Running An Instance In OpenStack

.

Introduction

The instance is a virtual machine that run inside the cloud. So when we say run an instance, we mean run an instance of a specific virtual machine image. The virtual machine image (or simply the image) is a single file that contains a bootable operating system with cloud support. The package “Cloud-init” is installed in the virtual machine image to enable instance activation and initialization. You can NOT use a classic image. You must use “Cloud-Aware” image.

The image format must be supported by the hypervisor. So see your hypervisor and image format compatibility. Here you can find descriptions of different formats.

Upload A Virtual Machine Image

In the dashborad, go to “Project” tab on the left-side navigation menu and click on “Images”. Then click on “Create Image” to upload the image. You will get this dialog box:

Screenshot from 2015-02-22 12:05:50

Here you can find explanations of dialog box fieldsCurrently only images available via an HTTP URL are supported. So i chose the “Image Location” as an “Image Source” and the “Image Location” is: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/i386/Fedora-Cloud-Base-20141203-21.i386.qcow2

The selected image format “qcow2” which is commonly used with the KVM (default hypervisor). The size of image file is nearly 169 MB. It takes some time for image to be uploaded. Here you can find set of cloud ready images, copy the link location and paste it in the dialog box above in the “Image Location” field.

After the image has been uploaded successfully, you will be here:

Screenshot from 2015-02-22 12:25:00Enable SSH On Your Default Security Group

Click the “Project” tab on the left-side navigation menu. Then click on “Access & Security”. Under the “Security Groups” tab, Select the “default” security group. Click on the “Manage Rules” button, you will get this table of rules:

Screenshot from 2015-02-22 13:01:39Click on “Add Rule”, Enter the “22” in the “Port” field:

Screenshot from 2015-02-22 13:05:51

 Then click the “Add” button. The rule will be added and then SSH can be used.

Screenshot from 2015-02-22 13:09:56

If you create a new security group and you want to apply its rules to an instance, be aware to select it when you launch the instance so the rules of the new security group will be applied to the new instance (launch the instance in specific security group).

Create OR Import Key Pair

To access the instance through SSH, we need to create or import kay pair. Click on “Access & Security” on the left-side navigation menu, and then click on the tab “Key Pairs”.

To create a key pair, click on “Create Key Pair”. The key pair (private an public keys) will be generated. The public key will be registered and the the private key must be saved privately after download.

The public key is injected into the instance using “Cloud-init” package on boot.

Screenshot from 2015-02-22 13:47:53

Screenshot from 2015-02-22 14:05:31The option “Import Key pair” will prompt you to provide a name and a public key.

Launch The Virtual Machine

Go to the uploaded image and click on “Launch” button. You will get this dialog box:

Screenshot from 2015-03-15 18:13:35In the resulting dialog box and under “Details” tab, you can specify number of parameters like the “Instance Name” and “Flavor” (defines the hardware resources of the instance). Check also the configuration under other tabs (Access & Security, Networking, Post-Creation, and Advanced Options). Then click the “Launch” button to ask the Compute service (Compute Node) to launch an instance with your specified parameters.

Now The instance is created. Click “Instances” on the left-side navigation menu, to see the instantiated instances.

Connecting To The Instance Console

In the figure above, click on “Associate Floating IP” on the right side to associate “floating IP” to your instance. Both the floating and the internal IP addresses will be listed in the “IP Address” column for your instance. The internal IP address of the instance is a private IP address used to reach other OpenStack instances. The floating IP address is used to access the instance from other machines in your network (Private IP address) or from the internet (Public IP address). It is called floating because you can associate it to an instance and disassociate it so it is movable (It can move to another instance).

# ssh -i /home/binan/Downloads/binankeypair.pem  fedora@Floating-IP-Address

“fedora” is the default user for fedora instances.

Also you can access the instance console  via the dashboard or by specifying the network namespace where your instance resides:

# ip netns exec qrouter-f96c719a-56e9-4b52-b2cb-da326fc1a429 ssh -i /home/binan/Downloads/binankeypair.pem  fedora@Local-IP-Address

where the “qrouter-f96c719a-56e9-4b52-b2cb-da326fc1a429” is the namespace name.

Congratulation, You have successfully created an instance of a specific virtual machine image and you can SSH to your instance.


More Information


Advertisements

SIP Stress Testing -Part 2 (SIPSAK)

.

