In this page:

Additional page:


early availability:  

start of pre-production:  

start of production:   

Model: DUal-Socket Dell PowerEdge
Cloud Platform: OpenStack version Wallaby
Nodes: 71
Processors:2xCPU 8260 Intel CascadeLake (24c, 2.4Ghz)
Cores:48 cores/node, Hyperthreading x2
Internal Network: Ethernet 100GbE

System Architecture

The HPC cloud infrastructure, named ADA cloud is based on OpenStack Wallaby.


This cloud infrastructure is tightly connected both to the LUSTRE storage of 20 PB raw capacity, and to the GSS storage of 6 PB seen by all other infrastructure. This setup enables the use of all available HPC systems (Tier-0 Marconi, Tier-1 Galileo100), addressing HPC workloads in conjunction with cloud resources.

Cloud Model

From the user's perspective, ADA cloud can be seen as both a public cloud and a community cloud, with a federation of European data-centers providing features targeting specific scientific communities (i.e. the flagship Human Brain project).  ADA cloud HPC infrastructure is a resource that CINECA already adopts in several internal projects and services.  The deployment model is well represented by the picture below.    

The ADA cloud HPC infrastructure integrates and completes the HPC ecosystem, providing a tightly-integrated infrastructure that covers both high performance and high flexible computing. We expect the flexibility of the cloud to better adapt to the diversity of user workloads, while still providing high-end computing power. If the need for High-Performance Computing increases, or scale beyond the ADA cloud HPC provision, the other world-class HPC systems (MARCONI, MARCONI100, GALILEO100) can be integrated into the workflow to cover all computing needs. For example, data can be stored on areas ($DRES ) that are seen by all HPC systems.  

Service model

ADA cloud HPC infrastructure provides users an Infrastructure as a Service (IaaS). Along with all the advantages in terms of flexibility, there is an increased responsibility shifted from CINECA staff to users. A clear separation of roles in using the service is represented in the scheme below. This has to be understood by all actors accessing the service,  even if we can provide assistance and share our expertise to help you set-up your application workflow.     

There are clear benefits in using a CLOUD infrastructure with access to Virtual Machines (VMs) with respect to our traditional HPC resources.  These benefits can be summarized in the table below:

Traditional HPC resourcesVirtual Machines
PerformanceTarget the highest possibledepend on workload, but generally, virtualization has a small impact
User accessCINECA staff authorizationOnce a project is granted, it is managed by the user
Operating SystemIt is chosen by CINECA staff given the HW constraints. Security updates are managed by CINECA.Selected by the user. Security patch and updates are managed by the user.
Software stackMostly installed by CINECA staff. Users can install their own without "root" privilege. The environment  is provided "as is"The user is root on the VMs and can install all the required software stack. Users can modify the environment to suit their needs.
Snapshots of the environmentCannot be doneUser can save snapshot images of the VMs
Running simulationsUsers are provided with a job scheduler (SLURM)Users can install a job scheduler or chose alternatives. 

Flexible authentication model

A more flexible authentication method has been deployed in the CLOUD.HPC instance. It is based on OpenID (, and decouples authentication (access with credentials) from authorization (application permissions after user access), as represented in the schema below.

The Identity provider (IdP) can be internal (CINECA) or can be another trusted external service provider. This approach allows having in place federated identity, with a central (proxy) IdP servicing federated data-centers, as in the ICEI-Fenix model (     

Roles and responsibilities  

In the context cloud HPC resources provisioning, CINECA acts accordingly to the following division of roles:   


Any user (“User Admins" or “Users”) with administration privileges on IaaS resources (VMs) have the responsibility to maintain the security (security patch, fix) on those resources.  In particular, he/she has the responsibility to perform VMs and volume data backup also.

From the project management perspective, CINECA will interact only with “User Admins" (User Admins are user associated to the project in CINECA resource provisioning portal,

At the end of the project validity, the “User Admins” will receive communication from CINECA staff that the project as expired with the date by when the resources will be removed. It is “User Admins” responsibility to make copy of the necessary VMs or data before that date.


