network

Create an OpenStack dual-stack or IPv6-only VM

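# Create router with its external gateway on the "public" network
openstack router create test-router1 \
  --centralized \
  --ha \
  --external-gateway public

# Show the shared tenant IPv6 subnet pool the v6 subnet is allocated from
openstack subnet pool list --share | grep tenant-subnet-pool-v6

# Create network
openstack network create test-network1

# DUAL-STACK: Create IPv4 subnet (skip for IPv6 only)
openstack subnet create test-subnet1-ipv4 \
  --network test-network1 \
  --subnet-range 10.11.12.0/24

# DUAL-STACK: Attach IPv4 subnet to router (skip for IPv6 only)
openstack router add subnet test-router1 test-subnet1-ipv4

# Create IPv6 subnet: a /64 carved out of the shared tenant pool
openstack subnet create test-subnet1-ipv6 \
  --network test-network1 \
  --ip-version 6 \
  --subnet-pool tenant-subnet-pool-v6 \
  --prefix-length 64 \
  --ipv6-ra-mode dhcpv6-stateless \
  --ipv6-address-mode dhcpv6-stateless

# Attach IPv6 subnet to router
openstack router add subnet test-router1 test-subnet1-ipv6

# OPTIONAL: allow access from outside. Creating the group does nothing by itself;
# this snippet never attaches it to a server, that is a separate step.
SECURITY_GROUP=test-secgroup
openstack security group create "${SECURITY_GROUP}"

# DUAL-STACK: allow access to the floating IP from outside (skip for IPv6 only)
# NOTE(review): --remote-ip 0.0.0.0/0 exposes ICMP and SSH to the whole IPv4
# internet; for anything beyond a throwaway test, narrow it to the CIDR you
# actually connect from.
openstack security group rule create "${SECURITY_GROUP}" --ethertype IPv4 --protocol icmp --ingress --remote-ip 0.0.0.0/0
openstack security group rule create "${SECURITY_GROUP}" --ethertype IPv4 --protocol icmp --egress --remote-ip 0.0.0.0/0
openstack security group rule create "${SECURITY_GROUP}" --ethertype IPv4 --protocol tcp --dst-port 22 --remote-ip 0.0.0.0/0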

Docker networking

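# Docker-managed networks and the three built-in ones
docker network ls
docker network inspect bridge
docker network inspect host
docker network inspect none

# Host side of the default bridge
ip addr show docker0
ip link show docker0
ip -c link show type bridge

# Namespaces: `ip netns` only lists those registered under /var/run/netns, so
# container namespaces may not appear there; `docker inspect` shows the
# container's PID / sandbox to locate it (NOTE(review): verify on your version)
ip netns
docker inspect "${DOCKER_ID}"

# Host end of the veth pair, attached to the bridge (vethxxx@ifx)
ip link
# Container end inside its namespace (eth0@ifx); `ip -n` takes a namespace name
# and still needs an object such as `link`
ip -n "${NAMESPACE_ID}" link

ip -n "${NAMESPACE_ID}" addr

# Forward container port 80 to host port 8080.
# NOTE(review): -p 8080:80 binds on every host interface and the DNAT is done in
# nat/PREROUTING, so the traffic is forwarded and never traverses INPUT — host
# firewall rules written for INPUT do not gate it. Use -p 127.0.0.1:8080:80 when
# local-only access is enough.
docker run -p 8080:80 nginx
# Roughly the rules docker installs (illustrative and incomplete, not to be run as-is):
#iptables -t nat -A PREROUTING -j DNAT --dport 8080 --to-destination 80
#iptables -t nat -A DOCKER -j DNAT --dport 8080 --to-destination 172.17.0.3:80
iptables -nvL -t nat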

Find router binding_host_id mismatch

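ROUTER_ID=f2d3e40f-cea5-4a2b-bac7-eba0700f449c

# DB: host the router's gateway port is bound to according to Neutron
openstack port list --device-owner network:router_gateway --router "${ROUTER_ID}" -c id -f value \
  | xargs openstack port show -c binding_host_id -f value

# active: host whose L3 agent currently reports the HA state "active"
openstack network agent list --router "${ROUTER_ID}" --long -f json \
  | jq -r '.[] | select(."HA State" == "active").Host'

# Walk every router and print those where the two hosts disagree.
# (The original note stopped before the comparison; the mismatch check below
# is what the section title asks for.)
ROUTER_IDS=$(openstack router list -c ID -f value)
# ROUTER_IDS is intentionally unquoted: one UUID per line, split into words
for ROUTER_ID in ${ROUTER_IDS}; do
    ROUTER_PORT_ID=$(openstack port list --device-owner network:router_gateway --router "${ROUTER_ID}" -c id -f value)
    ROUTER_NODE_DB=""
    # a router without an external gateway has no gateway port
    if [ -n "${ROUTER_PORT_ID}" ]; then
        ROUTER_NODE_DB=$(openstack port show "${ROUTER_PORT_ID}" -c binding_host_id -f value)
    fi
    ROUTER_NODE_ACTIVE=$(openstack network agent list --router "${ROUTER_ID}" --long -f json | jq -r '.[] | select(."HA State" == "active").Host')
    if [ "${ROUTER_NODE_DB}" != "${ROUTER_NODE_ACTIVE}" ]; then
        echo "ROUTER_ID: ${ROUTER_ID} binding_host_id=${ROUTER_NODE_DB} active=${ROUTER_NODE_ACTIVE}"
    fi
done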
 

OpenStack: Neutron L3 router

Recreate / move qrouter namespace

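ROUTER_ID=74490819-028e-424e-b8f9-c7e48cf672af

# list the agents (router namespaces) hosting this router
openstack network agent list --router "${ROUTER_ID}" --long

# list available l3 agents
openstack network agent list --agent-type l3

# move the router from the L3 agent on SOURCE_NODE to the one on TARGET_NODE
SOURCE_NODE=ctl1-dev
TARGET_NODE=ctl2-dev

SOURCE_L3_ID=$(openstack network agent list --host "${SOURCE_NODE}" --agent-type l3 -f value -c ID)
TARGET_L3_ID=$(openstack network agent list --host "${TARGET_NODE}" --agent-type l3 -f value -c ID)
# fail early with a readable message instead of passing an empty --l3 argument
: "${SOURCE_L3_ID:?no l3 agent found on ${SOURCE_NODE}}"
: "${TARGET_L3_ID:?no l3 agent found on ${TARGET_NODE}}"

# add to the target first so the router is never left without an agent
openstack network agent add router --l3 "${TARGET_L3_ID}" "${ROUTER_ID}"
openstack network agent remove router --l3 "${SOURCE_L3_ID}" "${ROUTER_ID}"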

Recreate all network agents

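# Move every router hosted by SOURCE_L3_ID to TARGET_L3_ID (both set in the
# previous section), then take the source agent out of service.
: "${SOURCE_L3_ID:?set SOURCE_L3_ID first}"
: "${TARGET_L3_ID:?set TARGET_L3_ID first}"
openstack router list --agent "${SOURCE_L3_ID}" -f value -c ID | while read -r ROUTER_ID; do
    openstack network agent add router --l3 "${TARGET_L3_ID}" "${ROUTER_ID}"
    openstack network agent remove router --l3 "${SOURCE_L3_ID}" "${ROUTER_ID}"
done

# presumably keeps the scheduler from placing routers back on it — verify
openstack network agent set "${SOURCE_L3_ID}" --disable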

List floating IP in qrouter namespace

OpenStack: Debug / cleanup DHCP

Restart DHCP namespaces

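# Toggle DHCP off and on for one subnet (presumably recreates its dhcp namespace).
# No DHCP is served for the subnet between the two commands.
: "${SUBNET_ID:?set SUBNET_ID first}"
openstack subnet set --no-dhcp "${SUBNET_ID}"
openstack subnet set --dhcp "${SUBNET_ID}"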

Find unnecessary DHCP namespaces

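# Expected number of DHCP ports per network (presumably dhcp_agents_per_network);
# every network whose count differs is printed together with its ports.
MAX_DHCP_NS=3
SUBNET_IDS=$(openstack subnet list --dhcp -c ID -f value)
# DHCP ports belong to the network, and several subnets can share one network:
# remember which networks were already checked so they are reported once
CHECKED_NETWORK_IDS=" "
for SUBNET_ID in ${SUBNET_IDS}; do
    NETWORK_ID=$(openstack subnet show "${SUBNET_ID}" -c network_id -f value)
    case "${CHECKED_NETWORK_IDS}" in
        *" ${NETWORK_ID} "*) continue ;;
    esac
    CHECKED_NETWORK_IDS="${CHECKED_NETWORK_IDS}${NETWORK_ID} "

    DHCP_PORTS="$(openstack port list --device-owner network:dhcp --network "${NETWORK_ID}" -c ID -c binding_host_id -c fixed_ips -c status -f value)"
    # count non-empty lines: `echo "" | wc -l` reports 1 for a network with no ports
    DHCP_PORT_COUNT=$(printf '%s\n' "${DHCP_PORTS}" | grep -c .)

    if [ "${DHCP_PORT_COUNT}" -ne "${MAX_DHCP_NS}" ]; then
        echo "NETWORK_ID: ${NETWORK_ID}"
        echo "${DHCP_PORTS}"

        echo
    fi
done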

Add / remove DHCP ports

OpenStack: RBAC shared network

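# allow a project to use (access_as_shared) a network it does not own
# NOTE(review): ports in the target project can then attach to this network;
# confirm that is intended before sharing anything but a test network
openstack network rbac create --target-project foo-project1 --action access_as_shared --type network foo-net-01

# show the rbac_policy quota of a project
# (`<PROJECT_ID>` is not valid shell — the placeholder is a variable now)
: "${PROJECT_ID:?set PROJECT_ID to the project UUID}"
neutron quota-show --tenant_id "${PROJECT_ID}" | grep rbac_policy

# set rbac quota to unlimited
# NOTE(review): -1 removes the cap entirely; a large numeric limit keeps a
# guardrail against runaway sharing
openstack quota set --rbac-policies -1 "${PROJECT_ID}"

openstack network rbac list

: "${RBAC_ID:?set RBAC_ID from the list above}"
openstack network rbac show "${RBAC_ID}"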

Links
https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/network-rbac.html
https://docs.openstack.org/mitaka/networking-guide/config-rbac.html
https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/quota.html
https://docs.openstack.org/ocata/admin-guide/cli-networking-advanced-quotas.html

Create an AnyConnect VPN connection on the command line with nmcli

Create connection

# Profile parameters: gateway, login name and the route(s) sent through the tunnel
VPN_GATEWAY=vpn1.example.com
VPN_USER=foo
VPN_ROUTES=192.168.11.0/24

# Collect the nmcli arguments first, then hand them over in one call.
# connection.permissions restricts the profile to the invoking user;
# ipv4.ignore-auto-routes yes discards routes pushed by the gateway, so only
# VPN_ROUTES goes through the tunnel. Authentication is by client certificate.
# NOTE(review): save_passwords=yes persists the password with the profile —
# confirm that is acceptable on this host, and keep the key under ${HOME}/vpn1
# readable by this user only.
nmcli_args=(
  connection.id vpn1
  connection.type vpn
  connection.permissions "user:${USER}"
  ipv4.routes "${VPN_ROUTES}"
  ipv4.ignore-auto-routes yes
  vpn.service-type org.freedesktop.NetworkManager.openconnect
  vpn.data "
        protocol = anyconnect,
        authtype = cert,
        gateway = ${VPN_GATEWAY},
        cacert = ${HOME}/vpn1/ca.pem,
        usercert = ${HOME}/vpn1/certificate.pem,
        userkey = ${HOME}/vpn1/priv.pem,
        cookie-flags = 2
    "
  vpn.secrets "
        form:main:group_list=CLIENTGROUP,
        form:main:username=${VPN_USER},
        save_passwords=yes
    "
)
nmcli connection add "${nmcli_args[@]}"

Start the connection and enter the password once

# Bring vpn1 up; the password is asked for interactively the first time and kept
# afterwards because the profile was created with save_passwords=yes
nmcli connection up vpn1

Debug

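# Follow NetworkManager's log while the connection comes up; the commented
# variant filters on a single profile by its UUID (see `connection.uuid` in
# `nmcli connection show vpn1`)
#journalctl -fxe NM_CONNECTION=8d5ec3cb-99c5-47ea-84e2-38174cd14702
journalctl -fxe -t NetworkManager

# The keyfile is the profile as stored on disk (typically root-only).
# NOTE(review): with save_passwords=yes it also holds the saved secret —
# redact it before pasting into a ticket or chat.
cat /etc/NetworkManager/system-connections/vpn1.nmconnection
# spelled out as `connection`, consistent with the rest of these notes
nmcli connection show vpn1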

Links
https://0xsys.blogspot.com/2019/06/configure-vpn-using-nmcli.html

tcpdump

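# ICMP (ping)
tcpdump -nni eth0 icmp
# -e prints the link-level header, -n skips name resolution, -v is verbose
tcpdump -i eth0 -e -n -v 'icmp and (ether host 00:16:3e:ec:11:22)'

# DHCP (server port 67 / client port 68)
tcpdump -i dev-mgmt -e -n -v '(udp port 67 or port 68)'

# POP3 on a router gateway interface
tcpdump -i qg-1ee0cec6-62 -n '(tcp port 110)'

# filter IP
tcpdump -i eth0 -e -n -v 'host 10.11.22.33'

# filter MAC
tcpdump 'ether host e8:2a:ea:44:55:66'

# DNS: `port 53` already matches both udp and tcp; the earlier
# `udp port 53 or port 53` reduced to the same filter
tcpdump -n -i eth0 'port 53'

# exclude ssh and dns; -s 1500 captures whole frames instead of the default snaplen
tcpdump -i eth1 -s 1500 'port not 22 and port not 53'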

Links
https://arthurchiao.art/blog/tcpdump/