Terraform: OpenStack

OpenStack Providery
https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs

# Configure the OpenStack Provider
provider "openstack" {
  user_name   = "admin"
  tenant_name = "admin"
  password    = "pwd"
  auth_url    = "http://myauthurl:5000/v2.0"
  region      = "RegionOne"
}
 
# cloud.yaml
provider "openstack" {
  cloud      = "dev-foo"
}

Router
https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_router_v2

resource "openstack_networking_router_v2" "router_1" {
  name       = "foo-router"
  external_network_id = "88934cac-8d55-40d5-8ff9-bde65011741d"
}
 
resource "openstack_networking_router_interface_v2" "terraform" {
  router_id = openstack_networking_router_v2.router_1.id
  subnet_id = openstack_networking_subnet_v2.subnet_1.id
}

Compute
https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/compute_instance_v2

nextcloud

# install nextcloud with snap
snap install nextcloud
 
sudo snap enable nextcloud
sudo snap disable nextcloud
 
# set domain
nextcloud.occ config:system:set trusted_domains 0 --value="nextcloud.example.com"

User
https://docs.nextcloud.com/server/15/admin_manual/configuration_server/occ_command.html#file-operations-label

# create user
export OC_PASS=pass1234
nextcloud.occ user:add --display-name "Foo Bar" --group=bar --password-from-env foo

Email

# create email
nextcloud.occ mail:account:create fobr "Foo Bar" foo.bar@example.com imap.example.com 143 off foo.bar pass1234 smtp.example.com 25 off foo.bar pass1234

Files
https://docs.nextcloud.com/server/15/admin_manual/configuration_server/occ_command.html#file-operations-label

# path
/var/snap/nextcloud/common/nextcloud/data/admin/file
 
# rescan files
nextcloud.occ files:scan --path=admin
nextcloud.occ files:scan --all
 
# external files
nextcloud.occ files_external:list
sudo snap connect nextcloud:removable-media

Calendar

cloud-config / cloud-init

Cloud config examples
https://cloudinit.readthedocs.io/en/latest/reference/examples.html

Network
https://cloudinit.readthedocs.io/en/latest/topics/network-config-format-v1.html

user.network-config: |
version: 1
config:
    - type: physical
    name: dev-mgmt
    subnets:
      - type: static
        address: 10.33.20.40/20
        gateway: 10.33.16.1
        routes:
            - gateway: 10.33.16.1
              network: 10.33.0.0/16
        dns_nameservers:
            - 10.8.3.74
            - 10.8.3.174
        dns_search:
            - dev.i.example.com
    - type: physical
      name: dev-ipmi
      subnets:
    - type: static
      address: 10.32.20.40/20
      gateway: 10.32.16.1
network:
  version: 1
  config:
  - type: physical
    name: eth0
    subnets:
      - type: dhcp

Links
https://cloudinit.readthedocs.io/en/latest/topics/examples.html
https://wiki.archlinux.org/index.php/Cloud-init
https://www.digitalocean.com/community/tutorials/how-to-use-cloud-config-for-your-initial-server-setup
https://learn.hashicorp.com/tutorials/terraform/cloud-init

Microsoft teams under Linux / Ubuntu

Install Microsoft Teams

wget https://packages.microsoft.com/keys/microsoft.asc -qO-| sudo apt-key add -
sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/ms-teams stable main" > /etc/apt/sources.list.d/teams.list'
sudo apt update
sudo apt install -y teams

Ansible

cat <<EOF> /tmp/teams.yml
---
- hosts: localhost
  tasks:
    - name: Add teams APT key
      apt_key:
        url: https://packages.microsoft.com/keys/microsoft.asc
      become: yes
 
    - name: Add teams repository
      apt_repository:
        repo: "deb [arch=amd64] https://packages.microsoft.com/repos/ms-teams stable main"
      become: yes
 
    - name: Install teams
      apt:
        update_cache: yes
        name: teams
      become: yes
EOF
 
ansible-playbook /tmp/teams.yml --ask-become-pass

Install by snap

sudo snap install teams

2Factor authentification
# Google Authentificaor
https://mysignins.microsoft.com/security-info
https://blog.paranoidpenguin.net/2018/06/office-365-multi-factor-authentication-with-google-authenticator/

