Sunday, December 14, 2014

Running Nova-Docker on OpenStack RDO Juno (CentOS 7)

Quote ([2]) :-

The Docker driver is a hypervisor driver for Openstack Nova Compute. It was introduced with the Havana release, but lives out-of-tree for Icehouse and Juno. Being out-of-tree has allowed the driver to reach maturity and feature-parity faster than would be possible should it have remained in-tree. It is expected the driver will return to mainline Nova in the Kilo release.

This post in general follows up ([2]) with detailed instructions of nova-docker
driver install on RDO Juno (CentOS 7) ([3]).

Install required packages to install nova-dockker driver per https://wiki.openstack.org/wiki/Docker

***************************
Initial docker setup
***************************

# yum install docker-io -y
# yum install -y python-pip git
# git clone https://github.com/fikovnik/nova-docker.git
# cd nova-docker
# git branch -v -a

#  master                1ed1820 A note no firewall drivers.
  remotes/origin/HEAD   -> origin/master
  remotes/origin/juno   1a08ea5 Fix the problem when an image
            is not located in the local docker image registry.
  remotes/origin/master 1ed1820 A note no firewall drivers.
# git checkout -b juno origin/juno
# python setup.py install
# systemctl start docker
# systemctl enable docker
# chmod 660  /var/run/docker.sock
# pip install pbr
#  mkdir /etc/nova/rootwrap.d


******************************
Update nova.conf
******************************
vi /etc/nova/nova.conf
set "compute_driver = novadocker.virt.docker.DockerDriver"

************************************************
Next, create the docker.filters file:
************************************************

vi /etc/nova/rootwrap.d/docker.filters

Insert Lines

# nova-rootwrap command filters for setting up network in the docker driver
# This file should be owned by (and only-writeable by) the root user
[Filters]
# nova/virt/docker/driver.py: 'ln', '-sf', '/var/run/netns/.*'
ln: CommandFilter, /bin/ln, root

*****************************************
Add line /etc/glance/glance-api.conf
*****************************************
container_formats=ami,ari,aki,bare,ovf,ova,docker
:wq

************************
Restart Services
************************
usermod -G docker nova
systemctl restart openstack-nova-compute
systemctl status openstack-nova-compute
systemctl restart openstack-glance-api

******************************
Verification docker install
******************************

[root@juno ~]# docker run -i -t fedora /bin/bash
Unable to find image 'fedora' locally
fedora:latest: The image you are pulling has been verified

00a0c78eeb6d: Pull complete
2f6ab0c1646e: Pull complete
511136ea3c5a: Already exists
Status: Downloaded newer image for fedora:latest
bash-4.3# cat /etc/issue
Fedora release 21 (Twenty One)
Kernel \r on an \m (\l)

[root@juno ~]# docker ps -a

CONTAINER ID        IMAGE                    COMMAND             CREATED             STATUS                        PORTS               NAMES
738e54f9efd4        fedora:latest            "/bin/bash"         3 minutes ago       Exited (127) 25 seconds ago                       stoic_lumiere                              
14fd0cbba76d        ubuntu:latest            "/bin/bash"         3 minutes ago       Exited (0) 3 minutes ago                          prickly_hypatia                            
ef1a726d1cd4        fedora:latest            "/bin/bash"         5 minutes ago       Exited (0) 3 minutes ago                          drunk_shockley                             
0a2da90a269f        ubuntu:latest            "/bin/bash"         11 hours ago        Exited (0) 11 hours ago                           thirsty_kowalevski                         
5a3288ce0e8e        ubuntu:latest            "/bin/bash"         11 hours ago        Exited (0) 11 hours ago                           happy_leakey                               
21e84951eabd        tutum/wordpress:latest   "/run.sh"           16 hours ago        Up About an hour                                  nova-bf5f7eb9-900d-48bf-a230-275d65813b0f  

*******************
Setup Wordpress
*******************


# docker pull tutum/wordpress
# . keystonerc_admin
# docker save tutum/wordpress | glance image-create --is-public=True --container-format=docker --disk-format=raw --name tutum/wordpress


[root@juno ~(keystone_admin)]# glance image-list
+--------------------------------------+-----------------+-------------+------------------+-----------+--------+
| ID                                   | Name            | Disk Format | Container Format | Size      | Status |
+--------------------------------------+-----------------+-------------+------------------+-----------+--------+
| c6d01e60-56c2-443f-bf87-15a0372bc2d9 | cirros          | qcow2       | bare             | 13200896  | active |
| 9d59e7ad-35b4-4c3f-9103-68f85916f36e | tutum/wordpress | raw         | docker           | 517639680 | active |
+--------------------------------------+-----------------+-------------+------------------+-----------+--------+

