Skip to content

BS2020 (RE)Install

NotesInstalling devstack on server left entirely too much shit everywhere. Realized that devstack should be installed in a container or vm. This page documents the reinstallation of bs2020 using the remote console and admin network.

Firewall Setup

Allowing access to the server is discussed in the [wiki:OpenWRT OpenWRT notes] section.

Loading a new os via the idrac 6

  • log into idrac by browsing (https://vpn.suspectdevices.com)
  • open the virtual console. (accept all responsibility for allowing it to run)
  • launch virtual media
  • attach ubuntu 16.04 server iso (on your local workstation)
  • boot the iso and install the server according to either the official server install instructions or your favorite i.e. https://ittutorials.net/linux/ubuntu/install-ubuntu-16-04-lts/
  • While booting adjust the bios settings to skip PXE booting and memory testing which takes for ever
  • Let the vpn on the admin lan provide the address and network settings on the first interface (will fix later)
  • Select ssh server (dns,lamp, and mail will be handled by containers anything else will be faster over the net)
  • ssh into box once the os is installed.

Post install configuration

Make primary interface static (on admin lan) 

root@bs2020:~# nano /etc/network/interfaces
...
# The primary network interface
auto eno1
iface eno1 inet static
    address 192.168.1.158/24
    gateway 192.168.1.1
    dns-nameservers 192.168.1.1 198.202.31.132 198.202.31.141
    dns-search vpn suspectdevices.com digithink.com 
...
root@bs2020:~#

Update server

feurig@bs2020:~$ sudo bash
[sudo] password for feurig: 
root@bs2020:~# apt-get update
... Done
root@bs2020:~# apt-get dist-upgrade
root@bs2020:~# apt-get install openssl-server


Add second admin user

root@bs2020:~# useradd -m joe -c"Joe Dumoulin" -Gsudo,root
root@bs2020:~# su - joe
joe@bs2020:~$ nano
joe@bs2020:~$ mkdir .ssh
joe@bs2020:~$ nano .ssh/authorized_keys
paste key from vpn /etc/dropbear/autorized_keys

Set initial password so that admin can sudo.

root@bs2020:~# vipw -s
... paste hash from medea ...

Consider removing password based ssh authentication once both admins can connect.

LXC

_ This should probably move to its own section once stable _

We want to do 3 things with lxc. * create a public facing server for dns/email/and other services which is isolated from other containers and can not access the host directly * create a similarly isolated server for openstack/devstack that can be uninstalled and which will not shit all over everything. (Attempting to containerize devstack was as disastrous as trying to uninstall it) * create user space containers for experimentation which are in themselves isolated from everything else.

