Bamboozle is an ISO 27001-certified, environmental friendly cloud service provider. The company, which was established in 2015 and is run by its founders, offers premium cloud services with a focus on simplicity, efficiency and price/performance for all kinds of companies.

Find the documentation for our products and services below:

Only the x64 architecture is supported.

Windows

* CPU hot plug does not work properly due to a Windows bug with a wrongly installed driver.

Linux

You can change amount of CPU and RAM resources used by a virtual machine by applying another flavor to it. To be able to resize a running VM, you need to enable CPU and RAM hot plug for it first. You can change the hot plug settings for both new and existing VMs.

A running virtual machine has a resize limit, which defines the maximum number of vCPUs and the maximum amount of RAM you can allocate to the VM. The resize limit on vCPUs is static and equal to 64 for all VMs. The resize limit on RAM, on the contrary, is dynamic and depends on the amount of RAM a running VM is currently using. This limit is updated on a VM startup, and its values are listed in the table below.

For example, you can resize a running VM with a flavor that has 16 GiB to a flavor with 256 GiB in two iterations:

1. Resize the VM to a flavor with 64 GiB.

2. Restart the VM to update the RAM size limit.

3. Resize the VM to a flavor with 256 GiB.

Limitations

• You cannot change the flavor for shelved VMs. To resize such a VM, unshelve it first.

• You cannot decrease the number of CPUs and the amount of RAM for running VMs.

• [For all Linux guests] If a VM has no guest tools installed, new cores may be offline after CPU hot plugging

Prerequisites

• Before changing a flavor, ensure that the node hosting the VM has at least as much free CPU and RAM resources as the new VM size. For example, to resize a VM to the large flavor, the host must have at least 4 vCPUs and 8 GiB of RAM free.

• CPU and RAM hot plug is enabled by the system administrator.

• Before resizing a running VM, ensure that the guest operating system supports CPU and RAM hot plug (refer to Supported guest operating systems). Note that otherwise the guest operating system may become unstable after a resize. To increase CPU or RAM resources for such a guest operating system, you need to stop the virtual machine first.

• Before resizing a running VM, ensure that the guest operating system has the latest updates installed.

To enable or disable CPU and RAM hot plug for a virtual machine

1. On the Virtual machines screen, ensure that the required virtual machine in the "Shut down" state, and then click it.

2. On the Overview tab, click the pencil icon in the CPU and RAM hot plug field.

   If you do not see this field, CPU and RAM hot plug is disabled in your project. To enable it, contact your system administrator.

3. Select or clear the Enable hot plug check box, and then click the tick icon to save the changes.

With CPU and RAM hot plug enabled, you can change the flavor of a running VM.

To change the virtual machine flavor

1. On the Virtual machines screen, click the required virtual machine.

2. On the Overview tab, click the pencil icon in the Flavor field.

3. In the Flavor window, select a new flavor, and then click Done.

Once you create a virtual machine, you can manage its CPU and RAM resources, as well as network interfaces and volumes.

Prerequisites

• Virtual machines are created, as described in Creating virtual machines.

Changing virtual machine resources

Configuring network interfaces of virtual machines

Configuring virtual machine volumes

Managing virtual machines

Each virtual machine (VM) is an independent system with an independent set of virtual hardware. Its main features are the following:

• A virtual machine resembles and works like a regular computer. It has its own virtual hardware. Software applications can run in virtual machines without any modifications or adjustment.

• Virtual machine configuration can be changed easily, for example, by adding new virtual disks or memory.

• Although virtual machines share physical hardware resources, they are fully isolated from each other (file system, processes, sysctl variables) and the compute node.

• A virtual machine can run any supported guest operating system.

The following table lists the current virtual machine configuration limits:

Supported guest operating systems

Creating virtual machines

Connecting to virtual machines

Managing virtual machine power state

Attaching ISO images to virtual machines

Reconfiguring virtual machines

Monitoring virtual machines

Shelving virtual machines

Rescuing virtual machines

Managing guest tools

Troubleshooting virtual machines

Deleting virtual machines

Prerequisites

• Virtual machines are created, as described in Creating virtual machines.

• To be able to connect via SSH, the virtual machine must have cloud-init and OpenSSH installed.

To connect to a virtual machine via the VNC console

Select a VM, and then click Console on its right pane. The console will open in a separate browser window. In the console, you can send a key combination to a VM, take a screenshot of the console window, and download the console log (refer to Troubleshooting virtual machines).

To connect to a virtual machine via SSH

During the launch an instance, a default user will be created, and this user will have no password set. Instead, your SSH key is copied to the VM and you will be able to login to the machine via SSH using the default username. The default username varies between Operating Systems. Here are the usernames for our official distributions:

Specify the username and VM IP or Elastic IP address in the SSH terminal:

# ssh <username>@<VM_IP_address>

Linux cloud images have the default login, depending on the operating system, for example, centos or ubuntu. To connect to a Windows VM, enter the username that you specified during Cloudbase-Init installation.

If you have deployed a VM without specifying an SSH key, you also need to enter a password to log in to the VM.

Prerequisites

• Virtual machines are created, as described in Creating virtual machines.

To manage the power state of a virtual machine

Click the virtual machine or the ellipsis button next to it to see the full list of actions available for the current state.

• To power up a VM, click Run.

• To gracefully shut down a running VM, click Shut down. The default shutdown timeout, after which a virtual machine will be powered off, is 10 minutes.

• To forcibly cut off power from a VM, click Power off.

• To softly reboot a running VM, click Reboot.

• To reboot a VM without the guest OS graceful shutdown, click Hard reboot.

• To save the current VM state to a file, click Suspend. This may prove useful, for example, if you need to restart the host but do not want to quit the applications currently running in the VM or restart its guest OS.

• To restore a VM from the suspended state, click Resume.

You can add new volumes to your virtual machines, attach existing volumes, and detach unneeded volumes from virtual machines.

Limitations

• You cannot change, detach, or delete the boot volume.

• You can only attach and detach non-boot volumes.

• You cannot manage volumes of shelved VMs.

Prerequisites

• To be able to use volumes attached to VMs, they must be initialized inside the guest OS by standard means.

To attach a volume to a virtual machine

1. On the Virtual machines screen, click the required virtual machine.

2. On the Overview tab, click the pencil icon in the Disks field.

3. In the Volumes window:

   • Click Attach to attach an existing volume, and then select the volume in the Attach volume window.

   • Click Add to create a new volume, and then specify the volume name, size, and storage policy. The created volume will be automatically added to the VM disks.

4. Click Done to finish editing VM disks and save your changes.

To detach a volume from a virtual machine

1. On the Virtual machines screen, click the required virtual machine.

2. On the Overview tab, click the pencil icon in the Disks field.

3. In the Volumes window:

   • Click Detach to detach a volume from a stopped virtual machine.

   • Click Force detach to detach a volume from a running virtual machine.

   • There is a risk of data loss.

4. Click Done to finish editing VM disks and save your changes.

Prerequisites

• Virtual machines are created, as described in Creating virtual machines.

To monitor virtual machine’s CPU, storage, and network usage

Select the VM and open the Monitoring tab.

The default time interval for the charts is twelve hours. To zoom into a particular time interval, select the internal with the mouse; to reset zoom, double-click any chart.

The following performance charts are available:

CPU / RAMCPU and RAM usage by the VM.NetworkIncoming and outgoing network traffic.Storage read/writeAmount of data read and written by the VM.Read/write latencyRead and write latency. Hovering the mouse cursor over a point on the chart, you can also see the average and maximum latency for that moment, as well as the 95 and 99 percentiles.

Averaged values are calculated every five minutes.

You can unbind a stopped VM from the node it is hosted on and release its reserved resources such as CPU and RAM. A shelved VM remains bootable and retains its configuration, including the IP addresses.

Prerequisites

• Virtual machines are created, as described in Creating virtual machines.

To shelve a virtual machine

1. Click the desired virtual machine.

2. If the VM is stopped, click Shelve on its right pane.

3. If the VM is running or suspended, click Shut down or Power off on its right pane, and then select Shelve virtual machine in the confirmation window.

To spawn a shelved VM on a node with enough resources to host it

1. Click a shelved virtual machine.

2. On the VM right pane, click Unshelve.

You can add new network interfaces to your virtual machines, edit IP addresses and security groups for the existing interfaces, and remove network interfaces by detaching them.

Limitations

• You cannot manage network interfaces of shelved VMs.

• A VM that is connected to a dual-stack network always receives an IPv6 address, if the IPv6 subnet is in the SLAAC or DHCPv6 stateless mode.

To attach a network interface to a virtual machine

1. On the Virtual machines screen, click the required virtual machine.

2. On the Overview tab, click Edit in the Network interfaces section.

3. In the Network interfaces window, click Add to attach a network interface.

4. In the Add network interface window, select a compute network to connect to, and then specify MAC address, IPv4 and/or IPv6 addresses, and security groups. By default, MAC and primary IP addresses are assigned automatically. To specify them manually, clear the Assign automatically check boxes, and enter the desired addresses. Optionally, assign additional IP addresses to the network interface in the Secondary IP addresses section. Note that a secondary IPv6 address is not available for an IPv6 subnet that works in the SLAAC or DHCPv6 stateless mode.

