1 Working in the Compute Enclave

The Compute Enclave is the part of the Private Cloud Appliance where you work with and manage cloud resources. This section describes the general usage principles of the graphical user interface and command line interface to the Compute Enclave.

Using the Compute Web UI

The Compute Web UI is the graphical interface to the Compute Enclave. You can use the Compute Web UI on its own or with the OCI CLI to complete tasks. The Compute Web UI provides the same core functionality as the OCI CLI; however, the OCI CLI has some additional functionality.

This section provides instructions for logging into the Compute Web UI, navigating the dashboard, and working with resources using resource type and resource detail pages. Within the rest of the Oracle Private Cloud Appliance User Guide you learn how to use the Compute Web UI to complete tasks within the context of the step-by-step procedures.

Note:

You access the Compute Web UI using a web browser. For support information, please refer to the Oracle software web browser support policy.

Logging In

Before you log into the Compute Web UI, make sure you have the Private Cloud Appliance system and domain names, the tenancy name, and your user name and password. If you do not have these details, ask your administrator. If you have access to the Service Web UI, you can locate the tenancy name and the system and domain names for your Private Cloud Appliance.

To log into the Compute Web UI, complete the following steps.

1. From a browser, enter the URL for your Private Cloud Appliance.

   For example, https://console.pcasys1.example.com where pcasys1 is the name of your Private Cloud Appliance and example.com is your domain.

   The Compute Enclave Select Tenancy page is displayed.

2. Enter your tenancy name and click Continue.

   The Sign In page is displayed.

3. Enter your Username and Password, and then click Sign In.

   The Private Cloud Appliance dashboard displays with quick action tiles.

   Note:

   If you are prompted to change a temporary password, see Setting Your Password.

Navigating the Dashboard

When you log into the Compute Enclave, the dashboard is displayed with quick action tiles for common tasks, such as viewing compute instances, block and file storage, and VCNs. There is also a quick action tile to create a virtual machine instance.

Note:

The dashboard is static and not configurable.

You can click on or tab to the dashboard tiles and the navigation menu. The navigation menu (the three lines to the left of "Oracle Private Cloud Appliance") is a list of services. When you click on a service, the sub-menu expands and displays the resource types for that service. When you click on a resource type, a page is displayed that contains a tabular list of resources related to that resource type. The following table provides the Private Cloud Appliance services and their respective resource types as they are displayed in the navigation menu.

Service	Resource Types in Sub-Menu
Compute	Instances Instance Configurations Instance Pools Custom Images For more information, see Compute Instance Deployment.
Block Storage	Block Volumes Boot Volumes Block Volume Backups Boot Volume Backups Backup Policies Volume Groups Volume Group Backups For more information, see Block Volume Storage.
File Storage	File Systems Mount Targets For more information, see File System Storage.
Object Storage	Object Storage For more information, see Object Storage.
Networking	Virtual Cloud Networks Dynamic Routing Gateways For more information, see Networking.
DNS	Zones Steering Policies TSIG Keys For more information, see Networking.
Identity	Users Federation Groups Policies Compartments For more information, see Identity and Access Management.
Governance	Tag Namespaces For more information, see Creating and Managing Tag Namespaces.

Using Resource Type and Resource Detail Pages

Resource type and resource detail pages are what you use to work with resources in a tenancy or other compartment. A resource type page displays a list of all resources of that type and also contains the service's sub-menu. When you click on a resource in the list, its own detail page is displayed. Every resource detail page has some general information about the resource, such as its OCID, when it was created, the compartment it is in, and any tags associated with it.

About Resource Type Pages

A resource type page contains a list of resources in table format, one resource per row. The rows of the table are in alphabetical order by the name of the resource.

Columns in a resource type table include the name of the resource type, State, Created, and Actions, as well as columns that are specific to that resource type. The Actions column contains the Actions menu (three dots) for the resource, which contains options such as View Details, Edit, Delete, and Copy OCID, as well as options that are specific to that resource type.

To the left of the table is a menu that shows all resource types available for this service. Click a different type to show the page for that resource type.

Above the table, you can select Auto Reload, Refresh, and Filter by Tags. The Compute service instance resource type page also has a Filter by Status option.

The number of resources in the table is displayed above and below the table, along with page navigation buttons if the list of resources is longer than one page.

At the top of the page is the compartment menu, which enables you to view resources of this type in a different compartment. Click the name of the compartment to view a hierarchical list of all compartments in the tenancy.

The top of the page also has a button to create a new resource of this type.

Each resource listed on a resource type page has its own page with more detail about the resource. See About Resource Detail Pages. To view the details page for the resource, click the name of the resource, or select View Details from the Actions menu.

The remainder of this section describes information in resource lists that is specific to each resource type.

Compute

The following compute resource types have additional information in their resource list.

Resource Type	Resource-specific Elements
Instances	Status or Filter by Status - Allows you to see the status of an instance or filter by the instance state: Creating Image Provisioning Running Starting Stopped Stopping Terminated Terminating Shape - The shape of the instance, which determines the number of CPUs and the amount of memory allocated to the instance. Fault Domain - The name of the fault domain (a grouping of hardware and infrastructure) the instance is running in. Fault domains let you distribute your instances so that they are not on the same physical hardware. For more information, see Working with Instances.
Instance Pools	Lifecycle State - The current state of the instance pool: Provisioning Scaling Starting Running Stopping Stopped Terminating Terminated Target Instance Count - Number of instances in a pool. Instance Configuration - The name of the instance configuration associated with the instance pool. For more information, see Working with Instance Configurations and Instance Pools.
Custom Images	Status - The current state of a custom image: Provisioning Importing Available Exporting Stopping Disabled Deleted For more information, see Managing Images.

Block Storage

The following block storage resource types have additional information in their resource list.

