This document describes the steps for activating and possibly further configuring Eucalyptus after the software has been installed on all nodes (either from source or using binary packages).
After you've started all components, you will need to perform registration so that they can communicate with each other.
This section will assume that you have installed all Eucalyptus components and they are up and running. We will assume that your Eucalyptus setup consists of one front end and one or more nodes.
First, you will need to register various front end components. To do this, run the following commands on the front end.
$EUCALYPTUS/usr/sbin/euca_conf --register-walrus <front end IP address> $EUCALYPTUS/usr/sbin/euca_conf --register-cluster <clustername> <front end IP address> $EUCALYPTUS/usr/sbin/euca_conf --register-sc <clustername> <front end IP address>
Finally, you need to register nodes with the front end. To do so, run the following command on the front end,
$EUCALYPTUS/usr/sbin/euca_conf --register-nodes "<Node 0 IP address> <Node 1 IP address> ... <Node N IP address>"
where "<Node X IP address>" is the IP address of host X that is running the Node Controller (NC).
At this point, you have successfully registered Eucalyptus components and you are ready to proceed to configuration.
Point your browser to,
Since Eucalyptus is using a self-signed certificate, your browser is likely to prompt you to accept the certificate. On some machines it may take few minutes after the starting of the Cloud Controller for the URL to be responsive the first time you run Eucalyptus. You will be prompted for a user and password both of which are set to admin initially.
Upon logging in the first time you will be asked to
After clicking 'Submit', you will see the 'Configuration' tab. Since you've used euca_conf to register Walrus and a cluster, they will be listed along with a few configurable parameters. Look over the parameters to see if any need adjustment. For more information, see the Management section.
To use the system with client tools, you must obtain user credentials. From the 'Credentials' tab, Eucalyptus users can obtain two types of credentials: x509 certificates and query interface credentials. Use the 'Download Credentials' button to download a zip-file with both or click on the 'Show Keys' to see the query interface credentials. You will be able to use your credentials with Euca2ools, Amazon EC2 tools and third-party tools like rightscale.com. Create a directory to store your credentials, unpack the zip-file into it, and source the included 'eucarc':
mkdir $HOME/.euca unzip euca2-admin-x509.zip -d $HOME/.euca . $HOME/.euca/eucarc
Note that you will have to source this file every time you intend to use the command-line tools, or you may add it to your local default environment.
Eucalyptus deploys instances (i.e., virtual machines) on a hypervisor. Eucalyptus can use either xen or kvm hypervisors. To interact with them, Eucalyptus employs libvirt virtualization API. The best choice for the hypervisor depends on its support for your hardware, on the support for the hypervisor in your OS (some distros support KVM better, some support Xen better), as well as personal preferences.
Another consideration is support for Eucalyptus features in the hypervisor. Because Eucalyptus uses features that only recently have been added to hypervisors, some combinations of hypervisor and kernel do not function as intended. The most common problem we encounter has to do with support for attaching and removing block devices. On some kernels, for example, you may see a lot of WARN_ON messages in the logs (similar to kernel oops), with KVM you will not be able to specify the exact device block (it will be chosen by the system), and on some hypervisor-kernel combinations EBS will not work at all (e.g., Debian "squeeze" with 2.6.30-2-amd64 kernel and KVM v88).
First of all, before even installing Eucalyptus, install a hypervisor of your choice and, based on the hypervisor's documentation, try to construct and run a test VM from the command line.(If you cannot run a VM outside Eucalyptus, you will not be able to run any VMs through Eucalyptus.)
Running a Xen VM usually involves creating a configuration file and passing it to the xm create command. Running a KVM VM usually involves invoking kvm with many parameters on the command-line.
If the hypervisor doesn't work out of the box on your distro, you may want to experiment with options. For Xen, the options are specified in:
/etc/xend/xend-config.sxp
We had good luck with these:
(xend-http-server yes) (xend-unix-server yes) (xend-unix-path /var/lib/xend/xend-socket) (xend-address localhost) (network-script network-bridge) (vif-script vif-bridge) (dom0-min-mem 196) (dom0-cpus 0) (vncpasswd '')
Since Eucalyptus interacts with hypervisors through libvirt, it is also a good idea to ensure that libvirt is set up properly, particularly for user "eucalyptus". A way to do so is to try
virsh list
as the "eucalyptus" user (root usually can always connect). If that fails, the solutions are distribution-specific: for example, on some Debian-based distros, the user "eucalyptus" needs to be in the group libvirt or libvirtd.
