Setting Up OpenStack Prerequisites for Launching Instances

Introduction

Before you can launch your first OpenStack instance, you must configure several prerequisite components that provide secure access, network connectivity, and firewall rules. These one-time setup tasks create the infrastructure foundation for all your future instances.

This guide walks you through creating SSH key pairs for secure access, configuring security groups for firewall rules, and setting up networks for instance connectivity using both the Horizon dashboard and the OpenStack CLI.

What You Need Before Starting

Before configuring OpenStack prerequisites, ensure you have:

• An active InMotion Cloud account with a project created
• Access to the OpenStack Horizon dashboard
• OpenStack CLI installed and configured (for CLI methods)
• Basic understanding of SSH, firewall concepts, and networking

Creating SSH Key Pairs

SSH key pairs provide secure, password-free access to your instances. Each project should have at least one key pair, and you can create multiple key pairs for different use cases or team members.

Understanding Key Pairs

A key pair consists of:

• Private key: Stored securely on your local machine and never shared
• Public key: Injected into instances at launch time by cloud-init

When you create a key pair through Horizon, OpenStack generates both keys and provides the private key as a download. You are responsible for keeping this private key secure.

Creating a Key Pair Using Horizon

1. Log in to your OpenStack Horizon dashboard
2. Navigate to Project > Compute > Key Pairs
3. Click Create Key Pair
4. Enter a descriptive name for your key pair (example: "web-server-key")
5. Select SSH Key as the key type
6. Click Create Key Pair

The private key file (.pem format) downloads automatically to your computer. Save this file in a secure location. You cannot download it again.

Setting Correct Permissions on Private Key

Before using your private key, set the correct file permissions:

Linux/macOS:

1chmod 600 ~/Downloads/web-server-key.pem
Copy

Windows: Right-click the file, select Properties > Security, and ensure only your user account has read access.

Creating a Key Pair Using CLI

Generate a new key pair and save it locally:

1openstack keypair create web-server-key > ~/web-server-key.pem
2chmod 600 ~/web-server-key.pem
Copy

Verify the key pair was created:

1openstack keypair list
Copy

Importing an Existing Public Key

If you already have an SSH key pair on your local machine, you can import the public key into OpenStack instead of generating a new pair.

Using Horizon:

1. Navigate to Project > Compute > Key Pairs
2. Click Import Public Key
3. Enter a name for the key pair
4. Paste your public key content or upload the public key file
5. Click Import Public Key

Using CLI:

1openstack keypair create --public-key ~/.ssh/id_rsa.pub existing-key
Copy

Configuring Security Groups

Security groups act as virtual firewalls that control inbound and outbound traffic to your instances. Each instance must be assigned to at least one security group, and the default security group blocks all incoming traffic.

Understanding Security Group Rules

Security group rules define:

• Direction: Ingress (incoming) or egress (outgoing)
• Protocol: TCP, UDP, ICMP, or all protocols
• Port range: Specific ports (22 for SSH) or port ranges (8000-9000)
• Remote source: IP address ranges (CIDR notation) or other security groups

Creating a Security Group Using Horizon

1. Navigate to Project > Network > Security Groups
2. Click Create Security Group
3. Enter a name (example: "web-server-sg")
4. Add a description (example: "Allow SSH and HTTP/HTTPS traffic")
5. Click Create Security Group

The new security group appears in the list and includes default egress (outbound) rules that allow all outgoing traffic.

Adding Rules to Security Groups Using Horizon

After creating a security group, add rules to allow specific traffic.

Allow SSH Access (Port 22):

1. Click Manage Rules next to your security group
2. Click Add Rule
3. Select SSH from the Rule dropdown
4. Set Remote to CIDR
5. Enter 0.0.0.0/0 to allow SSH from any IP, or specify your IP range (example: 203.0.113.0/24)
6. Click Add

Allow ICMP (Ping):

1. Click Add Rule
2. Select All ICMP from the Rule dropdown
3. Set Remote to CIDR
4. Enter 0.0.0.0/0
5. Click Add

Allow HTTP Traffic (Port 80):

1. Click Add Rule
2. Select HTTP from the Rule dropdown
3. Set Remote to CIDR
4. Enter 0.0.0.0/0
5. Click Add

Allow HTTPS Traffic (Port 443):

1. Click Add Rule
2. Select HTTPS from the Rule dropdown
3. Set Remote to CIDR
4. Enter 0.0.0.0/0
5. Click Add

Creating Security Groups and Rules Using CLI

Create a new security group:

1openstack security group create web-server-sg --description "Allow SSH and HTTP/HTTPS traffic"
Copy

Add SSH rule:

1openstack security group rule create --protocol tcp --dst-port 22 --remote-ip 0.0.0.0/0 web-server-sg
Copy

Add ICMP rule:

1openstack security group rule create --protocol icmp web-server-sg
Copy

Add HTTP rule:

1openstack security group rule create --protocol tcp --dst-port 80 --remote-ip 0.0.0.0/0 web-server-sg
Copy

Add HTTPS rule:

1openstack security group rule create --protocol tcp --dst-port 443 --remote-ip 0.0.0.0/0 web-server-sg
Copy

List security group rules to verify:

1openstack security group show web-server-sg
Copy

Setting Up Networks

Networks provide IP connectivity for instances. Most OpenStack projects include a default network, but you may need to create additional networks for isolation or multi-tier architectures.

