openstack

OpenStack: quotas

openstack quota show
openstack quota show ${PROJECT_ID}
 
# show default quota
penstack quota show --default
 
# set quotas
openstack quota set --class --instances 20 default
openstack quota set --class --cores 	20 default
openstack quota set --class --ram 	$((68 * 1024)) default
 
openstack quota show
openstack quota set --class --gigabytes 10000 default
 
# show quota (admin only)
openstack quota list --project ${PROJECT_ID} --detail --compute 
openstack quota list --project ${PROJECT_ID} --detail --network 
openstack quota list --project ${PROJECT_ID} --detail --volume 
 
# set quota
openstack quota set --secgroups -1 service
openstack quota set --cores -1 service
openstack quota set --ram -1 service
openstack quota set --floating-ips -1 service
 
openstack quota set --class --floating-ips 50 default
openstack quota set --class --fixed-ips -1 default
openstack quota set --class --secgroups 10 default
openstack quota set --class --secgroup-rules 100 default

Terraform: Create LoadBalancer in OpenStack

provider "openstack" {
  cloud = "lab-admin"
  use_octavia = true
}
 
# data "template_file" "user_data" {
#   template = file("user-data.txt")
# }
 
data "template_file" "user_data" {
  template = <<EOF
#cloud-config
package_update: true
packages:
 - nginx
runcmd:
 - hostname -f | sudo tee /var/www/html/index.nginx-debian.html
 - id > /tmp/debug
EOF
}
 
variable "http_instance_names" {
  type = set(string)
  default = ["www1", "www2"]
}
 
resource "openstack_compute_instance_v2" "http" {
  for_each    = var.http_instance_names
  name        = each.key
 #name = "www${count.index + 1}"
 #count = 2
 image_name = "Ubuntu 20.04 minimal"
 flavor_name = "m1.small"
 key_pair = "lab-key"
 security_groups = ["default"]
 user_data = data.template_file.user_data.rendered
 
 network {
   name = "demo-net"
 }
}
 
data "openstack_networking_network_v2" "network_1" {
  name = "demo-net"
}
 
data "openstack_networking_subnet_v2" "subnet_1" {
  name = "demo-subnet"
  network_id = data.openstack_networking_network_v2.network_1.id
}
 
# Create loadbalancer
resource "openstack_lb_loadbalancer_v2" "http" {
  name          = "demo-lb1"
  vip_subnet_id = data.openstack_networking_subnet_v2.subnet_1.id
}
 

Terraform: OpenStack

OpenStack Providery
https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs

# Configure the OpenStack Provider
provider "openstack" {
  user_name   = "admin"
  tenant_name = "admin"
  password    = "pwd"
  auth_url    = "http://myauthurl:5000/v2.0"
  region      = "RegionOne"
}
 
# cloud.yaml
provider "openstack" {
  cloud      = "dev-foo"
}

Router
https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_router_v2

resource "openstack_networking_router_v2" "router_1" {
  name       = "foo-router"
  external_network_id = "88934cac-8d55-40d5-8ff9-bde65011741d"
}
 
resource "openstack_networking_router_interface_v2" "terraform" {
  router_id = openstack_networking_router_v2.router_1.id
  subnet_id = openstack_networking_subnet_v2.subnet_1.id
}

Compute
https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/compute_instance_v2

Kubernetes the hard way

Links
https://github.com/kelseyhightower/kubernetes-the-hard-way

Configure OpenStack application credentials

mkdir -p ~/.config/openstack
 
cat <<EOF> ~/.config/openstack/clouds.yaml
clouds:
  dev-foo:
    auth_type: "v3applicationcredential"
    auth:
      auth_url: https://keystone.service.dev.example.com/v3
      application_credential_id: "YOUR_CREDENTIAL_ID"
      application_credential_secret: "YOUR_CREDENTIAL_PASS"
EOF

Install Terraform

cat <<EOF> /tmp/install-terraform.yml 
---
- hosts: localhost
  tasks:
    - name: Get latest Terraform version
      uri:
        url: https://checkpoint-api.hashicorp.com/v1/check/terraform
      register: response
 
