6800abb860
How to use the Python SDK to work with keypairs and security groups. Change-Id: I1a129cc37e841f5b123c446b66d0f4c6817f2485
120 lines
7.3 KiB
XML
120 lines
7.3 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
|
xml:id="sdk_configure_instances">
|
|
<title>Configure access and security for instances</title>
|
|
<?dbhtml stop-chunking?>
|
|
<section xml:id="add_keypair_sdk">
|
|
<title>Add a keypair</title>
|
|
<para>To generate a keypair, call the
|
|
<methodname>
|
|
<link xlink:href="http://docs.openstack.org/developer/python-novaclient/api/novaclient.v1_1.keypairs.html#novaclient.v1_1.keypairs.KeypairManager.create">novaclient.v1_1.keypairs.KeypairManager.create</link>
|
|
</methodname>
|
|
method:
|
|
<programlisting language="python">import novaclient.v1_1.client as nvclient
|
|
nova = nvclient.Client(...)
|
|
keypair_name = "staging"
|
|
keypair = nova.keypairs.create(name=keypair_name)
|
|
print keypair.private_key</programlisting>
|
|
</para>
|
|
<para>The Python script output looks something like this:
|
|
<screen><computeroutput>-----BEGIN RSA PRIVATE KEY-----
|
|
MIIEowIBAAKCAQEA8XkaMqInSPfy0hMfWO+OZRtIgrQAbQkNcaNHmv2GN2G6xZlb\nuBRux5Xk/6SZ
|
|
ABaNPm1nRWm/ZDHnxCsFTcAl2LYOQXx3Cl2qKNY4r2di4G48GAkd\n7k5lDP2RgQatUM8npO0CD9PU
|
|
...
|
|
mmrceYYK08/lQ7JKLmVkdzdQKt77+v1oBBuHiykLfI6h1m77NRDw9r8cV\nzczYeoALifpjTPMkKS8
|
|
ECfDCuDn/vc9K1He8CRaJHf8AMLQLM3MN
|
|
-----END RSA PRIVATE KEY-----</computeroutput></screen></para>
|
|
|
|
<para>You will typically write the private key to a file in order to use it
|
|
later. The file must be readable and writeable by only the file owner,
|
|
otherwise the ssh client will refuse to read the private key file. It
|
|
is safest to create the file with the appropriate permissions, as shown in
|
|
the following example:
|
|
<programlisting language="python">import novaclient.v1_1.client as nvclient
|
|
import os
|
|
nova = nvclient.Client(...)
|
|
keypair_name = "staging"
|
|
private_key_filename = "/home/alice/id-staging"
|
|
keypair = nova.keypairs.create(name=keypair_name)
|
|
|
|
# Create a file for writing that can only be read and written by owner
|
|
fp = os.open(private_key_filename, os.O_WRONLY | os.O_CREAT, 0o600)
|
|
with os.fdopen(fp, 'w') as f:
|
|
f.write(keypair.private_key)</programlisting>
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="import_keypair_sdk">
|
|
<title>Import a keypair</title>
|
|
<para>If you have already generated a keypair with the
|
|
public key located at <filename>~/.ssh/id_rsa.pub</filename>,
|
|
pass the contents of the file to the <methodname>
|
|
<link xlink:href="http://docs.openstack.org/developer/python-novaclient/api/novaclient.v1_1.keypairs.html#novaclient.v1_1.keypairs.KeypairManager.create">
|
|
novaclient.v1_1.keypairs.KeypairManager.create</link></methodname>
|
|
method to import the public key to Compute:
|
|
<programlisting language="python">import novaclient.v1_1.client as nvclient
|
|
import os.path
|
|
with open(os.path.expanduser('~/.ssh/id_rsa.pub')) as f:
|
|
public_key = f.read()
|
|
nova = nvclient.Client(...)
|
|
nova.keypairs.create('mykey', public_key)</programlisting></para>
|
|
</section>
|
|
<section xml:id="list_keypairs_sdk">
|
|
<title>List keypairs</title>
|
|
<para>To list keypairs, call the <methodname>
|
|
<link xlink:href="http://docs.openstack.org/developer/python-novaclient/api/novaclient.v1_1.keypairs.html#novaclient.v1_1.keypairs.KeypairManager.list">novaclient.v1_1.keypairs.KeypairManager.list</link></methodname>
|
|
method:
|
|
<programlisting language="python">import novaclient.v1_1.client as nvclient
|
|
nova = nvclient.Client(...)
