Conceptual HorizonOverview Horizon and OpenStack CLIHow can I use an OpenStack cloud?As an OpenStack cloud end user, you can provision your own
resources within the limits set by administrators. The examples
in this guide show you how to complete these tasks by using the
OpenStack dashboard and command-line clients. The dashboard,
also known as horizon, is a Web-based graphical interface. The
command-line clients let you run simple commands to create and
manage resources in a cloud and automate tasks by using scripts.
Each of the core OpenStack projects has its own command-line
client.You can modify these examples for your specific use
cases.In addition to these ways of interacting with a cloud, you
can access the OpenStack APIs indirectly through cURLcommands
or open SDKs, or directly through the APIs. You can automate
access or build tools to manage resources and services by using
the native OpenStack APIs or the EC2 compatibility API.To use the OpenStack APIs, it helps to be familiar with
HTTP/1.1, RESTful web services, the OpenStack services, and JSON
or XML data serialization formats.OpenStack dashboardAs a cloud end user, the OpenStack dashboard lets you to
provision your own resources within the limits set by
administrators. You can modify these examples to create other
types and sizes of server instances.OverviewThe following requirements must be fulfilled to access the
OpenStack dashboard:The cloud operator has set up an OpenStack
cloud.You have a recent Web browser that supports HTML5. It
must have cookies and JavaScript enabled. To use the VNC
client for the dashboard, which is based on noVNC, your
browser must support HTML5 Canvas and HTML5 WebSockets.
For more details and a list of browsers that support
noVNC, seehttps://github.com/kanaka/noVNC/blob/master/README.md,
andhttps://github.com/kanaka/noVNC/wiki/Browser-support,
respectively.Learn how to log in to the dashboard and get a short
overview of the interface.Log in to the dashboardTo log in to the dashboardAsk your cloud operator for the following
information:The hostname or public IP address from which you can
access the dashboard.The dashboard is available on the node that has the
nova-dashboard server role.The username and password with which you can log in to
the dashboard.Open a Web browser that supports HTML5. Make sure that
JavaScript and cookies are enabled.As a URL, enter the host name or IP address that you
got from the cloud operator.https://IP_ADDRESS_OR_HOSTNAME/On the dashboard log in page, enter your user name and
password and click Sign In.After you log in, the following page appears:The top-level row shows the username that you logged in
with. You can also access Settingsor Sign Outof the Web
interface.If you are logged in as an end user rather than an admin
user, the main screen shows only the Projecttab.OpenStack dashboard – Project tabThis tab shows details for the projects, or projects, of
which you are a member.Select a project from the drop-down list on the left-hand
side to access the following categories:OverviewShows basic reports on the project.InstancesLists instances and volumes created by users of the
project.From here, you can stop, pause, or reboot any instances or
connect to them through virtual network computing
(VNC).VolumesLists volumes created by users of the project.From here, you can create or delete volumes.Images &
SnapshotsLists images and snapshots created by users of the
project, plus any images that are publicly available. Includes
volume snapshots. From here, you can create and delete images
and snapshots, and launch instances from images and
snapshots.Access &
SecurityOn the Security
Groupstab, you can list, create, and delete security
groups and edit rules for security groups.On the Keypairstab, you
can list, create, and import keypairs, and delete keypairs.On the Floating IPstab,
you can allocate an IP address to or release it from a
project.On the API Accesstab, you
can list the API endpoints.Manage imagesDuring setup of OpenStack cloud, the cloud operator sets
user permissions to manage images. Image upload and management
might be restricted to only cloud administrators or cloud
operators. Though you can complete most tasks with the OpenStack
dashboard, you can manage images through only the glance and
nova clients or the Image Service and Compute APIs.Set up access and securityBefore you launch a virtual machine, you can add security
group rules to enable users to ping and SSH to the instances. To
do so, you either add rules to the default security group or add a
security group with rules. For information, seethe section called “Add security group rules”.Keypairs are SSH credentials that are injected into images
when they are launched. For this to work, the image must contain
the cloud-init package. For information, seethe section called “Add keypairs”.Add security group rulesThe following procedure shows you how to add rules to the
default security group.To add rules to the default security groupLog in to the OpenStack dashboard.If you are a member of multiple projects, select a
project from the drop-down list at the top of the
Projecttab.Click the Access & Securitycategory.The dashboard shows the security groups that are
available for this project.Select the default security group and click Edit
Rules.The Security Group Rulespage appears:Add a TCP ruleClick Add Rule.The Add Rulewindow appears.In the IP Protocollist, select TCP.In the Openlist, select Port.In the Portbox, enter 22.In the Sourcelist, select CIDR.In the CIDRbox, enter 0.0.0.0/0.Click Add.Port 22 is now open for requests from any IP
address.If you want to accept requests from a particular range
of IP addresses, specify the IP address block in the
CIDRbox.Add an ICMP ruleClick Add Rule.The Add Rulewindow appears.In the IP Protocollist, select ICMP.In the Typebox, enter -1.In the Codebox, enter -1.In the Sourcelist, select CIDR.In the CIDRbox, enter 0.0.0.0/0.Click Add.Add keypairsCreate at least one keypair for each project. If you have
generated a keypair with an external tool, you can import it
into OpenStack. The keypair can be used for multiple instances
that belong to a project.To add a keypairLog in to the OpenStack dashboard.If you are a member of multiple projects, select a
project from the drop-down list at the top of the
Projecttab.Click the Access & Securitycategory.Click the Keypairstab. The dashboard shows the
keypairs that are available for this project.To add a keypairClick Create Keypair.The Create Keypairwindow appears.In the Keypair Namebox, enter a name for your
keypair.Click Create Keypair.Respond to the prompt to download the keypair.To import a keypairClick Import Keypair.The Import Keypairwindow appears.In the Keypair Namebox, enter the name of your
keypair.In the Public Keybox, copy the public key.Click Import Keypair.Save the *.pem file locally and change its permissions
so that only you can read and write to the file:$ chmod 0600 MY_PRIV_KEY.pemUse the ssh-addcommand to make the keypair known to
SSH:$ ssh-add MY_PRIV_KEY.pemThe public key of the keypair is registered in the Nova
database.The dashboard lists the keypair in the Access &
Securitycategory.Launch instancesInstances are virtual machines that run inside the cloud.
