Amazon EC2

Amazon supplies a prebuilt Helion Stackato Community AMI on its EC2 platform.

Important

The HPE Helion Stackato image on the Amazon EC2 platform is provided on the basis of the Bring Your Own License model: it is subject to the Software License Terms and requires a software license key.

  • Ensure that you have an Amazon Web Services account with sufficient credit to cover the hosting costs for your image.
  • Ask your administrator to add your Amazon account to your company's AWS account and then log into AWS.

To Create a Virtual Private Cloud

A cluster with multiple nodes must have a persistent internal IP address for the core Helion Stackato node. All the nodes in a cluster must be able to communicate with this internal MBUS IP address which must not change when the node reboots.

  1. On the Amazon Web Services page, in the Networking section, click VPC.

    Note

    Ensure that the region that appears in the upper right-hand corner of the page is the same as the one where you plan to deploy your Helion Stackato instance.

  2. On the VPC Dashboard, click Your VPCs.

  3. On the right panel, click Create VPC.

  4. On the Create VPC dialog box, enter a Name tag and a VPC CIDR block (in CIDR notation), and then click Yes, Create.

    Your VPC, route table, and default security group are created.

Create an Internet Gateway

  1. On the VPC Dashboard, in the Virtual Private Cloud section, click Internet Gateways.
  2. On the right panel, click Create Internet Gateway.
  3. On the Create Internet Gateway dialog box, enter a Name tag and click Yes, Create.
  4. On the right panel, click Attach to VPC.
  5. On the Attach to VPC dialog box, select the VPC that you have created earlier, and click Yes, Attach.

Add a Route to the Gateway

  1. On the VPC Dashboard, in the Virtual Private Cloud section, click Route Tables.
  2. On the right panel, click the name of your route table and, at the bottom of the right panel, click the Routes tab.
  3. On the Routes tab, click Edit and then click Add another route.
  4. Enter 0.0.0.0/0 into the Destination field, select the name of the gateway you have created earlier from the Target field, and click Save.

Create a Subnet

  1. On the VPC Dashboard, in the Virtual Private Cloud section, click Subnets.
  2. On the right panel, click Create Subnet.
  3. On the Create Subnet dialog box, enter a Name tag, select the VPC that you have created earlier, enter a CIDR block for the subnet, and then click Yes, Create.

Enable Auto-Assignment of Public IP Addresses

  1. On the VPC Dashboard, in the Virtual Private Cloud section, click Subnets.
  2. On the right panel, click the name of your subnet and then click Subnet Actions > Modify Auto-Assign Public IP.
  3. On the Modify Auto-Assign Public IP dialog box, click Enable auto-assign Public IP and then click Save.
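The VPC, subnet and later RDS steps each ask for a CIDR block, and the RDS subnet group later in this guide needs two further subnets in different Availability Zones. The following Python script is an added example (not part of the HPE documentation) that plans and validates such an address space before anything is clicked into the console; the VPC block, subnet blocks and AZ names in it are constructed sample values, and it goes beyond the steps above by covering the RDS subnets too.

```python
"""Plan and validate the VPC address space used by the steps above.

Added example; it is not part of the HPE Helion Stackato documentation.
It checks one subnet for the Helion Stackato nodes and, going beyond the
steps above, the two extra subnets in different Availability Zones that the
RDS subnet group later in this guide requires.  All CIDR blocks and AZ names
below are constructed sample values."""
import ipaddress
import itertools
from typing import Dict, List, Tuple

# Constructed plan: name -> (subnet CIDR, Availability Zone).
VPC_CIDR = "10.10.0.0/16"
SUBNET_PLAN: Dict[str, Tuple[str, str]] = {
    "stackato-nodes": ("10.10.1.0/24", "us-west-2a"),
    "rds-a":          ("10.10.2.0/24", "us-west-2a"),
    "rds-b":          ("10.10.3.0/24", "us-west-2b"),
}


def carve_subnets(vpc_cidr: str, prefix: int, count: int) -> List[str]:
    """Return the first `count` /prefix subnets of the VPC block, in order."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [str(n) for n in itertools.islice(vpc.subnets(new_prefix=prefix), count)]


def usable_hosts(cidr: str) -> int:
    """Hosts an EC2 subnet can actually hand out: AWS reserves the first four
    addresses and the last address of every subnet."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 5


def validate_plan(vpc_cidr: str, plan: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent.

    Checks that every subnet lies inside the VPC block, that no two subnets
    overlap, and that subnets named rds-* span at least two Availability Zones
    (a DB subnet group needs that)."""
    problems: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, (cidr, _az) in plan.items()}

    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({net}) is not inside VPC {vpc}")

    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")

    rds_azs = {az for name, (_cidr, az) in plan.items() if name.startswith("rds-")}
    if len(rds_azs) < 2:
        problems.append("subnets for the RDS subnet group must span at least two Availability Zones")
    return problems


if __name__ == "__main__":
    print("suggested /24 subnets:", carve_subnets(VPC_CIDR, 24, 3))
    for name, (cidr, az) in SUBNET_PLAN.items():
        print(f"{name:15} {cidr:16} {az:12} usable hosts: {usable_hosts(cidr)}")
    print("problems:", validate_plan(VPC_CIDR, SUBNET_PLAN) or "none")
```

Run it once with your own blocks before creating the VPC; a non-empty problem list means the console would either reject the subnet or you would end up with an RDS subnet group that cannot be created.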

To Configure Security Groups

It is a good practice to set up the smallest possible profile for the public gateway of a cluster while allowing the functional components inside the cluster to communicate freely on various required ports. You can add this functionality by creating two partially-overlapping security groups.

Note

For more information on how Helion Stackato uses ports, see the Helion Stackato port requirements.

  1. On the Amazon Web Services page, in the Networking section, click VPC.
  2. On the VPC Dashboard, in the Security section, click Security Groups.

Using the Default Security Group

When you create a new VPC, the default security group is created. This internal security group allows traffic to pass between all of its members.

Create a Public-Facing Security Group

  1. On the right panel, click Create Security Group.
  2. On the Create Security Group dialog box, enter a Name tag, a Group name, a Description, select the VPC that you have created earlier, and click Yes, Create.
  3. On the right panel, click the name of your security group and, at the bottom of the right panel, click the Inbound Rules tab.
  4. On the Inbound Rules tab, click Edit and then click Add another rule.
  5. From the Type drop-down box, select SSH, and enter 0.0.0.0/0 into the Source field.
  6. Repeat this action for HTTP and HTTPS, and click Save.

Create a Security Group for Windows DEA Nodes

Windows DEA nodes have the additional requirements of TCP and UDP access on port 3389 for initial configuration.

Important

After you configure your WinDEA node, make sure that you remove it from this security group. For more information, see the WinDEA documentation.

  1. On the right panel, click Create Security Group.
  2. On the Create Security Group dialog box, enter a Name tag, a Group name, a Description, select the VPC that you have created earlier, and click Yes, Create.
  3. On the right panel, click the name of your security group and, at the bottom of the right panel, click the Inbound Rules tab.
  4. On the Inbound Rules tab, click Edit and then click Add another rule.
  5. To enable RDP access, from the Type drop-down box select Custom TCP Rule, enter 3389 into the Port Range field, and enter 0.0.0.0/0 into the Source field.
  6. Repeat the step for Custom UDP Rule, and click Save.
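The three groups above form a deliberate layout: the default group carries all intra-cluster traffic, the public-facing group exposes only SSH, HTTP and HTTPS, and the Windows DEA group opens RDP only for initial configuration. The following Python audit is an added example (not part of the HPE documentation) that checks a set of groups and an instance-to-group membership map against that layout. The group data is a constructed sample in the shape returned by `aws ec2 describe-security-groups` (GroupId, IpPermissions, IpRanges/CidrIp), the instance map is constructed too, and the stray port 8080 rule is planted so the audit has something to find.

```python
"""Audit the two-tier security-group layout described above.

Added example, not from the HPE documentation.  The group and instance data
below is a constructed sample in the shape of `aws ec2 describe-security-groups`
output (GroupId, IpPermissions, IpRanges/CidrIp); the instance-to-group map
is constructed as well."""
from typing import Dict, List, Set, Tuple

ANYWHERE = "0.0.0.0/0"
# The public-facing group may expose only these to the Internet (SSH, HTTP, HTTPS).
PUBLIC_ALLOWED: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 80), ("tcp", 443)}
RDP_PORT = 3389


def _rule(proto: str, port: int, cidr: str = ANYWHERE) -> dict:
    """Build one IpPermissions entry (constructed sample data helper)."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}], "UserIdGroupPairs": []}


SECURITY_GROUPS = [
    # Default group: all traffic between its members, nothing from the Internet.
    {"GroupId": "sg-0default", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0default"}]}]},
    {"GroupId": "sg-0public", "GroupName": "stackato-public",
     "IpPermissions": [_rule("tcp", 22), _rule("tcp", 80), _rule("tcp", 443),
                       _rule("tcp", 8080)]},           # constructed stray rule
    {"GroupId": "sg-0windea", "GroupName": "stackato-windea",
     "IpPermissions": [_rule("tcp", RDP_PORT), _rule("udp", RDP_PORT)]},
]

# Constructed membership: instance name -> role, configuration state, group ids.
INSTANCES = {
    "core":   {"role": "core",    "configured": True, "groups": {"sg-0default", "sg-0public"}},
    "dea-1":  {"role": "linux",   "configured": True, "groups": {"sg-0default"}},
    "dea-2":  {"role": "linux",   "configured": True, "groups": {"sg-0default", "sg-0public"}},
    "windea": {"role": "windows", "configured": True, "groups": {"sg-0default", "sg-0windea"}},
}


def world_open_ports(group: dict) -> List[Tuple[str, object]]:
    """(protocol, port) pairs this group accepts from 0.0.0.0/0; -1 means all."""
    found: List[Tuple[str, object]] = []
    for perm in group["IpPermissions"]:
        if not any(r.get("CidrIp") == ANYWHERE for r in perm.get("IpRanges", [])):
            continue
        proto = perm["IpProtocol"]
        if proto == "-1":
            found.append((proto, "all"))
            continue
        found.extend((proto, p) for p in range(perm["FromPort"], perm["ToPort"] + 1))
    return found


def audit(groups: List[dict], instances: Dict[str, dict],
          default_id: str, public_id: str, windea_id: str) -> List[str]:
    """Return findings where the groups or the membership deviate from the layout
    above: public group limited to SSH/HTTP/HTTPS, internal groups closed to the
    Internet, only the core node public, Windows DEA nodes out of the RDP group
    once configured."""
    by_id = {g["GroupId"]: g for g in groups}
    findings: List[str] = []

    for proto, port in world_open_ports(by_id[public_id]):
        if (proto, port) not in PUBLIC_ALLOWED:
            findings.append(f"{public_id}: {proto}/{port} open to {ANYWHERE} is not SSH/HTTP/HTTPS")

    for gid, group in by_id.items():
        if gid in (public_id, windea_id):
            continue
        for proto, port in world_open_ports(group):
            findings.append(f"{gid}: internal group exposes {proto}/{port} to {ANYWHERE}")

    for proto, port in world_open_ports(by_id[windea_id]):
        if port != RDP_PORT:
            findings.append(f"{windea_id}: {proto}/{port} open to {ANYWHERE} is not RDP")

    for name, inst in instances.items():
        members = inst["groups"]
        if inst["role"] == "core":
            if not {default_id, public_id} <= members:
                findings.append(f"{name}: core node must be in both the default and the public group")
        elif public_id in members:
            findings.append(f"{name}: non-core node is in the public-facing group")
        if inst["role"] == "windows" and inst["configured"] and windea_id in members:
            findings.append(f"{name}: still in the RDP group after configuration; remove it")
    return findings


if __name__ == "__main__":
    for line in audit(SECURITY_GROUPS, INSTANCES, "sg-0default", "sg-0public", "sg-0windea"):
        print(line)
```

Against the constructed sample the audit reports the stray 8080 rule, the Linux node that was given the public group, and the Windows DEA node still sitting in the RDP group after configuration; run it against real `describe-security-groups` output after each change to the cluster's membership.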

To Deploy a Helion Stackato Instance

  1. On the Amazon Web Services page, in the Compute section, click EC2.
  2. On the EC2 Dashboard, in the Images section, click AMIs.
  3. On the right panel, select Public images from the drop-down list, enter Helion Stackato into the Filter field, press Enter, and click the HPE Helion Stackato row.
  4. Select the HPE Helion Stackato image and click Launch.

Choose an Instance Type

  1. On the Step 2: Choose an Instance Type page, select the virtual machine size. The following minimum instance types are recommended.

    t2.medium
      • 2 vCPUs
      • 4 GB
      • Elastic Block Store (EBS) only
      • Low to moderate network performance

    m3.medium
      • 1 vCPU
      • 3.75 GB
      • SSD
      • Moderate network performance

    m3.large
      • 2 vCPUs
      • 7.5 GB
      • SSD
      • Moderate network performance
  2. Click Next: Configure Instance Details.

Configure Instance Details

  1. On the Step 3: Configure Instance Details page, select the VPC that you have created earlier from the Network drop-down list.
  2. Click Next: Add Storage.

Add Storage

  1. On the Step 4: Add Storage page, enter 30 for the Size (GiB) field of the Root partition.

  2. From the Volume Type drop-down list, select General Purpose (SSD).

  3. Click Next: Tag Instance.

    Tip

    You can create a more robust instance by moving the Helion Stackato droplets and data services to an EC2 EBS (Elastic Block Store) volume.

Tag Instance

  1. On the Step 5: Tag Instance page, enter a descriptive title for your instance into the Value field.
  2. Click Next: Configure Security Group.

Configure Security Group

  1. On the Step 6: Configure Security Group page, click Select an existing security group.
  2. For your core instance, select the public-facing security group that you have created earlier as well as the default security group.
  3. For subsequent nodes:
    • For Linux nodes, select only the default security group.
    • For Windows DEA nodes, select only the default and Windows DEA security groups.
  4. Click Review and Launch.

Review Instance Launch

  1. On the Step 7: Review Instance Launch page, review the configuration of your instance.
  2. When you are satisfied with the settings, click Launch.
  3. On the Select an existing key pair or create a new key pair dialog box, select Proceed without a key pair from the first drop-down box.
  4. Click I acknowledge and then click Launch Instances.

To Configure a Helion Stackato Instance

Add an Elastic IP

An elastic IP address allocates a static external address to your cluster and exposes this address on the border router where the cluster is hosted. The router associates this address with a corresponding dynamic address local to your cluster. This address is leased over DHCP, together with the address of the local DNS server which keeps track of private addresses allocated by the DHCP server. Thus, each node in your cluster is aware of the private address of the core node, while outside traffic is aware of the public address.

  1. On the Amazon Web Services page, in the Compute section, click EC2.
  2. On the EC2 Dashboard, in the Network & Security section, click Elastic IPs.
  3. On the right panel, click Allocate New Address.
  4. On the Allocate New Address dialog box, click Yes, Allocate and then click Close.
  5. On the right panel, click your Elastic IP address and then click Actions > Associate Address.
  6. On the Associate Address dialog box, enter the name of the instance that you have created earlier into the Instance field and click Associate.

You can now ssh to the Elastic IP address of your instance using the stackato username and password.

Set the Hostname and DNS

To be able to access the web interface and applications that will be hosted on Helion Stackato, you must set the hostname on your public-facing node to a corresponding wildcard DNS record. You can use the xip.io or nip.io service to obtain wildcard DNS resolution for your Elastic IP address.

  1. ssh to your instance. For example:

    $ ssh stackato@203.0.113.0
    

    You will receive the following warning:

    WARNING: Your password is set to the default. Please update it.
    
  2. Rename the hostname. For example:

    $ kato node rename 203.0.113.0.xip.io
    

    At the end of the process, the address of the API endpoint is displayed. For example:

    Stackato Micro Cloud:-
      endpoint: api.203.0.113.0.xip.io
      mbusip: 127.0.0.1
      micro cloud: true
      eth0 IP: 198.0.2.0
    

You can now connect to the web console of your instance by entering the API endpoint into your browser.

Configure the First Administrator

  1. Enter the address of the web console of your instance into a web browser. For example:

    api.203.0.113.0.xip.io
    

    When you first connect to the web console, you will receive a warning about an untrusted connection. Add an exception for the provided certificate and proceed.

    Important

    For production systems, add a signed certificate and a real DNS record to your domain. You can publish the public-facing address of your domain name either using DNS or dynamic DNS. For example, a static DNS zone file for stackato-test on example.com would have the following entries (note the . that terminates the A record):

    stackato-test      IN  A       <Elastic-IP>.
    *.stackato-test    IN  CNAME   stackato-test
    

    For more information on DNS configuration, see DNS.

  2. On the Set Up First Admin User page, enter the Username, Email Address, and Password for the first administrator, the first organization Name and Space Name.

    Tip

    The password you specify for this account will also become the password for the stackato system user, removing the warning displayed after connecting to the instance using ssh.

  3. Review the Stackato Terms of use, click Yes, I agree, and click Set Up First Admin User.
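Two things in the hostname and DNS steps above are easy to get subtly wrong: the xip.io or nip.io name passed to `kato node rename` must encode the Elastic IP that was actually associated with the instance, and a production zone needs both the A record and the wildcard CNAME that points back at it. The following Python script is an added example (not part of the HPE documentation) that checks both; the zone fragment in it is a constructed sample, and 203.0.113.0 is the address used in the documentation's own examples.

```python
"""Sanity-check the DNS side of the hostname step and the zone-file note above.

Added example, not from the HPE documentation.  Two checks: that an xip.io or
nip.io endpoint name really encodes the Elastic IP the instance was given, and
that a zone fragment has an A record for the host plus a wildcard CNAME pointing
at it.  The zone text below is a constructed sample; 203.0.113.0 is the address
used in the documentation's own examples."""
import ipaddress
import re
from typing import List, Optional, Tuple

WILDCARD_DNS_SUFFIXES = ("xip.io", "nip.io")
# The last four dotted-decimal labels before the service suffix.
_EMBEDDED_IP = re.compile(r"(?:^|\.)((?:\d{1,3}\.){3}\d{1,3})$")

ZONE_FRAGMENT = """
; constructed sample: host record plus the wildcard that application URLs need
stackato-test      IN  A       203.0.113.0.
*.stackato-test    IN  CNAME   stackato-test
"""


def embedded_ip(hostname: str) -> Optional[str]:
    """Return the IPv4 address encoded in a name such as api.203.0.113.0.xip.io,
    or None when the name is not a wildcard-DNS-service name."""
    for suffix in WILDCARD_DNS_SUFFIXES:
        if hostname.lower().endswith("." + suffix):
            body = hostname[: -len(suffix) - 1]
            match = _EMBEDDED_IP.search(body)
            if match:
                try:
                    return str(ipaddress.IPv4Address(match.group(1)))
                except ipaddress.AddressValueError:
                    return None
    return None


def endpoint_matches_eip(endpoint: str, elastic_ip: str) -> bool:
    """True when the endpoint name given to `kato node rename` resolves to the Elastic IP."""
    return embedded_ip(endpoint) == str(ipaddress.IPv4Address(elastic_ip))


def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Parse simple 'name IN TYPE data' lines into (name, type, data).
    Comments (after ';') are dropped and a trailing dot on the data is stripped."""
    records = []
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()
        if len(parts) < 4 or parts[1].upper() != "IN":
            continue
        records.append((parts[0], parts[2].upper(), parts[3].rstrip(".")))
    return records


def check_zone(records: List[Tuple[str, str, str]], expected_ip: str) -> List[str]:
    """Problems with the zone: A records must carry the Elastic IP, and at least
    one wildcard CNAME must point at a name that has an A record here."""
    problems: List[str] = []
    a_records = {name: data for name, rtype, data in records if rtype == "A"}
    for name, data in a_records.items():
        try:
            if str(ipaddress.IPv4Address(data)) != expected_ip:
                problems.append(f"A record {name} points at {data}, expected {expected_ip}")
        except ipaddress.AddressValueError:
            problems.append(f"A record {name} has non-IPv4 data {data!r}")
    wildcards = [(n, d) for n, t, d in records if t == "CNAME" and n.startswith("*.")]
    if not wildcards:
        problems.append("no wildcard CNAME: application hostnames under the endpoint will not resolve")
    for name, target in wildcards:
        if target not in a_records:    # names are compared as written (relative or absolute)
            problems.append(f"{name} is a CNAME to {target}, which has no A record in this zone")
    return problems


if __name__ == "__main__":
    print(endpoint_matches_eip("api.203.0.113.0.xip.io", "203.0.113.0"))
    print(check_zone(parse_zone(ZONE_FRAGMENT), "203.0.113.0") or "zone fragment is consistent")
```

The zone parser is intentionally minimal (one record per line, `IN` class, no `$ORIGIN` handling); it is meant to catch a missing wildcard or an A record that still carries the old address, not to replace a zone validator.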

To Deploy a Helion Stackato Cluster

Create Non-Core Instances

You can add Helion Stackato instances to an existing VPC in a process similar to creating your core instance. For more information on configuring multi-node clusters, see Cluster Setup.

Configure the Core Node

  1. ssh to your core instance. For example:

    $ ssh stackato@203.0.113.0
    
  2. Set up the core node:

    $ kato node setup core
    
  3. Press y when prompted for an endpoint or enter a name for the endpoint.

  4. Enter your password when prompted.

    Helion Stackato disables all the roles that will be delegated to other nodes and configures itself to listen on the node's internal MBUS IP address. At the end of the process, the internal MBUS IP address and the assigned and available roles are displayed. For example:

    Stackato Cluster:-
      endpoint: api.203.0.113.0.xip.io
      mbusip: 198.0.2.24
      micro cloud: false
    Stackato Node [198.0.2.0]
      assigned roles : base,controller,primary,router
      available roles: base,mdns,primary,controller,router,dea,postgresql,mysql,rabbit,rabbit3,mongodb,redis,filesystem,harbor,memcached,load_balancer
    

    Tip

    Note the internal MBUS IP address. You will need it to configure your non-core nodes.

Configure the Non-Core Nodes

  1. On the Amazon Web Services page, in the Compute section, click EC2.

  2. On the EC2 Dashboard, in the Instances section, click Instances.

  3. On the right panel, click the name of your instance and note its Private IPs listed on its Description tab at the bottom.

  4. ssh to your core instance. For example:

    $ ssh stackato@203.0.113.0
    
  5. ssh to your non-core instance from the core instance. For example:

    $ ssh stackato@198.0.2.24
    

    Important

    There is no other way to access the non-core instances. When you ssh into non-core instances, use the stackato username and password. You can later simplify setup and maintenance operations by configuring passwordless SSH authentication between the core and non-core nodes.

Create Droplet Execution Agent (DEA) Nodes

  1. Create the required number of DEAs from the non-core node using the internal MBUS IP of the core node. For example:

    $ kato node attach -e dea 198.0.2.0
    

    Note

    The -e option enables the specified role on the node and disables all other roles. While kato node attach commands run on various cluster nodes, the web console may display Node Degraded! error messages. However, after the commands finish, you can view the operational cluster nodes by navigating to the Helion Stackato web console and clicking Admin > Cluster, or by running the kato node list and kato status commands after you ssh into your core node.

  2. Enter your password for the non-core node and core node when prompted.

Create a Data Service Node

data-services is a meta-tag that enables support for MySQL, PostgreSQL, MongoDB, RabbitMQ, Memcached, and the Filesystem service.

  1. Create a data service node from the non-core node using the internal MBUS IP of the core node. For example:

    $ kato node attach -e data-services 198.0.2.1
    
  2. Enter your password for the non-core node and core node when prompted.

Create a Windows DEA Node

  1. Create a security group which allows RDP access, or add a rule for port 3389 to an existing (internal) security group.
  2. Boot an instance of the Microsoft Windows Server 2012 R2 Base AMI within the RDP-enabled security group.
  3. Once the instance has booted, start a Remote Desktop session with the Windows Server instance and follow the steps in the Windows DEA Nodes section.

Configuring Additional Settings

Configuring an EC2 Elastic Load Balancer

To spread web traffic between two or more Helion Stackato Router nodes, you can set up Helion Stackato clusters behind an EC2 Elastic Load Balancer.

The load balancer must be part of a security group that allows HTTP and HTTPS access. If there are no other gateways into the Helion Stackato cluster, you must also allow access to an arbitrary external port between 1024 and 4999 that can be forwarded internally to port 22 for administrative ssh access.

Tip

When exposing ssh access, setting up passwordless SSH authentication is recommended.

For instructions on setting up certificates on router nodes, see Replacing the Default SSL Certificate and CA Certificate Chaining.

To Configure an EC2 EBS Volume

Helion Stackato stores its services data in the root filesystem. However, the following issues exist for a new EC2 instance:

  • the default set of disks is limited
  • the root volumes are limited in size
  • the disk mounted on /mnt is ephemeral
  • the size of the ephemeral disk varies by instance type

It is a good practice to check EC2 instances for disk use. In the following example, running the df -h command on a new, medium Helion Stackato instance shows that the root filesystem is already almost half-full:

$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7.9G  3.3G  4.3G  43% /
none                  3.7G  112K  3.7G   1% /dev
none                  3.8G     0  3.8G   0% /dev/shm
none                  3.8G   80K  3.8G   1% /var/run
none                  3.8G     0  3.8G   0% /var/lock
none                  3.8G     0  3.8G   0% /lib/init/rw
/dev/sdb              414G  199M  393G   1% /mnt

You can create a more robust instance by moving the Helion Stackato droplets and data services to an EC2 EBS (Elastic Block Store) volume.

Create an EBS Volume

  1. On the Amazon Web Services page, in the Compute section, click EC2.

  2. On the EC2 Dashboard, in the Elastic Block Store section, click Volumes.

  3. On the right panel, click Create Volume.

  4. On the Create Volume dialog box, select the Type and Size of the volume. Ensure that the Availability Zone matches the zone your instance is running in.

  5. When the State of the volume becomes Available, click the name of your volume on the right panel and then click Actions > Attach Volume.

  6. On the Attach Volume dialog box, enter the name of your Instance.

    Important

    To ensure that your instance is not already using the specified device name, you can use the mount or df command to view the devices already in use.

  7. Click Attach.

Create and Mount a Filesystem on the EBS Volume

  1. ssh to your core instance. For example:

    $ ssh stackato@203.0.113.0
    
  2. Run the sudo fdisk -l command to identify your device. In the following example, it is /dev/xvdf:

    Disk /dev/xvdf: 214.7 GB, 214748364800 bytes
    255 heads, 63 sectors/track, 26108 cylinders, total 419430400 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x00000000
    

    Note

    It is unnecessary to partition the device before building a filesystem on it.

  3. Run the sudo mkfs command to make a new filesystem on the device. For maximum compatibility, specify the filesystem type that matches your root partition. In the following example, it is ext3:

    $ sudo mkfs -t ext3 /dev/xvdf
    mke2fs 1.42 (29-Nov-2011)
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    13107200 inodes, 52428800 blocks
    2621440 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=4294967296
    1600 block groups
    32768 blocks per group, 32768 fragments per group
    8192 inodes per group
    Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872
    
    Allocating group tables: done
    Writing inode tables: done
    Creating journal (32768 blocks): done
    Writing superblocks and filesystem accounting information: done
    
  4. Create a directory to serve as the mount point. For example:

    $ sudo mkdir /mnt/ebs
    
  5. Make the stackato user the owner of the directory and give the user read and write permissions. For example:

    $ sudo chown stackato /mnt/ebs
    $ sudo chmod +rw /mnt/ebs
    
  6. Add the directory to /etc/fstab. In the following example, the directory is configured on the last line:

    # file system           mount point     type    options                                  dump   fsck order
    LABEL=cloudimg-rootfs   /               ext4    defaults                                 0      0
    /dev/xvdb               /mnt            auto    defaults,nobootwait,comment=cloudconfig  0      2
    /dev/xvdf               /mnt/ebs        auto    defaults                                 0      0
    

    Tip

    For detailed instructions on the fstab file, see its manpage.
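The disk-use check earlier in this section and the Important note about making sure the device name is not already in use are both things worth scripting before the fstab entry is written. The following Python script is an added example (not part of the HPE documentation) that parses `df -h` output to flag filesystems near capacity and list devices in use, then checks a proposed fstab entry against the mounted devices and the existing fstab. The `df` and fstab text embedded in it is the documentation's own sample output from this section, used here as test input; the `/dev/sdX` to `/dev/xvdX` equivalence it assumes is how Xen-based EC2 instances expose the console's device names.

```python
"""Check disk layout before attaching and mounting an EBS volume.

Added example, not from the HPE documentation.  It parses `df -h` output to
report filesystems near capacity and the devices already in use (the point of
the "check EC2 instances for disk use" paragraph above), then checks a proposed
/etc/fstab entry against the mounted devices and the existing fstab so the new
volume does not reuse a device name or mount point.  DF_OUTPUT and FSTAB below
are the documentation's own sample output, embedded here as test input."""
from typing import List, NamedTuple, Tuple

DF_OUTPUT = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7.9G  3.3G  4.3G  43% /
none                  3.7G  112K  3.7G   1% /dev
none                  3.8G     0  3.8G   0% /dev/shm
none                  3.8G   80K  3.8G   1% /var/run
none                  3.8G     0  3.8G   0% /var/lock
none                  3.8G     0  3.8G   0% /lib/init/rw
/dev/sdb              414G  199M  393G   1% /mnt
"""

FSTAB = """\
# file system           mount point     type    options                                  dump   fsck order
LABEL=cloudimg-rootfs   /               ext4    defaults                                 0      0
/dev/xvdb               /mnt            auto    defaults,nobootwait,comment=cloudconfig  0      2
"""


class Mount(NamedTuple):
    device: str
    size: str
    used: str
    avail: str
    use_pct: int
    mountpoint: str


def canonical(device: str) -> str:
    """Xen-based EC2 instances expose the console's /dev/sdX as /dev/xvdX;
    treat both spellings as the same device."""
    return "/dev/xvd" + device[len("/dev/sd"):] if device.startswith("/dev/sd") else device


def parse_df(text: str) -> List[Mount]:
    """Parse `df -h` output (header line skipped) into Mount records."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Filesystem":
            continue
        mounts.append(Mount(parts[0], parts[1], parts[2], parts[3],
                            int(parts[4].rstrip("%")), parts[5]))
    return mounts


def nearly_full(mounts: List[Mount], threshold_pct: int = 40) -> List[Mount]:
    """Real block devices at or above the usage threshold ('none' pseudo-filesystems ignored)."""
    return [m for m in mounts if m.device.startswith("/dev/") and m.use_pct >= threshold_pct]


def parse_fstab(text: str) -> List[Tuple[str, str]]:
    """(device, mount point) pairs from fstab text; comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4:
            entries.append((parts[0], parts[1]))
    return entries


def check_new_entry(device: str, mountpoint: str,
                    mounts: List[Mount], fstab: List[Tuple[str, str]]) -> List[str]:
    """Problems with adding `device mountpoint` to fstab: the device or the mount
    point is already mounted, or already present in fstab."""
    problems: List[str] = []
    dev = canonical(device)
    for m in mounts:
        if canonical(m.device) == dev:
            problems.append(f"{device} is already mounted on {m.mountpoint}")
        if m.mountpoint == mountpoint:
            problems.append(f"{mountpoint} already has {m.device} mounted on it")
    for fdev, fmp in fstab:
        if canonical(fdev) == dev:
            problems.append(f"{device} already appears in fstab (mounted on {fmp})")
        if fmp == mountpoint:
            problems.append(f"{mountpoint} already appears in fstab (device {fdev})")
    return problems


if __name__ == "__main__":
    mounts = parse_df(DF_OUTPUT)
    for m in nearly_full(mounts):
        print(f"{m.mountpoint} on {m.device} is {m.use_pct}% full")
    print(check_new_entry("/dev/xvdf", "/mnt/ebs", mounts, parse_fstab(FSTAB)) or "new entry is safe")
```

On the documentation's sample data the script reports the root filesystem at 43% and accepts `/dev/xvdf` on `/mnt/ebs`, while a proposed `/dev/sdb` is rejected because it is already mounted on /mnt and already listed in fstab as /dev/xvdb.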

  7. Mount the EBS volume. For example:

    $ sudo mount /dev/xvdf /mnt/ebs
    

    Tip

    For instructions on mounting volumes with quotas enabled, see Enabling Filesystem Quotas.

Move Your Data to the EBS Volume

For more information, see Relocating Services, Droplets, and Containers.

Preparing to Add a Relational Database Service (RDS) Instance as an External Service

You can create an RDS instance and use the Universal Service Broker to add the RDS instance as an external service to Helion Stackato.

To Prepare VPC Networking for your RDS Instance

To ensure that your RDS instance can correctly communicate with Helion Stackato, you must place your EC2 instance and RDS instance in different subnets within the same VPC.

  1. Create two additional subnets on the VPC that you have created earlier.

    Important

    The two subnets must be in different availability zones.

  2. On the Amazon Web Services page, in the Database section, click RDS.

  3. On the RDS Dashboard, click Subnet Groups.

  4. On the right panel, click Create DB Subnet Group.

  5. On the Create DB Subnet Group page, enter a Name and a Description for the subnet group and select the VPC that you have created earlier.

  6. Click add all the subnets to add all of the subnets from your VPC to your subnet group, and then click Create.

To Enable Contained Database Authentication for an MSSQL-Compatible RDS Instance

If you want to create an MSSQL-compatible RDS instance, you must enable contained database authentication by creating and configuring a parameter group that you will specify when creating your RDS instance.

  1. On the RDS Dashboard, click Parameter Groups.
  2. On the right panel, click Create Parameter Group.
  3. Select a Parameter Group Family that matches your RDS instance (for example, sqlserver-ex-12.0), enter a Group Name and Description, and click Create.
  4. Click the name of your parameter group and then click Edit Parameters.
  5. Enter authentication into the Filter field and press Enter.
  6. Next to contained database authentication, under Edit Values, select 1 and click Save Changes.

Note

To allow this setting to take effect on an existing RDS instance, right-click the instance and then click Reboot.

To Create an RDS Instance (SQL Server Express)

In the following example, a SQL Server Express RDS instance is created. You can install any number of additional RDS instances using a similar process. To see a list of available drivers, run the usbc drivers command.

  1. On the Amazon Web Services page, in the Database section, click RDS.

    Note

    Ensure that the region that appears in the upper right-hand corner of the page is the same as the one where you plan to deploy your Helion Stackato instance.

  2. On the RDS Dashboard, click Instances.

  3. On the right panel, click Launch DB Instance.

  4. On the Select Engine panel, click the tab of a database engine (for example, Microsoft SQL Server), and then click Select next to one of its flavors (for example, SQL Server Express).

  5. On the Specify DB Details panel, in the Instance Specifications section select a License Model, the DB Engine Version, the DB Instance Class, the Storage Type, and enter the amount of Allocated Storage.

  6. In the Settings section, enter a unique DB Instance Identifier, the Master Username, and the Master Password.

    Tip

    Note these settings. You will need them to install your RDS instance as an external service using the Universal Service Broker.

  7. On the Configure Advanced Settings panel, in the Network and Security section, select the following parameters:

  8. Click Launch DB Instance.

To Expose the RDS Instance as a Service

Once the RDS instance has been created, expose it as a service to system users with the usbc utility. See the Universal Service Broker documentation for instructions.