This is part 2 of the “SIP Stress Testing” topic. In Part 1, I have talked about the definition of the stress, opensipsctl (command line tool) and OpenSIPS-CP (Web tool) and how they are used in testing. In this part, i will talk about SIPSAK. SIPSAK is a command line tool used by SIP administrators to test the performance and the security of the SIP servers or user agents. SIPSAK is a SIP traffic generator. It generates SIP requests and sends them to the target addressed by SIP-URI . To download SIPSAK on Fedora, simply:

 # yum install sipsak

SIPSAK runs in the following modes:

♣ Default mode: Using the OPTIONS SIP method, you can  ping a target addressed by SIP-URI.

♣ Traceroute mode (-T): This is useful for learning the request’s path. The number of SIP servers on the way to the destination is counted plus the round trip time of each request is printed out.

♣ Message mode (-M): Send a short message using MESSAGE SIP request. The content of the message will be set using the option (-B).

♣ Usrloc mode (-U): Register the user addressed by SIP-URI (Set by option -s).

♣ Randtrash mode (-R) :keeps sending randomly corrupted messages to torture a SIP server’s parser. OPTIONS requests with increasing numbers of randomly crashed characters are sent to the server.

♣ Flood Mode (-F): keeps sending requests to a SIP server at high pace. OPTIONS requests with increasing CSeq numbers are sent to the server.

Current SIPSAK is missing support for the Record-Route and Route headers and IPv6 is not supported. At the stressed SIP server’s side, you need monitoring and analyzing tool which display the state of the server as numbers and figures.

Examples

  • Ping the target “test1”: #sipsak -s sip:test1@testdomain.org. In this tutorial i will ping the user test1@10.0.0.9.

Here is the messages sent by SIPSAK and captured by SIPTRACE. See the User-Agent header field in the traced SIP message (User-Agent: sipsak 0.9.6). The message is taken from OpenSIPPS-CP SIPTRACE page.

If the server allows pinging. It will relay the ping message (SIP OPTION Request) and the response from the pinged target will come back to SIPSAK through the SIP server. The response will look like:

sipsak3The User-Agent: Jitsi2.2.4603.9615Linux . The target user (test1) must be registered otherwise you will get an error response message sent from the server (in case the server is programmed to do this in its routing script). The test server in this tutorial sends “404 Not Found” SIP failure:

sipsak4The server is “OpenSIPS (1.11.2-notls (x86_64/linux))” as written in the server’s response.

If you put the option -F , SIPSAK will flood the server with SIP OPTION Requests.

# sipsak -F  -s sip:test1@testdomain.org

SIPSAK is also used to test the security of the SIP server. In the previous example, flooding the server with OPTIONS SIP Requests (a lot of ping messages) is considered attack because after a short time the SIP service will be not available and the server became unable to handle more SIP requests. The test server in this tutorial sends an error message ” 500 Internal Error” after short time of flooding.

sipsak5Pinging is a way to check that the server is awake and not down. It must be available only for administration’s purposes.

Other SIPSAK examples:

  • Trace a call: # sipsak –T –s sip:test1@testdomain.org
  • Send a message to the user “test1” :# sipsak –M –s sip:test1@testdomain.org –c test2@testdomain.org –B “Message Text”
  • Register the user “test1” # sipsak –U –s sip:test1@testdomain.org

Nagios monitoring tool are good complement to SIPSAK traffic generator.

SO to test the server, generate requests and check the system’s response. If you get something you don’t like, change it and do it again (Make changes, Restart the server, Generate traffic , and Check the server’s response).


More Information


 Next

The Next Part will be about SIPp which is an emulation tool which generates SIP traffic and gives some statistics.


Restrictions of FIFO-based Communications in Linux

Problem Definition

To explain this we will take OpenSIPS’s fifo as an example. It is used to communicate with OpenSIPS’s management interface “Mi”. Assume “/tmp/opensips_fifo” is the fifo file. OpenSIPS is the owner of this pipe and OpenSIPS-CP wants to access/read/write to/from the pipe. As we know everything is a file in Linux so this pipe is just a file and we want to manage how OpenSIPS-CP or other programs can access this pipe to send requests or receive reponses to/from OpenSIPS. OpenSIPS is executed by user=opensips and group=opensips. OpenSIPS-CP is executed by user=apache and group=apache. To see this:  # ps -aux | grep httpd or opensips.

fifo

And we have this error message “Cannot connect to OpenSIPS Server via Management Interface (/tmp/opensips_fifo)“. Be sure you are using the right name of the fifo file. Be aware if there is a space at the front or at the end of file path. Be sure that you are talking with the intended OpenSIPS server in case you have many OpenSIPS instances working on the same machine. Be sure the opensips is simply running (OpenSIPS restart may solve the problem). If all that is ok and still you have the error message then start your journey through this article.

Here i have Fedora 20, PHP 5.5.17 , Apache 2.4, OpenSIPS-CP 6.0 , OpenSIPS 1.11. Do the corresponding of everything in your system.