   Secondary IP addresses, unlike the primary one, will not be automatically assigned to the network interface inside the virtual machine guest OS. You should assign them manually.

   • If you selected a virtual network with enabled IP address management

   • If you selected a virtual network with disabled IP address management

   • If you selected a shared physical network

   After specifying the network interface parameters, click Add.

5. Click Done to finish editing VM network interfaces and save your changes.

To edit a network interface of a virtual machine

1. On the Virtual machines screen, click the required virtual machine.

2. On the Overview tab, click Edit in the Network interfaces section.

3. In the Network interfaces window, click the ellipsis button next to the interface you want to edit, and then click Edit.

4. In the Edit network interface window, modify the network interface parameters as follows:

   • Change the primary IP address. To update the address inside the VM guest OS, restart the network interface.

   • Add or remove secondary IP addresses.

   • Modify security groups assigned to the VM.

   After updating the required parameters, click Save.

5. Click Done to finish editing VM network interfaces and save your changes.

To detach a network interface from a virtual machine

1. On the Virtual machines screen, click the required virtual machine.

2. On the Overview tab, click Edit in the Network interfaces section.

3. In the Network interfaces window, click the ellipsis button next to the interface you want to detach, and then click Remove.

4. Click Done to finish editing VM network interfaces and save your changes.

Prerequisites

• You have a guest OS source prepared, as described in Managing images.

• One or more compute networks are created by using the instructions in Managing virtual networks.

• Custom security groups are configured, as instructed in Managing security groups.

• An SSH key is added, as outlined in Managing SSH keys. You can specify an SSH key only when creating VMs from a template or boot volume.

To create a virtual machine

1. On the Virtual machines screen, click Create virtual machine. A window will open where you will need to specify the VM parameters.

2. Specify a name for the new VM.

3. Select the VM boot media:

   • If you have an ISO image or a template

   • If you have a compute boot volume

   If you select an image or volume with an assigned placement, the created VM will also inherit this placement.

   After selecting the boot media, volumes required for this media to boot will be automatically added to the Volumes section.

4. Configure the VM disks:

   1. In the Volumes window, make sure the default boot volume is large enough to accommodate the guest OS. Otherwise, click the ellipsis icon next to it, and then Edit. Change the volume size and click Save.

   2. Add more disks to the VM by creating or attaching volumes. To do this, click the pencil icon in the Volumes section, and then Add or Attach in the Volumes window.

   3. Select volumes that will be removed during the VM deletion. To do this, click the pencil icon in the Volumes section, click the ellipsis icon next to the needed volume, and then Edit. Enable Delete on termination and click Save.

   4. When you finish configuring the VM disks, click Done.

5. Choose the amount of RAM and CPU resources that will be allocated to the VM in the Flavor section. In the Flavor window, select a flavor, and then click Done.

   When choosing a flavor for a VM, ensure it satisfies the hardware requirements of the guest OS.

   To select a flavor with an assigned placement, you can filter flavors by placement. The VM created from such a flavor will also inherit this placement

1. Add network interfaces to the VM in the Networks section:

   1. In the Network interfaces window, click Add to attach a network interface.

   2. In the Add network interface window, select a compute network to connect to, and then specify MAC address, IPv4 and/or IPv6 addresses, and security groups. By default, MAC and primary IP addresses are assigned automatically. To specify them manually, clear the Assign automatically check boxes, and enter the desired addresses. Optionally, assign additional IP addresses to the network interface in the Secondary IP addresses section. Note that a secondary IPv6 address is not available for an IPv6 subnet that works in the SLAAC or DHCPv6 stateless mode.

      Secondary IP addresses, unlike the primary one, will not be automatically assigned to the network interface inside the virtual machine guest OS. You should assign them manually.

      • If you selected a virtual network with enabled IP address management

      • If you selected a virtual network with disabled IP address management

      • If you selected a shared physical network

      After specifying the network interface parameters, click Add. The network interface will appear in the Network interfaces list.
   3. If required, edit IP addresses and security groups of newly added network interfaces. To do this, click the ellipsis icon, click Edit, and then set the parameters.

   4. When you finish configuring the VM network interfaces, click Done.

2. If you have chosen to boot from a template or volume, which has cloud-init and OpenSSH installed:

   As cloud images have no default password, you can access VMs deployed from them only by using the key authentication method with SSH.

   • Add an SSH key to the VM, to be able to access it via SSH without a password.

   • Add user data to customize the VM after launch, for example, change a user password.

3. Enable CPU and RAM hot plug for the VM in Advanced options, to be able to change its flavor when the VM is running. You can also enable hot plug after the VM is created.

   If you do not see this option, CPU and RAM hot plug is disabled in your project. To enable it, contact your system administrator.

4. If you have chosen to boot from an ISO image, enable UEFI boot in Advanced options, to be able to boot the VM in the UEFI mode. This option cannot be configured after the VM is created.

   You cannot configure UEFI boot if you have selected a template as the VM boot media. If your template has UEFI boot enabled, the option is automatically enabled for the VM, and vice versa.

5. After configuring all of the VM parameters, click Deploy to create and boot the VM.

If you are deploying the VM from an ISO image, you need to install the guest OS inside the VM by using the built-in VNC console. For VMs with UEFI boot enabled, open the VNC console, and then press any key to boot from the chosen ISO image. Virtual machines created from a template or a boot volume already have a preinstalled guest OS.

If a VM experiences boot problems, you can send it to the rescue mode to access its boot volume. When a VM in the “Active” state is sent to the rescue mode, it is shut down softly first. Once the VM is in the rescue mode, you can connect to it via SSH or via the console. Its previous boot disk is now attached as a secondary one. You can mount the disk and repair it.

Limitations

• The rescue mode can use ISO images for booting both Linux and Windows virtual machines and QCOW2 images (templates) for booting Linux VMs.

• You can send a VM to the rescue mode only if its current status is “Active” or “Shut down”.

• There are only three actions available for the VM in the rescue mode: Console, Exit rescue mode, and Delete.

• If a rescue image has cloud-init installed, then the VM booted from it can be accessed with the same SSH key that was used for its creation.

Prerequisites

To put a virtual machine to the rescue mode

1. On the Virtual machines screen, click the required VM on the list.

2. On the VM right pane, click the ellipsis button on the toolbar. Then, click Enter rescue mode.

3. In the Enter rescue mode window, select an image to rescue the VM with. By default, the initial image used for creating the VM is selected. Click Enter.

The machine status changes to “Rescue”.

To return a virtual machine to normal operation

1. On the Virtual machines screen, click the required VM on the list.

2. On the VM right pane, click Exit rescue mode.

3. In the Exit rescue mode window, click Exit. The VM will be automatically rebooted.

The VM status changes to “Active” and it boots from the original root disk.

If the VM status changes to “Error” when exiting the rescue mode, you can reset its status with the Reset state action. The VM should then return to the “Rescue” status again.

To exit the rescue mode for a Windows VM

There might be an issue of exiting the rescue mode for a Windows VM. If in the rescue mode you set the original system disk online, its ID becomes the same as that of the rescue disk. Then, when you try to exit the rescue mode, the boot loader cannot find the proper boot disk. To resolve the ID conflict, follow the steps:

1. With the VM in the rescue mode, open the Disk Management window and note the numbers of the original system disk (offline) and the rescue disk (online). Set the original system disk to Online.

2. To edit the boot configuration, enter the following command in the Command Prompt window:
3. Review the output and check that the rescue disk is the target for objects in the output (partition=<the rescue disk name>).

   If the objects do not point to drive C, fix it with the following commands:
4. To view the available disks, enter the following commands in the command line:

   Match the disk number and name to those displayed in the Disk Management window.

5. To get the ID of the rescue disk, run the following commands:

   Record the disk ID, you will need it later.

6. Change this ID by using the following command:

   Make sure that the value has changed with the UNIQUEID DISK command.

7. Assign the ID that you recorded previusly to the original system disk:

   Make sure that the value has changed with the UNIQUEID DISK command.

You should now be able to exit the rescue mode.

This section explains how to install and uninstall the guest tools. This functionality is required for creating consistent snapshots of a running VM’s disks.

Limitations

• Guest tools rely on the QEMU guest agent that is installed alongside the tools. The agent service must be running for the tools to work.

Prerequisites

• The virtual machine has a guest operating system installed.

If a virtual machine fails to deploy

Review the error message on the VM right pane. One of the possible root causes is that compute nodes lack free RAM or CPU resources to host the VM.

If a virtual machine is in the error state

Examine the VM history in the History tab on the VM right pane. The event log will contain all of the VM management operations performed by users in the user or command-line interface. You can expand each log entry to view operation details by clicking the arrow icon next to it. The details include the operation name, date and time, status, initiator, and request ID.

If a virtual machine is stuck in a failed or transitional state

Reset the VM to its last stable state: active, shut down or shelved:

1. Click the stuck VM.

2. On the VM right pane, click Reset state.

If a virtual machine fails to boot

Examine the VM console log by clicking Download console log on the VM right pane. The log will contain log messages only if logging is enabled inside the VM (refer to Enabling logging for virtual machines).

Limitations

• You cannot delete a security group if it is assigned to a VM.

