The OpenStack project is a libre software cloud computing platform for private and public clouds, which aims to be simple to implement, massively scalable, and feature rich. OpenStack provides an Infrastructure as a Service (IaaS) solution through a set of interrelated services. Each service offers an application programming interface (API) that facilitates this integration.
Users getting started with OpenStack can find useful this and related posts, where different ways of how to launch and instance on OpenStack are given. First method proposed is the simplest one: using OpenStack Dashboard (Horizon), a step-by-step procedure that could be useful for new OpenStack users.
The procedure followed is quite general, but it is appropriate to note specific parameters used:
- OpenStack Grizzly (2013.1) deployed on Debian Wheezy with gplhost repositories, but there should be no major differences with others ditros or later OpenStack releases.
- OpenStack Quantum with OpenvSwitch plugin in a “Per tenant routers with private networks” setup:
- Router has IP 10.0.0.1, which is the default gateway for all instances. The router has ability to access public networks.
- Floating IP network 172.22.196.0/22
- When an instance is launched a fixed IP from 10.0.0.0/24 subnet is assigned.
- username: bisharron
- tenant name: proy-bisharron
The starting point is illustrated in following figure, where the router connected to external and internal networks is represented:
The first step is obviously log into OpenStack, so open a browser and type the OpenStack dashboard url, you’ll see something similar to next figure:
Create ssh keypair
For security reasons, images used in OpenStack do not usually contain a password defined for any user, only publickey ssh is generally allowed. When an instance is spawned, the ssh public key is injected into it and only the holder of the corresponding private key is able to access to the instance.
In order to create a ssh keypair click on “keypairs” tab (Access & Security):
There are two options: Create a keypair or import it.
- Create a keypair: If this option is selected a RSA key pair is generated. Public key is stored into OpenStack and Private key is downloaded.
- Import Keypair: If this option is selected a RSA public key must be uploaded
We select the first option:
The private key is downloaded:
Private key must be readable only by owner and usually these keys are stored in ~/.ssh directory:
$ mv ~/Downloads/openstack-bisharron.pem ~/.ssh $ chmod 600 ~/.ssh/openstack-bisharron.pem
Allocate Floating IP to project
Floating IPs (elastic IPs in Amazon terminology) allow instances to talk to an external host or access to the instances from an external network. A floating IP can be allocated to a project before or after launching an instance, we’ll do it before.
Click on “Floating IPs” tab (Access & Security):
Floating IP pools and project quotas are shown. In this case, project has 10 floating IPs available, so it is possible to allocate a new one.
Floating IP 172.22.196.59 is now allocated to project, but it is not yet associated with any instance.
Launch an instance
Click on “Images & Snapshots” and launch a required instance from the list of images available (in this case we’ll use Debian wheezy image).
Provide an instance name and select a flavor in “Details” tab:
Click on “Access & security” tab and select the right keypair:
Click on “Networking” tab and select desired network from available networks. Volume options and post-Creation can be ignored in this simple test, so click on launch bottom:
After a few seconds the instance is active and a fixed IP 10.0.0.2 has been assigned to it. Clicking on “More” button shows several options, click on “Associate Floating IP”:
Floting IP 172.22.196.59 is now associated to port with IP 10.0.0.2:
It is possible to see instance virtual console, but it is not possible to log in because user password is not set.
Security Group rules
Instance is launched and floating IP associated so it should be possible to access via ssh, but this is not yet possible due to default firewall behavior. Incoming connections must be explicitly allowed as rules in a security group.
Click on Security groups tab in “Access & security” and click on “Edit Rules” button:
Add a rule to allow incoming ssh connections (22/tcp):
Add a rule to allow all incoming icmp connections:
Two rules are now defined:
Access to the launched instance
Now we can ping to the instance:
$ ping 172.22.196.59 PING 172.22.196.59 (172.22.196.59) 56(84) bytes of data. 64 bytes from 172.22.196.59: icmp_req=1 ttl=62 time=621 ms 64 bytes from 172.22.196.59: icmp_req=2 ttl=62 time=136 ms 64 bytes from 172.22.196.59: icmp_req=3 ttl=62 time=143 ms ^C --- 172.22.196.59 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2001ms rtt min/avg/max/mdev = 136.858/300.532/621.666/227.090 ms
And use the ssh command to make a secure connection to the instance (specifying the private key to use):
$ ssh -i ~/.ssh/openstack-bisharron.pem email@example.com The authenticity of host '172.22.196.59 (172.22.196.59)' can't be established. ECDSA key fingerprint is 2f:23:72:6f:13:b8:f0:00:9a:fb:90:64:da:3f:58:9d. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '172.22.196.59' (ECDSA) to the list of known hosts. Linux debian.example.com 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. debian@debian-test:~$
Clicking on “Network topology” we can see a nice representation of the project elements (routers, networks and servers):
That concludes this post, so enjoy your OpenStack expirence!