OpenStack EC2 API
Support of EC2 API for OpenStack. This project provides a standalone EC2 API service which pursues two goals:
- Implement VPC API
- Create a standalone service for EC2 API support.
Installation
For more detailed information, please see the Installation Guide.
Installation by install.sh
Run install.sh
The EC2 API service gets installed on port 8788 by default. It can be changed before the installation in install.sh script.
The services afterwards can be started as binaries:
/usr/local/bin/ec2-api /usr/local/bin/ec2-api-metadata /usr/local/bin/ec2-api-s3
or set up as Linux services.
Configuring OpenStack for EC2 API metadata service refering to section "EC2 metadata Configuration".
Installation on devstack
Installation in devstack:
In order to install ec2-api with devstack the following should be added to the local.conf or localrc the following line:
enable_plugin ec2-api https://opendev.org/openstack/ec2-api
Devstack installation with ec2-api and ec2api-tempest-plugin for development:
- install packages: awscli, git, python3, python3-devel, ruby
- clone devstack repository
git clone https://opendev.org/openstack/devstack
- grant all permissions for your user for directory: "/opt"
- create folder "/opt/stack/logs/"
- clone repository "ec2api-tempest-plugin" to stack folder:
git clone https://github.com/openstack/ec2api-tempest-plugin /opt/stack/ec2api-tempest-plugin
- create local.conf:
[[local|localrc]] ADMIN_PASSWORD=secret DATABASE_PASSWORD=$ADMIN_PASSWORD RABBIT_PASSWORD=$ADMIN_PASSWORD SERVICE_PASSWORD=$ADMIN_PASSWORD enable_plugin ec2-api https://opendev.org/openstack/ec2-api enable_plugin neutron-tempest-plugin https://github.com/openstack/neutron-tempest-plugin TEMPEST_PLUGINS='/opt/stack/ec2api-tempest-plugin'
- go to devstack folder and start installation
cd ~/devstack/ ./stack.sh
- check installed devstack
source ~/devstack/accrc/admin/admin tempest list-plugins ps -aux | grep "ec2" aws --endpoint-url http://<IP-ADDRESS> --region <REGION> --profile admin ec2 describe-images openstack catalog list openstack flavor list openstack image list sudo journalctl -u [email protected]
- run integration tests (ec2 tempest test)
cd /opt/stack/tempest tox -eall -- ec2api_tempest_plugin --concurrency 1 tox -eall ec2api_tempest_plugin.api.test_network_interfaces.NetworkInterfaceTest.test_create_max_network_interface
- run ec2-api unit tests
cd /opt/stack/ec2-api tox -epy36 ec2api.tests.unit.test_security_group.SecurityGroupTestCase.test_describe_security_groups_no_default_vpc
Configuring OpenStack for EC2 API metadata service refering to section "EC2 metadata Configuration".
EC2 metadata Configuration
To configure OpenStack for EC2 API metadata service:
- for Nova-network
add:
[DEFAULT] metadata_port = 8789 [neutron] service_metadata_proxy = True
to /etc/nova.conf
then restart nova-metadata (can be run as part of nova-api service) and nova-network services.
- for Neutron
add:
[DEFAULT] nova_metadata_port = 8789
to /etc/neutron/metadata_agent.ini for legacy neutron or to neutron_ovn_metadata_agent.ini for OVN
then restart neutron-metadata service.
S3 server is intended only to support EC2 operations which require S3 server (e.g. CreateImage) in OpenStack deployments without regular object storage. It must not be used as a substitution for all-purposes object storage server. Do not start it if the deployment has its own object storage or uses a public one (e.g. AWS S3).
Usage
Download aws cli from Amazon. Create configuration file for aws cli in your home directory ~/.aws/config:
[default] aws_access_key_id = 1b013f18d5ed47ae8ed0fbb8debc036b aws_secret_access_key = 9bbc6f270ffd4dfdbe0e896947f41df3 region = us-east-1
Change the aws_access_key_id and aws_secret_acces_key above to the values appropriate for your cloud (can be obtained by "openstack ec2 credentials list" command).
