OpenStack SDK

The python OpenStack SDK is a library that exposed the OpenStack API to the developers. The following use information provided by Enos to connect to OpenStack and then programmatically create a project, users and networks. It assumes Enos has already deployed an OpenStack and your are in the virtual environment if you have created one.

First install the OpenStack SDK.

(venv) $ pip install python-openstacksdk

Then asks enos where is your admin-openrc, source it and check everything is OK.

(venv) $ source $(enos info --out json|jq -r '.resultdir')/admin-openrc
(vnev) $ env|fgrep OS|sort
OS_AUTH_PLUGIN=password
OS_AUTH_URL=http://10.24.189.255:35357/v3
OS_IDENTITY_API_VERSION=3
OS_INTERFACE=internal
OS_PASSWORD=demo
OS_PROJECT_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_REGION_NAME=RegionOne
OS_TENANT_NAME=admin
OS_USER_DOMAIN_NAME=Default
OS_USERNAME=admin

And that’s it!

Now, you can execute the following openstacksdk.py file that reads OS_* variables from you environment to instantiate the cloud REST client. Executes it with python openstacksdk.py.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import logging
import os

import openstack


logging.basicConfig(level=logging.INFO)
LOG   = logging.getLogger(__name__)


def make_cloud():
    """Connects to OpenStack cloud using environment variables

    Returns:
        An new openstack.connection.Connection

    Refs:
        - https://docs.openstack.org/openstacksdk/latest/user/connection.html
    """
    LOG.info("New admin authentication on %s" % os.environ['OS_AUTH_URL'])
    return openstack.connect(cloud='envvars')


def make_account(identity, users):
    """Create a new project an put `users` in it.

    Create a new project if it doesn't exists and put
    users `users` in it. Then assigne member and heat roles
    to these users in the newly created project.

    Args:
        identity: Proxy for identity aka keystone [1]
        users: A list of users name to create and put into the project,
            users can access OpenStack with the password "demo".

    Returns:
        The newly created project [2]

    Refs:
        [1] https://docs.openstack.org/openstacksdk/latest/user/proxies/identity_v3.html
        [2] https://docs.openstack.org/openstacksdk/latest/user/resources/identity/v3/project.html#openstack.identity.v3.project.Project
    """
    # Compute project name from users name
    project_name = "project-%s" % '-'.join(u for u in users)

    # Test if the project exists and create it if need be
    project = identity.find_project(project_name)
    if not project:
        project = identity.create_project(
            name=project_name,
            description="Project of %s." % ', '.join(u for u in users))
        LOG.info("Created a new project %s" % project)

    for user_name in users:
        # Test if user exists and create it if need be
        user = identity.find_user(user_name)
        if not user:
            user = identity.create_user(
                name=user_name, password="demo")
        LOG.info("Created a new user %s with password demo" % user)

        # Assign user to member and heat_stack_owner role in newly
        # created project.
        for r in ["member", "heat_stack_owner"]:
            role = identity.find_role(r)

            # The `heat_stack_owner` role only exists if heat is deployed
            if role:
                identity.assign_project_role_to_user(project, user, role)
                LOG.info("Assigne role %s to user %s in project %s"
                        % (role, user, project))

    return project


def make_private_net(net, project):
    """Create a new private network only visible by members of `project`.

    Args:
        net: Proxy for network aka neutron [1]
        project: An OpenStack project [2]

    Returns:
        The subnet of the newly created private network [3]

    Refs:
        [1] https://docs.openstack.org/openstacksdk/latest/user/proxies/network.html
        [2] https://docs.openstack.org/openstacksdk/latest/user/resources/identity/v3/project.html#openstack.identity.v3.project.Project
        [3] https://docs.openstack.org/openstacksdk/latest/user/resources/network/v2/subnet.html#openstack.network.v2.subnet.Subnet
    """
    # Test if the private network exists and create it if need be
    # https://docs.openstack.org/openstacksdk/latest/user/resources/network/v2/network.html#openstack.network.v2.network.Network
    private_net = net.find_network("private", project_id=project.id)
    if not private_net:
        private_net = net.create_network(
            name="private",
            project_id=project.id,
            provider_network_type="vxlan")
        LOG.info("Created a new private network %s" % private_net)