Resource Type	Resource-specific Elements
Block Volumes	Status - The current state of a volume: Provisioning Restoring Available Terminating Terminated Faulty Size - The size of the volume in GBs. Backup Policy - The name of the backup policy. For more information, see Managing Block Volumes.
Block Volume Backups	Status - The current state of a volume backup: Creating Available Terminating Terminated Faulty Request Received Total Size - The size used by the backup, in GBs, which is typically smaller than size of the block volume depending on the space consumed on the boot volume and whether the backup is full or incremental. For more information, see Backing Up Block Volumes.
Boot Volumes	State - The current state of a boot volume: Provisioning Restoring Available Terminating Terminated Faulty Attached to Instance - Displays Yes if the boot volume is attached to an instance and No if it is not. Size in GB - The size of the boot volume in GBs. For more information, see Managing Boot Volumes.
Boot Volume Backups	Status - The current state of a boot volume backup: Creating Available Terminating Terminated Faulty Request Received Total Size - The size used by the backup, in GBs, which is typically smaller than size of the boot volume depending on the space consumed on the boot volume. For more information, see Backing Up Block Volumes.
Volume Groups	Status - The current state of a volume group: Provisioning Available Terminating Terminated Faulty Total Size - The aggregate size of the volume group in GBs. Source Volume Group - Specifies the source for a volume group which can be a volume group backup ID, a volume group ID, or a volume ID. For more information, see Managing Volume Groups.
Volume Group Backups	Status - The current state of a volume group backup: Creating Committed Available Terminating Terminated Faulty Request Received Backup Size (in GB) - The aggregate size of the volume group backup, in GBs, which is typically smaller than the size of a volume group depending on the space consumed on the volume group. For more information, see Backing Up Block Volumes.

File Storage

The following file storage resource types have additional information in their resource list.

Resource Type	Resource-specific Elements
File Systems	State - The current state of the file system: Creating Active Deleting Deleted Utilization - The number of bytes consumed by the file system, including any snapshots. This number reflects the metered size of the file system and is updated asynchronously with respect to updates to the file system. For more information, see Managing File Systems.
Mount Targets	State - The current state of the mount target: Creating Active Deleting Deleted Failed For more information, see Managing Mount Targets and Exports.

Object Storage

The following object storage resource types have additional information in their resource list.

Resource Type

Resource-specific Elements

Object Storage

Default Storage Tier - The storage tier type of Standard or Archive assigned to the bucket. A bucket is set to Standard tier by default, which means objects uploaded or copied to the bucket will be in the standard storage tier. When the Archive tier type is set explicitly for a bucket, objects uploaded or copied to the bucket will be stored in archive storage. Visibility - Whether or not this bucket is read only. By default, a bucket is not read-only. A bucket is set to read-only when it is configured as a destination in a replication policy. For more information, see Managing Object Storage Buckets.

Networking

The following networking resource types have additional information in their resource list.

Resource Type	Resource-specific Elements
Virtual Cloud Networks	Status - The current state of the virtual cloud network: Provisioning Available Terminating Terminated Updating CIDR Block - The list of IPv4 CIDR blocks the VCN uses. DNS Domain Name - Name of the associated DNS domain. For more information, see Managing VCNs and Subnets.
Dynamic Routing Gateways	Status - The current state of the dynamic routing gateway: Provisioning Available Terminating Terminated For more information, see Connecting to the On-Premises Network through a Dynamic Routing Gateway.

DNS

The following DNS resource types have additional information in their resource list.

Resource Type	Resource-specific Elements
Zones	Status - The current state of the zone resource: Creating Active Deleting Deleted Failed Updating Zone Type - The type of the zone which must be either Primary or Secondary. For more information, see Managing Public DNS Zones.
Steering Policies	Status - The current state of the steering policy: Creating Active Deleting Deleted Policy Type - The type of steering policy which is either Load Balancer or IP Prefix Steering. Load Balancer policies allow distribution of traffic across multiple endpoints. Endpoints can be assigned equal weights to distribute traffic evenly across the endpoints or custom weights may be assigned for ratio load balancing. IP Prefix steering policies enable customers to steer DNS traffic based on the IP Prefix of the originating query. For more information, see Managing Traffic with Steering Policies.
TSIG Keys	Status - The current state of the tag signature key: Creating Active Deleting Deleted Failed Updating Algorithm - The type of algorithm used for the tag signature key: hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256 hmac-h384 hmac-sha512 For more information, see Working with Transaction Signature Keys.

Identity

The following identity resource types have additional information in their resource list.

Resource Type	Resource-specific Elements
Users	Status - The current state of the user: Creating Active Inactive Deleting Deleted Email - The email address assigned to the user which does not have to be unique across all users in the tenancy; multiple user accounts can have the same email address. For more information, see Creating and Managing User Accounts.
Federation	Status - The current state of an identity provider: Creating Active Inactive Deleting Deleted Type - The type identity provider service or product which is either Security Assertion Markup Language (SAML) 2.0 protocol or Microsoft Active Directory Federation Services (ADFS). Redirect URL - The identity provider-provided URL that enables a service provider to get required information to federate with that identity provider. For more information, see Federating with Microsoft Active Directory.
Groups	Status - The current state of a group: Creating Active Inactive Deleting Deleted For more information, see Creating and Managing User Groups.
Policies	Status - The current state of a policy: Creating Active Inactive Deleting Deleted Statements - The number of statements attached to a policy. For more information, see Managing Policies.
Compartments	Status - The current state of a compartment: Creating Active Inactive Deleting Deleted For more information, see Creating and Managing Compartments.

Governance

The following governance resource types have additional information in their resource list.

Resource Type	Resource-specific Elements
Tag Namespaces	Status - The current state of a tag namespace: Active Inactive Deleting Deleted For more information, see Creating and Managing Tag Namespaces.

About Resource Detail Pages

A resource details page has a section of general information about a particular resource, such as its OCID, when it was created, and the compartment it is in. Tags associated with the resource are shown on a separate Tags tab in the general information section. Some resources have other tabs as well. For example, instance details pages have separate tabs for Configuration and Networking information.

