How to share OpenStack network to other projects

Purpose and Applications

Our cloud infrastructure may be spread across different OpenStack projects. However, some resources should be available in most or even all of those projects. In some cases we want to share some resources with other cloud users directly. This can be achieved by sharing networks between OpenStack projects, which is technically possible by creating Role-Based Access Control (RBAC) for networks.

About RBAC

In OpenStack, RBAC (Role-Based Access Control) is a framework that enables OpenStack admins and users to grant access to resources. It is a part of the OpenStack SDN (Software Defined Networking) component Neutron and can be used to grant access to network resources. 

In this article, we will show how to share networks and security groups with other projects. 

Procedure

To learn about network sharing, we will create an entire environment to clearly see all steps.

Creating OpenStack Projects

Please start by creating two OpenStack projects by following these documents: 

The first project, named "source," should be a complete project with default resources such as a router attached to an external network, a local network (this local network will be shared), and default security groups.

The second project, named "destination," may be empty without any networks. 

Selecting Network Address

For this exercise, the network address and mask selection is not very important. However, in a production environment where the network will be shared with many projects and a lot of hosts will be attached, the address and mask must be considered. The network address should be chosen to avoid repeating the address of an existing network and to prevent routing problems if networks are interconnected for some reason. A unique network address should be documented clearly. Additionally, the network mask should be wide enough to contain all host addresses from all projects.

Identifying Destination Project IDs

To identify destination project IDs, we have to switch in Horizon to each project with which the network will be shared. Once a project is selected, there are several ways to get the project ID. Two of them are:

  • Go to "Project -> API Access" in the left side menu, and then click the "👁 View Credentials" button on the right side. Copy the "Project ID" from the popup window. 
  • Alternatively, you can get it from the credential file. Click your username on the top right of the Horizon interface to unfold the menu. Select "OpenStack RC File" to download. Open the file in any text editor and copy the value of the "OS_PROJECT_ID" variable. 

In our exercise, only one destination project needs to be checked.

Sharing Network from Source Project

Creating a Role-Based Access Control policy is currently possible only with the OpenStack command-line interface.

To install and configure the OpenStack CLI on Linux, please follow this document:

If you are using Windows, please follow:

Then configure access for the project from which the network will be shared:

When you are able to use the OpenStack CLI with the source project, please execute the command:

    openstack network rbac create \
        --target-project <ID_OF_PROJECT_TO_SHARE_NETWORK> \
        --action access_as_shared \
        --type network \
        <ID_OF_SHARED_NETWORK>

Example with mocked IDs: 

    openstack network rbac create \
        --target-project a1b2c3d4e5f6ab12cd24ef567890abcd \
        --action access_as_shared \
        --type network \
        d4e5f6ab-12cd-24ef-5678-90abcda1b2c3

Please note that instances created in the destination project will not be accessible from the source project. In the destination project, you need to create a dedicated security group that allows access from the address range of the shared network.

To set up a Security Group, follow the documentation: How to use Security Groups in Horizon on CREODIAS

If we share the network with more than one project, creating the dedicated security group in each of those projects would be time-consuming and error-prone. An alternative solution is to create a security group in the source project and share it using RBAC as well.

If you have such a security group prepared in the source project, please execute the command: 

    openstack network rbac create \
        --target-project <ID_OF_PROJECT_TO_SHARE_SG> \
        --action access_as_shared \
        --type security_group \
        <ID_OF_SHARED_SG>

Example with mocked IDs:

    openstack network rbac create \
        --target-project 4c0a13a686234a6c9ca9a4cba2833f49 \
        --action access_as_shared \
        --type security_group \
        bd3c348c-c3be-d669-4f54-936396d3c369b
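
An added example (not part of the original article): a small POSIX shell helper for the multi-project case described above. It checks every ID before anything is shared, then issues the network and security group `openstack network rbac create` calls for each target project. The function names and the `APPLY` switch are hypothetical, and the ID formats are an assumption based on this article's mocked IDs.

```shell
#!/bin/sh
# Added example: share one network and one security group with several
# projects. Commands are only printed unless APPLY=1 is set (hypothetical switch).

# Assumed ID formats: 32 hex characters for a project ID, dashed UUID for
# a network or security group ID, as in the article's mocked IDs.
is_project_id() { expr "x$1" : 'x[0-9a-f]\{32\}$' >/dev/null; }
is_uuid() {
    h='[0-9a-f]'
    expr "x$1" : "x$h\{8\}-$h\{4\}-$h\{4\}-$h\{4\}-$h\{12\}\$" >/dev/null
}

# rbac_cmd TYPE OBJECT_ID PROJECT_ID: print one sharing command.
rbac_cmd() {
    printf 'openstack network rbac create --target-project %s ' "$3"
    printf '%s --type %s %s\n' '--action access_as_shared' "$1" "$2"
}

# IDs are validated before this point, so word-splitting $1 is safe here.
run_or_print() {
    if [ "${APPLY:-0}" = 1 ]; then $1; else printf '%s\n' "$1"; fi
}

# share_with_projects NETWORK_ID SG_ID PROJECT_ID...
# Every ID is checked first, so a typo stops the run before anything is shared.
share_with_projects() {
    net=$1; sg=$2; shift 2
    is_uuid "$net" || { echo "bad network ID: $net" >&2; return 2; }
    is_uuid "$sg" || { echo "bad security group ID: $sg" >&2; return 2; }
    [ "$#" -gt 0 ] || { echo "no target projects given" >&2; return 2; }
    for p in "$@"; do
        is_project_id "$p" || { echo "bad project ID: $p" >&2; return 2; }
    done
    for p in "$@"; do
        run_or_print "$(rbac_cmd network "$net" "$p")" || return 1
        run_or_print "$(rbac_cmd security_group "$sg" "$p")" || return 1
    done
}

# When run as a script: NETWORK_ID SG_ID PROJECT_ID [PROJECT_ID...]
if [ "$#" -ge 3 ]; then share_with_projects "$@"; fi
```

Review the printed commands first, then rerun with `APPLY=1` from a shell where the source project's RC file has been sourced.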

Testing

  • Create a virtual machine in the destination project following the same documents.
  • Assign a security group allowing access to the shared network to the instance in the destination network.
  • Log in to both instances with ssh in separate terminals.
  • Check the IP address in the shared network for both instances by executing the command ip a.
  • Ping and try to run ssh between the virtual machines. You should get ping and ssh responses in both directions.

Happy network sharing! 


Author: Mateusz Ślaski, Sales Support Engineer, CloudFerro