CloudStack User Guide
This is a user's guide on using CloudStack provided by Research Computing Services.
Introduction
Apache CloudStack is a Infrastructure as a Service (IaaS) platform that allows users to quickly spin up Linux/Non-Windows based virtual machines. RCS is providing this service to help researchers quickly set up and prototype short-term research related software on premises. CloudStack is not appropriate for long term (multi-year) workloads or workloads that depend on Windows. All CloudStack accounts are subject to a yearly renewal request. Services set up on CloudStack virtual machines can be accessed from the campus network and also the internet if required.
Access to CloudStack can be requested via ServiceNow.
Please refer to our CloudStack End User Agreement for acceptable uses and requirements.
Accessing the CloudStack management console
The CloudStack management console is a web-based portal that allows you to view and manage your cloud infrastructure including virtual machines, storage, and network. Any modern web browsers including Chrome, Firefox, Edge, and Safari is supported.
Access the CloudStack management console is possible only from an IT-managed computer or through the IT General VPN when working on unmanaged machines (eg. AirUC) or when working off campus (eg. at home). Please review the IT knowledge base article on connecting to the General VPN or contact IT support if you need assistance connecting to the General VPN.
Login to CloudStack
To log in to CloudStack, navigate to https://cloudstack.rcs.ucalgary.ca/. If this site fails to load, please make sure you are either on a IT managed computer or connected to the General VPN.
Sign in to CloudStack using the Single Sign-On option as shown in the image below. This method will require you to authenticate through our central authentication service using your University of Calgary IT credentials and will require multi-factor authentication. You must have multi-factor authentication set up either via your phone or with the Microsoft Authenticator app.
Note: Due to a bug with the UI, if the Single Sign-On option is disabled, please refresh the login page and try again. This issue should be addressed in our next update for CloudStack.
CloudStack Dashboard
After logging in, you will be presented with your CloudStack management console. The dashboard shows you a general overview of your account's status.
On the right hand side of the dashboard, you will also see recent activity and events that was done within your CloudStack account.
If you wish to see your CloudStack account resource quota and allocation, navigate to: Accounts -> Click on your account -> Resources
.
Working with virtual machines
CloudStack allows you to control the lifecycle of virtual machines within your cloud account. VMs may be started, stopped, rebooted, or destroyed within your management console.
Create a VM
To create a new VM, enter the CloudStack management console and navigate to: Compute -> Instances -> Add Instance
Virtual Machines require the following details:
- Deployment zone. Your account will already be placed in the appropriate zone.
- Boot template or ISO. You may choose either a pre-created template or boot from a custom CD-ROM ISO file.
- Compute offering. You may select an appropriate size for your new VM. Resources will be counted against your account's quota.
- Data Disk. You may choose to add an additional virtual disk to your VM to store your data. Alternatively, if you wish to use a single virtual disk for your VM, you may choose to override the size of your root disk in step 2 and select 'No thanks' in this step.
- Networks. You may choose one or more networks your VM should connect to. All CloudStack accounts come with a default network already created and ready to be used.
- SSH keypairs. For templates that support custom SSH key pairs, you may choose to use a custom SSH keypair to be installed as part of the deployment process.
- Advanced settings. For templates that support custom user-data (Cloud-Init), you may choose to enable the advanced settings and provide your own Cloud-Init user-data payload. More on this in the advanced tasks section below.
- Other VM details. You may give your new VM a friendly name and make it part of a group. Groups allow you to group related VMs together for better organization. You may change these details at a later time.
When you are done, review the instance summary on the right hand side and then click on the 'Launch Virtual Machine' button.
Choosing a virtual machine template
We provide a Rocky Linux 8.5 template for your convenience. Rocky Linux is an open source Linux distribution that is binary-compatible with Red Hat Enterprise Linux.
Template | Cloud-Init Support | Password Support | Default Username |
---|---|---|---|
RockyLinux 8.5 | Yes | Yes | rocky |
Ubuntu Server 22.04 | Yes | Yes | ubuntu |
Templates that support Cloud-Init will accept Cloud-Init configs provided under advanced settings (step 7). Templates that supports CloudStack's VM password management will also set the randomly generated password to the default user account.
Note: All VM templates are configured with SSH password authentication enabled. You should be able to authenticate as the rocky user via SSH using the generated password and with a SSH key pair that you specified during the VM creation step. The root account is disabled by default and cannot be used to log in.
Virtual machine credentials
VM templates that support password will have a randomly generated password set when the VM is first created or when a password reset request is made (available only when the VM is powered off). A randomly generated 6 character password will be displayed when a new password is set and appears as a notification in your CloudStack management console.
This password is set on the default username for your template. For example, the Rocky Linux VM template will set this password to the 'rocky' user account. You may become the super user by logging in as the rocky
user and then running sudo su
.
Note: If you specify a custom Cloud-Init config that creates additional users or sets account passwords, the displayed password will be overridden and have no effect.
Creating a custom template
Alternatively, you may decide to install a custom OS such as a different Linux distribution or other UNIX based operating systems and create a template from that. To create a custom template:
- Create a new virtual machine and select your custom ISO media. If you wish to upload your own ISO, see the 'register ISO' section below.