On distros using PolicyKit, you may want to ensure that in
/etc/PolicyKit/PolicyKit.conf
there is something like
<config version="0.1">
<match action="org.libvirt.unix.manage">
<match user="eucalyptus">
<return result="yes"/>
</match>
</match>
</config>
As the last resort, you may want to look into
/etc/libvirt/libvirtd.conf
and keep an eye on logs in
/var/log/libvirt
Backing up and restoring a Eucalyptus installation involves saving and restoring the contents of five file-system locations. Three are on the CLC machine:
One on the Walrus machine (which is the same as CLC machine in a single-cluster installation):
And one on each of the cluster head nodes (again, same as the CLC machine in a single-cluster installation):
If the files at these locations are backed up, a Eucalyptus installation can be fully restored after a crash or a failed upgrade. What follows is a step-by-step guide to backup and restoration.
euca-terminate-instances ... # (as admin)
$EUCALYPTUS/etc/init.d/eucalyptus-nc stop $EUCALYPTUS/etc/init.d/eucalyptus-cc stop $EUCALYPTUS/etc/init.d/eucalyptus-cloud stop
ps aux | grep euca kill -9 ...
du -sh $EUCALYPTUS/var/lib/eucalyptus/
export BACKUP=/path/to/backup/directory mkdir -p $BACKUP
cp -a $EUCALYPTUS/etc/eucalyptus/eucalyptus.conf \ $EUCALYPTUS/var/lib/eucalyptus/keys \ $EUCALYPTUS/var/lib/eucalyptus/db \ $EUCALYPTUS/var/lib/eucalyptus/bukkits \ $EUCALYPTUS/var/lib/eucalyptus/volumes \ $BACKUPor, alternatively, with tar:
tar cvf $BACKUP/eucalyptus-backup.tar \ $EUCALYPTUS/etc/eucalyptus/eucalyptus.conf \ $EUCALYPTUS/var/lib/eucalyptus/keys \ $EUCALYPTUS/var/lib/eucalyptus/db \ $EUCALYPTUS/var/lib/eucalyptus/bukkits \ $EUCALYPTUS/var/lib/eucalyptus/volumes
In either case, be careful if any of the above are symbolic links as they may be copied instead of the directories they point to. Check that the backup indeed contains files from the original locations.
Same as in the Backup step, make sure no Eucalyptus components are running on any of the nodes
If you are trying to recover from a broken upgrade by rolling back or by trying the upgrade again, this would be the right time to
Warning: DEBs will restart the services: be sure you stop them again before copying back the backed-up files.
cp -a $BACKUP/eucalyptus.conf $EUCALYPTUS/etc/eucalyptus cp -a $BACKUP/keys $BACKUP/db $BACKUP/bukkits $BACKUP/volumes $EUCALYPTUS/var/lib/eucalyptusor with tar:
cd $EUCALYPTUS tar xvf $BACKUP/eucalyptus-backup.tar
Eucalyptus versions 1.5 and higher include a highly configurable VM networking subsystem that can be adapted to a variety of network environments. There are four high level networking "modes", each with its own set of configuration parameters, features, benefits and in some cases restrictions placed on your local network setup. The administrator must select one of these four modes before starting Eucalyptus on the front-end and nodes via modification of the 'eucalyptus.conf' configuration file on each machine running a Eucalyptus component. Brief descriptions of each mode follows:
SYSTEM Mode - This is the simplest networking mode, but also offers the smallest number of networking features. In this mode, Eucalyptus simply assigns a random MAC address to the VM instance before booting and attaches the VM instance's ethernet device to the physical ethernet through the node's local Xen bridge. VM instances typically obtain an IP address using DHCP, the same way any non-VM machine using DHCP would obtain an address. Note that in this mode, the Eucalyptus administrator (or the administrator that manages the network to which Eucalyptus components are attached) must set up a DHCP server that has a dynamic pool of IP addresses to hand out as VMs boot. In other words, if your laptop/desktop/server gets an IP address using DHCP on the same network as the Eucalyptus nodes, then your VMs should similarly obtain addresses. This mode is most useful for users who want to try out Eucalyptus on their laptops/desktops.
STATIC Mode - This mode offers the Eucalyptus administrator more control over VM IP address assignment. Here, the administrator configures Eucalyptus with a 'map' of MAC address/IP Address pairs. When a VM is instantiated, Eucalyptus sets up a static entry within a Eucalyptus controlled DHCP server, takes the next free MAC/IP pair, assigns it to a VM, and attaches the VMs ethernet device to the physical ethernet through the Xen bridge on the nodes (in a manner similar to SYSTEM mode). This mode is useful for administrators who have a pool of MAC/IP addresses that they wish to always assign to their VMs.
NOTE - Running Eucalyptus in SYSTEM or STATIC mode disables some key functionality such as the definition of ingress rules between collections of VMs (termed security groups in Amazon EC2), the user-controlled, dynamic assignment of IPs to instances at boot and run-time (elastic IPs in Amazon EC2), isolation of network traffic between VMs (that is, the root user within VMs will be able to inspect and potentially interfere with network traffic from other VMs), and the availability of the meta-data service (use of the http://169.254.169.254/ URL to obtain instance specific information).
MANAGED Mode - This mode is the most featureful of the three modes, but also carries with it the most potential constraints on the setup of the Eucalyptus administrator's network. In MANAGED mode, the Eucalyptus administrator defines a large network (usually private, unroutable) from which VM instances will draw their IP addresses. As with STATIC mode, Eucalyptus will maintain a DHCP server with static mappings for each VM instance that is created. Eucalyptus users can define a number of 'named networks', or 'security groups', to which they can apply network ingress rules that apply to any VM that runs within that 'network'. When a user runs a VM instance, they specify the name of such a network that a VM is to be a member of, and Eucalyptus selects a subset of the entire range of IPs that other VMs in the same 'network' can reside. A user can specify ingress rules that apply to a given 'network', such as allowing ping (ICMP) or ssh (TCP, port 22) traffic to reach their VMs. This capability allows Eucalyptus expose a capability similar to Amazon's 'security groups'. In addition, the administrator can specify a pool of public IP addresses that users may allocate, then assign to VMs either at boot or dynamically at run-time. This capability is similar to Amazon's 'elastic IPs'. Eucalyptus administrators that require security groups, elastic IPs, and VM network isolation must use this mode.
