Linux Conquering Cloud

Friday, October 17, 2014

Logstash to parse Local files,apache/niginx Logs

Filters in logstach
Filters are an in-line processing mechanism which provide the flexibility to slice and dice your data to fit your needs. Let’s see one in action, namely the grok filter.

input { stdin { } }

filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}

output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
Run logstash with this configuration:

bin/logstash -f logstash-filter.conf
Now paste this line into the terminal (so it will be processed by the stdin input):

127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] "GET /xampp/status.php HTTP/1.1" 200 3891 "http://cadenza/xampp/navi.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0"

Run Logstash from Local File buy configuring input session. Below we parse a apache access log from local server.

input {
file {
path => "/Users/kurt/logs/access_log"
start_position => beginning
}
}

filter {
if [path] =~ "access" {
mutate { replace => { "type" => "apache_access" } }
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}

output {
elasticsearch {
host => localhost
}
stdout { codec => rubydebug }
}

Logstach Configuration for parsing nginx Logs

input {
file {
path => "/Users/kurt/logs/access_log"
start_position => beginning
}
}

filter {
if [path] =~ "access" {
mutate { replace => { "type" => "apache_access" } }
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}

output {
elasticsearch {
host => localhost
}
stdout { codec => rubydebug }
}

Log Monitoring WIth Kibana+Logstash+elasticsearch

Centralized logging using Logstash and elasticsearch can be very useful when attempting to identify problems with your servers or applications, as it allows you to search through all of your logs in a single place.

Installing Java

yum install java-1.7.0-openjdk-*

Install Elasticsearch

yum install https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.4.noarch.rpm

Elasticsearch is now installed. Let's edit the configuration:/etc/elasticsearch/elasticsearch.yml

Add the following line somewhere in the file, to disable dynamic scripts:

script.disable_dynamic: true

You will also want to restrict outside access to your Elasticsearch instance, so outsiders can't read your data or shutdown your Elasticseach cluster through the HTTP API. Find the line that specifies network.host and uncomment it so it looks like this:

network.host: localhost

Then disable multicast by finding the discovery.zen.ping.multicast.enabled item and uncommenting so it looks like this:

discovery.zen.ping.multicast.enabled: false

Now start Elasticsearch:

sudo service elasticsearch restart

Install Nginx

yum install -y http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

yum install nginx -y

Download the sample Nginx configuration from Kibana's github repository to your home directory:

cd ~; curl -OL https://gist.githubusercontent.com/thisismitch/2205786838a6a5d61f55/raw/f91e06198a7c455925f6e3099e3ea7c186d0b263/nginx.conf

Open the sample configuration file for editing:

vi nginx.conf

Find and change the values of the server_name to your FQDN (or localhost if you aren't using a domain name) and root to where we installed Kibana, so they look like the following entries:

server_name FQDN;
root /usr/share/nginx/kibana3;

Save and exit. Now copy it over your Nginx default server block with the following command:

sudo cp ~/nginx.conf /etc/nginx/conf.d/default.conf

Installing Kibana to parse the logs
wget https://download.elasticsearch.org/kibana/kibana/kibana-3.1.1.tar.gz
tar zxvf kibana-3.1.1.tar.gz

Open the Kibana configuration file kibana-3.1.1/config.js and find the line that specifies the elasticsearch server URL, and replace the port number (9200 by default) with 80:

elasticsearch: "http://"+window.location.hostname+":80",

mv kibana-3.1.1 /usr/share/nginx/kibana3

start the Nginx

service nginx start

sudo yum install httpd-tools-2.2.15
Then generate a login that will be used in Kibana to save and share dashboards (substitute your own username):
sudo htpasswd -c /etc/nginx/conf.d/kibana.myhost.org.htpasswd user

Install Logstash

yum install https://download.elasticsearch.org/logstash/logstash/packages/centos/logstash-1.4.2-1_2c0f5a1.noarch.rpm -y

Creating Certificates

cd /etc/pki/tls; sudo openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

cat << EOF >> /etc/logstash/conf.d/01-lumberjack-input.conf
input {
lumberjack {
port => 5000
type => "logs"
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
EOF

cat << EOF >> /etc/logstash/conf.d/10-syslog.conf
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
EOF

cat << EOF >> /etc/logstash/conf.d/30-lumberjack-output.conf
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
EOF

