So a customer was trying to add an SSL key to a Load Balancer, but the key was password-protected. No good! Strip the passphrase with:
openssl rsa -in SSL.key -out nopass-SSL.key
Thanks to my colleague Mike, from whom I stole this handy one-liner. Bear in mind that nopass-SSL.key is now an unencrypted private key, so keep its file permissions tight and remove it once it has been uploaded.
So a customer had flushed his iptables rules, and sadly wasn’t able to use SMTP and POP. So I put together this basic tutorial explaining how to do it!
The following ports are commonly used for mail:
SMTP 587
POP 110
POPS 995
IMAP 143
IMAPS 993

To add these ports to the firewall rules:

# Allows SMTP access
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# Allows pop and pops connections
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
# Allows imap and imaps connections
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT

Note that the SMTP rule above opens port 25; if clients submit mail on port 587 as listed, add a matching rule for that port too. Rules added with -A live only in memory, so save them (for example with service iptables save on CentOS) or the next flush or reboot will drop them again.
I am working on a project at work to deploy Keystone and Glance. I've currently been tasked with finishing off the glance role of the playbook: the basic setup tasks, retrieving the stock qcow2 images for the various distributions, and automatically populating the Glance image list through the API. Here is how I did it:
This uses an encrypted group_vars/all vars.yml which contains sensitive password variables like GLANCE_DBPASS.
This file shows how the Glance SQL database and its permissions are created and populated, and how the images are uploaded to Glance for use by OpenStack Compute.
File: osan/roles/glance/tasks/main.yml
---
- name: Create glance database
  mysql_db:
    name: glance

- name: Configure database user privileges
  mysql_user:
    name: glance
    host: "{{ item }}"
    password: "{{ GLANCE_DBPASS }}"
    priv: "glance.*:ALL"
  with_items:
    - "%"
    - localhost

# - name: Set credentials to admin
#   command: source admin-openrc.sh

# admin_env is a dict of OS_* variables (the admin credentials) passed to each openstack command
- name: Create the Glance user service credentials
  command: openstack user create --domain default --password {{ GLANCE_PASS }} glance
  environment: "{{ admin_env }}"
  ignore_errors: yes

- name: Add the admin role to the glance user and service project
  command: openstack role add --project service --user glance admin
  environment: "{{ admin_env }}"
  ignore_errors: yes

- name: Create the glance service entity
  command: openstack service create --name glance --description "OpenStack Image service" image
  environment: "{{ admin_env }}"
  ignore_errors: yes

- name: Create the Image service API endpoint for glance (public)
  command: openstack endpoint create --region RegionOne image public http://controller:9292
  environment: "{{ admin_env }}"
  ignore_errors: yes

- name: Create the Image service API endpoint for glance (internal)
  command: openstack endpoint create --region RegionOne image internal http://controller:9292
  environment: "{{ admin_env }}"
  ignore_errors: yes

- name: Create the Image service API endpoint for glance (admin)
  command: openstack endpoint create --region RegionOne image admin 'http://controller:9292'
  environment: "{{ admin_env }}"
  ignore_errors: yes

- name: Install Glance and Dependencies
  yum: name={{ item }} state=installed
  with_items:
    - openstack-glance
    - python-glance
    - python-glanceclient

- name: replace glance-api.conf file
  template: src=glance-api.conf.ansible dest=/etc/glance/glance-api.conf owner=root

# dest was misspelt "glance-registory.conf" in the first version; the service reads glance-registry.conf
- name: replace glance-registry.conf file
  template: src=glance-registry.conf.ansible dest=/etc/glance/glance-registry.conf owner=root

- name: Populate the Image service database
  command: su -s /bin/sh -c "glance-manage db_sync" glance

- name: Start & Enable openstack-glance-registry.service
  service: name=openstack-glance-registry.service enabled=yes state=started

- name: Start & Enable openstack-glance-api.service
  service: name=openstack-glance-api.service enabled=yes state=started

- name: Retrieve CentOS 7 x86_64 qcow2 Image
  get_url: url=http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud-1503.qcow2 dest=/root/CentOS-7-x86_64-GenericCloud-1503.qcow2 mode=0600

- name: Populate Glance DB with CentOS 7 qcow2 Image
  command: glance image-create --name "centos7-x86_x64" --file /root/CentOS-7-x86_64-GenericCloud-1503.qcow2 --disk-format qcow2 --container-format bare --visibility public --progress

- name: Retrieve Cirros qcow2 Image
  get_url: url=http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img dest=/root/cirros-0.3.4-x86_64-disk.img mode=0600

- name: Import Cirros qcow2 Image to Glance
  command: glance image-create --name "cirros-0.3.4_x86_64" --file /root/cirros-0.3.4-x86_64-disk.img --disk-format qcow2 --container-format bare --visibility public --progress

- name: Retrieve Ubuntu 14.04 Trusty Tahr qcow2 Image
  get_url: url=http://cloud-images.ubuntu.com/releases/14.04/release-20140416.1/ubuntu-14.04-server-cloudimg-amd64-disk1.img dest=/root/ubuntu-14.04-server-cloudimg-amd64-disk1.img mode=0600

- name: Import Ubuntu 14.04 Trusty Tahr to Glance
  command: glance image-create --name "ubuntu-14.04-lts-trusty-tahr-amd64" --file /root/ubuntu-14.04-server-cloudimg-amd64-disk1.img --disk-format qcow2 --container-format bare --visibility public --progress

- name: Retrieve Fedora 23 qcow2 Image
  get_url: url=https://download.fedoraproject.org/pub/fedora/linux/releases/23/Cloud/x86_64/Images/Fedora-Cloud-Base-23-20151030.x86_64.qcow2 dest=/root/Fedora-Cloud-Base-23-20151030.x86_64.qcow2 mode=0600

- name: Import Fedora 23 qcow2 Image to Glance
  command: glance image-create --name "fedora-23-amd64" --file /root/Fedora-Cloud-Base-23-20151030.x86_64.qcow2 --disk-format qcow2 --container-format bare --visibility public --progress

- name: Retrieve Debian 8 amd64 qcow2 Image
  get_url: url=http://cdimage.debian.org/cdimage/openstack/current/debian-8.2.0-openstack-amd64.qcow2 dest=/root/debian-8.2.0-openstack-amd64.qcow2 mode=0600

- name: Import Debian 8 to Glance
  command: glance image-create --name "debian8-2-0-amd64" --file /root/debian-8.2.0-openstack-amd64.qcow2 --disk-format qcow2 --container-format bare --visibility public --progress

- name: Retrieve OpenSuSE 13.2 Guest qcow2 Image
  get_url: url=http://download.opensuse.org/repositories/Cloud:/Images:/openSUSE_13.2/images/openSUSE-13.2-OpenStack-Guest.x86_64.qcow2 dest=/root/openSUSE-13.2-OpenStack-Guest.x86_64.qcow2 mode=0600

- name: Import OpenSuSE 13.2 to Glance
  command: glance image-create --name "opensuse-13-2-amd64" --file /root/openSUSE-13.2-OpenStack-Guest.x86_64.qcow2 --disk-format qcow2 --container-format bare --visibility public --progress
The above is in YAML format, which is really tricky, so watch your syntax when using it. It is VERY sensitive to indentation.
After this runs we are left with a nice glance image-list output. Glance is ready for Compute to use the qcow2 images we registered through the OpenStack Glance API.
+--------------------------------------+------------------------------------+
| ID                                   | Name                               |
+--------------------------------------+------------------------------------+
| f58aaed4-fda7-41b3-a0c9-e99d6c956afd | centos7-x86_x64                    |
| b4c7224b-0e0d-475c-880c-f48e1c0608b2 | cirros-0.3.4_x86_64                |
| 975accd5-d9bc-4485-86df-88e97e7f3237 | debian8-2-0-amd64                  |
| 41e7949c-3e17-434f-8008-4551673da496 | fedora-23-amd64                    |
| 092338df-6e8e-471b-93ff-07b339510636 | opensuse-13-2-amd64                |
| ae707804-3dd5-474f-ab8d-3d6e855e420d | ubuntu-14.04-lts-trusty-tahr-amd64 |
+--------------------------------------+------------------------------------+
I've been working on some glance automation and I wanted to quickly delete all the glance images so I can test whether my ansible playbook downloads all the reference cloud qcow2 images and populates glance with them correctly. Running the pipeline through echo first shows what would be deleted before anything actually is:
bash-4.2# glance image-list | awk '{print $2}' | grep -v ID | xargs -i echo glance image-delete {}
glance image-delete 8d73249e-c616-4481-8256-f634877eb5a2
glance image-delete 2ea3faef-530c-4679-9faf-b11c7e7889eb
glance image-delete 697efb18-72fe-4305-8e1d-18e0f1481bd6
glance image-delete 555811e2-f941-4cb5-bba2-6ed8751bf188
glance image-delete 7182dca4-f0f4-4176-a706-d8ca0598ef9f
glance image-delete 0f5f2bc5-94a4-4361-a17e-3fed96f07c4e
glance image-delete a01580c2-f264-4058-a366-30d726c2c496
glance image-delete 92a39f49-b6e5-4d32-9856-37bbdac6c285
glance image-delete c01a6464-8e2c-4edb-829e-6d123bc3c8f4
-bash-4.2# glance image-delete 8d73249e-c616-4481-8256-f634877eb5a2
-bash-4.2# glance image-delete 2ea3faef-530c-4679-9faf-b11c7e7889eb
-bash-4.2# glance image-delete 697efb18-72fe-4305-8e1d-18e0f1481bd6
-bash-4.2# glance image-delete 555811e2-f941-4cb5-bba2-6ed8751bf188
-bash-4.2# glance image-delete 7182dca4-f0f4-4176-a706-d8ca0598ef9f
-bash-4.2# glance image-delete 0f5f2bc5-94a4-4361-a17e-3fed96f07c4e
-bash-4.2# glance image-delete a01580c2-f264-4058-a366-30d726c2c496
-bash-4.2# glance image-delete 92a39f49-b6e5-4d32-9856-37bbdac6c285
-bash-4.2# glance image-delete c01a6464-8e2c-4edb-829e-6d123bc3c8f4
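The one-liner above relies on grep -v ID to drop the header, which still lets the table border lines through to xargs. As an added example, not code from the original post, the parser below accepts only rows whose ID is a well-formed UUID and lets you keep named images out of the delete list; the listing it runs on is constructed in the same layout as the glance image-list table shown earlier.

```python
import re

# Lower-case hex UUID as printed by glance image-list
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Constructed sample in the glance image-list table layout; the third row is
# deliberately malformed to show that it is ignored rather than passed on.
SAMPLE_LISTING = """\
+--------------------------------------+---------------------+
| ID                                   | Name                |
+--------------------------------------+---------------------+
| f58aaed4-fda7-41b3-a0c9-e99d6c956afd | centos7-x86_x64     |
| b4c7224b-0e0d-475c-880c-f48e1c0608b2 | cirros-0.3.4_x86_64 |
| not-a-uuid-at-all                    | broken row          |
+--------------------------------------+---------------------+
"""


def parse_image_list(text):
    """Return [(id, name)] for every data row whose ID is a well-formed UUID."""
    images = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # "+----+" border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] == "ID":
            continue  # header row
        if UUID_RE.match(cells[0]):
            images.append((cells[0], cells[1]))
    return images


def delete_commands(text, keep=()):
    """Build one `glance image-delete <id>` per image, skipping names in keep.
    Print these first, as the post does with echo, before running them."""
    return ["glance image-delete %s" % image_id
            for image_id, name in parse_image_list(text) if name not in keep]


if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE_LISTING, keep=("cirros-0.3.4_x86_64",)):
        print(cmd)
```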
So, after successfully exporting the image in the previous article, I wanted to download the VHD so I could use it on VirtualBox at home.
#!/bin/bash
# Username used to log in to the control panel
USERNAME='adambull'
# Find the API key in the 'account settings' part of the control panel menu
APIKEY='mycloudapikey'
# Cloud Files tenant: replace everything after the underscore with your account number,
# the number shown in the URL of the mycloud control panel, so it looks like MossoCloudFS_101110
TENANTID='MossoCloudFS_mytenantidgoeshereie1001111etc'

# This section simply retrieves the TOKEN
TOKEN=`curl https://identity.api.rackspacecloud.com/v2.0/tokens -X POST \
  -d '{ "auth":{"RAX-KSKEY:apiKeyCredentials": { "username":"'$USERNAME'", "apiKey": "'$APIKEY'" }} }' \
  -H "Content-type: application/json" | python -mjson.tool | grep -A5 token | grep id | cut -d '"' -f4`

# Download the exported VHD from the cloud files 'exports' container.
# -o takes the output filename; the first version of this script had "-o -i", which
# saved the whole VHD to a file literally named "-i".
VHD_FILENAME=5fb64bf2-afae-4277-b8fa-0b69bc98185a.vhd
curl -o "$VHD_FILENAME" "https://storage101.lon3.clouddrive.com/v1/$TENANTID/exports/$VHD_FILENAME" \
  -H "X-Auth-Token: $TOKEN"
Really, really easy.
Output looks like:
./download-image-id.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5143  100  5028  100   115   4470    102  0:00:01  0:00:01 --:--:--  4473
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  1 3757M    1 38.1M    0     0  7231k      0  0:08:52  0:00:05  0:08:47 7875k
So today, a customer wanted to know if there was a way to export a Rackspace Cloud Server image out of Rackspace to download it. Yes, this is possible and can be done using the Images API and Cloud Files. Here is a summary of the basic process:
Step 1: Make a container in Cloud Files to receive the export. You can do this thru the mycloud control panel by navigating to your cloud files and simply clicking create container; the script below names it 'exports', so use that exact name.
Step 2: Create a bash script that queries the API with the correct username, API key and image ID:
vim mybashscript.sh
#!/bin/bash
# Username used to log in to the control panel
USERNAME='mycloudusernamehere'
# Find the API key in the 'account settings' part of the control panel menu
APIKEY='mycloudapikeyhere'
# Set the image ID below to the image you want to copy to cloud files (see the control panel)
IMAGEID="5fb24bf2-afae-4277-b8fa-0b69bc98185a"

# This section simply retrieves the TOKEN
TOKEN=`curl https://identity.api.rackspacecloud.com/v2.0/tokens -X POST \
  -d '{ "auth":{"RAX-KSKEY:apiKeyCredentials": { "username":"'$USERNAME'", "apiKey": "'$APIKEY'" }} }' \
  -H "Content-type: application/json" | python -mjson.tool | grep -A5 token | grep id | cut -d '"' -f4`

# This section asks the Images API to copy the cloud server image uuid to the cloud files
# container called exports. The number in the URL is the account number.
curl https://lon.images.api.rackspacecloud.com/v2/10045567/tasks -X POST \
  -H "X-Auth-Token: $TOKEN" -H "Content-Type: application/json" \
  -d '{"type": "export", "input": {"image_uuid": "'"$IMAGEID"'", "receiving_swift_container": "exports"}}'
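Both this script and the download script above pull the token out with grep -A5 token | grep id | cut, which only works while json.tool happens to print the keys in that order. As an added example that is not part of either script, the Python below parses the identity v2.0 response properly, refuses a token that has already expired, validates the image ID before it goes into the task body, and builds the export request body and the Cloud Files download URL. The token response is constructed; the exports container, the MossoCloudFS_ tenant form and the storage101.lon3 hostname are the values the scripts on this page use.

```python
import json
import re
from datetime import datetime, timezone

# Lower-case hex UUID, the form the Images API uses for image ids
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Constructed sample in the identity v2.0 shape (access.token.{id,expires});
# the token value is made up, not a real credential.
SAMPLE_TOKEN_RESPONSE = json.dumps({"access": {
    "token": {"expires": "2099-01-01T00:00:00.000Z", "id": "constructedtoken0123",
              "tenant": {"id": "10045567", "name": "10045567"}},
    "user": {"id": "123", "name": "mycloudusernamehere"}}})
# Same response with an expiry in the past
SAMPLE_EXPIRED_RESPONSE = SAMPLE_TOKEN_RESPONSE.replace("2099-", "2000-")


def parse_token(body, now=None):
    """Return the token id from a v2.0 tokens response, independent of the
    order the keys are printed in, and refuse a token that has expired."""
    token = json.loads(body)["access"]["token"]
    expires = datetime.strptime(token["expires"], "%Y-%m-%dT%H:%M:%S.%fZ")
    expires = expires.replace(tzinfo=timezone.utc)
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("token expired at %s" % token["expires"])
    return token["id"]


def auth_headers(token):
    """Headers both scripts send: the token travels in X-Auth-Token, never in the URL."""
    return {"X-Auth-Token": token, "Content-Type": "application/json"}


def export_task_body(image_uuid, container="exports"):
    """Body for POST /v2/<account>/tasks, as sent by the export script."""
    if not UUID_RE.match(image_uuid):
        raise ValueError("image id is not a UUID: %r" % image_uuid)
    return json.dumps({"type": "export",
                       "input": {"image_uuid": image_uuid,
                                 "receiving_swift_container": container}})


def download_url(tenant_id, vhd_filename, container="exports",
                 host="storage101.lon3.clouddrive.com"):
    """Cloud Files URL of the exported VHD; tenant_id is the MossoCloudFS_...
    value and host the LON3 storage node, both taken from the download script."""
    if "/" in vhd_filename or not vhd_filename.endswith(".vhd"):
        raise ValueError("unexpected export filename: %r" % vhd_filename)
    return "https://%s/v1/%s/%s/%s" % (host, tenant_id, container, vhd_filename)


if __name__ == "__main__":
    token = parse_token(SAMPLE_TOKEN_RESPONSE)
    print(auth_headers(token))
    print(export_task_body("5fb24bf2-afae-4277-b8fa-0b69bc98185a"))
    print(download_url("MossoCloudFS_101110", "5fb64bf2-afae-4277-b8fa-0b69bc98185a.vhd"))
```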
It’s so simple I had to check myself that it was really this simple.
It is. yay! Next guide shows you how to download the image you made.
If you lose the password to your machine and aren't able to reset the password for your VM thru the mycloud control panel, then it's possible to do this manually by putting the server into rescue mode and chrooting. Here is how:
1. Put the server into rescue mode, noting the root password auto-generated for rescue mode.
2. Log in to the server via the web console or SSH.
3. Mount the ‘old’ original disk (usually partition xvdb1):
mount /dev/xvdb1 /mnt
4. Chroot to the ‘old’ original disk:
chroot /mnt
5. Change the root password:
passwd
6. Take the server out of rescue mode (done in the same way as putting it into rescue mode).
7. You should now be able to log in to the server using the new root password.
So, if you buy a server with, say, a 1.6Gbps connection as in this customer's case, you might want to test that you have the bandwidth you need, for instance to be resilient against small DoS and DDoS attacks in the sub-500mbit to 1000mbit range.
Here is how I did it (quick summary):
$ iperf -c somedestipiwanttospeedtest-censored -p 80 -P 2 -b 100m
WARNING: option -b implies udp testing
------------------------------------------------------------
Client connecting to somedestipiwanttospeedtest-censored, UDP port 80
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  4] local someipsrc port 53898 connected with somedestipiwanttospeedtest-censored port 80
[  3] local someipsrc port 50460 connected with somedestipiwanttospeedtest-censored port 80
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[  4] Sent 85471 datagrams
[  3]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[  3] Sent 85471 datagrams
[SUM]  0.0-10.0 sec   240 MBytes   201 Mbits/sec
[  3] WARNING: did not receive ack of last datagram after 10 tries.
[  4] WARNING: did not receive ack of last datagram after 10 tries.

$ iperf -c somedestipiwanttospeedtest-censored -p 80 -P 10 -b 100m
WARNING: option -b implies udp testing
------------------------------------------------------------
Client connecting to somedestipiwanttospeedtest-censored, UDP port 80
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[ 12] local someipsrc port 50725 connected with somedestipiwanttospeedtest-censored port 80
[  5] local someipsrc port 40410 connected with somedestipiwanttospeedtest-censored port 80
[  6] local someipsrc port 51075 connected with somedestipiwanttospeedtest-censored port 80
[  4] local someipsrc port 58020 connected with somedestipiwanttospeedtest-censored port 80
[  3] local someipsrc port 50056 connected with somedestipiwanttospeedtest-censored port 80
[  7] local someipsrc port 57017 connected with somedestipiwanttospeedtest-censored port 80
[  8] local someipsrc port 49473 connected with somedestipiwanttospeedtest-censored port 80
[  9] local someipsrc port 50491 connected with somedestipiwanttospeedtest-censored port 80
[ 10] local someipsrc port 40974 connected with somedestipiwanttospeedtest-censored port 80
[ 11] local someipsrc port 38348 connected with somedestipiwanttospeedtest-censored port 80
[ ID] Interval       Transfer     Bandwidth
[ 12]  0.0-10.0 sec   114 MBytes  95.7 Mbits/sec
[ 12] Sent 81355 datagrams
[  5]  0.0-10.0 sec   114 MBytes  95.8 Mbits/sec
[  5] Sent 81448 datagrams
[  6]  0.0-10.0 sec   114 MBytes  95.8 Mbits/sec
[  6] Sent 81482 datagrams
[  4]  0.0-10.0 sec   114 MBytes  95.7 Mbits/sec
[  4] Sent 81349 datagrams
[  3]  0.0-10.0 sec   114 MBytes  95.7 Mbits/sec
[  3] Sent 81398 datagrams
[  7]  0.0-10.0 sec   114 MBytes  95.8 Mbits/sec
[  7] Sent 81443 datagrams
[  8]  0.0-10.0 sec   114 MBytes  95.7 Mbits/sec
[  8] Sent 81408 datagrams
[  9]  0.0-10.0 sec   114 MBytes  95.8 Mbits/sec
[  9] Sent 81421 datagrams
[ 10]  0.0-10.0 sec   114 MBytes  95.7 Mbits/sec
[ 10] Sent 81404 datagrams
[ 11]  0.0-10.0 sec   114 MBytes  95.8 Mbits/sec
[ 11] Sent 81427 datagrams
[SUM]  0.0-10.0 sec  1.11 GBytes   957 Mbits/sec

It looks like you are getting the bandwidth you desire; when repeating the test with 20 connections I can see the bandwidth hits a total of 2.01Gbits/sec. Bear in mind that with -b these are UDP sender-side figures: the "did not receive ack of last datagram" warnings mean the server's report never came back, so the numbers show what the client pushed onto the wire, not what the destination actually received.

# iperf -c somedestipiwanttospeedtest-censored -p 80 -P 20 -b 100m
WARNING: option -b implies udp testing
------------------------------------------------------------
Client connecting to somedestipiwanttospeedtest-censored, UDP port 80
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[ 22] local someipsrc port 44231 connected with somedestipiwanttospeedtest-censored port 80
[  4] local someipsrc port 55259 connected with somedestipiwanttospeedtest-censored port 80
[  7] local someipsrc port 49519 connected with somedestipiwanttospeedtest-censored port 80
[  3] local someipsrc port 45301 connected with somedestipiwanttospeedtest-censored port 80
[  6] local someipsrc port 48654 connected with somedestipiwanttospeedtest-censored port 80
[  5] local someipsrc port 33666 connected with somedestipiwanttospeedtest-censored port 80
[  8] local someipsrc port 33963 connected with somedestipiwanttospeedtest-censored port 80
[  9] local someipsrc port 39593 connected with somedestipiwanttospeedtest-censored port 80
[ 10] local someipsrc port 36229 connected with somedestipiwanttospeedtest-censored port 80
[ 11] local someipsrc port 36331 connected with somedestipiwanttospeedtest-censored port 80
[ 14] local someipsrc port 54622 connected with somedestipiwanttospeedtest-censored port 80
[ 13] local someipsrc port 36159 connected with somedestipiwanttospeedtest-censored port 80
[ 12] local someipsrc port 53881 connected with somedestipiwanttospeedtest-censored port 80
[ 15] local someipsrc port 43221 connected with somedestipiwanttospeedtest-censored port 80
[ 16] local someipsrc port 60284 connected with somedestipiwanttospeedtest-censored port 80
[ 17] local someipsrc port 49735 connected with somedestipiwanttospeedtest-censored port 80
[ 18] local someipsrc port 43866 connected with somedestipiwanttospeedtest-censored port 80
[ 19] local someipsrc port 44631 connected with somedestipiwanttospeedtest-censored port 80
[ 20] local someipsrc port 56852 connected with somedestipiwanttospeedtest-censored port 80
[ 21] local someipsrc port 59338 connected with somedestipiwanttospeedtest-censored port 80
[ ID] Interval       Transfer     Bandwidth
[ 22]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 22] Sent 85471 datagrams
[  4]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[  4] Sent 85449 datagrams
[  7]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[  7] Sent 85448 datagrams
[  3]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[  3] Sent 85448 datagrams
[  6]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[  6] Sent 85449 datagrams
[  5]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[  5] Sent 85448 datagrams
[  8]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[  8] Sent 85453 datagrams
[  9]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[  9] Sent 85453 datagrams
[ 10]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 10] Sent 85454 datagrams
[ 11]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 11] Sent 85456 datagrams
[ 14]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 14] Sent 85457 datagrams
[ 13]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 13] Sent 85457 datagrams
[ 12]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 12] Sent 85457 datagrams
[ 15]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 15] Sent 85460 datagrams
[ 16]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 16] Sent 85461 datagrams
[ 17]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 17] Sent 85462 datagrams
[ 18]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 18] Sent 85464 datagrams
[ 19]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 19] Sent 85467 datagrams
[ 20]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 20] Sent 85467 datagrams
[ 21]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[ 21] Sent 85467 datagrams
[SUM]  0.0-10.0 sec  2.34 GBytes  2.01 Gbits/sec

The last test I did used 2 connections only, at 500mbit each:

# iperf -c somedestipiwanttospeedtest-censored -p 80 -P 2 -b 500m
WARNING: option -b implies udp testing
------------------------------------------------------------
Client connecting to somedestipiwanttospeedtest-censored, UDP port 80
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  4] local someipsrc port 60841 connected with somedestipiwanttospeedtest-censored port 80
[  3] local someipsrc port 51495 connected with somedestipiwanttospeedtest-censored port 80
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec   570 MBytes   479 Mbits/sec
[  4] Sent 406935 datagrams
[  3]  0.0-10.0 sec   570 MBytes   479 Mbits/sec
[  3] Sent 406933 datagrams
[SUM]  0.0-10.0 sec  1.11 GBytes   957 Mbits/sec
It's possible for the customer to do this thru the API, but it is without express warranty. It's not possible to resize performance servers thru the mycloud control panel, so to do it you will need to use the API with curl, or what I like to use, the supernova wrapper for nova (or nova itself). It's quite simple really;
The example below resizes a performance server to 4 gigs (this one was 2 gigs):
supernova customer resize --poll uuidgoeshere performance1-4
Disable offloading on a single interface (prompts for the interface name). The awk picks every feature ethtool -k reports as "offload: on", and the sed turns the long name into the short form that ethtool -K expects (tcp-segmentation-offload becomes tso, generic-receive-offload becomes gro, and so on):

# read -p "Interface: " iface; ethtool -k $iface | awk -F: '/offload: on$/{print$1}' | sed 's/^\(.\).*-\(.\).*-\(.\).*/\1\2\3/' | xargs --no-run-if-empty -n1 -I{} ethtool -K $iface {} off

Disable offloading for all interfaces:

# for iface in $(cd /sys/class/net; echo *); do ethtool -k $iface | awk -F: '/offload: on$/{print$1}' | sed 's/^\(.\).*-\(.\).*-\(.\).*/\1\2\3/' | xargs --no-run-if-empty -n1 -I{} ethtool -K $iface {} off; done
A big thank you to Daniel C. for this!