Meghdoot Administration Guide

March 23, 2018 | Author: m_kumarns | Category: Cloud Computing, Web Server, Proxy Server, Advanced Packaging Tool, Apache Http Server


Description

Meghdoot Administration Guide, Version 1.0
Meghdoot Administration Manual, Revision 1.0 (Beta Release)
Document Id: CDAC/CHN/Cloud/Meg-Adm-001
You can find the most up-to-date documentation on our web site at http://cdaccloud.com
Copyright © 2012 CDAC Chennai. All rights reserved.

Contents

1. Introduction to Meghdoot and its components
   1.1 Terms & Conditions
   1.2 Meghdoot
   1.1.1 Meghdoot Architecture
2. Installation of Meghdoot and its Components
   2.1 Installation/Configuration of Cloud Components
   2.2 Cloud Installation in Nodes
   2.3 Management of Cloud
       2.3.1 Image Management
       2.3.2 Storage Management
       2.3.3 Instance Management
       2.3.4 Security Management
       2.3.5 Monitoring
       2.3.6 Elasticity
3. Portal
   3.1 Cloud Management
   3.2 Security Console
   3.3 Resource Request
   3.4 Resource Info
   3.5 User Info
   3.6 Administration
4. Troubleshooting
   4.1 Meghdoot Log Files

Chapter 1: Introduction to Meghdoot and its components

... view usage and billing information, administrator users to manage their entire cloud environment, and security administrators to monitor the security violations.

Features of Meghdoot
- Operating system kernel identification for incorporating advanced cloud features
- Hypervisor of a stable version which falls under open source compliance and is compatible with the identified OS
- Identification of advanced tools and cloud features compatible with the identified OS and hypervisor
- Security management which provides the security solutions for the cloud environment
- User management portal with administrative capabilities including adding/editing users and roles
- Module for infrastructure request, application hosting, storage and SaaS
- Modules for monitoring infrastructure request, application hosting and billing information about cloud usage
- Modules which include customizing contents of the portal
- Modules for incorporating elasticity features at cloud services
- Modules for achieving high availability at cloud stack components and virtual machines
- Modules for software management

1.1 Meghdoot
The product features automated deployment of the cloud stack and provides a convenient environment, through the portal, for infrastructure request and application hosting.

1.1.1 Meghdoot Architecture
(Architecture figure; not reproduced in this text.)

Chapter 2: Installation of Meghdoot and Components

Setting up the machine for installation of Cloud Components

Note: Log in as the "root" user to proceed with the cloud installation. First log in using the user name and password you mentioned during installation and then make the following changes to log in as the root user.

Checking for a valid IP address: make sure that your machine has a valid IP address by using the following procedure.
- Click Applications -> Accessories -> Terminal
- Run the command "ifconfig"
Note: Check whether you have an IP address assigned on the "eth0" interface. If not, contact the system administrator and check your network configuration.

Disable the "peth0" interface
- Click Applications -> Accessories -> Terminal
- Run the command "ifconfig peth0 0"
Note: If the peth0 interface is not created, check whether you have booted into the Xen kernel.

Disable "Proxy" in the web browser
- Open "Iceweasel Browser" -> Edit -> Preferences -> click Advanced -> click the Network tab -> Settings -> select the "No proxy" option and then "OK".

2.1 Installation/Configuration of Cloud Components

Getting started with installation of Cloud Components
- Double click the icon at the Desktop.
- Click on the "I hereby agree to the ..." checkbox and click Proceed.

Installation of Cloud Controller
- Click the option "Configure Cloud".
- To install the necessary cloud components, use the check box option and finally click the "Proceed" button.
- For a first time installation, select the option "Cloud Controller (CLC)" and click "Proceed".
Note: If your machine is a Node Controller, stop the Postgres and MySQL services.
- Enter the password for the machine.
- Select the option "Now" for all components and then click "Proceed".

Installation of Cluster Controller
- Enter the name of your Cluster.
- Select the option "Self" to install the component on the same machine or "Other" to install it on another machine. If you select "Other", provide the IP address and password of the desired machine and click the "Proceed" button.

Installation of Walrus
- Select the option "Self" to install the component on the same machine or "Other" to install it on another machine. If you select "Other", provide the IP address and password of the desired machine and click the "Proceed" button.

Installation of Storage Controller
- Select the option "Self" to install the component on the same machine or "Other" to install it on another machine. If you select "Other", provide the IP address and password of the desired machine and click the "Proceed" button.

2.2 Cloud Installation in Nodes
- Select the option "Self" to install the component on the same machine or "Other" to install it on another machine. If the option "Other" is selected, provide the IP address and password of the desired machine and click the "Proceed" button.

Finish Installation
- Check the IPs which you have given for each component.
- Click the "Finish" button to complete the installation of all components.

Portal Configuration Wizard
The Meghdoot Installer will configure and deploy the Cloud Portal automatically.
Note: This installer must be run as the root user.
The Meghdoot Portal requires the password of the Eucalyptus Administrator to be enabled and modified. To change the password of the Eucalyptus Administrator, click on "Click here to open Eucalyptus Page". This will open a browser. The Eucalyptus Portal is SSL enabled by default; hence the user has to manually trust the certificate. The following screen appears. The user has to click on "I understand the Risks" and then on the "Confirm Security Exception" button. Once the certificate is confirmed by the user, the Eucalyptus Portal will be displayed. The default user name and password are given below.

    Username: admin
    Password: admin

Once the password is updated, click on the logout link and close the browser. Now, with respect to the Installer, if you have changed the password, click OK and continue. A confirmation will appear, as shown below; click on the Next button.

The Meghdoot Portal configuration wizard appears. It displays "Configuring Meghdoot Portal" and "Configuring SaaS".

Configuring Meghdoot Portal
By clicking on "Configuring Meghdoot Portal", the following screens are shown in turn:
- Configuration of the Cloud Controller IP address, the Eucalyptus Cloud Controller Portal, the default Eucalyptus Machine Image (EMI) to be used for the AppHosting part, the URL of Hyperic (Monitoring), the WAF Console and the HIDS Console. Once the details are entered, click on the Next button.
- Configuration of the Database Server and SMTP (for sending e-mail to users), the metering cost for storage and the IP address to be used for AppHosting. Once the information is entered, click on the Next button.
- Configuration of the Elasticity Server component path. Once the details are entered, click on the Next button.
Once the configuration information is entered, a confirmation dialog will appear. If any modifications are required, click on the Cancel button; you may click on the Previous button to make the necessary changes. If the configuration is finalized, click on the OK button. A message dialog will appear once the configuration details are saved.

The next part involves deployment of the Cloud Portal. Click on the "Deploy Portal" button to install the portal. Installation of the portal requires a restart of the Apache Tomcat server; hence a confirmation dialog will prompt the user to confirm the Apache Tomcat server restart. Click on the OK button. Now the required files for the portal are copied. The Apache Tomcat server will be restarted automatically after the completion of the portal deployment. Once the Apache Tomcat server is started, the URL to access the portal will be shown in the Status field.

Configuring SaaS
Click on the "Proceed with configuring SaaS" button. The Meghdoot portal configuration wizard for SaaS appears. The next screen involves configuration of the database with respect to the Cloud Portal. Specify the Database URL, Database Username and Database Password. Once the details are entered, click on the 'Test Database Connection' button. If the database related configuration is wrong, the status will show it and the installer cannot proceed until correct details are entered. If the database configuration is correct, the Next button will be enabled; click on it to continue. In the following screen, enter the Application Name, Application URL, Application Description and Billing Amount. Once the inputs are given, click on the 'Add SaaS Details' button to save the details. To exit the installer, click on the "Exit the Wizard" button.

2.3 Management of Cloud

Cloud Web Management Interface
The Cloud Web Management Interface is designed to give an admin control over the cloud components. The various cloud components are as follows:
- Cloud Controller
- Cluster Controller
- Walrus
- Storage Controller
- Node Controller

URL to access the application: http://IP-Address-of-Cloud:5454/meghdootnodeinstaller
For example, if the IP address of the cloud machine is 192.168.19.61, then the URL is http://192.168.19.61:5454/meghdootnodeinstaller

Add a Node Controller
To add a Node Controller, click "Operation" and select "Add a Node".
Note: To register a machine as a Node Controller, the designated machine should have been booted in the Xen kernel and the services "xend" as well as "libvirt" must be running. The Cloud Management tool itself detects these prerequisites. Once the condition is satisfied, the following screen will appear.
A Cloud can have any number of Cluster Controllers, and a Node Controller can be added to any Cluster Controller. To add a Node Controller, the admin password and IP address of the Cluster Controller are required. Enter the IP address and associated root password for that machine and then click the "Test" button.
Installation of a Node Controller requires a user account "eucalyptus". Specify the password for the user "eucalyptus". The default value for the instances directory location is "/usr/local/instances"; the user can change it if another location is needed. Click "Proceed" to continue. Now click the 'Install Node Services' button to continue. Click "Next" to continue until you get a window as follows. Click "Next" to complete the Node Controller installation. After the complete installation of the Node Controller a window will appear as follows. The details about the Node Controller can be downloaded in PDF (encrypted and unencrypted) format: select the option "Default" or "With Password" and then click the "Submit" button. Download the PDF in encrypted form.

Remove Node
To remove a Node Controller, click "Operation" and select the option "Remove a Node", enter the IP address and password of the desired Node Controller and then click the "Submit" button. Once the node has been removed successfully, the following screen will be displayed. If an attempt is made to remove a machine that is not in the cloud, the Management tool will report an error.

Status

Cloud Host Status
To get information about the Cloud Controller, click "Status" and select "Cloud Host Status". This will provide information about IP Address, Process ID, Ping Status and Service Status. The following figure illustrates a sample output.

Storage Service Status
To get the status of the Storage Controller/Walrus, click "Status" and select "Storage Service Status". In the option "Select a Cloud Service" select "Walrus/Storage Controller" and provide the IP address and password accordingly. Click "Submit" to get the information about Walrus/Storage Controller. If you choose the option "Storage Controller" the following page will be displayed. Sample figures are illustrated as follows.

Cluster Status
To get information about the Cluster Controller, click "Status" and select "Cluster Status", then provide the IP address and password and click "Submit". This will provide the status of the Cluster and Node machine(s); a sample output is shown as follows. The user can choose the option "Check Node Service Status/Check Node Availability Status (PING)" in Node Status and check accordingly.

View Cloud Host Configuration
To get information about the cloud configuration, select "View" and select the option "Cloud Host Configuration". The configuration information, which consists of the IP address of the Cloud Controller, Network Mode, Scheduling Policy etc., will be displayed as follows. The user can save this information by clicking "Save as Report".

Other Host Configuration
To get information about another Cloud Controller, click "View" and select the option "Other Host Configuration", then provide the IP address and password to get the configuration details. A sample output is shown below.

2.3.1 Image Management

Managing Eucalyptus Images
First, the instructions below rely on the euca2ools command-line tools distributed by the Eucalyptus Team. Please install them if you haven't done so already. Second, be sure to source your 'eucarc' file before running the commands below. Note that all users may upload and register images (depending on the access granted to them by the Eucalyptus administrator), but only the admin user may ever upload/register kernels or ramdisks.

Note: Images are available at our website. Please download them from www.cdaccloud.com/Images and unpack:

    tar -zxvf centos.tar.gz
    tar -zxvf debianos.tar.gz

Adding Images
To enable a VM image as an executable entity, a user/admin must add a root disk image and a kernel/ramdisk pair (the ramdisk may be optional) to Walrus and register the uploaded data with Eucalyptus, using three EC2 commands. Each is added to Walrus and registered with Eucalyptus separately. The following example uses the test image that we provide. Unpack it to any directory.

Add the kernel to Walrus and register it with Eucalyptus (WARNING: your bucket names must not end with a slash!):

    euca-bundle-image -i <kernel file> --kernel true
    euca-upload-bundle -b <kernel bucket> -m /tmp/<kernel file>.manifest.xml
    euca-register <kernel bucket>/<kernel file>.manifest.xml

Next, add the ramdisk image to Walrus:

    euca-bundle-image -i <initrd file> --ramdisk true
    euca-upload-bundle -b <initrd bucket> -m /tmp/<initrd file>.manifest.xml
    euca-register <initrd bucket>/<initrd file>.manifest.xml

Our test kernel does not require a ramdisk to boot.

Next, add the root filesystem image to Walrus:

    euca-bundle-image -i <vm image file>
    euca-upload-bundle -b <image bucket> -m /tmp/<vm image file>.manifest.xml
    euca-register <image bucket>/<vm image file>.manifest.xml

If the administrator would like to upload/register a kernel/ramdisk pair, the procedure is similar to the above.

Associating kernels and ramdisks with instances
There are three ways that one can associate a kernel (and ramdisk) with a VM instance.
- A user may associate a specific kernel/ramdisk identifier with an image at the 'euca-bundle-image' step:

    euca-bundle-image -i <emi-XXXXXXXX> --kernel <eki-XXXXXXXX> --ramdisk <eri-XXXXXXXX>

- A user may choose a specific kernel/ramdisk at instance run time as an option to 'euca-run-instances':

    euca-run-instances --kernel <eki-XXXXXXXX> --ramdisk <eri-XXXXXXXX> <emi-XXXXXXXX>

- The administrator can set 'default' registered kernel/ramdisk identifiers that will be used if a kernel/ramdisk is unspecified by either of the above options. This is accomplished by logging in to the administrative interface (https://your.cloud.server:8443), clicking on the 'Configuration' tab and adding an <eki-xxxxxxxx> and optionally an <eri-xxxxxxxx> as the default kernel/ramdisk to be used.

Deleting Images
In order to delete an image, you must first de-register the image:

    euca-deregister <emi-XXXXXXXX>

Then you can remove the files stored in your bucket. Assuming you have sourced your 'eucarc' to set up the EC2 client tools:

    euca-delete-bundle -a $EC2_ACCESS_KEY -s $EC2_SECRET_KEY --url $S3_URL -b <bucket> -p <file prefix>

If you would like to remove the image and the bucket, add the '--clear' option:

    euca-delete-bundle -a $EC2_ACCESS_KEY -s $EC2_SECRET_KEY --url $S3_URL -b <bucket> -p <file prefix> --clear

Note: Instead of specifying EC2_ACCESS_KEY and EC2_SECRET_KEY, you can source the eucarc file in each terminal as follows:

    # source /root/.euca/eucarc
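The bundle, upload and register chain above has to be run three times, and the identifier that euca-register prints for the kernel and ramdisk must be fed into the image step. The following script is an added example (not part of the Meghdoot guide or of euca2ools) that wraps that chain, checks the bucket-name rule from the WARNING above, and captures the printed id instead of relying on copying it by hand. It assumes euca2ools are on PATH and eucarc has been sourced; the fake_run stand-in, the ids it returns and the file names in register_ubuntu_chain are constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of the Meghdoot guide: wrapper around the
# bundle -> upload -> register chain that captures the id euca-register prints
# (the "set the printed eki to $EKI" step). Assumes euca2ools on PATH and
# eucarc sourced. RUN='' executes the real tools; RUN=fake_run runs offline.

RUN="${RUN:-}"

# The guide's WARNING: bucket names must not end with a slash (and not be empty).
check_bucket_name() {
  case "$1" in
    '' | */) return 1 ;;
    *)       return 0 ;;
  esac
}

# euca-bundle-image writes its manifest to /tmp/<basename>.manifest.xml
manifest_path() {
  printf '/tmp/%s.manifest.xml\n' "$(basename "$1")"
}

# Extract the id from euca-register output ("IMAGE<tab>eki-XXXXXXXX") and
# check that its prefix matches the step (eki = kernel, eri = ramdisk, emi = image).
id_from_register_output() {   # $1 = expected prefix, $2 = register output
  id=$(printf '%s\n' "$2" | awk '$1 == "IMAGE" { print $2; exit }')
  case "$id" in
    "$1"-*) printf '%s\n' "$id" ;;
    *) echo "id_from_register_output: expected $1-* in: $2" >&2; return 1 ;;
  esac
}

# Bundle, upload and register one file; prints the new id on stdout.
# $1 = kernel|ramdisk|image, $2 = file, $3 = bucket; remaining args go to
# euca-bundle-image (e.g. --kernel "$EKI" --ramdisk "$ERI" for the image step).
bundle_upload_register() {
  kind="$1"; file="$2"; bucket="$3"; shift 3
  check_bucket_name "$bucket" || { echo "bad bucket name '$bucket'" >&2; return 1; }
  case "$kind" in
    kernel)  flag='--kernel true';  prefix=eki ;;
    ramdisk) flag='--ramdisk true'; prefix=eri ;;
    image)   flag='';               prefix=emi ;;
    *) echo "unknown kind '$kind'" >&2; return 1 ;;
  esac
  manifest=$(manifest_path "$file")
  # tool chatter goes to stderr so that only the id reaches stdout
  $RUN euca-bundle-image -i "$file" $flag "$@" >&2 || return 1
  $RUN euca-upload-bundle -b "$bucket" -m "$manifest" >&2 || return 1
  out=$($RUN euca-register "$bucket/$(basename "$manifest")") || return 1
  id_from_register_output "$prefix" "$out"
}

# Offline stand-in for the euca2ools commands (constructed, not real ids):
# logs the command line and fabricates euca-register output. Select with RUN=fake_run.
fake_run() {
  printf '%s\n' "$*" >> "${FAKE_LOG:-/dev/null}"
  case "$1" in
    euca-register)
      case "$2" in
        *vmlinuz*) printf 'IMAGE\teki-1A2B3C4D\n' ;;
        *initrd*)  printf 'IMAGE\teri-2B3C4D5E\n' ;;
        *)         printf 'IMAGE\temi-3C4D5E6F\n' ;;
      esac ;;
  esac
}

# The Ubuntu chain from the guide's Examples, with the ids threaded through.
register_ubuntu_chain() {
  base=euca-ubuntu-9.04-x86_64
  EKI=$(bundle_upload_register kernel  "$base/kvm-kernel/vmlinuz-2.6.28-11-generic" ubuntu-kernel-bucket) || return 1
  ERI=$(bundle_upload_register ramdisk "$base/kvm-kernel/initrd.img-2.6.28-11-generic" ubuntu-ramdisk-bucket) || return 1
  bundle_upload_register image "$base/ubuntu.9-04.x86-64.img" ubuntu-image-bucket --kernel "$EKI" --ramdisk "$ERI"
}
```

Run `RUN=fake_run sh -c '. ./register.sh; register_ubuntu_chain'` to see the flow without a cloud; with `RUN=''` the same functions call the real tools, and the emi printed by register_ubuntu_chain is the one to pass to euca-run-instances.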
Examples
Following is an example using the Ubuntu pre-packaged image that we provide, using the included KVM compatible kernel/ramdisk (a Xen compatible kernel/ramdisk is also included). See this page to get more pre-packaged images.

    tar zxvf euca-ubuntu-9.04-x86_64.tar.gz
    euca-bundle-image -i euca-ubuntu-9.04-x86_64/kvm-kernel/vmlinuz-2.6.28-11-generic --kernel true
    euca-upload-bundle -b ubuntu-kernel-bucket -m /tmp/vmlinuz-2.6.28-11-generic.manifest.xml
    euca-register ubuntu-kernel-bucket/vmlinuz-2.6.28-11-generic.manifest.xml
    (set the printed eki to $EKI)
    euca-bundle-image -i euca-ubuntu-9.04-x86_64/kvm-kernel/initrd.img-2.6.28-11-generic --ramdisk true
    euca-upload-bundle -b ubuntu-ramdisk-bucket -m /tmp/initrd.img-2.6.28-11-generic.manifest.xml
    euca-register ubuntu-ramdisk-bucket/initrd.img-2.6.28-11-generic.manifest.xml
    (set the printed eri to $ERI)
    euca-bundle-image -i euca-ubuntu-9.04-x86_64/ubuntu.9-04.x86-64.img --kernel $EKI --ramdisk $ERI
    euca-upload-bundle -b ubuntu-image-bucket -m /tmp/ubuntu.9-04.x86-64.img.manifest.xml
    euca-register ubuntu-image-bucket/ubuntu.9-04.x86-64.img.manifest.xml

Now the newly uploaded image(s) should be ready to start using.

2.3.2 Storage Management

Interacting with Block Storage
The Block Storage Service in Eucalyptus is interface-compatible with Amazon's Elastic Block Store. You can therefore use either EC2 commands or euca2ools commands to control it. The instructions below rely on the euca2ools command-line tools distributed by the Eucalyptus Team; please install them if you haven't done so already. The following operations are possible.

Creating volumes
You may create a volume either from scratch or from an existing snapshot.

    euca-create-volume --size <size> --zone <zone>

where <size> is the size in GB and <zone> is the availability zone you wish to create the volume in (use euca-describe-availability-zones to discover zones).
Note: You may attach a volume to only one instance at a time.
For instance,

    euca-create-volume --size 1 --zone myzone

will create a 1GB volume in the availability zone "myzone".

To create a volume from a snapshot:

    euca-create-volume --snapshot <snapshot id> --zone <zone>

where <snapshot id> is the unique identifier for a snapshot and <zone> is the availability zone you wish to create the volume in. For instance,

    euca-create-volume --snapshot snap-EF4323 --zone myzone

will create a volume from the snapshot "snap-EF4323" in the zone "myzone".

Query the status of volumes

    euca-describe-volumes

Volumes marked "available" are ready for use.

Attaching a volume
You can attach volumes to existing instances (that have been started with euca-run-instances).

    euca-attach-volume -i <instance id> -d <local device name> <volume id>

where <volume id> is the unique identifier for a volume (vol-XXXX), <instance id> is a unique instance identifier and <local device name> is the name of the local device in the guest VM. For instance,

    euca-attach-volume -i i-345678 -d /dev/sdb vol-FG6578

will attach the previously unattached volume "vol-FG6578" to instance "i-345678" with the local device name "/dev/sdb".

Detaching a volume

    euca-detach-volume <volume id>

where <volume id> is the unique identifier for a previously attached volume (vol-XXXX). For instance,

    euca-detach-volume vol-FG6578

will detach volume "vol-FG6578".
Important! The user of the instance is responsible for making sure that the block device is unmounted before a detach. Detach cannot ensure the consistency of user data if the user detaches a volume that is in use.

Deleting a volume

    euca-delete-volume <volume id>

where <volume id> is the unique identifier for a volume (vol-XXXX).

Creating a snapshot from a volume
You can snapshot a volume so that you can create volumes in the future from the snapshot.

    euca-create-snapshot <volume id>

where <volume id> is the unique identifier for a volume (vol-XXXX). For instance,

    euca-create-snapshot vol-GH4342

will snapshot the volume "vol-GH4342". The volume to be snapshotted needs to be "available" or "in-use". You cannot snapshot a volume that is in the "creating" state.

Querying the status of snapshots

    euca-describe-snapshots

You may create volumes from snapshots that are marked "completed".

Deleting a snapshot

    euca-delete-snapshot <snapshot id>

where <snapshot id> is the unique identifier for a snapshot.
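The volume operations above each carry a state precondition (attach only an "available" volume, snapshot only an "available" or "in-use" one, unmount inside the guest before detaching). The following script is an added example, not part of the Meghdoot guide or euca2ools, that turns those preconditions into checks over euca-describe-volumes output. SAMPLE_VOLUMES and SAMPLE_MOUNTS are constructed to mirror the tool's tab-separated VOLUME/ATTACHMENT lines and a guest's /proc/mounts; a live check would pass "$(euca-describe-volumes)" and "$(cat /proc/mounts)" instead.

```shell
#!/bin/sh
# Added example, not part of the Meghdoot guide: pre-flight checks for the
# volume operations, evaluated over euca-describe-volumes output.
# The two samples below are constructed; real runs feed in live output.

# Constructed describe-volumes output (tab separated, as the tool prints it):
#   VOLUME <id> <size GB> <snapshot> <zone> <state> <created>
#   ATTACHMENT <id> <instance> <device> <state> <time>
SAMPLE_VOLUMES=$(printf '%b\n' \
  'VOLUME\tvol-FG6578\t1\tsnap-EF4323\tmyzone\tavailable\t2012-05-01T10:00:00.000Z' \
  'VOLUME\tvol-GH4342\t1\t\tmyzone\tin-use\t2012-05-01T10:05:00.000Z' \
  'ATTACHMENT\tvol-GH4342\ti-345678\t/dev/sdb\tattached\t2012-05-01T10:06:00.000Z' \
  'VOLUME\tvol-AB1234\t5\t\tmyzone\tcreating\t2012-05-01T10:09:00.000Z')

# Constructed /proc/mounts of the guest i-345678, with the volume still mounted.
SAMPLE_MOUNTS=$(printf '%s\n' \
  '/dev/vda1 / ext3 rw 0 0' \
  '/dev/sdb /mnt/data ext3 rw 0 0')

# State of one volume ("available", "in-use", "creating", ...) or nothing if unknown.
volume_state() {   # $1 = describe-volumes output, $2 = volume id
  printf '%s\n' "$1" | awk -F'\t' -v v="$2" '$1 == "VOLUME" && $2 == v { print $6; exit }'
}

# Ids of all volumes currently in the given state, one per line.
volumes_in_state() {   # $1 = output, $2 = state
  printf '%s\n' "$1" | awk -F'\t' -v s="$2" '$1 == "VOLUME" && $6 == s { print $2 }'
}

# Guest device a volume is attached as (from its ATTACHMENT line), or nothing.
attached_device() {   # $1 = output, $2 = volume id
  printf '%s\n' "$1" | awk -F'\t' -v v="$2" '$1 == "ATTACHMENT" && $2 == v { print $4; exit }'
}

# euca-create-snapshot is only valid for "available" or "in-use" volumes.
can_snapshot() {   # $1 = output, $2 = volume id
  st=$(volume_state "$1" "$2")
  case "$st" in
    available|in-use) return 0 ;;
    '') echo "can_snapshot: unknown volume $2" >&2; return 1 ;;
    *)  echo "can_snapshot: $2 is '$st', not available/in-use" >&2; return 1 ;;
  esac
}

# A volume attaches to one instance at a time, so it must be "available".
can_attach() {   # $1 = output, $2 = volume id
  [ "$(volume_state "$1" "$2")" = available ]
}

# Is the device still mounted? Run inside the guest with /proc/mounts contents.
device_is_mounted() {   # $1 = contents of /proc/mounts, $2 = device path
  printf '%s\n' "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# Combined guard for euca-detach-volume: the volume must be attached and its
# guest device must no longer be mounted. Returns 0 only when detaching is safe.
pre_detach_check() {   # $1 = output, $2 = guest /proc/mounts, $3 = volume id
  dev=$(attached_device "$1" "$3")
  if [ -z "$dev" ]; then
    echo "pre_detach_check: $3 is not attached" >&2; return 1
  fi
  if device_is_mounted "$2" "$dev"; then
    echo "pre_detach_check: $dev ($3) is still mounted; unmount it first" >&2; return 1
  fi
  return 0
}
```

With the constructed samples, can_snapshot accepts vol-FG6578 and vol-GH4342 but rejects vol-AB1234 (still "creating"), and pre_detach_check refuses vol-GH4342 until /dev/sdb disappears from the guest's mount table.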
2.3.3 Inst
ance Management

Running a VM Instance
You can now run instances that are accessible with the newly generated private key:

    euca-run-instances -k mykey -n <number of instances to start> <emi-id>
    euca-describe-instances

Authorizing Security Groups and Allocating IPs
If your administrator has configured Eucalyptus to provide security groups and elastic IPs, you may be required to allow logins to your instance, allocate a public IP (if you have not done so before; check 'euca-describe-addresses' as a reminder), and assign it to your running instance.

Allow 'ssh' connections from the Internet:

    euca-authorize -P tcp -p 22 -s 0.0.0.0/0 default

Allocate a public IP if you have not done so already:

    euca-allocate-address

Associate an allocated IP with your running instance:

    euca-associate-address <IP from allocate> -i <instance ID>

Once the instance is shown as 'Running', it will also show two IP addresses assigned to it. Please note that depending on the networking mode used to implement your Eucalyptus cloud, some command line tools may not be applicable (security groups/elastic IPs, etc.).

Logging into a VM Instance
You can now log into it with the SSH key that you created:

    ssh -i mykey.private root@<accessible-instance-ip>

To terminate instances, use:

    euca-terminate-instances <instance-id1>

For more information on Euca2ools, see our Euca2ools User Guide. For more information on EC2 command line tools, see the EC2 Getting Started Guide.
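The euca-authorize line above opens port 22 of the "default" group to every source address (0.0.0.0/0). The following script is an added example, not part of the Meghdoot guide or euca2ools, that builds the same command for a narrower source range: it validates the CIDR first and refuses 0.0.0.0/0 unless ALLOW_ANY=1 is set explicitly. It assumes euca2ools are on PATH and eucarc has been sourced when the printed command is actually executed; 203.0.113.0/24 is a documentation range standing in for the administrators' network.

```shell
#!/bin/sh
# Added example, not part of the Meghdoot guide: build the euca-authorize
# command for ssh with a source range narrower than 0.0.0.0/0.
# Assumes euca2ools on PATH and eucarc sourced when the command is run.

# Return 0 when $1 is a syntactically valid IPv4 CIDR (a.b.c.d/n, n in 0..32).
valid_cidr() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF != 5 { exit 1 }
    {
      for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
      if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
      exit 0
    }'
}

# Print the euca-authorize line allowing tcp/22 from CIDR into group GROUP.
# 0.0.0.0/0 is refused unless ALLOW_ANY=1, so the world-open rule is a
# deliberate choice rather than the default.
ssh_authorize_cmd() {   # $1 = security group, $2 = source CIDR
  group="$1"; cidr="$2"
  valid_cidr "$cidr" || { echo "ssh_authorize_cmd: invalid CIDR '$cidr'" >&2; return 1; }
  if [ "$cidr" = 0.0.0.0/0 ] && [ "${ALLOW_ANY:-0}" != 1 ]; then
    echo "ssh_authorize_cmd: refusing to open port 22 to 0.0.0.0/0 (set ALLOW_ANY=1 to override)" >&2
    return 1
  fi
  printf 'euca-authorize -P tcp -p 22 -s %s %s\n' "$cidr" "$group"
}

# Usage (203.0.113.0/24 is a constructed stand-in for the admin network):
#   ssh_authorize_cmd default 203.0.113.0/24 | sh
```

The function only prints the command; piping it to sh runs it, which keeps the validation separate from the privileged action and makes the generated rule easy to review or log first.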
2.3.4 Security Management

Security implementation for Private Cloud

Overview
Security in a private cloud deployment is of less concern as compared to the public cloud deployment model. Security in a private cloud can be achieved with existing security solutions with slight modification and cloud-aware configuration. This document describes how security can be implemented and which security controls are competent enough to ensure security in a private cloud. Achieving security using existing security controls is very complex and requires specific policy and design models. For reducing complexity and security risk in the private cloud environment, we have devised a strategy for their deployment and a policy for their configuration as per the cloud computing model. Moreover, we modified the source code of some tools and also developed decoders for managing specific kinds of events or alerts, such as cloud access logs. The following open source security controls have been selected and integrated in the Meghdoot cloud stack.

Security Integrated Architecture
This tells us where specific security controls and software should be installed in the cloud so that the minimal security requirement of the private cloud environment is satisfied. The architecture figure places the components as follows:
- Cloud Head Node: OSSEC (HIDS) server; ModSecurity (WAF, reverse proxy mode); WAF-Console (internal access); HIDS-Console (internal access)
- Compute Node-1, Compute Node-2: OSSEC agent
- VM-1, VM-2, VM-3, VM-4: OSSEC agent

OSSEC
An open-source "Host-Based Intrusion Detection System" (HIDS), meaning that it works by monitoring conditions on a host machine and reporting possible security breaches. OSSEC monitors:
- System logs (http.log, auth.log, syslog etc.)
- File integrity in system directories
- System processes
- VMs
When a possible security breach is detected, OSSEC logs the event and assigns it an alert level. Depending on the alert level, an e-mail or SMS can be sent. It has a rule based detection mechanism. In addition to this, OSSEC provides limited "active-response" functionality to respond automatically to an event immediately after its detection. OSSEC is not a Network-Based Intrusion Detection System (NIDS) like Snort; however, Snort's logs can be monitored through the OSSEC log monitor.

ModSecurity
An open source web application firewall (WAF) cum web intrusion prevention system. It has a rule based detection mechanism: when a particular rule matches against an incoming HTTP request, it immediately denies access. ModSecurity can be deployed in two modes: embedded mode and network mode (reverse proxy mode). In embedded mode it can protect a single web server only (the Apache web server), while in reverse proxy mode multiple application or web servers can be protected. In the context of the cloud, the reverse proxy mode of ModSecurity is recommended. With this kind of deployment and configuration, different tenants' applications running on different application servers will be monitored and protected from web attacks/threats.

WAF AuditConsole
An alert and log management GUI for ModSecurity that provides a complete view of who has accessed which web application at what time, with a report generation facility.

HIDS-Console
An alert and log management GUI for OSSEC that allows us to see the alerts and events that occurred on a particular host or VM.

ModSecurity Installation on RHEL/CentOS platform

Prerequisites:
1. apache or httpd
2. mod_unique_id
3. libapr and libapr-util
4. libpcre
5. libxml2
6. libcurl v7.15.1 or higher
7. mlogc (for forwarding logs to a remote location)

Installation of libxml2:

    wget ftp://xmlsoft.org/libxml2/libxml2-sources-2.6.29.tar.gz
    tar -xvzf libxml2-sources-2.6.29.tar.gz
    cd libxml2-2.6.29
    ./configure
    make
    make install

Installation of libapr and libapr-util:
Download the tar file from http://apr.apache.org/download.cgi and untar it:

    tar zxvf /<path to the file>
    cd apr<version>
    ./configure
    make
    make install

Installation of libpcre:

    yum install pcre pcre-devel

Installation of curl:

    yum install curl

Installation steps for ModSecurity from the source package:
Step 1. Copy the tar file from the Meghdoot DVD or download it from http://www.modsecurity.org/download/
Step 2. Move the downloaded tar file into the /opt directory: mv /<path to downloaded file> /opt
Step 3. Extract the tar file: tar zxvf /opt/<filename>
Step 4. Change the working directory to the untarred directory: cd modsecurity-apache_<version>
Step 5. Execute the configure script: ./configure
Step 6. make
Step 7. make mlogc
Step 8. make install
ModSecurity Configuration on RHEL/CentOS

Create the necessary directories:

    mkdir /opt/modsecurity
    mkdir /opt/modsecurity/etc
    mkdir /opt/modsecurity/var
    mkdir /opt/modsecurity/var/audit
    mkdir /opt/modsecurity/var/data
    mkdir /opt/modsecurity/var/log
    mkdir /opt/modsecurity/var/tmp
    mkdir /opt/modsecurity/var/upload
    mkdir /opt/modsecurity/bin

Create the user and group:

    groupadd apache
    useradd -g apache apache

Change the ownership of the directories:

    chown apache /opt/modsecurity/var/audit
    chown apache /opt/modsecurity/var/data
    chown apache /opt/modsecurity/var/tmp/
    chown apache /opt/modsecurity/var/upload/

Change the permissions of the created directories:

    chmod 750 /opt/modsecurity/
    chmod 750 /opt/modsecurity/bin/
    chmod 700 /opt/modsecurity/etc/
    chmod 750 /opt/modsecurity/var/
    chmod 750 /opt/modsecurity/var/tmp/
    chmod 700 /opt/modsecurity/var/audit/
    chmod 700 /opt/modsecurity/var/data/
    chmod 700 /opt/modsecurity/var/log/
    chmod 700 /opt/modsecurity/var/upload/

Create the ModSecurity config file:

    touch /opt/modsecurity/etc/modsecurity.conf

Copy the following contents into the above file (modsecurity.conf):

    LoadModule unique_id_module modules/mod_unique_id.so
    LoadModule security2_module /usr/lib64/httpd/modules/mod_security2.so
    SecRuleEngine On
    SecRequestBodyAccess On
    SecDefaultAction "phase:2,deny,log"
    SecRequestBodyLimit 1310720
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecResponseBodyAccess Off
    SecResponseBodyMimeType text/plain text/html
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction ProcessPartial
    SecTmpDir /opt/modsecurity/var/tmp/
    SecDataDir /opt/modsecurity/var/data/
    SecUploadDir /opt/modsecurity/var/upload/
    SecUploadKeepFiles Off
    SecUploadFileMode 0600
    # Debug log
    SecDebugLog /opt/modsecurity/var/log/debug.log
    SecDebugLogLevel 3
    # Log only what is really necessary.
    SecAuditEngine RelevantOnly
    # Also log requests that cause a server error.
    SecAuditLogRelevantStatus ^(5|4)
    # Log everything we know about a transaction.
    SecAuditLogParts ABCDEFGHIJKZ
    # Concurrent (one file per transaction) audit logging, piped to mlogc.
    SecAuditLogType Concurrent
    SecAuditLog "|/usr/local/bin/mlogc /etc/httpd/mlogc.conf"
    # Specify the path for concurrent audit logging.
    SecAuditLogStorageDir /var/log/mlogc/data
    Include /opt/modsecurity-apache_2.5.13/rules/base_rules/*.conf

Now open the httpd.conf file of the Apache server and include the ModSecurity configuration file as follows:

    Include /opt/modsecurity/etc/modsecurity.conf

Download the rules from the ModSecurity website: http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/
Untar the file to the /opt directory and edit the last line (the Include) of /opt/ModSecurity/etc/modsecurity.conf according to the version you downloaded.

Installing mlogc
We built the mlogc binary during "make mlogc", so copy it into the /usr/local/bin directory:

    cp <path to modsecurity-apache directory>/tools/mlogc /usr/local/bin

ModSecurity Installation on Debian based BOSS Linux flavor

ModSecurity installation using the binary script built into the Security-Packages of the Meghdoot DVD. Copy the following script to a file with the .sh extension and execute that file at the command prompt.

    #!/bin/sh
    # Command to update the repository
    echo " Updating the repository "
    echo "-----------------------------\n\n"
    apt-get update
    # Command to install apache2
    apt-get install apache2
    # Command to install modsecurity
    apt-get install libapache-mod-security

    echo "\n\n Creating the necessary directories..."
    for d in /opt/modsecurity /opt/modsecurity/etc /opt/modsecurity/var \
             /opt/modsecurity/var/audit /opt/modsecurity/var/data \
             /opt/modsecurity/var/log /opt/modsecurity/var/tmp \
             /opt/modsecurity/var/upload /opt/modsecurity/bin
    do
        if [ -d "$d" ]; then
            echo "\n Directory $d already exists ... OK\n"
        else
            mkdir "$d"
            echo "\n Directory $d is created ... OK\n"
        fi
    done

    echo "\n Creating the user apache and group apache ...\n"
    groupadd apache
    useradd -g apache apache

    echo "\n Changing the ownership of the created directories..."
    chown apache /opt/modsecurity/var/audit
    chown apache /opt/modsecurity/var/data
    chown apache /opt/modsecurity/var/tmp/
    chown apache /opt/modsecurity/var/upload/
    echo "Done\n"

    echo "\n Changing the permissions of the created directories..."
    chmod 750 /opt/modsecurity/
    chmod 750 /opt/modsecurity/bin/
    chmod 700 /opt/modsecurity/etc/
    chmod 750 /opt/modsecurity/var/
    chmod 750 /opt/modsecurity/var/tmp/
    chmod 700 /opt/modsecurity/var/audit/
    chmod 700 /opt/modsecurity/var/data/
    chmod 700 /opt/modsecurity/var/log/
    chmod 700 /opt/modsecurity/var/upload/
    echo "...Done\n"

    echo "\n Creating the necessary config files..."
    # reverse-proxy.conf needs to be configured when ModSecurity (WAF) is
    # deployed in network mode (reverse proxy mode)
    for f in modsecurity.conf reverse-proxy.conf main.conf \
             rules-first.conf rules.conf rules-last.conf
    do
        if [ -f "/opt/modsecurity/etc/$f" ]; then
            echo "\n File /opt/modsecurity/etc/$f already exists ... OK\n"
        else
            touch "/opt/modsecurity/etc/$f"
            echo "\n File /opt/modsecurity/etc/$f is created ... OK\n"
        fi
    done

Configuring ModSecurity
Download the core rule set from http://www.modsecurity.org/download/. All rules are present in the tar file, so extract the rules directory to the /opt folder. Now open the modsecurity.conf file (which will be in the /opt/modsecurity/etc/ folder) and add the following configuration:

    SecRuleEngine On
    SecRequestBodyAccess On
    SecDefaultAction "phase:2,deny,log"
    SecRequestBodyLimit 1310720
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecResponseBodyAccess Off
    SecResponseBodyMimeType text/plain text/html
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction ProcessPartial
    SecTmpDir /opt/modsecurity/var/tmp/
    SecDataDir /opt/modsecurity/var/data/
    SecUploadDir /opt/modsecurity/var/upload/
    SecUploadKeepFiles Off
    SecUploadFileMode 0600
    # Debug log
    SecDebugLog /opt/modsecurity/var/log/debug.log
    SecDebugLogLevel 3
    # Log only what is really necessary.
    SecAuditEngine RelevantOnly
    # Also log requests that cause a server error.
    SecAuditLogRelevantStatus ^5
    # Log everything we know about a transaction.
    SecAuditLogParts ABCDEFGHIJKZ
    # Use a single file for logging.

Now open the reverse-proxy.conf file (which will be in the /opt/modsecurity/etc/ folder) and add the following configuration:

    ProxyRequests Off
    # The following two lines need to be added for each user application/other web server
    # that you want to protect
    ProxyPass <resource> <Target URI>
    ProxyPassReverse <resource> <Target URI>

Sample configuration for the cloudforum application:

    #ProxyRequests Off
    #ProxyPass /cloudforum http://cdaccloud.com/cloudforum
SecAuditLogStorageDir /var/log/mlogc/data Include /opt/modsecurity-apache_2.conf Open reverse-proxy.conf" # Specify the path for concurrent audit logging.13/rules/base_rules/*.com/cloudforum #ProxyPassReverse /cloudorum http://cdaccloud. SecAuditLogType Concurrent SecAuditLog "|/usr/local/bin/mlogc /etc/apache2/mlogc.# Log everything we know about a transaction. conf file of apache server and include the modsecurity configuration file as follows.modsecurity.conf  Include /opt/modsecurity/etc/reverse-proxy.Open the httpd. Copy that file to a safer location like /usr/local/bin. Now edit the mlogc.  Include /opt/modsecurity/etc/modsecurity.conf Now restart your apache web server. CDAC Page 62 .org/download/ Untar the file and change directory to mlogc-src folder cd mlogc-src Execute the command 'make' Now we can see a executable file with the name mlogc in the same folder.  /etc/init.  apache2-threaded-dev  libcurl3  libc6  curl  libcurl4-openssl-dev  pcre Download the mlogc source from .http://www.conf file which will be in the same directory by providing the sensor and remote location of WAF-AuditConsole. Install all the following dependencies.d/apache2 restart Mlogc Installation: Description: mlogc is ModSecurity Audit Log Collector which is used to connect a ModSecurity sensor to the central audit log repository. CDAC Page 63 .      mkdir /var/log/mlogc/ mkdir /var/log/mlogc/data touch /var/log/mlogc/mlogc-error. Now create necessary directories and files which are needed for mlogc. Install apache-tomcat software and copy that war file into webapps folder and re start apache-tomcat.log touch /var/log/mlogc/mlogc-queue. Once cloud head node established completely. just you have to configure database settings through initial window of WAF-Console. 
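To see what the audit settings above actually select, here is an added example in Python (not code from the guide, from the Meghdoot project or from ModSecurity). It parses entries in ModSecurity's audit-log layout (the A, B, F, H and Z parts) from a constructed sample and applies the SecAuditLogRelevantStatus regular expression the way RelevantOnly does, so the difference between ^5 and ^(5|4) shows on the same three transactions. Transaction ids, addresses and host names in the sample are made up. In RelevantOnly mode a transaction is also logged when a rule with the auditlog action matches; that second trigger is not modelled here.

```python
"""Parse ModSecurity audit-log entries and apply SecAuditLogRelevantStatus.

Added example for this guide; not code from the Meghdoot project or from
ModSecurity. The audit log below is constructed: ids, addresses and host
names are made up.
"""
import re

# Constructed sample in ModSecurity's audit-log layout. Each transaction is
# delimited by "--<boundary>-<part>--" markers; parts A (header), B (request),
# F (response headers), H (trailer with rule messages) and Z (end) are shown.
SAMPLE_AUDIT_LOG = """\
--0a1b2c3d-A--
[23/Mar/2018:10:15:01 +0530] tx-0001 192.0.2.10 51234 198.51.100.5 80
--0a1b2c3d-B--
GET /cloudforum/index.php HTTP/1.1
Host: cloud.example
--0a1b2c3d-F--
HTTP/1.1 200 OK
--0a1b2c3d-H--
Stopwatch: 1521780301000000 1200 (- - -)
--0a1b2c3d-Z--

--1b2c3d4e-A--
[23/Mar/2018:10:15:07 +0530] tx-0002 192.0.2.77 51240 198.51.100.5 80
--1b2c3d4e-B--
GET /cloudforum/admin/ HTTP/1.1
Host: cloud.example
--1b2c3d4e-F--
HTTP/1.1 403 Forbidden
--1b2c3d4e-H--
Message: Access denied with code 403 (phase 2). [msg "constructed sample rule"]
--1b2c3d4e-Z--

--2c3d4e5f-A--
[23/Mar/2018:10:15:09 +0530] tx-0003 192.0.2.10 51250 198.51.100.5 80
--2c3d4e5f-B--
POST /cloudforum/post.php HTTP/1.1
Host: cloud.example
--2c3d4e5f-F--
HTTP/1.1 500 Internal Server Error
--2c3d4e5f-H--
Stopwatch: 1521780309000000 48000 (- - -)
--2c3d4e5f-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
PART_A = re.compile(
    r"^\[(?P<time>[^\]]+)\] (?P<txid>\S+) (?P<src>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dport>\d+)$"
)
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (?P<status>\d{3})")


def parse_audit_log(text):
    """Return one summary dict per transaction, in file order."""
    transactions = []
    parts = None    # part letter -> lines, for the transaction being read
    current = None  # part letter currently being read
    for line in text.splitlines():
        marker = BOUNDARY.match(line)
        if marker:
            letter = marker.group(2)
            if letter == "A":
                parts = {}
            if parts is None:  # stray marker before any A part: ignore it
                continue
            current = letter
            parts[current] = []
            if letter == "Z":  # Z closes the transaction
                transactions.append(_summarise(parts))
                parts, current = None, None
            continue
        if parts is not None and current is not None:
            parts[current].append(line)
    return transactions


def _summarise(parts):
    header = PART_A.match(parts["A"][0]).groupdict()
    status = None
    for line in parts.get("F", []):
        match = STATUS_LINE.match(line)
        if match:
            status = int(match.group("status"))
            break
    messages = [line[len("Message: "):]
                for line in parts.get("H", []) if line.startswith("Message: ")]
    return {"txid": header["txid"], "client": header["src"], "time": header["time"],
            "request": parts.get("B", [""])[0], "status": status, "messages": messages}


def is_relevant(status, relevant_status_regex):
    """Mirror SecAuditLogRelevantStatus: the regex is run against the status code text."""
    return status is not None and re.search(relevant_status_regex, str(status)) is not None


def relevant_transactions(text, relevant_status_regex):
    """Transactions the audit engine would keep under the given status regex."""
    return [tx for tx in parse_audit_log(text) if is_relevant(tx["status"], relevant_status_regex)]


if __name__ == "__main__":
    for pattern in (r"^5", r"^(5|4)"):
        kept = relevant_transactions(SAMPLE_AUDIT_LOG, pattern)
        print(pattern, "->", [(tx["txid"], tx["status"]) for tx in kept])
```

With ^5 only tx-0003 (the 500) is kept; with ^(5|4) the 403 blocked by a rule is kept as well, which is the setting the RHEL section above uses. The same parser can be pointed at the files mlogc writes under /var/log/mlogc/data when the console is unreachable and the queue has to be reviewed by hand.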
WAF-Audit Console Installation and Configuration

WAF installation and configuration is platform independent (RHEL/CentOS/Debian/BOSS). The following set of steps need to be performed.

Prerequisites
  JRE (Java runtime environment)
  Apache Tomcat application server
  MySQL/PostgreSQL database server

Installation from the Meghdoot cloud DVD
ModSecurity would be installed automatically if you are using the Meghdoot cloud DVD for installation. Once the cloud head node is established completely, you only have to configure the database settings through the initial window of the WAF-Console. Install the apache-tomcat software, copy the WAR file into the webapps folder and restart apache-tomcat.

Configuration
WAF-Console stores all ModSecurity events in a MySQL backend database, so we need to create a database and a user who has access to this database:
  mysqladmin -u root -p create <database-name>
  mysql -u root -p <database-name>
  GRANT ALL on <database-name>.* to Username@localhost IDENTIFIED BY '<password>';
  FLUSH PRIVILEGES;

If you have any already existing .sql backup files you can load them as follows:
  mysql -u root -p <database-name> < <path to dump file>

Now open a web browser and access the following URL:
  http://localhost:8080/WAF-Console-<version number>
Login using admin and admin as username and password, set a temporary directory location as /opt/audit and click OK.

Configuring Database
Give your database details:
  URL: jdbc:mysql://127.0.0.1/<database-name>
  Username: <username>
  Password: <password>

Configuring sensors
Create a sensor and its password: System → Sensors → Add sensor

mlogc configuration
The same sensor name and password must be mentioned in the mlogc.conf file:
  cp <path to modsecurity-apache directory>/apache2/mlogc-src/mlogc-default.conf /etc/httpd/mlogc.conf
  mention the username and password
  mention the Console URI according to your AuditConsole deployment
  Ex: http://localhost:8080/AuditConsole-<version number>/rpc/auditLogReceiver

OSSEC Installation and Configuration

OSSEC performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. As OSSEC monitors system logs, directories and processes, it uses a set of rules to determine when an alert should be triggered.

Prerequisites for OSSEC installation from the source package (tar package)
  GCC compiler
  Make
  OpenSSL
  Iptables firewall

OSSEC Installation
OSSEC works on a server-client model. The server must be a UNIX/Linux machine. The clients, which OSSEC calls "agents", can run virtually any operating system. So three deployment modes of OSSEC are available:
  Local mode
  Server mode
  Agent mode
OSSEC server and local installation is independent of the Linux operating system distribution.

Step 1: Download OSSEC from the following URL: http://www.ossec.net/files/
Step 2: Un-tar the files to a local directory and change to that directory.

Local Installation
Run the installation shell script:
  # ./install.sh
  What kind of installation do you want (server, agent, local or help)? local
  Setting up the installation environment.
  Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
  -- Press ENTER to continue --
Once you press the enter key the source code will be compiled and OSSEC will be deployed into the system in local mode.

Installing the Server
Run the installation shell script:
  # ./install.sh
  What kind of installation do you want (server, agent, local or help)? server

Installing the OSSEC Agent on Linux
Run the installation shell script:
  # ./install.sh
  What kind of installation do you want (server, agent, local or help)? agent
  What is the IP of your Cloud Head Node (OSSEC HIDS) Server? IP (www.xxx.yyy.zzz)
Installing OSSEC agents on a Windows host
  Download the .exe file from the following site: http://www.ossec.net/main/downloads
  Click on the downloaded file.
  Enter the source IP of the server and the authentication key.

Managing Agents
The server-agent traffic is encrypted and validated using pre-shared keys. These keys must be generated on the server and then imported on the agent side. The procedure is the same regardless of the agent platform. All agent key management is done using the manage_agents utility in the OSSEC HIDS bin directory. Now execute the following line in the command prompt (adjust the path to the install directory you chose, /var/ossec by default):
  /opt/ossec/bin/manage_agents

Then the following information will be displayed in the command prompt:

  ****************************************
  * OSSEC HIDS v1.4 Agent manager.       *
  * The following options are available: *
  ****************************************
     (A)dd an agent (A).
     (E)xtract key for an agent (E).
     (L)ist already added agents (L).
     (R)emove an agent (R).
     (Q)uit.
  Choose your action: A,E,L,R or Q:

Now select your option. If you select A, the following info will be displayed:

  - Adding a new agent (use '\q' to return to the main menu).
    Please provide the following:
     * A name for the new agent: <give a name for the agent>
     * The IP Address of the new agent: <enter the IP address of the agent>
     * An ID for the new agent [001]: <ID of the agent>
  Agent information:
  Confirm adding it?(y/n): y
  Agent added.

Managing the Rule-base of OSSEC
These rules reside in /var/ossec/rules and are XML files. A rule "fires" when certain conditions are met. For example, the following rule, contained in syslog_rules.xml, will fire when OSSEC detects the strings "Promiscuous mode enabled" or "device [non white space string] entered promiscuous mode" within the Linux system log:

  <rule id="5104" level="8">
    <if_sid>5100</if_sid>
    <regex>Promiscuous mode enabled|</regex>
    <regex>device \S+ entered promiscuous mode</regex>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
    <group>promisc,</group>
  </rule>

OSSEC comes with a comprehensive set of rules that should cover virtually every security-related aspect of the system. Nonetheless, there may be times when you want to write a custom rule. Since rules are XML files, they are easy to edit. However, the OSSEC manual recommends that instead of editing the rules themselves, you modify their behavior by writing custom rules and adding them to the local_rules.xml file. The procedures for writing custom rules are explained in the OSSEC manual or online.

Rules can be made highly granular so that they will only fire for certain hosts involving certain IP addresses at certain times of the day, etc. For example, OSSEC by default will generate an alert and an email whenever an agent connects or disconnects. Chances are that you don't care very much if a workstation disconnects, as this happens whenever someone with a laptop goes home for the day. But you probably want to know if a machine in the server room stops responding. You could write a custom rule to modify the behavior of rules 503 and 504 (the agent-connect and agent-disconnect rules) so that they would only fire when servers disconnect. Again, see the OSSEC manual for the specifics of writing such a rule.

HIDS-Console Installation and Configuration

HIDS-Console is a web based PHP GUI application for OSSEC-HIDS alert and log management. It also displays configuration information about the deployed agents and server.

Prerequisites
  Apache with PHP (>= 4.1 or >= 5.0) installed (with POSIX support), OR Lighttpd (>= 1.x) with PHP-cgi (php4-cgi or php5-cgi) in FastCGI
  OSSEC (version >= 0.9-3) already installed.
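The rule quoted above, evaluated against a few constructed syslog lines, as an added example in Python (not code from the guide, from the Meghdoot project or from OSSEC). It loads OSSEC-style rule XML with xml.etree, honours <if_sid> so that a child rule is only tested once its parent matched, and joins the two <regex> elements into one alternation, which is what the trailing "|" in the first element achieves. Rule 5100 here is a constructed stand-in for the parent (only its id is on the page), the log lines are made up, and OSSEC's own regex dialect differs from Python's re beyond the subset rule 5104 uses.

```python
"""Evaluate OSSEC-style rules against syslog lines.

Added example for this guide; not code from the Meghdoot project or OSSEC.
Rule 5104 is the one quoted in the guide; its parent 5100 is a constructed
stand-in (only its id appears on the page). The log lines are constructed.
"""
import re
import xml.etree.ElementTree as ET

RULES_XML = r"""<group name="syslog,">
  <!-- Constructed parent rule (assumption): any line written by the kernel -->
  <rule id="5100" level="0">
    <regex>kernel:</regex>
    <description>Logging every kernel log.</description>
  </rule>
  <!-- Rule quoted in the guide -->
  <rule id="5104" level="8">
    <if_sid>5100</if_sid>
    <regex>Promiscuous mode enabled|</regex>
    <regex>device \S+ entered promiscuous mode</regex>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
    <group>promisc,</group>
  </rule>
</group>
"""

# Constructed syslog lines; hosts and addresses are made up.
SAMPLE_LOG = [
    "Mar 23 10:15:01 node01 kernel: device eth0 entered promiscuous mode",
    "Mar 23 10:15:02 node01 kernel: eth0: link up",
    "Mar 23 10:16:44 node02 sshd[2291]: Accepted publickey for admin from 192.0.2.5",
    "Mar 23 10:17:09 node03 kernel: Promiscuous mode enabled on eth1",
]


def load_rules(xml_text):
    """Parse rule XML into dicts keyed by id, preserving file order.

    Several <regex> elements are joined into one pattern; the trailing "|" in
    the first element of rule 5104 turns the pair into an alternation. Only
    the subset of OSSEC's regex dialect used here coincides with Python's re.
    """
    rules = {}
    for node in ET.fromstring(xml_text).iter("rule"):
        pattern = "".join(r.text for r in node.findall("regex"))
        rules[node.get("id")] = {
            "id": node.get("id"),
            "level": int(node.get("level")),
            "if_sid": [n.text for n in node.findall("if_sid")],
            "regex": re.compile(pattern) if pattern else None,
            "description": node.findtext("description", ""),
            "groups": [g for g in node.findtext("group", "").split(",") if g],
        }
    return rules


def evaluate(line, rules):
    """Return the most specific rule that fires for a line, or None.

    OSSEC walks rules as a tree: a rule carrying <if_sid> is only tested once
    one of the listed parents matched, and the child's level then replaces
    the parent's (a level 0 child silences its parent).
    """
    fired = []
    for rule in rules.values():
        if rule["if_sid"] and not any(parent in fired for parent in rule["if_sid"]):
            continue
        if rule["regex"] is None or rule["regex"].search(line):
            fired.append(rule["id"])
    return rules[fired[-1]] if fired else None


def alerts(lines, rules, min_level=1):
    """(rule id, level, line) for every line whose final rule reaches min_level."""
    out = []
    for line in lines:
        rule = evaluate(line, rules)
        if rule is not None and rule["level"] >= min_level:
            out.append((rule["id"], rule["level"], line))
    return out


if __name__ == "__main__":
    for rule_id, level, line in alerts(SAMPLE_LOG, load_rules(RULES_XML)):
        print(f"rule {rule_id} level {level}: {line}")
```

The two kernel lines about promiscuous mode reach rule 5104 at level 8; the plain kernel line stops at the level 0 parent and produces no alert, and the sshd line never enters the 5100 branch at all. Writing a custom child rule in local_rules.xml, as the text recommends, works through the same <if_sid> mechanism: the child is tested only after the stock rule matched and its level is the one that ends up in the alert.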
Installation
The HIDS-Console package is on the Meghdoot DVD. Copy the package to the respective location (refer to the integration architecture) and run:
  tar -zxvf HIDS-Console-1.0.tar.gz
  mv HIDS-Console-1.0 /var/www/HIDS-Console
  cd /var/www/HIDS-Console
  ./setup.sh

Configuration
Fix the /tmp permissions or add your web server user (www-data) to the ossec group. Check and edit the file using "vi /etc/group". If this file contains the line "ossec:x:1002:www-data" then leave it. Otherwise add this line at the end of the file and save it.
  Run command "chmod 770 /var/ossec/tmp"
  Run command "chmod 770 /var/ossec/logs/alerts/alerts.log"
  Run command "chgrp www-data /var/ossec/tmp"
  Run command "/etc/init.d/apache2 restart"

Enable one of the specific authentication modules available for apache
Types of Auth modules: Basic, Digest, PAM
  # vi /etc/apache2/httpd.conf
Add the following lines:
  <Directory /var/www>
    AuthType Basic
    AuthName "Blocked Restricted Access"
    AuthUserFile /etc/apache2/passwd
    Require user <username>
  </Directory>

Create a password file with htpasswd
The htpasswd command is used to create and update the flat files (text files) used to store usernames and passwords for basic authentication of Apache users.
General syntax:
  htpasswd -c password-file username
Where:
  -c : Create the password-file. If password-file already exists, it is rewritten and truncated.
  username : The username to create or update in password-file. If username does not exist in this file, an entry is added. If it does exist, the password is changed.
Restart Apache:
  # /etc/init.d/apache2 restart

Product/Solution: Snapshots after deployment

Meghdoot-AppSecurity: This solution includes two components:
  WAF - ModSecurity: an open source web application firewall cum intrusion detection system
  WAF-Console: a ModSecurity alert and log management console

Meghdoot-End Point Security: This solution includes two components:
  HIDS - OSSEC: an open source host intrusion detection cum prevention (limited) system
  HIDS-Console: an HIDS alert and log management console

2.3.5 Monitoring

Hyperic HQ

Pre-requisites
  Postgres 8.3 or above
  postgresql-client-common
  Java Development Kit 1.6 or above

Note: By default Hyperic is installed and configured.

Mapping the Hostname
Open a terminal and type the following commands as root user to set a host name for the machine. For example, if you wish to set the host name as portalserver:
  hostname portalserver
  echo "portalserver" > /etc/hostname
Now exit the terminal. Click System -> Logout root. Now login again as root user.

Now open a terminal; the /etc/hosts file should look as follows. In our case the host name is portalserver.
  127.0.0.1 localhost
  <LAN IP Address> <Hostname>
  # The following lines are desirable for IPv6 capable hosts
  ::1 localhost ip6-localhost ip6-loopback
  fe00::0 ip6-localnet
  ff00::0 ip6-mcastprefix
  ff02::1 ip6-allnodes
  ff02::2 ip6-allrouters
  ff02::3 ip6-allhosts
Replace the <LAN IP Address> part with the IP address of your machine and the <Hostname> part with the host name of your machine.

Starting Hyperic
Open a terminal and execute the following commands as root user:
  cd /home/hyperic/server-4.2.0.7/bin
  export JAVA_HOME=/usr/lib/jvm/java-6-openjdk/
  chmod 777 *.sh
  ./hq-server.sh start

This will give the following log messages in the terminal:
  Unable to locate tools.jar. Expected to find it in /home/hyperic/server-4.2.0.7/lib/tools.jar
  Loading taskdefs...
  Taskdefs loaded
  Initializing HQ server configuration...
  Checking jboss jndi port...
  Checking jboss mbean port...
  Verify HQ database schema...
  Starting HQ server...
  Booting the HQ server (Using JAVA_OPTS=-XX:MaxPermSize=192m -Xmx512m -Xms512m -XX:+HeapDumpOnOutOfMemoryError)...
  HQ server booted.
  Login to HQ at: http://127.0.0.1:7080/
Note: All the physical servers and virtual machine(s) where the Hyperic Agent is about to be deployed must have a unique host name (/etc/hostname). The same host name must be linked with the IP address in the /etc/hosts file.

Hyperic Architecture Diagram: [figure]

Registering the Hyperic Agent with the Hyperic Server

Preliminary tests to be done from the agent side:
  Check whether the machine is able to ping the machine where the Hyperic Server is installed.
  telnet <Hyperic Server Machine> 7080 to check whether the agent machine is able to connect to the machine where the Hyperic Server is installed.
  If any port blocking software like a firewall is running, kindly disable it.
  Check whether Java is installed or not (the command java must work).
  Check whether the JAVA_HOME environment variable is defined: echo $JAVA_HOME must display a value such as /usr/lib/jvm/java-6-openjdk/
  Kindly sync the date between the Hyperic Server machine and the Hyperic Agent machine. This is for generating graph(s) and for accuracy of data w.r.t. time.

Installing and Starting the Hyperic Agent
From the machine where the Hyperic Server is installed, copy the directory /home/hyperic/agent-4.2.0.7 and put it in the location /home/hyperic/agent-4.2.0.7 on the machine where the agent is to be deployed. Execute the following commands in the terminal as root user:
  cd /home/hyperic/agent-4.2.0.7
  cd data
  rm -rf *
  cd ..
  cd /home/hyperic/agent-4.2.0.7/bin
  chmod 777 *.sh
  ./check_launch_agent.sh

To confirm whether the agent has started successfully, execute the following command as root user:
  lsof -i :2144
  COMMAND   PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
  java    19544 root  129u  IPv4 14144078      0t0  TCP *:2144 (LISTEN)

To see the logs, go to the following directory:
  cd /home/hyperic/agent-4.2.0.7/log

Setting up the Agent
Accessing the Monitoring Tool
Now you can login to the monitoring tool. To access the tool, open a browser and enter the URL http://<Cloud IP Address>:7080. The following page will appear in the browser. The default user name and password are as follows:
  Default User Name: hqadmin
  Default Password: hqadmin
Once you have logged in, it is suggested to change the default password. Click on the HQ link at the top right of the screen. Now click on the Change link. Enter the password in the new password field and the confirm new password field and click the OK button. Now the password of the user "hqadmin" is changed.

Monitoring Hyperic Agents
At first the agent will be reporting details such as system configuration and hardware details to the Hyperic Server. Click on the Add-To-Inventory button in the Auto-Discovery frame. The screen shot is shown below. Once a resource is approved, the resource is added for monitoring. At that time the status will be grey (collecting phase).

Availability Status
Once the resource is added for monitoring and has completed the collection phase, the availability status will change to green. The availability of each network service, and of each autogroup of network services, is indicated by an icon:
  Green - "Available": indicates that a service (or all of the services in an autogroup) is available.
  Yellow - "Warning": reported for an autogroup of network services, and indicates that not all of the services in the group are available. The "Warning" availability state does not apply to an individual network service.
  Red - "Not available": indicates that the service (or all of the services in an autogroup) is not available.
  Grey - "Unknown": indicates that availability cannot be determined, because the service was created but not configured correctly.
Generally, with few exceptions, the agent reports that a network service is either "Available" (green) or "Not Available" (red).

Note: This is just a getting-started manual for installing and configuring Hyperic. For more details kindly refer to http://support.hyperic.com/display/DOC/Installation+Requirements

Monitoring Resources
Once the installation and working of the agent is complete, the details will be displayed in graphical form as shown below.

Recently Added Resources
The recently added resource will be shown in the dashboard under the Recently Added strip.

2.3.6 Elasticity

Location of Elasticity Packages
The Elasticity Server components and Elasticity Agent components are located in the folder /home/elasticity as tar files.

Configuring the Elasticity Server Service
First untar the ELASTICITY-SERVER package. The folder structure is as follows:
  ELASTICITY-SERVER
  |---> cloud.properties -> Configuration file
  |---> db -> Code
  |---> jar -> API jar files are located here
  |---> schema -> Schema is located here
  |---> start.sh -> Shell script to start the Elasticity Service at the server side, once the configuration is done
  |---> typica -> Code

Restore the Dump
The schema file is located inside the schema folder. Open a terminal and type:
  pgadmin3
Now execute the following queries in the SQL Editor:
  CREATE TABLE elasticitydetails (
    ipaddress character varying(15),
    instanceid character varying(15),
    newinstanceid character varying(15)
  );
  CREATE TABLE elasticityinstancedetails (
    newinstanceid character varying(15),
    "time" bigint,
    ipaddress character varying(15)
  );
  CREATE TABLE terminatedinstancedetails (
    instanceid character varying(20),
    ipaddress character varying(20),
    "time" bigint
  );

Set the properties in the configuration file (cloud.properties):
  accesskey=<Query ID of the Admin account from the Cloud Host Portal>
  secretkey=<Secret Key of the Admin account from the Cloud Host Portal>
  ipaddress=<IP Address of the Cloud Host>
  port=8773                  (Default) Cloud Host port number
  appport=8080               The port used by the web application
  vmelasticityport=5678      (Default) Port used by the load balancer to communicate with the virtual machine
  jdbc.url=jdbc:postgresql://localhost
  jdbc.databasename=postgres
  jdbc.username=postgres     (Default)
  jdbc.password=<Password for the postgres user>
It is not required to change the properties marked as default.

Once the configuration is completed, the Elasticity Server Service can be invoked. Now execute the following commands as root:
  chmod 777 start.sh
  ./start.sh

Once the service is started, the following log messages will be printed:
  /root/Desktop/cloud_src/ELASTICITY-LATEST-BUILD/ELASTICITY/ELASTICITYSERVER
  Info: CDAC
  AWSKey: XYSXYSXYSXYSXYSXYSXYSXYSXYSXYS
  Secret Key: SKEYSKEYSKEYSKEYSKEYSKEYSKEY
  Head Node IP Address: A.B.C.D
  Web Service Port: 8773
  VM Web App Port: 8080
  VM Intimation Port: 5678
  JDBC Connection URL: jdbc:postgresql://localhost
  JDBC DB Name: postgres
  JDBC User Name: postgres
  *************** Elasticity Server Side Service *********************
  NOTICE: Please Check whether the date and time in this Machine is synced with the Machine : A.B.C.D
  Service Running on Port : 6666
  Service Started @ Tue Aug 30 00:41:59 IST 2011
  ********************************************************************
  ELASTICITY_INFO: Waiting for connection.

Configuring the Elasticity Agent
The Elasticity Agent needs to be bundled along with the virtual machine image. The Elasticity Agent package, which will reside in the virtual machine, can be located at /home/elasticity as a tar file. Untar the Elasticity-Agent package. The folder structure of the Elasticity Agent package is as follows:
  ELASTICITY-AGENT/
  `-- .elasticity
      `-- ramcode
          |-- client -> Elasticity Agent Service
          |-- elasticity_agent.sh
          |-- lib -> API files
          `-- loadbalancer.properties -> Configuration file

Open the configuration file and enter the IP address of the load balancer. Please avoid spaces, new lines etc. (note that echo itself appends a trailing newline). The following command can be used to specify the IP address of the load balancer:
  echo "<IP ADDRESS of the Load Balancer>" > loadbalancer.properties

Deploying the Elasticity-Agent Package inside the Virtual Machine Image
You can get the virtual machine image along with the DVD. Now open a terminal and execute the following commands as root:
  mkdir temp-mnt
  mount -o loop debian.img temp-mnt/
  mount -o bind /proc temp-mnt/proc
  mount -o bind /sys temp-mnt/sys
  mount -o bind /dev temp-mnt/dev
  chroot temp-mnt
  cd /root
  mkdir .elasticity

Now open another terminal and copy the ramcode folder into the .elasticity folder:
  cp -r ramcode temp-mnt/root/.elasticity

Now go back to the previous terminal (still inside the chroot) and execute the following commands, so that the service will be invoked once the virtual machine is booted:
  cd /root/.elasticity/ramcode
  chmod 777 elasticity_agent.sh
  cp elasticity_agent.sh /etc/init.d
  update-rc.d elasticity_agent.sh start 24 2 .
Also deploy your web application inside the virtual machine image. The log messages can be found at /var/log/elasticity.log.

Once the deployment of the services is complete, remember to stop all the processes inside the virtual machine image, then leave the chroot and unmount:
  exit
  umount temp-mnt/proc
  umount temp-mnt/dev
  umount temp-mnt/sys
  umount temp-mnt/

Bundling and Uploading the Virtual Machine Image to the Cloud
Now bundle and upload the virtual machine image to the cloud. This will generate an Image ID; the Image ID will start with emi- (Eucalyptus Machine Image). Now launch the virtual machine image via the euca2ools utility.

Chapter 3 Portal

In the address bar of the browser type the following:
  http://<Your-IP-Address>:5454/cloudportal
The default user name is admin and the password is admin. If you have reset the password while configuring the cloud, use the same password to login to the portal. After login, reset your password for security purposes. After login as "Admin" the following screen appears.

3.1 Cloud Management
Select the "Cloud Management" tab and click "Eucalyptus" to proceed to the following screen. The default user is admin and the password is admin. After login, reset your password for security purposes.
3.2 Security Console
Select the "Security Console" tab and click "WAF Console" to proceed to the following screen. The default user is admin and the password is admin. After login as admin the following screen appears.
Select the "Security Console" tab and click "HIDS Console" to proceed to the following screen.

3.3 Resource Request
Select the "Resource Request" tab and select "IaaS". After specifying the Instance Name, Type and OS, click Proceed for the Key Pair screen as follows. Key pair generation has two options: for the first IaaS request select the New option and click Create to generate a key pair. The user can also select the Use Existing option, and then click the Proceed button. After clicking Proceed, the configuration details screen appears as follows. The user can launch the instance by clicking the Confirm button. The software configuration screen appears next and is optional for the user; the user can select a Web Server, App Server and Database Server if needed.

Select the "Resource Request" tab and select "AppHosting". The user can select a Web Server, App Server and DB Server. The instance type should also be specified along with the URL name and the Elasticity option; click Create to launch the application.

Select the "Resource Request" tab and select "SaaS".

Select the "Resource Request" tab and select "Volumes"; from "Volumes" click "List Volumes". The user can create volumes by selecting the Size, Available Zones and Volume Snapshot option. The user can also attach or detach a volume by clicking the volume's "Attach" and "Detach". The user can also create a snapshot of the created volumes.

3.4 Resource Info
Select the "Resource Info" tab and select "Service Status". The status of the cloud components can be viewed using "Service Status" from the "Resource Info" tab.
Select the "Resource Info" tab and select "Monitor". The user can monitor Resource, Instance and Application.
Select the "Resource Info" tab and use the option "Billing Info"; information for Infrastructure, Storage and Application can be viewed.

3.5 User Info
Select the "User Info" tab and click "User List" for the list of users registered in the cloud and users waiting for approval.
Select the "User Info" tab and click "Edit" for updating user information.
Select the "User Info" tab and click "Change Password" for updating the password.

3.6 Administration
The "Administration" tab has the options "Manage Contents", "Manage Elasticity" and "Manage Metering" for updating contents, elasticity configuration and metering for software and applications. For Elasticity configuration the admin can configure the Max and Min Threshold, Load Balancer IP and number of instances for Elasticity.
The "Administration" tab has the option "Manage Metering" for infrastructure and platform. For Infrastructure configuration the instance type, pulse rate and amount should be specified. For Platform configuration the Type, Component, pulse rate and amount should be specified.

Chapter 4 Troubleshooting

4.1 Meghdoot Log Files
  /var/www/cloudportallog/ - Portal
  /opt/eucalyptus/var/log/eucalyptus/cloud-error.log - Cloud Logs
  /usr/share/dbdump.log - Database Logs