While reviewing the comments on the Ironic spec, for Secure RBAC. I had to ask myself if the “project” construct makes sense for Ironic. I still think it does, but I’ll write this down to see if I can clarify it for me, and maybe for you, too.
Continue readingTheJulia was kind enough to update the docs for Ironic to show me how to include IPMI information when creating nodes.
Continue reading“I can do any thing. I can’t do everything.”
The sheer number of projects and problem domains covered by OpenStack was overwhelming. I never learned several of the other projects under the big tent. One project that is getting relevant to my day job is Ironic, the bare metal provisioning service. Here are my notes from spelunking the code.
Continue readingThe key piece of persisted data in an DHCP server is the lease. A lease is a the mapping between a MAC address and an IP address, limited in time. A Lease typically has a start time and an end time, but can be renewed. Because I am still living in an IPV4 world, I have to deal with arbitrarily small pools of IP addresses. Thus, the design needs to strike the balance between static and dynamic: a machine should generally get back the same IP address each time. However, if addresses get tight, address reuse should be aggressive.
Continue readingTo capture DHCP packets I ran:
tcpdump port 67 -i vnet0 -vvvv -w /tmp/packets.bin
That gave me a binary file 940 bytes long. This is actually 2 packets: the request and the response. This has the IP header, the UDP header, and the DHCP packet payload in it.
Continue readingThe Extract Function refactoring is the starting point for much of my code clean up. Once a “Main” function gets sufficiently complicated, I pull pieces of it out into their own functions, often with an eye to making them methods of the involved classes.
While working with some rust code, I encountered an opportunity to execute this refactoring on some logging code. Here’s how I executed it.
Continue readingI had originally run my container registry using a self signed certificate like this:
podman run --name mirror-registry -p 4000:5000 -v /opt/registry/data:/var/lib/registry:z -v /opt/registry/auth:/auth:z -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v /opt/registry/certs:/certs:z -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -e REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true -d docker.io/library/registry:2 |
But now that I am using FreeIPA for my Bastion host, I want to use the IPA CA cert for signing the HTTPS request. The easiest thing to do is to run the registry in the container still, but then to front it with mod_proxy.
Continue readingMy Lab machines do not have direct access to the internet. This mirrors how my customers tend to run their environments. Instead, I run a single bastion host that can connect to the internet, and use that to perform all operations on my lab machines.
While it is great to be able to use the Install media to add packlages to PXE booted systems, after some time, the set of packages available is older than you want. For example, I hit a bug that required an update of Network Manager. So, I want to make a local yum repo from my RHEL 8 subscription. RHEL 8 makes this fairly easy.
Continue readingM<y local PXE setup only puts the minimal set of RPMS on a machine. If want to install additional, I need to get access to the rest of the Repo. Here is what I did:
Continue readingI seem to have a bad Ethernet port on the NUC. Since I have an external Ethernet adapter as well, this is not a show stopper, but it does change the approach I am going to make to my home network. As always: Simplification is preferred. Here’s the current approach:
Continue reading