Kubernetes the hard way
Configure OpenStack application credentials
mkdir -p ~/.config/openstack cat <<EOF> ~/.config/openstack/clouds.yaml clouds: dev-foo: auth_type: "v3applicationcredential" auth: auth_url: https://keystone.service.dev.example.com/v3 application_credential_id: "YOUR_CREDENTIAL_ID" application_credential_secret: "YOUR_CREDENTIAL_PASS" EOF
Install Terraform
cat <<EOF> /tmp/install-terraform.yml --- - hosts: localhost tasks: - name: Get latest Terraform version uri: url: https://checkpoint-api.hashicorp.com/v1/check/terraform register: response - set_fact: terraform_download_url: "{{ response.json.current_download_url }}" terraform_version: "{{ response.json.current_version }}" - name: Download Terraform {{ terraform_version }} unarchive: src: "{{ terraform_download_url }}terraform_{{ terraform_version }}_{{ ansible_system | lower }}_amd64.zip" remote_src: yes dest: ~/bin creates: ~/bin/terraform mode: 0550 EOF ansible-playbook /tmp/install-terraform.yml
Create test env on OpenStack
OpenStack: Octavia / Amphora LB check
#!/bin/bash source /etc/kolla/admin-openrc.sh function show_lb_owner() { LB_ID=$1 # show project PROJECT_ID=$(openstack loadbalancer show -c project_id -f value ${LB_ID}) PROJECT_NAME=$(openstack project show -c name -f value ${PROJECT_ID}) # show domain DOMAIN_ID=$(openstack project show -c domain_id -f value ${PROJECT_ID}) DOMAIN_NAME=$(openstack domain show -c name -f value ${DOMAIN_ID}) echo "Domain: ${DOMAIN_NAME}" echo "Project: ${PROJECT_NAME}" } EXIT_CODE=0 # list broken LB OUTPUT="$(openstack loadbalancer amphora list --provisioning-status ERROR)" if [ -n "${OUTPUT}" ]; then echo "${OUTPUT}" EXIT_CODE=1 fi # search for broken LB
NVMe
Install
sudo apt install -y nvme-cli
CLI
# list devices nvme list nvme smart-log /dev/nvme0n1 isdct show -d DeviceStatus,Index,Firmware,FirmwareUpdateAvailable -intelssd
Fix nvme1: ignoring ctrl due to duplicate subnqn
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1803692
# dmesg | grep nvme [ 2.546620] nvme nvme0: pci function 0000:5e:00.0 [ 2.552447] nvme nvme1: pci function 0000:5f:00.0 [ 2.768347] nvme nvme1: ignoring ctrl due to duplicate subnqn (nqn.2017-12.org.nvmexpress:uuid:11111111-2222-3333-4444-555555555555). [ 2.775422] nvme nvme1: Removing after probe failure status: -22 [ 2.779813] nvme0n1: p1 p2
Fix by upgrade NVMe firmware
http://www.panticz.de/intel/nvme
Delete
nvme format --ses=1 /dev/nvme1
Octavia: proxy protocol
openstack loadbalancer listener create --name foo-lb1-tcp-80 --protocol TCP --protocol-port 80 foo-lb1 openstack loadbalancer pool create --name foo-lb1-proxy-pool --lb-algorithm ROUND_ROBIN --listener foo-lb1-tcp-80 --protocol PROXY openstack loadbalancer member create --subnet-id foo-subnet --address 10.0.1.13 --protocol-port 80 foo-lb1-proxy-pool # configure nginx cat /etc/nginx/sites-enabled/default ... server { listen 80 default_server proxy_protocol; set_real_ip_from 10.0.1.17; # incomming proxy IP #set_real_ip_from 192.168.1.0/24; real_ip_header proxy_protocol; ...