To create a security group

1. On the Security groups screen, click Add security group.

2. In the Add security group window, specify a name and description for the group, and then click Add.

By default, the new security group will deny all incoming traffic and allow only outgoing traffic to assigned virtual machines.

To delete a security group

1. On the Security groups screen, click the required security group.

2. On the group right pane, click Delete.

3. Click Delete in the confirmation window.

If you find out that the guest tools are incompatible with some software inside a virtual machine, you can uninstall them by doing the following:

• Inside a Windows VM:

  1. Remove the QEMU device drivers from the device manager.

     Do not remove the VirtIO/SCSI hard disk driver and NetKVM network driver. Without the former, the VM will not boot; without the latter, the VM will lose network connectivity.

  2. Uninstall the QEMU guest agent and guest tools from the list of installed applications.

  3. Stop and delete Guest Tools Monitor:

     Copy

     > sc stop VzGuestToolsMonitor
     > sc delete VzGuestToolsMonitor

  4. Unregister Guest Tools Monitor from Event Log:

     Copy

     > reg delete HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\\
     VzGuestToolsMonitor

  5. Delete the autorun registry key for RebootNotifier:

     Copy

     > reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v \
     VzRebootNotifier

  6. Delete the C:\Program Files\Qemu-ga\ directory.

     If VzGuestToolsMonitor.exe is locked, close all the Event Viewer windows. If it remains locked, restart the eventlog service:

     Copy

     > sc stop eventlog
     > sc start eventlog

  After removing the guest tools, restart the virtual machine.

• Inside a Linux VM:

  1. Remove the packages:

     1. On RPM-based systems (CentOS and other):

        Copy

        # yum remove dkms-vzvirtio_balloon prl_nettool qemu-guest-agent-vz \
        vz-guest-udev

     2. On DEB-based systems (Debian and Ubuntu):

        Copy

        # apt-get remove vzvirtio-balloon-dkms prl-nettool qemu-guest-agent-vz \
        vz-guest-udev

        If any of the packages listed above are not installed on your system, the command will fail. In this case, exclude these packages from the command and run it again.

  2. Remove the files:

     Copy

     # rm -f /usr/bin/prl_backup /usr/share/qemu-ga/VERSION \
     /usr/bin/install-tools \
     
     /etc/udev/rules.d/90-guest_iso.rules /usr/local/bin/fstrim-static \
     /etc/cron.weekly/fstrim

  3. Reload the udev rules:

     Copy

     # udevadm control --reload

  After removing guest tools, restart the virtual machine.

1. Create a compute volume from the vz-guest-tools-win or vz-guest-tools-lin image, depending on the VM operating system:

   1. On the Images screen, click the vz-guest-tools-win or vz-guest-tools-lin image.

   2. On the image right pane, click Create volume.

   3. In the Create volume from image window, specify a name for the volume, and then click Create.

2. Attach the volume with the guest tools to the virtual machine:

   1. On the Virtual machines screen, click the required VM.

   2. On the VM right pane, click the pencil icon in the Volumes field.

   3. In the Volumes window, click Attach.

   4. In the Attach volume window, select the created volume with the guest tools, and then click Attach. The attached volume will be marked as ISO.

   5. In the Volumes window, click Done, to save your changes.

3. Log in to the virtual machine.

4. Inside the VM, do the following:

   • Inside a Windows VM, go to the mounted optical drive in Explorer and install the guest tools by running setup.exe. After the installation is complete, restart the VM.

   • Inside a Linux VM, create a mount point for the optical drive with the guest tools image and run the installer:

     Copy

     # mkdir /mnt/cdrom
     # mount <path_to_guest_tools_iso> /mnt/cdrom
     # bash /mnt/cdrom/install					

Limitations

• A VM is removed along with its disks that have the Delete on termination option enabled during the VM deployment.

Prerequisites

• Virtual machines are created, as described in Creating virtual machines.

To remove one virtual machine

1. Click the ellipsis button next to a VM you want to delete, and then click Delete.

2. Click Delete in the confirmation window.

To remove multiple virtual machines

1. Select the check boxes next to VMs you want to delete.

2. Over the VM list, click Delete.

3. Click Delete in the confirmation window.

A security group is a set of network access rules that control incoming and outgoing traffic to virtual machines assigned to this group. With security group rules, you can specify the type and direction of traffic that is allowed access to a virtual interface port. Traffic that does not satisfy any rule is dropped.

For each project, the default security group is automatically created in the compute cluster. This group allows all traffic on all ports for all protocols and cannot be deleted. When you attach a network interface to a VM, the interface is associated with the default security group, unless you explicitly select a custom security group.

You can assign one or more security groups to both new and existing virtual machines. When you add rules to security groups or remove them, the changes are enforced at runtime.

Limitations

• You can manage only IPv4 security group rules.

Creating and deleting security groups

Managing security group rules

Changing security group assignment

You can modify security groups by adding and removing rules. Editing rules is not available. If you need to change the existing rule, remove it and recreate with the required parameters.

Prerequisites

• You have a security group created, as described in Creating and deleting security groups.

To add a rule to a security group

1. On the Security groups screen, click the security group to add a rule to.

2. On the group right pane, click Add in the Inbound or Outbound section to create a rule for incoming or outgoing traffic.

3. Specify the rule parameters:

   1. Select a protocol from the list or enter a number from 0 to 255.

   2. Enter a single port or a port range. Some protocols already have a predefined port range. For example, the port for SSH is 22.

   3. Select a predefined subnet CIDR or an existing security group.
4. Click the check mark to save the changes.

As soon as the rule is created, it is applied to all of the virtual machines assigned to the security group.

To remove a rule from a security group

1. On the Security groups screen, click the required security group.

2. On the group right pane, click the bin icon next to a rule you want to remove.

As soon as the rule is removed, this change is applied to all of the virtual machines assigned to the security group.

When you create a VM, you select security groups for the VM network interfaces. You can also change assigned security groups later.

Limitations

• You cannot configure security groups if spoofing protection is disabled or IP address management is disabled for the selected network.

To view virtual machines assigned to a security group

1. On the Security groups screen, click the required security group.

2. On the group right pane, navigate to the Assigned VMs tab. All the assigned virtual machines will be shown along with their status.

You can click the VM name to go to the VM Overview pane and change the security group assignment for its network interfaces.

To assign a security group to a virtual machine

1. On the Virtual machines screen, click the required virtual machine.

2. On the Overview tab, click the pencil icon in the Networks section.

3. Click the ellipsis icon next to the network interface to assign a security group to, and then click Edit.

4. In the Edit network interface window, go to the Security groups tab.

5. Select one or more security groups from the drop-down list, and then click Save.

The rules from chosen security groups will be applied at runtime.

Virtuozzo Hybrid Infrastructure allows you to upload ISO images and templates that can be used to create VM volumes:

Please note a lot of templates are already installed and ready to be deployed right away. Check first if a OS Image is already available before creating a new one.

• An ISO image is a typical OS distribution that needs to be installed on disk. You can upload an ISO image to the compute cluster.

• A template is a ready boot volume in the QCOW2 format with an installed operating system and applications. Many OS vendors offer templates of their operating systems under the name “cloud images”. You can upload a cloud image from the OS official repository or prepare your own template in the compute cluster.

Prerequisites

• Knowledge of the supported guest operating systems listed in Supported guest operating systems.

Uploading images

Creating volumes from images

Preparing templates

To upload an image

1. On the Images screen, click Add image.

2. In the Add image window, do the following:

   1. Click Browse and select a file in one of the supported formats: .iso, .img, .qcow2, .raw.

   2. Specify an image name to be shown in the admin panel.

   3. Select the correct OS type from the drop-down list.

      The OS type affects VM parameters such as hypervisor settings. VMs created from an image with an incorrect OS type may not work correctly, for example, they may crash
3. If you have chosen an image in the QCOW2, RAW, or IMG format, select the UEFI boot check box, to mark the image as UEFI bootable. This option cannot be configured after the image is uploaded.

4. Click Add to start uploading the image. The upload progress will be shown in the bottom right corner.

You can hide the pop-up window without interrupting the upload process. The upload progress will be available in the notification center.

You can create volumes from both ISO images and templates.

To make a volume from an image

1. Go to the Images screen, and then click the required image.

2. On the image panel, click Create volume.

3. In the Create volume window, specify the volume name, size, and select a storage policy.
4. Click Create.

The new volume will appear on the Volumes screen.

You may need to create a template in these cases:

• To rescue a virtual machine

• To create a VM accessible via SSH

• To create a VM customizable with user data

Preparation overview

1. Install cloud-init and OpenSSH Server in the virtual machine.

2. Enable logging for virtual machines that will be created from the template.

3. Convert the VM boot volume to the template, as described in Creating images from volumes.

Preparing Linux templates

Preparing Windows templates

Enabling logging for virtual machines

As all Linux guests have OpenSSH Server preinstalled by default, you only need to make sure a Linux template has cloud-init installed.

The easiest way to get a Linux template with cloud-init installed is to obtain it from its official repository. You can also create a Linux template from an existing boot volume.

A volume in Bamboozle Cloud (Public and Private) is a virtual disk drive that can be attached to a virtual machine. The integrity of data in volumes is protected by the redundancy mode specified in the storage policy.

