HP CloudSystem Foundation Administrator's Guide
HP CloudSystem 8.0 Administrator Guide
Abstract
This information is for use by administrators using HP CloudSystem Foundation and Enterprise Software 8.0, who are assigned
to configure and provision compute resources for deployment and use in virtual data centers. This guide provides instructions
on using the CloudSystem Foundation Console and Portal user interfaces, as well as introducing the CloudSystem command
line interface. Built on OpenStack technology, CloudSystem supports most OpenStack Havana functionality available in Nova,
Keystone, Neutron, Cinder, Glance, and Horizon components. This guide describes limitations on this OpenStack functionality
in this software release. Additionally, this guide provides information necessary to configure the full use of CloudSystem
Enterprise.
HP Part Number: 5900-3376
Published: March 2014
Edition: 1
© Copyright 2014 Hewlett-Packard Development Company, L.P.
Microsoft® and Windows® are U.S. registered trademarks of the Microsoft group of companies.
Red Hat® is a registered trademark of Red Hat, Inc. in the United States and other countries.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express
warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions contained herein.
The open source code used by HP CloudSystem is available on the HP web at http://www.hp.com/software/opensource.
Contents
I Understanding HP CloudSystem...................................................................11
1 Welcome to HP CloudSystem Administrator Guide....................................12
Features............................................................................................................................13
2 Concepts and architecture.....................................................................15
How it works.....................................................................................................................15
Associated appliances...................................................................................................16
Storage........................................................................................................................17
Physical servers.............................................................................................................17
User authentication........................................................................................................17
OpenStack technology...................................................................................................18
CloudSystem Foundation at a glance....................................................................................18
CloudSystem Foundation components..............................................................................18
Networks in CloudSystem Foundation..............................................................................19
Network tasks and user roles.....................................................................................20
CloudSystem Enterprise at a glance......................................................................................20
CloudSystem Enterprise components................................................................................20
3 Security in CloudSystem.........................................................................22
Best practices for maintaining a secure appliance..................................................................22
Enabling or disabling authorized services access...................................................................24
Restricting console access...................................................................................................24
Best practices for browser use..............................................................................................24
Managing certificates from a browser...................................................................................25
Self-signed certificate.....................................................................................................25
Protecting credentials..........................................................................................................25
4 Installation...........................................................................................27
5 Navigating the CloudSystem Console GUI...............................................28
About the graphical user interface........................................................................................28
Use the banner and main menu to navigate..........................................................................29
About Activity....................................................................................................................29
About alerts.................................................................................................................30
About tasks..................................................................................................................31
About the Activity sidebar..............................................................................................31
Activity states................................................................................................................31
Activity statuses.............................................................................................................32
Icon descriptions................................................................................................................32
Status and severity icons................................................................................................32
User control icons..........................................................................................................33
Informational icons........................................................................................................34
Browser requirements.........................................................................................................34
Required browser plug-ins and settings.............................................................................34
Supported browser features and settings..........................................................................34
Search resources................................................................................................................35
6 Support and other resources...................................................................37
Information to collect before contacting HP............................................................................37
Understanding the audit log...........................................................................................37
Download audit logs.....................................................................................................38
Create a support dump file.............................................................................................39
Enable or disable services access....................................................................................40
Contents 3
How to contact HP.............................................................................................................41
Registering for software technical support and update service..................................................41
HP authorized resellers.......................................................................................................41
Documentation feedback....................................................................................................41
Related information............................................................................................................41
HP CloudSystem documents............................................................................................42
HP Software documents.................................................................................................42
Finding documents on the HP Software Product Manuals web site...................................42
HP Insight Management documents.................................................................................43
Third-party documents....................................................................................................43
HP 3PAR StoreServ Storage documents............................................................................43
Finding documents on the HP Support Center web site..................................................43
HP ProLiant servers documents........................................................................................44
II CloudSystem Foundation appliances management........................................45
7 Manage the Foundation appliances........................................................46
About managing the appliance...........................................................................................46
About Foundation appliance settings....................................................................................46
Viewing Foundation appliance settings............................................................................46
Change the appliance host name, IP address, subnet mask, or gateway address...................46
Change the DNS server.................................................................................................47
About backup and restore operations for CloudSystem Foundation...........................................47
Shut down the appliance....................................................................................................47
Restart the appliance..........................................................................................................47
Reboot Foundation appliances.............................................................................................48
Update Foundation appliances............................................................................................48
Disassemble a CloudSystem installation................................................................................50
8 Manage users and groups.....................................................................52
About user roles.................................................................................................................52
Add a fully authorized local user (Infrastructure administrator)..................................................53
About directory service authentication..................................................................................53
Configuring CloudSystem to use Active Directory or OpenLDAP directory authentication..............55
Add a directory service..................................................................................................55
Determining search context when editing a directory.........................................................56
Editing Active Directory search context........................................................................56
Editing OpenLDAP search context...............................................................................57
Limitations: Directory tree...........................................................................................58
Limitations: Directory schema.....................................................................................58
Add a directory server...................................................................................................58
Add a directory group...................................................................................................59
Set an authentication directory service as the default directory............................................60
Allow local logins..............................................................................................................61
Disable local logins............................................................................................................61
Reset the administrator password.........................................................................................61
9 Manage licenses..................................................................................63
About licenses...................................................................................................................63
License keys..................................................................................................................64
Managing license compliance........................................................................................65
Add a license key to the appliance......................................................................................65
License key format..............................................................................................................65
