bwCloud-OS - User contributions [en]

Cloud Migration Guide

2026-05-28T09:52:34Z

Sia:

{| class="mw-message-box mw-message-box-warning"
| style="vertical-align:middle;" | '''⚠️ Please Note:''' This guide is still work in progress.
|}

{| class="mw-message-box mw-message-box-warning"
| style="vertical-align:middle;" | '''⚠️ IMPORTANT SHUTDOWN NOTICE:'''
The Gen2 infrastructure will be permanently shut down in '''September 2026''' (refer to the [https://bwcloud-os.de/ '''bwCloud-OS website'''] for the exact date). All projects and data that have not been migrated to Gen3 by this date will be irrevocably deleted. To use Gen3, you must clarify and apply for your entitlements (which are subject to costs) in a timely manner.
|}

{{InANutshell|
<li>There is no automatic migration path: Gen2 and Gen3 are completely separate environments.</li>
<li>Migration requires a new entitlement.</li>
<li>Security Groups and IP addresses will change and must be reconfigured manually.</li>
<li>'''Recommended approach:''' Start a new, fresh instance (VM) in Gen3 and copy your old data over the network (e.g., via rsync).</li>
}}

__TOC__

= General Information =

This guide explains how to migrate your resources from the old bwCloud-OS Gen2 environment to bwCloud-OS Gen3. Because the two environments are completely separated, there is no automatic migration path. You will need to manually export your resources from the old cloud, download them locally, and upload them to the new cloud. Please note that network settings and Security Groups cannot be copied and must be reconfigured manually in the new environment.

== Important Prerequisites: Entitlements and Quotas ==
The new bwCloud-OS Gen3 will become a paid infrastructure platform. Therefore, it is necessary for each participating university or institution to actively assign the corresponding entitlements to its users. You cannot simply transfer your old projects directly without this authorization.

* '''Missing Entitlement?''' If you have not yet been assigned an entitlement, please get in touch directly with your local institution or university's IT support.
* '''Quota Allocation:''' Please note that the allocation of resource quotas is entirely managed and regulated through your respective institution.

Details can be found [https://wiki.bwcloud-os.de/index.php/Guide:_Entitlement_%26_Eligibility here].

{| class="mw-message-box mw-message-box-notice"
| style="vertical-align:middle;" | '''ℹ️ Note on Group Projects:''' Currently, there is no established process for complex group projects and their corresponding quota allocation. If you require resources for such a project, we kindly ask for a little more patience until the procedures are fully defined.
|}
== Dashboard Login ==
* [https://portal.bw-cloud.org/ Old bwCloud-OS Gen2]
* [https://portal.ul.bwcos.de/auth/login/?next=/%20https://portal.ul.bwcos.de/ New bwCloud-OS Gen3]
== Networks ==
The new infrastructure includes not only new networks but also new network-related features such as load balancers. You can find an overview [[Networks_Gen3|here]].

Network-specific differences between regions and details about the individual networks can be found in the following guide.

➡️ [[Guide:_Network_Configuration_by_Region|Guide: Network Configuration by Region]]

= Transferring Data and VMs=

There are basically two ways to transfer your data to the new bwCloud-OS (Gen3): The rsync method over the network and the snapshot method.

== Transferring Volumes ==

While it is technically possible to migrate a Cinder volume by converting it to an image and uploading it to the new cloud, we do not recommend this approach. The process is extremely slow, and depending on the backend configuration, the upload may silently fail entirely.

'''Our recommendation: create a fresh volume and copy your data over the network.'''
* In the new environment, create a new empty volume of the appropriate size and attach it to a new VM.
* Format and mount the volume on the new VM. Detailed instructions can be found [[Guide:_Volumes_and_Images#Create_and_Attach_a_Volume|here]].
* Make sure your old VM (with the old volume mounted) is reachable from the new VM via SSH (either by exchanging SSH keys or setting a password in the VM).
* Sync your data directly over the network using '''rsync'''.

<pre>
rsync -avz --progress /path/to/old/data/ root@<NEW_VM_IP>:/path/to/new/destination/
</pre>

== Transferring VMs ==

=== Prerequisites ===
* Access to both bwCloud-OS environments and
* Application Credentials, as described [[Programmatic_Access_and_Automation#Application_Credentials|here]] and
* OpenStack Client installed, as described [[Programmatic_Access_and_Automation#OpenStack_Client|here]].

=== Procedure ===

When transferring a VM, you create a snapshot of its current state, download it, and use it as a base image in the new environment.

'''Step 1: Create a Snapshot'''

First, source your old bwCloud-OS Gen2 credentials and find the ID of the instance (VM) you want to migrate:

<pre>
source old-creds.sh
openstack server list
openstack server image create --name <snapshot_name> <instance_id>
</pre>

'''Step 2: Download the Snapshot'''

The Image ID should have been prompted in the previous step. However, it is also possible to find the ID of your created snapshot and download it to your local computer later:

<pre>
openstack image list
openstack image save --file myimage.img <snapshot_id>
</pre>

'''Step 3: Upload to the New Environment (bwCloud-OS Gen3)'''

Source your new cloud credentials and upload the image file. '''Important''': Always set the visibility to Private so other users cannot use your image as a base for their services.

<pre>
source new-creds.sh
openstack image create --file myimage.img --private myimage
</pre>

Alternative: You can also upload the downloaded .img file using the new Horizon GUI by navigating to '''Compute -> Images'''.

'''Step 4: Start the Instance'''

You can now start a new instance using this uploaded image. Remember to reconfigure your '''Security Groups''' and note that you will receive a '''new IP address'''.

To start a new instance:
* Log in to the bwCloud-OS Gen3 Dashboard.
* Navigate to Project --> Compute --> Images. The uploaded snapshot should be listed there.
* Click on "Start", choose an instance name, and select the network and SSH key (or create a new one).

Cloud Migration Guide

2026-05-28T09:51:00Z

Sia:

{| class="mw-message-box mw-message-box-warning"
| style="vertical-align:middle;" | '''⚠️ Please Note:''' This guide is still work in progress.
|}

{| class="mw-message-box mw-message-box-warning"
| style="vertical-align:middle;" | '''⚠️ IMPORTANT SHUTDOWN NOTICE:'''
The Gen2 infrastructure will be permanently shut down in '''September 2026''' (refer to the [https://bwcloud-os.de/ '''bwCloud-OS website'''] for the exact date). All projects and data that have not been migrated by this date will be irrevocably deleted. To use Gen3, you must clarify and apply for your entitlements (which are subject to costs) in a timely manner.
|}

{{InANutshell|
<li>There is no automatic migration path: Gen2 and Gen3 are completely separate environments.</li>
<li>Migration requires a new entitlement.</li>
<li>Security Groups and IP addresses will change and must be reconfigured manually.</li>
<li>'''Recommended approach:''' Start a new, fresh instance (VM) in Gen3 and copy your old data over the network (e.g., via rsync).</li>
}}

__TOC__

= General Information =

This guide explains how to migrate your resources from the old bwCloud-OS Gen2 environment to bwCloud-OS Gen3. Because the two environments are completely separated, there is no automatic migration path. You will need to manually export your resources from the old cloud, download them locally, and upload them to the new cloud. Please note that network settings and Security Groups cannot be copied and must be reconfigured manually in the new environment.

== Important Prerequisites: Entitlements and Quotas ==
The new bwCloud-OS Gen3 will become a paid infrastructure platform. Therefore, it is necessary for each participating university or institution to actively assign the corresponding entitlements to its users. You cannot simply transfer your old projects directly without this authorization.

* '''Missing Entitlement?''' If you have not yet been assigned an entitlement, please get in touch directly with your local institution or university's IT support.
* '''Quota Allocation:''' Please note that the allocation of resource quotas is entirely managed and regulated through your respective institution.

Details can be found [https://wiki.bwcloud-os.de/index.php/Guide:_Entitlement_%26_Eligibility here].

{| class="mw-message-box mw-message-box-notice"
| style="vertical-align:middle;" | '''ℹ️ Note on Group Projects:''' Currently, there is no established process for complex group projects and their corresponding quota allocation. If you require resources for such a project, we kindly ask for a little more patience until the procedures are fully defined.
|}
== Dashboard Login ==
* [https://portal.bw-cloud.org/ Old bwCloud-OS Gen2]
* [https://portal.ul.bwcos.de/auth/login/?next=/%20https://portal.ul.bwcos.de/ New bwCloud-OS Gen3]
== Networks ==
The new infrastructure includes not only new networks but also new network-related features such as load balancers. You can find an overview [[Networks_Gen3|here]].

Network-specific differences between regions and details about the individual networks can be found in the following guide.

➡️ [[Guide:_Network_Configuration_by_Region|Guide: Network Configuration by Region]]

= Transferring Data and VMs=

There are basically two ways to transfer your data to the new bwCloud-OS (Gen3): The rsync method over the network and the snapshot method.

== Transferring Volumes ==

While it is technically possible to migrate a Cinder volume by converting it to an image and uploading it to the new cloud, we do not recommend this approach. The process is extremely slow, and depending on the backend configuration, the upload may silently fail entirely.

'''Our recommendation: create a fresh volume and copy your data over the network.'''
* In the new environment, create a new empty volume of the appropriate size and attach it to a new VM.
* Format and mount the volume on the new VM. Detailed instructions can be found [[Guide:_Volumes_and_Images#Create_and_Attach_a_Volume|here]].
* Make sure your old VM (with the old volume mounted) is reachable from the new VM via SSH (either by exchanging SSH keys or setting a password in the VM).
* Sync your data directly over the network using '''rsync'''.

<pre>
rsync -avz --progress /path/to/old/data/ root@<NEW_VM_IP>:/path/to/new/destination/
</pre>

== Transferring VMs ==

=== Prerequisites ===
* Access to both bwCloud-OS environments and
* Application Credentials, as described [[Programmatic_Access_and_Automation#Application_Credentials|here]] and
* OpenStack Client installed, as described [[Programmatic_Access_and_Automation#OpenStack_Client|here]].

=== Procedure ===

When transferring a VM, you create a snapshot of its current state, download it, and use it as a base image in the new environment.

'''Step 1: Create a Snapshot'''

First, source your old bwCloud-OS Gen2 credentials and find the ID of the instance (VM) you want to migrate:

<pre>
source old-creds.sh
openstack server list
openstack server image create --name <snapshot_name> <instance_id>
</pre>

'''Step 2: Download the Snapshot'''

The Image ID should have been prompted in the previous step. However, it is also possible to find the ID of your created snapshot and download it to your local computer later:

<pre>
openstack image list
openstack image save --file myimage.img <snapshot_id>
</pre>

'''Step 3: Upload to the New Environment (bwCloud-OS Gen3)'''

Source your new cloud credentials and upload the image file. '''Important''': Always set the visibility to Private so other users cannot use your image as a base for their services.

<pre>
source new-creds.sh
openstack image create --file myimage.img --private myimage
</pre>

Alternative: You can also upload the downloaded .img file using the new Horizon GUI by navigating to '''Compute -> Images'''.

'''Step 4: Start the Instance'''

You can now start a new instance using this uploaded image. Remember to reconfigure your '''Security Groups''' and note that you will receive a '''new IP address'''.

To start a new instance:
* Log in to the bwCloud-OS Gen3 Dashboard.
* Navigate to Project --> Compute --> Images. The uploaded snapshot should be listed there.
* Click on "Start", choose an instance name, and select the network and SSH key (or create a new one).

Guide: Network Configuration by Region

2026-05-28T09:48:56Z

Sia:

This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided.

While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.

__TOC__

== Freiburg ==
*Information for this region will be provided soon.*

== Karlsruhe ==
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.

=== Default Network ===

* All projects have access to the default network <code>default-network</code>.
* Instances connected to this network receive:
** A '''public IPv6 address'''
** A '''private IPv4 address'''

This is a '''routed network''' using an OpenStack router connected to an external provider network.

* IPv6: Direct public connectivity
* IPv4 (egress): Provided via '''SNAT''' through the router
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])
* This Network is shared between all projects
=== IPv4 Ingress via Floating IPs ===

* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.

Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.

=== Separated Networks ===
If you require a separated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.

The network will:

* receive a separate private IPv4 Subnet
* receive a separate public IPv6 Subnet
* have a separated Broadcast Domain only accessible by authorized projects
* always use up at least one public IPv4 used for the virtual Router

=== Migration from Gen2 to Gen3 ===

The Karlsruhe region is currently operating two environments in parallel:

* Gen2 (legacy cloud)
* Gen3 (current bwCloud-OS environment)

This setup allows users to migrate their instances and data from Gen2 to Gen3.

* The coexistence period will last until September 2026. Refer to the [https://bwcloud-os.de/ bwCloud-OS website] for the exact date.

After the transition period:

* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet.
* This migration will be performed by administrators; no user action is required.
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.

== Mannheim ==

The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.

=== Default Network ===

* All projects have access to the default network <code>routed_default_net</code>.
* Instances connected to this network receive:
** A '''public IPv6 address'''
** A '''private IPv4 address'''

This is a '''routed network''' using an OpenStack router connected to an external provider network:

* '''IPv6''': Direct public connectivity
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''

=== IPv4 Ingress via Floating IPs ===

* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.

Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.

=== Flat External Networks ===

* There are also flat external networks available, such as <code>provider_interim_net</code> .
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.

Instances connected directly to this type of network receive:

* A '''public IPv4 address'''
* A '''public IPv6 address'''

This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.

=== Migration from Gen2 to Gen3 ===

The Mannheim region is currently operating two environments in parallel:

* Gen2 (legacy cloud)
* Gen3 (current bwCloud-OS environment)

This setup allows users to migrate their instances and data from Gen2 to Gen3.

* The coexistence period will last until September 2026. Refer to the [https://bwcloud-os.de/ bwCloud-OS website] for the exact date.
* During this period, <code>provider_interim_net</code> is used as the flat external network.

After the transition period:

* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.

📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.

== Ulm ==

=== Default Network ===

* All projects have access to the default network <code>virt-shared</code>.
* Instances connected to this network receive:
** A '''public global IPv6 address'''
** A '''private NAT-ed IPv4 address'''

This is a '''routed network''' using an OpenStack router connected to an external provider network:

* '''IPv6''': Direct public connectivity
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''

=== IPv4 Ingress via Floating IPs ===

* Optional '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.
* Once assigned to a project, a '''Floating IP''' can be associated with an instance to provide '''IPv4 ingress connectivity''' for that instance.
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.

=== Flat External Networks ===

* There are no flat networks available to users in region Ulm.

=== Per Project Networks ===

* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> network, it is possible to allocate a private network.
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 range and are not shared with other projects.
* Private networks need to be connected the the internal side of a private router with the external side connected to <code>public-link</code>.
* A VM in a dual-stacked private network will receive a private, NAT-ed IPv4 and a public, global IPv6 address.
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>.
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.

=== Network Renumbering ===

* The IPv4 range that Gen3 region Ulm starts with initially is only temporary and will be replaced with an IPv4 range that is currently still in-use in Gen2 region Ulm, once Gen2 shuts down.
** During that IPv4 renumbering all IPv4 '''Floating IPs''' will be removed.
** Afterwards new IPv4 '''Floating IPs''' can be allocated from <code>public-link</code>.
** This affects <code>virt-shared</code> and all per project networks.
** IPv6 ranges and addresses will remain unchanged.
** private IPv4 ranges and addresses will remain unchanged.

Guide: Network Configuration by Region

2026-05-28T09:43:31Z

Sia:

This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided.

While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.

__TOC__

== Freiburg ==
*Information for this region will be provided soon.*

== Karlsruhe ==
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.

=== Default Network ===

* All projects have access to the default network <code>default-network</code>.
* Instances connected to this network receive:
** A '''public IPv6 address'''
** A '''private IPv4 address'''

This is a '''routed network''' using an OpenStack router connected to an external provider network.

* IPv6: Direct public connectivity
* IPv4 (egress): Provided via '''SNAT''' through the router
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])
* This Network is shared between all projects
=== IPv4 Ingress via Floating IPs ===

* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.

Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.

=== Separated Networks ===
If you require a separated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.

The network will:

* receive a separate private IPv4 Subnet
* receive a separate public IPv6 Subnet
* have a separated Broadcast Domain only accessible by authorized projects
* always use up at least one public IPv4 used for the virtual Router

=== Migration from Gen2 to Gen3 ===

The Karlsruhe region is currently operating two environments in parallel:

* Gen2 (legacy cloud)
* Gen3 (current bwCloud-OS environment)

This setup allows users to migrate their instances and data from Gen2 to Gen3.

* The coexistence period will last until 15. September 2026.

After the transition period:

* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet.
* This migration will be performed by administrators; no user action is required.
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.

== Mannheim ==

The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.

=== Default Network ===

* All projects have access to the default network <code>routed_default_net</code>.
* Instances connected to this network receive:
** A '''public IPv6 address'''
** A '''private IPv4 address'''

This is a '''routed network''' using an OpenStack router connected to an external provider network:

* '''IPv6''': Direct public connectivity
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''

=== IPv4 Ingress via Floating IPs ===

* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.

Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.

=== Flat External Networks ===

* There are also flat external networks available, such as <code>provider_interim_net</code> .
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.

Instances connected directly to this type of network receive:

* A '''public IPv4 address'''
* A '''public IPv6 address'''

This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.

=== Migration from Gen2 to Gen3 ===

The Mannheim region is currently operating two environments in parallel:

* Gen2 (legacy cloud)
* Gen3 (current bwCloud-OS environment)

This setup allows users to migrate their instances and data from Gen2 to Gen3.

* The coexistence period will last until 31. August 2026.
* During this period, <code>provider_interim_net</code> is used as the flat external network.

After the transition period:

* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.

📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.

== Ulm ==

=== Default Network ===

* All projects have access to the default network <code>virt-shared</code>.
* Instances connected to this network receive:
** A '''public global IPv6 address'''
** A '''private NAT-ed IPv4 address'''

This is a '''routed network''' using an OpenStack router connected to an external provider network:

* '''IPv6''': Direct public connectivity
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''

=== IPv4 Ingress via Floating IPs ===

* Optional '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.
* Once assigned to a project, a '''Floating IP''' can be associated with an instance to provide '''IPv4 ingress connectivity''' for that instance.
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.

=== Flat External Networks ===

* There are no flat networks available to users in region Ulm.

=== Per Project Networks ===

* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> network, it is possible to allocate a private network.
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 range and are not shared with other projects.
* Private networks need to be connected the the internal side of a private router with the external side connected to <code>public-link</code>.
* A VM in a dual-stacked private network will receive a private, NAT-ed IPv4 and a public, global IPv6 address.
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>.
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.

=== Network Renumbering ===

* The IPv4 range that Gen3 region Ulm starts with initially is only temporary and will be replaced with an IPv4 range that is currently still in-use in Gen2 region Ulm, once Gen2 shuts down.
** During that IPv4 renumbering all IPv4 '''Floating IPs''' will be removed.
** Afterwards new IPv4 '''Floating IPs''' can be allocated from <code>public-link</code>.
** This affects <code>virt-shared</code> and all per project networks.
** IPv6 ranges and addresses will remain unchanged.
** private IPv4 ranges and addresses will remain unchanged.