********************
Start container
********************
$ . keystonerc_demo

[root@juno ~(keystone_demo)]# neutron net-list
+--------------------------------------+--------------+-------------------------------------------------------+
| id                                   | name         | subnets                                               |
+--------------------------------------+--------------+-------------------------------------------------------+
| ccfc4bb1-696d-4381-91d7-28ce7c9cb009 | private      | 6c0a34ab-e3f1-458c-b24a-96f5a2149878 10.0.0.0/24      |
| 32c14896-8d47-4a56-b3c6-0dd823f03089 | public       | b1799aef-3f69-429c-9881-f81c74d83060 192.169.142.0/24 |
| a65bff8f-e397-491b-aa97-955864bec2f9 | demo_private | 69012862-f72e-4cd2-a4fc-4106d431cf2f 70.0.0.0/24      |
+--------------------------------------+--------------+-------------------------------------------------------+
$ nova boot --image "tutum/wordpress" --flavor m1.tiny --key-name  osxkey --nic net-id=a65bff8f-e397-491b-aa97-955864bec2f9 WordPress

 [root@juno ~(keystone_demo)]# nova list
+--------------------------------------+-----------+---------+------------+-------------+-----------------------------------------+
| ID                                   | Name      | Status  | Task State | Power State | Networks                                |
+--------------------------------------+-----------+---------+------------+-------------+-----------------------------------------+

| bf5f7eb9-900d-48bf-a230-275d65813b0f |  WordPress   | ACTIVE  | -          | Running     | demo_private=70.0.0.16, 192.169.142.153 |
+--------------------------------------+-----------+---------+------------+-------------+-----------------------------------------+

[root@juno ~(keystone_demo)]# docker ps -a

CONTAINER ID        IMAGE                    COMMAND             CREATED             STATUS                   PORTS               NAMES
21e84951eabd        tutum/wordpress:latest   "/run.sh"           About an hour ago   Up 11 minutes                                nova-bf5f7eb9-900d-48bf-a230-275d65813b0f 


**************************
Starting Wordpress
**************************

Immediately after VM starts (on non-default Libvirts Subnet 192.169.142.0/24) status WordPress  is SHUTOFF, so we start WordPress (browser launched to
Juno VM 192.169.142.45 from KVM Hypervisor Server ) :-


   Browser launched to WordPress container 192.169.142.153  from KVM  Hypervisor Server
 


 **********************************************************************************
  Floating IP assigned to Wordpress container  been used to launch browser:-
 ********************************************************************************** 

     



*******************************************************************************************
Another sample to demonstrating nova-docker container functionality. Browser launched to Wordpress nova-docker container   (192.169.142.155)   from KVM Hypervisor Server hosting Libvirt's Subnet (192.169.142.0/24)
*******************************************************************************************


 



  

*****************
MySQL Setup
*****************

  # docker pull tutum/mysql
  # .   keystonerc_admin
  *****************************
  Creating Glance Image
  *****************************
  #   docker save tutum/mysql:latest | glance image-create --is-public=True --container-format=docker --disk-format=raw --name tutum/mysql:latest

  ****************************************
  Starting Nova-Docker container
  ****************************************
  # .   keystonerc_demo
  #   nova boot --image "tutum/mysql:latest" --flavor m1.tiny --key-name  osxkey --nic net-id=5fcd01ac-bc8e-450d-be67-f0c274edd041 mysql
 

 [root@ip-192-169-142-45 ~(keystone_demo)]# nova list
+--------------------------------------+---------------+--------+------------+-------------+-----------------------------------------+
| ID                                   | Name          | Status | Task State | Power State | Networks                                |
+--------------------------------------+---------------+--------+------------+-------------+-----------------------------------------+
| 3dbf981f-f28c-4abe-8fd1-09b8b8cad930 | WordPress     | ACTIVE | -          | Running     | demo_network=70.0.0.16, 192.169.142.153 |
| 39eef361-1329-44d9-b05a-f6b4b8693aa3 | mysql         | ACTIVE | -          | Running     | demo_network=70.0.0.19, 192.169.142.155 |
| 626bd8e0-cf1a-4891-aafc-620c464e8a94 | tutum/hipache | ACTIVE | -          | Running     | demo_network=70.0.0.18, 192.169.142.154 |
+--------------------------------------+---------------+--------+------------+-------------+-----------------------------------------+

