Create application credentials as OpenStack admin for federated user(s)
Single user
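# Create an application credential while authenticated with a Keystone token
# (the clouds.yaml entry below uses auth_type v3token and picks the token up
# from OS_TOKEN).
#
# The token comes from an out-of-band login; replace the placeholder. The page
# showed a truncated fernet token ("gAAAAABjtUl_...").
export OS_TOKEN='REPLACE_WITH_KEYSTONE_TOKEN'

# ~/.config/openstack/clouds.yaml (nesting restored from the flattened dump;
# "examle.com" on the page was a typo for example.com):
#   clouds:
#     dev-admin-token:
#       auth:
#         auth_url: https://keystone.service.example.com/v3
#         project_domain_name: "my-foo"
#         project_name: "foo"
#       region_name: "eu-south"
#       interface: "public"
#       identity_api_version: 3
#       auth_type: "v3token"

# OS_AC_NAME was never assigned on the page; fail early instead of creating a
# credential with an empty name.
: "${OS_AC_NAME:?set OS_AC_NAME to the name of the application credential to create}"

# --unrestricted allows the new credential to create further application
# credentials and trusts; drop the flag unless the consumer really needs that.
# The JSON result holds the credential secret (shown only at creation time), so
# keep OS_AC out of logs, `set -x` output and shell history.
OS_AC=$(openstack application credential create "${OS_AC_NAME}" --unrestricted \
  --os-cloud dev-admin-token -f json)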
Multiple users
OpenStack: Authentication (Token, Application credentials)
Token authentication
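# Token authentication: start from a clean environment so a stale OS_* setting
# (e.g. a leftover password auth type) cannot interfere with the token.
# The pattern is anchored: the page's `grep OS_` also removed any variable that
# merely contains "OS_" somewhere in its name.
# shellcheck disable=SC2046 # word-splitting of the variable list is intended
unset $(compgen -v | grep '^OS_')

# Placeholder token; the real value is readable by every process of this user
# and is echoed by `set -x`, so do not paste it into shared logs.
export OS_TOKEN='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
export OS_AUTH_TYPE=v3token
export OS_AUTH_URL=https://keystone.service.example.com/v3
export OS_IDENTITY_API_VERSION=3
export OS_INTERFACE=public
export OS_REGION_NAME=de-b1
# Scope the token to a project by domain + name (or by id, see below).
export OS_PROJECT_DOMAIN_NAME=test-domain
export OS_PROJECT_NAME=test-project
#export OS_PROJECT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx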
OpenStack multi cloud / user configuration
http://www.panticz.de/openstack-clouds-config
Python pyenv & virtualenv
List available pyenv versions
https://www.python.org/ftp/python/
pyenv install --list
virtualenv
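# Throwaway virtualenv with an up-to-date OpenStack client.
pip install -U virtualenv --user
mkdir -vp ~/test
# Do not fall through into the current directory if the cd fails; the venv and
# the installs below would otherwise land wherever the shell happens to be.
cd ~/test || exit 1
virtualenv .venv
# shellcheck disable=SC1091 # activate script only exists after the line above
source .venv/bin/activate
pip install -U pip
pip install -U python-openstackclient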
Pyenv and virtualenv
Remotely unlock encrypted root disk using SSH
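# Remote LUKS unlock: run dropbear from the initramfs so the root-disk
# passphrase can be entered over SSH before the real system comes up.

# The page configured dropbear on 4000 but connected on 4444; use one value
# for both sides (4000 was the one written into the config).
DROPBEAR_PORT=4000

sudo apt install dropbear-initramfs

# -I 180: idle timeout, -j/-k: no local/remote port forwarding, -s: no password
# logins (keys only), -c: every login is forced into cryptroot-unlock.
sudo sed -i "s/#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS=\"-I 180 -j -k -p ${DROPBEAR_PORT} -s -c cryptroot-unlock\"/g" /etc/dropbear/initramfs/dropbear.conf

# optional: configure IP if no DHCP available. A plain '>>' is not elevated by
# sudo, so append via tee (or edit the file as root).
# echo 'IP=192.168.2.123::192.168.2.1:255.255.254.0:my-wks01' | sudo tee -a /etc/initramfs-tools/initramfs.conf

# GitHub account whose published keys may unlock the disk; keep this list tight.
GH_USER='<my_user_id>'
sudo ssh-import-id "gh:${GH_USER}" -o /etc/dropbear/initramfs/authorized_keys
sudo update-initramfs -u

# From another machine while the workstation waits at the passphrase prompt:
ssh "root@your_workstation_ip" -p "${DROPBEAR_PORT}"
# unlock disk (the page's "unlock-cryptroot" was a transposition of the command
# name used in DROPBEAR_OPTIONS above; -c already runs it, run it by hand only
# if you are dropped into a shell)
cryptroot-unlock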
Links
https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/
https://realtechtalk.com/Howto_Set_Static_IP_on_boot_in_initramfs_for_dropbear_or_other_purposes_NFS_Linux_Debian_Ubuntu_CentOS-2278-articles
Ansible: Collection
Manage collections
# Install collections from Galaxy, from a git remote (scp-style URL) and from
# a local git checkout, then show what is installed.
for src in \
  ansible.posix \
  git@git.example.com:foo/ansible-collections/bar \
  git+file:///home/user/path/to/repo_name; do
  ansible-galaxy collection install "${src}"
done

# List collections
ansible-galaxy collection list
# Where collections are looked up and how to change that.
#
# default per-user collection directory:
#   ~/.ansible/collections/ansible_collections/
#
# override through the environment:
#   ANSIBLE_COLLECTIONS_PATHS
#
# or persistently in ~/.ansible.cfg:
#   [defaults]
#   collections_paths = /path/to/collection
#
# print the effective setting
ansible-config dump | grep -i collection
Include collection in playbook
# Two ways to use a collection from a play:
# 1) list it under `collections:` so unqualified role/module names resolve
#    against it
- hosts: all
  collections:
    - my_namespace.my_collection
# 2) reference the role by its fully qualified collection name
- hosts: all
  tasks:
    - import_role:
        name: my_namespace.my_collection.my_role
Define collection dependency in role
OpenStack: Neutron L3 router
Recreate / move qrouter namespace
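# Move one router's L3 namespace from the agent on SOURCE_NODE to the one on
# TARGET_NODE.
ROUTER_ID=74490819-028e-424e-b8f9-c7e48cf672af

# list router NS
openstack network agent list --router "${ROUTER_ID}" --long
# list available l3 agents
openstack network agent list --agent-type l3

# recreate L3 agent
SOURCE_NODE=ctl1-dev
TARGET_NODE=ctl2-dev
SOURCE_L3_ID=$(openstack network agent list --host "${SOURCE_NODE}" --agent-type l3 -f value -c ID)
TARGET_L3_ID=$(openstack network agent list --host "${TARGET_NODE}" --agent-type l3 -f value -c ID)
# A mistyped host name yields an empty id and thus `--l3 ''`; stop here instead.
: "${SOURCE_L3_ID:?no l3 agent found on ${SOURCE_NODE}}"
: "${TARGET_L3_ID:?no l3 agent found on ${TARGET_NODE}}"

# add to the target before removing from the source (order as on the page)
openstack network agent add router --l3 "${TARGET_L3_ID}" "${ROUTER_ID}"
openstack network agent remove router --l3 "${SOURCE_L3_ID}" "${ROUTER_ID}"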
Recreate all network agents
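# Evacuate every router hosted by SOURCE_L3_ID to TARGET_L3_ID, then take the
# source agent out of scheduling. Both ids must already be set.
: "${SOURCE_L3_ID:?}" "${TARGET_L3_ID:?}"

openstack router list --agent "${SOURCE_L3_ID}" -f value -c ID | while IFS= read -r ROUTER_ID; do
  [ -n "${ROUTER_ID}" ] || continue   # skip blank lines in the listing
  openstack network agent add router --l3 "${TARGET_L3_ID}" "${ROUTER_ID}"
  openstack network agent remove router --l3 "${SOURCE_L3_ID}" "${ROUTER_ID}"
done

# keep the scheduler from placing new routers on the drained agent
openstack network agent set "${SOURCE_L3_ID}" --disable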
List floating IP in qrouter namespace
WireGuard
Server
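# WireGuard server: install, generate a key pair, configure wg0, open the
# port and enable the service.
sudo apt install -y wireguard

# The key files are written into /etc/wireguard, so run this as root
# (e.g. in a `sudo -i` shell); umask 077 keeps privatekey readable by root only.
cd /etc/wireguard && { umask 077; wg genkey | tee privatekey | wg pubkey > publickey; }

# /etc/wireguard/wg0.conf
# PrivateKey is the content of the privatekey file generated above. The page
# listed a literal key here; a private key must never be published in
# documentation or committed to a repository - treat any such key as
# compromised and regenerate it.
#   [Interface]
#   Address = 192.168.6.1/24
#   ListenPort = 1194
#   PrivateKey = <contents of /etc/wireguard/privatekey>
#   # ens3 is the uplink used for NAT; adjust to the server's egress interface
#   PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
#   PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
#
#   [Peer]
#   PublicKey = wL+h2EqxaQpcWgwO8SIXPGqhHgssvj9xqjHAPjYLJ28=
#   # only this source address is accepted from (and routed to) this peer
#   AllowedIPs = 192.168.6.2/32

sudo ufw allow 1194/udp
sudo ufw status
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0

# watch connections
watch -n1 wg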
Client
Mellanox: Install pre-built driver
https://www.mellanox.com/products/ethernet-drivers/linux/mlnx_en
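# Fetch and install the Mellanox/NVIDIA mlnx-en driver matching the running
# Ubuntu release and CPU architecture.
VERSION=5.8-1.1.2.1
URL="http://www.mellanox.com/downloads/ofed/MLNX_EN-${VERSION}/mlnx-en-${VERSION}-ubuntu$(lsb_release -rs)-$(uname -p).tgz"
ARCHIVE="/tmp/${URL##*/}"

wget "${URL}" -q -O "${ARCHIVE}"
# NOTE(review): the tarball is fetched over plain HTTP and its ./install is run
# as root below without any checksum or signature check. Verify the download
# against whatever hash/signature the vendor download page provides before
# continuing.
tar -C /tmp -xzf "${ARCHIVE}"
# only the release suffix of the extracted directory is unknown, hence the glob
cd /tmp/mlnx-en-"${VERSION}"-ubuntu*/ || exit 1

# prebuild driver only
./install --add-kernel-support-build-only
# install
./install --force

# show packages (the page used `ll`, an interactive alias that does not exist
# in scripts)
ls -l /tmp/mlnx-en-*-generic/mlnx-en-*-ext.tgz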
Links
https://developer.nvidia.com/networking/ethernet-software
OpenStack: Debug / cleanup DHCP
Restart DHCP namespaces
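# Bounce DHCP on one subnet (disable, then re-enable) to get its namespaces
# rebuilt. SUBNET_ID must be set; an empty value would otherwise be passed to
# the CLI as an empty positional argument.
: "${SUBNET_ID:?set SUBNET_ID first}"
openstack subnet set --no-dhcp "${SUBNET_ID}"
openstack subnet set --dhcp "${SUBNET_ID}"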
Find unnecessary DHCP namespaces
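# Report every network whose number of DHCP ports differs from the expected
# number of DHCP namespaces (MAX_DHCP_NS). Read-only; prints the port table
# for each mismatch.
MAX_DHCP_NS=3
SUBNET_IDS=$(openstack subnet list --dhcp -c ID -f value)

# unquoted on purpose: one subnet id per word
for SUBNET_ID in ${SUBNET_IDS}; do
  NETWORK_ID=$(openstack subnet show "${SUBNET_ID}" -c network_id -f value)
  DHCP_PORTS="$(openstack port list --device-owner network:dhcp --network "${NETWORK_ID}" \
    -c ID -c binding_host_id -c fixed_ips -c status -f value)"
  # count result lines; printf + grep -c '' yields 0 for an empty listing,
  # whereas `echo | wc -l` on the page counted 1.
  PORT_COUNT=$(printf '%s' "${DHCP_PORTS}" | grep -c '')
  if [ "${PORT_COUNT}" -ne "${MAX_DHCP_NS}" ]; then
    echo "NETWORK_ID: ${NETWORK_ID}"
    echo "${DHCP_PORTS}"
    echo
  fi
done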
Remove unnecessary DHCP port