Octavia: Allow SSH login to Amphora VM

Allow SSH access

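# Load balancer whose MASTER amphora should temporarily accept SSH
LB_ID=foo-lb01-prod

# Resolve the MASTER amphora, its Nova instance, its lb_network_ip address,
# and the security group attached to the port carrying that address.
AMPHORA_ID=$(openstack loadbalancer amphora list --loadbalancer "${LB_ID}" --role MASTER -c id -f value)
AMPHORA_COMPUTE_ID=$(openstack loadbalancer amphora show "${AMPHORA_ID}" -c compute_id -f value)
LB_NETWORK_IP=$(openstack loadbalancer amphora show "${AMPHORA_ID}" -c lb_network_ip -f value)
SECURITY_GROUP_ID=$(openstack port list --server "${AMPHORA_COMPUTE_ID}" --fixed-ip "ip-address=${LB_NETWORK_IP}" -c security_group_ids -f value)

# DEBUG: show ingress tcp rules before changing anything
openstack security group rule list --ingress --protocol tcp "${SECURITY_GROUP_ID}"

# Open tcp/22 to 172.16.0.0/12 only. This is a temporary debugging rule:
# delete it again once the session is finished.
# NOTE(review): narrow --remote-ip to the control nodes' addresses if they are known.
openstack security group rule create --protocol tcp --dst-port 22:22 --remote-ip 172.16.0.0/12 "${SECURITY_GROUP_ID}"

# DEBUG: list the amphora addresses (all roles, then MASTER only)
openstack loadbalancer amphora list --loadbalancer "${LB_ID}" -c lb_network_ip -c role -f value
openstack loadbalancer amphora list --loadbalancer "${LB_ID}" -c lb_network_ip --role MASTER -f value

# login to amphora VM from OpenStack control node
# AMPHORA_VM_IP was never assigned in the original steps; it is the amphora's
# lb_network_ip resolved above. The second ssh is presumably typed on the
# control node, where these variables are not set, so print the value first
# and set AMPHORA_VM_IP in that shell before running it.
AMPHORA_VM_IP=${LB_NETWORK_IP}
printf 'AMPHORA_VM_IP=%s\n' "${AMPHORA_VM_IP}"
ssh local@ctl1-dev.dev.i.example.com
ssh -i ~/.ssh/id_rsa_octavia ubuntu@"${AMPHORA_VM_IP}"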

Manual SSH access

# Get loadbalancer ID: the first column of the row matching the name
openstack loadbalancer list | grep foo
| aa3328bb-fbf8-4d3d-8bb3-99966b860006 | foo-lb01-prod                                                             | 6df9bd4956404f06bf169a382fe4035a | 192.168.248.6 | ACTIVE              | amphora  |
 
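# Get amphora ID: the id column of the MASTER row
LB_ID=aa3328bb-fbf8-4d3d-8bb3-99966b860006

openstack loadbalancer amphora list --loadbalancer "${LB_ID}"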
+--------------------------------------+--------------------------------------+-----------+--------+---------------+---------------+
| id                                   | loadbalancer_id                      | status    | role   | lb_network_ip | ha_ip         |
+--------------------------------------+--------------------------------------+-----------+--------+---------------+---------------+
| 0389bb5e-2e62-4be1-971e-2b897bf8366b | aa3328bb-fbf8-4d3d-8bb3-99966b860006 | ALLOCATED | BACKUP | 172.16.100.23 | 192.168.248.6 |
| 5555fd70-bbbb-4760-8b02-999999999999 | aa3328bb-fbf8-4d3d-8bb3-99966b860006 | ALLOCATED | MASTER | 172.16.100.31 | 192.168.248.6 |
+--------------------------------------+--------------------------------------+-----------+--------+---------------+---------------+
 
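# Get port ID: the second column of the row carrying the amphora's lb_network_ip
AMPHORA_ID=5555fd70-bbbb-4760-8b02-999999999999

nova interface-list "amphora-${AMPHORA_ID}" | grep 172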
| ACTIVE     | 9a03e657-7743-4722-a518-b1ea38fb068a | ef82886a-1a24-4870-a5a2-d35cad85ead4 | 172.16.100.31  | fa:16:3e:39:05:06 |
 
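# Get security group ID of the amphora's management port
PORT_ID=9a03e657-7743-4722-a518-b1ea38fb068a

openstack port show "${PORT_ID}" -c security_group_ids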
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| security_group_ids | d0e78d24-ead8-4392-985e-f495b818a83c |
+--------------------+--------------------------------------+
 
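# Allow SSH ingress from the control nodes only.
# The rule output below records remote_ip_prefix 172.16.0.0/12, so the command
# uses that prefix; 0.0.0.0/0 would expose the amphora's SSH port to every
# network that can route to it. Delete the rule again when the session is done.
SECURITY_GROUP_ID=d0e78d24-ead8-4392-985e-f495b818a83c

openstack security group rule create --protocol tcp --dst-port 22:22 --remote-ip 172.16.0.0/12 "${SECURITY_GROUP_ID}"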
+-------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field             | Value                                                                                                                                                                                   |
+-------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at        | 2019-09-06T13:27:00Z                                                                                                                                                                    |
| description       |                                                                                                                                                                                         |
| direction         | ingress                                                                                                                                                                                 |
| ether_type        | IPv4                                                                                                                                                                                    |
| id                | b4e3e757-00ae-462d-a922-5f1daafa7502                                                                                                                                                    |
| location          | Munch({'zone': None, 'project': Munch({'domain_name': 'Default', 'domain_id': None, 'id': 'a772e4ab888e4f039b3430d688f4559d', 'name': 'admin'}), 'cloud': '', 'region_name': 'ch-zh1'}) |
| name              | None                                                                                                                                                                                    |
| port_range_max    | 22                                                                                                                                                                                      |
| port_range_min    | 22                                                                                                                                                                                      |
| project_id        | a772e4ab888e4f039b3430d688f4559d                                                                                                                                                        |
| protocol          | tcp                                                                                                                                                                                     |
| remote_group_id   | None                                                                                                                                                                                    |
| remote_ip_prefix  | 172.16.0.0/12                                                                                                                                                                           |
| revision_number   | 0                                                                                                                                                                                       |
| security_group_id | d0e78d24-ead8-4392-985e-f495b818a83c                                                                                                                                                    |
| tags              | []                                                                                                                                                                                      |
| updated_at        | 2019-09-06T13:27:00Z                                                                                                                                                                    |
+-------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

SSH login to Amphora VM

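# Older two-hop form, kept for reference. -A forwards the local SSH agent to
# the control node, where anyone with sufficient privileges can use it for the
# lifetime of the session.
#ssh -t -A -i /etc/kolla/config/foo/octavia_key control-node-1 ssh ubuntu@172.16.100.31
# ProxyJump form: -J takes the jump host and the destination follows directly
# (a second "ssh" word would be parsed as the destination host name).
# Authentication to the amphora happens from the local client, so the amphora
# key must be available locally (identity file or agent).
ssh -J control-node-1 ubuntu@172.16.100.31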

Remove the SSH access rule

# Find the ID of the tcp/22 rule. "grep 22" also matches any other field that
# contains "22", so confirm port_range_min/port_range_max in the matching row.
openstack security group show -c rules ${SECURITY_GROUP_ID} | grep 22
|       | created_at='2019-09-06T13:27:00Z', direction='ingress', ethertype='IPv4', id='b4e3e757-00ae-462d-a922-5f1daafa7502', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix='172.16.0.0/12', updated_at='2019-09-06T13:27:00Z' |
 
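# ID of the temporary SSH rule, taken from the id='...' field of the rule row
SECURITY_GROUP_RULE_ID=b4e3e757-00ae-462d-a922-5f1daafa7502

openstack security group rule delete "${SECURITY_GROUP_RULE_ID}"

# Confirm that the tcp/22 ingress rule is no longer listed
openstack security group show "${SECURITY_GROUP_ID}"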

Debug

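# Get amphora VM console URL
# NOTE(review): console URLs normally embed an access token; treat the output
# as a credential and keep it out of tickets and chat logs.
openstack console url show "amphora-${AMPHORA_ID}"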