Tag: security

Posted on

Openstack cookbook list of useful commands with examples

I have decided to summarize in one page all useful Openstack commands. This post will be useful to anyone interested in learning Openstack cloud commands or use it as a daily reference.

Openstack commands:Old equivalents:
General commands:
openstack image list
openstack flavor list
openstack network list
openstack server list		glance image-list
nova flavor-list
neutron net-list
nova list
Server commands:
openstack server show [SERVER]
openstack server stop [SERVER]
openstack server start [SERVER]
openstack server delete [SERVER]
openstack server image create [IMAGE]		nova show [SERVER]
nova stop [SERVER]
nova start [SERVER]
nova delete [SERVER]
nova image-create [IMAGE]
Server console commands:
openstack console log show
openstack console url show		nova console-log
nova get-vnc-console
SSH Keypairs*:
openstack keypair create [KEYPAIR] > key.pem

openstack keypair show[KEYPAIR] --public-key > key.pub

openstack keypair show --public-key [KEYPAIR]		nova keypair-add [KEYPAIR] > key.pem

nova keypair-show [KEYPAIR] | grep Public | awk -F': ' '{print $2}' > ./.ssh/key.pub

nova keypair-show [KEYPAIR]
Metadata**:
Key-value pairs:
openstack server create --property [KEY]=[VALUE]
Script (any language):
openstack server create --user-data [SCRIPT]
Cloud-config file (yaml)
openstack server create --user-data [FILE]
File injection
openstack server create --file [DEST_FILE]=[SRC_FILE]
nova boot --meta [KEY]=[VALUE]


nova boot --user-data [SCRIPT]


nova boot --user-data [FILE]

nova boot --file [DEST_FILE]=[SRC_FILE]
* Don’t forget to chmod 600 key.pem in order to protect it and make it usable by SSH command
** There can only be 1 user-data option, but many property and file options .
Metadata is retrieved by process cloud-int in cloud images .
Server requests with curl http://169.254.169.254 –> Metadata service (nova) which replies with
data in JSON format <– (Restful API).
Openstack network related commands:
Security group:
openstack security group create [SEC_GROUP]
openstack security group rule create --dst-port 12345 [SEC_GROUP]*
openstack server add security group [SERVER] [SEC_GROUP]
openstack security group rule list [SEC_GROUP] --long
Network:
openstack network list
openstack network show [NETWORK]
openstack network create [NETWORK]
openstack network delete [NETWORK]
Subnet:
openstack subnet list
openstack subnet show [SUBNET]
openstack subnet create --network --subnet-range [CIDR] [SUBNET]
openstack subnet delete [SUBNET]
Port:
openstack port list
openstack port show [PORT]
openstack port create --network [NETWORK] [PORT]**
openstack port delete [PORT]
Floating IP:
openstack floating ip list
openstack floating ip create [EXT_NET]***
openstack server add floating ip [SERVER] [IP_ADDRESS]
openstack server remove floating ip [SERVER] [IP_ADDRESS]
openstack floating ip delete [IP_ADDRESS]
openstack floating ip set [IP_ADDRESS]***
Router:
openstack router create [ROUTER]
openstack router show [ROUTER]
openstack router delete [ROUTER]
openstack router list
set [ROUTER] gateway:
neutron router-gateway-set [ROUTER] public
clear [ROUTER] gateway:
neutron router-gateway-clear [ROUTER]
add private subnet to [ROUTER]:
openstack router add subnet [ROUTER] private_subnet
remove private subnet to [ROUTER]:
openstack router remove subnet [ROUTER] private_subnet
list [ROUTER] interfaces:
openstack port list --router [ROUTER]
* You can add additional parameters here like –egress for outgoing traffic or –protocol [UDP|ICMP]
** You can associate floating ip with specific port by adding –port PORT
*** You could also add –fixed-ip [subnet=SUBNET|ip-address=IP_ADDRESS]
Metadata related commands
Server*:
retrieve metadata info:
curl http://169.254.169.254/
retrieve latest metadata:
curl http://169.254.169/254/latest
meta-data/$:
curl http://169.254.169/254/latest/meta-data
retrieve floating ip:
curl http://169.254.169/254/latest/meta-data/public-ipv4
retrieve openstack metadata:
curl http://169.254.169.254/openstack
retrieve latest metadata:
curl http://169.254.169.254/openstack/metadata
retrieve meta_data.json:
curl http://169.254.169.254/openstack/meta_data.json
* Curl commands are to be ran from running server
Openstack commands:Old commands:
Server creation*:
openstack server create \
--image [IMAGE] \
--flavor [FLAVOR] \
--nic [net-id=NETWORK_UUID|port-id=PORT_UUID] \
--key-name [KEYPAIR] \
[SERVER]		nova boot --image [IMAGE] \
--flavor [FLAVOR] \
--nic [net-id=NETWORK_UUID|port-id=PORT_UUID] \
--key-name [KEYPAIR] \
[SERVER]
* You could use –nic net-id=NETWORK_UUID,v4-fixed-ip=IP_ADDRESS to specify fixed IP for SERVER
Few examples:
Create cirros-image:
openstack image create --public --container-format=bare --disk-format=qcow2 --file cirros-0.3.4-x86_64-disk.img cirros-image
Create network:
neutron net-create external_network --provider:network_type flat --provider:physical_network extnet --router:external
Create subnet:
neutron subnet-create --name public_subnet --enable_dhcp=False --allocation-pool=start=172.30.152.10,end=172.30.152.40 --gateway=172.30.152.1 external_network 172.30.152.0/24
Create server:
openstack server create --image 9d904b2f-8774-4db8-b195-8aa47e3ebe3c --flavor 1 --nic net-id=4d75d36b-cc99-46b3-83aa-6ae5a96ae38e cirros
Cloud config* examples:
Configure time zone:
#cloud-config
timezone: "Europe/Sarajevo"
Install packages, specific versions**
#cloud-config
packages:
- pwgen
- pastebinit
- [libpython2.7, 2.7.3-0ubuntu3.1]
Upgrade all packages**:
#cloud-config
package_upgrade: true
Install NTP if neccessary and configure NTP server map
#cloud-config
ntp:
servers:
- my.ntp.server
- ntp.ubuntu.com
- 192.168.23.2
Configure CentOS users centos and root with password
#cloud-config
chpasswd:
list: |
root:changeme
centos:changeme
expire: False
ssh_pwauth: True
* Yaml format text files that begin with #cloud-config and are executed by cloud-init process present in most cloud image files, but not in cirros.
** Works with all package managers if specific distro-package is not specified f.e. 2.7.3-0ubuntu3.1

Posted on

Apache: How to Disable the SSL v3 Protocol on Debian

To prevent POODLE (“Padding Oracle On Downgraded Legacy Encryption”) attach which is a man-in-the-middle exploit that takes advantage of SSL3.0 vulnerability it is necessary to disable SSLv3 in your web server configuration.

To check if you are vulnerable to this attack you can use the form on following website:

https://www.digicert.com/help/ Continue reading “Apache: How to Disable the SSL v3 Protocol on Debian”