Above the general information section is the name of the resource and often one or more buttons that enable you to perform operations similar to the operations on the Actions menu on the resource type page.

To the left of the general information section is a box that shows the status of the resource.

Below the resource status box is a Resources box that lists resources that are associated with the resource that is named at the top of this resource details page. For example, on a VCN details page, the Resources box includes subnets, route tables, and security lists.

Click on a resource type in the Resources box to list all the resources of that type that are associated with the resource named at the top of this page. These resources are listed in a table that is very similar to the tables on resource type pages described in About Resource Type Pages. The resource tables in a Resources section have similar rows and columns, including an Actions menu for each resource, and have a compartment selector and usually a create button above the table.

One difference between resource tables on a resource type page and in the Resources section of a resource details page is that the column headings of resource tables in a Resources section have arrow buttons that enable you to sort the rows of the table by the content in that column. You are not limited to sorting the table only by the name of the resource. For example, you can click the arrows to sort an IP address table by the private or public IP address or by the create date of the resource.

Click the name of a resource in a Resources section table to display the details page for that resource.

The following table shows you some of the tasks you can only do from a resource's detail page.

Task	Resource Detail Page
Create a volume group clone	Volume group
Create a schedule for a backup policy	Backup policy
Create file system export	Mount target
Create file system snapshot or create file system export	File system
Upload an API key	User
View or configure policy statements	Policy
View or create a tag key definition	Tag namespace
Attach a DRG to a VCN	Dynamic routing gateway
View or add the following for VCNs: Subnets Route Tables View or add route rules from a route table's detail page Internet Gateways Local Peering Gateway DHCP Options Security Lists View or create ingress or egress rules from a security list's detail page NAT Gateways Network Security Groups Service Gateways Dynamic Routing Gateway	Virtual cloud network
View or create DNS zone records	Zone
View or add attached domains page	Steering policy

Locating Tenancy and Profile Information

For many tasks in Private Cloud Appliance OCI CLI, you need the tenancy OCID, which you can find on a tenancy's detail page in the Compute Web UI. You can find this page by clicking your user name in the top menu bar and selecting Tenancy or using the OCI CLI after you have installed and configured it.

A tenancy detail page provides you with some general information (which includes the OCID), object storage settings, and any associated tags. Within the Compute Web UI you cannot make any changes to a tenancy; rather, this is done by an administrator of the Service Web UI. For more information about tenancies, see Understanding the Tenancy.

Every user in the system has an associated profile. The information in a user's profile can be found in the user detail pages. Users with administrative privileges (or through group membership or policies) have access to all user profiles.

You can find your profile page by logging into a tenancy for which you have access, clicking your user name in the top menu bar and selecting Profile. From your profile page, you can view general information and your OCID, view any tags associated with your profile, and view, add or delete API keys. You can also see which groups you belong to; however, you cannot change any of your group assignments unless you have administrative privileges.

For more information about user profiles, see Creating and Managing User Accounts.

Using the OCI CLI

This section provides instructions for installing and configuring the OCI CLI as well as some general information to help you use it. The rest of the Oracle Private Cloud Appliance User Guide shows you how to use the OCI CLI to complete tasks within the context of the step-by-step procedures.

The OCI CLI is the command line interface to the Compute Enclave. You can use the OCI CLI on its own or with the Compute Web UI to complete tasks. The OCI CLI provides the same core functionality as the Compute Web UI, plus additional commands, such as the ability to run scripts that extend the functionality. The OCI CLI's functionality is based on REST APIs which you can access from a browser with this URL:

https://console.pcasysname.example.com/api-reference

where pcasysname is the name of your Private Cloud Appliance and example.com is your domain. You can find the system and domain names on the dashboard of the Service Web UI or you can ask an administrator for this information.

Before You Begin

To install and use the OCI CLI, you must have:

• A user account for the Compute Web UI.

• An RSA public/private keypair used for signing API requests, with the public key uploaded for the user through the Compute Web UI.

  Important:

  In the configuration steps, you have the option of using existing API public and private keys or creating new keys. If you do not already have an existing key pair, we recommend that you create them as part of the manual or automated OCI CLI configuration.

• A Private Cloud Appliance self-signed certificate.

  This requirement is satisfied during the configuration steps.

You can install the OCI CLI on macOS, Microsoft Windows, or any supported Linux/UNIX operating system:

• Oracle Linux 7 and Oracle Linux 8

• CentOS 7.0 and CentOS 8.x

• Ubuntu 16.04, Ubuntu 18.04, and Ubuntu 20.04

Installing the OCI CLI

You can install the OCI CLI on Oracle Linux or macOS operating systems using a package manager. To install on Microsoft Windows or some other operating system, use the install script.

Important:

If you already have the CLI installed and configured, you can skip to Configuring the OCI CLI to learn how to further configure the CLI for Private Cloud Appliance.

To install the CLI, its dependencies, and Python, follow the steps for your operating system. During installation, respond to the prompts for information as described in "Responding to the Install Script Prompts."

Oracle Linux 8

Run the following commands to install the CLI:

$ sudo dnf -y install oraclelinux-developer-release-el8
$ sudo dnf install python36-oci-cli

To uninstall the CLI, run:

$ sudo dnf remove python36-oci-cli

Oracle Linux 7

Run the following command to install the CLI:

$ sudo yum install python36-oci-cli

To uninstall the CLI, run:

$ sudo yum remove python36-oci-cli

macOS

You can use Homebrew to install, upgrade, and uninstall the CLI on macOS.

Note:

Optionally, you can install the CLI using the install script. See "Using the Install Script for Other Operating Systems" in this section for details.

• To install the CLI, run:

  $ brew update && brew install oci-cli

• To upgrade the CLI, run:

  $ brew update && brew upgrade oci-cli

• To uninstall the CLI, run:

  $ brew uninstall oci-cli

Microsoft Windows

You can use Microsoft Windows PowerShell to install the CLI.

