This project is generously supported by Fractus . There is a single account that is shared among all the CS6410 students. The approach to much of the set-up is based on this fact.

Note: Fractus is behind the firewall of the CS Department. You need to use the Cisco VPN to access the machines. After installation, to connect ensure the following settings:

• Connect to: cuvpn.cuvpn.cornell.edu
• Group: CornellVPN
• Username: netid@en-cs-vpn-acad
• Use the same password for signing into your university account

Academic Integrity applies to all aspects of this course. Because we will all be sharing a single Fractus account, it will be possible (with some effort) for students to decrypt and read one another's Fractus machine image files, or to steal one another's static content files. This is not fundamentally different from the bad old days when CS programming projects were done on a batch computing system and printouts were delivered in sorted piles in public terminal rooms. The University's Academic Integrity Policy applies to everything we put into Fractus, and you are expected to follow this policy scrupulously.

Also as a consequence of sharing a single account, the instructions are not going to be comprehensive. Meaning, a student would have to take many additional steps to be able to stand up a Fractus cluster with this infrastructure. However, this process will give students familiarity with some parts of the process. Therefore, we will need to modify some of the procedures from the documentation so different students' projects will not interfere with one another. Our conventions are defined as follows:

• Authentication for Fractus operations requires either

  • a KeyID and a Secret Key, or
  • an Account ID together with Private Key and X.509 Certificate files in .pem format.

  This nominally "secret" information must be known by every CS6410 student. It is not provided in this (public) document; instead, it is available for download from CMS as part of MP 0. Effectively, we are relying on CMS authentication to restrict the Fractus account information to registered CS6410 students.

• Some Fractus resources are in either global or Fractus-account-wide name spaces. We have defined naming conventions for these resources. Here are the conventions regarding the Fractus compute service:

  • Virtual Machine Image: A machine image is a static file on disk that contains (at least) a bootable root partition. In this class, we will use the same machine image to create virtual machine instances. The image we will use is emi-F528A6E4. The EMI name is ubuntu-12-04-ebs and the root device is of type EBS.

  • Instance Name Prefixes: These should be chosen to be unique by including your netid and then appending whatever descriptive name you want according to the pattern:

    vm-netid-description

    for example:
    • vm-ks2232-mp1
    • vm-ks2232-libasync
    • vm-ks2232-fuse
    
    Each virtual machine name prefix occurs as a prefix of each of the (many) instances. Thus, the naming convention will make it possible for students to keep more than one VM.

  • Choose keypair names using the pattern:

    kp-netid-description

    for example:
    • kp-ks2232-0
    • kp-ks2232-libasync
    
    Keypair names are used in the Eucalyptus API and have to be unique across the shared account.

  • Security groups are similiar. Choose group names using the pattern:

    gp-netid-description

  To help things work smoothly with so many users sharing the same Fractus account, we ask you to adhere scrupulously to the above conventions.

  One important thing you should observe is to mark whether you are using Fractus in a shared document. The link for the document can be found in CMS. Because we have a limited shared budget to use Fractus, we don't want idle instances to be running and using the shared budget. It is your responsibility to stop the instance after use. However, as a backup plan we ask you to mark the document, so that the TA can regularly check whether instances not being used are running. Such instances running without the usage indication in the shared document can be stopped without prior notice.

  2. Downloading and Installing Eucalyptus Account Information

  To get the shared Eucalyptus account information, log on to CMS go to mp0 and download the file account-info.txt and the zip file. Open the file in a text editor and follow the instructions you see there. At the conclusion, you should be able to run:
  $echo EC2_CERT
  This code should produce a absolute path to a Base64 encoded DER certificate (.pem file). Output should match the documentation in the file.

  3. Getting Started with Eucalyptus

  Documenting enviornment set-ups is one of the most important parts of being able to reproduce an experiment. We will be installing euca2ools version 3.x. Instructions can be found HERE. Regardless of which installation method used, be sure that supporting executables (such as git, pip, or gzip) are installed.

