
Goodbye Openstack

This does not work. As far as I can tell you can only install devstack on raw hardware and let it install all of its ever-moving dependencies. I was able to do this with Pike as it stood 6 months ago, but now an uninstall and reinstall using the same version no longer works.

I don't believe I can trust anything that moves this much to be sane, let alone secure.

FUCK THIS.

Best attempt at lxc in a container

Now we want to see about the devstack container. It should have its own network interface (eno3) and disk /dev/sdf.

  • use lxd init to create a zfs filesystem for devstack. At some point we should figure out how to configure both zfs and the appropriate bridge configuration without these two steps.
 root@bs2020:~# lxd init
 ...
 root@bs2020:~# zfs list
 NAME                          USED  AVAIL  REFER  MOUNTPOINT
 lxd4devstack                  243M   132G    19K  none
 lxd4infra                     200M   132G    19K  none
 lxd4infra/naomi               200M   132G   200M  /var/lib/lxc/naomi/rootfs
 root@bs2020:~# 

 https://docs.openstack.org/devstack/latest/guides/lxc.html
  • set up br1; use dpkg-reconfigure to point the network at br1
root@bs2020:~# nano /etc/network/interfaces
... add the following ...
auto br1
iface br1 inet static
 address 0.0.0.0
 dns-nameservers 198.202.31.132 198.202.31.141 8.8.8.8
 bridge_ports eno3

iface eno3 inet manual
root@bs2020:~# ifdown br1 && ifup br1
root@bs2020:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
...
12: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
 link/ether d4:be:d9:ec:ee:d2 brd ff:ff:ff:ff:ff:ff
 inet6 fe80::d6be:d9ff:feec:eed2/64 scope link 
  valid_lft forever preferred_lft forever
  • set up lxc config file
root@bs2020:~# nano /etc/lxc/devstack.conf 
# from https://docs.openstack.org/devstack/latest/guides/lxc.html
# NOTE(review): the device settings below deliberately loosen container
# isolation so devstack can run. Treat this container as having reach into
# the host kernel, not as a security boundary.
# Permit access to /dev/loop*
# (block devices with major number 7; "rwm" = read, write and mknod)
lxc.cgroup.devices.allow = b 7:* rwm

# Setup access to /dev/net/tun and /dev/kvm
# Both host device nodes are bind-mounted into the container, so code running
# inside it talks to the host's tun and KVM drivers directly.
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0
lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0

# Networking
# A veth pair attached to host bridge br1. The "xx" groups in hwaddr are
# template characters that LXC replaces with random hex digits.
# NOTE(review): lxc.network.* is the older key naming (lxc.net.0.* in later
# LXC releases) - confirm against the installed LXC version.
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br1
lxc.network.hwaddr = 00:16:3d:xx:xx:xx

# Static address and gateway for the container's interface on br1.
# NOTE(review): the container sits directly on the bridged segment with this
# address; nothing in this file filters traffic to it - confirm what does.
lxc.network.ipv4 = 198.202.31.160/25
lxc.network.ipv4.gateway = 198.202.31.129

