Milestone 9 ‐ OpenStack Tutorials - jacobwilliams100/sys-350 GitHub Wiki
3. Learn about OpenStack services and their functions
Our system meets the recommended specifications.
Services
List registered microstack services with microstack.openstack catalog list
Each service has three endpoints:
- internal provides access for other OpenStack services.
- admin provides access for the admin project.
- public provides access for other projects.
Keystone
MicroStack uses Keystone to manage identities, domains and projects. Keystone is the service that handles authentication.
To list all users, run microstack.openstack user list
Glance
MicroStack uses Glance to manage images (templates for provisioning instances).
List all of MicroStack's images with microstack.openstack image list
CirrOS is already present in Glance
Neutron
Neutron is how MicroStack manages networks and network devices. This includes virtual networks, subnets, routers, and security groups.
To list all of MicroStack's virtual networks, use microstack.openstack network list
Nova
Nova is how MicroStack manages computing resources. It handles scheduling, resource provisioning, and termination.
List all hypervisors managed by Nova with microstack.openstack hypervisor list
4. Navigate through the OpenStack dashboard menu
The dashboard is how we manage Microstack
Change the theme
Go ahead and sign in to the MicroStack dashboard with your credentials
(if you forget your password, you can retrieve it with sudo snap get microstack config.credentials.keystone-password)
Go to Admin->Themes
Picking a different theme will change the visual appearance of the Dashboard
Change Admin password
Go to admin->Settings
and on the left bar, click "Change Password"
Here, you can change your password. This is a good idea, because the default one is kind of unwieldy. You will need to log back in afterward.
Also on this menu is "OpenStack RC File". Download the file and execute it: source ~/Downloads/admin-openrc.sh
Enter your new password
This is necessary for us to continue managing MicroStack from the command line.
Adding a new admin
(go to the "users" menu on the sidebar)
Relog as this new account and repeat the Open RC process:
Navigate through the project menu
Click the "admin" icon in the upper left, and you can see the current project. So far, there are no others.
Click "Project" on the left to go to the project menu
API Access has to do with API endpoints
Compute has to do with computing resources
Network has to do with networking resources
To list all images for project "admin" go to Project->Compute->Images
We only have the Cirros image so far.
Navigate through the admin menu
If we go to Admin->Compute->Hypervisors, we can see all hypervisors. Explore other sections of the Admin menu
Navigate through the Identity Menu
The Identity menu (also on the left bar) has 5 sections:
- Projects (access to project accounts)
- Users (access to user accounts)
- Groups (access to user groups)
- Roles (access to user roles)
- Application credentials (access to application credentials)
For example, to list all user roles, go to Identity->Roles
5. Manage instance templates, including images and flavors
Manage Images
Images are roughly equivalent to vCenter's templates. They contain a guest OS and are used for provisioning instances.
Let's start by downloading the Ubuntu 20.04 LTS image at:
To upload the image to Glance:
microstack.openstack image create --disk-format qcow2 --min-disk 8 --min-ram 512 --file ~/Downloads/focal-server-cloudimg-amd64-disk-kvm.img --private ubuntu-focal
Output should look something like this
To list all images, run microstack.openstack image list
As we can see, the ubuntu-focal image was added
Back on the web UI, if we go to Admin->Compute->Images
It is now available here as well
You can also upload images using this menu by clicking the "Create Image" button
Manage flavors
Flavors are used alongside instances to choose which resources, and how much of each, are assigned to a VM. They are equivalent to vCenter's Customization Specifications.
To create a basic flavor, run microstack.openstack flavor create --ram 1024 --disk 10 --vcpus 1 myflavor
To list all flavors, run microstack.openstack flavor list
As we can see, the new myflavor is now here
We can also create the flavor in the web UI by going to Admin->Compute->Flavors->Create Flavor
6. Use the concept of domains, roles, users and groups to manage identities
Manage Domains
Domains are high-level collections of projects, groups, and users. They are used for multi-tenancy in MicroStack/OpenStack
We will create a simple domain with microstack.openstack domain create --description "test" newdomain
Then list all domains with microstack.openstack domain list
We create a new admin user for this domain with:
microstack.openstack user create --domain newdomain --password admin admin
and
microstack.openstack role add --domain newdomain --user-domain newdomain --user admin admin
You need to complete an extra step to enable multi-domain to get this to work properly.
sudo bash -c 'cat > /var/snap/microstack/common/etc/horizon/local_settings.d/_10_enable_multidomain_support.py' << EOF
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
EOF
You should now be able to log into the web UI with these credentials
Success!
Manage Roles
Roles are used for managing RBAC in OpenStack, for domains and projects. All roles are shared across all domains.
Create a new role "member" with microstack.openstack role create _member_
List all existing roles with microstack.openstack role list
Manage Projects
Projects are used to organize resources such as instances and volumes. One domain can have multiple projects inside.
We will create a project "newproject" in the domain "newdomain" with the following command:
microstack.openstack project create --domain newdomain newproject
To list all projects, do microstack.openstack project list --domain newdomain
Back on the web interface, go to Identity->Projects and click "Create Project"
We can create a project this way too
Manage Users and Groups
Users and groups are entities given access to resources within projects and domains (via roles). One domain can contain multiple users and groups.
We will create a new user "newuser" with password "newpassword" within "newdomain" with the command microstack.openstack user create --domain newdomain --password newpassword newuser
To list all users in domain "newdomain", run microstack.openstack user list --domain newdomain
We will create a new group "newgroup" in domain "newdomain" with microstack.openstack group create --domain newdomain newgroup
To list all groups in the domain "newdomain", run microstack.openstack group list --domain newdomain
Switch to the web UI and go to Identity->Users and click "Create User"
We can create a user from this screen too.
Whether created from the CLI or GUI, you should be able to see the new user "newuser"
Now go to Identity->Groups and click "Create Group"
We can create a group from this screen too.
Whichever way you created "newuser", it should now be visible on this screen.
Manage Membership and Assignments
We will add newuser to newgroup on newdomain with the following command:
microstack.openstack group add user --group-domain newdomain --user-domain newdomain newgroup newuser
We will assign the member role to the newgroup group on the newproject project with the following command:
microstack.openstack role add --project newproject --project-domain newdomain --group newgroup --group-domain newdomain member
Back on the web UI, go to Identity->Groups, and under actions, click "Manage Members"
Notice user "newuser" has been added to the group. Click "Add Users"
We can add users to groups from this screen too.
Go to Identity->Projects and click "Manage Members"
Under the "Project Groups" tab, we can add groups to projects
Finishing Setting up Admin User
To finish setting up the "admin" user in "newdomain" we need to assign the roles member and admin to this user in the project newproject. Use these commands:
microstack.openstack role add --project newproject --project-domain newdomain --user admin --user-domain newdomain member
microstack.openstack role add --project newproject --project-domain newdomain --user admin --user-domain newdomain admin
Back on the web UI, click the dropdown in the upper-left and select newproject
To download the RC file, go to Admin->OpenStack RC File
We will not proceed with executing the file because it caused problems the first time I did this in the tutorial.
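The role and membership commands in this section, modelled as an added example (not part of the original page and not Keystone's own code): it resolves which roles a user ends up with on each scope, directly or through a group, and shows that the domain-scoped admin role from earlier does not by itself grant anything on newproject. The dict keys and the scope strings are hypothetical; the data is constructed from the commands above.

```python
from collections import defaultdict

# Constructed data mirroring this page's commands; the dict keys are
# hypothetical and are not the openstack client's output format.
GROUP_MEMBERS = {"newgroup@newdomain": {"newuser@newdomain"}}
ASSIGNMENTS = [
    {"role": "admin", "user": "admin@newdomain", "scope": "domain:newdomain"},
    {"role": "member", "group": "newgroup@newdomain",
     "scope": "project:newproject@newdomain"},
    {"role": "member", "user": "admin@newdomain",
     "scope": "project:newproject@newdomain"},
    {"role": "admin", "user": "admin@newdomain",
     "scope": "project:newproject@newdomain"},
]


def effective_roles(user, assignments=ASSIGNMENTS, group_members=GROUP_MEMBERS):
    """Map each scope to the roles `user` holds there, directly or via a group."""
    groups = {g for g, members in group_members.items() if user in members}
    roles = defaultdict(set)
    for a in assignments:
        if a.get("user") == user or a.get("group") in groups:
            roles[a["scope"]].add(a["role"])
    return dict(roles)


def holders(role, scope, assignments=ASSIGNMENTS, group_members=GROUP_MEMBERS):
    """Return every user who ends up with `role` on `scope`, expanding groups."""
    users = set()
    for a in assignments:
        if a["role"] != role or a["scope"] != scope:
            continue
        if a.get("user"):
            users.add(a["user"])
        users |= group_members.get(a.get("group"), set())
    return sorted(users)


if __name__ == "__main__":
    for who in ("newuser@newdomain", "admin@newdomain"):
        print(who, effective_roles(who))
    print(holders("admin", "project:newproject@newdomain"))
```

On a live deployment the same question can be put to Keystone with openstack role assignment list --effective --names.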
7. Multi-tenancy
Enable Multi-Tenancy
OpenStack is multi-tenant by default. Multi-tenancy allows multiple organizations to use the same OpenStack server simultaneously. OpenStack uses its identity features to sort tenant resources, specifically domains, users, groups, and projects.
Microstack will need to have a setting changed to allow for multiple domains. We already did this in part 6, but here is a refresher.
sudo bash -c 'cat > /var/snap/microstack/common/etc/horizon/local_settings.d/_10_enable_multidomain_support.py' << EOF
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
EOF
Each domain has its own set of accounts and roles.
Switch to the User Account
Log into the web UI with the newuser account
Download the OpenStack RC File
And run it with source ~/Downloads/newproject-openrc.sh
Manage Global Resources
In OpenStack, global resources are shared across all projects and domains and can be managed by all users with the "admin" role assigned. Tenant resources are limited to a single project or domain, and can be managed by "member" users.
To list all images, execute microstack.openstack image list
NOTE: I could not access this after using the RC file from the last step. So I re-remoted as the default admin user to get this to work again.
We can also open the web UI and go to Project->Compute->Images
Manage Tenant Resources
We need to install some things to get this to work properly.
Install python3-pip and python 3.10 with sudo apt install python3-pip python3.10-venv -y
Create a venv with python3 -m venv venv
Activate the venv with source venv/bin/activate
Install the OpenStack client with pip install python-openstackclient
Execute the OpenRC file for newuser with source newproject-openrc.sh
Then, create a key pair for this user with openstack --insecure keypair create --private-key ./newkeypair.pem --type ssh newkeypair
Back in the web UI, go to Key Pairs in the sidebar and you will see that the key pair has been added!
8. Networks
Credentials
I tried a really long time to log in and send commands as "newuser" from the CLI and I couldn't get it to work, issue with certificates. So I will simply proceed as the admin account. But I will show tasks as newuser from the web UI where possible.
Display Network Topology
Neutron is how microstack handles network resources. It can set up networks, subnets, virtual routers, floating IPs, and security groups for the sake of setting up robust, fully-featured virtual networks for the virtual machines.
To display network topology in the web UI, go to Project->Network->Network Topology
At this moment, we can only see external-network.
Manage Networks and Subnets
In the CLI, we will create a new network called "newnetwork" with the command:
microstack.openstack network create newnetwork
To list all networks, use microstack.openstack network list
To create a new subnet "newsubnet" on network "newnetwork", run:
microstack.openstack subnet create --network newnetwork --subnet-range 192.168.0.0/24 --allocation-pool start=192.168.0.101,end=192.168.0.200 --dns-nameserver 8.8.8.8 newsubnet
To list all subnets, use openstack subnet list
On the Web UI, go to Project->Network->Networks and click "Create Network"
We can create a network from here as well.
Now go to Subnet in the top bar; you can create a subnet from this window as well.
You define details in the third tab, "Subnet Details"
Manage Routers
We will create a new virtual router called "newrouter" with the following command:
microstack.openstack router create newrouter
To list all routers, use microstack.openstack router list
We will set "external-network" as the gateway for "newrouter" with microstack.openstack router set --external-gateway external newrouter
To add "newrouter" to "newsubnet", use microstack.openstack router add subnet newrouter newsubnet
In the web UI, go to Project->Network->Routers and click "Create Router"
We can create a router from here too.
It should now be available in Neutron
Click on its name and go to the interfaces tab, and click "Add Interface"
We can use this screen to add newnetwork (with newsubnet) to the router
The new interface should now be in Neutron's database
Manage Floating IPs
To allocate a floating IP, use the command "microstack.openstack floating ip create external"
List all floating IPs with microstack.openstack floating ip list
In the Web UI, go to Project->Network->Floating IPs, click "Allocate IP to Project"
From this screen, you may allocate an IP from a virtual network.
It will now be available in the Neutron database.
Manage Security Groups
We will create a new security group with the command: microstack.openstack security group create newsecuritygroup
To list all security groups, use microstack.openstack security group list
We will add a simple rule to the security group with:
microstack.openstack security group rule create --remote-ip 0.0.0.0/0 --dst-port 22:22 --protocol tcp --ingress newsecuritygroup
To list all rules in the security group, use microstack.openstack security group rule list newsecuritygroup
On the web UI, go to Project->Network->Security Groups and click "Create Security Group"
We can create a security group from here too.
Notice the list has populated with default rules. Click "Add Rule" to change it up
We can create Security Group rules here too.
The new rule should now be visible.
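The rule created above admits SSH from 0.0.0.0/0, so a check worth running after any security group change is which ingress rules let untrusted sources reach a watched port. The following is an added example, not part of the original page: the JSON field names are an assumption based on the table columns of openstack security group rule list --long, the sample rules are constructed, and treating 192.168.0.0/24 (the newsubnet range) as the trusted range is an illustrative choice.

```python
import ipaddress
import json

# Constructed sample shaped like `openstack security group rule list --long -f json`;
# the field names are an assumption based on that command's table columns.
SAMPLE_RULES = json.loads("""[
 {"ID": "rule-1", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
  "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": null},
 {"ID": "rule-2", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "192.168.0.0/24",
  "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": null},
 {"ID": "rule-3", "IP Protocol": null, "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
  "Port Range": "", "Direction": "egress", "Remote Security Group": null},
 {"ID": "rule-4", "IP Protocol": null, "Ethertype": "IPv6", "IP Range": "::/0",
  "Port Range": "", "Direction": "ingress", "Remote Security Group": null}
]""")


def port_span(port_range):
    """Return (low, high) for 'low:high'; an empty range means every port."""
    if not port_range:
        return 1, 65535
    low, _, high = port_range.partition(":")
    return int(low), int(high or low)


def exposed_ingress(rules, trusted_cidrs, watched_ports=(22,)):
    """List (rule id, reason) for ingress rules open to sources outside trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in rules:
        if rule.get("Direction") != "ingress" or rule.get("Remote Security Group"):
            continue  # egress, or the source is another group rather than a CIDR
        if rule.get("IP Protocol") not in (None, "", "any", "tcp"):
            continue  # for ICMP and similar, "Port Range" is not a port range
        any_addr = "::/0" if rule.get("Ethertype") == "IPv6" else "0.0.0.0/0"
        source = ipaddress.ip_network(rule.get("IP Range") or any_addr)
        if any(source.version == t.version and source.subnet_of(t) for t in trusted):
            continue
        low, high = port_span(rule.get("Port Range"))
        open_ports = [p for p in watched_ports if low <= p <= high]
        if open_ports:
            findings.append((rule["ID"], f"{source} can reach TCP {open_ports}"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in exposed_ingress(SAMPLE_RULES, ["192.168.0.0/24"]):
        print(rule_id, reason)
```

A finding like rule-1 is cleared by recreating the rule with --remote-ip set to the range that actually needs SSH instead of 0.0.0.0/0.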
9. Instances
Credentials
Once again, I cannot get credentials to work properly other than the default admin from the CLI so I will simply use that. I will try to show commands on the web UI as myuser whenever possible.
Launch Instances
We will create a simple ubuntu-focal instance "newinstance" on "newnetwork" with the following command:
microstack.openstack --insecure server create --flavor myflavor --image ubuntu-focal --network newnetwork --key-name newkeypair --min 2 --max 2 newinstance
NOTE: I had to manually create newkeypair in here to get this to work
Launching takes a minute. Wait a second, and then view all instances with microstack.openstack server list
Notice, the new instances are here.
Now on the Web UI, go to Project->Compute->Instances, click "Launch Instance"
We can create instances from here too! Set these settings and leave the rest default
Then click "Launch Instance". It will take a second to spin up the new instances, but they should load after a bit and be available in the Instances page.
Associate Floating IP
We use the following commands to associate a floating IP with newinstance-1
IP=$(microstack.openstack floating ip list | tail -n 2 | head -n 1 | awk '{print $4}')
and
microstack.openstack server add floating ip newinstance-1 $IP
On the Web UI, go to Project->Compute->Instances and for newinstance-1, go to Actions->Associate Floating IP
From here, you can associate a floating IP Address with an instance
Notice, newinstance-1 now has this IP address
Attach Security Group
Before we do anything with SSH, we must narrow down the default permissions of the key newkeypair.pem. Do this with: chmod 0400 newkeypair.pem
To attempt SSH into the instance, use:
IP=$(microstack.openstack floating ip list | tail -n 2 | head -n 1 | awk '{print $4}')
and
ssh -i ~/Downloads/newkeypair.pem ubuntu@$IP
For some reason it worked perfectly the first time, which shouldn't be true because the default security group does not allow ingress SSH. This may be because we are the admin user. So we will pretend it failed and make the required changes to the security group.
Run: microstack.openstack server add security group newinstance-1 newsecuritygroup
Open the web UI and go to Project->Compute->Instances and for newinstance-1, go to Actions->Edit Security Groups
We will add newsecuritygroup from All Security Groups and Save.
Access Instances
Try again to SSH into newinstance-1
It worked!
Disconnect with exit
Delete Instances
To delete newinstance-2, use microstack.openstack server delete newinstance-2
In the Web UI, go to Project->Compute->Instances and for myinstance-1, go to Actions->Delete Instance
I deleted both of them and now they are gone.
Reflection
I thought this was a pretty good way to learn about the basic functionality of OpenStack. It contained a decent theoretical explanation of the different services that allow OpenStack to function properly. However, it is clear that these tutorials do not 100% carry over to MicroStack, and at times I felt like I was fighting the program to complete tasks that seemed like they should have been simple. Examples of this include changing CLI user with OpenRC files and enabling multi-domain support. I think that Ubuntu should create a version of this tutorial for MicroStack specifically. Lastly, I enjoyed learning about how to handle virtualization tasks from a command line interface (as opposed to vCenter's GUI) because it opens the potential for shell scripting.