On Logstash Server

Copy the SSL certificate to Server (substitute with your own login):

scp /etc/pki/tls/certs/logstash-forwarder.crt user@server_private_IP:/tmp

Install Logstash Forwarder Package

yum install -y http://packages.elasticsearch.org/logstashforwarder/centos/logstash-forwarder-0.3.1-1.x86_64.rpm

Next, you will want to install the Logstash Forwarder init script, so it starts on bootup. We will use the init script provided by logstashbook.com:

cd /etc/init.d/; sudo curl -o logstash-forwarder http://logstashbook.com/code/4/logstash_forwarder_redhat_init
sudo chmod +x logstash-forwarder

The init script depends on a file called /etc/sysconfig/logstash-forwarder. A sample file is available to download:

sudo curl -o /etc/sysconfig/logstash-forwarder http://logstashbook.com/code/4/logstash_forwarder_redhat_sysconfig

sudo vi /etc/sysconfig/logstash-forwarder
And modify the LOGSTASH_FORWARDER_OPTIONS value so it looks like the following:
LOGSTASH_FORWARDER_OPTIONS="-config /etc/logstash-forwarder -spool-size 100"
Save and quit.

Now copy the SSL certificate into the appropriate location (/etc/pki/tls/certs):

sudo cp /tmp/logstash-forwarder.crt /etc/pki/tls/certs/

Configure Logstash Forwarder
On Server, create and edit Logstash Forwarder configuration file, which is in JSON format:

cat << EOF > /etc/logstash-forwarder
{
"network": {
"servers": [ "192.168.255.1:5000" ],
"timeout": 15,
"ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt"
},
"files": [
{
"paths": [
"/var/log/messages",
"/var/log/secure"
],
"fields": { "type": "syslog" }
}
]
}

EOF

Note that this is where you would add more files/types to configure Logstash Forwarder to other log files to Logstash on port 5000.

Now we will want to add the Logstash Forwarder service with chkconfig:

sudo chkconfig --add logstash-forwarder

Now start Logstash Forwarder to put our changes into place:

sudo service logstash-forwarder start

Now checkout the kibana server IP to get the dashboard

Thursday, October 16, 2014

Poodle-SSLv3 Vulnerability

A vulnerability in SSLv3 encryption protocol was disclosed. This vulnerability, known as POODLE (Padding Oracle On Downgraded Legacy Encryption), allows an attacker to read information encrypted with this version of the protocol in plain text using a man-in-the-middle attack.

Although SSLv3 is an older version of the protocol which is mainly obsolete, many pieces of software still fall back on SSLv3 if better encryption options are not available. More importantly, it is possible for an attacker to force SSLv3 connections if it is an available alternative for both participants attempting a connection

How to test for SSL POODLE vulnerability?
$ openssl s_client -connect google.com:443 -ssl3
If there is a handshake failure then the server is not supporting SSLv3 and it is secure from this vulnerability. Otherwise it is required to disable SSLv3 support.

The POODLE vulnerability exists because the SSLv3 protocol does not adequately check the padding bytes that are sent with encrypted messages.

Since these cannot be verified by the receiving party, an attacker can replace these and pass them on to the intended destination. When done in a specific way, the modified payload will potentially be accepted by the recipient without complaint.

The POODLE vulnerability does not represent an implementation problem and is an inherent issue with the entire protocol, there is no workaround and the only reliable solution is to not use it.

In nginx configuration, just after the "ssl on;" line, add the following to allow only TLS protocols:

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

Apache Web Server

Inside /etc/httpd/conf.d/ssl.conf or httpd.conf you can find the SSLProtocol directive. If this is not available, create it. Modify this to explicitly remove support for SSLv3:

SSLProtocol all -SSLv3 -SSLv2

Ha-Proxy
To disable SSLv3 in an HAProxy load balancer, you will need to open the haproxy.cfg file.

sudo nano /etc/haproxy/haproxy.cfg
frontend name
bind public_ip:443 ssl crt /path/to/certs no-sslv3

Postfix

In Postfix conf /etc/postfix/main.cf add.
smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3

In Dovecot

sudo nano /etc/dovecot/conf.d/10-ssl.conf
ssl_protocols = !SSLv3 !SSLv2

Tomcat

Edit @ $TOMCAT_HOME/conf/server.xml.

Tomcat 5 and 6:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2" />
Tomcat >= 7

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

Openstack Juno -Part 3 -Compute service Nova

Creating Nova Database
create database nova;
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'mar4nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'mar4nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'10.0.0.200' IDENTIFIED BY 'mar4nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'10.0.0.202' IDENTIFIED BY 'mar4nova';
flush privileges;

Configuring User's in keystone
source admin-openrc.sh
keystone user-create --name nova --pass mar4nova --email EMAIL_ADDRESS
keystone user-role-add --user nova --tenant service --role admin
keystone service-create --name nova --type compute --description "OpenStack Compute"
keystone endpoint-create --service-id $(keystone service-list | awk '/ compute / {print $2}') --publicurl http://controller:8774/v2/%$tenant_id$s --internalurl http://controller:8774/v2/%$tenant_id$s --adminurl http://controller:8774/v2/%$tenant_id$s --region regionOne

#On Controller

Installing packages
yum -y install openstack-nova-api openstack-nova-cert openstack-nova-conductor openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler python-novaclient

Configuring Service
openstack-config --set /etc/nova/nova.conf database connection mysql://nova:mar4nova@controller/nova

openstack-config --set /etc/nova/nova.conf DEFAULT rpc_backend rabbit
openstack-config --set /etc/nova/nova.conf DEFAULT rabbit_host controller
openstack-config --set /etc/nova/nova.conf DEFAULT rabbit_password guest

#On Controller1 #Public IP on contreller server. Hostname don't work. configure the my_ip option to use the management interface IP address of the controller node
openstack-config --set /etc/nova/nova.conf DEFAULT my_ip 10.1.15.142
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_listen 10.1.15.142
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_proxyclient_address 10.1.15.142

openstack-config --set /etc/nova/nova.conf DEFAULT auth_strategy keystone
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_uri http://controller:5000/v2.0
openstack-config --set /etc/nova/nova.conf keystone_authtoken identity_uri http://controller:35357
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_user nova
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_password mar4nova

openstack-config --set /etc/nova/nova.conf glance host controller

#Populate the database

su -s /bin/sh -c "nova-manage db sync" nova

Database changed
MariaDB [nova]> show tables;
+--------------------------------------------+
| Tables_in_nova |
+--------------------------------------------+
| agent_builds |
| aggregate_hosts |
| aggregate_metadata |
| aggregates |
| block_device_mapping |
| bw_usage_cache |
| cells |
| certificates |
| compute_nodes |
| console_pools |
| consoles |
| dns_domains |
| fixed_ips |
| floating_ips |
| instance_actions |
| instance_actions_events |
| instance_extra |
| instance_faults |
| instance_group_member |
| instance_group_policy |
| instance_groups |
| instance_id_mappings |
| instance_info_caches |
| instance_metadata |
| instance_system_metadata |
| instance_type_extra_specs |
| instance_type_projects |
| instance_types |
| instances |
| iscsi_targets |
| key_pairs |
| migrate_version |
| migrations |
| networks |
| pci_devices |
| project_user_quotas |
| provider_fw_rules |
| quota_classes |
| quota_usages |
| quotas |
| reservations |
| s3_images |
| security_group_default_rules |
| security_group_instance_association |
| security_group_rules |
| security_groups |
| services |
| shadow_agent_builds |
| shadow_aggregate_hosts |
| shadow_aggregate_metadata |
| shadow_aggregates |
| shadow_block_device_mapping |
| shadow_bw_usage_cache |
| shadow_cells |
| shadow_certificates |
| shadow_compute_nodes |
| shadow_console_pools |
| shadow_consoles |
| shadow_dns_domains |
| shadow_fixed_ips |
| shadow_floating_ips |
| shadow_instance_actions |
| shadow_instance_actions_events |
| shadow_instance_extra |
| shadow_instance_faults |
| shadow_instance_group_member |
| shadow_instance_group_policy |
| shadow_instance_groups |
| shadow_instance_id_mappings |
| shadow_instance_info_caches |
| shadow_instance_metadata |
| shadow_instance_system_metadata |
| shadow_instance_type_extra_specs |
| shadow_instance_type_projects |
| shadow_instance_types |
| shadow_instances |
| shadow_iscsi_targets |
| shadow_key_pairs |
| shadow_migrate_version |
| shadow_migrations |
| shadow_networks |
| shadow_pci_devices |
| shadow_project_user_quotas |
| shadow_provider_fw_rules |
| shadow_quota_classes |
| shadow_quota_usages |
| shadow_quotas |
| shadow_reservations |
| shadow_s3_images |
| shadow_security_group_default_rules |
| shadow_security_group_instance_association |
| shadow_security_group_rules |
| shadow_security_groups |
| shadow_services |
| shadow_snapshot_id_mappings |
| shadow_snapshots |
| shadow_task_log |
| shadow_virtual_interfaces |
| shadow_volume_id_mappings |
| shadow_volume_usage_cache |
| shadow_volumes |
| snapshot_id_mappings |
| snapshots |
| task_log |
| virtual_interfaces |
| volume_id_mappings |
| volume_usage_cache |
| volumes |
+--------------------------------------------+
108 rows in set (0.00 sec)

