How to launch an instance on OpenStack (I): Horizon

The OpenStack project is a libre software cloud computing platform for private and public clouds, which aims to be simple to implement, massively scalable, and feature rich. OpenStack provides an Infrastructure as a Service (IaaS) solution through a set of interrelated services. Each service offers an application programming interface (API) that facilitates this integration.

Users getting started with OpenStack can find useful this and related posts, where different ways of how to launch and instance on OpenStack are given. First method proposed is the simplest one: using OpenStack Dashboard (Horizon), a step-by-step procedure that could be useful for new OpenStack users.


The procedure followed is quite general, but it is appropriate to note specific parameters used:

  • OpenStack Grizzly (2013.1) deployed on Debian Wheezy with gplhost repositories, but there should be no major differences with others ditros or later OpenStack releases.
  • OpenStack Quantum with OpenvSwitch plugin in a «Per tenant routers with private networks» setup:
    • Router has IP, which is the default gateway for all instances. The router has ability to access public networks.
    • Floating IP network
    • When an instance is launched a fixed IP from subnet is assigned.
  • username: bisharron
  • tenant name: proy-bisharron

The starting point is illustrated in following figure, where the router connected to external and internal networks is represented:

initial network

Log In

The first step is obviously log into OpenStack, so open a browser and type the OpenStack dashboard url, you’ll see something similar to next figure:


Create ssh keypair

For security reasons, images used in OpenStack do not usually contain a password defined for any user, only publickey ssh is generally allowed. When an instance is spawned, the ssh public key is injected into it and only the holder of the corresponding private key is able to access to the instance.

In order to create a ssh keypair click on «keypairs» tab (Access & Security):

click on keypair

There are two options: Create a keypair or import it.

    • Create a keypair: If this option is selected a RSA key pair is generated. Public key is stored into OpenStack and Private key is downloaded.
    • Import Keypair: If this option is selected a RSA public key must be uploaded

We select the first option:

creating keypair

The private key is downloaded:


Private key must be readable only by owner and usually these keys are stored in ~/.ssh directory:

$ mv ~/Downloads/openstack-bisharron.pem ~/.ssh
$ chmod 600 ~/.ssh/openstack-bisharron.pem

Allocate Floating IP to project

Floating IPs (elastic IPs in Amazon terminology) allow instances to talk to an external host or access to the instances from an external network. A floating IP can be allocated to a project before or after launching an instance, we’ll do it before.

Click on «Floating IPs» tab (Access & Security):

allocate floating IP 1

Floating IP pools and project quotas are shown. In this case, project has 10 floating IPs available, so it is possible to allocate a new one.

allocate floating IP 2

Floating IP is now allocated to project, but it is not yet associated with any instance.

allocate floating IP 3

Launch an instance

Click on «Images & Snapshots» and launch a required instance from the list of images available (in this case we’ll use Debian wheezy image).


Provide an instance name and select a flavor in «Details» tab:


Click on «Access & security» tab and select the right keypair:


Click on «Networking» tab and select desired network from available networks. Volume options and post-Creation can be ignored in this simple test, so click on launch bottom:


After a few seconds the instance is active and a fixed IP has been assigned to it. Clicking on «More» button shows several options, click on «Associate Floating IP»:

Floting IP is now associated to port with IP


It is possible to see instance virtual console, but it is not possible to log in because user password is not set.


Security Group rules

Instance is launched and floating IP associated so it should be possible to access via ssh, but this is not yet possible due to default firewall behavior. Incoming connections must be explicitly allowed as rules in a security group.

Click on Security groups tab in «Access & security» and click on «Edit Rules» button:


Add a rule to allow incoming ssh connections (22/tcp):


Add a rule to allow all incoming icmp connections:


Two rules are now defined:


Access to the launched instance

Now we can ping to the instance:

$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_req=1 ttl=62 time=621 ms
64 bytes from icmp_req=2 ttl=62 time=136 ms
64 bytes from icmp_req=3 ttl=62 time=143 ms
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 136.858/300.532/621.666/227.090 ms

And use the ssh command to make a secure connection to the instance (specifying the private key to use):

$ ssh -i ~/.ssh/openstack-bisharron.pem debian@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is 2f:23:72:6f:13:b8:f0:00:9a:fb:90:64:da:3f:58:9d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Clicking on «Network topology» we can see a nice representation of the project elements (routers, networks and servers):


That concludes this post, so enjoy your OpenStack expirence!


Related posts

How to launch an instance on OpenStack (I): Horizon

2 comentarios en “How to launch an instance on OpenStack (I): Horizon

  1. visayafan dijo:

    Sorrry to trouble, but what is the IP of your computer? Is it necessary that the floating ip in the same LAN with your IP?

    Me gusta

    1. Hi visayafan,

      For floating IPs it’s not mandatory to use a subnet of your LAN but that’s the case in the example shown. In this case the LAN uses IPs in the range

      When the external network was specified the commands used were:

      # neutron net-create ext_net — –router:external=True
      # neutron subnet-create ext_net \
      –allocation-pool start=,end= \
      –disable-dhcp –gateway

      With allocation-pool it’s possible to define a subset of IP address in your LAN to be used as floating IPs.

      Me gusta

Deja una respuesta

Introduce tus datos o haz clic en un icono para iniciar sesión:

Logo de

Estás comentando usando tu cuenta de Salir /  Cambiar )

Imagen de Twitter

Estás comentando usando tu cuenta de Twitter. Salir /  Cambiar )

Foto de Facebook

Estás comentando usando tu cuenta de Facebook. Salir /  Cambiar )

Conectando a %s