MANAGED-NOVLAN Mode - This mode is identical to MANAGED mode in terms of features (dynamic IPs and security groups) but does not provide VM network isolation. Admins who want dynamic assignable IPs and the security groups, but are not running on a network that is 'VLAN clean' or don't care if their VMs are isolated from one another on the network should choose this mode.
Each Eucalyptus network mode has its own set of infrastructure requirements, configuration parameters, and caveats. These are described in more detail in the following sections.
For some of the network modes, you'll be required to set up an Ethernet bridge in order for the network mode to function. If you use Xen, the distros typically set up a bridge for you, and you'll simply have to find its name. For Xen versions 3.0 or earlier the bridge name is typically
xenbr0
while if you use Xen 3.2 the bridge name is typically
eth0
If you use KVM, or you wish to configure a bridge manually, the following describes how to set up a bridge on various distributions. In these examples, it is assumed that your bridge device will obtain its IP address using DHCP, and that your physical ethernet device is named 'eth0'.
# create a new ethernet bridge configuration file '/etc/sysconfig/network-scripts/ifcfg-br0' # and populate it with the following DEVICE=br0 BOOTPROTO=dhcp ONBOOT=yes TYPE=Bridge # add your physical ethernet device to the bridge by editing your physical ethernet device # configuration file (in this example, 'eth0') '/etc/sysconfig/network-scripts/ifcfg-eth0' DEVICE=eth0 TYPE=Ethernet BRIDGE=br0
# All network configuration is done using the 'yast2' configuration tool Run yast2 Network Devices Network Settings Add Device Type->Bridge Next Bridged Devices->select your pysical device (eth0) Next Ok Quit
# create a new ethernet bridge device and attach your physical
# ethernet device to the bridge by adding the following to '/etc/network/interfaces'
auto br0
iface br0 inet dhcp
bridge_hello 2
bridge_fd 1
bridge_ports eth0
# and comment out your settings for 'eth0' in the same file
When you are finished configuring a bridge, it is advised that you restart the machine (or, at least, restart the networking subsystem). Once it is back up and running, the
brctl show
command will list all available bridges, which you can use to check that your system is properly configured to run Eucalyptus.
NOTE: the bridge name
virbr0
is created by libvirt is shouldn't not be used.
For the reminder of this document, we assume that you correctly identified the bridge and that such bridge is called
br0
There is very little Eucalyptus configuration to use SYSTEM mode, as in this mode, Eucalyptus mostly stays 'out of the way' in terms of VM networking. The options in 'eucalyptus.conf' that must be configured correctly in 'SYSTEM' mode are as follows:
On the front-end:
VNET_MODE="SYSTEM"
On each node:
VNET_MODE="SYSTEM" VNET_BRIDGE
In each Eucalyptus node controller's (NC) 'eucalyptus.conf' file, make sure that the parameter 'VNET_BRIDGE' is set to the name of the bridge device that is connected to your local ethernet
VNET_BRIDGE="br0"
Make sure that what you are specifying in this field is actually a bridge, and that it is the bridge that is connected to an ethernet network that has a DHCP server running elsewhere that is configured to hand out IP addresses dynamically. Note that your front-end machine does not need to have any bridges (this is fine, as VNET_BRIDGE is only a relevant for node controllers, and will be safely ignored by the front-end components).
To test whether this mode is working properly at run-time, you can check on a node before and after an instance is running the configure bridge. You should see a new interface associate with the bridge for example you could see
; brctl show
bridge name bridge id STP enabled interfaces
eth0 8000.000c29369858 no peth0
vif18.0
on a node controller running Xen 3.2: note that Eucalyptus has correctly attached the VM's 'eth0' interface (vif18.0) to the bridge ('br0') that is being used to attach VMs to the local ethernet ('peth0').
In the case of kvm you may see something like
; brctl show bridge name bridge id STP enabled interfaces br0 8000.00005a00083d no eth0 vnet0
At this point, the VM should be sending DHCP requests to the local ethernet, and the DHCP server on the network should be sending a reply.
CAVEATS - In this mode, as mentioned previously, VMs are simply started with their ethernet interfaces attached to the local ethernet without any isolation. Practically, this means that you should treat a VM the same way that you would treat a non-VM machine running on the network. Eucalyptus does it's best to discover the IP address that was assigned to a running VM via a third-party DHCP server, but can be unsuccessful depending on the specifics of your network (switch types/configuration, location of CC on the network, etc.). Practically, if Eucalyptus cannot determine the VM's IP, then the user will see '0.0.0.0' in the output of 'describe-instances' in both the private and public address fields. The best workaround for this condition is to instrument your VMs to send some network traffic to your front end on boot (after they obtain an IP address). For instance, setting up your VM to ping the front-end a few times on boot should allow Eucalyptus to be able to discover the VMs IP.
