Dealing with OpenStack

We were granted access to Linaro's OpenStack cluster.

Preparation

You first need a adminrc.sh file with the right configuration and credentials. That is stored in ticket 453 at Linaro and the password prompted is the login.linaro.org SSO password stored in tor-passwords.git.

Then you need to install some OpenStack clients:

apt install openstack-clients

Yes, that installs 74 packages, no kidding.

Add your SSH key to the server:

openstack keypair create --public-key=~/.ssh/id_rsa.pub anarcat

You will need to create a floating IP if the server is to be public:

openstack floating ip create ext-net

The network name (ext-net above) can be found in the network list:

openstack network list

The IP address will be shown in the output:

| floating_ip_address | 213.146.141.28 |

You'll also need to link the router in the private network if not already done:

openstack router add subnet router-tor 7452852a-8b5c-43f6-97f1-72b1248b2638

The subnet UUID comes from the Subnet column in the output of openstack network list for the "internal network" (the one that is not ext-net.

During this entire process, it's useful to take a look at the effect of the various steps through the web interface:

https://uk.linaro.cloud/

The commandline instructions are provided below because they are easier to document. But an equivalent can be followed through the web interface as well.

Launching an instance

This procedure will create a new VM in the OpenStack cluster. Make sure you first source the adminrc.sh script you found in the previous step.

  1. list the known flavors and images:

    openstack flavor list
    openstack image list
    

    let's say we deploy a uk.nano flavor with debian-10-openstack-arm64 image.

  2. create the server (known as an "instance" in the GUI):

    openstack server create --key-name=anarcat --security-group=torproject-admin@torproject.org-security-group --image=debian-10-openstack-arm64 --flavor=uk.nano build-arm-10.torproject.org
    

    In the above:

    • --keypair=anarcat refers to the keypair created in the preparation
    • --security-group is taken from the first non-default line in the openstack security group list output
    • --image and --flavor were picked from the previous step
  3. you can see the status of the process with:

    openstack server list
    
  4. then map the floating IP address to the server:

    openstack server add floating ip build-arm-10.torproject.org 213.146.141.28
    

    The floating IP is the one created at step two and the other argument is the server name.

  5. inspect the server console log to fetch the SSH public keys:

    openstack console log show build-arm-10.torproject.org | sed '0,/-----BEGIN SSH HOST KEY KEYS-----/d;/-----END SSH HOST KEY KEYS-----/,$d;s/^/213.146.141.28 /' >> ~/.ssh/known_hosts
    
  6. the VM should be up by now, and you should be able to SSH in:

    openstack server ssh -l debian build-arm-10.torproject.org
    

    You unfortunately have to blindly TOFU (Trust On First Use) the SSH server's public key because it's not visible in the API or web interface. The debian user has sudo access.

References