This is a follow-up to our previous tutorial setting up an OpenStack Cloud on the CenturyLink Cloud. If you haven't done so, the instructions for setting up OpenStack are here.

Once the basic OpenStack system is installed and running the next steps are to create virtual server instances that can route to and from the Internet. In order to make this happen we need to setup the correct networking topology, configure the local instance to utilize the new network, and ensure that the security/privacy settings are defined correctly. At the end of the tutorial we will be able to login to the newly created instance and be able to access the external network from the instance.

What about accessing the new instance from the Internet? We are leaving this topic for another tutorial where we will discuss how to setup the pools of floating IP addresses within Openstack and how to configure the correct routing and firewall rules.

Initial configuration

First, login to the OpenStack controller node using the _stack_ user created earlier, this will be the CenturyLink Cloud instance that owns the public IP and hosts the Horizon dashboard. Note that if you check the network via _ifconfig_ this instance has the public IP and also has an associated private IP. This private IP is managed by the CenturyLink Cloud system, in a minute we will add a second private IP that is managed by the OpenStack Cloud system.

Remember, we are running a development version of OpenStack that has facilities to help contributors develop code. As such, it doesn't use the "standard" service interfaces for starting/stopping services but rather runs each of the processes via "screen". This allows a real time view of the development log messages and allows an easy method to switch between views.

From the _devstack_ directory run _./rejoin-stack.sh_ to start the screen program and attach all of the _devstack_ processes. Devstack runs all the processes in different screens, use 'control A' screen # to switch between them.

Also, since there are no services we cannot use service restarts. To restart a process go to the appropriate screen, 'control C' out (stop), up arrow (get the start command back), and then press ENTER.

Set the following environment variables to allow us to issue "nova" and "glance" commands.

$ export OS_USERNAME=admin
$ export OS_PASSWORD=stack
$ export OS_TENANT_NAME=admin
$ export OS_AUTH_URL=

Note that the OS_AUTH_URL is the private IP assigned when the CenturyLink Cloud created the instance. The file _/etc/nova/nova.conf_ should have the following (if not, update to match):

flat_interface = eth0
flat_network_bridge = br100
vlan_interface = eth0
public_interface = br100
network_manager =
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver

Edit the file to add the following:

network_size = 254
allow_same_net_traffic = False
multi-host = True
send_arp_for_ha = True
share_dhcp_address = True
force_dhcp_release = True

There are a couple of networking changes we need to make to ensure that network traffic is correctly routed to the OpenStack instances:

$ sudo bash
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

In order to not lose the configuration changes on reboot go ahead and edit (as root) the file _/etc/sysctl.conf_ and add the following:

net.ipv4.conf.eth0.proxy_arp = 1 net.ipv4.ip_forward = 1

Finally, restart the network (screen #9).

Create a VM through Horizon

Bring up the Horizon dashboard, and ensure you are in the "admin" project (not the "demo" project). You can check this in the drop down near the top of the screen.


From the navigation pane on the left side select "Project" | "Compute" | "Access & Security".


We are going to edit the "default" security group to make it promiscuous (for demo purposes only and ease of use. Never do this for a production system.). Selecting the "Security Groups" tab find the "default" security group and hit the "Manage Rules" button. Now hit the "+ Add Rule" button on the top right of the screen. We are going to add 3 rules:

  • All ICMP -> Remote=Security Group | Security Group=default (current)
  • All TCP -> Remote=Security Group | Security Group=default (current)
  • All UDP -> Remote=Security Group | Security Group=default (current)

Next, go to the "Key Pairs" tab and "Create Key Pair". I am naming the key pair TestKey. This will create the public and private keys we will use to login to the OpenStack instances. You'll note that the created key has been downloaded to your desktop so we need to upload this back to the OpenStack controller node, to do so use _scp_:

$ cd $ mkdir .ssh

And from your local desktop scp the key to the stack home directory:

# scp TestKey.pem [email protected]:~

And we need to move the key file and set the appropriate permissions:

$ sudo mv TestKey.pem ~/.ssh
$ sudo chmod 600 ~/.ssh/TestKey.pem

Create an OpenStack virtual instance

We are almost ready to create our first instance... But first we are going to download an Ubuntu 14.04 image and make it available as an instance type.

$ mkdir OS-Images
$ wget
$ mv trusty-server-cloudimg-amd64-disk1.img ./OS-Images
$ glance image-create --name 'Ubuntu 14.04' --disk-format=qcow2 --container-format=bare < ~/OS-Images/trusty-server-cloudimg-amd64-disk1.img

List images to make sure it is registered, you should see "Ubuntu 14.04" as one of the supported images:

$ glance image-list

Launch and test a new instance

From the left hand navigation pane select "Project" | "Compute" | "Instances". Find and hit the "Launch Instance" in the upper right corner of the "Instances" page. On the "Details" pane select the following:

  • Availability Zone = nova
  • Instance name = First Instance
  • Flavor = m1.small
  • Instance count = 1
  • Instance boot source = Boot from image
  • Image name = Ubuntu 14.04


Hit the "Launch" button and in a few moments the new instance will be in a "Running" state. Note that since we have only a single key pair the system automatically assigned TestKey.pem key pair:


Test that you can access the new instance:

$ ping

Finally, let's SSH into the new instance:

$ ssh -i ~/.ssh/TestKey.pem [email protected] (This sets up the required SSH config)

Ubuntu will now tell you that the default user is ubuntu and close the connection. You can now shell into the default user:

$ ssh -i ~/.ssh/TestKey.pem [email protected]

From the new instance check that you can access the network gateway by:

$ ping

From the new instance you can now 'curl' to see the HTML for the OpenStack Horizon dashboard. Test that you can see the internet by 'ping' or 'curl'.


You now have a fully setup, configured, and network routable demo instance of OpenStack. Each new instance will inherit the settings made on the network controller and should be able to see all other OpenStack instances, as well as be able to get to the Internet.