Meghdoot Administration Manual
Revision: 1.0 (Beta Release)
Document Id: CDAC/CHN/Cloud/Meg-Adm-001
You can find the most up-to-date documentation on our Web site at http://cdaccloud.com
Contents
1. Introduction to Meghdoot and its components
   1.1 Terms & Conditions
   1.2 Meghdoot
   1.1.1 Meghdoot Architecture
2. Installation of Meghdoot and its Components
   2.1 Installation/Configuration of Cloud Components
   2.2 Cloud Installation in Nodes
   2.3 Management of Cloud
      2.3.1 Image Management
      2.3.2 Storage Management
      2.3.3 Instance Management
      2.3.4 Security Management
      2.3.5 Monitoring
      2.3.6 Elasticity
3. Portal
   3.1 Cloud Management
   3.2 Security Console
   3.3 Resource Request
   3.4 Resource Info
   3.5 User Info
   3.6 Administration
CDAC
Chapter 1
Introduction to Meghdoot and its components
1.1 Meghdoot
The product features automated deployment of the cloud stack and provides a convenient environment through a portal for infrastructure requests, application hosting, and viewing usage and billing information; it lets administrator users manage their entire cloud environment and security administrators monitor security violations.
Features of Meghdoot
- Operating system kernel identification for incorporating advanced cloud features
- Hypervisor of a stable version which falls under open source compliance and is compatible with the identified OS
- Identification of advanced tools and cloud features which are compatible with the identified OS and hypervisor
- Security Management which provides the security solutions for the cloud environment
- User management portal with administrative capabilities including adding/editing users and roles
- Module for Infrastructure request, Application hosting, Storage and SaaS
- Modules for monitoring Infrastructure request, Application hosting and billing information about cloud usage
- Modules which include customizing contents of the portal
- Modules for incorporating elasticity features at Cloud services
- Modules for achieving high availability at cloud stack components and virtual machines
- Modules for software management
Chapter 2
Installation of Meghdoot and Components
Setting up the machine for installation of Cloud Components
Checking for a valid IP address
Make sure that your machine has a valid IP address by using the following procedure.
Click Applications -> Accessories -> Terminal
Run the command: ifconfig
Note: Check whether you have an IP address assigned on the eth0 interface. If not, contact the system administrator and check your network configuration.
Disable the peth0 interface
Note: If the peth0 interface is not present, check whether you have booted into the Xen kernel.
Click Applications -> Accessories -> Terminal
Run the command: ifconfig peth0 0
Disable the proxy in the web browser
Open the Iceweasel browser -> Edit -> Preferences -> click Advanced -> click the Network tab -> Settings -> select the No proxy option and then click OK.
Note: Login as root user to proceed with the cloud installation.
First login using the user name and password you specified during installation and then make the following changes to login as root user.
To install the necessary cloud components, use the check box options and finally click the Proceed button. For a first-time installation, select option Cloud Controller (CLC) and click Proceed.
Note: If your machine is a Node Controller, stop the Postgres and MySQL services.
Enter the password for the machine. Select option Now for all components and then click Proceed.
Installation of Cluster Controller
Enter the name of your Cluster. You can select option Self to install the component on the same machine or option Other to install it on another machine.
If you select option Other, provide the IP address and password of the desired machine and click the Proceed button.
Installation of Walrus
You can select option Self to install the component on the same machine or option Other to install it on another machine.
If you select option Other, provide the IP address and password of the desired machine and click the Proceed button.
Installation of Storage Controller
You can select option Self to install the component on the same machine or option Other to install it on another machine.
If you select option Other, provide the IP address and password of the desired machine and click the Proceed button.
2.2 Cloud Installation in Nodes
You can select option Self to install the component on the same machine or option Other to install it on another machine.
If option Other is selected, provide the IP address and password of the desired machine and click the Proceed button.
Finish Installation
Check the IPs which you have given for each component. Click the Finish button to complete the installation of all components.
The Meghdoot Installer will configure and deploy the Cloud Portal automatically. The following screen appears. The Meghdoot Portal requires the password of the Eucalyptus Administrator to be enabled and modified.
To change the password of the Eucalyptus Administrator, click on 'Click here to open Eucalyptus Page'. This will open a browser. The Eucalyptus Portal is SSL enabled by default, hence the user has to trust the certificate manually: click on 'I Understand the Risks', and then click on the 'Confirm Security Exception' button.
Once the certificate is confirmed by the user, the Eucalyptus Portal will be displayed, as shown below. The default user name and password are:
Username: admin
Password: admin
Once the password is updated, click on the logout link and close the browser. Now, back in the Installer, click on the Next button. A confirmation will appear; if you have changed the password, click Ok and continue.
The Meghdoot Portal configuration wizard displays 'Configuring Meghdoot Portal' and 'Configuring SaaS'. Click on 'Configuring Meghdoot Portal'.
This screen involves configuration of the Cloud Controller IP Address, the default Eucalyptus Machine Image (EMI) to be used for the AppHosting part, the URL of Hyperic (Monitoring), the Eucalyptus Cloud Controller Portal, the WAF Console and the HIDS Console. Once the details are entered, click on the Next button.
Configure the Elasticity Server component path, the metering cost for storage and the IP address to be used for AppHosting. Once the information is entered, click on the Next button.
Configure the Database Server and SMTP (for sending e-mail to users). Once the configuration information is entered, click on the Next button. A confirmation dialog will appear. If the configuration is finalized, click on the Ok button. If any modifications are required, click on the Cancel button. You may click on the Previous button to make the necessary changes.
A message dialog will appear once the configuration details are saved.
Click on the Ok button. The next part involves deployment of the Cloud Portal. Click on the Deploy Portal button to install the portal. Installation of the portal requires a restart of the Apache Tomcat Server, hence a confirmation dialog will prompt the user to confirm the Apache Tomcat Server restart.
Now the required files for the Portal are copied. The Apache Tomcat server will be restarted automatically after the completion of the portal deployment.
Once the Apache Tomcat Server is started, the URL to access the portal will be shown in the Status.
The next screen involves configuration of the database for the Cloud Portal. Specify the Database URL, Database Username and Database Password. Once the details are entered, click on the 'Test Database Connection' button.
If the database-related configuration is wrong, the status will indicate this, and the installer cannot proceed until correct details are entered.
If the database configuration is correct, the Next button in the screen will be enabled. Click on the Next button to continue.
In the following screen, enter the Application Name, Application URL, Application Description and Billing Amount. Once the inputs are given, click on the 'Add SaaS Details' button to save the details.
The Cloud Web Management Interface is designed to give the admin control over the cloud components. It is reached at the following URL:
http://IP-Address-of-Cloud:5454/meghdootnodeinstaller
For example, if the IP address of the cloud machine is 192.168.61.19, then the URL is http://192.168.61.19:5454/meghdootnodeinstaller
Add a Node Controller: To add a Node Controller, click Operation and select Add a Node. Enter the IP address and associated root password for that machine and then click the Test button.
Note: To register a machine as a Node Controller, the designated machine should have been booted in the Xen kernel and the services xend as well as libvirt must be running. The Cloud Management tool itself detects these prerequisites. Once the conditions are satisfied, the following screen will appear. Click Proceed to continue.
A Cloud can have any number of Cluster Controllers. A Node Controller can be added to any Cluster Controller. To add a Node Controller, the admin password and IP address of the Cluster Controller are required. Installation of a Node Controller requires a user account 'eucalyptus'; specify the password for the user eucalyptus. The default value for the instances directory location is /usr/local/instances, and the user can change it if another location is needed. Now click the Install Node Services button to continue.
Click Next to complete the Node Controller installation. After the complete installation of the Node Controller a window will appear as follows.
The details about the Node Controller can be downloaded in PDF (encrypted or unencrypted) format: the user can select option Default or With Password and then click the Submit button.
Remove Node
To remove a Node Controller, click Operation and select option Remove a Node, enter the IP address and password of the desired Node Controller and then click the Submit button.
Once the node has been removed successfully, the following screen will be displayed.
If an attempt is made to remove a machine that is not in the cloud, the Management tool will report an error.
Status
Cloud Host Status
To know the information about the Cloud Controller, click Status and select Cloud Host Status. This will provide information about IP Address, Process ID, Ping Status and Service Status. The following figure illustrates a sample output.
Storage Service Status
To know the status of the Storage Controller/Walrus, click Status and select Storage Service Status. In the option Select a Cloud Service, select Walrus/Storage Controller and provide the IP address and password accordingly.
Click Submit to get the information about Walrus/Storage Controller. Sample figures are illustrated as follows.
If you choose option Storage Controller, the following page will be displayed.
Cluster Status
To know the information about the Cluster Controller, click Status and select Cluster Status, then provide the IP address and password and click Submit. This will provide the status of the Cluster and Node machine(s); a sample output is shown as follows.
The user can choose option Check Node Service Status or Check Node Availability Status (PING) in Node Status and check accordingly.
View
Cloud Host Configuration
To know the information about the Cloud configuration, select View and select option Cloud Host Configuration. The configuration information, which consists of the IP Address of the Cloud Controller, Network Mode, Scheduling Policy etc., will be displayed as follows.
Other Host Configuration
To know the information about another Cloud Controller, click View and select option Other Host Configuration, then provide the IP address and password to know the configuration details. A sample output is shown below.
First, be sure to source your 'eucarc' file before running the commands below. Note that all users may upload and register images (depending on access granted to them by the Eucalyptus administrator), but only the admin user may ever upload/register kernels or ramdisks.
Second, the instructions below rely on the euca2ools command-line tools distributed by the Eucalyptus Team. Please install them if you haven't done so already.
Note: Images are available on our website. Please download them from www.cdaccloud.com/Images and unpack the archive:
tar zxvf centos.tar.gz  (or debianos.tar.gz)
Adding Images
To enable a VM image as an executable entity, a user/admin must add a root disk image, a kernel/ramdisk pair (ramdisk may be optional) to Walrus and register the uploaded data with Eucalyptus. Each is added to Walrus and registered with Eucalyptus separately, using three EC2 commands.
The following example uses the test image that we provide. Unpack it to any directory.
Add the kernel to Walrus, and register it with Eucalyptus (WARNING: your bucket names must not end with a slash!).
Adding the kernel image to Walrus:
euca-bundle-image -i <kernel file> --kernel true
euca-upload-bundle -b <kernel bucket> -m /tmp/<kernel file>.manifest.xml
euca-register <kernel bucket>/<kernel file>.manifest.xml
Next, add the ramdisk image to Walrus:
euca-bundle-image -i <initrd file> --ramdisk true
euca-upload-bundle -b <initrd bucket> -m /tmp/<initrd file>.manifest.xml
euca-register <initrd bucket>/<initrd file>.manifest.xml
Next, add the root filesystem image to Walrus:
euca-bundle-image -i <vm image file>
euca-upload-bundle -b <image bucket> -m /tmp/<vm image file>.manifest.xml
euca-register <image bucket>/<vm image file>.manifest.xml
Our test kernel does not require a ramdisk to boot. If the administrator would like to upload/register a kernel/ramdisk pair, the procedure is similar to the above:
There are three ways that one can associate a kernel (and ramdisk) with a VM instance.
1. A user may associate a specific kernel/ramdisk identifier with an image at the 'euca-bundle-image' step:
euca-bundle-image -i <vm image file> --kernel <eki-XXXXXXXX> --ramdisk <eri-XXXXXXXX>
2. A user may choose a specific kernel/ramdisk at instance run time as an option to 'euca-run-instances':
euca-run-instances --kernel <eki-XXXXXXXX> --ramdisk <eri-XXXXXXXX> <emi-XXXXXXXX>
3. The administrator can set 'default' registered kernel/ramdisk identifiers that will be used if a kernel/ramdisk is unspecified by either of the above options. This is accomplished by logging in to the administrative interface (https://your.cloud.server:8443), clicking on the 'Configuration' tab and adding an <eki-xxxxxxxx> and optionally an <eri-xxxxxxxx> as the default kernel/ramdisk to be used.
Deleting Images
In order to delete an image, you must first de-register the image:
euca-deregister <emi-XXXXXXXX>
Then, you can remove the files stored in your bucket. Assuming you have sourced your 'eucarc' to set up the EC2 client tools:
If you would like to remove the image and the bucket, add the '--clear' option:
Note: Instead of specifying EC2_ACCESS_KEY and EC2_SECRET_KEY, you can source the eucarc file in each terminal as follows.
# source /root/.euca/eucarc
Examples
The following is an example using the Ubuntu pre-packaged image that we provide, using the included KVM-compatible kernel/ramdisk (a Xen-compatible kernel/ramdisk is also included). See this page to get more pre-packaged images.
euca-bundle-image -i euca-ubuntu-9.04-x86_64/kvm-kernel/vmlinuz-2.6.28-11-generic --kernel true
euca-upload-bundle -b ubuntu-kernel-bucket -m /tmp/vmlinuz-2.6.28-11-generic.manifest.xml
euca-register ubuntu-kernel-bucket/vmlinuz-2.6.28-11-generic.manifest.xml
(set the printed eki to $EKI)
euca-bundle-image -i euca-ubuntu-9.04-x86_64/ubuntu.9-04.x86-64.img --kernel $EKI --ramdisk $ERI
euca-upload-bundle -b ubuntu-image-bucket -m /tmp/ubuntu.9-04.x86-64.img.manifest.xml
euca-register ubuntu-image-bucket/ubuntu.9-04.x86-64.img.manifest.xml
Now the newly uploaded image(s) should be ready to start using.
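As an added example (not from the manual or from Eucalyptus), the bundle/upload/register sequence above wrapped in a POSIX shell script that checks bucket names and manifests and captures the eki/eri/emi identifiers from euca-register instead of copying them by hand; the bucket-name suffixes and the sample euca-register line are constructed here, and euca2ools with a sourced eucarc are assumed.

```shell
#!/bin/sh
# Added example, not from the Meghdoot manual or Eucalyptus: bundle, upload and
# register a kernel, an optional ramdisk and a root image in the order Eucalyptus
# needs, capturing the eki/eri/emi that euca-register prints instead of copying them
# by hand. Assumes euca2ools are installed and ~/.euca/eucarc has been sourced.
set -e

# euca-register prints a line such as "IMAGE eki-1A2B3C4D"; return the identifier.
image_id_from_register() {
    set -- $1                      # split the line into words
    [ "$1" = "IMAGE" ] || return 1
    case "$2" in
        eki-*|eri-*|emi-*) printf '%s\n' "$2" ;;
        *) return 1 ;;
    esac
}

# Bucket names must not be empty or end with a slash (the WARNING in the manual).
valid_bucket() {
    case "$1" in
        ""|*/) return 1 ;;
        *) return 0 ;;
    esac
}

# Bundle, upload and register one file; prints the resulting identifier.
# $1 file, $2 bucket, $3 extra euca-bundle-image flags ("--kernel true",
# "--ramdisk true", or "--kernel <eki> --ramdisk <eri>" for the root image).
register_part() {
    file=$1; bucket=$2; flags=$3
    valid_bucket "$bucket" || { echo "bad bucket name: '$bucket'" >&2; return 1; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    base=$(basename "$file")
    manifest="/tmp/$base.manifest.xml"   # euca-bundle-image writes the manifest here
    euca-bundle-image -i "$file" $flags >/dev/null
    [ -r "$manifest" ] || { echo "manifest $manifest was not produced" >&2; return 1; }
    euca-upload-bundle -b "$bucket" -m "$manifest" >/dev/null
    out=$(euca-register "$bucket/$base.manifest.xml")
    image_id_from_register "$out" || { echo "unexpected euca-register output: $out" >&2; return 1; }
}

# Whole sequence: kernel first, ramdisk second (may be empty), root image last so that
# the image can be bundled with the identifiers it depends on.
# $1 kernel file, $2 ramdisk file or "", $3 root image file, $4 bucket name prefix.
register_image_set() {
    eki=$(register_part "$1" "$4-kernel-bucket" "--kernel true")
    flags="--kernel $eki"
    eri=""
    if [ -n "$2" ]; then
        eri=$(register_part "$2" "$4-ramdisk-bucket" "--ramdisk true")
        flags="$flags --ramdisk $eri"
    fi
    emi=$(register_part "$3" "$4-image-bucket" "$flags")
    echo "EKI=$eki ERI=${eri:-none} EMI=$emi"
}

# Constructed sample of what euca-register prints, to show the parser offline.
SAMPLE_REGISTER_OUTPUT='IMAGE eki-1A2B3C4D'
image_id_from_register "$SAMPLE_REGISTER_OUTPUT"    # prints eki-1A2B3C4D

# Usage against a real cloud:
# register_image_set vmlinuz-2.6.28-11-generic initrd.img-2.6.28-11-generic ubuntu.img ubuntu
```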
2.3.1 Storage Management
Interacting With Block Storage
The Block Storage Service in Eucalyptus is interface-compatible with Amazon's Elastic Block Store. You can therefore use either EC2 commands or euca2ools commands to control it. The instructions below rely on the euca2ools command-line tools distributed by the Eucalyptus Team. Please install them if you haven't done so already. The following operations are possible.
Creating volumes
You may create a volume either from scratch or from an existing snapshot.
euca-create-volume --size <size> --zone <zone>
where <size> is the size in GB and <zone> is the availability zone you wish to create the volume in (use euca-describe-availability-zones to discover zones). For instance,
euca-create-volume --size 1 --zone myzone
will create a 1GB volume in the availability zone "myzone".
To create a volume from a snapshot:
euca-create-volume --snapshot <snapshot id> --zone <zone>
where <snapshot id> is the unique identifier for a snapshot and <zone> is the availability zone you wish to create the volume in. For instance,
euca-create-volume --snapshot snap-EF4323 --zone myzone
will create a volume from the snapshot "snap-EF4323" in the zone "myzone".
Query the status of volumes
euca-describe-volumes
Volumes marked "available" are ready for use.
Attaching a volume
You can attach volumes to existing instances (that have been started with euca-run-instances). You may attach a volume to only one instance at a time.
euca-attach-volume -i <instance id> -d <local device name> <volume id>
where <volume id> is the unique identifier for a volume (vol-XXXX), <instance id> is a unique instance identifier and <local device name> is the name of the local device in the guest VM. For instance,
euca-attach-volume -i i-345678 -d /dev/sdb vol-FG6578
will attach the previously unattached volume "vol-FG6578" to instance "i-345678" with the local device name "/dev/sdb".
Detaching a volume
euca-detach-volume <volume id>
where <volume id> is the unique identifier for a previously attached volume (vol-XXXX). For instance,
euca-detach-volume vol-FG6578
will detach volume "vol-FG6578".
Important! The user of the instance is responsible for making sure that the block device is unmounted before a detach. Detach cannot ensure the consistency of user data if the user detaches a volume that is in use.
Deleting a volume
euca-delete-volume <volume id>
where <volume id> is the unique identifier for a volume (vol-XXXX).
Creating a snapshot from a volume
You can snapshot a volume so that you can create volumes in the future from the snapshot.
euca-create-snapshot <volume id>
where <volume id> is the unique identifier for a volume (vol-XXXX). For instance,
euca-create-snapshot vol-GH4342
will snapshot the volume "vol-GH4342". The volume to be snapshotted needs to be "available" or "in-use"; you cannot snapshot a volume that is in the "creating" state.
Querying the status of snapshots
euca-describe-snapshots
You may create volumes from snapshots that are marked "completed".
Deleting a snapshot
euca-delete-snapshot <snapshot id>
where <snapshot id> is the unique identifier for a snapshot.
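As an added example (not the manual's or Eucalyptus' own code), the create-then-attach flow above as a POSIX shell script that waits for the volume to leave the "creating" state before attaching it; it recognises volume states in euca-describe-volumes output by name rather than by column, assumes euca2ools with a sourced eucarc, and the sample describe output is constructed.

```shell
#!/bin/sh
# Added example, not from the Meghdoot manual or Eucalyptus: create a volume, wait
# until Eucalyptus reports it "available", attach it, and wait for "in-use", instead
# of attaching a volume that is still "creating". Assumes euca2ools are installed
# and ~/.euca/eucarc has been sourced.
set -e

# euca-create-volume prints a line such as "VOLUME vol-FG6578 1 myzone creating ...";
# return the volume identifier.
volume_id_from_create() {
    set -- $1
    [ "$1" = "VOLUME" ] || return 1
    case "$2" in
        vol-*) printf '%s\n' "$2" ;;
        *) return 1 ;;
    esac
}

# $1: euca-describe-volumes output, $2: volume id. Prints that volume's state.
# The state is recognised by name rather than by column position, so the exact
# field layout of the VOLUME line does not matter.
volume_state() {
    printf '%s\n' "$1" | awk -v vol="$2" '
        $1 == "VOLUME" && $2 == vol {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^(creating|available|in-use|deleting|deleted|failed)$/) {
                    print $i; found = 1; exit
                }
        }
        END { exit found ? 0 : 1 }'
}

# Poll every 5 s until volume $1 reaches state $2 or $3 seconds have passed.
wait_for_volume() {
    vol=$1; want=$2; limit=$3; waited=0
    while [ "$waited" -lt "$limit" ]; do
        state=$(volume_state "$(euca-describe-volumes "$vol")" "$vol") || state=unknown
        [ "$state" = "$want" ] && return 0
        case "$state" in
            failed|deleted) echo "volume $vol entered state $state" >&2; return 1 ;;
        esac
        sleep 5
        waited=$((waited + 5))
    done
    echo "timed out after ${limit}s waiting for $vol to become $want" >&2
    return 1
}

# Create a volume of $1 GB in zone $2 and attach it to instance $3 as device $4.
# Prints the volume id. Detaching later is still the guest's job: unmount the
# device inside the VM first, then run euca-detach-volume.
create_and_attach() {
    vol=$(volume_id_from_create "$(euca-create-volume --size "$1" --zone "$2")")
    wait_for_volume "$vol" available 300
    euca-attach-volume -i "$3" -d "$4" "$vol" >/dev/null
    wait_for_volume "$vol" in-use 120
    printf '%s\n' "$vol"
}

# Constructed sample of euca-describe-volumes output, to show the parser offline.
SAMPLE_DESCRIBE_OUTPUT='VOLUME vol-FG6578 1 myzone available 2011-01-01T00:00:00.000Z
VOLUME vol-GH4342 2 myzone in-use 2011-01-01T00:00:00.000Z'
volume_state "$SAMPLE_DESCRIBE_OUTPUT" vol-FG6578    # prints available

# Usage against a real cloud: create_and_attach 1 myzone i-345678 /dev/sdb
```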
Running a VM Instance
You can now run instances that are accessible with the newly generated private key:
euca-run-instances -k mykey -n <number of instances to start> <emi-id>
euca-describe-instances
Authorizing Security Groups and Allocating IPs
If your administrator has configured Eucalyptus to provide security groups and elastic IPs, you may be required to allow logins to your instance, allocate a public IP (if you have not done so before, check 'euca-describe-addresses' as a reminder), and assign it to your running instance.
Allow 'ssh' connections from the Internet:
euca-authorize -P tcp -p 22 -s 0.0.0.0/0 default
Allocate a public IP if you have not done so already:
euca-allocate-address
Associate an allocated IP with your running instance:
euca-associate-address <IP from allocate> -i <instance ID>
Once the instance is shown as 'Running', it will also show two IP addresses assigned to it.
Logging into a VM Instance
You can now log into it with the SSH key that you created:
ssh -i mykey.private root@<accessible-instance-ip>
To terminate instances, use:
euca-terminate-instances <instance-id1>
For more information on Euca2ools, see our Euca2ools User Guide. For more information on EC2 command line tools, see the EC2 Getting Started Guide. Please note that depending on the networking mode used to implement your Eucalyptus cloud, some command line tools may not be applicable (security groups/elastic IPs, etc.).
Overview
Security in a private cloud deployment raises fewer concerns than in the public cloud deployment model. Security in a private cloud can be achieved with existing security solutions with slight modification and cloud-aware configuration. This document describes how security can be implemented and which security controls are competent enough to ensure security in a private cloud.
Security Integrated Architecture
The following figure shows where specific security controls and software should be installed in the cloud so that the minimal security requirements of the private cloud environment are satisfied.
[Figure: Security Integrated Architecture. HIDS-Console (Internal Access); OSSEC agent on Compute Node-1 and Compute Node-2; OSSEC agent on VM-1, VM-2, VM-3 and VM-4.]
To achieve security using existing security controls is complex and requires specific policy and design models. To reduce complexity and security risk in the private cloud environment, the following open source security controls have been selected and integrated into the Meghdoot cloud stack. Moreover, we have devised a strategy for their deployment and a policy for their configuration as per the cloud computing model. In addition, we modified the source code of some tools and also developed decoders for managing specific kinds of events or alerts, such as cloud access logs.

ModSecurity
An open source Web application firewall (WAF) cum web intrusion prevention system. It has a rule-based detection mechanism: when a particular rule matches an incoming HTTP request, access is denied immediately. ModSecurity can be deployed in two modes: embedded mode and network mode (reverse proxy mode). In embedded mode it can protect a single web server only (the Apache web server), while in reverse proxy mode multiple application or web servers can be protected. In the context of cloud, the reverse proxy mode of ModSecurity is recommended; with this kind of deployment and configuration, the different tenants' applications running on different application servers will be monitored and protected from web attacks/threats.

OSSEC
An open-source Host-Based Intrusion Detection System (HIDS), meaning that it works by monitoring conditions on a host machine and reporting possible security breaches. OSSEC is not a Network-Based Intrusion Detection System (NIDS) like Snort; however, Snort's logs can be monitored through the OSSEC log monitor. OSSEC monitors the following:
- System logs (http.log, auth.log, syslog etc.)
- File integrity in system directories
- System processes
- VM
When a possible security breach is detected, OSSEC logs the event and assigns it an alert level. Depending on the alert level, an email or SMS can be sent. In addition, OSSEC provides limited active-response functionality to respond automatically to an event immediately after its detection.

WAF AuditConsole
An alert and log management GUI for ModSecurity that provides a complete view of who has accessed a web application at what time, with a report generation facility.

HIDS-Console
An alert and log management GUI for OSSEC that allows us to see the alerts and events that occurred on a particular host or VM.

ModSecurity Installation on RHEL/CentOS platform
ModSecurity requires the following:
- apache or httpd
- mod_unique_id
- libapr and libapr-util
- libpcre
- libxml2
- libcurl v7.15.1 or higher
- mlogc (for forwarding logs to a remote location)

Installation of libxml2:
wget ftp://xmlsoft.org/libxml2/libxml2-sources-2.6.29.tar.gz
tar -xvzf libxml2-sources-2.6.29.tar.gz
cd libxml2-2.6.29
./configure
make
make install

Installation of libapr and libapr-util:
Download the tar file from the following link: http://apr.apache.org/download.cgi
Untar the file:
tar zxvf /<path to the file>

Installation of ModSecurity:
Step 1. Copy from the Meghdoot DVD or download the tar file from the following link: http://www.modsecurity.org/download/
Step 2. Move the downloaded tar file into the /opt directory:
mv /<path to downloaded file> /opt
Step 3. Extract the tar file as follows:
tar zxvf /opt/<filename>
Step 4. Change the working directory to the extracted directory:
cd modsecurity-apache_<version>
Step 5. Execute the configure script:
./configure
Step 6. make
Step 7. make mlogc
Step 8. make install
ModSecurity Configuration On RHEL/CentOS
Create the necessary directories:
mkdir /opt/modsecurity
mkdir /opt/modsecurity/etc
mkdir /opt/modsecurity/var
mkdir /opt/modsecurity/var/audit
mkdir /opt/modsecurity/var/data
mkdir /opt/modsecurity/var/log
mkdir /opt/modsecurity/var/tmp
mkdir /opt/modsecurity/var/upload
mkdir /opt/modsecurity/bin
Change the ownership of the directories:
chown apache /opt/modsecurity/var/audit
chown apache /opt/modsecurity/var/data
chown apache /opt/modsecurity/var/tmp/
chown apache /opt/modsecurity/var/upload/
Change the permissions of the created directories:
chmod 750 /opt/modsecurity/
chmod 750 /opt/modsecurity/bin/
chmod 700 /opt/modsecurity/etc/
chmod 750 /opt/modsecurity/var/
chmod 750 /opt/modsecurity/var/tmp/
chmod 700 /opt/modsecurity/var/audit/
chmod 700 /opt/modsecurity/var/data/
chmod 700 /opt/modsecurity/var/log/
Now open /opt/modsecurity/etc/modsecurity.conf and add the following configuration:
SecRuleEngine On
SecRequestBodyAccess On
SecDefaultAction "phase:2,deny,log"
SecRequestBodyLimit 1310720
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyAccess Off
SecResponseBodyMimeType text/plain text/html
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir /opt/modsecurity/var/tmp/
SecDataDir /opt/modsecurity/var/data/
SecUploadDir /opt/modsecurity/var/upload/
SecUploadKeepFiles Off
SecUploadFileMode 0600

# Debug log
SecDebugLog /opt/modsecurity/var/log/debug.log
SecDebugLogLevel 3

# Log only what is really necessary.
SecAuditEngine RelevantOnly
# Also log requests that cause a server error.
SecAuditLogRelevantStatus ^(5|4)

# Concurrent logging: one file per transaction, with the index piped to mlogc.
SecAuditLogType Concurrent
SecAuditLog "|/usr/local/bin/mlogc /etc/httpd/mlogc.conf"

# Specify the path for concurrent audit logging.
SecAuditLogStorageDir /var/log/mlogc/data

Include /opt/modsecurity-apache_2.5.13/rules/base_rules/*.conf
Now, open the httpd.conf file of apache server and include the modsecurity configuration file as follows.
Include /opt/modsecurity/etc/modsecurity.conf
Download the core rule set from http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/
Untar the file into the /opt directory and edit the last Include line of the configuration above so that it points to the extracted rules.
Installing mlogc: The mlogc binary was built in the previous step, so copy it into the /usr/local/bin directory.
ModSecurity installation using the binary script included in the Security-Packages of the Meghdoot DVD
Copy the following script to a file with .sh extension and execute that file at the command prompt.
#!/bin/sh
# Installs Apache and ModSecurity from the Debian-based repositories and prepares the
# /opt/modsecurity directory layout and configuration files used by Meghdoot.
set -e

# update the repository
echo "Updating the repository"
echo "-----------------------------"
apt-get update
# install apache2
apt-get install apache2
# install modsecurity
apt-get install libapache-mod-security

# Create the directory tree; directories that already exist are reported and left alone.
for dir in /opt/modsecurity /opt/modsecurity/etc /opt/modsecurity/var \
           /opt/modsecurity/var/audit /opt/modsecurity/var/data /opt/modsecurity/var/log \
           /opt/modsecurity/var/tmp /opt/modsecurity/var/upload /opt/modsecurity/bin
do
    if [ -d "$dir" ]; then
        echo "Directory $dir is already existing ... OK"
    else
        mkdir "$dir"
        echo "Directory $dir is created ... OK"
    fi
done

# Hand the writable directories to the web server account. The original script
# announces creating the user and group apache but does not do so: the account
# must already exist (on Debian the apache2 package runs as www-data instead).
echo "Setting ownership of the directories for the user apache ..."
chown apache /opt/modsecurity/var/audit
chown apache /opt/modsecurity/var/data
chown apache /opt/modsecurity/var/tmp/
chown apache /opt/modsecurity/var/upload/
echo "Done"

# Restrict permissions on the directory tree.
chmod 750 /opt/modsecurity/
chmod 750 /opt/modsecurity/bin/
chmod 700 /opt/modsecurity/etc/
chmod 750 /opt/modsecurity/var/
chmod 750 /opt/modsecurity/var/tmp/
chmod 700 /opt/modsecurity/var/audit/
chmod 700 /opt/modsecurity/var/data/
chmod 700 /opt/modsecurity/var/log/
chmod 700 /opt/modsecurity/var/upload/
echo "..Done"

# Create the configuration files if they do not exist yet. reverse-proxy.conf is the
# file to configure when ModSecurity (WAF) is deployed in network (reverse proxy) mode.
for file in modsecurity.conf reverse-proxy.conf main.conf rules-first.conf rules.conf rules-last.conf
do
    path="/opt/modsecurity/etc/$file"
    if [ -f "$path" ]; then
        echo "File $path is already existing ... OK"
    else
        touch "$path"
        echo "File $path is created ... OK"
    fi
done
Configuring ModSecurity
Download the core rule set from http://www.modsecurity.org/download/. All rules are present in the tar file, so extract the rules directory to the /opt folder. Now open the modsecurity.conf file (which will be in the /opt/modsecurity/etc/ folder) and add the following configuration:
SecRuleEngine On
SecRequestBodyAccess On
SecDefaultAction "phase:2,deny,log"
SecRequestBodyLimit 1310720
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyAccess Off
SecResponseBodyMimeType text/plain text/html
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir /opt/modsecurity/var/tmp/
SecDataDir /opt/modsecurity/var/data/
SecUploadDir /opt/modsecurity/var/upload/
SecUploadKeepFiles Off
SecUploadFileMode 0600

# Debug log
SecDebugLog /opt/modsecurity/var/log/debug.log
SecDebugLogLevel 3

# Log only what is really necessary.
SecAuditEngine RelevantOnly
# Also log requests that cause a server error.
SecAuditLogRelevantStatus ^5

# Concurrent logging: one file per transaction, with the index piped to mlogc.
SecAuditLogType Concurrent
SecAuditLog "|/usr/local/bin/mlogc /etc/apache2/mlogc.conf"

# Specify the path for concurrent audit logging.
SecAuditLogStorageDir /var/log/mlogc/data

Include /opt/modsecurity-apache_2.5.13/rules/base_rules/*.conf
Open reverse-proxy.conf (in /opt/modsecurity/etc/) and add the following configuration. ProxyRequests Off disables forward proxying, so that the WAF host cannot be abused as an open proxy; only the explicitly configured backends are reachable through it.

    ProxyRequests Off
    # The following two lines need to be added for each user application /
    # other web server that you want to protect
Open the httpd.conf file of the Apache server and include the ModSecurity configuration files as follows:

    Include /opt/modsecurity/etc/modsecurity.conf
    Include /opt/modsecurity/etc/reverse-proxy.conf
Mlogc Installation
Description: mlogc is the ModSecurity Audit Log Collector. It connects a ModSecurity sensor to the central audit log repository (the WAF-Console) by forwarding the concurrent audit log entries that Apache writes.

Install the following dependencies:
    apache2-threaded-dev
    libcurl3
    libc6
    curl
    libcurl4-openssl-dev
    pcre

Untar the ModSecurity source archive, change to the mlogc source directory inside it and build:
    cd apache2/mlogc-src
    make

An executable named mlogc now exists in that directory. Copy it to a directory on the system path such as /usr/local/bin (the location used by the SecAuditLog directive above). Because Apache starts piped log programs with its own (root) privileges, the binary and its configuration file must be owned by root and not writable by anyone else. Then edit the mlogc-default.conf file in the same directory, providing the sensor name and password and the remote location (ConsoleURI) of the WAF-Console (AuditConsole).
Note: For sensor creation and deployment of the WAF-Console (AuditConsole), follow the installation steps in the WAF-Console section below.

Now create the directories and files that mlogc needs. The data directory is where Apache writes the per-transaction audit log files (SecAuditLogStorageDir above), so it must be writable by the Apache user; the three log files are mlogc's own error, queue and transaction logs.
    mkdir -p /var/log/mlogc/data
    touch /var/log/mlogc/mlogc-error.log
    touch /var/log/mlogc/mlogc-queue.log
    touch /var/log/mlogc/mlogc-transaction.log
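The configuration above names several directories (SecTmpDir, SecDataDir, SecUploadDir, the directory of SecDebugLog, and SecAuditLogStorageDir) that the steps so far do not all create; if one is missing, Apache either refuses to start or ModSecurity cannot write its logs. The following script is an added example, not part of the Meghdoot manual or of ModSecurity: it reads a modsecurity.conf, lists the directories that are missing and creates them with mode 0750 owned by the Apache user. The directive list, the 0750 mode, the owner parameter and the throw-away tree used by the demo are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the Meghdoot manual or ModSecurity): check that
# every directory named in modsecurity.conf exists before Apache is restarted,
# and create the missing ones with a restrictive mode.

# modsec_dir_directives CONF
#   Print "DIRECTIVE DIRECTORY" for each directory-type directive in CONF.
#   Handles SecTmpDir, SecDataDir, SecUploadDir, SecAuditLogStorageDir and the
#   parent directory of SecDebugLog; values may be quoted or unquoted.
modsec_dir_directives() {
    sed -e 's/#.*$//' "$1" | awk '
        NF >= 2 { gsub(/"/, "", $2) }
        $1 == "SecTmpDir" || $1 == "SecDataDir" || $1 == "SecUploadDir" ||
        $1 == "SecAuditLogStorageDir" { print $1, $2 }
        $1 == "SecDebugLog" { sub(/\/[^\/]*$/, "", $2); print $1, $2 }
    '
}

# modsec_missing_dirs CONF
#   Print "DIRECTIVE DIRECTORY" for each referenced directory that is absent.
modsec_missing_dirs() {
    modsec_dir_directives "$1" | while read -r directive dir; do
        [ -d "$dir" ] || printf '%s %s\n' "$directive" "$dir"
    done
}

# modsec_create_dirs CONF OWNER
#   Create the missing directories with mode 0750. OWNER is the user Apache
#   runs as (www-data on Debian); chown only happens when running as root.
modsec_create_dirs() {
    conf="$1"; owner="$2"
    modsec_missing_dirs "$conf" | while read -r directive dir; do
        mkdir -p "$dir"
        chmod 0750 "$dir"
        if [ "$(id -u)" -eq 0 ]; then chown "$owner" "$dir"; fi
        printf 'created %s (%s)\n' "$dir" "$directive"
    done
}

# modsec_check CONF
#   Return 0 when every referenced directory exists, 1 otherwise (the missing
#   ones are listed on stderr). Run it before "apachectl configtest".
modsec_check() {
    missing=$(modsec_missing_dirs "$1")
    if [ -n "$missing" ]; then
        printf 'modsecurity.conf refers to missing directories:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# write_sample_conf PATH BASE
#   Write a constructed sample with the manual's directives, rooted at BASE
#   instead of /opt and /var so that the demo never touches the real system.
write_sample_conf() {
    cat > "$1" <<EOF
# constructed sample for the demo
SecRuleEngine On
SecTmpDir $2/modsecurity/var/tmp/
SecDataDir $2/modsecurity/var/data/
SecUploadDir "$2/modsecurity/var/upload/"
SecDebugLog $2/modsecurity/var/log/debug.log
SecAuditLogType Concurrent
SecAuditLogStorageDir $2/log/mlogc/data
EOF
}

# Demo against a throw-away tree.
demo_base=$(mktemp -d "${TMPDIR:-/tmp}/modsec-demo.XXXXXX")
write_sample_conf "$demo_base/modsecurity.conf" "$demo_base"
modsec_check "$demo_base/modsecurity.conf" || echo "(expected: nothing created yet)"
modsec_create_dirs "$demo_base/modsecurity.conf" "$(id -un)"
modsec_check "$demo_base/modsecurity.conf" && echo "all directories present"
rm -rf "$demo_base"
```

On the real host run modsec_check /opt/modsecurity/etc/modsecurity.conf as root; modsec_create_dirs with owner www-data then creates whatever is missing, and /var/log/mlogc/data ends up writable by the Apache user as the mlogc step above requires.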
WAF-Console installation and configuration is distribution independent (RHEL / CentOS / Debian / BOSS). The following steps need to be performed.

Prerequisites
    JRE (Java Runtime Environment)
    Apache Tomcat application server
    MySQL or PostgreSQL database server

Installation from the Meghdoot cloud DVD
ModSecurity is installed automatically if you use the Meghdoot cloud DVD for installation. Once the cloud head node is fully set up, you only have to configure the database settings through the initial window of the WAF-Console.

Otherwise, install Apache Tomcat, copy the WAF-Console .war file into Tomcat's webapps folder and restart Tomcat.
Configuration
WAF-Console stores all ModSecurity events in a MySQL backend database, so a database and a user with access to that database are needed. Use this dedicated user, not root, in the WAF-Console database settings.
    mysqladmin -u root -p create <database-name>
    mysql -u root -p <database-name>
    GRANT ALL ON <database-name>.* TO '<username>'@'localhost' IDENTIFIED BY '<password>';
    FLUSH PRIVILEGES;

If you already have .sql backup files you can load them as follows:
    mysql -u root -p <database-name> < <path to dump file>

Now open a web browser and access the following URL:
    http://localhost:8080/WAF-Console-<version number>

Log in with admin as both user name and password, set the temporary directory location to /opt/audit and click OK. Change the default admin password immediately after the first login.

Configuring sensors
Create a sensor and its password under System > sensors > addsensor.
mlogc configuration
The same sensor name and password must be entered in mlogc.conf. Copy the default file to the path named in the SecAuditLog directive (/etc/apache2/mlogc.conf in the configuration above; RHEL/CentOS layouts use /etc/httpd/mlogc.conf):
    cp <path to modsecurity-apache directory>/apache2/mlogc-src/mlogc-default.conf /etc/apache2/mlogc.conf
In that file set the sensor user name and password (SensorUsername, SensorPassword) and the console URI (ConsoleURI) according to your WAF-Console deployment, for example:
    http://localhost:8080/AuditConsole-<version number>/rpc/auditLogReceiver
Keep mlogc.conf readable by root only, since it contains the sensor password.
OSSEC performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. As OSSEC monitors system logs, directories and processes, it uses a set of rules to decide when an alert should be triggered.

Prerequisites for OSSEC installation from the source (tar) package
    gcc compiler
    make
    OpenSSL
    iptables firewall

OSSEC Installation
OSSEC works on a server-client model. The server must be a UNIX/Linux machine; the clients, which OSSEC calls agents, can run virtually any operating system. Three deployment modes of OSSEC are therefore available:
    Local mode
    Server mode
    Agent mode
OSSEC server and local installation is independent of the Linux distribution.
Step 1: Download OSSEC from http://www.ossec.net/files/
Step 2: Untar the files into a local directory and change to that directory.

Local Installation
Run the installation shell script:
    # ./install.sh
    What kind of installation do you want (server, agent, local or help)? local
    Setting up the installation environment.
    Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
    --- Press ENTER to continue ---
Once you press Enter the source is compiled and OSSEC is deployed on the system in local mode.

Installing the Server
Run the installation shell script:
    # ./install.sh
    What kind of installation do you want (server, agent, local or help)? server

Installing the OSSEC Agent on Linux
Run the installation shell script:
    # ./install.sh
    What kind of installation do you want (server, agent, local or help)? agent
    What is the IP of your Cloud Head Node (OSSEC HIDS) server? IP (www.xxx.yyy.zzz)
Installing OSSEC agents on a Windows host
Download the .exe installer from http://www.ossec.net/main/downloads and run the downloaded file.
Managing Agents
The server-agent traffic is encrypted and validated using pre-shared keys. These keys must be generated on the server and then imported on the agent side; the procedure is the same regardless of the agent platform. All agent key management is done with the manage_agents utility in the OSSEC HIDS bin directory (/var/ossec/bin for the installation path chosen above).

Execute the following in a terminal on the server:
    /var/ossec/bin/manage_agents
The following menu is displayed:

    ****************************************
    * OSSEC HIDS v1.4 Agent man ager.      *
    * The following options are available: *
    ****************************************
       (A)dd an agent (A).
       (E)xtract key for an agent (E).
       (L)ist already added agents (L).
       (R)emove an agent (R).
       (Q)uit.
    Choose your action: A,E,L,R or Q:

Now select your option. If you select A, the following is displayed:

    - Adding a new agent (use \q to return to the main menu).
      Please provide the following:
       * A name for the new agent: <give a name for the agent>
       * The IP Address of the new agent: <enter the IP address of the agent>
       * An ID for the new agent [001]: <ID of the agent>
    Agent information:

After the agent has been added, use E to extract its key and paste that key into manage_agents on the agent machine (import option) so that the two sides share it.
Managing the Rule-base of OSSEC
The rules reside in /var/ossec/rules and are XML files. A rule fires when certain conditions are met. For example, the following rule, contained in syslog_rules.xml, fires when OSSEC detects the strings "Promiscuous mode enabled" or "device <non-whitespace string> entered promiscuous mode" in the Linux system log:

    <rule id="5104" level="8">
      <if_sid>5100</if_sid>
      <regex>Promiscuous mode enabled|</regex>
      <regex>device \S+ entered promiscuous mode</regex>
      <description>Interface entered in promiscuous(sniffing) mode.</description>
      <group>promisc,</group>
    </rule>

OSSEC comes with a comprehensive set of rules that should cover virtually every security-related aspect of the system. Nonetheless, there may be times when you want to write a custom rule. Since rules are XML files, they are easy to edit. However, the OSSEC manual recommends that instead of editing the shipped rules themselves (they are replaced on upgrade), you modify their behaviour by writing custom rules and adding them to local_rules.xml. The procedure for writing custom rules is explained in the OSSEC manual and online.

Rules can be made highly granular so that they only fire for certain hosts, involving certain IP addresses, at certain times of day, and so on. For example, OSSEC by default generates an alert and an e-mail whenever an agent connects or disconnects. You probably do not care much if a workstation disconnects, as this happens whenever someone with a laptop goes home for the day, but you do want to know if a machine in the server room stops responding. You could write a custom rule that modifies the behaviour of rules 503 and 504 (the agent-connect and agent-disconnect rules) so that they only fire when servers disconnect. Again, see the OSSEC manual for the specifics of writing such a rule.
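As an added example (not from the manual or the OSSEC project), here is a script that writes the custom rule the paragraph above describes into local_rules.xml: it overrides rules 503 and 504 with level 0 for agents whose names start with a workstation prefix (ws- in the demo), so that only the remaining agents, the servers, still alert. It assumes the manager logs these events as "ossec: Agent started: 'NAME-IP'." and "ossec: Agent disconnected: 'NAME-IP'.", the text that rules 503/504 match on; verify this with ossec-logtest on your version. Rule ids 100503/100504, the prefix convention and the group name are this example's choices. It refuses to append a rule id twice, because a duplicate id stops ossec-analysisd from starting.

```shell
#!/bin/sh
# Added example (not from the Meghdoot manual or the OSSEC project): append
# local rules that silence the agent-started (503) and agent-disconnected
# (504) alerts for agents whose names start with a given prefix. Rule ids
# 100503/100504 are in the range OSSEC reserves for local rules.
# ASSUMPTION: the server logs these events as
#   ossec: Agent started: 'NAME-IP'.
#   ossec: Agent disconnected: 'NAME-IP'.

# ossec_rule_exists FILE ID -> 0 when a rule with this id is already in FILE
ossec_rule_exists() {
    [ -f "$1" ] && grep -q "id=\"$2\"" "$1"
}

# ossec_silence_agents FILE PREFIX
#   Append the two overriding rules to FILE (normally
#   /var/ossec/rules/local_rules.xml). Refuses to add a rule id twice.
ossec_silence_agents() {
    file="$1"; prefix="$2"
    if ossec_rule_exists "$file" 100503 || ossec_rule_exists "$file" 100504; then
        echo "rules 100503/100504 already present in $file; not adding again" >&2
        return 1
    fi
    cat >> "$file" <<EOF
<group name="local,ossec,">
  <rule id="100503" level="0">
    <if_sid>503</if_sid>
    <match>Agent started: '$prefix</match>
    <description>Workstation agent started; no alert.</description>
  </rule>
  <rule id="100504" level="0">
    <if_sid>504</if_sid>
    <match>Agent disconnected: '$prefix</match>
    <description>Workstation agent disconnected; no alert.</description>
  </rule>
</group>
EOF
}

# ossec_rule_count FILE -> number of <rule ...> elements in FILE
ossec_rule_count() {
    grep -c '<rule id=' "$1" || true
}

# Demo with a throw-away file instead of the live local_rules.xml.
demo=$(mktemp "${TMPDIR:-/tmp}/local_rules.XXXXXX")
ossec_silence_agents "$demo" "ws-"
ossec_silence_agents "$demo" "ws-" || true   # second call is refused
cat "$demo"
rm -f "$demo"
```

After appending to the real local_rules.xml, feed a constructed line such as ossec: Agent disconnected: 'ws-laptop-10.0.0.5'. to /var/ossec/bin/ossec-logtest on standard input and confirm that it now reports rule 100504 at level 0, then run /var/ossec/bin/ossec-control restart. Agents that are not named with the prefix keep the default level and still alert.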
HIDS-Console is a web-based PHP GUI application for OSSEC-HIDS alert and log management. It also displays configuration information about the deployed agents and the server.

Prerequisites
    Apache with PHP (>= 4.1 or >= 5.0) installed, with POSIX support, or Lighttpd (>= 1.x) with PHP-CGI (php4-cgi or php5-cgi) in FastCGI mode
    OSSEC (version >= 0.9-3) already installed

Installation
The HIDS-Console package is on the Meghdoot DVD. Copy the package to its location (refer to the integration architecture) and run:
    tar -zxvf HIDS-Console-1.0.tar.gz
    mv HIDS-Console-1.0 /var/www/HIDS-Console
    cd /var/www/HIDS-Console
    ./setup.sh

Configuration
The console runs as the web server user (www-data) and must be able to read the OSSEC alert log, so add www-data to the ossec group rather than opening the files to everyone:
    usermod -a -G ossec www-data
Equivalently, check /etc/group for a line such as ossec:x:1002:www-data (1002 being the ossec group's GID on your system) and add www-data to the ossec line if it is missing. Then fix the permissions and restart the web server:
    chmod 770 /var/ossec/tmp
    chgrp www-data /var/ossec/tmp
    chmod 770 /var/ossec/logs/alerts/alerts.log
    /etc/init.d/apache2 restart
The console only reads alerts.log, so group read access (mode 640 with group ossec) is sufficient; 770 grants write access the console does not need.
Enable one of the authentication modules available for Apache to protect the console (auth modules: Basic, Digest, PAM). Example for Basic authentication:

    <Directory /var/www>
        AuthType Basic
        AuthName "Blocked Restricted Access"
        AuthUserFile /etc/apache2/passwd
        Require user
    </Directory>

Require user must be followed by the user name(s) allowed in; Require valid-user admits every user in the password file. Keep the password file outside the document root (as above, under /etc/apache2) so that it can never be served by the web server, and put the console behind HTTPS, because Basic authentication sends the password base64-encoded with every request.

Create a password file with htpasswd
The htpasswd command creates and updates the flat files (text files) that store user names and passwords for Apache Basic authentication. General syntax:
    htpasswd -c password-file username
where
    -c : create password-file. If password-file already exists it is rewritten and truncated, so use -c only for the first user.
    username : the user name to create or update in password-file. If the user name does not exist in this file an entry is added; if it does exist, the password is changed.
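The following is an added example, not part of the manual or of Apache: a function that maintains the AuthUserFile without the -c trap (a second user added with -c wipes the first). It builds each entry with openssl passwd -apr1, the MD5-based format htpasswd writes by default, so it also works on hosts where apache2-utils is not installed, and it reads the password on standard input rather than from the command line. The file name, user names and passwords in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the Meghdoot manual or Apache): maintain the Basic
# authentication password file without "htpasswd -c", which truncates an
# existing file. Entries use openssl's apr1 hash, the format htpasswd writes
# by default. The password is passed to openssl on stdin, never on the
# command line (where other users could read it from the process list).

# htpasswd_hash PASSWORD -> "$apr1$..." hash as htpasswd would write it
htpasswd_hash() {
    printf '%s\n' "$1" | openssl passwd -apr1 -stdin
}

# htpasswd_set FILE USER PASSWORD
#   Create FILE (mode 0640) if absent; replace USER's entry if present,
#   append it otherwise. Other users' entries are preserved.
htpasswd_set() {
    file="$1"; user="$2"
    hash=$(htpasswd_hash "$3") || return 1
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # grep -v exits 1 when no other lines remain; that is not an error here
    grep -v "^$user:" "$file" > "$tmp" || true
    printf '%s:%s\n' "$user" "$hash" >> "$tmp"
    chmod 0640 "$tmp"
    mv "$tmp" "$file"
}

# htpasswd_entry_count FILE USER -> number of lines for USER (1 if present)
htpasswd_entry_count() { grep -c "^$2:" "$1" || true; }

# htpasswd_users FILE -> user names in FILE, one per line
htpasswd_users() { cut -d: -f1 "$1"; }

# Demo with a throw-away file; the manual's file is /etc/apache2/passwd.
demo=$(mktemp "${TMPDIR:-/tmp}/passwd.XXXXXX")
htpasswd_set "$demo" hidsadmin 'correct horse battery staple'
htpasswd_set "$demo" hidsadmin 'rotated password, same user'   # updates in place
htpasswd_users "$demo"
rm -f "$demo"
```

Where apache2-utils is available and Apache is 2.4 or newer, htpasswd -B (bcrypt) is the stronger choice; the apr1 format is what the stock htpasswd produces without options and what the manual's Directory block expects.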
Product / Solution Snapshots after deployment

Meghdoot-AppSecurity
This solution includes two components:
    WAF-ModSecurity: an open source web application firewall and intrusion detection system
    WAF-Console: a ModSecurity alert and log management console

The HIDS solution includes two components:
    HIDS-OSSEC: an open source host intrusion detection system with (limited) prevention
    HIDS-Console: an HIDS alert and log management console
Pre-requisites for the monitoring server (Hyperic HQ)
    PostgreSQL 8.3 or above
    postgresql-client-common
    Java Development Kit 1.6 or above

Set a host name for the machine. For example, to set the host name to portalserver, open a terminal and type the following commands as root:
    hostname portalserver
    echo portalserver > /etc/hostname
Now exit the terminal, log out (System -> Logout root) and log in again as root.
Mapping the host name
Open a terminal; /etc/hosts should look as follows. Replace <LAN IP Address> with the IP address of your machine and <Hostname> with its host name (portalserver in our case). The host name must map to the LAN address, not to a loopback address such as 127.0.1.1 as some installers write it, otherwise the monitoring agent registers with an address the server cannot reach.
    127.0.0.1        localhost
    <LAN IP Address> <Hostname>

    # The following lines are desirable for IPv6 capable hosts
    ::1     localhost ip6-localhost ip6-loopback
Starting the HQ server prints output similar to the following:
    Starting HQ server...
    Initializing HQ server configuration...
    Checking jboss jndi port...
    Checking jboss mbean port...
    Verify HQ database schema...
    Unable to locate tools.jar. Expected to find it in /home/hyperic/server4.2.0.7/lib/tools.jar
    Loading taskdefs...
    Taskdefs loaded
    Booting the HQ server (Using JAVA_OPTS=-XX:MaxPermSize=192m -Xmx512m -Xms512m -XX:+HeapDumpOnOutOfMemoryError)...
    HQ server booted.
    Login to HQ at: http://127.0.0.1:7080/
Note: All physical servers and virtual machines on which the Hyperic agent is to be deployed must have a unique host name (/etc/hostname), and that host name must be mapped to the machine's IP address in /etc/hosts.

Checks before deploying an agent:
    Check that the machine can ping the machine where the Hyperic server is installed.
    Check that the agent machine can connect to the server's port: telnet <Hyperic Server Machine> 7080
    If a firewall blocks the connection, do not disable it; allow TCP port 7080 from the agent to the server, and TCP port 2144 from the server to the agent (the agent's listening port, see below).
    Check that Java is installed (the java command must work).
    Check that the JAVA_HOME environment variable is defined: echo $JAVA_HOME must display a value such as /usr/lib/jvm/java-6-openjdk/
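The host name and connectivity checks above are easy to get wrong on Debian-based hosts, where the installer maps the host name to 127.0.1.1 in /etc/hosts. The following is an added example (not from the manual or Hyperic): functions that resolve the host name through /etc/hosts the way the manual requires, reject loopback mappings, verify JAVA_HOME, and test the server port with nc instead of an interactive telnet. The sample hosts files in the demo are constructed; the port numbers are the ones given in this section.

```shell
#!/bin/sh
# Added example (not from the Meghdoot manual or Hyperic): pre-flight checks
# for a machine that is about to receive the Hyperic agent.

# hosts_ip_for HOSTNAME [HOSTS_FILE]
#   Print the address that HOSTS_FILE (default /etc/hosts) maps HOSTNAME to,
#   ignoring comments; prints nothing when there is no entry.
hosts_ip_for() {
    sed -e 's/#.*$//' "${2:-/etc/hosts}" | awk -v h="$1" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }'
}

# is_loopback ADDRESS -> 0 for 127.x.x.x or ::1
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# hyperic_hostname_check HOSTNAME [HOSTS_FILE]
#   0 when HOSTNAME maps to a non-loopback address, as the manual requires.
#   Debian installers write "127.0.1.1 <hostname>", which makes the agent
#   register with an address the HQ server cannot reach.
hyperic_hostname_check() {
    ip=$(hosts_ip_for "$1" "${2:-/etc/hosts}")
    if [ -z "$ip" ]; then
        echo "FAIL: no entry for $1 in ${2:-/etc/hosts}" >&2
        return 1
    fi
    if is_loopback "$ip"; then
        echo "FAIL: $1 maps to loopback address $ip; map it to the LAN address" >&2
        return 1
    fi
    echo "OK: $1 -> $ip"
}

# java_home_check -> 0 when JAVA_HOME points at a usable JDK/JRE
java_home_check() {
    if [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ]; then
        echo "OK: JAVA_HOME=$JAVA_HOME"
    else
        echo "FAIL: JAVA_HOME is unset or $JAVA_HOME/bin/java is not executable" >&2
        return 1
    fi
}

# hyperic_port_check SERVER [PORT]
#   Non-interactive replacement for "telnet SERVER 7080": 0 when the TCP port
#   accepts a connection, 1 when it does not, 2 when nc is unavailable.
hyperic_port_check() {
    server="$1"; port="${2:-7080}"
    if ! command -v nc >/dev/null 2>&1; then
        echo "nc not found; run: telnet $server $port" >&2
        return 2
    fi
    if nc -z -w 3 "$server" "$port" 2>/dev/null; then
        echo "OK: $server:$port reachable"
    else
        echo "FAIL: $server:$port not reachable; allow TCP $port to the server (and TCP 2144 back to this host) rather than disabling the firewall" >&2
        return 1
    fi
}

# Demo on this machine (only reads /etc/hosts and the environment).
if [ -r /etc/hosts ]; then
    hyperic_hostname_check "$(hostname)" /etc/hosts || true
fi
java_home_check || true
```

Run hyperic_port_check <Hyperic Server Machine> 7080 on the agent machine once the two host checks pass; all three must succeed before copying the agent directory in the next step.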
Synchronise the date and time between the Hyperic server machine and the agent machine; this is needed for generating graphs and for the accuracy of time-stamped data.

On the machine where the Hyperic server is installed, copy the directory /home/hyperic/agent-4.2.0.7 to the same location (/home/hyperic/agent-4.2.0.7) on the machine where the agent is to be deployed. Then execute the following commands in a terminal as root. The agent's data directory holds the identity of the agent it was copied from and must be emptied so that the new agent registers with the server afresh; the launch scripts only need to be executable (755), not world-writable (777).
    cd /home/hyperic/agent-4.2.0.7
    rm -rf data/*
    cd bin
    chmod 755 *.sh
    ./check_launch_agent.sh

To confirm that the agent has started, execute the following command as root:
    lsof -i :2144
    COMMAND PID   USER FD   TYPE DEVICE   SIZE/OFF NODE NAME
    java    19544 root 129u IPv4 14144078 0t0      TCP  *:2144 (LISTEN)

The agent log files are in /home/hyperic/agent-4.2.0.7/log.
Setting up Agent
Now you can log in to the monitoring tool. Open a browser and enter the URL
    http://<Cloud IP Address>:7080

The login page appears in the browser. The default user name and password are:
    hqadmin / hqadmin

Once you have logged in, change the default password: click the HQ link at the top right of the screen.
Now enter the password in the New Password and Confirm New Password fields and click OK.
The password of the user hqadmin is now changed. Click the Add-To-Inventory button in the Auto-Discovery frame; the screenshot is shown below.

Once a resource is approved it is added for monitoring. At first the agent reports details such as the system configuration and hardware to the Hyperic server; during this collecting phase the status is grey. The availability of each network service, and of each autogroup of network services, is indicated by an icon:
    Green - "Available": the service (or all of the services in an autogroup) is available.
    Yellow - "Warning": with few exceptions this state does not apply to an individual network service; the agent generally reports a service as either "Available" (green) or "Not Available" (red). The warning state is reported for an autogroup of network services and indicates that not all of the services in the group are available.
    Red - "Not available": the service (or all of the services in an autogroup) is not available.
    Grey - "Unknown": availability cannot be determined because the service was created but not configured correctly.

Availability Status
Once the resource has been added for monitoring and the collection phase is complete, the availability status changes to green.

Note: This is only a getting-started guide for installing and configuring Hyperic. For more details refer to http://support.hyperic.com/display/DOC/Installation+Requirements
Recently Added Resources
A recently added resource is shown on the dashboard under the Recently Added strip.

Monitoring Resources
Once the agent is installed and working, the details are displayed in graphical form as shown below.
2.3.6 Elasticity
Location of the Elasticity packages
The Elasticity server components and Elasticity agent components are located in the folder /home/elasticity as tar files.

First untar the ELASTICITY-SERVER package. The folder structure is as follows:
    ELASTICITY-SERVER
    |--- cloud.properties   Configuration file
    |--- db                 Code
    |--- jar                API jar files
    |--- schema             Database schema
    |--- start.sh           Shell script to start the Elasticity service on the server side once configuration is done
    |--- typica             Code

Restore the dump
The schema file is located inside the schema folder. Open a terminal, type pgadmin3 and execute the following statements in the SQL editor:

    CREATE TABLE elasticitydetails (
        ipaddress     character varying(15),
        instanceid    character varying(15),
        "time"        bigint,
        newinstanceid character varying(15)
    );
    CREATE TABLE terminatedinstancedetails (
        instanceid character varying(20),
        ipaddress  character varying(20),
        "time"     bigint
    );

Edit cloud.properties:
    accesskey=<Query ID of the admin account from the Cloud Host portal>
    secretkey=<Secret key of the admin account from the Cloud Host portal>
    ipaddress=<IP address of the Cloud Host>
    port=8773                (default) Cloud Host port number
    appport=8080             port used by the web application
    vmelasticityport=5678    (default) port used by the load balancer to communicate with the virtual machine
    jdbc.connection.url=jdbc:postgresql://localhost
    jdbc.databasename=postgres
    jdbc.username=postgres   (default)
    jdbc.password=<password for the postgres user>

The properties marked as default need not be changed. Because cloud.properties holds the admin account's secret key and the database password, make it readable by its owner only (chmod 600). Once configuration is complete, the Elasticity server service can be started: run start.sh (listed above) as root.

Once the service is started, the following log messages are printed. Note that the startup banner echoes the access key and the secret key in clear text, so the terminal output and any log file that captures it must be protected like cloud.properties itself.
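Because cloud.properties carries the admin account's secret key and the database password, and the service prints both at startup, a pre-flight check before running start.sh is worthwhile. The following is an added example (not from the manual): it verifies that every key listed above is present and non-empty, that the file is readable by its owner only, and prints the configuration with the two secrets masked so it can be shared safely. The required-key list and the mode policy are this example's assumptions; the sample file it writes for the demo contains placeholder values only.

```shell
#!/bin/sh
# Added example (not from the Meghdoot manual): pre-flight check for the
# Elasticity server's cloud.properties.

# Keys the manual lists for cloud.properties (this example's "required" set).
ELASTICITY_REQUIRED_KEYS="accesskey secretkey ipaddress port appport vmelasticityport jdbc.connection.url jdbc.databasename jdbc.username jdbc.password"

# prop_get FILE KEY -> value of KEY (first match; surrounding blanks removed)
prop_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# props_missing FILE -> one line per required key that is absent or empty
props_missing() {
    for k in $ELASTICITY_REQUIRED_KEYS; do
        [ -n "$(prop_get "$1" "$k")" ] || echo "$k"
    done
}

# props_mode_ok FILE -> 0 when group and others have no permission bits
props_mode_ok() {
    case "$(ls -ld "$1" | awk '{ print $1 }')" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# props_redacted FILE -> FILE with the secretkey and jdbc.password values masked
props_redacted() {
    sed -E 's/^([[:space:]]*(secretkey|jdbc\.password)[[:space:]]*=).*/\1********/' "$1"
}

# elasticity_props_check FILE
#   0 when every required key is set and FILE is owner-only; on success the
#   redacted configuration is printed (safe to paste into a ticket or log).
elasticity_props_check() {
    f="$1"; ok=0
    missing=$(props_missing "$f")
    if [ -n "$missing" ]; then
        printf 'missing or empty keys in %s:\n%s\n' "$f" "$missing" >&2
        ok=1
    fi
    if ! props_mode_ok "$f"; then
        printf '%s is readable by group/others; run: chmod 600 %s\n' "$f" "$f" >&2
        ok=1
    fi
    [ "$ok" -eq 0 ] && props_redacted "$f"
    return "$ok"
}

# write_sample_props FILE -> constructed cloud.properties in the manual's
# layout; every credential is a placeholder, not a real key.
write_sample_props() {
    cat > "$1" <<'EOF'
# constructed sample; every credential below is a placeholder
accesskey=AKEXAMPLE0000000000
secretkey=SKEXAMPLE00000000000000000000
ipaddress=192.168.10.1
port=8773
appport=8080
vmelasticityport=5678
jdbc.connection.url=jdbc:postgresql://localhost
jdbc.databasename=postgres
jdbc.username=postgres
jdbc.password=examplepassword
EOF
    chmod 600 "$1"
}

# Demo against a throw-away file.
demo=$(mktemp "${TMPDIR:-/tmp}/cloud.properties.XXXXXX")
write_sample_props "$demo"
elasticity_props_check "$demo"
rm -f "$demo"
```

On the server run elasticity_props_check on the real cloud.properties before start.sh; the same redaction should be applied to the startup log shown below before it is copied anywhere, since that log repeats the secret key verbatim.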
    /root/Desktop/cloud_src/ELASTICITY-LATEST-BUILD/ELASTICITY/ELASTICITYSERVER
    Info:
    AWSKey: XYSXYSXYSXYSXYSXYSXYSXYSXYSXYS
    Secret Key: SKEYSKEYSKEYSKEYSKEYSKEYSKEY
    Head Node IP Address: A.B.C.D
    Web Service Port: 8773
    VM Web App Port: 8080
    VM Intimation Port: 5678
    JDBC Connection URL: jdbc:postgresql://localhost
    JDBC DB Name: postgres
    JDBC User Name: postgres
    *************** Elasticity Server Side Service *********************
    NOTICE: Please Check whether the date and time in this Machine is synced with the Machine : A.B.C.D
    Service Running on Port : 6666
    Service Started @ Tue Aug 30 00:41:59 IST 2011
    ********************************************************************
    ELASTICITY_INFO: Waiting for connection....
Configuring the Elasticity Agent
The Elasticity agent needs to be bundled into the virtual machine image. The agent package, which will reside in the virtual machine, is located in /home/elasticity as a tar file. Untar the ELASTICITY-AGENT package; its folder structure is as follows:
    ELASTICITY-AGENT/
    `-- elasticity
        `-- ramcode
            |-- client
            |-- elasticity_agent.sh
            `-- lib                 Elasticity agent service API files
Open the configuration file and enter the IP address of the load balancer. Avoid spaces, new lines and similar characters. The following command writes the IP address of the load balancer into the file:
    echo <IP ADDRESS of the Load Balancer> > loadbalancer.properties
(echo appends a trailing newline; if the agent rejects the file, write it with printf '%s' instead.)

Deploying the Elasticity-Agent package inside the virtual machine image
The virtual machine image is supplied on the DVD. Open a terminal and execute the following commands as root:
    mkdir temp-mnt
    mount -o loop debian.img temp-mnt/
    mount -o bind /proc temp-mnt/proc
    mount -o bind /sys temp-mnt/sys
    mount -o bind /dev temp-mnt/dev

Copy the ramcode folder into the elasticity folder of the mounted image. Now open another terminal.

Go back to the previous terminal and execute the following commands; the paths are those inside the image (the /proc, /sys and /dev bind mounts above are what working inside the mounted image requires):
    cd /root/.elasticity/ramcode
    chmod 755 elasticity_agent.sh
    cp elasticity_agent.sh /etc/init.d
    update-rc.d elasticity_agent.sh start 24 2 .
The script runs as root at boot, so it must be executable (755) but never world-writable (777).
Also deploy your web application inside the virtual machine image, so that these services are started once the virtual machine boots. Log messages can be found in /var/log/elasticity.log.

Once deployment of the services is complete, stop all processes started inside the virtual machine image and, as root, undo the mounts above in reverse order (the bind mounts first, then the image).

Bundling and uploading the virtual machine image to the cloud
Now bundle and upload the virtual machine image to the cloud. This generates an image ID starting with emi- (Eucalyptus Machine Image). Then launch the virtual machine image via the euca2ools utility.
Chapter 3
Portal
In the address bar of the browser type the following:
    http://<Your-IP-Address>:5454/cloudportal

The default user name is admin and the password is admin; after logging in, reset the password. If you already reset the password while configuring the cloud, use that password to log in to the portal.
3.2 Security Console
Select the Security Console tab and click WAF Console to proceed to the following screen. The default user name is admin and the password is admin; change it after the first login (see the WAF-Console configuration above).

Select the Security Console tab and click HIDS Console to proceed to the following screen.
After specifying the instance name, type and OS, click Proceed to reach the Key Pair screen.

Key pair generation has two options. For a first IaaS request select New and click Create to generate a key pair.
The user can also select the Use Existing option and click Proceed.

The software configuration screen then appears; it is optional. The user can select a web server, application server and database server if needed. After clicking Proceed, the configuration details screen appears as follows.
The user can select Web Server, App Server and DB Server. The instance type must also be specified, along with the URL name and the Elasticity option; click Create to launch the application.

Select the Resource Request tab and then SaaS.

Select the Resource Request tab and then Volumes; under Volumes, click List Volumes.
The user can create volumes by selecting the size, the availability zone and the volume snapshot option.
The user can also attach or detach a volume by clicking Attach or Detach under Volumes.

The user can also create a snapshot of a created volume.
3.4 Resource Info
Select the Resource Info tab and then Service Status: the status of the cloud components can be viewed here.

Select the Resource Info tab and then Monitor: the user can monitor resources, instances and applications.
Select the Resource Info tab and the Billing Info option to view billing information for infrastructure, storage and applications.

3.5 User Info
Select the User Info tab and click User List for the list of users registered in the cloud and of users waiting for approval.

Select the User Info tab and click Edit to update user information.
Select the User Info tab and click Change Password to update the password.
3.6 Administration
The Administration tab has the options Manage Contents, Manage Elasticity and Manage Metering, for updating portal contents, the Elasticity configuration, and metering for software and applications.

For the Elasticity configuration the administrator can set the maximum and minimum thresholds, the load balancer IP and the number of instances.

Manage Metering covers infrastructure and platform. For the infrastructure configuration the instance type, pulse rate and amount must be specified.
For the platform configuration the type, component, pulse rate and amount must be specified.
Chapter 4
Troubleshooting
4.1 Meghdoot Log Files
    /var/www/cloudportallog/                              Portal logs
    /opt/eucalyptus/var/log/eucalyptus/cloud-error.log    Cloud logs
    /usr/share/dbdump.log                                 Database logs