Run aws cli commands using new EC2 API endpoint URL (can be obtained from openstack cli with the new port 8788) like this:
aws --endpoint-url http://10.0.2.15:8788 ec2 describe-instances
Supported Features and Limitations
- General:
- DryRun option is not supported.
- Some exceptions are not exactly the same as reported by AWS.
| AWS Component | Command | Functionality group | Limitations |
|---|---|---|---|
| Â | bold - supported, normal - supported with limitations, italic -not supported | Â | Â |
| VPC | AcceptVpcPeeringConnection | cross-VPC connectivity | not supported |
| EC2, VPC | AllocateAddress | addresses | Â |
| Â | AllocateHosts | dedicated hosts | not supported |
| Â | AssignIpv6Addresses | network interfaces | not supported |
| VPC | AssignPrivateIpAddresses | network interfaces | allowReassignment parameter |
| EC2, VPC | AssociateAddress | addresses | Â |
| VPC | AssociateDhcpOptions | DHCP options | Â |
| VPC | AssociateRouteTable | routes | Â |
| Â | AssociateSubnetCidrBlock | subnets | not supported |
| Â | AssociateVpcCidrBlock | VPC | not supported |
| VPC | AttachClassicLinkVpc | cross-VPC connectivity | not supported |
| VPC | AttachInternetGateway | internet gateways | Â |
| VPC | AttachNetworkInterface | network interfaces | Â |
| EC2, EBS | AttachVolume | volumes | Â |
| VPC | AttachVpnGateway | VPN | Â |
| EC2, VPC | AuthorizeSecurityGroupEgress | security groups | EC2 classic way to pass cidr, protocol, sourceGroup, ports parameters |
| EC2, VPC | AuthorizeSecurityGroupIngress | security groups | EC2 classic way to pass cidr, protocol, sourceGroup, ports parameters |
| Â | BundleInstance | tasks,s3 | not supported |
| Â | CancelBundleTask | tasks,s3 | not supported |
| Â | CancelConversionTask | tasks,s3 | not supported |
| Â | CancelExportTask | tasks,s3 | not supported |
| Â | CancelImportTask | tasks,s3 | not supported |
| Â | CancelReservedInstancesListing | market | not supported |
| Â | CancelSpotFleetRequests | market | not supported |
| Â | CancelSpotInstanceRequests | market | not supported |
| Â | ConfirmProductInstance | product codes | not supported |
| EBS | CopyImage | image provisioning | not supported |
| EBS | CopySnapshot | snapshots,s3 | not supported |
| VPC | CreateCustomerGateway | VPC gateways | BGPdynamicrouting |
| VPC | CreateDhcpOptions | DHCP options | Â |
| Â | CreateEgressOnlyInternetGateway | VPC gateways | not supported |
| Â | CreateFlowLogs | infrastructural | not supported |
| EBS | CreateImage | images | blockDeviceMapping parameter |
| Â | CreateInstanceExportTask | tasks,s3 | not supported |
| VPC | CreateInternetGateway | VPC gateways | Â |
| EC2 | CreateKeyPair | key pairs | Â |
| Â | CreateNatGateway | NAT gateways | not supported |
| VPC | CreateNetworkAcl | ACL | not supported |
| VPC | CreateNetworkAclEntry | ACL | not supported |
| VPC | CreateNetworkInterface | network interfaces | Â |
| Â | CreatePlacementGroup | clusters | not supported |
| Â | CreateReservedInstancesListing | market | not supported |
| VPC | CreateRoute | routes | vpcPeeringConnection parameter |
| VPC | CreateRouteTable | routes | Â |
| EC2, VPC | CreateSecurityGroup | security groups | Â |
| EBS | CreateSnapshot | snapshots | Â |
| Â | CreateSpotDatafeedSubscription | market | not supported |
| VPC | CreateSubnet | subnets | availabilityZone parameter |
| EC2 | CreateTags | tags | Â |
