OpenStack Nova API Introduction

OpenStack is a free and open-source cloud computing platform that can be accessed and managed through a RESTful API. This post is an introduction to that API using a well-known OpenStack implementation, Rackspace.

Prerequisites: you need to open a Rackspace account at https://cart.rackspace.com/cloud/

Generating API Keys

The first thing we need to do is generate a valid key to access the API. To do that, log in to the control panel and follow these instructions.

Note: for security reasons it is recommended to create a separate user used only for API access and to generate a key for that user.

Command Line Rackspace Nova API Client Tool

Nova is the project name for OpenStack Compute. The command line tool is a Python application that can be installed via pip:

    pip install rackspace-novaclient

You can check your installation by running the nova help command.

Configuring Nova API Client

We need to define the following environment variables:

    export OS_AUTH_URL=https://identity.api.rackspacecloud.com/v2.0/
    export OS_AUTH_SYSTEM=rackspace
    export OS_REGION_NAME=DFW
    export OS_USERNAME=
    export OS_TENANT_NAME=
    export NOVA_RAX_AUTH=1
    export OS_PASSWORD=
    export OS_PROJECT_ID=
    export OS_NO_CACHE=1  

Note: tenant_id is your account number. Check that your configuration is correct:

    nova credentials

OpenStack Flavors

Virtual hardware templates are called "flavors" in OpenStack; they define the amount of RAM, disk space, number of cores, and so on. To get a list of flavors use the command nova flavor-list.

OpenStack Images

A virtual machine image is a single file which contains a virtual disk with a bootable operating system installed on it. To get a list of images run the command nova image-list.

SSH keypair

In order to access virtual machines an SSH keypair is required. You can create one with the command nova keypair-add keypairname, redirecting the private key it prints to a file:

    nova keypair-add key_test >> key_file.pem

Managing Servers

List Servers

We can use the command nova list to get a list of all our servers; at the beginning this list will be empty.

Create a server

We want to create a 512MB Standard Instance (flavor ID 2) with Debian 7 Wheezy (image ID 06cbc0a2-a906-4e6a-8ed7-bd7c952c9f81). We pass the SSH key as well in order to grant SSH access:

    nova boot testServer --image 06cbc0a2-a906-4e6a-8ed7-bd7c952c9f81 --flavor 2 --key-name key_test

The result of this operation includes a server ID; we can check the status of the server with the command nova show server-id. At the beginning the server status is BUILD, which means the server is being built. Run the command until the status changes to ACTIVE; this can take some minutes.
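A small wait loop for the step above, as an added example that is not part of the original post: it wraps the nova show call and polls until the status leaves BUILD, treating ERROR and a timeout as distinct failures so a script does not sit forever on a server that will never come up. It assumes the rackspace-novaclient tool and the exported OS_* variables from the earlier sections; the function names (server_status, wait_for_active) are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): poll "nova show <server-id>"
# until the server leaves BUILD. Assumes the rackspace-novaclient CLI from
# the post is installed and the OS_* variables are exported.

# Extract the "status" row from the nova show table (| status | BUILD |).
server_status() {
    nova show "$1" | awk -F'|' '$2 ~ /^ *status *$/ { gsub(/ /, "", $3); print $3 }'
}

# wait_for_active <server-id> [timeout-seconds] [poll-interval]
# Returns 0 once the server is ACTIVE, 1 if it reports ERROR and
# 2 if the timeout expires. Each observed status is printed for logging.
wait_for_active() {
    local id="$1" timeout="${2:-600}" interval="${3:-10}"
    local waited=0 status
    while [ "$waited" -lt "$timeout" ]; do
        status="$(server_status "$id")"
        echo "$id: $status"
        case "$status" in
            ACTIVE) return 0 ;;
            ERROR)  return 1 ;;
        esac
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 2
}

# Typical use right after "nova boot ...", with a 15 minute limit:
#   wait_for_active <server-id> 900 15 || echo "server did not become ACTIVE"
```

The three return codes let a provisioning script distinguish "keep going", "the build failed, inspect it" and "the cloud is slow, retry later", which a bare loop on ACTIVE cannot do.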

SSH Access

When the server changes its status to ACTIVE you can access it via SSH as the user root, using its public IP:

    ssh root@public-ip -i yourkey.pem

    Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Thu Jan  1 00:00:10 1970
    root@testserver:~# 

Note: this server is insecure by default. If you plan to follow this guide to deploy a production server you must configure the security policies.

Securing your server

Change the root password:

    # passwd

Adding an admin user:

    # adduser admin

Add the user to the sudo group:

    # usermod -a -G sudo admin

Update the system with APT:

    # apt-get update
    # apt-get upgrade

SSH Config

Edit /etc/ssh/sshd_config and change the following values:

    Port 9999
    PermitRootLogin no
    PasswordAuthentication no
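The same three changes applied non-interactively, as an added example that is not part of the original post. The awkward part of editing sshd_config by script is that the stock Debian file carries the defaults commented out (for example #Port 22), so a naive append leaves two conflicting lines and sshd silently keeps the first one; the helper below rewrites an existing line, commented or not, and only appends when the key is absent. File path and port are parameters with the post's values as defaults; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): apply the three sshd_config
# changes from the post to a file non-interactively. Requires GNU sed.

# set_sshd_option <file> <key> <value>
# Replaces every existing "Key value" line (active or commented out, any
# indentation) with the new value, or appends it if the key is absent.
# Keys are matched case-insensitively because sshd ignores keyword case.
# Note: options below a "Match" block belong to that block; this helper
# assumes the global section, as in the post.
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    if grep -qiE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config [file] [port]: the post's three settings in one call.
harden_sshd_config() {
    local file="${1:-/etc/ssh/sshd_config}" port="${2:-9999}"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
}

# effective_value <file> <key>: the first active setting for a key, which is
# the one sshd uses; handy to confirm the edit before restarting the daemon.
effective_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# Typical use on the server (as root). sshd -t validates the file first, so a
# typo cannot leave you locked out with a daemon that refuses to start:
#   harden_sshd_config && sshd -t && service ssh restart
```

Keep the existing SSH session open until a second connection on the new port succeeds, and open that port in the firewall (next section) before restarting sshd; with PasswordAuthentication off, the key from the keypair step is the only way back in.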

Firewall config

By default, all ports are open on Debian systems; you can verify that with the iptables command:

    admin@testserver:~$ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination  

Grant access to the SSH port:

    sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -I INPUT -p tcp --dport 9999 -m state --state NEW,ESTABLISHED -j ACCEPT

Grant HTTP (port 80) access:

    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Reject any other external traffic:

    sudo iptables -A INPUT -j DROP

Allow internal (loopback) traffic:

    sudo iptables -I INPUT 1 -i lo -j ACCEPT

Verify iptables config:

    admin@testserver:~$ sudo iptables -L -v
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination         
       15  1148 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:9999 state NEW,ESTABLISHED
        6   568 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:9999 state NEW,ESTABLISHED
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
        1    44 DROP       all  --  any    any     anywhere             anywhere            

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         

    Chain OUTPUT (policy ACCEPT 3 packets, 348 bytes)
     pkts bytes target     prot opt in     out     source               destination

Save your rules to the file /etc/iptables.rules:

    # iptables-save > /etc/iptables.rules
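An alternative way to produce that file, as an added example that is not part of the original post: render the same INPUT policy directly in iptables-restore format and load it with iptables-restore, the command the post already uses at boot. Loading a file replaces the whole table, so it is idempotent, whereas typing iptables -I by hand a second time adds a second copy of the rule (the verification output above lists the port 9999 rule twice, which is typically the result of exactly that). The SSH port and the public TCP ports are parameters with the post's values as defaults; the function names and the check are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): render the post's INPUT policy
# as an iptables-restore file instead of running iptables commands one by one.

# render_rules <ssh-port> [public-tcp-port ...]
# Prints an iptables-restore ruleset for the filter table on stdout, in the
# order the post ends up with: loopback, established, SSH, public ports, DROP.
render_rules() {
    local ssh_port="$1"; shift
    local port
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic first, as in the post (iptables -I INPUT 1 -i lo)
-A INPUT -i lo -j ACCEPT
# replies to connections the server opened itself (apt-get, DNS, ...)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the relocated SSH port
-A INPUT -p tcp --dport ${ssh_port} -m state --state NEW,ESTABLISHED -j ACCEPT
EOF
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$port"
    done
    cat <<'EOF'
# everything else from outside is dropped, as in the post
-A INPUT -j DROP
COMMIT
EOF
}

# check_rules <ssh-port> <ruleset-text>
# Lockout guard to run before loading: exactly one DROP rule, and the SSH
# accept rule must appear before it (rules are evaluated top to bottom).
check_rules() {
    local ssh_port="$1" rules="$2"
    local accept_line drop_line
    [ "$(printf '%s\n' "$rules" | grep -c -- '-j DROP')" -eq 1 ] || return 1
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "--dport ${ssh_port} " | head -1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j DROP' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Typical use on the server (as root), writing the same file the post saves:
#   rules=$(render_rules 9999 80)
#   check_rules 9999 "$rules" && printf '%s\n' "$rules" > /etc/iptables.rules \
#       && iptables-restore < /etc/iptables.rules
```

Because the file is the source of truth, the if-pre-up.d script below reloads exactly what was reviewed, and a change to the policy is a change to the file rather than a sequence of commands that must be replayed in the right order.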

Edit or create the file /etc/network/if-pre-up.d/iptaload so that the rules are applied at server start-up, and add the following lines:

    #!/bin/sh
    iptables-restore < /etc/iptables.rules
    exit 0

Make the file executable:

    sudo chmod +x /etc/network/if-pre-up.d/iptaload

Restart the server and verify the configuration with sudo iptables -L.

References