Registering your cloud

Landscape offers you the ability to manage EC2 and Eucalyptus instances, making them automatically show up as registered computers and keeping the history of monitoring and activities over time.

To start, go to your Landscape account, click on Cloud in the left sidebar and then click Register a new cloud.

This will show you a form with the following fields:

Title: this can be anything you choose, helping you identify your cloud in the future. Let's choose Amazon US East.

Cloud provider: this is the provider which will host your instances, mapping to a server URL. You can select one of the provided options or type in a URL for a Eucalyptus endpoint. Examples of valid endpoint URLs are for Amazon EC2. For UEC, the service is exposed on port 8773, so a valid endpoint will look like: https://<>:8773/services/Eucalyptus

  • /!\ This must be an HTTPS URL on port 443 and the certificate has to be signed by a publicly recognized CA. In other words, self-signed certificates won't work.

Access Key ID: this is the identifier given to you to access the Amazon or Eucalyptus Web Services. It's a 20-character ASCII string. In the case of Amazon, you can find its value in your AWS account page.

Secret Access Key: this is the password associated with your identifier. It's a 40-character ASCII string; you can find it on the same page as your Access Key ID.

Once you've filled in this information, press Save. Landscape will try to connect immediately to the provider, checking your credentials.

You should get redirected to the main Cloud page if everything is correct.
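A local pre-check for the Cloud provider warning above (HTTPS, port 443, certificate from a publicly recognized CA), written as an added example that is not part of Landscape or of the original page. The host names are constructed, and the local system CA store is assumed to stand in for "publicly recognized".

```python
import socket
import ssl
from urllib.parse import urlsplit

def endpoint_problems(url):
    """Return the reasons a URL breaks the HTTPS-on-443 rule ([] means OK)."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no host name")
    try:
        # No explicit port means the HTTPS default, 443.
        port = 443 if parts.port is None else parts.port
    except ValueError:  # raised for a non-numeric or out-of-range port
        problems.append("port is not valid")
    else:
        if port != 443:
            problems.append(f"port {port} is not 443")
    return problems

def certificate_error(host, port=443, timeout=5.0):
    """Do a TLS handshake against the local system CA store.

    Returns None when the chain and host name verify, otherwise OpenSSL's
    reason (a self-signed certificate fails here). Needs network access.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus host name check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message

# Constructed sample URLs (hypothetical hosts, not from the original page).
SAMPLES = [
    "https://cloud.example.com/services/Eucalyptus",
    "https://cloud.example.com:8773/services/Eucalyptus",
    "http://cloud.example.com/services/Eucalyptus",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", endpoint_problems(url) or "OK")
```

Run `certificate_error("your.endpoint.host")` from a machine with network access before filling in the form; any non-None result means the certificate would not verify against a standard trust store.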

Creating instances

To start using your registered cloud, click on its title in the main Cloud listing. It will display a page showing you the virtual machine instances you have (if any) and links for editing and removing your cloud. Let's click on Create new instances.

You will see a form where you can create new instances. Let's examine the different fields:

Number of instances: this is the number of instances that Landscape will try to create. If the request is refused, an error will be reported and no instances will be created at all. Enter 1 to start.

Key pair: this is the identifier of the SSH key associated with your instances. You need to select one if you want SSH access to them.

Security groups: this is the list of security groups defined in your cloud. You should select at least one of them, especially if you want SSH access, for example.

Instance type: the type of an instance is basically the computing power you'll get, by CPU units and memory. In the case of Amazon EC2, look at the AWS documentation for information and pricing on instance types.

Ubuntu version: this is the version of Ubuntu that the instances will be running. This choice depends on the type of applications you'll use and which version they require. If you select "Other", then you will need to provide your own AMI name in the "Image Id" field.

Startup scripts: here you can see the content of your script library. You can select scripts to be run when your instances start, in the order you specify. Go to running scripts for more information about the script library.

Tags: this field allows you to choose which tags are going to be associated with your instances. You should have a list of existing tags, which you can click on to add to the input box. You can also enter new tags: they should be separated by spaces. It's a good idea to add a tag to differentiate instances from other computers in your account.

Once everything is set up, press Run. You will be redirected to the main cloud page, and the instances you created will appear in the instance listing, initially in the pending state.

Stopping and restarting instances

When you create an instance in the cloud, a corresponding computer is created in Landscape. If you go to the computer selection screen, you will see the list of computers in your account: the virtual machine instances can be differentiated from normal computers because they have a value in the last column, VM status. It can be one of pending, running, stopping or restarting. To help you further differentiate your instances from normal computers, you should assign a tag to the instances when you create them.

  • /!\ If you use a custom AMI which doesn't have landscape-client installed and configured, you will not be able to use the Landscape management features with it.

Click on the previously created instance, and you will be taken to the info page of that instance. There is a section dedicated to virtual machine instances called Virtual Machines. Here, you see two buttons: one for stopping your instance and the other for starting it again. The start button is disabled until the instance is actually in a stopped state. Restarting instances using this mechanism has a few benefits:

  • it keeps the instance settings you used previously (security groups, key pairs, image, startup scripts, etc.)
  • it keeps the settings in Landscape itself (attached custom graphs and alerts)
  • once started, the instance will use the same Landscape computer for itself, just updating its name and hostname

Managing key pairs

Let's get back to your main cloud screen. At the top right you have a section dedicated to SSH key pairs. A listing shows you all the key pairs currently in your account. You can select the ones you want to remove and press Remove to delete them permanently.

To create a new key pair, simply enter an identifier in the form field and press Create. The key pair is created in EC2 or Eucalyptus, and the private key file is presented to you as a download. Save it locally, and put it in a secure place, as you won't have any way to recover the contents of that file if you lose it. You can then use ssh -i /path/to/keypair.pem ubuntu@myec2hostname to connect to your instance.

See generating a keypair for some complementary information regarding Amazon's EC2 specifically but which also applies somewhat to Eucalyptus clouds.

Managing security groups

Security groups are a very important and powerful concept of EC2 and Eucalyptus for managing network security. A group is a named collection of network access rules, defining which incoming traffic is delivered to your instances.

To manage your security groups, go to your main cloud screen. The section Security groups presents a listing of the current security groups you already have in your cloud, so that you can easily remove them. Let's create a new security group:

  • Give a name to your security group. For example main-web.

  • Enter a description. For example, Allow web and admin accesses.

Then click Create. This will take you to a new screen where you edit the access rules of your security group. There are two different parts.

Allowed groups

In this section, you can allow another security group to access the current security group. This means that any instances created in the other security group will be able to access the instances in the current one. For example, it's a good idea to add the group itself, so that all the instances in the same group can communicate with each other.

The Owner field is the account number of the security group (defaults to your account). You can enter another account number if you want to allow instances from someone else.

The Group field is simply the name of the group to allow. In this case, enter main-web and press Create. The group is now listed under Allowed groups. You can select those groups and press Remove to disallow them again.

Allowed connections

In this section, you can allow specific connections pretty much like a traditional firewall. First, you select a type of connection: TCP, UDP or ICMP.

If you choose TCP or UDP, you can then choose a port range to allow. Ports go from 0 to 65535; you can enter the same port twice to only allow that port.

{i} Please note that "From" and "To" in this context are defining a range, and not the source and destination ports. In fact, both fields are about the destination port.

If you choose ICMP, you can select the type and code to allow.

The last field, CIDR, allows you to select which IP addresses to allow connections from. Two buttons help you select your current address (the one visible by Landscape) or all addresses.

See using network security for some complementary information regarding Amazon's EC2.
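The Allowed connections rules described above, modelled as an added example (not Landscape's or EC2's own code) to show that From and To bound the destination port and that CIDR restricts the source address. The sketch covers TCP and UDP rules only; the main-web rules and the addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

ANYWHERE = ipaddress.ip_network("0.0.0.0/0")  # the "all addresses" choice

@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp" or "udp" (ICMP type/code rules are not modelled)
    from_port: int  # start of the destination port range
    to_port: int    # end of the destination port range (same value = one port)
    cidr: str       # source addresses allowed to connect

    def __post_init__(self):
        if self.protocol not in ("tcp", "udp"):
            raise ValueError("this sketch only models TCP and UDP rules")
        if not 0 <= self.from_port <= self.to_port <= 65535:
            raise ValueError(f"bad port range {self.from_port}-{self.to_port}")
        ipaddress.ip_network(self.cidr)  # raises ValueError on a malformed CIDR

    def allows(self, protocol, src_ip, dst_port):
        return (protocol == self.protocol
                and self.from_port <= dst_port <= self.to_port
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.cidr))

def is_allowed(rules, protocol, src_ip, dst_port):
    """Default deny: traffic is delivered only if some rule matches it."""
    return any(r.allows(protocol, src_ip, dst_port) for r in rules)

def world_open(rules, sensitive_ports=(22,)):
    """Return the rules that expose a sensitive port to all addresses."""
    return [r for r in rules
            if ipaddress.ip_network(r.cidr) == ANYWHERE
            and any(r.from_port <= p <= r.to_port for p in sensitive_ports)]

# Constructed rules for the main-web group: web open to all, SSH to one admin.
MAIN_WEB = [
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "203.0.113.7/32"),  # documentation-range address
]

if __name__ == "__main__":
    print(is_allowed(MAIN_WEB, "tcp", "198.51.100.9", 22))  # stranger to SSH
    # From 22 / To 80 is a 59-port range, not "source 22 to destination 80".
    print(world_open(MAIN_WEB + [Rule("tcp", 22, 80, "0.0.0.0/0")]))
```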

Additional Information

Additional information on setting up Landscape to manage UEC (and resolve communication / port issues) is available here:

ManagingEC2 (last edited 2010-06-29 14:13:44 by bdevouge)