Managing Multiple Clouds with OpenStack CLI

When you work with multiple OpenStack clouds, you could be working across multiple projects, regions, and/or Keystone API versions within a given cloud. Additionally, you may have to maintain separate OpenStack RC files to store authentication credentials for each cloud.

This approach to manage multiple cloud environments in Platform9 Managed OpenStack has the following drawbacks.

  • Multiple OpenStack RC files must be maintained.
  • Plain-text passwords are stored in-line with non-sensitive authentication information.
  • Automation can be difficult when utilizing credentials from multiple files.

The aforementioned problems can be resolved by leveraging the additional functionality available in the openstack CLI command which reads authentication credentials from configuration files to authenticate and manage clouds.

Effectively Managing Multiple Clouds

You can make effective use of the openstack CLI command to manage multiple clouds. The openstack CLI command internally uses the os-client-config library for centralized management and maintenance of authentication credentials for more than one clouds.

Security of authentication information is critical when it comes to storing access credentials. Although it is not possible to store encrypted passwords in OpenStack, you can work around this problem by placing passwords and other authentication information into separate files.

You can store your non-sensitive OpenStack configuration in ​~/.config/openstack/clouds.yaml​ and your passwords in ​​~/.config/openstack/secure.yaml​. The passwords would still be in plain-text, but you can protect secure.yaml with Unix file permissions, to enhance the security of sensitive password data.

Note: The os-client-config library looks for clouds.yaml at the following locations and in the given order – the current directory, ~/.config/openstack, and ~/etc/openstack. The os-client-config library uses the first clouds.yaml file it finds. Ensure that you place your clouds.yaml in the appropriate directory.

Here’s an example of authentication credentials from clouds.yaml and secure.yaml.

# ~/.config/openstack/clouds.yaml
clouds:
  cloud1:
    region_name: Region1
    auth:
      auth_url: https://cloud1.platform9.net/keystone/v2.0
      username: john.doe@examplecloudone.com
      project_name: service

  cloud2:
    region_name: Region2
    auth:
      auth_url: https://cloud2.platform9.net/keystone/v3
      username: jane.doe@examplecloudtwo.com
      identity_api_version: 3
      project_name: service
      project_domain_name: default
      user_domain_name: default
# ~/.config/openstack/secure.yaml
clouds:
  cloud1:
    auth:
      password: my_secure_password
  cloud2:
    auth:
      password: theother_secure_password

Using os-client-config from the CLI

You can specify multiple clouds within the YAML files in order to centralize the storage of authentication credentials. The users can then simply switch between clouds by specifying the desired cloud when invoking the openstack CLI command (for example, openstack –os-cloud cloud1).

$ openstack --os-cloud cloud1
(openstack) server list
...
(openstack) volume list
...

Using os-client-config from the API

Scripting or automation code can also leverage os-client-config in order to manage credentials in a uniform way across CLI and API.

#!/usr/bin/env python
import os_client_config

def main():
    """Main Entry point."""

    # Create Nova & Cinder clients.
    # If 'cloud' is left blank, the credentials will be automatically
    # discovered by os-client-config
    nova = os_client_config.make_client('compute', cloud='cloud1')
    cinder = os_client_config.make_client('volume', cloud='cloud1')

    # List Nova Instances
    for server in nova.servers.list():
        print server.name

    # List Cinder Volumes
    for volume in cinder.volumes.list():
        print volume.name

Centralized storage of authentication information simplifies management of authentication information on multiple clouds. You can quickly switch clouds through the command-line, simplifying the process of managing multiple clouds or tenants within a cloud. In case of scripting, os-client-config offers separation of authentication information code while providing a simplified, unified method to access credentials.

The browser you are using is outdated. For the best experience please download or update your browser to one of the following: