Saturday, 6 January 2018

How to install openstack in ubuntu 16.04

The hardware we’ll be using is based on the following specifications:
  • 1 x MAAS Rack with Region controller: 8GB RAM, 2 CPUs, 1 NIC, 40GB storage
  • 1 x Juju node: 4GB RAM, 2 CPUs, 1 NIC, 40GB storage
  • 4 x OpenStack cloud nodes: 8GB RAM, 2 CPUs, 2 NICs, 80GB storage

Installing MAAS

root@maas:~# add-apt-repository ppa:maas/stable
root@maas:~# apt-get -y update;apt-get -y upgrade;apt-get -y dist-upgrade
root@maas:~# reboot
root@maas:~# cat /etc/lsb-release;uname -r
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
4.4.0-101-generic
root@maas:~# apt-get -y update;apt-get -y install maas

NOTE: When asked for the Ubuntu MAAS API address, double-check that the detected URL uses eth0's (external) IP address: http://10.10.2.37/MAAS/. You can later change this by running:

root@maas:~# dpkg-reconfigure maas-rack-controller

Also double-check that running the command below shows the same IP address for the management interface as the MAAS URL.

root@maas:~# sudo dpkg-reconfigure maas-region-controller

root@maas:~# maas createadmin --username=maasadmin --password='maas@123' --email=maasadmin@maas

A final question will ask whether you want to import SSH keys. MAAS uses the public SSH key of a user to manage and secure access to deployed nodes, just as you might with managed servers or remote machines. Press Enter to skip this as we’ll do this from the web UI in the next step.

root@maas:~# maas-region apikey --username=admin > api_key
root@maas:~# maas login admin http://10.10.2.37:5240/MAAS/api/2.0 - < api_key

You are now logged in to the MAAS server at
http://10.10.2.37:5240/MAAS/api/2.0/ with the profile name 'admin'.

For help with the available commands, try:

  maas admin --help
A handy shell script, say maas-login.sh, is provided:

#!/bin/sh
PROFILE=admin
API_KEY_FILE=/root/api_key   # no space after "=", otherwise the shell tries to execute the path as a command
API_SERVER=10.10.2.37
MAAS_URL=http://$API_SERVER/MAAS/api/2.0
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE

Once you are done with the CLI you can log out from the given profile, flushing the stored credentials.

root@maas:~# maas logout admin

Use this URL to log in to the MAAS console: http://10.10.2.37:5240/MAAS

On the intro page enter the domain name, a DNS forwarder for name resolution and, if required, the proxy IP for syncing images, then select the required Ubuntu release.

Keys: You can conveniently import your public SSH key(s) from both Launchpad and GitHub by entering your user ID for these services. To add a local public key file, usually ~/.ssh/id_rsa.pub, select Upload and paste the file contents into the box that appears. Click Import to save the setting.

If you need to generate a local SSH public/private key pair, type ssh-keygen -t rsa from the Linux account you’ll control MAAS from, and when asked, leave the passphrase blank.

maasadmin@maas:~$ cat /home/maasadmin/.ssh/id_rsa.pub

Manually paste the above key into the Keys field and click Import. Adding SSH keys completes the initial MAAS configuration. Click Go to the dashboard to move to the MAAS dashboard and the device discovery process.

In the Subnets tab click on the first subnet and provide a DHCP range for assigning IPs to the other nodes for PXE boot.

In the Settings tab, enter the values below.

Global Kernel Parameters:
net.ifnames=0 biosdevname=0

Proxy:
http://10.10.1.16:8080

DNS:
10.10.2.55

Storage:
LVM layout

Now let's discover the nodes. Set network boot as the first boot option on the remaining servers and reboot them. The servers will PXE boot and be added as nodes in the MAAS server. Rename the nodes as required, select them all and commission them. Open the nodes which have 2 NICs and make sure the second interface shows the subnet address and its IP address as Unconfigured.

Now our MAAS is done. Let's fire up conjure-up and configure the OpenStack nodes.

My environment is behind a proxy, so I have excluded the entire subnet in no-proxy so the proxy will not be used for internal connectivity.

Open a PuTTY session to the MAAS server:

#conjure-up --http-proxy "http://10.10.1.16:8080" --apt-proxy "http://10.10.1.16:8080" --apt-https-proxy "http://10.10.1.16:8080" --https-proxy "http://10.10.1.16:8080" --no-proxy "localhost,127.0.0.1,10.10.2.1,10.10.2.2,10.10.2.3,10.10.2.4,10.10.2.5,10.10.2.6,10.10.2.7,10.10.2.8,10.10.2.9,10.10.2.10,10.10.2.11,10.10.2.12,10.10.2.13,10.10.2.14,10.10.2.15,10.10.2.16,10.10.2.17,10.10.2.18,10.10.2.19,10.10.2.20,10.10.2.21,10.10.2.22,10.10.2.23,10.10.2.24,10.10.2.25,10.10.2.26,10.10.2.27,10.10.2.28,10.10.2.29,10.10.2.30,10.10.2.31,10.10.2.32,10.10.2.33,10.10.2.34,10.10.2.35,10.10.2.36,10.10.2.37,10.10.2.38,10.10.2.39,10.10.2.40,10.10.2.41,10.10.2.42,10.10.2.43,10.10.2.44,10.10.2.45,10.10.2.46,10.10.2.47,10.10.2.48,10.10.2.49,10.10.2.50,10.10.2.51,10.10.2.52,10.10.2.53,10.10.2.54,10.10.2.55,10.10.2.56,10.10.2.57,10.10.2.58,10.10.2.59,10.10.2.60,10.10.2.61,10.10.2.62,10.10.2.63,10.10.2.64,10.10.2.65,10.10.2.66,10.10.2.67,10.10.2.68,10.10.2.69,10.10.2.70,10.10.2.71,10.10.2.72,10.10.2.73,10.10.2.74,10.10.2.75,10.10.2.76,10.10.2.77,10.10.2.78,10.10.2.79,10.10.2.80,10.10.2.81,10.10.2.82,10.10.2.83,10.10.2.84,10.10.2.85,10.10.2.86,10.10.2.87,10.10.2.88,10.10.2.89,10.10.2.90,10.10.2.91,10.10.2.92,10.10.2.93,10.10.2.94,10.10.2.95,10.10.2.96,10.10.2.97,10.10.2.98,10.10.2.99,10.10.2.100,10.10.2.101,10.10.2.102,10.10.2.103,10.10.2.104,10.10.2.105,10.10.2.106,10.10.2.107,10.10.2.108,10.10.2.109,10.10.2.110,10.10.2.111,10.10.2.112,10.10.2.113,10.10.2.114,10.10.2.115,10.10.2.116,10.10.2.117,10.10.2.118,10.10.2.119,10.10.2.120,10.10.2.121,10.10.2.122,10.10.2.123,10.10.2.124,10.10.2.125,10.10.2.126,10.10.2.127,10.10.2.128,10.10.2.129,10.10.2.130,10.10.2.131,10.10.2.132,10.10.2.133,10.10.2.134,10.10.2.135,10.10.2.136,10.10.2.137,10.10.2.138,10.10.2.139,10.10.2.140,10.10.2.141,10.10.2.142,10.10.2.143,10.10.2.144,10.10.2.145,10.10.2.146,10.10.2.147,10.10.2.148,10.10.2.149,10.10.2.150,10.10.2.151,10.10.2.152,10.10.2.153,10.10.2.154,10.10.2.155,10.10.2.156,10.10.2.157,10.10.2.158,10.10.2.159,10.10.2.160,10.10.2.161,10.10.2.162,10.10.2.163,10.10.2.164,10.10.2.165,10.10.2.166,10.10.2.167,10.10.2.168,10.10.2.169,10.10.2.170,10.10.2.171,10.10.2.172,10.10.2.173,10.10.2.174,10.10.2.175,10.10.2.176,10.10.2.177,10.10.2.178,10.10.2.179,10.10.2.180,10.10.2.181,10.10.2.182,10.10.2.183,10.10.2.184,10.10.2.185,10.10.2.186,10.10.2.187,10.10.2.188,10.10.2.189,10.10.2.190,10.10.2.191,10.10.2.192,10.10.2.193,10.10.2.194,10.10.2.195,10.10.2.196,10.10.2.197,10.10.2.198,10.10.2.199,10.10.2.200,10.10.2.201,10.10.2.202,10.10.2.203,10.10.2.204,10.10.2.205,10.10.2.206,10.10.2.207,10.10.2.208,10.10.2.209,10.10.2.210,10.10.2.211,10.10.2.212,10.10.2.213,10.10.2.214,10.10.2.215,10.10.2.216,10.10.2.217,10.10.2.218,10.10.2.219,10.10.2.220,10.10.2.221,10.10.2.222,10.10.2.223,10.10.2.224,10.10.2.225,10.10.2.226,10.10.2.227,10.10.2.228,10.10.2.229,10.10.2.230,10.10.2.231,10.10.2.232,10.10.2.233,10.10.2.234,10.10.2.235,10.10.2.236,10.10.2.237,10.10.2.238,10.10.2.239,10.10.2.240,10.10.2.241,10.10.2.242,10.10.2.243,10.10.2.244,10.10.2.245,10.10.2.246,10.10.2.247,10.10.2.248,10.10.2.249,10.10.2.250,10.10.2.251,10.10.2.252,10.10.2.253,10.10.2.254" openstack
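As an added example (not part of the original post), the shell helper below builds the same --no-proxy list from the subnet prefix and validates every entry before conjure-up is run, because a mangled address in a 254-entry hand-typed list is easy to miss and would quietly route that host's traffic through the proxy. The prefix 10.10.2 and the proxy http://10.10.1.16:8080 are the values from this deployment; the wrapper invocation at the end is hypothetical.

```shell
#!/bin/sh
# Added example: generate and validate the conjure-up --no-proxy list for a /24
# instead of typing every address by hand. Prefix 10.10.2 and the proxy
# http://10.10.1.16:8080 are the values used in this deployment.

# gen_no_proxy PREFIX FIRST LAST -> "localhost,127.0.0.1,PREFIX.FIRST,...,PREFIX.LAST"
gen_no_proxy() {
    prefix=$1; first=$2; last=$3
    list="localhost,127.0.0.1"
    i=$first
    while [ "$i" -le "$last" ]; do
        list="$list,$prefix.$i"
        i=$((i + 1))
    done
    printf '%s' "$list"
}

# validate_no_proxy LIST -> exit 0 only if every entry is "localhost" or a
# dotted quad whose four octets are all in 0..255. A malformed entry (for
# example a constructed typo like 10.10.2333.18) never matches the real host,
# so that host would silently be reached via the proxy.
validate_no_proxy() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F. '
        $0 == "localhost" { next }
        NF != 4 { bad++; next }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) { bad++; break } }
        END { exit bad ? 1 : 0 }'
}

# Hypothetical wrapper, to be run on the MAAS host (not executed here):
#   NO_PROXY_LIST=$(gen_no_proxy 10.10.2 1 254)
#   validate_no_proxy "$NO_PROXY_LIST" || { echo "bad --no-proxy entry" >&2; exit 1; }
#   conjure-up --http-proxy "http://10.10.1.16:8080" --https-proxy "http://10.10.1.16:8080" \
#              --apt-proxy "http://10.10.1.16:8080" --apt-https-proxy "http://10.10.1.16:8080" \
#              --no-proxy "$NO_PROXY_LIST" openstack
```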

Follow the steps below in the setup screen.

Select OpenStack with NovaKVM
Select MAAS
Enter the MAAS URL and API key; use the command below to get the API key of the admin user.
root@maas:~# maas-region apikey --username=admin
Click Next
Configure neutron-gateway to use the 2nd interface which is detected on the server.
In this deployment the 2nd interface is detected as eth3, so rename the data-port as shown below.
To do this click Configure in neutron-gateway
Scroll down to data-port: br-ex:eth3
Save and select Deploy all 16 applications.

It takes only about 30 to 60 minutes to complete.

maasadmin@maas:~$ juju status openstack-dashboard/0|grep openstack-dashboard/0
openstack-dashboard/0*  active    idle   0/lxd/0  10.10.2.46    80/tcp,443/tcp  Unit is ready
maasadmin@maas:~$

Access the OpenStack URL:
https://10.10.2.46/horizon/auth/login/?next=/horizon/

Username: admin
Password: openstack

Post configuration

#juju config nova-cloud-controller console-access-protocol=novnc
#juju config nova-compute config-flags="default_ephemeral_format=ext4,block_device_allocate_retries=300,block_device_allocate_retries_interval=10,block_device_creation_timeout=300"
#juju config openstack-dashboard password-retrieve=true
#juju config ntp source=10.10.2.37

Adding new machine

#juju add-machine
#juju add-unit nova-compute --to 4
#juju add-unit ceph-osd --to 4
#juju add-unit --to lxd:4 ceph-mon

Reference:
https://docs.openstack.org/charm-deployment-guide/latest


Monday, 3 July 2017

HTTP TRACE / TRACK Methods Enabled (CVE-2004-2320, CVE-2010-0386, CVE-2003-1567)

Threat: "The remote Web server supports the TRACE and/or TRACK HTTP methods, which makes it easier for remote attackers to steal cookies and authentication credentials or bypass the HttpOnly protection mechanism.

Track / Trace are required to be disabled to be PCI compliant."

Impact: If this vulnerability is successfully exploited, attackers can potentially steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism.

Solution: Disable these methods in your web server's configuration file.

Fix: echo TraceEnable off >>/etc/httpd/conf/httpd.conf

Restart the Apache service.
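As an added example (not part of the original post), the script below checks whether the fix above actually took effect: it reports the effective TraceEnable value of an httpd.conf (Apache treats a missing directive as "on" and, when it occurs several times, the last one wins, which is why appending "TraceEnable off" works) and includes a curl-based function to confirm that the restarted server answers TRACE with 405. The config path and host are arguments; Include'd files and per-VirtualHost overrides are not followed.

```shell
#!/bin/sh
# Added example: verify that TRACE is really disabled in Apache, before and
# after applying "echo TraceEnable off >>/etc/httpd/conf/httpd.conf".
# Limitation: Include'd files and VirtualHost-level overrides are not followed.

# effective_trace_enable CONFIG_FILE -> prints on | off | extended
# A missing directive means Apache's default ("on"); the last occurrence wins.
effective_trace_enable() {
    awk '
        /^[[:space:]]*#/ { next }                          # comment line
        tolower($1) == "traceenable" { val = tolower($2) } # last one wins
        END { print (val == "" ? "on" : val) }
    ' "$1"
}

# trace_disabled CONFIG_FILE -> exit status 0 only when TRACE is off
# ("extended" still allows TRACE, so it counts as enabled)
trace_disabled() {
    [ "$(effective_trace_enable "$1")" = "off" ]
}

# Live verification after restarting httpd: with TraceEnable off, Apache
# answers a TRACE request with 405 Method Not Allowed. Not run here
# (needs a running server); HOST is e.g. the web server's own address.
# trace_status_code HOST -> prints the HTTP status code
trace_status_code() {
    curl -s -o /dev/null -w '%{http_code}' -X TRACE "http://$1/"
}
```

Run it as `trace_disabled /etc/httpd/conf/httpd.conf && echo "config OK"` on the server, then `trace_status_code localhost` after the restart, which should print 405.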