View license details............................................................................................................66
10 Manage security.................................................................................67
Access to the appliance console..........................................................................................67
4 Contents
Downloading and importing a self-signed certificate...............................................................67
Verifying a certificate.........................................................................................................68
III Resource configuration in CloudSystem Foundation.......................................69
11 Overview: Configuring compute resources..............................................70
Configuring cloud resources................................................................................................70
Maximum supported configuration values for each CloudSystem .............................................71
12 Network configuration.........................................................................73
About Cloud Networking....................................................................................................73
Cloud Management Network.........................................................................................73
Can I edit cloud networking after compute nodes are activated?.........................................73
Edit Cloud Networking..................................................................................................73
About Provider Networks....................................................................................................74
Provider networks in the cloud.........................................................................................74
Managing provider networks..........................................................................................74
Add Provider Network...................................................................................................74
Delete Provider Network................................................................................................75
About Private Networks......................................................................................................76
Private Networks in the cloud..........................................................................................76
Managing private networks............................................................................................76
Understanding private networks data..........................................................................76
Add VLAN IDs ........................................................................................................76
Delete Private Network VLAN....................................................................................77
About the External Network................................................................................................77
Configuring the External Network....................................................................................77
Creating the External Network subnet.........................................................................77
Creating an External Network router...........................................................................79
Assigning floating IP addresses to instances.................................................................79
13 Integrated tool connectivity and configuration.........................................81
Managing integrated tools..................................................................................................81
HP Operations Orchestration Central....................................................................................81
Using OO Central workflows..........................................................................................81
VMware vCenter Server......................................................................................................82
Register VMware vCenter Server.....................................................................................82
14 Image management.............................................................................84
About Images....................................................................................................................84
Images in the cloud.......................................................................................................84
Managing images.........................................................................................................84
Image metadata.......................................................................................................85
Can I delete images after they are provisioned?...........................................................85
Creating and obtaining images...........................................................................................85
Setting custom attributes on Microsoft Windows images.....................................................85
Create image from a snapshot of a virtual machine...........................................................86
Add Image.......................................................................................................................86
Edit Image........................................................................................................................87
Delete Image.....................................................................................................................88
15 Storage configuration..........................................................................89
Managing Storage.............................................................................................................89
Managing block storage drivers......................................................................................89
Understanding block storage drivers data....................................................................89
Add Block Storage Drivers..................................................................................................89
Edit Block Storage Drivers...................................................................................................90
Delete Block Storage Drivers................................................................................................91
Contents 5
About volume types............................................................................................................91
How are volume types used?..........................................................................................91
Managing volume types.................................................................................................91
Understanding volume types data...............................................................................91
What is the benefit of thin provisioning?......................................................................92
Add Volume Types........................................................................................................92
Edit Volume Types.........................................................................................................93
Delete Volume Types......................................................................................................93
About Volumes..................................................................................................................93
Managing Volumes.......................................................................................................93
Understanding Volumes data.....................................................................................94
Create volumes in the CloudSystem Portal.........................................................................94
Attach a volume to a VM instance in the CloudSystem Portal...............................................94
Delete Volumes.............................................................................................................95
16 Compute node creation........................................................................96
Preparing compute nodes...................................................................................................96
Creating ESX compute hypervisors.......................................................................................96
Configuring networks.........................................................................................................97
Configuring security groups for instances in an ESX cluster......................................................98
Configuring iSCSI on ESX compute hosts..........................................................................98
Configuring networking for the VMkernel.....................................................................98
Setting the discovery address and target name of the storage system...............................98
Creating KVM compute nodes.............................................................................................99
Applying CloudSystem requirements to the KVM compute node...........................................99
Creating a local YUM repository and validating dependencies......................................99
Configuring CloudSystem compute node network settings............................................101
17 Compute node management...............................................................103
About Compute Nodes.....................................................................................................103
Compute nodes in the cloud.........................................................................................103
Managing compute nodes...........................................................................................103
Can I delete compute nodes from the cloud?..............................................................103
Understanding compute node data...........................................................................104
Adding compute nodes to the cloud..............................................................................104
Calculating the number of instances that can be provisioned to a compute node.................105
Import a cluster................................................................................................................105
Activate a compute node..................................................................................................105
Deactivate a compute node...............................................................................................106
Delete a compute node.....................................................................................................107
18 Virtual machine configuration for compute services................................108
About virtual machine instances.........................................................................................108
Managing virtual machine instances..............................................................................108
Start instance..............................................................................................................108
Reboot instance..........................................................................................................109
Delete instance...........................................................................................................109
About Flavors..................................................................................................................109
Flavors in the cloud.....................................................................................................110
Manage flavors..........................................................................................................110
Add Flavor.................................................................................................................110
Can I delete a flavor that was used to create an instance?................................................110
Delete Flavor..........................................................................................................111
19 Monitor resource use and allocation in CloudSystem Console.................112
About the Console Dashboard...........................................................................................112
Dashboard status indicators..........................................................................................113
6 Contents
Interpreting the Dashboard data........................................................................................114
Compute....................................................................................................................114