[root@ip-192-169-142-45 ~(keystone_demo)]# docker ps -a
CONTAINER ID        IMAGE                          COMMAND               CREATED             STATUS                         PORTS               NAMES
3da1e94892aa        tutum/mysql:latest             "/run.sh"             25 seconds ago      Up 23 seconds                                      nova-39eef361-1329-44d9-b05a-f6b4b8693aa3 
77538873a273        tutum/hipache:latest           "/run.sh"             30 minutes ago                                                         condescending_leakey                      
844c75ca5a0e        tutum/hipache:latest           "/run.sh"             31 minutes ago                                                         condescending_turing                      
f477605840d0        tutum/hipache:latest           "/run.sh"             42 minutes ago      Up 31 minutes                                      nova-626bd8e0-cf1a-4891-aafc-620c464e8a94 
3e2fe064d822        rastasheep/ubuntu-sshd:14.04   "/usr/sbin/sshd -D"   About an hour ago   Exited (0) About an hour ago                       test_sshd                                 
8e79f9d8e357        fedora:latest                  "/bin/bash"           About an hour ago   Exited (0) About an hour ago                       evil_colden                               
9531ab33db8d        ubuntu:latest                  "/bin/bash"           About an hour ago   Exited (0) About an hour ago                       angry_bardeen                             
df6f3c9007a7        tutum/wordpress:latest         "/run.sh"             2 hours ago         Up About an hour                                   nova-3dbf981f-f28c-4abe-8fd1-09b8b8cad930

 
[root@ip-192-169-142-45 ~(keystone_demo)]# docker logs 3da1e94892aa
=> An empty or uninitialized MySQL volume is detected in /var/lib/mysql
=> Installing MySQL ...
=> Done!
=> Creating admin user ...
=> Waiting for confirmation of MySQL service startup, trying 0/13 ...
=> Creating MySQL user admin with random password
=> Done!
========================================================================
You can now connect to this MySQL Server using:

    mysql -uadmin -pfXs5UarEYaow -h -P

Please remember to change the above password as soon as possible!
MySQL user 'root' has no password but only allows local connections
========================================================================
141218 20:45:31 mysqld_safe Can't log to error log and syslog at the same time.
Remove all --log-error configuration options for --syslog to take effect.

141218 20:45:31 mysqld_safe Logging to '/var/log/mysql/error.log'.
141218 20:45:31 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql

[root@ip-192-169-142-45 ~(keystone_demo)]# mysql -uadmin -pfXs5UarEYaow -h 192.169.142.155  -P 3306
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.5.40-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases ;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.01 sec)

MySQL [(none)]>


*******************************************
Setup Ubuntu 14.04 with SSH access
*******************************************

# docker pull rastasheep/ubuntu-sshd:14.04

# . keystonerc_admin
# docker save rastasheep/ubuntu-sshd:14.04 | glance image-create --is-public=True   --container-format=docker --disk-format=raw --name rastasheep/ubuntu-sshd:14.04

# . keystonerc_demo
# nova boot --image "rastasheep/ubuntu-sshd:14.04" --flavor m1.tiny --key-name  osxkey    --nic net-id=5fcd01ac-bc8e-450d-be67-f0c274edd041 ubuntuTrusty

***********************************************************
Login to dashboard && assign floating IP via dashboard:-
***********************************************************




  [root@ip-192-169-142-45 ~(keystone_demo)]# nova list
+--------------------------------------+--------------+---------+------------+-------------+-----------------------------------------+
| ID                                   | Name         | Status  | Task State | Power State | Networks                                |
+--------------------------------------+--------------+---------+------------+-------------+-----------------------------------------+
| 3dbf981f-f28c-4abe-8fd1-09b8b8cad930 | WordPress    | SHUTOFF | -          | Shutdown    | demo_network=70.0.0.16, 192.169.142.153 |
| 7bbf887f-167c-461e-9ee0-dd4d43605c9e | lamp         | ACTIVE  | -          | Running     | demo_network=70.0.0.20, 192.169.142.156 |
| 39eef361-1329-44d9-b05a-f6b4b8693aa3 | mysql        | SHUTOFF | -          | Shutdown    | demo_network=70.0.0.19, 192.169.142.155 |
| f21dc265-958e-4ed0-9251-31c4bbab35f4 | ubuntuTrusty | ACTIVE  | -          | Running     | demo_network=70.0.0.21, 192.169.142.157 |
+--------------------------------------+--------------+---------+------------+-------------+-----------------------------------------+
[root@ip-192-169-142-45 ~(keystone_demo)]# ssh root@192.169.142.157
root@192.169.142.157's password:
Last login: Fri Dec 19 09:19:40 2014 from ip-192-169-142-45.ip.secureserver.net
root@instance-0000000d:~# cat /etc/issue
Ubuntu 14.04.1 LTS \n \l