Log in to the OpenStack dashboard

Go to the OpenStack dashboard at, select "CINECA ldP" as Authentication method, then insert your HPC-CINECA credentials to log in.

After the log in, on the top-right  of the window is displayed your user name, while on the top-left. are listed in a menu all the Projects you are associated with.

Projects are organizational units in the cloud. Each user is a member of one or more projects. Within a Project, a user can create and manage instances, security groups, volumes, images, and more.

From the Project tab, you can view and manage the resources assigned in a particular project, including instances, images and volumes. Moreover you can select a period of interest  and have the usage summary.

You can select one of the project you are associated with the menu on the top-left side of the window.

Log in to the virtual machine

After you have created your virtual machine ( see the following section) you can log in directly using:

 - the default user and key ( if you have used a native default image for cloud)

 - another username (if you have used your personal image with a custom user defined in it)

Suppose you have used the default Ubuntu cloud image, you can login as:

$ ssh -i MyKey.pem ubuntu@<floating IP address> 

Creation of an instance of the virtual machine in your Project

In order to create your own virtual machine you have to perform all the following eight steps

  1. Log in to the dashboard as described in the Access section.

  2. Check and configure the Internal Network in the Project

    In order to build and use virtual machine within a specific Project, it is mandatory the presence of the internal network, subnet and router.

    Select the Project of interest and check the presence of such components click on tab Project → Network → Network Topology.

    If it is present only the "external network", you must create network, subnet and router.  Please, follow the instruction below: 

    Click on: Project -> Network -> Network Topology -> Create Network.  

    Then set:

    Network name: <the name you want>

    Enable Admin State: check

    Create Subnet: check

    Availability Zone Hints: set "nova"

    MTU:set it blank. The default is 1450

    Subnet name: <the name you want> 

    Network Address (eg.

    IP Version (IPv4)

    Gateway IP (eg, the last address for subnet

    Disable Gateway: disabled, uncheck

    Enable DHCP: enabled, check

    Allocation Pools: leave blank

    Host Routers: leave blank

    Finally, click on "create"

    Click on: Project -> Network -> Routers -> Create Router.

    Then set:

    Router name: <the name you want>

    Enable Admin State: check

    External Network: select "externalNetwork"

    Availability Zone Hints: leave "nova"

    Finally, click on "create router".

    Now, select the router just created and click on "Interfaces" and then on "Add interface"

    subnet: select the subnet just created

    IP address (write THE SAME IP ADDRESS of the gateway, in this example, it is

    Finally, click on "Submit".

    Verify that the Status of router is “ACTIVE” and the Admin state is “UP”.

  3. Set up a keypairs

    Keypairs are used to access virtual machines when:

    1. the instance is launched using a default image for cloud (e.g. centos or ubuntu)
    2. in the virtual machine is set a login with ssh -key

    You can set up a keypair in two ways. From "Project →  Compute →  Key Pairs" menu, you can:

    Remember to modify the permission of the key file to 600 in order to avoid errors when you use it to login to your virtual machine.

  4. Set the security rules, that will be the firewall of your virtual machine

    The firewall of the virtual machine must be defined using the OpenStack Security Groups and Security Rules.

    Inside the virtual machine, the firewall must be disabled.

    A security rule defines which traffic is allowed to instances assigned to the security group.

    A security group is a group of security rules that can be assigned to an instance.

    The security groups and security rules can be created click on "Project →  Network → Security Groups ".

    Common default rules are: 

    Note: It is always possible to modify, add and remove security groups in a virtual machine after its creation.

  5. Launch an instance of Linux virtual machine

    Once your key pair and your security group are defined, proceed building the virtual machine.

  6. Follow the boot process

    The boot process can be followed on the instances screen. Once the VM is in state ACTIVE, you will be able to open the console and follow the boot process. 

    To follow the installation, you can access the graphical console using the browser once the VM is in BUILD state.

    The console is accessed by selecting the "Instance Details" for the machine and then click on the tab "Console".

  7. Associate a Floating IP (FIP) to the virtual machine

    Where floating IPs are configured in a deployment, each project will have a limited number of floating IPs controlled by a quota. However these need to be allocated to the project from the central pool prior to their use.

