This page provides some considerations and recommendation on the tenancy management. There are no one correct answer but rather things to consider for each specific situation.

Tenant admins

VM Updates

  1. Keep Your VMs Up to Date
    Regularly update your virtual machines (VMs) to ensure they have the latest security patches and performance improvements. This helps protect against vulnerabilities and enhances overall system stability.

  2. Turning On/Off Automatic Updates 
    By default, EWC Ubuntu VMs have automatic security updates turned on to ensure the installation of security patches. While you can disable the automatic updates it's recommended to keep them on. In all cases, make sure to monitor the installation of the critical updates. 

  3. Private IPs and Security Groups 
    Assign only private IP addresses to VMs where public access is not required. This minimises exposure to potential threats. Additionally, configure security groups to open only the necessary ports, reducing the attack surface and enhancing security.

  4. Follow Security Guidelines 
    Adhere to the security guidelines provided (to be published). These guidelines will offer comprehensive advice on maintaining a secure and resilient VM environment.

Deployment

  1. Infrastructure as Code 
    Implement infrastructure as code practices to manage and provision your deployment environments. This ensures consistency and allows you to reproduce environments easily, reducing the risk of configuration drift.

  2. Log Management 
    Keep detailed logs of your deployment processes and system activities. Logs are crucial for troubleshooting issues, monitoring system performance, and maintaining compliance with regulatory requirements.

Backups

  1. Data backup
    In order to keep the data safe, especially the most critical ones, it is a good practice to make them redundant and store them in multiple places, also leveraging the different storage solutions provided by EWC. As examples: data could be synced across multiple volumes attached to different VMs; data could be also saved on the object storage in S3 buckets; where needed it is also possible to replicate on multiple clouds within EWC (e.g. at both ECMWF and EUMETSAT clouds); finally a copy of the data could also be stored externally to EWC, e.g. in local premises or other infrastructure providers. 
  2. Applications backup
    When it is required to have a resilient and faults tolerant application, it is usually chosen a design and deployment that allows to run it in a high availability mode so that if an instance is down, the overall service is not impacted and the application remains available to the end users. In other cases, where it is not possible to implement an active high availability setup, it is at least advisable to take a regular backup of the application and relevant data in order to make it possible a quick service restoration in case of outage or redeployment.   
  3. Virtual Machines backup
    Beside the above mentioned backups, the users of the EWC has the possibility to take a backup of the deployed Virtual Machines by following the steps described in VM Backups in Morpheus .
    However the VM backup is just an additional complementary tool to create a backup, but it shall not be the primary and neither the only one to rely on. It is indeed meant to be used in conjunction with data/application backups and automated deployment.

Resource management

  1. Delete unused VMs
    Regularly review your Virtual Machines, and delete unused ones. Note that switched off VMs will still be counted, in both your quota and your consumption. If a VM is only needed for a fixed period of time, set a reminder to delete it.
  2. Keep eye on budget vs. consumption
    Regularly look at your EWC Accounting Dashboard to ensure you're spending your allowance at the right speed. Your resource allowance is per year and is not a hard limit, so it's fine to spend more one month and less the next month. 
  3. Be aware of your quotas
    The quotas on the other hand are technical limits, so they will block you from using more resource. They are default limits for the number of VMs, the amount of RAM, etc. But they are primarily implemented to prevent you from using too much by mistake. Ask support to increase a quota if you need it.

Communications

The tenant administrator is the primary point of contact from EWC support and the corresponding Computing Representative, and should act as a bridge to the rest of the tenancy users. As tenant administrator, you may be contacted by the Computing Representative or EWC support to discuss any matters relevant to your tenancy. At the same time, you should make sure all the users in the tenancy are kept informed about relevant news, important updates, and events that may be of their interest. It is also very important to make sure their contact details are up to date.

User management

  1. Review active users and their permissions
    You must ensure that only those users that require access to the tenancy have an active account, and review periodically their level of access and permissions. Any users that leave the project or organisation, or who do not require access any longer, should be disabled or deleted. This way you help keep your tenancy secure. That applies both to the access to the EWC portals to manage the infrastructure and resources, as well as to the resources such as Virtual Machines.

  2. Identity provider integration
    You may choose to integrate your own organisation identity provider into the Morpheus portal to simplify the management of the tenancy users. If so, you 

  3. User provision in the virtual resources
    You may choose the best strategy for your use case when it comes to user account manatement in the virtual Machines of the tenancy. Morpheus Linux Users or Local users in VMs and LDAP users serve specific purposes and require different account creation methods. Local users are local to the VMs and they do not exists in the other VMs. If you need to add others users, they need to be created manually using linux commands. LDAP users instead realy on a central user management VM that creates LDAP users in all VMs in your tenancy, therefore this type of users exists in all VMs and can access all of them by default (RBAC and policies can be added in order to reduce access or privilegies on certain machines)

Computing Representatives

Tenancy division models

Typically there are two models to handle division of resources:


Description
one tenancy for the whole Member State

Member State will have one tenancy for all users/projects.

Tenant admins need to handle the division of resources and access inside the tenancy using user management tools.

specific tenancies for each use case

Different tenancies for different users/projects.

Users have to identify the number of resources required. Comp.repr needs approve different projects/resources.

Note: The model selected can be modified under request.

Resource management

  1. Assign the appropriate budget to new tenancies
    When a new tenancy is created, it is important to estimate the amount of resources they may require and allocate the appropriate budget for them. It is a good idea to make sure 
  2. Keep eye on budget vs. consumption of the different tenancies
    Regularly look at your EWC Accounting Dashboard to ensure all tenancies are spending their allowance at the right speed. Resource allowance is per year and is not a hard limit, so it's fine to spend more one month and less the next month. 
  3. Review distribution of your national resource budget
    Resource needs may vary throughout a year, if new tenancies are created or certain projects are discontinued or have a sudden change of resource requirements. You may need to amend how your national budget is distributed amongst your tenancies throughout the year. Get in touch with EWC support to make any changes.
  4. Periodically review active tenancies
    Review existing tenancies and request their decommissioning if they are no longer in use or required.

Communications

The Computing Representative is the primary point of contact from EWC support for the Member or Cooperating state. As Computing Representative, you will keep your communication channels open between EWC support and the different tenant administrators. At the same time, you should make sure all users within your country are kept informed about relevant news, important updates, and events that may be of their interest. It is also very important to make sure every tenancy has got an active tenancy administrator and their contact details are up to date.