Skip to content

Environment options

OpenStack clients find the services to use using environment variables. These are generally stored in a shell file called 'openrc'.

The variables will be different according to the project you are using.

The details of these environment variables can be found in the OpenStack documentation.

In order to avoid setting these environment variables manually, there are several options, detailed hereafter:

Download from the dashboard

Access the OpenStack dashboard, log in, and you will be able to download an openrc file as follows:

  1. Selecting "Project" from the left menu (right below the "openstack" logo)
  2. Choose the API Access Tab Project API access tag
  3. Click on the "DOWNLOAD OPENSTACK RC FILE" button appearing on the right, then click on the "OPENSTACK RC FILE (IDENTITY API V3)": Download Link

This will download a .sh file through your browser that can be used for authentication. The script should be sourced as follows

. openrc.sh

Note: If you want to download an openrc file for a different project, you must switch the project from the dropdown just right to the "openstack" logo in order to "activate" it in the web interface and thus having the Download buttons produce the file for the desired project.

Local Password script

You can create your own openrc using the following contents. These may vary in the future so the openrc may need to be updated. The script below sets the project to your Personal project but the OS_PROJECT_NAME variable can be changed as needed.

Note: After sourcing this script, your password will be available in the environment of your shell. Depending on the computer on which you are running, this may allow the administrator to access your password. Thus, a Kerberos approach is recommended on public computers.

export OS_AUTH_URL=https://keystone.cern.ch/v3
export OS_USERNAME=`id -un`
export OS_PROJECT_NAME="Personal $OS_USERNAME"
export OS_IDENTITY_API_VERSION=3
export OS_VOLUME_API_VERSION=2
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_REGION_NAME=cern

# With Keystone you pass the keystone password.
echo "Please enter your OpenStack Password: "
read -s OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT

Kerberos authentication

Where a valid kerberos environment has been configured, this can be used for authentication. The benefit is that there is no password stored in an environment variable.

CERN public services such as lxplus8.cern.ch, lxplus7.cern.ch or aiadm.cern.ch provide this environment.

export OS_AUTH_URL=https://keystone.cern.ch/v3
export OS_AUTH_TYPE=v3fedkerb
export OS_MUTUAL_AUTH=disabled
export OS_IDENTITY_PROVIDER=sssd
export OS_PROTOCOL=kerberos
export OS_USERNAME=`id -un`
export OS_PROJECT_NAME="Personal $OS_USERNAME"
export OS_IDENTITY_API_VERSION=3
export OS_VOLUME_API_VERSION=2
export OS_PROJECT_DOMAIN_ID=default
export OS_REGION_NAME=cern

If you have a valid kerberos identity (as shown by klist), OpenStack can then be accessed using the unified CLI with these credentials.

Note: This is only available with the openstack unified CLI currently and not with commands such as nova, cinder, etc.

Using aiadm

If you have access to aiadm (machines for administrating nodes in the computer centre), then the ai-rc command might be used to generate the environment variables as follows:

eval $(ai-rc 'Personal $OS_USERNAME')

Combined with kerberos, it has proven to be an efficient way to interact with OpenStack services without having to manage rc files.