Unixchips : openstack command line administration

Here we are going through some openstack administration commands which is used in day to day operations , even though we have horizon graphical user interface many of us prefer to use commands for a better visibility .. let's start

Each openstack services has its own command line client in some commands we can put debug parameter to identify the API requests for the command

Following are the command line clients are available for the respective API's

ceilometer (python-ceilometerclient). Client for the Telemetry API that lets you create and collect measurements across OpenStack.

cinder (python-cinderclient). Client for the Block Storage Service API that lets you create and manage volumes.

glance (python-glanceclient). Client for the Image Service API that lets you create and manage images.

heat (python-heatclient). Client for the Orchestration API that lets you launch stacks from templates, view details of running stacks including events and resources, and update and delete stacks.

keystone (python-keystoneclient). Client for the Identity Service API that lets you create and manage users, tenants, roles, endpoints, and credentials.

neutron (python-neutronclient). Client for the Networking API that lets you configure networks for guest servers. This client was previously known as quantum.

nova (python-novaclient). Client for the Compute API and its extensions. Use to create and manage images, instances, and flavors.

swift (python-swiftclient). Client for the Object Storage API that lets you gather statistics, list items,update metadata, upload, download and delete files stored by the Object Storage service. Provides access to a swift installation for ad hoc processing.

To get the version of the above mentioned clients

$ nova --version

2.14.1.17

$ keystone --version

0.3.1.73

To get the help for client commands

$ swift help

Usage: swift [--version] [--help] [--snet] [--verbose]

[--debug] [--quiet] [--auth <auth_url>]

[--auth-version <auth_version>] [--user <username>]

[--key <api_key>] [--retries <num_retries>]

[--os-username <auth-user-name>] [--os-password <auth-password>]

[--os-tenant-id <auth-tenant-id>]

[--os-tenant-name <auth-tenant-name>]

[--os-auth-url <auth-url>] [--os-auth-token <auth-token>]

[--os-storage-url <storage-url>] [--os-region-name <region-name>]

[--os-service-type <service-type>]

[--os-endpoint-type <endpoint-type>]

[--os-cacert <ca-certificate>] [--insecure]

[--no-ssl-compression]

<subcommand> ...

Command-line interface to the OpenStack Swift API.

Positional arguments:

delete Delete a container or objects within a container

download Download objects from containers

list Lists the containers for the account or the objects

for a container

post Updates meta information for the account, container,

or object

stat Displays information for the account, container,

or object

upload Uploads files or directories to the given container

Examples:

swift -A https://auth.api.rackspacecloud.com/v1.0 -U user -K api_key stat -v

swift --os-auth-url https://api.example.com/v2.0 --os-tenant-name tenant \

--os-username user --os-password password list

swift --os-auth-token 6ee5eb33efad4e45ab46806eac010566 \

--os-storage-url https://10.1.5.2:8080/v1/AUTH_ced809b6a4baea7aeab61a \

list

swift list --lh

Users/Tenants/Roles - keystone commands

To get the service details

$keystone service-list

To get the details of a service

$ keystone service-get 08741d8ed88242ca88d1f61484a0fe3b

To delete a service

$ keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b

To list the tanents ( projects) with their id,name and status

$ keystone tenant-list

+----------------------------------+--------------------+---------+

| id | name | enabled |

+----------------------------------+--------------------+---------+

| f7ac731cc11f40efbc03a9f9e1d1d21f | admin | True |

| c150ab41f0d9443f8874e32e725a4cc8 | alt_demo | True |

| a9debfe41a6d4d09a677da737b907d5e | demo | True |

| 9208739195a34c628c58c95d157917d7 | invisible_to_admin | True |

| 3943a53dc92a49b2827fae94363851e1 | service | True |

| 80cab5e1f02045abad92a2864cfd76cb | test_project | True |

+----------------------------------+--------------------+---------+

To create a new project

$ keystone tenant-create --name new-project --description 'my new project'