Cloud Migration Guide

2026-05-28T09:42:04Z

Sia:

{| class="mw-message-box mw-message-box-warning"
| style="vertical-align:middle;" | '''⚠️ Please Note:''' This guide is still work in progress.
|}

{| class="mw-message-box mw-message-box-warning"
| style="vertical-align:middle;" | '''⚠️ IMPORTANT SHUTDOWN NOTICE:'''
The Gen2 infrastructure will be permanently shut down on '''September 15, 2026'''. All projects and data that have not been migrated by this date will be irrevocably deleted. To use Gen3, you must clarify and apply for your entitlements (which are subject to costs) in a timely manner.
|}

{{InANutshell|
<li>There is no automatic migration path: Gen2 and Gen3 are completely separate environments.</li>
<li>Migration requires a new entitlement.</li>
<li>Security Groups and IP addresses will change and must be reconfigured manually.</li>
<li>'''Recommended approach:''' Start a new, fresh instance (VM) in Gen3 and copy your old data over the network (e.g., via rsync).</li>
}}

__TOC__

= General Information =

This guide explains how to migrate your resources from the old bwCloud-OS Gen2 environment to bwCloud-OS Gen3. Because the two environments are completely separated, there is no automatic migration path. You will need to manually export your resources from the old cloud, download them locally, and upload them to the new cloud. Please note that network settings and Security Groups cannot be copied and must be reconfigured manually in the new environment.

== Important Prerequisites: Entitlements and Quotas ==
The new bwCloud-OS Gen3 will become a paid infrastructure platform. Therefore, it is necessary for each participating university or institution to actively assign the corresponding entitlements to its users. You cannot simply transfer your old projects directly without this authorization.

* '''Missing Entitlement?''' If you have not yet been assigned an entitlement, please get in touch directly with your local institution or university's IT support.
* '''Quota Allocation:''' Please note that the allocation of resource quotas is entirely managed and regulated through your respective institution.

Details can be found [https://wiki.bwcloud-os.de/index.php/Guide:_Entitlement_%26_Eligibility here].

{| class="mw-message-box mw-message-box-notice"
| style="vertical-align:middle;" | '''ℹ️ Note on Group Projects:''' Currently, there is no established process for complex group projects and their corresponding quota allocation. If you require resources for such a project, we kindly ask for a little more patience until the procedures are fully defined.
|}
== Dashboard Login ==
* [https://portal.bw-cloud.org/ Old bwCloud-OS Gen2]
* [https://portal.ul.bwcos.de/auth/login/?next=/%20https://portal.ul.bwcos.de/ New bwCloud-OS Gen3]
== Networks ==
The new infrastructure includes not only new networks but also new network-related features such as load balancers. You can find an overview [[Networks_Gen3|here]].

Network-specific differences between regions and details about the individual networks can be found in the following guide.

➡️ [[Guide:_Network_Configuration_by_Region|Guide: Network Configuration by Region]]

= Transferring Data and VMs=

There are basically two ways to transfer your data to the new bwCloud-OS (Gen3): The rsync method over the network and the snapshot method.

== Transferring Volumes ==

While it is technically possible to migrate a Cinder volume by converting it to an image and uploading it to the new cloud, we do not recommend this approach. The process is extremely slow, and depending on the backend configuration, the upload may silently fail entirely.

'''Our recommendation: create a fresh volume and copy your data over the network.'''
* In the new environment, create a new empty volume of the appropriate size and attach it to a new VM.
* Format and mount the volume on the new VM. Detailed instructions can be found [[Guide:_Volumes_and_Images#Create_and_Attach_a_Volume|here]].
* Make sure your old VM (with the old volume mounted) is reachable from the new VM via SSH (either by exchanging SSH keys or setting a password in the VM).
* Sync your data directly over the network using '''rsync'''.

<pre>
rsync -avz --progress /path/to/old/data/ root@<NEW_VM_IP>:/path/to/new/destination/
</pre>

== Transferring VMs ==

=== Prerequisites ===
* Access to both bwCloud-OS environments and
* Application Credentials, as described [[Programmatic_Access_and_Automation#Application_Credentials|here]] and
* OpenStack Client installed, as described [[Programmatic_Access_and_Automation#OpenStack_Client|here]].

=== Procedure ===

When transferring a VM, you create a snapshot of its current state, download it, and use it as a base image in the new environment.

'''Step 1: Create a Snapshot'''

First, source your old bwCloud-OS Gen2 credentials and find the ID of the instance (VM) you want to migrate:

<pre>
source old-creds.sh
openstack server list
openstack server image create --name <snapshot_name> <instance_id>
</pre>

'''Step 2: Download the Snapshot'''

The Image ID should have been prompted in the previous step. However, it is also possible to find the ID of your created snapshot and download it to your local computer later:

<pre>
openstack image list
openstack image save --file myimage.img <snapshot_id>
</pre>

'''Step 3: Upload to the New Environment (bwCloud-OS Gen3)'''

Source your new cloud credentials and upload the image file. '''Important''': Always set the visibility to Private so other users cannot use your image as a base for their services.

<pre>
source new-creds.sh
openstack image create --file myimage.img --private myimage
</pre>

Alternative: You can also upload the downloaded .img file using the new Horizon GUI by navigating to '''Compute -> Images'''.

'''Step 4: Start the Instance'''

You can now start a new instance using this uploaded image. Remember to reconfigure your '''Security Groups''' and note that you will receive a '''new IP address'''.

To start a new instance:
* Log in to the bwCloud-OS Gen3 Dashboard.
* Navigate to Project --> Compute --> Images. The uploaded snapshot should be listed there.
* Click on "Start", choose an instance name, and select the network and SSH key (or create a new one).

Guide: Load Balancers

2026-05-24T13:06:34Z

Sia:

This guide walks through creating a private network, deploying two web server VMs on it, and exposing them via an OpenStack load balancer to a public network.

__TOC__

= Network Setup =

== Create a private network ==
<pre>
openstack network create myNet
</pre>

== Create a subnet of the private network==
<pre>
openstack subnet create myNet_v4 --network myNet --subnet-range 192.168.100.0/24
</pre>

== Create a router and connect it to a public network ==
<pre>
openstack router create myRouter
openstack router add subnet myRouter myNet_v4
openstack router set myRouter --external-gateway provider_net
</pre>

= Creating Backend Instances for Load Balancing =
As an example, we create two identical web server instances that will serve as backend nodes for the load balancer.

== Create two identical VMs ==
<pre>
openstack server create \
--image ubuntu-24.04 \
--flavor p1.tiny \
--network myNet \
--key-name myKey \
--min 2 --max 2 \
webserver
</pre>

== Associate (temporary) floating IPs to make the VMs accessible ==
<pre>
FIP1=$(openstack floating ip create provider_net -f value -c floating_ip_address)
FIP2=$(openstack floating ip create provider_net -f value -c floating_ip_address)

openstack server add floating ip webserver-1 $FIP1
openstack server add floating ip webserver-2 $FIP2
</pre>

== Install basic web servers on the VMs ==
SSH into each VM and run:<pre>
sudo apt update && \
sudo apt -y install apache2 && \
sudo systemctl enable --now apache2 && \
echo $(hostname) | sudo tee /var/www/html/index.html
</pre>Add security rules to both VMs to allow HTTP access on port 80 as described in the section on [[Security#Example: Opening Port 443 for HTTPS Access|Security Rules.]]

Test the web servers:<pre>curl $FIP1
# Expected output: webserver-1</pre>

= Load Balancer Setup and Backend Integration =

Install the client (preferably in a Python virtual environment):
<pre>pip3 install python-octaviaclient</pre>
== Create the load balancer ==
<pre>

openstack loadbalancer create \
--name myLB \
--vip-subnet-id myNet_v4 \
--provider ovn
</pre>

== Create a listener on port 80 ==
<pre>
openstack loadbalancer listener create \
--name myListener \
--protocol TCP \
--protocol-port 80 \
myLB
</pre>

== Create a pool for the listener ==
<pre>
openstack loadbalancer pool create \
--name myPool \
--listener myListener \
--protocol TCP \
--lb-algorithm SOURCE_IP_PORT
</pre>

== Add web servers to the pool ==
Get the subnet ID and VM IPs in it:
<pre>
SUBNET_ID=$(openstack subnet list --name myNet_v4 -f value -c ID)
WEB1_IP=$(openstack server show webserver-1 -f value -c addresses | grep -o '192\.168\.100\.[0-9]\+')
WEB2_IP=$(openstack server show webserver-2 -f value -c addresses | grep -o '192\.168\.100\.[0-9]\+')
</pre>

Add each VM to the pool:
<pre>
openstack loadbalancer member create \
--subnet-id $SUBNET_ID \
--address $WEB1_IP \
--protocol-port 80 \
myPool

openstack loadbalancer member create \
--subnet-id $SUBNET_ID \
--address $WEB2_IP \
--protocol-port 80 \
myPool
</pre>

== Assign a floating IP to the load balancer ==
Create a floating IP and associate it with the VIP of the load balancer:<pre>
FIP=$(openstack floating ip create provider_net -f value -c floating_ip_address)
VIPPORT=$(openstack loadbalancer show myLB -f value -c vip_port_id)
openstack floating ip set --port $VIPPORT $FIP
</pre>
Test the load balancer:
<pre>
curl $FIP
# Expected output (may alternate between VMs): webserver-1 / webserver-2
</pre>

Guide: Load Balancers

2026-05-24T13:04:18Z

Sia: /* Load Balancer Setup and Backend Integration */

This guide walks through creating a private network, deploying two web server VMs on it, and exposing them via an OpenStack load balancer to a public network.

__TOC__

= Network Setup =

== Create a private network ==
<pre>
openstack network create myNet
</pre>

== Create a subnet of the private network==
<pre>
openstack subnet create myNet_v4 --network myNet --subnet-range 192.168.100.0/24
</pre>

== Create a router and connect it to a public network ==
<pre>
openstack router create myRouter
openstack router add subnet myRouter myNet_v4
openstack router set myRouter --external-gateway provider_net
</pre>

= Creating Backend Instances for Load Balancing =
As an example, we create two identical web server instances that will serve as backend nodes for the load balancer.

== Create two identical VMs ==
<pre>
openstack server create \
--image ubuntu-24.04 \
--flavor p1.tiny \
--network myNet \
--key-name myKey \
--min 2 --max 2 \
webserver
</pre>

== Associate (temporary) floating IPs to make the VMs accessible ==
<pre>
FIP1=$(openstack floating ip create provider_net -f value -c floating_ip_address)
FIP2=$(openstack floating ip create provider_net -f value -c floating_ip_address)

openstack server add floating ip webserver-1 $FIP1
openstack server add floating ip webserver-2 $FIP2
</pre>

== Install basic web servers on the VMs ==
SSH into each VM and run:<pre>
sudo apt update && \
sudo apt -y install apache2 && \
sudo systemctl enable --now apache2 && \
echo $(hostname) | sudo tee /var/www/html/index.html
</pre>Add security rules to both VMs to allow HTTP access on port 80 as described in the section on [[Security#Example: Opening Port 443 for HTTPS Access|Security Rules.]]

Test the web servers:<pre>curl $FIP1
# Expected output: webserver-1</pre>

= Load Balancer Setup and Backend Integration =
<pre>
pip3 install python-octaviaclient
</pre>

== Create the load balancer ==
<pre>
openstack loadbalancer create \
--name myLB \
--vip-subnet-id myNet_v4 \
--provider ovn
</pre>

== Create a listener on port 80 ==
<pre>
openstack loadbalancer listener create \
--name myListener \
--protocol TCP \
--protocol-port 80 \
myLB
</pre>

== Create a pool for the listener ==
<pre>
openstack loadbalancer pool create \
--name myPool \
--listener myListener \
--protocol TCP \
--lb-algorithm SOURCE_IP_PORT
</pre>

== Add web servers to the pool ==
Get the subnet ID and VM IPs in it:
<pre>
SUBNET_ID=$(openstack subnet list --name myNet_v4 -f value -c ID)
WEB1_IP=$(openstack server show webserver-1 -f value -c addresses | grep -o '192\.168\.100\.[0-9]\+')
WEB2_IP=$(openstack server show webserver-2 -f value -c addresses | grep -o '192\.168\.100\.[0-9]\+')
</pre>

Add each VM to the pool:
<pre>
openstack loadbalancer member create \
--subnet-id $SUBNET_ID \
--address $WEB1_IP \
--protocol-port 80 \
myPool

openstack loadbalancer member create \
--subnet-id $SUBNET_ID \
--address $WEB2_IP \
--protocol-port 80 \
myPool
</pre>

== Assign a floating IP to the load balancer ==
Create a floating IP and associate it with the VIP of the load balancer:<pre>
FIP=$(openstack floating ip create provider_net -f value -c floating_ip_address)
VIPPORT=$(openstack loadbalancer show myLB -f value -c vip_port_id)
openstack floating ip set --port $VIPPORT $FIP
</pre>
Test the load balancer:
<pre>
curl $FIP
# Expected output (may alternate between VMs): webserver-1 / webserver-2
</pre>

Main Page

2026-05-01T08:52:31Z

Sia:

__NOTOC__
= bwCloud-OS User Wiki =
Welcome to the '''bwCloud-OS User Wiki -''' the central guide to using the multi-region '''O'''pen'''S'''tack '''cloud''' shared across '''B'''aden-'''W'''ürttemberg, Germany. This cloud is jointly operated by the universities of Freiburg, Karlsruhe, Mannheim, and Ulm, and is available to users from all participating educational institutions.

This wiki is primarily designed to answer '''frequently asked questions (FAQs)''' and provide '''practical guidance''' for common tasks when using the bwCloud-OS service. General information about the bwCloud-OS and related projects is available on the [https://bwcloud-os.de/ '''bwCloud-OS website'''].

If you need technical assistance beyond what is covered here, please open a support '''ticket''' via the [https://bw-support.scc.kit.edu/ '''bwSupportPortal'''].

== Quickstart ==


 

{{Box
|id=register1
|title=I. Register and/or Log in
|content=
<ol>
<li>Go to the bwCloud-OS [https://portal.bw-cloud.org/ Dashboard].</li>
<li>Select '''bwIDM via OpenID Connect''' and click '''Sign In'''.</li>
<li>Choose your home institution and log in with your university credentials.</li>
<li>If logging in for the first time, register for bwCloud SCOPE by accepting the terms of use.</li>
<li>After login or registration, you will be redirected to the bwCloud-OS Dashboard.</li>
</ol>
 
See the [[Registration|Registration page]] for more details.
}}

{{Box
|id=register2
|title=II. Upload or Create an SSH Key
|content=
<ol>
<li>Log in to the [https://portal.bw-cloud.org/ Dashboard].</li>
<li>Go to Project → Compute → Key Pairs.</li>
<li>
Choose one of the following options:
<ul>
<li>To import an existing key: Click Import Public Key, enter a name, select SSH Key type, and upload your '''''public''''' SSH key. Then click Import.</li>
<li>To create a new key pair: Click Create Key Pair, enter a name, select SSH Key type, and click Create. The '''''private''''' key will be downloaded automatically.</li>
</ul>
</li>
<li>Make sure the private key is securely stored and accessible on your local machine.</li>
</ol>
 For help generating an SSH key, see our [[Guide: SSH#Key-Pair-Creation|SSH Guide]].
}}

{{Box
|id=register3
|title=III. Launch a Virtual Machine
|content=

<ol>
<li>
Go to Compute → Instances → Launch Instance and fill out the tabs:
<ol type="a" style="margin-left: 1.5em;">
<li>Details: Assign a name</li>
<li>Source: Choose an image (e.g., ''Debian 12'')</li>
<li>Flavor: Select a resource package (e.g., ''m1.small'')</li>
<li>Networks: Choose the appropriate network</li>
<li>Key Pair: Select your SSH key</li> </ol>
</li>
<li>Click Launch and wait for the instance to finish building and enter Running state.</li>
</ol>
 For full details on managing instances, see the [[Instances (VMs)|Instances page]].
}}

{{Box
|id=register4
|title=IV. Connect to Your VM
|content=
Connect to your VM via SSH from a terminal using the following command:

<pre style="background-color: #f9f9f9; border: 1px solid #ccc; padding: 0.5em;">
ssh -i /path/to/private-key <user>@<address>
</pre>
<ul>
<li>
<code><user></code> is the default username, e.g. <code>ubuntu</code> for Ubuntu images. For other images, see the [[Images|Image Overview]].
</li>
<li>
<code><address></code> is the DNS name ([[Networks#FQDN|FQDN]]) or the public IP address of your running instance. Both can be found in the [https://portal.bw-cloud.org/ Dashboard], on the Instances page.
</li>
</ul>

 For (advanced) SSH connection methods, see our [[Guide: SSH|SSH Guide]].
}}

== Topic Hub '''–''' Sections ==


* '''🆔 [[Registration]]''' '''–''' Identity Management, Entitlements, Regions
* '''🖥️ [[Instances (VMs)]] –''' Launching Virtual Machines (VMs), Access to VMs (SSH), Flavors, Images
* '''🌐 [[Networks]]''' '''–''' IPs, FQDNs & DNS, Public and Private Networks
* '''[[Security|🛡️ Security]]''' '''–''' Open and Closed Ports, Security Groups, Security Incidents
* '''💾 [[Storage]]''' '''–''' Volumes, Snapshots, Backups
* '''👥''' '''[[Projects and Quota|Projects & Quota]]''' '''–''' Projects, Group Management, Quota Changes
* '''⚙️ [[Programmatic Access and Automation|Automation]]''' '''–''' Application Credentials, OpenStack CLI and SDK, Automation Tools
* '''📖 [[Glossary|Glossary]]''' '''–''' Key Terms Used in bwCloud-OS

Security

2026-04-27T12:00:40Z

Sia:

{{InANutshell|
<li>By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ''ping''); all other incoming traffic is blocked for security.</li>
<li>To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the [https://portal.bw-cloud.org/ Dashboard] — changes take effect immediately.</li>
<li>Following our security checklist below can help you harden your bwCloud-OS VM.</li>

<li>If you suspect a security incident, stop the affected VMs and submit a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
}}

__TOC__

= Access Control & Firewall Rules =

== What network access is allowed by default in bwCloud-OS instances? ==


By default, '''bwCloud-OS instances''' are accessible via:

* '''SSH (port 22)''' – for remote login and configuration
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>

This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

== How do I open additional ports for my instance? ==


A newly created virtual machine in bwCloud-OS is only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''. All other inbound traffic is '''blocked''' by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.

----

=== Example: Opening Port 443 for HTTPS Access ===
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group assigned to your instance.

'''Steps in the [https://portal.bw-cloud.org/ Dashboard]:'''
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.
#* '''Recommended:''' Consider creating a dedicated security group (e.g. named <code>https-access</code>), and assign it to your instance using '''Edit Security Groups''' in the instance menu before the next step.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Click '''Add Rule''' to create a new one.
# In the dialog that appears, choose one of the following:
#* '''HTTPS''' from the '''Rule''' dropdown (automatically fills port 443), or
#* '''Custom TCP Rule''', then manually enter '''443''' in the '''Port''' field.
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' allows access from '''any IPv4 address''', and '''<code>::/0</code>''' from '''any IPv6 address'''.
# Set the '''Direction''' of the rule:
#* <code>Ingress</code> = incoming connections (usually what you want)
#* <code>Egress</code> = outgoing connections
# Click '''Add'''. The rule will be created and added to the list immediately.

----

=== Example: Opening a Port only for Access from Certain IP Ranges ===
'''➡️''' [[Guide: Security Group|Security Groups Guide]]

== Are some ports blocked in bwCloud-OS? ==


Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page [[Blocked and Allowed Ports]].