In this mode, Eucalyptus will manage VM IP address assignment by maintaining its own DHCP server with one static entry per VM. The options in 'eucalyptus.conf' that must be configured correctly in 'STATIC' mode are as follows:
On the front-end (options annotated with a '*' may be required depending on your installation, see below for details):
VNET_MODE="STATIC" VNET_PUBINTERFACE VNET_PRIVINTERFACE VNET_DHCPDAEMON *VNET_DHCPUSER VNET_SUBNET VNET_NETMASK VNET_BROADCAST VNET_ROUTER VNET_DNS VNET_MACMAP
On each node:
VNET_MODE="STATIC" VNET_BRIDGE
The Eucalyptus administrator must configure the front-end's 'eucalyptus.conf' first with a valid, configured ethernet device that is attached to the same physical ethernet as the Eucalyptus nodes:
VNET_PRIVINTERFACE="eth0"
If the front-end has a second ethernet device which is used to access the public network, let's say eth1, then you need to configured it as
VNET_PUBINTERFACE="eth1"
Next, the admin must ensure that there is a DHCP server binary installed on the front-end and Eucalyptus knows where it is located:
VNET_DHCPDAEMON="/usr/sbin/dhcpd3"
If your DHCP daemon binary is configured to run as 'non-root' (say, as the user 'dhcpd' as is the case in Ubuntu >= 8.10), then you must configure Eucalyptus to be aware of that user:
VNET_DHCPUSER="<dhcpusername>"
Then, the admin must input IP subnet information for that device. For example, if the front-end's 'eth0' interface has the IP address '192.168.1.254' on the '192.168.1.0/24' network, with a gateway at '192.168.1.1' and a DNS at '192.168.1.2', the values in 'eucalyptus.conf' would look like so:
VNET_SUBNET="192.168.1.0" VNET_NETMASK="255.255.255.0" VNET_BROADCAST="192.168.1.255" VNET_ROUTER="192.168.1.1" VNET_DNS="192.168.1.2"
Finally, the administrator must supply a list of static MAC/IP mappings that will be assigned, first come first served, to VM instances. Note that each IP must reside in the subnet defined above, and must not be in use by any other machine on the network.
VNET_MACMAP="AA:DD:11:CE:FF:ED=192.168.1.3 AA:DD:CE:FF:EE=192.168.1.4"
On the nodes, you must ensure that the bridge is entered
VNET_BRIDGE="br0"
Once you have configured Eucalyptus properly, start up the node controllers and the front-end components. To test whether this mode is working properly at run-time, you can follow the last paragraph of the SYSTEM mode, in which the bridge is inspected.
Make sure that the DHCP server has been started properly on the front-end ('ps axww | grep -i dhcpd | grep -i euca'). At this point, the VM should be sending DHCP requests to the local ethernet, and the DHCP server on the front-end should be sending a reply with one of the static MAC/IP mappings the admin has defined in 'eucalyptus.conf'.
CAVEATS - In this mode, as mentioned previously, VMs are started with their ethernet interfaces attached to the local ethernet without any isolation. Practically, this means that you should treat a VM the same way that you would treat a non-VM machine running on the network. Eucalyptus does not verify that your settings are valid, thus, you must enter them correctly in order for your VMs to obtain IP addresses. Finally, we assume that the installed DHCP daemon is, or is compatible with, ISC DHCP Daemon version 3.0.X. If it is not, we recommend either installing a version that is (common in most distributions) or writing a wrapper script around your installed DHCP server and point Eucalyptus at it (via VNET_DHCPDAEMON in 'eucalyptus.conf').
In this mode, Eucalyptus will fully manage the local VM instance network and provides all of the networking features Eucalyptus current supports (VM network isolation, user controllable VM firewalls (ingress rules/security groups), dynamic public IP assignment). The options in 'eucalyptus.conf' that must be configured correctly in 'MANAGED' mode are as follows:
On the front-end (options annotated with a '*' may be required depending on your installation, see below for details):
VNET_MODE="MANAGED" VNET_PUBINTERFACE VNET_PRIVINTERFACE VNET_DHCPDAEMON *VNET_DHCPUSER VNET_SUBNET VNET_NETMASK VNET_DNS VNET_ADDRSPERNET *VNET_PUBLICIPS *VNET_CLOUDIP *VNET_LOCALIP
On each node:
VNET_MODE="MANAGED" VNET_PUBINTERFACE VNET_PRIVINTERFACE
Be advised that this mode requires that your local network/configuration conforms to certain requirements that Eucalyptus depends upon.
Before using 'MANAGED' mode, you must confirm that:
1.) there is an available range of iP addresses that is completely unused on the network (192.168..., 10....., other).
2.) your network is 'VLAN clean', meaning that all switch ports that Eucalyptus components are connected to will allow and forward VLAN tagged packets.
3.) you are not running a firewall on the front-end (CC) or your firewall is compatible with the dynamic changes that Eucalyptus will make to the front-end's netfilter rules.