+-------------+----------------------------------+

| Property | Value |

+-------------+----------------------------------+

| description | my new project |

| enabled | True |

| id | 1a4a0618b306462c9830f876b0bd6af2 |

| name | new-project |

+-------------+----------------------------------+

To temporarily disable a project

$ keystone tenant-update PROJECT_ID --enabled false

To enable a disabled project

$ keystone tenant-update PROJECT_ID --enabled true

To update the name of the project

$ keystone tenant-update PROJECT_ID --name project-new

To delete a project

$ keystone tenant-delete PROJECT_ID

To verify the changes above

$ keystone tenant-get 1a4a0618b306462c9830f876b0bd6af2

+-------------+----------------------------------+

| Property | Value |

+-------------+----------------------------------+

| description | my new project |

| enabled | True |

| id | 1a4a0618b306462c9830f876b0bd6af2 |

| name | project-new |

+-------------+----------------------------------+

To list all users

$keystone user-list

+----------------------------------+----------+---------+-----------------

-----+

| id | name | enabled | email

+----------------------------------+----------+---------+-----------------

-----+

| 352b37f5c89144d4ad0534139266d51f | admin | True |

admin@example.com |

| 86c0de739bcb4802b8dc786921355813 | demo | True |

demo@example.com |

| 32ec34aae8ea432e8af560a1cec0e881 | glance | True |

glance@example.com |

| 7047fcb7908e420cb36e13bbd72c972c | nova | True |

nova@example.com |

+----------------------------------+----------+---------+-----------------

-----+

To create a user

$ keystone user-create --name USER_NAME --tenant_id TENANT_ID --pass

PASSWORD

$ keystone user-create --name demo --tenant_id

1a4a0618b306462c9830f876b0bd6af2 --pass myPASS

+----------+----------------------------------+

| Property | Value |

+----------+----------------------------------+

| email | |

| enabled | True |

| id | 6e5140962b424cb9814fb172889d3be2 |

| name | new-user |

| tenantId | 1a4a0618b306462c9830f876b0bd6af2 |

+----------+----------------------------------+

To temporarily disable a user ID

$ keystone user-update USER_ID --enabled false

To enable a disabled user account

$ keystone user-update USER_ID --enabled true

Users can be part of multiple projects with the help of assigned roles.

To list the available roles

$ keystone role-list

To create a new role

$ keystone role-create --name new-role

+----------+----------------------------------+
| Property |Value
|
+----------+----------------------------------+
|
id bef1f95537914b1295da6aa038ef4de6 |
|
name new-role
|
+----------+----------------------------------+

To assign a a role to a user tenant pair

$ keystone user-role-add --user demo --role new-role --tenant test-
project
(here we will add role new-role to demo user and tenant pair)

$ keystone user-role-list --user demo --tenant test-project

+----------------------------------+----------+---------------------------
-------+----------------------------------+
|
id name user_id tenant_id
|
+----------------------------------+----------+---------------------------
-------+----------------------------------+
| bef1f95537914b1295da6aa038ef4de6 | new-role |86c0de739bcb4802b8dc786921355813 | 80cab5e1f02045abad92a2864cfd76cb |
+----------------------------------+----------+---------------------------
-------+----------------------------------+

Manage Project Security&Networking ( Nutron commands)

Security groups are the IP rules which will control the in and out traffic to projects. Whether the security rules needs to be applied to all projects which will share the network or to individual projects depends up on the allow_same_net_traffic option in the /etc/nova/nova.conf.

True (default), hosts on the same subnet are not filtered and are allowed to pass all types of trafficbetween them. On a flat network, this allows all instances from all projects unfiltered communication.With VLAN networking, this allows access between instances within the same project. You can alsosimulate this setting by configuring the default security group to allow all traffic from the subnet.
False, security groups are enforced for all connections

Before proceeding the security group commands please make sure system variables are set for the user and the tenant which we will check the security rules

export OS_USERNAME=demo00
export OS_TENANT_NAME=tenant01

To list security groups

To view the details of a security group

To create a security group

neutron security-group-create [securitygroupname]

$ neutron secgroup-create global_http "Allows Web traffic anywhere on the
Internet."
+--------------------------------------+-------------+--------------------
--------------------------+
| Id Name Description
|
+--------------------------------------+-------------+--------------------
--------------------------+
| 1578a08c-5139-4f3e-9012-86bd9dd9f23b | global_http | Allows Web traffic
anywhere on the Internet. |
+--------------------------------------+-------------+--------------------

To create a security group rule

neutron security-group-rule-create [Security-groupID]

$ nutron security-group-rule-create global_http tcp 80 80 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp 80 80 0.0.0.0/0 |
|
+-------------+-----------+---------+-----------+--------------+

$ nutron security-group-add-rule global_http tcp 443 443 0.0.0.0/0

$ nutron security-group-list-rules global_http
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp 80 80 0.0.0.0/0 |
|
| tcp 443 443 0.0.0.0/0 |
|
+-------------+-----------+---------+-----------+--------------+

To delete a security group

neutron security-group-delete [securitygroupID/name]

neutron secrity-group-delete global_http

To delete a security group rule

neutron security-group-rule-delete [secrity group name-rule name]

$neutron security-group-rule-delete global_http tcp 443 443 0.0.0.0/0

----------------------------------------------------------------------

To update a security group

neutron security-group-update [securitygroupname]

$neutron security-group-update global_http tcp 443 80 0.0.0.0/0
$ nutron security-group-list-rules global_http

----------------------------------------------------------------------

To list the routers

$neutron router-list

+----------------------- +--------------------------------------+

| Id | name |

+-----------------------+--------------------------------------+

1e4g48d3-a9d0-3567-3f1c-29cd8b83345d

tuxfixer-router

---------------------------------------------------------------------

To create a router

$neutron router-create tuxfixer-router

Created a new router:

