Eranachandran's profile - activity

2019-02-04 23:37:44 -0600 answered a question How to strictly enable SSL for all the API access URL's for openstack ?

Configuring Self-Signed Certificate for Keystone API Service endpoints

In /etc/apache2/sites-available/ the file keystone.conf will be available; this file is used to configure the Self-Signed Certificate for this endpoint. Add the client.pem and client-key.pem in <VirtualHost *:5000> and <VirtualHost *:35357>.

Now the Self-Signed Certificate configuration for the keystone service API endpoints is done. After this, change the keystone endpoint URL from http to https in the admin-openrc and demo-openrc files, change the endpoint URLs from http to https in the database (or recreate the endpoints with https URLs), populate the keystone database with the command su -s /bin/sh -c "keystone-manage db_sync" keystone, and restart the apache2 service. Check the service by issuing the command openstack token issue --insecure. Note: --insecure should be added to the commands to skip verification of the Self-Signed Certificate.

Configuring Self-Signed Certificate for Glance API Service endpoints

Update /etc/glance/glance-api.conf

    [DEFAULT]
    cert_file = /etc/ssl/client.pem
    key_file = /etc/ssl/client-key.pem

    [keystone_authtoken]
    auth_uri = https://controller:5000
    auth_url = https://controller:35357
    certfile = /etc/ssl/client.pem
    keyfile = /etc/ssl/client-key.pem
    insecure = true

Update /etc/glance/glance-registry.conf

    [DEFAULT]
    cert_file = /etc/ssl/client.pem
    key_file = /etc/ssl/client-key.pem

    [keystone_authtoken]
    auth_uri = https://controller:5000
    auth_url = https://controller:35357
    certfile = /etc/ssl/client.pem
    keyfile = /etc/ssl/client-key.pem
    insecure = true

After this, change the endpoint URLs from http to https in the database or recreate the endpoints with https URLs. Then populate the keystone database with the command su -s /bin/sh -c "keystone-manage db_sync" keystone and restart the glance-api and glance-registry services. Check this configuration by issuing the command openstack image list --insecure; after issuing this command the glance images will be listed.

I have written a blog on securing service API endpoints; view the blog at eranachandran.com

2019-01-28 05:35:52 -0600 commented answer How to configure a self signed certificate for Horizon Dashboard in Openstack ?

If this worked for you, accept an answer to avoid too many answers.

2019-01-28 00:06:12 -0600 answered a question How to configure a self signed certificate for Horizon Dashboard in Openstack ?

Enable SSL by typing this command: sudo a2enmod ssl

Enabling SSL requires that the apache2 service be restarted, so restart apache with this command: service apache2 restart

Create a directory for the Self-Signed certificate by using sudo mkdir /etc/ssl

Generate Self-Signed Certificate by using the below command

       sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/client.key -out /etc/ssl/client.crt

The above command generates the client.key file and the client.crt file.

Convert the generated files into pem format by using the following commands

         cat client.key > /etc/ssl/client-key.pem 

         cat client.crt > /etc/ssl/client-cert.pem

Combine the client-key.pem and client-cert.pem by using this command cat client-key.pem client-cert.pem > client.pem

The client-key.pem is the key file and the client.pem is the certificate file for the Self-signed certificate.

Configuring SSL in /etc/apache2/sites-available/default-ssl.conf

After making these changes, your server block should look similar to this:

    <IfModule mod_ssl.c>
        <VirtualHost _default_:443>
            ServerAdmin your_email@example.com
            ServerName server_domain_or_IP

            DocumentRoot /var/www/html

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            SSLEngine on

            SSLCertificateFile      /etc/ssl/client.pem
            SSLCertificateKeyFile   /etc/ssl/client-key.pem

            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
            </Directory>

            BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0

        </VirtualHost>
    </IfModule>
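The certificate generation and Apache settings above, together with the --insecure / insecure = true workaround in the Keystone and Glance answer further up, as an added shell example that is not the answerer's script: it generates the same kind of self-signed certificate (with a subjectAltName, which current clients require for hostname checks), keeps the private key in its own 0600 file instead of concatenating it into client.pem, and checks that the key matches the certificate and that the certificate verifies when used as a CA file, which is what lets a client trust it instead of skipping verification. It assumes openssl is installed; the hostname controller and the temporary output directory are placeholders.

```shell
#!/bin/sh
# Added example (not the answer's own commands): generate a self-signed cert,
# keep the key separate, and verify key/cert consistency and trust-anchor use.
# Assumptions: openssl is on PATH; "controller" is a placeholder hostname.
set -eu

make_selfsigned_cert() {
    dir="$1"   # output directory (a temp dir here instead of /etc/ssl)
    host="$2"  # hostname clients connect to; must appear in the SAN
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/client-key.pem" -out "$dir/client-cert.pem" 2>/dev/null
    chmod 600 "$dir/client-key.pem"   # the key is the secret; never mix it into the cert file
}

# Prints "ok" when the private key belongs to the certificate, "mismatch" otherwise.
check_key_matches_cert() {
    dir="$1"
    cert_pub=$(openssl x509 -in "$dir/client-cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/client-key.pem" -pubout 2>/dev/null)
    if [ "$cert_pub" = "$key_pub" ]; then echo ok; else echo mismatch; fi
}

# Prints "ok" if the cert verifies for $host with itself as the CA bundle,
# i.e. a client given this file as its CA file does not need --insecure.
check_cert_as_trust_anchor() {
    dir="$1"; host="$2"
    if openssl verify -CAfile "$dir/client-cert.pem" -verify_hostname "$host" \
            "$dir/client-cert.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Runs the whole flow in a temp dir and prints both results, e.g. "ok ok".
run_demo() {
    dir=$(mktemp -d)
    make_selfsigned_cert "$dir" controller
    r1=$(check_key_matches_cert "$dir")
    r2=$(check_cert_as_trust_anchor "$dir" controller)
    rm -rf "$dir"
    echo "$r1 $r2"
}
```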

2019-01-27 21:50:48 -0600 received badge  Notable Question (source)
2019-01-27 21:50:28 -0600 received badge  Notable Question (source)
2019-01-27 21:50:28 -0600 received badge  Popular Question (source)
2018-12-29 08:56:21 -0600 received badge  Nice Answer (source)
2018-12-28 03:16:42 -0600 answered a question what are the defaults roles in openstack and how to understand what a role can do

admin - The admin role is global, not per project, so granting a user the admin role in any project gives the user administrative rights across the whole environment. The member and reader roles are the default roles in OpenStack.

You can define actions for OpenStack service roles in the /etc/PROJECT/policy.json files. For example, define actions for Keystone service roles in the /etc/keystone/policy.json file.


You can manage projects, users, and roles independently from each other.

For all projects in OpenStack, you can define the policies by using the above-mentioned method.

2018-12-27 23:45:53 -0600 received badge  Popular Question (source)
2018-12-26 07:05:27 -0600 answered a question Is there any service impact (Compute and network services) inside the VM, if the nova and neutron services on the hypervisor are restarted? The VM is an existing VM which has booted successfully.

Restarting the compute and network services will not affect the running virtual machines on the hypervisor.

Boot, reboot and rebuild operations will be affected by a service restart.

2018-12-22 06:41:05 -0600 edited answer Change nova_cell0 from previous installation

If you changed your management IP:

i) You need to change the bind-ip in the MySQL configuration.

ii) If you created an endpoint like this using the management IP (http://10.10.236.2:8778), the endpoint should be changed, the keystone database should be synced and the apache service requires a restart.

iii) If you mentioned the management IP in the OpenStack services' configuration files, that should also be changed; the services require a restart and the databases also require a sync.

iv) If you enabled memcached in Horizon, the memcached.conf should be changed and the memcached service should be restarted.

In the nova API database there will be a host mapping table; you can manually map your hosts in that table.

2018-12-19 23:47:34 -0600 commented question unable to establish connection with glance registry

What about your glance log?

2018-12-17 05:45:37 -0600 asked a question keystone token flushing

Hi Techies,

I am using the OpenStack Mitaka version and I have done a multi-node installation. In my keystone database's token table, the expired tokens are not flushed. There are 10,000,00 tokens remaining in my token table. I know keystone-manage token_flush is used to flush the tokens.

My question is how to enable auto flushing for Keystone tokens?

If changing token provider from UUID to fernet, will it affect OpenStack environment's authentication?

2018-12-05 06:52:27 -0600 answered a question neutron warning No controller found for: floatingips

This will choose the web framework in which to run the Neutron API server. 'pecan' is a new rewrite of the API routing components.

Allowed values: legacy, pecan

web_framework = pecan

In neutron.conf, if you used pecan as the value for web_framework, change that value to legacy.

2018-12-05 03:40:55 -0600 answered a question How to upload files from windows base machine to instances ?

You can use PuTTYgen to convert keys to ppk format.

1) First you need to install PuTTYgen.

2) Then load the key file in PuTTYgen.

3) After this, convert the ssh key to ppk using PuTTYgen.

Now you have the ssh key in ppk format; now you can connect to the instance using WinSCP and upload files.

puttygen link: https://www.ssh.com/ssh/putty/windows...

2018-11-30 23:36:16 -0600 answered a question REST API to access volumeid

Here, https://developer.openstack.org/api-r..., the block storage API is available.

/v3/{project_id}/volumes/detail - (This API lists all Block Storage volumes, with details, that the project can access. Since v3.31, if non-admin users specify invalid filters in the URL, the API will return bad request.)

2018-11-28 05:26:54 -0600 answered a question cloudkitty deployment

CloudKitty is a Rating As A Service project aimed at translating metrics to prices.

https://docs.openstack.org/cloudkitty...

2018-11-27 23:46:45 -0600 received badge  Civic Duty (source)
2018-11-27 05:35:19 -0600 answered a question OpenStack NAT Logs

The Neutron Packet Logging Framework may do this.

Packet logging service is designed as a Neutron plug-in that captures network packets for relevant resources (e.g. security group or firewall group) when the registered events occur.

refer to: https://docs.openstack.org/neutron/ro...

2018-11-27 05:28:39 -0600 answered a question How to Upgrage openstack kilo to rocky

Planning an OpenStack upgrade

The following points will help you plan for a successful OpenStack upgrade:

Identify any potential incompatibilities between releases by reading the OpenStack release notes.

Decide on the appropriate method for the upgrade.

Ensure that you are able to roll back if the upgrade fails.

Ensure that your data is backed up, including configuration files and databases.

Based on SLAs for your services, determine the acceptable downtime and inform users about the downtime in advance.

Use a test environment to verify that the selected upgrade method will work for your production environment.

Prerequisites

Before you upgrade, clean the environment to ensure a consistent state. For example, if some instances are not fully purged from the system after deletion, unexpected behavior might occur.

For environments using the OpenStack Networking service (neutron), verify the release version of the database.

Taking a Backup

Take a backup of the current configurations and database. Save the configuration files on all nodes.

Upgrading OpenStack

Sequence for upgrading services

The sequence for upgrading the OpenStack services is important as upgrading services in wrong order can break the cloud easily. The following order is recommended:

Upgrade database
Upgrade RabbitMQ
Upgrade Memcached
Upgrade OpenStack Identity service (Keystone)
Upgrade the OpenStack image service (Glance)
Upgrade OpenStack compute (Nova)
Upgrade OpenStack networking (Neutron)
Upgrade the OpenStack dashboard (Horizon)
Upgrade the OpenStack orchestration (Heat)

refer to: https://developer.ibm.com/in/2017/11/27/

refer to: https://docs.openstack.org/tripleo-do...

2018-11-27 03:33:19 -0600 commented question openstack server list ERROR STATUS

What about the nova logs?

Is your scenario that the instance works fine, but the instance's status details show an error?

2018-11-27 01:37:24 -0600 answered a question Problem with spice Console

Check the rabbit-mq status and the rabbit-mq logs. Check the rabbit-mq credentials in the nova configuration file. Sometimes restarting rabbit-mq will fix the problem; restart rabbit-mq with service rabbitmq-server restart.

Create another rabbit-mq user, change the rabbit-mq credentials in the config files and try:

    rabbitmqctl add_user openstack RABBIT_PASS

    rabbitmqctl set_permissions openstack ".*" ".*" ".*"

Check the transport_url in the nova config file.

2018-11-27 01:18:59 -0600 answered a question Instance launch error.
1. Check that the core services are running by typing the command "netstat -an | grep LISTENING". On the controller node it should contain the listening ports 8778 (placement API service), 8774 (compute service), 9292 (image service), 9696 (network), 5000 (identity service), 5672 (rabbitmq server), 11211 (memcache server), 35357 (identity service).

2. Confirm that you have enough resources to allocate your instance; if enough resources are available, then the issue comes from networking (neutron) and not from Nova itself (trace the neutron logs for "PortBindingFailed").

3. Check whether your host's hardware supports virtualization by issuing "virt-host-validate"; if it fails, change virt_type to qemu.
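Step 1 above as an added shell example, not part of the original answer: it checks the controller's listening ports against the list given there using ss -ltn output (the Linux equivalent of the netstat check), with a constructed sample embedded so it runs offline; the port-to-service mapping is the one stated in the answer.

```shell
#!/bin/sh
# Added example (not the answer's own commands): report which OpenStack
# controller ports from the answer have no listener, from `ss -ltn` output.
# Assumption: ports map to services exactly as the answer lists them.

EXPECTED_PORTS="5000:keystone 5672:rabbitmq 8774:nova-api 8778:placement \
9292:glance-api 9696:neutron-server 11211:memcached 35357:keystone-admin"

# Constructed sample of `ss -ltn` output: placement (8778) and memcached (11211)
# are deliberately missing so the check has something to report.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:5000       0.0.0.0:*
LISTEN 0      128          0.0.0.0:5672       0.0.0.0:*
LISTEN 0      128          0.0.0.0:8774       0.0.0.0:*
LISTEN 0      128          0.0.0.0:9292       0.0.0.0:*
LISTEN 0      128          0.0.0.0:9696       0.0.0.0:*
LISTEN 0      128          0.0.0.0:35357      0.0.0.0:*'

# Prints "service:port", one per line, for each expected port that has no
# LISTEN line in the ss output passed as $1; prints nothing when all are up.
missing_listeners() {
    ss_output="$1"
    for entry in $EXPECTED_PORTS; do
        port=${entry%%:*}
        name=${entry#*:}
        # field 4 is "Local Address:Port"; match a LISTEN row ending in ":<port>"
        if ! printf '%s\n' "$ss_output" | awk -v p="$port" \
              '$1=="LISTEN" && $4 ~ (":" p "$") {found=1} END {exit !found}'; then
            echo "$name:$port"
        fi
    done
}

# Live check on a controller (Linux): missing_listeners "$(ss -ltn)"
missing_listeners "$SAMPLE_SS_OUTPUT"
```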

2018-11-27 00:24:05 -0600 commented question openstack server list ERROR STATUS

Is it showing the correct status in the dashboard?

2018-11-27 00:06:58 -0600 answered a question collect up and down time for deployed openstack resources

You can use CloudKitty.

CloudKitty proposes the following ways to interact with it:

Horizon
API
Python binding

refer to https://wiki.openstack.org/wiki/Cloud...

The Ceilometer project is a data collection service that provides the ability to normalize and transform data across all current OpenStack core components with work underway to support future OpenStack components.

refer to https://docs.openstack.org/ceilometer...

2018-11-26 23:59:22 -0600 answered a question how to install rpm from coltroller to an instance

You can install an rpm from the controller on an instance by including a shell script within the heat template, like the one below.

   resources:
      the_server:
        type: OS::Nova::Server
        properties:
          # flavor, image etc
          user_data: |
            #!/bin/bash
            echo "Running boot script"
            # ..

For more information about this, refer to this link https://docs.openstack.org/heat/lates...

2018-11-26 11:00:45 -0600 edited answer What is the best OpenStack tool/report to see our instance and host CPU, RAM, utilization?

You can use the Zabbix monitoring tool. It is not an OpenStack tool, but it is used to monitor your instances and you can also trigger a mail alert. Zabbix is an open source monitoring software tool for diverse IT components, including networks, servers, virtual machines (VMs) and cloud services. Zabbix provides monitoring metrics, such as network utilization, CPU load, and disk space consumption. The software monitors operations on Linux, Hewlett Packard Unix (HP-UX), Mac OS X, Solaris and other operating systems (OSes); however, Windows monitoring is only possible through agents.

Features of Zabbix: send messages, let Zabbix fix issues automatically, escalate problems according to flexible user-defined service levels, customize messages based on the recipient's role, customize messages with runtime and inventory information.

For Ubuntu, follow this link for Zabbix configuration and adding a new host to the Zabbix server: https://www.digitalocean.com/communit...

Configure mail alerts on the Zabbix server: https://www.oodlestechnologies.com/bl...

Zabbix documentation: https://www.zabbix.com/documentation/...

2018-11-25 05:00:25 -0600 edited answer Heat vs Ansible Questions

Basically, OpenStack Heat and Ansible were created to do different things. Heat is developed to detect details related to infrastructure and complete provisioning of that infrastructure on OpenStack.

Heat provides a way to define compute, storage, network, and other infrastructure-related resources. This includes the interrelationships between infrastructure resources, such as associating floating IPs with compute resources or binding a compute resource to a specific network. This includes assigning key pairs for authentication and naming resources. The result of a Heat template is a collection of one or more infrastructure resources based on existing images. The software integrates other components of OpenStack. The templates allow the creation of most OpenStack resource types (such as instances, floating IPs, volumes, security groups, users, etc.), as well as some more advanced functionality such as instance high availability, instance autoscaling, and nested stacks. Heat primarily manages infrastructure, but the templates integrate well with software configuration management tools such as Puppet and Ansible.

Ansible is developed to configure the infrastructure after provisioning. This includes activities like installing libraries and setting up a specific runtime environment. Ansible also supports provisioning.

So we can use both Ansible and Heat; both are created for different purposes.

ref: https://software.danielwatrous.com/he...

https://docs.openstack.org/heat/latest/

The Heat Engine now supports only Resource Plugin modules, which allows operators of OpenStack clouds to provide custom Resource handlers to their users.

ref: https://wiki.openstack.org/wiki/Heat/...