Support #37279

closed

Sepia Lab Access Request

Added by Rishabh Dave over 5 years ago. Updated about 5 years ago.

Status:
Resolved
Priority:
Normal
Category:
User access
Target version:
-
% Done:
0%

Tags:
Reviewed:
Affected Versions:

Description

1) Do you just need VPN access or will you also be running teuthology jobs?
Both.

2) Desired Username: rishabh

3) Alternate e-mail address(es) we can reach you at:

4) If you don't already have an established history of code contributions to Ceph, is there an existing community or core developer you've worked with who has reviewed your work and can vouch for your access request?

If you answered "No" to # 4, please answer the following (paste directly below the question to keep indentation):

4a) Paste a link to a Blueprint or planning doc of yours that was reviewed at a Ceph Developer Monthly.

4b) Paste a link to an accepted pull request for a major patch or feature.

4c) If applicable, include a link to the current project (planning doc, dev branch, or pull request) that you are looking to test.
https://github.com/ceph/ceph/pull/21948
https://github.com/ceph/ceph-ansible/pull/3326

5) Paste your SSH public key(s) between the pre tags

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4NYxUHx8HMgbVIHadruN1kAJS5be0aZA9rvGtYDfwD5siKNfXFRyLG3thkjxtEi7DPYMxgbpFOXW9EQKh5sQ0ohsADZOi8FSIAfQlOQ+7HAEp7DjBtjxoqB31jJ1e293YtO+nqAhcOMyGfDx+71w5sS2EFqy7PscA9gD9aV2iMxIR/JD1LxXabiqj12jU5AOxr7ZQ1+gM9aroQuDpNxY4U8jBTxx5OtIYRkeI/aN2gQj1mXGMKGo0ItFn4lsXGLxGxMpa9K2UFw2dWQVTw9VNm79nixrCX+lC2nyaJPsRYZipXF1ID2NRk7oJ79dJ/uRBBXpunihlEC3aF+nOgEPH ridave@redhat.com

6) Paste your hashed VPN credentials between the pre tags (Format: user@hostname 22CharacterSalt 65CharacterHashedPassword)

rishabh@p50 wzzfm4Jk+HWJRnXZvXsK8g d2e6751125e7c334e4ea5bfb0de73aeb61d2cca58af65d7723c4f8b5b8bae995

Actions #1

Updated by David Galloway over 5 years ago

  • Category set to User access
  • Status changed from New to 4
  • Assignee set to David Galloway

I pushed the new VPN credential. Can you verify it works please?

Actions #2

Updated by Rishabh Dave over 5 years ago

I did not have a `client` directory in `/etc/openvpn`, unlike the instructions in the wiki[1]; however, my systemd file for `openvpn-client@.service` had the option `WorkingDirectory=/etc/openvpn/client`. So I ran the following command: `sudo mkdir /etc/openvpn/client/ && sudo cd /etc/openvpn && sudo mv sepia* client/`. Copying the files mentioned in this comment and the directory structure below -

$ tree /etc/openvpn/
/etc/openvpn/
└── client
    ├── sepia
    │   ├── ca.crt
    │   ├── client.conf
    │   ├── new-client
    │   ├── secret
    │   └── tlsauth
    ├── sepia.conf -> sepia/client.conf
    ├── sepia-vpn-client.tar.gz
    └── sepia-vpn-client.tar.gz.1

2 directories, 8 files

sepia.conf -

$ cat client/sepia.conf 
script-security 1
client
remote vpn.sepia.ceph.com 1194
dev sepia0
dev-type tun
remote-random
resolv-retry infinite
nobind
user openvpn
group openvpn
persist-tun
persist-key
comp-lzo
verb 2
mute 10
remote-cert-tls server
tls-auth sepia/tlsauth 1
ca sepia/ca.crt
auth-user-pass sepia/secret

systemd file -

$ find /etc/systemd -name '*openvpn*'
/etc/systemd/system/multi-user.target.wants/openvpn-client@.service
$ cat /etc/systemd/system/multi-user.target.wants/openvpn-client@.service
[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process

[Install]
WantedBy=multi-user.target

Actions #3

Updated by Rishabh Dave over 5 years ago

Output from troubleshooting command -

$ sudo openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn/client --verb 5
[sudo] password for rishabh: 
Mon Dec  3 22:01:59 2018 us=131143 WARNING: file 'sepia/tlsauth' is group or others accessible
Mon Dec  3 22:01:59 2018 us=131184 Current Parameter Settings:
Mon Dec  3 22:01:59 2018 us=131191   config = '/etc/openvpn/client/sepia.conf'
Mon Dec  3 22:01:59 2018 us=131196   mode = 0
Mon Dec  3 22:01:59 2018 us=131200   persist_config = DISABLED
Mon Dec  3 22:01:59 2018 us=131204   persist_mode = 1
Mon Dec  3 22:01:59 2018 us=131208   show_ciphers = DISABLED
Mon Dec  3 22:01:59 2018 us=131212   show_digests = DISABLED
Mon Dec  3 22:01:59 2018 us=131215   show_engines = DISABLED
Mon Dec  3 22:01:59 2018 us=131220   genkey = DISABLED
Mon Dec  3 22:01:59 2018 us=131225   key_pass_file = '[UNDEF]'
Mon Dec  3 22:01:59 2018 us=131229 NOTE: --mute triggered...
Mon Dec  3 22:01:59 2018 us=131239 271 variation(s) on previous 10 message(s) suppressed by --mute
Mon Dec  3 22:01:59 2018 us=131245 OpenVPN 2.4.4 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
Mon Dec  3 22:01:59 2018 us=131254 library versions: OpenSSL 1.1.0i-fips  14 Aug 2018, LZO 2.08
Mon Dec  3 22:01:59 2018 us=131630 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec  3 22:01:59 2018 us=131644 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec  3 22:01:59 2018 us=131651 LZO compression initializing
Mon Dec  3 22:01:59 2018 us=131695 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Mon Dec  3 22:01:59 2018 us=220102 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Mon Dec  3 22:01:59 2018 us=220247 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Mon Dec  3 22:01:59 2018 us=220273 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Mon Dec  3 22:01:59 2018 us=223734 TCP/UDP: Preserving recently used remote address: [AF_INET]8.43.84.129:1194
Mon Dec  3 22:01:59 2018 us=223835 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Dec  3 22:01:59 2018 us=223858 UDP link local: (not bound)
Mon Dec  3 22:01:59 2018 us=223876 UDP link remote: [AF_INET]8.43.84.129:1194
Mon Dec  3 22:01:59 2018 us=223889 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
WRMon Dec  3 22:01:59 2018 us=574499 TLS: Initial packet from [AF_INET]8.43.84.129:1194, sid=1a8b5adb d041c01f
WMon Dec  3 22:01:59 2018 us=574714 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
WRMon Dec  3 22:01:59 2018 us=985074 VERIFY OK: depth=1, O=Redhat, CN=openvpnca-sepia
Mon Dec  3 22:01:59 2018 us=985572 VERIFY KU OK
Mon Dec  3 22:01:59 2018 us=985607 Validating certificate extended key usage
Mon Dec  3 22:01:59 2018 us=985623 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Dec  3 22:01:59 2018 us=985635 VERIFY EKU OK
Mon Dec  3 22:01:59 2018 us=985650 VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
WRWRWRWMon Dec  3 22:02:01 2018 us=827202 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2432 bit RSA
Mon Dec  3 22:02:01 2018 us=827287 [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
Mon Dec  3 22:02:03 2018 us=44603 SENT CONTROL [openvpn-sepia]: 'PUSH_REQUEST' (status=1)
WRRMon Dec  3 22:02:03 2018 us=466149 AUTH: Received control message: AUTH_FAILED
Mon Dec  3 22:02:03 2018 us=466384 TCP/UDP: Closing socket
Mon Dec  3 22:02:03 2018 us=466441 SIGTERM[soft,auth-failure] received, process exiting

Actions #4

Updated by David Galloway over 5 years ago

Check the paths in sepia.conf

In mine, there are absolute paths set in the last 3 lines that may not be correct for your setup.

Actions #5

Updated by Rishabh Dave over 5 years ago

Didn't work for me -

$ cat /etc/openvpn/client/sepia.conf 
script-security 1
client
remote vpn.sepia.ceph.com 1194
dev sepia0
dev-type tun
remote-random
resolv-retry infinite
nobind
user openvpn
group openvpn
persist-tun
persist-key
comp-lzo
verb 2
mute 10
remote-cert-tls server
tls-auth /etc/openvpn/client/sepia/tlsauth 1
ca /etc/openvpn/client/sepia/ca.crt
auth-user-pass /etc/openvpn/client/sepia/secret
$ ls /etc/openvpn/client/sepia/tlsauth
/etc/openvpn/client/sepia/tlsauth
$ ls /etc/openvpn/client/sepia/ca.crt
/etc/openvpn/client/sepia/ca.crt
$ ls /etc/openvpn/client/sepia/secret
/etc/openvpn/client/sepia/secret

$ systemctl status openvpn-client@sepia.service
● openvpn-client@sepia.service - OpenVPN tunnel for sepia
   Loaded: loaded (/usr/lib/systemd/system/openvpn-client@.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO

Dec 03 22:21:48 p50 openvpn[16455]: VERIFY OK: depth=1, O=Redhat, CN=openvpnca-sepia
Dec 03 22:21:48 p50 openvpn[16455]: VERIFY KU OK
Dec 03 22:21:48 p50 openvpn[16455]: Validating certificate extended key usage
Dec 03 22:21:48 p50 openvpn[16455]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 03 22:21:48 p50 openvpn[16455]: VERIFY EKU OK
Dec 03 22:21:48 p50 openvpn[16455]: VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
Dec 03 22:21:49 p50 openvpn[16455]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2432 bit RSA
Dec 03 22:21:49 p50 openvpn[16455]: [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
Dec 03 22:21:51 p50 openvpn[16455]: AUTH: Received control message: AUTH_FAILED
Dec 03 22:21:51 p50 openvpn[16455]: SIGTERM[soft,auth-failure] received, process exiting
$ sudo openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn/client --verb 5
Mon Dec  3 22:22:49 2018 us=589304 WARNING: file '/etc/openvpn/client/sepia/tlsauth' is group or others accessible
Mon Dec  3 22:22:49 2018 us=589353 Current Parameter Settings:
Mon Dec  3 22:22:49 2018 us=589360   config = '/etc/openvpn/client/sepia.conf'
Mon Dec  3 22:22:49 2018 us=589366   mode = 0
Mon Dec  3 22:22:49 2018 us=589372   persist_config = DISABLED
Mon Dec  3 22:22:49 2018 us=589377   persist_mode = 1
Mon Dec  3 22:22:49 2018 us=589382   show_ciphers = DISABLED
Mon Dec  3 22:22:49 2018 us=589387   show_digests = DISABLED
Mon Dec  3 22:22:49 2018 us=589392   show_engines = DISABLED
Mon Dec  3 22:22:49 2018 us=589400   genkey = DISABLED
Mon Dec  3 22:22:49 2018 us=589406   key_pass_file = '[UNDEF]'
Mon Dec  3 22:22:49 2018 us=589409 NOTE: --mute triggered...
Mon Dec  3 22:22:49 2018 us=589422 271 variation(s) on previous 10 message(s) suppressed by --mute
Mon Dec  3 22:22:49 2018 us=589428 OpenVPN 2.4.4 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
Mon Dec  3 22:22:49 2018 us=589436 library versions: OpenSSL 1.1.0i-fips  14 Aug 2018, LZO 2.08
Mon Dec  3 22:22:49 2018 us=589902 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec  3 22:22:49 2018 us=589915 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec  3 22:22:49 2018 us=589922 LZO compression initializing
Mon Dec  3 22:22:49 2018 us=589964 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Mon Dec  3 22:22:49 2018 us=672300 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Mon Dec  3 22:22:49 2018 us=672414 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Mon Dec  3 22:22:49 2018 us=672439 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Mon Dec  3 22:22:49 2018 us=673005 TCP/UDP: Preserving recently used remote address: [AF_INET]8.43.84.129:1194
Mon Dec  3 22:22:49 2018 us=673075 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Dec  3 22:22:49 2018 us=673096 UDP link local: (not bound)
Mon Dec  3 22:22:49 2018 us=673146 UDP link remote: [AF_INET]8.43.84.129:1194
Mon Dec  3 22:22:49 2018 us=673162 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
WRMon Dec  3 22:22:50 2018 us=99943 TLS: Initial packet from [AF_INET]8.43.84.129:1194, sid=6b860114 fe1efba9
WMon Dec  3 22:22:50 2018 us=100182 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
WRMon Dec  3 22:22:50 2018 us=509952 VERIFY OK: depth=1, O=Redhat, CN=openvpnca-sepia
Mon Dec  3 22:22:50 2018 us=510464 VERIFY KU OK
Mon Dec  3 22:22:50 2018 us=510501 Validating certificate extended key usage
Mon Dec  3 22:22:50 2018 us=510517 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Dec  3 22:22:50 2018 us=510530 VERIFY EKU OK
Mon Dec  3 22:22:50 2018 us=510542 VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
WRWRWWRWMon Dec  3 22:22:52 2018 us=354378 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2432 bit RSA
Mon Dec  3 22:22:52 2018 us=354464 [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
RMon Dec  3 22:22:53 2018 us=800771 SENT CONTROL [openvpn-sepia]: 'PUSH_REQUEST' (status=1)
WRRMon Dec  3 22:22:54 2018 us=196587 AUTH: Received control message: AUTH_FAILED
Mon Dec  3 22:22:54 2018 us=196831 TCP/UDP: Closing socket
Mon Dec  3 22:22:54 2018 us=196892 SIGTERM[soft,auth-failure] received, process exiting
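
The two things worked through in the comments above, relative file paths in sepia.conf resolving against the unit's WorkingDirectory (the --cd given on the command line) rather than the config's own directory, and the "is group or others accessible" warning on tlsauth, are the kind of thing a pre-flight check can catch before starting openvpn-client@sepia. The POSIX shell script below is an added example written for this page; it is not code from the ticket, the Sepia wiki or the ceph project. It builds a throwaway copy of the layout shown in the thread (dummy ca.crt, tlsauth and secret contents, tlsauth deliberately left 0644), resolves each file directive the way openvpn does from its working directory, and reports files that are missing or readable by group/others. Only the directory layout and directive names come from the thread; the check function, its output format and the demo directory are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the ticket or the Sepia wiki): pre-flight check for
# an OpenVPN client config. Resolves file directives relative to the working
# directory openvpn will actually run from (--cd, or WorkingDirectory= in the
# systemd unit), confirms each file exists, and flags key material that is
# group/world readable, which is what openvpn's "is group or others
# accessible" warning complains about.

# check_openvpn_config CONFIG WORKDIR
#   Prints one finding per line, "MISSING <directive> <path>" or
#   "EXPOSED <directive> <path> <mode>", and returns 1 if anything was found,
#   0 when every referenced file is present and locked down.
check_openvpn_config() {
    config=$1
    workdir=$2
    rc=0
    while read -r directive arg _rest; do
        case "$directive" in
            ''|'#'*|';'*) continue ;;                       # blank line or comment
            ca|cert|key|tls-auth|tls-crypt|auth-user-pass|secret|dh|crl-verify) ;;
            *) continue ;;                                  # not a file directive
        esac
        # a bare "auth-user-pass" means prompt on stdin: nothing on disk to check
        [ -n "$arg" ] || continue
        # openvpn opens relative paths from its cwd, not from the config's directory
        case "$arg" in
            /*) path=$arg ;;
            *)  path=$workdir/$arg ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"
            rc=1
            continue
        fi
        case "$directive" in
            key|tls-auth|tls-crypt|auth-user-pass|secret)
                # GNU stat first, BSD/macOS stat as fallback; both print e.g. 644
                mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
                # the last two octal digits are group and other: anything but 00 leaks
                case "$mode" in
                    *00) ;;
                    *) echo "EXPOSED $directive $path $mode"; rc=1 ;;
                esac ;;
        esac
    done < "$config"
    return $rc
}

# demo_layout: constructed copy of the thread's /etc/openvpn/client tree in a
# temp dir (dummy file contents, tlsauth left 0644 on purpose). Prints the dir.
demo_layout() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sepia"
    printf 'client\nremote vpn.sepia.ceph.com 1194\nremote-cert-tls server\n' > "$dir/sepia.conf"
    printf 'tls-auth sepia/tlsauth 1\nca sepia/ca.crt\nauth-user-pass sepia/secret\n' >> "$dir/sepia.conf"
    printf 'dummy CA certificate, constructed for the example\n' > "$dir/sepia/ca.crt"
    printf 'dummy tls-auth key, constructed for the example\n' > "$dir/sepia/tlsauth"
    chmod 644 "$dir/sepia/tlsauth"                          # reproduces the warning
    printf 'rishabh\nnot-a-real-password\n' > "$dir/sepia/secret"
    chmod 600 "$dir/sepia/secret"
    echo "$dir"
}

# Walk-through on the constructed layout: with the right working directory the
# relative paths resolve and only the tlsauth permissions are reported; with
# the wrong one every relative file goes missing, which is the state the
# thread was in before the files were moved under /etc/openvpn/client.
demo_dir=$(demo_layout)
echo "== resolving against $demo_dir (the unit's WorkingDirectory) =="
check_openvpn_config "$demo_dir/sepia.conf" "$demo_dir" && echo "clean" \
    || echo "fix the findings above before starting the service"
echo "== same config from the wrong working directory =="
check_openvpn_config "$demo_dir/sepia.conf" /nonexistent || true
rm -rf "$demo_dir"
```

Against a real install the call is `check_openvpn_config /etc/openvpn/client/sepia.conf /etc/openvpn/client`, with the second argument matching WorkingDirectory= in the unit file shown earlier in the thread. Note that a clean result only says the files are where openvpn will look for them; an AUTH_FAILED like the one above can still come from the server side not having the credential that is in the secret file, which is what re-running new-client and resubmitting the hash fixed here.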

Actions #6

Updated by Rishabh Dave over 5 years ago

$ sudo ./new-client rishabh@p50
Please submit the following line to the OpenVPN admin:

rishabh@p50 zdJ4XsBdVugwMrqJOSBi3Q c78bb28ba5cf2bf9c8edb80fe57814d60cd2ffdbd874cf9a271e5adf171bb0c4

Actions #7

Updated by Rishabh Dave over 5 years ago

I can ssh into sepia lab machines now.

Actions #8

Updated by David Galloway about 5 years ago

  • Status changed from 4 to Resolved