+-----------------------+--------------------------------------+

| Field | Value |

+-----------------------+--------------------------------------+

| admin_state_up | True |

| external_gateway_info | |

| id | 1e4g48d3-a9d0-3567-3f1c-29cd8b83345d |

| name | tuxfixer-router |

| routes | |

| status | ACTIVE |

| tenant_id | dbe3cf30f46b446fcfe84b205459780d |

To add an interface to a router

$neutron router-interface-add tuxfixer-router tuxfixer-subnet

Added interface 445d79cb-3dcf-5f88-963c-aa054f7ce758 to router tuxfixer-router

To set the gateway for the router

$neutron router-gateway-set tuxfixer-router ext-net

Set gateway for router tuxfixer-router

To view the details of newly created router

$neutron router-port-list tuxfixer-router

+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+

+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+

| |1e4g48d3-a9d0-3567-3f1c-29cd8b83345d | fc:16:4d:13:32:21 | {"subnet_id": "f6523637-7162-449d-b12c-e1f0eda6196d", "ip_address": "192.168.5.1"} |

To create the network

$ neutron net-create tuxfixer-net

Created a new network:

+-----------------+--------------------------------------+

| Field | Value |

+-----------------+--------------------------------------+

| admin_state_up | True |

| id | 2c0dh763-3fd4-2f8c-743f-7h0j35cv6cde |

| name | tuxfixer-net |

| router:external | False |

| shared | False |

| status | ACTIVE |

| subnets | |

| tenant_id | dbe3cf30f46b446fcfe84b205459780d |

+-----------------+--------------------------------------

To create a subnet for the network

neutron subnet-create --name <SUBNET-NAME> <NET-NAME> <GATEWAY IP><SUBNET-CIDR>

$neutron subnet-create tuxfixer-net --name tuxfixer-subnet --gateway 192.168.5.1 192.168.5.0/24

Created a new subnet:

+-------------------+--------------------------------------------------+

| Field | Value |

+-------------------+--------------------------------------------------+

| allocation_pools | {"start": "192.168.5.2", "end": "192.168.5.254"} |

| cidr | 192.168.5.0/24 |

| dns_nameservers | |

| enable_dhcp | True |

| gateway_ip | 192.168.5.1 |

| host_routes | |

| id | ac05bc74-eade-4811-8e7b-8de021abe0c1 |

| ip_version | 4 |

| ipv6_address_mode | |

| ipv6_ra_mode | |

| name | tuxfixer-subnet |

| network_id | 2c0dh763-3fd4-2f8c-743f-7h0j35cv6cde |

| tenant_id | dbe3cf30f46b446fcfe84b205459780d |

Network quotas

Quota related details like network,subnet,port will be mentioned in openstack network configuration file nutron.conf. If we need to remove any particular item from the quota we have to remove from quota_items in nutron.conf

**********************************************************
[quotas]
# resource name(s) that are supported in quota features
quota_items = network,subnet,port
# number of networks allowed per tenant, and minus means unlimited
quota_network = 10
# number of subnets allowed per tenant, and minus means unlimited
quota_subnet = 10
# number of ports allowed per tenant, and minus means unlimited
quota_port = 50
# default driver to use for quota checks
quota_driver = neutron.quota.ConfDriver

***********************************************************
For L3 quotas like router quotas we need to define as below in nutron.conf

************************************************************
[quotas]
# number of routers allowed per tenant, and minus means unlimited
quota_router = 10
# number of floating IPs allowed per tenant, and minus means unlimited
quota_floatingip = 50

************************************************************

For security group quotas
*************************************************
[quotas]
# number of security groups per tenant, and minus means unlimited
quota_security_group = 10
# number of security rules allowed per tenant, and minus means unlimited
quota_security_group_rule = 100
***********************************************

To show the quota details per tenant

To get the quota detail of a particular tenant id

To update the quota of a particular tenant

update the multiple values of the quota

$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --network 3

--subnet 3 --port 3 -- --floatingip 3 --router 3

+------------+-------+

| Field Value |

+------------+-------+

| floatingip | 3

| network 3

| port 3

| router 3

| subnet 3

+------------+-------+

Floating IP details

To list floatingIP for this tenant

To list all floatingIP pools

$ nova floating-ip-pool-list

+--------+

| name |

+--------+

| public |

| test |

+--------+

To allocating a new floatingIP

$ nova floating-ip-create pblic

+--------------+-------------+----------+--------+

+--------------+-------------+----------+--------+

+--------------+-------------+----------+--------+

To disallocate a floating ip

$nova floating-ip-delete 172.24.4.255

To attach a floating ip to an instance

$nova floating-ip-associate VM1 172.24.4.225

$nova list

+------------------+------+--------+------------+-------------+-------------------------------+

+------------------+------+--------+------------+-------------+-------------------------------+

| 42290b01-0968... | VM2 | SHUTOFF| - | Shutdown | private=10.0.0.4 |

+------------------+------+--------+------------+-------------+-------------------------------+

To detach a floating ip from an instance

$ nova floating-ip-delete FLOATING_IP_ADDRESS

$nova floating-ip-delete 172.24.4.255

$nova list

+------------------+------+--------+------------+-------------+-------------------------------+

+------------------+------+--------+------------+-------------+-------------------------------+

| 42290b01-0968... | VM2 | SHUTOFF| - | Shutdown | private=10.0.0.4 |

+------------------+------+--------+------------+-------------+-------------------------------+

More commands will be explained in another session

Thank you for reading

Unixchips

Tuesday, October 2, 2018

openstack command line administration - PART1

No comments:

Post a Comment