root@instance-0000000d:~# ifconfig
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

nse49711e9-93 Link encap:Ethernet  HWaddr fa:16:3e:32:5e:d8 
          inet addr:70.0.0.21  Bcast:70.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe32:5ed8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2574 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1653 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2257920 (2.2 MB)  TX bytes:255582 (255.5 KB)


root@instance-0000000d:~# df -h
Filesystem                                                                                         Size  Used Avail Use% Mounted on
/dev/mapper/docker-253:1-4600578-76893e146987bf4b58b42ff6ed80892df938ffba108f22c7a4591b18990e0438  9.8G  302M  9.0G   4% /
tmpfs                                                                                              1.9G     0  1.9G   0% /dev
shm                                                                                                 64M     0   64M   0% /dev/shm
/dev/mapper/centos-root                                                                             36G  9.8G   26G  28% /etc/hosts
tmpfs                                                                                              1.9G     0  1.9G   0% /run/secrets
tmpfs                                                                                              1.9G     0  1.9G   0% /proc/kcore


  

************************************************************
Set up VNC with Ubuntu SSH nova-docker container
************************************************************

root@instance-0000000e:~# cat /etc/issue
Ubuntu 14.04.1 LTS \n \l

root@instance-0000000e:~#apt-get install xorg fluxbox vnc4server -y
root@instance-0000000e:~# echo "exec fluxbox">> ~/.xinitrc


root@instance-0000000e:~# ifconfig                            
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ns6006a533-77 Link encap:Ethernet  HWaddr fa:16:3e:26:64:d2 
          inet addr:70.0.0.22  Bcast:70.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe26:64d2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4284 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5771 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:706698 (706.6 KB)  TX bytes:2866607 (2.8 MB)

root@instance-0000000e:~# ps -ef | grep vnc
root        33     1  0 15:48 pts/0    00:00:02 Xvnc4 :1 -desktop instance-0000000e:1 (root) -auth /root/.Xauthority -geometry 1024x768 -depth 16 -rfbwait 30000 -rfbauth /root/.vnc/passwd -rfbport 5901 -pn -fp /usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/Speedo/,/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/share/fonts/X11/misc/,/usr/share/fonts/X11/Type1/,/usr/share/fonts/X11/75dpi/,/usr/share/fonts/X11/100dpi/ -co /etc/X11/rgb
root        39     1  0 15:48 pts/0    00:00:00 vncconfig -iconic
root       148     9  0 15:59 pts/0    00:00:00 grep --color=auto vnc



  



 References

Thursday, December 11, 2014

Testing Juno on CentOS 7 with SELINUX enforced

AVC denial during packstack run :-


  

****************************************************************************
Attempt restart neutron-dhcp-agent.service with dnsmasq enabled
****************************************************************************

[root@juno ~]# systemctl status  neutron-dhcp-agent.service -l
neutron-dhcp-agent.service - OpenStack Neutron DHCP Agent
   Loaded: loaded (/usr/lib/systemd/system/neutron-dhcp-agent.service; enabled)
   Active: active (running) since Thu 2014-12-11 08:17:45 EST; 23s ago
 Main PID: 10255 (neutron-dhcp-ag)
   CGroup: /system.slice/neutron-dhcp-agent.service
           └─10255 /usr/bin/python /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --log-file /var/log/neutron/dhcp-agent.log