Network....................................................................................................................114
Storage......................................................................................................................115
IV Cloud service provisioning, deployment, and service management in
CloudSystem Portal....................................................................................116
20 Provision a cloud in Foundation..........................................................117
Launching a virtual machine instance in the CloudSystem Portal.............................................117
Create a security group................................................................................................118
Create a key pair........................................................................................................119
Create a Private network..............................................................................................119
Launching an instance using CloudSystem Portal.............................................................119
Create a volume to attach to an instance........................................................................120
21 Monitor and manage infrastructure services in CloudSystem Portal...........122
Monitoring allocation and usage in CloudSystem Console.....................................................122
V Understanding CloudSystem Enterprise......................................................123
22 About CloudSystem Enterprise............................................................124
About the Enterprise appliance..........................................................................................124
Enterprise in the cloud.................................................................................................124
Multitenancy in Enterprise............................................................................................125
23 Install Enterprise................................................................................126
Before installing Enterprise................................................................................................126
Install the Enterprise appliance..........................................................................................126
24 Enterprise appliance management......................................................128
Managing the Enterprise appliance....................................................................................128
Logging in and changing the default HP CSA and Marketplace Portal password......................128
Update the Enterprise appliance........................................................................................130
Uninstall the Enterprise appliance......................................................................................132
Enterprise appliance settings.............................................................................................132
Viewing Enterprise appliance settings............................................................................132
25 Cloud service provisioning and deployment in Enterprise.......................134
Using HP CSA to deploy virtual machine instances to the cloud..............................................134
Using HP CSA to create a design and deploy an offering......................................................134
Set up a template........................................................................................................135
Create a server group..................................................................................................135
Connect a network to the server group...........................................................................136
Create an offering.......................................................................................................136
Deploy an offering......................................................................................................137
VI Troubleshooting reference.......................................................................138
26 Use activities and alerts to troubleshoot errors.......................................139
Basic troubleshooting techniques........................................................................................139
Alerts do not behave as expected......................................................................................140
27 Troubleshoot the CloudSystem appliances............................................141
Troubleshooting the Foundation base appliance...................................................................141
You cannot log in........................................................................................................141
First-time setup............................................................................................................141
Appliance cannot access the network............................................................................142
Time differences among CloudSystem appliances and management hosts cause unpredictable
behavior....................................................................................................................142
Contents 7
Reboot appliance after serious error..............................................................................143
Cannot restart or shut down appliance...........................................................................143
Generated host name of the base appliance is sometimes visible......................................143
Audit log...................................................................................................................144
Cannot create a support dump file ...............................................................................144
Licensing....................................................................................................................144
Troubleshooting appliance update.....................................................................................145
Version error prevents appliance update.........................................................................145
Error occurs during update process................................................................................145
Troubleshooting users and groups......................................................................................146
Cannot log in to the CloudSystem Portal.........................................................................146
Cannot perform actions in the CloudSystem Console that affect resources in the CloudSystem
Portal ........................................................................................................................147
Cannot add, delete, or modify users in the CloudSystem Portal .........................................148
Users with names containing special characters cannot be assigned to projects ..................148
Changing the default directory from two sessions of the CloudSystem Console at the same time
does not update keystone.conf correctly.........................................................................148
Troubleshooting security settings.........................................................................................149
Directory service not available......................................................................................149
Cannot add directory service........................................................................................149
Cannot add server for a directory service.......................................................................150
Cannot add directory group.........................................................................................150
No error message is displayed after adding an invalid public key.....................................151
Unable to create a security group in CloudSystem Portal...................................................151
Unauthorized CloudSystem Portal users can see project resources......................................151
Troubleshooting the CloudSystem Portal appliance................................................................152
You cannot log in to the CloudSystem Portal....................................................................152
You are logged out of the CloudSystem Console while using the CloudSystem Portal............152
Resource information in the CloudSystem Portal does not always match the CloudSystem
Console.....................................................................................................................153
Virtual machine console cannot be accessed..................................................................153
Volumes search filter always returns the last created volume..............................................154
Volumes with duplicate names can be created................................................................154
28 Troubleshoot resource configuration.....................................................155
Troubleshooting networks..................................................................................................155
Cloud Management Network configuration fails due to a timeout occurring while creating
associated virtual machines..........................................................................................155
Software Defined Networking (SDN) issues....................................................................155
Cannot create a private network...................................................................................156
Cannot delete a private network in the CloudSystem Portal...............................................156
Cannot add a router with a port using the CloudSystem Portal or the OpenStack Neutron
CLI............................................................................................................................157
External Network information is not listed on the CloudSystem Portal..................................157
OpenStack Nova command errors................................................................................158
Floating IPs are not working..........................................................................................158
Changing the External Network address allocation pools fails...........................................159
Networks not recreated after management cluster or hypervisor reboot...............................160
Troubleshooting integrated tools.........................................................................................161
VMware vCenter Server must be configured with English as the default language ...............161
VMware vCenter Server registration does not succeed.....................................................161
You cannot log in to HP Operations Orchestration...........................................................161
HP Operations Orchestration Studio help link displays a blank screen................................162
Troubleshooting images....................................................................................................162
Add image action is unsuccessful..................................................................................162
8 Contents
Create image action is unsuccessful...............................................................................164
Edit image action is unsuccessful...................................................................................165
Image server storage configuration is unsuccessful...........................................................165
Base folder of the ESX cluster shared datastore may contain files related to unused images....165
Using the OpenStack Glance API to upload an image may not succeed when CloudSystem
Foundation is first installed...........................................................................................165
Troubleshooting storage....................................................................................................166
Increase 3PAR storage systems connection limit...............................................................166
Cinder block storage volume does not attach to virtual machine instance............................167
Cinder block storage volume does not establish an SSH connection with the 3PAR storage
system.......................................................................................................................168
Specifying a device already in use causes an error when attaching a volume......................168
Volume not associated with a volume type cannot be modified or deleted when the storage
driver is removed........................................................................................................169
