You have a user in a shiny, new OpenStack cloud. Now what?

In our previous article, we described how to create a simple OpenStack environment with a couple spare laptops.Now let’s assume you are a user in that cloud, and need to do something useful with it. What’s next?

If you are impatient or want to script the initial setup, you can skip to the last section.

Initially, you will log in to your OpenStack dashboard, pointing your browser to your controller machine (in our example, Enter your user credentials, and you will see your overview page.

Configuring your virtual network

Your first task will be to set up a virtual network infrastructure. Look at the menu on the left, then select Network -> Networks. You will see there is no network to connect your virtual machines to, so let’s create one by clicking on + Create Network.

network1There’s not a lot to specify in the first wizard screen, just choose a network name, and make sure you select Create Subnet before clicking Next.

network2Now, select a name for your subnet (any name will do) and a network address. Since we have configured Neutron, your network will be isolated from other user’s networks. This means it does not really matter which network address you use. In the example, we chose, and another user could be using the same address range. Also, note we are selecting IPv4 and we are not specifying a Gateway IP address here, because it will be automatically selected.

network3Finally, we can specify additional parameters for our subnet. We can specify an allocation pool (make sure it is in the same range as the network address specified in the previous step), which DNS name servers we want to use, and we can even inject host routes to our VMs. For now, we’ll keep it simple and just specify the DNS servers.

We now have a network, but an isolated one! If we want our VMs to connect to the outside world, we need to create a virtual router and connect it to our private network and the public network defined by the administrator. To do so, let’s select Network -> Routers and click on + Create Router.

router1All we have to specify is the router name, and the name of the external network it will be connected to (public in our case).

router2Once the router is created, we will wire it to our private network. Click on the router name, go to the Interfaces tab and click on + Add Interface:

router3Again, not a lot to add. Just select your private subnet, and leave the IP address field empty to get it automatically selected.

And that’s it! You now have a complete virtual networking infrastructure. Feel free to go to Networks -> Network Topology, where you can see a nice graphical representation of your virtual network.

Configuring security for your virtual infrastructure

You next step will be to set up some security-related aspects of your project:

  • First, you will upload an SSH key, that will be used to access your VMs
  • Then, you will set up a Security Group, that allows IP traffic to your VMs

Upload your SSH key

Go to Compute -> Access & Security, and select the Key Pairs tab. We want to use an already existing SSH key to access any new VM we create. Remember, in a cloud environment passwords are usually a bad idea. So, click on Import Key Pair:

keypairUse any key pair name you want, then paste the contents of your public key file, e.g.

Create a security group

Security groups define which traffic we want to allow to pass to/from our VMs. We can think of them as a kind of firewall, because we set up similar rules. We can allow traffic from anywhere, from specific IP addresses, and even from other security groups. so we can create complex filtering rules. For now, we will create a simple security group to allow ICMP and SSH traffic to pass. Let’s go to Compute -> Access & Security, and select the Security Groups tab.

There is always a default security group created, with no incoming traffic allowed, but we want to create a new one, so click on + Create Security Group and just specify a name. Once it is created, click on the Manage Rules button for the new security group:

secgroup1By default, we just have Egress rules (rules for outgoing traffic) to allow our VMs to go anywhere using IPv4 and IPv6. Click on + Add Rule to define a rule:

secgroup2The Rule drop-down box contains some predefined templates, and we can also create custom rules if we select Custom TCP Rule. For now, let’s just add SSH and ALL ICMP, and leave Remote and CIDR with the default value.

secgroup3This is the end result for our security group. We can come back to it later if we want to enable additional ports, or we want to be more restrictive with the networks we want to allow.

Uploading an image

We have configured a virtual network and the basic security parameters, but we need some operating system to run, don’t we? Usually, your cloud administrator will have uploaded some images for you, but just in case let’s upload our own one. Go to Compute -> Images and click on + Create Image:

image1We are going to use a Cirros image, which is a minimal image used for testing. You can download it from, but if your cloud has direct Internet access you can also instruct it to download it for you, as we do in the screenshot.

The only other important information you need to know is the image format. We know in this case it is QCOW2. We can leave the remaining options with default values for now.

Boot your first VM

This is the moment you’ve been longing for! We have everything ready to boot our first VM. So let’s go to Compute -> Instances and click on Launch Instance:

vm1Here, write a name for your instance, specify a flavor (size for your VM, look at the Flavor Details box for information), and set the image we just uploaded as base image. Now, let’s go to Access & Security.

vm2Here, we set the Key Pair and Security Group we created earlier. Let’s go to Networking.

vm3Since there is only a private network, it is automatically created for us. We don’t want to run any special script or make use of the advanced options, to click on Launch.

vm4And there it is! We have our first VM running. Note, however, that its IP address is in the internal network, so we have no way to access it from the outside. That’s where floating IPs come to play.

Associate a floating IP to access your VM

On the actions menu for your VM, select Associate Floating IP. Initially, you will have no floating IPs allocated to your project, so click on the + sign to get one from the public Pool.

floating1Once the IP is allocated, it will be automatically selected for you, and it will be associated to your VM when you click on Associate:

floating2And that’s it! Now connect to the VM using SSH, and enjoy your first working instance.

vm5From there on, you can go ahead and take full advantage of your cloud environment. The OpenStack User Guide is a great resource to get information on what else you can do.

TL; DR, or what if I want to script all of this?

The above actions can be time-consuming if you need to do it more than once, so let’s have a quick look at how to script it. Here, we will assume the following:

  • The OpenStack and Neutron command-line clients are installed on your machine
  • You have downloaded the OpenStack RC file (Compute -> Access & Security -> API Acess -> Download OpenStack RC file)
  • You have sourced the file in your shell

So, the steps will be:

$ neutron net-create private
$ neutron  subnet-create private --name private_subnet  --enable-dhcp=True --dns-nameserver --dns-nameserver
$ neutron router-create router1
$ neutron router-gateway-set router1 public
$ neutron router-interface-add router1 private_subnet
$ openstack keypair create --public-key ~/.ssh/ mykey
$ neutron security-group-create mysecgroup
$ neutron security-group-rule-create --direction ingress --protocol ICMP mysecgroup
$ neutron security-group-rule-create --direction ingress --protocol tcp --port-range-min 22 --port-range-max 22  mysecgroup
$ openstack image create --copy-from --disk-format qcow2 test-cirros
$ openstack server create --flavor m1.tiny --image test-cirros --security-group mysecgroup --key-name mykey  testinstance
$ FLOATING_IP=$(openstack ip floating create public --format shell | grep ^ip | awk -F" '{print $2}')
$ openstack ip floating add ${FLOATING_IP} testinstance



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s