You can launch an instance directly from one of the available
OpenStack images or from an image that you have copied to a
persistent volume. The OpenStack Image Service provides a pool
of images that are accessible to members of different
projects.Launch an instance from an imageWhen you launch an instance from an image, OpenStack
creates a local copy of the image on the respective compute
node where the instance is started.To launch an instance from an imageLog in to the OpenStack dashboard.If you are a member of multiple projects, select a
project from the drop-down list at the top of the
Projecttab.Click the Images & Snapshotcategory.The dashboard shows the images that have been uploaded
to OpenStack Image Service and are available for this
project.Select an image and click Launch.In the Launch Imagewindow, specify the
following:Enter an instance name to assign to the virtual
machine.From the Flavordrop-down list, select the size of the
virtual machine to launch.Select a keypair.In case an image uses a static root password or a
static key set (neither is recommended), you do not need
to provide a keypair to launch the instance.In Instance Count, enter the number of virtual
machines to launch from this image.Activate the security groups that you want to assign
to the instance.Security groups are a kind of cloud firewall that
define which incoming network traffic should be forwarded to
instances. For details, seethe section called “Add security group
rules”.If you have not created any specific security groups,
you can only assign the instance to the default security
group.If you want to boot from volume, click the respective
entry to expand its options. Set the options as described
inthe section called “Launch an instance from a
volume”.Click Launch Instance. The instance is started on any
of the compute nodes in the cloud.After you have launched an instance, switch to the
Instancescategory to view the instance name, its (private or
public) IP address, size, status, task, and power
state.Figure 5. OpenStack dashboard – InstancesIf you did not provide a keypair, security groups, or
rules so far, by default the instance can only be accessed
from inside the cloud through VNC at this point. Even pinging
the instance is not possible. To access the instance through a
VNC console, seethe section called “Get a console to an
instance”.Launch an instance from a volumeYou can launch an instance directly from an image that has
been copied to a persistent volume.In that case, the instance is booted from the volume,
which is provided by nova-volume, through iSCSI.For preparation details, seethe section called “Create or delete a
volume”.To boot an instance from the volume, especially note the
following steps:To be able to select from which volume to boot, launch
an instance from an arbitrary image. The image you select
does not boot. It is replaced by the image on the volume
that you choose in the next steps.In case you want to boot a Xen image from a volume,
note the following requirement: The image you launch in
must be the same type, fully virtualized or
paravirtualized, as the one on the volume.Select the volume or volume snapshot to boot
from.Enter a device name. Enter vda for KVM images or xvda
for Xen images.To launch an instance from a volumeYou can launch an instance directly from one of the images
available through the OpenStack Image Service or from an image
that you have copied to a persistent volume. When you launch
an instance from a volume, the procedure is basically the same
as when launching an instance from an image in OpenStack Image
Service, except for some additional steps.Create a volume as described inthe section called “Create or delete a
volume”.It must be large enough to store an unzipped
image.Create an image.For details, see Creating images manually in the
OpenStack Virtual Machine Image Guide.
Launch an instance.Attach the volume to the instance as described inthe section called “Attach volumes to
instances”.Assuming that the attached volume is mounted as
/dev/vdb, use one of the following commands to copy the
image to the attached volume:For a raw image:$ cat IMAGE >/dev/nullAlternatively, use dd.For a non-raw image:$ qemu-img convert -O raw IMAGE /dev/vdbFor a *.tar.bz2 image:$ tar xfjO IMAGE >/dev/nullOnly detached volumes are available for booting.
Detach the volume.To launch an instance from the volume, continue
withthe section called “Launch an instance from an
image”.You can launch an instance directly from one of the
images available through the OpenStack Image Service. When
you do that, OpenStack creates a local copy of the image
on the respective compute node where the instance is
started.SSH in to your instanceTo SSH into your instance, you use the downloaded keypair
file.To SSH into your instanceCopy the IP address for your instance.Use the SSH command to make a secure connection to the
instance. For example:$ ssh -i MyKey.pem ubuntu@10.0.0.2A prompt asks, "Are you sure you want to continue
connection (yes/no)?" Type yes and you have successfully
connected.Manage instancesCreate instance snapshotsTo create instance snapshotsLog in to the OpenStack dashboard.If you are a member of multiple projects, select a
project from the drop-down list at the top of the
Projecttab.Click the Instancescategory.The dashboard lists the instances that are available
for this project.Select the instance of which to create a snapshot.