= SSL Certificates & Secure Services =

== Can I get SSL/TLS certificates via bwCloud-OS? ==


No, bwCloud-OS does '''not''' provide '''SSL/TLS certificates.''' However, you can obtain certificates directly from public providers like '''Let’s Encrypt''' using tools such as '''[https://certbot.eff.org/ Certbot]''', which you can install and run on your instance.

This allows you, for example, to enable '''HTTPS''' for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using [[Security#Security-Rules|security group rules]].

= General Security Recommendations =

== Does bwCloud-OS provide a basic security checklist for virtual machines? ==

The following checklist helps you harden your bwCloud-OS instance after creation.

=== Secure SSH access ===
* Read and apply the recommendations in the [[Guide:_SSH|SSH guide]].

=== Keep the system updated ===
Keeping your instance up to date is one of the most effective security measures: security updates fix known vulnerabilities that may otherwise be exploitable.

There are two common approaches:
* '''Manual updates (one-time / on demand):''' You run updates yourself (e.g., after login, on a regular schedule).
* '''Automatic updates:''' The system installs security updates automatically in the background. On Ubuntu/Debian this is commonly done via <code>unattended-upgrades</code>.

==== Example (Ubuntu/Debian) ====
<pre>
# Manual updates (one-time)
sudo apt update
sudo apt -y upgrade

# Automatic security updates (background)
sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
</pre>

=== Allow only the minimal required ports in bwCloud-OS Security Groups ===
Only open the ports you actually need. This reduces the attack surface and limits who can reach services on your VM.

* Check your instance's security groups in the [https://portal.bw-cloud.org/ Dashboard] and allow only the minimal required inbound rules.
* Restrict access by IP range (CIDR) wherever possible (avoid <code>0.0.0.0/0</code> unless truly required).
* For step-by-step instructions and examples, see: [[Security#Security-Rules|How do I open additional ports for my instance?]]
'''Note:''' some ports may be centrally filtered in certain regions; see [[Blocked_and_Allowed_Ports|Blocked and Allowed Ports]].

=== Optional host firewall ===
Security groups are the primary inbound filter in bwCloud-OS. A host firewall can provide an additional layer (defense-in-depth), e.g., to enforce local policies on the VM.

==== Example (Ubuntu with UFW) ====
<pre>
sudo apt -y install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (ideally restrict in the bwCloud-OS security group as well)
sudo ufw allow 22/tcp

# Example: allow HTTPS if you opened 443 in the security group
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw status verbose
</pre>

⚠️ If you block SSH on the host firewall while only having SSH access, you may lock yourself out. Always ensure SSH remains permitted (and test from your client).

=== Document your configuration ===
To operate and troubleshoot securely, keep a record of your instance configuration:

* Which security groups/rules are attached (ports, protocols, CIDRs)?
* Host firewall rules (if used), SSH hardening settings, update strategy.
* Installed services and exposed endpoints.
* Where secrets are stored/managed (avoid putting secrets in shell history or plain text files).

=== Plan and test a backup strategy ===
Backups are part of security (availability and recovery).

* Define what needs to be recoverable (system, application data, databases, configuration).
* Decide on backup frequency and retention (e.g., daily incremental + weekly full).
* Store backups separately from the instance (avoid a single point of failure).
* Regularly test restores (a backup that was never restored is an assumption, not a plan).

=== Snapshots and images ===
Snapshots capture the state of a VM or volume at a point in time (e.g., before risky changes). They can help with rollback, but they do not automatically replace a backup strategy.

* Learn more: [[Guide:_Volumes_and_Images|Guide: Volumes and Images]]
* Recommended practice:
** Take a snapshot before major changes (OS upgrades, large configuration changes).
** Remove outdated snapshots according to your retention plan.

=Security Incidents =

== What should I do if I suspect my VM has been compromised? ==


If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps '''immediately''':

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard].'''
# '''Stop the affected instance(s).''' ''Do not delete them!'' This preserves data for further analysis.
# '''Submit a support ticket''' via the [https://bw-support.scc.kit.edu/ bwSupportPortal] with the following details:
#* Which instance(s) are potentially affected?
#* How is the suspicious behavior observed? (e.g. logs, performance, alerts)
#* What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

== Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)? ==


The '''contents and configuration of user instances are not inspected''' — we do '''not''' perform penetration tests or port scans on the instances. We also '''never look inside''' user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.

Security

2026-04-27T11:54:52Z

Sia:

{{InANutshell|
<li>By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ''ping''); all other incoming traffic is blocked for security.</li>
<li>To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the [https://portal.bw-cloud.org/ Dashboard] — changes take effect immediately.</li>
<li>Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this [[Blocked_and_Allowed_Ports|overview]] for region-specific details.</li>
<li>If you suspect a security incident, stop the affected VMs and submit a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
}}

__TOC__

= Access Control & Firewall Rules =

== What network access is allowed by default in bwCloud-OS instances? ==


By default, '''bwCloud-OS instances''' are accessible via:

* '''SSH (port 22)''' – for remote login and configuration
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>

This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

== How do I open additional ports for my instance? ==


A newly created virtual machine in bwCloud-OS is only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''. All other inbound traffic is '''blocked''' by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.

----

=== Example: Opening Port 443 for HTTPS Access ===
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group assigned to your instance.

'''Steps in the [https://portal.bw-cloud.org/ Dashboard]:'''
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.
#* '''Recommended:''' Consider creating a dedicated security group (e.g. named <code>https-access</code>), and assign it to your instance using '''Edit Security Groups''' in the instance menu before the next step.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Click '''Add Rule''' to create a new one.
# In the dialog that appears, choose one of the following:
#* '''HTTPS''' from the '''Rule''' dropdown (automatically fills port 443), or
#* '''Custom TCP Rule''', then manually enter '''443''' in the '''Port''' field.
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' allows access from '''any IPv4 address''', and '''<code>::/0</code>''' from '''any IPv6 address'''.
# Set the '''Direction''' of the rule:
#* <code>Ingress</code> = incoming connections (usually what you want)
#* <code>Egress</code> = outgoing connections
# Click '''Add'''. The rule will be created and added to the list immediately.

----

=== Example: Opening a Port only for Access from Certain IP Ranges ===
'''➡️''' [[Guide: Security Group|Security Groups Guide]]

== Are some ports blocked in bwCloud-OS? ==


Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page [[Blocked and Allowed Ports]].

= SSL Certificates & Secure Services =

== Can I get SSL/TLS certificates via bwCloud-OS? ==


No, bwCloud-OS does '''not''' provide '''SSL/TLS certificates.''' However, you can obtain certificates directly from public providers like '''Let’s Encrypt''' using tools such as '''[https://certbot.eff.org/ Certbot]''', which you can install and run on your instance.

This allows you, for example, to enable '''HTTPS''' for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using [[Security#Security-Rules|security group rules]].

= General Security Recommendations =

== Does bwCloud-OS provide a basic security checklist for virtual machines? ==

The following checklist helps you harden your bwCloud-OS instance after creation.

=== Secure SSH access ===
* Read and apply the recommendations in the [[Guide:_SSH|SSH guide]].

=== Keep the system updated ===
Keeping your instance up to date is one of the most effective security measures: security updates fix known vulnerabilities that may otherwise be exploitable.

There are two common approaches:
* '''Manual updates (one-time / on demand):''' You run updates yourself (e.g., after login, on a regular schedule).
* '''Automatic updates:''' The system installs security updates automatically in the background. On Ubuntu/Debian this is commonly done via <code>unattended-upgrades</code>.

==== Example (Ubuntu/Debian) ====
<pre>
# Manual updates (one-time)
sudo apt update
sudo apt -y upgrade

# Automatic security updates (background)
sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
</pre>

=== Allow only the minimal required ports in bwCloud-OS Security Groups ===
Only open the ports you actually need. This reduces the attack surface and limits who can reach services on your VM.

* Check your instance's security groups in the [https://portal.bw-cloud.org/ Dashboard] and allow only the minimal required inbound rules.
* Restrict access by IP range (CIDR) wherever possible (avoid <code>0.0.0.0/0</code> unless truly required).
* For step-by-step instructions and examples, see: [[Security#Security-Rules|How do I open additional ports for my instance?]]
'''Note:''' some ports may be centrally filtered in certain regions; see [[Blocked_and_Allowed_Ports|Blocked and Allowed Ports]].

=== Optional host firewall ===
Security groups are the primary inbound filter in bwCloud-OS. A host firewall can provide an additional layer (defense-in-depth), e.g., to enforce local policies on the VM.

==== Example (Ubuntu with UFW) ====
<pre>
sudo apt -y install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (ideally restrict in the bwCloud-OS security group as well)
sudo ufw allow 22/tcp

# Example: allow HTTPS if you opened 443 in the security group
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw status verbose
</pre>

⚠️ If you block SSH on the host firewall while only having SSH access, you may lock yourself out. Always ensure SSH remains permitted (and test from your client).

=== Document your configuration ===
To operate and troubleshoot securely, keep a record of your instance configuration:

* Which security groups/rules are attached (ports, protocols, CIDRs)?
* Host firewall rules (if used), SSH hardening settings, update strategy.
* Installed services and exposed endpoints.
* Where secrets are stored/managed (avoid putting secrets in shell history or plain text files).

=== Plan and test a backup strategy ===
Backups are part of security (availability and recovery).

* Define what needs to be recoverable (system, application data, databases, configuration).
* Decide on backup frequency and retention (e.g., daily incremental + weekly full).
* Store backups separately from the instance (avoid a single point of failure).
* Regularly test restores (a backup that was never restored is an assumption, not a plan).

=== Snapshots and images ===
Snapshots capture the state of a VM or volume at a point in time (e.g., before risky changes). They can help with rollback, but they do not automatically replace a backup strategy.

* Learn more: [[Guide:_Volumes_and_Images|Guide: Volumes and Images]]
* Recommended practice:
** Take a snapshot before major changes (OS upgrades, large configuration changes).
** Remove outdated snapshots according to your retention plan.

=Security Incidents =

== What should I do if I suspect my VM has been compromised? ==


If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps '''immediately''':

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard].'''
# '''Stop the affected instance(s).''' ''Do not delete them!'' This preserves data for further analysis.
# '''Submit a support ticket''' via the [https://bw-support.scc.kit.edu/ bwSupportPortal] with the following details:
#* Which instance(s) are potentially affected?
#* How is the suspicious behavior observed? (e.g. logs, performance, alerts)
#* What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

== Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)? ==


The '''contents and configuration of user instances are not inspected''' — we do '''not''' perform penetration tests or port scans on the instances. We also '''never look inside''' user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.

Security

2026-04-27T11:53:18Z

Sia: /* Security Checklist */

{{InANutshell|
<li>By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ''ping''); all other incoming traffic is blocked for security.</li>
<li>To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the [https://portal.bw-cloud.org/ Dashboard] — changes take effect immediately.</li>
<li>Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this [[Blocked_and_Allowed_Ports|overview]] for region-specific details.</li>
<li>If you suspect a security incident, stop the affected VMs and submit a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
}}

__TOC__

= Access Control & Firewall Rules =

== What network access is allowed by default in bwCloud-OS instances? ==


By default, '''bwCloud-OS instances''' are accessible via:

* '''SSH (port 22)''' – for remote login and configuration
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>

This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

== How do I open additional ports for my instance? ==


A newly created virtual machine in bwCloud-OS is only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''. All other inbound traffic is '''blocked''' by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.

----

=== Example: Opening Port 443 for HTTPS Access ===
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group assigned to your instance.

'''Steps in the [https://portal.bw-cloud.org/ Dashboard]:'''
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.
#* '''Recommended:''' Consider creating a dedicated security group (e.g. named <code>https-access</code>), and assign it to your instance using '''Edit Security Groups''' in the instance menu before the next step.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Click '''Add Rule''' to create a new one.
# In the dialog that appears, choose one of the following:
#* '''HTTPS''' from the '''Rule''' dropdown (automatically fills port 443), or
#* '''Custom TCP Rule''', then manually enter '''443''' in the '''Port''' field.
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' allows access from '''any IPv4 address''', and '''<code>::/0</code>''' from '''any IPv6 address'''.
# Set the '''Direction''' of the rule:
#* <code>Ingress</code> = incoming connections (usually what you want)
#* <code>Egress</code> = outgoing connections
# Click '''Add'''. The rule will be created and added to the list immediately.

----

=== Example: Opening a Port only for Access from Certain IP Ranges ===
'''➡️''' [[Guide: Security Group|Security Groups Guide]]

== Are some ports blocked in bwCloud-OS? ==


Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page [[Blocked and Allowed Ports]].

= General Security Recommendations =

== Does bwCloud-OS provide a basic security checklist for virtual machines? ==

The following checklist helps you harden your bwCloud-OS instance after creation.

=== Secure SSH access ===
* Read and apply the recommendations in the [[Guide:_SSH|SSH guide]].

=== Keep the system updated ===
Keeping your instance up to date is one of the most effective security measures: security updates fix known vulnerabilities that may otherwise be exploitable.

There are two common approaches:
* '''Manual updates (one-time / on demand):''' You run updates yourself (e.g., after login, on a regular schedule).
* '''Automatic updates:''' The system installs security updates automatically in the background. On Ubuntu/Debian this is commonly done via <code>unattended-upgrades</code>.

==== Example (Ubuntu/Debian) ====
<pre>
# Manual updates (one-time)
sudo apt update
sudo apt -y upgrade

# Automatic security updates (background)
sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
</pre>

=== Allow only the minimal required ports in bwCloud-OS Security Groups ===
Only open the ports you actually need. This reduces the attack surface and limits who can reach services on your VM.

* Check your instance's security groups in the [https://portal.bw-cloud.org/ Dashboard] and allow only the minimal required inbound rules.
* Restrict access by IP range (CIDR) wherever possible (avoid <code>0.0.0.0/0</code> unless truly required).
* For step-by-step instructions and examples, see: [[Security#Security-Rules|How do I open additional ports for my instance?]]
'''Note:''' some ports may be centrally filtered in certain regions; see [[Blocked_and_Allowed_Ports|Blocked and Allowed Ports]].

=== Optional host firewall ===
Security groups are the primary inbound filter in bwCloud-OS. A host firewall can provide an additional layer (defense-in-depth), e.g., to enforce local policies on the VM.

==== Example (Ubuntu with UFW) ====
<pre>
sudo apt -y install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (ideally restrict in the bwCloud-OS security group as well)
sudo ufw allow 22/tcp

# Example: allow HTTPS if you opened 443 in the security group
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw status verbose
</pre>

⚠️ If you block SSH on the host firewall while only having SSH access, you may lock yourself out. Always ensure SSH remains permitted (and test from your client).

=== Document your configuration ===
To operate and troubleshoot securely, keep a record of your instance configuration:

* Which security groups/rules are attached (ports, protocols, CIDRs)?
* Host firewall rules (if used), SSH hardening settings, update strategy.
* Installed services and exposed endpoints.
* Where secrets are stored/managed (avoid putting secrets in shell history or plain text files).

=== Plan and test a backup strategy ===
Backups are part of security (availability and recovery).

* Define what needs to be recoverable (system, application data, databases, configuration).
* Decide on backup frequency and retention (e.g., daily incremental + weekly full).
* Store backups separately from the instance (avoid a single point of failure).
* Regularly test restores (a backup that was never restored is an assumption, not a plan).

=== Snapshots and images ===
Snapshots capture the state of a VM or volume at a point in time (e.g., before risky changes). They can help with rollback, but they do not automatically replace a backup strategy.

* Learn more: [[Guide:_Volumes_and_Images|Guide: Volumes and Images]]
* Recommended practice:
** Take a snapshot before major changes (OS upgrades, large configuration changes).
** Remove outdated snapshots according to your retention plan.

= SSL Certificates & Secure Services =

== Can I get SSL/TLS certificates via bwCloud-OS? ==


No, bwCloud-OS does '''not''' provide '''SSL/TLS certificates.''' However, you can obtain certificates directly from public providers like '''Let’s Encrypt''' using tools such as '''[https://certbot.eff.org/ Certbot]''', which you can install and run on your instance.

This allows you, for example, to enable '''HTTPS''' for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using [[Security#Security-Rules|security group rules]].

=Security Incidents =

== What should I do if I suspect my VM has been compromised? ==


If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps '''immediately''':

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard].'''
# '''Stop the affected instance(s).''' ''Do not delete them!'' This preserves data for further analysis.
# '''Submit a support ticket''' via the [https://bw-support.scc.kit.edu/ bwSupportPortal] with the following details:
#* Which instance(s) are potentially affected?
#* How is the suspicious behavior observed? (e.g. logs, performance, alerts)
#* What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

== Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)? ==


The '''contents and configuration of user instances are not inspected''' — we do '''not''' perform penetration tests or port scans on the instances. We also '''never look inside''' user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.

Security

2026-04-27T11:49:05Z

Sia: /* Optional: host firewall */

{{InANutshell|
<li>By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ''ping''); all other incoming traffic is blocked for security.</li>
<li>To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the [https://portal.bw-cloud.org/ Dashboard] — changes take effect immediately.</li>
<li>Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this [[Blocked_and_Allowed_Ports|overview]] for region-specific details.</li>
<li>If you suspect a security incident, stop the affected VMs and submit a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
}}

__TOC__

= Access Control & Firewall Rules =

== What network access is allowed by default in bwCloud-OS instances? ==


By default, '''bwCloud-OS instances''' are accessible via:

* '''SSH (port 22)''' – for remote login and configuration
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>

This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

== How do I open additional ports for my instance? ==


A newly created virtual machine in bwCloud-OS is only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''. All other inbound traffic is '''blocked''' by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.

----

=== Example: Opening Port 443 for HTTPS Access ===
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group assigned to your instance.

'''Steps in the [https://portal.bw-cloud.org/ Dashboard]:'''
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.
#* '''Recommended:''' Consider creating a dedicated security group (e.g. named <code>https-access</code>), and assign it to your instance using '''Edit Security Groups''' in the instance menu before the next step.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Click '''Add Rule''' to create a new one.
# In the dialog that appears, choose one of the following:
#* '''HTTPS''' from the '''Rule''' dropdown (automatically fills port 443), or
#* '''Custom TCP Rule''', then manually enter '''443''' in the '''Port''' field.
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' allows access from '''any IPv4 address''', and '''<code>::/0</code>''' from '''any IPv6 address'''.
# Set the '''Direction''' of the rule:
#* <code>Ingress</code> = incoming connections (usually what you want)
#* <code>Egress</code> = outgoing connections
# Click '''Add'''. The rule will be created and added to the list immediately.

----

=== Example: Opening a Port only for Access from Certain IP Ranges ===
'''➡️''' [[Guide: Security Group|Security Groups Guide]]

== Are some ports blocked in bwCloud-OS? ==


Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page [[Blocked and Allowed Ports]].

= Security Checklist =

== Does bwCloud-OS provide a basic security checklist for virtual machines? ==

The following checklist helps you harden your bwCloud-OS instance after creation.

=== Secure SSH access ===
* Read and apply the recommendations in the [[Guide:_SSH|SSH guide]].

=== Keep the system updated ===
Keeping your instance up to date is one of the most effective security measures: security updates fix known vulnerabilities that may otherwise be exploitable.

There are two common approaches:
* '''Manual updates (one-time / on demand):''' You run updates yourself (e.g., after login, on a regular schedule).
* '''Automatic updates:''' The system installs security updates automatically in the background. On Ubuntu/Debian this is commonly done via <code>unattended-upgrades</code>.

