
Tuesday, April 22, 2014

Adding ESXI to Nagios

# yum install perl-Pod-Perldoc perl-CPAN openssl-devel
# wget http://dl.fedoraproject.org/pub/epel/6/i386/perl-Nagios-Plugin-0.35-1.el6.noarch.rpm
# wget http://mirror.centos.org/centos/6/os/i386/Packages/perl-Config-Tiny-2.12-7.1.el6.noarch.rpm
# wget http://mirror.centos.org/centos/6/os/i386/Packages/perl-Params-Validate-0.92-3.el6.i686.rpm
# rpm -ivh perl-Nagios-Plugin-0.35-1.el6.noarch.rpm perl-Config-Tiny-2.12-7.1.el6.noarch.rpm perl-Params-Validate-0.92-3.el6.i686.rpm
These are the 32-bit builds; on an x86_64 host fetch perl-Params-Validate from the x86_64 tree instead (the other two are noarch). Then download the vSphere Perl SDK from VMware (it sits behind a VMware login, so wget cannot fetch it) and run its installer:
# cd /root
# tar xvzf VMware-vSphere-Perl-SDK-4.1.0-254719.i386.tar.gz
# cd vmware-vsphere-cli-distrib/
# ./vmware-install.pl

# cd /usr/lib/nagios/plugins/
Download check_esx3.pl into this directory and make it executable. The directory has to be the one $USER1$ points to in resource.cfg (for a source install of Nagios that is usually /usr/local/nagios/libexec, matching the /usr/local/nagios paths used below); adjust either the directory or the macro so that they agree.
http://exchange.nagios.org/components/com_mtree/attachment.php?link_id=2154&cf_id=29
# chmod +x check_esx3.pl


vim /usr/local/nagios/etc/objects/vmware.cfg
First define all your hosts as shown below. They inherit from a host template named vmware-server, which this page does not define: either add a template with that name to templates.cfg (a host definition with a name directive and register 0) or point use at the stock linux-server template. Replace "IP Address" with the management address of each ESXi host.

# Host esxi01
define host{
use vmware-server
host_name esxi01
alias VMWare ESXi 01
address IP Address
}
define host{
use vmware-server
host_name esxi02
alias VMWare ESXi 02
address IP Address
}
# Similarly you can define all the hosts

# Now define a hostgroup for your Esxi Hosts:

define hostgroup{
hostgroup_name Esxi-Servers ; The name of the hostgroup
alias Vmware Servers ; Long name of the group
members esxi01,esxi02
}

# Now create the service definitions as shown below. They are bound to esxi01; repeat them for each host, or replace host_name with hostgroup_name Esxi-Servers to apply each check to every member of the group.
# check cpu
define service{
use generic-service
host_name esxi01
service_description ESXi CPU Load
check_command check_esx_cpu!80!90
}

# check memory usage
define service{
use generic-service
host_name esxi01
service_description ESXi Memory usage
check_command check_esx_mem!80!90
}

# check net
define service{
use generic-service
host_name esxi01
service_description ESXi Network usage
check_command check_esx_net!102400!204800
}

# check runtime status
define service{
use generic-service
host_name esxi01
service_description ESXi Runtime status
check_command check_esx_runtime
}

# check io read
define service{
use generic-service
host_name esxi01
service_description ESXi IO read
check_command check_esx_ioread!40!90
}

# check io write
define service{
use generic-service
host_name esxi01
service_description ESXi IO write
check_command check_esx_iowrite!40!90
}

Define the commands related to ESXi in the /usr/local/nagios/etc/objects/commands.cfg file. They take the ESXi login from the $USER11$ and $USER12$ macros, so set those in /usr/local/nagios/etc/resource.cfg and keep that file readable by the nagios user only (mode 600) instead of writing credentials into the object files. Use a dedicated read-only ESXi or vCenter account for monitoring, not root, and remember that $USER1$ must be the directory the plugin was copied to.

vim /usr/local/nagios/etc/objects/commands.cfg
# check vmware esxi machine (the plugin file is check_esx3.pl, so that is what the commands call)
# check cpu
define command{
command_name check_esx_cpu
command_line $USER1$/check_esx3.pl -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l cpu -s usage -w $ARG1$ -c $ARG2$
}

# check memory usage
define command{
command_name check_esx_mem
command_line $USER1$/check_esx3.pl -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l mem -s usage -w $ARG1$ -c $ARG2$
}

# check net usage
define command{
command_name check_esx_net
command_line $USER1$/check_esx3.pl -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l net -s usage -w $ARG1$ -c $ARG2$
}

# check runtime status
define command{
command_name check_esx_runtime
command_line $USER1$/check_esx3.pl -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l runtime -s status
}

# check io read
define command{
command_name check_esx_ioread
command_line $USER1$/check_esx3.pl -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l io -s read -w $ARG1$ -c $ARG2$
}

# check io write
define command{
command_name check_esx_iowrite
command_line $USER1$/check_esx3.pl -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l io -s write -w $ARG1$ -c $ARG2$
}

Adding the configuration to Nagios

vim /usr/local/nagios/etc/nagios.cfg
cfg_file=/usr/local/nagios/etc/objects/vmware.cfg

Validate before reloading: /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg reports undefined templates, hosts and commands, and only once it passes restart Nagios.
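The object files above are easy to get subtly wrong (a template that nothing defines, a hostgroup member that is not a host, a command whose $USERn$ macros were never put in resource.cfg), and Nagios only tells you when it validates the whole configuration. The following Python script is an added example, not code from the original post or from Nagios: it parses define blocks written in the same style and cross-checks the references offline. The configuration text inside it is constructed; known_templates and defined_macros are inputs you fill from your own templates.cfg and resource.cfg.

```python
"""Offline cross-check of Nagios object definitions.

Added example, not code from the original post or from Nagios. Parses
`define <type>{ ... }` blocks as written in vmware.cfg / commands.cfg and
reports dangling references: a `use` of an undefined template, a service
bound to an unknown host, a hostgroup member that is not a host, a
check_command no command defines, and a $USERn$ macro resource.cfg does
not set. SAMPLE_CONFIG is constructed; vmware-server and $USER11$/$USER12$
are the names the post relies on.
"""
import re

BLOCK_RE = re.compile(r"define\s+(\w+)\s*\{(.*?)\}", re.S)
USER_MACRO_RE = re.compile(r"\$(USER\d+)\$")


def parse_objects(text):
    """Return [(object_type, {directive: value})] for every define block."""
    objects = []
    for obj_type, body in BLOCK_RE.findall(text):
        attrs = {}
        for raw in body.splitlines():
            line = raw.split(";", 1)[0].strip()      # ';' starts a trailing comment
            if not line:
                continue
            parts = line.split(None, 1)
            attrs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        objects.append((obj_type, attrs))
    return objects


def audit(text, known_templates=(), defined_macros=()):
    """Return a list of findings; an empty list means every reference resolves."""
    objects = parse_objects(text)
    by_type = {}
    for obj_type, attrs in objects:
        by_type.setdefault(obj_type, []).append(attrs)

    templates = set(known_templates) | {a["name"] for _, a in objects if "name" in a}
    hosts = {a["host_name"] for a in by_type.get("host", []) if "host_name" in a}
    commands = {a["command_name"] for a in by_type.get("command", []) if "command_name" in a}
    findings = []

    for obj_type, attrs in objects:                  # every object may inherit via `use`
        parent = attrs.get("use")
        if parent and parent not in templates:
            label = attrs.get("host_name") or attrs.get("service_description") or "?"
            findings.append("%s '%s' uses undefined template '%s'" % (obj_type, label, parent))

    for svc in by_type.get("service", []):
        desc = svc.get("service_description", "?")
        for host in filter(None, (h.strip() for h in svc.get("host_name", "").split(","))):
            if host not in hosts:
                findings.append("service '%s' references unknown host '%s'" % (desc, host))
        cmd = svc.get("check_command", "").split("!", 1)[0]   # strip the !arg!arg part
        if cmd and cmd not in commands:
            findings.append("service '%s' calls undefined command '%s'" % (desc, cmd))

    for grp in by_type.get("hostgroup", []):
        for member in filter(None, (m.strip() for m in grp.get("members", "").split(","))):
            if member not in hosts:
                findings.append("hostgroup '%s' lists unknown host '%s'"
                                % (grp.get("hostgroup_name", "?"), member))

    for cmd in by_type.get("command", []):
        for macro in sorted(set(USER_MACRO_RE.findall(cmd.get("command_line", "")))):
            if macro not in defined_macros:
                findings.append("command '%s' uses $%s$, which resource.cfg does not define"
                                % (cmd.get("command_name", "?"), macro))
    return findings


# Constructed sample in the shape of the vmware.cfg / commands.cfg fragments above.
SAMPLE_CONFIG = """
define host{
use vmware-server
host_name esxi01
address 192.0.2.11
}
define hostgroup{
hostgroup_name Esxi-Servers ; The name of the hostgroup
members esxi01,esxi02
}
define service{
use generic-service
host_name esxi01
service_description ESXi CPU Load
check_command check_esx_cpu!80!90
}
define service{
use generic-service
host_name esxi01
service_description ESXi Runtime status
check_command check_esx_runtime
}
define command{
command_name check_esx_cpu
command_line $USER1$/check_esx3.pl -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l cpu -s usage -w $ARG1$ -c $ARG2$
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, known_templates={"generic-service"}, defined_macros={"USER1"}):
        print(finding)
```

Run against the real files by concatenating vmware.cfg and commands.cfg into one string; the stock templates live in templates.cfg, so pass their names in known_templates, and pass every $USERn$ set in resource.cfg in defined_macros.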

Tuesday, April 15, 2014

Openssl-heartbleed-fix

Downloading and building OpenSSL 1.0.1g, the first release with the fix for the Heartbleed bug (CVE-2014-0160). Verify the tarball against the signature or hash published on openssl.org before building it, and do not install if make test fails.

cd /usr/src
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -zxf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config shared
make
make test
make install
cd /usr/src
rm -rf openssl-1.0.1g.tar.gz
rm -rf openssl-1.0.1g

With the default prefix this installs under /usr/local/ssl and leaves the distribution's libssl untouched, so Apache, sshd and everything else linked against the system library is still vulnerable. To overwrite the system OpenSSL instead, use the following config mode:

./config --prefix=/usr --openssldir=/usr/local/openssl shared

Two caveats. Overwriting files owned by the openssl RPM is fragile (the next yum update puts the packaged files back), so on RHEL/CentOS the patched vendor package (yum update openssl) is the cleaner fix; its version string stays 1.0.1e because the fix is backported, so check the package changelog rather than the banner. Whichever route you take, every process that loaded the old library keeps using it until it is restarted, so restart the affected services, and treat any private key that was served by a vulnerable instance as compromised: reissue certificates and rotate keys and session secrets.
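Two checks worth running after either install route, as an added example in Python (not code from the original post or from OpenSSL): triage of an openssl version banner against the affected release range, and a scan of /proc/<pid>/maps for processes still holding the old libssl/libcrypto in memory, which is the case for every daemon not restarted since the upgrade. The maps excerpt in the script is constructed.

```python
"""Post-upgrade checks after rebuilding OpenSSL for Heartbleed (CVE-2014-0160).

Added example, not code from the original post or from the OpenSSL project.
  1. heartbleed_affected(): does a version banner fall in the affected range
     (1.0.1 through 1.0.1f, plus 1.0.2-beta1)? Vendor packages backport the
     fix without bumping the version, so for an RPM this is only a triage
     signal; `rpm -q --changelog openssl | grep CVE-2014-0160` is the answer.
  2. stale_crypto_libs(): a shared library overwritten on disk stays mapped
     until the process restarts, and /proc/<pid>/maps shows it as "(deleted)".
SAMPLE_MAPS is a constructed excerpt for an httpd that was not restarted.
"""
import os
import re

VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(?:-(beta\d+))?")
# A mapped file whose path names libssl/libcrypto and which the kernel flags as deleted.
STALE_RE = re.compile(r"\s(\S*lib(?:ssl|crypto)\S*)\s+\(deleted\)\s*$")


def parse_openssl_version(banner):
    """'OpenSSL 1.0.1e-fips 11 Feb 2013' -> ('1.0.1', 'e', None)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return m.group(1), m.group(2), m.group(3)


def heartbleed_affected(banner):
    """True if the upstream release named in the banner shipped the bug."""
    base, letters, beta = parse_openssl_version(banner)
    if base == "1.0.1":
        return letters <= "f"       # 1.0.1 and 1.0.1a-f affected, 1.0.1g fixed it
    if base == "1.0.2":
        return beta == "beta1"
    return False


def stale_crypto_libs(maps_text):
    """Deleted libssl/libcrypto paths still mapped, from /proc/<pid>/maps text."""
    return {m.group(1) for m in map(STALE_RE.search, maps_text.splitlines()) if m}


def scan_running_processes(proc="/proc"):
    """Map pid -> stale crypto libraries for every process whose maps we can read."""
    result = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as fh:
                stale = stale_crypto_libs(fh.read())
        except (IOError, OSError):      # no permission, or the process exited
            continue
        if stale:
            result[int(entry)] = stale
    return result


SAMPLE_MAPS = """\
00400000-004f6000 r-xp 00000000 08:01 655361  /usr/sbin/httpd
7f1c2a000000-7f1c2a05a000 r-xp 00000000 08:01 131075  /usr/lib64/libssl.so.1.0.1e (deleted)
7f1c2a260000-7f1c2a41e000 r-xp 00000000 08:01 131076  /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f1c2a800000-7f1c2a9b2000 r-xp 00000000 08:01 131090  /lib64/libc-2.12.so
"""

if __name__ == "__main__":
    for pid, libs in sorted(scan_running_processes().items()):
        print("%d still maps %s" % (pid, ", ".join(sorted(libs))))
```

Run the live scan as root (other users' maps files are not readable); every pid it lists needs a restart before the upgrade is effective for that service.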


Sunday, April 13, 2014

Ubuntu - DNS - setting it to static or dynamic

In the static case the nameservers go into /etc/network/interfaces together with the interface, because on Ubuntu 12.04 and later resolvconf regenerates /etc/resolv.conf and overwrites anything written there by hand:

cat /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback


# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.58
netmask 255.255.255.0
gateway 192.168.1.1
network 192.168.1.0
broadcast 192.168.1.255
dns-nameservers 66.212.63.228 66.212.48.10

Setting it to dhcp (the lease then supplies address, gateway and nameservers, so the address, gateway and dns-nameservers lines are dropped):

iface eth0 inet dhcp


Friday, April 11, 2014

Mod-Security Installing Along with - Open Source Rules

Installing ModSecurity.

## For RHEL/CentOS 6.2/6.1/6/5.8 ##

Installing the needed packages

yum install gcc make
yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel

Installing Mod-Security

cd /usr/src
wget http://www.modsecurity.org/download/modsecurity-apache_2.6.6.tar.gz
tar xzf modsecurity-apache_2.6.6.tar.gz
cd modsecurity-apache_2.6.6
./configure
make
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

Adding the Mod-security module to Apache (mod_unique_id is required as well, because the audit log keys every transaction on UNIQUE_ID)

# vi /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

Check that the module loads before touching the rule configuration:

[root@54 modsecurity-apache_2.6.6]# httpd -t -D DUMP_MODULES |grep sec
security2_module (shared)
Syntax OK
[root@54 modsecurity-apache_2.6.6]#

Then pull the ModSecurity configuration in from httpd.conf, guarded so Apache still starts if the module is ever disabled:

<IfModule security2_module>
Include conf.d/modsecurity.conf
</IfModule>


Adding new Mod-Security rules

OWASP core rule set

wget http://pkgs.fedoraproject.org/repo/pkgs/mod_security_crs/modsecurity-crs_2.2.5.tar.gz/aaeaa1124e8efc39eeb064fb47cfc0aa/modsecurity-crs_2.2.5.tar.gz
tar zxvf modsecurity-crs_2.2.5.tar.gz
mv modsecurity-crs_2.2.5 modsecurity-crs

mv modsecurity-crs /etc/httpd/conf.d/

Adding the rules to httpd

The CRS 2.2.x rules rely on the variables set in modsecurity_crs_10_setup.conf (shipped in the tarball as modsecurity_crs_10_setup.conf.example; copy it without the suffix), so include it before any rule file. activated_rules/ is empty in the tarball and is meant to hold symlinks to the rule files you select from the other three directories. Including both the symlinks and the directories loads each rule id twice and Apache refuses to start with "Found another rule with the same id", so once you start populating activated_rules drop the three directory includes.

<IfModule security2_module>
Include conf.d/modsecurity.conf
Include conf.d/modsecurity-crs/modsecurity_crs_10_setup.conf
Include conf.d/modsecurity-crs/activated_rules/*.conf
Include conf.d/modsecurity-crs/base_rules/*.conf
Include conf.d/modsecurity-crs/optional_rules/*.conf
Include conf.d/modsecurity-crs/slr_rules/*.conf
</IfModule>
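Because the Include block above pulls in activated_rules/ as well as the three rule directories, it is worth knowing before a restart whether any rule id is about to be loaded twice. The following script is an added example, not code from the original post, from ModSecurity or from the CRS: it expands Include globs the way Apache does (relative to ServerRoot, recursing into included files, following symlinks as separate files) and reports ids defined in more than one place. The temporary configuration tree it builds is constructed, and 950117 is used only as an illustrative id.

```python
"""Find rule ids that an httpd.conf Include chain would load twice.

Added example, not code from the original post, ModSecurity or the CRS.
build_sample_tree() constructs a ServerRoot with base_rules/ plus an
activated_rules/ symlink to the same file, so one id is included twice,
which is what makes Apache fail with "Found another rule with the same id".
"""
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*Sec(?:Rule|Action)\b")
ID_RE = re.compile(r"\bid:'?(\d+)'?")


def logical_lines(path):
    """Yield (first_line_no, text) with backslash line continuations folded."""
    buf, start = [], 0
    with open(path) as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not buf:
                start = no
            if line.endswith("\\"):
                buf.append(line[:-1])
                continue
            buf.append(line)
            yield start, " ".join(buf)
            buf = []
    if buf:                                   # file ended on a continuation
        yield start, " ".join(buf)


def resolve_includes(conf_path, server_root, seen=None):
    """Ordered list of files pulled in by Include directives, recursively."""
    seen = [] if seen is None else seen
    for _, line in logical_lines(conf_path):
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        pattern = m.group(1)
        if not os.path.isabs(pattern):        # Apache resolves relative paths from ServerRoot
            pattern = os.path.join(server_root, pattern)
        for path in sorted(glob.glob(pattern)):
            if path not in seen:
                seen.append(path)
                resolve_includes(path, server_root, seen)
    return seen


def rule_locations(files):
    """Map rule id -> [(file, line)] for every SecRule/SecAction carrying an id."""
    where = {}
    for path in files:
        for no, line in logical_lines(path):
            m = ID_RE.search(line) if RULE_RE.match(line) else None
            if m:
                where.setdefault(m.group(1), []).append((path, no))
    return where


def duplicate_ids(conf_path, server_root):
    """Rule ids that this configuration would load more than once."""
    where = rule_locations(resolve_includes(conf_path, server_root))
    return {rid: locs for rid, locs in where.items() if len(locs) > 1}


def build_sample_tree():
    """Constructed ServerRoot mirroring the Include block above; returns its path."""
    root = tempfile.mkdtemp()
    crs = os.path.join(root, "conf.d", "modsecurity-crs")
    os.makedirs(os.path.join(crs, "base_rules"))
    os.makedirs(os.path.join(crs, "activated_rules"))
    base = os.path.join(crs, "base_rules", "modsecurity_crs_40_generic_attacks.conf")
    with open(base, "w") as fh:               # illustrative rule text, not the real CRS rule
        fh.write('SecRule ARGS "@rx ^(?:https?|ftp)://" \\\n'
                 '    "phase:2,deny,log,id:950117,msg:\'Remote File Inclusion\'"\n')
    os.symlink(base, os.path.join(crs, "activated_rules", "modsecurity_crs_40_generic_attacks.conf"))
    with open(os.path.join(root, "conf.d", "modsecurity.conf"), "w") as fh:
        fh.write('SecRuleEngine DetectionOnly\nSecAction "phase:1,pass,nolog,id:900001"\n')
    with open(os.path.join(root, "httpd.conf"), "w") as fh:
        fh.write("Include conf.d/modsecurity.conf\n"
                 "Include conf.d/modsecurity-crs/activated_rules/*.conf\n"
                 "Include conf.d/modsecurity-crs/base_rules/*.conf\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rid, locs in sorted(duplicate_ids(root + "/httpd.conf", root).items()):
        print("id %s defined %d times: %s" % (rid, len(locs), ", ".join("%s:%d" % l for l in locs)))
```

Against a real server call duplicate_ids("/etc/httpd/conf/httpd.conf", "/etc/httpd"); the paths it prints are the two files to choose between.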

The current CRS can be fetched from GitHub:
sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

ModSecurity now runs in detection mode: rules are evaluated and matches are written to the audit log, but nothing is blocked. Leave it there while you review the log for false positives against your own applications, then switch to blocking mode.

[root@54 conf]# cat /etc/httpd/conf.d/modsecurity.conf |grep SecRuleEngine -i
SecRuleEngine DetectionOnly
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
[root@54 conf]#

Change to

SecRuleEngine On

then run httpd -t and restart Apache.


Thursday, April 10, 2014

Setting MySQL into read-only mode

Put the whole server into read-only mode with these commands, from the MySQL prompt as an account that holds the SUPER privilege:

FLUSH TABLES WITH READ LOCK;
SET GLOBAL read_only = 1;

and back to normal mode with:
SET GLOBAL read_only = 0;
UNLOCK TABLES;

Two things to keep in mind: the read lock taken by FLUSH TABLES WITH READ LOCK belongs to the session that issued it and is released as soon as that session disconnects, whereas read_only is a global setting that stays until it is reset or the server restarts; and read_only does not restrict accounts with the SUPER privilege, so application accounts must not hold SUPER if this is meant to stop writes.

Thursday, February 27, 2014

OpenStack Installation And Configuring

The OpenStack project is an open source cloud computing platform for all types of clouds, which aims to be simple to implement, massively scalable, and feature rich. Developers and cloud computing technologists from around the world create the OpenStack project.

OpenStack provides an Infrastructure as a Service (IaaS) solution through a set of interrelated services. Each service offers an application programming interface (API) through which the other services integrate with it. Depending on your needs, you can install some or all services.

Dashboard         ---Horizon
Compute           ---Nova
Networking       ---Neutron
Object Storage  ---Swift
Block Storage   ---Cinder
Identity Service---Keystone
Image Service   ---Glance
Telemetry         ---Ceilometer
Orchestration   ---Heat

Dashboard : Horizon Provides a web-based self-service portal to interact with underlying OpenStack services, such as launching an instance, assigning IP addresses and configuring access controls.

Compute : Nova Manages the lifecycle of compute instances in an OpenStack environment. Responsibilities include spawning, scheduling and decommissioning of machines on demand.

Networking : Neutron Enables network connectivity as a service for other OpenStack services, such as OpenStack Compute. Provides an API for users to define networks and the attachments into them. Has a pluggable architecture that supports many popular networking vendors and technologies.

Storage

Object Storage : Swift Stores and retrieves arbitrary unstructured data objects via a RESTful, HTTP based API. It is highly fault tolerant with its data replication and scale out architecture. Its implementation is not like a file server with mountable directories.

Block Storage : Cinder Provides persistent block storage to running instances. Its pluggable driver architecture facilitates the creation and management of block storage devices.
Shared services

Identity Service : Keystone Provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.

Image Service : Glance Stores and retrieves virtual machine disk images. OpenStack Compute makes use of this during instance provisioning.

Telemetry : Ceilometer Monitors and meters the OpenStack cloud for billing, benchmarking, scalability, and statistical purposes.

Higher-level services

Orchestration : Heat Orchestrates multiple composite cloud applications by using either the native HOT template format or the AWS CloudFormation template format, through both an OpenStack-native REST API and a CloudFormation-compatible Query API.



Run a 64-bit OS on the compute node; otherwise you will not be able to create VMs that run a 64-bit OS.

Steps to be done on the controller server

Networking

The walkthrough disables the host firewall for simplicity. On a controller with a public address this exposes MySQL, the qpid broker and the Keystone admin API (35357) to the world; in anything but an isolated lab keep iptables on and allow only the service ports you need from the addresses that need them.

service iptables stop
chkconfig iptables off

/etc/sysconfig/network-scripts/ifcfg-eth0
# Internal Network
DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=static
IPADDR=192.168.0.10
NETMASK=255.255.255.0
DEFROUTE=yes
ONBOOT=yes

/etc/sysconfig/network-scripts/ifcfg-eth1
# External Network
DEVICE=eth1
TYPE=Ethernet
BOOTPROTO=static
IPADDR=10.0.0.10
NETMASK=255.255.255.0
DEFROUTE=yes
ONBOOT=yes

service network restart

yum -y install policycoreutils setroubleshoot

setenforce 0 only lasts until the next reboot (it would have to be made permanent in /etc/selinux/config); with the openstack-selinux package installed below the services can run with SELinux enforcing, which is preferable.
setenforce 0

yum install -y euca2ools

yum install -y yum-plugin-priorities gedit curl wget nc

Setting Hostname

On CentOS 6 the persistent hostname is the HOSTNAME= line in /etc/sysconfig/network (the init scripts do not read /etc/hostname). For the hosts entry use plain echo: bash's builtin echo does not interpret \n without -e and would write the two characters literally. The address must be the one the other nodes use to reach the controller; this walkthrough uses 142.0.42.46 throughout.

sed -i 's/^HOSTNAME=.*/HOSTNAME=controller/' /etc/sysconfig/network
cat /etc/sysconfig/network
echo "142.0.42.46 controller" >> /etc/hosts
cat /etc/hosts
hostname controller
hostname
ping -c 3 controller

Installing Ntpd Server

yum -y install ntp
service ntpd start
chkconfig ntpd on

Installing Mysql Server

yum -y install mysql mysql-server MySQL-python
service mysqld start
chkconfig mysqld on
mysql_install_db
mysql_secure_installation

Set and remember the MySQL root password; it is needed throughout the rest of the installation.

Installing OpenStack Yum Repos

rpm -Uvh http://repos.fedorapeople.org/repos/openstack/openstack-havana/rdo-release-havana-6.noarch.rpm
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Installing OpenStack Packages

yum -y install openstack-utils
yum -y install openstack-selinux
yum -y install qpid-cpp-server memcached

auth=no turns authentication off on the message broker. Every Nova RPC call travels over it, so anyone who can reach port 5672 can inject commands into the cloud; this is acceptable only if the broker is bound to an isolated management network and firewalled. Otherwise leave auth=yes and create SASL credentials for the services.
vi /etc/qpidd.conf
auth=no
service qpidd start
chkconfig qpidd on

Installing And Configuring KeyStone

yum -y install openstack-keystone python-keystoneclient

The Identity Service uses a database to store information. Specify the location of the database in the configuration file. In this guide, we use a MySQL database on the controller node with the username keystone. This walkthrough uses the literal string password for every database and service account; use a distinct, randomly generated password for each one and substitute it wherever password appears below.

openstack-config --set /etc/keystone/keystone.conf sql connection mysql://keystone:password@controller/keystone

Use the openstack-db command to create the database and tables, as well as a database user called keystone to connect to the database.

openstack-db --init --service keystone --password password

Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Use openssl to generate a random token and store it in the configuration file:

ADMIN_TOKEN=$(openssl rand -hex 10)
echo $ADMIN_TOKEN
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN

The admin token bypasses authentication entirely, so treat it like the root password: it is only needed to bootstrap the admin user and the endpoints below, and once those exist comment admin_token out of keystone.conf, remove admin_token_auth from the paste pipeline and restart Keystone.

By default, Keystone uses PKI tokens. Create the signing keys and certificates:

keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log
service openstack-keystone start
chkconfig openstack-keystone on

Define users, tenants, and roles

export OS_SERVICE_TOKEN=$ADMIN_TOKEN
export OS_SERVICE_ENDPOINT=http://142.0.42.46:35357/v2.0

keystone tenant-create --name=admin --description="Admin Tenant"
keystone tenant-create --name=service --description="Service Tenant"
keystone user-create --name=admin --pass=password
keystone role-create --name=admin
keystone user-role-add --user=admin --tenant=admin --role=admin

[root@server ~]# keystone tenant-create --name=admin --description="Admin Tenant"
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Admin Tenant |
| enabled | True |
| id | 56b2c2009ac4402996df23f85587eb60 |
| name | admin |
+-------------+----------------------------------+
[root@server ~]# keystone tenant-create --name=service --description="Service Tenant"
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Service Tenant |
| enabled | True |
| id | 48606f4b78024ba5b34f1854154be27e |
| name | service |
+-------------+----------------------------------+
[root@server ~]# keystone user-create --name=admin --pass=password
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | 72d9b80b1e464558ab9f563241106a69 |
| name | admin |
+----------+----------------------------------+
[root@server ~]# keystone role-create --name=admin
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | ba0ed19af57f4122b4c43c8868bfb47c |
| name | admin |
+----------+----------------------------------+
[root@server ~]# keystone user-role-add --user=admin --tenant=admin --role=admin

Define services and API endpoints

keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"

keystone endpoint-create --service-id=the_service_id_above --publicurl=http://142.0.42.46:5000/v2.0 --internalurl=http://142.0.42.46:5000/v2.0 --adminurl=http://142.0.42.46:35357/v2.0

[root@server ~]# keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Keystone Identity Service |
| id | 05c8b4bcd2b44b59a5f8a3a8cde43c2e |
| name | keystone |
| type | identity |
+-------------+----------------------------------+

[root@server ~]# keystone endpoint-create --service-id=05c8b4bcd2b44b59a5f8a3a8cde43c2e --publicurl=http://142.0.42.46:5000/v2.0 --internalurl=http://142.0.42.46:5000/v2.0 --adminurl=http://142.0.42.46:35357/v2.0
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| adminurl | http://142.0.42.46:35357/v2.0 |
| id | c91bacef4e0549709109d102d26d940e |
| internalurl | http://142.0.42.46:5000/v2.0 |
| publicurl | http://142.0.42.46:5000/v2.0 |
| region | regionOne |
| service_id | 05c8b4bcd2b44b59a5f8a3a8cde43c2e |
+-------------+----------------------------------+
[root@server ~]#


Verify the Identity Service installation


unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
keystone --os-username=admin --os-password=password --os-auth-url=http://142.0.42.46:35357/v2.0 token-get
keystone --os-username=admin --os-password=password --os-tenant-name=admin --os-auth-url=http://142.0.42.46:35357/v2.0 token-get

export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://142.0.42.46:35357/v2.0

keystone token-get

keystone user-list

+----------------------------------+-------+---------+-------+
| id | name | enabled | email |
+----------------------------------+-------+---------+-------+
| 72d9b80b1e464558ab9f563241106a69 | admin | True | |
+----------------------------------+-------+---------+-------+
[root@server ~]#

Install and Configure the Image Service

yum -y install openstack-glance python-glanceclient

openstack-config --set /etc/glance/glance-api.conf sql connection mysql://glance:password@controller/glance
openstack-config --set /etc/glance/glance-registry.conf sql connection mysql://glance:password@controller/glance

openstack-db --init --service glance --password password

keystone user-create --name=glance --pass=password

+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | 903ccd5db7da45d9a15a52f37634652f |
| name | glance |
+----------+----------------------------------+

keystone user-role-add --user=glance --tenant=service --role=admin

Configure the Image Service to use the Identity Service for authentication.

Run the following commands and replace the admin_password value with the password you chose for the glance user in the Identity Service. The auth_token middleware reads the key auth_uri; a misspelt key such as auth_url is silently ignored.

openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_uri http://142.0.42.46:5000
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_host controller
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_user glance
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_password password
openstack-config --set /etc/glance/glance-api.conf paste_deploy flavor keystone
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_uri http://142.0.42.46:5000
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_host controller
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_user glance
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_password password
openstack-config --set /etc/glance/glance-registry.conf paste_deploy flavor keystone

On CentOS
cp /usr/share/glance/glance-api-dist-paste.ini /etc/glance/glance-api-paste.ini
cp /usr/share/glance/glance-registry-dist-paste.ini /etc/glance/glance-registry-paste.ini

Edit each file to set the following options in the [filter:authtoken] section and leave any other existing option as it is. GLANCE_PASS stands for the glance user's password (password in this walkthrough).

[filter:authtoken]
paste.filter_factory=keystoneclient.middleware.auth_token:filter_factory
auth_host=controller
admin_user=glance
admin_tenant_name=service
admin_password=GLANCE_PASS

keystone service-create --name=glance --type=image --description="Glance Image Service"
keystone endpoint-create --service-id=the_service_id_above --publicurl=http://142.0.42.46:9292 --internalurl=http://142.0.42.46:9292 --adminurl=http://142.0.42.46:9292

Output

[root@server ~]# keystone service-create --name=glance --type=image --description="Glance Image Service"
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Glance Image Service |
| id | 75a7bef17f9b4329bb84aab14e3a01ae |
| name | glance |
| type | image |
+-------------+----------------------------------+
[root@server ~]# keystone endpoint-create --service-id=75a7bef17f9b4329bb84aab14e3a01ae --publicurl=http://142.0.42.46:9292 --internalurl=http://142.0.42.46:9292 --adminurl=http://142.0.42.46:9292
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| adminurl | http://142.0.42.46:9292 |
| id | 10fb121e1190488a85341fe34d567c36 |
| internalurl | http://142.0.42.46:9292 |
| publicurl | http://142.0.42.46:9292 |
| region | regionOne |
| service_id | 75a7bef17f9b4329bb84aab14e3a01ae |
+-------------+----------------------------------+
[root@server ~]#

service openstack-glance-api start
service openstack-glance-registry start
chkconfig openstack-glance-api on
chkconfig openstack-glance-registry on

Verify the Image Service installation

mkdir images
cd images/
wget http://cdn.download.cirros-cloud.net/0.3.1/cirros-0.3.1-x86_64-disk.img

glance image-create --name="CirrOS 0.3.1" --disk-format=qcow2 --container-format=bare --is-public=true < cirros-0.3.1-x86_64-disk.img
glance image-list

[root@server ~]# cd images/
[root@server images]# wget http://cdn.download.cirros-cloud.net/0.3.1/cirros-0.3.1-x86_64-disk.img
--2014-02-27 11:48:30-- http://cdn.download.cirros-cloud.net/0.3.1/cirros-0.3.1-x86_64-disk.img
Resolving cdn.download.cirros-cloud.net... 204.188.136.134, 204.188.136.74, 2001:559:0:5a::1743:3c82, ...
Connecting to cdn.download.cirros-cloud.net|204.188.136.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13147648 (13M) [application/octet-stream]
Saving to: “cirros-0.3.1-x86_64-disk.img”

100%[===========================================================================================================>] 13,147,648 10.1M/s in 1.2s

2014-02-27 11:48:32 (10.1 MB/s) - “cirros-0.3.1-x86_64-disk.img” saved [13147648/13147648]

[root@server images]# glance image-create --name="CirrOS 0.3.1" --disk-format=qcow2 --container-format=bare --is-public=true < cirros-0.3.1-x86_64-disk.img
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | d972013792949d0d3ba628fbe8685bce |
| container_format | bare |
| created_at | 2014-02-27T16:50:47 |
| deleted | False |
| deleted_at | None |
| disk_format | qcow2 |
| id | 886c9f6a-f38c-491d-a2b4-220cf90bd064 |
| is_public | True |
| min_disk | 0 |
| min_ram | 0 |
| name | CirrOS 0.3.1 |
| owner | 56b2c2009ac4402996df23f85587eb60 |
| protected | False |
| size | 13147648 |
| status | active |
| updated_at | 2014-02-27T16:50:48 |
+------------------+--------------------------------------+
[root@server images]# glance image-list
+--------------------------------------+--------------+-------------+------------------+----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+--------------+-------------+------------------+----------+--------+
| 886c9f6a-f38c-491d-a2b4-220cf90bd064 | CirrOS 0.3.1 | qcow2 | bare | 13147648 | active |
+--------------------------------------+--------------+-------------+------------------+----------+--------+
[root@server images]#

Install And Configure Compute controller service

yum -y install openstack-nova-api openstack-nova-cert openstack-nova-conductor openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler python-novaclient

openstack-config --set /etc/nova/nova.conf database connection mysql://nova:password@controller/nova
openstack-config --set /etc/nova/nova.conf DEFAULT rpc_backend nova.openstack.common.rpc.impl_qpid
openstack-config --set /etc/nova/nova.conf DEFAULT qpid_hostname controller

openstack-db --init --service nova --password password

Set the my_ip, vncserver_listen, and vncserver_proxyclient_address configuration options to the address of the controller node (this walkthrough uses 142.0.42.46 throughout):

openstack-config --set /etc/nova/nova.conf DEFAULT my_ip 142.0.42.46
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_listen 142.0.42.46
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_proxyclient_address 142.0.42.46

keystone user-create --name=nova --pass=password
keystone user-role-add --user=nova --tenant=service --role=admin

Configure Compute to use these credentials with the Identity Service running on the controller. Replace password with your Compute password.

openstack-config --set /etc/nova/nova.conf DEFAULT auth_strategy keystone
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_host controller
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_protocol http
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_port 35357
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_user nova
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_password password
Add the credentials to the /etc/nova/api-paste.ini file, in the [filter:authtoken] section. You might sometimes have to edit .ini files during initial setup; do not edit them for general configuration tasks.

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = controller
auth_port = 35357
auth_protocol = http
auth_uri = http://controller:5000/v2.0
admin_tenant_name = service
admin_user = nova
admin_password = password

Ensure that the api_paste_config=/etc/nova/api-paste.ini option is set in the /etc/nova/nova.conf file.
keystone service-create --name=nova --type=compute --description="Nova Compute service"

keystone endpoint-create --service-id=the_service_id_above --publicurl=http://controller:8774/v2/%\(tenant_id\)s --internalurl=http://controller:8774/v2/%\(tenant_id\)s --adminurl=http://controller:8774/v2/%\(tenant_id\)s

service openstack-nova-api start
service openstack-nova-cert start
service openstack-nova-consoleauth start
service openstack-nova-scheduler start
service openstack-nova-conductor start
service openstack-nova-novncproxy start
chkconfig openstack-nova-api on
chkconfig openstack-nova-cert on
chkconfig openstack-nova-consoleauth on
chkconfig openstack-nova-scheduler on
chkconfig openstack-nova-conductor on
chkconfig openstack-nova-novncproxy on

nova image-list

+--------------------------------------+--------------+--------+--------+
| ID | Name | Status | Server |
+--------------------------------------+--------------+--------+--------+
| 886c9f6a-f38c-491d-a2b4-220cf90bd064 | CirrOS 0.3.1 | ACTIVE | |
+--------------------------------------+--------------+--------+--------+
[root@server images]#

Installing And Configuring the dashboard

yum -y install memcached python-memcached mod_wsgi openstack-dashboard

Update ALLOWED_HOSTS in local_settings to the names and addresses you will use to reach the dashboard. ALLOWED_HOSTS is Django's Host header check; the '*' entry below switches it off, which is what the check exists to prevent (Host header injection), so list the real hostnames instead of '*' on anything reachable from outside the lab.

Edit /etc/openstack-dashboard/local_settings:

ALLOWED_HOSTS = ['localhost', 'my-desktop', '*']

This guide assumes that you are running the Dashboard on the controller node. You can run the dashboard on a separate server by changing the appropriate settings in local_settings.

Edit /etc/openstack-dashboard/local_settings and change OPENSTACK_HOST to the hostname of your Identity Service:

OPENSTACK_HOST = "controller"

Start the Apache web server and memcached:

service httpd start
service memcached start
chkconfig httpd on
chkconfig memcached on

You can now access the dashboard at http://controller/dashboard. It is served over plain HTTP here; put it behind TLS before exposing it beyond the lab, since every login sends the Keystone password through it.

Configure a Compute node

yum -y install openstack-nova-compute

Edit the /etc/nova/nova.conf configuration file:

# openstack-config --set /etc/nova/nova.conf database connection mysql://nova:NOVA_DBPASS@controller/nova
# openstack-config --set /etc/nova/nova.conf DEFAULT auth_strategy keystone
# openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_host controller
# openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_protocol http
# openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_port 35357
# openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_user nova
# openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_tenant_name service
# openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_password NOVA_PASS

Configure the Compute Service to use the Qpid message broker by setting these configuration keys:

# openstack-config --set /etc/nova/nova.conf DEFAULT rpc_backend nova.openstack.common.rpc.impl_qpid
# openstack-config --set /etc/nova/nova.conf DEFAULT qpid_hostname controller



Configure Compute to provide remote console access to instances. vncserver_listen 0.0.0.0 makes the hypervisor's per-instance VNC servers reachable on every interface of the compute node; the noVNC proxy only needs to reach them on the management address, so bind them to 192.168.0.11 (the same value as vncserver_proxyclient_address) unless the node is fully firewalled.

# openstack-config --set /etc/nova/nova.conf DEFAULT my_ip 192.168.0.11
# openstack-config --set /etc/nova/nova.conf DEFAULT vnc_enabled True
# openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_listen 0.0.0.0
# openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_proxyclient_address 192.168.0.11
# openstack-config --set /etc/nova/nova.conf DEFAULT novncproxy_base_url http://controller:6080/vnc_auto.html

Specify the host that runs the Image Service.

# openstack-config --set /etc/nova/nova.conf DEFAULT glance_host controller

Edit the /etc/nova/api-paste.ini file to add the credentials to the [filter:authtoken] section

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = controller
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = NOVA_PASS

Start the Compute service and configure it to start when the system boots.

# service libvirtd start
# service messagebus start
# chkconfig libvirtd on
# chkconfig messagebus on
# service openstack-nova-compute start
# chkconfig openstack-nova-compute on
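The controller and compute steps above deliberately trade security for simplicity: the firewall is off, the message broker has auth=no, the Keystone admin token stays in keystone.conf, the same word password is used for every account, the dashboard accepts any Host header and VNC listens on 0.0.0.0. Before such a deployment leaves the lab it pays to audit the files for exactly those values. The following Python script is an added example, not code from the original post or from OpenStack; the sample file contents inside it are constructed to echo the settings above.

```python
"""Audit the lab-only settings the OpenStack walkthrough above leaves behind.

Added example, not code from the original post or from OpenStack. Reads the
oslo-style ini files plus qpidd.conf and the dashboard local_settings and
flags values that must not reach production:
  keystone.conf   admin_token still set (it bypasses authentication)
  any service     keystone_authtoken admin_password is a placeholder
  any service     the database DSN carries a placeholder password
  any service     Keystone is reached over plaintext http
  nova.conf       vncserver_listen = 0.0.0.0
  qpidd.conf      auth=no on the message broker
  local_settings  ALLOWED_HOSTS contains '*'
SAMPLE_FILES is constructed and echoes the values set in the walkthrough.
"""
import configparser
import re

PLACEHOLDER_PASSWORDS = {"password", "secret", "changeme", "admin", "123456"}
DSN_RE = re.compile(r"^\w+://(?P<user>[^:@/]+):(?P<pw>[^@/]*)@")
ALLOWED_HOSTS_RE = re.compile(r"ALLOWED_HOSTS\s*=\s*\[([^\]]*)\]")


def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_service_config(name, text):
    """Findings for one oslo-style file (keystone.conf, nova.conf, glance-*.conf)."""
    cp = load_ini(text)
    findings = []
    if cp.get("DEFAULT", "admin_token", fallback=""):
        findings.append("%s: admin_token is set; it bypasses authentication, remove it once bootstrapping is done" % name)
    if cp.get("keystone_authtoken", "admin_password", fallback="").lower() in PLACEHOLDER_PASSWORDS:
        findings.append("%s: keystone_authtoken admin_password is a placeholder value" % name)
    for section in ("sql", "database"):               # Havana used [sql], later releases [database]
        m = DSN_RE.match(cp.get(section, "connection", fallback=""))
        if m and m.group("pw").lower() in PLACEHOLDER_PASSWORDS:
            findings.append("%s: [%s] connection uses a placeholder database password" % (name, section))
    proto = cp.get("keystone_authtoken", "auth_protocol", fallback="").lower()
    uri = cp.get("keystone_authtoken", "auth_uri", fallback="").lower()
    if proto == "http" or uri.startswith("http:"):
        findings.append("%s: keystone_authtoken talks to Keystone over plaintext http" % name)
    if cp.get("DEFAULT", "vncserver_listen", fallback="") == "0.0.0.0":
        findings.append("%s: vncserver_listen binds VNC consoles to every interface; use the management address" % name)
    return findings


def audit_qpidd(name, text):
    """qpidd.conf is plain key=value lines without sections."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "auth" and value.strip().lower() == "no":
            return ["%s: auth=no lets any host that reaches the broker publish RPC messages" % name]
    return []


def audit_dashboard(name, text):
    """local_settings is Python; only the ALLOWED_HOSTS literal is inspected."""
    m = ALLOWED_HOSTS_RE.search(text)
    if m and re.search(r"""['"]\*['"]""", m.group(1)):
        return ["%s: ALLOWED_HOSTS contains '*', which disables Django's Host header check" % name]
    return []


def audit_all(files):
    """files: {basename: contents}. Returns every finding across the set, sorted by file."""
    findings = []
    for name, text in sorted(files.items()):
        if name.startswith("qpidd"):
            findings += audit_qpidd(name, text)
        elif name.startswith("local_settings"):
            findings += audit_dashboard(name, text)
        else:
            findings += audit_service_config(name, text)
    return findings


SAMPLE_FILES = {
    "keystone.conf": "[DEFAULT]\nadmin_token = 3f9c2b7a1e5d4c8b0a6f\n"
                     "[sql]\nconnection = mysql://keystone:password@controller/keystone\n",
    "nova.conf": "[DEFAULT]\nauth_strategy = keystone\nvncserver_listen = 0.0.0.0\n"
                 "[keystone_authtoken]\nauth_host = controller\nauth_protocol = http\n"
                 "admin_tenant_name = service\nadmin_user = nova\nadmin_password = password\n",
    "qpidd.conf": "auth=no\n",
    "local_settings": "ALLOWED_HOSTS = ['localhost', 'my-desktop', '*']\nOPENSTACK_HOST = \"controller\"\n",
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_FILES):
        print(finding)
```

Feed audit_all a dict of the real file contents (keyed by basename) from each node; each finding names the file and the setting, so the output doubles as the hardening checklist for that node.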

Thursday, May 16, 2013

Atomic mod security rules

ConfigServer ModSecurity Control (CMC) provides an easy way of monitoring which rules are being triggered on the server in real time and, more importantly, lets you whitelist rules either globally across the entire server or per account/domain when a rule conflicts with a particular script or feature (e.g. FrontPage). To install CMC, run the following:

rm -fv cmc.tgz
wget http://www.configserver.com/free/cmc.tgz
tar -xzf cmc.tgz
cd cmc
sh install.sh
cd ..
rm -Rfv cmc/ cmc.tgz

If you log in to WHM you will now see "ConfigServer ModSec Control" under "Plugins". Click on it: the first run creates the file modsec2.whitelist.conf if it does not already exist, and without that file Apache will not start once the configuration at the end of this guide is in place. While you are there, click "Disable modsecparse.pl". This disables the cPanel cron job that processes and empties the mod_security log, so that the log watching tool built into CMC has something to read.

The following guide installs the Atomic ModSecurity rules into cPanel with little fuss.

Stage 1: Run the following commands at command line:

mkdir /var/asl
mkdir /var/asl/tmp
mkdir /var/asl/data
mkdir /var/asl/data/msa
mkdir /var/asl/data/audit
mkdir /var/asl/data/suspicious
chown nobody.nobody /var/asl/data/msa
chown nobody.nobody /var/asl/data/audit
chown nobody.nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*
mkdir /var/asl/updates
mkdir /var/asl/rules/
mkdir /var/asl/rules/clamav
mkdir /etc/asl/
touch /etc/asl/whitelist
cd /usr/local/src/
wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.7-free-latest.tar.gz
tar zxvf modsec-2.7-free-latest.tar.gz
mkdir /usr/local/apache/conf/modsec_rules/
cp modsec/* /usr/local/apache/conf/modsec_rules/
These commands create the required directories, download the latest free version of the Atomic ModSecurity rules, copy them into the Apache configuration directory used by cPanel, and set the permissions: the data directories are owned by nobody (the user Apache runs as under cPanel) and closed to everyone else.

Stage 2: Configure cPanel to use the ModSecurity rules

In this stage you can do everything from WHM, as long as ModSecurity is already part of your EasyApache build. If it is not, rebuild Apache with ModSecurity first.

Go to WHM -> Plugins -> Mod Security and click Edit Config.

Delete all the current content and paste in the following configuration. The directives set up request and response body inspection, audit logging of every 4xx/5xx response except 404 as one file per transaction under /var/asl/data/audit, and the data directories created in stage 1; they do not set SecRuleEngine, so whether matches are blocked depends on the value cPanel's own configuration sets, which the test at the end confirms.

SecRequestBodyAccess On
SecAuditLogType Concurrent
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf
Save this and restart Apache.

The Atomic ModSecurity rules are now installed in cPanel. They are a broader rule base than the stock cPanel set and are maintained against current attacks; the free rules come from Atomicorp's delayed channel, so re-run the download from stage 1 periodically to pick up updates.

Testing

Request a URL that carries a remote-file-inclusion style argument:

http://YOUR_HOST/foo.php?foo=http://www.example.com

It should give 403. If it returns 200 instead, check that SecRuleEngine is On (in DetectionOnly mode the match is only written to the audit log under /var/asl/data/audit) and that the rule files were actually included.
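Whether the rules run under DetectionOnly (OWASP CRS section above) or under the Atomic set here, the evidence for deciding to block lives in the audit log: per transaction, which rules fired, whether the request was intercepted, and what the client and URI were. The following Python script is an added example, not code from the original post, ModSecurity or Atomicorp; it parses the native audit log format that both configurations on this page produce. The log text inside it is constructed (the rule id, message and file path are illustrative). The Concurrent log type used in the cPanel configuration writes one such entry per file under /var/asl/data/audit, so concatenate those files and pass the result to summarize().

```python
"""Summarise a ModSecurity audit log before switching SecRuleEngine to On.

Added example, not code from the original post, ModSecurity or Atomicorp.
Parses the native audit log format (parts delimited by "--id-X--" lines):
part A gives timestamp, unique id and client, part B the request line,
part F the response status, part H the matched rules ("Message:" lines),
whether the request was intercepted ("Action:") and the engine mode.
SAMPLE_AUDIT_LOG is constructed: the same request first seen under
DetectionOnly, then blocked once the engine was On.
"""
import re
from collections import Counter

BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
A_LINE_RE = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)")
TAG_RE = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')


def split_transactions(text):
    """Group lines by transaction id and part letter, preserving log order."""
    parts_by_txn, order, current = {}, [], None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            txn, part = m.groups()
            if txn not in parts_by_txn:
                parts_by_txn[txn] = {}
                order.append(txn)
            current = parts_by_txn[txn].setdefault(part, [])
        elif current is not None:
            current.append(line)
    return [(txn, parts_by_txn[txn]) for txn in order]


def parse_transaction(txn, parts):
    """Flatten one transaction into a dict of the fields worth reviewing."""
    rec = {"txn": txn, "client": None, "method": None, "uri": None, "status": None,
           "rules": [], "blocked": False, "engine_mode": None}
    a = parts.get("A", [])
    m = A_LINE_RE.match(a[0]) if a else None
    if m:
        rec["time"], rec["unique_id"], rec["client"] = m.group(1), m.group(2), m.group(3)
    b = parts.get("B", [])
    if b and len(b[0].split()) >= 2:
        rec["method"], rec["uri"] = b[0].split()[:2]
    f = parts.get("F", [])
    if f and len(f[0].split()) >= 2 and f[0].split()[1].isdigit():
        rec["status"] = int(f[0].split()[1])
    for line in parts.get("H", []):
        if line.startswith("Message:"):
            tags = dict(TAG_RE.findall(line))
            rec["rules"].append((tags.get("id", "?"), tags.get("msg", ""), tags.get("severity", "")))
        elif line.startswith("Action: Intercepted"):
            rec["blocked"] = True
        elif line.startswith("Engine-Mode:"):
            rec["engine_mode"] = line.split(":", 1)[1].strip().strip('"')
    return rec


def summarize(text):
    """Return (records, hits per rule id, records that matched but were not intercepted)."""
    records = [parse_transaction(t, p) for t, p in split_transactions(text)]
    hits = Counter(rid for rec in records for rid, _, _ in rec["rules"])
    logged_only = [rec for rec in records if rec["rules"] and not rec["blocked"]]
    return records, hits, logged_only


SAMPLE_AUDIT_LOG = """\
--3c2b1a00-A--
[27/Apr/2014:10:15:32 +0000] U1zF0X8AAAEAAGlpF1cAAAAA 203.0.113.5 54321 192.0.2.10 80
--3c2b1a00-B--
GET /foo.php?foo=http://www.example.com HTTP/1.1
Host: www.example.com

--3c2b1a00-F--
HTTP/1.1 200 OK

--3c2b1a00-H--
Message: Warning. Pattern match "^(?:https?|ftp)://" at ARGS:foo. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "210"] [id "950117"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"]
Engine-Mode: "DETECTION_ONLY"

--3c2b1a00-Z--

--3c2b1a01-A--
[27/Apr/2014:10:16:05 +0000] U1zF7H8AAAEAAGlpF1gAAAAB 203.0.113.5 54322 192.0.2.10 80
--3c2b1a01-B--
GET /foo.php?foo=http://www.example.com HTTP/1.1
Host: www.example.com

--3c2b1a01-F--
HTTP/1.1 403 Forbidden

--3c2b1a01-H--
Message: Access denied with code 403 (phase 2). Pattern match "^(?:https?|ftp)://" at ARGS:foo. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "210"] [id "950117"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--3c2b1a01-Z--
"""

if __name__ == "__main__":
    records, hits, logged_only = summarize(SAMPLE_AUDIT_LOG)
    for rid, n in hits.most_common():
        print("rule %s matched %d time(s)" % (rid, n))
    for rec in logged_only:
        print("review: %s %s %s -> %s" % (rec["client"], rec["method"], rec["uri"], rec["status"]))
```

The logged_only list is the set to go through before flipping SecRuleEngine to On: each entry is a request that a rule matched while the engine was only logging, so it is either an attack you are about to start blocking or a false positive that needs a whitelist entry in modsec2.whitelist.conf.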