Develop Reference

Openstack All-In-One Single Machine Networking

I'm having a hard time configuring an Openstack environment based on the All-In-One Single Machine installer for bridged networking in my LAN.
My objective is to SSH into the instances created in Openstack from my LAN.
The server is an Ubuntu 16.04 LTS with minimal installation and OpenSSH. The network configuration of the server is:
auto enp3s0
iface enp3s0 inet static
address 10.4.4.1
netmask 255.255.255.0
gateway 10.4.4.254
broadcast 10.4.4.255
network 10.4.4.0
dns-nameservers 10.4.1.12 10.4.1.10
Basically my network details are the following:
LAN 10.4.4.0
MASK 255.255.255.0
Gateway/DHCP Server 10.4.4.254
The local.conf file I've used for deploying the devstack is the following:
# Sample ``local.conf`` for user-configurable variables in ``stack.sh``
# NOTE: Copy this file to the root DevStack directory for it to work properly.
# ``local.conf`` is a user-maintained settings file that is sourced from ``stackrc``.
# This gives it the ability to override any variables set in ``stackrc``.
# Also, most of the settings in ``stack.sh`` are written to only be set if no
# value has already been set; this lets ``local.conf`` effectively override the
# default values.
# This is a collection of some of the settings we have found to be useful
# in our DevStack development environments. Additional settings are described
# in https://docs.openstack.org/devstack/latest/configuration.html#local-conf
# These should be considered as samples and are unsupported DevStack code.
# The ``localrc`` section replaces the old ``localrc`` configuration file.
# Note that if ``localrc`` is present it will be used in favor of this section.
[[local|localrc]]
# Minimal Contents
# ----------------
# While ``stack.sh`` is happy to run without ``localrc``, devlife is better when
# there are a few minimal variables set:
# If the ``*_PASSWORD`` variables are not set here you will be prompted to enter
# values for them by ``stack.sh``and they will be added to ``local.conf``.
FLOATING_RANGE=10.4.4.192/27
FIXED_RANGE=192.168.0.0/24
FIXED_NETWORK_SIZE=256
FLAT_INTERFACE=enp3s0
ADMIN_PASSWORD=nomoresecret
DATABASE_PASSWORD=stackdb
RABBIT_PASSWORD=stackqueue
SERVICE_PASSWORD=$ADMIN_PASSWORD
# ``HOST_IP`` and ``HOST_IPV6`` should be set manually for best results if
# the NIC configuration of the host is unusual, i.e. ``eth1`` has the default
# route but ``eth0`` is the public interface. They are auto-detected in
# ``stack.sh`` but often is indeterminate on later runs due to the IP moving
# from an Ethernet interface to a bridge on the host. Setting it here also
# makes it available for ``openrc`` to include when setting ``OS_AUTH_URL``.
# Neither is set by default.
HOST_IP=10.4.4.1
#HOST_IPV6=2001:db8::7
# Logging
# -------
# By default ``stack.sh`` output only goes to the terminal where it runs. It can
# be configured to additionally log to a file by setting ``LOGFILE`` to the full
# path of the destination log file. A timestamp will be appended to the given name.
LOGFILE=$DEST/logs/stack.sh.log
# Old log files are automatically removed after 7 days to keep things neat. Change
# the number of days by setting ``LOGDAYS``.
LOGDAYS=2
# Nova logs will be colorized if ``SYSLOG`` is not set; turn this off by setting
# ``LOG_COLOR`` false.
#LOG_COLOR=False
# Using milestone-proposed branches
# ---------------------------------
# Uncomment these to grab the milestone-proposed branches from the
# repos:
#CINDER_BRANCH=milestone-proposed
#GLANCE_BRANCH=milestone-proposed
#HORIZON_BRANCH=milestone-proposed
#KEYSTONE_BRANCH=milestone-proposed
#KEYSTONECLIENT_BRANCH=milestone-proposed
#NOVA_BRANCH=milestone-proposed
#NOVACLIENT_BRANCH=milestone-proposed
#NEUTRON_BRANCH=milestone-proposed
#SWIFT_BRANCH=milestone-proposed
# Using git versions of clients
# -----------------------------
# By default clients are installed from pip. See LIBS_FROM_GIT in
# stackrc for details on getting clients from specific branches or
# revisions. e.g.
# LIBS_FROM_GIT="python-ironicclient"
# IRONICCLIENT_BRANCH=refs/changes/44/2.../1
# Swift
# -----
# Swift is now used as the back-end for the S3-like object store. Setting the
# hash value is required and you will be prompted for it if Swift is enabled
# so just set it to something already:
SWIFT_HASH=66a3d6b56c1f479c8b4e70ab5c2000f5
# For development purposes the default of 3 replicas is usually not required.
# Set this to 1 to save some resources:
SWIFT_REPLICAS=1
# The data for Swift is stored by default in (``$DEST/data/swift``),
# or (``$DATA_DIR/swift``) if ``DATA_DIR`` has been set, and can be
# moved by setting ``SWIFT_DATA_DIR``. The directory will be created
# if it does not exist.
SWIFT_DATA_DIR=$DEST/data
At the end of the deployment I'm able to ping from the instance to my LAN and do nslookup on google.com for example, but I can't do it backwards, ping/ssh/telnet the instance in Openstack.
The security group permits all traffic, all ICMP ingress/egress, SSH from everywhere.
I've tried to telnet on my local computer from the Openstack instance and it's showing the IP of the Openstack host, not the host. So I'm missing something in the network topology.
netstat -ant | grep 1716
tcp6 0 0 :::1716 :::* LISTEN
tcp6 0 0 10.4.3.34:1716 10.4.4.1:42992 ESTABLISHED
Is there any type of network deployment I'm missing?
Any advice would be much appreciated!

If you are trying to access your instances from the "outside", you will need to create a floating IP pool and assign a floating IP to one of your instances.

CentOS 6.4 + Nginx + uwsgi + (13: Permission denied) while connecting to upstream

As mentioned in the title, I'm experiencing a permission denied error in my nginx + uwsgi setup in my CentOS 6.4. I'm running uwsgi as root already. Below are my configuration files. Take note that I've already linked (ln -s) the mysite_nginx.conf to /etc/nginx/sites-enabled/. Also I've already changed the owner of /home/user1/location/mysite to nginx user.
mysite_uwsgi.ini
#mysite_uwsgi.ini file
[uwsgi]
# Django-related settings
# the base directory (full path)
chdir = /home/user1/location/mysite/myapp
# Django wsgi file
module = mysite.wsgi
# the virtualenv (full path)
home = /home/user1/location/mysite
# process-related settings
# master
master = true
# maximum number of worker processes
processes = 4
# the socket (use the full path to be safe
socket = /home/user1/location/mysite/myapp/myapp.sock
# ... with appropriate permissions - may be needed
chmod-socket = 666
chown-socket = nginx:nginx
# clear environment on exit
vacuum = true
# other config options
uid = nginx
gid = nginx
processes = 4
mysite_nginx.conf
# mysite_nginx.conf
# the upstream component nginx needs to connect to
upstream mysite {
server unix:///home/user1/location/mysite/myapp/myapp.sock; se this first)
}
# configuration of the server
server {
# the port your site will be served on
listen 8082;
# the domain name it will serve for
server_name 192.168.X.X; #
charset utf-8;
# max upload size
client_max_body_size 75M; # adjust to taste
# Django media
location /media {
alias /home/user1/location/mysite/media;
}
location /static {
alias /home/user1/location/mysite/static;
}
I already followed the answers related to the same issue here in stackoverflow but none of them help. What am I lacking? doing wrong?
Thanks in advance!

I had the same problem. the problem is because of selinux policies. you can find the solution in the following link, follow Option 2: Extend the httpd_t Domain Permissions instructions:
http://nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/

Basic Auth on Nginx server on Elastic Beanstalk

I am trying to set up basic auth on my elastic beanstalk instance running nodejs, however, I cannot seem to get this working. I have followed this guide Nginx Server on Amazon EC2, but http traffic is still getting through the nginx instance. I think its because the nginx server on the ec2 instance is not the one I need to be altering the virtual.conf file for. I think the nginx server is on another instance entirely, but I cant seem to find it. I think this because when I ping the Domain name for my site its IP is that of the nginx server and not my Elastic IP. Any ideas on how to configure nginx to restrict http and https traffic to my site on Elastic beanstalk?

Although this isn't a direct answer to your question, I had a lot of trouble finding resources for HTTP Basic Authentication for AWS.
I ended up switching from Nginx to Apache and used this configuration in PROJECT_ROOT/.ebextensions/apache.conf:
files:
"/etc/httpd/conf.d/allow_override.conf":
mode: "000644"
owner: ec2-user
group: ec2-user
encoding: plain
content: |
<Directory /var/app/current/>
AllowOverride AuthConfig
</Directory>
"/etc/httpd/conf.d/auth.conf":
mode: "000644"
owner: ec2-user
group: ec2-user
encoding: plain
content: |
<Directory /var/app/current/>
AuthType Basic
AuthName "Myproject Prototype"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>
"/etc/httpd/.htpasswd":
mode: "000644"
owner: ec2-user
group: ec2-user
encoding: plain
content: |
myusername:mypassword-generated-by-htpasswd
Note, this is not ideal as you end up having password protection in the source code of the repo... But, I couldn't find a better way documented anywhere. I'm currently exploring baking the HTTP Auth into the ec2 instance, saving the instance as an AMI, and using that AMI for the instances that are auto-generated in my beanstalk.
Don't even get me started on HTTP Auth in front of s3 buckets, which is not supported by AWS and requires you point your DNS at a third-party service!