- Start the virtual machine and proceed through the OS setup process
- Once the system has been set up, prepare the VM to be templated by removing any host-specific files such as SSH host keys, static network configuration settings, temporary files and caches.
- Power off the virtual machine
- Navigate to the virtual machine page and click on the 'create template' button
Registering a custom ISO
You may install custom ISO file into your CloudStack account either by directly uploading the ISO through the web console or by providing a URL to the ISO file on the internet.
Please do not install Windows on our CloudStack infrastructure. If you need a Windows VM, please contact us as we have alternative solutions.
Download a ISO from the internet
To add a custom ISO file from the internet, enter the CloudStack management console and navigate to: Images -> ISOs -> Register ISO
You may check the state of the ISO file by clicking on it and verify the state of the file. If the file is successfully downloaded, its ready state should become ‘true’. The ISO file will only appear in the selection list when the file is downloaded successfully.
Upload a custom ISO
To upload an ISO file, enter the CloudStack management console and navigate to: Images -> ISOs -> Upload ISO from Local (icon)
Connecting to your VM console
The CloudStack management console has a KVM (keyboard, video, mouse) feature built-in, allowing you to remotely connect to and interact with your virtual machine. To connect to your virtual machine's console, navigate to: Compute -> Instances -> Your Instance -> View console
.
Expanding a VM disk
Virtual machine disks can be expanded after they are created within CloudStack. However, you will need to expand the partitions and filesystems manually.
To grow an existing disk:
- Go into your VM details page and click on ‘Volumes’.
- Click on the volume you wish to expand.
- Click on the ‘Resize Volume’ icon in the top right.
Once the volume has been expanded, you should be able to verify the disk volume has grown with lsblk
. There should also be some messages by the kernel when this occurs. However, you will still need to expand any partitions, volumes, and filesystems on your system manually.
To expand your partition, use the growpart
command followed by your disk device and partition number. Eg: /usr/bin/growpart /dev/vda 3
For LVM volume sets, you can expand the volume using the pvresize
and lvresize
commands:
/usr/sbin/pvresize -y -q /dev/vda3
/usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/<volume-name>
To expand your filesystem:
- XFS:
/usr/sbin/xfs_growfs <volume>
- EXT:
resize2fs <volume>
Destroying a VM
If you need to delete a VM, click on the red garbage bin icon in the VM instance page. All deletions are irreversible, so please make sure you have a copy of any data you need before proceeding.
The VM root volume can be deleted immediately by enabling the 'Expunge' option in the dialog box. If left disabled, the VM root volume will linger for a day before it is deleted by the system. You may wish to expunge a volume if you are running low on space or volume quota.
Virtual machine networking
The CloudStack platform allows you to define custom virtual private cloud (VPC) network which can contain any number of guest networks that your virtual machines connect to. Each guest network has its own private network address space and is not directly routable from campus or the internet. For virtual machines that require internet access, the VPC or guest network it is connected to must have a NAT IP address associated. The following diagram shows how a guest network connects to the internet and campus network.
In order to expose a virtual machine's services to campus or the internet, the appropriate port forwardings must be set up on the VPC containing the guest network. More on this will be discussed in the next section.
Having multiple guest networks allows for more advanced network setups but is not required. We recommend using a single flat network for most workloads.
By default, all CloudStack accounts come with a default VPC and guest network set up with a NAT IP assigned.
IP addresses
Due to the design decisions made during the setup of the CloudStack platform, only internal 10.44.12X.X IPs can be assigned to your VPC. These IP addresses are accessible from the university campus network. However, there is a special section of IP addresses that can be accessed from the internet.
IP address range | Accessible from | Internet IP mapping |
---|---|---|
10.44.120.3-128 | Campus, Internet | 10.44.120.X maps to 136.159.140.X (ports 80 and 443 only) |
10.44.120.129-255 | Campus only | N/A |
10.44.121.0-255 | Campus only | N/A |
10.44.122.0-255 | Campus only | N/A |
10.44.123.0-255 | Campus only | N/A |
If you need a service exposed to the internet, please request for a public IP address using our ServiceNow request form. Additionally, if your service is not port 80 or 443, you must also request for a firewall change request to allow the special port through.
Exposing a network service to campus
In order to make a virtual machine be visible to the campus network, you must first set up a port forwarding from a campus IP address to your virtual machine.
To create a port forwarding, navigate to Network -> VPC -> Select your VPC -> Public IP Addresses
. If you do not have any available IP addresses, you will need to click on 'Acquire New IP' and select an available IP address. Click on the IP address you wish to use to create a port forwarding on and then navigate to the 'Port Forwarding' tab. Enter the private port range, the public port range, the protocol, and select the target VM.
For example, to port forward only HTTP (tcp/80) traffic, you would enter the following:
Exposing a network to the internet
Exposing a service to the internet is the same as exposing it to campus. However, you must create a port forwarding on an IP address that maps to an internet IP address outlined in the IP address table above. If your account does not have one of these IP addresses available, please request for one on the ServiceNow request form.
