Frequently Asked Questions

How do I start a Linux-based instance in OpenStack?

Please visit Starting a Linux-based Instance for detailed instructions.

What are the rules in the 'default' Security Group for? Can I delete them?

Under each of your OpenStack Projects, you will find a Security Group called default.

Initially, it will contain four rules: a pair of egress and ingress rules for both IPv4 and IPv6.

Egress rules allow traffic from your instance to anywhere on the Internet. This makes it possible for your instance to initiate connections to the outside. This is necessary for things such as:

  • Accessing operating system package distributions for regular software updates
  • DNS requests for converting hostnames to IP addresses (for example to find the servers mentioned above)
  • Querying Network Time Protocol (NTP) servers to discipline the system clock
  • Accessing the OpenStack Metadata Service during system boot.

Ingress rules allow all incoming traffic from other members of the same security group. Thus, when you create several instances sharing this Security Group, they will have unlimited connectivity between each other; you won't need any specific rules to allow those internal communications.

Note that no other traffic is allowed by default. In particular, external hosts will not be able to connect to your instances unless you explicitly allow that by adding your own security groups/rules.

You may be tempted to remove these four default rules in order to improve security, but there are important caveats:

If you delete the egress rules altogether, your instances will take a long time to start up, because they won't be able to access the Metadata Service. They will also miss the information from that service. In particular, they won't be able to provision the trusted SSH public key for the default account. So unless you have configured SSH authorization in some other way, you won't be able to log in.

We mentioned a few other uses of the egress rules: our standard images are configured to periodically check for and download software updates, which is considered a best practice for security reasons. They will also synchronize their system clocks using remote NTP servers. Without the egress rules, neither will work.

The ingress-from-same-security-group rules are less critical. If you remove them, you will simply have to explicitly allow traffic from your other instances, in the same way as you have to allow traffic from external hosts.

What is the username / password for my virtual machine?

Linux Virtual Machines

When you launch a Linux virtual machine, a default user will be created, and this user will have no password set. Instead, your SSH key is copied to the VM and you will be able to log in to the machine via SSH using the default username. The default username varies between operating systems.

List of usernames for our official images:

  • Ubuntu: ubuntu
  • Debian: debian
  • Rocky Linux: rocky

Example:

ssh ubuntu@86.123.123.123

86.123.123.123 is the Floating IP (public IP) address that you have assigned to the virtual machine.

The reason for this behavior is that a pre-defined password would lead to inherently insecure virtual machines (as each VM ever launched would have the same default password).

Why can't I SSH into my virtual machine?

There might be two reasons for this:

Your virtual machine has no Floating IP assigned to it

A newly started VM will get an internal IP address from a 192.168.x.x network. These addresses are not reachable from the Internet. You will need to assign a Floating IP address.

  • Ensure that you have created a Router and attached an interface to the IPv4 subnet where your VM is located.
  • Navigate to Project > Network > Floating IPs.
  • Click Allocate IP to project - you will see an Allocate Floating IP form. Click Allocate IP in the bottom section of the form (optionally you can add a description). You should see your new public IP (86.119.x.y) being listed in the table.
  • You can now associate this IP to a running virtual machine.

Security group has no entries for SSH traffic

A firewall protects all running virtual machines by not allowing any kind of traffic to enter the virtual machine. You will need to selectively open the ports your machine needs. The firewall rules are managed in Security Groups. If you plan to run services on the VM that need to be accessible from outside, we recommend that you create new, specific groups for these cases (for example a Web group with ports 80 and 443 open) and assign those security groups to your VMs (via the Instances view, and the Edit Security Groups menu entry in the dropdown menu for a specific instance). For information on how to create your custom security group and how to add inbound rules, visit Create and Manage Security Groups.
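
The following added example (not part of the original FAQ or of OpenStack itself) models how the four default rules described above, plus one SSH rule, decide whether a new connection is allowed. The rule field names follow Neutron security group rules; the addresses, the `203.0.113.0/24` admin network, the use of `"default"` in place of the group's UUID, and the metadata address `169.254.169.254` are assumptions made for illustration.

```python
import ipaddress

# Field names follow Neutron security group rules; all values are constructed.
# "default" stands in for the security group's UUID.
DEFAULT_RULES = [
    {"direction": "egress", "ethertype": "IPv4"},
    {"direction": "egress", "ethertype": "IPv6"},
    {"direction": "ingress", "ethertype": "IPv4", "remote_group_id": "default"},
    {"direction": "ingress", "ethertype": "IPv6", "remote_group_id": "default"},
]
# Hypothetical extra rule: SSH only from one constructed admin network.
SSH_RULE = {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
            "port_range_min": 22, "port_range_max": 22,
            "remote_ip_prefix": "203.0.113.0/24"}
METADATA_IP = "169.254.169.254"  # assumed usual metadata service address

def allowed(rules, direction, peer_ip, protocol, port, peer_groups=()):
    """True if a new connection matches any rule; no match means it is dropped.
    Only connection setup is modelled (replies follow the allowed connection)."""
    ip = ipaddress.ip_address(peer_ip)
    ethertype = "IPv4" if ip.version == 4 else "IPv6"
    for r in rules:
        if r["direction"] != direction or r["ethertype"] != ethertype:
            continue
        if r.get("protocol") not in (None, protocol):
            continue
        lo = r.get("port_range_min")
        if lo is not None and not lo <= port <= r["port_range_max"]:
            continue
        if "remote_group_id" in r and r["remote_group_id"] not in peer_groups:
            continue
        prefix = r.get("remote_ip_prefix")
        if prefix and ip not in ipaddress.ip_network(prefix):
            continue
        return True
    return False

def scenarios():
    no_egress = [r for r in DEFAULT_RULES if r["direction"] != "egress"]
    with_ssh = DEFAULT_RULES + [SSH_RULE]
    return {
        "external SSH, default rules only": allowed(DEFAULT_RULES, "ingress", "198.51.100.7", "tcp", 22),
        "peer in same group": allowed(DEFAULT_RULES, "ingress", "192.168.0.12", "tcp", 5432, ("default",)),
        "metadata service at boot": allowed(DEFAULT_RULES, "egress", METADATA_IP, "tcp", 80),
        "metadata, egress rules deleted": allowed(no_egress, "egress", METADATA_IP, "tcp", 80),
        "SSH from admin network, rule added": allowed(with_ssh, "ingress", "203.0.113.10", "tcp", 22),
        "SSH from elsewhere, rule added": allowed(with_ssh, "ingress", "198.51.100.7", "tcp", 22),
    }

if __name__ == "__main__":
    print("\n".join(f"{'ALLOW' if ok else 'DROP '}  {k}" for k, ok in scenarios().items()))
```

Restricting the SSH rule to a source prefix, as in this sketch, keeps port 22 closed to the rest of the Internet while still letting you log in from your own network.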