
ZStack 3.8.9

Jun 28, 2024
User Guide / 5 System Login (Issue: V3.9.0)

Advanced to set the switch of verification codes and the maximum number of failed logins.
• On the Advanced page, set Switch for Verification Code to true to enable this feature. Default value: false.
• On the Advanced page, set Maximum Number of Failed Logins to modify the maximum number of failed logins. Default value: 6.
• To better protect your account, ZStack supports two-factor authentication. If you enable two-factor authentication, the cloud requires the correct account name, the password, and the 6-digit security code generated by the identity authentication app at every login. The following procedure applies the first time you log in with two-factor authentication enabled.

Procedure
1. On the main menu of ZStack Private Cloud, select Settings > Global Settings > Advanced. On the Advanced page, set Switch For Two Factor to true to enable two-factor authentication.
2. From your phone's application store, download and install an identity authentication app. We recommend Authy, Microsoft Authenticator, or Google Authenticator.
3. When you log in to the cloud for the first time, enter the correct account name and password and click Log In. The Identity Authentication page is displayed, as shown in Figure 5-2: Identity Authentication.

Figure 5-2: Identity Authentication

4. Use the identity authentication app to scan the QR code shown on the Identity Authentication page. The app then starts generating 6-digit security codes.
5. Click Save and Next. The cloud automatically downloads the QR code and opens the security code input page.
6. Enter the 6-digit security code currently displayed by the app to log in to the cloud.

Note:
• After your first successful login, the QR code for authenticating your identity is no longer displayed. Save it and keep it carefully: the QR code encodes the shared secret from which the security codes are derived, so anyone who obtains it can generate valid codes for your account. Protect it as you would a password.
• If your QR code is lost, contact official technical support for help.
• After you log in to the cloud successfully, you can check the QR code of a regular user on the account details page. If the QR code of a regular user is lost, contact the project admin for help.
• After the admin logs in to the cloud successfully, the admin can check the QR code used for project identity authentication on the project details page. If the QR code of a project is lost, contact the platform admin for help.
• To increase the security of login passwords, the cloud supports the following password policies:
▬ Account lock after consecutive failed logins. While the account is locked, you cannot log in to the cloud with it, even with the correct password. Select Settings > Advanced and enable locking on consecutive failed logins.
• On the Advanced page, set Lock Login Attempt Maximum to true to enable this feature. Default value: false.
• On the Advanced page, set Maximum Number of Failed Logins to change the number of consecutive failures that triggers the lock. Default value: 6.
• On the Advanced page, set Account Locking Duration of Failed Logins to change how long the account stays locked. Default value: 10 minutes.
▬ Password update cycle, which requires login passwords to be changed regularly. Select Settings > Advanced to set the cycle.
• On the Advanced page, set Password Update Cycle to true to enable this feature. Default value: false.
• On the Advanced page, set Password Update Cycle. Default value: 90 days.
▬ Password history, which requires a new password to differ from recent passwords. Select Settings > Advanced to set the number of passwords that cannot be reused.
• On the Advanced page, set Password not Repeated Times to true to enable this feature. Default value: false.
• On the Advanced page, set Password not Repeated Times. If the value is 3, the new password cannot be the same as any of the last 3 passwords. Default value: 5.
▬ Password strength, which sets the password length and, optionally, requires a combination of numeric, alphabetic, and special characters. Select Settings > Advanced to set the password strength.
• On the Advanced page, set Password Strength to true to enable this feature. Default value: false.
• On the Advanced page, set Password Strength to choose the password length and whether to require numeric, alphabetic, and special characters. Default value: 8-32.
• After you log in to the cloud successfully for the first time, select Personal Center > Change Password at the upper right of the UI.
• A login session lasts 2 hours by default. If your session times out, you need to log in to the cloud again.
▬ Session Timeout can be customized: on the main menu of ZStack Private Cloud, select Settings > Global Settings > Basic Settings.

Personal Center
• Select Personal Center > Switch Language to change the UI language. Currently, ZStack supports three languages: Simplified Chinese, English, and Traditional Chinese.
• Select Personal Center > Log Out to exit the ZStack UI management page.
• We recommend a screen resolution wider than 1280 pixels for the best experience.

6 Wizard Configuration

When you log in to ZStack for the first time, a wizard guides you through initializing the basic environment of ZStack Private Cloud in the UI.

Note:
• If the initialization process is interrupted, or if you delete key resources during initialization, the wizard is not displayed again.
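The login password policies described in chapter 5 above (account lock after a number of consecutive failed logins for a lock duration, a history of passwords that cannot be reused, and a length and character-class requirement), modelled in memory as an added example that is not ZStack code. The defaults mirror the documented values (6 failures, 10 minutes, 5 passwords, 8-32 characters); the salted PBKDF2 hashing and the class and function names are this example's own assumptions, since the page does not describe how ZStack stores passwords.

```python
"""Added example (not ZStack code): the login password policies documented
above, modelled in memory. Defaults mirror the documented values. The PBKDF2
hashing is an assumption for the example; ZStack's own password storage is
not described on this page.
"""
import hashlib
import hmac
import os
import re
import time
from collections import deque
from typing import Deque, Optional, Tuple

# Documented defaults (Settings > Global Settings > Advanced).
MAX_FAILED_LOGINS = 6        # Maximum Number of Failed Logins
LOCK_DURATION_SECONDS = 600  # Account Locking Duration of Failed Logins: 10 min
PASSWORD_NOT_REPEATED = 5    # Password not Repeated Times
PASSWORD_LENGTH = (8, 32)    # Password Strength: default length range

PasswordRecord = Tuple[bytes, bytes]  # (salt, PBKDF2-HMAC-SHA256 digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Salted PBKDF2 (assumed scheme). Reusing a stored salt lets a candidate
    be compared against an old record without keeping any plaintext."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_strength_error(password: str) -> Optional[str]:
    """Return None if the password satisfies the strength policy, else why not."""
    lo, hi = PASSWORD_LENGTH
    if not lo <= len(password) <= hi:
        return f"length must be {lo}-{hi} characters"
    if not re.search(r"[0-9]", password):
        return "must contain a numeric character"
    if not re.search(r"[A-Za-z]", password):
        return "must contain an alphabetic character"
    if not re.search(r"[^0-9A-Za-z]", password):
        return "must contain a special character"
    return None


class Account:
    def __init__(self, name: str, password: str):
        self.name = name
        # Most recent passwords, current one last; bounded by the policy.
        self.history: Deque[PasswordRecord] = deque(
            [hash_password(password)], maxlen=PASSWORD_NOT_REPEATED)
        self.failures = 0         # consecutive failed logins
        self.locked_until = 0.0   # unix time; 0 means not locked

    def _matches(self, record: PasswordRecord, candidate: str) -> bool:
        salt, digest = record
        return hmac.compare_digest(hash_password(candidate, salt)[1], digest)

    def change_password(self, new_password: str) -> Optional[str]:
        """Apply the strength and history policies; None means accepted."""
        err = password_strength_error(new_password)
        if err:
            return err
        if any(self._matches(rec, new_password) for rec in self.history):
            return f"must differ from the last {PASSWORD_NOT_REPEATED} passwords"
        self.history.append(hash_password(new_password))
        return None

    def login(self, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'. While locked, even the correct
        password is refused and the attempt is not counted."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        if self._matches(self.history[-1], password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILED_LOGINS:
            self.locked_until = now + LOCK_DURATION_SECONDS
            self.failures = 0
            return "locked"
        return "denied"
```

Two details worth noticing when you configure the real settings: a locked account refuses the correct password until the lock expires, so a low Maximum Number of Failed Logins with a long lock duration lets anyone who knows an account name lock its owner out; and the history check works on stored hashes, which is why a new password can be compared against old ones without the old plaintexts ever being retained.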
• We recommend that you complete the configuration of the ZStack basic environment by following the wizard.

6.1 Create Zone

Context
A zone is the largest resource scope defined in ZStack, covering resources such as clusters, L2 networks, and primary storages. As shown in Figure 6-1: Create Zone.

Figure 6-1: Create Zone

Set the following parameters:
• Name: Enter a name for the zone.
• Description: Optional. Enter a description for the zone.
Click Next to finish creating the zone.

6.2 Create Cluster

Context
A cluster is a logical group of similar hosts (compute nodes). As shown in Figure 6-2: Create Cluster.

Figure 6-2: Create Cluster

Set the following parameters:
• Name: Enter a name for the cluster.
• Description: Optional. Enter a description for the cluster.
Click Next to finish creating the cluster.

6.3 Add Host

Context
A host, also known as a compute node, is a core asset of the cloud. VM instances run on hosts. As shown in Figure 6-3: Add Host.

Figure 6-3: Add Host

Procedure
1. For Name, enter a name for the host.
2. Optional. For Description, enter a description for the host.
3. For Host IP, enter the IP address of the host, for example, 172.20.14.32.
• For security and stability, we recommend that you separate the management network from the public network in production environments, that is, use separate networks and IP addresses for management traffic and for VM traffic. For example, eth0 can carry the management network, over which ZStack communicates with each compute node, and eth1 can carry the public network, which reaches external networks through the top-level aggregation switches.
• Separating the management network from the public network keeps management traffic, such as the SSH access ZStack uses to configure hosts, off the network that VMs and external users can reach, and guarantees bandwidth for the management network.
4. For SSH Port, enter the SSH port of the host. Default port: 22. If not specified, the default port is used.
5. For User Name, enter the user name on the host. Default user name: root. You can also enter a normal (non-root) user name.
• If you have not added a user to the host, you can use root as the user name.
• To use a normal user name, make sure that the user has sudo permission.
• When you create a normal user, we recommend the adduser command. The following example creates a normal user and grants it sudo permission. It writes a drop-in file under /etc/sudoers.d instead of appending to /etc/sudoers directly, and validates the file with visudo so that a syntax error cannot break sudo for every user on the host. On CentOS, adduser does not set a password, so passwd sets the one you will enter in the wizard:
#Create a normal user named test.
[root@localhost ~]# adduser test
#Set the password for test (the wizard asks for it in step 6).
[root@localhost ~]# passwd test
#Grant the user test passwordless sudo through a validated drop-in file.
[root@localhost ~]# echo "test ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/test
[root@localhost ~]# chmod 0440 /etc/sudoers.d/test
[root@localhost ~]# visudo -cf /etc/sudoers.d/test
Note that NOPASSWD: ALL makes this account equivalent to root, so protect its password exactly as you would the root password.
6. For Password, enter the password of the user. Note that the password is case-sensitive.
7. Click Next. ZStack then configures the host by calling backend jobs.
• The configuration might take several minutes.
• If an error occurs during the installation, the corresponding error message is displayed.

What's next
After you complete the settings in the wizard, if you want to add other hosts to the same cluster in the same zone, make sure that those hosts run the same CentOS operating system. Their SSH ports, user names, and passwords may differ.

6.4 Add Backup Storage

A backup storage is a storage server used to store image templates or ISO images for VM instances. The following types of backup storage are available:
1. ImageStore: Stores image files in segments. Incremental storage is supported.
2. SFTP: Stores image files as plain files.
3. Ceph: Stores image files on Ceph distributed block storage.

Note: ZStack Enterprise and Hybrid support ImageStore and Ceph backup storages.
ZStack Community supports SFTP and Ceph backup storages. Configure the backup storage according to your environment.

6.4.1 ImageStore

Context
As shown in Figure 6-4: Add ImageStore Backup Storage.

Figure 6-4: Add ImageStore Backup Storage

Procedure
1. For Name, enter a name for the backup storage.
2. Optional. For Description, enter a description for the backup storage.
3. For Type, select ImageStore.
4. For Backup Storage IP, enter the IP address of the backup storage.
• For security and stability, we recommend that you separate the management network from the public network in production environments.
• The backup storage IP address can be on the management network to save public network bandwidth.
• If the public network is 10 Gigabit, the backup storage IP address can instead be on the public network to speed up image transfers between the backup storage and the compute nodes. Adding and saving images generally consumes a lot of bandwidth, so if the backup storage shares the public network, perform image operations when the network is idle.
• If conditions permit, set up an independent storage network.
5. For URL, enter the directory on the backup storage server where images are stored (attach large-capacity storage there), for example, /ImageStore_bs.
6. For Import images, select or clear the checkbox as needed.
• If selected, existing images under the URL you entered are imported.
• This option is available only for ImageStore backup storages.
7. For SSH Port, enter the SSH port of the backup storage. Default port: 22. If not specified, the default port is used.
8. For User Name, enter the user name on the backup storage. Default user name: root. You can also enter a normal user name.
• If you have not added a normal user to the backup storage, you can use root as the user name.
• To use a normal user name, make sure that the user has sudo permission.
9. For Password, enter the password of the user. Note that the password is case-sensitive.
10. Click Next. The system then automatically configures the ImageStore backup storage.

6.4.2 Ceph

Context
As shown in Figure 6-5: Add Ceph Backup Storage.

Figure 6-5: Add Ceph Backup Storage

Procedure
1. For Name, enter a name for the backup storage.
2. Optional. For Description, enter a description for the backup storage.
3. For Type, select Ceph.
4. For Mon IP, enter the IP address of the Ceph monitor.
5. For SSH Port, enter the SSH port of the Ceph monitor. Default port: 22. If not specified, the default port is used.
6. For User Name, enter the user name on the Ceph monitor. Default user name: root. You can also enter a normal user name.
• If you have not added a normal user to the Ceph monitor, you can use root as the user name.
• To use a normal user name, make sure that the user has sudo permission.
7. For Password, enter the password of the user. Note that the password is case-sensitive.
8. Optional. For Pool Name, specify a storage pool for the Ceph backup storage.
• If specified, you need to create the storage pool in advance in the cluster to which the Ceph storage belongs.
• If not specified, a storage pool is created automatically.
9. Click Next. The system then configures the Ceph backup storage.

6.5 Add Primary Storage

A primary storage is a storage server used to store the disk files of VM instances, such as root volumes, data volumes, root volume snapshots, data volume snapshots, and image caches.
When you add a primary storage by using the wizard, the primary storage can be one of the following types:
• Local Storage: uses the local disks of a host for storage.
• Network Shared Storage: includes NFS, Shared Mount Point, and Ceph.
▬ NFS is a network file system storage.
▬ Shared Mount Point supports network shared storage provided by commonly used distributed file systems, for example, MooseFS, GlusterFS, OCFS2, and GFS2.
▬ Ceph uses distributed block storage.

Note: The types of primary storage and backup storage are strongly associated.
• If the backup storage is ImageStore, the primary storage can be LocalStorage, NFS, Shared Mount Point, or Ceph.
• If the backup storage is Ceph, the primary storage must be Ceph.

6.5.1 Local Storage

Context
If you select Local Storage as the primary storage, the same directory is configured on all hosts. As shown in Figure 6-6: Add Local Storage.

Figure 6-6: Add Local Storage

Set the following parameters:
• Zone: By default, the current zone is displayed.
• Name: Enter a name for the primary storage.
• Description: Optional. Enter a description for the primary storage.
• Type: Select LocalStorage.
• URL: Enter the directory of the Local Storage.
Note:
• If the directory you entered does not exist, the system creates it automatically.
• The following system directories cannot be used. Otherwise, the hosts might fail to work properly.
▬ /
▬ /dev/
▬ /proc/
▬ /sys/
▬ /usr/bin
▬ /bin
• Cluster: Select the cluster to which the primary storage is attached.
Click Next to finish adding the Local Storage.

6.5.2 NFS

Context
If you select NFS as the primary storage, ZStack automatically mounts the same NFS shared directory on all hosts as the primary storage. Make sure that the hosts have read and write permission on the NFS export. As shown in Figure 6-7: Add NFS Primary Storage.
Figure 6-7: Add NFS Primary Storage

Set the following parameters:
• Zone: By default, the current zone is displayed.
• Name: Enter a name for the primary storage.
• Description: Optional. Enter a description for the primary storage.
• Type: Select NFS.
• URL: Enter the shared directory of the NFS server. Either an IP address or a domain name is supported.
Note:
• Format: NFS_Server_IP:/NFS_Share_folder or NFS_Server_Domain:/NFS_Share_folder. Examples:
▬ IP format: 192.168.0.1:/nfs_root
▬ Domain format: www.123.com:/nfs_root
• You need to set the access permissions of the corresponding directories on the NFS server in advance.
• To keep access under control on the NFS server side, restrict the export to the hosts that need it (for example, list the storage network CIDR in /etc/exports rather than exporting to any client) and apply the corresponding firewall rules.
• You can check the shared directories of the NFS server in advance by running showmount -e on the NFS server.
• The following system directories cannot be used. Otherwise, the hosts might fail to work properly.
▬ /
▬ /dev/
▬ /proc/
▬ /sys/
▬ /usr/bin
▬ /bin
• Mount Parameter: Optional. Before you specify mount parameters, make sure that the NFS server supports them.
Note:
• Parameters are separated by commas (,). For example: nfsvers=3,sec=sys,tcp,intr,timeo=5. This example means NFS version 3, the standard UNIX (AUTH_SYS) authentication mechanism, TCP as the transport protocol, interruptible NFS calls, and an RPC timeout of 0.5 seconds (timeo is in tenths of a second, so 5/10). Be aware that sec=sys only passes the client's UID and GID to the server and does not authenticate the client, which is why access control belongs on the export and the network; that the intr option has been ignored by the Linux NFS client since kernel 2.6.25; and that timeo=5 is far below the client default of 600 (60 seconds) for NFS over TCP.
• To specify mount parameters, refer to the -o option of mount and the nfs(5) manual page.
• You can set the parameters according to the mount command used on common clients. If a parameter conflicts with the NFS server side, the server side prevails.
• Storage Network: Specify the storage network used for the shared storage. The storage network can be shared with the management network of the management node.
Note:
• If you have an independent storage network, enter its CIDR.
• You can use this storage network to check the health status of VM instances.
• Cluster: Select the cluster to which the primary storage is attached.
Click Next to finish adding the NFS primary storage.

6.5.3 Shared Mount Point

Prerequisites
If you select Shared Mount Point (SMP) as the primary storage, you can use network shared storage provided by commonly used distributed file systems, such as MooseFS, GlusterFS, OCFS2, and GFS2, in ZStack.

Context
As shown in Figure 6-8: Add SMP Primary Storage.

Figure 6-8: Add SMP Primary Storage

Set the following parameters:
• Zone: By default, the current zone is displayed.
• Name: Enter a name for the primary storage.
• Description: Optional. Enter a description for the primary storage.
• Type: Select SharedMountPoint.
• URL: Enter the path at which the shared storage is mounted on the hosts.
• Storage Network: Specify the storage network used for the shared storage. The storage network can be shared with the management network of the management node.
Note:
• If you have an independent storage network, enter its CIDR.
• You can use this storage network to check the health status of VM instances.
• Cluster: Select the cluster to which the primary storage is attached.
Click Next to finish adding the SMP primary storage.

6.5.4 Ceph

Context
ZStack supports Ceph block storage. If you select Ceph as the primary storage, you need to add a Ceph backup storage or an ImageStore backup storage and configure the Ceph distributed storage in advance. As shown in Figure 6-9: Add Ceph Primary Storage.

Figure 6-9: Add Ceph Primary Storage

Set the following parameters:
• Zone: By default, the current zone is displayed.
• Name: Enter a name for the primary storage.
• Description: Optional. Enter a description for the primary storage.
• Type: Select Ceph.
• Disable Cephx: Determines whether Ceph authentication (cephx) is used.
Note:
• By default, this checkbox is not selected, which means that Ceph authentication is enabled.
• If selected, Ceph authentication is disabled.
• Disable cephx only if the network between the storage nodes and the compute nodes is trusted and isolated. Without cephx, any host that can reach the monitors and OSDs can read and write the pools, so this option trades authentication for avoiding cephx authentication failures. Keep cephx enabled wherever you can.
• Make sure that this option matches the authentication setting of the Ceph cluster. If cephx is still enabled on the Ceph cluster, selecting this checkbox causes a mismatch and VM creation may fail.
• Mon IP: Enter the IP address of the Ceph monitor.
• SSH Port: Enter the SSH port of the Ceph monitor. Default port: 22.
• User Name: Enter the user name on the Ceph monitor.
• Password: Enter the password corresponding to the user name on the Ceph monitor.
• Add More: Click the plus sign (+) to add more Ceph monitors.
• Image Pool Name: Enter the name of an image pool. If not specified, the system automatically creates an image pool.
• Data Volume Pool Name: Enter the name of a data volume pool. If not specified, the system automatically creates a data volume pool.
• Root Volume Pool Name: Enter the name of a root volume pool. If not specified, the system automatically creates a root volume pool.
• Storage Network: Specify the storage network used for the shared storage. The storage network can be shared with the management network of the management node.
Note:
• You can use this storage network to check the health status of VM instances.
• We recommend that you plan an independent storage network in advance to avoid potential risks.
• Cluster: Select the cluster to which the primary storage is attached.
Click Next to finish adding the Ceph primary storage.

6.6 Create Instance Offering

Context
As shown in Figure 6-10: Create Instance Offering.
Figure 6-10: Create Instance Offering

Set the following parameters:
• Name: Enter a name for the instance offering.
• Description: Optional. Enter a description for the instance offering.
• CPU: Set the number of CPU cores for VM instances.
• Memory: Set the memory size for VM instances. Unit: MB | GB | TB.
• Host Allocation Strategy: When you create a VM instance with this instance offering, the cloud allocates a host according to the selected strategy. Default strategy: Host with min. running VMs. The strategies are:
▬ Host with min. running VMs: The host with the fewest running VM instances is chosen.
▬ Host with min. CPU utilization: The host with the lowest CPU utilization is chosen.
Note:
• The cloud collects host CPU load over a period of time, calculates the average CPU usage for that period, and selects the host with the lowest average.
• By default, the collection cycle is 10 minutes. To change it, go to Settings > Global Settings > Advanced, locate Minimum interval of Host collecting CPU usage, and click the Edit icon.
▬ Host with min. memory utilization: The host with the lowest memory utilization is chosen.
Note:
• The cloud collects host memory load over a period of time, calculates the average memory usage for that period, and selects the host with the lowest average.
• By default, the collection cycle is 10 minutes. To change it, go to Settings > Global Settings > Advanced, locate Minimum interval of Host collecting Memory usage, and click the Edit icon.
▬ Host with max. running VMs: The host with the most running VM instances is chosen. To use this option, set the maximum number of VM instances that can run on a host; the cloud then selects a host that still has room. If no host qualifies, VM creation fails.
▬ Host where the VM located last time: When you restart a stopped VM instance, the cloud selects the host where it last ran. When a VM instance starts for the first time, the cloud selects a host randomly.
▬ Random allocation: The cloud selects a host at random.
• Strategy Pattern: Required if the host allocation strategy is Host with min. CPU utilization or Host with min. memory utilization. Options: Allocation Strategy (soft) | Allocation Strategy (hard).
▬ If the cloud can query host load information, it allocates according to the host allocation strategy.
▬ If the cloud cannot query host load information, it falls back to the strategy pattern:
■ Allocation strategy (soft): The cloud allocates a random host with sufficient resources, ignoring the host allocation strategy.
■ Allocation strategy (hard): The cloud enforces the host allocation strategy, which may cause VM creation to fail.
• Disk Bandwidth: Optional. Set the upper limit of root volume I/O bandwidth for a VM instance. If not specified, I/O bandwidth is not limited. Unit: MB/s | GB/s | TB/s. The disk bandwidth parameter has two options:
• Total: Set the upper limit of the combined read and write speed of the VM root volume. The value must be an integer. Unit: MB/s | GB/s. Value range: 1 MB/s–100 GB/s. As shown in Figure 6-11: Total Bandwidth.
Figure 6-11: Total Bandwidth

• Read/Write: Set the following parameters:
• Volume Read Bandwidth: Set the upper limit of the read speed of the VM root volume. The value must be an integer. Unit: MB/s | GB/s. Value range: 1 MB/s–100 GB/s.
• Volume Write Bandwidth: Set the upper limit of the write speed of the VM root volume. The value must be an integer. Unit: MB/s | GB/s. Value range: 1 MB/s–100 GB/s.
As shown in Figure 6-12: Read/Write Bandwidth.

Figure 6-12: Read/Write Bandwidth

• Upstream Bandwidth: Optional. Set the upper limit of the network bandwidth for traffic sent by a VM instance. If not specified, upstream bandwidth is not limited. The value must be an integer. Unit: Kbps | Mbps | Gbps. Value range: 8 Kbps–100 Gbps.
• Downstream Bandwidth: Optional. Set the upper limit of the network bandwidth for traffic received by a VM instance. If not specified, downstream bandwidth is not limited. The value must be an integer. Unit: Kbps | Mbps | Gbps. Value range: 8 Kbps–100 Gbps.
Note: Before you set these limits, make sure that you fully understand the disk and network bandwidth configuration. Otherwise, uploads to or downloads from the VM instance might fail.
Click Next to finish creating the instance offering.

6.7 Add Image

Context
As shown in Figure 6-13: Add Image.

Figure 6-13: Add Image

Procedure
1. For Name, enter a name for the VM image.
2. Optional. For Description, enter a description for the VM image.
3. For Image Type, select the type that matches the image file. Options: qcow2 | raw.
4. For Platform, select the platform type. Options: Linux | Windows | WindowsVirtio | Other | Paravirtualization.
5. For Backup Storage, the backup storage created by the wizard is displayed by default.
Note:
• Make sure that the QEMU guest agent is installed in the imported image and starts automatically.
• If you then select Installed Qemu guest agent, you can change the password of a running VM instance created from the image, of VM instances cloned from it, and of images created from it.
6. For Image URL, select how the image is added or uploaded. Options: URL | Local file.
• URL: Add an image from a specified URL.
▬ HTTP/HTTPS:
■ Format: http://path/file or https://path/file
■ Example: http://cdn.zstack.io/product_downloads/images/zstack-image.qcow2
▬ FTP:
■ Anonymous format: ftp://hostname[:port]/path/file
Example: ftp://172.20.0.10/pub/zstack-image.qcow2
■ Non-anonymous format: ftp://user:password@hostname[:port]/path/file
Example: ftp://zstack:password@172.20.0.10/pub/zstack-image.qcow2
▬ SFTP:
■ Format with password: sftp://user:password@hostname[:port]/path/file
Example: sftp://root:password@172.20.0.10/pub/zstack-image.qcow2
■ Password-free format: sftp://user@hostname[:port]/path/file
Example: sftp://root@172.20.0.10/pub/zstack-image.qcow2
▬ Absolute path on the backup storage, supported for SFTP backup storage and ImageStore. Example: file:///opt/zstack-dvd/zstack-image-1.4.qcow2
Note:
• Before you enter a URL, make sure that the backup storage can reach it and that the file exists.
• Credentials embedded in an FTP or SFTP URL travel with the URL (and FTP sends them in clear text on the wire), so prefer the password-free SFTP format with key-based access, and use a dedicated, least-privileged account rather than root for image downloads.
• Before you add an image with the password-free SFTP method, make sure that password-free SSH access from the backup storage to the SFTP server is set up.
• Progress bar and resumable transfers:
▬ ImageStore backup storage supports a smooth, continuous progress bar and resumable (breakpoint) transfers.
▬ Ceph backup storage supports a smooth, continuous progress bar but not resumable transfers.
▬ SFTP backup storage supports neither a smooth, continuous progress bar nor resumable transfers.
• If you add an image with file:///, note that:
▬ Ceph backup storage currently does not support the file:/// format.
▬ The file:/// prefix contains three forward slashes (/), after which the absolute path on the backup storage follows. For example, with file:///opt/zstack-dvd/zstack-image-1.4.qcow2, the zstack-image-1.4.qcow2 file must be stored in the /opt/zstack-dvd directory of the backup storage.
• Local file: Upload an image file accessible from your current browser. This option is supported for ImageStore backup storage.
7. For Installed Qemu guest agent, select or clear the checkbox as needed. If the QEMU guest agent is installed in the image, select this checkbox; the password of VM instances created from the image can then be changed online.
8. Click Next. The cloud then creates and downloads the VM image in the backend.

6.8 Create L2 Network

Context
As shown in Figure 6-14: Create L2 Network.

Figure 6-14: Create L2 Network

Procedure
1. For Name, enter a name for the L2 network.
2. Optional. For Description, enter a description for the L2 network.
3. For Type, select a network type as needed.
• L2NoVlanNetwork
▬ If you do not want to use a VLAN network, select L2NoVlanNetwork.
▬ If you select L2NoVlanNetwork, make sure that the switch port connected to the specified NIC is in Access mode.
▬ For Physical NIC, enter the physical NIC of the compute node.
▬ For Cluster, the cluster created by the wizard is displayed by default.
• L2VlanNetwork
▬ If you want ZStack to configure the VLAN network, select L2VlanNetwork.
▬ If you select L2VlanNetwork, make sure that the switch port connected to the specified NIC is in Trunk mode.
▬ For VLAN ID, enter a number between 1 and 4094.
Make sure that the VLAN ID is the same as the one configured on the switch.
▬ For Physical NIC, enter the physical NIC of the compute node.
▬ For Cluster, the cluster created by the wizard is displayed by default.
4. Click Next to finish creating the L2 network.

6.9 Create L3 Network

Context
As shown in Figure 6-15: Create L3 Network.

Figure 6-15: Create L3 Network

Procedure
1. For L2 Network, the L2 network created by the wizard is displayed by default.
2. For Name, enter a name for the L3 network.
3. For Network Service Type, the default type is flat network.
4. For Add IP Range, select IP Range or CIDR.
• IP Range
▬ Enter the Start IP, End IP, Netmask, and Gateway. For example, the start IP address and end IP address can be 172.20.61.100 and 172.20.61.200, the netmask 255.255.0.0, and the gateway 172.20.0.1.
▬ Enter a DNS server, such as 8.8.8.8 or 114.114.114.114.
• CIDR
▬ Set the CIDR, such as 192.168.1.0/24.
▬ Enter a DNS server, such as 8.8.8.8 or 114.114.114.114.
5. Click Next. The cloud then automatically creates the L3 network.

What's next
You have now completed the basic settings of the cloud by following the wizard.

7 Cloud Operations Guide

This chapter describes the O&M operations that an administrator performs on ZStack Private Cloud.

7.1 Resource Pool

A resource pool mainly has the following resources:
• VM instance: a virtual machine instance created on a compute node.
• Volume: a data disk used by a VM instance that provides additional storage for it.
• Image: an image template used by a VM instance.
• Affinity group: a simple orchestration policy that specifies the binding relationship between VM instances and hosts.
• Instance offering: specifies the VM CPU, memory, I/O bandwidth, and other parameters.
• Disk offering: specifies the size of a VM data volume. • GPU specification: specifies the frame count, RAM, resolution, and other parameters of a GPU device. • Auto scaling group: an auto scaling policy based on load balancing for VM instances. • Snapshot: a point-in-time capture of data status in a root volume or data volume. 7.1.1 VM Instance A VM instance is a virtual machine instance running on a host. A VM instance has its own IP address to access public network and run application services. VM instances are core components of ZStack. 7.1.1.1 VM Instance Management In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > VM Instance. Then, the VM Instance management page is displayed, as shown in Figure 7-1: VM Instance Management Page. 156 Issue: V3.9.0User Guide / 7 Cloud Operations Guide Figure 7-1: VM Instance Management Page The VM Instance management page has the following two tab pages: • Available: Displays a list of VM instances that are in the running or stopped state. You can perform operations, such as creating, starting, stopping, restarting, and opening the console of a VM instance. • Deleted: Displays a list of VM instances that you deleted before. For the deleted VM instances, you can recover them or completely delete them. The VM list on the VM Instance management page includes the VM name, tag, CPU, memory, default IP address, host IP address, cluster, VM state, owner, high availability (HA) level, and other information. In the Tag, Cluster, and State columns, you can filter information by clicking the drop-down arrow. On the VM Instance management page, you can perform the following operations: • Search: Click the Search icon. Then, you can search for a VM instance by entering its name, UUID, IP address, host IP address, elastic IP address, instance offering name, or owner. You can also use the advanced search method, which is the same as calling the QueryVmInstance API. For more information, see the CLI manual. 
▬ When you use the advanced search, note that: ■ A search syntax includes three parts: a parameter, query condition, and value. For more information about the search syntax, see the Query API section in API Reference. ■ Cross-table queries are supported. Parameters of a search syntax must be separated by a period (.). ■ A combination query with multiple conditions is supported. Multiple search syntaxes must be separated by a space. ▬ The following are some advanced search examples: ■ Search by CPU count: cpuNum=4 Issue: V3.9.0 157User Guide / 7 Cloud Operations Guide ■ Search by IP address: vmNics.ip=192.168.10.2 ■ Search by MAC address: vmNics.mac=fa:fc:d7:d8:c0:00 ■ Search by cluster UUID: cluster.uuid=502b8933e9c04aafab5f9d7404c5790e ■ Search by image UUID: image.uuid=54ff7eb2c89a3efdb64cd3aa97796441 ■ Search by system capacity: rootVolume.actualSize<=10737418240 ■ Search by VM state: state=Running or state!=Paused ■ Search by VM platform: platform=Linux or platform=WindowsVirtio • Export CSV: Click the Export CSV icon at the upper right. Then, you can export a list of VM instances on the current page or on all related pages. • Row Count: Click the Row Count drop-down arrow. Then, you can select the number of VM instances that can be displayed on each page. • Tag: Create a tag for resources in a custom manner. With resource tags, you can quickly filter the required resources via tag types and tag names. The Tag button supports the following operations: ▬ Filter resource: Click the Tag button. Then, a tag list is displayed. After you select one or more tags in the tag list, resources that bind the tags will be automatically filtered. ▬ Display tag: Click the Tag button. Then, a tag list is displayed. If you have too many tags, find the required tags by dragging the scroll bar. Note: • A tag list is displayed according to different tag roles (admin or tenant). You can switch roles by click the Tag drop-down arrow. 
• Resource tags can be sorted in order according to the creation time or tag names (priority: characters > numbers > Chinese characters > English characters). To change the sort order, go to Settings > Global Settings > Advanced, locate Tag sorting field, and click the Edit icon. By default, the tags are sorted in order by tag name. ▬ Search tag: In the search box at the top of the tag list, enter either a tag name or a keyword to search for the tag that you want. This operation applies to the scenario with too many tags. We recommend that you use the scroll bar when tags are fewer. ▬ Create tag: In the lower left corner of the displayed tag list, click Create Tag. Then, you can create tags as needed. For more information about tag creation and notices, see Tag. 158 Issue: V3.9.0User Guide / 7 Cloud Operations Guide ▬ Tag management: In the lower right corner of the displayed tag list, click Tag Management. Then, the Tag page is displayed. This page displays a list of tags. On this page, you can create a tag, delete a tag, or unbind a tag from a resource. For more information, see Tag. • Custom List: Click the Custom List icon. Then, you can customize the items that can be displayed in a VM list. Note: • In a VM list, the VM names are displayed by default. You can decide whether to display other items as needed. • After you customize the display items of a VM list, the latest information will the exported when you use the export CSV feature. • The Community version does not support the custom list feature. 7.1.1.2 Create VM Instance ZStack allows you to create one or more VM instances at a time. In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > VM Instance. On the VM Instance page, click Create VM Instance. On the displayed Create VM Instance page, set the following parameters: • Add Type: Select an add type to determine whether to create multiple VM instances at a time. Options: Single | Multiple. 
If you select Multiple, specify the number of VM instances to be created. • Name: Enter a name for the VM instance. • Description: Optional. Enter a description for the VM instance. • Instance Offering: Select an instance offering for creating a VM instance. • Image: Select an image for creating a VM instance. The image BIOS mode includes Legacy and UEFI. Note: • A VM instance inherits the BIOS mode of the image added to the VM instance. • You need to get the corresponding image ready, and select a proper BIOS mode. For more information, see Add Image. • You can change the BIOS mode on the VM details page. Exercise caution when you make any changes. The VM instance may fail to work properly if the BIOS mode does not match Issue: V3.9.0 159User Guide / 7 Cloud Operations Guide the VM instance. After you change the BIOS mode, restart the VM instance for the changes to take effect. • The Legacy mode is recommended when you create a VM instance. If you want to use the UEFI mode, we recommend that you select the corresponding image from the following list of operating system versions. Operating System BIOS Mode Supported Version • Windows 8 or later UEFI versions Windows • Windows 7 UEFI (compatibility module) • Windows 2008 R2 • CentOS 7.2 • CentOS 7.3 Linux UEFI • CentOS 7.4 or later versions • When you create a VM instance, a virtual drive (vDrive) will also be created by default. The relationship between different image formats and the default vDrive is as follows: ▬ If you select a qcow2 image or raw image, the system will create an empty vDrive by default. To delete the vDrive, go to the Create VM Instance page and choose Advanced > vDrive. ▬ If you select an ISO image, the system will create a vDrive by default and attach the ISO image to the vDrive. Note that this vDrive cannot be deleted on the Create VM Instance page by choosing Advanced > vDrive. • Root Disk Offering: Select a root disk size for the VM instance. 
This option displays only when you select an ISO image. • Network: Select a network for the VM instance. The required parameters are as follows: ▬ Network Address Type: Select a network address type. Options: IPv4 | IPv6 | Double Stack. ■ If you select IPv4, continue to select an L3 Network. The L3 network can be a private network, a public network, or a VPC network, as shown in Select IPv4 Network. Figure 7-2: Select IPv4 Network 160 Issue: V3.9.0User Guide / 7 Cloud Operations Guide You can select one or more networks as needed. Then, click OK at the bottom of the selection page, as shown in Add IPv4 L3 Network. Figure 7-3: Add IPv4 L3 Network After you add a network successfully, you can set the following parameters as needed: ■ Set Default Network: If you added more than one L3 network, you could set the default network by selecting the radio button in front of the network name. ■ Set VM NIC: You can click VM NIC Setting to set the fixed IP address and MAC address, as shown in Figure 7-4: VM NIC Setting. Issue: V3.9.0 161User Guide / 7 Cloud Operations Guide Figure 7-4: VM NIC Setting Note: • When you specify an IP address for a VM instance, the following notifications might be displayed under the input box to indicate the IP address state: ▬ If the IP address is occupied, the following message is displayed: The IP address is occupied. ▬ If the IP address is out of the specified IP range, the following message is displayed: The IP address is out of the specified IP range. ▬ If the IP address is invalid, the following message is displayed: Invalid IP address. • If you create multiple VM instances at a time, the IP addresses are allocated to the VM instance in sequence with the specified IP address as the start address. If an address in the specified range is occupied, the corresponding VM instances will fail to be created. ■ Enable SR-IOV: Choose whether to enable SR-IOV. ■ By default, this checkbox is not selected, indicating that SR-IOV is not enabled. 
In this case, the VM instance you created will have a vNIC attached. ■ If selected, SR-IOV is enabled. In this case, the VM instance you created will have a VF NIC attached. 162 Issue: V3.9.0User Guide / 7 Cloud Operations Guide Note: When you enable SR-IOV, note that: • The SR-IOV feature must be enabled for the L2 network that corresponds to the L3 network. Otherwise, SR-IOV might fail to be enabled. • After SR-IOV is enabled, make sure that the physical NIC of the L3 network has an available VF NIC. Otherwise, the VM instance might fail to be created. • If SR-IOV is enabled, NICs of the VM instances that were created by using a public network or a flat network do not support the network services such as security group, VIP QoS, and elastic IP. • If SR-IOV is enabled, NICs of the VM instances that were created by using the vRouter network or VPC network do not support the security group network services. ■ If you select IPv6, continue to select an L3 Network. The L3 network can be a private network or a public network, as shown in Select IPv6 Network. Figure 7-5: Select IPv6 Network Similar to IPv4 network, you can select one or more networks as needed. Then, click OK at the bottom of the selection page. If you added more than one L3 network, you can set the default network by selecting the radio button in front of the network name. You can also click VM NIC Setting to set the fixed IP and MAC address. Note: Issue: V3.9.0 163User Guide / 7 Cloud Operations Guide • When you specify an IP address for a VM instance, the following notifications might be displayed under the input box to indicate the IP address state: ▬ If the IP address is occupied, the following message is displayed: The IP address is occupied. ▬ If the IP address is out of the specified IP range, the following message is displayed: The IP address is out of the specified IP range. ▬ If the IP address is invalid, the following message is displayed: Invalid IP address. 
• If you create multiple VM instances at a time, the IP addresses are allocated to the VM instance in sequence with the specified IP address as the start address. If an address in the specified range is occupied, the corresponding VM instances will fail to be created. ■ If you select Double Stack, continue to select a NIC, as shown inSelect Double Stack. Figure 7-6: Select Double Stack Click Add VM NIC. On the Add VM NIC page, set the following parameters: ■ MAC Address: Optional. Set the MAC address of the VM instance. If not set, the system will randomly allocate a MAC address to the VM instance. ■ IPv4 Network: Select an IPv4 network. The IPv4 network can be a private network, a public network, or a VPC network. ■ IPv6 Network: Select an IPv6 network. The IPv6 network can be a private network or a public network. As shown in Add VM NIC. 164 Issue: V3.9.0User Guide / 7 Cloud Operations Guide Figure 7-7: Add VM NIC Click VM NIC Setting to set the fixed IP address. Note: • When you specify an IP address for a VM instance, the following notifications might be displayed under the input box to indicate the IP address state: ▬ If the IP address is occupied, the following message is displayed: The IP address is occupied. ▬ If the IP address is out of the specified IP range, the following message is displayed: The IP address is out of the specified IP range. ▬ If the IP address is invalid, the following message is displayed: Invalid IP address. • If you create multiple VM instances at a time, the IP addresses are allocated to the VM instance in sequence with the specified IP address as the start address. If an address in the specified range is occupied, the corresponding VM instances will fail to be created. Click OK to finish adding the NIC, and go back to the Create VM Instance page. Note: Issue: V3.9.0 165User Guide / 7 Cloud Operations Guide • When you select Double Stack, verify that both the IPv4 network and IPv6 network of each NIC are on the same L2 network. 
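The IP address checks and the sequential allocation rule described in the notes above, as an added example that is not part of the ZStack user guide or product code. It models only the start and end addresses of an L3 IP range plus the set of addresses already in use; the range, occupied addresses and requested addresses are constructed sample values, and the names IpRange, check and allocate are this example's own.

```python
"""Added example (not ZStack code): the IP address checks shown under
VM NIC Setting and the in-sequence allocation used for multiple VM instances.

The range, occupied addresses and requested addresses are constructed samples.
"""
import ipaddress
from typing import List, Optional, Set

# The three notifications the UI shows under the IP input box.
IP_OCCUPIED = "The IP address is occupied."
IP_OUT_OF_RANGE = "The IP address is out of the specified IP range."
IP_INVALID = "Invalid IP address."


class IpRange:
    """One IP range of an L3 network: start IP, end IP and addresses in use."""

    def __init__(self, start: str, end: str, occupied: Set[str]) -> None:
        self.start = ipaddress.ip_address(start)
        self.end = ipaddress.ip_address(end)
        if self.start.version != self.end.version or self.start > self.end:
            raise ValueError("start and end must share an IP version and start <= end")
        # Normalize the occupied set so comparisons are on address objects.
        self.occupied = {ipaddress.ip_address(a) for a in occupied}

    def check(self, text: str) -> Optional[str]:
        """Return the UI message for a requested address, or None if usable."""
        try:
            ip = ipaddress.ip_address(text.strip())
        except ValueError:
            return IP_INVALID
        if ip.version != self.start.version or not (self.start <= ip <= self.end):
            return IP_OUT_OF_RANGE
        if ip in self.occupied:
            return IP_OCCUPIED
        return None

    def allocate(self, start_text: str, count: int) -> List[str]:
        """Allocate `count` consecutive addresses beginning at `start_text`.

        Mirrors the documented behaviour for multiple VM instances: addresses
        are handed out in sequence, and the whole batch fails if any address in
        the span is occupied, out of range or invalid. Nothing is marked as used
        unless every address validated.
        """
        if count < 1:
            raise ValueError("count must be at least 1")
        first_error = self.check(start_text)
        if first_error:
            raise ValueError(f"{start_text}: {first_error}")
        start = ipaddress.ip_address(start_text.strip())
        allocated: List[str] = []
        for offset in range(count):
            ip = start + offset  # address arithmetic; raises ValueError past the address space
            error = self.check(str(ip))
            if error:
                raise ValueError(f"{ip}: {error}")
            allocated.append(str(ip))
        self.occupied.update(ipaddress.ip_address(a) for a in allocated)
        return allocated


if __name__ == "__main__":
    rng = IpRange("192.168.10.100", "192.168.10.110", {"192.168.10.103"})
    print(rng.check("192.168.10.103"))          # occupied
    print(rng.allocate("192.168.10.100", 3))    # 100, 101, 102
```

Validating the whole batch before marking anything as used matches the page's statement that the VM instances whose addresses collide fail to be created, rather than leaving a half-reserved range behind.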
      • You can add multiple NICs at a time. Note that different NICs cannot share the same L2 network.

So far, the basic settings for creating a VM instance are complete. The following is an example of creating a VM instance with an IPv4 network selected, as shown in Figure 7-8: Create VM Instance. Click OK to finish creating the VM instance.

Figure 7-8: Create VM Instance

When you create a VM instance in ZStack, you can configure the advanced settings by clicking Advanced on the Create VM Instance page, as shown in Figure 7-9: Advanced Setting.

Figure 7-9: Advanced Setting

To configure the advanced settings, set the following parameters:
• Data Disk Offering: Select a data disk offering.
  ▬ After you select a data disk offering, the system directly creates a data volume and attaches it to the VM instance.
  ▬ If no disk offering is available, create one by referring to Create Disk Offering.
• Storage Allocation Policy: Select a storage allocation policy.
  ▬ System allocation: The system allocates primary storage according to the preconfigured allocation policy.
  ▬ Manual allocation: You manually select a primary storage as needed.
• Affinity Group: Select an affinity group that you created before. The system places VM instances on hosts according to the rules of the chosen affinity group.
• CPU Pinning: Specify the association between the physical CPUs (pCPUs) of hosts and the virtual CPUs (vCPUs) of VM instances. The system then allocates pCPUs to VM instances accordingly, which helps to improve VM performance.
  ▬ To specify more CPU pinning policies, click Add more.
  ▬ Enter the vCPU range in the left text box and the pCPU range in the right text box. The - symbol indicates a value range, and the ^ symbol indicates that a value is excluded. If you specify multiple rules in a policy, separate the rules with commas (,). The following are some examples:
    ■ 0-2 indicates CPU 0, CPU 1, and CPU 2.
    ■ ^2 indicates that CPU 2 is not included.
    ■ 0-2,^2 indicates CPU 0 and CPU 1.
    ■ 1-7,^2,^3,^4,10 indicates CPU 1, CPU 5, CPU 6, CPU 7, and CPU 10.
  Note:
  • The vCPU range depends on the instance offering of the VM instance, while the pCPU range depends on the chosen cluster or on the number of pCPUs of the chosen host.
  • If a vCPU has multiple CPU pinning policies, the union of the policies is used.
  • ZStack supports CPU overcommitting, so the number of vCPUs can be greater than the number of pCPUs. However, if the number of vCPUs specified in the CPU pinning policy is greater than the number of pCPUs, VM performance is affected. This setting is not recommended.
  • You can modify the CPU pinning policy on the Basic Attributes tab page of a VM instance. The modification takes effect after you restart the VM instance.
  • Cloning or migrating a VM instance also copies the CPU pinning policy, while creating a VM image or performing a VM backup does not.
  • When you create a VM instance, the system first checks the affinity group and host allocation strategies, and then checks the CPU pinning policy.
  • If you power off a VM instance, modify its instance offering, and reduce its CPU count, a CPU pinning policy that is no longer valid does not take effect. In this case, we recommend that you modify or delete the policy.
• Cluster: Specify the cluster in which the host of the VM instance is to be started.
• Data Volume Primary Storage: Specify a primary storage for the data volume of the VM instance.
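The CPU pinning syntax described under CPU Pinning above, as an added example that is not ZStack's own code. parse_cpu_set expands one range expression; build_pinning combines the (vCPU, pCPU) rule pairs of a policy, takes the union for a vCPU that appears in several rules, and rejects indexes outside the instance offering's vCPU count or the host's pCPU count; overcommit_warning flags the not-recommended case of pinning more vCPUs than there are pCPUs. Accepting an excluded range such as ^2-4 is this example's assumption (the page shows only ^n), and the vCPU and pCPU counts used are constructed.

```python
"""Added example (not ZStack code): parse the CPU pinning syntax of the
Create VM Instance page.

An expression is a comma-separated list of items: "a-b" is an inclusive range,
"n" a single CPU and "^n" an exclusion. Exclusions apply to the whole
expression regardless of position. Accepting "^a-b" is an assumption of this
example; the vCPU and pCPU counts used are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# optional ^ prefix, a number, and an optional -number range end
_ITEM = re.compile(r"^(\^)?(\d+)(?:-(\d+))?$")


def parse_cpu_set(expr: str) -> Set[int]:
    """Expand one range expression into the set of CPU indexes it denotes."""
    included: Set[int] = set()
    excluded: Set[int] = set()
    for raw in expr.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty item in {expr!r}")
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"bad item {item!r} in {expr!r}")
        negate, lo, hi = m.group(1), int(m.group(2)), m.group(3)
        hi = int(hi) if hi is not None else lo
        if hi < lo:
            raise ValueError(f"descending range {item!r} in {expr!r}")
        target = excluded if negate else included
        target.update(range(lo, hi + 1))
    return included - excluded


def build_pinning(rules: List[Tuple[str, str]], vcpu_num: int, pcpu_num: int) -> Dict[int, Set[int]]:
    """Combine the (vCPU expression, pCPU expression) pairs of one policy.

    A vCPU listed in several rules gets the union of their pCPU sets, as the
    page states. vCPU indexes must be below the instance offering's vCPU count
    and pCPU indexes below the host's pCPU count; anything else is rejected,
    which is also how a policy left over from a smaller offering would surface.
    """
    pinning: Dict[int, Set[int]] = {}
    for vexpr, pexpr in rules:
        vcpus = parse_cpu_set(vexpr)
        pcpus = parse_cpu_set(pexpr)
        if not vcpus or not pcpus:
            raise ValueError(f"rule ({vexpr!r}, {pexpr!r}) selects no CPU")
        bad_v = sorted(v for v in vcpus if v >= vcpu_num)
        if bad_v:
            raise ValueError(f"vCPU {bad_v} not in offering of {vcpu_num} vCPUs")
        bad_p = sorted(p for p in pcpus if p >= pcpu_num)
        if bad_p:
            raise ValueError(f"pCPU {bad_p} not present on host with {pcpu_num} pCPUs")
        for v in vcpus:
            pinning.setdefault(v, set()).update(pcpus)
    return pinning


def overcommit_warning(pinning: Dict[int, Set[int]], pcpu_num: int) -> bool:
    """True when more vCPUs are pinned than the host has pCPUs (not recommended)."""
    return len(pinning) > pcpu_num


if __name__ == "__main__":
    print(sorted(parse_cpu_set("1-7,^2,^3,^4,10")))       # [1, 5, 6, 7, 10]
    print(build_pinning([("0-1", "0-3"), ("1", "4")], 4, 8))
```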
  ▬ If the primary storage type of your data volume is Shared Block, select a provisioning method: thin provisioning or thick provisioning.
    ■ Thin provisioning: Allocates storage space to data volumes based on actual usage, achieving higher storage utilization.
    ■ Thick provisioning: Allocates the required storage space in advance to provide sufficient storage capacity to data volumes, ensuring storage performance.
  ▬ If the primary storage type of your data volume is Ceph, specify the Data Volume Pool.
    ■ The Data Volume Pool parameter is optional. If not specified, the system uses the initial Ceph data volume pool to create data volumes.
    ■ You can add multiple data volume pools on the Storage Pool tab page of the Ceph primary storage details page.
    ■ A Ceph pool can be either a data volume pool or a root volume pool.
  ▬ ZStack allows you to attach more than one primary storage to a cluster. For more information, see Cluster | Primary Storage in Cluster.
  Note: When you create a VM instance, the policy for allocating among multiple primary storages is as follows:
  • If a cluster has multiple local primary storages attached:
    ▬ You can specify any local primary storage when you create a VM instance.
    ▬ If you do not specify a primary storage, the system automatically selects the local primary storage with the most available capacity.
  • If a cluster has multiple shared primary storages attached (currently, multiple NFS primary storages or multiple Shared Block primary storages are supported):
    ▬ You can specify any NFS or Shared Block primary storage when you create a VM instance.
    ▬ If you do not specify a primary storage, the system automatically allocates an available NFS or Shared Block primary storage.
  • If a cluster has a combination of primary storages attached (currently supported combinations: 1 LocalStorage + 1 NFS, 1 LocalStorage + 1 SMP, 1 LocalStorage + 1 Shared Block):
    ▬ You can specify any primary storage when you create a VM instance.
    ▬ If you create a data volume and attach it to the VM instance at creation time, you must specify a primary storage for the data volume.
    ▬ If you do not specify a primary storage, the system automatically uses a local primary storage to create the VM instance.
• Root Volume Primary Storage: Specify a primary storage for the root volume of the VM instance.
  ▬ If the primary storage type of your root volume is Shared Block, select a provisioning method: thin provisioning or thick provisioning.
    ■ Thin provisioning: Allocates storage space based on actual usage, achieving higher storage utilization.
    ■ Thick provisioning: Allocates the required storage space in advance to provide sufficient storage capacity, ensuring storage performance.
  ▬ If the primary storage type of your root volume is Ceph, specify the Root Volume Pool.
    ■ The Root Volume Pool parameter is optional. If not specified, the system uses the initial Ceph root volume pool to create VM instances.
    ■ You can add multiple root volume pools on the Storage Pool tab page of the Ceph primary storage details page.
    ■ A Ceph pool can be either a data volume pool or a root volume pool.
    ■ Currently, root volume pools cannot be deleted.
• Host: Select the host on which the VM instance is to be started. If you selected a cluster, select a host from that cluster.
• vDrive: Create more vDrives for the VM instance. To create more vDrives, click Create More vDrive. To attach an ISO to a vDrive, click Attach ISO.
  ▬ If you select a qcow2 image or raw image, the system creates an empty vDrive by default. To delete the vDrive, go to the Create VM Instance page and choose Advanced > vDrive.
  ▬ If you select an ISO image, the system creates a vDrive by default and attaches the ISO image to it. This vDrive cannot be deleted on the Create VM Instance page by choosing Advanced > vDrive.
  ▬ You can set the maximum number of vDrives for a VM instance after stopping the VM instance. To do so, go to Settings > Global Settings > Advanced, locate maximumCdRomNum, and click the Edit icon. Options: 1 | 2 | 3. Default value: 3.
• GPU Add Methods: Add a GPU device (pGPU or vGPU) to the VM instance by specifying a GPU specification or a GPU device.
  ▬ GPU specifications: Allocates a GPU device according to the chosen GPU specification, as shown in Figure 7-10: GPU Specifications.

    Figure 7-10: GPU Specifications

    Auto uninstall GPU device when VM stopped: Determines whether the GPU device is retained when the corresponding VM instance is stopped.
    ■ By default, this checkbox is not selected if you use a pGPU and is selected if you use a vGPU.
    ■ If selected, the GPU device is automatically uninstalled after the VM instance is stopped. When the VM instance is restarted, a new GPU device is allocated to it according to the GPU specification.
    ■ If not selected, the GPU device is retained after the VM instance is stopped. When the VM instance is restarted, the existing GPU device is used.
  ▬ GPU device: Attaches the chosen GPU device when you create the VM instance.
  Note:
  • One VM instance can have multiple pGPU devices or only one vGPU device attached at the same time.
  • One VM instance cannot have both pGPU devices and vGPU devices attached at the same time.
  • You can attach GPU devices to a VM instance only from the host where the VM instance is located. Currently, you cannot attach GPU devices to a VM instance across hosts.
• HA Level: Select an HA level. Options: NeverStop | None. Default level: None.
  ▬ None: The high availability feature is disabled for the VM instance.
  ▬ NeverStop: The high availability feature is enabled for the VM instance.
  Note:
  • To enable or disable the HA feature, go to Settings > Global Settings > Basic Settings, locate Enable next to HA, and click the Edit icon. Default value: true.
  • If disabled, you cannot set high availability for VM instances, and the VM instance details page does not display high availability information.
  • If disabled, the high availability feature is disabled globally. Exercise caution.
• Resource Priority: Set the resource priority for the VM instance. Options: Normal | High. Default priority: Normal. When resource competition occurs due to high host load, VM instances with the High resource priority are given precedence.
  Note: We recommend that you set a high resource priority only for important VM instances.
• Console Password: Set a password (VNC password) for the VM console. The password must be 6 to 18 characters long.
• SSH Login Method: If Cloud-Init is installed in your VM image, you can log in to the VM instance by using an SSH key or a password.
  ▬ If you use an SSH key, set the following parameter:
    ■ SSH Key: After an SSH key is injected into a VM instance, you can SSH in to the VM instance without entering a password while the VM instance is running.
  ▬ If you use a password, set the following parameters:
    ■ User Name: By default, the user name is root.
    ■ Password: After a root password is injected into a VM instance, you can SSH in to the VM instance with that password while the VM instance is running.
  Note:
  • The root password setting method applies only to Linux VM instances. For Windows VM instances, you can set passwords by using User Data.
  • Before you set the password, make sure that Cloud-Init is installed in the VM image. Cloud-Init 0.7.9 and 17.1 are recommended.
  • For CentOS, you can run yum install cloud-init to install Cloud-Init.
  • After you set a password here, do not set it again in User Data, to avoid conflicts.
  • After you set a root password, the clear text password is displayed in the User Data section on the details page of the created VM instance. Keep your password confidential.
  Note: Different types of images support different SSH login methods.
  • Images of different operating systems:
    ▬ Linux image: Fixed user name: root. Supported SSH login methods: SSH key | password.
    ▬ Windows image: Fixed user name: administrator. Supported SSH login method: setting a password by using User Data.
  • Images of different formats:
    ▬ Image of the ISO type: Supported SSH login method: SSH key.
    ▬ Image of the Image type: Supported SSH login methods: SSH key | password.
• Hostname: Set a hostname for the VM instance.
  ▬ The rules for Linux hostnames and Windows hostnames differ.
    ■ Linux hostname: The hostname must be 2 to 60 characters long and can contain uppercase letters, lowercase letters, numbers, and hyphens (-). A hostname cannot contain consecutive hyphens (-) and cannot start or end with a hyphen (-).
    ■ Windows hostname: The hostname must be 2 to 15 characters long and can contain uppercase letters, lowercase letters, numbers, and hyphens (-). A hostname cannot contain consecutive hyphens (-), cannot start or end with a hyphen (-), and cannot consist only of numbers.
  ▬ Before you set a hostname, make sure that the DHCP service of the L3 network corresponding to the VM instance is enabled.
  ▬ For Linux images, the hostname must be set to localhost.localdomain.
  ▬ After you set a hostname, do not set it again in User Data, to avoid conflicts.
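A validator for the Linux and Windows hostname rules listed above, as an added example rather than the cloud's own input check; hostname_error and is_valid_hostname are names chosen for this example. It implements only the length, character, hyphen and digits-only rules stated above, not the localhost.localdomain requirement, and the hostnames it is exercised with are constructed.

```python
"""Added example (not ZStack code): check a hostname against the Linux and
Windows rules listed for the Hostname parameter before submitting it.

Only the length, character, hyphen and digits-only rules are implemented;
the sample hostnames used with it are constructed.
"""
import re
from typing import Optional

# letters, digits and hyphens only; everything else is rejected
_ALLOWED = re.compile(r"^[A-Za-z0-9-]+$")
# (minimum, maximum) length per operating system, as stated on the page
_LIMITS = {"linux": (2, 60), "windows": (2, 15)}


def hostname_error(hostname: str, os_type: str) -> Optional[str]:
    """Return the reason a hostname is rejected, or None if it is acceptable.

    Shared rules: letters, digits and hyphens only; no consecutive hyphens; no
    leading or trailing hyphen; 2-60 characters for Linux, 2-15 for Windows.
    Windows additionally rejects a name made up only of digits.
    """
    key = os_type.lower()
    if key not in _LIMITS:
        raise ValueError(f"unknown os_type {os_type!r}; expected 'linux' or 'windows'")
    lo, hi = _LIMITS[key]
    if not lo <= len(hostname) <= hi:
        return f"hostname must be {lo} to {hi} characters long"
    if not _ALLOWED.match(hostname):
        return "hostname may contain only letters, digits and hyphens (-)"
    if "--" in hostname:
        return "hostname cannot contain consecutive hyphens (-)"
    if hostname.startswith("-") or hostname.endswith("-"):
        return "hostname cannot start or end with a hyphen (-)"
    if key == "windows" and hostname.isdigit():
        return "Windows hostname cannot contain only numbers"
    return None


def is_valid_hostname(hostname: str, os_type: str) -> bool:
    """Convenience wrapper: True when hostname_error reports nothing."""
    return hostname_error(hostname, os_type) is None


if __name__ == "__main__":
    for name, os_type in (("web-01", "linux"), ("web--01", "linux"), ("123456", "windows")):
        print(name, os_type, hostname_error(name, os_type))
```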
• User Data: You can import user data. That is, you can customize VM configurations or operations by uploading custom parameters or scripts so that the VM instance can complete some specific tasks. ▬ Before you import user data, make sure that both the Userdata network service and DHCP network service are available. ▬ By default, the Userdata network service and DHCP network service in the flat network, vRouter network, and VPC network environments are enabled. ▬ If you set a hostname and password by using user data, do not set them again in SSH Login Method to avoid conflicts. ▬ After you set a root password by using user data, a clear text password will be displayed in the User Data section on the details page of the created VM instance. Please keep your password confidential. ▬ When you import user data to a Linux VM instance, note that: ■ Cloud-Init must be installed for the VM image. Recommended version: 0.7.9 and 17.1. ■ If you create a Linux VM instance by using a VM image that has Cloud-Init installed, you must import the user data. Otherwise, the Cloud-Init task will wait until the task times out. ■ The following is an example of importing user data to a Linux VM instance: #cloud-config users: - name: test shell: /bin/bash groups: users sudo: [''ALL=(ALL) NOPASSWD:ALL''] ssh-authorized-keys: - ssh-rsa AAAAB3NzaC1LXCJfjroD1lT root@10-0-0-18 bootcmd: - mkdir /tmp/temp write_files: - path: /tmp/ZStack_config content: | Hello,world! permissions: ''0755'' hostname: Perf-test disable_root: false Issue: V3.9.0 177User Guide / 7 Cloud Operations Guide ssh_pwauth: yes chpasswd: list: | root:word expire: False runcmd: - echo ls -l / >/root/list.sh The implementation of the script above is as follows: 1. Create a user named test and use ssh-key when a VM instance is created. 2. Write the /etc/hosts file when the VM instance is started, create a directory named /tmp/temp, crate a file, and write content to the file. 3. 
Set the hostname, enable the root user, allow SSH login with password, and change the root password. 4. Run the echo ls -l / command. ▬ When you import user data to a Windows VM instance, note that: ■ Cloudbase-Init must be installed for the VM image. The version of the Cloudbase-Init is not enforced. For information about how to install Cloudbase-Init, see Cloudbase Documentation. ■ If you create a Windows VM instance by using a VM image that has Cloudbase-Init installed, you must import the user data. Otherwise, the Cloudbase-Init task will wait until the task times out. ■ The following is an example of importing user data to a Windows VM instance: #cloud-config write_files: - encoding: b64 content: NDI= path: C:\b64 permissions: ''0644'' - encoding: base64 content: NDI= path: C:\b64_1 permissions: ''0644'' - encoding: gzip content: !!binary | H4sIAGUfoFQC/zMxAgCIsCQyAgAAAA== path: C:\gzip permissions: ''0644'' The script above creates b64, b64_1, and gzip files under C drive when the VM instance is started. • VirtioSCSI: If selected, the VirtioSCSI bus will be used, and a data volume of the SCSI type will be created. 178 Issue: V3.9.0User Guide / 7 Cloud Operations Guide • USB redirection: ZStack is compatible with multiple USB devices for redirection. You must select this checkbox if you want to use the VDI feature. Then, the USB device on the VDI client will be redirected to the VDI VM instance. • Anti-spoofing: ZStack provides anti-IP/MAC forgery and ARP spoofing features. If selected, the VM instance can only use the IP or MAC address allocated by the cloud to communicate with external networks. ▬ By default, this setting is consistent with the Network Anti-Spoofing switch in Global Settings. ■ If the Network Anti-Spoofing switch in global settings is set to true, this checkbox is selected by default. ■ If the Network Anti-Spoofing switch in global settings is set to false, this checkbox is not selected by default. 
▬ By default, the anti-spoofing setting of existing VM instances is consistent with the Network Anti-Spoofing switch in the global settings. You can manually set this switch on the Basic Attributes tab page of the VM details page. • Console Mode: Set the mode for opening the VM console. Options: vnc | spice | vnc+spice. Default mode: vnc. • Bind Tag: Bind one or more tags to the VM instance. Note: • One resource can bind 50 tags at most, while a tag can bind unlimited number of resources . • Many-to-many bindings are supported. That is, you can bind multiple tags to multiple resources. • Tags that were created by a tenant can only be bound to resources owned by the tenant, while admin tags can be bound to all resources. • An administrator can unbind or delete tenant tags. • Resource tags can be sorted in order according to the creation time or tag names (priority: characters > numbers > Chinese characters > English characters). To change the sort order, go to Settings > Global Settings > Advanced, locate Tag sorting field, and click the Edit icon. By default, the tags are sorted in order by tag name. Issue: V3.9.0 179User Guide / 7 Cloud Operations Guide 7.1.2 Volume A volume provides storages for VM instances. A volume can either be a root volume or a data volume. • Root volume: a system disk where the VM instance operating system is installed. • Data volume: a data disk that provides additional storage for a VM instance. Data volumes are mainly involved in volume management. Precautions When you use volumes, note that: • Volumes are hypervisor specific. That is, a volume that has been attached to a VM instance of one hypervisor type cannot be attached to a VM instance of another hypervisor type. For example, a volume of KVM VM instances cannot be attached to VMware VM instances. • A volume can have two sizes: real size and virtual size. 
The real size is the space that a volume actually occupies in the storage system, while the virtual size is the size that the volume claims. The virtual size is usually greater than or equal to the real size. As more files are written, the real size gradually increases.
• A volume (excluding shared volumes) can only be attached to one VM instance at any given time. Ceph and Shared Block primary storages support shared volumes. A shared volume can be identified and accessed by multiple VM instances at the same time.
• A root volume is always attached to its owner VM instance and cannot be detached.
• A data volume can be attached to or detached from different VM instances of the same hypervisor type.
• In an environment with multiple primary storages, you can specify the primary storage on which to create a volume. If no primary storage is specified, the default placement is as follows:
  ▬ For local primary storages, the volume is created on the primary storage with the largest available capacity.
  ▬ For NFS primary storages, the volume is created on a randomly selected primary storage.
  ▬ For mixed primary storages (local + NFS/Shared Mount Point), the volume is created on a primary storage that does not hold the root volume of the VM instance.
• You can set QoS on data volumes to limit disk bandwidth. Note that an excessively low QoS limit causes poor I/O performance.

7.1.2.1 Volume Management
In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > Volume. The Volume management page is displayed, as shown in Volume Management Page.
Figure 7-11: Volume Management Page
The Volume management page includes the following three tab pages:
• Available: Displays a list of the volumes currently available in the system.
• Not Instantiated: Displays a list of the uninstantiated volumes.
  ▬ Uninstantiated means that the volume does not yet occupy any space.
    It is a conceptual device only. The volume is instantiated when it is attached to a VM instance.
  ▬ Assume that you create a volume by selecting a disk offering without specifying any other resources. The volume you create is an uninstantiated volume.
• Deleted: Displays a list of volumes that have been deleted but not expunged. You can recover or completely delete a deleted volume as needed.
On the Volume management page, you can perform the following operations:
• Search: Click the Search icon. Then, you can search for a volume by entering its name, UUID, or IP address. You can also use the advanced search method, which is the same as calling the QueryVolume API. For more information, see the CLI manual.
  ▬ When you use the advanced search, note that:
    ■ A search expression has three parts: a parameter, a query condition, and a value. For more information about the search syntax, see the Query API section in the API Reference.
    ■ Cross-table queries are supported. The parameters of a search expression must be separated by a period (.).
    ■ Combined queries with multiple conditions are supported. Multiple search expressions must be separated by a space.
  ▬ The following are some advanced search examples:
    ■ Search for volumes not attached to VM instances: vmInstanceUuid is null
    ■ Search for volumes attached to VM instances: vmInstanceUuid is not null
    ■ Search by VM UUID: vmInstance.uuid=3badf3b51f4447aaabbab9ae5eca5fcb
    ■ Search by primary storage UUID: primaryStorageUuid=d4c96e17010f4461a5112c19da85410d
• Tag: Create custom tags for resources. With resource tags, you can quickly filter the required resources by tag type and tag name. The Tag button supports the following operations:
  ▬ Filter resource: Click the Tag button. A tag list is displayed. After you select one or more tags in the list, resources bound to those tags are filtered automatically.
  ▬ Display tag: Click the Tag button. A tag list is displayed. If you have many tags, find the required tags by dragging the scroll bar.
  Note:
  • The tag list is displayed according to tag role (admin or tenant). You can switch roles by clicking the Tag drop-down arrow.
  • Resource tags can be sorted by creation time or by tag name (priority: characters > numbers > Chinese characters > English characters). To change the sort order, go to Settings > Global Settings > Advanced, locate the Tag sorting field, and click the Edit icon. By default, tags are sorted by tag name.
  ▬ Search tag: In the search box at the top of the tag list, enter a tag name or a keyword to search for the tag that you want. This is useful when you have many tags; with fewer tags, use the scroll bar instead.
  ▬ Create tag: In the lower left corner of the tag list, click Create Tag. Then, you can create tags as needed. For more information about tag creation and notices, see Tag.
  ▬ Tag management: In the lower right corner of the tag list, click Tag Management. The Tag page is displayed with a list of tags. On this page, you can create a tag, delete a tag, or unbind a tag from a resource. For more information, see Tag.

7.1.2.2 Create Volume
ZStack allows you to create one or more volumes at a time.
On the Volume management page, click Create Volume. On the displayed Create Volume page, set the following parameters:
• Add Method: Select whether to create one volume or multiple volumes at a time. Options: Single | Multiple. If you select Multiple, specify the number of volumes to create. You can create 1 to 24 volumes in bulk.
• Name: Enter a name for the volume.
• Description: Optional. Enter a description for the volume.
• Volume Type: Select a volume type. Options: Normal volume | Shared volume.
  Note:
  • Normal volume: All primary storages support normal volumes.
  • Shared volume:
    1. Ceph and thick provisioned Shared Block primary storages support shared volumes. The same shared volume can be attached to multiple VM instances.
    2. A shared volume is of the VirtioSCSI type. Therefore, if you select shared volume, the VirtioSCSI checkbox is selected by default.
    3. Concurrent reads and writes to a shared volume can cause data inconsistencies unless the guests coordinate access (for example, through a cluster file system). Make sure you understand how the shared volume will be used before attaching it. Do not detach the volume from a VM instance while data is being written to it.
• Create Method: Select the method used to create the volume. Options: Disk offering | Volume image.
  Note: Only the disk offering method supports batch volume creation.
As shown in Figure 7-12: Create Volume.
Figure 7-12: Create Volume
Four Volume Creation Scenarios
This section describes four volume creation scenarios.
1. Create a normal volume from a disk offering.
2. Create a normal volume from a volume image.
3. Create a shared volume from a disk offering.
4. Create a shared volume from a volume image.
Details of the volume creation scenarios are as follows:
1. Create a normal volume from a disk offering.
On the Volume management page, click Create Volume. On the displayed Create Volume page, set the following parameters:
• Volume Type: Select normal volume.
• Create Method: Select disk offering.
• Disk Offering: Select a proper disk offering.
• Primary Storage and VM Instance:
  ▬ If neither parameter is specified, the volume is not instantiated and is displayed on the Not Instantiated tab page.
  ▬ If you select only a VM instance:
    ■ Single primary storage scenario: The volume is created on the primary storage where the VM instance is running.
    ■ Multiple primary storage scenario (no primary storage specified):
      ■ When you have multiple LocalStorage primary storages, the system prefers the primary storage with the largest available capacity.
      ■ When you have multiple NFS primary storages or multiple Shared Block primary storages, the system randomly selects a primary storage.
      ■ When you have a combination of primary storages, such as LocalStorage+NFS, LocalStorage+Shared Mount Point, or LocalStorage+Shared Block, the system automatically selects a primary storage that does not hold the current root volume.
      ■ When you have a combination of Ceph and Shared Block primary storages, the system prefers the primary storage with the largest available capacity.
  ▬ If you select only a primary storage, the volume you create is available and occupies actual space.
  Note:
  • When you select a LocalStorage primary storage, specify a host.
  • When you select a Ceph primary storage, specify a Ceph storage pool.
  • When you select a SharedBlock primary storage, select a provisioning method: thin provisioning or thick provisioning.
    ▬ Thin provisioning: Allocates storage space to a volume according to actual usage to achieve higher storage utilization.
    ▬ Thick provisioning: Preallocates the required storage space to guarantee capacity for the volume and to ensure storage performance.
• VirtioSCSI: Selected by default, indicating that a VirtioSCSI bus is used to create a VirtioSCSI volume.
  Note:
  • When selected, the system automatically allocates an ID (WWN) to the volume when the volume is initialized.
  • After you start the VM instance (for example, a Linux VM), you can find the WWN under the /dev/disk/by-id/ path. The WWN gives the guest a stable identifier for the volume, so data volumes can be attached and detached without depending on device names such as /dev/sdb.
  • We do not recommend that you create a VirtioSCSI volume on a LocalStorage primary storage.
As shown in Create Normal Volume from Disk Offering.
Figure 7-13: Create Normal Volume from Disk Offering
2. Create a normal volume from a volume image.
On the Volume management page, click Create Volume. On the displayed Create Volume page, set the following parameters:
• Volume Type: Select normal volume.
• Create Method: Select volume image.
• Volume Image: Select a proper volume image.
• VM Instance: Select the VM instance to attach the volume to.
• Primary Storage: Optional. Specify a primary storage as needed.
  ▬ If you specify a primary storage, the data volume is created on that primary storage.
  ▬ If you do not specify a primary storage:
    ■ If the volume image resides on a Ceph backup storage, the volume is created on a Ceph primary storage.
    ■ If the volume image does not reside on a Ceph backup storage:
      ■ When you have multiple LocalStorage primary storages, the system prefers the primary storage with the largest available capacity.
      ■ When you have multiple NFS primary storages or multiple Shared Block primary storages, the system randomly selects a primary storage.
      ■ When you have a combination of primary storages, such as LocalStorage+NFS, LocalStorage+Shared Mount Point, or LocalStorage+Shared Block, the system automatically selects a primary storage that does not hold the current root volume.
      ■ When you have a combination of Ceph and Shared Block primary storages, the system prefers the primary storage with the largest available capacity.
  Note: A volume image that resides on an ImageStore backup storage can be used to create a volume on a Ceph primary storage.
• VirtioSCSI: Selected by default, indicating that a VirtioSCSI bus is used to create a VirtioSCSI volume.
  Note:
  • When selected, the system automatically allocates an ID (WWN) to the volume when the volume is initialized.
  • After you start the VM instance (for example, a Linux VM), you can find the WWN under the /dev/disk/by-id/ path. The WWN gives the guest a stable identifier for the volume, so data volumes can be attached and detached without depending on device names.
  • We do not recommend that you create a VirtioSCSI volume on a LocalStorage primary storage.
As shown in Create Normal Volume from Volume Image.
Figure 7-14: Create Normal Volume from Volume Image
3. Create a shared volume from a disk offering.
On the Volume management page, click Create Volume. On the displayed Create Volume page, set the following parameters:
• Volume Type: Select shared volume.
  Note:
  • Currently, only Ceph and Shared Block primary storages support shared volumes.
  • Shared Block primary storage does not support thin provisioned shared volumes.
• Create Method: Select disk offering.
• Disk Offering: Select a proper disk offering.
• Primary Storage and VM Instance:
  ▬ If neither parameter is specified, the volume is not instantiated and is displayed on the Not Instantiated tab page.
  ▬ If you select only a VM instance:
    ■ Single primary storage scenario: The volume is created on the primary storage where the VM instance is running.
    ■ Multiple primary storage scenario (no primary storage specified):
      ■ When you have multiple LocalStorage primary storages, the system prefers the primary storage with the largest available capacity.
      ■ When you have multiple NFS primary storages or multiple Shared Block primary storages, the system randomly selects a primary storage.
      ■ When you have a combination of primary storages, such as LocalStorage+NFS, LocalStorage+Shared Mount Point, or LocalStorage+Shared Block, the system automatically selects a primary storage that does not hold the current root volume.
      ■ When you have a combination of Ceph and Shared Block primary storages, the system prefers the primary storage with the largest available capacity.
  ▬ If you select only a primary storage, the volume you create is available and occupies actual space.
  Note:
  • When you select a LocalStorage primary storage, specify a host.
  • When you select a Ceph primary storage, specify a Ceph storage pool.
  • When you select a SharedBlock primary storage, select a provisioning method: thin provisioning or thick provisioning.
    ▬ Thin provisioning: Allocates storage space to a volume according to actual usage to achieve higher storage utilization.
    ▬ Thick provisioning: Preallocates the required storage space to guarantee capacity for the volume and to ensure storage performance.
• VirtioSCSI: Selected by default, indicating that a VirtioSCSI bus is used to create a VirtioSCSI volume.
  Note:
  • A shared volume is of the VirtioSCSI type. Therefore, if you select shared volume, the VirtioSCSI checkbox is selected by default.
  • When selected, the system automatically allocates an ID (WWN) to the volume when the volume is initialized.
  • After you start the VM instance (for example, a Linux VM), you can find the WWN under the /dev/disk/by-id/ path. The WWN gives the guest a stable identifier for the volume, so data volumes can be attached and detached without depending on device names.
As shown in Create Shared Volume from Disk Offering.
Figure 7-15: Create Shared Volume from Disk Offering
4. Create a shared volume from a volume image.
On the Volume management page, click Create Volume.
On the displayed Create Volume page, set the following parameters:
• Volume Type: Select shared volume.
  Note:
  • Currently, only Ceph and Shared Block primary storages support shared volumes.
  • Shared Block primary storage does not support thin provisioned shared volumes.
• Create Method: Select volume image.
• Volume Image: Select a proper volume image.
• VM Instance: Select the VM instance to attach the volume to.
• Primary Storage: Optional. Specify a primary storage as needed.
  ▬ If you specify a primary storage, the data volume is created on that primary storage.
  ▬ If you do not specify a primary storage:
    ■ If the volume image resides on a Ceph backup storage, the volume is created on a Ceph primary storage.
    ■ If the volume image does not reside on a Ceph backup storage:
      ■ When you have multiple LocalStorage primary storages, the system prefers the primary storage with the largest available capacity.
      ■ When you have multiple NFS primary storages or multiple Shared Block primary storages, the system randomly selects a primary storage.
      ■ When you have a combination of primary storages, such as LocalStorage+NFS, LocalStorage+Shared Mount Point, or LocalStorage+Shared Block, the system automatically selects a primary storage that does not hold the current root volume.
      ■ When you have a combination of Ceph and Shared Block primary storages, the system prefers the primary storage with the largest available capacity.
  Note: A volume image that resides on an ImageStore backup storage can be used to create a volume on a Ceph primary storage.
• VirtioSCSI: Selected by default, indicating that a VirtioSCSI bus is used to create a VirtioSCSI volume.
  Note:
  • When selected, the system automatically allocates an ID (WWN) to the volume when the volume is initialized.
  • After you start the VM instance (for example, a Linux VM), you can find the WWN under the /dev/disk/by-id/ path. The WWN gives the guest a stable identifier for the volume, so data volumes can be attached and detached without depending on device names.
  • We do not recommend that you create a VirtioSCSI volume on a LocalStorage primary storage.
As shown in Create Shared Volume from Volume Image.
Figure 7-16: Create Shared Volume from Volume Image

7.1.2.3 Volume Operations
Definitions of volume operations are as follows:
• Create Volume: Create a new volume.
  ▬ A normal volume can be created from a disk offering or a volume image.
  ▬ A shared volume can be created from a disk offering or a volume image, and is supported on Ceph primary storages and thick provisioned Shared Block primary storages. Other primary storages are not supported currently.
• Enable: Enable a volume that is in the stopped state.
• Disable: Disable a volume.
• Attach: Attach a data volume to a specified VM instance.
  ▬ If your primary storage is LocalStorage and you want to attach a volume that has been detached from a VM instance, make sure that the volume and the target VM instance are on the same host. If they are not, migrate the volume or the VM instance so that both are on the same host.
• Detach: Detach a volume from a VM instance.
• Migrate: Migrate a volume to another compute node.
  ▬ Volumes can be migrated according to the workloads of the target compute nodes.
    ■ In the list of recommended target compute nodes, you can sort the compute nodes by average CPU utilization or memory utilization. By default, the list is sorted by memory utilization from low to high.
    ■ If a cluster has many compute nodes, you can limit the list by selecting Top20 or Top50.
  ▬ Volume migration applies only to LocalStorage primary storages.
• Bind Tag: Bind tags to a volume.
  ▬ To bind tags: Select one or more volumes and click Bind Tag to open the tag binding page, as shown in Bind Tag. Select one or more tags, and click OK to bind the tags to the volumes.
Figure 7-17: Bind Tag
  • Resource tags can be sorted by creation time or by tag name. By default, resource tags are sorted by tag name. You can change the sort order in the global settings.
  Note:
  • Sort priority by tag name: characters, numbers, Chinese characters, and case-insensitive English characters.
  • After an earlier version (3.4.0 or later) is upgraded to the latest version, resource tags are sorted by tag name by default.
• Unbind Tag: Unbind tags from a volume.
  ▬ To unbind tags: Select a volume and click Unbind Tag to open the tag unbinding page, as shown in Unbind Tag. Select one or more tags and click OK to unbind them from the volume.
Figure 7-18: Unbind Tag
  • You can switch between the admin tag list and the user tag list by clicking the switch button at the upper left.
  • Tag search and custom display are supported. Click the search button at the upper right, choose the number of tags displayed per page by clicking the list count, and use the page buttons to turn pages.
  • You can check the detailed information about a tag by clicking Details on the right.
  • Admin tags are created and owned by administrators (admins or platform admins), while tenant tags are created and owned by tenants (normal accounts or projects).
  • Tags created by tenants can only be bound to resources of the corresponding tenant, while admin tags can be bound to all resources.
  • Administrators can unbind or delete tenant tags.
  • Tags in a project are owned by the project. Therefore, all members, including the project head, project administrators, and project members, can operate on these tags.
  • Currently, tag owners cannot be changed.
  • When you change a resource owner, all tenant tags bound to the resource are unbound. Admin tags are not affected.
  • After a seamless upgrade of the cloud, existing tags are updated and displayed in the new way. If an exception occurs, refresh your browser or create a new tag.
  Note:
  • Multiple tags on a resource can be unbound at the same time. Likewise, a tag can be unbound from multiple resources at the same time.
  • A tenant can only unbind tags from resources owned by the tenant, while an administrator can unbind tags from all resources.
• Create Backup: Create a backup of a volume.
  ▬ Before you create a backup of a volume, make sure that the volume is attached to a VM instance in the running state.
  ▬ You can create a full backup of a volume. If you do not select the full backup checkbox, an incremental backup is created.
• Recover: Recover a volume backup locally.
• Remote Sync: Synchronize a volume backup to the specified remote backup storage.
• Delete: Delete a volume backup.
• Create Volume Image: Create an image from the current volume. The image can be used to create new volumes.
  ▬ A volume on a Ceph primary storage can also be used to create a volume image on an ImageStore backup storage.
  ▬ Before a shared volume on a Shared Block primary storage is used to create a volume image, stop all VM instances that use this shared volume.
• Create Volume Snapshot: Before performing important operations, capture the root volume or data volume at a specific point in time so that you can roll back if the operation fails.
  ▬ A snapshot saves all data of the volume at that moment. You can use a snapshot to quickly restore the volume to a historical state.
  ▬ The first snapshot of a volume takes some time to be stored.
  ▬ In a production environment, we recommend that you keep no more than 5 snapshots per disk. Excessive snapshots can affect the I/O performance, data security, and primary storage capacity of the corresponding VM instances and volumes. For long-term retention, use the disaster recovery related services instead.
  ▬ Currently, you cannot create snapshots of shared volumes.
  ▬ A snapshot of a volume on a Ceph primary storage does not occupy capacity. Therefore, the displayed snapshot capacity is the real capacity of the volume at the time the snapshot was created.
  ▬ For Ceph primary storages, the volume snapshot capacity might not be obtainable:
    ■ Open source Ceph (version H) and enterprise Ceph earlier than 3.2.0 cannot report volume snapshot capacity.
    ■ Because of the RBD format, enterprise Ceph 3.2.0 and later may fail to report VM snapshot capacity.
• Recover: Restore the volume data to the point in time at which the snapshot was created.
  ▬ Before you recover a volume snapshot, stop the VM instances to which the volume is attached, or detach the volume from those VM instances.
  ▬ To recover a volume snapshot: On the Volume Snapshot page, select the volume snapshot to recover, and choose Actions > Recover to restore the data to the point in time at which the snapshot was created.
• Delete: Delete a volume snapshot that you no longer need.
  ▬ Snapshots created on LocalStorage, NFS, Shared Mount Point, and Shared Block primary storages form a tree. Deleting the root snapshot also deletes the snapshots on its branches and detaches the batch snapshots on those branches. Exercise caution.
  ▬ Snapshots created on Ceph shared storage are independent and do not form a tree. Deleting a snapshot does not affect other snapshots.
  ▬ When you delete tree-structured snapshots in bulk, the cloud automatically calculates the candidate snapshots to delete and cascades the deletion to the associated snapshots.
  ▬ If the snapshots to be deleted include batch snapshots, deleting the current snapshot also deletes the snapshots on its branches. Once deleted, the associated batch snapshots cannot be recovered. Exercise caution.
  ▬ To delete volume snapshots: Go to the Volume Snapshot page, select one or more volume snapshots, and choose Actions > Delete.
• Set Volume QoS: Limit the volume bandwidth by configuring either a total bandwidth or separate read and write bandwidths.
  ▬ By default, volume QoS is unlimited. If you do not set volume QoS on the disk offering, a normal account or project member can set any QoS value for the volume.
  ▬ If you set volume QoS on the disk offering, a normal account or project member can set QoS for the volume, but the limit they set must not exceed the limit stipulated by the disk offering.
  ▬ A normal account or project member cannot change the QoS limit method; it stays consistent with the original method (total bandwidth, or read and write bandwidth).
• Cancel Volume QoS: Cancel the volume QoS. After cancellation, the volume QoS is unlimited.
  ▬ By default, volume QoS is unlimited. If you do not set volume QoS on the disk offering, a normal account or project member can cancel QoS for the volume.
  ▬ If you set volume QoS on the disk offering, a normal account or project member cannot cancel QoS for the volume.
• Change Owner: Change the owner of a volume.
  ▬ If you change the owner of a volume, all tenant tags bound to it are unbound; admin tags are not affected.
• Resize Volume: Resize a root volume or data volume while the VM instance is running or stopped.
  ▬ Resizing can only increase the volume size, and the increment cannot be smaller than 4 MB. The new size takes effect immediately.
  ▬ A shared volume created on a Shared Block primary storage cannot be resized.
  ▬ Before you resize a shared volume created on a Ceph primary storage, make sure that the shared volume is not attached to any VM instance, or that all VM instances to which it is attached are stopped.
  ▬ Resizing triggers automatic snapshot creation for the data volume to protect the data.
• Storage Migration: Migrate volumes between primary storages of the same type, for example, across Ceph primary storages, across NFS primary storages, or across Shared Block primary storages.
  ▬ Migration across Ceph primary storages:
    ■ Volumes to be migrated across Ceph primary storages cannot be attached to any VM instance.
    ■ Shared volumes that are not attached to VM instances can be migrated across Ceph primary storages. Shared volumes that are attached to VM instances cannot.
    ■ To migrate between two Ceph primary storages, make sure that the Ceph monitors of the two primary storages can reach each other.
  ▬ Migration across NFS primary storages:
    ■ Volumes to be migrated across NFS primary storages cannot be attached to any VM instance.
    ■ To migrate between two NFS primary storages, make sure that the destination NFS primary storage can be attached to the cluster of the volume to be migrated.
  ▬ Migration across Shared Block primary storages:
    ■ Volumes on Shared Block primary storages can be migrated across Shared Block primary storages while attached to VM instances that are in the stopped state.
    ■ Shared volumes that are not attached to VM instances can be migrated across Shared Block primary storages. Shared volumes that are attached to VM instances cannot.
    ■ To migrate between two Shared Block primary storages, make sure that the destination Shared Block primary storage can be attached to the cluster of the volume to be migrated.
  Note:
  • After a volume is migrated successfully, the original data (trash) is kept on the source primary storage. You can check it on the Clear Data tab page of the source primary storage details page.
  • The Clean Up operation is supported. After you have confirmed data integrity following a storage migration, click Clean Up to remove the original data manually. After the trash is cleaned up, the original data cannot be recovered. Exercise caution.
• Delete: Delete a volume. The deleted volume is displayed on the Deleted tab page.
  ▬ Deleting a volume detaches it from the associated VM instances, which interrupts any reads and writes in progress. Exercise caution.
• Recover: Recover a deleted volume. The recovered volume is displayed on the Available tab page.
• Expunge: Completely delete a volume.
• Scheduled Job: Create a scheduled job for a volume. A volume scheduled job can be used to create snapshots of a data volume on a schedule.
• Search: Search for a volume by its name, UUID, or owner. You can also use the advanced search method.

7.1.3 Image
An image is a template used to create a VM instance or volume.
• Image templates include root volume images and data volume images.
• Root volume images can be in ISO or Image format, while data volume images can only be in Image format.
• The Image format can be either raw or qcow2.
• Images are stored on backup storage. When you create a VM instance or volume from an image for the first time, the image is downloaded to primary storage and kept there as an image cache.
When you create a VM instance, the image platform decides whether a KVM Virtio driver (disk driver and NIC driver) is used. The supported image platforms are as follows:
• Linux: Uses Virtio drivers.
• Windows: Does not use Virtio drivers; QEMU emulated devices are used instead. The image operating system is a Windows OS without Virtio drivers installed.
• WindowsVirtio: Uses Virtio drivers. The image operating system is a Windows OS with Virtio drivers (disk driver and NIC driver) installed.
• Other: Does not use Virtio drivers; QEMU emulated devices are used instead. The image operating system can be of any type.
• Paravirtualization: Uses Virtio drivers. The image operating system can be any operating system with Virtio drivers installed.
To add an image, you can specify a URL or upload a local file.
1. URL: adds an image from the specified URL.
• HTTP/HTTPS:
  ▬ Format: http://path/file or https://path/file
  ▬ Example: http://cdn.zstack.io/product_downloads/images/zstack-image.qcow2
• FTP:
  ▬ Anonymous format: ftp://hostname[:port]/path/file
    Example: ftp://172.20.0.10/pub/zstack-image.qcow2
  ▬ Non-anonymous format: ftp://user:password@hostname[:port]/path/file
    Example: ftp://zstack:password@172.20.0.10/pub/zstack-image.qcow2
• SFTP:
  ▬ Format with password specified: sftp://user:password@hostname[:port]/path/file
    Example: sftp://root:password@172.20.0.10/pub/zstack-image.qcow2
  ▬ Password-free format: sftp://user@hostname[:port]/path/file
    Example: sftp://root@172.20.0.10/pub/zstack-image.qcow2
• The absolute path on the backup storage, which is supported by SFTP backup storage and ImageStore.
  Example: file:///opt/zstack-dvd/zstack-image-1.4.qcow2
Note:
• Before you enter a URL, make sure that the URL can be accessed by the backup storage and that the file exists at that location.
• Before you add an image by using the SFTP password-free method, make sure that password-free SSH access is configured between the backup storage and the SFTP server.
• Smooth, continuous progress bar display and breakpoint resume:
  ▬ ImageStore backup storage supports both a smooth, continuous progress bar and breakpoint resume.
  ▬ Ceph backup storage supports a smooth, continuous progress bar, but does not support breakpoint resume.
  ▬ SFTP backup storage supports neither a smooth, continuous progress bar nor breakpoint resume.
• If you add an image by using file:///, note that:
  ▬ Ceph backup storage currently does not support the file:/// format.
  ▬ The file:/// path contains three forward slashes (/), which are followed by the absolute path on the backup storage. For example, for file:///opt/zstack-dvd/zstack-image-1.4.qcow2, the zstack-image-1.4.qcow2 file must be stored in the /opt/zstack-dvd directory of the backup storage.
2.
Upload a local file: You can upload an image file that is accessible from your current browser. Both ImageStore and Ceph backup storages are supported, as shown in Figure 7-19: Image Uploading via Local Browser.
Figure 7-19: Image Uploading via Local Browser
Note:
When you add an image by uploading a local file, the local browser is used as a transit point. Therefore, do not refresh or close the current browser tab, and do not stop the management node service. Otherwise, adding the image might fail.

7.1.3.1 Image Operations

In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > Image to enter the Image management page, as shown in Figure 7-20: Image Management Page. On the Image management page, you can check the image list information, such as the name, backup storage, image type, image format, state, status, capacity, platform, owner, and creation time. You can add, enable, disable, stop, export, synchronize, delete, expunge, and recover an image. In addition, you can share an image to all, recall an image from all, change the owner of an image, and migrate an image across storages. While an image is being downloaded, its status on the Image Management page is Downloading.
Figure 7-20: Image Management Page
The Image management page includes the following three tab pages:
• Available: Displays a list of the currently available images.
• Deleted: Displays a list of images that have been deleted but not expunged.
• Exported: Displays a list of the exported images.
Note:
Only images on ImageStore backup storages can be exported. Exported images can also be deleted. On the details page of an exported image, you can check the image MD5 value, which is used to verify whether a downloaded image is identical to the exported image.
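The URL formats listed above and the MD5 check described for the Exported tab both lend themselves to a small pre-flight script. The following Python is an added example written for this page, not ZStack code: it classifies an image URL against the formats this section lists (flagging credentials embedded in the URL, which end up in logs and in the database wherever the URL is stored, and rejecting file:/// on Ceph, which the note above says is unsupported), and streams a downloaded export through MD5 to compare it with the value shown on the exported image details page. The sample URLs and the temporary file are constructed; the backup storage labels ImageStore, SFTP and Ceph are simply the names used in this guide.

```python
"""Added example (not ZStack's own code): pre-flight checks on image sources
and the MD5 comparison for a downloaded export.  Assumptions: the URL formats
are exactly those listed in the guide; the file:/// limitation on Ceph is
taken from the guide's note."""
import hashlib
import os
import tempfile
from urllib.parse import urlsplit

# Schemes the guide lists for adding an image by URL.
ALLOWED_SCHEMES = {"http", "https", "ftp", "sftp", "file"}
# Backup storage kinds that accept a file:/// absolute path (per the guide).
FILE_URL_BACKUP_STORAGES = {"SFTP", "ImageStore"}


def check_image_url(url, backup_storage):
    """Describe an image URL and list problems/warnings found.

    problems: reasons the URL cannot be used as written (empty means OK).
    warnings: allowed but risky, e.g. a password embedded in the URL.
    """
    parts = urlsplit(url)
    problems, warnings = [], []
    result = {"scheme": parts.scheme, "problems": problems, "warnings": warnings}
    if parts.scheme not in ALLOWED_SCHEMES:
        problems.append("unsupported scheme: %r" % parts.scheme)
        return result
    if parts.scheme == "file":
        # file:/// means an absolute path on the backup storage itself.
        if parts.netloc or not parts.path.startswith("/"):
            problems.append("file URL must be file:///absolute/path")
        if backup_storage not in FILE_URL_BACKUP_STORAGES:
            problems.append("file:/// is not supported on %s" % backup_storage)
    else:
        if not parts.hostname:
            problems.append("missing host")
        if not parts.path or parts.path.endswith("/"):
            problems.append("URL must end in a file name")
        if parts.password is not None:
            warnings.append("password embedded in URL")
        if parts.scheme == "sftp" and parts.username is None:
            problems.append("sftp URL needs a user name")
    result.update({"host": parts.hostname, "path": parts.path, "user": parts.username})
    return result


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file so multi-GB images never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def downloaded_matches_export(path, expected_md5):
    """True when the downloaded file has the MD5 shown for the exported image.
    Case-insensitive, because UIs differ in how they print hex digests."""
    return md5_of_file(path).lower() == expected_md5.strip().lower()


def demo():
    """Run the checks on constructed inputs and return the results."""
    checks = {
        url: check_image_url(url, storage)
        for url, storage in [
            ("http://cdn.zstack.io/product_downloads/images/zstack-image.qcow2", "Ceph"),
            ("sftp://root:password@172.20.0.10/pub/zstack-image.qcow2", "ImageStore"),
            ("file:///opt/zstack-dvd/zstack-image-1.4.qcow2", "Ceph"),
        ]
    }
    # Stand-in for a downloaded export: the RFC 1321 test string "abc".
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")
    try:
        digest = md5_of_file(tmp.name)
        checks["download_ok"] = downloaded_matches_export(tmp.name, digest.upper())
    finally:
        os.unlink(tmp.name)
    checks["md5_of_abc"] = digest
    return checks


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

MD5 catches corrupted or truncated downloads; it is not a guard against a deliberately substituted image, so the download channel itself still has to be trusted (HTTPS, or an SFTP host whose key has been verified).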
Definitions of image operations in ZStack are as follows:
• Add Image: Add a new image to a backup storage.
  Note:
  ZStack also allows you to add volume images.
• Enable: Enable an image that is in the disabled state. Batch operations are supported.
• Disable: Disable an image that is in use. After the image is disabled, you cannot use it to create VM instances; previously created VM instances are not affected. Batch operations are supported.
• Export: Select an image and click Export. The cloud exports this image for you. Because images are large, the export can take a relatively long time. The exported image will be displayed on the Exported tab page. Only a single operation is supported.
  Note:
  Only images on ImageStore backup storages can be exported. Exported images can also be deleted.
• Share To All: Share this image with all accounts. After sharing, all accounts can use this image. Batch operations are supported.
• Recall From All: Recall this image from all accounts. After recalling, other accounts can no longer see this image. Batch operations are supported.
• Change Owner: Change the owner of the image. Batch operations are supported.
• Storage Migration: Migrate image data across shared storages over the network. Currently, images can be migrated across Ceph backup storages. When images are migrated across Ceph backup storages, the MON nodes of both Ceph backup storages must be able to reach each other.
  Note:
  • After images are migrated successfully, the original data (trash) is kept on the source backup storage. You can check the data on the Clear Data tab page of the Ceph backup storage details page.
  • The Clean Up operation is supported. After you confirm data integrity following the storage migration, click Clean Up to manually clean up the original data (trash). Exercise caution.
After you clean up the trash, you cannot recover the original data any more.
• Sync Image: Synchronize images from one or more backup storages to a specified backup storage under the same management node. Currently, ImageStore backup storages are supported.
  Note:
  An independent image synchronization network can be set on a backup storage to reduce the load on the management network. You can set the image synchronization network in two ways:
  • When you create a backup storage, set an image synchronization network.
  • On the backup storage details page, set an image synchronization network. The synchronization network takes effect as soon as it is set.
• Delete: Delete an image. After you delete an image, the image will be displayed on the Deleted tab page. Batch operations are supported.
• QGA: Change the state of the QEMU guest agent.
  ▬ Before you enable QGA, make sure that the QEMU guest agent is installed and running in this image.
  ▬ After you enable QGA, you can change passwords online for VM instances that are created from this image.
• Recover: Recover a deleted image. After recovery, the image will be displayed on the Available tab page. Batch operations are supported.
• Expunge: Expunge a deleted image. Only deleted images can be expunged. Batch operations are supported.
• Download: Download an exported image. Click Download to download the exported image directly in your browser. Batch operations are supported.
  Note:
  The image MD5 value is displayed so that you can verify whether the downloaded image is identical to the exported image.
• Copy URL: Copy the URL of an exported image. When you click the copy button, the URL of the exported image is written to the system clipboard. You can paste the URL directly into a browser, download it with a download tool, or use it directly as the image URL when you add an image.
Only a single operation is supported.
• Delete on the Exported tab page: Delete an exported image. Batch operations are supported.
  Note:
  On backup storages, image files are stored as deltas. A complete image file is generated only when you create VM instances from an image, export an image, or perform certain other operations on it. This deletion operation only deletes the complete exported image file and does not affect the original image on the backup storage.
• Search: Click the Search icon. Then, you can search for an image by entering its name, UUID, backup storage, or owner. You can also use the advanced search method, which is equivalent to calling the QueryImage API. For more information, see the CLI manual.
  ▬ When you use the advanced search, note that:
    ■ A search expression consists of three parts: a parameter, a query condition (operator), and a value. For more information about the search syntax, see the Query API section in the API Reference.
    ■ Cross-table queries are supported. The parameter parts of a search expression must be separated by a period (.).
    ■ Combined queries with multiple conditions are supported. Multiple search expressions must be separated by a space.
  ▬ The following are common examples of advanced search:
    ■ Image platform: platform=Linux or platform=WindowsVirtio
    ■ Image format: format=qcow2 or format=iso
    ■ Image type: mediaType=DataVolumeTemplate
    ■ Image capacity (actual or virtual): actualSize>=568586752 or size>=8589934592
    ■ Backup storage UUID: backupStorage.uuid=add8e0e46b6c48f08318e5d0dc6e9777

7.1.3.2 Add Image

1. Add a system image.
On the Image management page, click Add Image. Then, the Add Image page is displayed, as shown in Figure 7-21: Add System Image.
Figure 7-21: Add System Image
To add an image, set the following parameters:
• Name: Enter a name for the image.
• Description: Optional. Enter a description for the image.
• Image Type: Select system image. System images support three image formats: qcow2, ISO, and raw.
• Platform: Select an image platform. The image platform decides whether a KVM Virtio driver (including the disk driver and NIC driver) is used when you create VM instances. The supported platforms are as follows:
  • Linux: Uses a Virtio driver.
  • Windows: Does not use a Virtio driver. Instead, QEMU emulation is used. The image operating system is a Windows OS without a Virtio driver installed.
  • WindowsVirtio: Uses a Virtio driver. The image operating system is a Windows OS with a Virtio driver (including the disk driver and NIC driver) installed.
  • Other: Does not use a Virtio driver. Instead, QEMU emulation is used. The image operating system can be of any type.
  • Paravirtualization: Uses a Virtio driver. The image operating system can be any operating system with a Virtio driver installed.
• Backup Storage: Select a backup storage that you created before.
• Image URL: Enter a URL or upload a local file.
  1. URL: Enter a path from which the image can be downloaded.
  • HTTP/HTTPS:
    ▬ Format: http://path/file or https://path/file
    ▬ Example: http://cdn.zstack.io/product_downloads/images/zstack-image.qcow2
  • FTP:
    ▬ Anonymous format: ftp://hostname[:port]/path/file
      Example: ftp://172.20.0.10/pub/zstack-image.qcow2
    ▬ Non-anonymous format: ftp://user:password@hostname[:port]/path/file
      Example: ftp://zstack:password@172.20.0.10/pub/zstack-image.qcow2
  • SFTP:
    ▬ Format with password specified: sftp://user:password@hostname[:port]/path/file
      Example: sftp://root:password@172.20.0.10/pub/zstack-image.qcow2
    ▬ Password-free format: sftp://user@hostname[:port]/path/file
      Example: sftp://root@172.20.0.10/pub/zstack-image.qcow2
  • The absolute path on the backup storage, which is supported by SFTP backup storage and ImageStore.
    Example: file:///opt/zstack-dvd/zstack-image-1.4.qcow2
  Note:
  • Before you enter a URL, make sure that the URL can be accessed by the backup storage and that the file exists at that location.
  • Before you add an image by using the SFTP password-free method, make sure that password-free SSH access is configured between the backup storage and the SFTP server.
  • Smooth, continuous progress bar display and breakpoint resume:
    ▬ ImageStore backup storage supports both a smooth, continuous progress bar and breakpoint resume.
    ▬ Ceph backup storage supports a smooth, continuous progress bar, but does not support breakpoint resume.
    ▬ SFTP backup storage supports neither a smooth, continuous progress bar nor breakpoint resume.
  • If you add an image by using file:///, note that:
    ▬ Ceph backup storage currently does not support the file:/// format.
    ▬ The file:/// path contains three forward slashes (/), which are followed by the absolute path on the backup storage. For example, for file:///opt/zstack-dvd/zstack-image-1.4.qcow2, the zstack-image-1.4.qcow2 file must be stored in the /opt/zstack-dvd directory of the backup storage.
  2. Local file: Directly upload an image that is accessible from the current browser. Two types of backup storage are supported: ImageStore and Ceph. See Figure 7-22: Image Uploading via Local Browser.
  Figure 7-22: Image Uploading via Local Browser
  Note:
  When you add an image by uploading a local file, the local browser is used as a transit point. Therefore, do not refresh or close the current browser tab, and do not stop the management node service. Otherwise, adding the image might fail.
• Boot Mode: Select a BIOS mode. Options: Legacy | UEFI.
  ▬ Legacy: Supports all operating systems. For stability, we recommend that you use the Legacy mode.
  ▬ UEFI: Supports two types of operating system: Windows and CentOS. Specifically, Windows 7/2008 must use the Compatibility Support Module (CSM).
  Note:
  A VM instance may fail to work properly if the BIOS mode does not match the VM instance. Please exercise caution.
  • For a qcow2 or raw image, select the BIOS mode that matches the one the image was built with.
  • For an ISO image, select a BIOS mode as needed. The operating system will be installed according to the mode that you selected.
  • If the VM instances that you create are to boot through UEFI, we recommend that you select a VM image from the following list of operating system versions:
    Operating System | BIOS Mode | Supported Version
    Windows | UEFI | Windows 8 or later versions
    Windows | UEFI (compatibility module) | Windows 7, Windows 2008 R2
    Linux | UEFI | CentOS 7.2, CentOS 7.3, CentOS 7.4 or later versions
  • For a Linux image of CentOS 7.4 or later with the UEFI mode, after you restart a created VM instance, the VM instance will probably enter the UEFI Shell. To reboot successfully and enter the operating system, use one of the following methods:
    ▬ Method 1: Add a script that skips the UEFI Shell and enters the operating system directly. In the installed operating system, run vim /boot/efi/startup.nsh to create a script, and save the following contents. On later reboots, the VM instance will skip the UEFI Shell and enter the operating system directly.
      FS0:
      CD EFI
      CD centos
      shimx64-centos.efi
    ▬ Method 2: Manually exit the UEFI Shell.
      If the VM instance has already entered the UEFI Shell, you can manually run the following commands to exit it:
      Shell> fs0:
      FS0:\> cd EFI
      FS0:\EFI\> cd centos
      FS0:\EFI\centos\> shimx64-centos.efi
  • For a Windows VM instance (such as Windows 2012 R2, Windows 2016, or Windows 10) with the UEFI mode, the following page is displayed after the VM instance starts. Press any key to continue the installation of the VM operating system. Otherwise, the VM instance will enter the UEFI Shell, as shown in Figure 7-23: Press Any Key to Continue.
    Figure 7-23: Press Any Key to Continue
    If the VM instance has already entered the UEFI Shell, you must run the following commands before the operating system can boot:
      Shell> fs0:
      FS0:\> dir
      FS0:\> cd EFI
      FS0:\EFI\> cd BOOT
      FS0:\EFI\BOOT\> BOOTX64.EFI
    After you perform the preceding operations, press any key to continue the VM operating system installation. Otherwise, the VM instance will enter the UEFI Shell again.
• CSM: The compatibility support module is only compatible with devices that work in the Legacy mode. UEFI operating systems are not supported or not completely supported.
  Note:
  For Windows 7/2008 R2, select the compatibility support module. Do not select it for other versions.
• Installed QEMU guest agent:
  Note:
  • Make sure that the QEMU guest agent is installed in the imported image and starts automatically.
  • After you select Qemu guest agent, you can change, while the VM instance is running, the password of a VM instance created from the added image, of VM instances cloned from that VM instance, or of VM images created from it.
2. Add a volume image.
On the Image management page, click Add Image. Then, the Add Image page is displayed, as shown in Figure 7-24: Add Volume Image.
Figure 7-24: Add Volume Image
To add a volume image, set the following parameters:
• Name: Enter a name for the volume image.
• Description: Optional. Enter a description for the volume image.
• Image Type: Select volume image. The supported image formats are qcow2 and raw.
• Platform: Select a volume image platform. The volume image platform decides whether a KVM Virtio driver (including the disk driver and NIC driver) is used when you create VM instances.
• Backup Storage: Select a backup storage that you created before.
• Image URL: Enter a URL or upload a local file.

7.1.4 Affinity Group

7.1.4.1 Overview

An affinity group is a simple orchestration policy designed for IaaS resources to ensure high performance or high availability for your business.

Affinity Group Policy
Currently, ZStack provides two affinity group policies to better manage VM instances and hosts: anti-affinity group (soft) and anti-affinity group (hard).
• Anti-affinity group (soft): Allocates VM instances in the affinity group to different hosts as much as possible. If no more hosts are available, the VM instances are allocated randomly.
• Anti-affinity group (hard): Strictly allocates VM instances in the affinity group to different hosts. If no more hosts are available, the allocation fails.
See Figure 7-25: Anti-Affinity Group (Soft) and Anti-Affinity Group (Hard).
Figure 7-25: Anti-Affinity Group (Soft) and Anti-Affinity Group (Hard)

Application Scenario
The following are application examples of the anti-affinity group (soft) and anti-affinity group (hard) policies.
• Application scenario of anti-affinity group (soft): You might want to deploy nodes with different Hadoop roles on different hosts to improve the overall system performance.
  • For example, when you deploy a Hadoop system, you might find it difficult to calculate the exact number of nodes for each role, such as NameNode, DataNode, JobTracker, and TaskTracker. However, you know that deploying these nodes on different hosts is more effective. With the anti-affinity group (soft) policy, you can deploy the Hadoop cluster across different hosts as much as possible, which relieves I/O pressure and improves the overall performance of the system.
• Application scenario of anti-affinity group (hard): You might want to deploy two VM instances that run an active and a standby database on different hosts to ensure high availability of services.
  • For example, you deploy two business VM instances to run an active and a standby MySQL database respectively, and require that the active and standby databases never be down at the same time. Therefore, you must deploy these two VM instances on different hosts. Because deployment is automated, you might not be able to predict in advance which hosts have free resources. With the anti-affinity group (hard) policy, the two VM instances are placed on two different hosts, which ensures the high availability of services.

7.1.4.2 Prerequisite

In this tutorial, assume that you have installed the latest ZStack and completed the basic cloud initialization, including adding a zone, cluster, host, backup storage, primary storage, and other basic resources. For more information, see the installation and deployment topics and the Wizard configuration topics in the User Guide. This tutorial mainly describes how to use the two types of affinity group policy to better manage VM instances and hosts.
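To make the difference between the soft and hard policies concrete, here is an added Python model of the placement decision, written for this page rather than taken from ZStack's scheduler. It assumes a flat list of hosts with a free-slot count per host; the host names, capacities and the random fallback for the soft policy are constructed. It also models the rule the VM Instance constraints describe for a VM created with both an affinity group and a specific host: the specified host wins under the soft policy, but is rejected under the hard policy when it already holds a member of the group.

```python
"""Added example, not ZStack's own scheduler: a small model of the two
anti-affinity policies and of the "affinity group plus specified host" rule.
Host names, capacities and the random fallback are constructed assumptions."""
import random

SOFT = "anti-affinity (soft)"
HARD = "anti-affinity (hard)"


class PlacementError(Exception):
    """Raised when no host can take the VM under the group's policy."""


class AffinityGroup:
    def __init__(self, name, policy):
        self.name = name
        self.policy = policy
        self.members = {}  # vm name -> host name

    def hosts_in_use(self):
        return set(self.members.values())


def place_vm(vm, group, hosts, capacity, requested_host=None, rng=None):
    """Pick a host for vm under the group's policy and record the binding.

    hosts: list of host names; capacity: dict host -> free VM slots (mutated).
    Returns the chosen host or raises PlacementError.
    """
    if rng is None:
        rng = random.Random(0)  # fixed seed keeps the demo reproducible
    free = [h for h in hosts if capacity.get(h, 0) > 0]
    if not free:
        raise PlacementError("no host has capacity for %s" % vm)
    busy = group.hosts_in_use()

    if requested_host is not None:
        # Host specified explicitly in the VM advanced settings.
        if requested_host not in free:
            raise PlacementError("host %s cannot create %s" % (requested_host, vm))
        if group.policy == HARD and requested_host in busy:
            raise PlacementError("%s would break %s on %s" % (vm, group.name, requested_host))
        chosen = requested_host  # soft policy yields to the explicit host
    else:
        preferred = [h for h in free if h not in busy]
        if preferred:
            chosen = preferred[0]  # spread: a host no group member uses yet
        elif group.policy == SOFT:
            chosen = rng.choice(free)  # soft: fall back to any host with room
        else:
            raise PlacementError("hard policy: every free host already holds a member")

    capacity[chosen] -= 1
    group.members[vm] = chosen
    return chosen


def soft_scenario():
    """Four VMs on three hosts, soft policy: three spread out, the fourth
    lands on a host that already holds a group member."""
    hosts = ["host-1", "host-2", "host-3"]
    cap = {h: 2 for h in hosts}
    g = AffinityGroup("soft-group", SOFT)
    placed = [place_vm("vm-%d" % i, g, hosts, cap) for i in range(1, 5)]
    return placed, len(set(placed))


def hard_scenario():
    """Three VMs on three hosts succeed under the hard policy; a fourth fails."""
    hosts = ["host-1", "host-2", "host-3"]
    cap = {h: 2 for h in hosts}
    g = AffinityGroup("hard-group", HARD)
    placed = [place_vm("vm-%d" % i, g, hosts, cap) for i in range(1, 4)]
    try:
        place_vm("vm-4", g, hosts, cap)
        fourth_failed = False
    except PlacementError:
        fourth_failed = True
    return placed, fourth_failed


def requested_host_cases():
    """A host specified together with the group: soft yields, hard rejects."""
    hosts = ["host-1", "host-2"]
    outcome = []
    for policy in (SOFT, HARD):
        cap = {h: 2 for h in hosts}
        g = AffinityGroup("g", policy)
        place_vm("vm-1", g, hosts, cap)  # lands on host-1
        try:
            outcome.append(place_vm("vm-2", g, hosts, cap, requested_host="host-1"))
        except PlacementError:
            outcome.append(None)
    return outcome[0], outcome[1] is None


if __name__ == "__main__":
    print("soft:", soft_scenario())
    print("hard:", hard_scenario())
    print("requested host (soft result, hard rejected):", requested_host_cases())
```

The hard policy is the one to reach for when a co-located pair defeats the purpose of the deployment (the active/standby database above); the soft policy trades that guarantee for the ability to keep creating VM instances once the hosts run out.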
7.1.4.3 Usage Entrance

To use affinity group policies for better managing VM instances and hosts, use either of the two entrances below:
• Resource Pool > Affinity Group
• Resource Pool > VM Instance

7.1.4.3.1 Affinity Group

This topic mainly describes how to use affinity groups to better manage VM instances and hosts through the Resource Pool > Affinity Group entrance.

Affinity Group Management Page
In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > Affinity Group to enter the Affinity Group management page. On the Affinity Group management page, you can view the information of all existing affinity groups, including the affinity group name, specified policy, number of bound VM instances, affinity type, owner, and creation time, and perform operations such as creating, enabling, and disabling an affinity group, as shown in Figure 7-26: Affinity Group Management Page.
Figure 7-26: Affinity Group Management Page

Create Affinity Group
On the Affinity Group management page, click Create Affinity Group. On the displayed Create Affinity Group page, set the following parameters:
• Name: Enter a name for the affinity group.
• Description: Optional. Enter a description for the affinity group.
• Policy: Select an affinity group policy. Currently, ZStack provides two types of affinity group policy for better management of VM instances and hosts:
  • Anti-affinity group (soft): Allocates VM instances in the affinity group to different hosts as much as possible. If no more hosts are available, the VM instances are allocated randomly.
  • Anti-affinity group (hard): Strictly allocates VM instances in the affinity group to different hosts. If no more hosts are available, the allocation fails.
You can create an anti-affinity group, as shown in Figure 7-27: Create Anti-Affinity Group (soft).
Figure 7-27: Create Anti-Affinity Group (soft)

Affinity Group Operations
You can perform the following operations on an affinity group:
• Create: Create a new affinity group in the current zone.
• Enable: Re-enable the selected affinity group. The cloud checks whether the VM instances within the affinity group satisfy the affinity group policy. If the policy is met, the affinity group is enabled successfully; otherwise, enabling fails.
• Disable: Disable the selected affinity group. VM instances within the group then stop following the affinity group policy.
• Bind VM instance: Bind new VM instances to the affinity group. The affinity group policy takes effect immediately.
• Unbind VM instance: Unbind VM instances from the affinity group. The affinity group policy takes effect immediately.
• Change owner: Change the owner of the affinity group.
• Delete: Delete the selected affinity group. VM instances within the group will no longer follow the affinity group policy when they are started next time.

Constraints
• Currently, the affinity policy supports two types of affinity group: affinity group (soft) and affinity group (hard). Both types support the HOST type, which means that an affinity relationship between VM instances and hosts can be formed.
• There is no limit on the number of VM instances bound to an affinity group. In addition, affinity groups have no quota limit, so you can create an unlimited number of affinity groups.
• The scope of an affinity group is the entire zone; the objects it acts on are all hosts that meet the constraints.
• A VM instance can be bound to only one affinity group at a time.
• To change the affinity group to which a VM instance belongs, the VM instance must be in the running or stopped state.
• After you change the affinity group of a VM instance on local storage, the host where the VM instance last ran is preferred when the VM instance is enabled, without following the new group policy, to avoid unnecessary migrations.
• After you change the affinity group of a VM instance on shared storage, the host where the VM instance runs is chosen according to the new group policy.
• If you bind or unbind a VM instance, the affinity group policy takes effect immediately. Only VM instances in the stopped state on shared storage can be bound to an affinity group whose policy takes effect when the VM instances are started next time.
• Migrating VM instances also follows the affinity group policy.
• By default, all vRouters and VPC vRouters belong to one affinity group, known as the system affinity group, which uses the anti-affinity group (soft) policy. This affinity group only allows the enable and disable operations; no other operations are allowed.
• Both admin accounts and regular accounts are allowed to create affinity groups.
• Admin accounts can manage all affinity groups, while regular accounts can only manage the affinity groups that they own.

7.1.4.3.2 VM Instance

This topic mainly describes how to use affinity groups for better management of VM instances and hosts through the Resource Pool > VM Instance entrance.

Create VM Instance with Affinity Group
In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > VM Instance. On the VM Instance management page, click Create VM Instance. On the displayed Create VM Instance page, set the following parameters:
• Add Type: Select single.
• Name: Enter a name for the VM instance.
• Description: Optional. Enter a description for the VM instance.
• Instance Offering: Select an appropriate instance offering.
• Image: Select an image for the VM instance.
• Network: Select a network for the VM instance.
• Advanced: Optional. Customize the advanced settings for the VM instance as needed. If you want the VM instance to follow an affinity group policy, select an affinity group as follows:
  • Affinity Group: Select an existing affinity group, as shown in Figure 7-28: Create VM Instance with Affinity Group. Make sure that the affinity group has a policy and a type specified.
Figure 7-28: Create VM Instance with Affinity Group

VM Operations on Affinity Group
From a VM instance, you can perform the following operations related to affinity groups:
• Create VM instance by specifying affinity group: Specify an affinity group when you create a VM instance. The VM instance is then created according to the specified affinity group policy.
• Clone VM instance by specifying affinity group: Specify an affinity group when you clone a VM instance. The VM instance is then cloned according to the specified affinity group policy.
• Bind affinity group: Bind the VM instance to the affinity group. The affinity group policy then takes effect for the VM instance.
• Unbind affinity group: Unbind the VM instance from the affinity group. The affinity group policy takes effect immediately for the VM instance.

Constraints
When you create a VM instance and specify both an affinity group and a host in the VM advanced settings, note that:
• With an anti-affinity group (soft):
  ▬ When the specified host satisfies the conditions for creating the VM instances but does not meet the specified anti-affinity group (soft) policy, the VM instances are created successfully.
  ▬ When the specified host does not satisfy the conditions for creating the VM instances, creation fails.
• With an anti-affinity group (hard):
  ▬ When the specified host satisfies the conditions for creating the VM instances but does not meet the specified anti-affinity group (hard) policy, creation fails.
  ▬ When the specified host does not satisfy the conditions for creating the VM instance, creation fails.

7.1.4.4 Scenario Practice

The scenario practice of the two affinity group policies for better managing VM instances and hosts is introduced as follows:
• Anti-affinity group (soft) for VM instances and hosts
• Anti-affinity group (hard) for VM instances and hosts

7.1.4.4.1 VM Instance | Host Anti-Affinity Group (Soft)

Context
This topic mainly describes the scenario practice of the anti-affinity group (soft) policy for better managing VM instances and hosts.
Assumption: In a cluster environment, you prepare four business VM instances and deploy these VM instances dispersively across three different hosts.
Procedure:
1. Create an anti-affinity group (soft).
2. Create four business VM instances by specifying this anti-affinity group.
3. Verify that these four business VM instances are deployed dispersively across three different hosts as much as possible.

Procedure
1. Create an anti-affinity group (soft).
In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > Affinity Group. On the Affinity Group management page, click Create Affinity Group. On the displayed Create Affinity Group page, set the following parameters:
• Name: Enter a name for the affinity group, such as anti-affinity group (soft).
• Description: Optional. Enter a description for the affinity group.
• Policy: Specify the affinity group policy: anti-affinity group (soft).
You can create an anti-affinity group (soft), as shown in Figure 7-29: Create Anti-Affinity Group (Soft).
Figure 7-29: Create Anti-Affinity Group (Soft)
2.
Create four business VM instances by specifying this affinity group.
In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > VM Instance. On the VM Instance management page, click Create VM Instance. On the displayed Create VM Instance page, set the following parameters:
• Add Type: Select multiple.
• Create Count: Enter 4.
• Name: Enter a name for the VM instance.
• Description: Optional. Enter a description for the VM instance.
• Instance Offering: Select an appropriate instance offering.
• Image: Select an image for the VM instance.
• Network: Select a network for the VM instance.
• Advanced: Optional. Customize the advanced settings for the VM instance as needed. In this scenario practice, set the following parameter:
  ▬ Affinity Group: Select the existing anti-affinity group (soft), as shown in Figure 7-30: Create VM Instance with Affinity Group.
Figure 7-30: Create VM Instance with Affinity Group
3. Verify that these four business VM instances are deployed dispersively across three different hosts as much as possible.
On the VM Instance management page, verify that the four business VM instances are deployed across three different hosts and that the anti-affinity group (soft) policy has taken effect, as shown in Figure 7-31: Verify Anti-Affinity Group (Soft).
Figure 7-31: Verify Anti-Affinity Group (Soft)

7.1.4.4.2 VM Instance | Host Anti-Affinity Group (Hard)

Context
This topic mainly describes the scenario practice of the anti-affinity group (hard) policy for better managing VM instances and hosts.
Assumption: In a cluster environment, you prepare three business VM instances and deploy these VM instances dispersively across three different hosts.
Procedure:
1. Create an anti-affinity group (hard).
2. Create three business VM instances by specifying this anti-affinity group.
3.
Verify that these three business VM instances are dispersively deployed on three different hosts as much as possible. Procedure 1. Create an anti-affinity group (hard). In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > Affinity Group. On the Affinity Group management page, click Create Affinity Group. On the displayed Create Affinity Group page, set the following parameters: • Name: Enter a name for the affinity group, such as anti-affinity group (hard). • Description: Optional. Enter a description for the affinity group. • Policy: Specify an affinity group policy: anti-affinity group (hard). You can create an anti-affinity group (hard), as shown in Create Anti-Affinity Group (Hard). Figure 7-32: Create Anti-Affinity Group (Hard) 2. Create three business VM instances by specifying this anti-affinity group. In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > VM Instance. On the VM Instance management page, click Create VM Instance. On the displayed Create VM Instance page, set the following parameters: • Add Type: Select multiple. 226 Issue: V3.9.0User Guide / 7 Cloud Operations Guide • Create Count: Enter a number: 3. • Name: Enter a name for the VM instance. • Description: Optional. Enter a description for the VM instance. • Instance Offering: Select an appropriate instance offering. • Image: Select an image for the VM instance. • Network: Select a network for the VM instance. • Advanced: Optional. Customize your advanced settings for the VM instance as needed. In this scenario practice, set the following parameters: ▬ Affinity Group: Select the existing affinity group (hard), as shown in Create VM Instance with Affinity Group. Issue: V3.9.0 227User Guide / 7 Cloud Operations Guide Figure 7-33: Create VM Instance with Affinity Group 228 Issue: V3.9.0User Guide / 7 Cloud Operations Guide 3. Verify that these three business VM instances are dispersively deployed on three different hosts to the greatest extent. 
On the VM Instance management page, view that four business VM instances are dispersively deployed on three different hosts and the affinity group (hard) takes effect, as shown in Verify Anti-Affinity Group (Hard) . Figure 7-34: Verify Anti-Affinity Group (Hard) What''s next So far, we have introduced how to use these two affinity group policies for VM instances and hosts . 7.1.5 Instance Offering An instance offering is a specification of the VM CPU and memory, and defines the host allocator strategy, disk bandwidth, and network bandwidth. Issue: V3.9.0 229User Guide / 7 Cloud Operations Guide 7.1.5.1 Instance Offering Operations In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > Instance Offering. Then, the Instance Offering management page is displayed, as shown in Figure 7-35: Instance Offering Management Page. On the Instance Offering management page, you can view the instance offering information, such as the instance offering name, CPU, memory, state, status, and host allocation strategy. You can also create, enable, disable an instance offering, share an instance offering globally, recall an instance offering globally, or delete an instance offering. Figure 7-35: Instance Offering Management Page You can perform the following operations on an instance offering: • Create instance offering: Create an instance offering. • Enable: Enable an instance offering that is in the disabled state. You can enable instance offerings in bulk. • Disable: Disable an instance offering. After an instance offering is disabled, you cannot use it to create a VM instance. However, existing VM instances are not affected. You can disable instance offerings in bulk. • Share to all: After an instance offering is shared globally, it can be used by all accounts. You can share instance offerings in bulk. • Recall from all: After an instance offering is recalled globally, it becomes invisible to other accounts. You can recall instance offerings in bulk. 
• Delete: When you delete an instance offering, a dialog box prompts you to confirm the operation. You can delete instance offerings in bulk.
• Search: You can search for an instance offering by name or UUID, or use the advanced search.

7.1.5.2 Create Instance Offering
In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > Instance Offering. On the Instance Offering page, click Create Instance Offering. On the displayed Create Instance Offering page, set the following parameters:
• Name: Enter a name for the instance offering.
• Description: Optional. Enter a description for the instance offering.
• CPU: Set the number of CPU cores.
Note: Currently, a VM instance can have up to 240 CPU cores. Set the number of cores as needed.
• Memory: Set the memory size for the VM instance. Unit: MB | GB | TB.
• Host Allocation Strategy: When you create a VM instance from this instance offering, the cloud allocates a host for the VM instance according to this strategy. Default: Host with min. running VMs. The strategies are as follows:
▬ Host with min. running VMs: The host with the fewest running VM instances is chosen.
▬ Host with min. CPU utilization: The host with the lowest CPU utilization is chosen.
Note:
• The cloud collects the host CPU load over a period of time, calculates the average CPU usage for that period, and selects the host with the lowest average.
• By default, the collection cycle is 10 minutes. To change it, go to Settings > Global Settings > Advanced, locate Minimum interval of Host collecting CPU usage, and click the Edit icon.
▬ Host with min. memory utilization: The host with the lowest memory utilization is chosen.
Note:
• The cloud collects the host memory load over a period of time, calculates the average memory usage for that period, and selects the host with the lowest average.
• By default, the collection cycle is 10 minutes. To change it, go to Settings > Global Settings > Advanced, locate Minimum interval of Host collecting Memory usage, and click the Edit icon.
▬ Host with max. running VMs: The host with the most running VM instances is chosen. To use this strategy, you must set the maximum number of VM instances that can run on a host; the cloud then selects a host that still meets that limit. If no such host is available, the VM instance fails to be created.
▬ Host where the VM located last time: When you start a stopped VM instance, the cloud selects the host on which the VM instance ran last time. When you start a new VM instance for the first time, the cloud selects a host randomly.
▬ Random allocation: The cloud randomly selects a host.
• Strategy Pattern: Required if the host allocation strategy is Host with min. CPU utilization or Host with min. memory utilization. Options: Allocation Strategy (soft) | Allocation Strategy (hard).
▬ If the cloud can query the host load information, it creates the VM instances according to the host allocation strategy.
▬ If the cloud cannot query the host load information, it falls back to the strategy pattern:
■ Allocation strategy (soft): The cloud randomly allocates a host that has sufficient resources, ignoring the host allocation strategy.
■ Allocation strategy (hard): The cloud enforces the host allocation strategy, which can cause the VM creation to fail.
Use the hard pattern only where a failed creation is acceptable, because with this pattern the cloud does not fall back to a random host while the load data is unavailable.
• Disk Bandwidth: Optional. Set the upper limit of the root volume I/O bandwidth for the VM instance. If not specified, the I/O bandwidth is not limited. Unit: MB/s | GB/s | TB/s. The disk bandwidth parameter has two options:
▬ Total: Set the upper limit of the combined read and write speed of the VM root volume. The value must be an integer. Unit: MB/s | GB/s. Value range: 1 MB/s to 100 GB/s. See Figure 7-36: Total Bandwidth.
Figure 7-36: Total Bandwidth
▬ Read/Write: Set the following parameters:
■ Volume Read Bandwidth: Set the upper limit of the read speed of the VM root volume. The value must be an integer. Unit: MB/s | GB/s. Value range: 1 MB/s to 100 GB/s.
■ Volume Write Bandwidth: Set the upper limit of the write speed of the VM root volume. The value must be an integer. Unit: MB/s | GB/s. Value range: 1 MB/s to 100 GB/s.
See Figure 7-37: Read/Write Bandwidth.
Figure 7-37: Read/Write Bandwidth
• Network Bandwidth: Set the upper limit of the VM network bandwidth. The value must be an integer. Unit: Kbps | Mbps | Gbps. Value range: 8 Kbps to 100 Gbps.
▬ Upstream Bandwidth: Optional. Set the upper limit of the outbound (upload) bandwidth of the VM instance. If not specified, the upstream bandwidth is not limited. The value must be an integer. Unit: Kbps | Mbps | Gbps. Value range: 8 Kbps to 100 Gbps.
▬ Downstream Bandwidth: Optional. Set the upper limit of the inbound (download) bandwidth of the VM instance. If not specified, the downstream bandwidth is not limited. The value must be an integer. Unit: Kbps | Mbps | Gbps. Value range: 8 Kbps to 100 Gbps.
Note: Before you set these limits, make sure that you fully understand the disk bandwidth and network bandwidth configuration. A limit that is set too low can make uploads to or downloads from the VM instance fail.
• Advanced: You can configure advanced parameters in JSON format to customize the primary storage, billing type, and display attributes of the root volume. Sample:
    {
      "allocate": {
        "primaryStorage": {
          "type": "Enter the primary storage type. Options: Ceph | LocalStorage | NFS | SharedBlock.",
          "uuid": "Enter the primary storage UUID.",
          "poolNames": [
            "Enter the name of the Ceph pool. If the primary storage type is not Ceph, or if the primary storage is not specified, leave this field blank."
          ]
        }
      },
      "priceUserConfig": {
        "rootVolume": {
          "priceKeyName": "Customize the billing type of the root volume. This field is used for root volume billing."
        }
      },
      "displayAttribute": {
        "rootVolume": {
          "diskType": "Customize the display name of the root volume. This field is used for the display on the details page."
        }
      }
    }
The strings in the sample are placeholders that describe each field. Replace them with real values, and delete any part you do not need rather than submitting the placeholder text. The sample contains three configurations:
1. Configure the primary storage of the root volume.
    "allocate": {
      "primaryStorage": {
        "type": "Enter the primary storage type. Options: Ceph | LocalStorage | NFS | SharedBlock.",
        "uuid": "Enter the primary storage UUID.",
        "poolNames": [
          "Enter the name of the Ceph pool. If the primary storage type is not Ceph, or if the primary storage is not specified, leave this field blank."
        ]
      }
    }
• type: The primary storage type. Options: Ceph | LocalStorage | NFS | SharedBlock. If the type is Ceph, you can also specify a Ceph pool.
• uuid: The UUID of the primary storage.
• poolNames: The name of the Ceph pool. If the primary storage type is not Ceph, or if no primary storage is specified, this field is optional.
Note: If no primary storage is specified, you can delete this part or leave it unspecified.
2. Configure the billing type of the root volume.
    "priceUserConfig": {
      "rootVolume": {
        "priceKeyName": "Customize the billing type of the root volume. This field is used for root volume billing."
      }
    }
• priceKeyName: The custom billing type of the root volume, used for root volume billing.
Note: If no billing is required, you can delete this part or leave it unspecified.
3. Configure the display attributes of the root volume.
    "displayAttribute": {
      "rootVolume": {
        "diskType": "Customize the display name of the root volume. This field is used for the display on the details page."
      }
    }
• rootVolume: The display attributes of the root volume, such as diskType, the display name shown on the details page. You can configure multiple attributes in key-value format.
Note: If no special display is required, you can delete this part or leave it unspecified.
See Figure 7-38: Create Instance Offering. Click OK to finish creating the instance offering.
Figure 7-38: Create Instance Offering

7.1.6 Disk Offering
A disk offering is a specification of a volume. It defines the size of the volume and how the volume is created. Disk offerings can be used to create both root volumes and data volumes.

7.1.6.1 Disk Offering Operations
In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > Disk Offering. The Disk Offering management page is displayed, as shown in Figure 7-39: Disk Offering Management Page.
On the Disk Offering management page, you can view disk offering information such as the name, capacity, and state. You can also create, enable, or disable a disk offering, share a disk offering globally, recall it globally, or delete it.
Figure 7-39: Disk Offering Management Page
You can perform the following operations on a disk offering:
• Create disk offering: Create a new disk offering.
• Enable: Enable a disk offering that is in the Disabled state. You can enable disk offerings in bulk.
• Disable: Disable a disk offering.
After a disk offering is disabled, you cannot use it to create a volume; existing volumes are not affected. You can disable disk offerings in bulk.
• Share to all: After a disk offering is shared globally, all accounts can use it. You can share disk offerings in bulk.
• Recall from all: After a disk offering is recalled globally, it becomes invisible to other accounts. You can recall disk offerings in bulk.
• Delete: When you delete a disk offering, a dialog box prompts you to confirm the operation. You can delete disk offerings in bulk.
• Search: You can search for a disk offering by name or UUID, or use the advanced search.

7.1.6.2 Create Disk Offering
In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > Disk Offering. On the Disk Offering page, click Create Disk Offering. On the displayed Create Disk Offering page, set the following parameters:
• Name: Enter a name for the disk offering.
• Description: Optional. Enter a description for the disk offering.
• Size: Set the volume size.
• Disk Bandwidth: Optional. Set the upper limit of the volume I/O bandwidth. If not specified, the I/O bandwidth is not limited. Unit: MB/s | GB/s | TB/s. The disk bandwidth parameter has two options:
▬ Total: Set the upper limit of the combined read and write speed of the volume. See Figure 7-40: Total Bandwidth.
Figure 7-40: Total Bandwidth
▬ Read/Write: Set the following parameters, as shown in Figure 7-41: Read/Write Bandwidth:
■ Volume Read Bandwidth: Set the upper limit of the read speed of the volume.
■ Volume Write Bandwidth: Set the upper limit of the write speed of the volume.
Figure 7-41: Read/Write Bandwidth
• Advanced: You can configure advanced parameters in JSON format to customize the primary storage, billing type, and display attributes of the data volume. The format is the same as for an instance offering, except that the billing and display sections use the key volume instead of rootVolume. Sample:
    {
      "allocate": {
        "primaryStorage": {
          "type": "Enter the primary storage type. Options: Ceph | LocalStorage | NFS | SharedBlock.",
          "uuid": "Enter the primary storage UUID.",
          "poolNames": [
            "Enter the name of the Ceph pool. If the primary storage type is not Ceph, or if the primary storage is not specified, leave this field blank."
          ]
        }
      },
      "priceUserConfig": {
        "volume": {
          "priceKeyName": "Customize the billing type of the data volume. This field is used for data volume billing."
        }
      },
      "displayAttribute": {
        "volume": {
          "diskType": "Customize the display name of the data volume. This field is used for the display on the details page."
        }
      }
    }
The strings in the sample are placeholders that describe each field. Replace them with real values, and delete any part you do not need rather than submitting the placeholder text. The sample contains three configurations:
1. Configure the primary storage of the data volume.
    "allocate": {
      "primaryStorage": {
        "type": "Enter the primary storage type. Options: Ceph | LocalStorage | NFS | SharedBlock.",
        "uuid": "Enter the primary storage UUID.",
        "poolNames": [
          "Enter the name of the Ceph pool. If the primary storage type is not Ceph, or if the primary storage is not specified, leave this field blank."
        ]
      }
    }
• type: The primary storage type. Options: Ceph | LocalStorage | NFS | SharedBlock. If the type is Ceph, you can also specify a Ceph pool.
• uuid: The UUID of the primary storage.
• poolNames: The name of the Ceph pool. If the primary storage type is not Ceph, or if no primary storage is specified, this field is optional.
Note: If no primary storage is specified, you can delete this part or leave it unspecified.
2. Configure the billing type of the data volume.
    "priceUserConfig": {
      "volume": {
        "priceKeyName": "Customize the billing type of the data volume. This field is used for data volume billing."
      }
    }
• priceKeyName: The custom billing type of the data volume, used for data volume billing.
Note: If no billing is required, you can delete this part or leave it unspecified.
3. Configure the display attributes of the data volume.
    "displayAttribute": {
      "volume": {
        "diskType": "Customize the display name of the data volume. This field is used for the display on the details page."
      }
    }
• volume: The display attributes of the data volume, such as diskType, the display name shown on the details page. You can configure multiple attributes in key-value format.
Note: If no special display is required, you can delete this part or leave it unspecified.
See Figure 7-42: Create Disk Offering. Click OK to finish creating the disk offering.
Figure 7-42: Create Disk Offering

7.1.7 GPU Specifications
A GPU specification defines the frame count, video memory, resolution, and other parameters of a GPU. A GPU specification is either a physical GPU (pGPU) specification or a virtual GPU (vGPU) specification.
GPU Specifications Management Page
In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > GPU Specifications. The GPU Specifications management page is displayed, as shown in Figure 7-43: GPU Specifications Management Page.
Figure 7-43: GPU Specifications Management Page
The GPU Specifications management page has two tab pages:
• pGPU: Lists the pGPU specifications scanned on all hosts in the cloud and their basic information.
• vGPU: Lists the available vGPU specifications generated by virtual segmentation and their basic information.
pGPU Specifications
A pGPU specification defines the frame count, video memory, resolution, and other parameters of a pGPU.
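The following is an added example for the Advanced JSON parameter of the Create Instance Offering and Create Disk Offering pages above; it is not ZStack code. It builds the JSON from real values, emits only the parts that are set, and rejects the mistakes an operator can make when editing the sample: an unsupported primary storage type, a malformed UUID, Ceph pool names on non-Ceph storage, the rootVolume key in a disk offering (or volume in an instance offering), and placeholder sentences left in from the sample. The UUID format check (32 hex characters), the rejection of unknown top-level keys, and the sample values are assumptions of this example, not documented ZStack behavior.

```python
"""Validator and builder for the Advanced JSON field of an instance offering
(root volume) or a disk offering (data volume).

Added example, not ZStack code.  The three sections, their keys and the
primary storage types come from the samples in this guide; the UUID format
check, the rejection of placeholder text and the rejection of unknown keys
are assumptions made for this example."""
import json
import re

PRIMARY_STORAGE_TYPES = {"Ceph", "LocalStorage", "NFS", "SharedBlock"}
SECTIONS = {"allocate", "priceUserConfig", "displayAttribute"}
VOLUME_KEY = {"root": "rootVolume", "data": "volume"}   # instance offering vs disk offering
UUID_RE = re.compile(r"^[0-9a-f]{32}$")                 # assumed UUID format


class AdvancedConfigError(ValueError):
    """Raised for a config that is valid JSON but would misconfigure the offering."""


def validate_advanced_config(cfg, volume_kind):
    """Check a parsed Advanced config for a 'root' or 'data' volume offering.
    Returns True, or raises AdvancedConfigError with the first problem found."""
    vol_key = VOLUME_KEY[volume_kind]
    if not isinstance(cfg, dict):
        raise AdvancedConfigError("top-level value must be a JSON object")
    unknown = set(cfg) - SECTIONS
    if unknown:
        raise AdvancedConfigError(f"unknown top-level keys: {sorted(unknown)}")

    # 1. allocate.primaryStorage: type must be supported, uuid well formed,
    #    and Ceph pool names only make sense on Ceph.
    alloc = cfg.get("allocate", {})
    ps = alloc.get("primaryStorage", {}) if isinstance(alloc, dict) else None
    if not isinstance(ps, dict):
        raise AdvancedConfigError("allocate.primaryStorage must be a JSON object")
    stype, uuid, pools = ps.get("type"), ps.get("uuid"), ps.get("poolNames") or []
    if stype is not None and stype not in PRIMARY_STORAGE_TYPES:
        raise AdvancedConfigError(f"unsupported primary storage type {stype!r}")
    if uuid is not None and not (isinstance(uuid, str) and UUID_RE.match(uuid)):
        raise AdvancedConfigError(f"malformed primary storage uuid {uuid!r}")
    if pools and stype != "Ceph":
        raise AdvancedConfigError("poolNames is only valid when type is Ceph")

    # 2./3. billing and display sections must use the key for this volume kind:
    #    rootVolume for an instance offering, volume for a disk offering.
    for section in ("priceUserConfig", "displayAttribute"):
        if section in cfg and (not isinstance(cfg[section], dict)
                               or set(cfg[section]) != {vol_key}):
            raise AdvancedConfigError(
                f"{section} must contain exactly the key {vol_key!r} for a {volume_kind} volume")

    # The sample's placeholder sentences must never be submitted as values.
    for s in _strings(cfg):
        if s.startswith(("Enter ", "Customize ")):
            raise AdvancedConfigError(f"placeholder text left in config: {s[:40]!r}...")
    return True


def _strings(obj):
    """Yield every string value in a nested JSON structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def check_submitted_json(text, volume_kind):
    """Parse the text typed into the Advanced field and validate it."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        raise AdvancedConfigError(f"not valid JSON: {e}") from None
    validate_advanced_config(cfg, volume_kind)
    return cfg


def build_advanced_config(volume_kind, storage_type=None, storage_uuid=None,
                          pool_names=(), price_key=None, display=None):
    """Emit Advanced JSON containing only the parts that were actually set,
    since the guide says unused parts may be deleted rather than left as text."""
    vol_key = VOLUME_KEY[volume_kind]
    cfg = {}
    if storage_type or storage_uuid or pool_names:
        ps = {}
        if storage_type:
            ps["type"] = storage_type
        if storage_uuid:
            ps["uuid"] = storage_uuid
        if pool_names:
            ps["poolNames"] = list(pool_names)
        cfg["allocate"] = {"primaryStorage": ps}
    if price_key:
        cfg["priceUserConfig"] = {vol_key: {"priceKeyName": price_key}}
    if display:
        cfg["displayAttribute"] = {vol_key: dict(display)}
    validate_advanced_config(cfg, volume_kind)
    return json.dumps(cfg, indent=2)
```

Run check_submitted_json on the text before saving the offering. A config that fails here would otherwise reach the cloud with a meaningless storage type or UUID, or with billing and display attributes attached to the wrong volume key, and the mistake would only show up when a VM instance or volume is created from the offering.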
pGPU Operations
You can perform the following operations on a pGPU specification:
• Enable: Enable the pGPU specification. After it is enabled, the pGPU specification can be used to allocate a pGPU to a VM instance.
• Disable: Disable the pGPU specification. After it is disabled, the pGPU specification cannot be used to allocate a pGPU to a VM instance.
• Set ROM: Set the ROM for the pGPU that corresponds to this pGPU specification, for use with GPU pass-through.
▬ Obtain the required ROM file from the official website of the graphics card vendor. Because the file is written directly to the device, upload only a file obtained from the vendor and check its integrity (for example, against a checksum the vendor publishes) before you upload it.
▬ After a ROM file is uploaded, it is applied directly to the pGPU device that corresponds to the pGPU specification.
▬ A newly uploaded ROM file overwrites the previously uploaded one.
• Share To All: Share the pGPU specification with all accounts or projects, which can then use it to allocate a pGPU to VM instances.
• Recall From All: Recall the pGPU specification globally. Resources that are already using it are not affected, but the pGPU specification can no longer be used to allocate a pGPU to a VM instance.
vGPU Specifications
A vGPU specification is generated from a pGPU by virtual segmentation and defines the frame count, video memory, resolution, and other parameters of a vGPU.
vGPU Operations
You can perform the following operations on a vGPU specification:
• Enable: Enable the vGPU specification. After it is enabled, the vGPU specification can be used to allocate a vGPU to a VM instance.
• Disable: Disable the vGPU specification. After it is disabled, the vGPU specification cannot be used to allocate a vGPU to a VM instance.
• Share To All: Share the vGPU specification with all accounts or projects, which can then use it to allocate a vGPU to VM instances.
• Recall From All: Recall the vGPU specification globally.
After a vGPU specification is recalled, resources that are already using it are not affected, but the vGPU specification can no longer be used to allocate a vGPU to a VM instance.

7.1.8 Snapshot
A snapshot is a point-in-time capture of the data on a disk. Before you perform a mission-critical operation, take a snapshot of the root volume or data volume of the VM instance so that you can roll back immediately if the operation fails. For long-term backup, use the disaster recovery services instead.
Snapshot Management Page
In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > Snapshot. The Snapshot management page is displayed, as shown in Figure 7-44: Snapshot Management Page.
Figure 7-44: Snapshot Management Page
The Snapshot management page has two tab pages:
• VM Instance: Lists the VM instances that have snapshots, with the VM name, VM state, snapshot count, snapshot size, and other basic information.
▬ Click the Snapshot Count drop-down arrow to sort VM instances by snapshot count.
▬ Click the Snapshot Size drop-down arrow to sort VM instances by snapshot size.
• Volume: Lists the volumes that have snapshots, with the volume name, volume state, volume status, snapshot count, snapshot size, and other basic information.
▬ Click the Snapshot Count drop-down arrow to sort volumes by snapshot count.
▬ Click the Snapshot Size drop-down arrow to sort volumes by snapshot size.
On the Snapshot management page, you can perform the following operations:
• Refresh: Refresh the snapshot list by clicking Refresh in the upper left corner.
• Search: Search for a VM instance or volume by name by clicking Search next to Refresh.
• Filter: Flip pages or change the number of items displayed per page by clicking Filter in the upper right corner.
The number of items displayed per page can be 10, 20, 50, or 100.
VM Snapshot
• VM snapshot management: On the VM Instance tab page, click the name of a VM instance. The VM snapshot management page is displayed, as shown in Figure 7-45: VM Snapshot Management Page.
Figure 7-45: VM Snapshot Management Page
• You can create snapshots of running or stopped VM instances.
• You cannot create a batch snapshot of a VM instance that has a shared volume attached.
• In a production environment, we recommend that you keep no more than 5 snapshots per disk. Excessive snapshots can degrade the I/O performance, data security, and primary storage capacity of the affected VM instances and volumes. For long-term backup, use the disaster recovery services instead.
• To ensure data integrity in a production environment, do not take snapshots of VM instances under heavy I/O. While a high-I/O operation is in progress, some data in the VM memory may not yet have been written to disk, and that data is not captured in the snapshot.
• A snapshot of a VM instance on Ceph primary storage does not occupy capacity. The displayed snapshot capacity is therefore the actual capacity of the VM root volume at the time the snapshot was created.
• For Ceph primary storage, the VM snapshot capacity may not be obtainable:
▬ Open source Ceph (version H) and enterprise-level Ceph earlier than 3.2.0 cannot report VM snapshot capacity.
▬ Because of the RBD format, enterprise-level Ceph 3.2.0 and later may fail to report VM snapshot capacity.
• You can perform the following operations on a VM snapshot:
• Create: Create a snapshot of a running or stopped VM instance. A VM snapshot is either a single snapshot or a batch snapshot.
▬ Single snapshot: Snapshots only the VM root volume.
▬ Batch snapshot: Snapshots the VM root volume and all attached data volumes together. Restoring the batch snapshot restores the VM instance and its attached data volumes.
Note: Currently, if a VM instance has a shared volume attached, you cannot snapshot all of its data volumes at the same time.
See Figure 7-46: Create VM Snapshot.
Figure 7-46: Create VM Snapshot
• Restore: Roll the data back to the point in time at which the snapshot was taken.
Note:
• A single snapshot restores only the VM root volume to the point in time at which the snapshot was taken.
• A batch snapshot restores both the root volume and the data volumes to that point in time.
• You can restore a snapshot only to a stopped VM instance. Stop the VM instance before you restore.
• You can choose whether the VM instance starts automatically after the restore.
• If a batch snapshot is shown as not restorable, the possible reasons are as follows:
▬ At least one data volume snapshot in the batch was deleted. You can then restore only single snapshots.
▬ At least one data volume that was attached to the VM instance was deleted. You can then restore only single snapshots.
▬ At least one data volume that was attached to the VM instance was detached. You can then restore only single snapshots. To restore the batch snapshot, attach the detached data volumes to the VM instance again.
▬ A new data volume was attached to the VM instance. You can then restore only single snapshots. To restore the batch snapshot, detach the new data volume from the VM instance.
• Delete: Delete a snapshot that you no longer need. You can delete snapshots in bulk.
Note:
• On local storage, NFS, Shared Mount Point (SMP), and Shared Block primary storage, snapshots form a tree. Deleting the root snapshot also deletes the snapshots on its branches and detaches the batch snapshots on those branches. Exercise caution.
• On Ceph primary storage, snapshots are independent and do not form a tree. Deleting a snapshot does not affect other snapshots.
• When you delete snapshots in a tree in bulk, the cloud automatically works out the candidate snapshots and cascades the deletion to the associated snapshots.
• If the snapshots to be deleted include batch snapshots, note that:
▬ Deleting a batch snapshot also deletes the data volume snapshots in the batch and the snapshots on its branches. Exercise caution.
▬ Deleting single snapshots and batch snapshots together in bulk also deletes the single snapshots on the branches and detaches the batch snapshots on the branches.
• Detach batch snapshot: Detaching a batch snapshot turns it back into single snapshots and removes the association between the VM snapshot and the related volume snapshots. After detaching, the snapshots can no longer be restored together. Exercise caution.
Volume Snapshot
• Volume snapshot management: On the Volume tab page, click the name of a volume. The volume snapshot management page is displayed, as shown in Figure 7-47: Volume Snapshot Management Page.
Figure 7-47: Volume Snapshot Management Page
• In a production environment, we recommend that you keep no more than 5 snapshots per disk. Excessive snapshots can degrade the I/O performance, data security, and primary storage capacity of the affected VM instances and volumes. For long-term backup, use the disaster recovery services instead.
• Currently, you cannot create snapshots of shared volumes.
• A snapshot of a volume on Ceph primary storage does not occupy capacity. The displayed snapshot capacity is therefore the actual capacity of the volume at the time the snapshot was created.
• For Ceph primary storage, the volume snapshot capacity may not be obtainable:
▬ Open source Ceph (version H) and enterprise-level Ceph earlier than 3.2.0 cannot report volume snapshot capacity.
▬ Because of the RBD format, enterprise-level Ceph 3.2.0 and later may fail to report volume snapshot capacity.
• You can perform the following operations on a volume snapshot:
• Create: Create a snapshot of a volume.
▬ You cannot create snapshots of shared volumes created on Shared Block primary storage.
• Restore: Restore the volume data to the point in time at which the snapshot was taken.
▬ Before you restore a volume, stop the VM instance to which the volume is attached, or detach the volume from that VM instance.
• Delete: Delete a volume snapshot. You can delete volume snapshots in bulk.
▬ On local storage, NFS, Shared Mount Point (SMP), and Shared Block primary storage, snapshots form a tree. Deleting the root snapshot also deletes the snapshots on its branches and detaches the batch snapshots on those branches. Exercise caution.
▬ On Ceph primary storage, snapshots are independent and do not form a tree. Deleting a snapshot does not affect other snapshots.
▬ When you delete snapshots in a tree in bulk, the cloud automatically works out the candidate snapshots and cascades the deletion to the associated snapshots.
▬ If the snapshots to be deleted include batch snapshots, deleting the current snapshot also deletes the snapshots on its branches. The associated batch snapshots cannot be restored after the deletion. Exercise caution.
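The deletion and restorability rules above, as an added example that models them in Python; this is not ZStack code. The Snapshot and Batch classes, the uuids r1 to r3, d1, d2, B1 and B2, and the set of tree-structured storage types are assumptions made for the illustration. The rules implemented are the ones stated in the VM Snapshot and Volume Snapshot notes: on tree-structured storages a deletion cascades down the branches and detaches the batch snapshots it touches, a batch snapshot that is itself deleted takes its data volume snapshots with it, Ceph snapshots are independent, and a batch snapshot cannot be restored once a member snapshot or data volume was deleted, a data volume was detached, or a new data volume was attached.

```python
"""Model of the snapshot tree, batch snapshot and restorability rules from the
Snapshot page.  Added example, not ZStack code: the classes, uuids and the set
of tree-structured storage types are assumptions made for the illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Snapshots on these primary storages form a tree; Ceph snapshots are independent.
TREE_STORAGE = {"LocalStorage", "NFS", "SharedMountPoint", "SharedBlock"}


@dataclass
class Snapshot:
    uuid: str
    volume_uuid: str
    parent: Optional[str] = None        # parent in the snapshot tree, if any


@dataclass
class Batch:
    """A batch snapshot: one root volume snapshot plus one snapshot per data volume."""
    uuid: str
    root_snapshot: str
    data_snapshots: dict = field(default_factory=dict)   # data volume uuid -> snapshot uuid


class SnapshotStore:
    def __init__(self, storage_type):
        self.tree = storage_type in TREE_STORAGE
        self.snapshots, self.batches = {}, {}

    def add(self, *snaps):
        for s in snaps:
            self.snapshots[s.uuid] = s

    def subtree(self, uuid):
        """uuid plus every snapshot on the branches below it (tree storages only)."""
        if not self.tree:
            return [uuid]
        out, stack = [], [uuid]
        while stack:
            u = stack.pop()
            out.append(u)
            stack.extend(s.uuid for s in self.snapshots.values() if s.parent == u)
        return out

    def delete(self, uuids):
        """Delete the named snapshots; returns (deleted, detached_batches).
        Tree storages cascade down the branches; a batch whose root volume
        snapshot is named loses its data volume snapshots too; a batch that
        merely loses a member through the cascade is detached, not deleted."""
        named = set(uuids)
        doomed = set()
        for u in named:
            if u not in self.snapshots:
                raise KeyError(f"unknown snapshot {u}")
            doomed.update(self.subtree(u))
        for b in self.batches.values():
            if b.root_snapshot in named:
                for ds in b.data_snapshots.values():
                    if ds in self.snapshots:
                        doomed.update(self.subtree(ds))
        detached = []
        for bid, b in list(self.batches.items()):
            members = {b.root_snapshot, *b.data_snapshots.values()}
            if members & doomed:
                del self.batches[bid]
                if b.root_snapshot not in named:
                    detached.append(bid)
        for u in doomed:
            self.snapshots.pop(u, None)
        return sorted(doomed), sorted(detached)

    def detach_batch(self, batch_uuid):
        """The Detach batch snapshot operation: members become single snapshots."""
        del self.batches[batch_uuid]

    def batch_restore_blockers(self, batch_uuid, attached_data_volumes, existing_volumes):
        """Why a batch snapshot is shown as not restorable; an empty list means restorable."""
        b = self.batches.get(batch_uuid)
        if b is None:
            return ["batch snapshot has been deleted or detached"]
        reasons = []
        for vol, snap in b.data_snapshots.items():
            if snap not in self.snapshots:
                reasons.append(f"data volume snapshot {snap} was deleted")
            if vol not in existing_volumes:
                reasons.append(f"data volume {vol} was deleted")
            elif vol not in attached_data_volumes:
                reasons.append(f"data volume {vol} is detached; attach it again")
        for vol in sorted(set(attached_data_volumes) - set(b.data_snapshots)):
            reasons.append(f"new data volume {vol} is attached; detach it first")
        return reasons


def build_sample(storage_type):
    """Constructed sample: a root volume with three chained snapshots, one data
    volume with two, and batch snapshots B1 (r2 + d1) and B2 (r3 + d2)."""
    store = SnapshotStore(storage_type)
    store.add(Snapshot("r1", "root-vol"), Snapshot("r2", "root-vol", "r1"),
              Snapshot("r3", "root-vol", "r2"),
              Snapshot("d1", "data-vol"), Snapshot("d2", "data-vol", "d1"))
    store.batches["B1"] = Batch("B1", "r2", {"data-vol": "d1"})
    store.batches["B2"] = Batch("B2", "r3", {"data-vol": "d2"})
    return store
```

On the LocalStorage sample, build_sample("LocalStorage").delete(["r1"]) removes r1, r2 and r3 and detaches both batches, leaving d1 and d2 as single snapshots; deleting r2 instead also removes d1 and d2, because r2 is the root volume snapshot of batch B1. On Ceph the same call removes only r1. Before a restore, batch_restore_blockers returns the same conditions the UI lists when it marks a batch snapshot as not restorable, so the caller can tell the operator which volume to reattach or detach.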
7.2 Hardware
Hardware resources are the configuration information associated with the physical hardware environment. The hardware resources on the cloud mainly include:
• Zone: The largest resource definition in ZStack, including clusters, L2 networks, primary storages, and other resources. Generally, a zone corresponds to an equipment room of a data center.
• Cluster: A logical group of hosts (compute nodes). Generally, a cluster corresponds to a rack.
• Host: A physical server that provides compute, network, and storage for VM instances.
• Primary storage: A storage server used to store VM disk files (including root volumes, disk volumes, snapshots, and image caches). The supported primary storage types include LocalStorage, NFS, Shared Mount Point, Ceph, and Shared Block.
• Backup storage: A storage server used to store VM image templates (including ISOs). The supported backup storage types include ImageStore, SFTP (only for ZStack Community), and Ceph.
• SAN storage: LUN devices that are virtually split on an iSCSI-SAN or FC-SAN storage. These devices can be passed through directly to VM instances or can be added as Shared Block primary storages.
7.2.1 Zone
A zone is the largest resource definition in ZStack, including clusters, L2 networks, primary storages, and other resources.
• In a data center, a zone corresponds to a machine room.
• A zone defines a visibility boundary. Subresources within the same zone are visible to each other and can form relationships. Subresources in different zones are invisible to each other and cannot form mutual relationships.
• Resources in a zone are organized as shown in Zone Resource Structure.
Figure 7-48: Zone Resource Structure
When you organize a zone, note that:
1. Hosts in the same physical layer 2 broadcast domain must be in the same zone. These hosts can be grouped as one or more clusters.
2. A physical layer 2 broadcast domain cannot span multiple zones. Instead, it must be mapped as an L2 network in a single zone.
3. A primary storage cannot span multiple zones. Instead, it must be mapped as the primary storage in a single zone.
4. A data center can have multiple zones.
5. A zone can have one or more backup storages attached.
• Resources in a zone, such as primary storages, can only access the backup storages that are attached to the zone.
• A backup storage can be detached from a zone. After the backup storage is detached, resources in the zone no longer see the backup storage.
• If a backup storage is no longer accessible to resources of a zone due to network topology changes in a data center, you can detach the backup storage from this zone.
• To better manage the relationship between backup storages and zones, the UI specifies that a backup storage can only be attached to one zone at a time. That is, a backup storage that has been attached to a zone cannot be reattached to another zone. When you add a backup storage on the UI, the backup storage is automatically attached to the current zone. When you delete a zone, you also delete the backup storage attached to the zone.
7.2.1.1 Zone Management
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Zone. Then, the Zone management page is displayed, as shown in Zone Management Page.
Figure 7-49: Zone Management Page
On the Zone management page, check the information of all zones on the cloud, including zone names and states.
On the Zone management page, perform the following operations:
• Search: Quickly search for zones by zone name or UUID by clicking Search. In addition, you can conduct advanced searches. The usage of advanced search is identical to that of QueryZone. For more information, see zstack-cli Command Manual.
• List count: Display the zone count for each page by clicking List Count.
7.2.1.2 Create Zone
On the Zone management page, click Create Zone. On the displayed Create Zone page, set the following parameters:
• Name: Enter a name for the zone.
• Description: Optional. Enter a description for the zone.
You can create a zone, as shown in Create Zone.
Figure 7-50: Create Zone
7.2.1.3 Zone Operations
You can perform the following operations on a zone:
• Create zone: Create a new zone in the system.
• Enable: Enable the zone that you selected.
• Disable: Disable the zone that you selected.
Note:
• If you disable a zone, all subresources on the zone will be disabled as well.
• After you disable a zone, you can either manually reenable some clusters on the zone or create a new cluster on the current zone without reenabling the entire zone.
• Delete: Delete the zone that you selected.
Note: Exercise caution. If you delete a zone, all subresources on the zone will be deleted as well, such as clusters, hosts, networks, primary storages, and vCenters that you took over.
7.2.2 Cluster
A cluster is a logical group of hosts (compute nodes). In a real data center, a cluster usually maps to a rack.
When you organize a cluster, note that:
1. Hosts in the same cluster must be installed with the same operating system.
2. Hosts in the same cluster must have the same network configuration.
3. Hosts in the same cluster must be able to access the same primary storage.
4. Before a cluster can provide VM instance services, the cluster must have a primary storage and an L2 network attached.
5. The size of a cluster, which is the maximum number of hosts that the cluster can contain, is not enforced.
The relationship between a typical cluster and its associated resources is as follows.
Cluster | Zone
Operations on multiple clusters are supported.
That is, you can create more than one cluster in a zone, and allocate newly created hosts to different clusters as needed.
Cluster | Primary Storage and L2 Network
Primary storages and L2 networks can be attached to or detached from a cluster. The following diagram shows the relationship between a cluster and its primary storages and L2 networks, as shown in Figure 7-51: Relationship Between Cluster and Primary Storage, L2 Network.
Figure 7-51: Relationship Between Cluster and Primary Storage, L2 Network
Note: When you attach primary storages and L2 networks to a cluster, note that:
1. Cluster | Primary Storage
• A primary storage can be attached to one or more clusters.
• A cluster can have one or more primary storages attached.
The following are primary storages of the same type that a cluster can have:
• A cluster can have one or more LocalStorage primary storages attached.
• A cluster can have one or more NFS primary storages attached.
• A cluster can have one or more SharedBlock primary storages attached.
• A cluster can have one or more Shared Mount Point primary storages attached.
• A cluster can have only one Ceph primary storage attached.
The following are combinations of primary storages that a cluster can have:
• A cluster can have both a LocalStorage and an NFS primary storage attached.
• A cluster can have both a LocalStorage and a Shared Mount Point primary storage attached.
• A cluster can have both a LocalStorage and a SharedBlock primary storage attached.
• A cluster can have both a Ceph primary storage and a SharedBlock primary storage attached.
• A cluster can have both a Ceph primary storage and more than one SharedBlock primary storage attached.
The following table lists the relationship between primary storage and cluster, as shown in Table 7-1: Relationship Between Primary Storage and Cluster.
Table 7-1: Relationship Between Primary Storage and Cluster
Primary Storage | Cluster
LocalStorage | A cluster can have one or more LocalStorage primary storages attached.
NFS | A cluster can have one or more NFS primary storages attached.
SharedBlock | A cluster can have one or more SharedBlock primary storages attached.
Shared Mount Point | A cluster can have one Shared Mount Point primary storage attached.
Ceph | A cluster can have only one Ceph primary storage attached.
LocalStorage + NFS | A cluster can have one LocalStorage + one NFS primary storage attached.
LocalStorage + SMP | A cluster can have one LocalStorage + one Shared Mount Point primary storage attached.
LocalStorage + SharedBlock | A cluster can have one LocalStorage + one SharedBlock primary storage attached.
Ceph + SharedBlock | A cluster can have one Ceph + one SharedBlock primary storage attached, or one Ceph + multiple SharedBlock primary storages attached.
• When you attach multiple LocalStorage primary storages to a cluster, partition the corresponding URLs on the hosts before you add the hosts and primary storages, and make sure that each LocalStorage is deployed on an exclusive logical volume or physical disk.
• A primary storage can be accessed by all hosts in the cluster to which the primary storage belongs.
• If a primary storage cannot be accessed by hosts in the cluster due to network topology changes in the data center, you can detach the primary storage from the cluster.
2. Cluster | L2 Network
• A cluster can have one or more L2 networks attached. Also, an L2 network can be attached to one or more clusters.
• A cluster can have a VXLAN pool attached. The VNIs in the VXLAN pool can be used to create different VxlanNetworks.
• One NIC can have only one NoVlanNetwork created.
• For VlanNetwork, different VLAN IDs represent different L2 networks.
• If hosts in a cluster no longer exist in the layer 2 broadcast domain of an L2 network due to network topology changes in the data center, you can detach the L2 network from the cluster.
Cluster | Backup Storage
No direct dependency exists between a cluster and backup storage. A backup storage can provide services for multiple clusters.
Note:
• The primary storages and backup storages attached to the same cluster are associated with each other.
• A Ceph primary storage can work with backup storages of the ImageStore type.
• The following table lists the relationship between primary storage (PS) and backup storage (BS), as shown in Table 7-2: Relations Between Primary Storage and Backup Storage.
Table 7-2: Relations Between Primary Storage and Backup Storage
PS\BS | ImageStore | SFTP | Ceph
LocalStorage | ○ | ○ | ×
NFS | ○ | ○ | ×
Shared Mount Point | ○ | ○ | ×
Ceph | ○ | × | ○
SharedBlock | ○ | × | ×
7.2.2.1 Cluster Management
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Cluster. Then, the Cluster management page is displayed, as shown in Cluster Management Page.
Figure 7-52: Cluster Management Page
On the Cluster management page, check the information of all clusters in the current zone, including cluster names, hypervisors, host counts, available CPU capacity, available memory capacity, and states.
On the Cluster management page, perform the following operations on a cluster:
• Search: Quickly search for clusters by cluster name or UUID by clicking Search. In addition, you can conduct advanced searches. The usage of advanced search is identical to that of QueryCluster. For more information, see zstack-cli Command Manual.
• List count: Display the cluster count for each page by clicking List Count.
7.2.2.2 Create Cluster
On the Cluster management page, click Create Cluster. On the displayed Create Cluster page, set the following parameters:
• Zone: Displays the current zone.
• Name: Enter a name for the cluster.
• Description: Optional. Enter a description for the cluster.
• VDI Network: Optional. Enter a VDI network CIDR if you deployed a network used exclusively by VDI.
▬ If you deployed a network used exclusively by VDI, add the network directly to the cloud.
▬ A VDI network normally consumes a lot of bandwidth. An independent VDI network avoids network congestion and improves transmission efficiency.
▬ If not set, VDI uses the management network by default.
• Migration Network: Optional. Enter a CIDR for a migration network if you deployed a network used exclusively by VM migrations.
▬ If you deployed a network used exclusively by VM migrations, add the network directly to the cloud.
▬ An independent migration network avoids network congestion and improves transmission efficiency.
▬ If not set, VM migrations use the management network by default.
• Advanced: Expand Advanced to set advanced parameters for the cluster.
▬ VM CPU Model: Specify a VM CPU model for a KVM cluster, as shown in VM CPU Model.
Figure 7-53: VM CPU Model
Note:
• By default, none is selected. In the global settings, VM CPU Model determines the CPU model of VM instances in the current cluster. VM CPU Model has the following three modes:
▬ none: The VM CPU model will be inconsistent with the host CPU model.
▬ host-model: The VM CPU model will be consistent with the host CPU model, such as a Haswell Intel CPU.
▬ host-passthrough: The VM CPU model and attributes will be strictly consistent with the host CPU model and attributes. For example, EPT, large-page memory, and virtualization are supported.
• If you select one specific CPU model, VM instances in the current cluster will uniformly be configured with that CPU model.
• If you select host-passthrough, the VM CPU model in the current cluster will be consistent with the host CPU model.
▬ Host CPU Model: Select the checking mechanism for the host CPU model in the current KVM cluster, as shown in Host CPU Model.
Figure 7-54: Host CPU Model
Note:
• The host CPU model has the following three setting methods: Use global setting, Check, and Not Checking.
▬ Use global setting: By default, Use global setting is selected. In the global settings, Host CPU Model checking determines the host CPU model check in the current cluster. Host CPU Model checking has the following two modes:
■ true: When you hot migrate VM instances or add hosts, the system checks whether the source host CPU model is consistent with the destination host CPU model. If inconsistent, the system does not allow you to hot migrate the VM instances or add the hosts.
■ false: When you hot migrate VM instances or add hosts, the system does not check whether the source host CPU model is consistent with the destination host CPU model.
▬ Check: When you hot migrate VM instances or add hosts, the system checks whether the source host CPU model is consistent with the destination host CPU model in the current cluster. If inconsistent, the system does not allow you to hot migrate the VM instances or add the hosts.
▬ Not Checking: When you hot migrate VM instances or add hosts, the system does not check whether the source host CPU model is consistent with the destination host CPU model in the current cluster.
• Technically, consistency between host CPU models helps ensure that VM instances can be migrated successfully.
▬ Type: Select a hypervisor type, including KVM and XDragon.
You can create a cluster, as shown in Create Cluster.
Figure 7-55: Create Cluster
7.2.2.3 Cluster Operations
You can perform the following operations on a cluster:
• Create cluster: Create a new cluster in the current zone.
• Enable: Enable the cluster that you selected.
• Disable: Disable the cluster that you selected.
Note:
• If you disable a cluster, all hosts on the cluster will be disabled as well.
• After you disable a cluster, you can either manually reenable some hosts on the cluster or add a new host to the current cluster without reenabling the entire cluster.
• Attach or detach L2 network: Attach an L2 network to the cluster or detach an L2 network from the cluster.
• Attach or detach primary storage: Attach a primary storage to the cluster or detach a primary storage from the cluster.
Note: Exercise caution. When you detach a primary storage from a cluster, note that:
• All VM instances on the primary storage will be stopped.
• All vRouters or VPC vRouters on the primary storage will be deleted, and the network services of associated VM instances will be abnormal.
• All volumes on the primary storage will probably be used normally.
• Delete: Delete the cluster that you selected.
Note:
• If you delete a cluster, all hosts on the cluster will be deleted as well.
• Exercise caution. If your primary storage is LocalStorage, all VM instances and volumes on the hosts will be deleted as well.
7.2.3 Host
A host, also known as a compute node, is a physical server that provides VM instances with compute, network, and storage resources.
• Hosts are the core asset in ZStack. VM instances run on hosts, as shown in Figure 7-56: Host.
Figure 7-56: Host
7.2.3.1 Host Management
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Host. Then, the Host management page is displayed, as shown in Host Management Page.
Figure 7-57: Host Management Page
On the Host management page, check information about all the hosts that are running in the current zone, including host names, tags, host IP addresses, clusters, states, and statuses.
On the Host management page, you can perform the following operations:
• Search: Click the Search icon. Then, you can search for a host by entering its name, UUID, or IP address. You can also use the advanced search method, which is the same as calling the QueryHost API. For more information, see the CLI manual.
▬ When you use the advanced search, note that:
■ A search expression includes three parts: a parameter, a query condition, and a value. For more information about the search syntax, see the Query API section in API Reference.
■ Cross-table queries are supported. The parameter parts of a search expression must be separated by a period (.).
■ Combination queries with multiple conditions are supported. Multiple search expressions must be separated by a space.
▬ The following are some advanced search examples:
■ Search by hypervisor type: hypervisorType=KVM
■ Search by host state or status: state=Enabled or status=Connected
■ Search by cluster UUID: cluster.uuid!=b7c14dc077f244c6825139e2afd2e82d
■ Search by VM UUID: vmInstance.uuid=1b6d1e95e37547d19654b4e09653381e
■ Search by primary storage UUID: cluster.primaryStorage.uuid=d4c96e17010f4461a5112c19da85410d
• Export CSV: Click the Export CSV icon at the upper right. Then, you can export a list of hosts on the current page or on all related pages.
• Row count: Click the Row Count drop-down arrow. Then, you can select the number of hosts displayed on each page.
• Tag: Create tags for resources in a custom manner. With resource tags, you can quickly filter the required resources by tag type and tag name.
▬ Filter resource: Click the Tag button. Then, a tag list is displayed. After you select one or more tags in the tag list, resources bound to the tags are automatically filtered.
▬ Display tag: Click the Tag button. Then, a tag list is displayed. If you have too many tags, find the required tags by dragging the scroll bar.
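To make the advanced search syntax above concrete, here is an added example (not ZStack's own code) that evaluates such expressions against a few constructed host records. It implements only the = and != conditions shown on this page, joins a dotted parameter across lists (such as vmInstance) by matching any element, and treats the space-separated expressions as conditions that must all hold; the host records, placeholder UUIDs and field names other than those quoted on this page are assumptions.

```python
"""Evaluate ZStack-style advanced search expressions against host records.

Added example, not ZStack's own code. It models the syntax described above:
<parameter><condition><value>, dotted parameters for cross-table queries, and
several space-separated expressions that must all hold. Only the = and !=
conditions shown on this page are implemented; the full operator set is in
the Query API section of the API Reference.
"""
import re
from typing import Any, Dict, List, Tuple

# parameter, condition, value; the parameter may be a dotted path (cluster.uuid)
_EXPR = re.compile(r"^(?P<param>[A-Za-z_][\w.]*)(?P<op>!=|=)(?P<value>\S+)$")

# Constructed sample hosts: the UUIDs are the example values quoted on this page,
# the other values are placeholders.
SAMPLE_HOSTS: List[Dict[str, Any]] = [
    {"name": "host-a", "hypervisorType": "KVM", "state": "Enabled", "status": "Connected",
     "cluster": {"uuid": "b7c14dc077f244c6825139e2afd2e82d",
                 "primaryStorage": [{"uuid": "d4c96e17010f4461a5112c19da85410d"}]},
     "vmInstance": [{"uuid": "1b6d1e95e37547d19654b4e09653381e"}]},
    {"name": "host-b", "hypervisorType": "KVM", "state": "Disabled", "status": "Connected",
     "cluster": {"uuid": "cluster-2-placeholder", "primaryStorage": []},
     "vmInstance": []},
    {"name": "host-c", "hypervisorType": "XDragon", "state": "Enabled", "status": "Disconnected",
     "cluster": {"uuid": "cluster-2-placeholder",
                 "primaryStorage": [{"uuid": "ps-2-placeholder"}]},
     "vmInstance": [{"uuid": "vm-2-placeholder"}]},
]


def parse_query(query: str) -> List[Tuple[str, str, str]]:
    """Split a query into (parameter, condition, value) triples; reject malformed parts."""
    exprs = []
    for token in query.split():
        m = _EXPR.match(token)
        if m is None:
            raise ValueError(f"invalid search expression: {token!r}")
        exprs.append((m["param"], m["op"], m["value"]))
    if not exprs:
        raise ValueError("empty query")
    return exprs


def _resolve(record: Dict[str, Any], path: str) -> List[str]:
    """Follow a dotted path; a list on the way (cross-table join) fans out to every element."""
    current: List[Any] = [record]
    for key in path.split("."):
        nxt: List[Any] = []
        for item in current:
            if isinstance(item, dict) and key in item:
                child = item[key]
                nxt.extend(child if isinstance(child, list) else [child])
        current = nxt
    # only scalar leaves can be compared with the value
    return [str(v) for v in current if not isinstance(v, (dict, list))]


def matches(record: Dict[str, Any], exprs: List[Tuple[str, str, str]]) -> bool:
    """All expressions must hold (the space-separated combination query)."""
    for param, op, value in exprs:
        hit = value in _resolve(record, param)  # '=' holds if any joined row equals the value
        if (op == "=") != hit:                  # '!=' holds only if no joined row equals it
            return False
    return True


def search_hosts(hosts: List[Dict[str, Any]], query: str) -> List[str]:
    """Return the names of the hosts matching the query, in listing order."""
    exprs = parse_query(query)
    return [h["name"] for h in hosts if matches(h, exprs)]


if __name__ == "__main__":
    for q in ("hypervisorType=KVM", "state=Enabled status=Connected",
              "cluster.uuid!=b7c14dc077f244c6825139e2afd2e82d",
              "vmInstance.uuid=1b6d1e95e37547d19654b4e09653381e",
              "cluster.primaryStorage.uuid=d4c96e17010f4461a5112c19da85410d"):
        print(f"{q:62s} -> {search_hosts(SAMPLE_HOSTS, q)}")
```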
Note:
• The tag list is displayed according to the tag role (admin or tenant). You can switch roles by clicking the Tag drop-down arrow.
• Resource tags can be sorted by creation time or by tag name (priority: characters > numbers > Chinese characters > English characters). To change the sort order, go to Settings > Global Settings > Advanced, locate Tag sorting field, and click the Edit icon. By default, tags are sorted by tag name.
▬ Search tag: In the search box at the top of the tag list, enter a tag name or a keyword to search for the tag that you want. This operation is intended for scenarios with many tags; when there are few tags, we recommend that you use the scroll bar instead.
▬ Create tag: In the lower left corner of the displayed tag list, click Create Tag. Then, you can create tags as needed. For more information about tag creation and notices, see Tag.
▬ Tag management: In the lower right corner of the displayed tag list, click Tag Management. Then, the Tag page is displayed. This page displays a list of tags. On this page, you can create a tag, delete a tag, or unbind a tag from a resource. For more information, see Tag.
Note: Hosts can only bind admin tags.
7.2.3.2 Add Host
ZStack allows you to add hosts via the following two methods:
• Manual add
• Use template
Manual Add
On the Host page, click Add Host. On the displayed Add Host page, select Manual Add, and then set the following parameters:
• Name: Enter a name for the host.
• Description: Optional. Enter a description for the host.
• Cluster: Select the cluster to which the host belongs.
• Add IP/IP range: Select either an IP address or an IP range to add the host. You can add up to 500 hosts at a time. You can either specify an IP address or an IP range for a host.
• To specify an IP address for a host, set the following parameters:
▬ Host IP: Enter an IP address for the host.
▬ Scan host IOMMU setting: Select this checkbox if you need to use the physical GPU pass-through feature or the vGPU feature.
Note:
• If you scan hosts by using an IOMMU device, the physical GPU pass-through feature or the vGPU feature will be supported.
• If not selected, CPUs on the host disable IOMMU. This checkbox is not selected by default.
• If selected, CPUs on the host enable IOMMU, and all available GPU devices on the host are traversed. Make sure that Intel VT-d or AMD IOMMU is enabled in the host BIOS.
• If you enable IOMMU for the first time, reboot the host to verify that the IOMMU configuration on the CPUs takes effect.
▬ Disable Intel EPT support: Disable or enable the Intel EPT support feature.
Note:
• This checkbox is not selected by default, indicating that Intel EPT support is enabled.
• If the CPU models on your servers are too old, you may fail to create VM instances or be unable to open the console UIs of the VM instances. You can select this checkbox to disable the Intel EPT support feature.
• You can change the enabled or disabled state of the Intel EPT support feature on the host details page.
• This feature only applies to Intel CPUs.
▬ SSH Port: Set an SSH port for the host. Default port: 22.
▬ User Name: Use either the default user name (root) or enter a regular user name for the host.
▬ Password: Enter the corresponding user password for the host.
▬ Add More Host: Click the Plus sign (+) button to continue adding more hosts. The same user name and password are used by default when you add more hosts. If the user names and passwords differ, customize a user name and a password for each host as needed. As shown in Add Host with IP Address.
Figure 7-58: Add Host with IP Address
• To specify an IP range, set the following parameters:
▬ Start IP: Enter the start IP address of the host IP range that you preconfigured.
▬ End IP: Enter the end IP address of the host IP range that you preconfigured.
▬ Scan host IOMMU setting: Select this checkbox if you need to use the physical GPU pass-through feature or the vGPU feature.
Note:
• If you scan hosts by using an IOMMU device, the physical GPU pass-through feature or the vGPU feature will be supported.
• If not selected, CPUs on the hosts disable IOMMU. This checkbox is not selected by default.
• If selected, CPUs on the hosts enable IOMMU, and all available GPU devices on the hosts are traversed. Make sure that Intel VT-d or AMD IOMMU is enabled in the BIOS of each host.
• If you enable IOMMU for the first time, reboot the hosts to verify that the IOMMU configuration on the CPUs takes effect.
▬ Disable Intel EPT support: Disable or enable the Intel EPT support feature.
Note:
• This checkbox is not selected by default, indicating that Intel EPT support is enabled.
• If the CPU models on your servers are too old, you may fail to create VM instances or be unable to open the console UIs of the VM instances. You can select this checkbox to disable the Intel EPT support feature.
• You can change the enabled or disabled state of the Intel EPT support feature on the host details page.
• This feature only applies to Intel CPUs.
▬ SSH Port: Set a single SSH port for all the hosts that you add in bulk. Default port: 22.
▬ User Name: Use the default user name or enter a single user name for all the hosts that you add in bulk.
▬ Password: Set a single password for all the hosts that you add in bulk.
As shown in Add Host with IP Range.
Figure 7-59: Add Host with IP Range
Note: In production environments, we recommend that you separate management networks from public networks to ensure your cloud security to the greatest extent. In addition, make sure that the management networks have enough network bandwidth.
You can add a host and configure its IP address by selecting Manual Add, as shown in Add Host with Manual Add Method.
Figure 7-60: Add Host with Manual Add Method
Use Template
You can add a host by selecting Use Template, as shown in Add Host with Use Template Method.
Figure 7-61: Add Host with Use Template Method
Procedure:
1. Download a configuration template file. Click Download Template to download the configuration template file in CSV format, as shown in Configuration Template File.
Figure 7-62: Configuration Template File
2. Enter the configuration information for the host according to the required format. The configuration template includes the table title and a column of examples. When you edit the configuration template, delete or overwrite these examples. To edit the configuration template, set the following parameters:
• Name: Enter a name for the host. If null, the system allocates a default name (HOST-<host IP address>) to the host.
• Description: Optional. Enter a description for the host.
• Cluster: Enter the UUID of the cluster to which the host belongs.
• Host IP: Enter an IP address or an IP range for the host. If you enter multiple IP ranges for the host, use commas to separate the ranges. A leading ^ means that the IP range is excluded. For example: 127.0.0.1-127.0.0.10,^127.0.0.2-127.0.0.3
• Scan host IOMMU setting: Select whether to enable the scan host IOMMU setting. To enable this feature, enter YES/Yes/yes/Y/y. To disable this feature, enter NO/No/no/N/n. If you do not enter anything, this feature is disabled by default.
Note:
• If you scan hosts by using an IOMMU device, the GPU pass-through feature will be supported.
• If disabled, CPUs on the host disable IOMMU.
• If enabled, CPUs on the host enable IOMMU and all available GPU devices on the host are traversed. Make sure that Intel VT-d or AMD IOMMU is enabled in the host BIOS.
• If you enable IOMMU for the first time, reboot the host to verify that the IOMMU configuration on the CPUs takes effect.
• Disable Intel EPT support: Disable or enable Intel EPT support. If you enter NO/No/no/N/n, or leave the field null, Intel EPT support is enabled. If you enter YES/Yes/yes/Y/y, Intel EPT support is disabled.
Note:
• If the CPU models on your servers are too old, you may fail to create VM instances or be unable to open the console UIs of the VM instances. You can use this field to disable the Intel EPT support feature.
• You can change the enabled or disabled state of the Intel EPT support feature on the host details page.
• This feature only applies to Intel CPUs.
• SSH Port: Set an SSH port for the host. Default port: 22.
• User Name: Enter a user name for the host.
• Password: Enter the corresponding user password for the host.
3. After you complete editing the configuration template file, upload it directly to the cloud through a browser, as shown in Add Host with Template.
Figure 7-63: Add Host with Template
4. Check the syntax of the configuration template file. Click Syntax Check to check whether the syntax of the configuration template file is correct.
• If the syntax is incorrect, an error page is displayed. After you modify the configuration template file, upload it again.
• If the syntax is correct, click OK. Then, the cloud adds the hosts according to the configuration template file.
7.2.3.3 Host Operations
You can perform the following operations on a host:
• Add host: Add a new host.
• Enable: Enable the host that you selected.
• Disable: Disable the host that you selected.
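As an added example (not ZStack's own code) of the template format described under Use Template above, the following parser expands each template row into one host entry per IP address, applying the rules on this page: comma-separated IP ranges with ^ exclusions, the YES/NO spellings with an empty cell meaning NO, the HOST-<IP> default name, and the default SSH port 22. The column header names, the sample rows, the cluster UUID, the password and the 500-address range cap are assumptions; the real header row is the one in the template you download from the UI.

```python
"""Expand a ZStack-style host configuration template (CSV) into per-host entries.

Added example, not ZStack's own code. It applies the field rules described
above: Host IP may be a single address or comma-separated ranges, a leading
^ excludes a range; Scan host IOMMU setting and Disable Intel EPT support take
YES/Yes/yes/Y/y or NO/No/no/N/n (empty = NO); Name defaults to HOST-<ip>;
SSH Port defaults to 22. The header names below are assumed; use the header
row of the template you download from the UI.
"""
import csv
import io
import ipaddress
from typing import Any, Dict, List, Set

_YES = {"YES", "Yes", "yes", "Y", "y"}
_NO = {"NO", "No", "no", "N", "n"}
_MAX_RANGE = 500  # sanity cap per range (assumed; the page gives 500 for manual bulk add)

# Constructed sample template: the cluster UUID and password are placeholders.
# A Host IP cell that contains commas must be quoted so the CSV stays well-formed.
SAMPLE_TEMPLATE = (
    "Name,Description,Cluster,Host IP,Scan host IOMMU setting,"
    "Disable Intel EPT support,SSH Port,User Name,Password\n"
    ',rack 1 compute,CLUSTER-UUID-PLACEHOLDER,"127.0.0.1-127.0.0.10,^127.0.0.2-127.0.0.3",'
    "yes,,,root,PASSWORD-PLACEHOLDER\n"
    "gpu-node-1,,CLUSTER-UUID-PLACEHOLDER,192.0.2.20,N,Y,2222,root,PASSWORD-PLACEHOLDER\n"
)


def parse_yes_no(token: str, default: bool = False) -> bool:
    """Accept exactly the spellings listed on the page; an empty cell takes the default."""
    token = (token or "").strip()
    if token == "":
        return default
    if token in _YES:
        return True
    if token in _NO:
        return False
    raise ValueError(f"expected YES/Yes/yes/Y/y or NO/No/no/N/n, got {token!r}")


def _ip_range(spec: str) -> List[ipaddress.IPv4Address]:
    """'a.b.c.d' or 'a.b.c.d-e.f.g.h' (inclusive) to a list of addresses."""
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo, hi = ipaddress.IPv4Address(lo_s.strip()), ipaddress.IPv4Address(hi_s.strip())
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec!r}")
        if int(hi) - int(lo) + 1 > _MAX_RANGE:
            raise ValueError(f"range too large: {spec!r}")
        return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
    return [ipaddress.IPv4Address(spec.strip())]


def expand_host_ips(field: str) -> List[str]:
    """Expand 'r1,r2,^r3' into the included addresses minus the excluded ones."""
    included: List[ipaddress.IPv4Address] = []
    excluded: Set[ipaddress.IPv4Address] = set()
    for part in field.split(","):
        part = part.strip()
        if not part:
            continue
        if part.startswith("^"):
            excluded.update(_ip_range(part[1:]))
        else:
            included.extend(_ip_range(part))
    result, seen = [], set()
    for ip in included:
        if ip not in excluded and ip not in seen:
            seen.add(ip)
            result.append(str(ip))
    if not result:
        raise ValueError(f"no host IP left after exclusions in {field!r}")
    return result


def parse_host_template(csv_text: str) -> List[Dict[str, Any]]:
    """Turn the CSV text into one dict per host, validating each row."""
    hosts: List[Dict[str, Any]] = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        cluster = (row.get("Cluster") or "").strip()
        user = (row.get("User Name") or "").strip()
        password = row.get("Password") or ""
        if not (cluster and user and password):  # assumed mandatory fields
            raise ValueError(f"line {lineno}: Cluster, User Name and Password are required")
        port_text = (row.get("SSH Port") or "").strip()
        port = int(port_text) if port_text else 22  # page-defined default port
        if not 1 <= port <= 65535:
            raise ValueError(f"line {lineno}: invalid SSH port {port}")
        scan_iommu = parse_yes_no(row.get("Scan host IOMMU setting"))
        ept_enabled = not parse_yes_no(row.get("Disable Intel EPT support"))
        name = (row.get("Name") or "").strip()
        for ip in expand_host_ips(row.get("Host IP") or ""):
            hosts.append({
                "name": name or f"HOST-{ip}",  # page-defined default name
                "description": (row.get("Description") or "").strip(),
                "cluster": cluster, "ip": ip, "scanIommu": scan_iommu,
                "eptEnabled": ept_enabled, "sshPort": port,
                "userName": user, "password": password,
            })
    return hosts
```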
Note: After you disable a host, the existing resources on the host are not affected, but the host can no longer serve as a candidate host for new resources.
• Reconnect: Reconnect the host that you selected.
Note:
• Generally, after you update the configuration of a host, reconnect the host.
• For example, after you update the memory or hard disks of a host, reconnect the host to update the database.
• Bind tag: Bind a tag to the host.
▬ Hosts can only bind admin tags.
Note:
• One resource can bind at most 50 tags, while a tag can bind an unlimited number of resources.
• Many-to-many bindings are supported. That is, you can bind multiple tags to multiple resources.
• Tags created by a tenant can only be bound to resources owned by that tenant, while admin tags can be bound to all resources.
• An administrator can unbind or delete tenant tags.
• Resource tags can be sorted by creation time or by tag name (priority: characters > numbers > Chinese characters > English characters). To change the sort order, go to Settings > Global Settings > Advanced, locate Tag sorting field, and click the Edit icon. By default, tags are sorted by tag name.
• Unbind tag: Unbind a tag from the host.
Note:
• Multiple tags on a resource can be unbound simultaneously. In addition, multiple resources on a tag can also be unbound simultaneously.
• A tenant can only unbind tags on resources owned by the tenant, while an administrator can unbind tags on all resources.
• Enter maintenance mode: Place the host in maintenance mode. In this mode, you can stop and repair the host. Batch operations are supported.
▬ If a host runs on a LocalStorage primary storage, VM instances running on the host are stopped after the host enters maintenance mode.
▬ If a host runs on a shared storage, VM instances running on the host are migrated automatically after the host enters maintenance mode.
Note:
• In the shared storage scenario, you can set the policy for VM migration in case of migration failure when a host enters maintenance mode.
• Method: Go to Settings > Global Settings > Advanced, locate host.maintenance.policy, and click the Edit icon.
• If you select Stop Vm On Migration Failure, VM instances running on a shared storage are automatically migrated to other hosts after the host to which they belong enters maintenance mode. VM instances that fail to be migrated are forced to stop.
• If you select Just Migrate, VM instances running on a shared storage are automatically migrated to other hosts after the host to which they belong enters maintenance mode. If some VM instances are still running on the host, the host fails to enter maintenance mode.
• Delete: Delete the host that you selected.
Note:
• If you delete a host, all VM instances running on the host are stopped.
• LocalStorage primary storage scenario:
▬ If the cluster to which the host belongs is attached to a LocalStorage primary storage, all VM instances and volumes on this host are deleted as well. Please exercise caution.
▬ Even if you add a deleted host to the cloud again, the system deploys this host anew. If the previous database resources were not backed up, the associated business data cannot be recovered.
• Shared storage scenario:
▬ Assume that Set HA Level on VM instances is set to None. After you delete the host to which the VM instances belong, the corresponding VM instances are stopped.
▬ Assume that Set HA Level on VM instances is set to NeverStop. If resources on other hosts permit, the VM instances with the NeverStop HA level running on this host are first stopped after you delete the host. Next, these VM instances are migrated to other hosts and then start automatically without affecting your data security. If resources on these hosts are insufficient, the corresponding VM instances are stopped.
Note: Under this circumstance, a portion of the VM instances might be migrated to other hosts with sufficient resources, while another portion might be stopped due to a shortage of host resources.
▬ If you delete the host, data volumes on the shared storage are not affected.
• Assume that you have installed the Migration Service module license. If the host is specified as a conversion host, the corresponding conversion host is deleted as well after the host is deleted. In addition, an ongoing V2V migration job on this conversion host is automatically canceled. Please exercise caution.
7.2.4 Primary Storage
A primary storage is a storage server used to store disk files for VM instances, such as root volumes, data volumes, root volume snapshots, data volume snapshots, and image caches, as shown in Primary Storage.
Figure 7-64: Primary Storage
A primary storage can be a local storage or a shared storage.
• Local Storage: Uses the hard disks of a host to store disk files.
• Network Shared Storage: Supports NFS, Shared Mount Point, Ceph, and Shared Block.
▬ NFS is a network file system storage.
▬ Shared Mount Point supports network shared storages provided by commonly used distributed file systems, for example, MooseFS, GlusterFS, OCFS2, and GFS2.
▬ Ceph uses distributed block storage.
▬ Shared Block uses shared block storage.
7.2.4.1 Primary Storage Operations
Primary Storage Page
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Primary Storage. Then, the Primary Storage page is displayed, as shown in Primary Storage Page.
Figure 7-65: Primary Storage Page
On the Primary Storage page, you can check the information of all primary storages, including their names, storage types, URLs, capacities, states, and statuses. In addition, you can add, enable, and disable one or more primary storages.
Primary Storage Operations
You can perform the following operations on a primary storage:
• Search: Three search methods are supported on the Primary Storage page: by name, by UUID, and advanced search.
• Add a primary storage: Add a primary storage to the cloud. Each primary storage has its own primary storage type, and the Add Primary Storage page differs slightly depending on the type you select. This chapter introduces these differences by type.
• Enable: Enable a primary storage that is in the disabled state. Batch operations are supported.
• Disable: Disable the primary storage. After you disable a primary storage, you cannot create new VM instances, volumes, or snapshots on it. Existing resources are not affected. Batch operations are supported.
• Reconnect: Reconnect the primary storage. When you reconnect a primary storage, the storage information associated with it is updated. Batch operations are supported.
Note: If any one of the hosts can connect normally to the primary storage, the status of the primary storage will be Connected.
• Create volume: Create a volume on the primary storage. This volume will be an instantiated volume. Only a single operation is supported.
Note: Shared volumes currently support two types of primary storage: Ceph and Shared Block.
• Attach cluster: Attach the primary storage to the specified cluster. One cluster can have multiple primary storages attached. The following are the primary storages of the same type that a cluster can have:
▬ A cluster can have one or more LocalStorage primary storages attached.
▬ A cluster can have one or more NFS primary storages attached.
▬ A cluster can have one or more SharedBlock primary storages attached.
▬ A cluster can have one or more Shared Mount Point primary storages attached.
▬ A cluster can have only one Ceph primary storage attached.
The following are the combinations of primary storages that a cluster can have:
▬ A cluster can have both a LocalStorage and an NFS primary storage attached.
▬ A cluster can have both a LocalStorage and a Shared Mount Point primary storage attached.
▬ A cluster can have both a LocalStorage and a SharedBlock primary storage attached.
▬ A cluster can have both a Ceph primary storage and a SharedBlock primary storage attached.
▬ A cluster can have both a Ceph primary storage and more than one SharedBlock primary storage attached.
• Detach cluster: Detach the primary storage from the specified cluster.
Note: If you detach a primary storage from a cluster, be aware that:
▬ All VM instances on the primary storage will be stopped.
▬ All vRouters or VPC vRouters on the primary storage will be deleted. As a result, the network services of the related VM instances will be abnormal.
▬ All volumes on the primary storage cannot be used normally.
• Enter maintenance mode: After the primary storage enters maintenance mode, all VM instances (including those with the NeverStop HA level) that use the primary storage will be stopped. Batch operations are supported.
• Delete: Delete the primary storage. Batch operations are supported.
Note:
• Before you perform the delete operation, verify that you have detached the primary storage from all clusters.
• Deleting a primary storage is a very dangerous operation. If you perform this operation, all resources on the primary storage will be deleted, such as VM instances, volumes, and snapshots. Even if you add this primary storage again, the original files cannot be detected automatically.
• Clean up: Clean up the original data (trash) left behind by migrations across Ceph primary storages, across NFS primary storages, and across Shared Block primary storages. On the Clear Data tab, click Clean Up to clean up the trash left by storage migrations. Exercise caution: after the trash is cleaned up successfully, it cannot be recovered.
7.2.4.2 Local Storage
If the primary storage type is Local Storage, the local hard disk directory of each host is used as the primary storage. A Local Storage primary storage matches an ImageStore or SFTP backup storage. The capacity of the Local Storage is the sum of the directory capacities of all hosts.
7.2.4.2.1 Add Primary Storage | Local Storage
Add Local Storage
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Primary Storage. On the Primary Storage page, click Add Primary Storage. On the displayed Add Primary Storage page, set the following parameters:
• Zone: By default, the current zone is displayed.
• Name: Enter a name for the primary storage.
• Description: Optional. Enter a description for the primary storage.
• Type: Select LocalStorage.
• URL: Enter the directory of the Local Storage.
Note:
• If the directory you entered does not exist, the system creates it automatically.
• The following system directories cannot be used. Otherwise, the hosts might fail to work properly.
▬ /
▬ /dev/
▬ /proc/
▬ /sys/
▬ /usr/bin
▬ /bin
• Cluster: Select a cluster to mount the primary storage.
As shown in Figure 7-66: Add Local Storage.
Figure 7-66: Add Local Storage
Notice: If you mount multiple Local Storages, make sure that each Local Storage is deployed on an exclusive logical volume or physical disk.
7.2.4.3 NFS
If the primary storage type is NFS, ZStack automatically mounts the same NFS shared directory on all hosts as the primary storage. An NFS primary storage matches an ImageStore or SFTP backup storage. The shared directory is mounted on all hosts.
7.2.4.3.1 Add Primary Storage | NFS
Add NFS Primary Storage
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Primary Storage. On the Primary Storage page, click Add Primary Storage. On the displayed Add Primary Storage page, set the following parameters:
• Zone: By default, the current zone is displayed.
• Name: Enter a name for the primary storage.
• Description: Optional. Enter a description for the primary storage.
• Type: Select NFS.
• URL: Enter the shared directory of the NFS server. Either an IP address or a domain name is supported.
Note:
• Format: NFS_Server_IP:/NFS_Share_folder or NFS_Server_Domain:/NFS_Share_folder. Examples:
▬ IP format: 192.168.0.1:/nfs_root
▬ Domain format: www.123.com:/nfs_root
• You need to set the access permissions of the corresponding directories on the NFS server in advance.
• To ensure security control on the NFS server side, we recommend that you configure corresponding security rules for access control.
• You can check the shared directories of the NFS server in advance by running the showmount -e command on the NFS server.
• The following system directories cannot be used. Otherwise, the hosts might fail to work properly.
▬ /
▬ /dev/
▬ /proc/
▬ /sys/
▬ /usr/bin
▬ /bin
• Mount Parameter: Optional.
Before you specify the mount parameters, make sure that these parameters are supported by the NFS server.
Note:
• The parameters are separated by commas (,). For example: nfsvers=3,sec=sys,tcp,intr,timeo=5. This example means that NFS version 3 is used, the standard UNIX authentication mechanism (sec=sys) is used, TCP is used as the transport protocol, an NFS call can be interrupted in case of an exception, and the timeout is 0.5 seconds (timeo is given in tenths of a second, so 5/10).
• To specify the mount parameters, refer to the -o option of the mount command.
• You can set the parameters according to the mount command of commonly used clients. If the parameters you set conflict with the NFS server side, the server side prevails.
• Storage Network: Specify the storage network for the shared storage. The storage network can be shared with the management network of the management node.
Note:
• If you have an independent storage network, enter the CIDR of the storage network.
• You can use this storage network to check the health status of a VM instance.
• Cluster: Select a cluster to mount the primary storage.
As shown in Figure 7-67: Add NFS Primary Storage.
Figure 7-67: Add NFS Primary Storage
7.2.4.4 Shared Mount Point
If the primary storage type is Shared Mount Point (SMP), ZStack allows you to use network shared storages provided by commonly used distributed file systems, such as MooseFS, GlusterFS, OCFS2, and GFS2.
• Similar to adding a Local Storage, you only need to provide the local directory where the storage is mounted on the host. ZStack then completes the integration with the various distributed file systems.
• An SMP primary storage matches an ImageStore or SFTP backup storage.
• If you use SMP as the primary storage, you need to configure the corresponding distributed file system in advance, and mount the shared file system on each host to the same directory according to the client configuration of the storage system.
The following is an example of configuring a primary storage by using MooseFS:
• Download and install the MooseFS client tool mfsmount, and create a directory to serve as the mount point.
• Assume that the IP address of the MooseFS Master Server is 172.20.12.19. Create /mnt/mfs as the mount point and use the mfsmount command to mount the MooseFS file system.
• You can also use the mfssetgoal command to set the number of file copies to keep, as needed.
[root@localhost ~]# mkdir /mnt/mfs
[root@localhost ~]# mfsmount /mnt/mfs -H 172.20.12.19
[root@localhost ~]# mkdir /mnt/mfs/zstack
[root@localhost ~]# mfssetgoal -r 2 /mnt/mfs/zstack/
# The commands above mount the MooseFS file system served by the master at 172.20.12.19 on /mnt/mfs, create the /mnt/mfs/zstack/ directory for ZStack, and set every file under it (recursively) to be kept in two copies on the MooseFS storage servers.
7.2.4.4.1 Add Primary Storage | Shared Mount Point
Add SMP Primary Storage
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Primary Storage. On the Primary Storage page, click Add Primary Storage. On the displayed Add Primary Storage page, set the following parameters:
• Zone: By default, the current zone is displayed.
• Name: Enter a name for the primary storage.
• Description: Optional. Enter a description for the primary storage.
• Type: Select SharedMountPoint.
• URL: Enter the URL of the shared storage mounted on the host.
• Storage Network: Specify the storage network for the shared storage. The storage network can be shared with the management network of the management node.
Note:
• If you have an independent storage network, enter the CIDR of the storage network.
• You can use this storage network to check the health status of a VM instance.
• Cluster: Select a cluster to mount the primary storage.
As shown in Figure 7-68: Add SMP Primary Storage.
Figure 7-68: Add SMP Primary Storage
7.2.4.5 Ceph
ZStack supports Ceph block storage. If you use Ceph as the primary storage, you need to add a Ceph backup storage or an ImageStore backup storage, and configure the Ceph distributed storage in advance. If you are concerned about data security and I/O performance, contact our official technical support to obtain information about the Ceph products of the Enterprise edition.
7.2.4.5.1 Add Primary Storage | Ceph
This topic describes how to add a Ceph primary storage on the ZStack Private Cloud UI.
Add Ceph Primary Storage
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Primary Storage. On the Primary Storage page, click Add Primary Storage. On the displayed Add Primary Storage page, set the following parameters:
• Zone: By default, the current zone is displayed.
• Name: Enter a name for the primary storage.
• Description: Optional. Enter a description for the primary storage.
• Type: Select Ceph.
• Disable Cephx: Determine whether Ceph authentication (cephx) is disabled.
Note:
• By default, this checkbox is not selected, which means that Ceph authentication is enabled.
• If selected, Ceph authentication is disabled.
• If the network between the storage nodes and the compute nodes is relatively safe, you can disable Cephx to avoid Ceph authentication failures.
• Make sure that the key authentication setting of the Ceph storage is consistent with this option. If Cephx is not disabled on the Ceph storage, selecting this checkbox may cause VM creation to fail.
• Mon IP: Enter the IP address of the Ceph monitor.
• SSH Port: Enter the SSH port number of the Ceph monitor. Default port: 22.
• User Name: Enter the user name of the Ceph monitor.
• Password: Enter the password that corresponds to the user name of the Ceph monitor.
• Add More: Click the plus sign (+) to add more Ceph monitors.
• Image Pool Name: Enter the name of an image pool. If not specified, the system automatically creates an image pool.
• Data Volume Pool Name: Enter the name of a data volume pool. If not specified, the system automatically creates a data volume pool.
• Root Volume Pool Name: Enter the name of a root volume pool. If not specified, the system automatically creates a root volume pool.
• Storage Network: Specify the storage network for the shared storage. The storage network can be shared with the management network of the management node.
Note:
• You can use this storage network to check the health status of a VM instance.
• We recommend that you plan an independent storage network in advance to avoid potential risks.
• Cluster: Select a cluster to mount the primary storage.
As shown in Figure 7-69: Add Ceph Primary Storage.
Figure 7-69: Add Ceph Primary Storage
Add Ceph Monitor
Generally, a Ceph cluster is configured with multiple Ceph monitors (Ceph Mon). The configuration method is as follows:
1. On the Primary Storage page, click the name of a Ceph primary storage. On the displayed details page, click Ceph Mon. The Ceph Mon tab page is displayed, as shown in Figure 7-70: Ceph Mon.
Figure 7-70: Ceph Mon
2. Click Actions > Add Ceph Mon next to Ceph Mon. On the displayed Add Ceph Mon page, set the following parameters:
• Mon IP: Enter the IP address of the Ceph mon.
• SSH Port: Enter the SSH port of the Ceph mon. Default port: 22.
• User Name: Enter the user name for the Ceph mon.
• Password: Enter the password that corresponds to the user name of the Ceph mon.
As shown in Figure 7-71: Add Ceph Mon.
Figure 7-71: Add Ceph Mon
Note:
• Enter at least one available Ceph mon.
• On the wizard page, we recommend that you add only one Ceph mon to quickly finish the basic initialization. You can add the other Ceph mons on the primary storage page.
• If you are not familiar with the configuration of Ceph, we recommend that you select another primary storage type.
7.2.4.6 Shared Block
Shared Block is a block-level data storage service that features simple deployment, flexible expansion, and high performance in comparison with SMP primary storage. Shared Block allows you to use a LUN device that you carved out on a SAN storage as a storage pool. This storage pool can be used by the VM instances that run your businesses (business VMs).
• Shared Block adopts the shared block storage method and matches the ImageStore backup storage.
• Shared Block allows you to add LUN devices online.
Currently, Shared Block supports two types of shared access protocol: iSCSI and FC.
7.2.4.6.1 Add Primary Storage | SharedBlock
This topic describes how to add a Shared Block primary storage in the ZStack Private Cloud UI.
Add Shared Block Primary Storage
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Primary Storage. On the Primary Storage page, click Add Primary Storage. On the displayed Add Primary Storage page, set the following parameters:
• Zone: By default, the current zone is displayed.
• Name: Enter a name for the primary storage.
• Description: Optional. Enter a description for the primary storage.
• Type: Select SharedBlock.
• Thick Provision/Thin Provision: Select the provisioning method, either thick provision or thin provision.
▬ Thick provision: Allocate the required storage space in advance to provide sufficient storage capacity and to ensure storage performance.
▬ Thin provision: Allocate storage space as needed to achieve higher storage utilization.
• Storage Network: Specify the storage network for the shared storage. The storage network can be shared with the management network of the management node.
Note:
• If you have an independent storage network, enter the CIDR of the storage network.
• You can use this storage network to check the health status of a VM instance.
• Cluster: Select a cluster to mount the primary storage.
• Shared Block: Select a Shared Block. You need to enter the WWIDs. You can add multiple LUN devices.
Note: Make sure that the compute nodes can connect normally to the storage devices and have been added to the cloud.
• Clear SharedBlock: Choose whether to clear the LUN devices. This checkbox is not selected by default.
▬ If selected, the residual data on the LUN devices is forcibly cleaned, including file systems, RAID metadata, and partition table signatures.
▬ If your LUN devices hold data and you do not clean the devices, adding the LUN devices or attaching the primary storage will fail.
▬ When you add LUN devices, the devices must not contain partitions. Otherwise, adding the devices will fail.
As shown in Add SharedBlock Primary Storage.
Figure 7-72: Add SharedBlock Primary Storage
7.2.5 Backup Storage
A backup storage is a storage server used to store image template files.
• A backup storage must be attached to a zone before the resources in the zone can reach it. Note that you can share images across multiple zones by using backup storages, as shown in Backup Storage.
Figure 7-73: Backup Storage
• To better manage backup storages and zones, the ZStack UI specifies that one backup storage can only correspond to one zone. In the UI, when you add a backup storage, it is attached to the current zone by default. When you delete a zone, the backup storage attached to the zone is also deleted.
Backup Storage Type
A backup storage supports the following types:
1. ImageStore
• Image files are stored by means of image segmentation. Incremental storage is supported.
• Snapshots and images can be created when VM instances are running or stopped.
• When VM instances are cloned without data volumes, VM instances that are running, paused, or stopped can be cloned.
• When VM instances are cloned with data volumes, VM instances that are running, paused, or stopped, and whose storage type is LocalStorage, NFS, Shared Mount Point, Ceph, or SharedBlock, can be cloned.
• Images can be synchronized across ImageStore backup storages within the same management network.
• Existing images can be imported. In addition, you can obtain the existing image files under the URL path of the backup storage.
2. SFTP
• Only the SFTP community edition is supported.
• Image files are stored as files.
• Snapshots and images can be created when VM instances are stopped.
• The images that you create reach the corresponding path on the backup storage, and can be copied to other cloud environments for direct use.
3. Ceph
• Image files are stored in Ceph distributed block storage.
• Snapshots and images can be created when VM instances are running or stopped.
• When VM instances are cloned without data volumes, VM instances that are running, paused, or stopped can be cloned.
• VM instances cannot be cloned together with data volumes.
• Images must be exported on the backup storage. Assume that the image path you use is ceph://bak-t-c9923f9821bf45498fdf9cdfa1749943/61ece0adc7244b0cbd12dafbc5494f0c. Then, run the following command on the backup storage:
rbd export -p bak-t-c9923f9821bf45498fdf9cdfa1749943 --image 61ece0adc7244b0cbd12dafbc5494f0c /root/export-test.image
# bak-t-c9923f9821bf45498fdf9cdfa1749943 is the name of the pool where the image belongs.
# 61ece0adc7244b0cbd12dafbc5494f0c is the image name.
# /root/export-test.image is the name of the exported target file.
Backup Storage | Primary Storage
The types of primary storage and backup storage are strongly associated, as shown in Relations Between Primary Storage and Backup Storage.
Table 7-3: Relations Between Primary Storage and Backup Storage
PS \ BS             ImageStore   SFTP   Ceph
LocalStorage        ○            ○      ×
NFS                 ○            ○      ×
Shared Mount Point  ○            ○      ×
Ceph                ○            ×      ○
SharedBlock         ○            ×      ×
(○: supported combination, ×: not supported)
• When the primary storage is LocalStorage, NFS, or Shared Mount Point, the backup storage type is ImageStore or SFTP.
• When the primary storage is NFS or Shared Mount Point, the corresponding shared directory can be manually attached to the local directory of the corresponding backup storage. In this way, both the primary storage and the backup storage use the network shared storage.
• When the primary storage is Ceph, a Ceph backup storage in the same Ceph cluster as the primary storage can be used. Alternatively, an ImageStore backup storage can be used.
• When the primary storage is SharedBlock, the backup storage type is ImageStore.
7.2.5.1 Backup Storage Operations
Backup Storage Page
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Backup Storage. Then, the Backup Storage page is displayed, as shown in Backup Storage.
Figure 7-74: Backup Storage
On the Backup Storage page, you can check the information of the backup storages, including their names, backup storage types, URLs, capacities, states, and statuses. In addition, you can add, enable, disable, reconnect, and delete one or more backup storages.
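The URL rules that the Local Storage and NFS add pages give above (and that the ImageStore and SFTP add pages repeat below), together with the NFS Mount Parameter format, can be checked before anything is typed into the UI. The following is an added example, not ZStack's own code: it rejects the listed system directories, validates the NFS_Server:/NFS_Share_folder form, and explains a mount -o parameter list (timeo is in tenths of a second). It goes one step beyond the guide by also rejecting paths below a listed directory, and its sample inputs are constructed.

```python
"""Pre-flight checks for ZStack storage URL and NFS mount parameter fields.

Added example based on the rules stated in the user guide; not ZStack code.
Assumption beyond the guide: a path below a listed directory (e.g. /proc/x)
is rejected as well as the directory itself.
"""
import ipaddress
import posixpath
import re

# System directories the guide lists as unusable for storage URLs.
FORBIDDEN_DIRS = ("/", "/dev/", "/proc/", "/sys/", "/usr/bin", "/bin")

# RFC 1123 style host name: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def _normalise(path: str) -> str:
    """Collapse '//', '/./' and 'x/..' and drop a trailing slash ('/dev/' -> '/dev')."""
    norm = posixpath.normpath(path)
    if norm.startswith("//"):  # POSIX keeps a leading '//'; treat it as '/'
        norm = "/" + norm.lstrip("/")
    return norm


def check_storage_dir(path: str) -> list:
    """Return the problems with a directory entered in a storage URL field."""
    if not path.startswith("/"):
        return [f"{path!r}: the directory must be an absolute path"]
    norm = _normalise(path)
    for forbidden in FORBIDDEN_DIRS:
        base = _normalise(forbidden)
        # '/' matches only itself; every other entry also covers its subdirectories.
        if norm == base or (base != "/" and norm.startswith(base + "/")):
            return [f"{path!r} is inside the forbidden system directory {forbidden}"]
    return []


def check_nfs_url(url: str) -> list:
    """Validate NFS_Server:/NFS_Share_folder; the server may be an IP or a domain."""
    server, sep, share = url.rpartition(":")  # rpartition keeps IPv6 colons in server
    if not sep or not server or not share.startswith("/"):
        return [f"{url!r} is not in the form NFS_Server_IP:/NFS_Share_folder"]
    problems = []
    try:
        ipaddress.ip_address(server)
    except ValueError:
        if not _HOSTNAME_RE.match(server):
            problems.append(f"{server!r} is neither an IP address nor a valid domain name")
    problems.extend(check_storage_dir(share))
    return problems


def parse_mount_options(options: str) -> dict:
    """Split 'nfsvers=3,sec=sys,tcp,intr, timeo=5' into a dict; bare flags map to True."""
    parsed = {}
    for item in options.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        parsed[key.strip()] = value.strip() if value else True
    return parsed


def review_mount_options(options: str) -> list:
    """Explain how the NFS client reads the parameters and flag what to verify."""
    opts = parse_mount_options(options)
    notes = []
    version = opts.get("nfsvers", opts.get("vers"))
    if version:
        notes.append(f"NFS version {version} requested")
    if opts.get("tcp") is True or opts.get("proto") == "tcp":
        notes.append("TCP transport")
    # nfs(5): sec defaults to sys when omitted.
    if opts.get("sec", "sys") == "sys":
        notes.append("sec=sys (AUTH_SYS): the server trusts the uid/gid the client sends, "
                     "so restrict the export to the hosts' addresses on the NFS server")
    if opts.get("intr") is True:
        notes.append("intr: accepted for compatibility, ignored by Linux kernels since 2.6.25")
    timeo = opts.get("timeo")
    if isinstance(timeo, str) and timeo.isdigit():
        # timeo is in tenths of a second: timeo=5 is 0.5 s, timeo=600 is 60 s.
        notes.append(f"timeo={timeo}: RPC timeout {int(timeo) / 10:g} s")
    return notes


if __name__ == "__main__":
    # Constructed sample inputs in the formats the guide shows.
    for url in ("192.168.0.1:/nfs_root", "www.123.com:/nfs_root", "192.168.0.1:/proc/ps"):
        print(url, "->", check_nfs_url(url) or "ok")
    for note in review_mount_options("nfsvers=3,sec=sys,tcp,intr, timeo=5"):
        print("-", note)
```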
Backup Storage Operations
You can perform the following operations on a backup storage:
• Search: Three search methods are supported on the Backup Storage page: by name, by UUID, and advanced search.
• Add backup storage: Add a backup storage to the cloud. Each backup storage has its own backup storage type, and the Add Backup Storage page differs slightly depending on the type you select. This chapter introduces these differences by type.
• Enable: Enable a backup storage that is in the disabled state. Batch operations are supported.
• Disable: Disable the backup storage. Batch operations are supported.
• Reconnect: Reconnect the backup storage. When you reconnect a backup storage, the storage information associated with it is updated. Batch operations are supported.
Note:
• While a backup storage is reconnecting, you cannot manage or operate any of the preceding resources.
• If any host can connect normally to the backup storage, the status of the backup storage will be Connected.
• Clear data: Clear invalid data that has been completely deleted from the backup storage to release storage space.
Note:
• For example, assume that you have completely deleted an image file and have deleted the VM instances that you created from this image file. If you clear data, the storage space on the backup storage is released. After the data is cleared successfully, the UI displays the released space size and the available space.
• Only ImageStore backup storages support this operation.
• While you clear data, avoid operations that write data.
• Delete: Delete the backup storage. Batch operations are supported.
Note:
• Exercise caution. If you delete the backup storage, all image files on the backup storage will be deleted as well.
• The preceding delete operation only removes the records of the backup storage and its images from ZStack. The real data is not deleted.
• Clear data: On the Clear Data tab of the Ceph backup storage details page, click OK to clean up the original data left behind by migrations across Ceph primary storages. Exercise caution: after the original data is cleaned up successfully, it cannot be recovered.
7.2.5.2 ImageStore
ImageStore stores image files with image segmentation. When the primary storage type is LocalStorage, NFS, Shared Mount Point, Ceph, or Shared Block, couple it with an ImageStore backup storage as needed.
7.2.5.2.1 Add Backup Storage | ImageStore
Add ImageStore Backup Storage
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Backup Storage. On the Backup Storage page, click Add Backup Storage. On the displayed Add Backup Storage page, set the following parameters:
• Zone: By default, the current zone is displayed.
• Name: Enter a name for the backup storage.
• Description: Optional. Enter a description for the backup storage.
• Type: Select ImageStore.
• Backup Storage IP: Enter the IP address of the backup storage.
• URL: Enter the URL of the storage that is attached to the backup storage, such as /zstack_bs.
Note:
• We recommend that you attach a large-capacity storage for the URL, and enter the absolute path of the directory.
• The following system directories cannot be used. Otherwise, the hosts might fail to work properly.
▬ /
▬ /dev/
▬ /proc/
▬ /sys/
▬ /usr/bin
▬ /bin
• Import existing images: Choose whether to import the existing images.
Note:
• If selected, the existing image files under the URL directory of the backup storage are imported.
• Only ImageStore backup storages support this operation.
• SSH Port: Set the SSH port of the backup storage. Default port: 22.
• User Name: Use the default user name (root) or enter a user name for the backup storage.
• Password: Enter the corresponding user password.
• Image Synchronization Network: Optional. Enter the CIDR of the image synchronization network if you have deployed a network that is used exclusively for image synchronization.
Note:
• ImageStore backup storages under the same management node allow you to synchronize images.
• If you have deployed a network that is used exclusively for image synchronization, add the network to the cloud directly.
• An independent image synchronization network helps you avoid network congestion and improve transmission efficiency.
• If not set, the management network is used by default when images are synchronized.
• If you set an image synchronization network for both the source ImageStore and the destination ImageStore, only the image synchronization network of the destination ImageStore takes effect.
As shown in Add ImageStore Backup Storage.
Figure 7-75: Add ImageStore Backup Storage
7.2.5.3 SFTP (Community)
Only SFTP backup storages of the community version are supported. Image files are stored as files. When the primary storage type is LocalStorage, NFS, or Shared Mount Point, couple it with an SFTP backup storage.
7.2.5.3.1 Add Backup Storage | SFTP
Add SFTP Backup Storage
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Backup Storage. On the Backup Storage page, click Add Backup Storage. On the displayed Add Backup Storage page, set the following parameters:
• Zone: By default, the current zone is displayed.
• Name: Enter a name for the SFTP backup storage.
• Description: Optional. Enter a description for the SFTP backup storage.
• Type: Select SFTP.
• Backup Storage IP: Enter the IP address of the SFTP backup storage.
• URL: Enter the URL of the storage that is attached to the SFTP backup storage, such as /zstack_bs.
Note:
• We recommend that you attach a large-capacity storage for the URL in advance, and enter the absolute path of the directory.
• The following system directories cannot be used. Otherwise, the hosts might fail to work properly.
▬ /
▬ /dev/
▬ /proc/
▬ /sys/
▬ /usr/bin
▬ /bin
• SSH Port: Set the SSH port of the SFTP backup storage. Default port: 22.
• User Name: Use the default user name (root) or enter a user name for the SFTP backup storage.
• Password: Enter the corresponding user password.
As shown in Add SFTP Backup Storage.
Figure 7-76: Add SFTP Backup Storage
7.2.5.4 Ceph
Ceph backup storages store image files in Ceph distributed storage. When the primary storage type is Ceph, couple it with a Ceph backup storage.
7.2.5.4.1 Add Backup Storage | Ceph
Add Ceph Backup Storage
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Backup Storage. On the Backup Storage page, click Add Backup Storage. On the displayed Add Backup Storage page, set the following parameters:
• Zone: By default, the current zone is displayed.
• Name: Enter a name for the Ceph backup storage.
• Description: Optional. Enter a description for the Ceph backup storage.
• Type: Select Ceph.
• Mon IP: Enter the IP address of the Ceph monitor node.
• SSH Port: Enter the SSH port of the Ceph monitor node. Default port: 22.
• User Name: Enter the user name of the Ceph monitor node.
• Password: Enter the password that corresponds to the user name of the Ceph monitor node.
• Add More: Click the plus sign (⊕) button to add more Ceph monitor nodes.
• Pool Name: Optional. Enter a pool name.
Note:
• A specific storage pool can be specified for the Ceph backup storage.
If left empty, the system automatically creates a pool for you by default.
• If specified, make sure that you have created the storage pool in the Ceph storage cluster in advance.
As shown in Add Ceph Backup Storage.
Figure 7-77: Add Ceph Backup Storage
7.2.6 SAN Storage
ZStack allows you to manage SAN storages, including iSCSI servers and FC storages.
7.2.6.1 iSCSI Storage
ZStack allows you to add iSCSI storages. Without requiring you to log in to each host for further configuration, ZStack automatically logs in to the iSCSI target, scans and discovers the disks, and configures the iSCSI connections. The whole process is convenient and quick. Specifically, iSCSI disks that are correctly identified support the following usages:
• iSCSI disks can be passed through directly to VM instances.
• iSCSI disks can be added as SharedBlock primary storages.
Add iSCSI Storage
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > SAN Storage > iSCSI Storage. On the iSCSI Storage page, click Add iSCSI Storage. On the displayed iSCSI Storage page, set the following parameters:
• Name: Enter a name for the iSCSI storage.
• IP Address: Enter the IP address of the iSCSI storage.
• Port: Enter the port number of the iSCSI storage. Default value: 3260.
• Cluster: Optional. Either select a cluster that you created, or attach a cluster to the iSCSI storage after you add it.
• CHAP User Name: Optional. Enter the CHAP user name of the iSCSI storage if you configured one for the iSCSI storage.
• CHAP Password: Optional. Enter the CHAP password of the iSCSI storage if you configured one for the iSCSI storage.
Click OK to complete adding the iSCSI storage, as shown in Add iSCSI Server.
Figure 7-78: Add iSCSI Server
After you add an iSCSI storage, its IQN can be viewed on the UI, as shown in Complete Adding iSCSI Storage.
Figure 7-79: Complete Adding iSCSI Storage
In the preceding figure, the red frame marks the IQN (iSCSI Qualified Name). One iSCSI storage can expose multiple IQNs.
iSCSI Storage Operations
You can perform the following operations on an iSCSI storage:
• Add: Add the iSCSI storage to ZStack.
• Enable: Enable the iSCSI storage.
• Disable: Disable the iSCSI storage. A disabled iSCSI storage is unavailable.
• Attach cluster: Attach the iSCSI storage to a cluster.
• Detach cluster: Detach the iSCSI storage from a cluster that you attached it to.
• Synchronize data: Synchronize the LUN information of the iSCSI storage.
• Delete: Delete the iSCSI storage. Exercise caution.
Note:
• Before you delete an iSCSI storage, detach it from its clusters. Detaching a cluster cuts the connections between the hosts in that cluster and the iSCSI storage.
• LUN devices can serve as primary storages. If you delete the iSCSI storage, those primary storages are disconnected.
• LUN devices can be passed through to VM instances. If you delete the iSCSI storage, you risk losing the data on those LUNs.
Disk (LUN Device) Operations
• Attach LUN to VM Instance: Pass an iSCSI LUN through to VM instances. One LUN can be attached to multiple VM instances, and one VM instance can have multiple LUNs attached.
• Detach LUN from VM Instance: Detach the iSCSI LUN from the VM instances.
Notice
ZStack allows you both to add iSCSI disks as SharedBlock primary storages and to pass iSCSI disks through to VM instances. When you use iSCSI disks, note that:
• Only disks that are not attached to any VM instance can be added as SharedBlock primary storages.
• Only disks that are not added as primary storages can be attached to VM instances.
• One disk can be attached to multiple VM instances, and one VM instance can have multiple disks attached.
7.2.6.2 FC Storage
ZStack supports FC storage pass-through. It automatically scans and discovers the FC storages that you preconfigured and displays their details directly. FC LUN devices that are correctly detected support the following usages:
• LUN devices of an FC storage can be passed through to VM instances.
• LUN devices of an FC storage can be added as SharedBlock primary storages.
FC Storage Page
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > SAN Storage. On the SAN Storage page, click Fiber Channel to enter the Fiber Channel tab page, as shown in FC Storage Page.
Figure 7-80: FC Storages Page
FC Storage Operations
You can perform the following operations on an FC storage:
• Sync device information: Manually refresh the FC storage list to detect the latest FC storages and LUN devices.
• Attach VM Instance: Pass an LUN device of the FC storage directly through to VM instances. One LUN device can be attached to multiple VM instances, and one VM instance can have multiple LUN devices attached.
• Detach VM Instance: Detach VM instances from an LUN device.
• Check cluster status: Check the status of the cluster in which the LUN device is used. If all hosts in the cluster connect to the LUN device normally, the LUN device can be added as a SharedBlock primary storage.
Notice
ZStack allows you both to add an FC LUN device as a SharedBlock primary storage and to pass an FC LUN device directly through to VM instances. When you use FC LUN devices, note that:
• An FC LUN device can be added as a SharedBlock primary storage only if the status of the cluster it is attached to is normal and no VM instance is attached to the LUN device.
• An LUN device that is not added as a primary storage can be attached to VM instances.
• One LUN device can be attached to multiple VM instances, and one VM instance can have multiple LUN devices attached.
7.2.7 Peripheral Device Tutorial
7.2.7.1 LUN Pass-through
7.2.7.1.1 Overview
ZStack supports LUN device pass-through for both FC LUN devices and iSCSI LUN devices.
• iSCSI LUN device pass-through: After you add an iSCSI server, all LUN devices on the iSCSI server are displayed in real time on the UI via data synchronization and can be passed through to VM instances.
• FC LUN device pass-through: After you deploy an FC storage, the FC storage and all its LUN devices are displayed in real time on the UI and can be passed through to VM instances.
7.2.7.1.2 Preparation
• Use the latest version of the ZStack installation package to install the operating system on your servers, and deploy all resources needed for creating VM instances.
• The operating system versions of all servers must be consistent. Specifically, all operating systems must be installed from the c74 ISO or the c76 ISO.
• Install ZStack Enterprise Management Node on one of the servers to serve as the management node.
• From the management node you can manage hosts. These hosts automatically deploy and install LVM, Multipath, and other toolkits. For more information about deployment and installation, see the related deployment and installation topics in the User Guide.
• Deploy FC storages or iSCSI storages for the hosts, divide them into LUN devices of the required capacities, and scan and discover the disks online.
• Multipath access must be configured for FC storages or iSCSI storages that have more than two links.
7.2.7.1.3 Add Host
Note:
ZStack allows you to add hosts via an IP address, an IP range, or a template. For more information about how to add hosts, see Add Host in the User Guide. This scenario adds hosts via IP address.
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Host. On the Host page, click Add Host. On the displayed Add Host page, set the following parameters:
• Add Method: Select manual add.
• Name: Enter a name for the host.
• Description: Optional. Enter a description for the host.
• Cluster: Select the cluster that the host belongs to.
• Add IP/IP range: Select IP.
• Host IP: Enter the IP address of the host.
• Scan host IOMMU setting: If not selected, IOMMU support is disabled.
Note:
• Scanning the IOMMU devices of a host is the prerequisite for physical GPU pass-through and vGPU.
• This check box is not selected by default, and IOMMU stays disabled on the host CPUs.
• If selected, IOMMU is enabled on the host CPUs, and all available GPU devices on the host are enumerated. Make sure that Intel VT-d or AMD IOMMU is enabled in the host BIOS.
• If you enable IOMMU for the first time, reboot the host and verify that the IOMMU configuration on the CPUs took effect.
• Disable Intel EPT support: Disable or enable the Intel EPT support feature.
Note:
• This check box is not selected by default, which means Intel EPT support is enabled.
• If the CPU models of your servers are too old, creating VM instances or opening their console UIs may fail. Select this check box to disable Intel EPT support.
• You can switch Intel EPT support between enabled and disabled on the host details page.
• This feature applies only to Intel CPUs.
• SSH Port: Set the SSH port of the host. Default value: 22.
• User Name: Use the default user name (root) or enter a regular user name for the host.
• Password: Enter the password of that user on the host.
• Add More Host: Click the Plus sign (+) button to add more hosts.
Click OK to complete adding the host, as shown in Add Host.
Figure 7-81: Add Host
7.2.7.1.4 Attach LUN Device
One LUN device can be attached to multiple VM instances simultaneously, and one VM instance can have multiple LUN devices attached. You can attach or detach an LUN device to or from a VM instance from any of the following four UI pages:
• FC storage page: Attach an FC LUN device to a VM instance. For more information, see Attach LUN Device via FC Storage Page.
• iSCSI storage page: Attach an iSCSI LUN device to a VM instance. For more information, see Attach LUN Device via iSCSI Server Page.
• VM details page: Attach an FC LUN device or an iSCSI LUN device to a VM instance. The Type column shows which storage an LUN device belongs to. For more information, see Attach LUN Device via VM Details Page.
• Host details page: Attach an FC LUN device or an iSCSI LUN device to a VM instance. The Type column shows which storage an LUN device belongs to. For more information, see Attach LUN Device via Host Details Page.
Attach LUN Device via FC Storage Page
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > SAN Storage. On the FC Storage tab page of the SAN Storage page, check the FC storages and their LUN devices, as shown in FC Storage.
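The Add Host note above asks you to reboot after enabling Scan host IOMMU setting and to verify that the IOMMU actually took effect before relying on device pass-through. The following is an added example, not part of ZStack: it combines the kernel command line, the boot log and the sysfs IOMMU groups into one verdict. The sample command line and dmesg lines are constructed, and the function names are assumptions.

```python
"""Verify on a KVM host that the IOMMU is active after the reboot that the
Add Host note asks for. Added example, not ZStack code. The sample inputs
below are constructed; read_live_host() gathers the real values on a host.
"""
import os
import subprocess
from typing import Dict, List

# Constructed sample: what /proc/cmdline and dmesg may show on an Intel host
# once intel_iommu=on has taken effect.
SAMPLE_CMDLINE = ("BOOT_IMAGE=/vmlinuz root=/dev/mapper/zstack-root ro "
                  "intel_iommu=on iommu=pt")
SAMPLE_DMESG = [
    "[    0.000000] DMAR: IOMMU enabled",
    "[    0.352101] DMAR: Intel(R) Virtualization Technology for Directed I/O",
    "[    1.205511] pci 0000:3b:00.0: Adding to iommu group 42",
]
SAMPLE_GROUPS = ["0", "1", "42"]  # directory names under /sys/kernel/iommu_groups


def iommu_status(cmdline: str, dmesg: List[str], groups: List[str]) -> Dict[str, object]:
    """Combine three independent signals into one verdict.

    cmdline_on   - the kernel was asked to enable the IOMMU (intel_iommu=on or
                   amd_iommu=on; AMD kernels may enable it without the flag)
    kernel_ack   - the kernel reported an IOMMU at boot (DMAR / AMD-Vi lines)
    iommu_groups - number of IOMMU groups exposed in sysfs; zero means nothing
                   can be passed through even if the flag is set (BIOS VT-d /
                   AMD IOMMU still off, or the kernel ignored the flag)
    """
    tokens = set(cmdline.split())
    cmdline_on = bool(tokens & {"intel_iommu=on", "amd_iommu=on"})
    kernel_ack = any("DMAR: IOMMU enabled" in line or "AMD-Vi:" in line
                     for line in dmesg)
    group_count = sum(1 for g in groups if g.isdigit())
    return {
        "cmdline_on": cmdline_on,
        "passthrough_mode": "iommu=pt" in tokens,
        "kernel_ack": kernel_ack,
        "iommu_groups": group_count,
        # Both the firmware and the kernel must agree before GPU or other
        # device pass-through can work.
        "ok": kernel_ack and group_count > 0,
    }


def read_live_host() -> Dict[str, object]:
    """Collect the same three inputs from the running host (Linux only)."""
    with open("/proc/cmdline") as fh:
        cmdline = fh.read()
    dmesg = subprocess.run(["dmesg"], capture_output=True, text=True,
                           check=False).stdout.splitlines()
    try:
        groups = os.listdir("/sys/kernel/iommu_groups")
    except FileNotFoundError:
        groups = []
    return iommu_status(cmdline, dmesg, groups)


if __name__ == "__main__":
    print("sample host:", iommu_status(SAMPLE_CMDLINE, SAMPLE_DMESG, SAMPLE_GROUPS))
    try:
        print("this host:  ", read_live_host())
    except OSError as exc:  # not Linux, or dmesg unavailable
        print("this host:   could not read live values:", exc)
```

Run it as root on the host after the reboot; `ok` being False while `cmdline_on` is True usually means VT-d or AMD IOMMU is still disabled in the BIOS, which no kernel flag can fix.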
Figure 7-82: FC Storage
After you add a host on which an FC storage is deployed, ZStack automatically detects the FC storage and displays it on the FC storage page. Click Sync Device Info to refresh the list manually.
Select an LUN device and choose Actions > Attach VM Instance. On the displayed Select VM Instance page, select the VM instances to attach, and click OK to complete attaching the LUN device, as shown in Attach VM Instance.
Figure 7-83: Attach VM Instance
After you attach the LUN to the VM instances, choose Actions > Detach VM Instance to detach the LUN from the VM instances.
Attach LUN Device via iSCSI Server Page
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > SAN Storage. On the iSCSI Server tab page of the SAN Storage page, click an IQN (iSCSI Qualified Name) to enter its Disk tab page, as shown in Disk Tab Page.
Figure 7-84: Disk Tab Page
On the Disk tab page, select an iSCSI LUN device and choose Actions > Attach LUN to VM Instance. On the displayed Select VM Instance page, select the VM instances to attach, and click OK to complete attaching the iSCSI LUN device.
After you attach the iSCSI LUN device to the VM instances, choose Actions > Detach LUN from VM Instance to detach it from the VM instances.
Attach LUN Device via VM Details Page
In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > VM Instance to enter the VM Instance page. Select the VM instance to which you want to attach an LUN device, and then select the Configurations tab page, as shown in Configurations Page.
Figure 7-85: Configurations Page
On the Block Device tab page, choose Actions > Attach. On the Select LUN page, select the LUN device to pass through to the VM instance, and click OK to attach it, as shown in Select LUN.
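The LUN usage rules from the iSCSI and FC notices earlier in this section (a LUN is either a SharedBlock primary storage or passed through to VM instances, never both; an FC LUN becomes primary storage only when its cluster status is normal; a storage cannot safely be deleted while its LUNs are in use) can be expressed as a small state model that an operator or automation can check before clicking Attach. The following is an added example, not ZStack code: the class and function names are assumptions, and the iSCSI name check follows the iqn./eui. formats of RFC 3720 rather than anything the guide states.

```python
"""State model for a SAN LUN (iSCSI or FC) that enforces the usage rules in
the notices above. Added example, not ZStack code; names are assumptions.
"""
import re
from typing import Iterable, Set

# RFC 3720 iSCSI names: iqn.YYYY-MM.reversed-domain[:qualifier], or eui.
# followed by 16 hex digits. The iSCSI storage page shows the IQN of each
# target; this sanity-checks what the UI displays or what you paste in.
_IQN_RE = re.compile(r"^iqn\.\d{4}-\d{2}\.[a-z0-9][a-z0-9.-]*(?::.+)?$", re.IGNORECASE)
_EUI_RE = re.compile(r"^eui\.[0-9a-f]{16}$", re.IGNORECASE)


def validate_iscsi_name(name: str) -> bool:
    """Return True if name is a well-formed iqn. or eui. iSCSI name."""
    return bool(_IQN_RE.match(name) or _EUI_RE.match(name))


class LunStateError(Exception):
    """Raised when an operation would violate the LUN usage rules."""


class SanLun:
    """One LUN device as seen by ZStack. kind is 'iscsi' or 'fc'."""

    def __init__(self, name: str, kind: str, cluster_status: str = "normal"):
        self.name = name
        self.kind = kind
        self.cluster_status = cluster_status    # result of 'Check cluster status'
        self.attached_vms: Set[str] = set()
        self.is_primary_storage = False

    def attach_vm(self, vm_uuid: str) -> None:
        # A LUN already used as SharedBlock primary storage cannot be passed
        # through: a guest with raw block access could corrupt the shared
        # volume that other VMs' disks live on.
        if self.is_primary_storage:
            raise LunStateError(f"{self.name} is a primary storage; it cannot be attached to a VM")
        self.attached_vms.add(vm_uuid)      # many VMs per LUN is allowed

    def detach_vm(self, vm_uuid: str) -> None:
        self.attached_vms.discard(vm_uuid)

    def add_as_primary_storage(self) -> None:
        if self.attached_vms:
            raise LunStateError(
                f"{self.name} is attached to VMs {sorted(self.attached_vms)}; detach them first")
        # FC rule: every host in the cluster must see the LUN, otherwise a
        # host without a path would fail on shared-block I/O.
        if self.kind == "fc" and self.cluster_status != "normal":
            raise LunStateError(f"{self.name}: cluster status is {self.cluster_status}, not normal")
        self.is_primary_storage = True


def delete_blockers(luns: Iterable[SanLun]) -> Set[str]:
    """Return the LUNs that still block deleting the iSCSI/FC storage: any
    LUN that is a primary storage (would be disconnected) or is passed
    through to a VM (data loss risk)."""
    return {lun.name for lun in luns if lun.is_primary_storage or lun.attached_vms}


if __name__ == "__main__":
    # Constructed walk-through of the rules.
    shared = SanLun("lun-shared", "iscsi")
    shared.attach_vm("vm-rac-node-1")
    shared.attach_vm("vm-rac-node-2")
    try:
        shared.add_as_primary_storage()
    except LunStateError as exc:
        print("refused:", exc)
    print("blocks storage deletion:", delete_blockers([shared]))
```

The model mirrors what the UI enforces; its value is in scripting pre-flight checks (for example before a bulk detach or a storage deletion) so that the data-loss cases in the Delete note are caught before the action is submitted.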
Figure 7-86: Select LUN
After you attach the LUN device to the VM instance, choose Actions > Detach to detach it from the VM instance.
Attach LUN Device via Host Details Page
In the navigation pane of the ZStack Private Cloud UI, choose Hardware > Host to enter the Host page. Select a host that has an LUN device attached, and then select the Block Device tab page, as shown in Block Device Page.
Figure 7-87: Block Device Page
On the Block Device tab page, choose Actions > Attach LUN to VM Instance. On the Select VM Instance page, select the VM instances to which you want to attach the LUN device, and click OK to complete attaching it, as shown in Attach LUN to VM Instance.
Figure 7-88: Attach LUN to VM Instance
After you attach the LUN device to the VM instances, choose Actions > Detach LUN from VM Instance to detach it from the VM instances.
This concludes the introduction to the LUN device pass-through feature.
7.2.7.1.5 Typical Usage Scenario
LUN device pass-through allows applications on different nodes to access the same data consistently. Typical usage scenarios are:
• Application or system software that shares data on LUN storage, such as Oracle RAC and Microsoft Cluster Server (MSCS).
• Cluster file systems, such as OCFS2, GPFS, and GFS2.
7.2.7.1.5.1 Windows Server Failover Clustering (WSFC)
Windows Server Failover Clustering (WSFC) is a group of independent servers that work together to increase the availability and scalability of clustered roles (formerly called clustered applications and services). The clustered servers (nodes) are connected by physical cables and by software. If one or more nodes fail, other nodes take over providing the services, in a process known as failover.
Clustered roles are monitored continuously to verify that they are working properly. If they are not, they are restarted or moved to another node.
Note:
When you use Windows Server Failover Clustering, note that:
• Currently, Windows Server Failover Clustering requires the VM instances to be in the same anti-affinity group, which means that the VM instances cannot run on the same host.
• If you deploy Windows Server Failover Clustering master nodes on VM instances, do not live-migrate those VM instances. Otherwise, Windows Server Failover Clustering will probably become unavailable.
In addition, Windows Server Failover Clustering provides the Cluster Shared Volumes (CSV) feature, which offers a consistent, distributed namespace through which clustered roles can access shared storage from all nodes. With Windows Server Failover Clustering, service interruptions are kept to a minimum.
Windows Server Failover Clustering has special storage requirements. We recommend that you provide shared disks to the VM instances via FC pass-through or iSCSI pass-through. Alternatively, you can provide cluster quorum and data services by attaching independent shared file systems to the VM instances.
For more information about Windows Server Failover Clustering, see the Microsoft official documentation.
7.2.7.1.5.2 Oracle Real Application Clusters
Oracle RAC (Oracle Real Application Clusters) was initially designed to provide better database services. After years of development, Oracle Real Application Clusters is now built on a comprehensive high availability system. This high availability system can either act as the base of a database cloud system, or serve as a shared infrastructure that provides higher availability, scalability, flexibility, and agility for all application software in a data center.
Oracle Real Application Clusters adopts a shared disk architecture, so the volume manager and file system that store the database data must be cluster-aware. Oracle ASM (Oracle Automatic Storage Management) is the volume (cluster) manager recommended for Oracle database, and it manages shared disks automatically. You can therefore provide raw devices to the RAC nodes via FC LUN pass-through, iSCSI LUN pass-through, or shared virtual disks, and the RAC nodes can manage the database without deploying an additional shared file system, as shown in RAC Workflow.
Figure 7-89: RAC Workflow
For more information about Oracle Real Application Clusters, see the Oracle official documentation.
7.3 Network Resource
ZStack network resources mainly include:
• Network diagram
• SDN controller
• L2 network resource
• L3 network
• Route resource
• VPC
Network Diagram
The network diagram provides a direct view of the global topology of the cloud to help you analyze network problems, and also lets you generate custom diagrams to quickly locate resource states.
SDN Controller
By adding SDN controllers, you can take over the SDN networks of hardware switches in the cloud, lowering network latency and improving VXLAN network performance.
L2 Network Resource
An L2 network resource includes a VXLAN pool and an L2 network.
• An L2 network corresponds to a layer 2 broadcast domain. It supports multiple network types: L2NoVlanNetwork, L2VlanNetwork, VxlanNetwork, and HardwareVxlanNetwork.
• For L2NoVlanNetwork and L2VlanNetwork, the configuration must match the VLAN configuration of the switch ports that the compute nodes connect to.
• A VXLAN Pool of the software SDN type provides the configuration for VxlanNetwork. Before you use VxlanNetwork, create a VXLAN Pool first. After the VXLAN Pool is created, create VxlanNetwork by specifying a VNI or letting the system choose one randomly.
• A VXLAN Pool of the hardware SDN type provides the configuration for HardwareVxlanNetwork. Before you use HardwareVxlanNetwork, create a VXLAN Pool first. After the VXLAN Pool is created, create HardwareVxlanNetwork by specifying a VNI or letting the system choose one randomly.
L3 Network
An L3 network is a sub-resource of an L2 network. Based on the L2 network, the L3 network provides the network configuration for VM instances, including the IP range, gateway, DNS, and network services.
Route Resource
ZStack uses custom Linux VM instances as routing devices to provide network services to VM instances. Route resources mainly include the vRouter, vRouter image, vRouter offering, and vRouter table.
VPC
A VPC is a custom private cloud network environment made up of a VPC vRouter and VPC networks. A VPC helps enterprise users build a logically isolated private cloud. VPC features include flexible network configuration, secure and reliable isolation, and optimized east-west traffic. A VPC network is a private network that obtains multiple network services from its VPC vRouter.
Network Usage Procedure
Before you create an L3 network, create an L2 network first. Then create the L3 network, and use these networks to provide network services.
Network Infrastructure Model
ZStack supports three basic network infrastructure models: flat network, vRouter network, and VPC.
1. Flat Network
• A flat network supports the following network services: DHCP, EIP, security group, and User Data.
• The network services of the flat network use the distributed DHCP and distributed EIP architecture.
• The DHCP service of the flat network can also provide DNS.
• The network model used by the initialization guide is the flat network.
• ZStack supports flat network infrastructure based on both VxlanNetwork and HardwareVxlanNetwork.
2. vRouter Network
• A vRouter network supports the following network services: DHCP, DNS, SNAT, vRouter table, EIP, port forwarding, load balancing, IPsec tunnel, and security group.
• The DHCP service of the vRouter network uses distributed DHCP by default.
• The vRouter provides these network services mainly by using custom Linux VM instances as routing devices.
• ZStack supports vRouter network infrastructure based on VxlanNetwork.
3. VPC
• A VPC supports the following network services: DHCP, DNS, SNAT, vRouter table, EIP, port forwarding, load balancing, IPsec tunnel, security group, dynamic routing, multicast routing, VPC firewall, and Netflow.
• The DHCP service of the VPC uses distributed DHCP by default.
• The VPC provides these network services mainly by using custom Linux VM instances as VPC vRouters.
• Network services such as port forwarding, load balancing, IPsec tunnel, and vRouter table can apply to multiple subnets of a VPC simultaneously, which further improves network efficiency.
• ZStack supports VPC network infrastructure based on VxlanNetwork.
• ZStack supports distributed routing to optimize east-west traffic and lower network latency.
For more information about network services, see Network Service.
7.3.1 Network Diagram
ZStack supports the network diagram feature.
ZStack provides a global diagram of the cloud and also lets you generate diagrams for your custom resources to quickly locate resource states.
7.3.1.1 Global Diagram
Global Diagram Page
On the main menu of ZStack Private Cloud, select Network Resource > Network Diagram to enter the All page, as shown in All. The global diagram is the All tab of Network Diagram.
Figure 7-90: All
Global Diagram Operations
You can perform the following operations on the global diagram:
• Check: View the network diagram of the entire cloud directly.
• Refresh: Click the refresh button at the upper left of the UI to display the latest global diagram.
• Export: Click the Export button at the upper left of the UI to export the current global diagram as a PNG image.
• Search: Click the Search button at the upper right of the UI to open the Search box. You can search by resource type and resource property.
▬ Supported resource types: VM instance, router (vRouter or VPC vRouter), private network, and public network.
▬ Supported resource properties: resource name, resource UUID, IP address, and EIP.
• Zoom in/out: Click the Zoom In or Zoom Out button at the lower right of the UI to zoom the current network diagram in or out.
• Default: Click the Default button at the lower right of the UI to restore a zoomed diagram to its default size.
• Highlight by selecting resources: Select a resource to highlight it together with its associated resources.
• Floating resource information: Hover over a resource to display its related information in a floating panel.
• Open consoles: Hover over a resource to display its floating panel, then click the console button at the upper right of the floating panel to open the console of the resource.
• State display of routers or VM instances: The real-time state of a router or VM instance is shown by the colored dot at the upper right of the resource. For more information, see State Display Definition for Router or VM Instance.
Table 7-4: State Display Definition for Router or VM Instance
Router/VM State    Dot Color
Starting           Blue
Running            Green
Stopping           Blue
Stopped            Red
Rebooting          Blue
Deleting           Blue
Deleted            Grey
Migrating          Blue
Expunging          Blue
Pausing            Blue
Paused             Grey
Recovering         Blue
Unknown            Yellow
7.3.1.2 Custom Diagram
Custom Diagram Page
On the main menu of ZStack Private Cloud, select Network Resource > Network Diagram > Custom to enter the Custom page, as shown in Custom. The custom diagram is the Custom tab of Network Diagram.
Figure 7-91: Custom
Custom Diagram Operations
You can perform the following operations on a custom diagram:
• Generate and check the specified resources: Generate and view network diagrams for the resources that you specify. Currently, these resources include VM instance, router (vRouter or VPC vRouter), private network, and public network.
• Refresh: Click the refresh button at the upper left of the UI to display the latest diagram.
• Export: Click the Export button at the upper left of the UI to export the current diagram as a PNG image.
• Search: Click the Search button at the upper right of the UI to open the Search box. You can search by resource type and resource property.
▬ Generate the custom network diagram first. The Search button then searches the resources on that custom diagram.
▬ Supported resource types: VM instance, router (vRouter or VPC vRouter), private network, and public network.
▬ Supported resource properties: resource name, resource UUID, IP address, and EIP.
• Zoom in/out: Click the Zoom In or Zoom Out button at the lower right of the UI to zoom the current network diagram in or out.
• Default: Click the Default button at the lower right of the UI to restore a zoomed diagram to its default size.
• Highlight by selecting resources: Select a resource to highlight it together with its associated resources.
• Floating resource information: Hover over a resource to display its related information in a floating panel.
• Open consoles: Hover over a resource to display its floating panel, then click the console button at the upper right of the floating panel to open the console of the resource.
• State display of routers or VM instances: The real-time state of a router or VM instance is shown by the colored dot at the upper right of the resource. For more information, see Table 7-4: State Display Definition for Router or VM Instance.
7.3.2 SDN Controller
By adding an SDN controller, you can take over the SDN networks of hardware switches to reduce network latency and improve VXLAN network performance.
• Before you add an SDN controller to the cloud, plan the management network in advance and complete the basic configuration of the SDN controller.
• Currently, the cloud only allows you to add the H3C SDN controller VCFC.
Add SDN Controller
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > SDN Controller.
On the SDN Controller page, click Add SDN Controller. On the displayed Add SDN Controller page, set the following parameters:
• Name: Enter a name for the SDN controller.
• Description: Optional. Enter a description for the SDN controller.
• Vendor: Select the SDN controller vendor. Currently, the cloud only allows you to add the H3C SDN controller VCFC.
• IP: Enter the IP address of the SDN controller.
• User Name: Enter the user name of the SDN controller.
• Password: Enter the password of the SDN controller.
• Virtual Distributed Switch UUID: Enter the UUID of a virtual distributed switch.
Note:
• Make sure that you have configured the virtual distributed switch in the SDN controller in advance.
• The virtual distributed switch determines the available VNI range of the hardware SDN VXLAN Pool.
You can add an SDN controller as shown in Add SDN Controller.
Figure 7-92: Add SDN Controller
SDN Controller Operations
You can perform the following operations on an SDN controller:
• Change name: Change the name of the SDN controller.
• Change description: Change the description of the SDN controller.
• Delete: Delete the SDN controller. Exercise caution. If you delete the SDN controller, the hardware SDN VXLAN Pool associated with it is deleted as well, together with all VXLAN networks under that VXLAN Pool and the L3 networks on those VXLAN networks.
• Audit: Check the operations performed on the SDN controller.
7.3.3 L2 Network Resource
An L2 network resource includes a VXLAN Pool and an L2 network.
7.3.3.1 VXLAN Pool
A VXLAN Pool is a collection of VXLAN networks, which encapsulate layer 2 frames in UDP packets. It forms a large L2 network over an IP network for a large-scale cloud computing center.
• Before you use a VXLAN network, create a VXLAN Pool first.
• A VXLAN Pool cannot be used to create an L3 network directly; it is only a collection of VXLAN networks.
• A VXLAN Pool supports two SDN types: software SDN and hardware SDN.
▬ Software SDN:
■ The VNI range of a software SDN VXLAN Pool is 1-16777214.
■ An IP address of a host attached to the cluster, within the configured CIDR, serves as the VTEP (VXLAN tunnel endpoint).
■ Generally, a VTEP corresponds to a NIC IP address of a compute node in the cluster. On the cloud, you configure the VTEP by its CIDR. For example:
■ If the NIC IP address of a compute node is 10.12.0.8, the subnet mask is 255.0.0.0, and the gateway is 10.0.0.1, the VTEP CIDR is 10.0.0.1/8.
■ If the NIC IP address of a compute node is 172.20.12.13, the subnet mask is 255.255.0.0, and the gateway is 172.20.0.1, the VTEP CIDR is 172.20.0.1/16.
■ When a VXLAN Pool is attached to a cluster, the IP address matching the VTEP CIDR is looked up on each host without checking the physical L2 devices.
▬ Hardware SDN:
■ An SDN controller must be added to the cloud in advance.
■ The VNI range of a hardware SDN VXLAN Pool depends on the virtual distributed switch that the SDN controller corresponds to.
■ The NIC of a host attached to the cluster must connect to a switch managed by the SDN controller.
Create VXLAN Pool
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L2 Network Resource > VXLAN Pool. On the VXLAN Pool page, click Create VXLAN Pool. On the displayed Create VXLAN Pool page, set the following parameters:
• Name: Enter a name for the VXLAN Pool.
• Description: Optional. Enter a description for the VXLAN Pool.
• Type: Select the VXLAN Pool type: software SDN or hardware SDN.
▬ If you select software SDN, set the following parameters:
■ Start Vni: Enter the start VNI for the VxlanNetwork. Valid range: 1-16777214.
■ End Vni: Enter the end VNI for the VxlanNetwork. Valid range: 1-16777214; the end VNI must be larger than or equal to the start VNI.
Note: The cloud reserves the last two VNIs (16777215 and 16777216) for the system, so they cannot be included in the Start VNI to End VNI range.
■ Cluster: Optional. Select the cluster to attach.
Note:
• You can attach the VXLAN Pool to a cluster when you create it, or attach it later.
• When you attach a cluster, every compute node in the cluster must have an IP address in the VTEP CIDR.
■ VTEP CIDR: Enter the CIDR that the VTEP corresponds to.
You can create a VXLAN Pool of the software SDN type, as shown in Create Software SDN VXLAN Pool.
Figure 7-93: Create Software SDN VXLAN Pool
▬ If you select hardware SDN, set the following parameters:
■ SDN Controller: Select an SDN controller that you added to the cloud in advance.
■ Start Vni: Enter the start VNI for the HardwareVxlanNetwork.
■ End Vni: Enter the end VNI for the HardwareVxlanNetwork. The end VNI must be larger than or equal to the start VNI.
Note: The VNI range of a hardware SDN VXLAN Pool depends on the virtual distributed switch that the SDN controller corresponds to.
■ Cluster: Optional. Select the cluster to attach.
Note: You can attach the VXLAN Pool to a cluster when you create it, or attach it later.
■ NIC: Enter the NIC of the host.
Note: The NIC of a host attached to the cluster must connect to a switch managed by the SDN controller.
You can create a VXLAN Pool of the hardware SDN type, as shown in Create Hardware SDN VXLAN Pool.
Figure 7-94: Create Hardware SDN VXLAN Pool
You can create a VXLAN Pool as shown in Create VXLAN Pool.
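The VNI bounds and the VTEP CIDR rules above decide whether a software SDN VXLAN Pool can be created and then attached to a cluster. The following is an added example, not ZStack code: it derives the VTEP CIDR from a NIC address and mask as in the two examples above, checks that every host in a cluster has an address inside that CIDR (the attach-cluster rule), and hands out VNIs from the pool either by explicit choice or randomly, the two ways the guide says a VxlanNetwork obtains its VNI. Class and function names are assumptions, and the cluster host addresses are constructed.

```python
"""Checks for a software SDN VXLAN Pool: VNI range, VTEP CIDR derivation and
the attach-cluster rule. Added example, not ZStack code; names are assumptions.
"""
import ipaddress
import random
from typing import Dict, List, Optional, Set

VNI_MIN, VNI_MAX = 1, 16777214   # 16777215 and 16777216 are reserved by the cloud


def validate_vni_range(start: int, end: int) -> None:
    """Raise ValueError unless VNI_MIN <= start <= end <= VNI_MAX."""
    if not (VNI_MIN <= start <= end <= VNI_MAX):
        raise ValueError(f"VNI range {start}-{end} is reversed or outside {VNI_MIN}-{VNI_MAX}")


def vtep_cidr(nic_ip: str, netmask: str) -> str:
    """Derive the VTEP CIDR from a compute node's NIC address and subnet mask.
    Returns the network form (10.0.0.0/8); the gateway form used in the guide
    (10.0.0.1/8) denotes the same network and is accepted by hosts_missing_vtep."""
    return str(ipaddress.ip_network(f"{nic_ip}/{netmask}", strict=False))


def hosts_missing_vtep(cidr: str, cluster_hosts: Dict[str, List[str]]) -> List[str]:
    """Return the hosts that have no address inside cidr. Attaching the pool
    to a cluster that contains any of them fails, because those hosts would
    have no VTEP to source VXLAN tunnels from."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False accepts 10.0.0.1/8
    missing = [host for host, addrs in cluster_hosts.items()
               if not any(ipaddress.ip_address(a) in net for a in addrs)]
    return sorted(missing)


class VxlanPool:
    """Hands out VNIs from one range; each VxlanNetwork consumes exactly one."""

    def __init__(self, start: int, end: int):
        validate_vni_range(start, end)
        self.start, self.end = start, end
        self.used: Set[int] = set()

    def allocate(self, vni: Optional[int] = None) -> int:
        """Reserve an explicit VNI, or a random free one when vni is None."""
        if vni is None:
            # Enumerating the free set is fine for illustrative ranges; a
            # production allocator would track free intervals instead.
            free = [v for v in range(self.start, self.end + 1) if v not in self.used]
            if not free:
                raise ValueError("VNI range exhausted")
            vni = random.choice(free)
        elif not self.start <= vni <= self.end:
            raise ValueError(f"VNI {vni} is not in pool range {self.start}-{self.end}")
        elif vni in self.used:
            raise ValueError(f"VNI {vni} is already used by another VXLAN network")
        self.used.add(vni)
        return vni


if __name__ == "__main__":
    # Constructed cluster: host-2 has no address in the 10.0.0.0/8 VTEP network.
    cluster = {"host-1": ["10.12.0.8", "192.168.1.5"], "host-2": ["192.168.1.6"]}
    cidr = vtep_cidr("10.12.0.8", "255.0.0.0")
    print("VTEP CIDR:", cidr, "| hosts blocking attach:", hosts_missing_vtep(cidr, cluster))
    pool = VxlanPool(100, 200)
    print("explicit VNI:", pool.allocate(150), "| random VNI:", pool.allocate())
```

Run `hosts_missing_vtep` against the addresses of every host in the cluster before clicking Attach cluster; the guide's rule that each host must have an address in the VTEP CIDR is exactly what the empty-list result confirms.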
Figure 7-95: Create VXLAN Pool
VXLAN Pool Operations
You can perform the following operations on a VXLAN Pool:
• Change name: Change the name of the VXLAN Pool.
• Change description: Change the description of the VXLAN Pool.
• Attach cluster: Attach the VXLAN Pool to a cluster.
▬ Software SDN VXLAN Pool: Specify the CIDR to which the VTEP corresponds. Make sure that each host in the cluster has an IP address within that CIDR; otherwise, attaching the VXLAN Pool to the cluster fails.
▬ Hardware SDN VXLAN Pool: The NIC of a host that is attached to the cluster must connect to a switch managed by the SDN controller.
• Detach cluster: Detach a cluster from the VXLAN Pool.
• Delete: Delete the VXLAN Pool. If you delete the VXLAN Pool, its subresource VXLAN networks, the associated L3 networks, and the VM NICs on those networks are deleted as well.
• Share: Share the VXLAN Pool with the specified regular account.
• Recall: Recall the VXLAN Pool from the regular account. The VXLAN Pool then becomes invisible to that account.
• Share to all: Share the VXLAN Pool with all regular accounts.
• Recall from all: Recall the VXLAN Pool from all regular accounts. The VXLAN Pool then becomes invisible to these accounts.
• Create VNI range: Create a VNI range in the VXLAN Pool.
• Delete VNI range: Delete a VNI range from the VXLAN Pool.
• Change VNI range name: Change the name of a VNI range of the current VXLAN Pool. Only a single operation at a time is supported.
Note:
• A VNI range name supports 255 characters at most. You can use special characters as needed.
• Under one VXLAN Pool, different VNI ranges can use the same VNI range name.
• Create VXLAN network: Create a VXLAN network from the VXLAN Pool. Each VXLAN network corresponds to a VNI in the VXLAN Pool.
• Delete VXLAN network: Delete the VXLAN network.
If you delete the VXLAN network, its subresource L3 network and the VM NICs on that L3 network are deleted as well.
• Audit: Check the related operations of the VXLAN Pool.
7.3.3.2 L2 Network
An L2 network is a layer 2 broadcast domain used for layer 2 isolation. Generally, L2 networks are identified by the names of devices on the physical network.
• VLAN, VXLAN, or SDN can be used as an L2 network to provide layer 2 isolation.
• An L2 network provides layer 2 isolation for an L3 network, as shown in L2 Network.
Figure 7-96: L2 Network
Four Major Types of L2 Network
An L2 network supports mainly four types.
1. L2NoVlanNetwork
L2NoVlanNetwork indicates that no VLAN settings are used for connecting the corresponding host.
• If you set a VLAN on the switch port, make sure that the switch port is in Access mode.
• If you do not set a VLAN on the switch port, no further operation is needed.
• When you create the L2 network, a bridge is created on the network device that you entered.
2. L2VlanNetwork
L2VlanNetwork indicates that VLAN settings are used for connecting the corresponding host.
• The switch port connected to the host must be in Trunk mode.
• The virtual LAN can be divided logically; it supports 1-4094 subnets.
• When you create the L2 network, a VLAN device is created on the network device that you entered, and a bridge is created on the VLAN device.
3. VxlanNetwork
VxlanNetwork indicates a VXLAN network created by using a VNI specified by a VxlanNetworkPool of the Software SDN type.
• A VxlanNetwork is created from a VxlanNetworkPool of the Software SDN type.
• Each VxlanNetwork corresponds to a VNI specified by the VxlanNetworkPool of the Software SDN type.
• A VxlanNetwork can be used to create an L3 network.
4. HardwareVxlanNetwork
HardwareVxlanNetwork indicates a VXLAN network created by using a VNI specified by a VxlanNetworkPool of the Hardware SDN type.
• A HardwareVxlanNetwork is created from a VxlanNetworkPool of the Hardware SDN type.
• Each HardwareVxlanNetwork corresponds to a VNI specified by the VxlanNetworkPool of the Hardware SDN type.
• A HardwareVxlanNetwork can be used to create an L3 network.
Note:
• When you add an L2NoVlanNetwork or L2VlanNetwork, enter the NIC name.
• In CentOS 7, a NIC name in the ethX format changes after the system reboots, and the NIC order also changes randomly. We recommend that you change the NIC name of each compute node (especially for VM instances with multiple NICs) to a non-ethX format, such as em01.
Relationship Between L2 Network and Cluster/L3 Network/VM Instance
The relationship between an L2 network and a cluster, L3 network, or VM instance is as follows:
• If an L2 network is attached to a cluster but not attached to a host, you cannot add that host to the cluster.
• If an L2 network is not attached to a cluster and not attached to a host, you cannot attach the L2 network to the cluster.
• If an L2 network is attached to a host but its L2 network devices are connected inconsistently across the hosts in a cluster, the IP addresses of the VM instances that you create will not work normally.
• You can use one L2 network to create multiple child L3 networks. If you use a HardwareVxlanNetwork L2 network to create a private network, you can only create a flat network and its corresponding network services. A vRouter network cannot be created from a HardwareVxlanNetwork L2 network.
• If you delete an L2 network, the corresponding L3 networks are also deleted, and the VM NICs on those L3 networks are deleted as well.
• If you delete an L2 network, you also delete the vRouters, VPC vRouters, and vRouter offerings on the L2 network.
• If you delete the L2 network corresponding to a public network, all network services of the corresponding routers are deleted, including the vRouter, VPC vRouter, vRouter offering, virtual IP, elastic IP, port forwarding, load balancing, IPsec tunnel, and Netflow.
• You can create multiple VxlanNetworks by using a VXLAN Pool of the Software SDN type. These VxlanNetworks can be used for flat networks, vRouter networks, or VPC networks.
• VM instances in a VxlanNetwork cannot be accessed through the Internet directly. To access these VM instances through the Internet, use an elastic IP or port forwarding.
• You can also create multiple HardwareVxlanNetworks by using a VXLAN Pool of the Hardware SDN type. These HardwareVxlanNetworks can currently be used only for flat networks.
7.3.3.2.1 L2NoVlanNetwork
L2NoVlanNetwork is an L2 network without VLAN mode. If you do not plan to use a VLAN network, select L2NoVlanNetwork.
Note: When the switch port is in Access mode, configure L2NoVlanNetwork.
Create L2NoVlanNetwork
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L2 Network Resource > L2 Network. On the L2 Network page, click Create L2 Network. On the displayed Create L2 Network page, set the following parameters:
• Name: Enter a name for the L2 network.
• Description: Optional. Enter a description for the L2 network.
• Type: Select L2NoVlanNetwork.
• Physical NIC: Enter the name of the L2 network device, such as em01.
• Enable SR-IOV: Choose whether to enable SR-IOV.
▬ By default, this checkbox is not selected, indicating that SR-IOV is not enabled. In this case, SR-IOV cannot be enabled for the L3 networks corresponding to this L2 network.
▬ If selected, SR-IOV is enabled.
In this case, SR-IOV can be enabled for the L3 networks corresponding to this L2 network. Make sure that VF NICs are generated through SR-IOV from the physical NICs used by the L2 network.
• Cluster: Optional. Select the cluster to attach.
Note:
• When you create an L2 network of the L2NoVlanNetwork type, you can attach it to a cluster, or you can attach it to a cluster after creating the L2 network, as shown in Create L2NoVlanNetwork.
• If the L2 network is not attached to a cluster, you cannot use this L2 network to create VM instances.
You can create an L2NoVlanNetwork, as shown in Create L2NoVlanNetwork.
Figure 7-97: Create L2NoVlanNetwork
7.3.3.2.2 L2VlanNetwork
L2VlanNetwork is an L2 network with VLAN mode. If you plan to use a VLAN network, select L2VlanNetwork.
Note:
• A VLAN ID supports 1-4094.
• For a VM network and a host network to be interconnected, the switch side must be in Trunk mode.
Create L2VlanNetwork
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L2 Network Resource > L2 Network. On the L2 Network page, click Create L2 Network. On the displayed Create L2 Network page, set the following parameters:
• Name: Enter a name for the L2 network.
• Description: Optional. Enter a description for the L2 network.
• Type: Select L2VlanNetwork.
• VLAN ID: Enter a VLAN ID that matches the actual network configuration. A VLAN ID supports 1-4094.
• Physical NIC: Enter the name of the L2 network device, such as em01.
• Enable SR-IOV: Choose whether to enable SR-IOV.
▬ By default, this checkbox is not selected, indicating that SR-IOV is not enabled. In this case, SR-IOV cannot be enabled for the L3 networks corresponding to this L2 network.
▬ If selected, SR-IOV is enabled.
In this case, SR-IOV can be enabled for the L3 networks corresponding to this L2 network. Make sure that VF NICs are generated through SR-IOV from the physical NICs used by the L2 network.
• Cluster: Optional. Select the cluster to attach.
Note:
• When you create an L2 network of the L2VlanNetwork type, you can attach it to a cluster, or you can attach it to a cluster after creating the L2 network, as shown in Create L2VlanNetwork.
• If the L2 network is not attached to a cluster, you cannot use this L2 network to create VM instances.
Figure 7-98: Create L2VlanNetwork
7.3.3.2.3 VxlanNetwork
After you create a VXLAN Pool with the software SDN type, create a VxlanNetwork L2 network by using this VXLAN Pool. Each VxlanNetwork corresponds to a VNI in the VXLAN Pool.
VxlanNetwork Features
• A VxlanNetwork is a logical layer 2 network that is built on and encapsulated over a layer 3 physical network by using UDP.
• A VxlanNetwork can overlay across L3 networks.
• A VxlanNetwork can encapsulate broadcast and multicast messages by using IP multicast.
• A VxlanNetwork uses a 24-bit VXLAN network identifier, and supports a maximum of 16M logical networks.
Create VxlanNetwork
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L2 Network Resource > L2 Network. On the L2 Network page, click Create L2 Network. On the displayed Create L2 Network page, set the following parameters:
• Name: Enter a name for the VxlanNetwork L2 network.
• Description: Optional. Enter a description for the VxlanNetwork L2 network.
• Type: Select VxlanNetwork.
• VXLAN Pool: Select a VXLAN Pool with the software SDN type.
• Vni: Optional. Select a specific VNI in the VXLAN Pool. If left empty, the cloud randomly allocates a VNI for you.
You can create an L2 network with the VxlanNetwork type, as shown in Create VxlanNetwork.
Figure 7-99: Create VxlanNetwork
7.3.3.2.4 HardwareVxlanNetwork
After you create a VXLAN Pool with the hardware SDN type, create a HardwareVxlanNetwork L2 network by using this VXLAN Pool. Each HardwareVxlanNetwork corresponds to a VNI in the VXLAN Pool.
HardwareVxlanNetwork Features
• A HardwareVxlanNetwork is a logical layer 2 network that is built on and encapsulated over a layer 3 physical network by using UDP.
• A HardwareVxlanNetwork can overlay across L3 networks.
• A HardwareVxlanNetwork can encapsulate broadcast and multicast messages by using IP multicast.
• The VNI range supported by a hardware SDN VXLAN Pool depends on the virtual distributed switch to which the SDN controller corresponds.
Create HardwareVxlanNetwork
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L2 Network Resource > L2 Network. On the L2 Network page, click Create L2 Network. On the displayed Create L2 Network page, set the following parameters:
• Name: Enter a name for the HardwareVxlanNetwork L2 network.
• Description: Optional. Enter a description for the HardwareVxlanNetwork L2 network.
• Type: Select HardwareVxlanNetwork.
• VXLAN Pool: Select a VXLAN Pool with the hardware SDN type.
• Vni: Optional. Select a specific VNI in the VXLAN Pool. If left empty, the cloud randomly allocates a VNI for you.
You can create an L2 network with the HardwareVxlanNetwork type, as shown in Create HardwareVxlanNetwork.
Figure 7-100: Create HardwareVxlanNetwork
7.3.3.3 L2 Network Operations
L2NoVlanNetwork and L2VlanNetwork Types
L2 networks with the L2NoVlanNetwork and L2VlanNetwork types support the following operations:
• Change name: Change the name of the L2 network.
• Change description: Change the description of the L2 network.
• Attach cluster: Attach the L2 network to a cluster.
• Detach cluster: Detach the L2 network from the cluster.
• Share: Share the L2 network with the specified regular accounts or projects.
• Recall: Recall the L2 network from the specified regular accounts or projects. The L2 network then becomes invisible to these accounts or projects.
• Share to all: Share the L2 network with all regular accounts or projects.
• Recall from all: Recall the L2 network from all regular accounts or projects. The L2 network then becomes invisible to these accounts or projects.
• Delete: Delete the L2 network. If you delete the L2 network, its subresource L3 networks and the VM NICs on those L3 networks are deleted as well.
• Audit: Check the related operations of the L2 networks with the L2NoVlanNetwork and L2VlanNetwork types.
VxlanNetwork Type
An L2 network with the VxlanNetwork type supports the following operations:
• Change name: Change the name of the L2 network of the VxlanNetwork type.
• Change description: Change the description of the L2 network of the VxlanNetwork type.
• Share: Share the L2 network of the VxlanNetwork type with the specified regular accounts or projects.
• Recall: Recall the L2 network of the VxlanNetwork type from the specified regular accounts or projects.
• Share to all: Share the L2 network of the VxlanNetwork type with all regular accounts or projects. You can make these accounts or projects invisible.
• Recall from all: Recall the L2 network of the VxlanNetwork type from all regular accounts or projects. The L2 network then becomes invisible to these accounts or projects.
• Delete: Delete the L2 network of the VxlanNetwork type. If you delete it, its subresource L3 networks and the VM NICs on those L3 networks are deleted as well.
• Audit: Check the related operations of the L2 network of the VxlanNetwork type.
HardwareVxlanNetwork Type
An L2 network with the HardwareVxlanNetwork type supports the following operations:
• Change name: Change the name of the L2 network of the HardwareVxlanNetwork type.
• Change description: Change the description of the L2 network of the HardwareVxlanNetwork type.
• Delete: Delete the L2 network of the HardwareVxlanNetwork type. If you delete it, its subresource L3 networks and the VM NICs on those L3 networks are deleted as well.
• Audit: Check the related operations of the L2 network of the HardwareVxlanNetwork type.
7.3.4 L3 Network
An L3 network is a collection of network configurations for VM instances, including the IP address range, gateway, DNS, and network services.
• The IP address range includes the start IP address, end IP address, netmask, and gateway. For example, you can specify the IP address range from 172.20.12.2 to 172.20.12.255, set the netmask to 255.255.0.0, and set the gateway to 172.20.0.1. Alternatively, you can use a CIDR to specify an IP address range, such as 192.168.1.0/24.
• A DNS server provides the DNS resolution used when configuring VM instance networks.
Public Network
Generally, a public network is a network that anyone can access and that connects directly to the Internet. Because the public network is a logical concept, you can also define a public network in an environment that cannot access the Internet. In addition, the public network provides the network services in a vRouter network and a VPC network.
• The public network can be used in a flat network environment to create VM instances.
• The public network can be used in a vRouter network environment to create vRouters.
• The public network can be used in a VPC network to create VPC vRouters.
System Network
A system network is a dedicated network used by the management node.
• The system network can be used as a management network to deploy and configure related resources, such as hosts, primary storage, backup storage, and vRouters.
• The system network can be used as a migration network to migrate VM instances.
• If your network resources are insufficient and you cannot deploy a separate management network, the public network acts as the management network.
• An independent system network can be used for specific purposes, such as managing the vRouter network.
• The system network cannot be used to create ordinary VM instances.
Private Network
A private network is also known as a business network or an access network. Generally, VM instances use the private network. The private network specifies the network used by VM instances, and supports three network architecture models: the flat network, vRouter network, and VPC network.
Specific Network Scenarios
• Management Network
A management network is a type of system network used for managing and controlling the corresponding physical resources.
• For example, when you access a host, backup storage, primary storage, or other resources that require an IP address, you use the management network.
• When you create vRouters or VPC vRouters, you need an IP address on the vRouter or VPC vRouter that is reachable from the management network. With this IP address, the cloud deploys an agent and obtains the messages returned by the agent.
• Storage Network
A storage network is the network specified by the shared storage. You can use the storage network to check the health status of a VM instance. We recommend that you plan an independent storage network in advance to avoid potential risks.
• VDI Network
When you create clusters, you can specify a CIDR for the VDI network.
In the VDI scenario, the network traffic generated by protocol communication between the server side and the client side uses the VDI network. If you do not configure the VDI network, the management network is used by default.
• Migration Network
When you create clusters, you can specify a CIDR for the migration network, which is used for VM instance migration. If you do not configure the migration network, the management network is used for VM instance migration.
• Image Synchronization Network
An image synchronization network is the network over which images are synchronized among backup storages of the ImageStore type under the same management node.
• If you have deployed an independent network for synchronizing images, you can specify a CIDR for the image synchronization network.
• If you do not configure the image synchronization network, the management network is used by default.
• If you set the image synchronization network on both the source image store and the target image store, only the setting on the target image store takes effect.
• Data Network
A data network is the network over which data is transferred between a compute node and a backup storage.
• Using an independent data network avoids network congestion and improves the data transfer rate.
• If you do not configure the data network, the management network is used by default.
• Backup Network
ZStack provides backup services, which are add-on licensed features. A backup network is the network over which you back up your local VM instances, volumes, or databases to the local backup storage, and over which you restore the local backup data from the local backup storage.
• If you deploy an independent network for local backup, you can specify a CIDR for the backup network.
• Using an independent network avoids network congestion and improves the data transfer rate.
• If you do not configure the backup network, the management network is used for local backup by default.
Note: We provide backup services as an independent function module. To use them, you need to purchase the Base License of ZStack first, and then purchase a Plus License for the backup services. The Plus License cannot be used separately.
• Traffic Network
A traffic network is the network specified for port mirroring, which is used to mirror the network traffic of a NIC for remote access. The traffic network cannot act as any other network and cannot be used to create VM instances.
Notice
• When you create VM instances, you can specify multiple networks. That is, you can specify multiple flat networks, vRouter networks, VPC networks, or a combination of flat networks, vRouter networks, and VPC networks.
• Multi-layer networks are supported, and the L2 networks of multi-layer networks can intercommunicate. Therefore, pay special attention to avoiding conflicts between IP address spaces.
• You can create multiple L3 networks from one L2 network. If the L2 network is of the HardwareVxlanNetwork type, the private network that you create supports only the flat network and its corresponding network services, not the vRouter network.
7.3.4.1 Public Network
Generally, a public network is a network that can directly connect to the Internet. The public network is a logical concept, so you can also define the network in an environment that cannot connect to the Internet. Network services are provided on vRouters or VPCs. Accordingly, you can either create VM instances by using public networks in the flat network type, or create VM instances separately in vRouter network environments and VPC environments.
Create Public Network
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L3 Network > Public Network. On the Public Network page, click Create Public Network. On the displayed Create Public Network page, set the following parameters:
• Name: Enter a name for the public network.
• Description: Optional. Enter a description for the public network.
• L2 Network: Select the corresponding L2 network for the public network.
Note: An L2 network can be used to create multiple L3 networks.
Click the plus sign (⊕) under the L2 Network field. The Select L2 Network page is displayed on the right. This page has the following two tabs:
• Default: Displays the L2 networks in the current zone that do not have an L3 network attached.
• All: Displays all L2 networks in the current zone, whether or not they have an L3 network attached.
As shown in Select L2 Network.
Figure 7-101: Select L2 Network
• Stop DHCP server: Choose whether to enable the DHCP service.
Note:
• By default, this checkbox is not selected, indicating that the DHCP service is enabled and IP addresses are automatically allocated to VM instances. In this case, you can customize an IP address for the DHCP service, or let the system randomly specify a DHCP IP address.
• If selected, the DHCP service is disabled, indicating that VM instances using this network cannot obtain IP addresses automatically, and you need to configure IP addresses manually. In this case, you cannot customize the DHCP IP address, and the system does not randomly specify a DHCP IP address.
• Add IP Range: Select a network address type, IPv4 or IPv6. Then, add a network range, either as an IP range or as a CIDR. The following describes the four network range scenarios.
1. IPv4 | IP Range.
If you select the IPv4 network address type and add the network range as an IP range, set the following parameters:
• Start IP: Enter a start IP address for the network range, such as 172.20.108.100.
• End IP: Enter an end IP address for the network range, such as 172.20.108.200.
• Netmask: Enter a netmask for the network range, such as 255.255.0.0.
• Gateway: Enter a gateway for the network range, such as 172.20.0.1.
• DHCP IP: Optional. Enter a DHCP IP address as needed, such as 172.20.108.10.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first IP range to an L3 network with the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add an IP range.
• The DHCP IP address can be inside or outside the IP range that you added. However, the DHCP IP address must be within the CIDR to which the added IP range belongs, and must not be occupied.
• The IP range between the start IP address and end IP address cannot contain addresses of the link-local block (169.254.0.0/16).
• If not specified, the system randomly selects an IP address within the IP range that you added.
As shown in IPv4 | IP Range.
Figure 7-102: IPv4 | IP Range
Note: When you add network ranges with IPv4 | IP Range, pay attention to the following:
• You must not include the gateway (for example, xxx.xxx.xxx.1), the broadcast address (for example, xxx.xxx.xxx.255), or the network address (for example, xxx.xxx.xxx.0) in the IP range that you add.
• The network range of a private network cannot overlap with the public network or management network of a vRouter offering.
2. IPv4 | CIDR.
If you select the IPv4 network address type and add the network range as a CIDR, set the following parameters:
• CIDR: Enter a CIDR for the network range, such as 192.168.108.1/24.
• Gateway: Set a gateway, such as 192.168.108.1.
Note:
• The first or the last allowed IP address in the CIDR can act as the gateway.
• If left empty, the first IP address serves as the gateway by default.
• DHCP IP: Optional. Set a DHCP IP address as needed, such as 192.168.108.10.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first network range to an L3 network with the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add an IP range.
• The DHCP IP address can be inside or outside the IP range that you added. However, the DHCP IP address must not conflict with the current CIDR.
• If not specified, the system randomly selects an IP address within the IP range that you added.
• The first IP address in a CIDR is deemed the gateway by default, and cannot serve as the DHCP IP address.
As shown in Figure 7-103: IPv4 | CIDR.
Figure 7-103: IPv4 | CIDR
Note: When you add a network range with IPv4 | CIDR, pay attention to the following:
• The IP range specified by the CIDR cannot contain addresses of the link-local block (169.254.0.0/16).
• The network range of a private network cannot overlap with the public network or management network of a vRouter offering.
3. IPv6 | IP Range.
If you select the IPv6 network address type and add the network range as an IP range, set the following parameters:
• Mode: Select an IP allocation method. Default method: Stateful-DHCP.
Note:
• Stateful-DHCP: Assign a stateful IP address by using the DHCP protocol.
You can configure both the access addresses and other parameters by using the DHCP protocol.
• Start IP: Enter a start IP address for the network range, such as 2000:910A:2222:5498:8475:1111:3900:2002.
• End IP: Enter an end IP address for the network range, such as 2000:910A:2222:5498:8475:1111:3900:2009.
• Prefix Length: Enter a prefix length for the network range, such as 64.
Note: The prefix length is 64-126. If it is less than 64, you will fail to create VM instances.
• Gateway: Enter the gateway for the network range, such as 2000:910A:2222:5498:8475:1111:3900:2001.
• DHCP IP: Optional. Set a DHCP IP address as needed, such as 2000:910A:2222:5498:8475:1111:3900:2006.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first IP range to an L3 network with the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add an IP range.
• The DHCP IP address can be inside or outside the IP range that you added. However, the DHCP IP address must be within the CIDR to which the added IP range belongs, and must not be occupied.
• The IP range between the start IP address and end IP address cannot contain addresses of the link-local block (169.254.0.0/16).
• If not specified, the system randomly selects an IP address within the IP range that you added.
As shown in IPv6 | IP Range.
Figure 7-104: IPv6 | IP Range
Note: When you add a network range with IPv6 | IP Range, pay attention to the following:
• You must not include the gateway (for example, xxxx::1) in the IP range that you add.
• The IP range between the start IP address and end IP address cannot contain addresses of the link-local block (fe80::/10).
• The network range of a private network cannot overlap with the public network or management network of a vRouter offering.
4. IPv6 | CIDR.
If you select the IPv6 network address type and add the network range as a CIDR, set the following parameters:
• Mode: Select one of three IP allocation methods: Stateful-DHCP, Stateless-DHCP, or SLAAC.
Note:
• Stateful-DHCP: Assign a stateful IP address by using the DHCP protocol. Default method: Stateful-DHCP. You can configure both the access addresses and other parameters by using the DHCP protocol.
• Stateless-DHCP: Assign a stateless IP address without using the DHCP protocol for the address itself. Access addresses are derived automatically from the prefix advertised by routers, while other parameters are configured by using the DHCP protocol.
• SLAAC: Assign the stateless IP address automatically. Access addresses are derived automatically from the prefix advertised by routers, and other parameters are carried in the router advertisement.
• CIDR: Enter a CIDR for the network range, such as 234E:2457:3D::/64.
• DHCP IP: Optional. Set a DHCP IP address as needed, such as 234E:2457:3D::F.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first network range to an L3 network with the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add an IP range.
• The DHCP IP address can be inside or outside the IP range that you added. However, the DHCP IP address must not conflict with the current CIDR.
• If not specified, the system randomly selects an IP address within the IP range that you added.
• The first IP address in a CIDR is deemed the gateway by default, and cannot serve as the DHCP IP address.
As shown in Figure 7-105: IPv6 | CIDR.
Figure 7-105: IPv6 | CIDR Note: If you add a network range with IPv6 | CIDR, set the following parameters: • The first IP address in a CIDR has been deemed as a gateway by default. • The IP range specified in the CIDR cannot contain IP addresses of the link-local address (fe80::/10). • The network range of a private network cannot overlap with the public network or management network on a vRouter offering. • Add DNS: Add a DNS server used for configuring the DNS service of an L3 network. ▬ IPv4 type: For example, specify 223.5.5.5、8.8.8.8 or 114.114.114.114. ▬ IPv6type: For example, specify 240C::6644 or 240C::6666. Issue: V3.9.0 367User Guide / 7 Cloud Operations Guide As shown in Create Public Network with IPv4 | CIDR. Figure 7-106: Create Public Network with IPv4 | CIDR 368 Issue: V3.9.0User Guide / 7 Cloud Operations Guide Public Network Operations You can perform the following operations on a public network: • Create a public network: Create a new public network. • Add an IP range: Add a new IP range for the public network. • Share to all: Share the public network to all projects or regular accounts. Make sure that you have installed the License of the Enterprise Management module. • Recall from all: Recall the public network from all projects or regular accounts. Make sure that you have installed the License of the enterprise management module. You can make these projects or regular accounts invisible. • Delete: Delete the public network. Issue: V3.9.0 369User Guide / 7 Cloud Operations Guide Note: Exercise caution. If you delete the public network, you will detach the VM NICs that are using this network. In addition, you will delete the corresponding routers, network services, and vRouter offerings. Notice Make sure that the IP range of the public network can reach the Internet. Otherwise, vRouters or VPC vRouters cannot work properly. 
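The notes above state a set of rules that every IP range or CIDR must satisfy before the cloud accepts it (gateway, network and broadcast addresses outside the range, no link-local addresses, IPv6 prefix length 64-126, DHCP IP inside the subnet and unoccupied, CIDR gateway at the first or last usable address, no overlap with a vRouter offering's public or management network). The following checker is an added example, not ZStack code; it reproduces those rules offline with the page's sample values so that an operator can pre-validate a range before submitting the dialog. Function and parameter names are this example's own, and the rule that an IP range must lie inside the subnet defined by its gateway and mask is an assumption.

```python
"""Offline checker for the IP range rules of the ZStack L3 network dialogs (added example)."""
import ipaddress
from typing import Iterable, List, Optional

# Link-local blocks that no range may contain (from the dialog notes).
LINK_LOCAL = {4: ipaddress.ip_network("169.254.0.0/16"),
              6: ipaddress.ip_network("fe80::/10")}


def _overlaps(lo: int, hi: int, net) -> bool:
    """True if the integer address interval [lo, hi] shares any address with net."""
    return lo <= int(net.broadcast_address) and int(net.network_address) <= hi


def _reserved_overlap(lo: int, hi: int, version: int, reserved: Iterable[str]) -> List[str]:
    """Report overlap with the public/management networks of a vRouter offering."""
    out = []
    for cidr in reserved:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == version and _overlaps(lo, hi, net):
            out.append(f"range overlaps reserved network {net}")
    return out


def check_ip_range(start: str, end: str, gateway: str, netmask: Optional[str] = None,
                   prefix_len: Optional[int] = None, dhcp_ip: Optional[str] = None,
                   occupied: Iterable[str] = (), reserved: Iterable[str] = ()) -> List[str]:
    """Validate an 'IP Range' entry. IPv4 takes a netmask, IPv6 a prefix length.
    'occupied' lists addresses already in use (the DHCP IP must not be one of them);
    'reserved' lists CIDRs the range must not overlap. Returns the violated rules;
    an empty list means the entry is acceptable."""
    s, e, gw = (ipaddress.ip_address(x) for x in (start, end, gateway))
    if not s.version == e.version == gw.version:
        return ["start, end and gateway must use the same IP version"]
    errors: List[str] = []
    if int(s) > int(e):
        errors.append("start IP must not be after end IP")
    if s.version == 4:
        if netmask is None:
            return ["an IPv4 range needs a netmask"]
        subnet = ipaddress.ip_network(f"{gw}/{netmask}", strict=False)
    else:
        if prefix_len is None or not 64 <= prefix_len <= 126:
            return ["IPv6 prefix length must be 64-126 (shorter prefixes break VM creation)"]
        subnet = ipaddress.ip_network(f"{gw}/{prefix_len}", strict=False)
    lo, hi = int(s), int(e)
    # Assumption: the range lies inside the subnet that the gateway and mask define.
    if s not in subnet or e not in subnet:
        errors.append(f"range is not inside the gateway's subnet {subnet}")
    if lo <= int(gw) <= hi:
        errors.append("gateway must not be inside the range")
    if s.version == 4:  # IPv4 ranges must also exclude the network and broadcast addresses
        for label, addr in (("network address", subnet.network_address),
                            ("broadcast address", subnet.broadcast_address)):
            if lo <= int(addr) <= hi:
                errors.append(f"{label} {addr} must not be inside the range")
    if _overlaps(lo, hi, LINK_LOCAL[s.version]):
        errors.append(f"range contains link-local addresses ({LINK_LOCAL[s.version]})")
    if dhcp_ip is not None:
        d = ipaddress.ip_address(dhcp_ip)
        if d not in subnet:  # may be outside the range, but never outside the subnet
            errors.append(f"DHCP IP {d} is outside the subnet {subnet}")
        if d == gw or d in {ipaddress.ip_address(o) for o in occupied}:
            errors.append(f"DHCP IP {d} is already occupied")
    errors += _reserved_overlap(lo, hi, s.version, reserved)
    return errors


def check_cidr(cidr: str, gateway: Optional[str] = None, dhcp_ip: Optional[str] = None,
               reserved: Iterable[str] = ()) -> List[str]:
    """Validate a 'CIDR' entry. The gateway defaults to the first usable address and
    may only be the first or the last usable address of the block."""
    net = ipaddress.ip_network(cidr, strict=False)  # the UI accepts 192.168.108.1/24
    errors: List[str] = []
    first = net.network_address + 1
    last = net.broadcast_address - 1 if net.version == 4 else net.broadcast_address
    gw = ipaddress.ip_address(gateway) if gateway else first
    if gw not in (first, last):
        errors.append(f"gateway {gw} must be the first ({first}) or last ({last}) usable address")
    lo, hi = int(net.network_address), int(net.broadcast_address)
    if _overlaps(lo, hi, LINK_LOCAL[net.version]):
        errors.append(f"CIDR contains link-local addresses ({LINK_LOCAL[net.version]})")
    if dhcp_ip is not None:
        d = ipaddress.ip_address(dhcp_ip)
        if d not in net:
            errors.append(f"DHCP IP {d} conflicts with CIDR {net}")
        elif d == gw:
            errors.append(f"DHCP IP {d} is the gateway and cannot serve as DHCP IP")
        elif net.version == 4 and d in (net.network_address, net.broadcast_address):
            errors.append(f"DHCP IP {d} is the network or broadcast address")
    errors += _reserved_overlap(lo, hi, net.version, reserved)
    return errors


if __name__ == "__main__":
    # Sample values taken from this guide's dialogs.
    print(check_ip_range("172.20.108.100", "172.20.108.200", "172.20.0.1",
                         netmask="255.255.0.0", dhcp_ip="172.20.108.10"))
    print(check_cidr("234E:2457:3D::/64", dhcp_ip="234E:2457:3D::F"))
    print(check_cidr("10.0.5.0/24", reserved=["10.0.0.0/16"]))  # overlaps a reserved network
```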
7.3.4.2 Network Service
ZStack provides VM instances with multiple network resources, including the security group, virtual IP address (VIP), elastic IP address (EIP), port forwarding, load balancing, and IPsec tunnel. ZStack supports the following three network models:
• Flat network
• vRouter network
• VPC
Network Service Module
A Network Service Module provides network services. Note that it is hidden in the UI. There are four types of Network Service Module:
1. Virtual Router Network Service Module (not recommended)
This module provides the following network services: DNS, SNAT, load balancing, port forwarding, EIP, and DHCP.
2. Flat Network Service Module (Flat Network Service Provider)
This module provides the following network services:
• Userdata: You can customize operations, such as SSH key injection, by using the userdata service. The cloud-init plugin in your VM instance loads and performs these operations when the VM instance starts.
• EIP: An elastic IP address, implemented as a distributed EIP, makes a VM instance on a private network reachable from a public network.
• DHCP: DHCP lets VM instances obtain IP addresses dynamically.
Note: The DHCP service includes the DNS feature.
• VIP QoS: The upstream and downstream bandwidth can be adjusted by setting the VIP QoS. The VIP QoS can only be applied to EIPs.
3. vRouter Network Service Module
This module provides the following network services:
• IPsec: IPsec tunnels can be used to establish VPN connections.
• vRouter route table: You can manage custom routes by using route tables.
• Centralized DNS: The DNS service is provided when the DHCP service is enabled.
• VIP QoS: The upstream and downstream bandwidth can be adjusted by setting the VIP QoS.
• DNS: vRouters can provide the DNS service.
• SNAT: VM instances can access the Internet directly by using SNAT.
• Load balancing: Inbound traffic to a VIP can be distributed to a group of backend VM instances, and unavailable VM instances are detected and isolated automatically.
• Port forwarding: Traffic to specified ports of public IP addresses can be forwarded to the ports of corresponding VM instances according to the specified protocols.
• EIP: vRouters can use EIPs to make VM instances on private networks reachable from public networks.
• DHCP: A centralized DHCP service is provided.
4. Security Group Network Service Module
This module provides the following network service:
• Security group: You can manage the firewall rules of VM instances, implemented with iptables.
Flat Network Practice
In production environments, we recommend that you use the following combination of network services:
• Flat Network Service Module
▬ Userdata: You can customize operations, such as SSH key injection, by using the userdata service. The cloud-init plugin in your VM instance loads and performs these operations when the VM instance starts.
▬ EIP: An elastic IP address, implemented as a distributed EIP, makes a VM instance on a private network reachable from a public network.
▬ DHCP: DHCP lets VM instances obtain IP addresses dynamically.
Note: The DHCP service includes the DNS feature.
• Security Group Network Service Module
▬ Security group: You can manage the firewall rules of VM instances, implemented with iptables.
vRouter Network Practice
In production environments, we recommend that you use the following combination of network services:
• Flat Network Service Module
▬ Userdata: You can customize operations, such as SSH key injection, by using the userdata service. The cloud-init plugin in your VM instance loads and performs these operations when the VM instance starts.
▬ DHCP: DHCP lets VM instances obtain IP addresses dynamically.
• vRouter Network Service Module
▬ DNS: vRouters can provide the DNS service.
▬ SNAT: VM instances can access the Internet directly by using SNAT.
▬ vRouter route table: You can manage custom routes by using route tables.
▬ EIP: vRouters can use EIPs to make VM instances on private networks reachable from public networks.
▬ Port forwarding: Traffic to specified ports of public IP addresses can be forwarded to the ports of corresponding VM instances according to the specified protocols.
▬ Load balancing: Inbound traffic to a VIP can be distributed to a set of backend VM instances, and unavailable VM instances are detected and isolated automatically.
▬ IPsec: IPsec tunnels can be used to establish VPN connections.
• Security Group Network Service Module
▬ Security group: You can manage the firewall rules of VM instances, implemented with iptables.
VPC Network Practice
In production environments, we recommend that you use the following combination of network services:
• Flat Network Service Module
▬ Userdata: You can customize operations, such as SSH key injection, by using the userdata service. The cloud-init plugin in your VM instance loads and performs these operations when the VM instance starts.
▬ DHCP: DHCP lets VM instances obtain IP addresses dynamically.
• vRouter Network Service Module
▬ DNS: VPC vRouters can provide the DNS service.
▬ SNAT: VM instances can access the Internet directly by using SNAT.
▬ vRouter route table: You can manage custom routes by using route tables.
▬ EIP: VPC vRouters can use EIPs to make VM instances on private networks reachable from public networks.
▬ Port forwarding: Traffic to specified ports of public IP addresses can be forwarded to the ports of corresponding VM instances according to the specified protocols.
▬ Load balancing: Inbound traffic to a VIP can be distributed to a set of backend VM instances, and unavailable VM instances are detected and isolated automatically.
▬ IPsec: IPsec tunnels can be used to establish VPN connections.
• Security Group Network Service Module
▬ Security group: You can manage the firewall rules of VM instances, implemented with iptables.
Advanced Network Services
• Dynamic routing: Dynamic routing uses the Open Shortest Path First (OSPF) routing protocol to distribute routing information within a single autonomous system. This service applies to VPC network scenarios.
• Multicast routing: Multicast routing forwards the multicast traffic sent by a multicast source to VM instances, providing one-to-many communication between the sending side and the receiving side. This service applies to VPC network scenarios.
• VPC firewall: A VPC firewall filters the north-south traffic on the VPC vRouter ports, protecting both VPC communication and the VPC vRouter itself. This service applies to VPC network scenarios.
• Netflow: Netflow monitors and analyzes the inbound and outbound traffic of the VPC vRouter NICs. Currently, two flow export formats are supported: Netflow V5 and Netflow V9. This service applies to VPC network scenarios.
• Port mirroring: Port mirroring copies the network traffic of VM NICs from one port to another port so that the business packets can be analyzed there, which improves monitoring and management of the network data. This service applies to flat network, vRouter network, and VPC network scenarios.
7.3.4.3 System Network
A system network is a network used specifically by a management node. For example, the system network can be a management network used for deploying and configuring associated resources, including hosts, primary storages, backup storages, and vRouters. The system network can also be a migration network used for migrating VM instances. If network resources are insufficient, the system network and the public network can share resources.
An independent system network is used only for specific purposes other than creating normal VM instances.
Create System Network
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L3 Network > System Network. On the System Network page, click Create System Network. On the displayed Create System Network page, set the following parameters:
• Name: Enter a name for the system network.
• Description: Optional. Enter a description for the system network.
• L2 Network: Select the corresponding L2 network for the system network.
Note: An L2 network can be used to create multiple L3 networks.
Click the plus sign (⊕) under the L2 Network field. The Select L2 Network page is then displayed on the right. This page has the following two tabs:
• Default: Displays a list of L2 networks in the current zone that do not have an L3 network attached.
• All: Displays a list of all L2 networks in the current zone, whether or not they have an L3 network attached.
• Add IP Range: Add a network range, either as an IP range or as a CIDR.
▬ If you select IP Range, set the following parameters:
■ Start IP: Enter a start IP address for the IP range, such as 172.20.108.100.
■ End IP: Enter an end IP address for the IP range, such as 172.20.108.120.
Note: The IP range specified by the start IP address and end IP address cannot contain link-local addresses (169.254.0.0/16).
■ Netmask: Enter a netmask for the IP range, such as 255.255.0.0.
■ Gateway: Enter a gateway for the IP range, such as 172.20.0.1.
▬ If you select CIDR, set the following parameters:
■ CIDR: Enter a CIDR for the IP range, such as 192.168.1.1/24.
Note: The IP range specified by the CIDR cannot contain link-local addresses (169.254.0.0/16).
■ Gateway: Set a gateway for the CIDR, such as 192.168.1.1.
Note:
• Either the first or the last allowed IP address of the CIDR can act as the gateway.
• If left empty, the first IP address is used as the gateway by default.
You can create a system network as shown in Figure 7-107: Create System Network.
Figure 7-107: Create System Network
System Network Operations
You can perform the following operations on a system network:
• Create system network: Create a new system network.
• Add network range: Add a new IP range to the system network.
• Share to all: Share the system network with all projects or regular accounts. Make sure that you have installed the license of the Enterprise Management module.
• Recall from all: Recall the system network from all projects or regular accounts, making it invisible to them. Make sure that you have installed the license of the Enterprise Management module.
• Delete: Delete the system network.
Note: If you delete the system network, the associated routers are deleted as well.
Notice: When you create a vRouter offering, the public network and the system network cannot use the same IP range.
7.3.4.4 Private Network
A private network is a network used by VM instances. Generally, a private network, also known as an internal network, supports three types of network infrastructure model: flat network, vRouter network, and VPC network.
• The private network used by VM instances can be used to create VM instances. Generally, the private network is an internal network.
• When you use a private network of the flat network type, the private network serves as a large layer 2 network that connects directly to host networks and can also reach the Internet.
• When you use a private network of the vRouter network type, the private network reaches the Internet through a vRouter.
• When you use a private network of the VPC network type, the private network reaches the Internet through a VPC vRouter.
This topic mainly describes the flat network and vRouter network types. For more information about VPCs, see VPC.
ZStack Private Cloud supports the ARM vRouter network type. For more information about the ARM vRouter network type, see ARM vRouter Network.
Choose Network Resource > L3 Network > Private Network, and create a private network. You can select the flat network type or the vRouter network type, and configure the related services according to what each type supports.
• Flat network
▬ A flat network supports multiple network services, including DHCP, EIP, security group, and userdata.
▬ The network services of the flat network use the distributed DHCP and distributed EIP structure.
▬ The DHCP service of the flat network also includes the DNS feature.
• vRouter network
▬ A vRouter network also supports multiple network services, including DHCP, DNS, SNAT, vRouter route table, EIP, port forwarding, load balancing, IPsec tunnel, and security group.
▬ The vRouter network provides its network services mainly by using a custom Linux VM instance as the routing device.
▬ The DHCP service of the vRouter network uses distributed DHCP by default.
Create Private Network with Flat Network Type
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L3 Network > Private Network. On the Private Network page, click Create Private Network. On the displayed Create Private Network page, set the following parameters:
• Name: Enter a name for the private network.
• Description: Optional. Enter a description of the private network.
• L2 Network: Select the corresponding L2 network for the private network.
Note: An L2 network can be used to create multiple L3 networks.
Click the plus sign (⊕) under the L2 Network field. The Select L2 Network page is then displayed on the right. This page has the following two tabs:
• Default: Displays a list of L2 networks in the current zone that do not have an L3 network attached.
• All: Displays a list of all L2 networks in the current zone, whether or not they have an L3 network attached.
• Stop DHCP server: Choose whether to enable the DHCP service.
Note:
• By default, this checkbox is not selected, which means the DHCP service is enabled and IP addresses are allocated to VM instances automatically. In this case, you can customize the IP address of the DHCP service or let the system select a DHCP IP address randomly.
• If the checkbox is selected, the DHCP service is disabled, which means VM instances that use this network cannot obtain IP addresses automatically, and you must configure their IP addresses manually. In this case, you cannot customize the DHCP IP address, and the system does not select a DHCP IP address either.
• Network Type: Select the flat network.
Note: If the L2 network is of the HardwareVxlanNetwork type, the private network that you create supports only the flat network type and its corresponding network services. An L2 network of the HardwareVxlanNetwork type does not support the vRouter network type.
• Add IP Range: Select a network address type, IPv4 or IPv6. Then add a network range, either as an IP range or as a CIDR. The following four network range scenarios are available.
1. IPv4 | IP Range. If you select the IPv4 address type and add the network range as an IP range, set the following parameters:
• Start IP: Enter a start IP address for the network range, such as 172.20.108.100.
• End IP: Enter an end IP address for the network range, such as 172.20.108.200.
• Netmask: Enter a netmask for the network range, such as 255.255.0.0.
• Gateway: Enter a gateway for the network range, such as 172.20.0.1.
• DHCP IP: Optional. Enter a DHCP IP address as needed, such as 172.20.108.10.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first IP range to an L3 network that has the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add an IP range.
• The DHCP IP address can be inside or outside the IP range that you add. However, it must be within the CIDR to which the added IP range belongs, and must not be occupied.
• The IP range specified by the start IP address and end IP address cannot contain link-local addresses (169.254.0.0/16).
• If not specified, the system randomly selects an IP address within the IP range that you added.
As shown in Figure 7-108: IPv4 | IP Range.
Figure 7-108: IPv4 | IP Range
Note: When you add a network range with IPv4 | IP Range, observe the following:
• Do not include the gateway (for example, xxx.xxx.xxx.1), the broadcast address (for example, xxx.xxx.xxx.255), or the network address (for example, xxx.xxx.xxx.0) in the IP range that you add.
• The network range of a private network cannot overlap with the public network or management network of a vRouter offering.
2. IPv4 | CIDR. If you select the IPv4 address type and add the network range as a CIDR, set the following parameters:
• CIDR: Enter a CIDR for the network range, such as 192.168.108.1/24.
• Gateway: Set a gateway, such as 192.168.108.1.
Note:
• Either the first or the last allowed IP address of the CIDR can act as the gateway.
• If left empty, the first IP address is used as the gateway by default.
• DHCP IP: Optional. Set a DHCP IP address as needed, such as 192.168.108.10.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first network range to an L3 network that has the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add the IP range.
• The DHCP IP address can be inside or outside the IP range that you add. However, it must not conflict with the current CIDR.
• If not specified, the system randomly selects an IP address within the IP range that you added.
• The first IP address in a CIDR is deemed the gateway by default and cannot serve as the DHCP IP address.
As shown in Figure 7-109: IPv4 | CIDR.
Figure 7-109: IPv4 | CIDR
Note: When you add a network range with IPv4 | CIDR, observe the following:
• The IP range specified by the CIDR cannot contain link-local addresses (169.254.0.0/16).
• The network range of a private network cannot overlap with the public network or management network of a vRouter offering.
3. IPv6 | IP Range. If you select the IPv6 address type and add the network range as an IP range, set the following parameters:
• Mode: Select an IP allocation method. Default method: Stateful-DHCP.
Note:
• Stateful-DHCP: Assign stateful IP addresses by using the DHCP protocol. Both access addresses and other parameters are configured by using the DHCP protocol.
• Start IP: Enter a start IP address for the network range, such as 2000:910A:2222:5498:8475:1111:3900:2002.
• End IP: Enter an end IP address for the network range, such as 2000:910A:2222:5498:8475:1111:3900:2009.
• Prefix Length: Enter a prefix length for the network range, such as 64.
Note: The prefix length must be 64-126. If it is less than 64, VM instances cannot be created on the network.
• Gateway: Enter the gateway for the network range, such as 2000:910A:2222:5498:8475:1111:3900:2001.
• DHCP IP: Optional. Set a DHCP IP address as needed, such as 2000:910A:2222:5498:8475:1111:3900:2006.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first IP range to an L3 network that has the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add an IP range.
• The DHCP IP address can be inside or outside the IP range that you add. However, it must be within the CIDR to which the added IP range belongs, and must not be occupied.
• The IP range specified by the start IP address and end IP address cannot contain link-local addresses (169.254.0.0/16).
• If not specified, the system randomly selects an IP address within the IP range that you added.
As shown in Figure 7-110: IPv6 | IP Range.
Figure 7-110: IPv6 | IP Range
Note: When you add a network range with IPv6 | IP Range, observe the following:
• Do not include the gateway (for example, xxxx::1) in the IP range that you add.
• The IP range specified by the start IP address and end IP address cannot contain link-local addresses (fe80::/10).
• The network range of a private network cannot overlap with the public network or management network of a vRouter offering.
4. IPv6 | CIDR: If you select the IPv6 address type and add the network range as a CIDR, set the following parameters:
• Mode: Select one of three IP allocation methods: Stateful-DHCP, Stateless-DHCP, and SLAAC.
Note:
• Stateful-DHCP: Assign stateful IP addresses by using the DHCP protocol. Default method: Stateful-DHCP. Both access addresses and other parameters are configured by using the DHCP protocol.
• Stateless-DHCP: Assign stateless IP addresses without using the DHCP protocol for the addresses themselves. Access addresses are derived automatically from the prefix advertised by the router, while other parameters are configured by using the DHCP protocol.
• SLAAC: Assign stateless IP addresses automatically. Access addresses are derived automatically from the prefix advertised by the router, and other parameters are carried in the router advertisement.
• CIDR: Enter a CIDR for the network range, such as 234E:2457:3D::/64.
• DHCP IP: Optional. Set the DHCP IP address as needed, such as 234E:2457:3D::F.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first network range to an L3 network that has the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add the IP range.
• The DHCP IP address can be inside or outside the IP range that you add. However, it must not conflict with the current CIDR.
• If not specified, the system randomly selects an IP address within the IP range that you added.
• The first IP address in a CIDR is deemed the gateway by default and cannot serve as the DHCP IP address.
As shown in Figure 7-111: IPv6 | CIDR.
Figure 7-111: IPv6 | CIDR
Note: When you add a network range with IPv6 | CIDR, observe the following:
• The first IP address in the CIDR is deemed the gateway by default.
• The IP range specified by the CIDR cannot contain link-local addresses (fe80::/10).
• The network range of a private network cannot overlap with the public network or management network of a vRouter offering.
• Add DNS: Add a DNS server used for the DNS service of the L3 network.
▬ IPv4 type: For example, specify 223.5.5.5, 8.8.8.8, or 114.114.114.114.
▬ IPv6 type: For example, specify 240C::6644 or 240C::6666.
You can create a private network with the flat network type and IPv4 | CIDR, as shown in Figure 7-112: Create Private Network with Flat Network Type and IPv4 CIDR.
Figure 7-112: Create Private Network with Flat Network Type and IPv4 CIDR
Create Private Network with vRouter Network Type
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L3 Network > Private Network. On the Private Network page, click Create Private Network. On the displayed Create Private Network page, set the following parameters:
• Name: Set a name for the private network.
• Description: Optional. Enter a description for the private network.
• L2 Network: Select a corresponding L2 network for the private network.
Note: An L2 network can be used to create multiple L3 networks.
Click the plus sign (⊕) under the L2 Network field. The Select L2 Network page is then displayed on the right. This page has the following two tabs:
• Default: Displays a list of L2 networks in the current zone that do not have an L3 network attached.
• All: Displays a list of all L2 networks in the current zone, whether or not they have an L3 network attached.
• Stop DHCP server: Choose whether to enable the DHCP service.
Note:
• By default, this checkbox is not selected, which means the DHCP service is enabled and IP addresses are allocated to VM instances automatically. In this case, you can customize the IP address of the DHCP service or let the system select a DHCP IP address randomly.
• If the checkbox is selected, the DHCP service is disabled, which means VM instances that use this network cannot obtain IP addresses automatically, and you must configure their IP addresses manually. In this case, you cannot customize the DHCP IP address.
In addition, the system does not select a DHCP IP address either.
• Network Type: Select the vRouter network.
Note: If the L2 network is of the HardwareVxlanNetwork type, the private network that you create supports only the flat network type and its corresponding network services. An L2 network of the HardwareVxlanNetwork type does not support the vRouter network type.
• vRouter Offering: Select a vRouter offering that you created.
Note:
• If you do not have a vRouter offering in the cloud, create one on the vRouter Offering page.
• For more information about how to create a vRouter offering, see vRouter Offering.
• Add IP Range: Add a network range for the vRouter network, either as an IP range or as a CIDR.
▬ If you select IP Range, set the following parameters:
■ Start IP: Enter a start IP address for the network range, such as 172.20.108.100.
■ End IP: Enter an end IP address for the network range, such as 172.20.108.200.
■ Netmask: Enter a netmask for the network range, such as 255.255.0.0.
■ Gateway: Enter a gateway for the network range, such as 172.20.0.1.
■ DHCP IP: Optional. Enter a DHCP IP address as needed, such as 172.20.108.10.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first IP range to an L3 network that has the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add an IP range.
• The DHCP IP address can be inside or outside the IP range that you add. However, it must be within the CIDR to which the added IP range belongs, and must not be occupied.
• The IP range specified by the start IP address and end IP address cannot contain link-local addresses (169.254.0.0/16).
• If not specified, the system randomly selects an IP address within the IP range that you added.
Note: When you add a network range with IP Range, observe the following:
• Do not include the gateway (for example, xxx.xxx.xxx.1), the broadcast address (for example, xxx.xxx.xxx.255), or the network address (for example, xxx.xxx.xxx.0) in the IP range that you add.
• The network range of a private network cannot overlap with the public network or management network of a vRouter offering.
▬ If you select CIDR, set the following parameters:
■ CIDR: Enter a CIDR for the network range, such as 192.168.108.1/24.
■ Gateway: Set a gateway, such as 192.168.108.1.
Note:
• Either the first or the last allowed IP address of the CIDR can act as the gateway.
• If left empty, the first IP address is used as the gateway by default.
■ DHCP IP: Optional. Set a DHCP IP address as needed, such as 192.168.108.10.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first network range to an L3 network that has the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add the IP range.
• The DHCP IP address can be inside or outside the IP range that you add. However, it must not conflict with the current CIDR.
• If not specified, the system randomly selects an IP address within the IP range that you added.
• The first IP address in a CIDR is deemed the gateway by default and cannot serve as the DHCP IP address.
Note: When you add a network range with CIDR, observe the following:
• The IP range specified by the CIDR cannot contain link-local addresses (169.254.0.0/16).
• The network range of a private network cannot overlap with the public network or management network of a vRouter offering.
• Add DNS: Add a DNS server used for the DNS service of the L3 network, such as 223.5.5.5, 8.8.8.8, or 114.114.114.114.
• More Settings: Advanced settings for the vRouter offering in the vRouter | IP Range scenario.
▬ Router Interface IP: Optional. Set a dual gateway for the vRouter by configuring the router interface IP address.
Note:
• When you create a vRouter network and add a network range with vRouter | IP Range, you can set a dual gateway for the vRouter by configuring the router interface IP address. Doing so distributes traffic better and improves network flexibility and stability.
• The router interface IP address cannot overlap with the IP range in the basic settings, but it must be able to reach the gateway in the basic settings.
• After you set the router interface IP address, configure the corresponding policy route on the switches so that this scenario works properly.
You can create a private network with vRouter | CIDR, as shown in Figure 7-113: Create Private Network with vRouter Network CIDR.
Figure 7-113: Create Private Network with vRouter Network CIDR
Private Network Operations
You can perform the following operations on a private network:
• Create private network: Create a new private network.
• Add network range: Add a new IP range to the private network.
• Share to all: Share the private network with all projects or regular accounts. Make sure that you have installed the license of the Enterprise Management module.
• Recall from all: Recall the private network from all projects or regular accounts, making it invisible to them. Make sure that you have installed the license of the Enterprise Management module.
• Delete: Delete the private network.
Note: If you delete the private network, the VM NICs that use it are deleted as well.
• Attach vRouter offering: Attach a vRouter offering to the vRouter network.
• Detach vRouter offering: Detach a vRouter offering from the vRouter network.

7.3.5 Route Resource
A virtual router network (vRouter network) mainly uses custom Linux VM instances as routing devices. The vRouter VM instances provide many network services, such as DHCP, DNS, SNAT, route table, elastic IP (EIP), port forwarding, load balancing, IPsec tunnel, and security group.

A vRouter network mainly includes a vRouter image, a vRouter offering, and a vRouter.
• vRouter image: Encapsulates many network services and is used only to create vRouters.
• vRouter offering: Defines the resources used by a vRouter, including the CPU, memory, vRouter image, public network, and management network.
• vRouter: A custom Linux VM instance that provides network services such as DHCP, DNS, SNAT, route table, EIP, port forwarding, load balancing, IPsec tunnel, and security group.

vRouter Network Topology
A vRouter VM instance has the following three basic networks:
• Public network: The network that provides virtual IPs for user VM instances that use EIP, port forwarding, load balancing, and IPsec tunnel. Generally, the public network must be accessible from the Internet.
• Management network: The network used to manage and control the corresponding physical resources, such as hosts, backup storage, and primary storage, all of which can be reached by IP address.
• Private network: Also known as the business network or the access network. The private network is the internal network used by VM instances.

The vRouter network can be deployed in the following modes.
• You can combine the public network and the management network and deploy the private network independently, as shown in Deployment Mode-1.
Figure 7-114: Deployment Mode-1

• You can deploy the public network, management network, and private network separately, as shown in Deployment Mode-2.

Figure 7-115: Deployment Mode-2

vRouter Network Service
The vRouter VM instances provide a collection of network services, including DHCP, DNS, SNAT, route table, EIP, port forwarding, load balancing, IPsec tunnel, and security group.
• DHCP
  ▬ In a vRouter network, the DHCP service is provided by the flat network.
• DNS
  ▬ A vRouter can act as a DNS server to provide the DNS service.
  ▬ The DNS address seen in a VM instance on the vRouter network is the vRouter IP address. Queries to the DNS address that you set are forwarded by the vRouter.
• SNAT
  ▬ A vRouter can act as a router that translates the source network address for VM instances.
  ▬ VM instances can directly access the Internet by using SNAT.
• The vRouter table, security group, EIP, port forwarding, load balancing, and IPsec tunnel are introduced in their own sections.

Basic Deployment Procedure of vRouter Network
1. Create an L2 public network, and attach it to the corresponding cluster.
2. Create an L3 public network.
3. Create an L2 management network, and attach it to the corresponding cluster.
4. Create an L3 management network, and use it for communicating with the physical resources, such as hosts, primary storage, and backup storage.
5. Add a vRouter image.
6. Create a vRouter offering.
7. Create an L2 private network, and attach it to the corresponding cluster.
8. Create an L3 private network of the vRouter type.
9. Create VM instances by using this L3 private network. A vRouter is created automatically when the first VM instance is created on the L3 private network. The vRouter provides the group of network services of the vRouter network.
Note:
• If your conditions do not permit otherwise, the management network and the public network can share the same network.
• For security and stability reasons, we recommend that you deploy the management network independently and isolate it from the public network.

7.3.5.1 vRouter
A vRouter is a custom Linux VM instance that provides multiple network services, such as distributed DHCP, DNS, SNAT, vRouter table, EIP, port forwarding, load balancing, IPsec tunnel, and security group.
• When a VM instance is created on a vRouter network for the first time, a vRouter is created synchronously. The first start of a vRouter may take a while.
• A vRouter must have three types of network: a public network, a management network, and a private network.
• The same vRouter network can be used to create only one vRouter.
• To provide its network services, a vRouter must be in the running state and the connected state. If the vRouter is in another state, check whether the resources associated with the vRouter work properly.
• vRouters have higher resource priority than VM instances. When host workloads are extremely high and resources contend with each other, the priority sequence from low to high is: VM instances with Normal priority < VM instances with High priority < vRouters. For example, when CPU resources contend on a host, vRouters obtain CPU resources first.

vRouter Operations
You can perform the following operations on a vRouter:
• Change name and description: Enter a name and a description for the vRouter.
• Change CPU or memory capacity: Change the CPU or memory capacity of the vRouter.
• Change platform: Change the platform type of the vRouter.
• Start: Start the vRouter that is in the stopped state.
• Reboot: Reboot the vRouter.
• Reconnect: Reconnect the vRouter.
  Note:
  • Currently, when a ZStack management node reboots after a successful upgrade, you need to manually reconnect and upgrade vRouters.
  • After you manually reconnect and upgrade the vRouters successfully, set QoS for VIPs and IPsec tunnel services to ensure that the vRouters work normally.
• Migrate: Migrate the vRouter online. To migrate a vRouter on local storage online, in the navigation pane of the ZStack Private Cloud UI, choose Settings > Global Settings > Basic Settings, and set Live Migration to true.
• Open console: Access the vRouter through the terminal.
• Set or cancel console password: Set or cancel the console password for the vRouter, and reboot the vRouter for the configuration to take effect.
• Delete: Delete the vRouter. Exercise caution: when you delete the vRouter, the associated VM network services become unavailable. Reboot the VM instances to recover the VM network services.
• Attach or detach physical NIC:
  ▬ Attach or detach a new public network.
  ▬ The public network and the management network defined by the vRouter offering cannot be detached.
  ▬ A private network cannot be attached or detached.

7.3.5.2 vRouter Image
A vRouter image encapsulates multiple network services and can only be used to create vRouters.
• A vRouter image is an image that is customized and encapsulated by ZStack. There are two types of vRouter image:
  ▬ vRouter Image for KVM (qcow2 format): Download this image from the URL specified on the ZStack official website.
  ▬ ARM vRouter Image: To obtain the ARM vRouter image, contact ZStack official technical support. For the application scenario of the ARM vRouter image, see ARM vRouter Network.
• A vRouter image cannot be used directly to create VM instances.
• In 3.8.0 and later versions, a vRouter has its own agent service.
Add vRouter Image
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > vRouter Resource > vRouter Image. On the vRouter Image page, click Add vRouter Image. On the displayed Add vRouter Image page, set the following parameters:
• Name: Enter a name for the vRouter image.
• Description: Optional. Enter a description for the vRouter image.
• Backup Storage: Select a backup storage to store the vRouter image, for example, BS-1.
• Image URL: Enter a URL or upload a local file.
  1. URL: Enter the path from which the vRouter image can be downloaded.
  Note: ZStack provides you with dedicated vRouter images. You can download the latest vRouter images from the ZStack Official Website.
  • File name: zstack-vRouter-3.9.0.qcow2
  • Download address: Click ZStack Official Website.
  2. Local file: Upload a vRouter image file that can be accessed directly by the current browser.
  Note:
  • vRouter images can be uploaded to an ImageStore or a Ceph backup storage.
  • The local browser serves as a transmission relay for uploading vRouter images. Do not refresh or close the current browser page, and do not stop your management node; otherwise, adding the vRouter image fails.

As shown in Add vRouter Image. Click OK. Then, the vRouter image is added.

Figure 7-116: Add vRouter Image

vRouter Image Operations
You can perform the following operations on a vRouter image:
• Enable: Enable the vRouter image. When you create a vRouter, you can use this vRouter image as a candidate image.
• Disable: Disable the vRouter image. When you create a vRouter, you can no longer use this vRouter image as a candidate image.
• Export: Export the vRouter image. If your backup storage is of the ImageStore type, you can export this vRouter image.
• Delete: Delete the vRouter image.
• Recover: Recover the vRouter image that is in the deleted state.
• Expunge: Expunge the vRouter image that is in the deleted state.
• Audit: Check the related operations of the vRouter image.

You can perform the following operations on an exported vRouter image:
• Download: Directly download the vRouter image.
• Copy URL: Copy the URL of the exported vRouter image.
• Delete: Delete the exported vRouter image.

7.3.5.3 vRouter Offering
A vRouter offering defines the CPU, memory, vRouter image, management network, and public network used by a vRouter (normal vRouter, VPC vRouter, or ARM vRouter). For information about the ARM vRouter offering, see ARM vRouter Network.

Create vRouter Offering
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > vRouter Resource > vRouter Offering. On the vRouter Offering page, click Create vRouter Offering. On the displayed Create vRouter Offering page, set the following parameters:
• Name: Enter a name for the vRouter offering.
• Description: Optional. Enter a description for the vRouter offering.
• CPU: Set the CPU count for the vRouter offering. In a production environment, we recommend a CPU count greater than 8.
• Memory: Set the memory size for the vRouter offering. Unit: M | G | T. In a production environment, we recommend a memory size greater than 8 G.
• Image: Select the vRouter image that you added.
• Management Network: Select the L3 management network that you created from the network list.
• L3 Network: Select the L3 network that you created from the network list; it can be a public network or a flat network.
  ▬ If the L3 network is a public network, the vRouter or VPC vRouter created from this vRouter offering can provide various network services for vRouter networks and VPC networks.
  ▬ If the L3 network is a public network, the vRouter created from this vRouter offering can provide load balancing network services for flat networks.
  ▬ If the L3 network is a flat network, the vRouter created from this vRouter offering can provide load balancing network services for flat networks.

As shown in Create vRouter Offering. Click OK. Then, the vRouter offering is created.

Figure 7-117: Create vRouter Offering

vRouter Offering Operations
You can perform the following operations on a vRouter offering:
• Change name and description: Change the name and description of the vRouter offering.
• Enable: Enable the vRouter offering. When you create a vRouter, you can use this vRouter offering as a candidate offering.
• Disable: Disable the vRouter offering. After you disable the vRouter offering, you can no longer use it as a candidate offering when you create a vRouter.
• Share: Share the vRouter offering with the specified regular accounts.
• Recall: Recall the vRouter offering from the specified regular accounts, which makes it invisible to these accounts.
• Share to all: Share the vRouter offering with all accounts.
• Recall from all: Recall the vRouter offering from all regular accounts, which makes it invisible to these accounts.
• Delete: Delete the vRouter offering.
• Audit: Check the related operations of the vRouter offering.

7.3.5.4 vRouter Table
To meet the needs of various network application scenarios, ZStack allows you to customize vRouter tables and vRouter route entries.

Create vRouter Table
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > vRouter Resource > vRouter Table. On the vRouter Table page, click Create vRouter Table. On the displayed Create vRouter Table page, set the following parameters:
• Name: Enter a name for the vRouter table.
• Description: Optional. Enter a description for the vRouter table.
• Router: Optional. Select a router for the vRouter table.
  When you create a vRouter table, you can specify the routing device to attach. You can also attach the routing device after you create the vRouter table.

You can create a vRouter table, as shown in Create vRouter Table.

Figure 7-118: Create vRouter Table

Add vRouter Route Entry
On the vRouter Table page, select the vRouter table that you created. On the details page of the vRouter table, click vRouter Route Entry. On the vRouter Route Entry page, choose Actions > Add vRouter Route Entry. On the displayed Add vRouter Route Entry page, set the following parameters:
• Destination CIDR Block: Set the destination CIDR IP range.
• Type: Select a route type, either User Static or User Black Hole. The default is User Static. To avoid routing loops, set User Black Hole to discard the matched packets.
• Next Hop: Enter a next hop address. Make sure that the next hop is reachable.
• Distance: Set a distance for the route entry. The valid range is 1-254. A route with a smaller distance takes precedence.

You can add a vRouter route entry, as shown in Add vRouter Route Entry.

Figure 7-119: Add vRouter Route Entry

vRouter Table Operations
You can perform the following operations on a vRouter table:
• Create vRouter table: Create a vRouter table. When you create a vRouter table, you can specify the routing device to attach. You can also attach the routing device after you create the vRouter table.
• Add vRouter route entry: Add a custom vRouter route entry to the vRouter table.
• Delete vRouter route entry: Delete a vRouter route entry from the vRouter table.
• Attach router: Attach a regular vRouter or a VPC vRouter to the vRouter table.
• Detach router: Detach a regular vRouter or a VPC vRouter from the vRouter table.
• Delete: Delete the vRouter table.
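How the route entry fields above combine at lookup time (longest prefix first, then the smallest distance, with a User Black Hole entry discarding the packet), shown as an added example that is not ZStack's own code. The class, method names and the sample entries in `demo_table()` are this example's own assumptions.

```python
"""Route selection for a vRouter table as described in the guide above.

Added example, not ZStack code. A route entry has a destination CIDR block,
a type (User Static or User Black Hole), a next hop and a distance (1-254).
Lookup uses longest-prefix match, then the smallest distance; a black-hole
match discards the packet, which is what the guide recommends against loops.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

USER_STATIC = "User Static"
USER_BLACK_HOLE = "User Black Hole"


@dataclass(frozen=True)
class RouteEntry:
    destination: ipaddress.IPv4Network
    route_type: str
    next_hop: Optional[ipaddress.IPv4Address]
    distance: int


class VRouterTable:
    """Hypothetical in-memory model of one vRouter table."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[RouteEntry] = []

    def add_entry(self, destination: str, route_type: str = USER_STATIC,
                  next_hop: Optional[str] = None, distance: int = 1) -> RouteEntry:
        """Validate the fields the Add vRouter Route Entry form takes, then store."""
        if not 1 <= distance <= 254:
            raise ValueError("distance must be between 1 and 254")
        if route_type not in (USER_STATIC, USER_BLACK_HOLE):
            raise ValueError(f"unknown route type {route_type!r}")
        if route_type == USER_STATIC and next_hop is None:
            raise ValueError("a User Static route needs a next hop")
        if route_type == USER_BLACK_HOLE and next_hop is not None:
            raise ValueError("a User Black Hole route has no next hop")
        entry = RouteEntry(
            destination=ipaddress.ip_network(destination, strict=False),
            route_type=route_type,
            next_hop=ipaddress.ip_address(next_hop) if next_hop else None,
            distance=distance,
        )
        self.entries.append(entry)
        return entry

    def lookup(self, dst: str) -> Optional[RouteEntry]:
        """Longest-prefix match; among equal prefixes the smallest distance wins."""
        addr = ipaddress.ip_address(dst)
        candidates = [e for e in self.entries if addr in e.destination]
        if not candidates:
            return None
        return max(candidates, key=lambda e: (e.destination.prefixlen, -e.distance))

    def forward(self, dst: str) -> str:
        """Describe what the router does with a packet addressed to dst."""
        entry = self.lookup(dst)
        if entry is None:
            return "no route"
        if entry.route_type == USER_BLACK_HOLE:
            return "drop"  # matched packets are discarded, so they cannot loop
        return f"via {entry.next_hop}"


def demo_table() -> VRouterTable:
    """Constructed sample table: a default route, two candidates for the same
    /16 with different distances, and a black hole for a subnet that must
    never be forwarded."""
    t = VRouterTable("example-table")
    t.add_entry("0.0.0.0/0", next_hop="10.0.0.1", distance=1)
    t.add_entry("10.10.0.0/16", next_hop="10.0.0.2", distance=10)
    t.add_entry("10.10.0.0/16", next_hop="10.0.0.3", distance=5)  # preferred: lower distance
    t.add_entry("10.10.5.0/24", route_type=USER_BLACK_HOLE)
    return t
```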
• Audit: Check the related operations of the vRouter table.

7.3.6 VPC
Virtual Private Cloud (VPC) is a custom network environment that consists of VPC vRouters and VPC networks. VPC helps enterprise users build a logically isolated private cloud.

VPC vRouter and VPC Network
A VPC consists of a VPC vRouter and VPC networks.
• A VPC vRouter is a virtual router that you create directly by attaching a vRouter offering. By default, the VPC vRouter has two types of network: the public network and the management network.
• A VPC network is used as a VPC private network and can be attached to a VPC vRouter.

The VPC network topology is shown in VPC Network Topology.

Figure 7-120: VPC Network Topology

VPC Features
VPC has the following features:
• Flexible network configuration: Different VPC networks can be flexibly attached to VPC vRouters. You can customize an independent IP range and an independent gateway for each VPC network. VPC vRouters allow you to attach or detach gateways and to dynamically configure route tables and route entries.
• Secure and reliable isolation: VPC networks in different VPCs are logically isolated. VPC networks support VLAN and VXLAN for logical layer 2 isolation, and VPCs of different accounts do not affect each other.
• Multi-subnet interconnection: Multiple VPC networks under the same VPC can communicate privately and securely with one another.
• Network traffic optimization: VPC supports distributed routing, which optimizes east-west network traffic and effectively reduces network latency.
• VPC vRouter HA: In a VPC vRouter HA group, you can deploy two VPC vRouters in active-backup mode.
  When the active VPC vRouter becomes abnormal, the backup VPC vRouter automatically takes over, ensuring business continuity.

VPC Network Service
The VPC network, which acts as a private network, provides a group of network services through VPC vRouters.
• DHCP: By default, the VPC network provides distributed DHCP services by using the flat network service module.
• DNS: A VPC vRouter can act as a DNS server to provide DNS services. The DNS address seen in a VM instance is the IP address of the VPC vRouter. Queries to the DNS address that you set are forwarded by the VPC vRouter.
• SNAT: A VPC vRouter provides source network address translation (SNAT) for VM instances, so that the VM instances can directly access the Internet.
• Route table: Through the route table, you can manage and customize routes.
• Security group: The security group service is provided by the security group network service module. You can configure and manage firewalls for VM instances by using iptables.
• Elastic IP address (EIP): You can bind an EIP to a VPC network. Then, the public network can interconnect with the private network of the VM instance.
• Port forwarding: The port forwarding service allows a public IP address to interconnect with the private IP address of a VM instance. Specifically, you create port forwarding rules that allow the outside network to reach specific ports of your VM instances.
• Load balancing: The load balancing service distributes inbound traffic from a public IP address to a group of backend VM instances, and automatically checks for and isolates VM instances that are unavailable.
• IPsec tunnel: The IPsec tunnel can be used to interconnect different virtual private networks (VPNs).
• Dynamic routing: The VPC vRouter supports the Open Shortest Path First (OSPF) routing protocol, which distributes routing information within a single autonomous system.
• Multicast routing: The VPC vRouter forwards multicast traffic sent by the multicast source to VM instances, achieving one-to-many communication between the sending side and the receiving side.
• VPC firewall: The VPC firewall filters north-south traffic on the VPC vRouter ports, effectively protecting VPC communication and the VPC vRouter itself.
• Netflow: The Netflow service monitors and analyzes the inbound and outbound traffic of the VPC vRouter NICs. Currently, two data-flow output formats are supported: Netflow V5 and Netflow V9.

Basic Deployment Procedure of VPC Private Network
1. Create an L2 public network, and attach it to the corresponding cluster.
2. Create an L3 public network.
3. Create an L2 management network, and attach it to the corresponding cluster.
4. Create an L3 management network, and use it for communicating with the physical resources, such as hosts, primary storage, and backup storage.
5. Add a vRouter image.
6. Create a vRouter offering.
7. Create a VPC vRouter by attaching a vRouter offering. The VPC vRouter provides a group of network services.
8. Create an L2 private network, and attach it to the corresponding cluster. Note that the L2 private network is used for creating a VPC L3 network.
9. Create a VPC L3 network by specifying a VPC vRouter. Note that IP ranges cannot overlap.
10. Create VM instances by using the VPC network.

Note:
• If your conditions do not permit otherwise, the management network and the public network can share the same network.
• In consideration of security and stability, we recommend that you deploy the management network independently and isolate it from the public network.
• When you create a VPC network, you can specify a VPC vRouter. Alternatively, you can attach the VPC vRouter to the VPC network after creating the VPC network.

7.3.6.1 VPC vRouter
The VPC vRouter page displays the VPC vRouters and high availability groups on the ZStack Private Cloud.
• A VPC vRouter is a virtual router that you create directly by attaching a vRouter offering. By default, the VPC vRouter has two types of network: the public network and the management network.

Note:
• The VPC vRouter is the core of the VPC. A VPC vRouter is created by specifying a vRouter offering.
• Before you create a vRouter offering, you must create the required public network, management network, and vRouter image.
• A VPC vRouter can be attached to or detached from VPC networks or other networks.
• The public network and the management network defined by the vRouter offering cannot be detached.
• You can use the same vRouter offering to create multiple VPC vRouters. These VPC vRouters share the public IP range and the management IP range defined by that vRouter offering.
• The public network is the default network used to provide network services.
• VPC vRouters have higher resource priority than VM instances. When host workloads are extremely high and resources contend with each other, the priority sequence from low to high is: VM instances with Normal priority < VM instances with High priority < VPC vRouters. For example, when CPU resources contend on a host, VPC vRouters obtain CPU resources first.
• VPC vRouter HA group: Deploy a pair of VPC vRouters in active-backup mode. When the master VPC vRouter becomes abnormal, the slave VPC vRouter takes over to ensure business continuity.
Note: VPC vRouters within high availability groups are displayed only on the details page of the high availability group, not separately in the VPC vRouter list.

The following sections describe how to create VPC vRouters and high availability groups and how to check their details.

Create VPC vRouter
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > VPC > VPC vRouter. On the VPC vRouter page, click Create VPC vRouter. On the displayed Create VPC vRouter page, set the following parameters:
• Name: Enter a name for the VPC vRouter.
• Description: Optional. Enter a description for the VPC vRouter.
• vRouter Offering: Select the vRouter offering that you created. For more information about the vRouter offering, see vRouter Offering.
• Specify Default IP: Optional. Specify the default IP address for the VPC vRouter. If left empty, the cloud randomly allocates an IP address for the VPC vRouter.
• DNS: Optional. Configure DNS for the VPC vRouter. Default DNS address: 223.5.5.5
  Note:
  • Services in a VPC vRouter resolve public network names through this DNS. If you need a different DNS for resolution, specify a DNS address as needed.
  • If you create a VM instance by using a VPC network, the DNS address seen from the VM instance is the gateway of the VPC network. Queries to the gateway are forwarded by the VPC vRouter.

You can create a VPC vRouter, as shown in Create VPC vRouter.

Figure 7-121: Create VPC vRouter

VPC vRouter Operations
You can perform the following operations on a VPC vRouter:
• Start: Start the VPC vRouter that is in the stopped state.
• Stop: Stop the VPC vRouter that is in the running state.
• Reboot: Reboot the VPC vRouter.
• Reconnect: Reconnect the VPC vRouter.
  Note:
  • Currently, when a ZStack management node reboots after a successful upgrade, reconnect and upgrade VPC vRouters manually.
  • After you manually reconnect and upgrade the VPC vRouters successfully, configure QoS for VIPs and IPsec tunnel services to ensure that the VPC vRouters work normally.
• Migrate: Migrate VPC vRouters online. To migrate VPC vRouters on local storage online, in the navigation pane of the ZStack Private Cloud UI, choose Settings > Global Settings > Basic Settings, and set Live Migration to true.
• Open console: Access the VPC vRouter through the terminal.
• Set or delete console password: Set or delete the console password for the VPC vRouter. Reboot the VPC vRouter for the setting to take effect.
• Set cross-cluster HA policy: This policy is enabled by default, which means the VPC vRouter can be automatically migrated across clusters. When it is turned off, the VPC vRouter is pinned to the cluster where the policy takes effect.
  ▬ Background information:
    ■ For versions earlier than 3.8.0, when the cross-cluster HA policy of a VPC vRouter is triggered, or when a VPC vRouter enters maintenance mode, the cloud selects other appropriate compute nodes to automatically recover or migrate the VPC vRouter. These compute nodes may be in the current cluster or in other clusters, provided that the clusters attach the same L3 network and primary storage.
    ■ In 3.8.0 and later versions, you can set a cross-cluster HA policy for VPC vRouters. When turned on, the VPC vRouter is not pinned to a specified cluster.
  ▬ Currently, this policy applies to scenarios such as VPC vRouter HA and a host entering maintenance mode.
  ▬ This policy affects only the VPC vRouter auto-migration behavior. Other behaviors, such as manual live migration and specifying a host on which to start the VPC vRouter, are not affected.
  ▬ When turned on, the VPC vRouter is not pinned to a specified cluster.
• Delete: Delete the VPC vRouter. Exercise caution.
  If you delete the VPC vRouter, the associated VM network services become unavailable. To recover, create a new VPC vRouter first, then attach the VPC network used by the VM instance, and finally reboot the VM instance so that the network services are restored.
• Create or delete DNS, EIP, IPsec, port forwarding, load balancing, or VIP: Create or delete DNS, EIP, IPsec tunnel, port forwarding, or load balancer entries on the VPC vRouter. Customize the VIP as needed.
• Change Router ID:
  ▬ A Router ID is a dotted-decimal address (in IPv4 address format) assigned to each router within an OSPF area.
  ▬ By default, the cloud uses the management network interface address of a router as its Router ID.
  ▬ You can manually specify a Router ID. We recommend that you use a stable interface IP address of the router.
• Add area: Add the VPC vRouter to an OSPF area. Note that you cannot add the same VPC vRouter to different OSPF areas.
• Leave area: Remove the VPC vRouter from the OSPF area. Exercise caution: after you leave the OSPF area, the corresponding OSPF configurations and routing information are deleted as well, and VM instances on the router no longer interconnect with the external network through OSPF.
• Attach network: Attach a network (VPC network or public network) on the VPC vRouter to the OSPF area. Add only the same VPC vRouter to an OSPF area.
• Detach network: Detach the attached network from the OSPF area. After you detach the network, the VPC vRouter deletes the routing information learned through that network interface, and external routers can no longer learn routes to the network. Exercise caution: VM instances on the network cannot interconnect with external networks through OSPF.

Create VPC vRouter HA Group
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > VPC > VPC vRouter. On the VPC vRouter page, click VPC vRouter HA Group.
On the VPC vRouter HA Group page, click Create VPC vRouter HA Group. On the displayed Create VPC vRouter HA Group page, set the following parameters:
• Name: Enter a name for the VPC vRouter HA group.
• Description: Optional. Enter a description for the VPC vRouter HA group.
• Monitor IP: Set an IP address as the monitor IP address used for determining the active-backup relationship between the two VPC vRouters within the VPC vRouter HA group.
  Note:
  • A monitor IP address must be a public IP address reachable from both VPC vRouters within the VPC vRouter HA group.
  • A monitor IP address must be a stable, secure IP address.

You can create a VPC vRouter HA group, as shown in Create VPC vRouter HA Group.

Figure 7-122: Create VPC vRouter HA Group

• Add VPC vRouter: Add a VPC vRouter. If selected, the VPC vRouter is added directly to the VPC vRouter HA group, and the cloud creates and configures an identical peer VPC vRouter synchronously. Set the following parameters:
  ▬ Add Method: Select the method to add the VPC vRouter: Create or Import.
    ■ Create: Create a new VPC vRouter and add it to the VPC vRouter HA group. The cloud creates and configures an identical peer VPC vRouter synchronously.
    ■ VPC vRouter Name: Enter a name for the VPC vRouter.
    ■ Description: Optional. Enter a description for the VPC vRouter.
    ■ vRouter Offering: Select the vRouter offering that you created.
    Note:
    • Make sure that you create vRouter offerings in advance. For more information about vRouter offerings, see vRouter Offering.
    • After you create the VPC vRouter successfully, set DNS on the VPC vRouter HA group details page to ensure the active-backup relationship of the VPC vRouters and to ensure that they work normally.
    ■ Specify VIP: Optional. Specify a public IP address as the VIP of the VPC vRouter HA group.
      If left empty, the cloud automatically allocates a public IP address for you.

You can create a VPC vRouter HA group with the Create method, as shown in Create VPC vRouter HA Group with Create Method.

Figure 7-123: Create VPC vRouter HA Group with Create Method

    ■ Import: Import an existing VPC vRouter into the VPC vRouter HA group. After the import succeeds, this VPC vRouter can no longer be used independently. The cloud creates and configures an identical peer VPC vRouter synchronously.
    ■ VPC vRouter: Select the existing VPC vRouter.
    Note:
    • The imported VPC vRouter must be in the stopped state.
    • Exercise caution. If you perform the Import operation, all configurations of the existing VPC vRouter are imported synchronously. After the import succeeds, the VPC vRouter can no longer be used independently.
    • If the existing VPC vRouter uses the same network as both its public network and its management network, you cannot add this VPC vRouter to the VPC vRouter HA group.
    ■ If the selected VPC vRouter does not have a vRouter offering attached, select the vRouter offering manually.

You can create a VPC vRouter HA group with the Import method, as shown in Create VPC vRouter HA Group with Import Method.

Figure 7-124: Create VPC vRouter HA Group with Import Method

VPC vRouter HA Group Operations
You can perform the following operations on a VPC vRouter HA group:
• Add VPC vRouter: Add a VPC vRouter to the VPC vRouter HA group.
  Note: After you create the VPC vRouter successfully, set DNS on the VPC vRouter HA group details page to ensure the active-backup relationship of the VPC vRouters and to ensure that they work normally.
• Delete: Delete the VPC vRouter HA group. Exercise caution: all VPC vRouters within the VPC vRouter HA group are deleted as well.
Notice
When you use a VPC vRouter, note that:
• VPC networks on different VPC vRouters are isolated from one another at L2 by default.
• IP ranges of different VPC networks under the same VPC vRouter must not overlap. The gateways of any two VPC networks cannot be the same.
• Before you create VPC vRouters on a regular account, ask your admin to share vRouter offerings with you. Otherwise, you cannot create VPC vRouters or VPC networks.
• VPC vRouters that are both in the running state and in the connected state can provide the full set of network services normally. If the VPC vRouters are in other states, check whether the associated resources can work properly.
7.3.6.2 VPC Network
A VPC network is a virtual version of a physical network, such as a large corporate network or a data center network. On the cloud, you can use a VPC network as a private network attached to a VPC vRouter.
• Before you create an L3 VPC network, you must create an L2 network in advance.
• When you create a VPC network, you can specify a VPC vRouter. Alternatively, you can attach a VPC vRouter to the VPC network after you create the VPC network.
• If VM instances are attached to a VPC network, you cannot detach the VPC network from the VPC vRouter.
• A newly created IP range must not overlap with any existing IP range on the VPC vRouter.
Create VPC Network
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > VPC > VPC Network. On the VPC Network page, click Create VPC Network. On the displayed Create VPC Network page, set the following parameters:
• Name: Enter a name for the VPC network.
• Description: Optional. Enter a description for the VPC network.
• L2 Network: Select the L2 network that the VPC network corresponds to.
Note: An L2 network can be used to create multiple L3 networks.
Click the plus sign (⊕) under the L2 Network field. Then, the Select L2 Network page is displayed on the right. This page has the following two tabs:
• Default: Displays a list of L2 networks in the current zone that have no L3 network attached.
• All: Displays a list of all L2 networks in the current zone, whether or not they have an L3 network attached.
• VPC vRouter: Optional. Specify a VPC vRouter when you create the VPC network, or attach a VPC vRouter after you create the VPC network.
• Stop DHCP server: Choose whether to enable the DHCP service.
Note:
• By default, this checkbox is not selected, indicating that the DHCP service is enabled and IP addresses are automatically allocated to VM instances. In this case, you can customize an IP address for the DHCP service, or let the system randomly assign a DHCP IP address.
• If selected, the DHCP service is disabled, meaning that VM instances that use this network cannot obtain IP addresses automatically, and you need to configure IP addresses manually. In this case, you cannot customize the DHCP IP address, and the system does not randomly assign a DHCP IP address either.
• Add IP Range: Add a network range for the VPC network, either as an IP range or as a CIDR.
▬ If you select IP Range, set the following parameters:
■ Start IP: Enter a start IP address for the network range, such as 172.20.108.100.
■ End IP: Enter an end IP address for the network range, such as 172.20.108.200.
■ Netmask: Enter a netmask for the network range, such as 255.255.0.0.
■ Gateway: Enter a gateway for the network range, such as 172.20.0.1.
■ DHCP IP: Optional. Enter a DHCP IP address as needed, such as 172.20.108.10.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first IP range to an L3 network with the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add an IP range.
• The DHCP IP address can be inside or outside the IP range that you add. However, the DHCP IP address must be within the CIDR to which the added IP range belongs, and must not be in use.
• The IP range between the start IP address and the end IP address cannot contain link-local addresses (169.254.0.0/16).
• If not specified, the system randomly assigns an IP address within the IP range that you added.
Note: When you add a network range with IP Range, note that:
• You must not include the gateway (for example, xxx.xxx.xxx.1), the broadcast address (for example, xxx.xxx.xxx.255), or the network address (for example, xxx.xxx.xxx.0) in the IP range that you add.
• The network range of a private network cannot overlap with the public network or management network of a vRouter offering.
▬ If you select CIDR, set the following parameters:
■ CIDR: Enter a CIDR for the network range, such as 192.168.108.1/24.
■ Gateway: Set a gateway, such as 192.168.108.1.
Note:
• Either the first or the last usable IP address in the CIDR can act as the gateway.
• If null, the first usable IP address serves as the gateway by default.
■ DHCP IP: Optional. Set a DHCP IP address as needed, such as 192.168.108.10.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first network range to an L3 network with the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add the IP range.
• The DHCP IP address can be inside or outside the IP range that you add. However, the DHCP IP address must not conflict with the current CIDR.
• If not specified, the system randomly assigns an IP address within the IP range that you added before.
• The first IP address in a CIDR is treated as the gateway by default, and cannot serve as the DHCP IP address.
Note: When you add a network range with CIDR, note that:
• The IP range specified by the CIDR cannot contain link-local addresses (169.254.0.0/16).
• The network range of a private network cannot overlap with the public network or management network of a vRouter offering.
You can create a VPC network with CIDR, as shown in Create VPC Network with CIDR.
Figure 7-125: Create VPC Network with CIDR
VPC Network Operations
You can perform the following operations on a VPC network:
• Create VPC network: Create a new private network.
• Add IP range: Add a new IP range to the VPC network.
• Attach VPC vRouter: Attach a VPC vRouter to the VPC network.
• Detach VPC vRouter: Detach the VPC vRouter from the VPC network.
• Share to all: Share the VPC network with all projects or regular accounts. Make sure that you have installed the license for the Enterprise Management module.
• Recall from all: Recall the VPC network from all projects or regular accounts, making it invisible to them. Make sure that you have installed the license for the Enterprise Management module.
• Delete: Delete the VPC network.
Note: If you delete a VPC network, VM instances that use this VPC network are detached from it as well.
7.3.6.3 Routing Protocol Resource
A routing protocol allows routers to automatically learn routing information from other available routers, build routing tables, and make routing decisions.
Compared with static routes, dynamic routing can be applied to large-scale network environments and supports automatic adaptation to topology changes, route recalculation, and operation without manual intervention. A VPC vRouter supports the OSPF dynamic routing protocol.
Open Shortest Path First (OSPF): OSPF is a link-state interior gateway protocol used to distribute routing information within a single autonomous system (AS). OSPF is widely used in data center networks and campus networks. Compared with other routing protocols, OSPF has the following benefits:
• The number of router hops (hop count) is unlimited.
• Routing information and network updates are distributed by multicast.
• Routing convergence is faster.
• Cost is used as the metric.
• The SPF algorithm is adopted, which effectively avoids loops and minimizes the path length.
Related OSPF definitions:
• OSPF area: An OSPF area is a logical grouping of contiguous networks and routers used for hierarchical management. Simply put, based on certain technical criteria, OSPF divides a single autonomous system (AS) into smaller groups called areas, known as OSPF areas. Routers in an OSPF area maintain and operate on the complete link-state information of their own OSPF area only.
▬ Area ID: In an autonomous system, each OSPF area has an area ID, the identifier of the area in which packets are traveling.
Note: Area 0 (Area ID: 0.0.0.0) is known as the backbone area. All other areas must be connected to the backbone area.
▬ Area Type: To manage routers effectively, OSPF provides the following three area types:
• Standard (Standard Area): Supports all types of LSAs (link-state advertisements).
• Stub (Stub Area): Does not support two types of LSAs: Type 4 and Type 5.
• NSSA (Not So Stubby Area): Supports only one type of LSA: Type 7. An NSSA can function as either a stub or a totally stubby area.
▬ Area authentication encryption: To increase the security of OSPF packets, OSPF supports area authentication. An OSPF area supports the following three authentication modes:
• None: No authentication is required when routing messages are received.
• Plaintext: Authentication is performed by using a password carried in the routing messages when the messages are received.
• MD5: Authentication is performed by using the Key ID and the password MD5 sum carried in the routing messages when the messages are received.
Note:
• Significance of OSPF area segmentation: In OSPF, neighbors calculate routes by exchanging link states with each other. As your network scale expands, the link-state database grows, which brings about the following problems:
▬ Route calculation becomes increasingly slow, and convergence takes longer.
▬ Any network topology change leads to recalculation for the whole network, which affects network stability.
In this regard, a large-scale network environment is segmented into several smaller areas to effectively address the preceding problems.
• Routers within an OSPF area maintain the complete link-state information of their own OSPF area only.
• Neighbor: Neighbors are routers that can discover and verify each other via the OSPF Hello protocol on the same link.
Note: Starting OSPF and establishing a neighbor relationship takes only seconds (less than 60 seconds), depending on the complexity of the network topology and the OSPF timer settings.
• Router ID: In an autonomous system, each OSPF router has a Router ID. A Router ID is a 32-bit binary number (in IPv4 address form) assigned to each router that is running OSPF.
▬ A router must have a Router ID before it can use OSPF normally.
▬ By default, the system uses the management network interface of a VPC vRouter as the Router ID.
▬ The Router ID of a regular VPC vRouter can be specified manually. We recommend that you use a stable interface IP address on the VPC vRouter.
▬ VPC vRouters within a high availability group do not allow you to change the Router ID.
The OSPF protocol workflow is as follows:
Figure 7-126: OSPF Protocol Workflow
For more information on the detailed usage of OSPF, see OSPF Protocol in the Private Network VPC Tutorial.
Create OSPF Area
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > Routing Protocol. On the OSPF Area tab page, click Create OSPF Area, and set the following parameters:
• Area ID: Enter an area ID. An area ID is a dotted-decimal address (in IPv4 address form) assigned to each router within an OSPF area.
• Type: Select a type for the OSPF area: Standard, Stub, or NSSA.
▬ Standard (Standard Area): Supports all types of LSAs (link-state advertisements).
▬ Stub (Stub Area): Does not support two types of LSAs: Type 4 and Type 5.
▬ NSSA (Not So Stubby Area): Supports only one type of LSA: Type 7. An NSSA can function as either a stub or a totally stubby area.
• Authentication Mode: Select the authentication mode used when routers within the OSPF area establish neighbor relationships. Options: None, Plaintext, and MD5.
▬ None: No authentication is required when routing messages are received.
▬ Plaintext: Authentication is performed by using a password carried in the routing messages when the messages are received.
▬ MD5: Authentication is performed by using the Key ID and the password MD5 sum carried in the routing messages when the messages are received.
• VPC vRouter: Optional. To add a VPC vRouter to the OSPF area, set the following parameters in order:
• VPC vRouter: Select the VPC vRouter, and add it to the OSPF area.
• Network: Select a network under the VPC vRouter, and add the network to the OSPF area.
After you complete the preceding operations, click OK at the lower right to submit the VPC vRouter information.
Note: The same VPC vRouter can be added to different OSPF areas. A network (VPC network or public network) on the same VPC vRouter can be added to only one OSPF area.
Click OK to finish creating the OSPF area, as shown in Create OSPF Area.
Figure 7-127: Create OSPF Area
OSPF Area Operations
You can perform the following operations on an OSPF area:
• Create: Create an OSPF area.
• Delete: Delete an OSPF area that you created. After you delete the OSPF area, the corresponding routers delete their OSPF configurations and route information. Exercise caution. VM instances on these routers will no longer interconnect with the external network through OSPF.
7.4 Network Service
ZStack provides VM instances with multiple network services, including the security group, virtual IP address (VIP), elastic IP address (EIP), port forwarding, load balancing, and IPsec tunnel.
ZStack supports the following three network models:
• Flat network
• vRouter network
• VPC
Network Service Module
The Network Service Module provides network services. Note that it is hidden in the UI. There are four types of Network Service Module:
1. Virtual Router Network Service Module (not recommended)
This module provides the following network services: DNS, SNAT, load balancing, port forwarding, EIP, and DHCP.
2. Flat Network Service Module (Flat Network Service Provider)
This module provides the following network services:
• Userdata: You can customize operations, such as ssh-key injection, by using the userdata service. The cloud-init plugin in your VM instance then loads and performs these operations when the VM instance starts.
• EIP: An elastic IP address implemented by distributed EIP allows private networks to be accessed through public networks.
• DHCP: DHCP allows VM instances to obtain IP addresses dynamically.
Note: The DHCP service covers the DNS feature.
• VIP QoS: The upstream and downstream bandwidth can be adjusted by setting VIP QoS. VIP QoS can only be applied to EIPs.
3. vRouter Network Service Module
This module provides the following network services:
• IPsec: IPsec tunnels can be used to establish VPN connections.
• vRouter route table: You can manage custom routes by using route tables.
• Centralized DNS: The DNS service is provided when the DHCP service is enabled.
• VIP QoS: The upstream and downstream bandwidth can be adjusted by setting VIP QoS.
• DNS: vRouters can be used to provide the DNS service.
• SNAT: VM instances can access the Internet directly by using SNAT.
• Load balancing: Inbound traffic to a VIP can be distributed to a group of backend VM instances, and unavailable VM instances are detected and isolated automatically.
• Port forwarding: Traffic to the ports of specified public IP addresses can be forwarded to the corresponding ports of VM instances according to the specified protocol.
• EIP: vRouters can use EIPs to make the private networks of VM instances accessible through public networks.
• DHCP: The centralized DHCP service is provided.
4. Security Group Network Service Module
This module provides the following network service:
• Security group: You can control the security of VM instance firewalls by using iptables.
Flat Network Practice
In production environments, we recommend the following combination of network services:
• Flat Network Service Module
▬ Userdata: You can customize operations, such as ssh-key injection, by using the userdata service. The cloud-init plugin in your VM instance then loads and performs these operations when the VM instance starts.
▬ EIP: An elastic IP address implemented by distributed EIP allows private networks to be accessed through public networks.
▬ DHCP: DHCP allows VM instances to obtain IP addresses dynamically.
Note: The DHCP service covers the DNS feature.
• Security Group Network Service Module
▬ Security group: You can control the security of VM instance firewalls by using iptables.
vRouter Network Practice
In production environments, we recommend the following combination of network services:
• Flat Network Service Module
▬ Userdata: You can customize operations, such as ssh-key injection, by using the userdata service. The cloud-init plugin in your VM instance then loads and performs these operations when the VM instance starts.
▬ DHCP: DHCP allows VM instances to obtain IP addresses dynamically.
• vRouter Network Service Module
▬ DNS: vRouters can be used to provide the DNS service.
▬ SNAT: VM instances can access the Internet directly by using SNAT.
▬ vRouter route table: You can manage custom routes by using route tables.
▬ EIP: vRouters can use EIPs to make the private networks of VM instances accessible through public networks.
▬ Port forwarding: Traffic to the ports of specified public IP addresses can be forwarded to the corresponding ports of VM instances according to the specified protocol.
▬ Load balancing: Inbound traffic to a VIP can be distributed to a set of backend VM instances, and unavailable VM instances are detected and isolated automatically.
▬ IPsec: IPsec tunnels can be used to establish VPN connections.
• Security Group Network Service Module
▬ Security group: You can control the security of VM instance firewalls by using iptables.
VPC Network Practice
In production environments, we recommend the following combination of network services:
• Flat Network Service Module
▬ Userdata: You can customize operations, such as ssh-key injection, by using the userdata service. The cloud-init plugin in your VM instance then loads and performs these operations when the VM instance starts.
▬ DHCP: DHCP allows VM instances to obtain IP addresses dynamically.
• vRouter Network Service Module
▬ DNS: VPC vRouters can be used to provide the DNS service.
▬ SNAT: VM instances can access the Internet directly by using SNAT.
▬ vRouter route table: You can manage custom routes by using route tables.
▬ EIP: VPC vRouters can use EIPs to make the private networks of VM instances accessible through public networks.
▬ Port forwarding: Traffic to the ports of specified public IP addresses can be forwarded to the corresponding ports of VM instances according to the specified protocol.
▬ Load balancing: Inbound traffic to a VIP can be distributed to a set of backend VM instances, and unavailable VM instances are detected and isolated automatically.
▬ IPsec: IPsec tunnels can be used to establish VPN connections.
• Security Group Network Service Module
▬ Security group: You can control the security of VM instance firewalls by using iptables.
Advanced Network Services
• Dynamic routing: Dynamic routing uses the Open Shortest Path First (OSPF) routing protocol to distribute routing information within a single autonomous system. This service applies to VPC network scenarios.
• Multicast routing: Multicast routing forwards the multicast information sent by a multicast source to VM instances, achieving one-to-many communication between the sending side and the receiving side. This service applies to VPC network scenarios.
• VPC firewall: VPC firewalls filter the north-south traffic on VPC vRouter ports, effectively protecting VPC communication security and VPC vRouter security. This service applies to VPC network scenarios.
• Netflow: Netflow monitors and analyzes the inbound and outbound traffic of VPC vRouter NICs.
Currently, the following two data-flow output formats are supported: Netflow V5 and Netflow V9. This service applies to VPC network scenarios.
• Port mirroring: Port mirroring copies network traffic of VM NICs from one port to another port so that the business packets on the ports can be analyzed, for better monitoring and management of network data. This service applies to flat network, vRouter network, and VPC network scenarios.
7.4.1 Security
7.4.1.1 VPC Firewall
A VPC firewall manages the north-south traffic of VPC networks, and allows you to manage access control policies by configuring rule sets and rules. Each rule set applies to either inbound or outbound traffic of a VPC vRouter, not both. That is, you add one inbound rule set or one outbound rule set to a VPC vRouter. A rule set contains multiple rules, which effectively secure the entire VPC communication and the VPC vRouter. This complements security groups, which are applied to VM NICs and mainly protect east-west communication.
Firewall rule set:
• A firewall rule set is one of the following two types, according to the direction of traffic:
▬ Inbound rule set: manages traffic that comes from a source through the network to the VPC vRouter.
▬ Outbound rule set: manages traffic that is sent from the VPC vRouter to a destination through the network.
Firewall rule:
• You can customize the firewall rule priority, an integer, as needed. Lower integers indicate higher priority.
▬ System rule: A system rule is a predefined rule that supports system services. Priority range: 1-1000 or 4000-9999.
▬ Custom rule: A custom rule is a rule set by users. Priority range: 1001-2999.
• Firewall rules let you allow or deny incoming and outgoing traffic.
▬ The source and destination IP addresses can be a single IP address, an IP range, or a CIDR. A combination of these three formats is supported.
▬ You can add up to 10 firewall rules at a time. Separate the rules with commas (,).
As shown in VPC Firewall.
Figure 7-128: VPC Firewall
• Assume that VM-1 attempts to access VM-3: The traffic from VM-1 is matched against the inbound rule set of the public NIC on the VPC vRouter. If malicious traffic is detected, access is denied.
• Assume that VM-2 attempts to access VM-4: The traffic from VM-2 is matched against the inbound rule set of the public NIC on the VPC vRouter, and then against the outbound rule set of the private NIC on the VPC vRouter. If the traffic is trusted, access is allowed.
• Assume that Server-2 attempts to access Server-1: The traffic from Server-2 is matched against the inbound rule set of the private NIC on the VPC vRouter, and then against the outbound rule set of the public NIC on the VPC vRouter. If the traffic is trusted, access is allowed.
Difference between a VPC firewall and a security group:
A VPC firewall manages north-south traffic and applies to the entire VPC. By contrast, a security group mainly manages east-west traffic and applies to VM NICs. They complement each other. The detailed differences are as follows.
| Comparison | Security Group | VPC Firewall |
| Application scope | VM NIC | The entire VPC network |
| Deployment mode | Distributed | Centralized |
| Deployment location | VM instance | VPC vRouter |
| Configuration policy | Supports only allow policies | You can customize the accept, drop, or reject policy as needed |
| Priority | Takes effect according to the configuration sequence | The priority can be customized |
| Matching rules | Source IP address, source port, and source protocol | Source IP address, source port, destination IP address, destination port, protocol, and packet state |
To use a VPC firewall rule, follow the steps below:
• Create a VPC firewall.
• Add an inbound/outbound rule set to the VPC firewall.
• Add a corresponding rule to the rule set.
Create VPC Firewall
In the navigation pane of the ZStack Private Cloud UI, choose Network Service > VPC Firewall. On the VPC Firewall page, click Create VPC Firewall. On the displayed Create VPC Firewall page, set the following parameters:
• Name: Enter a name for the VPC firewall.
• Description: Optional. Enter a description for the VPC firewall.
• VPC vRouter: Select the VPC vRouter that needs to be protected.
Note: When you create a VPC firewall, make sure that the corresponding VPC vRouter is in the running state and is not attached to any firewall.
As shown in Figure 7-129: Create VPC Firewall.
Figure 7-129: Create VPC Firewall
Add Rule Set
On the VPC Firewall page, select the target VPC firewall, and choose Actions > Add Rule Set. On the displayed Add Rule Set page, set the following parameters:
• Name: Enter a name for the rule set.
• Default Action: Select the default action for handling network requests. Options: Accept, Drop, and Reject.
▬ Accept: Network requests sent to the VPC vRouter are allowed.
▬ Drop: Network requests sent to the VPC vRouter are not allowed, and no feedback is sent to the requesting endpoint.
▬ Reject: Network requests sent to the VPC vRouter are not allowed, and feedback is sent to the requesting endpoint.
• Network: Select the network to which the rule set is added.
Note: The newly created rule set applies only to the outbound direction of the NIC. That is, the rule set filters only outbound network requests.
As shown in Figure 7-130: Add Rule Set.
Figure 7-130: Add Rule Set
Add Rule
On the Rule Set tab page, select a rule set of the target network, and choose Actions > Add Rule. On the displayed Add Rule page, set the following parameters:
• Rule Set: Select the target rule set to which the rule is added.
• Priority: Set the priority of the rule.
Note:
• The priority is an integer from 1001 to 2999, inclusive. Lower integers indicate higher priority.
• Rule priorities must be unique within the same rule set.
• Action: Select an action to handle network requests. Options: Accept, Drop, and Reject.
▬ Accept: Network requests sent to the VPC vRouter are allowed.
▬ Drop: Network requests sent to the VPC vRouter are not allowed, and no feedback is sent to the requesting endpoint.
▬ Reject: Network requests sent to the VPC vRouter are not allowed, and feedback is sent to the requesting endpoint.
• Packet State: Optional. Select the packet state to be matched by the VPC firewall. For example, if you select new, all packets in the new state are handled according to the current rule.
▬ new: a new connection
▬ established: an established connection
▬ invalid: an unknown connection
▬ related: a related connection. The current connection is a new request that belongs to an existing connection.
• Protocol: Required. Select the protocol that the VPC firewall uses to match the rule. For example, if you select TCP, all TCP requests are handled according to the current rule.
• Source IP/Destination IP: Optional. Set the source IP address and the destination IP address to be matched by the current rule.
▬ You can enter a fixed IP address, an IP range, or a CIDR. For an IP range, use a hyphen (-) to join the start and end addresses of the range, for example, 192.168.0.1-192.168.0.100.
▬ You can enter up to 10 entries, in a single format or a combination of formats, separated by commas (,).
• Apply immediately: If selected, the rule takes effect immediately after you add it. If cleared, the rule is in the disabled state after you create it, and you need to enable it manually for it to take effect.
As shown in Figure 7-131: Add Rule.
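The following is an added Python model of how a rule set evaluates traffic under the constraints stated in this section (custom priority 1001-2999 and unique per rule set, lower integer wins, comma-separated address entries of up to 10 single IPs, start-end ranges or CIDRs, optional packet state, a disabled rule when Apply immediately is cleared, and the rule set's default action when nothing matches). It is not ZStack's code; the rule set contents, the packet dictionaries and the conntrack-style state field are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CUSTOM_PRIORITY = range(1001, 3000)   # custom rule priority: 1001-2999 inclusive
PACKET_STATES = {"new", "established", "invalid", "related"}
ACTIONS = {"Accept", "Drop", "Reject"}
MAX_ENTRIES = 10                       # up to 10 comma-separated address entries

def parse_address_spec(spec: Optional[str]) -> Optional[List[Tuple[int, int]]]:
    """Parse a Source IP/Destination IP field: comma-separated entries, each a single
    IPv4 address, a range written start-end, or a CIDR. None/empty means any address."""
    if not spec or not spec.strip():
        return None
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries allowed, got {len(entries)}")
    ranges = []
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
            if lo > hi:
                raise ValueError(f"range start is after its end: {entry}")
            ranges.append((int(lo), int(hi)))
        elif "/" in entry:
            net = ipaddress.IPv4Network(entry, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        else:
            ranges.append((int(ipaddress.IPv4Address(entry)),) * 2)
    return ranges

def address_in(ranges, addr: str) -> bool:
    if ranges is None:
        return True
    value = int(ipaddress.IPv4Address(addr))
    return any(lo <= value <= hi for lo, hi in ranges)

@dataclass
class Rule:
    priority: int
    action: str
    protocol: str                   # required: TCP, UDP, ICMP, ...
    state: Optional[str] = None     # optional packet state
    src: Optional[str] = None       # Source IP field
    dst: Optional[str] = None       # Destination IP field
    enabled: bool = True            # "Apply immediately" cleared -> disabled

    def __post_init__(self):
        if self.priority not in CUSTOM_PRIORITY:
            raise ValueError(f"custom rule priority must be 1001-2999: {self.priority}")
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action: {self.action}")
        if self.state is not None and self.state not in PACKET_STATES:
            raise ValueError(f"unknown packet state: {self.state}")
        self._src = parse_address_spec(self.src)
        self._dst = parse_address_spec(self.dst)

    def matches(self, pkt: dict) -> bool:
        return (self.enabled and pkt["proto"] == self.protocol
                and (self.state is None or pkt["state"] == self.state)
                and address_in(self._src, pkt["src"]) and address_in(self._dst, pkt["dst"]))

@dataclass
class RuleSet:
    name: str
    default_action: str             # applied when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"priority {rule.priority} already used in {self.name}")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)   # lower integer = higher priority

    def evaluate(self, pkt: dict) -> str:
        for rule in self.rules:       # first match in priority order decides
            if rule.matches(pkt):
                return rule.action
        return self.default_action

def build_public_inbound() -> RuleSet:
    rs = RuleSet("public-inbound", default_action="Drop")   # constructed sample
    rs.add_rule(Rule(1001, "Accept", "TCP", state="established"))
    rs.add_rule(Rule(1010, "Accept", "TCP", state="new",
                     src="203.0.113.5, 198.51.100.0-198.51.100.20", dst="10.0.1.0/24"))
    rs.add_rule(Rule(1020, "Reject", "ICMP"))
    rs.add_rule(Rule(1030, "Accept", "UDP", dst="10.0.1.53", enabled=False))
    return rs

def demo() -> dict:
    rs = build_public_inbound()
    packets = {   # constructed packets: protocol, state, source, destination
        "ssh_from_allowed": {"proto": "TCP", "state": "new", "src": "198.51.100.7", "dst": "10.0.1.10"},
        "ssh_from_other": {"proto": "TCP", "state": "new", "src": "192.0.2.9", "dst": "10.0.1.10"},
        "reply_traffic": {"proto": "TCP", "state": "established", "src": "192.0.2.9", "dst": "10.0.1.10"},
        "ping": {"proto": "ICMP", "state": "new", "src": "192.0.2.9", "dst": "10.0.1.10"},
        "dns_rule_disabled": {"proto": "UDP", "state": "new", "src": "192.0.2.9", "dst": "10.0.1.53"},
    }
    return {name: rs.evaluate(pkt) for name, pkt in packets.items()}
```

Running demo() shows that the disabled UDP rule never fires and that anything unmatched falls through to the rule set's default action, which is why a default of Drop on the public inbound side is the safe starting point.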
Issue: V3.9.0 437User Guide / 7 Cloud Operations Guide Figure 7-131: Add Rule 438 Issue: V3.9.0User Guide / 7 Cloud Operations Guide VPC Firewall Operations You can perform the following operations on a VPC firewall: • Create VPC firewall: create a VPC firewall. • Update configuration: Modify the configurations of the VPC firewall. • Add rule set: Add a rule set to the VPC firewall. • Add rule: Select a rule set and add a rule to it. • Delete: Delete the VPC firewall. Rule Set Operations You can perform the following operations on a rule set: • Add rule set: Add the rule set to your current VPC firewall. • Add rule: Add a rule to the rule set. • Bind network: Bind a network to the rule set. • Delete: Delete the rule set. Note: Inbound rule sets cannot be deleted. Issue: V3.9.0 439User Guide / 7 Cloud Operations Guide Notice When you use a VPC firewall, note that: • One VPC vRouter can be used to create only one VPC firewall. • One NIC includes an inbound direction and an outbound direction. You can configure only one rule set for each direction. • After you create a VPC firewall, public networks can only access VM instances through EIPs. If you are using static routing or OSPF, note that the static routing and OSPF will not be available when the firewall with the priority 9999 is disabled. If you still want to use static routing and OSPF, add an inbound rule to the public network NIC. When you use a rule set, note that: • One rule set can have up to 9999 rules attached. • Only outbound rule sets can be created. Outbound rule sets apply to the outbound direction of the NIC. • The inbound and outbound directions of a rule set is designed for VPC vRouters. Please exercise caution. • The inbound rule sets are created by the system. You can customize your rules in an inbound rule set, but you cannot delete inbound rule sets. • The rule sets of the same direction can be reused on multiple NICs. 
When you use a rule, note that: • A rule is a part of a rule set, and cannot be reused on multiple rule sets. • A system rule is a preconfigured rule that supports system services. The system rule has two priority ranges: 1-1000 and 4000-9999. The priority range of a custom rule is 1001-2999. The system reserved priority range is 3000-3999. The lower the number is, the higher priority is. • You cannot add, modify, or delete system rules. 7.4.1.2 Security Group A security group provides L3 network firewall control over the VM instances, and controls TCP, UDP, and ICMP data packets for effective filtering. You can use a security group to effectively control specified VM instances on specified networks according to specified security rules. • Flat networks, vRouter networks, and VPC all support the security group service. The security group service is provided by the security group network service module. You use iptables to 440 Issue: V3.9.0User Guide / 7 Cloud Operations Guide perform firewall security controls over VM instances. This method applies to flat networks, vRouter networks, and VPC. • A security group is actually a distributed firewall. When you modify a rule, or when you add or delete a NIC, note that firewall rules in VM instances are updated as well. Security group rule: • A security group rule has the following two types of traffics according the direction of data packets: ▬ Ingress: inbound data packets that access a VM instance. ▬ Egress: outbound data packets that are sent from a VM instance. • A security group rule supports the following protocol types: ▬ ALL: All protocol types are included, indicating that you cannot specify a port. ▬ TCP: Ports 1-65535 are supported. ▬ UDP: Ports 1-65535 are supported. ▬ ICMP: By default, both the start port and end port are all -1, indicating that all ICMP protocols are supported. • A security group rule can limit data sources that comes either from inside or outside of VM instances. 
Currently, sources can be set as a source CIDR or a source security group.
  ▬ Source CIDR: Only the specified CIDR is allowed.
  ▬ Source security group: Only the VM instances in the specified security group are allowed.

Note: If you set both a CIDR and a security group, only the intersection of the two takes effect.

A security group topology is shown in Figure 7-132: Security Group.

Figure 7-132: Security Group

Security Group Usage

The basic workflow of using a security group is as follows: Select an L3 network, set the corresponding firewall rules, and add the specified VM instances to the rules.

Create Security Group

In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Security Group. On the Security Group page, click Create Security Group. On the displayed Create Security Group page, set the following parameters:
• Name: Enter a name for the security group.
• Description: Optional. Enter a description for the security group.
• IP Address Type: Select an IP address type for your network. Options: IPv4 and IPv6.
• Network: Select an existing L3 network according to the selected IP address type.
  ▬ If the IP address type is IPv4, the L3 network can be a public network, private network, or VPC network.
  ▬ If the IP address type is IPv6, the L3 network can be a public network or private network.
  ▬ You can add more than one L3 network of the same type at a time, but cannot add multiple L3 networks of different types.
• Rule: Optional. You can set a firewall rule for the security group when or after you create the security group.
• Physical NIC: Optional. Select a VM instance to add its NIC to the security group. You can add a VM NIC directly when or after you create the security group.

As shown in Figure 7-133: Create Security Group. Click OK to finish creating the security group.
Figure 7-133: Create Security Group

Set Security Group Rule

Assume that you set a security group rule directly when you create a security group. On the Create Security Group page, click the plus sign (+) in the Rule section. On the displayed Set Rules page, set the following parameters:
• Type: Select the type (direction) of the security group rule, for example, ingress.
• Protocol: Select a protocol, for example, TCP.
• Start Port: Enter a port between 1 and 65535 as the start port, for example, 23.
• End Port: Enter a port between 1 and 65535 as the end port, for example, 1024.
• CIDR: Optional. If specified, only the specified CIDR is allowed.
• Source Security Group: Optional. If specified, only VM instances in the specified security group are allowed.

As shown in Figure 7-134: Set Rule.

Figure 7-134: Set Rule

Add VM NIC to Security Group

Assume that you add a VM NIC directly when you create a security group. On the Create Security Group page, click the plus sign (+) in the NIC section. On the displayed Select NIC page, select the target VM instance. As shown in Figure 7-135: Add VM NIC to Security Group.

Figure 7-135: Add VM NIC to Security Group

Security Group Operations

You can perform the following operations on a security group:
• Enable: Enable the security group. After you enable a security group, all the associated security group rules and services are also enabled.
• Disable: Disable the security group. After you disable a security group, all the associated security group rules and services become unavailable.
• Modify name and description: Modify the name and description of the security group.
• Attach L3 network: Attach the security group to one or more L3 networks. Note that these L3 networks will share the same security group rules.
• Detach L3 network: Detach an L3 network from the security group.
• Add rule: Add a rule to the security group.
• Delete rule: Delete a rule from the security group.
• Bind VM NIC: Bind the security group to a VM NIC. Note that you can bind a security group to multiple VM instances. The NICs of these VM instances will share the same security group rules.
• Unbind VM NIC: Unbind the security group from a VM NIC.
• Delete: Delete the security group. Deleting a security group also deletes the associated security group rules and services.
• Audit: View the related operations supported by the security group.

Security Group Constraints

The constraints of a security group are as follows:
• A security group can be attached to more than one VM instance. These VM instances will share the same security group rules.
• A security group can be attached to more than one L3 network. These L3 networks will share the same security group rules.
• A security group supports whitelists. That is, you can set all security group rules to "Allow". Once you set an allow rule for a port, other ports are not allowed.
• When you create a security group, the system automatically configures two rules (an inbound rule and an outbound rule, both with protocol type ALL) for communication within the security group. You can delete these two default rules to disable intra-group communication.
• If you do not set any rule when you create a security group, incoming traffic is not allowed to access the VM instances in the security group. However, outgoing traffic from the VM instances in the security group is allowed.
• If you use the security group together with other network services, such as load balancing and route table, make sure that the rules required by these network services are added to the security group.
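The rule semantics described above (direction, protocol and port range, CIDR and source security group with intersection when both are set, the two auto-created ALL rules, and the defaults when no rule exists) modelled as an added Python example. This is not ZStack code; the class and function names and the sample addresses are assumptions.

```python
"""Model of the security group rule semantics described above.
Added example, not ZStack code; names and sample addresses are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class SgRule:
    direction: str                      # "ingress" or "egress"
    protocol: str                       # "ALL", "TCP", "UDP" or "ICMP"
    start_port: int = -1                # 1-65535 for TCP/UDP, -1 otherwise
    end_port: int = -1
    cidr: Optional[str] = None          # peer CIDR limit, if any
    source_group: Optional[str] = None  # peer security group limit, if any

    def __post_init__(self) -> None:
        if self.direction not in ("ingress", "egress"):
            raise ValueError("direction must be ingress or egress")
        if self.protocol not in ("ALL", "TCP", "UDP", "ICMP"):
            raise ValueError("unsupported protocol")
        if self.protocol in ("TCP", "UDP"):
            # TCP and UDP rules carry a port range inside 1-65535
            if not 1 <= self.start_port <= self.end_port <= 65535:
                raise ValueError("TCP/UDP port range must lie within 1-65535")
        elif (self.start_port, self.end_port) != (-1, -1):
            # ALL and ICMP rules cannot specify a port (ICMP keeps -1/-1)
            raise ValueError("ALL/ICMP rules cannot specify a port")
        if self.cidr is not None:
            ip_network(self.cidr)  # raises ValueError on a malformed CIDR


@dataclass
class SecurityGroup:
    name: str
    rules: List[SgRule] = field(default_factory=list)
    members: Set[str] = field(default_factory=set)  # IPs of bound VM NICs

    @classmethod
    def create(cls, name: str, with_default_rules: bool = True) -> "SecurityGroup":
        """Mirror UI creation: an ingress and an egress ALL rule scoped to the
        group itself allow intra-group traffic; both can be deleted later."""
        sg = cls(name)
        if with_default_rules:
            sg.rules.append(SgRule("ingress", "ALL", source_group=name))
            sg.rules.append(SgRule("egress", "ALL", source_group=name))
        return sg


def rule_matches(rule: SgRule, direction: str, protocol: str, port: int,
                 peer_ip: str, groups: Dict[str, SecurityGroup]) -> bool:
    """True if the packet fits the rule. With both CIDR and source group set,
    only their intersection takes effect, so the peer must satisfy both."""
    if rule.direction != direction:
        return False
    if rule.protocol != "ALL":
        if rule.protocol != protocol:
            return False
        if protocol in ("TCP", "UDP") and not rule.start_port <= port <= rule.end_port:
            return False
    if rule.cidr is not None and ip_address(peer_ip) not in ip_network(rule.cidr):
        return False
    if rule.source_group is not None:
        peer_group = groups.get(rule.source_group)
        if peer_group is None or peer_ip not in peer_group.members:
            return False
    return True


def is_allowed(sg: SecurityGroup, direction: str, protocol: str, port: int,
               peer_ip: str, groups: Dict[str, SecurityGroup]) -> bool:
    """Whitelist evaluation. With no rule in a direction the stated defaults
    apply (ingress denied, egress allowed); once a direction has rules, only
    traffic matched by one of them passes (assumed reading of the text)."""
    same_direction = [r for r in sg.rules if r.direction == direction]
    if not same_direction:
        return direction == "egress"
    return any(rule_matches(r, direction, protocol, port, peer_ip, groups)
               for r in same_direction)


def demo() -> Dict[str, bool]:
    """Constructed scenario: a web group admitting TCP 23-1024 from an office
    CIDR, and ICMP only from monitor members that sit inside 10.0.9.0/24."""
    web, mon = SecurityGroup.create("web"), SecurityGroup.create("monitor")
    groups = {"web": web, "monitor": mon}
    web.members.update({"10.0.1.10", "10.0.1.11"})
    mon.members.update({"10.0.9.5", "10.0.8.1"})
    web.rules.append(SgRule("ingress", "TCP", 23, 1024, cidr="192.168.50.0/24"))
    web.rules.append(SgRule("ingress", "ICMP", cidr="10.0.9.0/24", source_group="monitor"))
    empty = SecurityGroup.create("empty", with_default_rules=False)
    return {
        "office_http": is_allowed(web, "ingress", "TCP", 80, "192.168.50.7", groups),
        "office_8080": is_allowed(web, "ingress", "TCP", 8080, "192.168.50.7", groups),
        "stranger_http": is_allowed(web, "ingress", "TCP", 80, "203.0.113.9", groups),
        "intra_group_udp": is_allowed(web, "ingress", "UDP", 5000, "10.0.1.11", groups),
        "monitor_ping": is_allowed(web, "ingress", "ICMP", -1, "10.0.9.5", groups),
        "monitor_outside_cidr": is_allowed(web, "ingress", "ICMP", -1, "10.0.8.1", groups),
        "in_cidr_not_member": is_allowed(web, "ingress", "ICMP", -1, "10.0.9.6", groups),
        "empty_ingress": is_allowed(empty, "ingress", "TCP", 22, "192.168.50.7", groups),
        "empty_egress": is_allowed(empty, "egress", "TCP", 443, "203.0.113.9", groups),
    }
```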
7.4.2 VIP

In a bridged networking environment, virtual IP addresses (VIPs) are used to provide network services such as elastic IP address (EIP), port forwarding, load balancing, and IPsec tunnel. Packets are sent to VIPs and then routed to the VM networks.
• The VIP created from a public network can be used to provide network services, such as EIP and load balancing, for flat networks.
• The VIP created from a public network can be used to provide network services, such as EIP, port forwarding, load balancing, and IPsec tunnel, for vRouter networks and VPC networks.
• The VIP created from a VPC network can be used to provide load balancing services for VPC networks.
• The VIP created from a flat network can be used to provide network services, such as EIP and load balancing, for flat networks.

The following is an example of providing the load balancing service by using a VIP, as shown in Figure 7-136: Provide Load Balancing by Using VIP.

Figure 7-136: Provide Load Balancing by Using VIP

Definitions related to VIP:
• Public VIP: The VIP created from a public network. A public VIP can be created manually, or created automatically by the system after a vRouter is created.
  ▬ A public VIP can provide network services, such as EIP and load balancing, for flat networks. A public VIP can also provide network services, such as EIP, port forwarding, load balancing, and IPsec tunnel, for vRouter networks and VPC networks.
  ▬ A public VIP can be simultaneously applied to services such as port forwarding, load balancing, and IPsec tunnel, and supports multiple instances of the same service type. Note that different types of services cannot use the same port number.
  ▬ A public VIP supports QoS, performance TOP 5, performance analysis, alarm, and other features.
• VPC VIP: The VIP created from a VPC network. A VPC VIP can only be created manually.
  ▬ A VPC private network VIP can provide load balancing services for VPC networks.
  ▬ Currently, VPC VIPs do not support QoS, monitoring data, performance TOP 5, performance analysis, and alarm features.
• Flat VIP: The VIP created from a flat network. A flat VIP can be created manually, or created automatically by the system after a vRouter is created.
  ▬ A flat VIP provides network services, such as EIP and load balancing, for flat networks.
  ▬ A flat VIP supports QoS, monitoring data, performance TOP 5, performance analysis, alarm, and other features.
• Custom VIP: The VIP manually created by a user. Public VIPs, VPC VIPs, and flat network VIPs can be created manually.
  ▬ One custom public VIP can be applied to only one EIP service instance.
  ▬ Custom VIPs cannot be used across normal vRouters or VPC vRouters.
  ▬ When you use the EIP, port forwarding, load balancing, or IPsec tunnel service, you can select Create new IP to create a new VIP, or select Use existing IP to provide the corresponding services.
• System VIP: The VIP automatically created by the system from the L3 network attached to a vRouter (a normal vRouter or VPC vRouter) after the vRouter is successfully created. Both public VIPs and flat VIPs can be created automatically by the system after a vRouter is created.
  ▬ A system VIP has a one-to-one relationship with a vRouter or VPC vRouter. Each time a vRouter attaches a public network, the system automatically creates a system VIP. In addition, the system VIP is the same as the default IP address of the vRouter or VPC vRouter.
  ▬ By default, the system VIPs created from public networks are used to provide the source network address translation (SNAT) service.
  ▬ When you use the EIP, port forwarding, load balancing, or IPsec tunnel service, you can select Use existing IP to provide the corresponding services.

Create Custom VIP

In the navigation pane of the ZStack Private Cloud UI, choose Network Service > VIP. On the Custom tab page, click Create VIP.
On the displayed Create VIP page, set the following parameters:
• Name: Enter a name for the VIP.
• Description: Optional. Enter a description for the VIP.
• Network: Select the network that provides the VIP.
  ▬ The VIP created from a public network can be used to provide network services, such as EIP and load balancing, for flat networks.
  ▬ The VIP created from a public network can be used to provide network services, such as EIP, port forwarding, load balancing, and IPsec tunnel, for vRouter networks and VPC networks.
  ▬ The VIP created from a VPC network can be used to provide load balancing services for VPC networks.
  ▬ The VIP created from a flat network can be used to provide network services, such as EIP and load balancing, for flat networks.
• IP Range: Optional. Specify an IP range. Note that an IPv4 public network allows you to select a normal IP range or an IP address pool.
• Specified IP: Optional. Specify a VIP. If not specified, the system automatically assigns a VIP.
• Add VIP QoS: Set the VIP QoS to manage your network bandwidth. You can set the QoS directly when you create a VIP, or add QoS after you create the VIP.
  ▬ Port: Optional. Specify the port to which the QoS policy applies. Allowed port range: 1-65535. If not specified, the QoS policy applies to ports 1-65535.
    Note: You can set multiple QoS policies for the same public VIP. QoS policies without port settings have the lowest priority.
  ▬ Upstream Bandwidth: Optional. Set the upper limit of the upstream bandwidth for the VIP. Unit: Mbps. If not specified, the upstream bandwidth is not limited.
  ▬ Downstream Bandwidth: Optional. Set the upper limit of the downstream bandwidth for the VIP. Unit: Mbps. If not specified, the downstream bandwidth is not limited.
  As shown in Figure 7-137: Add VIP QoS. Click OK to submit your settings.
Figure 7-137: Add VIP QoS

Then, you can click Add VIP QoS to add more QoS policies.

The following is an example of creating a public VIP, as shown in Figure 7-138: Create VIP. Click OK to finish creating the VIP.

Figure 7-138: Create VIP

VIP Operations

You can perform the following operations on a VIP:
• Create VIP: Create a custom VIP. Note that system VIPs are created by the system.
• Modify name and description: Modify the name and description of the VIP.
• Change owner: Change the owner of the VIP.
• Delete:
  ▬ Custom VIP:
    ■ Deleting a custom VIP also deletes the services associated with the VIP.
    ■ Deleting a service of a custom VIP does not affect other services associated with the VIP.
  ▬ System VIP:
    ■ Deleting a service of a system VIP does not affect other services associated with the VIP.
    ■ Deleting a normal vRouter or VPC vRouter also deletes the services associated with the corresponding system VIPs.
• Add/Delete QoS: Add QoS to or delete QoS from a custom VIP or system VIP on the QoS tab of the VIP details page.
  Note:
  • In a flat network scenario, a custom VIP can be used for EIP and load balancing services. Therefore, the QoS feature of a VIP can be applied to EIP and load balancing services.
  • In a vRouter network or VPC network scenario, a custom VIP can be used for EIP, port forwarding, load balancing, and IPsec tunnel services. Therefore, you can set QoS for custom VIPs that provide these four services.
  • A system VIP can be used for port forwarding, load balancing, and IPsec tunnel services. Therefore, you can set QoS for system VIPs that provide these three services.
  • Multiple QoS rules can be set for the same VIP. Note that QoS rules without port configurations have the lowest priority.
  • Currently, VPC VIPs and IPv6 VIPs do not support QoS configurations.
  • If you create a vRouter network by using a vRouter image of the VirtualRouter type, you cannot configure the VIP QoS.
• Monitoring alarm: ZStack supports VIP alarms. After you create a VIP alarm and add the corresponding metric items, the system monitors the metric items of the VIP and sends alarm messages through email, DingTalk, HTTP POST, or SMS.
• View monitoring data: You can view the network traffic and packets of the VIP in real time.
• Audit: View the related operations supported by the VIP.

7.4.3 EIP

An elastic IP address (EIP) is a method to access a private network through a public network. An EIP translates the IP address of one network into the IP address of another network based on the network address translation (NAT) function.
• The following is an example of an EIP application scenario in flat networks, as shown in Figure 7-139: EIP Application Scenario in Flat Network.

Figure 7-139: EIP Application Scenario in Flat Network

  ▬ Public networks can connect to the Internet through firewalls.
  ▬ Private networks (flat networks) provide IP addresses for each VM instance on each compute node. Note that these IP addresses cannot connect to the Internet by default.
  ▬ Distributed EIP is deployed on each compute node. The EIP can be bound to public networks or private networks separately.
• The following is an example of an EIP application scenario in vRouter networks or VPC networks, as shown in Figure 7-140: EIP Application Scenario in vRouter/VPC Network.

Figure 7-140: EIP Application Scenario in vRouter/VPC Network

Definitions related to EIP:
• Public EIP: The EIP service provided by a public VIP created from a public network.
  ▬ An internal private network is an isolated network space that cannot be directly accessed from the external network. A public EIP can directly associate access from a public network with the VM IP of an internal private network.
  ▬ An EIP can be attached to or detached from a VM instance dynamically.
  ▬ A public EIP can be attached to VM instances created from private networks, such as flat networks, vRouter networks, and VPC networks.
    ■ The EIP realized by distributed EIP allows flat networks to be accessed through public networks.
    ■ vRouters or VPC vRouters allow vRouter networks or VPC networks to be accessed through public networks.
• Flat network private EIP: The EIP service provided by a flat network private VIP created from a flat network.
  ▬ L3 isolation exists between flat networks of different IP ranges. Therefore, these flat networks cannot access each other directly. A flat network private EIP can be used to associate access from one flat network with the VM IP created from another flat network.
  ▬ A flat network private EIP can be attached to or detached from a VM instance dynamically.
  ▬ A flat network private EIP can be attached to VM instances created from other flat networks.

Create EIP

In the navigation pane of the ZStack Private Cloud UI, choose Network Service > EIP. On the EIP page, click Create EIP. On the displayed Create EIP page, set the following parameters:
• Name: Enter a name for the EIP.
• Description: Optional. Enter a description for the EIP.
• Select VIP: Select a VIP for the EIP. The EIP service is provided by a VIP. To use a VIP, select one of the following methods:
  ▬ Create new IP: To create a new VIP, set the following parameters:
    ■ Network: Select a network that provides the VIP. The network can be a public network or a flat network.
    ■ IP Range: Optional. Specify an IP range. Note that an IPv4 public network allows you to select a normal IP range or an IP address pool.
    ■ Specified IP: Optional. Specify a VIP. If not specified, the system automatically assigns a VIP.
    As shown in Figure 7-141: Create new VIP.
Figure 7-141: Create new VIP

  ▬ Use existing VIP: To use an existing VIP, set the following parameter:
    ■ VIP: Select an existing VIP.
    As shown in Figure 7-142: Use existing IP.

Figure 7-142: Use existing IP

As shown in Figure 7-143: Create EIP.

Figure 7-143: Create EIP

Click Next. Then, the Associate VM NIC page is displayed, as shown in Figure 7-144: Associate VM NIC.

Figure 7-144: Associate VM NIC

Select the target VM instance and click OK. To cancel the operation, click Cancel. After you cancel the operation, you can still associate a VM instance later by using the EIP operations.

EIP Operations

You can perform the following operations on an EIP:
• Modify name and description: Modify the name and description of the EIP.
• Associate: Associate the EIP with a VM NIC.
• Disassociate: Disassociate the EIP from a VM NIC.
• Change owner: Change the owner of the EIP.
• Delete: Delete the EIP. Note that the IP services provided by the EIP are also deleted. To delete the associated VIP at the same time, select Delete VIP.
• Audit: View the related operations supported by the EIP.

7.4.4 Port Forwarding

Port forwarding is a layer 3 forwarding service based on vRouters or VPC vRouters. It forwards the port traffic of specified public IP addresses to the ports of the corresponding VM IP addresses. If your public IP addresses are insufficient, port forwarding can provide multiple external services for VM instances to save public IP resources.
• In private networks that enable the source network address translation (SNAT) service, VM instances can access the external network, but cannot be accessed by the external network. A port forwarding rule can be used to allow the external network to access some specified ports of VM instances behind SNAT.
• An elastic port forwarding rule can be dynamically attached to or detached from VM instances.
• The port forwarding service can only be provided by vRouters or VPC vRouters.
  ▬ A port forwarding rule can be created between the public networks of a vRouter or VPC vRouter and the private networks of VM instances, as shown in Figure 7-145: Port Forwarding.

Figure 7-145: Port Forwarding

• The port forwarding service is provided by a VIP.
  ▬ A VIP corresponds to an available IP address in a public IP resource pool.
  ▬ To create port forwarding by using a VIP, you can either create a new VIP or use an existing VIP.
  ▬ To specify port mapping for port forwarding, you can choose one-to-one port mapping or range-to-range port mapping, as shown in Figure 7-146: VIP - Port Forwarding.

Figure 7-146: VIP - Port Forwarding

Create Port Forwarding Rule

In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Port Forwarding. On the Port Forwarding page, click Create Port Forwarding. On the displayed Create Port Forwarding page, set the following parameters:
• Name: Enter a name for the port forwarding rule.
• Description: Optional. Enter a description for the port forwarding rule.
• Select VIP: Select a VIP for the port forwarding rule. The port forwarding service is provided by a VIP. To use a VIP, select one of the following methods:
  ▬ Create new IP: To create a new VIP, set the following parameters:
    ■ Network: Select a network that provides the VIP. The network can be a public network or a flat network.
    ■ IP Range: Optional. Specify an IP range. Note that an IPv4 public network allows you to select a normal IP range or an IP address pool.
    ■ Specified IP: Optional. Specify a VIP. If not specified, the system automatically assigns a VIP.
    As shown in Figure 7-147: Create new VIP.
Figure 7-147: Create new VIP

  ▬ Use existing IP: To use an existing VIP, set the following parameter:
    ■ VIP: Select an existing VIP.
    As shown in Figure 7-148: Use existing VIP.

Figure 7-148: Use existing VIP

  Note: The system VIPs provided by vRouters or VPC vRouters can be used by the port forwarding service.
• Protocol: Select a protocol. Options: TCP and UDP.
  ▬ TCP: supports ports 1-65535.
  ▬ UDP: supports ports 1-65535.
• Port: Select Specified port (forward traffic from port to port) or Port range (forward traffic in a port range).
  ▬ Specified port: If you select Specified port, set the following parameters:
    ■ Source Start Port: Enter a port between 1 and 65535 as the source start port.
    ■ Source End Port: This parameter is automatically set by the system, and is the same as the source start port you specified.
    ■ VM Start Port: Select a port between 1 and 65535 as the start port of the VM instance.
    ■ VM End Port: This parameter is automatically set by the system, and is the same as the start port of the VM instance you specified.
    ■ Allowed CIDR: Optional. If specified, only the specified CIDR is allowed.
    For example, if you set the source start port to 24 and the start port of the VM instance to 22, traffic to port 24 of the public IP address is forwarded to port 22 of the VM instance.
    As shown in Figure 7-149: Create Port Forwarding Rule - Specified port.

Figure 7-149: Create Port Forwarding Rule - Specified port

  ▬ Port range: If you select Port range, set the following parameters:
    ■ Source Start Port: Enter a port between 1 and 65535 as the source start port.
    ■ Source End Port: Enter a port between 1 and 65535 as the source end port.
    ■ VM Start Port: This parameter is automatically set by the system, and is the same as the source start port you specified.
    ■ VM End Port: This parameter is automatically set by the system, and is the same as the source end port you specified.
    ■ Allowed CIDR: Optional. If specified, only the specified CIDR is allowed.
    For example, if you set the port range to 22-80, the port range of the VM instance is 22-80 by default. Then, traffic to ports 22-80 of the public IP address is forwarded to ports 22-80 of the VM instance.
    As shown in Figure 7-150: Create Port Forwarding Rule - Port range.

Figure 7-150: Create Port Forwarding Rule - Port range

As shown in Figure 7-151: Create Port Forwarding Rule.

Figure 7-151: Create Port Forwarding Rule

Associate Port Forwarding Rule to VM NIC

On the displayed Associate VM NIC page, click the plus sign (+) in the VM Instance section. On the displayed Select VM Instance page, select the target VM instance, and click OK. As shown in Figure 7-152: Select VM NIC and Figure 7-153: Associate Port Forwarding Rule to VM NIC.

Figure 7-152: Select VM NIC

Figure 7-153: Associate Port Forwarding Rule to VM NIC

Port Forwarding Operations

You can perform the following operations on a port forwarding rule:
• Modify name and description: Modify the name and description of the port forwarding rule.
• Associate: Associate the port forwarding rule with a VM NIC.
• Disassociate: Disassociate the port forwarding rule from a VM NIC.
• Delete: Delete the port forwarding rule. Note that the port forwarding service provided by the rule is also deleted. However, the associated VIP and other services are not affected.
• Audit: View the related operations supported by the port forwarding rule.
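The two port mapping modes described above (Specified port with the end ports copied from the start ports, and Port range with the VM range set equal to the source range), the Allowed CIDR filter, and the requirement that a VIP's public ports not be claimed twice, as an added Python example. This is not ZStack code; the class and function names, the rule names, and the documentation addresses are assumptions.

```python
"""Model of the port forwarding rule semantics described above.
Added example, not ZStack code; names and sample addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PORT_MIN, PORT_MAX = 1, 65535


@dataclass(frozen=True)
class PortForwardingRule:
    name: str
    vip: str                            # public VIP that provides the service
    protocol: str                       # "TCP" or "UDP"
    source_start: int                   # public-side port range
    source_end: int
    vm_start: int                       # VM-side port range
    vm_end: int
    allowed_cidr: Optional[str] = None  # only clients inside this CIDR, if set

    @classmethod
    def specified_port(cls, name, vip, protocol, source_port, vm_port, allowed_cidr=None):
        """Specified port mode: the UI copies each start port into its end port."""
        return cls(name, vip, protocol, source_port, source_port, vm_port, vm_port, allowed_cidr)

    @classmethod
    def port_range(cls, name, vip, protocol, source_start, source_end, allowed_cidr=None):
        """Port range mode: the UI sets the VM range equal to the source range."""
        return cls(name, vip, protocol, source_start, source_end,
                   source_start, source_end, allowed_cidr)

    def validate(self) -> None:
        if self.protocol not in ("TCP", "UDP"):
            raise ValueError("protocol must be TCP or UDP")
        for port in (self.source_start, self.source_end, self.vm_start, self.vm_end):
            if not PORT_MIN <= port <= PORT_MAX:
                raise ValueError("ports must lie within 1-65535")
        if self.source_start > self.source_end or self.vm_start > self.vm_end:
            raise ValueError("start port must not exceed end port")
        if (self.source_start != self.source_end
                and (self.source_start, self.source_end) != (self.vm_start, self.vm_end)):
            # Port range mode requires identical source and VM ranges
            raise ValueError("source and VM port ranges must be the same")
        if self.allowed_cidr is not None:
            ip_network(self.allowed_cidr)  # raises ValueError on a malformed CIDR

    def public_ports(self) -> range:
        return range(self.source_start, self.source_end + 1)


def check_vip_port_conflicts(rules: List[PortForwardingRule]) -> List[Tuple[str, int, str, str]]:
    """Return (vip, port, first_rule, second_rule) for every public port claimed
    twice on one VIP. Conservative reading of the constraint that the ports
    used by a VIP must not be duplicated: the protocol is ignored."""
    seen: Dict[Tuple[str, int], str] = {}
    conflicts: List[Tuple[str, int, str, str]] = []
    for rule in rules:
        rule.validate()
        for port in rule.public_ports():
            key = (rule.vip, port)
            if key in seen:
                conflicts.append((rule.vip, port, seen[key], rule.name))
            else:
                seen[key] = rule.name
    return conflicts


def resolve(rules: List[PortForwardingRule], vip: str, protocol: str,
            public_port: int, client_ip: str) -> Optional[int]:
    """VM port reached by a packet to vip:public_port from client_ip, or None
    when no rule covers the port or the Allowed CIDR rejects the client."""
    for rule in rules:
        if rule.vip != vip or rule.protocol != protocol:
            continue
        if not rule.source_start <= public_port <= rule.source_end:
            continue
        if rule.allowed_cidr and ip_address(client_ip) not in ip_network(rule.allowed_cidr):
            return None
        # range-to-range mapping keeps the offset inside the range
        return rule.vm_start + (public_port - rule.source_start)
    return None


# Constructed rules on one VIP (documentation address 203.0.113.10)
VIP = "203.0.113.10"
SSH_ALT = PortForwardingRule.specified_port("ssh-alt", VIP, "TCP", 24, 22,
                                            allowed_cidr="198.51.100.0/24")
WEB_RANGE = PortForwardingRule.port_range("web-range", VIP, "TCP", 8000, 8010)
OVERLAP = PortForwardingRule.port_range("overlap", VIP, "TCP", 22, 80)  # also claims port 24
```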
Port Forwarding Constraints

The constraints of a port forwarding rule are as follows:
• To use port forwarding, make sure that the firewall policy in the VM instances allows access to the specified ports.
• When you use a VIP to provide the port forwarding service, make sure that the ports used by the VIP are not duplicated.
• A VIP can provide the port forwarding service to different ports of multiple VM NICs on the same L3 network.
• A VM instance can only use one VIP to provide the port forwarding service.
• When you disassociate a VIP from a VM instance and then associate a VM instance again, you can only select a VM NIC on the same L3 network as the VM instance that you disassociated before.
• If you select Port range for port forwarding, make sure that the source port range and the VM port range are the same. For example, if you set the source port range to 22-80, the port range of the VM instance is also 22-80.

7.4.5 IPsec Tunnel

An IPsec tunnel encrypts and authenticates IP packets to protect data transferred over IP. It provides site-to-site VPN connections.

The features of an IPsec tunnel are as follows:
• IPsec connection mode: For security reasons, only Main Mode and the Encapsulating Security Payload (ESP) protocol are supported. Aggressive Mode is not supported.
• IPsec transfer mode: Considering the cloud network model, only the site-to-site tunnel mode is supported. The point-to-point PC mode is not supported.
• IPsec routing model: Only the IPsec routing model based on source-to-destination IP range matching is supported. The routing forwarding mode is not supported. Note that the OSPF and BGP dynamic routing protocols are not supported.

This topic mainly introduces the IPsec tunnel usage in vRouter networks. For information about the detailed usage of an IPsec tunnel in VPC, see IPsec Tunnel in the VPC Network Tutorial.
The typical application scenario of an IPsec tunnel in vRouter networks is as follows:
• You can use vRouter networks in two isolated ZStack Private Cloud environments. In these two environments, the private networks of the VM instances cannot communicate with each other directly. You can use an IPsec tunnel to enable communication between the private networks of the VM instances, as shown in Figure 7-154: IPsec Tunnel Application Scenarios in vRouter Networks.

Figure 7-154: IPsec Tunnel Application Scenarios in vRouter Networks

How to Use IPsec Tunnel in vRouter Network

The basic workflow of using an IPsec tunnel in a vRouter network is as follows:
1. In the first environment, create an IPsec tunnel, specify the local public IP address of the first environment, and specify a local private network that is available. Enter the public IP address of the second environment as the peer IP address, and enter the private network specified in the second environment as the peer network.
2. In the second environment, create an IPsec tunnel, specify the local public IP address of the second environment, and specify a local private network that is available. Enter the public IP address of the first environment as the peer IP address, and enter the private network specified in the first environment as the peer network.

Note: The private IP ranges in these two vRouter network environments cannot overlap.

Create IPsec Tunnel in the First Environment

In the navigation pane of the ZStack Private Cloud UI, choose Network Service > VPN > IPsec Tunnel. On the IPsec Tunnel page, click Create IPsec Tunnel. On the displayed Create IPsec Tunnel page, set the following parameters:
• Name: Enter a name for the IPsec tunnel, for example, IPsecTunnel-1.
• Description: Optional. Enter a description for the IPsec tunnel.
• Select VIP: Select a VIP for the IPsec tunnel. The IPsec tunnel service is provided by a VIP.
  To use a VIP, select one of the following methods:
  ▬ Create new IP: To create a new VIP, set the following parameters:
    ■ Network: Select a network that provides the VIP. The network can be a public network or a flat network.
    ■ IP Range: Optional. Specify an IP range. Note that an IPv4 public network allows you to select a normal IP range or an IP address pool.
    ■ Specified IP: Optional. Specify a VIP. If not specified, the system automatically assigns a VIP.
    As shown in Figure 7-155: Create new VIP.

Figure 7-155: Create new VIP

  ▬ Use existing IP: To use an existing VIP, set the following parameter:
    ■ VIP: Select an existing VIP.
    As shown in Figure 7-156: Use existing VIP.

Figure 7-156: Use existing VIP

  Note: The system VIP provided by vRouters can be used to provide IPsec tunnel services.
• Local Subnet: Select a private network attached to the local vRouter. If only one private network is attached to the local vRouter, this private network is selected by default.
• Peer Public IP: Enter the public IP address of the peer network.
• Peer CIDR: Enter the private CIDR specified on the peer network.
• Authentication Key: Enter an authentication key. We recommend that you use a strong authentication key.
• Advanced: Configure the advanced options as needed. The default values of the following options can be used to connect the private networks in these two network environments.
  ▬ Authentication Mode: psk
  ▬ IPsec Mode: tunnel
  ▬ IKE Authentication Algorithm: sha1
  ▬ IKE Encryption Algorithm: 3des
  ▬ IKE DH Group: 2
  ▬ IPsec Security Protocol: esp
  ▬ ESP Authentication Algorithm: sha1
  ▬ ESP Encryption Algorithm: 3des
  ▬ Perfect Forward Secrecy: dh-group2

Note:
• In practice, to connect your vRouter in ZStack Private Cloud to third-party devices that support IPsec tunnels, you need to configure the advanced options on both sides as needed.
• When you create an IPsec tunnel, you need to modify the advanced options according to the peer network.

As shown in Figure 7-157: Create IPsecTunnel-1.

Figure 7-157: Create IPsecTunnel-1

Create IPsec Tunnel in the Second Environment

The procedure for creating an IPsec tunnel in the second ZStack environment is the same as that in the first environment. You only need to modify some parameters in the second environment, as shown in Figure 7-158: Create IPsecTunnel-2.

Figure 7-158: Create IPsecTunnel-2

After these two IPsec tunnels are created, the private networks in these two ZStack environments can communicate with each other.

IPsec Tunnel Operations

In the vRouter network scenario, you can perform the following operations on an IPsec tunnel:
• Modify name and description: Modify the name and description of the IPsec tunnel.
• Delete: Delete the IPsec tunnel. Note that the services provided by the IPsec tunnel are also deleted. However, the corresponding VIP and the services associated with the VIP are not affected.
• Audit: View the related operations supported by the IPsec tunnel.
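The two-environment procedure above (local and peer values swapped on the second side, identical advanced options and authentication key on both sides, and private ranges that must not overlap) as an added Python helper that derives the second tunnel from the first and checks the pair. This is not ZStack code; the class and function names and the documentation addresses are assumptions, and the advanced option defaults are the ones listed in this section.

```python
"""Helper for the two-environment IPsec tunnel procedure described above: it
derives the mirrored second-environment tunnel from the first and checks the
pair for the consistency the procedure requires. Added example, not ZStack
code; names and sample addresses are assumptions."""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Default values of the Advanced options listed in this section
DEFAULT_ADVANCED: Dict[str, str] = {
    "Authentication Mode": "psk",
    "IPsec Mode": "tunnel",
    "IKE Authentication Algorithm": "sha1",
    "IKE Encryption Algorithm": "3des",
    "IKE DH Group": "2",
    "IPsec Security Protocol": "esp",
    "ESP Authentication Algorithm": "sha1",
    "ESP Encryption Algorithm": "3des",
    "Perfect Forward Secrecy": "dh-group2",
}


@dataclass(frozen=True)
class IPsecTunnelSpec:
    name: str
    local_public_ip: str      # the VIP selected for the tunnel
    local_subnets: List[str]  # Local Subnet(s) in CIDR notation
    peer_public_ip: str       # Peer Public IP
    peer_cidrs: List[str]     # Peer CIDR(s)
    auth_key: str             # Authentication Key, shared by both sides in psk mode
    advanced: Dict[str, str] = field(default_factory=lambda: dict(DEFAULT_ADVANCED))


def mirror_tunnel(first: IPsecTunnelSpec, name: str) -> IPsecTunnelSpec:
    """Second-environment tunnel: local and peer sides swap, the rest is kept."""
    return replace(first, name=name,
                   local_public_ip=first.peer_public_ip,
                   local_subnets=list(first.peer_cidrs),
                   peer_public_ip=first.local_public_ip,
                   peer_cidrs=list(first.local_subnets))


def check_tunnel_pair(a: IPsecTunnelSpec, b: IPsecTunnelSpec) -> List[str]:
    """Return the problems that would stop the two tunnels from connecting."""
    problems: List[str] = []
    for spec in (a, b):  # malformed addresses raise ValueError here
        ip_address(spec.local_public_ip)
        ip_address(spec.peer_public_ip)
        for cidr in spec.local_subnets + spec.peer_cidrs:
            ip_network(cidr)
    if a.peer_public_ip != b.local_public_ip or b.peer_public_ip != a.local_public_ip:
        problems.append("peer public IPs do not point at each other")
    if (sorted(a.peer_cidrs) != sorted(b.local_subnets)
            or sorted(b.peer_cidrs) != sorted(a.local_subnets)):
        problems.append("peer CIDRs do not match the other side's local subnets")
    if a.auth_key != b.auth_key:
        problems.append("authentication keys differ")
    if a.advanced != b.advanced:
        keys = set(a.advanced) | set(b.advanced)
        diff = sorted(k for k in keys if a.advanced.get(k) != b.advanced.get(k))
        problems.append("advanced options differ: " + ", ".join(diff))
    # the private IP ranges of the two environments must not overlap
    for local in a.local_subnets:
        for remote in b.local_subnets:
            if ip_network(local).overlaps(ip_network(remote)):
                problems.append(f"private ranges overlap: {local} and {remote}")
    return problems


# Constructed first environment (documentation addresses) and its mirror
FIRST = IPsecTunnelSpec("IPsecTunnel-1", "203.0.113.10", ["10.10.0.0/24"],
                        "198.51.100.20", ["10.20.0.0/24"], "example-psk-key")
SECOND = mirror_tunnel(FIRST, "IPsecTunnel-2")
```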
In the VPC network scenario, you can perform the following operations on an IPsec tunnel:
• Modify name and description: Modify the name and description of the IPsec tunnel.
• Attach local subnet: Attach an additional local private network to the IPsec tunnel. More than one local subnet can be attached in the VPC network scenario.
• Detach local subnet: Detach a local private network from the IPsec tunnel.
• Add peer CIDR: Add an additional peer CIDR to the IPsec tunnel. More than one peer CIDR can be added in the VPC network scenario.
• Delete peer CIDR: Delete a peer CIDR from the IPsec tunnel.
• Delete: Delete the IPsec tunnel. The services provided by the tunnel are deleted with it; the corresponding VIP and the services associated with the VIP are not affected.
• Audit: View the operations performed on the IPsec tunnel.
7.4.6 Load Balancing
Load balancing distributes inbound traffic from a VIP to a group of backend VM instances and automatically detects and isolates VM instances that become unavailable. This improves the capacity and availability of your services.
• Load balancing automatically distributes inbound application traffic to the preconfigured backend VM instances, providing highly concurrent and highly reliable access.
• You can add or remove the VM instances behind a listener to adjust capacity without affecting normal access to the service.
• A listener supports four protocols: TCP, HTTP, HTTPS, and UDP.
• If the listener protocol is HTTPS, you must bind a certificate. You can upload a certificate or provide a certificate link.
• A load balancer allows you to configure multiple forwarding policies for fine-grained forwarding control.
• Real-time SLB traffic and connection counts are available in the monitoring data.
The following is an example of providing the load balancing service by using a VIP in a flat network, vRouter network, or VPC network scenario, as shown in Figure 7-159: VIP - Load Balancing.
Definitions related to load balancing:
• Frontend network: The network that provides the VIP. Public networks, flat networks, and VPC networks can be used as frontend networks.
• Backend network: The private network on which the backend VM instances are created. Flat networks, vRouter networks, and VPC networks can be used as backend networks.
• Internet load balancing: A public network is used as the frontend network to provide Internet-facing load balancing through a router (a VPC vRouter or a vRouter).
▬ A VPC network can be used as the backend network. In this scenario, multiple backend networks can be used, but they must all be attached to the same VPC vRouter.
▬ A vRouter network can be used as the backend network. In this scenario, the L3 network attached to the vRouter must be the same as the frontend network.
▬ A flat network can be used as the backend network. In this scenario, the L3 network attached to the vRouter must be the same as the frontend network.
• Intranet load balancing (VPC private network): A VPC network is used as the frontend network to provide intranet load balancing through a VPC vRouter.
▬ A VPC network that shares the same VPC vRouter with the frontend network can be used as the backend network.
▬ In this scenario, multiple backend networks can be used, but they must all be attached to the same VPC vRouter.
• Intranet load balancing (flat network): A flat network is used as the frontend network to provide intranet load balancing through a vRouter.
▬ The frontend network itself can also serve as the backend network. In this scenario, the L3 network specified in the vRouter offering attached to the frontend network can be either a public network or a flat network.
▬ Other flat networks can also serve as the backend network. In this scenario, the L3 network attached to the vRouter must be the same as the frontend network.
Note: To use intranet load balancing on a flat network, attach a vRouter offering to the flat network in advance.
How to Use Load Balancing
The basic workflow for using load balancing is as follows:
1. Create a load balancer.
2. Create a listener and add it to the load balancer. Specify the mapping between the load balancer port and the VM port, and set the rules and the algorithm.
3. Select a VM NIC from the specified L3 network and bind it to the listener. The load balancer takes effect once a NIC is bound.
Create Load Balancer
In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Load Balancing > Load Balancer. On the Load Balancer page, click Create Load Balancer. On the displayed Create Load Balancer page, set the following parameters:
• Name: Enter a name for the load balancer.
• Description: Optional. Enter a description for the load balancer.
• Select VIP: Select a VIP. The load balancing service is provided through the VIP.
To use a VIP, select one of the following methods:
• Create new IP: To create a new VIP, set the following parameters:
▬ Network: Select the network that provides the VIP. The network can be a public network, a VPC network, or a flat network.
■ A VIP created from a public network can provide network services, such as EIP and load balancing, for flat networks.
■ A VIP created from a public network can provide network services, such as EIP, port forwarding, load balancing, and IPsec tunnel, for vRouter networks and VPC networks.
■ A VIP created from a VPC network can provide load balancing for VPC networks.
■ A VIP created from a flat network can provide network services, such as EIP and load balancing, for flat networks.
▬ IP Range: Optional. Specify an IP range. Note that an IPv4 public network allows you to select a normal IP range or an IP address pool.
▬ Specified IP: Optional. Specify a VIP. If not specified, the system automatically assigns one.
As shown in Figure 7-160: Create new VIP.
• Use existing VIP: To use an existing VIP, set the following parameter:
▬ VIP: Select an existing VIP, which can be a custom VIP or a system VIP.
■ Custom VIP: A VIP created manually by a user. You can create a public VIP, a VPC VIP, or a flat VIP as needed.
■ System VIP: A VIP created automatically by the system on the L3 network attached to a vRouter (a vRouter or a VPC vRouter) when the vRouter is created. Both public VIPs and flat VIPs can be created this way.
As shown in Figure 7-161: Use existing VIP.
• Listener: Optional.
You can create a listener and add it to the load balancer when you create the load balancer, or create and add a listener afterwards. As shown in Figure 7-162: Create Load Balancer.
Create Listener
Assume that you create a listener directly when creating a load balancer and add it to the load balancer. On the Create Load Balancer page, click Create Listener under Listener. On the displayed Create Listener page, set the following parameters:
• Name: Enter a name for the listener.
• Description: Optional. Enter a description for the listener.
• Protocol: Select a protocol. Options: TCP | HTTP | HTTPS | UDP.
▬ If you select TCP, HTTP, or UDP, ports 1-65535 are supported.
▬ If you select HTTPS, note that:
■ Ports 1-65535 are supported.
■ A certificate is required. You can upload a certificate or the link of a certificate. For information about how to upload and manage a certificate, see the Certificate topic.
■ The Certificate parameter is mandatory: you must attach a certificate to the listener when you select HTTPS, as shown in Figure 7-163: Attach a Certificate When Selecting HTTPS.
• Load Balancer Port: Select a port between 1 and 65535 as the port on which the VIP accepts traffic.
• VM Port: Select a port between 1 and 65535 as the port on the VM instances. For example, if you set the load balancer port to 80 and the VM port to 5000, traffic to port 80 of the load balancer is forwarded to port 5000 of the VM instances. As shown in Figure 7-164: Create Listener.
• Advanced: Configure the advanced options as needed.
▬ Health Check Protocol: Set the health check protocol. Options: TCP | HTTP | UDP.
The health check protocol can differ from the listener protocol.
■ If the listener protocol is TCP, HTTP, or HTTPS, the health check protocol can be TCP or HTTP.
■ If the listener protocol is UDP, the health check protocol is UDP.
■ If you select HTTP, you can configure the normal status code, health check path, and health check method.
■ Normal Status Code: The HTTP status code classes that count as a passed health check. You can select more than one class. Options: http_2xx | http_3xx | http_4xx | http_5xx. Select only the classes your application returns when it is actually healthy; accepting http_4xx or http_5xx hides real failures.
■ Health Check Path: The URI of the page on which health checks are performed, for example, /healthcheck.html. We recommend a static page. When you set a health check path, note that:
■ The path must be 2 to 80 characters long.
■ The path can contain only letters, digits, the special characters - / . % ? # &, or a combination of these.
■ The path must start with a forward slash (/).
■ Health Check Method: Check whether the server application is healthy by sending a HEAD or GET request that simulates a browser. Default method: HEAD.
▬ Idle Connection Timeout: The time after which the load balancer closes a connection between client and server when no data is transmitted. Default value: 60 seconds.
▬ Health Check Threshold: The number of consecutive successful health checks required before an unhealthy VM instance is considered healthy again. Default value: 2.
▬ Health Check Port: Default value: default, meaning the health check uses the VM port. You can specify another port as needed.
▬ Unhealth Check Threshold: The number of consecutive failed health checks required before a VM instance is considered unhealthy. Default value: 2.
▬ Health Check Interval: The time between two health checks of an individual VM instance.
Default value: 5 seconds.
▬ Max Connection: The maximum number of concurrent connections of the load balancer. Default value: 5,000. Value range: 1-100,000.
▬ Load Balancer Algorithm: The algorithm the load balancer uses to choose a backend for each request or connection. Default value: roundrobin (round robin). The supported algorithms are as follows:
• roundrobin (round robin): Requests are distributed to the bound VM instances in turn. Each VM instance is treated equally, regardless of its current number of connections and system load.
• leastconn (least connections): Requests are dynamically scheduled to the VM instance with the fewest established connections. If the VM instances have similar performance, leastconn balances the load better than round robin.
• source (source hashing): The target server is looked up in a hash table keyed by the client source IP address, so the same client keeps reaching the same VM instance. If the target server is available and not overloaded, the request is sent to it; otherwise, no response is returned.
• weightroundrobin (weighted round robin): A generalization of round robin in which requests are distributed to the VM instances in proportion to their weights. VM instances with a higher weight receive more requests.
As shown in Figure 7-165: Create Listener - Advanced Configurations.
Bind VM NIC to Listener
In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Load Balancing > Listener. On the Listener page, select the target listener, and choose Actions > Bind VM NIC.
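To make the advanced listener options above concrete, the following added example (not ZStack code) models the health-check path rules, the normal status code classes, the healthy/unhealthy threshold hysteresis, and the four algorithms, dispatching only to backends that are currently healthy. The hash used for source scheduling, tie-breaking in weighted round robin, and the treatment of weight 0 as "out of rotation" are assumptions of the example; the page states only the 0-100 range.

```python
# Added example (not ZStack code): a model of the listener's health-check options
# and backend selection algorithms described above, using the documented defaults
# (healthy/unhealthy thresholds of 2, status-code classes http_2xx..http_5xx, and
# the health-check path rules). Hashing and tie-breaking details are assumptions.
import re
import zlib

# 2-80 characters, leading '/', then only letters, digits and - / . % ? # &
HEALTH_PATH_RE = re.compile(r"/[A-Za-z0-9\-/.%?#&]{1,79}")

def validate_health_check_path(path):
    return HEALTH_PATH_RE.fullmatch(path) is not None

def status_matches(status, normal_codes):
    """normal_codes is a set of classes such as {"http_2xx", "http_3xx"}."""
    return f"http_{status // 100}xx" in normal_codes

class BackendHealth:
    """Consecutive-success / consecutive-failure counters with hysteresis."""
    def __init__(self, healthy_threshold=2, unhealthy_threshold=2):
        self.healthy = True
        self.ok_streak = self.fail_streak = 0
        self.healthy_threshold = healthy_threshold
        self.unhealthy_threshold = unhealthy_threshold

    def observe(self, passed):
        """Feed one health-check result; return the backend's state afterwards."""
        if passed:
            self.ok_streak, self.fail_streak = self.ok_streak + 1, 0
            if not self.healthy and self.ok_streak >= self.healthy_threshold:
                self.healthy = True
        else:
            self.fail_streak, self.ok_streak = self.fail_streak + 1, 0
            if self.healthy and self.fail_streak >= self.unhealthy_threshold:
                self.healthy = False
        return self.healthy

def make_backend(name, weight=100):
    """weight is the 0-100 value set when binding a NIC; 100 is the documented default."""
    return {"name": name, "weight": weight, "conns": 0, "health": BackendHealth()}

class Scheduler:
    """roundrobin / leastconn / source / weightroundrobin over healthy backends only."""
    def __init__(self, backends, algorithm="roundrobin"):
        self.backends, self.algorithm = backends, algorithm
        self.rr_index = 0
        self.credit = {}   # smooth weighted round robin state (assumed variant)

    def _alive(self):
        return [b for b in self.backends if b["health"].healthy and b["weight"] > 0]

    def pick(self, client_ip=None):
        """Return the name of the backend chosen for a new connection, or None."""
        alive = self._alive()
        if not alive:
            return None
        if self.algorithm == "roundrobin":
            chosen = alive[self.rr_index % len(alive)]
            self.rr_index += 1
        elif self.algorithm == "leastconn":
            chosen = min(alive, key=lambda b: b["conns"])
        elif self.algorithm == "source":
            if client_ip is None:
                raise ValueError("source hashing needs the client IP")
            chosen = alive[zlib.crc32(client_ip.encode()) % len(alive)]
        elif self.algorithm == "weightroundrobin":
            for b in alive:
                self.credit[b["name"]] = self.credit.get(b["name"], 0) + b["weight"]
            chosen = max(alive, key=lambda b: self.credit[b["name"]])
            self.credit[chosen["name"]] -= sum(b["weight"] for b in alive)
        else:
            raise ValueError(f"unknown algorithm {self.algorithm}")
        chosen["conns"] += 1
        return chosen["name"]
```

With both thresholds at their default of 2, a backend needs two consecutive failures to leave the pool and two consecutive successes to return, so a single flapping check never changes where traffic goes; with source hashing, note that a backend leaving or rejoining the pool changes the modulus and therefore re-maps clients.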
On the displayed Bind VM NIC page, set the following parameters:
• Network: Select a private network that has available VM NICs. Make sure that the network meets the following requirements:
▬ The network has been used to create a VM instance and has an available VM NIC.
▬ If you use a public VIP to provide load balancing, the network must belong to the VPC vRouter or vRouter behind the public network that provides the VIP.
▬ If you use a private VIP to provide load balancing, the network must belong to the VPC vRouter behind the private network (the VPC network that provides the VIP).
Note: If this listener is used by an elastic scaling group, make sure that the network you select shares the same vRouter with the L3 network used by the elastic scaling group.
• VM NIC: Select a VM NIC.
Note: If you select weighted round robin as the load balancing algorithm, you can set the weight value. Value range: 0-100.
As shown in Figure 7-166: Bind VM NIC to Listener.
Click OK. The chosen VM NICs are bound to the listener.
After the preceding configuration is complete, the load balancer forwards traffic to the destination VM instances according to the specified forwarding policy.
Modify Listener Parameters
You can modify the following parameters of a listener: health check protocol, idle connection timeout, health check threshold, health check port, unhealth check threshold, health check interval, maximum connection, and load balancer algorithm. If the health check protocol is HTTP, you can also modify the normal status code, health check path, and health check method.
To modify the parameters of a listener, follow these steps:
On the Listener page, click the name of a listener to go to its details page.
On the Basic Attributes tab, click the edit icon on the right of Advanced. As shown in Figure 7-167: Modify Listener Parameters.
Note:
• The modification takes effect immediately.
• Modifying the parameters might interrupt traffic. We recommend that you stop the services behind the listener before making any modification.
• After the load balancing algorithm is changed to weighted round robin, the default weight of every VM instance is 100. You can modify the weight on the VM NIC tab of the listener.
Load Balancer Operations
You can perform the following operations on a load balancer:
• Modify name and description: Modify the name and description of the load balancer.
• Create listener: Create a listener for the load balancer.
• Delete: Delete the load balancer. The associated listeners and load balancing service are deleted with it; the related VIP and the services associated with the VIP are not affected.
• Audit: View the operations performed on the load balancer.
You can perform the following operations on a listener:
• Modify name and description: Modify the name and description of the listener.
• Bind VM NIC: Bind a VM NIC to the listener. The VM instance then becomes a load balancing backend that serves according to the listener rule.
• Unbind VM NIC: Unbind a VM NIC from the listener. The VM NIC is removed from the load balancing pool.
• Set weight value: When the algorithm is weighted round robin, set the weight of the corresponding VM instances as needed. Value range: 0-100.
• Bind certificate: If the listener protocol is HTTPS, bind a certificate or a certificate link to the listener. This operation is not supported for TCP, HTTP, or UDP listeners.
• Unbind certificate: If the listener protocol is HTTPS, you can unbind a certificate from the listener. This operation is not supported for TCP, HTTP, or UDP listeners.
• Display the number of healthy VM instances: Display the number of healthy VM instances attached to the listener on the Listener page, shown as healthy backends/total backends.
• Monitoring data: Display the monitoring data of the listener, such as sessions and inbound/outbound traffic.
• Delete: Delete the listener. The load balancing service provided by the listener is deleted with it.
• Audit: View the operations performed on the listener.
Load Balancing Constraints
The constraints of the load balancing service are as follows:
• You can create more than one listener for a load balancer.
• The VM NICs bound to a listener must share the same L3 network.
• If the listener protocol is HTTPS, you can bind only one certificate to the listener at a time. To change the certificate, unbind the current one first.
7.4.7 Flow Monitoring
7.4.7.1 Flow Network
A flow network is a dedicated network for port mirroring. It carries the mirrored traffic of a NIC to the remote end. A flow network cannot be used for any other purpose and cannot be used to create VM instances.
Create Flow Network
In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Flow Network. On the Flow Network page, click Create Flow Network. On the displayed Create Flow Network page, set the following parameters:
• Name: Enter a name for the flow network.
• Description: Optional. Enter a description for the flow network.
• L2 Network: Select the L2 network on which the flow network is created.
Note: An L2 network can be used to create multiple L3 networks.
Click the plus sign (⊕) under the L2 Network field.
Then, the Select L2 Network page is displayed on the right. This page has the following two tabs:
• Default: Lists the L2 networks in the current zone that have no L3 network attached.
• All: Lists all L2 networks in the current zone, whether or not they have an L3 network attached.
• Add IP Range: Select a method to add an IP range. Options: IP range | CIDR.
▬ If you select IP range, set the following parameters:
■ Start IP: Enter the start IP address, for example, 172.20.108.100.
■ End IP: Enter the end IP address, for example, 172.20.108.120.
Note: The range between the start IP address and the end IP address cannot contain link-local addresses (169.254.0.0/16).
■ Netmask: Enter a netmask, for example, 255.255.0.0.
■ Gateway: Set a gateway, for example, 172.20.0.1.
▬ If you select CIDR, set the following parameters:
■ CIDR: Enter a CIDR, for example, 192.168.1.1/24.
Note: The CIDR cannot contain link-local addresses (169.254.0.0/16).
■ Gateway: Set a gateway, for example, 192.168.1.1.
Note:
• The first or last IP address in the CIDR can be used as the gateway.
• If not specified, the first IP address in the CIDR is used as the gateway by default.
As shown in Figure 7-168: Create Flow Network.
Flow Network Operations
You can perform the following operations on a flow network:
• Create flow network: Create a new flow network.
• Add IP range: Add an IP range to the flow network.
• Delete: Delete the flow network.
Note: Deleting a flow network also deletes the port mirroring that uses it.
7.4.7.2 Port Mirroring
Port mirroring sends a copy of the network traffic of a VM NIC from a source port to a destination port, where the packets can be analyzed.
With port mirroring, network data can be monitored and managed, and problems can be located quickly when network failures occur. Because the destination receives complete copies of the mirrored packets, payloads included, treat the destination VM instance and the flow network as sensitive: restrict who can attach VM instances to the flow network and who can log in to the monitoring VM instance.
Create Port Mirroring
In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Port Mirroring. On the Port Mirroring page, click Create Port Mirroring. On the displayed Create Port Mirroring page, set the following parameters:
• Name: Enter a name for the port mirroring.
• Description: Optional. Enter a description for the port mirroring.
• Flow Network: Select the flow network used by the port mirroring.
Note:
• A flow network is a dedicated network for port mirroring and carries the mirrored traffic of a NIC to the remote end.
• A flow network applies only to port mirroring and cannot be used as any other kind of network.
• One port mirroring occupies one flow network.
• Make sure that the VM instances monitored by the port mirroring are in the cluster to which the flow network is attached.
• Enable immediately after creation: Choose whether to enable the port mirroring immediately after it is created. Enabling port mirroring consumes physical network bandwidth; before you select this checkbox, make sure that the business traffic can tolerate it.
• Add session immediately after creation: Choose whether to add sessions immediately after the port mirroring is created. A session mirrors the network traffic of one VM NIC. One port mirroring can have multiple sessions.
As shown in Figure 7-169: Create Port Mirroring.
Add Session
A session mirrors the network traffic of one VM NIC. After a session is added, a copy of the traffic on the source port is sent to the destination port.
You can select Add session immediately after creation to add sessions while creating the port mirroring, or add sessions after the port mirroring is created. If you use the second method, set the following parameters:
• Name: Enter a name for the session.
• Type: Select the direction of the network traffic to be copied. Options: Ingress | Egress | Bidirection.
▬ Ingress: Sends a copy of the packets received by the source port to the destination port.
▬ Egress: Sends a copy of the packets sent from the source port to the destination port.
▬ Bidirection: Sends a copy of the packets both received and sent by the source port to the destination port.
• VM Instance and NIC of the source port: Select the VM instance and NIC to be monitored. Packets sent from and received by the source port are copied to the destination port.
• VM Instance and NIC of the destination port: Select the VM instance and NIC that receive the mirrored traffic. The destination port delivers the copied packets to the monitoring device.
Note:
• The VM NIC of the destination port cannot be the default network NIC.
• To ensure that the port mirroring works properly, do not set QoS on the NICs of the source port and destination port.
As shown in Figure 7-170: Add Session.
Port Mirroring Operations
You can perform the following operations on a port mirroring:
• Modify name and description: Modify the name and description of the port mirroring.
• Enable: Enable the port mirroring.
• Disable: Disable the port mirroring.
• Delete: Delete the port mirroring.
• Add session: Add a session to the port mirroring.
• Delete session: Delete a session from the port mirroring.
• Audit: View the operations performed on the port mirroring.
7.4.7.3 Netflow
Netflow is a network protocol for analyzing and monitoring the inbound and outbound traffic of VPC vRouter NICs. Two export formats are currently supported: Netflow V5 and Netflow V9.
Add Netflow
In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Netflow. On the Netflow page, click Create Netflow. On the displayed Create Netflow page, set the following parameters:
• Name: Enter a name for the Netflow.
• Description: Optional. Enter a description for the Netflow.
• IP: Enter the IP address of the collector.
• Port: Enter the port of the collector.
Note: The IP and port of the collector must be configured correctly for the Netflow service to work.
• Version: Select a Netflow version.
Note: Different Netflow versions use different output formats. Choose the version your collector expects.
• Export Interval: Set the flow export interval. The VPC vRouter sends flow records to the collector at this interval.
• VPC vRouter: Select the VPC vRouter and the networks to be monitored.
As shown in Figure 7-171: Add Netflow.
Notice
• One Netflow can monitor the traffic of multiple networks on multiple VPC vRouters. All networks of one VPC vRouter can only be attached to the same Netflow.
• The IP and port of the collector must be configured correctly. Otherwise, the collected data might be lost.
• Netflow export, V5 and V9 alike, is sent as plain datagrams with no authentication or encryption. Place the collector on a trusted network that the VPC vRouter's public network can reach, and filter the collector port so that it accepts datagrams only from the exporting VPC vRouters.
• A Netflow collects the north-south traffic of a VPC vRouter and the east-west traffic across networks. In distributed routing mode, the east-west data might be inaccurate because of performance optimizations.
• When a Netflow monitors the routers in a VPC high availability group, it continuously monitors the traffic of the primary router to ensure data integrity.
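The collector named by the IP and Port fields above has to understand the selected export format. The following is an added example, not ZStack code, of a minimal Netflow V5 decoder of the kind such a collector runs: V5 is a fixed layout of a 24-byte header followed by up to 30 records of 48 bytes each, so it can be parsed with struct alone. The export datagram is constructed inline so the example runs offline; V9 is template-based and is not handled here.

```python
# Added example (not ZStack code): decode NetFlow v5 export datagrams the way a
# collector listening on the configured IP/port would. v5 is a fixed layout of a
# 24-byte header followed by up to 30 records of 48 bytes; v9 is template-based
# and is not handled here. The sample datagram is constructed inline.
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # version .. sampling_interval
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow
MAX_RECORDS = 30

def parse_netflow_v5(datagram):
    """Return (header dict, list of flow dicts); raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, unix_secs, _nsecs, seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "unix_secs": unix_secs, "sequence": seq,
              "sampling_interval": sampling & 0x3FFF}   # low 14 bits
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "bytes": f[6], "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return header, flows

def top_talkers(flows):
    """Bytes per source address, the first summary most people want from a vRouter export."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return dict(totals)

def build_sample_datagram():
    """Constructed export with two flows: an SSH session and a DNS query (sample data)."""
    header = V5_HEADER.pack(5, 2, 123456, 1719500000, 0, 42, 0, 0, 0)
    ssh = V5_RECORD.pack(socket.inet_aton("192.168.1.10"), socket.inet_aton("10.108.10.5"),
                         socket.inet_aton("10.108.10.1"), 1, 2, 10, 1500, 100000, 105000,
                         51234, 22, 0, 0x18, 6, 0, 0, 0, 24, 8, 0)
    dns = V5_RECORD.pack(socket.inet_aton("192.168.1.11"), socket.inet_aton("8.8.8.8"),
                         socket.inet_aton("10.108.10.1"), 1, 2, 1, 64, 110000, 110000,
                         40000, 53, 0, 0, 17, 0, 0, 0, 24, 32, 0)
    return header + ssh + dns

def run_collector(bind_ip, port, handle=print):
    """Blocking UDP receive loop; bind_ip/port are the values entered in the Netflow form."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(65535)
        try:
            handle(peer, *parse_netflow_v5(data))
        except ValueError as err:
            handle(peer, {"error": str(err)}, [])

if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(build_sample_datagram())
    print(hdr, top_talkers(flows))
```

The length check against the record count matters on a real collector port: the export is unauthenticated, so a truncated or forged datagram must be rejected rather than read past its end, and run_collector keeps serving after such an error instead of exiting.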
• When a Netflow monitors the traffic of a VPC vRouter, it consumes VPC vRouter resources. Choose a monitoring scope that limits the impact on VPC vRouter performance:
▬ The more VPC networks a Netflow monitors, the greater the impact on the performance of the VPC vRouter.
▬ The shorter the export interval, the greater the impact on the performance of the VPC vRouter and the greater the load on the service network bandwidth.
▬ Use a stable network so that the public network of the VPC vRouter can always reach the collector; otherwise the Netflow service cannot deliver records.
7.5 Network Tutorial
This network tutorial contains the following contents:
• Flat network tutorial
• vRouter network tutorial
• VPC tutorial
7.5.1 VPC Network Tutorial
7.5.1.1 Introduction
Virtual Private Cloud (VPC) is a custom network environment that consists of a VPC vRouter and VPC networks. VPC helps enterprise users build a logically isolated private cloud.
VPC vRouter and VPC Network
A VPC consists of a VPC vRouter and VPC networks.
1. VPC vRouter: a vRouter created from a vRouter offering. A VPC vRouter has two types of networks: a public network and a management network.
• The VPC vRouter is the core of the VPC. A VPC vRouter is created by specifying a vRouter offering.
• Before you create a vRouter offering, you must create the required public network, management network, and vRouter image.
• VPC networks and other networks can be attached to or detached from a VPC vRouter.
• The public network and the management network defined by the vRouter offering cannot be detached.
• You can use the same vRouter offering to create multiple VPC vRouters.
These VPC vRouters share both the public IP range and the management IP range defined by the vRouter offering.
• The public network is the default network used to provide network services.
• VPC vRouters have a higher resource priority than VM instances. When host load is extremely high and resources are contended, the priority from low to high is: VM instances with Normal priority < VM instances with High priority < VPC vRouters. For example, when CPU is contended on a host, VPC vRouters obtain CPU time ahead of VM instances.
2. VPC network: a private network that can be attached to a VPC vRouter.
• Before you create an L3 VPC network, you must create an L2 network.
• When you create a VPC network, you can specify a VPC vRouter, or you can attach a VPC vRouter to the VPC network afterwards.
• If VM instances are using a VPC network, you cannot detach that VPC network from the VPC vRouter.
• A newly created IP range must not overlap with any IP range already attached to the VPC vRouter.
The VPC network topology is shown in Figure 7-172: VPC Network Topology.
High Availability Group of VPC vRouter
High availability (HA) group: You can deploy two VPC vRouters in an active-backup configuration. When the active VPC vRouter fails, the backup VPC vRouter automatically takes over, ensuring business continuity.
Note: The VPC vRouters in an HA group are displayed only on the details page of the HA group, not as separate entries in the vRouter table.
VPC Features
VPC has the following features:
• Flexible network configuration: Different VPC networks can be attached to VPC vRouters as needed. You can customize an independent IP range and an independent gateway for each VPC network.
VPC vRouters allow you to attach or detach gateways, and to dynamically configure route tables and route entries.
• Secure and reliable isolation: VPC networks in different VPCs are logically isolated. VPC networks support VLAN and VXLAN for layer 2 isolation, and the VPCs of different accounts do not affect each other.
• Multi-subnet interconnection: Multiple VPC networks under the same VPC can communicate privately and securely with one another.
• Network traffic optimization: VPC supports distributed routing, which optimizes east-west traffic and reduces network latency.
• VPC vRouter HA: In a VPC vRouter HA group, two VPC vRouters are deployed in an active-backup configuration. When the active VPC vRouter fails, the backup VPC vRouter automatically takes over, ensuring business continuity.
VPC Network Service
A VPC network, acting as a private network, provides a group of network services through the VPC vRouter:
• DHCP: By default, the VPC network provides distributed DHCP through the flat network service module.
• DNS: The VPC vRouter acts as the DNS server for VM instances on the VPC network. The DNS address handed to the VM instances is the IP address of the VPC vRouter, which forwards queries to the DNS addresses you configure.
• SNAT: The VPC vRouter provides source network address translation (SNAT) so that VM instances can reach the Internet directly.
• Route table: Use the route table to manage and customize routes.
• Security group: The security group service is provided by the security group network service module. It configures and manages per-VM firewall rules using iptables.
• Elastic IP address (EIP): You can bind an EIP to a VM instance on a VPC network.
Then, the public network can interconnect with the private network of the VM instance.
• Port forwarding: The port forwarding service allows a public IP address to interconnect with the private IP address of a VM instance. To be more specific, you can create port forwarding rules to allow the outside network to reach specific ports of your VM instances.
• Load balancing: The load balancing service distributes your inbound traffic from a public IP address to a group of backend VM instances. This service also automatically checks and isolates VM instances that are unavailable.
• IPsec tunnel: The IPsec tunnel can be used to interconnect different virtual private networks (VPNs).
• Dynamic routing: The VPC vRouter supports the Open Shortest Path First (OSPF) routing protocol, which is used to distribute routing information within a single autonomous system.
• Multicast routing: The VPC vRouter forwards the multicast information sent by the multicast source to VM instances, achieving one-to-multipoint communication between the transmission side and the receiving side.
• VPC firewall: The VPC firewall filters the north-south traffic on the VPC vRouter ports, effectively protecting the VPC communication security and VPC vRouter security.
• Netflow: The Netflow service monitors and analyzes the inbound and outbound traffic of the VPC vRouter NICs. Currently, the following two data-flow output formats are supported: Netflow V5 and Netflow V9.
7.5.1.2 Prerequisites
The latest version of ZStack is installed, and the basic initialization is completed. Specifically, basic hardware resources, such as a zone, cluster, host, backup storage, and primary storage, are added, and an instance offering is created. For more information, see the installation and deployment section and the Wizard configuration section in the User Guide.
This tutorial elaborates on the basic deployment of a VPC.
7.5.1.3 Basic Deployment
Context
The basic procedure for deploying a VPC is as follows:
1. Create an L2 public network and attach it to the corresponding cluster.
2. Create an L3 public network.
3. Create an L2 management network and attach it to the corresponding cluster.
4. Create an L3 management network to communicate with physical resources, such as hosts, primary storages, and backup storages.
5. Add a vRouter image.
6. Create a vRouter offering.
7. Create a VPC vRouter from the vRouter offering you created in the preceding step.
8. Create an L2 private network and attach it to the corresponding cluster. This L2 private network is used to create an L3 VPC network (VPC Network-1).
9. Specify a VPC vRouter to create an L3 VPC network (VPC Network-1). Note that the IP ranges cannot overlap.
10. Create an L2 private network and attach it to the corresponding cluster. This L2 private network is used to create an L3 VPC network (VPC Network-2).
11. Specify a VPC vRouter to create an L3 VPC network (VPC Network-2). Note that the IP ranges cannot overlap.
12. Use VPC Network-1 and VPC Network-2 to create VM-1 and VM-2, respectively.
13. Test the interoperability between VPC Network-1 and VPC Network-2.
Assume that your environment is as follows:
1. Public Network
Table 7-5: Configuration Information
  Public Network    Configuration Information
  NIC               em01
  VLAN ID           No VLAN
  IP range          10.108.10.100~10.108.10.200
  Netmask           255.0.0.0
  Gateway           10.0.0.1
  DHCP IP           10.108.10.101
2. Management Network
Table 7-6: Configuration Information
  Management Network    Configuration Information
  NIC                   em02
  VLAN ID               No VLAN
  IP range              192.168.29.10~192.168.29.20
  Netmask               255.255.255.0
  Gateway               192.168.29.1
Note:
• For security and stability reasons, we recommend that you deploy an independent management network and separate it from the public networks.
• The management network we mention here is the same as that in ZStack Private Cloud.
That is, the management network is the network used to manage hosts, primary storages, and backup storages. If a management network was created before, you can use it directly.
3. VPC Network-1
Table 7-7: Configuration Information
  Private Network    Configuration Information
  NIC                em01
  VLAN ID            2800
  IP CIDR            192.168.10.0/24
  Gateway            192.168.10.1
  DHCP IP            192.168.10.2
4. VPC Network-2
Table 7-8: Configuration Information
  Private Network    Configuration Information
  NIC                em01
  VLAN ID            2900
  IP CIDR            192.168.11.0/24
  Gateway            192.168.11.1
  DHCP IP            192.168.11.2
To create a VPC in the cloud, follow these steps:
Procedure
1. Create an L2 public network in the ZStack Private Cloud UI.
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L2 Network Resource > L2 Network. On the L2 Network page, click Create L2 Network. On the displayed Create L2 Network page, set the following parameters according to Table 7-5: Configuration Information:
• Name: Enter a name for the L2 public network.
• Description: Optional. Enter a description for the L2 public network.
• Type: Select L2NoVlanNetwork.
• Physical NIC: Enter em01.
• Enable SR-IOV: Choose whether to enable SR-IOV. Here, leave this checkbox unselected.
• Cluster: Select a cluster, for example, Cluster-1.
As shown in Figure 7-173: Create L2 Network. Click OK. Then, an L2 public network will be created.
Figure 7-173: Create L2 Network
2. Create an L3 public network in the ZStack Private Cloud UI.
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L3 Network > Public Network. On the Public Network page, click Create Public Network. On the displayed Create Public Network page, set the following parameters according to Table 7-5: Configuration Information:
• Name: Enter a name for the L3 public network.
• Description: Optional. Enter a description for the L3 public network.
• L2 Network: Select the L2 public network you created in the preceding step.
• Stop DHCP server: Choose whether to enable the DHCP service.
Note:
• By default, this checkbox is not selected, indicating that the DHCP service is enabled, and IP addresses will be automatically allocated to VM instances. In this case, you can customize an IP address for the DHCP service, or let the system randomly specify a DHCP IP address.
• If selected, the DHCP service will be disabled, indicating that VM instances that use this network cannot automatically obtain IP addresses, and you need to configure IP addresses manually. In this case, you cannot customize the DHCP IP address. In addition, the system cannot randomly specify DHCP IP addresses.
• Add IP Range: Select the IPv4 IP address type and the IP range method.
Note: ZStack supports both IPv4 and IPv6. You can choose to add an IP range or a CIDR. This tutorial takes the IPv4 IP address and the IP range method as examples.
• Start IP: Enter a start IP address, for example, 10.108.10.100.
• End IP: Enter an end IP address, for example, 10.108.10.200.
• Netmask: Enter a netmask, for example, 255.0.0.0.
• Gateway: Enter a gateway, for example, 10.0.0.1.
• DHCP IP: Optional. Set a DHCP IP address as needed.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first IP range for an L3 network with the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add an IP range.
• The DHCP IP address can be inside or outside the IP range that you added. However, the DHCP IP address must be within the CIDR to which the added IP range belongs, and must not be occupied.
• The IP range specified between the start IP address and the end IP address cannot contain link-local addresses (169.254.0.0/16).
• If not specified, the system will randomly specify an IP address within the IP range that you added.
• DNS: Optional. Set a DNS, for example, 114.114.114.114.
As shown in Figure 7-174: Create L3 Public Network. Click OK. Then, an L3 public network will be created.
Figure 7-174: Create L3 Public Network
3. Create an L2 management network in the ZStack Private Cloud UI.
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L2 Network Resource > L2 Network. On the L2 Network page, click Create L2 Network. On the displayed Create L2 Network page, set the following parameters according to Table 7-6: Configuration Information:
• Name: Enter a name for the L2 management network.
• Description: Optional. Enter a description for the L2 management network.
• Type: Select L2NoVlanNetwork.
• Physical NIC: Enter em02.
• Enable SR-IOV: Choose whether to enable SR-IOV. Here, leave this checkbox unselected.
• Cluster: Select a cluster, for example, Cluster-1.
As shown in Figure 7-175: Create L2 Management Network. Click OK. Then, an L2 management network will be created.
Figure 7-175: Create L2 Management Network
4. Create an L3 management network in the ZStack Private Cloud UI.
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L3 Network > System Network. On the System Network page, click Create System Network. On the displayed Create System Network page, set the following parameters according to Table 7-6: Configuration Information:
• Name: Enter a name for the L3 management network.
• Description: Optional.
Enter a description for the L3 management network.
• L2 Network: Select the L2 management network you created in the preceding step.
• Add IP Range: Select the IP range method.
• Start IP: Enter a start IP address, for example, 192.168.29.10.
• End IP: Enter an end IP address, for example, 192.168.29.20.
• Netmask: Enter a netmask, for example, 255.255.255.0.
• Gateway: Enter a gateway, for example, 192.168.29.1.
As shown in Figure 7-176: Create L3 Management Network. Click OK. Then, an L3 management network will be created.
Figure 7-176: Create L3 Management Network
5. Add a vRouter image.
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > vRouter Resource > vRouter Image. On the vRouter Image page, click Add vRouter Image. On the displayed Add vRouter Image page, set the following parameters:
• Name: Enter a name for the vRouter image.
• Description: Optional. Enter a description for the vRouter image.
• Backup Storage: Select a backup storage to store the vRouter image, for example, BS-1.
• Image URL: Enter a URL, or upload a local file.
1. URL: Enter the path from which the vRouter image can be downloaded.
Note: ZStack provides you with dedicated vRouter images. You can download the latest vRouter images from the ZStack Official Website.
• File name: zstack-vRouter-3.9.0.qcow2
• Download address: Click ZStack Official Website.
2. Local file: Upload a vRouter image file that can be directly accessed by the current browser.
Note:
• vRouter images can be uploaded to an ImageStore or a Ceph backup storage.
• The local browser serves as a transmission relay for uploading vRouter images. Make sure that you do not refresh or stop the current browser, and do not stop your management node. Otherwise, adding the vRouter image will fail.
As shown in Add vRouter Image. Click OK. Then, a vRouter image will be added.
Figure 7-177: Add vRouter Image
6. Create a vRouter offering.
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > vRouter Resource > vRouter Offering. On the vRouter Offering page, click Create vRouter Offering. On the displayed Create vRouter Offering page, set the following parameters:
• Name: Enter a name for the vRouter offering.
• Description: Optional. Enter a description for the vRouter offering.
• CPU: Set the CPU count for the vRouter offering. In a production environment, we recommend that the CPU count be greater than 8.
• Memory: Set the memory size for the vRouter offering. Unit: M | G | T. In a production environment, we recommend that you set the memory size to be greater than 8 G.
• Image: Select the vRouter image that you added.
• Management Network: Select the L3 management network that you created from the network list.
• L3 Network: Select the L3 public network that you created from the network list, which includes public networks and flat networks.
▬ If the L3 network is a public network, the vRouter or VPC vRouter created from this vRouter offering can provide various network services for vRouter networks and VPC networks.
▬ If the L3 network is a public network, the vRouter created from this vRouter offering can provide load balancing network services for flat networks.
▬ If the L3 network is a flat network, the vRouter created from this vRouter offering can provide load balancing network services for flat networks.
As shown in Create vRouter Offering. Click OK. Then, a vRouter offering will be created.
Figure 7-178: Create vRouter Offering
7. Create a VPC vRouter from the vRouter offering you created in the preceding step.
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > VPC > VPC vRouter.
On the VPC vRouter page, click Create VPC vRouter. On the displayed Create VPC vRouter page, set the following parameters:
• Name: Enter a name for the VPC vRouter.
• Description: Optional. Enter a description for the VPC vRouter.
• vRouter Offering: Select the vRouter offering you created in the preceding step.
• Specify Default IP: Optional. Specify a public IP address as the default IP address of the VPC vRouter.
• DNS: Optional. Set the DNS for the VPC vRouter. Default value: 223.5.5.5.
As shown in Figure 7-179: Create VPC vRouter. Click OK. Then, a VPC vRouter will be created.
Figure 7-179: Create VPC vRouter
8. Create an L2 private network in the ZStack Private Cloud UI. This L2 private network is used to create an L3 VPC network (VPC Network-1).
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L2 Network Resource > L2 Network. On the L2 Network page, click Create L2 Network. On the displayed Create L2 Network page, set the following parameters according to Table 7-7: Configuration Information:
• Name: Enter a name for the L2 private network.
• Description: Optional. Enter a description for the L2 private network.
• Type: Select L2VlanNetwork.
• VLAN ID: Enter 2800.
• Physical NIC: Enter em01.
• Cluster: Select a cluster, for example, Cluster-1.
As shown in Figure 7-180: Create L2 Private Network. Click OK. Then, an L2 private network will be created.
Figure 7-180: Create L2 Private Network
9. Specify a VPC vRouter in ZStack Private Cloud to create an L3 VPC network (VPC Network-1).
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > VPC > VPC Network. On the VPC Network page, click Create VPC Network.
On the displayed Create VPC Network page, set the following parameters according to Table 7-7: Configuration Information:
• Name: Enter a name for the VPC network.
• Description: Optional. Enter a description for the VPC network.
• L2 Network: Select the L2 private network you created in the preceding step.
• VPC vRouter: Optional. Specify a VPC vRouter directly, or attach a VPC vRouter after you create the VPC network.
• Stop DHCP server: Choose whether to enable the DHCP service.
Note:
• By default, this checkbox is not selected, indicating that the DHCP service is enabled, and IP addresses will be automatically allocated to VM instances. In this case, you can customize an IP address for the DHCP service, or let the system randomly specify a DHCP IP address.
• If selected, the DHCP service will be disabled, indicating that VM instances that use this network cannot automatically obtain IP addresses, and you need to configure IP addresses manually. In this case, you cannot customize the DHCP IP address. In addition, the system cannot randomly specify DHCP IP addresses.
• Add IP Range: Select the CIDR method.
• CIDR: Enter a CIDR, for example, 192.168.10.0/24.
Note: The IP ranges cannot overlap.
• Gateway: Enter a gateway, for example, 192.168.10.1.
• DHCP IP: Optional. Set a DHCP IP address as needed.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first network range for an L3 network with the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add the IP range.
• The DHCP IP address can be inside or outside the IP range that you added. However, the DHCP IP address must not conflict with the current CIDR.
• If not specified, the system will randomly specify an IP address within the IP range that you added before.
• The first IP address in a CIDR is deemed the gateway by default, and cannot serve as a DHCP IP address.
As shown in Figure 7-181: Create VPC Network-1. Click OK. Then, VPC Network-1 will be created.
Figure 7-181: Create VPC Network-1
10. Create an L2 private network in the ZStack Private Cloud UI. This L2 private network is used to create an L3 VPC network (VPC Network-2).
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > L2 Network Resource > L2 Network. On the L2 Network page, click Create L2 Network. On the displayed Create L2 Network page, set the following parameters according to Table 7-8: Configuration Information:
• Name: Enter a name for the L2 private network.
• Description: Optional. Enter a description for the L2 private network.
• Type: Select L2VlanNetwork.
• VLAN ID: Enter 2900.
• Physical NIC: Enter em01.
• Enable SR-IOV: Choose whether to enable SR-IOV.
▬ By default, this checkbox is not selected, indicating that SR-IOV is not enabled. In this case, SR-IOV cannot be enabled for the L3 network corresponding to the L2 network.
▬ If selected, SR-IOV is enabled. You can also enable SR-IOV for the L3 network corresponding to the L2 network. In this case, make sure that VF NICs are generated from the physical NICs used by the L2 network.
• Cluster: Select a cluster, for example, Cluster-1.
As shown in Figure 7-182: Create L2 Private Network. Click OK. Then, an L2 private network will be created.
Figure 7-182: Create L2 Private Network
11. Specify a VPC vRouter in ZStack Private Cloud to create an L3 VPC network (VPC Network-2).
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > VPC > VPC Network. On the VPC Network page, click Create VPC Network. On the displayed Create VPC Network page, set the following parameters according to Table 7-8: Configuration Information:
• Name: Enter a name for the VPC network.
• Description: Optional. Enter a description for the VPC network.
• L2 Network: Select the L2 private network you created in the preceding step.
• VPC vRouter: Optional. Specify a VPC vRouter directly, or attach a VPC vRouter after you create the VPC network.
• Stop DHCP server: Choose whether to enable the DHCP service.
Note:
• By default, this checkbox is not selected, indicating that the DHCP service is enabled, and IP addresses will be automatically allocated to VM instances. In this case, you can customize an IP address for the DHCP service, or let the system randomly specify a DHCP IP address.
• If selected, the DHCP service will be disabled, indicating that VM instances that use this network cannot automatically obtain IP addresses, and you need to configure IP addresses manually. In this case, you cannot customize the DHCP IP address. In addition, the system cannot randomly specify DHCP IP addresses.
• Add IP Range: Select the CIDR method.
• CIDR: Enter a CIDR, for example, 192.168.11.0/24.
Note: The IP ranges cannot overlap.
• Gateway: Enter a gateway, for example, 192.168.11.1.
• DHCP IP: Optional. Set a DHCP IP address as needed.
Note:
• If you create an L3 network and enable the DHCP service for the first time, or if you add the first network range for an L3 network with the DHCP service enabled, you can customize the DHCP IP address.
• If the L3 network already has a DHCP IP address, you cannot customize the DHCP IP address when you add the IP range.
• The DHCP IP address can be inside or outside the IP range that you added. However, the DHCP IP address must not conflict with the current CIDR.
• If not specified, the system will randomly specify an IP address within the IP range that you added before.
• The first IP address in a CIDR is deemed the gateway by default, and cannot serve as a DHCP IP address.
As shown in Figure 7-183: Create VPC Network-2. Click OK. Then, VPC Network-2 will be created.
Figure 7-183: Create VPC Network-2
12. Use VPC Network-1 to create VM-1, and use VPC Network-2 to create VM-2.
a) Use VPC Network-1 to create VM-1.
In the navigation pane of the ZStack Private Cloud UI, choose Resource Pool > VM Instance. On the VM Instance page, click Create VM Instance. On the displayed Create VM Instance page, set the following parameters:
• Add Type: Select Single.
• Name: Enter VM-1.
• Description: Optional. Enter a description for VM-1.
• Instance Offering: Select an instance offering you created before.
• Image: Select a VM image you added before.
• Network: Click the IPv4 tab and select VPC Network-1.
As shown in Figure 7-184: Create VM-1. Click OK. Then, VM-1 will be created.
Figure 7-184: Create VM-1
b) Use VPC Network-2 to create VM-2 with the same method.
13. Test the interoperability between VPC Network-1 and VPC Network-2.
1. Log in to VM-1 and check whether VM-1 can ping VM-2, as shown in Figure 7-185: VM-1 Can ping VM-2.
Figure 7-185: VM-1 Can ping VM-2
2. Log in to VM-2 and check whether VM-2 can ping VM-1, as shown in Figure 7-186: VM-2 Can ping VM-1.
Figure 7-186: VM-2 Can ping VM-1
What's next
So far, we introduced the basic deployment of a VPC.
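The IP planning rules spelled out in the Notes of the preceding steps (gateway and DHCP IP inside the CIDR, no link-local addresses in a range, the default gateway never used as DHCP IP, no overlapping ranges on one VPC vRouter), checked over the four networks of Tables 7-5 to 7-8, as an added example that is not ZStack's own code. IpRangePlan, check_range and check_vpc_networks are names of this example only, and it assumes that "the first IP address in a CIDR" means the first usable address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Link-local block that an IP range must not contain (L3 public network step).
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


@dataclass
class IpRangePlan:
    """One IP range of an L3 network, entered either by the CIDR method
    (cidr set) or by the IP range method (start_ip, end_ip and netmask set)."""
    network: str
    gateway: str
    cidr: Optional[str] = None
    start_ip: Optional[str] = None
    end_ip: Optional[str] = None
    netmask: Optional[str] = None
    dhcp_ip: Optional[str] = None
    occupied: Tuple[str, ...] = ()  # addresses already in use (constructed input)

    def subnet(self) -> ipaddress.IPv4Network:
        """CIDR the range belongs to; derived from start IP + netmask for the IP range method."""
        if self.cidr:
            return ipaddress.ip_network(self.cidr, strict=False)
        return ipaddress.ip_network(f"{self.start_ip}/{self.netmask}", strict=False)

    def bounds(self) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
        """First and last address the range covers."""
        net = self.subnet()
        if self.cidr:
            return net[0], net[-1]
        return ipaddress.ip_address(self.start_ip), ipaddress.ip_address(self.end_ip)


def check_range(plan: IpRangePlan) -> List[str]:
    """Return the rule violations of one IP range; an empty list means it is valid."""
    problems: List[str] = []
    net = plan.subnet()
    gw = ipaddress.ip_address(plan.gateway)
    lo, hi = plan.bounds()
    if gw not in net:
        problems.append(f"{plan.network}: gateway {gw} is outside {net}")
    if lo > hi:
        problems.append(f"{plan.network}: start IP {lo} is after end IP {hi}")
    # Two address intervals intersect when neither lies entirely before the other.
    if lo <= LINK_LOCAL[-1] and hi >= LINK_LOCAL[0]:
        problems.append(f"{plan.network}: range {lo}-{hi} contains link-local addresses")
    if plan.dhcp_ip:
        dhcp = ipaddress.ip_address(plan.dhcp_ip)
        if dhcp not in net:
            # May lie outside the start/end range, but never outside the CIDR.
            problems.append(f"{plan.network}: DHCP IP {dhcp} is outside {net}")
        # Assumption: "the first IP address in a CIDR" is the first usable
        # address (net[1]), which is the gateway by default.
        if dhcp == gw or (plan.cidr and dhcp == net[1]):
            problems.append(f"{plan.network}: DHCP IP {dhcp} is the gateway address")
        if str(dhcp) in plan.occupied:
            problems.append(f"{plan.network}: DHCP IP {dhcp} is already occupied")
    return problems


def check_vpc_networks(plans: List[IpRangePlan]) -> List[str]:
    """IP ranges of VPC networks attached to the same VPC vRouter must not overlap."""
    problems: List[str] = []
    for i, a in enumerate(plans):
        a_lo, a_hi = a.bounds()
        for b in plans[i + 1:]:
            b_lo, b_hi = b.bounds()
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"{a.network} ({a_lo}-{a_hi}) overlaps "
                                f"{b.network} ({b_lo}-{b_hi})")
    return problems


# The four networks from Tables 7-5 to 7-8 of this tutorial.
PUBLIC = IpRangePlan("Public Network", "10.0.0.1", start_ip="10.108.10.100",
                     end_ip="10.108.10.200", netmask="255.0.0.0", dhcp_ip="10.108.10.101")
MANAGEMENT = IpRangePlan("Management Network", "192.168.29.1", start_ip="192.168.29.10",
                         end_ip="192.168.29.20", netmask="255.255.255.0")
VPC_NET_1 = IpRangePlan("VPC Network-1", "192.168.10.1", cidr="192.168.10.0/24",
                        dhcp_ip="192.168.10.2")
VPC_NET_2 = IpRangePlan("VPC Network-2", "192.168.11.1", cidr="192.168.11.0/24",
                        dhcp_ip="192.168.11.2")


def validate_tutorial_plan() -> List[str]:
    """Run every check over the tutorial's networks; returns all violations found."""
    problems: List[str] = []
    for plan in (PUBLIC, MANAGEMENT, VPC_NET_1, VPC_NET_2):
        problems += check_range(plan)
    problems += check_vpc_networks([VPC_NET_1, VPC_NET_2])
    return problems


if __name__ == "__main__":
    for line in validate_tutorial_plan() or ["tutorial plan: no violations"]:
        print(line)
```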
7.6 vCenter
7.6.1 Introduction
VMware vCenter Server is the centralized management platform of a VMware vCenter.
If you have deployed VMware vCenter Server, ZStack allows you to manipulate VMware vCenters via the public API interfaces provided by VMware. In addition, ZStack is highly compatible with, and can manipulate a portion of the features of, the VMware virtualization management platform (VMware vCenter Server) to achieve unified management of multiple virtualization platforms.
With ZStack, you can manage VMware virtualization environments in an existing data center, and view vSphere server resources and VM resources managed by VMware vCenter Server. In addition, you can use VMware vSphere resources in a virtual data center, and perform common operations on VM instances in your VMware vCenter cluster.
Currently, ZStack supports multiple vCenter versions, including 5.5, 6.0, 6.5, and 6.7.
External Access Workflow
ZStack sends cloud resource control requests to a vCenter via the asynchronous event listening method, and receives the returned event contents. ZStack can also receive contents that are pushed by the vCenter, achieving bidirectional information synchronization.
The following figure shows how ZStack logically manages a vCenter, as shown in Figure 7-187: ZStack vCenter Logical Management Graph.
Figure 7-187: ZStack vCenter Logical Management Graph
7.6.2 Environment Preparation
To manage a vCenter via ZStack, you need to prepare a ZStack Private Cloud environment and a vCenter environment in advance.
Prepare a ZStack Private Cloud Environment
You can either deploy a ZStack management node on an independent physical server, or deploy a ZStack management node on a VM instance of a vCenter cluster.
1. Prepare software.
• ZStack Custom ISO
▬ File name: ZStack-x86_64-DVD-3.9.0-c76.iso or ZStack-x86_64-DVD-3.9.0-c74.iso
▬ Download address: Click here.
• ZStack Installation Package
▬ File name: ZStack-installer-3.9.0.bin
▬ Download address: Click here.
Note: After you download the installation package, confirm the integrity of the file by using the MD5 checksum tool.
2. Prepare hardware.
Prepare a physical server, or a VM instance of a vCenter cluster. The configuration requirements are listed as follows.
  Physical Server/vCenter VM    Parameter
  ZStack management node        • 64-bit CPU with a minimum of 4 cores
                                • A minimum of 8 GB memory
                                • A minimum of one hard disk with a minimum of 500 GB capacity
                                • A minimum of one Gigabit NIC
  Network                       Allocates network addresses and accesses vCenter servers smoothly
3. Install ZStack.
Within the physical server or vCenter VM instance, use the ZStack Custom ISO to install the operating system, and select ZStack Enterprise Management Node. After the operating system is installed and rebooted successfully, ZStack will be installed automatically. For more information, see the Installation and Deployment topic in the User Guide.
Note: For a vCenter VM instance, select the CentOS 5/6/7 (64-bit) operating system.
4. Log in to ZStack.
We recommend that you use Chrome or Firefox to log in to the ZStack management page via http://your_machine_ip:5000. The default user name is admin, and the default password is password.
Figure 7-188: Login Page
Note: If you use a vCenter VM instance to install a ZStack management node, we recommend that you create a snapshot (excluding memory) at this time, and name this snapshot Initialization.
Prepare a vCenter Environment
To ensure that ZStack can take over the virtualization resources of a vCenter, make sure that this vCenter meets the following requirements:
• The vCenter has a resource structure of Data Center, Cluster, and Host.
• The vCenter can display added local storages and shared storages such as vSAN, FC, iSCSI, and NFS storages.
Note: Currently, Datastore Cluster is not supported.
• The port group information is configured for a distributed switch (dvSwitch) or standard switch (vSwitch) of the vCenter.
▬ dvSwitch scenario: Only resources of the hosts added to a dvSwitch can be imported to ZStack. If you do not add a host to a dvSwitch, the associated resources cannot be imported to ZStack.
▬ vSwitch scenario: Only resources of hosts that are in the same cluster, are added to at least one common vSwitch, and have at least one common port group attribute (including the same network label and the same VLAN ID) can be imported to ZStack.
Note: ZStack can only take over VM networks, not VMkernel or management networks.
• The existing template VM in a vCenter must be converted to the Template type, as shown in Cluster and Host in vCenter, Distributed Switch in vCenter, and Template in vCenter.
Figure 7-189: Cluster and Host in vCenter
Figure 7-190: Distributed Switch in vCenter
Figure 7-191: Template in vCenter
7.6.3 Basic Resource
Context
ZStack can manage vCenter basic resources, namely vCenter virtual resources, in a unified manner, including adding a vCenter, synchronizing data for a vCenter, and deleting a vCenter.
After you add a vCenter for the first time, ZStack automatically synchronizes the clusters, hosts, VM instances, templates, storages, networks, and other resources in the vCenter. To use a managed vCenter, click Sync Data to synchronize vCenter resources to your current cloud. Then, you can view the associated resources in the UI.
• You can add and manage multiple vCenters.
• You can filter resources before you import vCenter resources to ZStack.
▬ dvSwitch scenario: Only resources of the hosts added to a dvSwitch can be imported to ZStack. If you do not add a host to a dvSwitch, the associated resources cannot be imported to ZStack.
▬ vSwitch scenario: Only resources of hosts that are in the same cluster, are added to at least one common vSwitch, and have at least one common port group attribute (including the same network label and the same VLAN ID) can be imported to ZStack.
Note: ZStack can only take over VM networks, not VMkernel or management networks.
Next, we will introduce how to add a vCenter in ZStack.
Procedure
1. Prepare the following information in advance.
  Field                 Description                                               Example
  Access domain name    vCenter access address: domain name or IP address         • vc.test.com
                                                                                  • 172.20.1.166
  Administrator         vCenter administrator name, including the intact domain   administrator@vsphere.local
  Access password       vCenter administrator password                            Testing123
2. Add a vCenter.
In the navigation pane of the ZStack Private Cloud UI, choose vCenter > vCenter. On the vCenter page, click Add vCenter. On the displayed Add vCenter page, set the following parameters:
• Name: Enter a name for the vCenter.
• Description: Optional. Enter a description for the vCenter.
• Domain Name: Enter the domain name of the vCenter.
• Port Number: Enter the port number of the vCenter.
• User Name: Enter the user name for the vCenter.
• Password: Enter the password that corresponds to the vCenter user name. Note that the password is case sensitive.
• HTTPS/HTTP: Select the transfer protocol used when you synchronize the vCenter. The supported transfer protocols are HTTPS and HTTP. Default option: HTTPS.
As shown in Add vCenter. Click OK. Then, the vCenter is added.
Figure 7-192: Add vCenter
3.
After you add the vCenter successfully, ZStack will import the existing clusters, hosts, VM instances, templates, storages, networks, and other resources in the vCenter. On the vCenter details page, you can view the basic attributes, clusters, primary storages, backup storages, hosts, resource pools, and audit information.
• Specifically, the Basic Attributes tab page displays the overview, resource count, and other information about the vCenter, as shown in Basic Attributes.
Figure 7-193: Basic Attributes
• The Cluster tab page displays a list of the vCenter clusters managed by the cloud, including the cluster name, hypervisor type, host count, state, and other information.
• Both the Primary Storage tab page and the Backup Storage tab page display a datastore list, as shown in vCenter Primary Storage and vCenter Backup Storage.
Figure 7-194: vCenter Primary Storage
Figure 7-195: vCenter Backup Storage
• The Host tab page displays the state of the maintenance mode, as shown in vCenter Host.
Figure 7-196: vCenter Host
Note:
• If hosts on a remote vCenter enter maintenance mode, you can view the resource state locally via data synchronization.
• The Resource Pool tab page displays a list of the vCenter resource pools managed by the cloud. The resource pools and the resources in these pools (including other resource pools and VM instances) are displayed in cascade. In addition, the Resource Pool tab page displays the resource pool name, type, parent item, VM quota, CPU capacity limit, and memory capacity limit, as shown in Resource Pool.
Figure 7-197: Resource Pool
Note:
• vCenter VM instances that are created in ZStack do not display resource pool attributes, and will not be displayed on the preceding Resource Pool tab page.
• After a historical version (earlier than ZStack 3.3.0) is upgraded to the latest version, click Sync Data before the vCenter resource pool information becomes visible.
You can click a resource pool name or VM name to open the corresponding details page. The details page of a single resource pool shows the CPU reservation, memory reservation (reserved capacity cannot be allocated to anything else), limits (the upper bound on allocated capacity), and shares (the weight used when dividing shared resources), as shown in Single Resource Pool Details Page.
• Reservation: The CPU or memory capacity guaranteed to the resource pool. Default value: 0.
• Limit: The upper limit on the CPU or memory capacity that the resource pool may consume. Default value: unlimited.
• Shares (quota): The share value of the resource pool relative to the total resources of its parent object (a host, or another resource pool). Sibling resource pools divide resources in proportion to their relative share values, bounded by their reservations and limits. For more information, see the VMware official documentation.
As shown in Figure 7-198: Single Resource Pool Details Page.
Figure 7-198: Single Resource Pool Details Page
• The Audit tab page displays vCenter operation logs.
On the vCenter details page, click Actions to synchronize data or delete the vCenter.
What's next
You can perform the following operations on a vCenter:
• Add vCenter: Add a vCenter. After you add a vCenter, ZStack automatically synchronizes its clusters, hosts, VM instances, templates, storage, networks, and other resources. You can view the associated resources in the UI.
• Synchronize data: After you synchronize the data of a vCenter, its resources are mirrored locally in real time.
Note:
• A vCenter Server Appliance (vCSA) deployed in the remote vCenter is not synchronized locally, to avoid accidental operations on it.
• ZStack can synchronize vCenter data automatically. In the navigation pane of the ZStack UI, choose Settings > Global Settings > Advanced. On the Advanced tab page, set vCenter Data Auto Sync Interval, as shown in vCenter Data Auto Sync Interval.
Figure 7-199: vCenter Data Auto Sync Interval
• Delete: Delete a vCenter. After you delete a vCenter, the local records of its associated resources are deleted as well. The actual resources in the remote vCenter are not affected.
• View cluster: View vCenter cluster information.
• View primary storage: View vCenter primary storage information and datastore lists.
• View backup storage: View vCenter backup storage information and datastore lists.
• View host: View vCenter host information.
• View resource pool: View vCenter resource pools, VM lists, and detailed information.
7.6.4 VM Instance
Context
After you add a vCenter, its VM instances are automatically synchronized to ZStack. In addition, you can create vCenter VM instances from the cloud. This topic describes how to create vCenter VM instances in ZStack.
Procedure
1. On the VM Instance page, check the details of the VM instances synchronized from the vCenter you added to ZStack.
In the navigation pane of the ZStack Private Cloud UI, choose vCenter > VM Instance. The VM Instance page is displayed, as shown in vCenter VM Page.
Figure 7-200: vCenter VM Page
Note: ZStack allows you to manage the resources of multiple vCenters. You can view the resources of all vCenters, or of a single vCenter, by using the vCenter drop-down list.
2. Create a vCenter VM instance on the current cloud.
Before you create a vCenter VM instance on the current cloud, set up a vCenter vRouter network or vCenter flat network in ZStack in advance. For more information, see Network.
After you create a vCenter vRouter network or flat network, click Create VM Instance on the VM Instance page of the vCenter. On the displayed Create VM Instance page, set the following parameters:
• Add Type: Select whether to create one VM instance or several at a time. Options: Single | Multiple.
• VM Name: Enter a name for the vCenter VM instance. Note: The vCenter VM name cannot be identical to a vCenter image name.
• VM Description: Optional. Enter a description for the vCenter VM instance.
• Instance Offering: Select an instance offering for the vCenter VM instance.
• Image: Select a vCenter image from which to create the vCenter VM instance.
• Network: Select a vCenter vRouter network or vCenter flat network that you created before.
• Advanced: Optional. Specify resources for the vCenter VM instance. If you leave them unspecified, the system selects them automatically.
▬ Data Disk Offering: Select a data disk offering for the vCenter VM instance.
▬ Cluster: Specify a cluster in the vCenter for the vCenter VM instance.
▬ Primary Storage: Specify a primary storage in the vCenter for the vCenter VM instance.
▬ Host: Specify a host in the vCenter for the vCenter VM instance.
As shown in Create vCenter VM Instance on the Current Cloud. Click OK. Then, the vCenter VM instance is created.
Figure 7-201: Create vCenter VM Instance on the Current Cloud
What's next
You can perform the following operations on a vCenter VM instance:
• Create: Create a vCenter VM instance on the current cloud.
• Start: Start a vCenter VM instance that is in the stopped state.
• Stop: Stop the vCenter VM instance.
• Reboot: Reboot the vCenter VM instance.
• Pause: Pause the vCenter VM instance.
• Resume: Resume a vCenter VM instance that is in the paused state.
• Migrate: Migrate the vCenter VM instance to another compute node.
▬ Currently, only hot migration is supported.
▬ On shared storage, a vCenter VM instance with data volumes can be hot migrated.
▬ Currently, local storage does not support migration.
▬ The migration speed depends on the network configuration of the two hosts. On a low-bandwidth link the migration will probably be slow.
▬ Before you migrate a vCenter VM instance, make sure that vMotion is enabled.
■ For vCenter 5.5, configure dedicated VMkernel networks and enable vMotion on them. In addition, make sure that the vMotion IP addresses of the source and destination VMkernel interfaces can reach each other.
■ For vCenter 6.0 or later, enable vMotion on the management network.
• Clone: Clone the root volume of the vCenter VM instance. Based on the instance offering of the vCenter VM instance, the system clones a VM instance whose system is identical to the current vCenter VM instance.
▬ The vCenter VM instance supports online and offline cloning.
▬ A vCenter VM instance with data volumes cannot be cloned together with its data volumes.
▬ A vCenter VM instance can be cloned as a VM instance, not as a template.
• Power off: Power off the vCenter VM instance directly.
• Change instance offering: Change the CPU or memory of the vCenter VM instance while it is stopped.
• Change owner: Change the owner of the vCenter VM instance.
Note: ZStack supports multi-tenant management of the managed vCenter. Normal accounts and project members can perform operations on vCenter VM instances.
• Set HA level: Set the high availability (HA) level to NeverStop or None.
▬ None: Disable the HA feature for the vCenter VM instance.
▬ NeverStop: Enable the HA feature for the vCenter VM instance.
If you set the HA level to NeverStop for a VM instance running on LocalStorage primary storage, note that:
• When the host where the vCenter VM instance runs is in the Enabled state and the Connected status, the vCenter VM instance keeps running. Even if the vCenter VM instance is forced to stop, it is rebooted.
Note: If you do not want a vCenter VM instance with the NeverStop HA level to be rebooted automatically, select the option "Check the box will make NeverStop VM instance would not start automatically after stop." in the displayed Stop VM Instance dialog box.
• When the host where the vCenter VM instance runs is powered off or disconnected, the vCenter VM instance enters the Stopped state.
▬ If the remote vCenter environment has the Distributed Resource Scheduler (DRS) service enabled to provide HA for the vCenter VM instance, the HA setting in ZStack is not affected.
• Open console: Open the console of the vCenter VM instance to log in to and control it.
Note: After ZStack takes over a vCenter, you cannot directly open the console of running VM instances that were synchronized from the vCenter. You can directly open the console of the following vCenter VM instances:
• vCenter VM instances created in ZStack
• vCenter VM instances rebooted in ZStack
• vCenter VM instances hot migrated via ZStack on shared storage
• Set console password: Set a console password for the vCenter VM instance.
• Cancel console password: Remove the console password of the vCenter VM instance.
• Attach volume: Attach an available volume to the current vCenter VM instance.
• Detach volume: Detach a volume that you attached before from the vCenter VM instance.
• Attach NIC: Attach an available NIC to the current vCenter VM instance. Both public network NICs and private network NICs are supported.
• Detach NIC: Detach a NIC that you attached before from the vCenter VM instance.
• Delete: Delete a vCenter VM instance. The local records are deleted, and at the same time the actual VM instance in the remote vCenter is stopped.
• Recover: Recover a vCenter VM instance that is in the deleted state.
• Expunge: Completely delete a vCenter VM instance that is in the deleted state. When you expunge a vCenter VM instance, both the local records and the actual VM instance in the remote vCenter are expunged.
• View monitoring data: View the monitoring data of the vCenter VM instance. On the vCenter VM instance details page, click the Monitoring Data tab page to view real-time CPU, memory, disk, virtual disk, and NIC information about the vCenter VM instance.
7.6.5 Network
Before you create new VM instances in a vCenter managed by ZStack, you need to create a vRouter network or a flat network in the vCenter in advance.
7.6.5.1 vRouter Network
Context
Before you create a vCenter vRouter network, make sure that the ZStack management node and the vCenter hosts can communicate with each other.
This topic describes how to create a vCenter vRouter network.
Procedure
1. Create a public network in the vCenter, consisting of a public L2 network and a public L3 network.
In the navigation pane of the ZStack Private Cloud UI, choose vCenter > Network. On the Network page, click Create Network. On the displayed Create Network page, set the following parameters:
• Public network: Select public network.
• Name: Enter a name for the vCenter public network.
• Description: Optional. Enter a description for the vCenter public network.
• Type: Select a public L2 network type as needed.
▬ Supported types: L2NoVlanNetwork and L2VlanNetwork.
▬ If you select L2VlanNetwork, enter a VLAN ID.
• Switch: Enter the dvSwitch name or vSwitch name in the vCenter as needed.
• Cluster: Select a vCenter cluster.
• Stop DHCP server: By default, this checkbox is greyed out and cannot be changed.
Note: vCenter public networks do not support the DHCP service. DHCP is disabled by default, so you need to configure the IP address of each VM instance manually.
• Add IP Range: Select IP Range or CIDR.
▬ IP Range: Enter a start IP address and an end IP address, for example, 172.20.58.200 and 172.20.58.220. For the netmask, enter 255.255.0.0. For the gateway, enter 172.20.0.1.
▬ CIDR: Enter a CIDR block such as 192.168.1.1/24.
• Add DNS: Add a DNS server, for example, 8.8.8.8 or 114.114.114.114.
As shown in Create vCenter Public Network. Click OK. Then, the vCenter public network is created.
Figure 7-202: Create vCenter Public Network
2. To create a vCenter vRouter network, prepare a vRouter image and a vRouter offering in advance on the Network Resource page of the cloud.
a) Add a vCenter vRouter image.
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > vRouter Resource > vRouter Image. On the vRouter Image page, click Add vRouter Image. On the displayed Add vRouter Image page, set the following parameters:
• Name: Enter a name for the vRouter image.
• Description: Optional. Enter a description for the vRouter image.
• Backup Storage: Select a vCenter backup storage.
• Image URL: Currently, a vCenter vRouter image can only be added by entering a URL.
Note: ZStack Private Cloud provides dedicated vCenter vRouter images. You can find the download address of the latest vRouter image on the ZStack official website.
• File name: zstack-vRouter-3.9.0.vmdk
• Download address: Click here
As shown in Add vCenter vRouter Image.
Figure 7-203: Add vCenter vRouter Image
b) Add a vCenter vRouter offering.
In the navigation pane of the ZStack Private Cloud UI, choose Network Resource > vRouter Resource > vRouter Offering. On the vRouter Offering page, click Create vRouter Offering. On the displayed Create vRouter Offering page, set the following parameters:
• Name: Enter a name for the vRouter offering.
• Description: Optional. Enter a description for the vRouter offering.
• CPU: Set the CPU count for the vRouter offering.
• Memory: Set the memory size for the vRouter offering. Unit: M | G | T.
• Image: Select the vCenter vRouter image that you added before.
• Management L3 Network: Select a management network as needed. In the following sample, the management network and the public network are the same network.
• L3 Network: Select the vCenter public network that you created before.
As shown in Create vCenter vRouter Offering.
Figure 7-204: Create vCenter vRouter Offering
3. Create a vCenter vRouter network.
In the navigation pane of the ZStack Private Cloud UI, choose vCenter > Network. On the Network page, click Create Network. On the displayed Create Network page, set the following parameters:
• Private network: Select private network.
• Name: Enter a name for the vCenter vRouter network.
• Description: Optional. Enter a description for the vCenter vRouter network.
• Type: Select a private L2 network type as needed.
▬ Supported types: L2NoVlanNetwork and L2VlanNetwork.
▬ If you select L2VlanNetwork, enter a VLAN ID.
• Switch: Enter the dvSwitch name or vSwitch name in the vCenter as needed.
• Cluster: Select a vCenter cluster.
• vRouter: Select the vRouter network architecture type.
• vRouter Offering: Select the vCenter vRouter offering that you created before.
• Add IP Range: Select IP Range or CIDR.
1.
IP Range: Enter a start IP address and an end IP address, for example, 172.20.58.200 and 172.20.58.220. For the netmask, enter 255.255.0.0. For the gateway, enter 172.20.0.1.
2. CIDR: Enter a CIDR block such as 192.168.1.1/24.
• Add DNS: Optional. Add a DNS server, for example, 8.8.8.8 or 114.114.114.114.
As shown in Create vCenter vRouter Network. Click OK. Then, a vCenter vRouter network is created.
Figure 7-205: Create vCenter vRouter Network
7.6.5.2 Flat Network
Context
This topic describes how to create a vCenter flat network.
Procedure
1. Create a vCenter flat network.
In the navigation pane of the ZStack Private Cloud UI, choose vCenter > Network. On the Network page, click Create Network. On the displayed Create Network page, set the following parameters:
• Private network: Select private network.
• Name: Enter a name for the vCenter flat network.
• Description: Optional. Enter a description for the vCenter flat network.
• Type: Select a private L2 network type as needed.
▬ Supported types: L2NoVlanNetwork and L2VlanNetwork.
▬ If you select L2VlanNetwork, enter a VLAN ID.
• Switch: Enter the dvSwitch name or vSwitch name in the vCenter as needed.
• Cluster: Select a vCenter cluster.
• Flat Network: Select the flat network architecture type.
▬ By default, the Stop DHCP server checkbox is greyed out and cannot be changed.
▬ vCenter flat networks do not support the DHCP service. DHCP is disabled by default, so you need to configure the IP address of each VM instance manually.
• Add IP Range: Select IP Range or CIDR.
1. IP Range: Enter a start IP address and an end IP address, for example, 172.20.58.200 and 172.20.58.220. For the netmask, enter 255.255.0.0. For the gateway, enter 172.20.0.1.
2.
CIDR: Enter a CIDR block such as 192.168.1.1/24.
• Add DNS: Add a DNS server, for example, 8.8.8.8 or 114.114.114.114.
2. Click OK. Then, a vCenter flat network is created.
As shown in Create vCenter Flat Network.
Figure 7-206: Create vCenter Flat Network
What's next
You can perform the following operations on a vCenter network:
• vCenter public network: Add an IP range, add a DNS server, share the public network globally, recall the public network globally, delete the public network, change its name and description, attach a cluster, delete an IP range, delete a DNS server, share the public network with specified accounts or projects, and recall it from specified accounts or projects.
• vCenter flat network: Add an IP range, add a DNS server, share the flat network globally, recall the flat network globally, delete the flat network, change its name and description, attach a cluster, delete an IP range, delete a DNS server, share the flat network with specified accounts or projects, and recall it from specified accounts or projects.
• vCenter vRouter network: Add an IP range, add a DNS server, attach a vRouter offering, detach the vRouter offering, share the vRouter network globally, recall the vRouter network globally, delete the vRouter network, change its name and description, attach a cluster, delete an IP range, delete a DNS server, share the vRouter network with specified accounts or projects, and recall it from specified accounts or projects.
Note:
• ZStack supports multi-tenant management of the managed vCenter. Normal accounts and project members can use the vCenter networks shared by an administrator.
• If you delete vCenter network resources, the local records are deleted without affecting the actual network resources in the remote vCenter. When you delete an L3 network in the vCenter, the vCenter VM instances attached to that L3 network are detached from it.
7.6.5.3 Network Service
vCenter network services currently support the vRouter network architecture model. A vCenter vRouter network provides network services such as DNS, SNAT, Elastic IP (EIP), port forwarding, load balancing, IPsec tunnel, and Netflow.
• DNS:
▬ A vCenter vRouter can act as a DNS server to provide the DNS service.
▬ By default, the DNS address that you see in a vCenter VM instance is the IP address of the corresponding vCenter vRouter. The DNS address set by the user is configured on the vCenter vRouter, which forwards queries to it.
• SNAT:
▬ A vCenter vRouter provides the source network address translation (SNAT) service to vCenter VM instances.
▬ vCenter VM instances can access the Internet directly by using SNAT.
• EIP: Maps a public IP address to the private IP address of a vCenter VM instance through the vCenter vRouter, so that the VM instance can be reached from the public network.
• Port forwarding: Forwards traffic arriving at a port of a specified public IP address to a port of the corresponding vCenter VM IP address.
• Load balancing: Distributes inbound traffic from a public IP address to a group of backend vCenter VM instances, and automatically detects and isolates unavailable vCenter VM instances.
• IPsec tunnel: Uses the IPsec protocol to provide site-to-site VPN connections.
Note: ZStack supports multi-tenant management of a managed vCenter. Normal accounts and project members can use vCenter network services, including EIP, port forwarding, and load balancing.
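The following is an added pre-check for the IP Range / CIDR, netmask, gateway and DNS fields that appear in the public, vRouter and flat network procedures in 7.6.5.1 and 7.6.5.2 above. It is not ZStack code and does not call the ZStack API: it is a stand-alone script written for this page, using only the Python standard library, and the L3Plan record and the rules it enforces are this example's own assumptions. Because DHCP is disabled on these networks, mistakes in the range are discovered only when a VM cannot reach its gateway; the checks below catch the common ones first: a range that does not belong to the subnet implied by the netmask, a gateway that sits inside the range handed out to VMs, and a CIDR written as a host address (the guide's own sample, 192.168.1.1/24, which names a host rather than a network).

```python
"""Pre-check for the IP Range / CIDR, netmask, gateway and DNS fields of the
vCenter Create Network page. Added example, not ZStack code; the L3Plan record
and the checks are this example's own assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class L3Plan:
    """What the operator intends to type into the Create Network page."""
    start_ip: Optional[str] = None    # IP Range mode: first address handed to a VM
    end_ip: Optional[str] = None      # IP Range mode: last address handed to a VM
    netmask: Optional[str] = None     # IP Range mode: dotted netmask, e.g. 255.255.0.0
    gateway: Optional[str] = None     # IP Range mode: default gateway for the VMs
    cidr: Optional[str] = None        # CIDR mode: whole block, e.g. 192.168.1.1/24
    dns: List[str] = field(default_factory=list)


def normalize_cidr(cidr: str) -> str:
    """Return the network-address form of a CIDR.

    The guide's sample 192.168.1.1/24 names a host, not a network; strict=False
    makes ipaddress mask off the host bits instead of raising ValueError."""
    return ipaddress.ip_network(cidr, strict=False).with_prefixlen


def check_l3_plan(plan: L3Plan) -> List[str]:
    """Return every problem found; an empty list means the plan is consistent."""
    problems: List[str] = []

    for server in plan.dns:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not an IP address")

    if plan.cidr:
        try:
            net = ipaddress.ip_network(plan.cidr, strict=False)
        except ValueError:
            return problems + [f"CIDR {plan.cidr!r} is not valid"]
        if net.num_addresses < 4:
            # network + broadcast + gateway leaves nothing for a VM
            problems.append(f"CIDR {net.with_prefixlen} has no usable VM address")
        return problems

    try:
        start = ipaddress.ip_address(plan.start_ip)
        end = ipaddress.ip_address(plan.end_ip)
        gateway = ipaddress.ip_address(plan.gateway)
    except (ValueError, TypeError):
        return problems + ["start IP, end IP and gateway must all be valid addresses"]
    if not (start.version == end.version == gateway.version):
        return problems + ["start IP, end IP and gateway must be the same IP version"]

    try:
        # The page gives the netmask in dotted form (255.255.0.0); ipaddress
        # accepts "gateway/netmask" and, with strict=False, derives the subnet.
        net = ipaddress.ip_network(f"{gateway}/{plan.netmask}", strict=False)
    except ValueError:
        return problems + [f"netmask {plan.netmask!r} is not valid"]

    if start > end:
        problems.append(f"start IP {start} is after end IP {end}")
    for label, addr in (("start IP", start), ("end IP", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net.with_prefixlen}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
    if gateway in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gateway} is the network or broadcast address")
    if start <= gateway <= end:
        # Every address in the range may be assigned to a VM, including this one.
        problems.append(f"gateway {gateway} lies inside the range {start}-{end}")
    return problems
```

Run check_l3_plan on the plan before you click OK. The guide's sample values (172.20.58.200 to 172.20.58.220, netmask 255.255.0.0, gateway 172.20.0.1) pass; the same range with netmask 255.255.255.0 is rejected because both ends fall outside 172.20.0.0/24, and a gateway of 172.20.58.210 is rejected because it would also be handed to a VM.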
7.6.5.3.1 VIP (ESX)
A vCenter vRouter network uses ESX virtual IP addresses (VIPs) to provide network services such as elastic IP address (EIP), port forwarding, load balancing, IPsec tunnel, and Netflow. Similar to KVM VIPs, ESX VIPs come in two types: custom ESX VIPs and system ESX VIPs.
1. Custom ESX VIP
• Creation: A custom ESX VIP is created manually by the user.
• Network service:
▬ A custom VIP in a vCenter vRouter environment can be used for network services such as EIP, port forwarding, load balancing, and IPsec tunnel.
▬ One custom VIP can be used by only one EIP instance.
▬ One custom VIP can be used for port forwarding, load balancing, and IPsec tunnel at the same time, and supports multiple instances of the same service type.
Note: Different types of services cannot use the same port number on one VIP.
▬ A custom VIP cannot be used across vCenter vRouters.
• Deletion:
▬ Deleting a custom VIP automatically deletes all services associated with it.
▬ Deleting one service of a custom VIP does not affect the other services associated with it.
2. System ESX VIP
• Creation: A system ESX VIP is created automatically after a vCenter vRouter is created successfully. The system VIP is the default public IP address of the routing device.
• Network service:
▬ A system VIP in a vCenter vRouter environment can be used for network services such as port forwarding, load balancing, and IPsec tunnel.
▬ One system VIP can be used for port forwarding, load balancing, and IPsec tunnel at the same time, and supports multiple instances of the same service type.
Note: Different types of services cannot use the same port number on one VIP.
▬ One system VIP corresponds to one vCenter vRouter.
• Deletion:
▬ Deleting one service of a system VIP does not affect the other services associated with it.
▬ Deleting a vCenter vRouter automatically deletes the corresponding system VIP and all services associated with it.
How to Use ESX VIP
ESX VIPs are used in essentially the same way as KVM VIPs.
• Custom ESX VIP: A custom VIP in a vCenter vRouter environment can be used for network services such as EIP, port forwarding, load balancing, and IPsec tunnel. There are two ways to use a custom ESX VIP:
▬ In the navigation pane of the ZStack Private Cloud UI, choose Network Service > VIP. On the Custom tab page, create a custom VIP. Then, on the EIP, Port Forwarding, Load Balancing, or IPsec Tunnel page, choose to use the existing VIP.
▬ In the navigation pane of the ZStack Private Cloud UI, choose Network Service > EIP/Port Forwarding/Load Balancing/IPsec Tunnel. On the EIP, Port Forwarding, Load Balancing, or IPsec Tunnel page, choose to create a new VIP.
• System ESX VIP: A system VIP in a vCenter vRouter environment can be used for network services such as port forwarding, load balancing, and IPsec tunnel. To use a system ESX VIP:
▬ In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Port Forwarding/Load Balancing/IPsec Tunnel. On the Port Forwarding, Load Balancing, or IPsec Tunnel page, choose to use an existing VIP.
Create Custom ESX VIP
A custom ESX VIP is created in essentially the same way as a custom KVM VIP.
In the navigation pane of the ZStack Private Cloud UI, choose Network Service > VIP. On the Custom tab page, click Create VIP. On the displayed Create VIP page, set the parameters.
Note: For Network, select the public network that you created in the vCenter.
As shown in Figure 7-207: Create Custom ESX VIP.
Figure 7-207: Create Custom ESX VIP
ESX VIP Operations
The operations that you can perform on an ESX VIP are essentially the same as those on a KVM VIP.
• Create VIP: Create a custom VIP. Note that system VIPs are created by the system.
• Modify name and description: Modify the name and description of the VIP.
• Change owner: Change the owner of the VIP.
• Delete:
▬ Custom VIP:
■ Deleting a custom VIP also deletes the services associated with it.
■ Deleting one service of a custom VIP does not affect the other services associated with it.
▬ System VIP:
■ Deleting one service of a system VIP does not affect the other services associated with it.
■ Deleting a vCenter vRouter automatically deletes the corresponding system VIP and all services associated with it.
7.6.5.3.2 EIP
A vCenter vRouter network uses custom ESX virtual IP addresses (VIPs) to provide the elastic IP address (EIP) service.
• An EIP maps a public IP address to the private IP address of a vCenter VM instance through the vCenter vRouter, so that the VM instance can be reached from the public network.
Create EIP
An EIP is created in a vCenter vRouter environment in essentially the same way as in a KVM vRouter environment.
In the navigation pane of the ZStack Private Cloud UI, choose Network Service > EIP. On the EIP page, click Create EIP. On the displayed Create EIP page, set the parameters.
Note:
• If you choose to create a new VIP, for Network select the public network that you created in the vCenter. As shown in Figure 7-208: Create New VIP.
Figure 7-208: Create New VIP
• If you choose to use an existing VIP, for VIP select an existing custom ESX VIP. As shown in Figure 7-209: Use Existing VIP.
Figure 7-209: Use Existing VIP
EIP Operations
The operations that you can perform on an EIP in a vCenter vRouter environment are essentially the same as those in a KVM vRouter environment.
• Modify name and description: Modify the name and description of the EIP.
• Associate: Associate the EIP with a VM NIC.
• Disassociate: Disassociate the EIP from a VM NIC.
• Change owner: Change the owner of the EIP.
• Delete: Delete the EIP. Note that the IP service provided by the EIP is also deleted. To delete the associated VIP at the same time, select Delete VIP.
• Audit: View the operations performed on the EIP.
7.6.5.3.3 Port Forwarding
A vCenter vRouter network uses custom ESX virtual IP addresses (VIPs) or system ESX VIPs to provide the port forwarding service.
• With the port forwarding service, a vCenter vRouter forwards traffic arriving at a port of a specified public IP address to a port of the corresponding vCenter VM IP address.
• When public IP addresses are scarce, port forwarding lets one public IP address serve multiple vCenter VM instances, which conserves public IP addresses.
Create Port Forwarding Rule
A port forwarding rule is created in a vCenter vRouter environment in essentially the same way as in a KVM vRouter environment.
In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Port Forwarding. On the Port Forwarding page, click Create Port Forwarding. On the displayed Create Port Forwarding page, set the parameters.
Note:
• If you choose to create a new VIP, for Network select the public network that you created in the vCenter. As shown in Figure 7-210: Create New VIP.
Figure 7-210: Create New VIP
• If you choose to use an existing VIP, for VIP select an existing custom ESX VIP or system ESX VIP. As shown in Figure 7-211: Use Existing VIP.
Figure 7-211: Use Existing VIP
Associate Port Forwarding Rule to VM NIC
On the displayed Associate VM NIC page, click the plus sign (+) in the VM Instance section. On the displayed Select VM Instance page, select the target vCenter VM instance, and click OK. As shown in Figure 7-212: Select VM NIC and Figure 7-213: Associate Port Forwarding Rule to VM NIC.
Figure 7-212: Select VM NIC
Figure 7-213: Associate Port Forwarding Rule to VM NIC
Port Forwarding Operations
The operations that you can perform on a port forwarding rule in a vCenter vRouter environment are essentially the same as those in a KVM vRouter environment.
• Modify name and description: Modify the name and description of the port forwarding rule.
• Associate: Associate the port forwarding rule with a VM NIC.
• Disassociate: Disassociate the port forwarding rule from a VM NIC.
• Delete: Delete the port forwarding rule. The port forwarding service provided by the rule is also deleted. The associated VIP and its other services are not affected.
• Audit: View the operations performed on the port forwarding rule.
Port Forwarding Constraints
The port forwarding constraints in a vCenter vRouter environment are essentially the same as those in a KVM vRouter environment.
• To use port forwarding, make sure that the firewall policy inside the VM instance allows inbound access on the forwarded ports; the vRouter forwards the traffic, but the guest firewall still decides whether it is accepted.
• When you use a VIP to provide the port forwarding service, make sure that no port on the VIP is used twice.
• A VIP can provide the port forwarding service to different ports of multiple VM NICs on the same L3 network.
• A VM instance can use only one VIP for the port forwarding service.
• When you disassociate a VIP from a VM instance and then associate a VM instance again, you can only select a VM NIC on the same L3 network as the VM instance that you disassociated before.
• If you select a port range for port forwarding, make sure that the source port range and the VM port range are the same. For example, if you set the source port range to 22-80, the port range of the VM instance must also be 22-80.
7.6.5.3.4 Load Balancing
A vCenter vRouter network uses custom ESX virtual IP addresses (VIPs) or system ESX VIPs to provide the load balancing service.
• The load balancing service distributes inbound traffic from a public vCenter IP address to a group of backend vCenter VM instances, and automatically detects and isolates unavailable vCenter VM instances. This improves service capacity and availability.
• A load balancing listener supports the HTTP and TCP protocols.
• A load balancer lets you configure multiple forwarding policies to achieve advanced forwarding control.
How to Use Load Balancing
The basic workflow for using load balancing in a vCenter vRouter environment is essentially the same as in a KVM vRouter environment.
1. Create a load balancer.
2. Create a listener and add it to the load balancer you created in the preceding step. Then, specify the mapping between the public port and the VM port, and set the rules and algorithm.
3. Select a VM NIC from a specified L3 network and attach the NIC to the listener for the load balancer to take effect.
Create Load Balancer
A load balancer is created in a vCenter vRouter environment in essentially the same way as in a KVM vRouter environment.
In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Load Balancing > Load Balancer. On the Load Balancer page, click Create Load Balancer. On the displayed Create Load Balancer page, set the parameters.
Note:
• If you choose to create a new VIP, select the public network that you created in the vCenter for Network, as shown in Figure 7-214: Create New VIP.

Figure 7-214: Create New VIP

• If you choose to use an existing VIP, select an existing custom ESX VIP or system ESX VIP for VIP, as shown in Figure 7-215: Use Existing VIP.

Figure 7-215: Use Existing VIP

Add Listener

The method of adding a listener in a vCenter vRouter environment is basically the same as that in a KVM vRouter environment.

Bind VM NIC to Listener

On the Load Balancer page, click the name of an existing load balancer to open its details page. Click the Listener tab to display the Listener tab page. Click the name of an existing listener to open its details page. Click the VM NIC tab to display the VM NIC tab page. Click Actions > Bind VM NIC to open the Bind VM NIC page, as shown in Figure 7-216: Go to Listener Details Page.

Figure 7-216: Go to Listener Details Page

On the displayed Bind VM NIC page, set the following parameters:
• Network: Select the L3 private network attached to the vCenter vRouter.
• VM NIC: Select the vCenter VM NIC.

These parameters are shown in Figure 7-217: Bind VM NIC to Listener. Click OK. Then, the chosen VM NIC is bound to the listener.

Figure 7-217: Bind VM NIC to Listener

Load Balancer Operations

The operations that you can perform on a load balancer in a vCenter vRouter environment are basically the same as those in a KVM vRouter environment.
• Modify name and description: Modify the name and description of the load balancer.
• Create listener: Create a listener for the load balancer.
• Delete: Delete the load balancer. Note that the associated listeners and load balancing service will also be deleted. However, the related VIP and services associated with the VIP will not be affected.
• Audit: View related operations supported by the load balancer.

The operations that you can perform on a listener in a vCenter vRouter environment are basically the same as those in a KVM vRouter environment.
• Modify name and description: Modify the name and description of the listener.
• Bind VM NIC: Bind a VM NIC to the listener of a load balancer. Then, the VM instance becomes a load balancing resource that works according to the listener rule.
• Unbind VM NIC: Unbind a VM NIC from the listener. Note that the VM NIC will be removed from the load balancing pool.
• Set weight value: When the load balancing algorithm uses weighted round robin, set the weight value for the corresponding VM instances as needed. Value range: 0-100.
• Bind certificate: If the protocol of your listener is HTTPS, you need to bind a certificate or a certificate link to your listener. Note that this operation is not supported if the listener type is TCP, HTTP, or UDP.
• Unbind certificate: If the protocol of your listener is HTTPS, you can unbind a certificate from the listener. Note that this operation is not supported if the listener type is TCP, HTTP, or UDP.
• Display the number of healthy VM instances: Display the number of healthy VM instances attached to the listener on the listener page, in the form healthy backend/total backend.
• Monitoring data: Display the monitoring data of the listener, such as the sessions and inbound/outbound traffic.
• Delete: Delete the listener. Note that the load balancing service provided by the listener will be automatically deleted.
• Audit: View related operations supported by the listener.

Load Balancing Constraints

The load balancing constraints in a vCenter vRouter environment are basically the same as those in a KVM vRouter environment.
• You can create more than one listener for a load balancer.
• The VM NICs bound to the listener of a load balancer must share the same L3 network.
• If the protocol of your listener is HTTPS, you can bind only one certificate to your listener at a time. To change your certificate, unbind the current one first.

7.6.5.3.5 IPsec Tunnel

A vCenter vRouter network uses custom ESX virtual IP addresses (VIPs) or system ESX VIPs to provide IPsec tunnel services.
• The IPsec tunnel service provides site-to-site VPN connections.

How to Use IPsec Tunnel in vRouter Network

The basic workflow of using an IPsec tunnel in a vCenter vRouter environment is basically the same as that in a KVM vRouter environment.
1. In the first environment, create an IPsec tunnel, specify the local public IP address of the first environment, and specify a local private network that is available. Enter the public IP address of the second environment as the peer IP address, and enter the private network specified in the second environment as the peer network.
2. In the second environment, create an IPsec tunnel, specify the local public IP address of the second environment, and specify a local private network that is available. Enter the public IP address of the first environment as the peer IP address, and enter the private network specified in the first environment as the peer network.

Note: The private IP ranges in these two vRouter network environments cannot overlap.

Create IPsec Tunnel in the First ZStack Environment

The method of creating an IPsec tunnel in a vCenter vRouter environment is basically the same as that in a KVM vRouter environment.

In the navigation pane of the ZStack Private Cloud UI, choose Network Service > VPN > IPsec Tunnel. On the IPsec Tunnel page, click Create IPsec Tunnel. On the displayed Create IPsec Tunnel page, set the parameters.

Note:
• If you choose to create a new VIP, select the public network that you created in the vCenter for Network, as shown in Figure 7-218: Create New VIP.

Figure 7-218: Create New VIP

• If you choose to use an existing VIP, select an existing custom ESX VIP or system ESX VIP for VIP, as shown in Figure 7-219: Use Existing VIP.

Figure 7-219: Use Existing VIP

• For Local Subnet, select a private network attached to the local vCenter vRouter. If only one private network is attached to the vCenter vRouter, this private network is selected by default, as shown in Figure 7-220: Create IPsecTunnel-1.

Figure 7-220: Create IPsecTunnel-1

Create IPsec Tunnel in the Second ZStack Environment

The procedure for creating an IPsec tunnel in the second ZStack environment is the same as that in the first environment. You only need to modify some parameters in the second environment. After these two IPsec tunnels are created, the private networks in the two ZStack environments can communicate with each other.

IPsec Tunnel Operations

The operations that you can perform on an IPsec tunnel in a vCenter vRouter environment are basically the same as those in a KVM vRouter environment.
• Modify name and description: Modify the name and description of the IPsec tunnel.
• Delete: Delete the IPsec tunnel. Note that the services provided by the IPsec tunnel will also be deleted. However, the corresponding VIP and services associated with the VIP are not affected.
• Audit: View the related operations supported by the IPsec tunnel.

7.6.6 Volume

Context

In vCenter, a volume provides storage for vCenter VM instances. A volume can either be a root volume or a data volume.
• Root volume: a system disk where the VM instance operating system is installed.
• Data volume: a data disk that provides additional storage for a VM instance. In vCenter, data volumes are mainly involved in volume management.
The following part describes how to create a vCenter volume in ZStack.

Procedure

1. Create a vCenter volume.

In the navigation pane of the ZStack Private Cloud UI, choose vCenter > Volume. Then, the Volume page is displayed, as shown in Figure 7-221: vCenter Volume.

Figure 7-221: vCenter Volume

Note: ZStack allows you to manage resources of multiple vCenters. You can view the resources of all vCenters or of a single vCenter by clicking the vCenter drop-down arrow.

Click Create Volume. On the displayed Create Volume page, set the following parameters:
• Name: Enter a name for the vCenter volume.
• Description: Optional. Enter a description for the vCenter volume.
• Create Method: Select a method to create the vCenter volume. Options: Disk offering | Volume image.
  ▬ Disk offering: If you choose to create a vCenter volume by using a disk offering, set the following parameters:
    • Disk offering: Select a proper disk offering.
    • Primary Storage and VM Instance: Optional. Select a primary storage or VM instance.
      ▬ If neither of these two parameters is specified, the volume you created will not be instantiated, and will be displayed on the Not Instantiated tab page.
        Note: Uninstantiated volumes are only conceptual devices that do not occupy any actual space. These volumes will be instantiated after they are attached to a VM instance.
      ▬ If both of these two parameters are specified, the volume will be created in the specified primary storage and attached to the specified VM instance.
      ▬ If only VM Instance is specified, the volume will be created in the primary storage where the VM instance is located.
      ▬ If only Primary Storage is specified, the volume will be created in the specified primary storage. In addition, the volume will be in the Available state and will occupy actual space.
  ▬ Volume image: If you choose to create a vCenter volume by using a volume image, set the following parameters:
    • Volume image: Select a proper volume image. Note that you need to upload the required volume image to the backup storage in advance.
    • VM Instance: Select the VM instance to which the volume will be attached. After selection, the volume will be created in the primary storage where the VM instance is located.
    • Specify primary storage: Optional. If this checkbox is selected, the volume will be created in the specified primary storage.

The following figure is an example of creating a vCenter volume by using a disk offering, as shown in Figure 7-222: Create vCenter Volume from Disk Offering.

Figure 7-222: Create vCenter Volume from Disk Offering

The following figure is an example of creating a vCenter volume by using a volume image, as shown in Figure 7-223: Create vCenter Volume from Volume Image.

Figure 7-223: Create vCenter Volume from Volume Image

2. Click OK. Then, the vCenter volume is successfully created.

What's next

Similar to volumes in a KVM environment, vCenter volumes are divided into existing volumes, uninstantiated volumes, and deleted volumes.

You can perform the following operations on an existing volume:
• Create: Create a new volume based on a disk offering or volume image.
• Enable: Enable a volume that is in the stopped state.
• Disable: Disable a volume.
• Attach: Attach a volume to a specified VM instance to act as a data volume.
• Detach: Detach a volume from a VM instance.
• Change owner: Change the owner of a volume.
  Note: ZStack supports multi-tenant management in the managed vCenter. Normal accounts and project members can perform operations on vCenter volumes.
• Delete: After you delete a volume, you can view it on the Deleted tab page.
• Modify name and description: Modify the name and description of a volume.

You can perform the following operations on an uninstantiated volume:
• Enable: Enable an uninstantiated volume that is in the disabled state.
• Disable: Disable an uninstantiated volume.
• Attach: Attach an uninstantiated volume to a specified VM instance to act as a data volume.
• Delete: After you delete an uninstantiated volume, you can view it on the Deleted tab page.
• Modify name and description: Modify the name and description of an uninstantiated volume.

You can perform the following operations on a deleted volume:
• Restore: After you restore a deleted volume, you can view it on the Available tab page.
• Expunge: Completely delete a volume.

When you use a vCenter volume, note that:
• Volumes are hypervisor specific. That is, a volume that has been attached to a VM instance of one hypervisor type cannot be attached to a VM instance of another hypervisor type. For example, a volume of a KVM VM instance cannot be attached to a vCenter VM instance.
• A volume can be attached to or detached from different VM instances of the same hypervisor type.
• A volume can only be attached to one VM instance at a time.
• A volume has two sizes: real size and virtual size. The space occupied by a volume is calculated by using its virtual size. When you create a volume, the virtual size is occupied, and only a small amount of real size is used. As the number of written files increases, the real size gradually increases.
• A root volume is always attached to its owner VM instance and cannot be detached.

7.6.7 Image

Context

In ZStack, you can add a local image of the VMDK format to a vCenter. Then, you can synchronize the vCenter image between the local client and the remote client by synchronizing data. Both system images and volume images can be added.

The following part describes how to add a vCenter image in ZStack.

Procedure

1. Add a vCenter image.

In the navigation pane of the ZStack Private Cloud UI, choose vCenter > Image. Then, the Image page is displayed, as shown in Figure 7-224: vCenter Image.

Figure 7-224: vCenter Image

Note: ZStack allows you to manage resources of multiple vCenters. You can view the resources of all vCenters or of a single vCenter by clicking the vCenter drop-down arrow.

Click Add Image. On the displayed Add Image page, set the following parameters:
• Name: Enter a name for the vCenter image.
  Note: The name of the vCenter image cannot be the same as that of a vCenter VM instance.
• Description: Optional. Enter a description for the vCenter image.
• Image Type: Select an image type. Options: System image | Volume image.
  ▬ System image: If you choose to add a system image, set the following parameters:
    • Platform: Select the platform on which the vCenter image will run. Options: Linux | Windows | Other.
      Note: The image platform decides whether a Virtio driver (including the disk driver and NIC driver) is used when you create VM instances.
      • Linux: Uses a Virtio driver.
      • Windows: Does not use a Virtio driver. The image operating system is a Windows OS without a Virtio driver installed.
      • Other: Does not use a Virtio driver. The image operating system can be of any type.
    • Backup Storage: Select a vCenter backup storage.
    • URL: Enter the URL from which the system vCenter image can be downloaded.
  ▬ Volume image: If you choose to add a vCenter volume image, set the following parameters:
    • Backup Storage: Select a vCenter backup storage.
    • URL: Enter the URL from which the vCenter image can be downloaded.

The following figure is an example of adding a system vCenter image, as shown in Figure 7-225: Add System vCenter Image.
Figure 7-225: Add System vCenter Image

The following figure is an example of adding a vCenter volume image, as shown in Figure 7-226: Add vCenter Volume Image.

Figure 7-226: Add vCenter Volume Image

2. Click OK. Then, the vCenter image is successfully created.

What's next

You can perform the following operations on a vCenter image:
• Add: Add a local image of the VMDK format to a vCenter. Currently, images of the ISO format cannot be added.
• Enable: After you enable an image, the image can be used as a backup.
• Disable: After you disable an image, the image cannot be used as a backup.
• Share to all: After you share an image globally, all normal accounts and projects can use this image.
• Recall from all: After you recall an image globally, the image becomes invisible to all accounts and projects.
• Share: Share an image with a specified account or project.
• Recall: Recall an image from a specified account or project.
• Change owner: Change the owner of an image.
• Delete: Deleting an image also deletes the local records and the actual image resource in the remote vCenter.

Note: ZStack supports multi-tenant management in the managed vCenter. Normal accounts and project members can use the vCenter images shared by an administrator.

7.6.8 Event Message

In the navigation pane of the ZStack Private Cloud UI, choose vCenter > Event Message. Then, the Event Message page is displayed, as shown in Figure 7-227: Event Message.

Figure 7-227: Event Message

The Event Message feature allows you to check vCenter alarm messages, including the message description, type, the vCenter from which the event message is sent, the triggering user, the target, and the date.
• The UI can display up to 300 event messages. You can set a time range to check alarm messages within that range via the time adjustment button at the upper left.
• You can choose the number of alarm messages displayed per page via the display count button at the upper right. Optional values: 10 | 20 | 50 | 100. In addition, you can turn pages by clicking the left arrow button and the right arrow button.

So far, we have introduced how to use a vCenter managed by ZStack.

7.7 Platform O&M

Platform O&M mainly includes performance statistics, the notification center, the operation log, ZWatch, and the notification service.

7.7.1 Performance TOP5

Performance TOP5 is a visual performance monitoring page designed for O&M personnel. This page provides a direct and simple display of the top 5 information of various monitoring metrics for hosts, VM instances, routers, L3 networks, and VIPs. In this way, O&M personnel can directly grasp the real-time health state of resources on the cloud and quickly locate problems.

In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > Performance TOP5 to enter the Performance TOP5 page. The Performance TOP5 page includes the Host, VM Instance, Router, L3 Network, and VIP tab pages.
• Host tab page: On the Host tab page, the cloud analyzes the CPU, memory, disk, and network resource utilization of all hosts under the current zone. In addition, the cloud provides a real-time top 5 display by taking average CPU utilization, memory utilization, disk read/write IOPS, used disk capacity in percent, disk read/write speed, NIC out/in speed, NIC out/in packet rate, and NIC out/in error rate as performance metrics. Different colors of real-time percentage ranks and progress bars directly indicate resource utilization or performance bottlenecks, as shown in Figure 7-228: Host Performance TOP5.

Figure 7-228: Host Performance TOP5

Click one of the top 5 resource names to check resource details, as shown in Figure 7-229: Top 5 Resource Details.
Figure 7-229: Top 5 Resource Details

• VM tab page: The VM Instance tab page includes VM external monitoring and VM internal monitoring.
  • Similar to the Host tab page, the VM external monitoring page provides a utilization analysis of the CPU, memory, disk, and network resources of all VM instances under the current zone. In addition, the external monitoring page provides a real-time top 5 display by taking average CPU utilization, memory utilization, memory free (idle) in percent, disk read/write IOPS, disk read/write speed, NIC out/in speed, NIC out/in packet rate, and NIC out/in error rate as performance metrics. Different colors of real-time percentage ranks and progress bars directly indicate resource utilization or performance bottlenecks.
  • If you need to check the internal monitoring of VM instances, install an agent. For more information about the agent installation, see Agent Installation. On the internal monitoring page, the cloud analyzes the CPU, memory, and disk utilization of all VM instances under the current zone. In addition, the cloud provides a real-time top 5 display by taking average CPU utilization, memory utilization, memory free in percent, used disk capacity in percent, and disk free in percent as performance metrics. Different colors of real-time percentage ranks and progress bars directly indicate resource utilization or performance bottlenecks, as shown in Figure 7-230: VM Internal Monitoring TOP5.

Figure 7-230: VM Internal Monitoring TOP5

Note: For memory data, internal monitoring is more accurate than external monitoring. We recommend that you use internal monitoring to monitor memory data.

• Router tab page: The Router tab page includes router external monitoring and router internal monitoring.
  • Similar to the VM Instance tab page, the router external monitoring page provides a utilization analysis of the CPU, memory, disk, and network resources of all routers (including vRouters and VPC vRouters) under the current zone. In addition, the external monitoring page provides a real-time top 5 display by taking average CPU utilization, memory utilization, memory free (idle) in percent, disk read/write IOPS, disk read/write speed, NIC out/in speed, NIC out/in packet rate, and NIC out/in error rate as performance metrics. Different colors of real-time percentage ranks and progress bars directly indicate resource utilization or performance bottlenecks.
  • If you need to check the internal monitoring of routers, install an agent. For more information about the agent installation, see Agent Installation. On the router internal monitoring page, the cloud analyzes the CPU, memory, and disk utilization of all VM instances under the current zone. In addition, the cloud provides a real-time top 5 display by taking average CPU utilization, memory utilization, memory free in percent, used disk capacity in percent, and disk free in percent as performance metrics. Different colors of real-time percentage ranks and progress bars directly indicate resource utilization or performance bottlenecks.
• L3 network tab page: On the L3 Network tab page, the cloud analyzes the IP resource utilization of all L3 networks under the current zone. In addition, the cloud provides a real-time top 5 display by taking used IP in percent, used IP count, available IP in percent, and available IP count as performance metrics. Different colors of real-time percentage ranks and progress bars directly indicate the IP resource utilization of L3 networks, as shown in Figure 7-231: L3 Network Performance TOP5.
Figure 7-231: L3 Network Performance TOP5

• VIP tab page: On the VIP tab page, the cloud analyzes the network transmission performance of all VIPs under the current zone. In addition, the cloud provides a real-time top 5 display by taking network in (bytes), network out (bytes), network packets in (count), and network packets out (count) as performance metrics. Different colors of real-time percentage ranks and progress bars directly indicate performance bottlenecks of some VIPs, as shown in Figure 7-232: VIP Performance TOP5.

Figure 7-232: VIP Performance TOP5

Additional Information
• On the Performance TOP5 page, select the time drop-down box at the upper right to set the data collection period for hosts, VM instances, routers, and VIPs. Optional periods: 1 minute, 1 hour, 1 week, and 1 month. The L3 Network tab page does not have a data collection period setting.
• A regular account can check the Performance TOP5 page. Similar to an admin, the regular account can directly and easily check top 5 information of various monitoring metrics for VM instances, routers, VIPs, and L3 networks on the Performance TOP5 page. In this way, you can directly grasp the real-time health state of resources on the cloud and quickly locate problems.
• A project member can also check the Performance TOP5 page. Similar to an admin, the project member can directly and easily check top 5 information of various monitoring metrics for VM instances, routers, L3 networks, and VIPs on the Performance TOP5 page. In this way, you can directly grasp the real-time health state of resources on the cloud and quickly locate problems.

7.7.2 Performance Analysis

Performance Analysis is a performance statistics page designed for O&M personnel. This page takes resources as the unit to directly and simply display parameters of various monitoring metrics for VM instances, routers, hosts, L3 networks, VIPs, and backup storages over different time ranges. In this way, O&M personnel can directly grasp the health state of resources on the cloud.

In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > Performance Analysis to enter the Performance Analysis page. The Performance Analysis page includes six tab pages: VM Instance, Router, Host, L3 Network, VIP, and Backup Storage.
• VM Instance or Router tab page: The VM Instance or Router tab page includes external monitoring and internal monitoring.
  • On the external monitoring page, the cloud analyzes the CPU, memory, disk, and network resource utilization of all VM instances or routers under the current zone. In addition, the cloud provides a direct display of average CPU utilization, memory utilization, disk read/write speed, and NIC out/in speed. In this way, you can directly grasp the performance metrics of resources within the cloud, as shown in Figure 7-233: Performance Analysis of VM or Router External Monitoring.

Figure 7-233: Performance Analysis of VM or Router External Monitoring

  • On the internal monitoring page, the cloud analyzes the plug-in state, operating system, default IP, CPU utilization, memory utilization, and used disk capacity of all VM instances or routers under the current zone. In addition, the cloud provides a direct display of the plug-in state, operating system, default IP, CPU utilization, memory utilization, and used disk capacity as performance metrics. In this way, you can directly grasp the performance metrics of resources within the cloud, as shown in Figure 7-234: Performance Analysis of VM or Router Internal Monitoring.
Figure 7-234: Performance Analysis of VM or Router Internal Monitoring

Note:
• On the VM Instance tab page, click Stop to stop VM instances.
• If a VM instance has multiple CPUs, its CPU utilization on the VM external monitoring page will probably exceed 100%.
• For memory data, internal monitoring is more accurate than external monitoring. We recommend that you use internal monitoring to monitor memory data.

• Host tab page: On the Host tab page, the cloud analyzes the CPU, memory, disk, and network resource utilization of all hosts under the current zone. In addition, the cloud provides a direct display of average CPU utilization, memory utilization, disk read speed, disk write speed, NIC in speed, and NIC out speed as performance metrics. In this way, you can directly grasp the performance metrics of resources within the cloud, as shown in Figure 7-235: Host Performance Analysis.

Figure 7-235: Host Performance Analysis

• L3 Network tab page: On the L3 Network tab page, the cloud analyzes the IP utilization of all L3 networks under the current zone. In addition, the cloud provides a direct display of the used IP count, used IP in percent, available IP count, and available IP in percent as performance metrics. In this way, you can directly grasp the IP resource utilization of the current L3 networks within the cloud, as shown in Figure 7-236: L3 Network Performance Analysis.

Figure 7-236: L3 Network Performance Analysis

• VIP tab page: On the VIP tab page, the cloud analyzes the network transmission performance of all VIPs under the current zone. In addition, the cloud provides a direct display of inbound traffic in bytes, inbound traffic in packets, outbound traffic in bytes, and outbound traffic in packets. In this way, you can directly locate transmission bottlenecks that occur in some VIPs, as shown in Figure 7-237: VIP Performance Analysis.

Figure 7-237: VIP Performance Analysis

• Backup Storage tab page: On the Backup Storage tab page, the cloud analyzes the capacity of all backup storages under the current zone. In addition, the cloud provides a direct display of the available backup storage capacity as a performance metric. In this way, you can directly grasp the storage utilization of backup storages, as shown in Figure 7-238: Backup Storage Performance Analysis.

Figure 7-238: Backup Storage Performance Analysis

Additional Information
• You can customize the data range (defaults to 1 minute). By clicking the time range button at the upper right, specify a start time and an end time to check performance analysis data within different time ranges.
• The left-side filter allows you to check a custom performance analysis list according to the resource range and the filter entry. Specifically, VM instances, routers, and VIPs allow you to display a custom performance analysis list according to owner.
• By default, each page displays 20 entries. You can choose the number of resources displayed on a single page. Options: 10, 20, 50, and 100. In addition, you can turn pages by clicking the left arrow button and the right arrow button.
• By clicking the download button at the upper right, export a CSV file of resource information.
• A regular account or project member can check Performance Analysis. Similar to an admin, the regular account or project member can directly and easily check the real-time utilization of VM instances, routers, L3 networks, and VIPs on the Performance Analysis page.

7.7.3 Capacity Management

Capacity Management provides a direct display of core resource capacity statistics on the cloud. With Capacity Management, various storage metrics on the cloud are analyzed and rearranged to display detailed capacities of core resources in cards.
In addition, Top 10 resource capacities are displayed so that you can directly manipulate resource utilizations on the cloud. Capacity Management | Overview In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > Capacity Management to enter the Capacity Management management page. 600 Issue: V3.9.0User Guide / 7 Cloud Operations Guide Figure 7-239: Capacity Management The Capacity Management page mainly includes the following two sections: • Upper section: Displays detailed capacities of various core resources in card, including primary storages, backup storages, compute nodes, VM instances, volumes, images, snapshots, and management nodes. • Lower section: Sorts top 10 capacities of various core resources, including hosts, primary storages, backup storages, VM instances, images, VM instances, volumes, and snapshots. Note: • The resource capacities displayed in this page are all actual physical capacities of your resources. • The data in this page are all static. To obtain the latest data, refresh this page each time when you go to this page. • Currently, capacity statistics of primary storages can be analyzed and provided, such as LocalStorage, SharedBlock, and Ceph. • Currently, capacity statistics of backup storages can be analyzed and provided, such as ImageStore and Ceph. Resource Capacity | Card Details Detailed capacities of various core resources are displayed in card as follows: Issue: V3.9.0 601User Guide / 7 Cloud Operations Guide • Primary storage card: Displays capacity utilizations of primary storages under the current zone. ▬ Resource overview: Displays the resource count, used capacity, and total capacity of primary storages under the current zone. With the resource overview, the total capacity utilization of primary storages is displayed directly in capacity progress bar, where different colors represent different types of capacity utilizations of primary storages under the current zone. 
    In addition, the available capacities are shown under the progress bar.
    ■ Resource count: Displays the total count of all primary storages under the current zone.
    ■ Used capacity: Displays the used capacities of all primary storages under the current zone.
    ■ Total capacity: Displays the total capacity of all primary storages under the current zone.
    ■ Available capacity: Displays the total available capacities of all primary storages under the current zone.
  ▬ Resource details: Displays capacity details of different types of data in primary storages under the current zone.

Table 7-9: Primary Storage (Data Type / Description)
• Root volume
  Root volume: the system volumes of VM instances that support the running of the VM instances.
  Root volume capacity: the total capacity of all root volumes under the current zone.
  Note: Statistics of root volume capacities include:
  • System data of VM instances
  • System data of VPC vRouters
  • System data of vRouters
• Data volume
  Data volume: the data volumes used by VM instances. Generally, a data volume is used for extensible storage.
  Data volume capacity: the total capacity of all data volumes under the current zone.
• Image cache
  Image cache: When you create a VM instance or volume for the first time, images in your backup storage are downloaded to your primary storage to serve as image caches.
  Image cache capacity: the total capacity of image caches in all primary storages under the current zone.
• Trash
  Trash: the residual source files in the source primary storage when you migrate VM instances or volumes across primary storages.
  Trash capacity: the total trash capacity of all primary storages under the current zone.
• Others
  Others: the operating system, logs, and third-party software stored in the primary storage.
  Other capacity: the total capacity of other data in all primary storages under the current zone.
Note: We do not recommend that you deploy multiple local storages on the same physical disk. If you do, capacity statistics of primary storages will not be accurate.
• Backup storage card: Displays capacity utilizations of backup storages under the current zone.
  ▬ Resource overview: Displays the resource count, used capacity, and total capacity of backup storages under the current zone. With the resource overview, the total capacity utilization of backup storages is displayed directly in a capacity progress bar, where different colors represent different types of capacity utilizations of backup storages under the current zone. In addition, the available capacities are shown under the progress bar.
    ■ Resource count: Displays the total count of all backup storages under the current zone.
    ■ Used capacity: Displays the used capacities of all backup storages under the current zone.
    ■ Total capacity: Displays the total capacity of all backup storages under the current zone.
    ■ Available capacity: Displays the total available capacities of all primary storages under the current zone.
  ▬ Resource details: Displays capacity details of different types of data in different backup storages under the current zone.

Table 7-10: Backup Storage (Backup Storage Type / Data Type / Description)
• ImageStore
  ▬ Image
    Image: the image template files used by VM instances or volumes.
    Image capacity: the total image capacity of all ImageStore backup storages under the current zone.
  ▬ Backup
    Backup: the stored backup files of all ImageStore backup storages that serve as local backup storages.
    Backup capacity: the total backup capacity of all ImageStore backup storages that serve as local backup storages under the current zone.
  ▬ Trash
    Trash: the residual source files in the source primary storage when you migrate images across ImageStore backup storages.
    Trash capacity: the total trash capacity of all ImageStore backup storages under the current zone.
    Note: Currently, images are not allowed to migrate across ImageStore backup storages. In this regard, statistics of the corresponding trash capacities are excluded.
  ▬ Others
    Others: the operating system, logs, and third-party software stored in ImageStore backup storages.
    Other capacity: the total capacity of other data in all ImageStore backup storages under the current zone.
• Ceph
  ▬ Image
    Image: the image template files used by VM instances or volumes.
    Image capacity: the total image capacity of all Ceph backup storages under the current zone.
  ▬ Trash
    Trash: the residual source files in the source primary storage when you migrate images across Ceph backup storages.
    Trash capacity: the total trash capacity of all Ceph backup storages under the current zone.
  ▬ Others
    Others: the operating system, logs, and third-party software stored in Ceph backup storages.
    Other capacity: the total capacity of other data in all Ceph backup storages under the current zone.
• Compute node card: Displays capacity utilizations of compute nodes under the current zone.
  ▬ Cloud platform: the total capacity of all compute node disks occupied by the cloud system files under the current cloud.
  ▬ Others: the total of the other used capacities of all compute nodes under the current zone, apart from the capacity occupied by the cloud system files.
• VM card: Displays capacity utilizations of VM instances under the current zone.
  ▬ Number: the total number of all VM instances under the current zone.
  ▬ Used capacity: the total capacity of all VM root volumes under the current zone.
    Note: Capacity statistics of root volumes only include system data of VM instances.
• Volume card: Displays capacity utilizations of volumes under the current zone.
  ▬ Number: the total number of all data volumes under the current zone.
  ▬ Used capacity: the total capacity of all data volumes under the current zone.
• Image card: Displays capacity utilizations of images under the current zone.
  ▬ Number: the total number of all images under the current zone.
  ▬ Used capacity: the total capacity of all images under the current zone.
• Snapshot card: Displays capacity details of snapshots under the current zone.
  ▬ Number: the total number of all snapshots under the current zone.
    Note:
    • Number statistics of snapshots include snapshots of VM instances and snapshots of volumes.
    • If you have batch snapshots, these batch snapshots are divided into the corresponding VM snapshots and the snapshots of all data volumes attached to VM instances, and then the number statistics of both kinds of snapshots are analyzed and displayed respectively.
  ▬ Used capacity: the total capacity of all snapshots under the current zone.
    Note: Snapshots on Ceph primary storages do not occupy capacity, so statistics of the corresponding snapshot capacity are excluded.
• Management node card: Displays capacity utilization details of the current cloud management node.
  ▬ Resource overview: Displays the resource count, used capacity, and total capacity of the cloud management node. With the resource overview, the total capacity utilization of the cloud management node is displayed directly in a capacity progress bar, where different colors represent capacity utilizations of different types of data in the cloud management node. In addition, the available capacities are shown under the progress bar.
    ■ Single-MN scenario:
      ■ Used capacity: the used capacity of the current cloud management node.
      ■ Total capacity: the total capacity of the current cloud management node.
      ■ Available capacity: the available capacity of the current cloud management node.
    ■ Multi-MN host HA scenario:
      ■ Used capacity: the total used capacity of all management nodes in the current cloud.
      ■ Total capacity: the total capacity of all management nodes in the current cloud.
      ■ Available capacity: the total available capacity of all management nodes in the current cloud.
  ▬ Resource details: Displays capacity details of different types of data in the management node.

Management node data types (First-Level Data Type / Second-Level Data Type / Description)
• Cloud platform
  ▬ MN log
    MN log: the operation log files of the management node.
    MN log capacity:
    • Single-MN scenario: the capacity of the management node log in the current cloud.
    • Multi-MN host HA scenario: the total capacity of all management node logs in the current cloud.
  ▬ Database
    Database: the MN database used for storing and managing all MN databases of the cloud.
    Database capacity:
    • Single-MN scenario: the capacity occupied by the management node database of the current cloud.
    • Multi-MN host HA scenario: the total capacity occupied by all databases of the current cloud management node.
  ▬ Database backup
    Database backup: the backup data of the MN database.
    Database backup capacity:
    • Single-MN scenario: the capacity occupied by the MN database backup of the current cloud.
    • Multi-MN host HA scenario: the total capacity of all MN database backups in the current cloud.
  ▬ Monitoring
    Monitoring: the cloud monitoring data and audit data stored in the management node.
    Monitoring capacity:
    • Single-MN scenario: the capacity of the cloud monitoring data and audit data stored in the management node.
    • Multi-MN host HA scenario: the total capacity of the cloud monitoring data and audit data stored in all management nodes.
  ▬ Upgrade backup
    Upgrade backup: the backup data of the management node database and the configuration files when the cloud upgrades.
    Upgrade backup capacity:
    • Single-MN scenario: the capacity occupied by the MN upgrade database of the current cloud.
    • Multi-MN host HA scenario: the total capacity of all MN upgrade backups in the current cloud.
• Others
  ▬ /
    Others: all other data stored in the management node apart from the associated cloud data (MN log, database, database backup, monitoring, and upgrade backup).
    Other capacity:
    • Single-MN scenario: the other data capacities in the management node of the current cloud.
    • Multi-MN host HA scenario: the total capacity of other data of all management nodes in the current cloud.

Resource Capacity | Top 10
Capacities of various core resources can be sorted in top 10 order as follows:
• Host
  Hosts under the current zone are sorted in top 10 order according to the capacity state, used capacity, available capacity, and total capacity.
  • Capacity state: the used capacity percentage of the host.
    Note: Capacity state = used capacity / total capacity
  • Used capacity: the total used capacity of each partition directory on the host.
    Note: Used capacity details of different partition directories are displayed, including:
    • Root partition: the used capacity of the root partition directory on the host.
    • Others: the total used capacity of the other partition directories on the host apart from the root partition.
  • Available capacity: the total available capacity of each partition directory on the host.
  • Total capacity: the total capacity of each partition directory on the host.
    Note: Total capacity = used capacity + available capacity
  Hosts in top 10 are shown in Resource Capacity Top 10 | Host.
  Figure 7-240: Resource Capacity Top 10 | Host
  Besides, the Actions column provides the following two icons:
  • Copy UUID: Click the copy icon to copy the UUID of the host.
  • Disk capacity details: Click the disk capacity details icon. On the displayed Disk Capacity Detail page, view each disk partition of the host, and sort the disk partitions according to the capacity state, used capacity, and total capacity.
    ▬ Disk partition: Displays the directory of the disk partition.
    ▬ Mount point: Displays the mount point of the disk partition.
    ▬ Capacity state: Displays the used capacity percentage of the disk partition.
    ▬ Used capacity: Displays the used capacity of the disk partition.
    ▬ Total capacity: Displays the total capacity of the disk partition.
    Capacity details of disks are shown in Disk Capacity Detail.
    Figure 7-241: Disk Capacity Detail
• Primary storage
  Primary storages under the current zone are sorted in top 10 order according to the capacity state, used capacity, available capacity, and total capacity.
  • Capacity state: the used capacity percentage of the primary storage.
    Note: Capacity state = used capacity / total capacity
  • Used capacity: the used capacity of the primary storage.
    Note: Capacity details of different types of data can be displayed.
    • Root volume: the total capacity of all root volumes in the primary storage.
      Note: Statistics of root volume capacities include:
      • System data of VM instances
      • System data of VPC vRouters
      • System data of vRouters
    • Data volume: the total capacity of all data volumes in the primary storage.
    • Image cache: the total capacity of all image caches in the primary storage.
    • Trash: the total capacity of all trash in the primary storage.
    • Others: the total capacity of all other data in the primary storage.
  • Available capacity: the available capacity of the primary storage.
  • Total capacity: the total capacity of the primary storage.
    Note: Total capacity = used capacity + available capacity
  Primary storages in top 10 are shown in Resource Capacity Top 10 | Primary Storage.
  Figure 7-242: Resource Capacity Top 10 | Primary Storage
  Besides, the Actions column provides the following icon:
  • Copy UUID: Click this icon to copy the UUID of a primary storage.
• Backup storage
  Backup storages under the current zone are sorted in top 10 order according to the capacity state, used capacity, available capacity, and total capacity.
  • Capacity state: the used capacity percentage of the backup storage.
    Note: Capacity state = used capacity / total capacity
  • Used capacity: the used capacity of the backup storage.
    Note: Capacity details of different types of data can be displayed.
    • Image: the total capacity of all images in the backup storage.
    • Backup: the total capacity of all backups (when this backup storage serves as a local backup storage).
    • Trash: the total capacity of all trash in the backup storage.
      Note: Currently, images are not allowed to migrate across ImageStore backup storages. In this regard, statistics of the corresponding trash capacities are excluded.
    • Others: the total capacity of all other data in the backup storage.
  • Available capacity: the available capacity of the backup storage.
  • Total capacity: the total capacity of the backup storage.
    Note: Total capacity = used capacity + available capacity
  Backup storages in top 10 are shown in Resource Capacity Top 10 | Backup Storage.
  Figure 7-243: Resource Capacity Top 10 | Backup Storage
  Besides, the Actions column provides the following icon:
  • Copy UUID: Click this icon to copy the UUID of a backup storage.
• Image
  Images under the current zone are sorted in top 10 order according to the image used capacity.
  • Image used capacity: the actual physical capacity of the image.
  Images in top 10 are shown in Resource Capacity Top 10 | Image.
  Figure 7-244: Resource Capacity Top 10 | Image
  Besides, the Actions column provides the following icon:
  • Copy UUID: Click this icon to copy the UUID of an image.
• VM Instance
  VM instances under the current zone are sorted in top 10 order according to the actual capacity and the capacity.
  • Actual capacity: the actual physical capacity of the VM root volume, including the actual on-disk capacity of the root volume and all snapshot capacities.
  • Capacity: the virtual capacity of the VM root volume. That is, the capacity that the cloud allocates for the root volume according to the disk offering.
  VM instances in top 10 are shown in Resource Capacity Top 10 | VM Instance.
  Figure 7-245: Resource Capacity Top 10 | VM Instance
  Besides, the Actions column provides the following icon:
  • Copy UUID: Click this icon to copy the UUID of a VM instance.
• Volume
  Data volumes under the current zone are sorted in top 10 order according to the actual capacity and the capacity.
  • Actual capacity: the actual physical capacity of the data volume, including the actual on-disk capacity of the data volume and all snapshot capacities.
  • Capacity: the virtual capacity of the VM data volume. That is, the capacity that the cloud allocates for the data volume according to the disk offering.
  Data volumes in top 10 are shown in Resource Capacity Top 10 | Volume.
  Figure 7-246: Resource Capacity Top 10 | Volume
  Besides, the Actions column provides the following icon:
  • Copy UUID: Click this icon to copy the UUID of a data volume.
• Snapshot
  Snapshots under the current zone are sorted in top 10 order according to the snapshot capacity.
  • Snapshot capacity: the actual physical capacity of the snapshot.
    Note:
    • Two types of snapshots are supported: VM snapshots and volume snapshots.
    • If you have batch snapshots, these batch snapshots are divided into the corresponding VM snapshots and the snapshots of all data volumes attached to VM instances, and then the capacities of both kinds of snapshots are analyzed and sorted respectively.
    • Snapshots on Ceph primary storages do not occupy capacity, so statistics of the corresponding snapshot capacity are excluded.
  Snapshots in top 10 are shown in Resource Capacity Top 10 | Snapshot.
  Figure 7-247: Resource Capacity Top 10 | Snapshot
  Besides, the Actions column provides the following icon:
  • Copy UUID: Click this icon to copy the UUID of a snapshot.
Note:
• If your primary storages or backup storages are in the disconnected status, the accuracy of the statistics on the associated resource capacity cards and in the top 10 resource capacities will be affected.
• After you delete or reconnect primary storages and backup storages, wait a while and refresh the capacity management page to obtain the latest capacity data.

7.7.4 ZWatch
ZStack supports a brand-new ZWatch alarm monitoring system.
• ZWatch provides a diversity of alarm metric items and supports multiple endpoint types, including email, DingTalk, HTTP application, and short message service.
• Design principle: An alarm or event sends messages to a theme of the SNS notification system. Then, the messages are automatically pushed to every endpoint that has subscribed to the theme. The messages that are sent to an endpoint are pushed to a specified address by means of email, DingTalk, HTTP POST, or short message.
• The ZWatch monitoring system is thoroughly but loosely coupled to the SNS notification system. Based on open designs, you can customize alarms and events, and extend more resource types as needed. As a result, all system information can be monitored in a comprehensive, fine-grained, and flexible manner.
• Monitoring data retention defaults to 6 months. In the advanced settings, customize your monitoring data retention cycle. The steps for setting data retention are as follows: On the UI, choose Settings > Global Settings > Advanced, and set Retention time of Monitoring data. Default value: 6. Unit: month. Value range (integer): 1-12.

7.7.4.1 Alarm
The ZWatch alarm monitoring system allows you to set alarms for time series data and events. This chapter describes resource alarms and event alarms respectively.

7.7.4.1.1 Resource Alarm
A resource alarm mainly monitors time series data of the system, such as VM memory utilization and host CPU utilization. You can customize a resource alarm.

Resource Alarm Page
In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > ZWatch > Alarm. Then, the Resource Alarm page is displayed, as shown in Resource Alarm Page.
Figure 7-248: Resource Alarm Page
On the Resource Alarm tab page, the system provides the following default resource alarms.

Default Resource Alarm / Description
• Db Fencer Ip Reachable Alarm
  • By default, the monitor IP state of a multi-MN environment is monitored.
  • If a monitor IP cannot be reached for 10 consecutive minutes, this alarm will be triggered.
  • By default, the cloud notification will be triggered. After you bind an endpoint, you will receive alarm notifications via the endpoint.
• Time Needed To Sync DB Alarm
  • By default, the database state of a multi-MN environment is monitored.
  • If the data of the multi-MN environment database is detected to be out of synchronization for one consecutive hour, this alarm will be triggered.
  • By default, the cloud notification will be triggered. After you bind an endpoint, you will receive alarm notifications via the endpoint.
• License Enabled Days Alarm
  • By default, the license of the cloud, module licenses, and distributed storage licenses are monitored.
  • If the time to expiration of any license is less than or equal to 15 days, this alarm will be triggered.
  • By default, the cloud notification will be triggered. After you bind an endpoint, you will receive alarm notifications via the endpoint.
• Primary Storage Physical Available Capacity Alarm
  • By default, all primary storages on the cloud are monitored.
  • If the available physical capacity of any primary storage exceeds 80%, this alarm will be triggered.
  • By default, the cloud notification will be triggered. After you bind an endpoint, you will receive alarm notifications via the endpoint.
• Host Root File System Used Capacity Alarm
  • By default, all hosts on the cloud are monitored.
  • If the root disk utilization of any host exceeds 80%, this alarm will be triggered.
  • By default, the cloud notification will be triggered. After you bind an endpoint, you will receive alarm notifications via the endpoint.
• Backup Storage Available Capacity Alarm
  • By default, all backup storages on the cloud are monitored.
  • If the available capacity of any backup storage is less than 20%, this alarm will be triggered.
  • By default, the cloud notification will be triggered. After you bind an endpoint, you will receive alarm notifications via the endpoint.
• Primary Storage Available Capacity Alarm
  • By default, all primary storages on the cloud are monitored.
  • If the available capacity of any primary storage is less than 20%, this alarm will be triggered.
  • By default, the cloud notification will be triggered. After you bind an endpoint, you will receive alarm notifications via the endpoint.
• System Data Directory Capacity Alarm
  • By default, the data directory disk capacities on the cloud are monitored.
  • If the data directory disk capacity of any management node is greater than or equal to 70%, this alarm will be triggered.
  • By default, the cloud notification will be triggered. After you bind an endpoint, you will receive alarm notifications via the endpoint.
Note:
• By default, a resource alarm (except for License Enabled Days Alarm) allows you to change the emergency level, alarm condition (if you have set one), period, alarm period type, repeat interval, and whether to receive recover messages.
• A resource alarm allows you to add an endpoint and remove a newly added endpoint.
• A resource alarm does not allow you to remove the system alarm endpoint or delete default resource alarms.
• If you upgrade the cloud from an earlier version to 3.8.0, the emergency level of the default resource alarms is Emergent. If you customize a resource alarm, the emergency level is Major.

Create Resource Alarm
Apart from the default resource alarms provided by the system, you can create resource alarms as needed. On the Resource Alarm tab page, click Create Resource Alarm to enter the Create Resource Alarm page. To create a resource alarm, complete the following two steps:
1. Configure the following basic settings:
   • Name: Enter a name for the resource alarm.
   • Description: Optional. Enter a description for the resource alarm.
   • Resource Type: Select a resource type, including VM instance, BareMetal VM, vRouter, image, backup storage, system data directory, host, L3 network, volume, VIP, primary storage, load balancer listener, and management node.
   • Metric Item: Select a metric item as needed according to the resource type that you selected.
     Note:
     • Each resource alarm corresponds to multiple alarm metric items. Metric items are not further introduced here. You can customize your configurations as needed.
     • After you select some metric items, you may need to enter other parameters as required. You can customize your configurations as needed.
     • Some metric items require an agent to be installed before you can use them. Set these items as needed. For more information about how to install an agent, see Internal Monitoring.
     • For memory data, internal monitoring is more accurate than external monitoring. We recommend that you use internal monitoring to monitor memory data.
     • On the resource details page, core resources such as VM instances, hosts, and primary storages can be used to create resource alarms.
   • Range: Select a range, either multiple resources or a single resource, when the metric alarm that you selected applies to both bulk resources and a single resource.
     ▬ Multiple Resources: After you create a resource alarm by selecting multiple resources, this alarm monitors all the resources attached to it. If any resource meets the alarm condition, this alarm will be triggered, as shown in Multiple Resources.
     Figure 7-249: Multiple Resources
     ▬ Single Resource: After you create a resource alarm by selecting a single resource, this alarm monitors the single resource attached to it. If this single resource meets the alarm condition, this alarm will be triggered, as shown in Single Resource.
       Note:
       • A single resource can be monitored and alarmed at a fine-grained level.
       • For example, the CPU utilization of a VM instance can be monitored and alarmed.
     Figure 7-250: Single Resource
   Click Next, as shown in Create Resource Alarm: Basic Setting.
   Figure 7-251: Create Resource Alarm: Basic Setting
2. Configure the following alarm settings:
   • Alarm Condition: Select a judgment type and enter a threshold value. Options: > | ≥ | < | ≤.
   • Period: Enter the period over which the threshold value is evaluated. Unit: second, minute, or hour.
   • Alarm Period Type: Select an alarm period type, either repeat or once.
     ▬ Repeat:
       ■ The alarm of the same resource can be triggered repeatedly many times. For example:
         • The alarm can attach multiple resources. If any resource meets the alarm condition, the alarm will be triggered. Specifically, if a resource triggers the alarm once and continues to meet the alarm condition, the alarm will be triggered repeatedly according to the specified alarm policy.
         • The alarm can also attach a single resource. If this single resource meets the alarm condition, the alarm will be triggered. Specifically, if this single resource triggers the alarm once and continues to meet the alarm condition, the alarm will be triggered repeatedly according to the specified alarm policy.
       ■ An endpoint (if specified) will receive the alarm messages of each alarm, while the notification center will display the message records of each alarm.
     ▬ Once:
       ■ The alarm of the same resource can be triggered only once. For example:
         • The alarm can attach multiple resources. If any resource meets the alarm condition, the alarm will be triggered. Specifically, if a resource triggers the alarm once and continues to meet the alarm condition, the alarm will no longer be triggered.
         • The alarm can also attach a single resource. If this single resource meets the alarm condition, the alarm will be triggered. Specifically, if the single resource triggers the alarm once and continues to meet the alarm condition, the alarm will no longer be triggered.
       ■ An endpoint (if specified) will receive the alarm message of the one-time alarm, while the notification center will display the message record of the one-time alarm.
       ■ If this resource recovers and later meets the alarm condition again, the alarm will be triggered once again.
   • Repeat Interval: Optional.
     When the alarm period type is Repeat, set a repeat interval. Unit: second, minute, or hour. If left empty, the repeat interval defaults to 30 minutes.
   • Receive recover message: Optional. By default, this check box is not selected, which means that the system will not receive recover messages for the alarm. If selected, the system receives a recover message once whenever any resource monitored by the alarm recovers from the alarm status. Recover messages are sent to the system according to the default recover SNS text template. You can set the message contents on the SNS text template page as needed.
   • Emergency Level: Select an emergency level, including emergent, major, and information. Different levels of alarms send out alarm messages of the corresponding levels.
   • Endpoint: Optional. If not selected, no endpoint is specified. If selected, alarm messages are sent to the specified endpoint.
     Note:
     • You can add multiple endpoints.
     • You can either select a system default endpoint or create an endpoint as needed.
     • For more information about how to create an endpoint, see Endpoint.
   Click OK to complete creating the resource alarm, as shown in Create Resource Alarm: Alarm Setting.
   Figure 7-252: Create Resource Alarm: Alarm Setting

Resource Alarm Operations
You can perform the following operations on a resource alarm:
• Create: Create a new resource alarm.
• Enable: Enable a resource alarm that is disabled.
• Disable: Disable a resource alarm that you are using.
• Add endpoint: Add an endpoint to the resource alarm that you selected.
• Remove endpoint: Remove an endpoint from a resource alarm.
• Delete: Delete a resource alarm. Exercise caution. If you delete the resource alarm, all resources on the resource alarm will be deleted as well, and this resource alarm will no longer be triggered.
• Change: ▬ Custom resource alarm allows you to change a name and a description for a resource alarm . ▬ By default, a resource alarm (except for License Enabled Days Alarm) allows you to change the emergency level, alarm condition (if you have set), period, alarm period type, repeat interval, and whether to receive recover message. ▬ Custom resource alarm allows you to change the emergency level, alarm condition, period, alarm period type, repeat interval, and whether to receive recover message. • Check alarm log: Set a time range to check alarm logs sent by the resource alarm within the time range. • Audit: Check related operations of this resource alarm. 7.7.4.1.2 Event Alarm An event alarm mainly monitors system events, such as the VM state change event, and the host disconnected event. You can customize an event alarm. Event Alarm Page In the navigation pane of the ZStackPrivate Cloud UI, choose Platform O&M > ZWatch > Alarm > Event Alarm to enter the Event Alarm tab page, as shown in Event Alarm Page. 628 Issue: V3.9.0User Guide / 7 Cloud Operations Guide Figure 7-253: Event Alarm Page On the Event Alarm tab page, the system provides a series of default event alarms as follows: Default Event Alarm Description Short Message Sent Error • By default, all short message endpoints on the cloud are monitored. • If any short message endpoint cannot receive alarm messages, this alarm will be triggered. • By default, the cloud notification will be triggered. After you bind an endpoint, you will receive alarm notifications via the endpoint. Management Node Join • By default, all management nodes on the cloud are monitored. • If any management node reconnects from the disconnected status, this alarm will be triggered. • By default, the cloud notification will be triggered. After you bind an endpoint, you will receive alarm notifications via the endpoint. 
Default Event Alarm: Host Connected
▬ By default, all hosts on the cloud are monitored.
▬ If any host reconnects from the disconnected status, this alarm is triggered.
▬ By default, the cloud notification is triggered. After you bind an endpoint, you also receive alarm notifications via that endpoint.
Default Event Alarm: vRouter Connected
▬ By default, all vRouters on the cloud are monitored.
▬ If any vRouter reconnects from the disconnected status, this alarm is triggered.
▬ By default, the cloud notification is triggered. After you bind an endpoint, you also receive alarm notifications via that endpoint.
Default Event Alarm: Host Disconnected
▬ By default, all hosts on the cloud are monitored.
▬ If any host is disconnected, this alarm is triggered.
▬ By default, the cloud notification is triggered. After you bind an endpoint, you also receive alarm notifications via that endpoint.
Default Event Alarm: Backup Storage Connected
▬ By default, all backup storages on the cloud are monitored.
▬ If any backup storage reconnects from the disconnected status, this alarm is triggered.
▬ By default, the cloud notification is triggered. After you bind an endpoint, you also receive alarm notifications via that endpoint.
Default Event Alarm: Primary Storage Connected
▬ By default, all primary storages on the cloud are monitored.
▬ If any primary storage reconnects from the disconnected status, this alarm is triggered.
▬ By default, the cloud notification is triggered. After you bind an endpoint, you also receive alarm notifications via that endpoint.
Default Event Alarm: Primary Storage Disconnected
▬ By default, all primary storages on the cloud are monitored.
▬ If any primary storage is disconnected, this alarm is triggered.
▬ By default, the cloud notification is triggered. After you bind an endpoint, you also receive alarm notifications via that endpoint.
Default Event Alarm: Management Node Left
▬ By default, all management nodes on the cloud are monitored.
▬ If any management node is disconnected, this alarm is triggered.
▬ By default, the cloud notification is triggered. After you bind an endpoint, you also receive alarm notifications via that endpoint.
Default Event Alarm: Backup Storage Disconnected
▬ By default, all backup storages on the cloud are monitored.
▬ If any backup storage is disconnected, this alarm is triggered.
▬ By default, the cloud notification is triggered. After you bind an endpoint, you also receive alarm notifications via that endpoint.
Default Event Alarm: vRouter Disconnected
▬ By default, all vRouters on the cloud are monitored.
▬ If any vRouter is disconnected, this alarm is triggered.
▬ By default, the cloud notification is triggered. After you bind an endpoint, you also receive alarm notifications via that endpoint.
Note:
• A default event alarm allows you to change its emergency level.
• An event alarm allows you to add an endpoint and to remove an endpoint that you added.
• An event alarm does not allow you to remove the system alarm endpoint or to delete a default event alarm.
• If you upgrade the cloud from an earlier version to 3.8.0, the emergency level of the default event alarms is Emergent. The default emergency level of a custom event alarm is Major.
Create Event Alarm
Apart from the default event alarms provided by the system, you can create event alarms as needed.
On the Event Alarm tab page, click Create Event Alarm. On the Create Event Alarm page, set the following parameters:
• Resource Type: Select a resource type: VM instance, vRouter, backup storage, management node, host, primary storage, vCenter, or backup task.
• Metric Item: Select a metric item according to the resource type that you selected.
• Emergency Level: Select an emergency level: emergent, major, or information.
Alarms of different levels send alarm messages of the corresponding level.
• Endpoint: Optional. If not selected, no endpoint is specified. If selected, alarm messages are sent to the specified endpoint.
Note:
• You can add multiple endpoints.
• You can either select a system default endpoint or create an endpoint as needed.
• For more information about how to create an endpoint, see Endpoint.
You can create an event alarm, as shown in Create Event Alarm.
Figure 7-254: Create Event Alarm
Note:
• An event alarm is triggered only once after an event happens; repeated alarms cannot be set for it.
• When any resource monitored by an event alarm recovers from the alarm status, a recover message is sent once. You can set the message contents on the SNS Text Template page as needed.
• If a resource recovers from the alarm status and later meets the alarm condition again, the alarm is triggered once more.
Event Alarm Operations
You can perform the following operations on an event alarm:
• Create: Create an event alarm.
• Add endpoint: Add an endpoint to the selected event alarm.
• Remove endpoint: Remove an endpoint from an event alarm.
• Delete: Delete an event alarm. Exercise caution: deleting an event alarm also deletes all resource bindings of that alarm, and the alarm is no longer triggered.
• Change: Change the emergency level of an event alarm. This is supported for both default and custom event alarms.
• Check alarm log: Set a time range and check the alarm logs sent by the event alarm within that range.
• Audit: Check the operations related to this event alarm.
7.7.4.2 SNS Text Template
An SNS text template is the text template used when an alarm or event sends messages to topics of the SNS system.
• The system provides a default template for the alarm message and the recover message. If you do not create a template, the system uses this default template.
• You can create multiple message templates, but only one of them can be the default template. When messages are sent, the format of the default template is used.
• With ${}, you can reference the variables provided by an alarm or event in the template.
• Currently, an SNS text template supports three endpoint platform types: email, DingTalk, and short message. If you use an SNS text template, formatted alarm messages are sent to you via email, DingTalk, or short message.
Create SNS Text Template
In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > ZWatch > SNS Text Template. On the SNS Text Template page, click Create SNS Text Template. On the displayed Create SNS Text Template page, set the following parameters:
• Name: Enter a name for the SNS text template.
• Description: Optional. Enter a description for the SNS text template.
• Platform Type: Select an endpoint platform type. Currently, an SNS text template supports three endpoint platform types: email, DingTalk, and short message.
• Alarm Message Text: Either customize the template text or use the default template native to the system.
The following is an example of the email or DingTalk template text:
    Alarm ${ALARM_NAME} status changes to ${ALARM_CURRENT_STATUS}
    Alarm details
    UUID: ${ALARM_UUID}
    Namespace: ${ALARM_NAMESPACE}
    Conditions: ${ALARM_METRIC} ${ALARM_COMPARISON_OPERATOR} ${ALARM_THRESHOLD}
    Duration: ${ALARM_DURATION} seconds
    Previous status: ${ALARM_PREVIOUS_STATUS}
    Current value: ${ALARM_CURRENT_VALUE}
    Tag: ${ALARM_LABELS.join(",")}
Note: If you write an SNS text template for DingTalk, follow the Markdown syntax. Currently, DingTalk supports only a subset of Markdown.
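To show how the ${} placeholders in the template text above resolve, here is an added example written for this guide; it is not ZStack's template engine. It implements only the two constructs that appear on this page, the plain ${VAR} reference and the ${ALARM_LABELS.join(",")} form, and deliberately nothing else, so no other expression inside ${...} is ever evaluated. The sample alarm values are constructed, and the DingTalk Markdown subset is not handled here.

```python
import re
from typing import Any, Dict, List

# Constructed sample of the variables an alarm provides to the template. The values are
# illustrative and were not captured from a ZStack deployment.
SAMPLE_ALARM: Dict[str, Any] = {
    "ALARM_NAME": "vm-cpu-high",
    "ALARM_UUID": "11111111111111111111111111111111",
    "ALARM_NAMESPACE": "ZStack/VM",
    "ALARM_METRIC": "CPUUsedUtilization",
    "ALARM_COMPARISON_OPERATOR": ">",
    "ALARM_THRESHOLD": 90,
    "ALARM_DURATION": 300,
    "ALARM_PREVIOUS_STATUS": "OK",
    "ALARM_CURRENT_STATUS": "Alarm",
    "ALARM_CURRENT_VALUE": 97.3,
    "ALARM_LABELS": ["VMInstanceUuid=22222222222222222222222222222222", "zone=zone-1"],
    "ALARM_RESOURCE_NAME": "web-01",
    "ALARM_CONDITION": "CPUUsedUtilization > 90",
}

# The email/DingTalk template text from this page, and the resource alarm short message template.
EMAIL_TEMPLATE = """\
Alarm ${ALARM_NAME} status changes to ${ALARM_CURRENT_STATUS}
Alarm details
UUID: ${ALARM_UUID}
Namespace: ${ALARM_NAMESPACE}
Conditions: ${ALARM_METRIC} ${ALARM_COMPARISON_OPERATOR} ${ALARM_THRESHOLD}
Duration: ${ALARM_DURATION} seconds
Previous status: ${ALARM_PREVIOUS_STATUS}
Current value: ${ALARM_CURRENT_VALUE}
Tag: ${ALARM_LABELS.join(",")}"""

SMS_TEMPLATE = ("Alarm:${ALARM_NAME},ResourceName:${ALARM_RESOURCE_NAME},"
                "Condition:${ALARM_CONDITION},CurrentValue:${ALARM_CURRENT_VALUE}")

# Accepts ${NAME} and ${NAME.join("sep")} only. Restricting the inside of ${...} to an
# identifier plus this one fixed method means no other expression is ever evaluated.
_PLACEHOLDER = re.compile(r'\$\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?:\.join\("([^"]*)"\))?\s*\}')


def render_template(template: str, variables: Dict[str, Any]) -> str:
    """Substitute every placeholder. An unknown variable raises KeyError so that a typo in
    a custom template fails loudly instead of producing a message with an empty field."""
    def substitute(match) -> str:
        name, sep = match.group(1), match.group(2)
        if name not in variables:
            raise KeyError(f"template references unknown variable {name}")
        value = variables[name]
        if sep is not None:
            if not isinstance(value, (list, tuple)):
                raise TypeError(f"{name}.join() used on a non-list value")
            return sep.join(str(item) for item in value)
        return str(value)
    return _PLACEHOLDER.sub(substitute, template)


def undefined_variables(template: str, variables: Dict[str, Any]) -> List[str]:
    """Placeholders used in the template that the alarm would not supply."""
    used = {m.group(1) for m in _PLACEHOLDER.finditer(template)}
    return sorted(used - set(variables))


if __name__ == "__main__":
    print(render_template(EMAIL_TEMPLATE, SAMPLE_ALARM))
    print(render_template(SMS_TEMPLATE, SAMPLE_ALARM))
```

Run undefined_variables() over a custom template before saving it in the UI: a misspelled variable is far easier to catch here than in the middle of an incident, when the alarm message arrives with the field blank.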
For more information about the subset of Markdown that DingTalk supports, see Message Types and Data Format in the DingTalk official documentation.
The following are examples of the short message template:
• Resource alarm:
    Alarm:${ALARM_NAME},ResourceName:${ALARM_RESOURCE_NAME},Condition:${ALARM_CONDITION},CurrentValue:${ALARM_CURRENT_VALUE}
• Event alarm:
    Alarm:${EVENT_NAME},ResourceName:${EVENT_RESOURCE_NAME},EmergencyLevel:${EVENT_EMERGENCY_LEVEL},Error:${EVENT_ERROR}
Note: If you create an alarm message template for short messages, apply for a third-party SMS signature and a third-party SMS template in advance. To change the template, you must apply again with the third party.
• Message restoring text: When any resource monitored by an alarm recovers from the alarm status, a recover message is sent once to every platform that you selected. You can customize the recover message text. A short message SNS text template does not support recover messages.
• Make default: If selected, the SNS text template being created is set as the default template.
You can create an SNS text template, as shown in Create SNS Text Template.
Figure 7-255: Create SNS Text Template
SNS Text Template Operations
You can perform the following operations on an SNS text template:
• Create: Create an SNS text template.
• Make default: Set the selected SNS text template as the system default template.
• Cancel Default: Cancel the default setting of the SNS text template that you made default.
• Delete: Delete an SNS text template.
• Change name and description: Change the name and description of the SNS text template.
• Change message content: Change the contents of the alarm message text and the message restoring text.
• Audit: Check the operations related to this SNS text template.
7.7.5 Notification Service
7.7.5.1 Endpoint
An endpoint subscribes to SNS topics and receives the messages sent to them. You can use different types of endpoints.
Currently, the supported endpoint types are system, email, DingTalk, HTTP application, and short message service.
• By default, the cloud provides a system-native endpoint. If an alarm is bound to the system endpoint, alarm notifications are displayed next to the Messages button at the upper right of the UI.
• You can also create an email, DingTalk, HTTP application, or short message service endpoint as needed.
Create Email Endpoint
• Messages sent to topics are delivered to the specified email addresses via an email server.
• You can either create an SNS text template in advance or use the system default template. Alarm messages are sent to your email in a unified format.
• You must add an email server in the current zone in advance and test that it works properly.
In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > Notification Service > Endpoint. On the Endpoint page, click Create Endpoint. On the displayed Create Endpoint page, set the following parameters:
• Name: Enter a name for the endpoint.
• Description: Optional. Enter a description for the endpoint.
• Endpoint Type: Select email.
• Email Address: Enter the email addresses. A maximum of 100 email addresses are supported.
• Email Server: Select an email server that you added. For more information about how to add an email server, see Email Server.
• Validate: Test whether the email server works properly.
You can create an email endpoint, as shown in Create Email Endpoint.
Figure 7-256: Create Email Endpoint
Create DingTalk Endpoint
• Messages sent to topics are delivered to the specified DingTalk robot address via DingTalk. If you appoint members, alarm notifications are also sent to the corresponding DingTalk members via their phone numbers.
• You can either create an SNS text template in advance or use the system default template.
Alarm messages are sent to your DingTalk group in a unified format.
• If you write an SNS text template for DingTalk, follow the Markdown syntax. Currently, DingTalk supports only a subset of Markdown. For more information about that subset, see the DingTalk official website.
Set the following parameters:
• Name: Enter a name for the endpoint.
• Description: Optional. Enter a description for the endpoint.
• Endpoint Type: Select DingTalk.
• URL Address: Enter the DingTalk robot address.
• Member: Specify nobody, all members in the group, or appointed members.
Note: If you appoint members, alarm notifications are sent to the corresponding members via their phone numbers, for example, +86-13800000000.
You can create a DingTalk endpoint, as shown in Create DingTalk Endpoint.
Figure 7-257: Create DingTalk Endpoint
Create HTTP Application Endpoint
• Messages sent to topics are delivered to the specified HTTP address via HTTP POST.
• If the HTTP application requires a user name and password, enter them exactly. Prefer an HTTPS URL: over plain HTTP, the credentials and the alarm contents travel in clear text.
Set the following parameters:
• Name: Enter a name for the endpoint.
• Description: Optional. Enter a description for the endpoint.
• Endpoint Type: Select HTTP application.
• URL Address: Enter the HTTP service address.
• User Name: Optional. If the HTTP application requires a user name and password for access, enter the user name exactly.
• Password: Optional. Enter the corresponding password exactly.
You can create an HTTP application endpoint, as shown in Create HTTP Application Endpoint.
Figure 7-258: Create HTTP Application Endpoint
Create Short Message Service Endpoint
• Messages sent to topics are delivered to the specified phone number via the short message service.
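The HTTP application endpoint described above posts alarm messages to a URL that you operate, so the receiving application is yours to write. The following is an added example of such a receiver (it is not ZStack code): it accepts only POST, verifies the User Name and Password configured on the endpoint using HTTP Basic authentication with constant-time comparison, caps the body size, and parses the body as a JSON object. That ZStack sends the credentials as HTTP Basic authentication and that the body is a JSON object are assumptions, since this page does not document the POST format; the credentials, port and realm are placeholders.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

# Placeholder credentials matching the User Name / Password set on the endpoint in the
# ZStack UI. Constructed for this example; load real ones from a secret store.
EXPECTED_USER = "zwatch"
EXPECTED_PASSWORD = "change-me"
MAX_BODY = 64 * 1024  # refuse oversized posts instead of buffering them


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a client sends for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic_auth(header: Optional[str], user: str, password: str) -> bool:
    """Validate an HTTP Basic Authorization header. Both fields are compared in constant
    time, so a wrong user name is not distinguishable from a wrong password by timing."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    got_user, sep, got_password = decoded.partition(":")
    if not sep:
        return False
    user_ok = hmac.compare_digest(got_user.encode("utf-8"), user.encode("utf-8"))
    password_ok = hmac.compare_digest(got_password.encode("utf-8"), password.encode("utf-8"))
    return user_ok and password_ok


def handle_alarm_post(method: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Decide the response to one request as (status, text). Header names are matched
    case-insensitively. A JSON object body is an assumption about ZStack's POST format."""
    if method != "POST":
        return 405, "method not allowed"
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not check_basic_auth(auth, EXPECTED_USER, EXPECTED_PASSWORD):
        return 401, "unauthorized"
    if len(body) > MAX_BODY:
        return 413, "payload too large"
    try:
        message = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return 400, "body is not valid JSON"
    if not isinstance(message, dict):
        return 400, "expected a JSON object"
    # The message is authenticated and well-formed only at this point; hand it to the
    # paging or ticketing integration here.
    return 200, "accepted"


class AlarmHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(min(length, MAX_BODY + 1))  # read at most one byte over the cap
        status, text = handle_alarm_post("POST", dict(self.headers.items()), body)
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="alarm-receiver"')
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(text.encode("utf-8"))

    def do_GET(self) -> None:
        self.send_error(405)


if __name__ == "__main__":
    # Bind to loopback and terminate TLS in a reverse proxy in front of this process, so
    # that the endpoint URL configured in ZStack can be https://.
    HTTPServer(("127.0.0.1", 8080), AlarmHandler).serve_forever()
```

The decision logic lives in handle_alarm_post() rather than in the handler class so that it can be exercised without opening a socket; the order of checks (method, credentials, size, syntax) means an unauthenticated client never gets to spend the server's time parsing a body.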
• You can create an SNS text template in advance and set it as the default template. Alarm short messages are sent to your phone according to the template that you set.
Set the following parameters:
• Name: Enter a name for the endpoint.
• Description: Optional. Enter a description for the endpoint.
• Endpoint Type: Select short message service.
• AccessKey: Select a third-party AccessKey that you added.
• Phone Number: Enter a phone number that can receive short messages.
You can create a short message service endpoint, as shown in Create Short Message Service Endpoint.
Figure 7-259: Create Short Message Service Endpoint
Endpoint Operations
You can perform the following operations on an endpoint:
• Create: Create an endpoint.
• Enable: Enable a stopped endpoint.
• Disable: Disable a running endpoint.
• Add alarm: Add an alarm to the selected endpoint.
• Remove alarm: Remove an alarm from the endpoint.
• Delete: Delete an endpoint.
• Change name and description: Change the name and description of the endpoint.
• Receive message: Set a time range and check the message logs of the endpoint within that range.
• Audit: Check the operations related to this endpoint.
7.7.6 Notification Center
Notification Center Page
The notification center collects the notifications of resource alarms and event alarms on ZStack and lets you view them. Shortcut operations are supported, such as aggregating alarm messages and jumping from the details of an alarm message to the alarm or resource details page. With the notification center, you can quickly locate problems.
In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > Notification Center to enter the Notification Center management page, as shown in Notification Center Page.
Figure 7-260: Notification Center Page
Notification Center Operations
• Check Alarm Message: The notification center lets you view alarm messages.
You can check message contents, emergency levels, message types, message dates, and read/unread states.
▬ The dot on the left shows whether an alarm message is read or unread. A red dot means unread.
▬ The message content supports filtering. Click the drop-down arrow of the message content. Options: all, read, and unread.
▬ The emergency level also supports filtering. Click the drop-down arrow of the emergency level. Options: all, emergent, major, and information.
▬ The message type also supports filtering. Click the drop-down arrow of the message type. Options: all, resource alarm, and event alarm.
▬ You can set a time range to filter alarm messages via the time adjustment button at the upper left. Within the time range that you set, you can check the most recent 300 alarm messages, including message contents, message types, message dates, and read/unread states.
▬ You can choose how many alarm messages are displayed per page via the display count button at the upper right. Optional values: 10, 20, 50, and 100. You can also turn pages by clicking the left and right arrow buttons.
• Mark All Message As Read: Mark all unread messages (across all time ranges) as read. If the notification center holds many unread messages, displaying them may take some time. Be patient.
Notice
• Read and unread states apply to every role that has the operation permission for the messages. If a role reads alarm messages for the first time or marks them as read, the read/unread states of these messages are synchronized to the other roles.
• An admin or platform admin can check all alarm messages.
The admin or platform admin can perform Mark All Message As Read for alarm messages generated by an admin, a regular account, or a project. After the marking, the read/unread states of these messages are synchronized to the admin, the regular account, and the project.
• Markings of alarm messages by regular accounts are independent: the alarm messages of different accounts are not visible to each other, and each account can mark only the alarm messages generated by its own alarms.
• In Enterprise Management, alarm messages are organized by project. After a project member, project operator, or project admin reads alarm messages or marks them as read, the read/unread states of these messages are synchronized to the other members of the project.
7.7.7 Operation Log
The operation log records user operations on ZStack. It has three tab pages: Completed, Ongoing, and Audit.
Completed Tab Page
On the Operation Log page, click Completed to enter the Completed tab page, as shown in Completed Tab Page.
Figure 7-261: Completed Tab Page
On the Completed tab page, check the logs of completed operations. You can check the operation description, task result, operator, login IP, creation time, completion time, and the information details returned by each operation, for more granular management.
• You can set a time range to check the logs of completed operations within that range.
• You can search the logs of completed operations by operation description or login IP.
• You can export operation logs in CSV format.
• You can choose how many logs of completed operations are displayed per page. Optional values: 10, 20, 50, and 100. You can also turn pages by clicking the left and right arrow buttons.
• The information details page also shows the creation time and completion time.
Ongoing Tab Page
In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > Operation Log to enter the Ongoing tab page of the Operation Log page, as shown in Ongoing Tab Page.
Figure 7-262: Ongoing Tab Page
On the Ongoing tab page, check the logs of ongoing operations. You can check the operation description, task result, and creation time, and you can cancel ongoing tasks.
• The progress bar shows the real-time task progress. You can click Cancel Task to cancel an ongoing task.
Note: Only some tasks support cancellation.
• You can search the logs of ongoing operations by operation description.
• You can choose how many logs of ongoing operations are displayed per page. Optional values: 10, 20, 50, and 100. You can also turn pages by clicking the left and right arrow buttons.
• The information details page also shows the creation time and completion time.
Audit Tab Page
On the Operation Log page, click Audit to enter the Audit tab page, and click Audit Type to check Resource audits or Login audits.
• On the Resource page, check the audits of API calls. You can check the API name, resource type, time consumption, task result, operator, creation time, completion time, and information details of the API actions, as shown in Resource Operation Audit.
Figure 7-263: Resource Operation Audit
▬ You can set a time range to check the audit information of API calls within that range.
Note: The UI displays at most 300 audit records. Set an appropriate time range before searching for the target audit information.
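Because the UI shows at most 300 audit records at a time, the CSV export is the practical input when you need to review authentication activity across a whole day or week. The following is an added example (not part of ZStack) that reads an export of the Login audit described below, which lists the API name, operator, login IP, browser, task result and creation time of each login or logout call, and flags two patterns: a login IP that produces a burst of failed logins, and a login IP that fails against several different accounts (a password spray that stays below any per-account lockout). The CSV header names, the timestamp format, the API names and all records are constructed for this example; adjust the column names to match your actual export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of a Login audit export. The column names follow the fields the Login
# audit page lists; the exact CSV headers, timestamp format and API names of a real ZStack
# export are assumptions.
SAMPLE_LOGIN_AUDIT_CSV = """\
API Name,Operator,Time Consumption,Login IP,Browser,Task Result,Creation Time,Completion Time
LogInByAccount,admin,120ms,10.0.0.5,Chrome,Fail,2024-06-01 09:00:01,2024-06-01 09:00:01
LogInByAccount,admin,118ms,10.0.0.5,Chrome,Fail,2024-06-01 09:00:09,2024-06-01 09:00:09
LogInByAccount,admin,121ms,10.0.0.5,Chrome,Fail,2024-06-01 09:00:17,2024-06-01 09:00:17
LogInByAccount,admin,119ms,10.0.0.5,Chrome,Fail,2024-06-01 09:00:26,2024-06-01 09:00:26
LogInByAccount,admin,117ms,10.0.0.5,Chrome,Fail,2024-06-01 09:00:34,2024-06-01 09:00:34
LogInByAccount,admin,122ms,10.0.0.5,Chrome,Fail,2024-06-01 09:00:41,2024-06-01 09:00:41
LogInByAccount,admin,240ms,10.0.0.5,Chrome,Success,2024-06-01 09:00:55,2024-06-01 09:00:55
LogInByAccount,ops1,130ms,10.0.0.7,Firefox,Fail,2024-06-01 09:05:00,2024-06-01 09:05:00
LogInByAccount,ops1,250ms,10.0.0.7,Firefox,Success,2024-06-01 09:05:20,2024-06-01 09:05:20
LogOut,ops1,20ms,10.0.0.7,Firefox,Success,2024-06-01 09:40:00,2024-06-01 09:40:00
LogInByAccount,ops2,115ms,192.0.2.9,curl,Fail,2024-06-01 09:10:00,2024-06-01 09:10:00
LogInByAccount,ops3,116ms,192.0.2.9,curl,Fail,2024-06-01 09:22:00,2024-06-01 09:22:00
LogInByAccount,ops4,114ms,192.0.2.9,curl,Fail,2024-06-01 09:34:00,2024-06-01 09:34:00
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
BURST_THRESHOLD = 5                   # failed logins from one IP ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this window
SPRAY_MIN_ACCOUNTS = 3                # distinct accounts failed from one IP


def parse_audit_csv(text: str) -> List[Dict[str, str]]:
    """Parse an exported audit CSV into one dict per record."""
    return list(csv.DictReader(io.StringIO(text)))


def is_failed_login(row: Dict[str, str]) -> bool:
    """A login API call whose task result is anything other than Success."""
    return "login" in row["API Name"].lower() and row["Task Result"].strip().lower() != "success"


def burst_sources(rows, threshold=BURST_THRESHOLD, window=BURST_WINDOW) -> Dict[str, int]:
    """Login IPs with at least `threshold` failed logins inside any `window`, mapped to the
    size of the largest such burst (sliding window over the sorted timestamps)."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for row in rows:
        if is_failed_login(row):
            failures[row["Login IP"]].append(datetime.strptime(row["Creation Time"], TIME_FORMAT))
    flagged: Dict[str, int] = {}
    for ip, times in failures.items():
        times.sort()
        start, largest = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            largest = max(largest, end - start + 1)
        if largest >= threshold:
            flagged[ip] = largest
    return flagged


def spray_sources(rows, min_accounts=SPRAY_MIN_ACCOUNTS) -> Dict[str, int]:
    """Login IPs that failed against at least `min_accounts` different accounts."""
    accounts: Dict[str, set] = defaultdict(set)
    for row in rows:
        if is_failed_login(row):
            accounts[row["Login IP"]].add(row["Operator"])
    return {ip: len(names) for ip, names in accounts.items() if len(names) >= min_accounts}


def failed_logins_per_account(rows) -> Dict[str, int]:
    """Failed login count per account, from whichever IP."""
    counts: Dict[str, int] = defaultdict(int)
    for row in rows:
        if is_failed_login(row):
            counts[row["Operator"]] += 1
    return dict(counts)


if __name__ == "__main__":
    records = parse_audit_csv(SAMPLE_LOGIN_AUDIT_CSV)
    print("bursts:", burst_sources(records))
    print("sprays:", spray_sources(records))
    print("per account:", failed_logins_per_account(records))
```

On the constructed data, 10.0.0.5 is flagged as a burst (six failures in forty seconds followed by a success, which is worth a closer look), 192.0.2.9 is flagged as a spray (three accounts, twelve minutes apart, so never a burst), and 10.0.0.7 is a user who mistyped once. Run this on a scheduled export rather than ad hoc: records older than the configured log retention period are gone.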
▬ You can search the audit information of API calls by resource type, resource UUID, API name, or operator.
▬ You can export audit information in CSV format.
▬ You can choose how many audit records are displayed per page. Optional values: 10, 20, 50, and 100. You can also turn pages by clicking the left and right arrow buttons.
• On the Login tab page, check the audits of login and logout API operations. You can check the API name, operator, time consumption, login IP, browser, task result, creation time, completion time, and information details of the API actions, as shown in Login Operation Audit.
Figure 7-264: Login Operation Audit
▬ You can set a time range to check the audit information of API calls within that range.
Note: The UI displays at most 300 audit records. Set an appropriate time range before searching for the target audit information.
▬ You can search the audit information of API calls by operator, API name, login IP, or browser.
▬ You can export audit information in CSV format.
▬ You can choose how many audit records are displayed per page. Optional values: 10, 20, 50, and 100. You can also turn pages by clicking the left and right arrow buttons.
Notice
• By default, an operation log is retained for 90 days. To set the log retention days, choose Global Settings > Advanced. If you need audit records for longer than the retention period, for example for an investigation, export them before they expire.
Note: Exercise caution when you change the log retention days. If the value that you enter is smaller than the currently configured retention days, logs older than the new retention period are deleted once the value takes effect.
7.7.8 CloudFormation
7.7.8.1 Introduction
ZStack CloudFormation is a service that simplifies cloud computing resource management and automates deployment and O&M.
With a resource stack template, you define the cloud resources you need, the dependencies between them, and their configuration. With the CloudFormation engine, CloudFormation provides automatic batch deployment and resource configuration, as well as easy lifecycle management of cloud resources. You can also use the API and SDK to integrate the automatic O&M capabilities.
The advantages of CloudFormation are as follows:
1. You only need to create a stack template or modify an existing one to define the cloud resources you need, the dependencies between them, and their configuration. With the CloudFormation engine, CloudFormation automatically completes the creation and configuration of all resources.
2. The cloud provides sample templates and a designer to create stack templates quickly.
3. You can dynamically update a stack template based on your business needs and then update the related resource stack, to flexibly meet the needs of business development.
4. If you no longer need a resource stack, you can delete it with one click, which also deletes all of the resources in the stack.
5. You can reuse an existing stack template to quickly duplicate all stack resources without repeating the configuration.
6. You can flexibly combine cloud services for different scenarios to meet the needs of automated maintenance.
7.7.8.2 Preparations
This tutorial elaborates on how to use CloudFormation. Before you start using CloudFormation, install the latest version of ZStack and complete the initialization wizard. For more information, see the installation and deployment section in the User Guide.
7.7.8.3 Typical Practice Workflow
By using CloudFormation, you create a stack template that describes all the resources you want, and CloudFormation quickly creates and configures those resources. You can also easily manage the collection of resources as a single unit.
The typical workflow of CloudFormation is as follows:
1. Prepare a stack template.
• First, prepare a stack template. CloudFormation creates and configures the related resource stack based on the template.
• Check in advance whether a sample template provided by the cloud meets your business needs. If it does, use the sample template directly to create the related resource stack.
• If no sample template meets your business needs, create a new template or modify an existing one. For more information about how to create a custom template, see the Stack Template topic. You can also use the designer to quickly create a custom template. For more information about the designer, see the Designer topic.
2. Create a resource stack.
• If a sample template meets your business needs, use it directly to create a resource stack. For more information about how to create a resource stack by using a sample template, see the Sample Template topic.
• You can also create a resource stack by using a custom template. For more information about how to create a resource stack by using a custom template, see the Stack Template topic. You can also use the designer to quickly create a resource stack. For more information about the designer, see the Designer topic.
3. Manage the resource stack.
• CloudFormation provides lifecycle management of the resource stack.
• You can check the information of all resources in the resource stack.
• When you delete a resource stack, you delete the resource stack and all of its resources.
• For more information about resource stack management, see the Resource Stack topic.
7.7.8.4 Resource Stack
CloudFormation allows you to quickly create and configure a group of resources by using a stack template. This group of resources is called a resource stack.
You can manage the resources in a stack by creating, updating, or deleting the stack. The supported operations on a resource stack are as follows:
• Create a resource stack
• Get the details of a resource stack
• Delete a resource stack
Create a Resource Stack
In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > CloudFormation > Resource Stack. On the Resource Stack page, click Create Resource Stack. The Create Resource Stack page is displayed. To create a resource stack, follow the steps below:
1. Configure the following parameters:
• Zone: The current zone is displayed automatically.
• Name: Enter a name for the resource stack.
• Description: Optional. Enter a description for the resource stack.
• Timeout: Specify the timeout for the resource stack creation. If the timeout expires before the creation completes, CloudFormation marks the resource stack as failed. The default timeout is 60 minutes.
• Rollback on failure: Specify whether to roll back the resource stack if the creation fails. The check box is selected by default.
• Create Mode: Select the resource stack creation mode. The following three methods are available:
▬ Choose a stack template: Select a custom template or a sample template for the resource stack creation, as shown in Figure 7-265: Choose a stack template.
Figure 7-265: Choose a stack template
Note: For more information about how to create a custom template, see the Stack Template topic.
▬ Upload a template file: Upload a UTF-8-encoded template file for the resource stack creation, as shown in Figure 7-266: Upload a template file.
Figure 7-266: Upload a template file
Note: For more information about the template syntax, see the Stack Template Syntax topic.
▬ Create a template: Create a template in the text editor for the resource stack creation.
As shown in Figure 7-267: Create a template.
Figure 7-267: Create a template
You can zoom in the text editor, as shown in Figure 7-268: Zoom in the text editor.
Figure 7-268: Zoom in the text editor
Note: For more information about the template syntax, see the Stack Template Syntax topic.
As shown in Figure 7-269: Create resource stack 1. Click Next.
Figure 7-269: Create resource stack 1
2. Specify each parameter according to the stack resources that you need. The parameters differ with the type of resource stack.
Note:
• Mechanism: For the stack template that you submitted, if CloudFormation can determine from the Resource field of a parameter in Parameters which resource the parameter refers to, the UI provides a drop-down list for you to select the corresponding resource. Otherwise, the UI provides an input box for you to enter the field value (a string or a number).
The following example creates a resource stack by using the custom template selected above. CloudFormation automatically creates a VM instance and attaches a volume to it. Configure the following parameters:
• Instance Offering: Select the instance offering for the VM instance.
• Image: Select the image for the VM instance.
• Private IP: Select the private network for the VM instance.
As shown in Figure 7-270: Create resource stack 2. Click OK. The resource stack creation starts.
Figure 7-270: Create resource stack 2
Note:
• Before the resource stack creation starts, you can click Preview to check the list of resources to be created.
• Creating a resource stack takes some time. Wait for it to complete.
Get the Details of a Resource Stack
On the Resource Stack page, select a resource stack and expand its details page.
You can get the current details of the resource stack, including basic attributes, resource stack content, resources, events, and audit.
• Basic attributes: Displays the current status, name, description, and UUID of the resource stack. The name and description can be modified.
• Resource stack content: Includes the details of the template and the parameter configuration.
▬ Template: Displays the details of the template used by the resource stack.
▬ Parameters: Displays the details of the parameters specified for the resource stack creation.
• Resource: Displays the details of all resources in the resource stack.
• Event: Displays each event in the resource stack lifecycle.
• Audit: Checks the operations related to the resource stack.
Delete a Resource Stack
You can delete a resource stack if you no longer need it.
Note:
• When you delete a resource stack, all resources in the stack are deleted by default.
• In the stack template used by a resource stack, if the DeletionPolicy field is set to Retain, the resources in the stack are retained after you delete the resource stack. For more information about DeletionPolicy, see the Resources topic.
7.7.8.5 Stack Template
You can quickly create a resource stack based on a stack template. CloudFormation provides two types of stack templates: sample templates and custom templates. This topic mainly introduces the custom template. For information about the sample template, see the Sample Template topic.
The supported operations on a stack template are as follows:
• Create a stack template
• Get the details of a stack template
• Enable a stack template
• Disable a stack template
• Generate a resource stack
• Modify a stack template
• Delete a stack template
Create a Stack Template
In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > CloudFormation > Stack Template.
On the Stack Template page, click Create Stack Template. Then, the Create Stack Template page is displayed. Configure the following parameters:
• Name: Enter a name for the stack template.
• Description: Optional. Enter a description for the stack template.
• Create Mode: Select the stack template creation mode. The following two methods for creating a stack template are available:
  • Create a template: Create a template in a text editor. As shown in Figure 7-271: Create a template.

    Figure 7-271: Create a template

    You can zoom in the text editor, as shown in Figure 7-272: Zoom in the text editor.

    Figure 7-272: Zoom in the text editor

    Note: For more information about the template syntax, see the Stack Template Syntax topic.
  • Upload a template file: Upload a UTF-8-encoded template file. As shown in Figure 7-273: Upload a template file.

    Figure 7-273: Upload a template file

    Note: For more information about the template syntax, see the Stack Template Syntax topic.

As shown in Figure 7-274: Create a stack template. Click OK.

Figure 7-274: Create a stack template

Get the Details of a Stack Template

On the Stack Template page, select a stack template and expand its details page. You can get the current details of the stack template, including basic attributes, stack template content, and audit.
• Basic attributes: Displays the current status, name, description, UUID, and md5sum of the stack template. The name and description can be modified.
• Stack template content: Displays the details of the template.
  Note: For more information about the template syntax, see the Stack Template Syntax topic.
• Audit: Checks related operations about the template.
Enable/Disable a Stack Template
• Enable a stack template: If a stack template is disabled, you can enable it as needed.
• Disable a stack template: You can disable a stack template as needed.

Note: You are not allowed to create a resource stack by using a disabled stack template.

Generate a Resource Stack

On the Stack Template page, select a stack template and click Actions > Generate Resource Stack. Then, the Generate Resource Stack page is displayed. To create a resource stack by using a custom template, follow the steps below:
1. Configure the following parameters:
   • Zone: The current zone is automatically displayed.
   • Name: Enter a name for the resource stack.
   • Description: Optional. Enter a description for the resource stack.
   • Timeout: Specify the timeout for the resource stack creation. If the timeout period expires before the resource stack creation completes, CloudFormation marks the resource stack as failed. The default timeout is 60 minutes.
   • Rollback on failure: Specify whether to roll back the resource stack if the creation fails. The checkbox is selected by default.
   • Choose a stack template: The selected template is automatically displayed.

   As shown in Figure 7-275: Create resource stack 1. Click Next.

   Figure 7-275: Create resource stack 1

2. Specify each parameter according to the needed stack resource. Different parameters are specified according to different types of resource stacks.

   Note:
   • Mechanism: For the stack template you submitted, if CloudFormation can determine which resource the Resource field in Parameters refers to, the UI provides a drop-down menu for you to select the corresponding resource. Otherwise, the UI provides an input box for you to enter the field value (a string or a number).

   The following is an example of creating a resource stack by using the custom template selected above.
   CloudFormation will automatically create a VM instance and attach a volume to it. Configure the following parameters:
   • Instance Offering: Select the instance offering for VM instance creation.
   • Image: Select the image for VM instance creation.
   • Private IP: Select the private network for VM instance creation.

   As shown in Figure 7-276: Create resource stack 2. Click OK. Then, the resource stack creation starts.

   Figure 7-276: Create resource stack 2

   Note:
   • Before the resource stack creation starts, you can click Preview to check the list of resources to be created.
   • It will take some time to create a resource stack. Please wait for the completion.

Modify a Stack Template

You can modify a stack template in a text editor.

Delete a Stack Template

You can delete a stack template if you no longer need it.

Constraints
• The maximum size of a template is 4 MB.
• If you use the CLI or API to create a stack, you can upload a template with a maximum size of 64 KB.

7.7.8.6 Sample Template

The cloud provides some commonly used sample templates so that you can quickly create resource stacks in CloudFormation. Supported operations on a sample template are as follows:
• Get the details of a sample template
• Generate a resource stack by using a sample template

Get the Details of a Sample Template

In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > CloudFormation > Sample Template. On the Sample Template page, select a sample template and expand its details page. You can get the details of the sample template, including basic attributes, stack template content, and audit.
• Basic attributes: Displays the current status, name, description, UUID, and md5sum of the sample template.
  Note: The sample template remains enabled and cannot be modified.
• Stack template content: Displays the details of the template.
  Note: For more information about the template syntax, see the Stack Template Syntax topic.
• Audit: Checks related operations about the template.

Generate a Resource Stack by Using a Sample Template

On the Sample Template page, select a sample template and click Actions > Generate Resource Stack. Then, the Generate Resource Stack page is displayed. To create a resource stack by using a sample template, follow the steps below:
1. Configure the following parameters:
   • Zone: The current zone is automatically displayed.
   • Name: Enter a name for the resource stack.
   • Description: Optional. Enter a description for the resource stack.
   • Timeout: Specify the timeout for the resource stack creation. If the timeout period expires before the resource stack creation completes, CloudFormation marks the resource stack as failed. The default timeout is 60 minutes.
   • Rollback on failure: Specify whether to roll back the resource stack if the creation fails. The checkbox is selected by default.
   • Choose a stack template: The selected template is automatically displayed.

   As shown in Figure 7-277: Create resource stack 1. Click Next.

   Figure 7-277: Create resource stack 1

2. Specify each parameter according to the needed stack resource. Different parameters are specified according to different types of resource stacks.

   The following is an example of creating a resource stack by using the sample template selected above (ZStack.System.v1.EIP). CloudFormation will automatically create an EIP and attach it to a VM instance. Configure the following parameters:
   • Instance Offering: Select the instance offering for VM instance creation.
   • Image: Select the image for VM instance creation.
   • Private IP: Select the private network for VM instance creation.
   • Public IP: Select the public network for VIP provisioning. The EIP service can be provided by a VIP.
   As shown in Figure 7-278: Create resource stack 2. Click OK. Then, the resource stack creation starts.

   Figure 7-278: Create resource stack 2

   Note:
   • Before the resource stack creation starts, you can click Preview to check the list of resources to be created.
   • It will take some time to create a resource stack. Please wait for the completion.

7.7.8.7 Designer

With CloudFormation Designer, you can view graphic representations of the resources in a stack template, and author and edit the stack template in a more visual and simpler way.

Designer Interface Overview

In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > CloudFormation > Designer. Then, the Designer interface is displayed. As shown in Figure 7-279: Designer.

Figure 7-279: Designer

The Designer panes and their main components are as follows:
• Toolbar at the top
  The toolbar provides quick access to commands for common actions, such as previewing a template, generating a resource stack, and saving the diagram as a stack template.
• Resource pool pane on the right
  The resource pool pane lists all of the template resources that you can add to your template in Designer. You can add resources by dragging them from the resource pool pane to the canvas. The supported resources are listed as follows:
  • Resource pool: VM instance, Volume
  • Network resource: L2 Network, Private Network, Public Network, VPC Network, and VPC vRouter
  • Network service: Security Group, EIP, Port Forwarding, Load Balancing, and Listener
• Canvas pane in the middle
  The canvas pane displays the template resources as a diagram.
  • You can add resources, create relationships between resources, and arrange their layout.
  • You can undo or redo changes, remove resources, and clear the canvas. The changes that you make in the canvas automatically modify the template.
  • You can specify the details of the template, such as resource properties or template parameters, with the Configure Parameter button.
  • You can drag the thumbnail at the bottom right to adjust the canvas pane to fit your template's diagram.
  • You can zoom in or zoom out the canvas by clicking the + or - button.

7.7.8.8 Typical Scenario-based Practice

7.7.8.8.1 Sample Template-Based Practice

Context

This topic introduces how to use the sample template ZStack.System.v1.VPC to quickly deploy a VPC network.

Procedure
1. Prepare a stack template.

   In the navigation pane of the ZStack Private Cloud UI, choose Platform O&M > CloudFormation > Sample Template. On the Sample Template page, select the sample template ZStack.System.v1.VPC and expand its details page. You can get the details of the sample template as below.

{
  "ZStackTemplateFormatVersion": "2018-06-18",
  "Description": "Creates VPC network. This template creates a VPC network. Make sure that the public network and management network are working as expected. Note that the VXLAN VTEP CIDR is required.",
  "Parameters": {
    "VrouterImageUrl": {
      "Type": "String",
      "Label": "vRouter image",
      "Description": "vRouter image URL",
      "DefaultValue": "http://cdn.zstack.io/product_downloads/vrouter/2.3/zstack-vrouter-2.3.2.qcow2"
    },
    "VmImageUrl": {
      "Type": "String",
      "Label": "VM image url",
      "Description": "VM image url",
      "DefaultValue": "http://cdn.zstack.io/zstack_repo/latest/zstack-image-1.4.qcow2"
    },
    "BackupStorage": {
      "Type": "CommaDelimitedList",
      "Label": "BackupStorage UUID",
      "Description": "BackStorage UUID"
    },
    "ManagementNetworkUuid": {
      "Type": "String",
      "Label": "Management network",
      "Description": "You can use public network as management network"
    },
    "PublicNetworkUuid": {
      "Type": "String",
      "Label": "Public network",
      "Description": "Public network UUID"
    },
    "ZoneUuid": {
      "Type": "String",
      "Label": "Zone",
      "Description": "Zone UUID"
    },
    "ClusterUuid": {
      "Type": "String",
      "Label": "Cluster",
      "Description": "Cluster UUID"
    },
    "Cidr": {
      "Type": "String",
      "Description": "VTEP CIDR. Use the correct CIDR",
      "DefaultValue": "{10.0.0.0/8}"
    },
    "Vni": {
      "Type": "Number",
      "DefaultValue": 222
    },
    "StartVni": {
      "Type": "Number",
      "DefaultValue": 100
    },
    "EndVni": {
      "Type": "Number",
      "DefaultValue": 300
    },
    "StartIp": {
      "Type": "String",
      "DefaultValue": "192.168.20.2"
    },
    "EndIp": {
      "Type": "String",
      "DefaultValue": "192.168.20.200"
    },
    "Netmask": {
      "Type": "String",
      "DefaultValue": "255.255.255.0"
    },
    "Gateway": {
      "Type": "String",
      "DefaultValue": "192.168.20.1"
    }
  },
  "Resources": {
    "VrouterImage": {
      "Type": "ZStack::Resource::Image",
      "Properties": {
        "name": {"Fn::Join": ["-", [{"Ref": "ZStack::StackName"}, {"Ref": "ZStack::StackUuid"}, {"Ref": "ZStack::AccountUuid"}, {"Ref": "ZStack::AccountName"}, "Vrouter-Image"]]},
        "url": {"Ref": "VrouterImageUrl"},
        "system": true,
        "format": "qcow2",
        "backupStorageUuids": {"Ref": "BackupStorage"}
      }
    },
    "VMImage": {
      "Type": "ZStack::Resource::Image",
      "Properties": {
        "name": {"Fn::Join": ["-", [{"Ref": "ZStack::StackName"}, "VmImage"]]},
        "url": {"Ref": "VmImageUrl"},
        "format": "qcow2",
        "backupStorageUuids": {"Ref": "BackupStorage"}
      }
    },
    "VirtualRouterOffering": {
      "Type": "ZStack::Resource::VirtualRouterOffering",
      "Properties": {
        "name": {"Fn::Join": ["-", [{"Ref": "ZStack::StackName"}, "Vrouter-Offering"]]},
        "zoneUuid": {"Ref": "ZoneUuid"},
        "managementNetworkUuid": {"Ref": "ManagementNetworkUuid"},
        "publicNetworkUuid": {"Ref": "PublicNetworkUuid"},
        "imageUuid": {"Fn::GetAtt": ["VrouterImage", "uuid"]},
        "cpuNum": 2,
        "memorySize": 2147483648
      }
    },
    "VpcVRouter": {
      "Type": "ZStack::Resource::VpcVRouter",
      "Properties": {
        "name": {"Fn::Join": ["-", [{"Ref": "ZStack::StackName"}, "VPC-Router"]]},
        "virtualRouterOfferingUuid": {"Fn::GetAtt": ["VirtualRouterOffering", "uuid"]}
      }
    },
    "L2VxlanNetworkPool": {
      "Type": "ZStack::Resource::L2VxlanNetworkPool",
      "Properties": {
        "name": {"Fn::Join": ["-", [{"Ref": "ZStack::StackName"}, "L2VxlanNetworkPool"]]},
        "zoneUuid": {"Ref": "ZoneUuid"}
      }
    },
    "VniRange": {
      "Type": "ZStack::Resource::VniRange",
      "Properties": {
        "name": {"Fn::Join": ["-", [{"Ref": "ZStack::StackName"}, "VniRange"]]},
        "startVni": {"Ref": "StartVni"},
        "endVni": {"Ref": "EndVni"},
        "l2NetworkUuid": {"Fn::GetAtt": ["L2VxlanNetworkPool", "uuid"]}
      }
    },
    "L2VxlanNetwork": {
      "Type": "ZStack::Resource::L2VxlanNetwork",
      "Properties": {
        "name": {"Fn::Join": ["-", [{"Ref": "ZStack::StackName"}, "L2VxlanNetwork"]]},
        "poolUuid": {"Fn::GetAtt": ["L2VxlanNetworkPool", "uuid"]},
        "zoneUuid": {"Ref": "ZoneUuid"},
        "vni": {"Ref": "Vni"}
      }
    },
    "VpcL3Network": {
      "Type": "ZStack::Resource::L3Network",
      "Properties": {
        "name": {"Fn::Join": ["-", [{"Ref": "ZStack::StackName"}, "VPC-Network"]]},
        "l2NetworkUuid": {"Fn::GetAtt": ["L2VxlanNetwork", "uuid"]},
        "category": "Private",
        "type": "L3VpcNetwork",
        "systemTags": ["networkservices::VRouter"]
      }
    },
    "InstanceOffering": {
      "Type": "ZStack::Resource::InstanceOffering",
      "Properties": {
        "name": {"Fn::Join": ["-", [{"Ref": "ZStack::StackName"}, "1cpu", "4G"]]},
        "cpuNum": 1,
        "memorySize": 4294967296
      }
    },
    "AttachL3ToVm": {
      "Type": "ZStack::Action::AttachL3NetworkToVm",
      "Properties": {
        "vmInstanceUuid": {"Fn::GetAtt": ["VpcVRouter", "uuid"]},
        "l3NetworkUuid": {"Fn::GetAtt": ["VpcL3Network", "uuid"]}
      },
      "DependsOn": [{"Ref": "AddIpRange"}]
    },
    "AddIpRange": {
      "Type": "ZStack::Action::AddIpRange",
      "Properties": {
        "name": {"Fn::Join": ["-", [{"Ref": "ZStack::StackName"}, "iprange"]]},
        "l3NetworkUuid": {"Fn::GetAtt": ["VpcL3Network", "uuid"]},
        "startIp": {"Ref": "StartIp"},
        "endIp": {"Ref": "EndIp"},
        "netmask": {"Ref": "Netmask"},
        "gateway": {"Ref": "Gateway"}
      }
    },
    "AttachL2NetworkToCluster": {
      "Type": "ZStack::Action::AttachL2NetworkToCluster",
      "Properties": {
        "l2NetworkUuid": {"Fn::GetAtt": ["L2VxlanNetworkPool", "uuid"]},
        "clusterUuid": {"Ref": "ClusterUuid"},
        "systemTags": [{"Fn::Join": ["::", ["l2NetworkUuid", {"Fn::GetAtt": ["L2VxlanNetwork", "uuid"]}, "clusterUuid", {"Ref": "ClusterUuid"}, "cidr", {"Ref": "Cidr"}]]}]
      }
    },
    "TestVm": {
      "Type": "ZStack::Resource::VmInstance",
      "Properties": {
        "name": {"Fn::Join": ["-", [{"Ref": "ZStack::StackName"}, "TestVm"]]},
        "instanceOfferingUuid": {"Fn::GetAtt": ["InstanceOffering", "uuid"]},
        "l3NetworkUuids": [{"Fn::GetAtt": ["VpcL3Network", "uuid"]}],
        "imageUuid": {"Fn::GetAtt": ["VMImage", "uuid"]}
      },
      "DependsOn": [{"Ref": "AttachL3ToVm"}]
    }
  },
  "Outputs": {
    "vpc": {
      "Value": {"Ref": "VpcL3Network"}
    }
  }
}

   The template above includes the following five top-level fields:
   • "ZStackTemplateFormatVersion": "2018-06-18"
     It declares the version of the template.
   • "Description": "Creates VPC network. This template creates a VPC network. Make sure that the public network and management network are working as expected. Note that the VXLAN VTEP CIDR is required."
     It declares the description of the template.
   • "Parameters": { }
     It declares a list of parameters in the template. In this example, it declares the following parameters:
     • VrouterImageUrl
     • VmImageUrl
     • BackupStorage
     • ManagementNetworkUuid
     • PublicNetworkUuid
     • ZoneUuid
     • ClusterUuid
     • Cidr
     • Vni
     • StartVni
     • EndVni
     • StartIp
     • EndIp
     • Netmask
     • Gateway
   • "Resources": { }
     It declares the resources to be created by the template. In this example, it declares the following resources to be created:
     • Add a vRouter image.
     • Add a VM image.
     • Create a vRouter offering.
     • Create a VPC vRouter.
     • Create a VXLAN pool.
     • Create an L2 VXLAN network.
     • Create a VPC network.
     • Create an instance offering.
     • Attach the VPC network to the VM instance.
     • Specify the IP range of the VPC network.
     • Attach the L2 VXLAN network to the cluster.
     • Create a VM instance.
     The properties of the resources declared in "Resources": { } can reference the parameters declared in "Parameters": { }.
   • "Outputs": { }
     After the declared resources have been created, it provides useful information such as resource properties.
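What CloudFormation has to derive from these five fields is the creation order: Ref and Fn::GetAtt inside Properties, together with the DependsOn field, decide which resource must exist before another, and the DeletionPolicy field mentioned under Delete a Resource Stack decides what survives a stack deletion. The following Python script is an added example written for this guide, not ZStack's own code. It builds that dependency graph from a constructed, trimmed-down copy of the ZStack.System.v1.VPC template above, orders the resources for creation, reports references that name nothing (which is what a misspelled DependsOn target produces), and lists what a Retain policy keeps. The function names, and the reading that a retained resource also keeps what it depends on, are this example's own assumptions.

```python
"""Creation order and deletion semantics of a ZStack CloudFormation template.

Added example for this guide, not ZStack's own code. TEMPLATE is a constructed,
trimmed-down copy of the ZStack.System.v1.VPC sample; all function names are
this example's own.
"""
import json

TEMPLATE = json.loads(r'''{
  "ZStackTemplateFormatVersion": "2018-06-18",
  "Parameters": {"ZoneUuid": {"Type": "String"},
                 "VrouterImageUrl": {"Type": "String", "DefaultValue": "http://example.invalid/vrouter.qcow2"}},
  "Resources": {
    "VrouterImage": {"Type": "ZStack::Resource::Image", "Properties": {"url": {"Ref": "VrouterImageUrl"}}},
    "VirtualRouterOffering": {"Type": "ZStack::Resource::VirtualRouterOffering",
      "Properties": {"zoneUuid": {"Ref": "ZoneUuid"}, "imageUuid": {"Fn::GetAtt": ["VrouterImage", "uuid"]}}},
    "VpcVRouter": {"Type": "ZStack::Resource::VpcVRouter", "DeletionPolicy": "Retain",
      "Properties": {"virtualRouterOfferingUuid": {"Fn::GetAtt": ["VirtualRouterOffering", "uuid"]}}},
    "VpcL3Network": {"Type": "ZStack::Resource::L3Network", "Properties": {"zoneUuid": {"Ref": "ZoneUuid"}}},
    "AddIpRange": {"Type": "ZStack::Action::AddIpRange",
      "Properties": {"l3NetworkUuid": {"Fn::GetAtt": ["VpcL3Network", "uuid"]}}},
    "AttachL3ToVm": {"Type": "ZStack::Action::AttachL3NetworkToVm", "DependsOn": [{"Ref": "AddIpRange"}],
      "Properties": {"vmInstanceUuid": {"Fn::GetAtt": ["VpcVRouter", "uuid"]},
                     "l3NetworkUuid": {"Fn::GetAtt": ["VpcL3Network", "uuid"]}}}
  }
}''')

# Pseudo parameters from the Parameters topic: referenceable, never declared.
PSEUDO = {"ZStack::StackName", "ZStack::StackUuid",
          "ZStack::AccountUuid", "ZStack::AccountName"}


def referenced_names(node):
    """Yield every logical name used by Ref or Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if "Fn::GetAtt" in node:
            yield node["Fn::GetAtt"][0]
        for value in node.values():
            yield from referenced_names(value)
    elif isinstance(node, list):
        for value in node:
            yield from referenced_names(value)


def depends_on_names(resource):
    """DependsOn appears on the page both as a bare string and as [{"Ref": ...}]."""
    dep = resource.get("DependsOn", [])
    if isinstance(dep, str):
        return [dep]
    return [d["Ref"] if isinstance(d, dict) else d for d in dep]


def dependency_graph(template):
    """Map each resource to the resources it waits for: implicit (Ref/GetAtt) plus DependsOn."""
    resources = template["Resources"]
    graph = {}
    for name, res in resources.items():
        implicit = {n for n in referenced_names(res.get("Properties", {})) if n in resources}
        graph[name] = implicit | set(depends_on_names(res))
    return graph


def unresolved_references(template):
    """Names used in Ref, Fn::GetAtt or DependsOn that match no parameter, pseudo parameter or resource."""
    known = set(template.get("Parameters", {})) | set(template["Resources"]) | PSEUDO
    used = set()
    for res in template["Resources"].values():
        used.update(referenced_names(res.get("Properties", {})))
        used.update(depends_on_names(res))
    return sorted(used - known)


def creation_order(template):
    """Topological order (Kahn's algorithm); ValueError on an unknown dependency or a cycle."""
    remaining = dependency_graph(template)
    for name, deps in remaining.items():
        if deps - set(remaining):
            raise ValueError(f"{name} depends on unknown resource(s): {sorted(deps - set(remaining))}")
    order = []
    while remaining:
        ready = sorted(n for n, deps in remaining.items() if not deps)  # sorted for determinism
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        order.extend(ready)
        for n in ready:
            del remaining[n]
        for deps in remaining.values():
            deps.difference_update(ready)
    return order


def retained_on_delete(template):
    """Resources kept on stack deletion: each Retain resource plus, transitively, what it
    depends on (this example's reading of 'its dependent resource will also be retained')."""
    graph = dependency_graph(template)
    keep, todo = set(), [n for n, r in template["Resources"].items()
                         if r.get("DeletionPolicy", "Delete") == "Retain"]
    while todo:
        n = todo.pop()
        if n not in keep:
            keep.add(n)
            todo.extend(graph[n])
    return sorted(keep)


if __name__ == "__main__":
    print("create in order:", creation_order(TEMPLATE))
    print("unresolved:", unresolved_references(TEMPLATE))
    print("retained on delete:", retained_on_delete(TEMPLATE))
```

Running the script prints the creation order in which VpcL3Network and VrouterImage come first because nothing in the stack precedes them, and AttachL3ToVm last because it both reads the vRouter and network uuids and names AddIpRange in DependsOn. Feeding it a template whose DependsOn names a resource that does not exist makes creation_order raise instead of silently creating resources out of order.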
   For more information about the template syntax, see the Stack Template Syntax topic.

2. Create a resource stack by using a sample template.

   On the Sample Template page, select the sample template ZStack.System.v1.VPC and click Actions > Generate Resource Stack. Then, the Generate Resource Stack page is displayed.
   1. Configure the following parameters:
      • Zone: The current zone is automatically displayed.
      • Name: Enter a name for the resource stack.
      • Description: Optional. Enter a description for the resource stack.
      • Timeout: Specify the timeout for the resource stack creation. If the timeout period expires before the resource stack creation completes, CloudFormation marks the resource stack as failed. The default timeout is 60 minutes.
      • Rollback on failure: Specify whether to roll back the resource stack if the creation fails. The checkbox is selected by default.
      • Choose a stack template: The selected template is automatically displayed.

      As shown in Figure 7-280: Create resource stack 1. Click Next.

      Figure 7-280: Create resource stack 1

   2. Specify each parameter according to the needed stack resource. Different parameters are specified according to different types of resource stacks.
      • vRouter Image URL: Add a vRouter image for VPC vRouter creation.
      • VM Image URL: Add an image for VM instance creation.
      • Backup Storage: Select a backup storage.
      • Management IP: Select an existing management network.
        Note: We recommend that you deploy a separate management network that is isolated from the public network for better security and stability.
      • Public IP: Select an existing public network.
      • Zone: The current zone is automatically displayed.
      • Cluster: Optional. You can select the cluster loaded by the VXLAN pool.
      • VTEP CIDR: Set the CIDR corresponding to the VTEP.
      • Vni: Optional. You can select a specified Vni from the VXLAN pool. If this field is blank, the system automatically allocates a Vni.
      • Start Vni: Set the start Vni in the VXLAN pool.
      • End Vni: Set the end Vni in the VXLAN pool.
      • Start IP: Set the start IP address of the VPC network.
      • End IP: Set the end IP address of the VPC network.
      • Netmask: Set the netmask of the VPC network.
      • Gateway: Set the gateway of the VPC network.

      As shown in Figure 7-281: Create resource stack 2. Click OK. Then, the resource stack creation starts.

      Figure 7-281: Create resource stack 2

      Note:
      • Before the resource stack creation starts, you can click Preview to check the list of resources to be created.
      • It will take some time to create a resource stack. Please wait for the completion.

3. Manage the resource stack.

   After a resource stack is successfully created, you can click the stack name on the Resource Stack page to view the stack status and details.
   • Basic attributes: Displays the current status, name, description, and UUID of the resource stack. The name and description can be modified.
   • Resource stack content: Includes the details of the template and the parameter configuration.
     ▬ Template: Displays the details of the template used by the resource stack.
     ▬ Parameters: Displays the details of the parameters specified for resource stack creation.
   • Resource: Displays the details of all resources in the resource stack.
   • Event: Displays each event in the resource stack lifecycle.
   • Audit: Checks related operations about the resource stack.

   You can delete the resource stack if you no longer need it.

7.7.8.9 Appendices

7.7.8.9.1 Stack Template Syntax

A stack template is a UTF-8-encoded file. You can quickly create a resource stack based on a stack template.
With a stack template, you can define which cloud resources you need, the dependencies between the resources, and the resource configuration. CloudFormation analyzes the stack template and automatically creates and configures all resources.

Stack Template Structure

The stack template structure is as follows.

{
  "ZStackTemplateFormatVersion" : "YYYY-MM-DD",
  "Description" : "The description of the stack template, which is used to provide information such as application scenarios and the structure of the stack template.",
  "Parameters" : {
    // The parameters you can specify when creating a resource stack.
  },
  "Mappings" : {
    // The mapping tables. Mapping tables are nested tables.
  },
  "Resources" : {
    // The detailed information of resources, including configurations and dependencies.
  },
  "Outputs" : {
    // The outputs that are used to provide useful information such as resource properties. You can use the API to obtain this information.
  }
}

• ZStackTemplateFormatVersion (Required)
  The version of the stack template.
  • Format: YYYY-MM-DD
• Description (Optional)
  The description of the stack template, which is used to provide information such as application scenarios and the structure of the stack template.
  • A detailed description can help users better understand the content of the stack template.
• Parameters (Optional)
  The parameters you can specify when creating a resource stack.
  • For example, an instance offering is often defined as a parameter.
  • Parameters have default values.
  • Parameters can improve the flexibility and reusability of the stack template.
  • For more information about Parameters, see the Parameters topic.
• Mappings (Optional)
  The mapping tables. Mapping tables are nested tables.
  • You can use Fn::FindInMap to select values through corresponding keys.
  • You can use parameter values as keys.
  • For example, you can search the region-image mapping table for the desired image by region.
  • For more information about Mappings, see the Mappings topic.
• Resources (Optional)
  The detailed information of resources, including configurations and dependencies.
  • For more information about Resources, see the Resources topic.
• Outputs (Optional)
  The outputs that are used to provide useful information such as resource properties. You can use the API to obtain this information.
  • For more information about Outputs, see the Outputs topic.

7.7.8.9.1.1 Parameters

The parameters you can specify when creating a resource stack.
• When you create a stack template, you can use parameters to improve the flexibility and reusability of the stack template.
• When you create a resource stack, you can specify parameter values as needed.

Syntax

Each parameter consists of a name and properties.
• The parameter name can only contain letters and digits and must be unique in the template.
• You can use the Label field to define user-friendly parameter names.

The properties of Parameters are as follows.

Property | Description | Required | Example
Type | The parameter type. Options: String; Number (an integer or floating-point number); CommaDelimitedList (equivalent to a List in Java); Boolean | Yes | "Type": "String"
Label | The alias of the parameter. When forms are previewed or generated from templates, labels can be mapped to parameter names. | No | "Label": "The password of the VM instance"
Description | The string that describes the parameter. | No | "Description": "The login password of the VM instance"
NoEcho | Specifies whether to mask a parameter value as asterisks (*****). If you set this property to true, CloudFormation returns the parameter value masked as asterisks (*****). Note: This property cannot be configured currently. | No | "NoEcho": true
DefaultValue | The default value of the parameter. | No | "DefaultValue": "password"

CloudFormation also provides some pseudo parameters.
• Pseudo parameters are parameters that are predefined by CloudFormation. They can be referenced directly. You do not need to declare them in Parameters. (You are actually not allowed to declare them.)
• The values of the pseudo parameters are determined when CloudFormation is running.

Supported pseudo parameters are as follows.

Pseudo Parameter Name | Description
ZStack::StackName | The name of the current resource stack
ZStack::StackUuid | The UUID of the current resource stack
ZStack::AccountUuid | The AccountUuid of the current resource stack
ZStack::AccountName | The AccountName of the current resource stack

Example

The following example shows the Parameters syntax.

"Parameters" : {
  "username" : {
    "Label": "Login name",
    "Description" : "Login name",
    "DefaultValue": "root",
    "Type" : "String"
  },
  "password" : {
    "Label": "Password",
    "NoEcho" : "true",
    "Description" : "Login password",
    "Type" : "String"
  }
}

In this example, two parameters are declared in Parameters.
• username
  ▬ A string type parameter with a default value of root.
  ▬ The username must contain 2 to 12 characters.
  Note: The default value of username must also meet the length and valid-value requirements.
• password
  ▬ A string type parameter with no default value.
  ▬ If you set NoEcho to true, CloudFormation returns the parameter value masked as asterisks (*****).
  Note: The NoEcho property cannot be configured currently.
  ▬ The password must contain 6 to 41 characters.
  ▬ The password can contain uppercase/lowercase letters and digits.

7.7.8.9.1.2 Resources

The detailed information of resources, including configurations and dependencies.
• Resources can reference Parameters, Mappings, and Functions.
• Resources can be referenced by other Resources and Outputs.

Syntax

Each resource consists of a logical UUID and a description.
• All resource descriptions are enclosed in braces ({ }).
• Multiple resources are separated with commas (,).

The key fields of Resources are as follows.

Key Field | Description | Required | Example
Type | The type of the resource that is being declared. Options: Resource, Action. For more information, see Type. | Yes | "Type": "ZStack::Resource::VmInstance" or "Type": "ZStack::Action::AddIpRange"
Properties | The resource properties that specify parameters for resource creation. | Yes | For more information, see Properties.
DependsOn | Specifies that the creation of a specific resource follows another. For more information, see DependsOn. | No | "DependsOn": [{"Ref": "WebServer1"}]
DeletionPolicy | Specifies whether to retain a resource after its stack is deleted. Options: Retain, Delete. If this field is set to Retain, the specific resource and its dependent resource will be retained (the system automatically retains the dependent resource). The default value is Delete. For more information, see DeletionPolicy. | No | "DeletionPolicy": "Retain"
Description | The string that describes the resource. | No | "Description" : "attach ip range to l3 network"

Example

The following example shows the Resources syntax.

"Resources" : {
  "UUID-1" : {
    "Description" : "The resource description",
    "Type" : "The resource type",
    "Properties" : {
      The resource properties
    }
  },
  "UUID-2" : {
    "Description" : "The resource description",
    "Type" : "The resource type",
    "Properties" : {
      The resource properties
    },
    "DependsOn" : "The dependent resource. Take UUID-1 for example. Note that this dependent resource should be contained in the context.",
    "DeletionPolicy" : "The deletion policy"
  }
}

In this example, two resources are declared in Resources. The descriptions of the key fields are as follows:
• Resource UUID
  ▬ UUID-1 and UUID-2 are the resource UUIDs. Both of them are variables.
  ▬ You can use the resource UUID to reference the resource in other parts of the template.
  ▬ The resource UUID is unique in a template.
• Type
  ▬ The type of the resource that is being declared, including the Resource type and the Action type.
  ▬ For example, "Type": "ZStack::Resource::VmInstance" indicates that the resource is a VM instance, and "Type": "ZStack::Action::AddIpRange" indicates the action of adding an IP range.
  ▬ For more information about the resource types supported by CloudFormation, see the Resource Index topic.
• Properties
  ▬ The resource properties that specify parameters for resource creation.
  ▬ The following example shows the Properties syntax.

"Resources" : {
  "InstanceOffering" : {
    "Type" : "ZStack::InstanceOffering",
    "Properties" : {
      "cpuNum" : "1",
      "cpuSpeed" : "1",
      "memorySize" : "1073741824",
      "name" : "instance-offering",
      "type" : "UserVm",
      "sortKey": 0,
      "allocatorStrategy": "LeastVmPreferredHostAllocatorStrategy"
    }
  }
}

  ▬ The rules for defining resource property values are as follows:
    ■ Property values can be text strings, string lists, boolean values, references, or return values of functions.
    ■ Text strings are enclosed in double quotation marks ("").
    ■ String lists are enclosed in brackets ([]).
    ■ Return values of intrinsic functions and references are enclosed in braces ({}).
    ■ The preceding rules also apply when property values are combinations of text strings, string lists, references, and return values of functions.
    ■ The following example shows how to declare different types of properties.

"Properties" : {
  "String" : "string",
  "LiteralList" : [ "value1", "value2" ],
  "Boolean" : "true",
  "ReferenceForOneValue" : { "Ref" : "ResourceID" },
  "FunctionResultWithFunctionParams" : { "Fn::Join" : [ "%", [ "Key=", { "Ref" : "SomeParameter" } ] ] }
}

  ▬ If the resource does not require you to declare a property, this part can be skipped.
• DependsOn
  ▬ With the DependsOn attribute, you can specify that the creation of a specific resource follows another.
  ▬ When you add a DependsOn attribute to a resource, the resource is created only after the resource specified in the DependsOn attribute has been created.
  ▬ The following example shows the DependsOn syntax.

{
  "ZStackTemplateFormatVersion" : "2018-06-18",
  "Resources" : {
    "WebServer": {
      "Type": "ZStack::Resource::VmInstance",
      "DependsOn": "DatabaseServer"
    },
    "DatabaseServer": {
      "Type": "ZStack::Resource::VmInstance",
      "Properties": {
        "name": {"Fn::Join":["-",[{"Ref":"ZStack::StackName"},"VM"]]},
        "instanceOfferingUuid": {"Ref":"InstanceOfferingUuid"},
        "imageUuid":{"Ref":"ImageUuid"},
        "l3NetworkUuids":[{"Ref":"PrivateNetworkUuid"}],
        "dataDiskOfferingUuids":[{"Ref":"DiskOfferingUuid"}],
        "hostUuid":{"Ref":"HostUuid"}
      }
    }
  }
}

  This example indicates that WebServer is created only after DatabaseServer is created.
• DeletionPolicy
  ▬ DeletionPolicy specifies whether to retain a resource after its stack is deleted.
  ▬ DeletionPolicy has two options: Retain and Delete.
    ■ Delete: The default value, which indicates that after a resource stack is deleted, all resources in the stack are deleted.
    ■ Retain: If the DeletionPolicy attribute is set to Retain, the specific resource is retained after its stack is deleted. Furthermore, the dependent resource of the resource is also retained. (The system automatically retains the dependent resource.)

  The following example shows that the VM instance is retained after the template-based resource stack is deleted.
"Resources" : {
  "VMInstance" : {
    "Type" : "ZStack::Resource::VmInstance",
    "Properties": {
      "name": {"Fn::Join":["-",[{"Ref":"ZStack::StackName"},"VM"]]},
      "instanceOfferingUuid": {"Ref":"InstanceOfferingUuid"},
      "imageUuid":{"Ref":"ImageUuid"},
      "l3NetworkUuids":[{"Ref":"PrivateNetworkUuid"}],
      "dataDiskOfferingUuids":[{"Ref":"DiskOfferingUuid"}],
      "hostUuid":{"Ref":"HostUuid"}
    },
    "DeletionPolicy" : "Retain"
  }
}

7.7.8.9.1.3 Outputs
The outputs provide useful information such as resource properties. You can use the API to obtain this information.
Syntax
Each output item consists of a UUID and a description.
• All output descriptions are enclosed in braces {}.
• Multiple output items are separated with commas ,.
The key fields of Outputs are as follows.

Key Field | Description | Required | Example
Description | The string that describes the output. For more information, see Description. | No | "Description" : "print l3 network"
Value | The content of the output. For more information, see Value. | Yes | "Value" : {"Ref": "WebServer1"}

Example
The following example shows the Outputs syntax.

"Outputs" : {
  "UUID-1" : {
    "Description" : "The output description",
    "Value" : "The output content"
  },
  "UUID-2" : {
    "Description" : "The output description",
    "Value" : "The output content"
  }
}

In this example, two outputs are declared in Outputs. The key fields are described as follows:
• Output UUID
▬ The output UUID is unique in a template.
• Description
▬ The description of the output item. The description must be a string.
• Value
▬ The content of the output.
▬ The following example shows the Value syntax.

{
  "ZStackTemplateFormatVersion": "2018-06-18",
  "Description": "This template creates a VM instance with a volume attached (based on the local storage).
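The Resources rules above (Type, Properties with Ref, DependsOn, DeletionPolicy) are what a template linter checks before a stack is submitted. The following Python is an added example, not ZStack code: it builds the creation order implied by DependsOn and Ref, rejects dependency cycles and references to undefined names, validates Type prefixes and DeletionPolicy values, and lists what survives a stack deletion under Retain. The template, the resource names WebServer, DatabaseServer and PrivateNet, and the helper names are all constructed for this example.

```python
import json

# Constructed template (assumption: written for this example, not a ZStack sample).
TEMPLATE = json.loads("""
{
  "ZStackTemplateFormatVersion": "2018-06-18",
  "Parameters": {"ImageUuid": {"Type": "String"}},
  "Resources": {
    "WebServer": {
      "Type": "ZStack::Resource::VmInstance",
      "DependsOn": "DatabaseServer",
      "Properties": {"l3NetworkUuids": [{"Ref": "PrivateNet"}]}
    },
    "DatabaseServer": {
      "Type": "ZStack::Resource::VmInstance",
      "DeletionPolicy": "Retain",
      "Properties": {"imageUuid": {"Ref": "ImageUuid"},
                     "l3NetworkUuids": [{"Ref": "PrivateNet"}]}
    },
    "PrivateNet": {"Type": "ZStack::Resource::L3Network", "Properties": {"name": "net"}}
  }
}
""")

VALID_POLICIES = {"Delete", "Retain"}
VALID_PREFIXES = ("ZStack::Resource::", "ZStack::Action::")
PSEUDO_PARAMS = {"ZStack::StackName"}      # provided by the platform, never declared


def find_refs(node):
    """Yield every logical name used by a Ref anywhere below node."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            yield node["Ref"]
        else:
            for value in node.values():
                yield from find_refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from find_refs(value)


def dependencies(template):
    """Map each resource to the set of sibling resources it must wait for."""
    resources = template["Resources"]
    known = set(resources) | set(template.get("Parameters", {})) | PSEUDO_PARAMS
    deps = {}
    for name, body in resources.items():
        wanted = set(find_refs(body.get("Properties", {})))
        depends_on = body.get("DependsOn", [])
        wanted |= ({depends_on} if isinstance(depends_on, str) else set(depends_on))
        unknown = wanted - known
        if unknown:
            raise ValueError(f"{name} references undefined names: {sorted(unknown)}")
        deps[name] = wanted & set(resources)   # parameters are not creation dependencies
    return deps


def validate(template):
    """Return a list of human-readable problems; empty means the template passes."""
    problems = []
    for name, body in template["Resources"].items():
        if not body.get("Type", "").startswith(VALID_PREFIXES):
            problems.append(f"{name}: unsupported Type {body.get('Type')!r}")
        if body.get("DeletionPolicy", "Delete") not in VALID_POLICIES:
            problems.append(f"{name}: DeletionPolicy must be Retain or Delete")
    return problems


def creation_order(template):
    """Kahn's topological sort over DependsOn/Ref edges; raises on a cycle."""
    deps = dependencies(template)
    ready = sorted(name for name, d in deps.items() if not d)
    remaining = {name: set(d) for name, d in deps.items() if d}
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for name in sorted(remaining):
            remaining[name].discard(current)
            if not remaining[name]:
                ready.append(name)
                del remaining[name]
    if remaining:
        raise ValueError(f"dependency cycle among {sorted(remaining)}")
    return order


def retained_after_delete(template):
    """Resources kept on stack deletion: Retain resources plus everything they depend on."""
    deps = dependencies(template)
    keep = {n for n, b in template["Resources"].items() if b.get("DeletionPolicy") == "Retain"}
    frontier = list(keep)
    while frontier:
        for dep in deps[frontier.pop()]:
            if dep not in keep:
                keep.add(dep)
                frontier.append(dep)
    return sorted(keep)
```

Run on the constructed template, `creation_order` yields PrivateNet, then DatabaseServer, then WebServer, and `retained_after_delete` keeps DatabaseServer together with PrivateNet, which it references; a template whose resources depend on each other in a loop is rejected instead of being submitted.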
Prerequisites: The instance offering, image, disk offering, private network, and available host are created.",
  "Parameters": {
    "InstanceOfferingUuid": {
      "Type": "String",
      "Label": "Instance Offering",
      "Description": "The instance offering uuid"
    },
    "ImageUuid": {
      "Type": "String",
      "Label": "Image",
      "Description": "The Image uuid for creating VmInstance. Please choose an image not iso"
    },
    "PrivateNetworkUuid": {
      "Type": "String",
      "Label": "Private Network",
      "Description" : "The private network uuid for creating VmInstance"
    },
    "DiskOfferingUuid": {
      "Type": "String",
      "Label": "Disk Offering",
      "Description": "Volume size offering uuid"
    },
    "HostUuid": {
      "Type": "String",
      "Label": "Host",
      "Description": "Host uuid, that vm will start on"
    }
  },
  "Resources": {
    "VmInstance": {
      "Type": "ZStack::Resource::VmInstance",
      "Properties": {
        "name": {"Fn::Join":["-",[{"Ref":"ZStack::StackName"},"VM"]]},
        "instanceOfferingUuid": {"Ref":"InstanceOfferingUuid"},
        "imageUuid":{"Ref":"ImageUuid"},
        "l3NetworkUuids":[{"Ref":"PrivateNetworkUuid"}],
        "dataDiskOfferingUuids":[{"Ref":"DiskOfferingUuid"}],
        "hostUuid":{"Ref":"HostUuid"}
      }
    }
  },
  "Outputs": {
    "VmInstance": {
      "Value": { "Ref": "VmInstance" }
    }
  }
}

In this example, there is one output item, which contains the property value of VmInstance.

7.7.8.9.1.4 Functions
CloudFormation provides several intrinsic functions for your resource stack management. You can use intrinsic functions to define Resources, Outputs, and Mappings. The supported intrinsic functions are as follows:
• Fn::Base64
• Fn::FindInMap
• Fn::GetAtt
• Fn::Join
• Fn::Split
• Fn::Select
• Ref
• Fn::If
• Fn::Equal
• Fn::And
• Fn::Not
• Fn::Or

Fn::Base64
It returns the Base64 representation of an input string.
• Declaration
"Fn::Base64" : stringToEncode
• Parameter
▬ stringToEncode: The string value you want to convert to Base64.
• Example
"Fn::Base64" : "password"
• Return Value
The Base64 representation of the input string.
"cGFzc3dvcmQ=" is returned in this example.

Fn::FindInMap
It returns the value corresponding to the keys in a two-level mapping that is declared in Mappings.
• Declaration
"Fn::FindInMap" : ["MapName", "TopLevelKey", "SecondLevelKey"]
• Parameters
▬ MapName: The ID of a mapping declared in Mappings that contains the keys and values.
▬ TopLevelKey: The top-level key name. The value is a list of key-value pairs.
▬ SecondLevelKey: The second-level key name. The value is a string or number.
• Example
"Fn::FindInMap" : ["RegionMap", "cn-shanghai", "32"]
• Return Value
The value that is assigned to SecondLevelKey.
• MapName is set to the map of interest, which is "RegionMap" in this example.
• TopLevelKey is set to the region where the stack is created, which is "cn-shanghai" in this example.
• SecondLevelKey is set to the required architecture, which is "32" in this example.
• Supported Functions
The following functions can be nested in Fn::FindInMap:
• Fn::FindInMap
• Ref

Fn::GetAtt
It returns the value of a property from a resource in a template.
• Declaration
"Fn::GetAtt": ["resourceUuid", "attributeName"]
• Parameters
▬ resourceUuid: The UUID of the resource.
▬ attributeName: The name of the resource property.
• Example
"Fn::GetAtt" : ["MyVMInstance", "ImageUuid"]
• Return Value
The property value. In this example, the returned value is the "ImageUuid" property of "MyVMInstance".

Fn::Join
It appends a set of values into a single value separated with a specified delimiter.
• Declaration
"Fn::Join" : ["delimiter", ["string1", "string2", ...]]
• Parameters
▬ delimiter: The value used to divide the string. The delimiter value can be left blank so that all the values are directly combined.
▬ ["string1", "string2", ...]: The list of values that are combined into a string.
• Example
"Fn::Join" : ["-", ["a", "b", "c"]]
• Return Value
The combined string.
"a-b-c" is returned in this example.
• Supported Functions
The following functions can be nested in Fn::Join:
• Fn::Base64
• Fn::GetAtt
• Fn::Join
• Fn::Select
• Ref

Fn::Split
It splits a string into a list of values separated with a specified delimiter.
• Declaration
"Fn::Split" : ["delimiter", "original_string"]
• Parameters
▬ delimiter: The value used to divide the string. This value can be a comma ,, a semicolon ;, a \n, or a \t.
▬ original_string: The string to be split.
• Example
"Fn::Split": [";", "foo; bar; achoo"]
• Return Value
A list of string values. ["foo", " bar", "achoo"] is returned in this example.
• Supported Functions
The following functions can be nested in Fn::Split:
• Fn::Base64
• Fn::FindInMap
• Fn::GetAtt
• Fn::Join
• Fn::Select
• Ref

Fn::Select
It returns a single object from a list of objects by using an index.
• Declaration
▬ If the list of objects is an array, the syntax is as follows.
"Fn::Select" : ["index", ["value1", "value2", ...]]
▬ If the list of objects is a mapping table, the syntax is as follows.
"Fn::Select" : ["index", {"key1": "value1", ...}]
• Parameters
▬ index: The index of the object you want to retrieve.
■ If the list of objects is an array, the index must be an integer ranging from 0 to N-1, where N indicates the number of elements in the array.
■ If the list of objects is a mapping table, the index must be a key in the mapping table.
■ If the corresponding value of the index cannot be found, the system returns an empty string.
• Examples
▬ Example 1: The list of objects is an array.
"Fn::Select" : ["2", ["foo", " bar", "achoo"]]
▬ Example 2: The list of objects is a mapping table.
"Fn::Select" : ["shape", {"shape": "circle", "height": "80"}]
▬ Example 3: The list of objects is a CommaDelimitedList.
"Parameters" : {
  "userParam": {
    "Type": "CommaDelimitedList",
    "Default": "10.0.100.0/24, 10.0.101.0/24, 10.0.102.0/24"
  }
},
"Resources": {
  "resourceUuid": {
    "Properties": {
      "CidrBlock": {"Fn::Select" : [0, {"Ref":"userParam"}]}
    }
  }
}

Note:
• If there is no nested function in Fn::Select, the first parameter is a string. For more information, see Example 1 ("2") and Example 2 ("shape").
• If there is a nested function in Fn::Select, the first parameter is a number. For more information, see Example 3 (0).
• Return Value
The selected object.
• Example 1: "achoo" is returned.
• Example 2: "circle" is returned.
• Example 3: "10.0.100.0/24" is returned.
• Supported Functions
▬ For the Fn::Select index value, you can use Ref as a nested function in Fn::Select.
▬ For the Fn::Select list of objects, you can use the following as nested functions in Fn::Select:
■ Fn::Base64
■ Fn::FindInMap
■ Fn::GetAtt
■ Fn::Join
■ Fn::Select
■ Ref

Ref
It returns the value of a specified parameter or resource.
• If the specified parameter is a resourceUuid, the value of the resource is returned.
• Otherwise, the system returns the value of the specified parameter.
• Declaration
"Ref":"logicalName"
• Parameter
▬ logicalName: The logical name of the resource or parameter to reference.
• Example
diskOfferingParam is specified as follows.

"diskOfferingParam": {
  "allocatorStrategy": "DefaultPrimaryStorageAllocationStrategy",
  "diskSize": "21474836480",
  "type": "DefaultDiskOfferingType",
  "sortKey": "0"
}

"Ref":"diskOfferingParam"
• Return Value
The value of the resource or parameter. In this example, the value of diskOfferingParam is returned.

{
  "allocatorStrategy": "DefaultPrimaryStorageAllocationStrategy",
  "diskSize": "21474836480",
  "type": "DefaultDiskOfferingType",
  "sortKey": "0"
}

• Supported Functions
You are not allowed to use any nested functions in Ref.
Ref should be specified as a string of resourceUuid.

Fn::If
If a specified condition is evaluated as true, a value is returned. If the specified condition is evaluated as false, a different value is returned.
• The Resources and Outputs property values in templates support the Fn::If function.
• Declaration
"Fn::If": ["condition_name", "value_if_true", "value_if_false"]
• Parameters
▬ condition_name: The name of the condition in Conditions. A condition is referenced by using the condition name.
▬ value_if_true: If the specified condition is evaluated as true, this value is returned.
▬ value_if_false: If the specified condition is evaluated as false, this value is returned.
• Example
"Fn::If": ["condition16", "vm-true", "vm-false"]
• Return Value
The value based on the evaluated result of the specified condition. In this example, if condition16 is evaluated as true, vm-true is returned. If condition16 is evaluated as false, vm-false is returned.
• Supported Functions
The following functions can be nested in Fn::If:
• Fn::FindInMap
• Ref
• Fn::Equal
• Fn::And
• Fn::Not
• Fn::Or

Fn::Equal
It compares whether two values are equal. If the two values are equal, true is returned. If the two values are not equal, false is returned.
• Declaration
"Fn::Equal": [value_1, value_2]
• Parameter
▬ value: The values to be compared. These values can be of any type.
• Example
"Fn::Equal": [true, false]
• Return Value
true or false. In this example, false is returned.
• Supported Functions
The following functions can be nested in Fn::Equal:
• Fn::FindInMap
• Ref
• Fn::Equal
• Fn::And
• Fn::Not
• Fn::Or

Fn::And
It represents the AND operator, and must contain at least two conditions. If all the specified conditions are evaluated as true, true is returned. If any condition is evaluated as false, false is returned.
• Declaration
"Fn::And": [condition, ...]
• Parameter
▬ condition: The condition to be evaluated.
• Example
"Fn::And": [true, false]
• Return Value
true or false. In this example, false is returned.
• Supported Functions
The following functions can be nested in Fn::And:
• Fn::FindInMap
• Ref
• Fn::Equal
• Fn::And
• Fn::Not
• Fn::Or

Fn::Not
It represents the NOT operator. If the condition is evaluated as false, true is returned. If the condition is evaluated as true, false is returned.
• Declaration
"Fn::Not": condition
• Parameter
▬ condition: The condition to be evaluated.
• Example
"Fn::Not": true
• Return Value
true or false. In this example, false is returned.
• Supported Functions
The following functions can be nested in Fn::Not:
• Fn::FindInMap
• Ref
• Fn::Equal
• Fn::And
• Fn::Not
• Fn::Or

Fn::Or
It represents the OR operator, and must contain at least two conditions. If any specified condition is evaluated as true, true is returned. If all the conditions are evaluated as false, false is returned.
• Declaration
"Fn::Or": [condition, ...]
• Parameter
▬ condition: The condition to be evaluated.
• Example
"Fn::Or": [true, false]
• Return Value
true or false. In this example, true is returned.
• Supported Functions
The following functions can be nested in Fn::Or:
• Fn::FindInMap
• Ref
• Fn::Equal
• Fn::And
• Fn::Not
• Fn::Or

7.7.8.9.1.5 Mappings
The mapping tables. Mapping tables are nested tables.
• The Mappings section is a Key-Value mapping table.
• When mappings are used in Resources or Outputs definitions, use Fn::FindInMap to find their values by using the corresponding keys.
Syntax
A mapping consists of Key-Value pairs.
• Both the keys and values can be strings or numbers.
• Multiple mappings are separated with commas ,.
• Mapping names must be unique.
Example
The following example shows the Mappings syntax.
"Mappings" : {
  "Mapping01" : {
    "Key01" : { "Name" : "Value01" },
    "Key02" : { "Name" : "Value02" },
    "Key03" : { "Name" : "Value03" }
  }
}

The following example shows how to use Fn::FindInMap to find the return value.

{
  "ZStackTemplateFormatVersion": "2018-06-18",
  "Parameters": {
    "regionParam": {
      "Description": "Select the region for VM instance creation.",
      "Type": "String",
      "AllowedValues": ["cn-hangzhou", "cn-shanghai"]
    }
  },
  "Mappings" : {
    "ImageInRegions" : {
      "cn-hangzhou" : { "32" : "imageUuid-1", "64" : "imageUuid-2" },
      "cn-shanghai" : { "32" : "imageUuid-3", "64" : "imageUuid-4" }
    }
  },
  "Resources": {
    "WebServer": {
      "Type": "ZStack::Resource::VmInstance",
      "Properties": {
        "name" : "test-vm",
        "imageUuid" : {"Fn::FindInMap": ["ImageInRegions", {"Ref":"regionParam"}, "64"]},
        "instanceOfferingUuid": {"Ref":"instanceOfferingUuid"},
        "l3NetworkUuids": [{"Ref":"l3NetworkUuid"}]
      },
      "DeletionPolicy": "Retain"
    }
  }
}

7.7.8.9.2 Resource Index
When you create a stack template, you can use Type and Properties to declare detailed requirements of the resources you need.
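The intrinsic functions and the Mappings section described above are easiest to understand as a small recursive evaluator over the template JSON. The following Python is an added example written for this guide, not ZStack's CloudFormation engine: it implements every function listed in the Functions section with the documented argument shapes (string or numeric index for Fn::Select, empty string for a missing element, at least two conditions for Fn::And and Fn::Or, Ref resolving a created resource before falling back to a parameter) and reuses the ImageInRegions mapping, the userParam CommaDelimitedList and condition16 from the examples above. The template, the RESOURCES stand-in for already-created resources, and the trimming of CommaDelimitedList entries are assumptions of this example. Note that a literal split of "foo; bar; achoo" on ";" keeps the leading space on every element after the delimiter.

```python
import base64
import json

# Constructed sample template (assumption: a hand-written stand-in, not a template
# shipped with ZStack). It reuses the Mappings and Parameters examples from this guide.
TEMPLATE = json.loads("""
{
  "ZStackTemplateFormatVersion": "2018-06-18",
  "Parameters": {
    "regionParam": {"Type": "String", "Default": "cn-shanghai"},
    "userParam": {"Type": "CommaDelimitedList",
                  "Default": "10.0.100.0/24, 10.0.101.0/24, 10.0.102.0/24"}
  },
  "Mappings": {
    "ImageInRegions": {
      "cn-hangzhou": {"32": "imageUuid-1", "64": "imageUuid-2"},
      "cn-shanghai": {"32": "imageUuid-3", "64": "imageUuid-4"}
    }
  },
  "Conditions": {
    "condition16": {"Fn::Equal": [{"Ref": "regionParam"}, "cn-shanghai"]}
  }
}
""")

# Constructed stand-in for resources the platform has already created (assumption):
# logical name -> physical UUID plus the attributes Fn::GetAtt may read.
RESOURCES = {"MyVMInstance": {"uuid": "vm-uuid-0001", "ImageUuid": "imageUuid-4"}}


def evaluate(node, t=TEMPLATE, r=RESOURCES):
    """Resolve intrinsic functions recursively; plain values pass through unchanged."""
    if isinstance(node, list):
        return [evaluate(n, t, r) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (name, arg), = node.items()
        if name == "Ref" or name.startswith("Fn::"):
            return FUNCTIONS[name](arg, t, r)
    return {k: evaluate(v, t, r) for k, v in node.items()}


def fn_ref(name, t, r):
    # A resource's logical name resolves to the created resource; anything else is a parameter.
    if name in r:
        return r[name]["uuid"]
    param = t["Parameters"][name]
    if param["Type"] == "CommaDelimitedList":
        return [v.strip() for v in param["Default"].split(",")]  # assumption: entries are trimmed
    return param["Default"]


def fn_find_in_map(arg, t, r):
    map_name, top_key, second_key = evaluate(arg, t, r)   # keys may themselves be Ref/FindInMap
    return t["Mappings"][map_name][top_key][second_key]


def fn_select(arg, t, r):
    index, objects = arg[0], evaluate(arg[1], t, r)
    if isinstance(objects, dict):                 # mapping table: the index is a key
        return objects.get(str(index), "")
    try:                                          # array: index 0..N-1, given as string or number
        i = int(index)
        return objects[i] if 0 <= i < len(objects) else ""
    except ValueError:
        return ""                                 # nothing found: empty string


def fn_and(conds, t, r):
    if len(conds) < 2:
        raise ValueError("Fn::And must contain at least two conditions")
    return all(evaluate(c, t, r) for c in conds)


def fn_or(conds, t, r):
    if len(conds) < 2:
        raise ValueError("Fn::Or must contain at least two conditions")
    return any(evaluate(c, t, r) for c in conds)


FUNCTIONS = {
    "Ref": fn_ref,
    "Fn::FindInMap": fn_find_in_map,
    "Fn::Select": fn_select,
    "Fn::And": fn_and,
    "Fn::Or": fn_or,
    "Fn::Base64": lambda s, t, r: base64.b64encode(evaluate(s, t, r).encode()).decode(),
    "Fn::GetAtt": lambda a, t, r: r[a[0]][a[1]],
    "Fn::Join": lambda a, t, r: a[0].join(str(p) for p in evaluate(a[1], t, r)),
    "Fn::Split": lambda a, t, r: evaluate(a[1], t, r).split(a[0]),
    "Fn::Equal": lambda a, t, r: evaluate(a[0], t, r) == evaluate(a[1], t, r),
    "Fn::Not": lambda c, t, r: not evaluate(c, t, r),
    "Fn::If": lambda a, t, r: evaluate(a[1] if evaluate(t["Conditions"][a[0]], t, r) else a[2], t, r),
}
```

Because Fn::Base64 only re-encodes its input, the "password" example above round-trips to "cGFzc3dvcmQ=" and back with no secret involved; treat any template that carries credentials through Fn::Base64 as plaintext when you decide where the template may be stored and who may read it.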
Two resource types supported by CloudFormation are as follows:
• Resource
• Action

7.7.8.9.2.1 Resource
Table 7-11: Resource Index of the Resource Type

Resource | References
ZStack::Resource::VmInstance | CreateVmInstance
ZStack::Resource::DataVolume | CreateDataVolume
ZStack::Resource::Image | AddImage
ZStack::Resource::RootVolumeTemplate | CreateRootVolumeTemplateFromRootVolume
ZStack::Resource::DataVolumeTemplate | CreateDataVolumeTemplateFromVolume
ZStack::Resource::AffinityGroup | CreateAffinityGroup
ZStack::Resource::InstanceOffering | CreateInstanceOffering
ZStack::Resource::DiskOffering | CreateDiskOffering
ZStack::Resource::L2VxlanNetworkPool | CreateL2VxlanNetworkPool
ZStack::Resource::L2NoVlanNetwork | CreateL2NoVlanNetwork
ZStack::Resource::L2VlanNetwork | CreateL2VlanNetwork
ZStack::Resource::L2VxlanNetwork | CreateL2VxlanNetwork
ZStack::Resource::L3Network | CreateL3Network
ZStack::Resource::VRouterRouteTable | CreateVRouterRouteTable
ZStack::Resource::VpcVRouter | CreateVpcVRouter
ZStack::Resource::SecurityGroup | CreateSecurityGroup
ZStack::Resource::SecurityGroupRule | AddSecurityGroupRule
ZStack::Resource::Vip | CreateVip
ZStack::Resource::Eip | CreateEip
ZStack::Resource::PortForwardingRule | CreatePortForwardingRule
ZStack::Resource::LoadBalancer | CreateLoadBalancer
ZStack::Resource::LoadBalancerListener | CreateLoadBalancerListener
ZStack::Resource::IPsecConnection | CreateIPsecConnection
ZStack::Resource::VirtualRouterOffering | CreateVirtualRouterOffering
ZStack::Resource::VniRange | CreateVniRange
ZStack::Resource::UserTag | CreateUserTag
ZStack::Resource::DataVolumeFromVolumeTemplate | CreateDataVolumeFromVolumeTemplate
ZStack::Resource::Tag | CreateTag

7.7.8.9.2.2 Action
Table 7-12: Resource Index of the Action Type

Action | References
ZStack::Action::AddIpRange | AddIpRange
ZStack::Action::AddDnsToL3Network | AddDnsToL3Network
ZStack::Action::AddVmToAffinityGroup | AddVmToAffinityGroup
ZStack::Action::AddVRouterRouteEntry |
AddVRouterRouteEntry
ZStack::Action::AddCertificateToLoadBalancerListener | AddCertificateToLoadBalancerListener
ZStack::Action::AddIpRangeByNetworkCidr | AddIpRangeByNetworkCidr
ZStack::Action::AddVmNicToLoadBalancer | AddVmNicToLoadBalancer
ZStack::Action::AddVmNicToSecurityGroup | AddVmNicToSecurityGroup
ZStack::Action::AddRemoteCidrsToIPsecConnection | AddRemoteCidrsToIPsecConnection
ZStack::Action::AttachEip | AttachEip
ZStack::Action::AttachDataVolumeToVm | AttachDataVolumeToVm
ZStack::Action::AttachPortForwardingRule | AttachPortForwardingRule
ZStack::Action::AttachIsoToVmInstance | AttachIsoToVmInstance
ZStack::Action::AttachPciDeviceToVm | AttachPciDeviceToVm
ZStack::Action::AttachUsbDeviceToVm | AttachUsbDeviceToVm
ZStack::Action::AttachL2NetworkToCluster | AttachL2NetworkToCluster
ZStack::Action::AttachL3NetworkToVm | AttachL3NetworkToVm
ZStack::Action::AttachNetworkServiceToL3Network | AttachNetworkServiceToL3Network
ZStack::Action::AttachSecurityGroupToL3Network | AttachSecurityGroupToL3Network
ZStack::Action::AttachL3NetworksToIPsecConnection | AttachL3NetworksToIPsecConnection
ZStack::Action::AttachVRouterRouteTableToVRouter | AttachVRouterRouteTableToVRouter
ZStack::Action::AddCertificateToLoadBalancerListener | AddCertificateToLoadBalancerListener
ZStack::Action::AddHostRouteToL3Network | AddHostRouteToL3Network
ZStack::Action::SetL3NetworkRouterInterfaceIp | SetL3NetworkRouterInterfaceIp
ZStack::Action::AddDnsToVpcRouter | AddDnsToVpcRouter
ZStack::Action::AttachTagToResources | AttachTagToResources
ZStack::Action::UpdateTag | UpdateTag

7.8 Platform Management
Platform Management mainly includes billing management, console proxy management, and AccessKey management.
7.8.1 Billing Management

7.8.1.1 Bills
Bills of different resources under different projects, departments, and accounts are calculated and displayed in real time, based on the unit price and the time of usage defined in a pricing list. The time is accurate to the second.

Bills Page
In the navigation pane of the ZStack Private Cloud UI, choose Platform Management > Billing Management > Bills. Then, the Bills page is displayed, as shown in Figure 7-282: Bills Page.

Figure 7-282: Bills Page

The Bills page displays the bills generated in a specified period of time, allowing you to view recent spending conveniently. By default, bills of the latest three days are displayed. You can view bills of other periods by selecting different time ranges.
The Bills page includes the following tab pages:
• Project: The project tab page displays the bills of different projects within a specified period of time in a list in real time.
Note:
• To view the project bills, you need to obtain and install the license of the Enterprise Management Module in advance.
• After you attach a pricing list to a project and set the unit price for each resource to be billed, the billing starts and project bills are generated accordingly.
• Project bills can be viewed by administrators, platform members, and project members.
• Department: The department tab page displays the bills of different departments within a specified period of time in real time, in the form of an organizational structure tree.
Note:
• To view the department bills, you need to obtain and install the license of the Enterprise Management Module in advance.
• After you add a project to a department, you can obtain the billing data, including the historical data, of the project and generate bills by department.
• The billing data is directly related to projects.
After you remove a project from a department, all relevant billing data (including the historical data) is removed from the department bills.
• Department bills can be viewed by administrators, platform members, and heads of departments.
• Account: The account tab page displays the bills of different accounts within a specified period of time in a list in real time.
Note:
• After you attach a pricing list to an account and set the unit price for each resource to be billed, the billing starts and account bills are generated accordingly.
• Account bills can be viewed by administrators, platform members, and account owners.
ZStack supports multi-tenant management on the vCenter that you took over. Normal accounts and project members can view the bills of KVM or vCenter resources as needed.

Resource Bills
The bill list on the Bills page allows you to view the resource bills of different projects, departments, and accounts.
• The project details page and the account details page allow you to view the bills by resource, as shown in Figure 7-283: Project/Account Billing Details Page.

Figure 7-283: Project/Account Billing Details Page

Note:
• Resource bills are generated at a specified time, not in real time. By default, the system generates bills at 00:00 on a daily basis. You can set the bill generation time as needed. The method is as follows: Go to Settings > Global Settings > Advanced, locate The time point of billing generation, and click the Edit icon. The default value is 0.
• The resource bills of VM instances and routers (including vRouters and VPC vRouters) are displayed on the VM instance tab page.
• The resource bill of a VM instance includes the total billed amount of the compute resources, such as the memory and CPU.
• The public IP resource bill includes two bill lists: public IP (flat network) and public IP (virtual IP).
• The billing details in an account, such as the bills of VM instances, root volumes, data volumes, GPU devices, and public IP addresses, can be viewed by normal accounts and project members.
• The department billing details page allows you to view the project fees of the current department and the fees of subsidiary departments, as shown in Figure 7-284: Department Billing Details Page. The project bills of the current department are displayed in a list.

Figure 7-284: Department Billing Details Page

Note:
• Project fees of the current department: Displays only the total billed amount of the projects added to the current department.
• Project fees of subsidiary departments: Displays the total billed amount of the projects added to all subsidiary departments.

Billing Details
You can view the billing details of a project or an account by specifying a resource. To view the details, click Details next to the resource fees, as shown in Figure 7-285: Billing Details.

Figure 7-285: Billing Details

Note:
• Resource bills are generated at a specified time, not in real time. By default, the system generates bills at 00:00 on a daily basis. You can set the bill generation time as needed. The method is as follows: Go to Settings > Global Settings > Advanced, locate The time point of billing generation, and click the Edit icon. The default value is 0.
• If you change the pricing list of a project or an account, bills of the associated resources are generated immediately.
• If you delete a historical price in a pricing list, bills of the associated resources are generated immediately.
• The billing details in an account, such as the bills of VM instances, root volumes, data volumes, GPU devices, and public IP addresses, can be viewed by normal accounts and project members.
Additional Information
• When a VM instance is deleted but not expunged (completely deleted), computing resources, such as the CPU and memory, and IP resources, such as the public IP (flat network), are released immediately. Therefore, the CPU, memory, and public IP resources are no longer billed.
• When a VM instance or volume is deleted but not expunged, the VM instance or volume still occupies physical storage resources (root volume and data volume). Therefore, the root volume and data volume continue to be billed until the corresponding VM instance or volume is completely deleted.
• A VM instance in the Stopped state still occupies storage resources and IP resources. Therefore, the root volumes, data volumes, and public IP (flat network) continue to be billed.
• An uninstantiated VM instance is not billed. However, the VM instance is billed immediately once it is instantiated. For example, if a project or an account has an instantiated data volume and does not attach the data volume to a VM instance, the data volume is still billed.
• Change the resource owner: The fees generated before the resource owner change are retained in the old accounts and projects, and new fees are charged to the new accounts and projects after the resource owner change.

7.8.1.2 Pricing List
A pricing list, also known as a price table, defines the unit price of different resources based on the resource specification and the time of usage. After you attach a pricing list to a project or an account, the corresponding bills of resources are generated accordingly.

Pricing List Page
In the navigation pane of the ZStack Private Cloud UI, choose Platform Management > Billing Management > Pricing List. Then, the Pricing List page is displayed, as shown in Figure 7-286: Pricing List Page.
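The billing rules in Additional Information above, together with the unit-price parameters described under Pricing List (a price within 0-10,000 with up to five decimals, a Size unit, a Unit of Time with month counted as 30 days, bandwidth-based public IP billing that starts only once QoS is set, and a priceUserConfig that must match the offering or no bill is generated) can be checked end to end with a small calculator. The following Python is an added example written for this guide, not ZStack's billing engine: the pricing list, the VM usage record, the per-state table of billed resource kinds, the binary size units and the assumption that a Running instance is billed for every resource kind are all constructed here.

```python
from decimal import Decimal, ROUND_HALF_UP

# Billing cycle lengths in seconds; month is 30 days, as the Unit of Time option states.
SECONDS_PER = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
               "week": 7 * 86400, "month": 30 * 86400}
SIZE_IN_MB = {"MB": 1, "GB": 1024, "TB": 1024 ** 2}            # assumption: binary units
BANDWIDTH_IN_MBPS = {"Kbps": Decimal("0.001"), "Mbps": Decimal(1), "Gbps": Decimal(1000)}

# Resource kinds a VM instance is billed for in each state, following the rules above
# (assumption: a Running instance is billed for every kind it uses).
BILLED_IN_STATE = {
    "Running": {"CPU", "memory", "root volume", "data volume", "public IP (flat network)"},
    "Stopped": {"root volume", "data volume", "public IP (flat network)"},
    "Deleted": {"root volume", "data volume"},      # deleted but not yet expunged
    "Expunged": set(),
}

# Constructed pricing list: one unit price per resource type.
PRICING_LIST = {
    "CPU": {"Price": "0.05", "Unit of Time": "hour"},
    "memory": {"Price": "0.01", "Size": "GB", "Unit of Time": "hour"},
    "root volume": {"Price": "0.1", "Size": "GB", "Unit of Time": "day",
                    "Advanced": {"priceUserConfig": {"priceKeyName": "ssd-tier"}}},
    "data volume": {"Price": "0.05", "Size": "GB", "Unit of Time": "day"},
    "public IP (flat network)": {"Upstream Bandwidth Price": "0.002",
                                 "Downstream Bandwidth Price": "0.001",
                                 "Size": "Mbps", "Unit of Time": "hour"},
}

# Constructed usage record for one VM instance over a two-hour billing window.
VM = {
    "state": "Running", "seconds": 7200,
    "CPU": 2, "memory": 4096, "root volume": 40960, "data volume": 102400,   # cores, MB
    "public IP (flat network)": {"up_mbps": 10, "down_mbps": 20, "qos_set": True},
    # priceKeyName from the instance offering (root volume) / disk offering (data volume)
    "offering_priceKeyName": {"root volume": "ssd-tier"},
}


def unit_price(value):
    """Accept a price only within 0-10,000 and with at most five decimal places."""
    price = Decimal(value)
    if not 0 <= price <= 10000 or -price.as_tuple().exponent > 5:
        raise ValueError(f"price {value!r} is outside 0-10,000 or has more than five decimals")
    return price


def charge(price, units, seconds, time_unit):
    return price * units * Decimal(seconds) / SECONDS_PER[time_unit]


def bill(vm, pricing):
    """Return {resource kind: amount} for one instance, rounded to five decimals."""
    lines = {}
    for kind in BILLED_IN_STATE[vm["state"]] & set(pricing):
        entry, seconds, cycle = pricing[kind], vm["seconds"], pricing[kind]["Unit of Time"]
        if kind == "CPU":
            amount = charge(unit_price(entry["Price"]), Decimal(vm["CPU"]), seconds, cycle)
        elif kind.startswith("public IP"):
            ip = vm[kind]
            if not ip["qos_set"]:
                continue                      # bandwidth is billed only once QoS is set
            if "Upstream Bandwidth Price" not in entry and "Downstream Bandwidth Price" not in entry:
                raise ValueError("upstream and downstream prices cannot both be unspecified")
            up = unit_price(entry.get("Upstream Bandwidth Price", "0"))
            down = unit_price(entry.get("Downstream Bandwidth Price", "0"))
            per_unit = BANDWIDTH_IN_MBPS[entry["Size"]]
            amount = (charge(up, Decimal(ip["up_mbps"]) / per_unit, seconds, cycle)
                      + charge(down, Decimal(ip["down_mbps"]) / per_unit, seconds, cycle))
        else:                                 # memory and volumes are billed per Size unit
            key = entry.get("Advanced", {}).get("priceUserConfig", {}).get("priceKeyName")
            if key is not None and key != vm.get("offering_priceKeyName", {}).get(kind):
                raise ValueError(f"{kind}: priceUserConfig {key!r} does not match the offering")
            units = Decimal(vm[kind]) / SIZE_IN_MB[entry["Size"]]
            amount = charge(unit_price(entry["Price"]), units, seconds, cycle)
        lines[kind] = amount.quantize(Decimal("0.00001"), rounding=ROUND_HALF_UP)
    return lines


def total(lines):
    return sum(lines.values(), Decimal(0))
```

Decimal arithmetic is used deliberately: five-decimal prices multiplied by second-accurate durations accumulate rounding error in binary floating point, and a billing calculator is exactly where that error becomes visible to tenants.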
Figure 7-286: Pricing List Page

The Pricing List page displays the created pricing lists and related information. When you use a pricing list, note that:
• A pricing list can be attached to more than one project or account. A project or an account can have only one pricing list attached.
• The system provides a default pricing list, which cannot be deleted. When you upgrade the cloud, a default pricing list is automatically created according to the previous billing setting.

Create Pricing List
On the Pricing List page, click Create Pricing List. On the displayed Create Pricing List page, set the following parameters:
• Name: Enter a name for the pricing list.
• Description: Optional. Enter a description for the pricing list.
• Set Unit Price: Click Add Unit Price to set the unit price for different resources, including CPU, memory, root volume, data volume, GPU device, public IP (flat network), and public IP (virtual IP).
• To set the unit price for CPU, configure the following parameters:
▬ Resource Type: Select CPU.
▬ Price: Customize the billing price. Value range: 0-10,000, inclusive. Five decimal places are supported.
▬ Unit of Time: Set the billing cycle. Options: second | minute | hour | day | week | month (30 days).
As shown in Figure 7-287: Set Unit Price for CPU. Click OK to submit the settings.

Figure 7-287: Set Unit Price for CPU

• To set the unit price for memory, configure the following parameters:
▬ Resource Type: Select memory.
▬ Price: Customize the billing price. Value range: 0-10,000, inclusive. Five decimal places are supported.
▬ Size: Set the resource unit. Options: MB | GB | TB.
▬ Unit of Time: Set the billing cycle. Options: second | minute | hour | day | week | month (30 days).
As shown in Figure 7-288: Set Unit Price for Memory. Click OK to submit the settings.
Figure 7-288: Set Unit Price for Memory

• To set the unit price for root volume, configure the following parameters:
▬ Resource Type: Select root volume.
▬ Price: Customize the billing price. Value range: 0-10,000, inclusive. Five decimal places are supported.
▬ Size: Set the resource unit. Options: MB | GB | TB.
▬ Unit of Time: Set the billing cycle. Options: second | minute | hour | day | week | month (30 days).
▬ Advanced: Configure advanced parameters in JSON format to customize the billing based on the disk performance. The following is an example:

{
  "priceUserConfig": {
    "priceKeyName": "Enter the value of priceKeyName in the advanced parameters of the corresponding instance offering."
  }
}

Note:
This configuration item depends on the priceUserConfig field in the advanced parameters of the corresponding instance offering. Therefore, make sure that the value of priceUserConfig here is the same as that in the advanced parameters of the corresponding instance offering. Otherwise, the bill will fail to be generated.
As shown in Figure 7-289: Set Unit Price for Root Volume. Click OK to submit the settings.

Figure 7-289: Set Unit Price for Root Volume

• To set the unit price for data volume, configure the following parameters:
▬ Resource Type: Select data volume.
▬ Price: Customize the billing price. Value range: 0-10,000, inclusive. Five decimal places are supported.
▬ Size: Set the resource unit. Options: MB | GB | TB.
▬ Unit of Time: Set the billing cycle. Options: second | minute | hour | day | week | month (30 days).
▬ Advanced: Configure advanced parameters in JSON format to customize the billing based on the disk performance.
The following is an example:

{
  "priceUserConfig": {
    "priceKeyName": "Enter the value of priceKeyName in the advanced parameters of the corresponding disk offering."
  }
}

Note:
This configuration item depends on the priceUserConfig field in the advanced parameters of the corresponding disk offering. Therefore, make sure that the value of priceUserConfig here is the same as that in the advanced parameters of the corresponding disk offering. Otherwise, the bill will fail to be generated.
As shown in Figure 7-290: Set Unit Price for Root Volume. Click OK to submit the settings.

Figure 7-290: Set Unit Price for Root Volume

• To set the unit price for GPU device, configure the following parameters:
▬ Resource Type: Select GPU device.
▬ Price: Customize the billing price. Value range: 0-10,000, inclusive. Five decimal places are supported.
▬ Type: Select a GPU type. Options: Desktop GPU | Compute GPU.
▬ Model: Select the model of the GPU device that was passed through.
▬ Unit of Time: Set the billing cycle. Options: second | minute | hour | day | week | month (30 days).
As shown in Figure 7-291: Set Unit Price for GPU Device. Click OK to submit the settings.

Figure 7-291: Set Unit Price for GPU Device

• To set the unit price for public IP, configure the following parameters:
Note:
Public IP addresses are billed by bandwidth. When you set the unit price for public IP addresses, note that:
• Charges for public IP addresses are incurred only after QoS is set.
• Currently, virtual IP addresses of the IPv6 type cannot be billed.
▬ Resource Type: Select public IP (flat network) or public IP (virtual IP).
■ Public IP (flat network): VM instances that were created directly on public networks are billed by public IP (flat network). The billing starts after QoS is set for the corresponding VM NICs.
■ Public IP (virtual IP): Elastic IP addresses, port forwarding, load balancing, and IPsec network services are billed by public IP (virtual IP). The billing starts after QoS is set.
▬ Upstream Bandwidth Price: Customize the billing price for the upstream bandwidth. Value range: 0-10,000, inclusive. Five decimal places are supported.
Note:
The upstream bandwidth and downstream bandwidth can be billed separately. However, the upstream bandwidth and downstream bandwidth cannot both be left unspecified.
▬ Downstream Bandwidth Price: Customize the billing price for the downstream bandwidth. Value range: 0-10,000, inclusive. Five decimal places are supported.
▬ Size: Set the resource unit. Options: Kbps | Mbps | Gbps.
▬ Unit of Time: Set the billing cycle. Options: second | minute | hour | day | week | month (30 days).
As shown in Figure 7-292: Set Unit Price for Public IP. Click OK to submit the settings.

Figure 7-292: Set Unit Price for Public IP

As shown in Figure 7-293: Create Pricing List. Click OK to finish creating the pricing list.

Figure 7-293: Create Pricing List

Pricing List Operations
• Create pricing list: Create a pricing list, and set the unit price for CPU, memory, root volume, data volume, GPU device, public IP (flat network), and public IP (virtual IP) as needed.
• Modify pricing list: Modify the pricing list information, such as the resource price, resource unit, unit of time, and advanced parameters.
• Delete: Delete a pricing list that is not attached to a project or an account. Bulk delete operations are supported.
Note:
When you delete pricing lists, note that:
• The default pricing list cannot be deleted.
• A pricing list that is being used by a project or an account cannot be deleted.
To delete such a pricing list, first change the pricing list of the associated project or account, and then delete the pricing list.
• Attach project/account: Attach a pricing list to a project or an account. Then, the associated account will be billed according to the pricing list.
Note: A pricing list can be attached to more than one project or account, while a project or an account can have only one pricing list attached.
• Change pricing list: Replace the pricing list attached to a project or an account with another pricing list. After the pricing list is changed, the associated account will be billed according to the new pricing list.
• Delete pricing history: Delete a pricing history that you no longer need.
Note: When you delete a pricing history, note that:
• When you delete a pricing history whose end date is the current date, the pricing records will also be deleted. Meanwhile, the corresponding bills will be generated immediately, and no more fees will be incurred.
• When you delete a pricing history whose end date is not the current date, only the pricing records will be deleted. The billing and bills are not affected.
• Set billing currency symbol: Set the currency symbol for billing. The method is as follows: Go to Settings > Global Settings > Advanced, locate Billing currency symbol, and click the Edit icon. Options: RMB (¥) | USD ($) | EUR (€) | GBP (£) | AUD (A$) | HKD (HK$) | JPY (¥) | CHF | CAD (C$).

7.8.2 Tag
You can create tags for resources as needed, and quickly locate the required resources according to the tag type and tag name.
• You can create tags with different colors, a simple style, and brief wording. You can also bind tags to resources and search for resources by using tags. This improves search efficiency.
• Two types of tags are available: admin tags and tenant tags.
▬ Admin tags are created and owned by administrators (admins or platform admins), and can be bound to VM instances, volumes, and hosts.
▬ Tenant tags are created and owned by tenants (normal accounts or projects), and can be bound to VM instances and volumes.
• Currently, you can bind tags to or unbind tags from VM instances, volumes, and hosts.

Tag Page
In the navigation pane of the ZStack Private Cloud UI, choose Platform Management > Tag. Then, the Tag page is displayed, as shown in Figure 7-294: Tag Page.

Figure 7-294: Tag Page

The Tag page displays the created tags and the related information, such as the tag name, color, total count of resources to which the tag is bound, and the tag owner. You can search for a created tag by using the search box in the upper left corner, or view the created tags by clicking the page flip button or the drop-down menu in the upper right corner.

Create Tag
On the Tag page, click Create Tag. On the displayed Create Tag page, set the following parameters:
• Name: Enter a name for the tag.
▬ The length of the tag name cannot exceed 20 characters.
▬ The tag name is case sensitive.
▬ Tags are unique. The same role can have only one tag with the same name and color.
• Color: Select a tag color.
As shown in Figure 7-295: Create Tag.

Figure 7-295: Create Tag

Tag Operations
• Create tag: Create a new tag.
• Delete: Delete an existing tag. Deleting a tag will also unbind the tag from the associated resources.
• Unbind resource: Unbind a tag from a resource.

Notice
• Admin tags are created and owned by administrators (admins or platform admins), while tenant tags are created and owned by tenants (normal accounts or projects).
• Tags created by tenants can only be bound to resources of the corresponding tenants, while admin tags can be bound to all of your resources.
• Administrators can unbind or delete tenant tags.
• Tags in a project are owned by the project. Therefore, all members, including the head of project, project administrators, and project members, can perform operations on these tags.
• Currently, tag owners cannot be changed.
• When you change a resource owner, all tenant tags bound to the resource will be unbound. However, the admin tags are not affected.
• After the cloud is upgraded seamlessly, the existing tags will be updated accordingly and displayed in the latest style. If an exception occurs, refresh your browser or create a new tag.

7.8.3 Application Center
The Application Center provides enhanced functionality and fast access to various third-party applications. You can add the URLs of different third-party applications for centralized management and quick access.

Add Application
In the navigation pane of the ZStack Private Cloud UI, choose Platform Management > Application Center. On the displayed Application Center page, click Add Application and set the following parameters:
• Application Type: Select an application type. Different icons will be displayed according to the application type you selected. Options: Storage | Database | Security | IaaS | PaaS | SaaS.
• Application: Select an application. Options: Recommended (such as Rancher) | Other.
• Name: Enter a name for the application.
• Description: Optional. Enter a description for the application.
• URL: Enter the URL of the application.
• Share Permissions: Set whether to share the permissions. Options: custom sharing | share to all. Specifically, custom sharing allows you to select one or more existing projects or accounts as needed.
As shown in Figure 7-296: Add Application. Click OK to finish adding an application.
Figure 7-296: Add Application

After you add an application, you can view the application on the Application Center page, as shown in Figure 7-297: Added an Application. (Make sure that you installed the Enterprise Management license.)

Figure 7-297: Added an Application

• Move the pointer over the application card and click Enter. Then, you will be redirected to the destination path.
• In the upper right corner of the application card, click Update Application. Then, you can change the name, description, type, URL, and whether to share the permissions.
• In the upper right corner of the application card, click Delete Application. Then, you can delete the application card.

7.8.4 Email Server
ZStack provides the ZWatch feature. If you select an email as the endpoint when you use ZWatch, you need to set the email server to receive alarm emails.

Add Email Server
In the navigation pane of the ZStack Private Cloud UI, choose Platform Management > Email Server. On the Email Server page, click Add Email Server. On the displayed Add Email Server page, set the following parameters:
• Name: Enter a name for the email server.
• Description: Optional. Enter a description for the email server.
• User Name: Enter a user name.
• Password: Enter the password corresponding to the user name.
Note: If you use a third-party email as the email server, you need to enable the SMTP service in the third-party email settings in advance, and enter the obtained authorization code in the password text box.
• Email Server Type: By default, smtp is selected.
• Email Server: Enter the address of the email server.
• Email Server Port: Enter the port of the email server. Default port: 25.
• Encryption Type: Optional. Select an encryption type to encrypt the email server port. Options: STARTTLS | SSL/TLS | NONE.
Note:
• The default encryption type is STARTTLS, which corresponds to port 25.
• If you select SSL/TLS, note that the default port is 465.
• If you do not want to encrypt the connection to the SMTP server, select NONE.
As shown in Figure 7-298: Add Email Server.

Figure 7-298: Add Email Server

Click OK. Then, the system automatically checks whether the user name, password, email server address, email server port, and encryption type are correct. The waiting time does not exceed five seconds. If an error occurs, modify your settings as prompted and submit your settings again. If no error is detected, the system returns to the Email Server page, indicating that the email server is added successfully.
Note: Enter the relevant information according to your actual situation. If you have any questions, contact the relevant email server provider.

7.8.5 Log Server
ZStack allows you to add a log server to the cloud. With the log server, you can collect management node logs and quickly locate problems, thereby improving the cloud O&M efficiency.

Add Log Server
In the navigation pane of the ZStack Private Cloud UI, choose Platform Management > Log Server. On the Log Server page, click Add Log Server. On the displayed Add Log Server page, set the following parameters:
• Name: Enter a name for the log server.
• Description: Optional. Enter a description for the log server.
• IP Address: Enter the IP address of the log server.
• UDP Port: Enter the port on which the log server receives logs over the User Datagram Protocol (UDP).
• Log Level: Select the level of logs to be received.
Note: Make sure that the log level you selected here is the same as that of the log server. Otherwise, the log server might fail to receive the logs.
As shown in Figure 7-299: Add Log Server.

Figure 7-299: Add Log Server

Click Test Connection.
Then, the system automatically checks the connectivity of the IP address. If the connection fails, check whether the IP address is correct, whether the network is available, and whether the log level is the same as that of the log server. If the check passes, click OK.
Note: Enter the relevant information according to your actual situation. If you have any questions, contact the relevant log server provider.

7.8.6 Console Proxy
In the navigation pane of the ZStack Private Cloud UI, choose Platform Management > Console Proxy. The Console Proxy page displays the information about the console proxy. This information is used to open the console of the corresponding VM instance, as shown in Figure 7-300: Console Proxy Page.

Figure 7-300: Console Proxy Page

• You need to modify the console proxy address only on the management node.
• The default proxy address is the IP address of the management node.
• The displayed type is ManagementServerConsoleProxy.
• You can open the console of a VM instance only when the state of the console proxy is Enabled and the status is Connected.
You can perform the following operations on a console proxy:
• Reconnect: You can reconnect the console proxy if the console of a VM instance fails to be opened. After reconnection, you can open the console again when the proxy state is Enabled and the proxy status is Connected.
• Set the console proxy address: ZStack allows you to set the console proxy address in the UI.
▬ The console proxy address can be the public IP address of the management node, the NAT address, or the domain name. Port settings are not supported.
▬ The setting takes effect immediately with no need to restart the management node.

7.8.7 MN Monitoring
The Management Node Monitoring (MN Monitoring) feature allows you to view the health status of each node in a multi-management node environment.
In the navigation pane of the ZStack Private Cloud UI, choose Platform Management > MN Monitoring. Then, the MN Monitoring page is displayed, as shown in Figure 7-301: MN Monitoring Page.

Figure 7-301: MN Monitoring Page

The MN Monitoring feature displays the management IP address, node status, VIP, and management service status of different management nodes. The management service status includes:
• Whether monitor IP is reachable: Checks whether the monitor IP address of the active and standby management nodes is reachable. If unreachable, the high availability feature of the management node might be invalid.
• Whether peer management node is reachable: Checks whether the standby management node is reachable. If unreachable, the standby management node cannot be communicated with.
• Whether VIP is reachable: Checks whether the VIP is reachable. If unreachable, the active management node cannot access the UI through the VIP.
• Database status: Monitors the status of the database. If the database is abnormal or the databases of multiple management nodes are not synchronized, data might be lost. We recommend that you troubleshoot this issue as soon as possible.

Notice
• The management node area uses three colors: green, red, and gray. Green indicates that the management node or related information is normal. Red and gray indicate that the management node or the related information is abnormal. If red or gray is displayed, perform troubleshooting as soon as possible.
• The multi-management node environment uses the active-standby mode, and the environment has only one active management node. The active management node displays its VIP, while standby management nodes do not display their VIPs.
• If all standby management nodes are abnormal and the active management node then fails, the services on the active management node cannot be switched to a standby management node, and the active management node stays down. Therefore, if you find an exception in a management node, perform troubleshooting as soon as possible.

7.8.8 IP Blacklist/Whitelist
ZStack allows you to configure a blacklist or whitelist for login IP addresses to protect your cloud. You can configure a blacklist or whitelist as needed to identify and filter the identities of those who access your cloud, thereby enhancing the access control and security of your cloud.
To use the IP Blacklist/Whitelist feature, go to Settings > Global Settings > Advanced, locate IP Blacklist/Whitelist, and change the value to true.

Add IP Blacklist/Whitelist
On the IP Blacklist/Whitelist page, you can add an IP blacklist or whitelist as needed. The methods for adding an IP blacklist and an IP whitelist are the same. The following is an example of adding an IP blacklist:
In the navigation pane of the ZStack Private Cloud UI, choose Platform Management > IP Blacklist/Whitelist. On the IP Blacklist/Whitelist page, click Add IP Blacklist. On the displayed Add IP Blacklist page, set the following parameters:
• Name: Enter a name for the IP blacklist.
• Description: Optional. Enter a description for the IP blacklist.
• IP Address: Enter the IP addresses to be added to the blacklist.
Note:
• You can add static IP addresses, IP ranges, or CIDRs, and separate them by using commas (,).
• You can add a combination of up to 100 items of the supported formats.
As shown in Figure 7-302: Add IP Blacklist.

Figure 7-302: Add IP Blacklist

Notice
The implementation mechanism of the IP blacklist and whitelist is as follows:
• By default, if no IP blacklist or whitelist is added, the access requests from all IP addresses are allowed.
• If only an IP blacklist is added, the access requests from all IP addresses in the blacklist are denied, while the access requests from IP addresses outside of the blacklist are allowed.
• If only an IP whitelist is added, the access requests from IP addresses both in and outside of the whitelist are allowed (that is, a whitelist on its own does not restrict access).
• If both an IP blacklist and an IP whitelist are added, the whitelist takes precedence over the blacklist. For example, if an IP address is added to a blacklist and a whitelist at the same time, the access requests from the IP address will be allowed.

7.8.9 Certificate
The Certificate feature complies with the digital certificate protocol. Trusted certificate authorities (CAs) issue digital certificates after verifying the identity of a server. The issued certificates can verify server identities and encrypt data transmission.
Currently, the Certificate feature is only applied to load balancing services. If you use HTTPS for your load balancing listener, you need to bind a certificate.
• Prepare a certificate in advance. You can use relevant tools to generate a self-signed certificate or purchase a certificate issued by a CA.
• Upload the prepared certificate to the cloud. Note that both certificates and certificate chains can be uploaded.
• Note that the load balancing service supports only PEM certificates. Before you upload a certificate, make sure that the certificate, private key, and certificate chain meet the format requirements.

Create Certificate
In the navigation pane of the ZStack Private Cloud UI, choose Platform Management > Certificate. On the Certificate page, click Create Certificate. On the displayed Create Certificate page, set the following parameters:
• Name: Enter a name for the certificate.
• Description: Optional. Enter a description for the certificate.
• Certificate Text: Enter the certificate text you prepared before.
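For the IP blacklist/whitelist rules of 7.8.8 above, the following is an added example (not ZStack's own code) that parses the three item formats the guide accepts and applies the four rules exactly as stated; the range syntax a.b.c.d-e.f.g.h is an assumption, since the guide does not spell it out.

```python
import ipaddress

MAX_ITEMS = 100  # the guide allows up to 100 items per list


def parse_entry(entry):
    """Parse one list item: a static IP, an IP range, or a CIDR.
    The range syntax 'a.b.c.d-e.f.g.h' is an assumption of this example."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError("range end before start: %s" % entry)
        return ("range", lo, hi)
    if "/" in entry:
        return ("cidr", ipaddress.ip_network(entry, strict=False))
    return ("ip", ipaddress.ip_address(entry))


def parse_list(text):
    """Parse the comma-separated IP Address field of an IP blacklist or whitelist."""
    items = [e for e in text.split(",") if e.strip()]
    if len(items) > MAX_ITEMS:
        raise ValueError("at most %d items are supported" % MAX_ITEMS)
    return [parse_entry(e) for e in items]


def matches(ip, entries):
    """True if the client address is covered by any entry (IPv4/IPv6 never cross-match)."""
    addr = ipaddress.ip_address(ip)
    for kind, *rest in entries:
        if kind == "ip" and addr == rest[0]:
            return True
        if kind == "cidr" and addr.version == rest[0].version and addr in rest[0]:
            return True
        if kind == "range" and addr.version == rest[0].version and rest[0] <= addr <= rest[1]:
            return True
    return False


def login_allowed(ip, blacklist=None, whitelist=None):
    """Apply the guide's rules in order: no lists -> allow; blacklist only -> deny listed;
    whitelist only -> allow everyone; both -> whitelist wins, then the blacklist applies."""
    blacklist = blacklist or []
    whitelist = whitelist or []
    if not blacklist:
        return True  # covers "no lists" and "whitelist only": nothing is restricted
    if whitelist and matches(ip, whitelist):
        return True  # whitelist takes precedence over the blacklist
    return not matches(ip, blacklist)
```

Note how a whitelist by itself lets every address in; to deny a client you still need a blacklist entry that covers it.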
▬ The certificate text starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
▬ The certificate text cannot contain spaces.
▬ Example:
    -----BEGIN CERTIFICATE-----
    #end-user certificate#
    -----END CERTIFICATE-----
• Private Key: Enter the private key you prepared before.
▬ The private key starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----.
▬ The private key cannot contain spaces.
▬ Example:
    -----BEGIN PRIVATE KEY-----
    #private key#
    -----END PRIVATE KEY-----
• Certificate Chain: Optional. If you need to upload multiple certificates, you must combine the root certificate and intermediate certificates into a chain and upload the certificate chain instead.
▬ Put the root certificate in the first place, and the intermediate certificates from the second place on, in sequence. Note that no blank lines can be contained between certificates.
▬ The certificate text cannot contain spaces.
▬ Example:
    -----BEGIN CERTIFICATE-----
    #root certificate#
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    #intermediate certificate#
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    #intermediate certificate#
    -----END CERTIFICATE-----
As shown in Figure 7-303: Create Certificate.

Figure 7-303: Create Certificate

Certificate Operations
• Change name and description: Change the name and description of a certificate.
• Delete: Delete a certificate. If the certificate is bound to one or more listeners, deleting the certificate will also unbind it from the listeners.
• Unbind certificate: Unbind a certificate from a listener.

7.8.10 AccessKey Management
An AccessKey can either be a local AccessKey or a third-party AccessKey.
• In ZStack Private Cloud, a local AccessKey (which contains an AccessKey ID and an AccessKey Secret) is a security credential authorized by the cloud to third-party users. With the authorized AccessKey, third-party users can access cloud resources by calling ZStack Private Cloud APIs. We recommend that you keep your AccessKey confidential to maintain security.
• A third-party AccessKey (which contains an AccessKey ID and an AccessKey Secret) is a security credential authorized by third-party users to the cloud. With the authorized AccessKey, the cloud can access cloud resources of the third-party users by calling APIs. Third-party AccessKeys must also be kept confidential to maintain security.
An AccessKey is a key factor for ZStack Private Cloud to perform security authentication on API requests. We recommend that you keep your AccessKey confidential to maintain security. If your AccessKey is at risk of leakage, we recommend that you delete it and create a new one.

7.8.10.1 Local AccessKey
Create Local AccessKey
In the navigation pane of the ZStack Private Cloud UI, choose Platform Management > AccessKey Management. On the AccessKey Management page, click Create AccessKey. Then, an AccessKey is created.

Notice
• Admins and platform admins can create multiple AccessKeys, while tenants (normal accounts and project members) can create only two AccessKeys.
• Admins and platform admins can enable, disable, or delete AccessKeys created by themselves and those created by tenants at any time.
• Tenants can enable, disable, or delete AccessKeys created by themselves at any time.
• An AccessKey has all permissions of the user who created it.

A Third-Party Platform Calls ZStack APIs by Using an AccessKey
After you create an AccessKey successfully, a third-party platform can call ZStack Private Cloud APIs by using the AccessKey. The methods are as follows:
• Use SDK: Take CreateVmInstance as an example.
When you call ZStack Private Cloud APIs by using an AccessKey, enter accessKeyId and accessKeySecret. For example:
• Java SDK

    import static java.util.Arrays.asList;

    CreateVmInstanceAction action = new CreateVmInstanceAction();
    action.name = "vm1";
    action.instanceOfferingUuid = "ae97ced44efc3314b8f7798972b4ba1a";
    action.imageUuid = "da119f7906513eccabf271991c35a65e";
    action.l3NetworkUuids = asList("cc0e4c5e77df3af68e59668e7f9e06c5");
    action.dataDiskOfferingUuids = asList("19d22d051b063d379a2816daaf431838", "905d94a6abb5398fa1995f6398e3f6fc");
    action.clusterUuid = "a0468dc645223f67bd0f2ab95276bbae";
    action.description = "this is a vm";
    action.strategy = "InstantStart";
    // the AccessKey pair authenticates the call instead of a session ID
    action.accessKeyId = "Fnxc7KIQAdGTvXfx8OjC";
    action.accessKeySecret = "Do0AJUGVPrT9iJZlc1QOtk7kzEusYidyqJxSmKOb";
    CreateVmInstanceAction.Result res = action.call();

• Python SDK

    action = CreateVmInstanceAction()
    action.name = "vm1"
    action.instanceOfferingUuid = "ae97ced44efc3314b8f7798972b4ba1a"
    action.imageUuid = "da119f7906513eccabf271991c35a65e"
    action.l3NetworkUuids = ["cc0e4c5e77df3af68e59668e7f9e06c5"]
    action.dataDiskOfferingUuids = ["19d22d051b063d379a2816daaf431838", "905d94a6abb5398fa1995f6398e3f6fc"]
    action.clusterUuid = "a0468dc645223f67bd0f2ab95276bbae"
    action.description = "this is a vm"
    action.strategy = "InstantStart"
    # the AccessKey pair authenticates the call instead of a session ID
    action.accessKeyId = "Fnxc7KIQAdGTvXfx8OjC"
    action.accessKeySecret = "Do0AJUGVPrT9iJZlc1QOtk7kzEusYidyqJxSmKOb"
    res = action.call()

• Call the ZStack Private Cloud RESTful APIs directly.
1. Create an AccessKey.
    CreateAccessKey accountUuid=dff4fb9bbff14e97a67ab894c7b8c528 userUuid=dff4fb9bbff14e97a67ab894c7b8c528
    {
      "inventory": {
        "AccessKeyID": "N3Tf05yXZUmSjCf6mYIB",
        "AccessKeySecret": "XAlrsYvswmnEV3X1KWNs1WfZHD6aBIIphmI0rX9S",
        "accountUuid": "dff4fb9bbff14e97a67ab894c7b8c528",
        "createDate": "Sep 6, 2018 1:50:06 PM",
        "lastOpDate": "Sep 6, 2018 1:50:06 PM",
        "userUuid": "dff4fb9bbff14e97a67ab894c7b8c528",
        "uuid": "ae353717ca7b4182bb87fb5d010235e8"
      },
      "success": true
    }

2. Generate the date.

    python get_time.py
    Thu, 06 Sep 2018 13:54:10 PRC

get_time.py:

    import datetime
    import time

    date = time.time()
    # EEE, dd MMM yyyy HH:mm:ss z
    date_str = datetime.datetime.fromtimestamp(date).strftime('%a, %d %b %Y %H:%M:%S PRC')
    print(date_str)

Note: The time format must be EEE, dd MMM yyyy HH:mm:ss zzz.

3. Generate the digest.

    # python get_accesskey.py "N3Tf05yXZUmSjCf6mYIB" "XAlrsYvswmnEV3X1KWNs1WfZHD6aBIIphmI0rX9S" \
        "GET" "" "application/x-www-form-urlencoded" "Thu, 06 Sep 2018 13:54:10 PRC" "/v1/vm-instances"
    args: Namespace(Content_MD5='', Content_Type='application/x-www-form-urlencoded', \
        acesskey_id='N3Tf05yXZUmSjCf6mYIB', acesskey_secret='XAlrsYvswmnEV3X1KWNs1WfZHD6aBIIphmI0rX9S', \
        date='Thu, 06 Sep 2018 13:54:10 PRC', method='GET', uri='/v1/vm-instances')
    Signature: S3vm7u7/+n+sIQe72lgia08I30U=
    Authorization ZStack N3Tf05yXZUmSjCf6mYIB:S3vm7u7/+n+sIQe72lgia08I30U=

get_accesskey.py:

    #!/usr/bin/python
    import argparse
    import base64
    import hmac
    from hashlib import sha1

    # positional arguments in the order they are passed on the command line above
    parser = argparse.ArgumentParser(description='calculate zstack access key digest.')
    parser.add_argument('acesskey_id')
    parser.add_argument('acesskey_secret')
    parser.add_argument('method')
    parser.add_argument('Content_MD5')
    parser.add_argument('Content_Type')
    parser.add_argument('date')
    parser.add_argument('uri')
    args = parser.parse_args()
    print("args: %s" % args)

    # HMAC-SHA1 over "method\ndate\nuri", keyed with the AccessKey Secret, then Base64-encoded
    string_to_sign = args.method + "\n" + args.date + "\n" + args.uri
    h = hmac.new(args.acesskey_secret.encode(), string_to_sign.encode(), sha1)
    Signature = base64.b64encode(h.digest()).decode()
    print("Signature: %s" % Signature)
    # the Authorization header value: "ZStack <AccessKey ID>:<Signature>"
    print("Authorization %s" % ("ZStack " + args.acesskey_id + ":" + Signature))

4. Send the request.

    curl -H "Authorization:ZStack N3Tf05yXZUmSjCf6mYIB:S3vm7u7/+n+sIQe72lgia08I30U=" \
         -H "Content-Type:application/x-www-form-urlencoded" \
         -H "Date:Thu, 06 Sep 2018 13:54:10 PRC" \
         -X GET http://172.20.11.134:8080/zstack/v1/vm-instances

7.8.10.2 Third-Party AccessKey
Add Third-Party AccessKey
On the AccessKey Management page, click the Third Party tab. On the Third Party tab page, click Add AccessKey. On the displayed Add AccessKey page, set the following parameters:
• Name: Enter a name for the third-party AccessKey.
• Description: Optional. Enter a description for the third-party AccessKey.
• AccessKey ID and AccessKey Secret: Enter the AccessKey ID and AccessKey Secret that you applied for on the third-party platform.
As shown in Figure 7-304: Add Third-Party AccessKey.

Figure 7-304: Add Third-Party AccessKey

Notice
• Admins and platform admins can delete third-party AccessKeys added by themselves or by tenants at any time.
• Tenants can delete third-party AccessKeys added by themselves.

7.9 Advanced Function (Plus)
ZStack provides the following advanced functions:
• Enterprise Management
• BareMetal Management
• Backup Service
• Migration Service
Advanced functions are provided as separate feature modules. To use an advanced function, purchase both the Base License and the corresponding Plus License. The Plus License cannot be used independently.

7.9.1 Migration Service
7.9.1.1 Overview
ZStack provides the V2V Migration Service, allowing you to migrate VM systems and data from other virtualization platforms to the current cloud. Currently, with the V2V Migration Service, you can:
• Migrate VM instances from the vCenter that you took over to the current cloud.
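The four RESTful steps of 7.8.10.1 above build the Authorization header by hand. The following added example (my code, not ZStack's) wraps the same HMAC-SHA1 computation in a client-side sign_request() and pairs it with an assumed server-side verify_request() that recomputes the signature, compares it in constant time, and rejects unknown or deleted AccessKey IDs and stale Date headers; the 15-minute replay window and the verification logic are assumptions of this example, while the key values and the Date are the guide's sample ones.

```python
import base64
import hmac
from datetime import datetime, timedelta
from hashlib import sha1

# Date header layout from the guide: EEE, dd MMM yyyy HH:mm:ss zzz. The zone name is
# stripped before parsing because strptime does not know names such as "PRC".
DATE_FMT = "%a, %d %b %Y %H:%M:%S"


def string_to_sign(method, date, uri):
    # Same input as get_accesskey.py on this page: "method\ndate\nuri"
    return method + "\n" + date + "\n" + uri


def sign_request(access_key_id, access_key_secret, method, uri, date):
    """Client side: return the Authorization and Date headers for one request."""
    mac = hmac.new(access_key_secret.encode(), string_to_sign(method, date, uri).encode(), sha1)
    signature = base64.b64encode(mac.digest()).decode()
    return {"Authorization": "ZStack %s:%s" % (access_key_id, signature), "Date": date}


def verify_request(headers, method, uri, lookup_secret, now, max_skew=timedelta(minutes=15)):
    """Server side (assumed design, not ZStack's implementation): recompute the HMAC and
    compare in constant time; reject unknown keys and stale Date headers.
    lookup_secret(access_key_id) returns the secret, or None for unknown/disabled keys."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("ZStack "):
        return False, "unsupported scheme"
    key_id, sep, presented = auth[len("ZStack "):].partition(":")
    if not (sep and key_id and presented):
        return False, "malformed Authorization header"
    secret = lookup_secret(key_id)
    if secret is None:
        return False, "unknown or disabled AccessKey ID"
    date = headers.get("Date", "")
    try:
        sent = datetime.strptime(date.rsplit(" ", 1)[0], DATE_FMT)
    except ValueError:
        return False, "bad Date header"
    if abs(now - sent) > max_skew:
        return False, "Date outside replay window"
    # The signature covers method, date and URI, so a header captured for one request
    # does not verify for a different URI or method.
    expected = sign_request(key_id, secret, method, uri, date)["Authorization"]
    if not hmac.compare_digest(expected.encode(), auth.encode()):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Run the guide's sample values through both sides; returns the four outcomes."""
    key_id = "N3Tf05yXZUmSjCf6mYIB"                     # AccessKey ID from the guide's CreateAccessKey output
    secret = "XAlrsYvswmnEV3X1KWNs1WfZHD6aBIIphmI0rX9S"  # matching AccessKey Secret from the guide
    date = "Thu, 06 Sep 2018 13:54:10 PRC"
    now = datetime(2018, 9, 6, 13, 54, 40)               # constructed server clock, 30 s after the Date
    keys = {key_id: secret}                              # stand-in for the AccessKey store
    headers = sign_request(key_id, secret, "GET", "/v1/vm-instances", date)
    good = verify_request(headers, "GET", "/v1/vm-instances", keys.get, now)
    other_uri = verify_request(headers, "GET", "/v1/volumes", keys.get, now)
    replayed = verify_request(headers, "GET", "/v1/vm-instances", keys.get, now + timedelta(hours=1))
    del keys[key_id]                                     # the guide's advice after a leak: delete the AccessKey
    deleted = verify_request(headers, "GET", "/v1/vm-instances", keys.get, now)
    return good, other_uri, replayed, deleted
```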
The supported versions of the source vCenter platform include 5.0, 5.1, 5.5, 6.0, 6.5, and 6.7. Note that the version of vCenter Server must be consistent with that of the ESXi host.
• Migrate VM instances from a KVM cloud platform to the current cloud.
As shown in Figure 7-305: V2V Migration.

Figure 7-305: V2V Migration

The V2V Migration Service is a separate feature module. To use this feature, you need to purchase both the Base License and the Plus License of the V2V Migration Service. The Plus License cannot be used independently.
With the V2V Migration Service, you can:
• Perform one-click V2V migrations in bulk for VM instances.
• Simply add a conversion host and create a V2V job. The cloud will do the rest of the work.
• Configure an independent migration network and a network QoS for a conversion host to control transmission bottlenecks and to improve migration efficiency.
• Customize configurations for destination VM instances when you create a V2V job.
• Monitor and manage the entire migration process in the visualized, well-designed UI.

7.9.1.2 Preparation
• An admin must install the latest version of ZStack in advance, and deploy the necessary resources used for creating VM instances. For more information, see the related topics in the User Guide.
• The admin must purchase a Plus License of the Migration Service module in advance, and then install the Migration Service module.
• If the source cloud platform is VMware, take over the vCenter to ZStack Private Cloud in advance. For more information, see vCenter Management Tutorial.

7.9.1.3 Quick Start
You can quickly start to use the V2V Migration Service as follows:
1. Add a V2V conversion host. For more information about how to add a V2V conversion host, see V2V Conversion Host.
2. Create a V2V job to migrate VM instances from other virtualization platforms to the current cloud. For more information about how to create a V2V job, see V2V Migration.
7.9.1.4 V2V Migration
Currently, the V2V Migration Service allows you to migrate VM instances from a VMware cloud platform or a KVM cloud platform to the current cloud.

7.9.1.4.1 Source Cloud Platform: VMware
By creating V2V migration jobs, you can migrate VM instances from the vCenter that you took over to the current cloud.
• Before migration, perform data synchronization on the vCenter that you took over to manually synchronize the latest status of vCenter resources.
• You can perform bulk V2V migrations for VM instances, and customize configurations of the destination VM instances to be migrated.
• The supported versions of the source vCenter platform include 5.0, 5.1, 5.5, 6.0, 6.5, and 6.7. Note that the version of vCenter Server must be consistent with that of the ESXi host.
• The supported systems of source vCenter VM instances include RHEL/CentOS 4.x, 5.x, 6.x, 7.x, SLES 11, 12, 15, Ubuntu 12, 14, 16, 18, and Windows 7, 2003, 2008, 2012, 2016.
• The VM instances will be forced to shut down during the V2V migration process. Therefore, pay attention to the business impact.
Note: The system first attempts to shut down the VM instances gracefully. If the shutdown fails, the system will shut down the VM instances forcibly.
• The type of the source primary storage is not enforced. The type of the destination primary storage can be LocalStorage, NFS, Ceph, or Shared Block.
• For Windows VM instances, the Windows VirtIO driver is automatically installed during the migration, which improves NIC and disk efficiency.
• You can perform V2V migration for VM instances booted by UEFI. After migration, these VM instances are also booted by UEFI.
You can perform the following operations on a V2V job:
• Create a V2V job
• Restart a V2V job
• Delete a V2V job

Create V2V Job
In the navigation pane of the ZStack Private Cloud UI, choose Advanced Function > Migration Service > V2V Job.
On the V2V Job page, click Create V2V Job. Then, the Create V2V Job page is displayed. To create a V2V job, follow these five steps:
1. Configure source resources. Set the following parameters:
• Source Platform: Select VMware.
• Name: Enter a name for the V2V job.
• Description: Optional. Enter a description for the V2V job.
• V2V Conversion Host: Specify a V2V conversion host.
Note:
• Before you create a V2V job, you must add a V2V conversion host to the cloud.
• The type of the V2V conversion host must be consistent with that of the source cloud platform.
• The V2V conversion host is a host in the specified destination cluster. Make sure that its hardware resources are sufficient for V2V migration.
• For more information about V2V conversion hosts, see V2V Conversion Host.
• If you select multiple source VM instances, note that multiple V2V jobs will be created accordingly, and these V2V jobs will share the same V2V conversion host.
• Source Cluster: Select a cluster from the vCenter that you took over as the source cluster.
• Source VM: Select one or more vCenter VM instances from the source cluster as the source VM instances. You can select up to 50 VM instances at a time.
Note:
• If you select more than one VM instance, the corresponding V2V jobs will be created in bulk. Note that one V2V job corresponds to one source VM instance.
• For Windows 2012 and 2016 VM instances, you need to manually disable the hibernation feature before you create a V2V job. To disable or enable the Windows hibernation feature, run the following commands:
• Disable Windows hibernation: cmd --> "powercfg -h off"
• Enable Windows hibernation: cmd --> "powercfg -h on"
• If one of the source VM instances has a data volume, make sure that the disk mode of the data volume is Dependent. Otherwise, the V2V job might fail. As shown in Figure 7-306: Disk Mode: Dependent.
Figure 7-306: Disk Mode: Dependent
As shown in Figure 7-307: Configure Source Resources.
Figure 7-307: Configure Source Resources

2. Configure destination resources.
Set the following parameters:
• Destination Zone: By default, the current zone is displayed.
• Destination Cluster: Select a destination cluster. After you select it, the estimated CPU usage and memory usage are displayed.
  ▬ CPU usage: the number of CPUs used by the source VM instances against the total number of available CPUs in the destination cluster.
  ▬ Memory usage: the memory size used by the source VM instances against the total available memory in the destination cluster.
• Destination Primary Storage: Select a destination primary storage. After you select it, the estimated storage usage is displayed.
  ▬ Storage usage: the storage used by the source VM instances against the total available storage of the destination primary storage.
• Compression mode:
  ▬ By default, this checkbox is selected and compression mode is used. The migration data cached on the V2V conversion host is compressed, which improves the cache space utilization of the host.
  ▬ If not selected, compression mode is not used. If the destination primary storage is Ceph, we recommend that you do not use compression mode.
As shown in Figure 7-308: Configure Destination Resources.
Figure 7-308: Configure Destination Resources

3. Configure network mapping.
This step maps the network architecture of the source VM instances onto the destination. All source networks used by the selected source VM instances are displayed as network mapping cards. Each card shows the correspondence between one source network and one destination network.
a. If all the chosen source VM instances have a NIC attached:
Configure each network mapping as follows:
• Network mapping:
  ▬ Source network: The source vCenter network is displayed.
  ▬ IP usage: The estimated IP usage of the source network.
  ▬ Destination network: Select a corresponding destination network as needed. The destination network must be a network attached to the specified destination cluster.
• Use IP and MAC of source VM:
  ▬ By default, this checkbox is not selected. In the next step, you can customize the MAC address and IP address of the destination NIC. If you do not configure them, the destination NIC keeps the MAC address of the source NIC after migration, and the IP address of the destination NIC is allocated by the system.
  ▬ If selected, the destination NIC uses the MAC address and IP address of the source NIC in the next step. If the source NIC has no IP address, the IP address of the destination NIC is allocated by the system.
As shown in Figure 7-309: Configure Network Mapping | All Source VMs Have a NIC Attached.
Figure 7-309: Configure Network Mapping | All Source VMs Have a NIC Attached
b. If a chosen VM instance does not have a NIC attached:
Go to the next step to manually configure the destination NIC.
As shown in Figure 7-310: Configure Network Mapping | A Source VM Does Not Have a NIC Attached.
Figure 7-310: Configure Network Mapping | A Source VM Does Not Have a NIC Attached

4. Configure destination VM instances.
a. If all the chosen VM instances have a NIC attached:
The parameters of the destination VM instances are filled in by the system by default. Go to the next step if no further modification is needed. You can also configure the destination VM instances by setting the following parameters:
• Auto start VM after V2V migration: By default, this checkbox is selected, and the destination VM instances start automatically after migration.
• Destination VM Info:
  ▬ Name: Set the name of the destination VM instance.
• Source NIC No.: The NIC number of the source VM instance is displayed.
• Source NIC Info: The source network, MAC address, and IP address of the source NIC are displayed.
• Destination NIC Info:
  ▬ L3 Network: Select an L3 network used by the destination VM instance.
  ▬ MAC Address: Optional. You can manually configure the MAC address of the destination NIC. If not configured, the destination NIC keeps the MAC address of the source NIC after migration.
  ▬ IP Address: Optional. You can manually configure the IP address of the destination NIC. If not configured, the IP address of the destination NIC is allocated by the system.
  Note:
  • Before you migrate a VM instance to the current cloud, make sure that the VM instance has at least one NIC attached.
  • You can manually configure the MAC address and IP address of the destination NIC, or let the system configure them automatically.
    ▬ Manual configuration: You can use the MAC address and IP address of the source NIC as the destination MAC address and IP address, respectively.
    ▬ Auto configuration: After migration, the MAC address of the destination NIC is the same as that of the source NIC, and the IP address of the destination NIC is allocated by the system.
As shown in Figure 7-311: Configure Destination VMs | All Source VMs Have a NIC Attached.
Figure 7-311: Configure Destination VMs | All Source VMs Have a NIC Attached
b. If a chosen VM instance does not have a NIC attached:
If No network is displayed next to the name of the source VM instance, you must manually configure the corresponding destination NIC. Set the following parameters:
• Destination NIC Info:
  ▬ L3 Network: Select an L3 network used by the destination VM instance.
  ▬ MAC Address: Optional. You can manually configure the MAC address of the destination NIC. If not configured, the MAC address of the destination NIC is allocated by the system.
  ▬ IP Address: Optional. You can manually configure the IP address of the destination NIC. If not configured, the IP address of the destination NIC is allocated by the system.
As shown in Figure 7-312: Configure Destination VMs | A Source VM Does Not Have a NIC Attached.
Figure 7-312: Configure Destination VMs | A Source VM Does Not Have a NIC Attached

5. Confirm and submit.
Confirm the information about the V2V job. You can modify the information by clicking the Edit icon next to each step. As shown in Figure 7-313: Confirm and Submit.
Figure 7-313: Confirm and Submit

V2V Job Details Page
On the V2V Job page, click the name of a V2V job. The details page of the V2V job is displayed. On the details page, you can view the job status and job information, and the basic information about the source VM instance and the destination VM instance. As shown in Figure 7-314: V2V Job Details Page.
Figure 7-314: V2V Job Details Page

Restart V2V Job
You can restart a V2V job if the job fails.
Note:
• If migration data caches exist, restarting the V2V job reuses them, which speeds up the migration.
• You can set the period for retaining the migration data caches.
The method is as follows: Go to Settings > Global Settings > Advanced, locate Retention time of migrating data, and click the Edit icon. The default value is 86,400 seconds (one day).

Delete V2V Job
You can delete a V2V job after it is completed.

Additional Information
When you migrate VM instances from the vCenter that you took over to the current cloud, note that:
• During the V2V migration process, do not power on the source vCenter VM instances that were stopped. Otherwise, the migration might fail.
• During the V2V migration process, do not restart the V2V conversion host. Otherwise, the migration might fail.
• After the V2V migration is completed, the number of boot drives of the destination VM instance is set according to the number of drives of the source VM instance. Currently, up to three can be set.
• If Auto start VM after V2V migration is enabled but the physical resources in the destination cluster are insufficient, the destination VM instances fail to start and remain in the Stopped state, while the status of the V2V job is still displayed as Succeeded. Check the state of the destination VM instances rather than relying on the job status alone.
• For Windows VM instances, the Windows VirtIO driver is installed automatically during migration. You need to update the driver manually after migration. The driver is installed in a local directory on the VM instance; search for it and then update it.
• For Windows VM instances that have volumes, the volumes are offline after migration. Bring them online manually.
• For Linux and Windows VM instances that have volumes, the drive letters of the volumes might change after migration. Adjust them manually to match the drive letter order of the source VM instance. We recommend that you record the drive letter order of the source VM instances before migration.
• For Linux and Windows VM instances whose volumes are in SCSI mode, the volume mode is recognized automatically during migration. You can set the volume mode of the destination VM instances after migration.
  ▬ For Windows VM instances, the volume mode defaults to non-VirtioSCSI after migration.
  ▬ For Linux VM instances, the volume mode defaults to VirtioSCSI after migration.
  Note: If the kernel is relatively old, such as RHEL 5 (kernel 2.x), the volumes cannot be in VirtioSCSI mode. Change the volume mode to non-VirtioSCSI manually after migration. For example, if a destination VM instance fails to start after migration with the error "Cannot find hard disk" and its kernel is relatively old (such as kernel 2.x), the likely cause is that the old Virtio driver does not support SCSI. In this case, change the volume mode to non-VirtioSCSI manually; the VM instance then boots into the system after a restart.
• For Linux VM instances that were running in GUI mode before migration, you might need to update the display configuration of the VM instances on the first startup after migration.
• For Linux VM instances that are booted by UEFI and run RHEL/CentOS 5.x, 6.x, or 7.x, delete the rhgb parameter from the boot options so that the VM instances can start after migration.
• For Linux VM instances that are booted by UEFI and run CentOS 7.4 or later, the VM instances enter the UEFI Shell when you start them after migration. To enter the operating system, run the following commands in the UEFI Shell:
    Shell> fs0:
    FS0:\> cd EFI
    FS0:\EFI\> cd centos
    FS0:\EFI\centos\> shimx64-centos.efi
  If you want the VM instances to enter the operating system automatically instead of the UEFI Shell on every restart, create the script /boot/efi/startup.nsh (for example, by running vim /boot/efi/startup.nsh) and save the following content in it:
    FS0:
    CD EFI
    CD centos
    shimx64-centos.efi
• You can set the maximum number of V2V jobs that run at a time. Go to Settings > Global Settings > Advanced, locate ParallelismDegree, and click the Edit icon. The default value is 10.
• You can set the host allocator strategy used to start the destination VM instances after migration. Go to Settings > Global Settings > Advanced, locate HostAllocatorStrategy, and click the Edit icon. The default option is Host with min. running VMs.

7.9.1.4.2 Source Cloud Platform: KVM
You can migrate VM instances from a KVM cloud platform to the current cloud by creating V2V migration jobs.
• You can perform bulk V2V migrations for VM instances, and customize the configurations of the destination VM instances.
• You can migrate VM instances that are running or paused. Do not power off the VM instances to be migrated.
• VM instances booted by UEFI can be migrated. After migration, these VM instances are still booted by UEFI.
• The type of the source primary storage is not restricted. The destination primary storage can be LocalStorage, NFS, Ceph, or Shared Block.
• Depending on the types of the source and destination primary storage, the libvirt and QEMU versions must meet the following requirements:
  ▬ If either the source primary storage or the destination primary storage is Ceph, use libvirt 1.2.16 or later and QEMU 1.1 or later.
  ▬ If neither the source primary storage nor the destination primary storage is Ceph, use libvirt 1.2.9 or later and QEMU 1.1 or later.

You can perform the following operations on a V2V job:
• Create a V2V job
• Restart a V2V job
• Delete a V2V job

Create V2V Job
In the navigation pane of the ZStack Private Cloud UI, choose Advanced Function > Migration Service > V2V Job. On the V2V Job page, click Create V2V Job. Then, the Create V2V Job page is displayed.
To create a V2V job, follow these five steps:

1. Configure source resources.
Set the following parameters:
• Source Platform: Select KVM.
• Name: Enter a name for the V2V job.
• Description: Optional. Enter a description for the V2V job.
• V2V Conversion Host: Specify a V2V conversion host.
  Note:
  • Before you create a V2V job, you must add a V2V conversion host to the cloud.
  • The type of the V2V conversion host must match the type of the source cloud platform.
  • The V2V conversion host is a host in the specified destination cluster. Make sure that its hardware resources are sufficient for V2V migration.
  • For more information about V2V conversion hosts, see V2V Conversion Host.
  • If you select multiple source VM instances, one V2V job is created per VM instance, and all of these V2V jobs share the same V2V conversion host.
• Configure Source Platform:
  ▬ Source Host IP: Enter the IP address of the source host.
  ▬ Source Host SSH Port: Set the SSH port of the source host. Default port: 22.
  ▬ SSH User Name: The default user name is root. You can also enter a normal (non-root) user name.
  ▬ Password Type:
    ■ If you select Password, set SSH Password: Enter the corresponding SSH password. The cloud logs in to the source host through SSH password authentication.
    ■ If you select Key, set PrivKey: Enter the corresponding SSH private key. The cloud logs in to the source host through SSH private key authentication.
      Note: Before you select this option, create an SSH key pair for the source host in advance and install its public key for the SSH user on the source host. We recommend that you use a key pair dedicated to the migration and remove it from the source host after the migration is finished.
  ▬ Configure virsh:
    ■ By default, this checkbox is not selected, and the virtual resources of the source host are not accessed remotely through virsh.
    ■ If selected, enter the SASL Username and SASL Password when the remote libvirtd requires Simple Authentication and Security Layer (SASL) authentication. The connection to the remote libvirtd is established only after these credentials are verified.
      ■ SASL Username: Enter the corresponding SASL username.
      ■ SASL Password: Enter the corresponding SASL password.
• Select Source VM:
  ▬ Get VM information: Obtain information about the running or paused VM instances that are available for migration.
  ▬ Source VM: Select one or more KVM VM instances from the source host as the source VM instances. You can select up to 50 VM instances at a time.
    Note:
    • Do not power off the VM instances to be migrated.
    • If you select more than one VM instance, the corresponding V2V jobs are created in bulk. One V2V job corresponds to one source VM instance.
  ▬ Pause running VMs:
    ■ By default, this checkbox is not selected, and the VM instances continue to run during the migration. This preserves the business continuity of the source VM instances.
    ■ If selected, the source VM instances are paused when the migration starts, and the data written to disk up to that point is migrated. After the migration is completed, start the paused source VM instances manually.
    Note: For VM instances with high I/O, we recommend that you pause them before migration to ensure data integrity.
As shown in Figure 7-315: Configure Source Resources.
Figure 7-315: Configure Source Resources

2. Configure destination resources.
Set the following parameters:
• Destination Zone: By default, the current zone is displayed.
• Destination Cluster: Select a destination cluster. After you select it, the available CPUs and memory in the destination cluster are displayed.
  ▬ Available CPU: the total number of available CPUs in the destination cluster.
  ▬ Available memory: the total available memory in the destination cluster.
• Destination Primary Storage: Select a destination primary storage. After you select it, the available storage of the primary storage is displayed.
  ▬ Available storage: the total available storage of the destination primary storage.
• Compression mode:
  ▬ By default, this checkbox is selected and compression mode is used. The migration data cached on the V2V conversion host is compressed, which improves the cache space utilization of the host.
  ▬ If not selected, compression mode is not used. If the destination primary storage is Ceph, we recommend that you do not use compression mode.
As shown in Figure 7-316: Configure Destination Resources.
Figure 7-316: Configure Destination Resources

3. Configure network mapping.
This step maps the network architecture of the source VM instances onto the destination. All source networks used by the selected source VM instances are displayed as network mapping cards. Each card shows the correspondence between one source network and one destination network.
a. If all the chosen source VM instances have a NIC attached:
Configure each network mapping as follows:
• Network mapping:
  ▬ Source NIC: The information about the source NIC is displayed.
  ▬ IP usage: The estimated IP usage of the source NIC.
  ▬ Destination network: Select a corresponding destination network as needed. The destination network must be a network attached to the specified destination cluster.
b. If a chosen VM instance does not have a NIC attached:
Go to the next step to manually configure the destination NIC.
As shown in Figure 7-317: Configure Network Mapping.
Figure 7-317: Configure Network Mapping

4. Configure destination VM instances.
a. If all the chosen VM instances have a NIC attached:
Configure the destination VM instances by setting the following parameters:
• Auto start VM after V2V migration: By default, this checkbox is selected, and the destination VM instances start automatically after migration.
• Destination VM Info:
  ▬ Name: Set the name of the destination VM instance.
  ▬ CPU Core Count: Set the number of CPU cores of the destination VM instance.
  ▬ Memory: Set the memory capacity of the destination VM instance.
  ▬ Platform: Select an operating system type for the destination VM instance.
• Destination Data Volume Info:
  ▬ Root Volume Info: Set a display name for the root volume of the destination VM instance.
  ▬ Size (Root Volume): The root volume capacity of the destination VM instance is displayed.
  ▬ Data Volume Info: Set a display name for the data volume of the destination VM instance.
  ▬ Size (Data Volume): The data volume capacity of the destination VM instance is displayed.
  Note:
  • By default, the root volume of a source VM instance is migrated.
  • If a source VM instance has multiple data volumes attached, you can select one or more of them to migrate.
  • You can change the display name of a data volume migrated to the current cloud, but not its real name, which is what distinguishes it from other volumes.
• Destination NIC Info:
  ▬ L3 Network: Select an L3 network used by the destination VM instance.
  ▬ VM NIC Setting:
    ■ Fixed IP: Optional. You can manually configure the IP address of the destination NIC. If not configured, the IP address of the destination NIC is allocated by the system.
    ■ MAC Address: Optional. You can manually configure the MAC address of the destination NIC. If not configured, the destination NIC keeps the MAC address of the source NIC after migration.
  Note:
  • Before you migrate a VM instance to the current cloud, make sure that the VM instance has at least one NIC attached.
  • You can manually configure the MAC address and IP address of the destination NIC, or let the system configure them automatically.
    ▬ Manual configuration: You can use the MAC address and IP address of the source NIC as the destination MAC address and IP address, respectively.
    ▬ Auto configuration: After migration, the MAC address of the destination NIC is the same as that of the source NIC, and the IP address of the destination NIC is allocated by the system.
b. If a chosen VM instance does not have a NIC attached:
If No network is displayed next to the name of the source VM instance, you must manually configure the corresponding destination NIC. Set the following parameters:
• Destination NIC Info:
  ▬ L3 Network: Select an L3 network used by the destination VM instance.
  ▬ VM NIC Setting:
    ■ Fixed IP: Optional. You can manually configure the IP address of the destination NIC. If not configured, the IP address of the destination NIC is allocated by the system.
    ■ MAC Address: Optional. You can manually configure the MAC address of the destination NIC. If not configured, the MAC address of the destination NIC is allocated by the system.
As shown in Figure 7-318: Configure Destination VMs.
Figure 7-318: Configure Destination VMs

5. Confirm and submit.
Confirm the information about the V2V job. You can modify the information by clicking the Edit icon next to each step. As shown in Figure 7-319: Confirm and Submit.
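Steps 3 and 4 above, and the matching steps of the VMware procedure (including its "Use IP and MAC of source VM" checkbox), describe a small decision table for the addresses of each destination NIC: a value typed under Destination NIC Info wins, the MAC otherwise stays the source MAC, and the IP is either carried over from the source or allocated by the system. The following Python is an added example, not ZStack code: it encodes those rules in one function, plans a whole batch (one V2V job per selected VM), and adds a pre-flight duplicate check that the guide does not describe, because a carried-over MAC or fixed IP that is already present on the destination L3 network will collide once the migrated VM starts. The field names, the four sample VMs with their addresses, and the in-use inventory are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder for "allocated by the system": the cloud fills the value in at
# migration time, so it can never clash with anything in a pre-flight check.
ALLOCATED = "<allocated by system>"
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class SourceNic:
    """NIC as read from the source VM (vCenter network or KVM NIC)."""
    network: str
    mac: str
    ip: Optional[str] = None        # a source NIC may have no IP address


@dataclass
class DestNicSetting:
    """What the operator enters under Destination NIC Info (assumed field names)."""
    l3_network: str                 # L3 Network: mandatory
    mac: Optional[str] = None       # MAC Address: optional
    ip: Optional[str] = None        # IP Address / Fixed IP: optional


@dataclass
class PlannedNic:
    vm: str
    l3_network: str
    mac: str
    ip: str


def _norm_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-50-56-9A-00-04 equals 00:50:56:9a:00:04."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac


def resolve_nic(vm: str, source: Optional[SourceNic], setting: Optional[DestNicSetting],
                use_source_ip_mac: bool = False) -> PlannedNic:
    """Addresses of the destination NIC for one V2V job.  source is None for a VM
    shown as "No network"; use_source_ip_mac mirrors the VMware checkbox (False for KVM)."""
    if setting is None:
        raise ValueError(f"{vm}: no destination NIC configured (at least one NIC is required)")
    if source is None:
        # "No network" VM: whatever the operator leaves blank is allocated by the cloud.
        mac = _norm_mac(setting.mac) if setting.mac else ALLOCATED
        return PlannedNic(vm, setting.l3_network, mac, setting.ip or ALLOCATED)
    # Values typed under Destination NIC Info win; the default MAC is the source MAC.
    mac = _norm_mac(setting.mac or source.mac)
    if setting.ip:
        ip = setting.ip
    elif use_source_ip_mac and source.ip:
        ip = source.ip                       # checkbox selected and the source NIC has an IP
    else:
        ip = ALLOCATED                       # checkbox cleared, or the source NIC has no IP
    return PlannedNic(vm, setting.l3_network, mac, ip)


Job = Tuple[str, Optional[SourceNic], Optional[DestNicSetting]]


def plan_batch(jobs: List[Job], use_source_ip_mac: bool = False) -> List[PlannedNic]:
    """One V2V job per selected VM, as the guide states for bulk selection."""
    return [resolve_nic(vm, src, cfg, use_source_ip_mac) for vm, src, cfg in jobs]


def find_conflicts(planned: List[PlannedNic], in_use: dict) -> List[str]:
    """Pre-flight check (the example's own, not documented ZStack behaviour): a fixed
    MAC or IP that repeats inside the batch or already exists on the destination L3
    network.  in_use maps l3_network -> {"mac": set(...), "ip": set(...)}."""
    seen, problems = {}, []
    for nic in planned:
        for kind, value in (("mac", nic.mac), ("ip", nic.ip)):
            if value == ALLOCATED:
                continue
            key = (nic.l3_network, kind, value)
            if key in seen:
                problems.append(f"{nic.vm}: {kind} {value} duplicates {seen[key]} on {nic.l3_network}")
            elif value in in_use.get(nic.l3_network, {}).get(kind, set()):
                problems.append(f"{nic.vm}: {kind} {value} already in use on {nic.l3_network}")
            else:
                seen[key] = nic.vm
    return problems


# Constructed sample: the four VMs of the guide's scenario with invented addresses.
SAMPLE_JOBS: List[Job] = [
    ("VM-1-centos7", SourceNic("VM Network", "00:50:56:9a:00:01", "192.0.2.11"),
     DestNicSetting("L3-flat-public")),
    ("VM-2-win2008", SourceNic("VM Network", "00:50:56:9a:00:02"),      # no IP on the source NIC
     DestNicSetting("L3-flat-public")),
    ("VM-3-win2016", None,                                              # "No network" VM
     DestNicSetting("L3-flat-public", ip="192.0.2.50")),
    ("VM-4-win2012", SourceNic("VM Network", "00:50:56:9a:00:04", "192.0.2.14"),
     DestNicSetting("L3-flat-public", mac="00-50-56-9A-00-04")),        # operator re-typed the MAC
]
# Constructed inventory of addresses already used on the destination L3 network.
SAMPLE_IN_USE = {"L3-flat-public": {"mac": {"00:50:56:9a:00:02"}, "ip": {"192.0.2.50"}}}

if __name__ == "__main__":
    plan = plan_batch(SAMPLE_JOBS, use_source_ip_mac=True)
    for nic in plan:
        print(f"{nic.vm:14} {nic.l3_network:15} mac={nic.mac:22} ip={nic.ip}")
    for problem in find_conflicts(plan, SAMPLE_IN_USE):
        print("CONFLICT:", problem)
```

Run the file to see the plan for the sample batch: VM-2 keeps its source MAC, which the constructed inventory already lists on the destination network, and VM-3's fixed IP is likewise already taken, so both are reported before the job is submitted. Whether ZStack itself rejects such duplicates is not stated on the page; the check is meant to run against your own inventory of the destination L3 network.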
Figure 7-319: Confirm and Submit

View V2V Job Details
On the V2V Job page, click the name of a V2V job. The details page of the V2V job is displayed. On the details page, you can view the job status and information, and the basic information about the source VM instance and the destination VM instance. As shown in Figure 7-320: V2V Job Details Page.
Figure 7-320: V2V Job Details Page

Restart V2V Job
You can restart a V2V job if the job fails.
Note:
• If migration data caches exist, restarting the V2V job reuses them, which speeds up the migration.
• You can set the period for retaining the migration data caches. The method is as follows: Go to Settings > Global Settings > Advanced, locate Retention time of migrating data, and click the Edit icon. The default value is 86,400 seconds (one day).

Delete V2V Job
You can delete a V2V job after it is completed.

Additional Information
When you migrate VM instances from a KVM cloud platform to the current cloud, note that:
• For VM instances with high I/O, we recommend that you pause them before migration to ensure data integrity. When a VM instance under heavy I/O is migrated while it keeps running, data still held in memory might not yet have been written to disk, and that data is missing from the migrated VM instance.
• During the V2V migration process, do not power off the source VM instances.
• During the V2V migration process, do not restart the V2V conversion host. Otherwise, the migration might fail.
• After the V2V migration is completed, start the source VM instances that were paused manually.
• If Auto start VM after V2V migration is enabled but the physical resources in the destination cluster are insufficient, the destination VM instances fail to start and remain in the Stopped state, while the status of the V2V job is still displayed as Succeeded. Check the state of the destination VM instances rather than relying on the job status alone.
• You can set the maximum number of V2V jobs that run at a time. Go to Settings > Global Settings > Advanced, locate ParallelismDegree, and click the Edit icon. The default value is 10.
• You can set the host allocator strategy used to start the destination VM instances after migration. Go to Settings > Global Settings > Advanced, locate HostAllocatorStrategy, and click the Edit icon. The default option is Host with min. running VMs.

7.9.1.5 V2V Conversion Host
To perform V2V migration, you need to specify a host in a destination cluster as the V2V conversion host.
• A V2V conversion host must have sufficient hardware resources, such as network bandwidth and disk space. The following table lists the minimum configuration requirements.
  Table 7-13: Minimum Configuration Requirements for V2V Conversion Host
  Hardware   Configuration Requirements
  CPU        Minimum 8 cores
  Memory     Minimum 16 GB
  Network    Minimum 1 Gigabit NIC
  Storage    Minimum 50 GB of free space for the storage path
  Note: Adjust the storage configuration according to the number of VM instances to be migrated.
• The type of the V2V conversion host must match the type of the source cloud platform.
• You can set an independent migration network and a network QoS (bandwidth limit) for a V2V conversion host to relieve transmission bottlenecks and improve migration efficiency.

You can perform the following operations on a V2V conversion host:
• Add a conversion host
• Enable or disable a conversion host
• Set or cancel the network bandwidth
• Delete a conversion host

Add Conversion Host
In the navigation pane of the ZStack Private Cloud UI, choose Advanced Function > Migration Service > V2V Conversion Host. On the V2V Conversion Host page, click Add V2V Conversion Host. On the displayed Add V2V Conversion Host page, set the following parameters:
• Name: Enter a name for the V2V conversion host.
• Description: Optional. Enter a description for the V2V conversion host.
• Type: Select the V2V conversion host type: VMware or KVM.
  Note: The type of the V2V conversion host must match the type of the source cloud platform.
• Host: Select a host from the destination cluster as the V2V conversion host.
  Note: A host cannot be used as both the VMware conversion host and the KVM conversion host at the same time.
• Storage Path: Enter a local path on the V2V conversion host as the storage path.
  Note: During the V2V migration process, the VM system and data are cached under this path on the V2V conversion host and then imported into the destination primary storage. Make sure that the disk holding the path has enough free space for the jobs you plan to run; see the capacity formula on the details page below.
• Migration Network: Optional. If you deployed an independent network for V2V migration, enter the CIDR of the network.
  Note:
  • If you deployed an independent network for V2V migration, you can add the network to the cloud directly.
  • The migration network carries the migration data that is downloaded to the V2V conversion host and then uploaded to the destination primary storage.
  • Using an independent migration network avoids congestion on other networks and improves transmission efficiency.
  • If not set, the management network is used for V2V migration by default.
• Upstream Bandwidth: Optional. Set the upstream bandwidth of the V2V conversion host. This parameter limits the speed at which the V2V conversion host uploads data to the destination primary storage.
  Note: The value must be an integer. Unit: Kbps, Mbps, or Gbps. Range: 8 Kbps to 32 Gbps.
• Downstream Bandwidth: Optional. Set the downstream bandwidth of the V2V conversion host. This parameter limits the speed at which the V2V conversion host downloads data from the source primary storage.
  Note: The value must be an integer. Unit: Kbps, Mbps, or Gbps. Range: 8 Kbps to 32 Gbps.
As shown in Figure 7-321: Add V2V Conversion Host.
Figure 7-321: Add V2V Conversion Host

V2V Conversion Host Details Page
On the V2V Conversion Host page, click the name of a V2V conversion host. The details page of the V2V conversion host is displayed. On the details page, you can view the conversion host status and information, including the basic attributes, monitoring data, and audit.
• Basic attributes: Displays the current state, name, description, storage path, total capacity, available capacity, migration network, conversion host type, upstream bandwidth, downstream bandwidth, total CPU core count, available CPU core count, total memory capacity, available memory capacity, UUID, and information about the related host. The name, description, upstream bandwidth, and downstream bandwidth of the V2V conversion host can be modified.
  Note: Total capacity and available capacity of a V2V conversion host:
  ▬ Total capacity: the total capacity of the disk where the storage path is located.
  ▬ Available capacity: the available capacity of the disk where the storage path is located, minus the capacity used by the running V2V jobs (the sum of the root volume and data volume capacities of the related source VM instances).
• Monitoring data: lets you view the real-time capacity of the disk where the storage path of the V2V conversion host is located, over different time ranges.
  ▬ Supported time ranges: 15 minutes, 1 hour, 6 hours, 1 day, 2 weeks, 8 weeks, and 1 year.
  ▬ Monitoring item: Used capacity in percent: the percentage of used capacity of the disk where the storage path is located. Unit: %.
  ▬ Monitoring object: the disk where the storage path of the V2V conversion host is located.
• Audit: lets you check the operations performed on the V2V conversion host.
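The sizing facts for a conversion host are scattered across this section: the minimums of Table 7-13, the integer bandwidth fields with their 8 Kbps to 32 Gbps range, the available-capacity formula on the details page, and, for KVM sources, the libvirt and QEMU minimums given at the start of 7.9.1.4.2. The following Python is an added example, not ZStack code, that turns them into a pre-flight check you can run before adding a host or submitting a batch: it validates a host against the table, computes available capacity exactly as the details page defines it, tells you whether a new batch of jobs fits next to the jobs already running, parses a bandwidth setting, and checks the KVM version requirements. Decimal unit multipliers (1 Mbps = 1,000,000 bit/s) are an assumption, as is planning the cache for the uncompressed volume size; the sample host and VMs are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

GiB = 1024 ** 3

# Table 7-13 minimums for a V2V conversion host.
MIN_CPU_CORES = 8
MIN_MEMORY_BYTES = 16 * GiB
MIN_NIC_BPS = 1_000_000_000                 # 1 Gigabit NIC
MIN_FREE_STORAGE_BYTES = 50 * GiB           # free space on the storage-path disk

# Bandwidth fields: integer, unit Kbps/Mbps/Gbps, range 8 Kbps to 32 Gbps.
# Decimal multipliers are an assumption; the guide does not define the unit base.
_UNIT_BPS = {"kbps": 10 ** 3, "mbps": 10 ** 6, "gbps": 10 ** 9}
BANDWIDTH_MIN_BPS = 8 * _UNIT_BPS["kbps"]
BANDWIDTH_MAX_BPS = 32 * _UNIT_BPS["gbps"]


def parse_bandwidth(text: str) -> int:
    """'200 Mbps' -> 200_000_000; rejects non-integers, unknown units, out-of-range values."""
    parts = text.strip().split()
    if len(parts) != 2 or not parts[0].isdigit():
        raise ValueError(f"bandwidth must be '<integer> <Kbps|Mbps|Gbps>', got {text!r}")
    unit = parts[1].lower()
    if unit not in _UNIT_BPS:
        raise ValueError(f"unsupported unit in {text!r}")
    bps = int(parts[0]) * _UNIT_BPS[unit]
    if not BANDWIDTH_MIN_BPS <= bps <= BANDWIDTH_MAX_BPS:
        raise ValueError(f"{text!r} is outside the range 8 Kbps to 32 Gbps")
    return bps


@dataclass
class SourceVm:
    name: str
    root_volume_bytes: int
    data_volume_bytes: List[int] = field(default_factory=list)

    @property
    def total_bytes(self) -> int:
        return self.root_volume_bytes + sum(self.data_volume_bytes)


@dataclass
class ConversionHost:
    cpu_cores: int
    memory_bytes: int
    nic_bps: int
    disk_total_bytes: int                   # disk that holds the storage path
    disk_free_bytes: int
    running_jobs: List[SourceVm] = field(default_factory=list)

    def available_capacity(self) -> int:
        """Details-page formula: free space on the storage-path disk minus the
        root plus data volume size of every V2V job already running on this host."""
        return self.disk_free_bytes - sum(vm.total_bytes for vm in self.running_jobs)


def check_minimums(host: ConversionHost) -> List[str]:
    """Compare a host with Table 7-13; an empty list means it qualifies."""
    problems = []
    if host.cpu_cores < MIN_CPU_CORES:
        problems.append(f"CPU: {host.cpu_cores} cores, minimum {MIN_CPU_CORES}")
    if host.memory_bytes < MIN_MEMORY_BYTES:
        problems.append(f"memory: {host.memory_bytes // GiB} GiB, minimum 16 GiB")
    if host.nic_bps < MIN_NIC_BPS:
        problems.append("network: NIC slower than 1 Gbit/s")
    if host.available_capacity() < MIN_FREE_STORAGE_BYTES:
        problems.append(f"storage: {host.available_capacity() // GiB} GiB available, minimum 50 GiB")
    return problems


def fits_in_cache(host: ConversionHost, batch: List[SourceVm]) -> Tuple[bool, int]:
    """Does a new batch fit on the host next to the jobs already running?  Planned for
    the uncompressed size: compression mode shrinks the cache by an amount the guide
    does not quantify, so it is not credited.  Returns (fits, shortfall_bytes)."""
    need = sum(vm.total_bytes for vm in batch)
    avail = host.available_capacity()
    return need <= avail, max(0, need - avail)


def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def check_kvm_versions(libvirt: str, qemu: str, ceph_involved: bool) -> List[str]:
    """KVM sources: libvirt >= 1.2.16 if either primary storage is Ceph, else >= 1.2.9;
    QEMU >= 1.1 in both cases."""
    min_libvirt = "1.2.16" if ceph_involved else "1.2.9"
    problems = []
    if _version(libvirt) < _version(min_libvirt):
        problems.append(f"libvirt {libvirt} is older than {min_libvirt}")
    if _version(qemu) < _version("1.1"):
        problems.append(f"QEMU {qemu} is older than 1.1")
    return problems


# Constructed sample: a host already busy with one job, plus a new two-VM batch.
SAMPLE_HOST = ConversionHost(
    cpu_cores=16, memory_bytes=64 * GiB, nic_bps=10_000_000_000,
    disk_total_bytes=2000 * GiB, disk_free_bytes=500 * GiB,
    running_jobs=[SourceVm("VM-2-win2008", 80 * GiB, [100 * GiB, 100 * GiB])],
)
SAMPLE_BATCH = [SourceVm("VM-1-centos7", 40 * GiB, [60 * GiB]),
                SourceVm("VM-3-win2016", 80 * GiB, [120 * GiB])]

if __name__ == "__main__":
    print("minimums:", check_minimums(SAMPLE_HOST) or "ok")
    print("available:", SAMPLE_HOST.available_capacity() // GiB, "GiB")
    print("batch fits:", fits_in_cache(SAMPLE_HOST, SAMPLE_BATCH))
    print("downstream limit:", parse_bandwidth("200 Mbps"), "bit/s")
```

With the sample data the host meets the table, but only 220 GiB of its 500 GiB free space is available once the running 280 GiB job is subtracted, so the 300 GiB batch is reported as 80 GiB short; with ParallelismDegree at its default of 10, several such batches can be in flight at once, which is why the check deliberately counts the running jobs.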
Enable/Disable V2V Conversion Host • Enable V2V conversion host: Enable the V2V conversion host that you stopped. • Disable V2V conversion host: Disable a V2V conversion host. Note: If you disable a V2V conversion host when you perform a V2V job, the job will not be affected. Set or Cancel Network Bandwidth • Set network bandwidth: Set the upstream or downstream bandwidth for a V2V conversion host. • Cancel network bandwidth: Cancel the configured upstream or downstream bandwidth of the V2V conversion host. 774 Issue: V3.9.0User Guide / 7 Cloud Operations Guide Delete V2V Conversion Host Delete V2V conversion host: Delete a V2V conversion host. Note: If you delete a V2V conversion host, the running V2V jobs will be canceled automatically, but the resources that are migrated successfully will not be affected. 7.9.1.6 Example Application Scenario 7.9.1.6.1 Source Cloud Platform: VMware Context Assume that you deployed a vCenter environment and the latest ZStack Private Cloud, and took over vCenter in ZStack Private Cloud. Due to business needs, you need to migrate VM instances from your vCenter to the current cloud. Assume that you have purchased and installed the Migration Service module. Before V2V migration, you need to specify a host in the destination cluster as the V2V conversion host. In this scenario, assume that you have prepared a storage server in advance and added the storage server to the destination cluster as a compute node. You use this compute node as the V2V conversion host. The following table lists the information about the source cloud platform and the destination cloud platform. 
Source Cloud Platform: vCenter
• Version: 6.0
• Primary storage type: LocalStorage
• Network: public network and private network (flat network and vRouter network)
• VM instances to migrate: 4
▬ VM-1-centos7 (with 1 data volume)
▬ VM-2-win2008 (with 2 data volumes)
▬ VM-3-win2016 (with 1 data volume)
▬ VM-4-win2012 (with 2 data volumes)

Destination Cloud Platform: ZStack Private Cloud
• Version: the latest version
• Primary storage type: SharedBlock
• Network: public network and private network (flat network, vRouter network, and VPC network)

The workflow is as follows:
1. Add a V2V conversion host.
2. Create a V2V job to migrate the 4 VM instances from the vCenter that you took over to the current cloud.

Procedure

1. Add a V2V conversion host.

In this scenario, you add the compute node prepared in the destination cluster as the V2V conversion host.

In the navigation pane of the ZStack Private Cloud UI, choose Advanced Function > Migration Service > V2V Conversion Host. On the V2V Conversion Host page, click Add V2V Conversion Host. On the displayed Add V2V Conversion Host page, set the following parameters:
• Name: Enter a name for the V2V conversion host.
• Description: Optional. Enter a description for the V2V conversion host.
• Type: Select VMware.
• Host: Select the compute node you prepared in the destination cluster as the V2V conversion host.
• Storage Path: Enter a local path on the V2V conversion host as the storage path.
• Migration Network: Optional. If you deployed an independent network for V2V migration, enter the CIDR of that network.
• Upstream Bandwidth: Optional. Set the upstream bandwidth of the V2V conversion host.
• Downstream Bandwidth: Optional. Set the downstream bandwidth of the V2V conversion host.

As shown in Figure 7-322: Add V2V Conversion Host.

Figure 7-322: Add V2V Conversion Host

2.
Create a V2V job to migrate the 4 VM instances from the vCenter that you took over to the current cloud.

In the navigation pane of the ZStack Private Cloud UI, choose Advanced Function > Migration Service > V2V Job. On the V2V Job page, click Create V2V Job. The Create V2V Job page is displayed.

a) Configure the source resources. Set the following parameters:
• Source Platform: Select VMware.
• Name: Enter a name for the V2V job.
• Description: Optional. Enter a description for the V2V job.
• V2V Conversion Host: Select the V2V conversion host of the VMware type that you added before.
• Source Cluster: Select a source vCenter cluster.
• Source VM: Select the four vCenter VM instances from the source cluster you selected in the preceding step.

Note:
• If you select more than one VM instance, the corresponding V2V jobs are created in bulk. One V2V job corresponds to one source VM instance.
• For Windows 2012 and 2016 VM instances, you must manually disable the hibernation feature before you create the V2V job. To disable or enable Windows hibernation, run the following commands in cmd (as an administrator) on the VM instance:
▬ Disable Windows hibernation: powercfg -h off
▬ Enable Windows hibernation: powercfg -h on
• If a source VM instance has a data volume, make sure that the disk mode of the data volume is Dependent. Otherwise, the V2V job might fail. As shown in Figure 7-323: Disk Mode: Dependent.

Figure 7-323: Disk Mode: Dependent

As shown in Figure 7-324: Configure Source Resources.

Figure 7-324: Configure Source Resources

b) Configure the destination resources. Set the following parameters:
• Destination Zone: The current zone is displayed by default.
• Destination Cluster: Select a destination cluster. After you select one, the estimated CPU usage and memory usage are displayed.
• Destination Primary Storage: Select a destination primary storage. After you select one, the estimated primary storage usage is displayed.
• Compression mode: Select this checkbox.

As shown in Figure 7-325: Configure Destination Resources.

Figure 7-325: Configure Destination Resources

c) Configure network mapping.

In this scenario, all the chosen VM instances have a NIC attached. Configure each network mapping as follows:
• Network mapping:
▬ Source network: The source vCenter network is displayed.
▬ IP usage: The estimated IP usage of the source network.
▬ Destination network: Select a corresponding destination network as needed. The destination network is a network attached to the specified destination cluster.
• Use IP and MAC of source VM: Do not select this checkbox; go to the next step instead. In the next step, you can customize the MAC address and IP address of each destination NIC. If you do not configure them, the destination NIC keeps the MAC address of the source NIC after migration, and its IP address is allocated by the system.

As shown in Figure 7-326: Configure Network Mapping | All Source VMs Have a NIC Attached.

Figure 7-326: Configure Network Mapping | All Source VMs Have a NIC Attached

d) Configure the destination VM instances.

Go to the next step if no further modification is needed; the parameters of the destination VM instances are configured by the system by default. You can also configure the destination VM instances by setting the following parameters:
• Auto start VM after V2V migration: Selected by default, meaning that the destination VM instances are started automatically after migration.
• Destination VM Info:
▬ Name: Set the name of the destination VM instance.
• Source NIC No.: The NIC number of the source VM instance is displayed.
• Source NIC Info: The NIC information of the source VM instance, including the source network, MAC address, and IP address, is displayed.
• Destination NIC Info:
▬ L3 Network: Select the L3 network used by the destination VM instance.
▬ MAC Address: Optional. You can manually configure the MAC address of the destination NIC. If not configured, the destination NIC keeps the MAC address of the source NIC after migration.
▬ IP Address: Optional. You can manually configure the IP address of the destination NIC. If not configured, the IP address of the destination NIC is allocated by the system.

Note:
• Before you migrate a VM instance to the current cloud, make sure that it has at least one NIC attached.
• You can configure the MAC address and IP address of the destination NIC manually, or let the system configure them automatically:
▬ Manual configuration: You can use the MAC address and IP address of the source NIC as the destination MAC address and IP address, respectively.
▬ Auto configuration: After migration, the MAC address of the destination NIC is the same as that of the source NIC, and the IP address of the destination NIC is allocated by the system.
• If the source VM instance keeps running after migration and the destination network shares a layer 2 segment with the source network, two NICs will carry the same MAC address. In that case, set a different MAC address for the destination NIC.

As shown in Figure 7-327: Configure Destination VMs | All Source VMs Have a NIC Attached.

Figure 7-327: Configure Destination VMs | All Source VMs Have a NIC Attached

e) Confirm and submit.

Confirm the information about the V2V job. You can modify the information by clicking the Edit icon next to each step. As shown in Figure 7-328: Confirm and Submit.

Figure 7-328: Confirm and Submit

3. The chosen four vCenter VM instances are migrated to the current cloud. As shown in Figure 7-329: List of V2V Jobs.
Figure 7-329: List of V2V Jobs

7.9.1.6.2 Source Cloud Platform: KVM

Context

Assume that you have deployed an open-source, KVM-based cloud environment and the latest ZStack Private Cloud. Due to business needs, you need to migrate VM instances from the KVM cloud platform to the current cloud. Also assume that you have purchased and installed the Migration Service module.

Before V2V migration, you need to designate a host in the destination cluster as the V2V conversion host. In this scenario, assume that you prepared a storage server in advance and added it to the destination cluster as a compute node. This compute node is used as the V2V conversion host.

The following table lists the information about the source cloud platform and the destination cloud platform.

Source Cloud Platform: an open-source, KVM-based cloud platform
• Primary storage type: SAN storage
• VM instances to migrate: 4
▬ VM-1-CentOS7 (without data volumes)
▬ VM-2-Win2012 (without data volumes)
▬ VM-3-Win2016 (with 1 data volume)
▬ VM-4-Ubuntu18 (without data volumes)

Destination Cloud Platform: ZStack Private Cloud
• Version: the latest version
• Primary storage type: SharedBlock
• Network: private network (flat network and vRouter network)

The workflow is as follows:
1. Add a V2V conversion host.
2. Create a V2V job to migrate the 4 KVM instances from the source cloud platform to the current cloud.

Procedure

1. Add a V2V conversion host.

In this scenario, you add the compute node prepared in the destination cluster as the V2V conversion host.

In the navigation pane of the ZStack Private Cloud UI, choose Advanced Function > Migration Service > V2V Conversion Host. On the V2V Conversion Host page, click Add V2V Conversion Host. On the displayed Add V2V Conversion Host page, set the following parameters:
• Name: Enter a name for the V2V conversion host.
• Description: Optional.
Enter a description for the V2V conversion host.
• Type: Select KVM.
• Host: Select the compute node you prepared in the destination cluster as the V2V conversion host.
• Storage Path: Enter a local path on the V2V conversion host as the storage path.
• Migration Network: Optional. If you deployed an independent network for V2V migration, enter the CIDR of that network.
• Upstream Bandwidth: Optional. Set the upstream bandwidth of the V2V conversion host.
• Downstream Bandwidth: Optional. Set the downstream bandwidth of the V2V conversion host.

As shown in Figure 7-330: Add V2V Conversion Host.

Figure 7-330: Add V2V Conversion Host

2. Create a V2V job to migrate the 4 KVM instances from the source cloud platform to the current cloud.

In the navigation pane of the ZStack Private Cloud UI, choose Advanced Function > Migration Service > V2V Job. On the V2V Job page, click Create V2V Job. The Create V2V Job page is displayed.

a) Configure the source resources. Set the following parameters:
• Source Platform: Select KVM.
• Name: Enter a name for the V2V job.
• Description: Optional. Enter a description for the V2V job.
• V2V Conversion Host: Select the V2V conversion host of the KVM type that you added before.
• Configure Source Platform:
▬ Source Host IP: Enter the IP address of the source host.
▬ Source Host SSH Port: Set the SSH port of the source host. Default port: 22.
▬ SSH User Name: The default user name is root. You can also enter a normal user name.
▬ Password Type: Select Password.
▬ SSH Password: Enter the SSH password of that user. The conversion host uses SSH password authentication to log in to the source host.
▬ Configure virsh: Leave this checkbox cleared. The virtual resources of the source host are then not accessed remotely through virsh.
• Select Source VM:
▬ Get VM information: Retrieve information about the running or paused VM instances on the source host that are available for migration.
▬ Source VM: Select the four KVM instances from the source host.

Note:
• Do not power off the VM instances to be migrated.
• If you select more than one VM instance, the corresponding V2V jobs are created in bulk. One V2V job corresponds to one source VM instance.

▬ Pause running VMs: Select this checkbox. The source VM instances are then paused when a V2V job starts.

As shown in Figure 7-331: Configure Source Resources.

Figure 7-331: Configure Source Resources

b) Configure the destination resources. Set the following parameters:
• Destination Zone: The current zone is displayed by default.
• Destination Cluster: Select a destination cluster. After you select one, the available CPUs and memory of the destination cluster are displayed.
• Destination Primary Storage: Select a destination primary storage. After you select one, the available storage of the primary storage is displayed.
• Compression mode: Select this checkbox.

As shown in Figure 7-332: Configure Destination Resources.

Figure 7-332: Configure Destination Resources

c) Configure network mapping.

In this scenario, one of the chosen VM instances does not have a NIC attached.
1. For source VM instances that have a NIC attached, configure each network mapping as follows:
• Network mapping:
▬ Source NIC: The information about the source NIC is displayed.
▬ IP usage: The estimated IP usage of the source NIC.
▬ Destination network: Select a corresponding destination network as needed. The destination network is a network attached to the specified destination cluster.
2. For the source VM instance that does not have a NIC attached, go to the next step and configure the destination NIC manually.

As shown in Figure 7-333: Configure Network Mapping.
Figure 7-333: Configure Network Mapping

d) Configure the destination VM instances.

1. For source VM instances that have a NIC attached, configure the destination VM instances by setting the following parameters:
• Auto start VM after V2V migration: Selected by default, meaning that the destination VM instances are started automatically after migration.
• Destination VM Info:
▬ Name: Set the name of the destination VM instance.
▬ CPU Core Count: Set the number of CPU cores of the destination VM instance.
▬ Memory: Set the memory capacity of the destination VM instance.
▬ Platform: Select the operating system type of the destination VM instance.
• Destination Data Volume Info:
▬ Root Volume Info: Set a display name for the root volume of the destination VM instance.
▬ Size (Root Volume): The root volume capacity of the destination VM instance is displayed.
▬ Data Volume Info: Set a display name for the data volume of the destination VM instance.
▬ Size (Data Volume): The data volume capacity of the destination VM instance is displayed.

Note:
• By default, the root volume of a source VM instance is migrated.
• If a source VM instance has multiple data volumes attached, you can select one or more of them to migrate.
• You can change the display name of a data volume migrated to the current cloud. You cannot change its real name, which is used to distinguish it from other volumes.

• Destination NIC Info:
▬ L3 Network: Select the L3 network used by the destination VM instance.
▬ VM NIC Setting:
■ Fixed IP: Optional. You can manually configure the IP address of the destination NIC. If not configured, the IP address of the destination NIC is allocated by the system.
■ MAC Address: Optional. You can manually configure the MAC address of the destination NIC.
If not configured, the destination NIC keeps the MAC address of the source NIC after migration.

Note:
• Every VM instance migrated to the current cloud must have at least one NIC attached. If the source VM instance has no NIC, configure the destination NIC manually in this step.
• You can configure the MAC address and IP address of the destination NIC manually, or let the system configure them automatically:
▬ Manual configuration: You can use the MAC address and IP address of the source NIC as the destination MAC address and IP address, respectively.
▬ Auto configuration: After migration, the MAC address of the destination NIC is the same as that of the source NIC, and the IP address of the destination NIC is allocated by the system.

2. For the source VM instance that does not have a NIC attached: if No network is displayed next to the name of the source VM instance, you must configure the corresponding destination NIC manually. Set the following parameters:
• Destination NIC Info:
▬ L3 Network: Select the L3 network used by the destination VM instance.
▬ VM NIC Setting:
■ Fixed IP: Optional. You can manually configure the IP address of the destination NIC. If not configured, the IP address of the destination NIC is allocated by the system.
■ MAC Address: Optional. You can manually configure the MAC address of the destination NIC. If not configured, the MAC address of the destination NIC is allocated by the system.

As shown in Figure 7-334: Configure Destination VMs.

Figure 7-334: Configure Destination VMs

e) Confirm and submit.

Confirm the information about the V2V job. You can modify the information by clicking the Edit icon next to each step. As shown in Figure 7-335: Confirm and Submit.

Figure 7-335: Confirm and Submit

3.
Migrate the 4 KVM instances from the source platform to the current cloud, as shown in Figure 7-336: V2V Migration Job Page.

Figure 7-336: V2V Migration Job Page

What's next

So far, we have described the example application scenarios of the V2V Migration Service.

Glossary

Zone
A zone is a logical group of resources such as clusters, L2 networks, and primary storages. A zone is the largest resource scope defined in ZStack.

Cluster
A cluster is a logical group of similar hosts (compute nodes). Hosts in the same cluster must run the same operating system, have the same network configuration, and be able to access the same primary storage. In a real data center, a cluster usually maps to a rack.

Management Node
A management node is a host with an operating system installed that provides UI management and cloud platform deployment.

Compute Node
A compute node is a physical server (also known as a host) that provides VM instances with compute, network, and storage resources.

Primary Storage
A primary storage is a storage server used to store the disk files of VM instances. Local storage, NFS, Ceph, Shared Mount Point, and Shared Block are supported.

Backup Storage
A backup storage is a storage server used to store image template files. ImageStore, SFTP (Community Edition), and Ceph are supported. We recommend that you deploy backup storage separately.

ImageStore
ImageStore is a type of backup storage. You can use ImageStore to create images from VM instances that are in the running state and to manage image version updates and releases. ImageStore allows you to quickly upload, download, and export images, and to create image snapshots as needed.

VM Instance
A VM instance is a virtual machine instance running on a host. A VM instance has its own IP address to access the public network and run application services.
Image
An image is a template used by a VM instance or volume. Image templates include system volume images and data volume images.

Volume
A volume is either a data volume or a root volume. A volume provides storage to a VM instance. A shared volume can be attached to one or more VM instances.

Instance Offering
An instance offering is a specification of the CPU and memory of a VM instance; it also defines the host allocator strategy, disk bandwidth, and network bandwidth.

Disk Offering
A disk offering is a specification of a volume, which defines the size of the volume and how the volume is created.

L2 Network
An L2 network is a layer 2 broadcast domain used for layer 2 isolation. Generally, L2 networks are identified by the names of devices on the physical network.

L3 Network
An L3 network is a collection of network configurations for VM instances, including the IP range, gateway, and DNS.

Public Network
A public network is generally allocated a public IP address by a Network Information Center (NIC) and can reach IP addresses on the Internet.

Private Network
A private network is an internal network that VM instances can connect to and access.

L2NoVlanNetwork
L2NoVlanNetwork is a network type for creating an L2 network. If L2NoVlanNetwork is selected, no VLAN settings are used for the host connection.

L2VlanNetwork
L2VlanNetwork is a network type for creating an L2 network. If L2VlanNetwork is selected, VLAN settings are used for the host connection and must be configured on the corresponding switches in advance.

VXLAN Pool
A VXLAN pool is an underlay network for VXLAN. You can create multiple VXLAN overlay networks in a VXLAN pool. The overlay networks can operate on the same underlay network device.

VXLAN
A VXLAN network is an L2 network encapsulated by using the VXLAN protocol. A VXLAN network belongs to a VXLAN pool. Different VXLAN networks are isolated from each other at layer 2.
vRouter
A vRouter is a custom Linux VM instance that provides various network services.

Security Group
A security group provides L3 network firewall control over VM instances. It can be used to set security rules that filter by IP address, network packet type, and traffic direction.

EIP
An elastic IP address (EIP) is a method of accessing a private network through a public network.

Snapshot
A snapshot is a point-in-time capture of the data state of a disk. A snapshot can be either an automatic snapshot or a manual snapshot.