Dec 11 08:17:45 juno.localdomain systemd[1]: Starting OpenStack Neutron DHCP Agent...
Dec 11 08:17:45 juno.localdomain systemd[1]: Started OpenStack Neutron DHCP Agent.
Dec 11 08:17:47 juno.localdomain sudo[10266]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qdhcp-ccfc4bb1-696d-4381-91d7-28ce7c9cb009 ip link set tap6d7e5854-58 up
Dec 11 08:17:48 juno.localdomain sudo[10269]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qdhcp-ccfc4bb1-696d-4381-91d7-28ce7c9cb009 ip addr show tap6d7e5854-58 permanent scope global
Dec 11 08:17:48 juno.localdomain sudo[10276]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qdhcp-ccfc4bb1-696d-4381-91d7-28ce7c9cb009 ip route list dev tap6d7e5854-58 scope link
Dec 11 08:17:48 juno.localdomain sudo[10285]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qdhcp-ccfc4bb1-696d-4381-91d7-28ce7c9cb009 ip route list dev tap6d7e5854-58
Dec 11 08:17:48 juno.localdomain sudo[10289]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qdhcp-ccfc4bb1-696d-4381-91d7-28ce7c9cb009 env NEUTRON_NETWORK_ID=ccfc4bb1-696d-4381-91d7-28ce7c9cb009 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tap6d7e5854-58 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/ccfc4bb1-696d-4381-91d7-28ce7c9cb009/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/ccfc4bb1-696d-4381-91d7-28ce7c9cb009/host --addn-hosts=/var/lib/neutron/dhcp/ccfc4bb1-696d-4381-91d7-28ce7c9cb009/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/ccfc4bb1-696d-4381-91d7-28ce7c9cb009/opts --leasefile-ro --dhcp-range=set:tag0,10.0.0.0,static,86400s --dhcp-lease-max=256 --conf-file=/etc/neutron/dnsmasq.conf --domain=openstacklocal
Dec 11 08:17:49 juno.localdomain dnsmasq[10291]: cannot open log /var/log/neutron/dnsmasq.log: Permission denied
Dec 11 08:17:49 juno.localdomain dnsmasq[10291]: FAILED to start up

*************************************************
 cat  /var/log/audit/audit.log | grep -i avc
************************************************

type=USER_AVC msg=audit(1418301241.093:22175): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1418302563.923:26020): avc:  denied  { signal } for  pid=11874 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process
type=AVC msg=audit(1418302655.746:250): avc:  denied  { search } for  pid=4126 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302655.754:252): avc:  denied  { search } for  pid=4126 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302655.754:253): avc:  denied  { search } for  pid=4126 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302655.754:254): avc:  denied  { search } for  pid=4126 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302655.754:255): avc:  denied  { search } for  pid=4126 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302655.968:260): avc:  denied  { search } for  pid=4128 comm="nova-rootwrap" name=".local" dev="dm-1" ino=138303468 scontext=system_u:system_r:nova_api_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir
type=AVC msg=audit(1418302656.488:272): avc:  denied  { search } for  pid=4138 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302656.496:274): avc:  denied  { search } for  pid=4138 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302656.496:275): avc:  denied  { search } for  pid=4138 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302656.496:276): avc:  denied  { search } for  pid=4138 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302656.496:277): avc:  denied  { search } for  pid=4138 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302656.543:280): avc:  denied  { search } for  pid=4139 comm="nova-rootwrap" name=".local" dev="dm-1" ino=138303468 scontext=system_u:system_r:nova_api_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir
type=AVC msg=audit(1418303504.663:3261): avc:  denied  { search } for  pid=8861 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303535.870:3369): avc:  denied  { search } for  pid=8986 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303567.129:3480): avc:  denied  { search } for  pid=9086 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303598.400:3593): avc:  denied  { search } for  pid=9217 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303629.511:3716): avc:  denied  { search } for  pid=9368 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303660.889:3834): avc:  denied  { search } for  pid=9503 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303692.339:3938): avc:  denied  { search } for  pid=9626 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303723.502:4053): avc:  denied  { search } for  pid=9767 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303754.847:4159): avc:  denied  { search } for  pid=9875 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303786.015:4272): avc:  denied  { search } for  pid=9984 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303817.131:4378): avc:  denied  { search } for  pid=10089 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303848.215:4491): avc:  denied  { search } for  pid=10198 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303869.080:4574): avc:  denied  { search } for  pid=10293 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303900.477:4690): avc:  denied  { search } for  pid=10425 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303931.657:4793): avc:  denied  { search } for  pid=10542 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303962.808:4911): avc:  denied  { search } for  pid=10669 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303993.921:5012): avc:  denied  { search } for  pid=10782 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418304025.148:5137): avc:  denied  { search } for  pid=10916 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir

*******************
Disabling SELINUX
*******************

[root@juno ~]# systemctl status  neutron-dhcp-agent.service
neutron-dhcp-agent.service - OpenStack Neutron DHCP Agent
   Loaded: loaded (/usr/lib/systemd/system/neutron-dhcp-agent.service; enabled)
   Active: active (running) since Thu 2014-12-11 08:25:52 EST; 14s ago
 Main PID: 12515 (neutron-dhcp-ag)
   CGroup: /system.slice/neutron-dhcp-agent.service
           ├─12515 /usr/bin/python /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutro...
           └─12542 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tap6d7e...

