Monday, October 03, 2016

Set up an sshuttle connection to a TripleO overcloud deployed via instack-virt-setup on a remote VIRTHOST

sshuttle can be installed on Fedora 24 with a plain `dnf -y install sshuttle`
[Fedora 24 update: sshuttle-0.78.0-2.fc24]. The F24 box is the workstation (WKS)
for a "TripleO instack-virt-setup overcloud/undercloud deployment to VIRTHOST",
reached over a trusted (key-based) ssh connection. This setup works much more
stably than configuring FoxyProxy against VIRTHOST, which runs the "instack" VM
(actually the undercloud VM) hosting the heat stack "overcloud" together with
several overcloud Controller and Compute VMs.

Unlike TripleO QuickStart, instack-virt-setup deployments don't run the ksmd
daemon, which merges identical memory pages between overcloud VMs (and splits
them again copy-on-write when a VM modifies one). The result is significantly
higher memory utilization on VIRTHOST, so testing HA overcloud deployments
requires better CPUs and about 48 GB of RAM.
Regarding KSM see https://en.wikipedia.org/wiki/Kernel_same-page_merging

The above was verified on RDO Mitaka. Newton seems to have issues with HA overcloud deployments, at least at the time of writing; see https://bugs.launchpad.net/tripleo bugs #1585275 and #1629366.

What is sshuttle? It's a Python application that uses SSH to create a quick and dirty VPN between your Linux, BSD, or Mac OS X machine and a remote system that has SSH access and Python. Licensed under the GPLv2, sshuttle is a transparent proxy that lets users fake a VPN with minimal hassle: it redirects TCP connections for the chosen subnets into an SSH session, so the remote end needs nothing beyond an SSH login and a Python interpreter (no root, no VPN software).

***************************************************************************
First install sshuttle on Fedora 24 :-
$ sudo dnf -y install sshuttle
Then switch to VIRTHOST and set up a standard Linux bridge. The two files
below live in /etc/sysconfig/network-scripts/; note that enp3s0 keeps no IP
address of its own, it is enslaved to br0, which carries 192.168.1.57.
***************************************************************************

# cat ifcfg-br0
DEVICE=br0
TYPE=Bridge
BOOTPROTO=static
DNS1=192.168.1.1
DNS2=83.221.202.254
GATEWAY=192.168.1.1
IPADDR=192.168.1.57
NETMASK=255.255.255.0
ONBOOT=yes

# cat ifcfg-enp3s0
DEVICE=enp3s0
HWADDR=78:24:af:43:1b:53
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
USERCTL=no
BRIDGE=br0

***************************
Then run the script below on VIRTHOST
***************************
#!/bin/bash -x
chkconfig network on             # the legacy network service owns the ifcfg-* files above
systemctl stop NetworkManager    # NetworkManager must not manage br0/enp3s0
systemctl disable NetworkManager
service network restart          # brings up br0 with enp3s0 enslaved and no IP of its own

Switch to VIRTHOST and follow http://lxer.com/module/newswire/view/234346/index.html
until the instack VM is up and running. Then shut the "instack VM" down and add a
third VNIC to it and a second VNIC to each of the baremetal_(X) VMs created by
instack-virt-setup, all attached to br0 so that they get addresses on the office
LAN (192.168.1.0/24), and run :-

On the instack VM create /etc/sysconfig/network-scripts/ifcfg-eth2 with
BOOTPROTO=dhcp and bring the interface up with `sudo ifup eth2` :
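The VNIC step above is done by hand in the post. The script below is an added example (not part of instack-virt-setup or TripleO) that does the same thing for every relevant VM on VIRTHOST: it selects the instack VM and the baremetal_<n> nodes from `virsh list`, refuses to touch a VM that is still running or that already has a NIC on br0, and otherwise attaches a persistent virtio NIC on the bridge with `virsh attach-interface --config`. The bridge name br0 and the domain names follow the post; the sample `virsh` outputs embedded for the checks are constructed.

```shell
#!/bin/bash
# add-bridged-vnics.sh: attach one extra VNIC on Linux bridge br0 to the
# "instack" VM and to every baremetal_<n> VM created by instack-virt-setup,
# so undercloud and overcloud nodes get an interface on the office LAN.
# Added example for this post; not part of instack-virt-setup.
# Run on VIRTHOST as root, with the VMs shut down:  bash add-bridged-vnics.sh --run
set -u

BRIDGE=${BRIDGE:-br0}          # assumption: the bridge configured in ifcfg-br0

# Constructed sample of `virsh list --all --name` output (for the checks below).
SAMPLE_DOMAINS='instack
baremetal_0
baremetal_1
baremetal_2
baremetal_3

'

# Constructed sample of `virsh domiflist instack` before the change: eth0 on the
# libvirt "default" network, eth1 on the provisioning bridge brbm, nothing on br0.
SAMPLE_IFLIST='Interface  Type     Source   Model   MAC
-------------------------------------------------------
vnet0      network  default  virtio  52:54:00:c7:63:56
vnet1      bridge   brbm     virtio  00:22:cd:52:11:cf'

# Print only the domains that should get a bridged VNIC: the undercloud VM and
# the baremetal_<n> overcloud nodes. Anything else on the host is left alone.
select_domains() {    # select_domains "<virsh list --all --name output>"
    printf '%s\n' "$1" | grep -Ex 'instack|baremetal_[0-9]+'
}

# Succeed if a `virsh domiflist` listing already shows a NIC on $BRIDGE
# (columns: Interface Type Source Model MAC), so we never add a duplicate.
has_bridge_nic() {    # has_bridge_nic "<virsh domiflist output>"
    printf '%s\n' "$1" | awk -v br="$BRIDGE" \
        '$2 == "bridge" && $3 == br { found = 1 } END { exit !found }'
}

# Persistently add a virtio NIC on $BRIDGE to one domain. --config only: the
# change takes effect at the next boot, which is why the VM must be shut off.
attach_bridge_nic() {  # attach_bridge_nic DOMAIN
    virsh attach-interface --domain "$1" --type bridge --source "$BRIDGE" \
        --model virtio --config
}

main() {
    for dom in $(select_domains "$(virsh list --all --name)"); do
        if [ "$(virsh domstate "$dom")" != "shut off" ]; then
            echo "$dom: still running, shut it down first; skipping" >&2
            continue
        fi
        if has_bridge_nic "$(virsh domiflist "$dom")"; then
            echo "$dom: already has a NIC on $BRIDGE; skipping" >&2
            continue
        fi
        attach_bridge_nic "$dom" && echo "$dom: NIC on $BRIDGE added"
    done
}

if [ "${1:-}" = "--run" ]; then main; fi
```

After the VMs are started again, the new interface shows up inside the instack VM as eth2 (the third NIC) and inside each baremetal node as its second NIC; the ifcfg-eth2 file shown next makes it pick up a DHCP lease from the office router.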

[stack@instack ~]$ sudo su -

Last login: Mon Oct  3 12:32:04 UTC 2016 from 192.168.1.4 on pts/2
[root@instack ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth2
TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=eth2
DEVICE=eth2
ONBOOT=yes
PREFIX=24
GATEWAY=192.168.1.1
DNS1=83.221.202.254
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no

**********************************************************************************
 Run `ifconfig` and make sure eth2 obtained an IP lease from your office router,
 usually 192.168.1.1. The "instack VM" now belongs to that network and serves as
 the ssh endpoint for sshuttle, which will provide access to the external network
 10.0.0.0/24 that the TripleO master branch overcloud creates on completion of the
 deployment procedure.
**********************************************************************************
[root@instack ~]# ifconfig
br-ctlplane: flags=4163  mtu 1500
        inet 192.0.2.1  netmask 255.255.255.0  broadcast 192.0.2.255
        inet6 fe80::222:cdff:fe52:11cf  prefixlen 64  scopeid 0x20
        ether 00:22:cd:52:11:cf  txqueuelen 0  (Ethernet)
        RX packets 3203772  bytes 242696157 (231.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4663339  bytes 20369572127 (18.9 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163  mtu 1500
        inet 192.168.122.23  netmask 255.255.255.0  broadcast 192.168.122.255
        inet6 fe80::5054:ff:fec7:6356  prefixlen 64  scopeid 0x20
        ether 52:54:00:c7:63:56  txqueuelen 1000  (Ethernet)
        RX packets 50868  bytes 5455013 (5.2 MiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 44668  bytes 10199981 (9.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163  mtu 1500
        inet6 fe80::222:cdff:fe52:11cf  prefixlen 64  scopeid 0x20
        ether 00:22:cd:52:11:cf  txqueuelen 1000  (Ethernet)
        RX packets 3218015  bytes 439876673 (419.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4672723  bytes 20370569657 (18.9 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth2: flags=4163  mtu 1500
        inet 192.168.1.14  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::5054:ff:fe90:4024  prefixlen 64  scopeid 0x20
        ether 52:54:00:90:40:24  txqueuelen 1000  (Ethernet)
        RX packets 1696493  bytes 2312670704 (2.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 927189  bytes 266047551 (253.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 0  (Local Loopback)
        RX packets 2468459  bytes 13170730356 (12.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2468459  bytes 13170730356 (12.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan10: flags=4163  mtu 1500
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::48c5:c0ff:feff:3d00  prefixlen 64  scopeid 0x20
        ether 4a:c5:c0:ff:3d:00  txqueuelen 0  (Ethernet)
        RX packets 14440  bytes 196996148 (187.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9337  bytes 947132 (924.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

So eth2 on the "instack VM" obtained an address on the office network
(192.168.1.0/24), here 192.168.1.14. Switch back to the F24 remote WKS and,
as user "john", run :-

[john@fedora24wks]$ export VIRTHOST=192.168.1.14   # the instack VM's eth2 address, despite the variable name
[john@fedora24wks]$ ssh-copy-id root@$VIRTHOST
[john@fedora24wks]$ ssh root@$VIRTHOST uname -a    # must succeed without a password prompt

sshuttle's server side needs only an SSH login and Python, not root, so a key
for the "stack" user would work just as well and is the least-privilege choice;
the rest of this post uses root as shown.

Log in to the instack VM from the WKS as root, then `su - stack` and `source stackrc`.

Switch back to the instructions at http://lxer.com/module/newswire/view/234346
and proceed with building the TripleO master branch undercloud/overcloud.
When done, open another terminal session on the WKS and run in it :-

[john@fedora24wks ~]$ export VIRTHOST=192.168.1.14
[john@fedora24wks ~]$ sshuttle -r root@$VIRTHOST -v 10.0.0.0/24

Because the instack VM trusts the F24 WKS's ssh key, you won't be prompted for
the connection to $VIRTHOST (sshuttle may still ask for your local sudo password,
since it needs root on the WKS to install the iptables NAT rules shown below),
and the following output appears in the terminal session :-

Starting sshuttle proxy.
firewall manager: Starting firewall with Python version 3.5.1
firewall manager: ready method name nat.
IPv6 enabled: False
UDP enabled: False
DNS enabled: False
TCP redirector listening on ('127.0.0.1', 12300).
Starting client with Python version 3.5.1
c : connecting to server...
Starting server with Python version 2.7.5
 s: latency control setting = True
 s: available routes:
 s:   2/10.0.0.0/24
 s:   2/192.0.2.0/24
 s:   2/192.168.1.0/24
 s:   2/192.168.122.0/24
c : Connected.
firewall manager: setting up.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 10.0.0.0/24 -p tcp --to-ports 12300 -m ttl ! --ttl 42
c : Accept TCP: 192.168.1.4:36580 -> 10.0.0.8:80.
c : Accept TCP: 192.168.1.4:36582 -> 10.0.0.8:80.
c : Accept TCP: 192.168.1.4:36584 -> 10.0.0.8:80.
c : Accept TCP: 192.168.1.4:36586 -> 10.0.0.8:80.
c : Accept TCP: 192.168.1.4:36588 -> 10.0.0.8:80.
c : Accept TCP: 192.168.1.4:36590 -> 10.0.0.8:80.
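Two things in the output above are worth checking before trusting the tunnel: the server advertises a route for the subnet you asked for (the `s:   2/10.0.0.0/24` line), and the REDIRECT rule it installs locally covers only that subnet and nothing wider. The script below is an added example (not part of sshuttle or this post's original procedure) that wraps the launch in a preflight: key-only SSH in batch mode with Python on the remote, plus pure checks that parse a `sshuttle -v` log and refuse a tunnel whose REDIRECT scope is broader than requested. It also prints an authorized_keys line for the "stack" user pinned to the WKS address with pty and forwarding disabled; that sshuttle works with these restrictions is an assumption (its server side only runs Python over the session's stdin/stdout). The sample log embedded below is constructed from the post's own output, and the host, user and IPs are assumptions.

```shell
#!/bin/bash
# sshuttle-overcloud.sh: preflight and scope checks around the sshuttle tunnel
# to the TripleO undercloud ("instack" VM). Added example; not part of sshuttle
# or TripleO. Usage:  bash sshuttle-overcloud.sh --run stack@192.168.1.14 10.0.0.0/24
set -u

# Constructed sample of `sshuttle -v` output, cut down from the post's log.
SAMPLE_SSHUTTLE_LOG='Starting server with Python version 2.7.5
 s: latency control setting = True
 s: available routes:
 s:   2/10.0.0.0/24
 s:   2/192.0.2.0/24
 s:   2/192.168.1.0/24
 s:   2/192.168.122.0/24
c : Connected.
firewall manager: setting up.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 10.0.0.0/24 -p tcp --to-ports 12300 -m ttl ! --ttl 42'

# Print the subnets the server side reports as routable, one per line
# (the " s:   <family>/<cidr>" lines of the verbose log).
server_routes() {        # server_routes LOG
    printf '%s\n' "$1" | sed -n 's|^ *s: *[0-9]*/\([0-9.]*/[0-9]*\) *$|\1|p'
}

# Succeed if the server advertises exactly the CIDR we are tunnelling.
route_reachable() {      # route_reachable CIDR LOG
    server_routes "$2" | grep -qx -- "$1"
}

# Print the --dest of every REDIRECT rule the firewall manager installed locally.
redirect_dests() {       # redirect_dests LOG
    printf '%s\n' "$1" | sed -n 's|^>> iptables .* -j REDIRECT --dest \([0-9./]*\) .*$|\1|p'
}

# Succeed only if at least one REDIRECT rule exists and every one of them targets
# a subnet we asked for. Catches an accidentally broad tunnel (0/0 instead of 10.0.0.0/24).
redirect_scope_ok() {    # redirect_scope_ok LOG CIDR...
    log=$1; shift
    dests=$(redirect_dests "$log")
    [ -n "$dests" ] || return 1
    for d in $dests; do
        found=0
        for want in "$@"; do
            [ "$d" = "$want" ] && found=1
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
}

# authorized_keys entry for the tunnel endpoint: pinned to the WKS address, no
# pty, no port/agent/X11 forwarding. Assumption: sshuttle's server side, which
# only runs Python over the SSH session, keeps working under these options.
authorized_key_line() {  # authorized_key_line WKS_IP PUBKEY
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Live check (needs the network): key-only login must work without a prompt,
# and the remote needs a Python interpreter for sshuttle's server side.
preflight() {            # preflight USER@HOST
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" \
        'command -v python3 || command -v python' >/dev/null
}

# Start the tunnel for the given subnet only. sshuttle invokes sudo locally for
# the iptables rules; nothing on the remote side runs as root.
start_tunnel() {         # start_tunnel USER@HOST CIDR
    sshuttle -r "$1" -v "$2"
}

main() {
    preflight "$1" || { echo "key-only ssh to $1 failed; run ssh-copy-id first" >&2; return 1; }
    start_tunnel "$1" "$2"
}

if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Run it with `--run stack@192.168.1.14 10.0.0.0/24` (or root@, as in the post) and compare the verbose log it produces against `route_reachable` and `redirect_scope_ok`; a missing route means the overcloud external network is not up yet on the undercloud, and a REDIRECT wider than 10.0.0.0/24 means more of the WKS's traffic is being pushed through the undercloud than intended.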

Open an SSH window to the instack VM :-
# su - stack
$ source stackrc


  The deployment report above instructs you to launch a browser (on the F24 WKS) at
  http://10.0.0.8/dashboard/ ; with sshuttle running, that request is carried
  through the instack VM, as the "Accept TCP: ... -> 10.0.0.8:80" lines show.
  The login password for "admin" is in the "overcloudrc" file generated under
  the ~stack/ folder on the "instack VM".

  Log in to an overcloud controller; upon restarting the keepalived daemon you are going to get :-
 

   Create a VM via the nova/neutron CLI, sourcing overcloudrc on the Controller, and
   make sure that the remote sshuttle connection to the "instack VM" lets
   http://10.0.0.8/dashboard manage the VMs running on the overcloud compute
   nodes. The ctlplane network (192.0.2.0/24), defined as the public network,
   might also serve for outbound Internet connectivity for those VMs.