Create OpenStack VPNaaS with Terraform
terraform.tfvars
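# terraform.tfvars — input values for the OpenStack VPNaaS example.
#
# NOTE: this file carries a secret (psk). Keep it out of version control
# (add it to .gitignore) or pass the key via the TF_VAR_psk environment
# variable instead of writing it here.
os_user         = "foo"

# IKE/IPsec pre-shared key; the FRITZ!Box side must be configured with the
# same value. "pass1234" is a weak placeholder — generate a long random key
# (e.g. `apg -m 32` or `openssl rand -base64 32`) before deploying.
psk             = "pass1234"

# Public (WAN) address of the FRITZ!Box; 1.2.3.4 is a placeholder.
fritzbox_wan_ip = "1.2.3.4"

# LAN prefix behind the FRITZ!Box that should be reachable through the tunnel.
fritzbox_cidr   = "192.168.178.0/24"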
terraform.tf
terraform.tfvars
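# terraform.tfvars — input values for the OpenStack VPNaaS example.
#
# NOTE: this file carries a secret (psk). Keep it out of version control
# (add it to .gitignore) or pass the key via the TF_VAR_psk environment
# variable instead of writing it here.
os_user         = "foo"

# IKE/IPsec pre-shared key; the FRITZ!Box side must be configured with the
# same value. "pass1234" is a weak placeholder — generate a long random key
# (e.g. `apg -m 32` or `openssl rand -base64 32`) before deploying.
psk             = "pass1234"

# Public (WAN) address of the FRITZ!Box; 1.2.3.4 is a placeholder.
fritzbox_wan_ip = "1.2.3.4"

# LAN prefix behind the FRITZ!Box that should be reachable through the tunnel.
fritzbox_cidr   = "192.168.178.0/24"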
terraform.tf
# Telemetry (Gnocchi) lookups for a single server.
# Via the openstack CLI metric plugin:
openstack metric resource show ${SERVER_ID}
openstack metric measures show ${METRICS_ID}
openstack metric archive-policy list

# Via the native gnocchi client. The UUIDs below are lab examples — replace
# them with the resource/metric IDs returned by the list commands.
gnocchi resource list | grep ${PROJECT_ID} | grep disk
gnocchi resource show 592a1d1f-696d-4f58-ba5e-9e1367ffef62
gnocchi measures show 031ec7f2-2d14-4adf-a632-ec765c36bad6
gnocchi resource list | grep ${SERVER_ID}
gnocchi archive-policy show evw_min_max_mean

# Same measures, but aggregated at one-hour (3600 s) granularity.
gnocchi measures show 7f6f6744-2f7a-47c5-9740-dbeca6eee5a2 --granularity 3600
Define variables for OpenStack VPN configuration
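# Public WAN address of the FRITZ!Box (look it up with: curl ipinfo.io/ip).
FRITZBOX_EXTERNAL_IP=x.x.x.x

# LAN prefix behind the FRITZ!Box. In the FRITZ!Box UI:
# "Heimnetz > Netzwerk > Netzwerkeinstellungen > IPv4-Einstellungen"
# (Home Network > Network > Network Settings > IPv4 Settings).
FRITZBOX_NETWORK=192.168.178.0/24

# IPsec pre-shared key. Generate a long random value (e.g. `apg -m 32`);
# never deploy this placeholder, and avoid echoing the variable so it does
# not land in shell history or terminal logs.
PASSWORD='xxxxxxxx'

# Subnet and router the VPN service attaches to. `openstack ... list` returns
# every ID visible to the current project; the VPN service needs exactly one
# of each, so warn early instead of passing a multi-line value downstream.
OPENSTACK_SUBNET_ID=$(openstack subnet list -c ID -f value)
OPENSTACK_ROUTER_ID=$(openstack router list -c ID -f value)
for v in OPENSTACK_SUBNET_ID OPENSTACK_ROUTER_ID; do
  if [ "$(wc -w <<< "${!v}")" -ne 1 ]; then
    echo "WARNING: ${v} does not hold exactly one ID (got: ${!v}) — set it explicitly" >&2
  fi
done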
Define variables
# Tear-down checklist for one project. Every *list* call scopes to the project;
# copy the IDs it prints into the matching *delete* call. All deletes are
# irreversible, so review each list before acting on it.
PROJECT_ID=f0f745a9c79c47fdbbdd187d728f9e41

# Compute: instances, their volumes, and private images.
openstack server list --project ${PROJECT_ID}
openstack server delete ${SERVER_ID}
openstack volume list --project ${PROJECT_ID}
openstack volume delete ${VOLUME_ID}
openstack image list --private --long | grep ${PROJECT_ID}
openstack image delete ${IMAGE_ID}

# Octavia: --cascade also removes listeners, pools and members of the LB.
openstack loadbalancer list --project ${PROJECT_ID}
openstack loadbalancer delete --cascade ${LOADBALANCER_ID}

# Barbican secrets (e.g. LB TLS certificates); the list is not project-filtered here.
openstack secret list
openstack secret delete ${SECRET_URL}

# VPNaaS: connection first, then endpoint groups, service, and the policies
# they reference (the policies cannot be removed while still in use).
openstack vpn ipsec site connection list --long | grep ${PROJECT_ID}
openstack vpn ipsec site connection delete ${IPSEC_SITE_CONNECTION_ID}
openstack vpn endpoint group list --long | grep ${PROJECT_ID}
openstack vpn endpoint group delete ${VPN_LOCAL_ENDPOINT_GROUP_ID} ${VPN_PEER_ENDPOINT_GROUP_ID}
openstack vpn service list --long | grep ${PROJECT_ID}
openstack vpn service delete ${VPN_SERVICE_ID}
openstack vpn ipsec policy list --long | grep ${PROJECT_ID}
openstack vpn ipsec policy delete ${VPN_IPSEC_POLICY_ID}
openstack vpn ike policy list --long | grep ${PROJECT_ID}
openstack vpn ike policy delete ${VPN_IKE_POLICY_ID}

# Magnum (Kubernetes) clusters — listed only; no delete shown here.
openstack coe cluster list

# Floating IPs.
openstack floating ip list --project ${PROJECT_ID}
openstack floating ip delete ${FLOATING_IP}

# Router — the remaining steps are not part of this excerpt.
Find the VPN service and the UUID of the router it is attached to
# get VPN connection ID openstack vpn ipsec site connection list | grep foo openstack vpn ipsec site connection list --long | grep <project_id> VPN_CONNECTION_ID=142dc25f-13bb-4fda-b093-edf13df98ed8 openstack vpn ipsec site connection show ${VPN_CONNECTION_ID} VPN_SERVICE_ID=$(openstack vpn ipsec site connection show ${VPN_CONNECTION_ID} -c 'VPN Service' -f value) openstack vpn service show ${VPN_SERVICE_ID} # get router ID ROUTER_ID=$(openstack vpn service show ${VPN_SERVICE_ID} -c Router -f value) echo "ROUTER_ID=${ROUTER_ID}"
Find the control node where the active router (qrouter namespace) is running
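# The router's external gateway port carries a binding_host_id naming the
# node that hosts its qrouter namespace. NOTE(review): for HA routers this
# presumably follows the currently active L3 agent — confirm on your release.
ROUTER_PORT_ID=$(openstack port list --device-owner network:router_gateway -f value -c id --router ${ROUTER_ID})

# Guard against an empty result (ROUTER_ID unset, router without a gateway,
# or a column-name mismatch — the column is commonly spelled "ID"; check that
# `-c id` is accepted by your client version) instead of calling
# `port show` with no argument.
if [ -z "${ROUTER_PORT_ID}" ]; then
  echo "ERROR: no network:router_gateway port found for router '${ROUTER_ID}'" >&2
else
  CONTROL_NODE=$(openstack port show ${ROUTER_PORT_ID} -c binding_host_id -f value)
  echo "CONTROL_NODE: ${CONTROL_NODE}"
  # Print (not run) the command to inspect the namespace; it requires SSH
  # access and sudo on the control node.
  echo "ssh ${CONTROL_NODE} sudo ip netns exec qrouter-${ROUTER_ID} ip a s"
fi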
Connect to that control node and exec into its neutron-l3-agent Docker container
Create VM image / snapshot
# Back up instance "foo-vm1" as a dated image (e.g. foo-vm1-2024-01-31), then
# list images to confirm. --os-cloud selects the "openstack-lab" entry in
# clouds.yaml. `date -I` is GNU coreutils; `date +%F` is the portable form.
openstack --os-cloud=openstack-lab server image create foo-vm1 --name foo-vm1-$(date -I)
openstack --os-cloud=openstack-lab image list
Links
https://docs.openstack.org/ocata/user-guide/cli-use-snapshots-to-migrate-instances.html
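# Two nginx instances on "demo-net" fronted by an Octavia load balancer.
# Credentials come from the "lab-admin" entry in clouds.yaml, so no secrets
# live in this file. Dead commented-out alternatives (file-based template,
# count-based naming) were removed.
provider "openstack" {
  cloud       = "lab-admin"
  # Use Octavia for openstack_lb_* resources. NOTE(review): newer provider
  # majors are said to drop this flag (Octavia becomes the only backend);
  # confirm against the pinned provider version.
  use_octavia = true
}

# cloud-init user data shared by all web instances.
# NOTE(review): the hashicorp/template provider is deprecated in favour of
# templatefile() or an inline heredoc; kept to avoid churning existing state.
data "template_file" "user_data" {
  template = <<EOF
#cloud-config
package_update: true
packages:
  - nginx
runcmd:
  - hostname -f | sudo tee /var/www/html/index.nginx-debian.html
  - id > /tmp/debug
EOF
}
# runcmd already runs as root, so the `sudo` is redundant, and `id > /tmp/debug`
# is a leftover debugging artefact — remove both before reusing this outside a lab.

# Instance names; a set keyed by name gives stable addresses in state
# (adding/removing one name does not renumber the others).
variable "http_instance_names" {
  type    = set(string)
  default = ["www1", "www2"]
}

resource "openstack_compute_instance_v2" "http" {
  for_each = var.http_instance_names

  name        = each.key
  image_name  = "Ubuntu 20.04 minimal"
  flavor_name = "m1.small"
  key_pair    = "lab-key"
  # Only the project's default security group is attached. Confirm it admits
  # TCP/80 from the load-balancer subnet; otherwise pool members will be
  # reported DOWN even though nginx is running.
  security_groups = ["default"]
  user_data       = data.template_file.user_data.rendered

  network {
    name = "demo-net"
  }
}

# Existing network/subnet the instances and the LB VIP live on.
data "openstack_networking_network_v2" "network_1" {
  name = "demo-net"
}

data "openstack_networking_subnet_v2" "subnet_1" {
  name       = "demo-subnet"
  network_id = data.openstack_networking_network_v2.network_1.id
}

# Load balancer with its VIP on demo-subnet. The listener, pool and members
# that make it serve traffic are not part of this excerpt.
resource "openstack_lb_loadbalancer_v2" "http" {
  name          = "demo-lb1"
  vip_subnet_id = data.openstack_networking_subnet_v2.subnet_1.id
}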