==== Example (Ubuntu/Debian) ====
<pre>
# Manual updates (one-time)
sudo apt update
sudo apt -y upgrade

# Automatic security updates (background)
sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
</pre>

=== Allow only the minimal required ports in bwCloud-OS Security Groups ===
Only open the ports you actually need. This reduces the attack surface and limits who can reach services on your VM.

* Check your instance's security groups in the [https://portal.bw-cloud.org/ Dashboard] and allow only the minimal required inbound rules.
* Restrict access by IP range (CIDR) wherever possible (avoid <code>0.0.0.0/0</code> unless truly required).
* For step-by-step instructions and examples, see: [[Security#Security-Rules|How do I open additional ports for my instance?]]
'''Note:''' some ports may be centrally filtered in certain regions; see [[Blocked_and_Allowed_Ports|Blocked and Allowed Ports]].

=== Optional host firewall ===
Security groups are the primary inbound filter in bwCloud-OS. A host firewall can provide an additional layer (defense-in-depth), e.g., to enforce local policies on the VM.

==== Example (Ubuntu with UFW) ====
<pre>
sudo apt -y install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (ideally restrict in the bwCloud-OS security group as well)
sudo ufw allow 22/tcp

# Example: allow HTTPS if you opened 443 in the security group
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw status verbose
</pre>

⚠️ If you block SSH on the host firewall while only having SSH access, you may lock yourself out. Always ensure SSH remains permitted (and test from your client).

=== Document your configuration ===
To operate and troubleshoot securely, keep a record of your instance configuration:

* Which security groups/rules are attached (ports, protocols, CIDRs)?
* Host firewall rules (if used), SSH hardening settings, update strategy.
* Installed services and exposed endpoints.
* Where secrets are stored/managed (avoid putting secrets in shell history or plain text files).

=== Plan and test a backup strategy ===
Backups are part of security (availability and recovery).

* Define what needs to be recoverable (system, application data, databases, configuration).
* Decide on backup frequency and retention (e.g., daily incremental + weekly full).
* Store backups separately from the instance (avoid a single point of failure).
* Regularly test restores (a backup that was never restored is an assumption, not a plan).

=== Snapshots and images ===
Snapshots capture the state of a VM or volume at a point in time (e.g., before risky changes). They can help with rollback, but they do not automatically replace a backup strategy.

* Learn more: [[Guide:_Volumes_and_Images|Guide: Volumes and Images]]
* Recommended practice:
** Take a snapshot before major changes (OS upgrades, large configuration changes).
** Remove outdated snapshots according to your retention plan.

= SSL Certificates & Secure Services =

== Can I get SSL/TLS certificates via bwCloud-OS? ==


No, bwCloud-OS does '''not''' provide '''SSL/TLS certificates.''' However, you can obtain certificates directly from public providers like '''Let’s Encrypt''' using tools such as '''[https://certbot.eff.org/ Certbot]''', which you can install and run on your instance.

This allows you, for example, to enable '''HTTPS''' for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using [[Security#Security-Rules|security group rules]].

=Security Incidents =

== What should I do if I suspect my VM has been compromised? ==


If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps '''immediately''':

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard].'''
# '''Stop the affected instance(s).''' ''Do not delete them!'' This preserves data for further analysis.
# '''Submit a support ticket''' via the [https://bw-support.scc.kit.edu/ bwSupportPortal] with the following details:
#* Which instance(s) are potentially affected?
#* How is the suspicious behavior observed? (e.g. logs, performance, alerts)
#* What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

== Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)? ==


The '''contents and configuration of user instances are not inspected''' — we do '''not''' perform penetration tests or port scans on the instances. We also '''never look inside''' user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.

Security

2026-04-27T11:46:00Z

Sia:

{{InANutshell|
<li>By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ''ping''); all other incoming traffic is blocked for security.</li>
<li>To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the [https://portal.bw-cloud.org/ Dashboard] — changes take effect immediately.</li>
<li>Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this [[Blocked_and_Allowed_Ports|overview]] for region-specific details.</li>
<li>If you suspect a security incident, stop the affected VMs and submit a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
}}

__TOC__

= Access Control & Firewall Rules =

== What network access is allowed by default in bwCloud-OS instances? ==


By default, '''bwCloud-OS instances''' are accessible via:

* '''SSH (port 22)''' – for remote login and configuration
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>

This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

== How do I open additional ports for my instance? ==


A newly created virtual machine in bwCloud-OS is only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''. All other inbound traffic is '''blocked''' by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.

----

=== Example: Opening Port 443 for HTTPS Access ===
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group assigned to your instance.

'''Steps in the [https://portal.bw-cloud.org/ Dashboard]:'''
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.
#* '''Recommended:''' Consider creating a dedicated security group (e.g. named <code>https-access</code>), and assign it to your instance using '''Edit Security Groups''' in the instance menu before the next step.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Click '''Add Rule''' to create a new one.
# In the dialog that appears, choose one of the following:
#* '''HTTPS''' from the '''Rule''' dropdown (automatically fills port 443), or
#* '''Custom TCP Rule''', then manually enter '''443''' in the '''Port''' field.
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' allows access from '''any IPv4 address''', and '''<code>::/0</code>''' from '''any IPv6 address'''.
# Set the '''Direction''' of the rule:
#* <code>Ingress</code> = incoming connections (usually what you want)
#* <code>Egress</code> = outgoing connections
# Click '''Add'''. The rule will be created and added to the list immediately.

----

=== Example: Opening a Port only for Access from Certain IP Ranges ===
'''➡️''' [[Guide: Security Group|Security Groups Guide]]

== Are some ports blocked in bwCloud-OS? ==


Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page [[Blocked and Allowed Ports]].

= Security Checklist =

== Does bwCloud-OS provide a basic security checklist for virtual machines? ==

The following checklist helps you harden your bwCloud-OS instance after creation.

=== Secure SSH access ===
* Read and apply the recommendations in the [[Guide:_SSH|SSH guide]].

=== Keep the system updated ===
Keeping your instance up to date is one of the most effective security measures: security updates fix known vulnerabilities that may otherwise be exploitable.

There are two common approaches:
* '''Manual updates (one-time / on demand):''' You run updates yourself (e.g., after login, on a regular schedule).
* '''Automatic updates:''' The system installs security updates automatically in the background. On Ubuntu/Debian this is commonly done via <code>unattended-upgrades</code>.

==== Example (Ubuntu/Debian) ====
<pre>
# Manual updates (one-time)
sudo apt update
sudo apt -y upgrade

# Automatic security updates (background)
sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
</pre>

=== Allow only the minimal required ports in bwCloud-OS Security Groups ===
Only open the ports you actually need. This reduces the attack surface and limits who can reach services on your VM.

* Check your instance's security groups in the [https://portal.bw-cloud.org/ Dashboard] and allow only the minimal required inbound rules.
* Restrict access by IP range (CIDR) wherever possible (avoid <code>0.0.0.0/0</code> unless truly required).
* For step-by-step instructions and examples, see: [[Security#Security-Rules|How do I open additional ports for my instance?]]
'''Note:''' some ports may be centrally filtered in certain regions; see [[Blocked_and_Allowed_Ports|Blocked and Allowed Ports]].

=== Optional: host firewall ===
Security groups are the primary inbound filter in bwCloud-OS. A host firewall can provide an additional layer (defense-in-depth), e.g., to enforce local policies on the VM.

==== Example (Ubuntu with UFW) ====
<pre>
sudo apt -y install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (ideally restrict in the bwCloud-OS security group as well)
sudo ufw allow 22/tcp

# Example: allow HTTPS if you opened 443 in the security group
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw status verbose
</pre>

⚠️ If you block SSH on the host firewall while only having SSH access, you may lock yourself out. Always ensure SSH remains permitted (and test from your client).

=== Document your configuration ===
To operate and troubleshoot securely, keep a record of your instance configuration:

* Which security groups/rules are attached (ports, protocols, CIDRs)?
* Host firewall rules (if used), SSH hardening settings, update strategy.
* Installed services and exposed endpoints.
* Where secrets are stored/managed (avoid putting secrets in shell history or plain text files).

=== Plan and test a backup strategy ===
Backups are part of security (availability and recovery).

* Define what needs to be recoverable (system, application data, databases, configuration).
* Decide on backup frequency and retention (e.g., daily incremental + weekly full).
* Store backups separately from the instance (avoid a single point of failure).
* Regularly test restores (a backup that was never restored is an assumption, not a plan).

=== Snapshots and images ===
Snapshots capture the state of a VM or volume at a point in time (e.g., before risky changes). They can help with rollback, but they do not automatically replace a backup strategy.

* Learn more: [[Guide:_Volumes_and_Images|Guide: Volumes and Images]]
* Recommended practice:
** Take a snapshot before major changes (OS upgrades, large configuration changes).
** Remove outdated snapshots according to your retention plan.

= SSL Certificates & Secure Services =

== Can I get SSL/TLS certificates via bwCloud-OS? ==


No, bwCloud-OS does '''not''' provide '''SSL/TLS certificates.''' However, you can obtain certificates directly from public providers like '''Let’s Encrypt''' using tools such as '''[https://certbot.eff.org/ Certbot]''', which you can install and run on your instance.

This allows you, for example, to enable '''HTTPS''' for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using [[Security#Security-Rules|security group rules]].

=Security Incidents =

== What should I do if I suspect my VM has been compromised? ==


If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps '''immediately''':

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard].'''
# '''Stop the affected instance(s).''' ''Do not delete them!'' This preserves data for further analysis.
# '''Submit a support ticket''' via the [https://bw-support.scc.kit.edu/ bwSupportPortal] with the following details:
#* Which instance(s) are potentially affected?
#* How is the suspicious behavior observed? (e.g. logs, performance, alerts)
#* What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

== Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)? ==


The '''contents and configuration of user instances are not inspected''' — we do '''not''' perform penetration tests or port scans on the instances. We also '''never look inside''' user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.

Security

2026-04-27T11:43:59Z

Sia: /* Optional host firewall (e.g., UFW on Ubuntu) */

{{InANutshell|
<li>By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ''ping''); all other incoming traffic is blocked for security.</li>
<li>To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the [https://portal.bw-cloud.org/ Dashboard] — changes take effect immediately.</li>
<li>Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this [[Blocked_and_Allowed_Ports|overview]] for region-specific details.</li>
<li>If you suspect a security incident, stop the affected VMs and submit a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
}}

__TOC__

= Access Control & Firewall Rules =

== What network access is allowed by default in bwCloud-OS instances? ==


By default, '''bwCloud-OS instances''' are accessible via:

* '''SSH (port 22)''' – for remote login and configuration
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>

This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

== How do I open additional ports for my instance? ==


A newly created virtual machine in bwCloud-OS is only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''. All other inbound traffic is '''blocked''' by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.

----

=== Example: Opening Port 443 for HTTPS Access ===
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group assigned to your instance.

'''Steps in the [https://portal.bw-cloud.org/ Dashboard]:'''
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.
#* '''Recommended:''' Consider creating a dedicated security group (e.g. named <code>https-access</code>), and assign it to your instance using '''Edit Security Groups''' in the instance menu before the next step.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Click '''Add Rule''' to create a new one.
# In the dialog that appears, choose one of the following:
#* '''HTTPS''' from the '''Rule''' dropdown (automatically fills port 443), or
#* '''Custom TCP Rule''', then manually enter '''443''' in the '''Port''' field.
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' allows access from '''any IPv4 address''', and '''<code>::/0</code>''' from '''any IPv6 address'''.
# Set the '''Direction''' of the rule:
#* <code>Ingress</code> = incoming connections (usually what you want)
#* <code>Egress</code> = outgoing connections
# Click '''Add'''. The rule will be created and added to the list immediately.

----

=== Example: Opening a Port only for Access from Certain IP Ranges ===
'''➡️''' [[Guide: Security Group|Security Groups Guide]]

== Are some ports blocked in bwCloud-OS? ==


Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page [[Blocked and Allowed Ports]].

= Security Checklist =

== Does bwCloud-OS provide a basic security checklist for virtual machines? ==

The following checklist helps you harden your bwCloud-OS instance after creation.

=== Secure SSH access ===
* Read and apply the recommendations in the [[Guide:_SSH|SSH guide]].

=== Keep the system updated ===
Keeping your instance up to date is one of the most effective security measures: security updates fix known vulnerabilities that may otherwise be exploitable.

There are two common approaches:
* '''Manual updates (one-time / on demand):''' You run updates yourself (e.g., after login, on a regular schedule).
* '''Automatic updates:''' The system installs security updates automatically in the background. On Ubuntu/Debian this is commonly done via <code>unattended-upgrades</code>.

==== Example (Ubuntu/Debian) ====
<pre>
# Manual updates (one-time)
sudo apt update
sudo apt -y upgrade

# Automatic security updates (background)
sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
</pre>

=== Allow only the minimal required ports in bwCloud-OS Security Groups ===
Only open the ports you actually need. This reduces the attack surface and limits who can reach services on your VM.

* Check your instance's security groups in the [https://portal.bw-cloud.org/ Dashboard] and allow only the minimal required inbound rules.
* Restrict access by IP range (CIDR) wherever possible (avoid <code>0.0.0.0/0</code> unless truly required).
* For step-by-step instructions and examples, see: [[Security#Security-Rules|How do I open additional ports for my instance?]]
'''Note:''' some ports may be centrally filtered in certain regions; see [[Blocked_and_Allowed_Ports|Blocked and Allowed Ports]].

=== Optional: host firewall ===
Security groups are the primary inbound filter in bwCloud-OS. A host firewall can provide an additional layer (defense-in-depth), e.g., to enforce local policies on the VM.

==== Example (Ubuntu with UFW) ====
<pre>
sudo apt -y install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (ideally restrict in the bwCloud-OS security group as well)
sudo ufw allow 22/tcp

# Example: allow HTTPS if you opened 443 in the security group
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw status verbose
</pre>

''Important:'' If you block SSH on the host firewall while only having SSH access, you may lock yourself out. Always ensure SSH remains permitted (and test from your client).

=== Document your configuration ===
To operate and troubleshoot securely, keep a record of your instance configuration:

* Which security groups/rules are attached (ports, protocols, CIDRs)?
* Host firewall rules (if used), SSH hardening settings, update strategy.
* Installed services and exposed endpoints.
* Where secrets are stored/managed (avoid putting secrets in shell history or plain text files).

=== Plan and test a backup strategy ===
Backups are part of security (availability and recovery).

* Define what needs to be recoverable (system, application data, databases, configuration).
* Decide on backup frequency and retention (e.g., daily incremental + weekly full).
* Store backups separately from the instance (avoid a single point of failure).
* Regularly test restores (a backup that was never restored is an assumption, not a plan).

=== Snapshots and images ===
Snapshots capture the state of a VM or volume at a point in time (e.g., before risky changes). They can help with rollback, but they do not automatically replace a backup strategy.

* Learn more: [[Guide:_Volumes_and_Images|Guide: Volumes and Images]]
* Recommended practice:
** Take a snapshot before major changes (OS upgrades, large configuration changes).
** Remove outdated snapshots according to your retention plan.

= SSL Certificates & Secure Services =

== Can I get SSL/TLS certificates via bwCloud-OS? ==


No, bwCloud-OS does '''not''' provide '''SSL/TLS certificates.''' However, you can obtain certificates directly from public providers like '''Let’s Encrypt''' using tools such as '''[https://certbot.eff.org/ Certbot]''', which you can install and run on your instance.

This allows you, for example, to enable '''HTTPS''' for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using [[Security#Security-Rules|security group rules]].

=Security Incidents =

== What should I do if I suspect my VM has been compromised? ==


If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps '''immediately''':

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard].'''
# '''Stop the affected instance(s).''' ''Do not delete them!'' This preserves data for further analysis.
# '''Submit a support ticket''' via the [https://bw-support.scc.kit.edu/ bwSupportPortal] with the following details:
#* Which instance(s) are potentially affected?
#* How is the suspicious behavior observed? (e.g. logs, performance, alerts)
#* What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

== Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)? ==


The '''contents and configuration of user instances are not inspected''' — we do '''not''' perform penetration tests or port scans on the instances. We also '''never look inside''' user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.

Security

2026-04-27T11:43:21Z

Sia: /* Allow only the minimal required ports in bwCloud-OS Security Groups */

{{InANutshell|
<li>By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ''ping''); all other incoming traffic is blocked for security.</li>
<li>To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the [https://portal.bw-cloud.org/ Dashboard] — changes take effect immediately.</li>
<li>Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this [[Blocked_and_Allowed_Ports|overview]] for region-specific details.</li>
<li>If you suspect a security incident, stop the affected VMs and submit a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
}}

__TOC__

= Access Control & Firewall Rules =

== What network access is allowed by default in bwCloud-OS instances? ==


By default, '''bwCloud-OS instances''' are accessible via:

* '''SSH (port 22)''' – for remote login and configuration
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>

This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

== How do I open additional ports for my instance? ==


A newly created virtual machine in bwCloud-OS is only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''. All other inbound traffic is '''blocked''' by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.

----

=== Example: Opening Port 443 for HTTPS Access ===
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group assigned to your instance.

'''Steps in the [https://portal.bw-cloud.org/ Dashboard]:'''
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.
#* '''Recommended:''' Consider creating a dedicated security group (e.g. named <code>https-access</code>), and assign it to your instance using '''Edit Security Groups''' in the instance menu before the next step.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Click '''Add Rule''' to create a new one.
# In the dialog that appears, choose one of the following:
#* '''HTTPS''' from the '''Rule''' dropdown (automatically fills port 443), or
#* '''Custom TCP Rule''', then manually enter '''443''' in the '''Port''' field.
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' allows access from '''any IPv4 address''', and '''<code>::/0</code>''' from '''any IPv6 address'''.
# Set the '''Direction''' of the rule:
#* <code>Ingress</code> = incoming connections (usually what you want)
#* <code>Egress</code> = outgoing connections
# Click '''Add'''. The rule will be created and added to the list immediately.

----

=== Example: Opening a Port only for Access from Certain IP Ranges ===
'''➡️''' [[Guide: Security Group|Security Groups Guide]]

== Are some ports blocked in bwCloud-OS? ==


Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page [[Blocked and Allowed Ports]].

= Security Checklist =

== Does bwCloud-OS provide a basic security checklist for virtual machines? ==

The following checklist helps you harden your bwCloud-OS instance after creation.

=== Secure SSH access ===
* Read and apply the recommendations in the [[Guide:_SSH|SSH guide]].

=== Keep the system updated ===
Keeping your instance up to date is one of the most effective security measures: security updates fix known vulnerabilities that may otherwise be exploitable.

There are two common approaches:
* '''Manual updates (one-time / on demand):''' You run updates yourself (e.g., after login, on a regular schedule).
* '''Automatic updates:''' The system installs security updates automatically in the background. On Ubuntu/Debian this is commonly done via <code>unattended-upgrades</code>.

==== Example (Ubuntu/Debian) ====
<pre>
# Manual updates (one-time)
sudo apt update
sudo apt -y upgrade

# Automatic security updates (background)
sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
</pre>

=== Allow only the minimal required ports in bwCloud-OS Security Groups ===
Only open the ports you actually need. This reduces the attack surface and limits who can reach services on your VM.