    - set_fact:
        terraform_download_url: "{{ response.json.current_download_url }}"
        terraform_version: "{{ response.json.current_version }}"
 
    - name: Download Terraform {{ terraform_version }}
      unarchive:
        src: "{{ terraform_download_url }}terraform_{{ terraform_version }}_{{ ansible_system | lower }}_amd64.zip"
        remote_src: yes
        dest: ~/bin
        creates: ~/bin/terraform
        mode: 0550
EOF
 
ansible-playbook /tmp/install-terraform.yml

Create test env on OpenStack

OpenStack: Octavia / Amphora LB check

#!/bin/bash
 
source /etc/kolla/admin-openrc.sh
 
 
function show_lb_owner() {
    LB_ID=$1
 
    # show project
    PROJECT_ID=$(openstack loadbalancer show -c project_id -f value ${LB_ID})
    PROJECT_NAME=$(openstack project show -c name -f value ${PROJECT_ID})
 
    # show domain
    DOMAIN_ID=$(openstack project show -c domain_id -f value ${PROJECT_ID})
    DOMAIN_NAME=$(openstack domain show -c name -f value ${DOMAIN_ID})
 
    echo "Domain: ${DOMAIN_NAME}"
    echo "Project: ${PROJECT_NAME}"
}
 
 
EXIT_CODE=0
 
 
# list broken LB
OUTPUT="$(openstack loadbalancer amphora list --provisioning-status ERROR)"
if [ -n "${OUTPUT}" ]; then
    echo "${OUTPUT}"
 
    EXIT_CODE=1
fi
 
# search for broken LB

LXD: OpenStack CLI (OSC) container

# create container
lxc launch ubuntu:20.04 osc
lxc shell osc
 
# install OpenStack CLI
apt install -y python3-openstackclient python3-neutron-vpnaas python3-octaviaclient python3-barbicanclient
openstack complete | sudo tee /etc/bash_completion.d/openstack
source /etc/bash_completion
 
# configure connection
mkdir -p ~/.config/openstack
cat <<EOF> ~/.config/openstack/clouds.yaml
clouds:
  dev-foo-app:
    auth:
      auth_url: https://keystone.service.example.com/v3
      application_credential_id: "xxxxxxxx"
      application_credential_secret: "xxxxxxxx"
    region_name: "eu-fra1"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3applicationcredential"
EOF
 
echo export OS_CLOUD=dev-foo-app >> .bashrc
 
# test
export OS_CLOUD=dev-foo-app
openstack image list

Side2Side VPN connection between OpenStack VPNaaS and AVM Fritz!Box

FRITZBOX_WAN_IP=111.1.2.3
FRITZBOX_CIDR=192.168.178.0/24
PSK=PASS1234
 
openstack vpn ike policy create ikepolicy \
  --encryption-algorithm aes-256 \
  --auth-algorithm sha512 \
  --pfs group2
 
openstack vpn ipsec policy create ipsecpolicy \
  --encryption-algorithm aes-256 \
  --auth-algorithm sha512 \
  --pfs group2
 
ROUTER_ID=$(openstack router list -c ID -f value)
openstack vpn service create vpn \
  --router ${ROUTER_ID}
 
SUBNET_ID=$(openstack subnet list -c ID -f value)
openstack vpn endpoint group create ep_subnet \
  --type subnet \
  --value ${SUBNET_ID}
 
openstack vpn endpoint group create ep_cidr \
  --type cidr \
  --value ${FRITZBOX_CIDR}
 
openstack vpn ipsec site connection create conn \
  --vpnservice vpn \
  --ikepolicy ikepolicy \
  --ipsecpolicy ipsecpolicy \
  --peer-address ${FRITZBOX_WAN_IP} \
  --peer-id ${FRITZBOX_WAN_IP} \
  --psk ${PSK} \
  --local-endpoint-group ep_subnet \
  --peer-endpoint-group ep_cidr

Add ingress ssh security rule

openstack security group rule create default \
  --protocol tcp \
  --dst-port 22 \
  --remote-ip 192.168.178.0/24

Create S2S VPN connection on Fritz!Box