OpenStack command line

There are many options and tools for using the OpenStack API from the command line. Follow the instructions in the table below to set up a security policy and network, launch and manage a VM and then remove the entire structure.  

NOTE: There is also an API tutorial that the Jetstream team uses here: - this tutorial goes into greater detail on some topics and may be of value to those learning the Openstack CLI.


  • You should be running the latest version of the clients.  We recommend using python-openstack >= 4.0 as it uses Python3 and removes the dependencies on the now deprecated Python2 
  • It is possible to create entities with the same name; e.g. you could create two networks with the same name; however, they will have different UUIDs.  When this occurs you may get a cryptic error message about that entity may not exist or some other baffling error.  In this case, you must address the entity by its UUID.  
  • In the examples below we often use ${OS_USERNAME}-api-whatnot to name an entity.  We do this so that a first time user could more or less cut and paste the example and create a working instance that is unique to you and to distinguish from other users in your project.
  • It is important to understand that everything is owned by the project.  Other users in your project can see and manipulate entities that you have created. Be careful in your naming and pay attention to the things you are manipulating. 

  • In older OpenStack documentation you may come across the term tenant.  The terms tenants and the newer  projects are interchangeable
# Get help from a command line tool (an example): openstack security group create
usage: openstack security group create <name>
Creates a security group.

Positional arguments:

  <name>         Name of security group

The first thing you'll need to do before being able to do any CLI commands is source the openrc file you created.

source openrc-file-name

You can also make the output look nicer in your terminal with the --fit-width option:

openstack image show JS-API-Featured-Centos7-Latest --fit-width

You can make that permanent by adding


to your environment.

Create a security group - do this once at IU and/or TACC before
launching instances.

Command line

Create a security group that will enable inbound ping & SSH. For more info see,

Important note: On OpenStack, the default is that NO ports are open versus the traditional all ports are open unless specifically closed. For this reason, a security group must be established and the SSH port opened in order to allow login.

openstack security group create --description "ssh & icmp enabled" ${OS_USERNAME}-global-ssh
openstack security group rule create --protocol tcp --dst-port 22:22 --remote-ip ${OS_USERNAME}-global-ssh
openstack security group rule create --protocol icmp ${OS_USERNAME}-global-ssh

Upload SSH key - do this once

If you have an SSH key upload id_rsa & to nova

(note: Key filenames may vary)

cd ~/.ssh

openstack keypair create --public-key ${OS_USERNAME}-api-key

If you don't have an SSH key then create a new key and upload to nova.

ssh-keygen -b 2048 -t rsa -f ${OS_USERNAME}-api-key -P ""

openstack keypair create --public-key ${OS_USERNAME} ${OS_USERNAME}-api-key

Setup the network - do this onceOpenStack command
Create a private network

openstack network create ${OS_USERNAME}-api-net

Verify that the private network was created

openstack network list

Create a subnet within the private network space

openstack subnet create --network ${OS_USERNAME}-api-net --subnet-range ${OS_USERNAME}-api-subnet1

Verify that subnet was createdopenstack subnet list
Create a router

openstack router create ${OS_USERNAME}-api-router

Connect the newly created subnet to the router

openstack router add subnet ${OS_USERNAME}-api-router ${OS_USERNAME}-api-subnet1

Connect the router to the gateway named "public"

openstack router set --external-gateway public ${OS_USERNAME}-api-router

Verify that the router has been connected to the gateway

openstack router show ${OS_USERNAME}-api-router

Create and launch a VMOpenStack commands
See what flavors (sizes) are availableopenstack flavor list

See what Images are available for API use 

The Jetstream team makes JS-API-Featured* images available from which to build. Using images from Atmosphere WILL LIKELY NOT WORK CORRECTLY.

openstack image list --limit 1000  |  grep JS-API-Featured

Create and boot an instance


  • Make sure your SSH keyname matches.
  • ${OS_USERNAME}-api-u-1 is the name of the instance; make it something meaningful for you.

openstack server create ${OS_USERNAME}-api-U-1 \
--flavor m1.tiny \
--image IMAGE-NAME \
--key-name ${OS_USERNAME}-api-key \
--security-group ${OS_USERNAME}-global-ssh \
--nic net-id=${OS_USERNAME}-api-net

Create a public IP address for an instance

openstack floating ip create public

Add that public IP address with that instance
openstack server add floating ip ${OS_USERNAME}-api-U-1
Things to do once the instance is running
You're ready to log in to the running instance  via ssh'ing into public IP

ssh -i ${OS_USERNAME}-api-key


ssh -i ${OS_USERNAME}-api-key

Reboot, suspend, stop, or shelve an instance

openstack server reboot ${OS_USERNAME}-api-U-1
openstack server suspend ${OS_USERNAME}-api-U-1
openstack server stop ${OS_USERNAME}-api-U-1
openstack server shelve ${OS_USERNAME}-api-U-1

Commands to clean up what was created above
Remove the public IP address from the instanceopenstack server remove floating ip ${OS_USERNAME}-api-U-1
Delete an instance

openstack server delete ${OS_USERNAME}-api-U-1

Return the public IP address to the pool of IP numbers

openstack floating ip delete

Clean up commands for other entities.

Note that you often want to create infrastructure such as networks, subnets, routers, etc. only once and not delete them. These entities are reusable by all members of your project.
Disconnect the router from the gateway

openstack router unset --external-gateway ${OS_USERNAME}-api-router

Delete the subnet from the router

openstack router remove subnet ${OS_USERNAME}-api-router ${OS_USERNAME}-api-subnet1

Delete the router

openstack router delete ${OS_USERNAME}-api-router