Creating and deleting volumes

Attaching and detaching volumes

Resizing volumes

Changing the storage policy for volumes

Creating images from volumes

Cloning volumes

Managing volume snapshots

Transferring volumes between projects

Windows guests have neither Cloudbase-Init nor OpenSSH Server preinstalled by default. You need to install and configure them manually.

To install Cloudbase-Init and OpenSSH Server inside a Windows virtual machine

1. Log in to a Windows VM.

2. Create a new administrator account that will be used for SSH connections and log in with it.

3. To install and configure OpenSSH Server:

   1. Run Windows PowerShell with administrator privileges and set the execution policy to unrestricted to be able to run scripts:

      Copy

      > Set-ExecutionPolicy Unrestricted

   2. Download OpenSSH Server (for example, from the GitHub repository), extract the archive into the C:\Program Files directory, and then install it by running:

      Copy

      > & 'C:\Program Files\OpenSSH-Win64\install-sshd.ps1'

   3. Start the sshd service and set its startup type to “Automatic”:

      Copy

      > net start sshd
      > Set-Service sshd -StartupType Automatic

   4. Open TCP port 22 for the OpenSSH service in the Windows Firewall:

      • On Windows 8.1, Windows Server 2012, and newer versions, run:

        Copy

        > New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName OpenSSH

      • On Windows Server 2008/2008 R2, run:

        Copy

        > netsh advfirewall firewall add rule name=sshd dir=in action=allow protocol=TCP localport=22

   5. Open the C:\ProgramData\ssh\sshd_config file:

      Copy

      > notepad 'C:\ProgramData\ssh\sshd_config'

      Comment out the following lines at the end of the file:

      Copy

      #Match Group administrators
      #AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

      Save the changes.

   6. Create the .ssh directory in C:\Users\<current_user> and an empty authorized_keys file inside it:

      Copy

      > cd C:\Users\<current_user>
      > mkdir .ssh
      > notepad .\.ssh\authorized_keys

      Remove the .txt extension from the created file:

      Copy

      > move .\.ssh\authorized_keys.txt .\.ssh\authorized_keys

   7. Modify the permissions for the created file to disable inheritance:

      Copy

      > icacls .\.ssh\authorized_keys /inheritance:r

4. Download Cloudbase-Init from https://cloudbase.it/cloudbase-init/#download, and then install it by following the procedure from the Installation section at https://cloudbase.it/cloudbase-init/.

   1. The password for the user specified during the Cloudbase-Init installation will be reset on the next VM startup. If this user does not exist, a new user account will be created. You will be able to log in with this account by using the key authentication method or you can set a new password with a customization script. If there are multiple Windows users at the image preparation time, the passwords for other users will not be changed.

   2. When the Cloudbase-Init installation is complete, do not select the option to run Sysprep before clicking Finish. Otherwise, you will not be able to modify cloudbase-init.conf.

5. Run Windows PowerShell with administrator privileges and open the file C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf:

   Copy

   > notepad 'C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf'

   Add metadata_services and plugins on two lines:

   Copy

   metadata_services=\
   cloudbaseinit.metadata.services.configdrive.ConfigDriveService,\
   cloudbaseinit.metadata.services.httpservice.HttpService
   plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,\
   cloudbaseinit.plugins.windows.ntpclient.NTPClientPlugin,\
   cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin,\
   cloudbaseinit.plugins.windows.createuser.CreateUserPlugin,\
   cloudbaseinit.plugins.common.networkconfig.NetworkConfigPlugin,\
   cloudbaseinit.plugins.windows.licensing.WindowsLicensingPlugin,\
   cloudbaseinit.plugins.common.sshpublickeys.SetUserSSHPublicKeysPlugin,\
   cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin,\
   cloudbaseinit.plugins.common.setuserpassword.SetUserPasswordPlugin,\
   cloudbaseinit.plugins.common.userdata.UserDataPlugin,\
   cloudbaseinit.plugins.windows.winrmlistener.ConfigWinRMListenerPlugin,\
   cloudbaseinit.plugins.windows.winrmcertificateauth.\
   ConfigWinRMCertificateAuthPlugin,\
   cloudbaseinit.plugins.common.localscripts.LocalScriptsPlugin

   Make sure to remove all backslashes in the lines above.

   Save the changes.

Limitations

• A volume is removed along with all of its snapshots.

To create a volume

1. On the Volumes screen, click Create volume.
2. In the Create volume window, specify a volume name and size in gigabytes, select a storage policy, and then click Create.

To remove a volume

1. On the Volumes tab, check the status of the volume you want to remove.

2. If the status is "In use", click the volume, and then click Force detach.

3. If the status is "Available", click the volume, and then click Delete.

The console log of a virtual machine can be used for troubleshooting boot issues. The log contains messages only if logging is enabled inside the VM, otherwise the log is empty.

The logging can be turned on by enabling the TTY1 and TTYS0 logging levels in Linux VMs and Emergency Management Services (EMS) console redirection in Windows VMs. You may also enable driver status logging in Windows VMs, to see the list of loaded drivers. This can be useful for troubleshooting a faulty driver or long boot process.

To enable TTY1 and TTYS0 logging in Linux virtual machines

1. Add the line GRUB_CMDLINE_LINUX_DEFAULT="console=tty1 console=ttyS0" to the file /etc/default/grub.

2. Depending on the boot loader, run either

   Copy

   # grub-mkconfig -o /boot/grub/grub.cfg

   or

   Copy

   # grub2-mkconfig -o /boot/grub2/grub.cfg

3. Reboot the VM.

To enable EMS console redirection in Windows virtual machines

1. Start Windows PowerShell by using administrator privileges.

2. In the PowerShell console, set the COM port and baud rate for EMS console redirection. As Windows VMs have only the COM1 port with the transmission rate of 9600 bps, run:

   Copy

   bcdedit /emssettings EMSPORT:1

3. Enable EMS for the current boot entry:

   Copy

   bcdedit /ems on

To enable driver status logging in Windows virtual machines

1. Start System Configuration by using administrator privileges.

2. In the System Configuration windows, open the Boot tab, and select the check boxes OS boot information and Make all boot settings permanent.

3. Confirm the changes and restart the system.

You can change volume size only by increasing it. Volumes can be extended for both running (online resizing) and stopped (offline resizing) virtual machines. Online volume resizing allows users to avoid downtime and enables scaling VM storage capacity on the fly without service interruption.

Limitations

• You cannot shrink volumes.

• During volume resizing, the file system inside the guest OS is not extended.

• If you revert a volume to a snapshot that was taken before the volume extension, the new volume size will be retained.

Prerequisites

• A volume is created, as described in Creating and deleting volumes.

To extend a volume

1. On the Volumes screen, click a volume.

2. Click the pencil icon in the Size field.

3. Enter the desired volume capacity, and then click the tick icon.

After the volume is extended, you will need to re-partition the disk inside the guest OS to allocate the added disk space.

Limitations

• You can only attach and detach non-boot volumes.

Prerequisites

• A volume is created, as described in Creating and deleting volumes.

• To be able to use volumes attached to VMs, they must be initialized inside the guest OS by standard means.

To attach a volume to a virtual machine

1. On the Volumes screen, click an unused volume.

2. On the volume right pane, click Attach.

3. In the Attach volume window, select the VM from the drop-down list, and then click Done.

To detach a volume from a virtual machine

1. On the Volumes screen, click a volume that is in use.

2. If the VM is stopped, click Detach on the volume right pane.

3. If the VM is running, click Force detach on the volume right pane.

   There is a risk of data loss.

To create multiple VMs with the same boot volume, you can create a template from an existing boot volume and deploy VMs from it.

Prerequisites

• Linux virtual machines have cloud-Init installed, as described in Preparing Linux templates.

• Windows virtual machines have Cloudbase-Init and OpenSSH Server installed, as described in Preparing Windows templates.

• Logging is enabled inside a virtual machine, as instructed in Enabling logging for virtual machines.

To create a template from a boot volume

1. Power off the VM that the original volume is attached to.

2. Switch to the Volumes screen, click volume’s ellipsis button and select Create image.

3. In the Create image window, enter an image name, and then click Create

The new image will appear on the Images screen.

You can save the current state of a VM file system or user data by creating a snapshot of a volume. A snapshot of a boot volume may be useful, for example, before updating VM software. If anything goes wrong, you will be able to revert the VM to a working state at any time. A snapshot of a data volume can be used for backing up user data and testing purposes.

Prerequisites

To create a snapshot of a volume

1. On the Volumes screen, click a volume.

2. In the volume right pane, switch to Snapshots, and then click Create snapshot.

To manage a volume snapshot

Select a volume and open the Snapshots tab on its right pane.

You can do the following:

• Create a new volume from the snapshot.

• Create a template from the snapshot.

• Discard all changes that have been made to the volume since the snapshot was taken. This action is available only for VMs with the "Shut down" and "Shelved offloaded" statuses.

  As each volume has only one snapshot branch, all snapshots created after the snapshot you are reverting to will be deleted. If you want to save a subsequent snapshot before reverting, create a volume or an image from it first.

• Change the snapshot name and description.

• Reset the snapshot stuck in an "Error" state or transitional state to the "Available" state.

• Remove the snapshot.