| EBS | CreateVolume | volumes | iops, encrypted, kmsKeyId parameters |
| VPC | CreateVpc | VPC | Â |
| VPC | CreateVpcEndpoint | cross-VPC connectivity | not supported |
| VPC | CreateVpcPeeringConnection | cross-VPC connectivity | not supported |
| VPC | CreateVpnConnection | VPN | BGP dynamic routing |
| VPC | CreateVpnConnectionRoute | VPN | Â |
| VPC | CreateVpnGateway | VPN | BGP dynamic routing |
| VPC | DeleteCustomerGateway | VPC gateways | Â |
| VPC | DeleteDhcpOptions | DHCP options | Â |
| Â | DeleteEgressOnlyInternetGateway | VPC gateways | not supported |
| Â | DeleteFlowLogs | infrastructural | not supported |
| VPC | DeleteInternetGateway | VPC gateways | Â |
| EC2 | DeleteKeyPair | key pairs | Â |
| Â | DeleteNatGateway | NAT gateways | not supported |
| VPC | DeleteNetworkAcl | ACL | not supported |
| VPC | DeleteNetworkAclEntry | ACL | not supported |
| VPC | DeleteNetworkInterface | network interfaces | Â |
| EC2 | DeletePlacementGroup | clusters | not supported |
| VPC | DeleteRoute | routes | Â |
| VPC | DeleteRouteTable | routes | Â |
| EC2, VPC | DeleteSecurityGroup | security groups | Â |
| EBS | DeleteSnapshot | snapshots | Â |
| Â | DeleteSpotDatafeedSubscription | market | not supported |
| VPC | DeleteSubnet | subnets | Â |
| EC2 | DeleteTags | tags | Â |
| EBS | DeleteVolume | volumes | Â |
| VPC | DeleteVpc | VPC | Â |
| VPC | DeleteVpcEndpoints | cross-VPC connectivity | not supported |
| VPC | DeleteVpcPeeringConnection | cross-VPC connectivity | not supported |
| VPC | DeleteVpnConnection | VPN | Â |
| VPC | DeleteVpnConnectionRoute | VPN | Â |
| VPC | DeleteVpnGateway | VPN | Â |
| EBS | DeregisterImage | images | Â |
| EC2 | DescribeAccountAttributes | infrastructural | vpc-max-security-groups-per-interface, max-elastic-ips, vpc-max-elastic-ips attributes |
| EC2, VPC | DescribeAddresses | addresses | Â |
| EC2 | DescribeAvailabilityZones | availability zones | Â |
| Â | DescribeBundleTasks | tasks,s3 | not supported |
| VPC | DescribeClassicLinkInstances | cross-VPC connectivity | not supported |
| Â | DescribeConversionTasks | tasks,s3 | not supported |
| VPC | DescribeCustomerGateways | gateways | Â |
| VPC | DescribeDhcpOptions | DHCP options | Â |
| Â | DescribeEgressOnlyInternetGateways | VPC gateways | not supported |
| Â | DescribeExportTasks | tasks,s3 | not supported |
| Â | DescribeFlowLogs | infrastructural | not supported |
| Â | DescribeHosts | dedicated hosts | not supported |
| Â | DescribeIdentityIdFormat | resource IDs | not supported |
| Â | DescribeIdFormat | resource IDs | not supported |
| EBS | DescribeImageAttribute | images | productCodes, sriovNetSupport attributes |
| EBS | DescribeImages | images | Â |
| Â | DescribeImportImageTasks | tasks,s3 | not supported |
| Â | DescribeImportSnapshotTasks | tasks,s3 | not supported |
| EC2 | DescribeInstanceAttribute | instances | same limitations as for ModifyInstanceAttribute |
| EC2, EBS, VPC | DescribeInstances | instances | Â |
| Â | DescribeInstanceStatus | monitoring | not supported |
| VPC | DescribeInternetGateways | gateways | Â |
| EC2 | DescribeKeyPairs | key pairs | Â |
| VPC | DescribeMovingAddresses | infrastructural | not supported |
| Â | DescribeNatGateways | NAT gateways | not supported |
| VPC | DescribeNetworkAcls | ACL | not supported |
| VPC | DescribeNetworkInterfaceAttribute | network interfaces | Â |
| VPC | DescribeNetworkInterfaces | network interfaces | Â |
