OpenStack Appliance Setup

To set up CloudCenter using appliances for OpenStack clouds, follow this process.

  1.  Prepare Infrastructure

    To prepare infrastructure for the appliance approach, follow this process.

    1. Download package files:

      See Installation Overview to understand the required components and the installation options.

      See Installer Overview to understand the types of files.

      1. SSH into the VM instance designated for this component by using the key pair that you used to launch the VM.
      2. Download the following required files for this component from software.cisco.com to the /tmp folder on that VM:

    2. Import the CloudCenter QCOW2 images into the OpenStack Console.
    3. Prepare to launch the image for each component. See Component Modes and Roles for additional context.

      1. Required:

        1. One CCM is required for each CloudCenter setup.

        2. One AMQP and CCO are required for each cloud region.

      2. Optional:
        1. A monitor for each CloudCenter setup
        2. An isolated Docker container
        3. A custom worker image

          You can use the out-of-box worker (Application VM) images. If you use custom application VM images, you do not need to launch the worker image.

    4. Launch the instance for each component using the imported images:
    5. Configure the security groups to associate with each VM. See Phase 2: Configure Network Rules for additional context. The next section in this process, Configure Network Rules, provides the minimum required network settings.

      Ensure that Port 22 is open to allow SSH access into the component VM.

    6. Select a new or existing key pair to log into each instance – if multiple key pairs are available, you must select one to be used for the CloudCenter instance.

      If you do not select a key pair, you will not be able to log into the component VM!


      • Select an existing key pair from your OpenStack console.

      • Import a new key pair – use the following authentication details to access the key pair information:

        • Username: centos

        • Key: The key used to launch the instance in the OpenStack console – use the following command to retrieve the key pair from your server and paste it in the OpenStack cloud console:

          After adding a Private Network to the instance, be sure to inject the key-pair correctly.

    7. Set up the hostname:
      1. Hostname – For all launched VMs, update the hostname.

        Don't change the hostname after you install and configure a component as it may cause unknown issues.

        Choose a hostname that matches the Role. For example:

        Example
      2. Set up hostname resolution – Once you update the hostname, ensure that the VM hostname is resolvable by running the following command:
        1. hostname -i
        2. If the VM name is not resolvable, edit the file /etc/hosts and add your VM’s hostname.
          For example:

          Example
      3. Network routing loopback:
        1. Refers to deployed CCMs that are running behind the Network Address Translation (NAT).
        2. This setup places a restriction on machines from internal networks to ensure that they do not use an external IP to access the CCM.
        3. To address this restriction, you must add a line to the CCO and AMQP server's /etc/hosts file and include the internal private IP of the CCM. For example: If the CCM DNS name is ccm.example.com and it is behind a NAT, and the internal private IP address is 192.168.20.5 and its external public IP address is 54.16.20.5, then enter the following line in the local /etc/hosts file:

          Example

          When configuring the CCM, the hostname used above (ccm.example.com) must match what you configure as the Public DNS while configuring CCM.

      4. Create the CloudCenter Descriptor JSON file:
        Once infrastructure has been set up for all the CloudCenter components, create a CloudCenter Descriptor JSON file that lists all the CloudCenter components with their modes and the IP addresses that correspond to infrastructure elements for each mode and role. This descriptor file is used for the network compliance check (Step #3). Following are a few sample descriptor files based on some common combinations of component modes.

        The overall file structure depends on factors such as the modes of the various components, the number of cloud regions, and the use of conditional/optional components and repos. Also, the region names used in the file should be unique, but do not need to match up with any cloud or datacenter names. These strings are merely used to perform network compliance checks and report results.

        Sample JSON File
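
Returning to the network routing loopback step above: the /etc/hosts mapping it describes can be checked on each CCO and AMQP VM before the components are configured. This is an added example, not part of the original page; the function names and sample file contents are constructed, and the addresses are the ones used in that step (ccm.example.com, internal 192.168.20.5, external 54.16.20.5).

```python
import ipaddress


def addresses_for(hosts_text, name):
    """Return every address that hosts-file content maps `name` to, in file order."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment-only line, or address without names
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field
        if name.lower() in (n.lower() for n in fields[1:]):
            found.append(addr)
    return found


def check_ccm_entry(hosts_text, ccm_dns, internal_ip, external_ip):
    """Classify the CCM mapping on a CCO or AMQP VM: ok, missing, external or conflict."""
    internal = ipaddress.ip_address(internal_ip)
    external = ipaddress.ip_address(external_ip)
    found = addresses_for(hosts_text, ccm_dns)
    if not found:
        return "missing"   # no hosts entry, so the name is resolved elsewhere
    if external in found:
        return "external"  # internal machines would be sent to the NAT address
    if any(addr != internal for addr in found):
        return "conflict"  # a second line maps the name to some other address
    return "ok"


# Constructed sample file contents built from the values in the step above.
GOOD = (
    "127.0.0.1    localhost localhost.localdomain\n"
    "192.168.20.5 ccm.example.com    # CCM behind NAT, internal private IP\n"
)
BAD_EXTERNAL = "127.0.0.1 localhost\n54.16.20.5 ccm.example.com\n"
COMMENTED_OUT = "127.0.0.1 localhost\n#192.168.20.5 ccm.example.com\n"
STALE_DUPLICATE = GOOD + "192.168.20.9 CCM.example.com\n"

if __name__ == "__main__":
    samples = [("good", GOOD), ("external", BAD_EXTERNAL),
               ("commented out", COMMENTED_OUT), ("stale duplicate", STALE_DUPLICATE)]
    for label, text in samples:
        print(label, "->", check_ccm_entry(text, "ccm.example.com",
                                           "192.168.20.5", "54.16.20.5"))
```

On a real VM, pass the contents of /etc/hosts as `hosts_text`; the name checked must be the same one configured as the Public DNS in the CCM wizard.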


  2.  Configure Network Rules

    In this phase, you must set up network rules to enable communication across various components.

    The network settings in this page provide the minimal port requirements for inter-component communication. In environments where all the components can communicate with each other via any port (typically POC environments or private datacenters), you can skip this phase.

    Production environments typically are secured by only allowing communication through the ports specified in this section.

    The tables in this section list the networking requirements for each Component Role.

    CCM Ports

    | Port | Direction | Remote Source | Notes |
    | --- | --- | --- | --- |
    | 80 | Ingress (optional) | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For HTTP to HTTPS redirection. |
    | | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
    | 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
    | | Ingress | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For UI/API access. |
    | 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
    | 5671 | Ingress/Egress (optional) | ESB API Communication | For two-way communication with the ESB AMQP module in the CCM. This port must be open if you need to establish programmatic access to the AMQP module – only required if you use the ESB functionality. |
    | 15672 | Ingress/Egress (optional) | ESB UI Communication | For two-way communication with the ESB AMQP module in the CCM. This port must be open if you need to establish access to the AMQP module from the AMQP UI – only required if you use the ESB functionality. |
    | 8443 | Ingress | CCO or CCO_LB | For two-way communication between the CCO and CCM VMs. Required for all Cloud Regions supported by your CloudCenter deployment. |
    | | Egress | CCO or CCO_LB | |
    | | Ingress (optional) | MON or MON_PRIMARY and MON_SECONDARY | For two-way communication between the Monitor CM and the CCM VM. |
    | | Egress (Optional) | MON or MON_LB | |
    | | Ingress | AMQP_IP or AMQP_LB | For Web SSH/VNC through Guacamole. |

    AMQP Ports

    | Port | Direction | Remote Source | Notes |
    | --- | --- | --- | --- |
    | 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
    | 5671 | Ingress | CCO or CCO_LB; Worker VM IP Range | For communication from the CCO VM and from launched VMs. |
    | 7789 | Ingress | Worker VM IP Range | For SSH/VNC access of launched VMs. Done through reverse proxy for loop back connection. |
    | 7788 | Ingress/Egress | AMQP or AMQP_PRIMARY, AMQP_SECONDARY, and AMQP_LB | For SSH/VNC access of launched VMs. Done through reverse proxy for loop back connection. |
    | 443 | Ingress | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For SSH/VNC and RDP access of launched VMs. |
    | 8443 | Egress | CCM or CCM_SA or CCM_LB; CCO or CCO_LB | For SSH/VNC access of launched VMs. Guacamole server on AMQP VM communicates to the CCM and CCO VMs via this port. |

    CCO Ports

    | Port | Direction | Remote Source | Notes |
    | --- | --- | --- | --- |
    | 8443 | Ingress/Egress | CCM or CCM_SA or CCM_SA_PRIMARY and CCM_SA_SECONDARY; Monitor | For two-way communication between the CCO and CCM VMs. |
    | 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
    | | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
    | 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
    | All | Egress (Conditional) | Cloud Region EndPoints, Script Sources | For cloud region endpoint access and for downloading scripts/packages defined in external services. |
    | 2375 | Egress (Conditional). Only for CloudCenter 4.6.x and earlier; not used for CloudCenter 4.7.x and later | EXT_SCRIPT_EXECUTOR | For Docker container engine access to execute external scripts. |
    | 2376 | Egress (Conditional). Only for CloudCenter 4.7.x and later; not used for CloudCenter 4.6.x and earlier | EXT_SCRIPT_EXECUTOR | For Docker container engine access to execute external scripts. |

    Monitor Ports

    MON Ports

    | Port | Direction | Remote Source | Notes |
    | --- | --- | --- | --- |
    | 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
    | 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
    | 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
    | 4560 | Ingress | CCM_IP or CCM_PRIMARY_IP and CCM_SECONDARY_IP; CCO_IP or CCO_PRIMARY_IP, CCO_SECONDARY_IP, and CCO_TERTIARY_IP | (Logstash) To collect, process, and push the logs to the CCM and/or CCO. |
    | 8881 | Ingress | CCM_IP or CCM_PRIMARY_IP and CCM_SECONDARY_IP; CCO_IP or CCO_PRIMARY_IP, CCO_SECONDARY_IP, and CCO_TERTIARY_IP | (Elasticsearch) To download logs for the CCM and/or CCO. |
    | 8882 | Ingress | Public browser access | To view the logs in the Kibana console. |
    | 8443 | Ingress/Egress | CCM or CCM_SA or CCM_SA_PRIMARY, CCM_SA_SECONDARY, and CCM_LB | For two-way communication between the CCM and Monitor VMs. |
    | | Egress | CCO or CCO_LB | For access to the CCO VM. |
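
The ingress rows of the four port tables above can be turned into a check on security-group rules before the instances are exposed. This is an added example, not part of the original page and not CloudCenter's validator script; the rule dictionaries use OpenStack Neutron's security-group-rule field names, the `audit` and `rule` helpers and the sample rules are constructed for illustration, and only TCP ingress is examined.

```python
import ipaddress

# TCP ingress ports per component role, transcribed from the port tables above.
# True = listed as Ingress, False = listed as "Ingress (optional)".
INGRESS = {
    "CCM":  {443: True, 8443: True, 80: False, 22: False, 5671: False, 15672: False},
    "AMQP": {5671: True, 7789: True, 7788: True, 443: True, 22: False},
    "CCO":  {8443: True, 22: False},
    "MON":  {4560: True, 8881: True, 8882: True, 8443: True, 22: False},
}
# Ports whose documented remote source is 0.0.0.0/0 or public browser access.
PUBLIC_OK = {"CCM": {80, 443}, "AMQP": {443}, "CCO": set(), "MON": {8882}}


def audit(role, rules):
    """Return sorted findings for the ingress rules of one component role."""
    allowed = INGRESS[role]
    covered, findings = set(), set()
    for r in rules:
        # Only TCP ingress is examined; protocol None means "any protocol".
        if r.get("direction") != "ingress" or r.get("protocol") not in ("tcp", None):
            continue
        lo = r.get("port_range_min") or 1        # None means all ports
        hi = r.get("port_range_max") or 65535
        hit = {p for p in allowed if lo <= p <= hi}
        covered |= hit
        if hi - lo + 1 > len(hit):
            findings.add(f"{role}: rule {lo}-{hi} opens ports outside the documented table")
        if r.get("remote_group_id"):
            continue                              # source is another security group
        # A rule with neither a remote group nor a prefix matches any source.
        net = ipaddress.ip_network(r.get("remote_ip_prefix") or "0.0.0.0/0", strict=False)
        if net.prefixlen == 0:
            for p in sorted(hit - PUBLIC_OK[role]):
                findings.add(f"{role}: port {p} is open to {net}; restrict it to the documented source")
    for port, required in allowed.items():
        if required and port not in covered:
            findings.add(f"{role}: required ingress port {port} has no rule")
    return sorted(findings)


def rule(lo, hi, cidr):
    """Build a TCP ingress rule in Neutron's field layout (helper for the sample)."""
    return {"direction": "ingress", "protocol": "tcp",
            "port_range_min": lo, "port_range_max": hi, "remote_ip_prefix": cidr}


# Constructed sample: an AMQP security group with two mistakes
# (SSH open to the world, and a wide range that matches no documented port).
SAMPLE_AMQP_RULES = [
    rule(22, 22, "0.0.0.0/0"),
    rule(443, 443, "0.0.0.0/0"),
    rule(5671, 5671, "10.0.0.0/16"),
    rule(7788, 7789, "10.0.0.0/16"),
    rule(8000, 9000, "10.0.0.0/16"),
]

if __name__ == "__main__":
    for finding in audit("AMQP", SAMPLE_AMQP_RULES) + audit("CCM", []):
        print(finding)
```

A clean result here only says the rules match the tables; the compliance check in the next section is still what confirms that traffic actually flows between the components.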

  3.  Perform Network Compliance Check

    You must perform the network compliance check to ensure that all network rules for inter-component communication between CloudCenter component VMs, application VMs and end user access are set up accurately.

    CloudCenter Component VMs

    To perform network compliance checks for CloudCenter components, perform this procedure on each VM launched as part of the 1. Prepare Infrastructure process.

    1. Upload the deployment descriptor JSON file created in 1. Prepare Infrastructure to the /tmp location.
    2. Upload the validator script called validator.py to the /tmp location (available with the CloudCenter appliance files).
    3. Execute the following command from the /tmp location.

      Command

      Examples:

      • python network_validator.py --role=CCM --deploymentDetails=deployment.json

      • python network_validator.py --role=CCO --region=AmazonEast1 --deploymentDetails=deployment.json

      • python network_validator.py --role=AMQP --region=AmazonEast1 --deploymentDetails=deployment.json

    4. Verify the results to ensure that there are no failures and that all required network rules are set up accurately. In case of failures, update network settings as appropriate and repeat the test.

    Application VMs

    To ensure that application VMs (that are launched as part of application orchestration) can communicate with relevant CloudCenter components and repositories, perform this procedure:

    1. Launch a test VM in every cloud environment intended to be managed by CloudCenter.
    2. Upload the deployment descriptor JSON file to the /tmp location.
    3. Upload the validator script called validator.py to the /tmp location.
    4. Execute the following command from the /tmp location.

      Command

      Example:
      python network_validator.py --role=AGENT --region=AmazonEast1 --deploymentDetails=deployment.json

    5. Verify the results to ensure that there are no failures and that all required network rules are set up accurately. In case of failures, update network settings as appropriate and repeat the tests.

    6. Once the network compliance check is successful, terminate the test VMs.

    Client Test

    Some CloudCenter components (CCM, AMQP or GUAC) must be accessible to end users to ensure UI or REST API access. To ensure client access to these components, perform this procedure:

    1. Identify the Linux, Windows (Python Enabled), or MacOSX systems running in networks accessed by end users.
    2. Upload the deployment descriptor file to this client system.
    3. Upload the validator.py to the client system.
    4. Execute the following command from the python script location.

      Command
    5. Verify the results to ensure that there are no failures and that all required network rules are set up accurately. In case of failures, update network settings as appropriate and repeat the test.

    Before proceeding to the next section, ensure that the network compliance check is successful.

  4.  Configure Components

    After you launch the instance for each image:

    1. Power on the image.
    2. Log into the image.
    3. SSH into each component instance as the centos user, and run the following command as the root user:

    4. Launch the CloudCenter wizard for each component:

      1.  CCM Wizard Properties

        Configure CCM Wizard Properties

        To configure the CCM wizard properties, follow this procedure.

          1. SSH into the CCM instance as a CentOS user.
          2. Run the following command:

        1. Invoke the CCM wizard.

          CCM Wizard Path
        2. Configure the server properties.

          Write this down for future reference!

          Write down the Field details in a printed version of the Your Notes section for later use.

          CCM Properties

          Description

          Mail

          SMTP server details to send mail notifications. If you retain the default settings, the SMTP server details are not configured.

          • SMTP Host: smtp.gmail.com
          • SMTP Port: Defaults to 465
          • SMTP Auth: Boolean setting
            • True = Authentication is required for the SMTP server.
            • False = Authentication is not required for the SMTP server.

          Mail_User

          Mail authentication and configuration details to send mail notifications. If you retain the default settings, the mail functionality is not configured and emails are not sent.

          • Mail User: Your email address for the SMTP server
          • Password: The password to log into the SMTP server
          • From User: The email address (no reply) to initiate emails from the CCM server
          • Display Name: The name to be displayed when you initiate emails from the CCM server

          Server_info (Required)

          Public DNS: DNS (or IP address) of the CCM – Used by the CCO VM to communicate with the CCM VM.

          Monitor URL: Monitor VM's complete URL. For example, https://<MON or MON_LB IP address>:8443.

          • Requires HTTPS protocol.
          • Used by the CCM VM to retrieve the health status from the Monitor VM.

          Hazelcast IP: Private IP address of the CCM VM – Used internally by the CloudCenter platform. Required for HA Mode.

          External URL: The CloudCenter External URL for the CCM server. Required for HA Mode.

          Config_App_Logo

          Used by the application profile templates.

          ESB_Info

          Required only if you installed Enterprise Service Bus (ESB), an optional component that is not installed in CloudCenter appliances by default.

          Network

          Use the defaults if you are not making any changes to these settings.

          • Hostname:
          • Interface:

          DB
          (Effective CloudCenter 4.7.0)
          • IP or Hostname: DNS or IP of the Database
            • Local host: Default, does not include the flyway migrate configuration
            • Remote host, includes the flyway migrate configuration – see the last bullet in this row.
          • Authentication credentials for the database (either local or remote).
            • Username:
            • Password:
          • Flyway Migrate: Optional, for a remote host. Configure the CCM to use a remote database by providing the IP address of the remote database. When you provide the IP address, you see an additional screen to configure the flyway migrate process.
            • Yes: Flyway migration takes place.
            • No: Only the configuration files are updated.
            DB configuration is required for standalone database deployments.

          ELK_Info
          (Effective CloudCenter 4.7.0)
          • ELK Host: Specify the IP address for the ELK host (Monitor VM).
          • Elasticsearch Port: Displays 8881 by default.
          • Logstash Port: Displays 4560 by default.
          • Kibana Port: Displays 8882 by default.
          • ELK User: The default ELK Username = logreader.
          • ELK Password: The default ELK Password is re@d0nly (zero between d and n) (change this password after the initial login – see Download Log File for additional context).
          • Host Identifier: A unique ID for the server – be sure to prefix the unique identifier with CCM_, for example, CCM_1.
          • Host Identifier List: Only applies to environments using the HA mode – provide a comma-separated list of unique host identifiers for all ELK/Monitor hosts in an HA setup, for example, CCM_1,CCM_2,myCCM.

            In an environment operating in HA mode, if you have two CCM instances with unique IDs configured as CCM_1,CCM_2 in their respective server.properties file, then this property should state CCM_1,CCM_2 in both CCM instances. Each CCM must be aware of the unique ID of the other CCM(s) when in HA mode.

        3. Exit the CCM configuration wizard.

        4. Select Yes, to restart the Tomcat service for the changes to take effect.

        You have successfully installed the CCM instance! You can now proceed to the next step:

        • If you are installing a Health Monitor component – see Health Monitor Installation (Optional)

      2.  AMQP - CCM/CCO Wizard Properties

        AMQP  – Configure CCM/CCO Properties for Guacamole Server

        Dedicated GUAC Setup?

        This GUA config wizard step is not required if you have set up a dedicated Guacamole server.

          1. SSH into the GUA instance as a centos user.
          2. Run the following command:

        1. Invoke the GUA wizard.

          GUA Wizard Path
        2. Configure the CCM and CCO (once installed) properties.

          Write this down for future reference!

          Write down the Field details in a printed version of the Your Notes section for later use.
        3. Configure the properties for the CCM and CCO (once installed) VMs:

          | Group | Possible IP Addresses |
          | --- | --- |
          | CCM_Info | CCM Host: CCM_IP or CCM_SA_IP or CCM_LB_IP |
          | CCO_Info | CCO Host (once installed): CCO_IP or CCO_LB_IP |
        4. Verify your changes and Exit the GUA configuration wizard.

        5. Select Yes, to restart the Tomcat service for the changes to take effect.

          If you are installing the AMQP instance for the first time, then you may need to wait for a few minutes to ensure that all users are listed. You can verify that all users are listed by running the following commands:

        You have successfully configured the AMQP instance! Proceed to the CCO (Required) section.

        Post-Install Setup

        Any change in the hostname may result in a VM bounce/reboot.

        If you change the AMQP server's hostname, the local AMQP database is renamed and you may need to rerun the AMQP configuration.

        Some clouds set the hostname automatically for each new instance or boot, and RabbitMQ uses the pre-set hostname to set the database name. In these cases, you must run the following commands as root to rerun the AMQP configuration:

        You will also need to run these commands again if the node is rebooted, as you may end up with a new hostname and database name.

        If a database user exists and a login is not associated, this user may not be able to log into the AMQP server.

        Ensure that the required users (cliqr and cliqr_worker) are set up in your database. If you have additional users in your database, they will also be displayed when you run the rabbitmqctl command.

        If you do not see these users in your database, run the following commands as root (to recreate the users in the AMQP configuration):

        Reboot the AMQP Server

        Reboot the AMQP server.

        Start the Wizard

        Use the following command to start the guacamole wizard if you need to change settings as required by your deployment. See Per CloudCenter Region Installation (Required) > AMQP  for additional context.

      3.  CCO Wizard Properties

        CCO – Configure CCO Wizard Properties

          1. SSH into the CCO instance as a centos user.
          2. Run the following command:

        1. Invoke the CCO wizard.

          CCO Wizard Path
        2. Configure the server properties.

          Write this down for future reference!

          Write down the Field details in a printed version of the Your Notes section for later use.

          Group

          Notes

          AgentBundle

          Use the defaults.

          • If you are using the custom bundle, replace cdn.cliqr.com with the custom bundle store IP or DNS
          • If you are using the package store, replace repo.cliqrtech.com with the custom package store IP or DNS

          AMQP_Server

          • AMQP Server IP: AMQP_IP or AMQP_LB_IP
          • AMQP Port: 5671

          Network

          Hostname: Configure the Network details for your CCO environment. This is an optional step to configure the Private IP of the VM. You can generally configure this information if the VM does not have preset IP or hostname or if you need to override an existing IP or Hostname.

          Guacamole

          • Connection Broker Host: AMQP_IP or AMQP_LB_IP 
          • Connection Broker Port1: 7788
          • Connection Broker Port2: 7789

          Docker

          • Docker Registry URL: Set only if custom docker registry is used.
          • Docker CACert URL: Set only if docker registry uses SSL with custom CA Certificates.

          ELK_Info

          (Effective CloudCenter 4.7.0)

          • ELK Host: Specify the IP address for the ELK/Monitor host.
          • Elasticsearch Port: Displays 8881 by default.
          • Logstash Port: Displays 4560 by default.
          • Host Identifier: The unique ID for the server – be sure to prefix the unique identifier with CCO_, for example, CCO_Openstack_regionOne or CCO_Amazon_east.
          • Host Identifier List: This field only applies to environments using the HA mode – provide a comma-separated list of unique host identifiers for all ELK/Monitor hosts in an HA setup, for example, CCO1,CCO2,myCCO.

            In an environment operating in HA mode, if you have three CCO instances with unique IDs configured as CCO_1,CCO_2,CCO_3 in their respective server.properties file, then this property should state CCO_1,CCO_2,CCO_3 in each CCO instance. Each CCO must be aware of the unique ID of the other CCO(s) when in HA mode.

        3. Verify your changes and Exit the CCO configuration wizard.

        4. Select Yes, to restart the Tomcat service for the changes to take effect.

        You have successfully configured the CCO instance! You can now proceed to the next step:

        • If you are installing a dedicated Docker component – see Dedicated Docker Registry Installation (Optional)
        • If you are not installing a dedicated Docker component – see Setup the Admin Account and proceed with configuring and setting up CloudCenter.

      4.  Monitor - CCM Wizard Properties

        Monitor – Configure Monitor Properties

          1. SSH into the MONITOR instance as a centos user.
          2. Run the following command:

        1. Invoke the wizard.

          Monitor Wizard Path
        2. Configure the properties for the Monitor instance.

          Write this down for future reference!

           Write down the Field details in a printed version of the Your Notes section for later use.

          Group

          Notes

          CCM_Info
          • Monitor ID – A unique (alphanumeric) identifier used for the health check instance.
          • CCM Hostname/URL (Required)
            • CCM_IP or 
            • CCM_SA_IP or
            • CCM_LB_IP
          • Monitor User – The User ID configured on the CCM server to enable health check for cloud  regions.
            • To perform a health check on all activated cloud regions, set this value as 2 (2 is the CloudCenter’s root administrator’s User ID).
            • To perform a health check on specific cloud regions, create and activate a new user with those specific regions and use that user’s User ID as value for this property. To get the User ID, use the v1 User Management APIs.

          ELK_Login

          For the ELK/Monitor host.
          • ELK User: The default ELK Username = logreader.
          • ELK Password: The default ELK Password is re@d0nly (zero between d and n) (change this password after the initial login – see Download Log File for additional context).
        3. Verify your changes and Exit the Monitor configuration wizard.

        4. Select Yes, to restart the Tomcat service for the changes to take effect.

        You have successfully configured the Monitor instance! You can now proceed to the Per CloudCenter Region Installation section and install the CloudCenter components for each Cloud.

 