    To allocate a floating IP to a project, click on "Project → Network → Floating IPs", then click on the button "Allocate IP to project" on the right side of the dashboard page. Once allocated, a floating IP can be associated with running istances. Just click on "Associate" action on the right of the page. In the popup, select your virtual machine by the menu in "Port to be associated".
    The inverse action, Dissociate Floating IP, is available from the "Instances" page.

  8. Login to the virtual machine using ssh

    After the association of a Floating IP to your virtual machine, you can login using the default user and key ( if you have used a native default image for cloud), or using another username (if you have used your personal image with a custom user defined in it). Suppose you have used the default ubuntu cloud image, you can login as:

    $ ssh -i MyKey.pem ubuntu@<floating IP address> 

Quotas, Flavors and Images


Each project is assigned a quota that defines the resources it can use.

When resource consuming operations such as virtual machine creation are performed, the request is validated against the maximum quota permitted for the current project (as set by the environment variables or Horizon dashboard).

The default project quota is:

Volume Storage10
Volume Snapshots10
RAM (GB)30
Volume Storage (GB)512
Floating IPs1
Security Groups10
Security Group Rules20


flavor defines the virtual machine size such as

A standard set of flavors allows predictable distribution of applications across multiple hypervisors.

Flavour NameVCPUsRAM GBDisk GBPublic-available for all projects




OpenStack images provide the source for booting a virtual machine. An image consists of an operating system, some optional additional packages and some flags to help OpenStack place these on the right hypervisor.

For more detailed information about OpenStack's image management, the OpenStack image creation documentation provides further references and links.

The complete list of provided images is available by click on the tab "Images" and then on "Public" tab on the right in the Openstack Dashbord. 

In what follow there is the list of the default images provided for all projects.

IMPORTANT NOTE: It is not admitted building Windows virtual machine on ADA cloud, even if the user has its own windows licence.

Image NameImage informationDefault userPassword

CentOS-7-x86_64-GenericCloud-2009.qcow2, last modified 2020-11-12


centosssh access by key

CentOS-8-GenericCloud-8.4.2105-20210603.0.x86_64, last modified 2021-06-03


centosssh access by key
Ubuntu 18.04 LTS (Bionic Beaver)

Ubuntu server 18.04 (Bionic Beaver) LTS for cloud


ubuntussh access by key
Ubuntu Server 20.04 LTS (Focal Fossa)

focal-server-cloudimg-amd64.img, last modified 2021-07-20


ubuntussh access by key
Ubuntu Server 21.04 (Hirsute Hippo)

hirsute-server-cloudimg-amd64.img, last modified 2021-07-20


ubuntussh access by key

Operations with an instance

Create an instance snapshot

  1. Log in to the virtual machine and shutdown the instance
  2. Log in to the dashboard, choose the right project, and click Instances.
  3. Check that the instance to snapshot is Shutoff
  4. Select such instance
  5. In the Actions column, click Create Snapshot.
  6. In the Create Snapshot dialog box, enter a name for the snapshot, and click Create Snapshot.The Images category shows the instance snapshot.

To launch an instance from the snapshot, select the snapshot and click Launch. Proceed with launching an instance.

Manage an instance

  1. Log in to the virtual machine and shutdown the instance
  2. Log in to the dashboard, choose the right project, and click Instances.

  3. Select an instance.

  4. In the More list in the Actions column, select the state.

    You can resize or rebuild an instance. You can also choose to view the instance console log, edit instance or the security groups. Depending on the current state of the instance, you can pause, resume, suspend, soft or hard reboot, or terminate it.

Track usage for instances

You can track usage for instances for each project. You can track costs per month by showing metrics like number of vCPUs, disks, RAM, and uptime for all your instances.

  1. Log in to the dashboard, choose a project, and click Overview.

  2. To query the instance usage for a month, select a month and click Submit.

  3. To download a summary, click Download CSV Summary.

Monitor instances

You can monitor the high-level actions (creation, start, stop) on the instances for each project via offered logs in the dashboard.

