Environment options
OpenStack clients find the services to use using environment variables. These are generally stored in a shell file called 'openrc'.
The variables will be different according to the project you are using.
The details of these environment variables can be found in the OpenStack documentation.
In order to avoid setting these environment variables manually, there are several options, detailed hereafter:
Download from the dashboard
Access the OpenStack dashboard, log in, and you will be able to download an openrc file as follows:
- Selecting "Project" from the left menu (right below the "openstack" logo)
- Choose the API Access Tab
- Click on the "DOWNLOAD OPENSTACK RC FILE" button appearing on the right, then click on the "OPENSTACK RC FILE (IDENTITY API V3)":
This will download a .sh
file through your browser that can be used for authentication. The script should be sourced as follows
Note
If you want to download an openrc file for a different project, you must switch the project from the dropdown just right to the "openstack" logo in order to "activate" it in the web interface and thus having the Download buttons produce the file for the desired project.
Local Password script
You can create your own openrc using the following contents. These may vary in the future so the openrc may need to be updated. The script below sets the project to your Personal project but the
OS_PROJECT_NAME
variable can be changed as needed.
Note
After sourcing this script, your password will be available in the environment of your shell. Depending on the computer on which you are running, this may allow the administrator to access your password. Thus, a Kerberos approach is recommended on public computers.
export OS_AUTH_URL=https://keystone.cern.ch/v3
export OS_USERNAME=`id -un`
export OS_PROJECT_NAME="Personal $OS_USERNAME"
export OS_IDENTITY_API_VERSION=3
export OS_VOLUME_API_VERSION=2
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_REGION_NAME=cern
# With Keystone you pass the keystone password.
echo "Please enter your OpenStack Password: "
read -s OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT
Kerberos authentication
Where a valid kerberos environment has been configured, this can be used for authentication. The benefit is that there is no password stored in an environment variable.
CERN public services such as lxplus.cern.ch or aiadm.cern.ch provide this environment.
export OS_AUTH_URL=https://keystone.cern.ch/v3
export OS_AUTH_TYPE=v3fedkerb
export OS_MUTUAL_AUTH=disabled
export OS_IDENTITY_PROVIDER=sssd
export OS_PROTOCOL=kerberos
export OS_USERNAME=`id -un`
export OS_PROJECT_NAME="Personal $OS_USERNAME"
export OS_IDENTITY_API_VERSION=3
export OS_VOLUME_API_VERSION=2
export OS_PROJECT_DOMAIN_ID=default
export OS_REGION_NAME=cern
If you have a valid kerberos identity (as shown by klist), OpenStack can then be accessed using the unified CLI with these credentials.
Note
This is only available with the openstack
unified CLI currently and not with commands such as nova, cinder, etc.
Using aiadm
If you have access to aiadm (machines for administrating nodes in the computer centre), then the ai-rc command might be used to generate the environment variables as follows:
Combined with kerberos, it has proven to be an efficient way to interact with OpenStack services without having to manage rc files.