C 16416, registered at the Regional Court in České Budějovice, IČO: 279 42 368, DIČ: CZ27942368
T +420 382 424 411 E [email protected] W www.tcpisek.cz
User Guide
-
First Run
A TECHNOLOGICKÉ CENTRUM PÍSEK S.R.O.
VLADISLAVOVA 250
397 01 PÍSEK
Content
Introduction
Glossary
First run
Login and basic overview
Project > Basic overview
SSH key
Compute > Key Pairs
Networking
Project > Networking
Router
Project > Network > Routers
Access & Security
Project > Network > Security Groups
First run instance
Project > Compute > Images
Floating IP allocation
Project > Network > Floating IPs
Insert metadata into the image
Project > Compute > Images
Introduction
This document aims to familiarize the user with the basics of using the OpenStack dashboard.
The OpenStack dashboard is a web-based graphical interface that cloud administrators and users can
use to access the cloud and to manage and perform computing, storage, and network operations.
For example, administrators can use the dashboard to run virtual machine instances, view the size
and current deployment status of the OpenStack cloud, manage networks, and set limits on the
cloud resources available to users.
The OpenStack dashboard offers three versions of management dashboards:
● User Dashboard - Dashboard for regular users
● System Dashboard - a panel for cloud administrators
● Setting Dashboard - a panel designed especially for developers
Cloud administrators can customize Horizon visuals, including the navigation bar, spreadsheets,
alerts, and more. Developers can extend any existing dashboard to include additional features by
creating an application that integrates directly into the dashboard.
Glossary
Application Programming Interface (API) - A collection of specifications used to access a
service, application, or program. It includes the service calls, the parameters required for
each call, and the expected responses and their values.
Authentication - The process of confirming the identity of the user in order to validate an incoming
request. The first step is to verify the user name and password or to verify the user name and API key.
The token issued as a result must then be presented in subsequent requests.
Availability Zone (AZ) - A group of servers that make up the cloud. Each AZ is accessed by
different instances of the API and Dashboard, independently of the other AZs.
Command-line interface (CLI) - A text interface for interacting with your cloud.
Credentials - Personally identifiable information. For example, the user name and password, the
user name and API key, or the authentication token that the identity service provides.
Dashboard - OpenStack's web interface to interact with your cloud. The dashboard is a subset of
the functions available through the API and CLI.
Domain - An Identity service API v3 entity. Domains are collections of projects and users that define
administrative boundaries for managing identity entities. Domains can be individuals, companies,
or operators of their own hardware space. They provide administrative activities directly to system
users. Users can be given the administrator role for the domain. A domain administrator can create
projects, users, and groups in a domain, and then assign roles to users and groups in the domain.
Drivers - Drivers or back-end services are integrated into a centralized server. They are used to
access identity information in repositories outside the cloud, which may already exist in an
infrastructure where Metacloud is implemented (such as SQL databases or LDAP servers).
Endpoint - A network-accessible address, usually a URL, that you can use to access the service.
Flavor - A virtual hardware profile that applies to instances when they are created. The flavor controls
the number of vCPUs, memory, root disk size, and temporary instance storage size.
Floating IP - An IP address (usually public) that is mapped to a particular instance to allow external
connections to that instance. Technically speaking, one-to-one NAT is dynamically created from a
floating IP address to a fixed IP address of your instance.
Instance - A virtual PC running in the cloud, sometimes referred to as a virtual machine (VM).
Local Network - A network of interconnected servers that allows communication within individual
users, not across the entire network. Local networks are mainly intended for one-node test
scenarios, but may be different. Currently, OpenStack cloud also supports VLANs.
Metacloud Control Plane (MCP) - Servers that handle cloud scheduling and orchestration
functions.
Metacloud Hypervisor (MHV) - Servers that run instances created in a cloud environment.
Network Attached Storage (NAS) - File-level data storage attached to a network that provides
data access to a selected group of clients.
OpenStackClient (OSC) - It is a command line interface for several cloud services including API
identity. For example, you can run openstack image create and openstack volume create to create
instances and repositories.
Object Storage Device (OSD) - A storage system that organizes data into containers.
Physical Network - A network that connects virtualized nodes with other network resources.
Project - A container that groups or isolates resources or identity objects. Depending on your
preferences, an individual project can be mapped to a customer, account, organization, or
individual project.
Project Network - a virtual network that the administrator creates. The physical details of the
network are not exposed outside of the project.
Provider Network - a virtual network created to connect to a specific network in a data center.
Role - Defines the rights and permissions granted to user accounts. The cloud has essentially two
roles: admin and user. A role can be assigned to a user account or to an entire user group.
Administrators can also create new roles. Identity issues a token to the user that contains the role
list. When a user calls a service, the service interprets the user's role set and determines which
operations the user is authorized to perform or which resources the user can use.
Security Group - a list of firewall security rules applied to instances.
Server - The centralized server provides authorization services using the RESTful interface.
Tenant - a logical distribution of the availability of individual zones, created from a VLAN and a
unique network address space. The term tenant is interchangeable with the project.
Token - an alphanumeric text string that allows access to APIs and resources.
User - Digital representation of a person, company, or organization that uses cloud services. Users
have a login and access using assigned tokens. Users can be directly assigned specific projects to
use.
Virtual Network - A virtual network of interconnected virtual servers that allows communication
within individual users, not across the entire network. A virtual network is similar to a classic network,
except that it is virtualized in OpenStack.
First run
The OpenStack dashboard offers users and administrators easy access through a graphical
interface to manage, deliver, and automate processes inside cloud servers.
The dashboard is accessed via an Internet browser. The following chapters describe the basic
functions of OpenStack and give detailed instructions for each individual step.
Login and basic overview
As mentioned above, the OpenStack dashboard is accessed through the web interface. Along with
this documentation, there is a document with credentials where the IP address to log in is listed on
the first page. Copy and paste the IP address into the browser's address bar, then confirm with the
Enter key.
Project > Basic overview
After the IP address has been entered in the browser, a window will open with the login to
OpenStack. Fill in the login data according to the above-mentioned document with credentials and
click on the Sign In button to log in and enter the OpenStack graphical interface.
After a successful login, the start overview page will appear with a menu of features. Here the
number of used and remaining resources, used capacity and overview of utilization of network
resources are clearly displayed in pie charts.
Before you launch your first instance, there are a few other things to do.
SSH key
SSH is both a program and a secure communication protocol for computer networks that use TCP/IP.
SSH was designed to replace older, unsecured remote shells (rlogin, rsh, etc.) that send
the password in an unsecured form, allowing it to be intercepted when transmitted over a computer
network. SSH provides data encryption to secure data when transmitted over an untrusted
network, such as the Internet.
You can use a public key in SSH to authenticate the user. First, a pair of encryption keys is
generated: a private key and a public key. The private key is stored securely with the user and is
password protected. The public key is stored on the target server (typically in the user's home
directory; on Unix systems, in the ~/.ssh/authorized_keys file). When a user attempts to log on, the
server uses the public key it has available to encrypt a block of random data (a challenge-response
exchange) that cannot be easily inferred or guessed and sends it to the client. The client decrypts
the challenge using the private key and sends the decrypted message back to the server. If the challenge
is decrypted correctly, the server has verified that the client holds the private key that matches the
public key that the server has, and can then authorize the access. If the challenge is not
decrypted correctly, client access is denied. This means that the private key never leaves
the client's computer, so it cannot be stolen in transit over the network, yet the
client's authenticity and access can be verified.
In the next chapter, you will find step-by-step instructions on how to use secure SSH
communications in OpenStack.
Compute > Key Pairs
In the menu in the upper left column, select the Compute tab and then Key Pairs.
There are two ways to add the public part of your SSH key: create a new key, in which case
both the public key and the private key are created, or import an existing key. The corresponding
buttons are on the right side of the screen. After selecting Create Key, first enter the key name.
The key is then created, downloaded to the PC and automatically added to the OpenStack
environment.
When importing an SSH key, you only need to select the path to the directory where the key is
stored and assign a name for the key in the OpenStack environment.
The key can also be pasted by simply copying it (e.g., CTRL + C and CTRL + V) from the key text file
into the free field at the bottom of the pop-up window.
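A check to run on the key text before pasting it into the import field, given here as an added example that is not part of the original guide: it rejects a private key pasted by mistake, confirms that the line is a well-formed OpenSSH public key, and returns the SHA256 fingerprint in the form `ssh-keygen -l` prints. The allow-list of key types and the sample key are assumptions made for the example.

```python
import base64
import hashlib
import struct

# Assumed allow-list of key types for this example; adjust to local policy.
KNOWN_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def read_string(blob, offset):
    """Read one length-prefixed field (4-byte big-endian length, then the bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("key body is truncated")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("key body is truncated")
    return blob[offset + 4:end], end


def check_public_key(text):
    """Validate one OpenSSH public key line and return its type, comment and fingerprint."""
    text = text.strip()
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key; it must stay on the client")
    if "\n" in text:
        raise ValueError("expected a single-line OpenSSH public key")
    fields = text.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = fields[0], fields[1]
    if key_type not in KNOWN_TYPES:
        raise ValueError(f"unexpected key type {key_type!r}")
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError as exc:
        raise ValueError("key body is not valid base64") from exc
    # The key body starts with its own type label; it must match the first field.
    embedded, offset = read_string(blob, 0)
    if embedded != key_type.encode("ascii"):
        raise ValueError("key type label does not match the key body")
    if key_type == "ssh-ed25519":
        key, end = read_string(blob, offset)
        if len(key) != 32 or end != len(blob):
            raise ValueError("malformed ed25519 key")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return {"type": key_type, "comment": fields[2] if len(fields) > 2 else "",
            "fingerprint": fingerprint}


def constructed_sample_line():
    """Constructed ed25519 public key line (key bytes 0..31, not a real key)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " user@example"


if __name__ == "__main__":
    print(check_public_key(constructed_sample_line()))
```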
Networking
Networking inside OpenStack is a virtual network service that provides a powerful API that defines
connections to networks and IP addresses. This virtual network connection is essential for all
services and servers to communicate with each other across the cloud.
Network APIs use a virtual network, subnet, and ports to define network resources. In this section
you can define your own virtual networks as needed. Furthermore, we have the possibility to define
subnets and ports to control the communication channels of OpenStack.
Project > Networking
Select Networks in the right column.
In the right corner, click on “Create Networks”. In the first tab, “Networks”, fill in the network name
and choose whether a subnet should be created with the network.
In the “Subnet” tab, name the subnet and fill in its non-public IP address with the prefix
(default /24). Next, select IPv4 and choose Gateway. The gat
There are more optional values in the "Subnet Details" tab. For example, you can define Allocation
Pools, which are subsets of all available subnet addresses to be used for addressing.
You can also specify multiple DNS servers and custom host routes. After filling in the
form, click on the "Create" button. We have now created a virtual network that is ready for future
operations.
Router
A router is a logical component of the cloud that forwards data packets between networks. It
provides Layer 3 communication and also provides external access for network servers. We create
a router in the OpenStack environment mainly because of the need to connect networks with each
other and also to ensure communication with the public Internet.
Project > Network > Routers
In order for networks to communicate with each other, or for servers to communicate with public
Internet addresses, it is necessary to create routers. In the right menu, select the Network tab and
the Routers option.
To create a router, click on the “Create router” box. Then a pop-up window will appear where you
need to enter the router name and connect it directly to the required external network. After
confirming the pop-up window, it is possible to connect other necessary networks to the router
according to local needs.
Access & Security
Before you run an instance, you must add specific security group rules that allow users to ping and
use SSH to connect to the instance. Security groups are sets of IP filter rules that define network
access and that are applied to all instances in a project. There are two ways to add rules. Either we
can modify the default rule group, which is already pre-set inside OpenStack by inserting the rules
we require, or we can create a completely new rule group according to our needs.
Project > Network > Security Groups
On the Network tab, select “Security Groups” from the menu. After opening the relevant page, click
on the “Create Security Group” field. In the window, fill in the name of the group and its description,
from which you can easily deduce the purpose of this security group.
To set up the newly created group, click “Manage Rules” in its row. To understand security groups
properly, it is necessary to explain what some terms mean, mainly the words EGRESS and INGRESS.
EGRESS means communication from the private network out to the public network. INGRESS is
communication from a public network through a router to a private network. In the basic rule group,
all INGRESS communication is prohibited on all ports. EGRESS communication is enabled. To use
servers and networks through SSH remote access, it is necessary to
enable INGRESS communication for SSH on a specific single port. OpenStack contains several
pre-created rules that can be used, including one enabling INGRESS communication for SSH.
Click the “+ Add Rule” button in the upper right corner. Select the SSH protocol from the list of preset
rules. OpenStack will fill in the specific port, which will be opened for subsequent
communication. In the CIDR field, you can enter a single remote IP address or a range in CIDR format
that is allowed SSH access, or you can leave the default, 0.0.0.0/0, to enable SSH from any remote IP
address. Click the "Add" button. We have now successfully added and edited the Security Group.
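Leaving the CIDR at 0.0.0.0/0 exposes the SSH port of every instance in the group to the whole Internet once a Floating IP is attached. The following added example (not part of the original guide) audits a list of security group rules for INGRESS rules that open port 22 to any address or to a very wide range. The rule dictionaries use the field names of Neutron security group rules; the sample rules and the prefix-length thresholds are assumptions made for the example.

```python
import ipaddress


def make_rule(rule_id, direction, ethertype, protocol, lo, hi, prefix, group=None):
    """Build a rule dict with the field names Neutron uses for security group rules."""
    return {"id": rule_id, "direction": direction, "ethertype": ethertype,
            "protocol": protocol, "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": prefix, "remote_group_id": group}


# Constructed sample rules (IDs and addresses are made up for this example).
SAMPLE_RULES = [
    make_rule("r1", "egress", "IPv4", None, None, None, None),              # default egress
    make_rule("r2", "ingress", "IPv4", "tcp", 22, 22, "0.0.0.0/0"),         # SSH, default CIDR
    make_rule("r3", "ingress", "IPv4", "tcp", 22, 22, "203.0.113.0/24"),    # SSH from one range
    make_rule("r4", "ingress", "IPv4", "tcp", 1, 65535, None),              # all TCP, no source set
    make_rule("r5", "ingress", "IPv4", "tcp", 22, 22, None, "sg-bastion"),  # SSH from a group only
    make_rule("r6", "ingress", "IPv4", "icmp", None, None, "0.0.0.0/0"),    # ping
    make_rule("r7", "ingress", "IPv6", "tcp", 22, 22, "::/0"),              # SSH from any IPv6
    make_rule("r8", "ingress", "IPv4", "tcp", 22, 22, "10.0.0.0/8"),        # very wide range
]


def covers_tcp_port(rule, port):
    """True if the rule admits TCP traffic to `port` (protocol None means any protocol)."""
    if rule.get("protocol") not in (None, "tcp", "6", 6):
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    lo = 1 if lo is None else lo          # missing bounds mean "all ports"
    hi = 65535 if hi is None else hi
    return lo <= port <= hi


def source_prefix_length(rule):
    """Prefix length of the allowed source; 0 for any address, None if group-scoped."""
    if rule.get("remote_group_id"):
        return None
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:
        return 0                          # neither prefix nor group: any source
    return ipaddress.ip_network(prefix, strict=False).prefixlen


def audit_ssh_exposure(rules, port=22, min_prefix_v4=24, min_prefix_v6=64):
    """Return (rule id, finding) pairs for INGRESS rules that expose `port` too widely.

    min_prefix_v4 / min_prefix_v6 are assumed policy thresholds, not OpenStack defaults.
    """
    findings = []
    for rule in rules:
        if rule.get("direction") != "ingress" or not covers_tcp_port(rule, port):
            continue
        length = source_prefix_length(rule)
        if length is None:
            continue                      # source limited to members of another group
        limit = min_prefix_v6 if rule.get("ethertype") == "IPv6" else min_prefix_v4
        if length == 0:
            findings.append((rule["id"], "open to any address"))
        elif length < limit:
            findings.append((rule["id"], "source range wider than policy"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_ssh_exposure(SAMPLE_RULES):
        print(f"{rule_id}: port 22 {finding}")
```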
First run instance
OpenStack is primarily a virtualization platform for managing virtual machines. In the next section,
we will introduce how to create your own new instance. We'll go through step-by-step how to
prepare an instance and set it up correctly. Next, we'll show you how to run an instance and what
operations it can do.
Project > Compute > Images
To create and run the first instances in OpenStack, select the images tab in the upper right corner
of the menu. Here we have a few pre-made images to choose from, which we can start using right
from the start.
After clicking on the Launch button, a pop-up window will appear, in which we fill in more
detailed requirements for the instance being started. In the first tab, Details, enter the name and
description of the instance, if any. You must also specify the Availability Zone. Use the
availability zone to make network resources work in high availability mode. An availability
zone provides nodes for Nova computing, Cinder block storage, or Neutron network services. Then
choose the number of instances that you want to run at once. On the right side of the
window is a counter that displays the maximum number of instances that can be created, how
many instances are created, and the percentage usage of the allocated limit.
In the second tab, Source, choose the template that will be used to create the new
instance. You can use image, instance snapshots, and snapshots. In the right part of the window
there are two radio buttons. These buttons affect the settings between the instance and
the assigned volume. The first button determines whether a new volume is created for the
instance or whether the instance is created without a new volume. The second
button lets you choose whether the volume that is attached to the instance is automatically
deleted when the instance is deleted.
In the following tab, Flavor, select the pre-prepared item that best suits your needs in terms of
the resources used, such as VCPU, RAM, disk, etc.
On the Networks tab, assign the network to the instance. Networks are the basic communication
channel for instances in the cloud. Now we have filled in the last tab marked *. All tabs
marked with this symbol must be filled in because they are the key instance settings.
Ports provide additional communication channels to your instances. By default, all communication
through ports is blocked for increased security.
Then you can set up the Security Group. Here we select the group of rules that we want to
apply to the created instance. More than one group can be selected as needed.
Key Pair allows you to use SSH with a newly created instance. You can select an
existing key pair, import a key pair, or generate a new key pair.
In the Configuration tab it is possible to directly insert a script for Linux or a command line file for
Windows into the instance. Furthermore, you can choose to automatically adapt the disks to the
size of the Flavor. Finally, you can enable or disable Configuration Drive. The configuration drive is
used for metadata transmission. You can configure OpenStack to write metadata to a special
configuration drive that is attached to the instance at startup. An instance can mount this drive and
read files from it to obtain information that is commonly available through the metadata service.
This metadata is different from user data.
Server Groups assign instances and virtual machines specific properties. For example, by setting
up a server group, you can specify that VMs in this group cannot be located on the same physical
hardware due to availability requirements or vice versa.
Scheduler hints, also simply referred to as “hints” or “tips”, can be specified during server creation
to affect server settings depending on which filters and settings we choose. Hints are mapped as
specific filters. You can use Scheduler to schedule certain instance behaviors. You can specify
scheduling requirements by moving items from the left column to the right column. The left column
contains the scheduler hint definitions from the Glance Metadata Catalog. Use the "Custom"
option to add a hint of your choice.
This step allows you to add metadata items to your instance. Metadata is used in OpenStack for
most types of resources (image, artifacts, nodes, flavors, etc.). Thanks to metadata, we can put
properties, keys, descriptions, and instance constraints already set in these resources. You can
specify resource metadata by moving items from the left column to the right column. In the left
column are metadata definitions from the Glance Metadata Catalog. Use the "Custom" option to add
metadata using the key of your choice.
Click the Launch button to start the selected instance. When the startup is complete, the new
instance appears in the overall view of all running instances, as well as in the network topology
model. The network topology model can be viewed in the tab Project > Networks > Network
Topology. Here you can see how the individual networks are interconnected through routers and
how the instances are linked to each network.
After running the instance, we have the option to work directly with the instance. From the list of
instances, select the instance you want to test and click on the blue highlighted instance name.
In the next overview it is necessary to click on the “Console” tab. A window with loaded console will
appear on the tab. There is a possibility to open the console in a new window. You can type in the
console by clicking on the top blue bar.
Floating IP allocation
Project > Network > Floating IPs
For the instance to have Internet access, select Floating IPs from the menu. Here you can assign
individual public IP addresses to specific instances so that the instances are accessible from the
Internet. If we do not already have specific IP addresses added, it is necessary to allocate
addresses from the provider to the project. This is done by clicking the Allocate IP To Project
button.
If we want the instances to have access to the Internet, it is necessary to create a new router and
then connect it to the external Internet.
After allocating a Floating IP address to a project, the public IP address can be assigned directly to
a specific instance to provide access to the instance through public networks. To do this, expand
the menu and select Associate Floating IP on the Instances tab of the instance to which you want
to assign a Floating IP address. Then select the IP address to be assigned to the instance.
Insert metadata into the image
Project > Compute > Images
Any embedded image can be further edited to include new metadata to match the image to our
requirements. Image file editing is done via the Images tab. In the list choose the image into which
we want to insert metadata. When you expand the menu for the image, select Update Metadata.
The following window is divided into two parts. Metadata is added by inserting keywords into the
left column according to the datasheet and clicking the + icon. Then the functionality name moves
to the right part of the window. In this section, it is necessary to specify metadata, for example, the
version of the operating system again according to the data sheet. Once filled in, you can click the
Save button and the metadata will then be uploaded to Image. As an example, we used the
addition of os_distro for Ubuntu Image.
Datasheet available at:
https://docs.openstack.org/glance/latest/admin/useful-image-properties.html