From the Actionsdrop-down list, select Create
Snapshot.In the Create Snapshotwindow, enter a name for the
snapshot. Click Create Snapshot. The dashboard shows the
instance snapshot in the Images &
Snapshotscategory.To launch an instance from the snapshot, select the
snapshot and click Launch. Proceed withthe section called “Launch an instance from an
image”.Control the state of an instanceTo control the state of an instanceLog in to the OpenStack dashboard.If you are a member of multiple projects, select a
project from the drop-down list at the top of the
Projecttab.Click the Instancescategory.The dashboard lists the instances that are available
for this project.Select the instance for which you want to change the
state.In the Moredrop-down list in the Actionscolumn,
select the state.Depending on the current state of the instance, you
can choose to pause, un-pause, suspend, resume, soft or
hard reboot, or terminate an instance.Track usageUse the dashboard's Overviewcategory to track usage of
instances for each project.You can track costs per month by showing metrics like
number of VCPUs, disks, RAM, and uptime of all your
instances.To track usageIf you are a member of multiple projects, select a
project from the drop-down list at the top of the
Projecttab.Select a month and click Submitto query the instance
usage for that month.Click Download CSV Summaryto download a CVS
summary.Manage volumesVolumes are block storage devices that you can attach to
instances. They allow for persistent storage as they can be
attached to a running instance, or detached and attached to
another instance at any time.In contrast to the instance's root disk, the data of volumes
is not destroyed when the instance is deleted.Create or delete a volumeTo create or delete a volumeLog in to the OpenStack dashboard.If you are a member of multiple projects, select a
Projectfrom the drop-down list at the top of the
tab.Click the Volumescategory.To create a volumeClick Create Volume.In the window that opens, enter a name to assign to a
volume, a description (optional), and define the size in
GBs.Confirm your changes.The dashboard shows the volume in the
Volumescategory.To delete one or multiple volumesActivate the checkboxes in front of the volumes that
you want to delete.Click Delete Volumesand confirm your choice in the
pop-up that appears.A message indicates whether the action was
successful.After you create one or more volumes, you can attach them
to instances.You can attach a volume to one instance at a time.View the status of a volume in the Instances &
Volumescategory of the dashboard: the volume is either
available or In-Use.Attach volumes to instancesTo attach volumes to instancesLog in to OpenStack dashboard.If you are a member of multiple projects, select a
Projectfrom the drop-down list at the top of the
tab.Click the Volumescategory.Select the volume to add to an instance and click Edit
Attachments.In the Manage Volume Attachmentswindow, select an
instance.Enter a device name under which the volume should be
accessible on the virtual machine.Click Attach Volumeto confirm your changes. The
dashboard shows the instance to which the volume has been
attached and the volume's device name.Now you can log in to the instance, mount the disk,
format it, and use it.To detach a volume from an instanceSelect the volume and click Edit Attachments.Click Detach Volumeand confirm your changes.A message indicates whether the action was
successful.OpenStack command-line clientsOverviewYou can use the OpenStack command-line clients to run
simple commands that make API calls and automate tasks by
using scripts. Internally, each client command runs cURL
commands that embed API requests. The OpenStack APIs are
RESTful APIs that use the HTTP protocol, including methods,
URIs, media types, and response codes.These open-source Python clients run on Linux or Mac OS X
systems and are easy to learn and use. Each OpenStack service
has its own command-line client. On some client commands, you
can specify a debugparameter to show the underlying API
request for the command. This is a good way to become familiar
with the OpenStack API calls.The following command-line clients are available for the
respective services' APIs:cinder(python-cinderclient)Client for the Block Storage Service API. Use to create
and manage volumes.glance(python-glanceclient)Client for the Image Service API. Use to create and manage
images.keystone(python-keystoneclient)Client for the Identity Service API. Use to create and
manage users, tenants, roles, endpoints, and
credentials.nova(python-novaclient)Client for the Compute API and its extensions. Use to
create and manage images, instances, and flavors.neutron(python-neutronclient)Client for the Networking API. Use to configure networks
for guest servers. This client was previously known as
neutron.swift(python-swiftclient)Client for the Object Storage API. Use to gather
statistics, list items, update metadata, upload, download and
delete files stored by the object storage service. Provides
access to a swift installation for ad hoc processing.heat(python-heatclient)Client for the Orchestration API. Use to launch stacks
from templates, view details of running stacks including
events and resources, and update and delete stacks.Install the OpenStack command-line clientsTo install the clients, install the prerequisite software
and the Python package for each OpenStack client.Install the clientsUse pipto install the OpenStack clients on a Mac OS X
or Linux system. It is easy and ensures that you get the
latest version of the client from thePython Package
Index. Also, piplets you update or remove a
package. After you install the clients, you must source an
openrc file to set required environment variables before you
can request OpenStack services through the clients or the
APIs.To install the clientsYou must install each client separately.Run the following command to install or update a
client package:$ sudo pip install [--update]
python-<project>clientWhere <project> is the project name and has one
of the following values:nova. Compute API and extensions.neutron. Networking API.keystone. Identity Service API.glance. Image Service API.swift. Object Storage API.cinder. Block Storage Service API.heat. Orchestration API.For example, to install the nova client, run the
following command:$ sudo pip install python-novaclientTo update the nova client, run the following
command:$ sudo pip install --upgrade
python-novaclientTo remove the nova client, run the following
command:$ sudo pip uninstall python-novaclientBefore you can issue client commands, you must
download and source the openrc file to set environment
variables. Proceed tothe section called “OpenStack RC file”.Get the version for a clientAfter you install an OpenStack client, you can search for
