This guide explains how to SSH into an instance.

The OpenStackClient can be used to SSH into instances. Instances can be created on both public and private networks. The machine issuing the SSH command must be able to reach the instance over the network. Typically, instances created on the provider network or assigned a floating IP can be accessed from any machine that is connected to the Internet.


Access Instance associated with a Public IP

If the instance has a floating IP or is on the provider network, then the instance can be accessed by any machine that has OpenSSH installed or from any machine that has OpenStackClient installed.

Using SSH

To SSH into an instance, the machine you connect from has to be able to connect to the SSH port (typically 22) of the instance. This means the security group associated with the instance must allow SSH traffic from the machine you intend to SSH from. See the create an instance guide for how to create security groups.

An example command to SSH into an instance:

$ ssh -i ~/.ssh/KEY USER@50.50.50.50

In this example, ~/.ssh/KEY is your private key, USER is the SSH username, and 50.50.50.50 is an IP you can connect to from the machine you intend to SSH from.

Using OpenStackClient

It is also possible to use OpenStackClient to SSH into a machine. To be able to use OpenStackClient for this purpose, the machine you connect from must have SSH access to the instance. Again, ensure the instance has a security group that allows SSH access from the host you intend to connect with.

Base command to SSH into an instance:

$ openstack server ssh

Example command to SSH into an instance which has been created on the provider network:

$ openstack server ssh --login centos --identity ~/.ssh/ssh_key --address-type fixed cf491bcc-6050-4024-a72e-70d4e8fe8db6

--address-type can be public, private, or fixed

A fixed --address-type means the IP assigned to the instance is a static IP. When an instance is created on the public network, a fixed IP will be assigned to it.


 

Access Instance associated with a Private IP

It is also possible to SSH into an instance that is on a private network. This has to be done from one of the hardware nodes that is associated with the appropriate private network. The private key of the SSH key pair should be on that node as well.

List the servers to find the instance to connect to:

$ openstack server list
+--------------------------------------+-----------------------------+---------+-------------------------+-----------------------------+------------+
| ID                                   | Name                        | Status  | Networks                | Image                       | Flavor     |
+--------------------------------------+-----------------------------+---------+-------------------------+-----------------------------+------------+
| e93b3344-6d78-4273-880f-220b7fbec417 | test_5                      | ACTIVE  | Internal=192.168.0.186  | CentOS 8 (ce8-x86_64)       | hc1.small  |
+--------------------------------------+-----------------------------+---------+-------------------------+-----------------------------+------------+

The output shows that the IP associated with the instance is on a private network.

Determine what compute node the instance is on:

$ openstack server show e93b3344-6d78-4273-880f-220b7fbec417
+-------------------------------------+--------------------------------------------------------------+
| Field                               | Value                                                        |
+-------------------------------------+--------------------------------------------------------------+
| OS-DCF:diskConfig                   | AUTO                                                         |
| OS-EXT-AZ:availability_zone         | nova                                                         |
| OS-EXT-SRV-ATTR:host                | hc1.example.com                                              |
| OS-EXT-SRV-ATTR:hypervisor_hostname | hc1.example.com                                              |

Note that some of the output is truncated.

Next, SSH into the appropriate compute node and then find the appropriate private network. This can be done by listing the network namespaces on that node.

List network namespaces:

# ip netns
qrouter-4dc1debc-ecf3-42e1-89c6-e2b99fc2c3dd (id: 0)
qdhcp-a54fc8a3-89b1-4ec3-a441-79c6cfe0e915 (id: 3)
qdhcp-55d31bd5-77ba-4ed0-ab6e-99554b33aa90 (id: 1)

List the interfaces for a network namespace using the format ip netns exec $network_namespace $command. For example:

# ip netns exec qdhcp-a54fc8a3-89b1-4ec3-a441-79c6cfe0e915 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
164: tapaa57977f-ca: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fa:16:3e:a3:db:34 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global tapaa57977f-ca
       valid_lft forever preferred_lft forever
    inet 169.254.169.254/16 brd 169.254.255.255 scope global tapaa57977f-ca
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fea3:db34/64 scope link
       valid_lft forever preferred_lft forever

The output shows an interface with the address 192.168.0.2/24, and 192.168.0.186 is on that network, so this is the namespace to use. An example command to SSH into the instance takes this form:

# ip netns exec qdhcp-a54fc8a3-89b1-4ec3-a441-79c6cfe0e915 ssh -i $ssh_key centos@192.168.0.186
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Mon Aug 24 21:59:47 2020 from 192.168.0.2
[centos@test-5 ~]$
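
Added example (not part of the original guide): a shell helper that automates the manual step above of picking the namespace whose interface subnet contains the instance IP. The function names and the 10.0.0.2/24 entry for the second qdhcp namespace are constructed for illustration; the other sample values are taken from the output shown above.

```sh
#!/bin/sh
# Added example: find the network namespace whose subnet contains an instance IP.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( ($o1 << 24) | ($o2 << 16) | ($o3 << 8) | $o4 ))
}

# Return 0 when IPv4 address $1 lies inside the network of CIDR $2.
ip_in_cidr() {
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - $prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
}

# Read "NAMESPACE ADDR/PREFIX" lines on stdin and print every namespace that
# has an interface on the same subnet as target IP $1.
match_netns() {
    while read -r ns cidr; do
        case $cidr in */*) ;; *) continue ;; esac   # skip malformed lines
        if ip_in_cidr "$1" "$cidr"; then echo "$ns"; fi
    done
}

# Live input, run as root on the compute node: one line per IPv4 address
# in every namespace (field 4 of "ip -o -4 addr show" is ADDR/PREFIX).
collect_netns_addrs() {
    ip netns list | while read -r ns rest; do
        ip netns exec "$ns" ip -o -4 addr show | awk -v ns="$ns" '{print ns, $4}'
    done
}

# Constructed sample input: the first three lines mirror the "ip a" output
# above; the 10.0.0.2/24 line is invented, since the guide does not show it.
sample_addrs() {
    cat <<'EOF'
qdhcp-a54fc8a3-89b1-4ec3-a441-79c6cfe0e915 127.0.0.1/8
qdhcp-a54fc8a3-89b1-4ec3-a441-79c6cfe0e915 192.168.0.2/24
qdhcp-a54fc8a3-89b1-4ec3-a441-79c6cfe0e915 169.254.169.254/16
qdhcp-55d31bd5-77ba-4ed0-ab6e-99554b33aa90 10.0.0.2/24
EOF
}

sample_addrs | match_netns 192.168.0.186
```

On a compute node, run collect_netns_addrs | match_netns 192.168.0.186 as root. Tenant networks may use overlapping ranges, so more than one namespace can match; the suffix after qdhcp- is the Neutron network ID and settles which one is correct.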

 

Next Steps

The next guide explains how to manage images in OpenStack.