Install Openstack (Pike) using Devstack in Ubuntu 16

  1. Update and Install required packages:
    1. sudo apt-get update
    2. sudo apt-get install git vim
  2. Setup a user:
    1. sudo useradd -s /bin/bash -d /opt/stack -m stack
    2. echo "stack ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/stack
    3. sudo passwd stack
    4. su - stack
  3. git clone https://git.openstack.org/openstack-dev/devstack -b stable/pike
  4. Add the following to ~/devstack/local.conf (e.g. vim ~/devstack/local.conf):
    [[local|localrc]]
    HOST_IP=192.168.97.1
    FLAT_INTERFACE=eth2
    FIXED_RANGE=10.4.128.0/20
    FIXED_NETWORK_SIZE=4096
    FLOATING_RANGE=192.168.42.128/25
    MULTI_HOST=1
    LOGFILE=/opt/stack/logs/stack.sh.log
    ADMIN_PASSWORD=openstack
    DATABASE_PASSWORD=db-secret
    RABBIT_PASSWORD=rb-secret
    SERVICE_PASSWORD=sr-secret
    # Use the following to explore new project
    enable_plugin barbican https://git.openstack.org/openstack/barbican stable/pike
  5. ~/devstack/stack.sh
  6. Logs and samples:
    1. /opt/stack/logs/stack.sh.log
    2. /opt/stack/devstack/samples/local.conf
  7. To uninstall or reinstall run:
    1. ~/devstack/unstack.sh
    2. ~/devstack/clean.sh
Posted in coa, openstack, Other

Install OpenStack (Neutron) using Packstack in CentOS7

i) Install neutron using Packstack:

  1. sudo -i
  2. yum install -y centos-release-openstack-newton
  3. yum install -y openstack-packstack vim
  4. yum update -y
  5. packstack --gen-answer-file rdo.txt
  6. Update the following values in ./rdo.txt
    CONFIG_HEAT_INSTALL=y
    CONFIG_NTP_SERVERS=0.pool.ntp.org
    CONFIG_DEBUG_MODE=y
    CONFIG_KEYSTONE_ADMIN_PW=openstack
  7. packstack --answer-file rdo.txt
  8. (Optional) Verify the following default values in /etc/ssh/sshd_config:
    • PermitRootLogin yes
    • PasswordAuthentication yes
    • systemctl restart sshd

ii) Setup a project/tenant:

  1. sudo -i; source /root/keystonerc_admin
  2. Create a project:
    1. openstack project create proj1
    2. openstack project list
    3. openstack project show proj1
  3. Create a user:
    1. openstack user create --project proj1 --password password --email user1@localhost user1
    2. openstack user list
    3. openstack user show user1
  4. Create a new flavor:
    1. source keystonerc_admin
    2. nova flavor-create flavor1 6 512 2 1   (6=ID; 512=Memory; 2=disk; 1=VCPUs)
    3. nova flavor-list
  5. Configure keystonerc file for proj1:
    1. cp /root/keystonerc_admin /root/keystonerc_user1
    2. Update the following values into /root/keystonerc_user1
      export OS_USERNAME=user1
      export PS1='[\u@\h \W(keystone_user1)]\$ '
      export OS_TENANT_NAME=proj1
  6. Create a private network and subnet:
    1. source /root/keystonerc_user1
    2. neutron net-create proj1-int
    3. neutron subnet-create --name proj1-sub-int --gateway 10.10.0.1 \
      proj1-int 10.10.0.0/24
  7. Create a router:
    1. source /root/keystonerc_user1
    2. neutron router-create proj1-router
    3. neutron router-gateway-set proj1-router public
    4. neutron router-interface-add proj1-router proj1-sub-int
  8. Create an ssh key-pair:
    1. source /root/keystonerc_user1
    2. ssh-keygen -f ~/.ssh/proj1-key
    3. nova keypair-add --pub-key ~/.ssh/proj1-key.pub proj1-key
    4. nova keypair-list
  9. Create a security group:
    1. source /root/keystonerc_user1
    2. openstack security group create --description "Allow http and ssh" web-ssh
    3. openstack security group list
    4. openstack security group rule create --protocol tcp --ingress --dst-port 80 web-ssh
    5. openstack security group rule list web-ssh
  10. Launch a new instance:
    1. nova net-list       (Find the ID of proj1-int)
    2. nova boot --flavor flavor1 --image cirros --security-group web-ssh --key-name proj1-key --nic net-id="58ca83c9-7d62-41b0-a907-b860557e0abb" bc1
    3. nova list; openstack server list
    4. nova show bc1; openstack server show bc1

iii) Openstack commands:

  • openstack:
    • host list|show name
    • hypervisor list|show id
    • server list [--project=proj1]|show name
    • image list|show name
    • flavor list|show name
    • network list|show name
    • user list|show name
    • project list|show name
    • endpoint list|show name
Posted in coa, openstack, Other

Python scripting in CentOS

  • Install and configure git:
    1. yum install git vim-enhanced
    2. git config --global user.name "User"
    3. git config --global user.email "user@python.local"
    4. curl https://raw.githubusercontent.com/linuxacademy/content-python-for-sys-admins/master/helpers/bashrc -o ~/.bashrc
    5. curl https://raw.githubusercontent.com/linuxacademy/content-python-for-sys-admins/master/helpers/vimrc -o ~/.vimrc
    6. mkdir sample; cd sample; touch sample.txt
    7. git init
    8. git add --all .
    9. git commit -m 'Initial commit'
Posted in Other, python

Openstack commands

  1. If the connection is refused because git is blocked by the firewall, run the following command:

Miscellaneous:

  • source ~/devstack/openrc admin
  • openstack hypervisor list
  • nova service-list --binary nova-compute

systemd devstack:

  • status:
    • sudo systemctl status devstack@n-*
    • sudo systemctl -a  | grep devstack
  • restart:
    • sudo systemctl restart devstack@*
  • journalctl/logs:
    • sudo journalctl -f --unit devstack@n-*

ip netns:

  1. ip netns list
  2. ip netns exec qrouter-4fd279c4-b125-4611-956d-adc67432e0d2 ssh cirros@10.0.0.71

glance (Image Service):

  • apt-get -y install glance glance-api glance-common glance-registry python-glance
  • /etc/glance/glance-api.conf
  • glance-manage db_sync
  • service glance-api restart; service glance-registry restart
  • glance image-list [--debug] | image-show <id>; echo $?
  • Import an image:
    • wget http://imageurl.com
    • openstack image create --file cirros-0.3-disk.img Cirros-3.5
    • openstack image list

Neutron (Network service):

  • apt-get -y install neutron-server python-cliff neutron-plugin-openvswitch \
    python-pyparsing openvswitch-switch
  • /etc/neutron/neutron.conf
  • openstack network list | neutron net-list
  • openstack security group list | neutron security-group-list
  • neutron security-group-rule-create --protocol icmp --direction ingress default
  • neutron security-group-rule-create --protocol tcp --port-range-min 22 \
    --port-range-max 22 --direction ingress default

virsh:

  • virsh list
Posted in coa, openstack

Firewalld and iptables commands

i) firewall-cmd (iptables):

  • yum install firewalld firewall-config
  • systemctl status|start|stop|enable|disable firewalld
  • firewall-cmd --state
  • firewall-cmd --reload
  • firewall-cmd --list-all | --list-ports
  • firewall-cmd --panic-on | --panic-off    (Block all incoming and outgoing traffic)
  • zones:
    • firewall-cmd --get-zones | --get-default-zone | --get-active-zones
    • firewall-cmd --set-default-zone=trusted [--permanent]
  • services:
    • firewall-cmd --list-services
    • firewall-cmd --add-service=ftp    [--permanent] [--zone=public]
    • firewall-cmd --remove-service=ftp [--permanent] [--zone=public]
  • ports:
    • firewall-cmd --list-ports
    • firewall-cmd --add-port=80/tcp    [--permanent] [--zone=trusted]
    • firewall-cmd --remove-port=80/tcp [--permanent] [--zone=trusted]
  • sources:
    • firewall-cmd --add-source=IP|Network/24 | --remove-source=IP|Network/24 [--zone=<zone>]
  • interfaces:
    • firewall-cmd --add-interface=ens33    [--zone=<zone>]
    • firewall-cmd --change-interface=ens33 [--zone=<zone>]
  • Rich rules:
    • firewall-cmd --list-rich-rules
    • firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.4 reject|drop' [--zone=public]
    • firewall-cmd --remove-rich-rule='rule family=ipv4 source address=192.168.1.4 reject' [--zone=public]
    • firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 protocol value=icmp reject'
    • firewall-cmd [--zone=vnc] --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=7900-7905 protocol=tcp accept'
    • firewall-cmd --add-rich-rule='rule family=ipv4 source address=1.1.1.0/24 service name=http log prefix="HTTP: " level=notice limit value=3/s accept'
  • Network Address Translation (NAT):
    • Masquerading:
      • firewall-cmd --add-rich-rule='rule family=ipv4 source address=1.2.3.0/24 masquerade'
    • Port forwarding:
      • firewall-cmd --add-rich-rule='rule family=ipv4 source address=1.2.3.4/24 forward-port port=80 protocol=tcp to-port=8080 [to-addr=1.1.1.1]'
  • Config:
    • /etc/firewalld/firewalld.conf
    • /etc/firewalld/*
    • /usr/lib/firewalld/*
  • Man pages:
    • firewall-cmd(1), firewalld.richlanguage(5), firewall-config(1), firewalld(1), firewalld-zones(5)
  • Error: "Unable to connect to remote host: No route to host"   (Typical client-side error when firewalld rejects the connection)
  • Enable the following if using multiple network interfaces:
    • echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    • sysctl -p

ii) iptables (net-filter):

  • yum install iptables-services
  • Save and restore rules:
    • iptables-save > /etc/sysconfig/iptables
    • iptables-restore < /etc/sysconfig/iptables
  • Reload policies:
    • firewall-cmd --reload
  • Flush rules:
    • iptables -F [INPUT|OUTPUT|FORWARD]
  • List all rules:
    • iptables --list (-L) [INPUT|OUTPUT|FORWARD] [--line-numbers]
    • iptables --list-rules (-S) [INPUT|OUTPUT|FORWARD]
  • Change the default policy of a chain (i.e. the verdict when no rule matches, either ACCEPT or DROP):
    • iptables -P INPUT|OUTPUT|FORWARD DROP|ACCEPT
  • Append (-A) or Insert (-I):
    • Block inbound and outbound traffic for an interface:
      iptables -I INPUT  -i lo|eth0 -j DROP
      iptables -I OUTPUT -o lo|eth0 -j REJECT
    • Block incoming and outgoing ICMP traffic (ping):
      iptables -I INPUT  -p icmp [-i ens33] -j DROP    (Block incoming ping)
      iptables -I OUTPUT -p icmp [-o ens33] -j DROP    (Block outgoing ping)
    • Block traffic from a specific IP address (or network):  (-s 0/0 matches all IPs; --dport 1024:1030 matches a port range)
      iptables -I INPUT -s 192.168.254.137/24 -p tcp --dport 22 -j REJECT
    • Forward traffic from the eth1 interface to eth0:
      iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT
    • Allow all returning traffic:
      iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • Delete (-D):
    • iptables -D INPUT|OUTPUT|FORWARD 1
    • iptables -D INPUT -p icmp -j REJECT
  • Replace (-R):
    • iptables -R INPUT 1 -p icmp -j ACCEPT
  • Options:
    • man pages:
      • man iptables | iptables-extensions
    • -P (--policy): set the policy for the chain to the given target
    • -A (--append): append a rule at the bottom of the chain
    • -I (--insert): insert a rule at the top of the chain
    • -R (--replace): replace or update an existing rule in the chain
    • -D (--delete): delete rules from the chain
    • -s (--source) address[/mask]: the source IP or network/mask
    • -d (--destination) address[/mask]: the destination IP or network/mask
    • -p (--protocol) protocol (tcp|udp|icmp): the protocol involved in the rule
    • --sport (--source-port) port: the port the packet originated from
    • --dport (--destination-port) port: the port the packet is destined for
    • --state (NEW, ESTABLISHED, RELATED or INVALID): match packets depending on which stage of a tracked connection they belong to
    • -i (--in-interface) interface (lo|eth0): input interface of the packet
    • -o (--out-interface) interface (lo|eth0): output interface of the packet
    • -j (--jump) target (ACCEPT|REJECT|DROP): what to do when the packet matches the rule
    • -m (--match): match extensions:
      • state, tcp, udp, icmp
    • Targets:
      • ACCEPT: allow the packet
      • REJECT: discard the packet and send a reply saying why it was not allowed (e.g. connection refused)
      • DROP: discard the packet silently with no reply; suitable for public-facing hosts
      • RETURN: go back to the calling chain and continue processing at the next rule
    • Tables:
      • Filter (default): deals with packets bound for, routed through, or generated by processes on the local machine
        • INPUT, OUTPUT, FORWARD
      • Nat: network address translation
        • PREROUTING, OUTPUT, POSTROUTING
      • Mangle: specialized manipulation of network packets
        • INPUT, PREROUTING, FORWARD, OUTPUT, POSTROUTING
  • Configs:
    • /etc/sysconfig/iptables-config
  • Auto-start the iptables service at boot:
    • yum install iptables-services
    • systemctl disable firewalld && systemctl mask firewalld
    • systemctl enable iptables && systemctl restart iptables
    • service iptables save
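The chain semantics sketched above (a default policy as fallback, -I inserting at the top, -A appending at the bottom, first matching rule deciding) as a small simulator. This is an added Python example, not code from the notes; the rule set and the test packets are constructed here, using the same rule syntax as the commands above.

```python
import ipaddress
import shlex

# Constructed rule set, replayed in the order it would be typed: -P sets the
# default policy, -I inserts at the top of the chain, -A appends at the bottom.
COMMANDS = [
    "iptables -P INPUT DROP",
    "iptables -A INPUT -p icmp -j DROP",
    "iptables -I INPUT -s 192.168.254.137/24 -p tcp --dport 22 -j REJECT",
    "iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 80 -j ACCEPT",
]

def build_chain(commands):
    """Replay -P/-A/-I commands for one chain into (policy, ordered rule list)."""
    policy, rules = "ACCEPT", []
    for cmd in commands:
        argv = shlex.split(cmd)[1:]          # drop the program name
        op, args = argv[0], argv[2:]         # argv[1] is the chain name
        if op == "-P":
            policy = args[0]
            continue
        rule, i = {}, 0
        while i < len(args):
            if args[i] != "-m":              # "-m state" only loads the extension
                rule[args[i]] = args[i + 1]
            i += 2
        if op == "-I":
            rules.insert(0, rule)            # insert: the new rule becomes rule 1
        elif op == "-A":
            rules.append(rule)               # append: the new rule goes last
    return policy, rules

def _port_ok(spec, port):
    """--dport/--sport value: a single port or a low:high range."""
    if port is None:
        return False
    low, _, high = spec.partition(":")
    return int(low) <= port <= int(high or low)

def rule_matches(rule, pkt):
    """Every criterion of a rule must match the packet (criteria are ANDed)."""
    checks = {
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
        "-p": lambda v: v == pkt.get("proto"),
        "-i": lambda v: v == pkt.get("in"),
        "-o": lambda v: v == pkt.get("out"),
        "--dport": lambda v: _port_ok(v, pkt.get("dport")),
        "--sport": lambda v: _port_ok(v, pkt.get("sport")),
        "--state": lambda v: pkt.get("state") in v.split(","),
    }
    return all(checks[flag](value) for flag, value in rule.items() if flag != "-j")

def verdict(policy, rules, pkt):
    """The first matching rule decides; the chain policy applies when none matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["-j"]
    return policy
```

Because the ESTABLISHED,RELATED rule was inserted last, it sits above the ssh REJECT rule, so return traffic of an existing ssh session is accepted while a new connection from that network is rejected.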

iii) TCP Wrappers (tcp_wrappers):

  1. /etc/hosts.allow   (<daemon> : <client>)
    • sshd,vsftpd : ALL
    • ALL : 192.168.254.  EXCEPT 192.168.254.137
    • ALL : LOCAL
    • ALL : .example.com  EXCEPT untrusted.example.com
  2. /etc/hosts.deny
    • ALL : ALL
  3. man hosts_access
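The hosts.allow/hosts.deny entries above, evaluated the way hosts_access(5) describes: the allow file is searched first, then the deny file, and a client matching neither is allowed; EXCEPT, LOCAL, a leading-dot domain pattern and a trailing-dot network pattern are all handled. This is an added Python example, not part of the notes; the file contents are constructed copies of the entries listed above.

```python
import ipaddress

# Constructed copies of the two files from the notes above.
HOSTS_ALLOW = """
sshd,vsftpd : ALL
ALL : 192.168.254.  EXCEPT 192.168.254.137
ALL : LOCAL
ALL : .example.com  EXCEPT untrusted.example.com
"""
HOSTS_DENY = "ALL : ALL\n"

def _match_one(pattern, name, addr):
    """One hosts_access(5) pattern against a client's hostname and IP address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # any hostname without a dot
        return "." not in name
    if pattern.startswith("."):                 # domain suffix, e.g. .example.com
        return name.endswith(pattern)
    if pattern.endswith("."):                   # address prefix, e.g. 192.168.254.
        return addr.startswith(pattern)
    if "/" in pattern:                          # net/mask form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (name, addr)              # exact hostname or address

def _match_list(field, name, addr):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not."""
    toks = field.replace(",", " ").split()
    if "EXCEPT" in toks:
        i = toks.index("EXCEPT")
        return (_match_list(" ".join(toks[:i]), name, addr)
                and not _match_list(" ".join(toks[i + 1:]), name, addr))
    return any(_match_one(t, name, addr) for t in toks)

def _file_matches(text, daemon, name, addr):
    """True if any 'daemon_list : client_list [: option]' line matches."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2:
            continue                            # blank line or comment
        if _match_list(fields[0], daemon, daemon) and _match_list(fields[1], name, addr):
            return True
    return False

def access_allowed(daemon, name, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is searched first, then hosts.deny; no match in either means allow."""
    if _file_matches(allow, daemon, name, addr):
        return True
    return not _file_matches(deny, daemon, name, addr)
```

Note the effect of ordering: the first allow line grants sshd and vsftpd to every client, so the later EXCEPT clauses never apply to those two daemons.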

 

Posted in LFCE, LFCS, Linux

Setup NFS and Samba servers in Linux

i) NFS server setup:

  1. yum install nfs-utils
  2. Create a shared directory and assign appropriate permission:
    • mkdir -m 777 /nfs   (All users have read, write and execute access)
    • chown nfsnobody:nfsnobody /nfs
  3. Enter the following into /etc/exports:
    • /nfs   192.168.254.132/24(rw)   192.168.254.0/24(ro)
  4. Restart and enable the nfs and rpcbind services:
    • exportfs -rv
    • systemctl enable [ nfs | rpcbind ]
    • systemctl restart [ nfs | rpcbind ]
  5. Allow the nfs, rpc-bind and mountd services in the firewall (rpc-bind and mountd are required for showmount):
    • firewall-cmd --add-service=[ nfs | rpc-bind | mountd ] --permanent
    • firewall-cmd --reload
    • Add "ALL: 192.168.1." to /etc/hosts.allow on the server
  6. Mount it at the client:
    • Temporary mount via the mount command:
      • showmount -e server
      • mount server:/nfs /mnt
    • Persistent mount via /etc/fstab:
      • server:/nfs    /mnt    nfs   _netdev  0  0
      • systemctl daemon-reload
      • mount -a
    • Automatic mount using systemd.automount (man systemd.mount):
      • server:/nfs  /mnt  nfs  x-systemd.automount,x-systemd.idle-timeout=10,noauto,_netdev   0  0
      • systemctl daemon-reload; systemctl restart remote-fs.target
    • Verify the mount directory:
      • df -hT; ls -l /mnt
  7. (Optional) Verify the mount and get the NFS server port:
    • showmount -e server    (Show export list from the client)
    • exportfs -s            (Show export list on the server)
    • exportfs -av|-rv       (Export all, or re-export as in /etc/exports)
    • rpcinfo -p | grep nfs  (Get NFS server port)

ii) Samba: setup writable directory for guest (public) users:

  1. yum install samba  samba-client cifs-utils
  2. Create a directory and set permissions:
    • mkdir -m 2777 /public
    • chown nobody:nobody /public
    • semanage fcontext -at public_content_rw_t /public
    • restorecon -rvF /public
    • semanage boolean -m smbd_anon_write --on
  3. Add the following into /etc/samba/smb.conf:
    [public]
    path = /public
    public = Yes           (Synonymous with guest ok = yes)
  4. systemctl restart smb; systemctl enable smb
  5. firewall-cmd --add-service samba --permanent; firewall-cmd --reload
  6. mount -o guest //server/public /mnt
  7. echo "//server/public  /mnt  cifs  guest  0 0" >> /etc/fstab
  8. smbclient:
    • smbclient -L server          (List all Samba shared folders)
    • smbclient //server/public    (Connect via the Samba client)
  9. testparm                      (Check for syntax errors)

iii) Samba: setup private share for a single user:

  1. Create a user and group:  (student uid/gid must be the same on server and client)
    1. useradd student  [-u 9999  -s /sbin/nologin]
    2. smbpasswd -a student       (Add student to Samba)
    3. pdbedit -Lv                (List all Samba users)
  2. Create a directory and set the SELinux file context:
    • mkdir -m 2770 /private     (No read/write access for others)
    • chown student /private
    • semanage fcontext -at samba_share_t '/private(/.*)?'
    • restorecon -rvF /private
  3. Add the following into /etc/samba/smb.conf:
    [private]
    path = /private
    write list = student         (valid users = student)
    public = No
  4. testparm                    (Verify config changes)
  5. systemctl restart smb; systemctl enable smb
  6. At the server:
    1. mount -o username=student,password=student //server/private /mnt
    2. df -hT
  7. At the client:
    1. smbclient -L server       (List all Samba shared directories)
      • smbclient -U student //server/private
    2. useradd student  [-u 9999]   (student uid/gid must be the same as on the server)
    3. echo "username=student" > /etc/samba/std
    4. echo "password=student" >> /etc/samba/std
    5. chmod 600 /etc/samba/std
    6. Persistent mount via /etc/fstab (use either one of the following):
      • //server/private  /mnt  cifs  credentials=/etc/samba/std,_netdev   0   0
      • systemd.automount (man systemd.mount):
        //server/private  /mnt  cifs  credentials=/etc/samba/std,x-systemd.automount,x-systemd.idle-timeout=10,noauto,_netdev   0  0
    7. systemctl daemon-reload; systemctl restart remote-fs.target
    8. mount -av; df -h; ls -l /mnt

iv) Samba: Share home directories:

  1. Add the following into /etc/samba/smb.conf:
    [homes]
    valid users = %S
  2. Add user into samba:
    • smbpasswd -a user
  3. Enable the SELinux boolean:
    • semanage boolean -m samba_enable_home_dirs --on
  4. Test it using:
    • smbclient //server/user
    • mount -o username=user,password=password  //server/user  /mnt
Posted in LFCE, LFCS

Setup Squid proxy server in Linux

Squid:

  • Allow access for a local network:
    1. yum install squid
    2. Add the following to /etc/squid/squid.conf after the line:
      # INSERT YOUR OWN RULE(S) HERE
      acl mynetwork src 192.168.254.0/24
      http_access allow mynetwork
      #http_access allow localnet       (Comment it out because localnet already contains 192.168.0.0)
    3. squid -k parse
    4. systemctl restart squid
    5. firewall-cmd --add-service squid --permanent
      1. firewall-cmd --reload
      2. firewall-cmd --list-all
    6. curl -x http://squidhost:3128 http://google.com
    7. Add the following to auto-load the proxy in the browser:
  • Restrict access by website:
    • acl googlemaps url_regex  ^http://.*.google.com/maps/.*$
    • http_access deny googlemaps
  • Restrict access by client:
    • acl mynetwork src 192.168.254.0/24
    • acl  host  src 192.168.254.104
    • http_access allow mynetwork  !host
  • Restrict access by domains:
    • acl mynetwork src 192.168.254.0/24
    • acl forbidden dstdomain "/etc/squid/domains"
    • http_access allow mynetwork !forbidden
    • /etc/squid/domains:
      • .facebook.com
      • .twitter.com
  • Restrict Access by user authentication:
    • htpasswd -c /etc/squid/passwd student
    • Add the following into /etc/squid/squid.conf:
      auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
      auth_param basic credentialsttl 30 minutes
      auth_param basic casesensitive on
      auth_param basic realm Squid proxy-caching web server for Tecmint's LFCE series
      acl ncsa proxy_auth REQUIRED
      http_access allow ncsa
  • Setup cache:
    • Make the cache and log directories, set the SELinux contexts and grant access to the squid user:
      • mkdir -m 775 /var/cache/squid
      • chgrp squid /var/cache/squid
      • mkdir -m 770 /var/log/squid
      • chgrp squid /var/log/squid
      • semanage fcontext -at cache_squid_t '/var/cache/squid(/.*)?'
      • restorecon -rv /var/cache/squid
      • semanage fcontext -at squid_log_t '/var/log/squid(/.*)?'
      • restorecon -rvF /var/log/squid
    • Add the following into /etc/squid/squid.conf:
      maximum_object_size 100 MB
      cache_dir ufs /var/cache/squid 1000 16 256
      refresh_pattern -i \.(mp4|iso) 1440  50%  1440
      cache_log /var/log/squid/cache.log
    • squid -k parse
    • systemctl restart squid
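The access rules above, evaluated with Squid's http_access semantics: the first line whose ACL terms all match decides, "!" negates a term, and a request matching no line gets the opposite of the last line's action. This is an added Python example, not part of the notes; the squid.conf fragment and the contents of /etc/squid/domains are constructed from the ACLs listed above, and Squid's built-in "all" ACL is written out explicitly.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed squid.conf fragment combining the ACLs from the notes above
# ("all" is built into Squid; it is spelled out here so the parser sees it).
SQUID_CONF = """
acl all src all
acl mynetwork src 192.168.254.0/24
acl host src 192.168.254.104
acl forbidden dstdomain "/etc/squid/domains"
acl googlemaps url_regex ^http://.*.google.com/maps/.*$
http_access deny googlemaps
http_access allow mynetwork !host !forbidden
http_access deny all
"""
# Constructed stand-in for the file named by the dstdomain ACL.
FILES = {"/etc/squid/domains": ".facebook.com\n.twitter.com\n"}

def parse_conf(text, files=FILES):
    """Collect 'acl NAME TYPE ARGS...' definitions and the ordered http_access lines."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            if len(args) == 1 and args[0].startswith('"'):   # "path": one value per line
                args = files[args[0].strip('"')].split()
            acls.setdefault(name, []).append((kind, args))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, client_ip, url):
    """An ACL matches if any of its values matches the request."""
    host = urlsplit(url).hostname or ""
    ip = ipaddress.ip_address(client_ip)
    for kind, args in acl:
        if kind == "src" and any(
                a == "all" or ip in ipaddress.ip_network(a, strict=False) for a in args):
            return True
        # ".example.com" covers the domain and all subdomains; a bare name is exact.
        if kind == "dstdomain" and any(
                host == a.lstrip(".") or (a.startswith(".") and host.endswith(a)) for a in args):
            return True
        if kind == "url_regex" and any(re.search(a, url) for a in args):
            return True
    return False

def http_access(acls, rules, client_ip, url):
    """First http_access line whose terms all match decides; otherwise the opposite of the last line."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], client_ip, url) != t.startswith("!")
               for t in terms):
            return action == "allow"
    return rules[-1][0] != "allow"
```

Dropping the final "deny all" line does not open the proxy: with "allow mynetwork ..." as the last line, a request that matches nothing is denied by the opposite-of-last-line rule.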
Posted in LFCE, LFCS, Linux