Dec 11 08:25:52 juno.localdomain systemd[1]: Starting OpenStack Neutron DHCP Agent...
Dec 11 08:25:52 juno.localdomain systemd[1]: Started OpenStack Neutron DHCP Agent.
Dec 11 08:25:53 juno.localdomain sudo[12526]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/... up
Dec 11 08:25:53 juno.localdomain sudo[12529]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/...bal
Dec 11 08:25:54 juno.localdomain sudo[12532]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/...ink
Dec 11 08:25:54 juno.localdomain sudo[12535]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/...-58
Dec 11 08:25:54 juno.localdomain sudo[12538]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/...ace
Dec 11 08:25:56 juno.localdomain python[12544]: SELinux is preventing /usr/sbin/dnsmasq from write ...y .
                                               
                                                *****  Plugin catchall (100. confidence) suggests   **...
Dec 11 08:25:56 juno.localdomain python[12544]: SELinux is preventing /usr/sbin/dnsmasq from write ...y .
                                               
                                                *****  Plugin catchall (100. confidence) suggests   **...
Dec 11 08:25:56 juno.localdomain python[12544]: SELinux is preventing /usr/sbin/dnsmasq from write ...y .
                                               
                                                *****  Plugin catchall (100. confidence) suggests   **...
Dec 11 08:25:56 juno.localdomain python[12544]: SELinux is preventing /usr/sbin/dnsmasq from write ...y .
                                               
                                                *****  Plugin catchall (100. confidence) suggests   **...
Dec 11 08:25:56 juno.localdomain python[12544]: SELinux is preventing /usr/sbin/dnsmasq from setatt...e .
                                               
                                                *****  Plugin catchall (100. confidence) suggests   **...
Hint: Some lines were ellipsized, use -l to show in full.

Virt-install W7 (Evaluation copy ) with virtio-win-0.1-81.iso

**************
Virt-install
**************

qemu-img create -f qcow2 win7.img 15G
 
virt-install --connect qemu:///system \
    --name WIN7KVM --ram 2048 --vcpus=2 --cpuset=auto \
    --disk path=/var/lib/libvirt/images/win7.img,bus=virtio \
    --network=network=openstackvms,model=virtio,mac=RANDOM  \
    --graphics vnc,port=5903 \
    --disk device=cdrom,path=/home/boris/isos/virtio-win-0.1-81.iso  \
    --disk device=cdrom,path=/home/boris/isos/Win7.iso \
    --os-type=windows --os-variant=win7 --boot cdrom,hd



 

 

  


[boris@juno2 ~]$ virt-install --connect qemu:///system \
>     --name WIN7KVM --ram 2048 --vcpus=2 --cpuset=auto \
>     --disk path=/var/lib/libvirt/images/win7.img,bus=virtio \
>     --network=network=openstackvms,model=virtio,mac=RANDOM  \
>     --graphics vnc,port=5904 \
>     --disk device=cdrom,path=/home/boris/isos/virtio-win-0.1-81.iso  \
>     --disk device=cdrom,path=/home/boris/isos/Win7.iso \
>     --os-type=windows --os-variant=win7 --boot cdrom,hd

Starting install...
Creating domain...                                                                |    0 B  00:00:00    

(virt-viewer:4713): Gtk-WARNING **: Attempting to add a widget with type VncDisplay to a container of type VirtViewerDisplayVnc, but the widget is already inside a container of type VirtViewerDisplayVnc, please use gtk_widget_reparent()

Domain creation completed. You can restart your domain by running:
  virsh --connect qemu:///system start WIN7KVM


  
************************
Virt-Manager
************************



 

 

 

 


Convertion raw => qcow2

qemu-img convert -f raw -O qcow2 Windows7.img  Windows7.qcow2
virsh edit Windows7 => /var/lib/libvirt/images/Windows7.qcow2
Update Virt-manager page Virtio Disk1=>Advanced Options=>Storage format=>qcow2
   

Friday, November 28, 2014

VXLAN tenants subnets and "VLAN tags" on Juno


  In case of GRE or VXLAN tenants L2 networks the VLAN tags you see in the output of "ovs-vsctl show" and in output of "ovs-ofctl dump-flows br-tun" (mod_vlan_vid) are only locally significant. This VLAN tags are not really L2 tags added to the frames leaving on the physical interface. They are only used by openvswitch to separate traffic on the br-int, so the different tap interfaces corresponding to different neutron subnets do not see each other's traffic. As far as this tags are not 12-bits segments , number 4096 is not important.

