Monthly Archives: August 2014


Openstack Icehouse on home network – part 2

In my previous post titled OpenStack Icehouse on Fedora 20 using packstack on home PC, I list the steps I followed to install Openstack Icehouse on home network.  This was mostly working from the command line of the Openstack PC.

This posting is part 2.  With the installation from part 1, I can now use the Openstack Dashboard.  It is a nice web interface that contains straightforward menus.  In the sections below, I will show screen captures from a web browser connected to the Dashboard; I will also show some command line text from a putty window.

This writeup will show steps for setting up a public subnet that links Openstack to my home network and setting up a private subnet for my guest instances to use.  Then I will show how to create an instance using the bare-bones cirros image.  And finally, I’ll install into the image repository a Fedora 20 cloud image and spin it up with a basic web server.


Since Openstack and the Openstack Dashboard are new to me,  I do all of this with the generous help of the references listed below, especially recognizing Seth Jenning’s excellent  Openstack Icehouse on Fedora 20 using RDO video.

Create a public network.

Starting with the Openstack Dashboard, logged in as admin, create a public network.  My home network is  The IP address is the address of my home router, gateway to the internet. My Openstack Icehouse host is  And Openstack needs a subnet, referred to as public, that sits in this address range.

The naming convention of calling the network public started with the packstack install scripts.  In the context of Openstack, this network is the one with a gateway to the internet and thus it is referred to as public, even though we know the internet defines 192.168.x.x IP addresses as private.

Openstack Dashboard Menu: Admin->Networks->Create Network


Openstack Dashboard Menu: Admin->Networks->public->Create Subnet


Openstack Dashboard Menu: Admin->Networks->public->Create Subnet 2


Create a private subnet

Next, create a subnet that is private to the Openstack host.  The addresses must be different from the public_subnet.  These addresses will never leave the Openstack host and its underlying Open vSwitch network address space.   The references use as the network and as the gateway address — and that’s what I use below.  Further, the guest instances each need to be given an IP address, and, address are what I choose to be the range for a DHCP address pool.

Openstack Dashboard Menu: Project->Network->Network Topology->Create Network — “private”


Openstack Dashboard Menu: Project->Network->Network Topology->Create Network->Subnet


Openstack Dashboard Menu: Project->Network->Network Topology->Create Network->Subnet Details


Create a router

Ok, there’s a public and a private subnet defined.  Openstack Dashboard has a really simple way to connect them together with a router function.  Create a router, define a default gateway and then add interfaces to private subnets.

Openstack Dashboard Menu: Projects->Network Topology->Create Router


Openstack Dashboard Menu: Project->Routers->Set Gateway


Openstack Dashboard Menu: Project->Routers->router->Add Interface


Verify Network Topology

All the steps up to this point were building a network through which virtual machines connect to the home LAN.  Open the Dashboard page below to see the two subnets connected to a router.  The public subnet is on the home LAN.  The private subnet is the address space where the guest instances will connect.

Openstack Dashboard Menu: Project->Network Topology


Setup Security Group Rules

The references suggest that for trial/learning purposes, the Security Group Rules should be wide open.  The idea is while learning the technology, the security settings can obscure basic setup issues.  In the long run, this needs to be managed more carefully.

First, remove the default rules that packstack set up, then install rules that permit incoming and outgoing TCP/UDP/ICMP — all ports.

Openstack Dashboard Menu: Project->Compute->Access and Security->default

Delete all the default rules and rebuild the rules so that the Security Group Rules table looks as follows:
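
Once the setup works, the wide-open rules are the ones to find and narrow again. The following is an added example, not code from the original post or from OpenStack: it audits rules held as dicts shaped like Neutron security-group-rule objects and builds a narrower set for the two services this walkthrough uses (ssh and a web server). The sample rules, ids, the group name `sg-web` and the CIDR `198.51.100.0/24` are constructed placeholders.

```python
import ipaddress

def _rule(rid, direction, proto, lo, hi, cidr=None, group=None):
    """Build a dict shaped like a Neutron security-group-rule object."""
    return {"id": rid, "direction": direction, "ethertype": "IPv4",
            "protocol": proto, "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": cidr, "remote_group_id": group}

# Constructed sample; ids, group name and CIDRs are illustrative only.
SAMPLE_RULES = [
    _rule("r1", "ingress", "tcp", 1, 65535, "0.0.0.0/0"),       # all TCP ports
    _rule("r2", "ingress", "udp", 1, 65535, "0.0.0.0/0"),       # all UDP ports
    _rule("r3", "ingress", "icmp", None, None, "0.0.0.0/0"),    # every ICMP type
    _rule("r4", "egress", None, None, None),                    # outbound, any
    _rule("r5", "ingress", "tcp", 22, 22, "198.51.100.0/24"),   # SSH, one subnet
    _rule("r6", "ingress", "tcp", 80, 80, "0.0.0.0/0"),         # one public port
    _rule("r7", "ingress", "tcp", None, None, group="sg-web"),  # group-scoped
]

def from_anywhere(rule):
    """True when no remote group is named and the CIDR covers every address."""
    if rule.get("remote_group_id"):
        return False
    cidr = rule.get("remote_ip_prefix")
    return cidr is None or ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def port_span(rule):
    """Ports covered by a TCP/UDP rule; an unset range means all of them."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    return 65535 if lo is None or hi is None else hi - lo + 1

def audit(rules, max_span=16):
    """Return (id, reason) for ingress rules open to any source that are not
    limited to a small port range."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress" or not from_anywhere(r):
            continue
        proto = r.get("protocol")
        if proto is None:
            findings.append((r["id"], "any protocol from any source"))
        elif proto == "icmp" and r.get("port_range_min") is None:
            findings.append((r["id"], "all ICMP types from any source"))
        elif proto in ("tcp", "udp") and port_span(r) > max_span:
            findings.append((r["id"], "%d %s ports from any source"
                             % (port_span(r), proto)))
    return findings

def narrowed(lan_cidr, tcp_ports=(22, 80)):
    """Replacement ingress rules: the listed TCP ports plus ICMP echo request,
    reachable only from lan_cidr."""
    rules = [_rule("tcp-%d" % p, "ingress", "tcp", p, p, lan_cidr)
             for p in tcp_ports]
    # For ICMP, Neutron stores the type in port_range_min and the code in
    # port_range_max: type 8, code 0 is echo request.
    rules.append(_rule("icmp-echo", "ingress", "icmp", 8, 0, lan_cidr))
    return rules

if __name__ == "__main__":
    for rid, reason in audit(SAMPLE_RULES):
        print(rid, reason)
    print(audit(narrowed("198.51.100.0/24")))
```

The three wide-open ingress rules are reported, while the single-port, subnet-scoped and group-scoped rules pass.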


Setup an ssh key pair

Using the normal ssh tools, make an ssh public and private key pair.  The Openstack Dashboard lets you cut / paste your own public key into the project.  The instances that get created will have the public key pre-installed.  To access instances that Openstack creates, use the private key as an option in an ssh command line.

Go to the root login of the Openstack host.  At the command prompt, create a key and copy the public key into the clipboard.

[root@kozik4 ~]# ssh-keygen -t rsa -f cloud.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in cloud.key.
Your public key has been saved in
The key fingerprint is:
36:37:4d:d3:5b:82:45:53:48:98:24:00:8b:0b:3b:06 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|      .......==o.|
|     . .   .o+.. |
|E . . .     + o .|
| . o .     o . + |
|  + .   S o . .  |
| . .   . o .     |
|                 |
|                 |
|                 |
[root@kozik4 ~]# ls
anaconda-ks.cfg  ifconfig5.out         packstack-answers-20140803-201418.txt
cloud.key        installpackstack.log  packstack.log    keystonerc_admin      rdorelease.log
ifconfig1.out    keystonerc_demo       runpackstack.log
ifconfig2.out    ovs1.out              yumupdate.log
ifconfig3.out    ovs2.out
ifconfig4.out    ovs3.out
[root@kozik4 ~]# cat
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDijKn/k5ejNii3SaNugO75Njz1LQHyDDwI5blZO4+CZTRL/O/8czffrUUfK8+j3QjAx7MByNJVkj8YCGtOAYv5wCFEhzkRhqNNJlH235L++QV6ai/XPD7b0VcqhCjQTkDIfyBMp7fZO+D0BGdvTjBiQXIJdZLqZWV2j9qH8EHHS55OlOXpAAcMHvRRgWFtMdn5YSLUcq8X5HRtvfesLL7quJmNDc8/rS6mhmL/NFU56r+SJpHvr7N59U7ywNejLgFp6hfz4zZw3nWDH9y+by1zdWbNfATIO362SRue+FvuF060ss4Ciesuqw5v3tJMeyq9JM41lu8fQaIeBqoJTB43 [email protected]
[root@kozik4 ~]#

In a putty screen like the above example, select the text output from the ‘cat’ command and paste into the Openstack Dashboard as follows.

Openstack Dashboard Menu: Project->Access & Security->Key Pairs->Import Key Pair


Launch Test Instance ‘cirros’ and assign floating IP

To help verify that the Openstack packstack installed correctly, spin up the barebones cirros image.  This image is a really small linux distribution.  I’ve never heard of cirros, but I get the purpose of it.  My initial setup had troubles, and cirros helped me troubleshoot basic setup problems.  I was glad the initial install pulled it in.

The following steps start up an instance, link it to the private subnet, and map the private IP address of the instance to a floating IP address on the public subnet.  Floating IP addresses were new to me, and it wasn’t obvious how they should be used, at first.  I think of it as a generalized NATing function, that lets me hide my home network topology from the Openstack instances.

Openstack Dashboard Menu: Project->Images->Launch->Details


Connect the instance to the private subnet.  Note: the web page below requires you to drag the private line and drop it into the Selected Networks cyan-colored bar.

Openstack Dashboard Menu: Project->Images->Launch->Networking


Verify the test instance is running:

Openstack Dashboard Menu: Project->Instances


Allocate a Floating IP address

Openstack Dashboard Menu: Projects->Access & Security->Floating IPs->Allocate IP to Project


Associate the instance’s private IP address to an IP address on the public subnet.

Openstack Dashboard Menu: Project->Access & Security->Floating IP->Associate


Verify that the instance has two IP addresses and is running ok.

Openstack Dashboard Menu: Project->Instance


Go back to the host putty prompt (root login, home directory).  Verify that we can setup an ssh connection to the new instance. The default login id is cirros. The Instances web page above tells us to use the

# ssh -i cloud.key [email protected]
The authenticity of host ' (' can't be established.
RSA key fingerprint is 34:51:4c:22:c3:67:d3:47:38:83:c2:ee:55:0f:4b:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.

$ ifconfig
eth0      Link encap:Ethernet  HWaddr FA:16:3E:62:7D:36
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::f816:3eff:fe62:7d36/64 Scope:Link

lo        Link encap:Local Loopback
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

$ ping
PING ( 56 data bytes
64 bytes from seq=0 ttl=47 time=49.484 ms
64 bytes from seq=1 ttl=47 time=121.366 ms
64 bytes from seq=2 ttl=47 time=81.164 ms

Note: the ifconfig shows that the instance only knows about the private_subnet address Also, an important test to verify: check that the instance can access the internet, I used ping

Create a Fedora 20 instance

The cirros instance installation steps above helped to verify that basic functionality worked.  But cirros is not a linux distribution I want to use; I want to use the latest version of Fedora.  In this section I repeat some of the steps from the previous section to get a Fedora 20 instance started.  There’s enough different here that I wanted to document it.

From the Fedora In the Cloud web page, right click the 64-bit qcow2 image and “Copy Link Address.”  The Images page has an option to import new images using a URL.


Create an image from this URL:

Openstack Dashboard Menu: Project->Create Image


Following the same steps as the cirros image, launch the Fedora 20 image.

Openstack Dashboard Menu: Project->Instance->Launch Instance


Be sure to click the Networking tab and select private subnet, then click on Launch.

Once the instance is running, allocate a Floating IP.  Go to the Projects->Access & Security->Floating IP menu. First run Allocate IP to Project then Manage Floating IP Associations for the Fedora 20 instance… just like we did for the cirros instance.

The Instance Dashboard page now shows 2 instances.

Openstack Dashboard Menu: Project->Instance


And the Network Topology page gives a nice picture of how everything is wired together.

Openstack Dashboard Menu:  Project->Network->Network Topology


So, just like with cirros, go to the Openstack host root login prompt and ssh to the Fedora instance.  The Instance page above shows as the IP address.

# ssh -i cloud.key [email protected]
The authenticity of host ' (' can't be established.
RSA key fingerprint is 2e:b3:7b:6b:06:43:cf:d5:95:95:49:38:5f:ab:20:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
[fedora@fedora-20 ~]$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::f816:3eff:fe9b:baf5  prefixlen 64  scopeid 0x20
        ether fa:16:3e:9b:ba:f5  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet  netmask
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 0  (Local Loopback)

[fedora@fedora-20 ~]$ ping
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=49 time=1         06 ms
64 bytes from ( icmp_seq=2 ttl=49 time=1         56 ms
64 bytes from ( icmp_seq=3 ttl=49 time=1         02 ms

Note:  the Fedora guest instance only knows the private address  The default login id, fedora, has sudo permissions and access to the root login is done with a ‘sudo su -’ command. It is important also to verify that it can talk to the outside world, and thus verify that ping works.

To further test my Fedora 20 instance, I switched over to the Fedora 20 instance root login and installed apache:

[fedora@fedora-20 ~]$ sudo su -
[root@fedora-20 ~]# yum groupinstall "Web Server"
[root@fedora-20 ~]# systemctl enable httpd.service
[root@fedora-20 ~]# systemctl start  httpd.service

From here, I go to another PC in my home network and verify that the default web server works.




OpenStack Icehouse on Fedora 20 using packstack on home PC

Inspired by the RDO quickstart howto page, I record here the steps I followed to setup OpenStack Icehouse on Fedora 20 on my home server.

Install Fedora 20

I have been using Fedora/Redhat for years, but the most recent install I did was Fedora 16, so I am a little out of date with the new processes and procedures. For me, my first step was to go to the Fedora distribution page and download an ISO to make an install DVD (I selected the Fedora 20 Desktop Edition Live Media).

My hardware was brand new, and I installed Fedora 20 onto a 2T RAID Intel PC box. I let the Fedora installer format my disks to the default settings. I configured a login and timezone and let the install run. Everything worked the first time.

The next couple of steps I follow by sitting in front of the console for my PC. I usually do everything through ssh and/or VNC, but for Openstack setup, I stayed at the console.

Prep for Openstack Icehouse on Fedora 20: Static IP, /etc/hosts, sshd, NetworkManager

Static IP Address

The Fedora install configures the host  to use DHCP to get the initial IP address. The host needs a static IP for Openstack setup to work.  The default  network-scripts for the main host interface are easily edited. For my install, the  interface is named p2p1 (in the old days this would be named eth0).

Configure the ifcfg-p2p1 script to look something like the following:

# vi /etc/sysconfig/network-scripts/ifcfg-p2p1

Note: the host’s IP address and its gateway IP address are inside my private IP address range ( I will use these addresses throughout my write-up.

Before I reboot, I want to change a couple of other host configurations.

/etc/hosts and hostname

It turns out the hostname must be set up right or the packstack script will get stuck.

# hostname kozik4.lan
# vi /etc/hostname
# vi /etc/hosts kozik4.lan kozik4 localhost.localdomain localhost kozik4.lan kozik4

Note: .lan is my home network private domain name. I don’t share .lan publicly.


I turn off SELinux; edit a line in the SELinux config file:

# setenforce permissive
# vi /etc/selinux/config

sshd for root

Openstack’s install script requires root access for ssh login. To set up ssh:

# vi /etc/ssh/sshd_config
PermitRootLogin yes
# systemctl  enable sshd.service
# systemctl  start sshd.service

firewalld and NetworkManager

Disable firewalld and NetworkManager as recommended in several of the references.

systemctl disable firewalld

systemctl stop NetworkManager.service
systemctl disable NetworkManager.service
systemctl enable network.service
systemctl start network.service

From here,  reboot. Everything should come back ok. Nothing really changed except switching from dynamic to static IP addressing.  Verify from another PC that ssh [email protected] works. Verify that ping works.

For reference, ifconfig looks like this:

# ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet  netmask
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 0  (Local Loopback)

p2p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::4216:7eff:feb1:64cd  prefixlen 64  scopeid 0x20
        ether 40:16:7e:b1:64:cd  txqueuelen 1000  (Ethernet)

Install/update Openstack software


From the host’s root login at /root, run each of the following yum installs, one at a time, verifying that they complete successfully.

yum update -y
yum install -y
yum install -y openstack-packstack 
packstack --allinone --provision-all-in-one-ovs-bridge=n

The last install is the big one.  The packstack script is what puts OpenStack Icehouse on Fedora 20; it will take a while to run.

It took me a couple of tries to get the last step to work. The hostname must cleanly resolve for the packstack script to work. Further, the packstack script runs ssh [email protected]. If this is not set up right, packstack will fail. Note: the packstack script prompts you for your root password.

Setup Open vSwitch Bridging

Once done, the packstack script sets up an Open vSwitch network as summarized here.

# ifconfig
br-ex: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::3442:c4ff:fe5c:874b  prefixlen 64  scopeid 0x20
        ether 36:42:c4:5c:87:4b  txqueuelen 0  (Ethernet)

br-int: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::a817:aff:fee8:934c  prefixlen 64  scopeid 0x20
        ether aa:17:0a:e8:93:4c  txqueuelen 0  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet  netmask
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 0  (Local Loopback)

p2p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::4216:7eff:feb1:64cd  prefixlen 64  scopeid 0x20
        ether 40:16:7e:b1:64:cd  txqueuelen 1000  (Ethernet)

It turns out that this setup does not connect with the outside world — the default install scripts don’t have a place for me to tell it my home network setup (that I know of). The br-ex needs to connect to the outside world and p2p1 needs to connect to br-ex.

There’s some discussion in the RDO community to make it easier for novices like me to connect the packstack install to a home network’s subnet. But for now, there are a few simple steps to follow to get the PC’s main interface to connect to the Open vSwitch infrastructure set up by packstack.

For starters, connect the external bridge (named br-ex) to the home network,  by editing the br-ex config file that packstack creates:

# vi /etc/sysconfig/network-scripts/ifcfg-br-ex

Note: the br-ex bridge has the IP address and GATEWAY address that I would normally use to access the PC.

And, the host’s interface p2p1 needs to be updated to become Open vSwitch aware, editing the ifcfg-p2p1 file to look like the following:

# vi /etc/sysconfig/network-scripts/ifcfg-p2p1

And one more thing, the openstack dashboard access is limited to localhost only.  Remove this access control, for now.

# vi /etc/openstack-dashboard/local_settings
#ALLOWED_HOSTS = ['', 'kozik4.lan', 'localhost', ]
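
The install steps above relax three host settings: root ssh login, SELinux mode, and the dashboard's ALLOWED_HOSTS. The following is an added example, not part of the original post, that reads the three files' contents and reports which relaxed settings are still in place. The file contents are constructed to mirror the edits described here; the `SELINUX=permissive` line is an assumption, since the post does not show the edited config line.

```python
import ast

# Constructed file contents reflecting the edits the post describes.
SSHD_CONFIG = """\
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
"""
# Assumption: the post does not show which value was written to this file.
SELINUX_CONFIG = "# constructed sample\nSELINUX=permissive\nSELINUXTYPE=targeted\n"
LOCAL_SETTINGS = """\
DEBUG = False
#ALLOWED_HOSTS = ['', 'kozik4.lan', 'localhost', ]
"""

def sshd_option(text, name):
    """First uncommented value of an sshd_config keyword. sshd uses the first
    value it obtains for each keyword; Match blocks are not handled here."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip().lower()
    return None

def selinux_mode(text):
    """Value of SELINUX= in /etc/selinux/config, or None when absent."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower()
    return None

def allowed_hosts(text):
    """ALLOWED_HOSTS as assigned in a Django settings file, or None if the
    file never assigns it. Expects the value to be a literal list."""
    value = None
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == "ALLOWED_HOSTS"
                for t in node.targets):
            value = ast.literal_eval(node.value)  # a later assignment overrides
    return value

def audit_host(sshd, selinux, settings):
    """Return one finding per relaxed setting that is still in effect."""
    findings = []
    if sshd_option(sshd, "PermitRootLogin") == "yes":
        findings.append("sshd: PermitRootLogin is yes")
    mode = selinux_mode(selinux)
    if mode != "enforcing":
        findings.append("selinux: configured mode is %s" % mode)
    hosts = allowed_hosts(settings)
    if hosts is None:
        findings.append("dashboard: ALLOWED_HOSTS is not set in local_settings")
    elif "*" in hosts:
        findings.append("dashboard: ALLOWED_HOSTS accepts any Host header")
    return findings

if __name__ == "__main__":
    for finding in audit_host(SSHD_CONFIG, SELINUX_CONFIG, LOCAL_SETTINGS):
        print(finding)
```

On a real host, pass the contents of /etc/ssh/sshd_config, /etc/selinux/config and /etc/openstack-dashboard/local_settings instead of the samples.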

From here, reboot. When the computer comes back up,  verify that basic network looks good. Here’s what ifconfig looks like:

# ifconfig
br-ex: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::4216:7eff:feb1:64cd  prefixlen 64  scopeid 0x20
        ether 40:16:7e:b1:64:cd  txqueuelen 0  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet  netmask
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 0  (Local Loopback)

p2p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::4216:7eff:feb1:64cd  prefixlen 64  scopeid 0x20
        ether 40:16:7e:b1:64:cd  txqueuelen 1000  (Ethernet)
# ovs-vsctl list-ports br-ex

Above, verify that  the host’s IP address is tied to br-ex and the interface p2p1 shows as a port on br-ex. These look good. Also verify that ssh [email protected] works; then go to another PC and run the same command. Finally, to make sure that the host can route to the internet, ping These basic plumbing tests are needed for the rest of openstack to work, and in my case, it didn’t work the first time, and these basic sanity tests helped me troubleshoot.

A stuck point for me:  when I reached this point one time before, I couldn’t ping  Which was disappointing because everything else worked.  So I ran the following command:

# ip route show
default via dev br-ex  # Verify this line is here!!
dev p2p1  scope link  metric 1002
dev br-ex  scope link  metric 1004
dev br-int  scope link  metric 1005
dev br-ex  proto kernel  scope link  src

Unlike what I list above, the default route didn’t get configured for my host’s network.  I found some helpful notes that suggested manually adding it in (ip route add default via…).  That worked, but what worked better for me was to disable NetworkManager (see steps I list earlier).

As an aside, the ip route show output above works for me, but doesn’t look right.  The lines that begin with shouldn’t be there (I think).  Something is not quite right, but I don’t know if it is worth fixing.  Anyway…

What I get now, is every time I boot, I get a clean network setup, incoming and outgoing.

Ok, once the PC’s network setup is stable after boot,  run the openstack-status script; the script returns a long list of status lines and two key lines indicate a failed status.

# openstack-status
neutron-server:                         failed
rabbitmq-server:                        failed

For whatever reason (probably some fault in my setup steps), rabbitmq and neutron servers failed to start. I saw this issue addressed in the video referenced below; these services are easily restarted as shown below:

systemctl start rabbitmq-server.service
systemctl start neutron-server.service

… everything comes back and the next steps work fine.

Openstack Dashboard

As a last step, go to a web browser and verify that you can login to the openstack dashboard. Once this step works, you should be able to do everything from a web browser or Putty terminal.

The dashboard is found at The User Name is admin; the password for the dashboard is found in the keystonerc_admin file.  Once you can log in, then installing OpenStack Icehouse on Fedora 20 is complete.


Once we are logged in, we need to navigate to the Admin->Routers page and delete the default router that packstack set up for us.  Select all the routers (only one) and then click on the “Delete Routers” button below:


Then we need to go to the Admin->Networks page and delete the networks.  Select all the Networks, then click on the “Delete Networks” button below:


With the demo network and router setup re-initialized,  we have a clean slate that we can build upon.

End of part 1.  I next need to write up the steps to configure OpenStack, including how to load images, create instances, network those instances together, and bridge them to the home network.  In addition, I will write up how to map a “floating IP address” between an instance and my home network.   All for next time.