| EC2 | DescribePlacementGroups | clusters | not supported |
| VPC | DescribePrefixLists | cross-VPC connectivity | not supported |
| EC2 | DescribeRegions | availability zones | RegionNameparameter |
| Â | DescribeReservedInstances | market | not supported |
| Â | DescribeReservedInstancesListings | market | not supported |
| Â | DescribeReservedInstancesModifications | market | not supported |
| Â | DescribeReservedInstancesOfferings | market | not supported |
| VPC | DescribeRouteTables | routes | Â |
| Â | DescribeScheduledInstanceAvailability | scheduled instances | not supported |
| Â | DescribeScheduledInstances | scheduled instances | not supported |
| Â | DescribeSecurityGroupReferences | security groups | not supported |
| EC2, VPC | DescribeSecurityGroups | security groups | cidr, protocol, port, sourceGroup parameters |
| EBS | DescribeSnapshotAttribute | snapshots | not supported |
| EBS | DescribeSnapshots | snapshots | Â |
| Â | DescribeSpotDatafeedSubscription | market | not supported |
| Â | DescribeSpotFleetInstances | market | not supported |
| Â | DescribeSpotFleetRequestHistory | market | not supported |
| Â | DescribeSpotFleetRequests | market | not supported |
| Â | DescribeSpotInstanceRequests | market | not supported |
| Â | DescribeSpotPriceHistory | market | not supported |
| Â | DescribeStaleSecurityGroups | security groups | not supported |
| VPC | DescribeSubnets | subnets | Â |
| EC2 | DescribeTags | tags | Â |
| EBS | DescribeVolumeAttribute | volumes | not supported |
| EBS | DescribeVolumes | volumes | Â |
| Â | DescribeVolumeStatus | monitoring | not supported |
| VPC | DescribeVpcAttribute | VPC | not supported |
| VPC | DescribeVpcClassicLink | cross-VPC connectivity | not supported |
| Â | DescribeVpcClassicLinkDnsSupport | cross-VPC connectivity | not supported |
| VPC | DescribeVpcEndpoints | cross-VPC connectivity | not supported |
| VPC | DescribeVpcEndpointServices | cross-VPC connectivity | not supported |
| VPC | DescribeVpcPeeringConnections | cross-VPC connectivity | not supported |
| VPC | DescribeVpcs | VPC | Â |
| VPC | DescribeVpnConnections | VPN | Â |
| VPC | DescribeVpnGateways | VPN | Â |
| VPC | DetachClassicLinkVpc | cross-VPC connectivity | not supported |
| VPC | DetachInternetGateway | VPC | Â |
| VPC | DetachNetworkInterface | network interfaces | Â |
| EC2, EBS | DetachVolume | volumes | instance_id, device, force parameters |
| VPC | DetachVpnGateway | VPN | Â |
| VPC | DisableVgwRoutePropagation | VPN | Â |
| VPC | DisableVpcClassicLink | cross-VPC connectivity | not supported |
| Â | DisableVpcClassicLinkDnsSupport | cross-VPC connectivity | not supported |
| EC2, VPC | DisassociateAddress | addresses | Â |
| VPC | DisassociateRouteTable DisassociateSubnetCidrBlock | routes subnets | not supported |
| Â | DisassociateVpcCidrBlock | VPC | not supported |
| VPC | EnableVgwRoutePropagation | VPN | Â |
| EBS | EnableVolumeIO | monitoring | not supported |
| VPC | EnableVpcClassicLink | cross-VPC connectivity | not supported |
| Â | EnableVpcClassicLinkDnsSupport | cross-VPC connectivity | not supported |
| EC2 | GetConsoleOutput | instances | Â |
| Â | GetConsoleScreenshot | instances | not supported |
| EC2 | GetPasswordData | instances | Â |
| Â | ImportImage | tasks,s3 | not supported |
| Â | ImportInstance | tasks,s3 | not supported |
| EC2 | ImportKeyPair | keypairs | Â |