 
**************************
ON CONTROLLER
**************************

[root@juno1 ~(keystone_admin)]# neutron net-list
+--------------------------------------+-----------------+-----------------------------------------------------+
| id                                   | name            | subnets                                             |
+--------------------------------------+-----------------+-----------------------------------------------------+
| 90b574e2-f51a-423e-aef9-c201f6f68b76 | kashyap_private | 5fe9e3cc-feee-4f51-bed8-f4891bd8aafe 40.0.0.0/24    |
| 65cbd354-daae-41bb-9d3c-e58b1062be19 | public          | 147d5ecd-fe39-489e-8901-3b20a2c50148 192.168.1.0/24 |
| 8b2de478-de3f-448e-8ec1-8f973a762daf | boris_network   | 4142d2c6-220c-4b47-8147-cf512f7a753b 15.0.0.0/24    |
| 3fdb2eb7-fff8-4633-824b-1da4c38ccbd5 | kashyap_network | 8bee3a8d-7fac-4d05-84e3-bbe52a601084 70.0.0.0/24    |
| 951715cc-2a19-470e-9987-25b3b7906756 | demo_network    | d512bb49-29f0-4fe2-886a-10d880cc83fc 10.0.0.0/24    |
+--------------------------------------+-----------------+-----------------------------------------------------+
[root@juno1 ~(keystone_admin)]# ip netns exec qdhcp-90b574e2-f51a-423e-aef9-c201f6f68b76 ifconfig
lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 0  (Local Loopback)
        RX packets 1  bytes 576 (576.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1  bytes 576 (576.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap5532b72d-8c: flags=4163  mtu 1500
        inet 40.0.0.11  netmask 255.255.255.0  broadcast 40.0.0.255
        inet6 fe80::f816:3eff:fe6e:91a7  prefixlen 64  scopeid 0x20
        ether fa:16:3e:6e:91:a7  txqueuelen 0  (Ethernet)
        RX packets 27  bytes 2982 (2.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 2112 (2.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@juno1 ~(keystone_admin)]# ovs-vsctl show
f2113bd0-c4ca-4c4b-af16-928ff03e53da
    Bridge br-int
        fail_mode: secure
        Port "tap37cfc1fc-09"
            tag: 1
            Interface "tap37cfc1fc-09"
                type: internal
        Port int-br-ex
            Interface int-br-ex
                type: patch
                options: {peer=phy-br-ex}
        Port "qr-7ff72517-f3"
            tag: 4
            Interface "qr-7ff72517-f3"
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port "tap2d26c49a-37"
            tag: 5
            Interface "tap2d26c49a-37"
                type: internal
        Port "tap5532b72d-8c"
            tag: 4    <==== tag 4 on Controller Node
            Interface "tap5532b72d-8c"

                type: internal
        Port "qr-bd92408c-b4"
            tag: 5
            Interface "qr-bd92408c-b4"
                type: internal
        Port "qr-a494fcc8-e5"
            tag: 2
            Interface "qr-a494fcc8-e5"
                type: internal
        Port "qr-4162d98e-5c"
            tag: 1
            Interface "qr-4162d98e-5c"
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port "tap305cff35-34"
            tag: 2
            Interface "tap305cff35-34"
                type: internal
    Bridge br-ex
        Port "qg-88b1ef62-2c"
            Interface "qg-88b1ef62-2c"
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
                type: patch
                options: {peer=int-br-ex}
        Port "qg-d3e929c6-ba"
            Interface "qg-d3e929c6-ba"
                type: internal
        Port "enp2s0"
            Interface "enp2s0"
        Port "qg-5c6dd032-a8"
            Interface "qg-5c6dd032-a8"
                type: internal
        Port br-ex
            Interface br-ex
                type: internal
        Port "qg-7b037650-10"
            Interface "qg-7b037650-10"
                type: internal
    Bridge br-tun
        Port "vxlan-c0a80089"
            Interface "vxlan-c0a80089"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="192.168.0.127", out_key=flow, remote_ip="192.168.0.137"}
        Port br-tun
            Interface br-tun
                type: internal
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
    ovs_version: "2.1.3"


************************************************************************
So kashyap_private network corresponds tag 4 on Controller
************************************************************************
**********************
ON COMPUTE
**********************
[root@juno2 ~(keystone_kashyap)]# nova list
+--------------------------------------+------------+--------+------------+-------------+------------------------------------------+
| ID                                   | Name       | Status | Task State | Power State | Networks                                 |
+--------------------------------------+------------+--------+------------+-------------+------------------------------------------+
| 1359ac92-8092-47bc-b7d6-ee474b641355 | CirrOS321  | ACTIVE | -          | Running     | kashyap_private=40.0.0.12, 192.168.1.155 |
+--------------------------------------+------------+--------+------------+-------------+------------------------------------------+