Volume is in Error state when it is created without a block storage driver............................169
Unable to associate block storage driver with 3PAR storage system....................................169
Unable to delete block storage driver.............................................................................170
Unable to delete a volume type.....................................................................................170
Unable to edit a volume type........................................................................................170
Volume created with a failed block storage driver cannot be deleted .................................170
Volume status is mismatched between CloudSystem Console and CloudSystem Portal...........171
Renaming or changing the comment section in volumes with an “osv-” prefix in the 3PAR
storage system causes the volumes to become inoperable.................................................171
Block storage volumes may indefinitely remain in undesired state......................................171
Last iSCSI initiator configured for an ESX host is used for attaching a volume.......................171
Attaching an iSCSI volume to an ESX instance slows if degraded LUNs exist in vCenter
Server........................................................................................................................172
Volume state is not immediately updated when deleting a volume does not succeed............172
Block storage drivers Host CPG summary is not automatically updated...............................172
Troubleshooting compute nodes.........................................................................................173
Compute nodes do not appear on overview screen..........................................................173
Import cluster action does not complete..........................................................................174
Activate compute node action is unsuccessful..................................................................174
Deactivate compute node action is unsuccessful..............................................................176
Delete compute node action is unsuccessful....................................................................176
Red Hat netcf bug fix update corrects libvirt issues...........................................................176
Troubleshooting virtual machine instances...........................................................................177
Deployed instance does not boot..................................................................................178
Launch of first instance provisioned from ESX does not complete........................................179
Booted instances cannot get IP address in ESX environment with vCNS..............................179
Moving a virtual machine with an additional attached volume using vMotion in vCenter Server
does not succeed........................................................................................................180
Delete instance action only partially completes when compute node is unresponsive............180
Deleting an instance and removing it from the database may cause the instance to remain in
the Building state........................................................................................................181
Create instance runs indefinitely when the Foundation base appliance is rebooted..............181
Soft rebooting a “Shutoff” instance or instance in the CloudSystem Portal causes instance
error..........................................................................................................................181
Instance running on ESX compute node cannot be paused................................................181
Resizing an instance does not succeed when a volume is attached to the instance ..............182
Launching an instance results in error state ....................................................................182
29 Troubleshoot CLI errors......................................................................183
Troubleshoot csadmin.......................................................................................................183
Certificate verification errors.........................................................................................183
Contents 9
Host or proxy connection errors.....................................................................................184
csadmin --version does not display the correct version number...........................................184
Some options returned by csadmin –help are not supported..............................................184
30 Troubleshoot Enterprise......................................................................185
Troubleshooting the Enterprise appliance............................................................................185
Enterprise cannot communicate with Foundation after the Foundation network configuration is
changed....................................................................................................................185
Cannot see Enterprise installation progress.....................................................................185
Cannot create a design in HP CSA................................................................................186
Cannot provision a design with server groups connected to more than one volume group on
ESX compute nodes.....................................................................................................186
Cannot create a subscription with a volume group attached to a server group ....................186
Volumes are not presented when attaching a volume to a design.......................................186
Adding a server to a server group does not delete partially provisioned servers...................186
HP CSA does not clean up resources when a subscription does not succeed.......................187
Cannot create a subscription configured to create a new router.........................................187
Cannot create a template without a keypair ...................................................................187
Removing a volume group from a subscription does not succeed.......................................187
Some Cloud OS endpoints are visible but are not supported APIs for use by external clients...187
VII Appendices.........................................................................................188
A Enabling strong certificate validation in the CloudSystem Portal................189
Using OpenLDAP.............................................................................................................189
Using Active Directory......................................................................................................190
B Working with the csadmin CLI..............................................................192
Configure a CLI shell to ease secure access when using csadmin............................................192
Getting help for csadmin..................................................................................................192
Order of syntax for commands and arguments.....................................................................192
Optional arguments.....................................................................................................192
Required common arguments........................................................................................193
Optional common arguments........................................................................................193
Command syntax and examples........................................................................................193
C Supported console operations on the CloudSystem appliances.................199
Enable console access and set the password.......................................................................199
Using the CloudSystem appliances console.....................................................................199
Logging in to the appliance consoles........................................................................199
CloudSystem appliance console tasks.................................................................................200
D Limitations on support for OpenStack CLI commands...............................204
E Limitations on support for OpenStack functionality in the CloudSystem
Portal...................................................................................................210
10 Contents
Part I Understanding HP CloudSystem
1 Welcome to HP CloudSystem Administrator Guide
Virtual
machines
Networks
and
endpoints
Ephemeral
volumes
Compute
services
Network
services
Storage
services
Servers
HP Converged Infrastructure
Consumers
• Browse, request & manage
virtualized services
• Simple self-service portal
Administrator
• Manage resources and access
• Provision VM Hosts
Identity (Keystone)
users, projects, regions,...
Compute (Nova)
images, instances,
security groups, ...
Network (Neutron)
provider and private tenant
networks, endpoints, routing
Volumes (Cinder)
block storage for VMs
Resources
OpenStack
service offerings
Storage Networking
HP CloudSystem works in converged infrastructure environments and provides a software-defined
approach to managing the cloud. CloudSystem consists of two offerings:
• HP CloudSystem Foundation is based on the HP Cloud OS distribution of OpenStack Cloud
Software. It integrates hardware and software to deliver core Infrastructure as a Service (IaaS)
provisioning and lifecycle management of compute, network and storage resources. You can
manage CloudSystem Foundation from an administrative console, self-service portal, CLIs,
and OpenStack APIs. It provides an appliance-based deployment console to simplify installation
and maintenance, and an embedded version of HP Operations Orchestration (OO) for
automating administrative processes. See CloudSystem Foundation components (page 18) for
more information.
Figure 1 CloudSystem Foundation
• HP CloudSystem Enterprise expands on CloudSystem Foundation to integrate servers, storage,
networking, security, and management to automate the lifecycle for hybrid service delivery.
Template architects can use Enterprise to create infrastructure templates and offer them as
services in a Marketplace Portal. Users select services from a catalog and manage their
subscriptions. When a service is requested, Enterprise automatically provisions the servers,
12 Welcome to HP CloudSystem Administrator Guide
storage, and networking. Enterprise also includes an enhanced set of Operations Orchestration
Consumers
• Browse request & manage
virtualized services
Complex service
template
HP Servers
HP Storage
HP Networking
Resources
Compute
services
Network
services
Storage
services
Figure 2 CloudSystem Enterprise
Design, provision, and manage complex services with HP CloudSystem Enterprise
Administrator
• Manage catalog, subscriptions
and providers
Service Catalog
Public
cloud
services
Architects
• Design and publish
infrastructure and
applications services
• Topology and service
design tools
workflows. See CloudSystem Enterprise components (page 20) for more information.
Figure 2 CloudSystem Enterprise
Features
Features in CloudSystem allow you to:
• Easily install and upgrade CloudSystem, which is a set of virtual machine appliances connected
by multiple networks.
See CloudSystem Foundation components (page 18) and Monitor resource use and allocation
in CloudSystem Console (page 112).
• Manage the lifecycle of your infrastructure, including monitoring its health, using an
administrator user interface that simplifies adding and managing cloud services.
See Monitor resource use and allocation in CloudSystem Console (page 112) and About the
Console Dashboard (page 112).
• Create and activate compute nodes, which have software installed and configured that enables
the compute node to be added to the cloud.
See Compute node creation (page 96) and Compute node management (page 103).
• Configure provider networks, which allow you to connect pre-existing physical networks to
the cloud, and private networks, which allow groups of users to share private resources
exclusively inside their virtual data center or cloud.
See Network configuration (page 73).
• Configure virtual server storage to connect 3PAR storage systems to compute nodes.
See Storage configuration (page 89).
• Create, upload, and manage operating system images. A created image is a snapshot of an
active instance. You can also track which images are in use and on which virtual machines.
See Image management (page 84).
Features 13
• Define and configure virtual machines. The number of CPUs and amount of memory to assign
to a virtual machine is designated by selecting the flavor (instance type) to associate with a
virtual machine.