1. Open the PowerShell console using the Run as Administrator option.

2. Set the http_proxy and https_proxy environment variables.

   Important:

   The value of https_proxy is the hostname or IP address of your HTTP proxy server.

   $Env:http_proxy="http://www-proxy.example.com:80"
   $Env:https_proxy="http://www-proxy.example.com:80"

   If your proxy server requires a username and password, or uses a port number other than 80, include that information, as shown in the following example:

   $Env:https_proxy=http://username:password@proxy.example.com:port

   Check that your proxy variables are set correctly. Make sure you can connect to internet locations.

   $Env:http_proxy
   $Env:https_proxy
   ping https://raw.githubusercontent.com

3. The installer enables auto-complete by installing and running a script. To allow this script to run, you must enable the RemoteSigned execution policy.

   To configure the remote execution policy for PowerShell, run the following command:

   $ Set-ExecutionPolicy RemoteSigned

4. Force PowerShell to use TLS 1.2 for Microsoft Windows 2012 and Microsoft Windows 2016:

   $ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 

5. Download the install script:

   $ Invoke-WebRequest ^
   https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.ps1 ^
   -OutFile install.ps1

6. Run the install script with or without prompts.

   Run the install.ps1 script that you downloaded in the previous step.

   To avoid prompts and accept the default values, run the script with the following option:

   $ install.ps1 -AcceptAllDefaults

7. Unset the proxy environment variables.

   $Env:http_proxy=""
   $Env:https_proxy=""

Using the Install Script for Other Operating Systems

For any other operating system, run the following install script to install the CLI, its dependencies, and Python.

$ bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"

To avoid prompts and accept the default values, add the --accept-all-defaults option.

Responding to the Install Script Prompts

• If you do not have a compatible version of Python installed in Linux or Microsoft Windows, you are prompted to provide a location for installing the binaries and executables. The script installs Python for you.

• If you do not have a compatible version of Python installed in macOS, you are notified that your version of Python is incompatible. You must upgrade before you can proceed with the installation. The script does not install Python for you.

• When prompted to upgrade the CLI to the newest version, respond with Y to overwrite an existing installation.

• When prompted to update your PATH, respond with Y to be able to invoke the oci command without providing the full path to the executable.

Configuring the OCI CLI

Before using the OCI CLI, you must configure it for working with Private Cloud Appliance and obtain the system's certificate authority (CA) chain. You can complete the configuration manually or use the config setup tool to help you.

Important:

If you are already using the OCI CLI and have it configured for other purposes, read this section entirely before proceeding with any of the configuration steps.

Obtain the Required Information

Whether you manually configure the OCI CLI or use the setup config tool, there is required information you must provide for the configuration file. Before you begin the configuration process, ensure you have the following:

• User OCID

  The user's OCID is in ocid1.user.unique_ID format. You can copy the user's OCID from the user details page in the Compute Web UI. To navigate to your user details page, click your user name in the Compute Web UI dashboard and then click My Profile.

• Tenancy OCID

  The tenancy OCID is in ocid1.tenancy..unique_ID format. You can copy the tenancy OCID from the tenancy details page in the Compute Web UI. To navigate to the tenancy details page, click your user name in the Compute Web UI dashboard and then click Tenancy.

• Region name

  The region name is in pcasys1.example.com format, where pcasys1 is the name of your Private Cloud Appliance and example.com is your domain.

  If you have access to the Service Web UI, you can find the system and domain names on the dashboard. Otherwise, ask a Service Web UI administrator for the information.

If you do not already have an existing API public and private key pair, we recommend that you create them as part of the manual or automated OCI CLI configuration. For more information, see the Manual Configuration or Automated Configuration section.

If you have an existing API public and private key pair that you want to use, make sure:

• They are in PEM format.

• Your public key is added to your user profile.

• You know the full path and file name of the private key. For example, ~/.oci/oci_api_key.pem .

• You have your public key fingerprint, which is in xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx format. You can find this fingerprint on your profile page in the Compute Web UI or through a terminal using a command. For example:

  openssl rsa -pubout -outform DER -in ~/.oci/oci_api_key.pem | openssl md5 -c

Manual Configuration

Complete the following steps to manually configure the OCI CLI for Private Cloud Appliance. Ensure you have gathered all the required information.

The steps below assume you are on a Linux system and that you have already created a user through the Compute Web UI. However, the basic procedure is the same for other system types.

1. From a terminal, log into the system where you installed the CLI and create an API key pair. For example:

   $ oci setup keys
   Enter a passphrase for your private key (empty for no passphrase):
   Public key written to: /home/username/.oci/oci_api_key_public.pem
   Private key written to: /home/username/.oci/oci_api_key.pem
   Public key fingerprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

2. From a browser, log into the Web UI.

3. Navigate to your user details page. Click your user name in the top right of the page, and then click My Profile. Your user details page is displayed.

4. In the Resources section of your user details page, click API Keys, and then click the Add API Key button.

5. Navigate to the location of your public key or paste the public key contents and then click Upload Key.

6. In your /home/username/.oci directory, create a file named config. Add a profile section with the required information:

   [PCA1]
   user=ocid1.user...unique_id
   key_file=/home/username/.oci/oci_api_key.pem
   tenancy=ocid1.tenancy.unique_ID
   region=pcasys1.example.com
   fingerprint=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

   In this example, pcasys1 is the name of your Private Cloud Appliance and example.com is your domain.

   If you have access to the Service Web UI, you can find the system and domain names on the dashboard. Otherwise, ask a Service Web UI administrator for the information.

Automated Configuration

If this is the first time you are using the OCI CLI, the setup config tool helps you walk you through setup process. When you enter the oci setup config command it prompts you for the information required for the config file and the API public/private keys and then generates an API key pair and creates the config file.