its version number, as follows:$ pip freeze | grep python-python-glanceclient==0.4.0python-keystoneclient==0.1.2-e
git+https://github.com/openstack/python-novaclient.git@077cc0bf22e378c4c4b970f2331a695e440a939f#egg=python_novaclient-devpython-neutronclient==0.1.1python-swiftclient==1.1.1You can also use the yolk -lcommand to see which version of
the client is installed:$ yolk -l | grep python-novaclientpython-novaclient - 2.6.10.27 - active development
(/Users/your.name/src/cloud-servers/src/src/python-novaclient)python-novaclient
- 2012.1 - non-activeOpenStack RC fileTo set the required environment variables for the OpenStack
command-line clients, you must download and source an
environment file, openrc.sh. It is project-specific and contains
the credentials used by OpenStack Compute, Image, and Identity
services.When you source the file and enter the password, environment
variables are set for that shell. They allow the commands to
communicate to the OpenStack services that run in the
cloud.You can download the file from the OpenStack dashboard as an
administrative user or any other user.To download the OpenStack RC fileLog in to the OpenStack dashboard.On the Projecttab, select the project for which you
want to download the OpenStack RC file.Click Access & Security. Then, click Download
OpenStack RC Fileand save the file.Copy the openrc.sh file to the machine from where you
want to run OpenStack commands.For example, copy the file to the machine from where you
want to upload an image with a glance client command.On any shell from where you want to run OpenStack
commands, source the openrc.sh file for the respective
project.In this example, we source the demo-openrc.sh file for
the demo project:$ source demo-openrc.shWhen you are prompted for an OpenStack password, enter
the OpenStack password for the user who downloaded the
openrc.sh file.When you run OpenStack client commands, you can override
some environment variable settings by using the options that
are listed at the end of the nova helpoutput. For example,
you can override the OS_PASSWORD setting in the openrc.sh
file by specifying a password on a nova command, as
follows:$ nova --password <password> image-listWhere password is your password.Manage imagesDuring setup of OpenStack cloud, the cloud operator sets
user permissions to manage images.Image upload and management might be restricted to only
cloud administrators or cloud operators.After you upload an image, it is considered golden and you
cannot change it.You can upload images through the glance client or the Image
Service API. You can also use the nova client to list images,
set and delete image metadata, delete images, and take a
snapshot of a running instance to create an image.Manage images with the glance clientTo list or get details for imagesTo list the available images:$ glance image-listYou can use grep to filter the list, as
follows:$ glance image-list | grep 'cirros'To get image details, by name or ID:$ glance image-show myCirrosImageTo add an imageThe following example uploads a CentOS 6.3 image in
qcow2 format and configures it for public access:$glance image-create --name centos63-image
--disk-format=qcow2 --container-format=bare
--is-public=True ./centos63.qcow2To create an imageWrite any buffered data to disk.For more information, see theTaking Snapshots in the OpenStack Operations
Guide.To create the image, list instances to get the server
ID:$ nova listIn this example, the server is named myCirrosServer.
Use this server to create a snapshot, as follows:$ nova image-create myCirrosServer
myCirrosImageThe command creates a qemu snapshot and automatically
uploads the image to your repository. Only the tenant that
creates the image has access to it.Get details for your image to check its status:$ nova image-show IMAGEThe image status changes from SAVING to ACTIVE. Only
the tenant who creates the image has access to it.To launch an instance from your imageTo launch an instance from your image, include the
image ID and flavor ID, as follows:$ nova boot newServer --image
7e5142af-1253-4634-bcc6-89482c5f2e8a --flavor 3Troubleshoot image creationYou cannot create a snapshot from an instance that
has an attached volume. Detach the volume, create the
image, and re-mount the volume.Make sure the version of qemu you are using is
version 0.14 or greater. Older versions of qemu result
in an "unknown option -s" error message in the
nova-compute.log.Examine the /var/log/nova-api.log and
/var/log/nova-compute.log log files for error
messages.Set up access and security for instancesWhen you launch a virtual machine, you can inject a key
pair, which provides SSH access to your instance. For this to
work, the image must contain the cloud-init package. Create at
least one key pair for each project. If you generate a keypair
with an external tool, you can import it into OpenStack. You can
use the keypair for multiple instances that belong to that
project. In case an image uses a static root password or a
static key set – neither is recommended – you must not provide a
keypair when you launch the instance.A security group is a named collection of network access
rules that you use to limit the types of traffic that have
access to instances. When you launch an instance, you can assign
one or more security groups to it. If you do not create security
groups, new instances are automatically assigned to the default
security group, unless you explicitly specify a different
security group. The associated rules in each security group
control the traffic to instances in the group. Any incoming
traffic that is not matched by a rule is denied access by
default. You can add rules to or remove rules from a security
group. You can modify rules for the default and any other
security group.You must modify the rules for the default security group
because users cannot access instances that use the default group
from any IP address outside the cloud.You can modify the rules in a security group to allow access
to instances through different ports and protocols. For example,
you can modify rules to allow access to instances through SSH,
to ping them, or to allow UDP traffic – for example, for a DNS
server running on an instance. You specify the following
parameters for rules:Source of traffic. Enable traffic to instances from
either IP addresses inside the cloud from other group
members or from all IP addresses.Protocol. Choose TCP for SSH, ICMP for pings, or
UDP.Destination port on virtual machine. Defines a port
range. To open a single port only, enter the same value
twice. ICMP does not support ports: Enter values to define
the codes and types of ICMP traffic to be allowed.Rules are automatically enforced as soon as you create or
modify them.You can also assign a floating IP address to a running
instance to make it accessible from outside the cloud. You
