>**TODO** user is admin of virtual machines... etc.
## SSH keys
## Pre-runtime measures
### Endorsed images
* endorsements for virtual machine images implemented
  * directly, as cryptographically signed hashes
  * indirectly, based on verbal agreements
* only virtual machine instances based on endorsed images are allowed to have public IP addresses
* modified and subsequently saved images are no longer considered to be endorsed by the original endorser

### Trusted users
* trusted users defined as users with high-level identity verification or explicit endorsement from other trusted users or site managers
* only trusted users have access to pools of public IP addresses
### Restricted remote access to running virtual machines
* only the following combinations of access methods and authentication methods are allowed
  * SSH with public key authentication
  * SSH with GSS API authentication
  * Encrypted RDP/VNC
* password-based remote authentication methods are not allowed (e.g. SSH with a plain password)
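
One way an automated compliance test could check the remote-access rule above, as an added example that is not part of the original policy or the platform's own tooling: it parses `sshd_config` text and reports password-based methods that remain enabled. The function name, the sample configurations and the choice to treat keyboard-interactive as password-based are assumptions.

```python
# Added example: audit sshd_config text against the remote-access rule.
# Assumes OpenSSH semantics (first value wins); Include files are not followed.
DEFAULTS = {  # OpenSSH built-in defaults for the relevant keywords
    "passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes", "gssapiauthentication": "no",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# keyboard-interactive is treated as password-based (conservative assumption)
PASSWORD_BASED = ("passwordauthentication", "kbdinteractiveauthentication")

def audit_sshd_config(text):
    """Return a list of violations; an empty list means compliant."""
    effective, seen, violations, in_match = dict(DEFAULTS), set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.replace("=", " ", 1).split()
        key = ALIASES.get(tokens[0].lower(), tokens[0].lower())
        value = tokens[1].lower() if len(tokens) > 1 else ""
        if key == "match":
            in_match = True  # everything below applies conditionally
        elif key not in DEFAULTS:
            continue
        elif in_match:
            # any conditional re-enabling of passwords is a violation
            if key in PASSWORD_BASED and value == "yes":
                violations.append(f"Match block enables {key}")
        elif key not in seen:  # first occurrence of a keyword wins
            seen.add(key)
            effective[key] = value
    violations += [f"{k} is enabled" for k in PASSWORD_BASED if effective[k] == "yes"]
    if "yes" not in (effective["pubkeyauthentication"], effective["gssapiauthentication"]):
        violations.append("neither public key nor GSSAPI authentication is enabled")
    return violations

# Constructed sample configurations (not taken from a real host).
COMPLIANT = "PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
NONCOMPLIANT = """\
ChallengeResponseAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, audit_sshd_config(cfg) or "OK")
```

On a live instance, the output of `sshd -T` (the effective configuration) can be passed to the same function instead of the raw file.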
### Automated pre-runtime compliance testing
* all virtual machine images and virtual machine instances based on said images must be tested for explicit compliance with the defined security profile (Cloud_Security_Policy#Security_Profile)
* only compliant images and virtual machine instances based on said images can
  * be published (made available to other users)
  * be assigned public IP addresses
  * be launched outside isolated private networks
## Runtime measures
### Networking isolation for L2
* a running virtual machine instance will be isolated in a VLAN if
  * the image the instance is based on is not endorsed by a trusted user
  * it does not belong to a trusted user
  * it is running OS Windows
  * its owner chooses to isolate it
### Networking isolation for L3
* a running virtual machine instance will be isolated using a firewall if
  * it has a public IP address
  * its owner chooses to isolate it in a private network
### IP logging
* every IP address given to a virtual machine instance will be tied to its owner for the duration of its lifetime (i.e. until shutdown)
* the owner of the virtual machine instance is responsible for any illegal activity during its lifetime
### Anti-spoofing rules for networking
* network addresses assigned to a virtual machine instance by the cloud platform are mandatory and cannot be changed by the owner at runtime
* anti-spoofing rules are enforced by the hypervisor or local network infrastructure
* an attempt to change the assigned network addresses will immediately cut off the virtual machine instance from any subsequent network communication
### Automated runtime compliance testing
* all running virtual machine instances are periodically tested for compliance with the defined security profile (Cloud_Security_Policy#Security_Profile)
* repeated or long-running non-compliance will result in an immediate forced shutdown of the given instance
### Automated configuration changes in virtual machines
* all virtual machine images must support contextualization to the following extent
  * boot-time injection of a public key for the root user (where applicable)
  * boot-time change of the RDP/VNC credentials (where applicable)

## Post-runtime measures
### Extraction of virtual machine logs
* at the end of its lifetime (i.e. after shutdown), the contents of /var/log from the root file system of every virtual machine instance will be archived

### Extraction of timestamps
* at the end of its lifetime (i.e. after shutdown), timestamps from the root file system of every virtual machine instance will be archived

## Security Profile
TBD
## Incident Response
* whenever possible, follow general procedures stipulated by CESNET and EGI

The first thing you need to do is sign up at MetaCenter and create an account. Use this [link](https://perun.metacentrum.cz/fed/registrar/?vo=meta&group=metacloud).
## I have an issue with OpenStack. Where do I report it?
First try to search the guide and see if you can find an answer to your problem in there. If all else fails, you can open a ticket with user support. To do so, click on your project name in the upper right corner and hit "Help".
You will be redirected to your e-mail client and you can send your request to [helpdesk@ics.muni.cz](mailto:helpdesk@ics.muni.cz).
-TODO consult on the usual use cases- Here is a list of typical use cases our support team can help you with:
* Your VM is crashing / stuck in a boot loop / cannot spin up / ...
* You cannot log on to your VM.
* You need to reassign your project to another user as an owner.
The service is provided for free to Masaryk University employees and workgroups. The service includes creation of a virtual server on the OpenStack platform. The service does NOT include installation and management of an operating system or server applications. If your skills are limited, you may contact the service desk, which will help you find a qualified administrator for your endeavour.
Membership in MetaCentre is allowed without any restrictions only to persons from the academic environment of the Czech Republic with research objectives. In the case of interest from a commercial company (i.e. its research part), it is necessary to discuss your interest and its possible fulfillment. As a MetaCentre user you are allowed to use currently available computational resources for your research aims and projects. As a MetaCentre employee, your membership brings you access to resources, information and materials necessary for your work.
By submitting an application you also accept the following rules, which have to be checked in the MetaCentrum end user statement before application submission. Using MetaVO is free of charge, but these rules are obligatory and they should be observed, as their violation can lead to termination of your MetaCentre membership.
[MetaCentrum end user statement](https://www.metacentrum.cz/en/about/rules/index.html)
[Terms and conditions for the access to the CESNET e-infrastructure](https://www.cesnet.cz/conditions/?lang=en)
At the end of each year, the system will ask you to prolong your account. You will be asked to fill out your MetaCentre usage description, description of achieved results and a list of publications for the last year.