To configure the OCI CLI using the setup config tool:

1. From a command window, enter oci setup config and follow the prompts, for example:

   $ oci setup config
   This command provides a walkthrough of creating a valid CLI config file.
   Enter a location for your config [/home/myuserdir/.oci/config]:
   Enter a user OCID: ocid1.user.unique_ID
   Enter a tenancy OCID: ocid1.tenancy.unique_ID

   Important:

   For the step Enter a region by index or name, you cannot enter the region in the required system.domain format. Rather, enter any value from the list as the value is meaningless to Private Cloud Appliance. In Step 2 you will modify the config file to provide the information needed by Private Cloud Appliance.

   Enter a region by index or name(e.g.
   1: ap-chiyoda-1, 2: ap-chuncheon-1, 3: ap-hyderabad-1, 4: ap-melbourne-1, 5: ap-mumbai-1,
   6: ap-osaka-1, 7: ap-seoul-1, 8: ap-sydney-1, 9: ap-tokyo-1, 10: ca-montreal-1,
   11: ca-toronto-1, 12: eu-amsterdam-1, 13: eu-frankfurt-1, 14: eu-zurich-1, 15: me-dubai-1,
   16: me-jeddah-1, 17: sa-santiago-1, 18: sa-saopaulo-1, 19: sa-vinhedo-1, 20: uk-cardiff-1,
   21: uk-gov-cardiff-1, 22: uk-gov-london-1, 23: uk-london-1, 24: us-ashburn-1, 
   25: us-gov-ashburn-1, 26: us-gov-chicago-1, 27: us-gov-phoenix-1, 28: us-langley-1, 
   29: us-luke-1, 30: us-phoenix-1, 31: us-sanjose-1): 24

   Do you want to generate a new API Signing RSA key pair? 
   (If you decline you will be asked to supply the path to an existing key.) [Y/n]: Y
   Enter a directory for your keys to be created [/home/myuserdir/.oci]:
   Enter a name for your key [oci_api_key]:
   Public key written to: /home/myuserdir/.oci/oci_api_key_public.pem
   Enter a passphrase for your private key (empty for no passphrase):
   Private key written to: /home/myuserdir/.oci/oci_api_key.pem
   Fingerprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
   Config written to /home/myuserdir/.oci/config

2. Navigate to the ~/myuserdir/.oci directory and modify the config file to use the correct region, for example:

   [DEFAULT]
   user=ocid1.user.unique_ID
   fingerprint=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
   key_file=/home/myuserdir/.oci/oci_api_key.pem
   tenancy=ocid1.tenancy.unique_ID
   region=pcasys1.example.com

   where pcasys1 is the name of your Private Cloud Appliance and example.com is your domain.

   If you have access to the Service Web UI, you can find the system and domain names on the dashboard. Otherwise, ask a Service Web UI administrator for the information.

3. If you haven't already, upload your API Signing public key through the Compute Web UI. For more information, see Adding an API Public Key to a User Profile.

Obtaining the Certificate Authority Bundle

Whether you configured the CLI manually or used the automated tool, you must obtain the Private Cloud Appliance external silo CA chain before you can run commands.

The external silo CA chain must be copied to the system where you are installing the CLI and referenced in the oci_cli_rc file.

1. Navigate to your ~/.oci directory.

2. Copy the external silo CA chain from the following location:

   https://iaas.system-name.domain-name/cachain

   Save the CA chain in a file. In this example, the file is named ca.crt and is saved in the ~/.oci directory.

3. In the ~/.oci directory, create a file named oci_cli_rc. Add the profile name and the path to your copy of the external silo CA chain. For example:

   [PCA1]
   cert-bundle=/home/username/.oci/ca.crt

4. Set the OCI_CLI_CERT_BUNDLE environment variable to the same path as in the previous step.

Testing the OCI CLI Configuration

Important:

If you followed the manual configuration process and attempt to test the configuration by running the commands in this section, you might encounter a warning message stating the permissions on the config file are too open. If this happens, follow the instructions in the warning message to resolve the issue.

After you have installed and configured the OCI CLI, enter a list command to verify that the OCI CLI is working correctly. For example:

$ oci iam user list

Using Multiple Profiles

The OCI CLI configuration files config and oci_cli_rc can define more than one profile. Each profile section in the config file references a tenancy within a Private Cloud Appliance. The tenancies can be on different appliances.

In the following example ~/.oci/config file, the PCA1 profile is for a tenancy on the pcasys1 appliance, the PCA2 profile is for a tenancy on the pcasys2 appliance, and the DEFAULT profile is a copy of the PCA1 profile. The DEFAULT profile is used when you have not specified which profile to use.

In this example, the key file and fingerprint are the same in each profile, but the user OCID will be different on the two different appliances or in two different tenancies on the same appliance.

[DEFAULT]
user=ocid1.user.unique_ID_1
key_file=/home/username/.oci/oci_api_key.pem
tenancy=ocid1.tenancy.unique_ID_1
region=pcasys1.example.com
fingerprint=58:f8:69:13:e1:a8:51:4d:5a:a0:11:69:ca:09:48:73
[PCA1]
user=ocid1.user.unique_ID_1
key_file=/home/username/.oci/oci_api_key.pem
tenancy=ocid1.tenancy.unique_ID_1
region=pcasys1.example.com
fingerprint=58:f8:69:13:e1:a8:51:4d:5a:a0:11:69:ca:09:48:73
[PCA2]
user=ocid1.user.unique_ID_2
key_file=/home/username/.oci/oci_api_key.pem
tenancy=ocid1.tenancy.unique_ID_2
region=pcasys2.example.com
fingerprint=58:f8:69:13:e1:a8:51:4d:5a:a0:11:69:ca:09:48:73

Note:

If you do not specify a profile to use, the DEFAULT profile is used. If you do not specify a profile and do not have a DEFAULT profile, you must use the --profile option in your commands.

