Managing key pairs

Since a cloud image is a copy of an already existing disk image with an operating system already installed, the root user is generally disabled, and if a root password is set, it is usually not distributed. To let you authenticate without a password, OpenStack uses SSH key pairs. If you remember, in Chapter 3, Image Management, we discussed the need for cloud-init to be installed in a cloud image. Then, in Chapter 4, Network Management, we discussed how cloud-init would connect to the metadata service via the IP address provided by the router. One of the primary roles of this cloud-init process is to pull down the public SSH key that will be used for authentication. OpenStack provides a facility for you to manage your SSH key pairs so that you can select which one will be used when you launch an instance. Let's start by generating a new key pair and listing it, as shown in the following commands:

undercloud# openstack keypair create my_keypair
-----BEGIN RSA PRIVATE KEY-----
{ truncated private key content }
-----END RSA PRIVATE KEY-----
undercloud# openstack keypair list

This has generated an SSH public/private key pair and listed the record of the key pair. The content that has been put on standard output should end up in a file in your home directory's SSH directory with a mode of 600. The private key just printed to standard output should be treated like a password. Do not share it, and do not post it in public places. Keep it safe.

OpenStack has generated the key pair, given you the private key, and stored the public key to place on a future running instance. You could always redirect the output to a file so that you do not have to copy and paste. This is an alternative way to generate that key pair. The only difference is that the private key ends up in a file instead of being printed in the terminal. Issue the following command this way instead to accomplish this:

undercloud# openstack keypair create another_keypair > another.key

Once you have a file that contains the private key, for example, the another.key file just created, you can drop this file into your ~/.ssh directory with a mode of 600. Then, that file is referenced to log in to a running instance that has the respective public key.
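
The redirect shown above creates another.key with whatever mode the shell's umask allows, often 644, and the ssh client refuses to use a private key that other users can read. The following script is an added example, not from the book or the OpenStack project: it writes a key arriving on standard input with owner-only permissions from the moment the file is created, and it audits existing key files. The function names and the my_keypair.pem file name are assumptions.

```shell
#!/bin/sh
# Added example: keep a generated private key owner-only from creation onward.
# Typical use (file name is an assumption):
#   openstack keypair create my_keypair | save_private_key ~/.ssh/my_keypair.pem

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# save_private_key DEST: read a PEM private key from stdin into DEST, mode 600.
save_private_key() {
    dest=$1
    dir=$(dirname "$dest")
    (
        umask 077                       # new files 600, new directories 700
        mkdir -p "$dir" || exit 1
        tmp=$(mktemp "$dir/.key.XXXXXX") || exit 1
        cat > "$tmp"
        # Reject anything that is not a private key, such as a CLI error message.
        if ! head -n 1 "$tmp" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
            rm -f "$tmp"
            echo "save_private_key: input is not a PEM private key" >&2
            exit 1
        fi
        # Move into place only after the content check and the mode are settled.
        chmod 600 "$tmp" && mv -f "$tmp" "$dest"
    )
}

# key_is_private FILE: succeed only if FILE is readable by its owner alone.
key_is_private() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *) echo "$1: mode $(file_mode "$1") is too open for a private key" >&2
           return 1 ;;
    esac
}
```

Running key_is_private over the files in ~/.ssh is a quick way to find keys that were saved with a plain redirect and never had their mode tightened.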

SSH key pairs are not anything specific to OpenStack. They are very commonly used in the Linux world. OpenStack supports the importing of an already existing public key. Let's walk through generating an SSH key pair outside of OpenStack and importing the public key into OpenStack, as shown in the following commands:

laptop$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/dradez/.ssh/id_rsa): /home/dradez/.ssh/openstack.rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/dradez/.ssh/openstack.rsa.
Your public key has been saved in /home/dradez/.ssh/openstack.rsa.pub.
The key fingerprint is:
4f:62:ee:b9:0f:97:35:f7:8a:91:37:84:0b:b9:cb:05 dradez@laptop
dradez@laptop:~$ ls -l /home/dradez/.ssh/openstack*
-rw-------. 1 dradez dradez 1675 /home/dradez/.ssh/openstack.rsa
-rw-r--r--. 1 dradez dradez  411  /home/dradez/.ssh/openstack.rsa.pub

As illustrated, on my laptop, I have generated a public/private key pair. You could do this on the undercloud if you wanted. The private key has a mode of 600, and the public key is the file that will be imported into OpenStack. In the OpenStack cluster, we are using the undercloud node to interact with the cluster. Copy the public key to your control node so that it can be imported, and import it into Nova, as shown in the following command:

undercloud# openstack keypair create --public-key openstack.rsa.pub keypair_name

You can also manage key pairs in the web interface. In the Compute menu, select the Access & Security submenu. On this page, there will be a Key Pairs tab. You can click on Create Key Pair or Import Key Pair to manage key pairs through the web interface instead of on the command line. The following screenshot captures how we can manage key pairs in the web interface:

Managing key pairs