All three of these requirements must be met before MANAGED mode should be attempted. Failure to verify the above will, at least, result VM instances being unavailable on the network.
For requirement '1', choose a IP range that you know is completely unused on your network. Choose a range that is as large as possible. Typical examples are:
if the network 10.0.0.0 - 10.255.255.255 is completely unused:
VNET_MODE="MANAGED" VNET_SUBNET="10.0.0.0" VNET_NETMASK="255.0.0.0" VNET_DNS="<your DNS>" VNET_ADDRSPERNET="128"
or if the network 192.168.0.0 - 192.168.255.255 is completely unused:
VNET_MODE="MANAGED" VNET_SUBNET="192.168.0.0" VNET_NETMASK="255.255.0.0" VNET_DNS="<your DNS>" VNET_ADDRSPERNET="64"
Next, the admin must verify that the local network will allow/forward VLAN tagged packets between machines running Eucalyptus components. To verify, perform the following test:
on the front-end, choose the interface that is on the local ethernet (and will be set in eucalyptus.conf as VNET_PRIVINTERFACE), and run:
vconfig add <interface> 10 ifconfig <interface>.10 192.168.1.1 up
replace '192.168.1.1' with an IP from the range you selected above.
On the node, choose the interface on the local network (will be set in eucalyptus.conf as VNET_PRIVINTERFACE and VNET_PUBINTERFACE), and run:
vconfig add <interface> 10 ifconfig <interface>.10 192.168.1.2 up
again, replace '192.168.1.2' with another IP in the range you selected above.
Then, try a ping between hosts. On the front-end:
ping 192.168.1.2
on the node:
ping 192.168.1.1
If this does not work, then your switch needs to be configured to forward VLAN tagged packets (if it is a managed switch, see your switch's documentation to determine how to do this).
Finally, you need to carefully inspect the firewall on the front-end to make sure that it will not interfere with Eucalyptus, or vice-versa. Eucalyptus will flush the 'filter' and 'nat' tables upon boot in MANAGED mode, but provides a way for the administrator to define special rules that are loaded when Eucalyptus starts (see below for details).
The Eucalyptus administrator must configure the front-end's 'eucalyptus.conf' first with a valid, configured ethernet device that is attached to the same physical ethernet as the Eucalyptus nodes:
VNET_PRIVINTERFACE="eth0"
If the front-end has a second ethernet device which is used to access the public network, let's say eth1, then you need to configured it as
VNET_PUBINTERFACE="eth1"
Next, the admin ust ensure that there is a DHCP server binary installed on the front-end and Eucalyptus knows where it is located:
VNET_DHCPDAEMON="/usr/sbin/dhcpd3"
If your DHCP daemon binary is configured to run as 'non-root' (say, as the user 'dhcpd' as is the case in Ubuntu >= 8.10), then you must configure Eucalyptus to be aware of that user:
VNET_DHCPUSER="<dhcpusername>"
Nodes must have VNET_PRIVINTERFACE and VNET_PUBINTERFACE set properly (they should be set with the same value, the device facing the CC). For example, with current Xen versions, this parameter (when your node's Xen bridge is 'eth0') is typically:
VNET_PUBINTERFACE="peth0" VNET_PRIVINTERFACE="peth0"
while for kvm it should be something like
VNET_PUBINTERFACE="eth0" VNET_PRIVINTERFACE="eth0"
Once you have verified that your network configuration meets the requirements for running in MANAGED mode, the rest of the configuration is fairly simple. For example, if the 192.168.0.0/16 network is free and unused on your network:
VNET_MODE="MANAGED" VNET_SUBNET="192.168.0.0" VNET_NETMASK="255.255.0.0" VNET_DNS="<your dns>" VNET_ADDRSPERNET="64" VNET_PUBLICIPS="<publicIPa> <publicIPb> ... <publicIPn>"
SUBNET, NETMASK, and DNS have been described previously. VNET_ADDRSPERNET is used to control how many VM instances may simultaneously be part of an individual user's named network (called a 'security group' in Amazon EC2). Choosing the right value for this parameter depends on how many IPs you have made available using VNET_SUBNET/VNET_NETMASK, how many VLANs your network supports simultaneously, and how many concurrent active user networks the administrator wishes to support. In the above example, there are 65536 addresses available (192.168.0.0/16). If we divide by the number of addresses per network (set to 64 above), we find the maximum number of simultaneous active named networks that can be in use at any one point in time (65536 / 64 == 1024). If your eucalyptus installation has 100 users, then each user could have at most 10 active security groups in operation at any point in time (of course, they can define as many as they wish, but can only have sets of running VMs residing in at most 10 networks). Each security group could support up to 61 instances (64 addresses minus 1 address for the subnet, broadcast, and router IPs). If your installation favors more VMs per network and fewer active security groups per user, the administrator may adjust the VNET_ADDRSPERNET parameter accordingly. Setting it to '256' would result in each active user's security group supporting up to 253 VM instances, and each of 100 users could simultaneously have 2 active security groups.
If you would like users to log in to their instances from outside the cluster/cluster front-end, you must find a set of public IP addresses, that are not in use, and allow Eucalyptus to dynamically route them to VM instances at instance boot time or dynamically at run time. For each IP address you choose, your front-end must be capable of being configured with that IP address. To test, choose some free public IP addresses and perform the following test for each one:
on the front-end:
ip addr add <publicIP>/32 dev <interface>
on some external machine representative of where users will wish to log into their VM instances:
ping <publicIP>
if this works, then dynamic IP assignment to VM instances will work. Remove the assigned address with the following command:
ip addr del <publicIP>/32 dev <interface>
Once you have compiled a list of available public IP addresses, allow Eucalyptus to use them by listing the IPs in 'eucalyptus.conf':
VNET_PUBLICIPS="<publicIPa> <publicIPb> ... <publicIPn>"
or, you can specify a range of IPs with:
VNET_PUBLICIPS="<publicIPa>-<publicIPb>"
where publicIPa and publicIPb are in the same /24 subnet.
If your cluster-controller and cloud-controller are running on separate hosts, you need to set:
VNET_CLOUDIP="<ip-of-cloud-controller>"
And, if you are running multiple clusters in your installation, and wish to manually specify the IP of the cluster-controller that all other cluster-controllers can reach, you may set:
VNET_LOCALIP="<ip-of-cluster-controller"
The cluster-controller will attempt to determine this value automatically if it is not set.
CAVEATS - When Eucalyptus is running in MANAGED mode, you cannot currently run an entire eucalyptus installation on a single machine as this mode depends upon traffic between named networks passing through a front-end router (instead of going through the loopback device). If you wish to run Eucalyptus on a single machine (laptop), you must use SYSTEM or STATIC mode. In MANAGED mode, Eucalyptus will flush the front-end's iptables rules for both 'filter' and 'nat'. Next, it will set the default policy for the 'FORWARD' chain in 'filter' to 'DROP'. At run time, the front-end will be adding and removing rules from 'FORWARD' as users add/remove ingress rules from their active security groups. In addition, the 'nat' table will be configured to allow VMs access to the external network using IP masquerading, and will dynamically add/remove rules in the 'nat' table as users assign/unassign public IPs to VMs at instance boot or run-time. If the administrator has some rules that they wish to apply o the front-end, they should perform the following procedure on the front-end, before eucalyptus is started or while eucalyptus is not running. WARNING if the admin chooses to perform this operation to define special iptables rules that are loaded when Eucalyptus starts, they could inadvertently cause Eucalyptus VM networking to fail. It is suggested that you only do this only if you are completely sure that it will not interfere with the operation of Eucalyptus.
<use iptables to set up your iptables rules> iptables-save > $EUCALYPTUS/var/run/eucalyptus/net/iptables-preload
If you start an instance believe that it is running but is not available on the network, here are some things to check.
First, verify that the requirements of MANAGED mode have been met as described above (unused range of IPs, VLAN capable network, no interfering firewall rules on the nodes or front-end). Test whether you can get to the instance from the front-end using it's private address (from the range you specified). If you cannot, next, inspect the interfaces on the front-end and nodes:
on front-end:
ifconfig -a
You should see an interface '<interface>.<vlan>' with an IP address that is up and running. For instance, if may be 'eth0.10'. If it is not, check your VNET_PUBINTERFACE and VNET_PRIVINTERFACE parameter and inspect the eucalyptus log files for errors.
on the node:
brctl show
You should see a number of bridges called 'eucabr<vlan>', where '<vlan>' is a number that typically starts from '10'. The output should be similar (if VNET_PRIVINTERFACE="peth0") to:
; brctl show
bridge name bridge id STP enabled interfaces
eucabr10 8000.000c29369858 no peth0.10
vif18.0
If this is not the case, check your VNET_PRIVINTERFACE setting, and inspect the logfiles for details.
Back on the front-end, make sure that 'dhcpd' is running:
ps axww | grep <dhcpd>
where '<dhcpd>' is what you have set for VNET_DHCPDAEMON. Make sure that, in the output of 'ps', you see that the daemon is listening on the vlan tagged interface from above (<interface>.<vlan>). If it is not running, check the eucalyptus logs for the reason why (if the command failed, you will see this information in 'cc.log', if the daemon failed at runtime, you can inspect the reason in the daemon's output itself in 'http-cc_error_log'.
If you can access the private IP of the instance from the front-end, but public IPs are not being forwarded properly, first confirm that the user's security group is set up properly by having them run 'euca-describe-group <group of instance>'. '<group of instance>' is set to 'default' by default or if unspecified when the instance was started. If the group has appropriate ingress rules set, check that the rules have been implemented on the front-end:
iptables -L <username>-<groupname>
If there are no rules here, check the 'cc.log' for errors applying the table rules for more insight. Next, check the 'nat' table:
iptables -L -t nat
You should see one DNAT rule for routing traffic from a public IP to the instance IP, and one SNAT rule for setting the source IP of outgoing packets from that instance. If you do not, check 'cc.log' to determine the cause.