To specify a profile, set the profile name as the value of the OCI_CLI_PROFILE environment variable:

export OCI_CLI_PROFILE=PCA1

The --profile option is a global option, specified on oci, as in the following example:

$ oci --profile PCA2 iam user list

You must specify the same profiles in your oci_cli_rc file that you specified in your config file:

[DEFAULT]
cert-bundle=/home/username/.oci/pca1/ca.crt
[PCA1]
cert-bundle=/home/username/.oci/pca1/ca.crt
[PCA2]
cert-bundle=/home/username/.oci/pca2/ca.crt

If you have configured multiple profiles, consider creating subdirectories within the .oci directory to store the different API keys and external silo CA chains for each profile.

Consider creating a file of environment variables for each profile. In addition to setting OCI_CLI_PROFILE, set OCI_CLI_CERT_BUNDLE to the same path that you specified in your oci_cli_rc file. Set OCI_CLI_TENANCY to the OCID of the tenancy for this profile. Giving other compartments and resources names makes commands easier to enter and read. For example:

$ oci network subnet create -c $Networking --vcn-id $VCN1 ...

Working with API Signing Keys

If you need to use the OCI CLI or make REST API requests, you must have an API signing public and private key pair. API requests are signed with the private key, and the public key is used to verify the authenticity of the request. The private key is stored locally and the public key is uploaded to a user account. You can have a maximum of three (3) public keys per user account.

Important:

The API signing key pair is not the SSH key that you use to access compute instances. Both the private key and public key (minimum 2048 bits) must be in PEM format (not SSH-RSA format).

Generating an API Key Pair

If you do not already have an existing API signing public and private key pair, we recommend that you create the key pair as part of the manual or automated configuration. To do so, use the oci setup keys command as shown in the Manual Configuration section or follow the prompts in the Automated Configuration section.

If you want to create a key pair independent of the OCI CLI configuration, the following sections show you how to do this on Linux, macOS, and Microsoft Windows operating systems. You can then use these keys when you configure the OCI CLI.

Using Linux or macOS

1. Generate the private key.

   • Generate the key encrypted with a passphrase:

     $ openssl genrsa -out ~/.oci/oci_api_key.pem -aes128 2048

     Note:

     Use of a passphrase is strongly recommended.

   • Generate the key with no passphrase:

     $ openssl genrsa -out ~/.oci/oci_api_key.pem 2048

2. Check the permission on the private key file and change if necessary.

   The file permission should be 600 or 400 to ensure that only you can read the private key file.

3. Generate the public key from your new private key:

   $ openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem

   This public key file can have the same permissions as the private key file or can be readable by everyone.

Using Microsoft Windows

1. Install Git Bash for Microsoft Windows.

   See https://git-scm.com/download/win.

2. Include the OpenSSL binary in your Microsoft Windows path.

   On default installations, the openssl.exe binary is in the following directory:

   C:\Program Files\Git\mingw64\bin

3. Generate the private key.

   • Generate the key encrypted with a passphrase:

     $ openssl genrsa -out %HOMEDRIVE%%HOMEPATH%\.oci\oci_api_key.pem -aes128 -passout  ^
     stdin 2048

     Note:

     Use of a passphrase is strongly recommended.

   • Generate the key with no passphrase:

     $ openssl genrsa -out %HOMEDRIVE%%HOMEPATH%\.oci\oci_api_key.pem 2048

4. Check the permission on the private key file and change if necessary.

   The file permission should be set so that only you can read the private key file.

5. Generate the public key from your new private key:

   $ openssl rsa -pubout -in %HOMEDRIVE%%HOMEPATH%\.oci\oci_api_key.pem -out  ^
   %HOMEDRIVE%%HOMEPATH%\.oci\oci_api_key_public.pem

   This public key file can have the same permissions as the private key file or can be readable by everyone.

Adding an API Public Key to a User Profile

You add your own API public key to your profile using the Compute Web UI. If you do not have a login and password for the Compute Web UI, contact an administrator.

Using the Compute Web UI

1. From a browser, log into the Compute Web UI.

2. Navigate to your user details page, click your user name in the dashboard, and then click My Profile.

   Your user details page is displayed.

3. In the Resources section, click API Keys and then click Add API Key.

4. In the Add Public Key dialog, navigate to the location of your public key or paste the public key contents and then click Upload Key.

Users can have a maximum of three (3) public keys added to their profile.

Using the OCI CLI

After you've installed and configured the OCI CLI, you can also use the api-key upload command to upload additional keys. If you have more than one API public key, you must specify the key's fingerprint to indicate which key you're using to sign the request.

1. Get the OCID of the user that needs an API signing key (oci iam user list).

2. Use the user API key list command to ensure that your account does not already have the maximum three API signing keys.

   Syntax:

   $ oci iam user api-key list --user-id user_OCID

3. Run the API key upload command.

   Syntax:

   $ oci iam user api-key upload --user-id ocid1.user.unique_ID { --key key | --key-file  \
   file://keyfile.pem }

   • key – an RSA public key in PEM format

   • keyfile.pem – a file that contains an RSA public key in PEM format

Finding an API Public Key Fingerprint

Your public key fingerprint, which is in xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx format, can be found on your profile page in the Compute Web UI or through a terminal using the following OpenSSL commands:

Linux and macOS:

$ openssl rsa -pubout -outform DER -in ~/.oci/oci_api_key.pem | openssl md5 -c

Microsoft Windows:

$ openssl rsa -pubout -outform DER -in \.oci\oci_api_key.pem | openssl md5 -c

Deleting an API Signing Key from a User Profile

You can delete your own API signing keys, and tenancy administrators can delete API signing keys for any user in their tenancy.

Using the Compute Web UI

1. In the navigation menu, click Identity, and then click Users.

2. Click the name of the user account for which you want to delete an API signing key.

3. Scroll to the Resources section of the user details page.

4. For the API key that you want to delete, click the Actions icon (three dots) and then click Delete.

Using the OCI CLI

1. Get the following information:

   • The OCID of the user account from which you want to delete an API signing key.

     $ oci iam user list

   • The fingerprint of the API signing key that you want to delete.

