Openstack / SWITCHengine


Introduction to OpenStack

Getting the credentials

You have received an invitation to join a SWITCHengines project. Follow the instructions to get access to the platform. Once you have access, retrieve your OpenStack credentials by going to https://engines.admin.switch.ch/ and doing the following:

1. Click on Profile
2. Click on Select Users

Warning

The credentials are shown only until you click on Update password(s), so make sure you copy them into your password manager!

Creating networks

Here are examples of how to create networks through the CLI:

# create a network
openstack network create office
# create the corresponding subnetwork
openstack subnet create --network office --subnet-range 192.168.100.0/24 --allocation-pool start=192.168.100.100,end=192.168.100.200 --dns-nameserver 8.8.8.8 office
# create another network (dmz)
openstack network create dmz
openstack subnet create --network dmz --subnet-range 10.10.10.0/24 --allocation-pool start=10.10.10.100,end=10.10.10.200 --dns-nameserver 8.8.8.8 dmz
# create network plant
openstack network create plant
openstack subnet create --network plant --subnet-range 172.16.16.0/24 --allocation-pool start=172.16.16.100,end=172.16.16.200 --dns-nameserver 8.8.8.8 plant
# create network segregated
openstack network create segregated
openstack subnet create --network segregated --subnet-range 172.16.32.0/24 --allocation-pool start=172.16.32.100,end=172.16.32.200 --dns-nameserver 8.8.8.8 segregated

Creating routers

# create a router
openstack router create main_router 
# associate it to network dmz
openstack router add subnet main_router dmz 
# associate it to network office
openstack router add subnet main_router office 
# make it the one accessing the internet
openstack router set --external-gateway public main_router

Creating virtual machines

Import your ssh key

See https://help.switch.ch/engines/documentation/creating—importing-ssh-keys/ for details. On the command line:

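  • ssh-keygen -t rsa creates a key pair; when prompted for the file name, store it under ~/.ssh/id_openstack
  • openstack keypair create --public-key ~/.ssh/id_openstack.pub "Mighty Beast" imports the public key under the name used by the server commands below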

Create hosts

# create an instance and associate it with the dmz and office networks
openstack server create --image "Debian Bullseye 11 (SWITCHengines)" --flavor c1.small --key-name "Mighty Beast" --network office --network dmz client1
# another client only bound to office
openstack server create --image "Debian Bullseye 11 (SWITCHengines)" --flavor c1.small --key-name "Mighty Beast" --network office client2
# a server instance in the dmz
openstack server create --image "Debian Bullseye 11 (SWITCHengines)" --flavor c1.small --key-name "Mighty Beast" --network dmz server1
# an instance in a segregated network
openstack server create --image "Debian Bullseye 11 (SWITCHengines)" --flavor c1.small --key-name "Mighty Beast" --network segregated ultraold
# yet another instance
openstack server create --image "Debian Bullseye 11 (SWITCHengines)" --flavor c1.small --key-name "Mighty Beast" --network plant plant_client1
# yet another instance
openstack server create --image "Debian Bullseye 11 (SWITCHengines)" --flavor c1.small --key-name "Mighty Beast" --network plant plant_server1
# yet another instance BUT using cloud-init
openstack server create --image "Debian Bullseye 11 (SWITCHengines)" --flavor c1.small --key-name "Mighty Beast" --user-data cloud-init.yml --network office dns_server
openstack server list

Using cloud-init

The flag --user-data cloud-init.yml passes a cloud-config file to the instance at creation time. See also

#cloud-config
package_reboot_if_required: true
package_update: true
package_upgrade: true
packages:
- iputils-ping 
- dnsutils
- htop
- bind9
- nano

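users:
  - default
  - name: debian
    gecos: Debian
    primary-group: debian
    groups: sudo,adm
    # password hash (placeholder); the $1$ prefix marks an MD5-crypt hash,
    # a SHA-512 hash ($6$) is the stronger choice
    passwd: $1$XXXXXXXXXXXXXXX0
    # false leaves password login enabled for this account
    lock-passwd: false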

Tip

In order to debug what may have gone wrong, issue the command sudo cat /var/log/cloud-init-output.log

Associate a floating IP

# create a floating IP
openstack floating ip create public 
# associate it to a port
openstack floating ip set --port e9d2ccf4-b291-43ce-b315-b158000fe149 a7610fb9-862e-400c-befb-a0464abcc6f5

Warning

Remember to replace the resource IDs above with your own, otherwise the command will not succeed.

Access control lists

# show groups
openstack security group list
# show the content of a specific group
openstack security group show MyApp
# add a rule to a group
openstack security group rule create --ingress --protocol tcp --dst-port 22 --ethertype IPv4 MyApp
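
The rule above omits --remote-ip, so it admits SSH from 0.0.0.0/0. The following added example (not part of the original page) audits a group's rules for administrative ports reachable from any address; the sample rules are constructed, and the JSON column names and the ADMIN_PORTS set are assumptions that may need adjusting to your client version.

```python
import ipaddress
import json

# Constructed sample, shaped like the JSON output of
# `openstack security group rule list MyApp -f json` (column names assumed).
SAMPLE_RULES = json.loads("""
[
  {"ID": "rule-ssh-any", "IP Protocol": "tcp", "Ethertype": "IPv4",
   "IP Range": "0.0.0.0/0", "Port Range": "22:22", "Direction": "ingress"},
  {"ID": "rule-ssh-office", "IP Protocol": "tcp", "Ethertype": "IPv4",
   "IP Range": "192.168.100.0/24", "Port Range": "22:22", "Direction": "ingress"},
  {"ID": "rule-all-tcp", "IP Protocol": "tcp", "Ethertype": "IPv4",
   "IP Range": "0.0.0.0/0", "Port Range": "", "Direction": "ingress"},
  {"ID": "rule-egress", "IP Protocol": null, "Ethertype": "IPv4",
   "IP Range": "0.0.0.0/0", "Port Range": "", "Direction": "egress"}
]
""")

ADMIN_PORTS = {22, 3389}  # assumption: ports treated as administrative

def port_span(text):
    """Parse '22:22' into (22, 22); an empty range means every port."""
    if not text:
        return 1, 65535
    low, _, high = text.partition(":")
    return int(low), int(high or low)

def world_open_admin_rules(rules, ports=ADMIN_PORTS):
    """Return IDs of ingress rules that expose an admin port to any source."""
    findings = []
    for rule in rules:
        # Egress rules and rules scoped to another security group are not world-open.
        if rule.get("Direction") != "ingress" or rule.get("Remote Security Group"):
            continue
        if rule.get("IP Protocol") not in ("tcp", "any", None):
            continue
        # A rule without a remote prefix matches every address.
        cidr = rule.get("IP Range") or "0.0.0.0/0"
        if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
            continue
        low, high = port_span(rule.get("Port Range"))
        if any(low <= port <= high for port in ports):
            findings.append(rule["ID"])
    return findings

if __name__ == "__main__":
    for rule_id in world_open_admin_rules(SAMPLE_RULES):
        print("world-reachable admin port:", rule_id)
```

A rule limited to a known prefix, such as the office subnet 192.168.100.0/24 created earlier, passes the check.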