assign a floating IP address to an instance and attach a block
storage device, or volume, for persistent storage.Set up access and security for instancesWhen you launch a virtual machine, you can inject a key
pair, which provides SSH access to your instance. For this to
work, the image must contain the cloud-init package. Create at
least one key pair for each project. If you generate a keypair
with an external tool, you can import it into OpenStack. You can
use the key pair for multiple instances that belong to that
project. In case an image uses a static root password or a
static key set – neither is recommended – you must not provide a
key pair when you launch the instance.A security group is a named collection of network access
rules that you use to limit the types of traffic that have
access to instances. When you launch an instance, you can assign
one or more security groups to it. If you do not create security
groups, new instances are automatically assigned to the default
security group, unless you explicitly specify a different
security group. The associated rules in each security group
control the traffic to instances in the group. Any incoming
traffic that is not matched by a rule is denied access by
default. You can add rules to or remove rules from a security
group. You can modify rules for the default and any other
security group.You must modify the rules for the default security group
because users cannot access instances that use the default group
from any IP address outside the cloud.You can modify the rules in a security group to allow access
to instances through different ports and protocols. For example,
you can modify rules to allow access to instances through SSH,
to ping them, or to allow UDP traffic – for example, for a DNS
server running on an instance. You specify the following
parameters for rules:Source of traffic. Enable traffic to instances from
either IP addresses inside the cloud from other group
members or from all IP addresses.Protocol. Choose TCP for SSH, ICMP for pings, or
UDP.Destination port on virtual machine. Defines a port
range. To open a single port only, enter the same value
twice. ICMP does not support ports: Enter values to define
the codes and types of ICMP traffic to be allowed.Rules are automatically enforced as soon as you create or
modify them.You can also assign a floating IP address to a running
instance to make it accessible from outside the cloud. You
assign a floating IP address to an instance and attach a block
storage device, or volume, for persistent storage.Add or import keypairsTo add a keyYou can generate a keypair or upload an existing public
key.To generate a keypair, run the following
command:$ nova keypair-add KEY_NAME > MY_KEY.pemThe command generates a keypair named KEY_NAME, writes
the private key to the MY_KEY.pem file, and registers the
public key at the Nova database.To set the permissions of the MY_KEY.pem file, run the
following command:$ chmod 600 MY_KEY.pemThe command changes the permissions of the MY_KEY.pem
file so that only you can read and write to it.To import a keyIf you have already generated a keypair with the
public key located at ~/.ssh/id_rsa.pub, run the following
command to upload the public key:$ nova keypair-add --pub_key ~/.ssh/id_rsa.pub
KEY_NAMEThe command registers the public key at the Nova
database and names the keypair KEY_NAME.List keypairs to make sure that the uploaded keypair
appears in the list:$ nova keypair-listConfigure security groups and rulesTo configure security groupsTo list all security groupsTo list security groups for the current project,
including descriptions, enter the following
command:$ nova secgroup-listTo create a security groupTo create a security group with a specified name and
description, enter the following command:$ nova secgroup-create SEC_GROUP_NAME
GROUP_DESCRIPTIONTo delete a security groupTo delete a specified group, enter the following
command:$ nova secgroup-delete SEC_GROUP_NAMETo configure security group rulesModify security group rules with the nova
secgroup-*-rulecommands.On a shell, source the OpenStack RC file. For details,
seethe section called “OpenStack RC file”.To list the rules for a security group$ nova secgroup-list-rules SEC_GROUP_NAMETo allow SSH access to the instancesChoose one of the following sub-steps:Add rule for all IPsEither from all IP addresses (specified as IP subnet
in CIDR notation as 0.0.0.0/0):$ nova secgroup-add-rule SEC_GROUP_NAME tcp 22 22
0.0.0.0/0Add rule for security groupsAlternatively, you can allow only IP addresses from
other security groups (source groups) to access the
specified port:$ nova secgroup-add-group-rule --ip_proto tcp
--from_port 22 \ --to_port 22 SEC_GROUP_NAME
SOURCE_GROUP_NAMETo allow pinging the instancesChoose one of the following sub-steps:To allow pinging from IPsSpecify all IP addresses as IP subnet in CIDR
notation: 0.0.0.0/0. This command allows access to all
codes and all types of ICMP traffic, respectively:$ nova secgroup-add-rule SEC_GROUP_NAME icmp -1 -1
0.0.0.0/0To allow pinging from other security groupsTo allow only members of other security groups (source
groups) to ping instances:$ nova secgroup-add-group-rule --ip_proto icmp
--from_port -1 \ --to_port -1 SEC_GROUP_NAME
SOURCE_GROUP_NAMETo allow access through UDP portTo allow access through a UDP port, such as allowing
access to a DNS server that runs on a VM, complete one of
the following sub-steps:To allow UDP access from IPsSpecify all IP addresses as IP subnet in CIDR
notation: 0.0.0.0/0.$ nova secgroup-add-rule SEC_GROUP_NAME udp 53 53
0.0.0.0/0To allow UDP accessTo allow only IP addresses from other security groups
(source groups) to access the specified port:$ nova secgroup-add-group-rule --ip_proto udp
--from_port 53 \ --to_port 53 SEC_GROUP_NAME
SOURCE_GROUP_NAMETo delete a security group rule, specify the same
arguments that you used to create the rule.To delete the security rule that you created inStep 3.a:$ nova secgroup-delete-rule SEC_GROUP_NAME tcp 22 22
0.0.0.0/0To delete the security rule that you created inStep 3.b:$ nova secgroup-delete-group-rule --ip_proto tcp
--from_port 22 \ --to_port 22 SEC_GROUP_NAME
SOURCE_GROUP_NAMELaunch instancesInstances are virtual machines that run inside the
cloud.Before you can launch an instance, you must gather
parameters such as the image and flavor from which you want to
launch your instance.You can launch an instance directly from one of the
available OpenStack images or from an image that you have copied
to a persistent volume. The OpenStack Image Service provides a
pool of images that are accessible to members of different
projects.Gather parameters to launch an instanceTo launch an instance, you must specify the following
parameters:The instance source, which is an image or snapshot.
