Oracle Cloud - First Encounter

The Oracle in many fictional stories and mythology has been a being of ultimate foresight. That is not quite what this blog entry is about.

Oracle, the company, has been a major player in the Enterprise IT space for as long as I personally can remember. However, within the last 10 years, they've somehow lost that foresight and let the likes of Amazon, Google, and Microsoft create a massive global market that is today's cloud computing platforms. During this time, Oracle focused on bringing more hardware to the Enterprise through its acquisition of Sun Microsystems among other ventures.

Of course, Oracle was not going to just sit around forever. They've realized the need to move forward and have now been running the second iteration of their Oracle Cloud for the past couple of years. September 16, 2019 marked the date that Oracle started offering an Always-Free tier as well as credits for 30 days to explore additional paid cloud products. This is great news and is a welcome move by the company to draw more attention to an otherwise overlooked cloud player.

What Oracle is offering:

  • Two compute instances (1/8th OCPU, 1GB)
  • 100GB block storage in two block volumes with 5 free backups
  • 2 Autonomous Databases (Autonomous Data Warehouse or Autonomous Transaction Processing), each with 1 OCPU and 20 GB storage
  • 10 GB Object Storage, 10 GB Archive Storage, and 50,000/month API requests
  • 1 Load Balancer, 10 Mbps bandwidth
  • 10 TB/month Outbound Data Transfer
  • 500 million ingestion Datapoints and 1 billion Datapoints for Monitoring Service
  • 1 million Notification delivery options per month and 1000 emails per month
  • $300USD credit to spend on other paid services within 30 days

Okay, great. But what does this all mean?

OCPU

An OCPU, as defined by Oracle Cloud, is one full core with two threads. Other cloud providers advertise vCPUs, each of which is a single thread. This means that 1/8th OCPU is likely a guarantee of up to 1/2 of one thread's resources. What we actually see in the free VMs when they're spun up is two AMD EPYC CPU threads. It means that with two compute instances provided, they're offering the equivalent of one full thread for free. This is great!

Autonomous Database

This is Oracle DB, with some magic to automatically scale and tune based on the application's usage. I question the practicality of this since Oracle DB is not something that's considered cheap. Oracle has been pushing its customers to move away from Oracle DB Standard Edition by first limiting the number of nodes in HA deployments to two, then reducing the threads of any deployment, single node or HA, to 16, and finally, at the end of support for version 18c, they will no longer support HA deployments altogether. This means the only reliable method of running Oracle DB beyond Aug 2023 is via Enterprise Edition. Not to mention, if anyone was starting a new project today, it's very unlikely to be running Oracle. However, this does provide a good proof of concept for companies that still run Oracle DBs in their infrastructure and cannot afford to rewrite their code to move to another database.

Other Stuff

The rest of the free tier services are fairly self-explanatory. Of note here are the combined 2GB of memory and the single load balancer instance. In the case of Google Cloud Platform, only 600MB is made available and a load balancer is not provided free of charge.


So how well does it work?

This is a bit of a tough one to answer. I know what they are trying to do here: provide a free-to-use program to increase the user base, which could then lead to paying customers. With AMD EPYC processors having 32 and 64 cores and thus 64 and 128 threads per processor, there is a lot of headroom to provide a compelling free tier. Add in the fact that GCP will soon be charging for all IP addresses, which essentially kills off the free compute instance, and it means Oracle is now truly the only cloud provider with an always free tier that provides compute services. (Update: Google has since changed the language and clarified that the free tier compute instance on GCP will not be charged for its IP.)

For my initial personal usage, I decided to migrate my Ubiquiti Unifi controller from GCP to Oracle Cloud. I also decided to run Ubiquiti UNMS since there is now the capacity to do so under this free tier program.

What worked well?

  • Instances running were fast
  • Fewer settings in deploying an instance meant less documentation to read
  • Unifi controller now runs much faster thanks to 1GB memory vs 600MB
  • Instance deployment time is reasonable

What didn't go so well?

There were a number of issues running on this platform so let's go through them in detail so you don't have to go through this.

Login

Login in Oracle Cloud for each customer is geared towards an organization. So there is a login "account name", separate from the login username. If you had a company called Xyz Ltd., you might give it a name of xyzltd, assuming someone hasn't already used it. This gives you a unique login URL that has this string attached...er...sometimes. You cannot bookmark the login URL because it has a randomly generated string each session, so you must log in from the main page. NO! It's not at oraclecloud.com because that redirects to oracle.com and the login there is for non-Oracle cloud customers. You need to go to cloud.oracle.com and enter your account name; then you are presented with your login page where you can enter your username and password.

If you've used a login URL that you've bookmarked (say you use a password manager), you'll find that you're greeted sometimes with a login error and other times with a valid login to the console, only to find that none of the regions beyond your home region are available and there's no way to create any resources.

Login using bookmarked URL.

You'll need to log out, then log in again using the newly presented login page, which looks completely different. After that, you can finally get access to your full account.

Logout?

Just discovered today that I simply cannot log out of my session. I would log out, then go back to the login page, only to be presented with an active session. This seems like a possible security risk, as in it points to potential session hijacking possibilities.

Host out of resources

There are entire threads online about not being able to spin up free tier instances due to maxed-out resources, going back to the first day after the program launch. My guess is Oracle underestimated the demand for a free tier program. At the same time, it's also good news. It means they've created a very compelling free tier program.

At one point however, I wasn't able to spin up any resources in my home region.

Firewall

Upon successfully creating my instances almost a week after initial free tier announcement, I was met with a challenge. How do I expose my TCP and UDP ports to the Internet?

I could not find the functionality under the networking or security sections of the console. There was also no useful information about firewalls in the documentation. After reading the documentation further, focusing on networking, I was able to find "Security Lists" and "Network Security Groups". Security Lists apply to all resources and subnets within each virtual cloud network (VCN), while network security groups (NSGs) apply only to the resources, such as virtual NICs, that you assign them to. To find these, you must go into Networking, then go into each VCN.

Documentation

In my opinion, other cloud providers have much better documentation with well organized instructions, examples, and tutorials. Just look at this screenshot of the Network Security Group documentation at https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/networksecuritygroups.htm.

How to create NSGs, with no information on how to actually create it.

You wouldn't know where to begin until you realize that at the bottom of every documentation page, there are the sections "Using the Console" and "Using the API", in which, luckily, you'd find the following:

Scroll to the bottom to find actual instructions! The top sections just tell you what each function is.

iptables

After you've set up your rules in either Security Lists or NSGs, you'll find that inbound traffic from the Internet still will not be allowed into the compute instance. I'm using the Ubuntu 18.04 Minimal image. By default, Oracle has decided to add some iptables rules which I think look like they allow all traffic even though NTP and SSH are also specified. Installing UFW in Ubuntu to manage the firewall did nothing to help the situation as it did not affect these default rules. After clearing them, I was finally able to make inbound connections from the Internet.

This is odd because why are there separate iptables rules created inside the compute instance when an external firewall exists and blocks traffic by default? Maybe to keep out other instances on the same subnet? As it turns out, ACCEPT all from anywhere to anywhere was only applied to the 'lo' interface. So one would need to modify the iptables rules directly, or clear them and then manage the firewall with another tool such as UFW, if that level of protection within the subnet is desired.

This, again, was not made known in the documentation and thus would require some knowledge of iptables to troubleshoot. It's just fairly non-intuitive for new users since there are two firewalls to open up and neither is documented very well.
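To make the first-match behaviour concrete, here is an added example (not code from the original post or from Oracle): it evaluates a constructed ruleset modelled on the description above and shows that a port only opens when its ACCEPT rule sits ahead of the final REJECT. The interface name ens3 and port 8443 are assumptions for illustration, and the ruleset is not a capture from an Oracle image.

```python
import shlex

# Constructed `iptables -S INPUT` output modelled on the post's description
# (loopback-only ACCEPT, NTP, SSH, final REJECT); not captured from an Oracle image.
SAMPLE = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
NEW_RULE = "-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT"  # 8443 is an assumed example port
FLAGS = {"-i": "iface", "-p": "proto", "--dport": "dport",
         "--sport": "sport", "--state": "state", "-j": "target"}

def parse_rule(line):
    """Extract the match options this sketch models from one '-A INPUT' line."""
    tokens = shlex.split(line)
    if "!" in tokens:
        raise ValueError("negated matches are not modelled: " + line)
    return {FLAGS[t]: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in FLAGS}

def verdict(rules_text, iface, proto, dport):
    """First-match verdict for a NEW inbound packet from an ephemeral source port."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        if line.startswith("-P INPUT"):
            policy = line.split()[2]
        if not line.startswith("-A INPUT"):
            continue
        r = parse_rule(line)
        if ("sport" in r  # fixed source port, so not a new client connection
                or r.get("iface", iface) != iface
                or r.get("proto", proto) != proto
                or "NEW" not in r.get("state", "NEW").split(",")
                or r.get("dport", str(dport)) != str(dport)):  # single ports only
            continue
        if r.get("target") in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
    return policy

def insert_before_reject(rules_text, new_rule):
    """Place new_rule ahead of the first catch-all REJECT/DROP, as `iptables -I` can."""
    lines = rules_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("-A INPUT -j ") and line.split()[3] in ("REJECT", "DROP"):
            return "\n".join(lines[:i] + [new_rule] + lines[i:]) + "\n"
    return rules_text + new_rule + "\n"
```

With this ruleset, `verdict(SAMPLE, "ens3", "tcp", 8443)` returns REJECT while the same call with `"lo"` returns ACCEPT, which is why a listing without interface names can look like it allows everything. Appending `NEW_RULE` to the end changes nothing, whereas `insert_before_reject(SAMPLE, NEW_RULE)` makes the same query return ACCEPT.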

Other minor items

It's not possible to create smaller than 50GB boot disks with compute instances (or at least that's what it said and I didn't try to use smaller boot disks). So if I only need 10GB for a Unifi controller and decided I wanted to run say Nextcloud on the other 90GB of free block storage, I'm not allowed to. In a way this also doesn't make sense because why do I need a minimum of 50GB for a Linux distro anyway?

Deselecting Oracle's instance agent that can provide statistics on system resources does not remove the default installed Oracle Cloud Agent software on your instance. If you're running a fairly lightweight instance such as the 1GB memory instance in free tier, you may want to manually remove it as it does take up 100MB memory. To do so in Ubuntu 18.04, issue the following command.

snap remove oracle-cloud-agent

Conclusion

The second generation of Oracle Cloud has come a long way from when I first used it. There are still a number of minor bugs and there is still a lot of work needed to make the platform easier to use including improvements on documentation. There is a lot of simplicity in the platform right now but this is also due to lack of features and services that compete with other cloud providers. I think there's potential and Oracle is showing the world it's committed to a wider audience by offering a free tier.

For now, the free tier has given me some insight on the platform which means an exploration into using it for database workloads at my day job will be an easier process.

If someone at Oracle is reading this, I'm hoping they take this as constructive criticism to help improve the platform. I do welcome more competition.