Integration Guides

VMware vCenter

Overview

VMware is a very common cloud integration choice supported by Morpheus. They have provided a top-notch virtualization solution and one might argue pioneered the virtualization space altogether. As such, many companies utilize this technology and all the features that come with it, so Morpheus covers a broad feature set in vCenter.

Features

  • Virtual Machine Provisioning
  • Backups / Snapshots
  • Resource Groups
  • Datastores and DRS Clusters
  • Distributed Switches
  • Datacenter / Cluster scoping
  • Brownfield VM management and migration
  • VMware to VMware migrations
  • VMDK/OVF image conversion support
  • Hypervisor Remote Console
  • Periodic Synchronization
  • Veeam Backup Integration
  • Lifecycle Management and Resize

On top of all these features, Morpheus also adds additional features to VMware that do not exist out of the box to make it easier to manage in multitenant environments as well as hybrid cloud environments:

  • Cloud-Init Support
  • VHD to VMDK Image Conversion
  • QCOW2 to VMDK Image Conversion
  • Multitenancy resource allocation
  • Virtual Image management (Templates)
  • Auto-scaling and recovery

Getting Started

To get started with VMware, simply start by adding a Cloud in the Infrastructure -> Clouds section.

../_images/add_cloud.png

To start adding a VMware cloud there will be some things you will need:

vCenter API URL
Typically this is the URL of the vCenter web client with /sdk appended to the path
Username/Password
A set of credentials with high-level access to VMware (ensure the account has Datacenter-level access)

Once these fields are entered, some selections will start pre-populating. A cloud integration must be scoped to a specific data center and cluster. If the drop-downs do not populate, please verify the API URL and that the provided credentials have access to vCenter.

Another cool feature provided with the cloud integration is optional Resource Pool scoping. One can choose to allow the cloud to provision into All Resource Pools or a singular Resource Pool. When choosing All, these Resource Pools can be managed from a sub-account and visibility perspective via the Cloud Detail page (multi-tenancy).

The VMware cloud integration provides a few additional options including allowing users to make host selections or keeping that aspect hidden such that the best host is automatically chosen for the requested provision.

The RPC Mode feature can be configured to allow Morpheus to install its agent on the guest operating system via either SSH/WinRM or the VMware Tools Guest Process feature. The VMware Tools Guest Execution API can be tricky, so it is recommended to use SSH/WinRM if possible. However, if it is not possible for the appliance to have outbound access to the SSH/WinRM ports (22 and 5985 respectively) on all networks into which VMs are being provisioned, then Guest Execution is the only option.

The Use VNC console option on the VMware cloud requires special configuration on each ESXi host but allows hypervisor-level remote console support. (See the Advanced section for details.)

When following this add cloud wizard an option will be presented to create a group or add to an existing group. These groups can be given provisioning permission via role-based access control. It is normally recommended that groups are organized such that one cloud exists in one group unless the networks are set up such that internal routing is possible between the clouds. This is very useful for bursting, or hybrid cloud configurations.

Existing Instances

Morpheus provides several features regarding pulling in existing virtual machines and servers in an environment. Most cloud options contain a checkbox titled ‘Inventory Existing Instances’. When this option is selected, all VMs found within the specified scope of the cloud integration will be scanned periodically and Virtual Machines will be synced into Morpheus. By default these virtual machines are considered ‘unmanaged’ and do not appear in the Provisioning -> Instances area but rather Infrastructure -> Hosts -> Virtual Machines. However, a few features are provided with regards to unmanaged instances. They can be assigned to various accounts if using a multitenant master account; however, it may be better to instead assign the ‘Resource Pool’ to an account and optionally move all servers belonging to that pool (more on this later). A server can also be made into a managed server. During this process remote access is requested and an agent install is performed on the guest operating system. This allows for guest operations regarding log acquisition and stats. If the agent install fails, a server will still be marked as managed and an Instance will be created in Provisioning, however certain features will not function. This includes stats collection and logs.

Note

All Cloud data is resynchronized on a 5 minute interval. This includes Datastores, Resource Pools, Networks, Templates, and Virtual Machines.

Service Plans

A default set of Service Plans are created in Morpheus for the VMware provisioning engine. These Service Plans can be considered akin to AWS Flavors or OpenStack Flavors. They provide a means to set predefined tiers on memory, storage, cores, and CPU. Price tables can also be applied to these so estimated cost per virtual machine can be tracked as well as pricing for customers. By default, these options are fixed sizes but can be configured for dynamic sizing. A service plan can be configured to allow a custom user entry for memory, storage, or CPU. To configure this, simply edit an existing Service Plan tied to VMware or create a new one. These all can be easily managed from the Admin -> Plans & Pricing section.

../_images/service_plans.png

Virtual Images / Templates

Morpheus will automatically take an inventory of all templates configured in vCenter and present them as options during provisioning. However, in order for Morpheus to properly provision these virtual machines and provide accurate stats and health of these virtual machines, an agent must be installed during virtual machine startup. This means remote access needs to be granted at the guest operating system level to Morpheus. To properly configure these virtual images, find the relevant images in Provisioning -> Virtual Images and edit the entry. On this form, a few options are presented. The first is a check box asking whether or not cloud-init is enabled. If cloud-init is enabled, simply provide the default OS username configured (for Ubuntu the username is ubuntu and for CentOS the username is centos). For those looking to add cloud-init to existing templates, Morpheus requires no special configuration and can use the default cloud.cfg settings.

A global cloud-init username/password can also be configured per account as well as a keypair via the Admin->Provisioning settings section. The great benefit of utilizing cloud-init is default templates do not need common credential sets thereby increasing provisioning security.

Windows systems do not typically support cloud-init. So simply turn this checkbox off and provide the Administrator credentials. It should be noted that these credentials are encrypted in the database. If using WinRM for the RPC Mode instead of VMware tools, a Local or Domain Administrator account credential set can be provided instead.

Docker

So far this document has covered how to add the VMware cloud integration, which enables users to provision virtual machine based instances via the Add Instance catalog in Provisioning. Another great feature provided by Morpheus out of the box is the ability to use Docker containers and even support multiple containers per Docker host. To do this a Docker Host must first be provisioned into VMware (multiple are needed when dealing with horizontal scaling scenarios).

To provision a Docker Host simply navigate to the Cloud detail page or Infrastructure -> Hosts section. From there click the + Container Host button to add a VMware Docker Host. This host will show up in the Hosts tab next to other ESXi servers that were inventoried by the VMware cloud integration. Morpheus views a Docker host just like any other Hypervisor with the caveat being that it is used for running containerized images instead of virtualized ones. Once a Docker Host is successfully provisioned a green checkmark will appear to the right of the host marking it as available for use. In the event of a failure click into the relevant host that failed and an error explaining the failure will be displayed in red at the top.

Some common error scenarios involve network connectivity. For a Docker Host to function properly, it must be able to resolve the Morpheus appliance URL, which can be configured in Admin -> Settings. If it is unable to resolve and negotiate with the appliance then the agent installation will fail and provisioning instructions will not be able to be issued to the host.

Multitenancy

A very common scenario for Managed Service Providers is the need to provide access to VMware resources on a customer by customer basis. With VMware several administrative features have been added to ensure customer resources are properly scoped and isolated. For VMware it is possible to assign specific Networks, Datastores, and Resource Pools to customer accounts or even set the public visibility of certain resources, therefore allowing all sub accounts access to the resource.

../_images/cloud_detail.png

Advanced

There are several advanced features provided within Morpheus that can leverage some cool aspects of VMware. One of these features is Remote Console support directly to the hypervisor. To enable this feature a few prerequisites must be met. First, the Morpheus appliance must have network access to the ESXi hosts within vCenter. Secondly, firewall settings need to be adjusted on each ESXi host. This can be done in vSphere under firewall configuration on the host. Simply check the gdbserver option, which will open up the necessary ports (starting in the 5900 range).

Now that the ESXi hosts are ready to utilize remote console, simply edit the cloud in Morpheus via Infrastructure -> Clouds. Check the option that says Use VNC. It is important to note that currently this functionality only works for VMs newly provisioned directly via Morpheus. This should change soon however.

It is also possible to import VM snapshots for backup or conversion purposes from vCenter and also from an ESXi host. However, this does require that the ESXi host has an enterprise-level license, as VMware will not allow the appliance to download a virtual image if the host is not running a paid VMware license.

AWS

Overview

AWS is the Amazon public cloud, offering a full range of services and features across the globe in various datacenters. AWS provides businesses with a flexible, highly scalable, and low-cost way to deliver a variety of services using open standard technologies as well as proprietary solutions. This section of documentation will help you get Morpheus and AWS connected to utilize the features below:

Features

  • Virtual Machine Provisioning
  • Containers
  • Backups / Snapshots
  • Resources Groups
  • Migrations
  • Auto Scaling
  • Load Balancing
  • AWS Marketplace Search and Provisioning
  • Remote Console
  • Periodic Synchronization
  • Lifecycle Management and Resize
  • Restore from Snapshots
  • EC2
  • RDS
  • S3
  • ELBs
  • ALBs
  • Route53
  • IAM Profiles
  • Network Sync
  • Security Group Sync
  • Pricing Sync
  • Assign Elastic IPs
  • Network Pools

Morpheus can provide a single pane of glass and self-service portal for managing instances scattered across both AWS and private cloud offerings like VMware and Hyper-V.

Requirements

  • AWS IAM Security Credentials
    • Access Key
    • Secret Key
    • Sufficient User Privileges (see the Minimum AWS IAM Policies section for more info)
  • Security Groups
    • Typical Inbound ports open from Morpheus Appliance: 22, 5985, 3389
    • Typical Outbound to Morpheus Appliance: 80, 443
      • These are required for Morpheus agent install, communication, and remote console access for Windows and Linux. Other configurations, such as Docker instances, will need the appropriate ports opened as well. Cloud-init Agent Install mode does not require access to port 22.
  • Network(s)
    • Public IP assignment required for Agent install, Script Execution, and Console if the Morpheus Appliance is not able to communicate with the AWS instances' private IPs.

NOTE: Each AWS Cloud in Morpheus is scoped to an AWS Region, and multiple AWS Clouds can be added and even Grouped. Verify Security groups are properly configured in all Regions Morpheus will scope to.
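The port requirements above are easy to get wrong in the permissive direction (opening 22 or 3389 to the whole internet instead of to the appliance). The following is an added example, not Morpheus code: it checks a security group, in the shape boto3's EC2 describe_security_groups returns, against the required inbound and outbound ports for an assumed appliance address (203.0.113.10) and flags management ports exposed to 0.0.0.0/0. The sample group is constructed inline, so nothing is called in AWS.

```python
"""Check an AWS security group against the Morpheus appliance port requirements.

Added example, not Morpheus code. The security group dict below is a constructed
sample in the shape of boto3 ec2.describe_security_groups()["SecurityGroups"][0].
"""
import ipaddress

# Ports the guide requires: appliance -> instance (inbound on the instance SG)
# and instance -> appliance (outbound). Cloud-init agent install mode does not
# need 22, so treat a missing 22 as informational in that setup.
REQUIRED_INBOUND = {22, 5985, 3389}
REQUIRED_OUTBOUND = {80, 443}

# Assumed appliance address (TEST-NET-3 documentation range, not a real host).
APPLIANCE_IP = "203.0.113.10"


def _ports(perm):
    """Expand an IpPermission entry into the set of TCP ports it covers."""
    if perm.get("IpProtocol") == "-1":          # "all traffic" rule
        return set(range(0, 65536))
    if perm.get("IpProtocol") != "tcp":
        return set()
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def _cidrs(perm):
    """IPv4 CIDRs on a permission (IPv6 ranges are ignored in this example)."""
    return [r["CidrIp"] for r in perm.get("IpRanges", [])]


def _covers(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_security_group(sg, appliance_ip=APPLIANCE_IP):
    """Return findings for one security group:

    missing_inbound  - required ports the appliance cannot reach
    missing_outbound - required appliance ports the instance cannot reach
    world_open       - (port, cidr) pairs where a management port is open to everyone
    """
    reachable, world_open = set(), []
    for perm in sg.get("IpPermissions", []):
        ports = _ports(perm) & REQUIRED_INBOUND
        for cidr in _cidrs(perm):
            if _covers(cidr, appliance_ip):
                reachable |= ports
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:   # 0.0.0.0/0
                world_open += [(p, cidr) for p in sorted(ports)]
    allowed_out = set()
    for perm in sg.get("IpPermissionsEgress", []):
        ports = _ports(perm) & REQUIRED_OUTBOUND
        for cidr in _cidrs(perm):
            if _covers(cidr, appliance_ip):
                allowed_out |= ports
    return {
        "missing_inbound": sorted(REQUIRED_INBOUND - reachable),
        "missing_outbound": sorted(REQUIRED_OUTBOUND - allowed_out),
        "world_open": world_open,
    }


# Constructed sample: SSH open to the world, WinRM correctly limited to the
# appliance, RDP missing entirely, and only HTTPS (not HTTP) allowed outbound.
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5985, "ToPort": 5986,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for key, value in check_security_group(SAMPLE_SG).items():
        print(f"{key}: {value}")
```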

Creating an AWS Cloud

  1. Navigate to Infrastructure -> Clouds

  2. Select + Create Cloud

  3. Select AWS

  4. Enter the following:

    Name

    Name of the Cloud in Morpheus

    Location

    Description field for adding notes on the cloud, such as location.

    Visibility

    For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.

    Region

    Select AWS Region for the Cloud

    Access Key

    Access Key ID from AWS IAM User Security Credentials.

    Secret Key

    Secret Access Key associated with the Access Key ID.

    Inventory Existing Instances

    If enabled, existing EC2 Instances will be inventoried and appear as unmanaged Virtual Machines in Morpheus.

  5. The AWS cloud is ready to be added to a group and saved. Additional configuration options available:

Advanced Options

IMAGE TRANSFER STORE
S3 bucket for Image transfers, required for migrations into AWS.

Note

All fields and options can be edited after the Cloud is created.

Minimum AWS IAM Policies

Below are the AWS IAM Policies for EC2, RDS, and S3 covering the minimum access for Morpheus applying to all resources.

See http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html for more information.

EC2

{
  "Version": "2012-10-17",
  "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "ec2:AllocateAddress",
       "ec2:AssignPrivateIpAddresses",
       "ec2:AttachVolume",
       "ec2:AuthorizeSecurityGroupEgress",
       "ec2:AuthorizeSecurityGroupIngress",
       "ec2:CancelExportTask",
       "ec2:CancelImportTask",
       "ec2:CopyImage",
       "ec2:CreateImage",
       "ec2:CopySnapshot",
       "ec2:CreateInstanceExportTask",
       "ec2:CreateKeyPair",
       "ec2:CreateNetworkAcl",
       "ec2:CreateNetworkAclEntry",
       "ec2:CreateNetworkInterface",
       "ec2:CreateSecurityGroup",
       "ec2:CreateSnapshot",
       "ec2:CreateTags",
       "ec2:CreateVolume",
       "ec2:DeleteKeyPair",
       "ec2:DeleteNetworkAcl",
       "ec2:DeleteNetworkAclEntry",
       "ec2:DeleteNetworkInterface",
       "ec2:DeleteSecurityGroup",
       "ec2:DeleteSnapshot",
       "ec2:DeleteTags",
       "ec2:DeleteVolume",
       "ec2:DeregisterImage",
       "ec2:DescribeAccountAttributes",
       "ec2:DescribeAddresses",
       "ec2:DescribeAvailabilityZones",
       "ec2:DescribeClassicLinkInstances",
       "ec2:DescribeConversionTasks",
       "ec2:DescribeExportTasks",
       "ec2:DescribeImageAttribute",
       "ec2:DescribeImages",
       "ec2:DescribeImportImageTasks",
       "ec2:DescribeImportSnapshotTasks",
       "ec2:DescribeInstances",
       "ec2:DescribeInstanceStatus",
       "ec2:DescribeKeyPairs",
       "ec2:DescribeNetworkAcls",
       "ec2:DescribeNetworkInterfaceAttribute",
       "ec2:DescribeNetworkInterfaces",
       "ec2:DescribeRegions",
       "ec2:DescribeSecurityGroupReferences",
       "ec2:DescribeSecurityGroups",
       "ec2:DescribeSnapshotAttribute",
       "ec2:DescribeSnapshots",
       "ec2:DescribeStaleSecurityGroups",
       "ec2:DescribeSubnets",
       "ec2:DescribeTags",
       "ec2:DescribeVolumeAttribute",
       "ec2:DescribeVolumes",
       "ec2:DescribeVolumeStatus",
       "ec2:DescribeVpcAttribute",
       "ec2:DescribeVpcClassicLink",
       "ec2:DescribeVpcClassicLinkDnsSupport",
       "ec2:DescribeVpcEndpoints",
       "ec2:DescribeVpcEndpointServices",
       "ec2:DescribeVpcs",
       "ec2:DetachNetworkInterface",
       "ec2:DetachVolume",
       "ec2:DisassociateAddress",
       "ec2:ImportImage",
       "ec2:ImportInstance",
       "ec2:ImportKeyPair",
       "ec2:ImportSnapshot",
       "ec2:ImportVolume",
       "ec2:ModifyImageAttribute",
       "ec2:ModifyInstanceAttribute",
       "ec2:ModifyNetworkInterfaceAttribute",
       "ec2:ModifySnapshotAttribute",
       "ec2:ModifyVolumeAttribute",
       "ec2:RebootInstances",
       "ec2:RegisterImage",
       "ec2:ReleaseAddress",
       "ec2:ReplaceNetworkAclAssociation",
       "ec2:ReplaceNetworkAclEntry",
       "ec2:ResetImageAttribute",
       "ec2:ResetInstanceAttribute",
       "ec2:ResetNetworkInterfaceAttribute",
       "ec2:ResetSnapshotAttribute",
       "ec2:RevokeSecurityGroupEgress",
       "ec2:RevokeSecurityGroupIngress",
       "ec2:RunInstances",
       "ec2:StartInstances",
       "ec2:StopInstances",
       "ec2:TerminateInstances",
       "ec2:UnassignPrivateIpAddresses"
     ],
     "Resource": "*"
   }
 ]
}

RDS

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "rds:AddRoleToDBCluster",
       "rds:AddTagsToResource",
       "rds:ApplyPendingMaintenanceAction",
       "rds:AuthorizeDBSecurityGroupIngress",
       "rds:CopyDBClusterParameterGroup",
       "rds:CopyDBClusterSnapshot",
       "rds:CopyDBSnapshot",
       "rds:CreateDBCluster",
       "rds:CreateDBClusterSnapshot",
       "rds:CreateDBInstance",
       "rds:CreateDBInstanceReadReplica",
       "rds:CreateDBSecurityGroup",
       "rds:CreateDBSnapshot",
       "rds:DeleteDBCluster",
       "rds:DeleteDBInstance",
       "rds:DeleteDBSecurityGroup",
       "rds:DeleteDBSnapshot",
       "rds:DescribeAccountAttributes",
       "rds:DescribeCertificates",
       "rds:DescribeDBClusterParameterGroups",
       "rds:DescribeDBClusterParameters",
       "rds:DescribeDBClusters",
       "rds:DescribeDBClusterSnapshotAttributes",
       "rds:DescribeDBClusterSnapshots",
       "rds:DescribeDBEngineVersions",
       "rds:DescribeDBInstances",
       "rds:DescribeDBLogFiles",
       "rds:DescribeDBParameterGroups",
       "rds:DescribeDBParameters",
       "rds:DescribeDBSecurityGroups",
       "rds:DescribeDBSnapshotAttributes",
       "rds:DescribeDBSnapshots",
       "rds:DescribeDBSubnetGroups",
       "rds:DescribeEngineDefaultClusterParameters",
       "rds:DescribeEngineDefaultParameters",
       "rds:DescribeEventCategories",
       "rds:DescribeEvents",
       "rds:DescribeOptionGroupOptions",
       "rds:DescribeOptionGroups",
       "rds:DescribeOrderableDBInstanceOptions",
       "rds:DescribeSourceRegions",
       "rds:ListTagsForResource",
       "rds:ModifyDBCluster",
       "rds:ModifyDBClusterParameterGroup",
       "rds:ModifyDBClusterSnapshotAttribute",
       "rds:ModifyDBInstance",
       "rds:ModifyDBParameterGroup",
       "rds:ModifyDBSnapshot",
       "rds:ModifyDBSnapshotAttribute",
       "rds:PromoteReadReplica",
       "rds:PromoteReadReplicaDBCluster",
       "rds:RebootDBInstance",
       "rds:RemoveRoleFromDBCluster",
       "rds:RemoveTagsFromResource",
       "rds:RestoreDBClusterFromS3",
       "rds:RestoreDBClusterFromSnapshot",
       "rds:RestoreDBClusterToPointInTime",
       "rds:RestoreDBInstanceFromDBSnapshot",
       "rds:RestoreDBInstanceToPointInTime",
       "rds:RevokeDBSecurityGroupIngress"
     ],
     "Resource": "*"
   }
  ]
}

S3

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "access-1",
     "Effect": "Allow",
     "Action": [
       "s3:AbortMultipartUpload",
       "s3:DeleteObject",
       "s3:DeleteObjectVersion",
       "s3:GetBucketLocation",
       "s3:GetObject",
       "s3:GetObjectVersion",
       "s3:ListBucket",
       "s3:ListBucketMultipartUploads",
       "s3:ListBucketVersions",
       "s3:ListMultipartUploads",
       "s3:PutObject"
     ],
     "Resource": [
       "arn:aws:s3:::bucketname",
       "arn:aws:s3:::bucketname/*"
     ]
   }
 ]
}

Resource Filter

If you need to limit an action to particular resources, pull it out of the broad statement and place it in its own statement with a resource ARN and a condition, since not all EC2 actions support resource-level permissions.

See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html for more info on limiting resources by filter.

Resource filter example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/purpose": "test"
        }
      }
    }
  ]
}
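Two things go wrong quietly with policies like the ones in this section: a misspelled action name is accepted by IAM but never matches anything, and a mutating action on "Resource": "*" with no Condition grants far more than the tag-scoped TerminateInstances statement above. The following added example (not Morpheus code or an AWS tool) reviews a policy document for both, using a small verb allow-list that is an assumption of this example rather than the AWS action catalogue; the sample policy is constructed inline.

```python
"""Heuristic least-privilege review of an IAM policy document.

Added example, not Morpheus code. Flags action names whose verb is not one
AWS uses (catches typos IAM accepts silently) and lists Allow statements that
grant non-read-only actions on every resource without a Condition.
"""
import json
import re

# Verbs that begin the EC2/RDS/S3 actions used in this guide. Assumption: a
# hand-picked allow-list for this example, not the full AWS action catalogue.
KNOWN_VERBS = (
    "Abort", "Add", "Allocate", "Apply", "Assign", "Associate", "Attach",
    "Authorize", "Cancel", "Copy", "Create", "Delete", "Deregister",
    "Describe", "Detach", "Disassociate", "Get", "Import", "List", "Modify",
    "Promote", "Put", "Reboot", "Register", "Release", "Remove", "Replace",
    "Reset", "Restore", "Revoke", "Run", "Start", "Stop", "Terminate",
    "Unassign",
)
READ_ONLY_VERBS = ("Describe", "Get", "List")
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Z][A-Za-z0-9]*|\*)$")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def suspicious_actions(policy):
    """Return action strings that are malformed or start with an unknown verb."""
    bad = []
    for stmt in _as_list(policy.get("Statement", [])):
        for action in _as_list(stmt.get("Action", [])):
            match = ACTION_RE.match(action)
            if not match:
                bad.append(action)
                continue
            operation = match.group(2)
            if operation != "*" and not operation.startswith(KNOWN_VERBS):
                bad.append(action)
    return bad


def wildcard_mutating_statements(policy):
    """Return (statement index, [mutating actions]) for unconditioned Allow
    statements whose Resource includes "*"."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        mutating = [
            a for a in _as_list(stmt.get("Action", []))
            if not a.split(":", 1)[-1].startswith(READ_ONLY_VERBS)
        ]
        if mutating:
            findings.append((i, mutating))
    return findings


def review_policy(policy_json):
    """Parse a policy document string and return both sets of findings."""
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        raise ValueError("expected policy Version 2012-10-17")
    return {
        "suspicious_actions": suspicious_actions(policy),
        "wildcard_mutating": wildcard_mutating_statements(policy),
    }


# Constructed sample: a broad statement carrying a misspelled RDS action next
# to the tag-conditioned TerminateInstances statement from the example above.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:StopInstances",
                    "rds:CraeteDBInstance"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "ec2:TerminateInstances",
         "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/purpose": "test"}}},
    ],
})

if __name__ == "__main__":
    print(json.dumps(review_policy(SAMPLE_POLICY), indent=2))
```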

Azure

Overview

Azure is Microsoft’s public cloud offering, providing a full range of services and features across the globe in various datacenters. It is Microsoft's equivalent of AWS, running primarily on the Hyper-V based hypervisor. While it is a great public cloud offering, it can be somewhat difficult to integrate with, which is what this guide aims to cover.

Features

  • Virtual Machine Provisioning
  • Azure SQL Database
  • Backups / Snapshots
  • Resource Group Sync & Selection
  • Network Sync & Selection
  • Security Group Sync & Selection
  • Storage Account Sync & Selection
  • Marketplace Search and Provisioning
  • Azure Marketplace Custom Library Item Support
  • Remote Console
  • Periodic Synchronization
  • Lifecycle Management and Resize
  • Availability Set Support
  • Azure Load Balancers
  • Azure Storage
  • Docker Host Provisioning & Management
  • Service Plan Sync
  • Pricing Sync with markup options
  • Cost Estimator

Combine these features with on-premises solutions like Azure Stack and Morpheus can provide a single pane of glass and self-service portal for managing instances scattered across both public Azure and private Azure Stack offerings.

Note

Morpheus even supports integrating with CSP based accounts in Azure (typically used by managed service providers).

Requirements

  • Azure Active Directory Application & Credentials
    • Client ID (old portal) / Application ID (new portal)
    • Client Secret (old portal) / Key Value (new portal)
    • Tenant ID (old Portal) / Directory ID (new portal)
    • Azure Subscription ID
  • Above Active Directory App added as owner of this Azure Subscription
  • Existing Azure Resources
    • Network Security Group(s)
      • Typical Inbound ports open from Morpheus Appliance: 22, 5985, 3389
      • Typical Outbound to Morpheus Appliance: 80, 443
        • These are required for Morpheus agent install, communication, and remote console access for Windows and Linux. Other configurations, such as Docker instances, will need the appropriate ports opened as well.
    • Virtual Network(s)
      • Public IP assignment required for instances if the Morpheus Appliance is not able to communicate with the Azure instances' private IPs.
    • Resource Group(s)
    • Storage Account(s)

Note

Morpheus v2.10.3 added support for multiple Resource Groups and Storage Accounts per cloud, making our Azure integration more capable and easier to configure. Prior versions of Morpheus supported one resource group and one storage account per cloud, with the security group and network selection limited to the scoped Resource Group. If you are on an earlier version of Morpheus, please note you will need to add an Azure cloud integration for each Resource Group and Storage Account you would like to use.

Azure Active Directory Credentials

If you do not already have the Azure Active Directory credentials required to add an Azure cloud to Morpheus, use the steps below to obtain them.

Important

Microsoft recently added support for Active Directory application configuration in the new Azure portal. Previously, users had to use the old portal to get the required credentials to integrate Azure with Morpheus. The instructions below are updated for the new portal. Microsoft also changed the naming conventions of the credentials:

Old and New Portal Naming Conventions:

Old Azure Portal Name | New Azure Portal Name
--------------------- | ---------------------
Tenant ID             | Directory ID
Client ID             | Application ID

Creating an Azure Active Directory Application

If you do not have an existing Azure Active Directory application for Morpheus, you will need to create a new one by:

  1. Log into the Azure portal

  2. Select “Azure Active Directory”

  3. Select “App Registrations”

  4. Select “New Application Registration”

    ../_images/newazure-f3af4.png
  5. Next, give your new AD app a name, specify Web app / API for the type (default) and enter any url for the Sign-on URL:

    ../_images/newazure-8c7ca.png
  6. Click Create and your new Azure Active Directory Application will be created.

    ../_images/newazure-f4e2d.png

Now that we have (or already had) our AD app, we will gather the credentials required for the Morpheus Azure integration.

Tenant ID/Directory ID

While still in the Active Directory Section:

  1. Select Properties

  2. Copy the Directory ID

  3. Store/Paste for use as the Tenant ID when Adding your Azure cloud in Morpheus

    ../_images/newazure-044cf.png

Client ID/Application ID

  1. Select App Registrations

  2. Select your Active Directory Application

  3. Copy the Application ID

  4. Store/Paste for use as the Client ID when Adding your Azure cloud in Morpheus

    ../_images/newazure-3c6fa.png

Client Secret/Key Value

While still in your Active Directory Application:

  1. Select Keys in the Settings pane

  2. Enter a name for the key

  3. Select a duration

  4. Select save

  5. Copy the Key Value

  6. Store/Paste for use as the Client Secret when Adding your Azure cloud in Morpheus

    Important

    Copy the key value. You won’t be able to retrieve it after you leave this blade.

    ../_images/newazure-7b82b.png

You now have the 3 Active directory credentials required for Morpheus Azure cloud integration.

Subscription ID

The last credential required for the Morpheus Azure cloud integration is the Azure Subscription ID

  1. Select Resource Groups

  2. Select a Resource Group (instruction below if you do not have an existing resource group)

  3. Copy the Subscription ID

  4. Store/Paste for use as the Subscription ID when Adding your Azure cloud in Morpheus

    ../_images/newazure-e446f.png

Make Azure Active Directory Application owner of Subscription

The Active Directory Application used needs to be an owner of the subscription used for the Azure Morpheus cloud integration.

  1. In the Subscription pane, select “Access Control (IAM)”

    ../_images/newazure-bd9f1.png
  2. Click “+ Add”, in the pane to the right, select “1 Select a role” and then select “Owner”

    ../_images/newazure-cfd51.png
  3. Select “2. Add Users” and in the search box begin to type the name of the AD Application created earlier.

    Note

    the AD Application will not display by default and must be searched for.

    ../_images/newazure-7f61c.png
  4. Select the Application, then click “Select” at the bottom of the Add Users pane, and then select “OK” at the bottom of the Add Access pane.

    Important

    Be sure to select “OK” at the bottom of the Add Access pane or the user addition will not save.

    ../_images/newazure-560be.png

You now have the required Credentials to add an Azure cloud integration into Morpheus.

Important

You will also need to have existing Network Security Group(s), Virtual Network(s) and Storage Account(s). Instructions for creating these can be found later in this article.

Add Azure cloud in Morpheus

Azure is now ready to be added into Morpheus. Ensure you have the noted Subscription ID, Tenant ID, Client ID, and Client Secret accessible.

  1. In Infrastructure - Clouds, select “+ Create Cloud” and select Azure from the cloud widget.

    OR

  2. In Infrastructure -> Groups, you can select the Clouds tab of a Group and click “+ ADD” next to Azure in the Public Cloud section

  3. Enter the following:

    • Name
    • Location (optional)
    • Domain (if not localdomain)
    • Scale Priority
    • Subscription ID (from the Subscription ID section above)
    • Tenant ID (from the Tenant ID/Directory ID section above)
    • Client ID (from the Client ID/Application ID section above)
    • Client Secret (from the Client Secret/Key Value section above)

    If everything is entered correctly, the Location dropdown will populate.

  4. Select the Location/Region to scope the cloud to (additional Clouds can be added for multiple regions)

  5. Select All or specify a Resource Group to scope this cloud to

  6. Optionally select “Inventory Existing Instances” (This will inventory your existing VMs in Azure and list them in Morpheus as unmanaged instances.)

  7. Click “Save Changes”

    ../_images/newazure-5f512.png

Your Azure Cloud will be created.

../_images/newazure-2a7fe.png

Creating Resources in Azure

If you do not have existing Network Security Groups, Virtual Networks, or Storage Accounts, you can create them by following the steps below:

Create a Network Security Group

  1. In the main Azure toolbar, select the right arrow at the bottom of the toolbar (if collapsed) and search for and select Network Security Groups.

    ../_images/newazure-83506.png
  2. Click “+ Add” at the top of the Network security groups pane

    ../_images/newazure-3357f.png
  3. Enter a unique name for the security group, select the correct subscription, and either select the resource group being used, or create a new one as shown below. Also verify the Location is the same, and then click “Create” at the bottom of the pane.

    ../_images/newazure-7c098.png
  4. Configure inbound and outbound rules for the security group. Ports 80 (HTTP), 443 (HTTPS), 22 (SSH) and 5985 (WinRM) need to be open to and from the Morpheus appliance.

Create a Virtual Network

  1. In the main Azure toolbar, select the right arrow at the bottom of the toolbar (if collapsed) and search for and select Virtual Networks.

    ../_images/newazure-7ecb2.png
  2. Click “+ Add” at the top of the Virtual Networks pane

    ../_images/newazure-db3a5.png
  3. Enter a unique name for the virtual network, the correct subscription, select “Use existing” and select the same resource group as the Network Security Group. Also verify the Location is the same, and then click “Create” at the bottom of the pane.

    ../_images/newazure-a3066.png

Create a Storage Account

  1. In the main Azure toolbar, select the right arrow at the bottom of the toolbar (if collapsed) and search for and select Storage Accounts.

    ../_images/newazure-4429f.png
  2. Click “+ Add” at the top of the Storage accounts pane

  3. Enter a unique name for the storage account, select “Locally-redundant storage (LRS)” for Replication, select the correct subscription, select “Use existing” and select the same resource group as the Network Security Group and Virtual Network. Also verify the Location is the same, and finally click “Create” at the bottom of the pane.

    ../_images/newazure-b89ea.png

Docker

So far this document has covered how to add the Azure cloud integration, which enables users to provision virtual machine based instances via the Add Instance catalog in Provisioning. Another great feature provided by Morpheus out of the box is the ability to use Docker containers and even support multiple containers per Docker host. To do this a Docker Host must first be provisioned into Azure (multiple are needed when dealing with horizontal scaling scenarios).

../_images/newazure-7971d.png

To provision a Docker Host simply navigate to the Cloud detail page or Infrastructure?Hosts section. From there click the + Container Host button to add a Azure Docker Host. This host will show up in the Hosts tab. Morpheus views a Docker host just like any other Hypervisor with the caveat being that it is used for running containerized images instead of virtualized ones. Once a Docker Host is successfully provisioned a green checkmark will appear to the right of the host marking it as available for use. In the event of a failure click into the relevant host that failed and an error explaining the failure will be displayed in red at the top.

The most common failure scenarios involve network connectivity. For a Docker Host to function properly, it must be able to resolve the Morpheus appliance URL, which can be configured in Admin -> Settings. If it is unable to resolve and negotiate with the appliance, then the agent installation will fail and provisioning instructions cannot be issued to the host.

Multi-tenancy

A very common scenario for Managed Service Providers is the need to provide access to Azure resources on a customer by customer basis. For Azure, several administrative features have been added to ensure customer resources are properly scoped and isolated. It is possible to assign specific Networks and Resource Groups to customer accounts, or to set the public visibility of certain resources, thereby allowing all sub accounts access to the resource.

Azure Stack

Overview

Azure Stack is Microsoft’s Azure Cloud for on-premises environments. Azure Stack contains the core Azure services, allowing organizations to take advantage of Azure’s offerings with the security, compliance, and financial benefits of hosting it in their own data-centers.

  • Virtual Machine Provisioning
  • Backups / Snapshots
  • Resource Group Sync & Selection
  • Network Sync & Selection
  • Security Group Sync & Selection
  • Storage Account Sync & Selection
  • Marketplace Search and Provisioning
  • Remote Console
  • Periodic Synchronization
  • Lifecycle Management and Resize
  • Availability Set Support
  • Azure Load Balancers
  • Azure Storage
  • Docker Host Provisioning & Management
  • Service Plan Sync
  • Pricing Sync with markup options
  • Cost Estimator

Combine these features with public Azure and Morpheus can provide a single pane of glass and self service portal for managing instances scattered across both Azure offerings.

Requirements

Azure Stack Accessibility

By default, the Azure Stack management URLs are not accessible from an external network. Port mappings and DNS must be configured for communication between the Morpheus Appliance and Azure Stack.

Important

In order to communicate with Azure Stack, Morpheus must be able to reach the internal Azure Stack network. The Azure Stack Portal needs to be exposed to the Morpheus Appliance’s network, with corresponding entries added to DNS.

One option to expose the internal Azure Stack network to the Morpheus Appliance’s network is to use the ‘Expose-AzureStackPortal.ps1’ PowerShell script from https://gallery.technet.microsoft.com/scriptcenter/Expose-the-Azure-Stack-7ef68b19. An Azure Stack Port Mapping Tool is also available.

Below is a sample output from the script for reference:

[Admin Portal] Created port mappings on 10.30.23.120 to 192.168.102.8
[Admin Portal] Ports: 13011 30015 13001 13010 13021 13020 443 13003 12646 12647 12648 12649 12650 12495 13026 12499
[Admin Portal] DNS: 10.30.23.120 - adminportal.local.azurestack.external adminmanagement.local.azurestack.external

[Tenant Portal] Created port mappings on 10.30.23.121 to 192.168.102.10
[Tenant Portal] Ports: 13011 30015 13001 13010 13021 13020 443 13003 12646 12647 12648 12649 12650 12495 13026 12499
[Tenant Portal] DNS: 10.30.23.121 - portal.local.azurestack.external management.local.azurestack.external

[Blob Storage] Created port mappings on 10.30.23.122 to 192.168.102.4
[Blob Storage] Ports: 80 443
[Blob Storage] DNS: 10.30.23.122  *.blob.local.azurestack.external

VERBOSE: DNS delegation/forwarding is optional, change the DNS records on MAS-DC01 manually (dnsmgmt.msc from Host).
[DNS Delegation] Created port mappings on 10.30.23.120 to 192.168.200.224
[DNS Delegation] Ports: 53 (TCP/UDP)
[DNS Delegation] DNS: local.azurestack.external NS 10.30.23.120
[DNS Delegation] Change records on MAS-DC01 manually if you plan to use DNS forwarding.
[DNS Delegation] Change records back to the original internal IPs before running this script again.

VERBOSE: App Service detected and external IP's specified, creating mappings....
[App Service API] Created port mappings on 10.30.23.123 to 192.168.102.17
[App Service API] Ports: 443
[App Service API] DNS: 10.30.23.123  api.appservice.local.azurestack.external

[App Service Apps] Created port mappings on 10.30.23.124 to 192.168.102.15
[App Service Apps] Ports: 80 443 21 990
[App Service Apps] DNS: 10.30.23.124  *.appservice.local.azurestack.external

Azure Stack Resources

The following resources need to be created and configured inside Azure Stack for successful provisioning:

  • Resource Group(s)
  • Virtual Network(s)
  • Storage Account(s)
  • Network Security Group(s)
    • Inbound ports open from Morpheus Appliance: 22, 5985, 3389
    • Outbound ports open to Morpheus Appliance: 80, 443

Note

Proper Network and Network Security Group configuration is required for Morpheus agent install, communication, and remote console access. Other configurations, such as docker instances, will need the appropriate ports opened as well.

Required Credentials & Permissions

Credentials to integrate Morpheus with Azure Stack are located in both the public Azure Portal and the Private Azure Stack Portal. The Azure Active Directory Application used must be an owner of the Azure Stack subscription.

  • Azure Portal:
    • Azure Active Directory Application Credentials
      • Directory ID
      • Management URL
      • Identity Resource URL
      • Application ID
      • Key Value
  • Azure Stack Portal:
    • Azure Stack Subscription ID
    • Active Directory App from the Azure portal added as owner of the Azure Stack Subscription in Azure Stack.

Adding an Azure Stack Cloud

Configure

  1. In the Morpheus UI, navigate to Infrastructure -> Clouds and Select + CREATE CLOUD

  2. Select AZURE STACK (PRIVATE) from the Clouds list and select NEXT

  3. In the Configure section, enter:

    NAME

    Internal name for the Cloud in Morpheus

    LOCATION

    (Optional) Can be used to specify the location of the Cloud or add a description.

    VISIBILITY

    Determines Tenant visibility for the Cloud.

    • Private: Access to the Cloud is limited to the assigned Tenant (Master Tenant by default)
    • Public: Access to the Cloud can be configured for Tenants in their Tenant Role permissions.

    IDENTITY URL

    https://login.microsoftonline.com

    MANAGEMENT URL*

    Azure AD Azure Stack Administrator app or Microsoft Azure Stack Administrator app url. Example: https://adminmanagement.local.azurestack.external/

    IDENTITY RESOURCE URL

    Azure AD Azure Stack Administrator App ID URI Example: https://adminmanagement.xxxxxxx.onmicrosoft.com/4a80e607-4259-4ac6-83e2-2fabeaf2eh83

    BASE DOMAIN

    This should match the base domain in your Management url. Example: local.azurestack.external

    SUBSCRIPTION ID

    Subscription ID from the Azure Stack portal (this is different from the Subscription ID in your Azure portal used when configuring Azure Stack)

    TENANT ID

    This is the Directory ID from the Azure AD directory

    CLIENT ID

    Application ID of the Azure AD app that has Azure Stack permissions granted and has been added as an owner of the Azure Stack subscription (in the Azure Stack portal).

    CLIENT SECRET

    Key Value of Application ID used above

  4. Once all credentials are entered and validated, the Location and Resource Group fields will populate.

    Location

    Select an Azure Stack region for the cloud to scope to. This typically will be “local”.

    Resource Group

    Select All or a single Resource Group to scope the cloud to. Selecting a single Resource Group will only sync resources in that Resource Group and disable Resource Group selection during provisioning. All will sync all resources and allow specifying the Resource Group during provisioning.

    Inventory Existing Instances

    If enabled, existing Virtual Machines will be inventoried and appear as unmanaged Virtual Machines in Morpheus.

  5. The Azure Stack cloud is ready to be added to a group and saved. Additional configuration options available:

Note

All fields and options can be edited after the Cloud is created.

Advanced Options
DOMAIN
Specify a default domain for instances provisioned to this Cloud.
SCALE PRIORITY
Specifies the priority with which an instance will scale into the cloud. A lower priority number means this cloud integration will take scale precedence over other cloud integrations in the group.
APPLIANCE URL
Alternate Appliance url for scenarios when the default Appliance URL (configured in admin -> settings) is not reachable or resolvable for Instances provisioned in this cloud. The Appliance URL is used for Agent install and reporting.
TIME ZONE
Configures the time zone on provisioned VM’s if necessary.
DATACENTER ID
Used for differentiating pricing among multiple datacenters. Leave blank unless prices are properly configured.
HYPER-CONVERGED ENABLED
Not applicable for Azure Stack
DNS INTEGRATION
Records for instances provisioned in this cloud will be added to selected DNS integration.
SERVICE REGISTRY
Services for instances provisioned in this cloud will be added to selected Service Registry integration.
CONFIG MANAGEMENT
Select a Chef, Salt, Ansible or Puppet integration to be used with this Cloud.
AGENT INSTALL MODE
  • SSH / WINRM: Morpheus will use SSH or WINRM for Agent install.
  • Cloud-Init (when available): Morpheus will utilize Cloud-Init or Cloudbase-Init for agent install when provisioning images with Cloud-Init/Cloudbase-Init installed. Morpheus will fall back on SSH or WINRM if cloud-init is not installed on the provisioned image.
API PROXY
Required when a Proxy Server blocks communication between the Morpheus Appliance and the Cloud. Proxies can be added in the Infrastructure -> Networks -> Proxies tab.
Provisioning Options
API PROXY
Required when a Proxy Server blocks communication between an Instance and the Morpheus Appliance. Proxies can be added in the Infrastructure -> Networks -> Proxies tab.
Bypass Proxy for Appliance URL
Enable to bypass proxy settings (if added) for Instance Agent communication to the Appliance URL.
USER DATA (LINUX)
Add cloud-init user data using bash syntax.

Once all options are configured, select NEXT to add the cloud to a Group.

Group

A Group must be specified or created for the new Cloud to be added to. Clouds can be added to additional Groups or removed from Groups after being created.

USE EXISTING
Add the new Cloud to an existing Group in Morpheus.
CREATE NEW
Creates a new Group in Morpheus and adds the Cloud to the Group.

Review

Confirm all settings are correct and select COMPLETE. The Azure Stack Cloud will be added, and Morpheus will perform the initial cloud sync of:

  • Virtual Machines (if Inventory Existing Instances is enabled)
  • Networks
  • Virtual Images/Templates
  • Network Security Groups
  • Storage Accounts
  • Marketplace Catalog
  • Availability Sets

Tip

Synced Networks can be configured or deactivated from the Networks section of this Cloud’s detail page, or in the Infrastructure -> Networks section.

Cloud Foundry

Configuration

Adding PCF Cloud From Infrastructure -> Clouds

  1. Navigate to Infrastructure -> Clouds

  2. Select + ADD

  3. Select CLOUD FOUNDRY from the Clouds list

  4. Select NEXT

  5. Populate the following:

    Name

    Name of the Cloud in Morpheus

    Location

    Description field for adding notes on the cloud, such as location.

    Visibility

    For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.

    API URL

    Cloud Foundry API Url

    CLIENT ID

    Typically cf

    CLIENT SECRET

    Typically blank

    USERNAME

    Enter Username. If using an API Key, enter apikey for username, and the API Key as the password.

    PASSWORD

    Enter Password. If using an API Key, enter the API Key as the password.

    ORGANIZATION

    Select Organization. Dropdown populates upon successful authorization.

  6. Select NEXT and optionally configure the Advanced Options

  7. Select NEXT

  8. Select an existing Group or create a new Group to add the Cloud to. The Cloud can be added to additional Groups in a Group’s Clouds tab.

  9. Select NEXT

  10. Review and then Select COMPLETE

Adding PCF Cloud From Infrastructure -> Groups

  1. Navigate to Infrastructure -> Groups

  2. Select a Group

  3. Select the CLOUDS tab

  4. Scroll down to CLOUD FOUNDRY and select + ADD

  5. Populate the following:

    Name

    Name of the Cloud in Morpheus

    Location

    Description field for adding notes on the cloud, such as location.

    Visibility

    For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.

    TENANT

    Select a Tenant if Visibility is set to Private to assign the Cloud to that Tenant. Multiple Tenants can be added by editing the cloud after creation.

    API URL

    Cloud Foundry API Url. Example https://api.cf.morpheusdata.com

    CLIENT ID

    Typically cf

    CLIENT SECRET

    Typically blank

    USERNAME

    Enter Username. If using an API Key, enter apikey for username, and the API Key as the password.

    PASSWORD

    Enter Password. If using an API Key, enter the API Key as the password.

    ORGANIZATION

    Select Organization. Dropdown populates upon successful authorization.

    DOMAIN

    Specify a default domain for instances provisioned to this Cloud.

    SCALE PRIORITY

    Specifies the priority with which an instance will scale into the cloud. A lower priority number means this cloud integration will take scale precedence over other cloud integrations in the group.

    APPLIANCE URL

    Alternate Appliance url for scenarios when the default Appliance URL (configured in admin -> settings) is not reachable or resolvable for Instances provisioned in this cloud. The Appliance URL is used for Agent install and reporting.

    TIME ZONE

    Configures the time zone on provisioned VM’s if necessary.

    DATACENTER ID

    Used for differentiating pricing among multiple datacenters. Leave blank unless prices are properly configured.

    DNS INTEGRATION

    Records for instances provisioned in this cloud will be added to selected DNS integration.

    SERVICE REGISTRY

    Services for instances provisioned in this cloud will be added to selected Service Registry integration.

    CONFIG MANAGEMENT

    Select a Chef, Salt, Ansible or Puppet integration to be used with this Cloud.

    AGENT INSTALL MODE

    • SSH / WINRM: Morpheus will use SSH or WINRM for Agent install.
    • Cloud-Init (when available): Morpheus will utilize Cloud-Init or Cloudbase-Init for agent install when provisioning images with Cloud-Init/Cloudbase-Init installed. Morpheus will fall back on SSH or WINRM if cloud-init is not installed on the provisioned image.

    API PROXY

    Required when a Proxy Server blocks communication between the Morpheus Appliance and the Cloud. Proxies can be added in the Infrastructure -> Networks -> Proxies tab.

    API PROXY

    Required when a Proxy Server blocks communication between an Instance and the Morpheus Appliance. Proxies can be added in the Infrastructure -> Networks -> Proxies tab.

    Bypass Proxy for Appliance URL

    Enable to bypass proxy settings (if added) for Instance Agent communication to the Appliance URL.

    USER DATA (LINUX)

    Add cloud-init user data using bash syntax.

  6. Select NEXT

  7. Review and then Select COMPLETE

Adding Spaces

Cloud Foundry Spaces are referred to as Resource Pools in Morpheus. You can add a new Space by:

  1. Navigating to the Cloud and selecting the Resources tab.
  2. Then, click ‘+ Add Resource’.
  3. Give the Resource a Name
  4. Expand the Managers, Developers, and Auditors section to add specific Cloud Foundry users to the roles. When adding a user to these sections, use their Cloud Foundry email addresses.

Provisioning

Morpheus automatically seeds MySQL, Redis and RabbitMQ PCF Instance Types, as well as a generic Cloud Foundry Instance Type that will create a shell app used in conjunction with deployments. PCF Marketplace items can also be added to the Provisioning Library in the Cloud detail view Marketplace tab. The Marketplace item will be added to the selected Instance Type and available when selecting the Cloud Foundry Cloud during Instance or App Template creation.

Deployments

The Cloud Foundry App Instance Type is used in conjunction with deployments. Users do not have to pick a deployment when creating a Cloud Foundry App Instance, but without one the Instance will only be a shell of a Cloud Foundry Application.

A deployment in Morpheus can either point to a GitHub repository or contain the actual manifest.yml and associated artifacts required for a Cloud Foundry deployment. During the deployment, Morpheus will gather up the files required. Therefore, if the deployment points to a GitHub repository, Morpheus will fetch the files from GitHub. Once the files are obtained, Morpheus will deploy the artifacts in a similar fashion to the Cloud Foundry CLI. This includes parsing the manifest to obtain the parameters to create or update the Cloud Foundry application. Morpheus will ignore certain fields such as memory and disk size because they are dictated by the selected plan. Other fields, such as routes, are utilized. After parsing the manifest.yml file (including overwriting certain fields), Morpheus is ready to update or create the App in Cloud Foundry.

After the App is configured, the artifacts referenced in the Morpheus deployment are uploaded to Cloud Foundry for the App. Note that when paths are referenced in the manifest.yml file, the paths continue to be relative to the manifest. So, a jar file under build/libs would need to be found under the build/libs directory next to the manifest.

If Cloud Foundry services are specified in the manifest, they must already exist within Cloud Foundry. Morpheus App templates can be utilized to wire up Cloud Foundry services created by Morpheus. In this case, Morpheus will add all of the included service names defined in the App template to the manifest.yml services section. Therefore, multiple services can be used and wired up by Morpheus.

Example

To better understand how Morpheus parses the manifest.yml file, let’s take a closer look at the Cloud Foundry ‘spring-music’ project. The project can be found here (https://github.com/cloudfoundry-samples/spring-music).

The project contains the required manifest.yml file as well as the source code and build.gradle file to define how the project is to be built. After downloading the project to your local machine, build the project to generate the jar.

Now, let’s take a look at the manifest.yml file:

---
applications:
- name: spring-music
  memory: 1G
  random-route: true
  path: build/libs/spring-music.jar

Using the Cloud Foundry docs (https://docs.cloudfoundry.org/devguide/deploy-apps/manifest.html), we can gain a better understanding of how this file is utilized by Cloud Foundry.

  • The name parameter defines the name that will be given to the application in Cloud Foundry. Morpheus will overwrite this value with the name given to the Instance being created in Morpheus.
  • The memory parameter (as well as the disk_quota parameter, if specified) will be overwritten by Morpheus based on the plan specified for the Instance.
  • The path parameter defines where, relative to the manifest.yml file, your Cloud Foundry application can be found.
  • The random-route parameter, as well as all other parameters described in the Cloud Foundry documentation, will simply be passed through to Cloud Foundry.
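The rewrite rules above, applied to the spring-music manifest as an added Python example (this is illustrative code, not Morpheus’s own implementation). It assumes the manifest has already been loaded into a dictionary, and uses made-up plan values, Instance name and service names; it overrides name and the plan-controlled sizing fields, resolves path relative to the manifest, appends App template services, passes everything else through, and rejects manifest services that do not already exist in the target space.

```python
import posixpath
from copy import deepcopy

# Parsed form of the spring-music manifest.yml shown above (constructed here
# as a dict so the example runs without a YAML library).
SPRING_MUSIC_MANIFEST = {
    "applications": [
        {
            "name": "spring-music",
            "memory": "1G",
            "random-route": True,
            "path": "build/libs/spring-music.jar",
        }
    ]
}

# Fields dictated by the selected plan: any manifest value is discarded.
PLAN_CONTROLLED_FIELDS = ("memory", "disk_quota")


class MissingServiceError(ValueError):
    """The manifest references a Cloud Foundry service that does not exist."""


def prepare_application(manifest, instance_name, plan, template_services=(),
                        existing_services=(), manifest_path="manifest.yml"):
    """Return the application definition that would be pushed to Cloud Foundry.

    manifest          -- parsed manifest.yml (dict with an 'applications' list)
    instance_name     -- name of the Morpheus Instance; overrides 'name'
    plan              -- dict with 'memory' and 'disk_quota' strings, e.g. '512M'
    template_services -- service names defined in the App template to wire up
    existing_services -- names of services already present in the target space
    manifest_path     -- location of manifest.yml, used to resolve 'path'
    """
    apps = manifest.get("applications") or []
    if len(apps) != 1:
        raise ValueError("expected exactly one application in the manifest")
    app = deepcopy(apps[0])  # never mutate the caller's manifest

    # 1. The Instance name always wins over the manifest name.
    app["name"] = instance_name

    # 2. Sizing comes from the plan, never from the manifest.
    for field in PLAN_CONTROLLED_FIELDS:
        app.pop(field, None)
    app["memory"] = plan["memory"]
    app["disk_quota"] = plan["disk_quota"]

    # 3. Artifact paths stay relative to the manifest's own directory.
    if "path" in app:
        base = posixpath.dirname(manifest_path)
        app["path"] = posixpath.normpath(posixpath.join(base, app["path"]))

    # 4. Services named in the manifest must already exist; services from the
    #    App template are appended without duplicates.
    services = list(app.get("services", []))
    missing = [s for s in services if s not in set(existing_services)]
    if missing:
        raise MissingServiceError(
            "manifest references services not present in Cloud Foundry: "
            + ", ".join(missing))
    for name in template_services:
        if name not in services:
            services.append(name)
    if services:
        app["services"] = services

    # Everything else (random-route, buildpack, env, routes, ...) passes through.
    return app


if __name__ == "__main__":
    # Hypothetical plan and Instance name; the App template defines 'mysql-db'.
    result = prepare_application(
        SPRING_MUSIC_MANIFEST, "music-prod",
        {"memory": "512M", "disk_quota": "1G"},
        template_services=["mysql-db"], manifest_path="deploy/manifest.yml")
    for key, value in result.items():
        print(f"{key}: {value}")
```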

Adding Marketplace Items

  1. Navigate to Infrastructure -> Clouds and select your Cloud Foundry Cloud
  2. Select the MARKETPLACE tab
  3. Select + ADD MARKETPLACE ITEM
  4. Select the Morpheus Instance Type to add the Marketplace Item to.
  5. Enter version
  6. Search for and select Marketplace Item
  7. Select SAVE CHANGES

A Node Type and layout will be created in the Provisioning -> Library section and the layout will be automatically added to the Instance Type selected when adding the Marketplace Item.

Provisioning Instances

Seeded and Marketplace Items

Morpheus automatically seeds MySQL, Redis and RabbitMQ PCF Instance Types, and PCF Marketplace items can also be easily added to the Provisioning Library in the Cloud detail view Marketplace tab. The Marketplace item will be added to the selected Instance Type and available when selecting the Cloud Foundry Cloud during Instance or App Template creation.

  1. Navigate to Provisioning -> Instances and select an Instance Type with a Cloud Foundry layout (MySQL, Redis and RabbitMQ plus Marketplace additions)
  2. Select NEXT
  3. Select a Group and PCF Cloud
  4. Add an Instance Name
  5. Optionally select an Environment Tag and/or add a custom Tag
  6. Select NEXT
  7. Select Version and Instance Configuration for a Cloud Foundry layout, ex: Cloud Foundry MySQL
  8. Select a Plan and available options for the Plan, or use the custom Plan
  9. Select a Space to add the Instance to
  10. Optionally configure advanced options
  11. Select NEXT
  12. Optionally configure Automation options
  13. Select NEXT
  14. Select COMPLETE

Note

Compute, Memory, and CPU stats will be pulled, and a Cloud Foundry monitoring health check will be automatically configured for the instance.

Cloud Foundry App Instance Type

Important

Add Deployments in Provisioning -> Deployments to be used when provisioning a Cloud Foundry App Instance Type.

Note

Minimal options are outlined below.

  1. Navigate to Provisioning -> Instances and select the Cloud Foundry App Instance Type

  2. Select NEXT

  3. Select a Group and PCF Cloud

  4. Add an Instance Name

  5. Optionally select an Environment Tag and/or add a custom Tag

  6. Select NEXT

  7. Select a Plan and available options for the Plan, or use the custom Plan

  8. Select a Space to add the Instance to

  9. Select NEXT

  10. In the Deployments section, select a Deployment and Version to be deployed. These can be git repos or files added in Provisioning -> Deployments

    Important

    If services are specified in a git repo manifest, Morpheus assumes they already exist in the PCF cloud with matching names.

  11. Select NEXT

  12. Select COMPLETE

This will quickly create the Cloud Foundry Application, and then the deployment will follow which may take longer depending on the app configuration. The location will be updated with the route once it is configured.

Note

Compute, Memory, and CPU stats will be pulled, and a Cloud Foundry monitoring health check will be automatically configured for the instance.

Digital Ocean

Add a Digital Ocean Cloud

DigitalOcean Cloud Integration Detail fields:

Name
Name of the Cloud in Morpheus
Location
Description field for adding notes on the cloud, such as location.
Visibility
For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.
Username
DigitalOcean Username
API Key
Personal access tokens/Key from the DigitalOcean API -> Tokens/Keys section.
Data Center
Select DigitalOcean DataCenter Region

The Cloud can now be added to a Group or configured with additional Advanced options.

Advanced Options

DOMAIN
Specify a default domain for instances provisioned to this Cloud.
SCALE PRIORITY
Specifies the priority with which an instance will scale into the cloud. A lower priority number means this cloud integration will take scale precedence over other cloud integrations in the group.
APPLIANCE URL
Alternate Appliance url for scenarios when the default Appliance URL (configured in admin -> settings) is not reachable or resolvable for Instances provisioned in this cloud. The Appliance URL is used for Agent install and reporting.
TIME ZONE
Configures the time zone on provisioned VM’s if necessary.
DATACENTER ID
Used for differentiating pricing among multiple datacenters. Leave blank unless prices are properly configured.
DNS INTEGRATION
Records for instances provisioned in this cloud will be added to selected DNS integration.
SERVICE REGISTRY
Services for instances provisioned in this cloud will be added to selected Service Registry integration.
CONFIG MANAGEMENT
Select a Chef, Salt, Ansible or Puppet integration to be used with this Cloud.
AGENT INSTALL MODE
  • SSH / WINRM: Morpheus will use SSH or WINRM for Agent install.
  • Cloud-Init (when available): Morpheus will utilize Cloud-Init or Cloudbase-Init for agent install when provisioning images with Cloud-Init/Cloudbase-Init installed. Morpheus will fall back on SSH or WINRM if cloud-init is not installed on the provisioned image.
API PROXY
Required when a Proxy Server blocks communication between the Morpheus Appliance and the Cloud. Proxies can be added in the Infrastructure -> Networks -> Proxies tab.

Provisioning Options

API PROXY
Required when a Proxy Server blocks communication between an Instance and the Morpheus Appliance. Proxies can be added in the Infrastructure -> Networks -> Proxies tab.
Bypass Proxy for Appliance URL
Enable to bypass proxy settings (if added) for Instance Agent communication to the Appliance URL.
USER DATA (LINUX)
Add cloud-init user data using bash syntax.

ESXi

Important

The VMware ESXi integration is for adding a single ESXi / vSphere Hypervisor host. If you have vCenter, please use the VMware vCenter cloud type.

To get started with VMware ESXi, simply add a VMware ESXi Cloud in either the Infrastructure -> Clouds or Infrastructure -> Groups section.

  1. Select + Create Cloud Button
  2. Select ESXi from the Add Cloud modal
  3. Select NEXT
  4. Provide the following information.
    • Cloud Name
    • ESXi Host name or IP address
    • Username ( This is normally root )
    • Password

Note

If you receive the message “Error! Invalid cloud config”, please ensure you have SSH enabled on the vSphere Hypervisor / ESXi host. To do this, please follow these instructions on how to set up SSH on vSphere Hypervisor / ESXi.

Google

Add a Google Cloud

Tip

All of the required Google Cloud credentials can be found in the .json file created when generating a key for a Google Cloud service account.

  1. Navigate to Infrastructure -> Clouds

  2. Select + CREATE CLOUD, select Google Cloud, and then click Next.

  3. Enter the following into the Create Cloud modal:

    Name

    Name of the Cloud in Morpheus

    Location

    Description field for adding notes on the cloud, such as location.

    Visibility

    For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.

    Project ID

    Google Cloud Project ID

    Private Key

    Service Account Private key, beginning with -----BEGIN PRIVATE KEY----- and ending with -----END PRIVATE KEY-----

    Client Email

    Service Account Client Email. ex: morpheus@morpheus.iam.gserviceaccount.com

    Region

    Regions will auto-populate upon successful authentication with the above credentials. Select appropriate region for this Cloud.

    Inventory Existing Instances

    If enabled, existing Google Instances will be inventoried and appear as unmanaged Virtual Machines in Morpheus.

Note

Morpheus scopes clouds to single regions. Multiple clouds can be added for multi-region support, and then optionally added to the same group.

The Cloud can now be added to a Group or configured with additional Advanced options.

Finally, add Google Cloud to an existing Group or create a new Group, and you have now integrated Morpheus with Google Cloud!

Hyper-V

Hyper-V is the virtualized server computing environment introduced by Microsoft. Hyper-V is consumed by Morpheus as a private cloud offering and is a common hypervisor technology in data centers. Morpheus provides an avenue to aggregate Hyper-V resources together to allow efficient and seamless deployment of applications as a virtual machine (VM) or Docker host in the world of Hyper-V.

Features

  • Virtual Machine Provisioning
  • Containers
  • Backups / Snapshots
  • Resources Groups
  • Migrations
  • Auto Scaling
  • Load Balancing
  • Remote Console
  • Periodic Synchronization
  • Veeam Integration
  • Lifecycle Management and Resize
  • Unique Kerberos Authentication

Morpheus can provide a single pane of glass and self-service portal for managing instances scattered across both Hyper-V and public cloud offerings like Azure.

Getting Started

To get started, a few prerequisites must first be met. The Hyper-V host must be installed with its firewall enabled, and it can either be joined to a domain or standalone. The Hyper-V host must also have the Hyper-V external network configured, and it can share this network with the management operating system. This document covers Hyper-V 2008 and Hyper-V 2012.

A user account that is part of the local administrators group on the Hyper-V host is also required.

Understand WinRM

Morpheus uses WinRM to communicate to the Hyper-V host for deployment of the Morpheus agent. The Morpheus agent allows for the host dashboard to be populated with information in the form of graphs that cover CPU, Network, Storage, and memory consumption. Furthermore, this agent provides logging and monitoring capabilities.

If Windows Remote Management (WinRM) is not installed and configured, WinRM scripts do not run and the WinRM command-line tool cannot perform data operations or allow the Morpheus agent to be installed. WinRM uses HTTP port 5985 or HTTPS port 5986 for communications.

To better understand all of the default settings of WinRM please refer to the below Microsoft link:

https://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx

Native Authentication

To configure WinRM with default settings (WINRM_NATIVE)

Type the following command at a command prompt:

$ winrm quickconfig

If you are not running under the local computer Administrator account, you must either select Run as Administrator from the Start menu or use the Runas command at a command prompt.

When the tool displays Make these changes [y/n]?, type y.

If configuration is successful, the following output is displayed:

WinRM has been updated for remote management.
WinRM service type changed to delayed auto start.
WinRM service started.
Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

Keep the default settings for client and server components of WinRM, or customize them. By default Kerberos is enabled; if domain authentication is not being used, it should be disabled. Issue the commands below to set up basic authentication:

$ winrm set winrm/config/service/Auth @{Basic="true"}
$ winrm set winrm/config/service @{AllowUnencrypted="true"}
$ winrm set winrm/config/service/Auth @{Kerberos="false"}

Domain Authentication

To configure WinRM with Domain Authentication (WINRM_INTERNAL)

Type the following command at a command prompt

$ winrm quickconfig

If you are not running under the local computer Administrator account, you must either select Run as Administrator from the Start menu or use the runas command at a command prompt.

When the tool displays Make these changes [y/n]?, type y.

If configuration is successful, the following output is displayed:

WinRM has been updated for remote management.
WinRM service type changed to delayed auto start.
WinRM service started.
Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

Keep the default settings for client and server components of WinRM, or customize them. Issue the commands below to set up domain authentication:

$ winrm set winrm/config/service/Auth @{Basic="true"}
$ winrm set winrm/config/service @{AllowUnencrypted="false"}
$ winrm set winrm/config/service/Auth @{Kerberos="true"}

Kerberos authentication will also need to be configured on the Morpheus appliance to support Windows domain accounts to access the remote host with WINRM_INTERNAL connection type.
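The two WinRM profiles above (WINRM_NATIVE: Basic auth with AllowUnencrypted=true; WINRM_INTERNAL: Kerberos with AllowUnencrypted=false) can be verified from the host side by reading back `winrm get winrm/config/service`. The following is an added Python example, not Morpheus tooling: it parses the indented key/value tree that command prints (a constructed sample of that output is embedded), classifies which profile the host matches, and lists the settings a defender would want to review.

```python
# Constructed sample of `winrm get winrm/config/service` output on a host
# configured with the WINRM_NATIVE commands above (Basic auth, unencrypted).
SAMPLE_NATIVE_CONFIG = """\
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)
    MaxConcurrentOperations = 4294967295
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = false
        Negotiate = true
        Certificate = false
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    AllowRemoteAccess = true
"""


def parse_winrm_config(text):
    """Parse the indented 'Key = value' tree printed by `winrm get` into dicts.

    A line without '=' opens a nested section (Service, Auth, DefaultPorts);
    indentation decides which section a line belongs to.
    """
    root = {}
    stack = [(-1, root)]  # (indent, section dict), innermost section last
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while stack[-1][0] >= indent:  # leave sections that are deeper or equal
            stack.pop()
        parent = stack[-1][1]
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            parent[key] = value
        else:
            section = {}
            parent[line] = section
            stack.append((indent, section))
    return root


def _is_true(value):
    return str(value).strip().lower() == "true"


def classify_profile(config):
    """Map a parsed config onto the WINRM_NATIVE / WINRM_INTERNAL profiles above."""
    service = config.get("Service", {})
    auth = service.get("Auth", {})
    basic = _is_true(auth.get("Basic"))
    unencrypted = _is_true(service.get("AllowUnencrypted"))
    kerberos = _is_true(auth.get("Kerberos"))
    if basic and unencrypted and not kerberos:
        return "WINRM_NATIVE"
    if basic and not unencrypted and kerberos:
        return "WINRM_INTERNAL"
    return "CUSTOM"


def audit_winrm_service(config):
    """Return review findings for the service-side authentication settings."""
    service = config.get("Service", {})
    auth = service.get("Auth", {})
    findings = []
    if _is_true(service.get("AllowUnencrypted")):
        findings.append("AllowUnencrypted=true: agent install traffic on port "
                        "5985 crosses the network without message encryption")
    if _is_true(auth.get("Basic")):
        findings.append("Basic=true: the account password itself is sent; with "
                        "AllowUnencrypted=false this only works over HTTPS (5986)")
    if not _is_true(auth.get("Kerberos")):
        findings.append("Kerberos=false: domain (WINRM_INTERNAL) authentication "
                        "is disabled on this host")
    return findings


if __name__ == "__main__":
    cfg = parse_winrm_config(SAMPLE_NATIVE_CONFIG)
    print("profile:", classify_profile(cfg))
    for finding in audit_winrm_service(cfg):
        print(" -", finding)
```

On a real host, pipe the actual command output into parse_winrm_config instead of the constructed sample.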

On the Morpheus appliance the krb5-user package must be installed. For Ubuntu the command is as follows:

$ sudo apt-get install krb5-user

Create a file in /etc called krb5.conf and replace the domain name with the name of the domain to be used. In this example the domain is morpheus.com, so the Kerberos realm is written MORPHEUS.COM. The example pins the ticket encryption types to rc4-hmac, a legacy cipher; prefer the AES enctypes where the domain controllers support them.

[libdefaults]
        default_realm = MORPHEUS.COM
        dns_lookup_kdc = true
        verify_ap_req_nofail = false
        default_tgs_enctypes = rc4-hmac
        default_tkt_enctypes = rc4-hmac
[realms]
        MORPHEUS.COM = {
                kdc = win-ad.MORPHEUS.COM:88
                admin_server = win-ad.MORPHEUS.COM:749
        }
[domain_realm]
        .MORPHEUS.COM = MORPHEUS.COM
        MORPHEUS.COM = MORPHEUS.COM
[login]
        krb4_convert = true
        krb4_get_tickets = false

After creating krb5.conf, a keytab file is also required. See the following page for instructions on creating a keytab file: http://www.itadmintools.com/2011/07/creating-kerberos-keytab-files.html

Adding Hyper-V as a Private Cloud

The Hyper-V host is now prepared for Morpheus to communicate with it via WinRM, so the Hyper-V private cloud is ready to be configured. Create a group and then create a Morpheus cloud for Hyper-V. Populate the information as shown in Figure 1 with the specifics of the environment being configured.

../_images/hyperv1_original.png

Note

The working path, VM path, and disk path should be created on the Hyper-V host by the Hyper-V administrator. If these paths do not exist they will need to be set up, and the Hyper-V settings will need to be adjusted to reference them.

../_images/hyperv2_original.png

Service Plans

A default set of Service Plans is created in Morpheus for the VMware provisioning engine. These Service Plans can be considered akin to AWS Flavors or Openstack Flavors. They provide a means to set predefined tiers on memory, storage, cores, and cpu. Price tables can also be applied to these so estimated cost per virtual machine can be tracked as well as pricing for customers. By default, these options are fixed sizes but can be configured for dynamic sizing. A service plan can be configured to allow a custom user entry for memory, storage, or cpu. To configure this, simply edit an existing Service Plan tied to Hyper-V or create a new one. These can all be managed from the Admin | Service Plans & Pricing section.

../_images/hyperv3_original.png

Docker

So far this document has covered how to add the Hyper-V cloud integration, which enables users to provision virtual machine based instances via the Add Instance catalog in Provisioning. Another great feature provided by Morpheus out of the box is the ability to use Docker containers and even support multiple containers per Docker host. To do this a Docker Host must first be provisioned into Hyper-V (multiple are needed when dealing with horizontal scaling scenarios).

To provision a Docker Host simply navigate to the Cloud detail page or Infrastructure | Hosts section. From there click the + Container Host button to add a Hyper-V Docker Host. Morpheus views a Docker host just like any other Hypervisor with the caveat being that it is used for running containerized images instead of virtualized ones. Once a Docker Host is successfully provisioned a green checkmark will appear to the right of the host marking it as available for use. In the event of a failure click into the relevant host that failed and an error explaining the failure will be displayed in red at the top.

Some common error scenarios involve network connectivity. For a Docker Host to function properly, it must be able to resolve the Morpheus appliance URL, which can be configured in Admin | Settings. If it is unable to resolve and negotiate with the appliance, then the agent installation will fail and provisioning instructions cannot be issued to the host.

Kubernetes

Overview

The Kubernetes Cloud type allows users to inventory and provision to existing Kubernetes clusters. New Kubernetes clusters can also be provisioned by using the Docker mode setting in clouds and provisioning new Docker hosts.

Add Kubernetes Cloud

  1. Navigate to Infrastructure -> Clouds

  2. Select + CREATE CLOUD, select Kubernetes Cloud, and then click Next.

  3. Enter the following into the Create Cloud modal:

    Name

    Name of the Cloud in Morpheus

    Location

    Description field for adding notes on the cloud, such as location.

    Visibility

    For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.

    API URL

    Kubernetes API URL

    API TOKEN

    Kubernetes User API Token

    Inventory Existing Instances

    If enabled, existing Containers will be inventoried and appear in the Containers tab for the Kubernetes Cloud.

  4. Save Changes

Create Kubernetes Cluster

Kubernetes Clusters can be provisioned into any Cloud Type by setting the CONTAINER MODE to Kubernetes in the Advanced Settings of a Cloud.

Important

The CONTAINER MODE must be set prior to provisioning any Docker Hosts. Once Docker Hosts exist in a Cloud, the CONTAINER MODE setting cannot be changed.

Once the CONTAINER MODE is set on a Cloud, a Kubernetes Cluster can be created by adding 3 Docker Hosts to the cloud. The first 3 hosts will form the cluster, and additional hosts will be configured as workers.

Important

For the Kubernetes Cluster to be successfully created, each host must finish provisioning before the next host is created. Do not start provisioning the second host in the cluster until the first has completed, nor the third until the second has finished being created.

Nutanix

Overview

Nutanix simplifies datacenter infrastructure by integrating server and storage resources, allowing applications to run at scale. Morpheus provides an avenue to enhance the Nutanix resources to allow efficient and seamless deployment of applications as a virtual machine (VM) or as a container on a Docker host.

Features

  • Virtual Machine Provisioning
  • Containers
  • Backups / Snapshots
  • Resource Groups
  • Migrations
  • Auto Scaling
  • Load Balancing
  • Remote Console
  • Periodic Synchronization
  • Lifecycle Management and Resize

Morpheus can provide a single pane of glass and self-service portal for managing multiple Nutanix Clusters and allowing the seamless deployment of applications.

Getting Started

To get started, a few prerequisites must first be met. The Nutanix cluster should be provisioned and available on the network. Morpheus logs in to the Nutanix cluster with the Nutanix admin credentials; the cluster is typically located at the https://fqdn:9440 URL.

Adding a Nutanix Cloud

The Nutanix cluster should be available and responding at the https://fqdn:9440 URL for authentication by Morpheus.

API URL
example: https://10.30.21.220:9440
USERNAME
Nutanix admin username
PASSWORD
Nutanix admin password
Inventory Existing Instances
If enabled, existing Virtual Machines will be inventoried and appear as unmanaged Virtual Machines in Morpheus.

Service Plans

A default set of Service Plans is created in Morpheus for the VMware provisioning engine. These Service Plans can be considered akin to AWS Flavors or Openstack Flavors. They provide a means to set predefined tiers on memory, storage, cores, and cpu. Price tables can also be applied to these so estimated cost per virtual machine can be tracked as well as pricing for customers. By default, these options are fixed sizes but can be configured for dynamic sizing. A service plan can be configured to allow a custom user entry for memory, storage, or cpu. To configure this, simply edit an existing Service Plan tied to Nutanix or create a new one. These can all be managed from the Admin | Service Plans & Pricing section.

Docker

So far this document has covered how to add the Nutanix cloud integration, which enables users to provision virtual machine based instances via the Add Instance catalog in Provisioning. Another great feature provided by Morpheus out of the box is the ability to use Docker containers and even support multiple containers per Docker host. To do this a Docker Host must first be provisioned into Nutanix (multiple are needed when dealing with horizontal scaling scenarios).

To provision a Docker Host simply navigate to the Cloud detail page or the Infrastructure -> Hosts section. From there click the + Container Host button to add a Nutanix Docker Host. Morpheus views a Docker host just like any other Hypervisor with the caveat being that it is used for running containerized images instead of virtualized ones. Once a Docker Host is successfully provisioned a green checkmark will appear to the right of the host marking it as available for use. In the event of a failure click into the relevant host that failed and an error explaining the failure will be displayed in red at the top.

Some common error scenarios involve network connectivity. For a Docker Host to function properly, it must be able to resolve the Morpheus appliance URL, which can be configured in Admin -> Settings. If it is unable to resolve and negotiate with the appliance, then the agent installation will fail and provisioning instructions cannot be issued to the host.

Openstack

Overview

Openstack is becoming a widely used on-premise infrastructure orchestration platform. It has a wide array of contributors and enterprise sponsorships. There are several variations on openstack as well ranging from HP’s Helion Cloud to Cisco’s Metapod / Metacloud offering. Morpheus supports integration with all the various platform offerings and ranges in support all the way back to Openstack Icehouse. It leverages the APIs and provides full functionality as a self service portal in front of Openstack.

Features

  • Virtual Machine Provisioning
  • Backups / Snapshots
  • Security Group Management
  • Disk Mode support Local/Image (via Ceph)
  • Floating IP Assignment support
  • Brownfield VM management and migration
  • Lifecycle Management and Resize
  • Docker Host management / configuration

On top of all these features, Morpheus also adds additional features to Openstack that do not exist out of the box to make it easier to manage in multitenant environments as well as hybrid cloud environments:

  • Image to QCOW2 Image Conversion
  • QCOW2 to RAW Image Conversion
  • Multitenancy resource allocation
  • Virtual Image management (Templates)
  • Auto-scaling and recovery

Getting Started

Adding an Openstack cloud to Morpheus is one of the simpler cloud integrations to get started with. First go to the Infrastructure -> Clouds section and click add cloud. From here there are several options including Metapod, Helion, and general Openstack. Any of these options will actually work; for the most part the branded Openstack options are presented to make the capabilities of Morpheus clearer to the user.

Most of the information in the dialog can be acquired from the Openstack dashboard under Project -> Access & Security -> API Access. The API URL that is needed is the one tied to Identity. The Domain and Project inputs typically correlate to the multitenant domain setup within Openstack (sometimes just left at default) as well as the project name given to instances. Morpheus allows multiple integrations to the same Openstack cluster, scopable to domains and projects as needed. The remaining options help Morpheus determine what API capabilities exist in the selected Openstack environment; hence the need for the Openstack version and image format. If a newer Openstack cluster is being used than exists in the dropdown, simply select the most recent version in the dropdown and this should function sufficiently until the new version is added.

Tip

Some Openstack environments do not support QCOW2 and force RAW image formats (like metapod). This is due to some network overhead in Ceph created by using QCOW2. Morpheus keeps 2 copies of openstack image templates for this exact purpose.

Saving this cloud integration should perform a verification step and close upon successful completion.

Existing Instances

Morpheus provides several features for pulling existing virtual machines and servers in an environment. Most cloud options contain a checkbox titled ‘Inventory Existing Instances’. When this option is selected, all VMs found within the specified scope of the cloud integration will be scanned periodically and Virtual Machines will be synced into Morpheus. By default these virtual machines are considered ‘unmanaged’ and do not appear in the Provisioning -> Instances area but rather in Infrastructure -> Hosts -> Virtual Machines. However, a few features are provided for unmanaged instances. They can be assigned to various accounts if using a multitenant master account; however, it may be better to instead assign the ‘Resource Pool’ to an account and optionally move all servers belonging to that pool (more on this later). A server can also be made into a managed server. During this process remote access is requested and an agent install is performed on the guest operating system. This allows for guest operations such as log acquisition and stats. If the agent install fails, the server will still be marked as managed and an Instance will be created in Provisioning; however, certain features will not function, including stats collection and logs.

Note

All Cloud data is resynchronized on a 5 minute interval. This includes Datastores, Resource Pools, Networks, Templates, and Virtual Machines.

Advanced

There are a few advanced features when it comes to provisioning on top of Openstack. Most of these present themselves in the provisioning wizard. They include OS Volume Type (Local or Volume). This dictates whether the main OS disk is copied to and run off the hypervisor or remotely mounted as a volume via Glacier. Some Openstack setups only configure hypervisors with minimal local disks, so the Volume type is needed.

Another option during provisioning is “Assign Floating IP”. This option does exactly what it says and is similar to the feature on the Openstack instances dashboard itself. It should be noted that this will attempt to acquire a floating IP from the project and if out of capacity will attempt to increase capacity to the project if the cloud credentials provided have sufficient administrative privileges to do so.

Docker

So far this document has covered how to add the Openstack cloud integration, which enables users to provision virtual machine based instances via the Add Instance catalog in Provisioning. Another great feature provided by Morpheus out of the box is the ability to use Docker containers and even support multiple containers per Docker host. To do this a Docker Host must first be provisioned into Openstack (multiple are needed when dealing with horizontal scaling scenarios).

To provision a Docker Host simply navigate to the Cloud detail page or the Infrastructure -> Hosts section. From there click the + Container Host button to add an Openstack Docker Host. This host will show up in the Hosts tab. Morpheus views a Docker host just like any other Hypervisor with the caveat being that it is used for running containerized images instead of virtualized ones. Once a Docker Host is successfully provisioned a green checkmark will appear to the right of the host marking it as available for use. In the event of a failure click into the relevant host that failed and an error explaining the failure will be displayed in red at the top.

Some common error scenarios involve network connectivity. For a Docker Host to function properly, it must be able to resolve the Morpheus appliance URL, which can be configured in Admin -> Settings. If it is unable to resolve and negotiate with the appliance, then the agent installation will fail and provisioning instructions cannot be issued to the host.

Oracle VM

Add an Oracle VM Cloud

Name
Name of the Cloud in Morpheus
Location
Description field for adding notes on the cloud, such as location.
Visibility
For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.
API URL
Oracle VM API URL. ex: https://10.20.30.40:7002/ovm/core/wsapi/rest
USERNAME
Oracle VM User
PASSWORD
Oracle VM User Password
REPOSITORY
Available repositories will auto-populate upon successful authentication with the above credentials. Select appropriate repository for this Cloud.
SERVER POOL
Available server pools will auto-populate upon successful authentication with the above credentials. Select appropriate server pool for this Cloud.
Inventory Existing Instances
If enabled, existing Virtual Machines will be inventoried and appear as unmanaged Virtual Machines in Morpheus.

The Cloud can now be added to a Group or configured with additional Advanced options.

SCVMM

Add a SCVMM Cloud

  1. Navigate to Infrastructure -> Clouds

  2. Select + CREATE CLOUD, select SCVMM, and then click Next.

  3. Enter the following into the Create Cloud modal:

    Name

    Name of the Cloud in Morpheus

    Location

    Description field for adding notes on the cloud, such as location.

    Visibility

    For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.

    SCVMM HOST

    IP or url of SCVMM host

    USERNAME

    SCVMM Username. ex: svc.scvmm

    PASSWORD

    SCVMM User Password

    CLOUD

    Select a Cloud from the available Clouds in SCVMM.

    WORKING PATH

    Path for Morpheus to write to. ex: c:\Cloud

    DISK PATH

    Path for Virtual Disks. ex: c:\VirtualDisks

  4. The Cloud can now be added to a Group or configured with additional Advanced options.

Softlayer

Add a Softlayer Cloud

Name
Name of the Cloud in Morpheus
Location
Description field for adding notes on the cloud, such as location.
Visibility
For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.
Username
Softlayer Username
API Key
Softlayer User API Key, accessible in the Softlayer Portal under Account -> Users -> View API Key
Datacenter
Datacenters will auto-populate upon successful authentication with the above credentials. Select appropriate Datacenter for this Cloud.
Object Store
Select the destination Object Store
Inventory Existing Instances
If enabled, existing Softlayer Instances will be inventoried and appear as unmanaged Virtual Machines in Morpheus.

The Cloud can now be added to a Group or configured with additional Advanced options.

UpCloud

Overview

UpCloud is a cloud hosting provider that offers both Linux and Windows virtual machines on their MAXIOPS infrastructure, which is billed as IaaS (infrastructure-as-a-service). They have datacenters based in the UK, USA, Germany, Netherlands, Singapore and Finland. Servers can be created in a lightning-fast 45 seconds with their faster-than-SSD technology.

Features

  • Virtual Machine Provisioning
  • Containers
  • Backups / Snapshots
  • Migrations
  • Auto Scaling
  • Load Balancing
  • Remote Console
  • Periodic Synchronization
  • Lifecycle Management and Resize
  • Inventory
  • Cloudinit

Requirements

An UpCloud User with API, Server and Storage permissions is required.

To enable API access for a Main Account UpCloud User:

  1. Login to UpCloud
  2. Select My Account -> User Accounts
  3. Select Change on the target user
  4. Check the box for API connections: Allow API connections from
  5. Under Access Permissions -> Allow access to individual servers, check the box for User has control access to all servers.
  6. Under Access Permissions -> Allow control access to individual storages, check the box for User has control access to all storages
  7. Save

To enable API, Server and Storage permissions for a SubAccount User:

When creating or editing a Sub Account UpCloud user:

  1. Check the box for API connections: Allow API connections from
  2. Under Access Permissions -> Allow access to individual servers, check the box for User has control access to all servers.
  3. Under Access Permissions -> Allow control access to individual storages, check the box for User has control access to all storages
  4. Save

Adding an UpCloud Cloud

Configure

  1. Navigate to Infrastructure -> Clouds

  2. Select + Create Cloud Button

  3. Select UpCloud from the Add Cloud modal

  4. Select NEXT

  5. Enter the following:

    Name

    Name of the Cloud in Morpheus

    Location

    Description field for adding notes on the cloud, such as location.

    Visibility

    For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.

    USERNAME

    UpCloud User Account Username

    PASSWORD

    UpCloud User Account Password

    ZONE

    Select UpCloud Datacenter to scope cloud to

    INVENTORY
    • Off: Existing UpCloud Servers will not be inventoried in Morpheus
    • Basic: Existing Servers are Inventoried with Power state, Memory and Cores statistics synced.
    • Full: Existing Servers are Inventoried with Power state, Memory and Cores statistics, plus IP Addresses, Storage Info, and Console VNC Information.

Note

Full Inventory level recommended. Basic Inventory level can reduce Cloud Sync times when inventorying Datacenters with large amounts of servers. Credentials need to be added by editing the Virtual Machine in order to connect.

The Cloud can now be added to a Group or configured with additional Advanced options.

Group

A Group must be specified or created for the new Cloud to be added to. Clouds can be added to additional Groups or removed from Groups after being created.

  • USE EXISTING: Add the new Cloud to an existing Group in Morpheus.
  • CREATE NEW: Creates a new Group in Morpheus and adds the Cloud to the Group.

Review

Confirm all settings are correct and select COMPLETE.

The UpCloud Cloud will be added, and Morpheus will perform the initial cloud sync of:

  • UpCloud Servers will be added as Virtual Machines (if Inventory is enabled)
  • UpCloud Templates (My Templates) will sync and be added to Provisioning -> Virtual Images.

Note

The Console tab will only appear for Inventoried Servers if Inventory Level is set to Full

Provisioning to UpCloud

Instances and Apps can be created using the private Images synced from UpCloud or from the Morpheus provided Image Catalog.

Provision a synced Image

Images synced from UpCloud can be provisioned by using:

  • The UPCLOUD Instance Type and selecting the Image from the Image dropdown in the configure section when provisioning an Instance, App, or creating an App Template.
  • Creating custom Library Instance Types and selecting a synced Image when creating a Node Type for the custom Instance Type.

Important

Synced images should be configured prior to provisioning by editing the Image in the Provisioning -> Virtual Images section.

Provision a Morpheus provided UpCloud Image

Morpheus provides a number of pre-configured Images that are available in the default Morpheus Catalog when provisioning an Instance, App, or creating an App Template. UpCloud Images are included in the following Instance Types in the default Morpheus catalog.

  • ACTIVEMQ
  • APACHE
  • CASSANDRA
  • DEBIAN
  • ELASTICSEARCH
  • GRAILS
  • JAVA
  • MONGO
  • MYSQL
  • NGINX
  • PHP
  • RABBITMQ
  • REDIS
  • TOMCAT
  • UBUNTU
  • WINDOWS

Virtualbox

  1. Navigate to Infrastructure -> Clouds

  2. Select + CREATE CLOUD, select Virtual Box, and then click Next.

  3. Enter the following into the Create Cloud modal:

    Name

    Name of the Cloud in Morpheus

    Location

    Description field for adding notes on the cloud, such as location.

    Visibility

    For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.

    VIRTUALBOX HOST

    IP or URL of the VirtualBox Host

    WORKING PATH

    Path Morpheus will write to. ex: ~/virtualbox

    USERNAME

    Host Username

    PASSWORD

    Host Password

    BRIDGE NAME

    Will auto-populate upon successful authentication with the VirtualBox Host (e.g. ‘EN0: ETHERNET’)

    VBOXMANAGE EXECUTABLE

    Defaults to /usr/local/bin/vboxmanage if left blank

  4. The Cloud can now be added to a Group or configured with additional Advanced options.

Advanced Options

DOMAIN
Specify a default domain for instances provisioned to this Cloud.
SCALE PRIORITY
Specifies the priority with which an instance will scale into the cloud. A lower priority number means this cloud integration will take scale precedence over other cloud integrations in the group.
APPLIANCE URL
Alternate Appliance url for scenarios when the default Appliance URL (configured in admin -> settings) is not reachable or resolvable for Instances provisioned in this cloud. The Appliance URL is used for Agent install and reporting.
TIME ZONE
Configures the time zone on provisioned VMs if necessary.
DATACENTER ID
Used for differentiating pricing among multiple datacenters. Leave blank unless prices are properly configured.
DNS INTEGRATION
Records for instances provisioned in this cloud will be added to selected DNS integration.
SERVICE REGISTRY
Services for instances provisioned in this cloud will be added to selected Service Registry integration.
CONFIG MANAGEMENT
Select a Chef, Salt, Ansible or Puppet integration to be used with this Cloud.
AGENT INSTALL MODE
  • SSH / WINRM: Morpheus will use SSH or WINRM for Agent install.
  • Cloud-Init (when available): Morpheus will utilize Cloud-Init or Cloudbase-Init for agent install when provisioning images with Cloud-Init/Cloudbase-Init installed. Morpheus will fall back on SSH or WINRM if cloud-init is not installed on the provisioned image.
API PROXY
Required when a Proxy Server blocks communication between the Morpheus Appliance and the Cloud. Proxies can be added in the Infrastructure -> Networks -> Proxies tab.

Provisioning Options

API PROXY
Required when a Proxy Server blocks communication between an Instance and the Morpheus Appliance. Proxies can be added in the Infrastructure -> Networks -> Proxies tab.
Bypass Proxy for Appliance URL
Enable to bypass proxy settings (if added) for Instance Agent communication to the Appliance URL.
USER DATA (LINUX)
Add cloud-init user data using bash syntax.

VMware Fusion

Add a VMware Fusion Cloud

  1. Navigate to Infrastructure -> Clouds

  2. Select + CREATE CLOUD, select VMware Fusion, and then click Next.

  3. Enter the following into the Create Cloud modal:

    Name

    Name of the Cloud in Morpheus

    Location

    Description field for adding notes on the cloud, such as location.

    Visibility

    For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.

    VMWARE FUSION HOST

    IP or URL of VMware Fusion Host

    WORKING PATH

    Existing folder Morpheus will write to on Host

    USERNAME

    Host Username

    PASSWORD

    Host Password

    BRIDGE NAME

    Will auto-populate upon successful authentication with the Fusion Host (e.g. ‘EN0: ETHERNET’)

  4. The Cloud can now be added to a Group or configured with additional Advanced options.

Advanced Options

DOMAIN
Specify a default domain for instances provisioned to this Cloud.
SCALE PRIORITY
Specifies the priority with which an instance will scale into the cloud. A lower priority number means this cloud integration will take scale precedence over other cloud integrations in the group.
APPLIANCE URL
Alternate Appliance url for scenarios when the default Appliance URL (configured in admin -> settings) is not reachable or resolvable for Instances provisioned in this cloud. The Appliance URL is used for Agent install and reporting.
TIME ZONE
Configures the time zone on provisioned VMs if necessary.
DATACENTER ID
Used for differentiating pricing among multiple datacenters. Leave blank unless prices are properly configured.
DNS INTEGRATION
Records for instances provisioned in this cloud will be added to selected DNS integration.
SERVICE REGISTRY
Services for instances provisioned in this cloud will be added to selected Service Registry integration.
CONFIG MANAGEMENT
Select a Chef, Salt, Ansible or Puppet integration to be used with this Cloud.
AGENT INSTALL MODE
  • SSH / WINRM: Morpheus will use SSH or WINRM for Agent install.
  • Cloud-Init (when available): Morpheus will utilize Cloud-Init or Cloudbase-Init for agent install when provisioning images with Cloud-Init/Cloudbase-Init installed. Morpheus will fall back on SSH or WINRM if cloud-init is not installed on the provisioned image.
API PROXY
Required when a Proxy Server blocks communication between the Morpheus Appliance and the Cloud. Proxies can be added in the Infrastructure -> Networks -> Proxies tab.

Provisioning Options

API PROXY
Required when a Proxy Server blocks communication between an Instance and the Morpheus Appliance. Proxies can be added in the Infrastructure -> Networks -> Proxies tab.
Bypass Proxy for Appliance URL
Enable to bypass proxy settings (if added) for Instance Agent communication to the Appliance URL.
USER DATA (LINUX)
Add cloud-init user data using bash syntax.

Xen Server

Add a Xen Server Cloud

  1. Navigate to Infrastructure -> Clouds

  2. Select + CREATE CLOUD, select Xen, and then click Next.

  3. Enter the following into the Create Cloud modal:

    Name

    Name of the Cloud in Morpheus

    Location

    Description field for adding notes on the cloud, such as location.

    Visibility

    For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.

    API URL

    IP or URL of Xen Host. ex: xenserver.domain.com

    USERNAME

    Xen Host Username

    PASSWORD

    Xen Host Password

    Inventory Existing Instances

    If enabled, existing Google Instances will be inventoried and appear as unmanaged Virtual Machines in Morpheus.

    Note

    Morpheus scopes clouds to single regions. Multiple clouds can be added for multi-region support, and then optionally added to the same group.

  4. The Cloud can now be added to a Group or configured with additional Advanced options.

Creating a CentOS 7 Morpheus Image

Overview

Morpheus comes out of the box with a default set of templates for use in many modern deployment scenarios. These consist mostly of base operating system images with a few additional adjustments. These adjustments typically include the addition of cloud-init (which is highly recommended in most environments, but not mandatory). However, many on-premise deployments have custom image requirements as well as networking requirements. This guide will go over how to create a base CentOS 7 Image for use within Morpheus.

Creating a CentOS 7 Morpheus VMware Image

VMWare

When running in VMware it is highly recommended that VMware Tools be installed. Without it, Morpheus will have difficulty determining the host IP address and performing some additional automation tasks for the operating system.

Cloud-Init

To get started with a base CentOS image we first install cloud-init. This is a relatively simple process using yum:

yum -y install epel-release
yum -y install git wget ntp curl cloud-init dracut-modules-growroot
rpm -qa kernel | sed 's/^kernel-//'  | xargs -I {} dracut -f /boot/initramfs-{}.img {}

There are two parts to this yum installation. We are first ensuring some core dependencies are installed for automation, as well as cloud-init itself. git, for example, is installed for use by Ansible playbook automation down the line and is therefore optional if not using Ansible. The dracut-modules-growroot package is responsible for resizing the root partition upon first boot to match the virtual disk size, which may have been adjusted during provisioning.

A great benefit of using cloud-init is that credentials don’t have to be baked into the template. It is advisable, within Morpheus, to configure the default cloud-init user that is created automatically by cloud-init when the VM boots. This is located in the Administration -> Provisioning -> Cloud-Init Settings section.

Network Interfaces

A slightly annoying change with CentOS 7 is that the network interfaces changed naming convention. You may notice when running ifconfig that the primary network interface is named something like ens2344 or some other seemingly random number. This naming is derived from the hardware id, and we don't want it to fluctuate when provisioning the template in various VMware environments. Fortunately, there is a way to turn this off and restore the interface name to eth0.

First we need to adjust the bootloader to disable predictable interface naming:

sed -i -e 's/quiet/quiet net.ifnames=0 biosdevname=0/' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg

The above commands add two arguments to the kernel argument list (namely net.ifnames=0 and biosdevname=0) and regenerate the GRUB configuration. It may be useful to view the /etc/default/grub file and ensure these settings were indeed applied.

The next step is to adjust the network-scripts in CentOS. We need to ensure there is a file called /etc/sysconfig/network-scripts/ifcfg-eth0.

Below is a script that we run in our Packer builds to prepare the machine's network configuration files.

# locate the first non-loopback ifcfg file (e.g. ifcfg-ens192)
export iface_file=$(basename "$(find /etc/sysconfig/network-scripts/ -name 'ifcfg*' -not -name 'ifcfg-lo' | head -n 1)")
# strip the "ifcfg-" prefix to get the interface name (e.g. ens192)
export iface_name=${iface_file:6}
echo $iface_file
echo $iface_name
# rename the file and replace the old interface name inside it with eth0
sudo mv /etc/sysconfig/network-scripts/$iface_file /etc/sysconfig/network-scripts/ifcfg-eth0
sudo sed -i -e "s/$iface_name/eth0/" /etc/sysconfig/network-scripts/ifcfg-eth0
# keep NetworkManager from managing the interface
sudo bash -c 'echo NM_CONTROLLED=\"no\" >> /etc/sysconfig/network-scripts/ifcfg-eth0'

This script tries to ensure a new ifcfg-eth0 config is created to replace the old ens config file. Please verify this config exists after running it. If it does not, you will have to build one yourself, like the following:

TYPE=Ethernet
DEVICE=eth0
NAME=eth0
ONBOOT=yes
NM_CONTROLLED="no"
BOOTPROTO="dhcp"
DEFROUTE=yes

Gotchas

SELinux can cause issues with cloud-init when in enforcing mode. It may be advisable to set it to permissive unless an enforcing SELinux configuration is mandatory within your organization. If that is the case, please see the documentation for the cloud_init_t security policies.

NetworkManager will also prevent the required restart of the network service when assigning static IPs. Disable NetworkManager when possible, or static IP assignment may not work until the network service is restarted manually.

A Note on Proxies

Proxy configurations vary between organizations and make building a base template a little more difficult. To fully configure proxies, a few environment variables must be set in the /etc/environment file (this can also be done automatically in a default user-data script for cloud-init under Edit Cloud).

http_proxy="http://myproxyaddress:8080"
https_proxy="http://myproxyaddress:8080"
ftp_proxy="http://myproxyaddress:8080"
no_proxy=127.0.0.1,localhost,applianceUrl
https_no_proxy=127.0.0.1,localhost,applianceUrl
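The checks below are an added example, not part of the Morpheus guide or its Packer builds, for validating a template before it is converted to an image: that the kernel arguments from the Network Interfaces section actually landed in GRUB_CMDLINE_LINUX (the sed only inserts them next to the word quiet), that ifcfg-eth0 matches the sample file above, and that the proxy lines for /etc/environment name the appliance host in no_proxy rather than a full URL. File contents are passed in as text so it runs offline; the sample files and the hostname morpheus.example.com are constructed.

```python
from urllib.parse import urlsplit

# Kernel arguments the sed command in the Network Interfaces section is meant to add.
REQUIRED_KERNEL_ARGS = ("net.ifnames=0", "biosdevname=0")

# Expected contents of ifcfg-eth0, taken from the sample file in the guide.
EXPECTED_IFCFG = {"DEVICE": "eth0", "NAME": "eth0", "ONBOOT": "yes",
                  "NM_CONTROLLED": "no", "BOOTPROTO": "dhcp"}


def _parse_key_values(text):
    """Parse shell-style KEY=VALUE lines into a dict, dropping comments and quotes."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip().strip('"').strip("'")
    return result


def grub_missing_kernel_args(grub_defaults_text):
    """Return the required kernel args missing from GRUB_CMDLINE_LINUX.

    The sed in the guide inserts them next to 'quiet'; a template whose cmdline
    has no 'quiet' keeps the ens* naming even though the command ran.
    """
    cmdline = _parse_key_values(grub_defaults_text).get("GRUB_CMDLINE_LINUX", "")
    present = set(cmdline.split())
    return [arg for arg in REQUIRED_KERNEL_ARGS if arg not in present]


def ifcfg_findings(ifcfg_text):
    """Compare an ifcfg-eth0 file against the sample in the guide; [] means it matches."""
    cfg = _parse_key_values(ifcfg_text)
    findings = []
    for key, want in EXPECTED_IFCFG.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key} missing")
        elif got.lower() != want:
            findings.append(f"{key}={got} (expected {want})")
    return findings


def render_proxy_environment(proxy_url, appliance_url, extra_no_proxy=()):
    """Render the /etc/environment lines from the proxy section, substituting the
    appliance hostname for the applianceUrl placeholder."""
    appliance_host = urlsplit(appliance_url).hostname
    if not appliance_host:
        raise ValueError("appliance_url must be a full URL, e.g. https://morpheus.example.com")
    no_proxy = ",".join(["127.0.0.1", "localhost", appliance_host, *extra_no_proxy])
    return [
        f'http_proxy="{proxy_url}"',
        f'https_proxy="{proxy_url}"',
        f'ftp_proxy="{proxy_url}"',
        f"no_proxy={no_proxy}",
        f"https_no_proxy={no_proxy}",
    ]


def no_proxy_findings(no_proxy_value, appliance_url):
    """Explain why agent traffic to the appliance would still go through the proxy.

    Suffix matching ('example.com' or '.example.com' covers hosts beneath it) is a
    simplification; clients differ in how they interpret no_proxy entries.
    """
    host = urlsplit(appliance_url).hostname or appliance_url
    entries = [e.strip() for e in no_proxy_value.split(",") if e.strip()]
    findings = [f"'{e}' is a URL; no_proxy entries are hostnames" for e in entries if "://" in e]
    covered = any(host == e or host.endswith("." + e.lstrip(".")) for e in entries)
    if not covered:
        findings.append(f"appliance host {host} is not covered by no_proxy")
    return findings


# Constructed sample files (not taken from a real template) to exercise the checks.
SAMPLE_GRUB = """GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet net.ifnames=0 biosdevname=0"
GRUB_DISABLE_RECOVERY="true"
"""

SAMPLE_IFCFG = """TYPE=Ethernet
DEVICE=ens192
NAME=ens192
ONBOOT=yes
BOOTPROTO="dhcp"
DEFROUTE=yes
"""

if __name__ == "__main__":
    print("grub:", grub_missing_kernel_args(SAMPLE_GRUB) or "ok")
    print("ifcfg:", ifcfg_findings(SAMPLE_IFCFG) or "ok")
    print("\n".join(render_proxy_environment("http://myproxyaddress:8080", "https://morpheus.example.com")))
```

On a real template, read /etc/default/grub, /etc/sysconfig/network-scripts/ifcfg-eth0 and /etc/environment into these functions as the last step of the build; a non-empty result is a reason not to convert the VM to an image yet.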

Important

It is very important to set the no_proxy list properly: applianceUrl should be replaced with the actual appliance URL. In future releases, Morpheus plans to take care of this automatically.

Note

If using cloud-init agent install mode, these settings need to be set in the custom Cloud-Init User Data section of “Edit Cloud” or “Edit Virtual Image”.

Important

If using this virtual machine as a Docker host, proxy settings must also be configured in the Docker config. See the Docker guides for instructions on how to set this properly. If necessary this can be wrapped in a task automation workflow for your own use.

Windows Image with Cloudbase-Init

Morpheus supports provisioning Windows images with Cloudbase-Init to set user data, network settings and other data at boot time. The following is an example of how to prepare a Windows image with Cloudbase-Init and optionally sysprep it.

Setup

Note

The Morpheus agent requires .NET 4.0+. For TLS 1.2, .NET 4.5.2 is required. Ensure a compatible version is installed on your Windows image.

  1. On your Windows VM download and install Cloudbase-init from https://cloudbase.it/cloudbase-init/

  2. Use the default settings, and do not run sysprep at the end of the install.

  3. Under C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf, edit the cloudbase-init.conf file, referring to the sample configuration below. If the image will be sysprepped, edit cloudbase-init-unattend.conf and unattend.xml as well.

    Note

    Sample configurations only, user configurations may vary.

    cloudbase-init.conf

    [DEFAULT]
    # username=Admin
    # groups=Administrators
    # inject_user_password=true
    inject_user_password=false
    first_logon_behaviour=no
    config_drive_raw_hhd=true
    config_drive_cdrom=true
    config_drive_vfat=true
    bsdtar_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe
    mtools_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\
    verbose=true
    debug=true
    logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\
    logfile=cloudbase-init.log
    default_log_levels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN
    logging_serial_port_settings=
    mtu_use_dhcp_config=true
    ntp_use_dhcp_config=true
    local_scripts_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\

    # metadata services - tried in order until one succeeds
    metadata_services=cloudbaseinit.metadata.services.configdrive.ConfigDriveService,
            cloudbaseinit.metadata.services.httpservice.HttpService,
            cloudbaseinit.metadata.services.ec2service.EC2Service,
            cloudbaseinit.metadata.services.maasservice.MaaSHttpService

    # What plugins to execute.
    plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,
            cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin,
            cloudbaseinit.plugins.common.userdata.UserDataPlugin,
            cloudbaseinit.plugins.common.networkconfig.NetworkConfigPlugin

    # disabled plugins
    # cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin
    # cloudbaseinit.plugins.windows.createuser.CreateUserPlugin
    # cloudbaseinit.plugins.windows.setuserpassword.SetUserPasswordPlugin
    # cloudbaseinit.plugins.common.networkconfig.NetworkConfigPlugin
    # cloudbaseinit.plugins.common.sshpublickeys.SetUserSSHPublicKeysPlugin
    # cloudbaseinit.plugins.windows.winrmlistener.ConfigWinRMListenerPlugin
    # cloudbaseinit.plugins.windows.licensing.WindowsLicensingPlugin
    # cloudbaseinit.plugins.windows.ntpclient.NTPClientPlugin
    # cloudbaseinit.plugins.common.userdata.UserDataPlugin

    # Miscellaneous.
    # allow the service to reboot the system (comments must sit on their own line)
    allow_reboot=false
    # stop_service_on_exit=false
    

    cloudbase-init-unattend.conf

    [DEFAULT]
    username=Admin
    groups=Administrators
    inject_user_password=true
    config_drive_raw_hhd=true
    config_drive_cdrom=true
    config_drive_vfat=true
    bsdtar_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe
    mtools_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\
    verbose=true
    debug=true
    logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\
    logfile=cloudbase-init-unattend.log
    default_log_levels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN
    logging_serial_port_settings=
    mtu_use_dhcp_config=true
    ntp_use_dhcp_config=true
    local_scripts_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\
    metadata_services=cloudbaseinit.metadata.services.configdrive.ConfigDriveService,cloudbaseinit.metadata.services.httpservice.HttpService,cloudbaseinit.metadata.services.ec2service.EC2Service,cloudbaseinit.metadata.services.maasservice.MaaSHttpService
    plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin,cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin
    allow_reboot=false
    stop_service_on_exit=false
    check_latest_version=false
    

    unattend.xml

    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
      <settings pass="generalize">
        <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <SkipRearm>1</SkipRearm>
        </component>
        <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <PersistAllDeviceInstalls>false</PersistAllDeviceInstalls>
          <DoNotCleanUpNonPresentDevices>false</DoNotCleanUpNonPresentDevices>
        </component>
      </settings>
      <settings pass="oobeSystem">
        <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <InputLocale>en-US</InputLocale>
          <SystemLocale>en-US</SystemLocale>
          <UILanguage>en-US</UILanguage>
          <UserLocale>en-US</UserLocale>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <OOBE>
            <HideEULAPage>true</HideEULAPage>
            <ProtectYourPC>1</ProtectYourPC>
            <NetworkLocation>Home</NetworkLocation>
            <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
          </OOBE>
          <TimeZone>UTC</TimeZone>
          <UserAccounts>
            <AdministratorPassword>
              <Value>administratorPassword</Value>
              <PlainText>true</PlainText>
            </AdministratorPassword>
            <LocalAccounts>
              <LocalAccount wcm:action="add">
                <Password>
                  <Value>password</Value>
                  <PlainText>true</PlainText>
                </Password>
                <Group>administrators</Group>
                <DisplayName>morpheus</DisplayName>
                <Name>morpheus</Name>
                <Description>Morpheus User</Description>
              </LocalAccount>
            </LocalAccounts>
          </UserAccounts>
        </component>
      </settings>
      <settings pass="specialize"></settings>
    </unattend>
    
  4. Save changes to the cloudbase-init.conf, cloudbase-init-unattend.conf, and unattend.xml files.

    Note

    The Administrator password is set in the unattend.xml file so that it is applied upon boot after sysprep. This is not required if sysprep is not being used, and may not be preferred. Other mechanisms, such as requiring the Administrator password to be reset or randomly generated, can be used. Morpheus can also set it securely via the user_data file at provision time.

  5. To run a sysprep using the cloudbase-init configuration, run the following in a command prompt:

    cd C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf
    
    C:\Windows\System32\sysprep\sysprep.exe /generalize /oobe /unattend:Unattend.xml
    
  6. Sysprep will run and Windows will be powered down. The VM can now be converted to an Image/Template and synced or uploaded to Morpheus and used for Provisioning.

Important

Upon upload or sync of the Virtual Image, ensure the cloudbase enable option is checked in the Virtual Image config, and that the existing credentials (or the unattend.xml credentials, when using sysprep) are populated.
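The lint below is an added example; it is not Cloudbase-Init's or Morpheus's code. It parses a cloudbase-init.conf with Python's configparser (the same INI shape the samples above use) and reports the two mistakes that a read-through of a long sample tends to miss: a misspelled option name, which Cloudbase-Init will not apply, and a trailing "# comment" on a value line, which the parser keeps as part of the value. KNOWN_OPTIONS is built from the option names in the samples above and is an assumption, not an exhaustive list; SAMPLE_CONF is constructed and deliberately carries both mistakes.

```python
import configparser
import re

# Option names as they appear in the sample configurations in this guide. They are
# assumed to be valid cloudbase-init options; the set is not exhaustive, so add the
# ones you use that are missing here.
KNOWN_OPTIONS = {
    "username", "groups", "inject_user_password", "first_logon_behaviour",
    "config_drive_raw_hhd", "config_drive_cdrom", "config_drive_vfat",
    "bsdtar_path", "mtools_path", "verbose", "debug", "logdir", "logfile",
    "default_log_levels", "logging_serial_port_settings", "mtu_use_dhcp_config",
    "ntp_use_dhcp_config", "local_scripts_path", "metadata_services", "plugins",
    "allow_reboot", "stop_service_on_exit", "check_latest_version",
}

OPTION_LINE = re.compile(r"^(\w+)\s*=")


def _split_list(value):
    """Split a comma-separated value that may span continuation lines into clean items."""
    return [item.strip() for item in value.replace("\n", "").split(",") if item.strip()]


def lint_cloudbase_conf(text):
    """Parse a cloudbase-init .conf and return its plugin/service lists plus findings.

    Only the [DEFAULT] section is examined, which is where the sample files put
    everything. An empty 'findings' list means nothing suspicious was seen.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    options = dict(parser.defaults())
    findings = []

    for name, value in options.items():
        if name not in KNOWN_OPTIONS:
            findings.append(f"unknown option '{name}' (misspelled?)")
        # configparser keeps a trailing '# ...' as part of the value, so
        # 'false    # comment' is no longer the boolean false.
        if re.search(r"\s#", value):
            findings.append(f"inline comment in value of '{name}'; put it on its own line")

    # Duplicate keys are accepted silently (strict=False) and only one value survives.
    seen = set()
    for line in text.splitlines():
        match = OPTION_LINE.match(line)
        if match:
            name = match.group(1).lower()
            if name in seen:
                findings.append(f"option '{name}' is set more than once; only one value applies")
            seen.add(name)

    return {
        "plugins": _split_list(options.get("plugins", "")),
        "metadata_services": _split_list(options.get("metadata_services", "")),
        "findings": findings,
    }


# Constructed sample, not a file shipped with Cloudbase-Init: it carries two misspelled
# option names and an inline comment so the lint has something to report.
SAMPLE_CONF = r"""[DEFAULT]
# username=Admin
inject_user_password=false
first_logon_behaviour=no
config_drive_raw_hhd=true
config_drive_cdrom=true
config_drive_vfat=true
bsdtar_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe
logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\
logfile=cloudbase-init.log
mtu_use_dhcp_config=true
ntp_uce_dhcp_config=true
local_script_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\

# metadata services - tried in order until one succeeds
metadata_services=cloudbaseinit.metadata.services.configdrive.ConfigDriveService,
        cloudbaseinit.metadata.services.httpservice.HttpService,
        cloudbaseinit.metadata.services.ec2service.EC2Service,
        cloudbaseinit.metadata.services.maasservice.MaaSHttpService

plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,
        cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin,
  cloudbaseinit.plugins.common.userdata.UserDataPlugin,
  cloudbaseinit.plugins.common.networkconfig.NetworkConfigPlugin

allow_reboot=false    # allow the service to reboot the system
"""

if __name__ == "__main__":
    for finding in lint_cloudbase_conf(SAMPLE_CONF)["findings"]:
        print(finding)
```

Run it against both cloudbase-init.conf and cloudbase-init-unattend.conf before converting the VM to a template; a misspelled option fails silently on the Windows side, and the plugin list it returns is a quick way to confirm which password and user plugins are actually enabled in each file.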

Active Directory

Overview

Active Directory is Microsoft’s primary authentication service, widely used in enterprise organizations and also via Microsoft’s cloud services. While Active Directory also supports the LDAP protocol (which Morpheus can integrate with as well), the dedicated Active Directory integration can also be used. It is even possible to map Active Directory groups to equivalent Roles within Morpheus.

Note

To use Active Directory, a valid, trusted SSL certificate must be in place on the Active Directory services (self-signed certificates will not work).

Adding an Active Directory Integration

  1. Navigate to Administration -> Tenants

  2. Select a Tenant

  3. Select IDENTITY SOURCES

  4. Select + IDENTITY SOURCE

  5. Choose “Active Directory”

  6. Populate the following:

    Name

    Unique name for authentication type.

    AD Server

    Hostname or IP address of AD Server.

    Domain

    Domain name of AD Domain.

    Binding Username

    Service account username for bind user.

    Binding Password

    Password for bind service account.

    Required Group

    The AD group users must be in to have access (optional)

    Default Role

    The default role a user is assigned if none of the user's AD groups maps to a role under the Role Mappings section.

    Service Account Holder

    This is the admin account type in Morpheus; an AD group can be created and populated with the users that should be assigned this role. Roles are assigned dynamically based on group membership.

  7. Select SAVE CHANGES.

Allowed AD users can now log in to Morpheus with their Active Directory credentials, and a User will be generated automatically in Morpheus with matching metadata and mapped Role permissions.

Note

Only the username and password are required, not username@domain.

Note

Sub-tenant Morpheus API authentication for Active Directory generated users is not currently supported.

Service Now

Add Service Now Integration

  1. Navigate to Administration -> Integrations

  2. Select + NEW INTEGRATION

  3. Select ServiceNow from the TYPE dropdown.

  4. Add the following:

    NAME

    Name of the Integration in Morpheus.

    ENABLED

    Leave checked to enable the Integration.

    HOST

    URL of the ServiceNow instance, e.g. https://your.instance.service-now.com

    USER

    A user in ServiceNow that is able to access the REST interface and create/update/delete incidents, requests, requested items, item options, catalog items, workflows, etc.

    PASSWORD

    Above ServiceNow user’s password

  5. Save Changes

ServiceNow Approval Policies

Add ServiceNow Provision Approval Policy to a Cloud

Note

Any Instance provisioned into a Cloud with an Approval Policy enabled will require approval.

To add a ServiceNow Approval policy to a Cloud:

  1. Navigate to Infrastructure -> Clouds

  2. Select a Cloud by clicking on the Cloud Name link

  3. Select the POLICIES tab

  4. Select + ADD POLICY

  5. Select Provision Approval

  6. Optionally enter a description for the Policy

  7. Configure the following:

    APPROVAL INTEGRATION

    Select the ServiceNow Integration already configured in Administration -> Integrations to use for the Approval Policy.

    WORKFLOW

    Select the ServiceNow workflow for the Approval workflow in ServiceNow. Note these workflows are configured and synced in from the ServiceNow Integration.

    TENANTS (if applicable)

    Only required for multi-tenant permission scoping. For the policy to apply to a sub-tenant, type the name of the tenant(s) and select the Tenant(s) from the list.

  8. Save Changes

Add ServiceNow Provision Approval Policy to a Group

Note

Any Instance provisioned into a Group with an Approval Policy enabled will require approval.

To add a ServiceNow Approval policy to a Group:

  1. Navigate to Infrastructure -> Groups

  2. Select a Group by clicking on the Group Name link

  3. Select the POLICIES tab

  4. Select + ADD POLICY

  5. Select Provision Approval

  6. Optionally enter a description for the Policy

  7. Configure the following:

    APPROVAL INTEGRATION

    Select the ServiceNow Integration already configured in Administration -> Integrations to use for the Approval Policy.

    WORKFLOW

    Select the ServiceNow workflow for the Approval workflow in ServiceNow. Note these workflows are configured and synced in from the ServiceNow Integration.

    TENANTS (if applicable)

    Only required for multi-tenant permission scoping. For the policy to apply to a sub-tenant, type the name of the tenant(s) and select the Tenant(s) from the list.

  8. Save Changes

Using ServiceNow Approval Policies

Any Instance provisioned into a Cloud or Group with an Approval Policy enabled will be in a PENDING state until the request is approved.

Instances pending a ServiceNow approval will show “Waiting for Approval” with the Requested Item number and Request number, ex: Waiting for Approval [RITM0010002 - REQ0010002].

ServiceNow Approval requests are displayed in Morpheus under Operations -> Approvals. Instances pending a ServiceNow approval must be approved in ServiceNow for provisioning to start. Approval requests from a ServiceNow Approval Policy cannot be approved in Morpheus; only Internal Approvals can.

Pending ServiceNow Approval requests can be cancelled in Morpheus by selecting the request under Operations -> Approvals and then selecting ACTIONS -> Cancel.

Once a pending ServiceNow Approval request is Approved in ServiceNow, the Instance(s) will begin to provision in Morpheus within 5 minutes of being approved in ServiceNow.

ServiceNow Service Catalog Integration

The following is a guide to installing the Morpheus ServiceNow application.

ServiceNow Configuration

  1. Install the Morpheus Application from the ServiceNow store

  2. Navigate to Morpheus Catalog -> Properties

  3. Set the following properties:

    Morpheus Appliance Endpoint

    The full url to your Morpheus appliance

    Password

    Password of the Morpheus Administrator

    Username

    Username of the Morpheus Administrator

  4. Create a new User

  5. Assign the following roles to the user:

    • x_moda_morpheus_ca.integration
    • catalog_admin
    • itil
    • rest_service

Morpheus Configuration

  1. Navigate to Administration -> Integrations
  2. Click + NEW INTEGRATION
  3. Select ‘ServiceNow’ in the Type field
  4. Fill in the Host, User and Password fields (using the User and Password created in the previous section)

ServiceNow Monitoring Notifications

ServiceNow Monitoring Integration Settings

Note

A ServiceNow Integration must be already configured in Administration -> Integrations to enable the ServiceNow Monitoring Integration.

Enabled
Enables the ServiceNow Monitoring Integration
Integration
Select from a ServiceNow Integration added in Administration -> Integrations
New Incident Action
The Service Now action to take when a Morpheus incident is created.
Close Incident Action
The Service Now action to take when a Morpheus incident is closed.

Incident Severity Mapping

Morpheus Severity    ServiceNow Impact
-----------------    -----------------
Info                 Low/Medium/High
Warning              Low/Medium/High
Critical             Low/Medium/High

SAML Integration

Overview

The Morpheus SAML identity source integration allows customers to add user SSO to Morpheus, authenticated by external SAML login providers.


Adding a SAML Integration

To add a SAML integration:

  1. Navigate to Settings - Accounts
  2. Select an account.
  3. Select IDENTITY SOURCES in the Account detail page
  4. Select + ADD IDENTITY SOURCE.
  5. Select SAML (external login) from the TYPE field
  6. Add a Name and optional Description for the SAML integration

There are 3 sections with fields that need to be populated depending on the desired configuration:

  • SAML Configuration
  • Role Mappings
  • User Attribute Names

SAML Configuration

LOGIN REDIRECT URL
This is the SAML endpoint Morpheus will redirect to when a user signs into Morpheus via SAML.
LOGOUT POST URL
The URL Morpheus will POST to when a SAML user logs out of Morpheus, so that the user is logged out of the SAML provider as well.
SIGNING PUBLIC KEY
Add the X.509 Certificate public key from the SAML provider.

Role Mappings

DEFAULT ROLE
Role a SAML user will be assigned by default when no role is mapped.
ROLE ATTRIBUTE NAME
The name of the attribute field that will map to Morpheus roles, such as MemberOf.
REQUIRED ROLE ATTRIBUTE VALUE
Role attribute value that a user must be assigned/a member of to be authorized, such as group or role in the SAML SP.

The remaining Role Mapping fields are the existing Roles in Morpheus, each with a Role Attribute Value field.
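The function below is an added example, not Morpheus code, showing how the three Role Mapping fields above (and the equivalent Required Group and Default Role fields of the Active Directory integration) combine to produce one role for a user: the required attribute value gates access, a matching Role Attribute Value selects the role, and the default role applies when nothing matches. The precedence when several mappings match (first in list order) and exact-string comparison are assumptions made for this example; the group and role names in the sample mapping are placeholders.

```python
def resolve_role(attributes, role_attribute_name, required_value, role_mappings, default_role):
    """Pick the Morpheus role for a user from the role attribute in their assertion.

    attributes:          attribute name -> value or list of values, as sent by the IdP
                         (for Active Directory, read this as the user's group list).
    role_attribute_name: e.g. "MemberOf" (ROLE ATTRIBUTE NAME).
    required_value:      REQUIRED ROLE ATTRIBUTE VALUE / Required Group; None disables the gate.
    role_mappings:       ordered list of (morpheus_role, attribute_value) pairs.
    default_role:        DEFAULT ROLE, used when no mapping matches.
    Returns the role name, or None when the user must not be let in.

    Assumptions made for this example (the guide does not spell them out): the gate is
    checked before any mapping, the first matching mapping in list order wins, and
    values are compared exactly as sent.
    """
    raw = attributes.get(role_attribute_name, [])
    values = {raw} if isinstance(raw, str) else set(raw)
    if required_value is not None and required_value not in values:
        return None
    for role, attribute_value in role_mappings:
        if attribute_value in values:
            return role
    return default_role


# Constructed sample mapping; group and role names are placeholders, not Morpheus defaults.
ROLE_MAPPINGS = [
    ("System Admin", "morpheus-admins"),
    ("Standard User", "morpheus-users"),
]


def role_for_groups(member_of):
    """Resolve a role for a user whose MemberOf attribute holds the given groups."""
    return resolve_role({"MemberOf": member_of}, "MemberOf", "morpheus-access",
                        ROLE_MAPPINGS, "Read Only")


if __name__ == "__main__":
    for groups in (["morpheus-access", "morpheus-admins"], ["morpheus-admins"], ["morpheus-access"]):
        print(groups, "->", role_for_groups(groups))
```

The second case is the one worth noticing: a member of the admin group who is not in the required group gets no access at all, which is why the required value should name a deliberately maintained group rather than a broad one such as Domain Users.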

User Attribute Names

GIVEN NAME ATTRIBUTE NAME
SAML SP field value to map to Morpheus user First Name
SURNAME ATTRIBUTE NAME
SAML SP field value to map to Morpheus user Last Name
EMAIL ATTRIBUTE NAME
SAML SP field value to map to Morpheus user email address

Once populated, select SAVE CHANGES and the SAML identity source integration will be added.

In the Identity Sources section, important information for configuration of the SAML integration is provided. Use the SP ENTITY ID and SP ACS URL for configuration on the external login SAML provider side.

  • SP ENTITY ID
  • SP ACS URL*
  • IDP LOGIN REDIRECT URL
  • IDP LOGOUT POST URL
  • SP METADATA

Sample Metadata code output:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://someip.com/saml/CDWPjmZt" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://someip.com/externalLogin/callback/CDWPjmZt"/>
  </SPSSODescriptor>
</EntityDescriptor>

Note

Different SAML providers will have different field names and requirements. A Onelogin SAML Test Connector (IdP w/attr) was used for the example integration in this article.

Onelogin SAML SSO

For Onelogin SAML integration, the following fields are mapped:

  • LOGIN REDIRECT URL : SAML 2.0 Endpoint (HTTP)
  • LOGOUT POST URL : SLO Endpoint (HTTP)
  • SIGNING PUBLIC KEY : X.509 Certificate
  • SP ENTITY ID: ACS (Consumer) URL Validator
  • SP ACS URL: ACS (Consumer) URL
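As an added example, not Morpheus code, the parser below reads SP metadata like the sample output shown earlier, extracts the entity ID and ACS URL that the Onelogin fields above map to, and flags metadata that does not declare WantAssertionsSigned or whose ACS URL is not HTTPS. SAMPLE_SP_METADATA is the sample metadata from this article; the field names returned by onelogin_fields follow the mapping list above.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def parse_sp_metadata(xml_text):
    """Extract the values an IdP administrator needs from SP metadata."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    services = sp.findall("md:AssertionConsumerService", MD_NS)
    if not services:
        raise ValueError("SPSSODescriptor has no AssertionConsumerService")
    # Prefer the service flagged as default, else the first one listed.
    acs = next((s for s in services if s.get("isDefault") == "true"), services[0])
    nameid = sp.find("md:NameIDFormat", MD_NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "nameid_format": nameid.text if nameid is not None else None,
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
    }


def metadata_findings(info):
    """Flag settings in the parsed metadata that weaken the integration."""
    findings = []
    if not info["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is false: the SP does not declare that "
                        "assertions must be signed with the IdP's X.509 certificate")
    if not (info["acs_url"] or "").startswith("https://"):
        findings.append("ACS URL is not https; assertions would be posted in clear text")
    if info["acs_binding"] != "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST":
        findings.append(f"unexpected ACS binding {info['acs_binding']}")
    return findings


def onelogin_fields(info):
    """Map the SP values onto the Onelogin connector fields listed in the guide."""
    return {
        "ACS (Consumer) URL Validator": info["entity_id"],
        "ACS (Consumer) URL": info["acs_url"],
    }


# The sample SP metadata shown in the guide, kept as a single string.
SAMPLE_SP_METADATA = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<EntityDescriptor entityID="https://someip.com/saml/CDWPjmZt" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:metadata">'
    '<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>'
    '<AssertionConsumerService index="0" isDefault="true" '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://someip.com/externalLogin/callback/CDWPjmZt"/>'
    '</SPSSODescriptor></EntityDescriptor>'
)

if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print(info)
    print(onelogin_fields(info), metadata_findings(info) or "no findings")
```

Paste the SP METADATA shown in the Identity Sources section into parse_sp_metadata to get the two values the IdP side needs without retyping them; the entity ID and ACS URL embed the per-integration token, so a typo on the IdP side shows up as a failed callback rather than an obvious error.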