Deploy instance using Horizon

This guide describes how to deploy and instance from the Horizon GUI. To do this, only a browser is needed on the client. After launching the instance, advanced configuration and installation of applications are done from the command-line interface (for details, see https://pannet.atlassian.net/l/c/r6L5KuoC and https://pannet.atlassian.net/l/c/QTDZzFvU). The procedure described here gives an overview of the information needed to create and launch an instance.

Contents

To use Pan-Net Cloud Services, you need to have a tenant. The first step is to create or order a tenant on the Pan-Net portal as described in Create a tenant. You need to select a project name for the tenant, hereafter referred to as <project-name>. After the creation of the first tenant in a data center, the portal will send you an e-mail with a machine-generated password, denoted <password> in the text. This password is valid for all your tenants in the same data center. At this point it is also convenient to create a project directory on your client.

This guide describes how to create a virtual machine with networking, including the following steps:

  • Generate a key pair on the tenant and add it to the SSH client

  • Creation of instance using the Horizon wizard

  • Assignment and association of a public IP address

  • Allow SSH traffic to the instance by assigning to it a security group with suitable rules

Please note that assignment of the network, security group and floating IP can be done after the instance has been created and when it is running, whereas the key pair cannot be changed on a running instance.

Log in to Horizon

To use the Horizon GUI, the first step is to log in to the data center where the tenant was created. From the Pan-Net portal, you can access the Horizon dashboard by clicking on the URL link in an instance record found under My Account/Compute in the portal. (Figure 1).

On the login screen (Figure 2), enter user domain, your e-mail address and your data center password <password> generated at the time the first tenant in the data center was created, see Order a Compute product - Standard process

Please note that these details can also be found in the resource file as the values of the environmental variables OS_USER_DOMAIN_NAME, OS_USERNAME and OS_PASSWORD.

The first screen shown is the dashboard (Figure 3), which gives the usage status of the available resources in your tenant. Initially, all resources are unused, apart from a default security group that is created automatically. Your project name is shown on the left and your user name in the upper right corner.

From the left-hand side menu, select Instances. Initially, all the page is empty. After instances has been created, they will be listed on this page.

Create key pair on tenant

To create a key pair in the tenant, navigate to Compute/Key Pairs and click Create Key Pair. In the shown form, enter a name for the key pair, denoted by <key-pair-name> in the text, and click Create Key Pair (Figure 4).

After the key has been generated, a dialog is shown for downloading the generated certificate in PEM (Privacy Enhanced Mail) format, say <key-pair-name>.pem, that needs to be stored on the client. A suitable location to store the file is a project directory created for the tenant on the client machine. The certificate is needed to establish an SSH connection to the instance in a later step.

After creating the key, it should be visible in the Key Pairs window (Figure 5). If there are more than one key pair in the list, and the new key pair name is not selected as active, click on the arrow buttons to deselect the old key pair and select the new one.

Create and configure network

If there is no internal network present (created automatically with the tenant or in a previous deployment) then it needs to be configured in a few steps. Whether an internal network exists or not is easily checked by opening the Network/Networks menu item (Figure 6).

If there is only an external network present, then proceed with the steps below. Otherwise, this section can be skipped over.

Create network and subnet

The network wizard in Horizon creates both the network and subnet resources at the same time. It is launched by clicking on the button Create Network under Network/Networks (Figure 7).

In the first tab, a network name is required. Leaving the option Create Subnet selected, the wizard will create a subnet to this network. Click Next to continue.

Under the tab Subnet, enter a subnet name and an IP address range in CIDR format. When creating the subnet, the chosen IP range on the local network needs to be passed as an argument value. This range is expressed in CIDR notation and can be almost any legal IP address range. Common address ranges are 10.x.x.x or 192.168.x.x. In CIDR notation, the second range is written 192.168.0.0/24. The other options should be left with their default settings (Figure 8). Click Next to continue.

To be able to communicate with the outside world and resolve domain names, we need to point the VM to a domain name server. A convenient way to do this is to use Google’s name servers and set IP address 8.8.8.8 as primary and 8.8.4.4 as secondary DNS server. These addresses are entered in the designated field under the final tab (Figure 9).

