[PCA 2.x] How to Create Service Virtual Machines by using Internal Networks
(Doc ID 2017593.1)
Last updated on AUGUST 28, 2022
Applies to:
Private Cloud Appliance - Version 1.0.1 and later
Private Cloud Appliance X8-2 - Version All Versions and later
Linux x86-64
Goal
The Private Cloud Appliance (PCA) uses servers that sit exclusively on networks internal to the appliance rack. By default, only the management nodes and the virtual machines have access to the datacenter network. This design isolates the internal components and improves security, but it complicates monitoring, administering, and backing up the appliance contents. The management nodes are on the public datacenter network and can be used as bastion hosts for those purposes; however, that gives only command-line access, not a browser or GUI, and anything more would require tunnelling or installing extra management software on the management nodes, with possible side effects, and reinstalling it every time the appliance is upgraded. A flexible alternative is to deploy 'service virtual machines', also called appliance or utility virtual machines, for administrative functions. A more straightforward and effective method would be to use SSH tunnels, which do not require changing PCA
Virtual machines are on the public datacenter network and, as described in this note, can also be attached to the internal networks. That lets them serve as administrative appliances with concurrent access to the external networks and to the servers on the PCA internal networks, adding function without putting new software on the management nodes. They can also be backed up and copied to other PCA environments. Such a VM can host customer-selected management software, provide browser access to the ZFS appliance GUI and to the compute node ILOMs, and mount the NFS exports of the Oracle VM repository.
Appliance VM Use Cases
- GUI access to services within the appliance rack, such as browser interface to ZFS appliance for DTrace analytics, or ILOM access via browser or Java console redirection. Note that this could also be addressed by SSH tunnelling.
- Use for custom or third-party software for monitoring or management. This avoids having to add such software to the management nodes, which could compromise operation and would have to be re-installed whenever the PCA is upgraded and re-imaged.
- For portable tools and configurations in a VM that can be transported from one PCA to another.
Example appliance VM applications
- Install Oracle Secure Global Desktop (SGD) or a VNC server for public network access by administrators.
- Install SNMP-based monitoring tools.
- Install Oracle Enterprise Manager.
- Browse to DTrace analytics on the internal ZFS appliance. If this is the only use case, it is simpler to use SSH tunneling: from a terminal window "ssh -L2001:192.168.4.1:215 -l root $PCAVIP" where $PCAVIP is the PCA's management virtual IP address, and then use your browser to connect to https://localhost:2001
- Set up monitoring jobs using cron, sendmail, etc
- Mount NFS exports of the Oracle VM Repositories for backing their contents up to external storage.
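The SSH tunnel to the ZFS appliance BUI described above, wrapped in a small script as an added example (this is not code from the Oracle note). It uses the note's own values: $PCAVIP as the management VIP, 192.168.4.1:215 as the ZFS BUI, and local port 2001. It adds what the one-liner leaves out: the listener is bound explicitly to 127.0.0.1, ssh is told to fail if the forward cannot be set up rather than silently running without it, and a control socket is used so the background tunnel can be closed cleanly. The function and control-socket names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the Oracle note. Assumes $PCAVIP is the PCA
# management VIP and that the ZFS appliance BUI is at 192.168.4.1:215 on
# the internal network, as stated in the note.
set -eu

ZFS_BUI_HOST="192.168.4.1"
ZFS_BUI_PORT="215"
CTL_SOCK="${HOME:-/tmp}/.ssh/pca-tunnel.sock"   # control socket path (example's choice)

# Build the -L argument. Binding to 127.0.0.1 explicitly keeps the
# forwarded BUI unreachable from other hosts even if the client config
# sets GatewayPorts.
forward_spec() {
    # $1 local port, $2 remote host, $3 remote port
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# Only accept an unprivileged, numeric local port.
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Open the tunnel in the background:
#   -N  run no remote command, just the forward
#   -f  go to the background after authentication
#   -o ExitOnForwardFailure=yes  exit non-zero if the local port is taken
#   -M -S  keep a control socket so close_tunnel can stop it later
open_tunnel() {
    # $1 PCA management VIP, $2 local port
    valid_local_port "$2" || { echo "bad local port: $2" >&2; return 1; }
    ssh -f -N -M -S "$CTL_SOCK" \
        -o ExitOnForwardFailure=yes \
        -L "$(forward_spec "$2" "$ZFS_BUI_HOST" "$ZFS_BUI_PORT")" \
        -l root "$1"
}

# Ask the background ssh to exit via its control socket.
close_tunnel() {
    # $1 PCA management VIP
    ssh -S "$CTL_SOCK" -O exit -l root "$1"
}

main() {
    port="${1:-2001}"
    open_tunnel "$PCAVIP" "$port"
    echo "ZFS BUI reachable at https://localhost:$port"
    echo "Run: close_tunnel $PCAVIP   (or: ssh -S $CTL_SOCK -O exit root@$PCAVIP) to stop it"
}

# Only act when a VIP is supplied; sourcing the file just defines the functions.
if [ -n "${PCAVIP:-}" ]; then
    main "$@"
fi
```

Usage: `PCAVIP=<management VIP> sh pca-tunnel.sh` opens the tunnel, after which the browser can be pointed at https://localhost:2001 exactly as in the note; `close_tunnel` (or the `ssh -O exit` command it prints) tears it down. Because the BUI uses the appliance's own certificate, the browser will warn about the hostname mismatch on localhost; that is expected for this tunnel.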
This method is not needed for command-line access to the management nodes, compute nodes, or other components; for that, the administrator can log in to a management node, which is always available as a bastion host. Nonetheless, utility VMs can be useful even for tasks that could technically be done on the management node, because they provide the functionality without adding work and user accounts to the management nodes. NOTE: Contact Oracle if you are not sure whether your use case is safe in this environment.
Solution
In this Document
Goal
Appliance VM Use Cases
Example appliance VM applications
Solution
Overall steps
Rules, Notes and Restrictions
Detailed Steps
References