MariaDB [nova]>

systemctl enable openstack-nova-api.service
systemctl enable openstack-nova-cert.service
systemctl enable openstack-nova-consoleauth.service
systemctl enable openstack-nova-scheduler.service
systemctl enable openstack-nova-conductor.service
systemctl enable openstack-nova-novncproxy.service
systemctl start openstack-nova-api.service
systemctl start openstack-nova-cert.service
systemctl start openstack-nova-consoleauth.service
systemctl start openstack-nova-scheduler.service
systemctl start openstack-nova-conductor.service
systemctl start openstack-nova-novncproxy.service

On compute Node

Installing Packages
yum install openstack-nova-compute -y

Configuring Service
openstack-config --set /etc/nova/nova.conf DEFAULT rpc_backend rabbit
openstack-config --set /etc/nova/nova.conf DEFAULT rabbit_host controller
openstack-config --set /etc/nova/nova.conf DEFAULT rabbit_password guest

openstack-config --set /etc/nova/nova.conf DEFAULT auth_uri = http://controller:5000/v2.0
openstack-config --set /etc/nova/nova.conf DEFAULT identity_uri = http://controller:35357
openstack-config --set /etc/nova/nova.conf DEFAULT admin_tenant_name = service
openstack-config --set /etc/nova/nova.conf DEFAULT admin_user = nova
openstack-config --set /etc/nova/nova.conf DEFAULT admin_password = mar4nova

#On Controller1 #Public IP on contreller server. Hostname don't work. configure the my_ip option to use the management interface IP address of the controller node
openstack-config --set /etc/nova/nova.conf DEFAULT my_ip 10.1.15.144
openstack-config --set /etc/nova/nova.conf DEFAULT vnc_enabled True
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_listen 0.0.0.0
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_proxyclient_address 10.1.15.144
openstack-config --set /etc/nova/nova.conf DEFAULT novncproxy_base_url http://controller:6080/vnc_auto.html

openstack-config --set /etc/nova/nova.conf glance host controller

Determine whether your compute node supports hardware acceleration for virtual machines:
$ egrep -c '(vmx|svm)' /proc/cpuinfo
If this command returns a value of one or greater, your compute node supports hardware acceleration which typically requires no additional configuration.
If this command returns a value of zero, your compute node does not support hardware acceleration and you must configure libvirt to use QEMU instead of KVM.
Edit the [libvirt] section in the /etc/nova/nova.conf file as follows:
[libvirt]
...
virt_type = qemu

openstack-config --set /etc/nova/nova.conf libvirt virt_type qemu

systemctl enable libvirtd.service
systemctl start libvirtd.service
systemctl enable openstack-nova-compute.service
systemctl start openstack-nova-compute.service

#Verify operation

$ nova service-list
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
| Id | Binary | Host | Zone | Status | State | Updated_at | Disabled Reason |
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
| 1 | nova-conductor | controller | internal | enabled | up | 2014-09-16T23:54:02.000000 | - |
| 2 | nova-consoleauth | controller | internal | enabled | up | 2014-09-16T23:54:04.000000 | - |
| 3 | nova-scheduler | controller | internal | enabled | up | 2014-09-16T23:54:07.000000 | - |
| 4 | nova-cert | controller | internal | enabled | up | 2014-09-16T23:54:00.000000 | - |
| 5 | nova-compute | compute1 | nova | enabled | up | 2014-09-16T23:54:06.000000 | - |
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+

[root@controller ~]# nova image-list
+--------------------------------------+---------------------+--------+--------+
| ID | Name | Status | Server |
+--------------------------------------+---------------------+--------+--------+
| e54cb5b2-4717-4139-8258-2a0366216b92 | cirros-0.3.3-x86_64 | ACTIVE | |
+--------------------------------------+---------------------+--------+--------+
[root@controller ~]#