Under Network/Networks, the created network is now visible (Figure 10).

Create router

The internal network needs to have a router, which is created by clicking the button Create Routers under Network/Routers (Figure 11).

This launches a wizard where a router name needs to be filled in. Next, click on Create Router (Figure 12).

The router can be found under the menu item Network/Routers as a new resource (Figure 13).

Add interface to internal network

The router also needs to be connected to the subnet over an interface. By clicking on the router name, some more options are shown (Figure 14).

Under the tab Interfaces, click on Add Interface (Figure 15)

In the input form that opens, the subnet that the router should interface must be selected (Figure 16). The field IP Address (optional) can be left empty, in which case a default IP address is assigned to the interface (usually the first IP address in the range).

On the parent page, the IP address of the router interface is now shown in the column Fixed IPs (Figure 17).

Start the instance wizard

Start the instance (virtual machine) creation wizard by clicking on the button Launch Instance under Compute/Instances on the right-hand side on the page (Figure 18).

The wizard contains a list of steps to define and configure an instance. The steps marked with a star contain mandatory information fields. The instance cannot be launched before all mandatory information has been entered into the wizard. However, many of these fields have default values that can be left unchanged. Only fields requiring user input are described below.

Add general instance details

The first required field is the name you need to choose for the instance in Instance Name (Figure 19). The name will be the initial host name of the server. It can be maximum 63 characters long and should avoid characters that could be ambiguous in command-line expressions.

This name is referred to as <server-name> in the text. The Count parameter determines the number of instances with the same parameters that will be created. Click Next to continue.

Specify source image

In the Source window, select the boot source for the operating system to be deployed in your virtual machine. You can either choose a predefined image from the displayed list, or upload your own source as described in Manage images. To select a predefined image, click on the upward pointing arrow button next to it to make it appear under Allocated. Figure 20 shows a selected image. If needed, you can remove a selected source by clicking on the downward pointing arrow button next to it, and then choose another one. Click Next to continue.

Select flavor

The Flavor window contains a lists of predefined instance configurations (in terms of compute, memory and storage capacity) from which a suitable alternative needs to be selected. A flavor is selected by clicking the arrow button next to it, which will move it to the Allocated row. A chosen instance flavor can deselected with the arrow button that appears next to it.

Resources for the chosen configuration will be reserved from free (unallocated) resources in your tenant space. You cannot deploy a configuration that requires more resources than there are available in any resource category. For configurations exceeding any of the available resources, a small warning icon is shown in the flavors list (Figure 21). Should such a configuration be selected, the Launch Instance button would remain inactive, preventing its launch.

Figure 22 shows a selected configuration within the limits of the resources. Click Next to continue.

Select network

The Networks window shows a list of generated networks. Select the internal network that contains that either has been created automatically or by following the steps under the section Create and configure network. It is selected by clicking on the arrow button next to it (Figure 23). Click Next to continue.

If a suitable security group has been created, this can be selected in the tab Select Security Group, but it can also be created and assigned at a later stage (as is done below). Only the default security group is allocated at this time (Figure 24). Click Next to continue.

Select Security Group

In the Select Key Pair window, the key pair created earlier should be allocated to the instance (Figure 25). It is possible to create a new key pair directly at this step, but using an existing key pair can avoid trouble connecting due to permission issues. Click Next to continue.

Select Key Pair

After having entered this information, no stars indicating incomplete mandatory information should be visible in the list on the left-hand side. A proper security group is still needed before the instance configuration is complete, but this can be done outside the wizard. You will now be able to launch the instance by clicking the button Launch Instance in the bottom right-hand corner of the window.

Launch the instance

Once you click the button Launch Instance your VM will be created (spawned) and you will be able to see the progress in the Instances window (Figure 26). This process takes a moment to complete.