| Â | ImportSnapshot | tasks,s3 | not supported |
| Â | ImportVolume | tasks,s3 | not supported |
| Â | ModifyHosts | dedicated hosts | not supported |
| Â | ModifyIdentityIdFormat | resource IDs | not supported |
| Â | ModifyIdFormat | resource IDs | not supported |
| EBS | ModifyImageAttribute | images | productCodes attribute |
| EC2 | ModifyInstanceAttribute | instances | only disableApiTermination, sourceDestCheck,instanceType supported |
| Â | ModifyInstancePlacement | dedicated hosts | not supported |
| VPC | ModifyNetworkInterfaceAttribute | network interfaces | Â |
| Â | ModifyReservedInstances | market | not supported |
| EBS | ModifySnapshotAttribute | snapshots | not supported |
| Â | ModifySpotFleetRequest | market | not supported |
| VPC | ModifySubnetAttribute | subnets | not supported |
| EBS | ModifyVolumeAttribute | volumes | not supported |
| VPC | ModifyVpcAttribute | VPC | not supported |
| VPC | ModifyVpcEndpoint | cross-VPC connectivity | not supported |
| Â | ModifyVpcPeeringConnectionOptions | cross-VPC connectivity | not supported |
| Â | MonitorInstances | monitoring | not supported |
| VPC | MoveAddressToVpc | infrastructural | not supported |
| Â | PurchaseReservedInstancesOffering | market | not supported |
| Â | PurchaseScheduledInstances | scheduled instances | not supported |
| EC2 | RebootInstances | instances | Â |
| EBS | RegisterImage | images | virtualizationType, sriovNetSupport parameters |
| VPC | RejectVpcPeeringConnection | cross-VPC connectivity | not supported |
| EC2, VPC | ReleaseAddress | addresses | Â |
| Â | ReleaseHosts | dedicated hosts | not supported |
| VPC | ReplaceNetworkAclAssociation | ACL | not supported |
| VPC | ReplaceNetworkAclEntry | ACL | not supported |
| VPC | ReplaceRoute | routes | Â |
| VPC | ReplaceRouteTableAssociation | routes | Â |
| Â | ReportInstanceStatus | monitoring | not supported |
| Â | RequestSpotFleet | market | not supported |
| Â | RequestSpotInstances | market | not supported |
| EBS | ResetImageAttribute | images | Â |
| EC2 | ResetInstanceAttribute | instances | same limitations as for ModifyInstanceAttribute |
| VPC | ResetNetworkInterfaceAttribute | network interfaces | Â |
| EBS | ResetSnapshotAttribute | snapshots | not supported |
| VPC | RestoreAddressToClassic | infrastructural | not supported |
| EC2, VPC | RevokeSecurityGroupEgress | security groups | EC2 classic way to pass cidr, protocol, sourceGroup, ports parameters |
| EC2, VPC | RevokeSecurityGroupIngress | security groups | EC2 classic way to pass cidr, protocol, sourceGroup, ports parameters |
| EC2, VPC, EBS | RunInstances | instances | placement, block_device_mapping partial support, monitoring, iamInstanceProfile, ebsOptimized, shutdownInitiatedInstanceBehavior parameters |
| Â | RunScheduledInstances | scheduled instances | not supported |
| EC2 | StartInstances | instances | Â |
| EC2 | StopInstances | instances | Â |
| EC2 | TerminateInstances | instances | Â |
| Â | UnassignIpv6Addresses | network interfaces | not supported |
| VPC | UnassignPrivateIpAddresses | network interfaces | Â |
| Â | UnmonitorInstances | monitoring | not supported |
References
Documentation: https://docs.openstack.org/ec2-api/latest/
Wiki: https://wiki.openstack.org/wiki/EC2API
Bugs: https://launchpad.net/ec2-api
Source: https://opendev.org/openstack/ec2-api
Blueprint: https://blueprints.launchpad.net/nova/+spec/ec2-api