Skip to content

Linux

A full working client environment is configured on the lxplus service but there may be a need to install clients on other machines such as a personal laptop or an application server which needs to interact with OpenStack.

If you are developing an application, it is advised to use one of the software development toolkits rather than scripting around the command line tools.

Note: Currently, local installation of the OpenStack clients provides support for the OS_PASSWORD openrc method of authentication.

Puppet clients

If your machine uses Puppet, you can include the standard OpenStack clients by adding the following to your manifests.

  include 'openstack_clients'

Container image clients

Users can opt for running the clients in a containerised environment using the cci-openstack-client container image to access the CERN OpenStack cloud.

This image can be run via Docker or Podman, usually available in the default repos of the main distributions.

Run commands interactively using kerberos

The image can be used to run commands interactively. In this case, using the default kerberos authentication method is the recommended approach:

username@linux:~$ docker run -it registry.cern.ch/cloud/cci-openstack-client:cern bash
[root@d3b3cba9b18b /]# kinit your-user-name
Password for fernandl@CERN.CH:
[root@d3b3cba9b18b /]# export OS_PROJECT_NAME="Personal your-user-name"
[root@d3b3cba9b18b /]# openstack server list
+--------------------------------------+---------------+--------+------------------------------+
| ID                                   | Name          | Status | Networks                     |
+--------------------------------------+---------------+--------+------------------------------+
| 00000000-0000-0000-0000-000000000000 | instance-name | ACTIVE | CERN_NETWORK=0.0.0.0         |
+--------------------------------------+---------------+--------+------------------------------+

Run commands using password authentication

By default the image is configured to use Kerberos, but it is possible as well to use password based authentication. This approach can be handy while automating tasks:

username@linux:~$ echo "Enter your OpenStack password: " && read -sr OS_PASSWORD_INPUT && export OS_PASSWORD=$OS_PASSWORD_INPUT
username@linux:~$ docker run --env OS_USERNAME=your-user-name --env OS_PASSWORD --env OS_PROJECT_NAME="Personal your-user-name" --env OS_AUTH_TYPE=v3password -it registry.cern.ch/cloud/cci-openstack-client:cern openstack server list
+--------------------------------------+---------------+--------+------------------------------+
| ID                                   | Name          | Status | Networks                     |
+--------------------------------------+---------------+--------+------------------------------+
| 00000000-0000-0000-0000-000000000000 | instance-name | ACTIVE | CERN_NETWORK=0.0.0.0         |
+--------------------------------------+---------------+--------+------------------------------+

Commands accessing local files

Commands that required access to local files (e.g. create glance images) can be executed using the standard docker options to share files from the host to the container. The following example downloads a cloud image and uploads it to glance:

username@linux:~$ curl -L http://download.cirros-cloud.net/0.6.2/cirros-0.6.2-x86_64-disk.img  -o ./Downloads/cirros.img
username@linux:~$ docker run -it -v ./Downloads:/mnt registry.cern.ch/cloud/cci-openstack-client:cern bash
[root@d3b3cba9b18b /]# kinit your-user-name
Password for fernandl@CERN.CH:
[root@d3b3cba9b18b /]# export OS_PROJECT_NAME="Personal your-user-name"
[root@4aa4970972f2 /]# openstack image create cirros-test --file /mnt/cirros.img
+------------------+-----------------------+
| Field            | Value                 |
+------------------+-----------------------+
| container_format | bare                  |
| created_at       | 2024-01-23T12:53:25Z  |
(...)

ciadm container image

We currently recommend using cci-openstack-client container image as it will be the one more actively maintained. If users still rely on the ciadm one, it is still accessible in the existing location:

sudo docker run -it gitlab-registry.cern.ch/cloud/ciadm

If you want your home and afs directories available in the container, do instead (after getting your afs credentials set): 

kinit <YOURAFSUSER>
sudo docker run -it --privileged -e KRB5CCNAME=/tmp/krb5cc_$UID -e AFS_USER=<YOURAFSUSER> -v /tmp:/tmp -v /afs:/afs gitlab-registry.cern.ch/cloud/ciadm

Once you got a shell in the container, you can use the clients as before: 

[root@28ad6acb3783 ]# . Personal\ <username>-openrc.sh
[root@28ad6acb3783 ]# openstack server list

Local installation

If you have a standalone Enterprise Linux like machine (e.g. Red Hat Linux or AlmaLinux) and would like to install the OpenStack clients manually, you can do the following using the RDO packages.

This has been tested on RedHat Enterprise Linux and Almalinux 8 and 9 versions. Installation issues on Fedora should be followed up with the Fedora and RDO community

Enterprise Linux environment

This recipe installs the Yoga version of the OpenStack client packages, which are compatible with the CERN Cloud Infrastructure.

$ sudo yum update -y
$ sudo yum install centos-release-openstack-yoga -y
$ sudo yum install -y /usr/bin/openstack python3-requests-kerberos