OpenStack

Integration with OpenStack

This section describes how to set up a Resource Centre that provides cloud resources in the EGI infrastructure. Integration with FedCloud requires a working OpenStack installation as a prerequisite. EGI supports any recent OpenStack version (tested from OpenStack Mitaka onwards).

The following OpenStack services are expected to be available and accessible from outside the site:

  • Keystone
  • Nova
  • Cinder
  • Glance
  • Neutron
  • Swift (if providing Object Storage)

The integration is performed by a set of EGI components that interact with the OpenStack service APIs:

[Figure: EGI components and the OpenStack service APIs they interact with]

Installation options

cASO and SSM releases can be obtained from GitHub.

Open Ports

Inbound

The following services must be reachable from outside the site for an OpenStack-based FedCloud site to be usable (default ports listed; adjust them to your installation).

Port        Application          Note
5000/TCP    OpenStack/Keystone   Authentication to your OpenStack.
8776/TCP    OpenStack/Cinder     Block Storage management.
8774/TCP    OpenStack/Nova       VM management.
9696/TCP    OpenStack/Neutron    Network management.
9292/TCP    OpenStack/Glance     VM Image management.
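The firewall allowlist above is only correct if it matches what Keystone actually advertises: a public endpoint on a port that is not opened leaves federated users with a working login and failing API calls, and an endpoint that is opened but not in the table is exposed without anyone having decided it should be. The following script, added here as an example (not EGI or OpenStack code), compares the enabled public endpoints from `openstack endpoint list -f json` with the table; the sample catalog and host name are constructed for the example.

```python
"""Compare the public endpoints in the Keystone service catalog with the
inbound allowlist from the table above. Added example, not EGI or OpenStack
code. Input is the JSON printed by `openstack endpoint list -f json`; the
sample below is constructed, and the host name is made up."""
import json
import socket
from urllib.parse import urlsplit

# Service type -> default port, taken from the inbound table above.
# Cinder registers as "volumev3" in the catalog.
EXPECTED_PORTS = {
    "identity": 5000,   # Keystone
    "volumev3": 8776,   # Cinder
    "compute": 8774,    # Nova
    "network": 9696,    # Neutron
    "image": 9292,      # Glance
}

# Constructed sample catalog: Glance sits behind a TLS proxy on 443,
# Neutron has no public endpoint, Placement is exposed but not in the table.
SAMPLE_ENDPOINTS = json.dumps([
    {"ID": "e1", "Region": "RegionOne", "Service Name": "keystone",
     "Service Type": "identity", "Enabled": True, "Interface": "public",
     "URL": "https://cloud.example.org:5000/v3"},
    {"ID": "e2", "Region": "RegionOne", "Service Name": "keystone",
     "Service Type": "identity", "Enabled": True, "Interface": "admin",
     "URL": "https://10.0.0.5:35357/v3"},
    {"ID": "e3", "Region": "RegionOne", "Service Name": "nova",
     "Service Type": "compute", "Enabled": True, "Interface": "public",
     "URL": "https://cloud.example.org:8774/v2.1"},
    {"ID": "e4", "Region": "RegionOne", "Service Name": "cinderv3",
     "Service Type": "volumev3", "Enabled": True, "Interface": "public",
     "URL": "https://cloud.example.org:8776/v3/%(project_id)s"},
    {"ID": "e5", "Region": "RegionOne", "Service Name": "glance",
     "Service Type": "image", "Enabled": True, "Interface": "public",
     "URL": "https://cloud.example.org/image"},
    {"ID": "e6", "Region": "RegionOne", "Service Name": "placement",
     "Service Type": "placement", "Enabled": True, "Interface": "public",
     "URL": "https://cloud.example.org:8778"},
    {"ID": "e7", "Region": "RegionOne", "Service Name": "swift",
     "Service Type": "object-store", "Enabled": False, "Interface": "public",
     "URL": "https://cloud.example.org:8080/v1/AUTH_%(project_id)s"},
])


def port_of(url):
    """Port a client will connect to for this endpoint URL."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def audit_catalog(endpoints_json, expected=EXPECTED_PORTS):
    """Return the differences between enabled public endpoints and the
    allowlist:
      mismatched: {service_type: (port_in_catalog, port_in_allowlist)}
                  -> clients are blocked unless the firewall is adjusted
      missing:    allowlisted service types with no enabled public endpoint
      unlisted:   {service_type: port} exposed publicly but not in the table
    Multi-region catalogs should key on (region, type); kept simple here."""
    seen = {}
    for ep in json.loads(endpoints_json):
        if ep["Interface"] != "public" or not ep["Enabled"]:
            continue
        seen[ep["Service Type"]] = port_of(ep["URL"])
    return {
        "mismatched": {t: (p, expected[t]) for t, p in seen.items()
                       if t in expected and p != expected[t]},
        "missing": sorted(t for t in expected if t not in seen),
        "unlisted": {t: p for t, p in seen.items() if t not in expected},
    }


def reachable(host, port, timeout=3.0):
    """TCP reachability probe, to be run from outside the site against
    each public endpoint (not exercised offline)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print(json.dumps(audit_catalog(SAMPLE_ENDPOINTS), indent=2))
```

Run it with the real catalog (`openstack endpoint list -f json > endpoints.json`) and then probe each public host and port with `reachable()` from a machine outside the site; an entry in `unlisted` is a decision to make explicitly (document it or close it), not necessarily a fault.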

Outbound

The EGI Cloud components require the following outgoing connections to be open:

Port        Host                 Note
443/TCP     msg.argo.grnet.gr    ARGO Messaging System (used by SSM to send accounting records).
8443/TCP    msg.argo.grnet.gr    AMS authentication (used by SSM to send accounting records).

Users

Local Users

In order to get accounting information from your OpenStack, cASO needs to run as a user that is a member of every project to extract accounting information from and that is allowed to call identity:list_users and identity:list_projects in Keystone. Check the cASO documentation for further information.
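Because cASO only extracts records from projects its user is a member of, a VO project without a role assignment for that user produces no accounting at all, and nothing fails loudly. The script below, added here as an example (it is not part of cASO or of this guide), checks the accounting user's coverage from the JSON output of `openstack project list -f json` and `openstack role assignment list --user <user> --effective --names -f json`; both samples and the project names are constructed. The identity-listing check assumes Keystone's default policy, which grants identity:list_users and identity:list_projects to the reader role with system scope.

```python
"""Check what the cASO accounting user can actually see before trusting its
records. Added example, not part of cASO or this guide. The two JSON
samples are constructed in the shape of `openstack project list -f json` and
`openstack role assignment list --user <user> --effective --names -f json`
(--effective includes roles inherited through groups)."""
import json

# Constructed: projects in the deployment (names/IDs made up).
PROJECTS = json.dumps([
    {"ID": "1a2b", "Name": "ops"},
    {"ID": "3c4d", "Name": "vo.access.egi.eu"},
    {"ID": "5e6f", "Name": "training.egi.eu"},
    {"ID": "7a8b", "Name": "cloud.egi.eu"},
])

# Constructed: role assignments of the user `caso`. It is a member of two VO
# projects and holds reader on the whole system (the scope Keystone's
# default policy wants for identity:list_users / identity:list_projects).
ASSIGNMENTS = json.dumps([
    {"Role": "member", "User": "caso@Default", "Group": "",
     "Project": "vo.access.egi.eu@Default", "Domain": "", "System": "",
     "Inherited": False},
    {"Role": "member", "User": "caso@Default", "Group": "",
     "Project": "training.egi.eu@Default", "Domain": "", "System": "",
     "Inherited": False},
    {"Role": "reader", "User": "caso@Default", "Group": "",
     "Project": "", "Domain": "", "System": "all", "Inherited": False},
])

# Projects mapped to VOs and therefore expected to be accounted for
# (hypothetical names; take them from your own VO configuration).
VO_PROJECTS = ["vo.access.egi.eu", "training.egi.eu", "cloud.egi.eu", "missing.vo"]


def project_memberships(assignments_json):
    """Names of the projects where the user holds any role.
    `--names` prints projects as name@domain; strip the domain."""
    return {a["Project"].split("@", 1)[0]
            for a in json.loads(assignments_json) if a["Project"]}


def can_list_identity(assignments_json):
    """True if the user holds a system-scoped role that Keystone's default
    policy accepts for identity:list_users / identity:list_projects
    (reader, or the roles that imply it). Sites with a custom policy.yaml
    must adapt this check to their own rules."""
    return any(a["System"] == "all" and a["Role"] in ("reader", "member", "admin")
               for a in json.loads(assignments_json))


def coverage_report(projects_json, assignments_json, vo_projects):
    """Report the VO projects cASO would silently skip."""
    existing = {p["Name"] for p in json.loads(projects_json)}
    members = project_memberships(assignments_json)
    return {
        # configured as a VO project but not present in Keystone at all
        "unknown": sorted(set(vo_projects) - existing),
        # present, but the accounting user is not a member: no records
        "uncovered": sorted(p for p in vo_projects
                            if p in existing and p not in members),
        "can_list_identity": can_list_identity(assignments_json),
    }


if __name__ == "__main__":
    print(json.dumps(coverage_report(PROJECTS, ASSIGNMENTS, VO_PROJECTS), indent=2))
```

Anything in `uncovered` needs a role assignment (`openstack role add --user caso --project <project> member`) before the next cASO run, and `can_list_identity` being false means the user listing that cASO relies on will be denied by policy.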

Federated Users

Regular user accounts are managed by the Federated Identity features of OpenStack (Keystone federation). Keystone creates these users in a dedicated domain for each configured identity provider. Every user in the egi.eu domain has a unique username; for users whose community identity is managed by Check-in, it has the form <uniqueID>@egi.eu, where the <uniqueID> portion is an opaque identifier issued by Check-in, for example:

$ openstack domain list
+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+
| ID                               | Name                             | Enabled | Description                                                   |
+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+
| 0125ed0ebc8045a49ed8c34c2a78740d | 0125ed0ebc8045a49ed8c34c2a78740d | True    | Auto generated federated domain for Identity Provider: egi.eu |
| default                          | Default                          | True    | The default domain                                            |
+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+

$ openstack user list --domain 0125ed0ebc8045a49ed8c34c2a78740d
+------------------------------------------------------------------+-------------------------------------------------------------------------+
| ID                                                               | Name                                                                    |
+------------------------------------------------------------------+-------------------------------------------------------------------------+
| 2c096b11a1410d44e3936fa40479ad26eaa649cfd6887f06b3c6669e5d6c03d0 | efb8534478028XXXXXXXXXXXXXXXfeed9766fafc@sram.surf.nl                   |
| 933c692b53192e4d893e5ed5c026aa444acb4d75f6ee6c304422861207ce1ea5 | e9c37aa0d1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX2867bc43581b835c@egi.eu |
| d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c | 529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907@egi.eu |
+------------------------------------------------------------------+-------------------------------------------------------------------------+

If the Keystone mapping also sets the user's email attribute, that information is available as well:

$ openstack user show d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field               | Value                                                                                                                                                      |
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| domain_id           | 0125ed0ebc8045a49ed8c34c2a78740d                                                                                                                           |
| email               | XXXX-redacted@example.com                                                                                                                                   |
| enabled             | True                                                                                                                                                       |
| federated           | [{'idp_id': 'egi.eu', 'protocols': [{'protocol_id': 'openid', 'unique_id': '529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907%40egi.eu'}]}] |
| id                  | d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c                                                                                           |
| name                | 529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907@egi.eu                                                                                    |
| options             | {}                                                                                                                                                         |
| password_expires_at | None                                                                                                                                                       |
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+

Every VO has a VO identity card available via the Operations Portal, where you can also get contact information for the VO managers.

VMs created by EGI's Infrastructure Manager carry additional metadata properties that help identify the workload and the orchestrator user that requested it:

$ openstack server show 0f3e1420-4480-4bea-95f1-9920a70b324d -c properties -f yaml
properties:
  eu.egi.cloud.orchestrator: es.upv.grycap.im
  eu.egi.cloud.orchestrator.id: 0afdc7ba-bf5d-11ed-9e89-86ce117c3fcf
  eu.egi.cloud.orchestrator.url: https://im.egi.eu/im
  eu.egi.cloud.orchestrator.user: __OPENID__XXXXXXredacted
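When handling an incident or abuse report, the question is usually "which Check-in identity is behind this VM, and was it deployed directly or through an orchestrator?". The script below, added here as an example (not EGI or OpenStack code), ties the three records shown above together using the JSON form of the same commands (`openstack user show <id> -f json`, `openstack server show <id> -f json`): it decodes the URL-encoded unique_id from the `federated` field, checks it against the user name, and pulls out the eu.egi.cloud.orchestrator.* properties. Both records are constructed for the example, with made-up identifiers, and it also handles the older client output where `properties` is a single key='value' string rather than a JSON object.

```python
"""Map a VM to the federated identity behind it, for incident handling or
VO contact lookups. Added example, not EGI or OpenStack code. It parses the
JSON forms of `openstack user show -f json` and `openstack server show -f json`;
both sample records below are constructed and the identifiers are made up."""
import json
import re
from urllib.parse import unquote

# Constructed sample in the shape of `openstack user show <id> -f json`.
USER_JSON = json.dumps({
    "domain_id": "0125ed0ebc8045a49ed8c34c2a78740d",
    "email": "user-redacted@example.com",
    "enabled": True,
    "federated": [{"idp_id": "egi.eu",
                   "protocols": [{"protocol_id": "openid",
                                  "unique_id": "0123abcd4567ef89%40egi.eu"}]}],
    "id": "d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c",
    "name": "0123abcd4567ef89@egi.eu",
    "options": {},
    "password_expires_at": None,
})

# Constructed sample in the shape of `openstack server show <id> -f json`
# for a VM deployed through the Infrastructure Manager.
SERVER_JSON = json.dumps({
    "id": "0f3e1420-4480-4bea-95f1-9920a70b324d",
    "name": "im-node-1",
    "user_id": "d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c",
    "project_id": "6e8fb0c0c0b54b7f9f1b1c0b2a3d4e5f",
    "properties": {
        "eu.egi.cloud.orchestrator": "es.upv.grycap.im",
        "eu.egi.cloud.orchestrator.id": "0afdc7ba-bf5d-11ed-9e89-86ce117c3fcf",
        "eu.egi.cloud.orchestrator.url": "https://im.egi.eu/im",
        "eu.egi.cloud.orchestrator.user": "__OPENID__0123abcd4567ef89",
    },
})

ORCH_PREFIX = "eu.egi.cloud.orchestrator"


def parse_properties(props):
    """Normalise the `properties` field: newer clients emit a JSON object,
    older ones a single string of key='value' pairs."""
    if isinstance(props, dict):
        return props
    return dict(re.findall(r"([\w.]+)='([^']*)'", props or ""))


def federated_identity(user_json):
    """Extract the federated identity behind a Keystone user and verify that
    the decoded unique_id matches the user name (the mapping sets both)."""
    user = json.loads(user_json)
    fed = user.get("federated") or []
    if not fed:
        return {"keystone_id": user["id"], "name": user["name"], "federated": False}
    proto = fed[0]["protocols"][0]
    unique_id = unquote(proto["unique_id"])          # '%40' -> '@'
    realm = unique_id.rsplit("@", 1)[-1] if "@" in unique_id else None
    return {
        "keystone_id": user["id"],
        "name": user["name"],
        "email": user.get("email"),
        "federated": True,
        "idp": fed[0]["idp_id"],
        "protocol": proto["protocol_id"],
        "unique_id": unique_id,
        "realm": realm,
        "matches_name": unique_id == user["name"],
    }


def vm_attribution(server_json, user_json):
    """Tie a VM to its Keystone user, the federated identity, and (if the VM
    was deployed by an EGI orchestrator) the orchestrator metadata."""
    server = json.loads(server_json)
    ident = federated_identity(user_json)
    if server["user_id"] != ident["keystone_id"]:
        raise ValueError("user record does not belong to the VM owner")
    props = parse_properties(server.get("properties"))
    return {
        "vm_id": server["id"],
        "project_id": server.get("project_id"),
        "keystone_user": ident["keystone_id"],
        "checkin_id": ident.get("unique_id"),
        "email": ident.get("email"),
        "created_via_orchestrator": ORCH_PREFIX in props,
        "orchestrator": props.get(ORCH_PREFIX),
        "orchestrator_deployment": props.get(ORCH_PREFIX + ".id"),
        "orchestrator_url": props.get(ORCH_PREFIX + ".url"),
        "orchestrator_user": props.get(ORCH_PREFIX + ".user"),
    }


if __name__ == "__main__":
    print(json.dumps(vm_attribution(SERVER_JSON, USER_JSON), indent=2))
```

A `matches_name` of false means the mapping rule names users differently from the identity provider's unique_id; in that case report the decoded `unique_id`, not the Keystone name, when contacting Check-in or the VO managers.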

Next topics:

  • Check-in: Authentication and Authorization integration
  • Accounting: Accounting integration
  • Catch-all components: Configuration of the catch-all components
  • GPU flavours: Configuring GPU flavours
  • VO Configuration guide: Summary of steps for configuring new VOs in OpenStack
  • Useful Resources: Collection of useful resources for OpenStack administrators