OpenStack: Connecting to VMs via SSH

Introduction

It’s fairly common for OpenStack users to be unable to connect to newly created VMs via SSH. This can be due to security groups, or it can be caused by using the incorrect virtual router. In the following article, I will go through several troubleshooting steps to help you connect to VM instances in an OpenStack environment.

Getting Started

The first thing you will want to verify is that the security group your instance is connected to allows both ICMP & SSH traffic. To list out current groups, run the following command:

# nova secgroup-list

Most OpenStack environments will have a “default” security group that attaches to all newly created instances. The “default” security group does not allow ping or SSH connectivity, but you can add rules for both either through the Horizon dashboard or with the nova CLI, as demonstrated below.

This will allow ping access to an instance from anywhere:

nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0

This will allow SSH access from anywhere:

nova secgroup-add-rule default tcp 22 22 0.0.0.0/0

The last argument is the source CIDR. 0.0.0.0/0 matches every address, so substitute a narrower range (for example, your management network) if SSH should not be reachable from anywhere.

If you are still unable to connect to an instance after verifying that ping & SSH are not being refused due to security group settings, you may need to run your commands from inside the router’s network namespace in order to use the correct routes.

To print out current namespaces, run the following:

ip netns

This should print out the DHCP & router namespaces living in your environment, as shown below.

[Screenshot: output of ip netns]

There is only one network available in my OpenStack deployment, so I will use the “qrouter-*” virtual router to connect to any VM instances connected to that network. If you have more than one network, you can print out information about each router with the command:

ip netns exec qrouter-[UUID] ip address

This should give output similar to the screenshot below.

[Screenshot: output of ip netns exec qrouter-[UUID] ip address]

In my example, I have a VM with the IP address 10.0.0.3. To access that VM using my router namespace, I can use the following syntax:

ip netns exec qrouter-[UUID] ssh cirros@10.0.0.3

In the screenshot below, you can see that I was able to log in to my instance through my virtual router.

[Screenshot: SSH login to the instance through the router namespace]

If I want persistent access to that namespace for connecting to multiple VMs on the same network, I can run the following:

ip netns exec qrouter-[UUID] bash

This will start a shell in the network namespace. To leave it, simply type “exit” to return to the original shell.
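
When several routers exist, the choice of namespace can be scripted: this added example (not part of the original article) matches a VM's IP against the subnets on each namespace's interfaces. The function names and the sample namespace UUIDs are made up for illustration; on a live network node, run `list_ns_addrs | find_router_ns 10.0.0.3` as root.

```shell
#!/bin/sh
# Added example: find the qrouter-* namespace whose interface subnet
# contains a given VM IP. Function names are hypothetical.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP CIDR: succeed if IP lies inside CIDR (e.g. 10.0.0.1/24).
in_cidr() (
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
)

# find_router_ns TARGET_IP: read "namespace cidr" pairs on stdin and print
# each qrouter-* namespace that has an interface on TARGET_IP's subnet.
find_router_ns() {
    while read -r ns cidr; do
        case $ns in qrouter-*) ;; *) continue ;; esac
        if in_cidr "$1" "$cidr"; then echo "$ns"; fi
    done
}

# Live collector (needs root on the network node): emit "namespace cidr"
# for every IPv4 address in every namespace reported by `ip netns`.
list_ns_addrs() {
    ip netns list | awk '{print $1}' | while read -r ns; do
        ip netns exec "$ns" ip -o -4 addr show </dev/null |
            awk -v ns="$ns" '{print ns, $4}'
    done
}

# Constructed sample of list_ns_addrs output (UUIDs are made up).
SAMPLE='qdhcp-11111111-aaaa-4aaa-8aaa-000000000001 10.0.0.2/24
qrouter-22222222-bbbb-4bbb-8bbb-000000000002 127.0.0.1/8
qrouter-22222222-bbbb-4bbb-8bbb-000000000002 10.0.0.1/24
qrouter-33333333-cccc-4ccc-8ccc-000000000003 192.168.50.1/24'

# Offline demonstration using the sample data.
printf '%s\n' "$SAMPLE" | find_router_ns 10.0.0.3
```

An empty result means no router namespace on that node has an interface on the VM's subnet, which points at the wrong node or a network with no router attached rather than at security groups.
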
That’s it! You should now have full access to virtual machines via the command line.

Sources / Resources

https://docs.openstack.org/ops-guide/ops-network-troubleshooting.html

http://man7.org/linux/man-pages/man8/ip-netns.8.html
