Walt Disney said it best: We keep moving forward, opening new doors, and doing new things, because we’re curious and curiosity keeps leading us down new paths. The world of technology is all about change. We tear down the old things that get in our way and we build new technology that takes us to new heights. Tearing down these old things can often be difficult and that forces us to make difficult choices....
After a recent OpenStack-Ansible (OSA) deployment on CentOS, I found that keepalived was not starting properly at boot time: Keepalived_vrrp[801]: Cant find interface br-mgmt for vrrp_instance internal !!! Keepalived_vrrp[801]: Truncating auth_pass to 8 characters Keepalived_vrrp[801]: VRRP is trying to assign ip address 172.29.236.11/32 to unknown br-mgmt interface !!! go out and fix your conf !!! Keepalived_vrrp[801]: Cant find interface br-mgmt for vrrp_instance external !!! Keepalived_vrrp[801]: Truncating auth_pass to 8 characters Keepalived_vrrp[801]: VRRP is trying to assign ip address 192....
The latest release of the Red Hat Enterprise Linux Security Technical Implementation Guide (STIG) was published last week. This release is Version 1, Release 3, and it contains four main changes: V-77819 - Multifactor authentication is required for graphical logins V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled V-77823 - Single user mode must require user authentication V-77825 - Address space layout randomization (ASLR) must be enabled Deep dive Let’s break down this list to understand what each one means....
I’ve been working through some patches to OpenStack-Ansible lately to optimize how we configure yum repositories in our deployments. During that work, I ran into some issues where pgp.mit.edu was returning 500 errors for some requests to retrieve GPG keys. Ansible was returning this error: curl: (22) The requested URL returned error: 502 Proxy Error error: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x61E8806C: import read failed(2) How does the rpm command know which keyserver to use? Let’s use the --showrc argument to show how it is configured:...
I merged some initial Debian support into the openstack-ansible-security role and ran into an issue enabling AppArmor. The apparmor service failed to start and I found this output in the system journal: kernel: AppArmor: AppArmor disabled by boot time parameter Digging in That was unexpected. I was using the Debian jessie cloud image and it uses extlinux as the bootloader. The file didn’t reference AppArmor at all: # cat /boot/extlinux/extlinux.conf default linux timeout 1 label linux kernel boot/vmlinuz-3....
I opened up a noVNC console to a virtual machine today in my OpenStack cloud but found that the console wouldn’t take keyboard input. The Send Ctrl-Alt-Del button in the top right of the window worked just fine, but I couldn’t type anywhere in the console. This happened on an Ocata OpenStack cloud deployed with OpenStack-Ansible on CentOS 7. Test the network path The network path to the console is a little deep for this deployment, but here’s a quick explanation:...
The OpenStack Summit wrapped up today in Boston and it was a great week! There were plenty of informative breakouts and some interesting keynotes. Keynotes Beth Cohen shared some of the work that Verizon has done with software-defined WAN on customer-premises equipment (CPE). She showed a demo of how customers could easily provision virtual network hardware, such as firewalls or intrusion detection systems, without waiting for hardware or cabling changes. I’m less familiar with the world of telcos, so I found this really interesting....
Although OpenStack-Ansible doesn’t fully support CentOS 7 yet, the support is almost ready. I have a four node Ocata cloud deployed on CentOS 7, but I decided to change things around a bit and use systemd-networkd instead of NetworkManager or the old rc scripts. This post will explain how to configure the network for an OpenStack-Ansible cloud on CentOS 7 with systemd-networkd. Each one of my OpenStack hosts has four network interfaces and each one has a specific task:...
DISA’s final release of the Red Hat Enterprise Linux (RHEL) 7 Security Technical Implementation Guide (STIG) came out a few weeks ago and it has plenty of improvements and changes. The openstack-ansible-security role has already been updated with these changes. Quite a few duplicated STIG controls were removed and a few new ones were added. Some of the controls in the pre-release were difficult to implement, especially those that changed parameters for PKI-based authentication....
NOTE: The opinions shared in this post are mine alone and are not related to my employer in any way. The first OpenStack Project Teams Gathering (PTG) event was held this week in Atlanta. The week was broken into two parts: cross-project work on Monday and Tuesday, and individual projects Wednesday through Friday. I was there for the first two days and heard a few discussions that started the same way....