|
|
keypairs = nova.keypairs.list()</programlisting></para>
|
|
</section>
|
|
<section xml:id="security_groups_sdk">
|
|
<title>Create and manage security groups</title>
|
|
<para>To list security groups for the current project, call the
|
|
<methodname><link xlink:href="http://docs.openstack.org/developer/python-novaclient/api/novaclient.v1_1.security_groups.html#novaclient.v1_1.security_groups.SecurityGroupManager.list">novaclient.v_1.security_groups.SecurityGroupManager.list</link></methodname> method:
|
|
<programlisting language="python">import novaclient.v1_1.client as nvclient
|
|
nova = nvclient.Client(...)
|
|
security_groups = nova.security_groups.list()</programlisting></para>
|
|
<para>To create a security group with a specified name and description,
|
|
call the <methodname><link xlink:href="http://docs.openstack.org/developer/python-novaclient/api/novaclient.v1_1.security_groups.html#novaclient.v1_1.security_groups.SecurityGroupManager.create">novaclient.v_1.security_groups.SecurityGroupManager.create</link></methodname> method:
|
|
<programlisting language="python">import novaclient.v1_1.client as nvclient
|
|
nova = nvclient.Client(...)
|
|
nova.security_groups.create(name="web", description="Web servers")</programlisting></para>
|
|
<para>To delete a security group, call the
|
|
<methodname>
|
|
<link xlink:href="http://docs.openstack.org/developer/python-novaclient/api/novaclient.v1_1.security_groups.html#novaclient.v1_1.security_groups.SecurityGroupManager.delete">
|
|
novaclient.v_1.security_groups.SecurityGroupManager.delete</link></methodname> method, passing either a <link xlink:href="http://docs.openstack.org/developer/python-novaclient/api/novaclient.v1_1.security_groups.html#novaclient.v1_1.security_groups.SecurityGroup">novaclient.v1_1.security_groups.SecurityGroup</link>
|
|
object or group ID as an argument:
|
|
<programlisting language="python">import novaclient.v1_1.client as nvclient
|
|
nova = nvclient.Client(...)
|
|
group = nova.security_groups.find(name="web")
|
|
nova.security_groups.delete(group)
|
|
# The following lines would also delete the group:
|
|
# nova.security_groups.delete(group.id)
|
|
# group.delete()</programlisting></para>
|
|
</section>
|
|
<section xml:id="sdk_secgroup_rules">
|
|
<title>Create and manage security group rules</title>
|
|
<para>Access the security group rules from the <literal>rules</literal>
|
|
attribute of a <link xlink:href="http://docs.openstack.org/developer/python-novaclient/api/novaclient.v1_1.security_groups.html#novaclient.v1_1.security_groups.SecurityGroup">novaclient.v1_1.security_groups.SecurityGroup</link> object:
|
|
<programlisting language="python">import novaclient.v1_1.client as nvclient
|
|
nova = nvclient.Client(...)
|
|
group = nova.security_groups.find(name="web")
|
|
print group.rules</programlisting></para>
|
|
<para>To add a rule, to a security group, call the <methodname><link xlink:href="http://docs.openstack.org/developer/python-novaclient/api/novaclient.v1_1.security_group_rules.html#novaclient.v1_1.security_group_rules.SecurityGroupRuleManager.create">novaclient.v1_1.security_group_rules.SecurityGroupRuleManager.create</link></methodname>
|
|
method:
|
|
<programlisting language="python">import novaclient.v1_1.client as nvclient
|
|
nova = nvclient.Client(...)
|
|
group = nova.security_groups.find(name="web")
|
|
# Add rules for ICMP, tcp/80 and tcp/443
|
|
nova.security_group_rules.create(group.id, ip_protocol="icmp",
|
|
from_port=-1, to_port=-1)
|
|
nova.security_group_rules.create(group.id, ip_protocol="tcp",
|
|
from_port=80, to_port=80)
|
|
nova.security_group_rules.create(group.id, ip_protocol="tcp",
|
|
from_port=443, to_port=443)</programlisting></para>
|
|
</section>
|
|
</section>
|