# Autostart settings: auto = 1 enables autostart, with delay 7 and order 150.
lxc.start.auto = 1
lxc.start.delay = 7
lxc.start.order = 150
  • create the image
root@bs2020:~# lxc-create -n theswedishchef  -t ubuntu -f /etc/lxc/devstack.conf -B zfs \        
         --zfsroot=lxd4devstack \
        -- --packages=bsdmainutils,git,nano,ebtables,openvswitch-common
  • add local admin users, set up the network, and lock down the ubuntu user.
# passwd -l only locks the account's password; key-based SSH logins for the
# account keep working unless its authorized_keys is removed or the account
# itself is expired.
root@bs2020:~# passwd -l ubuntu -R /var/lib/lxc/theswedishchef/rootfs
passwd: password expiry information changed.
root@bs2020:~# cd /var/lib/lxc/theswedishchef/rootfs/
# The two appends below use relative paths (etc/passwd, etc/shadow) and so
# depend on the cd above having succeeded. shadow.add holds password hashes:
# keep it readable by root only and delete it once merged.
# NOTE(review): "passed.add" is presumably "passwd.add" - confirm.
root@bs2020:~# cat ~feurig/passed.add>>etc/passwd
root@bs2020:~# cat ~feurig/shadow.add>>etc/shadow
# NOTE(review): "~feurig fnj.tgz" looks like a dropped "/" (~feurig/fnj.tgz) - confirm.
root@bs2020:~# tar -xzvf ~feurig fnj.tgz
drwxr-xr-x root/root         0 2017-09-27 17:58 home/
... home directories for admins mostly for the following file ...
# NOTE(review): authorized_keys is listed as group-writable (rw-rw-r--). sshd
# with StrictModes on normally refuses key files writable by group or others,
# and a group-writable key file lets other group members add keys; 0600 is the
# usual mode.
-rw-rw-r-- joe/joe         402 2017-09-25 23:51 home/joe/.ssh/authorized_keys
root@bs2020:~# cd 
# -G without -a replaces the supplementary group list. Membership in "root"
# grants group-root file access on top of sudo - confirm it is really needed.
root@bs2020:~# usermod -R /var/lib/lxc/theswedishchef/rootfs -G sudo,root joe
root@bs2020:~# usermod -R /var/lib/lxc/theswedishchef/rootfs -G sudo,root feurig
# NOTE(review): feurig is created twice (gid 1001, then 1002) and joe reuses
# gid 1002, so two accounts may end up sharing a group. Looks like a
# transcription slip - confirm the intended gids.
root@bs2020:~# groupadd -R /var/lib/lxc/theswedishchef/rootfs -g 1001 feurig
root@bs2020:~# groupadd -R /var/lib/lxc/theswedishchef/rootfs -g 1002 feurig
root@bs2020:~# groupadd -R /var/lib/lxc/theswedishchef/rootfs -g 1002 joe
root@bs2020:~#  cat <<eod >>/var/lib/lxc/theswedishchef/rootfs/etc/resolvconf/resolv.conf.d/base 
dns-nameserver 198.202.31.132 8.8.8.8
nameserver 198.202.31.132 8.8.8.8
eod
root@bs2020:~#  cat <<eod2 >>/var/lib/lxc/theswedishchef/rootfs/etc/network/interfaces
iface eth0 inet static
 address 198.202.31.160/25
 gateway 198.202.31.129
 dns-nameservers 198.202.31.132 198.202.31.141 8.8.8.8
 dns-search suspectdevices.com digithink.com
eod2
  • check for ebtables module
 root@bs2020:~# lsmod |grep ebt
 ebtable_broute         16384  0
 ebtable_nat            16384  0
 ebtable_filter         16384  0
 ebtables               36864  3 ebtable_broute,ebtable_nat,ebtable_filter
 x_tables               36864  9 xt_CHECKSUM,ip_tables,xt_tcpudp,ipt_MASQUERADE,xt_conntrack,iptable_filter,ebtables,ipt_REJECT,iptable_mangle
 bridge                126976  1 ebtable_broute
  • run up instance and install devstack
 root@bs2020:~# lxc-start -n theswedishchef
 root@bs2020:~# lxc-attach -n theswedishchef
 root@theswedishchef:~# apt-get install --reinstall ca-certificates
 root@theswedishchef:/# useradd -s /bin/bash -d /opt/stack -m stack
 # The sudoers drop-in below gives "stack" passwordless root, so everything
 # run as that user (including the cloned stack.sh) is effectively root inside
 # a container that was also handed the host's loop, tun and kvm devices.
 # A syntax check such as `visudo -cf /etc/sudoers.d/stack` is worth running
 # after writing the file.
 root@theswedishchef:/#  echo "stack ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/stack
 stack ALL=(ALL) NOPASSWD: ALL
 root@theswedishchef:/# su - stack
 # NOTE(review): the clone takes whatever the default branch holds at that
 # moment - no branch, tag or commit is pinned - so each reinstall can pull
 # different code that then runs with root rights. Checking out a fixed
 # release branch or commit makes the run repeatable and reviewable.
 stack@theswedishchef:~$ git clone https://git.openstack.org/openstack-dev/devstack
 Cloning into 'devstack'...
 ... done.
 stack@theswedishchef:~$  cd devstack/
 stack@theswedishchef:~/devstack$ nano local.conf
 [[local|localrc]]
 # NOTE(review): this password is published with the page; treat it as burned
 # and set a fresh value in any real local.conf.
 ADMIN_PASSWORD=B0rkB0rkB0rk
 # The database, RabbitMQ and service accounts all reuse the admin password,
 # so one leaked credential exposes every component. Use distinct secrets
 # anywhere beyond a throwaway lab.
 DATABASE_PASSWORD=$ADMIN_PASSWORD
 RABBIT_PASSWORD=$ADMIN_PASSWORD
 SERVICE_PASSWORD=$ADMIN_PASSWORD
 PUBLIC_INTERFACE=eth0
 # NOTE(review): loopback here, while eth0 is given 198.202.31.160 earlier on
 # this page - confirm this is intended.
 HOST_IP=127.0.0.1
 # NOTE(review): a /28 starting at .160 spans .160-.175, which includes the
 # container's own address (.160) - confirm the range.
 FLOATING_RANGE=198.202.31.160/28
 PUBLIC_NETWORK_GATEWAY=198.202.31.129
 # NOTE(review): the pool end begins with 192 while the start and
 # FLOATING_RANGE use 198 - probably a typo; confirm.
 Q_FLOATING_ALLOCATION_POOL=start=198.202.31.161,end=192.202.31.173
 #IPV4_ADDRS_SAFE_TO_USE=172.31.1.0/24
  stack@theswedishchef:~/devstack$ ./stack.sh
 ... don't even look at it just walk away ....

Approaches Attempted

  • https://stgraber.org/2016/10/26/lxd-2-0-lxd-and-openstack-1112/ (lxd fights with yet another fucking automated deployment system (snapd); this is lxd, not lxc). Bottom line: snapd, and therefore juju, won't run in a container on LTS until at least 18.04.
  • All three "stable" releases. Most of them had issues with different kernel dependencies.

wasted time