Skip to main content
IMHCloud Logo
Back to support home

Editing Instance Properties and Metadata in OpenStack

Compute

Overview

OpenStack provides flexible options for modifying instance properties after creation. You can update instance metadata, change names and descriptions, adjust security groups, and modify port security settings without recreating your instances.

This guide covers the essential operations for editing running instances through both the Horizon dashboard and OpenStack CLI.

How to Edit Instance Properties in Horizon Dashboard

Editing Basic Properties (Name, Description)

  1. Log into the Horizon dashboard
  2. Navigate to Project > Compute > Instances
  3. Locate the instance you want to modify
  4. Click the dropdown menu in the Actions column for your instance
  5. Select Edit Instance
  6. Update the instance name in the Name field
  7. Update the description in the Description field (if supported by your OpenStack version)
  8. Click Save to apply the changes

The instance display name updates immediately without affecting the instance ID or internal hostname.

Managing Instance Metadata

  1. Navigate to Project > Compute > Instances
  2. Click the dropdown menu for your instance
  3. Select Update Metadata
  4. In the metadata editor, you will see two columns:
  • Available Metadata: Predefined metadata keys you can use
  • Existing Metadata: Currently assigned metadata on your instance
  1. To add metadata, drag keys from Available Metadata to Existing Metadata
  2. To add custom metadata, click the + button
  3. Enter your custom key-value pairs (such as department=engineering or environment=production)
  4. To remove metadata, click the - button next to the metadata entry
  5. Click Save to apply your changes

You can also set metadata during instance creation by navigating to the Metadata tab in the instance launch dialog and adding custom metadata pairs before completing the launch process.

Changing Security Groups

  1. Navigate to Project > Compute > Instances
  2. Locate your instance in the list
  3. Click the dropdown menu in the Actions column
  4. Select Edit Security Groups
  5. You will see two columns:
  • All Security Groups: Available security groups in your project
  • Instance Security Groups: Currently assigned security groups
  1. To add a security group, click the + button next to it in the All Security Groups column
  2. To remove a security group, click the - button next to it in the Instance Security Groups column
  3. Click Save to apply the changes

The new security group rules apply immediately without interrupting existing connections. Ensure the instance retains at least one security group with appropriate rules to maintain network connectivity.

Editing Port Security Settings

Port security settings in Horizon are managed at the network port level. Port security cannot be modified directly from the instance view.

  1. Navigate to Project > Network > Networks
  2. Click on the network that your instance is connected to
  3. Select the Ports tab
  4. Locate the port associated with your instance (identified by the device ID or fixed IP)
  5. Click Edit Port
  6. Locate the Port Security setting
  7. To disable port security:
  • First, remove all security groups from the port
  • Uncheck the Port Security checkbox
  • Click Update
  1. To enable port security:
  • Check the Port Security checkbox
  • Click Update
  • Return to the port settings and assign appropriate security groups

Important: Port security cannot be disabled if security groups or allowed address pairs are still assigned to the port. You must remove these first.

How to Edit Instance Properties Using OpenStack CLI

Editing Basic Properties

Changing Instance Name

To rename an instance, use the openstack server set command with the --name parameter:

1openstack server set --name web-server-02 web-server-01

This updates the instance display name without affecting the instance ID or internal hostname.

Updating Instance Description

Add or modify the instance description to help document the purpose of each server:

1openstack server set --description "Production web server for customer portal" web-server-02

Note: The --description parameter requires OpenStack API version 2.19 or later.

Setting Custom Properties

You can add custom key-value metadata to instances for organization, automation, or billing purposes:

1openstack server set --property department=engineering web-server-02
2openstack server set --property environment=production web-server-02
3openstack server set --property backup=daily web-server-02

Properties are stored as metadata and can be queried later for filtering and automation workflows.

Managing Instance Metadata

Viewing Current Metadata

Display all metadata associated with an instance:

1openstack server show web-server-02 -c properties

This returns all custom properties and metadata key-value pairs.

Adding Metadata

Set metadata on an existing instance:

1openstack server set --property application=wordpress web-server-02
2openstack server set --property owner=devops web-server-02

Setting Metadata at Launch

When creating instances, you can include metadata from the start:

1openstack server create \
2  --flavor m1.medium \
3  --image ubuntu-22.04 \
4  --property application=wordpress \
5  --property owner=devops \
6  web-server-03

Removing Metadata

To remove a specific metadata key:

1openstack server unset --property department web-server-02

This deletes the specified property from the instance metadata.

Changing Security Groups

Security groups control network traffic to and from your instances. You can add or remove security groups from running instances without downtime.

Viewing Current Security Groups

Check which security groups are assigned to an instance:

1openstack server show web-server-02 -c security_groups

You can also view security groups on individual ports:

1openstack port list --server web-server-02
2openstack port show <port-id> -c security_group_ids

Since security groups are attributes of ports rather than servers, different ports on the same instance can have different security group configurations.

Adding Security Groups

Attach an additional security group to all ports on an instance:

1openstack server add security group web-server-02 web-traffic

This applies the new security group rules immediately without interrupting existing connections.

Removing Security Groups

Detach a security group from an instance:

1openstack server remove security group web-server-02 default

Important: Ensure the instance retains at least one security group with appropriate rules to maintain network connectivity.

Modifying Security Groups on Individual Ports

For more granular control, modify security groups at the port level.

