Managing Multiple Clouds with OpenStack CLI

When you work with multiple OpenStack clouds, you could be working across multiple projects, regions, and/or Keystone API versions within a given cloud. Additionally, you may have to maintain separate OpenStack RC files to store authentication credentials for each cloud.

This approach to manage multiple cloud environments in Platform9 Managed OpenStack has the following drawbacks.

• Multiple OpenStack RC files must be maintained.
• Plain-text passwords are stored in-line with non-sensitive authentication information.
• Automation can be difficult when utilizing credentials from multiple files.

The aforementioned problems can be resolved by leveraging the additional functionality available in the openstack CLI command which reads authentication credentials from configuration files to authenticate and manage clouds.

Effectively Managing Multiple Clouds

You can make effective use of the openstack CLI command to manage multiple clouds. The o_penstack_ CLI command internally uses the os-client-config library for centralized management and maintenance of authentication credentials for more than one clouds.

Security of authentication information is critical when it comes to storing access credentials. Although it is not possible to store encrypted passwords in OpenStack, you can work around this problem by placing passwords and other authentication information into separate files.

You can store your non-sensitive OpenStack configuration in ​~/.config/openstack/clouds.yaml​and your passwords in ​​~/.config/openstack/secure.yaml​. The passwords would still be in plain-text, but you can protect secure.yaml with Unix file permissions, to enhance the security of sensitive password data.

Here’s an example of authentication credentials from clouds.yaml and secure.yaml.

# ~/.config/openstack/clouds.yaml

clouds:

  cloud1:

    region_name: Region1

​

    auth:

      auth_url: https://cloud1.platform9.net/keystone/v2.0

      username: john.doe@examplecloudone.com

      project_name: service

  cloud2:

    region_name: Region2

    identity_api_version: 3

    auth:

      auth_url: https://cloud2.platform9.net/keystone/v3

      username: jane.doe@examplecloudtwo.com

      project_name: service

      project_domain_name: default

      user_domain_name: default

# ~/.config/openstack/secure.yaml

clouds:

  cloud1:

    auth:

      password: my_secure_password

  cloud2:

    auth:

      password: theother_secure_password

Using os-client-config from the CLI

You can specify multiple clouds within the YAML files in order to centralize the storage of authentication credentials. The users can then simply switch between clouds by specifying the desired cloud when invoking the openstack CLI command (for example, openstack –os-cloud cloud1).

$ openstack --os-cloud cloud1

(openstack) server list

...

(openstack) volume list

...

Using os-client-config from the API

Scripting or automation code can also leverage os-client-config in order to manage credentials in a uniform way across CLI and API.

#!/usr/bin/env python

import os_client_config

def main():

    """Main Entry point."""

    # Create Nova And Cinder Clients.

    # If 'cloud' is left blank, the credentials will be automatically

    # discovered by os-client-config

    nova = os_client_config.make_client('compute', cloud='cloud1')

    cinder = os_client_config.make_client('volume', cloud='cloud1')

​

    # List Nova Instances

    for server in nova.servers.list():

        print server.name

​

    # List Cinder Volumes

    for volume in cinder.volumes.list():

        print volume.name

Centralized storage of authentication information simplifies management of authentication information on multiple clouds. You can quickly switch clouds through the command-line, simplifying the process of managing multiple clouds or tenants within a cloud. In case of scripting, os-client-config offers separation of authentication information code while providing a simplified, unified method to access credentials.