The key factor of managing Elastic Beanstalk's nginx Basic auth is to recognize the conf file is managed by beanstalk, so when you modify it, you need to edit the file in /tmp/deployment/config. All the files in there will be copied to destination, and the destination is calculated by replacing the filename's # character to /. And since the /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf file is not created on the commands step, you need to modify it on the container_commands step.
For me, following worked.
files:
/etc/nginx/.htpasswd:
mode: "000755"
owner: root
group: root
# the content of htpasswd.
# Obtain it by `htpasswd -nb USER PASSWORD`
content: "USER_NAME:HASHED_PASS"
container_commands:
add-basic:
command: |
set -ex
EB_CONFIG_STAGING_DIR=$(/opt/elasticbeanstalk/bin/get-config container -k config_staging_dir)
file_name="${EB_CONFIG_STAGING_DIR}/$(echo /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf | sed -e 's|/|#|g')"
sed -i -e '
/location \// {
s|$|\nauth_basic "Restricted Area";\nauth_basic_user_file /etc/nginx/.htpasswd;|
:loop
n
b loop
}' "$file_name"

Unable to see LDAP references after adding them but still able to ldapsearch them

I have set up two OpenLDAP servers on my network and am trying to enable authentication through LDAP. I am able to login to my servers if users are authenticated on the local LDAP server. However, after I add a reference object to the other server I can't see the object through phpldapadmin. Here's what I am adding with ldapadd.
dn: uid=server2,ou=People,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
cn: server2
ref: ldap://192.168.4.105/ou=People,dc=server2,dc=example,dc=com
It successfully adds but I am unable to see it through phpldapadmin. I can view it through ldapsearch this is what I get.
$ ldapsearch -h 192.168.4.106 -x -b "uid=server2,ou=People,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=server2,ou=People,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 10 Referral
matchedDN: uid=server2,ou=People,dc=example,dc=com
ref: ldap://192.168.4.106/ou=People,dc=server2,dc=example,dc=com??sub
The fact that I can't see the objects and that they don't give me access to the other server is driving me nuts. I have nss_ldap and pam_ldap installed as well as the phpldapadmin module. I am running Ubuntu 13.04 on both servers. This is my slapd.conf for my client.
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/share/slapd/etc/openldap/schema/core.schema
include /usr/share/slapd/etc/openldap/schema/cosine.schema
include /usr/share/slapd/etc/openldap/schema/nis.schema
include /usr/share/slapd/etc/openldap/schema/corba.schema
include /usr/share/slapd/etc/openldap/schema/misc.schema
include /usr/share/slapd/etc/openldap/schema/inetorgperson.schema
allow bind_v2
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
referral ldap://server2.example.com:389
pidfile /usr/share/slapd/var/run/slapd.pid
argsfile /usr/share/slapd/var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
moduleload back_bdb.la
# moduleload back_hdb.la
moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
overlay chain
chain-max-depth 1 #allows 1 referral hop
chain-uri "ldap://192.168.4.106"
chain-rebind-as-user yes
chain-idassert-bind bindmethod="simple"
binddn="cn=admin,dc=example,dc=com"
credentials="{SSHA}****"
mode="self"
chain-tls start
chain-idassert-authzFrom "*"
chain-return-error TRUE
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=server2,dc=example,dc=com"
rootdn "cn=admin,dc=server2,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(9) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}*********
defaultaccess none
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
I would be really grateful if someone could point me in the direction of my problem. I'm not sure if this is related but I am unable to view my OpenLDAP server through Apache Directory Studio but I can see it through phpldapadmin.
ldap.conf
host 192.168.4.105
base dc=server2,dc=example,dc=com
uri ldap://192.168.4.105
ldap_version 3
rootbinddn cn=admin,dc=server2,dc=example,dc=com
rootpw {SSHA}blah
scope sub
timelimit 5
bind_timelimit 5
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_password exop
nss_base_passwd ou=People,dc=server2,dc=example,dc=com?sub
nss_base_shadow ou=People,dc=server2,dc=example,dc=com?sub
nss_base_group ou=Group,dc=server2,dc=example,dc=com?sub
nss_base_hosts ou=Hosts,dc=server2,dc=example,dc=com?sub
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,nslcd,openldap,proxy,root,sshd,statd,sync,sys,syslog,uucp,whoopsie,www-data

Xampp local Drupal install image path problems

I've got Drupal 6.19 installed locally in a xampp SUBDIRECTORY. Everything works great with the exception of the images are broken. The path being created is missing my subdirectory where Drupal is installed.
The path should start with:
http://localhost/drupal6.19/sites/default/files/
but is instead
http://localhost/sites/default/files.
I've tried setting base url in the setting php file and clearing my cache:
$base_url = 'http://localhost/drupal6.19';
did not work. I've also tried uncommenting this line in the htaccess file and clearing cache:
# RewriteBase /drupal6.19
nothing.
I'm running out of ideas. Any help?
I won't do a clean install as I've already spent a lot of time migrating content over and configuring the site. I need to get this fixed somehow...

Have you changes something in the hosts file. Its located at C:\Windows\System32\drivers\etc. The content of the file look like
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost