Enable multi-tenancy and manage global, and tenant resources

1. Overview

Before you get started!

Welcome to OpenStack!

In this series of tutorials, we will walk you through all the necessary steps to install, configure and get started with OpenStack. Using just your workstation, you will learn how to use OpenStack for cloud infrastructure implementation purposes, from a single-node installation to large-scale clusters.

This tutorial is the seventh in the “Phase I - Single-node OpenStack on your workstation” series.

Explore other tutorials >

What is OpenStack?

OpenStack is a collection of open-source projects designed to work together to form the basis of a cloud. OpenStack can be used for both private and public cloud implementation.

What is Sunbeam?

Sunbeam is an OpenStack project created to set the foundation for zero-ops OpenStack. By using highly opinionated architecture and native Kubernetes principles, Sunbeam delivers distilled OpenStack excellence on top of K8s.

What is MicroStack?

MicroStack (based on Sunbeam) is an OpenStack flavour designed for small-scale cloud environments, edge deployments, testing and development, with full commercial support available from Canonical.

In this tutorial, you will learn how to:

Enable multi-tenancy in OpenStack
Manage global and tenant resources
Create key pairs

You will only need:

One fresh physical or virtual machine with:

The latest Ubuntu LTS installed,
Static IP address assigned to its primary network interface,
OpenSSH server installed and configured,
4+ core amd64 CPU,
16 GB of RAM,
50 GB of storage,
OpenStack cloud bootstrapped, configured and sample instance launched,
OpenStack client set up,
Sample instance templates created,
Sample identities created.

2. Enable multi-tenancy

OpenStack is a multi-tenant environment by default, meaning that various organisations can use it independently of each other at the same time. This makes OpenStack suitable for the purpose of public cloud implementations.

Multi-tenancy in OpenStack is organised based on the concept of identities as discussed in tutorial 6. Identities. Cloud resources are grouped into projects. Users and groups are assigned with roles on those projects. Finally, domains limit the visibility of their identities to users in other domains.

As a result, enabling multi-tenancy usually involves creating multiple domains and assigning one domain per every organisation. Inside of those domains, multiple projects can be created to further limit cloud resources to a certain project or an organisation’s unit. Every domain can also have its own admin and regular user accounts created, and roles can be assigned according to the tenants’ internal policies.

In tutorial 6. Identities, we created the myproject project and the myuser user inside of the mydomain domain, and granted this user the member role on the project through the group membership and role assignment. In the following tutorials, we’re going to use the mydomain domain and the myproject project as an example of a newly created tenant.

3. Switch to the user account

You may remember from the tutorial 2. Components that the user has to set up the OpenStack client in order to be able to communicate with the OpenStack cloud. This involves installing the client and setting up some environmental variables that are defined in the RC file.

To download the RC file for the myuser user, log in to the OpenStack dashboard with the following credentials:

Domain - Type mydomain
User Name - Type myuser
Password - Type mypassword

From the OpenStack dashboard landing page, navigate to the myuser drop-down menu on the top right, click it, and select OpenStack RC File to download the RC file:

To set up the OpenStack client for the myuser user, open a new terminal window, execute the following command, and type mypassword when asked for the password:


$ source ~/Downloads/myproject-openrc.sh

You can now use the OpenStack client to interact with the OpenStack cloud as the myuser user.

4. Manage global resources

In OpenStack, some resources are global, while others are available to a certain tenant only. Global resources are shared across all projects and domains, and can be managed by users with the admin role assigned. Tenant resources are limited to a project or a domain, and can be managed by users with the member role assigned.

Examples of global resources include:

Public instance templates, including images and flavors
External networks
Roles

For example, to list all images, execute the following command:


$ openstack image list

Sample output:


+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| 4c4fbf96-c5e5-49de-be6d-31bea2ea0ac8 | ubuntu | active |
+--------------------------------------+--------+--------+

Alternatively, navigate to Project -> Compute -> Images from the OpenStack dashboard:

Note that the myuser user cannot see the ubuntu-focal image, which we marked as private in the tutorial 5. Templates.

5. Manage tenant resources

The myuser user can now start creating tenant resources inside of the myproject project.

In the following steps, we’ll create an SSH key pair called mykeypair that we’ll later use during the instance provisioning process.

Create a key pair through the OpenStack client

To create the key pair, execute the following command:


$ openstack keypair create --private-key ./mykeypair.pem --type ssh mykeypair

To list all key pairs, execute the following command:


$ openstack keypair list

Sample output:


+-----------+-------------------------------------------------+------+
| Name      | Fingerprint                                     | Type |
+-----------+-------------------------------------------------+------+
| mykeypair | 62:6c:6c:11:b7:c9:ef:c8:36:b2:f5:28:a0:bf:5e:ce | ssh  |
+-----------+-------------------------------------------------+------+