     $ oci iam user api-key list --user-id user_OCID

2. Run the user API key delete command.

   Syntax:

   $ oci iam user api-key delete --user-id user_OCID --fingerprint fingerprint

Understanding Command Syntax and Finding Help

This section provides some basic information to help you as you begin using the OCI CLI, such as command syntax, how to find OCIDs, and where to get help with commands.

Command Syntax

In general, commands entered in the OCI CLI have the following syntax:

$ oci service type action required-parameters optional-parameters

For example, in the following command:

$ oci iam user create --name joeb --description "Product test" \
--email joeb@example.com

• iam is the service

• user is the resource type

• create is the action

• name and description are required parameters

• email is an optional parameter

Obtaining OCIDs

When you use the OCI CLI, the majority of commands require an OCID:

• list commands require the OCID of the compartment where you are looking for the resource.

• create commands require the OCID of the compartment where you want to create the resource.

• get, update, and delete commands require the OCID of the resource.

• move commands require the OCID of the resource and the OCID of the destination compartment.

Some commands require the OCID of a different resource. For example, creating a route table for a DRG requires the OCID of the DRG.

You can find OCIDs using the OCI CLI or the Compute Web UI. The following lists show you how to find the most commonly needed OCIDs using the OCI CLI.

Block volume service OCIDs

• Boot volume

  $ oci bv boot-volume list --availability-domain availability_domain_name \
  --compartment-id compartment_OCID

• Volume

  $ oci bv volume list --compartment-id compartment_OCID

• Volume backup policy

  $ oci bv volume-backup-policy list --compartment-id compartment_OCID

• Volume group

  $ oci bv volume-group list --compartment-id compartment_OCID

Compute service OCIDs

• Instance

  $ oci compute instance list --compartment-id compartment_OCID

• Instance VNIC

  $ oci compute instance list-vnics --compartment-id compartment_OCID

• Volume attachment

  $ oci compute volume-attachment list --compartment-id compartment_OCID

Identity and access management service OCIDs

• Availability domain name

  $ oci iam availability-domain list

• Compartments within a tenancy

  $ oci iam compartment list

• Compartments within a tenancy and including the tenancy

  $ oci iam compartment list --include-root

• Compartments and all sub-compartments in a tenancy

  $ oci iam compartment list --compartment-id-in-subtree true

• Compartment including its sub-compartments

  $ oci iam compartment list --compartment-id compartment_OCID \
  --compartment-id-in-subtree

• Group

  $ oci iam group list

• Policy

  $ oci iam policy list --compartment-id compartment_OCID

• Tag namespace

  $ oci iam tag-namespace list --compartment-id compartment_OCID

• User

  $ oci iam user list

Network service OCIDs

• DHCP options

  $ oci network dhcp-options list --compartment-id compartment_OCID \
  [--vcn-id VCN_OCID]

• Route table

  $ oci network route-table list --compartment-id compartment_OCID \
  [--vcn-id VCN_OCID]

• Subnet

  $ oci network subnet list --compartment-id compartment_OCID \
  [--vcn-id VCN_OCID]

• VCN

  $ oci network vcn list --compartment-id compartment_OCID

In the Compute Web UI, an OCID Copy button is available on the details page of a resource and often also on the Actions menu for the resource in the resource list.

To more easily specify OCIDs, and to make your commands more readable, you might want to set frequently used OCIDs in environment variables. For example, you could set the tenancy to T. Compartments are the most frequently used OCIDs, and the --compartment-id option can be shortened to -c.

The following examples show listing all VCNs in the NET compartment and using the large shape instance configuration to launch an instance.

$ oci compute vcn list -c $NET
$ oci compute-management instance-configuration launch-compute-instance \
--instance-configuration-id $INST_CFG_LRG

Getting Help with Commands

You can get inline help by appending --help, -h or -? to a command:

• oci --help returns a list of commands and global command options.

• oci service --help returns a summary of the command reference for a service. For example:

  $ oci compute -h
  Usage: oci compute [OPTIONS] COMMAND [ARGS]...
    Compute Service CLI
  
  Options:
    -?, -h, --help  For detailed help on any of these individual commands, enter 
                    <command> --help.
  Commands:
    boot-volume-attachment          Represents an attachment between a...
    capacity-reservation            A template that defines the...
    console-history                 An instance's serial console data.
    dedicated-vm-host               A dedicated virtual machine host...
    dedicated-vm-host-instance      Condensed instance data when...
    device                          Device Path corresponding to the...
    global-image-capability-schema  Global Image Capability Schema
    global-image-capability-schema-version
                                    Global Image Capability Schema...
    image                           A boot disk image for launching an...
    image-capability-schema         Image Capability Schema
    image-shape-compatibility-entry An image and shape that are...
    instance                        A compute host.
    instance-console-connection     The `InstanceConsoleConnection`...
    measured-boot-report            The measured boot report for a...
    pic                             Partner image catalog (PIC).
    shape                           A compute instance shape that can...
    vnic-attachment                 Represents an attachment between a...
    volume-attachment               A base object for all types of...

• oci service resource_type --help returns a summary of the command reference for a resource type. For example:

  $ oci compute image -h
  Usage: oci compute image [OPTIONS] COMMAND [ARGS]...
    A boot disk image for launching an instance. For more information, see
    [Overview of the Compute Service].
  
    To use any of the API operations, you must be authorized in an IAM policy.
    If you're not authorized, talk to an administrator. If you're an
    administrator who needs to write policies to give users access, see
    [Getting Started with Policies].
  
    **Warning:** Oracle recommends that you avoid using any confidential
    information when you supply string values using the API.
  
  Options:
    -?, -h, --help  For detailed help on any of these individual commands, enter
                    <command> --help.
  
