All posts by Jack Kozik

Openstack Kilo on home network – part 2

In my previous post, I outlined the steps followed to install OpenStack Kilo on CENTOS7.  In this post I show the steps to setup networking, routing, and spinning up a couple of test instances.

Create Networks

In this section, I list the steps to create two OpenStack networks:

  1. Homelan. This network connects the OpenStack VMs to an external network, which in my case is my home LAN.
  2. Tenant.  This network connects the OpenStack VMs internally.

From the root login,  run the following neutron commands:

Create network homelan-net, subnet homelan-subnet

My OpenStack Kilo server sits in my home network,  The server is .154 and gateway .162.  The homelan-net network gateways to my home LAN and through my cable modem, to the internet.   The virtual machines that sit inside the OpenStack cloud on a different network and will map their IP addresses to one of the IP addresses in the allocation pool .70 thru .99.  This mapping is assigned one at a time as the VMs are created.

# source keystonerc_admin
# neutron net-create homelan-net --router:external
# neutron subnet-create homelan-net \
   --name homelan-subnet \
   --allocation-pool start=,end= \
   --disable-dhcp --gateway
Create network tenant-net, subnet tenant-subnet

The neutron commands below create a tentant-net that has a DHCP-based address pool  in the address block.  Virtual machines will be created  with an address from this DHCP address pool.

# neutron net-create tenant-net
# neutron subnet-create tenant-net \
    --name tenant-subnet --gateway --dns-nameservers list=true\

Verify the setup by going to the OpenStack  dashboard. It displays the networks:



Create Router

After creating the networks, connect them together through a router, using the following neutron commands:

# neutron router-create router1
# neutron router-interface-add router1 tenant-subnet
# neutron router-gateway-set router1 homelan-net

The router setup can be verified at the OpenStack dashboard:



The OpenStack Dashboard displays the same thing, but graphically.



The tenant-net is where the instances will connect.  Let’s bring up two.

Spin-up Cirros Instance

WIth the networks and router setup, we have the base for spinning up the default image supplied with the packstack installation.

Cirros is a barebones linux distribution well-suited for verifying OpenStack installations.

You can see the cirros image in the OpenStack dashboard:



To spin-up cirros, first setup a key-pair and some access control rules:

# nova keypair-add 080315-key > 080315-key.key
# chmod 600 080315-key.key
# nova keypair-list
| Name       | Fingerprint                                     |
| 080315-key | c9:02:a4:18:f5:32:f4:3c:64:5a:0e:e1:5e:be:f8:39 |
# nova secgroup-add-rule default icmp -1 -1
# nova secgroup-add-rule default tcp 22 22
# nova secgroup-add-rule default tcp 80 80


Now use the nova command to boot-up a cirros instance.  The nova command needs to know the id of the tenant-net.  I can get this with the neutron net-list command.

# neutron net-list
| id                                   | name        | subnets                                               |
| f8f04abf-dcba-46b7-9094-910e58530f0f | tenant-net  | 4a626740-7a14-443a-873d-d490132bbe10      |
| dbc40c3e-0175-4774-8b63-20896990c806 | homelan-net | 81f1eb33-0265-4d23-b668-d69b7a29c4b1 |

# nova boot --flavor m1.tiny --image cirros 
       --nic net-id=f8f04abf-dcba-46b7-9094-910e58530f0f   
       --security-group default --key-name 080315-key cirros081315

The new image, named  cirros081315, interfaces to the tenant-net network; it is allocated a DHCP-based address from the pool.  The virtual machine needs to have it’s IP address mapped through the router to a floating IP address on  the homelan interface of the router.

The following commands allocates a floating IP address,  then the IP address gets associated with the cirros instance.

# neutron floatingip-create homelan-net
Created a new floatingip:
| Field               | Value                                |
| fixed_ip_address    |                                      |
| floating_ip_address |                       |
| floating_network_id | dbc40c3e-0175-4774-8b63-20896990c806 |
| id                  | f104ccad-7227-4bc8-8bc5-e74a9656cfd5 |
| port_id             |                                      |
| router_id           |                                      |
| status              | DOWN                                 |
| tenant_id           | 0487893a0cdb4ac18c8837f9e7e177ab     |
# nova floating-ip-associate cirros081315

The new instance can be found in the OpenStack dashboard:



Login to the instance using the following:

ssh -i 080315-key.key [email protected]

Verify that  pings to  the internet work, verify ssh to other servers on the homelan. If you get this far, things are in pretty good shape.

Spin-up a Fedora instance

With cirros working, I want to verify that I can import my usual image and spin it up.    And, I haven’t used Fedora 22 yet and this will give me a chance to see what’s changed.

The following commands imports a Fedora image, spins it up into instance, then using a floating IP address, maps the instance to my home LAN.