# Microsoft Authenticator for Android
https://play.google.com/store/apps/details?id=com.azure.authenticator

Webclient
https://teams.microsoft.com

Links
https://docs.microsoft.com/de-de/microsoftteams/get-clients

Kubernetes the hard way

Links
https://github.com/kelseyhightower/kubernetes-the-hard-way

Configure OpenStack application credentials

mkdir -p ~/.config/openstack
 
cat <<EOF> ~/.config/openstack/clouds.yaml
clouds:
  dev-foo:
    auth_type: "v3applicationcredential"
    auth:
      auth_url: https://keystone.service.dev.example.com/v3
      application_credential_id: "YOUR_CREDENTIAL_ID"
      application_credential_secret: "YOUR_CREDENTIAL_PASS"
EOF

Install Terraform

cat <<EOF> /tmp/install-terraform.yml 
---
- hosts: localhost
  tasks:
    - name: Get latest Terraform version
      uri:
        url: https://checkpoint-api.hashicorp.com/v1/check/terraform
      register: response
 
    - set_fact:
        terraform_download_url: "{{ response.json.current_download_url }}"
        terraform_version: "{{ response.json.current_version }}"
 
    - name: Download Terraform {{ terraform_version }}
      unarchive:
        src: "{{ terraform_download_url }}terraform_{{ terraform_version }}_{{ ansible_system | lower }}_amd64.zip"
        remote_src: yes
        dest: ~/bin
        creates: ~/bin/terraform
        mode: 0550
EOF
 
ansible-playbook /tmp/install-terraform.yml

Create test env on OpenStack

OpenStack: Octavia / Amphora LB check

#!/bin/bash
 
source /etc/kolla/admin-openrc.sh
 
 
function show_lb_owner() {
    LB_ID=$1
 
    # show project
    PROJECT_ID=$(openstack loadbalancer show -c project_id -f value ${LB_ID})
    PROJECT_NAME=$(openstack project show -c name -f value ${PROJECT_ID})
 
    # show domain
    DOMAIN_ID=$(openstack project show -c domain_id -f value ${PROJECT_ID})
    DOMAIN_NAME=$(openstack domain show -c name -f value ${DOMAIN_ID})
 
    echo "Domain: ${DOMAIN_NAME}"
    echo "Project: ${PROJECT_NAME}"
}
 
 
EXIT_CODE=0
 
 
# list broken LB
OUTPUT="$(openstack loadbalancer amphora list --provisioning-status ERROR)"
if [ -n "${OUTPUT}" ]; then
    echo "${OUTPUT}"
 
    EXIT_CODE=1
fi
 
# search for broken LB

NVMe

Install

sudo apt install -y nvme-cli

CLI

# list devices
nvme list
 
nvme smart-log /dev/nvme0n1
 
isdct show -d DeviceStatus,Index,Firmware,FirmwareUpdateAvailable -intelssd

Fix nvme1: ignoring ctrl due to duplicate subnqn
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1803692

# dmesg | grep nvme
[    2.546620] nvme nvme0: pci function 0000:5e:00.0
[    2.552447] nvme nvme1: pci function 0000:5f:00.0
[    2.768347] nvme nvme1: ignoring ctrl due to duplicate subnqn (nqn.2017-12.org.nvmexpress:uuid:11111111-2222-3333-4444-555555555555).
[    2.775422] nvme nvme1: Removing after probe failure status: -22
[    2.779813]  nvme0n1: p1 p2

Fix by upgrade NVMe firmware
http://www.panticz.de/intel/nvme

Delete

nvme format --ses=1 /dev/nvme1

Namespaces
https://www.linuxjournal.com/content/data-flash-part-ii-using-nvme-drives-and-creating-nvme-over-fabrics-network

Octavia: proxy protocol

openstack loadbalancer listener create --name foo-lb1-tcp-80 --protocol TCP --protocol-port 80 foo-lb1
openstack loadbalancer pool create --name foo-lb1-proxy-pool --lb-algorithm ROUND_ROBIN --listener foo-lb1-tcp-80 --protocol PROXY
openstack loadbalancer member create --subnet-id foo-subnet --address 10.0.1.13 --protocol-port 80 foo-lb1-proxy-pool
 
# configure nginx
cat /etc/nginx/sites-enabled/default 
...
server {
	listen 80 default_server proxy_protocol;
    set_real_ip_from 10.0.1.17; # incomming proxy IP
    #set_real_ip_from 192.168.1.0/24;
    real_ip_header proxy_protocol;
...

Links
https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
https://www.scaleway.com/en/docs/configure-proxy-protocol-with-a-load-balancer/