OpenStack Notes - Glance (images)

Installing Glance (to manage images)

See:

sudo yum install openstack-glance openstack-glance-doc
sudo su - postgres
CREATE ROLE glanceuser WITH LOGIN PASSWORD 'toor';
CREATE DATABASE glance OWNER glanceuser ;
source openrc
openstack project create service
 
openstack user create --domain default --password-prompt glance
openstack role add --project service --user glance admin
openstack service create image --name glance --description "Glance Image Service"
 
openstack endpoint create --region RegionOne glance public http://srv-openstack-controller:9292

Config

  • /etc/glance/glance-api.conf
  • /etc/glance/glance-registry.conf

/etc/glance/glance-api.conf

[DEFAULT]
debug = true
 
[database]
connection = postgresql://glanceuser:toor@127.0.0.1/glance
 
[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images
 
[keystone_authtoken]
www_authenticate_uri = http://srv-openstack-controller:5000/v3
# auth_url is required as well when auth_type = password
auth_url = http://srv-openstack-controller:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = glance
password = toor
 
[paste_deploy]
flavor = keystone

Same for /etc/glance/glance-registry.conf

su -s /bin/sh -c 'glance-manage db_sync' glance
 
mkdir /var/lib/glance/images
chown glance:nobody /var/lib/glance/images/
 
systemctl start openstack-glance-api.service
systemctl start openstack-glance-registry.service
 
systemctl enable openstack-glance-api.service
systemctl enable openstack-glance-registry.service

Test

openstack image list
 
wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
openstack image create cirros --file cirros-0.3.4-x86_64-disk.img --disk-format qcow2 --container-format bare --public

API CLI

openstack.rc

unset $(set |grep _ENDPOINT_ |cut -d= -f1)
unset $(set |grep ^OS_ |cut -d= -f1)
 
export LC_ALL=C
# LC_ALL=C.UTF-8
export OS_NO_CACHE='true'
export OS_CACERT=/etc/ssl/certs/
 
export OS_IDENTITY_API_VERSION='3'
export OS_AUTH_URL='https://192.168.21.53:5000/v3'
export OS_USERNAME=admin
export OS_PASSWORD='P@ssw0rd'
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
glance image-list
 
glance image-create --name plop --file plop.vmdk --disk-format vmdk --container-format bare --visibility private

Policy

OpenStack Glance: allow user to create public images
2025/03/24 15:06

OpenStack Notes - Nova - VNC NOVNC SPICE serial console

/opt/stack/horizon/openstack_dashboard/dashboards/project/instances/templates/instances/_detail_console.html
/usr/share/qemu/keymaps/

/etc/nova/nova-cpu.conf

[vnc]
# Keymap is deprecated
keymap = fr

/etc/libvirt/qemu/instance-00000023.xml

<graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0' keymap='fr'>
<graphics type='spice' autoport='yes' listen='0.0.0.0' keymap='fr'>

apt-get install spice-vdagent

/opt/stack/noVNC/vnc_auto.html

SPICE instead of VNC

See:

/etc/nova/nova-cpu.conf

[vnc]
server_proxyclient_address = 0.0.0.0
server_listen = 0.0.0.0
xvpvncproxy_base_url = http://192.168.56.11:6081/console
novncproxy_base_url = http://192.168.56.11:6080/vnc_auto.html
vnc_enabled = False
novnc_enabled = False
 
 
[spice]
html5proxy_base_url = http://192.168.56.11:6082/spice_auto.html
agent_enabled = True
enabled = True
server_listen = 0.0.0.0
server_proxyclient_address = 192.168.56.11

PS : Two keymap-related configuration options have been deprecated:

  • [vnc] keymap
  • [spice] keymap

Voir https://docs.openstack.org/releasenotes/nova/rocky.html

systemctl restart devstack@n-*

Some changes only apply to newly deployed VMs, since the configuration that counts is the one defined under /etc/libvirt/qemu/.

apt-get install nova-spiceproxy
WebSocket error: Can't connect to websocket on URL: ws://192.168.56.11:6082/websockify

[object Event]

KVM/Libvirt console log

/opt/stack/data/nova/instances/4aa28898-07ce-4f16-8666-4e33e32a7450/console.log

see /etc/libvirt/qemu/instance-00000006.xml

To test

aptitude install uwsgi-plugin-python
nova get-vnc-console INSTANCE_NAME VNC_TYPE

OpenStack Notes - Horizon Web UI

Changing the logout timeout

Horizon session timeout

File

  • /etc/openstack-dashboard/local_settings.py
  • /opt/stack/horizon/openstack_dashboard/local/local_settings.py

local_settings.py

# dashboard session timeout in seconds
SESSION_TIMEOUT = 3600
systemctl restart httpd

See also

/etc/keystone/keystone.conf

[token]
expiration = 36000
systemctl restart devstack@keystone.service

Or under K8S

kubectl -n openstack edit horizon
spec:
  conf:
    horizon:
      local_settings:
        config:
          horizon_session_timeout: 14400

OpenStack Notes - Cinder volumes

losetup -f --show  /opt/stack/data/stack-volumes-*

Create a volume, then delete it, to test.

openstack volume create --size 20 plop
openstack volume delete plop

Problems

Problem 1

stack@oslack1:~/devstack$ openstack volume service list
+------------------+---------------------+------+---------+-------+----------------------------+
| Binary           | Host                | Zone | Status  | State | Updated At                 |
+------------------+---------------------+------+---------+-------+----------------------------+
| cinder-volume    | oslack1@lvmdriver-1 | nova | enabled | down  | 2019-04-05T15:22:35.771203 |
| cinder-scheduler | oslack1             | nova | enabled | up    | 2019-04-05T15:23:16.619859 |
+------------------+---------------------+------+---------+-------+----------------------------+

stack@oslack1:~/devstack$ openstack volume service set --enable oslack1@lvmdriver-1 cinder-volume
stack@oslack1:~/devstack$ openstack volume service list
+------------------+---------------------+------+---------+-------+----------------------------+
| Binary           | Host                | Zone | Status  | State | Updated At                 |
+------------------+---------------------+------+---------+-------+----------------------------+
| cinder-volume    | oslack1@lvmdriver-1 | nova | enabled | down  | 2019-04-05T15:23:24.881781 |
| cinder-scheduler | oslack1             | nova | enabled | up    | 2019-04-05T15:23:26.621806 |
+------------------+---------------------+------+---------+-------+----------------------------+

Solution

/etc/cinder/cinder.conf

[lvmdriver-1]
#volume_group = stack-volumes-lvmdriver-1
volume_group = ubuntu-vg
systemctl restart 'devstack@c-*'

Problem 2

Unable to delete a volume. The problem was that the volume was in the “reserved” state.

openstack volume set --state available 671c5fc7-00bd-4452-be82-645e10d59236
openstack volume delete 671c5fc7-00bd-4452-be82-645e10d59236

OpenSSL Notes

See also the implementations:

See:

See also:

General

Get the location of your openssl files

openssl version -d 

Security - Cipher suites

It is recommended to disable weak cipher suites in favour of robust ones: avoid algorithms such as DES, RC4 and MD5, and use an ECDH key size >= 256 bits or DH >= 2048 bits.

It is recommended to accept only the TLSv1.2 protocol, or to disable the ciphers that use CBC mode (and ECB).

The Payment Card Industry Data Security Standard (PCI DSS) requires CBC ciphers to be disabled.
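As an added example (not from the original notes), the following Python classifies lines of `openssl ciphers -v` output against the rules above and emits the remaining suites as an OpenSSL cipher string; the sample lines are constructed in that output format.

```python
"""Classify suites from `openssl ciphers -v` output against the recommendations
above: flag DES/3DES, RC4, MD5 and CBC-mode suites, then build the allow-list as
an OpenSSL cipher string. The sample lines are constructed in the `-v` format."""
import re

# Constructed sample in the format `openssl ciphers -v` prints (real suite names).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
NULL-SHA256                 TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")
NOT_BLOCK_MODE = ("RC4", "CHACHA20", "None")   # stream ciphers / no cipher: never CBC

def weaknesses(line):
    """Return (suite name, list of policy violations) for one `-v` output line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an `openssl ciphers -v` line: %r" % line)
    name, _proto, _kx, _au, enc, mac = m.groups()
    found = []
    if "DES" in enc:            # covers DES and 3DES
        found.append("DES")
    if enc.startswith("RC4"):
        found.append("RC4")
    if mac == "MD5":
        found.append("MD5")
    if enc == "None":           # eNULL: no confidentiality at all
        found.append("NULL")
    # `-v` does not print the block mode: a non-AEAD MAC with a block cipher means CBC.
    # (ECB is never used by TLS suites, so there is nothing to check for it here.)
    if mac != "AEAD" and not enc.startswith(NOT_BLOCK_MODE):
        found.append("CBC")
    return name, found

def classify(output):
    """Map suite name -> violations for every non-empty line of `openssl ciphers -v`."""
    return dict(weaknesses(l) for l in output.splitlines() if l.strip())

def allowed_cipher_string(output):
    """Suites with no violation, joined as an OpenSSL cipher string for a server config.
    DH/ECDH group sizes are a separate server setting (dhparam, curves), not visible here."""
    return ":".join(name for name, bad in classify(output).items() if not bad)
```

Feed it real output with `classify(subprocess.check_output(["openssl", "ciphers", "-v"], text=True))` to audit the suites your build offers.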

Testing TLS / SSL

LibreSSL

You can compile LibreSSL, the OpenBSD team's cleaned-up rewrite of OpenSSL. It compiles fine on Debian. The executable is still called *openssl*. By default it installs under /usr/local/, so no problem, it will not break your Debian.

Also worth a look for the curious: the gnurl library tied to the GNUnet project, a rewrite of curl with GnuTLS in place of OpenSSL.

Other

Which SSL/TLS versions does my OpenSSL version support?

openssl s_client -help 2>&1  > /dev/null | egrep "\-(ssl|tls)[^a-z]"

For file encryption see scrypt

See SSL/TLS - Benjamin Sonntag, Il était une fois Internet https://www.youtube.com/watch?v=7SEp9C1aBFE

SSL Config Generator, a config generator for Nginx, Apache, HAProxy… https://mozilla.github.io/server-side-tls/ssl-config-generator/

To make life easier, bash aliases for OpenSSL https://certsimple.com/blog/openssl-shortcuts

gnutls-cli-debug gnunet.org
sslscan --no-failed gnunet.org

See also sslscan

http://www.unilim.fr/pages_perso/olivier.ruatta/CRYPTO/TP1openssl.pdf

http://perso.crans.org/~raffo/docs/openssl-qref.pdf

https://www.madboa.com/geek/openssl/

http://kb.paessler.com/en/topic/58793-how-to-get-a-godaddy-ssl-certificate-running-with-prtg

openssl s_client -connect host:443 -servername www.test.fr -cert cert_and_key.pem -key cert_and_key.pem -state -debug
# -bf (Blowfish) is a legacy cipher; on current OpenSSL prefer -aes-256-cbc with -pbkdf2
openssl enc -bf -in fichier.txt -out fichier.txt.enc -pass file:key.txt
openssl enc -d -bf -in fichier.txt.enc -out fichier.txt -pass file:key.txt
nmap --script ssl-enum-ciphers www.test.fr

Fingerprint / hash of a certificate

$ openssl s_client -connect gnunet.org:443 </dev/null | openssl x509 -fingerprint | grep Fingerprint
depth=3 C = DE, O = Deutsche Telekom AG, OU = T-TeleSec Trust Center, CN = Deutsche Telekom Root CA 2
verify error:num=19:self signed certificate in certificate chain
verify return:0
DONE
SHA1 Fingerprint=9E:F2:A0:31:77:42:B6:0E:92:D0:9D:C7:1A:C3:DF:1C:9D:D3:CB:DC

or

gnutls-cli --print-cert acme.fr </dev/null |certtool -i

Verify the certificate chain

gnutls-cli --print-cert acme.fr </dev/null |certtool -e

Find out a certificate's expiry date

$ openssl s_client -connect gnunet.org:443 </dev/null 2>/dev/null| openssl x509 -enddate -noout
notAfter=Feb 12 00:00:00 2019 GM

ssl-cert-check relies on OpenSSL but does not handle SNI (Server Name Indication, RFC 6066). See

$ ./ssl-cert-check -s gnunet.org -p 443

Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
gnunet.org:443                                  Valid        Feb 12 2019  1371 
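An added example, not part of the original notes: Python helpers that reproduce the fingerprint and expiry checks above and fetch the leaf certificate with SNI, which the note says ssl-cert-check lacks. The host gnunet.org in the usage block is taken from the page; the `notAfter` line in the test is the one printed above.

```python
"""Certificate fingerprint and expiry helpers (stdlib only).
fetch_peer_cert() sends the hostname via SNI, so virtual hosts return the right cert."""
import hashlib
import socket
import ssl
from datetime import datetime, timezone

def fingerprint(der_bytes, algo="sha256"):
    """Colon-separated uppercase digest, as `openssl x509 -fingerprint` prints it."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_not_after(line):
    """'notAfter=Feb 12 00:00:00 2019 GMT' (openssl x509 -enddate) -> aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)

def days_until_expiry(not_after_line, now=None):
    """Whole days left (negative once expired). `now` may be an aware datetime, an
    ISO 8601 string with offset, or None for the current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    return (parse_not_after(not_after_line) - now).days

def fetch_peer_cert(host, port=443):
    """Return (DER bytes, parsed dict) of the leaf certificate, using SNI.
    Verification stays on: an untrusted chain raises instead of silently passing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

if __name__ == "__main__":
    der, info = fetch_peer_cert("gnunet.org")
    print("SHA256 Fingerprint=" + fingerprint(der))
    print("days left:", days_until_expiry("notAfter=" + info["notAfter"]))
```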

http2

See also:

  • nghttp2-client
  • h2load

$ echo -n|openssl s_client -connect www.acme.fr:443 -nextprotoneg NULL
CONNECTED(00000003)
Protocols advertised by server: h2, http/1.1
...
Next protocol: (2) NULL

nmap --script=tls-nextprotoneg -p 443 www.acme.fr
openssl s_client -connect www.acme.fr:443 -nextprotoneg "h2"

Note: -nextprotoneg uses NPN, which has been superseded by ALPN (the -alpn option of openssl s_client).

GnuTLS

$ gnutls-cli-debug gnunet.org
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.2 support... yes
Checking whether we need to disable TLS 1.2... N/A
Checking whether we need to disable TLS 1.1... N/A
Checking whether we need to disable TLS 1.0... N/A
Checking for Safe renegotiation support... no
Checking for Safe renegotiation support (SCSV)... no
Checking for HTTPS server name... not checked
Checking for version rollback bug in RSA PMS... dunno
Checking for version rollback bug in Client Hello... no
Checking whether the server ignores the RSA PMS version... yes
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept HeartBeat Extension... no
Checking whether the server can accept small records (512 bytes)... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... yes
Checking for certificate information... N/A
Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... yes
Checking for anonymous authentication support... no
Checking anonymous Diffie-Hellman group info... N/A
Checking for ephemeral Diffie-Hellman support... yes
Checking ephemeral Diffie-Hellman group info... N/A
Checking for ephemeral EC Diffie-Hellman support... yes
Checking ephemeral EC Diffie-Hellman group info...
 Curve SECP256R1 
Checking for AES-128-GCM cipher support... yes
Checking for AES-128-CBC cipher support... yes
Checking for CAMELLIA-128-GCM cipher support... no
Checking for CAMELLIA-128-CBC cipher support... yes
Checking for 3DES-CBC cipher support... yes
Checking for ARCFOUR 128 cipher support... no
Checking for MD5 MAC support... no
Checking for SHA1 MAC support... yes
Checking for SHA256 MAC support... yes
Checking for ZLIB compression support... no
Checking for max record size... no
Checking for OpenPGP authentication support... no

SMTP (StartTLS)

openssl s_client -tls1 -starttls smtp -crlf -connect smtp.acme.fr:25

List of available elliptic curves

openssl ecparam -list_curves

Perf

openssl speed
gnutls-cli --benchmark-ciphers