  3.1. Running an Instance

  As per our convention, you should use a netid-specific name following our naming conventions; for example,

  kp-netid-xxx

  where the netid part should be replaced by your own netid, and xxx is a postfix that helps you identify the key. The logon step where you connect to your instance requires an ssh flag that takes the name of this file as an argument. Therefore, put it someplace where you can find it. For example:
  $ euca-create-keypair kp-ks2232-test > ~/.euca/fractus/id-rsa-kp-ks2232-test
$ chmod 600 ~/.euca/fractus/id-rsa-kp-ks2232-test


  Again, the name you use for this file is arbitrary, but you need some convention that will enable you to remember the name of the RSA private key file associated with each of your Eucalyptus keypair names. SSH has been noted to refuse using public keys unless the file permissions are set apropriately (e.g. on UNIX the command chmod 600 ~/.euca/fractus/id-rsa-kp-ks2232-test should do the trick). To debug your ssh connections, use the -v or -vv flag.

  If the error "No ec2 endpoint given... populates. DO NOT PANIC.. This is simply a matter of the environment being disturbed. Rerun: $ source ~/.euca/fractus/eucarc . This should resolve the issue.
  
  

  The Network Security Group is another important issue that is not well covered in the Eucalyptus documentation. Every Eucalyptus instance runs in a named security group that you specify when you start the instance. The security group has a set of firewall rules that control network connectivity between instances in the group and instances outside it.

  If you start an instance without explicitly specifying a security group, the instance runs in a predefined group named "default". Clearly, it would be a Bad Idea for concurrent users of a shared account to have instances running in the (same) default security group; so we use the naming convention described above for security groups. You should create a new security group for the remainder of this exercise using a command like

  $ euca-create-group gp-netid-xxx -d "yyyyyyyy"
  

  Where as above you should replace netid by your own netid, xxx by a string to make the security group name unique among all the security group names you define, and yyyyyyy by a short description of this security group as in the following:

  $ euca-create-group gp-ks2232-test -d "test group for getting started"

  You can check to make sure this worked by typing

  $ euca-describe-groups gp-netid-xxx
          or just
  $ euca-describe-groups
  which will list all groups that have been defined by anyone using the shared account.

  It is now time to start our instance. The command is as follows:

  $ euca-run-instances emi-F528A6E4 -g gp-ks2232-test -k kp-ks2232-test -z fractus
  starts an instance in the specified group gp-ks2232-test. The Eucalyptus Machine Image used in the example is called . For a complete list of available images, you can run the euca-describe-images command. In general we will provide you with an image that containsM all the libraries required for the mini-project assignments -- emi-F528A6E4 is one such image and you can use this image for the current mini-project. Before you actually start the instance please mark in the shared document (link provided in CMS) that you are starting to use Eucalyptus.

  In the next step, "Authorizing Network Access," you need to specify your group name in place of "default".

  $ euca-authorize gp-ks2232-test -P tcp -p 22   -s   0.0.0.0/0
$ euca-authorize gp-ks2232-test -P tcp   -p   80 -s 0.0.0.0/0
Opens the standard TCP ports from any address (0.0.0.0/0) for ssh (22) and HTTP (80) in the group gp-ks2232-test.

  At this point, you should be able to connect to your instance via the ssh command. Again, this command uses the name of the RSA private key file you saved when you created your Eucalyptus keypair, and the external network address assigned to your running instance. To identify your instance, run the $ euca-describe-instances to find the addresses indicated by .xx.xx in the example below:

  ssh   -i   ~/.euca/fractus/id-rsa-kp-ks2232-test   root@128.84.xx.xx
  "Congratulations!" You have started and connected to an instance! However, we are not finished.

  DO NOT go away without remembering to shut down your instance -- the CS6410 course account is charged for the instance for as long as it continues to run.

  4.2. Cleaning Up

  Don't leave any Eucalyptus instances running!

  The command: $   euca-describe-instances --filter key-name=kp-netid-xxx will show you a list all running instances using your key. You can then stop them by running $ euca-stop-instances   i-nnnnn ...
  Also return to the shared document and unmark your Eucalyptus usage status. Please don't forget to do these steps.

  5. What to Submit?

  You don't have to submit anything. But after the deadline, we will check if you have created the keypair, security group, and VM instance successfully. So make sure to leave your work correctly named with your NetID.

  6. End of MP 0_a

  At this point, this subproject is complete. Once again, this was only a peek into the Eucalyptus API. For a more thorough breakdown of the API, installation, or associated guides, please go HERE. Let it be noted, these documents refer to a more current version of Eucalyptus than is installed on our Fractus cluster. Nevertheless, these documents can be of some use to interested parties.