CHPC Cloud Resources

Best Practices

  • Spin up a VM instance that corresponds to your needs, so that cloud compute resources are managed properly.
  • Always start using a virtual machine/instance by applying the latest security updates.
  • When the instance is terminated or unavailable, any data stored inside it is unavailable or lost.
  • Pull data you need immediate access to into your VM’s local storage. If your workflow needs a large reference dataset.
  • Terminate your VM and, subsequently, the local storage.
  • When editing the security group associated with your virtual machines/instances, only allow access from trusted IP addresses.
  • If you DO have to allow SSH access to your publicly accessible instances from 0.0.0.0/0 (entire Internet), make sure that only SSH key-based authentication is allowed by editing SSH's config file and restarting the ssh service afterwards:

Edit the file /etc/ssh/sshd_config using a text editor such as vim or nano, and set:

      PasswordAuthentication no
      ChallengeResponseAuthentication no

And then, restart the sshd service: systemctl restart sshd.service
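sshd uses the first value it reads for each keyword, so a file pulled in by an Include line earlier in sshd_config can keep password logins enabled even after the edit above. The following check is an added example, not part of the original page or CHPC tooling: it reads the effective configuration printed by `sshd -T` and reports any setting that still permits non-key logins. The function names and sample lines are constructed; newer OpenSSH releases report ChallengeResponseAuthentication as kbdinteractiveauthentication, so both names are checked.

```bash
#!/usr/bin/env bash
# Added example (assumption: input is the output of `sshd -T`, run as root).

# Reads `sshd -T` output on stdin, prints every setting that still permits
# non-key logins, and returns 0 only when none is found.
check_ssh_key_only() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" { seen = 1 }
        key == "passwordauthentication" || key == "kbdinteractiveauthentication" || key == "challengeresponseauthentication" {
            if (val != "no") bad = bad key " " val "\n"
        }
        key == "pubkeyauthentication" && val != "yes" { bad = bad key " " val "\n" }
        END {
            if (!seen) bad = bad "passwordauthentication not reported\n"
            printf "%s", bad
            exit (bad == "" ? 0 : 1)
        }'
}

# Constructed samples of `sshd -T` output, trimmed to the relevant lines.
sample_hardened() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no'
}
# Case where an earlier included file still says "PasswordAuthentication yes".
sample_overridden() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'kbdinteractiveauthentication no'
}

sample_hardened   | check_ssh_key_only && echo "hardened sample: key-only"
sample_overridden | check_ssh_key_only || echo "overridden sample: password logins still enabled"
# On a real instance: sudo sshd -T | check_ssh_key_only
```

Run the check after restarting sshd and before opening the security group to 0.0.0.0/0.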

  • Do not share SSH keys or other credentials.
  • Terminate/delete unused resources (instances, volumes, snapshots).
  • Do not snapshot instances containing credentials and then share them with other users.
  • Do not copy or create large data sets on a virtual machine that you plan to snapshot later, because it will increase the snapshot size and take longer to start instances from it later, as well as taking more storage space.
  • Clean up confidential data (e.g. ssh keys, any saved credentials, bash history) before taking a snapshot of an instance, in case you will want to share that instance with other users later.
  • If planning to later snapshot an instance, use the SMALLEST possible flavor type that will allow you to install your applications, because you cannot start an instance of a smaller size than the original size used when the snapshot was taken.
  • The snapshot only captures and stores the contents of the root disk (/dev/sda), so do not store data or install applications on attached volumes if you need them to be part of the snapshot.
  • Do not use or upload OpenStack images from untrusted sources.
  • Do not install software from untrusted sources.
  • Associate a floating IP only with a single instance and SSH into it before using SSH to connect to your other instances. In this way, you limit your security exposure.
  • Make use of cloud utilities for automating provisioning steps. Cloud-init is a package pre-installed in most modern Linux distributions that allows (among other things) execution of a script upon the initial boot of the instance. More information about using cloud-init and useful examples are available at https://cloudinit.readthedocs.io/en/latest/
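For the pre-snapshot clean-up of SSH keys, saved credentials and shell history advised in the list above, the following report-only audit is an added example, not part of the original page or CHPC tooling. The file-name list (including the OpenStack clouds.yaml and *-openrc.sh names), the 64k size limit and the function names are assumptions to extend for your own tools; the sample tree is constructed.

```bash
#!/usr/bin/env bash
# Added example: list files that usually hold secrets, so they can be
# reviewed and removed before an instance is snapshotted. Nothing is deleted.

# snapshot_audit [ROOT]  (ROOT defaults to /; stays on one filesystem)
snapshot_audit() {
    {
        # 1. Well-known names: shell history, SSH keys, saved credentials.
        find "${1:-/}" -xdev -type f \( \
               -name '.*_history' -o -name 'authorized_keys' \
            -o -name 'id_rsa' -o -name 'id_ecdsa' -o -name 'id_ed25519' \
            -o -name '.netrc' -o -name '.git-credentials' \
            -o -name 'clouds.yaml' -o -name '*-openrc.sh' \) -print
        # 2. Any small file with a PEM private-key header, whatever its name.
        find "${1:-/}" -xdev -type f -size -64k \
            -exec grep -l -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' {} +
    } 2>/dev/null | LC_ALL=C sort -u
}

# Builds a constructed sample tree and prints its path (for trying the audit).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/u/.ssh" "$d/home/u/backup" "$d/home/u/data" || return 1
    : > "$d/home/u/.bash_history"
    : > "$d/home/u/.ssh/authorized_keys"
    : > "$d/home/u/.ssh/id_ed25519"
    : > "$d/home/u/.ssh/id_ed25519.pub"          # public key: not reported
    : > "$d/home/u/data/results.csv"             # ordinary data: not reported
    # Header line only, no key material; renamed key caught by content.
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$d/home/u/backup/deploy.key"
    printf '%s\n' "$d"
}

# Example: snapshot_audit "$(make_sample_tree)"
# On an instance about to be snapshotted: sudo bash -c '. ./audit.sh; snapshot_audit /'
```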

Acceptable User Policy (AUP)

The cloud project account will be created and login credentials provided as soon as the registration on the Cloud Database has been approved. To register for cloud resources, please follow the link https://openstackusers.nicis.ac.za/

An initial VM user account will be set up with sudo privileges.

User accounts / usernames are set up using the standard CHPC user account creation policy: a username consists of the first letter of your name and your surname/last name.

By default, projects have limited resources as specified below, unless a request for more resources has been submitted and approved:

  • Total storage = 400G
  • CPU = 16
  • Memory = 32G

The initial computing resources are determined by the selected resource flavor. Each project is allowed a maximum of 400GB of storage by default.

 The storage options are Ceph and local storage. The local storage comes with/is derived from the selected
 flavor when launching a virtual machine (VM). The Ceph storage comes from creating a separate volume attachable
 to your VM.
 **Note : Ceph = 400GB - local storage**

Should more resources be required when the project has reached the usage limit, project owners should apply for a resource top-up by uploading their motivation to the cloud database for a series of approvals.

Users should please note: the allocation of more resources is subject to resource availability and thus not guaranteed.

VM snapshots are provided on request.

For security reasons, as passwords are subject to compromise, please add/use SSH keys. For adding SSH keys to your VM, follow the getting started

For paying customers/users, the invoices for the previous calendar month are sent on the 5th of every month. If no invoice is received on the 5th, please email CHPC on helpdesk@chpc.ac.za

CHPC does not provide Windows licences; users requesting Windows images should produce/provide their own Windows licence.

To minimize/prevent data loss, CHPC has implemented Ceph storage running on the CHPC production cloud that is set up to keep 3 replicas of each set of data on each storage node.

/app/dokuwiki/data/pages/guide/cloud/practices.txt · Last modified: 2022/01/21 12:19 by zmtshali