Managing Multiple Clouds with OpenStack CLI

When you work with multiple OpenStack clouds, you could be working across multiple projects, regions, and/or Keystone API versions within a given cloud. Additionally, you may have to maintain separate OpenStack RC files to store authentication credentials for each cloud.

This approach to managing multiple cloud environments in Platform9 Managed OpenStack has the following drawbacks:

  • Multiple OpenStack RC files must be maintained.
  • Plain-text passwords are stored in-line with non-sensitive authentication information.
  • Automation can be difficult when utilizing credentials from multiple files.

These problems can be resolved by using functionality built into the openstack CLI command, which can read authentication credentials from configuration files to authenticate to and manage clouds.

Effectively Managing Multiple Clouds

You can make effective use of the openstack CLI command to manage multiple clouds. Internally, the openstack CLI command uses the os-client-config library for centralized management and maintenance of authentication credentials for more than one cloud.

Security of authentication information is critical when it comes to storing access credentials. Although it is not possible to store encrypted passwords in OpenStack, you can work around this problem by placing passwords and other authentication information into separate files.

You can store your non-sensitive OpenStack configuration in ~/.config/openstack/clouds.yaml and your passwords in ~/.config/openstack/secure.yaml. The passwords are still in plain text, but you can protect secure.yaml with Unix file permissions to enhance the security of sensitive password data.

Note: The os-client-config library looks for clouds.yaml at the following locations and in the given order – the current directory, ~/.config/openstack, and /etc/openstack. The os-client-config library uses the first clouds.yaml file it finds. Ensure that you place your clouds.yaml in the appropriate directory.

Here’s an example of authentication credentials from clouds.yaml and secure.yaml.

# ~/.config/openstack/clouds.yaml
clouds:
  cloud1:
    region_name: Region1
    auth:
      auth_url: https://cloud1.platform9.net/keystone/v2.0
      username: john.doe@examplecloudone.com
      project_name: service

  cloud2:
    region_name: Region2
    # The API version is a cloud-level setting, not an auth option
    identity_api_version: 3
    auth:
      auth_url: https://cloud2.platform9.net/keystone/v3
      username: jane.doe@examplecloudtwo.com
      project_name: service
      project_domain_name: default
      user_domain_name: default

# ~/.config/openstack/secure.yaml
clouds:
  cloud1:
    auth:
      password: my_secure_password
  cloud2:
    auth:
      password: theother_secure_password
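
The following check is an added example, not code from the original page or from os-client-config. It reports which clouds.yaml wins under the search order in the note above, flags a password left in clouds.yaml, and flags a secure.yaml that is accessible to group or other. The names first_clouds_yaml and audit are hypothetical, and the password match is a simple line heuristic rather than a YAML parser.

```python
import os
import re
import stat

# Search order for clouds.yaml as given in the note above.
SEARCH_DIRS = [".", "~/.config/openstack", "/etc/openstack"]

# Heuristic match for a YAML "password:" key with a value (not a YAML parser).
PASSWORD_KEY = re.compile(r"^\s*password\s*:\s*\S", re.MULTILINE)


def first_clouds_yaml(search_dirs=SEARCH_DIRS):
    """Return the first clouds.yaml found in search order, or None."""
    for directory in search_dirs:
        path = os.path.join(os.path.expanduser(directory), "clouds.yaml")
        if os.path.isfile(path):
            return path
    return None


def audit(config_dir):
    """Return a list of findings for clouds.yaml and secure.yaml in config_dir."""
    findings = []
    clouds = os.path.join(config_dir, "clouds.yaml")
    secure = os.path.join(config_dir, "secure.yaml")

    # Passwords belong in secure.yaml, not beside the non-sensitive settings.
    if os.path.isfile(clouds):
        with open(clouds) as handle:
            if PASSWORD_KEY.search(handle.read()):
                findings.append("clouds.yaml contains a password")

    # secure.yaml holds plain-text passwords: only the owner should have access.
    if os.path.isfile(secure):
        mode = stat.S_IMODE(os.stat(secure).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("secure.yaml mode %04o allows group/other" % mode)
    return findings


if __name__ == "__main__":
    active = first_clouds_yaml()
    print("clouds.yaml in use:", active)
    if active:
        for finding in audit(os.path.dirname(os.path.abspath(active))):
            print("WARN:", finding)
```

A clean result for the files shown above requires secure.yaml to be mode 0600 (chmod 600 ~/.config/openstack/secure.yaml).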

Using os-client-config from the CLI

You can specify multiple clouds within the YAML files in order to centralize the storage of authentication credentials. Users can then switch between clouds by specifying the desired cloud when invoking the openstack CLI command (for example, openstack --os-cloud cloud1).

[bash linenum="false"]
$ openstack --os-cloud cloud1
(openstack) server list

(openstack) volume list
[/bash]

Using os-client-config from the API

Scripting or automation code can also leverage os-client-config in order to manage credentials in a uniform way across CLI and API.
[python]
#!/usr/bin/env python
import os_client_config


def main():
    """Main entry point."""
    # Create Nova & Cinder clients.
    # If 'cloud' is left blank, the credentials will be automatically
    # discovered by os-client-config.
    nova = os_client_config.make_client('compute', cloud='cloud1')
    cinder = os_client_config.make_client('volume', cloud='cloud1')

    # List Nova instances
    for server in nova.servers.list():
        print(server.name)

    # List Cinder volumes
    for volume in cinder.volumes.list():
        print(volume.name)


if __name__ == '__main__':
    main()
[/python]

Centralized storage of authentication information simplifies managing credentials across multiple clouds. You can quickly switch clouds from the command line, which simplifies the process of managing multiple clouds or tenants within a cloud. For scripting, os-client-config keeps authentication information separate from code while providing a simplified, unified method to access credentials.