If all of these checks pass and the instance still is experiencing network problems, please prepare the following information and send it along to the Eucalyptus discussion board:
on front-end and one representative node, capture the output of the following commands:
netstat -rn ifconfig -a brctl show iptables-save
and send us 'cc.log', 'nc.log', 'httpd-cc_error_log' and 'httpd-nc_error_log'.
In this mode, Eucalyptus will fully manage the local VM instance network and provides all of the networking features Eucalyptus current supports (user controllable VM firewalls (ingress rules/security groups), dynamic public IP assignment), but does not provide VM network isolation. The options in 'eucalyptus.conf' that must be configured correctly in 'MANAGED-NOVLAN' mode are as follows:
On the front-end (options annotated with a '*' may be required depending on your installation, see below for details):
VNET_MODE="MANAGED-NOVLAN" VNET_PRIVINTERFACE VNET_PUBINTERFACE VNET_DHCPDAEMON *VNET_DHCPUSER VNET_SUBNET VNET_NETMASK VNET_DNS VNET_ADDRSPERNET *VNET_PUBLICIPS *VNET_CLOUDIP *VNET_LOCALIP
On each node:
VNET_MODE="MANAGED-NOVLAN" VNET_BRIDGE
Be advised that this mode requires that your local network/configuration conforms to certain requirements that Eucalyptus depends upon.
Before using 'MANAGED-NOVLAN' mode, you must confirm that:
1.) there is an available range of iP addresses that is completely unused on the network (192.168..., 10....., other).
2.) you are not running a firewall on the front-end (CC) or your firewall is compatible with the dynamic changes that Eucalyptus will make to the front-end's netfilter rules.
Both of these requirements must be met before MANAGED-NOVLAN mode should be attempted. Failure to verify the above will, at least, result VM instances being unavailable on the network.
For requirement '1', choose a IP range that you know is completely unused on your network. Choose a range that is as large as possible. Typical examples are:
if the network 10.0.0.0 - 10.255.255.255 is completely unused:
VNET_MODE="MANAGED-NOVLAN" VNET_SUBNET="10.0.0.0" VNET_NETMASK="255.0.0.0" VNET_DNS="<your DNS>" VNET_ADDRSPERNET="128"
or if the network 192.168.0.0 - 192.168.255.255 is completely unused:
VNET_MODE="MANAGED-NOVLAN" VNET_SUBNET="192.168.0.0" VNET_NETMASK="255.255.0.0" VNET_DNS="<your DNS>" VNET_ADDRSPERNET="64"
You will need to carefully inspect the firewall on the front-end to make sure that it will not interfere with Eucalyptus, or vice-versa. Eucalyptus will flush the 'filter' and 'nat' tables upon boot in MANAGED-NOVLAN mode, but provides a way for the administrator to define special rules that are loaded when Eucalyptus starts (see below for details).
The Eucalyptus administrator must configure the front-end's 'eucalyptus.conf' first with a valid, configured ethernet device that is attached to the same physical ethernet as the Eucalyptus nodes:
VNET_PRIVINTERFACE="eth0"
If the front-end has a second ethernet device which is used to access the public network, let's say eth1, then you need to configured it as
VNET_PUBINTERFACE="eth1"
Next, the admin ust ensure that there is a DHCP server binary installed on the front-end and Eucalyptus knows where it is located:
VNET_DHCPDAEMON="/usr/sbin/dhcpd3"
If your DHCP daemon binary is configured to run as 'non-root' (say, as the user 'dhcpd' as is the case in Ubuntu >= 8.10), then you must configure Eucalyptus to be aware of that user:
VNET_DHCPUSER="<dhcpusername>"
Nodes must have VNET_BRIDGE set properly:
VNET_BRIDGE="br0"
Once you have verified that your network configuration meets the requirements for running in MANAGED-NOVLAN mode, the rest of the configuration is fairly simple. For example, if the 192.168.0.0/16 network is free and unused on your network:
VNET_MODE="MANAGED-NOVLAN" VNET_SUBNET="192.168.0.0" VNET_NETMASK="255.255.0.0" VNET_DNS="<your dns>" VNET_ADDRSPERNET="64" VNET_PUBLICIPS="<publicIPa> <publicIPb> ... <publicIPn>"
SUBNET, NETMASK, and DNS have been described previously. VNET_ADDRSPERNET is used to control how many VM instances may simultaneously be part of an individual user's named network (called a 'security group' in Amazon EC2). Choosing the right value for this parameter depends on how many IPs you have made available using VNET_SUBNET/VNET_NETMASK, how many VLANs your network supports simultaneously, and how many concurrent active user networks the administrator wishes to support. In the above example, there are 65536 addresses available (192.168.0.0/16). If we divide by the number of addresses per network (set to 64 above), we find the maximum number of simultaneous active named networks that can be in use at any one point in time (65536 / 64 == 1024). If your eucalyptus installation has 100 users, then each user could have at most 10 active security groups in operation at any point in time (of course, they can define as many as they wish, but can only have sets of running VMs residing in at most 10 networks). Each security group could support up to 61 instances (64 addresses minus 1 address for the subnet, broadcast, and router IPs). If your installation favors more VMs per network and fewer active security groups per user, the administrator may adjust the VNET_ADDRSPERNET parameter accordingly. Setting it to '256' would result in each active user's security group supporting up to 253 VM instances, and each of 100 users could simultaneously have 2 active security groups.
