Mindmajix

Using OpenStack Dashboard for Key management, Neutron Networks and Security Group

Using OpenStack Dashboard for key management

SSH keypairs allow users to connect to our Linux instances without having to input passwords, and they are the default access mechanism for almost all Linux images that you will use for OpenStack. Users manage their own keypairs through OpenStack Dashboard. Usually, this is the first task a new user has to do when given access to our OpenStack environment.

Getting ready

Load a Web browser, point it to our OpenStack Dashboard address at http://172.16.0.200/horizon, and log in as a user, such as the demo user created in the Adding Users recipe of Keystone OpenStack Identity Service, with the password openstack.

How to do it…

Management of the logged-in user’s keypairs is achieved with the steps discussed in the following sections:

Adding keypairs

Keypairs can be added by performing the following steps:

  • A new keypair can be added to our system by clicking on the Access & Security tab:

Screenshot_656

  • We will now see a screen allowing access to security settings and keypair management. Under the Keypairs tab, there will be a list of valid keypairs that we can use when launching and accessing our instances. To create a new keypair, click on the Create Keypair button:

Screenshot_657

  • On the Create Keypair screen, type a meaningful name (for example, demo) ensuring there are no spaces in the name, and then click on the Create Keypair button:

Screenshot_658

  • Once the keypair is created, we will be asked to save the private key portion of our keypair on the disk.

Tip

A private SSH key cannot be recreated, so store it safely and appropriately on the filesystem.

Screenshot_659

  • Click on the Access & Security tab to return to our list of keypairs. We will now see the newly created keypair listed. When launching instances, we can select this new keypair and gain access to the instance only by using the private key that we have stored locally.

Deleting keypairs

Keypairs can be deleted by performing the following steps:

  • When keypairs are no longer required, we can delete them from our OpenStack environment. To do so, click on the Access & Security tab on the left of our screen.
  • We will then be presented with a screen allowing access to security settings and keypair management. Under Keypairs, there will be a list of keypairs that we can use to access our instances. To delete a keypair from our system, click on the Delete Keypair button for the keypair that we want to delete:

Screenshot_661

  • We will be presented with a confirmation dialog box:

Screenshot_662

Once we click on the Delete Keypair button, the keypair will be deleted.

Importing keypairs

If you have your own keypairs that you use to access other systems, these can be imported into our OpenStack environment, so you can continue to use them for accessing instances within our OpenStack Compute environment. To import keypairs, perform the following steps:

  • We can import keypairs that have been created in our traditional Linux-based and Unix-based environments into our OpenStack setup. If you don’t have one already, run the following from within the .ssh directory on your Linux-based or other Unix-based host:
ssh-keygen -t rsa -N "" -f id_rsa
  • This will produce the following two files on our client:
.ssh/id_rsa
.ssh/id_rsa.pub
  • The .ssh/id_rsa file is our private key and has to be protected, as it is the only key that matches the public portion of the keypair, .ssh/id_rsa.pub. Because -N "" sets an empty passphrase, the private key is written to disk unencrypted, so restrictive file permissions are its only protection.
  • We can import this public key to use in our OpenStack environment, so that when an instance is launched, the public key is inserted into our running instance. To import the public key, ensure that you’re at the Access & Security screen, and then under Keypairs, click on the Import Keypair button:

Screenshot_663

  • We are presented with a screen that asks us to name our keypair and paste the contents of our public key. So name the keypair, and then copy and paste the contents of the public key into the space—for example, the contents of .ssh/id_rsa.pub. Once entered, click on the Import Keypair button:

Screenshot_664

  • Once completed, we see the list of keypairs available for that user, including our imported keypair:

Screenshot_665

How it works…

Keypair management is important, as it provides a consistent and secure approach for accessing our running instances. Allowing the user to create, delete, and import keypairs to use within their tenants allows them to create secure systems.

The OpenStack Dashboard allows a user to create keypairs easily. The user must ensure, though, that the private key that he/she downloads is kept secure.

While deleting a keypair is simple, the user must remember that deleting a keypair that is associated with running instances will remove access to the running system. Every keypair created is unique regardless of the name. The name is simply a label, but the unique fingerprint of the key is required and cannot be recreated.

Importing keypairs has the advantage that we can use the existing secure keypairs that we have been using outside of OpenStack within our new private cloud environment. This provides a consistent user experience when moving from one environment to another.
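The following added example (not part of the original recipe) checks a public key line before it is pasted into the Import Keypair form and computes its fingerprints, so the imported entry can be compared against the key held locally. It assumes the Keypairs list shows the MD5 colon-separated fingerprint; the sample key is a constructed dummy, and the function name is hypothetical.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH public key wire format."""
    return struct.pack(">I", len(data)) + data

def fingerprints(pubkey_line: str) -> dict:
    """Validate one id_rsa.pub-style line and return its fingerprints."""
    if "PRIVATE KEY" in pubkey_line:
        raise ValueError("this is a private key; never paste it into the dashboard")
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("encoded key is too short")
    # The blob starts with its own copy of the key type; it must match the prefix.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type prefix does not match the encoded key")
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": key_type,
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256,
    }

# Constructed sample: a syntactically valid ssh-rsa blob with a dummy modulus
# (not a usable key), standing in for the contents of .ssh/id_rsa.pub.
_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
         + _ssh_string(b"\x00" + b"\xc3" * 256))
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " demo@client"

if __name__ == "__main__":
    for name, value in fingerprints(SAMPLE_PUB).items():
        print(name, value)
```
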

Using OpenStack Dashboard to manage Neutron networks

The OpenStack Dashboard has the ability to view, create, and edit Neutron networks, which makes managing complex software-defined networks much easier. Certain functions, such as creating shared networks and provider routers, require a user to be logged into the OpenStack Dashboard as a user with admin privileges, but any user can create private networks. To help with managing complex software-defined networks, the OpenStack Dashboard provides an automatically updating network topology.

Getting ready

Load a Web browser, point it to our OpenStack Dashboard address at http://172.16.0.200/horizon, and log in as a user, such as the demo user created in the Adding Users recipe of Keystone OpenStack Identity Service, with the password openstack.

How to do it…

Creating networks

To create a private network for a logged-in user, carry out the following steps:

  • To manage networks within our OpenStack Dashboard, select the Networks tab as shown in the following screenshot:

Screenshot_666

  • When this has been selected, we will be presented with a list of networks that we can assign to our instances:

Screenshot_667

  • To create a new network, click on the Create Network button.
  • We are presented with a dialog box that first asks us to name our network:

Screenshot_668

  • After choosing a name, and keeping the Admin State checkbox selected (which means our network will be on and available for instances to connect to), we then assign a subnet to it by selecting the Subnet tab:

Screenshot_669

  • After filling in details for our subnet, we select the Subnet Detail tab that allows us to configure details such as DHCP range, DNS, and any additional routes we want when a user chooses that network:

Screenshot_670

  • After filling in all the details, clicking on the Create button makes this available to users of our tenant and returns us to the list of available networks:

Screenshot_671

Deleting networks

To delete a private network for a logged-in user, carry out the following steps:

  • To manage networks within our OpenStack Dashboard, select the Networks tab as shown in the following screenshot:

Screenshot_672

  • When this has been selected, we will be presented with a list of networks that we can assign to our instances:

Screenshot_673

  • To delete a network, select the checkbox next to the name of the network we want to delete, then click on the Delete Networks button.
  • We will be presented with a dialog box asking us to confirm the deletion:

Screenshot_674

  • Clicking on the Delete Networks button will remove that network and return us to the list of available networks.

Tip

You can only remove a network that has no instances attached to it. You will be warned that this isn’t allowed if there are instances still attached to that network.

Viewing networks

The OpenStack Dashboard gives users and administrators the ability to view the topology of our environment. To view the topology, carry out the following steps:

  • To manage networks within our OpenStack Dashboard, select the Networks tab as in the following screenshot:

Screenshot_675

  • Clicking on the Network Topology tab brings back a rich interface that gives an overview of our networks and instances attached to them as follows:

Screenshot_676

  • From this interface, we can click on its various parts, such as the networks (which takes us to the manage network interface) and the instances (which takes us to the instances interface), and we can also create networks, routers, and launch new instances.

How it works…

The ability to view and edit Neutron networks is a new feature in the Grizzly release of OpenStack. Managing Neutron networks can be quite complicated, but having a visual aid such as the one provided by the OpenStack Dashboard makes it much easier.

As an administrator (a user with the admin role), you can create shared networks. The same process applies in the preceding recipes, but you are presented with an extra option to allow any created networks to be seen by all tenants.

Using OpenStack Dashboard for security group management

Security groups are network rules that allow instances in one tenant (project) to be kept separate from other instances. Managing security group rules for our OpenStack instances is done as simply as possible with OpenStack Dashboard.

Tip

As described in the Creating tenants recipe of Keystone OpenStack Identity Service, projects and tenants are used interchangeably and refer to the same thing. Under the OpenStack Dashboard, tenants are referred to as projects, whereas in Keystone, projects are referred to as tenants.

Getting ready

Load a Web browser, point it to our OpenStack Dashboard address at http://172.16.0.200/horizon, and log in as a user, such as the demo user created in the Adding users recipe of Keystone OpenStack Identity Service, with the password openstack.

How to do it…

To administer security groups under OpenStack Dashboard, carry out the steps discussed in the following sections:

Creating a security group

To create a security group, perform the following steps:

  • A new security group is added to our system by using the Access & Security tab, so click on it:

Screenshot_677

  • Next, we see a screen allowing access to security settings and keypair management. Under Security Groups, there will be a list of security groups that can be used when we launch our instances. To create a new security group, click on the Create Security Group button:

Screenshot_678

  • We are asked to name the security group and provide a description. The name cannot contain spaces:

Screenshot_679

  • Once a new security group is created, the list of available security groups will appear on screen. From here, we are able to add new network security rules to the new security group.

Editing security groups to add and remove rules

To add and remove rules, security groups can be edited by performing the following steps:

  • When we have created a new security group, or wish to modify the rules in an existing security group, we can click on the Edit Rules button for that particular security group:

Screenshot_680

  • We then click on the Edit Rules button, which takes us to a screen that lists any existing rules as well as enabling us to add new rules to this group:

Screenshot_681

  • To add a rule to our new security group, we click on the Add Rule button. This allows us to create rules based on three different protocol types: ICMP, TCP, and UDP. As an example, we will add in a security group rule that allows HTTP and HTTPS access from anywhere. To do this, we choose the following:

Screenshot_682

  • When we click on the Add button, we are returned to the list of rules now associated with our security group. Repeat the previous step, until all the rules related to our security group have been configured.

Screenshot_683

  • Note that we can remove rules from here, too. Simply select the rule that we no longer require and click on the Delete Rule button. We are asked to confirm this removal.

Deleting security groups

Security groups can be deleted by performing the following steps:

  • Security groups are deleted by selecting the security group that we want to remove and clicking on the Delete Security Groups button:

Screenshot_684

  • You will be asked to confirm this. Clicking on OK removes the security group and associated access rules.

Note

You will not be able to remove a security group while an instance with that assigned security group is running.

How it works…

Rules within a security group are “deny by default” meaning that if there is no rule for that particular protocol, no traffic for that protocol can access the running instance with that assigned security group.

Security groups are associated with instances on creation, so we can’t add a new security group to a running instance. We can, however, modify the rules assigned to a running instance. For example, suppose an instance was launched with only the default security group. The default security group that we have set up only has TCP port 22 accessible and the ability to ping the instance. If we require access to TCP port 80, we either have to add this rule to the default security group or re-launch the instance with a new security group assigned to it, to allow TCP port 80.
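The deny-by-default behaviour described above can be modelled in a few lines. This is an added example, not OpenStack or Neutron code: the Rule class, the function names, the sample rule sets and the 0.0.0.0/0 source range on the default group are assumptions made for illustration. It also lists rules that are reachable from anywhere on ports other than the expected public web ports, which is a useful review step after editing a group.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp" or "icmp"
    port_min: int   # ignored for icmp
    port_max: int
    cidr: str       # allowed source range

def allowed(rules, protocol, port, source_ip):
    """Deny by default: traffic passes only if some rule explicitly matches it."""
    src = ipaddress.ip_address(source_ip)
    for r in rules:
        if r.protocol != protocol:
            continue
        if src not in ipaddress.ip_network(r.cidr):
            continue
        if protocol == "icmp" or r.port_min <= port <= r.port_max:
            return True
    return False

def world_open(rules, expected_ports=(80, 443)):
    """Return rules open to any source that are not a single expected public port."""
    flagged = []
    for r in rules:
        if ipaddress.ip_network(r.cidr).prefixlen != 0:
            continue
        if r.protocol == "tcp" and r.port_min == r.port_max and r.port_min in expected_ports:
            continue
        flagged.append(r)
    return flagged

# Constructed rule sets mirroring the text: the default group (SSH and ping,
# source range assumed) and a web group allowing HTTP and HTTPS from anywhere.
DEFAULT_GROUP = [Rule("tcp", 22, 22, "0.0.0.0/0"), Rule("icmp", -1, -1, "0.0.0.0/0")]
WEB_GROUP = [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0")]

if __name__ == "__main__":
    client = "203.0.113.5"  # documentation address used as a sample source
    print("port 80, default group only:", allowed(DEFAULT_GROUP, "tcp", 80, client))
    print("port 80, after adding web rules:", allowed(DEFAULT_GROUP + WEB_GROUP, "tcp", 80, client))
    print("rules to review:", world_open(DEFAULT_GROUP + WEB_GROUP))
```
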

Tip

Modifications to security groups take effect immediately, and any instance assigned with that security group will have those new rules associated with it.

Also, be aware that currently, the OpenStack Dashboard for the Grizzly release has a bug whereby rules created using the Neutron CLI don’t display correctly within the dashboard; the dashboard enumerates security groups by name, where Neutron utilizes the associated UUIDs. The effect is that, in Neutron you can create multiple rules using the same display name, but the OpenStack Dashboard will only display one of them, which could cause confusion when it comes to troubleshooting access to instances.
