Site to Site IPSec VPN with strongSwan and OpenStack VPNaaS (IPsec)

List

openstack vpn ipsec site connection list
openstack vpn endpoint group list
openstack vpn service list
openstack vpn ipsec policy list
openstack vpn ike policy list

Setup

# install
sudo apt-get install -y strongswan
 
# Left (Peer client, behind NAT)
Ubuntu Client IP: 212.8.9.10
Ubuntu net: 192.168.178.0/24
 
OpenStack VPN IP: 217.50.60.70
OpenStack Net: 10.0.1.0/24

Create OpenStack VPN endpoint
http://www.panticz.de/openstack/vpn-fritzbox

/etc/ipsec.conf

OpenStack: Output VM list with project and domain as JSON file

IFS=$(echo -en "\n\b")
 
PROJECTS_JSON=$(openstack project list --long -f json)
for PROJECT_JSON in $(echo "${PROJECTS_JSON}" | jq -c '.[]'); do
    PROJECT_ID=$(echo ${PROJECT_JSON} | jq -r .ID)
    PROJECT_NAME=$(echo ${PROJECT_JSON} | jq -r .Name)
    DOMAIN_ID=$(echo ${PROJECT_JSON} | jq -r '."Domain ID"')
    DOMAIN_JSON=$(openstack domain show  ${DOMAIN_ID} -f json)
    DOMAIN_NAME=$(echo ${DOMAIN_JSON} | jq -r .name)
 
    openstack server list --all-projects --long --project ${PROJECT_ID} --sort-column Name -f json | jq .[] | \

script-server (Web UI for scripts)

Install

# install reuired packages
apt install -y unzip python3-tornado
 
# download and instal script-server
mkdir script-server
cd script-server
wget https://github.com/bugy/script-server/releases/download/1.15.2/script-server.zip
unzip script-server.zip
rm script-server.zip
 
# start script-server
./launcher.py

Add job

# cat ./conf/runners/certgen.json 
{
  "name": "certgen",
  "description": "Request Lets Encrypt certificate",
  "script_path": "/usr/local/bin/certgen",
  "parameters": [
    {
      "name": "Domain",
      "default": "example.com"
    }
  ],
  "output_files": [
      "/home/local/certificates/*${Domain}*"
  ]
}

WebUI
http://SERVER_IP:5000/

Redirect port 5000 to 80

iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 5000

Links
https://github.com/bugy/script-server

Vagrant

Install
https://www.vagrantup.com/downloads.html

# sudo apt install -y jq
 
URL=$(wget https://checkpoint-api.hashicorp.com/v1/check/vagrant -qO- | jq  -r '"https://releases.hashicorp.com/vagrant/" + .current_version + "/vagrant_" + .current_version + "_x86_64.deb"')
wget ${URL} -qP /tmp
sudo dpkg -i /tmp/${URL##*/}
 
vagrant --version

Install with Ansible

- name: Get latest vagrant version
  uri:
    url: https://checkpoint-api.hashicorp.com/v1/check/vagrant
  register: release
 
- set_fact:
    version: "{{ release.json | json_query('current_version') }}"
 
- name: Install Vagrant
  apt:
    deb: https://releases.hashicorp.com/vagrant/{{ version }}/vagrant_{{ version }}_x86_64.deb
  become: yes
 
- name: Adding user ubuntu to group libvirt
  user:
    name: ubuntu
    groups: libvirt
    append: yes
  become: yes
 
- name: Install vagrant-libvirt plugin
  command: sudo -H -u ubuntu vagrant plugin install vagrant-libvirt
  become: yes

CLI

topgrade

Install
https://github.com/r-darwish/topgrade/releases/

URL=https://github.com/r-darwish/topgrade/releases/download/v5.5.0/topgrade-v5.5.0-x86_64-unknown-linux-gnu.tar.gz
 
wget ${URL} -qP /tmp
tar -C /tmp -xzf /tmp/topgrade-v*-x86_64-unknown-linux-gnu.tar.gz
sudo mv /tmp/topgrade /usr/local/sbin

Custom configuration

# ~/.config/topgrade.toml
...
remote_topgrades = ["www.example.com", "db.example.com"]
 
[git]
repos = [
    "~/git/repository_1",
    "~/git/repository_2"
]
...

