Block Storage Overview (cinder)
What is Cinder? Cinder is the OpenStack Block Storage service for providing volumes to Nova virtual machines, Ironic bare metal hosts, containers and more. Some of the goals of Cinder are to be/have: For end users As an end user of Cinder, you’ll use Cinder to create and manage volumes using the Horizon user interface, […]
Security Group Rules in CLI
security group rule: A security group rule specifies the network access rules for servers and other resources on the network. Compute v2, Network v2. security group rule create: Create a new security group rule. openstack security group rule create [--extra-property type=<property_type>,name=<property_name>,value=<property_value>] [--remote-ip <ip-address> | --remote-group <group>] [--dst-port <port-range>] [--protocol <protocol>] [--description <description>] [--icmp-type <icmp-type>] [--icmp-code […]
Manage Project Security
Security groups are sets of IP filter rules that are applied to all project instances, which define networking access to the instance. Group rules are project specific; project members can edit the default rules for their group and add new rule sets. All projects have a default security group which is applied to any instance that has […]
Routers
router: A router is a logical component that forwards data packets between networks. It also provides Layer 3 and NAT forwarding to provide external network access for servers on project networks. Network v2. router add port: Add a port to a router. openstack router add port <router> <port>. router: Router to which port will be […]
Role-Based Access Control (RBAC)
The Role-Based Access Control (RBAC) policy framework enables both operators and users to grant access to resources for specific projects. Supported objects for sharing with specific projects Currently, the access that can be granted using this feature is supported by: Sharing an object with specific projects Sharing an object with a specific project is accomplished […]
Volume encryption supported by the key manager
We recommend the Key management service (barbican) for storing encryption keys used by the OpenStack volume encryption feature. It can be enabled by updating cinder.conf and nova.conf. Initial configuration Configuration changes need to be made to any nodes running the cinder-api or nova-compute server. Steps to update cinder-api servers: Update nova-compute servers: Note Use a ‘#’ prefix to comment out the line in this section that […]
Emulated Trusted Platform Module (vTPM)
Enabling vTPM The following are required on each compute host wishing to support the vTPM feature: With the above requirements satisfied, verify vTPM support by inspecting the traits on the compute node’s resource provider: Configuring a flavor or image A vTPM can be requested on a server via flavor extra specs or image metadata properties. […]
Overcommitting CPU and RAM
OpenStack allows you to overcommit CPU and RAM on compute nodes. This allows you to increase the number of instances running on your cloud at the cost of reducing the performance of the instances. The Compute service uses the following ratios by default: Caution Using a RAM allocation ratio above 1:1 can impact running VMs […]
Get Images
The simplest way to obtain a virtual machine image that works with OpenStack is to download one that someone else has already created. Most of the images contain the cloud-init package to support the SSH key pair and user data injection. Because many of the images disable SSH password authentication by default, boot the image with an […]
Manage images
The cloud operator assigns roles to users. Roles determine who can upload and manage images. The operator might restrict image upload and management to only cloud administrators or operators. You can upload images through the glance image-create or glance image-create-via-import command or the Image service API. You can use the glance client for the image management. It provides mechanisms to do […]