Chapter 8. Providing public access to an instance
New instances automatically receive a port with a fixed IP address on the network that the instance is assigned to. This IP address is private and is permanently associated with the instance until the instance is deleted. The fixed IP address is used for communication between instances.
You can connect a public instance directly to a shared external network where a public IP address is directly assigned to the instance. This is useful if you are working in a private cloud.
You can also provide public access to an instance through a project network that has a routed connection to an external provider network. This is the preferred method if you are working in a public cloud, or when public IP addresses are limited. To provide public access through the project network, the project network must be connected to a router with the gateway set to the external network. For external traffic to reach the instance, the cloud user must associate a floating IP address with the instance.
To provide access to and from an instance, whether it is connected to a shared external network or a routed provider network, you must use a security group with the required protocols, such as SSH, ICMP, or HTTP. You must also pass a key pair to the instance during creation, so that you can access the instance remotely.
To execute openstack client commands on the cloud, you must specify the name of the cloud detailed in your clouds.yaml file. You can specify the name of the cloud by using one of the following methods:
- Use the --os-cloud option with each command, for example:
  $ openstack flavor list --os-cloud <cloud_name>
  Use this option if you access more than one cloud.
- Create an environment variable for the cloud name in your bashrc file:
  `export OS_CLOUD=<cloud_name>`
8.1. Prerequisites
- The external network must have a subnet to provide the floating IP addresses.
- The project network must be connected to a router that has the external network configured as the gateway.
- A security group with the required protocols must be available for your project. For more information, see Configuring security groups in Managing network resources.
8.2. Securing instance access with security groups and key pairs
Security groups are sets of IP filter rules that control network and protocol access to and from instances, such as ICMP to allow you to ping an instance, and SSH to allow you to connect to an instance.
All projects have a default security group called default, which is used when you do not specify a security group for your instances. By default, the default security group allows all outgoing traffic and denies all incoming traffic from any source other than instances in the same security group. You can apply one or more security groups to an instance during instance creation. To apply a security group to a running instance, apply the security group to a port attached to the instance.
For more information on security groups, see Configuring security groups in Managing network resources.
You cannot apply a role-based access control (RBAC)-shared security group directly to an instance during instance creation. To apply an RBAC-shared security group to an instance you must first create the port, apply the shared security group to that port, and then assign that port to the instance. See Adding a security group to a port in Creating and managing instances.
Key pairs are SSH or x509 credentials that are injected into an instance when it is launched to enable remote access to the instance. You can create new key pairs in RHOSP, or import existing key pairs. Each user should have at least one key pair. The key pair can be used for multiple instances.
You cannot share key pairs between users in a project because each key pair belongs to the individual user that created or imported the key pair, rather than to the project.
8.2.1. Adding a security group to a port
The default security group is applied to instances that do not specify an alternative security group. You can apply an alternative security group to a port on a running instance.
Prerequisites
- The administrator has created a project for you and they have provided you with a clouds.yaml file for you to access the cloud.
- You have installed the python-openstackclient package.
Procedure
1. Determine the port on the instance that you want to apply the security group to:
   $ openstack port list --server myInstancewithSSH
2. Apply the security group to the port:
   $ openstack port set --security-group <sec_group> <port>
   Replace <sec_group> with the name or ID of the security group you want to apply to the port on your running instance. You can use the --security-group option more than once to apply multiple security groups, as required.
8.2.2. Removing a security group from a port
To remove a security group from a port you need to first remove all the security groups, then re-add the security groups that you want to remain assigned to the port.
Prerequisites
- The administrator has created a project for you and they have provided you with a clouds.yaml file for you to access the cloud.
- You have installed the python-openstackclient package.
Procedure
1. List all the security groups associated with the port and record the IDs of the security groups that you want to remain associated with the port:
   $ openstack port show <port>
2. Remove all the security groups associated with the port:
   $ openstack port set --no-security-group <port>
3. Re-apply the security groups to the port:
   $ openstack port set --security-group <sec_group> <port>
   Replace <sec_group> with the ID of the security group that you want to re-apply to the port on your running instance. You can use the --security-group option more than once to apply multiple security groups, as required.
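The remove-then-re-add procedure above, as an added shell example that is not part of the original documentation: the hypothetical helper plan_sg_removal takes the security group IDs you recorded from openstack port show and prints the two openstack port set commands, stopping if the group is not on the port or if no group would remain. The port and group IDs in the demo call are constructed.

```shell
#!/bin/sh
# plan_sg_removal <port> <sg_to_remove> <current_sg_id>...
# Prints the commands for steps 2 and 3 of the procedure so that they can be
# reviewed before they are run. Nothing is sent to the cloud.
plan_sg_removal() {
    local port="$1" drop="$2" sg found=0 keep=""
    shift 2
    for sg in "$@"; do
        if [ "$sg" = "$drop" ]; then
            found=1
        else
            # Every group that is not being dropped is re-applied in step 3.
            keep="$keep --security-group $sg"
        fi
    done
    # Comparison is by ID, as recorded in step 1. Passing a group name here
    # when the list holds IDs is caught by this check.
    if [ "$found" -eq 0 ]; then
        echo "error: $drop is not on port $port; nothing to remove" >&2
        return 1
    fi
    # Design choice of this example: never leave the port with an empty set
    # by accident. Clearing every group should be an explicit decision.
    if [ -z "$keep" ]; then
        echo "error: removing $drop would leave port $port with no security group" >&2
        return 2
    fi
    printf 'openstack port set --no-security-group %s\n' "$port"
    printf 'openstack port set%s %s\n' "$keep" "$port"
}

# Demo with constructed IDs: drop sg-web, keep sg-ssh and sg-icmp.
plan_sg_removal port-1234 sg-web sg-ssh sg-web sg-icmp
```

Between the two printed commands the port has no security group applied, so run them back to back.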
8.2.3. Generating a new SSH key pair
You can create a new SSH key pair for use within your project.
Use an x509 certificate to create a key pair for a Windows instance.
Prerequisites
- The administrator has created a project for you and they have provided you with a clouds.yaml file for you to access the cloud.
- You have installed the python-openstackclient package.
Procedure
1. Create the key pair and save the private key in your local .ssh directory:
   $ ssh-keygen -f '<RSA key>' -e -m pem > ~/.ssh/<keypair>.pem
   Replace <keypair> with the name of your new key pair.
2. Protect the private key:
   $ chmod 600 ~/.ssh/<keypair>.pem
8.2.4. Importing an existing SSH key pair
You can import an SSH key to your project that you created outside of Red Hat OpenStack Services on OpenShift (RHOSO) by providing the public key file when you create a new key pair.
Prerequisites
- The administrator has created a project for you and they have provided you with a clouds.yaml file for you to access the cloud.
- You have installed the python-openstackclient package.
Procedure
1. Create the key pair from the existing public key file and save the private key in your local .ssh directory:
   $ openstack keypair create --public-key ~/.ssh/<public_key> \
     <keypair> > ~/.ssh/<keypair>.pem
   - Replace <public_key> with the name of the public key file that you want to use to create the key pair.
   - Replace <keypair> with the name of your new key pair.
2. Protect the private key:
   $ chmod 600 ~/.ssh/<keypair>.pem
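A pre-flight check for the key file produced in the two key pair procedures above (Generating a new SSH key pair and Importing an existing SSH key pair), added here as an example and not taken from the original documentation. Because the .pem file is written by redirecting command output, the hypothetical function check_private_key confirms that the file is accessible only by its owner and begins with a private key header before you pass it to ssh -i. The demo file contents are constructed.

```shell
#!/bin/sh
# check_private_key <file>
# Returns 0 if the file looks safe to use with `ssh -i`, otherwise:
#   1 = file missing, 2 = group/other permission bits set, 3 = not a private key
check_private_key() {
    local f="$1" mode first=""
    if [ ! -f "$f" ]; then
        echo "error: $f: no such file" >&2
        return 1
    fi
    # Characters 5-10 of the `ls -l` mode string are the group and other
    # permission bits. After `chmod 600` all six are "-". -L follows symlinks.
    mode=$(ls -ldL "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "error: $f is accessible by group or others; run: chmod 600 $f" >&2
        return 2
    fi
    # PEM and OpenSSH private keys start with a "BEGIN ... PRIVATE KEY" line.
    # A public key, or CLI table output that was redirected into the file,
    # does not.
    IFS= read -r first < "$f" || true
    case "$first" in
        "-----BEGIN "*"PRIVATE KEY-----") return 0 ;;
    esac
    echo "error: $f does not start with a private key header" >&2
    return 3
}

# Demo on a constructed file that holds a public key header, not a private key.
demo=$(mktemp)
printf '%s\n' '-----BEGIN RSA PUBLIC KEY-----' > "$demo"
chmod 600 "$demo"
check_private_key "$demo" || echo "rejected with status $?"
rm -f "$demo"
```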
8.3. Assigning a floating IP address to an instance
You can assign a public floating IP address to an instance to enable communication with networks outside the cloud, including the Internet. The cloud administrator configures the available pool of floating IP addresses for an external network. You can allocate a floating IP address from this pool to your project, then associate the floating IP address with your instance.
Projects have a limited quota of floating IP addresses that can be used by instances in the project, 50 by default. Therefore, release IP addresses for reuse when you no longer need them.
Prerequisites
- The instance must be on an external network, or on a project network that is connected to a router that has the external network configured as the gateway.
- The external network that the instance will connect to must have a subnet to provide the floating IP addresses.
- The administrator has created a project for you and they have provided you with a clouds.yaml file for you to access the cloud.
- You have installed the python-openstackclient package.
Procedure
1. Check the floating IP addresses that are allocated to the current project:
   $ openstack floating ip list
2. If there are no floating IP addresses available that you want to use, allocate a floating IP address to the current project from the external network allocation pool:
   $ openstack floating ip create <provider-network>
   Replace <provider-network> with the name or ID of the external network that you want to use to provide external access.
   Tip: By default, a floating IP address is randomly allocated from the pool of the external network. A cloud administrator can use the --floating-ip-address option to allocate a specific floating IP address from an external network.
3. Assign the floating IP address to an instance:
   $ openstack server add floating ip [--fixed-ip-address <ip_address>] \
     <instance> <floating_ip>
   - Replace <instance> with the name or ID of the instance that you want to provide public access to.
   - Replace <floating_ip> with the floating IP address that you want to assign to the instance.
   - Optional: Replace <ip_address> with the IP address of the interface that you want to attach the floating IP to. By default, this attaches the floating IP address to the first port.
4. Verify that the floating IP address has been assigned to the instance:
   $ openstack server show <instance>
Additional resources
- Creating floating IP pools in the Managing networking resources guide.
8.4. Disassociating a floating IP address from an instance
When the instance no longer needs public access, disassociate the floating IP address from the instance and return it to the allocation pool.
Prerequisites
- The administrator has created a project for you and they have provided you with a clouds.yaml file for you to access the cloud.
- You have installed the python-openstackclient package.
Procedure
1. Disassociate the floating IP address from the instance:
   $ openstack server remove floating ip <instance> <ip_address>
   - Replace <instance> with the name or ID of the instance that you want to remove public access from.
   - Replace <ip_address> with the floating IP address that is assigned to the instance.
2. Release the floating IP address back into the allocation pool:
   $ openstack floating ip delete <ip_address>
3. Confirm the floating IP address is deleted and is no longer available for assignment:
   $ openstack floating ip list
8.5. Creating an instance with SSH access
You can provide SSH access to an instance by specifying a key pair when you create the instance. Key pairs are SSH or x509 credentials that are injected into an instance when it is launched. Each project should have at least one key pair. A key pair belongs to an individual user, not to a project.
You cannot associate a key pair with an instance after the instance has been created.
You can apply a security group directly to an instance during instance creation, or to a port on the running instance.
You cannot apply a role-based access control (RBAC)-shared security group directly to an instance during instance creation. To apply an RBAC-shared security group to an instance you must first create the port, apply the shared security group to that port, and then assign that port to the instance. See Adding a security group to a port in Creating and managing instances.
Prerequisites
- A key pair is available that you can use to SSH into your instances. For more information, see Generating a new SSH key pair.
- The network that you plan to create your instance on must be an external network, or a project network connected to a router that has the external network configured as the gateway. For more information, see Adding a router in the Configuring Red Hat OpenStack Platform networking guide.
- The external network that the instance connects to must have a subnet to provide the floating IP addresses.
- The security group allows SSH access to instances. For more information, see Securing instance access with security groups and key pairs.
- The image that the instance is based on contains the cloud-init package to inject the SSH public key into the instance.
- A floating IP address is available to assign to your instance. For more information, see Assigning a floating IP address to an instance.
- The administrator has created a project for you and they have provided you with a clouds.yaml file for you to access the cloud.
- You have installed the python-openstackclient package.
Procedure
1. Retrieve the name or ID of the flavor that has the hardware profile that your instance requires:
   $ openstack flavor list
   Note: Choose a flavor with sufficient size for the image to successfully boot, otherwise the instance will fail to launch.
2. Retrieve the name or ID of the image that has the software profile that your instance requires:
   $ openstack image list
   If the image you require is not available, you can download or create a new image. For information about creating or downloading cloud images, see Creating RHEL KVM images in Performing storage operations.
3. Retrieve the name or ID of the network that you want to connect your instance to:
   $ openstack network list
4. Retrieve the name of the key pair that you want to use to access your instance remotely:
   $ openstack keypair list
5. Create your instance with SSH access:
   $ openstack server create --flavor <flavor> \
     --image <image> --network <network> \
     [--security-group <secgroup>] \
     --key-name <keypair> --wait myInstancewithSSH
   - Replace <flavor> with the name or ID of the flavor that you retrieved in step 1.
   - Replace <image> with the name or ID of the image that you retrieved in step 2.
   - Replace <network> with the name or ID of the network that you retrieved in step 3. You can use the --network option more than once to connect your instance to several networks, as required.
   - Optional: The default security group is applied to instances that do not specify an alternative security group. You can apply an alternative security group directly to the instance during instance creation, or to a port on the running instance. Use the --security-group option to specify an alternative security group when creating the instance. For information on adding a security group to a port on a running instance, see Adding a security group to a port.
   - Replace <keypair> with the name or ID of the key pair that you retrieved in step 4.
6. Assign a floating IP address to the instance:
   $ openstack server add floating ip myInstancewithSSH <floating_ip>
   Replace <floating_ip> with the floating IP address that you want to assign to the instance.
7. Use the automatically created cloud-user account to verify that you can log in to your instance by using SSH:
   $ ssh -i ~/.ssh/<keypair>.pem cloud-user@<floatingIP>
   [cloud-user@demo-server1 ~]$