Enable multi-tenancy and manage global and tenant resources

1. Overview

Before you get started!

Welcome to OpenStack!

In this series of tutorials, we will walk you through all the necessary steps to install, configure and get started with OpenStack. Using just a single machine, you will learn how to use OpenStack for cloud infrastructure implementation purposes, from a single-node installation to large-scale clusters.

This tutorial is the seventh in the “Phase 1 - Learn OpenStack” series.


What is OpenStack?

OpenStack is a collection of open source projects designed to work together to form the basis of a cloud. OpenStack can be used for both private and public cloud implementation.

What is Sunbeam?

Sunbeam is an upstream project under the governance of the OpenInfra Foundation (OIF), which was created to lower the barrier to entry for OpenStack, simplify its adoption process, and set the foundation for an autonomous private cloud. Sunbeam uses cloud-native architecture and total bottom-up automation to make OpenStack more accessible to newcomers and to help users get to grips with the platform immediately.

What is MicroStack?

MicroStack (based on Sunbeam) is an OpenStack distribution designed for small-scale cloud environments. While it is available with full commercial support from Canonical, it can also be self-deployed with no friction, effectively eliminating the need for a paid consulting engagement. MicroStack currently includes core OpenStack services only, but is expected to evolve quickly to ensure full feature parity with Canonical’s Charmed OpenStack soon.

In this tutorial, you will learn how to:

  • Enable multi-tenancy in OpenStack
  • Manage global and tenant resources
  • Create key pairs

You will only need:

One fresh physical or virtual machine with:


2. Enable multi-tenancy

OpenStack is a multi-tenant environment by default, meaning that various organisations can use it independently of each other at the same time. This makes OpenStack suitable for public cloud implementations.

Multi-tenancy in OpenStack is organised around the concept of identities, as discussed in tutorial 6. Identities. Cloud resources are grouped into projects. Users and groups are assigned roles on those projects. Finally, domains limit the visibility of their identities to users in other domains.

As a result, enabling multi-tenancy usually involves creating multiple domains and assigning one domain per organisation. Inside those domains, multiple projects can be created to further limit cloud resources to a certain project or an organisation’s unit. Every domain can also have its own admin and regular user accounts created, and roles can be assigned according to the tenants’ internal policies.

In tutorial 6. Identities, we created the myproject project and the myuser user inside of the mydomain domain, and granted this user the member role on the project through the group membership and role assignment. In the following tutorials, we’re going to use the mydomain domain and the myproject project as an example of a newly created tenant.


3. Switch to the user account

You may remember from tutorial 2. Components that the user has to set up the OpenStack client in order to communicate with the OpenStack cloud. This involves installing the client and setting some environment variables that are defined in the RC file.

To download the RC file for the myuser user, log in to the OpenStack dashboard with the following credentials:

  • Domain - Type mydomain

  • User Name - Type myuser

  • Password - Type mypassword

From the OpenStack dashboard landing page, navigate to the myuser drop-down menu on the top right, click it, and select OpenStack RC File to download the RC file:

[Figure 1.7.1]

To set up the OpenStack client for the myuser user, open a new terminal window, execute the following command, and type mypassword when asked for the password:


$ source ~/Downloads/myproject-openrc.sh

You can now use the OpenStack client to interact with the OpenStack cloud as the myuser user.
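
The RC file decides which domain, project and user every later command runs as, so it can be inspected before it is sourced. The following is an added example, not part of the original tutorial: it reads the `export` lines without executing the file, checks the scope, and flags a password stored as a literal. The function names and the sample file contents are constructed for illustration; the `OS_*` names are the standard OpenStack client variables.

```shell
#!/bin/sh
# Added example (not from the tutorial): inspect an RC file without sourcing it.

# rc_value FILE VAR: value of the last `export VAR=...` line, quotes stripped.
rc_value() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# rc_stores_password FILE: succeeds if OS_PASSWORD is set to a literal value
# instead of a variable that is filled in at source time.
rc_stores_password() {
    v=$(rc_value "$1" OS_PASSWORD)
    case $v in ''|'$'*) return 1 ;; *) return 0 ;; esac
}

# check_rc FILE DOMAIN PROJECT USER: succeeds only if the file is scoped to
# exactly that tenant and user and does not embed a password.
check_rc() {
    ok=0
    [ "$(rc_value "$1" OS_USER_DOMAIN_NAME)" = "$2" ] || { echo "domain is not $2" >&2; ok=1; }
    [ "$(rc_value "$1" OS_PROJECT_NAME)" = "$3" ] || { echo "project is not $3" >&2; ok=1; }
    [ "$(rc_value "$1" OS_USERNAME)" = "$4" ] || { echo "user is not $4" >&2; ok=1; }
    if rc_stores_password "$1"; then echo "literal OS_PASSWORD in $1" >&2; ok=1; fi
    return "$ok"
}

# Constructed sample RC file: the values match this tutorial's tenant, the
# auth URL is a placeholder, and the password is prompted for, not stored.
write_sample_rc() {
    cat > "$1" <<'EOF'
export OS_AUTH_URL=https://keystone.example.invalid/v3
export OS_PROJECT_NAME="myproject"
export OS_USER_DOMAIN_NAME="mydomain"
export OS_USERNAME="myuser"
read -sr OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT
EOF
}

# Usage: check_rc ~/Downloads/myproject-openrc.sh mydomain myproject myuser
```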


4. Manage global resources

In OpenStack, some resources are global, while others are available to a certain tenant only. Global resources are shared across all projects and domains, and can be managed by users with the admin role assigned. Tenant resources are limited to a project or a domain, and can be managed by users with the member role assigned.

Examples of global resources include:

  • Public instance templates, including images and flavors

  • External networks

  • Roles

For example, to list all images, execute the following command:


$ openstack image list

Sample output:


+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| 4c4fbf96-c5e5-49de-be6d-31bea2ea0ac8 | ubuntu | active |
+--------------------------------------+--------+--------+

Alternatively, navigate to Project > Compute > Images from the OpenStack dashboard:

[Figure 1.7.2]

Note that the myuser user cannot see the ubuntu-focal image, which we marked as private in the tutorial 5. Templates.


5. Manage tenant resources

The myuser user can now start creating tenant resources inside of the myproject project.

In the following steps, we’ll create an SSH key pair called mykeypair that we’ll later use during the instance provisioning process.

Create a key pair through the OpenStack client

To create the key pair, execute the following command:


$ openstack keypair create --private-key ./mykeypair.pem --type ssh mykeypair

To list all key pairs, execute the following command:


$ openstack keypair list

Sample output:


+-----------+-------------------------------------------------+------+
| Name      | Fingerprint                                     | Type |
+-----------+-------------------------------------------------+------+
| mykeypair | 62:6c:6c:11:b7:c9:ef:c8:36:b2:f5:28:a0:bf:5e:ce | ssh  |
+-----------+-------------------------------------------------+------+
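
Nova keeps only the public half of the key pair, so `mykeypair.pem` is the sole copy of the private key, and `ssh` refuses to use a private key file that other users can read. The following is an added example, not part of the original tutorial: it restricts the file to its owner and confirms that the local key matches the MD5 fingerprint shown in the Fingerprint column. It assumes GNU `stat` and OpenSSH's `ssh-keygen`; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the tutorial): lock down the private key and verify
# it against the fingerprint that `openstack keypair list` reports.

# key_mode FILE: octal permission bits of FILE (GNU stat, as on Ubuntu).
key_mode() { stat -c '%a' "$1"; }

# lock_key FILE: restrict FILE to owner read/write. Refuses missing files and
# symlinks, so chmod never lands on an unexpected target.
lock_key() {
    [ -f "$1" ] && [ ! -L "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
    chmod 600 "$1" && [ "$(key_mode "$1")" = "600" ]
}

# local_fingerprint FILE: MD5 colon-hex fingerprint of the public key derived
# from the private key in FILE; prints nothing if the file is not a usable key.
local_fingerprint() {
    ssh-keygen -y -f "$1" 2>/dev/null | ssh-keygen -l -E md5 -f - 2>/dev/null |
        awk '{ sub(/^MD5:/, "", $2); print $2 }'
}

# verify_key FILE EXPECTED_FP: succeeds only if FILE is locked down and its
# fingerprint equals EXPECTED_FP.
verify_key() {
    lock_key "$1" || return 1
    fp=$(local_fingerprint "$1")
    [ -n "$fp" ] && [ "$fp" = "$2" ] || {
        echo "fingerprint mismatch: local=${fp:-none} expected=$2" >&2
        return 1
    }
}

# Usage against the cloud (needs the RC file sourced as shown earlier):
#   verify_key ./mykeypair.pem \
#       "$(openstack keypair show mykeypair -f value -c fingerprint)"
```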

Create a key pair through the OpenStack dashboard

Navigate to Project > Compute > Key Pairs and click the Create Key Pair button on the right:

[Figure 1.7.3]

To create the key pair, fill in the form as follows:

  • Key Pair Name - Type mykeypair

  • Key Type - Select SSH Key

Then click the Create Key Pair button:

[Figure 1.7.4]

You should now be able to see the new key pair in Nova’s database:

[Figure 1.7.5]

Note that the key fingerprint may be different in your environment.


6. Next steps