    # Test if the subntet exists and create it if need be
    # https://docs.openstack.org/openstacksdk/latest/user/resources/network/v2/subnet.html#openstack.network.v2.subnet.Subnet
    private_snet = net.find_subnet("private-subnet", network_id=private_net.id)
    if not private_snet:
        private_snet = net.create_subnet(
            name="private-subnet",
            network_id=private_net.id,
            project_id=project.id,
            ip_version=4,
            is_dhcp_enable=True,
            cidr="10.0.0.0/24",
            gateway_ip="10.0.0.1",
            allocation_pools=[{"start": "10.0.0.2", "end": "10.0.0.254"}],
            # dns.watch
            dns_nameservers=["84.200.69.80", "84.200.70.40"])
        LOG.info("Created a new private subnet %s" % private_snet)

    return private_snet


def make_router(net, project, priv_snet):
    """Make a router for communications between private and public net.

    Enos comes with a public network setup in a KaVLAN. This function
    makes a router between the public network and a `priv_sunet`.
    Args:
        net: Proxy for network aka neutron [1]
        project: An OpenStack project [2]
        priv_snet: The subnet of private network to put in the router [3]

    Refs:
        [1] https://docs.openstack.org/openstacksdk/latest/user/proxies/network.html
        [2] https://docs.openstack.org/openstacksdk/latest/user/resources/identity/v3/project.html#openstack.identity.v3.project.Project
        [3] https://docs.openstack.org/openstacksdk/latest/user/resources/network/v2/subnet.html#openstack.network.v2.subnet.Subnet
    """
    # Get the public net from Enos
    public_net  = net.find_network("public", ignore_missing=False)
    public_snet = net.find_subnet("public-subnet", ignore_missing=False)

    # Test if the router exists and create it if need be
    # https://docs.openstack.org/openstacksdk/latest/user/resources/network/v2/router.html#openstack.network.v2.router.Router
    router = net.find_router("router", project_id=project.id)
    if not router:
        router = net.create_router(
            name="router",
            project_id=project.id,
            # Add public gateway
            external_gateway_info={
                'network_id': public_net.id,
                'enable_snat': True,
                'external_fixed_ips': [{'subnet_id': public_snet.id,}]
            })
        LOG.info("Created a new router %s" % router)

        # Add private interface
        res = net.add_interface_to_router(router, subnet_id=priv_snet.id)
        LOG.info("Added private interface %s to router" % res)


def make_sec_group_rule(net, project):
    """Enable every kind of communication (icmp, http, ssh) in `project`.

    Args:
        net: Proxy for network aka neutron [1]
        project: An OpenStack project [2]

    Refs:
        [1] https://docs.openstack.org/openstacksdk/latest/user/proxies/network.html
        [2] https://docs.openstack.org/openstacksdk/latest/user/resources/identity/v3/project.html#openstack.identity.v3.project.Project
    """
    # Delete default security group rules
    sgrs = [sgr for sgr in net.security_group_rules()
                if sgr.project_id == project.id]
    for sgr in sgrs:
        net.delete_security_group_rule(sgr)
        LOG.info("Delete sgr %s" % sgr)

    # Find the sec group for this project
    sg_default = net.find_security_group("default", project_id=project.id)

    # Let all traffic goes in/out
    protocols = ["icmp", "udp", "tcp"]
    directions = ["ingress", "egress"]
    crit = [(p, d) for p in protocols for d in directions]

    for (p, d) in crit:
        sgr = net.create_security_group_rule(
            direction=d,
            ether_type="IPv4",
            port_range_min=None if p == "icmp" else 1,
            port_range_max=None if p == "icmp" else 65535,
            project_id=project.id,
            protocol=p,
            remote_ip_prefix="0.0.0.0/0",
            security_group_id=sg_default.id)

        LOG.info("Created a new sgr %s" % sgr)


cloud = make_cloud()
project = make_account(cloud.identity, [
    "Leonardo", "Michelangelo", "Donatello", "Raphael"])
priv_snet = make_private_net(cloud.network, project)
make_router(cloud.network, project, priv_snet)
make_sec_group_rule(cloud.network, project)