See Virtual machine configuration for compute services (page 108).
• Deploy virtual machine instances with VLAN networks and HP 3PAR virtual machine block
storage using the CloudSystem Portal.
See Provision a cloud in Foundation (page 117).
• Use HP Operations Orchestration workflows to automate operational tasks and processes.
See CloudSystem Foundation components (page 18).
• Install CloudSystem Enterprise. CloudSystem Foundation uses OpenStack technology to provision
and manage cloud services. CloudSystem Enterprise uses CloudSystem Foundation for appliance
management and provides added value through the user interface, capacity planning/analytics,
high availability, disaster recovery, and more.
See About CloudSystem Enterprise (page 124).
• For high availability, use the features of VMware vCenter Server when the cloud is deployed
on ESX clusters. For KVM, a CloudSystem white paper describes setting up an HA environment
on the management cluster in which CloudSystem runs.
• Use OpenStack API technology for portability and developer community access.
• Issue OpenStack commands for supported operations using a Windows or Linux client.
14 Welcome to HP CloudSystem Administrator Guide
2 Concepts and architecture
CloudSystem provides you with the flexibility of virtualized compute resources, networks, and
storage. With CloudSystem, you configure, manage, and deploy infrastructure services into a
cloud environment for access by your end users.
How it works
Figure 3 illustrates the relationship between CloudSystem Foundation, the Foundation virtual
appliances, CloudSystem Enterprise, and the underlying network infrastructure.
The CloudSystem Foundation base appliance includes a management console GUI and a web-based,
end-user portal that is built on OpenStack Horizon functionality. The base appliance includes the
data store for Glance images that can be used to build the compute virtual machines. The installation
of CloudSystem Foundation also includes the SDN appliance, the network node appliances, and
a vCenter Server proxy appliance.
From within the CloudSystem Console, you can install the Enterprise piece of CloudSystem. Enterprise
provides significant manageability and design tool extensions and cloud-bursting to multiple
providers through the HP CSA Cloud Service Management Console. Access to these services is
provided to end users through the Marketplace Portal. Once you install the Enterprise software,
you can move between Foundation and Enterprise user interfaces to manage, provision, and deploy
cloud services.
How it works 15
Figure 3 CloudSystem appliances and network infrastructure
See the HP CloudSystem Installation and Configuration Guide at the Enterprise Information Library
for an expanded discussion of network architecture and initial network configuration.
Associated appliances
The following appliances are automatically created after the Cloud Networking settings are saved.
For more information, see Networks in CloudSystem Foundation (page 19).
Software Defined Networking (SDN)
appliance
Network node appliances Manage network services, such as DHCP and L3 (routing)
16 Concepts and architecture
Manages the network infrastructure for the CloudSystem.
services, for provisioned virtual machines and provisioned
virtual networks. Three network node appliances are created
when the Cloud Networking settings are saved.
Storage
The following appliance is automatically created after an ESX cluster is imported. (No proxy
appliances are started in a KVM-only environment.)
Proxy appliance Acts as a communication mechanism between OpenStack technology
and VMware vCenter Server, and runs the OpenStack agents for up to
twelve clusters for each vCenter Server. Additional appliances are
automatically created when the number of new clusters added to the cloud
are reached. New proxy appliances are created with the first, 13th, and
25th cluster additions.
CloudSystem works with HP 3PAR StoreServ Storage, a cluster-based storage architecture that
incorporates data management and fault tolerance technologies that can meet the storage needs
of smaller sites and can be scaled for global organizations.
3PAR storage is required to create block storage for VM guests.
Storage for manually provisioned hypervisor hosts is more flexible, and can include local disks.
Virtual server storage
Virtual server storage connects the 3PAR storage system to virtual machine instances. Options
include:
• Fibre Channel Storage Area Network (FC SAN), which provides block-level storage that can
be accessed by the applications running on any networked servers
• Direct-Attach Fibre Channel Storage, a single-layer Fibre Channel storage network that
eliminates SAN switches and HBAs (host bus adapters)
• iSCSI, which is block-level storage that uses traditional Ethernet network components for
connectivity
Physical servers
Servers running an ESX cluster or a KVM hypervisor can be used as a management cluster, a
management hypervisor, or as compute clusters or nodes.
Management cluster or hypervisor Clustered or standalone hypervisors that host the virtual
machine appliances that comprise the CloudSystem solution.
There are three possible configurations:
• An ESX management cluster that hosts the virtual
machines running CloudSystem and its integrated tools.
• A standalone ESX management hypervisor that hosts
the virtual machines running CloudSystem and its
integrated tools.
See also Integrated tool connectivity and configuration
(page 81).
• A KVM management hypervisor that hosts the virtual
machines running CloudSystem software.
Compute nodes ESX clusters and KVM hosts that provide the pool of
User authentication
You can choose one of two methods of user authentication. If you use local logins, CloudSystem
provides local authentication for users authorized to access CloudSystem. The Infrastructure
administrator enters user data, which is saved in the appliance database. When anyone tries to
hypervisor resources used to provision virtual machine
instances.
How it works 17
access the CloudSystem Console or Portal, the login information entered is checked against the
user attributes stored in the database.
Alternatively, you can use an external authentication directory service (also called an enterprise
directory) to provide a single sign-on for groups of users instead of maintaining individual local
login accounts. Examples of an authentication directory service include Microsoft Windows Active
Directory or OpenLDAP (LDAP - Lightweight Directory Access Protocol).
For more information, see Security in CloudSystem (page 22) and Manage users and groups
(page 52).
OpenStack technology
CloudSystem software leverages the capabilities of multiple OpenStack technologies. Because of
this underlying functionality, you can use OpenStack CLI and API to configure compute resources,
and provision and deploy these resources to a cloud.
Table 1 OpenStack clients used in CloudSystem
CapabilityServiceClient
Block storage managementCinder
Compute resource managementNova
For additional information on installing and using the OpenStack CLI with CloudSystem software,
see the “Command line interfaces” appendix in the HP CloudSystem 8.0 Installation and
Configuration Guide at Enterprise Information Library.
