Redhat Setup Hints

Redhat has many modification from regular popular linux distributions. Hostname To change hostname on redhat7, simple as issuing following commands, no needs to change hosts file one by one: hostnamectl set-hostname name Network Manager Redhat uses NM to manage all interface settings, including IP, DNS and Routes. It’s also supported to use traditional script under /etc/sysconfig/network-scripts/ifcfg-*. To show current interface: nmcli con show To add a new interface profile with static IP:

Continue reading

To remotely control AD add/delete user via Powershell: ssh -i lab.key -o StrictHostKeyChecking=No [email protected] "powershell New-ADUser -Server 10.1.1.1 -Enabled \$True -SAMAccountName $newaccount -DisplayName $newaccount -Givenname $givenname -Surname $surname -Name '$givenname $surname' -UserPrincipalName [email protected] -HomeDirectory \\\\xxx\\userdata\$\\$newaccount -AccountPassword (ConvertTo-SecureString "password" -AsPlainText -force) -PassThru" Note: the \ mark needs to be escaped in regular ssh session, that’s why I use \\\\ to express \\, but if we use this on Spinnaker, the Java interpretor will automatically add escape mark, so \ is not required.

Continue reading

转自int32bit blgo OpenStack高级特性简介 1. 虚拟机软删除 通常情况下,当用户删除虚拟机时,虚拟机会立即从hypervisor底层删除,不可撤回。为了防止人为误操作,Nova支持开启软删除(soft delete)功能,或者称为延迟删除,延迟删除时间通过Nova配置项/etc/nova/nova.conf的reclaim_instance_interval项指定,如下: [DEFAULT] ... reclaim_instance_interval = 120 此时虚拟机执行普通删除操作时,Nova不会立即删除虚拟机,而是会等待两分钟的时间,在此时间间隔内,管理员可以随时恢复虚拟机,只有在超过120秒后虚拟机才会真正执行删除操作,不可恢复。 为了演示该功能,我们删除一台虚拟机int32bit-test-2: # nova list +--------------------------------------+-----------------+--------+------------+-------------+-------------------+ | ID | Name | Status | Task State | Power State | Networks | +--------------------------------------+-----------------+--------+------------+-------------+-------------------+ | 8f082394-ffd2-47db-9837-a8cbd1e011a1 | int32bit-test-1 | ACTIVE | - | Running | private=10.0.0.6 | | 9ef2eea4-77dc-4994-a2d3-a7bc59400d22 | int32bit-test-2 | ACTIVE | - | Running | private=10.0.0.13 | +--------------------------------------+-----------------+--------+------------+-------------+-------------------+ # nova delete 9ef2eea4-77dc-4994-a2d3-a7bc59400d22 Request to delete server 9ef2eea4-77dc-4994-a2d3-a7bc59400d22 has been accepted.

Continue reading

转自int32bit blog OpenStack中那些很少见但很有用的操作 Glance member 镜像是OpenStack中非常重要的数据,保存了用户的操作系统数据,因此保证镜像的安全性非常重要。通常上传到Glance的镜像可见性(visibility)可以设置为public和private,public的镜像表示对所有的租户可见,而private镜像只有租户自己以及管理员可见。在新版本的Glance中,引入了一种新的可见性状态–shared,该状态的镜像允许设置共享给指定的一个或者多个租户。共享的租户我们称为member,我们只需要把租户加到镜像的member中就可以访问其它租户的镜像了。 在测试环境下实验下,首先我们在admin租户下创建一个镜像如下: glance image-create --disk-format raw --container-format bare --name cirror-3.0 --file cirros-3.0.img 在demo租户下该镜像不可见: $ source openrc_demo $ glance image-list +----+------+ | ID | Name | +----+------+ +----+------+ 我们把demo租户加到镜像member中: $ glance member-create ec5426f5-ab4d-43a6-a1e1-5a1919aa7bea fb498fdd27e74750a6b209158437696c +--------------------------------------+----------------------------------+---------+ | Image ID | Member ID | Status | +--------------------------------------+----------------------------------+---------+ | ec5426f5-ab4d-43a6-a1e1-5a1919aa7bea | fb498fdd27e74750a6b209158437696c | pending | +--------------------------------------+----------------------------------+---------+ admin这边把demo加入到member中,还需要demo这边确认,把member状态更新为accepted,表示接收共享的镜像: $ glance member-update ec5426f5-ab4d-43a6-a1e1-5a1919aa7bea fb498fdd27e74750a6b209158437696c accepted +--------------------------------------+----------------------------------+----------+ | Image ID | Member ID | Status | +--------------------------------------+----------------------------------+----------+ | ec5426f5-ab4d-43a6-a1e1-5a1919aa7bea | fb498fdd27e74750a6b209158437696c | accepted | +--------------------------------------+----------------------------------+----------+ 此时在demo租户下可以看到共享的镜像了:

Continue reading

转自int32bit blog如何阅读OpenStack源码 OpenStack基础 OpenStack组件介绍 OpenStack是一个IaaS云计算平台开源实现,其对标产品为AWS。最开始OpenStack只有两个组件,分别为提供计算服务的Nova以及提供对象存储服务的Swift,其中Nova不仅提供计算服务,还包含了网络服务、块存储服务、镜像服务以及裸机管理服务。之后随着项目的不断发展,从Nova中根据功能拆分为多个独立的项目,如nova-volume拆分为Cinder项目提供块存储服务,nova-image拆分为Glance项目,提供镜像存储服务,nova-network则是neutron的前身,裸机管理也从Nova中分离出来为Ironic项目。最开始容器服务也是由Nova提供支持的,作为Nova的driver之一来实现,而后迁移到Heat,到现在已经独立为一个单独的项目Magnum,后来Magnum的愿景调整为主要提供容器编排服务,单纯的容器服务则由Zun项目接管。最开始OpenStack并没有认证功能,从E版开始才加入认证服务Keystone。 目前OpenStack基础服务组件如下: Keystone:认证服务。 Glance:镜像服务。 Nova:计算服务。 Cinder:块存储服务。 Neutorn:网络服务。 Swift:对象存储服务。 E版之后,在这些核心服务之上,又不断涌现新的服务,如面板服务Horizon、编排服务Heat、数据库服务Trove、文件共享服务Manila、大数据服务Sahara、工作流服务Mistral以及前面提到的容器编排服务Magnum等,这些服务几乎都依赖于以上的基础服务。比如Sahara大数据服务会先调用Heat模板服务,Heat又会调用Nova创建虚拟机,调用Glance获取镜像,调用Cinder创建数据卷,调用Neutron创建网络等。 目前最新发布的版本为第15个版本,代号为Pike,Queens版本已经进入快速开发阶段。 OpenStack服务越来越多、越来越复杂,覆盖的技术生态越来越庞大,宛如一个庞然大物,刚接触如此庞大的分布式系统,都或多或少感觉有点如”盲人摸象”的感觉。不过不必先过于绝望,好在OpenStack项目具有非常良好的设计,虽然OpenStack项目众多,组件繁杂,但几乎所有的服务骨架脉络基本是一样的,熟悉了其中一个项目的架构,深入读了其中一个项目源码,再去看其它项目可谓轻车熟路。 本文章会以Nova项目为例,一步一步剖析源码结构,希望读者阅读完之后再去看Cinder项目会是件非常轻松的事。 工欲善其事必先利其器 要阅读源代码首先需要安装科学的代码阅读工具,图形界面使用pycharm没有问题,不过通常在虚拟机中是没有图形界面的,首选vim,需要简单的配置使其支持代码跳转和代码搜索,可以参考GitHub - int32bit/dotfiles: A set of vim, zsh, git, and tmux configuration files。如图: OpenStack所有项目都是基于Python开发,并且都是标准的Python项目,通过setuptools工具管理项目,负责Python模块的安装和分发。想知道一个项目有哪些服务组成,最直接有效的办法就是找到入口函数(main函数)在哪里,只要是标准的基于setuptools管理的项目的所有入口函数都会在项目根目录的setup.cfg文件中定义,console_scripts就是所有服务组件的入口,比如nova(Mitaka版本)的setup.cfg的console_scripts如下: [entry_points] console_scripts = nova-all = nova.cmd.all:main nova-api = nova.cmd.api:main nova-api-metadata = nova.cmd.api_metadata:main nova-api-os-compute = nova.cmd.api_os_compute:main nova-cells = nova.cmd.cells:main nova-cert = nova.cmd.cert:main nova-compute = nova.cmd.compute:main nova-conductor = nova.cmd.conductor:main nova-console = nova.cmd.console:main nova-consoleauth = nova.cmd.consoleauth:main nova-dhcpbridge = nova.cmd.dhcpbridge:main nova-idmapshift = nova.

Continue reading

Kubespray Hints

I’ve been using Kubespray to deploy Kubernetes since Kube version 1.9. It’s by far the most customizable and flexible deployment tool for Kubernetes on the open-source market. So I think it’s worth a post for it. To begin with, let’s talk about the dark and stone-age time when Kubespray just came out as “Kargo”, it used to be so confusing and felt like today’s Kubeadm which is using command-line option to interact and deploy, but now, it’s well maintained and fully Ansible based, which means all variables and parameters are configured inside script, not more command-line options.

Continue reading

Python Hints

Pip dependency failure Sometimes when install pip package it may result in dependency failure: Downloading/unpacking cffi>=1.4.1 (from cryptography>=1.7->pyOpenSSL>=0.14->pyvmomi) Running setup.py (path:/tmp/pip_build_root/cffi/setup.py) egg_info for package cffi unable to execute 'x86_64-linux-gnu-gcc': No such file or directory unable to execute 'x86_64-linux-gnu-gcc': No such file or directory No working compiler found, or bogus compiler options passed to the compiler from Python's distutils module. See the error messages above. (If they are about -mno-fused-madd and you are on OS/X 10.

Continue reading

Ansible Hints

Ansible works against multiple systems in your infrastructure at the same time. It does this by selecting portions of systems listed in Ansible’s inventory, which defaults to being saved in the location /etc/ansible/hosts. You can specify a different inventory file using the -i <path> option on the command line. To ingore RSA key fingerprint concerns: Setting the environment variable ANSIBLE_HOST_KEY_CHECKING to False. Put it in an ansible.cfg file, either set that globally (at system or user level, in /etc/ansible/ansible.

Continue reading

IS-IS Memo

IS-IS Areas In OSPF protocol any of the router’s interfaces can be assigned to a particular area, however the concept of area in IS-IS is different. Here in general, every single router belongs to an Area. The idea of this comes from the fact that IS-IS was initially created to route Connectionless Network Protocol (CLNP) where the address belongs to a device (Router), whereas in Internet Protocol (IP) the address belongs to the particular interface.

Continue reading

Gitlab Hint

gitlab.yml sample config Gitlab Helm install needs to work with certmanager, if you are not using it at all, you can manually bind your certs with nginx, just create secret with tls.crt and tls.key, Where tls.crt would need to include the entire bundle from root CA all the way to your Cert, otherwise you may face weird errors, such as: x509: certificate signed by unknown authority and error authorizing context: authorization token required.

Continue reading

Author's picture

LuLU

Love coding and new technologies

Cloud Solution Consultant

Canada