To perform these actions, click the ellipsis button next to a snapshot, and then click the corresponding action.

Limitations

• You can clone volumes that are not attached to VMs or attached to stopped VMs.

Prerequisites

• A volume is created, as described in Creating and deleting volumes.

To clone a volume

1. On the Volumes screen, click a volume.

2. On the volume right pane, click Clone.

3. In the Clone volume window, specify a volume name, size, and storage policy. Click Clone.

Limitations

• You can delete a compute network only if no VMs are connected to it.

To add a new virtual network

1. On the Networks screen, click Create virtual network.

2. On the Network configuration step, do the following:

   1. Enable or disable IP address management:

      • With IP address management enabled, VMs connected to the network will automatically be assigned IP addresses from allocation pools by the built-in DHCP server and use custom DNS servers. Additionally, spoofing protection will be enabled for all VM network ports by default. Each VM network interface will be able to accept and send IP packets only if it has IP and MAC addresses assigned. You can disable spoofing protection manually for a VM interface, if required.

      • With IP address management disabled, VMs connected to the network will obtain IP addresses from the DHCP servers in that network, if any. Also, spoofing protection will be disabled for all VM network ports, and you cannot enable it manually. This means that each VM network interface, with or without assigned IP and MAC addresses, will be able to accept and send IP packets.

      In any case, you will be able to manually assign static IP addresses from inside the VMs.

   2. Specify a name, and then click Next.
3. If you enabled IP address management, you will move on to the IP address management step, where you can add an IPv4 subnet:

   1. In the Subnets section, click Add and select IPv4 subnet.

   2. In the Add IPv4 subnet window, specify the network’s IPv4 address range and, optionally, specify a gateway. If you leave the Gateway field blank, the gateway will be omitted from network settings.

   3. Enable or disable the built-in DHCP server:

      • With the DHCP server enabled, VM network interfaces will automatically be assigned IP addresses: either from allocation pools or, if there are no pools, from the network’s entire IP range. The DHCP server will receive the first two IP addresses from the IP pool. For example:

        • In a subnet with CIDR 192.168.128.0/24 and without a gateway, the DHCP server will be assigned the IP addresses 192.168.128.1 and 192.168.128.2.

        • In a subnet with CIDR 192.168.128.0/24 and the gateway IP address set to 192.168.128.1, the DHCP server will be assigned the IP addresses 192.168.128.2 and 192.168.128.3.

      • With the DHCP server disabled, VM network interfaces will still get IP addresses, but you will have to manually assign them inside VMs.

      The virtual DHCP service will work only within the current network and will not be exposed to other networks.

   4. Specify one or more allocation pools (ranges of IP addresses that will be automatically assigned to VMs).

   5. Specify DNS servers that will be used by virtual machines. These servers can be delivered to VMs via the built-in DHCP server or by using the cloud-init network configuration (if cloud-init is installed in the VM).

   6. Click Add.
4. On the Summary step, review the configuration, and then click Create virtual network.

To edit parameters of a virtual network

1. On the Networks screen, click the required network.

2. On the network right pane, click the pencil icon next to the network name or IPv4 subnet.

3. Make changes and save them.

To delete a compute network

Click the ellipsis icon next to the required network, and then click Delete. To remove multiple compute networks at once, select them, and then click Delete.

After a VPN connection is created, you can change its endpoint groups and VPN settings at any time.

Limitations

• You cannot change the virtual router and security policies used to establish a VPN connection.

Prerequisites

• A VPN connection is created, as described in Creating VPN connections.

To edit a VPN connection

1. On the VPN screen, click a VPN connection to modify.

2. On the connection right pane, click Edit.

3. In the Edit VPN window, configure local and remote endpoints, if required, and then click Next.

4. On the next step, change VPN parameters such as the VPN connection name, peer IP address, and PSK key. If necessary, you can also configure additional settings by selecting Advanced settings and editing the required parameters.

5. Click Save to apply your changes.

After you update the connection parameters, its status will change to "Down". The connection will re-initiate once the parameters are similarly updated by the other VPN party.

The IKE and IPsec configuration must match for both communicating parties. Otherwise, the VPN connection between them will not be established.

Prerequisites

• You have a virtual router created, as described in Managing virtual routers.

• The virtual router connects the physical network with virtual networks that you want to be exposed.

• Networks that will be connected via a VPN tunnel must have non-overlapping IP ranges.

• [For Virtuozzo Hybrid Infrastructure 5.4 Update 1 and earlier versions] If a virtual machine has a floating IP address assigned to its private network interface, configure static routes of a virtual router, for the VM traffic to be routed through a VPN tunnel.

To create a VPN connection

1. On the VPN screen, click Create VPN.

2. On the Configure IKE step, specify parameters for the IKE policy that will be used to establish a VPN connection. You can choose to use an existing IKE policy or create a new one. For the new IKE policy, do the following:

   1. Specify a custom name for the IKE policy.

   2. Specify the key lifetime, in seconds, that will define the rekeying interval. The IKE key lifetime must be greater than that of the IPsec key.

   3. Select the authentication algorithm that will be used to verify the data integrity and authenticity.

   4. Select the encryption algorithm that will be used to ensure that data is not viewable while in transit.

   5. Select the IKE version 1 or 2. Version 1 has limitations, for example, it does not support multiple subnets.

   6. Select the Diffie-Hellman (DH) group that will be used to build the encryption key for the key exchange process. Higher group numbers are more secure but require additional time for the key to compute.

   7. Click Next.

3. On the Configure IPsec step, specify parameters for the IPsec policy that will be used to encrypt the VPN traffic. You can choose to use an existing IPsec policy or create a new one. For the new IPsec policy, do the following:

   1. Specify a custom name for the IPsec policy.

   2. Specify the key lifetime, in seconds, that will define the rekeying interval. The IPsec key lifetime must not be greater than that of the IKE key.

   3. Select the authentication algorithm that will be used to verify the data integrity and authenticity.

   4. Select the encryption algorithm that will be used to ensure that data is not viewable while in transit.

   5. Select the Diffie-Hellman (DH) group that will be used to build the encryption key for the key exchange process. Higher group numbers are more secure but require additional time for the key to compute.

   6. Click Next.

4. On the Create endpoint groups step, select a virtual router and specify local and remote subnets that will be connected by the VPN tunnel. You can choose to use existing local and remote endpoints, or create new ones. For the new endpoints, do the following:

   1. Specify a custom name for the local endpoint, and then select local subnets.

   2. Specify a custom name for the remote endpoint, and then add remote subnets in the CIDR format.

   3. Click Next.

5. On the Configure VPN step, specify parameters to establish the VPN connection with a remote gateway:

   1. Specify a custom name for the VPN connection.

   2. Specify the public IPv4 address of the remote gateway, that is, peer IP address.

   3. Generate the pre-shared key that will be used for the peer authentication.

   4. If necessary, you can also configure additional settings by selecting Advanced settings and specifying the following parameters:

      • The peer ID for authentication and the mode for establishing a connection.

      • The Dead Peer Detection (DPD) policy, interval, and timeout, in seconds.

   5. Click Next.

6. On the Summary step, review the configuration, and then click Create.

When the VPN connection is created, its status will change from "Pending creation" to "Down". The connection will become active once the VPN tunnel is configured by the other VPN party and the IKE authorization is successful.

The IKE and IPsec configuration must match for both communicating parties. Otherwise, the VPN connection between them will not be established.

You can forcefully re-initiate a VPN connection by manually restarting it. When you delete a VPN connection, you also delete the IKE and IPsec policies and endpoint groups that were created during the VPN creation.

Prerequisites

• A VPN connection is created, as described in Creating VPN connections.

To restart a VPN connection

1. On the VPN screen, click a VPN connection to restart.

2. On the connection right pane, click Restart.

3. Click Restart VPN in the confirmation window.

To delete a VPN connection

1. On the VPN screen, click a VPN connection to delete.

2. On the connection right pane, click Delete.

3. Click Delete in the confirmation window.

Virtual routers provide L3 services such as routing and Source Network Address Translation (SNAT) between virtual and physical networks, or different virtual networks:

• A virtual router between virtual and physical networks provides access to public networks, such as the Internet, for VMs connected to this virtual network.

• A virtual router between different virtual networks provides network communication for VMs connected to these virtual networks.

A virtual router has two types of ports:

• An external gateway that is connected to a physical network.

• An internal port that is connected to a virtual network.

With virtual routers, you can do the following:

• Create virtual routers

• Change external or internal router interfaces

• Create, edit, and delete static routes

• Change a router name

• Delete a router

Limitations

• A router can only connect networks that have IP management enabled.

• You can delete a virtual router if no floating IP addresses are associated with any network it is connected to.

Prerequisites

• Compute networks are created, as described in Managing virtual networks.

• The compute networks that are to be connected to a router have a gateway specified.

To create a virtual router

1. Navigate to the Routers screen, and then click Add router.

2. In the Add router window:

   1. Specify a router name.

   2. From the Network drop-down menu, select a physical network through which external access will be provided via an external gateway. The new external gateway will pick an unused IP address from the selected physical network.

   3. In the Add internal interfaces section, select one or more virtual networks to connect to a router via internal interfaces. The new internal interfaces will attempt to use the gateway IP address of the selected virtual networks by default.

