CEE Connectivity User Guide

Cloud Execution Environment

1	Introduction
1.1	Scope
1.2	Target Groups
1.3	Prerequisites
1.3.1	Conditions
1.3.2	Tools and Equipment
1.3.3	Documents
2	Main CEE User Types
3	Introduction to the CEE Interfaces
3.1	Interfaces for CEE Users
3.2	Interfaces for CEE Administrators
4	System and Initial User Accounts
5	Atlas VM
5.1	CLI Logon
5.2	GUI Logon
6	vCIC
7	vFuel
8	Compute Host
9	Storage Access
9.1	EMC VNX Access
9.2	EMC ScaleIO Access
10	End-User Access

1 Introduction

This User Guide provides an overview of the available interfaces in Cloud Execution Environment (CEE), and instructions on how to connect to these. The document covers the interfaces from both a CEE user and CEE administrator point of view.

1.1 Scope

This User Guide provides a basic-level overview of the logon methods available in CEE.

1.2 Target Groups

This document is aimed at the following groups:

Users who want to access a CEE environment
Administrators who want to configure a CEE environment

1.3 Prerequisites

This section describes the prerequisites which have to be fulfilled.

1.3.1 Conditions

Ensure that the following condition is met:

The CEE is installed and running.

1.3.2 Tools and Equipment

Ensure that the following tools are available:

Computer with SSH connection to the CEE for CLI operations

1.3.3 Documents

The following document is needed:

The site-specific IP and VLAN plan

2 Main CEE User Types

The purpose of CEE Identity and Access Management (IdAM) is to manage identities and credentials for cloud users, and to provide authentication and access control services for user accesses.

The CEE IdAM solution differentiates between the following user types:

Cloud Infrastructure Administrators
Local Administrators

OpenStack users are managed by default Keystone and Dashboard operations, not by the CEE IdAM tool. For these operations, refer to OpenStack Administrator Guide.

The following OpenStack user types are defined:

OpenStack Cloud Administrators
OpenStack Cloud Users

For detailed information about the user types available in CEE, see the Security User Guide.

3 Introduction to the CEE Interfaces

3.1 Interfaces for CEE Users

The tasks of a CEE user concern managing the applications (VNFs) running on CEE. Typical tasks include creating and starting VMs, creating or deleting networks, and so on. Such management is done through the CEE Northbound (NB) API, meaning the OpenStack interfaces. These interfaces are provided through the REST API of CEE, and can be accessed by the following:

Atlas GUI
OpenStack command line client (OS CLI)
Other Cloud manager, for example: ECM
Direct access towards the CEE NB API by means of API calls, for example using Curl. This option is usually only used for demonstration or development purposes.

The use of the CEE interfaces require user authentication. The CEE users are managed in Keystone, and must be defined by the CEE administrator. The administrator creates a CEE project and connects users to it. The CEE user then use the user name and password provided by the CEE administrator to access the CEE NB interfaces.

Atlas GUI

Atlas runs as a separate VM and provides a management GUI, similar to OpenStack Horizon. The Atlas GUI is provided as a web interface. To log into the Atlas GUI, the Atlas user needs to connect to the interface using a web browser running outside CEE, and uses the credentials defined in Keystone.

OpenStack Command Line Client

The OS CLI connect to the same REST API as Atlas, and consequently uses the same credentials (users in Keystone). As the name implies, the OS CLI is used from the command line of the user's system. As the CLI uses the REST API of CEE, it can run in various places:

The OS CLI can be installed and run on the user's computer. The CEE users defined in Keystone are provided in the OS CLI, as such, it is not dependent on the local user of the computer.
The OS CLI is included in Atlas. SSH connectivity to Atlas must be provided for user access. The Atlas administrator needs to create a Linux user in Atlas that can be used for SSH connectivity. The Linux user in Atlas is different from the CEE user in Keystone. Both the Keystone CEE user and the Linux Atlas user are needed to use the OS CLI from Atlas.
OS CLI is included in the CEE infrastructure. A CEE user normally does not have direct access to the CEE infrastructure. This access is reserved for the CEE administrator

Some use-cases in Atlas require SSH and/or SFTP access to the Atlas VM. In these cases, the Atlas administrator must provide the credentials for Atlas access.

3.2 Interfaces for CEE Administrators

The CEE administrator has a number of additional interfaces apart from the interfaces provided for the CEE user.

Note:: Certain actions require the administrator to use the root account. It is recommended to use sudo to temporary gain root privileges for such actions.

Certain CEE management functions (such as debugging, user management, and updates) are done from the Linux CLI in CIC and/or Fuel. There are default users that can be used, however, it is recommended that individual users are created in the CEE infrastructure. These individual CEE administrator user accounts are to be used for SSH connections to the CEE infrastructure.
The individual CEE administrator accounts can be used to connect to the vCIC node. The CIC can be used to access the individual compute nodes, and to connect to Fuel through SSH.
The Watchmen alarm service in CEE provides an active alarm list. The service can be accessed from both the CEE infrastructure CLI and the alarm tab in Atlas. The user must be defined as an admin user in Keystone to see the alarms.
Zabbix is used for infrastructure monitoring, and provides a GUI in the form of a web interface. The credentials for Zabbix are defined during the deployment of CEE.
Note:
Zabbix is not an official API in CEE, and may be subject to change.

