Home | panticz.de

OpenStack: Authentificaton (Token, Application credendials)

Token authentificaton

unset $(compgen -v | grep OS_)
 
export OS_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
export OS_AUTH_TYPE=v3token
export OS_AUTH_URL=https://keystone.service.example.com/v3
export OS_IDENTITY_API_VERSION=3
export OS_INTERFACE=public
export OS_REGION_NAME=de-b1
export OS_PROJECT_DOMAIN_NAME=test-domain
export OS_PROJECT_NAME=test-project
#export OS_PROJECT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

OpenStack multi cloud / user configurattion
http://www.panticz.de/openstack-clouds-config

Read more about OpenStack: Authentificaton (Token, Application credendials)

Pyton pyenv & virtualenv

List available pyenv versions
https://www.python.org/ftp/python/

pyenv install --list

virtualenv

pip install -U virtualenv --user
mkdir -vp ~/test
cd ~/test
virtualenv .venv
source .venv/bin/activate
pip install -U pip
pip install -U python-openstackclient

Pyenv and virtualenv

Read more about Pyton pyenv & virtualenv

Remotely unlock encrypted root disk using SSH

sudo apt install dropbear-initramfs
 
sudo sed -i 's/#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-I 180 -j -k -p 4000 -s -c cryptroot-unlock"/g' /etc/dropbear/initramfs/dropbear.conf
 
# optional: configure IP if no DHCP avaiable
# echo 'IP=192.168.2.123::192.168.2.1:255.255.254.0:my-wks01' >> /etc/initramfs-tools/initramfs.conf
 
sudo ssh-import-id gh:<my_user_id> -o /etc/dropbear/initramfs/authorized_keys
 
sudo update-initramfs -u
 
ssh root@your_workstation_ip -p 4444
 
# unlock disk
unlock-cryptroot

Links
https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/
https://realtechtalk.com/Howto_Set_Static_IP_on_boot_in_initramfs_for_dropbear_or_other_purposes_NFS_Linux_Debian_Ubuntu_CentOS-2278-articles

Read more about Remotely unlock encrypted root disk using SSH

Ansible: Collection

Manage collections

# Install collection
ansible-galaxy collection install ansible.posix
ansible-galaxy collection install git@git.example.com:foo/ansible-collections/bar
ansible-galaxy collection install git+file:///home/user/path/to/repo_name
 
# List collections
ansible-galaxy collection list

# default user Ansible collection directory
~/.ansible/collections/ansible_collections/
 
# env vars
ANSIBLE_COLLECTIONS_PATHS
 
# ~/.ansible.cfg 
[defaults]
collections_paths = /path/to/collection
 
# get current path
ansible-config dump | grep -i collection

Include collection in playbook

- hosts: all
  collections:
    - my_namespace.my_collection
 
 
- hosts: all
  tasks:
    - import_role:
        name: my_namespace.my_collection.my_role

Defile collection dependency in role

Read more about Ansible: Collection

OpenStack: Neutron L3 router

Recreate / move qrouter namespace

ROUTER_ID=74490819-028e-424e-b8f9-c7e48cf672af
 
# list router NS
openstack network agent list --router ${ROUTER_ID} --long
 
# list available l3 agents
openstack network agent list --agent-type l3
 
# recreate L3 agent
SOURCE_NODE=ctl1-dev
TARGET_NODE=ctl2-dev
 
SOURCE_L3_ID=$(openstack network agent list --host ${SOURCE_NODE} --agent-type l3 -f value -c ID)
TARGET_L3_ID=$(openstack network agent list --host ${TARGET_NODE} --agent-type l3 -f value -c ID)
 
openstack network agent add router --l3 ${TARGET_L3_ID} ${ROUTER_ID}
openstack network agent remove router --l3 ${SOURCE_L3_ID} ${ROUTER_ID}

Recreate all network agents

openstack router list --agent $SOURCE_L3_ID -f value -c ID | while read ROUTER_ID; do
    openstack network agent add router --l3 ${TARGET_L3_ID} ${ROUTER_ID}
    openstack network agent remove router --l3 ${SOURCE_L3_ID} ${ROUTER_ID}
done
 
openstack network agent set $SOURCE_L3_ID --disable

List floating IP in qrouter namespace

Read more about OpenStack: Neutron L3 router

WireGuard

Server

sudo apt install -y wireguard
 
cd /etc/wireguard
umask 077;
wg genkey | tee privatekey | wg pubkey > publickey
 
/etc/wireguard/wg0.conf
[Interface]
Address = 192.168.6.1/24
ListenPort = 1194
PrivateKey = qz3LQkTEA8tOJEORyUxT2w2SIwdXwCLcO7joKq58tUs=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE     
 
