
There are many options and tools for using the OpenStack API from the command line. Follow the instructions in the table below to set up a security policy and network, launch and manage a VM and then remove the entire structure.  All of the commands EXCEPT creating and removing security groups may be done from the Horizon OpenStack dashboard.  

For more information, see the OpenStack command-line interface cheat sheet. Help is also available directly from the command line tools as shown in this example.


  • It is possible to create entities with the same name; e.g. you could create two networks with the same name; however, they will have different UUIDs. When this occurs you may get a cryptic error message saying that the entity may not exist, or some other baffling error. In this case, you must address the entity by its UUID.
  • In the examples below we often use ${OS_USERNAME}-api-whatnot to name an entity. We do this so that a first-time user can more or less cut and paste the example and create a working instance that is unique to them and distinguishable from those of other users in the project (tenant).
  • It is important to understand that everything is owned by the project (tenant). Other users in your project can see and manipulate entities that you have created. Be careful in your naming and pay attention to the things you are manipulating.
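One way to handle the duplicate-name case described above, added here as an example and not part of the original page: look up the UUID for a name and fail when more than one entity carries it. The function name, the `jdoe-` names and the listing are constructed for illustration; the input layout assumed is the ID and Name columns of a list command in `-f value` format.

```shell
#!/bin/sh
# Added example: resolve a name to a UUID and refuse to guess on duplicates.
# stdin:  "ID Name" lines, e.g. from
#           openstack network list -f value -c ID -c Name
# stdout: the UUID, only when exactly one entity carries the wanted name.
# status: 0 unique, 1 not found, 2 ambiguous (candidate UUIDs go to stderr).
unique_id_for() {
    awk -v want="$1" '
        { id = $1; name = $0; sub(/^[^ ]+ /, "", name) }  # name may hold spaces
        name == want { ids[++n] = id }
        END {
            if (n == 1) { print ids[1]; exit 0 }
            if (n == 0) { print "no entity named " want > "/dev/stderr"; exit 1 }
            print n " entities named " want ", use a UUID:" > "/dev/stderr"
            for (i = 1; i <= n; i++) print "  " ids[i] > "/dev/stderr"
            exit 2
        }
    '
}

# Constructed listing (not real output): two networks share one name.
sample_networks() {
    cat <<'EOF'
0f3a6c1e-0000-4000-8000-000000000001 jdoe-api-net
0f3a6c1e-0000-4000-8000-000000000002 jdoe-api-net
0f3a6c1e-0000-4000-8000-000000000003 jdoe-test-net
EOF
}

sample_networks | unique_id_for jdoe-test-net
sample_networks | unique_id_for jdoe-api-net || echo "ambiguous name, status $?"
```

Because other users in the project can create entities too, running this lookup before a delete or a router change avoids acting on someone else's identically named resource.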

# Get help from a command line tool (an example): openstack security group create
usage: openstack security group create <name>
Creates a security group.

Positional arguments:

  <name>         Name of security group

Create a security group - do this once at IU and/or TACC before
launching instances.

Command line

Create a security group that will enable inbound ping & SSH. For more info see,

See also Add/Remove security groups.

Important note: On OpenStack, NO ports are open by default, in contrast to the
traditional model in which all ports are open unless specifically closed. For this reason,
a security group must be established and the SSH port opened in order to allow login.

openstack security group create --description "ssh & icmp enabled" ${OS_USERNAME}-global-ssh
openstack security group rule create --protocol tcp --dst-port 22:22 --remote-ip ${OS_USERNAME}-global-ssh
openstack security group rule create --protocol icmp ${OS_USERNAME}-global-ssh
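A check to run after creating rules like the ones above, added here as an example and not part of the original page: it reads a rule listing in CSV form and reports every ingress rule that accepts traffic from any source address. The column names and the sample listing are assumptions about the client's output layout; the sample rows are constructed.

```shell
#!/bin/sh
# Added example: list ingress rules that are open to every source address.
# stdin: CSV as printed by (column names are an assumption about the client)
#   openstack security group rule list --long -f csv ${OS_USERNAME}-global-ssh
# stdout: "protocol port-range source" for each world-open ingress rule.
# Columns are located by header name, so their order does not matter.
world_open_ingress() {
    awk -F',' '
        { gsub(/"/, "") }          # drop CSV quoting; awk re-splits the fields
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i
            n = split("IP Protocol,IP Range,Port Range,Direction", need, ",")
            for (i = 1; i <= n; i++) if (!(need[i] in col)) exit 2
            next
        }
        {
            src = $(col["IP Range"])
            if ($(col["Direction"]) == "ingress" &&
                (src == "0.0.0.0/0" || src == "::/0")) {
                port = $(col["Port Range"]); if (port == "") port = "any"
                print $(col["IP Protocol"]), port, src
            }
        }
    '
}

# Constructed rule listing (not real output).
sample_rules() {
    cat <<'EOF'
"ID","IP Protocol","Ethertype","IP Range","Port Range","Direction","Remote Security Group"
"7c1d0000-0000-4000-8000-000000000001","tcp","IPv4","0.0.0.0/0","22:22","ingress",""
"7c1d0000-0000-4000-8000-000000000002","icmp","IPv4","0.0.0.0/0","","ingress",""
"7c1d0000-0000-4000-8000-000000000003","tcp","IPv4","192.0.2.0/24","22:22","ingress",""
"7c1d0000-0000-4000-8000-000000000004","","IPv4","0.0.0.0/0","","egress",""
EOF
}

sample_rules | world_open_ingress
```

Rules restricted to a known prefix, such as the constructed 192.0.2.0/24 row, and egress rules are not reported.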

Upload SSH key - do this once 

If you have an SSH key upload id_rsa & to nova

(note: Key filenames may vary)

cd ~/.ssh

openstack keypair create --public-key ${OS_USERNAME}-api-key

If you don't have an SSH key then create a new key and upload to nova.

ssh-keygen -b 2048 -t rsa -f ${OS_USERNAME}-api-key -P ""

openstack keypair create --public-key ${OS_USERNAME}-api-key

Setup the network - do this once

OpenStack command

Create a private network

openstack network create ${OS_USERNAME}-api-net

Verify that the private network was created

openstack network list

Create a subnet within the private network space

openstack subnet create --network ${OS_USERNAME}-api-net --subnet-range ${OS_USERNAME}-api-subnet1

Verify that subnet was created

openstack subnet list

Create a router

openstack router create ${OS_USERNAME}-api-router

Connect the newly created subnet to the router (use names instead of UUIDs)

openstack router add subnet ${OS_USERNAME}-api-router ${OS_USERNAME}-api-subnet1

Connect the router to the gateway named "public"

openstack router set --external-gateway public ${OS_USERNAME}-api-router

Verify that the router has been connected to the gateway

openstack router show ${OS_USERNAME}-api-router

Create and launch a VM

OpenStack commands

See what sizes (flavors) are available

openstack flavor list

See what Images are available

openstack image list

Create and boot an instance


  • Make sure your SSH keyname matches.
  • ${OS_USERNAME}-api-U-1 is the name of the instance; make it something meaningful for you.

openstack server create ${OS_USERNAME}-api-U-1 \
--flavor m1.tiny \
--image IMAGE-NAME \
--key-name ${OS_USERNAME}-api-key \
--security-group ${OS_USERNAME}-global-ssh \
--nic net-id=${OS_USERNAME}-api-net

Create a public IP address for an instance

openstack floating ip create public

Associate that IP address with that instance

openstack server add floating ip ${OS_USERNAME}-api-U-1

SSH in! Note that your key was inserted in root's .ssh dir.

SSH

Reboot, suspend, stop an instance

openstack server reboot ${OS_USERNAME}-api-U-1
openstack server suspend ${OS_USERNAME}-api-U-1
openstack server stop ${OS_USERNAME}-api-U-1
openstack server shelve ${OS_USERNAME}-api-U-1

Remove an instance

OpenStack commands

Delete an instance

openstack server delete ${OS_USERNAME}-api-U-1

Disassociate the IP address from the instance

openstack server remove floating ip ${OS_USERNAME}-api-U-1

Disconnect the router from the gateway

openstack router unset --external-gateway ${OS_USERNAME}-api-router

Delete the subnet from the router

openstack router remove subnet ${OS_USERNAME}-api-router ${OS_USERNAME}-api-subnet1

Delete the router

openstack router delete ${OS_USERNAME}-api-router

Add/Remove security groups


These commands do not have an equivalent GUI operation and
can only be performed via the command line clients.
When using the GUI, security groups must be associated with an
instance when it is created and/or booted.

openstack server add security group ${OS_USERNAME}-api-U-1 ${OS_USERNAME}-global-ssh
openstack server remove security group ${OS_USERNAME}-api-U-1 ${OS_USERNAME}-global-ssh
