OpenStack provides you with several tools to manage your OpenStack project: you can manage your project through both a web interface and command-line tools.
This tutorial walks you through all the steps necessary to create a new instance in OpenStack using command-line tools.
For the steps in this tutorial, the OpenStack command-line tools are required. In our 'OpenStack CLI tools installation' tutorial, we show you how to install these.
Adding a Keypair
An OpenStack key pair consists of the 'public key' and the 'private key' of an 'SSH key pair'. You use it in OpenStack to retrieve the password for a Windows Server instance or to set up an SSH connection to a Linux instance.
Our installation images use Cloud Init to place the key on the instance during its first start.
Start a terminal (Linux/MacOS) or PowerShell as administrator (Windows) and generate a key pair with the command:
openstack keypair create my_keypair > my_keypair.pem
For security reasons, it is recommended to only give the owner of the my_keypair.pem file read and write permissions. To do this, use the command:
chmod 600 my_keypair.pem
Windows users can do this by right-clicking the file in Explorer and selecting 'Properties'. In the 'Security' tab, click 'Advanced' and then click 'Disable Inheritance' > 'Apply'. Then select 'Edit' and remove all users except the desired user. Finally, click 'Apply' > 'OK'.
Creating Security Groups
A security group is essentially a form of a 'network-level firewall' and is a requirement for creating an OpenStack instance. It controls (in contrast to the firewall within your operating system) network-level traffic before it reaches the actual instance.
Creating a security group consists of the following steps:
- Create a security group.
- Delete all existing rules.
- Allow outbound traffic.
- Open specific ports (at least for RDP/SSH traffic).
Note that if you change the RDP/SSH port after creating your instance, you should also open the corresponding port in your security group before changing the port.
Step 1
Create a security group with the command:
openstack security group create <groupname>
Replace <groupname> with a name of your choice and leave out the angle brackets. Note that you'll also replace <groupname> with the name of your security group
Step 2
After creation, a security group can come with a set of predefined rules for various reasons. Delete these rules as follows in Linux/MacOS:
for RULE_ID in $(openstack security group rule list <groupname> -f value -c ID)
do
  openstack security group rule delete "$RULE_ID"
done
or in Windows PowerShell:
$rules = openstack security group rule list --security-group <groupname> -f value -c ID
$ruleIDs = $rules -split "`n"
foreach ($ruleID in $ruleIDs) {
    openstack security group rule delete $ruleID
}
Step 3
With all existing rules deleted, you can create new rules. Start by allowing all outbound traffic with the command:
openstack security group rule create --proto any --egress <groupname>
Replace
Step 4
Open specific ports as desired using the command:
openstack security group rule create --protocol tcp --dst-port <port> <groupname>
Replace tcp with udp if needed,
# Add rule for HTTP
openstack security group rule create --protocol tcp --dst-port 80 secgroup
# Add rule for HTTPS
openstack security group rule create --protocol tcp --dst-port 443 secgroup
# Add rule for SSH
openstack security group rule create --protocol tcp --dst-port 22 secgroup
# Add rule for RDP
openstack security group rule create --protocol tcp --dst-port 3389 secgroup
For completeness, below are some commonly used commands for managing and working with security groups that have not been covered yet. You do not need to execute these now; you can proceed directly to the next section.
Allow Ping (ICMP) Traffic
openstack security group rule create --protocol icmp <groupname>
Replace
Delete a Security Group
openstack security group delete <groupname>
Replace
Show Rules
openstack security group rule list
Delete Specific Rules
openstack security group rule delete $ID
Replace $ID with the ID as visible in the output of the 'openstack security group rule list
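The port rules in Step 4 are created without a source restriction, so SSH (22) and RDP (3389) accept connections from any address. The following Python script is an added example, not part of the original tutorial: it reads the JSON output of 'openstack security group rule list <groupname> -f json' and reports ingress rules that expose those ports to every source. The JSON keys are assumed to follow the CLI's column names, and the sample rules are constructed.

```python
import ipaddress
import json
import sys
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # management ports opened in Step 4

# Constructed sample; keys assumed to match the CLI's column names in -f json output.
SAMPLE = [
    {"ID": "rule-a", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0",
     "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "rule-b", "IP Protocol": "tcp", "IP Range": "203.0.113.0/24",
     "Port Range": "3389:3389", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "rule-c", "IP Protocol": None, "IP Range": "0.0.0.0/0",
     "Port Range": "", "Direction": "egress", "Remote Security Group": None},
    {"ID": "rule-d", "IP Protocol": "tcp", "IP Range": "::/0",
     "Port Range": "3000:4000", "Direction": "ingress", "Remote Security Group": None},
]

def covers(port_range, port):
    """True if a 'min:max' port range includes port; an empty range means all ports."""
    if not port_range:
        return True
    low, _, high = port_range.partition(":")
    return int(low) <= port <= int(high or low)

def any_source(rule):
    """True if the rule accepts traffic from every address (0.0.0.0/0, ::/0 or unset)."""
    if rule.get("Remote Security Group"):
        return False  # source is limited to members of another security group
    cidr = rule.get("IP Range")
    return not cidr or ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_admin_rules(rules):
    """Return (rule ID, service, source) for ingress rules exposing SSH/RDP to any source."""
    findings = []
    for rule in rules:
        if rule.get("Direction", "ingress") != "ingress":
            continue
        if rule.get("IP Protocol") not in (None, "", "any", "tcp"):
            continue
        if not any_source(rule):
            continue
        for port, service in ADMIN_PORTS.items():
            if covers(rule.get("Port Range"), port):
                findings.append((rule["ID"], service, rule.get("IP Range") or "any"))
    return findings

if __name__ == "__main__":
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for rule_id, service, source in exposed_admin_rules(rules):
        print(f"{rule_id}: {service} reachable from {source}")
```

Save the rule list to a file with '-f json' and pass that file as the first argument; a flagged rule can be deleted and recreated with --remote-ip set to the address range you administer the instance from.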
Creating a Private Network
If you only use the public internet and do not want to connect the instance to a private/internal network, proceed to the next section.
If you want to connect your instance to a private/internal network, follow the steps below to create the network and assign an IP subnet to it. For completeness, we also show how to view and delete networks and subnets.
Step 1
Create a private network using the command:
openstack network create <networkname>
Replace
Step 2
Next, assign a subnet (i.e., an IP range) to your private network.
openstack subnet create --network <networkname> --subnet-range 192.168.0.0/24 <subnetname>
- Replace <networkname> with the name of your private network.
- Replace <subnetname> with a name for your subnet.
This command automatically reserves the first IP address (here 192.168.0.1) as the default gateway.
You can now proceed directly to the next section. Below, we provide you with some commands for managing your private networks.
Show Subnets
openstack subnet list
Delete Subnets
openstack subnet delete $subnetID
Replace $subnetID with the ID of the subnet you want to delete (see the output of the command 'openstack subnet list').
Show Networks
openstack network list
Delete Networks
openstack network delete $networkID
Replace $networkID with the ID of the network you want to delete (see the output of the command 'openstack network list').
Creating an Instance
Step 1
For creating an instance, you need several pieces of information:
- The ID of the security group to which the instance will be attached.
- The IDs of the networks to which the instance will be attached (both public and private).
- The ID of the installation image you want to use on the instance.
- The ID of the flavor on which to create the instance.
- The name of the key pair you created in the first section.
Retrieve the IDs using the following commands:
openstack security group list
openstack network list
openstack image list
openstack flavor list
Take note of the following details:
- The ID of the security group you created in step 1 of the section 'Creating Security Groups'.
- The IDs of the private network you created in step 1 of the section 'Creating a Private Network' (if applicable), and those of the networks 'net-public' and 'net-public-ipv6'.
- The ID of the installation image or operating system you want to install.
- The IDs of the flavors on which you want to base the instance.
Step 2
Now, create an instance using this information. Replace placeholders like <ImageID> with the ID you noted in the previous step, <my_keypair> with the name of your key pair from the first section, and <demo_instance> with the name you want to give the instance (also remove the < >):
If not specified, the first available IP address within your subnet will be used for the private network. Automatically assigned available addresses will be used for your public IPv4 and IPv6 addresses.
Linux/MacOS:
openstack server create \
  --image <ImageID> \
  --flavor <FlavorID> \
  --key-name <my_keypair> \
  --network <PrivNetworkID> \
  --network <PubNetworkID> \
  --network <PubIPv6NetworkID> \
  --security-group <SecgroupID> \
  <demo_instance>
Windows PowerShell:
In Windows PowerShell, the entire command must be written on one line:
openstack server create --image <ImageID> --flavor <FlavorID> --key-name <my_keypair> --network <PrivNetworkID> --network <PubNetworkID> --network <PubIPv6NetworkID> --security-group <SecgroupID> <demo_instance>
An example with the security group 'demogroup', a private network 'demonetwork', installation based on Ubuntu 22.04 on a Standard 4GB flavor:
Linux/MacOS:
openstack server create \
  --image 6e4b4289-22d2-4c8b-8a61-18266e4f1a04 \
  --flavor 1004 \
  --key-name my_keypair \
  --network 03708997-16bd-43d8-9b51-24e3b3d6a759 \
  --network 81f28916-fb20-49e6-a8d9-622325069cac \
  --network 83f9a88b-c933-4586-ae8a-7a399ff794f8 \
  --security-group c6347cbb-f3cb-432b-8f9d-3f072cb78aec \
  demo_instance
Windows PowerShell:
In Windows PowerShell, the entire command must be written on one line:
openstack server create --image 6e4b4289-22d2-4c8b-8a61-18266e4f1a04 --flavor 1004 --key-name my_keypair --network 03708997-16bd-43d8-9b51-24e3b3d6a759 --network 81f28916-fb20-49e6-a8d9-622325069cac --network 83f9a88b-c933-4586-ae8a-7a399ff794f8 --security-group c6347cbb-f3cb-432b-8f9d-3f072cb78aec demo_instance
You will receive a confirmation that looks something like this:
+-----------------------------+-----------------------------------------------------------+
| Field                       | Value                                                     |
+-----------------------------+-----------------------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                                    |
| OS-EXT-AZ:availability_zone | AMS-EQ1                                                   |
| OS-EXT-STS:power_state      | NOSTATE                                                   |
| OS-EXT-STS:task_state       | scheduling                                                |
| OS-EXT-STS:vm_state         | building                                                  |
| OS-SRV-USG:launched_at      | None                                                      |
| OS-SRV-USG:terminated_at    | None                                                      |
| accessIPv4                  |                                                           |
| accessIPv6                  |                                                           |
| addresses                   |                                                           |
| adminPass                   | Rfgw7KjMmLsj                                              |
| config_drive                |                                                           |
| created                     | 2023-08-03T13:36:00Z                                      |
| flavor                      | Standard 4GB (1004)                                       |
| hostId                      |                                                           |
| id                          | 3614d853-0991-4a40-ba2f-9bcee920151b                      |
| image                       | Ubuntu 22.04 (LTS) (6e4b4289-22d2-4c8b-8a61-18266e4f1a04) |
| key_name                    | my_keypair                                                |
| name                        | demo_instance                                             |
| progress                    | 0                                                         |
| project_id                  | 45c8362ff22e4dfda722e999af592872                          |
| properties                  |                                                           |
| security_groups             | name='c6347cbb-f3cb-432b-8f9d-3f072cb78aec'               |
| status                      | BUILD                                                     |
| updated                     | 2023-08-03T13:36:00Z                                      |
| user_id                     | tip:a283a80bb8ff4d2a8db81eea7adec887                      |
| volumes_attached            |                                                           |
+-----------------------------+-----------------------------------------------------------+
Congratulations! Your instance has just been created. Useful information, such as the IP addresses assigned to the instance, can be viewed with the command:
openstack server show <demo_instance>
Replace