I decided the time had come to step down from the administrative role and take a look at the life of a normal user of our cloud. A user can apply to receive an account through the cloud web interface (Homer's IP:8443), after which an administrator can approve the account through the same interface.
I experienced no trouble downloading my user credentials and accessing the cloud. The view of the cloud from a regular user is a bit different, with all information about the available resources within the cloud hidden, as well as any information about the instances, volumes, etc. of other users. I was able to create my own instance without issue, create and attach a volume, create a snapshot of a volume, and perform any other task without incident.
This did, however, highlight a problem that we are all too aware of: our cloud runs in its own disconnected network, with Homer as the only point of access to the rest of the world. This means that once an instance has been started, there is no way to actually connect to it from outside of the private cloud network. Our interim solution has been to ssh into Homer and connect to the other machines and running instances from there. This works for us as administrators, but is a poor solution for general use. It also does not allow us to easily access other services running on an instance, for example, a web server.
To solve this problem, I decided to set up a VPN server on Homer to allow us to join the private cloud network from the outside, freely accessing any instance and viewing web pages served from them right from our browser. I installed OpenVPN server on Homer. Installation and configuration was straightforward and quick. Since our firewall on Homer was already disabled, the only system configuration I needed to perform was to enable NAT for the internal network Ethernet card (eth1).
Keys and certificates must be generated for each user of the VPN, using the easy-rsa tools with OpenVPN on the server. The user requires the OpenVPN client, the aforementioned certificate and key files, and a config file that contains some basic information (IP address of server, location of key/certificate files). A script to quickly build all of this for a new user could easily be written.
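As an added example of the per-user script mentioned above (this is not code from the original post), the following POSIX shell function assembles a single-file OpenVPN client config once easy-rsa has issued the user's certificate. It assumes easy-rsa's default `pki/` layout (`pki/ca.crt`, `pki/issued/<user>.crt`, `pki/private/<user>.key`), that the server listens on UDP 1194, and that the server address is passed in; all of these are assumptions, not details from the post. Inlining the CA certificate, user certificate and key means the user receives one file instead of four, and the username is checked before it is used as a path component so a stray `../` cannot pull in someone else's key.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a per-user OpenVPN client
# bundle from an easy-rsa PKI directory. Layout, port and server address are
# assumptions; adjust to your deployment.

# build_client_config USER PKI_DIR SERVER_HOST OUT_FILE
# Returns 0 and writes OUT_FILE on success, 1 if the username is unsafe or any
# of the three PEM files is missing/unreadable.
build_client_config() {
    user=$1; pki=$2; server=$3; out=$4

    # Only allow a conservative username charset: it becomes a filename below.
    case "$user" in
        ''|*[!A-Za-z0-9_.-]*) echo "refusing unsafe username: '$user'" >&2; return 1 ;;
    esac

    ca="$pki/ca.crt"
    crt="$pki/issued/$user.crt"
    key="$pki/private/$user.key"
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # Single-file profile: client options followed by inline PEM blocks.
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$server"
        printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
        # remote-cert-tls server: only accept a peer whose cert carries the
        # server role, so a stolen client cert cannot impersonate Homer.
        printf 'remote-cert-tls server\nverb 3\n'
        printf '<ca>\n';   cat "$ca";  printf '</ca>\n'
        printf '<cert>\n'; cat "$crt"; printf '</cert>\n'
        printf '<key>\n';  cat "$key"; printf '</key>\n'
    } > "$out" || return 1

    # The private key is inside; keep the bundle owner-readable only.
    chmod 600 "$out"
}

# Usage: ./mkclient.sh alice /etc/openvpn/easy-rsa/pki homer.example.org alice.ovpn
if [ "$#" -eq 4 ]; then
    build_client_config "$@"
fi
```

The script assumes the certificate was already issued on the server with easy-rsa (for example `easyrsa build-client-full alice nopass`); it does not call easy-rsa itself. The resulting `.ovpn` is enough for `openvpn --config alice.ovpn` on the client side.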
I was able to run the client and connect to Homer's VPN server without difficulty, and everything operates as expected. This seems to be a workable solution for general access to the cloud, and it doesn't seem unreasonable to require that students use VPN, should a cloud be deployed for academic use.
Adios amigos,
Mike
1 comment:
That was really useful. No more ssh through homer!! :]