Alternatively, you can boot from a volume, which is block
storage, to which you've copied an image or
snapshot.The imageor snapshot, which represents the operating
system.A namefor your instance.The flavorfor your instance, which defines the
compute, memory, and storage capacity of nova computing
instances. A flavor is an available hardware configuration
for a server. It defines the "size" of a virtual server
that can be launched. For more details and a list of
default flavors available, see Section 1.5, "Managing
Flavors," (⇽ User Guide for Administrators ).User Data is a special key in the metadata service
which holds a file that cloud aware applications within
the guest instance can access. For example thecloudinitsystem is an open source package from
Ubuntu that handles early initialization of a cloud
instance that makes use of this user data.Access and security credentials, which include one or
both of the following credentials:A key-pair for your instance, which are SSH
credentials that are injected into images when they are
launched. For this to work, the image must contain the
cloud-init package. Create at least one keypair for each
project. If you already have generated a key-pair with an
external tool, you can import it into OpenStack. You can
use the keypair for multiple instances that belong to that
project. For details, refer to Section 1.5.1, Creating or
Importing Keys.A security group, which defines which incoming network
traffic is forwarded to instances. Security groups hold a
set of firewall policies, known as security group rules.
For details, see xx.If needed, you can assign a floating (public) IP
addressto a running instance and attach a block storage
device, or volume, for persistent storage. For details,
see Section 1.5.3, Managing IP Addresses and Section 1.7,
Managing Volumes.After you gather the parameters you need to launch an
instance, you can launch it from animageor avolume.To gather the parameters to launch an instanceOn a shell, source the OpenStack RC file.List the available flavors:$ nova flavor-listNote the ID of the flavor that you want to use for
your instance.List the available images:$ nova image-listYou can also filter the image list by using grep to
find a specific image, like this:$ nova image-list | grep 'kernel'Note the ID of the image that you want to boot your
instance from.List the available security groups:$ nova secgroup-list --all-tenantsIf you have not created any security groups, you can
assign the instance to only the default security
group.You can also list rules for a specified security
group:$ nova secgroup-list-rules defaultIn this example, the default security group has been
modified to allow HTTP traffic on the instance by
permitting TCP traffic on Port 80.List the available keypairs.$ nova keypair-listNote the name of the keypair that you use for SSH
access.Launch an instance from an imageUse this procedure to launch an instance from an
image.To launch an instance from an imageNow you have all parameters required to launch an
instance, run the following command and specify the server
name, flavor ID, and image ID. Optionally, you can provide
a key name for access control and security group for
security. You can also include metadata key and value
pairs. For example you can add a description for your
server by providing the --meta description="My
Server"parameter.You can pass user data in a file on your local system
and pass it at instance launch by using the flag
--user-data <user-data-file>.$ nova boot --flavor FLAVOR_ID --image IMAGE_ID
--key_name KEY_NAME --user-data mydata.file \
--security_group SEC_GROUP NAME_FOR_INSTANCE --meta
KEY=VALUE --meta KEY=VALUEThe command returns a list of server properties,
depending on which parameters you provide.A status of BUILD indicates that the instance has
started, but is not yet online.A status of ACTIVE indicates that your server is
active.Copy the server ID value from the id field in the
output. You use this ID to get details for or delete your
server.Copy the administrative password value from the
adminPass field. You use this value to log into your
server.Check if the instance is online:$ nova listThis command lists all instances of the project you
belong to, including their ID, their name, their status,
and their private (and if assigned, their public) IP
addresses.If the status for the instance is ACTIVE, the instance
is online.To view the available options for the nova
listcommand, run the following command:$ nova help listIf you did not provide a keypair, security groups, or
rules, you can only access the instance from inside the
cloud through VNC. Even pinging the instance is not
possible.Launch an instance from a volumeAfter youcreate a bootable volume, youlaunch an instance from the volume.To launch an instance from a volumeTo create a bootable volumeTo create a volume from an image, run the following
command:# cinder create --image-id
397e713c-b95b-4186-ad46-6126863ea0a9 --display-name
my-bootable-vol 8Optionally, to configure your volume, see the
Configuring Image Service and Storage for Computechapter
in the OpenStack Configuration Reference.To list volumesEnter the following command:$ nova volume-listCopy the value in the ID field for your volume.To launch an instanceEnter the nova boot command with the
--block_device_mapping parameter, as follows:$ nova boot --flavor <flavor>
--block_device_mapping
<dev_name>=<id>:<type>:<size>:<delete_on_terminate>
<name>The command arguments are:--flavor flavorThe flavor ID.--block_device_mapping dev-
name=id:type:size:delete-on-terminatedev-name. A device name where the volume is attached
in the system at /dev/dev_name. This value is typically
vda.id. The ID of the volume to boot from, as shown in the
output of nova volume-list.type. Either snap or any other value, including a
blank string. snap means that the volume was created from
a snapshot.size. The size of the volume, in GBs. It is safe to
leave this blank and have the Compute service infer the
size.delete-on-terminate. A boolean that indicates whether
the volume should be deleted when the instance is
terminated. You can specifyTrue or 1False or 0nameThe name for the server.For example, you might enter the following command to
boot from a volume with ID
bd7cf584-45de-44e3-bf7f-f7b50bf235e. The volume is not
deleted when the instance is terminated:$ nova boot --flavor 2 --image
397e713c-b95b-4186-ad46-6126863ea0a9
--block_device_mapping
vda=bd7cf584-45de-44e3-bf7f-f7b50bf235e3:::0
myInstanceFromVolumeNow when you list volumes, you can see that the volume
is attached to a server:$ nova volume-listAdditionally, when you list servers, you see the
server that you booted from a volume:$ nova listManage instances and hostsInstances are virtual machines that run inside the
cloud.Manage IP addressesEach instance can have a private, or fixed, IP address and
a public, or floating, one.Private IP addresses are used for communication between
instances, and public ones are used for communication with the
outside world.When you launch an instance, it is automatically assigned
a private IP address that stays the same until you explicitly
terminate the instance. Rebooting an instance has no effect on
the private IP address.A pool of floating IPs, configured by the cloud operator,
is available in OpenStack Compute.You can allocate a certain number of these to a project:
The maximum number of floating IP addresses per project is
defined by the quota.You can add a floating IP address from this set to an
instance of the project. Floating IP addresses can be
dynamically disassociated and associated with other instances
of the same project at any time.Before you can assign a floating IP address to an
instance, you first must allocate floating IPs to a project.
