Creating an initial network topology

Before a virtual machine can be booted, there needs to be some infrastructure in place where the machine can live. The first part of this infrastructure is a network, and a router permitting devices on this network access to the internet.

Create a network

Creating this network is done through the openstack command in two steps. First the network itself is created, with a name of your choice:

Code Block
eigilo@access:~$ openstack network create MySecondNetwork
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| admin_state_up          | UP                                   |
| availability_zone_hints |                                      |
| availability_zones      |                                      |
| created_at              | 2017-02-02T13:50:12Z                 |
| description             |                                      |
| headers                 |                                      |
| id                      | 73a1a530-dbdd-47cc-ab89-e5fa8a58aaf3 |
| ipv4_address_scope      | None                                 |
| ipv6_address_scope      | None                                 |
| mtu                     | 1500                                 |
| name                    | MySecondNetwork                      |
| project_id              | 2a4b680765554d728aa2f4d8aadab653     |
| project_id              | 2a4b680765554d728aa2f4d8aadab653     |
| revision_number         | 2                                    |
| router:external         | Internal                             |
| shared                  | False                                |
| status                  | ACTIVE                               |
| subnets                 |                                      |
| tags                    | []                                   |
| updated_at              | 2017-02-02T13:50:12Z                 |
+-------------------------+--------------------------------------+

Then a subnet is created within this network. The subnet is usually addressed using a netblock from one of the RFC 1918 private ranges:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

In this example the network "10.14.2.0/24" is used:

Code Block
eigilo@access:~$ openstack subnet create --subnet-range 10.14.2.0/24 --network MySecondNetwork MySecondSubnet-v4
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| allocation_pools  | 10.14.2.2-10.14.2.254                |
| cidr              | 10.14.2.0/24                         |
| created_at        | 2017-02-02T13:52:15Z                 |
| description       |                                      |
| dns_nameservers   |                                      |
| enable_dhcp       | True                                 |
| gateway_ip        | 10.14.2.1                            |
| headers           |                                      |
| host_routes       |                                      |
| id                | 10e400ab-bffe-4c3f-8f08-bec9d8e6a81a |
| ip_version        | 4                                    |
| ipv6_address_mode | None                                 |
| ipv6_ra_mode      | None                                 |
| name              | MySecondSubnet-v4                    |
| network_id        | 73a1a530-dbdd-47cc-ab89-e5fa8a58aaf3 |
| project_id        | 2a4b680765554d728aa2f4d8aadab653     |
| project_id        | 2a4b680765554d728aa2f4d8aadab653     |
| revision_number   | 2                                    |
| service_types     | []                                   |
| subnetpool_id     | None                                 |
| updated_at        | 2017-02-02T13:52:15Z                 |
+-------------------+--------------------------------------+

At this point the network is created, and this can be verified as follows:

Code Block
eigilo@access:~$ openstack network list
+-------------------------------+------------------+-------------------------------+
| ID                            | Name             | Subnets                       |
+-------------------------------+------------------+-------------------------------+
| 22a507fa-                     | ext-net          | 804a1172-0573-43e5-a042-93591 |
| ca51-4b57-bf84-784213917662   |                  | 4b8be7a                       |
| 73a1a530-dbdd-47cc-           | MySecondNetwork  | 10e400ab-bffe-4c3f-           |
| ab89-e5fa8a58aaf3             |                  | 8f08-bec9d8e6a81a             |
| 85cdb406-4b53-49d2-bde7-e9aff | MyInitialNetwork | c25fae1e-9654-4364-b8fa-      |
| 441e869                       |                  | b9f7c50ede61                  |
+-------------------------------+------------------+-------------------------------+

Here you can see the newly created network, in addition to the external network "ext-net" and the network created in the web-interface based guide.
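The subnet range can be sanity-checked before the two commands above are run. The following Python snippet is an added example, not part of this guide: it checks that a CIDR lies inside one of the RFC 1918 blocks listed above, reproduces the gateway and allocation pool that Neutron chose for 10.14.2.0/24 in the output above, and refuses a range that overlaps subnets you already have. The list of existing subnets is an assumed input, and the `--gateway` and `--allocation-pool` options are the openstack client's own flags for making those defaults explicit.

```python
import ipaddress

# The RFC 1918 ranges listed in the guide.
RFC1918 = [ipaddress.ip_network(b)
           for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(cidr):
    """True when the whole range sits inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)

def neutron_defaults(cidr):
    """What 'openstack subnet create' picks without --gateway/--allocation-pool:
    the first usable host becomes the gateway and the remaining hosts form the
    pool, as the output for 10.14.2.0/24 above shows."""
    hosts = list(ipaddress.ip_network(cidr, strict=True).hosts())
    return {"gateway_ip": str(hosts[0]),
            "allocation_pools": f"{hosts[1]}-{hosts[-1]}"}

def overlapping(cidr, existing):
    """Existing subnets the new range collides with; a router can only join
    subnets whose ranges do not overlap."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [e for e in existing if net.overlaps(ipaddress.ip_network(e))]

def plan_subnet(cidr, network, name, existing=()):
    """Validate the range and return the guide's command with the defaults
    spelled out. 'existing' is an assumed input: your current subnet ranges."""
    if not is_rfc1918(cidr):
        raise ValueError(f"{cidr} is not inside an RFC 1918 block")
    clash = overlapping(cidr, existing)
    if clash:
        raise ValueError(f"{cidr} overlaps existing subnet(s) {clash}")
    d = neutron_defaults(cidr)
    start, end = d["allocation_pools"].split("-")
    return (f"openstack subnet create --subnet-range {cidr} "
            f"--gateway {d['gateway_ip']} "
            f"--allocation-pool start={start},end={end} "
            f"--network {network} {name}")
```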

Create a router, and give the network external access

At this point the network is an isolated island within the cloud, and to give it external access a router is needed. Routers are created like this:

Code Block
eigilo@access:~$ openstack router create MySecondRouter
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| admin_state_up          | UP                                   |
| availability_zone_hints |                                      |
| availability_zones      |                                      |
| created_at              | 2017-02-02T13:56:18Z                 |
| description             |                                      |
| external_gateway_info   | null                                 |
| flavor_id               | None                                 |
| headers                 |                                      |
| id                      | 766936de-2c5f-44aa-8f38-2f13d6f701ae |
| name                    | MySecondRouter                       |
| project_id              | 2a4b680765554d728aa2f4d8aadab653     |
| project_id              | 2a4b680765554d728aa2f4d8aadab653     |
| revision_number         | 2                                    |
| routes                  |                                      |
| status                  | ACTIVE                               |
| updated_at              | 2017-02-02T13:56:18Z                 |
+-------------------------+--------------------------------------+

The router then needs to be given an external gateway. This is currently not possible through the openstack client, so the "neutron" client needs to be used:

Code Block
eigilo@access:~$ neutron router-gateway-set MySecondRouter ext-net
Set gateway for router MySecondRouter

Finally, the router needs to be connected to the subnet, like this:

Code Block
eigilo@access:~$ openstack router add subnet MySecondRouter MySecondSubnet-v4

Now the network infrastructure inside your cloud is ready to have virtual machines.

Configuring access parameters

The default settings do not allow much access to the resources inside skyhigh. To allow access to the virtual machines we are going to create, we need to perform two steps:

  1. Allow incoming SSH traffic through our skyhigh firewall
  2. Create an SSH keypair, whose public key will be injected into Linux virtual machines when they are created.

Open up the firewall

It is possible to create multiple firewalls (security groups) in OpenStack, so that they can be tailored to each application. For now we are just going to modify the default firewall to allow incoming SSH traffic.

There are 4 firewall rules present by default: they allow outgoing traffic for both IPv4 and IPv6, and incoming traffic from other hosts in the same security group. These defaults thus let your virtual machines communicate with each other and reach the internet, but no incoming traffic from outside is allowed by default.

Code Block
eigilo@access:~$ openstack security group rule list default
+--------------------------+-------------+----------+------------+--------------------------+
| ID                       | IP Protocol | IP Range | Port Range | Remote Security Group    |
+--------------------------+-------------+----------+------------+--------------------------+
| 4638b4f3-b1b6-49d6-8a42- | None        | None     |            | 533a2023-35bb-41e2-adbc- |
| abee8fccb606             |             |          |            | d150d56250f0             |
| 829c6797-5978-4c72-854f- | None        | None     |            | None                     |
| de4d8b8dc32f             |             |          |            |                          |
| 9cd97ab3-9ece-           | None        | None     |            | None                     |
| 406f-8943-667eda08eed9   |             |          |            |                          |
| e633108d-0bb1-4ab5-ae7c- | None        | None     |            | 533a2023-35bb-41e2-adbc- |
| a82bcbe919f6             |             |          |            | d150d56250f0             |
+--------------------------+-------------+----------+------------+--------------------------+

Add two new rules to the default firewall:

  1. One rule to allow incoming SSH connections (TCP port 22)
  2. One rule to allow incoming ICMP

Code Block
eigilo@access:~$ openstack security group rule create --protocol tcp --ingress --dst-port 22 default
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2017-02-02T14:24:22Z                 |
| description       |                                      |
| direction         | ingress                              |
| ethertype         | IPv4                                 |
| headers           |                                      |
| id                | 619ff756-3903-4543-b953-ba371988dd69 |
| port_range_max    | 22                                   |
| port_range_min    | 22                                   |
| project_id        | 2a4b680765554d728aa2f4d8aadab653     |
| project_id        | 2a4b680765554d728aa2f4d8aadab653     |
| protocol          | tcp                                  |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 1                                    |
| security_group_id | 533a2023-35bb-41e2-adbc-d150d56250f0 |
| updated_at        | 2017-02-02T14:24:22Z                 |
+-------------------+--------------------------------------+
eigilo@access:~$ openstack security group rule create --protocol icmp --ingress default
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2017-02-02T14:24:44Z                 |
| description       |                                      |
| direction         | ingress                              |
| ethertype         | IPv4                                 |
| headers           |                                      |
| id                | 0ac41487-66ae-49f3-bc1a-13e3c8c57d76 |
| port_range_max    | None                                 |
| port_range_min    | None                                 |
| project_id        | 2a4b680765554d728aa2f4d8aadab653     |
| project_id        | 2a4b680765554d728aa2f4d8aadab653     |
| protocol          | icmp                                 |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 1                                    |
| security_group_id | 533a2023-35bb-41e2-adbc-d150d56250f0 |
| updated_at        | 2017-02-02T14:24:44Z                 |
+-------------------+--------------------------------------+
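Both rules above have remote_ip_prefix 0.0.0.0/0, so SSH and ICMP are reachable from every address on the internet, not just from your own machines. The following Python snippet is an added example, not part of this guide: it audits rule records shaped like the fields in the output above (a constructed sample, not fetched from the cloud), answers whether a given source address would be admitted, and builds the same SSH rule narrowed to an admin range with the client's `--remote-ip` option.

```python
import ipaddress

# Constructed sample mirroring the fields of the 'rule create' output above:
# the SSH and ICMP rules from the guide plus the default rule that admits
# traffic from members of the same security group.
RULES = [
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "icmp",
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None,
     "remote_group_id": "533a2023-35bb-41e2-adbc-d150d56250f0"},
]

WORLD = ("0.0.0.0/0", "::/0", None)  # None means no source restriction at all

def world_open_ingress(rules):
    """Ingress rules any address can hit, as (protocol, from_port, to_port)."""
    return [(r["protocol"] or "any", r["port_range_min"], r["port_range_max"])
            for r in rules
            if r["direction"] == "ingress"
            and r["remote_group_id"] is None
            and r["remote_ip_prefix"] in WORLD]

def ingress_allowed(rules, src_ip, protocol, port=None):
    """Would the address-based ingress rules accept this source/protocol/port?
    Remote-group rules are skipped: matching them needs the sender's group."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["direction"] != "ingress" or r["remote_group_id"] is not None:
            continue
        if r["protocol"] not in (None, protocol):
            continue
        prefix = r["remote_ip_prefix"] or WORLD[0 if r["ethertype"] == "IPv4" else 1]
        net = ipaddress.ip_network(prefix)
        if src.version != net.version or src not in net:
            continue
        lo, hi = r["port_range_min"], r["port_range_max"]
        if lo is None or (port is not None and lo <= port <= hi):
            return True
    return False

def narrowed_ssh_rule(admin_cidr):
    """The guide's SSH rule, limited to one source range via --remote-ip."""
    ipaddress.ip_network(admin_cidr)  # raises on a malformed range
    return (f"openstack security group rule create --protocol tcp --ingress "
            f"--dst-port 22 --remote-ip {admin_cidr} default")
```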

Upload an SSH public key

OpenStack can create a keypair for you, but it also allows you to upload the public part of a keypair you have already created.

Have OpenStack generate a new keypair

You can have OpenStack create a new keypair for you and store the public key in the OpenStack database. The command returns the private key, which should be stored in a file. Make sure to limit who has access to this file:

Code Block
eigilo@access:~$ openstack keypair create MySecondKey > MySecondKey.priv
eigilo@access:~$ chmod 600 MySecondKey.priv

Upload an existing public key

To upload a key which already exists (for example ~/.ssh/id_rsa.pub), the following command can be used:

Code Block
eigilo@access:~$ openstack keypair create MySecondExistingKey --public-key .ssh/id_rsa.pub
+-------------+------------------------------------------------------------------+
| Field       | Value                                                            |
+-------------+------------------------------------------------------------------+
| fingerprint | c7:16:40:92:63:c4:f3:07:bb:43:21:34:82:cb:e9:f8                  |
| name        | MySecondExistingKey                                              |
| user_id     | 1790de92c726dc409c223dcfed7fe2c67d792f3cf8e7f46118e5c2bfd63faff3 |
+-------------+------------------------------------------------------------------+
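The fingerprint field in the output above is the MD5 fingerprint of the uploaded public key, and comparing it with the local file confirms the right key was registered before any machine is booted with it. The following Python snippet is an added example, not part of this guide: it computes that fingerprint from an authorized_keys-style line. The key line it builds is a constructed placeholder with tiny numbers, not a usable key; only the wire layout matters for the check.

```python
import base64
import hashlib
import struct

def _ssh_string(data):
    """Length-prefixed string, the building block of an OpenSSH key blob."""
    return struct.pack(">I", len(data)) + data

def _mpint(n):
    """Big-endian multiprecision integer with a leading zero if the top bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)

def constructed_public_key():
    """Constructed 'ssh-rsa <base64> comment' line; e and n are placeholders."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " eigilo@access"

def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 of the decoded blob, the format shown above."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1])
    # The blob opens with the key type; it must agree with the text prefix.
    tlen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + tlen].decode() != parts[0]:
        raise ValueError("key type in blob does not match prefix")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def matches_openstack(pubkey_line, shown_fingerprint):
    """True when the local key and the fingerprint OpenStack printed agree."""
    return md5_fingerprint(pubkey_line) == shown_fingerprint.strip().lower()
```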