By default, only ports 80 and 443 are allowed through the Internet IP address. For all other ports, please create a firewall rule change request in ServiceNow.
Automation
Cloud-Init
Using our Rocky Linux template and the Cloud-Init feature that's built in to CloudStack, you can easily set up virtual machines for specific tasks without any manual setup.
Docker host
Use the following Cloud-Init config to set up a new docker host with docker-compose.
#cloud-config
write_files:
- path: /usr/bin/expand_lvm_root
content: |
#!/bin/bash
/usr/bin/growpart /dev/vda 3
/usr/sbin/pvresize -y -q /dev/vda3
/usr/sbin/lvresize -y -q -r -l +50%FREE /dev/mapper/*root
/usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/*var/dev/mapper/*root
/usr/sbin/xfs_growfs /
/usr/sbin/xfs_growfs /var
permissions: '0700'
- path: /usr/bin/setup_docker
content: |
#!/bin/bash
yum install -y yum-utils
yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io
systemctl start docker
systemctl enable docker
curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
permissions: '0700'
- path: /root/docker-compose.yml
permissions: '0700'
content: |
version: '3.3'
services:
web:
image: php:7.4-apache
restart: always
user: "0:0"
volumes:
- /var/www/html:/var/www/html
ports:
- "80:80"
- path: /var/www/html/index.php
permissions: '0644'
content: |
<h1>Hello there!</h1>
<p>I see you from <?php echo $_SERVER['REMOTE_ADDR']; ?></p>
'"`UNIQ--pre-00000001-QINU`"'
# Ensure VM has the largest / possible
runcmd:
- /usr/bin/expand_lvm_root
- /usr/bin/setup_docker
- cd /root; docker-compose up -d
CloudStack API
You can request for a CloudStack API key to automate infrastructure deployment using Terraform or CloudMonkey. A new API key can be generated by navigating to your profile page (top right) and then clicking on the 'Generate keys' button.
Terraform Integration
Terraform allows you to define infrastructure as code and can be used in conjunction with CloudStack to configure your virtual machines and guest networks. Use the official CloudStack provider.
The following is an example Terraform file for reference. Specify your CloudStack API keys either as a separate vars.tf
.
# Configure the CloudStack Provider
terraform {
required_providers {
cloudstack = {
source = "cloudstack/cloudstack"
version = "0.4.0"
}
}
}
provider "cloudstack" {
api_url = "${var.cloudstack_api_url}"
api_key = "${var.cloudstack_api_key}"
secret_key = "${var.cloudstack_secret_key}"
}
# Create a new VPC
resource "cloudstack_vpc" "default" {
name = "wedgenet-vpc"
display_text = "wedgenet-vpc"
cidr = "100.64.0.0/20"
vpc_offering = "Default VPC offering"
zone = "zone1"
}
# Create a new ACL
resource "cloudstack_network_acl" "default" {
name = "vpc-acl"
vpc_id = "${cloudstack_vpc.default.id}"
}
# One ingress and one egress rule for the ACL
resource "cloudstack_network_acl_rule" "ingress" {
acl_id = "${cloudstack_network_acl.default.id}"
rule {
action = "allow"
cidr_list = ["0.0.0.0/0"]
protocol = "tcp"
ports = ["22", "80", "443"]
traffic_type = "ingress"
}
}
resource "cloudstack_network_acl_rule" "egress" {
acl_id = "${cloudstack_network_acl.default.id}"
rule {
action = "allow"
cidr_list = ["0.0.0.0/0"]
protocol = "all"
traffic_type = "egress"
}
}
# Create a new network in the VPC
resource "cloudstack_network" "primary" {
name = "primary"
display_text = "primary"
cidr = "100.64.1.0/24"
network_offering = "DefaultIsolatedNetworkOfferingForVpcNetworks"
acl_id = "${cloudstack_network_acl.default.id}"
vpc_id = "${cloudstack_vpc.default.id}"
zone = "zone1"
}
# Create a new public IP address for this network
resource "cloudstack_ipaddress" "public_ip" {
vpc_id = "${cloudstack_vpc.default.id}"
network_id = "${cloudstack_network.wosnet1.id}"
}
# Create VMs.
resource "cloudstack_instance" "vm" {
count = 1
name = "vm${count.index+1}"
zone = "zone1"
service_offering = "rcs.c4"
template = "RockyLinux 8.5"
network_id = "${cloudstack_network.wosnet1.id}"
# Cloud Init data can be used to configure your VM on first startup if your template supports Cloud Init
user_data = <<EOF
#cloud-config
# Require specific packages
packages:
- tmux
- git
- tcpdump
EOF
}
Troubleshooting
Cannot create a volume snapshot
Volume snapshots can only be taken on VMs that are powered off.
Cannot create a VM snapshot
Disk-only VM snapshots cannot be taken when the VM is running. If you intend to snapshot a running system, you must also snapshot its memory.
VM state is still running after shutdown
After running 'shutdown' on a VM, the VM state reported by CloudStack is still running.
Please try to do a force shutdown from the CloudStack management console. The VM state isn't updated by CloudStack and as a result, the state of a VM isn't properly reflected when power state changes outside of CloudStack (likely a bug?)