Introduction to Ironic

“I can do any thing. I can’t do everything.”

The sheer number of projects and problem domains covered by OpenStack was overwhelming. I never learned several of the other projects under the big tent. One project that is getting relevant to my day job is Ironic, the bare metal provisioning service. Here are my notes from spelunking the code.

Continue reading

DHCP Lease Design

The key piece of persisted data in an DHCP server is the lease. A lease is a the mapping between a MAC address and an IP address, limited in time. A Lease typically has a start time and an end time, but can be renewed. Because I am still living in an IPV4 world, I have to deal with arbitrarily small pools of IP addresses. Thus, the design needs to strike the balance between static and dynamic: a machine should generally get back the same IP address each time. However, if addresses get tight, address reuse should be aggressive.

Continue reading

Extract Function Refactoring using inline functions.

The Extract Function refactoring is the starting point for much of my code clean up. Once a “Main” function gets sufficiently complicated, I pull pieces of it out into their own functions, often with an eye to making them methods of the involved classes.

While working with some rust code, I encountered an opportunity to execute this refactoring on some logging code. Here’s how I executed it.

Continue reading

Podman login to a secured registry

I took the container registry I ran via podman and put it behind an Apache HTTPD instance secured with mod_ssl. Now when I try to log in to it, I get:

error authenticating creds for “nuzleaf.home.younglogic.net”: error pinging docker registry nuzleaf.home.younglogic.net: invalid status code from registry 403 (Forbidden)

Here’s my debugging notes.

Continue reading

Running git and gitweb in a container with Fedora

There are many reasons to run a web service in a container. One of the remote services I rely on most heavily is git. While git local operations are fine in a global namespace, running a shared git repository on a remote server is a web-service based use case. There are three protocols used most commonly to remotely access git: git, ssh, and https. I am going to focus on the last one here.

Continue reading

Running a Container Registry Behind Apache HTTPD

I had originally run my container registry using a self signed certificate like this:

podman run --name mirror-registry -p 4000:5000     -v /opt/registry/data:/var/lib/registry:z      -v /opt/registry/auth:/auth:z      -e "REGISTRY_AUTH=htpasswd"      -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd      -v /opt/registry/certs:/certs:z      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key      -e REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true -d docker.io/library/registry:2

But now that I am using FreeIPA for my Bastion host, I want to use the IPA CA cert for signing the HTTPS request. The easiest thing to do is to run the registry in the container still, but then to front it with mod_proxy.

Continue reading

Syncing and Serving Yum Repos on RHEL 8

My Lab machines do not have direct access to the internet. This mirrors how my customers tend to run their environments. Instead, I run a single bastion host that can connect to the internet, and use that to perform all operations on my lab machines.

While it is great to be able to use the Install media to add packlages to PXE booted systems, after some time, the set of packages available is older than you want. For example, I hit a bug that required an update of Network Manager. So, I want to make a local yum repo from my RHEL 8 subscription. RHEL 8 makes this fairly easy.

Continue reading