openstack

OpenStack address scopes / subnet pools / network segments

Documentation
https://docs.openstack.org/neutron/latest/admin/config-address-scopes.html

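# Shared IPv4 address scope: subnet pools attached to the same scope form one
# routing domain, which is what the L3 agent later enforces with the scope marks
openstack address scope create --share --ip-version 4 test-scope-v4

# Subnet pool carved out of 10.0.0.0/8 (default allocation /24), bound to the scope
openstack subnet pool create --share --pool-prefix 10.0.0.0/8 --default-prefix-length 24 --address-scope test-scope-v4 test-subnet-pool-v4

openstack network create test-network2

# Allocate the subnet from the pool instead of passing an explicit --subnet-range
openstack subnet create --network test-network2 --subnet-pool test-subnet-pool-v4 test-subnet2

openstack network show test-network2

# disable address scope (detach the pool from its scope)
openstack subnet pool set --no-address-scope provider-subnet-pool

# enable address scope (attach the pool to a scope again)
openstack subnet pool set --address-scope provider-addr-scope-v4 provider-subnet-pool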

Debug Iptables

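# Open a shell inside the qrouter namespace on the network node (router ID is an
# example; look yours up with `openstack router list`)
ssh -t control1-dev sudo ip netns exec qrouter-cca1d315-c56e-41ed-9a4d-1af6ca092f1a bash

# Dump all rules of the filter table; the scope chain drops packets whose scope
# mark does not match the outgoing qr- interface. Example output:
iptables -S
# ...
# -A neutron-l3-agent-scope -o qr-80ae710a-ec -m mark ! --mark 0x4000000/0xffff0000 -j DROP

# scope chain in the mangle table, with packet counters (-v) and numeric output (-n)
iptables -t mangle -n -v -L neutron-l3-agent-scope

# scope chain in the filter table (the DROP rules seen above)
iptables -t filter -vL neutron-l3-agent-scope

# chain name corrected from the garbled original "neutron-l-agent -POSTROUTING"
iptables -t mangle -vL neutron-l3-agent-POSTROUTING
# chain name corrected: "neutorn" -> "neutron"
iptables -t nat -vL neutron-l3-agent-snat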

Network segments

# List the segments of routed (multi-segment) networks; needs the segments extension on the cloud
openstack network segment list 

Links
https://www.youtube.com/watch?v=VsCYSZUOB6U

Designate as authenticator for Lets Encrypt

Prerequisites
Install OpenStack CLI client (OSC)
http://www.panticz.de/osc

OpenStack Application credentials
~/.config/openstack/clouds.yaml

Generate Lets Encrypt certificate

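sudo apt install -y certbot

# certbot's dns-openstack plugin is installed into the same virtualenv as the
# OpenStack CLI so it can reuse the clouds.yaml credentials from Prerequisites
pyenv activate osc
pip install python-designateclient certbot-dns-openstack zope

# list available zones (the credentials must be allowed to write records in
# the zone that serves ${DOMAIN})
openstack zone list

# Create letsencrypt directory (-p: safe to re-run; keeps everything under $HOME, no root needed)
mkdir -p ~/letsencrypt

# Request wildcard certificate via the DNS-01 challenge.
# NOTE: --register-unsafely-without-email means Let's Encrypt cannot send
# expiry or revocation notices; outside a test run drop it and pass -m <mail>.
# The -d value is quoted so the shell does not glob "*.example.com" against
# files in the current directory.
DOMAIN=example.com
certbot -a dns-openstack certonly \
    --agree-tos \
    --register-unsafely-without-email \
    --work-dir ~/letsencrypt/work \
    --config-dir ~/letsencrypt/etc \
    --logs-dir ~/letsencrypt/log \
    --dns-openstack-propagation-seconds 60 \
    -d "*.${DOMAIN}"
#    -d "*.${DOMAIN},${DOMAIN}"   # wildcard plus the apex name

# List certificates (archive/ also holds the private keys; keep the directory permissions tight)
ls -l ~/letsencrypt/etc/archive/*/*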

DEBUG (second terminal)

# Refresh the zone's recordsets every second to watch the DNS-01 challenge records certbot creates and removes
watch -n1 openstack recordset list example.com

Links
https://docs.binero.com/guides/designate-as-authenticator-for-lets-encrypt.html
https://letsencrypt.org/docs/challenge-types/

Create OpenStack DualStack or IPv6 only VM

# Create router
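# Create router (centralized, HA) with its gateway on the "public" external network
openstack router create test-router1 \
  --centralized \
  --ha \
  --external-gateway public

# Show available (shared) tenant IPv6 subnet pool provided by the operator
openstack subnet pool list --share | grep tenant-subnet-pool-v6

# Create network
openstack network create test-network1

# DUAL-STACK: Create IPv4 subnet (skip for IPv6 only)
openstack subnet create test-subnet1-ipv4 \
  --network test-network1 \
  --subnet-range 10.11.12.0/24

# DUAL-STACK: Attach IPv4 subnet to router (skip for IPv6 only)
openstack router add subnet test-router1 test-subnet1-ipv4

# Create IPv6 subnet: a /64 is allocated from the shared pool; with
# dhcpv6-stateless the addresses come from router advertisements and DHCPv6
# only supplies extra options
openstack subnet create test-subnet1-ipv6 \
  --network test-network1 \
  --ip-version 6 \
  --subnet-pool tenant-subnet-pool-v6 \
  --prefix-length 64 \
  --ipv6-ra-mode dhcpv6-stateless \
  --ipv6-address-mode dhcpv6-stateless

# Attach IPv6 subnet to router
openstack router add subnet test-router1 test-subnet1-ipv6

# OPTIONAL: allow access from outside
SECURITY_GROUP=test-secgroup
openstack security group create "${SECURITY_GROUP}"

# DUAL-STACK: allow access to the floating IP (FIP) from outside (skip for IPv6 only)
# 0.0.0.0/0 exposes ICMP and SSH to the whole internet: narrow --remote-ip to the
# source range that actually needs access. An IPv6-only VM additionally needs
# matching --ethertype IPv6 ingress rules (not shown here) before it is reachable.
openstack security group rule create "${SECURITY_GROUP}" --ethertype IPv4 --protocol icmp --ingress --remote-ip 0.0.0.0/0
openstack security group rule create "${SECURITY_GROUP}" --ethertype IPv4 --protocol icmp --egress --remote-ip 0.0.0.0/0
openstack security group rule create "${SECURITY_GROUP}" --ethertype IPv4 --protocol tcp --dst-port 22 --remote-ip 0.0.0.0/0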

Show neutron router namespaces by floating IP (FIP)

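FLOATING_IP=1.2.3.4

# search in floating IP table
ROUTER_ID=$(openstack floating ip list --floating-ip-address "${FLOATING_IP}" --long -c Router -f value)
if [ -z "${ROUTER_ID}" ]; then
    # not a FIP, so look for the address in the routers' external gateway info;
    # -F -w keeps the dots literal and stops 1.2.3.4 from matching 1.2.3.40
    ROUTER_ID=$(openstack router list --long | grep -F -w -- "${FLOATING_IP}" | cut -d" " -f2)
fi
if [ -z "${ROUTER_ID}" ]; then
    echo "no router found for ${FLOATING_IP}" >&2
fi

PROJECT_ID=$(openstack router show "${ROUTER_ID}" -c project_id -f value)

# headings in blue (\e[34m); the trailing \e[0m resets the colour so the
# tables below are printed normally. Labels fixed: router show is labelled
# "Router" and project show "Project" (they were swapped).
echo -e "\e[34m# Router\e[0m"
openstack router show "${ROUTER_ID}" -c id -c name

echo
echo -e "\e[34m# Project\e[0m"
openstack project show "${PROJECT_ID}" -c id -c name -c description

echo
# the agent whose "HA State" is active currently serves the router
echo -e "\e[34m# Router namespaces\e[0m"
openstack network agent list --router "${ROUTER_ID}" --long --sort-column 'HA State'
echo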
 

Terraform: OpenStack

OpenStack Provider
https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs

# Configure the OpenStack Provider
# Static credentials in the provider block: the password is stored in clear
# text in the .tf file. Prefer the clouds.yaml form (`cloud = "<name>"`) or
# OS_* environment variables so secrets stay out of version control.
provider "openstack" {
  user_name   = "admin"
  tenant_name = "admin"
  password    = "pwd"                        # placeholder value
  auth_url    = "http://myauthurl:5000/v2.0" # plain http and the identity v2.0 API; confirm the cloud still serves v2.0 (v3 is current) and use https
  region      = "RegionOne"
}
 
# cloud.yaml
# Reference a named cloud from clouds.yaml (e.g. ~/.config/openstack/clouds.yaml);
# auth URL and credentials are read from there, nothing sensitive in the .tf file
provider "openstack" {
  cloud      = "dev-foo"
}

Router
https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_router_v2

# Router with its gateway on the external network given by ID (example UUID;
# look up the real one with `openstack network list --external`)
resource "openstack_networking_router_v2" "router_1" {
  name       = "foo-router"
  external_network_id = "88934cac-8d55-40d5-8ff9-bde65011741d"
}
 
# Attach a subnet to router_1; openstack_networking_subnet_v2.subnet_1 is
# referenced but not defined on this page, it has to exist in the same config
resource "openstack_networking_router_interface_v2" "terraform" {
  router_id = openstack_networking_router_v2.router_1.id
  subnet_id = openstack_networking_subnet_v2.subnet_1.id
}

Compute
https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/compute_instance_v2

# Minimal instance: image and flavor by ID (example values), SSH key pair by
# name, attached to the project's "default" security group and to my_network
resource "openstack_compute_instance_v2" "basic" {
  name            = "basic"
  image_id        = "ad091b52-742f-469e-8f3c-fd81cadf0743"
  flavor_id       = "3"
  key_pair        = "my_key_pair_name"
  security_groups = ["default"]
 
  # free-form key/value metadata exposed to the guest via the metadata service
  metadata = {
    this = "that"
  }
 
  network {
    name = "my_network"
  }
}

Image

Find router binding_host_id mismatch

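ROUTER_ID=f2d3e40f-cea5-4a2b-bac7-eba0700f449c

# DB: host the router's gateway port is bound to according to the neutron database
# (xargs -r, GNU: skip `port show` entirely when the router has no gateway port)
openstack port list --device-owner network:router_gateway --router "${ROUTER_ID}" -c id -f value | xargs -r openstack port show -c binding_host_id -f value

# active: host whose L3 agent currently holds the HA "active" state for the router;
# a mismatch between the two outputs is the binding_host_id problem being looked for
openstack network agent list --router "${ROUTER_ID}" --long -f json | jq -r '.[] | select(."HA State" == "active").Host'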
# Loop variant over all routers, collecting the DB binding host and the active
# L3 agent host per router. NOTE(review): the snippet is truncated on this page:
# the loop has no closing `done` and the two values are never compared or printed.
ROUTER_IDS=$(openstack router list  -c ID -f value)
for ROUTER_ID in ${ROUTER_IDS}; do
    # gateway port of this router (empty when the router has no external gateway)
    ROUTER_PORT_ID=$(openstack port list --device-owner network:router_gateway --router ${ROUTER_ID} -c id -f value)
    ROUTER_NODE_DB=""
    if [ ! -z ${ROUTER_PORT_ID} ]; then
        ROUTER_NODE_DB=$(openstack port show ${ROUTER_PORT_ID} -c binding_host_id -f value)    
    fi
    # host whose L3 agent currently holds the HA "active" state for this router
    ROUTER_NODE_ACTIVE=$(openstack network agent list --router ${ROUTER_ID} --long -f json | jq -r '.[] | select(."HA State" == "active").Host')
 

Debug VPN script

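#!/bin/bash
# Job script: the @option.*@ placeholders are substituted by the job runner
# (Rundeck-style) before the script executes; the script continues below this page.
 
export DEBUG="@option.debug@"
# strip leading whitespace from the pasted ID with parameter expansion instead
# of an unquoted echo | sed (which also word-splits and globs the value)
VPN_CONNECTION_ID="@option.vpn_connection_id@"
export VPN_CONNECTION_ID="${VPN_CONNECTION_ID#"${VPN_CONNECTION_ID%%[![:space:]]*}"}"
 
source /etc/kolla/admin-openrc.sh
source /usr/local/pyenv/versions/osc/bin/activate
 
# Enable tracing only after the credentials have been sourced: with set -x in
# effect before the source lines, every OS_* export (including OS_PASSWORD)
# would be echoed into the job log.
[ "${DEBUG}" == "yes" ] && set -x
 
# check parameter: a valid UUID is 32 hex digits once the dashes are removed
if [[ ! "${VPN_CONNECTION_ID//-/}" =~ ^[[:xdigit:]]{32}$ ]]; then
    echo -e "\e[34mPlease specify the VPN ipsec site connection ID\e[0m"
    openstack vpn ipsec site connection list --long
 
    # non-zero status so the job is reported as failed instead of silently succeeding
    exit 1
fi
 
 
VPN_CONNECTION_JSON=$(openstack vpn ipsec site connection show "${VPN_CONNECTION_ID}" -f json)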