Links
https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
https://www.scaleway.com/en/docs/configure-proxy-protocol-with-a-load-balancer/
Mellanox: SR-IOV (Single Root IO Virtualization)
Install Mellanox Driver
http://www.panticz.de/mellanox/install-dirver
mstconfig -y -d 18:00.1 set SRIOV_EN=1 NUM_OF_VFS=16 #cat /etc/modprobe.d/mlnx.conf #options mlx4_core num_vfs=5 probe_vf=5 apt install -y sysfsutils cat <<EOF> /etc/sysfs.d/mlnx-sriov_numvfs.conf class/net/ens6f0/device/sriov_numvfs = 8 class/net/ens6f1/device/sriov_numvfs = 8 class/net/ens7f0/device/sriov_numvfs = 8 class/net/ens7f1/device/sriov_numvfs = 8 EOF # /boot/grub/grub.cf intel_iommu=on ll /sys/class/net/en{p,s}* echo 8 > /sys/class/net/ens6f0/device/sriov_numvfs
Configure VLAN
LXD: OpenStack CLI (OSC) container
# create container lxc launch ubuntu:20.04 osc lxc shell osc # install OpenStack CLI apt install -y python3-openstackclient python3-neutron-vpnaas python3-octaviaclient openstack complete | sudo tee /etc/bash_completion.d/openstack source /etc/bash_completion # configure connection mkdir -p .config/openstack cat <<EOF> .config/openstack/clouds.yaml clouds: dev-foo-app: auth: auth_url: https://keystone.service.example.com/v3 application_credential_id: "xxxxxxxx" application_credential_secret: "xxxxxxxx" region_name: "eu-fra1" interface: "public" identity_api_version: 3 auth_type: "v3applicationcredential" EOF echo export OS_CLOUD=dev-foo-app >> .bashrc # test export OS_CLOUD=dev-foo-app openstack image list
Side2Side VPN connection between OpenStack VPNaaS and AVM Fritz!Box
FRITZBOX_WAN_IP=111.1.2.3 FRITZBOX_CIDR=192.168.178.0/24 PSK=PASS1234 openstack vpn ike policy create ikepolicy \ --encryption-algorithm aes-256 \ --auth-algorithm sha512 \ --pfs group2 openstack vpn ipsec policy create ipsecpolicy \ --encryption-algorithm aes-256 \ --auth-algorithm sha512 \ --pfs group2 ROUTER_ID=$(openstack router list -c ID -f value) openstack vpn service create vpn \ --router ${ROUTER_ID} SUBNET_ID=$(openstack subnet list -c ID -f value) openstack vpn endpoint group create ep_subnet \ --type subnet \ --value ${SUBNET_ID} openstack vpn endpoint group create ep_cidr \ --type cidr \ --value ${FRITZBOX_CIDR} openstack vpn ipsec site connection create conn \ --vpnservice vpn \ --ikepolicy ikepolicy \ --ipsecpolicy ipsecpolicy \ --peer-address ${FRITZBOX_WAN_IP} \ --peer-id ${FRITZBOX_WAN_IP} \ --psk ${PSK} \ --local-endpoint-group ep_subnet \ --peer-endpoint-group ep_cidr
Add ingress ssh security rule
openstack security group rule create default \ --protocol tcp \ --dst-port 22 \ --remote-ip 192.168.178.0/24
Create S2S VPN connection on Fritz!Box
Site to Site IPSec VPN with strongSwan and OpenStack VPNaaS (IPsec)
Setup
# Left (Ubuntu client, behind NAT) Ubuntu Client IP: 212.8.9.10 Ubuntu net: 192.168.178.0/24 # Right (OpenStack VPNaaS) VPN_SERVICE_ID=$(openstack vpn service list -c ID -f value) VPN_SERVICE_IP=$(openstack vpn service show ${VPN_SERVICE_ID} -c external_v4_ip -f value) echo ${VPN_SERVICE_IP} OpenStack VPN IP: 217.50.60.70 OpenStack Net: 10.0.1.0/24
Create OpenStack VPN endpoint
http://www.panticz.de/openstack/vpnaas
/etc/ipsec.secrets
217.50.60.70 : PSK "PASS1234"/etc/ipsec.conf
config setup conn vpn1 keyexchange=ikev1 left=%defaultroute leftid=212.8.9.10 leftsubnet=192.168.178.0/24 leftauth=psk leftfirewall=yes authby=psk auto=start ike=aes256-sha512-modp1024 esp=aes256-sha512 right=217.50.60.70 rightsubnet=10.0.1.0/24 rightauth=psk ikelifetime=3600s keylife=3600s type=tunnel
CLI
sudo ipsec status sudo ipsec statusall sudo ipsec restart sudo ipsec up vpn1 sudo ipsec down vpn1 sudo ipsec listalgs
List
Install Mellanox MFT
https://www.mellanox.com/products/adapter-software/firmware-tools
URL=https://www.mellanox.com/downloads/MFT/mft-4.15.0-104-x86_64-deb.tgz wget -q ${URL} -P /tmp tar xzf /tmp/mft-*-x86_64-deb.tgz -C /tmp/ sudo apt-get update sudo apt install -y gcc make dkms linux-headers-$(uname -r) /tmp/mft-*-x86_64-deb/install.sh mst start