  Commands:
    change-compartment  Moves an image into a different compartment within...
    create              Creates a boot disk image for the specified instance...
    delete              Deletes an image.
    export              Exports an image to the Oracle Cloud Infrastructure...
    get                 Gets the specified image.
    import              Imports an exported image from the Oracle Cloud...
    list                Lists a subset of images available in the specified...
    update              Updates the display name of the image.

• oci service resource_type action --help returns the complete command reference for the specified service resource action. For example, the following command displays a full description of creating a compute image, and describes all options:

  $ oci compute image create -h

For more information, see the Oracle Cloud Infrastructure CLI Command Reference.

Using JSON for Complex Command Input

Complex command input includes arrays and objects with more than one value. Complex input is passed as a block of key/value pairs in JSON format. The JSON-formatted input can be provided as a string in the command line or as a file that is referenced in the command line.

The OCI CLI supports using both JSON strings and file references in the same command line. However, if the same values are provided in a file and in a string in the same command, the string value takes precedence.

Using a JSON String

To pass a JSON block as a string in the OCI CLI command line, remove the newlines. On macOS, Linux, or UNIX, enclose the entire JSON block in single quotation marks. In Microsoft Windows command lines, enclose the JSON block in double quotation marks, and escape the double quotation marks that are within the block (\").

On any operating system or shell, you might need to escape other characters such as dollar signs.

If you receive the message "Parameter 'parameter_name' must be in JSON format," then your JSON formatting is not correct. If you copied the JSON format as described in Generating JSON Format, then recheck your command-line format, especially characters that might need to be escaped.

• macOS, Linux, or UNIX

  $ oci compute instance update --instance-id ocid1.image.unique_ID \
  --freeform-tags '{"Department":"Finance"}'

• Microsoft Windows

  > oci compute instance update --instance-id ocid1.image.unique_ID \
  --freeform-tags "{\"Department\":\"Finance\"}"

Using a JSON File

An advantage of storing complex option arguments in files is that you can easily reuse arguments that you know are in correct format. You can store the data exactly the way you copy it from output of the --generate-param-json-input option or of the get command: You do not need to remove newlines and escape certain characters as you need to do for command-line strings.

When you pass input using a JSON file, the option argument is the file name prefixed with file://. The file name can be the name of the file in the same directory where you are running the command, the relative path to the file, or the full path to the file.

Generating JSON Format

If you receive the message "Parameter 'parameter_name' must be in JSON format," then your JSON formatting is not correct. The following methods will help you format the data correctly.

JSON Format for a Single Complex Type Option Value

If an option is complex type, then you can generate the JSON format for that option value by using the --generate-param-json-input option. The argument for the --generate-param-json-input option is the name of the option for which you want the JSON format, without the -- option specifier. For example, the following command shows the JSON format to use to specify route rules (--route-rules option) for a route table:

$ oci network route-table update --generate-param-json-input route-rules
[
  {
    "cidrBlock": "string",
    "description": "string",
    "destination": "string",
    "destinationType": "string",
    "networkEntityId": "string"
  },
  {
    "cidrBlock": "string",
    "description": "string",
    "destination": "string",
    "destinationType": "string",
    "networkEntityId": "string"
  }
]

Values that you provide in the option argument replace any existing values. For example, if you already have an ingress rule and you want to add an egress rule, you must specify both the existing ingress rule and the new egress rule. If you specify only the rule that you want to add, any previously existing rules will be gone. Similarly, if you want to add a policy statement or add values for a defined tag, for example, you must respecify the existing statements or values that you want to keep in addition to what you want to add.

Sometimes the output contains a message about choices, such as in the following example:

$ oci compute instance launch --generate-param-json-input source-details
[
  "This parameter should actually be a JSON object rather than an array - pick one of the
  following object variants to use",
  {
    "bootVolumeId": "string",
    "sourceType": "bootVolume"
  },
  {
    "bootVolumeSizeInGBs": 0,
    "imageId": "string",
    "kmsKeyId": "string",
    "sourceType": "image"
  }
]

When you use the Compute Web UI to create an instance, you select either a Custom Image or a Boot Volume. Similarly, the message in the preceding example tells you to specify either the boot volume block or the image block, not both.

JSON Format for Values of All Options of a Command

The --generate-full-command-json-input option shows JSON format for values of all options of the specified command, including values that are not complex values.

$ oci network route-table update --generate-full-command-json-input > route_table_update.json

Use the --from-json option to pass in your customized version of this output.

$ oci network route-table update --from-json file://route_table_update.json

JSON Format of Existing Values

If resources of this type already exist, do a get or list of the resources to see the JSON formatting and also to check the current values.

$ oci network route-table get --rt-id ocid1.routetable.unique_ID

Copy the block you want directly from this output, and then change the values as needed.

In the case where multiple values are allowed, use this method to avoid overwriting values that you want to keep. Copy the block you want from the get or list output, and then change, add, or delete values as needed.

Formatting and Filtering Command Output

By default, all command output is in JSON format:

$ oci iam region list
{
  "data": [
    {
      "key": "pcasysname",
      "name": "pcasysname"
    }
  ]
}

If you prefer, command output can be formatted as a table:

$ oci iam region list --output table
+------------+------------+
| key        | name       |
+------------+------------+
| pcasysname | pcasysname |
+------------+------------+

You can filter output using the JMESPath query option for JSON. Filtering is useful when when you have a large amount of output. The --output table option shows a column for each property of a resource. The output table for an instance, for example, has almost 30 columns and probably overflows the width of your display.

To output only the data that you want, use the --query option with the --output table option, as shown in the following example:

$ oci compute image list -c ocid1.compartment.unique_ID --output table \
--query "data [*].{ImageOCID:id, OperatingSystem:\"operating-system\"}"
+-------------------------+-----------------+
| ImageOCID               | OperatingSystem |
+-------------------------+-----------------+
| ocid1.image.unique_ID_1 | OracleLinux     |
| ocid1.image.unique_ID_2 | OracleLinux     |
+-------------------------+-----------------+

For more information about the JMESPath query language for JSON, see JMESPath.