
Meghdoot Administration Guide Version 1.

Meghdoot Administration Manual
Revision: 1.0 (Beta Release)
Document Id: CDAC/CHN/Cloud/Meg-Adm-001
You can find the most up-to-date documentation on our Web site at http://cdaccloud.com

Copyright 2012 CDAC Chennai. All rights reserved.


CDAC Page 2

Contents
1. Introduction to Meghdoot and its components
   1.1 Terms & Conditions
   1.2 Meghdoot
   1.1.1 Meghdoot Architecture

2. Installation of Meghdoot and its Components
   2.1 Installation/Configuration of Cloud Components
   2.2 Cloud Installation in Nodes
   2.3 Management of Cloud
       2.3.1 Image Management
       2.3.2 Storage Management
       2.3.3 Instance Management
       2.3.4 Security Management
       2.3.5 Monitoring
       2.3.6 Elasticity

3. Portal
   3.1 Cloud Management
   3.2 Security Console
   3.3 Resource Request
   3.4 Resource Info
   3.5 User Info
   3.6 Administration


4. Troubleshooting
   4.1 Meghdoot Log Files


Chapter 1
Introduction to Meghdoot and its components
1.1 Meghdoot

The product features automated deployment of the cloud stack and provides a convenient environment, through a portal, for infrastructure requests, application hosting, and viewing usage and billing information. It lets administrator users manage their entire cloud environment and security administrators monitor security violations.

Features of Meghdoot

- Operating system kernel identification for incorporating advanced cloud features
- Hypervisor of a stable version which falls under open source compliance and is compatible with the identified OS
- Identification of advanced tools and cloud features which are compatible with the identified OS and hypervisor
- Security Management which provides the security solutions for the cloud environment
- User management portal with administrative capabilities including adding/editing users and roles
- Module for Infrastructure request, Application hosting, Storage and SaaS
- Modules for monitoring Infrastructure request, Application hosting and billing information about cloud usage
- Modules which include customizing contents of the portal
- Modules for incorporating elasticity features at Cloud services
- Modules for achieving high availability at cloud stack components and virtual machines
- Modules for software management


1.1.1 Meghdoot Architecture


Chapter 2
Installation of Meghdoot and Components
Setting up the machine for installation of Cloud Components

Checking for a valid IP address: make sure that your machine has a valid IP address by using the following procedure.

Click Applications -> Accessories -> Terminal
Run the command: ifconfig

Note: Check whether you have an IP address assigned to the eth0 interface. If not, contact the system administrator and check your network configuration.

Disable the peth0 interface

Note: If the peth0 interface has not been created, check whether you have booted the Xen kernel.

Click Applications -> Accessories -> Terminal
Run the command: ifconfig peth0 0

Disable the proxy in the web browser

Open the Iceweasel browser -> Edit -> Preferences -> click Advanced -> click the Network tab -> Settings -> select the No proxy option and then click OK.

Note: Log in as the root user to proceed with the cloud installation.

First log in using the user name and password you specified during installation, and then make the following changes to log in as the root user.
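The two conditions the procedure above asks you to verify by hand (eth0 has an IPv4 address, and the machine booted a Xen kernel so that peth0 exists) can be checked by a small script before the installer is started. The following is an added example, not code from the Meghdoot manual; the ifconfig output it parses is a constructed sample, and on a real host the sample and the literal kernel release are replaced by `ifconfig` and `uname -r`.

```sh
#!/bin/sh
# Added example, not part of the Meghdoot manual: pre-flight check for the
# setup procedure (IPv4 address on eth0, Xen kernel booted).

# iface_ipv4 IFACE: read ifconfig output on stdin and print IFACE's first IPv4
# address ("inet addr:1.2.3.4" on older ifconfig, "inet 1.2.3.4" on newer).
# Returns 1 when the interface is absent or has no IPv4 address.
iface_ipv4() {
    awk -v want="$1" '
        /^[A-Za-z0-9]/ { cur = $1; sub(/:$/, "", cur) }   # non-indented line names an interface
        cur == want && /inet (addr:)?[0-9]/ {
            sub(/.*inet (addr:)?/, "")      # drop everything up to the address
            sub(/[ \t].*/, "")              # drop Bcast/Mask that follow it
            print; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# kernel_is_xen RELEASE: true when a `uname -r` string names a Xen kernel.
kernel_is_xen() {
    case "$1" in
        *xen*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample of ifconfig output (not captured from a real host):
# eth0 has an address, peth0 has none.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.61.19  Bcast:192.168.61.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

peth0     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING  MTU:1500  Metric:1'

# preflight: run both checks. Returns 1 (with a message on stderr) on the
# first failed condition, so it can gate the rest of an install script.
preflight() {
    if ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_ipv4 eth0); then
        echo "eth0 has IPv4 address $ip"
    else
        echo "eth0 has no IPv4 address: contact the system administrator" >&2
        return 1
    fi
    if kernel_is_xen "2.6.32-5-xen-amd64"; then    # on a real host: "$(uname -r)"
        echo "Xen kernel booted"
    else
        echo "not a Xen kernel: peth0 will not exist" >&2
        return 1
    fi
}

preflight
```

The interface is located by the non-indented header line rather than by grepping for `inet` globally, so an address on peth0 or lo is never mistaken for one on eth0.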


2.1 Installation/Configuration of Cloud Components

Getting started with installation of Cloud Components

Double click the icon at the Desktop. Tick the "I hereby agree to the" checkbox and click Proceed.


Installation of Cloud Controller

Click the option Configure Cloud.

To install the necessary cloud components, tick the check box for each component and finally click the Proceed button. For a first-time installation, select the option Cloud Controller (CLC) and click Proceed.


Note: If your machine is a Node Controller, stop the Postgres and MySQL services.

Enter the password for the machine. Select the option Now for all components and then click Proceed.

Installation of Cluster Controller

Enter the name of your Cluster. You can select the option Self to install the component on the same machine, or the option Other to install it on another machine.


If you select the option Other, provide the IP address and password of the desired machine and click the Proceed button.


Installation of Walrus

You can select the option Self to install the component on the same machine, or the option Other to install it on another machine.

If you select the option Other, provide the IP address and password of the desired machine and click the Proceed button.


Installation of Storage Controller

You can select the option Self to install the component on the same machine, or the option Other to install it on another machine.

If you select the option Other, provide the IP address and password of the desired machine and click the Proceed button.


2.2 Cloud Installation in Nodes

You can select the option Self to install the component on the same machine, or the option Other to install it on another machine.

If the option Other is selected, provide the IP address and password of the desired machine and click the Proceed button.


Finish Installation

Check the IPs you have given for each component. Click the Finish button to complete the installation of all components.


Portal Configuration Wizard

The Meghdoot Installer configures and deploys the Cloud Portal automatically. The following screen appears: the Meghdoot Portal requires the password of the Eucalyptus Administrator to be enabled and changed.

To change the password of the Eucalyptus Administrator, click on "Click here to open Eucalyptus Page". This opens a browser. The Eucalyptus Portal is SSL-enabled by default, and because the browser does not trust the portal's certificate the user has to trust it manually: click on "I Understand the Risks", then click on the "Confirm Security Exception" button.

Note: This installer must be run as the root user.


Once the user has confirmed the certificate, the Eucalyptus Portal is displayed, as shown below. The default user name and password are given below.

Username: admin
Password: admin

Once the password has been updated, click on the logout link and close the browser. Return to the installer and click on the Next button. A confirmation appears; if you have changed the password, click OK and continue.


The Meghdoot Portal configuration wizard appears; click the Next button.


The Meghdoot Portal configuration wizard displays two options, Configuring Meghdoot Portal and Configuring SaaS. Click on Configuring Meghdoot Portal.

This screen covers configuration of the Cloud Controller IP address, the default Eucalyptus Machine Image (EMI) to be used for the AppHosting part, the URL of Hyperic (Monitoring), the Eucalyptus Cloud Controller Portal, the WAF Console and the HIDS Console. Once the details are entered, click on the Next button.


Configure the Elasticity Server component path, the metering cost for storage and the IP address to be used for AppHosting. Once the information is entered, click on the Next button.

Configure the Database Server and SMTP (for sending e-mail to users). Once the configuration information is entered, click on the Next button. A confirmation dialog appears. If the configuration is final, click on the OK button; if modifications are required, click on the Cancel button. You may click on the Previous button to make the necessary changes.


A message dialog appears once the configuration details are saved.


Click on the OK button. The next part is deployment of the Cloud Portal. Click on the Deploy Portal button to install the portal. Installing the portal requires a restart of the Apache Tomcat server, so a confirmation dialog prompts the user to confirm the Apache Tomcat server restart.

The required files for the portal are now copied. The Apache Tomcat server is restarted automatically after the portal deployment completes.


Once the Apache Tomcat server has started, the URL to access the portal is shown in the Status field.


Configuring SaaS

Click on the Proceed with configuring SaaS button.

The Meghdoot portal configuration wizard for SaaS appears.

The next screen covers the database configuration for the Cloud Portal. Specify the Database URL, Database Username and Database Password. Once the details are entered, click on the 'Test Database Connection' button.

If the database configuration is wrong, the status shows the failure and the installer cannot proceed until correct details are entered.

If the database configuration is correct, the Next button on the screen is enabled. Click on the Next button to continue.

In the following screen, enter the Application Name, Application URL, Application Description and Billing Amount. Once the inputs are given, click on the 'Add SaaS Details' button to save the details.

To exit the installer, click on the Exit the Wizard button.


2.3 Management of Cloud


Cloud Web Management Interface

The Cloud Web Management Interface is designed to give the admin control over the cloud components. The cloud components are as follows:

- Cloud Controller
- Cluster Controller
- Walrus
- Storage Controller
- Node Controller

URL to Access the Application

http://IP-Address-of-Cloud:5454/meghdootnodeinstaller

For example, if the IP address of the cloud machine is 192.168.61.19, then the URL is http://192.168.61.19:5454/meghdootnodeinstaller

Add a Node Controller: To add a Node Controller, click Operation and select Add a Node. Enter the IP address and the associated root password for that machine and then click the Test button.


Note: To register a machine as a Node Controller, the designated machine must have been booted with the Xen kernel, and the xend and libvirt services must be running. The Cloud Management tool detects these prerequisites itself. Once the conditions are satisfied, the following screen appears. Click Proceed to continue.

A cloud can have any number of Cluster Controllers, and a Node Controller can be added to any of them. To add a Node Controller, the admin password and IP address of the Cluster Controller are required. Installation of a Node Controller requires a user account named eucalyptus; specify the password for the user eucalyptus. The default instances directory location is /usr/local/instances; change it if you need another location. Now click the Install Node Services button to continue.


Click Next to continue until you get a window as follows.


Click Next to complete the Node Controller installation. After the Node Controller installation completes, a window appears as follows.

The details about the Node Controller can be downloaded in PDF format (encrypted or unencrypted): select the option Default or With Password and then click the Submit button.

Download the PDF in encrypted form.


Remove Node

To remove a Node Controller, click Operation and select the option Remove a Node, enter the IP address and password of the desired Node Controller and then click the Submit button.

Once the node has been removed successfully, the following screen will be displayed.


If an attempt is made to remove a machine that is not in the cloud, the Management tool reports an error.

Status

Cloud Host Status

To get information about the Cloud Controller, click Status and select Cloud Host Status. This provides the IP address, process ID, ping status and service status. The following figure illustrates a sample output.


Storage Service Status

To check the status of the Storage Controller or Walrus, click Status and select Storage Service Status. In the option Select a Cloud Service, select Walrus or Storage Controller and provide the IP address and password accordingly.

Click Submit to get the information about Walrus/Storage Controller. Sample figures are shown below.


If you choose the option Storage Controller, the following page is displayed.

Cluster Status

To get information about the Cluster Controller, click Status and select Cluster Status, then provide the IP address and password and click Submit. This provides the status of the Cluster and Node machine(s); a sample output is shown below.

The user can choose the option Check Node Service Status or Check Node Availability Status (PING) under Node Status and check accordingly.

View

Cloud Host Configuration

To see the cloud configuration, click View and select the option Cloud Host Configuration. The configuration information, which consists of the IP address of the Cloud Controller, network mode, scheduling policy etc., is displayed as follows.


Other Host Configuration

To see the configuration of another Cloud Controller, click View and select the option Other Host Configuration, then provide the IP address and password. A sample output is shown below.

The user can save this information by clicking Save as Report.


2.3.1 Image Management

Managing Eucalyptus Images

First, be sure to source your 'eucarc' file before running the commands below. Note that all users may upload and register images (depending on the access granted to them by the Eucalyptus administrator), but only the admin user may upload or register kernels or ramdisks.

Second, the instructions below rely on the euca2ools command-line tools distributed by the Eucalyptus Team. Please install them if you haven't done so already.

Note: Images are available on our website. Please download them from www.cdaccloud.com/Images and unpack them:

tar zxvf centos.tar.gz      (or debianos.tar.gz)

Adding Images

To make a VM image an executable entity, a user/admin must add a root disk image and a kernel/ramdisk pair (the ramdisk may be optional) to Walrus and register the uploaded data with Eucalyptus. Each is added to Walrus and registered with Eucalyptus separately, using three EC2 commands.

The following example uses the test image that we provide. Unpack it to any directory. Add the kernel to Walrus and register it with Eucalyptus (WARNING: your bucket names must not end with a slash!).

Adding the kernel image to Walrus:

euca-bundle-image -i <kernel file> --kernel true
euca-upload-bundle -b <kernel bucket> -m /tmp/<kernel file>.manifest.xml
euca-register <kernel bucket>/<kernel file>.manifest.xml

Next, add the ramdisk image to Walrus:

euca-bundle-image -i <initrd file> --ramdisk true
euca-upload-bundle -b <initrd bucket> -m /tmp/<initrd file>.manifest.xml
euca-register <initrd bucket>/<initrd file>.manifest.xml

Next, add the root filesystem image to Walrus:

euca-bundle-image -i <vm image file>
euca-upload-bundle -b <image bucket> -m /tmp/<vm image file>.manifest.xml
euca-register <image bucket>/<vm image file>.manifest.xml

Our test kernel does not require a ramdisk to boot. If the administrator would like to upload/register a kernel/ramdisk pair, the procedure is similar to the above:

Associating kernels and ramdisks with instances

There are three ways that one can associate a kernel (and ramdisk) with a VM instance.

1. A user may associate a specific kernel/ramdisk identifier with an image at the 'euca-bundle-image' step:

   euca-bundle-image -i <emi-XXXXXXXX> --kernel <eki-XXXXXXXX> --ramdisk <eri-XXXXXXXX>

2. A user may choose a specific kernel/ramdisk at instance run time as an option to 'euca-run-instances':

   euca-run-instances --kernel <eki-XXXXXXXX> --ramdisk <eri-XXXXXXXX> <emi-XXXXXXXX>

3. The administrator can set 'default' registered kernel/ramdisk identifiers that will be used if a kernel/ramdisk is unspecified by either of the above options. This is accomplished by logging in to the administrative interface (https://your.cloud.server:8443), clicking on the 'Configuration' tab and adding an <eki-xxxxxxxx> and optionally an <eri-xxxxxxxx> as the default kernel/ramdisk to be used.

Deleting Images

To delete an image, you must first de-register it:

euca-deregister <emi-XXXXXXXX>

Then you can remove the files stored in your bucket. Assuming you have sourced your 'eucarc' to set up the EC2 client tools:


euca-delete-bundle -a $EC2_ACCESS_KEY -s $EC2_SECRET_KEY --url $S3_URL -b <bucket> -p <file prefix>

If you would like to remove the image and the bucket, add the '--clear' option:

euca-delete-bundle -a $EC2_ACCESS_KEY -s $EC2_SECRET_KEY --url $S3_URL -b <bucket> -p <file prefix> --clear

Note: Instead of specifying EC2_ACCESS_KEY and EC2_SECRET_KEY, you can source the eucarc file in each terminal as follows.

# source /root/.euca/eucarc

Examples

The following is an example using the Ubuntu pre-packaged image that we provide, using the included KVM-compatible kernel/ramdisk (a Xen-compatible kernel/ramdisk is also included). See this page to get more pre-packaged images.

tar zxvf euca-ubuntu-9.04-x86_64.tar.gz

euca-bundle-image -i euca-ubuntu-9.04-x86_64/kvm-kernel/vmlinuz-2.6.28-11-generic --kernel true
euca-upload-bundle -b ubuntu-kernel-bucket -m /tmp/vmlinuz-2.6.28-11-generic.manifest.xml
euca-register ubuntu-kernel-bucket/vmlinuz-2.6.28-11-generic.manifest.xml
(set the printed eki to $EKI)

euca-bundle-image -i euca-ubuntu-9.04-x86_64/kvm-kernel/initrd.img-2.6.28-11-generic --ramdisk true
euca-upload-bundle -b ubuntu-ramdisk-bucket -m /tmp/initrd.img-2.6.28-11-generic.manifest.xml



euca-register ubuntu-ramdisk-bucket/initrd.img-2.6.28-11-generic.manifest.xml
(set the printed eri to $ERI)

euca-bundle-image -i euca-ubuntu-9.04-x86_64/ubuntu.9-04.x86-64.img --kernel $EKI --ramdisk $ERI
euca-upload-bundle -b ubuntu-image-bucket -m /tmp/ubuntu.9-04.x86-64.img.manifest.xml
euca-register ubuntu-image-bucket/ubuntu.9-04.x86-64.img.manifest.xml

Now the newly uploaded image(s) should be ready to use.
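The bundle / upload / register sequence above is run three times and the ids that euca-register prints are copied by hand into $EKI and $ERI. The following is an added example, not code from the Meghdoot manual or from euca2ools, that scripts the sequence with two checks the text asks for: the bucket name must not end with a slash, and the id that gets passed to the next step must actually be an eki-/eri-/emi- identifier. Two assumptions are labelled in the code: euca-register prints a line of the form "IMAGE <id>", and the manifest is written to /tmp as the commands above show. The three tools are reached through EUCA_BUNDLE, EUCA_UPLOAD and EUCA_REGISTER so the script can be exercised offline against constructed stand-ins before it touches Walrus.

```sh
#!/bin/sh
# Added example, not part of the Meghdoot manual or of euca2ools: scripted
# kernel / ramdisk / root-image registration with id capture.

# check_bucket_name NAME: reject an empty name or one ending in "/"
# (the manual's warning: bucket names must not end with a slash).
check_bucket_name() {
    case "$1" in
        "") echo "bucket name is empty" >&2; return 1 ;;
        */) echo "bucket name '$1' must not end with a slash" >&2; return 1 ;;
    esac
}

# parse_image_id: read euca-register output on stdin and print the registered
# id. Assumption: the tool prints "IMAGE <id>". Only a well-formed eki-/eri-/
# emi- id is accepted, so an error message is never passed on as if it were an id.
parse_image_id() {
    awk '$1 == "IMAGE" && $2 ~ /^(eki|eri|emi)-[0-9A-Fa-f]+$/ { print $2; found = 1; exit }
         END { exit found ? 0 : 1 }'
}

# register_part KIND FILE BUCKET [extra euca-bundle-image options]
# KIND is kernel, ramdisk or image. Runs the three commands in order, stops at
# the first failure and prints the id reported by euca-register.
register_part() {
    kind="$1"; file="$2"; bucket="$3"; shift 3
    check_bucket_name "$bucket" || return 1
    case "$kind" in
        kernel)  flag="--kernel true" ;;
        ramdisk) flag="--ramdisk true" ;;
        image)   flag="" ;;
        *) echo "unknown part kind '$kind' (kernel|ramdisk|image)" >&2; return 1 ;;
    esac
    manifest="/tmp/$(basename "$file").manifest.xml"     # assumption: manifest lands in /tmp
    ${EUCA_BUNDLE:-euca-bundle-image} -i "$file" $flag "$@" >/dev/null || return 1
    ${EUCA_UPLOAD:-euca-upload-bundle} -b "$bucket" -m "$manifest" >/dev/null || return 1
    ${EUCA_REGISTER:-euca-register} "$bucket/$(basename "$manifest")" | parse_image_id
}

# Constructed stand-ins that print what the real tools would print; they let
# the example run offline and are not part of euca2ools.
fake_bundle()   { echo "Generating manifest /tmp/$(basename "$2").manifest.xml"; }
fake_upload()   { echo "Uploaded image as $2/$(basename "$4")"; }
fake_register() {
    case "$1" in
        *vmlinuz*) echo "IMAGE eki-0A1B2C3D" ;;
        *initrd*)  echo "IMAGE eri-4E5F6A7B" ;;
        *)         echo "IMAGE emi-8C9D0E1F" ;;
    esac
}

# register_ubuntu_example: the manual's three-step Ubuntu example with the ids
# captured instead of copied by hand. Prints "EKI ERI EMI".
register_ubuntu_example() {
    dir=euca-ubuntu-9.04-x86_64
    eki=$(register_part kernel  "$dir/kvm-kernel/vmlinuz-2.6.28-11-generic"   ubuntu-kernel-bucket)  || return 1
    eri=$(register_part ramdisk "$dir/kvm-kernel/initrd.img-2.6.28-11-generic" ubuntu-ramdisk-bucket) || return 1
    emi=$(register_part image   "$dir/ubuntu.9-04.x86-64.img" ubuntu-image-bucket --kernel "$eki" --ramdisk "$eri") || return 1
    echo "$eki $eri $emi"
}

# Dry run against the stand-ins; leave the three variables unset to use the real tools.
EUCA_BUNDLE=fake_bundle EUCA_UPLOAD=fake_upload EUCA_REGISTER=fake_register
register_ubuntu_example
```

Because each id is validated before it is interpolated into the next command line, a failed euca-register (which would leave $EKI empty or hold an error string) stops the sequence instead of producing a root image registered against a bogus kernel.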

2.3.2 Storage Management

Interacting With Block Storage

The Block Storage Service in Eucalyptus is interface-compatible with Amazon's Elastic Block Store, so you can use either EC2 commands or euca2ools commands to control it. The instructions below rely on the euca2ools command-line tools distributed by the Eucalyptus Team. Please install them if you haven't done so already. The following operations are possible.

Creating volumes

You may create a volume either from scratch or from an existing snapshot.

euca-create-volume --size <size> --zone <zone>

where <size> is the size in GB and <zone> is the availability zone you wish to create the volume in (use euca-describe-availability-zones to discover zones). For instance,


euca-create-volume --size 1 --zone myzone

will create a 1 GB volume in the availability zone "myzone".

To create a volume from a snapshot:

euca-create-volume --snapshot <snapshot id> --zone <zone>

where <snapshot id> is the unique identifier for a snapshot and <zone> is the availability zone you wish to create the volume in. For instance,

euca-create-volume --snapshot snap-EF4323 --zone myzone

will create a volume from the snapshot "snap-EF4323" in the zone "myzone".

Querying the status of volumes

euca-describe-volumes

Volumes marked "available" are ready for use.

Attaching a volume

You can attach volumes to existing instances (that have been started with euca-run-instances). You may attach a volume to only one instance at a time.

euca-attach-volume -i <instance id> -d <local device name> <volume id>


where <volume id> is the unique identifier for a volume (vol-XXXX), <instance id> is a unique instance identifier and <local device name> is the name of the local device in the guest VM. For instance,

euca-attach-volume -i i-345678 -d /dev/sdb vol-FG6578

will attach the previously unattached volume "vol-FG6578" to instance "i-345678" with the local device name "/dev/sdb".

Detaching a volume

euca-detach-volume <volume id>

where <volume id> is the unique identifier for a previously attached volume (vol-XXXX). For instance,

euca-detach-volume vol-FG6578

will detach volume "vol-FG6578".

Important! The user of the instance is responsible for making sure that the block device is unmounted before a detach. Detach cannot ensure the consistency of user data if the user detaches a volume that is in use.

Deleting a volume

euca-delete-volume <volume id>

where <volume id> is the unique identifier for a volume (vol-XXXX).

Creating a snapshot from a volume

You can snapshot a volume so that you can create volumes from the snapshot in the future.

euca-create-snapshot <volume id>

where <volume id> is the unique identifier for a volume (vol-XXXX). For instance,

euca-create-snapshot vol-GH4342

will snapshot the volume "vol-GH4342". The volume to be snapshotted needs to be "available" or "in-use"; you cannot snapshot a volume that is in the "creating" state.

Querying the status of snapshots

euca-describe-snapshots

You may create volumes from snapshots that are marked "completed".

Deleting a snapshot

euca-delete-snapshot <snapshot id>

where <snapshot id> is the unique identifier for a snapshot.
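The block storage section above states three state rules: a volume is usable when "available", a snapshot may be taken only of an "available" or "in-use" volume (never one that is "creating"), and a volume may be created only from a "completed" snapshot. The following is an added example, not code from the Meghdoot manual or from euca2ools, that reads those states out of euca-describe-volumes / euca-describe-snapshots output and applies the rules before the next command is issued. The sample output is constructed; the assumption, labelled in the code, is that the tools print one "VOLUME ..." or "SNAPSHOT ..." line per object with the id in the second column. The state is found by value rather than by column number because the snapshot column is blank for volumes created from scratch, which shifts the remaining columns.

```sh
#!/bin/sh
# Added example, not part of the Meghdoot manual or of euca2ools: state checks
# for volumes and snapshots before create-snapshot / create-volume.

# volume_state VOL-ID: print the state of VOL-ID from euca-describe-volumes
# output on stdin; returns 1 if the volume is not listed.
# Assumption: lines look like "VOLUME <id> <size> [<snapshot>] <zone> <state> <time>".
volume_state() {
    awk -v id="$1" '
        $1 == "VOLUME" && $2 == id {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^(creating|available|in-use|deleting|deleted|failed)$/) {
                    print $i; found = 1; exit
                }
        }
        END { exit found ? 0 : 1 }'
}

# snapshot_state SNAP-ID: same for euca-describe-snapshots output.
snapshot_state() {
    awk -v id="$1" '
        $1 == "SNAPSHOT" && $2 == id {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^(pending|completed|failed)$/) { print $i; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# The three rules from the text, as predicates reading the same stdin.
volume_ready()         { [ "$(volume_state "$1")" = "available" ]; }
volume_snapshottable() {
    s=$(volume_state "$1") || return 1
    [ "$s" = "available" ] || [ "$s" = "in-use" ]
}
snapshot_ready()       { [ "$(snapshot_state "$1")" = "completed" ]; }

# guard_snapshot VOL-ID: the check a wrapper around euca-create-snapshot
# should make first. Reads describe-volumes output on stdin.
guard_snapshot() {
    if volume_snapshottable "$1"; then
        echo "ok: euca-create-snapshot $1"
    else
        echo "refusing: $1 is not in state available or in-use" >&2
        return 1
    fi
}

# Constructed samples in the shape described above (not real cloud output).
SAMPLE_VOLUMES='VOLUME vol-FG6578 1 myzone available 2012-05-01T10:00:00.000Z
VOLUME vol-GH4342 5 myzone in-use 2012-05-01T10:05:00.000Z
VOLUME vol-1A2B3C 2 snap-EF4323 myzone creating 2012-05-01T10:09:00.000Z'
SAMPLE_SNAPSHOTS='SNAPSHOT snap-EF4323 vol-GH4342 completed 2012-05-01T10:08:00.000Z 100%
SNAPSHOT snap-9Z9Z9Z vol-FG6578 pending 2012-05-01T10:10:00.000Z 40%'

# demo: the third volume is still "creating" and is refused.
demo() {
    for v in vol-FG6578 vol-GH4342 vol-1A2B3C; do
        printf '%s\n' "$SAMPLE_VOLUMES" | guard_snapshot "$v" || true
    done
}
demo
```

On a live cloud the sample is replaced by `euca-describe-volumes | guard_snapshot vol-...`; the predicates read whatever is on stdin, so they work equally on captured output kept for troubleshooting.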

2.3.3 Instance Management

Running a VM Instance

You can now run instances that are accessible with the newly generated private key:

euca-run-instances -k mykey -n <number of instances to start> <emi-id>
euca-describe-instances

Authorizing Security Groups and Allocating IPs

If your administrator has configured Eucalyptus to provide security groups and elastic IPs, you may be required to allow logins to your instance, allocate a public IP (if you have not done so before; check 'euca-describe-addresses' as a reminder), and assign it to your running instance.

Allow 'ssh' connections from the Internet:

euca-authorize -P tcp -p 22 -s 0.0.0.0/0 default

Allocate a public IP if you have not done so already:

euca-allocate-address

Associate an allocated IP with your running instance:

euca-associate-address <IP from allocate> -i <instance ID>

Once the instance is shown as 'Running', it will also show two IP addresses assigned to it.

Logging into a VM Instance

You can now log into it with the SSH key that you created:

ssh -i mykey.private root@<accessible-instance-ip>

To terminate instances, use:

euca-terminate-instances <instance-id1>

For more information on Euca2ools, see our Euca2ools User Guide. For more information on the EC2 command line tools, see the EC2 Getting Started Guide. Please note that depending on the networking mode used to implement your Eucalyptus cloud, some command line tools may not be applicable (security groups/elastic IPs, etc.).
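The euca-authorize step above opens TCP/22 from 0.0.0.0/0, i.e. from the whole Internet. The following is an added example, not code from the Meghdoot manual or from euca2ools, that wraps that step so the source CIDR is validated and the world-open rule has to be chosen explicitly (ALLOW_ANY_SOURCE=yes) instead of being the default; the normal case is an administrator network such as the constructed 203.0.113.0/24. The euca-authorize invocation is reached through EUCA_AUTHORIZE so the wrapper can be exercised with a constructed stand-in.

```sh
#!/bin/sh
# Added example, not part of the Meghdoot manual or of euca2ools: guarded
# wrapper around "euca-authorize -P tcp -p 22 -s <cidr> <group>".

# cidr_is_valid A.B.C.D/N: four dotted octets 0-255 and a prefix length 0-32.
cidr_is_valid() {
    case "$1" in
        */*) ;;
        *)   return 1 ;;
    esac
    ip=${1%/*}
    bits=${1#*/}
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    printf '%s\n' "$ip" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# authorize_ssh_from GROUP CIDR: open TCP/22 on GROUP from CIDR.
# Exit status: 2 for a malformed CIDR, 3 when the world-open rule is refused,
# otherwise whatever euca-authorize returns.
authorize_ssh_from() {
    group="$1"; cidr="$2"
    if ! cidr_is_valid "$cidr"; then
        echo "invalid source CIDR: $cidr" >&2
        return 2
    fi
    if [ "$cidr" = "0.0.0.0/0" ] && [ "${ALLOW_ANY_SOURCE:-no}" != "yes" ]; then
        echo "refusing to open ssh on $group to 0.0.0.0/0; set ALLOW_ANY_SOURCE=yes to do it deliberately" >&2
        return 3
    fi
    ${EUCA_AUTHORIZE:-euca-authorize} -P tcp -p 22 -s "$cidr" "$group"
}

# Constructed stand-in for euca-authorize: echoes the rule it was asked for
# (arguments arrive as -P tcp -p 22 -s <cidr> <group>).
fake_authorize() { echo "GROUP $7 PERMISSION tcp $4 FROM $6"; }

# Dry run: the admin network gets ssh, the world-open rule is refused.
# Leave EUCA_AUTHORIZE unset to run the real tool.
EUCA_AUTHORIZE=fake_authorize
authorize_ssh_from default 203.0.113.0/24
authorize_ssh_from default 0.0.0.0/0 || echo "exit status $?"
```

The distinct exit codes let a provisioning script tell a typo in the CIDR (2) from a policy refusal (3) and from a failure reported by the cloud itself.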


2.3.4 Security Management

Security implementation for Private Cloud

Overview

Security in a private cloud deployment is of less concern than in a public cloud deployment model. Security in a private cloud can be achieved with existing security solutions, with slight modifications and cloud-aware configuration. This document describes how security can be implemented and which security controls are competent enough to ensure security in a private cloud.

Security Integrated Architecture

This shows where each specific security control and software should be installed in the cloud so that the minimal security requirements of the private cloud environment are satisfied.

Architecture diagram (recovered as a list):

Cloud Head Node
- OSSEC (HIDS) Server
- ModSecurity (WAF, reverse proxy mode)
- WAF-Console (Internal Access)
- HIDS-Console (Internal Access)

Compute Node-1: OSSEC Agent
Compute Node-2: OSSEC Agent

VM-1, VM-2, VM-3, VM-4: OSSEC Agent


ModSecurity Installation on RHEL/CentOS platform

Achieving security with existing security controls is complex and requires specific policies and design models. To reduce complexity and security risk in the private cloud environment, the following open source security controls have been selected and integrated into the Meghdoot cloud stack. We have also devised a strategy for their deployment and a policy for their configuration as per the cloud computing model. In addition, we modified the source code of some tools and developed decoders for managing specific kinds of events or alerts, such as cloud access logs.

ModSecurity

An open source Web application firewall (WAF) and web intrusion prevention system. It uses rule-based detection: when a rule matches an incoming HTTP request, access is denied immediately. ModSecurity can be deployed in two modes, embedded mode and network mode (reverse proxy mode). In embedded mode it protects a single web server only (the Apache web server), while in reverse proxy mode multiple application or web servers can be protected. In the context of the cloud, the reverse proxy mode of ModSecurity is recommended; with this deployment and configuration, the applications of different tenants running on different application servers are monitored and protected from web attacks/threats.

OSSEC

An open-source Host-Based Intrusion Detection System (HIDS), meaning that it works by monitoring conditions on a host machine and reporting possible security breaches. OSSEC is not a Network-Based Intrusion Detection System (NIDS) like Snort; however, Snort's logs can be monitored through the OSSEC log monitor. OSSEC monitors:

- System logs (http.log, auth.log, syslog etc.)
- File integrity in system directories
- System processes
- VM

When a possible security breach is detected, OSSEC logs the event and assigns it an alert level. Depending on the alert level, an email or SMS can be sent. In addition, OSSEC provides limited active-response functionality to respond automatically to an event immediately after its detection.


WAF AuditConsole

An alert and log management GUI for ModSecurity that provides a complete view of who has accessed the web application at what time, with a report generation facility.

HIDS-Console

An alert and log management GUI for OSSEC that allows us to see the alerts and events that occurred on a particular host or VM.

ModSecurity Installation On Debian based BOSS Linux flavor

Prerequisites:


1. apache or httpd
2. mod_unique_id
3. libapr and libapr-util
4. libpcre
5. libxml2
6. libcurl v7.15.1 or higher
7. mlogc (for forwarding logs to a remote location)

Installation of libxml2:

wget ftp://xmlsoft.org/libxml2/libxml2-sources-2.6.29.tar.gz
tar -xvzf libxml2-sources-2.6.29.tar.gz
cd libxml2-2.6.29
./configure
make
make install

Installation of libapr and libapr-util:

Download the tar file from the following link: http://apr.apache.org/download.cgi
Untar the file and build it:

tar zxvf /<path to the file>
cd apr<version>
./configure
make
make install

Installation of libpcre:

yum install pcre pcre-devel

Installation of curl:

yum install curl

Installation steps for ModSecurity from source Package

Step 1. Copy from the Meghdoot DVD or download the tar file from the following link: http://www.modsecurity.org/download/
Step 2. Move the downloaded tar file into the /opt directory:
    mv /<path to downloaded file> /opt
Step 3. Extract the tar file:
    tar zxvf /opt/<filename>
Step 4. Change the working directory to the untarred directory:
    cd modsecurity-apache_<version>
Step 5. Execute the configure script:
    ./configure
Step 6. make
Step 7. make mlogc
Step 8. make install


ModSecurity Configuration On RHEL/CentOS

Create the necessary directories:

mkdir /opt/modsecurity
mkdir /opt/modsecurity/etc
mkdir /opt/modsecurity/var
mkdir /opt/modsecurity/var/audit
mkdir /opt/modsecurity/var/data
mkdir /opt/modsecurity/var/log
mkdir /opt/modsecurity/var/tmp
mkdir /opt/modsecurity/var/upload
mkdir /opt/modsecurity/bin

Create the user and group:

groupadd apache
useradd -g apache apache

Change the ownership of the directories:

chown apache /opt/modsecurity/var/audit
chown apache /opt/modsecurity/var/data
chown apache /opt/modsecurity/var/tmp/
chown apache /opt/modsecurity/var/upload/

Change the permissions of the created directories:

chmod 750 /opt/modsecurity/
chmod 750 /opt/modsecurity/bin/
chmod 700 /opt/modsecurity/etc/
chmod 750 /opt/modsecurity/var/
chmod 750 /opt/modsecurity/var/tmp/
chmod 700 /opt/modsecurity/var/audit/
chmod 700 /opt/modsecurity/var/data/
chmod 700 /opt/modsecurity/var/log/
chmod 700 /opt/modsecurity/var/upload/

Create the ModSecurity config file:

touch /opt/modsecurity/etc/modsecurity.conf

Copy the following contents into the above file (modsecurity.conf):

LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module /usr/lib64/httpd/modules/mod_security2.so

SecRuleEngine On
SecRequestBodyAccess On
SecDefaultAction "phase:2,deny,log"
SecRequestBodyLimit 1310720
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyAccess Off
SecResponseBodyMimeType text/plain text/html
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir /opt/modsecurity/var/tmp/
SecDataDir /opt/modsecurity/var/data/
SecUploadDir /opt/modsecurity/var/upload/
SecUploadKeepFiles Off
SecUploadFileMode 0600

# Debug log
SecDebugLog /opt/modsecurity/var/log/debug.log
SecDebugLogLevel 3

# Log only what is really necessary.
SecAuditEngine RelevantOnly
# Also log requests that cause a server error.
SecAuditLogRelevantStatus ^(5|4)

# Log everything we know about a transaction.
SecAuditLogParts ABCDEFGHIJKZ

# Concurrent logging (one file per transaction), piped to mlogc for forwarding.
SecAuditLogType Concurrent
SecAuditLog "|/usr/local/bin/mlogc /etc/httpd/mlogc.conf"

# Specify the path for concurrent audit logging.
SecAuditLogStorageDir /var/log/mlogc/data

Include /opt/modsecurity-apache_2.5.13/rules/base_rules/*.conf

Now open the httpd.conf file of the Apache server and include the ModSecurity configuration file as follows.

Include /opt/modsecurity/etc/modsecurity.conf

Download the rules from the ModSecurity website:

http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/

Untar the file into the /opt directory and edit the last line (the Include) of /opt/modsecurity/etc/modsecurity.conf according to the version you downloaded.


Installing mlogc: the mlogc binary was built in the steps above, so copy it into the /usr/local/bin directory:

cp <path to modsecurity-apache directory>/tools/mlogc /usr/local/bin

ModSecurity Installation On Debian based BOSS Linux flavor

ModSecurity installation using the binary script included in the Security-Packages of the Meghdoot DVD. Copy the following script to a file with the .sh extension and execute that file at the command prompt.

#!/bin/sh
#
# command to update repository
echo " Updating the repository "
echo "-----------------------------\n\n"
apt-get update
# command to install apache2..
apt-get install apache2
# command to install modsecurity..
apt-get install libapache-mod-security

echo "\n\n Creating the necessary directories....."

if [ -d /opt/modsecurity ]
then
    echo "\n Directory /opt/modsecurity is already existing ... OK\n"
else
    mkdir /opt/modsecurity
    echo "\n Directory /opt/modsecurity is created.... OK\n"


fi

if [ -d /opt/modsecurity/etc ]
then
    echo "\n Directory /opt/modsecurity/etc is already existing ... OK\n"
else
    mkdir /opt/modsecurity/etc
    echo "\n Directory /opt/modsecurity/etc is created.... OK\n"
fi

if [ -d /opt/modsecurity/var ]
then
    echo "\n Directory /opt/modsecurity/var is already existing ... OK\n"
else
    mkdir /opt/modsecurity/var
    echo "\n Directory /opt/modsecurity/var is created.... OK\n"
fi

if [ -d /opt/modsecurity/var/audit ]
then
    echo "\n Directory /opt/modsecurity/var/audit is already existing ... OK\n"
else
    mkdir /opt/modsecurity/var/audit
    echo "\n Directory /opt/modsecurity/var/audit is created.... OK\n"
fi

if [ -d /opt/modsecurity/var/data ]
then
    echo "\n Directory /opt/modsecurity/var/data is already existing ... OK\n"
else


    mkdir /opt/modsecurity/var/data
    echo "\n Directory /opt/modsecurity/var/data is created.... OK\n"
fi

if [ -d /opt/modsecurity/var/log ]
then
    echo "\n Directory /opt/modsecurity/var/log is already existing ... OK\n"
else
    mkdir /opt/modsecurity/var/log
    echo "\n Directory /opt/modsecurity/var/log is created.... OK\n"
fi

if [ -d /opt/modsecurity/var/tmp ] then echo "\n Directory /opt/modsecurity/var/tmp is already existing ... OK\n" else mkdir /opt/modsecurity/var/tmp echo "\n Directoty /opt/modsecurity/var/tmp is crteated.... OK\n" fi

if [ -d /opt/modsecurity/var/upload ] then echo "\n Directory /opt/modsecurity/var/upload is already existing ... OK\n" else mkdir /opt/modsecurity/var/upload echo "\n Directoty /opt/modsecurity/var/upload is crteated.... OK\n" fi

if [ -d /opt/modsecurity/bin ]

CDAC

Page 56

then echo "\n Directory /opt/modsecurity/bin is already existing ... OK\n" else mkdir /opt/modsecurity/bin echo "\n Directoty /opt/modsecurity/bin is crteated.... OK\n" fi

echo " \n Creating the the user apache and group apache ...\n"

groupadd apache useradd -g apache apache

echo "\n Changing the ownership of created directories...."

chown apache /opt/modsecurity/var/audit chown apache /opt/modsecurity/var/data chown apache /opt/modsecurity/var/tmp/ chown apache /opt/modsecurity/var/upload/

echo "Done\n"

echo "\n Changing the permssions of the created directories ...."

chmod 750 /opt/modsecurity/ chmod 750 /opt/modsecurity/bin/ chmod 700 /opt/modsecurity/etc/ chmod 750 /opt/modsecurity/var/ chmod 750 /opt/modsecurity/var/tmp/ chmod 700 /opt/modsecurity/var/audit/

CDAC

Page 57

chmod 700 /opt/modsecurity/var/data/ chmod 700 /opt/modsecurity/var/log/ chmod 700 /opt/modsecurity/var/upload/ echo "..Done\n"

echo "\n Creating the necessary config files...."

if [ -f /opt/modsecurity/etc/modsecurity.conf ] then echo "\n File /opt/modsecurity/etc/modsecurity.conf is already existing ... OK\n" else touch /opt/modsecurity/etc/modsecurity.conf echo "\n File /opt/modsecurity/etc/modsecurity.conf is created.... OK\n" fi

# Creation of reverse-proxy configuration file which need to be configured when ModSecurity(WAF) is # deployed in Network mode(reverse proxy mode)

if [ -f /opt/modsecurity/etc/reverse-proxy.conf ] then echo "\n File /opt/modsecurity/etc/reverse-proxy .conf is already existing ... OK\n" else touch /opt/modsecurity/etc/reverse-proxy.conf echo "\n File /opt/modsecurity/etc/reverse-proxy.conf is created.... OK\n" fi

if [ -f /opt/modsecurity/etc/main.conf ]

CDAC

Page 58

then echo "\n File /opt/modsecurity/etc/main.conf is already existing ... OK\n" else touch /opt/modsecurity/etc/main.conf echo "\n File /opt/modsecurity/etc/main.conf is created.... OK\n" fi

if [ -f /opt/modsecurity/etc/rules-first.conf ] then echo "\n File /opt/modsecurity/etc/rules-first.conf is already existing ... OK\n" else touch /opt/modsecurity/etc/rules-first.conf echo "\n File /opt/modsecurity/etc/rules-first.conf is created.... OK\n" fi

if [ -f /opt/modsecurity/etc/rules.conf ] then echo "\n File /opt/modsecurity/etc/rules.conf is already existing ... OK\n" else touch /opt/modsecurity/etc/rules.conf echo "\n File /opt/modsecurity/etc/rules.conf is created.... OK\n" fi

if [ -f /opt/modsecurity/etc/rules-last.conf ] then echo "\n File /opt/modsecurity/etc/rules-last.conf is already existing ... OK\n" else touch /opt/modsecurity/etc/rules-last.conf echo "\n File /opt/modsecurity/etc/rules-last.conf is created.... OK\n" fi
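A verification check for the layout the script above creates, added here as an example; it is not part of the Meghdoot manual or the DVD script. It assumes GNU stat and find (as on Debian/BOSS); the layout root and the owner default to /opt/modsecurity and apache but can be passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the Meghdoot manual or its DVD script: verifies that the
# ModSecurity layout created by the install script exists with the ownership and
# permissions the script sets. Assumes GNU stat and find (Debian/BOSS).
# Usage: check_modsec_layout [root] [owner]   (defaults: /opt/modsecurity, apache)

# Directory and expected mode, taken from the chmod lines of the install script.
MODSEC_DIR_MODES='.:750 bin:750 etc:700 var:750 var/tmp:750 var/audit:700 var/data:700 var/log:700 var/upload:700'

# Directories the script hands over to the apache user (the ones ModSecurity writes to).
MODSEC_OWNED='var/audit var/data var/tmp var/upload'

# Configuration files the script creates under etc.
MODSEC_FILES='modsecurity.conf reverse-proxy.conf main.conf rules-first.conf rules.conf rules-last.conf'

# Prints one line per deviation and returns 0 only when the layout matches exactly.
check_modsec_layout() {   # $1 = layout root, $2 = expected owner of the writable dirs
    root=${1:-/opt/modsecurity}
    owner=${2:-apache}
    rc=0
    for spec in $MODSEC_DIR_MODES; do
        rel=${spec%:*}
        want=${spec#*:}
        case $rel in .) dir=$root ;; *) dir=$root/$rel ;; esac
        if [ ! -d "$dir" ]; then
            echo "MISSING directory $dir"
            rc=1
            continue
        fi
        have=$(stat -c '%a' "$dir")
        [ "$have" = "$want" ] || { echo "MODE $dir is $have, expected $want"; rc=1; }
    done
    for rel in $MODSEC_OWNED; do
        dir=$root/$rel
        [ -d "$dir" ] || continue          # already reported as missing above
        have=$(stat -c '%U' "$dir")
        [ "$have" = "$owner" ] || { echo "OWNER $dir is $have, expected $owner"; rc=1; }
    done
    for f in $MODSEC_FILES; do
        [ -f "$root/etc/$f" ] || { echo "MISSING file $root/etc/$f"; rc=1; }
    done
    # Nothing under the layout may be world-writable, whatever the individual modes are.
    loose=$(find "$root" -perm -002 2>/dev/null || true)
    [ -z "$loose" ] || { echo "WORLD-WRITABLE: $loose"; rc=1; }
    return $rc
}
```

Run it after the install script, and again after any manual change to the layout, before restarting Apache.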


Configuring ModSecurity

Download the core rule set from http://www.modsecurity.org/download/. The tar file contains all the rules; extract the rules directory to the /opt folder. Now open the modsecurity.conf file (in the /opt/modsecurity/etc/ folder) and add the following configuration:

SecRuleEngine On
SecRequestBodyAccess On
SecDefaultAction "phase:2,deny,log"
SecRequestBodyLimit 1310720
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyAccess Off
SecResponseBodyMimeType text/plain text/html
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir /opt/modsecurity/var/tmp/
SecDataDir /opt/modsecurity/var/data/
SecUploadDir /opt/modsecurity/var/upload/
SecUploadKeepFiles Off
SecUploadFileMode 0600
# Debug log
SecDebugLog /opt/modsecurity/var/log/debug.log
SecDebugLogLevel 3
# Log only what is really necessary.
SecAuditEngine RelevantOnly
# Also log requests that cause a server error.
SecAuditLogRelevantStatus ^5
# Log everything we know about a transaction.
SecAuditLogParts ABCDEFGHIJKZ
# Concurrent logging: one file per transaction, handed to mlogc through the pipe below.
SecAuditLogType Concurrent
SecAuditLog "|/usr/local/bin/mlogc /etc/apache2/mlogc.conf"
# Specify the path for concurrent audit logging.
SecAuditLogStorageDir /var/log/mlogc/data
Include /opt/modsecurity-apache_2.5.13/rules/base_rules/*.conf

Open the reverse-proxy.conf file (in the /opt/modsecurity/etc/ folder) and add the following configuration:

ProxyRequests Off

# The following two lines need to be added for each user application / other web server
# that you want to protect
ProxyPass <resource> <Target URI>
ProxyPassReverse <resource> <Target URI>

Sample configuration for the cloudforum application:

#ProxyRequests Off
#ProxyPass /cloudforum http://cdaccloud.com/cloudforum
#ProxyPassReverse /cloudforum http://cdaccloud.com/cloudforum


Open the httpd.conf file of the Apache server and include the ModSecurity configuration files as follows:
Include /opt/modsecurity/etc/modsecurity.conf
Include /opt/modsecurity/etc/reverse-proxy.conf

Now restart your Apache web server:
/etc/init.d/apache2 restart

Mlogc Installation
Description: mlogc is the ModSecurity Audit Log Collector, which connects a ModSecurity sensor to the central audit log repository.

Install all of the following dependencies:
apache2-threaded-dev
libcurl3
libc6
curl
libcurl4-openssl-dev
pcre

Download the mlogc source from - http://www.modsecurity.org/download/

Untar the file and change directory to the mlogc-src folder:
cd mlogc-src
Execute the command 'make'.

An executable file named mlogc is now present in the same folder. Copy it to a safer location such as /usr/local/bin. Then edit the mlogc.conf file, which is in the same directory, providing the sensor credentials and the remote location of WAF-AuditConsole.


Note: For sensor creation and deployment of AuditConsole, follow the installation steps of AuditConsole.

Now create the directories and files needed by mlogc:
mkdir /var/log/mlogc/
mkdir /var/log/mlogc/data
touch /var/log/mlogc/mlogc-error.log
touch /var/log/mlogc/mlogc-queue.log
touch /var/log/mlogc/mlogc-transaction.log

Now restart your Apache web server:
/etc/init.d/apache2 restart

WAF-Audit Console Installation and Configuration

WAF-Console installation and configuration is platform independent (RHEL/CentOS/Debian/BOSS). The following steps need to be performed.

Prerequisites
JRE (Java Runtime Environment)
Apache Tomcat application server
MySQL/PostgreSQL database server

Installation from the Meghdoot cloud DVD
ModSecurity is installed automatically if you use the Meghdoot cloud DVD for installation. Once the cloud head node is completely established, you only have to configure the database settings through the initial window of WAF-Console.

Install the Apache Tomcat software, copy the WAF-Console war file into the webapps folder and restart Apache Tomcat.


Configuration
WAF-Console stores all ModSecurity events in a MySQL backend database, so we need to create a database and a user who has access to this database:
mysqladmin -u root -p create <database-name>
mysql -u root -p <database-name>
GRANT ALL on <database-name>.* to Username@localhost IDENTIFIED BY '<password>';
FLUSH PRIVILEGES;

If you already have .sql backup files, you can load them as follows:
mysql -u root -p <database-name> < <path to dump file>

Now open a web browser and access the following URL:
http://localhost:8080/WAF-Console-<version number>

Log in using admin as both username and password, set the temporary directory location to /opt/audit and click OK.

Configuring Database
Give your database details:

URL: jdbc:mysql://127.0.0.1/<database-name>
Username: <username>
Password: <password>

Configuring sensors
Create a sensor and its password: System -> sensors -> addsensor


mlogc configuration
The same sensor name and password must be mentioned in the mlogc.conf file:
cp <path to modsecurity-apache directory>/apache2/mlogc-src/mlogc-default.conf /etc/httpd/mlogc.conf
Mention the username and password.
Mention the Console URI according to your AuditConsole deployment, e.g.:
http://localhost:8080/AuditConsole-<version number>/rpc/auditLogReceiver

OSSEC Installation and Configuration

OSSEC performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. As OSSEC monitors system logs, directories and processes, it uses a set of rules to determine when an alert should be triggered.

Prerequisites for OSSEC installation from the source package (tar package)
GCC compiler
Make
OpenSSL
iptables firewall

OSSEC Installation
OSSEC works on a server-client model. The server must be a UNIX/Linux machine; the clients, which OSSEC calls agents, can run virtually any operating system. Three deployment modes of OSSEC are available:
Local mode
Server mode
Agent mode


OSSEC server and local installation is independent of the Linux operating system distribution.
Step 1: Download OSSEC from the following URL: http://www.ossec.net/files/
Step 2: Untar the files into a local directory and change to that directory.

Local Installation
Run the installation shell script:
# ./install.sh
What kind of installation do you want (server, agent, local or help)? local
Setting up the installation environment.
Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
--- Press ENTER to continue ---
Once you press the Enter key the source code is compiled and OSSEC is deployed into the system in local mode.

Installing the Server
Run the installation shell script:
# ./install.sh
What kind of installation do you want (server, agent, local or help)? server

Installing the OSSEC Agent on Linux
Run the installation shell script:
# ./install.sh
What kind of installation do you want (server, agent, local or help)? agent
What is IP of your Cloud Head Node (OSSEC HIDS) Server? IP (www.xxx.yyy.zzz)

Installing OSSEC agents on a Windows host:
Download the .exe file from http://www.ossec.net/main/downloads and run the downloaded file.

Enter the source IP of the server and the authentication key.


Managing Agents
The server-agent traffic is encrypted and validated using pre-shared keys. These keys must be generated on the server and then imported on the agent side. The procedure is the same regardless of the agent platform. All agent key management is done using the manage_agents utility in the OSSEC HIDS bin directory.

Now execute the following command at the command prompt:
/opt/ossec/bin/manage_agents
The following information is displayed:

****************************************
* OSSEC HIDS v1.4 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q:

Now select your option. If you select A, the following is displayed:
- Adding a new agent (use \q to return to the main menu).
  Please provide the following:
   * A name for the new agent: <give a name for the agent>
   * The IP Address of the new agent: <enter the IP address of the agent>
   * An ID for the new agent [001]: <ID of the agent>
Agent information:

Confirm adding it?(y/n): y
Agent added.

Managing the Rule-base of OSSEC
The rules reside in /var/ossec/rules and are XML files. A rule fires when certain conditions are met. For example, the following rule, contained in syslog_rules.xml, fires when OSSEC detects the strings "Promiscuous mode enabled" or "device [non-whitespace string] entered promiscuous mode" in the Linux system log.
<rule id="5104" level="8">
  <if_sid>5100</if_sid>
  <regex>Promiscuous mode enabled|</regex>
  <regex>device \S+ entered promiscuous mode</regex>
  <description>Interface entered in promiscuous(sniffing) mode.</description>
  <group>promisc,</group>
</rule>
OSSEC comes with a comprehensive set of rules that should cover virtually every security-related aspect of the system. Nonetheless, there may be times when you want to write a custom rule. Since rules are XML files, they are easy to edit. However, the OSSEC manual recommends that instead of editing the rules themselves, you modify their behavior by writing custom rules and adding them to the local_rules.xml file. The procedures for writing custom rules are explained in the OSSEC manual or online.

Rules can be made highly granular so that they will only fire for certain hosts involving certain IP addresses at certain times of the day, etc. For example, OSSEC by default will generate an alert and an email whenever an agent connects or disconnects. Chances are that you don't care very much if a workstation disconnects, as this happens whenever someone with a laptop goes home for the day. But you probably want to know if a machine in the server room stops responding. You could write a custom rule to modify the behavior of rules 503 and 504 (the agent-connect and agent-disconnect rules) so that they would only fire when servers disconnect. Again, see the OSSEC manual for the specifics of writing such a rule.

HIDS-Console Installation and Configuration

It is a web-based PHP GUI application for OSSEC-HIDS alert and log management. It also displays configuration information about the deployed agents and server.

Prerequisites
Apache with PHP (>= 4.1 or >= 5.0) installed (with POSIX support), OR Lighttpd (>= 1.x) with PHP-cgi (php4-cgi or php5-cgi) in FastCGI
OSSEC (version >= 0.9-3) already installed

Installation

The HIDS-Console package is on the Meghdoot DVD. Copy the package to the respective location (refer to the integration architecture) and run:
tar -zxvf HIDS-Console-1.0.tar.gz
mv HIDS-Console-1.0 /var/www/HIDS-Console
cd /var/www/HIDS-Console
./setup.sh

Configuration

Fix the /tmp permissions or add your web server user (www-data) to the ossec group.
Check and edit the file with vi /etc/group. If the file contains the line "ossec:x:1002:www-data", leave it. Otherwise add this line at the end of the file and save it.
Run command chmod 770 /var/ossec/tmp
Run command chmod 770 /var/ossec/logs/alerts/alerts.log
Run command chgrp www-data /var/ossec/tmp
Run command /etc/init.d/apache2 restart


Enable one of the authentication modules available for Apache. Types of auth modules: Basic, Digest, PAM.

# vi /etc/apache2/httpd.conf
Add the following lines:

<Directory /var/www>
    AuthType Basic
    AuthName "Blocked Restricted Access"
    AuthUserFile /etc/apache2/passwd
    Require user
</Directory>
Create a password file with htpasswd. The htpasswd command is used to create and update the flat files (text files) that store usernames and passwords for basic authentication of Apache users. General syntax:

htpasswd -c password-file username
where
-c: create the password-file. If password-file already exists, it is rewritten and truncated.
username: the username to create or update in password-file. If the username does not exist in this file, an entry is added; if it does exist, the password is changed.

Restart Apache # /etc/init.d/apache2 restart


Product/Solution Snapshots after deployment
Meghdoot-AppSecurity
This solution includes two components:
WAF-ModSecurity - an open source web application firewall cum intrusion detection
WAF-Console - a ModSecurity alert and log management console

Meghdoot-End Point Security

This solution includes two components:
HIDS-OSSEC - an open source host intrusion detection cum prevention (limited) system
HIDS-Console - an HIDS alert and log management console


2.3.5 Monitoring
Hyperic HQ

Pre-requisites
Postgres 8.3 or above
postgresql-client-common
Java Development Kit 1.6 or above

Type the following commands to set a host name for the machine. For example, if you wish to set the host name to portalserver, open a terminal and type the following commands as root user:
hostname portalserver
echo portalserver > /etc/hostname

Now exit the terminal, click System -> Logout root, and log in again as root user.

Note: By default Hyperic is Installed & Configured

Mapping the Hostname
Now open a terminal. The /etc/hosts file should look as follows. Replace the <LAN IP Address> part with the IP address of your machine and the <Hostname> part with the host name of your machine. In our case, the host name is portalserver.
127.0.0.1 localhost
<LAN IP Address> <Hostname>

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Starting the Hyperic

Open a Terminal and execute the following commands as root user.

cd /home/hyperic/server-4.2.0.7/bin
export JAVA_HOME=/usr/lib/jvm/java-6-openjdk/
chmod 777 *.sh
./hq-server.sh start

This will give the following log messages in the terminal.

Starting HQ server...
Initializing HQ server configuration...
Checking jboss jndi port...
Checking jboss mbean port...
Verify HQ database schema...
Unable to locate tools.jar. Expected to find it in /home/hyperic/server-4.2.0.7/lib/tools.jar
Loading taskdefs...
Taskdefs loaded
Booting the HQ server (Using JAVA_OPTS=-XX:MaxPermSize=192m -Xmx512m -Xms512m -XX:+HeapDumpOnOutOfMemoryError)...
HQ server booted.
Login to HQ at: http://127.0.0.1:7080/


Note: All physical servers and virtual machines where the Hyperic agent is to be deployed must have a unique host name (/etc/hostname). The same host name must be linked with the IP address in the /etc/hosts file.

Hyperic Architecture Diagram:

Registering Hyperic Agent with Hyperic Server :

Preliminary Tests to be done from Agent Side :

Check whether the machine can ping the machine where the Hyperic server is installed.
Run telnet <Hyperic Server Machine> 7080 to check whether the agent machine can connect to the machine where the Hyperic server is installed. If any port-blocking software such as a firewall is running, disable it.
Check whether Java is installed (the java command must work).
Check whether the JAVA_HOME environment variable is defined: echo $JAVA_HOME must display a value such as /usr/lib/jvm/java-6-openjdk/


Sync the date between the Hyperic server machine and the Hyperic agent machine. This is needed for generating graphs and for the accuracy of data with respect to time.
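The preliminary tests above collected into one script, added here as an example; it is not Hyperic's or Meghdoot's own tooling. It assumes nc, curl and GNU date on the agent machine, and reads the server clock from the Date header of the HQ web interface on port 7080, which is an assumption about the deployment rather than something the manual states.

```shell
#!/bin/sh
# Added example (not part of the Meghdoot manual): agent-side preflight checks for a
# Hyperic agent, following the checklist in the manual. Assumes nc, curl and GNU date.

HQ_SERVER_PORT=7080   # HQ web interface / agent-to-server port named in the manual
HQ_AGENT_PORT=2144    # port the agent listens on once started (lsof -i :2144)

# JAVA_HOME must be set and point at a JDK/JRE containing bin/java.
check_java_home() {   # $1 = JAVA_HOME value to test
    [ -n "$1" ] && [ -x "$1/bin/java" ]
}

# The agent host must be able to ping the server and open a TCP connection to port 7080.
check_server_reachable() {   # $1 = server host or IP
    ping -c 1 -W 2 "$1" >/dev/null 2>&1 || return 1
    nc -z -w 3 "$1" "$HQ_SERVER_PORT" >/dev/null 2>&1
}

# Epoch seconds of the server clock, taken from the Date header of the HQ web interface
# (assumption: the server answers HTTP on port 7080, as the login URL in the manual shows).
server_epoch() {   # $1 = server host or IP
    hdr=$(curl -sI --max-time 5 "http://$1:$HQ_SERVER_PORT/" | sed -n 's/^[Dd]ate: *//p' | tr -d '\r')
    [ -n "$hdr" ] && date -d "$hdr" +%s
}

# Clocks must agree within a tolerance, otherwise graphs are drawn against the wrong time.
clock_skew_ok() {   # $1 = local epoch, $2 = server epoch, $3 = tolerance in seconds
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le "$3" ]
}

# True when something already listens on the agent port (what lsof -i :2144 shows).
check_agent_listening() {
    nc -z -w 1 127.0.0.1 "$HQ_AGENT_PORT" >/dev/null 2>&1
}

# Runs every check against the given server and prints PASS/FAIL per check; the exit
# status is non-zero when any check fails.
hyperic_agent_preflight() {   # $1 = Hyperic server host or IP
    server=$1
    failed=0
    report() {   # $1 = label, $2 = status (0 = ok)
        if [ "$2" -eq 0 ]; then echo "PASS $1"; else echo "FAIL $1"; failed=1; fi
    }
    check_server_reachable "$server"; report "server $server reachable on port $HQ_SERVER_PORT" $?
    command -v java >/dev/null 2>&1;   report "java command available" $?
    check_java_home "$JAVA_HOME";       report "JAVA_HOME=$JAVA_HOME contains bin/java" $?
    remote=$(server_epoch "$server")
    if [ -n "$remote" ]; then
        clock_skew_ok "$(date +%s)" "$remote" 60; report "clock within 60 s of server" $?
    else
        report "server time readable from HTTP Date header" 1
    fi
    check_agent_listening; report "agent listening on port $HQ_AGENT_PORT (only after check_launch_agent.sh)" $?
    return $failed
}
```

Call hyperic_agent_preflight <Hyperic Server Machine> before starting the agent; the last line is expected to fail until check_launch_agent.sh has been run.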

Installing & Starting Hyperic Agent

On the machine where the Hyperic server is installed, copy the directory /home/hyperic/agent-4.2.0.7 to the same location (/home/hyperic/agent-4.2.0.7) on the machine where the agent is to be deployed. Then execute the following commands in a terminal as root user (the agent's data directory is emptied before the first start):
cd /home/hyperic/agent-4.2.0.7/data
rm -rf *
cd /home/hyperic/agent-4.2.0.7/bin
chmod 777 *.sh
./check_launch_agent.sh

To confirm whether the agent has started successfully, execute the following command as root user. lsof -i :2144

COMMAND PID   USER FD   TYPE DEVICE   SIZE/OFF NODE NAME
java    19544 root 129u IPv4 14144078 0t0      TCP *:2144 (LISTEN)

To see the logs, go to the following directory,

/home/hyperic/agent-4.2.0.7/log


Setting up Agent


Accessing the Monitoring Tool

Now you can log in to the monitoring tool. To access the tool, open a browser and enter the URL http://<Cloud IP Address>:7080

The following page appears in the browser. The default user name and password are as follows:
Default user name: hqadmin
Default password: hqadmin

Once you have logged in, it is suggested to change the default password.

Once you have logged in, click on the HQ link at the top right of the screen.


Now click on the Change link.

Now enter the password in the New Password field and the Confirm New Password field and click the OK button.


Now the password of the user hqadmin is changed. Click on the Add-To-Inventory button in the Auto-Discovery frame. The screen shot is shown below.

Monitoring Hyperic Agents

Once a resource is approved, it is added for monitoring. At first the agent reports details such as the system configuration and hardware details to the Hyperic server; during this collecting phase the status is shown in grey. The availability of each network service, and of each autogroup of network services, is indicated by an icon:
Green - "Available": a service (or all of the services in an autogroup) is available.
Yellow - The "Warning" availability state does not apply to an individual network service, with few exceptions. Generally the agent reports a network service as either "Available" (green) or "Not Available" (red). The "Warning" state is reported for an autogroup of network services and indicates that not all of the services in the group are available.
Red - "Not available": the service (or all of the services in an autogroup) is not available.
Grey - "Unknown": availability cannot be determined because the service was created but not configured correctly.

Availability Status

Once the resource is added for monitoring and the collection phase is complete, the availability status changes to green.

Note: This is only a getting-started guide for installing and configuring Hyperic. For more details refer to http://support.hyperic.com/display/DOC/Installation+Requirements


Recently Added Resources
The recently added resource is shown in the dashboard under the Recently Added strip.

Monitoring Resources
Once the installation and working of the agent is complete, the details are displayed in graphical form as shown below.


2.3.6 Elasticity
Location of Elasticity Packages
The Elasticity Server components and Elasticity Agent components are located in the folder /home/elasticity as a tar file.

Configuring Elasticity Server Service

First untar the ELASTICITY-SERVER package. The folder structure is as follows:

ELASTICITY-SERVER
|---> cloud.properties   Configuration file.
|---> db                 Code
|---> jar                API jar files are located here.
|---> schema             Schema is located here.
|---> start.sh           Shell script to start the Elasticity service on the server side, once the configuration is done
|---> typica             Code

Restore the Dump
The schema file is located inside the schema folder. Open a terminal and type:
pgadmin3

Now execute the following queries in the SQL Editor:
CREATE TABLE elasticitydetails (
    ipaddress character varying(15),
    instanceid character varying(15),
    "time" bigint,
    newinstanceid character varying(15)
);

CREATE TABLE elasticityinstancedetails (
    newinstanceid character varying(15),
    ipaddress character varying(15)
);

CREATE TABLE terminatedinstancedetails (
    instanceid character varying(20),
    ipaddress character varying(20),
    "time" bigint
);

Set the Properties in the Configuration file

accesskey=<Query ID of the admin account from the Cloud Host Portal>
secretkey=<Secret Key of the admin account from the Cloud Host Portal>
ipaddress=<IP address of the Cloud Host>
port=8773                  (default) Cloud Host port number
appport=8080               The port used by the web application
vmelasticityport=5678      (default) Port used by the load balancer to communicate with the virtual machine
jdbc.connection.url=jdbc:postgresql://localhost
jdbc.databasename=postgres
jdbc.username=postgres     (default)
jdbc.password=<password for the postgres user>

It is not required to change the properties marked as default. Once the configuration is completed, the Elasticity Server service can be invoked. Now execute the following commands as root.

chmod 777 start.sh
./start.sh

Once the Service is started, the following log messages will be printed.

/root/Desktop/cloud_src/ELASTICITY-LATEST-BUILD/ELASTICITY/ELASTICITYSERVER Info:
AWSKey: XYSXYSXYSXYSXYSXYSXYSXYSXYSXYS
Secret Key :SKEYSKEYSKEYSKEYSKEYSKEYSKEY
Head Node IP Address:A.B.C.D
Web Service Port:8773
VM Web App Port:8080
VM Intimation Port:5678
JDBC Connection URL:jdbc:postgresql://localhost
JDBC DB Name:postgres
JDBC User Name:postgres
*************** Elasticity Server Side Service *********************
NOTICE: Please Check whether the date and time in this Machine is synced with the Machine : A.B.C.D
Service Running on Port : 6666
Service Started @ Tue Aug 30 00:41:59 IST 2011
********************************************************************
ELASTICITY_INFO: Waiting for connection....

Configuring the Elasticity Agent:
The Elasticity Agent needs to be bundled along with the virtual machine image. The Elasticity Agent package, which will reside in the virtual machine, is located at /home/elasticity as a tar file. Untar the Elasticity-Agent package. The folder structure of the Elasticity Agent package is as follows:

ELASTICITY-AGENT/
`-- elasticity
    `-- ramcode
        |-- client
        |-- elasticity_agent.sh
        |-- lib                       Elasticity Agent Service API files
        |-- loadbalancer.properties   Configuration file.


Open the configuration file and enter the IP Address of the Load Balancer.

Please avoid spaces, new lines etc. The following command can be used to specify the IP address of the load balancer:
echo <IP ADDRESS of the Load Balancer> > loadbalancer.properties

Deploying the Elasticity-Agent package inside the virtual machine image:
You get the virtual machine image along with the DVD. Open a terminal and execute the following commands as root.

mkdir temp-mnt
mount -o loop debian.img temp-mnt/
mount -o bind /proc temp-mnt/proc
mount -o bind /sys temp-mnt/sys
mount -o bind /dev temp-mnt/dev

chroot temp-mnt
cd /root
mkdir .elasticity

Copy the ramcode folder into the .elasticity folder just created. Open another terminal and run:

cp -r ramcode temp-mnt/root/.elasticity
exit

Now go to the previous terminal (inside the chroot) and execute the following commands:
cd /root/.elasticity/ramcode
chmod 777 elasticity_agent.sh
cp elasticity_agent.sh /etc/init.d
update-rc.d elasticity_agent.sh start 24 2 .

Also deploy your web application inside the virtual machine image, so that these services are invoked once the virtual machine boots. The log messages can be found at /var/log/elasticity.log

Once the deployment of the services is complete, execute the following commands as root. Remember to stop all processes inside the virtual machine image first.

umount temp-mnt/proc
umount temp-mnt/dev
umount temp-mnt/sys
umount temp-mnt/
exit
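The image-preparation steps above collected into one script that always undoes the loop and bind mounts it created, even when a step fails; this is an added example, not the manual's own procedure. It assumes the same names as the manual (debian.img, ramcode, temp-mnt), a Debian guest with update-rc.d, and uses mode 755 for the init script where the manual uses 777.

```shell
#!/bin/sh
# Added example, not the Meghdoot manual's own procedure: performs the image-preparation
# steps in one function and always undoes the loop and bind mounts, even when a step
# fails, so no mount is left behind when the image is bundled. Assumes the same names
# as the manual (debian.img, ramcode, temp-mnt) and a Debian guest with update-rc.d.

# Mount points that lie under $1, from the text of /proc/mounts given as $2, deepest
# first, i.e. the order in which they must be unmounted (the guest's /proc, /sys and
# /dev come before the image itself).
leftover_mounts() {   # $1 = absolute mount point, $2 = contents of /proc/mounts
    printf '%s\n' "$2" |
        awk -v mp="$1" '$2 == mp || index($2, mp "/") == 1 { print $2 }' |
        LC_ALL=C sort -r
}

# Unmount everything still mounted under the given directory.
cleanup_mounts() {   # $1 = mount point
    abs=$(cd "$1" 2>/dev/null && pwd) || return 0
    for m in $(leftover_mounts "$abs" "$(cat /proc/mounts)"); do
        umount "$m" || echo "warning: could not unmount $m" >&2
    done
}

# Copies the agent package into the image and registers elasticity_agent.sh as an init script.
deploy_elasticity_agent() {   # $1 = image file, $2 = ramcode folder, $3 = mount point
    img=$1; ramcode=$2; mnt=$3
    [ -f "$img" ] || { echo "image $img not found" >&2; return 1; }
    [ -d "$ramcode" ] || { echo "agent folder $ramcode not found" >&2; return 1; }
    mkdir -p "$mnt"
    mount -o loop "$img" "$mnt" || return 1
    # From here on the image is mounted: undo every mount when the shell exits.
    trap 'cleanup_mounts "$mnt"' EXIT
    mount -o bind /proc "$mnt/proc" &&
    mount -o bind /sys "$mnt/sys" &&
    mount -o bind /dev "$mnt/dev" || return 1
    mkdir -p "$mnt/root/.elasticity"
    cp -r "$ramcode" "$mnt/root/.elasticity/" || return 1
    # Same commands as the interactive chroot session in the manual; the init script only
    # needs to be executable, so 755 is used instead of 777.
    chroot "$mnt" /bin/sh -c '
        cd /root/.elasticity/ramcode &&
        chmod 755 elasticity_agent.sh &&
        cp elasticity_agent.sh /etc/init.d/ &&
        update-rc.d elasticity_agent.sh start 24 2 .
    ' || return 1
    # Nothing must keep files open inside the image when it is unmounted and bundled.
    echo "agent deployed; inside the guest it logs to /var/log/elasticity.log"
}
```

Run deploy_elasticity_agent debian.img ramcode temp-mnt as root; the EXIT trap unmounts the image whether the function succeeds or not.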

Bundling and Uploading the Virtual Machine Image to the Cloud
Now bundle and upload the virtual machine image to the cloud. This generates an image ID; the image ID starts with emi- (Eucalyptus Machine Image). Now launch the virtual machine image via the euca2ools utility.


Chapter 3
Portal
In the address bar of the browser type the following: http://<Your-IP-Address>:5454/cloudportal

The default user name is admin and the password is admin. After logging in, reset your password for security purposes.

If you reset the password while configuring the cloud, use that password to log in to the portal.


After logging in as Admin the following screen appears.


3.1 Cloud Management


Select the Cloud Management tab and click Eucalyptus to proceed to the following screen. The default user is admin and the password is admin; after logging in, reset your password for security purposes.


3.2 Security Console
Select the Security Console tab and click WAF Console to proceed to the following screen. The default user is admin and the password is admin.

After logging in as admin the following screen appears.

Select the Security Console tab and click HIDS Console to proceed to the following screen.


3.3 Resource Request
Select the Resource Request tab and select IaaS.


After specifying the instance name, type and OS, click Proceed to reach the Key Pair screen, as follows.

Key pair generation has two options. For a first-time IaaS request select the New option and click Create to generate a key pair.


The user can also select the Use Existing option and click the Proceed button.

The software configuration screen then appears; it is optional for the user. The user can select Web Server, App Server and Database Server if needed. After clicking Proceed, the configuration details screen appears as follows.

The user can launch the instance by clicking the Confirm button.



Select the Resource Request tab and select AppHosting.


The user can select Web Server, App Server and DB Server. The instance type should also be specified along with the URL name and the Elasticity option; click Create to launch the application.
Select the Resource Request tab and select SaaS.

Select the Resource Request tab and select Volumes; from Volumes click List Volumes.


The user can create volumes by selecting the size, the availability zone and the volume snapshot option.


The user can also attach or detach a volume by clicking Attach and Detach under Volumes.

The user can also create a snapshot of a created volume.


3.4 Resource Info
Select the Resource Info tab and select Service Status. The status of the cloud components can be viewed using Service Status from the Resource Info tab.

Select the Resource Info tab and select Monitor. The user can monitor resources, instances and applications.


Select the Resource Info tab and use the Billing Info option to view billing information for infrastructure, storage and applications.

3.5 User Info
Select the User Info tab and click User List for the list of users registered in the cloud and users waiting for approval.

Select the User Info tab and click Edit to update user information.


Select the User Info tab and click Change Password to update the password.


3.6 Administration
The Administration tab has the options Manage Contents, Manage Elasticity and Manage Metering for updating contents, the elasticity configuration and the metering of software and applications.

For the elasticity configuration the admin can configure the max and min thresholds, the load balancer IP and the number of instances for elasticity.

The Manage Metering option of the Administration tab covers infrastructure and platform. For the infrastructure configuration the instance type, pulse rate and amount should be specified.


For the platform configuration the type, component, pulse rate and amount should be specified.


Chapter 4
Troubleshooting
4.1 Meghdoot Log Files
/var/www/cloudportallog/ - Portal logs
/opt/eucalyptus/var/log/eucalyptus/cloud-error.log - Cloud logs
/usr/share/dbdump.log - Database logs