The CloudSystem Portal is based on the Openstack Horizon client. Not all OpenStack features are
supported in this version of CloudSystem. For information on limitations, see Limitations on support
for OpenStack CLI commands (page 204) and Limitations on support for OpenStack functionality
in the CloudSystem Portal (page 210).
CloudSystem Foundation at a glance
HP CloudSystem allows you to prepare private cloud resources and deploy virtual machine instances
into this cloud. In CloudSystem Foundation, you use CloudSystem Console to configure cloud
resources for deployment. This includes creating images, establishing shared and private networks,
and configuring block storage. End users use the CloudSystem Portal to provision and manage
VMs, storage, and networks. This work includes managing virtual machine security, attaching
volumes, and launching virtual machine instances.
When you provision new subscriptions from CloudSystem Enterprise, new virtual machines, block
storage volumes, and networks are provisioned in CloudSystem Foundation. These resources are
visible in the CloudSystem Portal. If you modify them from the CloudSystem Portal, the changes
will not be reflected in the Enterprise Marketplace Portal.
Create, configure, and assign storage volumes and
volume types
Create, configure and store imagesImage managementGlance
Create users and manage user roles and credentialsIdentity managementKeystone
Configure Private (and External) networksNetwork managementNeutron
Manage virtual machine instances, flavors, and
images and deploy instances to a cloud
CloudSystem Foundation components
CloudSystem Foundation is the platform that you use to manage both Foundation and Enterprise
appliances. Foundation includes the following components, which run on virtual machine appliances
on the management cluster or hypervisor.
CloudSystem Console Web-based user interface for administrative tasks, including
18 Concepts and architecture
managing and monitoring the cloud and releasing resources
back to the cloud. From the console, you can activate
compute nodes, configure networks and storage, and
perform maintenance tasks on the Foundation and Enterprise
appliances.
CloudSystem Portal Web-based interface for creating, launching, and managing
virtual machine instances. The portal can be accessed by
appending /portal to the Foundation appliance URL (for
example, https://192.0.2.2/portal).
HP Operations Orchestration Operations Orchestration Central automates operational
tasks and processes using a set of predefined workflows.
OO Central is packaged with the Foundation appliance
and is launched from the Integrated Tools screen in the
CloudSystem Console. Enterprise integrates with OO Central
to support pre- and post-server group provisioning.
Operations Orchestration Studio is an optional tool for
customizing workflows, which is installed separately. The
OO Studio installation files are included with the
CloudSystem installation tar files. See the HP CloudSystem
Installation and Configuration Guide on the Enterprise
Information Library for more information.
Command line interface csadmin provides command line access for storage system
administrative tasks, private network VLAN management
tasks, appliance management tasks and console user
management tasks.
csstart deploys and configures the Foundation base
appliance on the management cluster or hypervisor. For a
more friendly user experience, launch the csstart GUI; or
you can run csstart from the command line.
Networks in CloudSystem Foundation
CloudSystem Foundation is built on OpenStack Networking technology. The underlying network
infrastructure is managed by a Software Defined Networking (SDN) appliance. Multiple network
node appliances manage network services, such as DHCP and routing. A vCenter proxy appliance
runs the OpenStack agents for use. All of these virtual appliances to support networking are
automatically created when CloudSystem Foundation is configured. You can use the CLI to access
and manage these appliances.
CloudSystem Foundation uses three types of networks:
• Private networks are restricted and can be accessed only by virtual machine instances assigned
to the network. See About Private Networks (page 76).
• Provider networksisc.prov.ntwks.name; are shared networks in the data center on which users
can provision any number of virtual machine instances. See About Provider Networks
(page 74).
• The External Network allows you to route virtual machine instances on Private networks out
from the CloudSystem private cloud to the data center, the corporate intranet, or the Internet..
See About the External Network (page 77).
See also How it works (page 15).
CloudSystem Foundation at a glance 19
Network tasks and user roles
The following table lists CloudSystem network tasks according to user roles and the interfaces used
to perform them.
Additional informationInterfaceUser RoleTask
and VLAN ranges that can
be assigned to Private
Networks
Network configuration
using supported APIs
instances
networks
either dedicated static IPs or
DHCP
Private networks from
outside of the cloud using
floating IP addresses
CloudSystem ConsoleInfrastructure administratorCreate pools of VLAN IDs
CloudSystem ConsoleInfrastructure administratorCreate Provider networks
CloudSystem PortalInfrastructure administratorComplete the External
Infrastructure administratorCustomize network offerings
Foundation base appliance
command line
CloudSystem PortalCloud userCreate routers to connect
CloudSystem PortalCloud userAccess instances that are on
About Private Networks
(page 76)
About Provider Networks
(page 74)
About the External Network
(page 77)
OpenStack Networking API
v2.0 Reference
OpenStack End User GuideCloudSystem PortalCloud userAttach Private networks to
OpenStack End User Guide
and Creating an External
Network router (page 79)
OpenStack End User GuideCloudSystem PortalCloud administratorManage IP addresses using
OpenStack End User Guide
and Assigning floating IP
addresses to instances
(page 79)
CloudSystem Enterprise at a glance
To install CloudSystem Enterprise, select the Enterprise screen on the main menu in the CloudSystem
Console and click Install CloudSystem Enterprise. After installation, the Enterprise screen in the
CloudSystem Console provides links to HP Cloud Service Automation and the Marketplace Portal.
You will continue to use the Foundation platform to perform appliance management tasks after
Enterprise is installed.
CloudSystem Enterprise components
Enterprise includes the following components:
HP CSA Cloud Service Management
Console
Marketplace Portal The Marketplace Portal provides a customer interface for
HP Cloud Service Automation orchestrates the deployment
of compute and infrastructure resources and complex
multi-tier application architectures. HP CSA and its user
interface, the Cloud Service Management Console,
integrates and leverages the strengths of several HP data
center management and automation products, adding
resource management, service offering design, and a
customer portal to create a comprehensive service
automation solution.
requesting new cloud services and for monitoring and
managing existing services, with subscription pricing to meet
your business requirements.