Understanding Network Components

OpenStack networks consist of:

• Network: A virtual isolated layer 2 broadcast domain
• Subnet: An IP address range (CIDR) within a network
• Router: Connects networks together and provides external connectivity

Verifying Existing Networks Using Horizon

Before creating new networks, check what already exists:

1. Navigate to Project > Network > Networks
2. Review the list of available networks
3. Click on a network name to view its subnets and details

If you see a network with a subnet already configured, you can skip network creation and use the existing network when launching instances.

Creating a Network Using Horizon

If you need to create a new network:

1. Navigate to Project > Network > Networks
2. Click Create Network
3. Enter a network name (example: "private-network")
4. Click Next

Create Subnet:

1. Enter a subnet name (example: "private-subnet")
2. Enter network address in CIDR notation (example: 192.168.1.0/24)
3. Select IP version (IPv4 or IPv6)
4. Click Next

Configure Subnet Details:

1. Enable DHCP (recommended)
2. Optionally configure allocation pools (IP ranges available for instances)
3. Enter DNS nameservers (example: 8.8.8.8, 8.8.4.4)
4. Click Create

Creating a Network Using CLI

Create a network:

1openstack network create private-network
Copy

Create a subnet within the network:

1openstack subnet create --network private-network \
2  --subnet-range 192.168.1.0/24 \
3  --dns-nameserver 8.8.8.8 \
4  --dns-nameserver 8.8.4.4 \
5  private-subnet
Copy

Verify network creation:

1openstack network list
2openstack subnet list
Copy

Connecting Networks to Routers

If your network needs external connectivity (internet access), connect it to a router.

Using Horizon:

1. Navigate to Project > Network > Routers
2. Click Create Router
3. Enter a router name
4. Select an external network for the gateway
5. Click Create Router
6. Click on the router name
7. Select the Interfaces tab
8. Click Add Interface
9. Select your private subnet
10. Click Submit

Using CLI:

1openstack router create my-router
2openstack router set --external-gateway public my-router
3openstack router add subnet my-router private-subnet
Copy

Verifying Prerequisites

Before launching your first instance, confirm all prerequisites are configured correctly.

Check Key Pairs

Horizon: Navigate to Project > Compute > Key Pairs and verify at least one key pair exists.

CLI:

1openstack keypair list
Copy

Check Security Groups

Horizon: Navigate to Project > Network > Security Groups and verify your security group has rules allowing SSH and ICMP.

CLI:

1openstack security group list
2openstack security group show web-server-sg
Copy

Check Networks

Horizon: Navigate to Project > Network > Networks and verify at least one network with a subnet exists.

CLI:

1openstack network list
2openstack subnet list
Copy

Next Steps

With prerequisites configured, you are ready to launch your first instance. Refer to the "Launching Your First Instance in OpenStack Horizon" guide for step-by-step instructions on creating and connecting to your instance.

Troubleshooting Common Issues

Cannot Download Private Key After Creation

Cause: The private key is only available for download once, immediately after creation.

Solution: Delete the key pair and create a new one, or import an existing public key from your local machine instead.

Security Group Rules Not Working

Cause: Rules may be configured incorrectly, or you may be testing from the wrong source IP.

Solution: Verify the CIDR range matches your source IP address:

1curl ifconfig.me
Copy

Use this IP in your security group rule, or use 0.0.0.0/0 for testing (restrict it later for security).

Network Has No Subnet

Cause: A network was created without a subnet.

Solution: Add a subnet to the existing network:

1openstack subnet create --network <network-name> \
2  --subnet-range 192.168.1.0/24 \
3  <subnet-name>
Copy

Cannot Access External Networks

Cause: Router is not connected to an external gateway or subnet.

Solution: Verify router configuration:

1openstack router show my-router
Copy

Ensure the external gateway is set and the private subnet is attached as an interface.

Related Resources

• Configure access and security for instances — OpenStack Horizon Documentation
• Launch an instance — OpenStack Installation Guide
• OpenStack Networking (Neutron) Official Documentation