Category Archives: OpenStack

Install OpenStack nova CLI on MacOS X

1. Check the Python installation. Currently, the nova client does not support Python 3.

$ python -V
Python 2.7.2

2. Install python-novaclient using pip, don’t panic if you already installed python-novaclient using easy_install.

$ sudo easy_install pip
Searching for pip
Best match: pip 1.3.1
Processing pip-1.3.1-py2.7.egg
pip 1.3.1 is already the active version in easy-install.pth
Installing pip script to /usr/local/bin
Installing pip-2.7 script to /usr/local/bin
 
Using /Library/Python/2.7/site-packages/pip-1.3.1-py2.7.egg
Processing dependencies for pip
Finished processing dependencies for pip
 
$ sudo pip install python-novaclient
Requirement already satisfied (use --upgrade to upgrade): python-novaclient in /Library/Python/2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): iso8601>=0.1.4 in /Library/Python/2.7/site-packages/iso8601-0.1.4-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): prettytable>=0.6,<0.8 in /Library/Python/2.7/site-packages/prettytable-0.7.2-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): requests>=0.8 in /Library/Python/2.7/site-packages/requests-1.2.3-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): simplejson in /Library/Python/2.7/site-packages/simplejson-3.3.0-py2.7-macosx-10.8-intel.egg (from python-novaclient)
Cleaning up...

as you can see pip listed python-novaclient in their packages. but you always can delete and reinstall python-novaclient using pip now, or simple use update option.

Openstack VNC Security

If we want to secure connections to VNC ports we should add an iptables rules like:

-A INPUT -s MYNETWORK/24 -p tcp -m multiport –dports 5900:5910 -j  ACCEPT
-A INPUT -p tcp -m multiport –dports 5900:5910 -j REJECT

But in this case we should know how much VNC ports will be running on hardware node (5900+N)… Do you know that iptables can use extended packet matching modules? For example the OWNER module. This module attempts to match various characteristics of the packet creator, for locally generated packets. And we try to use it for block all outgoing (n.b. match is only valid in the OUTPUT and POSTROUTING chains) connections from all VNC servers:

-A OUTPUT -d MYNETWORK/24 -m owner –uid-owner qemu -j ACCEPT
-A OUTPUT -m owner –uid-owner qemu -j REJECT