If you would like users to log in to their instances from outside the cluster/cluster front-end, you must find a set of public IP addresses, that are not in use, and allow Eucalyptus to dynamically route them to VM instances at instance boot time or dynamically at run time. For each IP address you choose, your front-end must be capable of being configured with that IP address. To test, choose some free public IP addresses and perform the following test for each one:
on the front-end:
ip addr add <publicIP>/32 dev <interface>
on some external machine representative of where users will wish to log into their VM instances:
ping <publicIP>
if this works, then dynamic IP assignment to VM instances will work. Remove the assigned address with the following command:
ip addr del <publicIP>/32 dev <interface>
Once you have compiled a list of available public IP addresses, allow Eucalyptus to use them by listing the IPs in 'eucalyptus.conf':
VNET_PUBLICIPS="<publicIPa> <publicIPb> ... <publicIPn>"
or, you can specify a range of IPs with:
VNET_PUBLICIPS="<publicIPa>-<publicIPb>"
where publicIPa and publicIPb are in the same /24 subnet.
If your cluster-controller and cloud-controller are running on separate hosts, you need to set:
VNET_CLOUDIP="<ip-of-cloud-controller>"
And, if you are running multiple clusters in your installation, and wish to manually specify the IP of the cluster-controller that all other cluster-controllers can reach, you may set:
VNET_LOCALIP="<ip-of-cluster-controller"
The cluster-controller will attempt to determine this value automatically if it is not set.
CAVEATS - When Eucalyptus is running in MANAGED-NOVLAN mode, you cannot currently run an entire eucalyptus installation on a single machine as this mode depends upon traffic between named networks passing through a front-end router (instead of going through the loopback device). If you wish to run Eucalyptus on a single machine (laptop), you must use SYSTEM or STATIC mode. In MANAGED-NOVLAN mode, Eucalyptus will flush the front-end's iptables rules for both 'filter' and 'nat'. Next, it will set the default policy for the 'FORWARD' chain in 'filter' to 'DROP'.
At run time, the front-end will be adding and removing rules from 'FORWARD' as users add/remove ingress rules from their active security groups. In addition, the 'nat' table will be configured to allow VMs access to the external network using IP masquerading, and will dynamically add/remove rules in the 'nat' table as users assign/unassign public IPs to VMs at instance boot or run-time. If the administrator has some rules that they wish to apply o the front-end, they should perform the following procedure on the front-end, before eucalyptus is started or while eucalyptus is not running. WARNING if the admin chooses to perform this operation to define special iptables rules that are loaded when Eucalyptus starts, they could inadvertently cause Eucalyptus VM networking to fail. It is suggested that you only do this only if you are completely sure that it will not interfere with the operation of Eucalyptus.
<use iptables to set up your iptables rules> iptables-save > $EUCALYPTUS/var/run/eucalyptus/net/iptables-preload
If you edit a networking related value in eucalyptus.conf, you will need to restart the CC ($EUCALYPTUS/etc/init.d/eucalyptus-cc restart) for changes to take effect. If you change the networking mode, you will need to perform a cleanrestart ($EUCALYPTUS/etc/init.d/eucalyptus-cc cleanrestart)
If you are running Eucalyptus in multi-cluster mode, we strongly recommend that you configure all your clusters to have an identical networking mode. In addition we strongly recommend that you do not run multiple clusters in the same broadcast domain. Each cluster should be in a separate domain.
Eucalyptus versions >= 1.6 support multiple clusters within a single Eucalyptus cloud installation. This section briefly describes how Eucalyptus manages the networking aspect of a multi-cluster setup. First, in SYSTEM or STATIC networking modes, Eucalyptus does not perform any special configuration for a multi-cluster setup. In MANAGED and MANAGED-NOVLAN modes, Eucalyptus will set up layer two tunnels between your clusters, so that virtual machines that are in the same security group, but distributed across clusters (potentially each in their own broadcast domain), can communicate with one another. We use the 'vtun' package to handle all layer two tunneling between clusters.
For the most part, as long as 'vtun' is installed on your cluster controllers, multi-cluster tunneling is handled automatically by the cluster controller software. There are a few caveats to be aware of, depending on your chosen networking mode and network topology.
MANAGED mode: during normal operation, you will see many tunnel interfaces being created and destroyed as virtual networks are constructed and torn down.
MANAGED-NOVLAN mode: your CC will need to be configured with a bridge as it's primary, public interface (VNET_PUBINTERFACE) in order for vtun tunneling to work in this mode.
BOTH modes: the CC attempts to auto-discover it's list of local IP addresses upon startup, but if the IP that was used to register the CC is not locally available, you can override the CC's notion of 'self' by setting the 'VNET_LOCALIP' variable in eucalyptus.conf.
BOTH modes: do not run two CCs in the same broadcast domain with tunneling enabled, this will potentially lead to a broadcast storm as tunnels start forwarding packets in a loop on your local network.
If you wish to disable tunneling altogether, set 'VNET_LOCALIP=0.0.0.0' in eucalyptus.conf.