   4. Select or deselect the SNAT check box to enable or disable SNAT on the external gateway of the router. With SNAT enabled, the router replaces VM private IP addresses with the public IP address of its external gateway.

3. Click Create.

With Virtual Private Network (VPN) as a service, users can extend virtual networks across public networks, such as the Internet. To connect two or more remote endpoints, VPNs use virtual connections tunneled through physical networks. To secure VPN communication, the traffic that flows between remote endpoints is encrypted. The VPN implementation uses the Internet Key Exchange (IKE) and IP Security (IPsec) protocols to establish secure VPN connections and is based on the strongSwan IPsec solution.

VPN as a service can be used to establish a Site-to-Site VPN connection between a virtual network configured in Bamboozle Cloud and any other network with a VPN gateway that uses the IPsec and IKE protocols. With VPN as a service, you can connect the following workloads:

• On-premises workloads with workloads hosted in Bamboozle Cloud

• Workloads hosted in other clouds with workloads hosted in Bamboozle Cloud

• Workloads hosted in different Bamboozle Cloud Locations

To better understand how a VPN works, consider the following example:

• In the cluster 1, the virtual machine VM1 is connected to the virtual network privnet1 (192.168.10.0/24) via the network interface with IP address 192.168.10.10. The network privnet1 is exposed to public networks via the router router1 with the external port 10.10.10.5.

• In the cluster 2, the virtual machine VM2 is connected to the virtual network privnet2 (192.168.20.0/24) via the network interface with IP address 192.168.20.20. The network privnet2 is exposed to public networks via the router router2 with the external port 10.10.10.4.

• The VPN tunnel is created between the routers router1 and router2 that serve as VPN gateways, thus allowing mutual connectivity between the networks privnet1 and privnet2.

• The virtual machines VM1 and VM2 are visible to each other at their private IP addresses. That is, VM1 can access VM2 at 192.168.20.20, and VM2 can access VM1 at 192.168.10.10.

For key exchange between communicating parties, two IKE versions are available: IKE version 1 (IKEv1) and IKE version 2 (IKEv2). IKEv2 is the latest version of the IKE protocol and it supports connecting multiple remote subnets.

In the example above:

• VPN1 uses the IKEv1 and connects the network network1 with the network3.

• VPN2 uses the IKEv2 and connects the network network2 with the two networks network4 and network5.

Limitations

• Currently, we support only Site-to-Site VPN connections. Point-to-Site VPN connections are not supported.

Prerequisites

To add an external router interface

1. If you already have an external gateway, remove the existing one first.

2. On the Routers screen, click the router name. Open the Interfaces tab to view the list of its interfaces.

3. Click Add on the toolbar, or click Add interface if there are no interfaces to show.

4. In the Add interface window, do the following:

   1. Select External gateway.

   2. From the Network drop-down menu, select a physical network to connect to the router. The new interface will pick an unused IP address from the selected physical network. You can also provide a specific IP address from the selected physical network to assign to the interface in the IP address field.

   3. Select or deselect the SNAT check box to enable or disable SNAT on the external gateway of the router. With SNAT enabled, the router replaces VM private IP addresses with the public IP address of its external gateway.

5. Click Add.

To add an internal router interface

1. On the Routers screen, click the router name to open the list of its interfaces.

2. Click Add.

3. In the Add interface window, select a network to connect to the router from the Network drop-down menu. The new interface will attempt to use the gateway IP address of the selected virtual network by default. If it is in use, specify an unused IP address from the selected virtual network to assign to the interface in the IP address field.

4. Click Add.

To edit external interface parameters

1. Click the ellipsis icon next to the external interface, and then click Edit.

2. In the Edit interface window, change the IP address or configure SNAT.

3. Click Save to save your changes.

To remove a router interface

1. Select the interface you want to remove.

2. Click the ellipsis icon next to it, and then click Delete.

3. In the confirmation window, click Delete.

You can also configure static routes of a router by manually adding entries into its routing table. This can be useful, for example, if you do not need a mutual connection between two virtual networks and want only one virtual network to be accessible from the other.

Consider the following example:

• The virtual machine VM1 is connected to the virtual network private1 (192.168.128.0/24) via the network interface with IP address 192.168.128.10.

• The virtual machine VM2 is connected to the virtual network private2 (192.168.30.0/24) via the network interface with IP address 192.168.30.10.

• The router router1 connects the network private1 to the physical network via the external gateway with the IP address 10.94.129.73.

• The router router2 connects the network private2 to the physical network via the external gateway with the IP address 10.94.129.74.

To be able to access VM2 from VM1, you need to add a static route for router1, specifying the CIDR of private2, that is 192.168.30.0/24, as the destination subnet and the external gateway IP address of router2, that is 10.94.129.74, as the next hop IP address. In this case, when an IP packet for 192.168.30.10 reaches router1, it will be forwarded to router2 and then to VM2.

Prerequisites

• You have a virtual router created, as described in Managing virtual routers.

To create a static route for a router

1. On the Routers screen, click the router name. Open the Static routes tab, and then click Add on the right pane. If there are no routes to show, click Add static route.

2. In the Add static route window, specify the destination subnet range and mask in CIDR notation and the next hop’s IP address. The next hop’s IP address must belong to one of the networks that the router is connected to.

3. Click Add.

To edit a static route

1. Click the ellipsis icon next to the required static route, and then click Edit.

2. In the Edit static route window, change the desired parameters, and then click Save.

To remove a static route

Click the ellipsis icon next to the static route you want to remove, and then click Delete.

1. Sign up for an Instance in our Portal

2. Choose your package

3. Click the Activate button and confirm with Yes, activate. Deploying an Object Storage instance takes a few minutes.

4. Once the instance is created, follow the on how to access it.

Bamboozle Kubernetes is a managed Kubernetes service lets you deploy scalable and secure Kubernetes clusters without the complexities of administrating the control plane. We manage the Kubernetes control plane and the underlying containerized infrastructure.

Clusters are compatible with standard Kubernetes toolchains and integrate natively with our Load Balancers and block storage volumes.

There are no restrictions on the API objects you can create as long as the underlying Kubernetes version supports them. We offer the latest version of Kubernetes as well as earlier patch levels of the latest minor version for special use cases. You can also install popular tools like Helm, metrics-server, and Istio.

Nodes

Worker and Master nodes are built on instaces, but unlike standalone instances, worker nodes are managed with the Kubernetes command-line client kubectl and are not accessible with SSH. On both the control plane and the worker nodes, Flow maintains the system updates, security patches, operating system configuration and installed packages. Worker nodes are automatically deleted and respawned when needed, and you can manually rebuild worker nodes.

Persistent Data

You can persist data in Kubernetes clusters to block storage volumes using the Flow CSI plugin, the CSI Plugin is already preinstalled and is used for the default storage class. You can also persist data to Flow object storage by using the S3 API to interact with the storage from your application.

Load Balancing

The Flow Kubernetes Cloud Controller supports provisioning external Load Balancers.

VPC Support

Clusters are added to a VPC network for the datacenter region by default. This keeps traffic between clusters and other applicable resources from being routed outside the datacenter over the public internet.

Plans and Pricing

The cost of a Kubernetes cluster is based on the cluster’s resources:

• Nodes (Workers and Master / Control plane ) are built on Instances.

• Integration Load Balancers is charged at the same rate as common Load Balancers.

• Integration with block storage volumes is charged at the same rate as volumes.

All charges for Kubernetes clusters appear in the Kubernetes detail view section. For pricing details please consult our pricing page.

Regional Availability

Kubernetes Clusters are available in all regions. They are region-specific resources and can only be assigned within the same region.

Limits

At the moment IPv6 is not supported.

The control plane is not highly available and may be temporarily unavailable during upgrades or maintenance. This does not affect running clusters and does not make the cluster workers or workloads unavailable if external load balancers are used.

Prerequisites

• You have a network that will interconnect the Kubernetes master and worker nodes. It can be either a shared physical network or a virtual network linked to a physical one via a virtual router. The virtual network needs to have a gateway and a DNS server specified.

• An SSH key is added. It will be installed on both the master and worker nodes.

• Youhave enough resources for all of the Kubernetes nodes, taking their flavors into account.

• It is also required that the network where you create a Kubernetes cluster does not overlap with these default networks:

• 10.100.0.0/24—Used for pod-level networking

• 10.254.0.0/16—Used for allocating Kubernetes cluster IP addresses

To create a Kubernetes cluster

1. Go to the Kubernetes clusters screen, and then click Create on the right. A window will open where you can set your cluster parameters

2. Enter the cluster name, and then select a Kubernetes version and an SSH key.

3. In the Network section, select a network that will interconnect the Kubernetes nodes in the cluster. If you select a virtual network, decide whether you need access to your Kubernetes cluster via a floating IP address:

• If you select None, you will not have access to the Kubernetes API.

• If you select For Kubernetes API, a floating IP address will be assigned to the master node or to the load balancer if the master node is highly available.

• If you select For Kubernetes API and nodes, floating IP addresses will be additionally assigned to all of the Kubernetes nodes (masters and workers).

  Then, choose whether or not to enable High availability for the master node. If you enable high availability, three master node instances will be created. They will work in the Active/Active mode.

