network

OpenStack: Debug / cleanup DHCP

Restart DHCP namespaces

openstack subnet set --no-dhcp ${SUBNET_ID}
openstack subnet set --dhcp ${SUBNET_ID}

Find unnecessary DHCP namespaces

MAX_DHCP_NS=3
SUBNET_IDS=$(openstack subnet list --dhcp -c ID -f value)
for SUBNET_ID in ${SUBNET_IDS}; do
    NETWORK_ID=$(openstack subnet show ${SUBNET_ID} -c network_id -f value)
    DHCP_PORTS="$(openstack port list --device-owner network:dhcp --network ${NETWORK_ID} -c ID -c binding_host_id -c fixed_ips -c status -f value)"
 
    if [ $(echo "${DHCP_PORTS}" | wc -l) -ne ${MAX_DHCP_NS} ]; then
        echo "NETWORK_ID: ${NETWORK_ID}"
        echo "${DHCP_PORTS}"
 
        echo
    fi
done

Remove unnecessary DHCP port

OpenStack: RBAC shared network

# allow access to RBAC net for project 
openstack network rbac create --target-project foo-project1 --action access_as_shared --type network foo-net-01
 
# show rbac quota
neutron quota-show --tenant_id <PROJECT_ID> | grep rbac_policy
 
# set rbac quota to unlimited
openstack quota set --rbac-policies -1 <PROJECT_ID>
 
openstack network rbac list
 
openstack network rbac show ${RBAC_ID}

Links
https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/network-rbac.html
https://docs.openstack.org/mitaka/networking-guide/config-rbac.html
https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/quota.html
https://docs.openstack.org/ocata/admin-guide/cli-networking-advanced-quotas.html

Create anyconnect VPN connection on command line with nmcli

Create connection

VPN_GATEWAY=vpn1.example.com
VPN_USER=foo
VPN_ROUTES=192.168.11.0/24
 
nmcli connection add \
    connection.id vpn1 \
    connection.type vpn \
    connection.permissions "user:${USER}" \
    ipv4.routes "${VPN_ROUTES}" \
    ipv4.ignore-auto-routes yes \
    vpn.service-type org.freedesktop.NetworkManager.openconnect \
    vpn.data "
        protocol = anyconnect,
        authtype = cert,
        gateway = ${VPN_GATEWAY},
        cacert = ${HOME}/vpn1/ca.pem,
        usercert = ${HOME}/vpn1/certificate.pem,
        userkey = ${HOME}/vpn1/priv.pem,
        cookie-flags = 2
    " \
    vpn.secrets "
        form:main:group_list=CLIENTGROUP,
        form:main:username=${VPN_USER},
        save_passwords=yes
    "

Start connection and enter password once

nmcli connection up vpn1

Debug

#journalctl -fxe NM_CONNECTION=8d5ec3cb-99c5-47ea-84e2-38174cd14702
journalctl -fxe -t NetworkManager
 
cat /etc/NetworkManager/system-connections/vpn1.nmconnection 
nmcli con show vpn1

Links
https://0xsys.blogspot.com/2019/06/configure-vpn-using-nmcli.html

tcpdump

# IPMI (ping)
tcpdump -nni eth0 icmp  
tcpdump -i eth0  -e -n -v 'icmp and (ether host 00:16:3e:ec:11:22)'
 
# DHCP
tcpdump -i dev-mgmt  -e -n -v '(udp port 67 or port 68)'
 
tcpdump -i qg-1ee0cec6-62 -n  '(tcp port 110)'
 
# filter IP
tcpdump -i eth0 -e -n -v 'host 10.11.22.33'
 
# filter MAC
tcpdump ether host e8:2a:ea:44:55:66
 
tcpdump -n -i eth0 '(udp port 53 or port 53)'
 
# exclude
tcpdump -i eth1  -s 1500 port not 22 and port not 53

Links
https://arthurchiao.art/blog/tcpdump/

OpenStack: Floating IP port forward (in development / experimental)

List floatin IPs

openstack floating ip list
+--------------------------------------+---------------------+------------------+--------------------------------------+--------------------------------------+----------------------------------+
| ID                                   | Floating IP Address | Fixed IP Address | Port                                 | Floating Network                     | Project                          |
+--------------------------------------+---------------------+------------------+--------------------------------------+--------------------------------------+----------------------------------+
| dc049c28-6562-4c37-834b-d3a612d4b580 | 1.2.3.4        | None             | None                                 | 39583230-154f-4b56-a56e-2fd83c9986ce | 1eede1bdc28344f3acf6b48b232e406f |
+--------------------------------------+---------------------+------------------+--------------------------------------+--------------------------------------+----------------------------------+

List VMs