[Peer]
PublicKey = wL+h2EqxaQpcWgwO8SIXPGqhHgssvj9xqjHAPjYLJ28=
AllowedIPs = 192.168.6.2/32
 
sudo ufw allow 1194/udp
sudo ufw status
 
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0
 
# watch connections
watch -n1 wg

Client

Read more about WireGuard

Mellanox: Install pre-build driver

https://www.mellanox.com/products/ethernet-drivers/linux/mlnx_en

#VERSION=5.8-1.1.2.1
VERSION=23.04-0.5.3.3
URL=http://www.mellanox.com/downloads/ofed/MLNX_EN-${VERSION}/mlnx-en-${VERSION}-ubuntu$(lsb_release -rs)-$(uname -p).tgz
 
wget ${URL} -q -O /tmp/${URL##*/}
tar -C /tmp -xzf /tmp/mlnx-en-*-ubuntu*.tgz
cd /tmp/mlnx-en-${VERSION}-ubuntu*/
 
# prebuild driver only
./install --add-kernel-support-build-only
 
# install
./install --force
 
# show packages
ll /tmp/mlnx-en-*-generic/mlnx-en-*-ext.tgz
 
# install
# ./install -q --dkms --without-fw-update --force

Links
https://developer.nvidia.com/networking/ethernet-software

Read more about Mellanox: Install pre-build driver

OpenStack: Debug / cleanup DHCP

Restart DHCP namespaces

openstack subnet set --no-dhcp ${SUBNET_ID}
openstack subnet set --dhcp ${SUBNET_ID}

Find unnecessary DHCP namespaces

MAX_DHCP_NS=3
SUBNET_IDS=$(openstack subnet list --dhcp -c ID -f value)
for SUBNET_ID in ${SUBNET_IDS}; do
    NETWORK_ID=$(openstack subnet show ${SUBNET_ID} -c network_id -f value)
    DHCP_PORTS="$(openstack port list --device-owner network:dhcp --network ${NETWORK_ID} -c ID -c binding_host_id -c fixed_ips -c status -f value)"
 
    if [ $(echo "${DHCP_PORTS}" | wc -l) -ne ${MAX_DHCP_NS} ]; then
        echo "NETWORK_ID: ${NETWORK_ID}"
        echo "${DHCP_PORTS}"
 
        echo
    fi
done

Add / remove DHCP ports

Read more about OpenStack: Debug / cleanup DHCP

OpenStack: RBAC shared network

# allow access to RBAC net for project 
openstack network rbac create --target-project foo-project1 --action access_as_shared --type network foo-net-01
 
# show rbac quota
neutron quota-show --tenant_id <PROJECT_ID> | grep rbac_policy
 
# set rbac quota to unlimited
openstack quota set --rbac-policies -1 <PROJECT_ID>
 
openstack network rbac list
 
openstack network rbac show ${RBAC_ID}

Links
https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/network-rbac.html
https://docs.openstack.org/mitaka/networking-guide/config-rbac.html
https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/quota.html
https://docs.openstack.org/ocata/admin-guide/cli-networking-advanced-quotas.html

Read more about OpenStack: RBAC shared network

Create anyconnect VPN connection on command line with nmcli

Create connection

VPN_GATEWAY=vpn1.example.com
VPN_USER=foo
VPN_ROUTES=192.168.11.0/24
 
nmcli connection add \
    connection.id vpn1 \
    connection.type vpn \
    connection.permissions "user:${USER}" \
    ipv4.routes "${VPN_ROUTES}" \
    ipv4.ignore-auto-routes yes \
    vpn.service-type org.freedesktop.NetworkManager.openconnect \
    vpn.data "
        protocol = anyconnect,
        authtype = cert,
        gateway = ${VPN_GATEWAY},
        cacert = ${HOME}/vpn1/ca.pem,
        usercert = ${HOME}/vpn1/certificate.pem,
        userkey = ${HOME}/vpn1/priv.pem,
        cookie-flags = 2
    " \
    vpn.secrets "
        form:main:group_list=CLIENTGROUP,
        form:main:username=${VPN_USER},
        save_passwords=yes
    "

Start connection and enter password once

nmcli connection up vpn1

Debug

#journalctl -fxe NM_CONNECTION=8d5ec3cb-99c5-47ea-84e2-38174cd14702
journalctl -fxe -t NetworkManager
 
cat /etc/NetworkManager/system-connections/vpn1.nmconnection 
nmcli con show vpn1

Links
https://0xsys.blogspot.com/2019/06/configure-vpn-using-nmcli.html

Read more about Create anyconnect VPN connection on command line with nmcli

Subscribe to