STCSG - Oracle Compute Cloud Service


Oracle® Cloud

Using Oracle Compute Cloud Service (IaaS)


E63022-07

May 2016
Documentation for Oracle Compute Cloud Service users and
administrators that describes how to provision and manage
instances, configure network and storage resources, add
machine images, and manage SSH keys.

Copyright © 2015, 2016, Oracle and/or its affiliates. All rights reserved.

Primary Author: Kumar Dhanagopal, Anamika Mukherjee, Sylaja Kannan

Contributing Authors: Jeffrey Welsch, Sudipa Bhattacharya, Gururaj BS, Mirek Chocholous, Jitendra
Chouhan, Bryn Divey, Vidya Gopal, Andrei Isaev, Diby Malakar, Stephen Mayer, Tim McDuff, Irina Mok,
Raja Mukherjee, Octave Orgeron, Kiran Palan, Vimal Patel, Jeffrey Pleau, Gary Resnick, Modin Shaik, Vivek
Sedhumadhavan, Costa Siourbas, Sundar Srinivasan, Jeff Welsch, Paul Wickstrom, Chen Xie, Xiaofeng Yang,
Vincent Yee

This software and related documentation are provided under a license agreement containing restrictions on
use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your
license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,
transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse
engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is
prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If
you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on
behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software,
any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are
"commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-
specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the
programs, including any operating system, integrated software, any programs installed on the hardware,
and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications.
It is not developed or intended for use in any inherently dangerous applications, including applications that
may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you
shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its
safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this
software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of
their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are
used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron,
the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro
Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products,
and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly
disclaim all warranties of any kind with respect to third-party content, products, and services unless
otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates
will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party
content, products, or services, except as set forth in an applicable agreement between you and Oracle.
Contents

Preface
  Audience
  Related Resources
  Conventions

1 Getting Started with Oracle Compute Cloud Service


About Oracle Compute Cloud Service
Before You Begin with Oracle Compute Cloud Service
How to Begin with Oracle Compute Cloud Service Subscriptions
Oracle Compute Cloud Service Terminology
Accessing Oracle Compute Cloud Service Using the Web Console
Accessing Oracle Compute Cloud Service Using REST API
About Oracle Compute Cloud Service Roles
Workflow for Using Oracle Compute Cloud Service

2 Enabling Secure Access to Instances Using SSH


About SSH Keys
Generating an SSH Key Pair
Adding an SSH Public Key
Attaching an SSH Public Key to an Instance
Viewing an SSH Public Key
Updating an SSH Public Key
Disabling an SSH Public Key
Enabling an SSH Public Key
Deleting an SSH Public Key

3 Managing Instances
About Instances
About Machine Images and Shapes
Instance Life Cycle
Workflow for Creating Your First Instance
  Workflow for Creating Your First Oracle Linux Instance
  Workflow for Creating Your First Oracle Solaris Instance
  Workflow for Creating Your First Windows Instance
Creating Instances
  Creating an Instance from the Instances Page
  Creating an Instance Using a Custom Machine Image
  Creating an Instance Using an Image from Oracle Cloud Marketplace
  Creating Instances Using Orchestrations
  Creating Instances Using Launch Plans
Listing Instances
Monitoring Instances
Logging In to an Instance
Retrieving Instance Metadata
  About Instance Metadata
  Retrieving Predefined Instance Metadata
  Retrieving User-Defined Instance Attributes
  Sample Scenario for Specifying and Using Instance Attributes
Updating an Instance
  Attaching a Storage Volume to an Instance
  Detaching a Storage Volume from an Instance
  Adding an Instance to a Security List
  Removing an Instance from a Security List
Cloning an Instance by Using Instance Snapshots
  Creating an Instance Snapshot
  Registering the Image Generated by an Instance Snapshot
  Creating an Instance from an Instance Snapshot
  Deleting an Instance Snapshot
Restarting an Instance
  Restarting an Oracle Linux Instance
  Restarting an Oracle Solaris Instance
  Restarting a Windows Instance
Deleting an Instance
Updating Packages on an Oracle Solaris Instance

4 Managing Orchestrations
About Orchestrations
Orchestration Templates
Workflow for Creating Instances Using Orchestrations
Building Your First Orchestration
Attributes in Orchestrations
  Top-Level Orchestration Attributes
  Object Plan Attributes
  Orchestration Attributes Specific to Each Object Type
Uploading an Orchestration
Orchestration Life Cycle
Starting an Orchestration
Monitoring Orchestrations
Return Parameters Displayed in an Orchestration
Stopping an Orchestration
Downloading an Orchestration
Updating an Orchestration
Deleting an Orchestration

5 Managing Machine Images


About Oracle-Provided Linux Images
About Oracle-Provided Solaris Images
About Oracle-Provided Windows Images
Workflow for Creating Instances Using a Custom Machine Image
Building Your Own Machine Images
  Guidelines for Building Private Images
  Building an Oracle Linux Machine Image
Uploading Machine Image Files to Oracle Storage Cloud Service
Registering a Machine Image in Oracle Compute Cloud Service
Listing Machine Images
Deleting a Custom Machine Image
Maintaining Versions of Custom Machine Images

6 Managing Storage Volumes


About Storage Volumes
Creating a Storage Volume
Creating a Bootable Storage Volume
Cloning a Storage Volume by Using Storage Volume Snapshots
  Creating a Storage Volume Snapshot
  Listing Storage Volume Snapshots
  Creating a Storage Volume from a Snapshot
  Deleting a Storage Volume Snapshot
Attaching a Storage Volume to an Instance
Viewing Details of a Storage Volume
Mounting a Storage Volume on a Linux Instance
Unmounting a Storage Volume from a Linux Instance
Mounting a Storage Volume on an Oracle Solaris Instance
Unmounting a Storage Volume from an Oracle Solaris Instance
Mounting a Storage Volume on a Windows Instance
Unmounting a Storage Volume from a Windows Instance
Detaching a Storage Volume from an Instance
Deleting a Storage Volume

7 Configuring Network Settings
About Network Settings
Managing Security Lists
  About Security Lists
  Creating a Security List
  Updating a Security List
  Adding an Instance to a Security List
  Removing an Instance from a Security List
  Deleting a Security List
Managing Security Rules
  About Security Rules
  Creating a Security Rule
  Updating a Security Rule
  Deleting a Security Rule
Managing Security Applications
  About Security Applications
  Creating a Security Application
  Deleting a Security Application
Managing Security IP Lists
  About Security IP Lists
  Creating a Security IP List
  Updating a Security IP List
  Deleting a Security IP List
Managing Public IP Addresses
  About Public IP Addresses
  Reserving a Public IP Address
  Updating an IP Reservation
  Attaching a Public IP Address to an Instance
  Removing a Public IP Address from an Instance
  Deleting an IP Reservation
Setting Up Firewalls and Opening Ports for a Sample Scenario

8 Accessing an Oracle Linux Instance Using SSH


Accessing an Instance from UNIX and UNIX-Like Systems
Accessing an Instance from Windows
Adding Users on an Oracle Linux Instance

9 Accessing an Oracle Solaris Instance Using SSH

10 Accessing a Windows Instance Using RDP

11 Connecting to Oracle Compute Cloud Service Instances Using VPN
About Oracle Network Cloud Service – VPN for Dedicated Compute
Requesting Oracle Network Cloud Service – VPN for Dedicated Compute
Configuring Your VPN Gateway
  Example Configuration of a VPN Gateway
Managing Your VPN Connections
  Starting a VPN Connection
  Listing Your VPN Connections
  Viewing Details of a VPN Connection
  Updating a VPN Connection
  Disabling a VPN Connection
  Deleting a VPN Connection
Accessing Your Instances Using VPN

12 Automating Instance Configuration Using opc-init


About opc-init
Prerequisites for Using opc-init
Defining Instance Configuration Attributes
User Data Attributes

13 Best Practices for Using Oracle Compute Cloud Service

14 Frequently Asked Questions for Oracle Compute Cloud Service


Machine Image
Interfaces
Instance Properties
Instance Usage
Windows Instances
Network Settings
Storage Management
Orchestrations
Using SSH Keys
Connecting to Instances
Support

15 Troubleshooting Oracle Compute Cloud Service


Web Console Problems
  Can’t access the web console
  Can’t create, update, or delete objects
  Can’t upload an orchestration
  My orchestration hasn’t created any instances
  Error while starting an orchestration
  Can’t attach a storage volume to an instance
  Can't detach a storage volume from an instance
  Can't delete a storage volume
  Can’t remove an IP address from an instance
  Can’t delete a security application
  Can’t delete an SSH key
Instance Life Cycle Problems
  My orchestration hasn’t created any instances
  Can’t create an instance using a launch plan. Error: Shape does not exist
  Can’t create an instance using a launch plan. Error: Unable to open file
  Can’t create an instance using a launch plan. Error displayed: Data is invalid JSON
  My instance was created using an incorrect image
  Unable to restart an instance
Networking Problems
  Can’t connect to an instance using SSH
  RSA key fingerprint error while connecting to an instance
  Can’t get instances to communicate with each other
  Can’t access my instance even though it has a public IP address
  Can’t remove an IP address from an instance
  Can’t delete a security application
SSH Key Problems
  Can’t connect to an instance using SSH
  Can’t access an instance as a local user over SSH
  RSA key fingerprint error while connecting to an instance
  Can’t delete an SSH key
Storage Volume Problems
  Can’t attach a storage volume to an instance
  Can’t access a storage volume on my instance
  I can no longer access my storage volume from my instance
  Can't detach a storage volume from an instance
  Can't delete a storage volume
Orchestration Problems
  Can’t upload an orchestration
  My orchestration hasn’t created any instances
  Error while starting an orchestration
  My instance was created using a wrong image
  My orchestration is stuck in the stopping state
Launch Plan Problems
  Can’t create an instance using a launch plan. Error: Shape does not exist
  Can’t create an instance using a launch plan. Error: Unable to open file
  Can’t create an instance using a launch plan. Error displayed: Data is invalid JSON

Preface

Using Oracle Compute Cloud Service describes how to provision and manage Oracle
Compute Cloud Service instances, configure network and storage resources, add
machine images, and manage SSH keys.

Topics

• Audience

• Related Resources

• Conventions

Audience
This document is intended for administrators and users of Oracle Compute Cloud
Service.

Related Resources
For more information, see these Oracle resources:

• REST API for Oracle Compute Cloud Service

• Oracle Compute Cloud Service tutorials

Conventions
This table describes the text conventions used in this document.

| Convention | Meaning |
| --- | --- |
| boldface | Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary. |
| italic | Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values. |
| monospace | Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter. |

1 Getting Started with Oracle Compute Cloud Service

Topics

• About Oracle Compute Cloud Service

• Before You Begin with Oracle Compute Cloud Service

• How to Begin with Oracle Compute Cloud Service Subscriptions

• Oracle Compute Cloud Service Terminology

• Accessing Oracle Compute Cloud Service Using the Web Console

• Accessing Oracle Compute Cloud Service Using REST API

• About Oracle Compute Cloud Service Roles

• Workflow for Using Oracle Compute Cloud Service

About Oracle Compute Cloud Service


You can use Oracle Compute Cloud Service to rapidly provision virtual machines on
Oracle Cloud with all the necessary storage and networking resources, manage and
scale your virtual machine topology in the cloud easily, and migrate your Oracle and
third-party applications to Oracle Cloud.
Oracle Compute Cloud Service is a secure, reliable, low-cost, standards-based
infrastructure service. For a brief introduction to the features of the service, watch this
video.
Using Oracle Compute Cloud Service, you can do the following:

• Migrate your applications to the public cloud

– When you subscribe to Oracle Compute Cloud Service, you can opt for a
dedicated environment, called a site, that consists of high-performance x86
servers reserved for your use. Depending on the configuration that you
subscribe to, you get compute power equivalent to 500, 1000, 1500, or 2000
physical cores (OCPUs) of a modern Intel Xeon processor with hyperthreading
enabled.
You can migrate your on-premises applications to virtual machines that you
create on these dedicated sites, and take advantage of the elastic compute,
storage, and network capabilities that Oracle Compute Cloud Service provides.
And because you’re the only tenant on the site, you get predictable performance
in the cloud. Besides, you can extend your data center to Oracle Cloud by
requesting Oracle Network Cloud Service - VPN for Dedicated Compute.

– You can also subscribe for the required number of OCPUs in a site that’s shared
with other tenants. You can opt for a metered or nonmetered subscription.
In the case of a nonmetered subscription, you can provision resources up to
twice the subscribed capacity. For example, if you’ve paid for a nonmetered
subscription for 20 OCPUs, you can provision instances that consume up to 40
OCPUs. The additional usage will be charged per hour and billed monthly.
For pricing information, go to https://cloud.oracle.com/compute and click the
Pricing tab.

• Assign processor and memory resources from a range of resource profiles


While creating Oracle Compute Cloud Service instances, you can assign CPU and
memory resources by selecting from a wide range of resource profiles (called
shapes), each of which is a carefully designed combination of processor and
memory limits.

• Automate your VM provisioning and management workflows


You can define all the attributes for multiple, high availability (HA)-enabled virtual
machines of varying shapes and machine images in an orchestration. Using the
web console, you can then easily create, remove, and re-provision all of the virtual
machines and associated resources as required through the orchestration.

• Create instances using Oracle-provided and custom machine images


You can use one of several Oracle-provided machine images to quickly provision
robust virtual machines. In addition, you can build custom machine images based
on the operating system and disk size of your choice and use those images to create
virtual machines.
The operating system and software that you use to build private images must have
the required licenses. You’re responsible for purchasing the required licenses and
ensuring support for any third-party operating systems and software that you run
on Oracle Compute Cloud Service instances.

• Clone your instances using snapshots


After creating and customizing an instance using a nonpersistent boot disk, you
can use instance snapshots to use the instance as a template to create multiple
identical instances.

• Provide a persistent boot disk for your instance


While creating an instance, you can set it up to boot from a persistent disk,
ensuring that any changes that you make at the operating system-level persist
when the instance is re-created.

• Attach high-capacity block storage to instances


You can attach up to 20 TB of block storage to each of your instances for storing
data and applications, by creating multiple persistent storage volumes and
attaching them to the instances. Even after you delete instances, the data stored in
the storage volumes remains intact until you delete the volumes.

• Clone storage volumes using snapshots


With the Dedicated Compute offering of Oracle Compute Cloud Service, you can
use storage volume snapshots to create snapshots of persistent data or boot
volumes. You can then use these storage volume snapshots as a form of data
backup, or to create multiple, identical storage volumes.

• Exercise fine-grained control over network traffic


You can control network traffic among individual instances and also between
specific groups of instances and external hosts. You can also control traffic to and
from instances over specific protocols and ports that you can define.

• Reserve and assign fixed public IP addresses


For an instance that requires access to the Internet, you can reserve and use a static
public IP address.

• Monitor and manage all of your resources through a unified interface


You can access, administer, and use Oracle Compute Cloud Service through an
easy-to-use graphical web console. The console provides a single interface that you
can use to monitor and manage all your Oracle Compute Cloud Service resources.
You can also access Oracle Compute Cloud Service and manage resources by using
REST API calls.

• Ensure secure access to instances


You can configure your Oracle Compute Cloud Service Linux and Solaris instances
(virtual machines) to be accessed securely from remote hosts by using SSH, and
you can configure your Windows instances to be accessed securely by using RDP.

Before You Begin with Oracle Compute Cloud Service


Before you begin using Oracle Compute Cloud Service:

• Create and configure your account on Oracle Cloud. See Getting an Oracle.com
Account in Getting Started with Oracle Cloud.

• Understand the features of the service. See About Oracle Compute Cloud Service.

• Be familiar with the Oracle Compute Cloud Service terminology. See Oracle
Compute Cloud Service Terminology.

How to Begin with Oracle Compute Cloud Service Subscriptions


To get started with Oracle Compute Cloud Service, you must request a trial or paid
subscription and activate the service. After you’ve activated the service and reviewed
the terminology, you can get started with creating users and assigning roles.

Here's a summary of the key steps:

1. Request a trial or purchase a subscription. See Subscribing to an Oracle Cloud
Service Trial or Buying a Non-metered Subscription to an Oracle Cloud Service in
Getting Started with Oracle Cloud.

2. Activate the service. See Activating Your Trial Subscription or Activating Your
Order in Getting Started with Oracle Cloud.

3. Verify activation. See Verifying That Your Trial Is Running or Verifying That a
Service Is Running in Getting Started with Oracle Cloud.

4. Learn about the users and roles. See About Oracle Compute Cloud Service Roles.

5. Create users and assign appropriate roles to each user. See Managing User
Accounts and Managing User Roles in Managing and Monitoring Oracle Cloud.

6. Get familiar with Oracle Compute Cloud Service terminology. See Oracle Compute
Cloud Service Terminology.

Oracle Compute Cloud Service Terminology


The following table lists and describes the key terms used in Oracle Compute Cloud
Service.

| Term | Definition | More Information |
| --- | --- | --- |
| Instance | An instance is a virtual machine in Oracle Compute Cloud Service, created by using a specific machine image, with CPU and memory resources defined by a shape. | About Instances |
| Machine Image | A machine image is a template of a virtual hard disk of a specific size with an installed operating system. You use machine images to create virtual machine instances in Oracle Compute Cloud Service. | Managing Machine Images |
| Image List | An image list is a collection of Oracle Compute Cloud Service machine images. Each machine image in an image list is identified by a unique entry number. | Maintaining Versions of Custom Machine Images |
| Shape | A shape is a resource profile that specifies the number of CPUs and the amount of memory to be allocated to an instance in Oracle Compute Cloud Service. | About Machine Images and Shapes |
| Launch plan | A launch plan is a JSON (JavaScript Object Notation)-formatted file that defines the properties of one or more instances in Oracle Compute Cloud Service. You can use a launch plan to quickly start multiple instances in Oracle Compute Cloud Service. The attributes in a launch plan include the instance label and name, the image and shape to be used for the instance, and so on. | Creating Instances Using Launch Plans |
| Orchestration | An orchestration defines the attributes and interdependencies of a collection of compute, networking, and storage resources in Oracle Compute Cloud Service. You can use orchestrations to automate the provisioning and lifecycle operations of an entire virtual compute topology. | About Orchestrations |
| IP Reservation | An IP reservation is a public IP address that you can attach to an Oracle Compute Cloud Service instance that requires access to or from the Internet. | About Public IP Addresses |
| Storage Volume | A storage volume is a virtual disk that provides persistent block storage space for instances in Oracle Compute Cloud Service. | About Storage Volumes |
| Security List | A security list is a group of Oracle Compute Cloud Service instances that you can specify as the source or destination in one or more security rules. The instances in a security list can communicate fully, on all ports, with other instances in the same security list. When you add an instance to a security list, the inbound and outbound policies defined in the security list are applicable to that instance. In the API, security lists are called seclists. | About Security Lists |
| Security IP List | A security IP list is a list of IP subnets (in the CIDR format) or IP addresses that are external to instances in Oracle Compute Cloud Service. You can use a security IP list as the source or the destination in security rules to control network access to or from Oracle Compute Cloud Service instances. In the API, security IP lists are called seciplists. | About Security IP Lists |
| Security Application | A security application is a protocol-port mapping that you can use in security rules. In the API, security applications are called secapplications. | About Security Applications |
| Security Rule | A security rule is a firewall rule that you can define to control network access to Oracle Compute Cloud Service instances over a specified security application. You can use a security rule to control network access between instances in two security lists, or from a set of external hosts (a security IP list) to instances in a security list. In the API, security rules are called secrules. | About Security Rules |
| Site | A site consists of the compute, storage, and networking resources that are dedicated in an Oracle Cloud data center for hosting your Oracle Compute Cloud Service instances when you subscribe to the Dedicated Compute offering. A site is isolated physically from all the other resources in the data center. | |

Relationships Between Oracle Compute Cloud Service Resources


The following diagram shows the relationships between the resources that you can use
to create and manage instances in Oracle Compute Cloud Service.
Each oval in the diagram represents a resource in Oracle Compute Cloud Service.
The numbers at either end of each arrow and the text label on the arrow, together,
indicate the relationship between the resources that the arrow connects. For example,
the number 1 at either end of the arrow between IP reservations and instance indicates
that you can associate an IP reservation with only one instance and an instance with
only one IP reservation. Similarly, n at either end of the arrow connecting SSH public
key and instance indicates that you can associate any number of keys with each
instance and a single key with any number of instances.

Accessing Oracle Compute Cloud Service Using the Web Console


You can manage and monitor your Oracle Compute Cloud Service instances and the
associated storage and networking resources through an easy-to-use graphical web
console.

1. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

2. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

3. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

4. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

Note:

For security, the web console automatically times out after 15 minutes of
inactivity. To continue using the web console, log in again.

Accessing Oracle Compute Cloud Service Using REST API


You can programmatically provision and manage Oracle Compute Cloud Service
instances and the associated storage and networking resources by using a REST
(REpresentational State Transfer) application programming interface (API).
Each REST API call maps to an HTTP request: getting an object (GET), adding an object
(POST), updating an object (PUT), and deleting an object (DELETE). The HTTP
response code indicates whether the request was successful. Each object for which you
can perform the GET, POST, PUT, and DELETE requests is identified uniquely by its
URI.
To access Oracle Compute Cloud Service by using the REST API you must use the
REST endpoint URL that Oracle provided when your administrator subscribed to the
service.
To find out the REST endpoint URL for your service:

1. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in. See Signing In to the My Services Application in
Managing and Monitoring Oracle Cloud.
The Oracle Cloud My Services Dashboard page is displayed. It lists the services
that are assigned to your account.

2. Look for Oracle Compute Cloud Service.

3. From the menu, select View Details. The Service Details page is displayed.

4. Under Additional Information, look for the REST Endpoint field.


Most requests require authentication, for which you send an authentication request. If
the authentication request succeeds, a cookie is returned, which you must include in
all future requests. The requesting client must always use the latest cookie it receives.
For more information about using the REST API, see REST API for Oracle Compute
Cloud Service.

About Oracle Compute Cloud Service Roles


The following table summarizes the roles you can use to administer and use Oracle
Compute Cloud Service.

| Role | Description |
| --- | --- |
| TenantAdminGroup (Identity Domain Administrator) | Users who are assigned this role can perform all the tasks in the My Services application, including user and role management tasks. Note that Oracle assigns this role to all trial users. |
| service-instance-name.Compute_Operations (Service Administrator) | Users who are assigned this role can view, create, update, and delete Oracle Compute Cloud Service resources. The identity domain administrator can create additional service administrators, as required, by assigning this role in Oracle Cloud My Services. For business continuity, consider creating at least two users with the Compute_Operations role. These users must be IT system administrators in your organization. |
| service-instance-name.Compute_Monitor | Users who are assigned this role can view Oracle Compute Cloud Service resources. The identity domain administrator can create users with this role in Oracle Cloud My Services. |

See Adding Users and Assigning Roles in Getting Started with Oracle Cloud.

Workflow for Using Oracle Compute Cloud Service


Oracle Compute Cloud Service supports multiple workflows for creating compute,
network, and storage resources.
For example, you can create the required storage volumes first and then create the
instances to which the storage volumes should be attached. Alternatively, you can
create instances first and then create and attach the required storage volumes to the
instances. Similarly, you can create security lists first and then create instances and
add them to the security lists, or you can create the instances first and then create
security lists and add instances to them.
The following table provides a sample workflow to get an Oracle Compute Cloud
Service account and start creating and accessing instances. Use this workflow as a
guide to get started with Oracle Compute Cloud Service.

| Task | Description | More Information |
| --- | --- | --- |
| Request a trial or purchase a subscription to Oracle Compute Cloud Service. | Provide your information, and sign up for a free trial or purchase a subscription. After activation, create accounts for your users and assign appropriate privileges and roles to each user. | How to Begin with Oracle Compute Cloud Service Subscriptions |
| Monitor the service. | Check on the day-to-day operation of your service, monitor performance, and review important notifications. | Managing and Monitoring Oracle Cloud Services in Managing and Monitoring Oracle Cloud |
| Understand Oracle Compute Cloud Service terminology. | Learn about instances, images, shapes, security lists, security rules, and so on. | Oracle Compute Cloud Service Terminology |
| Generate SSH key pairs. | Generate the SSH key pairs that you plan to use to access your Linux instances. | Generating an SSH Key Pair |
| Access the service. | Access the service through the Oracle Compute Cloud Service web console or RESTful API. | Accessing Oracle Compute Cloud Service Using the Web Console |
| Add and enable SSH public keys. | Add the SSH public keys that you generated, and enable the keys. | Adding an SSH Public Key |
| (Optional) Build machine images and add them to Oracle Compute Cloud Service | Build your own machine images, upload them to Oracle Storage Cloud Service, and register them in Oracle Compute Cloud Service. | Workflow for Creating Instances Using a Custom Machine Image |
| (Optional) Create boot disks. | Create storage volumes that can be used as boot disks for instances. | Creating a Bootable Storage Volume |
| (Optional) Create storage volumes. | Provide storage for your instances by creating and attaching storage volumes. | Managing Storage Volumes |
| Create instances. | Create instances with the required CPU, hard disk, and memory requirements according to the needs of your business. | Managing Instances |
| (Optional) Configure security lists and security rules | Set up firewalls for your instances by using security lists and security rules. | Configuring Network Settings |
| Log in to the instances. | Access your instances securely. | Accessing an Oracle Linux Instance Using SSH; Accessing an Oracle Solaris Instance Using SSH; Accessing a Windows Instance Using RDP |

2 Enabling Secure Access to Instances Using SSH

This section provides information about generating and using SSH keys to enable
secure access to your instances.

Note:

You can’t use SSH keys to log in to a Windows instance. However, you must
specify an SSH public key while creating your Windows instance using the
Create Instance wizard. To log in to your Windows instance using RDP, see
Accessing a Windows Instance Using RDP.

For information about using an SSH key to log in to your Linux instance, see
Accessing an Oracle Linux Instance Using SSH or Accessing an Oracle Solaris Instance
Using SSH.

Topics

• About SSH Keys

• Generating an SSH Key Pair

• Adding an SSH Public Key

• Attaching an SSH Public Key to an Instance

• Viewing an SSH Public Key

• Updating an SSH Public Key

• Disabling an SSH Public Key

• Enabling an SSH Public Key

• Deleting an SSH Public Key

About SSH Keys


You can log in securely to your Oracle Compute Cloud Service instances from a
remote host by using a secure shell (SSH) connection.

Note:
You can’t use SSH keys to log in to a Windows instance. However, you must
specify an SSH public key while creating your Windows instance using the
Create Instance wizard. To log in to your Windows instance using RDP, see
Accessing a Windows Instance Using RDP.

SSH is a cryptographic network protocol that uses two keys, a public key and a private
key, to provide secure communication between two computers. SSH uses port 22 by
default.
Before creating instances, generate at least one SSH key pair and ensure that the
private key is available on each host that you’ll use to access instances. You can use
any SSH utility to generate SSH keys and log in to your instances. For example, if
you’re logging in from a Windows host, you can use PuTTY. If you’re using a Linux
host, you can use OpenSSH.
You can associate a single SSH public key with multiple instances. Also, if you’ve
already created and uploaded SSH public keys to Oracle Compute Cloud Service, then
you can associate multiple SSH keys with an instance when you create the instance. If
you’ve created your instance using an Oracle-provided Oracle Linux image or an
Oracle-provided Oracle Solaris image, then you can use SSH to log in to your instance
as the opc user. You can then inject additional SSH public keys by editing the
/home/opc/.ssh/authorized_keys file on your instance.

Caution:

If you need to edit the ~/.ssh/authorized_keys file of the opc user on an
instance, then before you make any changes to the file, start a second ssh
session and ensure that it remains connected while you edit the
authorized_keys file. This second ssh session serves as a backup. If the
authorized_keys file gets corrupted or you inadvertently make changes
that result in the opc user getting locked out of the instance, then you can use
the backup ssh session to fix or revert the changes. Before closing the backup
session, test the changes you made in the ~/.ssh/authorized_keys file by
logging in with the new or updated SSH key. Remember, if you don’t have
any other user set up on your instance, and if any changes to the
~/.ssh/authorized_keys file result in the opc user getting locked out, then you
might not be left with any way to access your instance.

Note:
When an instance that’s set up to boot from a nonpersistent boot disk is
re-created, any SSH public keys that you added or edited manually (that is, not
during instance creation) must be added or edited again. To do this, you must
log in to the instance by using the original SSH private key. So retain and
safeguard your original SSH private key.

To log in to an instance by using SSH, you must provide the private key that matches a
public key associated with the instance.

Generating an SSH Key Pair


You must generate an SSH key pair, associate the public key with your instances, and
use the private key to log in to the instances using SSH.

Note:

You can’t use SSH keys to log in to a Windows instance. However, you must
specify an SSH public key while creating your Windows instance using the
Create Instance wizard. To log in to your Windows instance using RDP, see
Accessing a Windows Instance Using RDP.

Caution:

Keep your SSH keys secure. Lay down policies to ensure that the keys aren’t
lost or compromised when employees leave the organization or move to other
departments. If you lose your private key, then you can’t access your
instances. For business continuity, ensure that the SSH keys of at least two IT
system administrators are added to your instances.

Topics

• Generating an SSH Key Pair on UNIX and UNIX-Like Systems

• Generating an SSH Key Pair on Windows


Generating an SSH Key Pair on UNIX and UNIX-Like Systems
Use the following procedure to generate an SSH key pair on UNIX and UNIX-like
systems:

1. Run the ssh-keygen command.

You can use the -t option to specify the type of key to create.
For example, to create an RSA key, run:
ssh-keygen -t rsa

You can use the -b option to specify the length (bit size) of the key, as shown in
the following example:
ssh-keygen -b 2048 -t rsa

2. The command prompts you to enter the path to the file in which you want to save
the key.
A default path and file name are suggested in parentheses. For example:
/home/user_name/.ssh/id_rsa. To accept the default path and file name, press
Enter. Otherwise, enter the required path and file name, and then press Enter.

3. The command prompts you to enter a passphrase.


The passphrase is not required, but you can use it to protect your private key
against unauthorized use.

4. When prompted, enter the passphrase again to confirm it.


The command generates an SSH key pair consisting of a public key and a private key,
and saves them in the specified path. The file name of the public key is created
automatically by appending .pub to the name of the private key file. For example, if
the file name of the SSH private key is id_rsa, the file name of the public key would
be id_rsa.pub.
Make a note of the path and file names of the private and public keys. When you
create an instance, you must specify the SSH public key value. When you log in to an
instance, you must provide the path to the corresponding SSH private key and you
must enter the passphrase when prompted.

Generating an SSH Key Pair on Windows
You can generate an SSH key pair on a Microsoft Windows machine by using an
application such as PuTTY. See the tutorial, Creating SSH Keys for Use with Oracle
Cloud Services.

Adding an SSH Public Key


Before creating an instance, you must generate at least one SSH key pair and upload
the SSH public key that should be associated with the instance to Oracle Compute
Cloud Service. You’ll use this SSH key to access your instance later on, when your
instance is running.

Note:

You can’t use SSH keys to log in to a Windows instance. However, you must
specify an SSH public key while creating your Windows instance using the
Create Instance wizard. To log in to your Windows instance using RDP, see
Accessing a Windows Instance Using RDP.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• You must have generated an SSH key pair. See Generating an SSH Key Pair.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab and then click the SSH Public Keys tab in the left pane.

The SSH Public Keys page is displayed.

3. Click Add SSH Public Key.

4. Enter or select the following details:

• Enter a name for the key.


Choose a name that you can use to identify the key easily.

• In the Value field, paste the value of the SSH public key that you want to add.

Important:

Paste the key value exactly as it was generated. Don’t append or insert any
spaces, characters, or line breaks.
See the following example:

• To enable the key, select the Enabled check box. Alternatively, you can deselect
the check box and enable the key later.

5. Click Add.

After adding an SSH public key, you can attach it to an instance when you create the
instance.
To add an SSH public key using the API, use the POST /sshkey/ method. For more
information, see REST API for Oracle Compute Cloud Service.

Attaching an SSH Public Key to an Instance


You must attach an SSH key to an instance when you create the instance. You’ll use
this SSH key to access your instance later on, when your instance is running.

Note:
You can’t use SSH keys to log in to a Windows instance. However, you must
specify an SSH public key while creating your Windows instance using the
Create Instance wizard. To log in to your Windows instance using RDP, see
Accessing a Windows Instance Using RDP.

For more information about creating an instance, see Creating Instances.

Viewing an SSH Public Key


After you’ve generated an SSH key pair and added a public SSH key, you can view the
SSH key name and value.

Note:

You don’t need to do this if you’re creating a Windows instance, because you
can’t log in to a Windows instance using SSH.

To complete this task, you must have the Compute_Monitor or Compute_Operations
role. If this role isn’t assigned to you or you’re not sure, then ask your
system administrator to ensure that the role is assigned to you in Oracle Cloud
My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring
Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab and then click the SSH Public Keys tab in the left pane.

The SSH Public Keys page is displayed.

3. You can filter the list of SSH public keys according to their category or status. To
list SSH keys with a specific status (such as enabled or disabled), click the Show
menu and select the appropriate filter. To list SSH keys of a specific category (such
as all or personal), click the Category menu and select the appropriate filter.

4. Go to the SSH key that you want to view. From the menu, select View.

To view an SSH public key using the API, use the GET /sshkey/name method. For
more information, see REST API for Oracle Compute Cloud Service.

Updating an SSH Public Key


If an SSH public key that you’ve added to Oracle Compute Cloud Service isn’t
associated with any running instance, then you can change the value of the key. You
can also enable or disable the key.

Note:

You don’t need to do this if you’re creating a Windows instance, because you
can’t log in to a Windows instance using SSH.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring
Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab and then click the SSH Public Keys tab in the left pane.

The SSH Public Keys page is displayed.

3. Identify the key that you want to update. From the menu, select Update.

The Edit SSH Public Key dialog box is displayed.

4. Paste the new public key value (or enable or disable the key), and click Update.

If you update the value of an SSH public key, remember to make the new private key
(corresponding to the public key that you just updated) available on each of your local
hosts that’ll be used to access instances.

Note:

If a key is associated with one or more instances, then you can’t update the
key value through the web console. For such instances, you can update SSH
public keys by logging in to the instances and editing the
~/.ssh/authorized_keys file.

If you need to edit the ~/.ssh/authorized_keys file of a user on your
instance, then before you make any changes to the file, start a second ssh
session and ensure that it remains connected while you edit the
authorized_keys file. This second ssh session serves as a backup. If the
authorized_keys file gets corrupted or you inadvertently make changes
that result in your getting locked out of the instance, then you can use the
backup ssh session to fix or revert the changes. Before closing the backup ssh
session, test the changes you made in the authorized_keys file by logging
in with the new or updated SSH key.

When an instance that’s set up to boot from a nonpersistent boot disk is
re-created, any SSH public keys that you added or edited manually (that is, not
during instance creation) must be added or edited again. To do this, you must
log in to the instance by using the original SSH private key. So retain and
safeguard your original SSH private key.

To update an SSH key using the API, use the PUT /sshkey/name method. For more
information, see REST API for Oracle Compute Cloud Service.
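
The following added example (not part of the Oracle documentation) covers two points made above: the instruction under Adding an SSH Public Key to paste the key value exactly as it was generated, and the note on editing ~/.ssh/authorized_keys without locking yourself out. It checks that a key value is one intact line and then swaps a key in an authorized_keys file atomically, keeping a copy to revert to from the backup ssh session. The function names are hypothetical, the sample keys are constructed, and the field walk assumes plain RSA, ECDSA, or Ed25519 keys in OpenSSH's one-line format.

```python
import base64
import binascii
import os
import shutil
import struct
import tempfile


def _field(data: bytes) -> bytes:
    """Encode one length-prefixed field, as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def make_sample_key(seed: int, comment: str) -> str:
    """Build a constructed, structurally valid Ed25519 key line (sample data only)."""
    blob = _field(b"ssh-ed25519") + _field(bytes((seed + i) % 256 for i in range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def check_public_key(value: str) -> str:
    """Return the key type if value is one intact public key line; else raise ValueError."""
    if "\n" in value or "\r" in value:
        raise ValueError("line break inside key value")
    if value != value.strip():
        raise ValueError("leading or trailing whitespace")
    parts = value.split(" ", 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-data> [comment]'")
    key_type, encoded = parts[0], parts[1]
    try:
        blob = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key data is not valid base64") from None
    # Walk the length-prefixed fields; together they must consume the blob exactly.
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("key data is truncated")
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("key data is truncated")
        fields.append(blob[pos:pos + size])
        pos += size
    if len(fields) < 2 or fields[0] != key_type.encode():
        raise ValueError("declared key type does not match key data")
    return key_type


def replace_key(path: str, old_value: str, new_value: str) -> str:
    """Swap old_value for new_value in an authorized_keys file; return the backup path."""
    check_public_key(old_value)
    check_public_key(new_value)          # refuse to write a damaged key
    old_data = old_value.split(" ", 2)[1]
    with open(path, encoding="utf-8") as handle:
        lines = handle.read().splitlines()
    # Drop every line that carries the old key data; comments and other keys stay.
    kept = [line for line in lines if old_data not in line.split()]
    if len(kept) == len(lines):
        raise ValueError("old key not found; file left unchanged")
    kept.append(new_value)
    backup = path + ".bak"
    shutil.copy2(path, backup)           # copy to revert to from the backup session
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.write("\n".join(kept) + "\n")
        handle.flush()
        os.fsync(handle.fileno())
    os.chmod(tmp, 0o600)                 # owner-only permissions
    os.replace(tmp, path)                # atomic rename: never a half-written file
    return backup


if __name__ == "__main__":
    # Constructed demonstration in a scratch directory, not a real ~/.ssh.
    scratch = tempfile.mkdtemp()
    target = os.path.join(scratch, "authorized_keys")
    old_key = make_sample_key(1, "old@laptop")
    new_key = make_sample_key(2, "new@laptop")
    with open(target, "w", encoding="utf-8") as out:
        out.write(old_key + "\n")
    print("backup written to", replace_key(target, old_key, new_key))
    with open(target, encoding="utf-8") as result:
        print(result.read(), end="")
```

The atomic swap complements the backup ssh session described in the note; it does not replace testing a login with the new key before that session is closed.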

Disabling an SSH Public Key


When you add an SSH public key, by default the key is enabled. If a key isn’t being
used by any instance, you can disable the key. You can enable it again later.

Note:

You don’t need to do this if you’re creating a Windows instance, because you
can’t log in to a Windows instance using SSH.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring
Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab and then click the SSH Public Keys tab in the left pane.

The SSH Public Keys page is displayed.

3. Identify the SSH public key that you want to disable. From the menu, select
Update.

4. In the Edit SSH Public Key dialog box, deselect Enabled and click Update.

To disable an SSH public key using the API, use the PUT /sshkey/name method. For
more information, see REST API for Oracle Compute Cloud Service.

Enabling an SSH Public Key


When you add an SSH public key, by default the key is enabled. If you’ve disabled a
key, you can enable it at any time.

Note:

You don’t need to do this if you’re creating a Windows instance, because you
can’t log in to a Windows instance using SSH.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring
Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab and then click the SSH Public Keys tab in the left pane.

The SSH Public Keys page is displayed.

3. Identify the SSH public key that you want to enable. From the menu, select
Update.

4. In the Edit SSH Public Key dialog box, select Enabled and click Update.

To enable an SSH public key using the API, use the PUT /sshkey/name method. For
more information, see REST API for Oracle Compute Cloud Service.

Deleting an SSH Public Key


After adding an SSH public key, if you no longer need the key and it’s not being used
by any instance, you can delete the key.

Note:

You can’t use SSH keys to log in to a Windows instance. However, you must
specify an SSH public key while creating your Windows instance using the
Create Instance wizard.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• Ensure that the SSH public key that you want to delete isn’t used in any instance.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring
Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab and then click the SSH Public Keys tab in the left pane.

The SSH Public Keys page is displayed.

3. Identify the SSH key that you want to delete. From the menu, select Delete.

Note that the Delete action is disabled for keys that are associated with instances.

To delete an SSH public key using the API, use the DELETE /sshkey/name method.
For more information, see REST API for Oracle Compute Cloud Service.

3 Managing Instances

Topics

• About Instances

• About Machine Images and Shapes

• Instance Life Cycle

• Workflow for Creating Your First Instance

• Creating Instances

• Listing Instances

• Monitoring Instances

• Logging In to an Instance

• Retrieving Instance Metadata

• Updating an Instance

• Cloning an Instance by Using Instance Snapshots

• Restarting an Instance

• Deleting an Instance

• Updating Packages on an Oracle Solaris Instance

About Instances

An Oracle Compute Cloud Service instance is a virtual machine running a specific
operating system and with CPU and memory resources that you specify.

Defining Instances

An instance is defined by its machine image and shape. A machine image is a virtual
hard disk that has a specific operating system installed. A shape defines the number of
CPUs and RAM available to an instance. See About Machine Images and Shapes.

Identifying Instances

You can specify a name as well as a label to identify your instance. The instance name
that you specify becomes a prefix for an ID that’s generated automatically. If you’ve
specified a label, then the label is displayed in the web console. Otherwise, the
system-generated ID is displayed.

You can assign tags to your instances to make it easy to sort and find instances.

Adding Storage

You can attach up to 20 TB of block storage to each of your instances for storing data
and applications, by creating multiple persistent storage volumes and attaching them
to the instances. Even after you delete instances, the data stored in the storage volumes
remains intact until you delete the volumes.

While creating an instance, you can set it up to boot from a persistent disk, ensuring
that any changes that you make at the operating system-level persist when the
instance is re-created.

See Managing Storage Volumes.

Configuring Network Settings

You can implement fine-grained control over network access to your instances, both
from other Oracle Compute Cloud Service instances as well as from external hosts.

When you create an instance, by default, it doesn’t allow access from any other
instance or external host. To enable unrestricted communication among some of your
instances, you can create a security list and add all the instances to that security list.
When you add an instance to a security list, the instance can communicate with all the
other instances in the same list.

By default, the instances in a security list are isolated from hosts outside the list. You
can override this default setting by creating security rules. Each security rule defines a
specific communication path, which consists of a source, a destination, and a
protocol-port combination over which communication is allowed.

See Configuring Network Settings.
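
The default-deny behaviour described above can be checked with a small model before you rely on it. This is an added example, not Oracle's code or API: it models only what the paragraphs above state, all instance, list, and host names are constructed, and treating a rule as one-directional (source to destination) is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityRule:
    """One allowed communication path: source, destination, protocol-port."""
    source: str        # a security list name or an external host label
    destination: str   # a security list name or an external host label
    protocol: str
    port: int


def _matches(rule_end: str, name: str, lists: set) -> bool:
    """A rule endpoint matches a host by its own name or by a list it belongs to."""
    return rule_end == name or rule_end in lists


def is_allowed(src, dst, protocol, port, membership, rules) -> bool:
    """Decide whether src may reach dst on protocol/port.

    membership maps each instance to the set of security lists it belongs to.
    Any name missing from membership is treated as an external host.
    """
    src_lists = membership.get(src, set())
    dst_lists = membership.get(dst, set())
    # Instances in the same security list communicate without restriction.
    if src_lists & dst_lists:
        return True
    # Otherwise only an explicit security rule opens a path (assumed directional).
    for rule in rules:
        if (_matches(rule.source, src, src_lists)
                and _matches(rule.destination, dst, dst_lists)
                and (rule.protocol, rule.port) == (protocol, port)):
            return True
    return False                      # default: no access


def exposed_to(external, protocol, port, membership, rules) -> list:
    """List the instances an external host can reach on protocol/port."""
    return sorted(
        name for name in membership
        if is_allowed(external, name, protocol, port, membership, rules)
    )


# Constructed sample environment.
SAMPLE_MEMBERSHIP = {
    "web1": {"web"},
    "web2": {"web"},
    "db1": {"db"},
    "batch1": set(),                  # in no security list: reachable by nobody
}
SAMPLE_RULES = [
    SecurityRule("public-internet", "web", "tcp", 443),
    SecurityRule("web", "db", "tcp", 1521),
    SecurityRule("admin-host", "web", "tcp", 22),
]

if __name__ == "__main__":
    for host in ("public-internet", "admin-host"):
        reachable = exposed_to(host, "tcp", 22, SAMPLE_MEMBERSHIP, SAMPLE_RULES)
        print(host, "can reach over SSH:", reachable)
```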

About Machine Images and Shapes


A machine image is a template of a virtual hard disk of a specific size with an
installed operating system. A shape is a resource profile that specifies the number of
CPUs and the amount of memory to be allocated to an instance in Oracle Compute
Cloud Service.

For more information about machine images, see Managing Machine Images.

When you select a shape, your instance is created with the corresponding number of
Oracle Compute Units (OCPUs). An OCPU provides CPU capacity equivalent to one
physical core of an Intel Xeon processor with hyper-threading enabled. Each OCPU
corresponds to two hardware execution threads, known as vCPUs, as shown in the
following figure.

A wide range of shapes is available to help you select a combination of processing
power and memory for your instances that best suits your business requirement.

• While selecting the shape for an instance, consider the nature of the applications
that you plan to deploy on the instance, the number of users that you expect to use
the applications, and also how you expect the load to scale in the future. Remember
to also factor in the CPU and memory resources that are necessary for the operating
system.

• Select a shape that meets the requirements of your workload with a sufficient
buffer for intermittent spikes in the load. If you’re not sure what shape is
appropriate for an instance, then start small, experiment with a representative
workload, and then settle on a shape. This approach may help you achieve an
optimal trade-off between resource allocation and performance.

The following tables list the shapes that are currently available in Oracle Compute
Cloud Service.

General Purpose Shapes

Shape    OCPUs    vCPUs    Memory (GB)
OC3      1        2        7.5
OC4      2        4        15
OC5      4        8        30
OC6      8        16       60
OC7      16       32       120

High-Memory Shapes

Shape    OCPUs    vCPUs    Memory (GB)
OC1M     1        2        15
OC2M     2        4        30
OC3M     4        8        60
OC4M     8        16       120
OC5M     16       32       240

Instance Life Cycle


An Oracle Compute Cloud Service instance can have one of the following statuses:

• When you create an instance, the initial status is Preparing. Oracle Compute Cloud
Service allocates resources and prepares to create the instance.

• While the specified image is being installed, the state changes to Initializing.

• After the image is installed and the instance starts, the status changes to Running.
When an instance is in the Running status, you can connect to it. You can also
attach or detach storage volumes and security lists.

• At times, an instance can have the Error status.

For example, when you create an instance by starting its orchestration, if some of
the resources required to create the instance aren’t available, then the status of the
instance changes to Error.

Note:

If you use an orchestration to create an instance, you can control the status of
the instance through its orchestration. For example, you can create or delete an
instance by starting or stopping its orchestration. See About Orchestrations.

Workflow for Creating Your First Instance


Oracle Compute Cloud Service supports several workflows for creating instances and
the associated networking and storage resources.

For example, you can create the required storage volumes first and then create the
instances to which the storage volumes should be attached. Alternatively, you can
create instances first and then create and attach the required storage volumes to the
instances. Similarly, you can create security lists first and then create instances and
add them to the security lists, or you can create the instances first and then create
security lists and add instances to them.

The workflow for creating an instance also varies depending on the type of instance
you want to create. Use the appropriate recommended workflow for creating an
Oracle Linux, Oracle Solaris, or Windows instance.

Topics

• Workflow for Creating Your First Oracle Linux Instance

• Workflow for Creating Your First Oracle Solaris Instance

• Workflow for Creating Your First Windows Instance

Workflow for Creating Your First Oracle Linux Instance


Here’s a simple workflow that you can use to create your first instance.

1. Generate SSH key pairs. See Generating an SSH Key Pair.

2. Sign in to Oracle Compute Cloud Service. See Accessing Oracle Compute Cloud
Service Using the Web Console.

3. Add the SSH public keys. See Adding an SSH Public Key.

4. Create an instance using the web console. See Creating an Instance from the
Instances Page.

After creating the instance, you can do the following:

• Create and attach storage volumes. See Creating a Storage Volume and Attaching a
Storage Volume to an Instance.

• Add your instance to a security list to control network access to the instance. See
Managing Security Lists.

• Access your instance securely by using SSH. See Accessing an Oracle Linux
Instance Using SSH.

See Also:

• Creating an Instance Using an Image from Oracle Cloud Marketplace

• Workflow for Creating Instances Using a Custom Machine Image

• Workflow for Creating Instances Using Orchestrations

• Creating Instances Using Launch Plans

• Tutorial: Creating an Instance Using the Web Console

• Tutorial: Creating Instances Using an Orchestration

Workflow for Creating Your First Oracle Solaris Instance


Here’s a simple workflow that you can use to create your first Oracle Solaris instance.

1. Generate SSH key pairs. See Generating an SSH Key Pair.

2. Sign in to Oracle Compute Cloud Service. See Accessing Oracle Compute Cloud
Service Using the Web Console.

3. Add the SSH public keys. See Adding an SSH Public Key.

4. Create an instance using the web console. See Creating an Instance from the
Instances Page.

After creating the instance, you can do the following:

• Create and attach storage volumes. See Creating a Storage Volume and Attaching a
Storage Volume to an Instance.

• Add your instance to a security list to control network access to the instance. See
Managing Security Lists.

• Access your instance securely by using SSH. See Accessing an Oracle Solaris
Instance Using SSH.

See Also:

• Creating an Instance Using an Image from Oracle Cloud Marketplace

• Workflow for Creating Instances Using a Custom Machine Image

• Workflow for Creating Instances Using Orchestrations

• Creating Instances Using Launch Plans

• Tutorial: Creating an Instance Using the Web Console

• Tutorial: Creating Instances Using an Orchestration

Workflow for Creating Your First Windows Instance


Here’s a simple workflow that you can use to create your first Windows instance.

1. Sign in to Oracle Cloud Marketplace and go to the Windows image at
https://cloud.oracle.com/marketplace/app/windows-server-2012-R2.

2. Think of a password for the Administrator of your Windows instance and keep
the password handy. You’ll need to set this password while creating the instance.

3. Click Get App and follow the process to create an instance using the web console.
See Creating an Instance Using an Image from Oracle Cloud Marketplace.

Note:

The custom attributes required to enable RDP and set the Administrator
password that you specified are pre-populated in the Create Instance wizard.
If you want to add other users to your Windows instance and enable RDP
access for them, then enter the list of users and passwords. See Attributes
Specific to Windows Instances.

After creating the instance, you can do the following:

• Create and attach storage volumes. See Creating a Storage Volume and Attaching a
Storage Volume to an Instance.

• Add your instance to a security list to control network access to the instance. See
Managing Security Lists.

• Access your instance securely by using RDP. See Accessing a Windows Instance
Using RDP.

• Create other Windows instances. After you’ve selected a Windows image from
Oracle Cloud Marketplace and added it to your account, the Windows machine
image is added to the list of images available while creating an instance or while
creating a bootable storage volume. You can then directly select this image to create
another Windows instance or a bootable storage volume. See Creating an Instance
from the Instances Page and Creating a Bootable Storage Volume.

See Also:

• Creating an Instance Using an Image from Oracle Cloud Marketplace

• Workflow for Creating Instances Using a Custom Machine Image

• Workflow for Creating Instances Using Orchestrations

• Creating Instances Using Launch Plans

• Tutorial: Creating an Instance Using the Web Console

• Tutorial: Creating Instances Using an Orchestration

Creating Instances

You can create Oracle Compute Cloud Service instances in several ways.

• To quickly create a single instance using the web console, see Creating an Instance
from the Instances Page.

• To select a custom machine image that you’ve already created, uploaded, and
registered with Oracle Compute Cloud Service and use it to create an instance, see
Creating an Instance Using a Custom Machine Image.

• To create an instance using a machine image that you’ve identified in Oracle Cloud
Marketplace, see Creating an Instance Using an Image from Oracle Cloud
Marketplace.

• To specify one or more instances and associated resources that you want to create
or delete in a synchronized manner, see Creating Instances Using Orchestrations.

• To create one or more instances using the API, see Creating Instances Using
Launch Plans.

Creating an Instance from the Instances Page


You can create a single instance using the Oracle Compute Cloud Service web console.
While creating an instance, you can specify persistent storage volumes to be associated
with your instance. You can also enable access to your instance using SSH, or add
your instance to a security list. If you add your instance to a security list, you can use
that security list in security rules to control access to your instance.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• Generate an SSH key pair and add the SSH public key. See Enabling Secure Access
to Instances Using SSH.

Note:

You can’t use SSH keys to log in to a Windows instance. However, you must
specify an SSH public key while creating your Windows instance using the
Create Instance wizard.

• If you want to attach storage volumes while creating the instance, then create the
required storage volumes first. See Creating a Storage Volume.

Note:
You can’t detach storage volumes that are attached during instance creation.

• If you want to add your instance to a security list while creating the instance, create
the required security lists first. See Managing Security Lists.

Procedure

Tip:

Before you begin, read Best Practices for Using Oracle Compute Cloud
Service.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring
Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. On the Instances page, click Create Instance.

The Create Instance wizard starts.

3. On the General page, select or enter the following information:

• Specify a name for the instance.

Note that the full name of an instance consists of several parts.

– If you specify a name in the Create Instance wizard, then the full name of the
instance would be in the format,
/Compute-identity_domain/user/name_you_specify/id.

– If you don’t specify a name in the wizard, then the full name would be in the
format, /Compute-identity_domain/user/id.

In either case, id is an autogenerated ID.

Examples of Instance Names:

– When a name (vm1 in this case) is specified in the Create Instance wizard:
/Compute-myDomain/jack/vm1/300a7479-ec90-4826-98b9-a725662628f1

– When a name isn’t specified:
/Compute-myDomain/jack/38ef677e-9e13-41a7-a40c-2d99afce1714

• Enter a label for the instance.

Enter a label that’s meaningful and that you can use to identify the instance
easily later. Try to assign a unique label for each instance. This label is displayed
on the Instances page and also on other pages that reference the instance.
If you don’t specify a label for the instance, then its name is displayed on the
Instances page.

• Select an image and a shape.


The image specifies the operating system and disk size of the instance. The
shape specifies the CPU and memory resources to be allocated to the instance.
See About Machine Images and Shapes.

• Specify one or more tags to help you identify and categorize the instance.

• In the Custom Attributes field, enter any additional attributes that you want to
store on the instance. This field allows you to customize your instance by
providing additional information specific to each instance. You can enter
arbitrary key-value pairs in plain text. The text you enter here must be in JSON
format. This information is stored as user data on your instance.
If you’re creating a Windows instance, you must specify the following required
attributes:

    {
      "enable_rdp": true,
      "administrator_password": "Specify_password_here"
    }

For information about user-defined attributes that can be used to automate
instance configuration, see Automating Instance Configuration Using opc-init.

Note:

Solaris machine images don’t include the opc-init scripts. So you can’t use
opc-init to automate instance configuration of Solaris instances.

After the instance is created, the attributes that you specify here are available
within the instance at http://192.0.0.192/latest/user-data. For
information about retrieving user data, see Retrieving User-Defined Instance
Attributes.

• If you want to be able to delete and re-create the instance after the instance is
created, then select Manage Instance Using an Orchestration. When the
instance is created, an orchestration is automatically created for it. For more
information about orchestrations, see About Orchestrations.
If you select Manage Instance Using an Orchestration, then enter a name, label,
and description for the orchestration and select a high availability (HA) policy.
See About High-Availability Policies in an Orchestration.

4. On the Network page, select or enter the following information:

• Specify a DNS host name prefix, if required.


The host name is visible internally within your DNS space. It is referenced by
other instances in the domain, as well as by the OS and applications running on
your instance. The host name that you specify is suffixed by the domain name.
If you don’t specify a host name, then a host name is generated automatically.

• If you want to connect to this instance over the Internet, then select an
autogenerated public IP address, or select an IP address from the Persistent
Public IP Reservation list.
If you select an autogenerated public IP address, the IP address persists while
the instance is running, but will change if you delete the instance and create it
again later. See About Public IP Addresses.

• If you want to connect to this instance from the public Internet by using SSH,
select Configure Instance for Public SSH Access.

Note:

You don’t need to do this if you’re creating a Windows instance, because you
can’t log in to a Windows instance using SSH. To log in to your Windows
instance using RDP, see Accessing a Windows Instance Using RDP.

Alternatively, you can add this instance to one or more security lists. You can
then control access to this instance by creating security rules that use the
specified security lists as a source or destination.

If you select Add Instance to Security Lists and don’t select any security lists,
then the instance is added automatically to the default security list,
default/default.

For more information about configuring network settings for your instance, see
About Network Settings.

5. On the Storage page, you can attach data storage volumes and bootable storage
volumes to your instance, if required. To attach data volumes that you’ve already
created:

a. Select all the storage volumes that you want to attach in the Available Storage
Volumes list, and move them to the Selected Storage Volumes list.

A storage volume can be attached to only one instance at a time. If a storage
volume is already attached to another instance, it is greyed out in the Available
Storage Volumes list.

b. If you select multiple storage volumes to attach, you can use the arrows next to
the Available Storage Volumes list to change the order of the storage volumes
in the Selected Storage Volumes list. The order that you specify here
determines the sequence in which the storage volumes are attached as virtual
disks to your instance.

6. By default, the instance is set up to boot from a nonpersistent boot disk and the
Boot Volume field is set to Default Instance Store. To set up the instance to boot
from a persistent storage volume, on the Storage page, do either of the following:

• Option 1: Create and use a bootable storage volume.

a. Select Create Bootable Storage Volume.

b. Enter a name and description for the bootable storage volume.

c. The size is set automatically to accommodate the disk size that’s specified in
the image that you selected earlier. If you want a larger boot disk than that
specified in the image, then enter a larger size.

d. Select a storage property.


For storage volumes that require low latency and high IOPS, such as for
storing database files, select storage/latency. For all other storage volumes,
select storage/default.

Note:

The web console might show other storage properties. But don’t select any of
them.

A bootable storage volume is created and is used to boot your instance.

• Option 2: Use a bootable storage volume that you’ve already created.

a. Select the required bootable storage volume in the Available Storage
Volumes list, and move it to the Selected Storage Volumes list.

b. Move the bootable storage volume that you want to use to boot your
instance to the top of the Selected Storage Volumes list.

Note:

You can select multiple bootable storage volumes. However, you can specify
only one bootable storage volume to be used to boot your instance. The
storage volume that you want to use to boot your instance must be the first
storage volume in the Selected Storage Volumes list.

c. Select the required bootable storage volume in the Boot Volume list.

Note:

If you’ve selected the option to create a bootable storage volume and you’ve
also specified a bootable storage volume in the Boot Volume list, then the
storage volume specified in the Boot Volume list is used to boot your
instance.

7. On the SSH Public Keys page, select the keys that you want to associate with this
instance from the Available SSH Public Keys list, and move them to the Selected
SSH Public Keys list.

Alternatively, to add a new SSH public key, select Add New SSH Public Key,
enter a name for the SSH public key, and paste the public key in the Value field.

Important:
Paste the key value exactly as it was generated. Don’t append or insert any
spaces, characters, or line breaks.

Tip:

The keys that you specify are stored as metadata on the instance. This
metadata can be accessed from within the instance at
http://192.0.0.192/{version}/meta-data/public-keys/{index}/openssh-key.

• Oracle-provided Oracle Linux and Oracle Solaris images include a script
that runs automatically when the instance starts, retrieves the keys, and
adds them to the authorized_keys file of the opc user.

• In images that you build, you can write and include a script that runs
automatically when the instance starts, retrieves the SSH public keys, and
adds the keys to the authorized_keys file of the appropriate users.

8. On the Review page, verify the information that you’ve entered, and then click
Create.

9. Monitor the status of the instance.

• When you create an instance, the initial status is Preparing. Oracle Compute
Cloud Service allocates resources and prepares to create the instance.

• While the specified image is being installed, the state changes to Initializing.

• After the image is installed and the instance starts, the status changes to
Running.
When an instance is in the Running status, you can connect to it. You can also
attach or detach storage volumes and security lists.

• At times, an instance can have the Error status.


For example, when you create an instance by starting its orchestration, if some
of the resources required to create the instance aren’t available, then the status
of the instance changes to Error.

Note:

If you use an orchestration to create an instance, you can control the status of
the instance through its orchestration. For example, you can create or delete an
instance by starting or stopping its orchestration. See About Orchestrations.

See Also:

• Creating an Instance Using an Image from Oracle Cloud Marketplace

• Workflow for Creating Instances Using a Custom Machine Image

• Workflow for Creating Instances Using Orchestrations

• Creating Instances Using Launch Plans

• Tutorial: Creating an Instance Using the Web Console

• Tutorial: Creating Instances Using an Orchestration

Creating an Instance Using a Custom Machine Image


You can create a custom machine image and use that image to create Oracle Compute
Cloud Service instances.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• The custom machine image that you want to use must already be available as a
machine image in Oracle Compute Cloud Service. See Workflow for Creating
Instances Using a Custom Machine Image for information about creating,
uploading, and registering your custom machine images.

Procedure

Tip:

Before you begin, read Best Practices for Using Oracle Compute Cloud
Service.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Images tab.

The Private Images page is displayed.

3. Go to the image that you want to use, and from the menu, select Create
Instance.

The Create Instance wizard starts.

4. On the General page, select or enter the following information:

• Specify a name for the instance.

Note that the full name of an instance consists of several parts.

– If you specify a name in the Create Instance wizard, then the full name of the
instance would be in the format, /Compute-identity_domain/user/name_you_specify/id.

– If you don’t specify a name in the wizard, then the full name would be in the
format, /Compute-identity_domain/user/id.
In either case, id is an autogenerated ID.
Examples of Instance Names:

– When a name (vm1 in this case) is specified in the Create Instance wizard:
/Compute-myDomain/jack/vm1/300a7479-ec90-4826-98b9-a725662628f1

– When a name isn’t specified:
/Compute-myDomain/jack/38ef677e-9e13-41a7-a40c-2d99afce1714

• Enter a label for the instance.


Enter a label that’s meaningful and that you can use to identify the instance
easily later. Try to assign a unique label for each instance. This label is displayed
on the Instances page and also on other pages that reference the instance.
If you don’t specify a label for the instance, then its name is displayed on the
Instances page.

• The image field contains the name of the machine image that you selected.
Verify that this is the image you want to use. If you want to use another image,
click Cancel to exit the Create Instance wizard. Go back to Step 2 to select
another image.

• Select a shape.
The shape specifies the CPU and memory resources to be allocated to the
instance. See About Machine Images and Shapes.

• Specify one or more tags to help you identify and categorize the instance.

• In the Custom Attributes field, enter any additional attributes that you want to
store on the instance. This field allows you to customize your instance by
providing additional information specific to each instance. You can enter
arbitrary key-value pairs in plain text. The text you enter here must be in JSON
format. This information is stored as user data on your instance.
If you’re creating a Windows instance, you must specify the following required
attributes:
{
  "enable_rdp": true,
  "administrator_password": "Specify_password_here"
}

For information about user-defined attributes that can be used to automate
instance configuration, see Automating Instance Configuration Using opc-init.

Note:

Solaris machine images don’t include the opc-init scripts. So you can’t use
opc-init to automate instance configuration of Solaris instances.

After the instance is created, the attributes that you specify here are available
within the instance at http://192.0.0.192/latest/user-data. For
information about retrieving user data, see Retrieving User-Defined Instance
Attributes.

• If you want to be able to delete and re-create the instance after the instance is
created, then select Manage Instance Using an Orchestration. When the
instance is created, an orchestration is automatically created for it. For more
information about orchestrations, see About Orchestrations.
If you select Manage Instance Using an Orchestration, then enter a name, label,
and description for the orchestration and select a high availability (HA) policy.
See About High-Availability Policies in an Orchestration.

5. On the Network page, select or enter the following information:

• Specify a DNS host name prefix, if required.


The host name is visible internally within your DNS space. It is referenced by
other instances in the domain, as well as by the OS and applications running on
your instance. The host name that you specify is suffixed by the domain name.
If you don’t specify a host name, then a host name is generated automatically.

• If you want to connect to this instance over the Internet, then select an
autogenerated public IP address, or select an IP address from the Persistent
Public IP Reservation list.
If you select an autogenerated public IP address, the IP address persists while
the instance is running, but will change if you delete the instance and create it
again later. See About Public IP Addresses.

• If you want to connect to this instance from the public Internet by using SSH,
select Configure Instance for Public SSH Access.

Note:

You don’t need to do this if you’re creating a Windows instance, because you
can’t log in to a Windows instance using SSH. To log in to your Windows
instance using RDP, see Accessing a Windows Instance Using RDP.

Alternatively, you can add this instance to one or more security lists. You can
then control access to this instance by creating security rules that use the
specified security lists as a source or destination.
If you select Add Instance to Security Lists and don’t select any security lists,
then the instance is added automatically to the default security list, default/
default.
For more information about configuring network settings for your instance, see
About Network Settings.

6. On the Storage page, to specify a bootable storage volume, do either of the
following:

• Option 1: Create and use a bootable storage volume.

a. Ensure that the Create Bootable Storage Volume option is selected.

b. Enter a name and description for the bootable storage volume.

c. The size is set automatically to accommodate the disk size that’s specified in
the image that you selected earlier. If you want a larger boot disk than that
specified in the image, then enter a larger size.

d. Select a storage property.


For storage volumes that require low latency and high IOPS, such as for
storing database files, select storage/latency. For all other storage volumes,
select storage/default.

Note:

The web console might show other storage properties. But don’t select any of
them.

A bootable storage volume is created and is used to boot your instance.

• Option 2: Use a nonpersistent bootable storage volume.


Deselect the Create Bootable Storage Volume option. The instance is then set
up to use the image you selected and boot from a nonpersistent boot disk.

7. To attach data volumes to your instance, on the Storage page, do the following:

a. Select all the storage volumes that you want to attach in the Available Storage
Volumes list, and move them to the Selected Storage Volumes list.

A storage volume can be attached to only one instance at a time. If a storage
volume is already attached to another instance, it is greyed out in the Available
Storage Volumes list.

b. If you select multiple storage volumes to attach, you can use the arrows next to
the Available Storage Volumes list to change the order of the storage volumes
in the Selected Storage Volumes list. The order that you specify here
determines the sequence in which the storage volumes are attached as virtual
disks to your instance.

8. On the SSH Public Keys page, select the keys that you want to associate with this
instance from the Available SSH Public Keys list, and move them to the Selected
SSH Public Keys list.

Alternatively, to add a new SSH public key, select Add New SSH Public Key,
enter a name for the SSH public key, and paste the public key in the Value field.

Important:
Paste the key value exactly as it was generated. Don’t append or insert any
spaces, characters, or line breaks.

Tip:

The keys that you specify are stored as metadata on the instance. This
metadata can be accessed from within the instance at
http://192.0.0.192/{version}/meta-data/public-keys/{index}/openssh-key.

• Oracle-provided Oracle Linux and Oracle Solaris images include a script
that runs automatically when the instance starts, retrieves the keys, and
adds them to the authorized_keys file of the opc user.

• In images that you build, you can write and include a script that runs
automatically when the instance starts, retrieves the SSH public keys, and
adds the keys to the authorized_keys file of the appropriate users.

9. On the Review page, verify the information that you’ve entered, and then click
Create.

10. Monitor the status of the instance.

• When you create an instance, the initial status is Preparing. Oracle Compute
Cloud Service allocates resources and prepares to create the instance.

• While the specified image is being installed, the state changes to Initializing.

• After the image is installed and the instance starts, the status changes to
Running.
When an instance is in the Running status, you can connect to it. You can also
attach or detach storage volumes and security lists.

• At times, an instance can have the Error status.


For example, when you create an instance by starting its orchestration, if some
of the resources required to create the instance aren’t available, then the status
of the instance changes to Error.

Note:

If you use an orchestration to create an instance, you can control the status of
the instance through its orchestration. For example, you can create or delete an
instance by starting or stopping its orchestration. See About Orchestrations.

See Also:

• Creating an Instance Using an Image from Oracle Cloud Marketplace

• Workflow for Creating Instances Using a Custom Machine Image

• Workflow for Creating Instances Using Orchestrations

• Creating Instances Using Launch Plans

• Tutorial: Creating an Instance Using the Web Console

• Tutorial: Creating Instances Using an Orchestration

Creating an Instance Using an Image from Oracle Cloud Marketplace


You can select an image from Oracle Cloud Marketplace and use that image to create
instances in Oracle Compute Cloud Service.
To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

Note:

If you’ve identified an image from Oracle Cloud Marketplace that you’d like
to use, check if that image already exists in your Oracle Compute Cloud
Service account. If another user requested the same image from Oracle Cloud
Marketplace earlier on, it would have already been added to the images listed
in the Private Images page. In that case, to use that machine image to create an
instance, follow the procedure described in Creating an Instance Using a
Custom Machine Image or Creating an Instance from the Instances Page.

Tip:

Before you begin, read Best Practices for Using Oracle Compute Cloud
Service.

1. Go to Oracle Cloud Marketplace at
https://cloud.oracle.com/marketplace/faces/homePage.jspx.

2. From the Products drop-down list, select Infrastructure (IaaS), and then select
Compute Cloud.

3. Enter the name of the image that you want to use in the Search bar at the top of the
page and click Go.

The search results are displayed.

4. Select the image that you want to use by clicking it.

You’re directed to a page with more information for the selected image.

5. Click Get App.

6. Accept the terms of use and click Next.

7. If you see a message asking you to enable permission settings by clicking
Preferences in your Oracle Compute Cloud Service account, follow the instructions
to enable the setting. Then return to Oracle Cloud Marketplace and click Get App
for your image again.

8. Select the required account from the drop-down list and click Next.

9. Review the information on the Review screen and click Submit Request.

You’ll receive an email notification confirming that your application has been
installed.

10. On the Confirmation screen, after your request is confirmed, to create an instance,
click Start Compute Console.

The Create Instance wizard starts.


The image you selected is now listed on the Private Images page and is also
available in the list of images while creating an instance or creating a bootable
storage volume.

11. On the General page of the Create Instance wizard, select or enter the following
information:

• Specify a name for the instance.


Note that the full name of an instance consists of several parts.

– If you specify a name in the Create Instance wizard, then the full name of the
instance would be in the format, /Compute-identity_domain/user/name_you_specify/id.

– If you don’t specify a name in the wizard, then the full name would be in the
format, /Compute-identity_domain/user/id.
In either case, id is an autogenerated ID.
Examples of Instance Names:

– When a name (vm1 in this case) is specified in the Create Instance wizard:
/Compute-myDomain/jack/vm1/300a7479-ec90-4826-98b9-a725662628f1

– When a name isn’t specified:
/Compute-myDomain/jack/38ef677e-9e13-41a7-a40c-2d99afce1714

• Enter a label for the instance.


Enter a label that’s meaningful and that you can use to identify the instance
easily later. Try to assign a unique label for each instance. This label is displayed
on the Instances page and also on other pages that reference the instance.
If you don’t specify a label for the instance, then its name is displayed on the
Instances page.

• The image field contains the name of the machine image that you selected.
Verify that this is the image you want to use. If you want to use another image,
click Cancel to exit the Create Instance wizard. Go back to Oracle Marketplace
to select another image.

• Select a shape.
The shape specifies the CPU and memory resources to be allocated to the
instance. See About Machine Images and Shapes.

• Specify one or more tags to help you identify and categorize the instance.

• In the Custom Attributes field, enter any additional attributes that you want to
store on the instance. This field allows you to customize your instance by
providing additional information specific to each instance. You can enter
arbitrary key-value pairs in plain text. The text you enter here must be in JSON
format. This information is stored as user data on your instance.
If you’re creating a Windows instance, you must specify the following required
attributes:
{
  "enable_rdp": true,
  "administrator_password": "Specify_password_here"
}

For information about user-defined attributes that can be used to automate
instance configuration, see Automating Instance Configuration Using opc-init.

Note:

Solaris machine images don’t include the opc-init scripts. So you can’t use
opc-init to automate instance configuration of Solaris instances.

After the instance is created, the attributes that you specify here are available
within the instance at http://192.0.0.192/latest/user-data. For
information about retrieving user data, see Retrieving User-Defined Instance
Attributes.

• If you want to be able to delete and re-create the instance after the instance is
created, then select Manage Instance Using an Orchestration. When the
instance is created, an orchestration is automatically created for it. For more
information about orchestrations, see About Orchestrations.
If you select Manage Instance Using an Orchestration, then enter a name, label,
and description for the orchestration and select a high availability (HA) policy.
See About High-Availability Policies in an Orchestration.

12. On the Network page, select or enter the following information:

• Specify a DNS host name prefix, if required.


The host name is visible internally within your DNS space. It is referenced by
other instances in the domain, as well as by the OS and applications running on
your instance. The host name that you specify is suffixed by the domain name.
If you don’t specify a host name, then a host name is generated automatically.

• If you want to connect to this instance over the Internet, then select an
autogenerated public IP address, or select an IP address from the Persistent
Public IP Reservation list.
If you select an autogenerated public IP address, the IP address persists while
the instance is running, but will change if you delete the instance and create it
again later. See About Public IP Addresses.

• If you want to connect to this instance from the public Internet by using SSH,
select Configure Instance for Public SSH Access.

Note:

You don’t need to do this if you’re creating a Windows instance, because you
can’t log in to a Windows instance using SSH. To log in to your Windows
instance using RDP, see Accessing a Windows Instance Using RDP.

Alternatively, you can add this instance to one or more security lists. You can
then control access to this instance by creating security rules that use the
specified security lists as a source or destination.
If you select Add Instance to Security Lists and don’t select any security lists,
then the instance is added automatically to the default security list, default/
default.
For more information about configuring network settings for your instance, see
About Network Settings.

13. On the Storage page, to specify a bootable storage volume, do either of the
following:

• Option 1: Create and use a bootable storage volume.

a. Ensure that the Create Bootable Storage Volume option is selected.

b. Enter a name and description for the bootable storage volume.

c. The size is set automatically to accommodate the disk size that’s specified in
the image that you selected earlier. If you want a larger boot disk than that
specified in the image, then enter a larger size.

d. Select a storage property.


For storage volumes that require low latency and high IOPS, such as for
storing database files, select storage/latency. For all other storage volumes,
select storage/default.

Note:

The web console might show other storage properties. But don’t select any of
them.

A bootable storage volume is created and is used to boot your instance.

• Option 2: Use a nonpersistent bootable storage volume.


Deselect the Create Bootable Storage Volume option. The instance is then set
up to use the image you selected and boot from a nonpersistent boot disk.

14. To attach data volumes to your instance, on the Storage page, do the following:

a. Select all the storage volumes that you want to attach in the Available Storage
Volumes list, and move them to the Selected Storage Volumes list.

A storage volume can be attached to only one instance at a time. If a storage
volume is already attached to another instance, it is greyed out in the Available
Storage Volumes list.

b. If you select multiple storage volumes to attach, you can use the arrows next to
the Available Storage Volumes list to change the order of the storage volumes
in the Selected Storage Volumes list. The order that you specify here
determines the sequence in which the storage volumes are attached as virtual
disks to your instance.

15. On the SSH Public Keys page, select the keys that you want to associate with this
instance from the Available SSH Public Keys list, and move them to the Selected
SSH Public Keys list.

Alternatively, to add a new SSH public key, select Add New SSH Public Key,
enter a name for the SSH public key, and paste the public key in the Value field.

Important:

Paste the key value exactly as it was generated. Don’t append or insert any
spaces, characters, or line breaks.

Tip:

The keys that you specify are stored as metadata on the instance. This
metadata can be accessed from within the instance at
http://192.0.0.192/{version}/meta-data/public-keys/{index}/openssh-key.

• Oracle-provided Oracle Linux and Oracle Solaris images include a script
that runs automatically when the instance starts, retrieves the keys, and
adds them to the authorized_keys file of the opc user.

• In images that you build, you can write and include a script that runs
automatically when the instance starts, retrieves the SSH public keys, and
adds the keys to the authorized_keys file of the appropriate users.

16. On the Review page, verify the information that you’ve entered, and then click
Create.

17. Monitor the status of the instance.

• When you create an instance, the initial status is Preparing. Oracle Compute
Cloud Service allocates resources and prepares to create the instance.

• While the specified image is being installed, the state changes to Initializing.

• After the image is installed and the instance starts, the status changes to
Running.
When an instance is in the Running status, you can connect to it. You can also
attach or detach storage volumes and security lists.

• At times, an instance can have the Error status.


For example, when you create an instance by starting its orchestration, if some
of the resources required to create the instance aren’t available, then the status
of the instance changes to Error.

Note:

If you use an orchestration to create an instance, you can control the status of
the instance through its orchestration. For example, you can create or delete an
instance by starting or stopping its orchestration. See About Orchestrations.
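
The Tip in the SSH Public Keys step of each procedure above notes that images you build can include a startup script that retrieves the keys from the metadata service and adds them to authorized_keys. The following script is an added example of such a script, not Oracle's own; the "latest" version string, indexes counting up from 0, the opc target user and /home path, and the RUN_KEY_SYNC guard are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's script): copy SSH public keys from the instance
# metadata service into a user's authorized_keys file at boot.
# Assumptions: "latest" is accepted as {version}, {index} counts up from 0,
# and the first failed fetch marks the end of the key list.
MD_BASE="${MD_BASE:-http://192.0.0.192/latest/meta-data/public-keys}"
MAX_KEYS="${MAX_KEYS:-16}"        # upper bound on indexes that are queried
NL=$(printf '\nx'); NL=${NL%x}    # a literal newline, for the multi-line check

# Succeeds only for a single line of the form "<type> <base64> [comment]".
# Lines that begin with authorized_keys options (command=..., no-pty, ...)
# are rejected, so metadata content cannot attach options to a key.
is_valid_pubkey() {
    case "$1" in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( [^[:cntrl:]]*)?$'
}

# Fetch the key stored at index $1; a non-zero status means "no such key".
fetch_key() {
    curl -fsS --max-time 5 "$MD_BASE/$1/openssh-key"
}

# Append key $1 to authorized_keys file $2 unless it is already present.
# Creates ~/.ssh (0700) and the file (0600), the modes sshd expects.
install_key() {
    key=$1 file=$2
    is_valid_pubkey "$key" || return 1
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    ( umask 077; touch "$file" ) || return 1
    chmod 600 "$file"
    grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
}

# Walk the indexes, install every well-formed key into file $1, and print
# how many keys were accepted. Malformed entries are skipped and reported.
sync_keys() {
    i=0 accepted=0
    while [ "$i" -lt "$MAX_KEYS" ]; do
        key=$(fetch_key "$i") || break
        if install_key "$key" "$1"; then
            accepted=$((accepted + 1))
        else
            echo "skipping malformed key at index $i" >&2
        fi
        i=$((i + 1))
    done
    echo "$accepted"
}

# Run only when requested (for example from an init script with
# RUN_KEY_SYNC=1), so the functions can also be sourced on their own.
if [ "${RUN_KEY_SYNC:-0}" = 1 ]; then
    user="${TARGET_USER:-opc}"                 # assumed login user
    home="${TARGET_HOME:-/home/$user}"         # assumed home directory
    sync_keys "$home/.ssh/authorized_keys" >/dev/null
    chown -R "$user" "$home/.ssh"
fi
```

Running it again is safe: a key that is already in the file is not appended a second time.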

See Also:

• Creating an Instance Using an Image from Oracle Cloud Marketplace

• Workflow for Creating Instances Using a Custom Machine Image

• Workflow for Creating Instances Using Orchestrations

• Creating Instances Using Launch Plans

• Tutorial: Creating an Instance Using the Web Console

• Tutorial: Creating Instances Using an Orchestration

Creating Instances Using Orchestrations


An orchestration defines the attributes and interdependencies of a collection of
compute, networking, and storage resources in Oracle Compute Cloud Service. You
can use orchestrations to automate the provisioning and lifecycle operations of an
entire virtual compute topology.
To create instances using an orchestration, you define the orchestration offline in a
JSON-formatted file, upload the orchestration to Oracle Compute Cloud Service, and
then start the orchestration. All the instances defined in the orchestration are started
automatically. In addition, any resources specified in the orchestration—storage
attachments, security lists, and so on—are associated with the instances.
At any time, you can delete and re-create all the instances in an orchestration just by
stopping and restarting the orchestration. Storage attachments, security lists, and so on
are re-associated automatically with the appropriate instances.
When the HA policy in an orchestration is set to active, if an instance in such an
orchestration goes down, the instance is restarted automatically.
To learn more about orchestration features, terminology, and concepts, see About
Orchestrations.
To get started with creating instances using orchestrations, see Workflow for Creating
Instances Using Orchestrations.

Creating Instances Using Launch Plans


A launch plan is a JSON-formatted file that defines the properties of one or more
instances. You can use a launch plan to quickly create and start multiple,
nonpersistent instances in Oracle Compute Cloud Service.

Topics

• About Launch Plans

• Sample Launch Plan

• Launch Plan Attributes

• Instance Attributes Specified in a Launch Plan

• Prerequisite for Creating Instances Using Launch Plans

• Procedure for Creating Instances Using Launch Plans

About Launch Plans


A launch plan specifies the provisioning sequence and attributes of the instances that
you want to create. Note that while you can reuse your launch plan JSON file to create
new instances based on the attributes and provisioning sequence specified in the JSON
file, the launch plan itself doesn’t persist in Oracle Compute Cloud Service.

Sample Launch Plan


The following is an example of a JSON-formatted file showing the attributes for two
instances with different shapes and SSH keys but using the same image.
{
  "instances":
  [
    {
      "shape": "oc4",
      "imagelist": "/oracle/public/oel_6.4_60GB",
      "sshkeys": ["/Compute-acme/admin/dev-ssh"],
      "name": "/Compute-acme/admin/dev-vm",
      "label": "dev-vm"
    },
    {
      "shape": "oc5",
      "imagelist": "/oracle/public/oel_6.4_60GB",
      "sshkeys": ["/Compute-acme/admin/prod-ssh"],
      "name": "/Compute-acme/admin/prod-vm",
      "label": "prod-vm"
    }
  ]
}

Launch Plan Attributes

Parameter        Required or Optional    Description

instances        required                A list of instances.
Each instance is defined using the instance attributes.

relationships    optional                The relationships between various instances.
Valid values:
• same_node: The specified instances are created on the
same physical server. This is useful if you want to ensure
low latency across instances.
• different_node: The specified instances aren’t created
on the same physical server. This is useful if you want to
isolate instances for security or redundancy.

Instance Attributes Specified in a Launch Plan

Parameter     Required or Optional    Description

shape         required                The name of the shape that defines the number of CPUs and
the RAM that you require for the instance.

name          optional                The three-part name of the instance
(/Compute-identity_domain/user/name).
If you specify this parameter, then the full name of the
instance would be in the format,
/Compute-identity_domain/user/name_you_specify/id.
If you don’t specify this parameter, then the full name
would be in the format, /Compute-identity_domain/user/id.
In either case, id is an autogenerated ID.
Examples of Instance Names:
• When you specify /Compute-acme/jack/vm1 as the
value of the name parameter:
/Compute-acme/jack/vm1/300a7479-ec90-4826-98b9-a725662628f1
• When you don’t specify the name parameter:
/Compute-acme/jack/38ef677e-9e13-41a7-a40c-2d99afce1714

label         optional                A text string to identify the instance.
This label is used when defining relationships between
elements. It’s also used to refer to the instance on a few
pages of the web console. So enter a label that’s meaningful.

tags          optional                A JSON array or list of strings used to tag the instance.
By assigning a human-friendly tag to an instance, you can
identify the instance easily when you perform an instance
listing. These tags aren’t available from within the instance.

attributes    optional    A JSON object or dictionary of user-defined attributes to be
made available to the instance.
If you’re creating a Windows instance, you must specify the
following required attributes:

{
  "enable_rdp": true,
  "administrator_password": "Specify_password_here"
}

For more information about specifying user-defined
attributes that can be used to automate instance
configuration, see Automating Instance Configuration
Using opc-init.

Note:
Solaris machine images don’t include the opc-init scripts. So
you can’t use opc-init to automate instance configuration
of Solaris instances.

The attributes that you specify can be accessed from within
the instance at http://192.0.0.192/latest/attributes.
For more information about retrieving user-defined attributes,
see Retrieving User-Defined Instance Attributes.

imagelist    optional    The three-part name (oracle/public/imagelist_name)
of the image list containing the image to
be used (example: /oracle/public/oel_6.4_60GB).
You must use this attribute if you don’t specify a bootable
storage volume by using the boot_order attribute. If you
specify the imagelist attribute as well as the
boot_order attribute, then the imagelist attribute is
ignored.

storage_attachments    optional    If you specify the storage_attachments parameter, then
specify the following subparameters for each attachment:
• volume: The three-part name
(/Compute-identity_domain/user/object_name) of the
storage volume that you want to attach to the instance.
Note that volumes attached to an instance at launch time
can't be detached.
• index: The index number for the volume.
The allowed range is 1 to 10. The index determines the
device name by which the volume is exposed to the
instance. Index 0 is allocated to the temporary boot
disk, /dev/xvda. An attachment with index 1 is
exposed to the instance as /dev/xvdb, an attachment
with index 2 is exposed as /dev/xvdc, and so on.

boot_order    Specifies the bootable storage volume that should be used to
boot the instance.
Enter the index number of a bootable storage volume
specified in the storage_attachments attribute.
Use the boot_order attribute only when you’ve specified
a bootable storage volume in the volume sub-parameter of
storage_attachments.
When you specify boot_order, you don’t need to specify
the imagelist attribute, because the instance is booted
using the image on the specified bootable storage volume. If
you specify both boot_order and imagelist, the
imagelist attribute is ignored.

hostname    optional    The host name assigned to the instance.
Only relative DNS is supported. The domain name is
suffixed to the host name that you specify. The host name
must not end with a period. If you don’t specify a host
name, then a name is generated automatically. The DNS
name of an instance depends on its host name, as follows:
• If no DNS name is specified in the networking
attribute, then the DNS name is set to the host name,
and a reverse DNS record (PTR) is created for the host
name.
• If the DNS name specified in the networking attribute
matches the host name, then that record also creates a
reverse DNS record for the host name.
• If the dns attribute under networking is set to an
empty list ([]), then no DNS records are created even if
a host name is specified. The instance still receives its
host name through DHCP, and can perform a reverse
lookup of its host name. However, no other instance can
perform this reverse lookup.

reverse_dns    optional    If set to true (default), then reverse DNS records are
created.
If set to false, no reverse DNS records are created.

networking    optional    This parameter can contain any or all of the following
sub-parameters:
• seclists: The security lists that you want to add the
instance to.
For each security list, specify the three-part name in
the /Compute-identity_domain/user/object_name format.
You can attach an instance to a
maximum of five security lists. If you launch an instance
without specifying any security list, the instance is
assigned to the /Compute-identity_domain/default/default
security list.
• nat: Indicates whether a temporary or permanent
public IP address should be assigned to the instance.
– To associate a temporary IP address with the
instance for use during the lifetime of the instance,
specify ippool:/oracle/public/ippool.
– To associate a persistent IP address, specify
ipreservation:ipreservation_name, where
ipreservation_name is the three-part name of an
existing IP reservation in the
/Compute-identity_domain/user/object_name format.
If nat is not specified, then no public IP address is
associated with your instance when it is created. If
required, you can associate an IP address with the
instance after the instance has been created.
• dns: DNS name for this instance.
This name is relative to the internal DNS domain.
• model: The type of network interface card (NIC). The
only allowed value is e1000.

sshkeys    optional    A list of the SSH public keys that you want to associate with
the instance.

Note:
You don’t need to provide any SSH public keys if you’re
creating a Windows instance, because you can’t access a
Windows instance using SSH. To access a Windows instance,
see Accessing a Windows Instance Using RDP.

For each key, specify the three-part name in the
/Compute-identity_domain/user/object_name format.
You can associate the same key with multiple instances.
The keys that you specify are stored as metadata on the
instance. This metadata can be accessed from within the
instance at
http://192.0.0.192/{version}/meta-data/public-keys/{index}/openssh-key.
• Oracle-provided Oracle Linux and Oracle Solaris images
include a script that runs automatically when the
instance starts, retrieves the keys, and adds them to the
authorized_keys file of the opc user.
• In images that you build, you can write and include a
script that runs automatically when the instance starts,
retrieves the SSH public keys, and adds the keys to the
authorized_keys file of the appropriate users.

Prerequisite for Creating Instances Using Launch Plans


Ensure that you’ve created your launch plan JSON file.

Procedure for Creating Instances Using Launch Plans


To create instances from a launch plan by using the API, use the
POST /launchplan/ method. For more information, see REST API for Oracle Compute Cloud
Service.
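The constraints in the two attribute tables above can be checked before a plan is posted. The following linter is an added example, not Oracle code or part of this guide; the function names, the severity labels, the acceptance of boot_order as either a single index or a list, and the handling of networking sub-parameters nested under a per-interface key are assumptions, and the second instance in the sample plan is constructed to trigger findings.

```python
import json
import re
import sys

# /Compute-identity_domain/user/object_name, or an Oracle-provided /oracle/public/... object
THREE_PART = re.compile(r"^/(Compute-[^/]+|oracle)/[^/]+/[^/]+$")
NAT = re.compile(r"^(ippool:/oracle/public/ippool|ipreservation:/Compute-[^/]+/[^/]+/[^/]+)$")
NET_KEYS = {"seclists", "nat", "dns", "model"}


def _interfaces(net):
    # Sub-parameters directly under "networking", or one level down per interface (assumption).
    if NET_KEYS.intersection(net):
        return [("networking", net)]
    nested = [(f"networking.{k}", v) for k, v in net.items() if isinstance(v, dict)]
    return nested or [("networking", {})]


def lint_instance(inst, where):
    out = []

    def add(severity, field, message):
        out.append((severity, f"{where}.{field}", message))

    if not inst.get("shape"):
        add("ERROR", "shape", "required parameter is missing")
    named = [("name", inst.get("name")), ("imagelist", inst.get("imagelist"))]
    named += [(f"sshkeys[{i}]", k) for i, k in enumerate(inst.get("sshkeys", []))]
    indexes = set()
    for i, att in enumerate(inst.get("storage_attachments", [])):
        named.append((f"storage_attachments[{i}].volume", att.get("volume", "")))
        idx = att.get("index")
        if isinstance(idx, int) and 1 <= idx <= 10:
            indexes.add(idx)
        else:
            add("ERROR", f"storage_attachments[{i}].index", "index must be 1 to 10")
    for field, value in named:
        if value is not None and not THREE_PART.match(str(value)):
            add("ERROR", field, "not a three-part name")

    boot = inst.get("boot_order")
    if boot is None:
        if not inst.get("imagelist"):
            add("ERROR", "imagelist", "required when boot_order is not set")
    else:
        # Assumption: boot_order may be a single index or a list of indexes.
        for b in boot if isinstance(boot, list) else [boot]:
            if b not in indexes:
                add("ERROR", "boot_order", f"index {b} is not a valid storage attachment")
        if inst.get("imagelist"):
            add("WARN", "imagelist", "ignored because boot_order is set")
    if str(inst.get("hostname", "")).endswith("."):
        add("ERROR", "hostname", "must not end with a period")

    for prefix, cfg in _interfaces(inst.get("networking") or {}):
        seclists = cfg.get("seclists") or []
        if not seclists:
            add("INFO", f"{prefix}.seclists", "none given: default/default list applies")
        if len(seclists) > 5:
            add("ERROR", f"{prefix}.seclists", "more than five security lists")
        if "nat" in cfg:
            if isinstance(cfg["nat"], str) and NAT.match(cfg["nat"]):
                add("INFO", f"{prefix}.nat", "a public IP address is assigned at creation")
            else:
                add("ERROR", f"{prefix}.nat", "expected an ippool: or ipreservation: value")
        if cfg.get("model", "e1000") != "e1000":
            add("ERROR", f"{prefix}.model", "only e1000 is allowed")

    for key in inst.get("attributes") or {}:
        if "password" in key.lower():
            add("WARN", f"attributes.{key}", "cleartext in the plan file and readable "
                "inside the instance at http://192.0.0.192/latest/attributes")
    return out


def lint_plan(plan):
    instances = plan.get("instances")
    if not isinstance(instances, list) or not instances:
        return [("ERROR", "instances", "required list of instances is missing or empty")]
    return [f for i, inst in enumerate(instances)
            for f in lint_instance(inst, f"instances[{i}]")]


# Constructed plan: instance 0 is from the sample launch plan, instance 1 is deliberately wrong.
SAMPLE_PLAN = {"instances": [
    {"shape": "oc4", "imagelist": "/oracle/public/oel_6.4_60GB", "label": "dev-vm",
     "sshkeys": ["/Compute-acme/admin/dev-ssh"], "name": "/Compute-acme/admin/dev-vm"},
    {"shape": "oc5", "label": "test-vm", "hostname": "test-vm.",
     "imagelist": "/oracle/public/oel_6.4_60GB", "boot_order": [1],
     "storage_attachments": [{"volume": "/Compute-acme/admin/boot-vol", "index": 11}],
     "networking": {"seclists": ["/Compute-acme/admin/web"], "model": "virtio",
                    "nat": "ippool:/oracle/public/ippool"},
     "attributes": {"enable_rdp": True, "administrator_password": "Specify_password_here"}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for severity, path, message in lint_plan(plan):
        print(f"{severity:5} {path}: {message}")
```

The INFO findings are the ones to read before posting a plan: an instance with no seclists entry lands in the default security list, and a nat entry gives it a public IP address from the moment it is created.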

Listing Instances
After creating instances in Oracle Compute Cloud Service, you can view a list of your
instances using the web console.
To complete this task, you must have the Compute_Monitor or
Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then
ask your system administrator to ensure that the role is assigned to you in Oracle
Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle
Cloud.

1. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

2. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

3. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

4. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

Your instances are listed on the Instances page. For each instance, you can view details
including the label, the current status, the attached storage volumes, and the public
and private IP addresses associated with it.
To list your instances using the API, use the GET /instance/container method.
For more information, see REST API for Oracle Compute Cloud Service.

Monitoring Instances
After creating instances in Oracle Compute Cloud Service, you can view a list of your
instances and get details of each instance.

To complete this task, you must have the Compute_Monitor or
Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then
ask your system administrator to ensure that the role is assigned to you in Oracle
Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle
Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. The Instances page shows a list of instances, along with information about each
instance.

Tip:

You can filter the list of instances according to their category or status. To list
instances with a specific status (such as running, error, or stopped), click the
Show menu and select the appropriate filter. To view instances of a specific
category (such as PaaS, IaaS, or personal), click the Category menu and select
the appropriate filter.

3. Go to the instance that you want to view. From the menu, select View.

The instance details page shows all the details of the selected instance, such as the
public and private IP addresses, and the storage volumes, security lists, and SSH
keys associated with it. You can add or remove storage volumes and security lists
from this page. For more information, see Updating an Instance.

To view details of an instance using the API, use the GET /instance/name method.
For more information, see REST API for Oracle Compute Cloud Service.

Logging In to an Instance
After you’ve associated a public IP address with your instance, you can log in to the
instance.
If you’ve enabled a VPN tunnel to your Oracle Compute Cloud Service site, you can
use the private IP address of your instance to connect to the instance. To set up a VPN
tunnel, see Connecting to Oracle Compute Cloud Service Instances Using VPN.
To connect to your Oracle-provided Oracle Linux instance using ssh, see Accessing an
Oracle Linux Instance Using SSH.

Note:

If you’ve created your instance using an Oracle-provided Oracle Linux image
or an Oracle-provided Oracle Solaris image, then you can log in to the instance
as the opc user. You can’t log in as root.

To connect to your Oracle Solaris instance using ssh, see Accessing an Oracle Solaris
Instance Using SSH.
To connect to your Windows instance using an RDP connection, see Accessing a
Windows Instance Using RDP.

Retrieving Instance Metadata


Topics

• About Instance Metadata

• Retrieving Predefined Instance Metadata

• Retrieving User-Defined Instance Attributes

• Sample Scenario for Specifying and Using Instance Attributes

About Instance Metadata


Two types of metadata are stored within your instances: user-defined instance attributes
that you can define explicitly while creating instances, and predefined instance metadata
fields that are stored by default for all instances. Scripts and applications running on
the instances can use the available metadata to perform certain tasks. For example,
SSH public keys that are specified while creating an instance are stored as metadata on
the instance. A script running on the instance can retrieve these keys and append them
to the authorized_keys file of specified users to allow key-based login to the
instance using ssh.
Predefined Instance Metadata
The following predefined metadata fields are stored on every instance that you create:

Metadata    Description    Example

local-ipv4    Private IP address of the instance.    10.196.47.210

local-hostname    DNS name of the instance.    bd6032.compute-acme.oraclecloud.example.com

instance-id    Name of the instance.    /Compute-acme/[email protected]om/debc974c-852e-4bd2-acd6-45a2de2109fd

instance-type    Memory and CPU resources available for the instance.    7680 ram, 2.0 cpus

public-hostname    DNS name of the instance.    bd6032.compute-acme.oraclecloud.example.com

public-keys/{index}/openssh-key    SSH public key specified while creating the instance, where {index} is a number starting with 0.    ssh-rsa AAAAB3NzaC1yc2EAAAABI... == admin@acme

Note:

You may see certain additional metadata fields, such as reservation-id,
product-codes, kernel-id, and security-groups, that aren’t
documented. Don’t retrieve and use the values in the undocumented fields.

The predefined instance metadata fields are stored at
http://192.0.0.192/{version}/meta-data.
The following metadata versions are currently available:
latest
1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2009-04-04

Tip:
New metadata versions may be released in the future. Metadata versions may
not be backward compatible. So use metadata from a specific version (for
example, from http://192.0.0.192/2008-02-01/) and not from
http://192.0.0.192/latest/.

For the steps to retrieve the predefined instance metadata, see Retrieving Predefined
Instance Metadata.
User-Defined Instance Attributes
User-defined attributes are key-value pairs that you can specify in the attributes
parameter of machine images, image-list entries, and instance launch plans.
When you create instances, all the attributes that are specified in the attributes
parameter in the orchestration or launch plan, machine image, and image list entry
that are used to create your instances are stored on those instances. If an attribute in an
image-list entry has the same name as an attribute in the machine image
corresponding to that image-list entry, then the attribute in the image-list entry
overrides the attribute in the machine image. Similarly, if an attribute in a launch plan
has the same name as an attribute in an image-list entry or a machine image, then the
attribute in the launch plan takes precedence.
User-defined instance attributes are stored within the instance at
http://192.0.0.192/latest/user-data. For the steps to retrieve these attributes, see
Retrieving User-Defined Instance Attributes.
The following are a few sample use cases for user-defined instance attributes:

• If you want identical user data to be available on a set of instances, then specify the
required user data in the machine image or image list entry that you'll use to create
the instances. For example, you might require a certain pre-bootstrap script to be
executed or specific applications to be installed on all instances that use a particular
image. By specifying this script as user data in the machine image or the image list
entry, you ensure that every instance that’s created with that image has the
specified user data.

• If each instance should have unique user data, use an orchestration to provide
specific user data for each instance. This is useful if, for example, you want to
specify a unique user name and password, or inject a unique SSH public key into
each instance.

• You can automate instance configuration by providing scripts or other instructions
to perform prebootstrapping tasks or install applications when you create an
instance. These instance configuration instructions are provided as user-defined
data using the userdata field under the attributes parameter. For example,
you can use this field to specify the location of a database server and login details.

Retrieving Predefined Instance Metadata


1. Log in to the instance.

See Logging In to an Instance.

2. Get a list of the available metadata versions by running the following command:

curl http://192.0.0.192

Note:

The cURL commands provided in this document are for Linux and Oracle
Solaris instances. On Windows instances, open PowerShell and use the
Invoke-RestMethod command instead of cURL.

3. From the list of versions displayed, select the version that you want to use.

4. Get a list of the top-level metadata fields:

curl http://192.0.0.192/{version}/meta-data

In this command, replace {version} with the version that you identified in the
previous step.

Example:

curl http://192.0.0.192/2007-08-29/meta-data

5. Retrieve the specific metadata that you want, by running one of the following
command examples:

Note:

When you run these commands, replace 2007-08-29 with the metadata
version that you want to use.

• To retrieve the private IP address of the instance:

curl http://192.0.0.192/2007-08-29/meta-data/local-ipv4
10.106.15.70

• To retrieve the host name of the instance:

curl http://192.0.0.192/2007-08-29/meta-data/local-hostname
bd6032.compute-acme.oraclecloud.com

• To retrieve information about the memory and CPU resources of the instance:

curl http://192.0.0.192/2007-08-29/meta-data/instance-type
7680 ram, 2.0 cpus

• To retrieve the instance name:

curl http://192.0.0.192/2007-08-29/meta-data/instance-id
/Compute-acme/[email protected]/4c318760-444b-4b48-83e1-e1b112c201f2

• To find out how many SSH public keys are stored on the instance:

curl http://192.0.0.192/2007-08-29/meta-data/public-keys
0
1
2

In this example, three SSH public keys are stored as metadata, with index
numbers 0, 1, and 2.

• To retrieve the value of a specific SSH public key:

curl http://192.0.0.192/2007-08-29/meta-data/public-keys/0/openssh-key
ssh-rsa AAAAB3NzaC1yc2EAAAABI... == [email protected]
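The start-up script described under the sshkeys attribute, built on the retrieval steps above, as an added example (not Oracle's script and not code from this guide): it reads the keys from a pinned metadata version, rejects any response that is not a single well-formed key line, and adds new keys to an authorized_keys file that ends up with mode 0600. The allowed key types, the function names and the sample responses are assumptions constructed for the example.

```python
import base64
import os
import struct
import tempfile
import urllib.request

METADATA_BASE = "http://192.0.0.192"
VERSION = "2007-08-29"  # a pinned version, as the tip above advises, not "latest"
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}  # assumption: local policy


def http_fetch(path, timeout=5):
    """GET one metadata path from inside the instance and return the body as text."""
    with urllib.request.urlopen(f"{METADATA_BASE}/{path}", timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_public_key(text):
    """Return a normalised 'type base64 [comment]' line or raise ValueError."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one key line")
    parts = lines[0].split(None, 2)
    # Rejects unknown types and any line that starts with authorized_keys options.
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        raise ValueError("unsupported or missing key type")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != parts[0].encode():
        raise ValueError("key type does not match key blob")
    return " ".join(parts)


def fetch_public_keys(fetch=http_fetch, version=VERSION):
    """Walk public-keys/{index}/openssh-key; return (accepted, rejected)."""
    accepted, rejected = [], []
    for index in fetch(f"{version}/meta-data/public-keys").split():
        if not index.isdigit():
            continue
        try:
            accepted.append(parse_public_key(
                fetch(f"{version}/meta-data/public-keys/{index}/openssh-key")))
        except ValueError as exc:
            rejected.append((int(index), str(exc)))
    return accepted, rejected


def install_keys(keys, path):
    """Add keys that are not yet in the file; return how many were added."""
    existing = []
    if os.path.exists(path):
        with open(path) as handle:
            existing = [line.rstrip("\n") for line in handle if line.strip()]
    seen = {tuple(line.split()[:2]) for line in existing}
    added = []
    for key in keys:
        ident = tuple(key.split()[:2])  # compare on type and blob, ignore the comment
        if ident not in seen:
            seen.add(ident)
            added.append(key)
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory)  # created with mode 0600
    with os.fdopen(fd, "w") as handle:
        handle.write("\n".join(existing + added) + "\n")
    os.replace(tmp, path)  # atomic: sshd never reads a half-written file
    # When run as root for another user, also chown the file to that user.
    return len(added)


def constructed_key(comment, declared="ssh-ed25519"):
    """Well-formed but meaningless key line (constructed sample data, all-zero key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return f"{declared} {base64.b64encode(blob).decode()} {comment}"


PREFIX = f"{VERSION}/meta-data/public-keys"
SAMPLE = {  # constructed responses, keyed by request path
    PREFIX: "0\n1\n2\n",
    f"{PREFIX}/0/openssh-key": constructed_key("admin@acme"),
    f"{PREFIX}/1/openssh-key": constructed_key("mismatch", declared="ssh-rsa"),
    f"{PREFIX}/2/openssh-key": constructed_key("same key, other comment"),
}

if __name__ == "__main__":
    keys, rejected = fetch_public_keys(SAMPLE.__getitem__)
    target = os.path.join(tempfile.mkdtemp(), ".ssh", "authorized_keys")
    print("added", install_keys(keys, target), "rejected", rejected)
```

On an instance, call fetch_public_keys() with no arguments so that it uses http_fetch against 192.0.0.192, and log the rejected list rather than discarding it.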

Retrieving User-Defined Instance Attributes


1. Log in to the instance using SSH.

See Logging In to an Instance.

2. Get a list of all the top-level attributes that are specified for the instance, by running
the following command:

curl http://192.0.0.192/latest/user-data

Note:

The cURL commands provided in this document are for Linux and Oracle
Solaris instances. On Windows instances, open PowerShell and use the
Invoke-RestMethod command instead of cURL.

The following is an example of the output:

pre-bootstrap
packages

In this example, the output shows that the instance has two top-level user-defined
attributes: pre-bootstrap and packages.

3. To retrieve the attributes defined under the top-level pre-bootstrap attribute,
run the following command:

curl http://192.0.0.192/latest/user-data/{topLevelAttribute}

Example:
curl http://192.0.0.192/latest/user-data/pre-bootstrap

The following sample output indicates that two attributes are specified under the
pre-bootstrap attribute:
failonerror
scriptURL

4. Run the same command for successive levels of attributes until you get the
required attribute value, as shown in the following example:

curl http://192.0.0.192/latest/user-data/pre-bootstrap/failonerror
true

Sample Scenario for Specifying and Using Instance Attributes


Consider a distributed system where a manager instance must handle requests from a
set of worker instances. The instances in this sample scenario are identical in all other
respects. So they’re based on the same machine image.

Create an image list containing two entries, both for the same machine image, but one
entry with the attribute {"role":"manager"} and the other with the attribute
{"role":"worker"} in the attributes field. To create an image list entry using
the API, use the POST /imagelist/name/entry method. See REST API for Oracle
Compute Cloud Service.
In the launch plan that you use to provision the instances in the distributed system,
define a number of worker instances that use the image list entry with the
{"role":"worker"} attribute, and define a manager instance that uses the image
list entry with the {"role":"manager"} attribute.
After the instances are created, the software running on each instance can determine
the role that the instance should play based on the value of the role attribute stored
at http://192.0.0.192/version/user-data.
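The level-by-level retrieval and the role lookup from the scenario above, automated as an added example (not code from this guide). It assumes that a path which does not exist makes the service return an HTTP error, which is how the walker tells a leaf value from a list of attribute names; the secret-name hints, the function names and the sample responses are also constructed for the example.

```python
import urllib.error
import urllib.parse
import urllib.request

USER_DATA = "http://192.0.0.192/latest/user-data"
SECRET_HINTS = ("password", "passwd", "secret", "token")  # assumption: local naming habits


def http_fetch(path):
    """Body of one user-data path, or None when the service returns an error."""
    url = f"{USER_DATA}/{urllib.parse.quote(path)}".rstrip("/")
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return None


def walk(fetch, path="", max_depth=8):
    """Nested dict for attribute listings, plain string for values, None if absent."""
    body = fetch(path)
    if body is None:
        return None
    names = [line.strip() for line in body.splitlines() if line.strip()]
    if max_depth == 0 or not names:
        return body.strip()
    children = {}
    for name in names:
        # Probe one level down; a value such as "true" has nothing beneath it.
        child = None if "/" in name else walk(fetch, f"{path}/{name}".lstrip("/"), max_depth - 1)
        if child is None:
            return body.strip()  # the body was a value, not a list of names
        children[name] = child
    return children


def flag_secrets(tree, prefix=""):
    """Paths whose names suggest a credential that every local process can read."""
    hits = []
    for key, value in tree.items():
        path = f"{prefix}/{key}".lstrip("/")
        if isinstance(value, dict):
            hits += flag_secrets(value, path)
        elif any(hint in key.lower() for hint in SECRET_HINTS):
            hits.append(path)
    return hits


def instance_role(tree, allowed=("manager", "worker")):
    """Role from the scenario above; anything outside the allow-list is refused."""
    role = tree.get("role") if isinstance(tree, dict) else None
    if role not in allowed:
        raise ValueError(f"unexpected role attribute: {role!r}")
    return role


SAMPLE = {  # constructed responses, keyed by path below user-data
    "": "pre-bootstrap\nrole\nuserdata\n",
    "pre-bootstrap": "failonerror\nscriptURL\n",
    "pre-bootstrap/failonerror": "true",
    "pre-bootstrap/scriptURL": "https://example.com/setup.sh",
    "role": "worker",
    "userdata": "db_host\ndb_password\n",
    "userdata/db_host": "10.0.0.5",
    "userdata/db_password": "constructed-placeholder",
}

if __name__ == "__main__":
    tree = walk(SAMPLE.get)  # on an instance: walk(http_fetch)
    print(tree)
    print("role:", instance_role(tree))
    print("credential-like attributes:", flag_secrets(tree))
```

Anything flag_secrets reports is served over plain HTTP to any process on the instance, so treat such attributes as bootstrap material to rotate after first use.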

Updating an Instance
Topics

• Attaching a Storage Volume to an Instance

• Detaching a Storage Volume from an Instance

• Adding an Instance to a Security List

• Removing an Instance from a Security List

Attaching a Storage Volume to an Instance


A storage volume is a virtual disk that provides persistent block storage space for
instances in Oracle Compute Cloud Service. You can provide or increase the block
storage capacity for an instance by attaching storage volumes.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• You must have created the storage volume that you want to attach to your instance.
See Creating a Storage Volume.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. On the Instances page, identify the instance to which you want to attach a storage
volume. From the menu, select View.

3. On the instance details page, click Attach Storage Volume.

4. Select the volume that you want to attach.

5. The Attach as Disk # field is filled automatically with the next available index at
which the volume can be attached. You can leave this field at the automatically
selected disk number or enter a higher number up to 10.

The disk number that you specify here determines the device name. The disk
attached at index 1 is named /dev/xvdb, the disk at index 2 is /dev/xvdc, the
disk at index 3 is /dev/xvdd, and so on.
Make a note of the disk number. You’ll need it later when you mount the storage
volume on the instance.

6. Click Attach.

You can also attach a storage volume to a running instance from the Storage page. See
Attaching a Storage Volume to an Instance.
To attach a storage volume to an instance using the API, you must add a storage
attachment object by using the POST /storage/attachment method. See REST
API for Oracle Compute Cloud Service.
After attaching a storage volume to an instance, to access the block storage, you must
mount the storage volume on your instance. See Mounting a Storage Volume on a
Linux Instance.

Detaching a Storage Volume from an Instance


When you no longer require access to a storage volume, you can unmount it and
detach it from your instance.

After you detach a storage volume from an instance, you can no longer read data from or
write data to the storage volume unless you attach the volume to an instance.

Note:
You can’t detach or delete a storage volume that was attached while creating
an instance.
If you’re sure that a storage volume is no longer required, then back up the
data elsewhere and delete the storage volume.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• Ensure that you’ve unmounted the storage volume that you want to detach. See
Unmounting a Storage Volume from a Linux Instance.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. On the Instances page, identify the instance that you want to update. From the
menu, select View.

3. On the instance details page, identify the storage volume that you want to detach.
From the menu, select Detach Storage Volume.

To detach a storage volume from an instance using the API, you must remove a
storage attachment object, by using the DELETE /storage/attachment/name
method. For more information, see REST API for Oracle Compute Cloud Service.

Adding an Instance to a Security List


When you add an instance to a security list, the instance can communicate freely with
all the other instances in the same security list. Any security rules that are defined for
the security list are applicable to all the instances in that security list.

Internally, an instance is associated with security lists by using the instance’s vcable,
which provides an attachment point to a specific network interface on the instance.
You can dynamically add or remove an instance from a security list, without stopping
the instance.
You can add an instance to up to five security lists.

Caution:

When you add an instance to a security list, all the security rules that use that
security list—as either the source or destination—are applicable to the
instance. Consider a security list that is the destination in two security rules,
one rule that allows SSH access from the public Internet and another rule
permitting HTTPS traffic from the public Internet. When you add an instance
to this security list, the instance is accessible from the public Internet over both
SSH and HTTPS. Keep this in mind when you decide the security lists that you
want to add an instance to.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• You must have created the security list that you want to add your instance to. See
Creating a Security List.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. On the Instances page, identify the instance that you want to update. From the
menu, select View.

3. On the instance details page, click Add to Security List.

4. Select the security list that you want to add your instance to, and click Attach.

To add an instance to a security list using the API, you must first find out the vcable
ID of the instance. To find out the vcable ID of an instance using the API, use the
GET /instance/name method. Next, to create an association between the vcable ID
and the security list, use the POST /secassociation/ method and specify the
vcable ID. See REST API for Oracle Compute Cloud Service.

Note:

When an instance is deleted and re-created, any security lists to which you
had added the instance manually (that is, not during instance creation), must
be associated again.

Removing an Instance from a Security List


To prevent other hosts from accessing an instance, you can remove the instance from
the security lists that it is attached to. This may be required when you want to perform
maintenance activities, change or upgrade applications, and so on.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.
Internally, an instance is associated with security lists by using the instance’s vcable.
When you add an instance to a security list, a security association is created between
the vcable and the specified security list. To remove an instance from a security list,
you must delete the security association that binds the instance to the security list.

Note:

When you remove an instance from a security list, the security rules that are
defined for the security list are no longer applicable to the instance, and the
instance can’t communicate with other instances in the security list. An
instance that isn’t associated with any security list is completely inaccessible.
When an instance that you had previously removed from the /default/
default security list is re-created, you must remove the instance from the
security list again after the instance is re-created.

To remove an instance from a security list using the web console:

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.


2. On the Instances page, identify the instance that you want to update. From the
menu, select View.

3. On the instance details page, go to the security list that you want to remove your
instance from. From the menu, select Remove from Security List.

To remove an instance from a security list using the API, you must remove a security
association, by using the DELETE /secassociation/name method. See REST API
for Oracle Compute Cloud Service.

Cloning an Instance by Using Instance Snapshots


Instance snapshots provide an easy way to create a customized machine image using
an existing instance as a template. You can then use this customized machine image to
create multiple instances with identical configurations.
To create an instance snapshot, first create an instance using an appropriate machine
image. This instance must use a nonpersistent boot volume.

Note:

If your instance uses a bootable storage volume and you want to clone the
storage volume, see Cloning a Storage Volume by Using Storage Volume
Snapshots.

When your instance is running, customize your instance as required, by adding users,
or installing and configuring applications. These changes are stored on your
nonpersistent boot disk.
When you’re done customizing your instance, to use the instance as a template to
create other instances, create an instance snapshot. Instance snapshots capture the
current state of your boot disk and create a corresponding machine image, which is
uploaded to your Oracle Storage Cloud Service account. You can then register this
machine image with your Oracle Compute Cloud Service account and use it to create
instances. These instances will contain all the configuration and customization that
you’d done on the original instance when you took the snapshot.
When you create an instance using a nonpersistent boot disk, if you want to delete the
instance, then using instance snapshots also allows you to preserve the changes you’ve
made to your instance before you delete the instance. Later on, you can use this
machine image to create another instance identical to the one you deleted.

Topics

• Creating an Instance Snapshot

• Registering the Image Generated by an Instance Snapshot

• Creating an Instance from an Instance Snapshot

• Deleting an Instance Snapshot


Creating an Instance Snapshot


Creating a snapshot of an instance allows you to capture the current state of the
nonpersistent boot disk used by an instance, including all customization that you may
have made at the operating-system level after creating the instance.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

Note:

Instance snapshots capture the state of your nonpersistent boot disk. You can’t
create an instance snapshot if your instance uses a bootable storage volume.
To create a snapshot of a storage volume, see Cloning a Storage Volume by
Using Storage Volume Snapshots.

To create an instance snapshot:

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Go to the instance that you want to create a snapshot of. From the menu, select
Create Snapshot.

Alternatively, you can also create an instance snapshot from the instance details
page.

a. On the Instances page, go to the instance that you want to create a snapshot of,
and from the menu, select View.

b. On the instance details page, go to the Instance Snapshots section and click
Create Snapshot.

3. Enter a name for the snapshot and click Create.


An instance snapshot is generated and it creates a custom image. While the image
is being created, the instance details page shows the state of the instance snapshot
as Active. When the image has been created and is available in your Oracle
Storage Cloud Service account, the state of the instance snapshot changes to
Complete. Next, to register this image, see Registering the Image Generated by an
Instance Snapshot.

To create an instance snapshot using the API, use the POST /snapshot/ method.

Registering the Image Generated by an Instance Snapshot


An instance snapshot captures the current state of the nonpersistent boot disk of an
instance and uses it to create a corresponding machine image. You can then use this
machine image to create other instances. These instances are clones of the instance that
you created the snapshot of. Any customization done on that instance is automatically
part of instances created using the snapshot.

The image created by an instance snapshot is stored in your Oracle Storage Cloud
Service account. Before you can use this image to create an instance, you must register
this image in your Oracle Compute Cloud Service account.
To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.
1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Instance Snapshots tab in the left pane.

3. Go to the snapshot that you want to use. From the menu, select Associate
Image.

Alternatively, you can also register a snapshot from the instance details page.

• On the Instances page, go to the instance that you want to clone. From the
menu, select View.

• On the instance details page, in the Instance Snapshots section, go to the
snapshot that you want to use. From the menu, select Associate Image.


4. Enter a description for the image and click Ok.

The image is added as a private image on the Private Images page.


To do this using the API, invoke the POST /imagelist/ and the
POST /imagelistentry/ methods, in that order. For more information, see REST API for
Oracle Compute Cloud Service.
After registering the image generated by an instance snapshot, to create an instance
using this machine image, see Creating an Instance Using a Custom Machine Image.

Creating an Instance from an Instance Snapshot


An instance snapshot captures the current state of an instance and uses it to generate
an image that is uploaded to your Oracle Storage Cloud Service account. You can then
register this image with your Oracle Compute Cloud Service account and use it to
create instances.

After you’ve registered the image generated by an instance snapshot, the machine
image is added to the list of custom images on your Private Images page. To create an
instance using this machine image, see Creating an Instance Using a Custom Machine
Image.

Deleting an Instance Snapshot


An instance snapshot allows you to capture the current state of an instance and use it
to launch other instances. When an instance snapshot is completed, it creates a
machine image and stores it in your Oracle Storage Cloud Service account.

After an instance snapshot has completed creating a machine image of an instance, the
instance snapshot record on the web console only provides information about when a
machine image was created from a given instance. You can also view the
autogenerated name of an instance snapshot, which helps to identify the
corresponding machine image file in your Oracle Storage Cloud Service account. If you
don’t require this information for record-keeping purposes, you can delete the
instance snapshot. Deleting an instance snapshot has no impact on the machine image
file stored in your Oracle Storage Cloud Service account, or on the private image that
you might have registered in your Oracle Compute Cloud Service account.
To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.
To delete an instance snapshot:

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.


c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Go to the instance that you want to view. From the menu, select View.

3. On the instance details page, in the Instance Snapshots section, go to the instance
snapshot that you want to delete. From the menu, click Delete.

To delete an instance snapshot using the API, use the DELETE /snapshot/ method.

Restarting an Instance
When your instance is running, if required, you can log in to your instance and restart
it.

Topics

• Restarting an Oracle Linux Instance

• Restarting an Oracle Solaris Instance

• Restarting a Windows Instance

Restarting an Oracle Linux Instance


To restart an instance:

1. Log in to the instance using ssh. See Accessing an Oracle Linux Instance Using
SSH.

2. Run the following command:

sudo /sbin/shutdown -r now

Caution:

Don’t use the -h option of the shutdown command. If you stop an instance by
using the -h option of the shutdown command or by using the halt
command, you can’t restart the instance. The status of the instance on the web
console doesn’t get updated to Stopped. It continues to show the status of the
instance as Running. If you used an orchestration to create the instance, the
status of the orchestration continues to show as Ready. You’ll have to delete
the instance and create it again. To shut down and delete an Oracle Linux
instance, see Deleting an Instance or Stopping an Orchestration.

Restarting an Oracle Solaris Instance


To restart an Oracle Solaris instance:

1. Log in to the instance using ssh. See Accessing an Oracle Solaris Instance Using
SSH.


2. Assume the root role, by running the following command:

su -

When prompted, enter the root password.

3. Run any one of the following commands:

• reboot

• init 6

• shutdown -y -i6 -g0

Wait for the instance to be shut down and rebooted.

To check whether the instance has been rebooted, try connecting to it using ssh.
Until the instance is up again, the No route to host error is displayed.

Note:

To delete an instance created by using an orchestration, stop the orchestration.
See Stopping an Orchestration. To delete an instance that wasn’t created using
an orchestration, see Deleting an Instance.

Restarting a Windows Instance


To restart a Windows instance:

1. Log in to the instance as an administrator. See Accessing a Windows Instance
Using RDP.

2. Click the Start button.

3. Click the power button at the top right corner and select Restart.

Caution:

Don’t use the Shutdown option to stop your Windows instance. If you do,
you can’t restart that instance. The status of the instance on the web console
doesn’t get updated to Stopped. It continues to show the status of the instance
as Running. If you used an orchestration to create the instance, the status of
the orchestration continues to show as Ready. You’ll have to delete the
instance and create it again. To shut down and delete a Windows instance, see
Deleting an Instance or Stopping an Orchestration.

Deleting an Instance
When you delete an instance, its status changes to stopping. After the instance is
shut down, it is deleted.

Caution:
When you delete an instance that uses a nonpersistent boot disk, any changes
you may have made to the boot disk after the instance was created are lost.


Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• Ensure that you didn’t create the instance with the HA policy set to active. If the
HA policy is set to active, then when the instance is deleted, it is re-created
automatically. To delete such an instance, you must stop the orchestration. See
Stopping an Orchestration.

• Any storage volumes that are attached to an instance are detached (but not deleted)
when you delete the instance. You must unmount attached storage volumes before
deleting an instance. See Unmounting a Storage Volume from a Linux Instance.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. On the Instances page, identify the instance that you want to delete. From the
menu, select Delete.

When you delete an instance, its status changes to stopping. After the instance is
shut down, it is deleted.
To delete an instance using the API, use the DELETE /instance/name method. See
REST API for Oracle Compute Cloud Service.
If you created an instance using an orchestration, then you can delete the instance by
stopping the orchestration. See Stopping an Orchestration.

Updating Packages on an Oracle Solaris Instance


When you create instances by using an Oracle-provided Oracle Solaris image, you get
a support entitlement for Oracle Solaris. You can update packages from the support
repository, file service requests to get support, and so on. The default IPS publisher,
named solaris, is preconfigured to use the Oracle Solaris support repository
(https://pkg.oracle.com/solaris/support/).


Checking Whether the SSL Key and Certificate of the IPS Publisher Are Associated

1. Log in to your Oracle Solaris instance as the opc user:


ssh opc@ip_address -i /path/to/private_key

2. Run the following command:


pkg publisher solaris

• If the SSL Key and SSL Cert fields have values and if the certificate hasn’t
expired yet (see the Cert. Expiration Date field), as shown in the
following example, then proceed to Updating Packages.
Publisher: solaris
Alias:
Origin URI: https://pkg.oracle.com/solaris/support/
SSL Key: /var/pkg/ssl/0ea8b04aa00e4ea1621aa66cab649778b67ef486
SSL Cert: /var/pkg/ssl/66aac7c266473f285641fef2b8e6817248cb7f4e
Cert. Effective Date: March 27, 2016 09:10:48 AM
Cert. Expiration Date: April 4, 2018 09:10:48 AM
Client UUID: 0717ae7e-bb12-11e5-9a62-9bd968ceffe9
Catalog Updated: March 24, 2016 03:53:33 PM
Enabled: Yes

• If the SSL Key and SSL Cert fields show None, or if they show a value but
the certificate has expired, then complete the steps in Associating the SSL Key
and Certificate for the IPS Publisher.
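
The decision described in the two bullets above can be automated when many Oracle Solaris instances have to be checked. The following Python sketch is an added example, not part of the Oracle documentation: it parses the pkg publisher solaris output shown above and reports which procedure applies. The function names, the action strings, and the 30-day renew-soon warning window are assumptions of this example.

```python
from datetime import datetime, timedelta

# Date format used in the sample output on this page, for example
# "April 4, 2018 09:10:48 AM". Month and AM/PM names are parsed with the
# current locale, so run this under an English or C locale.
DATE_FORMAT = "%B %d, %Y %I:%M:%S %p"

# The `pkg publisher solaris` output reproduced from this page.
SAMPLE_OUTPUT = """\
Publisher: solaris
Alias:
Origin URI: https://pkg.oracle.com/solaris/support/
SSL Key: /var/pkg/ssl/0ea8b04aa00e4ea1621aa66cab649778b67ef486
SSL Cert: /var/pkg/ssl/66aac7c266473f285641fef2b8e6817248cb7f4e
Cert. Effective Date: March 27, 2016 09:10:48 AM
Cert. Expiration Date: April 4, 2018 09:10:48 AM
Client UUID: 0717ae7e-bb12-11e5-9a62-9bd968ceffe9
Catalog Updated: March 24, 2016 03:53:33 PM
Enabled: Yes
"""


def parse_publisher(output):
    """Turn 'Field: value' lines into a dict; a field with no value maps to ''."""
    fields = {}
    for line in output.splitlines():
        # Split on the first colon only: values (URLs, times) contain colons.
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def check_publisher(output, now, warn_days=30):
    """Return (action, reason) for one publisher.

    action is "update" (proceed to Updating Packages), "associate" (run the
    Associating the SSL Key and Certificate procedure), "renew-soon" (still
    valid, but expires within warn_days; an addition of this example), or
    "check-manually" (the expiration date could not be read).
    `now` is a naive datetime in the same time zone as the instance clock,
    because the pkg output carries no time zone.
    """
    fields = parse_publisher(output)
    for name in ("SSL Key", "SSL Cert"):
        if fields.get(name, "") in ("", "None"):
            return "associate", f"{name} is not set"

    raw = fields.get("Cert. Expiration Date", "")
    try:
        expires = datetime.strptime(raw, DATE_FORMAT)
    except ValueError:
        return "check-manually", f"cannot read expiration date {raw!r}"

    if expires <= now:
        return "associate", f"certificate expired on {expires:%Y-%m-%d}"
    if expires - now <= timedelta(days=warn_days):
        return "renew-soon", f"certificate expires on {expires:%Y-%m-%d}"
    return "update", f"certificate valid until {expires:%Y-%m-%d}"


if __name__ == "__main__":
    # On an instance, replace SAMPLE_OUTPUT with the captured command output.
    print(check_publisher(SAMPLE_OUTPUT, datetime.now()))
```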

Associating the SSL Key and Certificate for the IPS Publisher
You must complete the steps in this section if the pkg publisher solaris
command shows that the SSL key and certificate are not associated, or if the command
shows that the certificate is associated but has expired.

1. Go to https://pkg-register.oracle.com/.

2. Click Request Certificates.

3. On the Available Repositories page, look for the Oracle Solaris 11 Support row,
and click Request Access.

4. Read and accept the My Oracle Support terms.

5. Go to https://pkg-register.oracle.com/register/certificate/ and download your
key and certificate to your local host.

6. Copy the key and certificate from your local host to your Oracle Solaris
instance:

scp pkg.oracle.com.*.pem opc@ip_address:~

Here, ip_address is the public IP address of your Oracle Solaris instance. This
command copies pkg.oracle.com.key.pem and pkg.oracle.com.certificate.pem from
your local host to the /export/home/opc directory of your Oracle Solaris
instance.

7. Log in to your Oracle Solaris instance as the opc user:


ssh opc@ip_address -i /path/to/private_key


8. Assume the root role:


su -

9. Set up the publisher configuration:


pkg set-publisher \
-k /export/home/opc/pkg.oracle.com.key.pem \
-c /export/home/opc/pkg.oracle.com.certificate.pem \
-G "*" -g https://pkg.oracle.com/solaris/support/ solaris

Updating Packages

1. Verify that the SSL key and certificate are set for the IPS publisher.
See Checking Whether the SSL Key and Certificate of the IPS Publisher Are
Associated.

2. Update the packages:

• To list the packages available in the repository:


pkg list -a 'pkg://solaris/*'

• To do a dry run of an update:


pkg update -nv

• To update all packages:


pkg update

3. Wait for the update operation to be completed.


After all the packages are updated, messages such as the following are displayed:
Packages to install: 1
Packages to update: 154
Create boot environment: Yes
Create backup boot environment: No

DOWNLOAD PKGS FILES XFER (MB) SPEED


Completed 155/155 7607/7607 307.0/307.0 3.0M/s

ITEMS
Removing old actions 732/732
Installing new actions 1317/1317
Updating modified actions 7658/7658
Updating package state database Done
Updating package cache 154/154
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1

A clone of solaris exists and has been updated and activated.


On the next boot the Boot Environment solaris-1 will be
mounted on '/'. Reboot when ready to switch to this updated BE.

Updating package cache 1/1

---------------------------------------------------------------
NOTE: Please review release notes posted at:


https://support.oracle.com/rs?type=doc&id=2045311.1
---------------------------------------------------------------

4. In the output, note the name of the new boot environment (BE), solaris-1 in
this example.

5. To verify that the new BE exists, run the following command:


beadm list
Here’s an example of the output of this command:
BE Flags Mountpoint Space Policy Created
-- ----- ---------- ----- ------ -------
solaris N - 58.68M static 2016-02-23 23:59
solaris-1 R / 6.49G static 2016-04-04 11:34

In this example, two BEs exist on the instance:

• The currently active solaris BE, indicated by the N (=active now) flag

• The new solaris-1 BE, indicated by the R (=active on reboot) flag

6. For the new BE to take effect, restart the instance. See Restarting an Oracle Solaris
Instance.



4
Managing Orchestrations

Topics

• About Orchestrations

• Orchestration Templates

• Workflow for Creating Instances Using Orchestrations

• Building Your First Orchestration

• Attributes in Orchestrations

• Uploading an Orchestration

• Orchestration Life Cycle

• Starting an Orchestration

• Monitoring Orchestrations

• Return Parameters Displayed in an Orchestration

• Stopping an Orchestration

• Downloading an Orchestration

• Updating an Orchestration

• Deleting an Orchestration

About Orchestrations
Topics

• What Is an Orchestration?

• Orchestration Terminology

• Object Types in an Orchestration

• Relationships Between Object Plans

• Relationships Between Objects Within a Launch Plan Object

• About Nested Orchestrations

• About High-Availability Policies in an Orchestration


What Is an Orchestration?
An orchestration defines the attributes and interdependencies of a collection of
compute, networking, and storage resources in Oracle Compute Cloud Service. You
can use orchestrations to automate the provisioning and lifecycle operations of an
entire virtual compute topology.
For example, you can use orchestrations to create and manage a collection of instances
hosting a multitiered application stack with all the necessary networking, storage, and
security settings.
At any time, you can delete and re-create all the instances in an orchestration just by
stopping and restarting the orchestration. Storage attachments, security lists, and so on
are re-associated automatically. When the HA policy in an orchestration is set to
active, if an instance in such an orchestration goes down, the instance is re-created
automatically.
Note that networking and storage objects needn’t be defined in the same
orchestrations that you use to create instances. You can define the networking and
storage objects in separate orchestrations, and then refer to them in the orchestrations
that define the instances. With this approach, you can remove and re-create instances
independent of the associated resources.
To create instances using orchestrations, you build an orchestration in a JSON-
formatted file, upload it to Oracle Compute Cloud Service, and then start the
orchestration. For a simple example of an orchestration file that you can use to learn
how to build your first orchestration, see Building Your First Orchestration. But before
that, do read the remainder of this topic and become familiar with the features,
terminology, and concepts of orchestrations.
Orchestration Terminology

Term                     Description

object plan (oplan)      An object plan, or oplan, is the primary building block of an
                         orchestration.
                         Each oplan contains all the attributes for the object type
                         defined in that oplan.
                         An orchestration can contain up to 10 object plans, and each
                         oplan can include up to 10 objects.

object type (obj_type)   An object type refers to the Oracle Compute Cloud Service
                         resource that you want to create.
                         For example, if you want to create a storage volume, the
                         obj_type would be storage/volume. If you want to create an
                         instance, the obj_type would be launchplan.
                         See Object Types in an Orchestration.

object (objects)         The objects attribute defines the properties or characteristics
                         of the Oracle Compute Cloud Service resource that you want to
                         create, as specified by the obj_type attribute.
                         The fields in the objects section vary depending on the
                         specified obj_type.
                         For example, if you want to create a storage volume, the
                         obj_type would be storage/volume, and the objects would
                         include size and bootable. If you want to create an instance,
                         the obj_type would be launchplan, and the objects would
                         include instances, along with instance-specific attributes,
                         such as imagelist and shape.

For information about the attributes of each object type, see Attributes in
Orchestrations.
Object Types in an Orchestration
In an orchestration, you can define any of the following object types:

Object Type      Description

ip/reservation   Reserves an IP address.
                 To associate an IP reservation with an instance that’s defined in
                 the same orchestration, you must specify a relationship between
                 the ip/reservation and the launchplan object plans.

launchplan       Creates an instance.
                 To add an instance to a security list that’s defined in the same
                 orchestration, you must specify a relationship between the
                 launchplan and the seclist object plans.

orchestration    Starts a set of orchestrations. See About Nested Orchestrations.

storage/volume   Creates a storage volume.
                 To attach this storage volume to an instance that’s defined in the
                 same orchestration, you must specify a relationship between the
                 storage/volume and the launchplan object plans.

secapplication   Creates a security application.
                 To use this security application in a security rule that’s defined
                 in the same orchestration, you must specify a relationship
                 between these objects.

seciplist        Creates a security IP list.
                 To use this security IP list in a security rule that’s defined in the
                 same orchestration, you must specify a relationship between
                 these objects.

seclist          Creates a security list.
                 To use this security list in a security rule that’s defined in the
                 same orchestration, you must specify a relationship between
                 these objects.

secrule          Creates a security rule.
                 If this security rule uses security applications, security lists, or
                 security IP lists that are defined in the same orchestration, then
                 you must specify a relationship between these objects.

An orchestration can contain up to 10 object plans, and each oplan can contain up to
10 objects.
An orchestration can also contain up to three levels of nested orchestrations. So you
can use a single orchestration to manage many individual components. See About
Nested Orchestrations.
Relationships Between Object Plans
You can use the relationships attribute in an orchestration to specify the sequence
in which the objects in the orchestration must be created.
The relationships attribute specifies the two objects that have a relationship,
identified by their oplan labels. It also specifies the relationship type, which is set to
depends.
For example, if you define a storage volume in an orchestration and you also define an
instance that the storage volume is attached to, then in the relationships section of
the orchestration, you can specify that the launchplan object plan depends on the
storage/volume object plan. This ensures that the storage volume is created before
the instance is created.
So if you define a storage volume in an orchestration with the oplan label
storagevolume1, and a launch plan with the oplan label boot-from-
storagevolume1, then define the relationship between these objects as follows:
"relationships": [
  {
    "oplan": "boot-from-storagevolume1",
    "to_oplan": "storagevolume1",
    "type": "depends"
  }
]

For more complex scenarios, you can define multiple relationships.


For example, to create a security list (seclist1), a security application
(secapplication1), and a security rule (secrule1) in a single orchestration, define
the following relationships to ensure that both the security application and the
security list are created before the security rule:
"relationships": [
  {
    "oplan": "secrule1",
    "to_oplan": "seclist1",
    "type": "depends"
  },
  {
    "oplan": "secrule1",
    "to_oplan": "secapplication1",
    "type": "depends"
  }
]
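
The creation sequence that depends relationships impose, and the limits of 10 object plans and 10 objects per object plan, can be checked before an orchestration file is uploaded. The following Python sketch is an added example, not Oracle's code: it validates the relationships section of a parsed orchestration and derives an order in which the object plans can be created. The function name check_orchestration, the constructed sample document, and the choice to report any relationship type other than depends as an error are assumptions of this example.

```python
import json
from collections import deque

MAX_OPLANS = 10             # "An orchestration can contain up to 10 object plans"
MAX_OBJECTS_PER_OPLAN = 10  # "each oplan can contain up to 10 objects"

# Constructed sample based on the seclist1/secapplication1/secrule1 scenario
# above. The object names are placeholders; real objects carry more attributes.
SAMPLE = json.loads("""
{
  "name": "/Compute-acme/example-user/security_orch",
  "oplans": [
    {"label": "secrule1", "obj_type": "secrule",
     "objects": [{"name": "/Compute-acme/example-user/secrule1"}]},
    {"label": "seclist1", "obj_type": "seclist",
     "objects": [{"name": "/Compute-acme/example-user/seclist1"}]},
    {"label": "secapplication1", "obj_type": "secapplication",
     "objects": [{"name": "/Compute-acme/example-user/secapplication1"}]}
  ],
  "relationships": [
    {"oplan": "secrule1", "to_oplan": "seclist1", "type": "depends"},
    {"oplan": "secrule1", "to_oplan": "secapplication1", "type": "depends"}
  ]
}
""")


def check_orchestration(orch):
    """Return (errors, order): problems found and a valid oplan creation order.

    When a dependency cycle exists, order holds only the oplans that can still
    be created and the cycle is reported in errors.
    """
    errors = []
    oplans = orch.get("oplans", [])
    if len(oplans) > MAX_OPLANS:
        errors.append(f"{len(oplans)} object plans; the limit is {MAX_OPLANS}")

    pending = {}     # label -> number of prerequisites not yet created
    dependents = {}  # label -> oplans that must wait for this one
    for index, plan in enumerate(oplans):
        label = plan.get("label")
        if not isinstance(label, str) or not label:
            errors.append(f"oplan #{index} has no label")
            continue
        if label in pending:
            errors.append(f"duplicate oplan label: {label}")
            continue
        pending[label] = 0
        dependents[label] = []
        count = len(plan.get("objects", []))
        if count > MAX_OBJECTS_PER_OPLAN:
            errors.append(f"oplan {label} has {count} objects; "
                          f"the limit is {MAX_OBJECTS_PER_OPLAN}")

    for rel in orch.get("relationships", []):
        src, dst, kind = rel.get("oplan"), rel.get("to_oplan"), rel.get("type")
        if kind != "depends":
            errors.append(f"relationship {src} -> {dst}: type is {kind!r}, "
                          "expected 'depends'")
            continue
        unknown = [name for name in (src, dst) if name not in pending]
        if unknown:
            errors.append(f"relationship refers to unknown oplan label(s): "
                          f"{', '.join(map(str, unknown))}")
            continue
        dependents[dst].append(src)  # dst must exist before src is created
        pending[src] += 1

    # Kahn's algorithm: repeatedly create oplans with no unmet prerequisites.
    ready = deque(label for label, count in pending.items() if count == 0)
    order = []
    while ready:
        label = ready.popleft()
        order.append(label)
        for waiter in dependents[label]:
            pending[waiter] -= 1
            if pending[waiter] == 0:
                ready.append(waiter)

    stuck = [label for label in pending if label not in order]
    if stuck:
        errors.append("dependency cycle among: " + ", ".join(stuck))
    return errors, order


if __name__ == "__main__":
    print(check_orchestration(SAMPLE))
```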


Relationships Between Objects Within a Launch Plan Object


You can also specify relationships within launchplan objects (that is, instances).
For example, if you define two instances with the labels instanceA and instanceB
in an orchestration and you want those instances to be created on separate nodes, then
in the launchplan object plan, define the relationship between the instances as
follows:
"relationships": [
  {
    "instances": [
      "instanceA",
      "instanceB"
    ],
    "type": "different_node"
  }
]

The type attribute under relationships in a launch plan can have one of the
following values:

• same_node: The specified instances are created on the same physical server. This
is useful if you want to ensure low latency across instances.

• different_node: The specified instances aren’t created on the same physical
server. This is useful if you want to isolate instances for security or redundancy.
About Nested Orchestrations
You can specify orchestration as an object type within an orchestration. You can
use such an orchestration to start and stop multiple other orchestrations.
For example, if you’ve defined the following orchestrations:

• /Compute-acme/[email protected]/instances_orch: An
orchestration that defines multiple instances.

• /Compute-acme/[email protected]/networking_orch: An
orchestration that defines networking objects such as security lists and security
rules.

• /Compute-acme/[email protected]/storage_orch: An
orchestration that defines storage volumes.
You can synchronize the management of all the resources defined in these
orchestrations, through the following master orchestration:
{
  "name": "/Compute-acme/[email protected]/master_orch",
  "oplans": [
    {
      "label" : "master-orchestration",
      "obj_type" : "orchestration",
      "objects": [
        {
          "name": "/Compute-acme/[email protected]/instances_orch"
        },
        {
          "name": "/Compute-acme/[email protected]/networking_orch"
        },
        {
          "name": "/Compute-acme/[email protected]/storage_orch"
        }
      ]
    }
  ]
}

When you start the master orchestration, all of the nested orchestrations are started.
Note that when you add a master orchestration to Oracle Compute Cloud Service, the
nested orchestrations are not added automatically. You must add each of the nested
and master orchestrations separately.
Depending on the nature of the orchestrations, you might also need to define
relationships between the different orchestration object plans in the master
orchestration, to ensure that the objects defined in the various orchestrations are
created in the appropriate sequence.
For example, to ensure that your network and storage resources are created before the
orchestration that defines the instances is started, you can create a master
orchestration with relationships defined as follows:
{
  "name": "/Compute-acme/[email protected]/master_orch",
  "oplans": [
    {
      "label": "instances-orchestration",
      "obj_type": "orchestration",
      "objects": [
        {
          "name": "/Compute-acme/[email protected]/instances_orch"
        }
      ]
    },
    {
      "label": "network-orchestration",
      "obj_type": "orchestration",
      "objects": [
        {
          "name": "/Compute-acme/[email protected]/networking_orch"
        }
      ]
    },
    {
      "label": "storage-orchestration",
      "obj_type": "orchestration",
      "objects": [
        {
          "name": "/Compute-acme/[email protected]/storage_orch"
        }
      ]
    }
  ],
  "relationships": [
    {
      "oplan": "instances-orchestration",
      "to_oplan": "network-orchestration",
      "type": "depends"
    },
    {
      "oplan": "instances-orchestration",
      "to_oplan": "storage-orchestration",
      "type": "depends"
    }
  ]
}

You can stop and restart the sub-orchestrations individually as required. When you
stop the master orchestration, all the nested orchestrations are stopped, and the objects
created by those orchestrations are deleted.
If you delete the master orchestration, the nested orchestrations and the objects
defined in them aren’t deleted.
An orchestration can contain up to three levels of nested objects.
About High-Availability Policies in an Orchestration
You can specify a high availability (HA) policy in the ha_policy attribute of an
orchestration, to specify the behavior when an object stops unexpectedly.
You can specify one of the following HA policies:

• active
You can specify this policy only for instances, that is, only for objects of type
launchplan.
When the HA policy for an instance is set to active, if the instance stops
unexpectedly, it is re-created automatically. Note, however, that the instance is
re-created automatically only if the orchestration was in the Ready state and the
instance was running without an error. If an instance is in an error state, it isn’t
re-created automatically.

• monitor
You can specify this policy only for instances, storage volumes, and orchestrations,
that is, for objects of type launchplan, storage/volume, and orchestration.
When the HA policy for an object is set to monitor, if the object goes to an error
state or stops unexpectedly, the orchestration changes to the Error state.
However, the object isn’t re-created automatically.

You can’t specify an HA policy for any objects other than instances, storage volumes,
and orchestrations. Attempting to do so results in an error. Also, if you don’t specify
an HA policy for instances, storage volumes, or orchestrations explicitly, then no HA
policy is applied. That is, the policy is set to none by default.

Orchestration Templates
The following sample JSON file illustrates the high-level structure of an orchestration.
For templates for individual object types, see Orchestration Templates for Each Object
Type.
The orchestration templates provided here might not illustrate the use of all the
attributes of each object. For a complete list of attributes and their description, see
Attributes in Orchestrations. To get started with building an orchestration, see
Building Your First Orchestration.

Note:

These orchestration templates use placeholder text for object names, labels,
and other user-specific values. When you use these templates to build your
orchestration, remember to replace placeholder values with values specific to
your environment.

{
  "description": "someDescriptionHere",
  "name": "/Compute-identity_domain/user/name",
  "relationships": [see Relationships Between Object Plans],
  "oplans": [
    {
      "label": "someText",
      "obj_type": "objectType", (see Object Types in an Orchestration)
      "ha_policy": "policy", (see About High-Availability Policies in an Orchestration)
      "objects": [
        {
          attributes (see Attributes in Orchestrations)
        }
      ]
    },
    {
      "label": "someText",
      "obj_type": "objectType", (see Object Types in an Orchestration)
      "objects": [
        {
          attributes (see Attributes in Orchestrations)
        }
      ]
    },
    .
    . up to 10 oplans
    .
  ]
}

Template for Top-Level Attributes of an Orchestration


Top-level attributes contain the name and description of an orchestration, along with
other information such as the relationship between objects defined in the
orchestration, start and stop times for the orchestration, and the list of objects in the
orchestration.
{
  "name": "/Compute-acme/[email protected]/myOrchestration",
  "description": "sample orchestration",
  "relationships": [],
  "schedule": {"start_time": "2015-06-21T12:00:00Z"},
  "oplans": [
    {
      <Define your oplans here. See Orchestration Template for oplans.>
    }
  ]
}

Orchestration Template for oplans


An object plan, or oplan, is a top-level orchestration attribute. Within an object plan,
you can specify various object types and define one or more objects for each object type.
{
  <Define the top-level attributes of your orchestration here. See Template for Top-Level Attributes of an Orchestration.>
  "oplans": [
    {
      "label": "My orchestration",
      "obj_type": "orchestration",
      "objects": [
        <Define your objects here. See Orchestration Templates for Each Object Type.>
      ]
    }
  ]
}

Orchestration Templates for Each Object Type

• Orchestration Template for IP Reservations

• Orchestration Template for Launch Plans

– Orchestration Template for Instances

• Template for Nested Orchestrations

• Orchestration Template for Security Applications

• Orchestration Template for Security IP Lists

• Orchestration Template for Security Lists

• Orchestration Template for Security Rules

• Orchestration Template for Storage Volumes


Orchestration Template for IP Reservations
Use this object type if you want to reserve permanent IP addresses to associate with
your instances. For more information, see About Public IP Addresses.
To associate an IP reservation with an instance that’s defined in the same
orchestration, you must specify a relationship between the ip/reservation and the
launchplan object plans.
{
  <Define the top-level attributes of your orchestration here. See Template for Top-Level Attributes of an Orchestration.>
  "oplans": [
    {
      "label": "My IP reservations",
      "obj_type": "ip/reservation",
      "objects": [
        {
          "name": "/Compute-acme/[email protected]/ipres1",
          "parentpool": "/oracle/public/ippool",
          "permanent": true
        },
        {
          "name": "/Compute-acme/[email protected]/ipres2",
          "parentpool": "/oracle/public/ippool",
          "permanent": true
        }
        <Define other IP reservations here.>
      ]
    }
    <Define other objects here. See Orchestration Templates for Each Object Type.>
  ]
  <Define other oplans here. See Orchestration Template for oplans.>
}

Orchestration Template for Launch Plans


Use this object type if you want to define one or more instances. In an orchestration,
instance is an attribute of the launchplan object type.
{
  <Define the top-level attributes of your orchestration here. See Template for Top-Level Attributes of an Orchestration.>
  "oplans": [
    {
      "label": "My instances",
      "obj_type": "launchplan",
      "objects": [
        {
          "instances": [
            {
              <Define your instance here. See Orchestration Template for Instances.>
            }
            <Define other instances here.>
          ]
        }
      ]
    }
    <Define other objects here. See Orchestration Templates for Each Object Type.>
  ]
  <Define other oplans here. See Orchestration Template for oplans.>
}

Orchestration Template for Instances


In an orchestration, instance is an attribute of the launchplan object type. If any of
the objects referred to in instance attributes are defined in the same orchestration as
the instance, you must specify a relationship between each such object and the
instance launch plan. For more information, see Relationships Between Object Plans.
{
  <Define the top-level attributes of your orchestration here. See Template for Top-Level Attributes of an Orchestration.>
  "oplans": [
    {
      "label": "My instances",
      "obj_type": "launchplan",
      "objects": [
        {
          "instances": [
            {
              "shape": "oc3",
              "boot_order": [1],
              "label": "vm-1",
              "networking": {
                "eth0": {
                  "seclists": ["/Compute-acme/[email protected]/wlsadmin_seclist"],
                  "nat": "ipreservation:/Compute-acme/[email protected]/ipres1"
                }
              },
              "sshkeys": ["/Compute-acme/[email protected]/key1"],
              "storage_attachments": [
                {
                  "index": 1,
                  "volume": "/Compute-acme/[email protected]/boot"
                }
              ]
            }
            <Define other instances here.>
          ]
        }
      ]
    }
    <Define other objects here. See Orchestration Templates for Each Object Type.>
  ]
  <Define other oplans here. See Orchestration Template for oplans.>
}

Template for Nested Orchestrations


Use this object type if you want to use an orchestration to start or stop multiple nested
orchestrations. For more information, see About Nested Orchestrations.
{
  <Define the top-level attributes of your orchestration here. See Template for Top-Level Attributes of an Orchestration.>
  "oplans": [
    {
      "label": "My orchestration",
      "obj_type": "orchestration",
      "objects": [
        {
          "name": "/Compute-acme/[email protected]/myInstances"
        },
        {
          "name": "/Compute-acme/[email protected]/myStorageVolumes"
        }
        <Add names of other nested orchestrations here.>
      ]
    }
    <Define other objects here. See Orchestration Templates for Each Object Type.>
  ]
  <Define other oplans here. See Orchestration Template for oplans.>
}

Orchestration Template for Security Applications


Use this object type to define security applications to use in security rules. For more
information, see About Security Applications.
To associate an IP reservation with an instance that’s defined in the same
orchestration, you must specify a relationship between the ip/reservation and the
launchplan object plans.
{
  <Define the top-level attributes of your orchestration here. See Template for Top-Level Attributes of an Orchestration.>
  "oplans": [
    {
      "label": "My security applications",
      "obj_type": "secapplication",
      "objects": [
        {
          "name": "/Compute-acme/[email protected]/wlsadmin_ssl",
          "dport": 7002,
          "protocol": "tcp"
        }
        <Define other security applications here.>
      ]
    }
    <Define other objects here. See Orchestration Templates for Each Object Type.>
  ]
  <Define other oplans here. See Orchestration Template for oplans.>
}

Orchestration Template for Security IP Lists


Use this object type to define a set of IP addresses that you want to use as a source in a
security rule. For more information, see About Security IP Lists.
To use this security IP list in a security rule that’s defined in the same orchestration,
you must specify a relationship between these objects.
{
  <Define the top-level attributes of your orchestration here. See Template for Top-Level Attributes of an Orchestration.>
  "oplans": [
    {
      "label": "admin-ip-list",
      "obj_type": "seciplist",
      "objects": [
        {
          "name": "/Compute-acme/[email protected]/admin_ips",
          "secipentries": ["203.0.113.0/30"]
        }
        <Define other security IP lists here.>
      ]
    }
    <Define other objects here. See Orchestration Templates for Each Object Type.>
  ]
  <Define other oplans here. See Orchestration Template for oplans.>
}

Orchestration Template for Security Lists


Use this object type to define security lists to group your instances. For more
information, see About Security Lists.
To use this security list in a security rule that’s defined in the same orchestration, you
must specify a relationship between these objects.
{
  <Define the top-level attributes of your orchestration here. See Template for Top-Level Attributes of an Orchestration.>
  "oplans": [
    {
      "label": "admin-seclists",
      "obj_type": "seclist",
      "objects": [
        {
          "name": "/Compute-acme/[email protected]/sysadmin_seclist"
        },
        {
          "name": "/Compute-acme/[email protected]/wlsadmin_seclist"
        }
        <Define other security lists here.>
      ]
    }
    <Define other objects here. See Orchestration Templates for Each Object Type.>
  ]
  <Define other oplans here. See Orchestration Template for oplans.>
}

Orchestration Template for Security Rules


Use this object type to define security rules that control access to your instances. For
more information, see About Security Rules.
If this security rule uses security applications, security lists, or security IP lists that are
defined in the same orchestration, then you must specify a relationship between these
objects.
{
  <Define the top-level attributes of your orchestration here. See Template for Top-Level Attributes of an Orchestration.>
  "oplans": [
    {
      "label": "My security rules",
      "obj_type": "secrule",
      "objects": [
        {
          "name": "/Compute-acme/[email protected]/admin_ssh_to_sysadmin_rule",
          "application": "/oracle/public/ssh",
          "src_list": "seciplist:/Compute-acme/[email protected]/admin_ips",
          "dst_list": "seclist:/Compute-acme/[email protected]/sysadmin_seclist",
          "action": "PERMIT"
        },
        {
          "name": "/Compute-acme/[email protected]/dbadmin_ssh_to_db_rule",
          "application": "/oracle/public/ssh",
          "src_list": "seclist:/Compute-acme/[email protected]/dbadmin_seclist",
          "dst_list": "seclist:/Compute-acme/[email protected]/db_seclist",
          "action": "PERMIT"
        }
        <Define other security rules here.>
      ]
    }
    <Define other objects here. See Orchestration Templates for Each Object Type.>
  ]
  <Define other oplans here. See Orchestration Template for oplans.>
}
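
The templates for instances, security IP lists, security lists, and security rules each require a relationship when a referenced object is defined in the same orchestration. The following Python check is an added example, not part of the Oracle documentation; it reports oplan pairs that refer to each other's objects without a direct depends entry. The sample orchestration and its /Compute-acme/admin names are constructed, and the direction (referring oplan as oplan, defining oplan as to_oplan) follows the master orchestration example earlier in this chapter.

```python
import json


def _bare(ref):
    """Drop a 'seclist:', 'seciplist:' or 'ipreservation:' style prefix from a reference."""
    head = ref.split("/", 1)[0]
    return ref.split(":", 1)[1] if head.endswith(":") else ref


def references(obj_type, obj):
    """Yield the object names that one secrule or launchplan object points at."""
    if obj_type == "secrule":
        for key in ("application", "src_list", "dst_list"):
            if key in obj:
                yield _bare(obj[key])
    elif obj_type == "launchplan":
        for inst in obj.get("instances", []):
            for nic in inst.get("networking", {}).values():
                yield from (_bare(s) for s in nic.get("seclists", []))
                if isinstance(nic.get("nat"), str):
                    yield _bare(nic["nat"])
            for att in inst.get("storage_attachments", []):
                if "volume" in att:
                    yield att["volume"]


def missing_relationships(orch):
    """Return sorted (oplan, to_oplan) label pairs that lack a direct 'depends' entry."""
    oplans = orch.get("oplans", [])
    defined = {}  # object name -> label of the oplan that creates it
    for oplan in oplans:
        if oplan.get("obj_type") == "orchestration":
            continue  # nested entries name other orchestrations; they create nothing here
        for obj in oplan.get("objects", []):
            if "name" in obj:
                defined[obj["name"]] = oplan.get("label")
    declared = {(r.get("oplan"), r.get("to_oplan"))
                for r in orch.get("relationships", []) if r.get("type") == "depends"}
    needed = set()
    for oplan in oplans:
        for obj in oplan.get("objects", []):
            for ref in references(oplan.get("obj_type"), obj):
                owner = defined.get(ref)
                # Objects created elsewhere (for example /oracle/public/ssh) need no entry.
                if owner is not None and owner != oplan.get("label"):
                    needed.add((oplan.get("label"), owner))
    return sorted(needed - declared)


def suggested_entries(orch):
    """Render the missing pairs in the form used by the relationships attribute."""
    return [{"oplan": a, "to_oplan": b, "type": "depends"}
            for a, b in missing_relationships(orch)]


# Constructed sample: two of the four required relationships are declared.
SAMPLE = json.loads("""
{
  "name": "/Compute-acme/admin/web_tier",
  "relationships": [
    {"oplan": "rules", "to_oplan": "admin-seclists", "type": "depends"},
    {"oplan": "instances", "to_oplan": "ips", "type": "depends"}
  ],
  "oplans": [
    {"label": "admin-ip-list", "obj_type": "seciplist", "objects": [
      {"name": "/Compute-acme/admin/admin_ips", "secipentries": ["203.0.113.0/30"]}]},
    {"label": "admin-seclists", "obj_type": "seclist", "objects": [
      {"name": "/Compute-acme/admin/sysadmin_seclist"}]},
    {"label": "ips", "obj_type": "ip/reservation", "objects": [
      {"name": "/Compute-acme/admin/ipres1", "parentpool": "/oracle/public/ippool",
       "permanent": true}]},
    {"label": "rules", "obj_type": "secrule", "objects": [
      {"name": "/Compute-acme/admin/admin_ssh_to_sysadmin_rule",
       "application": "/oracle/public/ssh",
       "src_list": "seciplist:/Compute-acme/admin/admin_ips",
       "dst_list": "seclist:/Compute-acme/admin/sysadmin_seclist",
       "action": "PERMIT"}]},
    {"label": "instances", "obj_type": "launchplan", "objects": [
      {"instances": [{"shape": "oc3", "label": "vm-1",
        "networking": {"eth0": {
          "seclists": ["/Compute-acme/admin/sysadmin_seclist"],
          "nat": "ipreservation:/Compute-acme/admin/ipres1"}},
        "storage_attachments": [{"index": 1, "volume": "/Compute-acme/admin/boot"}]}]}]}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(suggested_entries(SAMPLE), indent=2))
```

Only direct relationships are counted, so an oplan that reaches an object through an intermediate oplan is still reported.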

Orchestration Template for Storage Volumes


Use this object type to create storage volumes that you want to attach to your
instances. For more information, see About Storage Volumes.

Note:

Don’t define storage volumes and instances in the same orchestration. By
keeping storage volumes and instances in separate orchestrations, you can
stop and start the instances when required and yet preserve the attached
storage volumes. Note that the recommendation here is to define the storage
volumes outside the instance orchestration. To ensure that the storage volumes
remain attached after an instance is re-created, you must define the storage
attachments within the instance orchestration.

{
  <Define the top-level attributes of your orchestration here. See Template for Top-Level Attributes of an Orchestration.>
  "oplans": [
    {
      "label": "My storage volumes",
      "obj_type": "storage/volume",
      "objects": [
        {
          "name": "/Compute-acme/[email protected]/boot",
          "bootable": true,
          "imagelist": "/oracle/public/oel_6.6_20GB_x11_RD",
          "properties": ["/oracle/public/storage/default"],
          "size": "22548578304"
        },
        {
          "name": "/Compute-acme/[email protected]/data",
          "properties": ["/oracle/public/storage/latency"],
          "size": "32212254720"
        }
        <Define other storage volumes here.>
      ]
    }
    <Define other objects here. See Orchestration Templates for Each Object Type.>
  ]
  <Define other oplans here. See Orchestration Template for oplans.>
}

Workflow for Creating Instances Using Orchestrations


An orchestration defines the attributes and interdependencies of a collection of
compute, networking, and storage resources in Oracle Compute Cloud Service. You
can use orchestrations to automate the provisioning and lifecycle operations of an
entire virtual compute topology.

To use an orchestration to create and manage compute, networking, or storage
resources:

1. Build your orchestration.

An orchestration is defined in a JavaScript Object Notation (JSON) file that contains
the attributes of the Oracle Compute Cloud Service objects that you want to create.
See Building Your First Orchestration.

2. Upload the orchestration to Oracle Compute Cloud Service. See Uploading an
Orchestration.

3. To create the objects defined in the orchestration, start the orchestration. See
Starting an Orchestration.

4. To delete the objects defined in the orchestration, stop the orchestration. See
Stopping an Orchestration.

Building Your First Orchestration


Topics

• Before You Begin

• Sample Orchestration for Creating a Single Instance

• Steps for Building Your First Orchestration

Before You Begin


Before building your orchestration JSON file, do the following:

• Read Best Practices for Using Oracle Compute Cloud Service.

• Create the security, storage, and networking resources that you plan to reference in
your orchestration.
These tasks require the Compute_Operations role. If this role isn’t assigned to
you or you’re not sure, then ask your system administrator to ensure that the role is
assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

– If you want to create a Linux instance with SSH access enabled, upload your
SSH public keys to Oracle Compute Cloud Service. See Adding an SSH Public
Key.

Note:

You don’t need to do this if you’re creating a Windows instance, because you
can’t log in to a Windows instance using SSH.

– If you want your instances to boot from a persistent storage disk, create
bootable storage volumes. See Creating a Bootable Storage Volume.

– Create storage volumes for the data and applications that you plan to deploy on
your instances. See Creating a Storage Volume. When you create the storage
volumes, don’t attach them to any existing instance. You’ll specify the storage
volumes later in the orchestration.

– If you want your instances to have fixed public IP addresses, then create the
required IP reservation. See Reserving a Public IP Address.

– Create the required security lists. See Creating a Security List.

Sample Orchestration for Creating a Single Instance


You can use the following sample orchestration as a starting point for building your
first orchestration.
{
  "description": "Simple oplan with an ssh key and a security list",
  "name": "/Compute-acme/[email protected]/simple_orchestration",
  "oplans": [
    {
      "label": "simple_oplan",
      "obj_type": "launchplan",
      "objects": [
        {
          "instances": [
            {
              "imagelist": "/oracle/public/ol_6.6_20GB",
              "label": "OL_6.6_20GB",
              "networking": {
                "eth0": {
                  "seclists": [
                    "/Compute-acme/[email protected]/my_instances"
                  ],
                  "nat": "ipreservation:/Compute-acme/[email protected]/ip1"
                }
              },
              "shape": "oc3",
              "storage_attachments": [
                {
                  "index": 1,
                  "volume": "/Compute-acme/[email protected]/OL66_boot"
                },
                {
                  "index": 2,
                  "volume": "/Compute-acme/[email protected]/data1"
                }
              ],
              "boot_order": [1],
              "sshkeys": [
                "/Compute-acme/[email protected]/ssh-key1"
              ]
            }
          ]
        }
      ]
    }
  ]
}

This sample orchestration does the following:

• Defines an instance with the label OL_6.6_20GB, the oc3 shape, and using the
/oracle/public/ol_6.6_20GB image.

• Adds the instance to the security list
/Compute-acme/[email protected]/my_instances.

• Associates the IP reservation /Compute-acme/[email protected]/ip1 with the
instance.

• Attaches the bootable storage volume /Compute-acme/[email protected]/OL66_boot
to the instance.

• Attaches the data storage volume /Compute-acme/[email protected]/data1 to the
instance.

• Associates the SSH public key /Compute-acme/[email protected]/ssh-key1 with the
instance.

Note:

To learn about the structure of an orchestration, see Orchestration Templates.
For information about all the attributes that you can define in an orchestration,
see Attributes in Orchestrations.

Steps for Building Your First Orchestration

1. Copy the sample orchestration to a plain text file, and open the file in any text
editor.

2. Replace the name of the orchestration with an appropriate three-part name
(/Compute-identity_domain/user/object).

3. Change the value of the imagelist attribute to any image that you want to use.

4. Under instances, change the value of the label attribute to any label that you
want.

5. Replace the security list /Compute-acme/[email protected]/my_instances with a
security list that you’ve already created.

If you want to attach the instance to more security lists, remember to enclose each
security-list name in double quotation marks and separate the security-list names
by using commas. See the following example:

"seclists": [
  "/Compute-acme/[email protected]/my_instances",
  "/Compute-acme/[email protected]/dev_instances",
  "/Compute-acme/[email protected]/prod_instances"
]

6. Replace the IP reservation /Compute-acme/[email protected]/ip1 with an IP
reservation that you’ve already created.

7. Replace the oc3 shape with the shape that you want to use.

8. Replace the storage volume /Compute-acme/[email protected]/OL66_boot with the
bootable storage volume that your instance should boot from.

9. Replace the storage volume /Compute-acme/[email protected]/data1 with a
storage volume that you want to attach to the instance.

If you don’t want to attach any storage volume, then remove the following section
(and the comma preceding it) from the orchestration.

{
  "index": 2,
  "volume": "/Compute-acme/[email protected]/data1"
}

If you want to attach more storage volumes, then specify the index for the storage
attachment and the name of the storage volume as follows. Separate the storage
volume definitions using commas. See the following example:

{
  "index": 2,
  "volume": "/Compute-acme/[email protected]/admin/data1"
},
{
  "index": 3,
  "volume": "/Compute-acme/[email protected]/data2"
}

10. If you’re creating a Linux instance enabled for SSH access, replace the SSH key
/Compute-acme/[email protected]/ssh-key1 with a key that
you’ve created and added to Oracle Compute Cloud Service.

If you want to add more SSH keys, then enclose each key in double quotation
marks and separate the keys by using commas. See the following example:

"sshkeys": [
  "/Compute-acme/[email protected]/ssh-key1",
  "/Compute-acme/[email protected]/ssh-key2",
  "/Compute-acme/[email protected]/ssh-key3"
]

Note:
You don’t need to do this if you’re creating a Windows instance, because you
can’t log in to a Windows instance using SSH. To log in to your Windows
instance using RDP, see Accessing a Windows Instance Using RDP.

11. Save the orchestration file.

You should also validate your JSON file. You can do this by using a third-party
tool, such as JSONLint, or any other validation tool of your choice. If your JSON
format isn’t valid, then an error message is displayed when you upload the
orchestration.

Note:

Oracle doesn’t support or endorse any third-party JSON-validation tool.

Your orchestration file is now ready.


To create instances by using this orchestration, you must upload it to Oracle Compute
Cloud Service. See Uploading an Orchestration.

Attributes in Orchestrations
You specify attributes in orchestrations at several levels. At the highest level, you
specify certain attributes for the orchestration as a whole. Then, you specify attributes
for each object plan defined in the orchestration. Finally, there are attributes that are
specific to each object type.

• Top-level attributes
Top-level attributes contain the name and description of an orchestration, along
with other information such as the relationship between objects defined in the
orchestration, start and stop times for the orchestration, and the list of objects in the
orchestration. See Top-Level Orchestration Attributes. For a template of top-level
orchestration attributes, see Template for Top-Level Attributes of an Orchestration.

• Object plan attributes
An object plan, or oplan, is a top-level orchestration attribute. Within an object
plan, you can specify various object types and define one or more objects for each
object type. Object plan attributes define the characteristics of each oplan, including
its label, object type and list of objects, and the HA policy, if applicable. See Object
Plan Attributes. For an oplan template, see Orchestration Template for oplans.

• Attributes specific to each object type
These are the characteristics specific to each object type. See Orchestration
Attributes Specific to Each Object Type. The attributes that you can specify for each
object type in an orchestration are the same as the parameters that you can specify
with the POST method for that resource using the API.
For orchestration templates that you can use to create individual objects, see
Orchestration Templates for Each Object Type.

Top-Level Orchestration Attributes


Top-level attributes contain the name and description of an orchestration, along with
other information such as the relationship between objects defined in the
orchestration, start and stop times for the orchestration, and the list of objects in the
orchestration.
Attributes for objects defined in an orchestration vary according to the object type. For
a list of object-specific attributes, see Orchestration Attributes Specific to Each Object
Type.
The following sample JSON shows the required top-level orchestration attributes,
name and oplans. A description of each of the required and optional top-level
attributes is provided in the table below.

Parameter | Required or Optional | Description
name | required | The three-part name of the orchestration (/Compute-identity_domain/user/object_name).
description | optional | Text string describing the orchestration.
relationships | optional | The relationship between the objects that are created by this orchestration. The only supported relationship type for orchestrations is depends. The depends relationship type specifies that one object must be instantiated first. For example, you could define a storage volume in one oplan and attach that storage volume to an instance in another oplan. The second oplan would then depend on the first.
schedule | optional | The start and stop dates and times, in ISO 8601 format. You must specify the time zone as UTC.
  • start_time: (Optional) Date and time when you want the orchestration to start. For example, to start an orchestration at noon on 6/21/2015, UTC, enter the start time as 2015-06-21T12:00:00Z. Here Z denotes UTC. If you enter a start time that is earlier than the time you upload the orchestration, then the orchestration starts immediately.
  • stop_time: (Optional) Date and time when you want the orchestration to stop. For example, to stop an orchestration at 11:59 p.m. on 12/31/2015, enter the stop time as 2015-12-31T23:59:59Z. Here Z denotes UTC. The stop time must be at least 120 seconds after the start time.
oplans | required | The list of object plans (oplans) in the orchestration. An oplan is the primary building block of an orchestration. Each oplan contains all the attributes for the object type defined in it. An orchestration can contain up to 10 object plans.

Object Plan Attributes


An object plan, or oplan, is a top-level orchestration attribute. Within an object plan,
you can specify various object types and define one or more objects for each object type.
You must provide a label for each oplan. You can also specify a High Availability
policy, if applicable.
The following sample JSON shows the required attributes of an object plan. A
description of each of the required and optional attributes is provided in the table
below.

Parameter | Required or Optional | Description
label | required | Text string describing the object plan. Maximum length: 256 characters.
obj_type | required | The type of object that you want to create. Specify one of the following object types.
  • ip/reservation
  • launchplan
  • orchestration
  • storage/volume
  • secapplication
  • seciplist
  • seclist
  • secrule
  For a brief description of each object type, see Object Types in an Orchestration. Each object type has a specific set of attributes. See Orchestration Attributes Specific to Each Object Type.
objects | required | The list of objects, depending on the type of object that you’re creating, as defined in the obj_type attribute. See Orchestration Attributes Specific to Each Object Type.
ha_policy | optional | The high availability policy: active or monitor. You can specify either active or monitor for instances, and monitor for storage volumes or orchestrations. You can’t specify a high availability policy for other objects. Attempting to do so results in an error. If you don’t specify a high availability policy for instances, storage volumes, or orchestrations, no high availability policy is applied. That is, by default, ha_policy is set to none. See About High-Availability Policies in an Orchestration.
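
The limits stated in this chapter (up to 10 object plans, the label length, the allowed obj_type values, which ha_policy values apply to which object types, the depends relationship type, and the 120-second schedule rule) can be checked before upload, in addition to plain JSON syntax validation. The following Python linter is an added example, not an Oracle tool; the sample orchestration is constructed, and requiring that relationship entries name oplan labels is an assumption based on the examples in this chapter.

```python
import json
from datetime import datetime

OBJ_TYPES = {"ip/reservation", "launchplan", "orchestration", "storage/volume",
             "secapplication", "seciplist", "seclist", "secrule"}
# ha_policy values the documentation allows per object type; anything else is an error.
HA_ALLOWED = {
    "launchplan": {"active", "monitor"},
    "storage/volume": {"monitor"},
    "orchestration": {"monitor"},
}


def _utc(ts):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ'; return None when the value is not in that form."""
    try:
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        return None


def lint_orchestration(orch):
    """Return a list of findings for a parsed orchestration; empty means none found."""
    findings = []
    parts = str(orch.get("name", "")).split("/")
    # "/Compute-acme/user/object" splits into ["", "Compute-acme", "user", "object"].
    if len(parts) != 4 or parts[0] or not parts[1].startswith("Compute-") or not all(parts[1:]):
        findings.append("name: expected /Compute-identity_domain/user/object")

    oplans = orch.get("oplans")
    if not isinstance(oplans, list):
        findings.append("oplans: required attribute is missing")
        oplans = []
    if len(oplans) > 10:
        findings.append(f"oplans: {len(oplans)} object plans, the limit is 10")

    labels = set()
    for i, oplan in enumerate(oplans):
        label = oplan.get("label")
        obj_type = oplan.get("obj_type") if isinstance(oplan.get("obj_type"), str) else ""
        where = f"oplans[{i}] ({label!r})"
        if not isinstance(label, str) or not label:
            findings.append(f"{where}: label is required")
        elif len(label) > 256:
            findings.append(f"{where}: label exceeds 256 characters")
        else:
            labels.add(label)
        if obj_type not in OBJ_TYPES:
            findings.append(f"{where}: unknown obj_type {oplan.get('obj_type')!r}")
        if not isinstance(oplan.get("objects"), list):
            findings.append(f"{where}: objects is required")
        policy = oplan.get("ha_policy")
        if policy is not None and policy not in HA_ALLOWED.get(obj_type, set()):
            findings.append(
                f"{where}: ha_policy {policy!r} is not allowed for obj_type {obj_type!r}")

    for j, rel in enumerate(orch.get("relationships") or []):
        if rel.get("type") != "depends":
            findings.append(f"relationships[{j}]: type must be 'depends'")
        for key in ("oplan", "to_oplan"):
            if rel.get(key) not in labels:
                findings.append(f"relationships[{j}]: {key} {rel.get(key)!r} is not an oplan label")

    schedule = orch.get("schedule") or {}
    times = {}
    for key in ("start_time", "stop_time"):
        if key in schedule:
            times[key] = _utc(schedule[key])
            if times[key] is None:
                findings.append(f"schedule.{key}: not ISO 8601 UTC (YYYY-MM-DDTHH:MM:SSZ)")
    start, stop = times.get("start_time"), times.get("stop_time")
    if start and stop and (stop - start).total_seconds() < 120:
        findings.append("schedule: stop_time must be at least 120 seconds after start_time")
    return findings


# Constructed sample with four deliberate mistakes.
SAMPLE = json.loads("""
{
  "name": "/Compute-acme/admin/lint_demo",
  "schedule": {"start_time": "2015-06-21T12:00:00Z", "stop_time": "2015-06-21T12:01:00Z"},
  "relationships": [
    {"oplan": "instances", "to_oplan": "volumes", "type": "depends"},
    {"oplan": "instances", "to_oplan": "network", "type": "depends"}
  ],
  "oplans": [
    {"label": "volumes", "obj_type": "storage/volume", "ha_policy": "active", "objects": []},
    {"label": "instances", "obj_type": "launchplan", "ha_policy": "active", "objects": []},
    {"label": "rules", "obj_type": "secrule", "ha_policy": "monitor", "objects": []}
  ]
}
""")

if __name__ == "__main__":
    for finding in lint_orchestration(SAMPLE):
        print(finding)
```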

Orchestration Attributes Specific to Each Object Type


You can specify various object types in an orchestration, including launch plans,
networking objects such as security lists and security rules, storage volumes, and even
other orchestrations. The attributes for each object vary depending on the object type.
The following sections describe the attributes for each object type that you can create
using an orchestration. Each set of attributes corresponds to an object under the
specified obj_type in the orchestration file.

Note:

An instance is not in itself an object type. It is an attribute of the launchplan
object type.

• Object Type: IP Reservation

• Object Type: Launch Plan

– Instance Attributes

• Object Type: Orchestration

• Object Type: Security Application

• Object Type: Security IP List

• Object Type: Security List

• Object Type: Security Rule

• Object Type: Storage Volume


All objects in an orchestration are contained within an object plan. For information
about object plan attributes, see Object Plan Attributes. For information about defining
the name and other characteristics of an orchestration, see Top-Level Orchestration
Attributes.

Object Type: IP Reservation


The following sample JSON shows the required attributes of the ip/reservation
object type. A description of each of the required and optional attributes of this object
type is provided in the table below.

Parameter | Required or Optional | Description
parentpool | required | Specify /oracle/public/ippool
permanent | required | Set to True
account | optional | Specify /Compute-identity_domain/default
name | optional | The three-part name of the object (/Compute-identity_domain/user/object). If you don’t specify a name for this object, then the name is generated automatically. Object names can contain only alphanumeric characters, hyphens, underscores, and periods. Object names are case-sensitive.

Object Type: Launch Plan


Launch plan objects are used to define instances. The following sample JSON shows
the required attributes of the launchplan object type. A description of each of the
required and optional attributes of this object type is provided in the table below.

Parameter | Required or Optional | Description
instances | required | A list of instances. For instance attributes, see Instance Attributes.
relationships | optional | The relationships between instances. Valid values:
  • same_node: The specified instances are created on the same physical server. This is useful if you want to ensure low latency across instances.
  • different_node: The specified instances aren’t created on the same physical server. This is useful if you want to isolate instances for security or redundancy.

Instance Attributes
Instances are an attribute of the launchplan object type. Instances have a number of
required and optional attributes. The following sample JSON shows some of the key
instance attributes. A description of each of the required and optional instance
attributes is provided in the table below.

4-24 Using Oracle Compute Cloud Service (IaaS)


Attributes in Orchestrations

Parameter Required or Description


Optional

shape required The name of the shape that defines the number of CPUs and
the RAM that you require for the instance.

Managing Orchestrations 4-25


Attributes in Orchestrations

Parameter Required or Description


Optional

name optional The three-part name of the instance (/Compute-identity_domain/user/name).
If you specify this parameter, then the full name of the
instance would be in the format /Compute-identity_domain/user/name_you_specify/id.
If you don’t specify this parameter, then the full name
would be in the format /Compute-identity_domain/user/id.
In either case, id is an autogenerated ID.
Examples of Instance Names:
• When you specify /Compute-acme/jack/vm1 as the
value of the name parameter:
/Compute-acme/jack/vm1/300a7479-ec90-4826-98b9-a725662628f1
• When you don’t specify the name parameter:
/Compute-acme/jack/38ef677e-9e13-41a7-a40c-2d99afce1714

label optional A text string to identify the instance.
This label is used when defining relationships between
elements. It’s also used to refer to the instance on a few
pages of the web console. So enter a label that’s meaningful.

tags optional A JSON array or list of strings used to tag the instance.
By assigning a human-friendly tag to an instance, you can
identify the instance easily when you perform an instance
listing. These tags aren’t available from within the instance.


attributes optional A JSON object or dictionary of user-defined attributes to be
made available to the instance.
If you’re creating a Windows instance, you must specify the
following required attributes:

{
  "enable_rdp": true,
  "administrator_password": "Specify_password_here"
}

For more information about specifying user-defined
attributes that can be used to automate instance
configuration, see Automating Instance Configuration
Using opc-init.

Note:
Solaris machine images don’t include the opc-init scripts. So
you can’t use opc-init to automate instance configuration
of Solaris instances.

The attributes that you specify can be accessed from within
the instance at http://192.0.0.192/latest/attributes.
For more information about retrieving user-defined
attributes, see Retrieving User-Defined Instance
Attributes.

imagelist optional The three-part name (oracle/public/imagelist_name)
of the image list containing the image to
be used (example: /oracle/public/oel_6.4_60GB).
You must use this attribute if you don’t specify a bootable
storage volume by using the boot_order attribute. If you
specify the imagelist attribute as well as the
boot_order attribute, then the imagelist attribute is
ignored.


storage_attachments optional If you specify the storage_attachments parameter, then
specify the following subparameters for each attachment:
• volume: The three-part name
(/Compute-identity_domain/user/object_name) of the
storage volume that you want to attach to the instance.
Note that volumes attached to an instance at launch time
can't be detached.
• index: The index number for the volume.
The allowed range is 1 to 10. The index determines the
device name by which the volume is exposed to the
instance. Index 0 is allocated to the temporary boot
disk, /dev/xvda. An attachment with index 1 is
exposed to the instance as /dev/xvdb, an attachment
with index 2 is exposed as /dev/xvdc, and so on.

boot_order Specifies the bootable storage volume that should be used to
boot the instance.
Enter the index number of a bootable storage volume
specified in the storage_attachments attribute.
Use the boot_order attribute only when you’ve specified
a bootable storage volume in the volume sub-parameter of
storage_attachments.
When you specify boot_order, you don’t need to specify
the imagelist attribute, because the instance is booted
using the image on the specified bootable storage volume. If
you specify both boot_order and imagelist, the
imagelist attribute is ignored.

hostname optional The host name assigned to the instance.
Only relative DNS is supported. The domain name is
suffixed to the host name that you specify. The host name
must not end with a period. If you don’t specify a host
name, then a name is generated automatically. The DNS
name of an instance depends on its host name, as follows:
• If no DNS name is specified in the networking
attribute, then the DNS name is set to the host name,
and a reverse DNS record (PTR) is created for the host
name.
• If the DNS name specified in the networking attribute
matches the host name, then that record also creates a
reverse DNS record for the host name.
• If the dns attribute under networking is set to an
empty list ([]), then no DNS records are created even if
a host name is specified. The instance still receives its
host name through DHCP, and can perform a reverse
lookup of its host name. However, no other instance can
perform this reverse lookup.


reverse_dns optional If set to true (default), then reverse DNS records are
created.
If set to false, no reverse DNS records are created.

networking optional This parameter can contain any or all of the following sub-
parameters:
• seclists: The security lists that you want to add the
instance to.
For each security list, specify the three-part name in
the /Compute-identity_domain/user/object_name format.
You can attach an instance to a
maximum of five security lists. If you launch an instance
without specifying any security list, the instance is
assigned to the /Compute-identity_domain/default/default
security list.
• nat: Indicates whether a temporary or permanent
public IP address should be assigned to the instance.
– To associate a temporary IP address with the
instance for use during the lifetime of the instance,
specify ippool:/oracle/public/ippool.
– To associate a persistent IP address, specify
ipreservation:ipreservation_name, where
ipreservation_name is the three-part name of an
existing IP reservation in the
/Compute-identity_domain/user/object_name format.
If nat is not specified, then no public IP address is
associated with your instance when it is created. If
required, you can associate an IP address with the
instance after the instance has been created.
• dns: DNS name for this instance.
This name is relative to the internal DNS domain.
• model: The type of network interface card (NIC). The
only allowed value is e1000.


sshkeys optional A list of the SSH public keys that you want to associate with
the instance.

Note:
You don’t need to provide any
SSH public keys if you’re
creating a Windows instance,
because you can’t access a
Windows instance using SSH.
To access a Windows instance,
see Accessing a Windows
Instance Using RDP.

For each key, specify the three-part name in the
/Compute-identity_domain/user/object_name format.
You can associate the same key with multiple instances.
The keys that you specify are stored as metadata on the
instance. This metadata can be accessed from within the
instance at http://192.0.0.192/{version}/meta-data/public-keys/{index}/openssh-key.
• Oracle-provided Oracle Linux and Oracle Solaris images
include a script that runs automatically when the
instance starts, retrieves the keys, and adds them to the
authorized_keys file of the opc user.
• In images that you build, you can write and include a
script that runs automatically when the instance starts,
retrieves the SSH public keys, and adds the keys to the
authorized_keys file of the appropriate users.
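
For an image that you build, the start-up script described in the sshkeys row could look like the following Python program. It is an added example, not Oracle's script: the function names are hypothetical, and it assumes that latest is accepted as the {version} value, that key indexes start at 0 and are contiguous, and that the target account is opc.

```python
#!/usr/bin/env python3
"""Boot-time helper: copy SSH public keys from instance metadata to authorized_keys."""
import base64
import binascii
import os
import struct
import tempfile
import urllib.request

# URL layout from the sshkeys description; using "latest" as {version} is an assumption.
KEY_URL = "http://192.0.0.192/{version}/meta-data/public-keys/{index}/openssh-key"
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_public_key(text):
    """Return (key_type, base64_blob) for one well-formed OpenSSH public key, else None."""
    text = text.strip()
    if "\n" in text or "\r" in text:
        return None  # one key per metadata entry; refuse extra smuggled lines
    fields = text.split()
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        return None  # also rejects entries that begin with options such as command="..."
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != fields[0].encode("ascii"):
        return None  # the type named inside the blob must match the declared type
    return fields[0], fields[1]


def merge_authorized_keys(existing, fetched):
    """Append valid keys not already present; return (new_text, added, rejected)."""
    present = set()
    for line in existing.splitlines():
        fields = line.split()
        for key_type, blob in zip(fields, fields[1:]):
            if key_type in ALLOWED_TYPES:
                present.add(blob)
    out = existing if not existing or existing.endswith("\n") else existing + "\n"
    added = rejected = 0
    for entry in fetched:
        parsed = parse_public_key(entry)
        if parsed is None:
            rejected += 1
        elif parsed[1] not in present:
            present.add(parsed[1])
            # Drop the supplied comment field; write a fixed one instead.
            out += "%s %s from-instance-metadata\n" % parsed
            added += 1
    return out, added, rejected


def fetch_keys(version="latest", max_keys=32, timeout=5):
    """Read public-keys/0, /1, ... until the metadata service stops answering."""
    entries = []
    for index in range(max_keys):  # assumption: indexes start at 0 with no gaps
        url = KEY_URL.format(version=version, index=index)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as response:
                entries.append(response.read(16384).decode("ascii", "replace"))
        except OSError:  # URLError and HTTPError are OSError subclasses
            break
    return entries


def install(path, text, uid, gid):
    """Replace the file atomically with owner-only access (0700 directory, 0600 file)."""
    ssh_dir = os.path.dirname(path)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chown(ssh_dir, uid, gid)
    fd, tmp = tempfile.mkstemp(dir=ssh_dir)  # mkstemp creates the file with mode 0600
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chown(tmp, uid, gid)
    os.replace(tmp, path)


def sample_key(comment="jack@laptop"):
    """Constructed ed25519-shaped key (all-zero key bytes) for demonstrations and tests."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


if __name__ == "__main__":
    import pwd
    account = pwd.getpwnam("opc")  # the user that Oracle-provided images configure
    target = os.path.join(account.pw_dir, ".ssh", "authorized_keys")
    current = open(target).read() if os.path.exists(target) else ""
    text, added, rejected = merge_authorized_keys(current, fetch_keys())
    install(target, text, account.pw_uid, account.pw_gid)
    print("added %d key(s), rejected %d" % (added, rejected))
```

Run it as root from the image's boot sequence; entries that carry authorized_keys options or a mismatched key type are counted as rejected and never written.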

Object Type: Orchestration


The orchestration object type is used in nested orchestrations, when you want to
launch one or more orchestrations from within an orchestration. See About Nested
Orchestrations. The orchestration object type has only a single attribute, name.
The following sample JSON shows this attribute and the table below provides a
description of this attribute.


Parameter    Required or Optional    Description

name required The three-part name of the orchestration
(/Compute-identity_domain/user/object_name).

Object Type: Security Application


The following sample JSON shows the required attributes of the secapplication
object type. A description of each of the required and optional attributes of this object
type is provided in the table below.


Parameter    Required or Optional    Description

name required The three-part name of the object
(/Compute-identity_domain/user/object).
Object names can contain only alphanumeric characters,
hyphens, underscores, and periods. Object names are case-
sensitive.

protocol required The protocol to use.
The value that you specify can be either a text
representation of a protocol or any unsigned 8-bit assigned
protocol number in the range 0–254. See Assigned Internet
Protocol Numbers
(http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
For example, you can specify either tcp or the number 6.
The following text representations are allowed: tcp, udp,
icmp, igmp, ipip, rdp, esp, ah, gre, icmpv6, ospf, pim,
sctp, mplsip, all.
To specify all protocols, set this to all.

dport optional The TCP or UDP destination port number.
You can also specify a port range, such as 5900-5999 for
TCP.
If you specify tcp or udp as the protocol, then the dport
parameter is required; otherwise, it is optional.
This parameter isn’t relevant to the icmp protocol.
Note: This request fails if the range-end is lower than the
range-start, for example, if you specify the port range as
5000–4000.

icmptype optional The ICMP type.
This parameter is relevant only if you specify icmp as the
protocol. You can specify one of the following values:
echo
reply
ttl
traceroute
unreachable
If you specify icmp as the protocol and don't specify
icmptype or icmpcode, then all ICMP packets are
matched.


icmpcode optional The ICMP code.
This parameter is relevant only if you specify icmp as the
protocol. You can specify one of the following values:
network
host
protocol
port
df
admin
If you specify icmp as the protocol and don't specify
icmptype or icmpcode, then all ICMP packets are
matched.

description optional A description of the security application.

Object Type: Security IP List


The following sample JSON shows the required attributes of the seciplist object
type. A description of each of the required and optional attributes of this object type is
provided in the table below.

Parameter    Required or Optional    Description

name required The three-part name of the object
(/Compute-identity_domain/user/object).
Object names can contain only alphanumeric
characters, hyphens, underscores, and periods. Object
names are case-sensitive.


secipentries required A comma-separated list of the subnets (in CIDR
format) or IPv4 addresses for which you want to create
this security IP list.
For example, to create a security IP list containing the
IP addresses 203.0.113.1 and 203.0.113.2, enter one of
the following:
"203.0.113.0/30"
"203.0.113.1", "203.0.113.2"

description optional A description of the security IP list.

Object Type: Security List


The following sample JSON shows the required attributes of the seclist object type.
A description of each of the required and optional attributes of this object type is
provided in the table below.

Parameter    Required or Optional    Description

name required The three-part name of the object
(/Compute-identity_domain/user/object).
Object names can contain only alphanumeric characters,
hyphens, underscores, and periods. Object names are case-
sensitive.


policy optional The policy for inbound traffic to the security list. You can
specify one of the following values:
• deny (default): Packets are dropped. No response is
sent.
• reject: Packets are dropped, but a response is sent.
• permit: Packets are allowed. This policy effectively
turns off the firewall for all instances in this security list.

outbound_cidr_policy optional The policy for outbound traffic from the security list. You
can specify one of the following values:
• deny: Packets are dropped. No response is sent.
• reject: Packets are dropped, but a response is sent.
• permit (default): Packets are allowed.

description optional A description of the security list.

Object Type: Security Rule


The following sample JSON shows the required attributes of the secrule object type.
A description of each of the required and optional attributes of this object type is
provided in the table below.


Parameter    Required or Optional    Description

name required The three-part name of the object
(/Compute-identity_domain/user/object).
Object names can contain only alphanumeric
characters, hyphens, underscores, and periods. Object
names are case-sensitive.

src_list required The three-part name
(/Compute-identity_domain/user/object_name) of the
source security list or security IP list.
You must use the prefix seclist: or seciplist: to
identify the list type.

dst_list required The three-part name
(/Compute-identity_domain/user/object_name) of the
destination security list or security IP list.
You must use the prefix seclist: or seciplist: to
identify the list type.
Note: You can specify a security IP list as the
destination in a secrule, provided src_list is a
security list that has DENY as its outbound policy.

application required The three-part name of the security application:
(/Compute-identity_domain/user/object_name)
for user-defined security applications and
/oracle/public/object_name for predefined security
applications.

action required Set this parameter to PERMIT.

description optional A description of the security rule.

disabled optional Indicates whether the security rule is enabled (set to
True) or disabled (False). The default setting is
False.

Object Type: Storage Volume


The following sample JSON shows the key attributes of the storage/volume object
type. A description of each of the required and optional attributes of this object type is
provided in the table below.


Parameter    Required or Optional    Description

name required The three-part name of the object
(/Compute-identity_domain/user/object).
Object names can contain only alphanumeric
characters, hyphens, underscores, and periods. Object
names are case-sensitive.

size required The size of this storage volume. Use one of the
following abbreviations for the unit of measurement:
• B or b for bytes
• K or k for kilobytes
• M or m for megabytes
• G or g for gigabytes
• T or t for terabytes
For example, to create a volume of size 10 gigabytes,
you can specify 10G, or 10240M, or 10485760K, and
so on.
The allowed range is from 1 GB to 2 TB, in increments
of 1 GB.

properties required The storage-pool property.
For storage volumes that require low latency and high
IOPS, such as for storing database files, specify
/oracle/public/storage/latency.
For all other storage volumes, specify
/oracle/public/storage/default.


description optional The description of the storage volume.

bootable optional A boolean field that indicates whether the storage
volume can be used as the boot disk for an instance.
The default value is False.
If you set the value to True, then you must specify
values for the following parameters:
• imagelist
The machine image that you want to extract on to
the storage volume that you’re creating.
• imagelist_entry
(Optional) The version of the image list entry that
you want to extract. The default value is 1.

tags optional Strings that you can use to tag the storage volume.

Uploading an Orchestration
To use an orchestration to control the provisioning and life cycle of resources in Oracle
Compute Cloud Service, you must define the orchestration in a JSON-format file and
then upload the orchestration to Oracle Compute Cloud Service.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• You must have already created the orchestration file that you want to upload. See
Building Your First Orchestration.
You should also validate your JSON file. You can do this by using a third-party
tool, such as JSONLint, or any other validation tool of your choice. If your JSON
isn’t valid, then an error occurs when you upload the orchestration. Oracle doesn’t
support or endorse any third-party JSON-validation tool.
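
Beyond JSON syntax, the attribute rules in the security application, security IP list, security list, and security rule tables can be checked before you upload. The following Python linter is an added example, not an Oracle tool: its function names are hypothetical, and it assumes that objects sit under an oplans / obj_type / objects wrapper in the orchestration file.

```python
import ipaddress
import json
import re

# Three-part name; the object part allows alphanumerics, hyphens, underscores, periods.
NAME_RE = re.compile(r"^/[^/]+/[^/]+/[A-Za-z0-9._-]+$")
PROTOCOLS = {"tcp", "udp", "icmp", "igmp", "ipip", "rdp", "esp", "ah", "gre",
             "icmpv6", "ospf", "pim", "sctp", "mplsip", "all"}


def check_secapplication(obj):
    out = []
    proto = str(obj.get("protocol", ""))
    numeric = re.fullmatch(r"\d{1,3}", proto) and int(proto) <= 254
    if proto not in PROTOCOLS and not numeric:
        out.append("ERROR protocol %r is not an allowed name or 0-254" % proto)
    dport = str(obj.get("dport", ""))
    if proto in ("tcp", "udp") and not dport:
        out.append("ERROR dport is required for tcp and udp")
    ends = dport.split("-") if dport else []
    if len(ends) > 2 or any(not re.fullmatch(r"\d{1,5}", e) for e in ends):
        out.append("ERROR dport %r is not a port or a port range" % dport)
    elif len(ends) == 2 and int(ends[1]) < int(ends[0]):
        out.append("ERROR dport range-end is lower than range-start: %s" % dport)
    return out


def check_seciplist(obj):
    out = []
    for entry in obj.get("secipentries", []):
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            out.append("ERROR %r is not an IPv4 address or CIDR subnet" % entry)
            continue
        if net.num_addresses > 1:  # a subnet entry admits every address inside it
            out.append(f"INFO {entry} covers {net.num_addresses} addresses, {net[0]} to {net[-1]}")
    return out


def check_seclist(obj):
    permit = str(obj.get("policy", "deny")).lower() == "permit"
    return ["WARN inbound policy permit turns off the firewall for this list"] if permit else []


def check_secrule(obj, outbound):
    """outbound maps each seclist defined in this file to its outbound_cidr_policy."""
    out, kinds = [], {}
    for key in ("src_list", "dst_list"):
        kinds[key], _, name = str(obj.get(key, "")).partition(":")
        if kinds[key] not in ("seclist", "seciplist") or not NAME_RE.match(name):
            out.append("ERROR %s needs a seclist: or seciplist: prefix" % key)
    if kinds["dst_list"] == "seciplist":
        src = str(obj.get("src_list", "")).partition(":")[2]
        # A source list defined outside this file is unknown here and is not flagged.
        if kinds["src_list"] != "seclist" or outbound.get(src, "deny").lower() != "deny":
            out.append("ERROR seciplist destination needs a source seclist "
                       "with outbound policy deny")
    if obj.get("action") != "PERMIT":
        out.append("ERROR action must be PERMIT")
    return out


CHECKS = {"secapplication": check_secapplication,
          "seciplist": check_seciplist, "seclist": check_seclist}


def lint(orchestration):
    """Return findings for the security objects in an orchestration's object plans."""
    plans = [(plan.get("obj_type"), obj) for plan in orchestration.get("oplans", [])
             for obj in plan.get("objects", [])]
    outbound = {obj.get("name"): str(obj.get("outbound_cidr_policy", "permit"))
                for kind, obj in plans if kind == "seclist"}
    findings = []
    for kind, obj in plans:
        if kind != "secrule" and kind not in CHECKS:
            continue
        name = str(obj.get("name", ""))
        msgs = [] if NAME_RE.match(name) else ["ERROR name is not a three-part name"]
        msgs += check_secrule(obj, outbound) if kind == "secrule" else CHECKS[kind](obj)
        findings += ["%s [%s %s]" % (msg, kind, name) for msg in msgs]
    return findings


# Constructed sample. The oplans/obj_type/objects wrapper is an assumed file layout.
SAMPLE = json.loads("""{"oplans": [
 {"obj_type": "seclist", "objects": [{"name": "/Compute-acme/jack/web", "policy": "permit"}]},
 {"obj_type": "seciplist", "objects": [
   {"name": "/Compute-acme/jack/admins", "secipentries": ["203.0.113.0/30"]}]},
 {"obj_type": "secapplication", "objects": [
   {"name": "/Compute-acme/jack/vnc", "protocol": "tcp", "dport": "5000-4000"}]},
 {"obj_type": "secrule", "objects": [
   {"name": "/Compute-acme/jack/r1", "application": "/Compute-acme/jack/vnc",
    "action": "PERMIT", "src_list": "seclist:/Compute-acme/jack/web",
    "dst_list": "seciplist:/Compute-acme/jack/admins"}]}]}""")

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

To check your own file, pass the result of json.load() on it to lint(). The INFO line for a CIDR entry lists every address the subnet admits, which for a /30 is four addresses rather than two.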

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.


The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Orchestrations tab.

3. Click Upload Orchestration and select the orchestration file that you want to
upload.

To upload an orchestration using the API, use the POST /orchestration/ method.
For more information, see REST API for Oracle Compute Cloud Service.
To create the resources defined in your orchestration, see Starting an Orchestration.

Orchestration Life Cycle


When you start an orchestration, the objects defined in it are created and the
orchestration moves to the ready state. When you stop an orchestration, the objects
defined in it are deleted and the orchestration moves to the stopped state.
The following figure shows the states that an orchestration can be in.

starting
The orchestration is starting.

scheduled
A future start_time has been specified for the orchestration.

• When the current time is equal to or past the start_time value, then the state of
the orchestration changes to starting.

• To cancel a current schedule, stop the orchestration. The state of the orchestration
then changes to stopping.

ready
The orchestration is running.

• Note that, for any object where the HA policy isn’t specified or is set to none, you
can still update or delete the object using the web console or the API. In this case,
the orchestration continues to be in the ready state, even though some or all of the
objects created using that orchestration may have been deleted.

• For instances where the HA policy is set to active, if the orchestration is in the
ready state, you can update the instance using the web console or the API, but
you can’t delete the instance, because it is re-created automatically. To delete such
instances, you must stop the orchestration.

updating
The orchestration is being updated.

• When an orchestration is in the ready or error state, you can update it by using
the PUT /orchestration/name API call. This causes the state of the
orchestration to change to updating.

• When an orchestration is in the updating state, no further updates can be made.
Attempts to update such an orchestration are rejected with a validation error.

• If an orchestration in the updating state encounters an error, its state changes
to error. If no errors are encountered, then the orchestration completes the updates
and returns to the ready state.

• When you stop an orchestration that’s in the updating state, it transitions to the
stopping state.

error
One or more instances in the orchestration have encountered an error.

• The orchestration remains in the error state until all the instances defined in it
are running.

• Wait to see if all the instances start running and the state of the orchestration
changes automatically to ready. If that doesn’t happen, then stop the
orchestration, identify and fix the error, and start the orchestration again.

stopping
The orchestration is stopping.
If any of the objects defined in an orchestration are used or referenced by another
object, the orchestration won’t be able to delete the referenced objects, and it can get
stuck in the Stopping state. See My orchestration is stuck in the stopping state.

stopped
The orchestration has stopped. All the objects defined in the orchestration have been
deleted.

Starting an Orchestration
When you start an orchestration, the objects defined in it are created, and when you
stop an orchestration, those objects are deleted.

Plan your orchestrations carefully, so that you can control the creation and deletion of
objects that consume resource quotas. For example, if you’re about to start an
orchestration that creates a large number of storage volumes, consider whether you
really need all those resources. If not, redefine your orchestration to create only the
resources that you need.


Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• You must have uploaded the orchestration to Oracle Compute Cloud Service. See
Uploading an Orchestration.

• You must have already created all the objects or orchestrations that this
orchestration depends on.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Orchestrations tab.

3. Go to the orchestration that you want to start. From the menu, select Start.

When you start an orchestration, its status changes to Starting and the objects defined
in the orchestration are provisioned. When all the objects have been created, the status
of the orchestration changes to Ready.
If the orchestration can’t create an object, its status changes to Error. An orchestration
might transition from the Error to the Ready state when it completes creating all the
specified objects.
If the status of your orchestration continues to show Error, then stop the orchestration,
identify and fix the issue in an offline copy of the orchestration JSON file, upload the
modified orchestration file, and start the orchestration.
To start an orchestration using the API, use the PUT /orchestration/name
method with the query argument action=START. For more information, see REST
API for Oracle Compute Cloud Service.
After starting an orchestration, you can view its status on the Orchestrations page. If
you no longer require the objects created by an orchestration, then to delete the
objects, stop the orchestration. See Stopping an Orchestration.


Monitoring Orchestrations
The Orchestrations page shows you a list of your orchestrations and the status of each
orchestration.

To complete this task, you must have the Compute_Monitor or
Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then
ask your system administrator to ensure that the role is assigned to you in Oracle
Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle
Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Orchestrations tab.

All orchestrations are displayed, with information about their description and
status.

Tip:

You can filter the list of orchestrations according to their category or status. To
view orchestrations with a specific status (such as ready, error, or stopped),
click the Show menu and select the appropriate filter. To view orchestrations
of a specific category (such as all or personal), click the Category menu and
select the appropriate filter.

3. Go to the orchestration that you want to view and, from the menu, select View.

The orchestration details page shows you the details of the current state of the
orchestration, including return parameters, in JSON format. For information about
the return parameters of an instance, see Return Parameters Displayed in an
Orchestration.

To get a list of your orchestrations using the API, use the
GET /orchestration/container method, and to view the details of an orchestration,
use the GET /orchestration/name method. For more information, see REST API for Oracle
Compute Cloud Service.


For information about the status of an orchestration, see Orchestration Life Cycle. To
start an orchestration, see Starting an Orchestration and to stop an orchestration, see
Stopping an Orchestration.

Return Parameters Displayed in an Orchestration


When you view an orchestration using the web console, you’ll see that the
orchestration contains additional information about your instances, such as their status
and the most recent start or stop time. This information contains return parameters
that tell you about the current state of your instance. These return parameters are not
part of the input that you provided in the JSON file that you uploaded.
You’ll also see that the orchestration includes certain optional parameters that you
might not have specified in the JSON that you uploaded. These optional parameters
are displayed either empty, or with a default value. For a description of optional input
parameters, see Attributes in Orchestrations.
You might also notice that the sequence of objects is different from the sequence of
objects in the JSON file that you uploaded. This happens because Oracle Compute
Cloud Service rearranges the objects according to a certain internal sequence.
However, this has no impact on the values you provided or the way your
orchestration works.
The following table shows the return parameters displayed for your instance when
you view an orchestration using the web console.

Return Parameters Description

Top-level Parameters

status Shows the current status of the orchestration.

account Shows the default account for your identity domain.

uri Shows the complete URI of the orchestration.

info The nested parameter errors shows which object in the orchestration has
encountered an error. Empty if there are no errors.

status_timestamp This information is generally displayed at the end of the orchestration JSON. It
indicates the time that the current view of the orchestration was generated.
This information shows only when the orchestration is running.

Oplan Parameters

status Shows the current status of the oplan.

info If the orchestration has encountered an error, the nested parameter errors
shows the errors. Empty if there are no errors.

status_timestamp This information is generally displayed towards the end of the orchestration
JSON. It indicates the time that the current view of the orchestration was
generated. This information shows only when the orchestration is running.

Instance Parameters

placement_requirements Empty. This parameter is not used.


ip If the instance is running, this parameter shows its private IP address. This
information doesn’t show when an instance is not running.

state If the orchestration is running, this parameter shows the current state of the
instance. This information doesn’t show when an orchestration is stopped or if
the instance couldn’t be created due to an error.

start_time If the orchestration is running, this parameter shows the time the instance was
created. This information doesn’t show when an orchestration is stopped or if
the instance couldn’t be created due to an error.

error_reason If the instance goes into an error state, this parameter shows the reason for the
error. This information doesn’t show when an instance is not in an error state.

nimbula_orchestration If any user-defined attributes are entered using the attributes parameter,
then the nested parameter nimbula_orchestration shows the three-part
name of the orchestration used to create the instance.

Stopping an Orchestration
When you stop an orchestration, all the instances and other resources that were
provisioned by that orchestration are deleted.

Note:

When you stop an orchestration, only the resources that are created by the
orchestration are deleted. For example, if you use an orchestration to create
storage volumes and attach them to your instances, then such storage volumes
are deleted when you stop the orchestration, and you lose the data stored on
those storage volumes. However, if an orchestration specifies only attachments
to storage volumes that are created outside the orchestration, then when you
stop the orchestration, the storage volumes aren’t deleted.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.


c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Orchestrations tab.

3. Identify the orchestration that you want to stop. From the menu, select Stop.

The status of the orchestration changes to Stopping.

Note:

If any of the objects defined in an orchestration are used or referenced by
another object, the orchestration won’t be able to delete the referenced objects,
and it can get stuck in the Stopping state. See My orchestration is stuck in the
stopping state.

After all objects have been deleted, the status of the orchestration changes to Stopped.
You can view the orchestration, download it, or start it again.
To stop an orchestration using the API, use the PUT /orchestration/name
method with the query argument action=STOP. For more information, see REST API
for Oracle Compute Cloud Service.
When you no longer need an orchestration, you can delete it. See Deleting an
Orchestration.

Downloading an Orchestration
You can download the orchestration file to your local host, edit it, and upload a
modified orchestration file as a new orchestration.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Orchestrations tab.

3. Identify the orchestration that you want to download. From the menu, select
Download, and save the orchestration file on your local host.

You can edit the downloaded orchestration file on your local host, as required, by
using any text editor, and then upload the edited orchestration file as a new
orchestration. Remember to change the name attribute in the JSON file.
For the procedure to upload an orchestration to Oracle Compute Cloud Service, see
Uploading an Orchestration.
To download an orchestration using the API, use the GET /orchestration/name
method. After editing an orchestration, to upload it using the API, use the
PUT /orchestration/name method. For more information, see REST API for Oracle
Compute Cloud Service.

Updating an Orchestration
To update an orchestration, download the orchestration file to your local host, edit it,
and upload the modified orchestration.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Orchestrations tab.

3. Identify the orchestration that you want to download. From the menu, select
Download, and save the orchestration file on your local host.

4. Delete the orchestration from Oracle Compute Cloud Service. See Deleting an
Orchestration.

5. Edit the downloaded orchestration file on your local host, as required, by using any
text editor.

6. Upload the edited orchestration file to Oracle Compute Cloud Service. See
Uploading an Orchestration.

To download an orchestration using the API, use the GET /orchestration/name
method. After editing an orchestration, to upload it using the API, use the
PUT /orchestration/name method. For more information, see REST API for Oracle
Compute Cloud Service.

Deleting an Orchestration
When you start an orchestration, the objects defined in it are created, and when you
stop an orchestration, those objects are deleted. However, stopping an orchestration
doesn’t cause the orchestration itself to be deleted. After you stop an orchestration, the
orchestration continues to be listed on the Orchestrations page, where its status is
shown as Stopped. You can still start, view, or download the orchestration. When you
delete an orchestration, however, it’s no longer listed on the Orchestrations page, and
you can’t perform any action on it.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• You must have stopped the orchestration that you want to delete. See Stopping an
Orchestration.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Orchestrations tab.

3. Identify the orchestration that you want to delete. From the menu, select Delete.

To delete an orchestration using the API, use the DELETE /orchestration/name
method. For more information, see REST API for Oracle Compute Cloud Service.

5 Managing Machine Images

A machine image is a template of a virtual hard disk of a specific size with an
installed operating system. You use machine images to create virtual machine
instances in Oracle Compute Cloud Service.
You can create instances by using either your own machine images or images
provided by Oracle.

Topics

• About Oracle-Provided Linux Images

• About Oracle-Provided Solaris Images

• About Oracle-Provided Windows Images

• Workflow for Creating Instances Using a Custom Machine Image

• Building Your Own Machine Images

• Uploading Machine Image Files to Oracle Storage Cloud Service

• Registering a Machine Image in Oracle Compute Cloud Service

• Listing Machine Images

• Deleting a Custom Machine Image

• Maintaining Versions of Custom Machine Images

About Oracle-Provided Linux Images


Releases
Oracle provides machine images for Oracle Linux 6.4 and 6.6.
The Oracle-provided images include the essential packages that are necessary to get
started using the instance that you create in Oracle Compute Cloud Service.
Specifically, they include the basic packages required for the following:

• Development tools: Expect, Java OpenJDK, GCC suite, GNU utilities, Perl, Ruby,
Python, and so on.

• Basic X11 desktop

• Remote X11 access with VNC

• Xterm client

• Security and auditing with OpenSCAP and AIDE

• Integration with name services such as OpenLDAP, Kerberos, and NIS

• System administration tools

• Firefox and Elinks web browsers

• Emacs and vim editors


Users
In instances created by using any of the Oracle-provided Oracle Linux images, a user
named opc is preconfigured. The opc user has sudo privileges and is configured for
remote access over the SSH v2 protocol using RSA keys. The SSH public keys that you
specify while creating instances are added to the
/home/opc/.ssh/authorized_keys file.
Note that root login is disabled.
Remote Access
Access to the instance is permitted only over the SSH v2 protocol. All other remote
access services are disabled.
Disk Layout

• /boot: 500 MB

• swap: 4 GB

• / (root): Remainder
Oracle Linux Repositories Enabled for Yum Configuration

• public_ol6_latest

• public_ol6_UEK_latest

• public_ol6_UEKR3_latest
Language Support
Arabic, Chinese - Simplified, Chinese - Traditional, Czech, Danish, Dutch, English,
Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean,
Norwegian, Polish, Portuguese - Brazilian, Romanian, Russian, Slovak, Spanish,
Swedish, Thai, Turkish

About Oracle-Provided Solaris Images


Releases
Oracle provides machine images for Oracle Solaris 11.3.
The Oracle-provided images include the essential packages for getting started using
the instance that you create in Oracle Compute Cloud Service. These images will be
updated according to Oracle's quarterly critical patch update schedule.

Note:
Oracle Solaris Kernel Zones are not supported. The only virtualization that’s
supported within Oracle Solaris instances in Oracle Compute Cloud Service is
native non-global zones.

Users
In instances created by using any of the Oracle-provided Oracle Solaris images, a user
named opc is preconfigured. The opc user is assigned the System Administrator
profile and can perform basic administration tasks without entering a password by
using pfexec. The opc user is configured for remote access over the SSH v2 protocol
using RSA keys. The SSH public keys that you specify while creating instances are
added to the /export/home/opc/.ssh/authorized_keys file.

Note:

Direct login as root is disabled. You can assume the root role by running
su -. The password is solaris_opc and is marked as expired. You must change
the password the first time that you assume the root role.

Disk Layout
The images include a single disk that’s mapped to the root ZFS storage pool (rpool).
Support and Package Updates
When you create instances by using an Oracle-provided Oracle Solaris image, you get
a support entitlement for Oracle Solaris. You can update packages from the support
repository, file service requests to get support, and so on. The default IPS publisher,
named solaris, is preconfigured to use the Oracle Solaris support repository
(https://pkg.oracle.com/solaris/support/).
Language Support
See Managing Available Locales in International Language Environments Guide for Oracle
Solaris 11.3.

About Oracle-Provided Windows Images


Releases
Oracle provides machine images in Oracle Cloud Marketplace for Microsoft Windows
Server 2012 R2 Standard Edition.
Licensing Requirements
When you obtain a Windows image from Oracle Cloud Marketplace, the terms and
conditions for using the image are displayed. You must read and accept those terms.
See Creating an Instance Using an Image from Oracle Cloud Marketplace.
Users
On instances created by using any of the Oracle-provided Windows images, a user
named Administrator is created automatically. This user is configured for accessing
the instance through a remote desktop protocol (RDP) connection. You must set the
password for this user while creating the instance.
Remote Access
Access to the instance is permitted only over RDP. All other remote access services are
disabled.
Disk Layout
The images contain a single disk that’s mapped to the C drive.

Language Support
English only.

Workflow for Creating Instances Using a Custom Machine Image


You can create instances in Oracle Compute Cloud Service by using either
Oracle-provided machine images or your own custom machine images. In either case,
you can set up the instances to boot from a persistent disk. This workflow
summarizes the high-level steps for building a custom machine image, adding it to
Oracle Compute Cloud Service, and using that machine image to create instances.

1. Build your machine image. See Building Your Own Machine Images.

2. Upload the tar.gz machine image file to Oracle Storage Cloud Service. See
Uploading Machine Image Files to Oracle Storage Cloud Service.

3. Create a machine image in Oracle Compute Cloud Service corresponding to the
machine image file stored in Oracle Storage Cloud Service. See Registering a
Machine Image in Oracle Compute Cloud Service.

4. (Optional) Create a bootable storage volume using the machine image. See
Creating a Bootable Storage Volume.

5. Create instances. See Creating Instances.

Building Your Own Machine Images


Topics

• Guidelines for Building Private Images

• Building an Oracle Linux Machine Image

Guidelines for Building Private Images


When you build images, consider the following guidelines:

• Supported operating systems


You can build private images using x86, 64-bit versions of the following operating
systems:

– Oracle Linux 6.4

– Oracle Linux 6.6

– Oracle Solaris 11.3


Oracle Linux images must be set up to boot using kernel version 2.6.36 or later.
Kernels starting from v2.6.36 contain PVHVM drivers, which are required for
instances to work in Oracle Compute Cloud Service.

• Image disk count and size


The image must contain only one disk.
Keep the image disk only as large as it needs to be. A large image requires more
time to be uploaded to Oracle Storage Cloud Service, and costs more to store. In
addition, creating instances and bootable storage volumes from a large image
requires more time. Before uploading image files to Oracle Storage Cloud Service,
make them sparse files. On Linux, you can convert a file to the sparse format by
running the command cp --sparse=always original_file sparse_file. When
creating the tar archive, specify the -S option so that the tar utility stores
the sparse file appropriately.

• User access
Before creating the final image file, plan ahead and provision any users that you'd
like to be available when instances are created using the image.

Note:

While creating instances, you can specify one or more SSH public keys.
The keys that you specify are stored as metadata on the instance. This
metadata can be accessed from within the instance at
http://192.0.0.192/{version}/meta-data/public-keys/{index}/openssh-key.

– Oracle-provided Oracle Linux and Oracle Solaris images include a script
that runs automatically when the instance starts, retrieves the keys, and
adds them to the authorized_keys file of the opc user.

– In images that you build, you can write and include a script that runs
automatically when the instance starts, retrieves the SSH public keys, and
adds the keys to the authorized_keys file of the appropriate users.

• Format
The image must be a full disk image, including a partition table and boot loader.
The virtual disk image must be converted to the raw format, packaged in a tar
archive that contains only the image, and compressed using gzip. The final image
must be a tar.gz file.
Choose a tar.gz file name that you can use later to easily identify the key
characteristics of the image, such as the OS name, OS version, and the disk size. For
example, for a root-disabled, Oracle Linux 6.6 image with a 20-GB disk, consider
using a file name such as OL66_20GB_RD.tar.gz.
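
A boot-time script of the kind the User access guideline describes, as an added example that is not Oracle's script or code from this guide: it walks the public-keys indexes, validates each entry, and writes authorized_keys with restrictive permissions. The `latest` value for {version}, the opc target user, the RSA-only allow-list, and all function and variable names are assumptions.

```shell
#!/bin/bash
# Added example, not Oracle's script: boot-time SSH key provisioning for a custom image.
# Assumptions: "latest" fills the {version} placeholder, the target user is opc,
# and only RSA keys are accepted (the key type the guide describes for opc).
METADATA_BASE="${METADATA_BASE:-http://192.0.0.192/latest/meta-data/public-keys}"
ALLOWED_KEY_TYPES="${ALLOWED_KEY_TYPES:-ssh-rsa}"
MAX_KEYS="${MAX_KEYS:-32}"   # hard stop so a misbehaving endpoint cannot loop forever

# Hex-encode stdin as one lowercase string.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# Fetch the key at index $1; non-zero exit when that index does not exist.
fetch_key() {
    curl --silent --fail --max-time 5 "${METADATA_BASE}/$1/openssh-key"
}

# Print every key the service offers, from index 0 up to the first miss.
fetch_all_keys() {
    local i=0 key
    while [ "$i" -lt "$MAX_KEYS" ] && key=$(fetch_key "$i"); do
        printf '%s\n' "$key"
        i=$((i + 1))
    done
    return 0
}

# Accept only "type base64 [comment]" lines: no options prefix (command=, from=, ...),
# no control characters, an allowed key type, and a blob whose embedded
# length-prefixed algorithm name matches the declared type.
valid_key() {
    local line=$1 type blob comment want got
    local re='^[A-Za-z0-9+/]+={0,2}$'
    [[ $line == *[[:cntrl:]]* ]] && return 1
    read -r type blob comment <<<"$line"
    case " $ALLOWED_KEY_TYPES " in *" $type "*) ;; *) return 1 ;; esac
    [[ $blob =~ $re ]] || return 1
    got=$(set -o pipefail; printf '%s' "$blob" | base64 -d 2>/dev/null | hex) || return 1
    want=$(printf '%08x' "${#type}")$(printf '%s' "$type" | hex)
    [ "${got:0:${#want}}" = "$want" ]
}

# Read candidate keys on stdin, append the valid ones that are not yet present to
# <home>/.ssh/authorized_keys, and print how many were added.
install_keys() {
    local dir=$1/.ssh owner=${2:-} tmp line added=0
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    tmp=$(mktemp "$dir/.authorized_keys.XXXXXX") || return 1
    if [ -f "$dir/authorized_keys" ]; then cat "$dir/authorized_keys" >"$tmp"; fi
    while IFS= read -r line || [ -n "$line" ]; do
        valid_key "$line" || continue
        grep -qxF -- "$line" "$tmp" && continue     # already authorized
        printf '%s\n' "$line" >>"$tmp"
        added=$((added + 1))
    done
    chmod 600 "$tmp"
    # Rename within the same directory so sshd never reads a half-written file.
    mv -f "$tmp" "$dir/authorized_keys" || return 1
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then chown -R "$owner" "$dir"; fi
    echo "$added"
}

# Call from an init script as root: <this script> --boot
if [ "${1:-}" = "--boot" ]; then
    fetch_all_keys | install_keys /home/opc opc >/dev/null
fi
```

Entries that fail validation are skipped rather than written, so a malformed metadata response cannot add login options or extra lines to authorized_keys.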

Building an Oracle Linux Machine Image


Oracle provides several ready-to-use Oracle Linux machine images that you can use to
create instances in Oracle Compute Cloud Service. You can build your own machine
images and create instances using them.

For detailed instructions about installing Oracle Linux on Oracle VM VirtualBox;
customizing the operating system for enabling key-based SSH access; changing the
default kernel; installing Apache HTTP Server, MySQL, and PHP; and then creating a
raw image that you can use to launch instances in Oracle Compute Cloud Service, see
the Building a Custom Oracle Linux Machine Image with the LAMP Stack tutorial.

After building a machine image, to use it to launch instances, you must upload the
tar.gz image file to Oracle Storage Cloud Service. See Uploading Machine Image
Files to Oracle Storage Cloud Service.
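
The packaging steps from Guidelines for Building Private Images (sparse copy, tar with -S, gzip, one image per archive), as an added shell example that is not part of the Oracle guide. The boot-signature check, the function names, and the exit codes are assumptions of this example; GNU cp and GNU tar are assumed.

```shell
#!/bin/bash
# Added example, not from the Oracle guide: package a raw disk image the way the
# guidelines describe. Requires GNU cp and GNU tar for --sparse and -S.

# Hex-encode stdin as one lowercase string.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# True when the first sector of the file ends with the 0x55AA boot signature,
# that is, the file looks like a full disk image with a partition table and
# not a bare filesystem.
has_boot_signature() {
    [ "$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | hex)" = 55aa ]
}

# package_image RAW_IMAGE OUTPUT.tar.gz
# Exit codes (chosen for this example): 2 bad arguments, 3 not a full disk image,
# 4 archive does not contain exactly one member.
package_image() {
    local raw=$1 out=$2 work name rc
    case $out in
        *.tar.gz) ;;
        *) echo "output name must end in .tar.gz" >&2; return 2 ;;
    esac
    [ -f "$raw" ] || { echo "no such image: $raw" >&2; return 2; }
    has_boot_signature "$raw" || {
        echo "no boot signature: not a full disk image?" >&2
        return 3
    }
    name=$(basename "$raw")
    work=$(mktemp -d "$(dirname "$out")/pkg.XXXXXX") || return 1
    # Step 1: sparse copy, so runs of zero bytes stop occupying disk blocks.
    # Step 2: -S makes tar record the holes instead of archiving them as data.
    cp --sparse=always "$raw" "$work/$name" &&
        tar -C "$work" -czSf "$out" "$name"
    rc=$?
    rm -rf "$work"
    [ "$rc" -eq 0 ] || return "$rc"
    # The archive must contain the image and nothing else.
    [ "$(tar -tzf "$out" | wc -l)" -eq 1 ] || return 4
}

# Usage: <this script> disk.raw /abs/path/OL66_20GB_RD.tar.gz
if [ "$#" -eq 2 ]; then
    package_image "$1" "$2"
fi
```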

Uploading Machine Image Files to Oracle Storage Cloud Service


After building your machine images, to use the images to launch instances in Oracle
Compute Cloud Service, you must first upload the machine image files to Oracle
Storage Cloud Service.

Oracle Storage Cloud Service is an Infrastructure as a Service (IaaS) product that
provides an enterprise-grade, large-scale, object storage solution for files and
unstructured data. When your Oracle Compute Cloud Service account was activated,
an Oracle Storage Cloud Service instance would have been provisioned automatically.

Note:

For information about the operating systems that you can use to build
machine images, see Guidelines for Building Private Images.

Tip:

You can also upload machine image files to Oracle Cloud Storage Service by
using the upload-img CLI tool. With the CLI tool, you can upload multiple
files by using a single command. See the Uploading a Machine Image to Oracle
Storage Cloud Service tutorial.

Prerequisites

• Make sure that the .tar.gz file that you want to upload is available on the host
from which you’re accessing the web console.

• Make sure that you have the required role to upload images to Oracle Storage
Cloud Service.

– If this is the first machine image being uploaded to Oracle Storage Cloud
Service, then you must have the Storage Administrator role.

– If one or more machine images have previously been uploaded to Oracle
Storage Cloud Service, then any user with the Storage_ReadWriteGroup
role can upload images.
If you don’t have the required role or aren’t sure, then ask your service
administrator to ensure that you have the required role in Oracle Cloud My
Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

• Make sure that a replication policy has been set for your Oracle Storage Cloud
Service account:

1. Sign in to the Oracle Cloud My Services application. See Signing In to the My
Services Application in Managing and Monitoring Oracle Cloud.
The My Services Dashboard is displayed. It lists the services that are assigned
to your account.

2. Look for Oracle Storage Cloud Service.

3. If a replication policy is already set, the Set Replication Policy link is disabled.
If the Set Replication Policy link is enabled, then click it to set the policy for
your account. See Selecting a Data Center for Oracle Storage Cloud Service in
Using Oracle Storage Cloud Service.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Images tab.

The Private Images page is displayed.

3. Click Upload Image.

4. Enter your password, and then click Continue.

The Upload Image page is displayed in a new tab.

5. In the Image File field, browse to select the .tar.gz machine image file that you
want to upload.

The path where the machine image will be uploaded and the size of the machine
image are displayed.

6. In the Target Object field, enter the name of the object that the machine image file
should be stored as in Oracle Storage Cloud Service.

By default, this field is filled automatically with the name of the selected machine
image file. You can use that name or enter a new name. The name must be unique
and it must end with .tar.gz (example: myImage.tar.gz).

Note this name. You’ll need it later when you want to add a machine image to
Oracle Compute Cloud Service using the POST /machineimage/ HTTP request or
delete the machine image file from Oracle Storage Cloud Service.

7. Click Upload.

If a machine image already exists with the name specified in the Target Object
field, you’re prompted to enter another name. If you proceed with the upload
without changing the name, the existing machine image is overwritten.

The progress indicator shows the percentage of the task that is complete. The time
taken to upload the file varies depending on the size of the machine image file. Do
not close this browser window while the upload is still in progress.

If you want to cancel the upload, click Cancel.

After the file is uploaded to the compute_images container in Oracle Cloud
Storage Service, a message is displayed to indicate that the machine image file was
successfully uploaded. If you want to upload another machine image file, click
Upload More.

To launch instances using the machine image files that you uploaded to Oracle Storage
Cloud Service, you must register the machine images in Oracle Compute Cloud
Service. See Registering a Machine Image in Oracle Compute Cloud Service.

Tip:

By default, any user in your Oracle Storage Cloud Service account who has the
Storage_ReadWriteGroup role has full read and write access to the
compute_images container in which you store machine image files. To
restrict access to the compute_images container, create a custom role in
Oracle Cloud My Services, assign that role to only the users who must be
allowed to access the compute_images container, and then assign the role to
the X-Container-Write ACL of the container. See the Restrict Read and
Write Access to Containers by Using the REST API tutorial.

Registering a Machine Image in Oracle Compute Cloud Service


You can create your own machine images, register them in Oracle Compute Cloud
Service, and then use the images to launch instances.

Note:

For information about the operating systems that you can use to build
machine images, see Guidelines for Building Private Images.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• You must have uploaded the machine image file to Oracle Storage Cloud Service.
See Uploading Machine Image Files to Oracle Storage Cloud Service.

Procedure
1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Images tab.

The Private Images page is displayed.

3. Click Associate Image.

4. Enter a name and description for the new image, select the image file, and click
Add.

You can now use your machine image to launch instances.


To do this using the API, invoke the POST /machineimage/, POST /imagelist/,
and POST /imagelistentry/ methods, in that order. For more information, see
REST API for Oracle Compute Cloud Service.

Listing Machine Images


A machine image can be either an Oracle-provided image or a private image that you
added.

Listing All Machine Images


When you create instances by using the web console, the Image field displays a list of
all the available machine images.

Listing Oracle-Provided Images


When you create instances by using the web console, the Image field displays a list of
all the available machine images. The names of the Oracle-provided images have the
prefix /oracle/public/.
To view a list of Oracle-provided machine images using the API, use the
GET /machineimage/oracle/public method. For more information, see REST API for
Oracle Compute Cloud Service.

Listing Private Images


To complete this task, you must have the Compute_Monitor or
Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then
ask your system administrator to ensure that the role is assigned to you in Oracle
Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle
Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Images tab.

The Private Images page is displayed.

The Private Images page displays all the images that you’ve added.
To view a list of private machine images using the API, use the
GET /machineimage/Compute-account/user method. For more information, see REST
API for Oracle Compute Cloud Service.

Deleting a Custom Machine Image


When you no longer need a custom machine image that you registered in Oracle
Compute Cloud Service, you can delete the image.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• Make sure that the machine image isn’t used in any orchestration.

Caution:

If you delete a machine image that’s used in an orchestration, then when that
orchestration is stopped and re-started, the instances won’t be created.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Images tab.

The Private Images page is displayed.

3. Go to the image that you want to delete, and from the menu, select Delete.

To delete an image using the API, use the DELETE /machineimage/name method.
For more information, see REST API for Oracle Compute Cloud Service.

Note:

When you delete a machine image from Oracle Compute Cloud Service, the
image file that’s stored in Oracle Storage Cloud Service is not removed.

• At any time, you can register the machine image again in Oracle Compute
Cloud Service and then use the image to launch instances.

• For instructions to permanently remove a machine image file from Oracle
Storage Cloud Service, see the Deleting Machine Image Files from Oracle
Storage Cloud Service tutorial.

Maintaining Versions of Custom Machine Images


You can group multiple versions or flavors of machine images that you build, using
image lists. An image list is a collection of Oracle Compute Cloud Service machine
images. Each machine image in an image list is identified by a unique entry number.
Image lists enable you to administer and use related machine images easily.

Note:

For information about the operating systems that you can use to build
machine images, see Guidelines for Building Private Images.

For example, you can group multiple versions of an Oracle Linux 6.6 machine image,
each containing a different set of packages, in an image list. To view the details of all
your Oracle Linux 6.6 image versions, all you need to do is view the details of the
image list that contains those images. In an orchestration, you can quickly change the
machine image that must be used, say from one Oracle Linux 6.6 image version to
another, by simply changing the imagelist_entry number.
When you add a machine image using the web console, an image list is created
automatically by using the name that you specified for the image. The new machine
image becomes the default (and only) entry in the image list.

6 Managing Storage Volumes

Topics

• About Storage Volumes

• Creating a Storage Volume

• Creating a Bootable Storage Volume

• Cloning a Storage Volume by Using Storage Volume Snapshots

• Attaching a Storage Volume to an Instance

• Viewing Details of a Storage Volume

• Mounting a Storage Volume on a Linux Instance

• Unmounting a Storage Volume from a Linux Instance

• Mounting a Storage Volume on an Oracle Solaris Instance

• Unmounting a Storage Volume from an Oracle Solaris Instance

• Mounting a Storage Volume on a Windows Instance

• Unmounting a Storage Volume from a Windows Instance

• Detaching a Storage Volume from an Instance

• Deleting a Storage Volume

About Storage Volumes


A storage volume is a virtual disk that provides persistent block storage space for
instances in Oracle Compute Cloud Service.
You can use storage volumes to store data and applications.
You can also associate a storage volume with a machine image and then, while
creating an instance, you can specify that volume as a persistent boot disk for the
instance.

• When you create a storage volume, you can specify the capacity that you need. The
allowed range is from 1 GB to 2 TB, in increments of 1 GB.

• Up to 10 storage volumes can be attached to each Oracle Compute Cloud Service
instance. A storage volume can be attached to only one instance at a time.

• You can attach one or more storage volumes to an instance either while creating the
instance or later, while the instance is running.

• After creating an instance, you can easily scale up or scale down the block storage
capacity for the instance by attaching or detaching storage volumes. However, you
can’t detach a storage volume that was attached during instance creation. Note
that, when a storage volume is detached from an instance or when the instance is
deleted, data stored on the storage volume isn’t lost.

Creating a Storage Volume


A storage volume is a virtual disk that provides persistent block storage space for
instances in Oracle Compute Cloud Service. You can create storage volumes and
attach them to instances to provide block storage capacity for storing data and
applications. You can also associate a storage volume with a machine image, and then
use the storage volume as the boot disk for an instance.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

Note:

When an instance is re-created, storage volumes that were attached manually
(that is, not attached automatically through the orchestration that was used to
create the instance) must be attached again.

Tip:

Before you begin, read the storage-related recommendations in Best Practices
for Using Oracle Compute Cloud Service.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Storage tab.

3. Click Create Storage Volume.

4. Select or enter the required information:

• Enter a name for the storage volume. Note this name. You’ll need it later to
search for the storage volume on the Storage page.
Pick a name that you can use later to quickly identify the key characteristics of
the storage volume.

• To make this storage volume a boot disk, select a machine image in the Boot
Image field. Later, while creating an instance, you can specify this volume as
the boot disk for the instance.
If you select a machine image with a large disk size, it may take a while for the
storage volume to be created.

• Enter the size, in GB, of the storage volume. The allowed range is 1 GB to 2 TB.
Consider the storage capacity needs of the applications that you plan to deploy
on the instance, and leave some room for attaching more storage volumes in the
future. This approach helps you use the available block storage capacity
efficiently in the long run.
If you intend to use this storage volume as a boot disk, then the size must be at
least 5% higher than the boot image disk size.

• Select a storage property.


For storage volumes that require low latency and high IOPS, such as for storing
database files, select storage/latency. For all other storage volumes, select
storage/default.

Note:

The web console might show other storage properties. But don’t select any of
them.

• Enter a description for the storage volume.

5. Click Create.

The Storage page is displayed.

While the new storage volume is being created, the Status field for the storage volume
shows Initializing.
When the storage volume is ready, the Status field changes to Online.
To view details of the new storage volume, search for it by using the name that you
noted earlier. From the menu, select View.
To create a storage volume using the API, use the POST /storage/volume/
method. To attach a storage volume to an instance, you must add a storage attachment
object, by using the POST /storage/attachment/ method. For more information
about these API methods, see REST API for Oracle Compute Cloud Service.
After creating a storage volume, you must attach the storage volume to an instance
and then mount the storage volume on the instance. See Attaching a Storage Volume
to an Instance and Mounting a Storage Volume on a Linux Instance.

Creating a Bootable Storage Volume


A storage volume is a virtual disk that provides persistent block storage space for
instances in Oracle Compute Cloud Service. While creating a storage volume, you can
associate it with a machine image and later use this storage volume as the boot disk for
an instance. When you boot an instance from such a storage volume, any changes you
make to the boot disk aren’t lost when the instance is deleted and re-created.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Storage tab.

3. Click Create Storage Volume.

4. Select or enter the required information:

• Enter a name for the storage volume. Note this name. You’ll need it later to
search for the storage volume on the Storage page.
Pick a name that you can use later to quickly identify the key characteristics of
the storage volume. For example, consider a name such as boot-OL66-20G (for
a bootable storage volume with an Oracle Linux 6.6 machine image on a 20-GB
disk).

• Select a machine image in the Boot Image field.


If you select a machine image with a large disk size, it may take a while for the
storage volume to be created.

• Enter the size, in GB, of the storage volume. The allowed range is 1 GB to 2 TB.
The size you enter must be at least 5% higher than the boot image disk size.

• Select a storage property.

For storage volumes that require low latency and high IOPS, such as for storing
database files, select storage/latency. For all other storage volumes, select
storage/default.

Note:
The web console might show other storage properties. But don’t select any of
them.

• Enter a description for the storage volume.

5. Click Create.

The Storage page is displayed.

While the new storage volume is being created, the Status field for the storage volume
shows Initializing.
When the storage volume is ready, the Status field changes to Online. You can then
specify this storage volume as the boot disk while creating an instance.
To view details of the new storage volume, search for it using the name you noted
earlier. From the menu, select View.
To create a storage volume using the API, use the POST /storage/volume/
method. To attach a storage volume to an instance, you must add a storage attachment
object, by using the POST /storage/attachment/ method. For more information
about these API methods, see REST API for Oracle Compute Cloud Service.

Cloning a Storage Volume by Using Storage Volume Snapshots


Cloning storage volumes allows you to create multiple identical storage volumes. You
can use these storage volumes to boot instances, to add identical data volumes to
multiple instances, or to create a backup of your data.

Note:

This feature is available only in the Dedicated Compute offering of Oracle
Compute Cloud Service.

Topics

• Creating a Storage Volume Snapshot

• Listing Storage Volume Snapshots

• Creating a Storage Volume from a Snapshot

• Deleting a Storage Volume Snapshot

Creating a Storage Volume Snapshot


Creating a snapshot of a storage volume enables you to capture the current state of the
storage volume. You can retain snapshots as a backup, or use them to create new,
identical storage volumes.

Note:

This feature is available only in the Dedicated Compute offering of Oracle
Compute Cloud Service.

You can create a snapshot of a storage volume either when it is attached to an instance
or after detaching it. If the storage volume is attached to an instance, then only data
that has already been written to the storage volume will be captured in the snapshot.
Data that is cached by the application or the operating system will be excluded from
the snapshot. To create a snapshot of a bootable storage volume that is currently being
used by an instance, you should delete the instance before you create the snapshot, to
ensure the consistency of data. You can create the instance again later on, after the
snapshot is created.
To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.
To create a storage volume snapshot:

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Storage tab.

The Storage Volumes page is displayed.

3. Go to the storage volume that you want to create a snapshot of. From the menu,
select Create Snapshot.

4. In the Create Storage Snapshot dialog box, enter a name for the snapshot and, if
required, specify a description and tags to help you identify your storage snapshot.
Then click Create.

A storage volume snapshot is generated.

5. To see a list of storage snapshots, click Storage Snapshots in the left pane.

The Storage Snapshots page is displayed. On this page, you can view a list of
storage snapshots as well as other information including the volume used to create
the snapshot, and storage volumes cloned from a snapshot.

After you’ve created a storage volume snapshot, to use this snapshot to create a
storage volume, see Creating a Storage Volume from a Snapshot.

Listing Storage Volume Snapshots


Storage volume snapshots allow you to create a new storage volume from an existing
storage volume. You can take multiple snapshots of a storage volume and create
multiple storage volumes from a snapshot. After you’ve created a snapshot, you can
see a list of snapshots and view information about each of your snapshots including
the storage volumes created from each snapshot.

To complete this task, you must have the Compute_Monitor or
Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then
ask your system administrator to ensure that the role is assigned to you in Oracle
Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle
Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Storage tab.

The Storage Volumes page is displayed.

3. Click the Storage Snapshots tab in the left pane.

The Storage Snapshots page is displayed. On this page, you can view the list of
snapshots with related information including the name of the storage volume that the
snapshot was created from, the date the snapshot was created, and the new storage
volumes created from the snapshot, if any.

Tip:

You can filter the list of storage volume snapshots according to their category.
To view storage volumes of a specific category (such as IaaS, PaaS, or
personal), click the Category menu and select the appropriate filter.

After you’ve created a storage volume snapshot, to use this snapshot to create a
storage volume, see Creating a Storage Volume from a Snapshot.

Creating a Storage Volume from a Snapshot


You can clone an existing storage volume by creating a snapshot of the storage volume
and using the snapshot to create a new storage volume.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Storage tab.

The Storage Volumes page is displayed.

3. Click the Storage Snapshots tab in the left pane.

4. Go to the snapshot that you want to create a storage volume from. From the
menu, select Clone.

5. In the Clone Storage Volume dialog box, enter a name for the new storage volume,
specify a description if required, and select the required storage property.

For storage volumes that require low latency and high IOPS, such as for storing
database files, select storage/latency. For all other storage volumes, select
storage/default.

Note:

The web console might show other storage properties. But don’t select any of
them.

6. Click Clone.

A new storage volume is created.


After you’ve created a storage volume, to view details of your storage volume, see
Viewing Details of a Storage Volume. To attach a storage volume to an instance, see
Attaching a Storage Volume to an Instance.

Deleting a Storage Volume Snapshot


You can clone an existing storage volume by creating a snapshot of the storage volume
and using the snapshot to create a new storage volume. You can create multiple
snapshots of a storage volume. If a storage volume snapshot gets outdated, or if you
no longer need a snapshot, you can delete it. You can’t delete a snapshot if it has been
used to create a new storage volume.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Storage tab.

The Storage Volumes page is displayed.

3. Click the Storage Snapshots tab in the left pane.

4. Go to the snapshot that you want to delete. From the menu, select Delete.

Note:

You can’t delete a snapshot if it has been used to create new storage volumes.
In this case, the Delete option is disabled.

Attaching a Storage Volume to an Instance


You can provide or increase block storage capacity for an instance by attaching storage
volumes.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Storage tab.

3. Identify the storage volume that you want to attach. From the menu, select
Attach Instance.

4. Select the instance to which you want to attach the volume.

5. The Attach as Disk # field is filled automatically with the next available index at
which the volume can be attached. You can leave this field at the automatically
selected disk number or enter a higher number up to 10.

The disk number that you specify here determines the device name. The disk
attached at index 1 is named /dev/xvdb, the disk at index 2 is /dev/xvdc, the
disk at index 3 is /dev/xvdd, and so on.
Make a note of the disk number. You’ll need it later when you mount the storage
volume on the instance.

6. Click Attach.

You can also attach a storage volume to a running instance from the Instances page.
See Attaching a Storage Volume to an Instance.

To attach a storage volume to a running instance using the API, use the
POST /storage/attachment/ method. For more information, see REST API for Oracle
Compute Cloud Service.
After attaching a storage volume to an instance, to access the block storage, you must
mount the storage volume on your instance. See Mounting a Storage Volume on a
Linux Instance.

Viewing Details of a Storage Volume


You can use the web console to view details of a storage volume, such as the status,
size, and the instance to which it is attached.

To complete this task, you must have the Compute_Monitor or
Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then
ask your system administrator to ensure that the role is assigned to you in Oracle
Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle
Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Storage tab.

All storage volumes are displayed, along with information about each storage
volume.

Tip:
You can filter the list of storage volumes according to their category or status.
To view storage volumes with a specific status (such as online, offline, or
attached), click the Show menu and select the appropriate filter. To view
storage volumes of a specific category (such as IaaS, PaaS, or personal), click
the Category menu and select the appropriate filter.

3. Go to the storage volume that you want to view. From the menu, select View.

To view the details of a storage volume using the API, use the
GET /storage/volume/name method. For more information, see REST API for Oracle
Compute Cloud Service.

Mounting a Storage Volume on a Linux Instance


To access a storage volume, you must attach it to your instance and mount it.
For the steps to mount a volume on a Windows instance, see Mounting a Storage
Volume on a Windows Instance.
For the steps to mount a volume on an Oracle Solaris instance, see Mounting a Storage
Volume on an Oracle Solaris Instance.

Note:

When an instance is re-created, storage volumes that were attached manually
(that is, not attached automatically through the orchestration that was used to
create the instance) must be attached again.
When an instance that’s set up to boot from a nonpersistent boot disk is
re-created, all the storage volumes attached to the instance must be mounted
again.

After attaching a storage volume to an instance (see Attaching a Storage Volume to an
Instance), mount it as follows:

1. Identify the disk number of the storage volume that you want to mount. See
Viewing Details of a Storage Volume.

2. Log in to the instance. See Accessing an Oracle Linux Instance Using SSH.

3. List the devices available on your instance:

ls /dev/xvd*

Device names start from /dev/xvdb and are determined by the index number that
you assigned when you attached the storage volumes. For example, if you attached
a storage volume at index 1, the volume gets the device name, /dev/xvdb. The
storage volume at index 2 would be /dev/xvdc, the storage volume at index 3
would be /dev/xvdd, and so on.

4. Identify the device name corresponding to the disk number that you want to
mount.

For example, if you want to mount the storage volume that you had attached at
index 3, the device name would be /dev/xvdd.

5. Use a tool such as mkfs to create a file system on the storage volume. For example,
to create an ext3 file system on /dev/xvdd, run the following command:

sudo mkfs -t ext3 /dev/xvdd

Note:

If the Extended File System utilities aren’t available on your instance, a
message such as the following is displayed:

mkfs.ext3: No such file or directory

To install the Extended File System utilities, run the following command:

sudo yum install e4fsprogs

6. Create a mount point on your instance. For example, to create the mount
point /mnt/store, run the following command:

sudo mkdir /mnt/store

7. Mount the storage volume on the mount point that you created on your instance.
For example, to mount the device /dev/xvdd at the /mnt/store directory, run
the following command:

sudo mount /dev/xvdd /mnt/store

If you prefer, you can specify the disk UUID instead of the device name in the
mount command. To find out the UUID of the disks attached to your instance, run
the blkid command.

8. To make the mount persistent across instance restarts, edit the /etc/fstab file
and add the mount as an entry in that file.

Note:

When an instance that’s set up to boot from a nonpersistent boot disk is
re-created, any mount points that you defined are lost. You must create the
mount points again.
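The Linux mount procedure above, scripted as an added example (it is not part of the Oracle documentation): index_to_device maps the disk number to its device name, fstab_entry builds a UUID-based /etc/fstab line, and mount_volume runs steps 5 to 8 but skips mkfs when blkid already finds a file system, as on a volume cloned from a snapshot. The function names and the nofail mount option are choices made for this example.

```shell
#!/bin/sh
# Added example; function names are assumptions, not Oracle tooling.
# Usage on the instance:  mount_volume 3 /mnt/store ext3

# Map the "Attach as Disk #" index (1-10) to its device name:
# index 1 -> /dev/xvdb, index 2 -> /dev/xvdc, ..., index 10 -> /dev/xvdk.
index_to_device() {
    case "$1" in
        ''|*[!0-9]*) echo "disk index must be a number from 1 to 10" >&2; return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 10 ]; then
        echo "disk index must be a number from 1 to 10" >&2
        return 1
    fi
    printf '/dev/xvd%s\n' "$(printf 'bcdefghijk' | cut -c "$1")"
}

# Build an /etc/fstab line that names the volume by UUID, so the entry
# stays correct if the volume is later attached at a different index.
# nofail (a choice of this example) lets the instance boot even when the
# volume has not been attached again after the instance is re-created.
# Arguments: UUID, mount point, file-system type.
fstab_entry() {
    uuid=$1 mount_point=$2 fstype=$3
    if [ -z "$uuid" ] || [ -z "$fstype" ]; then
        echo "UUID and file-system type are required" >&2
        return 1
    fi
    case "$mount_point" in
        /*) ;;
        *) echo "mount point must be an absolute path" >&2; return 1 ;;
    esac
    case "$uuid$mount_point$fstype" in
        *[[:space:]]*) echo "fstab fields must not contain whitespace" >&2; return 1 ;;
    esac
    printf 'UUID=%s %s %s defaults,nofail 0 2\n' "$uuid" "$mount_point" "$fstype"
}

# Steps 5-8 for one volume. Arguments: disk index, mount point,
# file-system type to create if the volume is empty (default ext3).
mount_volume() {
    device=$(index_to_device "$1") || return 1
    mount_point=$2
    want_type=${3:-ext3}
    [ -b "$device" ] || { echo "$device is not an attached disk" >&2; return 1; }

    # mkfs destroys whatever is on the device, so only run it when blkid
    # finds no existing file system or partition table.
    if sudo blkid "$device" >/dev/null 2>&1; then
        echo "$device already holds data; not running mkfs" >&2
    else
        sudo mkfs -t "$want_type" "$device" || return 1
    fi

    # Read back the UUID and the actual type rather than trusting arguments.
    uuid=$(sudo blkid -s UUID -o value "$device") || return 1
    fstype=$(sudo blkid -s TYPE -o value "$device") || return 1
    entry=$(fstab_entry "$uuid" "$mount_point" "$fstype") || return 1

    sudo mkdir -p "$mount_point" || return 1
    sudo mount "UUID=$uuid" "$mount_point" || return 1

    # Add the fstab entry once only.
    grep -q "^UUID=$uuid[[:space:]]" /etc/fstab ||
        printf '%s\n' "$entry" | sudo tee -a /etc/fstab >/dev/null
}
```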

Unmounting a Storage Volume from a Linux Instance


To detach a storage volume from your instance, or to delete the instance that a storage
volume is attached to, you must first unmount the storage volume.

Note:

For the steps to unmount a volume from a Windows instance, see
Unmounting a Storage Volume from a Windows Instance.
For the steps to unmount a volume from an Oracle Solaris instance, see
Unmounting a Storage Volume from an Oracle Solaris Instance.

To unmount a storage volume from a Linux instance:

1. Identify the disk number of the storage volume that you want to unmount. See
Viewing Details of a Storage Volume.

2. Log in to the instance. See Accessing an Oracle Linux Instance Using SSH.

3. List the devices available on your instance and their mount points:

sudo df -hT

Filesystem    Type   Size  Used Avail Use% Mounted on
/dev/xvdb2    ext4    16G  2.9G   12G  20% /
tmpfs         tmpfs  3.7G     0  3.7G   0% /dev/shm
/dev/xvdb1    ext4   194M   90M   94M  49% /boot
/dev/mapper/vg_binaries-lv_tools
              ext4   9.9G  156M  9.2G   2% /u01/app/oracle/tools
/dev/mapper/vg_backup-lv_backup
              ext4    20G  4.0G   15G  21% /u01/data/backup
/dev/mapper/vg_domains-lv_domains
              ext4   9.9G  1.2G  8.3G  12% /u01/data/domains
/dev/mapper/vg_binaries-lv_mw
              ext4   9.9G  2.0G  7.4G  21% /u01/app/oracle/middleware
/dev/mapper/vg_binaries-lv_jdk
              ext4   2.0G  334M  1.6G  18% /u01/jdk

Device names start from /dev/xvdb and are determined by the index number that
you assigned when you attached the storage volumes. For example, if you attached
a storage volume at index 1, then the volume gets the device name, /dev/xvdb.
The storage volume at index 2 would be /dev/xvdc, the storage volume at index 3
would be /dev/xvdd, and so on.

Note:

For an instance that’s set up to boot from a nonpersistent boot disk,
/dev/xvda is used for the boot disk.

4. Identify the device name corresponding to the disk number that you want to
unmount, and note the mount point for that device.

For example, to unmount the storage volume that is attached at index 3, you must
unmount /dev/xvdd.

5. Run the umount command.

sudo umount mount_point


For example, to unmount the device mounted at /mnt/store, run the following
command:

sudo umount /mnt/store

6. If you had defined this mount point in the /etc/fstab file, then edit /etc/fstab
and remove the mount.

If you no longer need the volume that you just unmounted, then you can detach it
from the instance and delete it. See Detaching a Storage Volume from an Instance and
Deleting a Storage Volume.

Mounting a Storage Volume on an Oracle Solaris Instance


After attaching a storage volume to your Oracle Solaris instance, to be able to access
the new disk, you must mount it. You do this by creating a ZFS storage pool using the
disk that you want to mount.

Note:

When an instance is re-created, storage volumes that were attached manually
(that is, not attached automatically through the orchestration that was used to
create the instance) must be attached again.
When an instance that’s set up to boot from a nonpersistent boot disk is
re-created, all the storage volumes attached to the instance must be mounted
again.

The steps to mount a storage volume on an Oracle Solaris instance vary depending on
whether a ZFS storage pool exists for the volume.

• If the storage volume that you want to mount was attached previously to any
Oracle Solaris instance, or if you’re not sure about this, then start with the steps in
Importing a ZFS Storage Pool.

• If the storage volume that you want to mount has just been created, or if you’re
sure that it has never been attached previously to any Oracle Solaris instance, then
proceed to Creating a ZFS Pool.

Importing a ZFS Storage Pool


Complete the steps in this section if the storage volume that you want to mount was
attached previously to any Oracle Solaris instance or if you’re not sure about that.
Otherwise, go to Creating a ZFS Pool.

1. Identify and make a note of the disk number of the storage volume that you want
to mount.
See Viewing Details of a Storage Volume.

2. Log in to the instance on which you want to mount the storage volume.
See Accessing an Oracle Solaris Instance Using SSH.

3. Assume the root role, by running the following command:

su -

When prompted, enter the root password.

Note:
If this is the first time that you’re assuming the root role on the instance, then
a prompt to change the password is displayed. Change the password as
prompted and then proceed.

4. Run the following command:

zpool import

5. Examine the output of the command:

• If the command returns the message no pools available to import,
then proceed to Creating a ZFS Pool.

• If the command lists one or more pools, then pick the pool that you want to
import.
Here’s an example of the output of the zpool import command:
  pool: mypool2
    id: 14352758040898370875
 state: ONLINE
action: The pool can be imported using its name or numeric identifier.
config:

        mypool2     ONLINE
          c2t2d0    ONLINE

  pool: mypool3
    id: 1124470769081803325
 state: ONLINE
action: The pool can be imported using its name or numeric identifier.
config:

        mypool3     ONLINE
          c2t3d0    ONLINE

In this example, two pools are available for importing: mypool2 (for disk
c2t2d0) and mypool3 (for disk c2t3d0).
In the disk names—that is, c2t2d0, c2t3d0, and so on—look at the t1, t2, t3, ...
number. This number, technically known as the target number, matches the index
that was specified when the volume was attached to the Oracle Solaris instance.
For example, c2t3d0 is the disk that’s attached to the instance at index 3.

6. Identify the disk that you want to mount, and note its pool name.
For example, if you want to mount the storage volume that’s attached to the
instance at index 3, then the disk in this example would be c2t3d0 in mypool3.

Note:

If the index number of the storage volume that you want to mount doesn’t
match the target number of any of the disks listed by the zpool import
command, then you must create a ZFS storage pool. See Creating a ZFS Pool.

7. Import the ZFS pool that you noted earlier, by running the zpool import
command, as shown in the following example:
zpool import mypool3
The storage volume and the ZFS file systems defined in it, if any, are now
mounted on the instance.

8. Verify that the volume is mounted.
See Verifying that the Storage Volume is Mounted.
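Steps 5 to 7 above, as an added example that is not part of the Oracle documentation: pool_for_index reads zpool import output and returns the pool whose disk has a target number equal to the attachment index, and fails when there is none (the case that sends you to Creating a ZFS Pool). The function names are made up for this example, and the sample input is the output shown in step 5.

```shell
#!/bin/sh
# Added example; function names are assumptions, not Oracle tooling.

# Constructed sample: the zpool import output shown in step 5.
sample_zpool_import() {
    cat <<'EOF'
  pool: mypool2
    id: 14352758040898370875
 state: ONLINE
action: The pool can be imported using its name or numeric identifier.
config:

        mypool2     ONLINE
          c2t2d0    ONLINE

  pool: mypool3
    id: 1124470769081803325
 state: ONLINE
action: The pool can be imported using its name or numeric identifier.
config:

        mypool3     ONLINE
          c2t3d0    ONLINE
EOF
}

# Read zpool import output on stdin and print "pool disk" for every disk
# whose target number (the tN part of cXtNdM) equals the index given as $1.
# Exit status: 0 = match found, 1 = no importable pool on that index,
# 2 = the index argument is not a number.
pool_for_index() {
    case "$1" in
        ''|*[!0-9]*) echo "index must be a number" >&2; return 2 ;;
    esac
    awk -v idx="$1" '
        # Remember the pool that the following config lines belong to.
        $1 == "pool:" { pool = $2; next }
        # Disk lines look like c2t3d0; strip everything but the target number.
        $1 ~ /^c[0-9]+t[0-9]+d[0-9]+/ {
            target = $1
            sub(/^c[0-9]+t/, "", target)
            sub(/d[0-9]+.*$/, "", target)
            if (target + 0 == idx + 0) { print pool, $1; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# On the instance, as root: import the pool that lives on the disk attached
# at the given index, or say that a new pool has to be created instead.
import_by_index() {
    match=$(zpool import 2>/dev/null | pool_for_index "$1") || {
        echo "no importable pool on index $1; create a ZFS pool instead" >&2
        return 1
    }
    # First word of the first match is the pool name.
    zpool import "${match%% *}"
}
```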

Creating a ZFS Pool


Complete the steps in this section if the storage volume that you want to mount has
just been created, or if you’re sure that it has never been attached previously to any
Oracle Solaris instance. Otherwise, see Importing a ZFS Storage Pool.

1. Identify and make a note of the disk number of the storage volume that you want
to mount.
See Viewing Details of a Storage Volume.

2. Log in to the instance on which you want to mount the storage volume.
See Accessing an Oracle Solaris Instance Using SSH.

3. Assume the root role, by running the following command:

su -

When prompted, enter the root password.

Note:

If this is the first time that you’re assuming the root role on the instance, then
a prompt to change the password is displayed. Change the password as
prompted and then proceed.

4. Find out the names of the disks attached to your instance, by running the format
command:
format
The following is an example of the output of this command:
Searching for disks...done

AVAILABLE DISK SELECTIONS:


0. c2t1d0 <Unknown-Unknown-0001-34.00GB>
/xpvd/xdf@51728
1. c2t2d0 <Unknown-Unknown-0001-10.00GB>
/xpvd/xdf@51744
2. c2t3d0 <Unknown-Unknown-0001 cyl 1024 alt 0 hd 64 sec 32>
/xpvd/xdf@51872
Specify disk (enter its number):

In this example, three disks are attached to the instance: c2t1d0, c2t2d0 and
c2t3d0.
In the disk names—that is, c2t2d0, c2t3d0, and so on—look at the t1, t2, t3, ...
number. This number, technically known as the target number, matches the index
that was specified when the volume was attached to the Oracle Solaris instance.
For example, c2t3d0 is the disk that’s attached to the instance at index 3.

5. Using the storage volume index number that you noted earlier, identify and make
a note of the disk name of the storage volume that you want to mount.
For example, if you want to mount the storage volume that was attached at index
3, then the disk name in this example would be c2t3d0.

6. Kill the format process by pressing Ctrl+c.

7. Create a ZFS storage pool for the disk that you want to mount:
Command syntax: zpool create pool_name disk_file_name

Command example: zpool create mypool3 c2t3d0


The storage volume is now mounted on the instance. By default, the mount point
is the name of the pool.

8. If required, create ZFS file systems in the new ZFS storage pool.
Command syntax: zfs create pool_name/filesystem_name
Command example: zfs create mypool3/myfs1
The ZFS file systems are mounted automatically. By default, the mount point of
each file system is its name.

9. To give the opc user access to the ZFS storage pool and its filesystems, make the
opc user the owner of the mount by using the chown command, as shown in the
following example:
chown -R opc /mypool3

10. Verify that the volume is mounted.

See Verifying that the Storage Volume is Mounted.

Verifying that the Storage Volume is Mounted


To verify that the ZFS pool and file systems are mounted, run the zfs mount
command on the instance.
The following is an example of the output of the zfs mount command:
rpool/ROOT/solaris /
rpool/ROOT/solaris/var /var
rpool/VARSHARE /var/share
rpool/export /export
rpool/export/home /export/home
rpool/export/home/opc /export/home/opc
rpool /rpool
rpool/VARSHARE/zones /system/zones
rpool/VARSHARE/pkg /var/share/pkg
rpool/VARSHARE/pkg/repositories /var/share/pkg/repositories
mypool3 /mypool3
mypool3/myfs1 /mypool3/myfs1

In this example,

• The rpool entries are for the root pool that contains the boot disk of the instance.

• mypool3 is the ZFS storage pool of the storage volume that you mounted. It is
mounted at /mypool3.

• mypool3/myfs1 is a filesystem in the ZFS storage pool, and it’s mounted at
/mypool3/myfs1.

See Also:

• Unmounting a Storage Volume from an Oracle Solaris Instance

• Managing ZFS File Systems in Oracle Solaris 11.3

Unmounting a Storage Volume from an Oracle Solaris Instance


To detach a storage volume from your instance, or to delete the instance that a storage
volume is attached to, you must first unmount the storage volume.

To unmount a storage volume from an Oracle Solaris instance:

1. Identify and make a note of the disk number of the storage volume that you want
to unmount. See Viewing Details of a Storage Volume.

2. Log in to the instance. See Accessing an Oracle Solaris Instance Using SSH.

3. Assume the root role, by running the following command:

su -

When prompted, enter the root password.

4. Find out the names of the disks mounted on your instance and the ZFS pool to
which each disk belongs, by running the following command:

zpool status

The following is an example of the output of this command:

pool: mypool
state: ONLINE
scan: none requested
config:

NAME STATE READ WRITE CKSUM


mypool ONLINE 0 0 0
c2t2d0 ONLINE 0 0 0

errors: No known data errors

pool: rpool
state: ONLINE
scan: none requested
config:

NAME STATE READ WRITE CKSUM


rpool ONLINE 0 0 0
c2t1d0 ONLINE 0 0 0

errors: No known data errors

In this example, two disks are mounted on the instance: c2t1d0 (in rpool) and
c2t2d0 (in mypool).

Focus on the t1, t2, ... number in the disk file names. This number corresponds to
the index that was specified while attaching the storage volume to the instance.

5. Identify and make a note of the disk file name of the storage volume that you want
to unmount.

For example, if you want to unmount the storage volume that was attached at
index 2, then the disk file name in this example would be c2t2d0.

Caution:

rpool is the pool that contains the boot disk. Do NOT unmount it.

6. Export the ZFS pool that contains the disk that you want to unmount:

Command syntax: zpool export pool_name

Command example: zpool export mypool

This command unmounts the ZFS pool and any file systems in it. To verify that the
pool has been exported, run the zpool import command. The output shows that the
pool that you exported is available for importing, as shown in the following example:
pool: mypool
id: 1124470769081803325
state: ONLINE
action: The pool can be imported using its name or numeric identifier.
config:

mypool ONLINE
c2t2d0 ONLINE

If you no longer need the volume that you just unmounted, then you can detach it
from the instance and delete it. See Detaching a Storage Volume from an Instance and
Deleting a Storage Volume.
To mount the volume again, run the zpool import command, as shown in the
following example:
zpool import mypool
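
The index-to-disk matching used in the mount and unmount procedures above can be checked in a script before any zpool command is run. The following Python example is added here and is not part of Oracle's documentation: it parses the output of format, zpool status and zpool import, picks the command for a given attachment index, and refuses to touch the boot pool. The function names are hypothetical, and the sample outputs are constructed from the examples in this section.

```python
import re

# Solaris disk names look like c2t3d0; the "t" number is the target number,
# which matches the index that was used when the volume was attached.
DISK = re.compile(r"\b(c\d+t(\d+)d\d+)\b")
BOOT_POOL = "rpool"  # pool that contains the boot disk; never export it

# Constructed sample outputs, modelled on the examples in this section.
FORMAT_OUT = """\
AVAILABLE DISK SELECTIONS:
       0. c2t1d0 <Unknown-Unknown-0001-34.00GB>
          /xpvd/xdf@51728
       1. c2t2d0 <Unknown-Unknown-0001-10.00GB>
          /xpvd/xdf@51744
       2. c2t3d0 <Unknown-Unknown-0001 cyl 1024 alt 0 hd 64 sec 32>
          /xpvd/xdf@51872
"""
STATUS_OUT = """\
  pool: mypool
 state: ONLINE
config:
        NAME      STATE     READ WRITE CKSUM
        mypool    ONLINE       0     0     0
          c2t2d0  ONLINE       0     0     0

  pool: rpool
 state: ONLINE
config:
        NAME      STATE     READ WRITE CKSUM
        rpool     ONLINE       0     0     0
          c2t1d0  ONLINE       0     0     0
"""
IMPORT_OUT = """\
  pool: mypool3
 state: ONLINE
config:
        mypool3   ONLINE
          c2t3d0  ONLINE
"""


def disks_by_pool(zpool_text):
    """Parse `zpool status` or `zpool import` output into {target: (pool, disk)}."""
    found, pool = {}, None
    for raw in zpool_text.splitlines():
        line = raw.strip()
        if line.startswith("pool:"):
            pool = line.split(":", 1)[1].strip()
            continue
        match = DISK.match(line)
        if match and pool:
            found[int(match.group(2))] = (pool, match.group(1))
    return found


def disks_from_format(format_text):
    """Parse `format` output into {target: disk}."""
    return {int(m.group(2)): m.group(1) for m in DISK.finditer(format_text)}


def plan_mount(index, format_text, status_text, import_text, new_pool):
    """Return the zpool command that mounts the volume attached at `index`."""
    active = disks_by_pool(status_text)
    if index in active:
        pool, disk = active[index]
        raise ValueError(f"{disk} already belongs to active pool {pool}")
    importable = disks_by_pool(import_text)
    if index in importable:
        # The disk carries an exported pool: import it rather than create one.
        return ["zpool", "import", importable[index][0]]
    disks = disks_from_format(format_text)
    if index not in disks:
        raise LookupError(f"no disk with target number {index} is attached")
    return ["zpool", "create", new_pool, disks[index]]


def plan_unmount(index, status_text):
    """Return the zpool command that unmounts the volume attached at `index`."""
    active = disks_by_pool(status_text)
    if index not in active:
        raise LookupError(f"no mounted disk with target number {index}")
    pool, disk = active[index]
    if pool == BOOT_POOL:
        raise ValueError(f"{disk} is in {BOOT_POOL}, the boot pool; not exporting")
    return ["zpool", "export", pool]


if __name__ == "__main__":
    print(plan_mount(3, FORMAT_OUT, STATUS_OUT, IMPORT_OUT, "mypool3"))
    print(plan_unmount(2, STATUS_OUT))
```

The functions only return the command as an argument list; running it is left to the operator, so the result can be reviewed first.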

See Also:

• Exporting a ZFS Storage Pool in Managing ZFS File Systems in Oracle Solaris
11.3.

• Importing a ZFS Storage Pool in Managing ZFS File Systems in Oracle Solaris
11.3.

Mounting a Storage Volume on a Windows Instance


To access a storage volume from a Windows instance, you must attach the volume to
the instance and mount it.

Note:
When an instance is re-created, storage volumes that were attached manually
(that is, not attached automatically through the orchestration that was used to
create the instance) must be attached again.
When an instance that’s set up to boot from a nonpersistent boot disk is re-
created, all the storage volumes attached to the instance must be mounted
again.

After attaching a storage volume to a Windows instance (see Attaching a Storage
Volume to an Instance), mount it as follows:

1. Log in to the Windows instance.

See Accessing a Windows Instance Using RDP.

2. From the Start menu, select Server Manager.

3. Navigate to File and Storage Services, and from there to Volumes, and then
Disks.

The storage volumes that are attached to the instance are listed as disks.
For newly attached disks, the Partition type would be Unknown and the
Unallocated capacity would be equal to the total size of the disks.
See the following example:

4. Select the disk that you want to mount.

5. If the Status of the disk is Offline, right-click and select Bring Online.

6. At the confirmation prompt, click Yes.

7. Wait until the status changes to Online.

Refresh the page after a few seconds.


You can now create partitions, format them, and assign each partition to a drive
letter or folder.

8. In the Volumes pane, click Tasks and select New Volume, as shown in the
following example:

Note:

Don’t confuse the term volume that you see in Windows with the concept of
storage volumes in Oracle Compute Cloud Service.
A storage volume in Oracle Compute Cloud Service is a virtual disk that you
can attach to an instance. In the context of Windows, a volume is essentially a
partition on a disk that’s attached to a server. You can create multiple
partitions on each storage volume that you attach to your Windows instance.

9. Follow the instructions in the New Volume Wizard to complete creation of the
partition.

After the partition is created, it's displayed in the Volumes pane.

10. Create more partitions, if required.

The new partitions are now available at the drive letters that you assigned while
partitioning the disk, as shown in the following example:

In this example, on a 1-GB storage volume attached to a Windows Server 2012
Standard instance, two 400-MB partitions were created, formatted, and assigned to the
drives D and E.
For detailed instructions for managing disks and partitions (changing the drive
assignment, changing the file system type, extending the partition or deleting it), see
the Windows Server documentation.

Unmounting a Storage Volume from a Windows Instance


When you no longer need a storage volume for a Windows instance, you can take the
disk offline and detach it from the instance.

To unmount a storage volume from a Windows instance:

1. Log in to the Windows instance.

See Accessing a Windows Instance Using RDP.

2. From the Start menu, select Server Manager.

3. Navigate to File and Storage Services, and from there to Volumes, and then
Disks.

The storage volumes that are attached to the instance are listed as disks.

4. Select the disk that you want to unmount.

5. Right-click and select Take Offline.

Wait for a few seconds, until the Status of the disk changes to Offline.

Note:
The partitions and data on the disk are intact. You can either bring the disk
online later on the same instance, or detach it from this instance and attach it
to another instance.

For detailed instructions for managing disks and partitions, see the Windows Server
documentation.
If you no longer need the volume that you just unmounted, then you can detach it
from the instance and delete it. See Detaching a Storage Volume from an Instance and
Deleting a Storage Volume.

Detaching a Storage Volume from an Instance


A storage volume is a virtual disk that provides persistent block storage space for
instances in Oracle Compute Cloud Service. When you no longer require access to a
storage volume, you can unmount it and detach it from your instance.

After you detach a storage volume from an instance, you can no longer read from or
write data to the storage volume, unless you attach it to an instance.

Note:

You can’t detach or delete a storage volume that was attached while creating
an instance.
If you’re sure that a storage volume is no longer required, then back up the
data elsewhere and delete the storage volume.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• Ensure that you’ve unmounted the storage volume that you want to detach. See
Unmounting a Storage Volume from a Linux Instance.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Storage tab.

3. Go to the storage volume that you want to detach. From the menu, select Detach
Instance.

You can also detach a storage volume from the Instances page. See Detaching a
Storage Volume from an Instance.
To detach a storage volume from an instance using the API, you must remove a
storage attachment object, by using the DELETE /storage/attachment/name
method. For more information, see REST API for Oracle Compute Cloud Service.

Deleting a Storage Volume


If you delete a storage volume, all the data and applications that were saved on that
storage volume are lost. Delete a storage volume only when you’re sure that you no
longer need any of the data that’s stored on that volume.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• Ensure that the storage volume that you want to delete isn’t attached to any
instance. See Detaching a Storage Volume from an Instance.

• Ensure that there are no snapshots of the storage volume that you want to delete.
See Listing Storage Volume Snapshots.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Storage tab.

3. Go to the storage volume that you want to delete. From the menu, select Delete.

To delete a storage volume using the API, use the DELETE /storage/volume/name
method. For more information, see REST API for Oracle Compute Cloud Service.

7 Configuring Network Settings

Topics

• About Network Settings

• Managing Security Lists

• Managing Security Rules

• Managing Security Applications

• Managing Security IP Lists

• Managing Public IP Addresses

• Setting Up Firewalls and Opening Ports for a Sample Scenario

About Network Settings


You can implement fine-grained control over network access to your Oracle Compute
Cloud Service instances, both from other instances as well as from external hosts.
When you create an instance, by default, it doesn’t allow access from any other
instance or external host.
To enable unrestricted communication among some of your instances (for example, to
enable all the instances hosting your development environment to communicate with
each other), you can create a security list and add the instances to that security list.
When you add an instance to a security list, the instance can communicate with all the
other instances in the same security list.
By default, the instances in a security list are isolated from hosts outside the security
list. You can override this default setting by creating security rules. Each security rule
defines a specific source, a destination, and a protocol-port combination over which
communication is allowed. For example, you can set up a security rule to permit SSH
access over port 22 from a set of external hosts (specified in a security IP list) to all the
instances in a security list.
A security list can be used as a source or destination in up to 10 security rules.
The following diagram illustrates how you can use security lists and security rules to
restrict traffic between your instances and control access to them.

This diagram shows the following communication paths:

• Instances in Security-list-a can send traffic to instances in Security-list-b
over any protocol, as defined by Security-rule-a.

• Instances in Security-list-a can receive HTTPS traffic from any host on the
public internet, as defined by Security-rule-b.

• Instances in Security-list-b can receive traffic over SSH from any of the IP
addresses specified in Security-IP-list-a, as defined by Security-rule-c.
If no security rules are defined for a security list, then, by default, instances in that
security list can’t receive traffic from hosts outside the security list. However, instances
in the security list can still access other instances in the same security list.

When you remove an instance from a security list, the instance can no longer
communicate with other instances in that security list, and traffic to and from that
instance is no longer controlled by the security rules defined for that security list.
A security IP list specifies a set of IP addresses that can be used as a source or a
destination in security rules. See Managing Security IP Lists.
An instance can be added to multiple security lists. In case of conflicts in policy, the
most restrictive policy takes precedence. For example, if an instance belongs to one
security list with the inbound policy permit and the same instance is added to
another security list with the inbound policy deny, then the effective inbound policy
for that instance is deny.

See Also:

• Permitting Public TCP Traffic to Instances

• Permitting Traffic Between Instances

• Permitting SSH Access to Instances

• Permitting Ping Requests to Instances

Managing Security Lists


Topics

• About Security Lists

• Creating a Security List

• Updating a Security List

• Adding an Instance to a Security List

• Removing an Instance from a Security List

• Deleting a Security List

About Security Lists


A security list is a group of Oracle Compute Cloud Service instances that you can
specify as the source or destination in one or more security rules. The instances in a
security list can communicate fully, on all ports, with other instances in the same
security list.
When you add an instance to a security list, the inbound and outbound policies of the
security list are applicable to that instance.

• The inbound policy controls the flow of traffic into the security list. For example, if
the inbound policy is set to permit, packets from all sources using any port or
protocol are permitted to the instances in the security list. To control the flow of
traffic to the instances in a security list, ensure that the inbound policy is set to
deny, and then define security rules to allow only traffic from specified sources to
access your instances using specified ports and protocols.

• The outbound policy controls the flow of traffic out of the security list. For
example, if the outbound policy is set to deny, packets can’t flow out of the
security list. To allow instances in a security list to communicate with hosts outside
the security list, set the outbound policy to permit.
By default, a security list has its inbound policy set to deny and outbound policy set to
permit. However, you can specify a different inbound or outbound policy when you
create a security list. If you specify either the inbound or the outbound policy as deny,
then you can set up security rules to override that policy. For example, if a security list
has its inbound policy set to deny, you can create security rules to permit traffic from
specified sources, over specified protocols and ports, to the instances in that security
list.

Note:

A security rule acts only on a policy that is set to deny. If a security list has its
inbound policy set to permit, then you don’t need to define security rules to
permit traffic to instances in that security list.

When you create a security rule, you can specify a security list as a source or
destination in that security rule. A security list can be specified as the source or
destination in up to 10 security rules.
The following diagram shows the relationship between instances and security lists.

In this diagram,

• Security-list-c has the inbound policy set to permit. So traffic from the other
security lists can reach the instances in this security list, as indicated by the arrows.
Traffic from the Internet can also reach the instances in this security list.

• For Security-list-a and Security-list-b, the inbound policy is deny. So
the instances in these security lists can’t receive traffic from any host outside their
security lists.
You can add an instance to up to five security lists.

Note:

If an instance is added to multiple security lists that have different policies,
then the most restrictive policy is applicable to the instance. For example, in
the previous diagram, Inst_4 is in Security-list-c, which has the
inbound policy permit. If you were to add Inst_4 to Security-list-b as
well (inbound policy is deny), then the effective inbound policy for Inst_4
would be deny.
Remember, however, that all instances in a security list can communicate with
each other across all protocols and ports. So in this scenario, Inst_4 would be
able to communicate with Inst_5 in Security-list-c, as well as with
Inst_6, Inst_7, Inst_8, and Inst_9 in Security-list-b.
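
The interaction between list membership, inbound policies and security rules described above can be traced with a small model. The following Python example is added here and is not Oracle's enforcement logic: it evaluates inbound traffic only, and it assumes that a rule applies to an instance when the rule's destination is any security list the instance belongs to. The instance name Inst_1, the any-host IP list and all IP ranges are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class SecList:
    name: str
    inbound: str = "deny"       # default stated in this section
    outbound: str = "permit"    # default stated in this section (not evaluated here)
    members: set = field(default_factory=set)


@dataclass
class SecRule:
    name: str
    source: str                 # name of a security list or a security IP list
    destination: str            # name of a security list
    protocol: str               # "tcp", "udp", ... or "all"
    port: Optional[int] = None  # None means any port
    enabled: bool = True


class Model:
    def __init__(self, seclists, ip_lists, rules):
        self.seclists = {s.name: s for s in seclists}
        self.ip_lists = {n: [ip_network(c) for c in cidrs]
                         for n, cidrs in ip_lists.items()}
        self.rules = list(rules)

    def lists_of(self, instance):
        return {n for n, s in self.seclists.items() if instance in s.members}

    def effective_inbound(self, instance):
        """Most restrictive policy wins; an instance in no list is closed."""
        lists = self.lists_of(instance)
        if lists and all(self.seclists[n].inbound == "permit" for n in lists):
            return "permit"
        return "deny"

    def source_matches(self, rule, src):
        if rule.source in self.seclists:
            return src in self.seclists[rule.source].members
        try:
            addr = ip_address(src)
        except ValueError:      # src is an instance name, not an IP address
            return False
        return any(addr in net for net in self.ip_lists.get(rule.source, []))

    def inbound_allowed(self, src, dst, protocol, port=None):
        """Return (allowed, reason) for traffic from src to instance dst."""
        dst_lists = self.lists_of(dst)
        if dst_lists & self.lists_of(src):
            return True, "same security list"
        if self.effective_inbound(dst) == "permit":
            return True, "inbound policy permit"
        for r in self.rules:    # rules only matter when the policy is deny
            if (r.enabled and r.destination in dst_lists
                    and self.source_matches(r, src)
                    and r.protocol in ("all", protocol)
                    and r.port in (None, port)):
                return True, r.name
        return False, "inbound policy deny, no matching rule"


def build_example():
    """Security lists and rules named in this chapter's diagrams."""
    seclists = [
        SecList("Security-list-a", members={"Inst_1"}),  # Inst_1: constructed
        SecList("Security-list-b",
                members={"Inst_6", "Inst_7", "Inst_8", "Inst_9"}),
        SecList("Security-list-c", inbound="permit",
                members={"Inst_4", "Inst_5"}),
    ]
    ip_lists = {
        "Security-IP-list-a": ["203.0.113.0/24"],  # constructed range
        "any-host": ["0.0.0.0/0"],                 # constructed: any external host
    }
    rules = [
        SecRule("Security-rule-a", "Security-list-a", "Security-list-b", "all"),
        SecRule("Security-rule-b", "any-host", "Security-list-a", "tcp", 443),
        SecRule("Security-rule-c", "Security-IP-list-a", "Security-list-b",
                "tcp", 22),
    ]
    return Model(seclists, ip_lists, rules)


if __name__ == "__main__":
    m = build_example()
    print(m.inbound_allowed("198.51.100.9", "Inst_4", "tcp", 8080))
    m.seclists["Security-list-b"].members.add("Inst_4")  # scenario in the note
    print(m.inbound_allowed("198.51.100.9", "Inst_4", "tcp", 8080))
```

Adding Inst_4 to Security-list-b closes it to arbitrary external hosts while Inst_5 and Inst_6 through Inst_9 can still reach it, which is the outcome the note describes.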

Creating a Security List


A security list is a group of Oracle Compute Cloud Service instances that you can
specify as the source or destination in one or more security rules. The instances in a
security list can communicate fully, on all ports, with other instances in the same
security list.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Click the Security Lists tab in the left pane.

4. Click Create Security List.

5. Enter or select the required details—a name and description, and the inbound and
outbound policies—and click Create.

To create a security list using the API, use the POST /seclist/ method. See REST
API for Oracle Compute Cloud Service.

You can also create a security list by using an orchestration. See Orchestration
Attributes Specific to Each Object Type.

Updating a Security List


After creating a security list, at any time, you can update it to change its description as
well as the inbound and outbound policies.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Click the Security Lists tab in the left pane.

4. Identify the security list that you want to update. From the menu, select Update.

5. Make the required changes, and click Update.

To update a security list using the API, use the PUT /seclist/name method. See
REST API for Oracle Compute Cloud Service.

Adding an Instance to a Security List


You can add an instance to a security list either when you create the instance or later
by updating the instance.
See Creating an Instance from the Instances Page and Updating an Instance.

Removing an Instance from a Security List


To prevent other hosts from accessing an instance, you can remove the instance from
the security lists that it is attached to. This may be useful when you want to perform
maintenance activities, change or upgrade applications, and so on.
See Updating an Instance.

Deleting a Security List


You can delete a security list that isn’t being used by any instance or security rule.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• Ensure that no instance is attached to the security list that you want to delete.

• Ensure that no security rule uses the security list that you want to delete.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Click the Security Lists tab in the left pane.

4. Identify the security list that you want to delete. From the menu, select Delete.

To delete a security list using the API, use the DELETE /seclist/name method. See
REST API for Oracle Compute Cloud Service.
If you created a security list using an orchestration, then you can delete the security
list by stopping the orchestration. See Stopping an Orchestration.

Managing Security Rules


Topics

• About Security Rules

• Creating a Security Rule

• Updating a Security Rule

• Deleting a Security Rule

About Security Rules


Security rules are essentially firewall rules, which you can use to permit traffic
between Oracle Compute Cloud Service instances in different security lists, as well as
between instances and external hosts.
The source and destination specified in a security rule can be either a security IP list
(that is, a list of external hosts) or a security list.
When you create an instance by using the web console, you can specify that the
instance be configured to allow SSH access from hosts on the Internet. When you
select this option, your instance is added to a default security list, and a security rule
called DefaultPublicSSHAccess is created to enable SSH access to instances in the
default security list.

Note:

You don’t need to do this if you’re creating a Windows instance, because you
can’t log in to a Windows instance using SSH. To log in to your Windows
instance using RDP, see Accessing a Windows Instance Using RDP.

If you don’t enable SSH access during instance creation, then to enable SSH access to
your instance later, you must create a security list, add the instance to it, and set up a
security rule to permit SSH traffic to the security list.

Creating a Security Rule


A security rule is a firewall rule that you can define to control network access to
Oracle Compute Cloud Service instances over a specified security application.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• Identify (or create) the following:

– The security application that you want to use in your security rule. See Creating
a Security Application.

– The security list for which you want to create the security rule. See Creating a
Security List.

– Either a security IP list or a security list that you want to use as the source in the
security rule. See Creating a Security IP List.

Caution:

Use security rules carefully and open only a minimal and essential set of ports.
Keep in mind your business needs and the IT security policies of your
organization.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at
https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle
Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Click Create Rule.

The Create Security Rule dialog box is displayed.

4. Enter or select the following:

• Enter a name for the new security rule.

• By default, new security rules are enabled. If you’d like to enable the rule later,
then set Status to Disabled.

• In the Security Application field, select the protocol for which you want to
create this security rule.

• In the Source field, select the security list or security IP list from which traffic
over the specified protocol should be allowed.

• In the Destination field, select the security list to which traffic should be
allowed.

• Enter a meaningful description for the rule.

5. Click Create.

To create a security rule using the API, use the POST /secrule/ method. See REST
API for Oracle Compute Cloud Service.

You can also create a security rule by using orchestrations. See Orchestration
Attributes Specific to Each Object Type.

Updating a Security Rule


You can update a security rule to enable or disable it.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Identify the security rule that you want to update. From the menu, select
Update.

4. In the Update Security Rule dialog box, change the Status as required, and click
Update.

To update a security rule using the API, use the PUT /secrule/name method. For
more information, see REST API for Oracle Compute Cloud Service.

Deleting a Security Rule


If a security rule is no longer required, you can delete it.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Go to the security rule that you want to delete. From the menu, select Delete.

To delete a security rule using the API, use the DELETE /secrule/name method.
See REST API for Oracle Compute Cloud Service.
If you created a security rule using an orchestration, then you can delete the security
rule by stopping the orchestration. See Stopping an Orchestration.

Managing Security Applications


Topics

• About Security Applications

• Creating a Security Application

• Deleting a Security Application

About Security Applications


You can define security applications to manage network protocols and ports. A
security application is a protocol-port mapping that you can use in security rules.
You can either create a security application by specifying the port type and port, or use
one of the following predefined security applications in security rules.

Security Application | Port Type | Port
all | all | None
cloudservice | tcp | 5020
dns-tcp | tcp | 53
dns-udp | udp | 53
http | tcp | 80
https | tcp | 443
icmp | icmp | None
ldap | tcp | 389
ldaps | tcp | 636
mail | tcp | 25
mysql | tcp | 3306
nfs | tcp | 2049
ntp-tcp | tcp | 123
ntp-udp | udp | 123
ping-reply | icmp | None; icmptype:reply
pings | icmp | None; icmptype:echo
rdp | tcp | 3389
rpcbind | tcp | 111
rsync | tcp | 873
snmp-tcp | tcp | 161
snmp-trap-tcp | tcp | 162
snmp-trap-udp | udp | 162
snmp-udp | udp | 161
squid | tcp | 3128
ssh | tcp | 22
tcp5900 | tcp | 5900
telnet | tcp | 23
udp443 | udp | 443

Creating a Security Application


Oracle Compute Cloud Service provides a number of predefined security applications
that you can use. You can also create your own security applications.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.


1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Click the Security Applications tab in the left pane.

4. Click Create Security Application.

5. Enter or select the following information:

• Enter a name for the security application.

• Select the port type.

– If you select the tcp or udp port type, then enter the port range.

– If you select the icmp port type, then enter the ICMP type.

• Enter a meaningful description.

6. Click Create.

To create a security application using the API, use the POST /secapplication/
method. See REST API for Oracle Compute Cloud Service.
You can also create a security application by using orchestrations. See Orchestration
Attributes Specific to Each Object Type.

Deleting a Security Application


You can delete a security application that isn’t being used by any security rule.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• Ensure that no security rule is using the security application that you want to
delete.


Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Click the Security Applications tab in the left pane.

4. Identify the security application that you want to delete. From the menu, select
Delete.

To delete a security application using the API, use the DELETE /secapplication/name
method. See REST API for Oracle Compute Cloud Service.
If you created a security application using an orchestration, then you can delete the
security application by stopping the orchestration. See Stopping an Orchestration.

Managing Security IP Lists


Topics

• About Security IP Lists

• Creating a Security IP List

• Updating a Security IP List

• Deleting a Security IP List

About Security IP Lists


A security IP list is a list of IP subnets (in the CIDR format) or IP addresses that are
external to instances in Oracle Compute Cloud Service. You can use a security IP list
as the source or the destination in security rules to control network access to or from
Oracle Compute Cloud Service instances.
The following table lists the predefined security IP lists that are available in Oracle
Compute Cloud Service.

Security IP List | Description
/oracle/public/instance | Don’t use this security IP list as the source in any security rule.
/oracle/public/public-internet | You can use this security IP list as the source in security rules to permit traffic from any host on the Internet.
/oracle/public/site | Don’t use this security IP list as the source in any security rule.

Creating a Security IP List


To permit traffic from external hosts to Oracle Compute Cloud Service instances, you
must define those hosts in a Security IP List.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Click the Security IP Lists tab in the left pane.

4. Click Create Security IP List. Enter the required details and click Create.

5. In the Create Security IP List dialog box, enter the following details:

• In the Name field, enter a name for the security IP list.

• In the IP List field, enter a comma-separated list of the subnets (in CIDR format)
or IPv4 addresses for which you want to create the security IP list.
For example, to create a security IP list containing the IP addresses 203.0.113.1
and 203.0.113.2, enter one of the following in the IP List field:

203.0.113.0/30

203.0.113.1, 203.0.113.2

• In the Description field, enter a description for the security IP list.

6. Click Create.

To create a security IP list using the API, use the POST /seciplist/ method. See
REST API for Oracle Compute Cloud Service.
You can also create a security IP list by using an orchestration. See Orchestration
Attributes Specific to Each Object Type.
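
The two IP List forms from step 5, compared as CIDR matches with Python's ipaddress module. This is an added example, not Oracle's code: the function names are hypothetical, and how the service itself normalizes entries is not stated here. It goes beyond the step's example by also flagging entries whose host bits are set.

```python
import ipaddress


def parse_ip_list(field):
    """Split an IP List field into (entry, network, note) tuples.

    network is None when the entry is not a valid IPv4 address or CIDR block.
    """
    parsed = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            iface = ipaddress.IPv4Interface(entry)
        except ValueError as exc:
            parsed.append((entry, None, f"invalid: {exc}"))
            continue
        net = iface.network  # a bare address becomes a /32
        note = ""
        if iface.ip != net.network_address:
            # The entry names a host inside the block, not the block's base.
            note = f"host bits set, matches {net[0]}-{net[-1]}"
        parsed.append((entry, net, note))
    return parsed


def networks(field):
    """Valid networks in the field, merged so overlaps are counted once."""
    nets = [net for _, net, _ in parse_ip_list(field) if net is not None]
    return list(ipaddress.collapse_addresses(nets))


def addresses_admitted(field):
    """Number of distinct IPv4 addresses the field matches."""
    return sum(net.num_addresses for net in networks(field))


def is_admitted(field, address):
    """True if the address falls inside any valid entry of the field."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in net for net in networks(field))


# Constructed inputs: the two forms from step 5, plus the subnets that the
# sample scenario later in this chapter uses for ip_list1.
SAMPLES = [
    "203.0.113.0/30",
    "203.0.113.1, 203.0.113.2",
    "203.0.113.1/28, 203.0.113.32/28",
]

if __name__ == "__main__":
    for field in SAMPLES:
        print(f"IP List: {field}")
        for entry, net, note in parse_ip_list(field):
            print(f"  {entry:<18} -> {net}  {note}")
        print(f"  addresses matched: {addresses_admitted(field)}")
```

As a CIDR match, 203.0.113.0/30 also covers 203.0.113.0 and 203.0.113.3, so the address-list form is the narrower of the two.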

Updating a Security IP List


You can update the IP addresses and description for a Security IP List.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Identify the security IP list that you want to update. From the menu, select
Update.

4. In the Update Security IP List dialog box, change the IP List or Description field, as
required, and click Update.

To update a security IP list using the API, use the PUT /seciplist/name method.
You can use this method to replace the list of IP addresses and change the description.
To add IP addresses to the list, use the POST /seciplist/ method and specify the
new IP addresses. See REST API for Oracle Compute Cloud Service.


Deleting a Security IP List


If a security IP list isn’t used in any security rule and if you don’t plan to use the
security IP list in the future, then you can delete it.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.

• Ensure that no security rule is using the security IP list that you want to delete.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Click the Security IP Lists tab in the left pane.

4. Identify the security IP list that you want to delete. From the menu, select
Delete.

To delete a security IP list using the API, use the DELETE /seciplist/name
method. See REST API for Oracle Compute Cloud Service.
If you created a security IP list using an orchestration, then you can delete the list by
stopping the orchestration. See Stopping an Orchestration.

Managing Public IP Addresses


Topics

• About Public IP Addresses


• Reserving a Public IP Address

• Updating an IP Reservation

• Attaching a Public IP Address to an Instance

• Removing a Public IP Address from an Instance

• Deleting an IP Reservation

About Public IP Addresses


If you want to enable access to your instance over the public Internet, you must
associate a public IP address with your instance. You can associate either a temporary
or a persistent public IP address with an instance when you create the instance.
Temporary public IP addresses are assigned dynamically from a pool of public IP
addresses. When you associate a temporary public IP address with an instance, if the
instance is restarted or is deleted and created again later, its public IP address might
change. If you want to assign a persistent public IP address to your instance, you must
first create an IP reservation, and then associate the IP reservation with the instance.

Note:
Each instance also has a private IP address associated with it. When an
instance is created, its private IP address is assigned dynamically from a range
of private IP addresses. When an instance is restarted, its private IP address
might change.

To find out the public IP address or the private IP address of your instance, view the
information on the Instances page. See Listing Instances.

Reserving a Public IP Address


An IP reservation is a public IP address that you can attach to an Oracle Compute
Cloud Service instance that requires access to or from the Internet. You can create an
IP reservation and associate it with an instance to enable access to the instance from
the public Internet.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.


c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Click the IP Reservations tab in the left pane.

4. Click Create IP Reservation.

5. Enter a name for the IP reservation.

6. In the For Instance field, you can select the instance that the IP address must be
attached to.

Alternatively, you can create the IP reservation now without attaching it to any
instance, and attach it later. See Attaching a Public IP Address to an Instance.

7. Click Create.

To create an IP reservation using the API, use the POST /ip/reservation/ method.
See REST API for Oracle Compute Cloud Service.
You can also create an IP reservation by using an orchestration. See Orchestration
Attributes Specific to Each Object Type.

Updating an IP Reservation
You can change the status of an IP reservation or attach it to an instance by updating
the IP reservation.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.


2. Click the Network tab.

3. Click the IP Reservations tab in the left pane.

4. Identify the IP reservation that you want to update. From the menu, select
Update.

• If the selected IP reservation isn’t attached to an instance, then you can attach it
now.

• If the IP reservation is attached to an instance, then you can change its status to
Temporary or Permanent.

To change the status of an IP reservation using the API, use the
PUT /ip/reservation/name method. See REST API for Oracle Compute Cloud Service.

Attaching a Public IP Address to an Instance


You can attach an IP reservation to an instance either while creating the instance or by
updating the IP reservation.
For information about creating instances, see Creating an Instance from the Instances
Page. For information about updating an IP reservation, see Updating an IP
Reservation.
You can also associate an IP reservation with an instance when you create instances
using an orchestration. See Orchestration Attributes Specific to Each Object Type.
Internally, an IP reservation is associated with an instance through the instance’s
vcable. A vcable provides an attachment point to a specific network interface on an
instance. The vcable of an instance is created automatically when the instance is
launched and is deleted when the instance is deleted.
The process of adding a virtual link between an instance and an IP reservation is also
referred to as IP association.
To find out the vcable ID of your instance using the API, use the
GET /instance/name method. To associate an IP reservation with an instance using the
API, use the POST /ip/association/ method. See REST API for Oracle Compute Cloud Service.

Removing a Public IP Address from an Instance


If you want to change the public IP address of an instance, or if you no longer need a
public IP address for the instance, then you can remove the IP Reservation from the
instance.

Note:
You can’t remove a temporary IP address from an instance. You can only
remove a persistent IP address. If you created an instance with an
autogenerated IP address or if you changed the status of the IP address
associated with an instance to temporary, then to remove that IP address from
the instance, first update it to change its status to permanent. See Updating an
IP Reservation.

To complete this task, you must have the Compute_Operations role. If this role isn’t
assigned to you or you’re not sure, then ask your system administrator to ensure that
the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in
Managing and Monitoring Oracle Cloud.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Click the IP Reservations tab in the left pane.

4. Identify the IP reservation that you want to detach. From the menu, select
Remove Instance.

Internally, an IP reservation is associated with an instance by using a vcable. A vcable
provides an attachment point to a specific network interface on an instance. A vcable
is created automatically when an instance is launched and is deleted when the
instance is deleted.
The process of adding a virtual link between an instance and an IP reservation is also
referred to as IP association.
To find out the vcable ID of your instance using the API, use the
GET /instance/name method. To remove an IP reservation from an instance using the
API, use the DELETE /ip/association/name method. See REST API for Oracle Compute
Cloud Service.
If you specified an IP reservation to be associated with an instance in an orchestration,
then, when you stop the orchestration, the IP reservation is detached, and the instance
is deleted. See Stopping an Orchestration.

Deleting an IP Reservation
When you no longer need an IP reservation, you can delete it.

Prerequisites

• To complete this task, you must have the Compute_Operations role. If this role
isn’t assigned to you or you’re not sure, then ask your system administrator to
ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying
User Roles in Managing and Monitoring Oracle Cloud.


• Ensure that no instance is using the IP reservation that you want to delete.

Procedure

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Click the IP Reservations tab in the left pane.

4. Identify the IP reservation that you want to delete. From the menu, select
Delete.

To delete an IP reservation using the API, use the DELETE /ip/reservation/name
method. See REST API for Oracle Compute Cloud Service.
If you created an IP reservation by using an orchestration, then you can delete the IP
reservation by stopping the orchestration. See Stopping an Orchestration.

Setting Up Firewalls and Opening Ports for a Sample Scenario


This section illustrates how you can use security lists and security rules to create
firewalls and open ports in a sample topology.

Sample Scenario and Firewall Requirements


In this scenario, you’ll create a topology with eight Oracle Compute Cloud Service
Linux instances: four used for development (dev1 through dev4) and four for
production (prod1 through prod4).
Let’s assume that you have the following firewall requirements:

Requirement | Source | Destination | Protocol and Port | Policy
1 | Any development instance | Any development instance | All | Allow traffic
2 | Any development instance | Any production instance | SSH/22 | Allow traffic
3 | Any production instance | Any production instance | All | Allow traffic
4 | Any production instance | Any development instance | All | Deny traffic
5 | Any development instance | Internet | All | Deny traffic
6 | Internet | Any development instance | All | Deny traffic
7 | Any host in the subnets 203.0.113.1/28 and 203.0.113.32/28 | Instances dev3 and dev4 | SSH/22 | Allow traffic
8 | Internet | Any production instance | HTTPS/443 | Allow traffic

The following graphic illustrates the required communication routes between your
production and development instances and from external hosts over the public
Internet.


To implement these firewall rules using the web console, see Procedure Using the Web
Console.
To implement these firewall rules using orchestrations, see Procedure Using
Orchestrations.
For a graphic showing the topology with the firewall rules implemented, see Topology
with Firewall Rules Implemented.

Procedure Using the Web Console


To create the required instances and set up the required security rules for this scenario,
complete the following tasks:

1. Generate at least one SSH key pair and upload the SSH public key to Oracle
Compute Cloud Service. See Generating an SSH Key Pair and Adding an SSH
Public Key.

2. Reserve public IP addresses for the instances that will be accessed over SSH:
dev3, dev4, prod1, prod2, prod3, and prod4.
See Reserving a Public IP Address.

3. Create the following security lists, as described in Creating a Security List.

Security List | Inbound Policy | Outbound Policy
dev | Deny | Deny
dev_allow_access | Deny | Deny
prod | Deny | Deny

4. Create a bootable storage volume for each of your instances, as described in
Creating a Bootable Storage Volume.

5. Create your instances. Remember to associate an SSH public key and a public IP
address with each of the instances that you will access over SSH: dev3, dev4,
prod1, prod2, prod3, and prod4. See Creating Instances.

6. Add your instances to the required security lists as follows:

• Add dev1 and dev2 to the dev security list.

• Add dev3 and dev4 to the dev and the dev_allow_access security lists.

• Add prod1, prod2, prod3, and prod4 to the prod security list.
See Adding an Instance to a Security List.
Adding all the development instances to the dev security list enables all instances
in the development environment to communicate with each other over any
protocol. By default, no host outside this security list can communicate with any
development instance, and no development instance can communicate with any
host outside this security list. This fulfils firewall requirements 1, 4, 5, and 6.
Adding all the production instances to the prod security list enables all instances
in the production environment to communicate with each other over any protocol.
This fulfils firewall requirement 3.

7. Create a security IP list named ip_list1 consisting of the subnets 203.0.113.1/28
and 203.0.113.32/28. See Creating a Security IP List.

8. Create the following security rules, as described in Creating a Security Rule.

Security Rule | Parameters | Description
dev-to-prod | Security application: ssh; Source security list: dev; Destination security list: prod | Any development instance can communicate over SSH with any production instance. This fulfils firewall requirement 2.
iplist-to-dev | Security application: ssh; Source security IP list: ip_list1; Destination security list: dev_allow_access | Any host in the 203.0.113.1/28 and 203.0.113.32/28 subnets can connect to instances dev3 and dev4 using SSH. This fulfils firewall requirement 7.
internet-to-prod | Security application: https; Source security IP list: public-internet; Destination security list: prod | Any host on the Internet can send HTTPS requests to any production instance. This fulfils firewall requirement 8.
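
The eight firewall requirements checked against the security lists, security IP list and security rules created in this procedure, as an added example that is not part of Oracle's documentation. It assumes a simplified model of what this section describes: instances in the same security list communicate freely, a security rule opens one security application from its source to its destination list, and the Deny policies block everything else. The external test addresses are constructed, and treating public-internet as 0.0.0.0/0 is an assumption.

```python
import ipaddress

# Security applications used by the three rules (protocol, port), taken from
# the predefined security applications table.
SEC_APPS = {"ssh": ("tcp", 22), "https": ("tcp", 443)}

# Security list membership from step 6.
SECLISTS = {
    "dev": {"dev1", "dev2", "dev3", "dev4"},
    "dev_allow_access": {"dev3", "dev4"},
    "prod": {"prod1", "prod2", "prod3", "prod4"},
}
INSTANCES = set().union(*SECLISTS.values())

# Security IP lists. ip_list1 is from step 7; modelling public-internet as
# 0.0.0.0/0 is an assumption of this example.
SECIPLISTS = {
    "ip_list1": ["203.0.113.1/28", "203.0.113.32/28"],
    "public-internet": ["0.0.0.0/0"],
}

# Security rules from step 8:
# (name, application, source kind, source, destination security list).
RULES = [
    ("dev-to-prod", "ssh", "seclist", "dev", "prod"),
    ("iplist-to-dev", "ssh", "seciplist", "ip_list1", "dev_allow_access"),
    ("internet-to-prod", "https", "seciplist", "public-internet", "prod"),
]


def lists_of(host):
    """Security lists an instance belongs to (empty for an external address)."""
    return {name for name, members in SECLISTS.items() if host in members}


def in_ip_list(address, list_name):
    """True if an external IPv4 address falls inside a security IP list."""
    ip = ipaddress.ip_address(address)
    # strict=False accepts entries such as 203.0.113.1/28 whose host bits are set.
    return any(ip in ipaddress.ip_network(cidr, strict=False)
               for cidr in SECIPLISTS[list_name])


def evaluate(src, dst, proto, port):
    """Return (allowed, reason); hosts are instance names or IPv4 strings."""
    src_lists, dst_lists = lists_of(src), lists_of(dst)
    shared = src_lists & dst_lists
    if shared:
        return True, f"same security list {sorted(shared)[0]}"
    for name, app, kind, source, dst_list in RULES:
        if SEC_APPS[app] != (proto, port) or dst_list not in dst_lists:
            continue
        if kind == "seclist" and source in src_lists:
            return True, f"rule {name}"
        if kind == "seciplist" and src not in INSTANCES and in_ip_list(src, source):
            return True, f"rule {name}"
    return False, "no rule matches and the list policies are Deny"


# One constructed flow per requirement:
# (requirement, source, destination, protocol, port, expected outcome).
REQUIREMENTS = [
    (1, "dev1", "dev4", "tcp", 8080, True),
    (2, "dev2", "prod3", "tcp", 22, True),
    (3, "prod1", "prod2", "udp", 53, True),
    (4, "prod1", "dev1", "tcp", 22, False),
    (5, "dev1", "198.51.100.7", "tcp", 443, False),
    (6, "198.51.100.7", "dev1", "tcp", 22, False),
    (7, "203.0.113.40", "dev3", "tcp", 22, True),
    (8, "198.51.100.7", "prod4", "tcp", 443, True),
]


def failed_requirements():
    """Requirement numbers whose modelled outcome differs from the table."""
    return [req for req, src, dst, proto, port, expected in REQUIREMENTS
            if evaluate(src, dst, proto, port)[0] != expected]


if __name__ == "__main__":
    for req, src, dst, proto, port, expected in REQUIREMENTS:
        allowed, reason = evaluate(src, dst, proto, port)
        verdict = "allow" if allowed else "deny"
        print(f"{req}: {src} -> {dst} {proto}/{port}: {verdict} ({reason})")
    print("mismatches:", failed_requirements())
```

The same function answers negative questions the table leaves implicit, such as whether a host in ip_list1 can reach dev1 over SSH (it cannot, because dev1 is not in dev_allow_access).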

Procedure Using Orchestrations

1. Generate at least one SSH key pair and upload the SSH public key to Oracle
Compute Cloud Service. See Generating an SSH Key Pair and Adding an SSH
Public Key.

2. Reserve public IP addresses for the instances that will be accessed over SSH:
dev3, dev4, prod1, prod2, prod3, and prod4. You can use the following
sample orchestration to reserve public IP addresses. This sample shows you how
to reserve two public IP addresses. Use a similar JSON construct to reserve
another four IP addresses.
{
  "name": "/Compute-acme/joe/myIPreservations",
  "oplans": [
    {
      "label": "My IP reservations",
      "obj_type": "ip/reservation",
      "objects": [
        {
          "name": "/Compute-acme/joe/ipres1",
          "parentpool": "/oracle/public/ippool",
          "permanent": true
        },
        {
          "name": "/Compute-acme/joe/ipres2",
          "parentpool": "/oracle/public/ippool",
          "permanent": true
        },
        <Add more IP reservations here.>
      ]
    }
  ]
}

3. Create the following security lists.

Security List | Inbound Policy | Outbound Policy
dev | Deny | Deny
dev_allow_access | Deny | Deny
prod | Deny | Deny

You can use the following sample orchestration to create security lists. This
sample shows you how to create the dev security list. Use a similar JSON
construct to create another two security lists.

{
  "name": "/Compute-acme/joe/mySecurityLists",
  "oplans": [
    {
      "label": "seclists",
      "obj_type": "seclist",
      "objects": [
        {
          "name": "/Compute-acme/joe/dev",
          "outbound_cidr_policy": "deny"
        },
        <Add more security lists here.>
      ]
    }
  ]
}

4. Create a bootable storage volume for each of your instances. You can use the
following sample orchestration to create storage volumes. This sample shows you
how to create one storage volume. Use a similar JSON construct to create all the
required storage volumes.
{
  "name": "/Compute-acme/joe/myStorageVolumes",
  "oplans": [
    {
      "label": "My storage volumes",
      "obj_type": "storage/volume",
      "objects": [
        {
          "name": "/Compute-acme/joe/boot",
          "bootable": true,
          "imagelist": "/oracle/public/oel_6.6_20GB_x11_RD",
          "properties": ["/oracle/public/storage/default"],
          "size": "22548578304"
        },
        <Add more bootable storage volumes here.>
      ]
    }
  ]
}

Note:
Don’t define storage volumes and instances in the same orchestration. By
keeping storage volumes and instances in separate orchestrations, you can
stop and start the instances when required and yet preserve the attached
storage volumes. Note that the recommendation here is to define the storage
volumes outside the instance orchestration. To ensure that the storage volumes
remain attached after an instance is re-created, you must define the storage
attachments within the instance orchestration.

5. Create your instances. Remember to associate an SSH public key and a public IP
address with each of the instances that you will access over SSH: dev3, dev4,
prod1, prod2, prod3, and prod4. You can also specify the security lists that you
want to add each instance to. Add your instances to the required security lists as
follows:


• Add dev1 and dev2 to the dev security list.

• Add dev3 and dev4 to the dev and the dev_allow_access security lists.

• Add prod1, prod2, prod3, and prod4 to the prod security list.
Adding all the development instances to the dev security list enables all instances
in the development environment to communicate with each other over any
protocol. By default, no host outside this security list can communicate with any
development instance, and no development instance can communicate with any
host outside this security list. This fulfils firewall requirements 1, 4, 5, and 6.
Adding all the production instances to the prod security list enables all instances
in the production environment to communicate with each other over any protocol.
This fulfils firewall requirement 3.
You can use the following sample orchestration to create your instances. This
sample shows you how to create the dev3 instance, and associate an SSH public
key and a public IP address with the instance. This sample orchestration also
shows you how to add this instance to the required security lists, dev and
dev_allow_access. Use similar JSON constructs to define each of the required
instances.
{
"name": "/Compute-acme/joe/myInstances",
"oplans": [
{
"label": "My instances",
"obj_type": "launchplan",
"objects": [
{
"instances": [
{
"name": "/Compute-acme/joe/dev3",
"shape": "oc3",
"boot_order": [1],
"label": "dev3",
"networking": {
"eth0": {
"seclists": ["/Compute-acme/joe/dev", "/Compute-acme/joe/dev_allow_access"],
"nat": "ipreservation:/Compute-acme/joe/ipres1"
}
},
"sshkeys": ["/Compute-acme/joe/key1"],
"storage_attachments": [
{
"index": 1,
"volume": "/Compute-acme/joe/boot"
}
]
},
<Add more instances here.>
]
}
]
}
]
}


6. Create a security IP list named ip_list1 consisting of the subnets 203.0.113.1/28
and 203.0.113.32/28. You can use the following sample orchestration to create
your security IP list.
{
"name": "/Compute-acme/joe/mySecipLists",
"oplans": [
{
"label": "secip-list",
"obj_type": "seciplist",
"objects": [
{
"name": "/Compute-acme/joe/ip_list1",
"secipentries": ["203.0.113.1/28", "203.0.113.32/28"]
}
]
}
]
}

7. Create the following security rules.

Security Rule: dev-to-prod
  Parameters:
    Security application: ssh
    Source security list: dev
    Destination security list: prod
  Description: Any development instance can communicate over SSH with any
  production instance. This fulfils firewall requirement 2.

Security Rule: iplist-to-dev
  Parameters:
    Security application: ssh
    Source security IP list: ip_list1
    Destination security list: dev_allow_access
  Description: Any host in the 203.0.113.1/28 and 203.0.113.32/28 subnets can
  connect to instances dev3 and dev4 using SSH. This fulfils firewall
  requirement 7.

Security Rule: internet-to-prod
  Parameters:
    Security application: https
    Source security IP list: public-internet
    Destination security list: prod
  Description: Any host on the Internet can send HTTPS requests to any
  production instance. This fulfils firewall requirement 8.

You can use the following sample orchestration to create your security rules. This
sample shows you how to create the iplist-to-dev security rule. Use a similar
JSON construct to create another two security rules.
{
"name": "/Compute-acme/joe/mySecRules",
"oplans": [
{
"label": "My security rules",
"obj_type": "secrule",
"objects": [
{
"name": "/Compute-acme/joe/iplist-to-dev",
"application": "/oracle/public/ssh",
"src_list": "seciplist:/Compute-acme/joe/ip_list1",
"dst_list": "seclist:/Compute-acme/joe/dev_allow_access",
"action": "PERMIT"
},
<Add more security rules here.>
]
}
]
}

After you’ve created all the required orchestrations, upload and start your
orchestrations to create the required objects and instances. See Uploading an
Orchestration and Starting an Orchestration.
Remember that you must define relationships for objects referenced by another object
in the same orchestration. For example, if you create IP reservations or security lists
and instances in the same orchestration, you must define relationships to ensure that
the required IP reservations and security lists are created before the instances that use
them. Similarly, if you create security lists or security IP lists and security rules in the
same orchestration, define relationships to ensure that the security lists and security IP
lists are created before the security rules that use them. See Relationships Between
Object Plans.
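
The scenario built in steps 3 to 7 can be checked before the orchestrations are uploaded. The following added example (not part of the Oracle documentation) is a simplified Python model of the security lists, the security IP list and the three security rules; it reports what permits a given connection and flags rules that reference undefined objects. The port numbers for ssh and https, the meaning of public-internet as any IPv4 address, and all function names are assumptions.

```python
import ipaddress

# Security list membership, taken from step 5 of the procedure.
SECLISTS = {
    "dev": {"dev1", "dev2", "dev3", "dev4"},
    "dev_allow_access": {"dev3", "dev4"},
    "prod": {"prod1", "prod2", "prod3", "prod4"},
}

# ip_list1 comes from step 6. strict=False is needed because 203.0.113.1/28
# has host bits set; it is normalised to the network 203.0.113.0/28.
# Assumption: public-internet means "any IPv4 address".
SECIPLISTS = {
    "ip_list1": [ipaddress.ip_network(cidr, strict=False)
                 for cidr in ("203.0.113.1/28", "203.0.113.32/28")],
    "public-internet": [ipaddress.ip_network("0.0.0.0/0")],
}

# Assumption: the ssh and https security applications are TCP 22 and TCP 443.
APPLICATIONS = {"ssh": ("tcp", 22), "https": ("tcp", 443)}

# The three security rules from step 7, all with action PERMIT.
# This model only handles rules whose destination is a security list.
RULES = [
    {"name": "dev-to-prod", "application": "ssh",
     "src_list": "seclist:dev", "dst_list": "seclist:prod"},
    {"name": "iplist-to-dev", "application": "ssh",
     "src_list": "seciplist:ip_list1", "dst_list": "seclist:dev_allow_access"},
    {"name": "internet-to-prod", "application": "https",
     "src_list": "seciplist:public-internet", "dst_list": "seclist:prod"},
]


def undefined_references(rules=RULES):
    """Return (rule name, missing reference) pairs for rules that point at a
    security list, security IP list or application that is not defined."""
    missing = []
    for rule in rules:
        if rule["application"] not in APPLICATIONS:
            missing.append((rule["name"], rule["application"]))
        for key in ("src_list", "dst_list"):
            kind, _, name = rule[key].partition(":")
            table = {"seclist": SECLISTS, "seciplist": SECIPLISTS}.get(kind, {})
            if name not in table:
                missing.append((rule["name"], rule[key]))
    return missing


def _source_matches(src, src_list):
    """src is an instance name or an external IPv4 address string."""
    kind, _, name = src_list.partition(":")
    if kind == "seclist":
        return src in SECLISTS[name]
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an instance name never matches a security IP list
    return any(addr in net for net in SECIPLISTS[name])


def permitted_by(src, dst_instance, protocol, port):
    """Return what permits src -> dst_instance on protocol/port, or None when
    the default deny policies apply."""
    # Members of the same security list can talk over any protocol.
    for name, members in SECLISTS.items():
        if src in members and dst_instance in members:
            return "same-seclist:" + name
    for rule in RULES:
        if APPLICATIONS[rule["application"]] != (protocol, port):
            continue
        dst_name = rule["dst_list"].partition(":")[2]
        if dst_instance in SECLISTS[dst_name] and _source_matches(src, rule["src_list"]):
            return rule["name"]
    return None


if __name__ == "__main__":
    # Constructed sample connections covering the scenario's routes.
    for check in [("dev1", "dev2", "tcp", 5432), ("dev1", "prod3", "tcp", 22),
                  ("203.0.113.5", "dev3", "tcp", 22), ("203.0.113.5", "dev1", "tcp", 22),
                  ("198.51.100.7", "prod1", "tcp", 443), ("198.51.100.7", "prod1", "tcp", 22)]:
        print(check, "->", permitted_by(*check))
    print("undefined references:", undefined_references())
```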

Topology with Firewall Rules Implemented


The following graphic shows the topology with the security rules, security lists, and
security IP list set up to enable the communication routes required in this scenario.



8 Accessing an Oracle Linux Instance Using SSH

If you’ve created your instance using an Oracle-provided Oracle Linux image or an
Oracle-provided Oracle Solaris image, then you can log in to your instance using SSH
as the opc user.
If you’ve created your instance using a custom machine image, then ensure that
you’ve added a script to copy SSH public keys to the appropriate files for default
users. This script must run automatically when your instance starts. It must retrieve
the SSH public keys from the metadata stored in the instance, and copy these keys to
the following path for one or more default users: /home/user/.ssh/authorized_keys.
For information about retrieving SSH public keys, see Retrieving Instance Metadata.

Topics

• Accessing an Instance from UNIX and UNIX-Like Systems

• Accessing an Instance from Windows

• Adding Users on an Oracle Linux Instance

Accessing an Instance from UNIX and UNIX-Like Systems


You can log in to an Oracle-provided Oracle Linux instance as the default
user, opc. The opc user has sudo privileges.

Prerequisites

• Ensure that the SSH private key corresponding to the public key that you
associated with your instance while creating it is available on the host from which
you want to ssh to the instance.

• Ensure that the instance has a public IP address. See Managing Public IP
Addresses. To find out the public IP address of your instance, view the information
on the Instances page. See Listing Instances.

• While creating the instance, if you didn’t select the option to enable SSH access,
then you must enable SSH access now before attempting to access the instance
using SSH.
See the tutorial Permitting SSH Access to Oracle Compute Cloud Service Instances.

Procedure
You can use SSH to log in to your instance as the default user, opc, by using the
following command:


ssh opc@ip_address -i private_key


In this command, ip_address is the public IP address of the instance, and private_key is
the full path and name of the file that contains the private key corresponding to the
public key associated with the instance that you want to access.

Note:
If you’ve enabled a VPN tunnel to your Oracle Compute Cloud Service site,
you can use the private IP address of your instance to connect to the instance.
To set up a VPN tunnel, see Connecting to Oracle Compute Cloud Service
Instances Using VPN.

If an error occurs, see Can’t connect to an instance using SSH.


When you’re logged in as the default user, opc, use the sudo command to run
administrative tasks.

Accessing an Instance from Windows


You can log in to an Oracle-provided Oracle Linux instance as the default user, opc.
The opc user has sudo privileges. If you’re using a Windows host, you can use PuTTY
or any other similar client to connect to your instance using SSH.

Prerequisites

• This procedure assumes you’re using PuTTY to connect to your instance. Ensure
that you have PuTTY installed on your Windows host. To download PuTTY, go to
http://www.putty.org/.

• Ensure that the SSH private key corresponding to the public key that you
associated with your instance while creating it is available on the Windows host
from which you want to ssh to the instance.

• Ensure that the instance has a public IP address. See Managing Public IP
Addresses. To find out the public IP address of your instance, view the information
on the Instances page. See Listing Instances.

• While creating the instance, if you didn’t select the option to enable SSH access,
then you must enable SSH access now before attempting to access the instance
using SSH.
See the tutorial Permitting SSH Access to Oracle Compute Cloud Service Instances.

Procedure

1. Run the PuTTY program.

The PuTTY Configuration window is displayed, showing the Session panel.

2. In the Host Name (or IP address) box, enter the public IP address of your instance.


Note:

If you’ve enabled a VPN tunnel to your Oracle Compute Cloud Service site,
you can use the private IP address of your instance to connect to the instance.
To set up a VPN tunnel, see Connecting to Oracle Compute Cloud Service
Instances Using VPN.

3. Confirm that the Connection type option is set to SSH.

4. In the Category tree, expand Connection if necessary and then click Data.

The Data panel is displayed.

5. In the Auto-login username box, enter opc.

6. Confirm that the When username is not specified option is set to Prompt.

7. In the Category tree, expand SSH and then click Auth.

The Auth panel is displayed.

8. Click the Browse button next to the Private key file for authentication box.
Navigate to and open the private key file that matches the public key that is
associated with your instance.

9. In the Category tree, click Session.

The Session panel is displayed.

10. In the Saved Sessions box, enter a name for this connection configuration and click
Save.

11. Click Open to open the connection.

The PuTTY Configuration window is closed and the PuTTY window is displayed.

12. If this is the first time you are connecting to an instance, the PuTTY Security Alert
window is displayed, prompting you to confirm the public key. Click Yes to
continue connecting.

If an error occurs, see Can’t connect to an instance using SSH.


When you’re logged in as the default user, opc, use the sudo command to run
administrative tasks.

Adding Users on an Oracle Linux Instance


If you’ve created your instance using an Oracle-provided Oracle Linux image or an
Oracle-provided Oracle Solaris image, then you can use SSH to access your
Oracle-provided Oracle Linux instance from a remote host as the opc user. After logging in,
you can add users on your instance.

Note:
When an instance that’s set up to boot from a nonpersistent boot disk is re-
created, any users that were added manually (that is, users that weren’t
defined in the machine image) must be added again.


1. Generate an SSH key pair for the new user. See Generating an SSH Key Pair on
UNIX and UNIX-Like Systems.

2. Copy the public key value to a text file. You’ll use this key later in this procedure.

3. Log in to your instance. See Accessing an Instance from UNIX and UNIX-Like
Systems.

4. Become the root user.

sudo su

5. Create the new user:

useradd new_user

6. Create a .ssh directory in the new user’s home directory.

mkdir /home/new_user/.ssh

7. Copy the SSH public key that you noted earlier to the
/home/new_user/.ssh/authorized_keys file.

echo "key" > /home/new_user/.ssh/authorized_keys

Here, key is the SSH public key value from the key pair that you generated earlier,
enclosed in double quotation marks.

8. Add the new user to the list of allowed users in the /etc/ssh/sshd_config file
on your instance, by editing the AllowUsers parameter, as shown in the following
example:

AllowUsers opc myadmin

In this example, the AllowUsers parameter already had the opc user. The
myadmin user has now been added.

9. Change the owner and group of the /home/new_user/.ssh directory to the new
user:

chown -R new_user:group /home/new_user/.ssh

10. Restart the SSH daemon on your instance.

/sbin/service sshd restart

11. To enable sudo privileges for the new user, edit the /etc/sudoers file by
running the visudo command.

In /etc/sudoers, look for the following line:

%opc ALL=(ALL) NOPASSWD: ALL

Add the following line right after the preceding line:

%group_of_new_user ALL=(ALL) NOPASSWD: ALL

You can now log in as the new user:


ssh new_user@ip_address -i private_key


In this command, ip_address is the public IP address of the instance, and private_key is
the full path and name of the file that contains the private key corresponding to the
public key that you added to the authorized_keys file earlier in this procedure.

Note:
If you’ve enabled a VPN tunnel to your Oracle Compute Cloud Service site,
you can use the private IP address of your instance to connect to the instance.
To set up a VPN tunnel, see Connecting to Oracle Compute Cloud Service
Instances Using VPN.

If an error occurs, see Can’t connect to an instance using SSH.


Use the sudo command to run administrative tasks.
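
The result of the procedure can be verified on the instance before relying on the new account. The following added example (not part of the Oracle documentation) is a Python check of the conditions the procedure sets up: ownership of the .ssh directory and authorized_keys file, permissions that are not group- or world-writable, a well-formed public key line, and the user's presence in AllowUsers. The function names and finding strings are hypothetical, AllowUsers entries are compared as plain names (no patterns), and key lines with authorized_keys options are not handled.

```python
import base64
import os
import stat
import sys


def valid_key_line(line):
    """True if line looks like 'key-type base64-blob [comment]' and the key
    type encoded inside the blob matches the declared type."""
    parts = line.split()
    if len(parts) < 2:
        return False
    key_type, blob_b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        return False  # truncated or line-wrapped key material
    if len(blob) < 4:
        return False
    name_len = int.from_bytes(blob[:4], "big")
    return blob[4:4 + name_len] == key_type.encode()


def allowed_users(sshd_config_text):
    """Names from all AllowUsers lines, or None when the directive is absent
    (in which case sshd does not restrict logins by user name)."""
    names = None
    for line in sshd_config_text.splitlines():
        words = line.split()
        if words and words[0].lower() == "allowusers":
            names = (names or []) + words[1:]
    return names


def audit_ssh_user(home, user, uid, sshd_config_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    auth_keys = os.path.join(ssh_dir, "authorized_keys")

    for path in (ssh_dir, auth_keys):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"missing: {path}")
            continue
        if st.st_uid != uid:
            findings.append(f"wrong owner: {path}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"group/world writable: {path}")

    if os.path.isfile(auth_keys):
        with open(auth_keys) as fh:
            for lineno, line in enumerate(fh, 1):
                line = line.strip()
                if line and not line.startswith("#") and not valid_key_line(line):
                    findings.append(f"malformed key on line {lineno}")

    allowed = allowed_users(sshd_config_text)
    if allowed is not None and user not in allowed:
        findings.append(f"{user} not in AllowUsers")
    return findings


if __name__ == "__main__":
    import pwd
    if len(sys.argv) != 2:
        sys.exit("usage: audit_ssh_user.py USER")
    entry = pwd.getpwnam(sys.argv[1])
    with open("/etc/ssh/sshd_config") as fh:
        config = fh.read()
    for finding in audit_ssh_user(entry.pw_dir, entry.pw_name, entry.pw_uid, config):
        print(finding)
```

Run it as root on the instance, passing the new user's name, after step 10.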

See Also:

Creating an SSH-Enabled User on an Oracle Compute Cloud Service Instance



9 Accessing an Oracle Solaris Instance Using SSH

In instances created by using any of the Oracle-provided Oracle Solaris images, a user
named opc is preconfigured. The opc user is assigned the System Administrator
profile and can perform basic administration tasks without entering a password by
using pfexec.

Prerequisites

• Ensure that the SSH private key corresponding to the public key that you
associated with your instance while creating it is available on the host from which
you want to ssh to the instance.

• Ensure that the instance has a public IP address. See Managing Public IP
Addresses. To find out the public IP address of your instance, view the information
on the Instances page. See Listing Instances.

Procedure
You can use SSH to log in to your instance as the default user, opc, by using the
following command:
ssh opc@ip_address -i private_key
In this command, ip_address is the public IP address of the instance, and private_key is
the full path and name of the file that contains the private key corresponding to the
public key associated with the instance that you want to access.

Note:

If you’ve enabled a VPN tunnel to your Oracle Compute Cloud Service site,
you can use the private IP address of your instance to connect to the instance.
To set up a VPN tunnel, see Connecting to Oracle Compute Cloud Service
Instances Using VPN.

If an error occurs, see Can’t connect to an instance using SSH.


When you’re logged in as the opc user, you can use the pfexec command to run
administrative tasks.



Note:

Direct login as root is disabled. You can assume the root role by running su -.
The password is solaris_opc and is marked as expired. You must change
the password the first time that you assume the root role.



10 Accessing a Windows Instance Using RDP

Remote desktop protocol (RDP) allows you to securely access your Windows instance
from a remote host. To access a Windows instance from a Windows host, you can use
the default RDP client, Remote Desktop Connection.

Prerequisites

Note:

This procedure assumes that your local host runs a Windows operating
system and that you’re using the Remote Desktop Connection client to access
your Windows instance. If your local host has another operating system, use
an appropriate RDP client to access your Windows instance.

• Ensure that you’ve created your Windows instance with the required userdata
attributes. See Creating an Instance from the Instances Page for information about
the required attributes. See Retrieving Instance Metadata to find out how to view
the metadata associated with your instance. If you’re using an orchestration to
manage your instance, you can view the orchestration to check the specified
attributes. See Monitoring Orchestrations.

• Ensure that your instance has a public IP address. See Managing Public IP
Addresses. To find out the public IP address of your instance, view the information
on the Instances page. See Listing Instances.

Procedure

RDP access to your Windows instance is not enabled by default. Before accessing your
Windows instance using RDP, you must add your instance to a security list and create
a security rule to enable RDP access.

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.



c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click the Network tab.

3. Click the Security Lists tab in the left pane.

4. Click Create Security List.

5. Enter or select the required details and then click Create.

• Name: Enter Enable RDP access

• Description: Enter an appropriate description

• Inbound policy: Retain the default setting, deny.

• Outbound policy: Retain the default setting, permit.

The Enable RDP access security list is created.

6. Click the Instances tab.

7. On the Instances page, identify the instance that you want to update. From the
menu, select View.

8. On the instance details page, click Add to Security List.

9. Select the Enable RDP access security list and click Attach.

The instance is added to the Enable RDP access security list.

10. Click the Network tab.

11. Click Create Security Rule.

12. Enter or select the required details and then click Create.

• Name: Enter an appropriate name.

• Status: Retain the default setting, Enabled.

• Security application: Select the predefined security application, rdp.

• Source: From the Security IP Lists drop down list, select public-internet, or
select any other security IP list as the source.

• Destination: Select the Enable RDP access security list that you just created.

• Description: Enter an appropriate description.

13. Next, on your Windows local host, start Remote Desktop Connection.

• To start Remote Desktop Connection from the GUI:

– Click the Start button and type Remote Desktop in the search field.



– In the search result, click Remote Desktop Connection.

– In the Computer field, enter the public IP address of your Windows instance
and then click Connect.

• To start Remote Desktop Connection from the command line, enter:

– mstsc /v:public-IP-address-of-your-instance

Note:
If you’ve enabled a VPN tunnel to your Oracle Compute Cloud Service site, you
can use the private IP address of your instance to connect to the instance. To set up
a VPN tunnel, see Connecting to Oracle Compute Cloud Service Instances Using
VPN.

The Remote Desktop Connection client starts.

14. In the Windows security dialog box, enter the user name and password that you
specified in userdata attributes while creating the instance.

Note:
The first time you log in to your Windows instance, you must log in as
Administrator using the administrator_password that you specified while
creating the instance. After logging in, you can specify a list of users who are
allowed to access the Windows instance remotely using RDP. Subsequently, you
can log in as one of the new users. Alternatively, you can provide userdata
attributes while creating the instance, to add users with RDP access enabled. For
more information, see Attributes Specific to Windows Instances.
Note:
You can change the Administrator password after logging in. However, if
you’re using an orchestration to manage your Windows instance, then if you stop
the orchestration and start it again later, the Administrator password that you
specified in the orchestration will overwrite the password that you specified on
your Windows instance. This is true for any user password that you specify in an
orchestration. If you specify all administrators and users of an instance in an
orchestration and you stop and start that orchestration, all passwords will be reset
to the values specified in the orchestration. If you’ve lost or forgotten those
passwords, you can get locked out of your instance. For this reason, it is advisable
to create — directly on your Windows instance — additional administrators and
users who are enabled for remote access.

After you’ve logged in to your Windows instance, to change the administrator
password, add users, enhance security, or perform other customization and
configuration tasks, see the Windows Server documentation.

11 Connecting to Oracle Compute Cloud Service Instances Using VPN

Oracle Network Cloud Service – VPN for Dedicated Compute allows you to establish
a secure communication channel between your data center and the instances in your
Oracle Compute Cloud Service site.

Topics

• About Oracle Network Cloud Service – VPN for Dedicated Compute

• Requesting Oracle Network Cloud Service – VPN for Dedicated Compute

• Configuring Your VPN Gateway

• Managing Your VPN Connections

• Accessing Your Instances Using VPN

About Oracle Network Cloud Service – VPN for Dedicated Compute


With Oracle Network Cloud Service – VPN for Dedicated Compute you can configure
a site-to-site VPN connection to access your instances. While you can continue to
access your instances over the public internet securely using SSH or RDP, using a
site-to-site VPN connection enhances security by creating secure IPSec-based tunnels
between your data center and the instances in your Oracle Compute Cloud Service
site.

Note:

Oracle Network Cloud Service – VPN for Dedicated Compute is not available
by default with Oracle Compute Cloud Service. It must be requested
separately. See Requesting Oracle Network Cloud Service – VPN for
Dedicated Compute.

Using Oracle Network Cloud Service – VPN for Dedicated Compute, you can create
up to 20 VPN tunnels to your Oracle Compute Cloud Service site. You can use any
internet service provider to access your Oracle Compute Cloud Service site, provided
you have a VPN device to terminate an IPSec VPN tunnel.
IPSec is a suite of protocols designed to authenticate and encrypt all IP traffic between
two locations. This allows sensitive data to pass securely over networks that would
otherwise be considered insecure. Traffic between your data center and your Oracle
Compute Cloud Service site is encrypted and transmitted through this secure tunnel,
so your data can’t be stolen or intercepted. In other words, by using a site-to-site VPN
connection, you’re effectively extending your data center network to include instances
in your Oracle Compute Cloud Service site.


Requesting Oracle Network Cloud Service – VPN for Dedicated Compute


To set up your VPN connection, you must first request the Oracle Network Cloud
Service – VPN for Dedicated Compute service.

You can request this service either while subscribing to Oracle Compute Cloud
Service, or later on. To request the Oracle Network Cloud Service – VPN for Dedicated
Compute service, work with your Oracle sales representative to raise a Service
Request (SR). You’ll receive a form asking you to provide detailed information. Use
this form to provide the following information:

• A preshared key (PSK) in the 128-bit/SHA1 format.

• (Optional) A range of 8000 private IP addresses. These should be provided as
network prefixes in the CIDR format (for example, n.n/19). When you create
instances or restart existing instances, the private IP address of each instance is
dynamically assigned from this range of IP addresses. Note that when your Oracle
Compute Cloud Service account is provisioned, a range of private IP addresses is
assigned from the 100.64/10 address range. You can either use this assigned range
or specify another range of private IP addresses. An 8000-address block can meet
the IP address requirements of up to 2000 instances.

Note:

Ensure that the range of IP addresses that you provide doesn’t overlap with
the private IP addresses used by other devices on your on-premises network.
Also check that the private IP addresses of existing Oracle Compute Cloud
Service instances do not conflict with private IP addresses used by any of your
on-premises devices. Such a conflict becomes relevant only when you
configure a VPN tunnel and your Oracle Compute Cloud Service instances
become an extension of your on-premises network.
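
The overlap check described in the note above can be automated before the form is submitted. The following added example (not part of the Oracle documentation) uses Python's ipaddress module to validate a candidate range against on-premises prefixes, find the first conflict-free /19 block inside a pool, and list existing instance addresses that collide with on-premises networks. All prefixes and addresses in the demo are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

REQUIRED_ADDRESSES = 8000  # size of the private range requested on the form


def parse_prefix(text):
    """Parse CIDR text, accepting the shortened form used above (for example
    100.64/10 for 100.64.0.0/10). Raises ValueError for bad input, including
    prefixes whose host bits are set."""
    addr, sep, length = text.strip().partition("/")
    if not sep:
        raise ValueError(f"{text!r} has no /prefix-length")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + length)


def check_candidate(candidate, on_prem):
    """Return a list of problems with a candidate range; empty means usable."""
    try:
        net = parse_prefix(candidate)
    except ValueError as exc:
        return [f"not a valid network prefix: {exc}"]
    problems = []
    if net.num_addresses < REQUIRED_ADDRESSES:
        problems.append(f"{net} has only {net.num_addresses} addresses")
    for other in map(parse_prefix, on_prem):
        if net.overlaps(other):
            problems.append(f"overlaps {other}")
    return problems


def first_free_block(pool, on_prem, prefixlen=19):
    """Return the first /prefixlen block inside pool that overlaps none of the
    on-premises prefixes, or None if there is no such block."""
    pool_net = parse_prefix(pool)
    if prefixlen < pool_net.prefixlen:
        return None  # the pool is smaller than the requested block
    used = [parse_prefix(p) for p in on_prem]
    for block in pool_net.subnets(new_prefix=prefixlen):
        if not any(block.overlaps(n) for n in used):
            return str(block)
    return None


def conflicting_hosts(instance_ips, on_prem):
    """Return the instance addresses that fall inside an on-premises prefix."""
    nets = [parse_prefix(p) for p in on_prem]
    return [ip for ip in instance_ips
            if any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    on_prem = ["10.0.0.0/16", "10.1.0.0/19", "192.168.0.0/16"]  # constructed
    print(check_candidate("10.0.32/19", on_prem))
    print(first_free_block("10.0.0.0/8", on_prem))
    print(conflicting_hosts(["100.64.0.5", "10.0.3.9"], on_prem))
```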

It can take up to two weeks to process your request. After your SR is processed, Oracle
provides you the encoded PSK along with the name and public IP address of the
Oracle Cloud VPN gateway. Use these to configure your VPN gateway to connect to
the Oracle Cloud VPN gateway. See Configuring Your VPN Gateway.

Configuring Your VPN Gateway


After the Oracle Network Cloud Service – VPN for Dedicated Compute service is
provisioned, you must configure your VPN gateway to connect to the Oracle Cloud
VPN gateway.

Do the following:

1. Configure Internet Key Exchange (IKE)

2. Configure IPSec

3. Configure a tunnel interface

4. Configure a static route

For a sample configuration of a VPN gateway, see Example Configuration of a VPN
Gateway.


After configuring your VPN gateway, to start a VPN connection, see Managing Your
VPN Connections.

Example Configuration of a VPN Gateway


This example provides a sample configuration for your VPN gateway. You must
perform this configuration for each VPN tunnel that you create.
This example is specific to Junos SRX series VPN devices. However, the IKE and IPSec
parameters should generally be applicable to any device that complies with IPSec VPN. As
long as your VPN device is compatible with the IPSec VPN standards, and your VPN
device is set up according to the IKE and IPSec parameters specified in this example, you
should be able to configure your VPN connection.

#
# The VPN identifier in the example below is tagged as "vpn-dcz-site-1", to represent a VPN connection to
# Oracle "dcz" from a customer site "site-1". Customers can create VPN connections from other sites as well.
# Each zone supports up to five different VPN tunnels.
# VPN Connection ID : vpn-dcz-site-1
#
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #1
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A proposal is established for the supported IKE encryption,
# authentication, Diffie-Hellman, and lifetime parameters.
#
set security ike proposal pre-g2-aes128-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-aes128-sha dh-group group2
set security ike proposal pre-g2-aes128-sha authentication-algorithm sha1
set security ike proposal pre-g2-aes128-sha encryption-algorithm aes-128-cbc
set security ike proposal pre-g2-aes128-sha lifetime-seconds 86400

# An IKE policy is established to associate a Pre Shared Key with the
# defined proposal. Customers can have different sites where they are connecting from.
# Replace the IKE policy names appropriately for the site in the statements below.
# "dcz" below refers to "Dedicated Compute Zone".
#
set security ike policy dcz-site-1-ike-policy mode main
set security ike policy dcz-site-1-ike-policy proposals pre-g2-aes128-sha
set security ike policy dcz-site-1-ike-policy pre-shared-key ascii-text "Use_pre_shared_key_received_from_Oracle"

# The IKE gateway is defined to be the Virtual Private Gateway. The gateway
# configuration associates a local interface, remote IP address, and
# IKE policy.
#
# This example shows the outside of the tunnel as interface ge-0/0/0.0.
# This should be set to the interface that IP address 192.168.111.3 is
# associated with.
# This address is configured with the setup for your Customer Gateway.
#
# If the address changes, the Customer Gateway and VPN Connection must be recreated.
#

set security ike gateway gw-vpn-site-1 ike-policy dcz-site-1-ike-policy
set security ike gateway gw-vpn-site-1 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-site-1 address 192.168.111.3

# Troubleshooting IKE connectivity can be aided by enabling IKE tracing.
# The configuration below will cause the router to log IKE messages to
# the 'kmd' log. Run 'show messages kmd' to retrieve these logs.
# set security ike traceoptions file kmd
# set security ike traceoptions file size 1024768
# set security ike traceoptions file files 10
# set security ike traceoptions flag all

# #2: IPSec Configuration
#
# The IPSec proposal defines the protocol, authentication, encryption, and
# lifetime parameters for our IPSec security association.
#
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc

# The IPSec policy incorporates the Diffie-Hellman group and the IPSec
# proposal.
#
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal

# A security association is defined here. The IPSec Policy and IKE gateways
# are associated with a tunnel interface (st0.0).
# The tunnel interface ID is assumed; if other tunnels are defined on
# your router, you will need to specify a unique interface name
# (for example, st0.10).
#
set security ipsec vpn vpn-dcz-site-1 bind-interface st0.0
set security ipsec vpn vpn-dcz-site-1 ike gateway gw-vpn-site-1
set security ipsec vpn vpn-dcz-site-1 ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn vpn-dcz-site-1 establish-tunnels-immediately

# #3: Tunnel Interface Configuration


#

# The tunnel interface is configured with the internal IP address &


# recommended that IP address in the same subnet as the remote end IP address.
# This IP will be conveyed to the customer.
set interfaces st0.0 family inet
set interfaces st0.0 family inet mtu 1436 -- (Actual value needs to investigated)
set security zones security-zone trust interfaces st0.0

# The security zone protecting external interfaces of the router must be
# configured to allow IKE traffic inbound.
#
set security zones security-zone untrust host-inbound-traffic system-services ike

# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation.
#
set security flow tcp-mss ipsec-vpn mss 1350

# --------------------------------------------------------------------------------
# #4: Static Route Configuration
#

# Your Customer Gateway needs to set a static route for the prefix corresponding to
# your VPC on the tunnel.
# An example for a VPC with the prefix 10.0.0.0/16 is provided below
# set routing-options static route 10.0.0.0/16 next-hop st0.0
#
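
A cross-reference check for the names used in the IPSec section above, as an added example that is not part of Oracle's documentation or of any Juniper tooling: it reports proposals, policies, gateways and interfaces that are referenced but not defined, defined but never referenced, or (for proposals) missing a setting. The function name check_references, the PROPOSAL_SETTINGS list and the sample lines are assumptions constructed for this example.

```python
# Constructed sample: "set" lines in the style of the configuration above,
# with the proposal name deliberately mistyped on the second line.
SAMPLE = """\
set security ike gateway gw-vpn-site-1 address 192.168.111.3
set security ipsec proposal ipsec-phase2-prposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn vpn-dcz-site-1 bind-interface st0.0
set security ipsec vpn vpn-dcz-site-1 ike gateway gw-vpn-site-1
set security ipsec vpn vpn-dcz-site-1 ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn vpn-dcz-site-1 establish-tunnels-immediately
set interfaces st0.0 family inet
"""

# Settings this check expects on every IPSec proposal (an assumption of this
# example, taken from the three settings the configuration above applies).
PROPOSAL_SETTINGS = ("protocol", "authentication-algorithm", "encryption-algorithm")


def check_references(config):
    """Return findings about names that are defined and referenced inconsistently."""
    proposals = {}                      # proposal name -> set of settings seen
    defined = {"policy": set(), "gateway": set(), "interface": set()}
    refs = []                           # (kind, name, line number)
    for number, raw in enumerate(config.splitlines(), 1):
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "set":   # skips blank lines and '#' comments
            continue
        if tok[1] == "interfaces":
            defined["interface"].add(tok[2])
        elif tok[1:4] == ["security", "ike", "gateway"] and len(tok) > 4:
            defined["gateway"].add(tok[4])
        elif tok[1:4] == ["security", "ipsec", "proposal"] and len(tok) > 5:
            proposals.setdefault(tok[4], set()).add(tok[5])
        elif tok[1:4] == ["security", "ipsec", "policy"] and len(tok) > 5:
            defined["policy"].add(tok[4])
            if tok[5] == "proposals":
                refs += [("proposal", name, number) for name in tok[6:]]
        elif tok[1:4] == ["security", "ipsec", "vpn"] and len(tok) > 6:
            if tok[5] == "bind-interface":
                refs.append(("interface", tok[6], number))
            elif tok[5] == "ike" and len(tok) > 7 and tok[6] in ("gateway", "ipsec-policy"):
                # "ipsec-policy" refers to a name defined under "ipsec policy".
                refs.append((tok[6].replace("ipsec-", ""), tok[7], number))
    defined["proposal"] = set(proposals)

    findings = []
    for kind, name, number in refs:
        if name not in defined[kind]:
            findings.append(f"line {number}: undefined {kind} '{name}'")
    used = {(kind, name) for kind, name, _ in refs}
    for kind in ("proposal", "policy", "gateway"):
        for name in sorted(defined[kind]):
            if (kind, name) not in used:
                findings.append(f"{kind} '{name}' is defined but never referenced")
    for name in sorted(proposals):
        missing = [s for s in PROPOSAL_SETTINGS if s not in proposals[name]]
        if missing:
            findings.append(f"proposal '{name}' does not set: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in check_references(SAMPLE):
        print(finding)
```

A single mistyped name splits one proposal into two incomplete ones, which is why the sample produces three findings rather than one.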

Managing Your VPN Connections


After you’ve configured your VPN gateway device, you can manage your VPN
connections using the REST API or the Oracle Compute Cloud Service web console.

Topics

• Starting a VPN Connection

• Listing Your VPN Connections

• Viewing Details of a VPN Connection

• Updating a VPN Connection

• Disabling a VPN Connection

• Deleting a VPN Connection

Starting a VPN Connection


After you’ve configured your VPN gateway to connect to the Oracle Cloud VPN
gateway, you can start a VPN connection. You can create up to 20 VPN tunnels
between your data center and your Oracle Compute Cloud Service site.

To start a VPN connection using the web console, do the following:

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click near the upper right corner, and select Manage VPN Endpoints.

The VPN Endpoints page is displayed.

3. To create a VPN tunnel, click Create VPN Endpoint.

4. Enter the following:

• Name: Specify a name for the VPN tunnel.

• VPN Gateway IP: Enter the IP address of the VPN gateway in your data center
through which you want to connect to the Oracle Cloud VPN gateway. Your
gateway device must support route-based VPN and IKE (Internet Key
Exchange) configuration using pre-shared keys.

• Pre-shared Key: Enter the 128-bit/SHA1 pre-shared key. This must be the same
key that you provided when you requested the service.

• Reachable Routes: Enter a list of routes (network prefixes in CIDR notation)
that are reachable through this VPN tunnel.

5. To start the VPN connection as soon as the tunnel is created, click Enabled.

To start a VPN connection using the API, use the POST /vpnendpoint/ method
with the enabled parameter.
For more information about using the REST API, see REST API for Oracle Compute
Cloud Service.
After you’ve established a VPN connection to your Oracle Compute Cloud Service
site, if you want to end the VPN connection, see Disabling a VPN Connection.

Listing Your VPN Connections


To list your VPN connections using the web console, do the following:

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click near the upper right corner, and select Manage VPN Endpoints.

The VPN Endpoints page is displayed.

On this page, you can see all the VPN endpoints that you’ve created, and you can
start, stop, view, update, or delete your VPN endpoints.
To list your VPN connections using the API, use the GET /vpnendpoint/container
method.
For more information about using the REST API, see REST API for Oracle Compute
Cloud Service.

Viewing Details of a VPN Connection


To view details of a VPN connection using the web console, do the following:

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click near the upper right corner, and select Manage VPN Endpoints.

The VPN Endpoints page is displayed.

3. Go to the VPN endpoint that you want to view. From the menu, select Update.
The Edit VPN Endpoint page shows the details of the VPN endpoint.

To view details of a VPN connection using the API, use the GET /vpnendpoint/name
method.
For more information about using the REST API, see REST API for Oracle Compute
Cloud Service.

Updating a VPN Connection


After you’ve configured your VPN connection, you can update the connection to
enable or disable the VPN tunnel or to change other connection details.

To update a VPN connection using the web console, do the following:

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click near the upper right corner, and select Manage VPN Endpoints.

The VPN Endpoints page is displayed.

3. Go to the VPN endpoint that you want to update. From the menu, select
Update. Enter the details that you want to change and then click Update. You can
update any of the details, except name.

To update a VPN connection using the API, use the PUT /vpnendpoint/name
method. You can update any of the parameters, except name.
For more information about using the REST API, see REST API for Oracle Compute
Cloud Service.

Disabling a VPN Connection


To disable or end a VPN connection using the web console, do the following:

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click near the upper right corner, and select Manage VPN Endpoints.

The VPN Endpoints page is displayed.

3. Go to the VPN endpoint that you want to disable. From the menu, select
Update.

4. In the Edit VPN Endpoint page, deselect the Enabled check box, and then click
Update.

To disable or end a VPN connection using the API, use the PUT /vpnendpoint/name
method without the enabled parameter.
For more information about using the REST API, see REST API for Oracle Compute
Cloud Service.
After disabling a VPN connection, you can start it again later on. See Starting a VPN
Connection.

Deleting a VPN Connection


To delete a VPN connection using the web console, do the following:

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Click near the upper right corner, and select Manage VPN Endpoints.

The VPN Endpoints page is displayed.

3. Go to the VPN endpoint that you want to delete. From the menu, select Delete.

To delete a VPN connection using the API, use the DELETE /vpnendpoint/name
method.
For more information about using the REST API, see REST API for Oracle Compute
Cloud Service.
After deleting a VPN connection, you can create it again later on. See Starting a VPN
Connection.

Accessing Your Instances Using VPN


After you’ve configured your VPN gateway and started a VPN connection, you can
securely access your Oracle Compute Cloud Service site by using the private IP
address of each instance.

Note:

When an instance is created, its private IP address is assigned dynamically
from a range of private IP addresses. When an instance is restarted, its private
IP address might change.

Do the following:

1. Go to the Oracle Compute Cloud Service console:

a. Sign in to the Oracle Cloud My Services application at https://cloud.oracle.com/sign-in.

See Signing In to the My Services Application in Managing and Monitoring Oracle Cloud.

The Oracle Cloud My Services Dashboard page is displayed.

b. Click near the upper left corner of the page.

The CLOUD SERVICES menu is displayed.

c. Select Oracle Compute Cloud Service.

The Oracle Compute Cloud Service console is displayed.

d. (Optional) This step is relevant only if your domain contains multiple sites. To
change the site, click Select Site near the upper left corner of the page.

2. Go to the instance that you want to access. Make a note of the private IP address of
the instance.

3. After you’ve enabled a VPN tunnel, the instances in your Oracle Compute Cloud
Service site appear as an extension of the network in your site. You can use the
private IP address of an Oracle Compute Cloud Service instance to connect to the
instance as you would connect to any host in your data center.

Note:
After you’ve enabled a VPN tunnel, you can also continue to access your
instances over the public Internet, as you did earlier. Any security rules that
you might have defined for your instances continue to apply.


12
Automating Instance Configuration Using opc-init

Topics

• About opc-init

• Prerequisites for Using opc-init

• Defining Instance Configuration Attributes

• User Data Attributes

About opc-init
When you create an instance in Oracle Compute Cloud Service, you get a virtual
machine running the operating system specified by the image that you had selected
while creating the instance. Before you start using the instance, you may want to
customize it based on your business needs. For example, you may want to create
users, install additional packages, add SSH keys, run certain scripts, and so on. Instead
of doing all of this initial configuration manually every time an instance starts, you can
use the opc-init package to set up these steps to be performed automatically when an
instance starts.
The opc-init package contains scripts provided by Oracle that allow you to perform
specified instance configuration tasks automatically every time an instance is created.
You specify the required instance configuration tasks in the form of user data when
you create an instance. The opc-init scripts query the metadata service on the instance
for this user data. The specified user data is then used by the opc-init scripts to
perform the required prebootstrapping tasks. If no user data attributes are specified,
then no bootstrapping tasks are performed by opc-init.
The opc-init scripts are included by default in Oracle-provided Linux and Windows
machine images.

Note:
Solaris machine images don’t include the opc-init scripts. So you can’t use
opc-init to automate instance configuration of Solaris instances.

If you specify user data while creating an instance, the opc-init package retrieves this
data and uses it to do the following:

• Run the specified scripts

• Execute the specified operations for yum elements

• Process chef elements and execute chef.


For user data attributes and templates, see User Data Attributes.

Prerequisites for Using opc-init


You can use the opc-init package to automate instance configuration. To effectively
use this tool, you must:

• Be familiar with chef-solo

• Be familiar with orchestrations

• Know JSON

• Be aware of the Ruby syntax

• Have root access to the instance you want to configure

• Know the public IP address of the instance

• Have the required permissions and licences for installing Chef, Ruby, and the
associated Ruby gems
In addition, if you want to write your own scripts, you must be familiar with Python.

Defining Instance Configuration Attributes


You can automate instance configuration by providing scripts that install applications
or perform other prebootstrap tasks when you create an instance. These scripts are
specified as user data when you create an instance. If you specify user data while
creating an instance, the opc-init package retrieves this data and uses it to perform the
specified prebootstrap tasks.
You can specify user data in the following ways:

• If you create an instance using the web console, use the Custom Attributes field to
specify user data. The text you enter in this field must be in JSON format.

• If you create an instance using an orchestration or a launch plan, use the
attributes parameter of the instance object type to enter user data.

• If you use the API to create an image list entry or to add a custom machine image
to Oracle Compute Cloud Service, then you can use the attributes parameter of
the POST /machineimage/name method or the POST imagelist/name/entry/
method to enter user data. This user data is then added to all instances
created using this machine image. See REST API for Oracle Compute Cloud Service.

Note:

• If you want identical user data to be available to a set of instances, use a
machine image or image list entry to add user data. For example, you
might require a particular prebootstrap script to be executed or specific
applications to be installed on all instances that use a particular image. By
adding the user data in the machine image or the image list entry, you
ensure that each time you use that image, your instance is created with the
specified user data.

• If each instance should have unique user data, use an orchestration or the
web console to provide specific user data for each instance. This is useful if,
for example, you want to specify a unique user name and password, or
inject a unique SSH public key into each instance.

If you specify identical attributes in a machine image, an image list entry, and while
creating an instance, then the values specified in the image list entry override the
values specified in the machine image, and the values specified while creating the
instance override the values specified in the image list entry and in the machine
image. Attributes with unique keys are appended. For example, consider that in the
machine image attributes, you specify the following key-value pairs:

• {"key1": "value1"}

• {"key2": "value2"}
In the image list entry attributes, you specify the following key-value pairs:

• {"key1": "value1-a"}

• {"key3": "value3"}
And in the attributes entered while creating an instance using the web console or an
orchestration, you specify the following key-value pairs:

• {"key1": "value1-b"}

• {"key4": "value4"}
Then, when your instance is created, key1 will contain the value specified while
creating the instance, while the other attributes specified in the machine image, image
list entry, and while creating the instance will get appended. When you view user data
on the instance, you’ll see the following attributes:

• {"key1": "value1-b"}

• {"key2": "value2"}

• {"key3": "value3"}

• {"key4": "value4"}
Although you can use custom attributes to enter any custom data that you require, if
you want the opc-init package to use this information, you must use the userdata
attribute of the attributes parameter. You can use userdata to specify the
following instance configuration instructions:

• Prebootstrap scripts. You can either provide the script inline, or point to a URL
where the script is available. This URL must be accessible from the instance.

• Chef attributes. You can provide instructions for the instance to be configured
either using chef solo, or as a chef client.

• Yum repositories. If you specify a yum repository, that repository is used to
download and install the specified packages.

• A list of packages to be installed on the instance.


The information that you enter as userdata is stored on the instance at the location:
http://192.0.0.192/latest/user-data. You can view the user data on your
instance at this location using curl. For example:
curl http://192.0.0.192/latest/user-data

For information about the specific nested attributes that you can use in the userdata
attribute, see User Data Attributes. For more details about retrieving user data, see
Retrieving User-Defined Instance Attributes.

User Data Attributes


You can automate instance configuration by providing scripts or other instructions to
perform prebootstrapping tasks or install applications when you create an instance.
These instance configuration instructions are provided as user-defined data using the
userdata attribute when you create an instance.
The following attributes of the userdata attribute are used by the opc-init package to
perform instance configuration tasks.

• Prebootstrap Attributes

• Chef Solo Attributes

• Chef Client Attributes

• Yum Repository Attributes

• Packages and Package Upgrade Attributes

• Attributes Specific to Windows Instances


Prebootstrap Attributes
The following sample JSON shows the prebootstrap attribute of the userdata
attribute, with the script specified in a URL.
"instances": [
  {
    <Specify other instance attributes. See Instance Attributes.>
    "attributes": {
      "userdata": {
        "pre-bootstrap": {
          "scriptURL": "http://location_of_script",
          "failonerror": true
        }
        <Specify other userdata attributes here, if required.>
      }
      <Specify other attributes here, if required.>
    }
  }
]

The following sample JSON shows the prebootstrap attribute of the userdata
attribute, with the script specified inline.
"instances": [
  {
    <Specify other instance attributes. See Instance Attributes.>
    "attributes": {
      "userdata": {
        "pre-bootstrap": {
          "failonerror": true,
          "script": [
            "line1_ofscript",
            "line2_ofscript",
            ...,
            "lineN_ofscript"
          ]
        }
        <Specify other userdata attributes here, if required.>
      }
      <Specify other attributes here, if required.>
    }
  }
]

A description of the prebootstrap attributes is provided in the following table.
Nested attributes are indented in the Attributes column to indicate their hierarchy.

Attribute                     Required or Optional  Description

pre-bootstrap                 Optional              This attribute allows you to specify a script
                                                    that must be run prior to any instance
                                                    configuration that is performed by the opc-init
                                                    package. You can either enter the script here,
                                                    or point to a URL. This attribute contains the
                                                    following nested attributes:

  script                      Optional              Enter the lines of the prebootstrapping script,
                                                    formatted as a JSON array with each line of the
                                                    script represented as one element of the array.
                                                    The metadata service presents this array to the
                                                    instance as text, with each array element
                                                    separated by a line break.

  scriptURL                   Optional              Enter the script location. This location must
                                                    be accessible to the instance.
                                                    If you enter both script and scriptURL,
                                                    scriptURL overrides the inline script.

  failonerror                 Optional              Specifies whether the prebootstrapping process
                                                    should stop if the script encounters an error.
                                                    To stop bootstrapping, specify failonerror as
                                                    true. The default is false. If set to false, the
                                                    bootstrapping operations continue and any errors
                                                    encountered by the script are logged in the
                                                    /var/log/opc-compute/opc-init.log file.

Chef Solo Attributes


The following sample JSON shows the chef attribute of the userdata attribute, for a
chef solo configuration.
"instances": [
  {
    <Specify other instance attributes. See Instance Attributes.>
    "attributes": {
      "userdata": {
        "chef": {
          "run_list": ["recipe[apache2]"],
          "cookbooks_url": ["http://location_of_cookbooks/cookbooks.zip"],
          "version": "11.4.2",
          "initial_attributes": {
            "apache": {
              "prefork": {
                "maxclients": 100,
                "keepalive": "off"
              }
            }
          }
        }
        <Specify other userdata attributes here, if required.>
      }
      <Specify other attributes here, if required.>
    }
  }
]

A description of the chef attributes for a chef solo configuration is provided in the
following table. Nested attributes are indented in the Attributes column to indicate
their hierarchy.

Attribute                     Required or Optional  Description

chef                          Required              This attribute allows you to specify data used
                                                    by chef for a chef solo configuration. This
                                                    attribute contains the following nested
                                                    attributes:

  cookbooks_url               Required              A JSON array of publicly accessible URLs
                                                    containing the cookbook archives that you want
                                                    to use, in zip, tar, or tgz format.

  run_list                    Required              A JSON array of recipes that chef runs to
                                                    configure your instance.

  initial_attributes          Optional              Data in JSON format (elements, arrays, or
                                                    values) that is translated into node level
                                                    attributes to be consumed by chef recipes.

  version                     Optional              The chef version to install when using gem
                                                    files. The default is 11.4.2.

  ruby_version                Optional              The Ruby version to install when using gem
                                                    files. The default is 1.8.

  install_type                Optional              The install type. You can specify gems,
                                                    packages, or omnibus. The default is gems.

  force_install               Optional              This attribute allows you to specify whether
                                                    chef should be installed even if it has been
                                                    installed earlier. The default is false.

  omnibus-url                 Optional              The location to download the omnibus chef
                                                    installer if the install_type attribute is
                                                    specified as omnibus. The default location is
                                                    https://www.opscode.com/chef/install.sh.

  databag_file                Optional              A comma-separated list of publicly accessible
                                                    anonymous HTTP URLs pointing to chef databag
                                                    files.

Chef Client Attributes


The following sample JSON shows the chef attribute of the userdata attribute, for a
chef client configuration.
"instances": [
  {
    <Specify other instance attributes. See Instance Attributes.>
    "attributes": {
      "userdata": {
        "chef": {
          "run_list": ["recipe[oui]"],
          "chef_server_url": "https://server IP",
          "mode": "client",
          "chef_node_name": "testnode1",
          "chef_validator_location": "download (http:// or file:/) location with filename",
          "version": "11.4.2",
          "initial_attributes": {
            "oui": {
              "response_file_url": "responsefile url/filename.rsp",
              "installer_url": "installer url/filename.zip",
              "ignoreSysPrereqs": true
            }
          }
        }
        <Specify other userdata attributes here, if required.>
      }
      <Specify other attributes here, if required.>
    }
  }
]

A description of the chef attributes for a chef client configuration is provided in the
following table. Nested attributes are indented in the Attributes column to indicate
their hierarchy.

Attribute                     Required or Optional  Description

chef                          Required              This attribute allows you to specify data used
                                                    by chef for a chef client configuration. This
                                                    attribute contains the following nested
                                                    attributes:

  run_list                    Optional/Required     A JSON array of recipes that chef runs to
                                                    configure your instance. If the node is
                                                    predefined on your Chef server with appropriate
                                                    roles, this attribute is optional. Otherwise,
                                                    it is required.

  initial_attributes          Optional              Data in JSON format (elements, arrays, or
                                                    values) that is translated into node level
                                                    attributes to be consumed by chef recipes.

  version                     Optional              The chef version to install when using gem
                                                    files. The default is 11.4.2.

  mode                        Required              The mode must be set to client.

  chef_server_url             Required              The URL where the chef client can access the
                                                    chef server.

  chef_node_name              Required              A unique name used by the chef client to
                                                    register with the chef server.

  chef_validator_location     Required              The URL from where validation.pem is
                                                    downloaded to /etc/chef.

  validator_client_name       Optional              The name used by the validator to communicate
                                                    with the chef server. Default is
                                                    chef-validator.

  ruby_version                Optional              The Ruby version to install when using gem
                                                    files. The default is 1.8.

  install_type                Optional              The install type. You can specify gems,
                                                    packages, or omnibus. The default is gems.

  force_install               Optional              This attribute allows you to specify whether
                                                    chef should be installed even if it has been
                                                    installed earlier. The default is false.

  omnibus-url                 Optional              The location to download the omnibus chef
                                                    installer if the install_type attribute is
                                                    specified as omnibus. The default location is
                                                    https://www.opscode.com/chef/install.sh.

  databag_file                Optional              A comma-separated list of publicly accessible
                                                    anonymous HTTP URLs pointing to chef databag
                                                    files.

Yum Repository Attributes


The following sample JSON shows the yum_repos attribute of the userdata
attribute.
"instances": [
  {
    <Specify other instance attributes. See Instance Attributes.>
    "attributes": {
      "userdata": {
        "yum_repos": {
          "repo1": {
            "baseurl": "http://location_of_yum_repo",
            "enabled": "false",
            "failovermethod": "priority",
            "gpgcheck": "true",
            "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL",
            "name": "Extra Packages for Enterprise Linux 5 - Testing",
            "proxy": "http://proxy_server:80"
          }
        }
        <Specify packages and package_upgrade here.>
        <Specify other userdata attributes here, if required.>
      }
      <Specify other attributes here, if required.>
    }
  }
]

A description of the yum_repos attributes is provided in the following table.

Attribute                     Required or Optional  Description

yum_repos                     Optional              This attribute allows you to specify the
                                                    desired .repo file and the name of the yum
                                                    repository. This attribute contains the
                                                    following nested attributes:

  Name of the yum repository  Required              This attribute has no name. You must specify
                                                    the name of the yum repository to be added.
                                                    This is used as the repository filename in the
                                                    format filename.repo.

  baseurl                     Required              The URL of the yum repository.

  Other optional attributes   Optional              You can add all other repository file
                                                    configuration options as nested attributes
                                                    under the repository name.

Packages and Package Upgrade Attributes


The following sample JSON shows the packages and package_upgrade attributes
of the userdata attribute. These attributes are used to specify packages for yum
install and yum upgrade.
"instances": [
  {
    <Specify other instance attributes. See Instance Attributes.>
    "attributes": {
      "userdata": {
        <Specify yum attributes here.>
        "packages": ["git-core", ["sysstat", "v1"]],
        "package_upgrade": true
        <Specify other userdata attributes here, if required.>
      }
      <Specify other attributes here, if required.>
    }
  }
]

A description of the packages and package_upgrade attributes is provided in the
following table.

Attribute                     Required or Optional  Description

packages                      Optional              A JSON array of the packages you want yum to
                                                    install from the repositories. Each list entry
                                                    consists of a single package. If you want to
                                                    specify a package version, then the list entry
                                                    is represented as a two-element array of the
                                                    format [name, version].

package_upgrade               Optional              A boolean value indicating whether you want to
                                                    run yum update on the instance.

Attributes Specific to Windows Instances


While creating Windows instances, you can specify certain userdata attributes that
opc-init will consume to perform post-launch configuration tasks.

• Enabling RDP access and specifying the password for the Administrator user
To enable the Administrator user to connect to the instance by using a remote
desktop protocol (RDP) connection, you must specify the password for the user
and also enable RDP access. You can do this by specifying the
administrator_password and enable_rdp attributes in the userdata
section of your orchestration, as shown in the following example:
"instances": [
  {
    <Specify other instance attributes. See Instance Attributes.>
    "attributes": {
      "userdata": {
        "administrator_password": "somePassword",
        "enable_rdp": true
      }
      <Specify other attributes here, if required.>
    }
  }
]

• Creating users
You can also specify a list of users that must be created automatically after the
Windows instance is launched, by specifying the required users and their
passwords in the users attribute, as shown in the following example:
"instances": [
  {
    <Specify other instance attributes. See Instance Attributes.>
    "attributes": {
      "userdata": {
        "administrator_password": "somePassword",
        "enable_rdp": true,
        "users": [
          {
            "name": "john",
            "password": "somePassword"
          },
          {
            "name": "amelia",
            "password": "somePassword"
          }
        ]
      }
      <Specify other attributes here, if required.>
    }
  }
]

• Enabling Windows Remote Management (WinRM)


You can allow users from other hosts to access the Windows instance by specifying
those trusted hosts, as shown in the following example:
"instances": [
  {
    <Specify other instance attributes. See Instance Attributes.>
    "attributes": {
      "userdata": {
        "winrm": {
          "trustedhosts": "app1.prod.example.com,*.dev.example.com,203.0.113.25"
        }
      }
      <Specify other attributes here, if required.>
    }
  }
]
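
The three userdata examples above place account passwords and WinRM trust settings directly in the orchestration JSON. The following check is an added example (not part of Oracle's documentation or tooling) that scans an orchestration file for those attributes and reports what a reviewer would want to see before the file is uploaded or committed. The sample document is constructed from the examples above; the function names and finding codes are hypothetical.

```python
import json

# Constructed sample: the userdata examples above merged into one instance.
# The placeholder lines of the original examples are omitted so it parses.
SAMPLE = """
{
  "instances": [
    {
      "attributes": {
        "userdata": {
          "administrator_password": "somePassword",
          "enable_rdp": true,
          "users": [
            {"name": "john", "password": "somePassword"},
            {"name": "amelia", "password": "somePassword"}
          ],
          "winrm": {
            "trustedhosts": "app1.prod.example.com,*.dev.example.com,203.0.113.25"
          }
        }
      }
    }
  ]
}
"""


def iter_userdata(node, path="$"):
    """Yield (json_path, userdata_dict) for every "userdata" object found."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "userdata" and isinstance(value, dict):
                yield child, value
            else:
                yield from iter_userdata(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_userdata(item, f"{path}[{index}]")


def audit_userdata(path, userdata):
    """Return (code, path, message) findings. Messages never echo a password."""
    findings = []
    accounts_by_password = {}
    if "administrator_password" in userdata:
        accounts_by_password.setdefault(
            userdata["administrator_password"], []).append("Administrator")
    for user in userdata.get("users") or []:
        if isinstance(user, dict) and "password" in user:
            accounts_by_password.setdefault(
                user["password"], []).append(user.get("name", "?"))

    accounts = [a for names in accounts_by_password.values() for a in names]
    if accounts:
        findings.append(("PLAINTEXT_PASSWORD", path,
                         "clear-text passwords in file for: " + ", ".join(accounts)))
    for names in accounts_by_password.values():
        if len(names) > 1:
            findings.append(("PASSWORD_REUSE", path,
                             "same password set for: " + ", ".join(names)))

    if userdata.get("enable_rdp") is True:
        findings.append(("RDP_ENABLED", path,
                         "RDP is enabled; review which security rules allow "
                         "RDP traffic to this instance"))

    winrm = userdata.get("winrm")
    trusted = winrm.get("trustedhosts", "") if isinstance(winrm, dict) else ""
    for host in (h.strip() for h in trusted.split(",")):
        if "*" in host:
            findings.append(("WINRM_WILDCARD", path,
                             f"trustedhosts entry {host!r} trusts every "
                             "host that matches the pattern"))
    return findings


def audit_orchestration(text):
    """Parse orchestration JSON text and audit every userdata section in it."""
    findings = []
    for path, userdata in iter_userdata(json.loads(text)):
        findings.extend(audit_userdata(path, userdata))
    return findings


if __name__ == "__main__":
    for code, path, message in audit_orchestration(SAMPLE):
        print(f"{code:20} {path}: {message}")
```
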

13 Best Practices for Using Oracle Compute Cloud Service

As you create and manage instances and the associated resources in Oracle Compute
Cloud Service, consider the following guidelines and recommendations to get the best
out of the service in terms of cost, manageability, and performance.

Topics

• Managing Users and Roles

• Building Machine Images

• Naming Objects

• Selecting Shapes

• Using Orchestrations to Automate Resource Provisioning

• Managing Block Storage

• Configuring Network Settings

• Ensuring Secure Access to Instances

Managing Users and Roles

• Only users with the Compute_Operations role can perform write operations
(that is, create, update, and delete resources) in Oracle Compute Cloud Service.
When you create users in Oracle Cloud My Services, assign the
Compute_Operations role to only those users who'll be responsible for creating,
updating, and deleting instances and the associated storage and networking
resources.

• For business continuity, consider creating at least two users with the
Compute_Operations role. These users must be IT system administrators in your
organization.

Building Machine Images

• The operating system and software that you use to build private images must have
the required licenses. You’re responsible for purchasing the required licenses and
ensuring support for any third-party operating systems and software that you run
on Oracle Compute Cloud Service instances.

• Plan the packages that you want to include in your images keeping in mind the
workload that you want to deploy.

• Before creating the final image file, plan ahead and provision any users that you'd
like to be available when instances are created using the image.

Note:

While creating instances, you can specify one or more SSH public keys.
The keys that you specify are stored as metadata on the instance. This
metadata can be accessed from within the instance at
http://192.0.0.192/{version}/meta-data/public-keys/{index}/openssh-key.

– Oracle-provided Oracle Linux and Oracle Solaris images include a script
that runs automatically when the instance starts, retrieves the keys, and
adds them to the authorized_keys file of the opc user.

– In images that you build, you can write and include a script that runs
automatically when the instance starts, retrieves the SSH public keys, and
adds the keys to the authorized_keys file of the appropriate users.

• Keep your image disk size only as large as is essential. A large image requires
more time to be uploaded to Oracle Storage Cloud Service, and costs more to store.
In addition, creating instances and bootable storage volumes from a large image
requires more time. Before uploading image files to Oracle Storage Cloud Service,
make them sparse files. On Linux, you can convert a file to the sparse format by
running the command cp --sparse=always original_file sparse_file. When
creating the tar archive, specify the -S option to ensure that the tar utility
stores the sparse file appropriately.

• Choose a tar.gz file name that you can use later to easily identify the key
characteristics of the image, such as the OS name, OS version, and the disk size. For
example, for a root-disabled, Oracle Linux 6.6 image with a 20-GB disk, consider
using a file name such as OL66_20GB_RD.tar.gz.

Naming Objects
When you create instances, storage volumes, security lists, and so on, select the name
of the object carefully. Pick a name that helps you quickly identify the key
characteristics of the object later. For example, when creating a bootable storage
volume, consider including the operating system name and the image disk size in the
name of the storage volume.

Selecting Shapes

• While selecting the shape for an instance, consider the nature of the applications
that you plan to deploy on the instance, the number of users that you expect to use
the applications, and also how you expect the load to scale in the future. Remember
to also factor in the CPU and memory resources that are necessary for the operating
system.

• Select a shape that meets the requirements of your workload with a sufficient
buffer for intermittent spikes in the load. If you’re not sure what shape is
appropriate for an instance, then start small, experiment with a representative
workload, and then settle on a shape. This approach may help you achieve an
optimal trade-off between resource allocation and performance.

Using Orchestrations to Automate Resource Provisioning

• When using orchestrations to create and manage instances, set the high-availability
policy to active, to ensure minimal disruption to your operations.

• To be able to stop and start instances individually, define them in separate
orchestrations.

• Don’t define storage volumes and instances in the same orchestration. By keeping
storage volumes and instances in separate orchestrations, you can stop and start
the instances when required and yet preserve the attached storage volumes. Note
that the recommendation here is to define the storage volumes outside the instance
orchestration. To ensure that the storage volumes remain attached after an instance
is re-created, you must define the storage attachments within the instance
orchestration.

• Using orchestrations, you can control the placement of instances. You can opt to
have instances placed on the same or on different physical nodes. When you use
the instance placement feature, consider your requirements for application
isolation and affinity. See Relationships Between Objects Within a Launch Plan
Object.

Managing Block Storage

• When you decide the number and size of your storage volumes, consider the limits:
minimum 1 GB, maximum 2 TB, one-GB increments, and 10 volumes per instance.

– If you attach too many small storage volumes to an instance, then you may not
be able to scale block storage for the instance up to the full limit of 20 TB.

– If you attach many large volumes to an instance, then the opportunities to
spread and isolate storage are limited. In addition, too many large volumes may
result in lower overall utilization of block storage space, particularly if data
isolation is also critical for your business.
Consider the storage capacity needs of the applications that you plan to deploy on
the instance, and leave some room for attaching more storage volumes in the
future. This approach helps you use the available block storage capacity efficiently
in the long run.

• Create and use separate storage volumes for your applications, data, and the
operating system. Use a configuration management framework such as Chef or
Puppet for managing the configuration of the operating system and applications.

• To ensure that storage volumes remain attached and mounted after instances are
stopped and re-created, do both of the following:

– Define the storage attachments within the orchestration that you use to create
instances. Note that the recommendation here is to define the storage
attachments, and not the storage volumes, in the orchestration that you use to
create instances.

– Set up the instance to boot from a bootable storage volume.

• If you’re sure that a storage volume is no longer required, then back up the data
elsewhere and delete the storage volume.

Configuring Network Settings

• When you create an instance, if you opt for an autogenerated public IP address,
then the IP address so allocated persists only during the life of the instance. If the
instance is deleted and re-created by stopping and starting its orchestration, then
the instance gets a new public IP address. To assign a fixed public IP address to an
instance, reserve a public IP address, and attach it to the instance—either when you
create the instance or, later, by updating the IP reservation.

• If you no longer need an IP reservation, delete it.

• You can attach an instance to a maximum of five security lists, and you can use a
security list as the source or destination in up to 10 security rules. Plan your
security lists and security rules keeping these overall limits in mind.

Note:

If an instance is added to multiple security lists that have different policies,
then the most restrictive policy is applicable to the instance.

Ensuring Secure Access to Instances

• Ensure instance isolation by creating security lists and adding instances to the
appropriate security lists. Instances within a security list can inter-communicate
freely over any protocol. To allow incoming traffic to all the instances in a security
list, set up a security rule with the security list as the destination and with the
required source and protocol settings.

• Use security rules carefully and open only a minimal and essential set of ports.
Keep in mind your business needs and the IT security policies of your
organization.

• When you add an instance to a security list, all the security rules that use that
security list—as either the source or destination—are applicable to the instance.
Consider a security list that is the destination in two security rules, one rule that
allows SSH access from the public Internet and another rule permitting HTTPS
traffic from the public Internet. When you add an instance to this security list, the
instance is accessible from the public Internet over both SSH and HTTPS. Keep this
in mind when you decide the security lists that you want to add an instance to.

• If you’re creating a Linux or Oracle Solaris instance, then try to determine, up front,
how many users you expect to access the instance and plan for a separate SSH key
pair for each user.

• Keep your SSH keys secure. Lay down policies to ensure that the keys aren’t lost or
compromised when employees leave the organization or move to other
departments. If you lose your private key, then you can’t access your instances. For
business continuity, ensure that the SSH keys of at least two IT system
administrators are added to your instances.


If you need to edit the ~/.ssh/authorized_keys file of a user on your instance,
then before you make any changes to the file, start a second ssh session and ensure
that it remains connected while you edit the authorized_keys file. This second
ssh session serves as a backup. If the authorized_keys file gets corrupted or
you inadvertently make changes that result in your getting locked out of the
instance, then you can use the backup ssh session to fix or revert the changes.
Before closing the backup ssh session, test the changes you made in the
authorized_keys file by logging in with the new or updated SSH key.
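
The effect described in the security-list bullets above (an instance inherits every rule that names any of its security lists) can be checked before a change is made. The following added example, which is not Oracle code and does not use the service's API format, models lists and rules as plain dictionaries and reports what inbound access an instance would gain from joining a list. All list, rule, application and instance names are constructed; only the two limits come from this page.

```python
from collections import Counter

MAX_LISTS_PER_INSTANCE = 5    # limit stated on this page
MAX_RULES_PER_LIST = 10       # limit stated on this page
PUBLIC = "public-internet"    # constructed name for "any Internet source"

# Constructed sample: the SSH + HTTPS case from the text, plus a database tier.
RULES = [
    {"name": "ssh-from-internet", "source": PUBLIC,
     "destination": "web-frontend", "application": "ssh"},
    {"name": "https-from-internet", "source": PUBLIC,
     "destination": "web-frontend", "application": "https"},
    {"name": "db-from-web", "source": "web-frontend",
     "destination": "db-tier", "application": "tcp/1521"},
]
MEMBERSHIP = {
    "web1": ["web-frontend"],
    "db1": ["db-tier"],
    "batch1": ["db-tier", "web-frontend"],
}


def inbound_access(lists, rules):
    """Return sorted (source, application, rule name) tuples for traffic that
    is allowed in to an instance belonging to the given security lists."""
    lists = set(lists)
    return sorted((r["source"], r["application"], r["name"])
                  for r in rules if r["destination"] in lists)


def exposure_gained(current_lists, new_list, rules):
    """Inbound access an instance gains if it is also added to new_list."""
    before = set(inbound_access(current_lists, rules))
    after = set(inbound_access(set(current_lists) | {new_list}, rules))
    return sorted(after - before)


def audit(membership, rules):
    """Return (per-instance report, security lists over the rule limit)."""
    rule_count = Counter()
    for rule in rules:
        # A list used as both source and destination of one rule counts once.
        for endpoint in {rule["source"], rule["destination"]} - {PUBLIC}:
            rule_count[endpoint] += 1

    report = {}
    for instance, lists in membership.items():
        access = inbound_access(lists, rules)
        report[instance] = {
            "internet_exposed": sorted(app for src, app, _ in access
                                       if src == PUBLIC),
            "peer_sources": sorted({src for src, _, _ in access
                                    if src != PUBLIC}),
            "too_many_lists": len(lists) > MAX_LISTS_PER_INSTANCE,
        }
    over_limit = sorted(name for name, count in rule_count.items()
                        if count > MAX_RULES_PER_LIST)
    return report, over_limit


if __name__ == "__main__":
    report, over_limit = audit(MEMBERSHIP, RULES)
    for instance, details in report.items():
        print(instance, details)
    print("lists over rule limit:", over_limit)
    print("db1 would gain:", exposure_gained(["db-tier"], "web-frontend", RULES))
```
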

14 Frequently Asked Questions for Oracle Compute Cloud Service

This section provides answers to frequently asked questions about Oracle Compute
Cloud Service.

Topics

• Machine Image

– What base images can I use to create instances?

– After creating instances using Oracle-provided images, if I update the operating
system and kernel with additional packages, will the updated operating system
and kernel continue to be supported?

• Interfaces

– What user interfaces does this service provide?

– Why does the web console time out frequently?

– How do I connect to the service using the API?

• Instance Properties

– How much CPU and memory can I assign to an instance?

– What’s the maximum amount of memory that I can allocate across all my
instances?

– How do I provide persistent storage for my instances?

– Why do some of my instances have three-part names
(Compute-identity_domain/user/id), while others have four-part names
(Compute-identity_domain/user/name/id)?

• Instance Usage

– What can I install on the Oracle Compute Cloud Service instances?

– How can I stop an instance?

– Why is the Delete option for my instance disabled?

• Windows Instances

– Who is responsible for the Windows license? Does Oracle provide it, or should I
bring my own?

– What about licenses for other Microsoft products? Can I use my own licenses to
install Microsoft products on Oracle Compute Cloud Service Windows
instances?

– Can I use my own Windows license with Oracle Compute Cloud Service
Windows instances?

– Oracle Compute Cloud Service allows me to create custom images and use them
to create instances. Using the same process, can I create a Windows image and
use it to create Windows instances in Oracle Compute Cloud Service?

– What support, if any, does Oracle provide for Windows instances?

• Network Settings

– Are the public IP addresses of instances fixed or dynamic?

– Are the private IP addresses of instances fixed or dynamic?

– How can I find out the IP address of my instance?

– How can I restrict and isolate traffic between my instances?

• Storage Management

– How can I add block storage to my instance after I’ve created the instance?

– How many storage volumes can I attach to an instance?

– What is the allowed size for a storage volume?

• Orchestrations

– What kinds of resources can I create using an orchestration?

– I added an orchestration and started it, but nothing seems to be happening.

– Can I update an orchestration?

– I defined the attributes in my orchestration in a certain order. But when I view
the orchestration in the web console or download it, the attributes are in a
different order. Why?

– I created five instances by using an orchestration. Now I want to delete three
instances but keep the other two. How can I do that?

– How are orchestrations different from launch plans?

• Using SSH Keys

– Can I associate multiple SSH public keys with an instance?

– Can I associate a single SSH public key with more than one instance?

– I’ve lost access to my SSH private key. What do I do now?

– My SSH private key has been compromised. I’ve generated a new SSH key pair
and I want to update the SSH public key on my running instances. How can I
do that?

– I want to give other users access to my instance, but I don’t want to share my
SSH private key. What should I do?

• Connecting to Instances

– How can I connect (log in) to an instance?

– How can I log in to an Oracle Linux instance as a non-opc user?

• Support

– To what extent will Oracle support the applications and services deployed on
Oracle Compute Cloud Service instances?

Machine Image
What base images can I use to create instances?
You can use Oracle-provided or your own images to create instances. See Managing
Machine Images.

After creating instances using Oracle-provided images, if I update the operating
system and kernel with additional packages, will the updated operating system
and kernel continue to be supported?
The operating system and kernel will continue to be supported as long as they are
updated using Oracle public or support repositories.

Interfaces
What user interfaces does this service provide?
You can access Oracle Compute Cloud Service through the web console, or by using
the REST API. See Accessing Oracle Compute Cloud Service Using the Web Console.

Why does the web console time out frequently?


For security, the web console times out automatically after 15 minutes of inactivity.
Log in again to continue using the web console.

How do I connect to the service using the API?


See REST API for Oracle Compute Cloud Service.

Instance Properties
How much CPU and memory can I assign to an instance?
The number of CPUs and RAM allocated to an instance are determined by the shape
that you select while creating the instance. See About Machine Images and Shapes.

What’s the maximum amount of memory that I can allocate across all my
instances?
The memory allocated to each instance is determined by the shape that you select
while creating the instance. So the maximum amount of memory that you can use
across all your instances is the total amount of RAM associated with the shape that
you select for each of your instances. There’s no separate upper limit on memory
allocation. For the amount of RAM associated with each shape, see About Machine
Images and Shapes.

How do I provide persistent storage for my instances?


You can provide block storage space by creating storage volumes and attaching them
to the instances. See Managing Storage Volumes.

Why do some of my instances have three-part names
(Compute-identity_domain/user/id), while others have four-part names
(Compute-identity_domain/user/name/id)?
The id in the instance name is generated automatically when the instance is created. If
you specify a name (an optional parameter) while creating the instance, then the name
that you specify precedes the id in the four-part name.

Instance Usage
What can I install on the Oracle Compute Cloud Service instances?
You can deploy any application—Oracle or third-party—that’s supported on the
operating system included in the machine image that you used to create the instance,
subject to the licensing and support terms of the vendor of that application. Oracle
doesn’t provide support or indemnification for any third-party applications and
software.

How can I stop an instance?


You can’t stop an instance, but you can restart it. See Restarting an Instance.
If you no longer require an instance, then you can delete it. See Deleting an Instance.
If you used an orchestration to create an instance, then when you stop the
orchestration, the instance and all the other objects defined in the orchestration are
deleted. See Stopping an Orchestration.

Why is the Delete option for my instance disabled?


When you create an instance by using either the web console or an orchestration, you
can set the HA policy for that instance to active. Then, whenever the instance stops
or is deleted, it is re-created automatically. You can’t delete such an instance by using
the Delete option in the web console. So the Delete option is disabled for these
instances. To delete an instance that has the HA policy set to active, stop the
orchestration that you used to create the instance.

See Also:

• About High-Availability Policies in an Orchestration

• Stopping an Orchestration

Windows Instances
Who is responsible for the Windows license? Does Oracle provide it, or should I
bring my own?
When you get a Windows image from Oracle Cloud Marketplace, the terms and
conditions for using the image are displayed. You must read and accept those terms
before you can create a Windows instance. When you create an instance from an
Oracle-provided Windows image, you get a Microsoft Windows license. You needn't
purchase the license separately.

What about licenses for other Microsoft products? Can I use my own licenses to
install Microsoft products on Oracle Compute Cloud Service Windows
instances?
Yes, you can use Microsoft’s License Mobility through Software Assurance to use
licenses for other Microsoft products on your Windows instances. See
https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-license-mobility.aspx.

Can I use my own Windows license with Oracle Compute Cloud Service
Windows instances?
No. If you want to create a Windows instance in Oracle Compute Cloud Service, you
must use the Oracle-provided Windows images, available on Oracle Cloud
Marketplace. A bring-your-own-license (BYOL) model is not currently supported.

Oracle Compute Cloud Service allows me to create custom images and use
them to create instances. Using the same process, can I create a Windows
image and use it to create Windows instances in Oracle Compute Cloud
Service?
No. If you want to create a Windows instance in Oracle Compute Cloud Service, you
must use the Oracle-provided Windows images, available on Oracle Cloud
Marketplace. A bring-your-own-VM (BYOVM) model is not currently supported.

What support, if any, does Oracle provide for Windows instances?


Oracle provides support for the operating system on Windows instances. Oracle
doesn't provide support for any other Microsoft products or any third-party or open-
source applications that you deploy on your Windows instances.

Network Settings
Are the public IP addresses of instances fixed or dynamic?
While creating instances, you can choose whether the public IP address must be fixed
or assigned dynamically from a pool.

See Also:

• Reserving a Public IP Address

• Creating an Instance from the Instances Page

• Instance Attributes

• Updating an IP Reservation

Are the private IP addresses of instances fixed or dynamic?


Private IP addresses are assigned dynamically to each instance from a pool of private
IP addresses. If an instance is restarted, its private IP address might change.

How can I find out the IP address of my instance?


The Instances page displays both the public and the private IP address of the instance.
You can also see these and other details of an instance on the instance details page.

How can I restrict and isolate traffic between my instances?


Add the instances that should be able to communicate with each other to the same
security lists. To isolate instances from other instances, add them to different security
lists. By default, instances in different security lists can’t communicate with each other.
You can use security rules to override the default policies of security lists. See
Configuring Network Settings.

Storage Management
How can I add block storage to my instance after I’ve created the instance?
If you’ve already created the storage volume that you want to attach to a running
instance, see Attaching a Storage Volume to an Instance. If you want to create a
storage volume and attach it to an instance, see Creating a Storage Volume.

How many storage volumes can I attach to an instance?
You can attach up to 10 block storage volumes to an instance.

What is the allowed size for a storage volume?
The allowed range is from 1 GB to 2 TB, in increments of 1 GB. You can specify the size
of a storage volume when you create the volume.

Orchestrations
What kinds of resources can I create using an orchestration?
You can use orchestrations to create instances, storage volumes, or networking objects
such as security rules or security lists.

See Also:

• Object Types in an Orchestration

• Attributes in Orchestrations

I added an orchestration and started it, but nothing seems to be happening.


When you start an orchestration, its status changes to Starting. Depending on the
number and type of objects defined in the orchestration, it can take quite a while for all
the objects to be created. While the objects are being created, the orchestration
continues to show the status Starting. After all the objects are created, the status of the
orchestration changes to Ready. If any of the objects can’t be created, then the state of
the orchestration changes to Error. If the status of your orchestration doesn’t change to
Error, then the objects are being created. Wait till the status changes to either Ready or
Error.

Can I update an orchestration?


To update an orchestration, download and modify it and then upload it. Note that you
can’t upload the modified orchestration with the same name. Either give the modified
orchestration a new name, or delete the existing orchestration in Oracle Compute
Cloud Service and then upload the modified orchestration.

See Also:

• Deleting an Orchestration

• Uploading an Orchestration

I defined the attributes in my orchestration in a certain order. But when I view
the orchestration in the web console or download it, the attributes are in a
different order. Why?
When you build an orchestration file (in JSON format), you can arrange the attributes
in any order as long as the attribute hierarchy is as described in Attributes in
Orchestrations. After you upload the orchestration to Oracle Compute Cloud Service,
the attributes are stored in a different order. For example, you may have defined the
ha_policy attribute at the beginning of the orchestration, but when you view or
download the orchestration, the ha_policy attribute is at the very end of the
orchestration. These changes don’t affect the orchestration and the attributes defined
in it.

I created five instances by using an orchestration. Now I want to delete three
instances but keep the other two. How can I do that?
If you’ve not specified any HA policy for the instances that you want to delete, then
you can delete the instances by using the Delete option in the web console. See
Deleting an Instance.
If you’ve created your instances with the HA policy set to active, then you can’t
delete the instances from the web console by using the Delete option. If you do this,
the instances are re-created automatically. The only way to delete such instances is
to stop the orchestration. See Stopping an Orchestration. Note, however, that when
you stop an orchestration, all the resources defined in it are deleted.

How are orchestrations different from launch plans?

| Capability | Launch Plans | Orchestrations |
|---|---|---|
| Lets you create multiple instances? | No separate note. Yes. | Yes. |
| Lets you specify the HA policy for an instance? | No. Instances don’t persist. If you delete an instance, you must create it again. | Yes. The HA policy can be specified for each instance. See About High-Availability Policies in an Orchestration. |
| Lets you create other object types? | No. | Yes. See Object Types in an Orchestration. |
| Lets you stop and re-create multiple objects at once? | No. You can use the API or web console to manage individual instances. | Yes. You can stop or start an orchestration to create or destroy all the resources specified in the orchestration. See Managing Orchestrations. |
| Is stored on Oracle Compute Cloud Service? | No. | Yes. You can view, monitor, download, start, stop, or delete an orchestration. See Managing Orchestrations. |

Using SSH Keys


Can I associate multiple SSH public keys with an instance?
Yes, you can associate multiple SSH public keys with your instance when you create
the instance. To do this, you must upload all the required SSH public keys to Oracle
Compute Cloud Service before you start creating the instance.
Additionally, after creating a Linux or Oracle Solaris instance, you can inject more SSH
public keys into the instance by logging in to the instance and editing the
~/.ssh/authorized_keys file of the user.
If you need to edit the ~/.ssh/authorized_keys file of a user on your instance,
then before you make any changes to the file, start a second ssh session and ensure
that it remains connected while you edit the authorized_keys file. This second ssh
session serves as a backup. If the authorized_keys file gets corrupted or you
inadvertently make changes that result in your getting locked out of the instance, then
you can use the backup ssh session to fix or revert the changes. Before closing the
backup ssh session, test the changes you made in the authorized_keys file by
logging in with the new or updated SSH key.

Note:

When an instance that’s set up to boot from a nonpersistent boot disk is re-
created, any SSH public keys that you added or edited manually (that is, not
during instance creation) must be added or edited again. To do this, you must
log in to the instance by using the original SSH private key. So retain and
safeguard your original SSH private key.

Can I associate a single SSH public key with more than one instance?
Yes, you can associate an SSH public key with multiple instances.

I’ve lost access to my SSH private key. What do I do now?


A private SSH key is the only way you can access your Linux instances. If you don’t
have the private key, then you can’t access your instances. Always back up an
encrypted copy of your private SSH keys, and keep the keys secure.

My SSH private key has been compromised. I’ve generated a new SSH key pair
and I want to update the SSH public key on my running instances. How can I do
that?
To modify an SSH public key on a running instance, log in to the instance, and edit the
~/.ssh/authorized_keys file of the user. Remove the existing SSH public key in
this file and replace it with the new key.

Note:

You don’t need to do this if you’re creating a Windows instance, because you
can’t log in to a Windows instance using SSH. To log in to your Windows
instance using RDP, see Accessing a Windows Instance Using RDP.

If you need to edit the ~/.ssh/authorized_keys file of a user on your instance,
then before you make any changes to the file, start a second ssh session and ensure
that it remains connected while you edit the authorized_keys file. This second ssh
session serves as a backup. If the authorized_keys file gets corrupted or you
inadvertently make changes that result in your getting locked out of the instance, then
you can use the backup ssh session to fix or revert the changes. Before closing the
backup ssh session, test the changes you made in the authorized_keys file by
logging in with the new or updated SSH key.

Note:
When an instance that’s set up to boot from a nonpersistent boot disk is re-
created, any SSH public keys that you added or edited manually (that is, not
during instance creation) must be added or edited again. To do this, you must
log in to the instance by using the original SSH private key. So retain and
safeguard your original SSH private key.
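
Both this answer and the best-practices guidance on editing authorized_keys describe a manual edit that can lock you out if the file is damaged. The following is an added example (not Oracle's code) of making the same replacement with checks: it validates the new key line, removes the compromised key by its key material rather than its comment, keeps a backup copy, and swaps the file in atomically with 0600 permissions. The function names and the .bak suffix are hypothetical, and the helper that builds sample keys produces constructed filler, not real keys.

```python
import base64
import binascii
import os
import shutil
import struct
import sys
import tempfile

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def key_blob(line):
    """Return the base64 blob of a "[options] keytype blob [comment]" line,
    or None if the line is not a well-formed public key entry.

    The blob must decode as base64 and must begin with the same key type
    name, length-prefixed, as declared in the text before it.
    """
    tokens = line.split()
    for i, token in enumerate(tokens[:-1]):
        if token in KEY_TYPES:
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            if len(raw) < 4:
                return None
            (name_len,) = struct.unpack(">I", raw[:4])
            if raw[4:4 + name_len] != token.encode():
                return None
            return tokens[i + 1]
    return None


def rotate_key(path, old_pub, new_pub):
    """Replace old_pub with new_pub in the file at path; return lines removed.

    Raises ValueError for malformed keys and LookupError if the old key is
    absent. In both cases the file is left untouched.
    """
    old_blob, new_blob = key_blob(old_pub), key_blob(new_pub)
    if old_blob is None or new_blob is None:
        raise ValueError("old or new key is not a well-formed public key")

    with open(path, encoding="utf-8") as handle:
        lines = handle.read().splitlines()

    kept, removed, has_new = [], 0, False
    for line in lines:
        blob = None if line.lstrip().startswith("#") else key_blob(line)
        if blob == old_blob:
            removed += 1          # drop every entry carrying the old key
            continue
        if blob == new_blob:
            has_new = True
        kept.append(line)
    if removed == 0:
        raise LookupError("old key not found; file left untouched")
    if not has_new:
        kept.append(new_pub.strip())

    shutil.copy2(path, path + ".bak")   # copy to revert from; delete after testing
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".authorized_keys.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write("\n".join(kept) + "\n")
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)           # atomic: never a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return removed


def constructed_pubkey(fill, comment):
    """Build a syntactically valid ssh-ed25519 line from filler bytes.
    Constructed test data only; this is not a usable key."""
    name = b"ssh-ed25519"
    raw = (struct.pack(">I", len(name)) + name
           + struct.pack(">I", 32) + bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(raw).decode()} {comment}"


if __name__ == "__main__":
    # Usage: python rotate_key.py AUTHORIZED_KEYS OLD.pub NEW.pub
    target, old_file, new_file = sys.argv[1:4]
    with open(old_file) as f_old, open(new_file) as f_new:
        print("removed", rotate_key(target, f_old.read(), f_new.read()), "entry(ies)")
```

Run it from one session while the second ssh session stays connected, then log in with the new key before closing the backup session and removing the .bak file.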

I want to give other users access to my instance, but I don’t want to share my
SSH private key. What should I do?
You can create new local users on your instance, generate SSH key pairs for these
users offline, and append the new public keys in the ~/.ssh/authorized_keys file
of the new users. These users can then ssh to the instance by using the appropriate
private keys. See Adding Users on an Oracle Linux Instance.

Note:

When an instance that’s set up to boot from a nonpersistent boot disk is re-
created, any users that were added manually (that is, users that weren’t
defined in the machine image) must be added again.
When an instance that’s set up to boot from a nonpersistent boot disk is re-
created, any SSH public keys that you added or edited manually (that is, not
during instance creation) must be added or edited again. To do this, you must
log in to the instance by using the original SSH private key. So retain and
safeguard your original SSH private key.

Connecting to Instances
How can I connect (log in) to an instance?

• Oracle Linux images: See Accessing an Oracle Linux Instance Using SSH

• Oracle Solaris image: See Accessing an Oracle Solaris Instance Using SSH

• Windows instances: See Accessing a Windows Instance Using RDP

How can I log in to an Oracle Linux instance as a non-opc user?


See Adding Users on an Oracle Linux Instance.

Support
To what extent will Oracle support the applications and services deployed on
Oracle Compute Cloud Service instances?

• Support for Oracle applications that you deploy on Oracle Compute Cloud Service
instances will be provided according to the prevailing support policies for those
applications.

• Oracle won’t provide support for any third-party or open-source applications
deployed on Oracle Compute Cloud Service instances.

15
Troubleshooting Oracle Compute Cloud
Service

This section describes common problems that you might encounter when using Oracle
Compute Cloud Service and explains how to solve them.

Topics

• Web Console Problems

• Instance Life Cycle Problems

• Networking Problems

• SSH Key Problems

• Storage Volume Problems

• Orchestration Problems

• Launch Plan Problems

Web Console Problems


This section lists problems that you might encounter while using the Oracle Compute
Cloud Service web console.

Can’t access the web console

Description
When I try to log in to the web console, the following error message is displayed:
You are not authorized to access the Oracle Compute Cloud Service (0706_043942.887).\
If the problem persists, contact Oracle Support.

Solution
This error indicates that you are not assigned any Oracle Compute Cloud Service role.
See About Oracle Compute Cloud Service Roles.
Ask your service administrator to assign the appropriate roles to you in Oracle Cloud
My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.


Can’t create, update, or delete objects

Description
When I try to create, update, or delete any object, an error message similar to the
following is displayed:
Unable to create security rule. [[email protected]_0706_045758.332] :
User /Compute-acme/[email protected] is not permitted to perform "secrule.add" on
secrule:/Compute-acme/[email protected]/mysecrule

Unable to add IP reservation. [[email protected]_0706_050517.177] :
User /Compute-acme/[email protected] is not permitted to perform
"ipreservation.add" on
ipreservation:/Compute-acme/[email protected]/myipres

Unable to update SSH key "mykey". [[email protected]_0706_052418.475] :
User /Compute-acme/[email protected] is not permitted to perform
"sshkey.update" on
sshkey:/Compute-acme/[email protected]/mykey

Unable to delete SSH key "mykey". [[email protected]_0706_052437.025] -
User /Compute-acme/[email protected] is not permitted to perform
"sshkey.delete" on
sshkey:/Compute-acme/[email protected]/mykey

Unable to detach storage volume "myvol1" from this instance.
[[email protected]_0706_052512.984] -
User /Compute-acme/[email protected] is not permitted to perform
"attachment.delete" on
storage/attachment:/Compute-acme/[email protected]/vm-1/3b515fae.../...
55a31eaee6b5

Solution
This error indicates that you’re not authorized to create, update, or delete resources in
Oracle Compute Cloud Service. Ask your service administrator to assign the
Compute_Operations role to you in Oracle Cloud My Services. See Modifying User
Roles in Managing and Monitoring Oracle Cloud.

Can’t upload an orchestration

Description
When I try to upload my orchestration file, I get the following error: “Unable to create
an orchestration from the JSON file.”

Solution
This error indicates that there are errors in the syntax of your orchestration JSON file.
Open the JSON file in a text editor to identify and fix the problems. You should also
validate your JSON file. You can do this by using a third-party tool, such as JSONLint,
or any other validation tool of your choice.


Note:

Oracle doesn’t support or endorse any third-party JSON-validation tool.

My orchestration hasn’t created any instances

Description
I’ve uploaded my orchestration file but I don’t see my instances. What should I do?

Solution
After uploading your orchestration, the status of your orchestration is automatically
set to Stopped. To create the resources defined in your orchestration, start your
orchestration. See Starting an Orchestration.

Error while starting an orchestration

Description
I’ve uploaded my orchestration, but when I start it, the following error occurs:
Specify either an ImageList or boot_order and StorageVolume.

Solution
This error indicates that your orchestration doesn’t specify either an image or a
bootable storage volume for your instance.

• To set up the instance to boot from a persistent disk, you must attach a bootable
storage volume by using the storage_attachments instance attribute, and then
specify the index number of the attached storage volume as the boot disk by using
the boot_order instance attribute.

{
  "objects": [
    {
      "instances": [
        {
          "boot_order": [
            1
          ],
          "storage_attachments": [
            {
              "index": 1,
              "volume": "/Compute-acme/joe/bootable-vol1"
            }
          ]
        }
      ]
    }
  ]
}

• To set up the instance to boot from a nonpersistent disk, specify the image that you
want to use by using the imagelist attribute.

{
  "objects": [
    {
      "instances": [
        {
          "imagelist": "/oracle/public/oel6"
        }
      ]
    }
  ]
}

Note:

If you specify both boot_order and imagelist for an instance in an
orchestration, the imagelist attribute is ignored and the instance is booted
using the bootable storage volume specified by the boot_order attribute. See
Instance Attributes.

Can’t attach a storage volume to an instance

Description
When I try to attach my storage volume to an instance, the following error occurs:
APIConflictError: Attachment index 1 is already in use on instance /Compute-acmecorp/
acmeadmin/dev2/6073c806-f7da-47eb-9678-6e618931b29a

Solution
The index number that you’re trying to assign to this storage volume is already used
for another storage volume. Select a different index number and try again.

Note:

The disk number that you specify here determines the device name. The disk
attached at index 1 is named /dev/xvdb, the disk at index 2 is /dev/xvdc,
the disk at index 3 is /dev/xvdd, and so on.
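
The orchestration checks described in the preceding problems (JSON syntax, the imagelist or boot_order requirement, and attachment index conflicts), as an added Python example that is not part of the Oracle documentation. It is a local pre-flight check only and assumes the attribute layout shown in the two JSON samples above; the function names and the BROKEN sample are constructed for illustration.

```python
import json

# Message the service returns when an instance has no boot source (quoted from this page).
BOOT_ERROR = "Specify either an ImageList or boot_order and StorageVolume."

# The two samples from this page, plus one constructed file with a missing comma.
PERSISTENT = """{"objects": [{"instances": [{
  "boot_order": [1],
  "storage_attachments": [{"index": 1, "volume": "/Compute-acme/joe/bootable-vol1"}]
}]}]}"""
NONPERSISTENT = '{"objects": [{"instances": [{"imagelist": "/oracle/public/oel6"}]}]}'
BROKEN = """{
  "objects": [
    {"instances": [{"imagelist": "/oracle/public/oel6" "boot_order": [1]}]}
  ]
}"""


def device_name(index):
    """Device name for an attachment index, following the note above: 1 -> /dev/xvdb."""
    return "/dev/xvd" + chr(ord("a") + index)


def check_instance(inst, where):
    """Return (problems, devices) for one entry of an "instances" list."""
    problems, devices = [], {}
    for att in inst.get("storage_attachments", []):
        index, volume = att.get("index"), att.get("volume")
        if type(index) is not int or index < 1:
            problems.append("error: %s: attachment index %r is not a positive integer"
                            % (where, index))
        elif index in devices:
            # Would be rejected by the service as an attachment index conflict.
            problems.append("error: %s: attachment index %d is already in use"
                            % (where, index))
        else:
            devices[index] = (volume, device_name(index))
    boot_order = inst.get("boot_order", [])
    for index in boot_order:
        # Whether the volume is actually bootable cannot be checked offline.
        if type(index) is not int or index not in devices:
            problems.append("error: %s: boot_order refers to index %r, but no storage "
                            "volume is attached at that index" % (where, index))
    if not boot_order and "imagelist" not in inst:
        problems.append("error: %s: %s" % (where, BOOT_ERROR))
    if boot_order and "imagelist" in inst:
        problems.append("warning: %s: imagelist is ignored because boot_order is set"
                        % where)
    return problems, devices


def lint_orchestration(text):
    """Parse orchestration JSON text; return (problems, {instance path: devices})."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as err:
        # Report line, column and character offset of the first syntax error.
        return (["error: invalid JSON: %s: line %d column %d (char %d)"
                 % (err.msg, err.lineno, err.colno, err.pos)], {})
    if not isinstance(doc, dict):
        return (["error: the top level of the file must be a JSON object"], {})
    problems, devices = [], {}
    for o, obj in enumerate(doc.get("objects", [])):
        for i, inst in enumerate(obj.get("instances", [])):
            where = "objects[%d].instances[%d]" % (o, i)
            found, devs = check_instance(inst, where)
            problems += found
            devices[where] = devs
    return problems, devices


if __name__ == "__main__":
    for name, text in (("persistent", PERSISTENT), ("nonpersistent", NONPERSISTENT),
                       ("broken", BROKEN)):
        print(name, lint_orchestration(text))
```
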

Can't detach a storage volume from an instance

Description
I've attached three storage volumes to my instance. Now I want to delete the instance.
So I started to detach the storage volumes. I detached two of the storage volumes, but
can’t detach the third one.

Solution
You can detach storage volumes that were attached to an instance after the instance
was created. You can’t detach storage volumes that were attached during instance
creation.


Can't delete a storage volume

Description
I want to delete a storage volume that I no longer need, but the web console doesn’t
show the delete option for the storage volume.

Solution
You can't delete a storage volume if it’s attached to an instance. To find out whether a
storage volume is attached to an instance, view the storage volume information in the
web console. Click the Storage tab, scroll down to the storage volume that you want to
delete, and check the displayed details. If the storage volume that you want to delete is
attached to an instance, then you must detach it first. See Detaching a Storage Volume
from an Instance.
Also, you can’t delete a storage volume if you’ve created any snapshots or clones of
the storage volume. This feature is available only in the Dedicated Compute offering
of Oracle Compute Cloud Service. See Cloning a Storage Volume by Using Storage
Volume Snapshots.

Can’t remove an IP address from an instance

Description
I associated a temporary IP address with my instance while creating the instance using
the Create Instance wizard. Now I want to remove the temporary IP address and use
an IP address reservation instead. How can I remove the temporary IP address from
my instance? The Remove Instance option in the web console is disabled.

Solution
You can’t remove a temporary IP address from an instance. You can only remove a
persistent IP address. If you created an instance with an autogenerated IP address or if
you changed the status of the IP address associated with an instance to temporary,
then to remove that IP address from the instance, first update it to change its status to
permanent. See Updating an IP Reservation.

Can’t delete a security application

Description
When I tried to delete the security application /oracle/public/snmp-trap-udp,
the following error message was displayed:
APIUnauthorizedError: User /Compute-acmecorp/acmeadmin is not permitted to perform
"secapplication.delete" on secapplication: /oracle/public/snmp-trap-udp

Solution
Oracle Compute Cloud Service has a set of predefined security applications. The
names of these security applications start with the /oracle/public container. You
can’t delete these predefined security applications.


Tip:

To view a list of predefined security applications from the web console, click
the Network tab and then the Security Applications tab in the left pane. The
list of available security applications is displayed. In the search field, enter
/oracle/public, and click . A list of all the predefined security
applications is displayed.

Can’t delete an SSH key

Description
How can I delete an SSH key? There is no delete option in the web console.

Solution
You can't delete an SSH key if it’s associated with an instance. Remember, an SSH key
can be associated with multiple instances. To delete an SSH key that’s associated with
one or more instances, you must first delete all the instances that are associated with
the key.

Instance Life Cycle Problems


This section lists issues that you might encounter while creating and deleting
instances.

My orchestration hasn’t created any instances

Description
I’ve uploaded my orchestration file but I don’t see my instances. What should I do?

Solution
After uploading your orchestration, the status of your orchestration is automatically
set to Stopped. To create the resources defined in your orchestration, start your
orchestration. See Starting an Orchestration.

Can’t create an instance using a launch plan. Error: Shape does not exist

Description
When I try to create an instance using a launch plan, I get the error,
"Shape does not exist."

Solution
This error indicates that you might have entered the name of the shape incorrectly in
your launch plan. Check that your launch plan refers to one of the available shapes.
Then run the launch command again.


Can’t create an instance using a launch plan. Error: Unable to open file

Description
When I try to create an instance using a launch plan, I get the error,
"Unable to open file."

Solution
This error indicates that you might have entered the name or path to your JSON file
incorrectly. Check the filename and location of the JSON file that you want to use and
then run the launch command again.

Can’t create an instance using a launch plan. Error displayed: Data is invalid JSON

Description
When I try to create an instance using a launch plan, I get the error,
"Data is invalid JSON."

Solution
There may be an error in the JSON file that you specified with the launch command.
To identify the error in the JSON file, look at the text displayed on the console
immediately before this error message appeared. You might see a message similar to
the following:
Expecting delimiter: line 10 column 13 (char 314).

Open your JSON file in a text editor and use the information in the error message to
identify and fix the problem. You should also validate your JSON file. You can do this
by using a third-party tool, such as JSONLint, or any other validation tool of your
choice. Then run the launch command again.

Note:

Oracle doesn’t support or endorse any third-party JSON-validation tool.

My instance was created using an incorrect image

Description
I created an instance using the web console and I specified an image in the Create
Instance wizard, but the instance was created using a different image.

Solution
When you create an instance using the web console, you can set up the instance to use
the image on a persistent boot disk that you’ve already created. To do this, you must
select a bootable storage volume in the Boot Volume field on the Storage page of the
Create Instance wizard. The instance is then created by using the image that you
specified while creating the bootable storage volume.


If you don’t select the bootable storage volume in the Boot Volume field, then the
instance is created using the image that you selected in the General screen of the
Create Instance wizard.
For more information, see Creating an Instance from the Instances Page.

Unable to restart an instance

Description
I tried to restart my instance, but it didn't come back up.

Solution
Your instance might have hung or gone into an unknown state. Delete the instance, as
described in Deleting an Instance, and then create a new instance.

Networking Problems
This section lists problems that you might encounter while setting up security rules to
implement firewalls for your instances.

Can’t connect to an instance using SSH

Description
I've created an instance but can’t connect to it using SSH.

Solution
Check for each of the following possible causes:

1. Did you use the correct user?

• To log in to an instance that was created by using an Oracle-provided Oracle
Linux machine image, use the opc user.
For instances created by using other machine images, find out which
SSH-enabled users are defined in that machine image, and log in as one of those
users.

• To log in to an instance as a user that was created after the instance was
provisioned, you must generate an SSH key pair for the new user and copy the
public key to the ~/.ssh/authorized_keys file of the user. You must also
add the new user to the list of allowed users in the /etc/ssh/sshd_config
file on the instance. See Adding Users on an Oracle Linux Instance.

2. Did you specify the correct public IP address of the instance?
To find out the public IP address of your instance, view the information on the
Instances page. See Listing Instances.
If no public IP address is associated with the instance, reserve and associate a
public IP address. See Reserving a Public IP Address and Updating an IP
Reservation.

3. Did you specify the correct private key?
The private key that you specify must correspond to one of the public keys
associated with the instance.

4. Does the instance belong to a security list with the inbound policy set to deny?
An instance can be associated with multiple security lists. You can find out which
security lists an instance is attached to by viewing the details of the instance. See
Monitoring Instances.
You can see the policies used by each security list by viewing the details of the
security list from the web console.
If there’s a conflict between the policies of the various security lists, then the most
restrictive policy is applicable. This means that if even one of the security lists that
your instance is attached to has the inbound policy set to deny, then your instance
can’t receive traffic.
If this is the case, then create a security rule to explicitly allow traffic to a security
list that your instance is attached to.

5. Does the error message contain the following warning?
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
If yes, then see RSA key fingerprint error while connecting to an instance.

RSA key fingerprint error while connecting to an instance

Description
When I try to SSH to my Oracle Compute Cloud Service instance, I get a warning
message like the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
d2:aa:50:d4:ff:dc:76:1d:16:95:4a:77:c4:12:87:0f.
Please contact your system administrator.
Add correct host key in /home/joe/.ssh/known_hosts to get rid of this message.
Offending key in /home/joe/.ssh/known_hosts:63
RSA host key for 11.12.13.14 has changed and you have requested strict checking.
Host key verification failed.

Solution
This error occurs when you use SSH to connect to an Oracle-provided Oracle Linux
instance that has a new RSA key fingerprint.
The RSA key fingerprint of an Oracle Compute Cloud Service instance changes when,
for example, an instance that isn’t set up to boot from a persistent disk is re-created.
When you first connected to your Oracle Compute Cloud Service instance, the original
RSA key fingerprint was stored on your local host. Subsequently, whenever you use
SSH to connect to your instance, the instance sends its current fingerprint. The SSH
client compares the received fingerprint with the locally stored fingerprint. If the
fingerprints don’t match, then this error occurs, and the ssh command fails.


Note that this warning message is returned by the OpenSSH client on an Oracle Linux
host. If you’re using a different SSH client or a different operating system, then the
error message may be different.
To solve this error, you must remove the old (and now invalid) RSA fingerprint of the
instance from the local host.

• In Linux, the RSA key fingerprints are usually stored in the
/home/user/.ssh/known_hosts file on the host from which you are trying to ssh to
the instance. Each line in this file starts with the IP address or host name of a
remote host. Open the file in a text editor, identify the line corresponding to the
IP address of the instance that you’re trying to access, and delete that line.

• In Windows, by default, PuTTY stores keys for known hosts in the
HKEY_CURRENT_USER\SoftWare\SimonTatham\PuTTY\SshHostKeys
registry. Each key has a name in the format, rsa2@22:ip_address. Using the
Registry Editor, identify the key corresponding to the IP address of the instance
that you’re trying to access, and delete it.

Caution:

Improper use of the Windows Registry Editor can cause serious problems.
Before you do this, make sure that you’re aware of the associated risks. See the
documentation accompanying the operating system of your local host.

The next time you use SSH to connect to the Oracle Compute Cloud Service instance, a
message is displayed indicating that the authenticity of the host can’t be established.
At the prompt to continue connecting, enter yes. The new fingerprint is added to the
local host, and the connection goes through.
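
The known_hosts clean-up described above, as an added Python example that is not part of the Oracle documentation. It removes every entry for one host, including hashed names of the form |1|salt|hash that a text search for the IP address would miss, and computes the colon-separated MD5 fingerprint format shown in the warning, so that the new key can be compared with a value obtained from the instance over a trusted channel before you answer yes. The key blobs, salts and second host are constructed sample data; OpenSSH's ssh-keygen -R performs the same removal.

```python
import base64
import hashlib
import hmac


def hashed_name(host, salt):
    """Hashed known_hosts name: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def name_matches(names_field, host):
    """True if the first field of a known_hosts line names this host.

    Handles plain and hashed names; wildcard patterns are not expanded.
    """
    for name in names_field.split(","):
        if name.startswith("|1|"):
            parts = name.split("|")
            if len(parts) == 4:
                salt = base64.b64decode(parts[2])
                if hmac.compare_digest(hashed_name(host, salt), name):
                    return True
        elif name == host:
            return True
    return False


def fingerprints(key_b64):
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a base64 public key blob."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    md5_colon = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_colon, "SHA256:" + sha256


def remove_host(known_hosts_text, host):
    """Return (new file text, removed entries) with all host-key lines for host dropped.

    Each removed entry is (line number, key type, MD5 fingerprint). Comment lines and
    marker lines (@cert-authority, @revoked) are kept unchanged.
    """
    kept, removed = [], []
    for number, line in enumerate(known_hosts_text.splitlines(), start=1):
        fields = line.split()
        is_entry = len(fields) >= 3 and not fields[0].startswith(("#", "@"))
        if is_entry and name_matches(fields[0], host):
            removed.append((number, fields[1], fingerprints(fields[2])[0]))
        else:
            kept.append(line)
    return "".join(item + "\n" for item in kept), removed


def sample_blob(tag):
    """Constructed stand-in for a public key blob (not a real key)."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + tag).decode()


OLD_KEY, NEW_KEY, OTHER_KEY = sample_blob(b"old"), sample_blob(b"new"), sample_blob(b"other")

# Constructed sample file: the instance address from the warning above appears once
# in plain form and once hashed; the other lines must survive the clean-up.
SAMPLE = "\n".join([
    "# constructed sample known_hosts",
    "11.12.13.14 ssh-rsa " + OLD_KEY,
    hashed_name("11.12.13.14", b"constructed-salt-01!") + " ssh-rsa " + OLD_KEY,
    hashed_name("192.0.2.10", b"constructed-salt-02!") + " ssh-rsa " + OTHER_KEY,
    "@cert-authority *.example.com ssh-rsa " + OTHER_KEY,
]) + "\n"

if __name__ == "__main__":
    new_text, removed = remove_host(SAMPLE, "11.12.13.14")
    for number, key_type, fp in removed:
        print("removed line %d (%s) old fingerprint %s" % (number, key_type, fp))
    print("fingerprint of the key now offered:", fingerprints(NEW_KEY)[0])
```
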

Can’t get instances to communicate with each other

Description
I’ve created multiple instances, but am unable to configure them to communicate with
each other.

Solution
By default, instances can communicate with each other only if they’re part of the same
security list. If your instances aren’t part of the same security list, then you can add
them to a security list, as described in Adding an Instance to a Security List.
Alternatively, if you want to keep your instances in separate security lists, then you
can define security rules that enable all instances in a specified security list to
communicate with all instances in another security list. See Managing Security Rules.

Can’t access my instance even though it has a public IP address

Description
I created an instance and associated a public IP address with it. I had earlier created an
instance that doesn’t have a public IP address. I tried to access the second instance
from the first instance, but ssh times out without connecting.


Solution
An instance that doesn’t have a public IP address can connect to any other instance
only over the private IP address of the destination instance. If you attempt to connect
to the public IP address of the newer instance, it will fail.
For example, let's say you created Inst1 without a public IP address. You subsequently
created Inst2 and associated a public IP address with Inst2. Now Inst1 can connect to
Inst2 using the private IP address of Inst2. However, Inst1 can’t connect to Inst2 using
the public IP address of Inst2.
To find out the public IP address or the private IP address of your instance, view the
information on the Instances page. See Listing Instances.

Can’t remove an IP address from an instance

Description
I associated a temporary IP address with my instance while creating the instance using
the Create Instance wizard. Now I want to remove the temporary IP address and use
an IP address reservation instead. How can I remove the temporary IP address from
my instance? The Remove Instance option in the web console is disabled.

Solution
You can’t remove a temporary IP address from an instance. You can only remove a
persistent IP address. If you created an instance with an autogenerated IP address or if
you changed the status of the IP address associated with an instance to temporary,
then to remove that IP address from the instance, first update it to change its status to
permanent. See Updating an IP Reservation.

Can’t delete a security application

Description
When I tried to delete the security application /oracle/public/snmp-trap-udp,
the following error message was displayed:
APIUnauthorizedError: User /Compute-acmecorp/acmeadmin is not permitted to perform
"secapplication.delete" on secapplication: /oracle/public/snmp-trap-udp

Solution
Oracle Compute Cloud Service has a set of predefined security applications. The
names of these security applications start with the /oracle/public container. You
can’t delete these predefined security applications.

Tip:
To view a list of predefined security applications from the web console, click
the Network tab and then the Security Applications tab in the left pane. The
list of available security applications is displayed. In the search field, enter
/oracle/public, and click . A list of all the predefined security
applications is displayed.


SSH Key Problems


This section lists problems you might encounter while using SSH public keys to
securely access your Oracle Compute Cloud Service Linux instances.

Can’t connect to an instance using SSH

Description
I've created an instance but can’t connect to it using SSH.

Solution
Check for each of the following possible causes:

1. Did you use the correct user?

• To log in to an instance that was created by using an Oracle-provided Oracle
Linux machine image, use the opc user.
For instances created by using other machine images, find out which
SSH-enabled users are defined in that machine image, and log in as one of those
users.

• To log in to an instance as a user that was created after the instance was
provisioned, you must generate an SSH key pair for the new user and copy the
public key to the ~/.ssh/authorized_keys file of the user. You must also
add the new user to the list of allowed users in the /etc/ssh/sshd_config
file on the instance. See Adding Users on an Oracle Linux Instance.

2. Did you specify the correct public IP address of the instance?
To find out the public IP address of your instance, view the information on the
Instances page. See Listing Instances.
If no public IP address is associated with the instance, reserve and associate a
public IP address. See Reserving a Public IP Address and Updating an IP
Reservation.

3. Did you specify the correct private key?
The private key that you specify must correspond to one of the public keys
associated with the instance.

4. Does the instance belong to a security list with the inbound policy set to deny?
An instance can be associated with multiple security lists. You can find out which
security lists an instance is attached to by viewing the details of the instance. See
Monitoring Instances.
You can see the policies used by each security list by viewing the details of the
security list from the web console.
If there’s a conflict between the policies of the various security lists, then the most
restrictive policy is applicable. This means that if even one of the security lists that
your instance is attached to has the inbound policy set to deny, then your instance
can’t receive traffic.
If this is the case, then create a security rule to explicitly allow traffic to a security
list that your instance is attached to.

5. Does the error message contain the following warning?
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
If yes, then see RSA key fingerprint error while connecting to an instance.

Can’t access an instance as a local user over SSH

Description
I created a local user on an instance by using the useradd command, but I can't access
the instance over SSH as that user.

Solution
To SSH into an instance using a local user account created with useradd, you must
generate an SSH key pair for the new user and copy the SSH public key to the
appropriate path for the new user. You must also add the new user to the list of
allowed users in the /etc/ssh/sshd_config file on the instance. See Adding Users
on an Oracle Linux Instance.

RSA key fingerprint error while connecting to an instance

Description
When I try to SSH to my Oracle Compute Cloud Service instance, I get a warning
message like the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
d2:aa:50:d4:ff:dc:76:1d:16:95:4a:77:c4:12:87:0f.
Please contact your system administrator.
Add correct host key in /home/joe/.ssh/known_hosts to get rid of this message.
Offending key in /home/joe/.ssh/known_hosts:63
RSA host key for 11.12.13.14 has changed and you have requested strict checking.
Host key verification failed.

Solution
This error occurs when you use SSH to connect to an Oracle-provided Oracle Linux
instance that has a new RSA key fingerprint.
The RSA key fingerprint of an Oracle Compute Cloud Service instance changes when,
for example, an instance that isn’t set up to boot from a persistent disk is re-created.
When you first connected to your Oracle Compute Cloud Service instance, the original
RSA key fingerprint was stored on your local host. Subsequently, whenever you use
SSH to connect to your instance, the instance sends its current fingerprint. The SSH
client compares the received fingerprint with the locally stored fingerprint. If the
fingerprints don’t match, then this error occurs, and the ssh command fails.
Note that this warning message is returned by the OpenSSH client on an Oracle Linux
host. If you’re using a different SSH client or a different operating system, then the
error message may be different.


To solve this error, you must remove the old (and now invalid) RSA fingerprint of the
instance from the local host.

• In Linux, the RSA key fingerprints are usually stored in the
/home/user/.ssh/known_hosts file on the host from which you are trying to ssh to
the instance. Each line in this file starts with the IP address or host name of a
remote host. Open the file in a text editor, identify the line corresponding to the
IP address of the instance that you’re trying to access, and delete that line.

• In Windows, by default, PuTTY stores keys for known hosts in the
HKEY_CURRENT_USER\SoftWare\SimonTatham\PuTTY\SshHostKeys
registry. Each key has a name in the format, rsa2@22:ip_address. Using the
Registry Editor, identify the key corresponding to the IP address of the instance
that you’re trying to access, and delete it.

Caution:

Improper use of the Windows Registry Editor can cause serious problems.
Before you do this, make sure that you’re aware of the associated risks. See the
documentation accompanying the operating system of your local host.

The next time you use SSH to connect to the Oracle Compute Cloud Service instance, a
message is displayed indicating that the authenticity of the host can’t be established.
At the prompt to continue connecting, enter yes. The new fingerprint is added to the
local host, and the connection goes through.

Can’t delete an SSH key

Description
How can I delete an SSH key? There is no delete option in the web console.

Solution
You can't delete an SSH key if it’s associated with an instance. Remember, an SSH key
can be associated with multiple instances. To delete an SSH key that’s associated with
one or more instances, you must first delete all the instances that are associated with
the key.

Storage Volume Problems


This section lists problems you might encounter while creating and using storage
volumes.

Can’t attach a storage volume to an instance

Description
When I try to attach my storage volume to an instance, the following error occurs:
APIConflictError: Attachment index 1 is already in use on instance /Compute-acmecorp/
acmeadmin/dev2/6073c806-f7da-47eb-9678-6e618931b29a


Solution
The index number that you’re trying to assign to this storage volume is already used
for another storage volume. Select a different index number and try again.

Note:
The disk number that you specify here determines the device name. The disk
attached at index 1 is named /dev/xvdb, the disk at index 2 is /dev/xvdc,
the disk at index 3 is /dev/xvdd, and so on.

Can’t access a storage volume on my instance

Description
I successfully created a storage volume by using the web console, but I can't see that
disk when I log in to my instance.

Solution
After creating a storage volume, you must attach it to your instance. Then you must
format the volume and mount it on your instance. See Attaching a Storage Volume to
an Instance and Mounting a Storage Volume on a Linux Instance.

I can no longer access my storage volume from my instance

Description
I had mounted a storage volume on my instance some time ago, but I don’t see it in
the list of devices mounted on the instance today.

Solution
In certain circumstances, storage volumes that were attached to and mounted on your
instance might need to be attached and mounted again. This happens if your instance
stopped and was re-created automatically, or if you deleted your instance and
re-created it. Consider the following:

• Is your instance set up to boot from a nonpersistent disk?
If yes, then when the instance is re-created, all the attached storage volumes must
be mounted again.

• Did you attach the storage volume to the instance after creating the instance?
If yes, then when the instance is re-created, you must attach the storage volume
again.
Note that, though you might need to attach and mount a storage volume again after
an instance is re-created, the data stored on the storage volume isn’t lost.


Can't detach a storage volume from an instance

Description
I've attached three storage volumes to my instance. Now I want to delete the instance.
So I started to detach the storage volumes. I detached two of the storage volumes, but
can’t detach the third one.

Solution
You can detach storage volumes that were attached to an instance after the instance
was created. You can’t detach storage volumes that were attached during instance
creation.

Can't delete a storage volume

Description
I want to delete a storage volume that I no longer need, but the web console doesn’t
show the delete option for the storage volume.

Solution
You can't delete a storage volume if it’s attached to an instance. To find out whether a
storage volume is attached to an instance, view the storage volume information in the
web console. Click the Storage tab, scroll down to the storage volume that you want to
delete, and check the displayed details. If the storage volume that you want to delete is
attached to an instance, then you must detach it first. See Detaching a Storage Volume
from an Instance.
Also, you can’t delete a storage volume if you’ve created any snapshots or clones of
the storage volume. This feature is available only in the Dedicated Compute offering
of Oracle Compute Cloud Service. See Cloning a Storage Volume by Using Storage
Volume Snapshots.

Orchestration Problems
This section lists issues that you might encounter while using orchestrations to create
and manage objects.

Can’t upload an orchestration

Description
When I try to upload my orchestration file, I get the following error: “Unable to create
an orchestration from the JSON file.”

Solution
This error indicates that there are errors in the syntax of your orchestration JSON file.
Open the JSON file in a text editor to identify and fix the problems. You should also
validate your JSON file. You can do this by using a third-party tool, such as JSONLint,
or any other validation tool of your choice.


Note:

Oracle doesn’t support or endorse any third-party JSON-validation tool.

My orchestration hasn’t created any instances

Description
I’ve uploaded my orchestration file but I don’t see my instances. What should I do?

Solution
After uploading your orchestration, the status of your orchestration is automatically
set to Stopped. To create the resources defined in your orchestration, start your
orchestration. See Starting an Orchestration.

Error while starting an orchestration

Description
I’ve uploaded my orchestration, but when I start it, the following error occurs:
Specify either an ImageList or boot_order and StorageVolume.

Solution
This error indicates that your orchestration doesn’t specify either an image or a
bootable storage volume for your instance.

• To set up the instance to boot from a persistent disk, you must attach a bootable
  storage volume by using the storage_attachments instance attribute, and then
  specify the index number of the attached storage volume as the boot disk by using
  the boot_order instance attribute.

  {
    "objects": [
      {
        "instances": [
          {
            "boot_order": [
              1
            ],
            "storage_attachments": [
              {
                "index": 1,
                "volume": "/Compute-acme/joe/bootable-vol1"
              }
            ]
          }
        ]
      }
    ]
  }

• To set up the instance to boot from a nonpersistent disk, specify the image that you
want to use by using the imagelist attribute.

  {
    "objects": [
      {
        "instances": [
          {
            "imagelist": "/oracle/public/oel6"
          }
        ]
      }
    ]
  }

Note:

If you specify both boot_order and imagelist for an instance in an
orchestration, the imagelist attribute is ignored and the instance is booted
using the bootable storage volume specified by the boot_order attribute. See
Instance Attributes.

My instance was created using a wrong image

Description
I created an instance using an orchestration. I specified an image in the orchestration
file, but my instance was created using a different image.

Solution
Check your orchestration file. In the instance attributes, did you specify a bootable
storage volume using the storage_attachments attribute? Did you also specify an
image in the imagelist attribute?
If you want to use a bootable storage volume to boot your instance, use the
boot_order instance attribute to specify the appropriate storage volume index
number. If you’ve not specified the appropriate index number in the boot_order
attribute, then your instance will be booted using the image you’ve specified in the
imagelist attribute.
If you want to boot your instance using a default, non-persistent storage volume,
ensure that you’ve not specified the boot_order attribute and that you’ve specified a
valid image for the instance using the imagelist attribute instead. Remember, if you
specify a valid value for both boot_order and imagelist, the imagelist attribute
is ignored and the instance is booted using the image stored on the bootable storage
volume specified by the boot_order attribute.
For more information about instance attributes, see Instance Attributes.

My orchestration is stuck in the stopping state

Description
I tried to stop an orchestration but it’s been stuck in the Stopping state for a long time
and the objects defined in that orchestration haven’t been deleted. Why did this
happen and what should I do?


Solution
An orchestration can get stuck in the Stopping state if any of the objects defined in the
orchestration are used or referenced by other objects. While stopping an orchestration,
ensure that none of the objects in that orchestration are used or referenced by any
other object.
For example, let’s say you’ve created an orchestration, seclist_orch, which defines
a set of security lists. If any security list in this orchestration is used in a security rule,
or has any running instances added to it, then that security list can’t be deleted. So the
seclist_orch orchestration can’t be stopped. In this example, you’d have to delete
any security rules that use any of the security lists in the seclist_orch
orchestration. You’d also have to detach any instances that have been added to any of
the security lists in the seclist_orch orchestration.
When you’ve cleared all existing dependencies, the orchestration that’s in the
Stopping state will automatically transition to the Stopped state.

Launch Plan Problems


This section lists issues that you might encounter when you use launch plans to create
instances.

Can’t create an instance using a launch plan. Error: Shape does not exist

Description
When I try to create an instance using a launch plan, I get the error, "Shape does
not exist."

Solution
This error indicates that you might have entered the name of the shape incorrectly in
your launch plan. Check that your launch plan refers to one of the available shapes.
Then run the launch command again.

Can’t create an instance using a launch plan. Error: Unable to open file

Description
When I try to create an instance using a launch plan, I get the error, "Unable to
open file."

Solution
This error indicates that you might have entered the name or path to your JSON file
incorrectly. Check the filename and location of the JSON file that you want to use and
then run the launch command again.

Can’t create an instance using a launch plan. Error displayed: Data is invalid JSON

Description
When I try to create an instance using a launch plan, I get the error, "Data is
invalid JSON."


Solution
There may be an error in the JSON file that you specified with the launch command.
To identify the error in the JSON file, look at the text displayed on the console
immediately before this error message appeared. You might see a message similar to
the following:
Expecting delimiter: line 10 column 13 (char 314).

Open your JSON file in a text editor and use the information in the error message to
identify and fix the problem. You should also validate your JSON file. You can do this
by using a third-party tool, such as JSONLint, or any other validation tool of your
choice. Then run the launch command again.

Note:

Oracle doesn’t support or endorse any third-party JSON-validation tool.
