitor changes to the virtual XenServers when the host XenServer Resource Pool is assimilated into CloudPlatform in the next exercise.

Exercise Summary

You have now created a XenServer Resource Pool consisting of two XenServers to provide the compute resources for your cloud's Basic zone.

Exercise 2: Build a Basic Zone

Overview

In this exercise you will:
- Build your first cloud by creating a Basic zone using the CloudPlatform GUI.

Step by step guidance

Estimated time to complete this exercise: 35 minutes.

1. On the Student Desktop (not your laptop), start the CloudPlatform Management server GUI by launching the Chrome browser. Use the Chrome browser for this step. You will use the Firefox browser later on.

2. Enter the following URL:

3. Arrange your desktop with your browser overlapping XenCenter as shown. This will allow you to monitor the changes to the virtual XenServers as the cloud is built and VMs are started. Note that there is no requirement to use XenCenter to monitor the cloud building; it is simply used in the lab to increase understanding of what's going on behind the scenes.

4. Login to the CloudPlatform GUI using the following credentials:

    Username: admin
    Password: password
    Domain: Leave Blank

   Click Login.

5. Accept the license agreement by clicking Agree at the very bottom of the page.

6. Click Continue with basic installation.

7. Please change the password by entering:

    New Password: Citrix123
    Confirm Password: Citrix123

   Click Save and Continue.

8. Click OK.

9. To start creating a zone, CloudPlatform needs to know the zone name and the DNS addresses the Guest VMs and System VMs should use. Enter the following:

    Name Paris The zone name
    DNS DNS the Guest VMs will use
    DNS 2 Leave Blank
    Internal DNS DNS the System VMs will use
    Internal DNS 2 Leave Blank

   The Guest VMs usually have unrestricted internet access and are able to use external DNS. However, internet access for System VMs is often restricted; therefore, a separate internal DNS can be used for System VMs. In the lab, the Student Desktop VM acts as the DNS for both the Guest & System VMs.

10. Click Continue. Click OK.

11. A pod is usually a rack of servers. In this dialog you must specify a name for the pod and the range of IP addresses to be used by CloudPlatform's System VMs. Enter the following parameters:

    Name Paris-Pod-1 The pod name
    Gateway Gateway the compute hosts will use
    Netmask Netmask the compute hosts will use
    IP range IP Range the system VMs will use

   The IP address of each System VM (Secondary Storage, Console Proxy and Virtual Router) will be assigned from the IP range entered above. The range must belong to the same subnet as the compute hosts (vxs-01 & vxs-02). Click Continue.

12. To specify the Guest network parameters for this pod enter the following parameters:

    Gateway Gateway the Guest VMs will use
    Netmask Netmask the Guest VMs will use
    IP range IP Range the Guest VMs will use

   The IP address of each Guest VM will be assigned from the IP range entered above. The IP range for the Guest VMs should be in the same network subnet (CIDR) as the pod. Best practice is to separate the System VMs and Guest VMs on separate subnets, but for simplicity you will use the same subnet for these VMs in the lab. Click Continue.

13. Click OK.

14. Each pod contains one or more clusters. A cluster provides a way to group hosts. All hosts in a cluster must have identical hardware and run the same hypervisor. Ensure XenServer is selected as the hypervisor and enter the name as shown below:

    Hypervisor: XenServer
    Name: Paris-Cluster-1

   Click Continue.

15. Click OK.

16. Enter the parameters shown below to specify the first compute host IP address and login credentials. The specified IP can be a stand-alone host or a XenServer Resource Pool of hosts. In the case of a pool, use the IP address of the Pool Master, which in your case is vxs-01.

    Host name
    Username root
    Password Citrix

   Click Continue.

17. Click OK.

18. Primary storage is used for the Virtual Disk Images (boot disks) of all VMs running in the cluster. It is shared among all hosts in the Cluster. Enter or select the following parameters:

    Name Paris-Pri-Cluster-1
    Protocol NFS
    Scope Cluster
    Server
    Path /nfs/paris/primary/cluster1

   Click Continue.

19. Click OK.

20. Secondary storage is used for templates, snapshots and ISO images across the zone. Enter or select the following parameters:

    NFS Server
    Provider NFS
    Path /nfs/paris/secondary

21. Click Continue.

22. Click Launch. Wait about 25 seconds. Then, when CloudPlatform starts adding the host, move to the next step.

23. Roughly 40 seconds after launch, in XenCenter, notice the shared Primary Storage Repository (Primary SR) for Paris-XS-Cluster-1 is created (highlighted above). This is the SR where the Virtual Disk Images (VDIs or Boot Disks) of the VMs running in this cluster reside. It is shared amongst the cluster of hosts and is located on NFS shared storage. Click the new Primary SR node and select the Storage tab.

24. Roughly a minute after launch you will see a VDI created on the SR as highlighted above. This is the System VM template that is now being copied to primary storage from the Paris zone secondary storage. It takes about five minutes to copy the 2.4GB template.

25. The System VM template is used to create the System VMs used by CloudPlatform. Roughly six minutes after launch, the name of the template will change to Template routing

26. A few seconds later you will see the VDIs for the two CloudPlatform system VMs created as linked clones of the template.

27. Shortly thereafter the VMs will show up running in vxs-01 or vxs-02. It may take a minute for the second VM to show up. There will be two system VMs, the Secondary Storage system VM (s) and the Console proxy system VM (v). The order of creation of the two system VMs is random; the first one to start is numbered 1 (e.g. v-1-vm) and the second is numbered 2 (e.g. s-2-vm). The System VMs may start on vxs-01 or vxs-02. The deployment of all VMs into hosts is based on the allocation algorithm, which, by default, is set to random. CloudPlatform will choose an appropriate host with the capacity and correct hypervisor to run the VM. You can find more information on the VM allocator algorithms here:

28. It takes another two minutes or so to complete building the zone. You will see the Cloud setup successful on the CloudPlatform GUI. Click Launch.

29. You will see the Cloud-Admin CloudPlatform Dashboard which provides at-a-glance status with alerts and system capacity performance parameters. Down the left side, the navigation bar will be present on all screens.

30. In the General Alerts panel you will see system wide alerts.

31. In the Host Alerts panel you will see host-specific alerts.

32. The System Capacity section shows the highest used resources at the top of the list.

33. The Notifications drop-down will typically alert the user to ongoing activities, such as deploying or destroying a VM instance. It will indicate how many alerts are available for viewing.

34. Click any of the System Capacity items to see all the resource usage.

35. In the left navigation bar of the CloudPlatform GUI, click Infrastructure.

36. The infrastructure display shows a summary of the Cloud infrastructure. In the Zones box, click View All.

37. You will see the zone list:

38. Click the Paris node to see details of the zone. Click the Compute and Storage tab to explore the zone's components.

39. In the Hosts box, click the View All arrow to see the hosts in the zone.

40. Notice the zone, pod & cluster of the host is shown along with each host's state. Click the vxs-01 node to show more details.

41. The details of the chosen host are shown. Click the Statistics Tab.

42. Notice a range of host statistics are provided. Click Paris on the breadcrumbs bar to return to the Paris zone details. The breadcrumb bar is a convenient way to unwind (or back out) to the upper levels.

43. Click the Physical Network tab to see the physical network configuration of the zone.

44. Notice there is just one physical network. Click the PhysicalNetworkInBasicZone node to see a diagram of this network.

45. This physical network is carrying the Guest, Management and Storage traffic. Each of the network traffic types can be configured by clicking the appropriate configuration arrow. Click the Guest Configure arrow to show the Guest network details.

46. Click the IP ranges tab to view the IP ranges in use for the Guest network.

47. Additional IP ranges can be added using this screen, but do not add any at this time.

48. You can explore more of the CloudPlatform GUI on your own. Just don't change anything yet!

Exercise Summary

You have built and started to explore a CloudPlatform Basic Networking zone.

Module 4 Service Offerings and Accounting

In addition to the physical and logical infrastructure of your cloud, you also need a layer of user services so that people can actually make use of the cloud. This means not just a user UI, but a set of options and resources that users can choose from, such as templates for creating virtual machines, disk storage, networking and more. These options are presented as a set of Service Offerings that the user selects from to define a VM's characteristics and environment:

- Compute Offerings provide a choice of CPU speed, number of CPUs, RAM size, tags on the boot disk, and other choices.
- Disk Offerings provide a choice of additional disks for data storage (not the boot disk).
- Network Offerings describe the feature set that is available to end users from the Virtual Router or from external networking devices on a given Guest network.
- Templates are the base OS images that the user can choose from when creating a new VM. A user can also create a VM from an ISO image.

All Service Offerings are defined by the CloudPlatform administrator, with the exception of templates, which can be defined by any CloudPlatform user.

CloudPlatform has three account roles: Cloud-Admin (admin of entire cloud or Root Domain), Domain-Admin (admin of a sub-root-domain) and a User (admin of an account).

The Cloud-Admin account can see all resources as well as access the cloud infrastructure and other cloud parameters. You have been using the Cloud-Admin account to create the Basic zone in the previous module and will continue to use this all-powerful account to build out the cloud infrastructure, including adding other users and domain-admins.

The Domain-Admin can see and manage the resources of all users in his domain.

An Account represents a single tenant. In a private cloud this could be an individual (e.g. John Glenn) or a department (e.g. Marketing). In a public cloud an account could be an individual, a small company (Acme) or a department within a large company (Acme-Marketing).

A User is not a user in the traditional sense, but rather users are account administrators. Resources belong to an account, not individual users. Any user of an account can manage any and all resources of the account, so users of an account are not isolated from each other. While multiple users are permitted per account, most installations will only have one user per account. The same user cannot belong to multiple accounts.

LDAP Integration

The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP). The idea of LDAP is to keep all the information of a user (contact details, login, password, permissions), in one place so that it is easier to maintain by administrators. An external LDAP server, such as Microsoft Active Directory or ApacheDS, can be used to provision and authenticate CloudPlatform end-users.

Exercises in this module
- Exercise 1: Service Offerings
- Exercise 2: Domains, Accounts and Users
- Exercise 3: User provisioning using LDAP and Active Directory

Exercise 1: Service Offerings

Overview

In this exercise you will:
- Create a Compute Offering that will be used for most of the VMs that are created in this lab. This is a mini footprint VM to allow you to run many VMs in the lab environment where each virtual XenServer has limited RAM and CPUs.
- Create a Large Compute Offering that will be used later for troubleshooting.
- Edit existing Compute Offerings to better describe their characteristics.

You will create a Network Offering in a later module.

Step by step guidance

Estimated time to complete this exercise: 10 minutes.

1. You should still be logged in to the CloudPlatform GUI as admin. If the session has expired, re-login to CloudPlatform using the following credentials:

    Username: admin
    Password: Citrix123
    Domain: Leave Blank

2. In the left navigation bar of the CloudPlatform GUI, click Service Offerings. Click Add compute offering.

3. Enter or select the following parameters:

    Name: Mini Instance
    Description: 1 Core, 100MHz, 128MB RAM
    Storage Type: Shared
    # of CPU Cores: 1
    CPU (in MHz): 100
    Memory (in MB): 128
    Public

   Leave the other parameters at their default. Check your entries in the next step.

4. Click OK.

5. The Mini Instance is added.

6. Add another offering by clicking on Add Compute Offering and entering or selecting the following parameters:

7.  Name: Large Instance
    Description: 2 Core, 1GHz, 8GB RAM
    Storage Type: Shared
    # of CPU Cores: 2
    CPU (in MHz): 1000
    Memory (in MB): 8192
    Public

   Leave the other parameters at their default and click OK.

8. The new Large Instance compute offering is added; you will use it later in the troubleshooting module. Click the Small Instance node.

9. Click the Edit button: Notice only the Name and Description fields are editable. You cannot change the other offering parameters after creation.

10. Change the description to something more descriptive:

    Description: 1 Core, 500MHz, 512MB

   Click Apply and in the left navigation bar of the CloudPlatform GUI, click Service Offerings.

11. You will see the Small Instance description has been updated. Change the description of the Medium instance also to something more descriptive:

    Description: 1 Core, 1GHz, 1GB RAM

   Click Apply and in the left navigation bar of the CloudPlatform GUI, click Service Offerings.

12. You now have four compute offerings from Mini to Large, complete with clear descriptions. When creating a VM, users are free to select the offering that is the most appropriate for their intended use. The user can change the service offering of a VM, even while the VM is running. You will explore this capability in a future exercise.

13. You can sort the order that the Service offerings will be presented to users by using the order keys as highlighted above.

14. Sort the compute offerings to place them in the order as shown below:

15. Once the compute offerings have been sorted, they will always be presented to users in this order. If the offerings have not been sorted, they will be presented in random order.

16. Select Disk Offerings from the Selected Offering drop down menu.

17. The various disk offerings are shown. These disks are additional data disks that can be added to a VM, in addition to the system or boot disk already defined as part of the template. You cannot change the boot disk size with these offerings. Select Network Offerings from the Selected Offering drop down menu. The currently available network offerings are shown. You will add a network offering in a later module.

18. You will now enable the Dynamic Service Offering option allowing VMs to have their service offering changed while running. In the left navigation bar of the CloudPlatform GUI, click Global Settings.

19. Enter dynamic into the search box as shown above and press <Enter>. Click the enable.dynamic.scale.vm node action button.

20. Change false to true.

21. Click the green check mark. Click Close in response to the restart warning. You will restart the CloudPlatform Management Service in exercise 3 to enable the change.

Exercise Summary

You have added the Mini and Large instance compute offerings and have edited the description of the Small and Medium instance offerings. You have also explored disk offerings and you have enabled the option to allow a user to change a VM's Service Offering while the VM is running.

Exercise 2: Domains, Accounts and Users

Overview

You have used the Cloud-Admin account (admin) to create a basic cloud infrastructure. You now need to create some user accounts to allow users to access the cloud.

In this exercise you will:
- Create the Acme domain to group the accounts.
- Add a user account John.Glenn to the Acme domain. The account will be administered by user John.Glenn.
- Add a second user, Buzz.Aldrin, to the John.Glenn account.
- Learn about Notifications.

Step by step guidance

Estimated time to complete this exercise: 10 minutes.

1. In the left navigation bar of the CloudPlatform GUI, click Domains. Click the Add Domain button as highlighted above.

2. Enter the following parameters:

    Name: Acme
    Network Domain: Leave Blank

   Click OK.

3. You will briefly see a pop-up status in the upper part of the screen indicating the new domain has been added.

   To review the pop-up message once it has disappeared, just click on Notifications.

   The past messages are displayed. Note that the Notifications flag is cleared when the list is displayed. Click Clear List and then Close.

6. Click next to the ROOT node:

7. Notice the Acme node appears. Acme is a sub-domain of ROOT.

8. Click the Acme node.

9. The details of the Acme domain are provided, including the limits imposed on the domain, such as the maximum number of instances (VMs), Public IPs, Volumes etc. The Acme domain has no limits on any parameter as indicated by the -1 for each limit. To see the accounts defined in the Acme domain, click View Accounts. No accounts are currently defined in the Acme domain. Click Add Account.

10. To add an account, you must add an authorized user (administrator) of the account at the same time. Enter or select the following parameters:

    Username: John.Glenn
    Password: xyzzy
    Confirm Password: xyzzy
    First Name: John
    Last Name: Glenn
    Domain: ROOT/Acme
    Account: John.Glenn
    Type: User
    Timezone: EST [Eastern Standard Time]
    Network Domain: Leave Blank

   To enter the time zone, type the first few letters until the desired time zone appears. Then press <Enter>. Check your entries carefully and click Add.

11. The new account John.Glenn is added to the Acme domain. Click the John.Glenn node to show details and limits of the account.

12. Notice this account is limited to 20 instances (VMs), 20 Public IPs etc. Click View Users.

13. John.Glenn is listed as a user of the account. Add a second user of the account by clicking Add User.

14. Enter or select the following parameters:

    Username: Buzz.Aldrin
    Password: xyzzy
    Confirm Password: xyzzy
    First Name: Buzz
    Last Name: Aldrin
    Timezone: EST [Eastern Standard Time]

   Click OK. Usernames must be unique within a domain.

15. Buzz.Aldrin is added to the list of the John.Glenn account users. Both John & Buzz will share the administration and resources of this account.

16. You can also provision accounts & users using an LDAP (Microsoft Active Directory or Apache DS). In the next exercise you will use an Active Directory server for user provisioning and authentication.

Exercise Summary

You have created a Domain (Acme) with one Account (John.Glenn) and two users (John.Glenn and Buzz.Aldrin).

Exercise 3: User Provisioning Using LDAP

Overview

In this exercise you will:
- Start a Microsoft Active Directory (AD) Server VM to use for this LDAP exercise.
- Configure CloudPlatform to use the AD server for user provisioning and authentication.
- Provision several accounts using the AD server.
- Show that the AD server is used for authentication, including the password.

To access the LDAP service, CloudPlatform first must authenticate itself to the service. That is, it must tell the LDAP server who is going to be accessing the data so that the server can decide what the client is allowed to see and do. In LDAP, authentication is supplied in the "bind" operation. For the purposes of this exercise you will send the LDAP server the fully qualified DN of the client and the client's clear-text password. There are more secure authentication methods that avoid exposing the password in this way, but they are beyond the scope of this lab.

Step by step guidance

Estimated time to complete this exercise: 20 minutes.

1. Using XenCenter, select your physical XenServer node and select the Console tab. If necessary, press <Enter> to login. To start the Active Directory server you will use for LDAP user provisioning and authentication, enter the command:

    start.sh AD

   start.sh is a script written specially for the lab to start various VMs in the lab easily.

80 Step 2. Action You will see the AD1 VM start on XenCenter. This is a Windows 2008 R2 AD server. Click the AD1 node and select the Console tab. Wait until the server is booted, but do not login. 3. If you see a dialog asking you to login, click Cancel. 4. Continuing on the Chrome Browser, in the left navigation bar of the CloudPlatform GUI, click Global Settings. 5. Using the Select View drop down menu, select LDAP Configuration. Click Configure LDAP. 80

81 Step Action 6. Enter the following parameters to point CloudPlatform to AD1 as the LDAP directory server: Host Name This is the IP address of the Active Directory server AD1. Port 389 This is the standard port number used for LDAP traffic 7. Click OK. 8. The Active Directory server, AD1 is added as an LDAP authority. Using the Select View drop down menu, select Global Settings. 9. You now need to configure CloudPlatform to attach to the AD server in order to retrieve the required information. You also need to tell CloudPlatform what information to get and how to retrieve it from the AD server. This is accomplished in the CloudPlatform Global Settings. Enter LDAP in the search box and press <Enter>. 81

10. You will see a series of global parameters used to configure the LDAP integration. The base DN describes where to load users and groups. If you're using a default Active Directory setup, all user accounts and groups are located in the "Users" folder under your domain. In the lab the Organizational Unit is Cloud and the domain is cplab.local. Click on the Action icon of the ldap.basedn node as highlighted above. Enter the value shown below:

   Value: OU=Cloud,DC=cplab,DC=local

   Do not press <Enter> or click the green checkmark at this stage. If you already hit <Enter> or clicked the green checkmark, just close the pop-up that appears warning you to restart your Management servers.

11. You now need to specify the Username and Password CloudPlatform needs to use to bind (authenticate) itself to the LDAP service. Click on the Action icon of the ldap.bind.password node as highlighted above. This defines the password to use to bind to the AD. Enter the password value shown below:

   Value: Citrix123

   Do not press <Enter> or click the green checkmark at this stage.

12. Click on the Action icon of the ldap.bind.principal node. This defines the Username as Administrator (in the users container), and the Domain as cplab.local, to use to bind to the AD. Enter the value shown below:

   Value: CN=Administrator,CN=users,DC=cplab,DC=local

   Do not press <Enter> or click the green checkmark at this stage.

13. You should now see that you have three pending changes. Click all of the green check marks one by one; ignore the status pop-ups for now.

14. Once you have finished clicking all of the green check marks, close the three pop-ups by clicking Close on each. Any change to Global Settings requires the CloudPlatform Management service to be restarted. For security reasons, this must be done from the CloudPlatform Management server (cpman) console.

15. Using XenCenter, navigate to the cpman console by clicking the cpman node and select the Console tab.

16. (If you see a login prompt for the AD, ignore it by clicking cancel.) If necessary, log in to cpman using the following credentials:

   Username: root
   Password: Citrix123

   Enter the command:

   service cloudstack-management restart

   Wait for the command to complete.

17. Click on the Refresh Icon on the Chrome browser.

18. It may take 30 seconds to complete the refresh. Login to CloudPlatform again using the following credentials:

   Username: admin
   Password: Citrix

19. From the Student Desktop (not your laptop) launch the Remote Desktop Connection application by clicking the AD.RDP icon.

20. Login to the AD using the following credentials:

   Username: Administrator
   Password: Citrix123

85 Step 21. Action You should see the AD1 desktop. Double-click the Active Directory Users and Computers icon. 22. Double-click the Cloud Organizational Unit (OU) node as highlighted above. 23. You should see the Cloud OU with several user accounts shown. All of the accounts have the password set to 1 and are currently enabled. 85

24. Close the AD1 desktop by clicking the X in the top corner.

25. Back on the CloudPlatform GUI, in the left navigation bar, click Accounts.

26. You should see the admin and John.Glenn accounts listed. (As of version CloudPlatform 4.5, a baremetal-system account is also shown.) Click on Add LDAP Account. Check the Sally.Ride check-box and select the ROOT/Acme Domain. Click Add.

   If you do not see the LDAP accounts listed as above, return to Global Settings and search for LDAP. Verify that your values match exactly with the values shown in the previous steps. If you find an error, correct it and repeat the service cloudstack-management restart command on cpman. Re-login to the CloudPlatform GUI and try again.

27. Sally Ride's account is added. Provisioning an account in CloudPlatform using LDAP is much easier and faster than manually provisioning the account. You can provision multiple accounts at the same time using LDAP.

28. Click the Sally.Ride node and click View Users. Notice Sally.Ride is a user of the Sally.Ride account.

29. In the left navigation bar, click Accounts and then Add LDAP Account. Check the Jim.Lovell check-box, select the ROOT/Acme Domain, and select Admin as the type of account. Click Add.

88 Step 30. Action Jim Lovell has been added as a Domain-Admin for the Acme Domain. 31. Back on your Student Desktop, launch the Firefox browser and enter the following URL: Login to the CloudPlatform GUI as John.Glenn using the following credentials: Username John.Glenn Password 1 Domain Acme Click Login. Using two different browsers allows you to be logged into CloudPlatform as two different users simultaneously. In the lab you will use the Chrome browser for all admin work and the Firefox browser for user work. 88

32. You should have successfully logged into John Glenn's CloudPlatform account using the AD for authentication. Notice the name of the user is shown at the top right. Also notice that the password used to login was not the one assigned during account creation in CloudPlatform (xyzzy); it was the password stored in the AD (1). If the password is changed in AD, CloudPlatform will require the new password. When using LDAP, the user's password cannot be changed in CloudPlatform, even by Cloud-Admin.

Exercise Summary

You have configured CloudPlatform to use an Active Directory server for user provisioning and authentication.
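The simple bind described in this exercise's overview, worked through as an added example (it is not part of the lab guide or of CloudPlatform's code): it BER-encodes an LDAPv3 simple BindRequest with the lab's ldap.bind.principal and ldap.bind.password values, then decodes the same bytes the way any device on the path to port 389 could. The function names are assumptions made for this illustration; running the bind inside TLS (LDAPS or StartTLS) is what keeps these bytes from being readable in transit.

```python
"""Added example: what an LDAPv3 simple bind puts on the wire (RFC 4511 BindRequest)."""

# Lab values taken from steps 11 and 12 of this exercise.
LAB_BIND_DN = "CN=Administrator,CN=users,DC=cplab,DC=local"
LAB_BIND_PASSWORD = "Citrix123"


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Non-negative INTEGER; a leading zero byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] { version 3, name, [0] simple } }."""
    bind = tlv(0x60, ber_int(3)
               + tlv(0x04, dn.encode("utf-8"))
               + tlv(0x80, password.encode("utf-8")))  # password bytes, unmodified
    return tlv(0x30, ber_int(message_id) + bind)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); raise ValueError on truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end


def observe_bind(packet: bytes) -> dict:
    """Decode a BindRequest as a passive observer of the TCP stream would."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, p = read_tlv(op, 0)
    _, name, p = read_tlv(op, p)
    auth_tag, cred, _ = read_tlv(op, p)
    mechanism = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": name.decode("utf-8"),
        "mechanism": mechanism,
        # Only a simple bind carries the password itself in this field.
        "password": cred.decode("utf-8") if auth_tag == 0x80 else None,
    }


if __name__ == "__main__":
    wire = simple_bind_request(1, LAB_BIND_DN, LAB_BIND_PASSWORD)
    print(wire.hex())
    print(observe_bind(wire))
```
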

Module 5: Guest VM Control & Basic Zone Security Groups

This module introduces Guest VM management in CloudPlatform. The CloudPlatform user GUI is normally the only means of control for an account's Guest VMs. You will create VMs and use the Quickview menu to stop, restart, reboot and restore a VM. You will also destroy a VM and, as Domain-Admin, bring it back to life. In a Basic zone, Guest VMs are by default isolated from each other, even between VMs in the same account. Exercise 3 shows how communications can be controlled between Guest VMs using security groups. You will also explore changing a VM's Service Offering, migrating a VM to another storage volume and finally Affinity Groups.

Exercises in this module

The process is split into several exercises:
- Exercise 1: Create a Guest Virtual Machine
- Exercise 2: VM control functions
- Exercise 3: Security Groups
- Exercise 4: Changing a VM's Service Offering
- Exercise 5: Migrating a VM's Root Volume
- Exercise 6: Affinity Groups

Exercise 1: Create a Guest Virtual Machine

Overview

In this exercise you will:
- Create a Guest VM using the built-in CentOS template.

Step by step guidance

Estimated time to complete this exercise: 20 minutes.

1. Continuing to use the Firefox browser, if necessary, login to the CloudPlatform GUI as John Glenn using the following credentials:

   Username: John.Glenn
   Password: 1
   Domain: Acme

   Click Login.

2. You will see John Glenn's CloudPlatform console. A user console is quite different from the cloud admin's console. The left navigation bar is limited to user functions. Domains, Infrastructure, Global Settings and Service Offering functions are only available to the Cloud-Admin.

3. To create your first VM, in the left navigation bar, click Instances.

4. Click Add Instance. You will create a VM in the Paris zone using a Template (rather than a boot ISO). The only available zone currently is Paris. Template should be already selected. Click Next.

5. If you don't see the CentOS template listed, it hasn't finished installing after creating the zone. Click Previous and try again in a few minutes. CentOS 5.6 (64-bit) no GUI (XenServer) is the built-in template that can be used for testing. As it is currently the only available template, it will be already selected. Click Next.

6. Ensure Mini Instance is selected and click Next.

7. You don't need an additional data disk for this VM, so just click Next.

8. There are no Affinity Groups defined, so just click Next.

94 Step 9. Action As there are no custom security groups defined; the default security group will be selected. Click Next. 10. Enter the VM name Glenn-1. Verify that the review screen above matches your review screen and click Launch VM. 94

11. The CloudPlatform GUI will show that the VM is being created. You can monitor the creation of the VM using XenCenter in the next steps.

12. A new VM (r-4-vm) starts almost immediately (see note below). This is not the VM you just created; it is the CloudPlatform Virtual Router for the Paris Basic zone which is created automatically by CloudPlatform when it is first needed. It starts quickly because it uses the same template as the other system VMs. Within a Basic zone there is one system Virtual Router (VR) to perform DNS and DHCP services. With only a single network being supported in a Basic zone, the VR doesn't need to do any routing. The router may start on vxs-01 or vxs-02. The deployment of all VMs into hosts is based on the allocation algorithm, which, by default, is set to random. CloudPlatform will choose an appropriate host with the capacity and correct hypervisor to run the template. You can find more information on the allocator algorithms here:

   The table below explains the labeling of the various Guest & System VMs seen in the lab.

   First Character   VM Description
   i                 User VM
   r                 System Router VM
   s                 Shared Storage System VM
   v                 Console System VM (VNC)

14. The creation of the first VM is a five minute process that involves several steps:
   1. The system Virtual Router must be created and configured.
   2. The template file for the user VM is copied from secondary to primary storage.
   3. The VM is created and loaded.

   Step 2) is especially lengthy in the lab as the template is quite large and the server based NFS storage in the lab is not so fast. Subsequent VMs, launched in the same cluster from the same template, launch much more quickly as the disk image is a linked clone of the template.

15. You will eventually see the Glenn-1 VM show up in XenCenter labeled as i-4-3-vm running on either vxs-01 or vxs-02. i-4-3-vm is the CloudPlatform and XenServer host internal name for the Glenn-1 VM. CloudPlatform uses an internal VM naming structure for all VMs as follows:

   i or s       First letter of the name is i for a Guest VM & s for a System VM
   1st number   Account number: 2=admin, 4=first account, 5=second account etc.
   2nd number   Cloud-wide user VM number: 3=first VM, 4=second VM etc.

   So i-4-3-vm is the first cloud-wide user VM and belongs to the first account. The system and Guest VM numbering shown in the lab guide should match the numbers you see unless you have created other VMs on your own; this would put the numbering of your VMs out-of-sync with the lab guide numbering.

16. Check the Primary SR again and notice the boot disk for Glenn-1 (i-3-3-vm) is shown in the SR as ROOT-3. This is a linked clone of the CentOS 5.6 template listed below it. You can also see the root volumes for the three system VMs (Virtual Router, Secondary Storage VM and Console Proxy VM); they are all linked clones of the System VM template (routing-1).

17. The Glenn-1 VM status shows as Running in the CloudPlatform GUI. Click the Glenn-1 node.

97 Step 18. Action You will see the details of the Glenn-1 VM. Notice the VM was created from the CentOS 5.6 template using the Mini Instance compute offering. Exercise Summary You have started a VM running in the CloudPlatform environment. 97

98 Exercise 2: VM Control Functions Overview In this exercise you will: Explore VM control functions. Step by step guidance Estimated time to complete this exercise: 25 minutes. Step 1. Action On the Glenn-1 VM details page, you will see a group of eight icons that can be used for controlling the VM as shown below: Stop the VM Reboot the VM Take VM Snapshot Destroy the VM Attach an ISO to the VM Reset the VM password (when the VM is properly prepared) Change Service Offering View the in VM console 2. To explore more information about the Glenn-1 VM you just created, click the NICs tab to see the network information. Make a note of the Glenn-1 VM IP address for later reference. The IP address is allocated randomly out of the guest network IP address pool specified at zone creation, so your IP may be different from that shown above. 98

3. Click Instances in the breadcrumb bar to return to the VM list.

4. VMs can also be controlled through the Quickview menu, accessed by touching the Quickview + with the mouse pointer; no click is necessary. The browser containing the CloudPlatform GUI must have focus for the roll-over to work.

5. The Quickview menu offers a convenient alternate way to control the VM. Select View Console from the Quickview menu.

100 Step Action 6. This will open a browser window with a console for the Glenn-1 VM. Notice the VM name is shown on the top left of the console window for identification. 7. Leaving the Glenn-1 console window open, bring up the Glenn-1 Quickview menu again: 8. Click the Stop menu item. Click OK to confirm the stop. This will shut down the selected VM. 100

101 Step Action 9. Notice on the Glenn-1 console the VM is shutting down and, in XenCenter, i-4-3-vm is shutting down and then disappears from the host: VMs are only allocated to a host while in a running state, so stopped VMs do not take up host resources. The disk volume of the VM however remains intact. When you restart the VM, CloudPlatform will reallocate the VM to a suitable host. The VM shows as Stopped in the CloudPlatform GUI. 10. As the VM is no longer running, the Glenn-1 console is disconnected and will need to be closed and re-opened if needed again (after the VM is re-started). Close the Glenn-1 console window by clicking the X in the top right corner. 11. In the left navigation bar of the CloudPlatform GUI, click Storage to show the primary storage allocated to your VMs. Notice the Glenn-1 boot disk ROOT-3 is still allocated. 101

102 Step Action 12. In the left navigation bar of the CloudPlatform GUI, click Instances. Touch the Glenn-1 Quickview + to bring up the Quickview menu: 13. Click Start Instance and confirm the re-start by clicking Yes. The VM is started and appears back in vxs-01 or vxs Access the Quickview menu for Glenn-1. Select Reboot and confirm by clicking Yes 15. The VM is shut down and rebooted; it is not removed from the host. This can be monitored in XenCenter. 102

103 Step Action 16. Access the Quickview menu for Glenn-1. Select Reinstall VM and confirm you want to reinstall the VM by clicking Yes. 17. The VM is shut down, removed from the host, and then recreated from the original template. Data on the root disk will be lost. This can be monitored in XenCenter 18. Notice i-4-3-vm stops, briefly disappears from XenCenter and then re-appears. 19. Once the VM re-appears, click the Glenn-1 node in the CloudPlatform GUI and select the NICs tab. Notice that the IP address of the VM is the same as it was before the reset, even though the VM was re-created. 103

20. Click Instances in the breadcrumb bar. Using the Glenn-1 VM Quickview menu, select Destroy. Click OK to confirm.

21. In XenCenter, note that the VM is stopped and is removed from vxs-02. Also, the CloudPlatform GUI shows the VM has been destroyed.

22. In the left navigation bar of the CloudPlatform GUI, click Instances to refresh the screen. You will notice the Glenn-1 VM has been removed from the list; however, it isn't completely gone from the system. It will be fully purged from the system by the system clean-up routine, which, by default, runs once per day. The VM name, Glenn-1, cannot be re-used until the VM is purged. You will see in a later exercise how to change the purge delay.

105 Step Action 23. Create a new VM by clicking Add Instance. Enter or select the following parameters: Select a zone Select ISO or Template Select a template Compute Offering Data Disk Offering Affinity Groups Security Group VM Name Paris Template CentOS 5.6 (64 bit) no GUI XenServer Mini Instance No Thanks No Selection default Glenn-2 Check the review screen and if all is correct, click Launch VM. 24. Notice that this second VM is created in a few seconds, substantially faster than the first VM. The VDI for Glenn-2 is quickly created as a linked clone from the CentOS 5.6 template already present on the cluster s primary storage. Hover over the Glenn-2 Quickview + icon. 25. Select the View Console option. 105

26. The console of the Glenn-2 VM appears in a new browser window.

27. Wait until the VM finishes booting, then login using the following credentials:

   Username: root
   Password: password

28. Send four pings by entering:

   ping -c4 google.com

   This VNC based console has no paste capability, so commands must be typed. Four pings are sent and received showing the VM has access to the internet, including name resolution. Note: It may take a few seconds for the pings to start. Leave the console open for later use.

107 Step Action 29. Back on the CloudPlatform GUI, in the left navigation bar of the CloudPlatform GUI, click Dashboard. The user Dashboard summarizes the account including latest events. Notice that the account has one VM running. 30. Logout of John Glenn s account by selecting Logout from the user menu at the top right. 31. Login to Sally Ride s account using the following credentials: Username Sally.Ride Password 1 Domain Acme 107

108 Step 32. Action Notice that the total VMs is zero. Sally has no visibility of John Glenn s account VMs. Only the Cloud-Admin or Domain-Admin has visibility across accounts. 33. In the left navigation bar of the CloudPlatform GUI, click Instances. Click Add Instance. 108

34. Enter or select the following parameters:

   Select a zone: Paris
   Select ISO or Template: Template
   Select a template: CentOS 5.6 (64 bit) no GUI XenServer
   Compute Offering: Mini Instance
   Data Disk Offering: No Thanks
   Affinity Groups: No Selection
   Security Group: default
   VM Name: Ride-1

   Check the review screen and if all is correct, click Launch VM.

35. The Ride-1 VM is created. Notice that this VM was also created in a few seconds. The VDI for this was also created as a linked clone from the CentOS 5.6 template already present on the cluster's primary storage.

36. In XenCenter, notice that the new VM has an internal name i-4-6-vm. As the 3rd account to start a VM, the 2nd digit is 4. The last digit(s) represent the VM number system-wide. This digit increments each time a VM starts from any account.

37. Logout of Sally Ride's account and login as the Acme Domain-Admin using the following credentials:

   Username: Jim.Lovell
   Password: 1
   Domain: Acme

110 Step 38. Action Notice how Jim, as the Acme Domain-Admin, sees a total of three VMs, two of which are running. Click Instances. 39. The Acme Domain-Admin has visibility of all the running VMs in the Acme domain: Ride-1, Glenn-2 and also the destroyed Glenn-1. Glenn-1 is only visible to the Domain-Admin and Cloud-Admin. On the left navigation bar of the CloudPlatform GUI, click Storage. 40. Notice the ROOT disk volume for the Glenn-1 VM is still allocated. This will allow the VM to be restarted by the Domain-Admin (or Cloud-Admin). 110

111 Step Action 41. On the left navigation bar of the CloudPlatform GUI, click back on Instances. 42. Pull up the Quickview menu of the Glenn-1 VM. Click Recover VM and confirm by clicking Yes. 43. After a few seconds, the Glenn-1 VM is now restored, but it is currently stopped. 44. Using the Glenn-1 Quickview menu, click Start Instance and confirm by clicking Yes. After 30 seconds or so the Glenn-1 VM is running again, back from being destroyed. When a user destroys a Guest VM, the disk volume does not get removed immediately. It is expunged (removed) by the expunge thread which runs every so often at an interval specified in the Global Settings by expunge.delay and expunge.interval. The default cleanup delay and interval is once per day. You will change these settings in a later module. Exercise Summary You have created and managed several Guest VMs running in the CloudPlatform environment. You have also demonstrated the ability of the Domain-Admin to view all VMs in the domain, including destroyed VMs. 111

Exercise 3: Security Groups

Overview

In a Basic zone, security groups are used to isolate all Guest VMs from one another. Security groups are implemented by the hypervisor using layer 3 IP address filtering, leveraging iptables and ebtables. By default security groups deny ingress (inbound traffic) to all guest VMs. Adding ingress or egress (outbound from the VM) rules to the security group can allow communication between VMs in separate accounts or in the same account.

In this exercise you will:
- Explore security groups.

Step by step guidance

Estimated time to complete this exercise: 10 minutes.

1. Logoff Jim Lovell's account and log back in to Sally Ride's account using the following credentials:

   Username: Sally.Ride
   Password: 1
   Domain: Acme

2. Sally has one VM running: Ride

3. Use the Student Desktop taskbar to access the Glenn-2 VM console you opened earlier. Enter the following command to try pinging the Ride-1 VM:

   ping -c2 Ride-1

   After a few seconds the ping fails. By default, CloudPlatform denies all ingress (inbound) traffic into a Basic zone VM, whether from the same domain or even the same account, so Ride-1 never sees the ping request. To allow communication between Basic zone VMs, an ingress rule must be added to the security group controlling the VM receiving the traffic.

4. Using the Firefox browser CloudPlatform GUI, in the left navigation bar, click Network. Using Select View, select Security Groups.

5. As you are logged into the Sally.Ride account, you see the default security group for the Sally.Ride account. This is the security group controlling traffic for the Ride-1 VM. Each account has its own default security group. Click the default node.

6. Click the Ingress Rule tab.

7. Notice there are no ingress rules listed, so no ingress traffic is allowed.

8. Leave Add by CIDR selected and add an ingress rule by entering or selecting the following parameters:

   Protocol: ICMP
   ICMP Type: 8
   ICMP Code: 0
   CIDR: /0

   ICMP Type 8 is Echo and ICMP Code 0 is Echo reply. A CIDR of /0 allows traffic from any IP address. This rule will allow ICMP (ping) packets to ingress (enter) Ride-1, permitting the VM to respond to pings from Glenn-2. Click Add.

9. The rule is added.

10. Back on the Glenn-2 console, try the ping command again:

   ping -c2 Ride-1

   Notice the pings now complete due to the ingress rule you just added.

11. Delete the rule you just added by clicking the X on the rule.

12. Wait a few seconds and try to ping Ride-1 again from the Glenn-2 console:

   ping -c2 Ride-1

   If the ping succeeds, wait a few seconds and try again. While adding a rule takes effect immediately, it can take a short time to disengage ingress and egress rules.

13. Rather than specifying a CIDR, you can also add a rule by account, limiting ingress only to VMs that belong to a specified account and security group within that account. Select Add by Account and add an ingress rule by entering or selecting the following parameters:

   Protocol: ICMP
   ICMP Type: 8
   ICMP Code: 0
   Account: John.Glenn
   Security Group: default

   Click Add.

14. Back on the Glenn-2 console, try the ping command again:

   ping -c2 Ride-1

   Notice the pings now complete due to the ingress rule you just added. (If you tried this ping from a VM belonging to another account such as Sally.Ride, the ping would fail even though the VM belongs to the Sally.Ride account.)

15. Delete the rule you just added by clicking the X on the rule.

16. You will now show that a VM can be a member of a named security group, linking specific ingress and/or egress rules for all member VMs.

17. In the CloudPlatform GUI breadcrumbs bar click Network Security Groups. Click Add Security Group.

117 Step Action 18. Fill in the name and description as shown: Name Description Engineering Engineering Click OK. 19. The new Engineering security group is created. 20. Create a new VM making it a member of the new Sally.Ride Engineering security group. In the left navigation bar of the CloudPlatform GUI, click Instances and then click Add Instance. Enter or select the following parameters: Select a zone Select ISO or Template Select a template Compute Offering Data Disk Offering Affinity Groups Security Group VM Name Paris Template CentOS 5.6 (64 bit) no GUI XenServer Mini Instance No Thanks No Selection Engineering Ride-2 117

21. Check the review screen including the use of the Engineering security group, and if all is correct, click Launch VM.

22. The Ride-2 VM is created. Click the Ride-2 node.

23. Click the Security Groups tab. Notice the Ride-2 VM is a member of the Engineering security group. A VM can be a member of only one security group and membership must be selected at the time of a VM's creation. You cannot change a VM's security group membership after creation.

119 Step Action 24. Back on the Glenn-2 console, enter the following command to remotely connect (ssh) into the Ride-2 VM you just created: ssh Ride-2 As there is no rule in the Sally.Ride Engineering security group allowing ssh traffic ingress to VMs, the ssh fails: 25. To allow ingress you need to add a rule to the new Engineering security group. In the CloudPlatform GUI left navigation bar, click Network. Select the Security Groups view. Click the Engineering node. 26. Click the Ingress Rule tab. You will add a rule to allow TCP traffic on port 22 (ssh traffic), from any IP address, ingress. Enter or select the following parameters: Protocol TCP Start Port 22 End Port 22 CIDR /0 27. Click Add. A rule is added, so ssh traffic from any IP is allowed ingress to any VM that is a member of the Sally.Ride Engineering security group. 119

28. Back on the Glenn-2 Console, enter the following command to ssh into the Ride-2 VM again:

   ssh Ride-2

   Enter yes to the security question.

29. Enter the root password to login to Ride-2:

   password

   Notice that you have successfully used ssh to login to the Ride-2 VM. As there is now a rule in the Engineering security group allowing ssh ingress, any VM in the Engineering security group would also have ssh access.

30. Close the Glenn-2 VM console window using the X at the top right.

Exercise Summary

- In a Basic zone, by default, CloudPlatform allows all Egress (outbound) traffic from a VM.
- In a Basic zone, by default, CloudPlatform denies all Ingress (inbound) traffic into a VM, whether from the same domain or even the same account.
- Ingress traffic is permitted as a response to a request from the VM, e.g. the VM pings an internet address such as
- Adding ingress and/or egress rules to security groups can allow VMs to communicate.
- Custom or named security groups can be created to control groups of VMs differently.
- Security group membership must be selected at the time of a VM's creation. You cannot change a VM's security group membership after creation.
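The ingress decisions walked through in this exercise, restated as a small model. This is an added example, not CloudPlatform code (the guide says the real filtering is done on the hypervisor with iptables and ebtables); the class names, the 192.0.2.x addresses and the use of 0.0.0.0/0 as the any-source CIDR are assumptions made for the illustration. It shows the default deny, the difference in reach between a rule added by CIDR and one added by account, and that rules in one security group do not open another.

```python
"""Added example: a model of Basic zone security group ingress evaluation."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_account: str            # account that owns the sending VM
    src_group: str              # security group the sending VM belongs to
    protocol: str               # "icmp" or "tcp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class IngressRule:
    protocol: str
    cidr: Optional[str] = None      # "Add by CIDR"
    account: Optional[str] = None   # "Add by Account" (needs group too)
    group: Optional[str] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    start_port: Optional[int] = None
    end_port: Optional[int] = None

    def __post_init__(self):
        if (self.cidr is None) == (self.account is None):
            raise ValueError("give exactly one source: a CIDR or an account")
        if self.account is not None and self.group is None:
            raise ValueError("an account rule also names a security group")
        if self.protocol == "tcp" and None in (self.start_port, self.end_port):
            raise ValueError("a TCP rule needs a start and end port")

    def matches(self, pkt: Packet) -> bool:
        if pkt.protocol != self.protocol:
            return False
        if self.protocol == "icmp":
            if (pkt.icmp_type, pkt.icmp_code) != (self.icmp_type, self.icmp_code):
                return False
        elif self.protocol == "tcp":
            if pkt.dst_port is None:
                return False
            if not self.start_port <= pkt.dst_port <= self.end_port:
                return False
        else:
            return False
        if self.cidr is not None:
            return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.cidr)
        return (pkt.src_account, pkt.src_group) == (self.account, self.group)


@dataclass
class SecurityGroup:
    account: str
    name: str
    ingress: List[IngressRule] = field(default_factory=list)

    def allows_ingress(self, pkt: Packet) -> bool:
        # No matching rule means the packet is dropped (default deny).
        return any(rule.matches(pkt) for rule in self.ingress)


def replay_exercise() -> dict:
    """Replay steps 3 to 29 with constructed source addresses."""
    ANY = "0.0.0.0/0"  # assumption: the any-source CIDR
    glenn_ping = Packet("192.0.2.10", "John.Glenn", "default", "icmp", 8, 0)
    other_ping = Packet("192.0.2.30", "Jim.Lovell", "default", "icmp", 8, 0)
    glenn_ssh = Packet("192.0.2.10", "John.Glenn", "default", "tcp", dst_port=22)
    out = {}

    ride_default = SecurityGroup("Sally.Ride", "default")   # protects Ride-1
    out["no_rules"] = ride_default.allows_ingress(glenn_ping)

    ride_default.ingress.append(IngressRule("icmp", cidr=ANY, icmp_type=8, icmp_code=0))
    out["cidr_glenn"] = ride_default.allows_ingress(glenn_ping)
    out["cidr_other"] = ride_default.allows_ingress(other_ping)

    ride_default.ingress.clear()                             # step 11: delete rule
    ride_default.ingress.append(IngressRule(
        "icmp", account="John.Glenn", group="default", icmp_type=8, icmp_code=0))
    out["account_glenn"] = ride_default.allows_ingress(glenn_ping)
    out["account_other"] = ride_default.allows_ingress(other_ping)

    engineering = SecurityGroup("Sally.Ride", "Engineering")  # protects Ride-2
    out["ssh_before"] = engineering.allows_ingress(glenn_ssh)
    engineering.ingress.append(IngressRule("tcp", cidr=ANY, start_port=22, end_port=22))
    out["ssh_after"] = engineering.allows_ingress(glenn_ssh)
    out["eng_ping"] = engineering.allows_ingress(glenn_ping)
    return out


if __name__ == "__main__":
    for check, allowed in replay_exercise().items():
        print(f"{check:14} {'ALLOW' if allowed else 'DROP'}")
```

The by-account rule admits only the named account and group, while the any-source CIDR rule admits every sender, which is worth keeping in mind for the port 22 rule added in step 26.
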

121 Exercise 4: Changing a VM's Service Offering Overview In this exercise you will: Change the compute offering of a VM while the VM is still running. You can only increase the number of CPUs, RAM or CPU MHz; no decreases are allowed. Step by step guidance Estimated time to complete this exercise: 10 minutes. Step Action 1. Back on the Firefox browser, in the left navigation bar of the CloudPlatform GUI, click Instances. 2. Click on the Ride-1 node. 3. Notice at the bottom, Ride-1 was created using the Mini-Instance service offering. The Mini Instance service offering has 1 vcpu, 128MB RAM and 100MHz CPU. Open up a console to Ride-1 by clicking on the View Console icon as shown above. 4. Logon to the console using the credentials: Username: Password: root password Enter the following command to start the system information tool "top": top 121

5. Top shows constantly refreshed system information, including the total RAM. Notice Ride-1 has 128MB of RAM.

6. You can increase the number of vcpus, amount of RAM or MHz by changing the service offering to a more beefy offering, such as the "Small Instance" compute offering. This still has 1 vcpu, but has 500MHz CPU and 512MB RAM.

7. In the CloudPlatform GUI, click on the Change Service Offering icon as shown above. Select Small Instance and click OK.

123 Step 8. Action In about a second, the RAM total in the Top display changes to 512MB, the size of the RAM offered in the Small Instance. Quit Top by entering: q Close the Ride-1 console. 9. Back on the Mozilla browser, notice on the Details tab, the Compute Offering has changed from "Mini Instance" to "Small Instance". Note that RAM can only be increased to a maximum of four times the initial value. Exercise Summary You have changed the Compute Offering for a VM while the VM was running. 123

124 Exercise 5: Migrating a VM's Root Volume Overview In this exercise you will: Create a new Storage Repository (SR) for Guest VM VDIs. Move the root volume of a VM to the new SR while the VM is running. This uses CloudPlatform's Live Storage Motion technology. Only Cloud-Admin can migrate disk volumes, so you must use the Chrome browser CloudPlatform GUI. Step by step guidance Estimated time to complete this exercise: 15 minutes. Step Action 1. To minimize clutter on the XenCenter display, collapse the vxs-01 & vxs-02 node by clicking the in front of each of them Switch to the Chrome browser. You should be still be logged in to the CloudPlatform GUI as admin. If the session has expired, re-login to CloudPlatform using the following credentials: Username Password Domain admin Citrix123 Leave Blank 124

125 Step Action 4. In the left navigation bar of the CloudPlatform GUI, click Instances. 5. Click on the Ride-1 node as shown above. 6. Click View Volumes to see the volumes associated with this VM. Click the ROOT-6 (Ride-1) volume node. 7. Scroll down the details page until you see the storage being used for this volume. Notice it is Paris-Pri-Cluster

126 Step Action 8. In the left navigation bar of the CloudPlatform GUI, click Infrastructure. 9. Click Primary Storage / View All. 10. You can see the primary storage for Paris-Cluster-1 is hosted on the nfs-server ( ) at /nfs/paris/primary/cluster1. Using XenCenter click on the nfs-server node and select the Console tab. If necessary, logon to the nfs-server console using the credentials: Username: Password: root Citrix Create a new directory on the nfs-server with the following command: mkdir /nfs/paris/primary/ssd This will serve as the new ssd Storage Repository. 126

127 Step 12. Action Back on the Chrome CloudPlatform GUI, click on Add Primary Storage. 13. Enter or select the following parameters: Scope Cluster Zone Paris Pod Paris-Pod-1 Cluster Paris-Cluster-1 Name SSD Protocol nfs Server Path /nfs/paris/primary/ssd Provider DefaultPrimary Storage Tags Leave Blank Check your entries in the next step. 14. If all is correct, click OK. 127

128 Step 15. Action The new primary storage volume SSD is added. 16. In the left navigation bar of the CloudPlatform GUI, click Instances, then the Ride-1 node. 17. Click on View Volumes. 18. Click the Root-6 (Ride-1) volume node. 19. Click Migrate Volume. Only suitable volumes for migrating the boot volume are shown. In this case, the SSD Storage Pool you just added is the only other storage pool available in Cluster-1, so it is already selected. Click OK. 128

129 20. The volume is copied over to the new pool while the VM continues to run. This takes approximately two minutes.
21. Once the transfer is complete you will see a notification pop-up indicating you have successfully migrated the disk volume. Scroll down the Volume Details to show the storage is now in the SSD pool.
22. Using XenCenter, notice the new Storage Repository (f69ef ). Click the new node and select the storage tab. Notice the Root-6 volume is now located on this SSD SR.
Exercise Summary
You have migrated the root volume of the Ride-1 VM from the default primary storage to a new Storage Pool.

130 Exercise 6: Affinity Groups
Overview
In this exercise you will:
Use an Anti-Affinity Group to ensure two VMs do not run on the same host. This could be used, for instance, to ensure two web server VMs run on separate hosts, so that one of the two web servers remains up even if one host fails.
Step by step guidance
Estimated time to complete this exercise: 10 minutes.
1. Continuing in the Chrome browser, in the left navigation bar of the CloudPlatform GUI, click Affinity Groups. Click Add New Affinity group.
2. Enter or select the following parameters:
Name: VM Separation
Description: Keep VMs on separate hosts
Type: Host anti-affinity
Click OK.
3. A new anti-affinity group has been created. Any VM that belongs to this anti-affinity group will not be placed on a host that is already running another VM from the same anti-affinity group.

131 4. In the left navigation bar of the CloudPlatform GUI, click Instances, then click Add Instance. Enter or select the following parameters:
Select a zone: Paris
Select ISO or Template: Template
Select a template: CentOS 5.6 (64 bit) no GUI XenServer
Compute Offering: Mini Instance
Data Disk Offering: No Thanks
Affinity Groups: VM Separation
Security Group: default
VM Name: Admin-1
Click Launch VM.
5. Create another identical VM (except for the name); enter or select the following parameters:
Select a zone: Paris
Select ISO or Template: Template
Select a template: CentOS 5.6 (64 bit) no GUI XenServer
Compute Offering: Mini Instance
Data Disk Offering: No Thanks
Affinity Groups: VM Separation
Security Group: default
VM Name: Admin-2
6. Click on the Admin-1 node. Click on View Host.

132 7. (This may be vxs-01 or vxs-02 depending on the allocation algorithm.)
8. In the left navigation bar of the CloudPlatform GUI, click Instances, then click on the Admin-2 node and click on View Host. Notice the Admin-1 and Admin-2 VMs are on different hosts.
9. In the left navigation bar of the CloudPlatform GUI, click Instances, then click Add Instance. Enter or select the following parameters:
Select a zone: Paris
Select ISO or Template: Template
Select a template: CentOS 5.6 (64 bit) no GUI XenServer
Compute Offering: Mini Instance
Data Disk Offering: No Thanks
Affinity Groups: VM Separation
Security Group: default
VM Name: Admin-3
Click Launch VM.
10. The VM creation fails in a few seconds with an error. CloudPlatform only has two hosts available in the Paris zone and each already has a VM from the VM Separation anti-affinity group. Hosting another VM from the same group on either host would violate the anti-affinity rule, so the deployment fails.

133 11. In XenCenter, collapse the Paris-XS-Cluster-1 node by clicking the icon in front of the node.
Exercise Summary
You have shown how an anti-affinity group can be used to ensure two VMs do not run on the same host.
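The placement rule exercised above, as an added sketch that is not CloudPlatform's allocator: the Zone class, PlacementError, slots_per_host and the least-loaded ordering are assumptions made for illustration, while the host, VM and group names are the ones used in the exercise. It reproduces the failure in step 10, shows what survives a single host failure, and adds an audit for co-located group members.

```python
class PlacementError(Exception):
    """Raised when no host satisfies capacity and anti-affinity constraints."""


class Zone:
    def __init__(self, hosts, slots_per_host=4):
        self.slots = slots_per_host                 # assumed per-host VM capacity
        self.placed = {h: {} for h in hosts}        # host -> {vm_name: group or None}

    def candidates(self, group):
        """Hosts with free capacity that run no VM from the same anti-affinity group."""
        ok = []
        for host, vms in self.placed.items():
            if len(vms) >= self.slots:
                continue
            if group is not None and group in vms.values():
                continue
            ok.append(host)
        # Assumed ordering: least-loaded host first, name as tie-breaker.
        return sorted(ok, key=lambda h: (len(self.placed[h]), h))

    def deploy(self, vm, group=None):
        hosts = self.candidates(group)
        if not hosts:
            raise PlacementError(
                f"{vm}: every host is full or already runs a VM from group {group!r}")
        self.placed[hosts[0]][vm] = group
        return hosts[0]

    def survivors(self, failed_host, group):
        """Group members still running if failed_host goes down."""
        return sorted(vm for host, vms in self.placed.items() if host != failed_host
                      for vm, g in vms.items() if g == group)

    def violations(self):
        """Audit: (host, group, members) wherever one host runs more than one group member."""
        found = []
        for host, vms in sorted(self.placed.items()):
            by_group = {}
            for vm, g in vms.items():
                if g is not None:
                    by_group.setdefault(g, []).append(vm)
            found += [(host, g, sorted(m)) for g, m in sorted(by_group.items()) if len(m) > 1]
        return found


if __name__ == "__main__":
    zone = Zone(["vxs-01", "vxs-02"])
    for name in ("Admin-1", "Admin-2", "Admin-3"):
        try:
            print(name, "->", zone.deploy(name, "VM Separation"))
        except PlacementError as err:
            print("deployment failed:", err)
    print("survive loss of vxs-01:", zone.survivors("vxs-01", "VM Separation"))
    print("violations:", zone.violations())
```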

134 Module 6 Working with Templates and ISO files
A template is a "gold image" that contains all the various configuration settings to create a VM. It is a virtual disk image that includes the operating system, optional software such as office applications, and settings such as access control to determine who can use the template. The size of the system (boot) disk is also defined by the template. Each template is associated with a particular type of hypervisor, which must be specified when the template is added to CloudPlatform.
When users launch (or create) VMs, they can choose from a list of templates. CloudPlatform ships with a default CentOS 5.6 template. In order to present more choices to users, CloudPlatform administrators and users can create templates and add them to CloudPlatform.
ISO files (typically CD or DVD images) are used to install either new operating systems (if the ISO is a bootable image) or be attached to a VM to install applications.
Uploading a template or an ISO image to CloudPlatform requires the image to be accessible via HTTP (i.e. it must be placed on a web server). The HTTP server must have the MIME types set as follows:
ISO: none/none
VHD: none/none
As setting up a web server is beyond the scope of this lab, a web server has been provided for you as part of the Student Desktop server with the MIME types correctly set.
Exercises in this module
The process is split into several exercises:
Exercise 1: Templates and ISO preparation
Exercise 2: Transferring a VM from XenServer
Exercise 3: Working with templates
Exercise 4: Working with ISOs
Exercise 5: Expunging VMs and Lab preparation

135 Exercise 1: Templates & ISO Preparation
Overview
To protect the cloud infrastructure from rogue attempts to download arbitrary infrastructure files using the template download feature, the ability to download templates from web servers on the same network as the CloudPlatform management server is usually disabled. In our lab the Student Desktop web server and the CloudPlatform infrastructure are on the same network, so you will need to disable this safeguard.
In this exercise you will:
Configure CloudPlatform to allow Templates and ISOs to be downloaded from an internal web server.
Step by step guidance
Estimated time to complete this exercise: 5 minutes.
1. Switch back to the Chrome browser. You may need to re-login using the following credentials:
Username: admin
Password: Citrix123
Domain: Leave Blank
2. In the left navigation bar of the CloudPlatform GUI, click Global Settings.
3. In the search box at the top right, enter the search term secstorage and hit <Enter>. On the secstorage.allowed.internal.sites node, click the Edit action.
4. Enter the CIDR of the Student Desktop web server: /32
Click the green check mark. This limits the ability to download from the single IP address , which is the web server running on the Student Desktop.

136 5. A pop up box appears. Click Close.
6. Using XenCenter, select the cpman node and the Console tab.
7. If necessary, log in using the following credentials:
Username: root
Password: Citrix123
Enter the command:
service cloudstack-management restart
Wait for the command to complete.
8. Click Refresh on the Chrome browser URL address bar. You may need to wait 30 seconds or so for the Management Service to respond.
9. After restarting the management service you must log back in to the CloudPlatform GUI. Use the following credentials:
Username: admin
Password: Citrix123
Domain: Leave Blank

137 Exercise Summary You have prepared CloudPlatform to allow downloading of Templates & ISOs only from the IP address , which is the Student Desktop web server. 137
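The decision that a CIDR allowlist such as secstorage.allowed.internal.sites expresses, as an added sketch that is not CloudPlatform's code: an internal address may be fetched only if an allowlisted CIDR covers it. The function names, the list of ranges treated as internal and all addresses below are constructed for illustration and are not the lab's values.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges treated as "internal" in this sketch (an assumption, not CloudPlatform's own list).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_allowed_sites(value):
    """Parse a comma-separated CIDR list; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(item.strip(), strict=True)
            for item in value.split(",") if item.strip()]


def broad_entries(allowed, min_prefix=32):
    """IPv4 allowlist entries wider than min_prefix (a /32 names a single host)."""
    return [str(n) for n in allowed if n.version == 4 and n.prefixlen < min_prefix]


def system_resolve(host):
    """Default resolver: every address the name currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_download(url, allowed, resolve=system_resolve):
    """Return (allowed?, reason) for a template or ISO URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = [ipaddress.ip_address(host)]          # URL already holds an IP literal
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        # Treat ::ffff:a.b.c.d as the IPv4 address it wraps.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        internal = any(addr in net for net in INTERNAL_NETS)
        if internal and not any(addr in net for net in allowed):
            return False, f"{addr} is internal and not allowlisted"
    return True, "ok"


if __name__ == "__main__":
    allowed = parse_allowed_sites("10.0.0.50/32")      # constructed value
    for url in ("http://10.0.0.50/DemoVM.vhd",         # the allowlisted web server
                "http://10.0.0.11/nfs/export",         # another internal host
                "http://203.0.113.7/tools.iso",        # external address
                "http://[::ffff:10.0.0.11]/a.vhd"):    # IPv4-mapped form of an internal host
        print(url, "->", check_download(url, allowed))
    print("wider than /32:", broad_entries(parse_allowed_sites("10.0.0.50/32, 10.0.0.0/24")))
```

A hostname is judged on every address it resolves to, so a name that maps to both an external and an internal address is still refused.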

138 Exercise 2: Transferring a VM from XenServer
Overview
In this exercise you will:
Transfer a VM from a stand-alone XenServer (vxs-04) into your CloudPlatform cloud.
The process involves exporting the VM from XenServer as a VHD (Microsoft's Virtual Hard Disk file format) and uploading the file to CloudPlatform to create a template. A VM will be created in CloudPlatform from the template.
Step by step guidance
Estimated time to complete this exercise: 25 minutes.
1. This module requires a new stand-alone virtual XenServer.
2. Using XenCenter, select the node of your physical XenServer and select the Console tab. If necessary, press <Enter> to login. start.sh is a script written specially for the lab to start various VMs in the lab easily. Enter the command:
start.sh V4
You will see the VirtualXenServer-04 VM start on XenCenter. Click the VirtualXenServer-04 node and select the Console tab.

139 Step 3. Action Wait until the boot completes. Notice that the IP address of the new XenServer is Add the new host to XenCenter by selecting Add New Server and entering the following parameters: Server User Name root Password Citrix Click Add. The vxs-04 XenServer has two running VMs: DemoVM and DHCP. DemoVM is the VM you will export from this XenServer and import into CloudPlatform. The DHCP VM will provide the DHCP service required by XenServer for the export. (If the two VMs are not yet running, wait a few moments for them to start automatically.) 139

140 Step Action 6. Select the DemoVM VM node, then the Console tab. Notice the DemoVM banner shows Citrix Demonstration Linux Virtual Machine. (This will be used to identify the VM when it has been transferred to CloudPlatform.) 7. To export a VM from XenServer, the VM must be stopped. 8. Right click the DemoVM node and select Shut Down. Click Yes in response to the XenCenter verification dialog. 9. Once DemoVM has shut down (denoted by the flag turning red as shown above) right click the DemoVM VM node and select Export Enter c:\temp (a directory on your Student Desktop) as the export location and click Next. 140

141 Step 10. Action Click Next. 11. Click Next. 12. This dialog selects the output type. Leaving the options unchecked will export the VHD file you need. Click Next. 141

142 Step 13. Action This dialog sets the network to use for the transfer and whether or not to use DHCP. Leave the default options and click Next. 14. Verify that your screen matches the one above and click Finish. 15. You can monitor the progress of the export at the bottom of the XenServer screen or through Windows Explorer in the next step. The export process should take roughly three minutes. 142

143 Step Action 16. Using your Student Desktop, bring up Windows Explorer and navigate to the c:\temp\demovm directory where the exported files were written. 17. Once the DemoVM.ovf file appears, you know the export is complete. To make the import step easier, rename the VHD file to DemoVM.vhd. The name CloudPlatform will use is case sensitive, so note the capitalization. 18. Drag and drop the VHD file DemoVM.vhd from c:\temp\demovm to c:\inetpub\wwwroot. This puts the DemoVM.vhd file into the Student Desktop web server home directory, so it can be served to CloudPlatform. 143

144 Step Action 19. To allow the lab to work properly in case this module was skipped, a copy of the DemoVM.vhd file is already in wwwroot. 20. Click Move & Replace to allow the existing file to be overwritten. You may see two more warnings. If so, click Continue and Continue again to acknowledge. 21. Using the Chrome Browser, in the left navigation bar of the CloudPlatform GUI, click Templates. Click Register Template. 144

145 Step Action 22. Enter or select the following parameters: Name Description URL Zone Hypervisor XenServer is 6.1+ Format OS Type Extractable Password Enabled Dynamically Scalable Public Featured Routing HVM DemoVM DemoVM All zones XenServer VHD CentOS 5.7 (32-bit) Make sure there are no blanks after the URL Check your entries carefully, especially the OS Type is Centos bit. Click OK. 145

146 Step Action 23. DemoVM is added to the list of templates. As with the compute offerings, sort the list as shown below so CloudPlatform will present the list of templates in your sorted order. 24. (If the templates were already in this order, change the order, then change it back so CloudPlatform registers the sorted order.) Click the DemoVM node to see details of the template. Select the Zones tab and wait for the status to show Download Complete. Click the Refresh button occasionally while waiting. 146

147 25. You will now create an instance, using the imported template. In the left navigation bar of the CloudPlatform GUI, select Instances. Click Add Instance and enter or select the following parameters:
Select a zone: Paris
Select ISO or Template: Template
Select a template: DemoVM
Compute Offering: Mini Instance
Data Disk Offering: No Thanks
Affinity Groups: No Selection
Security Group: Default
VM Name: Admin-4
Check the review screen and if all is correct, click Launch VM.
26. After about 90 seconds the new Admin-4 VM is started based on the DemoVM template.
27. Using the Admin-4 Quickview, bring up the Admin-4 console. Once the VM has booted, you will recognize the banner of the VM as being the same as DemoVM originally running on vxs-04.
Exercise Summary
You have successfully exported a VM from XenServer and imported it into CloudPlatform as a template. You then created a CloudPlatform VM from the template.

148 Exercise 3: Working with Templates Overview In this exercise you will: Create a template from an existing VM on CloudPlatform. Step by step guidance Estimated time to complete this exercise: 10 minutes. Step Action 1. Logon to the Admin-4 VM using the following credentials. Username root Password 1 2. Customize the VM by entering: touch file1 This will create the file file1 in your home directory. Verify it exists by entering the command: ls 3. Shutdown the Admin-4 VM by using the Admin-4 QuickView menu Stop and confirm by clicking OK. 4. Close the Admin-4 VM console window. After a few seconds Admin-4 is stopped. 5. In the left navigation bar of the CloudPlatform GUI, click Storage. These are the Virtual Disk Images (VDIs) for the Guest VMs in the system. Notice the disk image for Admin-4 VM is ROOT-11 (your volume number may be different). 148

149 Step Action 6. Using the Quickview menu for the ROOT-11 node: Select Create Template. 7. Enter or select the following parameters: Name Description Original XS Version is 6.1+ OS Type Public Password Enabled Featured Dynamically Scalable DemoVM Copy DemoVM Copy CentOS 5.7 (32-bit) Click OK. 8. You will notice the Quickview symbol flashing while the template is created from the VDI. In the left navigation bar of the CloudPlatform GUI, click Templates. 149

150 Step 9. Action Notice the new template DemoVM Copy is added to the template list. Click the DemoVM Copy node and select the Zones tab. 10. Click the Refresh button until you see the Download is complete and the template is ready. 11. In the left navigation bar of the CloudPlatform GUI, click Instances. Click Add Instance and enter or select the following parameters: Select a zone Select ISO or Template Select a template Compute Offering Data Disk Offering Affinity Groups Security Group VM Name Paris Template DemoVM Copy Mini Instance No Thanks No Selection Default Admin-5 Check the review screen and if all is correct, click Launch VM. 12. Unfortunately this instance is unable to be created due to the Virtual XenServers in the lab not supporting HVM. The HVM database fix applied in Module 2 does work here. Skip steps 13 &

151 13. Wait a minute or so until the VM is running (the first VM starting from a new template always takes longer).
14. Using Admin-5's Quickview, click View Console. Once it's booted, log on using the following credentials:
Username: root
Password: 1
Enter the following command:
ls
The presence of the file file1 shows the DemoVM Copy template includes changes made to the VM after it was created from the original DemoVM template.
Exercise Summary
You created a template from a CloudPlatform VM and then you created a new VM from the created template.

152 Exercise 4: Working with ISOs Overview CloudPlatform supports ISOs and their attachment to Guest VMs. ISOs can also be used to boot a VM and install an OS. An ISO is a read-only file that has an ISO/CD-ROM style file system. Users can upload their own ISOs and mount them on their Guest VMs. In this exercise you will: Upload an ISO image to CloudPlatform. Attach the ISO to a VM. Step by step guidance Estimated time to complete this exercise: 10 minutes. Step Action 1. Using Windows Explorer on the Student Desktop again, navigate to the C:\ISO directory. Notice the XenServer performance monitoring ISO file. This is the ISO file you will register with CloudPlatform. 2. Drag and drop the ISO file into the c:\inetpub\wwwroot directory. Click Continue for the two Windows warnings as before. 3. In the left navigation bar of the CloudPlatform GUI, click Templates. Using Select View, change from Templates to ISO. Click Register ISO. 152

153 Step Action 4. Enter or select the following parameters: Name Description URL Zone Bootable Extractable Public Featured XenServer Performance Monitoring XenServer Performance Monitoring Paris Make sure there are no blanks after the URL Click OK. 5. The new ISO is added to the list. Click the XenServer Performance Monitoring node. 153

154 Step 6. Action Click the Zones tab and you should see that the ISO is ready & successfully installed. (This ISO is very small so it installs quickly; a larger ISO may of course take longer to install.) 7. In the left navigation bar of the CloudPlatform GUI, click Instances. Using the Admin-5 Quickview, select the option to Attach ISO. 8. A pop-up appears. Select the XenServer Performance Monitoring ISO. Click OK. 154

155 Step Action 9. Using the Admin-5 console from earlier, enter the following commands to mount the ISO and then list the contents: mount -r /dev/xvdd /mnt ls /mnt Notice the XenServer Performance Tools ISO contents are listed. Do not try and install the package. Exercise Summary You successfully registered an ISO into CloudPlatform and attached the ISO to a VM. 155

156 Exercise 5: Expunging VMs and Lab Preparation
Overview
After six modules, CloudPlatform has numerous VMs and the stand-alone virtual XenServer (vxs-04) you no longer need.
In this exercise you will:
Clean up the CloudPlatform lab for the next set of modules.
Set the system cleanup routines to run every ten minutes, so destroyed VMs will be more rapidly expunged from the system.
Start a new virtual XenServer (vxs-03) needed to build an Advanced zone in the next module.
Step by step guidance
Estimated time to complete this exercise: 10 minutes.
1. In the left navigation bar of the CloudPlatform GUI, click Instances. Using the Quickview menu of each VM, select the Destroy option. As you are logged in as Admin, you can optionally immediately expunge the VM using the expunge checkbox. Users do not have this immediate expunge ability. For each VM, check the Expunge option in the confirmation pop-up and click OK. While this screen does allow you to select multiple VMs using the checkboxes on the left, unfortunately, this multi-select can only be used for snapshot operations.

157 Step 2. Action In the left navigation bar of the CloudPlatform GUI, click Instances to refresh the screen until you see all VMs have been removed. The Admin-3 VM may take a little longer to be removed. You can also close any VM console windows left open and the Windows Explorer window. 3. As previously mentioned, when a VM is destroyed by a user, the disk volume does not get removed immediately. It is expunged (removed) by the expunge thread which runs every so often at an interval specified by the expunge.delay and expunge.interval. These values can be configured in Global Settings by the Cloud-Admin. The default cleanup delay and interval is once per day; you will change it to 10 minutes. In the left navigation bar of the CloudPlatform GUI, select Global Settings. 4. In the search box enter expunge and hit <Enter>. 5. Click the Edit icon for the expunge.delay setting. Enter the value of 600 and click the Green Check mark. Close the warning asking you to restart your management server. Also set the expunge.interval settings to 600. Close the warning asking you to restart your management server. Leave expunge.workers at

158 Step 6. Action 7. Back on XenCenter, enter the following command into the cpman console to restart the CloudPlatform Management service to register these changes. service cloudstack-management restart 8. Shut down the VirtualXenServer-04 VM as it is no longer needed. Right click the VirtualXenServer-04 node and select Force Shutdown. Confirm by clicking Yes. Force Shutdown is like pulling the power plug on a physical server, so you should only use it on a VM you are going to delete. 9. Once VirtualXenServer-04 has shut down, delete the VM by right clicking the VM and selecting Delete VM. 10. Confirm the delete (including the attached virtual disk) by clicking Delete. 158

159 Step Action 11. Right-click the vxs-04 node and select Disconnect. (XenCenter will do this automatically if you wait too long after shutting down VirtualXenserver-04). 12. Right-click the vxs-04 node at the bottom of the list and select Remove from XenCenter. 13. For the next module you will need an additional virtual XenServer, vxs-03. Go to the console of your physical XenServer and select the Console tab. 14. Enter the command: start.sh V3 You will see the new VirtualXenServer-03 VM on XenCenter. 159

160 Step Action 15. On XenCenter, click the VirtualXenServer-03 node and then click the Console tab. Wait until the boot process has completed and you see the XenServer console. Exercise Summary You have cleaned up the CloudPlatform lab by destroying all Guest VMs and configured the system to expunge all destroyed VMs every 10 minutes. You have deleted the stand-alone vxs-04 as it is no longer needed, and you have started vxs-03 ready for the next module. 160

161 Module 7 Build an Advanced Zone
All the Guest VMs throughout a Basic Networking zone share a single flat network. There is no concept of isolated or private Guest networks in a Basic zone, so Guest VMs are isolated from one another using security groups. Security groups are sets of IP filter rules that are applied to a Guest VM's networking. A Basic zone has one Virtual Router used zone wide, offering DHCP and DNS services only.
In an Advanced Networking zone, each account has one or more isolated (private) Guest networks and each isolated network has a CloudPlatform Virtual Router with a Public IP address. Guest VMs may run on any host zone wide and still communicate with each other and their private Virtual Router on their own private VLAN. An account's Guest VMs are completely isolated from another account's VMs by the VLANs. Shared networks are also available to allow Guest VMs from different accounts to communicate directly.
In an Advanced zone, each isolated network's Virtual Router allows the user to configure advanced features such as: DNS & DHCP, Firewall, Client IPSEC VPN, Load Balancing, Source / Static NAT, Port Forwarding and Virtual Private Clouds.
The two networking models may be in use in the same cloud. However, a given zone must use either Basic Networking or Advanced Networking.

162 CloudPlatform has four network traffic types:
Public traffic is network traffic on the public side of a CloudPlatform Virtual Router, connecting the VR to the outside world.
Guest traffic is network traffic generated when Guest VMs communicate with each other or Gateway devices such as Virtual Routers.
Management traffic is network traffic generated when CloudPlatform's internal resources communicate with each other. This includes communication between hosts, system VMs, and any other component that communicates directly with the CloudPlatform Management Server.
Storage traffic is network traffic generated by the secondary storage VM when templates are transferred from secondary to primary storage or snapshots are saved.
A Basic zone has three traffic types: Guest, Management & Storage. There is no Public traffic in a Basic zone as every host computer, system VM and guest VM has a unique IP address. There is no requirement for CloudPlatform to perform routing.
An Advanced zone has all four traffic types that share multiple physical networks. In the lab, the Public traffic and Guest traffic share the same physical network. However, the Public traffic is separated from the Guest traffic through the use of VLANs. The Public traffic uses the untagged (non-VLAN) network while all Guest VM traffic always uses VLANs.
The diagram below shows the physical network structure for the Public and Guest networks which share a common physical network in the lab's Advanced zone. This network is trunked and requires trunked switches for all host interconnects. CloudPlatform Management and Storage traffic uses a separate physical network not shown on the diagram above.
Exercises in this module
Exercise 1: Prepare the Advanced Zone XenServer, including renaming the network interfaces.
Exercise 2: Build a CloudPlatform Advanced networking zone named London.

163 Exercise 1: Prepare the Advanced Zone XenServer Overview In this exercise you will: Attach XenCenter to your XenServer compute host for the Advanced zone. Rename the two physical networks on this XenServer to meaningful labels. A fix is required for the release of CloudPlatform to build an advanced zone correctly. A labreset must be performed sometime after module 2, but before module 7, to apply the fix. If you have not already done a labreset after module 2, you should perform a labreset.sh M7 now. See appendix 2 for instructions. Step by step guidance Estimated time to complete this exercise: 10 minutes. Step Action 1. Attach XenCenter to vxs-03 by clicking on Add New Server. Enter the following parameters: IP Address Username root Password Citrix

164 Step 2. Action Notice that vxs-03 shows up as already being part of the London-XS-Cluster1 resource pool. vxs-03 was created from a template. When the template was created vxs-03 was part of a resource pool named London-XS-Cluster1, so a VM created from this template will be part of this same pool. 3. Click the vxs-03 node and then the Networking tab. Notice this XenServer has two networks labeled "Network 0" and "Network 1". Each is assigned to a separate NIC. CloudPlatform is unable to use these default labels to assign traffic in an Advanced zone, so they must be changed. You will change them to something more representative of the traffic type assigned to the network. Ensure Network 0 node is highlighted and click Properties. 4. Network 0 will be used for CloudPlatform Management traffic which is communications between the CloudPlatform Management Server and the compute hosts, system VMs etc. Change the network name (label): From Network 0 To Management The label is case sensitive. Click OK. 164

165 Step 5. Action Now click the Network 1 node and Properties. 6. This network will be used for the Public traffic (from the CloudPlatform Virtual Routers) and Guest traffic (from the CloudPlatform Guest VMs). VLANs keep these two traffic types logically separate, despite them sharing the same physical network. Change the network name (label): From Network 1 To Public-Guest The label is case sensitive. Click OK. 7. Carefully verify that your server networks now look exactly like this. The vxs-03 XenServer is now ready to be added to a CloudPlatform Advanced zone. The XenServer network labels here must match the network labels you will set in CloudPlatform, or your Advanced Zone deployment will fail. 165

166 Exercise Summary
You have attached XenCenter to your virtual XenServer vxs-03 and have configured vxs-03's networking ready to be deployed into a CloudPlatform Advanced zone.

167 Exercise 2: Build an Advanced Zone
Overview
In this exercise you will:
Build a CloudPlatform Advanced zone named London.
Here's a summary of the steps you will perform:
1. Set up the physical networking by associating the various CloudPlatform traffic types with the two physical networks available on the XenServer host.
Traffic Type    vxs-03 Network Label
Management      Management
Public          Public-Guest
Guest           Public-Guest
2. Provide a range of publicly-accessible IP addresses for users to use when NATing between their VM's Guest network and the Public network.
3. Configure a pod with a range of reserved IP addresses for CloudPlatform's internal Management traffic.
4. Specify a range of VLAN IDs to use for the Guest isolated networks.
5. Add a Cluster to the zone.
6. Add a Host computer to the zone.
7. Add Primary and Secondary storage and enable the new Advanced zone.
The following diagram shows the physical networking of the lab infrastructure. The London Advanced zone components are shown in the purple shaded area.

168 While the Public traffic and Guest traffic share the same physical network, all Guest traffic is handled by individual VLANs on the network, thereby keeping the two traffic types separate. The VLANs also keep Guest traffic for each account separate.
Step by step guidance
Estimated time to complete this exercise: 15 minutes.
1. Using the Chrome browser, if necessary, log in to the CloudPlatform GUI using the following credentials:
Username: admin
Password: Citrix123
Domain: Leave Blank
Click Login.
2. In the left navigation bar of the CloudPlatform GUI, click Infrastructure. In the Zones box, click View All.

169 Step Action 3. The Paris Basic zone is listed. Click Add Zone. 4. The Add zone dialog box appears. In an Advanced Zone, Security Groups are only available with the KVM hypervisor. Select Advanced, leave security groups unchecked and click Next. 169

170 Step Action 5. Enter or select the following parameters: Name London IPv4 DNS IPv4 DNS 2 Leave Blank IPv6 DNS 1 Leave Blank IPv6 DNS 2 Leave Blank Internal DNS Internal DNS 2 Leave Blank Hypervisor XenServer Network Domain Leave Blank Guest CIDR /24 Dedicated Leave Unchecked Local Storage Leave Unchecked This dialog allows the DNS service for Guest VMs to be specified differently to the DNS service for the CloudPlatform System VMs. The first four DNS entries (IPV4 & IPV6) are used for Guest VMs, which usually have unrestricted internet access and hence are able to use an external DNS. But internet access for CloudPlatform System VM's is often restricted, so in this case, an internal DNS must be used. The hypervisor specified in this dialog refers to the hypervisor used in the first cluster. When additional clusters are added, different hypervisors can be specified as needed. CIDR notation is syntax for specifying IP addresses and their associated routing prefix. The default entry for the Guest CIDR ( /24) means all Guest VMs will get network addresses with a netmask of Click Next. 170

171 Step Action 6. When adding an Advanced zone, you need to set up one or more physical networks, each of which corresponds to a NIC on the hypervisor host. Each physical network can carry one or more types of traffic. In the London Advanced zone there will be two physical networks: The first network is for the Management traffic called "Management". The second network is for the Public traffic and Guest traffic called "Public-Guest." The colored icons represent the various traffic types to be carried on the networks. Drag and drop the Public traffic and Guest traffic icons from Physical Network 1 to Physical Network You now have the Management traffic on Physical Network 1. The Public traffic and Guest traffic will be on Physical Network 2. Unless specified differently, it is implied that Storage traffic will be on the same network as the Management traffic. 171

172 Step Action 8. Rename these two CloudPlatform physical networks with names reflecting their use. Physical network 1 is used for the Management traffic. Click the Physical Network 1 box and enter: Physical Network Name Management Leave the Isolation method as VLAN. 9. Physical network 2 is used for the Public traffic and Guest traffic. Click the Physical Network 2 box and enter: Physical Network Name Public-Guest Leave the Isolation method as VLAN. 10. You now need to assign the traffic types to the physical networks available on the XenServer host. Click on the Management Edit icon to assign the Management traffic to the Management network on the XenServer host. 11. Enter the label exactly as shown: XenServer Traffic Label Management While the dialog box uses the term XenServer Traffic Label, it should really say XenServer Network label. The label is case sensitive. Click OK. 172

12. You will not see any changes on the screen.

13. Click the Management Edit button again and you will see that the "Management" network was registered.

14. Click OK. Click the Public Edit button to assign the Public traffic to the "Public-Guest" network on the host. Enter the label exactly as shown: XenServer Traffic Label Public-Guest
The label is case sensitive. Click OK.

174 Step 15. Action Click the Guest Edit button to assign the Guest traffic to the "Public-Guest" network on the host. Enter the label exactly as shown: XenServer Traffic Label Public-Guest The label is case sensitive. Click OK. While the Public and Guest traffic will share the same physical "Public-Guest" network, the traffic will be on separate virtual networks due to the use of VLANs. 16. Click Next to finish configuring the physical networks and their traffic types. 174

17. Publicly accessible IPs can be allocated to allow users access to their Guest VMs from the internet. End users can allocate these IP addresses to their Guest VMs using CloudPlatform's Port Forwarding or Load Balancing services. This dialog sets up the Gateway and IP address range for the publicly accessible IP addresses. Enter the following: Gateway Netmask VLAN Start IP End IP Leave Blank
Click Add.

18. In the lab, the network represents a public network. In a real-world implementation the network would be a publicly accessible network such as The configuration is accepted. Additional public IP address ranges could be added if required (do not add any more now). Click Next.

176 Step Action 19. Each zone must contain one or more pods. A pod contains hosts and primary storage, which you will add in a later step. This dialog sets up the gateway and IP address range to be used by the CloudPlatform system VMs on the Management network for the first pod. The reserved IP range must be unique for each zone in the cloud. Enter the parameters as shown: Pod name London-Pod1 Reserved System Gateway Reserved System Netmask Start Reserved System IP End Reserved System IP Click Next. 20. Guest network traffic is communication between Guest VMs (and between the Guest VMs and the CloudPlatform Virtual Router for the network) over isolated networks. The isolated networks are created using VLANs. You will now specify a range of VLAN IDs to use for the isolated networks in this zone. VLAN Range Click Next. When you have more than one host in an Advanced zone, you must have this VLAN range trunked on your physical switch inter-connecting the hosts. 21. Each pod must contain one or more clusters. Each cluster consists of one or more hosts and one or more primary storage servers. The hosts in a cluster must all: Have identical hardware, (or must be masked to look identical). Run the same hypervisor Have the same NIC configuration Be on the same subnet Access the same shared Primary Storage Enter the name for the first cluster in the London zone: Cluster Name London-Cluster1 Click Next. 176

177 Step Action 22. Each cluster must contain at least one compute host for Guest VMs to run on. The compute host for the Advanced zone is vxs-03 with an IP address of Enter the host IP address and credentials. Host Name Username root Password Citrix123 Host Tags Leave Blank Click Next. 23. Each cluster must contain one or more primary storage servers. Primary storage contains the disk volumes for all the VMs running on hosts in the cluster. You can use any standards-compliant protocol that is supported by the underlying hypervisor. In the lab this is NFS. Enter the Primary Storage access parameters for London-Cluster1: Name London-Pri-Cluster1 Scope Cluster Protocol nfs Server Path /nfs/london/primary/cluster1 Click Next. 177

24. Each zone must have at least one secondary storage server. Secondary storage stores VM templates, ISO images, and VM disk volume snapshots. This server must be available to all hosts in the zone. You will use an NFS server to provide secondary storage. Select NFS from the Provider drop down selector.

25. Enter the Secondary Storage access parameters for the London zone: Provider NFS Name Leave Blank NFS Server Path /nfs/london/secondary

26. Click Next. The zone is ready to be created. Click Launch Zone.

27. Wait while the zone is created.

28. Once the zone is created, you are asked if you would like to enable the zone. Leaving the zone disabled would allow you to further configure the zone before releasing it for use by users. A disabled zone is not visible to users. Click Yes to enable the zone.

29. Notice that the London zone has been added to the list of available zones; however, the zone is still in the process of being set up. Zones can be enabled and disabled using the Quickview menu on this screen. Disabled zones are not available for users to start new VMs; however, existing VMs in the zone will stay running if the zone is disabled. Do not disable any zones at this time.

30. Using XenCenter, review the changes that have occurred to the virtual XenServer vxs-03 just added to CloudPlatform. The vxs-03 node Networking tab should still be selected. Notice that an additional network, cloud_link_local_network, has been added. This is a special "link-local" network set up for secure communication between the CloudPlatform System VMs and the host XenServer.

A link-local address is an Internet Protocol address that is intended only for communications within a segment of a local network (a link) or a point-to-point connection that a host is connected to. Routers do not forward packets with link-local addresses. Link-local addresses for IPv4 are defined in the address block /

31. Expand the vxs-03 node. When creating the Advanced zone, the system VM template must be copied from secondary storage to the cluster's primary storage. This takes five to six minutes. After this time you will notice the two system VMs for the Advanced zone starting on vxs-03. In another minute or so, both system VMs should be running.

32. In the left navigation bar of the CloudPlatform GUI, click Infrastructure.

33. Click on the System VMs View All box. Repeat the previous step and this one until you see that the London zone system VMs are running.

181 Step Action 34. In the left navigation bar of the CloudPlatform GUI, click Templates. 35. Click the DemoVM node. Click the Zones tab and notice the DemoVM template is available in both the London and Paris zones. Secondary Storage for the Paris and London zones is separate, so templates in the Paris zone that were registered as being available in all zones, will be copied automatically by CloudPlatform to the London zone. The template may be still downloading or installing into the London zone. Click the Refresh button to refresh the screen. Wait until the download is complete and the DemoVM template is ready in the London zone before proceeding. 181

182 Step 36. Action In the left navigation bar of the CloudPlatform GUI, click Templates. Click the DemoVM Copy node. 37. Select the Zone tab. Notice the DemoVM Copy template is only available in the Paris zone because it was based on a VM running in the Paris zone. It will not be available in all zones. Exercise Summary You have added an Advanced zone to your cloud and verified that the template to be used for creating VMs in this module is ready for use. 182

Module 8 Advanced Zone Networking

Isolated networks
An isolated network is constructed using a VLAN and can be accessed only by VMs of a single account. This offers total isolation between different accounts. The diagram below shows the logical network structure for the Guest and Public networks. Each network in an Advanced zone also has a Virtual Router that offers the following advanced features configurable by the end user: DNS & DHCP, Firewall, Client IPSEC VPN, Load Balancing, Source / Static NAT and Port Forwarding. Isolated networks are explored in exercise one.

Shared networks
Shared networks are also constructed using VLANs and can be accessed by VMs that belong to many different accounts. A shared network must be created by Cloud-Admin and can allow sharing zone-wide or just in one Domain. The shared network Virtual Router only has an interface on the shared network, so it offers no routing ability; only DNS and DHCP services are provided. Shared networks are explored in exercise two.

184 Port Forwarding and Load Balancing VMs on the Guest networks do not have Public IP addresses, so Guest VMs are inaccessible directly from the internet. Port Forwarding, a service of the CloudPlatform isolated network Virtual Router, can be used to route Public traffic to an appropriate VM on the Guest network. Load Balancing is another service of the CloudPlatform Virtual Router and is similar to Port Forwarding, but with the ability to forward traffic to two or more servers depending on rules, such as how busy each server is. Port Forwarding and Load Balancing are explored in exercise three. Citrix NetScaler Integration Citrix NetScaler is the industry's leading web application delivery solution, and maximizes the performance and availability of all applications and data. Exercise four explores the integration of a Citrix NetScaler into CloudPlatform as a load balancer. Exercises in this module Exercise 1: Explore Isolated networks. Exercise 2: Explore Shared networks. Exercise 3: Port Forwarding and Load Balancing. Exercise 4: Using a Citrix NetScaler for Load Balancing. 184

Exercise 1: Isolated Networks

Overview
In an Advanced zone, Guest VMs are usually attached to one or more individually isolated guest networks created by CloudPlatform using VLANs. In this exercise you will:
Create a VM using the John.Glenn account. The VM will be attached to the Glenn-Net1 isolated network, which is created at the same time as the VM.
Create a second VM also attached to the Glenn-Net1 network.
Verify that Glenn VMs can communicate across Glenn-Net1.
Create a VM using the Sally.Ride account. The VM will be attached to the Ride-Net1 isolated network, which is created at the same time as the VM.
Verify that Glenn VMs cannot communicate with Ride VMs as they are on separate networks. Since Glenn DNS services are limited to Glenn-Net1, the Glenn VMs can't even look up the Ride VMs.
The diagram below summarizes what is created in this exercise.

Step by step guidance
Estimated time to complete this exercise: 20 minutes.

1. Login to the Firefox browser CloudPlatform GUI using John Glenn's credentials for the John.Glenn account: Username John.Glenn Password 1 Domain Acme
Ensure you use the Firefox browser for this step.

2. In the left navigation bar, click Instances.

3. Click Add Instance. Make sure you select the London zone for all module 8 VMs. Select the London zone and ensure Template is selected. Then click Next.

4. Ensure that the Demo VM template is selected. Then click Next.

5. Ensure that the Mini Instance Compute Offering is selected. Then click Next.

6. You don't need any additional data disk, so ensure that No Thanks is selected. Then click Next.

7. There are no affinity groups defined in the London zone, so just click Next.

187 Step 8. Action You now need to select the network (or networks) to be used for this Guest VM. There are currently no Advanced networks for the John.Glenn account, so one must be created using the Add Network dialog. 9. Enter the following parameters in the Add Network section: Name Network Offering Glenn-Net1 DefaultIsolatedNetworkOfferingWithSourceNatService The only network offering currently available is Default isolated network with Source NAT Service. Click Next. 187

10. Enter the name of the VM: Name (Optional) Add to group (Optional) Glenn-A1 Leave Blank
Check the review screen; make sure you selected the London zone. If correct, click Launch VM.

11. Monitor the vxs-03 host in XenCenter. Notice that a Virtual Router (r-16-vm) is created almost immediately. This is the Virtual Router (VR) for the Glenn-Net1 isolated network; in CloudPlatform, a VR gets created for every network. As this is the first time the DemoVM template is being used in this cluster, the Secondary Storage System VM copies it from the London zone secondary storage to the London-Cluster1 primary storage. After this is done, the Glenn-A1 VM is created (internal name is i-3-15-vm). This takes about two minutes.

189 Step Action 12. In the left navigation bar of the CloudPlatform GUI, click Network. 13. You will see that the Glenn-Net1 isolated network has been created. Click the Glenn-Net1 node. Details of the network are shown. Scroll through and notice that the VLAN ID for the network is not shown. CloudPlatform obscures specific resource details from the user. 14. You can only fully inspect the network infrastructure that was just created as Cloud-Admin. Using the Chrome browser, re-login as admin if necessary using the following credentials: Username Password Domain admin Citrix123 Leave Blank 15. In the left navigation bar of the CloudPlatform GUI, click Network. Click the Glenn-Net1 node for more details. 189

190 Step 16. Action Scroll down and notice that the VLAN ID of the network is added to the network details. While the VLAN ID is not shown to the user, it is shown to Cloud-Admin. Glenn-Net1 has been assigned the VLAN ID 109. Your VLAN ID will probably be different because the ID is chosen randomly from the VLAN range specified when the zone was created. 17. Using XenCenter, click the r-16-vm node and then select the Networking tab. This is the CloudPlatform Virtual Router for the Glenn-Net1 isolated network. You will notice that r-16-vm has three interfaces: Glenn-Net1, which is VLAN 109 on the Public-Guest network. The link-local network for the VR to communicate directly with the host XenServers. The Public network, which is the untagged (non-vlan) traffic on the Public-Guest network. 18. Click the i-3-15-vm node in XenCenter and select the Networking tab: i-3-15-vm is the Glenn-A1 VM just created. You will notice it only has one interface on the isolated Glenn-Net1 network, which is VLAN 109 on the Public-Guest network. 19. Switch back to the Firefox browser where you should be logged on as John Glenn (if not relogin using the following credentials): Username John.Glenn Password 1 Domain Acme 190

191 Step Action 20. In the left navigation bar of the CloudPlatform GUI, click Instances. Click Add Instance and enter or select the following parameters: Select a zone Select ISO or Template Select a template Compute Offering Data Disk Offering Affinity Groups Network VM Name London Template DemoVM Mini Instance No Thanks No Selection Glenn-Net1 Glenn-A2 You will notice that the Glenn-Net1 is offered as the default selection. You could create a new isolated network if desired, but in this case, just accept the default Glenn-Net1. Check the review screen; if all is correct, click Launch VM. 21. Glenn-A2 is created in a few seconds because the VDI is created as a linked clone from the DemoVM template already available on the Primary Storage for the cluster. 22. Using Quickview, open a console for Glenn-A1. Your IP address may be different. Login using the following credentials: Username root Password 1 191

23. Enter the command: ping -c4 Glenn-A2
Glenn-A2 responds to Glenn-A1's pings. Since Glenn-A1 and Glenn-A2 share the same Glenn-Net1 isolated network, they are able to communicate. The network's Virtual Router is providing DNS for hostname lookup. (You might have to wait a few seconds for Glenn-A2 to finish booting before it responds.) You can close this console by clicking the X in the upper right corner.

24. Using the Firefox browser, logout from John Glenn's account and login using Sally Ride's account. Username Sally.Ride Password 1 Domain Acme

25. Create a VM using the Sally.Ride account. In the left navigation bar of the CloudPlatform GUI, click Instances. Click Add Instance and enter or select the following parameters: Select a zone Select ISO or Template Select a template Compute Offering Data Disk Offering Affinity Groups London Template DemoVM Mini Instance No Thanks No Selection
Click Next.

193 Step 26. Action Notice that Glenn-Net1 is not shown as an available network for the VM, as Glenn-Net1 is only available to the John.Glenn account. You must create a new isolated network for the Sally.Ride account. 27. Enter the following parameters in the Add Network section to create a new isolated network. Name Network Offering Ride-Net1 DefaultIsolatedNetworkOfferingWithSourceNatService 28. Enter the name of the VM: Name (Optional) Ride-A1 Check the review screen and click Launch VM. 29. Monitor the vxs-03 host in XenCenter. Notice that a new Virtual Router (r-19-vm) for the new Ride-Net1 isolated network is created. One Virtual Router gets created per network. In another minute or so the Ride-A1 VM is created (internal name is i-3-17-vm). 193

30. To inspect the new network infrastructure that was just created, use the Chrome browser to access the admin account (re-login if necessary): Username Password Domain admin Citrix123 Leave Blank

31. In the left navigation bar of the CloudPlatform GUI, click Network. Notice that there are now two isolated networks: one for the Sally.Ride account and one for the John.Glenn account.

32. Clicking each of the network nodes and looking at the details page, you can see that Glenn-Net1 and Ride-Net1 are on different VLANs, keeping the traffic separate. Your VLAN IDs may be different as they are assigned randomly. The two Guest networks are completely separate, as shown in the diagram below.

33. On the Firefox browser, in the left navigation bar of the CloudPlatform GUI, click Instances. Using Quickview, open the console for Ride-A1. Your IP address may be different.

34. Login using the following credentials: Username root Password

35. Enter the command: ping -c4 Glenn-A1
The VM Glenn-A1 is unknown on the Ride-Net1 network. The Virtual Router for the Ride-Net1 network provides the DNS lookup service for the network, but the scope is limited to VMs on that network (and the internet). The Glenn-A1 and Ride-A1 VMs are on separate isolated networks and have non-routable IP addresses, so direct communication is not possible.

36. Now try accessing the internet from Ride-A1 by entering the command: ping google.com
Notice that the ping hangs (even though the DNS lookup succeeded). This is because the default egress rules for Advanced zone isolated networks deny access to the internet. Do not cancel the ping.

37. On the Firefox browser, in the left navigation bar of the CloudPlatform GUI, click Network.

38. Click the Ride-Net1 node and then select the Egress rules tab. Notice that there are no egress rules registered.

39. Add an egress rule by entering or selecting the following parameters: Source CIDR /24 Protocol All
Click Add. This rule allows any VM on the Ride-Net /24 subnet to send traffic out to the internet.

40. Notice on Ride-A1's console that pinging google.com is now succeeding. You have successfully allowed the Guest VMs on the Ride-Net1 network access to the internet. Stop the ping by entering Ctrl-C.

Exercise Summary
You have seen that CloudPlatform's Advanced zone isolated networks use VLANs as the isolation mechanism. All VMs on the same isolated network can communicate with each other, but cannot communicate with VMs in other accounts. A network egress rule must be added to allow internet access for the VMs.

197 Exercise 2: Shared Networks Overview A shared network can be accessed by any Guest VM that is within the scope of the network. This enables Guest VMs that belong to different accounts (and are hence on separate isolated networks), the ability to communicate directly. Shared Networks can only be created by Cloud-Admin. During creation, the shared network scope can be designated zone-wide or can be limited to a certain domain or to a specific account. Often, for security and account isolation considerations, a shared network is assigned to a single domain. In this exercise you will: Create a shared VLAN network. Create a John.Glenn account VM (Glenn-A3) attached to both Glenn-Net1 and the new shared VLAN network. Create a Sally.Ride account VM (Ride-A2) attached to both Ride-Net1 and the new shared VLAN network. Verify that the Glenn-A3 VM can communicate directly with the Ride-A2 VM. The yellow highlighted section in the diagram below summarizes what is created in this exercise. The shared network is created on a non-routable subnet ( /24) of the public network, so the shared network Virtual Router offers no routing ability or advanced features such as Port Forwarding. Only DNS & DHCP services are offered. If needed, advanced services and routing of the shared network would need to be provided by an infrastructure router outside of CloudPlatform. 197

Step by step guidance
Estimated time to complete this exercise: 15 minutes.

1. Using the Chrome browser, you should currently be logged into CloudPlatform as Cloud-Admin. You must be Cloud-Admin to create a shared network. In the left navigation bar of the CloudPlatform GUI, click Network. Click Add Guest Network.

2. Enter or select the following parameters: Name AcmeShare-VLAN-200 Description Acme Shared Network VLAN-200 Zone London Physical network Public-Guest VLAN ID 200 Secondary Isolated VLAN ID Leave Blank Scope Domain Domain Root/Acme Sub Domain Access Leave Unchecked Network Offering Offering for Shared Networks IPv4 Gateway IPv4 Netmask IPv4 Start IP IPv4 End IP IPv6 Gateway Leave Blank IPv6 CIDR Leave Blank IPv6 Start IP Leave Blank IPv6 End IP Leave Blank Network Domain Leave Blank

Notice that with a shared network, the admin is allowed to specify the VLAN ID to be used. Since the VLAN ID is known, this allows equipment outside of CloudPlatform to be placed on the same VLAN. This is not possible with isolated networks. Check your entries in the next step.

199 Step 3. Action Check your entries carefully against the screenshot above and click OK. 4. The shared Network is added. 199

5. Using the Firefox browser, you should still be logged in as Sally Ride; if not, login using the following credentials: Username Sally.Ride Password 1 Domain Acme

6. Create a VM using the Sally.Ride account. In the left navigation bar of the CloudPlatform GUI, click Instances. Click Add Instance and enter or select the following parameters: Select a zone Select ISO or Template Select a template Compute Offering Data Disk Offering Affinity Groups London Template DemoVM Mini Instance No Thanks No Selection

Notice that the AcmeShare-VLAN-200 shared network is now available as an additional network option along with the Ride-Net1 isolated network. Making a network the default makes it the primary, or device 0, network. Check Default on the AcmeShare-VLAN-200 shared network (this will also automatically select this network). Leave Ride-Net1 selected also.

There is an issue clicking the Default button in this dialog when using Firefox, making it difficult to register the click. Try clicking the lower part of the radio button as highlighted above. Click Next.

7. Enter the VM name: VM Name Ride-A2
Notice only the default network name is listed. Click Launch VM.

8. On XenCenter, after a few seconds you will see the Virtual Router for this new shared network created:

9. Click on the new Virtual Router node and select the Networking tab. Notice the Virtual Router for the shared network has only two interfaces, while the isolated network's VRs had three. The shared network VR has no interface on the Public-Guest network, so no routing to the Public network is possible using this VR.

10. In another minute or so you will see the Ride-A2 VM start.

11. Click the Ride-A2 node and then select the NICs tab. Scroll down to see the two networks listed: the shared network, AcmeShare-VLAN-200, and the isolated network, Ride-Net1.

12. Using the Firefox browser, logout of Sally Ride's account and log in to John Glenn's account using the credentials: Username John.Glenn Password 1 Domain Acme

13. Create a VM using the John.Glenn account. In the left navigation bar of the CloudPlatform GUI, click Instances. Click Add Instance and enter or select the following parameters: Select a zone Select ISO or Template Select a template Compute Offering Data Disk Offering Affinity Groups London Template DemoVM Mini Instance No Thanks No Selection
Click Next.

14. Glenn-Net1 is the default network, but because the Glenn account is also within the scope of the shared "AcmeShare" network, that network is offered as an option too. Check Default on the AcmeShare-VLAN-200 shared network (this will also automatically select this network). Leave Glenn-Net1 selected also. Click Next.

15. Enter the VM Name: VM Name Glenn-A3
Check the review screen and if all is correct, click Launch VM.

16. In a few seconds the new VM appears in the CloudPlatform GUI.

17. Using Quickview, open a console for Glenn-A3. Wait for it to finish booting. Login using the following credentials: Username root Password

18. Enter the command: ping -c4 Ride-A2
Glenn-A3 is able to communicate with Ride-A2 directly through the shared network.

Exercise Summary
You have seen that a shared network can be used to allow VMs from two separate accounts to communicate.

Exercise 3: Port Forwarding & Load Balancing

Overview
Port forwarding allows remote computers (for example, computers on the internet) to connect to a specific computer or service within a private LAN. All Advanced zone Guest VMs have non-routable private IP addresses ( xxx). This means the Guest VMs are not directly accessible from the internet. While Guest VMs can access the internet outbound (through the CloudPlatform Virtual Router), and can receive responses back, communication cannot be initiated from the internet.

In this exercise you will:
Use Port Forwarding to allow a Guest VM to be accessed from the internet using remote command-line login, ssh. You will see that an end user is able to configure his isolated network's Virtual Router features for himself.
You will also explore Load Balancing. Load Balancing is similar to Port Forwarding, but with the ability to forward to two or more computers depending on rules such as how busy each computer is.

Step by step guidance
Estimated time to complete this exercise: 15 minutes.

1. Back on the Firefox browser (logged in as John.Glenn), in the left navigation bar of the CloudPlatform GUI, click Network.

2. Click the Glenn-Net1 node. Click View IP Addresses.

3. You will see a Public IP address [Source NAT] assigned to the Glenn-Net1 network. This Public IP address has been assigned to the Public side of the Virtual Router for the Glenn-Net1 network. The VR has one connection on the Public network and one on the isolated Glenn-Net1 network (plus a link-local interface). Once configured, the VR Port Forwarding service will forward traffic received on this Public IP to the assigned VM on the Glenn-Net1 network.

4. In the lab, the network represents a public network. In a real-world scenario the network would be a publicly accessible network such as Click the IP address node and then select the Configuration tab.

5. This screen allows you to configure the Virtual Router controlling the Firewall, Port Forwarding and Load Balancing for this network IP address. In the Firewall box, click View All.

6. The firewall controls Ingress (in-bound) traffic to the network. By default there are no firewall rules in place, so no ingress traffic is allowed. When adding an ingress rule, you must specify the source of the traffic (what IP address or range of IP addresses the traffic will come from), along with the type of traffic (e.g. TCP) and the port number or range of ports that should be allowed through the firewall. You must add a rule to allow ingress of internet ssh traffic (which uses port 22). Enter the following parameters to enable this rule. Source CIDR /0 Protocol TCP Start Port 22 End Port 22
Click Add.

7. The rule is added to allow port 22 traffic originating from any IP address through the firewall. Click the xxx node in the breadcrumb bar.

207 Step Action 8. Now that the ingress of port 22 traffic through the firewall has been enabled for this IP address, the destination Guest VM for the traffic can be specified. In the Port Forwarding box, click View All. 9. Enter or select the following parameters: Private Port Start 22 Private Port End 22 Public Port Start 22 Public Port End 22 Protocol TCP 10. This rule specifies that traffic received on Public network port 22 will be sent to Private network port 22 of the Guest VM selected in the next step. You can enter a range of ports here; the private and public ports may be different. Click Add. Select Glenn-A1 as the destination Guest VM. Click Apply. 207

11. The Guest VM Glenn-A1 will receive all port 22 TCP traffic arriving on the xxx Public IP address.

12. To demonstrate the Port Forwarding rule you have just set up, from the Student Desktop, launch the PuTTY application. This is a secure remote shell (ssh) application. Enter your xxx IP address (shown in the breadcrumb bar) as the Host name and also in the Saved Sessions box. (Your IP address may be different to that shown in the screen-shot above.) Click Save, then Open.

13. The first time you ssh into a server, you may get the following dialog box. Click Yes to throw caution to the wind and connect insecurely to this server. Enter the following credentials: Username root Password 1

14. You have accessed Glenn-A1 using the xxx Public IP address. The port forwarding rule has forwarded the ssh traffic on port 22 to the Glenn-A1 Guest VM. Type the following command to exit from the ssh session: exit

15. You will now set up a Load Balancing rule. This is similar to a Port Forwarding rule, but can be used with multiple VMs so the load is balanced amongst them. You can only do either Port Forwarding or Load Balancing with the same Public IP, so you must either acquire a new IP or delete the Port Forwarding rule. In the CloudPlatform GUI, delete the Port Forwarding rule by clicking the X next to the rule.

16. After deleting the rule, click the xxx IP address in the breadcrumb bar to return to the VR configuration screen.

210 Step 17. Action In the Load Balancing box, click View All. 18. To add a Load Balancing rule, enter the following parameters: Name LoadBal Public Port 22 Private Port 22 Algorithm Round Robin Stickyness Leave unchanged Health Check Leave unchanged Click Add. 19. Select both Glenn-A1 and Glenn-A2 and click Apply. 210

211 Step 20. Action The load balancing rule is applied. Click the + as highlighted above, to show the servers tied in to this load balancing rule. Additional servers can be added using the Add button or deleted using the X. (Do not do this at this time.) Inbound ssh traffic arriving on the xxx Public IP for the Glenn-Net1 network will be directed to Glenn-A1 or Glenn-A2 Guest VMs using a round-robin algorithm. 21. To demonstrate the load balancing rule you have setup, launch the PuTTY application again. Double-click the xxx IP address you saved earlier. (Your IP address may be different to that shown in the screen-shot above). 22. Login to the server using the following credentials: Username root Password 1 Notice from the prompt that the Glenn-A1 VM responded. Type exit at the prompt. 211

23. Launch the PuTTY application again and double click the saved xxx [Source NAT] IP address.

24. Login to the server using the following credentials: Username root Password 1
Notice this time the Glenn-A2 VM responded. Type exit at the prompt. You can repeat this as many times as you wish. Each time you connect, you will get the next server in the round-robin. If either of the servers is stopped, the remaining server will answer all requests.

25. Returning to XenCenter, reduce some of the clutter by collapsing the London-XS-Cluster1 node.

Exercise Summary
You have shown that CloudPlatform Guest VMs can be accessed using a public address through the use of Port Forwarding. Load Balancing can also be used to allow access to VMs from a public IP address and in addition allows the load to be balanced across two or more servers.
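The ingress path configured in Exercise 3 (firewall, then Port Forwarding or Load Balancing, then the Guest VM), modelled as an added example; it is not CloudPlatform code and not part of the original guide. The class names and the client address are constructed for illustration, and the one-service-per-Public-IP check follows the guide's statement in step 15.

```python
"""Toy model of the ingress path through an isolated network's Virtual Router.

Illustration only: class names and addresses are constructed, not CloudPlatform APIs.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FirewallRule:
    source_cidr: str
    protocol: str
    start_port: int
    end_port: int

    def allows(self, src: str, protocol: str, port: int) -> bool:
        return (protocol == self.protocol
                and self.start_port <= port <= self.end_port
                and ip_address(src) in ip_network(self.source_cidr))


@dataclass
class PortForward:
    public_port: int
    private_port: int
    vm: str


@dataclass
class LoadBalancer:
    public_port: int
    private_port: int
    vms: list
    cursor: int = 0  # position of the next round-robin candidate

    def pick(self, running: set):
        """Round robin over the members, skipping VMs that are stopped."""
        for _ in range(len(self.vms)):
            vm = self.vms[self.cursor % len(self.vms)]
            self.cursor += 1
            if vm in running:
                return vm
        return None


@dataclass
class PublicIP:
    firewall: list = field(default_factory=list)
    port_forwards: list = field(default_factory=list)
    load_balancers: list = field(default_factory=list)

    def add_port_forward(self, rule: PortForward) -> None:
        # Per the guide: Port Forwarding and Load Balancing cannot share a Public IP.
        if self.load_balancers:
            raise ValueError("this Public IP already carries a Load Balancing rule")
        self.port_forwards.append(rule)

    def add_load_balancer(self, rule: LoadBalancer) -> None:
        if self.port_forwards:
            raise ValueError("this Public IP already carries a Port Forwarding rule")
        self.load_balancers.append(rule)

    def route(self, src: str, protocol: str, port: int, running: set):
        """Return (vm, private_port) for an inbound connection, or None if dropped."""
        # With no matching firewall rule the traffic is dropped (default deny).
        if not any(r.allows(src, protocol, port) for r in self.firewall):
            return None
        for pf in self.port_forwards:
            if pf.public_port == port and pf.vm in running:
                return pf.vm, pf.private_port
        for lb in self.load_balancers:
            if lb.public_port == port:
                vm = lb.pick(running)
                if vm is not None:
                    return vm, lb.private_port
        return None


def open_to_any_source(rules):
    """Review helper: a source CIDR with prefix length 0 matches every client."""
    return [r for r in rules if ip_network(r.source_cidr).prefixlen == 0]


if __name__ == "__main__":
    running = {"Glenn-A1", "Glenn-A2"}
    client = "198.51.100.7"  # constructed client address
    ip = PublicIP()
    print("no rules:", ip.route(client, "tcp", 22, running))
    ip.firewall.append(FirewallRule("0.0.0.0/0", "tcp", 22, 22))  # any IPv4 source
    ip.add_port_forward(PortForward(22, 22, "Glenn-A1"))
    print("port forward:", ip.route(client, "tcp", 22, running))
    ip.port_forwards.clear()  # step 15: delete the rule before load balancing
    ip.add_load_balancer(LoadBalancer(22, 22, ["Glenn-A1", "Glenn-A2"]))
    print("load balanced:", [ip.route(client, "tcp", 22, running) for _ in range(3)])
    print("open to any source:", open_to_any_source(ip.firewall))
```

The open_to_any_source helper flags the lab's port 22 rule; outside a lab, the source CIDR for ssh would normally be limited to the administrators' address range.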

Exercise 4: Citrix NetScaler Integration

Overview

In this exercise you will:

- Add the NetScaler Appliance (VPX) into the infrastructure.
- Create a Network Offering using the NetScaler device.
- Create a NetScaler Powered isolated network from the Network Offering which will then be used as the isolated network for two Guest VMs.
- Using the CloudPlatform GUI, acquire a Public IP and configure a load balancing rule for the two Guest VMs on the NetScaler.

CloudPlatform handles the configuration of the NetScaler to implement the load balancing rules. Due to limitations in the lab environment you will not be able to actually see the NetScaler handling the HTTP traffic, but you will be able to examine the configuration changes that take place on the NetScaler.

Step by step guidance

Estimated time to complete this exercise: 30 minutes.

1. From XenCenter click your physical XenServer node and select the Console tab. Press <Enter> to login if necessary (no credentials are needed). Enter the command:

    start.sh NS

2. You will see the new NS1 VM start on XenCenter. This is a NetScaler VPX Appliance. Click the NS1 node and select the Console tab. Wait about two minutes until the NetScaler finishes booting and you see the login prompt, but do NOT login to the NetScaler console.

3. You must be Cloud-Admin to create network offerings, so back on the Chrome browser CloudPlatform GUI, if not already logged in as admin, log in using the following credentials:

    Username: admin
    Password: Citrix123
    Domain: Leave Blank

    In the left navigation bar, click Infrastructure, then Zones [View All], then the London node, then the Physical Network tab and finally the Public-Guest node. You should see the following screen: Click Network Service Providers [Configure] as shown above.

4. You see a list of supported providers or devices. Click the NetScaler node.

5. Click the Add NetScaler Device button.

6. Enter or select the following parameters to add a new NetScaler device:

    IP address: (NSIP)
    User Name: nsroot
    Password: nsroot
    Type: NetScaler VPX LoadBalancer
    Public Interface: 1/2
    Private Interface: 1/2
    GSLB Service: Leave Unchecked
    GSLB Service Public IP: Leave Blank
    GSLB Service Private IP: Leave Blank
    Number of retries: 2
    Dedicated: Leave Unchecked
    Capacity: Leave Blank

    Click OK.

7. Notice that the NetScaler is in a disabled state. Click the Enable button and click Yes to confirm.

8. The NetScaler you just added to CloudPlatform is enabled.

9. You now need to create a CloudPlatform Network Service Offering that includes the NetScaler device you just added. In the left navigation bar of the CloudPlatform GUI, click Service Offerings.

10. From the Service Offering drop-down list, select Network Offering. Click Add network offering.

11. Enter or select the following parameters to add a new Network Offering:

    Name: NS-Powered-Network
    Description: NetScaler Powered Network
    Network Rate (Mb/s): Leave Blank
    Guest Type: Isolated
    Persistent: Leave Unchecked
    Specify VLAN: Leave Unchecked
    VPC: Leave Unchecked
    Supported Services: VPN: Check & Leave Virtual Router as the provider
    Supported Services: DHCP: Check & Leave Virtual Router as the provider
    Supported Services: DNS: Check & Leave Virtual Router as the provider
    Supported Services: Firewall: Check & Leave Virtual Router as the provider
    Supported Services: Load Balancer: Check & Select NetScaler as provider
    Supported Services: User Data: Check & Leave Virtual Router as the provider
    Supported Services: Source NAT: Check & Leave Virtual Router as the provider
    Supported Services: Static NAT: Leave Unchecked
    Supported Services: Port Forwarding: Check & Leave Virtual Router as the provider
    Supported Services: Security Groups: Leave Unchecked
    Supported Services: Network/ACL: Leave Unchecked
    Supported Services: Virtual Networking: Leave Unchecked
    Supported Services: BaremetalPxeSvc: Leave Unchecked
    System Offering for Router: None
    Redundant Router Capability: Leave Unchecked
    Supported Source NAT Type: Per Account
    LB Isolation: Shared
    Conserve Mode: Leave Unchecked
    Tags: Leave Blank
    Default Egress Policy: Allow

    Note: Only the entries shown in blue need to be changed. Ensure NetScaler is selected as the Load Balancer Provider.

    Click OK to create a new Network offering.

12. By default a new Network Offering is created in the Disabled state.

13. Click the NS-Powered-Network node. Click the Enable button and click Yes to confirm.

14. You will now create a new network based on the NS-Powered-Network Offering. In the left navigation bar of the CloudPlatform GUI, click Network.

15. Click Add Isolated network.

16. Enter or select the following parameters to create a new network:

    Name: NS-LB-Net1
    Display Text: NS-LB-Net1
    Zone: London
    Network Offering: NS-Powered-Network
    Guest Gateway: Leave Blank
    Guest Netmask: Leave Blank
    Network Domain: Leave Blank
    Domain: Leave Blank

    Click OK to create the isolated network.

17. The NetScaler based isolated network has been created.

18. In the left navigation bar of the CloudPlatform GUI, click Instances. Enter or select the following parameters to create a VM using the new NS-LB-Net1 network:

    Select a zone: London
    Select ISO or Template: Template
    Select a template: DemoVM
    Compute Offering: Mini Instance
    Data Disk Offering: No Thanks
    Affinity Groups: No Selection
    Network: NS-LB-Net1
    Instance Name: WebServer-1

    Click Launch VM. Go immediately to the next step.

19. Enter or select the following parameters to create a second VM using the new NS-LB-Net1 network:

    Select a zone: London
    Select ISO or Template: Template
    Select a template: DemoVM
    Compute Offering: Mini Instance
    Data Disk Offering: No Thanks
    Affinity Groups: No Selection
    Network: NS-LB-Net1
    Instance Name: WebServer-2

    Click Launch VM.

20. Wait for both new Guest VMs to be running:

21. In the left navigation bar of the CloudPlatform GUI, click Network.

22. Click the NS-LB-Net1 node. Scroll down and notice the VLAN ID and CIDR that was assigned to this network. You will see how this information is used on the NetScaler device later. Click View IP Addresses.

23. This shows the Public IP assigned to the Public side of the NS-LB-Net1 network Virtual Router. We need to acquire a new Public IP address to use for the Public side of the NetScaler. Click Acquire New IP and click OK to confirm.

24. A second Public IP is added to the network. You will use this new IP as the VIP (Virtual Server IP) address of the NetScaler Virtual Server handling this load balancing rule. Click the new IP address that was added (not the one labeled [Source NAT]).

25. Click the Configuration tab and then, Load Balancing / View All. When using a NetScaler there is no need to open ports through the firewall like you did when using the Virtual Router.

26. Enter or select the following parameters to add a new Load Balancing policy:

    Name: NS-LB
    Public Port: 80
    Private Port: 80
    Algorithm: Round-Robin

27. Click Add to create the Load Balancing policy.

28. Now select WebServer-1 and WebServer-2 to add the VMs to be load balanced. Click Apply.

29. The load balancing policy has been created and has been pushed to the NetScaler (you will see this later). Click the + icon to show the servers configured in this policy. This completes the integration of NetScaler to balance HTTP traffic that hits the Public IP onto the two CloudPlatform VMs specified. Unfortunately, after all that work, in the lab you cannot see the NetScaler in action load balancing the web servers. This is due to a limitation in the virtual XenServers used in the lab. This of course is not a problem when using physical XenServers. You can however explore the NetScaler appliance configuration to show how CloudPlatform set up the NetScaler to be a load balancer in the cloud.

30. Create a new tab on your Chrome web browser and enter the following URL:

    Log in to the NetScaler using the following credentials:

    Username: nsroot
    Password: nsroot

31. You will see the NetScaler System "Configuration" screen. Expand Traffic Management by clicking on the as shown above.

32. Expand Load balancing by clicking on the as shown above.

33. Click Virtual Servers.

34. Notice that the CloudPlatform load balancing policy has been pushed to the NetScaler device and that you have one NetScaler Virtual Server set up:

35. This Virtual Server processes incoming HTTP requests to Public IP address (Your IP address may be different). The IP address of this Virtual Server, or the VIP, is the same as the extra IP address you acquired for the NS-LB-Net1 network. The virtual server is Down due to the limitation mentioned with the virtual XenServer.

36. Click on Servers. This shows the servers that will handle the HTTP traffic for this policy. The 2 IP addresses listed are the IP addresses of the WebServer-1 and WebServer-2 VMs.

37. Click Services.

38. A NetScaler Service is a combination of a service and a port number; for this service the port number is

39. Navigate to System, then expand Network, then click IPs:

    The first three IP addresses you see are the NSIP, MIP & SNIP which were pre-configured in the NetScaler appliance template. The fourth IP is another Subnet IP and is used as a back channel to the servers that are being load balanced (WebServer-1 and WebServer-2). This IP is part of the same CIDR as the NS-LB-Net1 network. The fifth IP is the VIP - the IP of the NetScaler Virtual Server for this policy.

40. In the next module you will create a Virtual Private Cloud running a web site Content Management System (CMS). This requires the use of VMs with more RAM than the mini instance used so far, so you must make some room on vxs-03 for these larger VMs. Rather than having you delete and expunge all the VMs manually, you will reset the lab to clear all the user VMs from vxs-03. Click your physical XenServer node and select the Console tab. If prompted, hit Enter to Login.

41. Enter the following command to prepare the lab for module 9.

    labreset.sh M9

    Wait at least five minutes before proceeding with module 9.

Exercise Summary

You have integrated a NetScaler into your CloudPlatform and used it to set up load balancing of HTTP traffic to two web servers.

Module 9 Virtual Private Cloud

CloudPlatform Virtual Private Cloud (VPC) allows the end-user to create a tiered network (such as web / application / database), complete with VLAN segregation and ACLs providing security not only from the outside, but also between tiers. The user has complete control over the virtual networking environment, including selection of the IP addresses used, creation of subnets, and configuration of route tables and network gateways.

The user can easily customize the network configuration for their VPC. For example, they can create a public-facing subnet for webservers that has access to the internet, and place backend systems such as databases or application servers in a private-facing subnet with no internet access. They can leverage multiple layers of security, including security groups and network access control lists, to help control access to VMs in each subnet.

CloudPlatform VPC also offers Private Gateways and VPN to leverage the Cloud as an extension of your corporate datacenter.

Major Components of a VPC

A VPC acts as a container for multiple isolated networks that can communicate with each other via a dedicated Virtual Router. The VPC is comprised of the following network components:

- Network Tiers: Each tier acts as an isolated network with its own VLAN and CIDR list, where you can place VMs. The tiers are segmented by means of VLANs. The NIC of each tier acts as its gateway.
- Virtual Router: A dedicated Virtual Router is automatically created and started when you create a VPC. The Virtual Router connects the tiers and directs traffic among the public gateway, the VPN gateways, and the NAT VMs. For each tier, a corresponding NIC and IP exist in the Virtual Router. The Virtual Router also provides DNS and DHCP services.
- ACL: A network Access Control List can be defined on the VPC virtual router to control incoming (ingress) and outgoing (egress) traffic between the VPC tiers, and between the tiers and the Internet.
Network ACL items are numbered rules that are evaluated in order, starting with the lowest numbered rule. These rules determine whether traffic is allowed in or out of any tier associated with the network ACL.

Joomla is a content management system (CMS), which enables you to build Web sites and powerful online applications. In this module, you will set up a Virtual Private Cloud to host a Joomla system consisting of a Web Server and a MySQL Database server.

In this module you will create a VPC consisting of two tiers. The Web tier will have a Web Server application that is accessible from the public internet. The Database tier will have a MySQL database application that is used by the Web Server. You will lock down the network traffic using ACLs for each tier. The Web tier will allow only HTTP and SQL network traffic and the Database tier will only allow SQL traffic. The Web Server must have access to the database server to function.

The Joomla Web Server and MySQL Database have been pre-configured to save time in the lab. The two servers are available as two VM templates that will be imported into CloudPlatform by the user. The VPC is also created and fully configured by the user requiring no Cloud-Admin support.

Exercises in this module

- Exercise 1: Download the two Joomla server templates into CloudPlatform.
- Exercise 2: Set up the VPC with two tiers: Web Server tier & Database Server tier.
- Exercise 3: Set up the Access Control Lists for the tiers to lock down traffic flow.
- Exercise 4: Create the Joomla Web Server and Database server VMs.
- Exercise 5: Test the Joomla system.

Exercise 1: Download Joomla Templates

Overview

Joomla is easy to install, but to speed things up in the lab, the Joomla Web Server and Database Server have been pre-installed and configured and made available as two templates, Joomla-ws and Joomla-db. The templates have been placed on the Student Desktop web server ready for downloading into CloudPlatform.

In this exercise you will:

- Download the two Joomla server templates into CloudPlatform.

Step by step guidance

Estimated time to complete this exercise: 15 minutes.

1. Log in to the Firefox browser CloudPlatform GUI using Sally Ride's credentials:

    Username: Sally.Ride
    Password: 1
    Domain: Acme

2. In the left navigation bar of the CloudPlatform GUI, click Templates. Notice as a user (i.e. not admin) the template filter defaults to Mine, showing only the templates belonging to the user. Click Register Template.

3. First you will register the Joomla Database Server template by entering or selecting the following parameters:

    Name: Joomla-db
    Description: Joomla Database Server
    URL:
    Zone: London
    Hypervisor: XenServer
    Format: VHD
    OS Type: CentOS 6.3 (64-bit)
    Extractable: Leave Unchecked
    Password Enabled: Leave Unchecked
    Dynamically Scalable: Leave Unchecked
    Public: Leave Unchecked
    HVM: Uncheck

    Click OK.

4. Notice you now have the Joomla Database Server template available, although it is probably still being downloaded. Click the Joomla-db template node and then the Zones tab.

5. Note the Status on the details tab. Click Refresh until you confirm the template is downloading. Then you can proceed to the next step without waiting for it to complete.

6. In the left navigation bar of the CloudPlatform GUI, click Templates. Click Register Template.

7. Next you will register the Joomla Web Server template by entering or selecting the following parameters:

    Name: Joomla-ws
    Description: Joomla Web Server
    URL:
    Zone: London
    Hypervisor: XenServer
    Format: VHD
    OS Type: CentOS 6.3 (64-bit)
    Extractable: Leave Unchecked
    Password Enabled: Leave Unchecked
    Dynamically Scalable: Leave Unchecked
    Public: Leave Unchecked
    HVM: Uncheck

    Click OK.

8. As with the Joomla Database template, verify that the Joomla Web Server template is downloading. Once you have confirmed that it is downloading, move to the next exercise.

Exercise Summary

You have downloaded the Joomla server templates from the Student Desktop server.

Exercise 2: Setup a VPC with two tiers

Overview

In this exercise you will:

- Set up a VPC with two tiers.

Step by step guidance

Estimated time to complete this exercise: 10 minutes.

1. In the left navigation bar of the CloudPlatform GUI, click Network and in the Select View dropdown, select VPC. Click Add VPC.

2. Create a new VPC by entering or selecting the following parameters:

    Name: Joomla
    Description: Joomla CMS
    Zone: London
    Super CIDR for Guest Networks: /16
    DNS Domain for Guest Networks: Leave Blank
    Public Load Balance Provider: VpcVirtualRouter

    The Super CIDR defines the CIDR range for all the tiers (guest networks) within the VPC. Each tier must have a CIDR within the Super CIDR value entered here. Click OK.

3. It takes a little over a minute to create the VPC. Once the VPC has been created, click on Configure.

4. To create the first tier of the VPC, enter or select the following parameters:

    Name: Web Tier
    Network Offering: DefaultIsolatedNetworkOfferingForVpcNetworks
    Gateway:
    Netmask:
    ACL: Leave Blank

    This will set up the Web Tier on the /24 subnet. It is implemented as an isolated network using a VLAN. You will define and add the ACL in the next exercise. Click OK.

5. The Web Tier has been created. Add a second tier by clicking Create Network.

6. Enter or select the following parameters:

    Name: Database Tier
    Network Offering: DefaultIsolatedNetworkOfferingForVpcNetworksNoLB
    Gateway:
    Netmask:
    ACL: Leave Blank

    This will set up the Database Tier on the /24 subnet. It is implemented as another isolated network; the VLAN is different from the Web Tier. You will define and add the ACL in the next exercise. Click OK.

7. The Database tier has been added.

8. In the left navigation bar of the CloudPlatform GUI, click Network. Notice that Sally has two new isolated networks with the subnets you specified.

Exercise Summary

You have set up a VPC with two tiers.

Exercise 3: Setup the Access Control Lists

Overview

A network Access Control List (ACL) can be defined on the VPC virtual router to control incoming (ingress) and outgoing (egress) traffic between the VPC tiers, and the tiers and Internet.

In this exercise you will:

- Set up the Access Control Lists for each of the tiers to lock down traffic flow.

Step by step guidance

Estimated time to complete this exercise: 10 minutes.

1. In Select View, select VPC and click Configure for the Joomla node.

2. You have set up the two tiers of the VPC and now need to set up the Access Control Lists to allow the following traffic into the relevant tiers:

    Click on the Network ACL Lists. You see there are the two default ACLs to Allow All traffic and Deny All Traffic. You will create two new ACLs to lock down the network traffic in the VPC, while still meeting the requirements of the Joomla system. Click Add ACL List.

3. Create an ACL for the Web Tier. Enter the following parameters:

    ACL List Name: WebTierACL
    Description: WebTier ACL

    Click OK.

4. The new WebTier ACL is added. Click Add ACL List again to create an ACL for the Database Tier.

5. Enter the following parameters:

    ACL List Name: DBTierACL
    Description: DBTier ACL

    Click OK.

6. The new DBTier ACL is added.

7. You now need to configure the rules in each of the newly added ACLs. Click on the WebTierACL node and select the ACL List Rules tab.

8. The first rule you need to add for the Web tier is to allow the ingress of TCP traffic from the internet (any IP address) that arrives on port 80 (http traffic). Enter or select the following parameters:

    Rule Number: 1
    CIDR: /0
    Action: Allow
    Protocol: TCP
    Start Port: 80
    End Port: 80
    Traffic Type: Ingress

    Leave all other entries blank and click Add. You will need to scroll to the right to see the Add button.

9. The ACL rule is added.

10. You now need to add a second rule to allow the SQL traffic on port 3306 to egress the Web Tier to go to the Database tier ( ). For an Egress rule, the CIDR specifies the destination of the traffic. For an Ingress rule, the CIDR specifies the source of the traffic. Enter or select the following parameters:

    Rule Number: 2
    CIDR: /24
    Action: Allow
    Protocol: TCP
    Start Port: 3306
    End Port: 3306
    Traffic Type: Egress

    Make sure you select Egress for this rule. Leave all other entries blank and click Add.

11. This completes the rules for the Web tier. You have specified two types of traffic to allow for the Web Tier:

    1. Allow HTTP traffic to ingress the layer from the web (and allow response back)
    2. Allow SQL traffic to egress the layer to the Database layer (and allow response back)

    Any traffic that does not match either of these rules will be blocked. Click Router Network ACL Lists in the breadcrumb bar.

12. Click on the DBTierACL node and select the ACL List Rules tab.

13. You need to add a rule to allow SQL traffic into the Database tier from the Web tier ( ).

14. Enter or select the following parameters:

    Rule Number: 1
    CIDR: /24
    Action: Allow
    Protocol: TCP
    Start Port: 3306
    End Port: 3306
    Traffic Type: Ingress

    Leave all other entries blank and click Add. This completes the rules for the Database tier. You have specified one type of traffic to allow for the Database Tier:

    1. Allow SQL traffic to ingress the layer from the Web layer (and allow response back)

    Any traffic that does not match this rule will be blocked.

15. You now need to set the ACL to be used by each tier. Click Joomla CMS in the breadcrumb bar.

16. Click the arrow in the top right corner of the Web tier to view the details of the tier.

17. Click the Replace ACL icon.

18. Select the WebTierACL and click OK.

19. Scroll down the details screen to verify the ACL was replaced. Click on Joomla CMS in the breadcrumb bar.

20. Click the arrow in the top right corner of the Database tier to view the details of the tier.

21. Click the Replace ACL icon.

22. Select the DBTierACL and click OK.

Exercise Summary

You have created ACLs to control the traffic flow to and between the tiers, and you have assigned them to the two tiers.
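The following added example (not part of the original lab guide and not CloudPlatform code) models the two ACLs built in this exercise so you can check which flows they permit, including the effect of swapping the Database tier to default_deny as done later in Exercise 5. The tier subnets and host addresses are constructed placeholders, not the lab's values, and the model assumes the first matching rule decides, unmatched traffic is blocked, and replies to allowed connections are permitted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for illustration only; they are not the lab's addresses.
WEB_TIER = ipaddress.ip_network("10.0.1.0/24")
DB_TIER = ipaddress.ip_network("10.0.2.0/24")
WEB_VM, DB_VM, INTERNET_HOST = "10.0.1.10", "10.0.2.10", "203.0.113.5"


@dataclass(frozen=True)
class Rule:
    number: int
    cidr: str          # Ingress: source of the traffic; Egress: destination
    action: str        # "Allow" or "Deny"
    protocol: str
    start_port: int
    end_port: int
    traffic_type: str  # "Ingress" or "Egress"


# The rules entered in this exercise, using the constructed subnets above.
WEB_TIER_ACL = [
    Rule(1, "0.0.0.0/0", "Allow", "TCP", 80, 80, "Ingress"),      # any IP address
    Rule(2, str(DB_TIER), "Allow", "TCP", 3306, 3306, "Egress"),
]
DB_TIER_ACL = [
    Rule(1, str(WEB_TIER), "Allow", "TCP", 3306, 3306, "Ingress"),
]
DEFAULT_DENY = []  # stand-in for the built-in default_deny list: nothing is allowed


def evaluate(acl, traffic_type, peer_ip, protocol, port):
    """Return the action of the lowest-numbered matching rule, else "Deny"."""
    peer = ipaddress.ip_address(peer_ip)
    for rule in sorted(acl, key=lambda r: r.number):
        if (rule.traffic_type == traffic_type
                and rule.protocol == protocol
                and rule.start_port <= port <= rule.end_port
                and peer in ipaddress.ip_network(rule.cidr)):
            return rule.action
    return "Deny"  # traffic that matches no rule is blocked


def flow_allowed(src_ip, dst_ip, protocol, port, tier_acls):
    """Check a new connection against the ACL of every tier it crosses.

    Leaving a tier consults that tier's Egress rules (peer = destination);
    entering a tier consults its Ingress rules (peer = source).
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for net, acl in tier_acls.items():
        if src in net and dst in net:
            continue  # traffic inside one tier does not cross the router
        if src in net and evaluate(acl, "Egress", dst_ip, protocol, port) != "Allow":
            return False
        if dst in net and evaluate(acl, "Ingress", src_ip, protocol, port) != "Allow":
            return False
    return True


def lab_results(db_acl=DB_TIER_ACL):
    """Evaluate the flows the lab cares about for a given Database tier ACL."""
    acls = {WEB_TIER: WEB_TIER_ACL, DB_TIER: db_acl}
    return {
        "internet -> web tcp/80": flow_allowed(INTERNET_HOST, WEB_VM, "TCP", 80, acls),
        "internet -> web tcp/22": flow_allowed(INTERNET_HOST, WEB_VM, "TCP", 22, acls),
        "web -> db tcp/3306": flow_allowed(WEB_VM, DB_VM, "TCP", 3306, acls),
        "web -> db tcp/22": flow_allowed(WEB_VM, DB_VM, "TCP", 22, acls),
        "internet -> db tcp/3306": flow_allowed(INTERNET_HOST, DB_VM, "TCP", 3306, acls),
    }


if __name__ == "__main__":
    for label, db_acl in (("DBTierACL", DB_TIER_ACL), ("default_deny", DEFAULT_DENY)):
        print(f"Database tier ACL = {label}")
        for flow, allowed in lab_results(db_acl).items():
            print(f"  {flow:26s} {'Allow' if allowed else 'Deny'}")
```

Because rules are evaluated lowest number first, a Deny rule numbered below an Allow rule for an overlapping CIDR takes precedence for the addresses it covers.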

Exercise 4: Create the two Joomla server VMs

Overview

In this exercise you will:

- Create the two Joomla server VMs.

Step by step guidance

Estimated time to complete this exercise: 15 minutes.

1. In the left navigation bar of the CloudPlatform GUI, click Templates, then click the Joomla-db node, then click the Zones tab. Verify that the status is Download Complete and that the template is ready. If the template is still downloading or installing, you must wait for it to complete. Click Refresh until you see that the template is ready.

2. In the same way, check the Joomla-ws template has also completed downloading and is ready.

3. In the left navigation bar of the CloudPlatform GUI, click Network. In Select View, select VPC and click Configure for the Joomla node.

4. Click on the Database tier Virtual Machines box.

5. There are currently no VMs running in this tier. Click Add Instance.

6. Enter or select the following parameters:

    Select a zone: London
    Select ISO or Template: Template
    Select a template: Joomla-db
    Compute Offering: Small Instance (Use the Small Instance!)
    Data Disk Offering: No Thanks
    Affinity Groups: No Selection
    Tier: Database Tier
    IP Address (Optional): Leave Blank
    VM Name: Joomla-db

    Notes:
    1. You will find the Joomla templates on the My Templates tab.
    2. Ensure that you use this exact VM name.

    Click Launch VM.

7. Wait about three minutes until Joomla-db is running. Click Joomla CMS in the breadcrumb bar.

8. Click on the Web tier Virtual Machines box.

9. There are currently no VMs running in the Web tier. Click Add Instance.

10. Enter or select the following parameters:

    Select a zone: London
    Select ISO or Template: Template
    Select a template: Joomla-ws
    Compute Offering: Small Instance (Use the Small Instance!)
    Data Disk Offering: No Thanks
    Affinity Groups: No Selection
    Tier: Web Tier
    IP Address (optional): Leave Blank
    VM Name: Joomla-ws

    Click Launch VM.

11. Wait about three minutes until Joomla-ws is running, then click on Joomla CMS in the breadcrumb bar.

12. Each tier has one VM running.

Exercise Summary

You have created the Web Server and Database Server components of the Joomla system.

Exercise 5: Test the Joomla CMS System

Overview

In this exercise you will:

- Assign a Public IP to the Joomla Web Server to allow access from the internet.
- Verify that you can access the Joomla Web site from the internet.
- Interrupt the communication between the Web Server and the Database server and note that the web site stops working.

Step by step guidance

Estimated time to complete this exercise: 10 minutes.

1. Click the Public IP Addresses box in the Router box.

2. Click Acquire New IP and confirm by clicking OK.

3. This will be the IP used to access the Joomla system from the Internet. Click the newly acquired IP node and then select the Configuration tab.

4. Click View All in the Load Balancing box.

5. Ensure that the Tier is set to Web Tier because you want to load balance into the Web tier. Traffic from the internet will come in on Public Port 80 and we want to send it to Private Port 80. Enter or select the following parameters:

    Name: Web-LB
    Public Port: 80
    Private Port: 80
    Algorithm: Round-Robin
    Stickiness: Leave Unchanged
    Health Check: Leave Unchanged

    Click Add.

6. You will see a list of the VMs available to be used for this load balancing rule. While you currently only have one VM, you could have several and the load will be shared between the VMs using the algorithm specified in the previous step (Round-Robin). Check Select for the Joomla-ws node and click Apply.

7. You have now engaged a load balancing rule that will forward all internet traffic to the specified server or servers. Click on the for the new rule to show the server(s) configured as part of the rule.

8. Notice that the rule is configured to use Joomla-ws.

9. Create a new tab on your Firefox web browser and enter the IP Address acquired in step 3 of this exercise (you can see it in your breadcrumb bar). Your IP address may be different from the one shown here.

10. After a few seconds you should see the Joomla web site:

    Click on the links on the web page and notice the web site functions as you would expect.

11. Returning to the CloudPlatform tab in the Firefox browser, click on Joomla CMS in the CloudPlatform GUI breadcrumb bar.

12. Click the arrow in the top right corner of the Database tier to view the details of the tier.

13. Click the Replace ACL icon. Select the default_deny ACL and click OK. This ACL denies access to the tier for all network traffic. This will prevent the SQL requests from the Web Server reaching the Database tier and hence the Web Server will not be able to display the results.

14. Return to the Joomla web page tab and notice that the web site links no longer work because the Joomla database is inaccessible. After about 30 seconds, you get an error message indicating the database server did not respond.

15. Replace the Database tier ACL with DBTierACL and notice that the web site immediately functions normally (click refresh on the Joomla web page tab).

Exercise Summary

You have shown a real-world application running in a VPC and how ACLs are used to control network traffic.

Module 10 Troubleshooting

In this module you will learn about troubleshooting CloudPlatform problems. The CloudPlatform Management Server logs all activities for diagnostics purposes. This includes a variety of error messages. The system VMs (Secondary Storage, Console Proxy and Virtual Router) log their activities separately.

Exercises in this module

- Exercise 1: Troubleshooting using the Management Server log.
- Exercise 2: Accessing the CloudPlatform System VM console and logs.

Exercise 1: Management Server Log

Overview

In this exercise you will:

- Learn the basics of troubleshooting CloudPlatform problems using the CloudPlatform Management Server log file: /var/log/cloudstack/management/management-server.log

Step by step guidance

Estimated time to complete this exercise: 10 minutes.

1. Continue using the Firefox browser where you should be logged in as Sally.Ride. In the left navigation bar of the CloudPlatform GUI, click Instances. Click Add Instance and enter or select the following parameters to create a new VM:

    Select a zone: Paris
    Select ISO or Template: Template
    Select a template: DemoVM
    Compute Offering: Large-Instance
    Data Disk Offering: No Thanks
    Affinity Groups: No Selection
    Security Group: default
    Instance Name: Large-Instance

    Click Launch VM.

2. Since Large-Instance is requesting more computing resources than CloudPlatform has available, you can expect a problem in trying to deploy this VM. After a few seconds the following message pops up to inform the user that the deployment fails. For various reasons, CloudPlatform is non-specific about the cause of the problem. Note the name of the VM shown in the pop-up, in this case i-5-29-vm. This is the internal name of the VM that you just tried to deploy (your name may be different). Leave the status window open so you can refer to the VM name later.

3. To find out why the VM could not be deployed, a user would need to contact his cloud administrator because users cannot access the CloudPlatform server log. Cloud Admin can access the CloudPlatform Server log to determine the reason for the deployment failure. The log is located on the cpman VM in the following file:

    /var/log/cloudstack/management/management-server.log

    You could search through the log file on the cpman console, but using the PuTTY application will allow for a much larger screen, which makes the log easier to read. From the Student Desktop launch PuTTY:

4. You should see a Saved Session named cpman. Double click cpman to connect to the CloudPlatform Management Server. If you get the above security warning, throw caution to the wind again and ignore it by clicking on Yes.

5. Log in to the new PuTTY window using the following credentials:

    Username: root
    Password: Citrix

6. Enlarge the PuTTY console as wide and tall as you can make it; this makes the log easier to read. Enter the following command:

    less /var/log/cloudstack/management/management-server.log

    (To paste into the PuTTY console, just right click in the console.) Now search for the name of the VM that failed to launch by entering the command (it is case sensitive):

    /i-5-29-vm

7. You should see a group of the search terms highlighted. Since the lines wrap, the layout of the highlights may look different depending on the width of your screen. You can use other viewers such as vi, but "less" highlights all the search terms found at once, which makes it easier to locate the problem.

8. Looking through the log at the highlighted entries, you first see where CloudPlatform is allocating resources for the new VM:

    Scrolling down further (using the down arrow key) you see where CloudPlatform was unable to find a host with enough CPU and/or RAM capacity to run the VM, and therefore cannot run the VM you were trying to start. Use the arrow keys to move around the file. Do not use the mouse!

Exercise Summary

You have learned how to access and search through the CloudPlatform event log to troubleshoot problems.

Exercise 2: System VM Access and Logs

Overview

In this exercise you will:

- Learn how to access the console of any of the CloudPlatform System VMs.
- View the IP routing table of the System Virtual router responsible for the VPC you created in the previous module.
- View the VR's event log.

Step by step guidance

Estimated time to complete this exercise: 10 minutes.

1. Using the Chrome browser (logged in as admin), in the left navigation bar of the CloudPlatform GUI, click Infrastructure. Click Virtual Routers / View All. You can access the Console Proxy & Secondary Storage VMs using View All in the System VMs box.

2. Use the Quickview menu for the VPC router to bring up the console for this router. While the node name may vary, you can always identify the router using the Public IP address assigned shown in the second column.

3. The system VM password is set randomly when the CloudPlatform management server is installed. The password can be found in Global Settings.

4. In the left navigation bar of the CloudPlatform GUI, click Global Settings. In the Search box enter password and click the search icon.

5. Fifth on the list is system.vm.password, which in this case is set to AMUBH5Wp. You can also change the password here, but for now just note it for the next step. Login to the System VM using the following credentials:

    Username: root
    Password: From Previous Step

6. Show the IP routing table using the route command:

    route

7. From the IP routing table you can see the VPC router has four interfaces:

- Public Network
- Guest Network (Web Tier)
- Guest Network (Database Tier)
- Link-Local Hypervisor connection

8. You can view the System VM event log using the command:

    less /var/log/cloud.log

9. You can browse through the log using the arrow keys.

Exercise Summary

You have learned how to access the CloudPlatform System VM consoles and how to access the System VM event logs.

Appendix

Appendix 1: Editing Files with vi

Overview

vi is a screen-oriented text editor originally created for the Unix operating system in That is not a typo. While vi is almost 40 years old, it is still the de-facto standard for text file editing in the Linux/Unix world and is not going away anytime soon. While there are file editors available for Linux that are easier to use, they are often not available when you need them, whereas vi is almost always there, ready and willing! If you will be working with Linux, you might as well learn vi.

Modal Editor

vi is a modal editor operating in either insert mode or command mode. vi operates only from the keyboard so, since there is no mouse to move the cursor, keystrokes are used not only to enter text into the file, but also to move the cursor and control the function of the editor. While for newbies this is cumbersome, for experts, it can be much faster than using a mouse. In the right hands vi is a very powerful editor that can run rings around any mouse driven counterpart with its rich, powerful set of features. You, however, only need some simple basic functions to edit the files in this lab, so you'll be up and running in no time.

Insert mode

In insert mode, most keystrokes become part of the document.

    i        Enter insert mode

Command mode

In command mode, keystrokes control the edit session.

    <ESC>    Enter command mode

Moving the cursor

You can use the arrow keys to move the cursor around in either mode.

Deleting

When in command mode, you delete text using either of the following commands:

    x        Deletes the character under the cursor
    dd       Deletes the current line

Writing & Quitting

Once you have edited the file, you can write the file and / or quit vi using the following commands:

    <ESC>:wq    Writes the file and quits vi
    <ESC>:q!    Quits vi without writing the file (handy if you mess up)

In this appendix, you will edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file to set up the cpman network. The step-by-step instructions assume you have not previously edited the file.

Step by step guidance

Estimated time to complete this exercise: 10 minutes.

1. On the cpman console, enter the following:

    vi /etc/sysconfig/network-scripts/ifcfg-eth0

2. You will see the following (your HWADDR and UUID will be different):

3. You will see the cursor at the top left corner (the character is shown in inverse). The editor starts in command mode at this point, meaning keystrokes control the edit session.

4. Remembering not to use the mouse, move the cursor to the third line by pressing the down arrow key twice:

5. Press the d key twice to delete the HWADDR= line.

6. Move the cursor to the last line using the down arrow key.

7. Press the d key twice to delete the UUID= line.

8. Using the arrow keys, move the cursor to the d of dhcp in the second line.

9. Press the x key four times to delete four characters (dhcp).

10. Press the i key to put vi into insert mode. Notice the insert mode indicator at the bottom of the screen.

11. Type the word none.

12. Hit the <ESC> key to come out of insert mode and use the arrow keys to move the cursor onto the n of the word no in the fourth line.

13. Press the x key twice to delete two characters (no).

14. Press the i key to put vi into insert mode and type the word yes.

15. Use the arrow key to move past the end of the last line.

16. Hit <Enter> to open up a new line.

17. Highlight and copy (Ctrl-C) the following three lines from this document:

    IPADDR=
    NETMASK=
    GATEWAY=

Back in vi, right click the console and select Paste:

19. The text has been pasted. This completes editing of the file. Compare your file with the listing above. Yours should look exactly the same; check carefully for missing characters or typos.

20. To save and exit, press the <ESC> key to get out of insert mode, followed by:

    :wq

That was easy, wasn't it? You can use the same principles to edit the other configuration files needed in this lab. Remember to take your time, and if you mess up a file and just want to quit without saving, press the <ESC> key and then type:

    :q!

This will abort the edit; nothing is written to the file, so you can try again.

Appendix Summary

You have learned a few basic vi commands to permit you to edit the files needed for this lab using vi.
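The edits made in steps 5 to 19 can also be applied by a script, which makes the change repeatable and keeps a copy of the original file. This is an added example, not part of the lab guide: the function names, the sample file contents and the 192.0.2.x addresses (documentation-range placeholders standing in for the lab's own values) are assumptions.

```shell
#!/bin/sh
# Added example: the vi edits from Appendix 1 applied by a script.

# Succeed only if $1 is a dotted-quad IPv4 address with octets in 0..255.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots into $1..$n
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Write a constructed ifcfg file to $1 (HWADDR and UUID are placeholder values).
make_sample_ifcfg() {
  cat > "$1" <<'EOF'
DEVICE="eth0"
BOOTPROTO="dhcp"
HWADDR="00:00:5E:00:53:01"
NM_CONTROLLED="yes"
ONBOOT="no"
TYPE="Ethernet"
UUID="00000000-0000-0000-0000-000000000000"
EOF
}

# set_static_ifcfg FILE IPADDR NETMASK GATEWAY
# Delete HWADDR/UUID, switch BOOTPROTO dhcp->none and ONBOOT no->yes, then
# append the three address lines. Safe to run more than once.
set_static_ifcfg() {
  file=$1 ip=$2 mask=$3 gw=$4
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  for addr in "$ip" "$mask" "$gw"; do
    is_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 1; }
  done
  # Keep the first original only, so a second run does not overwrite it.
  [ -e "${file}.bak" ] || cp -p "$file" "${file}.bak" || return 1
  tmp=$(mktemp) || return 1
  {
    # awk re-emits each line so the last one always ends with a newline.
    sed -e '/^HWADDR=/d' -e '/^UUID=/d' \
        -e '/^IPADDR=/d' -e '/^NETMASK=/d' -e '/^GATEWAY=/d' \
        -e 's/^\(BOOTPROTO="\{0,1\}\)dhcp/\1none/' \
        -e 's/^\(ONBOOT="\{0,1\}\)no/\1yes/' "$file" | awk '{ print }'
    printf 'IPADDR=%s\nNETMASK=%s\nGATEWAY=%s\n' "$ip" "$mask" "$gw"
  } > "$tmp"
  # Overwrite in place (not mv) so the file keeps its owner and mode.
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demonstration on the constructed sample, in a scratch directory.
demo_dir=$(mktemp -d)
make_sample_ifcfg "$demo_dir/ifcfg-eth0"
set_static_ifcfg "$demo_dir/ifcfg-eth0" 192.0.2.10 255.255.255.0 192.0.2.1
cat "$demo_dir/ifcfg-eth0"
rm -rf "$demo_dir"
```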

Appendix 2: Resetting the CloudPlatform lab

Overview

This appendix shows you how to reset the CloudPlatform lab in preparation to execute any module. The CloudPlatform lab is usually executed in order, starting with module 1. However, it is possible to reset the lab so that it is ready to execute any module using the labreset.sh script. This script will stop all existing VMs running on the physical XenServer host and start the new VMs needed for the module.

Notes

1. The CloudPlatform shared storage and console system VMs will be restarted automatically by CloudPlatform after the reset, but this may take a few minutes. Operations requiring these system VMs (such as starting a user VM) may be delayed until the relevant system VMs are running. The system router VMs will also be restarted automatically by CloudPlatform, but only when they are actually needed.

2. If any Guest VMs were running at the end of the previous module, they will be stopped when the lab is reset to the current module. They may be manually restarted if needed. The lab guide may show them as running, but this is inconsequential.

3. If some or all of module 6 has been completed, file operations on Student Desktop must be undone before re-executing the module.
    a. Delete the c:\temp\demovm directory
    b. Move the XenServer-6.1-perf-monitoring.iso file from c:\inetpub\wwwroot back to c:\iso
    c. The file c:\inetpub\wwwroot\demovm.vhd will always be present to allow resetting the lab to module 8 or 9; otherwise the DemoVM template copy between zones during this module will fail.

4. The London-Cluster1 XenServer pool and/or Paris-Cluster1 XenServer pool may need to be re-attached to XenCenter.

Step by step guidance

Estimated time to complete this exercise: 10 minutes.

1. Click your physical XenServer node and select the Console tab. If prompted, hit Enter to login.

2. This script will remove all existing non-hidden VMs from the physical XenServer. The lab reset command is shown below (do not enter it at the moment):

    labreset.sh Mn

Where n is the module number that you wish to reset to. For example, if you wish to reset ready for module 3, you would enter:

    labreset.sh M3

The script shuts down and destroys ALL existing VMs, excluding hidden infrastructure VMs. Then the required VMs for the requested module are started.

3. Enter the reset command now for the module you wish to reset to, e.g.:

    labreset.sh M3

Typical output of the command is shown below. The output varies depending on what VMs were running and the reset module number.


More information

Installing an IBM Workplace/Portal Server on Linux

Installing an IBM Workplace/Portal Server on Linux Installing an IBM Workplace/Portal Server on Linux Auteur Roel Broersma Versie 1.0 Page 1 of 9 Installing an IBM Workplace/Portal Server on Linux... 1 1. Introduction... 3 2. Installing CentOS... 4 3.

More information

Set Up Panorama. Palo Alto Networks. Panorama Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

Set Up Panorama. Palo Alto Networks. Panorama Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks Set Up Panorama Palo Alto Networks Panorama Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Web Sites, Virtual Machines, Service Management Portal and Service Management API Beta Installation Guide

Web Sites, Virtual Machines, Service Management Portal and Service Management API Beta Installation Guide Web Sites, Virtual Machines, Service Management Portal and Service Management API Beta Installation Guide Contents Introduction... 2 Environment Topology... 2 Virtual Machines / System Requirements...

More information

CommandCenter Secure Gateway

CommandCenter Secure Gateway CommandCenter Secure Gateway Quick Setup Guide for CC-SG Virtual Appliance and lmadmin License Server Management This Quick Setup Guide explains how to install and configure the CommandCenter Secure Gateway.

More information

About the VM-Series Firewall

About the VM-Series Firewall About the VM-Series Firewall Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 http://www.paloaltonetworks.com/contact/contact/

More information

Backup & Disaster Recovery Appliance User Guide

Backup & Disaster Recovery Appliance User Guide Built on the Intel Hybrid Cloud Platform Backup & Disaster Recovery Appliance User Guide Order Number: G68664-001 Rev 1.0 June 22, 2012 Contents Registering the BDR Appliance... 4 Step 1: Register the

More information

vsphere Replication for Disaster Recovery to Cloud

vsphere Replication for Disaster Recovery to Cloud vsphere Replication for Disaster Recovery to Cloud vsphere Replication 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Deploying a Virtual Machine (Instance) using a Template via CloudStack UI in v4.5.x (procedure valid until Oct 2015)

Deploying a Virtual Machine (Instance) using a Template via CloudStack UI in v4.5.x (procedure valid until Oct 2015) Deploying a Virtual Machine (Instance) using a Template via CloudStack UI in v4.5.x (procedure valid until Oct 2015) Access CloudStack web interface via: Internal access links: http://cloudstack.doc.ic.ac.uk

More information

F-Secure Internet Gatekeeper Virtual Appliance

F-Secure Internet Gatekeeper Virtual Appliance F-Secure Internet Gatekeeper Virtual Appliance F-Secure Internet Gatekeeper Virtual Appliance TOC 2 Contents Chapter 1: Welcome to F-Secure Internet Gatekeeper Virtual Appliance.3 Chapter 2: Deployment...4

More information

ISERink Installation Guide

ISERink Installation Guide ISERink Installation Guide Version 1.1 January 27, 2015 First developed to support cyber defense competitions (CDCs), ISERink is a virtual laboratory environment that allows students an opportunity to

More information

Virtual Appliances. Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V. Virtual Appliance Setup Guide for Umbrella Page 1

Virtual Appliances. Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V. Virtual Appliance Setup Guide for Umbrella Page 1 Virtual Appliances Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V Virtual Appliance Setup Guide for Umbrella Page 1 Table of Contents Overview... 3 Prerequisites... 4 Virtualized Server

More information

I N S T A L L A T I O N M A N U A L

I N S T A L L A T I O N M A N U A L I N S T A L L A T I O N M A N U A L 2015 Fastnet SA, St-Sulpice, Switzerland. All rights reserved. Reproduction in whole or in part in any form of this manual without written permission of Fastnet SA is

More information

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.2 November 2015 Last modified: November 3, 2015 2015 Nasuni Corporation All Rights Reserved Document Information Testing

More information

iboss Enterprise Deployment Guide iboss Web Filters

iboss Enterprise Deployment Guide iboss Web Filters iboss Enterprise Deployment Guide iboss Web Filters Copyright Phantom Technologies, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval

More information

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

Biznet GIO Cloud Connecting VM via Windows Remote Desktop Biznet GIO Cloud Connecting VM via Windows Remote Desktop Introduction Connecting to your newly created Windows Virtual Machine (VM) via the Windows Remote Desktop client is easy but you will need to make

More information

SSL-VPN 200 Getting Started Guide

SSL-VPN 200 Getting Started Guide Secure Remote Access Solutions APPLIANCES SonicWALL SSL-VPN Series SSL-VPN 200 Getting Started Guide SonicWALL SSL-VPN 200 Appliance Getting Started Guide Thank you for your purchase of the SonicWALL SSL-VPN

More information

Virtzone Cloud Control User Guide

Virtzone Cloud Control User Guide Virtzone Cloud Control User Guide August 2013 Table of Contents 1. What is Virtzone Cloud Control?... 3 2. What this document covers... 3 This document covers the basic steps required to log on to and

More information

Deployment Guide: Transparent Mode

Deployment Guide: Transparent Mode Deployment Guide: Transparent Mode March 15, 2007 Deployment and Task Overview Description Follow the tasks in this guide to deploy the appliance as a transparent-firewall device on your network. This

More information

Citrix XenClient 1.0

Citrix XenClient 1.0 White Paper Citrix XenClient Citrix XenClient 1.0 Proof of Concept Implementation Guide www.citrix.com Contents Introduction... 3 Hardware and Software Requirements... 3 Installation and Configuration...

More information

Getting Started with ESXi Embedded

Getting Started with ESXi Embedded ESXi 4.1 Embedded vcenter Server 4.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent

More information

PowerPanel Business Edition Installation Guide

PowerPanel Business Edition Installation Guide PowerPanel Business Edition Installation Guide For Automatic Transfer Switch Rev. 5 2015/12/2 Table of Contents Introduction... 3 Hardware Installation... 3 Install PowerPanel Business Edition Software...

More information

Interworks. Interworks Cloud Platform Installation Guide

Interworks. Interworks Cloud Platform Installation Guide Interworks Interworks Cloud Platform Installation Guide Published: March, 2014 This document contains information proprietary to Interworks and its receipt or possession does not convey any rights to reproduce,

More information

In order to upload a VM you need to have a VM image in one of the following formats:

In order to upload a VM you need to have a VM image in one of the following formats: What is VM Upload? 1. VM Upload allows you to import your own VM and add it to your environment running on CloudShare. This provides a convenient way to upload VMs and appliances which were already built.

More information

simplify monitoring Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures

simplify monitoring Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures simplify monitoring Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures Simplify Monitoring Installation Guide 11.4 (v11.4) Document Date: February 2015 www.tricerat.com

More information

VMware Identity Manager Connector Installation and Configuration

VMware Identity Manager Connector Installation and Configuration VMware Identity Manager Connector Installation and Configuration VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until the document

More information