# glance image-list
| ID                                   | Name                   |
| 571a3d1f-afce-4e8b-b180-acf11903ada2 | cirros                 |
| e6c70bd3-dd5c-4687-ba5f-2bf6c6196b22 | Fedora 22 Cloud x86_64 |

# nova boot --flavor m1.small --image "Fedora 22 Cloud x86_64" \
  --nic net-id=f8f04abf-dcba-46b7-9094-910e58530f0f \  
  --security-group default \
  --key-name 080315-key fedora22080315
# neutron floatingip-create homelan-net
Created a new floatingip:
| Field               | Value                                |
| fixed_ip_address    |                                      |
| floating_ip_address |                       |
| floating_network_id | dbc40c3e-0175-4774-8b63-20896990c806 |
| id                  | d23783fe-18bc-44b8-9ba6-299c7917046c |
| port_id             |                                      |
| router_id           |                                      |
| status              | DOWN                                 |
| tenant_id           | 0487893a0cdb4ac18c8837f9e7e177ab     |
# nova floating-ip-associate fedora22080315

Note that this new Fedora instance uses the same key-name and net-id as the cirros instance.  Login to the instance and verify connectivity:

# ssh -i 080315-key.key [email protected]
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is 1a:60:ef:e1:9b:f1:78:72:61:47:01:54:ab:21:6e:5d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
$ ping
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=47 time=107 ms
64 bytes from ( icmp_seq=2 ttl=47 time=135 ms
64 bytes from ( icmp_seq=3 ttl=47 time=120 ms

The OpenStack dashboard screen caps below show the Fedora and Cirros instances:

Projects->Network->Network Topology

Web Server on Fedora 22

Just to confirm end-to-end networking, the following steps setup a web server on the Fedora 22 instance.  Continuing from the Fedora ssh session above, run the following:

$ sudo su -
# yum groupinstall "Web Server"
# systemctl enable httpd.service
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/httpd.service.
# systemctl start  httpd.service

The IP address for the Fedora instance is .72.  Go to another PC on the homelan and verify that the newly installed web server works. The default apache test page looks like the following:



In my write-up here, I setup the networks, router, image, and instances using OpenStack command lines.  In past installations, I used the OpenStack dashboard.  This time around I took the extra effort to learn the command lines.   I would say that the web interface was easier and probably what I will use going forward.

For my records, and the potential benefit of others, here’s the entire sequence of commands all in one big gist:



OpenStack Kilo on CENTOS7 using packstack on home server

I have a home network server (with one NIC) that I dedicate to OpenStack testing. It is time for me to migrate to OpenStack Kilo on CENTOS7. As with my previous OpenStack setup, I am using the RDO community’s packstack tool. This note logs my experience, for my notes, and the potential benefit of others.

I generally followed the RDO Quickstart instructions, so chapeau to the community for laying out the steps for me.

CENTOS7 with Static IP.

Centos7logo072215I picked CENTOS7 and did a bare-metal install usinga DVD I burned from the iso image named CentOS-7-x86_64-LiveKDE-1503.  I installed new disk partitions, reformatting my drives.

As I learned from previous packstack installs, the networking needs to be configured with a static IP address. This can be done at CENTOS7 install time.  Look for the “Networking & Hosts” button. Click it. On the next screen, there will be an icon at the bottom right; click it and edit the interface: change it from DHCP to manual.

The following screen cap from CENTOS7 install gives  an idea of what I did.



My passed Fedora/Centos install experience is to let the default DHCP networking  get installed, then manually change things to static IP address. Not this time; here, I found setting the static IP at install time was easier for me.

Setup network, ssh, hosts and selinux

/etc/hosts and hostname

The packstack scripts need the hosts file and the hostname setup correctly.

# hostnamectl set-hostname kozik4.lan
# vi /etc/hostname
# vi /etc/hosts kozik4.lan kozik4 localhost.localdomain localhost kozik4.lan kozik4


I turn SELinux to permissive mode ; edit a line in SElinux config file:

# setenforce permissive
# vi /etc/selinux/config

sshd for root login

OpenStack’s install script requires root access for ssh login. To setup ssh:

# vi /etc/ssh/sshd_config
PermitRootLogin yes
# systemctl  enable sshd.service
# systemctl  start sshd.service

When done with the install, I will turned off root login access.

Network Manager

Following the RDO Quickstart guide, turn off NetworkManager and turn on network

# systemctl stop NetworkManager.service
# systemctl disable NetworkManager.service
# systemctl enable network.service
# systemctl start network.service

Then reboot. Make sure basic networking is running. Verify ssh for root login works.  Use another PC on the same LAN and verify ssh into the server works.

Install OpenStack Kilo on CENTOS7

In the root login, run the following steps. Make sure each one runs successfully before starting the next.

# yum update -y
# yum install -y
# yum install -y openstack-packstack

At this point, I insert a work around that is specific to my setup. This particular CENTOS7 distribution pulls in mariaDB as part of KDE. I found that this created a conflict with the packstack scripts. As I documented in a previous post, uninstall mariaDB as follows.

