Ask Your Question

How to login to VM on isolated network

asked 2014-10-17 09:36:45 -0500

wojtylacz gravatar image

Hi everyone.

I have this situation.. I have a isolated network at Openstack deployment with Neutron (quantum gateway). I boot a VM, for example Ubuntu image. And I would like to get into to machine - anyhow.

Due to the isolated network, i cannot use the key pair to someshow ssh to the VM. I can have cirros on the same network of course, but im unable to copy the key to the cirros, because the isolated network. I cannot even copy and paste the key due to fact of using novnc web access console to see the VM. I would need to rewrite each letter. No way.

I cannot log in using console directly due to the fact i dont know the password. Command nova get-password server key returns blank string. I tried to even create own linux system with admin password explicitly set to my custom password, but once i launch the vm in openstack, it denies the access through the console anyway.

Where is the philosophy of accessing VMs at isolated network? How is this intented to work and use?

Thank you very much for any help or ideas...

edit retag flag offensive close merge delete

3 answers

Sort by » oldest newest most voted

answered 2014-10-17 09:45:17 -0500

foexle gravatar image


Due to the isolated network, i cannot use the key pair to someshow ssh to the VM why ?

  • Login to your network host: ssh -l root <network-host> -A -A for key forward
  • Create a keypair with your public key in nova
  • use your keypair for spawning an instance (this example ubuntu)
  • On your network host: ip netns exec qrouter-<router-id> ssh -l ubuntu <fiexd-ip>

Thats it. Don't forget your security rules !!

Cheers Heiko

edit flag offensive delete link more


This requires direct physical access to the network host, which simply isn't going to be possible unless you happen to be the openstack administrator. Ensuring that your keypair is available on the host where you are running "ip netns exec" can also be tricky to get right.

larsks gravatar imagelarsks ( 2014-10-17 09:54:02 -0500 )edit

answered 2014-10-17 10:50:51 -0500

dbaxps gravatar image

updated 2014-10-24 08:59:32 -0500

Install libguestfs-tools

sudo yum install libguestfs-tools      # Fedora/RHEL/CentOS
sudo apt-get install libguestfs-tools  # Debian/Ubuntu

Update /etc/cloud/cloud.cfg in QCOW2 image to allow password

[boris@icehouse1 Downloads]$  guestfish --rw -a trusty-server-cloudimg-amd64-disk1-tw1510.img

Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.

Type: 'help' for help on commands
      'man' to read the manual
      'quit' to quit the shell

><fs> run
 100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ --:--
><fs> mount /dev/sda1 /
><fs> ls /etc/cloud
><fs> edit  /etc/cloud/cloud.cfg
   # This will affect which distro class gets used
   distro: ubuntu
   # Default user name + that default users groups (if added/used)
     name: ubuntu
     lock_passwd: False
     gecos: Ubuntu
     groups: [adm, audio, cdrom, dialout, dip, floppy, netdev, plugdev, sudo, video]
     sudo: ["ALL=(ALL) NOPASSWD:ALL"]
     shell: /bin/bash
   # Other config here will be given to the distro class and/or path classes
><fs> exit

Upload via glance and launch with both ssh keypair and post customization script :-

password: mysecret
chpasswd: { expire: False }
ssh_pwauth: True

image description

Active instance will allow login within VNC console
View also

[root@dfw02 ~(keystone_admin)]$  nova boot --flavor 2 --user-data=./myfile.txt  
--image 03c9ad20-b0a3-4b71-aa08-2728ecb66210 VF19RS


[root@dfw02 ~(keystone_admin)]$  cat ./myfile.txt
password: mysecret
chpasswd: { expire: False }
ssh_pwauth: True

Login via qdhcp-namespace && ssh keypair will still work

[root@icehouse1 Downloads(keystone_admin)]# ip netns exec qdhcp-c07c3957-b87b-4891-81a1-4119f354a922 ssh -i oskey45.pem ubuntu@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is 5e:49:4b:62:ca:72:20:11:f1:33:fa:08:9e:6f:de:4c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-37-generic x86_64)

 * Documentation:

  System information as of Fri Oct 17 17:00:50 UTC 2014

  System load:  0.0               Processes:           76
  Usage of /:   15.8% of 4.89GB   Users logged in:     1
  Memory usage: 3%                IP address for eth0:
  Swap usage:   0%                IP address for eth1:

  Graph this data and manage this system at:

  Get cloud support with Ubuntu Advantage Cloud Guest:
2 packages can be updated.
2 updates are security updates.
Last login: Fri Oct 17 17:00:50 2014 from
edit flag offensive delete link more


unfortuantely, even i did exactly what yoou wrote, once i boot the changed trusty-server-cloudimg-amd64-disk1.img , use ubuntu as a user and a specified password, it denies me to log in, using novnc console. Any ideas?

wojtylacz gravatar imagewojtylacz ( 2014-10-24 06:22:20 -0500 )edit

It works for me on RDO IceHouse ( installed on CentOS 7) for Ubuntu,Fedora 20,CentOS 7 VMs

dbaxps gravatar imagedbaxps ( 2014-10-24 06:31:35 -0500 )edit

I've just tested this feature on RDO IceHouse on Fedora 20. It works fine at least for Ubuntu14.04 && Fedora 20 VMs
What OS are you running ?

dbaxps gravatar imagedbaxps ( 2014-10-24 07:17:25 -0500 )edit

OK. I have an idea . Don't change image. Get it as is and try post customization script without assigning ssh keypair . It must work providing you console login everywhere. How about that ?

dbaxps gravatar imagedbaxps ( 2014-10-24 07:55:21 -0500 )edit

i use ubuntu cloud. And ubuntu image. Now just download fedora image, used only the customization script and again. fedora user and the passwd and it kicks me off = login incorrect.

wojtylacz gravatar imagewojtylacz ( 2014-10-24 08:37:21 -0500 )edit

answered 2014-10-17 09:55:02 -0500

larsks gravatar image

updated 2014-10-17 09:55:46 -0500

In general, the way you are supposed to get "external" access to servers on a private network is by assigning a floating ip address to one or more servers on that network. You may elect to assign a floating ip to all services, in which case you could access any of them directly, or you could choose to use one as a gateway (such that you would log into that host first, and from there access other hosts on the isolated network).

Some relevant documentation is available here.

As foexle said, make sure that you create appropriate security rules that will permit ssh access.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-10-17 09:36:45 -0500

Seen: 2,293 times

Last updated: Oct 24 '14