
OpenVPN

Summary

Users access the sepia lab by tunnelling through an OpenVPN server run at gw.sepia.ceph.com. It's a Highly Available VM living in RHEV.

Managed by Ansible using the gateway role in ceph-cm-ansible.

The process for requesting lab access is documented here.

Ops Tasks

Adding Users

A ticket should be filed for paper trail purposes. Put the ticket in the commit messages for the PRs created below.

To grant a new user access to the VPN,

  1. Add the user's public key to the keys.git repo. 1)
  2. Add their credentials to the ceph-sepia-secrets.git repo.
    1. If they only need VPN access, add them to openvpn_users 2)
    2. Otherwise, add their username (name) and ovpn credentials to lab_users
  3. Once your PR has been merged, run the gateway role in ceph-cm-ansible to push the new user entry to the server: 3)
     ansible-playbook gateway.yml --tags="users"

fail2ban

fail2ban is configured via the gateway role and is set up to work with firewalld. Run ipset list to see the currently banned IPs.

An additional filter is in place in /etc/fail2ban/filter.d/sshd.conf on the gateway that still needs to be added to the role:

^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$
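To see what that failregex actually catches before committing it to the role, the snippet below (an added example, not part of this wiki page or of fail2ban) expands the line's two placeholders and runs it over a few constructed sshd log lines. It assumes a simplified syslog prefix for %(__prefix_line)s and an IPv4-only stand-in for <HOST>; fail2ban's real definitions in filter.d/common.conf are broader.

```python
import re

# Simplified stand-ins for fail2ban's built-in substitutions (assumptions,
# not copied from fail2ban's common.conf): a syslog-style sshd prefix and an
# IPv4-only <HOST> capture group, named "host" as fail2ban expects.
PREFIX_LINE = r"(?:\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: )"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The extra filter line from /etc/fail2ban/filter.d/sshd.conf, verbatim,
# with the two placeholders expanded into real regex.
FAILREGEX = r"^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$"
PATTERN = re.compile(
    FAILREGEX.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
)


def extract_hosts(lines):
    """Return the IPs the filter would hand to fail2ban, one per matching line."""
    return [m.group("host") for m in map(PATTERN.match, lines) if m]


# Constructed sshd log lines (not real lab data). Line 2 has the empty
# disconnect message OpenSSH logs as "11:  [preauth]" (two spaces), which the
# optional "(Bye Bye)?" group is there to cover; line 4 uses disconnect code 3
# and is deliberately left alone by this filter.
SAMPLE_LOG = [
    "Oct 27 19:22:01 gw sshd[1234]: Received disconnect from 203.0.113.5: 11: Bye Bye [preauth]",
    "Oct 27 19:22:02 gw sshd[1235]: Received disconnect from 198.51.100.7: 11:  [preauth]",
    "Oct 27 19:22:03 gw sshd[1236]: Accepted publickey for dgalloway from 192.0.2.8 port 5022 ssh2",
    "Oct 27 19:22:04 gw sshd[1237]: Received disconnect from 192.0.2.9: 3: bad key [preauth]",
]

if __name__ == "__main__":
    for host in extract_hosts(SAMPLE_LOG):
        print(host)
```

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf does the same check against the real log with the real substitutions once the line is in the role.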

Updating sepia-vpn-client.tar.gz

This shouldn't need to happen often but was necessary when python3 came out.

  1. ssh www.ceph.com
  2. sudo -i
  3. cd /var/www/ceph.com/sage/
  4. mkdir wip && cp sepia-vpn-client.tar.gz wip/ && cd wip && tar xzf sepia-vpn-client.tar.gz
  5. Make your edits in the sepia dir
  6. When you're done, tar -czvf sepia-vpn-client.tar.gz sepia
  7. mv sepia-vpn-client.tar.gz /var/www/ceph.com/sage/
  8. chown dgalloway:www-data /var/www/ceph.com/sage/sepia-vpn-client.tar.gz
  9. rm -rf /var/www/ceph.com/sage/wip

Troubleshooting

ValueError: need more than 2 values to unpack

Resolution: You likely forgot a space in a user's hashed credential. Check recent commits in ceph-sepia-secrets.git and make sure every user's ovpn key has three space-separated values.

To-Do

DNS

In order to stop serving our private DNS records, we're going to need an OS-agnostic script (shipped with the client archive) that adds the internal DNS server to OpenVPN clients' /etc/resolv.conf. Windows and OS X clients already handle this natively via the push “dhcp-option DNS 172.21.0.1” directive.

Historical Info

Detailed information on our particular setup (how auth works and such) can be found in the old cookbook-gw.git repo.

1)
This step is not required for non-humans or humans that don't need access to schedule runs.
2)
This will not create an SSH user account on any lab hosts including teuthology.front. It only grants VPN access. An example of this use case would be for accessing the Reference Architecture lab in Sepia.
3)
WARNING: Running with just the users tag will not restart the OpenVPN service. Running the rest of the role will.
services/openvpn.txt · Last modified: 2020/10/27 19:22 by djgalloway