Wednesday, October 15, 2014

Openstack Juno - Part 2 - Image Service Glance

Create the database
create database glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'mar4glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'mar4glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'10.0.0.200' IDENTIFIED BY 'mar4glance';
flush privileges;

Creating the Keystone Endpoints and User's
source /root/admin-openrc.sh
keystone user-create --name=glance --pass=mar4glance --email=glance@example.com
keystone user-role-add --user=glance --tenant=service --role=admin
keystone service-create --name=glance --type=image --description="OpenStack Image Service"
keystone endpoint-create --service-id=$(keystone service-list | awk '/ image / {print $2}') --publicurl=http://controller:9292 --internalurl=http://controller:9292 --adminurl=http://controller:9292

Install the packages
yum install openstack-glance python-glanceclient -y

Configuring the service
openstack-config --set /etc/glance/glance-api.conf database connection mysql://glance:mar4glance@controller/glance
openstack-config --set /etc/glance/glance-registry.conf database connection mysql://glance:mar4glance@controller/glance

openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_uri http://controller:5000/v2.0
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken identity_uri http://controller:35357
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_user glance
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_password mar4glance
openstack-config --set /etc/glance/glance-api.conf paste_deploy flavor keystone

openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_uri http://controller:5000/v2.0
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken identity_uri http://controller:35357
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_user glance
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_password mar4glance
openstack-config --set /etc/glance/glance-registry.conf paste_deploy flavor keystone

Populating the DB
su -s /bin/sh -c "glance-manage db_sync" glance

Database changed
MariaDB [glance]> show tables;
+----------------------------------+
| Tables_in_glance |
+----------------------------------+
| image_locations |
| image_members |
| image_properties |
| image_tags |
| images |
| metadef_namespace_resource_types |
| metadef_namespaces |
| metadef_objects |
| metadef_properties |
| metadef_resource_types |
| migrate_version |
| task_info |
| tasks |
+----------------------------------+
13 rows in set (0.00 sec)

systemctl enable openstack-glance-api.service
systemctl enable openstack-glance-registry.service
systemctl start openstack-glance-api.service
systemctl start openstack-glance-registry.service

Verifying the Glance
mkdir /tmp/images
cd /tmp/images
wget http://cdn.download.cirros-cloud.net/0.3.3/cirros-0.3.3-x86_64-disk.img
source admin-openrc.sh
glance image-create --name "cirros-0.3.3-x86_64" --file /tmp/images/cirros-0.3.3-x86_64-disk.img --disk-format qcow2 --container-format bare --is-public True --progress
glance image-list
rm -r /tmp/images

Tuesday, October 14, 2014

Openstack Juno -Part 2 -Keystone

Keystone : The Identity Service

Create the database

$ mysql -u root -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'ram4key';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'ram4key';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'10.0.0.200' IDENTIFIED BY 'ram4key';
flush privileges;

Install the Packages

yum install openstack-keystone python-keystoneclient -y

Configure the Service

openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:ram4key@controller/keystone
ADMIN_TOKEN=$(openssl rand -hex 10)
echo $ADMIN_TOKEN
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
openstack-config --set /etc/keystone/keystone.conf DEFAULT verbose True
keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
chown keystone:keystone /var/log/keystone/keystone.log
chown -R keystone:keystone /etc/keystone/ssl
chmod -R o-rwx /etc/keystone/ssl

Populate the Database
su -s /bin/sh -c "keystone-manage db_sync" keystone

MariaDB [(none)]> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [keystone]> show tables;
+-----------------------+
| Tables_in_keystone |
+-----------------------+
| assignment |
| credential |
| domain |
| endpoint |
| group |
| id_mapping |
| migrate_version |
| policy |
| project |
| region |
| revocation_event |
| role |
| service |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
+-----------------------+
18 rows in set (0.00 sec)

MariaDB [keystone]>

systemctl enable openstack-keystone.service
systemctl start openstack-keystone.service

(crontab -l -u keystone 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/keystone

Define users, tenants, and roles
=========================
*********Replace ADMIN_TOKEN with your authorization token
#export OS_SERVICE_TOKEN=$ADMIN_TOKEN
echo $ADMIN_TOKEN
export OS_SERVICE_TOKEN=$(echo $ADMIN_TOKEN)
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

#Create an administrative user
#========================
keystone user-create --name=admin --pass=admin4mar --email=ADMIN_EMAIL
keystone role-create --name=admin
keystone tenant-create --name=admin --description="Admin Tenant"
keystone user-role-add --user=admin --tenant=admin --role=admin

keystone role-create --name _member_

#Create a normal user
#================
keystone user-create --name=demo --pass=demo4mar --email=DEMO_EMAIL
keystone tenant-create --name=demo --description="Demo Tenant"
keystone user-role-add --user=demo --role=_member_ --tenant=demo
keystone user-role-add --tenant admin --user admin --role _member_

#Create a service tenant
#=====================
keystone tenant-create --name=service --description="Service Tenant"

#Define services and API endpoints
#===========================

keystone service-create --name=keystone --type=identity --description="OpenStack Identity"
keystone endpoint-create --service-id=$(keystone service-list | awk '/ identity / {print $2}') --publicurl=http://controller:5000/v2.0 --internalurl=http://controller:5000/v2.0 --adminurl=http://controller:35357/v2.0 --region regionOne

#Verify the Identity Service installation
#=============================

unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
keystone --os-username=admin --os-password=admin4mar --os-auth-url=http://controller:35357/v2.0 token-get
keystone --os-username=admin --os-password=admin4mar --os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 token-get
keystone --os-username=admin --os-password=admin4mar --os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 tenant-list
keystone --os-username=admin --os-password=admin4mar --os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 user-list
keystone --os-username=admin --os-password=admin4mar --os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 role-list

#Adding User profile
#==========================

echo "
export OS_USERNAME=admin
export OS_PASSWORD=admin4mar
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0" >> /root/admin-openrc.sh

cat /root/admin-openrc.sh

source /root/admin-openrc.sh
keystone token-get
keystone user-list
keystone user-role-list --user admin --tenant admin

Openstack Juno- Part 1 - Basic Configuration

Juno is the latest version of Openstack which is expected to once of the main milestone in the Openstack releases with a good set of updated to all the Services and First one of its series which will run over Rhel/Centos 7

Making Selinux to Permissive ON ALL THE NODE
=============================================
sed -i "s/SELINUX=.*/SELINUX=permissive/g" /etc/sysconfig/selinux
sed -i "s/SELINUX=.*/SELINUX=permissive/g" /etc/selinux/config ; setenforce 0

Configure Sysctl.conf ON ALL THE NODE
=============================================
echo 1 > /proc/sys/net/ipv4/ip_forward
grep -q net.ipv4.ip_forward /etc/sysctl.conf ||echo "net.ipv4.ip_forward = 1 " >> /etc/sysctl.conf

grep -q net.ipv4.conf.all.rp_filter /etc/sysctl.conf || echo "net.ipv4.conf.all.rp_filter=0" >> /etc/sysctl.conf

grep -q net.ipv4.conf.default.rp_filter /etc/sysctl.conf || echo "net.ipv4.conf.default.rp_filter = 0 " >> /etc/sysctl.conf

grep -q net.ipv4.ip_nonlocal_bind /etc/sysctl.conf || echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf

sysctl -p

https://github.com/brightbox/bootstaller/blob/master/auto/CentOS-7-x86_64-Brightbox-7.0_20140717.ks
sed -i "s/10.0.0.2/8.8.8.8/g" /etc/resolv.conf

Installing Needed Packages ON THE NODE
=============================================
yum -y upgrade
yum install http://rdo.fedorapeople.org/openstack-juno/rdo-release-juno.rpm -y
yum -y install https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm -y
yum -y install policycoreutils setroubleshoot
setenforce 0
yum install -y euca2ools
yum install -y yum-plugin-priorities gedit curl wget nc
yum -y install ntp
service ntpd start
chkconfig ntpd on
yum -y install openstack-utils
yum -y install openstack-selinux

On all compute node
yum -y install sysfsutils sg3_utils

Installing Mysql Server in Controller
============================================
yum install mariadb mariadb-server MySQL-python -y

Into /etc/my.cnf
-----
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
-----

systemctl enable mariadb.service
systemctl start mariadb.service

mysql_secure_installation

Installing The Broker Service
============================================

yum install rabbitmq-server -y

systemctl enable rabbitmq-server.service
systemctl start rabbitmq-server.service

rabbitmqctl change_password guest RABBIT_PASS

Pages

Friday, October 17, 2014

Thursday, October 16, 2014

Wednesday, October 15, 2014

Tuesday, October 14, 2014