* Check your instance's security groups in the [https://portal.bw-cloud.org/ Dashboard] and allow only the minimal required inbound rules.
* Restrict access by IP range (CIDR) wherever possible (avoid <code>0.0.0.0/0</code> unless truly required).
* For step-by-step instructions and examples, see: [[Security#Security-Rules|How do I open additional ports for my instance?]]
'''Note:''' some ports may be centrally filtered in certain regions; see [[Blocked_and_Allowed_Ports|Blocked and Allowed Ports]].

=== Optional host firewall (e.g., UFW on Ubuntu) ===
Security groups are the primary inbound filter in bwCloud-OS. A host firewall can provide an additional layer (defense-in-depth), e.g., to enforce local policies on the VM.

==== Example (Ubuntu with UFW) ====
<pre>
sudo apt -y install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (ideally restrict in the bwCloud-OS security group as well)
sudo ufw allow 22/tcp

# Example: allow HTTPS if you opened 443 in the security group
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw status verbose
</pre>

''Important:'' If you block SSH on the host firewall while only having SSH access, you may lock yourself out. Always ensure SSH remains permitted (and test from your client).

=== Document your configuration ===
To operate and troubleshoot securely, keep a record of your instance configuration:

* Which security groups/rules are attached (ports, protocols, CIDRs)?
* Host firewall rules (if used), SSH hardening settings, update strategy.
* Installed services and exposed endpoints.
* Where secrets are stored/managed (avoid putting secrets in shell history or plain text files).

=== Plan and test a backup strategy ===
Backups are part of security (availability and recovery).

* Define what needs to be recoverable (system, application data, databases, configuration).
* Decide on backup frequency and retention (e.g., daily incremental + weekly full).
* Store backups separately from the instance (avoid a single point of failure).
* Regularly test restores (a backup that was never restored is an assumption, not a plan).

=== Snapshots and images ===
Snapshots capture the state of a VM or volume at a point in time (e.g., before risky changes). They can help with rollback, but they do not automatically replace a backup strategy.

* Learn more: [[Guide:_Volumes_and_Images|Guide: Volumes and Images]]
* Recommended practice:
** Take a snapshot before major changes (OS upgrades, large configuration changes).
** Remove outdated snapshots according to your retention plan.

= SSL Certificates & Secure Services =

== Can I get SSL/TLS certificates via bwCloud-OS? ==


No, bwCloud-OS does '''not''' provide '''SSL/TLS certificates.''' However, you can obtain certificates directly from public providers like '''Let’s Encrypt''' using tools such as '''[https://certbot.eff.org/ Certbot]''', which you can install and run on your instance.

This allows you, for example, to enable '''HTTPS''' for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using [[Security#Security-Rules|security group rules]].

=Security Incidents =

== What should I do if I suspect my VM has been compromised? ==


If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps '''immediately''':

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard].'''
# '''Stop the affected instance(s).''' ''Do not delete them!'' This preserves data for further analysis.
# '''Submit a support ticket''' via the [https://bw-support.scc.kit.edu/ bwSupportPortal] with the following details:
#* Which instance(s) are potentially affected?
#* How is the suspicious behavior observed? (e.g. logs, performance, alerts)
#* What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

== Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)? ==


The '''contents and configuration of user instances are not inspected''' — we do '''not''' perform penetration tests or port scans on the instances. We also '''never look inside''' user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.

Security

2026-04-27T11:40:59Z

Sia: /* Does bwCloud-OS provide a basic security checklist for virtual machines? */

{{InANutshell|
<li>By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ''ping''); all other incoming traffic is blocked for security.</li>
<li>To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the [https://portal.bw-cloud.org/ Dashboard] — changes take effect immediately.</li>
<li>Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this [[Blocked_and_Allowed_Ports|overview]] for region-specific details.</li>
<li>If you suspect a security incident, stop the affected VMs and submit a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
}}

__TOC__

= Access Control & Firewall Rules =

== What network access is allowed by default in bwCloud-OS instances? ==


By default, '''bwCloud-OS instances''' are accessible via:

* '''SSH (port 22)''' – for remote login and configuration
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>

This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

== How do I open additional ports for my instance? ==


A newly created virtual machine in bwCloud-OS is only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''. All other inbound traffic is '''blocked''' by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.

----

=== Example: Opening Port 443 for HTTPS Access ===
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group assigned to your instance.

'''Steps in the [https://portal.bw-cloud.org/ Dashboard]:'''
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.
#* '''Recommended:''' Consider creating a dedicated security group (e.g. named <code>https-access</code>), and assign it to your instance using '''Edit Security Groups''' in the instance menu before the next step.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Click '''Add Rule''' to create a new one.
# In the dialog that appears, choose one of the following:
#* '''HTTPS''' from the '''Rule''' dropdown (automatically fills port 443), or
#* '''Custom TCP Rule''', then manually enter '''443''' in the '''Port''' field.
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' allows access from '''any IPv4 address''', and '''<code>::/0</code>''' from '''any IPv6 address'''.
# Set the '''Direction''' of the rule:
#* <code>Ingress</code> = incoming connections (usually what you want)
#* <code>Egress</code> = outgoing connections
# Click '''Add'''. The rule will be created and added to the list immediately.

----

=== Example: Opening a Port only for Access from Certain IP Ranges ===
'''➡️''' [[Guide: Security Group|Security Groups Guide]]

== Are some ports blocked in bwCloud-OS? ==


Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page [[Blocked and Allowed Ports]].

= Security Checklist =

== Does bwCloud-OS provide a basic security checklist for virtual machines? ==

The following checklist helps you harden your bwCloud-OS instance after creation.

=== Secure SSH access ===
* Read and apply the recommendations in the [[Guide:_SSH|SSH guide]].

=== Keep the system updated ===
Keeping your instance up to date is one of the most effective security measures: security updates fix known vulnerabilities that may otherwise be exploitable.

There are two common approaches:
* '''Manual updates (one-time / on demand):''' You run updates yourself (e.g., after login, on a regular schedule).
* '''Automatic updates:''' The system installs security updates automatically in the background. On Ubuntu/Debian this is commonly done via <code>unattended-upgrades</code>.

==== Example (Ubuntu/Debian) ====
<pre>
# Manual updates (one-time)
sudo apt update
sudo apt -y upgrade

# Automatic security updates (background)
sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
</pre>

=== Allow only the minimal required ports in bwCloud-OS Security Groups ===
Only open the ports you actually need. This reduces the attack surface and limits who can reach services on your VM.

* Check your instance's security groups in the [https://portal.bw-cloud.org/ Dashboard] and allow only the minimal required inbound rules.
* Restrict access by IP range (CIDR) wherever possible (avoid <code>0.0.0.0/0</code> unless truly required).
* For step-by-step instructions and examples, see: [[Security#Security-Rules|How do I open additional ports for my instance?]]
* Note: some ports may be centrally filtered in certain regions; see [[Blocked_and_Allowed_Ports|Blocked and Allowed Ports]].

=== Optional host firewall (e.g., UFW on Ubuntu) ===
Security groups are the primary inbound filter in bwCloud-OS. A host firewall can provide an additional layer (defense-in-depth), e.g., to enforce local policies on the VM.

==== Example (Ubuntu with UFW) ====
<pre>
sudo apt -y install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (ideally restrict in the bwCloud-OS security group as well)
sudo ufw allow 22/tcp

# Example: allow HTTPS if you opened 443 in the security group
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw status verbose
</pre>

''Important:'' If you block SSH on the host firewall while only having SSH access, you may lock yourself out. Always ensure SSH remains permitted (and test from your client).

=== Document your configuration ===
To operate and troubleshoot securely, keep a record of your instance configuration:

* Which security groups/rules are attached (ports, protocols, CIDRs)?
* Host firewall rules (if used), SSH hardening settings, update strategy.
* Installed services and exposed endpoints.
* Where secrets are stored/managed (avoid putting secrets in shell history or plain text files).

=== Plan and test a backup strategy ===
Backups are part of security (availability and recovery).

* Define what needs to be recoverable (system, application data, databases, configuration).
* Decide on backup frequency and retention (e.g., daily incremental + weekly full).
* Store backups separately from the instance (avoid a single point of failure).
* Regularly test restores (a backup that was never restored is an assumption, not a plan).

=== Snapshots and images ===
Snapshots capture the state of a VM or volume at a point in time (e.g., before risky changes). They can help with rollback, but they do not automatically replace a backup strategy.

* Learn more: [[Guide:_Volumes_and_Images|Guide: Volumes and Images]]
* Recommended practice:
** Take a snapshot before major changes (OS upgrades, large configuration changes).
** Remove outdated snapshots according to your retention plan.

= SSL Certificates & Secure Services =

== Can I get SSL/TLS certificates via bwCloud-OS? ==


No, bwCloud-OS does '''not''' provide '''SSL/TLS certificates.''' However, you can obtain certificates directly from public providers like '''Let’s Encrypt''' using tools such as '''[https://certbot.eff.org/ Certbot]''', which you can install and run on your instance.

This allows you, for example, to enable '''HTTPS''' for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using [[Security#Security-Rules|security group rules]].

=Security Incidents =

== What should I do if I suspect my VM has been compromised? ==


If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps '''immediately''':

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard].'''
# '''Stop the affected instance(s).''' ''Do not delete them!'' This preserves data for further analysis.
# '''Submit a support ticket''' via the [https://bw-support.scc.kit.edu/ bwSupportPortal] with the following details:
#* Which instance(s) are potentially affected?
#* How is the suspicious behavior observed? (e.g. logs, performance, alerts)
#* What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

== Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)? ==


The '''contents and configuration of user instances are not inspected''' — we do '''not''' perform penetration tests or port scans on the instances. We also '''never look inside''' user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.

Security

2026-04-27T11:40:19Z

Sia:

{{InANutshell|
<li>By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ''ping''); all other incoming traffic is blocked for security.</li>
<li>To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the [https://portal.bw-cloud.org/ Dashboard] — changes take effect immediately.</li>
<li>Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this [[Blocked_and_Allowed_Ports|overview]] for region-specific details.</li>
<li>If you suspect a security incident, stop the affected VMs and submit a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
}}

__TOC__

= Access Control & Firewall Rules =

== What network access is allowed by default in bwCloud-OS instances? ==


By default, '''bwCloud-OS instances''' are accessible via:

* '''SSH (port 22)''' – for remote login and configuration
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>

This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

== How do I open additional ports for my instance? ==


A newly created virtual machine in bwCloud-OS is only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''. All other inbound traffic is '''blocked''' by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.

----

=== Example: Opening Port 443 for HTTPS Access ===
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group assigned to your instance.

'''Steps in the [https://portal.bw-cloud.org/ Dashboard]:'''
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.
#* '''Recommended:''' Consider creating a dedicated security group (e.g. named <code>https-access</code>), and assign it to your instance using '''Edit Security Groups''' in the instance menu before the next step.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Click '''Add Rule''' to create a new one.
# In the dialog that appears, choose one of the following:
#* '''HTTPS''' from the '''Rule''' dropdown (automatically fills port 443), or
#* '''Custom TCP Rule''', then manually enter '''443''' in the '''Port''' field.
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' allows access from '''any IPv4 address''', and '''<code>::/0</code>''' from '''any IPv6 address'''.
# Set the '''Direction''' of the rule:
#* <code>Ingress</code> = incoming connections (usually what you want)
#* <code>Egress</code> = outgoing connections
# Click '''Add'''. The rule will be created and added to the list immediately.

----

=== Example: Opening a Port only for Access from Certain IP Ranges ===
'''➡️''' [[Guide: Security Group|Security Groups Guide]]

== Are some ports blocked in bwCloud-OS? ==


Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page [[Blocked and Allowed Ports]].

= Security Checklist =

== Does bwCloud-OS provide a basic security checklist for virtual machines? ==

The following checklist helps you harden your bwCloud-OS instance after creation.

The following checklist helps you harden your bwCloud-OS instance after creation.

=== Secure SSH access ===
* Read and apply the recommendations in the [[Guide:_SSH|SSH guide]].

=== Keep the system updated ===
Keeping your instance up to date is one of the most effective security measures: security updates fix known vulnerabilities that may otherwise be exploitable.

There are two common approaches:
* '''Manual updates (one-time / on demand):''' You run updates yourself (e.g., after login, on a regular schedule).
* '''Automatic updates:''' The system installs security updates automatically in the background. On Ubuntu/Debian this is commonly done via <code>unattended-upgrades</code>.

==== Example (Ubuntu/Debian) ====
<pre>
# Manual updates (one-time)
sudo apt update
sudo apt -y upgrade

# Automatic security updates (background)
sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
</pre>

=== Allow only the minimal required ports in bwCloud-OS Security Groups ===
Only open the ports you actually need. This reduces the attack surface and limits who can reach services on your VM.

* Check your instance's security groups in the [https://portal.bw-cloud.org/ Dashboard] and allow only the minimal required inbound rules.
* Restrict access by IP range (CIDR) wherever possible (avoid <code>0.0.0.0/0</code> unless truly required).
* For step-by-step instructions and examples, see: [[Security#Security-Rules|How do I open additional ports for my instance?]]
* Note: some ports may be centrally filtered in certain regions; see [[Blocked_and_Allowed_Ports|Blocked and Allowed Ports]].

=== Optional host firewall (e.g., UFW on Ubuntu) ===
Security groups are the primary inbound filter in bwCloud-OS. A host firewall can provide an additional layer (defense-in-depth), e.g., to enforce local policies on the VM.

==== Example (Ubuntu with UFW) ====
<pre>
sudo apt -y install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (ideally restrict in the bwCloud-OS security group as well)
sudo ufw allow 22/tcp

# Example: allow HTTPS if you opened 443 in the security group
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw status verbose
</pre>

''Important:'' If you block SSH on the host firewall while only having SSH access, you may lock yourself out. Always ensure SSH remains permitted (and test from your client).

=== Document your configuration ===
To operate and troubleshoot securely, keep a record of your instance configuration:

* Which security groups/rules are attached (ports, protocols, CIDRs)?
* Host firewall rules (if used), SSH hardening settings, update strategy.
* Installed services and exposed endpoints.
* Where secrets are stored/managed (avoid putting secrets in shell history or plain text files).

=== Plan and test a backup strategy ===
Backups are part of security (availability and recovery).

* Define what needs to be recoverable (system, application data, databases, configuration).
* Decide on backup frequency and retention (e.g., daily incremental + weekly full).
* Store backups separately from the instance (avoid a single point of failure).
* Regularly test restores (a backup that was never restored is an assumption, not a plan).

=== Snapshots and images ===
Snapshots capture the state of a VM or volume at a point in time (e.g., before risky changes). They can help with rollback, but they do not automatically replace a backup strategy.

* Learn more: [[Guide:_Volumes_and_Images|Guide: Volumes and Images]]
* Recommended practice:
** Take a snapshot before major changes (OS upgrades, large configuration changes).
** Remove outdated snapshots according to your retention plan.

= SSL Certificates & Secure Services =

== Can I get SSL/TLS certificates via bwCloud-OS? ==


No, bwCloud-OS does '''not''' provide '''SSL/TLS certificates.''' However, you can obtain certificates directly from public providers like '''Let’s Encrypt''' using tools such as '''[https://certbot.eff.org/ Certbot]''', which you can install and run on your instance.

This allows you, for example, to enable '''HTTPS''' for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using [[Security#Security-Rules|security group rules]].

=Security Incidents =

== What should I do if I suspect my VM has been compromised? ==


If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps '''immediately''':

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard].'''
# '''Stop the affected instance(s).''' ''Do not delete them!'' This preserves data for further analysis.
# '''Submit a support ticket''' via the [https://bw-support.scc.kit.edu/ bwSupportPortal] with the following details:
#* Which instance(s) are potentially affected?
#* How is the suspicious behavior observed? (e.g. logs, performance, alerts)
#* What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

== Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)? ==


The '''contents and configuration of user instances are not inspected''' — we do '''not''' perform penetration tests or port scans on the instances. We also '''never look inside''' user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.

Security

2026-04-27T11:37:16Z

Sia: /* Security Checklist */

{{InANutshell|
<li>By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ''ping''); all other incoming traffic is blocked for security.</li>
<li>To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the [https://portal.bw-cloud.org/ Dashboard] — changes take effect immediately.</li>
<li>Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this [[Blocked_and_Allowed_Ports|overview]] for region-specific details.</li>
<li>If you suspect a security incident, stop the affected VMs and submit a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
}}

__TOC__

= Access Control & Firewall Rules =

== What network access is allowed by default in bwCloud-OS instances? ==


By default, '''bwCloud-OS instances''' are accessible via:

* '''SSH (port 22)''' – for remote login and configuration
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>

This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

== How do I open additional ports for my instance? ==


A newly created virtual machine in bwCloud-OS is only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''. All other inbound traffic is '''blocked''' by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.

----

=== Example: Opening Port 443 for HTTPS Access ===
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group assigned to your instance.

'''Steps in the [https://portal.bw-cloud.org/ Dashboard]:'''
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.
#* '''Recommended:''' Consider creating a dedicated security group (e.g. named <code>https-access</code>), and assign it to your instance using '''Edit Security Groups''' in the instance menu before the next step.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Click '''Add Rule''' to create a new one.
# In the dialog that appears, choose one of the following:
#* '''HTTPS''' from the '''Rule''' dropdown (automatically fills port 443), or
#* '''Custom TCP Rule''', then manually enter '''443''' in the '''Port''' field.
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' allows access from '''any IPv4 address''', and '''<code>::/0</code>''' from '''any IPv6 address'''.
# Set the '''Direction''' of the rule:
#* <code>Ingress</code> = incoming connections (usually what you want)
#* <code>Egress</code> = outgoing connections
# Click '''Add'''. The rule will be created and added to the list immediately.

----

=== Example: Opening a Port only for Access from Certain IP Ranges ===
'''➡️''' [[Guide: Security Group|Security Groups Guide]]

== Are some ports blocked in bwCloud-OS? ==


Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page [[Blocked and Allowed Ports]].

= Security Checklist =

== Does bwCloud-OS provide a basic security checklist for virtual machines? ==

The following checklist helps you harden your bwCloud-OS instance after creation.

The following checklist helps you harden your bwCloud-OS instance after creation.

== Secure SSH access ==
* Read and apply the recommendations in the [[Guide:_SSH|SSH guide]].

== Keep the system updated ==
Keeping your instance up to date is one of the most effective security measures: security updates fix known vulnerabilities that may otherwise be exploitable.

There are two common approaches:
* '''Manual updates (one-time / on demand):''' You run updates yourself (e.g., after login, on a regular schedule).
* '''Automatic updates:''' The system installs security updates automatically in the background. On Ubuntu/Debian this is commonly done via <code>unattended-upgrades</code>.

=== Example (Ubuntu/Debian) ===
<pre>
# Manual updates (one-time)
sudo apt update
sudo apt -y upgrade

# Automatic security updates (background)
sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
</pre>

== Allow only the minimal required ports in bwCloud-OS Security Groups ==
Only open the ports you actually need. This reduces the attack surface and limits who can reach services on your VM.

* Check your instance's security groups in the [https://portal.bw-cloud.org/ Dashboard] and allow only the minimal required inbound rules.
* Restrict access by IP range (CIDR) wherever possible (avoid <code>0.0.0.0/0</code> unless truly required).
* For step-by-step instructions and examples, see: [[Security#Security-Rules|How do I open additional ports for my instance?]]
* Note: some ports may be centrally filtered in certain regions; see [[Blocked_and_Allowed_Ports|Blocked and Allowed Ports]].

== Optional host firewall (e.g., UFW on Ubuntu) ==
Security groups are the primary inbound filter in bwCloud-OS. A host firewall can provide an additional layer (defense-in-depth), e.g., to enforce local policies on the VM.