  1. Log in to the dashboard, choose a project, and click Instances.
  2. To monitor the logs of the instance usage for a month, select the instance of your interest.
  3. Go to the Action log

More detailed monitoring logs can be set-up by you within the specific instance.

Cinder Volumes

Volumes are block storage devices that you attach to instances to enable persistent storage.

After the creation, you must attach the volume to a running instance and then mount it from inside the virtual machine. A volume can be also detached from an instance, and attached to another instance at any time. It is also possible to create a snapshot from a volume and/ or delete it.

Operations with Cinder Volumes

  1. Creation of a Cinder Volume

    a) Log in to the dashboard, choose a project, and click on "Projects → Volumes → Volumes".

    b) Click on "Create Volume" button:

    In the dialog box that opens, enter or select the following values.

    Volume Name: Specify a name for the volume.

    Description: Optionally, provide a brief description for the volume.

    Volume Source: Select one of the following options:


Size (GiB): The size of the volume in gibibytes (GiB).

c) Finally, click on Create Volume button.

The dashboard shows the volume on the Volumes tab.

After a cinder volume has been created and attached to a virtual machine using the OpenStack, in order to use for storing data its needed to partition, format and mount it. This operations has to be done inside the virtual machine.

Following, some suggestion to perform these operations

Partition Table

Suppose that the volume is attached to the virtual machine as device /dev/vdc.

Login in to the virtual machine and use fdisk to modify the partition table. 

sudo fdisk -l  

sudo fdisk /dev/vdc

# 1 new partition, primary, with default  sector numbers and type "Linux"

 ==> n; p; 1 ; ...default ;

# check and write

 ==> p; w

Format the device /dev/vdc just partitioned as xfs: 

sudo mkfs -t xfs /dev/vdc1

Mount the volume: 

sudo mkdir /mnt/stuff_1

sudo mount /dev/vdc1 /mnt/stuff_1

To mount the volume automatically at each boot of the virtual machine, please modify the /etc/fstab file. 

Following the example, in the /etc/fstab could be written:

/dev/vdc1 /mnt/stuff_1 xfs auto,nofail,defaults 0 0

4. Detach a volume from an instance

    1. Log into the virtual machine and  umount the volume. 

      Take care: if you had written the automatic mount of the volume in the file /etc/fstab, please comment or cancel the line in the file.

    2. Log in to the dashboard, choose a project, and click Volumes.
    3. Select the volume and click Edit Attachments.
    4. Click Detach Volume and confirm your changes.

A message indicates whether the action was successful.

5. Create a snapshot from a volume

    1. Log in to the dashboard, choose a project, and click Volumes.

    2. Select a volume from which to create a snapshot.

    3. From the More list, select Create Snapshot.

    4. In the dialog box that opens, enter a snapshot name and a brief description.

    5. Confirm your changes.

The dashboard shows the new volume snapshot in Volume Snapshots tab.

6. Delete a volume

When you delete an instance, the data in its attached volumes is not destroyed.

    1. Log in to the dashboard, choose a project, and click Volumes.

    2. Select the check boxes for the volumes that you want to delete.

    3. Click Delete Volumes and confirm your choice. A message indicates whether the action was successful.

Sharing a filesystem among virtual machines: the Manila service

An user can create volumes ("shares") that are shared among virtual machines. This is provided by the Manila service inside Openstack.
Instruction to be followed to create this storage can be found in this dedicated page.

Storing of sensitive data

Sensitive data can be stored on special encrypted Cinder Volume of type LUKS.  

By using the Openstack dashboard, every user can create such volumes and then attach them to a virtual machine.  Due to a limitation of the crypto library, the maximum size of each volume is 15 TB.

The user can access the data stored in such LUKS volumes by login into the corresponding virtual machine. Only the users with authorisation to login into the virtual machine will access the data "in clear", even if it is encrypted by key.  

The keys used by the Openstack volume encryption feature are managed by Barbican, the official OpenStack Key Manager service. Barbican provides secure storage, provisioning and management of secret data. This includes keying material such as Symmetric Keys, Asymmetric Keys, Certificates and raw binary data.