Saturday, June 18, 2016

irssi 0.8.18+ SASL / SSL authentication config

As of v0.8.18, the irssi IRC client has native support for SASL (Simple Authentication and Security Layer). Because irssi < 0.8.18 didn't have SASL support, the old workaround was to copy the Perl script cap_sasl.pl to ~/.irssi/scripts/autorun/ . My old irssi config file contained something like the following:

Freenode = {
    type = "IRC";
    max_kicks = "1";
    max_msgs = "4";
    max_whois = "1";
    sasl_mechanism = "plain";
    sasl_username = "archjun";
    sasl_password = "myPlainTextPW";
  };

Hardcoding my Freenode password into the irssi config was dumb because this file was managed in my dotfiles repository on GitHub, so anyone could see the password. I later realized my mistake and had to remove the file from my git repo, rewrite the git history, and remove the refs to the deleted file:

git filter-branch --index-filter 'git rm --cached --ignore-unmatch fileName' -- --all

Beware that the command above will DELETE fileName from the working tree despite the --cached flag (filter-branch checks out the rewritten HEAD when it finishes). Before you run this command make sure to back up the original file somewhere. Also keep in mind that rewriting history does not un-leak anything: the old commits stay in your reflog and in refs/original/* until you expire the reflog and run git gc, they stay in every existing clone, and GitHub may still serve them by hash, so treat the password as compromised and change it before anything else, then force-push the rewritten refs.
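A runnable walk-through of the rewrite together with the local cleanup it needs, added here as an example and not part of the original post. The throwaway repository, the file name irssi-config and the password string are constructed for the demonstration; the final check proves the pre-rewrite commit is really gone from the object store, not merely unreferenced.

```shell
#!/bin/sh
# scrub_secret_demo.sh -- purge a file that leaked a password from git
# history, then verify the old commits are unreachable and pruned.
# Added example; the repo, file and password below are constructed.
set -eu
export FILTER_BRANCH_SQUELCH_WARNING=1   # newer git otherwise pauses 5s
G="git -c user.name=demo -c user.email=demo@example.com"

# Number of commits, in any ref, whose diff adds/removes the string.
leaks_in_history() {  # $1 = repo dir, $2 = secret string
  git -C "$1" log --all --oneline -S"$2" | wc -l | tr -d ' '
}

# "yes" while the object is still in the store, "no" once gc pruned it.
object_exists() {  # $1 = repo dir, $2 = object id
  if git -C "$1" cat-file -e "$2" 2>/dev/null; then echo yes; else echo no; fi
}

# Rewrite every ref to drop the path, then remove the backups filter-branch
# leaves in refs/original/*, expire the reflog and prune the old objects.
# Without those last three steps the secret is still one `git show` away.
scrub_file() {  # $1 = repo dir, $2 = path to purge
  ( cd "$1"
    $G filter-branch -f --index-filter \
      "git rm --cached --ignore-unmatch '$2'" --prune-empty -- --all \
      >/dev/null 2>&1
    rm -rf .git/refs/original
    git reflog expire --expire=now --all
    git gc --prune=now --quiet )
}

# Build the leak, scrub it, and report "<leaks before> <leaks after> <old HEAD kept?>".
run_demo() {
  repo=$(mktemp -d)
  git init -q "$repo" 2>/dev/null
  printf 'sasl_password = "myPlainTextPW";\n' > "$repo/irssi-config"
  $G -C "$repo" add irssi-config
  $G -C "$repo" commit -q -m "add dotfiles"
  printf 'unrelated\n' > "$repo/README"
  $G -C "$repo" add README
  $G -C "$repo" commit -q -m "add readme"
  old=$(git -C "$repo" rev-parse HEAD)
  before=$(leaks_in_history "$repo" myPlainTextPW)
  scrub_file "$repo" irssi-config
  after=$(leaks_in_history "$repo" myPlainTextPW)
  echo "$before $after $(object_exists "$repo" "$old")"
  rm -rf "$repo"
}

if [ "${1:-}" = "--demo" ]; then
  run_demo   # prints "1 0 no"
fi
```

Run it with --demo. The same three-step cleanup applies to a real repository, after which a force-push of all branches is still required; git's own documentation now points to git-filter-repo as the preferred replacement for filter-branch, and the verification functions above work unchanged with it.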

I decided not to use regular passwords for IRC authentication on Freenode and to use SSL client-certificate (CertFP) authentication instead, which needs no password at connect time. There is a great guide for this on the Archlinux wiki:

https://wiki.archlinux.org/index.php/irssi#SSL_Connection

After following the steps now my Freenode entry in ~/.irssi/config looks like this:

...
  {
    address = "chat.freenode.net";
    chatnet = "Freenode";
    port = "6697";
    use_ssl = "yes";
    ssl_cert = "~/.irssi/irssi.pem";
    ssl_pass = "";
    ssl_verify = "yes";
    ssl_capath = "/etc/ssl/certs";
  },
...

*Note 2016-12-13: You should no longer specify ssl_capath when defining servers in the irssi config file. Reference: https://github.com/NixOS/nixpkgs/issues/16651

The above was automatically generated by irssi when I invoked /save after registering my certificate's fingerprint with Freenode's NickServ.
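The certificate-generation steps from the linked Arch wiki page as an added example, not code from the original post, with the two checks worth doing before pointing ssl_cert at the file: that the private key and certificate in it actually belong together, and that the file is 0600. The subject name archjun, the 1000-day lifetime and the output path are assumptions.

```shell
#!/bin/sh
# make_irssi_cert.sh -- create the client certificate irssi presents to
# Freenode (ssl_cert = "~/.irssi/irssi.pem") and print the fingerprint to
# register with NickServ. Added example following the Arch wiki steps;
# the subject name, lifetime and path are assumptions.
set -eu

# Generate an unencrypted key (-nodes, which is why ssl_pass = "" works)
# plus a self-signed cert and concatenate them: irssi wants both in ssl_cert.
make_irssi_cert() {  # $1 = output .pem path, $2 = RSA bits (default 4096)
  pem=$1; bits=${2:-4096}
  ( umask 077   # the key must never exist world-readable, even briefly
    openssl req -x509 -new -newkey "rsa:$bits" -sha256 -days 1000 -nodes \
      -subj "/CN=archjun" -keyout "$pem.key" -out "$pem.crt" >/dev/null 2>&1
    cat "$pem.key" "$pem.crt" > "$pem"
    rm -f "$pem.key" "$pem.crt" )
  chmod 600 "$pem"
}

# SHA-1 fingerprint of the certificate as lowercase hex without colons,
# the form the Arch wiki computes for NickServ.
cert_fingerprint() {  # $1 = .pem path
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# "yes" if the private key and certificate in the file share a modulus;
# a mismatched pair is the usual reason CertFP auth silently fails.
cert_matches_key() {  # $1 = .pem path
  c=$(openssl x509 -in "$1" -noout -modulus)
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  if [ "$c" = "$k" ]; then echo yes; else echo no; fi
}

if [ -n "${1:-}" ]; then
  make_irssi_cert "$1"
  fp=$(cert_fingerprint "$1")
  echo "certificate written to $1 (key/cert match: $(cert_matches_key "$1"))"
  echo "in irssi, while identified to NickServ with your password, run:"
  echo "  /msg NickServ CERT ADD $fp"
fi
```

Run it as make_irssi_cert.sh ~/.irssi/irssi.pem, register the printed fingerprint while still identified by password, then switch the server entry to the ssl_cert form shown above. Anyone who obtains irssi.pem can identify as your nick, so it deserves the same handling as an SSH private key.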

Looking at this syntax, I think it might be possible to replace the plain-text sasl_password in my old irssi config file with something like:

sasl_password = "~/.irssi/mypw.txt"

And then add mypw.txt to .gitignore to avoid accidentally including my password in a public git repo.

Now when I /connect Freenode with SSL cert auth enabled, my nick is authenticated automatically. Very convenient!

Saturday, June 11, 2016

Opening Ports for Openstack in Firewalld

Last week I made a post about opening ports in Ubuntu's ufw firewall when using Devstack (upstream Openstack). Today I will show you how to do the same thing in firewalld, the dynamic firewall that is now the default in RHEL 7+ and Fedora.

The ports to be opened are the same, but you must also enable two additional services in firewalld, namely http and vnc-server. If you don't enable the former, you will be unable to access the Horizon web UI, and if you don't enable the latter, you will not be able to see the console through Horizon when you launch an instance on Nova compute. The reason is that firewalld's vnc-server service is TCP 5900-5903, the ports on which qemu exposes each instance's VNC console on the compute node; nova-novncproxy on 6080 is only the proxy in front of them, so 6080 alone is not enough (and once a host runs more than four instances the range has to be extended past 5903).

In the case of ufw, however, http port 80 was opened by default and vnc was enabled by simply opening 6080/tcp.

I wrote a Bash script to open the necessary ports for Openstack in firewalld. I have tested it on Openstack Kilo running on Fedora 23 (F23). You can find the script at the following link:

https://gitlab.com/gojun077/openstack-conf/blob/67f98aa4b93ab268e386028ec0e764547d0a1bb2/firewalld_openstack_rdo.sh

#!/bin/bash
# firewalld_openstack_rdo.sh
# Created by Jun Go gojun077@gmail.com
# Last Updated 2016-06-07

# Script that will permanently open ports needed by
# Redhat Distribution of Openstack (RDO) in Firewalld

# Tested with Openstack Kilo RDO 7

# This script should be run as root
set -euo pipefail
if [[ $EUID -ne 0 ]]; then
  echo "$0 must be run as root" >&2
  exit 1
fi

# DEFAULT FIREWALLD ZONE
DZONE=FedoraServer

#################
#   NETWORK
#   IFACES
#################
EXT0=br-ex
INT0=br-enp5s0

#################
#   TCP PORTS
#################
AMQP=5672
CEILOM=8777
CINDER=8776
GLANCE=9292
GLANCEREG=9191
NEUTRON=9696
NOVNCPROX=6080
#NOVAEC2=8773
#NOVAMETA=8775
#NOVAISCSI=3260
#NOVAREDIS=6379
#NOVAS3=3333
SHEEPDOG=7000

#################
#   UDP PORTS
#################
CEILUDP=4952
OVSNEUTRONVXLAN=4789

TCPPORTS=(
  "$AMQP"
  "$CEILOM"
  "$CINDER"
  "$GLANCE"
  "$GLANCEREG"
  "$NEUTRON"
  "$NOVNCPROX"
  "$SHEEPDOG"
)

UDPPORTS=(
  "$CEILUDP"
  "$OVSNEUTRONVXLAN"
)

# ADD NETWORK IFACES TO DEFAULT ZONE
firewall-cmd --permanent --zone="$DZONE" --add-interface="$EXT0"
firewall-cmd --permanent --zone="$DZONE" --add-interface="$INT0"

# ENABLE SERVICES REQ'D FOR OPENSTACK
# Horizon (http)
firewall-cmd --permanent --zone="$DZONE" --add-service=http
# vnc-server: TCP 5900-5903, where qemu exposes the instance consoles
# that nova-novncproxy (6080) connects to, so opening 6080 alone is not enough
firewall-cmd --permanent --zone="$DZONE" --add-service=vnc-server

for i in "${TCPPORTS[@]}"; do
  firewall-cmd --permanent --zone="$DZONE" --add-port="$i"/tcp
done

for j in "${UDPPORTS[@]}"; do
  firewall-cmd --permanent --zone="$DZONE" --add-port="$j"/udp
done

# Apply permanent rules as the current runtime config
firewall-cmd --reload

# List Firewall Info for the zone we changed (along with ports & svcs);
# without --zone, --list-all shows the default zone, which may differ
firewall-cmd --zone="$DZONE" --list-all

Saturday, June 4, 2016

Openstack - List of ports which must be opened in the firewall

I must confess that when testing new Openstack releases on a variety of different Linux distros (RHEL, Fedora, Ubuntu) I often disable the firewall in the interests of expediency. While this might be OK for internal testing in a lab environment or while preparing a Proof of Concept (PoC) for a client, this is definitely a bad habit that is unacceptable for a production environment.

I recently did a Devstack install on Ubuntu 15.10 to test upstream Openstack compatibility with the Sheepdog distributed storage backend. This time I left the firewall running (ufw, aka uncomplicated firewall for Ubuntu) and opened the ports necessary for Openstack to run.

Before I present the list of ports which must be opened, note that you can find all these port numbers in the conf files for Glance, Cinder, Nova, Keystone, etc. in /etc/glance/glance-api.conf, /etc/nova/nova.conf, /etc/cinder/cinder.conf, and so on.

In the conf files, many ports are commented out. For example, nova.conf has an ec2_port option (8773) for Nova's EC2-compatible API, which lets clients that speak the EC2 API drive Nova. If you enable that API you would have to open TCP port 8773 on the node running nova-api, but the option is commented out by default in nova.conf.

Here is the list of ports I have compiled. All ports are TCP unless specified otherwise:

AMQP/RabbitMQ: 5672 (5671 if RabbitMQ uses TLS)
Ceilometer API: 8777
Ceilometer udp_port: 4952 (UDP)
Cinder: sheepdog_store_port=7000
Cinder API: 8776
Glance API: 9292
Glance glance-api.conf: registry_port=9191
Neutron API: 9696
Nova novncproxy: 6080
Nova ec2_port: 8773 (commented out by default)
Nova metadata: 8775 (commented out by default)
Nova iSCSI target: 3260 (commented out by default)
Nova nova.virt.xenapi.image.bittorrent: 6881~6891 (commented out by default)
Nova redis host: 6379 (commented out by default)
Neutron ovs_neutron_plugin.ini: vxlan_udp_port=4789 (UDP)
Nova s3_port=3333 (commented out by default)
...
(there are more, but those ports are optional)

I have written a simple Bash script that can be used to open the necessary ports in ufw. Note that it allows each port from any source; on anything beyond a single-node lab, restrict the rules to the management/API network, e.g. ufw allow from 10.0.0.0/24 to any port 9292 proto tcp. You can find the script at the following URL:

https://gitlab.com/gojun077/openstack-conf/blob/master/ufw_openstack.sh

#!/bin/bash
# ufw_openstack.sh
# Created by Jun Go gojun077@gmail.com
# Last Updated 2016-05-25

# Script that will open ports needed by Openstack in
# UFW Firewall

# This script should be run as root
set -euo pipefail
if [[ $EUID -ne 0 ]]; then
  echo "$0 must be run as root" >&2
  exit 1
fi

#################
#   TCP PORTS
#################
AMQP=5672
CEILOM=8777
CINDER=8776
GLANCE=9292
GLANCEREG=9191
NEUTRON=9696
NOVNCPROX=6080
#NOVAEC2=8773
#NOVAMETA=8775
#NOVAISCSI=3260
#NOVAREDIS=6379
#NOVAS3=3333
SHEEPDOG=7000

#################
#   UDP PORTS
#################
CEILUDP=4952
OVSNEUTRONVXLAN=4789

TCPPORTS=(
  "$AMQP"
  "$CEILOM"
  "$CINDER"
  "$GLANCE"
  "$GLANCEREG"
  "$NEUTRON"
  "$NOVNCPROX"
  "$SHEEPDOG"
)

UDPPORTS=(
  "$CEILUDP"
  "$OVSNEUTRONVXLAN"
)

for i in "${TCPPORTS[@]}"; do
  ufw allow "$i"/tcp
done

for j in "${UDPPORTS[@]}"; do
  ufw allow "$j"/udp
done

# List Open Ports
ufw status
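Both scripts end by printing the firewall state, but reading that output by eye is how stray ports survive. The following added example, which is not part of either post, turns the allow-list the two scripts share into an audit: it parses firewall-cmd --list-all (the firewalld post above) or ufw status (this post) and reports anything exposed beyond the expected ports and services. The two sample outputs are constructed, not captured from a real host; the extra 3306/tcp in them stands in for a database port that should never face the world. The --live modes need root.

```shell
#!/bin/sh
# audit_openstack_ports.sh -- compare what the host firewall actually
# exposes against the allow-list used by the ufw and firewalld scripts and
# print anything extra. Added example; both sample outputs are constructed.
set -eu

# Allow-list shared by both scripts (port/proto tokens).
OPENSTACK_PORTS="5672/tcp 8777/tcp 8776/tcp 9292/tcp 9191/tcp 9696/tcp 6080/tcp 7000/tcp 4952/udp 4789/udp"
# firewalld: services stay as service:NAME tokens; the FedoraServer zone ships
# with ssh and dhcpv6-client, and the script adds http and vnc-server.
FIREWALLD_ALLOW="$OPENSTACK_PORTS service:ssh service:dhcpv6-client service:http service:vnc-server"
# ufw: ssh (22) and http (80) were already open before the script ran.
UFW_ALLOW="$OPENSTACK_PORTS 22/tcp 80/tcp"

# `firewall-cmd --zone=X --list-all` output -> one token per line.
parse_firewalld() {
  awk '$1 == "ports:"    { for (i = 2; i <= NF; i++) print $i }
       $1 == "services:" { for (i = 2; i <= NF; i++) print "service:" $i }'
}

# `ufw status` output -> one token per line ("(v6)" rows collapse onto the
# same token as their IPv4 twin; the header and separator rows are skipped).
parse_ufw() {
  awk '/ALLOW/ && $1 ~ /^[0-9]/ { print $1 }'
}

# stdin = tokens, $1 = allow-list; prints each token not in the allow-list.
report_unexpected() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF && !($1 in ok) { print $1 }' | sort -u
}

audit_firewalld() { parse_firewalld | report_unexpected "$FIREWALLD_ALLOW"; }
audit_ufw()       { parse_ufw       | report_unexpected "$UFW_ALLOW"; }

# Constructed sample: the zone the firewalld script builds, plus a stray
# MariaDB port that should never be reachable from outside the control plane.
SAMPLE_FIREWALLD=$(cat <<'EOF'
FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-ex br-enp5s0
  sources:
  services: dhcpv6-client http ssh vnc-server
  ports: 5672/tcp 8777/tcp 8776/tcp 9292/tcp 9191/tcp 9696/tcp 6080/tcp 7000/tcp 4952/udp 4789/udp 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
)

# Constructed sample: what the ufw script leaves behind, plus the same stray port.
SAMPLE_UFW=$(cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
5672/tcp                   ALLOW       Anywhere
8777/tcp                   ALLOW       Anywhere
8776/tcp                   ALLOW       Anywhere
9292/tcp                   ALLOW       Anywhere
9191/tcp                   ALLOW       Anywhere
9696/tcp                   ALLOW       Anywhere
6080/tcp                   ALLOW       Anywhere
7000/tcp                   ALLOW       Anywhere
4952/udp                   ALLOW       Anywhere
4789/udp                   ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)
EOF
)

case "${1:-demo}" in
  --live-firewalld) firewall-cmd --zone="${2:-FedoraServer}" --list-all | audit_firewalld ;;
  --live-ufw)       ufw status | audit_ufw ;;
  *) echo "firewalld extras:"; printf '%s\n' "$SAMPLE_FIREWALLD" | audit_firewalld
     echo "ufw extras:";       printf '%s\n' "$SAMPLE_UFW" | audit_ufw ;;
esac
```

With no arguments it runs against the samples and prints 3306/tcp under both headings; --live-firewalld [zone] or --live-ufw runs the real command. Treat a non-empty report as a finding to explain, not to add to the allow-list, and note that the ufw rows all say "Anywhere": the audit catches extra ports, but only a source restriction on the rules themselves limits who can reach the expected ones.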