After floating IP addresses have been allocated to the current
project, you can assign them to running instances.One floating IP address can be assigned to only one
instance at a time. Floating IP addresses can be managed with
the nova *floating-ip-*commands, provided by the
python-novaclient package.To list pools with floating IP addressesTo list all pools that provide floating IP
addresses:$ nova floating-ip-pool-listTo allocate a floating IP address to the current
projectThe output of the following command shows the freshly
allocated IP address:$ nova floating-ip-pool-listIf more than one pool of IP addresses is available,
you can also specify the pool from which to allocate the
IP address:$ floating-ip-create POOL_NAMETo list floating IP addresses allocated to the current
projectIf an IP is already associated with an instance, the
output also shows the IP for the instance, thefixed IP
address for the instance, and the name of the pool that
provides the floating IP address.$ nova floating-ip-listTo release a floating IP address from the current
projectThe IP address is returned to the pool of IP addresses
that are available for all projects. If an IP address is
currently assigned to a running instance, it is
automatically disassociated from the instance.$ nova floating-ip-delete FLOATING_IPTo assign a floating IP address to an instanceTo associate an IP address with an instance, one or
multiple floating IP addresses must be allocated to the
current project. Check this with:$ nova floating-ip-listIn addition, you must know the instance's name (or
ID). To look up the instances that belong to the current
project, use the nova list command.$ nova add-floating-ip INSTANCE_NAME_OR_ID
FLOATING_IPAfter you assign the IP with nova add-floating-ipand
configure security group rules for the instance, the
instance is publicly available at the floating IP
address.To remove a floating IP address from an instanceTo remove a floating IP address from an instance, you
must specify the same arguments that you used to assign
the IP.$ nova remove-floating-ip INSTANCE_NAME_OR_ID
FLOATING_IPChange the size of your
serverYou change the size of a server by changing its
flavor.To change the size of your serverList the available flavors:$ nova flavor-listShow information about your server, including its
size:$ nova show myCirrosServerThe size of the server is m1.small (2).To resize the server, pass the server ID and the
desired flavor to the nova resizecommand. Include the
--poll parameter to report the resize progress.$ nova resize myCirrosServer 4 --pollInstance resizing... 100% completeFinishedShow the status for your server:$ nova listWhen the resize completes, the status becomes
VERIFY_RESIZE. To confirm the resize:$ nova resize-confirm
6beefcf7-9de6-48b3-9ba9-e11b343189b3The server status becomes ACTIVE.If the resize fails or does not work as expected, you
can revert the resize:$ nova resize-revert
6beefcf7-9de6-48b3-9ba9-e11b343189b3The server status becomes ACTIVE.Stop and start an instanceUse one of the following methods to stop and start an
instance.Pause and un-pause an instanceTo pause and un-pause a serverTo pause a server, run the following command:$ nova pause SERVERThis command stores the state of the VM in RAM. A
paused instance continues to run in a frozen
state.To un-pause the server, run the following
command:$ nova unpause SERVERSuspend and resume an instanceTo suspend and resume a serverAdministrative users might want to suspend an
infrequently used instance or to perform system
maintenance.When you suspend an instance, its VM state is stored
on disk, all memory is written to disk, and the virtual
machine is stopped. Suspending an instance is similar to
placing a device in hibernation; memory and vCPUs become
available.To initiate a hypervisor-level suspend operation,
run the following command:$ nova suspend SERVERTo resume a suspended server:$ nova resume SERVERReboot an instanceYou can perform a soft or hard reboot of a running
instance. A soft reboot attempts a graceful shutdown and
restart of the instance. A hard reboot power cycles the
instance.To reboot a serverBy default, when you reboot a server, it is a soft
reboot.$ nova reboot SERVERTo perform a hard reboot, pass the --hard parameter, as
follows:$ nova reboot --hard SERVEREvacuate instancesIf a cloud compute node fails due to a hardware
malfunction or another reason, you can evacuate instances to
make them available again.You can choose evacuation parameters for your use
case.To preserve user data on server disk, you must configure
shared storage on the target host. Also, you must validate
that the current VM host is down. Otherwise the evacuation
fails with an error.To evacuate your serverTo find a different host for the evacuated instance,
run the following command to lists hosts:$ nova host-listYou can pass the instance password to the command by
using the --password <pwd> option. If you do not
specify a password, one is generated and printed after the
command finishes successfully. The following command
evacuates a server without shared storage:$ nova evacuate evacuated_server_name host_bThe command evacuates an instance from a down host to
a specified host. The instance is booted from a new disk,
but preserves its configuration including its ID, name,
uid, IP address, and so on. The command returns a
password:To preserve the user disk data on the evacuated
server, deploy OpenStack Compute with shared
filesystem.$ nova evacuate evacuated_server_name host_b
--on-shared-storageDelete an instanceWhen you no longer need an instance, you can delete
it.To delete an instanceList all instances:$ nova listUse the following command to delete the newServer
instance, which is in ERROR state:$ nova delete newServerThe command does not notify that your server was
deleted.Instead, run the nova listcommand:$ nova listThe deleted instance does not appear in the
list.Get a console to an instanceTo get a console to an instanceTo get a VNC console to an instance, run the following
command:$ nova get-vnc-console myCirrosServer xvpvncThe command returns a URL from which you can access your
instance:Manage bare metal nodesIf you use the bare metal driver, you must create a bare
metal node and add a network interface to it. You then launch
an instance from a bare metal image. You can list and delete
