Compute Cloud@Customer Isolated Infrastructure Administration
The Compute Cloud@Customer Isolated administrators manage and configure the infrastructure from the Service Enclave. This highly restricted part of the system provides tools for hardware and capacity management, tenancy control, and centralized monitoring of components at all system layers.
- Securing the System
Compute Cloud@Customer Isolated provides effective and manageable security so you can run mission-critical workloads and store data with confidence. The system is installed by Oracle, which provides a level of security independent of local practices. However, this also means that system administrators must understand exactly what is provided as the security baseline, and which responsibilities remain theirs.
For information about security responsibilities and guidelines for securing the system, see Securing Compute Cloud@Customer.
- Accessing the Service Enclave
Administrators manage and configure the infrastructure from the Service Enclave, the highly restricted part of the system described in Enclaves and Interfaces. General usage is described in the following topics:
- Hardware Administration, External Connections, and Capacity Expansion
The compute nodes are the core components for hosting cloud workloads, and require careful management in particular planned and unplanned circumstances: an administrator must perform certain operations when compute nodes are provisioned, when maintenance or upgrades take place, when an outage occurs, and so on.
To enable GPU-accelerated workloads, Compute Cloud@Customer Isolated can be expanded with server nodes that have GPUs installed. The GPU nodes must be discovered and provisioned before their hardware resources are available for use within compute instances.
GPU nodes are installed in an expansion rack. Its networking components must be connected to the base rack so the new hardware can be integrated into the hardware administration and data networks.
Installation and activation of the expansion rack and GPU nodes are performed by Oracle. After provisioning, appliance administrators can manage and monitor GPU nodes the same way as all other compute nodes.
Compute capacity can be increased by adding a compute expansion rack. Its networking components must be connected to the base rack so the new hardware can be integrated into the hardware administration and data networks.
Installation and activation of the expansion rack and compute nodes are performed by Oracle. After provisioning, appliance administrators can manage and monitor all compute nodes from the Service Enclave.
Optionally, Compute Cloud@Customer Isolated can be integrated with external systems in the on-premises network using direct cable connections to reserved ports on the spine switches.
After the cables are connected, the appliance administrator configures a Flex network, which enables traffic between the connected system(s) and a set of compute instances. Because this direct connectivity uses separate physical ports on the spine switches, it is scoped to the specific workloads for which it is configured.
The infrastructure network environment is configured during the initial setup of Compute Cloud@Customer Isolated. If necessary, an appliance administrator can update this configuration.
- Other Administration Functions of the Service Enclave
The Service Enclave provides control over the privileges, preferences, and passwords of the administrator accounts. During initial setup, a primary administrative account is configured. With this account, other administrator accounts are created. A built-in authorization group with restricted permissions (C3IsolatedGroup) is available to which accounts can be added. Federation with an identity provider is possible.
The Limit Service enables you to view and change (override) limits for cloud resources.
The overall health status of Compute Cloud@Customer Isolated is continually monitored, using real-time data from the hardware and platform layers.
Independently of the built-in health checks, an administrator can consult the monitoring data at any time to verify the overall status of the system or the condition of a particular component or service. This is done through the Grafana interface, by querying the system-wide metric data stored in Prometheus.
To obtain support from Oracle you need to create a service request (SR), and will likely be asked to upload a support bundle. On Compute Cloud@Customer Isolated you can generate different types of manual support bundles, which you can attach to the SR.
Note: Oracle Auto Service Request is not supported on Compute Cloud@Customer Isolated. You must collect support bundles and manually log a Service Request.
The integrated backup service protects the system configuration against data loss and corruption. A standard daily backup must be activated by an administrator. Additional manual backups are possible.
High availability (HA) of compute instances is configurable. An administrator can customize the behavior of the Compute service in different scenarios.
The File Storage service enables users of Microsoft Windows instances to map a network drive, or mount a network share. For the SMB protocol, the Active Directory domain must be set up correctly; see Configuring the Active Directory Domain for File Storage Service.
To access the external interfaces of Compute Cloud@Customer Isolated, you can provide your own custom Certificate Authority (CA) certificates and include them in your own CA trust chain. The chain you supply must contain every intermediate CA between the issuing CA and your root, otherwise clients that trust only the root cannot validate the certificates presented by the interfaces.
- Disaster Recovery
The current controller software provides a Disaster Recovery service with orchestration of DR operations from within the Service Enclave. The service is also called native DR because it's built directly into the infrastructure services layer.
The systems participating in the DR setup are fully operational environments on their own, running in different physical locations. A mutual peer connection must be established first, so they can operate as each other's standby or replica in case an outage occurs at one of the sites.
Administrators must configure the DR service and create DR configurations and plans on each peered system. See Setting Up Disaster Recovery.
- Upgrade
New versions of the controller software are made available for download through My Oracle Support. All files required to upgrade the appliance hardware and software components to a given release are packaged into one or more ISO image files.
An administrator makes the ISO files available to the system over HTTP. In preparation for the actual upgrade, preconfiguration operations ensure that the upgrade environment meets all requirements. When the latest version of the Upgrader is up and running, the sources of the new appliance software are set up for use in the system upgrade procedures. At the end of the setup phase, an upgrade plan is generated, which determines which upgrade procedures need to be performed.
In general, the administrator performs a full rack upgrade because it conveniently integrates all steps into a single workflow. In certain situations it might be advisable to upgrade in phases, work through components in groups, or even target an individual component. Those options are also available. Thanks to built-in redundancy at all system levels, the appliance components can be upgraded without service interruptions to the operational environment.
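The first step of the procedure above, staging the ISO images on an HTTP server, is where an administrator should gate on integrity: an image that does not match the digest published with the download must never become an upgrade source. The following script is an added example, not Oracle's upgrade tooling. It assumes the administrator has the expected SHA-256 digest of each ISO from the download page (the page does not describe how digests are published, so that is an assumption), and the file names, web root and bind address are hypothetical placeholders.

```python
"""Stage upgrade ISO images for HTTP download only after verifying their SHA-256.

Added example, not an Oracle tool. Assumes the expected SHA-256 digest of each
ISO is known from the download page (assumption), and serves the verified
files read-only from a dedicated directory on an administrative host.
"""
import hashlib
import http.server
import os
import shutil
from functools import partial
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Return the hex SHA-256 of a file, streaming so multi-GB ISOs fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_iso(path, expected_sha256):
    """True only if the file's digest matches the expected hex value (case-insensitive)."""
    return sha256_file(path).lower() == expected_sha256.strip().lower()


def stage_isos(expected, webroot):
    """Copy each ISO whose digest verifies into webroot.

    expected maps ISO path -> expected SHA-256 hex digest.
    Returns (staged, rejected) lists of file names. A file with a mismatched
    digest is never placed in the served directory.
    """
    webroot = Path(webroot)
    webroot.mkdir(parents=True, exist_ok=True)
    staged, rejected = [], []
    for src, digest in expected.items():
        src = Path(src)
        if not verify_iso(src, digest):
            rejected.append(src.name)
            continue
        dst = webroot / src.name
        dst.unlink(missing_ok=True)  # a previous read-only copy would block copyfile
        shutil.copyfile(src, dst)
        os.chmod(dst, 0o444)  # read-only once staged
        staged.append(src.name)
    return staged, rejected


def serve(webroot, bind="127.0.0.1", port=8080):
    """Serve the staged directory over plain HTTP.

    SimpleHTTPRequestHandler implements only GET and HEAD, so nothing can be
    uploaded or modified through this server. Bind to the address the
    appliance can reach on the administration network; 127.0.0.1 is a placeholder.
    """
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=str(webroot))
    http.server.ThreadingHTTPServer((bind, port), handler).serve_forever()


if __name__ == "__main__":
    # Hypothetical paths and a digest placeholder; substitute the real values.
    expected = {
        "/staging/upgrade-bundle-1.iso": "<sha256 from the download page>",
    }
    staged, rejected = stage_isos(expected, "/srv/upgrade-iso")
    if rejected:
        raise SystemExit(f"digest mismatch, refusing to serve: {rejected}")
    print("staged:", staged)
    serve("/srv/upgrade-iso")
```

Run the script on the host that will serve the images and point the Upgrader at the resulting URL; if any digest mismatches, nothing is served and the upgrade should not proceed until a clean copy of the ISO has been downloaded.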
For detailed information and instructions, see the Private Cloud Appliance Upgrade Guide. The upgrade of Compute Cloud@Customer Isolated works exactly the same way.