1. In the Master node section, select a flavor for the master node. For production clusters, it is strongly recommended to use a flavor with at least 2 vCPUs and 8 GiB of RAM.

2. Optionally, enable Integrated monitoring to automatically deploy the cluster-wide monitoring solution, which includes the following components: Prometheus, Alertmanager, and Grafana.

** This feature is experimental and not supported in production environments. **

1. In the Container volume section, select a storage policy, and then enter the size for volumes on both master and worker nodes.

2. In the Default worker group section, select a flavor for each worker, and then decide whether you want to allow automatic scaling of the worker group:

• With Autoscaling enabled, the number of workers will be automatically increased if there are pods stuck in the pending state due to insufficient resources, and reduced if there are workers with no pods running on them. For scaling of the worker group, set its minimum and maximum size.

• With Autoscaling disabled, the number of worker nodes that you set will be permanent.

1. In the Labels section, enter labels that will be used to specify supplementary parameters for this Kubernetes cluster in the key=value format. For example: selinux_mode=permissive. Currently, only the selinux label is supported. You can use other labels at your own risk. To see the full list of supported labels, refer to the OpenStack documentation.

2. Click Create.

Creation of the Kubernetes cluster will start. The master and worker nodes will appear on the Virtual machines screen, while their volumes will show up on the Volumes screen.

After the cluster is ready, click Kubernetes access for instructions on how you can access the dashboard. You can also access the Kubernetes master and worker nodes via SSH, by using the assigned SSH key and the user name core.

To delete a Kubernetes cluster

Click the required Kubernetes cluster on the Kubernetes clusters screen and click Delete. The master and worker VMs will be deleted along with their volumes.

Introduction

Bamboozle Object Storage is an S3-compatible object storage service that lets you store and serve large amounts of data. You can create them in a few seconds and use them immediately with no configuration. Data transfer is automatically secured with HTTPS, and the available storage capacity scales seamlessly.

Object Storage are ideal for storing static, unstructured data like audio, video, and images as well as large amounts of text. Use cases like databases, applications written in server-side languages, and mission-critical applications will work best with local storage (volumes).

Introduction

Bamboozle Object Storage is an S3-compatible object storage service that lets you store and serve large amounts of data. The Bamboozle Object Storage API is inter-operable with the AWS S3 API, meaning you can use existing S3 tools and libraries with Spaces. A common use case is managing Bamboozle Object Storage programmatically with AWS’ S3 SDKs.

Install the SDK

Install the AWS SDK using the package manager for your language of choice.

npm install aws-sdk                

go get -u github.com/aws/aws-sdk-go

php composer.phar require aws/aws-sdk-php

pip install boto3

gem install aws-sdk-s3

Obtain Access & Secret Keys

You are able to retrieve the access & secret keys in our customer portal:.

The examples below rely on environment variables to access these keys. Export ACCESS_KEY and SECRET_KEY to your environment (e.g. export ACCESS_KEY=DSJE2334BBZ) to make them available to your code.

SDKs

After you set up and configure an SDK, you can follow the examples below to see how to perform common Bamboozle Object Storage operations in JavaScript, Go, PHP, Python and Ruby.

To access Flow Object Storage with Cyberduck, please follow these steps:

1. Download (https://cyberduck.io) and install Cyberduck

2. Open CyberDuck and click Open Connection.

3. Specify your the credentials which are provided in our customer portal (https://portal.bamboozle.me):

   • Server: Insert the DNS name of the S3 endpoint (Your location is mentioned in your account in our portal): Location Dubai: dxb.bbzs3.com

   • Access Key ID: Insert the displayed Access Key from our portal.

   • Secret Access Key ID: Insert the displayed Secret Key from our portal.

4. Press the connect button

Example for DXB:

o access Flow Object Storage with Mountainduck, please follow these steps:

1. Download (https://mountainduck.io) and install Mountainduck

2. Open CyberDuck and click Open Connection.

3. Specify your the credentials which are provided in our customer portal (https://portal.bamboozle.me):

   • Server: Insert the DNS name of the S3 endpoint (Your location is mentioned in your account in our portal): Location Dubai: dxb.bbzs3.com

   • Access Key ID: Insert the displayed Access Key from our portal.

   • Secret Access Key ID: Insert the displayed Secret Key from our portal.

4. Press the connect button

Cyber Protect represents an all-in-one cyber protection solution that integrates backup and recovery, disaster recovery, malware prevention, security controls, remote assistance, monitoring, and reporting.

It protects your entire business and businesses of your customers through layered protection approach, an innovative combination of proactive, active, and reactive data protection technologies:

• Proactive actions, such as vulnerability assessment/patch management, predictive analysis of hard drive health based on machine learning technologies, allow you to prevent any threats to your machines.

• Active actions, such as protection against malware, self-protection, allow you to detect threats.

• Reactive actions, such as backup and recovery (on-premises and cloud), disaster recovery (on-premises and cloud), allow you to respond to any failures.

Cyber Protect provides you with one protection agent, one service console that is easy to manage, and one protection plan that covers all security and data protection aspects.

Key functionality

Cyber Protect provides the following functionality:

• Backup and recovery allows you to back up and recover physical machines, virtual machines, and applications.

• Disaster recovery allows you to protect your local environment from disasters by launching the exact copies of machines in the cloud and switching the workload to the cloud servers.

• Antimalware and web protection provides you with the top multi-layered protection based on four different antimalware technologies inside. You will also be able to manage Microsoft Security Essentials and Windows Defender Antivirus from the service console. The URL filtering functionality allows you to prevent malicious file download and block access to suspicious web resources.

• Autodiscovery of machines provides you with an easy and automatic way to register a large number of machines and install a protection agent and additional components.

• Vulnerability assessment allows you to scan Microsoft, Linux, macOS, Microsoft third-party products, and macOS third-party products for vulnerabilities.

• Patch management integrated with backup provides you with the following capabilities: automatic and manual patch approval, scheduled and on-demand patch installation, flexible reboot and maintenance window options, staged deployment.

• Hard drive health control allows you to track the status of hard disks and prevent their crash. Disk control uses a combination of machine learning and SMART reporting to predict disk failures.

• Remote management and assistance allows you to connect and manage machines remotely.

• #CyberFit Score provides you with a security assessment and scoring mechanism that evaluates the security posture of your machine.

• Device control enables you to limit the user access to local and redirected peripheral devices, ports, and clipboard on machines under protection plans.

Why Cyber Protection is special

Cyber Protection has the following unique features:

• Backup scanning in non-endpoint environments that ensures malware-free restores. It increases the potential of rootkits and bootkits detection and reduces loads on your machines.

• Safe recovery based on integrated antimalware scanning and malware deletion to prevent recurrence of an infection.

• Smart protection built on the basis of alarms received from Cyber Protection Operations Center (CPOC). This feature allows you to minimize business process downtime when facing issues like a malware attack, natural disaster, to reduce reaction time, and to avoid data loss.

• Protection from bad patches by creating pre-update backups.

• Continuous data protection that ensures that you will not lose your data changes made between scheduled backups. You can control what will be continuously backed up – Office documents, financial forms, graphic files, and so on. You get improved RPOs due to continuous backups.

• A data protection map that ensures tracking data distribution across the machines, monitoring the protection status of files, and using the collected data as the basis for compliance reports.

• Forensic backup that allows you to collect digital evidence data, include them in a disk-level backup, and use them for future investigations.

• Company-wide allowlist built on backups that allows you to prevent false detections. This feature eliminates time-consuming manual listing of trusted corporate applications, ensures greater productivity, and improves the detection rate by using improved heuristics.

Besides basic Amazon S3 operations like GET, PUT, COPY, DELETE, the Bamboozle Object Storage implementation of the Amazon S3 protocol supports the following features:

• Multipart upload

• Access control lists (ACLs)

• Versioning

• Signed URLs

• Object locking

• Geo-replication

• Server access logging

• Object storage classes

• Cross-region replication (CRR)

• Bucket policies

• Object expiration

• Cross-origin resource sharing (CORS)

Supported authentication schemes

The following authentication schemes are supported by the Bamboozle Object Storage implementation of the Amazon S3 protocol:

• Signature Version 2

• Signature Version 4

The following authentication methods are supported by the Bamboozle Object Storage implementation of the Amazon S3 protocol:

• Using the authorization header

  • Transferring payload in a single chunk

• Using query parameters

• Browser-based uploads using POST

The following authentication method is not supported:

• Transferring payload in multiple chunks

Supported Amazon request headers

The following Amazon S3 REST request headers are currently supported by the Bamboozle Object Storage implementation of the Amazon S3 protocol:

• Authorization

• Content-Length

• Content-Type

• Content-MD5

• Date

• Host

• x-amz-content-sha256

• x-amz-date

• x-amz-security-token

• x-amz-object-lock-retain-until-date

• x-amz-object-lock-mode

• x-amz-object-lock-legal-hold

• x-amz-bypass-governance-retention

• x-amz-bucket-object-lock-enabled

• x-amz-geo-endpoint

• x-amz-geo-access-key

• x-amz-geo-access-secret

Supported Amazon response headers

The following Amazon S3 REST response headers are currently supported by the Bamboozle Object Storage implementation of the Amazon S3 protocol:

• Content-Length

• Content-Type

• Connection

• Date

• ETag

• x-amz-delete-marker

• x-amz-request-id

• x-amz-version-id

• x-amz-object-lock-retain-until-date

• x-amz-object-lock-mode

• x-amz-object-lock-legal-hold

• x-amz-geo-endpoint

• x-amz-geo-access-key

• x-amz-geo-access-secret

The following Amazon S3 REST response headers are not used:

• Server

• x-amz-id-2

Supported Amazon error response headers

The following Amazon S3 REST error response headers are currently supported by the Bamboozle Object Storage implementation of the Amazon S3 protocol:

• Code

• Error

• Message

The following Amazon S3 REST error response headers are not supported:

• RequestId (not used)

• Resource

Supported Amazon S3 object expiration actions

The Flow Object Storage implementation of the Amazon S3 object lifecycle only supports object expiration by prefix. Deleting objects by tag is not available. The rule definition for object expiration is similar to that for bucket policies.

