Exercise 2
Create a topology using Neutron CLI commands as per the diagram below.
Remarks: This exercise demonstrates security groups and the VM initialization (cloud-init) script.
Key points:
- Use a cloud-init script to install the web server
- Write the security group rules according to the conditions
Tests to be done:
- From the public network, ping the web server: it should fail
- From the public network, send an HTTP request to the web server: it should pass
- From the public network, SSH to the FIP (floating IP) of the web server: it should pass
Solution:
1. Network and Router Creation:
Create a Network
neutron net-create N1
Create a Subnet
neutron subnet-create --name S1 --gateway 10.10.10.1 --allocation-pool start=10.10.10.10,end=10.10.10.50 N1 10.10.10.0/24
Create a Router
neutron router-create R1
Set the gateway to the Router
neutron router-gateway-set R1 public
Attach a subnet to the Router
neutron router-interface-add R1 S1
2. Security Group Creation:
Create a security group named "webtraffic":
neutron security-group-create webtraffic
Create a security group rule allowing TCP port 80 (HTTP) from any network:
neutron security-group-rule-create --direction ingress --protocol tcp --port-range-min 80 --port-range-max 80 --remote-ip-prefix 0.0.0.0/0 webtraffic
Create a security group rule allowing TCP port 22 (SSH) only from the public (external) network:
Note: In my environment, the public network is 172.24.4.0/24
neutron security-group-rule-create --direction ingress --protocol tcp --port-range-min 22 --port-range-max 22 --remote-ip-prefix 172.24.4.0/24 webtraffic
3. Create a VM:
Create a script that installs the apache2 server.
Write the bash script below to a file (bootscript.sh) and make it executable:
#!/bin/bash
# Passed to nova boot as --user-data, so cloud-init runs it as root on first boot;
# sudo is kept so the same script also works when run by hand.
sudo apt-get update
sudo apt-get -y install apache2
sudo a2enmod ssl
# default-ssl listens on 443, which the webtraffic group does not open; only port 80 is reachable externally
sudo a2ensite default-ssl
sudo service apache2 restart
# Publish the VM hostname as the index page so the curl test identifies the server
hostname | sudo tee /var/www/html/index.html
Create a Port with Fixed IP 10.10.10.100/24 from Network N1
neutron port-create --fixed-ip subnet_id=S1,ip_address=10.10.10.100 --security-group webtraffic N1
Create a VM
Check the flavor, image, keypair details
glance image-list
nova keypair-list
nova flavor-list
Note: flavor: 6, keypair: testkey, image: ubuntu14, security group: webtraffic, NIC: port ID of 10.10.10.100
nova boot --flavor 6 --image ubuntu14 --key-name testkey --security-groups webtraffic --user-data bootscript.sh --nic port-id=297e952a-f491-40fc-b015-94e96f6ea864 Web-Server
Associate a free floating IP with the port ID of 10.10.10.100:
neutron floatingip-associate dcb48f7f-cb4c-4289-a27b-62b4e3399647 297e952a-f491-40fc-b015-94e96f6ea864
4. Testing:
HTTP request to the web server floating IP from the public (external) network:
curl 172.24.4.12
It should return "web-server".
Ping the web server floating IP from the public (external) network:
ping 172.24.4.12
It should fail, because the webtraffic group has no ICMP ingress rule.
SSH to the web server floating IP from the public (external) network:
ssh -i ../testkey ubuntu@172.24.4.12
It should allow login to the web server.
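As an added example (not part of the original exercise), the following Python models Neutron's default-deny ingress evaluation over the four webtraffic rules listed in the execution logs and replays the three tests above plus one negative case. The rule rows are embedded as a constructed sample, the public client address 172.24.4.1 is the one seen in the SSH login banner, and 203.0.113.7 is an assumed non-public source.

```python
import ipaddress
from collections import namedtuple
# Constructed sample: the four `neutron security-group-rule-list | grep webtraffic` rows
# (id | group | direction | ethertype | port/proto | remote); not the exercise's own code.
RULE_LIST_OUTPUT = """\
| 68cc7d40-610e-485b-ae5e-f44db22ddfab | webtraffic | ingress | IPv4 | 80/tcp | 0.0.0.0/0 (CIDR) |
| 716e51d5-e0b2-4a2f-b9f2-da540ca1f1e3 | webtraffic | ingress | IPv4 | 22/tcp | 172.24.4.0/24 (CIDR) |
| cb39e24f-c738-4a41-8692-adca5ba4fe6e | webtraffic | egress | IPv4 | any | any |
| dd53d1f2-fe40-4910-b56a-043976ee5fe5 | webtraffic | egress | IPv6 | any | any |
"""
# protocol, port_min, port_max and remote are None when the rule says "any"
Rule = namedtuple("Rule", "direction ethertype protocol port_min port_max remote")

def parse_rule_list(text):
    rules = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6:
            continue  # border, header or unrelated lines
        _rule_id, _group, direction, ethertype, port_proto, remote = cells
        protocol = port_min = port_max = None
        if port_proto != "any":
            ports, protocol = port_proto.split("/")
            lo, _, hi = ports.partition("-")  # "80" or "8000-8080"
            port_min, port_max = int(lo), int(hi or lo)
        # Only CIDR remotes are modelled; "any" means no source restriction
        net = ipaddress.ip_network(remote.split()[0]) if remote.endswith("(CIDR)") else None
        rules.append(Rule(direction, ethertype, protocol, port_min, port_max, net))
    return rules

def ingress_allowed(rules, src_ip, protocol, dst_port=None):
    """Default-deny: the packet passes only if at least one ingress rule matches."""
    src = ipaddress.ip_address(src_ip)
    ethertype = "IPv4" if src.version == 4 else "IPv6"
    for r in rules:
        if r.direction != "ingress" or r.ethertype != ethertype:
            continue
        if r.protocol is not None and r.protocol != protocol:
            continue
        if r.port_min is not None and (dst_port is None or not r.port_min <= dst_port <= r.port_max):
            continue
        if r.remote is not None and src not in r.remote:
            continue
        return True
    return False

def exercise_tests(rules, public_client="172.24.4.1"):
    # The exercise's three checks plus a negative case (203.0.113.7 is a constructed outside source)
    return {
        "ping_from_public": ingress_allowed(rules, public_client, "icmp"),
        "http_from_public": ingress_allowed(rules, public_client, "tcp", 80),
        "ssh_from_public": ingress_allowed(rules, public_client, "tcp", 22),
        "ssh_from_elsewhere": ingress_allowed(rules, "203.0.113.7", "tcp", 22),
    }
```

The ping check comes back False for the same reason the real ping times out: neither ingress rule covers ICMP, and security groups deny anything no rule allows.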
Execution Logs:
1. Network and Router Creation:
(osclient) cloud@dev1:~/osclient$ neutron net-create N1
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new network:
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2017-08-22T05:27:36Z |
| description | |
| id | 332d1aa4-ebc2-468e-a5e0-0d1190ac21d2 |
| ipv4_address_scope | |
| ipv6_address_scope | |
| mtu | 1450 |
| name | N1 |
| port_security_enabled | True |
| project_id | bccf45eee4544264a526c4bca56fdb3c |
| revision_number | 3 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| tenant_id | bccf45eee4544264a526c4bca56fdb3c |
| updated_at | 2017-08-22T05:27:36Z |
+-------------------------+--------------------------------------+
(osclient) cloud@dev1:~/osclient$
(osclient) cloud@dev1:~/osclient$ neutron subnet-create --name S1 --gateway 10.10.10.1 --allocation-pool start=10.10.10.10,end=10.10.10.50 N1 10.10.10.0/24
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new subnet:
+-------------------+------------------------------------------------+
| Field | Value |
+-------------------+------------------------------------------------+
| allocation_pools | {"start": "10.10.10.10", "end": "10.10.10.50"} |
| cidr | 10.10.10.0/24 |
| created_at | 2017-08-22T05:29:04Z |
| description | |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.10.10.1 |
| host_routes | |
| id | bdffb92b-1d1f-4abb-bbc7-c9865b9fa47c |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | S1 |
| network_id | 332d1aa4-ebc2-468e-a5e0-0d1190ac21d2 |
| project_id | bccf45eee4544264a526c4bca56fdb3c |
| revision_number | 2 |
| service_types | |
| subnetpool_id | |
| tags | |
| tenant_id | bccf45eee4544264a526c4bca56fdb3c |
| updated_at | 2017-08-22T05:29:04Z |
+-------------------+------------------------------------------------+
(osclient) cloud@dev1:~/osclient$
(osclient) cloud@dev1:~/osclient$ neutron router-create R1
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new router:
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2017-08-22T05:30:19Z |
| description | |
| external_gateway_info | |
| flavor_id | |
| id | ed17d09c-6015-42ab-90d3-675d48255190 |
| name | R1 |
| project_id | bccf45eee4544264a526c4bca56fdb3c |
| revision_number | 3 |
| routes | |
| status | ACTIVE |
| tags | |
| tenant_id | bccf45eee4544264a526c4bca56fdb3c |
| updated_at | 2017-08-22T05:30:19Z |
+-------------------------+--------------------------------------+
(osclient) cloud@dev1:~/osclient$
(osclient) cloud@dev1:~/osclient$ neutron router-gateway-set R1 public
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Set gateway for router R1
(osclient) cloud@dev1:~/osclient$ neutron router-interface-add R1 S1
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Added interface 8e10bb2a-3278-4989-b901-56d1e943b3c8 to router R1.
(osclient) cloud@dev1:~/osclient$
(osclient) cloud@dev1:~/osclient$ neutron router-show R1 --fit-width
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+-------------------------+---------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------+---------------------------------------------------------------------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | nova |
| created_at | 2017-08-22T05:30:19Z |
| description | |
| external_gateway_info | {"network_id": "975dd3d1-3576-4c34-991e-eaf24f45295e", "enable_snat": true, "external_fixed_ips": |
| | [{"subnet_id": "543ef8a3-5717-44d1-81f9-70c5057e889c", "ip_address": "172.24.4.5"}, {"subnet_id": |
| | "8171e8c6-2953-4ffa-beab-8f07b43a08c4", "ip_address": "2001:db8::1"}]} |
| flavor_id | |
| id | ed17d09c-6015-42ab-90d3-675d48255190 |
| name | R1 |
| project_id | bccf45eee4544264a526c4bca56fdb3c |
| revision_number | 7 |
| routes | |
| status | ACTIVE |
| tags | |
| tenant_id | bccf45eee4544264a526c4bca56fdb3c |
| updated_at | 2017-08-22T05:30:54Z |
+-------------------------+---------------------------------------------------------------------------------------------------+
2. Security Group Creation:
(osclient) cloud@dev1:~/osclient$ neutron security-group-create webtraffic --fit-width
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new security_group:
+----------------------+------------------------------------------------------------------------------------------------------+
| Field | Value |
+----------------------+------------------------------------------------------------------------------------------------------+
| created_at | 2017-08-22T05:34:53Z |
| description | |
| id | 84452f1f-1ba8-49ed-b814-0115e8e7c0f5 |
| name | webtraffic |
| project_id | bccf45eee4544264a526c4bca56fdb3c |
| revision_number | 1 |
| security_group_rules | {"remote_group_id": null, "direction": "egress", "protocol": null, "description": null, "ethertype": |
| | "IPv4", "remote_ip_prefix": null, "port_range_max": null, "updated_at": "2017-08-22T05:34:53Z", |
| | "security_group_id": "84452f1f-1ba8-49ed-b814-0115e8e7c0f5", "port_range_min": null, |
| | "revision_number": 1, "tenant_id": "bccf45eee4544264a526c4bca56fdb3c", "created_at": |
| | "2017-08-22T05:34:53Z", "project_id": "bccf45eee4544264a526c4bca56fdb3c", "id": |
| | "cb39e24f-c738-4a41-8692-adca5ba4fe6e"} |
| | {"remote_group_id": null, "direction": "egress", "protocol": null, "description": null, "ethertype": |
| | "IPv6", "remote_ip_prefix": null, "port_range_max": null, "updated_at": "2017-08-22T05:34:53Z", |
| | "security_group_id": "84452f1f-1ba8-49ed-b814-0115e8e7c0f5", "port_range_min": null, |
| | "revision_number": 1, "tenant_id": "bccf45eee4544264a526c4bca56fdb3c", "created_at": |
| | "2017-08-22T05:34:53Z", "project_id": "bccf45eee4544264a526c4bca56fdb3c", "id": "dd53d1f2-fe40-4910 |
| | -b56a-043976ee5fe5"} |
| tenant_id | bccf45eee4544264a526c4bca56fdb3c |
| updated_at | 2017-08-22T05:34:53Z |
+----------------------+------------------------------------------------------------------------------------------------------+
(osclient) cloud@dev1:~/osclient$
(osclient) cloud@dev1:~/osclient$ neutron security-group-rule-create --direction ingress --protocol tcp --port-range-min 80 --port-range-max 80 --remote-ip-prefix 0.0.0.0/0 webtraffic
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2017-08-22T05:38:20Z |
| description | |
| direction | ingress |
| ethertype | IPv4 |
| id | 68cc7d40-610e-485b-ae5e-f44db22ddfab |
| port_range_max | 80 |
| port_range_min | 80 |
| project_id | bccf45eee4544264a526c4bca56fdb3c |
| protocol | tcp |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 1 |
| security_group_id | 84452f1f-1ba8-49ed-b814-0115e8e7c0f5 |
| tenant_id | bccf45eee4544264a526c4bca56fdb3c |
| updated_at | 2017-08-22T05:38:20Z |
+-------------------+--------------------------------------+
(osclient) cloud@dev1:~/osclient$
(osclient) cloud@dev1:~/osclient$ neutron security-group-rule-create --direction ingress --protocol tcp --port-range-min 22 --port-range-max 22 --remote-ip-prefix 172.24.4.0/24 webtraffic
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2017-08-22T05:40:17Z |
| description | |
| direction | ingress |
| ethertype | IPv4 |
| id | 716e51d5-e0b2-4a2f-b9f2-da540ca1f1e3 |
| port_range_max | 22 |
| port_range_min | 22 |
| project_id | bccf45eee4544264a526c4bca56fdb3c |
| protocol | tcp |
| remote_group_id | |
| remote_ip_prefix | 172.24.4.0/24 |
| revision_number | 1 |
| security_group_id | 84452f1f-1ba8-49ed-b814-0115e8e7c0f5 |
| tenant_id | bccf45eee4544264a526c4bca56fdb3c |
| updated_at | 2017-08-22T05:40:17Z |
+-------------------+--------------------------------------+
(osclient) cloud@dev1:~/osclient$ neutron security-group-rule-list | grep webtraffic
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
| 68cc7d40-610e-485b-ae5e-f44db22ddfab | webtraffic | ingress | IPv4 | 80/tcp | 0.0.0.0/0 (CIDR) |
| 716e51d5-e0b2-4a2f-b9f2-da540ca1f1e3 | webtraffic | ingress | IPv4 | 22/tcp | 172.24.4.0/24 (CIDR) |
| cb39e24f-c738-4a41-8692-adca5ba4fe6e | webtraffic | egress | IPv4 | any | any |
| dd53d1f2-fe40-4910-b56a-043976ee5fe5 | webtraffic | egress | IPv6 | any | any |
(osclient) cloud@dev1:~/osclient$
3. Create a VM:
(osclient) cloud@dev1:~$ neutron port-create --fixed-ip subnet_id=S1,ip_address=10.10.10.100 --security-group webtraffic N1
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new port:
+-----------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+-------------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:vnic_type | normal |
| created_at | 2017-08-22T05:53:27Z |
| description | |
| device_id | |
| device_owner | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "bdffb92b-1d1f-4abb-bbc7-c9865b9fa47c", "ip_address": "10.10.10.100"} |
| id | 297e952a-f491-40fc-b015-94e96f6ea864 |
| mac_address | fa:16:3e:71:d8:8f |
| name | |
| network_id | 332d1aa4-ebc2-468e-a5e0-0d1190ac21d2 |
| port_security_enabled | True |
| project_id | bccf45eee4544264a526c4bca56fdb3c |
| revision_number | 5 |
| security_groups | 84452f1f-1ba8-49ed-b814-0115e8e7c0f5 |
| status | DOWN |
| tags | |
| tenant_id | bccf45eee4544264a526c4bca56fdb3c |
| updated_at | 2017-08-22T05:53:27Z |
+-----------------------+-------------------------------------------------------------------------------------+
(osclient) cloud@dev1:~$
(osclient) cloud@dev1:~/osclient$ nova boot --flavor 6 --image ubuntu14 --key-name testkey --security-groups webtraffic --user-data bootscript.sh --nic port-id=297e952a-f491-40fc-b015-94e96f6ea864 Web-Server
+--------------------------------------+-------------------------------------------------+
| Property | Value |
+--------------------------------------+-------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | - |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | CPBn3TMrsK7C |
| config_drive | |
| created | 2017-08-22T05:58:21Z |
| description | - |
| flavor | m1.tiny2 (6) |
| hostId | |
| id | c31476b6-6ee0-4621-8914-709f7284e65c |
| image | ubuntu14 (eb570c2e-46e2-4cc3-928a-fe5cdffa7822) |
| key_name | testkey |
| locked | False |
| metadata | {} |
| name | Web-Server |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| security_groups | webtraffic |
| status | BUILD |
| tags | [] |
| tenant_id | bccf45eee4544264a526c4bca56fdb3c |
| updated | 2017-08-22T05:58:21Z |
| user_id | 9b2d58dc14b2456fa5b7e5adae366f04 |
+--------------------------------------+-------------------------------------------------+
(osclient) cloud@dev1:~/osclient$
(osclient) cloud@dev1:~/osclient$ nova list
+--------------------------------------+------------+--------+------------+-------------+-----------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+------------+--------+------------+-------------+-----------------+
| c31476b6-6ee0-4621-8914-709f7284e65c | Web-Server | ACTIVE | - | Running | N1=10.10.10.100 |
+--------------------------------------+------------+--------+------------+-------------+-----------------+
(osclient) cloud@dev1:~/osclient$ neutron floatingip-list
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+------------------+---------------------+---------+
| id | fixed_ip_address | floating_ip_address | port_id |
+--------------------------------------+------------------+---------------------+---------+
| 110f5f61-1f30-4ad6-8aca-40bfcf485af4 | | 172.24.4.2 | |
| dcb48f7f-cb4c-4289-a27b-62b4e3399647 | | 172.24.4.12 | |
+--------------------------------------+------------------+---------------------+---------+
(osclient) cloud@dev1:~/osclient$ neutron floatingip-associate dcb48f7f-cb4c-4289-a27b-62b4e3399647 297e952a-f491-40fc-b015-94e96f6ea864
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Associated floating IP dcb48f7f-cb4c-4289-a27b-62b4e3399647
(osclient) cloud@dev1:~/osclient$ neutron floatingip-list
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+------------------+---------------------+--------------------------------------+
| id | fixed_ip_address | floating_ip_address | port_id |
+--------------------------------------+------------------+---------------------+--------------------------------------+
| 110f5f61-1f30-4ad6-8aca-40bfcf485af4 | | 172.24.4.2 | |
| dcb48f7f-cb4c-4289-a27b-62b4e3399647 | 10.10.10.100 | 172.24.4.12 | 297e952a-f491-40fc-b015-94e96f6ea864 |
+--------------------------------------+------------------+---------------------+--------------------------------------+
(osclient) cloud@dev1:~/osclient$ nova list
+--------------------------------------+------------+--------+------------+-------------+------------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+------------+--------+------------+-------------+------------------------------+
| c31476b6-6ee0-4621-8914-709f7284e65c | Web-Server | ACTIVE | - | Running | N1=10.10.10.100, 172.24.4.12 |
+--------------------------------------+------------+--------+------------+-------------+------------------------------+
(osclient) cloud@dev1:~/osclient$
4. Testing:
(osclient) cloud@dev1:~/osclient$ curl 172.24.4.12
web-server
(osclient) cloud@dev1:~/osclient$ ping 172.24.4.12
PING 172.24.4.12 (172.24.4.12) 56(84) bytes of data.
^C
--- 172.24.4.12 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
(osclient) cloud@dev1:~/osclient$
(osclient) cloud@dev1:~/osclient$ ssh -i ../testkey ubuntu@172.24.4.12
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-126-generic x86_64)
* Documentation: https://help.ubuntu.com/
System information disabled due to load higher than 1.0
Get cloud support with Ubuntu Advantage Cloud Guest:
http://www.ubuntu.com/business/services/cloud
Last login: Tue Aug 22 06:10:21 2017 from 172.24.4.1
ubuntu@web-server:~$