Once the basic OpenStack system is installed and running the next steps are to create virtual server instances that can route to and from the Internet. In order to make this happen we need to setup the correct networking topology, configure the local instance to utilize the new network, and ensure that the security/privacy settings are defined correctly. At the end of the tutorial we will be able to login to the newly created instance and be able to access the external network from the instance.
What about accessing the new instance from the Internet? We are leaving this topic for another tutorial where we will discuss how to setup the pools of floating IP addresses within Openstack and how to configure the correct routing and firewall rules.
First, login to the OpenStack controller node using the
_stack_ user created earlier, this will be the CenturyLink Cloud instance that owns the public IP and hosts the Horizon dashboard. Note that if you check the network via
_ifconfig_ this instance has the public IP and also has an associated private IP. This private IP is managed by the CenturyLink Cloud system, in a minute we will add a second private IP that is managed by the OpenStack Cloud system.
Remember, we are running a development version of OpenStack that has facilities to help contributors develop code. As such, it doesn't use the "standard" service interfaces for starting/stopping services but rather runs each of the processes via "screen". This allows a real time view of the development log messages and allows an easy method to switch between views.
_devstack_ directory run
_./rejoin-stack.sh_ to start the screen program and attach all of the
_devstack_ processes. Devstack runs all the processes in different screens, use 'control A' screen # to switch between them.
Also, since there are no services we cannot use service restarts. To restart a process go to the appropriate screen, 'control C' out (stop), up arrow (get the start command back), and then press ENTER.
Set the following environment variables to allow us to issue "nova" and "glance" commands.
$ export OS_USERNAME=admin $ export OS_PASSWORD=stack $ export OS_TENANT_NAME=admin $ export OS_AUTH_URL=http://10.120.85.14:5000/v2.0
Note that the OS_AUTH_URL is the private IP assigned when the CenturyLink Cloud created the instance. The file
_/etc/nova/nova.conf_ should have the following (if not, update to match):
flat_interface = eth0 flat_network_bridge = br100 vlan_interface = eth0 public_interface = br100 network_manager = nova.network.manager.FlatDHCPManager firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
Edit the file to add the following:
network_size = 254 allow_same_net_traffic = False multi-host = True send_arp_for_ha = True share_dhcp_address = True force_dhcp_release = True
There are a couple of networking changes we need to make to ensure that network traffic is correctly routed to the OpenStack instances:
$ sudo bash $ echo 1 > /proc/sys/net/ipv4/ip_forward $ echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp $ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
In order to not lose the configuration changes on reboot go ahead and edit (as root) the file
_/etc/sysctl.conf_ and add the following:
net.ipv4.conf.eth0.proxy_arp = 1 net.ipv4.ip_forward = 1
Finally, restart the network (screen #9).
Create a VM through Horizon
Bring up the Horizon dashboard, and ensure you are in the "admin" project (not the "demo" project). You can check this in the drop down near the top of the screen.
From the navigation pane on the left side select "Project" | "Compute" | "Access & Security".
We are going to edit the "default" security group to make it promiscuous (for demo purposes only and ease of use. Never do this for a production system.). Selecting the "Security Groups" tab find the "default" security group and hit the "Manage Rules" button. Now hit the "+ Add Rule" button on the top right of the screen. We are going to add 3 rules:
- All ICMP -> Remote=Security Group | Security Group=default (current)
- All TCP -> Remote=Security Group | Security Group=default (current)
- All UDP -> Remote=Security Group | Security Group=default (current)
Next, go to the "Key Pairs" tab and "Create Key Pair". I am naming the key pair TestKey. This will create the public and private keys we will use to login to the OpenStack instances. You'll note that the created key has been downloaded to your desktop so we need to upload this back to the OpenStack controller node, to do so use
$ cd $ mkdir .ssh
And from your local desktop scp the key to the stack home directory:
# scp TestKey.pem email@example.com:~
And we need to move the key file and set the appropriate permissions:
$ sudo mv TestKey.pem ~/.ssh $ sudo chmod 600 ~/.ssh/TestKey.pem
Create an OpenStack virtual instance
We are almost ready to create our first instance... But first we are going to download an Ubuntu 14.04 image and make it available as an instance type.
$ mkdir OS-Images $ wget http://uec-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-disk1.img $ mv trusty-server-cloudimg-amd64-disk1.img ./OS-Images $ glance image-create --name 'Ubuntu 14.04' --disk-format=qcow2 --container-format=bare < ~/OS-Images/trusty-server-cloudimg-amd64-disk1.img
List images to make sure it is registered, you should see "Ubuntu 14.04" as one of the supported images:
$ glance image-list
Launch and test a new instance
From the left hand navigation pane select "Project" | "Compute" | "Instances". Find and hit the "Launch Instance" in the upper right corner of the "Instances" page. On the "Details" pane select the following:
- Availability Zone = nova
- Instance name = First Instance
- Flavor = m1.small
- Instance count = 1
- Instance boot source = Boot from image
- Image name = Ubuntu 14.04
Hit the "Launch" button and in a few moments the new instance will be in a "Running" state. Note that since we have only a single key pair the system automatically assigned TestKey.pem key pair:
Test that you can access the new instance:
$ ping 10.0.0.2
Finally, let's SSH into the new instance:
$ ssh -i ~/.ssh/TestKey.pem firstname.lastname@example.org (This sets up the required SSH config)
Ubuntu will now tell you that the default user is ubuntu and close the connection. You can now shell into the default user:
$ ssh -i ~/.ssh/TestKey.pem email@example.com
From the new instance check that you can access the network gateway by:
$ ping 10.0.0.1
From the new instance you can now 'curl 10.0.0.1' to see the HTML for the OpenStack Horizon dashboard. Test that you can see the internet by 'ping www.google.com' or 'curl www.google.com'.
You now have a fully setup, configured, and network routable demo instance of OpenStack. Each new instance will inherit the settings made on the network controller and should be able to see all other OpenStack instances, as well as be able to get to the Internet.