The following S3 object expiration actions are currently supported:

• Expiration. Deletes objects by age or by date. In case of versioning, inserts a delete marker, which becomes the latest version of an object. Delete markers are not removed.

• NonCurrentVersionExpiration. Deletes an object version after it has become non-current for the specified number of days.

• AbortIncompleteMultipartUpload. Aborts a multipart upload that has not completed during the specified number of days.

• ExpiredObjectDeleteMarker. Deletes a delete marker as soon as there are no other versions of an object.

Once you register in our portal an activation link is sent to the email provided in the system. Please follow the steps to activate your account.

• Activate account button. Click the button and set the password for your account. Ensure that your password is at least nine characters long. For more information about the password, refer to Password requirements.

If your administrator has enabled two-factor authentication, you will be prompted to set it up for your account. For more information about it, refer to Two-factor authentication.

Password requirements

Two-factor authentication

The password for a user account must be at least 9 characters long. Passwords are also checked for complexity, and fall into one of the following categories:

• Weak

• Medium

• Strong

You cannot save a weak password, even though it might contain 9 characters or more. Passwords that repeat the user name, the login, the user email, or the name of the tenant to which a user account belongs are always considered weak. Most common passwords are also considered weak.

To strengthen a password, add more characters to it. Using different types of characters, such as digits, uppercase and lowercase letters, and special characters, is not mandatory but it results in stronger passwords that are also shorter.

The Cyber Protection console provides access to additional services or features, such as File Sync & Share or Antivirus and Antimalware protection, Patch management, Device control, and Vulnerability assessment. The type and number of these services and features vary according to your Cyber Protection license.

To check the dashboard with the most important information about your protection, go to Monitoring > Overview.

Depending on your access permissions, you can manage the protection for one or multiple customer tenants or units in a tenant. To switch the hierarchy level, use the drop-down list in the navigation menu. Only the levels to which you have access are shown. To go to the management portal, click Manage.

The Devices section is available in simple and table view. To switch between them, click the corresponding icon in the top right corner.

The simple view shows only a few workloads.

Two-factor authentication provides extra protection from unauthorized access to your account. When two-factor authentication is set up, you are required to enter your password (the first factor) and a one-time code (the second factor) to log in to the service console. The one-time code is generated by a special application that must be installed on your mobile phone or another device that belongs to you. Even if someone finds out your login and password, they still will not be able to login without access to your second-factor device.

The one-time code to configure two-factor authentication for your account is generated based on the device's current time and the secret provided by the Cyber Protection service as the QR code or alphanumeric code. During the first login, you need to enter this secret to the authentication application.

To set up two-factor authentication for your account

You can and must configure two-factor authentication for your account when two-factor authentication has been enabled by an administrator for your organization. If two-factor authentication has been enabled while you are logged in to the Cyber Protection service console, you will have to configure it when your current session expires.

Prerequisites:

• Two-factor authentication is enabled for your organization.

• You are logged out of the Cyber Protection service console.

1. Choose a second-factor device.

   Most commonly it is a mobile phone, but you can also use a tablet, laptop, or desktop.

2. Ensure that the device time settings are correct and reflect the actual current time, and that the device locks itself after a period of inactivity.

3. Install the authentication application on the device. The recommended applications are Google Authenticator or Microsoft Authenticator.

4. Go to the Cyber Protection service console sign in page and set your password.

   The service console shows the QR code and the alphanumeric code.

5. Save the QR code and the alphanumeric code in any convenient way (such as, print out the screen, write down the code, or save the screenshot in cloud storage). If you lose the second-factor device, you will be able to reset the two-factor authentication by using these codes.

6. Open the authentication application, and then do one of the following:

   • Scan the QR code

   • Manually enter the alphanumeric code to the application

   The authentication application generates a one-time code. A new code will be generated every 30 seconds.

7. Return to the service console login page and enter the generated code.

   A one-time code is valid for 30 seconds. If you wait longer than 30 seconds, use the next generated code.

When logging in the next time, you can select the checkbox Trust this browser.... If you do this, the one-time code will not be required when you log in by using this browser on this machine.

What if...

...I lost the second-factor device?

If you have a trusted browser, you will be able to log in by using this browser. Nevertheless, when you have a new device, repeat steps 1-3 and 6-7 of the above procedure by using the new device and the saved QR code or alphanumeric code.

If you have not saved the code, ask the administrator or service provider to reset the two-factor authentication for your account, and then repeat steps 1-3 and 6-7 of the above procedure by using the new device.

...I want to change the second-factor device?

When logging in, click the Reset two-factor authentication settings link, confirm the operation by entering the one-time code, and then repeat the above procedure by using the new device.

After you activate your account, you can access the Cyber Protection service by logging in to the Cyber Protection console or via the management portal.

To log in to the Cyber Protection console

1. Go to the Cyber Protection service login page.

2. Type your login, and then click Next.

3. Type your password, and then click Next.

4. [If you use more than one Cyber Protect Cloud service] Click Cyber Protection.

   Users who only have access the Cyber Protection service, log in directly to the Cyber Protection console.

The timeout period for the Cyber Protection console is 24 hours for active sessions and 1 hour for idle sessions.

You can change the language of the web interface by clicking the account icon in the upper-right corner.

To access the Cyber Protection console via the management portal

1. In the management portal, go to Monitoring > Usage.

2. Under Cyber Protect, select Protection, and then click Manage service.

   Alternatively, under Clients, select a customer, and then click Manage service.

As a result, you are redirected to the Cyber Protection console.

To reset your password

1. Go to the Cyber Protection service login page.

2. Type your login, and then click Next.

3. Click Forgot password?

4. Confirm that you want further instructions by clicking Send.

5. Follow the instructions in the email that you have received.

6. Set up your new password.

The Cyber Protect features are supported on the following operating systems:

• Windows: Windows 7 Service Pack 1 and later, Windows Server 2008 R2 Service Pack 1 and later.

  Windows Defender Antivirus management is supported on Windows 8.1 and later.

• Linux: CentOS 6.10, 7.8+, CloudLinux 6.10, 7.8+, Ubuntu 16.04.7+, where plus refers to minor versions of these distributions.

  Other Linux distributions and versions might be supported, but have not been tested.

• macOS: 10.13.x and later (only Antivirus and Antimalware protection, and Device control are supported). Device control functionality is supported on macOS 10.15 and later or macOS 11.2.3 and later.

  Agent for Data Loss Prevention might be installed on unsupported macOS systems because it is an integral part of Agent for Mac. In this case, the Cyber Protect console will display that Agent for Data Loss Prevention is installed on the computer, but the device control functionality will not work. Device control functionality will only work on macOS systems that are supported by Agent for Data Loss Prevention.

Backup operations require about 1 GB of RAM per 1 TB of backup size. The memory consumption may vary, depending on the amount and type of data being processed by the agents.

On x64 systems, operations with bootable media and disk recovery with restart require at least 2 GB of memory.

In Windows, Agent for Exchange, Agent for SQL, Agent for Active Directory, and Agent for Oracle require that Agent for Windows is also installed. Thus, if you install, for example, Agent for SQL, you also will be able to back up the entire machine where the agent is installed.

It is recommended to install Agent for Windows when you install also Agent for VMware (Windows) and Agent for Hyper-V.

In Linux, Agent for Oracle and Agent for Virtuozzo require that Agent for Linux (64-bit) is also installed. These three agents share one installer.

*During the installation, Agent for Exchange checks for enough free space on the machine where it will run. Free space equal to 15 percent of the biggest Exchange database is temporarily needed during a granular recovery.

**If your ESXi uses a SAN attached storage, install the agent on a machine connected to the same SAN. The agent will back up the virtual machines directly from the storage rather than via the ESXi host and LAN. For detailed instructions, refer to "Agent for VMware - LAN-free backup".

***For Virtuozzo 7, only ploop containers are supported. Virtual machines are not supported.

****A virtual machine is considered virtual if it is backed up by an external agent. If an agent is installed in the guest system, the backup and recovery operations are the same as with a physical machine. Nevertheless, if Cyber Protection can identify a virtual machine by using the CPUID instruction, a virtual machine service quota is assigned to it. If you use direct passthrough or another option that masks the CPU manufacturer ID, only service quotas for physical machines can be assigned.