=== Example (Ubuntu with UFW) ===
<pre>
sudo apt -y install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (ideally restrict in the bwCloud-OS security group as well)
sudo ufw allow 22/tcp

# Example: allow HTTPS if you opened 443 in the security group
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw status verbose
</pre>

''Important:'' If you block SSH on the host firewall while only having SSH access, you may lock yourself out. Always ensure SSH remains permitted (and test from your client).

== Document your configuration ==
To operate and troubleshoot securely, keep a record of your instance configuration:

* Which security groups/rules are attached (ports, protocols, CIDRs)?
* Host firewall rules (if used), SSH hardening settings, update strategy.
* Installed services and exposed endpoints.
* Where secrets are stored/managed (avoid putting secrets in shell history or plain text files).

== Plan and test a backup strategy ==
Backups are part of security (availability and recovery).

* Define what needs to be recoverable (system, application data, databases, configuration).
* Decide on backup frequency and retention (e.g., daily incremental + weekly full).
* Store backups separately from the instance (avoid a single point of failure).
* Regularly test restores (a backup that was never restored is an assumption, not a plan).

== Snapshots and images ==
Snapshots capture the state of a VM or volume at a point in time (e.g., before risky changes). They can help with rollback, but they do not automatically replace a backup strategy.

* Learn more: [[Guide:_Volumes_and_Images|Guide: Volumes and Images]]
* Recommended practice:
** Take a snapshot before major changes (OS upgrades, large configuration changes).
** Remove outdated snapshots according to your retention plan.

= SSL Certificates & Secure Services =

== Can I get SSL/TLS certificates via bwCloud-OS? ==


No, bwCloud-OS does '''not''' provide '''SSL/TLS certificates.''' However, you can obtain certificates directly from public providers like '''Let’s Encrypt''' using tools such as '''[https://certbot.eff.org/ Certbot]''', which you can install and run on your instance.

This allows you, for example, to enable '''HTTPS''' for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using [[Security#Security-Rules|security group rules]].

=Security Incidents =

== What should I do if I suspect my VM has been compromised? ==


If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps '''immediately''':

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard].'''
# '''Stop the affected instance(s).''' ''Do not delete them!'' This preserves data for further analysis.
# '''Submit a support ticket''' via the [https://bw-support.scc.kit.edu/ bwSupportPortal] with the following details:
#* Which instance(s) are potentially affected?
#* How is the suspicious behavior observed? (e.g. logs, performance, alerts)
#* What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

== Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)? ==


The '''contents and configuration of user instances are not inspected''' — we do '''not''' perform penetration tests or port scans on the instances. We also '''never look inside''' user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.

Guide: OpenStack Python SDK – Basic Usage

2026-04-27T10:13:25Z

Sia:

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing <code>Enter</code> '''twice'''.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> file.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Images ==
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID>")
</pre>

== Compute ==

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network (after detaching all ports from its subnets):

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Subnets, Routers ===

Create a subnet:

<pre>
network = conn.network.create_network(name="myNet")

subnet = conn.network.create_subnet(
name="mySubnet",
network_id=network.id,
ip_version=4,
cidr="192.168.1.0/24"
)
</pre>

Create a router:

<pre>
router = conn.network.create_router(name="myRouter")
</pre>

Attach a subnet to a router:

<pre>
conn.network.add_interface_to_router(
router,
subnet_id=subnet.id
)
</pre>

Set external gateway of a router:

<pre>
external_net = conn.network.find_network("provider_default_net")

conn.network.update_router(
router,
external_gateway_info={"network_id": external_net.id}
)
</pre>

Detach a subnet from a router:

<pre>
conn.network.remove_interface_from_router(
router,
subnet_id=subnet.id
)
</pre>

Delete a router:

<pre>
conn.network.delete_router(router.id)
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
conn.network.delete_subnet(subnet.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Programmatic Access and Automation

2026-04-27T10:06:47Z

Sia: /* How can I connect to the bwCloud-OS using the OpenStack Python SDK? */

{{InANutshell|
<li>'''Application Credentials''' enable secure, token-based access to bwCloud-OS — ideal for CLI usage and automation. </li>
<li>You can use these credentials with the '''OpenStack CLI''' to manage cloud resources from the command line.</li>
<li>You can also use the credentials with the '''OpenStack Python SDK''' to manage cloud resources programmatically from within Python scripts or applications.</li>
<li>'''Automation tools''' like '''Ansible''' or '''Terraform''' can be used for efficient deployment and configuration of instances.</li>
}}

__TOC__

= Application Credentials =

== How can I create an application credential? ==


'''Application Credentials''' (also called '''tokens''') allow access to your OpenStack project in an automated or script-based way — without requiring a password. To create one, you must have the necessary '''member privileges''' in the target project.

=== Steps to Create an Application Credential ===

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard]''' and select the correct '''region'''.
# Go to '''Identity → Application Credentials''' and click '''Create Application Credential'''.
# In the form that opens, fill out:
#* '''Name''' – a descriptive name for the credential.
#* '''Secret''' – choose a secure secret (password-like).
#* '''Expiration''' – set an (optional) expiration date.
# At the bottom of the form, click '''Create Application Credential'''.
# Download the '''''OpenRC''''' file and save it, for example as <code>my_token.sh</code>. Alternatively, you can download the file <code>'''''clouds.yaml'''''</code>.
''Make sure to protect your secret'' ''— store it securely and do not share it.''

 📌 '''Note:''' The login-based method (via the top-right menu in the '''[https://portal.bw-cloud.org/ Dashboard]''') requires a password, which is not enabled by default in bwCloud-OS.

=== Using the ''OpenRC'' file (Recommended for CLI Usage) ===
Source your credential file ''my_token.sh:''

<pre>source my_token.sh</pre>

The following command (see [[Programmatic Access and Automation#OpenStack-CLI|OpenStack CLI]]) will display the active cloud configuration, including the application credentials:
<pre>openstack configuration show</pre>

==== Optional: Ask for the Secret at Runtime ====
For added security, you can modify your <code>my_token.sh</code> file so that the secret is not stored in plain text within the file. Replace the line:

<code> export OS_APPLICATION_CREDENTIAL_SECRET=******************** </code>

with:<pre>echo "Passphrase: "
read -sr os_credential_secret_input
export OS_APPLICATION_CREDENTIAL_SECRET="$os_credential_secret_input"</pre>This way, you will be prompted for the secret each time you use the credential file.

=== Using the ''clouds.yaml'' file (Recommended for Automation) ===
A <code>'''''clouds.yaml'''''</code> file provides a convenient way to configure access to OpenStack without exporting many environment variables.
==== Example ''clouds.yaml'' ====

<pre>
clouds:
openstack:
auth:
auth_url: https://your-auth-url:5000
application_credential_id: "YOUR_ID"
application_credential_secret: "YOUR_SECRET"
region_name: "RegionOne"
interface: "public"
identity_api_version: 3
auth_type: "v3applicationcredential"
</pre>

==== Loading and Testing the Configuration ====
If this is your only cloud, you can place the file at one of the default locations:

* <code>~/.config/openstack/clouds.yaml</code>
* <code>/etc/openstack/clouds.yaml</code>

OpenStack CLI tools will automatically detect the file there.

If your file is stored in a custom location, you can specify it explicitly:

<code>export OS_CLIENT_CONFIG_FILE=/path/to/clouds.yaml</code>

In multi-cloud setups, you can define multiple entries and select one by specifying the cloud name, e.g.:

<code>export OS_CLOUD=openstack</code>

Once the above configuration is set, the following command (see [[Programmatic Access and Automation#OpenStack-CLI|OpenStack CLI]]) will display the active cloud configuration, including the application credentials:
<pre>
openstack configuration show
</pre>

= OpenStack CLI =


== How can I connect to the bwCloud-OS using the OpenStack CLI? ==


To manage your resources from the command line, you can use the '''OpenStack Client''' (<code>openstack</code> command-line tool, implemented in Python).

Installation of the client depends on your operating system, e.g. for Ubuntu (for other installation methods, see the guide [[Guide: OpenStack CLI – Basic Usage|OpenStack CLI]]):
<pre>
sudo apt install python3-openstackclient
</pre>

=== Authentication Methods ===
See the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

=== Testing the Connection ===

Run the following commands in a terminal:

<pre>
source ./my_token.sh
openstack token issue
</pre>

This will issue a new authentication token, confirming that your configuration works correctly.

== How can I perform basic operations with the OpenStack CLI? ==


For common tasks such as managing instances, volumes, and networks, see:
[[Guide: OpenStack CLI – Basic Usage]].

= OpenStack Python SDK =


== How can I connect to the bwCloud-OS using the OpenStack Python SDK? ==


To manage your resources from within Python scripts, you can use the '''OpenStack Python SDK'''.

Installation depends on your operating system, e.g. for Ubuntu (for other installation methods, see the guide [[Guide: OpenStack Python SDK – Basic Usage|OpenStack Python SDK]]):
<pre>
sudo apt install python3-openstacksdk
</pre>

=== Authentication Methods ===
See the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

For this purpose, we recommend using the <code>clouds.yaml</code> file.

=== Testing the Connection ===

Start a Python shell and run:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
conn.authorize()
token = conn.session.get_token()
print("Token:", token)
</pre>

This will issue a new authentication token, confirming that your configuration works correctly.

== How can I perform basic operations with the OpenStack SDK? ==


For common tasks such as managing instances, volumes, and networks, see:
[[Guide: OpenStack Python SDK – Basic Usage]].

= Auto-Deployment =
The following tools are commonly used for (semi-)automated provisioning of resources.

{| class="wikitable"
! Method !! Usage
|-
| [https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs Terraform] || This tool can be used to create an instance or a defined infrastructure.
|-
| [https://docs.ansible.com/ansible/latest/index.html Ansible] || Create roles or tasks for all customizations that you make in an instance.
|}

== Does bwCloud-OS provide templates for automated deployment of OpenStack instances? ==


Yes. You can use this [https://github.com/bwCloud/ansible-template Ansible template] to get started more easily.

Programmatic Access and Automation

2026-04-27T10:06:12Z

Sia:

{{InANutshell|
<li>'''Application Credentials''' enable secure, token-based access to bwCloud-OS — ideal for CLI usage and automation. </li>
<li>You can use these credentials with the '''OpenStack CLI''' to manage cloud resources from the command line.</li>
<li>You can also use the credentials with the '''OpenStack Python SDK''' to manage cloud resources programmatically from within Python scripts or applications.</li>
<li>'''Automation tools''' like '''Ansible''' or '''Terraform''' can be used for efficient deployment and configuration of instances.</li>
}}

__TOC__

= Application Credentials =

== How can I create an application credential? ==


'''Application Credentials''' (also called '''tokens''') allow access to your OpenStack project in an automated or script-based way — without requiring a password. To create one, you must have the necessary '''member privileges''' in the target project.

=== Steps to Create an Application Credential ===

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard]''' and select the correct '''region'''.
# Go to '''Identity → Application Credentials''' and click '''Create Application Credential'''.
# In the form that opens, fill out:
#* '''Name''' – a descriptive name for the credential.
#* '''Secret''' – choose a secure secret (password-like).
#* '''Expiration''' – set an (optional) expiration date.
# At the bottom of the form, click '''Create Application Credential'''.
# Download the '''''OpenRC''''' file and save it, for example as <code>my_token.sh</code>. Alternatively, you can download the file <code>'''''clouds.yaml'''''</code>.
''Make sure to protect your secret'' ''— store it securely and do not share it.''

 📌 '''Note:''' The login-based method (via the top-right menu in the '''[https://portal.bw-cloud.org/ Dashboard]''') requires a password, which is not enabled by default in bwCloud-OS.

=== Using the ''OpenRC'' file (Recommended for CLI Usage) ===
Source your credential file ''my_token.sh:''

<pre>source my_token.sh</pre>

The following command (see [[Programmatic Access and Automation#OpenStack-CLI|OpenStack CLI]]) will display the active cloud configuration, including the application credentials:
<pre>openstack configuration show</pre>

==== Optional: Ask for the Secret at Runtime ====
For added security, you can modify your <code>my_token.sh</code> file so that the secret is not stored in plain text within the file. Replace the line:

<code> export OS_APPLICATION_CREDENTIAL_SECRET=******************** </code>

with:<pre>echo "Passphrase: "
read -sr os_credential_secret_input
export OS_APPLICATION_CREDENTIAL_SECRET="$os_credential_secret_input"</pre>This way, you will be prompted for the secret each time you use the credential file.

=== Using the ''clouds.yaml'' file (Recommended for Automation) ===
A <code>'''''clouds.yaml'''''</code> file provides a convenient way to configure access to OpenStack without exporting many environment variables.
==== Example ''clouds.yaml'' ====

<pre>
clouds:
openstack:
auth:
auth_url: https://your-auth-url:5000
application_credential_id: "YOUR_ID"
application_credential_secret: "YOUR_SECRET"
region_name: "RegionOne"
interface: "public"
identity_api_version: 3
auth_type: "v3applicationcredential"
</pre>

==== Loading and Testing the Configuration ====
If this is your only cloud, you can place the file at one of the default locations:

* <code>~/.config/openstack/clouds.yaml</code>
* <code>/etc/openstack/clouds.yaml</code>

OpenStack CLI tools will automatically detect the file there.

If your file is stored in a custom location, you can specify it explicitly:

<code>export OS_CLIENT_CONFIG_FILE=/path/to/clouds.yaml</code>

In multi-cloud setups, you can define multiple entries and select one by specifying the cloud name, e.g.:

<code>export OS_CLOUD=openstack</code>

Once the above configuration is set, the following command (see [[Programmatic Access and Automation#OpenStack-CLI|OpenStack CLI]]) will display the active cloud configuration, including the application credentials:
<pre>
openstack configuration show
</pre>

= OpenStack CLI =


== How can I connect to the bwCloud-OS using the OpenStack CLI? ==


To manage your resources from the command line, you can use the '''OpenStack Client''' (<code>openstack</code> command-line tool, implemented in Python).

Installation of the client depends on your operating system, e.g. for Ubuntu (for other installation methods, see the guide [[Guide: OpenStack CLI – Basic Usage|OpenStack CLI]]):
<pre>
sudo apt install python3-openstackclient
</pre>

=== Authentication Methods ===
See the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

=== Testing the Connection ===

Run the following commands in a terminal:

<pre>
source ./my_token.sh
openstack token issue
</pre>

This will issue a new authentication token, confirming that your configuration works correctly.

== How can I perform basic operations with the OpenStack CLI? ==


For common tasks such as managing instances, volumes, and networks, see:
[[Guide: OpenStack CLI – Basic Usage]].

= OpenStack Python SDK =


== How can I connect to the bwCloud-OS using the OpenStack Python SDK? ==


To manage your resources from within Python scripts, you can use the '''OpenStack Python SDK'''.

Installation depends on your operating system, e.g. for Ubuntu (for other installation methods, see the guide: [[Guide: OpenStack Python SDK – Basic Usage|OpenStack Python SDK]]):
<pre>
sudo apt install python3-openstacksdk
</pre>

=== Authentication Methods ===
See the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

For this purpose, we recommend using the <code>clouds.yaml</code> file.

=== Testing the Connection ===

Start a Python shell and run:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
conn.authorize()
token = conn.session.get_token()
print("Token:", token)
</pre>

This will issue a new authentication token, confirming that your configuration works correctly.

== How can I perform basic operations with the OpenStack SDK? ==


For common tasks such as managing instances, volumes, and networks, see:
[[Guide: OpenStack Python SDK – Basic Usage]].

= Auto-Deployment =
The following tools are commonly used for (semi-)automated provisioning of resources.

{| class="wikitable"
! Method !! Usage
|-
| [https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs Terraform] || This tool can be used to create an instance or a defined infrastructure.
|-
| [https://docs.ansible.com/ansible/latest/index.html Ansible] || Create roles or tasks for all customizations that you make in an instance.
|}

== Does bwCloud-OS provide templates for automated deployment of OpenStack instances? ==


Yes. You can use this [https://github.com/bwCloud/ansible-template Ansible template] to get started more easily.

Programmatic Access and Automation

2026-04-27T10:05:00Z

Sia:

{{InANutshell|
<li>'''Application Credentials''' enable secure, token-based access to bwCloud-OS — ideal for CLI usage and automation. </li>
<li>You can use these credentials with the '''OpenStack CLI''' to manage cloud resources from the command line.</li>
<li>You can also use the credentials with the '''OpenStack Python SDK''' to manage cloud resources programmatically from within Python scripts or applications.</li>
<li>'''Automation tools''' like '''Ansible''' or '''Terraform''' can be used for efficient deployment and configuration of instances.</li>
}}

__TOC__

= Application Credentials =

== How can I create an application credential? ==


'''Application Credentials''' (also called '''tokens''') allow access to your OpenStack project in an automated or script-based way — without requiring a password. To create one, you must have the necessary '''member privileges''' in the target project.

=== Steps to Create an Application Credential ===

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard]''' and select the correct '''region'''.
# Go to '''Identity → Application Credentials''' and click '''Create Application Credential'''.
# In the form that opens, fill out:
#* '''Name''' – a descriptive name for the credential.
#* '''Secret''' – choose a secure secret (password-like).
#* '''Expiration''' – set an (optional) expiration date.
# At the bottom of the form, click '''Create Application Credential'''.
# Download the '''''OpenRC''''' file and save it, for example as <code>my_token.sh</code>. Alternatively, you can download the file <code>'''''clouds.yaml'''''</code>.
''Make sure to protect your secret'' ''— store it securely and do not share it.''

 📌 '''Note:''' The login-based method (via the top-right menu in the '''[https://portal.bw-cloud.org/ Dashboard]''') requires a password, which is not enabled by default in bwCloud-OS.

=== Using the ''OpenRC'' file (Recommended for CLI Usage) ===
Source your credential file ''my_token.sh:''

<pre>source my_token.sh</pre>

The following command (see [[Programmatic Access and Automation#OpenStack-CLI|OpenStack CLI]]) will display the active cloud configuration, including the application credentials:
<pre>openstack configuration show</pre>

==== Optional: Ask for the Secret at Runtime ====
For added security, you can modify your <code>my_token.sh</code> file so that the secret is not stored in plain text within the file. Replace the line:

<code> export OS_APPLICATION_CREDENTIAL_SECRET=******************** </code>

with:<pre>echo "Passphrase: "
read -sr os_credential_secret_input
export OS_APPLICATION_CREDENTIAL_SECRET="$os_credential_secret_input"</pre>This way, you will be prompted for the secret each time you use the credential file.

=== Using the ''clouds.yaml'' file (Recommended for Automation) ===
A <code>'''''clouds.yaml'''''</code> file provides a convenient way to configure access to OpenStack without exporting many environment variables.
==== Example ''clouds.yaml'' ====

<pre>
clouds:
openstack:
auth:
auth_url: https://your-auth-url:5000
application_credential_id: "YOUR_ID"
application_credential_secret: "YOUR_SECRET"
region_name: "RegionOne"
interface: "public"
identity_api_version: 3
auth_type: "v3applicationcredential"
</pre>

==== Loading and Testing the Configuration ====
If this is your only cloud, you can place the file at one of the default locations:

* <code>~/.config/openstack/clouds.yaml</code>
* <code>/etc/openstack/clouds.yaml</code>

OpenStack CLI tools will automatically detect the file there.