bare metal nodes. When you delete a node, any associated
network interfaces are removed. You can list and remove
network interfaces that are associated with a bare metal
node.Commandsbaremetal-interface-addAdds a network interface to a bare metal node.baremetal-interface-listLists network interfaces associated with a bare metal
node.baremetal-interface-removeRemoves a network interface from a bare metal
node.baremetal-node-createCreates a bare metal node.baremetal-node-deleteRemoves a bare metal node and any associated
interfaces.baremetal-node-listLists available bare metal nodes.baremetal-node-showShows information about a bare metal node.To manage bare metal nodesCreate a bare metal node.$ nova baremetal-node-create --pm_address=1.2.3.4
--pm_user=ipmi --pm_password=ipmi $(hostname -f) 1 512 10
aa:bb:cc:dd:ee:ffAdd network interface information to the node:$ nova baremetal-interface-add 1
aa:bb:cc:dd:ee:ffLaunch an instance from a bare metal image:$ nova boot --image my-baremetal-image --flavor
my-baremetal-flavor test|... wait for instance to become active ...You can list bare metal nodes and interfaces. When a
node is in use, its status includes the UUID of the
instance that runs on it:$ nova baremetal-node-listShow details about a bare metal node:$ nova baremetal-node-show 1Show usage statistics for hosts and instancesYou can show basic statistics on resource usage for hosts
and instances.To show host usage statisticsList the hosts and the nova-related services that run
on them:$ nova host-listGet a summary of resource usage of all of the
instances running on the host.$ nova host-describe devstack-grizzlyThe cpu column shows the sum of the virtual CPUs for
instances running on the host.The memory_mb column shows the sum of the memory (in
MB) allocated to the instances that run on the
hosts.The disk_gb column shows the sum of the root and
ephemeral disk sizes (in GB) of the instances that run on
the hosts.To show instance usage statisticsGet CPU, memory, I/O, and network statistics for an
instance.First, list instances:$ nova listThen, get diagnostic statistics:$ nova diagnostics myCirrosServerGet summary statistics for each tenant:$ nova usage-listUsage from 2013-06-25 to 2013-07-24:Create and manage networksBefore you run commands, set the following environment
variables:export OS_USERNAME=adminexport OS_PASSWORD=passwordexport
OS_TENANT_NAME=adminexport
OS_AUTH_URL=http://localhost:5000/v2.0To create and manage networksList the extensions of the system:$ neutron ext-list -c alias -c nameCreate a network:$ neutron net-create net1Created a new network:Create a network with specified provider network
type:$ neutron net-create net2 --provider:network-type
localCreated a new network:Just as shown previous, the unknown option
--provider:network-type is used to create a local provider
network.Create a subnet:$ neutron subnet-create net1 192.168.2.0/24 --name
subnet1Created a new subnet:In the previous command, net1 is the network name,
192.168.2.0/24 is the subnet's CIDR. They are positional
arguments. --name subnet1 is an unknown option, which
specifies the subnet's name.Create a port with specified IP address:$ neutron port-create net1 --fixed-ip
ip_address=192.168.2.40Created a new port:In the previous command, net1 is the network name, which
is a positional argument. --fixed-ip ip_address=192.168.2.40
is an option, which specifies the port's fixed IP address we
wanted.Create a port without specified IP address:$ neutron port-create net1Created a new port:We can see that the system will allocate one IP address
if we don't specify the IP address in command line.Query ports with specified fixed IP addresses:$ neutron port-list --fixed-ips ip_address=192.168.2.2
ip_address=192.168.2.40--fixed-ips ip_address=192.168.2.2
ip_address=192.168.2.40 is one unknown option.How to find unknown options?The unknown options can be
easily found by watching the output of create_xxx or
show_xxx command. For example, in the port creation command,
we see the fixed_ips fields, which can be used as an unknown
option.Create and manage stacksTo create a stack from an example template fileTo create a stack, or template, from anexample template file, run following
command:$ heat stack-create mystack
--template-file=/path/to/heat/templates/WordPress_Single_Instance.template--parameters="InstanceType=m1.large;DBUsername=wp;DBPassword=verybadpassword;KeyName=heat_key;LinuxDistribution=F17"The --parameters values that you specify depend on which
parameters are defined in the template. If the template file
is hosted on a website, you can specify the URL with
--template-url parameter instead of the --template-file
parameter.The command returns the following output:You can also use the stack-createcommand to validate a
template file without creating a stack from it.To do so, run the following command:$ heat stack-create mystack
--template-file=/path/to/heat/templates/WordPress_Single_Instance.templateIf validation fails, the response returns an error
message.To list stacksTo see which stacks are visible to the current user, run
the following command:$ heat stack-listTo view stack detailsTo explore the state and history of a particular stack, you
can run a number of commands.To show the details of a stack, run the following
command:$ heat stack-show mystackA stack consists of a collection of resources. To list
the resources, including their status, in a stack, run the
following command:$ heat resource-list mystackTo show the details for the specified resource in a
stack, run the following command:$ heat resource-show mystack WikiDatabaseSome resources have associated metadata which can change
throughout the life-cycle of a resource:$ heat resource-metadata mystack WikiDatabaseA series of events is generated during the life-cycle of
a stack. This command will display those events.$ heat event-list mystackTo show the details for a particular event, run the
following command:$ heat event-show WikiDatabase 1To update a stackTo update an existing stack from a modified template
file, run a command like the following command:$ heat stack-update mystack
--template-file=/path/to/heat/templates/WordPress_Single_Instance_v2.template
--parameters="InstanceType=m1.large;DBUsername=wp;DBPassword=verybadpassword;KeyName=heat_key;LinuxDistribution=F17"Some resources are updated in-place, while others are
replaced with new resources.