In a joint effort, Jannis Rake-Revelant, Jürgen Brüder, and myself, Edmund Haselwanter, had a look at several of what we call "OpenStack Lifecycle Management tools".
This time Jürgen Brüder did most of the work, so thanks for sharing your findings :-)
Stackforge provides an open-source repository to set up OpenStack with Chef. You can deploy it with a Chef Server or simply by using Chef-Zero.
It currently includes all OpenStack core projects: Compute, Dashboard, Identity, Image, Network, Object Storage, Block Storage, Telemetry and Orchestration.
Stackforge also comes with a couple of Vagrantfiles that can be used to create a multi-node test deployment from scratch. This way, you also won't need a Chef Server for deployment.
The following Git repository contains good documentation about using Stackforge: https://github.com/stackforge/openstack-chef-repo/tree/stable/icehouse
It also contains example configuration files for environments and roles.
Vagrant can be installed on nearly all operating systems. We will be using Mac OS X for this example.
If you are on Mac OS X, you'll need to install Xcode Command Line Tools from https://developer.apple.com/downloads/
To ensure a proper working deployment, we recommend using the ChefDK for installing all needed Gem dependencies. This will also install Berkshelf etc.
Just follow this link and download the version that fits your OS, then install it: http://downloads.getchef.com/chef-dk/
Install the latest VirtualBox for your operating system: https://www.virtualbox.org/wiki/Downloads
Then install the latest version of Vagrant: https://www.vagrantup.com/downloads
To make the Vagrantfiles work, we need three additional plugins for Vagrant. Open a terminal window and install the Omnibus, Chef-Zero and Berkshelf Vagrant plugins in exactly this order:
vagrant plugin install vagrant-berkshelf
vagrant plugin install vagrant-chef-zero
vagrant plugin install vagrant-omnibus
Please make sure to stick to the installation-order as listed above. Some plugins can have issues if installed in the wrong order.
Check that the three plugins are really installed:
vagrant plugin list
Here is what we got back:
vagrant-berkshelf (3.0.1)
vagrant-chef-zero (0.7.1)
vagrant-login (1.0.1, system)
vagrant-omnibus (1.4.1)
vagrant-share (1.1.2, system)
Clone the Stackforge openstack-chef-repo into your home directory:
git clone -b stable/icehouse https://github.com/stackforge/openstack-chef-repo
Navigate into the created directory and rename the Vagrantfile-multi-neutron to Vagrantfile:
mv Vagrantfile-multi-neutron Vagrantfile
Now install all gems and cookbooks that are needed:
bundle install
berks install
Now you can simply run this command to let Vagrant provision two VMs for you:
vagrant up /ubuntu1204/
One will be an all-in-one node, the second one will be an additional compute node.
If you run into any problems with Vagrant try setting:
export VAGRANT_LOG=debug
Also make sure that the Vagrant plugins are compatible with each other. They are developed on independent release schedules, and a new version of one plugin might not work with an older version of the others.
You can now login at the URL of the first VM. Use the username admin and the password admin for this. If you navigate to Admin -> System Panel -> Host Aggregates you should see both nodes listed.
To be able to create a production-ready bare-metal deployment without Vagrant, we need to understand what Vagrant is doing to deploy OpenStack on VMs.
Vagrant uses two VMs with each having 2 CPUs and 2048MB memory. It also adds two promiscuous interfaces to each VM and allows all frames through.
Each machine will need access to two private networks. Vagrant is configuring this for each VM. The additional Compute node will have only these two networks configured:
# Vagrantfile excerpt
ubuntu1204comp1.vm.network "private_network", ip: "192.168.3.61"
ubuntu1204comp1.vm.network "private_network", ip: "172.16.10.61"
Additionally, the Controller/Compute node has three ports forwarded to the host. Here is the configuration of the Controller/Compute node:
# Vagrantfile excerpt
ubuntu1204cont.vm.network "forwarded_port", guest: 443, host: 8443 # dashboard-ssl
ubuntu1204cont.vm.network "forwarded_port", guest: 8773, host: 8773 # compute-ec2-api
ubuntu1204cont.vm.network "forwarded_port", guest: 8774, host: 8774 # compute-api
ubuntu1204cont.vm.network "private_network", ip: "192.168.3.60"
ubuntu1204cont.vm.network "private_network", ip: "172.16.10.60"
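When translating the Vagrant setup to bare metal it helps to have the network plan in one place: which guest ports end up reachable on the Vagrant host, and which private networks every node must be attached to. The following script is an added example for this post (it is neither part of the Stackforge repository nor of the original article). It parses the two Vagrantfile excerpts above with regular expressions; the excerpt string is constructed from those lines, and it assumes Vagrant's default /24 netmask for private networks whose ip is given without a netmask.

```python
import re

# Constructed input: the two Vagrantfile excerpts quoted in the post, joined
# into one snippet (this is not the complete Vagrantfile-multi-neutron).
VAGRANTFILE_EXCERPT = '''
ubuntu1204cont.vm.network "forwarded_port", guest: 443, host: 8443 # dashboard-ssl
ubuntu1204cont.vm.network "forwarded_port", guest: 8773, host: 8773 # compute-ec2-api
ubuntu1204cont.vm.network "forwarded_port", guest: 8774, host: 8774 # compute-api
ubuntu1204cont.vm.network "private_network", ip: "192.168.3.60"
ubuntu1204cont.vm.network "private_network", ip: "172.16.10.60"
ubuntu1204comp1.vm.network "private_network", ip: "192.168.3.61"
ubuntu1204comp1.vm.network "private_network", ip: "172.16.10.61"
'''

# Only the two statement shapes used in the excerpt are recognised.
FORWARDED_RE = re.compile(
    r'^(?P<vm>\w+)\.vm\.network\s+"forwarded_port",\s*'
    r'guest:\s*(?P<guest>\d+),\s*host:\s*(?P<host>\d+)'
    r'(?:\s*#\s*(?P<label>\S+))?\s*$')
PRIVATE_RE = re.compile(
    r'^(?P<vm>\w+)\.vm\.network\s+"private_network",\s*ip:\s*"(?P<ip>[\d.]+)"\s*$')


def parse_networks(text):
    """Return {vm_name: {"forwarded_ports": [...], "private_ips": [...]}}."""
    plan = {}
    for raw in text.splitlines():
        line = raw.strip()
        fwd = FORWARDED_RE.match(line)
        prv = PRIVATE_RE.match(line)
        if not (fwd or prv):
            continue  # blank line or a statement we do not model
        match = fwd or prv
        node = plan.setdefault(match.group("vm"),
                               {"forwarded_ports": [], "private_ips": []})
        if fwd:
            node["forwarded_ports"].append({
                "guest": int(fwd.group("guest")),
                "host": int(fwd.group("host")),
                "label": fwd.group("label") or "",
            })
        else:
            node["private_ips"].append(prv.group("ip"))
    return plan


def host_exposed_ports(plan):
    """Guest services reachable on the Vagrant host's address. Anything that can
    reach the host can reach these, so they are the first thing to review."""
    exposed = []
    for vm, cfg in plan.items():
        for fp in cfg["forwarded_ports"]:
            exposed.append((fp["host"], vm, fp["guest"], fp["label"]))
    return sorted(exposed)


def private_networks(plan):
    """Group VMs by the /24 of each private address. On bare metal every node
    needs a NIC on each of these networks (management net and tunnel net)."""
    nets = {}
    for vm, cfg in plan.items():
        for ip in cfg["private_ips"]:
            # Assumption: Vagrant's default 255.255.255.0 netmask applies.
            prefix = ip.rsplit(".", 1)[0] + ".0/24"
            nets.setdefault(prefix, []).append(vm)
    return {net: sorted(vms) for net, vms in nets.items()}


def missing_networks(plan):
    """VMs that are not attached to every private network seen in the plan."""
    nets = private_networks(plan)
    return sorted(vm for vm in plan
                  if any(vm not in members for members in nets.values()))


if __name__ == "__main__":
    plan = parse_networks(VAGRANTFILE_EXCERPT)
    for host_port, vm, guest_port, label in host_exposed_ports(plan):
        print("host:%d -> %s:%d (%s)" % (host_port, vm, guest_port, label))
    for net, members in private_networks(plan).items():
        print(net, members)
    print("nodes missing a private network:", missing_networks(plan))
```

Running it lists the dashboard (8443) and the two Nova APIs (8773, 8774) as reachable on the host and confirms that both nodes sit on 192.168.3.0/24 and 172.16.10.0/24; on bare metal those two networks are what each physical machine has to provide.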
Vagrant uses Chef-Zero to set up the deployment, which means that no actual Chef Server is necessary. This is a good approach for small deployments. It also installs all needed Chef dependencies (e.g. Berkshelf) on the VM with an omnibus installer.
During its run it uploads all needed cookbooks to Chef-Zero (every OpenStack project, e.g. Nova or Swift, is available as a Chef cookbook). On a bare machine you would run:
# Install Chef-Omnibus
curl -L https://www.opscode.com/chef/install.sh | bash

# Checkout Stackforge repo
git clone -b stable/icehouse https://github.com/stackforge/openstack-chef-repo
cd openstack-chef-repo

# Installing Berkshelf gem and cookbooks
/opt/chef/embedded/bin/gem install berkshelf --no-ri --no-rdoc
/opt/chef/embedded/bin/berks vendor ./cookbooks
The environment provides the overall configuration for our deployment. It can tell each VM where to look for specific services, which network interface to use for what, etc. Stackforge comes with a number of predefined environments. They are written for testing (the one below, for example, enables developer_mode and a MySQL root account reachable from any host), so for a production deployment we recommend writing your own.
We will modify one of the provided environments to fit our scenario better. Here you can see the environment that we will be using:
{
  "name": "vagrant-multi-neutron",
  "description": "Environment used in testing the upstream cookbooks and reference Chef repository with vagrant. To be used with the Vagrantfile-multi-neutron vagrantfile. Defines the necessary attributes for a working multinode (1 controller/n computes) openstack deployment, using neutron (with gre tunnels between hosts) for the networking component.",
  "cookbook_versions": {},
  "json_class": "Chef::Environment",
  "chef_type": "environment",
  "default_attributes": {},
  "override_attributes": {
    "mysql": {
      "allow_remote_root": true,
      "root_network_acl": ["%"]
    },
    "openstack": {
      "developer_mode": true,
      "identity": {
        "bind_interface": "eth1"
      },
      "endpoints": {
        "host": "192.168.3.60",
        "mq": {
          "host": "192.168.3.60",
          "bind_interface": "eth1"
        },
        "db": {
          "host": "192.168.3.60",
          "bind_interface": "eth1"
        }
      },
      "network": {
        "debug": "True",
        "dhcp": {
          "enable_isolated_metadata": "True"
        },
        "metadata": {
          "nova_metadata_ip": "192.168.3.60"
        },
        "openvswitch": {
          "tunnel_id_ranges": "1:1000",
          "enable_tunneling": "True",
          "tenant_network_type": "gre",
          "local_ip_interface": "eth2"
        },
        "api": {
          "bind_interface": "eth1"
        }
      },
      "image": {
        "api": {
          "bind_interface": "eth1"
        },
        "registry": {
          "bind_interface": "eth1"
        },
        "image_upload": true,
        "upload_images": [
          "cirros",
          "ubuntu"
        ],
        "upload_image": {
          "ubuntu": "http://cloud-images.ubuntu.com/precise/current/precise-server-cloudimg-amd64-disk1.img",
          "cirros": "https://launchpad.net/cirros/trunk/0.3.0/+download/cirros-0.3.0-x86_64-disk.img"
        }
      },
      "compute": {
        "xvpvnc_proxy": {
          "bind_interface": "eth1"
        },
        "novnc_proxy": {
          "bind_interface": "eth1"
        },
        "libvirt": {
          "virt_type": "qemu"
        },
        "network": {
          "public_interface": "eth1",
          "service_type": "neutron"
        },
        "config": {
          "ram_allocation_ratio": 5
        }
      }
    }
  }
}
Create the environment file under /openstack-chef-repo/environments/. Its filename needs to be vagrant-multi-neutron.json, i.e. the environment's name plus .json.
Each machine gets its own run_list. The run_list defines which roles or recipes are applied on that machine.
Here is a listing of the run_list of each machine:
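Before an environment file like the one above is reused for a bare-metal deployment, it is worth checking it mechanically for the test-only settings it carries. The script below is an added example written for this post, not code from Stackforge or the original article. It embeds a trimmed copy of the environment (constructed from the JSON above, keeping only the attributes the checks look at), lints it, and shows the same file with the production overrides applied. It assumes eth1 is the management interface that every service should bind to, as in the environment above; the rules it applies are the editor's reading of the attributes, not documentation from the cookbooks.

```python
import copy
import json

# Constructed excerpt of the vagrant-multi-neutron environment shown in the
# post, trimmed to the attributes the checks below inspect.
ENVIRONMENT_JSON = """
{
  "name": "vagrant-multi-neutron",
  "json_class": "Chef::Environment",
  "chef_type": "environment",
  "override_attributes": {
    "mysql": {
      "allow_remote_root": true,
      "root_network_acl": ["%"]
    },
    "openstack": {
      "developer_mode": true,
      "identity": {"bind_interface": "eth1"},
      "endpoints": {
        "host": "192.168.3.60",
        "mq": {"host": "192.168.3.60", "bind_interface": "eth1"},
        "db": {"host": "192.168.3.60", "bind_interface": "eth1"}
      },
      "network": {
        "debug": "True",
        "openvswitch": {"local_ip_interface": "eth2"},
        "api": {"bind_interface": "eth1"}
      },
      "compute": {
        "novnc_proxy": {"bind_interface": "eth1"},
        "network": {"public_interface": "eth1", "service_type": "neutron"}
      }
    }
  }
}
"""

# Assumption: eth1 carries the 192.168.3.0/24 management network, so every
# service's bind_interface is expected to be eth1.
MANAGEMENT_INTERFACE = "eth1"


def load_environment(text=ENVIRONMENT_JSON):
    return json.loads(text)


def iter_leaves(node, path=()):
    """Yield (path, value) for every non-dict value in a nested dict."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_leaves(value, path + (key,))
    else:
        yield path, node


def lint_environment(env, management_interface=MANAGEMENT_INTERFACE):
    """Return findings for settings that are fine for a Vagrant test setup
    but should not survive into a production environment file."""
    findings = []
    attrs = env.get("override_attributes", {})

    mysql = attrs.get("mysql", {})
    if mysql.get("allow_remote_root"):
        findings.append("mysql.allow_remote_root: MySQL root may log in over the network")
    if "%" in mysql.get("root_network_acl", []):
        findings.append("mysql.root_network_acl: '%' accepts root from any host")

    ostack = attrs.get("openstack", {})
    if ostack.get("developer_mode"):
        findings.append("openstack.developer_mode: test-only setting, disable for production")
    if str(ostack.get("network", {}).get("debug", "")).lower() == "true":
        findings.append("openstack.network.debug: debug logging enabled")

    # Every bind_interface must point at the management interface.
    for path, value in iter_leaves(ostack):
        if path[-1] == "bind_interface" and value != management_interface:
            findings.append("openstack.%s binds to %s, expected %s"
                            % (".".join(path), value, management_interface))
    return findings


def production_overrides(env):
    """Return a copy of the environment with the test-only settings turned off."""
    hardened = copy.deepcopy(env)
    attrs = hardened.setdefault("override_attributes", {})
    mysql = attrs.setdefault("mysql", {})
    mysql["allow_remote_root"] = False
    mysql["root_network_acl"] = []          # root only from localhost
    ostack = attrs.setdefault("openstack", {})
    ostack["developer_mode"] = False
    ostack.setdefault("network", {})["debug"] = "False"
    return hardened


if __name__ == "__main__":
    env = load_environment()
    for finding in lint_environment(env):
        print("-", finding)
    print("after overrides:", lint_environment(production_overrides(env)))
```

Run against the environment from the post, the linter reports the remote MySQL root login, the "%" ACL, developer_mode and network debug logging; after production_overrides the list is empty. Passing a different management_interface reports every bind_interface that does not match it, which is the check you want when the bare-metal hosts name their interfaces differently from the Vagrant VMs.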
# Controller/Compute node
role[os-compute-single-controller-no-network]
recipe[openstack-network::identity_registration]
role[os-network-openvswitch]
role[os-network-dhcp-agent]
role[os-network-metadata-agent]
role[os-network-server]

# Compute node
role[os-compute-worker]
recipe[apt::cacher-client]
If you want to add a role to a machine manually, you can do this with the following command:
knife node run_list add NODE_NAME -z 'role[NAME_OF_ROLE]'
After everything is configured, Vagrant runs the Chef client on each VM. This installs everything that is needed and creates a running deployment. This would be the equivalent command to run it manually:
# Assuming you have a my-deployment.json inside the environments directory
chef-client -z -E my-deployment