LXC and the first infrastructure container

Lxd is installed but lxc is not. Install lxc lxc templates bridge utilities and zfs. In the example below we leverage lxd to create the zfs pool and to point the lxc network to the the existing bridge. Once we work enough with LXC/LXD and zfs to identify the relative merits of each approach I will backfill how to do these tasks manually.

``` root@bs2020:~# sudo apt-get install lxc lxc-templates wget \ zfsutils-linux bridge-utils ebtables openvswitch-common ... root@bs2020:~# nano /etc/network/interfaces

The primary network interface

auto eno1 iface eno1 inet static address 192.168.1.158/24 gateway 192.168.1.1 dns-nameservers 192.168.1.1 198.202.31.132 198.202.31.141 dns-search vpn suspectdevices.com digithink.com

auto br0 iface br0 inet static address 0.0.0.0 bridge_ports eno4

iface eno4 inet manual

... root@bs2020:~# lxd init Name of the storage backend to use (dir or zfs) [default=zfs]: Create a new ZFS pool (yes/no) [default=yes]? yes Name of the new ZFS pool [default=lxd]: lxd4infra Would you like to use an existing block device (yes/no) [default=no]? yes Path to the existing block device: /dev/sde1 Would you like LXD to be available over the network (yes/no) [default=no]? Do you want to configure the LXD bridge (yes/no) [default=yes]? no .... root@bs2020:~# dpkg-reconfigure -p medium lxd ... no yes br0... Warning: Stopping lxd.service, but it can still be activated by: lxd.socket

root@bs2020:~# lxc-create -n naomi -t ubuntu -B zfs --zfsroot=lxd4infra lxc.rootfs = /var/lib/lxc/naomi/rootfs lxc.rootfs.backend = zfs lxc.utsname = naomi lxc.arch = amd64 .. root@bs2020:~# nano /var/lib/lxc/naomi/config ..... check network ....

Network configuration

lxc.network.type = veth lxc.network.link = br0 lxc.network.flags = up lxc.network.hwaddr = 00:16:3e:dc:6d:b4

Assign static IP Address (currently done by continer)

lxc.network.ipv4 = 192.168.1.161/24

lxc.network.ipv4.gateway = 192.168.1.1

..... add this ....

Autostart

lxc.start.auto = 1 lxc.start.delay = 5 lxc.start.order = 100 .... root@bs2020~# reboot 

### adding admin users and basic services (lock ubuntu user before starting network)
root@bs2020~# lxc-attach -n naomi root@naomi:~# passwd -l ubuntu root@naomi:~# vi /etc/network/interfaces ... add the following ... auto eth0 iface eth0 inet static address 198.202.31.142/25 gateway 198.202.31.129 dns-nameservers 198.202.31.132 198.202.31.141 8.8.8.8 dns-search vpn suspectdevices.com digithink.com

root@naomi:~# ifdown eth0 && ifup eth0 root@naomi:~# ping digithink.com root@naomi:~# apt-get update root@naomi:~# apt-get install openssl-server nano root@naomi:~# useradd -Gsudo,root -m -c"Donald Delmar Davis" feurig root@naomi:~# useradd -Gsudo,root -m -c"Joe Dumoulin" joe root@naomi:~# vipw -s ... paste hash from other system.... root@naomi:~# tail -2 /etc/passwd >passwd.add root@naomi:~# tail -2 /etc/shadow >shadow.add root@naomi:~# tar -czvf fnj.tgz /home root@naomi:~# exit root@bs2020~# cp /var/lib/lxc/naomi/rootfs/root/*.add ~feurig/ root@bs2020~# cp /var/lib/lxc/naomi/rootfs/root/fnj.tgz ~feurig/ ```

tuning bs2020

TODO: https://github.com/lxc/lxd/blob/master/doc/production-setup.md

devstack lxc container (FAIL)

This does not work. As far as I can tell you can only install devstack on raw hardware and let it install all of its ever moving dependencies. I was able to do this where pike was 6 months ago but not uninstall and reinstall is using the same version.

I don't believe it can trust anything this moving to be sane let alone secure.

SEE: GoodByeOpenstack

I may attempt this again within a KVM once I establish that the KVM framework is securable and that it will play nice with the existing containers.

LXD Container and Docker Install

SEE: [wiki:LXDContainerWithDockerNotes Creating LXD Container with static ip and Docker Profile]

lxc docker references

  • https://www.flockport.com/lxc-vs-docker/
  • https://www.upguard.com/articles/docker-vs-lxc
  • http://www.zdnet.com/article/ubuntu-lxd-not-a-docker-replacement-a-docker-enhancement/
  • https://stackoverflow.com/questions/37227349/unable-to-start-docker-service-in-ubuntu-16-04
  • https://stackoverflow.com/questions/32002882/error-starting-docker-daemon-on-ubuntu-14-04-devices-cgroup-isnt-mounted
  • https://help.ubuntu.com/lts/serverguide/cgroups-overview.html
  • https://askubuntu.com/questions/836469/install-cgconfig-in-ubuntu-16-04
  • https://help.ubuntu.com/lts/serverguide/cgroups.html

lxc references

  • https://www.ubuntu.com/containers/lxd
  • https://insights.ubuntu.com/2016/04/07/lxd-networking-lxdbr0-explained/
  • https://bayton.org/docs/linux/lxd/lxd-zfs-and-bridged-networking-on-ubuntu-16-04-lts/
  • https://www.simpleprecision.com/ubuntu-16-04-lxd-networking-simple-bridge/
  • https://askubuntu.com/questions/453659/lxc-containers-fail-to-autoboot-in-14-04-trusty-using-lxc-start-auto-1
  • https://help.ubuntu.com/lts/serverguide/lxc.html
  • http://www.itzgeek.com/how-tos/linux/ubuntu-how-tos/setup-linux-container-with-lxc-on-ubuntu-16-04-14-04.html
  • https://bayton.org/docs/linux/lxd/lxd-zfs-and-bridged-networking-on-ubuntu-16-04-lts/
  • https://stgraber.org/2016/03/15/lxd-2-0-installing-and-configuring-lxd-212/
  • https://wiki.ubuntu.com/LxcSecurity
  • https://insights.ubuntu.com/2016/03/16/lxd-2-0-installing-and-configuring-lxd-212/

fuckups

  • openstack/devstack shits all over your server you uninstall it by starting over
  • CHECK TO MAKE SURE YOU ARE IN A CONTAINER BEFORE INSTALLING THE POS THE BARE METAL INTALL IS TOLERABLE BUT NOT FUN.
  • installing the virtual server host installs KVM and its kernel. uninstalling it leaves you with a kernel that can't find the network.
  • don't press f10 during boot whatever you do and if you do follow this... http://crtech.tips/lifecycle-controller-hanging-during-post/
  • do not give br0 an address as it will then become a public facing interface with direct access to the host server.
  • local.conf password can't contain any shell characters (%$@!) much like the puppet installer...
  • host must also have bridge tables (ebtables) and openvswitch installed.
  • kernel modules needed in lxc containers need to be installed in the host.

  • deleting container zfs pool and storage without telling lxd not to use it is problematic. Hint

    root@bs2020:~# lxc config show config: storage.zfs_pool_name: lxd4dev