20 Concepts and architecture
Topology Designer and Sequential
Designer
The HP CSA graphical service design and content portability
tools simplify developing, leveraging, and sharing an array
of service offerings that can be tailored to your end users’
needs.
You can use two different designers to design new cloud
services with reusable service design templates.
• Use Topology Designer to create infrastructure service
designs.
• Use Sequential Designer to create more complex
application service designs.
The designs created through both designers appear as
service offerings that Marketplace Portal users can select
and provision.
CloudSystem Enterprise at a glance 21
3 Security in CloudSystem
CloudSystem security depends in part on the security level that you chose when you installed
CloudSystem Foundation and on your work practices. This chapter describes security concepts to
consider when working with browsers, certificates, and networks for secure communication and
transfer of data among the appliances, networks, and computes nodes in a CloudSystem virtualized
data center.
For additional information, see Manage security (page 67) and the HP CloudSystem Installation
and Configuration Guide on the Enterprise Information Library.
Best practices for maintaining a secure appliance
Most security policies and practices used in a traditional environment apply in a virtualized
environment. However, in a virtualized environment, these policies might require modifications
and additions.
22 Security in CloudSystem
The following table comprises a partial list of security best practices that HP recommends in both
physical and virtual environments. Differing security policies and implementation practices make
it difficult to provide a complete and definitive list.
Best PracticeTopic
Accounts
Certificates
• Limit the number of local accounts. Integrate the appliance with an enterprise directory solution
such as Microsoft Active Directory or OpenLDAP.
• Use certificates signed by a trusted certificate authority (CA), if possible.
CloudSystem uses certificates to authenticate and establish trust relationships. One of the most
common uses of certificates is when a connection from a web browser to a web server is
established. The machine level authentication is carried out as part of the HTTPS protocol, using
SSL. Certificates can also be used to authenticate devices when setting up a communication
channel.
The appliance supports self-signed certificates and certificates issued by a CA.
The appliance is initially configured with self-signed certificates for the web server, database,
and message broker software. The browser will display a warning when browsing to the
appliance using self-signed certificates.
HP advises customers to examine their security needs (that is, to perform a risk assessment) and
consider the use of certificates signed by a trusted CA. For the highest level of security, HP
recommends that you use certificates signed by a trusted certificate authority:
◦ Ideally, you should use your company's existing CA and import their trusted certificates. The
trusted root CA certificate should be deployed to user’s browsers that will contact systems
and devices that will need to perform certificate validation
◦ If your company does not have its own certificate authority, then consider using an external
CA. There are numerous third-party companies that provide trusted certificates. You will need
to work with the external CA to have certificates generated for specific devices and systems
and then import these trusted certificates into the components that use them.
As the Infrastructure administrator, you can generate a CSR (certificate signing request) and,
upon receipt, upload the certificate to the appliance web server. This ensures the integrity and
authenticity of your HTTPS connection to the appliance. Certificates can also be uploaded for
the database and message broker.
Network
Nonessential
services
Passwords
Roles
Service
Management
• Do not connect management systems (for example, the appliance, the iLO card, and Onboard
Administrator) directly to the Internet.
If you require access to the Internet, use a corporate VPN (virtual private network) that provides
firewall protection.
• The appliance is preconfigured so that nonessential services are removed or disabled in its
management environment. Ensure that you continue to minimize services when you configure
host systems, management systems, network devices (including network ports not in use) to
significantly reduce the number of ways your environment could be attacked.
• For local accounts on the appliance, change the passwords periodically according to your
password policies.
• Password contains between 8 and 40 characters
• The following special characters are not allowed:
< > ; , " ' & / \ | + =
• Clearly define and use administrative roles and responsibilities; for example, the Infrastructure
administrator performs most administrative tasks.
• Consider using the practices and procedures, such as those defined by the Information Technology
Infrastructure Library (ITIL). For more information, see the following website:
http://www.itil-officialsite.com/home/home.aspx
Best practices for maintaining a secure appliance 23
Best PracticeTopic
Updates
Virtual
Environment
• Ensure that a process is in place to determine if software and firmware updates are available,
and to install updates for all components in your environment on a regular basis.
• Most security policies and practices used in a traditional environment apply in a virtualized
environment. However, in a virtualized environment, these policies might require modifications
and additions.
• Educate administrators about changes to their roles and responsibilities in a virtual environment.
• Restrict access to the appliance console to authorized users. For more information, see Restricting
console access (page 24).
• If you use an Intrusion Detection System (IDS) solution in your environment, ensure that the solution
has visibility into network traffic in the virtual switch.
• Maintain a zone of trust, for example, a DMZ (demilitarized zone) that is separate from production
machines.
• Ensure proper access controls on Fibre Channel devices.
• Use LUN masking on both storage and compute hosts.
• Ensure that LUNs are defined in the host configuration, instead of being discovered.
• Use hard zoning (which restricts communication across a fabric) based on port WWNs
(Worldwide Names), if possible.
• Ensure that communication with the WWNs is enforced at the switch-port level.
Enabling or disabling authorized services access
When you first start up the appliance, you can choose to enable or disable access by on-site
authorized support representatives. By default, on-site authorized support representatives are
allowed to access your system through the appliance console and diagnose issues that you have
reported.
Support access is a root-level shell, which enables the on-site authorized support representative to
debug any problems on the appliance and obtain a one-time password using a challenge/response
mechanism similar to the one for a password reset.
Any time after the initial configuration of the appliance, you can enable or disable services access
through the UI by selecting Actions→Edit services access on the Settings window.
You can also use an appliance/settings REST API to enable or disable services access.
NOTE: HP recommends that you enable access. Otherwise, the authorized support representative
might be unable to access the appliance to correct a problem.
Restricting console access
For the virtual appliance, you can restrict console access through secure management practices
of the hypervisor itself.
For VMware vSphere, this information is available from the VMware website:
http://www.vmware.com
In particular, search for topics related to vSphere's Console Interaction privilege and best practices
for managing VMware's roles and permissions.
Best practices for browser use
• Enable SSL v3 and TLS.
SSL v2 is considered insecure and should not be enabled in the browser unless there is a
specific need for it.
• Enable cookies to store the authenticated user’s session ID.
