Milestone 9 OpenStack Tutorials - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki
This page journals content related to SYS-350 milestone 9.
Services tutorial
Can see services with:
microstack.openstack catalog list

And can see users:
microstack.openstack user list

List images:
microstack.openstack image list

List the networks:
microstack.openstack network list

List hypervisors:
microstack.openstack hypervisor list

Dashboard tutorial
Can use the dropdown in the OpenStack web gui > to change the theme:

I can also go to "Identity" > "Users":

Then "Create User" > create a new admin user named "oliver":

Logged in as that user:

Can see images in "Project" > "Images":

Can list hypervisors in "Admin" > "Compute" > "Hypervisors":

Can see users in "Identity" > "Users":

Template tutorial
Create images
I downloaded the focal image:
wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64-disk-kvm.img
Then I created my image:
microstack.openstack image create --disk-format qcow2 --min-disk 8 --min-ram 512 --file ~/focal-server-cloudimg-amd64-disk-kvm.img --private oliver-focal
Image gets created:


I could also create an image from the web gui > "Admin" > "Images":

Then "Create Image":


Create flavors
I could then create my flavor:
microstack.openstack flavor create --ram 1024 --disk 10 --vcpus 1 oliver-flavor


Could also go through the web gui and go to "Admin" > "Compute" > "Flavors":

Then "Create Flavor":


Identities tutorial
Domain management
I created my domain "oliverdomain":
microstack.openstack domain create --description "olivers_domain" oliverdomain


Then I created an admin user "oadmin" and added the admin role (in my domain):
microstack.openstack user create --domain oliverdomain --password <insert_oadmin_password_here> oadmin
microstack.openstack role add --domain oliverdomain --user-domain oliverdomain --user oadmin admin

I also added the following to "/var/snap/microstack/common/etc/horizon/local_settings.d/_05_snap_tweaks.py" to enable domains:
# Setup multidomain support
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default"
Additions seen added to _05_snap_tweaks.py:

Then I ran:
sudo snap restart microstack.horizon-uwsgi
With this I could login as my created user in my domain:


Role management
I could then create a role:
microstack.openstack role create _olivermember_

And could see all roles with:
microstack.openstack role list

Management of projects
I could create a project named "oliverproject" in the domain "oliverdomain":
microstack.openstack project create --domain oliverdomain oliverproject

And then I could list all of the projects in my "oliverdomain":
microstack.openstack project list --domain oliverdomain

I could also create a project by logging into my "oliverdomain" as my "oadmin" user on the web gui > "Identity" > "Projects":

Then I could press "Create Project" > fill it in with the following information:

After pressing "Create Project" > project will be created like it was in the command line:

User and group management
I created a new user in my "oliverdomain":
microstack.openstack user create --domain oliverdomain --password <insert_oadmin2_password_here> oadmin2
And I created a group in my "oliverdomain":
microstack.openstack group create --domain oliverdomain olivergroup
Listed out groups:
microstack.openstack group list --domain oliverdomain

Membership and assignment management
I could add my "oadmin2" user to the "olivergroup" in the "oliverdomain":
microstack.openstack group add user --group-domain oliverdomain --user-domain oliverdomain olivergroup oadmin2
Then I could assign the oliverproject's "member" role to the "olivergroup":
microstack.openstack role add --project oliverproject --project-domain oliverdomain --group olivergroup --group-domain oliverdomain member

Logged in as oadmin2, can see project:

I also can add a user to a group by going to the web gui > "Identity" > "Groups":

Then selecting a group ("olivergroup" in this case) and selecting "Manage Members":

And finally "Add Users" (no users were added as oadmin2 was already added via cli):

I could add a group to a project by going to "Identity" > "Projects":

Then pressing "Manage Members" > where I could add users or groups to the project (using the "Project Members" or "Project Groups" tabs):

Final Setup
I would add my "oadmin" user to the "oliverproject" as an admin/member:
microstack.openstack role add --project oliverproject --project-domain oliverdomain --user oadmin --user-domain oliverdomain member
microstack.openstack role add --project oliverproject --project-domain oliverdomain --user oadmin --user-domain oliverdomain admin
And after logging in and out I could see I was a part of the project:

As well I clicked on "admin" in the upper right corner > "OpenStack RC File" to download the rc file:

I would (IN A NEW TERMINAL SESSION) rename that downloaded .sh file and source it, allowing me to be logged in as my "oadmin" user, in the "oliverdomain", in the CLI!:
mv ~/Downloads/oliverproject-openrc.sh ~/Downloads/oliverdomain_oadmin.sh
source ~/Downloads/oliverdomain_oadmin.sh

(in Microstack openrc fix for terminal I describe a way to use this with our microstack setup!)
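An added example, not part of the original journal: before sourcing a downloaded or hand-edited rc file, this check reports whether the file is accessible to other local users and whether a password has been written into it in clear text. `check_openrc` is a hypothetical helper and it assumes GNU `stat`.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. check_openrc is a hypothetical
# helper; it assumes GNU stat, as shipped with Ubuntu.

# Prints one line per finding and returns 1 if there were any (2 if the file
# is missing):
#   - the rc file is accessible to group or other users
#   - OS_PASSWORD is assigned a literal value rather than a prompted variable
check_openrc() {
  local file=$1 mode findings=0
  [ -f "$file" ] || { echo "missing: $file"; return 2; }

  mode=$(stat -c '%a' "$file")
  case "$mode" in
    *00|0) ;;   # group and other digits are both 0, e.g. 600 or 400
    *) echo "mode $mode: run chmod 600 $file"; findings=1 ;;
  esac

  # A value beginning with $ is filled in at run time (for example by
  # `read -sr`); anything else is a clear-text password stored in the file.
  if grep -Eq '^[[:space:]]*(export[[:space:]]+)?OS_PASSWORD=["'\'']?[^$"'\''[:space:]]' "$file"; then
    echo "literal OS_PASSWORD: prompt with read -sr instead"
    findings=1
  fi
  return "$findings"
}

# Constructed demo: an rc file with a hard-coded password and loose mode.
demo_rc=$(mktemp)
printf 'export OS_USERNAME=oadmin2\nexport OS_PASSWORD=constructed-secret\n' > "$demo_rc"
chmod 644 "$demo_rc"
check_openrc "$demo_rc" || true
rm -f "$demo_rc"
```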
Multi-tenant management
(NOTE: Requires Identities tutorial to be finished as this tutorial uses/references its created domains/projects/roles/users & groups!)
Setting up access to multi-environment
First I set up a Python virtual environment for openstack, starting by installing the needed Python libraries:
sudo apt install python3-pip python3.10-venv -y
Then I set up my environment, sourced it, and installed python-openstackclient:
python3 -m venv openstack
source openstack/bin/activate
pip install python-openstackclient
After that I sourced my oadmin2 .sh file:
source ~/Downloads/oliverdomain_oadmin2.sh
Setting up openstack SSH keypair
I then created an openstack SSH keypair with the following:
openstack --insecure keypair create --private-key ./mykeypair.pem --type ssh mykeypair

Keypair made:

From the web gui I could have gone from "Project" > "Compute" > "Key Pairs":

Then pressed "Create Key Pair" and created a SSH keypair (SSH was not selected by default, needed to use dropdown):

Could then press "Create Key Pair" to create the key.
Network management
(NOTE: Requires Identities tutorial to be finished as this tutorial uses/references its created domains/projects/roles/users & groups!)
First I made sure I was sourced into my python environment and my oadmin rc file (made in Multi-tenant management):
source ~/openstack/bin/activate
source ~/Downloads/oliverdomain_oadmin2.sh
After setting that up, I went to the web gui and I could navigate to the Network Topology from "Project" > "Network" > "Network Topology":

Create networks and subnets
In the terminal I created my own network:
openstack --insecure network create olivernetwork

Listed networks:

I also created a subnet:
openstack --insecure subnet create --network olivernetwork --subnet-range 192.168.0.0/24 --allocation-pool start=192.168.0.101,end=192.168.0.200 --dns-nameserver 8.8.8.8 oliversubnet

Listed subnets:

I also could have used the web gui and navigated to "Project" > "Network" > "Networks":

And used "Create Network" to create my olivernetwork/oliversubnet:



After pressing the blue "Create" button, network would be created!
(FUN FACT: Can create networks with the same name)


I would delete the web gui created network.
openstack --insecure network delete 07374b42-2d6b-4c9e-a8d1-3976ec000fc3

Create routers
After that I created a router with:
openstack --insecure router create oliverrouter
"oliverrouter" created with a listing of all routers:

Then I set the external gateway as the gateway for "oliverrouter":
openstack --insecure router set --external-gateway external oliverrouter
And attached the router to the "oliversubnet":
openstack --insecure router add subnet oliverrouter oliversubnet
In the web gui I could have gone to "Project" > "Network" > "Routers":

Then "Create Router":

After selecting the router, I could have gone to the "Interfaces" section > then pressed "Add interface" and chosen my subnet from the subnet dropdown.
Create floating IPs
I allocated a floating IP from the external network with the following:
openstack --insecure floating ip create external

And I could list all floating ips as well:

I could have allocated a floating IP by going to the web gui > "Project" > "Network" > "Floating IPs" > pressing "Allocate IP to Project" on the right:

After pressing "Allocate IP":

Create Security Group
I created a security group:
openstack --insecure security group create oliversecuritygroup

And then I could add a rule to the security group allowing SSH ingress:
openstack --insecure security group rule create --remote-ip 0.0.0.0/0 --dst-port 22:22 --protocol tcp --ingress oliversecuritygroup

As well I could list out all of the security groups rules:
openstack --insecure security group rule list oliversecuritygroup

I also could have gone to the web gui "Project" > "Network" > "Security Groups". Then used the "Create Security Group" button to make a security group, then selected it and used the "Add Rule" button to add a rule for SSH (selected from the dropdown.)
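An added example, not part of the original journal: the rule above admits SSH from any address, so this function filters a rule listing for ingress rules that any source can reach. It assumes the listing is exported as CSV with the four columns named in the comment (flags assumed present in your client version); `world_open_rules` is a hypothetical helper, the sample rows are constructed, and 203.0.113.0/24 is a placeholder range.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. world_open_rules is a
# hypothetical helper; the rows in sample_rules are constructed.
#
# Intended input (CSV, these four columns in this order):
#   openstack --insecure security group rule list --ingress -f csv \
#     -c "IP Protocol" -c "IP Range" -c "Port Range" \
#     -c "Remote Security Group" oliversecuritygroup | world_open_rules
#
# Narrower rule than 0.0.0.0/0 (203.0.113.0/24 is a placeholder for the
# network you administer from):
#   openstack --insecure security group rule create --remote-ip 203.0.113.0/24 \
#     --dst-port 22:22 --protocol tcp --ingress oliversecuritygroup

# Prints "<proto> <ports> from <source>" for every rule any address can reach:
# an explicit 0.0.0.0/0 or ::/0, or no IP range and no remote group at all.
world_open_rules() {
  awk -F',' '
    NR == 1 { next }                                   # CSV header
    {
      for (i = 1; i <= NF; i++) gsub(/^"|"$/, "", $i)  # strip CSV quoting
      proto = ($1 == "" || $1 == "None") ? "any" : $1
      src   = ($2 == "None") ? "" : $2
      ports = ($3 == "" || $3 == "None") ? "all" : $3
      grp   = ($4 == "None") ? "" : $4
      if (src == "0.0.0.0/0" || src == "::/0")
        printf "%s %s from %s\n", proto, ports, src
      else if (src == "" && grp == "")
        printf "%s %s from any\n", proto, ports
    }'
}

# Constructed sample in the CSV shape described above (not real output).
sample_rules() {
  cat <<'EOF'
"IP Protocol","IP Range","Port Range","Remote Security Group"
"tcp","0.0.0.0/0","22:22",""
"tcp","192.168.0.0/24","80:80",""
"icmp","","",""
"udp","","53:53","11111111-2222-3333-4444-555555555555"
"tcp","::/0","443:443",""
EOF
}

sample_rules | world_open_rules
```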
Instances management
(NOTE: Requires Identities tutorial to be finished as this tutorial uses/references its created domains/projects/roles/users & groups!)
First I made sure I was sourced into my python environment and my oadmin rc file (made in Multi-tenant management):
source ~/openstack/bin/activate
source ~/Downloads/oliverdomain_oadmin2.sh
Launch instances
Then I created 2 cirros instances (used "cirros" instead of "ubuntu" since we did not have an ubuntu image by default and seemingly the instances do not need to have certain capabilities):
openstack --insecure server create --flavor oliver-flavor --image cirros --network olivernetwork --key-name mykeypair --min 2 --max 2 oliverinstance

(Can also see that the instances received IPs above as well)
I also could have used the web gui by going to "Project" > "Compute" > "Instances" > "Launch Instance" button then filling it out as follows:
- Under "Details" - fill out instance name and count
- Under "Source" - choose to create new volume and press UP beside cirros
- Under "Flavor" - press UP beside oliver-flavor
Associate floating IP to instance
To associate the floating IP with my "oliverinstance-1", I ran the following:
IP=$(openstack --insecure floating ip list | tail -n 2 | head -n 1 | awk '{print $4}')
openstack --insecure server add floating ip oliverinstance-1 $IP

Or I could have gone to the web gui and gone to "Project" > "Compute" > "Instances" > dropdown next to "Create Snapshot" on the "Actions" column for "oliverinstance-1" > "Associate Floating IP" > used the dropdown under "IP Address" to select an IP to associate.
Allowing security group to access instance
I added my security group "oliversecuritygroup" (which will allow ingress SSH) to my instance "oliverinstance-1" via the following:
openstack --insecure server add security group oliverinstance-1 oliversecuritygroup
Or I could have gone to the web gui and gone to "Project" > "Compute" > "Instances" > dropdown next to "Create Snapshot" on the "Actions" column for "oliverinstance-1" > "Edit Security Groups" > pressed the + button next to "oliversecuritygroup" in "Security Groups" tab > "Save".
Accessing instance
After adding my security group "oliversecuritygroup" to my instance "oliverinstance-1" with openstack --insecure server add security group oliverinstance-1 oliversecuritygroup, I set the permissions on mykeypair.pem:
chmod 0400 ~/mykeypair.pem
And could SSH into "oliverinstance-1":
IP=$(openstack --insecure floating ip list | tail -n 2 | head -n 1 | awk '{print $4}')
ssh -i ~/Downloads/mykeypair.pem -o StrictHostKeyChecking=no ubuntu@$IP

Deleting instances
I deleted my "oliverinstance-2" by running the following:
openstack --insecure server delete oliverinstance-2

Or I could have gone in the web gui to "Project" > "Compute" > "Instances" > dropdown next to "Create Snapshot" on the "Actions" column for "oliverinstance-2" > "Delete Instance" > pressed the button to confirm the deletion.
Definitions
Below are copy pasted definitions of terms used for Microstack:
Domain
"Domains are high-level collections of projects, groups and users. They limit the visibility of those identities to other domains. As a result, domains serve as a basis for implementing multi-tenancy in OpenStack." - Ubuntu
Projects
"Projects are an abstraction used by other OpenStack services to group and isolate various types of resources (instances, volumes, and so on). One domain can have multiple projects created inside." - Ubuntu
Troubleshooting
Microstack Domain Fix
I added the following to "/var/snap/microstack/common/etc/horizon/local_settings.d/_05_snap_tweaks.py":
# Setup multidomain support
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default"
Additions added to _05_snap_tweaks.py:

Or I could have added just the multidomain support to a new file under "/var/snap/microstack/common/etc/horizon/local_settings.d/_10_enable_multidomain_support.py":

Then I ran:
sudo snap restart microstack.horizon-uwsgi
Microstack openrc fix for terminal
Turns out that "microstack.openstack" overrides any environment variables you want to set (following is a snippet from a "microstack.openstack -vvv server list" command showing that openstack is still using username and domain variables that do not match up with the rc file I sourced):

The oadmin2 rc file I sourced for reference (did cut out a line from the screenshot as it was added by me and did not make any differences):

To get around this you can override the defaults in the cli like the following:
microstack.openstack --os-username "oadmin2" \
--os-project-name "oliverproject" \
--os-project-domain-name "oliverdomain" \
--os-user-domain-name "oliverdomain" \
--os-password "<oadmin2_password>" server list
Substituting values for whatever project, domain, or user you are trying to authenticate as.
But a better way is to use python-openstackclient (https://github.com/openstack/python-openstackclient). I set this up by first installing needed Python libraries:
sudo apt install python3-pip python3.10-venv -y
Then I set up my environment, sourced it, and installed python-openstackclient:
python3 -m venv openstack
source openstack/bin/activate
pip install python-openstackclient
Then I could source any .sh file! (below shows comparison after setting up a keypair for oadmin2!):