If your file is stored in a custom location, you can specify it explicitly:

<code>export OS_CLIENT_CONFIG_FILE=/path/to/clouds.yaml</code>

In multi-cloud setups, you can define multiple entries and select one by specifying the cloud name, e.g.:

<code>export OS_CLOUD=openstack</code>

Once the above configuration is set, the following command (see [[Programmatic Access and Automation#OpenStack-CLI|OpenStack CLI]]) will display the active cloud configuration, including the application credentials:
<pre>
openstack configuration show
</pre>

= OpenStack CLI =


== How can I connect to the bwCloud-OS using the OpenStack CLI? ==


To manage your resources from the command line, you can use the '''OpenStack Client''' (<code>openstack</code> command-line tool, implemented in Python).

Installation of the client depends on your operating system, e.g. for Ubuntu (for other installation methods, see the guide [[Guide: OpenStack CLI – Basic Usage|OpenStack CLI]]):
<pre>
sudo apt install python3-openstackclient
</pre>

=== Authentication Methods ===
See the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

=== Testing the Connection ===

Run the following commands in a terminal:

<pre>
source ./my_token.sh
openstack token issue
</pre>

This will issue a new authentication token, confirming that your configuration works correctly.

== How can I perform basic operations with the OpenStack CLI? ==


For common tasks such as managing instances, volumes, and networks, see:
[[Guide: OpenStack CLI – Basic Usage]].

= OpenStack Python SDK =


== How can I connect to the bwCloud-OS using the OpenStack Python SDK? ==


To manage your resources from within Python scripts, you can use the '''OpenStack Python SDK'''.

Installation depends on your operating system, e.g. for Ubuntu (for other installation methods, see: [[Guide: OpenStack Python SDK – Basic Usage]]):
<pre>
sudo apt install python3-openstacksdk
</pre>

=== Authentication Methods ===
See the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

For this purpose, we recommend using the <code>clouds.yaml</code> file.

=== Testing the Connection ===

Start a Python shell and run:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
conn.authorize()
token = conn.session.get_token()
print("Token:", token)
</pre>

This will issue a new authentication token, confirming that your configuration works correctly.

== How can I perform basic operations with the OpenStack SDK? ==


For common tasks such as managing instances, volumes, and networks, see:
[[Guide: OpenStack Python SDK – Basic Usage]].

= Auto-Deployment =
The following tools are commonly used for (semi-)automated provisioning of resources.

{| class="wikitable"
! Method !! Usage
|-
| [https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs Terraform] || This tool can be used to create an instance or a defined infrastructure.
|-
| [https://docs.ansible.com/ansible/latest/index.html Ansible] || Create roles or tasks for all customizations that you make in an instance.
|}

== Does bwCloud-OS provide templates for automated deployment of OpenStack instances? ==


Yes. You can use this [https://github.com/bwCloud/ansible-template Ansible template] to get started more easily.

Guide: OpenStack CLI – Basic Usage

2026-04-26T15:57:07Z

Sia:

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack CLI. It covers the most common operations for compute, storage, and networking.

__TOC__

== Prerequisites ==
Install the OpenStack client, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstackclient
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstackclient_venv
source openstackclient_venv/bin/activate
pip install python-openstackclient
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].



== Images ==

List available images:

<pre>
openstack image list
</pre>

Upload a new image:

<pre>
openstack image create ubuntu-24.04 \
--file=/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img \
--disk-format=qcow2 \
--container-format=bare
</pre>

Show image details:

<pre>
openstack image show <IMAGE_ID>
</pre>

Delete an image:

<pre>
openstack image delete <IMAGE_ID>
</pre>

== Compute ==

=== Key Pairs (SSH Access) ===

Create a key pair:

<pre>
openstack keypair create myKey > myKey.pem
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
openstack keypair list
</pre>

Delete a key pair:

<pre>
openstack keypair delete myKey
</pre>

=== Instances ===

List instances:

<pre>
openstack server list
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
openstack server create \
--image ubuntu-24.04 \
--flavor p1.tiny \
--network myNet \
--key-name myKey \
myVM
</pre>

Show details of an instance:

<pre>
openstack server show myVM
</pre>

Delete an instance:

<pre>
openstack server delete myVM
</pre>

== Storage==

=== Volumes ===

List volumes:

<pre>
openstack volume list
</pre>

Create a volume (size in GB):

<pre>
openstack volume create --size 10 myVolume
</pre>

Delete a volume:

<pre>
openstack volume delete myVolume
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
openstack server add volume myVM myVolume
</pre>

Detach a volume from an instance:

<pre>
openstack server remove volume myVM myVolume
</pre>

== Networking ==

=== Networks ===

List networks:

<pre>
openstack network list
</pre>

Create a network:

<pre>
openstack network create myNet
</pre>

Delete a network (after detaching all ports from its subnets):

<pre>
openstack network delete myNet
</pre>

=== Subnets, Routers ===
Create a subnet:

<pre>
openstack subnet create mySubnet \
--network myNet \
--subnet-range 192.168.1.0/24
</pre>

Create a router:

<pre>
openstack router create myRouter
</pre>

Attach a subnet to a router:

<pre>
openstack router add subnet myRouter mySubnet
</pre>

Set external gateway of a router:

<pre>
openstack router set myRouter --external-gateway provider_default_net
</pre>

Detach a subnet from a router:

<pre>
openstack router remove subnet myRouter mySubnet
</pre>

Delete a router:

<pre>
openstack router delete myRouter
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
openstack subnet delete mySubnet

</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>openstack floating ip create provider_default_net</pre>

List floating IPs:

<pre>
openstack floating ip list
</pre>

Associate a floating IP with an instance:

<pre>
openstack server add floating ip myVM <FLOATING_IP>
</pre>

Disassociate a floating IP from an instance:

<pre>
openstack server remove floating ip myVM <FLOATING_IP>
</pre>

Release (delete) a floating IP:
<pre>
openstack floating ip delete <FLOATING_IP>
</pre>

=== Security Groups ===

List security groups:

<pre>
openstack security group list
</pre>

Create a security group:

<pre>
openstack security group create mySecGroup
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
openstack security group rule create \
--ingress \
--proto tcp \
--dst-port 80 \
--ethertype IPv4 \
mySecGroup
</pre>

Assign security group to an instance:

<pre>
openstack server add security group myVM mySecGroup
</pre>

Remove security group from an instance:

<pre>
openstack server remove security group myVM mySecGroup
</pre>

Delete a security group:

<pre>
openstack security group delete mySecGroup
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T15:54:59Z

Sia: /* Basic Connection */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter '''twice'''.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> file.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Images ==
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID>")
</pre>

== Compute ==

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network (after detaching all ports from its subnets):

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Subnets, Routers ===

Create a subnet:

<pre>
network = conn.network.create_network(name="myNet")

subnet = conn.network.create_subnet(
name="mySubnet",
network_id=network.id,
ip_version=4,
cidr="192.168.1.0/24"
)
</pre>

Create a router:

<pre>
router = conn.network.create_router(name="myRouter")
</pre>

Attach a subnet to a router:

<pre>
conn.network.add_interface_to_router(
router,
subnet_id=subnet.id
)
</pre>

Set external gateway of a router:

<pre>
external_net = conn.network.find_network("provider_default_net")

conn.network.update_router(
router,
external_gateway_info={"network_id": external_net.id}
)
</pre>

Detach a subnet from a router:

<pre>
conn.network.remove_interface_from_router(
router,
subnet_id=subnet.id
)
</pre>

Delete a router:

<pre>
conn.network.delete_router(router.id)
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
conn.network.delete_subnet(subnet.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T15:54:43Z

Sia:

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter '''twice'''.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> file.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Images ==
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID>")
</pre>

== Compute ==

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network (after detaching all ports from its subnets):

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Subnets, Routers ===

Create a subnet:

<pre>
network = conn.network.create_network(name="myNet")

subnet = conn.network.create_subnet(
name="mySubnet",
network_id=network.id,
ip_version=4,
cidr="192.168.1.0/24"
)
</pre>

Create a router:

<pre>
router = conn.network.create_router(name="myRouter")
</pre>

Attach a subnet to a router:

<pre>
conn.network.add_interface_to_router(
router,
subnet_id=subnet.id
)
</pre>

Set external gateway of a router:

<pre>
external_net = conn.network.find_network("provider_default_net")

conn.network.update_router(
router,
external_gateway_info={"network_id": external_net.id}
)
</pre>

Detach a subnet from a router:

<pre>
conn.network.remove_interface_from_router(
router,
subnet_id=subnet.id
)
</pre>

Delete a router:

<pre>
conn.network.delete_router(router.id)
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
conn.network.delete_subnet(subnet.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:58:34Z

Sia:

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter '''twice'''.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> file.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network (after detaching all ports from its subnets):

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Subnets, Routers ===

Create a subnet:

<pre>
network = conn.network.create_network(name="myNet")

subnet = conn.network.create_subnet(
name="mySubnet",
network_id=network.id,
ip_version=4,
cidr="192.168.1.0/24"
)
</pre>

Create a router:

<pre>
router = conn.network.create_router(name="myRouter")
</pre>

Attach a subnet to a router:

<pre>
conn.network.add_interface_to_router(
router,
subnet_id=subnet.id
)
</pre>

Set external gateway of a router:

<pre>
external_net = conn.network.find_network("provider_default_net")

conn.network.update_router(
router,
external_gateway_info={"network_id": external_net.id}
)
</pre>

Detach a subnet from a router:

<pre>
conn.network.remove_interface_from_router(
router,
subnet_id=subnet.id
)
</pre>

Delete a router:

<pre>
conn.network.delete_router(router.id)
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
conn.network.delete_subnet(subnet.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:57:12Z

Sia: /* Authentication */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> file.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network (after detaching all ports from its subnets):

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Subnets, Routers ===

Create a subnet:

<pre>
network = conn.network.create_network(name="myNet")

subnet = conn.network.create_subnet(
name="mySubnet",
network_id=network.id,
ip_version=4,
cidr="192.168.1.0/24"
)
</pre>

Create a router:

<pre>
router = conn.network.create_router(name="myRouter")
</pre>

Attach a subnet to a router:

<pre>
conn.network.add_interface_to_router(
router,
subnet_id=subnet.id
)
</pre>

Set external gateway of a router:

<pre>
external_net = conn.network.find_network("provider_default_net")

conn.network.update_router(
router,
external_gateway_info={"network_id": external_net.id}
)
</pre>

Detach a subnet from a router:

<pre>
conn.network.remove_interface_from_router(
router,
subnet_id=subnet.id
)
</pre>

Delete a router:

<pre>
conn.network.delete_router(router.id)
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
conn.network.delete_subnet(subnet.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:53:29Z

Sia:

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network (after detaching all ports from its subnets):

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Subnets, Routers ===

Create a subnet:

<pre>
network = conn.network.create_network(name="myNet")

subnet = conn.network.create_subnet(
name="mySubnet",
network_id=network.id,
ip_version=4,
cidr="192.168.1.0/24"
)
</pre>

Create a router:

<pre>
router = conn.network.create_router(name="myRouter")
</pre>

Attach a subnet to a router:

<pre>
conn.network.add_interface_to_router(
router,
subnet_id=subnet.id
)
</pre>

Set external gateway of a router:

<pre>
external_net = conn.network.find_network("provider_default_net")

conn.network.update_router(
router,
external_gateway_info={"network_id": external_net.id}
)
</pre>

Detach a subnet from a router:

<pre>
conn.network.remove_interface_from_router(
router,
subnet_id=subnet.id
)
</pre>

Delete a router:

<pre>
conn.network.delete_router(router.id)
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
conn.network.delete_subnet(subnet.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:53:07Z

Sia: /* Networking */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network (after detaching all ports from its subnets):

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Subnets, Routers ===

Create a subnet:

<pre>
network = conn.network.create_network(name="myNet")

subnet = conn.network.create_subnet(
name="mySubnet",
network_id=network.id,
ip_version=4,
cidr="192.168.1.0/24"
)
</pre>

Create a router:

<pre>
router = conn.network.create_router(name="myRouter")
</pre>

Attach a subnet to a router:

<pre>
conn.network.add_interface_to_router(
router,
subnet_id=subnet.id
)
</pre>

Set external gateway of a router:

<pre>
external_net = conn.network.find_network("provider_default_net")

conn.network.update_router(
router,
external_gateway_info={"network_id": external_net.id}
)
</pre>

Detach a subnet from a router:

<pre>
conn.network.remove_interface_from_router(
router,
subnet_id=subnet.id
)
</pre>

Delete a router:

<pre>
conn.network.delete_router(router.id)
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
conn.network.delete_subnet(subnet.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:48:16Z

Sia: /* Subnets, Routers */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Subnets, Routers ===

Create a subnet:

<pre>
network = conn.network.create_network(name="myNet")

subnet = conn.network.create_subnet(
name="mySubnet",
network_id=network.id,
ip_version=4,
cidr="192.168.1.0/24"
)
</pre>

Create a router:

<pre>
router = conn.network.create_router(name="myRouter")
</pre>

Attach a subnet to a router:

<pre>
conn.network.add_interface_to_router(
router,
subnet_id=subnet.id
)
</pre>

Set external gateway of a router:

<pre>
external_net = conn.network.find_network("provider_default_net")

conn.network.update_router(
router,
external_gateway_info={"network_id": external_net.id}
)
</pre>

Detach a subnet from a router:

<pre>
conn.network.remove_interface_from_router(
router,
subnet_id=subnet.id
)
</pre>

Delete a router:

<pre>
conn.network.delete_router(router.id)
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
conn.network.delete_subnet(subnet.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:47:42Z

Sia:

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Subnets, Routers ===
Create a subnet:

<pre>
openstack subnet create mySubnet \
--network myNet \
--subnet-range 192.168.1.0/24
</pre>

Create a router:

<pre>
openstack router create myRouter
</pre>

Attach a subnet to a router:

<pre>
openstack router add subnet myRouter mySubnet
</pre>

Set external gateway of a router:

<pre>
openstack router set myRouter --external-gateway provider_default_net
</pre>

Detach a subnet from a router:

<pre>
openstack router remove subnet myRouter mySubnet
</pre>

Delete a router:

<pre>
openstack router delete myRouter
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
openstack subnet delete mySubnet

</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack CLI – Basic Usage

2026-04-26T14:44:41Z

Sia: /* Images */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack CLI. It covers the most common operations for compute, storage, and networking.

__TOC__

== Prerequisites ==
Install the OpenStack client, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstackclient
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstackclient_venv
source openstackclient_venv/bin/activate
pip install python-openstackclient
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].



== Compute ==

=== Images ===

List available images:

<pre>
openstack image list
</pre>

Upload a new image:

<pre>
openstack image create ubuntu-24.04 \
--file=/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img \
--disk-format=qcow2 \
--container-format=bare
</pre>

Show image details:

<pre>
openstack image show <IMAGE_ID>
</pre>

Delete an image:

<pre>
openstack image delete <IMAGE_ID>
</pre>

=== Key Pairs (SSH Access) ===

Create a key pair:

<pre>
openstack keypair create myKey > myKey.pem
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
openstack keypair list
</pre>

Delete a key pair:

<pre>
openstack keypair delete myKey
</pre>

=== Instances ===

List instances:

<pre>
openstack server list
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
openstack server create \
--image ubuntu-24.04 \
--flavor p1.tiny \
--network myNet \
--key-name myKey \
myVM
</pre>

Show details of an instance:

<pre>
openstack server show myVM
</pre>

Delete an instance:

<pre>
openstack server delete myVM
</pre>

== Storage==

=== Volumes ===

List volumes:

<pre>
openstack volume list
</pre>

Create a volume (size in GB):

<pre>
openstack volume create --size 10 myVolume
</pre>

Delete a volume:

<pre>
openstack volume delete myVolume
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
openstack server add volume myVM myVolume
</pre>

Detach a volume from an instance:

<pre>
openstack server remove volume myVM myVolume
</pre>

== Networking ==

=== Networks ===

List networks:

<pre>
openstack network list
</pre>

Create a network:

<pre>
openstack network create myNet
</pre>

Delete a network (after detaching all ports from its subnets):

<pre>
openstack network delete myNet
</pre>

=== Subnets, Routers ===
Create a subnet:

<pre>
openstack subnet create mySubnet \
--network myNet \
--subnet-range 192.168.1.0/24
</pre>

Create a router:

<pre>
openstack router create myRouter
</pre>

Attach a subnet to a router:

<pre>
openstack router add subnet myRouter mySubnet
</pre>

Set external gateway of a router:

<pre>
openstack router set myRouter --external-gateway provider_default_net
</pre>

Detach a subnet from a router:

<pre>
openstack router remove subnet myRouter mySubnet
</pre>

Delete a router:

<pre>
openstack router delete myRouter
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
openstack subnet delete mySubnet

</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>openstack floating ip create provider_default_net</pre>

List floating IPs:

<pre>
openstack floating ip list
</pre>

Associate a floating IP with an instance:

<pre>
openstack server add floating ip myVM <FLOATING_IP>
</pre>

Disassociate a floating IP from an instance:

<pre>
openstack server remove floating ip myVM <FLOATING_IP>
</pre>

Release (delete) a floating IP:
<pre>
openstack floating ip delete <FLOATING_IP>
</pre>

=== Security Groups ===

List security groups:

<pre>
openstack security group list
</pre>

Create a security group:

<pre>
openstack security group create mySecGroup
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
openstack security group rule create \
--ingress \
--proto tcp \
--dst-port 80 \
--ethertype IPv4 \
mySecGroup
</pre>

Assign security group to an instance:

<pre>
openstack server add security group myVM mySecGroup
</pre>

Remove security group from an instance:

<pre>
openstack server remove security group myVM mySecGroup
</pre>

Delete a security group:

<pre>
openstack security group delete mySecGroup
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:44:11Z

Sia: /* Images */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:41:33Z

Sia: /* Security Groups */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack CLI – Basic Usage

2026-04-26T14:40:18Z

Sia: /* Security Groups */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack CLI. It covers the most common operations for compute, storage, and networking.

__TOC__

== Prerequisites ==
Install the OpenStack client, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstackclient
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstackclient_venv
source openstackclient_venv/bin/activate
pip install python-openstackclient
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].