24 Security in CloudSystem
• Always log out before closing the browser.
In the browser, a memory-based cookie stores the authenticated user’s session ID.
Memory-based cookies are deleted when you close the browser. When you log out, the session
on the appliance is invalidated.
• Avoid clicking links outside the appliance UI.
While logged in to the appliance, avoid clicking links in email or instant messages. The links
might be malicious and take advantage of your login session.
• Use separate browsers for appliance and non-appliance use.
Do not use the same browser instance (for example, separate tabs in the same browser) to
browse to other websites.
Managing certificates from a browser
A certificate authenticates the appliance over SSL. The certificate contains a public key, and the
appliance maintains the corresponding private key, which is uniquely tied to the public key.
NOTE: This section discusses certificate management from the perspective of the browser. For
information on how a non-browser client (such as cURL) uses the certificate, see the documentation
for that client.
The certificate also contains the name of the appliance, which the SSL client uses to identify the
appliance.
The certificate has the following boxes:
• Common Name (CN)
This name is required. By default it contains the fully qualified host name of the appliance.
• Alternative Name
The name is optional, but HP recommends supplying it because it supports multiple names
(including IP addresses) to minimize name-mismatch warnings from the browser.
By default, this name is populated with the fully qualified host name (if DNS is in use), a short
host name, and the appliance IP address.
NOTE: If you enter Alternative Names, one of them must be your entry for the Common
Name.
Self-signed certificate
The default certificate generated by the appliance is self-signed; it is not issued by a trusted certificate
authority.
By default, browsers do not trust self-signed certificates because they lack prior knowledge of them.
The browser displays a warning dialog box; you can use it to examine the content of the self-signed
certificate before accepting it.
Protecting credentials
Local user account passwords are stored using a salted hash; that is, they are combined with a
random string, and then the combined value is stored as a hash. A hash is a one-way algorithm
that maps a string to a unique value so that the original string cannot be retrieved from the hash.
Passwords are masked in the browser. When transmitted between appliance and the browser over
the network, passwords are protected by SSL.
Local user account passwords must be a minimum of eight characters, with at least one uppercase
character. The appliance does not enforce additional password complexity rules. Password strength
Managing certificates from a browser 25
and expiration are dictated by the site security policy. If you integrate an external authentication
directory service (also known as an enterprise directory) with the appliance, the directory service
enforces password strength and expiration.
26 Security in CloudSystem
4 Installation
A successful install and configuration of CloudSystem software depends on the preparation done
beforehand. See the HP CloudSystem Installation and Configuration Guide on the Enterprise
Information Library for the following information.
• Supported hardware and software configurations
• Preparations necessary prior to installing CloudSystem
• Network configuration details
• HP Operations Orchestration configuration
• Installing CloudSystem Enterprise
• Troubleshooting installation
• csstart command reference
• Configuring additional virtualization providers to work with CloudSystem Enterprise
27
5 Navigating the CloudSystem Console GUI
This chapter provides you with an overview of the GUI functions in the CloudSystem Console. More
information about using these features is located in the CloudSystem Console Help.
About the graphical user interface
The image shown below illustrates important areas in the CloudSystem Console graphical user
interface.
Figure 4 Screen components
1
Main menu: Access the primary resource management areas of the appliance for compute,
networking, and storage resources, and for appliance administration. (To see the main menu,
click in the gray area labeled CloudSystem Console.)
2
Search: Enter a search term. The Scope option allows you to restrict your search to the resource
you are on, or widen the search to all resources managed by the CloudSystem Console. (To
see the Scope selector, click on or near the word “Search”.)
3
Activity sidebar: View alerts and notifications generated by the appliance.
Click the Activity icon , then click the left or right pin icons to expand or collapse this
sidebar.
4
Session control: View the status of your login, or log out of the appliance.
5
Help sidebar: View links to online help and to recommended actions. Recommended actions
include tasks needed to configure the appliance or to prepare resources for provisioning to
a cloud.
Click the Help icon , then click the left or right pin icons to expand or collapse this
sidebar.
28 Navigating the CloudSystem Console GUI
6
Actions menu: Access the available actions that you can perform on a resource. Actions menus
contain only tasks that can be performed on a specific resource.
7
Details pane: View the details for the resource area you have open.
8
Master pane: Manage the display of information in the Details pane for each specific resource.
You can use filters and sorting to control the display of information.
Use the banner and main menu to navigate
Use the main menu to navigate through the resources and actions that the appliance provides.
To expand the main menu, click the in the banner at the top of the screen.
Figure 5 Main menu and top of page banner
The main menu provides access to resources and actions. The following figure shows the expanded
menu.
NOTE: Your ability to view a resource or perform an action depends on your role.
Figure 6 Main menu
About Activity
The Activity overview screen lists alerts and other notifications about activities occurring in your
cloud environment. You can filter, sort, and expand areas of the screen to refine how information
is displayed. Links within activity details enable you to view additional information about specific
resources listed.
Activity Screen components
You can use the screen areas shown below to monitor and interpret Activity data.
Use the banner and main menu to navigate 29
1
The default Activity view shows all active notifications. Use the filters and date range selectors
on the Filters menu bar to filter all stored notifications.
You can also click the icon to expand (or collapse) the filter banner, which contains the
same selection choices in a vertical presentation.
2
Click the icon to expand the view of a notification, or click the icon to collapse the view.
3
Click the link to view details about the resource associated with this notification. If multiple
events have sent the same notification, a count is given.
4
Type in the note box to add instructions or other information to this notification.
TIP: You can click and drag the lower right corner of the note box to expand the box for
better viewing or easier editing.
5
Click the icon to view more details about this notification.
6
Click the icon and select from the list to assign (or reassign) an Owner for this notification.
7
Use the Actions menu to assign, clear, or restore selected notifications.
About alerts
The appliance uses alert messages to report issues with the resources it manages. The resources
generate alerts to notify you that some meaningful event occurred and that an action might be
required.
An event is a single, low-level problem or change that occurred on a resource. Usually, events are
detected by an agent running either on the resource or on the appliance.
30 Navigating the CloudSystem Console GUI
Loading...