OpenStack APIs and Command Line Interface
All of the functionality provided by the dashboard is also accessible through the OpenStack APIs (e.g. launching instances, creating images, etc). They are useful for scripting/automating your cloud configuration and setup. Many cloud configuration and automation software packages already exist that make use of these APIs (e.g. Terraform, Packer) but even if you have no need for them, you may find the OpenStack Command Line Interface (CLI) useful and/or more powerful than the dashboard, which makes use of the OpenStack APIs.
Credentials
To use the APIs you need to have the correct OpenStack credentials loaded into your environment. These are just a set of environment variables that describe the connection details required to authenticate with OpenStack/Nectar.
User Credentials
Each user has their own set of credentials. You can download your credentials by going to Project > API Access
then selecting Download OpenStack RC File > OpenStack RC File
.
Alternatively, you can download your user credentials by clicking your username/email in the top right corner and selecting OpenStack RC File
.
Either way, your browser will download your credentials as a shell script named e.g.my-project-openrc.sh
. Its contents should look something like this
#!/usr/bin/env bash
# To use an OpenStack cloud you need to authenticate against the Identity
# service named keystone, which returns a **Token** and **Service Catalog**.
# The catalog contains the endpoints for all services the user/tenant has
# access to - such as Compute, Image Service, Identity, Object Storage, Block
# Storage, and Networking (code-named nova, glance, keystone, swift,
# cinder, and neutron).
#
# *NOTE*: Using the 3 *Identity API* does not necessarily mean any other
# OpenStack API is version 3. For example, your cloud provider may implement
# Image API v1.1, Block Storage API v2, and Compute API v2.0. OS_AUTH_URL is
# only for the Identity API served through keystone.
export OS_AUTH_URL=https://keystone.rc.nectar.org.au:5000/v3/
# With the addition of Keystone we have standardized on the term **project**
# as the entity that owns the resources.
export OS_PROJECT_ID=<your project ID>
export OS_PROJECT_NAME="my-project"
export OS_USER_DOMAIN_NAME="Default"
if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
export OS_PROJECT_DOMAIN_ID="default"
if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
# unset v2.0 items in case set
unset OS_TENANT_ID
unset OS_TENANT_NAME
# In addition to the owning entity (tenant), OpenStack stores the entity
# performing the action as the **user**.
export OS_USERNAME="your@email.edu.au"
# With Keystone you pass the keystone password.
echo "Please enter your OpenStack Password for project $OS_PROJECT_NAME as user $OS_USERNAME: "
read -sr OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT
# If your configuration has multiple regions, we set that information here.
# OS_REGION_NAME is optional and only valid in certain environments.
export OS_REGION_NAME="Melbourne"
# Don't leave a blank variable, unset it if it was empty
if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
export OS_INTERFACE=public
Before you can use your credentials however, you will also need to generate a credentials password. This is different from your user login password.
Click your username/email in the top right corner and select Settings
from the dropdown menu. Then select Reset Password
on the left hand side menu to open the Password Rest Form.
To generate a new password click the Rest Password
button.
Important
Your credentials password will only appear once! Make sure you save it somewhere safe immediately. If you lose it, or forget it, you can always generate a new one.
To use your credentials, simply load the script into your environment and enter your credentials password when prompted.
$ source ~/Download/my-project-openrc.sh
Please enter your OpenStack Password for project my-project as user your@email.edu.au:
If all went well, you won't see anything special. But you can check to see if any of the environment variables were set. For example,
$ echo $OS_PROJECT_NAME
my-project
Tip
You can edit your script so that OS_PASSWORD
is hard-coded and you are not prompted each time you load your credentials.
Application Credentials
Alternatively, you can also generate credentials suitable for applications to authenticate with the APIs, without having to expose your main/personal credentials. Application credentials can be easily revoked and recreated, they can have an automatic expiry, and they are more secure than user credentials since, by default, they do not allow certain actions to be performed (e.g. creating additional application credentials).
To generate an application credential, go to Identity > Application Credentials
on the dashboard, then select + Create Application Credential
.
Give your credential a name, and select Member
and SUT-Access
(as a minumum) under Roles. The latter role is required for launching instances on the Swinburne availability zone. You may optionally also give your credential an expiry and choose its secret/password.
Press the Create Application Credential
button, and then click Download openrc file
. This will download your credentials into a script named e.g. app-cred-my-application-openrc.sh
. Your secret/password will be hard-coded into the script. Its contents should look something like this
#!/usr/bin/env bash
export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=https://keystone.rc.nectar.org.au:5000/v3/
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME="Melbourne"
export OS_INTERFACE=public
export OS_APPLICATION_CREDENTIAL_ID=<your application credential id>
export OS_APPLICATION_CREDENTIAL_SECRET=<your application credential secret>
You load your application credentials in the same manner as you would your user credentials
$ source ~/Downloads/app-cred-my-application-openrc.sh
OpenStack CLI (Python)
The OpenStack Command Line Interface gives you the power to do everything that you can in the dashboard via the terminal instead. It is written in Python, so you can install it via the Python Package Index (PyPI)
$ pip install python-openstackclient
Next, load your credentials into your environment. You can use either your user credentials or application credentials.
$ source my-project-openrc.sh
Now you can run openstack
commands to view and manage your Nectar resources.
For example, to create an m3.xsmall
VM from the official Nectar Centos 7 image
$ openstack server create my_first_vm \
--image "NeCTAR CentOS 7 x86_64" \
--flavor "m3.xsmall" \
--security-group "SSH" \
--key-name "nectarkey"
To list all your current instances/VMs
$ openstack server list
+--------------------------------------+-------------+--------+-------------------------------------+------------------------+-----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+-------------+--------+-------------------------------------+------------------------+-----------+
| 11977445-e189-4d0a-bbb0-3d0c181adca0 | my_first_vm | ACTIVE | swinburne-01-public=136.186.108.181 | NeCTAR CentOS 7 x86_64 | m3.small |
+--------------------------------------+-------------+--------+-------------------------------------+------------------------+-----------+
To list all available commands
$ openstack --help
To get a description of a specific command
$ openstack help <command>
To get a complete list of all available options, visit the OpenStack Client website.