What to Do

Temporarily disable SeLinux. We will come back to it.

  • Discretionary Access Control (DAC): In OpenSIPS configuration file we have this line “modparam(“mi_fifo”, “fifo_mode”, 0666)”  so OpenSIPs create the fifo file with the permission 666 (Owner=6,Group=6, Others=6) which is “prw-rw-rw-“. This means read and write permission for the owner, group, and the others. The letter p means this file is pipe.
  • User:Group Ownership: OpenSIPS-CP executed by apache so add apache user to opensips group if you don’t want to give permissions to others. For this, you can use # system-config-users. To list the members in the group:

# lid -g $groupName

  • Access Control List (ACL): use ACL to give permissions to a specific user For example let Apache user has rw access to the fifo file:

# setfacl -m u:apache:rw /tmp/opensips_fifo

To check the list

# getfacl /tmp/opensips_fifo

Eiciel is GNOME tool to visually configure the ACL entries. # yum install eiciel and to run it  # eiciel the GUI will open. Choose the directory and start editing the acl. Visual ACL

  • Programming Language Restrictions: The programming language may apply some kind of restrictions on accessing files. Web programming language like PHP has safe_mode and open_basedir features. Open /etc/php.ini to disable these. For example file_exists() php function check whether the file or directory is exists or not. This Function return False due to safe_mode restrictions. When safe_mode is enabled (safe_mode = On in php.ini), PHP checks to see if the owner of the current php script matches the owner of the file to be operated on. Safe_mode is removed in PHP-5  but we have to keep programming language restrictions in our minds.
  • Web Server Restrictions: For example Apache web server protects directories and files from hosts/web clients by defining policy rules in httpd.conf.

Example 1: “Linux root is inaccessible by everyone”

<Directory />
AllowOverride none
Require all denied
</Directory>

The default is denying access to the entirety of your server’s file system. You must explicitly permit access to the server’s directories

Example 2: The area /var/www/opensips-cp/web can be accessed by everyone:

<Directory  /var/www/opensips-cp/web>

Options Indexes FollowSymLinks MultiViews

AllowOverride None
Require all granted

</Directory>

  • PrivateTmp Feature: This is new feature since Fedora 16 and Red Hat Enterprise Linux 7. “PrivateTmp” is an option in systemd unit configuration files.

PrivateTmp: “Takes a boolean argument. If true sets up a new file system namespace for the executed processes and mounts a private /tmp directory inside it, that is not shared by processes outside of the namespace. This is useful to secure access to temporary files of the process, but makes sharing between processes via /tmp impossible. Defaults to false.”

If the fifo file which is shared between two processes (apache and opensips) created in /tmp so you have to disable this feature. To disable it do the following:

# vim /usr/lib/systemd/system/httpd.service

Change the line PrivateTmp=true to PrivateTmp=false

# systemctl –system daemon-reload

# systemctl restart httpd.service

  • Umask

It could be helpful if you check the umask of the running process which accessing the file and the umask of the file. umask of the specific file can be changed by setfacl command and graphically by Eiciel . To change the  umask of running process, take the id of the process for example httpd # ps -ef |grep httpd.  Enter the gdp # gdp –pid=httpd-Process-Id. To change the umask to 0, type  call umask(0) in gdp console. The umask will be 0 and the command will give you the previous umask value.

  • SeLinux: SeLinux might prevent the access to the file (access, link, unlink,…. ). Selinux Troubleshooter can help you to know how to fix this. How to allow for example httpd process to access FIFO file. Keep your eyes on the SeLinux alerts and do what the troubleshooter suggests. The file “/var/log/audit/audit.log”  contain the alerts and what you did is this:

# grep httpd /var/log/audit/audit.log | audit2allow -M minpol
# semodule -i minpol.pp

If you go through all the points above you will be able to solve the problem .Remember if you make any changes in the configuration file, restart the service.

Where to Look to Trace the Error

Reading the log files is the key (basically here /var/log/*). Make some changes in the configuration somewhere, restart the corresponding service and re-read the log files again. Repeat this till you get no errors. Now  in our use case of opensips’s fifo we can see a list of available fifo commands in opensips-cp web interface. This means Apache (opensips-cp) and the opensips can communicates through the fifo file.

snap11

OpenSIPS-CP can request the dialog information from OpenSIPS through the fifo file. See the figures below of the early dialog and the confirmed dialog.

dialog1

dialog2


Below is a php client which try to connect to opensips fifo file and send commands. Copy the text and save it in opensips-cp/web/Fifotest.php and then call it from the browser /ipaddress/cp/Fifotest.php. Use it to test the fifo connection.

Source: FIFO Client PHP Example