VM is running on kashyap_private network (40.0.0.0/24)

[root@juno2 ~(keystone_kashyap)]# nova show 1359ac92-8092-47bc-b7d6-ee474b641355
+--------------------------------------+----------------------------------------------------------+
| Property                             | Value                                                    |
+--------------------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig                    | AUTO                                                     |
| OS-EXT-AZ:availability_zone          | nova                                                     |
| OS-EXT-STS:power_state               | 1                                                        |
| OS-EXT-STS:task_state                | -                                                        |
| OS-EXT-STS:vm_state                  | active                                                   |
| OS-SRV-USG:launched_at               | 2014-11-28T15:21:59.000000                               |
| OS-SRV-USG:terminated_at             | -                                                        |
| accessIPv4                           |                                                          |
| accessIPv6                           |                                                          |
| config_drive                         |                                                          |
| created                              | 2014-11-28T15:21:48Z                                     |
| flavor                               | m1.tiny (1)                                              |
| hostId                               | 7339f21099a5d4d918b8e69302c1dab2d5f7af63babf36d02057177d |
| id                                   | 1359ac92-8092-47bc-b7d6-ee474b641355                     |
| image                                | cirros (6f7d1877-9b6b-4530-b868-9fe42a71bca9)            |
| kashyap_private network              | 40.0.0.12, 192.168.1.155                                 |
| key_name                             | oskey37                                                  |
| metadata                             | {}                                                       |
| name                                 | CirrOS321                                                |
| os-extended-volumes:volumes_attached | []                                                       |
| progress                             | 0                                                        |
| security_groups                      | default                                                  |
| status                               | ACTIVE                                                   |
| tenant_id                            | 2a8be6536a864dd0b73782fd0fb2faff                         |
| updated                              | 2014-11-28T15:21:59Z                                     |
| user_id                              | bce3ed8aaa97447b8edfe3cf734b0793                         |
+--------------------------------------+----------------------------------------------------------+

****************************
Identifying qvo* port
****************************

[root@juno2 ~(keystone_kashyap)]# brctl show

bridge name    bridge id        STP enabled    interfaces
qbr23b93632-0d        8000.1e955c2e4f2e    no        qvb23b93632-0d
                            tap23b93632-0d

qbr37f299e0-de        8000.1a32e0906384    no        qvb37f299e0-de
qbra0fa9687-39        8000.f6fd5e4399e7    no        qvba0fa9687-39
qbrff853471-05        8000.9ef67b07ba76    no        qvbff853471-05

[root@juno2 ~(keystone_admin)]# virsh dumpxml 1359ac92-8092-47bc-b7d6-ee474b641355 | grep 23b93632-0d
     
      <source bridge='qbr23b93632-0d'/>
      <target dev='tap23b93632-0d'/>


***********************************************************
Tracking veth-pair ( qvb23b93632-0d, qvo23b93632-0d )
***********************************************************
[root@juno2 ~(keystone_kashyap)]# ovs-vsctl

79e82e7f-9040-4789-b8c8-d7d397ec230b
    Bridge br-tun
        Port "vxlan-c0a8007f"
            Interface "vxlan-c0a8007f"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="192.168.0.137", out_key=flow, remote_ip="192.168.0.127"}
        Port br-tun
            Interface br-tun
                type: internal
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
    Bridge br-ex
        Port phy-br-ex
            Interface phy-br-ex
                type: patch
                options: {peer=int-br-ex}
        Port br-ex
            Interface br-ex
                type: internal
    Bridge br-int
        fail_mode: secure
        Port "qvoff853471-05"
            tag: 2
            Interface "qvoff853471-05"
        Port "qvoa0fa9687-39"
            tag: 1
            Interface "qvoa0fa9687-39"
        Port "qvod282b303-3a"
            tag: 5
            Interface "qvod282b303-3a"
        Port int-br-ex
            Interface int-br-ex
                type: patch
                options: {peer=phy-br-ex}
        Port "qvo23b93632-0d"
            tag: 6  <=== tag 6 on Compute Node
            Interface "qvo23b93632-0d"

        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port br-int
            Interface br-int
                type: internal
        Port "qvo37f299e0-de"
            tag: 1
            Interface "qvo37f299e0-de"
    ovs_version: "2.1.3"

****************************************************************************
So kashyap_private network corresponds tag 6 ( Compute Node)
****************************************************************************