# yum remove mariadb-server

Run packstack

Now run the main install script, packstack. Note, I am adding orchestration in addition to the default install.

# packstack --allinone --os-heat-install=y

Note that this last step is the big installation step. It runs for a long time, and if it fails, it will give detailed error messages and pointers to log files. If you run into troubles, apply workarounds and to re-try, run packstack with an answer file, as follows:

# packstack  --answer-file=packstack-answers-20150704-200908.txt

Assuming the packstack install works, verify the basic dashboard works by bringing-up the login screen. For my home server,


Setup Bridging

In order for the OpenStack VM to network with my home lan, I needed to get bridging setup. First, I made the br-ex bridge points to the IP address/gateway that I originally setup for the NIC (in CENTOS7, the NIC is assigned a name enp3s0).

I edited ifcfg-br-ex as follows:

# vi /etc/sysconfig/network-scripts/ifcfg-br-ex

By default, the NIC (enp3s0) has the external IP address and gateway. Since we moved that to the external bridge, we need to make the NIC card look like a member of the bridge. I edited the ifcfg-enp3s0 as follows:

# vi /etc/sysconfig/network-scripts/ifcfg-enp3s0

At this point, I rebooted. When done, check everything. Verify ping to the Internet, verify the same, inbound. Verify ssh, both inbound and outbound.

For reference, I record my network setup here:

[root@kozik4 ~]# ifconfig
br-ex: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::4216:7eff:feb1:64cd  prefixlen 64  scopeid 0x20
        ether 40:16:7e:b1:64:cd  txqueuelen 0  (Ethernet)
        RX packets 142320  bytes 27075628 (25.8 MiB)
        RX errors 0  dropped 15257  overruns 0  frame 0
        TX packets 3632  bytes 1435026 (1.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::4216:7eff:feb1:64cd  prefixlen 64  scopeid 0x20
        ether 40:16:7e:b1:64:cd  txqueuelen 1000  (Ethernet)
        RX packets 149724  bytes 27519634 (26.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4016  bytes 1460686 (1.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet  netmask
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 0  (Local Loopback)
        RX packets 2627327  bytes 289453679 (276.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2627327  bytes 289453679 (276.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# ip route show
default via dev br-ex dev enp3s0  scope link  metric 1002 dev br-ex  scope link  metric 1004 dev br-ex  proto kernel  scope link  src

OpenStack Dashboard

openstack-cloud-softwareThe dashboard is found at The User Name is admin, the password for the dashboard is found in the /root/keystone_admin file. By default, I was able to access the dashboard from any PC on my home lan. For access from outside of my home LAN, I setup a NAT mapping in my home gateway, but I had to setup an alias in the OpenStack horizon apache configuration.

# vi /etc/httpd/conf.d/15-horizon_vhost.conf
ServerName kozik4.lan
ServerAlias # Add this line
# systemctl restart httpd.service

The name is a sub-domain name that I own, where I map it to the Internet routable IP address my ISP gives me. Verifiy that works.

Once  logged in,  the dashboard shows the network setup that packstack installs for us by default.  It sets up a private and public networks IP addresses that don’t match my needs.  So I need to clear this out.   The way OpenStack works, you cannot delete everything in one hammer-style step; you need to disassemble the networking one step at a time.

First, you need to delete the router, then delete the networks.

Remove the packstack default router and networks

Delete the pre-installed router

This step deletes the default router that packstack setup for us. The dashboard gives a nice GUI to do this.  Navigate to Admin->Routers.


Before we can delete router1, we need to delete its interfaces.  Click on “router1″

AdminRouterDetails072215Using he GUI, we can delete these two interfaces, and then we can delete the router.

But for my own education and the potential automation of future installs, I figured out how to do this with  OpenStack command line scripts.  The easiest way to display this is to screen scrape my putty commands and insert it inline below:

Go back to the dashboard Admin->Routers page, verify that the router has been cleared. I know, the command line steps are alot more difficult than clicking the “Delete Router” button, but this is how I learn.


Delete Pre-Installed Networks

From the dashboard Admin->Networks. We want to delete the two networks packstack setup for us. In packstack (OpenStack?) terminology, the private network is the range of IP addresses used by the virtual machines used by the admin project within this OpenStack installation. The public network maps to the interface that routes packets to outside networks… in this case, the public network will eventually be assigned addresses that fit within my home lan (not Internet addressable IP address).

The Networks dashboard shows two networks. I want to remove them. It turns out you need to click on each of the networks and delete the subnets attached to the network.  On the dash board it is pretty easy to do.



Here’s the command lines that will delete these two networks.  Note, again, I typed the commands into my putty screen, and scraped them and inserted them inline below.

Verify that the Networks are gone in the dashboard.



Ok, to this point we have a clean slate ready to bring in images, spin up instances, and network them together.