Next you should see your VM with the following status field values (Figure 27):

  • Image Name with the chosen image (boot source)

  • IP Address with an internal (LAN) address

  • Flavor with the chosen configuration

  • Status should be “Active”

  • Power State should be “Running”

Associate floating IP

The tenant is pre-assigned two floating IP addresses by default. This is considered sufficient for deployments with efficient networking configurations as described in How-to guide Configure network. The user cannot increase the number of floating IP addresses; should more public IP addresses be needed, it is necessary to contact Pan-Net SOC, see Troubleshooting

On the Instances page, the last field Actions contains a button with further operations. In the drop-down menu, select Associate Floating IP. In the window that pops up, a drop-down menu of available public IP addresses is shown as well as a drop-down menu of end-points under Port to be associated (Figure 28).

In case the field IP Address states that “No Floating IP addresses are allocated” click on the '+' button next to the drop down menu (Figure 29).

This action will allocate the IP address from the pre-configured pool of floating IP addresses.

Next, click on Allocate IP, and in the following screen, select as port your VM, which is presented as <server-name>: <IP address>, where the IP address is the internal address. Click the button Associate for this binding to take effect (Figure 30).

The public IP address is now visible in the instance details (under Compute/Instances) as shown in Figure 31.

Configure security groups

Security groups controls which traffic types (protocols) to allow to or from an instance. A default security group is created automatically. Even if the default security group can be edited by adding rules for different traffic types, it is considered better practice to create a new security group for each application. For remote access to the instance, we need to allow SSH traffic. To do this, open the Network/Security Groups window and click Create Security Group (Figure 32).

Add a name to the security group (for example ssh-only) and click Create Security Group (Figure 33).

On the row of the newly created security group, click on Manage Rules (Figure 34).

A list of existing rules are shown, which for a newly created security group is empty. Click on Add Rule. In the opened window, select SSH from the drop-down menu Rule (Figure 35). Click on Add to apply.

In the list of allowed protocols in the security group, SSH on port 22 should now be visible Figure 36).

Note that for egress traffic, any traffic on any port should be allowed. To allow pinging to the instance, add the rule All ICMP on ingress from all IP addresses (CIDR 0.0.0.0/0). Click on Add to apply.

To allow ingress HTTP traffic, we need to add another rule to the security group. Click on Add Rule, select HTTP and click Add. The Security Group rules should now include the rules for SSH on port 22 and HTTP on port 80.

Assign security group

A security group can be assigned to an instance when the instance is created, or added to it later from the drop-down menu after the instance name in Compute/Instances (Figure 37).

Select Edit Security Group to open the window in Figure 38 and add the chosen security group by clicking on '+' and then Save. The security groups applied to the instance are listed on the right-hand side.

After the IP association has been made and a security group added that allows ICMP, you will be able to ping the instance at the public IP address. The public IP address is also visible under Instances in the field IP Address for the instance.

For more details on security groups, see How-to guide Configure security

Connect to the instance

At this point, we will need the certificate downloaded at the time the key pair was created. Change directory to where the file is located and set necessary permissions by

sudo chmod 0600 <key-pair-name>.pem

To establish a connection with an instance with the key <key-pair-name> associated to it, no password is needed. The connection is set up with the command

ssh -i <key-pair-name>.pem <user-name>@<IP address>

where <IP address> is the public IP address previously associated to the VM just created. The user name <user-name> is a default name associated with the image chosen for your VM’s operating system, for example ubuntu for Ubuntu. A table with these names can be found in Image service.

The first time SSH is invoked, you are presented with the fingerprint of the public key of the server and prompted to accept it (Figure 39).

Answering yes at the prompt launches the session and the server’s key is stored in the file /.ssh/known_hosts on the client for future use. The prompt now shows the user and remote host name (Figure 40).

A common error is forgetting to change permissions of the key file. Instead of opening the session, an error message is shown (Figure 41).

To fix this, simply do

sudo chown 0600 <key-pair-name>.pem

and issue the SSH command again.

Using the instance

Now, your virtual machine is configured with internet access and prepared for installation of applications. After connecting to the VM by SSH, you may, for example, perform a system update and upgrade directly on your VM by

sudo apt update && sudo apt upgrade

The procedure described in this chapter can be done directly from the command-line, as described in Deploy instance using CLI. In general, the command-line interface offers a higher degree of flexibility and efficiency - a single command can replace a number of GUI operations.

When the instance is ready to use, its floating IP can be reused after providing access through a bastion host for management operations, see Configure bastion host