First Steps

Accessing VMs

For the first access to VMs, before they are configured and host higher-level services, SSH is used.

Before spawning a VM, a SSH keypair must be created and either uploaded via the JUSUF OpenStack Dashboard or the CLI. For the later one, make sure you followed the procedure mentioned here to make the CLI libraries and access available.

$ openstack keypair create --public-key ~/.ssh/id_rsa.pub my_user

Network Setup

Important

Due to site security constraints its only allowed to use the following ports for services you want to provide to the global internet:

  • 22

  • 80

  • 443

  • 7000-7020

Create and manage networks

Create a network

WebUI
  1. Go to the Project → Network → Networks tab and select Create network.

  2. Define a name for the network, Admin status and Create subnet should both be “enabled”. Select Next.

  3. Define a Name for the subnet. You could have several subnets per network. If you only intend to use one, then the Subnet name may be the same as the Network name chosen on the previous tab. The same holds true for the first network you create.

  4. The network address should be a private network range, such as 192.168.42.0/16 or 10.0.0.0/8. This range is only available within your network and by the connected router (see next section). In the subnet details, it is important to set the following three DNS servers:

134.94.32.3
134.94.32.4
134.94.32.5
Command Line Interface

Make sure you followed the procedure mentioned here to make the CLI libraries and access available.

openstack network create --no-share my-projects-internal-network
openstack subnet create my-projects-internal-network-subnet --network my-projects-internal-network --subnet-range 192.0.2.0/24

Create a router

A router is required to allow for virtual machines (VMs) on your internal network to reach the outside world or other networks within your project. You will also need a router to reach VMs from the outside, which is the case if you want to offer services on your VMs.

WebUI
  1. Go to the Project → Network → Routers tab and select Create router

  2. Define a Name for the router, Admin status “enabled”, and an External network, which for the JUSUF CLOUD will be “dmz-jusuf-cloud”.

  3. The router is already connected to the DMZ network automatically, but you still need to connect it to your internal networks. This is done at Project → Network → Router, select the router, then Interfaces, then Add interface. Add an interface in your internal network.

Command Line Interface

Make sure you followed the procedure mentioned here to make the CLI libraries and access available.

openstack router create my-projects-internal-network-to-internet
openstack router set my-projects-internal-network-to-internet --external-gateway dmz-jusuf-cloud
openstack router add subnet my-projects-internal-network-to-internet my-projects-internal-network-subnet

Generic OpenStack documentation

If you prefer the generic documentation that may be lacking important information regarding our local installation, please refer to the OpenStack documentation..

Security Groups

Security groups are a means to control inbound and outbound network traffic for your VMs. This includes protection of network traffic even among your VMs. The default security group in every new project limits network traffic to the bare minimum that is required to run a VM. It does not even allow for incoming connections via SSH or ICMP traffic (ping). Therefore, you will want to add rules to the default security group or add additional groups containing such rules.

In order to be able to access a VM via SSH once you have started it, you will at least have to add a rule to allow for this.

WebUI

  1. Go to the Project → Network → Security groups tab

  2. Select Create security group and create a group with a meaningful name, e.g. ssh_external

  3. Select Manage rules on the newly created security group

  4. From the number of predefined rules select SSH

  5. For the remote select CIDR, which, plainly put, is a way to express network ranges

  6. If you really want to allow SSH traffic from anywhere, then the default 0.0.0.0/0 is the right choice. In order to limit traffic to sources within the Juelich campus, you would use 134.94.0.0/16.

Keep in mind that the granularity of assigning rules to VMs is by security group only. Therefore, it is advisable to group rules that are commonly used together in security groups. Again, should you prefer to use the generic documentation, please refer to the OpenStack Documentation. This may help you get a better understanding of the concept of security rules, but uses the command-line interface to set everything up.

Command Line Interface

Make sure you followed the procedure mentioned here to make the CLI libraries and access available.

openstack security group create test-securitygroup
openstack security group rule create --protocol tcp --dst-port 22 test-securitygroup
openstack security group rule create --protocol icmp test-securitygroup