Written by Eugene Simos, Expert Oracle University Instructor
Whenever you want to deploy, create and manage Oracle virtual machines deployed to Oracle Cloud Services, you have several interesting options that can ease day-to-day administration and management tasks.
The most convenient approach is to use the graphical web console, which, depending on your security profile roles, lets you manage and monitor your Oracle Compute Cloud Service instances and the associated storage and networking resources.
Other tools, such as the REST API web service calls, the CLI for Oracle Compute Cloud Service and opc-init, can also be used to create, customize and automate your virtual servers on the Oracle IAAS infrastructure.
In this article we will use the Oracle Compute Cloud Service CLI to manage a simple IAAS infrastructure.
To run the examples and the provided scripts, you need an account for the Oracle Compute Cloud Service infrastructure and a Linux server where the Oracle Compute Cloud Service CLI will be installed. This is also the server from which you will access your Oracle IAAS services.
I used an OL6.8 virtual box (Linux part) and installed the CLI following these steps:
Download the CLI installation bundle (.zip file) from http://www.oracle.com/technetwork/topics/cloud/downloads/index.html#opccli
Unzip the CLI installation bundle.
Install the RPM file with yum (as a Linux administrator).
At the end of this yum installation procedure, the CLI is installed on your Linux server.
Some additional settings can be performed on your Linux server to simplify your scripts:
Store the REST API endpoint URL of your Oracle Compute Cloud Service site in an environment variable named OPC_API.
To get the REST API endpoint, you have to be logged into your Oracle Cloud account with the Web Console, switch to the service details view, and copy the REST Endpoint URL from the field shown in the image above.
Store your two-part user name (/Compute-identity_domain/user) in an environment variable named OPC_USER.
In my testing environment, the settings are:
export OPC_API="https://api-z17.compute.em2.oraclecloud.com"
export OPC_USER=/Compute-ouopc019/eugene.simos@oracle.com
You can store these variables either in your .bash_profile or in a plain text file, and load them before launching your scripts.
Store your Oracle Cloud Account password in a plain-text file on your Linux file system.
You can then specify this password file at the command line by using the -p flag. Make sure the password file isn't world-readable by changing its permissions to 600, otherwise your CLI script will fail:
chmod 600 /full/path/to/password/file
Make sure you have the appropriate roles to execute the CLI scripts (either of these will work):
- Compute_Operations can run all CLI commands
- Compute_Monitor can run only the get, list, and discover commands
An easy way to check this is to use the Web Console of your Oracle Cloud Account Service, switch to the user view, and then place the cursor over your account. A pop-up window will show the roles associated with your account:
Once these preliminary configuration settings are done, you will be able to use the CLI to create, manage and modify your Oracle Cloud Virtual Machines.
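The settings above can be verified before any script runs. The following preflight check is an added example, not part of the original article or of Oracle's CLI; the function names are hypothetical, and it assumes a POSIX shell with GNU or BSD stat.

```shell
#!/bin/sh
# Added example: preflight checks for the settings described above.
# Function names are hypothetical; nothing here calls oracle-compute.

# Print a file's octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the password file is a regular file (not a symlink)
# that grants nothing to group or others, for example mode 600 or 400.
check_password_file() {
    pwfile=$1
    if [ -L "$pwfile" ] || [ ! -f "$pwfile" ]; then
        echo "not a regular file: $pwfile" >&2
        return 1
    fi
    mode=$(file_mode "$pwfile") || return 1
    case "$mode" in
        0|*00) return 0 ;;
        *) echo "mode $mode on $pwfile is too open; run chmod 600" >&2
           return 1 ;;
    esac
}

# Succeed only if OPC_API is an https endpoint and OPC_USER has the
# two-part /Compute-identity_domain/user form.
check_opc_env() {
    case "${OPC_API:-}" in
        https://?*) ;;
        *) echo "OPC_API must be an https:// URL" >&2; return 1 ;;
    esac
    case "${OPC_USER:-}" in
        /Compute-?*/?*) return 0 ;;
        *) echo "OPC_USER must look like /Compute-identity_domain/user" >&2
           return 1 ;;
    esac
}
```

Call both functions at the top of a script and stop on failure before the first oracle-compute command.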
The character # in the following CLI scripts marks a comment:
# First create your ssh keys on your Linux server:
ssh-keygen -t rsa -b 2048 -C "Cloud key eugene" -P "" -f "/home/oracle/.ssh/id_rsa" -q
# Add your public ssh key to your Oracle Compute Cloud Service:
oracle-compute -p /home/oracle/Cloud_passwd add sshkey \
  /Compute-ouopc019/eugene.simos@oracle.com/adminkey ~/.ssh/id_rsa.pub -f json
Check that the key is uploaded to your account by using the Web Console.
# Retrieve your ssh key on your Linux server:
oracle-compute -p /home/oracle/Cloud_passwd get sshkey \
  /Compute-ouopc019/eugene.simos@oracle.com/adminkey -f json
Create your server(s) by creating, uploading and starting orchestrations.
Orchestrations define the attributes and interdependencies of collections of compute, network and storage resources for the Oracle Compute Cloud Service.
Orchestrations are written as JSON scripts, which gives you great administrative flexibility. Once they are uploaded to your Oracle Compute Cloud Service account, you can create/start/stop/remove all kinds of Oracle compute resources needed for your IAAS infrastructure.
An easy way to start is to create an Oracle Virtual Machine manually, then go to the Orchestration tab of your IAAS Compute services and download the generated JSON files to your local Linux server, where you can tailor them to fit your new orchestrations.
I have created a simple OL6 server, managed by a master orchestration, which then creates a storage and an associated Oracle image.
My orchestration JSON files are on my local Linux server; with the following CLI commands, I upload them to my account:
# add the orchestration:
oracle-compute -p /home/oracle/Cloud_passwd \
  add orchestration /home/oracle/cloud/eugeneOL671_storage.json -f json
oracle-compute -p /home/oracle/Cloud_passwd \
  add orchestration /home/oracle/cloud/eugeneOL671_instance.json -f json
oracle-compute -p /home/oracle/Cloud_passwd \
  add orchestration /home/oracle/cloud/eugeneOL671_master.json -f json
# start the orchestration, which creates and starts my Oracle Linux server:
oracle-compute -p /home/oracle/Cloud_passwd start orchestration \
  /Compute-ouopc019/eugene.simos@oracle.com/eugeneOL671_master -f json
# monitor the orchestration:
oracle-compute -p /home/oracle/Cloud_passwd get orchestration \
  /Compute-ouopc019/eugene.simos@oracle.com/eugeneOL671_master -F status,description
Then we have to enable network ssh access to our image from the public internet:
# security lists @ firewalls
# create security list
oracle-compute -p /home/oracle/Cloud_passwd \
  add seclist /Compute-ouopc019/eugene.simos@oracle.com/permitall \
  --policy permit --outbound_cidr_policy permit --description 'Permit in both directions'
Check again that this configuration has been created on your Oracle Compute account with the Web Console:
The same result can be obtained by using the CLI as:
# list sec lists
oracle-compute -p /home/oracle/Cloud_passwd \
  list seclist /Compute-ouopc019/eugene.simos@oracle.com -F name,policy,outbound_cidr_policy
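A list whose inbound policy is permit, like permitall above, accepts inbound traffic without a matching security rule, so it is worth reviewing which lists carry that policy. The following filter is an added example, not part of the original article; it assumes the -F output is a header row followed by whitespace-separated rows, and the sample listing in it is constructed.

```shell
#!/bin/sh
# Added example: report security lists whose inbound policy is "permit".
# Assumption: input is the output of
#   oracle-compute list seclist <container> -F name,policy,outbound_cidr_policy
# with a header row and one whitespace-separated row per security list.

# Constructed sample listing (not real output) for trying the filter offline.
sample_listing() {
    cat <<'EOF'
name policy outbound_cidr_policy
/Compute-exampledomain/user@example.com/permitall permit permit
/Compute-exampledomain/user@example.com/default deny permit
EOF
}

# Read a listing on stdin and print the name of every list with inbound
# policy "permit". Columns are located by header name, so field order does
# not matter. Exits 2 if the input is empty or lacks the needed columns.
audit_seclists() {
    awk '
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("name" in col) || !("policy" in col)) { bad = 1; exit }
            next
        }
        NF && $(col["policy"]) == "permit" { print $(col["name"]) }
        END { if (bad || NR == 0) exit 2 }
    '
}
```

Pipe the real listing into audit_seclists; any name it prints is a list that admits all inbound traffic to its instances.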
Then create a security IP list; this is a set of IP addresses or subnets external to the instances that you have to create in your Oracle Cloud Compute account.
This list will be used as a source or a destination when you define access rules (in our case it will be used to provide ssh access from the Linux box, over the public internet, to the Cloud Compute instance). By default, there are some IP lists predefined, but for the sake of this example, I have explicitly created a public IP range:
# create a security IP list
oracle-compute add seciplist /Compute-ouopc019/eugene.simos@oracle.com/sshhosts 0.0.0.0/0 \
  --description 'ssh hosts for the my cloud instances' -f json
Again, the verification of this setting can be done from
the Web Console:
Retrieve the vcable_id of the cloud instance that you want to add to the security list “permitall”:
oracle-compute -p /home/oracle/Cloud_passwd get instance \
  /Compute-ouopc019/eugene.simos@oracle.com/eugeneOL671/9a634738-b48a-453b-a082-46301d312833/02c24eee-ec82-426f-8fc7-cea9738a7f51 \
  -F vcable_id
The reply of the command is the vcable_id:
vcable_id
/Compute-ouopc019/eugene.simos@oracle.com/02ec31ea-4189-42f4-a68a-31f240aec227
We will use this value to get the IP of the instance as:
oracle-compute -p /home/oracle/Cloud_passwd list ipassociation \
  /Compute-ouopc019/eugene.simos@oracle.com \
  --vcable /Compute-ouopc019/eugene.simos@oracle.com/02ec31ea-4189-42f4-a68a-31f240aec227 \
  -f json
Then build a security association list.
A security association is a relationship between a security list and the vcable of an instance.
The vcable is an attachment point to a specific network interface of a cloud compute instance (virtual machine).
# create a security association between the permitall list and the vcable_id of our server:
oracle-compute -p /home/oracle/Cloud_passwd add secassociation \
  /Compute-ouopc019/eugene.simos@oracle.com/02ec31ea-4189-42f4-a68a-31f240aec227 \
  /Compute-ouopc019/eugene.simos@oracle.com/permitall -f json
Create a security rule.
This security rule will define network access from a set of external hosts (an IP list) to our cloud instance defined in a security list.
# create a sec rule to permit ssh traffic from the Internet to the mycloud seclist
oracle-compute -p /home/oracle/Cloud_passwd add secrule \
  /Compute-ouopc019/eugene.simos@oracle.com/publicssh \
  seciplist:/oracle/public/public-internet \
  seclist:/Compute-ouopc019/eugene.simos@oracle.com/permitall \
  /oracle/public/ssh permit --disabled false \
  --description 'Permit ssh traffic from the Internet to the mycloud seclist' -f json
Again, check the creation of this setting within the Web
Console:
And the last step is to connect to your Oracle Cloud
instance from your Linux box to a predefined opc account using your private
ssh key:
Conclusion:
By following a few simple steps, you can create, configure and start a cloud
instance by using simple scripting tools.
To learn more about the above process, register for this 3-day course:
Oracle Cloud IaaS: Compute and Storage Fundamentals
If there is no classroom training scheduled near you, try Oracle University's Live Virtual Class format. You can attend from anywhere with an internet connection.
Next: in future posts, I will demonstrate the ability to
configure and distribute software using Chef-Solo configurations.
About the Author
Eugene Simos is based in France and joined Oracle through the BEA-Weblogic acquisition, where he worked for the Professional Service, Support and Education for major accounts across the EMEA region. He worked in the banking sector, ATT and Telco companies, giving him extensive experience of production environments. Eugene currently specializes in Oracle Fusion Middleware, teaching an array of courses (Weblogic/Webcenter, Content, BPM/SOA/Identity-Security/GoldenGate/Virtualisation/Unified Comm Suite) throughout the EMEA region.