OpenStack OpenVPN access

Neutron networking in OpenStack does not support cloudpipe anymore and no alternative is available. In the OpenStack setup we use, we do not have enough routable IP addresses available to give every virtual machine an IP that is accessible from outside OpenStack.

I solved this by running a virtual machine inside OpenStack with a public (floating) IP. This virtual machine runs an OpenVPN server with password-based authentication that is passed through to Keystone, so the credentials for OpenVPN and OpenStack are the same.

OpenVPN can use a script to verify user credentials. The script tries to authenticate to Keystone with the credentials of the user, scoped to the openvpn tenant. This allows the administrator to limit OpenVPN access to users who are members of that tenant. Change the address on line 29 to the address of your Keystone server.

In the OpenVPN config add this line:

auth-user-pass-verify /etc/openvpn/ via-file
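
The verification script itself is not reproduced on this page. The following is an added example, not the original script: it shows one way to do the check described above, assuming the Keystone v3 token API, the default domain, and a placeholder Keystone URL. All function names are hypothetical.

```python
#!/usr/bin/env python3
import json
import sys
import urllib.error
import urllib.request

KEYSTONE_URL = "https://keystone.example.org:5000/v3/auth/tokens"  # placeholder
PROJECT = "openvpn"   # tenant/project that gates VPN access (from the post)
DOMAIN = "default"    # assumption: users and project live in the default domain


def read_credentials(path):
    """OpenVPN (via-file) writes the username on line 1, the password on line 2."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    if len(lines) < 2 or not lines[0] or not lines[1]:
        raise ValueError("credential file is incomplete")
    return lines[0], lines[1]


def build_auth_request(user, password):
    """Project-scoped password auth: fails unless the user has a role in PROJECT."""
    identity = {"methods": ["password"], "password": {"user": {
        "name": user, "domain": {"id": DOMAIN}, "password": password}}}
    scope = {"project": {"name": PROJECT, "domain": {"id": DOMAIN}}}
    return {"auth": {"identity": identity, "scope": scope}}


def http_post(url, body):
    """Return the HTTP status of a JSON POST; TLS verification stays enabled."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify(path, post=http_post):
    """Return 0 (allow) only on 201 Created; every error path denies (fail closed)."""
    try:
        user, password = read_credentials(path)
        return 0 if post(KEYSTONE_URL, build_auth_request(user, password)) == 201 else 1
    except Exception:
        return 1

if __name__ == "__main__":
    sys.exit(verify(sys.argv[1]) if len(sys.argv) == 2 else 1)
```

OpenVPN passes the temporary credential file as the only argument and treats exit code 0 as success; it also needs script-security 2 to run a user-defined script.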

DHCPv6 on Fedora (14)

DHCPv6 does not work on Fedora. The router/DHCP server gets an icmp6-adm-prohibited. To fix this, add the following to /etc/sysconfig/ip6tables before the -A INPUT -j REJECT … line:

-A INPUT -m state --state NEW -m udp -p udp --dport 546 --sport 547 -s fe80::/10 -d fe80::/10 -j ACCEPT

and restart the firewall:

service ip6tables restart

eAccelerator 0.9.6

We released eAccelerator 0.9.6 today. Next release should be 1.0.

The last few days I have been hacking on new caching code. You can get the code from this git repo:

I hope to get this ready, stable and fast enough for a 1.0 release.


This weekend I attended the devopsdays. The conference topic was “agility in system administration”, and breaking down the wall between development and operation. I like the idea and I think this is the way forward. This is also important for me from a research perspective, because an important aspect is the use of system configuration tools. By using these tools, operations also becomes development using the API provided by the tool.

Although the conference was nice and I especially liked the talk by Teyo from Reductive Labs, I was a bit disappointed. Most of the attendees were part of small companies or startups. As Teyo said in his talk, this is where a lot of these new ideas are formed and they trickle up to enterprises. The second part of the conference, after the presentations, was an openspace meeting. It was there that I got a bit disappointed. Most discussions were at a low level and did not touch the real problems that the devops concept faces.

Instead, the talk was about the next generation patch tools, how to migrate partially Puppet-managed Debian boxes, how evil mailing lists are or the “next yet another” cloud management tool. These are all really interesting discussions if I was wearing my sysadmin hat, but they do not have much to do with devops (and I was wearing my researcher hat).

Devops is much easier to do when you talk about a small team, where the developer is sitting next to the sysadmin. This is, like Teyo said, much the case in small companies or startups. According to me the discussions should have been about:

  1. How do you move from the current model in enterprises to the devops model?
  2. How do you make devops compatible with stuff like ITIL or COBIT? This is important for enterprises; you cannot ignore this.
  3. What about security? Are you going to give everyone access to the API? How do you control access? ACHEL is a step in the right direction according to me.
  4. How far do you want to go? Will everyone be dev and ops? Or is there still some specialization? Because even in development, nobody does everything.

I know this is the whole point of open space, everyone can propose a session. I tried one about the security aspect, without talking about ACHEL. But nobody was interested. I also did not want to push this, because forcing would have been counterproductive. Maybe a last question: How do you bring these kinds of questions on as a sysadmin, without looking like a researcher in his ivory tower? I have no idea …