Support #14430

closed

need access to Sepia Lab

Added by Ben England over 8 years ago. Updated over 6 years ago.

Status: Resolved
Priority: High
Category: -
Target version: -
% Done: 90%

Tags:
Reviewed:
Affected Versions:

Description

Mark Nelson wants Joe Mario and me to run Ceph CBT and profile using the perf "C2C" NUMA profiling tool, because of high-speed storage in this config. I'm following instructions to the best of my ability at:

http://ceph.github.io/sepia/adding_users/

Please let me know if this is not the right way to do this,

thx

Ben England, perf. engr., Red Hat


Files

sepia-bengland (1.72 KB) - private key for openvpn - Ben England, 01/20/2016 01:02 AM
id_rsa.pub (413 Bytes) - my public key - Ben England, 01/20/2016 01:02 AM
sepia.jpg (57.1 KB) - screen shot of Network Connections dialog for OpenVPN - Ben England, 01/25/2016 10:43 PM

Actions #1

Updated by Zack Cerza about 8 years ago

  • Project changed from Tools to sepia

Actions #2

Updated by David Galloway about 8 years ago

  • Status changed from New to In Progress
  • Assignee set to David Galloway

Ben,

Step 4 should probably be clarified but we need the output from 'new-client USER$HOST'
https://ceph.github.io/sepia/adding_users/#setting-up-vpn-client

I'm not sure what that private key is for but I'd consider it burned.

Actions #3

Updated by Ben England about 8 years ago

Sorry I don't follow instructions well, it was all there, is this what you want?

[root@bene-laptop sepia]# ./new-client bengland@bene-laptop
Please submit the following line to the OpenVPN admin:

bengland@bene-laptop N2xWg5kXL5r4Ky2l0OWSdw 1a3557b0852bf212a096c8442b1f25fe2e02df358a66d0fb4e198c99c09cbfe6

Actions #4

Updated by Dan Mick about 8 years ago

yes that's right Ben.

Actions #5

Updated by David Galloway about 8 years ago

  • Status changed from In Progress to 4
  • % Done changed from 0 to 90

Ben,

You should now have access to the sepia lab. Please restart the openvpn connection on your workstation to verify VPN access.

Then, using the private key that matches the pubkey you sent me, ssh as bengland to teuthology.front.sepia.ceph.com.

Let me know if everything looks good or if you need anything else.

Actions #6

Updated by Ben England about 8 years ago

I'm sorry, I really don't get what I'm supposed to do. I went into GUI, added an OpenVPN connect, importing it from the client.conf file, watched logs to see what OpenVPN was saying, made sure that my files in /etc/openvpn were where it expected them to be. I then edited this connection to have username "ben@bene-laptop". Then I tried different passwords such as the hex string generated by ./new-client above, but they didn't work. The logs show this:

Jan 25 17:27:33 bene-laptop NetworkManager976: nm-openvpn-Message: openvpn started with pid 409
Jan 25 17:27:33 bene-laptop NetworkManager976: <info> VPN plugin state changed: starting (3)
Jan 25 17:27:33 bene-laptop NetworkManager976: <info> VPN connection 'sepia VPN client' (ConnectInteractive) reply received.
Jan 25 17:27:33 bene-laptop nm-openvpn409: OpenVPN 2.3.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 16 2015
Jan 25 17:27:33 bene-laptop nm-openvpn409: library versions: OpenSSL 1.0.2e-fips 3 Dec 2015, LZO 2.08
Jan 25 17:27:33 bene-laptop nm-openvpn409: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 25 17:27:33 bene-laptop nm-openvpn409: WARNING: file '/etc/openvpn/sepia/sepia/tlsauth' is group or others accessible
Jan 25 17:27:33 bene-laptop nm-openvpn409: Control Channel Authentication: using '/etc/openvpn/sepia/sepia/tlsauth' as a OpenVPN static key file
Jan 25 17:27:37 bene-laptop nm-openvpn409: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jan 25 17:27:37 bene-laptop nm-openvpn409: UDPv4 link local: [undef]
Jan 25 17:27:37 bene-laptop nm-openvpn409: UDPv4 link remote: [AF_INET]8.43.84.129:1194
Jan 25 17:27:38 bene-laptop nm-openvpn409: [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
Jan 25 17:27:40 bene-laptop nm-openvpn409: AUTH: Received control message: AUTH_FAILED
Jan 25 17:27:40 bene-laptop nm-openvpn409: SIGUSR1[soft,auth-failure] received, process restarting
Jan 25 17:27:40 bene-laptop NetworkManager976: (nm-openvpn-service:31498): nm-openvpn-WARNING **: Password verification failed
Jan 25 17:27:42 bene-laptop NetworkManager976: <info> VPN plugin requested secrets; state connect (4)

ssh fails, but then I can't ping teuthology.front.sepia.ceph.com either. I think this is because the VPN never really came up - there is no route to it.

[ben@bene-laptop ceph-ansible]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default gateway 0.0.0.0 UG 100 0 0 enp0s25
infoblox-trust0 gateway 255.255.255.255 UGH 100 0 0 enp0s25
10.18.80.0 0.0.0.0 255.255.254.0 U 100 0 0 enp0s25
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0

Actions #7

Updated by David Galloway about 8 years ago

Ben,

I just run all my OpenVPN tunnels as a background service so I don't have much experience with setting this up in NetworkManager but I'll try to help.

Change the Authentication type to just 'Password'

You should have a 'secret' file that was created when you ran the new-client script. Looks like it should be in /etc/openvpn/sepia/sepia/ if that's where tlsauth file is.
For Username: put the first line in your 'secret' file
For Password: put the second line in your 'secret' file
The CA cert should be ca.crt from the same directory
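
The log in comment #6 warns that tlsauth is "group or others accessible", and the 'secret' file described above holds the VPN username and password. As an added example (not part of the ticket or of the sepia scripts), this shell snippet audits those two files for group/other permission bits and tightens them; the file names come from this thread, while the function names, the 600 target mode and the use of GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example: audit OpenVPN client secrets for group/other access,
# the condition behind the tlsauth WARNING in the log above.
# Assumption: 'tlsauth' and 'secret' are sensitive; ca.crt is public.

SENSITIVE_FILES="tlsauth secret"

# Print "<mode> <path>" for each sensitive file in directory $1 whose
# mode grants any group or other permission bit.
audit_vpn_secrets() {
    for avs_name in $SENSITIVE_FILES; do
        avs_path="$1/$avs_name"
        [ -f "$avs_path" ] || continue
        avs_mode=$(stat -c '%a' "$avs_path")   # GNU stat, e.g. 644
        # Octal 077 masks the group and other bits; both must be clear.
        if [ $(( 0$avs_mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$avs_mode" "$avs_path"
        fi
    done
}

# chmod 600 every file the audit flags, then print how many files are
# still too open (0 means the directory is clean).
fix_vpn_secrets() {
    audit_vpn_secrets "$1" | while read -r _mode fvs_path; do
        chmod 600 "$fvs_path"
    done
    audit_vpn_secrets "$1" | wc -l
}

# Constructed demo: a throwaway directory standing in for
# /etc/openvpn/sepia/sepia, with placeholder file contents.
demo_dir=$(mktemp -d)
printf 'constructed-user\nconstructed-pass\n' > "$demo_dir/secret"
: > "$demo_dir/tlsauth"
: > "$demo_dir/ca.crt"
chmod 644 "$demo_dir/secret" "$demo_dir/tlsauth" "$demo_dir/ca.crt"
audit_vpn_secrets "$demo_dir"   # flags secret and tlsauth, not ca.crt
fix_vpn_secrets "$demo_dir"
rm -rf "$demo_dir"
```

On a real client, pass the directory that holds tlsauth and secret; the fix step needs write access to those files.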

Actions #8

Updated by Ben England about 8 years ago

That worked! I can now ssh to . Thanks for the help logging in.

Actions #9

Updated by David Galloway about 8 years ago

  • Status changed from 4 to Resolved

Access granted and confirmed

Actions #10

Updated by Ben England over 6 years ago

I had to reinstall sepia VPN, so I had to regenerate my client credentials, can you update the lab key for me? Where should I post the results of sepia/new-client command? What is the IP address/hostname that acts as the VPN portal? Thanks -bene

Actions #11

Updated by David Galloway over 6 years ago

  • Status changed from Resolved to In Progress

Ben England wrote:

I had to reinstall sepia VPN, so I had to regenerate my client credentials, can you update the lab key for me? Where should I post the results of sepia/new-client command? What is the IP address/hostname that acts as the VPN portal? Thanks -bene

You can paste the output of sepia/new-client as a comment in this ticket. The IP/hostname of the VPN server hasn't changed. Still vpn.sepia.ceph.com. If you look back in this ticket's history, there's some info on setting up NetworkManager.

Actions #12

Updated by Ben England over 6 years ago

This one is done. I have VPN access, though I don't know how to get at files within sepia. I had to manually run openvpn to get it to work though.

Actions #13

Updated by David Galloway over 6 years ago

  • Status changed from In Progress to Resolved

Ben England wrote:

This one is done. I have VPN access, though I don't know how to get at files within sepia. I had to manually run openvpn to get it to work though.

Assuming your SSH key hasn't changed, you should still be able to SSH to teuthology.front.sepia.ceph.com and/or to whatever machines you need access to.

https://wiki.sepia.ceph.com/doku.php?id=testnodeaccess

I don't know where or what the CBT results are. Mark Nelson can probably point you in the right direction.