First, identify the port:

1openstack port list --server web-server-02

Then update the security groups for that specific port:

1openstack port set --security-group web-traffic <port-id>

To add multiple security groups to a port:

1openstack port set --security-group web-traffic --security-group ssh-access <port-id>

Editing Port Security Settings

Port security in OpenStack controls whether anti-spoofing rules and security groups are enforced on network ports.

Understanding Port Security

When port security is enabled (the default):

  • Security group rules are enforced
  • Anti-spoofing filters prevent MAC and IP address spoofing
  • Only allowed address pairs can send traffic through the port

When port security is disabled:

  • No packet filtering is applied
  • Security groups have no effect
  • All traffic is allowed in and out

Disabling port security is sometimes necessary for specialized networking scenarios like virtual router appliances or load balancers that need to handle traffic for multiple IP addresses.

Checking Port Security Status

View the current port security setting:

1openstack port show <port-id> -c port_security_enabled

Disabling Port Security

Before disabling port security, remove all security groups from the port.

  1. Remove security groups:
1openstack port set --no-security-group <port-id>
  1. Disable port security:
1openstack port set --disable-port-security <port-id>

Important: Port security cannot be disabled if security groups or allowed address pairs are still assigned to the port.

Enabling Port Security

To re-enable port security on a port:

1openstack port set --enable-port-security <port-id>

After enabling port security, assign appropriate security groups:

1openstack port set --security-group default <port-id>

Setting Port Security at Creation

You can disable port security when creating a new port:

1openstack port create --network private-net --disable-port-security custom-port

Verifying Changes

After making modifications, verify the changes took effect.

Check Instance Properties

1openstack server show web-server-02

Review the output for updated name, description, properties, and security groups.

Verify Port Configuration

1openstack port list --server web-server-02
2openstack port show <port-id>

Confirm security groups and port security settings match your expectations.

Test Network Connectivity

After modifying security groups or port security:

  1. Test inbound connectivity to the instance
  2. Verify outbound connections work as expected
  3. Check application functionality

Common Use Cases

Organizing Instances with Metadata

Use metadata to track ownership, billing codes, or automation tags:

1openstack server set --property cost-center=CC-1234 web-server-02
2openstack server set --property backup-schedule=nightly web-server-02
3openstack server set --property compliance=pci-dss web-server-02

Query instances by metadata later:

1openstack server list --property cost-center=CC-1234

Adjusting Security During Troubleshooting

Temporarily add a permissive security group for debugging:

1openstack server add security group web-server-02 debug-access

Remove it after troubleshooting is complete:

1openstack server remove security group web-server-02 debug-access

Configuring Virtual Appliances

For virtual routers or firewalls that need to handle traffic for multiple IP addresses, disable port security:

1openstack port set --no-security-group router-port-01
2openstack port set --disable-port-security router-port-01

Best Practices

Document Changes with Metadata

Use the description field and custom properties to document instance purpose, configuration, and change history.

1openstack server set --description "Web server - migrated from old-host-01 on 2026-01-29" web-server-02
2openstack server set --property last-updated=2026-01-29 web-server-02

Test Security Changes in Staging

Before modifying security groups on production instances:

  1. Test changes in a non-production environment
  2. Document expected behavior
  3. Have a rollback plan ready

Use Specific Security Groups

Instead of modifying the default security group, create purpose-specific groups:

1openstack server add security group web-server-02 http-https-only

This makes it easier to manage and audit security policies.

Review Port-Level Settings

When troubleshooting connectivity issues, always check both server-level and port-level security configurations:

1openstack server show web-server-02 -c security_groups
2openstack port list --server web-server-02
3openstack port show <port-id> -c security_group_ids -c port_security_enabled

Keep Metadata Consistent

Establish naming conventions for metadata keys across your environment:

1# Good - consistent naming
2openstack server set --property env=production web-server-02
3openstack server set --property app=wordpress web-server-02
4

5# Avoid - inconsistent naming
6openstack server set --property Env=prod web-server-02
7openstack server set --property application_type=WP web-server-02

Troubleshooting

Cannot Remove Security Group

If you receive an error when removing a security group:

  1. Verify the security group name or ID is correct
  2. Ensure at least one other security group will remain
  3. Check for port-level security group assignments

Port Security Changes Not Taking Effect

When port security modifications fail:

  1. Confirm all security groups are removed before disabling port security
  2. Check for allowed address pairs that might prevent disabling
  3. Verify your user role has permission to modify port security

Metadata Not Appearing

If metadata does not display:

  1. Check the correct property key was used
  2. Verify API version supports the feature (2.19+ for description)
  3. Refresh the Horizon dashboard or re-run the CLI command

When to Contact Support

Contact your cloud administrator or support team if:

  • You need to modify instance properties that require administrative privileges
  • Port security or security group changes cause unexpected connectivity loss
  • You encounter permission errors when editing instance metadata
  • You need assistance with complex networking configurations involving multiple ports

Summary

OpenStack provides powerful tools for modifying instance properties after creation. You can update names, descriptions, and custom metadata through both CLI and Horizon. Security groups can be added or removed dynamically, and port security settings offer fine-grained control over network filtering.

Regular use of metadata helps maintain organized, well-documented infrastructure. Security group modifications enable you to adjust firewall rules without recreating instances. Port security settings give you flexibility for specialized networking scenarios while maintaining strong defaults for standard deployments.

By understanding these configuration options, you can maintain agile, well-documented OpenStack environments that adapt to changing requirements.