New OpenStack 201707

Uploaded by Aung Aung

2.7.1 About NAT with Floating IPs (2) The virtual router performs network address translation (NAT) between the internal network and external network. When an instance with a DHCP-assigned private IP address initiates a connection to the external network, the source IP address seen externally will be the router's external IP address. Responses to the instance will be sent to the router's external IP address, and the router translates the destination address back to the instance's private address when forwarding the response traffic. Floating IPs allow instances to be directly addressed from the external network by associating a floating IP with an instance. The router performs NAT between the floating IP and the instance's private

Module1 Concept of OpenStack
Module2 Virtual instances
Module3 Access to virtual instances
Module4 Updating and expanding
Module5 Security
Module6 Virtual appliance

Module1 Concept of OpenStack

1.1 Introduction to OpenStack
1.2 How to operate OpenStack
1.3 Concept of OpenStack management
1.1 Introduction to OpenStack
1.1.1 About OpenStack
OpenStack is a set of open source software for building and managing IaaS and PaaS cloud platforms.

Features
• Open development model.
  - All of the code is freely available under the Apache 2.0 license.
  - The project is operated mainly by the OpenStack Foundation.
  - Updates are released every six months.
• A loosely coupled system.
  - Multiple independent components collaborate via REST APIs.
  - Written in Python.
  - Provides a REST API to users.
• Ecosystem
  - Companies and users are connected via OpenStack and create business opportunities.
  - Developing vendor proprietary plugins for OpenStack.
  - Developing OpenStack distributions.
1.1.2 OpenStack Releases

Release   Date
Austin    2010-10-21
Bexar     2011-02-03
Cactus    2011-04-15
Diablo    2011-09-22
Essex     2012-04-05
Folsom    2012-09-27
Grizzly   2013-04-04
Havana    2013-10-17
Icehouse  2014-04-17
Juno      2014-10-16
Kilo      2015-04-30
Liberty   2015-10-15
Mitaka    2016-04-07
Newton    2016-10-06
Ocata     2017-02-22
Pike      Under development


1.1.3 Popular OpenStack components
OpenStack has many individual components.
Only necessary components can be selected and configured.

Core services
Project name   Function
Keystone       User management, authentication, authorization
Nova           Management of hypervisor and virtual machines
Cinder         Block storage management
Glance         Virtual machine image management
Swift          Object storage
Neutron        Virtual network management

Popular optional services
Project name   Function
Horizon        Dashboard (Web UI)
Ceilometer     Measure resource usage
Heat           Cloud orchestration
Magnum         Docker container orchestration
Ironic         Bare metal provisioning
1.1.4 Overview of cooperation among multiple components

[Figure: the user operates the cloud through Horizon (Dashboard, Web UI) or directly through the API. Glance manages VM images and stores them in Swift (object storage); Glance provides VM images to Nova (virtual machines). Neutron provides virtual network management for VMs, and Cinder (block storage management) provides virtual disks for VMs. Keystone provides authentication and authorization for all components.]
1.2 How to operate OpenStack
OpenStack provides a REST API for using its services.
Use tools for sending REST API requests.
• Tools for sending REST API requests.
  - OpenStack dashboard
  - cURL command
    An OSS command-line tool for sending HTTP requests and receiving responses.
  - REST clients
    Browser-based GUI tools for REST APIs.
  - OpenStack command-line client
    The OpenStack project provides command-line tools, which are written in Python.
  - OpenStack Python SDK (SDK: Software Development Kit)
    The OpenStack project provides a Python SDK for writing Python automation scripts.
    All OpenStack command-line tools are built with the Python SDK.
1.3 Concept of OpenStack management
• User
  A user is a person who uses OpenStack cloud services. A user can be assigned to projects.

• Project
  A project is a container that groups and isolates resources. The administrator can set
  resource limits for each project. Users that are assigned to the same project can share
  the same resources.

• Role
  A role is a set of user rights and privileges to perform a specific set of operations.
  The administrator assigns roles to users.

• Region
  A region is a set of components that share the same API endpoints. An API endpoint is a URI
  that is used for sending HTTP requests.

• Availability zone
  A logical set of servers, storage and networks. Different availability zones use different
  physical servers, storage and networks.
Module2 Virtual instances

2.1 Elements of virtual instance
2.2 Virtual machine images
2.3 Flavors
2.4 Virtual networks
2.5 Security groups
2.6 Key Pairs
2.7 Floating IPs
2.8 Virtual instances
2.1 Elements of virtual instance
• Virtual machine images
  A virtual machine image is a virtual disk format file that contains a bootable OS.
• Flavors
  A flavor is a set of definitions of the virtual machine spec, for example the number of vCPUs,
  the size of memory and the size of disk. The user selects a flavor when creating a virtual instance.
• Virtual networks
  Virtual switches in the hypervisor that are connected to virtual instances.
• Security groups
  Security groups are firewall rules that are applied to all virtual instances. Security
  groups define network access to virtual instances.
• Key Pairs
  A Key Pair is a set of a public key and a private key for access with SSH.
  The Key Pair is injected into a virtual instance automatically when creating it.
• Floating IPs
  Floating IPs are IP addresses for accessing virtual instances from outside the
  cloud. The virtual router performs NAT.
2.2 Virtual machine images
2.2.1 Create images
2.2.2 Disk formats

• QCOW2 (QCOW: QEMU Copy on Write)
  A virtual machine image for creating virtual instances in the KVM environment.
  QCOW2 is dynamically expandable and supports Copy on Write.

• AKI, AMI, ARI
  Virtual machine images for creating virtual instances in the AWS environment.
  Create one virtual instance by combining AKI, AMI and ARI.
2.3 Flavors

A user who is assigned the admin role can create new flavors.

2.3.1 Create Flavors (1)

• Root Disk
  Amount of disk space to use for the root partition ( / ).

• Ephemeral Disk
  Amount of disk space to use for the ephemeral partition.
  When the instance is terminated, the ephemeral disk is erased.
  Nova provides ephemeral disks to instances.
2.3.2 Create Flavors (2)
2.4 Virtual networks

[Figure: an instance on the internal network reaches the external network through a virtual router (NAT router).]

2.4.1 Create internal networks (1)
2.4.2 Create internal networks (2)
2.4.3 Create internal networks (3)

Neutron provides a DHCP service to instances.
The DHCP service sets the IP address, DNS servers and default gateway
of instances.
2.4.4 Create external networks (1)

A user who is assigned the admin role can create new external networks
or change existing network settings to external networks.
2.4.5 Create external networks (2)
2.4.6 Display external networks and internal networks
2.4.7 Create virtual routers (1)
2.4.8 Create virtual routers (2)
2.4.9 Create virtual routers (3)
2.4.10 Create virtual routers (4)

Adding an interface to the virtual router for connecting to the private network.
2.4.11 Create virtual routers (5)
2.4.12 Display virtual networks
2.5 Security groups
2.5.1 Create Security groups (1)
2.5.2 Create Security groups (2)
2.5.3 Create Security groups (3)
2.5.4 Create Security groups (4)
2.5.5 Create Security groups (5)
2.6 Key Pairs

The Key Pair is used for connecting to instances with SSH
public-key authentication. Public-key authentication is more
secure than password authentication.
For security reasons it is necessary to connect to the instance
using a Key Pair.
Use of password authentication is not recommended.
2.6.1 Create Key Pairs (1)
2.6.2 Create Key Pairs (2)

A Key Pair belongs to an individual user. Each user needs to
manage their own Key Pairs. Do not lose your Key Pair files.
To share a Key Pair across multiple users, it is necessary to
copy the Key Pair file between users.
2.7 Floating IPs
2.7.1 About NAT with Floating IPs (1)

[Figure: inbound traffic from a user on the external network to an instance, through the virtual router.
User (IP address 192.168.2.5) -> virtual router -> instance (DHCP-assigned IP address 192.168.100.8)
  On the external network: Source 192.168.2.5, Destination 192.168.2.106 (Floating IP)
  On the internal network: Source 192.168.2.5, Destination 192.168.100.8]

2.7.2 About NAT with Floating IPs (2)

[Figure: outbound traffic from the instance to the user, through the virtual router.
Instance (DHCP-assigned IP address 192.168.100.8) -> virtual router -> user (IP address 192.168.2.5)
  On the internal network: Source 192.168.100.8, Destination 192.168.2.5
  On the external network: Source 192.168.2.106 (Floating IP), Destination 192.168.2.5]
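The two address rewrites shown on slides 2.7.1 and 2.7.2 can be modelled in a few lines. The following is an added example, not code from the slides or from Neutron: it uses the slide's addresses (user 192.168.2.5, floating IP 192.168.2.106, instance 192.168.100.8) and a constructed router external address 192.168.2.100, and it also shows what the slides' description implies for an instance without a floating IP: its outbound traffic is source-translated to the router's address, replies come back, but unsolicited inbound traffic is dropped.

```python
"""Model of the NAT a Neutron virtual router performs for floating IPs (slides 2.7.1 and 2.7.2).
Added example; it is not code from the slides or from OpenStack."""
from dataclasses import dataclass, replace

# Addresses from the slides.
USER_IP = "192.168.2.5"          # host on the external network
FLOATING_IP = "192.168.2.106"    # floating IP associated with the instance
INSTANCE_IP = "192.168.100.8"    # DHCP-assigned private address of the instance
# Constructed value: the router's own address on the external network (not given on the slides).
ROUTER_EXTERNAL_IP = "192.168.2.100"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class VirtualRouter:
    """1:1 NAT for floating IPs, plus source NAT to the router's external IP for
    instances that have no floating IP. Flows are tracked by peer address only;
    a real router also keys on protocol and ports."""

    def __init__(self, external_ip):
        self.external_ip = external_ip
        self._float_to_private = {}
        self._private_to_float = {}
        self._snat_flows = {}   # external peer -> private source that started the flow

    def associate(self, floating_ip, private_ip):
        self._float_to_private[floating_ip] = private_ip
        self._private_to_float[private_ip] = floating_ip

    def disassociate(self, floating_ip):
        private_ip = self._float_to_private.pop(floating_ip)
        del self._private_to_float[private_ip]

    def outbound(self, pkt):
        """Internal -> external (slide 2.7.2): rewrite the source address."""
        floating_ip = self._private_to_float.get(pkt.src)
        if floating_ip is not None:
            return replace(pkt, src=floating_ip)
        # No floating IP: hide the instance behind the router's external address
        # and remember the flow so that the reply can be delivered.
        self._snat_flows[pkt.dst] = pkt.src
        return replace(pkt, src=self.external_ip)

    def inbound(self, pkt):
        """External -> internal (slide 2.7.1): rewrite the destination address,
        or return None when the router drops the packet."""
        private_ip = self._float_to_private.get(pkt.dst)
        if private_ip is not None:
            return replace(pkt, dst=private_ip)
        if pkt.dst == self.external_ip and pkt.src in self._snat_flows:
            return replace(pkt, dst=self._snat_flows[pkt.src])  # reply to an instance-initiated flow
        return None  # unsolicited traffic to an address with no floating IP: dropped


if __name__ == "__main__":
    router = VirtualRouter(ROUTER_EXTERNAL_IP)
    router.associate(FLOATING_IP, INSTANCE_IP)
    print("2.7.1 inbound :", router.inbound(Packet(USER_IP, FLOATING_IP)))
    print("2.7.2 outbound:", router.outbound(Packet(INSTANCE_IP, USER_IP)))
    router.disassociate(FLOATING_IP)
    print("no floating IP, outbound:", router.outbound(Packet(INSTANCE_IP, USER_IP)))
    print("no floating IP, unsolicited inbound:", router.inbound(Packet(USER_IP, FLOATING_IP)))
```

The point for a defender is the asymmetry: associating a floating IP is what makes an instance reachable from outside, so each association is an exposure decision, and the security group (section 2.5) is what still filters the traffic that the router forwards.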
2.7.3 Create Floating IPs (1)
2.7.4 Create Floating IPs (2)
2.7.5 Create Floating IPs (3)
2.7.6 Create Floating IPs (4)
2.8 Virtual instances
2.8.1 Create virtual instances (1)
2.8.2 Create virtual instances (2)

For security reasons it is necessary to connect to the instance
using a Key Pair.
Use of password authentication is not recommended.
2.8.3 Create virtual instances (3)
2.8.4 Create virtual instances (4)

"User Data" is a mechanism to inject the information contained
in a local file into the instance at launch.
Users can specify a shell script or a configuration file as "User Data".
2.8.5 Create virtual instances (5)
2.8.6 Create virtual instances (6)
2.8.7 Associate Floating IP (1)
2.8.8 Associate Floating IP (2)
2.8.9 Associate Floating IP (3)
Module3 Access to virtual instances

3.1 Connect to instances with SSH using Tera Term
3.2 Connect to instances with SSH using PuTTY
3.3 Connect to instances with SSH using ssh command
3.4 OpenSSH server (sshd) configuration file
3.1 Connect to instances with SSH using Tera Term
3.1.1 How to use Tera Term (1)
3.1.2 How to use Tera Term (2)
3.1.3 How to use Tera Term (3)
3.1.4 How to use Tera Term (4)

Key Pair file
It is necessary to select "all" to display Key Pair files.
3.1.5 How to use Tera Term (5)
3.2 Connect to instances with SSH using PuTTY
3.2.1 How to use PuTTY (1)
PuTTY does not support the private key format (.pem).
It is necessary to convert the Key Pair file with PuTTYgen.
3.2.2 How to use PuTTY (2)

Key Pair file
It is necessary to select "all" to display Key Pair files.
3.2.3 How to use PuTTY (3)
3.2.4 How to use PuTTY (4)
3.2.5 How to use PuTTY (5)
3.2.6 How to use PuTTY (6)
3.2.7 How to use PuTTY (7)

Converted Key Pair file

3.2.8 How to use PuTTY (8)
3.3 Connect to instances with SSH using ssh command

Usage
ssh -i <identity_file> -l <login_name> <IP_address>
ssh -i <identity_file> <login_name>@<IP_address>

• Connect to an instance
$ ssh -i keypair.pem -l centos 192.168.2.106
Last login: Sat Jul 1 13:07:52 2017 from 192.168.2.5
[centos@instance ~]$

• Options
-i identity_file : Selects a private key file.
-l login_name : Specifies the user to log in as on the remote machine.
-p port : Port to connect to on the remote host.
3.4 OpenSSH server (sshd) configuration file
3.4.1 Setting items
The sshd configuration file is /etc/ssh/sshd_config.
• Main setting items of /etc/ssh/sshd_config
Setting item            Description
Port                    Specifies the port number that sshd listens on.
Protocol                Specifies the protocol versions sshd supports.
PermitRootLogin         Specifies whether root can log in.
RSAAuthentication       Specifies whether RSA1 authentication is allowed.
PubkeyAuthentication    Specifies whether RSA2 and DSA authentication is allowed.
PermitEmptyPasswords    Specifies whether empty passwords are allowed.
PasswordAuthentication  Specifies whether password authentication is allowed.
MaxAuthTries            Specifies the maximum number of authentication attempts permitted per connection.
LoginGraceTime          The server disconnects after this time if the user has not successfully logged in.
AllowUsers / DenyUsers  A list that allows or denies user connections.
3.4.2 Setting example (1)
• Port
The SSH default port is 22. Attackers often select the default port as an attack target.
Changing the port number is a more secure setting.

Port 20022

• Protocol
SSH version 1 is vulnerable. It is necessary to use only SSH version 2.

Protocol 2

• PermitRootLogin
Attackers often select the root user as an attack target.
Disabling root user login increases security.

PermitRootLogin no
3.4.3 Setting example (2)
• RSAAuthentication
Specifies whether RSA1 authentication is allowed. RSA1 is used only in SSH version 1.
It is recommended to comment it out if you only use SSH version 2.

#RSAAuthentication yes

• PubkeyAuthentication
Specifies whether RSA2 and DSA authentication is allowed. RSA2 and DSA are used in
SSH version 2.

PubkeyAuthentication yes

• PermitEmptyPasswords
When password authentication is allowed, it specifies whether the server allows login
to accounts with empty password strings. It is necessary to set "no".

PermitEmptyPasswords no
3.4.4 Setting example (3)
• PasswordAuthentication
If public key authentication is set up, password authentication is unnecessary.
It is recommended to set "no".

PasswordAuthentication no

• MaxAuthTries
Specifies the maximum number of authentication attempts permitted per connection.
The default is 6. Reducing this number is a more secure setting.

MaxAuthTries 3

• LoginGraceTime
The server disconnects after this time if the user has not successfully logged in.
If the value is 0, there is no time limit. The default is 120 seconds.

LoginGraceTime 60
3.4.5 Setting example (4)
• AllowUsers
By default, login with SSH is allowed for all users.
If specified, login is allowed only for users in this list.

AllowUsers centos userA userB userC

• DenyUsers
By default, login with SSH is allowed for all users.
If specified, login is disallowed for users in this list.

DenyUsers userX userY userZ
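The settings of sections 3.4.2 to 3.4.5 can be checked mechanically on an instance's /etc/ssh/sshd_config. The following is an added example and not part of the slides: a small audit script that parses the file the way sshd does (comments ignored, the first occurrence of a keyword wins, nothing after a "Match" block is considered) and reports every deviation from the slide's recommendations. The two configurations it is run on are constructed samples; the defaults it assumes for absent keywords (Port 22, MaxAuthTries 6, LoginGraceTime 120) are the ones the slides quote.

```python
"""Audit an OpenSSH sshd_config against the hardening settings of section 3.4.
Added example, not part of the original slides."""
import re

# Values the slides recommend. sshd keywords are case-insensitive, so keys are lowercase.
EXPECTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "passwordauthentication": "no",
}
# Upper bounds from the slides, paired with the sshd default the slides quote for an absent keyword.
UPPER_BOUNDS = {"maxauthtries": (3, 6), "logingracetime": (60, 120)}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} using sshd's rules: '#' comments are ignored,
    the FIRST occurrence of a keyword wins, and parsing stops at the first 'Match'
    block because everything after it is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Port 22" and "Port=22" are both valid
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, problem) tuples; an empty list means compliant."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("port", "22") == "22":  # 22 is sshd's default when Port is absent
        findings.append(("port", "default port 22 in use; the slides recommend a non-default port"))
    for key, want in EXPECTED.items():
        have = s.get(key)
        if have is None:
            findings.append((key, f"not set; set it to '{want}'"))
        elif have.lower() != want:
            findings.append((key, f"is '{have}', should be '{want}'"))
    for key, (bound, default) in UPPER_BOUNDS.items():
        raw = s.get(key)
        # Plain integers only; sshd time suffixes such as '2m' are not handled here.
        value = int(raw) if raw is not None and raw.isdigit() else default
        if key == "logingracetime" and value == 0:
            findings.append((key, "0 disables the time limit; the slides use 60"))
        elif value > bound:
            findings.append((key, f"is {value}, should be at most {bound}"))
    return findings


# Constructed sample: a stock-like configuration with the weak settings the slides warn about.
WEAK_CONFIG = """\
Port 22
#Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 6
LoginGraceTime 0
"""

# Constructed sample: the settings from slides 3.4.2 to 3.4.5.
HARDENED_CONFIG = """\
Port 20022
Protocol 2
PermitRootLogin no
#RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
MaxAuthTries 3
LoginGraceTime 60
AllowUsers centos userA userB userC
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, problem in findings:
            print(f"  {key}: {problem}")
```

Run it against a copy of the instance's sshd_config after editing and again after `systemctl restart sshd`; the first-occurrence rule matters in practice because a hardened line added at the end of the file is silently ignored when the same keyword already appears earlier.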


3.5 Execute commands with root privilege
3.5.1 sudo command
The sudo command allows the user to execute administrator commands.
The user does not need to know the root password.

Usage
sudo <command>

• Execute system shutdown
$ shutdown -h now
shutdown: Need to be root
$ sudo shutdown -h now

If asked for a password, enter the password of the user who executes
the sudo command.
3.5.2 sudo command configuration file
The sudo command configuration file is /etc/sudoers.
Edit the file using the visudo command with root privilege.

• Setting example 1
userA ALL=(ALL) ALL
 (1)   (2)  (3)  (4)
(1) The user who is allowed to execute commands. (who)
(2) The host on which the user is allowed to execute commands. (where)
(3) The user at command execution. (as whom)
(4) The commands allowed to execute. (what)
userA can execute all commands with root privilege.

• Setting example 2
%groupA ALL=(ALL) /sbin/shutdown

A prefix of % means a group.
Users belonging to groupA can execute the shutdown command with root privilege.

• Important point
Executing visudo launches the default editor and you will be able to edit
the configuration file. Do not use other editors to edit the configuration file.
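The four fields of a sudoers line (who, where, as whom, what) are easy to mis-read in a large file, so it helps to parse them. The following is an added example, not part of the slides and not sudo's own parser: it handles the one-line form shown above, including the % group prefix and a NOPASSWD: tag, and answers two questions an auditor asks, "can this user run that command here?" and "which entries grant every command as root?". The sudoers excerpt it reads is constructed; aliases, wildcards and "!" negation are deliberately out of scope.

```python
"""Parse /etc/sudoers user specifications into who / where / as whom / what (slide 3.5.2).
Added example; it is not the slides' material and not sudo's own parser, and it covers only
the simple one-line form shown on the slides (no aliases, wildcards or '!' negation)."""
import re
from dataclasses import dataclass

# who  where=(as whom)  what   e.g. "userA ALL=(ALL) ALL" or "%groupA ALL=(ALL) /sbin/shutdown"
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<where>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<what>.+)$")
# Tags such as NOPASSWD: prefix a command; they are stripped so commands compare cleanly.
TAG_RE = re.compile(r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)+")


@dataclass(frozen=True)
class UserSpec:
    who: str          # user name, or group name when is_group is True
    is_group: bool    # True when the line started with '%'
    where: str        # host, or ALL
    run_as: str       # target user, or ALL
    commands: tuple   # allowed commands; ("ALL",) grants everything


def parse_sudoers(text):
    """Return the user specifications found in sudoers-style text."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("Defaults") or re.match(r"^(User|Host|Runas|Cmnd)_Alias\b", line):
            continue   # Defaults and alias definitions are not user specifications
        m = SPEC_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        # "(user:group)" may appear; only the user part matters here. Absent means root.
        run_as = m["runas"].split(":")[0] if m["runas"] is not None else "root"
        commands = tuple(TAG_RE.sub("", c.strip()) for c in m["what"].split(","))
        specs.append(UserSpec(m["who"].lstrip("%"), m["who"].startswith("%"), m["where"], run_as, commands))
    return specs


def may_run(specs, user, groups, host, command):
    """True when some specification lets `user` (a member of `groups`) run `command` on `host`."""
    for spec in specs:
        subject_ok = spec.who in groups if spec.is_group else spec.who in (user, "ALL")
        host_ok = spec.where in (host, "ALL")
        command_ok = "ALL" in spec.commands or command in spec.commands
        if subject_ok and host_ok and command_ok:
            return True
    return False


def full_root_grants(specs):
    """Entries that allow every command as root: the ones to review first in an audit."""
    return [("%" if s.is_group else "") + s.who for s in specs
            if "ALL" in s.commands and s.run_as in ("ALL", "root")]


# Constructed sample /etc/sudoers excerpt (not from the slides).
SAMPLE_SUDOERS = """\
Defaults    requiretty
userA   ALL=(ALL)       ALL
%groupA ALL=(ALL)       /sbin/shutdown
userB   web01=(root)    NOPASSWD: /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
"""

if __name__ == "__main__":
    specs = parse_sudoers(SAMPLE_SUDOERS)
    for spec in specs:
        print(spec)
    print("full root grants:", full_root_grants(specs))
    print("centos in groupA may shut down:", may_run(specs, "centos", {"groupA"}, "instance", "/sbin/shutdown"))
```

Because the parser raises on any line it does not understand, it fails loudly rather than silently skipping an entry, which is the safer behaviour for an audit tool.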
Module4 Updating and expanding

4.1 Software update
4.2 Grow partitions and file systems
4.1 Software update
4.1.1 Execute yum command
It is necessary to do software updates to fix security holes.
The yum command can update the software to the latest state.

• Update all installed packages
# yum update

• Install httpd package
# yum install httpd

• Update httpd package
# yum update httpd

• Uninstall httpd package
# yum erase httpd
4.1.2 Enable EPEL repository
EPEL is a Fedora Special Interest Group for using Fedora packages on
Red Hat Enterprise Linux and its compatible distributions.

EPEL (Extra Packages for Enterprise Linux) packages are usually based on their Fedora
counterparts and will never conflict with or replace packages in CentOS.
From the EPEL repository, you can get new packages that are not delivered
in the CentOS standard repository.

• EPEL web site
https://fedoraproject.org/wiki/EPEL

• Enable EPEL repository
# yum install epel-release

4.2 Grow partitions and file systems
Cloud-init is a package that provides the initialization of instances.
Cloud-init can grow partitions and file systems when launching instances.

[Figure: a virtual machine image of the image size is launched as an instance; the virtual instance disk is grown to the flavor size.]

Cloud-init, which is installed in the instance, executes the initialization set in the configuration file
at launch. If you want to expand the disk, you need to install cloud-init, growpart and resize2fs
in the image.
4.2.1 Cloud-init configuration file
 /etc/cloud/cloud.cfg
users:
- default

cloud_init_modules:
- migrator
- bootcmd
- write-files (1)
- growpart
- resizefs

cloud_config_modules:
- mounts (2)

cloud_final_modules:
- rightscale_userdata (3)

4.2.2 Commands to grow partitions and file systems
• Grow partitions
# yum install cloud-utils-growpart

# growpart /dev/vda 1

# shutdown -r now
• Grow file systems
# resize2fs /dev/vda1

• Check execution result
$ lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    252:0    0   20G  0 disk
└─vda1 252:1    0   20G  0 part /
vdb    252:16   0  512M  0 disk [SWAP]
$ df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/vda1        20G 1002M   18G   6% /
tmpfs           499M     0  499M   0% /dev/shm
Module5 Security

5.1 Firewall setting
5.2 Antivirus software
5.1 Firewall setting
5.1.1 Check ports used for connection (1)
• Check TCP ports
$ netstat -ant

• Check TCP and UDP ports
$ netstat -antu

• Options
Option  Description
-a      Show all sockets.
-t      Show TCP sockets.
-u      Show UDP sockets.
-n      Show numerical addresses instead of host names and protocol names.
-p      Show the PID and program name to which each socket belongs.
5.1.2 Check ports used for connection (2)

• Values of the State field
Value        Description
ESTABLISHED  The socket has an established connection.
TIME_WAIT    The socket is waiting after close to handle packets still in the network.
CLOSED       The socket is not being used.
CLOSE_WAIT   The remote end has shut down, waiting for the socket to close.
LISTEN       The socket is listening for incoming connections.
UNKNOWN      The state of the socket is unknown.
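Reading `netstat -antu` by eye does not scale past a few lines, so the following added example (not part of the slides) parses its output into records, lists the listening sockets bound to every interface, which are the ones a security group rule or firewall rule must account for, and counts connections per State value from the table above. The netstat output it parses is a constructed sample in the CentOS 7 format; sockets bound only to 127.0.0.1 are reported separately because they are not reachable from the network.

```python
"""Summarise `netstat -antu` output: listening ports and connection states (section 5.1).
Added example with constructed output lines; not part of the slides."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample of `netstat -antu` output on a CentOS 7 instance (sshd on port 20022).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:20022           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0     52 192.168.100.8:20022     192.168.2.5:51234       ESTABLISHED
tcp        0      0 192.168.100.8:80        192.168.2.5:51300       TIME_WAIT
tcp        0      0 192.168.100.8:80        192.168.2.5:51301       CLOSE_WAIT
tcp6       0      0 :::20022                :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local_addr: str
    local_port: int
    remote: str
    state: str   # "" for UDP sockets, which netstat prints without a State column


def split_endpoint(endpoint):
    """'192.168.100.8:20022' -> ('192.168.100.8', 20022); ':::20022' -> ('::', 20022)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port != "*" else 0)


def parse_netstat(text):
    """Turn netstat -antu output into Socket records, skipping the two header lines."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local, remote = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        addr, port = split_endpoint(local)
        sockets.append(Socket(proto, addr, port, remote, state))
    return sockets


def listening_on_all_interfaces(sockets):
    """Listening sockets bound to the wildcard address: reachable from the network,
    subject only to the security group and the instance firewall."""
    wildcard = {"0.0.0.0", "::"}
    return sorted((s.proto, s.local_port) for s in sockets
                  if s.state == "LISTEN" and s.local_addr in wildcard)


def listening_locally(sockets):
    """Listening sockets bound to loopback only: not reachable from the network."""
    return sorted((s.proto, s.local_port) for s in sockets
                  if s.state == "LISTEN" and s.local_addr in {"127.0.0.1", "::1"})


def state_counts(sockets):
    """Number of TCP sockets per State value (see the table in 5.1.2)."""
    return Counter(s.state for s in sockets if s.proto.startswith("tcp"))


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("exposed listeners:", listening_on_all_interfaces(socks))
    print("loopback-only listeners:", listening_locally(socks))
    print("TCP states:", dict(state_counts(socks)))
```

On a real instance, feed it `netstat -antu` output captured with `-p` as well and compare the exposed-listener list with the security group rules from section 2.5: anything listening on the wildcard address without a matching rule is either unnecessary or a gap in the rules.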
5.1.3 Setting up iptables
 Installing system-config-firewall-tui
# yum install system-config-firewall-tui

 Executing system-config-firewall-tui
# system-config-firewall-tui
5.2 Antivirus software
5.2.1 About ClamAV
ClamAV is open source antivirus software
which supports Linux, Windows, BSD, Solaris and macOS.

https://www.clamav.net/
5.2.1 Setting up ClamAV in CentOS 7 (1)

• Installing ClamAV from the EPEL repository
# yum install clamav clamav-update clamav-scanner-systemd

• Edit /etc/freshclam.conf
Before:
Example
#DatabaseMirror db.XX.clamav.net
After:
#Example
DatabaseMirror db.jp.clamav.net

Specify servers in nearby countries.

5.2.2 Setting up ClamAV in CentOS 7 (2)
• Edit /etc/sysconfig/freshclam
Before:
FRESHCLAM_DELAY=disabled-warn
After:
#FRESHCLAM_DELAY=disabled-warn

• Update manually
# freshclam

• Scan manually
# clamscan -r -i <Directory path>
-r : Scan subdirectories recursively.
-i : Only print infected files.
5.2.3 Setting up ClamAV in CentOS 7 (3)
• Create configuration file for the daemon
# ln -s /etc/clamd.d/scan.conf /etc/clamd.conf

• Enable and start the daemon
# systemctl enable clamd@scan.service
# systemctl start clamd@scan.service
# systemctl status clamd@scan.service

• Scan with the daemon
# clamdscan <Directory path>

With the daemon, scanning is faster because the virus database has already been loaded
into memory.
Module6 Virtual appliance

6.1 About Turnkey Linux
6.2 Method of using virtual appliances
6.1 About Turnkey Linux
Turnkey Linux is a free Debian-based library of virtual machine images.
Free software is preinstalled and configured to be easy to use.

https://www.turnkeylinux.org/
6.2 Method of using virtual appliances
6.2.1 Download virtual appliance image files
6.2.2 Create virtual appliance images
$ tar xvfz turnkey-moodle-14.1-Jessie-amd64-openstack.tar.gz
turnkey-moodle-14.1-Jessie-amd64/
turnkey-moodle-14.1-Jessie-amd64/turnkey-moodle-14.1-Jessie-amd64-kernel
turnkey-moodle-14.1-Jessie-amd64/turnkey-moodle-14.1-Jessie-amd64-initrd
turnkey-moodle-14.1-Jessie-amd64/turnkey-moodle-14.1-Jessie-amd64.img

$ . openrc.sh

$ cd turnkey-moodle-14.1-Jessie-amd64

$ glance image-create --container-format ari --disk-format ari --name "Moodle.14.1" \
> < turnkey-moodle-14.1-Jessie-amd64-initrd
(Check the displayed id.)

$ glance image-create --container-format aki --disk-format aki --name "Moodle.14.1" \
> < turnkey-moodle-14.1-Jessie-amd64-kernel
(Check the displayed id.)

$ glance image-create --container-format ami --disk-format ami --name "Moodle.14.1" \
> --property ramdisk_id=<ARI_ID> --property kernel_id=<AKI_ID> \
> < turnkey-moodle-14.1-Jessie-amd64.img
6.2.3 First boot configuration
It is necessary to use the Key Pair to complete the first boot configuration.
Configuration starts when accessing the instance with SSH.