From 01e836fa7a3df6251c479b996875080c11f8c775 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Sat, 18 Oct 2025 08:05:41 +0200 Subject: [PATCH 1/4] Pick correct interface for centos/rocky 10 --- etc/kayobe/inventory/group_vars/compute/network-interfaces | 2 +- etc/kayobe/inventory/group_vars/controllers/network-interfaces | 2 +- etc/kayobe/inventory/group_vars/seed/network-interfaces | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/kayobe/inventory/group_vars/compute/network-interfaces b/etc/kayobe/inventory/group_vars/compute/network-interfaces index 4667b04..f47a0de 100644 --- a/etc/kayobe/inventory/group_vars/compute/network-interfaces +++ b/etc/kayobe/inventory/group_vars/compute/network-interfaces @@ -5,7 +5,7 @@ # Controller interface on all-in-one network. aio_interface: "br{{ aio_bridge_ports[0] }}" aio_bridge_ports: - - "{{ 'ens2' if os_distribution == 'ubuntu' else 'eth0' }}" + - "{{ 'eth0' if (os_release | string).startswith('9') else 'ens2' }}" # Route via the seed-hypervisor to the outside world. aio_gateway: 192.168.33.4 diff --git a/etc/kayobe/inventory/group_vars/controllers/network-interfaces b/etc/kayobe/inventory/group_vars/controllers/network-interfaces index ce72526..04d737a 100644 --- a/etc/kayobe/inventory/group_vars/controllers/network-interfaces +++ b/etc/kayobe/inventory/group_vars/controllers/network-interfaces @@ -5,7 +5,7 @@ # Controller interface on all-in-one network. aio_interface: "br{{ aio_bridge_ports[0] }}" aio_bridge_ports: - - "{{ 'ens2' if os_distribution == 'ubuntu' else 'eth0' }}" + - "{{ 'eth0' if (os_release | string).startswith('9') else 'ens2' }}" # Route via the seed-hypervisor to the outside world. aio_gateway: 192.168.33.4 diff --git a/etc/kayobe/inventory/group_vars/seed/network-interfaces b/etc/kayobe/inventory/group_vars/seed/network-interfaces index 52bfa49..0d4a2dc 100644 --- a/etc/kayobe/inventory/group_vars/seed/network-interfaces +++ b/etc/kayobe/inventory/group_vars/seed/network-interfaces @@ -2,7 +2,7 @@ ############################################################################### # Network interface definitions for the seed group. -aio_interface: "{{ 'ens2' if os_distribution == 'ubuntu' else 'eth0' }}" +aio_interface: "{{ 'eth0' if (os_release | string).startswith('9') else 'ens2' }}" # Route via the seed-hypervisor to the outside world. # FIXME: Circular reference between seed & seed-hypervisor? From a5595fee4a450d06dbadea43d05994d2fdc5d44c Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Sat, 18 Oct 2025 10:35:00 +0200 Subject: [PATCH 2/4] Add extra step to update packages and reboot This is required on Rocky Linux 10 where the kolla-ansible neutron role may try to load modules that do not match the running kernel. --- a-universe-from-nothing.sh | 2 ++ etc/kayobe/ansible/reboot.yml | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 etc/kayobe/ansible/reboot.yml diff --git a/a-universe-from-nothing.sh b/a-universe-from-nothing.sh index 7256505..95f35b9 100755 --- a/a-universe-from-nothing.sh +++ b/a-universe-from-nothing.sh @@ -87,6 +87,8 @@ kayobe overcloud hardware inspect kayobe overcloud introspection data save kayobe overcloud provision kayobe overcloud host configure +kayobe overcloud host package update --packages '*' +kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/reboot.yml kayobe overcloud container image pull kayobe overcloud service deploy source ~/deployment/src/kayobe-config/etc/kolla/public-openrc.sh diff --git a/etc/kayobe/ansible/reboot.yml b/etc/kayobe/ansible/reboot.yml new file mode 100644 index 0000000..599c9e4 --- /dev/null +++ b/etc/kayobe/ansible/reboot.yml @@ -0,0 +1,18 @@ +--- +- name: Reboot overcloud hosts if required + hosts: overcloud + tags: + - reboot + tasks: + - block: + - name: Check if hosts need restarting + ansible.builtin.command: + cmd: needs-restarting -r + failed_when: false + register: needs_restarting + + - name: Reboot and wait + become: true + ansible.builtin.reboot: + when: needs_restarting.rc == 1 + when: ansible_facts.os_family == 'RedHat' From 53bfc41ed9dd32d4215b485b042d4b8fa84af60f Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 29 Oct 2025 14:32:15 +0100 Subject: [PATCH 3/4] Update bootstrap and docs for Rocky Linux 10 --- README.rst | 20 +++++--------------- a-universe-from-nothing.sh | 16 +++------------- 2 files changed, 8 insertions(+), 28 deletions(-) diff --git a/README.rst b/README.rst index 724bb02..1f7386e 100644 --- a/README.rst +++ b/README.rst @@ -20,7 +20,7 @@ Requirements For this workshop, we require the use of a single server, configured as a *seed hypervisor*. This server should be a bare metal node or VM running -Ubuntu Jammy or Rocky 9, with the following minimum requirements: +Ubuntu Noble or Rocky Linux 10, with the following minimum requirements: * 64GB RAM (more is recommended when growing the lab deployment) * 100GB disk @@ -59,7 +59,7 @@ There are four parts to this guide: exercise, and fetching the necessary source code. *Deploying a Seed* includes all instructions necessary to download and install -the Kayobe prerequisites on a plain Rocky 9 or Ubuntu Jammy cloud image, +the Kayobe prerequisites on a plain Rocky Linux 10 or Ubuntu Noble cloud image, including provisioning and configuration of a seed VM. Optionally, snapshot the instance after this step to reduce setup time in the future. @@ -81,15 +81,10 @@ already logged in (e.g. ``ssh rocky@``, or ``ssh ubuntu@``). # Install git and tmux. if $(which dnf 2>/dev/null >/dev/null); then - sudo dnf -y install git tmux + sudo dnf -y install git python3 tmux else sudo apt update - sudo apt -y install git tmux - fi - - # Install Python 3.12 on Rocky Linux 9 - if $(which dnf 2>/dev/null >/dev/null); then - sudo dnf -y install python3.12 + sudo apt -y install git python3 tmux fi # Disable the firewall. @@ -114,12 +109,7 @@ already logged in (e.g. ``ssh rocky@``, or ``ssh ubuntu@``). [[ -d beokay ]] || git clone https://github.com/stackhpc/beokay.git # Use Beokay to bootstrap your control host. - if $(which dnf 2>/dev/null >/dev/null); then - PYTHON_ARG=" --python /usr/bin/python3.12" - else - PYTHON_ARG="" - fi - [[ -d deployment ]] || beokay/beokay.py create --base-path ~/deployment --kayobe-repo https://opendev.org/openstack/kayobe.git --kayobe-branch master --kayobe-config-repo https://github.com/stackhpc/a-universe-from-nothing.git --kayobe-config-branch master $PYTHON_ARG + [[ -d deployment ]] || beokay/beokay.py create --base-path ~/deployment --kayobe-repo https://opendev.org/openstack/kayobe.git --kayobe-branch master --kayobe-config-repo https://github.com/stackhpc/a-universe-from-nothing.git --kayobe-config-branch master # Clone the Tenks repository. cd ~/deployment/src diff --git a/a-universe-from-nothing.sh b/a-universe-from-nothing.sh index 95f35b9..addc8f3 100755 --- a/a-universe-from-nothing.sh +++ b/a-universe-from-nothing.sh @@ -7,15 +7,10 @@ set -eu # Install git and tmux. if $(which dnf 2>/dev/null >/dev/null); then - sudo dnf -y install git tmux + sudo dnf -y install git python3 tmux else sudo apt update - sudo apt -y install git tmux -fi - -# Install Python 3.12 on Rocky Linux 9 -if $(which dnf 2>/dev/null >/dev/null); then - sudo dnf -y install python3.12 + sudo apt -y install git python3 tmux fi # Disable the firewall. @@ -37,12 +32,7 @@ cd [[ -d beokay ]] || git clone https://github.com/stackhpc/beokay.git # Use Beokay to bootstrap your control host. -if $(which dnf 2>/dev/null >/dev/null); then - PYTHON_ARG=" --python /usr/bin/python3.12" -else - PYTHON_ARG="" -fi -[[ -d deployment ]] || beokay/beokay.py create --base-path ~/deployment --kayobe-repo https://opendev.org/openstack/kayobe.git --kayobe-branch master --kayobe-config-repo https://github.com/stackhpc/a-universe-from-nothing.git --kayobe-config-branch master $PYTHON_ARG +[[ -d deployment ]] || beokay/beokay.py create --base-path ~/deployment --kayobe-repo https://opendev.org/openstack/kayobe.git --kayobe-branch master --kayobe-config-repo https://github.com/stackhpc/a-universe-from-nothing.git --kayobe-config-branch master # Clone the Tenks repository. cd ~/deployment/src From c8466f89e46ea317dc7abfc73d349f681a7baac8 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 9 Dec 2025 14:42:05 +0100 Subject: [PATCH 4/4] [WIP] Replace iptables with nft --- configure-local-networking.sh | 47 ++++++++++++++++++++++++----------- 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/configure-local-networking.sh b/configure-local-networking.sh index 5d6af41..f47065e 100755 --- a/configure-local-networking.sh +++ b/configure-local-networking.sh @@ -28,7 +28,7 @@ public_ip="10.0.2.1" # Install iptables. if $(which dnf >/dev/null 2>&1); then - sudo dnf -y install iptables + sudo dnf -y install nftables fi if $(which apt >/dev/null 2>&1); then @@ -51,22 +51,41 @@ if ! sudo ip l show dummy1 >/dev/null 2>&1; then sudo ip l set dummy1 master braio fi -# Configure IP routing and NAT to allow the seed VM and overcloud hosts to -# route via this route to the outside world. -sudo iptables -A POSTROUTING -t nat -o $iface -j MASQUERADE sudo sysctl -w net.ipv4.conf.all.forwarding=1 -# Configure port forwarding from the hypervisor to the Horizon GUI on the -# controller. -sudo iptables -A FORWARD -i $iface -o braio -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -sudo iptables -A FORWARD -i braio -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +sudo nft add rule ip nat postrouting oif "$iface" masquerade + +# Create tables if not existing +sudo nft add table inet filter 2>/dev/null +sudo nft add table ip nat 2>/dev/null + +# Create chains if not existing +sudo nft add chain inet filter forward '{ type filter hook forward priority 0; }' 2>/dev/null +sudo nft add chain ip nat prerouting '{ type nat hook prerouting priority -100; }' 2>/dev/null +sudo nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }' 2>/dev/null + +# ----- FILTER RULES ----- + +# Allow established/related traffic: $iface → braio +sudo nft add rule inet filter forward iif "$iface" oif "$braio" ct state established,related accept + +# Allow established/related traffic: braio → $iface +sudo nft add rule inet filter forward iif "$braio" oif "$iface" ct state established,related accept + +# ----- PORT-SPECIFIC RULES ----- + for port in $forwarded_ports; do - # Allow new connections. - sudo iptables -A FORWARD -i $iface -o braio -p tcp --syn --dport $port -m conntrack --ctstate NEW -j ACCEPT - # Destination NAT. - sudo iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination $controller_vip - # Source NAT. - sudo iptables -t nat -A POSTROUTING -o braio -p tcp --dport $port -d $controller_vip -j SNAT --to-source $seed_hv_private_ip + # Allow NEW TCP connections from $iface → braio on this port + sudo nft add rule inet filter forward \ + iif "$iface" oif "$braio" tcp dport "$port" ct state new accept + + # DNAT: incoming traffic on $iface to controller VIP + sudo nft add rule ip nat prerouting \ + iif "$iface" tcp dport "$port" dnat to "$controller_vip" + + # SNAT: return traffic going to controller VIP on braio + sudo nft add rule ip nat postrouting \ + oif "$braio" ip daddr "$controller_vip" tcp dport "$port" snat to "$seed_hv_private_ip" done # Configure an IP on the 'public' network to allow access to/from the cloud.