
Open Telekom Cloud Image Factory - get in touch with an Open Telekom image

The motivation:

Why do I want special images and what does it mean for me?

Standard OS images will usually run in a cloud environment, but they are not optimized for it: they do not accept the configuration the cloud platform injects at first boot (disk layout, passwords, ssh keys), or they lack the drivers needed to perform well. It is better to use images that have been built for the cloud.

Please refer to the blog post “Open Telekom Cloud Image Factory - Introduction“ from Daniela Ebert to understand the design criteria behind the Image Factory.

Open Telekom Cloud wants to do this job for you and provides standard OS distributions which:

  • are prepared for running on Open Telekom Cloud - cloud ready
  • are more secure - image hardening
  • have some little tools installed which make life easier - additional packages

The Image Factory produces open-source Linux images with the prefix Standard_ as well as commercial Linux images with the Enterprise_ prefix. Note that images with the Community_ prefix do not originate from the Image Factory.

This blog post uses the Standard_OpenSuSE_42.1_JeOS Image as an example.

The Journey:

Why I need them ...

To start a virtual machine (ECS = Elastic Cloud Server, your cloud server in Open Telekom Cloud), you boot it from an operating system image. After the ECS has been created successfully, you want to work with it.

In this blog post we want to give you a short impression of cloud images and a little overview of your first steps.

Cloud ready:

If you download an original OS image - let us take openSUSE as the example - and install it on hardware, think of your home PC, you have to go through a configuration phase. In this phase openSUSE asks you for information such as your disk layout and your root password.

If you create an openSUSE ECS on Open Telekom Cloud, this configuration job is done internally by Open Telekom Cloud. For this, the platform needs a way to communicate with the openSUSE guest itself. That channel is provided by a standard package named "cloud-init".

With cloud-init included in your images, the started VMs can be configured and customized in many ways on their first boot, and this is what Open Telekom Cloud does. Because of this, an image does not behave exactly the way you are used to.

Some points you will surely run into are:

What does it mean for me ...
Login

After creating a Linux ECS, you have two methods to log in:

  1. login via the console (noVNC) with a password
  2. login via ssh (protocol version 2) with your own ssh public key, which you deployed to the ECS at its creation

Login as user root via ssh is disabled (see sshd_config below).
Use the user linux instead of user root.

While creating an ECS you have to set either a root password or an ssh key (misnamed "certificate" in the web service console); when launching a VM via the API or command line, you can also choose to set both. Depending on your choice, you can log in as follows:

  • If you set a password for root, you can log in via the console as user root with your own password
  • If you deploy an ssh key, you can log in via ssh as user linux
  • You can always log in via the console as user linux (a default password is set and shown to you in the console; you do not need to know it yet)
  • You cannot log in via ssh as user root
  • You cannot log in via ssh with a password

The standard way of accessing (Linux) VMs in the cloud is ssh, so we recommend this method; keep the console login with user linux and the standard password as the emergency fallback.

FAQ: I'm user linux and want to be root. What should I do?
Answer:

 linux@<ecs-server># sudo su -

Be aware: user linux is ready for login even if you only set a password for root.

SSH:
 Sometimes it is easier to simply look at the config. The relevant settings in sshd_config:
 Protocol 2
 PermitRootLogin without-password
 PasswordAuthentication no
 X11Forwarding yes
 X11UseLocalhost yes
 AllowAgentForwarding no
 PermitEmptyPasswords no

Note that root login via ssh is prevented by a different mechanism: PermitRootLogin without-password on its own would still let root in with a key, so the key you deploy is installed for root with a forced command that only prints a message telling you to log in as user linux and then closes the connection (this is what cloud-init's disable_root option does). The same key is installed for user linux without that restriction.
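Because sshd keeps the first value it reads for a keyword and treats everything below a Match line as conditional, grepping sshd_config for "PasswordAuthentication no" can report a hardened value that never takes effect. The following audit script is an added example written for this post (it is not code from the original page or from Open Telekom Cloud); it parses an sshd_config text the way sshd does and checks the settings listed above. Both sample configs are constructed, and the default values for absent keywords are the upstream OpenSSH 7.x defaults, which is an assumption you should verify against the sshd version in your image.

```python
import re

# Hardened values the image expects, keyed by lower-cased keyword.
# 'prohibit-password' is the newer OpenSSH spelling of 'without-password'.
EXPECTED = {
    "protocol": {"2"},
    "permitrootlogin": {"no", "without-password", "prohibit-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "allowagentforwarding": {"no"},
}

# Upstream OpenSSH 7.x defaults (assumed), used when a keyword is absent.
DEFAULTS = {
    "protocol": "2",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "allowagentforwarding": "yes",
}

# sshd accepts both 'Keyword value' and 'Keyword=value'.
_SEP = re.compile(r"\s*=\s*|\s+")


def effective_settings(text):
    """Global settings as sshd applies them.

    Two sshd rules a plain grep gets wrong: the FIRST value for a keyword wins
    and later duplicates are ignored, and everything after a 'Match' line (to
    the end of the file) applies only to connections matching that block.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = _SEP.split(line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)           # first occurrence wins
    return settings


def audit(text):
    """Map each hardening keyword to (effective value, meets expectation)."""
    found = effective_settings(text)
    report = {}
    for key, good in EXPECTED.items():
        value = found.get(key, DEFAULTS[key])
        report[key] = (value, value in good)
    return report


def is_hardened(text):
    return all(ok for _, ok in audit(text).values())


# Constructed sample 1: the sshd_config excerpt shown above.
HARDENED = """\
Protocol 2
PermitRootLogin without-password
PasswordAuthentication no
X11Forwarding yes
X11UseLocalhost yes
AllowAgentForwarding no
PermitEmptyPasswords no
"""

# Constructed sample 2: the hardened lines were appended to a stock file.  The
# stock 'yes' values come first, so they win; the appended lines also sit below
# a Match block, so they would only apply to user 'backup' anyway.
MISCONFIGURED = """\
PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
PasswordAuthentication no
PermitRootLogin without-password
AllowAgentForwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("misconfigured", MISCONFIGURED)):
        print(name, "OK" if is_hardened(cfg) else "NOT hardened")
        for key, (value, ok) in audit(cfg).items():
            print(f"  {key:24s} {value:20s} {'ok' if ok else 'WEAK'}")
```

On the VM itself, "sshd -T" prints the configuration sshd actually uses and is the authoritative check; the script is for auditing config files offline, for example before baking them into your own image.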

Prepared Environment

  • locale: en_US
  • timezone: Europe/Berlin
  • DNS: ready to use
  • Repositories: ready to use // preconfigured with local repositories (SMT) - see Repositories
  • Internet connection: ready to use // only if you have assigned an EIP (Elastic IP)
  • Firewall: ready to use // be aware: some distributions are preconfigured - see Image specifics - Firewall

Please note that the cloud platform uses security groups which define the allowed network connections per VM. The default configuration allows all outgoing traffic but only incoming traffic from VMs in the same security group. You need a security group rule that allows incoming ssh connections (TCP port 22) if you want to connect to the VM from the internet or from a VM in another security group; restrict the rule to your own source address range rather than 0.0.0.0/0 where you can. The security group is evaluated before a packet reaches the VM, so it filters in addition to the firewall inside the guest (see Image specifics - Firewall).

Image specifics

ssh:
Described above, but remember: no root login via ssh, no login with a password.

Firewall:
No special firewall rules are provided by Open Telekom Cloud, but be aware that on openSUSE a preconfigured firewall (SuSEfirewall2) is running:

  • all outgoing traffic is allowed
  • ping is allowed
  • incoming traffic is denied, except for port 22 (ssh)


If you have problems connecting to your ECS, check the local firewall on the ECS:

 # iptables -L -n

Example:

 # iptables -L input_ext
 Chain input_ext (1 references)
 target     prot opt source               destination
 DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast   <- this is your restriction
 ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
 ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
 ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
 DROP       all  --  anywhere             anywhere             PKTTYPE = multicast
 DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast

Only tcp dpt:ssh is accepted here; an incoming packet that matches no ACCEPT rule is dropped, so a service on any other port stays unreachable until you add a rule for it.

If you are unsure about the firewall, you can stop it to test your connection and start it again afterwards:

 # /sbin/rcSuSEfirewall2 stop   [start, status]

Do not leave it stopped on a VM that has an EIP: without it, the security group is the only filter in front of your services.
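Connection problems on an ECS usually come down to one of the two filters described above: the platform security group (evaluated before the packet reaches the VM) and the guest firewall (the input_ext chain inside the VM). The script below is an added example written for this post, not code from the original page or from Open Telekom Cloud. It models both layers for a given source address and port and reports which one would block the connection, so you can tell "security group closed" from "SuSEfirewall2 closed". The security group rules, the numeric iptables listing (in the shape of "iptables -L input_ext -n" output) and its trailing LOG/DROP pair are constructed sample data; the platform's rule evaluation is assumed to be "first matching ingress rule allows, anything else is dropped", and the firewall parser only understands port and PKTTYPE matches.

```python
import ipaddress
import re

# Constructed security group rules in the shape of the console fields
# (direction, protocol, port range, remote CIDR).  Assumed platform behaviour:
# anything not matched by an ingress rule is dropped.
SG_RULES = [
    {"direction": "ingress", "protocol": "tcp", "ports": (22, 22), "remote": "203.0.113.0/24"},
    {"direction": "ingress", "protocol": "tcp", "ports": (80, 80), "remote": "10.0.0.0/8"},
    {"direction": "egress",  "protocol": "any", "ports": (1, 65535), "remote": "0.0.0.0/0"},
]

# Constructed 'iptables -L input_ext -n' listing modelled on the SuSEfirewall2
# chain shown above, plus a LOG/DROP pair at the end of the chain.
FW_LISTING = """\
Chain input_ext (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
DROP       all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

_DPT = re.compile(r"dpts?:(\d+)(?::(\d+))?")   # 'tcp dpt:22' or 'tcp dpts:8000:8080'


def sg_allows(rules, src_ip, port, protocol="tcp"):
    """True if any ingress rule covers this source address, protocol and port."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["direction"] != "ingress" or r["protocol"] not in (protocol, "any"):
            continue
        lo, hi = r["ports"]
        if lo <= port <= hi and ip in ipaddress.ip_network(r["remote"], strict=False):
            return True
    return False


def parse_iptables(listing):
    """Turn 'iptables -L <chain> -n' output into a list of rule dicts, in order."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("Chain", "target"):   # skip headers
            continue
        target, prot, _opt, src, _dst = parts[:5]
        rules.append({"target": target, "prot": prot, "src": src, "extra": " ".join(parts[5:])})
    return rules


def rule_matches(rule, src_ip, port, protocol):
    if rule["prot"] not in ("all", protocol):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["src"], strict=False):
        return False
    if "PKTTYPE" in rule["extra"]:       # broadcast/multicast rules never hit a unicast connection
        return False
    m = _DPT.search(rule["extra"])
    if m:                                # port match present: compare against the range
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        return lo <= port <= hi
    return True                          # no port expression: the rule applies to any port


def firewall_allows(rules, src_ip, port, protocol="tcp", default=False):
    """iptables semantics: the first matching terminating rule decides; LOG is non-terminating."""
    for rule in rules:
        if not rule_matches(rule, src_ip, port, protocol):
            continue
        if rule["target"] == "ACCEPT":
            return True
        if rule["target"] in ("DROP", "REJECT"):
            return False
    return default                       # fell off the end of the chain: chain policy (deny here)


def reachable(sg_rules, fw_listing, src_ip, port, protocol="tcp"):
    """A port is open only if the security group AND the guest firewall accept it."""
    sg = sg_allows(sg_rules, src_ip, port, protocol)
    fw = firewall_allows(parse_iptables(fw_listing), src_ip, port, protocol)
    return {"security_group": sg, "guest_firewall": fw, "reachable": sg and fw}


if __name__ == "__main__":
    for src, port in (("203.0.113.5", 22), ("198.51.100.7", 22), ("10.1.2.3", 80)):
        print(src, port, reachable(SG_RULES, FW_LISTING, src, port))
```

The third case in the usage block is the one that costs people the most time: the security group has been opened for port 80, but the guest firewall still only accepts port 22, so the connection dies inside the VM rather than at the platform edge.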

Repositories:
are preconfigured to Open Telekom Cloud internal repository servers; you will find them in the zypper repo configuration:

 # cat /etc/zypp/repos.d/openSUSE_Leap_42.1_OSS.repo
 [openSUSE_Leap_42.1_OSS]
 name=openSUSE_Leap_42.1_OSS
 baseurl=http://smt01-suse.eu-de.otc-service.com/repo/RPMMD/opensuse_oss_leap

These SMT repo servers are mirrors of the original vendor repos and are updated every night. You can choose your own repo server if you want. Note that the mirror is reached over plain http; the RPM signature check that zypper performs (gpgcheck) is what protects the packages you install, so do not switch it off.

Why not configure the original repos out of the box?
Only VMs with an EIP have an internet connection. As EIPs are a scarce resource, you will probably create most VMs without a public IP address. The images are therefore configured to use the internal SMT mirrors so that these VMs can receive security updates and install packages from the vendor repositories. You can change this if you want.

Hardening:
No details here; they follow in another blog post. In short: some kernel parameters are changed (sysctl settings for TCP and memory) and sshd is configured as shown above. Check the kernel parameters first if you run into trouble, for example if you need IP forwarding and it is switched off.

Special Open Telekom Cloud features

The images have the needed Xen drivers included. The normal paravirtualized drivers in modern (kernel 3.x+ based) distributions work well out of the box; openSUSE and SLES need the xen kernel module package, which is included in the Image Factory images.

Open Telekom Cloud provides a monitoring feature that you can access from your web service console:

Dashboard - Cloud Eye
Monitor your ECS and look at the graphs in the dashboard.

The monitoring data is collected by the uvp-monitor package, which has been published on GitHub, is built on the Open Build Service and is included in each image. Some distributions (openSUSE 42.1 and CentOS 6.7) require patched Xen drivers to avoid a xenbus deadlock; these are included in the images as well (uvpmod-kmp-default on openSUSE).

Learnings and key findings

After creating an ECS successfully, you can work with it directly. Starting with an Open Telekom Cloud image is not the same as starting with an original vendor image, but it is easy too.

Outlook

Image internals (additional packages, drivers)


Sabrina Müller is currently working as a product developer for Open Telekom Cloud. At Deutsche Telekom AG she built up backend projects in Data Center Management and ensured their operation, with a main focus on Solaris. After moving to the Developing & Testing department she built a new automated platform for virtual systems on a Xen basis and migrated the existing hardware to the virtual world. In parallel she developed a fully automated cloud platform on an OpenStack basis for internal Telekom customers.
