One of the things that’s been bugging me about NetScaler and OpenStack is the lack of basic integration. Its management network is configured via DHCP on first boot, or via config drive and userdata if DHCP is not available, but it doesn’t import SSH keys or run userdata scripts for its initial configuration.
Thankfully, the above limitation may be easily alleviated using the nsbefore.sh and nsafter.sh boot-time configuration backdoors. Here is a sample nsbefore.sh, based on the OpenStack docs, for VPX that imports the instance’s SSH public key from the metadata service:
root@ns# cat /nsconfig/nsbefore.sh
#!/usr/bin/bash
# Fetch public key using HTTP
ATTEMPTS=10
FAILED=0
while [ ! -f /nsconfig/ssh/authorized_keys ]; do
    curl -f http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > /tmp/metadata-key 2>/dev/null
    if [ $? -eq 0 ]; then
        cat /tmp/metadata-key >> /nsconfig/ssh/authorized_keys
        chmod 0600 /nsconfig/ssh/authorized_keys
        rm -f /tmp/metadata-key
        echo "Successfully retrieved public key from instance metadata"
        echo "*****************"
        echo "AUTHORIZED KEYS"
        echo "*****************"
        cat /nsconfig/ssh/authorized_keys
        echo "*****************"
    else
        FAILED=`expr $FAILED + 1`
        if [ $FAILED -ge $ATTEMPTS ]; then
            echo "Failed to retrieve public key from instance metadata after $FAILED attempts, quitting"
            break
        fi
        echo "Could not retrieve public key from instance metadata (attempt #$FAILED/$ATTEMPTS), retrying in 5 seconds..."
        ifconfig 0/1
        sleep 5
    fi
done
Courtesy of the Red Hat documentation, a simple nsafter.sh that retrieves and runs the userdata script is the following (the retry messages of the original copy still talked about the public key; they are corrected here to refer to the userdata):
#!/usr/bin/bash
# Fetch userdata using HTTP
ATTEMPTS=10
FAILED=0
while [ ! -f /nsconfig/userdata ]; do
    curl -f http://169.254.169.254/openstack/2012-08-10/user_data > /tmp/userdata 2>/dev/null
    if [ $? -eq 0 ]; then
        cat /tmp/userdata >> /nsconfig/userdata
        chmod 0700 /nsconfig/userdata
        rm -f /tmp/userdata
        echo "Successfully retrieved userdata"
        echo "*****************"
        echo "USERDATA"
        echo "*****************"
        cat /nsconfig/userdata
        echo "*****************"
        # Execute the retrieved userdata script
        /nsconfig/userdata
    else
        FAILED=`expr $FAILED + 1`
        if [ $FAILED -ge $ATTEMPTS ]; then
            echo "Failed to retrieve userdata from instance metadata after $FAILED attempts, quitting"
            break
        fi
        echo "Could not retrieve userdata from instance metadata (attempt #$FAILED/$ATTEMPTS), retrying in 5 seconds..."
        sleep 5
    fi
done
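Both hook scripts share the same shape: poll the link-local metadata service until a fetch succeeds, then append the result to a file under /nsconfig. Two things a practitioner would want on top of that are idempotence (the `while [ ! -f ... ]` guard means a half-written file on one boot is never revisited, and a second run would append duplicates) and a sanity check on what lands in authorized_keys, since the fetched body is appended as-is. The following is an added example, not code from the original post or from the NetScaler/OpenStack documentation it quotes: it factors the two retry loops into one `fetch_with_retry` helper and replaces the bare `cat >> authorized_keys` step with `install_authorized_keys`, which accepts only lines shaped like an OpenSSH public key, skips keys already present, and pins the modes sshd expects. All function and variable names are this example's own, and every path is a parameter so it can be exercised against a scratch directory. The metadata service remains the trust anchor OpenStack gives an instance, so the checks are on shape and repeatability, not on authenticity of the payload.

```shell
#!/usr/bin/bash
# Added example (not from the original post): a fetch-with-retry helper plus a
# stricter authorized_keys installer for the nsbefore.sh step. Names and the
# scratch-directory usage are this example's own assumptions.

# fetch_with_retry DEST ATTEMPTS DELAY CMD [ARGS...]
# Runs CMD with stdout redirected to DEST until it exits 0 or ATTEMPTS is used
# up; a failed run leaves no partial DEST behind. Returns 0 on success.
fetch_with_retry() {
    local dest=$1 attempts=$2 delay=$3 failed=0
    shift 3
    while [ "$failed" -lt "$attempts" ]; do
        if "$@" > "$dest" 2>/dev/null; then
            return 0
        fi
        failed=$((failed + 1))
        echo "fetch attempt $failed/$attempts failed, retrying in ${delay}s" >&2
        sleep "$delay"
    done
    rm -f "$dest"
    return 1
}

# Key types the VPX's sshd can use, a base64 body with optional padding, and
# an optional comment containing no control characters.
OPENSSH_KEY_RE='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( [^[:cntrl:]]*)?$'

# is_openssh_pubkey LINE -> 0 when LINE has the shape of one OpenSSH public key
is_openssh_pubkey() {
    printf '%s\n' "$1" | grep -Eq "$OPENSSH_KEY_RE"
}

# install_authorized_keys SRC DEST
# SRC is the file fetched from the metadata service; DEST is authorized_keys
# (on the VPX: /nsconfig/ssh/authorized_keys). Prints how many keys were
# appended; returns 0 if DEST holds at least one key afterwards, else 1.
install_authorized_keys() {
    local src=$1 dest=$2 dir added=0 line clean
    dir=$(dirname "$dest")
    clean=$(mktemp)
    mkdir -p "$dir" && chmod 0700 "$dir"
    [ -f "$dest" ] || : > "$dest"
    chmod 0600 "$dest"
    tr -d '\r' < "$src" > "$clean"          # tolerate CRLF from the HTTP path
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! is_openssh_pubkey "$line"; then
            echo "rejecting malformed authorized_keys line" >&2
            continue
        fi
        if ! grep -qxF -- "$line" "$dest"; then  # exact-line dedup
            printf '%s\n' "$line" >> "$dest"
            added=$((added + 1))
        fi
    done < "$clean"
    rm -f "$clean"
    echo "$added"
    [ -s "$dest" ]
}

# On the VPX the nsbefore.sh body would reduce to (not run here):
#   fetch_with_retry /tmp/metadata-key 10 5 \
#       curl -f http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key \
#   && install_authorized_keys /tmp/metadata-key /nsconfig/ssh/authorized_keys
```

Because `install_authorized_keys` deduplicates by exact line, the hook can drop the `while [ ! -f ... ]` guard and simply run on every boot; a key rotated in Nova metadata is then picked up on the next reboot without leaving stale duplicates behind.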
Simple enough. Now to put these to the test:
- Create a simple HEAT template
- Import into Glance a NetScaler image that contains the above nsbefore.sh and nsafter.sh, and name it NS_userdata
- Create a simple test provisioning script
- Create a stack and identify the NetScaler floating IP address
# more template
################################################################################
heat_template_version: 2015-10-15
################################################################################
description: >
  Simple template to deploy a NetScaler with floating IP
################################################################################
resources:
  testvpx:
    type: OS::Nova::Server
    properties:
      key_name: mysshkey
      image: NS_userdata
      flavor: m1.vpx
      networks:
        - network: private_network
      user_data_format: "RAW"
      user_data:
        get_file: provision.sh
  testvpx_floating_ip:
    type: OS::Neutron::FloatingIP
    properties:
      floating_network: external_network
  testvpx_float_association:
    type: OS::Neutron::FloatingIPAssociation
    properties:
      floatingip_id: { get_resource: testvpx_floating_ip }
      port_id: { get_attr: [testvpx, addresses, private_network, 0, port] }

# cat provision.sh
#!/usr/bin/bash
echo foo
touch /var/tmp/foobar
echo bar >> /var/tmp/foobar
nscli -U :nsroot:nsroot add ns ip 172.16.30.40 255.255.255.0

# heat stack-create -f template vpx__userdata
+--------------------------------------+------------------+--------------------+---------------------+--------------+
| id                                   | stack_name       | stack_status       | creation_time       | updated_time |
+--------------------------------------+------------------+--------------------+---------------------+--------------+
| 540cb3d2-3b21-443c-a43b-10c745d28498 | vpx__userdata    | CREATE_IN_PROGRESS | 2016-04-17T16:49:49 | None         |
+--------------------------------------+------------------+--------------------+---------------------+--------------+
#
# nova list | grep testvpx
| 77388ebc-97e8-4a74-b863-40e822cb88c7 | vpx__userdata-testvpx-t3r3avxl7unc | ACTIVE | - | Running | private_network=192.168.100.200, 10.78.16.139
That should be it. To verify that everything went smoothly, SSH into the instance with your private key and run “sh ns ip” to confirm that the provisioning script executed: the SNIP added by provision.sh should be listed next to the DHCP-assigned NSIP.
# ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i privatekey.pem nsroot@10.78.16.139
Warning: Permanently added '10.78.16.139' (RSA) to the list of known hosts.
###############################################################################
#                                                                             #
#        WARNING: Access to this system is for authorized users only          #
#        Disconnect IMMEDIATELY if you are not an authorized user!            #
#                                                                             #
###############################################################################
Last login: Sun Apr 17 16:51:06 2016 from 10.78.16.59
 Done
> sh ns ip
        Ipaddress        Traffic Domain  Type          Mode    Arp      Icmp     Vserver  State
        ---------        --------------  ----          ----    ---      ----     -------  ------
1)      192.168.100.200  0               NetScaler IP  Active  Enabled  Enabled  NA       Enabled
2)      172.16.30.40     0               SNIP          Active  Enabled  Enabled  NA       Enabled