2 Administering Oracle Container Cloud Service

Learn how to order an Oracle Container Cloud Service subscription and how to access the Oracle Container Cloud Service Console to administer Oracle Container Cloud Service instances.

Typical Workflow for Setting Up and Administering Oracle Container Cloud Service

Here’s a typical workflow showing the tasks you’ll usually perform to set up and administer Oracle Container Cloud Service.

Task: Order and activate a subscription for Oracle Container Cloud Service

Description: You choose whether to:

  • request a trial subscription

  • buy a nonmetered subscription

  • buy a metered subscription

When you order a subscription for Oracle Container Cloud Service, you automatically get a subscription for Oracle Developer Cloud Service as an entitlement.

You can also purchase other subscriptions, such as Oracle Database Cloud Service and Oracle Messaging Cloud Service, if needed for your application.

Note: Oracle Container Cloud Service requires access to block and object storage in Oracle Cloud. You’ll probably already have access to this storage through your subscriptions to other cloud services (for example, Oracle Storage Cloud Service, Oracle Compute Cloud Service, Oracle Database Cloud Service, Oracle Java Cloud Service). If not, you’ll have to order a subscription to a service that does provide Oracle Cloud block and object storage.

More Information:

Ordering a Subscription for Oracle Container Cloud Service

Task: Create an Oracle Container Cloud Service service instance

Description: Sign in to the My Services application to access the Oracle Container Cloud Service Console and create a service instance.

More Information:

Accessing the Service Console for Oracle Container Cloud Service

Creating Oracle Container Cloud Service Instances

Task: Administer Oracle Container Cloud Service

Description: Use the Oracle Container Cloud Service Console to administer Oracle Container Cloud Service and service instances, including to:

  • create additional service instances

  • manage SSH keys

  • manage access rules

  • view activity

  • delete unrequired service instances

More Information:

Accessing the Service Console for Oracle Container Cloud Service

Creating Oracle Container Cloud Service Instances

Adding Public SSH Keys to Oracle Container Cloud Service Instances

Managing Access Rules for Oracle Container Cloud Service Instances

Viewing Activity for Oracle Container Cloud Service Instances

Deleting Oracle Container Cloud Service Instances

Ordering a Subscription for Oracle Container Cloud Service

Before you can start using Oracle Container Cloud Service, you have to order a subscription.

To order a subscription for Oracle Container Cloud Service:
  1. If you don’t have one already, get an Oracle.com account (see Getting an Oracle.com Account in Getting Started with Oracle Cloud).
  2. Decide the type of Oracle Container Cloud Service subscription that’s most appropriate for your current requirement.
    If you’re not sure which type of subscription is right for you, see Overview of Oracle Cloud Subscriptions in Getting Started with Oracle Cloud.
  3. Order the Oracle Container Cloud Service subscription you’ve decided on by following the corresponding instructions in Getting Started with Oracle Cloud, as shown below:
  4. If you want other users to be able to create Oracle Container Cloud Service service instances, grant them the following roles:
    • Oracle Compute Cloud Service instance administrator (the 'Compute Compute Operations' role)
    • Oracle Container Cloud Service instance administrator (the 'CONTAINER Administrator' role)
    As the user who obtained the Oracle Container Cloud Service subscription, you're granted these roles automatically. See Creating a User and Assigning a Role in Getting Started with Oracle Cloud.
Oracle Cloud sends designated administrators the following information required to access the My Services application:
  • Sign-in credentials (a username, temporary password, identity domain, and data center where the service is located)

  • My Services URL

Administrators can now create Oracle Container Cloud Service service instances by following the instructions in Creating Oracle Container Cloud Service Instances.

Administering Oracle Container Cloud Service Instances

Learn how to administer Oracle Container Cloud Service instances.

Accessing the Service Console for Oracle Container Cloud Service

If you’re responsible for administering and monitoring Oracle Container Cloud Service instances, you’ll be using the Service Console.

To access the Oracle Container Cloud Service Console:
  1. Sign in to the My Services application at the URL and using the credentials you’ve received, either from your administrator or in an email from Oracle Cloud.
  2. In the My Services dashboard, navigate to the Oracle Container Cloud Service entry and select Open Service Console from the menu.
  3. On the Service Details page, click Open Service Console to display the Services tab of the Oracle Container Cloud Service Console.
  4. Administer Oracle Container Cloud Service instances by performing tasks such as:

Creating Oracle Container Cloud Service Instances

You can use a simple wizard to define and create Oracle Container Cloud Service instances, specifying (amongst other things) the number of worker nodes that can run Docker containers.

When you create an Oracle Container Cloud Service instance, you specify the username and password for an instance administrator. Use these credentials to launch the Oracle Container Cloud Service Container Console from the Oracle Container Cloud Service Console. You can change the instance administrator’s username and/or password later:

Every Oracle Container Cloud Service instance you create will always have one manager node, and the number of worker nodes that you specify. Oracle Container Cloud Service software running on the manager node orchestrates the deployment of Docker containers to the worker nodes in the instance.

Manager nodes and worker nodes are Oracle Compute virtual machines (VMs), also known as compute nodes or compute VMs. When you create an Oracle Container Cloud Service instance, you’re billed for the total number of compute VMs you request for the instance (the number of worker nodes, plus one manager node).

To create a new Oracle Container Cloud Service service instance using the Oracle Container Cloud Service Console:

  1. Navigate to the Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. Click Create Service to display the Oracle Container Cloud Service Instance Creation Wizard.
  3. Enter properties for the new service instance on the Details page of the Instance Creation Wizard as follows:
    Option: Use to specify

    Service Name: A name for the service instance that is unique within the identity domain.

    Service Description: An optional description to identify the service instance.

    SSH Public Key: An existing public key (or a file containing the public key). Alternatively, you can generate a new public key.

    Admin Username: The instance administrator’s username to use when logging into the Container Console. The default username in this field is ‘admin’, but you can change it now before you create the instance. And you can change the instance administrator’s username later if you need to, using the Container Console (see Changing the Username or Password for an Oracle Container Cloud Service Instance Administrator).

    Admin Password and Confirm Admin Password: The instance administrator’s password to use when logging into the Container Console. The password can be a minimum of 8 and a maximum of 32 characters with at least 1 uppercase letter, 1 lowercase letter, and 1 number.

    Worker node Compute Shape: The shape, or resource profile, that determines the number of CPUs and amount of memory assigned to each worker node in the service instance.

    Number of worker nodes: The number of worker nodes (between 1 and 999) to create with the service instance.

    Worker node data volume size (GB): The size of the data volume available to each worker node.

    Manager node Compute Shape: The shape, or resource profile, that determines the number of CPUs and amount of memory assigned to the manager node in the service instance.
  4. Click Next and review the details you’ve entered on the Confirmation page of the Oracle Container Cloud Service Instance Creation Wizard.
  5. Click Create to create the Oracle Container Cloud Service instance. The message Creating service ... appears in the Status field.

    Tip:

    Click Creating service ... to see the progress and the messages output during the instance creation process.

    Within a few minutes, the Oracle Container Cloud Service instance is created with the details you specified.

  6. Click the name of the newly created instance to see the virtual machines that have been created on the Service Details page.
  7. Optional: You can now administer the new Oracle Container Cloud Service instance by clicking the Menu icon (beside the service instance name at the top of the page) and selecting:
  8. Optional: If other users are going to be using Oracle Container Cloud Service to manage and monitor your Docker environment, notify them of the URL and credentials to use to access the Container Console.
    The URL is in the format https://<manager-node-ip-address>/#/dashboard, where <manager-node-ip-address> is the public IP address of the manager node. For example, https://192.0.2.254/#/dashboard. You can find out the Container Console’s URL in either of the following ways:
    • On the Service Details page, click the Menu icon (beside the service instance name at the top of the page), select Container Console, and copy the URL that’s used to launch the Container Console.

    • On the Service Details page, locate the manager node (the VM with the Instance Type set to MANAGER), copy the value in the Public IP field, and use that to construct the URL. For example, if the value in the Public IP field is 192.0.2.254, the Container Console’s URL is https://192.0.2.254/#/dashboard.

Viewing Information about Oracle Container Cloud Service Instances

Use the Oracle Container Cloud Service Console to see summary and detailed information about Oracle Container Cloud Service instances in the identity domain.

To view information about Oracle Container Cloud Service instances:
  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. On the Services tab:
    1. View summary information for all the Oracle Container Cloud Service instances in the identity domain, including:
      • the total number of service instances

      • the total number of OCPUs allocated to all instances

      • the total amount of memory available to all instances

      • the total amount of storage available to all instances

      • the total number of public IP addresses

    2. View a selection of detailed information for all the Oracle Container Cloud Service instances in the identity domain. For each instance, you can see:
      • the type of subscription

      • the number of nodes and OCPUs allocated to the instance

      • the Oracle Container Cloud Service version

      • the amount of memory and storage available to the instance

    3. View a log of service creation and deletion operations by expanding the Service Create and Delete History section.
  3. On the Services tab, click the name of an Oracle Container Cloud Service instance about which you want to see more detailed information.
  4. On the Service Details page:
    1. View summary information for the selected instance, including:
      • the number of nodes allocated to the instance

      • the total number of allocated OCPUs across all nodes in the instance

      • the total amount of allocated memory and storage across all nodes in the instance

    2. View detailed information for VMs in the selected instance. For each VM, you can see the VM's:
      • host name

      • number of OCPUs

      • public IP address

      • memory and storage

      • description and type

    3. View detailed metrics information about each VM in the selected instance by clicking Healthcheck. For each VM, you can see:
      • the CPU utilization

      • the available memory

      • the number of deployed applications (manager nodes only)

      • the status of the Docker daemon (worker nodes only)

      • the number of running Docker containers (worker nodes only)

    4. View additional detailed information about the selected instance by expanding the More Information section, including:
      • the type of subscription

      • the Oracle Container Cloud Service version

      • the data center location

      • the compute shape of manager and worker nodes

    5. View detailed information about operations on the instance by expanding the Activity section. For each operation, you can see:
      • the type of operation

      • when the operation started and finished

      • the status of the operation

Stopping, Starting, and Restarting Oracle Container Cloud Service Instances

Learn about how to stop, start, and restart Oracle Container Cloud Service instances.

Stopping an Oracle Container Cloud Service Instance

When you stop an Oracle Container Cloud Service instance using the Oracle Container Cloud Service Console, the manager node and all worker nodes in the instance are stopped. You cannot perform management operations on a stopped instance except to start it or to delete it. When you stop an instance, its CPU and RAM are stopped.

To stop an Oracle Container Cloud Service instance:

  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. Click the Menu icon beside the service instance that you want to stop, and select Stop.
  3. When prompted, click OK to confirm that you want to stop the instance.
    The manager node and all worker nodes in the instance are stopped. In addition, the OCPUs and Memory fields indicate that the resources are not currently in use.

Starting an Oracle Container Cloud Service Instance

When you start a stopped Oracle Container Cloud Service instance using the Oracle Container Cloud Service Console, the manager node and all worker nodes in the instance are started. You can once again perform management operations such as changing the number of worker nodes and backing up the instance.

To start an Oracle Container Cloud Service instance:

  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. Click the Menu icon beside the service instance that you want to start, and select Start.
  3. When prompted, click OK to confirm that you want to start the instance.
    The manager node and all worker nodes in the instance are started.

Restarting an Oracle Container Cloud Service Instance

When you restart an Oracle Container Cloud Service instance using the Oracle Container Cloud Service Console, the manager node and all worker nodes in the instance are stopped and then immediately started again.

To re-start an Oracle Container Cloud Service instance:

  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. Click the Menu icon beside the service instance that you want to restart, and select Restart.
  3. When prompted, click OK to confirm that you want to re-start the instance.
    The manager node and all worker nodes in the instance are stopped, and then started.

Stopping, Starting, and Restarting Manager and Worker Nodes

Learn about how to stop, start, and restart Oracle Container Cloud Service manager nodes and worker nodes.

Stopping, Starting, and Restarting Manager Nodes

You use the Oracle Container Cloud Service Console to restart the manager node in an Oracle Container Cloud Service instance. While the manager node is being restarted, the instance is not available for Oracle Container Cloud Service operations.

Manager nodes are implicitly stopped, started, and restarted when you stop, start, and restart Oracle Container Cloud Service instances. When you:

  • Stop a running instance, the manager node and all worker nodes in the instance are stopped. You cannot start worker nodes while the manager node is stopped.

  • Start a stopped instance, the manager node and all worker nodes in the instance are started.

  • Restart a running instance, the manager node and all worker nodes in the instance are stopped, and then started.

What happens when you explicitly restart the manager node of an Oracle Container Cloud Service instance depends on whether the instance is running:

  • If you restart the manager node of a running instance, the manager node and all running worker nodes are first stopped. Then the manager node is started, followed by all the worker nodes. The instance is returned to a running state.

  • If you restart the manager node of a stopped instance (that is, an instance in which the manager node and all worker nodes are already stopped), the manager node is started. However, note that worker nodes are not restarted. You have to restart the worker nodes individually, starting with the original worker nodes that were defined when the instance was created. When the original worker nodes have all been restarted, you can restart additional worker nodes that were added after the instance was created.

To explicitly restart the manager node in an Oracle Container Cloud Service instance:

  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. On the Services tab, click the name of the Oracle Container Cloud Service instance in which you want to restart the manager node.
  3. Click the Menu icon beside the manager node and select Restart.
  4. When prompted, click OK to confirm that you want to restart the manager node.
    What happens next depends on whether the Oracle Container Cloud Service instance is running when you perform the operation:
    • If the instance is running, the manager node and all running worker nodes are first stopped. Then the manager node is started, followed by all the worker nodes. The instance is returned to a running state.

    • If the instance is not running, only the manager node is started. You have to start the worker nodes individually.

Stopping, Starting, and Restarting Worker Nodes

You use the Oracle Container Cloud Service Console to stop, start, and restart the worker nodes in an Oracle Container Cloud Service instance.

Worker nodes are implicitly stopped, started, and restarted when you stop, start, and restart Oracle Container Cloud Service instances. When you:

  • Stop a running instance, the manager node and all worker nodes in the instance are stopped. You cannot start worker nodes while the manager node is stopped.

  • Start a stopped instance, the manager node and all worker nodes in the instance are started.

  • Restart a running instance, the manager node and all worker nodes in the instance are stopped, and then started.

Whether you can explicitly stop, start, and restart individual worker nodes depends on:

  • Whether the worker node is the first of the original worker nodes defined and created when the instance itself was first created, or whether the worker node is a second (or subsequent) original worker node or an additional worker node that was added to the instance later.

  • Whether the instance and/or manager node is currently running. If the instance and/or manager node is currently stopped, you cannot stop, start, or restart any worker nodes. If the instance and/or manager node is currently running:

    • you can restart the first of the original worker nodes (this node usually has a name that ends with "-occs-wkr-1")

    • you can stop, start, and restart other worker nodes, provided the first of the original worker nodes is already running

Note:

Before you stop a worker node, it is generally good practice to first use the Oracle Container Cloud Service Container Console to stop any deployments that are running on that worker node.

In particular, note that when you stop a worker node, any deployments currently running on the worker node are restarted on the remaining nodes in the resource pool according to the service’s orchestration policy (see Creating a Service with Oracle Container Cloud Service). If you don’t want deployments restarted on other nodes in the resource pool, use the Oracle Container Cloud Service Container Console to stop deployments running on the worker node before you stop it.

To explicitly stop, start, or restart individual worker nodes in an Oracle Container Cloud Service instance:

  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. On the Services tab, click the name of the Oracle Container Cloud Service instance in which you want to stop, start, or restart individual worker nodes.
  3. Click the Menu icon beside the individual worker node and select Stop, Start, or Restart as appropriate.
  4. When prompted, click OK to confirm that you want to stop, start, or restart the worker node.
    What happens next depends on whether the Oracle Container Cloud Service instance and/or manager node is running when you perform the operation:
    • If the instance and/or manager node is not running, all worker nodes are already stopped. You cannot start or restart worker nodes. If you attempt to start or restart worker nodes, an error message is shown.

    • If the instance and/or manager node is running:

      • you can restart the first of the original worker nodes (this node usually has a name that ends with "-occs-wkr-1")

      • you can stop, start, and restart other worker nodes, provided the first of the original worker nodes is already running

Enabling and Disabling Secure Shell (SSH) Access to Oracle Container Cloud Service Manager and Worker Nodes

Learn how to connect to Oracle Container Cloud Service manager and worker nodes using SSH, and how to enable and disable SSH access.

About SSH Access to Oracle Container Cloud Service Manager and Worker Nodes

You have SSH (Secure Shell) access to the manager and worker nodes in an Oracle Container Cloud Service instance to perform a number of administrative tasks.

When you create an Oracle Container Cloud Service instance, you’re prompted to enter the public key of an SSH public/private key pair.

Later on, you might want to connect to a manager or worker node from an SSH client (for example, to reset the admin password, to retrieve support logs, or to upload your own signed SSL certificates). By default, port 22 on manager and worker nodes (the port used for SSH access) is open. If you want to connect to the node from an SSH client, you’ll have to use the paired private key when logging in.

If you want to connect to a manager or worker node from a machine other than the one where you originally ran the Oracle Container Cloud Service Console to create the Oracle Container Cloud Service instance, the other machine must have access to the original private key (for example, by copying the private key to the other machine).

If the private key that you use to access the manager and worker nodes is lost or gets corrupted, you can add a new public key to the service instance. You might also want to add a new public key to a service instance to comply with your organization’s security policies or regulations. When you add a new public key to a service instance:
  • The new key is appended to any existing public keys in the /.ssh/authorized_keys file on the instance’s manager and worker nodes. Existing public SSH keys can still be used to connect to the manager and worker nodes.

  • All the VMs in the service instance are restarted.

To connect to a manager or worker node using SSH and the new public key, the machine you’re connecting from must have access to the private key that is paired with the new public key.

To prevent a particular public SSH key from being used to gain SSH access to a manager or worker node, you remove the public key from the /.ssh/authorized_keys file on the node.
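
Because adding a key never invalidates the older ones, revoking access means editing the file on each node. The following shell functions are an added example, not part of Oracle's documentation or tooling: they list the entries in an authorized_keys file and remove one by its key blob, keeping a backup. The file path is passed as an argument, and the function names and sample keys are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit and revoke entries in an authorized_keys file.
# Function names and sample data are hypothetical; pass the path of the
# authorized_keys file on the node as the first argument.

# list_keys FILE
# Print "line-number key-type comment" for every key entry in FILE.
list_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            # Options such as from="..." may precede the key type, so look
            # for the first field that is a key type followed by a blob.
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) {
                    comment = "(no comment)"
                    if (i + 2 <= NF) {
                        comment = $(i + 2)
                        for (j = i + 3; j <= NF; j++) comment = comment " " $j
                    }
                    print NR, $i, comment
                    next
                }
            }
        }' "$1"
}

# revoke_key FILE PUBKEY_FILE
# Remove every entry in FILE whose base64 key blob equals the blob in
# PUBKEY_FILE. Matching on the blob rather than the comment also removes
# copies of the same key that carry a different comment or an options prefix.
# Returns 0 if an entry was removed, 1 if the key was not present,
# 2 on bad input.
revoke_key() {
    file=$1
    pub=$2
    [ -f "$file" ] && [ -f "$pub" ] || return 2

    # The blob is the field that follows the key type in the public key file.
    blob=$(awk '{ for (i = 1; i < NF; i++)
                      if ($i ~ /^(ssh-|ecdsa-)/) { print $(i + 1); exit } }' "$pub")
    [ -n "$blob" ] || return 2

    # Write the filtered copy to a private temporary file in the same
    # directory, so the final rename replaces the original in one step.
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    chmod 600 "$tmp"

    if awk -v blob="$blob" '
            { hit = 0
              for (i = 1; i <= NF; i++) if (($i "") == (blob "")) hit = 1 }
            hit { removed++; next }
            { print }
            END { exit (removed > 0 ? 0 : 1) }
        ' "$file" > "$tmp"
    then
        # Keep a copy of the previous file so a mistake can be undone.
        cp -p "$file" "${file}.bak" && mv "$tmp" "$file"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demonstration on constructed data (placeholder blobs, not real keys).
demo() {
    dir=$(mktemp -d) || return 1
    ak="$dir/authorized_keys"
    cat > "$ak" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKEYone original-key
from="192.0.2.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKEYtwo old-laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKEYthree replacement-key
EOF
    chmod 600 "$ak"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKEYtwo renamed' > "$dir/revoke.pub"

    echo "Before:"; list_keys "$ak"
    if revoke_key "$ak" "$dir/revoke.pub"; then echo "Key removed"; fi
    echo "After:"; list_keys "$ak"
    rm -rf "$dir"
}
demo
```

Run `list_keys` again after a revocation and confirm that you can still log in from a second session before closing the first one.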

Connecting to Oracle Container Cloud Service Manager and Worker Nodes Through SSH

To perform administrative tasks (for example, to reset the admin password, to retrieve support logs, or to upload your own signed SSL certificates) on an Oracle Container Cloud Service manager or worker node, you use SSH client software to establish a secure connection and log in.

A number of SSH clients are freely available for different platforms, including:

  • the ssh utility for UNIX and UNIX-like platforms

  • the PuTTY program for Windows

Connecting to Manager and Worker Nodes Using the ssh Utility on UNIX

On UNIX and UNIX-like platforms (including Solaris and Linux), you can connect through SSH to Oracle Container Cloud Service manager and worker nodes using the ssh utility (an SSH client) to perform administrative tasks.

Note the instructions below assume the UNIX machine you use to connect to the manager or worker node:
  • Has the ssh utility installed.

  • Has access to the SSH private key file paired with the SSH public key that was specified when the service instance was created.

To connect to a manager or worker node through SSH from a UNIX machine using the ssh utility:
  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. On the Services tab, click the name of the Oracle Container Cloud Service instance to which you want to connect using the ssh utility.
  3. Locate the manager node (the VM for which the Instance Type field is set to MANAGER) or worker node to which you want to connect and make a note of the IP address shown in its Public IP field. For example, 192.0.2.254.
  4. On your UNIX machine, open a command line terminal window.
  5. In the terminal window, type ssh opc@<node_ip_address> to connect to the manager or worker node, where <node_ip_address> is the IP address of the manager or worker node shown on the Services tab that you made a note of earlier. For example, ssh opc@192.0.2.254

    Note:

    If the SSH private key is not stored in the file or in the path that the ssh utility expects (for example, the ssh utility might expect the private key to be stored in ~/.ssh/id_rsa), you must explicitly specify the private key filename and location in one of two ways:
    • Use the -i option to specify the filename and location of the private key. For example, ssh -i ~/.ssh/my_keys/my_occs_host_key_filename opc@192.0.2.254

    • Add the private key filename and location to an SSH configuration file, either the client configuration file (~/.ssh/config) if it exists, or the system-wide client configuration file (/etc/ssh/ssh_config). For example, you might add the following:

      Host 192.0.2.254
      	IdentityFile ~/.ssh/my_keys/my_occs_host_key_filename

    For more about the ssh utility’s configuration file, type man ssh_config

    Note also that permissions on the private key file must allow you read/write access, but prevent other users from accessing the file. For example, to set appropriate permissions, you might type chmod 600 ~/.ssh/my_keys/my_occs_host_key_filename. If permissions are not set correctly and the private key file is accessible to other users, the ssh utility will simply ignore the private key file.

  6. In the terminal window, perform administrative tasks on the manager or worker node using SSH.
  7. When you’re finished, close the SSH connection by typing exit in the terminal window.

Connecting to Manager and Worker Nodes Using PuTTY on Windows

On Windows platforms, you can connect through SSH to Oracle Container Cloud Service manager and worker nodes using the PuTTY program (a freely available SSH client) to perform administrative tasks.

Note the instructions below assume the Windows machine you use to connect to the manager or worker node:
  • Has the PuTTY program installed.

    If PuTTY is not installed, go to http://www.putty.org/ to download and install it.

  • Has access to the SSH private key file paired with the SSH public key that was specified when the service instance was created.

    The private key file must be in the PuTTY .ppk format. If the private key file was originally created on the Linux platform, use the PuTTYgen program to convert it to the .ppk format.

To connect to a manager or worker node through SSH from a Windows machine using the PuTTY program:
  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. On the Services tab, click the name of the Oracle Container Cloud Service instance to which you want to connect using the PuTTY program.
  3. Locate the manager node (the VM for which the Instance Type field is set to MANAGER) or worker node to which you want to connect and make a note of the IP address shown in its Public IP field. For example, 192.0.2.254.
  4. On your Windows machine, run the PuTTY program.

    The PuTTY Configuration window is displayed, showing the Session panel.

  5. In the Host Name (or IP address) box, enter the IP address of the manager or worker node.
  6. Confirm that the Connection type option is set to SSH.
  7. In the Category tree, expand Connection if necessary and then click Data.

    The Data panel is displayed.

  8. In the Auto-login username box, type opc.
  9. Confirm that the When username is not specified option is set to Prompt.
  10. In the Category tree, expand SSH and then click Auth.

    The Auth panel is displayed.

  11. Click the Browse button next to the Private key file for authentication box. Then, in the Select private key file window, navigate to and open the private key file that matches the public key.
  12. In the Category tree, click Session.

    The Session panel is displayed.

  13. In the Saved Sessions box, enter a name for this connection configuration. Then, click Save.
  14. Click Open to open the connection.

    The PuTTY Configuration window is closed and the PuTTY terminal window is displayed.

    If this is the first time you’re connecting to the manager or worker node, the PuTTY Security Alert window is displayed, prompting you to confirm the public key. Click Yes to continue connecting.

  15. In the PuTTY terminal window, perform administrative tasks on the manager or worker node using SSH.
  16. When you’re finished, close the SSH connection by typing exit in the PuTTY terminal window.

Adding Public SSH Keys to Oracle Container Cloud Service Instances

You can add additional public SSH keys to Oracle Container Cloud Service instances in your identity domain using the Oracle Container Cloud Service Console (for example, if you lose the original private key or it gets corrupted).

When you add a new public SSH key, it’s appended to any existing public SSH keys in the /.ssh/authorized_keys file on the instance’s manager and worker nodes (the existing public SSH keys can still be used). To connect to the manager node or worker nodes using the new public SSH key, the machine from which you’re connecting must have access to the private key paired with the new SSH public key.

To add a new SSH public key to an Oracle Container Cloud Service instance:

  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. Click the Menu icon beside the service instance to which you want to add a new public SSH key, and select SSH Access.
    The Add New Key dialog is displayed, showing the value of the most recent SSH public key.
  3. Specify the new public key using one of the following methods:
    • Select Upload a new SSH Public Key value and click Browse to select a file that contains the public key.
    • Select Key value, delete the current key value, and paste the new public key into the text area. Make sure the value doesn’t contain line breaks or end with a line break.
  4. Click Add New Key.
    The new public key is added to the /.ssh/authorized_keys file on the manager and worker nodes.
  5. When prompted, confirm that you want to restart the VMs for the Oracle Container Cloud Service instance.

Removing Public SSH Keys from Oracle Container Cloud Service Manager and Worker Nodes Using SSH

You can prevent a particular public SSH key from being used to gain SSH access to an Oracle Container Cloud Service instance’s manager or worker node by removing the public SSH key from the /.ssh/authorized_keys file on the node.

Note the instructions below assume:
  • you know the public SSH key that you want to prevent from accessing the manager or worker node

  • the machine you use to connect to the manager or worker node:
    • has an SSH client installed

    • has access to the SSH private key file paired with the SSH public key that was specified when the service instance was created

To prevent a particular public SSH key from being used to gain SSH access to a manager or worker node:
  1. Use SSH to connect to the manager or worker node.
  2. In the terminal window, navigate to the /.ssh directory on the manager or worker node. For example, by typing:
    cd /.ssh
  3. Open the authorized_keys file in a text editor.
  4. Delete the public SSH key that you want to prevent from being used to gain SSH access to the manager or worker node.
  5. Save and close the authorized_keys file.
  6. Close the SSH connection by typing exit in the terminal window.
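A scripted form of steps 2 to 5, as an added example that is not part of Oracle's documentation: it removes the key by matching its base64 blob, keeps a backup, and refuses to delete the last remaining key so the node stays reachable over SSH. The function name and return codes are this example's own.

```shell
#!/bin/sh
# Added example, not Oracle tooling. Removes one public key from an
# authorized_keys file by matching its base64 blob, so a differing comment or
# options prefix on the line does not matter.
# Usage on a node (path as given on this page):
#   remove_authorized_key /.ssh/authorized_keys revoked_key.pub
# Returns: 0 removed, 1 key not present, 2 unusable input,
#          3 refused because no key would be left (lockout guard).
remove_authorized_key() {
    rak_auth=$1
    rak_pub=$2
    [ -f "$rak_auth" ] && [ -f "$rak_pub" ] || return 2

    # Every SSH public-key blob starts with "AAAA": it opens with the 4-byte
    # length of the key-type string, whose high bytes are zero.
    rak_blob=$(awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit } }' "$rak_pub")
    [ -n "$rak_blob" ] || return 2

    # Count key lines that carry the blob and key lines that would remain.
    rak_counts=$(awk -v blob="$rak_blob" '
        /^[ \t]*(#|$)/ { next }
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == blob) hit = 1 }
        hit  { drop++ }
        !hit { keep++ }
        END  { print drop + 0, keep + 0 }' "$rak_auth")
    rak_drop=${rak_counts% *}
    rak_keep=${rak_counts#* }
    [ "$rak_drop" -gt 0 ] || return 1
    [ "$rak_keep" -gt 0 ] || return 3

    # Keep a backup, filter into a temp file, then overwrite in place so the
    # file keeps its existing owner and mode.
    cp -p "$rak_auth" "$rak_auth.bak" || return 2
    rak_tmp=$(mktemp "$rak_auth.XXXXXX") || return 2
    awk -v blob="$rak_blob" '
        /^[ \t]*(#|$)/ { print; next }
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == blob) hit = 1 }
        !hit { print }' "$rak_auth" > "$rak_tmp" && cat "$rak_tmp" > "$rak_auth"
    rak_rc=$?
    rm -f "$rak_tmp"
    return "$rak_rc"
}
```

Because each node has its own authorized_keys file, run it on every manager and worker node where the key should stop working, and delete the .bak copy once a new login with a remaining key has been confirmed.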

Uploading Your Own SSL Certificates to a Manager Node Using SSH

By default, the NGINX web server that runs on the Oracle Container Cloud Service manager node uses self-signed SSL certificates. If you prefer, you can upload your own SSL certificates that have been signed by a Certificate Authority for NGINX to use.

As with certificates signed by a Certificate Authority, self-signed SSL certificates securely encrypt user credentials. However, self-signed SSL certificates cause some browsers to display a connection warning message the first time users go to the Container Console. In the case of Oracle Container Cloud Service, it’s fine for users to ignore the warning message. However, you might want to use your own signed SSL certificates with Oracle Container Cloud Service to:
  • avoid users seeing the initial security warning

  • discourage users from simply ignoring security warnings

  • show the secure padlock icon in the browser URL field (rather than an insecure icon)

  • ensure the Oracle Container Cloud Service REST API is accessed via HTTPS

Note the instructions below assume you’re using the Bourne shell on a UNIX machine to connect to the manager node, and the machine:
  • has the ssh utility installed

  • has access to the SSH private key file paired with the SSH public key that was specified when the service instance was created

To upload SSL certificates to a manager node from a UNIX machine using the ssh utility:
  1. On the UNIX machine where the SSL certificates currently reside, open a terminal window.
  2. Create a new local directory named /certs at the root level.
  3. Copy the SSL certificate file to the local /certs directory. If the SSL certificate file you just copied into the /certs directory is not already named cert.crt, rename it to cert.crt now.
  4. Copy the corresponding SSL key file to the local /certs directory. If the SSL key file you just copied into the /certs directory is not already named cert.key, rename it to cert.key now.
  5. Set the values of two variables called CERT and KEY to the contents of the /certs/cert.crt and /certs/cert.key files respectively, by typing:
    export CERT="$(cat /certs/cert.crt)" && export KEY="$(cat /certs/cert.key)"
  6. Connect to the manager node using the ssh utility as the default opc user, and create new files called cert.crt and cert.key in the /certs directory on the manager node from the contents of the CERT and KEY variables by typing:
    ssh -i <private_key> opc@<mgr_node_ip_address> "echo \"${CERT}\" > certs/cert.crt; echo \"${KEY}\" > certs/cert.key"
    where:
    • <private_key> is the full path and name of the file that contains the SSH private key corresponding to the SSH public key associated with the instance that you want to access

    • <mgr_node_ip_address> is the IP address of the manager node

    For example:
    ssh -i ~/.ssh/my_keys/my_private_key_file opc@192.0.2.254 "echo \"${CERT}\" > /certs/cert.crt; echo \"${KEY}\" > /certs/cert.key"
    For more information about connecting to the manager node using the ssh utility, see Connecting to Manager and Worker Nodes Using the ssh Utility on UNIX.
    A script on the manager node regularly scans the /certs directory for new SSL certificate files (approximately once a minute). If it detects new SSL certificate files and determines they are valid, the script copies the certificate files from the root directory to the appropriate subdirectories for use by NGINX.
  7. Optional: To confirm that the certificates have been copied successfully and that NGINX is now using them, you can view the messages written to the certificator-nginx.log file on the manager node as follows:
    1. Connect to the manager node using the ssh utility as the default opc user by typing:
      ssh -i <private_key> opc@<mgr_node_ip_address>
      where:
      • <private_key> is the full path and name of the file that contains the SSH private key corresponding to the SSH public key associated with the instance that you want to access

      • <mgr_node_ip_address> is the IP address of the manager node

      For example:
      ssh -i ~/.ssh/my_keys/my_private_key_file opc@192.0.2.254
    2. From the root directory on the manager node, type cat /log/certificator-nginx.log
      Messages are written to the certificator-nginx.log file every minute. From the log file, you can see that:
      • Before you copied your SSL certificate files, NGINX was regularly issuing warning messages like:

        issuer certificate not found for certificate "/etc/nginx/tls/certs/cert.crt"

      • Shortly after you copied your SSL certificates to the manager node, the log file shows messages like:
        copied /u01/data/opc/certs/cert.crt to /etc/nginx/tls/certs
        copied /u01/data/opc/certs/cert.key to /etc/nginx/tls/private
      • Subsequently, after NGINX has started using the SSL certificates you copied, the log file shows messages like:
        checking /u01/data/opc/certs
        checked - nginx certificates have not changed
    3. When you’re finished, close the SSH connection by typing exit in the terminal window.
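The command in step 6 expands ${KEY} on the local machine, so the private key text becomes part of the ssh command line and of an exported environment variable. This added example (not Oracle's script; the function names are hypothetical) sends both files over ssh's standard input instead and first checks that the two PEM files are not swapped. It assumes the scanning script ignores the temporary .new files and can read files created under umask 077.

```shell
#!/bin/sh
# Added example, not Oracle's script. Streams the certificate and key to the
# node over ssh's stdin, so the key text never appears in an exported
# variable or in the ssh command line.

# is_pem FILE LABEL_ERE: true if FILE has BEGIN and END lines for the label.
is_pem() {
    grep -Eq -e "^-----BEGIN ($2)-----\$" "$1" &&
    grep -Eq -e "^-----END ($2)-----\$" "$1"
}

# push_file SRC DEST RUNNER...
# RUNNER is the command that executes one shell string on the target, for
# example: ssh -i <private_key> opc@<mgr_node_ip_address>
# The target writes DEST.new under umask 077 and then renames it, so the
# once-a-minute scan never reads a half-written cert.crt or cert.key
# (assumption: the scan only looks at those two file names).
push_file() {
    pf_src=$1
    pf_dest=$2
    shift 2
    # DEST is interpolated into the remote command: allow plain path characters only.
    case $pf_dest in
        ''|*[!A-Za-z0-9_./-]*) echo "unsafe destination: $pf_dest" >&2; return 2 ;;
    esac
    "$@" "umask 077 && cat > '$pf_dest.new' && mv -f '$pf_dest.new' '$pf_dest'" < "$pf_src"
}

# upload_certs CERT KEY REMOTE_DIR RUNNER...
# Refuses to send anything if either file is not the kind of PEM expected,
# which catches a key accidentally supplied in the certificate slot.
upload_certs() {
    uc_crt=$1
    uc_key=$2
    uc_dir=$3
    shift 3
    is_pem "$uc_crt" 'CERTIFICATE' ||
        { echo "$uc_crt is not a PEM certificate" >&2; return 1; }
    is_pem "$uc_key" '(RSA |EC )?PRIVATE KEY' ||
        { echo "$uc_key is not an unencrypted PEM private key" >&2; return 1; }
    push_file "$uc_crt" "$uc_dir/cert.crt" "$@" &&
    push_file "$uc_key" "$uc_dir/cert.key" "$@"
}

# Real use, with this page's placeholders and the remote directory from step 6:
#   upload_certs /certs/cert.crt /certs/cert.key certs \
#       ssh -i <private_key> opc@<mgr_node_ip_address>
```

The result can be confirmed in certificator-nginx.log exactly as in step 7.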

Changing the Number of Worker Node Hosts in Oracle Container Cloud Service Instances

To improve the performance and efficiency of your Docker environment, you can optimize the number of worker node hosts that are available to run Docker containers in an Oracle Container Cloud Service instance.

You ‘scale out’ an Oracle Container Cloud Service instance by adding worker node hosts.

You ‘scale in’ an Oracle Container Cloud Service instance by removing worker node hosts.

Adding Worker Node Hosts

You can improve the performance and resilience of your Docker environment by increasing the number of worker node hosts available to run Docker containers in an Oracle Container Cloud Service instance.

To add a new worker node host to an Oracle Container Cloud Service instance:

  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. On the Services tab, click the name of the Oracle Container Cloud Service instance to which you want to add worker node hosts.
  3. In the header region of the Service Overview page, click the Menu icon beside the name of the service instance, and select Scale Out.
  4. In the Scale Out dialog, specify the number of additional worker node hosts to add (between 1 and 50) and click Scale Out.
    A message confirms the service scale out request has been accepted, and a process begins to create the new worker node hosts you requested.
  5. Refresh the Oracle Container Cloud Service Console page periodically, until the new worker node host appears in the OCCS Worker Component - Resources list.
    Typically, it takes around ten minutes to create a new worker node host.
    Worker node hosts that you create using the Scale Out dialog appear in the OCCS Worker Component - Resources list with a Menu icon beside them. Worker node hosts that were created when the Oracle Container Cloud Service instance was initially created don’t have a Menu icon beside them.
    When the new worker node host is shown in the OCCS Worker Component - Resources list, the host can be used to run deployed containers by adding it to a resource pool using the Oracle Container Cloud Service Container Console (see Managing Hosts).

Removing Worker Node Hosts

You can reduce your usage of Oracle Compute resources by decreasing the number of worker node hosts available to run Docker containers in an Oracle Container Cloud Service instance.

When you initially create an Oracle Container Cloud Service instance, you specify the number of worker node hosts to create. Later on, you can add more worker node hosts in addition to the worker node hosts you initially specified. If you subsequently decide you no longer need the additional worker node hosts, you can remove them. Note that you can only remove the additional worker node hosts. You can’t remove the worker node hosts that were initially created.

Note:

When you remove a worker node host, any deployments currently running on the worker node host are restarted on the remaining hosts in the resource pool according to the service’s orchestration policy (see Creating a Service with Oracle Container Cloud Service). If you don’t want deployments restarted on other hosts in the resource pool, use the Oracle Container Cloud Service Container Console to stop deployments running on the worker node host before you remove it.

To remove a worker node host from an Oracle Container Cloud Service instance:

  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. On the Services tab, click the name of the Oracle Container Cloud Service instance from which you want to remove worker node hosts.
  3. On the Service Overview page, expand the OCCS Worker Component region to see the worker node hosts in the Resources list.
  4. Click the Menu icon beside the worker node host that you want to remove, and select Remove Node.
    Note that the Menu icon only appears beside worker node hosts that have been added to the Oracle Container Cloud Service instance after it was initially created. Worker node hosts that do not have a Menu icon beside them were created when the Oracle Container Cloud Service instance was initially created and can’t be removed.
  5. When prompted, click Remove Node to confirm that you want to remove the node from the service instance.
    A message confirms the service scale in request has been accepted, and a process begins to remove the worker node host you selected. Any deployments currently running on the worker node host are redistributed between other available hosts in the resource pool according to the service’s orchestration policy (see Creating a Service with Oracle Container Cloud Service).
  6. Refresh the Oracle Container Cloud Service Console page periodically, until the worker node host no longer appears in the Resources list.
    Typically, it takes around ten minutes to remove a worker node host.

Managing Access Rules for Oracle Container Cloud Service Instances

You can control access to an Oracle Container Cloud Service instance by creating and managing access rules using the Oracle Container Cloud Service Console.

Access rules enable you to control access to the virtual machines (VMs) that make up a service instance. When you create a service instance, the system automatically creates and enables all the access rules you'll need for Oracle Container Cloud Service. For example:

  • access from the public internet to the manager node VM on port 22

  • access from the public internet to worker node VMs on all ports (ports 1 to 65535)

Since the necessary access rules have already been created for you, you probably won't need to change them. However, if you do want to change the access rules (for example, to explicitly restrict access to worker nodes to particular ports), you can use the Oracle Container Cloud Service Console to disable the default rules and create new rules.

To create a new access rule for an Oracle Container Cloud Service instance:
  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. Click the Menu icon beside the service instance to which you want to add an access rule and select Access Rules. The Access Rules page is displayed, showing the list of all access rules.
  3. Click Create Rule to display the Create Access Rule dialog.
  4. Specify a unique name for the access rule.
    The name must begin with a letter, and can contain numbers, hyphens, or underscores. The name mustn’t be longer than 50 characters. When you create a rule, you can’t use the prefixes ora_ or sys_.
  5. Optional: Specify a description of the rule.
  6. Specify a source for the rule:
    Each source option permits access from the following:
    • MANAGER_ADMIN_HOST: The host running as the Oracle Container Cloud Service manager node.
    • MANAGER_MANAGER: The host running as the Oracle Container Cloud Service manager node.
    • PUBLIC-INTERNET: Any host on the internet.
    • WORKER_ADMIN_HOST: The first host in the list of Oracle Container Cloud Service worker nodes shown on the Service Details page.
    • WORKER_WORKER: Any host running as an Oracle Container Cloud Service worker node.
    • <custom>: A list of IP addresses from which to permit traffic. In the field that displays when you select this option, enter a comma-separated list of the subnets (in CIDR format, such as 192.0.2.254/24) or IPv4 addresses from which you want to permit access.
  7. Specify a destination for the rule:
    Each destination option permits access to the following:
    • MANAGER_ADMIN_HOST: The host running as the Oracle Container Cloud Service manager node.
    • MANAGER_MANAGER: The host running as the Oracle Container Cloud Service manager node.
    • WORKER_ADMIN_HOST: The first host in the list of Oracle Container Cloud Service worker nodes shown on the Service Details page.
    • WORKER_WORKER: A host running as an Oracle Container Cloud Service worker node.

    The source and the destination must be different.

  8. Specify a port or ports through which the source will access the destination.
    You can specify a single port or a range of ports (for example, 7001–8001).
  9. Click Create to create and enable the rule.
  10. Optional: You can later disable, re-enable, or delete access rules on the Access Rules page, by clicking the Menu icon beside a rule and choosing the appropriate option. The options available depend on the type of rule and its current status:
    Rule Type   Can be enabled?   Can be disabled?   Can be deleted?
    USER        Yes               Yes                Yes
    DEFAULT     Yes               Yes                No
    SYSTEM      No                No                 No

    Icons in the Status column indicate whether an access rule is enabled or disabled.
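The constraints in steps 4 to 8 can be checked before a rule is entered, along with how many ports the rule exposes to any internet host, which is the property the default worker-node rule (ports 1 to 65535) has. This is an added example, not Oracle code: the function names, the N-M port notation with an ASCII hyphen, and the MAX_PUBLIC_PORTS threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Oracle console.
# MAX_PUBLIC_PORTS is an arbitrary review threshold, not an Oracle setting.
MAX_PUBLIC_PORTS=${MAX_PUBLIC_PORTS:-10}

# valid_custom_source LIST: comma-separated IPv4 addresses or CIDR subnets.
# Prints "public" if any entry has prefix length 0, otherwise "ok";
# returns non-zero if an entry is malformed.
valid_custom_source() {
    printf '%s\n' "$1" | awk -F, '
        NF == 0 { exit 1 }
        {
            scope = "ok"
            for (i = 1; i <= NF; i++) {
                n = split($i, part, "/")
                if (n > 2) exit 1
                if (n == 2) {
                    if (part[2] !~ /^[0-9]+$/ || part[2] + 0 > 32) exit 1
                    if (part[2] + 0 == 0) scope = "public"
                }
                if (split(part[1], oct, ".") != 4) exit 1
                for (j = 1; j <= 4; j++)
                    if (oct[j] !~ /^[0-9]+$/ || oct[j] + 0 > 255) exit 1
            }
            print scope
        }'
}

# check_rule NAME SOURCE DESTINATION PORTS
# Prints one finding per line; returns 1 on any ERROR, 0 otherwise.
check_rule() {
    cr_name=$1 cr_src=$2 cr_dst=$3 cr_ports=$4
    cr_err=0 cr_public=no cr_span=0

    case $cr_name in                       # step 4: naming rules
        ora_*|sys_*) echo "ERROR name: reserved prefix"; cr_err=1 ;;
        [A-Za-z]*) ;;
        *) echo "ERROR name: must begin with a letter"; cr_err=1 ;;
    esac
    case $cr_name in
        *[!A-Za-z0-9_-]*) echo "ERROR name: invalid character"; cr_err=1 ;;
    esac
    [ "${#cr_name}" -le 50 ] || { echo "ERROR name: longer than 50 characters"; cr_err=1; }

    case $cr_src in                        # step 6: source options
        PUBLIC-INTERNET) cr_public=yes ;;
        MANAGER_ADMIN_HOST|MANAGER_MANAGER|WORKER_ADMIN_HOST|WORKER_WORKER) ;;
        *)  if cr_scope=$(valid_custom_source "$cr_src"); then
                if [ "$cr_scope" = public ]; then cr_public=yes; fi
            else
                echo "ERROR source: not a listed option, IPv4 address or CIDR subnet"; cr_err=1
            fi ;;
    esac

    case $cr_dst in                        # step 7: destination options
        MANAGER_ADMIN_HOST|MANAGER_MANAGER|WORKER_ADMIN_HOST|WORKER_WORKER) ;;
        *) echo "ERROR destination: not a listed option"; cr_err=1 ;;
    esac
    [ "$cr_src" != "$cr_dst" ] || { echo "ERROR source and destination must be different"; cr_err=1; }

    case $cr_ports in                      # step 8: single port or range
        *-*) cr_lo=${cr_ports%%-*}; cr_hi=${cr_ports#*-} ;;
        *)   cr_lo=$cr_ports; cr_hi=$cr_ports ;;
    esac
    case "$cr_lo:$cr_hi" in
        :*|*:|0*|*:0*|*[!0-9:]*|??????*:*|*:??????*)
            echo "ERROR ports: expected N or N-M without leading zeros"; cr_err=1 ;;
        *)  if [ "$cr_hi" -le 65535 ] && [ "$cr_lo" -le "$cr_hi" ]; then
                cr_span=$((cr_hi - cr_lo + 1))
            else
                echo "ERROR ports: outside 1-65535 or reversed"; cr_err=1
            fi ;;
    esac

    # Exposure: a wide range reachable from any internet host.
    if [ "$cr_public" = yes ] && [ "$cr_span" -gt "$MAX_PUBLIC_PORTS" ]; then
        echo "WARN exposure: $cr_span ports reachable from any internet host on $cr_dst"
    fi
    return "$cr_err"
}
```

For example, check_rule web-443 PUBLIC-INTERNET WORKER_WORKER 443 prints nothing, while the same rule with ports 1-65535 prints the exposure warning.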

Viewing Activity for Oracle Container Cloud Service Instances

You can view the activities of Oracle Container Cloud Service instances in your identity domain using the Oracle Container Cloud Service Console Activity page.

To view activities of Oracle Container Cloud Service instances:
  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. You can view activity for all instances in the identity domain, or just for a particular instance:
    • Click the Activity tab to view activity for all instances in the identity domain. Use the options in the Search Activity Log section to filter the results to meet your needs.
    • Click the name of the instance on the Services tab to view activity for a particular instance. On the Instance Details page, click the Activity link to see activities of that instance.

    Tip:

    If you only want to see information related specifically to instance creation or deletion, click the Service Create and Delete History link on the Services tab to see instance creation or deletion activities.

Viewing Log Files on Oracle Container Cloud Service Manager and Worker Nodes Using SSH

You can view the log files on the manager node and worker nodes in an Oracle Container Cloud Service instance using SSH (for example, for support purposes).

Three different Oracle Container Cloud Service components save log files on the manager node:

  • the Cluster Manager (which handles communication between the manager node and worker nodes) saves log files named occs-cluster-manager.log

  • the Service Manager (which handles API calls and the parsing of data structures) saves files named occs-data-manager.log

  • the Data Manager (which manages the local Oracle Container Cloud Service database) saves files named occs-service-manager.log

The Oracle Container Cloud Service Cluster Agent component runs on worker nodes and saves files named occs-cluster-agent.log.

Note the instructions below assume the machine you use to connect to the manager or worker node:
  • has an SSH client installed

  • has access to the SSH private key paired with the SSH public key that was specified when the service instance was created

To view the log file on a manager or worker node using SSH:
  1. Use SSH to connect to the manager or worker node of the Oracle Container Cloud Service instance for which you want to view the log files.
  2. In the terminal window, navigate to the /var/log/occs directory on the manager or worker node. For example, by typing:
    cd /var/log/occs
    This directory contains the Oracle Container Cloud Service log files.
  3. In the terminal window, list the available log files. For example, by typing:
    ls -al
    You’ll see output similar to this:
    drwxr-xr-x  2 501 501     4096 Sep 12 07:46 .
    drwxr-xr-x. 7   0   0     4096 Sep 11 17:30 ..
    -rw-r--r--  1 501 501  4395961 Sep 12 16:19 occs-cluster-manager.log
    -rw-r--r--  1 501 501  9007241 Sep 12 16:19 occs-data-manager.log
    -rw-r--r--  1 501 501   390113 Sep 12 16:19 occs-service-manager.log
  4. Decide the log file you want to look at, and open it using a file-viewing program. For example, to view the occs-cluster-manager.log file using the more command, type:
    more occs-cluster-manager.log
  5. When you’ve finished looking at the log file, quit the file-viewing program without making any changes. For example, if you used the more command to view the file, type q to exit.
  6. Close the SSH connection by typing exit in the terminal window.

Changing the Username or Password for an Oracle Container Cloud Service Instance Administrator

Having specified a username and password for the instance administrator when you created an Oracle Container Cloud Service instance, you can change either or both later if you need to.

The instance administrator’s username and password are used to log into the Oracle Container Cloud Service Container Console.
To change the instance administrator’s username and/or password using the Oracle Container Cloud Service Container Console:
  1. Sign in to the Container Console as the instance administrator.
  2. In the Container Console, select My Profile from the Settings menu and enter either or both:
    • a new username in the Username field
    • a new password in the Password field

    Note:

    If you change the username, note the following:
    • Make sure you make a note of the new username because there’s no way to recover or reset it later.

    • When you click Save, the Container Console session ends immediately and you’re prompted to re-enter the username and password.

    • A new API token value is generated, so you’ll have to update any scripts that included the old API token.

  3. Click Save to apply the changes.
    If you changed the username, the Container Console session ends immediately and you’re prompted to re-enter the username and password.

Resetting the Password for an Oracle Container Cloud Service Instance Administrator Using SSH

You can change an Oracle Container Cloud Service instance administrator’s password using SSH rather than using the Oracle Container Cloud Service Container Console.

Having specified an instance administrator’s username and password when you created an Oracle Container Cloud Service instance, you can normally change either or both later by logging into the Container Console.
However, if you don’t know the instance administrator’s password (perhaps because another person has changed the password and subsequently left the company), you won’t be able to log into the Container Console to reset it. In this situation, provided you know the instance administrator’s username, the solution is to use SSH to log into the manager node and change the password.
Note the instructions below assume:
  • You know the instance administrator’s current username. When creating a new instance, ‘admin’ is suggested as the administrator username, but a different username can be entered. Even if ‘admin’ was originally specified as the instance administrator’s username, the username can also be changed later on the My Profile page of the Container Console. You must know the instance administrator’s current username. If you don’t, you won’t be able to reset the administrator’s password.

  • The machine you use to connect to the manager node:
    • has an SSH client installed

    • has access to the SSH private key paired with the SSH public key that was specified when the service instance was created

To change the instance administrator’s password using SSH:
  1. Use SSH to connect to the manager node of the Oracle Container Cloud Service instance for which you want to change the instance administrator’s password.
  2. In the terminal window, type change-admin-password.sh <admin-username> where <admin-username> is the current username of the instance administrator.
  3. In the terminal window, when prompted for a password, enter the new password.
  4. Close the SSH connection by typing exit in the terminal window.
  5. To verify the password has changed:
    1. Go back to the Oracle Container Cloud Service Console Services tab.
    2. Click the Menu icon beside the service instance, and choose Container Console.
    3. On the Login page, enter the instance administrator’s username and the new password you’ve just specified.
    Assuming you successfully changed the instance administrator’s password, the Container Console is displayed.

Backing Up and Restoring Oracle Container Cloud Service Instances

Learn about how to back up and restore Oracle Container Cloud Service instances.

Backing Up an Oracle Container Cloud Service Instance

To avoid data loss as a result of hardware failure, file corruption, or accidental file deletion, it’s always good practice to back up Oracle Container Cloud Service instances regularly.

When you back up an Oracle Container Cloud Service instance, you’re taking a copy of configuration information about:
  • deployments

  • registries

  • services

  • stacks

You might back up an instance regularly as part of a disaster recovery policy. It’s also good practice to take a backup of the current state of an Oracle Container Cloud Service instance before restoring from an earlier backup file, and especially before deleting an instance. You can also use backup (and restore) as a way to preserve instance configuration information when moving from a trial subscription to a paid subscription.

In addition, backing up an instance is a mandatory step when you upgrade to a new version of Oracle Container Cloud Service.

To back up an Oracle Container Cloud Service instance using the Oracle Container Cloud Service Container Console:

  1. Sign in to the Container Console.
  2. In the Container Console, select Backup/Restore from the Settings menu.
  3. Click Download a Backup Image, select Save File, and click OK.
  4. Specify a name and location for the backup file, and click Save.

The backup file is saved with the name and in the location that you specified.

If you’re taking a backup as part of upgrading an instance, avoid making changes to the instance until you’ve completed the upgrade process. Any changes you do make will be lost. See Upgrading Oracle Container Cloud Service Instances.

Restoring an Oracle Container Cloud Service Instance

You can restore an Oracle Container Cloud Service instance to the state saved in a backup file.

When you back up an Oracle Container Cloud Service instance, you’re taking a copy of configuration information about:

  • deployments

  • registries

  • services

  • stacks

See Backing Up an Oracle Container Cloud Service Instance.

You might restore an instance from a backup file to recover from hardware failure, file corruption, or accidental file deletion. You can also use backup (and restore) as a way to preserve instance configuration information when moving from a trial subscription to a paid subscription.

In addition, restoring from a backup file into a new instance is a mandatory step when you upgrade to a new version of Oracle Container Cloud Service.

Note that when you restore an existing instance from a backup file, the current state of the instance is completely replaced by the contents of the backup file. Because there’s no Undo option, it’s therefore a good idea to take a backup of the current state of the instance immediately before restoring from the backup file. That way, you can roll back the changes if restoring the instance from the backup file doesn’t progress as you expected.

To restore an Oracle Container Cloud Service instance from a backup file:

  1. Recommended: Before restoring the instance from an existing backup file, save the current state of the instance to a new backup file (see Backing Up an Oracle Container Cloud Service Instance).
  2. Sign in to the Oracle Container Cloud Service Container Console.
  3. In the Container Console, select Backup/Restore from the Settings menu.
  4. On the Backup/Restore page, click Choose File, specify the name and location of the backup file from which you want to restore the instance, and click Open.

    Tip:

    If you prefer, you can also drag and drop the backup file from another window onto the area indicated on the Backup/Restore page.
  5. Click Restore.
The instance is restored to the state saved in the backup file, and the Container Console Dashboard page is displayed.

Upgrading Oracle Container Cloud Service Instances

When you’re notified that a new version of Oracle Container Cloud Service has been released, you’ll probably want to upgrade existing Oracle Container Cloud Service instances to take advantage of enhancements and bug fixes in the new version.

To upgrade an Oracle Container Cloud Service instance to a new version:
  1. Save the current state of the existing instance to a new backup file (see Backing Up an Oracle Container Cloud Service Instance).
    Avoid making changes to the instance after taking the backup. Any changes you do make will be lost.
  2. On the Oracle Container Cloud Service Console Services tab, create a new instance (see Creating Oracle Container Cloud Service Instances).
  3. Sign in to the new instance using the Oracle Container Cloud Service Container Console.
  4. In the Container Console for the new instance, select Backup/Restore from the Settings menu.
  5. On the Backup/Restore page, click Choose File, specify the name and location of the backup file that you want to restore into the new instance, and click Open.

    Tip:

    If you prefer, you can also drag and drop the backup file from another window onto the area indicated on the Backup/Restore page.
  6. Click Restore.
    The new instance is restored to the state saved in the backup file, and the Container Console Dashboard page is displayed.
  7. Test the new instance to verify that the upgrade has progressed as expected.
  8. When you’re satisfied that the new instance is performing as expected, delete the old instance (see Deleting Oracle Container Cloud Service Instances).

Deleting Oracle Container Cloud Service Instances

When you no longer require an Oracle Container Cloud Service instance, you can delete it. After the instance is deleted, your account is no longer charged for it.

Tip:

When you delete an Oracle Container Cloud Service instance, all the configuration information held in the instance (for example, service and stack definitions, entries in the Service Discovery database) is permanently deleted. It’s therefore a really good idea to take a backup of the instance before you delete it, just in case you need to retrieve the information later (see Backing Up an Oracle Container Cloud Service Instance).

To delete an Oracle Container Cloud Service instance:

  1. Navigate to the Oracle Container Cloud Service Console Services tab.
    If you’re not sure how to do this, see Accessing the Service Console for Oracle Container Cloud Service.
  2. Click the Menu icon beside the service instance that you want to delete and select Delete.
  3. When prompted, confirm that you want to delete the Oracle Container Cloud Service instance.
The instance you’ve deleted no longer appears in the Service Console.