4 System and Initial User Accounts

The initial administrator and system account credentials that are created during the system installation are shown in Table 1.

Table 1 Initial Administrator and System Account Credentials
Username	Where	Type	Initial Password and Public Key Set	Place of Use	Allowed Human Interface
ceeadm	vCIC, Compute, vFuel	Linux	Initial factory password; initial public key is generated at installation time.	Initial non-root administrator account for example for the following: Update LDAP account	SSH, console access
ceebackup	vCIC, vFuel	Linux	Initial factory password; initial public key is generated at installation time.	Backup and restore processes	SSH, console access
root	vFuel	Linux	Initial factory password	Manage CIC, Compute, Fuel	SSH, console access
root	vCIC, Compute	Linux	Initial factory password, public key based login available only from Fuel.	Mainly for Fuel to manage CIC and Compute	Console access (no SSH)
atlasadm	Atlas VM	Linux	Initial password to log into Atlas, no public key based authentication by default.	Initial account in Atlas VM.	SSH
admin	vCIC, Host, Atlas	OpenStack	Initial factory passwords, no public keys.	OpenStack management	Atlas dashboard, OpenStack CLI (restful interfaces)

For more information on initial administrator and system accounts, see the System Hardening Guideline.

5 Atlas VM

5.1 CLI Logon

To log on to Atlas using the CLI, follow these steps:

Open a command line.
Type in the following command:
```
ssh user@Atlas_IP
```
Replace Atlas_IP with the administrator defined Atlas IP address.

The user can be a personal user account or atlasadm depending on the credentials provided by the Atlas administrator.

5.2 GUI Logon

To log on to Atlas using the GUI, follow these steps:

Open a web browser.
Navigate to https://Atlas_IP/ to reach the Atlas GUI logon screen, as shown in Figure 1.
Replace Atlas_IP with the administrator defined Atlas IP address.

Figure 1 Atlas Login Screen

Type the username and password in the corresponding fields, then click > to log in to Atlas.

Note:: Atlas is best viewed using Google Chrome™, but it also supports Mozilla Firefox® 40.0+.

6 vCIC

The vCICs can be reached from:

vCIC public IP addresses on VLAN cee_om_sp, using the IdAM username and password
vFuel
The fuel node command can be used in vFuel to list the available nodes in the system.

The CEE Region has one vCIC node (cic-1) in case of Single Server and three vCIC nodes (cic-1, cic-2 and cic-3) in case of Multi-Server configurations with public IP addresses according to IP addresses allocated for vCIC nodes in cee_om_sp network.

The vCIC nodes have hostnames of the format cic-<id>, for example: cic-2

To log on to any vCIC from outside CEE using the NB IP of the vCIC, follow these steps:

Open a command line.
Type in the following command:
```
ssh personal-user@any_cic-ip-address
```

Note:: The command line capabilities provided by the vCIC can be used by the CEE administrator for administrative tasks only.

To log on to any vCIC from vFuel, follow these steps:

Open a command line.
Type in the following command:
```
ssh cic-id
```

Note:: This method is only applicable if a management network is connected to vFuel with a direct ssh connection to vFuel from outside CEE. The normal procedure is to connect to vCIC and then use ssh to connect to vFuel. In such cases there is no need to make another ssh session to the vCIC from vFuel.

7 vFuel

To log on to vFuel, follow these steps:

Connect to vCIC as described in Section 6.
Type in the following command:
```
ssh root@fuel_address
```
fuel_address is the Fuel static address in the fuel_ctrl_sp VLAN. The factory default value is 192.168.0.11. Refer to the local version of the IP and VLAN plan, updated with site-specific IP addresses.

8 Compute Host

Compute hosts can be reached:

From vCIC
From vFuel
The fuel node command can be used in vFuel to list the available nodes in the system.

Compute hosts have hostnames of the format compute-<shelf-id>-<blade id, for example: compute-0-3.

More examples are provided in Table 2.

Table 2 Examples of Hostnames
Hostname	Description
`compute-0-5`	Compute host in shelf 0 (enclosure 0), device bay 5
`compute-1-10`	Compute host in shelf 1 (enclosure 1), device bay 10
…	Following the same pattern for further shelves
`compute-2-16`	Compute host in shelf 2 (enclosure 2), device bay 16

To log on to a compute host, follow these steps:

Connect to vFuel as described in Section 7.
Type in the following command:
```
ssh ceeadm@compute_address
```
Replace compute_address with the relevant IP address or compute node name.

9 Storage Access

9.1 EMC VNX Access

Refer to the EMC VNX technical documentation regarding CLI and GUI access.

9.2 EMC ScaleIO Access

Refer to the EMC ScaleIO technical documentation regarding CLI and GUI access.

10 End-User Access

End users can manage the virtual resources through the following interfaces:

OpenStack northbound APIs
GUI in Atlas
OpenStack command line clients, for exampe in Atlas
Usage of the OpenStack client requires authentication. The username and password are defined in Keystone and must be provided by the CEE administrator. The username and password can be provided as command line parameters, or configured as environment variables. The procedure for configuring the environment variables are described in OpenStack Administration Guide.

Note:: The command line capabilities provided by the vCIC can be used by the CEE administrator for administrative tasks only.