Creating and Managing Keypairs - OpenStack

When you launch a virtual machine, you can inject a keypair. Keypairs refer to SSH keypairs and consist of two elements—a public key and a private key. The most common way is to use the OpenStack Dashboard, Horizon, to set up public/private keypairs to properly protect the instance at launch time.

At least one key for each project can be created. Keypairs are used for access to our Linux hosts via SSH. The public portion of our keypair is injected into our instance at boot-time through a service known as cloud-init. The Cloud-init can perform many tasks, one of which is managing this public keypair injection. Only this specific combination of the public and private key will allow us access to our instances.

Even if keypair is generated by an external tool, it can be imported into OpenStack and can be used for multiple instances. Now let’s look at how to set up key pairs in OpenStack. Basically, there are three steps: create a key pair, add it to an instance, and modify it for increased security.

How to Create and Manage Key

To begin with, assure that you are logged into your Ubuntu client that has access to the Nova Client tools. This can be installed using the following commands:
sudo apt-get update
sudo apt-get –y install python-novaclient

And ensure you have set the following credentials set:
export OS_TENANT_NAME=cookbook
export OS_USERNAME=admin
export OS_PASSWORD=openstack
export OS_AUTH_URL=https://172.16.0.200:5000/v2.0/
export OS_NO_CACHE=1

To create a keypair, we use the nova keypair -add command. We name the key accordingly, which we will refer to when launching instances subsequently. The output of the command is the SSH private key that we will use to access a shell on our instance:
1. First, create the key pair as follows:
nova keypair-add myKey > myKey.pem
2. We must then protect the private key output so that only our logged-in user account can read it:
chmod 0600 myKey.pem
3. This command generates a key pair and stores the public portion within our database, in the heart of our OpenStack environment. The private portion has been written to a file on our client, which we then protect by making sure that only our user can access this file.

When we want to use this new key under Nova Client, this looks as follows, using the command:
nova boot myInstance –image 0e2f43a8-e614-48ff-92bd-be0c68da19f4 — flavor 2 –key_name myKey
And when we want SSH to this running instance, we specify the private key on the SSH command line with the -i option:
ssh ubuntu@172.16.1.1 -i myKey.pem

As with most of the things in Unix, the values and files specified are case-sensitive.

Listing and deleting keypairs using Nova Client

To list and delete keypairs using Nova Client, carry out the set of commands in the following sections:

Listing the keypairs

To list the keypairs in our project using Nova Client, we simply run the nova keypair-list command, as follows:

nova keypair-list

This brings back a list of keypairs in our project, such as the following:

Deleting the keypairs

To delete a keypair from our project, we simply specify the name of the key as an option
nova keypair-delete tool:

1. To delete the myKey keypair, we do the following:
nova keypair-delete myKey

2. We can verify this by listing the keys available, thus:
nova keypair-list

Keypairs- OpenStack

Deleting keypairs is an irreversible action. Deleting a keypair to a running instance will prevent you from accessing that instance.

Keypairs are important in our cloud environment as most Linux images don’t allow access to a command-line prompt using usernames and passwords. An exception to this is the Cirros image which comes with a default username cirros and password cubswin:). The Cirros image is a cut-down image that is used for troubleshooting and testing OpenStack environments. Images like Ubuntu only allow access using keypairs.

The creation of a keypair allows SSH access to our instance and it is carried out using the nova keypair-add command. This stores the public key in our backend database store that will be injected into the .ssh/authorized_keys file on our Cloud instance, as a part of the cloud instance’s boot/cloud-init script. We can then use the private key that gets generated to access the system by specifying this on the ssh command line with the -i option.

We can, of course, have the possibility of removing keys from our project, and we do this to prevent further access by that particular keypair. The command nova keypair-delete does this for us, and we can verify what keys are available to us in our project by running the nova commands.