Tuesday, October 2, 2018

openstack command line administration - PART1





Here we go through some OpenStack administration commands that are used in day-to-day operations. Even though we have the Horizon graphical user interface, many of us prefer the command line for better visibility. Let's start.

Each OpenStack service has its own command-line client. For many commands we can pass the --debug parameter to see the API requests the command makes.

The following command-line clients are available for the respective APIs:

  • ceilometer (python-ceilometerclient). Client for the Telemetry API that lets you create and collect measurements across OpenStack.
  • cinder (python-cinderclient). Client for the Block Storage Service API that lets you create and manage volumes.
  • glance (python-glanceclient). Client for the Image Service API that lets you create and manage images.
  • heat (python-heatclient). Client for the Orchestration API that lets you launch stacks from templates, view details of running stacks including events and resources, and update and delete stacks.
  • keystone (python-keystoneclient). Client for the Identity Service API that lets you create and manage users, tenants, roles, endpoints, and credentials.
  • neutron (python-neutronclient). Client for the Networking API that lets you configure networks for guest servers. This client was previously known as quantum.
  • nova (python-novaclient). Client for the Compute API and its extensions. Use to create and manage images, instances, and flavors.
  • swift (python-swiftclient). Client for the Object Storage API that lets you gather statistics, list items, update metadata, upload, download and delete files stored by the Object Storage service. Provides access to a swift installation for ad hoc processing.

  • To get the version of the above-mentioned clients
$ nova --version
2.14.1.17

$ keystone --version
0.3.1.73

  • To get help for the client commands
$ swift help

Usage: swift [--version] [--help] [--snet] [--verbose]
[--debug] [--quiet] [--auth <auth_url>]
[--auth-version <auth_version>] [--user <username>]
[--key <api_key>] [--retries <num_retries>]
[--os-username <auth-user-name>] [--os-password <auth-password>]
[--os-tenant-id <auth-tenant-id>]
[--os-tenant-name <auth-tenant-name>]
[--os-auth-url <auth-url>] [--os-auth-token <auth-token>]
[--os-storage-url <storage-url>] [--os-region-name <region-name>]
[--os-service-type <service-type>]
[--os-endpoint-type <endpoint-type>]
[--os-cacert <ca-certificate>] [--insecure]
[--no-ssl-compression]
<subcommand> ...
Command-line interface to the OpenStack Swift API.
Positional arguments:
<subcommand>
delete Delete a container or objects within a container
download Download objects from containers
list Lists the containers for the account or the objects
for a container
post Updates meta information for the account, container,
or object
stat Displays information for the account, container,
or object
upload Uploads files or directories to the given container
Examples:
swift -A https://auth.api.rackspacecloud.com/v1.0 -U user -K api_key stat -v
swift --os-auth-url https://api.example.com/v2.0 --os-tenant-name tenant \
--os-username user --os-password password list
swift --os-auth-token 6ee5eb33efad4e45ab46806eac010566 \
--os-storage-url https://10.1.5.2:8080/v1/AUTH_ced809b6a4baea7aeab61a \
list
swift list --lh

Users/Tenants/Roles - keystone commands 
  • To get the service details 
$keystone service-list

  • To get the details of a service 
$ keystone service-get 08741d8ed88242ca88d1f61484a0fe3b

  • To delete a service 
$ keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b


  • To list the tenants (projects) with their id, name and status
$ keystone tenant-list
+----------------------------------+--------------------+---------+
| id                               | name               | enabled |
+----------------------------------+--------------------+---------+
| f7ac731cc11f40efbc03a9f9e1d1d21f | admin              | True    |
| c150ab41f0d9443f8874e32e725a4cc8 | alt_demo           | True    |
| a9debfe41a6d4d09a677da737b907d5e | demo               | True    |
| 9208739195a34c628c58c95d157917d7 | invisible_to_admin | True    |
| 3943a53dc92a49b2827fae94363851e1 | service            | True    |
| 80cab5e1f02045abad92a2864cfd76cb | test_project       | True    |
+----------------------------------+--------------------+---------+

  • To create a new project 
$ keystone tenant-create --name new-project --description 'my new project'

+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | my new project                   |
| enabled     | True                             |
| id          | 1a4a0618b306462c9830f876b0bd6af2 |
| name        | new-project                      |
+-------------+----------------------------------+

  • To temporarily disable a project 
$ keystone tenant-update PROJECT_ID --enabled false
  • To enable a disabled project 
$ keystone tenant-update PROJECT_ID --enabled true
  • To update the name of the project 
$ keystone tenant-update PROJECT_ID --name project-new
  • To delete a project 
$ keystone tenant-delete PROJECT_ID
  • To verify the changes above 
$ keystone tenant-get 1a4a0618b306462c9830f876b0bd6af2

+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | my new project                   |
| enabled     | True                             |
| id          | 1a4a0618b306462c9830f876b0bd6af2 |
| name        | project-new                      |
+-------------+----------------------------------+

  • To list all users 
$keystone user-list

+----------------------------------+----------+---------+--------------------+
| id                               | name     | enabled | email              |
+----------------------------------+----------+---------+--------------------+
| 352b37f5c89144d4ad0534139266d51f | admin    | True    | admin@example.com  |
| 86c0de739bcb4802b8dc786921355813 | demo     | True    | demo@example.com   |
| 32ec34aae8ea432e8af560a1cec0e881 | glance   | True    | glance@example.com |
| 7047fcb7908e420cb36e13bbd72c972c | nova     | True    | nova@example.com   |
+----------------------------------+----------+---------+--------------------+

  • To create a user 
$ keystone user-create --name USER_NAME --tenant_id TENANT_ID --pass PASSWORD

$ keystone user-create --name demo --tenant_id 1a4a0618b306462c9830f876b0bd6af2 --pass myPASS

+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | 6e5140962b424cb9814fb172889d3be2 |
| name     | new-user                         |
| tenantId | 1a4a0618b306462c9830f876b0bd6af2 |
+----------+----------------------------------+

  • To temporarily disable a user account
$ keystone user-update USER_ID --enabled false

  • To enable a disabled user account 
$ keystone user-update USER_ID --enabled true

Users can be part of multiple projects with the help of assigned roles.


  • To list the available roles 

$ keystone role-list

+----------------------------------+---------------+
| id                               | name          |
+----------------------------------+---------------+
| 71ccc37d41c8491c975ae72676db687f | Member        |
| 149f50a1fe684bfa88dae76a48d26ef7 | ResellerAdmin |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_      |
| 6ecf391421604da985db2f141e46a7c8 | admin         |
| deb4fffd123c4d02a907c2c74559dccf | anotherrole   |
+----------------------------------+---------------+

  • To create a new role
$ keystone role-create --name new-role


+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | bef1f95537914b1295da6aa038ef4de6 |
| name     | new-role                         |
+----------+----------------------------------+


  • To assign a role to a user/tenant pair


$ keystone user-role-add --user demo --role new-role --tenant test-project
(here we add the role new-role to the demo user / test-project tenant pair)

$ keystone user-role-list --user demo --tenant test-project

+----------------------------------+----------+----------------------------------+----------------------------------+
| id                               | name     | user_id                          | tenant_id                        |
+----------------------------------+----------+----------------------------------+----------------------------------+
| bef1f95537914b1295da6aa038ef4de6 | new-role | 86c0de739bcb4802b8dc786921355813 | 80cab5e1f02045abad92a2864cfd76cb |
+----------------------------------+----------+----------------------------------+----------------------------------+

Manage Project Security & Networking (Neutron commands)

Security groups are sets of IP rules that control the inbound and outbound traffic of a project's instances. Whether the rules are applied to all projects sharing the network or to individual projects depends on the allow_same_net_traffic option in /etc/nova/nova.conf:


  • True (default): hosts on the same subnet are not filtered and are allowed to pass all types of traffic between them. On a flat network, this allows all instances from all projects unfiltered communication. With VLAN networking, this allows access between instances within the same project. You can also simulate this setting by configuring the default security group to allow all traffic from the subnet.
  • False: security groups are enforced for all connections.

Before running the security group commands, make sure the environment variables are set for the user and the tenant whose security rules we will check:

export OS_USERNAME=demo00
export OS_TENANT_NAME=tenant01


  • To list security groups


$nova secgroup-list
+---------+-------------+
| Name    | Description |
+---------+-------------+
| default | default     |
| open    | all ports   |
+---------+-------------+


  • To view the details of a security group

$ nova secgroup-list-rules open
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | 255     | 0.0.0.0/0 |              |
| tcp         | 1         | 65535   | 0.0.0.0/0 |              |
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+


  • To create a security group
neutron security-group-create [securitygroupname]

$ neutron security-group-create global_http "Allows Web traffic anywhere on the Internet."
+--------------------------------------+-------------+----------------------------------------------+
| Id                                   | Name        | Description                                  |
+--------------------------------------+-------------+----------------------------------------------+
| 1578a08c-5139-4f3e-9012-86bd9dd9f23b | global_http | Allows Web traffic anywhere on the Internet. |
+--------------------------------------+-------------+----------------------------------------------+


  • To create a security group rule

neutron security-group-rule-create [Security-groupID]

$ neutron security-group-rule-create global_http tcp 80 80 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 80        | 80      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

$ neutron security-group-add-rule global_http tcp 443 443 0.0.0.0/0

$ neutron security-group-list-rules global_http
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 80        | 80      | 0.0.0.0/0 |              |
| tcp         | 443       | 443     | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
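The two listings above ("open", which admits every TCP and UDP port from 0.0.0.0/0, and global_http, which admits only 80 and 443) are exactly the kind of output an administrator should review periodically. The following added example, which is not part of the original post, parses that table format and flags rules that expose a wide port range to the whole Internet; the sample tables are constructed from the listings above and the 1024-port threshold is an assumed policy value.

```python
"""Audit security-group rule listings (nova/neutron '|' tables) for wide-open rules."""
from ipaddress import ip_network

# Constructed samples, copied from the "open" and global_http listings above.
OPEN_GROUP_RULES = """\
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | 255     | 0.0.0.0/0 |              |
| tcp         | 1         | 65535   | 0.0.0.0/0 |              |
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
"""

GLOBAL_HTTP_RULES = """\
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 80        | 80      | 0.0.0.0/0 |              |
| tcp         | 443       | 443     | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
"""


def parse_rules(table):
    """Turn a '|'-delimited CLI table into a list of dicts keyed by header."""
    rows = [line for line in table.splitlines() if line.startswith("|")]
    if not rows:
        return []
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    return [dict(zip(header, (c.strip() for c in line.strip("|").split("|"))))
            for line in rows[1:]]


def is_wide_open(rule, max_ports=1024):
    """True when a rule admits the whole Internet to more than max_ports ports.

    Rules bound to a Source Group, rules for a specific prefix, and ICMP rules
    are not flagged; max_ports is an assumed policy threshold.
    """
    if rule["Source Group"]:
        return False
    try:
        net = ip_network(rule["IP Range"])
    except ValueError:
        return False
    if net.prefixlen != 0:          # only 0.0.0.0/0 or ::/0 mean "anywhere"
        return False
    if rule["IP Protocol"] == "icmp":
        return False
    span = int(rule["To Port"]) - int(rule["From Port"]) + 1
    return span > max_ports


def audit(table, max_ports=1024):
    """Return (protocol, from, to) for every rule in the table needing review."""
    return [(r["IP Protocol"], r["From Port"], r["To Port"])
            for r in parse_rules(table) if is_wide_open(r, max_ports)]
```

Feed it the captured output of `nova secgroup-list-rules <group>` for each group in `nova secgroup-list`; an empty result for global_http and two hits for "open" is the expected outcome on the tables shown.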

  • To delete a security group

neutron security-group-delete [securitygroupID/name]

$ neutron security-group-delete global_http


  • To delete a security group rule

neutron security-group-rule-delete [security group name, rule]

$ neutron security-group-rule-delete global_http tcp 443 443 0.0.0.0/0

$ neutron security-group-list-rules global_http
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 80        | 80      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+


  • To update a security group

neutron security-group-update [securitygroupname]

$ neutron security-group-update global_http tcp 443 80 0.0.0.0/0
$ neutron security-group-list-rules global_http
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 443       | 80      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
  • To list the routers

$ neutron router-list

+--------------------------------------+-----------------+
| id                                   | name            |
+--------------------------------------+-----------------+
| 1e4g48d3-a9d0-3567-3f1c-29cd8b83345d | tuxfixer-router |
+--------------------------------------+-----------------+
  • To create a router 
$neutron router-create tuxfixer-router
Created a new router:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| external_gateway_info |                                      |
| id                    | 1e4g48d3-a9d0-3567-3f1c-29cd8b83345d |
| name                  | tuxfixer-router                      |
| routes                |                                      |
| status                | ACTIVE                               |
| tenant_id             | dbe3cf30f46b446fcfe84b205459780d     |
+-----------------------+--------------------------------------+

  • To add an interface to a router 
$neutron router-interface-add tuxfixer-router tuxfixer-subnet
Added interface 445d79cb-3dcf-5f88-963c-aa054f7ce758 to router tuxfixer-router
  • To set the gateway for the router 
$neutron router-gateway-set tuxfixer-router ext-net
Set gateway for router tuxfixer-router
  • To view the details of newly created router 
$neutron router-port-list tuxfixer-router
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                          |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| 1e4g48d3-a9d0-3567-3f1c-29cd8b83345d |      | fc:16:4d:13:32:21 | {"subnet_id": "f6523637-7162-449d-b12c-e1f0eda6196d", "ip_address": "192.168.5.1"} |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+

  • To create the network 
$ neutron net-create tuxfixer-net
Created a new network:
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| admin_state_up  | True                                 |
| id              | 2c0dh763-3fd4-2f8c-743f-7h0j35cv6cde |
| name            | tuxfixer-net                          |
| router:external | False                                |
| shared          | False                                |
| status          | ACTIVE                               |
| subnets         |                                      |
| tenant_id       | dbe3cf30f46b446fcfe84b205459780d     |
+-----------------+--------------------------------------+

  • To create a subnet for the network
neutron subnet-create <NET-NAME> --name <SUBNET-NAME> --gateway <GATEWAY-IP> <SUBNET-CIDR>

$neutron subnet-create tuxfixer-net --name tuxfixer-subnet --gateway 192.168.5.1 192.168.5.0/24
Created a new subnet:
+-------------------+--------------------------------------------------+
| Field             | Value                                            |
+-------------------+--------------------------------------------------+
| allocation_pools  | {"start": "192.168.5.2", "end": "192.168.5.254"} |
| cidr              | 192.168.5.0/24                                   |
| dns_nameservers   |                                                  |
| enable_dhcp       | True                                             |
| gateway_ip        | 192.168.5.1                                      |
| host_routes       |                                                  |
| id                | ac05bc74-eade-4811-8e7b-8de021abe0c1             |
| ip_version        | 4                                                |
| ipv6_address_mode |                                                  |
| ipv6_ra_mode      |                                                  |
| name              | tuxfixer-subnet                                   |
| network_id        | 2c0dh763-3fd4-2f8c-743f-7h0j35cv6cde            |
| tenant_id         | dbe3cf30f46b446fcfe84b205459780d                 |
+-------------------+--------------------------------------------------+

Network quotas 

Quota-related settings for resources like network, subnet and port are defined in the OpenStack networking configuration file neutron.conf. If we need to exclude a particular resource from quota enforcement, we remove it from quota_items in neutron.conf.

**********************************************************
[quotas]
# resource name(s) that are supported in quota features
quota_items = network,subnet,port
# number of networks allowed per tenant, and minus means unlimited
quota_network = 10
# number of subnets allowed per tenant, and minus means unlimited
quota_subnet = 10
# number of ports allowed per tenant, and minus means unlimited
quota_port = 50
# default driver to use for quota checks
quota_driver = neutron.quota.ConfDriver
***********************************************************
For L3 quotas, such as router quotas, we define the following in neutron.conf:

************************************************************
[quotas]
# number of routers allowed per tenant, and minus means unlimited
quota_router = 10
# number of floating IPs allowed per tenant, and minus means unlimited
quota_floatingip = 50
************************************************************
For security group quotas:
*************************************************
[quotas]
# number of security groups per tenant, and minus means unlimited
quota_security_group = 10
# number of security rules allowed per tenant, and minus means unlimited
quota_security_group_rule = 100
***********************************************
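Because a negative value in any of these settings means "unlimited", a quick check of neutron.conf before rolling it out is worthwhile. The following added example (not from the original post) reads a [quotas] section with configparser and reports the resources that are unlimited; the sample fragment is constructed from the settings above with quota_port deliberately set to -1 to show what the check reports.

```python
"""Report unlimited (negative) per-tenant quotas in a neutron.conf [quotas] section."""
import configparser

# Constructed sample: the three fragments above merged into one [quotas]
# section, with quota_port set to -1 (unlimited) for the demonstration.
SAMPLE_CONF = """\
[quotas]
# resource name(s) that are supported in quota features
quota_items = network,subnet,port
quota_network = 10
quota_subnet = 10
quota_port = -1
quota_router = 10
quota_floatingip = 50
quota_security_group = 10
quota_security_group_rule = 100
quota_driver = neutron.quota.ConfDriver
"""

# Keys under [quotas] that are not per-resource limits.
NON_LIMIT_KEYS = ("quota_items", "quota_driver")


def load_quotas(text):
    """Return {resource: limit} for every quota_<resource> key in [quotas]."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    quotas = {}
    for key, value in cp["quotas"].items():
        if key.startswith("quota_") and key not in NON_LIMIT_KEYS:
            quotas[key[len("quota_"):]] = int(value)
    return quotas


def unlimited_resources(text):
    """Resources whose limit is negative, which neutron treats as unlimited."""
    return sorted(r for r, n in load_quotas(text).items() if n < 0)


def unquota_items(text):
    """Resources listed in quota_items that have no quota_<resource> limit at all."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    items = [i.strip() for i in cp["quotas"].get("quota_items", "").split(",") if i.strip()]
    return sorted(i for i in items if i not in load_quotas(text))
```

Run `unlimited_resources(open("/etc/neutron/neutron.conf").read())` on a real file to list the resources a tenant can create without limit.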


  • To show the quota details per tenant 

$ neutron quota-list
+------------+---------+------+--------+--------+----------------------------------+
| floatingip | network | port | router | subnet | tenant_id                        |
+------------+---------+------+--------+--------+----------------------------------+
| 20         | 5       | 20   | 10     | 5      | 6f88036c45344d9999a1f971e4882723 |
| 25         | 10      | 30   | 10     | 10     | bff5c9455ee24231b5bc713c1b96d422 |
+------------+---------+------+--------+--------+----------------------------------+


  • To get the quota details of a particular tenant id


$ neutron quota-show --tenant_id 6f88036c45344d9999a1f971e4882723
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 20    |
| network    | 5     |
| port       | 20    |
| router     | 10    |
| subnet     | 5     |
+------------+-------+
  • To update the quota of a particular tenant

$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --network 5
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 50    |
| network    | 5     |
| port       | 50    |
| router     | 10    |
| subnet     | 10    |
+------------+-------+


  • To update multiple quota values at once

$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --network 3 --subnet 3 --port 3 --floatingip 3 --router 3
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 3     |
| network    | 3     |
| port       | 3     |
| router     | 3     |
| subnet     | 3     |
+------------+-------+

Floating IP details


  • To list the floating IPs of this tenant

$ nova floating-ip-list

+--------------+--------------------------------------+----------+--------+
| Ip           | Instance Id                          | Fixed Ip | Pool   |
+--------------+--------------------------------------+----------+--------+
| 172.24.4.225 | 4a60ff6a-7a3c-49d7-9515-86ae501044c6 | 10.0.0.2 | public |
| 172.24.4.226 | None                                 | None     | public |
+--------------+--------------------------------------+----------+--------+


  • To list all floating IP pools

$ nova floating-ip-pool-list
+--------+
| name   |
+--------+
| public |
| test   |
+--------+
  • To allocate a new floating IP
$ nova floating-ip-create public
+--------------+-------------+----------+--------+
| IP           | Instance Id | Fixed IP | Pool   |
+--------------+-------------+----------+--------+
| 172.24.4.225 | None        | None     | public |
+--------------+-------------+----------+--------+

  • To deallocate a floating IP

$ nova floating-ip-delete 172.24.4.255

  • To attach a floating IP to an instance
$ nova floating-ip-associate VM1 172.24.4.225
$ nova list
+------------------+------+--------+------------+-------------+-------------------------------+
| ID               | Name | Status | Task State | Power State | Networks                      |
+------------------+------+--------+------------+-------------+-------------------------------+
| d5c854f9-d3e5... | VM1  | ACTIVE | -          | Running     | private=10.0.0.3, 172.24.4.225|
| 42290b01-0968... | VM2  | SHUTOFF| -          | Shutdown    | private=10.0.0.4              |
+------------------+------+--------+------------+-------------+-------------------------------+

  • To detach a floating IP from an instance
$ nova floating-ip-delete FLOATING_IP_ADDRESS

$nova floating-ip-delete 172.24.4.255
$nova list
+------------------+------+--------+------------+-------------+-------------------------------+
| ID               | Name | Status | Task State | Power State | Networks                      |
+------------------+------+--------+------------+-------------+-------------------------------+
| d5c854f9-d3e5... | VM1  | ACTIVE | -          | Running     | private=10.0.0.3              |
| 42290b01-0968... | VM2  | SHUTOFF| -          | Shutdown    | private=10.0.0.4              |
+------------------+------+--------+------------+-------------+-------------------------------+

More commands will be explained in another session.

Thank you for reading 












