OpenStack: Neutron L3 router
Recreate / move qrouter namespace
ROUTER_ID=74490819-028e-424e-b8f9-c7e48cf672af # list router NS openstack network agent list --router ${ROUTER_ID} --long # list available l3 agents openstack network agent list --agent-type l3 # recreate L3 agent SOURCE_NODE=ctl1-dev TARGET_NODE=ctl2-dev SOURCE_L3_ID=$(openstack network agent list --host ${SOURCE_NODE} --agent-type l3 -f value -c ID) TARGET_L3_ID=$(openstack network agent list --host ${TARGET_NODE} --agent-type l3 -f value -c ID) openstack network agent add router --l3 ${TARGET_L3_ID} ${ROUTER_ID} openstack network agent remove router --l3 ${SOURCE_L3_ID} ${ROUTER_ID}
Recreate all network agents
openstack router list --agent $SOURCE_L3_ID -f value -c ID | while read ROUTER_ID; do openstack network agent add router --l3 ${TARGET_L3_ID} ${ROUTER_ID} openstack network agent remove router --l3 ${SOURCE_L3_ID} ${ROUTER_ID} done openstack network agent set $SOURCE_L3_ID --disable
WireGuard
Server
sudo apt install -y wireguard cd /etc/wireguard umask 077; wg genkey | tee privatekey | wg pubkey > publickey /etc/wireguard/wg0.conf [Interface] Address = 192.168.6.1/24 ListenPort = 1194 PrivateKey = qz3LQkTEA8tOJEORyUxT2w2SIwdXwCLcO7joKq58tUs= PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE [Peer] PublicKey = wL+h2EqxaQpcWgwO8SIXPGqhHgssvj9xqjHAPjYLJ28= AllowedIPs = 192.168.6.2/32 sudo ufw allow 1194/udp sudo ufw status sudo systemctl enable wg-quick@wg0 sudo systemctl start wg-quick@wg0 sudo systemctl status wg-quick@wg0 # watch connections watch -n1 wg
Client
Mellanox: Install pre-build driver
https://www.mellanox.com/products/ethernet-drivers/linux/mlnx_en
VERSION=5.7-1.0.2.0 URL=http://www.mellanox.com/downloads/ofed/MLNX_EN-${VERSION}/mlnx-en-${VERSION}-ubuntu$(lsb_release -rs)-$(uname -p).tgz wget ${URL} -q -O /tmp/${URL##*/} tar -C /tmp -xzf /tmp/mlnx-en-*-ubuntu*.tgz cd /tmp/mlnx-en-${VERSION}-ubuntu*/ # prebuild driver only ./install --add-kernel-support-build-only # install ./install --force # show packages ll /tmp/mlnx-en-*-generic/mlnx-en-*-ext.tgz
Links
https://developer.nvidia.com/networking/ethernet-software
OpenStack: Debug / cleanup DHCP
Restart DHCP namespaces
openstack subnet set --no-dhcp ${SUBNET_ID} openstack subnet set --dhcp ${SUBNET_ID}
Find unnecessary DHCP namespaces
MAX_DHCP_NS=3 SUBNET_IDS=$(openstack subnet list --dhcp -c ID -f value) for SUBNET_ID in ${SUBNET_IDS}; do NETWORK_ID=$(openstack subnet show ${SUBNET_ID} -c network_id -f value) DHCP_PORTS="$(openstack port list --device-owner network:dhcp --network ${NETWORK_ID} -c ID -c binding_host_id -c fixed_ips -c status -f value)" if [ $(echo "${DHCP_PORTS}" | wc -l) -ne ${MAX_DHCP_NS} ]; then echo "NETWORK_ID: ${NETWORK_ID}" echo "${DHCP_PORTS}" echo fi done
Remove unnecessary DHCP port
OpenStack: RBAC shared network
# allow access to RBAC net for project openstack network rbac create --target-project foo-project1 --action access_as_shared --type network foo-net-01 # show rbac quota neutron quota-show --tenant_id <PROJECT_ID> | grep rbac_policy # set rbac quota to unlimited openstack quota set --rbac-policies -1 <PROJECT_ID> openstack network rbac list openstack network rbac show ${RBAC_ID}
Links
https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/network-rbac.html
https://docs.openstack.org/mitaka/networking-guide/config-rbac.html
https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/quota.html
https://docs.openstack.org/ocata/admin-guide/cli-networking-advanced-quotas.html
Create anyconnect VPN connection on command line with nmcli
Create connection
VPN_GATEWAY=vpn1.example.com VPN_USER=foo VPN_ROUTES=192.168.11.0/24 nmcli connection add \ connection.id vpn1 \ connection.type vpn \ connection.permissions "user:${USER}" \ ipv4.routes "${VPN_ROUTES}" \ ipv4.ignore-auto-routes yes \ vpn.service-type org.freedesktop.NetworkManager.openconnect \ vpn.data " protocol = anyconnect, authtype = cert, gateway = ${VPN_GATEWAY}, cacert = ${HOME}/vpn1/ca.pem, usercert = ${HOME}/vpn1/certificate.pem, userkey = ${HOME}/vpn1/priv.pem, cookie-flags = 2 " \ vpn.secrets " form:main:group_list=CLIENTGROUP, form:main:username=${VPN_USER}, save_passwords=yes "
Start connection and enter password once
nmcli connection up vpn1
Debug
#journalctl -fxe NM_CONNECTION=8d5ec3cb-99c5-47ea-84e2-38174cd14702 journalctl -fxe -t NetworkManager cat /etc/NetworkManager/system-connections/vpn1.nmconnection nmcli con show vpn1
Links
https://0xsys.blogspot.com/2019/06/configure-vpn-using-nmcli.html
LXD: Create WireGuard container
Create container
CONTAINER=wireguard # Add ubuntu-minimal repository lxc remote add --protocol simplestreams ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/ # Create LXD container #lxc launch ubuntu-minimal:lts ${CONTAINER} lxc launch ubuntu-minimal:22.04 ${CONTAINER} # update APT packages lxc exec ${CONTAINER} -- bash -c "export http_proxy=${http_proxy} && apt update && apt -y dist-upgrade && apt -y autoremove" # Install WireGuard lxc exec ${CONTAINER} -- bash -c "export http_proxy=${http_proxy} && apt install -y wireguard iptables iputils-ping"
Configure UDP 4000 port forward to wireguard container
lxc config device add ${CONTAINER} udp51820 proxy listen=udp:0.0.0.0:51820 connect=udp:127.0.0.1:51820
Configure WireGuard
Rundeck CLI
Install
https://rundeck.github.io/rundeck-cli/
https://github.com/rundeck/rundeck-cli/releases
sudo apt-get install -y default-jre-headless wget -q https://github.com/rundeck/rundeck-cli/releases/download/v2.0.0/rundeck-cli_2.0.0-1_all.deb sudo dpkg -i rundeck-cli_*_all.deb # sudo apt-get install rundeck-cli
Configuration
https://rundeck.github.io/rundeck-cli/configuration/
# ~/.rd/rundeck-dev.conf export RD_URL=http://rundeck.dev.example.com:80 export RD_USER=admin export RD_PASSWORD=admin # load configuration source ~/.rd/rundeck-dev.conf