Run update

topgrade -cy

Run on specific remote host

topgrade -cy --only remotes --remote-host-limit ".*.example.com"

Links
https://github.com/r-darwish/topgrade
https://github.com/r-darwish/topgrade/releases

Get noisy neighbor VMs

source /etc/kolla/admin-openrc.sh
 
IFS=$(echo -en "\n\b")
 
function get_vm_details() {
    LINE=$1
 
    SERVER_ID=$(echo ${LINE} | cut -d" " -f3)
    SERVER_JSON=$(openstack server show ${SERVER_ID} -f json)
    SERVER_NAME=$(echo ${SERVER_JSON} | jq -r .name)
    SERVER_PROJECT_ID=$(echo ${SERVER_JSON} | jq -r .project_id)
    SERVER_PROJECT_JSON=$(openstack project show ${SERVER_PROJECT_ID} -f json)
    SERVER_PROJECT_NAME=$(echo ${SERVER_PROJECT_JSON} | jq -r .name)
 
    echo "${LINE} ${SERVER_NAME} ${SERVER_PROJECT_NAME}"
}
 

Mellanox ConnectX-3 Pro UEFI iPXE boot

  Device Type:      ConnectX3Pro
  Part Number:      MCX312B-XCC_Ax
  Description:      ConnectX-3 Pro EN network interface card; 10GigE; dual-port SFP+; PCIe3.0 x8 8GT/s; RoHS R6
  PSID:             MT_1200111023
  PCI Device Name:  /dev/mst/mt4103_pci_cr0
  Port1 MAC:        ec0d9a00aab1
  Port2 MAC:        ec0d9a00aab2
  Versions:         Current        Available    
     FW             2.42.5000      N/A          
     PXE            3.4.0752       N/A          

Flash UEFI firmware
Request UEFI firmware from support@mellanox.com
http://www.panticz.de/mellanox/firmware-update

Install MFT
http://www.panticz.de/install-mellanox-mft

Flash firmware

flint -y -d /dev/mst/mt4103_pci_cr0 -i firmware fw-ConnectX3Pro-rel-2_42_5000-MCX312B-XCC_Ax-FlexBoot-3.4.752-UEFI-14.11.46.bin b
  Device Type:      ConnectX3Pro
  Part Number:      MCX312B-XCC_Ax
  Description:      ConnectX-3 Pro EN network interface card; 10GigE; dual-port SFP+; PCIe3.0 x8 8GT/s; RoHS R6
  PSID:             MT_1200111023
  PCI Device Name:  /dev/mst/mt4103_pci_cr0
  Port1 MAC:        ec0d9a00aab1
  Port2 MAC:        ec0d9a00aab2
  Versions:         Current        Available    
     FW             2.42.5000      N/A          
     PXE            3.4.0752       N/A          
     UEFI           14.11.0046     N/A     

Fix iPXE boot issue (recompile ipxe.efi) when connected to LACP swith port
http://www.panticz.de/ipxe/compile

Yamaha RX-D485 / RX-V485

Yamaha Web Control
Live demo: http://yamaha.panticz.de/
Repository: https://github.com/panticz/yamaha-web-control

API

curl -q http://192.168.178.4/YamahaExtendedControl/v1/system/getFeatures  | jq .

Control
# Volume Up / Down
http://192.168.178.4/YamahaExtendedControl/v1/main/setVolume?volume=up&step=5
http://192.168.178.4/YamahaExtendedControl/v1/main/setVolume?volume=down&step=5

# Change input
http://192.168.178.4/YamahaExtendedControl/v1/main/prepareInputChange?input=usb
http://192.168.178.4/YamahaExtendedControl/v1/main/setInput?input=net_radio
http://192.168.178.4/YamahaExtendedControl/v1/main/setInput?input=server
http://192.168.178.4/YamahaExtendedControl/v1/main/setInput?input=spotify

# Power
http://192.168.178.4/YamahaExtendedControl/v1/main/setPower?power=on
http://192.168.178.4/YamahaExtendedControl/v1/main/setPower?power=standby

# Get Device info
http://192.168.178.4/YamahaExtendedControl/v1/system/getDeviceInfo

# Get Available Device Features
http://192.168.178.4/YamahaExtendedControl/v1/system/getFeatures

# Get Network Status
http://192.168.178.4/YamahaExtendedControl/v1/system/getNetworkStatus

# Get Function Status (e.g.: Auto Power Standby)
http://192.168.178.4/YamahaExtendedControl/v1/system/getFuncStatus

# Get Location info and zone list (device)
http://192.168.178.4/YamahaExtendedControl/v1/system/getLocationInfo

# Get zone info (device|zone)
http://192.168.178.4/YamahaExtendedControl/v1/main/getStatus

# Get Sound Program List (device|zone)
http://192.168.178.4/YamahaExtendedControl/v1/main/getSoundProgramList