== Compute ==

=== Images ===

List available images:

<pre>
openstack image list
</pre>

Upload a new image:

<pre>
openstack image create ubuntu-24.04 \
--file=/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img \
--disk-format=qcow2 \
--container-format=bare
</pre>

Show image details:

<pre>
openstack image show <IMAGE_ID>
</pre>

Delete an image:

<pre>
openstack image delete <IMAGE_ID_OR_NAME>
</pre>

=== Key Pairs (SSH Access) ===

Create a key pair:

<pre>
openstack keypair create myKey > myKey.pem
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
openstack keypair list
</pre>

Delete a key pair:

<pre>
openstack keypair delete myKey
</pre>

=== Instances ===

List instances:

<pre>
openstack server list
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
openstack server create \
--image ubuntu-24.04 \
--flavor p1.tiny \
--network myNet \
--key-name myKey \
myVM
</pre>

Show details of an instance:

<pre>
openstack server show myVM
</pre>

Delete an instance:

<pre>
openstack server delete myVM
</pre>

== Storage==

=== Volumes ===

List volumes:

<pre>
openstack volume list
</pre>

Create a volume (size in GB):

<pre>
openstack volume create --size 10 myVolume
</pre>

Delete a volume:

<pre>
openstack volume delete myVolume
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
openstack server add volume myVM myVolume
</pre>

Detach a volume from an instance:

<pre>
openstack server remove volume myVM myVolume
</pre>

== Networking ==

=== Networks ===

List networks:

<pre>
openstack network list
</pre>

Create a network:

<pre>
openstack network create myNet
</pre>

Delete a network (after detaching all ports from its subnets):

<pre>
openstack network delete myNet
</pre>

=== Subnets, Routers ===
Create a subnet:

<pre>
openstack subnet create mySubnet \
--network myNet \
--subnet-range 192.168.1.0/24
</pre>

Create a router:

<pre>
openstack router create myRouter
</pre>

Attach a subnet to a router:

<pre>
openstack router add subnet myRouter mySubnet
</pre>

Set external gateway of a router:

<pre>
openstack router set myRouter --external-gateway provider_default_net
</pre>

Detach a subnet from a router:

<pre>
openstack router remove subnet myRouter mySubnet
</pre>

Delete a router:

<pre>
openstack router delete myRouter
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
openstack subnet delete mySubnet

</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>openstack floating ip create provider_default_net</pre>

List floating IPs:

<pre>
openstack floating ip list
</pre>

Associate a floating IP with an instance:

<pre>
openstack server add floating ip myVM <FLOATING_IP>
</pre>

Disassociate a floating IP from an instance:

<pre>
openstack server remove floating ip myVM <FLOATING_IP>
</pre>

Release (delete) a floating IP:
<pre>
openstack floating ip delete <FLOATING_IP>
</pre>

=== Security Groups ===

List security groups:

<pre>
openstack security group list
</pre>

Create a security group:

<pre>
openstack security group create mySecGroup
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
openstack security group rule create \
--ingress \
--proto tcp \
--dst-port 80 \
--ethertype IPv4 \
mySecGroup
</pre>

Assign security group to an instance:

<pre>
openstack server add security group myVM mySecGroup
</pre>

Remove security group from an instance:

<pre>
openstack server remove security group myVM mySecGroup
</pre>

Delete a security group:

<pre>
openstack security group delete mySecGroup
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:36:52Z

Sia:

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:35:50Z

Sia: /* Floating IPs */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)
</pre>

Disassociate a floating IP:

<pre>
conn.network.update_ip(fip, port_id=None)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:30:13Z

Sia: /* Floating IPs */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
port = list(conn.network.ports(device_id=server.id))[0]
conn.network.update_ip(fip, port_id=port.id)

Disassociate a floating IP:

<pre>
conn.compute.remove_floating_ip_from_server(server, fip.floating_ip_address)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:20:32Z

Sia: /* Floating IPs */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

List floating IPs:

<pre>
for fip in conn.network.ips():
print(fip.floating_ip_address, fip.status, fip.port_id)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_floating_ip_to_server(server, fip.floating_ip_address)
</pre>

Disassociate a floating IP:

<pre>
conn.compute.remove_floating_ip_from_server(server, fip.floating_ip_address)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:18:03Z

Sia: /* Floating IPs */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_floating_ip_to_server(server, fip.floating_ip_address)
</pre>

Disassociate a floating IP:

<pre>
conn.compute.remove_floating_ip_from_server(server, fip.floating_ip_address)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T14:12:37Z

Sia: /* Instances */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Show details of an instance:

<pre>
server = conn.compute.find_server("myVM")
if server is None:
raise ValueError("Server 'myVM' not found")

server = conn.compute.get_server(server.id)
print(server)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP:

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_floating_ip_to_server(server, fip.floating_ip_address)
</pre>

Disassociate a floating IP:

<pre>
conn.compute.remove_floating_ip_from_server(server, fip.floating_ip_address)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T13:59:03Z

Sia: /* Compute */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
import os

image_path = "/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img"
if not os.path.isfile(image_path):
raise FileNotFoundError(f"Image file not found: {image_path}")

with open(image_path, "rb") as img:
image = conn.image.upload_image(
name="ubuntu-24.04",
data=img,
disk_format="qcow2",
container_format="bare"
)

print("Image ID:", image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP:

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_floating_ip_to_server(server, fip.floating_ip_address)
</pre>

Disassociate a floating IP:

<pre>
conn.compute.remove_floating_ip_from_server(server, fip.floating_ip_address)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T13:45:31Z

Sia:

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

'''Note:''' In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
image = conn.image.upload_image(
name="ubuntu-24.04",
filename="/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img",
disk_format="qcow2",
container_format="bare"
)
print(image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP:

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_floating_ip_to_server(server, fip.floating_ip_address)
</pre>

Disassociate a floating IP:

<pre>
conn.compute.remove_floating_ip_from_server(server, fip.floating_ip_address)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T13:43:43Z

Sia:

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

{{Note| In the interactive Python shell, multi-line blocks (e.g., loops or function definitions) are executed after pressing Enter twice.}}

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
image = conn.image.upload_image(
name="ubuntu-24.04",
filename="/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img",
disk_format="qcow2",
container_format="bare"
)
print(image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP:

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_floating_ip_to_server(server, fip.floating_ip_address)
</pre>

Disassociate a floating IP:

<pre>
conn.compute.remove_floating_ip_from_server(server, fip.floating_ip_address)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack CLI – Basic Usage

2026-04-26T13:38:18Z

Sia: /* Security Groups */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack CLI. It covers the most common operations for compute, storage, and networking.

__TOC__

== Prerequisites ==
Install the OpenStack client, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstackclient
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstackclient_venv
source openstackclient_venv/bin/activate
pip install python-openstackclient
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].



== Compute ==

=== Images ===

List available images:

<pre>
openstack image list
</pre>

Upload a new image:

<pre>
openstack image create ubuntu-24.04 \
--file=/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img \
--disk-format=qcow2 \
--container-format=bare
</pre>

Show image details:

<pre>
openstack image show <IMAGE_ID>
</pre>

Delete an image:

<pre>
openstack image delete <IMAGE_ID_OR_NAME>
</pre>

=== Key Pairs (SSH Access) ===

Create a key pair:

<pre>
openstack keypair create myKey > myKey.pem
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
openstack keypair list
</pre>

Delete a key pair:

<pre>
openstack keypair delete myKey
</pre>

=== Instances ===

List instances:

<pre>
openstack server list
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
openstack server create \
--image ubuntu-24.04 \
--flavor p1.tiny \
--network myNet \
--key-name myKey \
myVM
</pre>

Show details of an instance:

<pre>
openstack server show myVM
</pre>

Delete an instance:

<pre>
openstack server delete myVM
</pre>

== Storage==

=== Volumes ===

List volumes:

<pre>
openstack volume list
</pre>

Create a volume (size in GB):

<pre>
openstack volume create --size 10 myVolume
</pre>

Delete a volume:

<pre>
openstack volume delete myVolume
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
openstack server add volume myVM myVolume
</pre>

Detach a volume from an instance:

<pre>
openstack server remove volume myVM myVolume
</pre>

== Networking ==

=== Networks ===

List networks:

<pre>
openstack network list
</pre>

Create a network:

<pre>
openstack network create myNet
</pre>

Delete a network (after detaching all ports from its subnets):

<pre>
openstack network delete myNet
</pre>

=== Subnets, Routers ===
Create a subnet:

<pre>
openstack subnet create mySubnet \
--network myNet \
--subnet-range 192.168.1.0/24
</pre>

Create a router:

<pre>
openstack router create myRouter
</pre>

Attach a subnet to a router:

<pre>
openstack router add subnet myRouter mySubnet
</pre>

Set external gateway of a router:

<pre>
openstack router set myRouter --external-gateway provider_default_net
</pre>

Detach a subnet from a router:

<pre>
openstack router remove subnet myRouter mySubnet
</pre>

Delete a router:

<pre>
openstack router delete myRouter
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
openstack subnet delete mySubnet

</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>openstack floating ip create provider_default_net</pre>

List floating IPs:

<pre>
openstack floating ip list
</pre>

Associate a floating IP with an instance:

<pre>
openstack server add floating ip myVM <FLOATING_IP>
</pre>

Disassociate a floating IP from an instance:

<pre>
openstack server remove floating ip myVM <FLOATING_IP>
</pre>

Release (delete) a floating IP:
<pre>
openstack floating ip delete <FLOATING_IP>
</pre>

=== Security Groups ===

List security groups:

<pre>
openstack security group list
</pre>

Create a security group:

<pre>
openstack security group create mySecGroup
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
openstack security group rule create \
--ingress \
--proto tcp \
--dst-port 80 \
--ethertype IPv4 \
mySecGroup
</pre>

Assign security group to instance:

<pre>
openstack server add security group myVM mySecGroup
</pre>

Remove security group from instance:

<pre>
openstack server remove security group myVM mySecGroup
</pre>

Delete a security group:

<pre>
openstack security group delete mySecGroup
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T13:38:16Z

Sia: /* Security Groups */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
image = conn.image.upload_image(
name="ubuntu-24.04",
filename="/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img",
disk_format="qcow2",
container_format="bare"
)
print(image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP:

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_floating_ip_to_server(server, fip.floating_ip_address)
</pre>

Disassociate a floating IP:

<pre>
conn.compute.remove_floating_ip_from_server(server, fip.floating_ip_address)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
direction="ingress",
protocol="tcp",
port_range_min=80,
port_range_max=80,
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack CLI – Basic Usage

2026-04-26T13:33:45Z

Sia: /* Floating IPs */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack CLI. It covers the most common operations for compute, storage, and networking.

__TOC__

== Prerequisites ==
Install the OpenStack client, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstackclient
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstackclient_venv
source openstackclient_venv/bin/activate
pip install python-openstackclient
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].



== Compute ==

=== Images ===

List available images:

<pre>
openstack image list
</pre>

Upload a new image:

<pre>
openstack image create ubuntu-24.04 \
--file=/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img \
--disk-format=qcow2 \
--container-format=bare
</pre>

Show image details:

<pre>
openstack image show <IMAGE_ID>
</pre>

Delete an image:

<pre>
openstack image delete <IMAGE_ID_OR_NAME>
</pre>

=== Key Pairs (SSH Access) ===

Create a key pair:

<pre>
openstack keypair create myKey > myKey.pem
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
openstack keypair list
</pre>

Delete a key pair:

<pre>
openstack keypair delete myKey
</pre>

=== Instances ===

List instances:

<pre>
openstack server list
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
openstack server create \
--image ubuntu-24.04 \
--flavor p1.tiny \
--network myNet \
--key-name myKey \
myVM
</pre>

Show details of an instance:

<pre>
openstack server show myVM
</pre>

Delete an instance:

<pre>
openstack server delete myVM
</pre>

== Storage==

=== Volumes ===

List volumes:

<pre>
openstack volume list
</pre>

Create a volume (size in GB):

<pre>
openstack volume create --size 10 myVolume
</pre>

Delete a volume:

<pre>
openstack volume delete myVolume
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
openstack server add volume myVM myVolume
</pre>

Detach a volume from an instance:

<pre>
openstack server remove volume myVM myVolume
</pre>

== Networking ==

=== Networks ===

List networks:

<pre>
openstack network list
</pre>

Create a network:

<pre>
openstack network create myNet
</pre>

Delete a network (after detaching all ports from its subnets):

<pre>
openstack network delete myNet
</pre>

=== Subnets, Routers ===
Create a subnet:

<pre>
openstack subnet create mySubnet \
--network myNet \
--subnet-range 192.168.1.0/24
</pre>

Create a router:

<pre>
openstack router create myRouter
</pre>

Attach a subnet to a router:

<pre>
openstack router add subnet myRouter mySubnet
</pre>

Set external gateway of a router:

<pre>
openstack router set myRouter --external-gateway provider_default_net
</pre>

Detach a subnet from a router:

<pre>
openstack router remove subnet myRouter mySubnet
</pre>

Delete a router:

<pre>
openstack router delete myRouter
</pre>

Delete a subnet (after detaching all ports from the subnet):

<pre>
openstack subnet delete mySubnet

</pre>

=== Floating IPs ===

Create a floating IP (requires access to the provider network):

<pre>openstack floating ip create provider_default_net</pre>

List floating IPs:

<pre>
openstack floating ip list
</pre>

Associate a floating IP with an instance:

<pre>
openstack server add floating ip myVM <FLOATING_IP>
</pre>

Disassociate a floating IP from an instance:

<pre>
openstack server remove floating ip myVM <FLOATING_IP>
</pre>

Release (delete) a floating IP:
<pre>
openstack floating ip delete <FLOATING_IP>
</pre>

=== Security Groups ===

List security groups:

<pre>
openstack security group list
</pre>

Create a security group:

<pre>
openstack security group create mySecGroup
</pre>

Add a rule to a security group (e.g., HTTP access via port 80):

<pre>
openstack security group rule create \
--proto tcp \
--dst-port 80 \
--ingress \
mySecGroup
</pre>

Assign security group to instance:

<pre>
openstack server add security group myVM mySecGroup
</pre>

Remove security group from instance:

<pre>
openstack server remove security group myVM mySecGroup
</pre>

Delete a security group:

<pre>
openstack security group delete mySecGroup
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T13:33:21Z

Sia: /* Floating IPs */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
image = conn.image.upload_image(
name="ubuntu-24.04",
filename="/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img",
disk_format="qcow2",
container_format="bare"
)
print(image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP:

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_floating_ip_to_server(server, fip.floating_ip_address)
</pre>

Disassociate a floating IP:

<pre>
conn.compute.remove_floating_ip_from_server(server, fip.floating_ip_address)
</pre>

Release (delete) a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
protocol="tcp",
port_range_min=80,
port_range_max=80,
direction="ingress",
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T13:32:50Z

Sia: /* Volume Management for Instances */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
image = conn.image.upload_image(
name="ubuntu-24.04",
filename="/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img",
disk_format="qcow2",
container_format="bare"
)
print(image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume from an instance:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP:

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_floating_ip_to_server(server, fip.floating_ip_address)
</pre>

Disassociate a floating IP:

<pre>
conn.compute.remove_floating_ip_from_server(server, fip.floating_ip_address)
</pre>

Delete a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
protocol="tcp",
port_range_min=80,
port_range_max=80,
direction="ingress",
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>

Guide: OpenStack Python SDK – Basic Usage

2026-04-26T13:31:11Z

Sia: /* Security Groups */

This guide provides a quick introduction to managing your bwCloud-OS resources using the OpenStack Python SDK. It covers the most common operations for compute, storage, and networking.

In the following, we demonstrate the routines using an interactive Python shell. In practice, these routines are typically used within Python scripts.

__TOC__

== Prerequisites ==
Install the OpenStack SDK, e.g. for Ubuntu:

<pre>
sudo apt install python3-openstacksdk
</pre>

Alternatively, you can install it via <code>pip</code> (preferably inside a virtual environment):

<pre>
python3 -m venv openstacksdk_venv
source openstacksdk_venv/bin/activate
pip install openstacksdk
</pre>

== Authentication ==
You can either:

* source an OpenRC file, or
* use a <code>clouds.yaml</code> file
For details, see the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].

In the following, we use the <code>clouds.yaml</code> method.

== Basic Connection ==
Create a connection in Python:

<pre>
import openstack
conn = openstack.connect(cloud="openstack")
</pre>

== Compute ==

=== Images ===
List available images:

<pre>
for image in conn.image.images():
print(image.name, image.id)
</pre>

Upload a new image:

<pre>
image = conn.image.upload_image(
name="ubuntu-24.04",
filename="/path/to/images/ubuntu-24.04-server-cloudimg-amd64.img",
disk_format="qcow2",
container_format="bare"
)
print(image.id)
</pre>

Show image details:

<pre>
image = conn.image.get_image("<IMAGE_ID>")
print(image)
</pre>

Delete an image:

<pre>
conn.image.delete_image("<IMAGE_ID_OR_NAME>")
</pre>

=== Key Pairs (SSH Access) ===
Create a key pair:

<pre>
keypair = conn.compute.create_keypair(name="myKey")
with open("myKey.pem", "w") as f:
f.write(keypair.private_key)
</pre>

Set correct permissions (outside Python shell):

<pre>
chmod 600 myKey.pem
</pre>

List key pairs:

<pre>
for kp in conn.compute.keypairs():
print(kp.name)
</pre>

Delete a key pair:

<pre>
conn.compute.delete_keypair("myKey")
</pre>

=== Instances ===
List instances:

<pre>
for server in conn.compute.servers():
print(server.name, server.status)
</pre>

Create an instance (ensure that the specified image, flavor, network, and key pair exist):

<pre>
image = conn.compute.find_image("ubuntu-24.04")
flavor = conn.compute.find_flavor("p1.tiny")
network = conn.network.find_network("myNet")
server = conn.compute.create_server(
name="myVM",
image_id=image.id,
flavor_id=flavor.id,
networks=[{"uuid": network.id}],
key_name="myKey"
)
server = conn.compute.wait_for_server(server)
print("Created:", server.name)
</pre>

Delete an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.delete_server(server.id)
</pre>

== Storage ==

=== Volumes ===

List volumes:

<pre>
for vol in conn.block_storage.volumes():
print(vol.name, vol.size)
</pre>

Create a volume (size in GB):

<pre>
volume = conn.block_storage.create_volume(
name="myVolume",
size=10
)
</pre>

Delete a volume:

<pre>
volume = conn.block_storage.find_volume("myVolume")
conn.block_storage.delete_volume(volume.id)
</pre>

=== Volume Management for Instances ===

Attach a volume to an instance:

<pre>
server = conn.compute.find_server("myVM")
volume = conn.block_storage.find_volume("myVolume")
conn.compute.create_volume_attachment(
server,
volumeId=volume.id
)
</pre>

Detach a volume:

<pre>
attachments = conn.compute.volume_attachments(server)
for att in attachments:
if att.volume_id == volume.id:
conn.compute.delete_volume_attachment(att.id, server)
</pre>

== Networking ==

=== Networks ===
List networks:

<pre>
for net in conn.network.networks():
print(net.name)
</pre>

Create a network:

<pre>
network = conn.network.create_network(name="myNet")
</pre>

Delete a network:

<pre>
network = conn.network.find_network("myNet")
conn.network.delete_network(network.id)
</pre>

=== Floating IPs ===

Create a floating IP:

<pre>
network = conn.network.find_network("provider_default_net")
fip = conn.network.create_ip(floating_network_id=network.id)
print(fip.floating_ip_address)
</pre>

Associate a floating IP with an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_floating_ip_to_server(server, fip.floating_ip_address)
</pre>

Disassociate a floating IP:

<pre>
conn.compute.remove_floating_ip_from_server(server, fip.floating_ip_address)
</pre>

Delete a floating IP:

<pre>
conn.network.delete_ip(fip.id)
</pre>

=== Security Groups ===

List security groups:

<pre>
for sg in conn.network.security_groups():
print(sg.name)
</pre>

Create a security group:

<pre>
sg = conn.network.create_security_group(name="mySecGroup")
</pre>

Add a rule (HTTP):

<pre>
conn.network.create_security_group_rule(
security_group_id=sg.id,
protocol="tcp",
port_range_min=80,
port_range_max=80,
direction="ingress",
ethertype="IPv4"
)
</pre>

Assign security group to an instance:

<pre>
server = conn.compute.find_server("myVM")
conn.compute.add_security_group_to_server(server, sg.name)
</pre>

Remove a security group from an instance:

<pre>
conn.compute.remove_security_group_from_server(server, sg.name)
</pre>

Delete a security group:

<pre>
conn.network.delete_security_group(sg.id)
</pre>