<p>When you import a RedHat VM, say from VMWare, to a KVM environment like OpenStack it probably won't boot and instead goes straight to the dracut prompt.</p>
<p>This happens because the ramdisk doesn't have virtio drivers. You need to inject them. Import the volume and attach it to a running Linux server.
Personally I use Ubuntu, but it doesn't matter since you'll <code>chroot</code> in.</p>
<h1>Steps</h1>
<h2>Mount the volume</h2>
<ol>
<li>In your cloud environment, mount the RedHat boot volume to your working Ubuntu (or whatever) machine.</li>
<li>Find the boot and data volumes, and mount them too.</li>
<li>bind-mount your system paths into the root volume's mount point</li>
</ol>
<pre><code class="language-bash">mkdir /mnt/boot /mnt/root
mount &#x3C;boot device> /mnt/boot
mount &#x3C;root device> /mnt/root

for x in sys proc run dev tmp; do mount --bind /$x /mnt/root/$x; done
</code></pre>
<h2>Use Dracut to update the initrd file</h2>
<ol>
<li>chroot into the volume</li>
<li>Check <code>/etc/grub/grub.conf</code> to see which initrd file is being used. Something like <code>3.10.0-1062.1.2.el7.x86_64</code>.</li>
<li>check if the drivers are present</li>
<li>install the drivers</li>
<li>confirm they're present</li>
</ol>
<pre><code class="language-bash"># chroot in
cd /mnt
chroot root bash

# set the version
cat /etc/grub/grub.cnf
version=
# example: version=3.10.0-1062.1.2.el7.x86_64

# check for virtio drivers
lsinitrd /boot/initramfs-$version.img | grep virtio

# if not found, add them
cd /boot
dracut -f \
  /boot/initramfs-$version.img \
  $version \
  --add-drivers "virtio virtio_pci virtio_blk virtio_net"

# prove it worked
lsinitrd /boot/initramfs-$version.img | grep virtio

# leave the chroot
exit
</code></pre>
<p>This is a good time to do any other modifications you like, such as installing cloud-init or enabling DHCP.</p>
<h2>Clean up</h2>
<p>Remove the mounts</p>
<pre><code class="language-bash">for x in sys proc run dev tmp; do umount /mnt/root/$x; done
umount /mnt/root
umount /mnt/boot
</code></pre>
<h2>Validate</h2>
<p>Now you should be able to boot your RedHat VM without dracut coming up.</p>


<h1>TL;DR</h1>
<pre><code># replace "import queue" with:
from multiprocessing import Queue as queue
</code></pre>
<hr>
<h1>Steps to fix</h1>
<p>In Ubuntu 18.04 you'd typically install the openstack CLI client like this:</p>
<pre><code class="language-bash">pip install python-openstackclient
</code></pre>
<p>Sadly, this installs a broken version of the client. If you try and run any command you get a stack trace:</p>
<pre><code class="language-bash">Traceback (most recent call last):
  File "/usr/local/bin/openstack", line 6, in &#x3C;module>
    from openstackclient.shell import main
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line 24, in &#x3C;module>
    from osc_lib import shell
  File "/usr/local/lib/python2.7/dist-packages/osc_lib/shell.py", line 33, in &#x3C;module>
    from osc_lib.cli import client_config as cloud_config
  File "/usr/local/lib/python2.7/dist-packages/osc_lib/cli/client_config.py", line 18, in &#x3C;module>
    from openstack.config import exceptions as sdk_exceptions
  File "/usr/local/lib/python2.7/dist-packages/openstack/__init__.py", line 16, in &#x3C;module>
    import openstack.config
  File "/usr/local/lib/python2.7/dist-packages/openstack/config/__init__.py", line 17, in &#x3C;module>
    from openstack.config.loader import OpenStackConfig  # noqa
  File "/usr/local/lib/python2.7/dist-packages/openstack/config/loader.py", line 33, in &#x3C;module>
    from openstack.config import cloud_region
  File "/usr/local/lib/python2.7/dist-packages/openstack/config/cloud_region.py", line 44, in &#x3C;module>
    from openstack import proxy
  File "/usr/local/lib/python2.7/dist-packages/openstack/proxy.py", line 24, in &#x3C;module>
    from openstack import resource
  File "/usr/local/lib/python2.7/dist-packages/openstack/resource.py", line 49, in &#x3C;module>
    from openstack import utils
  File "/usr/local/lib/python2.7/dist-packages/openstack/utils.py", line 13, in &#x3C;module>
    import queue
ImportError: No module named queue
</code></pre>
<p>To fix it, replace <code>import queue</code> with <code>from multiprocessing import Queue as queue</code> everywhere that it's called.</p>
<p>In my case:</p>
<ul>
<li><code>usr/local/lib/python2.7/dist-packages/openstack/utils.py</code> - line 13</li>
<li><code>/usr/local/lib/python2.7/dist-packages/openstack/cloud/openstackcloud.py</code> - line 14</li>
</ul>


<p>This post is a follow-up to my <a href="/aws-api-gateway-iam.html">authenticated API Gateway post</a>.</p>
<p>I've written a Lambda function and presented it using API Gateway. The API
uses Amazon's AIM keys for authentication. The next step is to write the code
to source control (AWS CodeBuild Git) and have it automatically deploy.</p>
<p><strong>Note</strong>: <a href="https://docs.aws.amazon.com/lambda/latest/dg/build-pipeline.html">This official guide on AWS</a>
is really good, and I copied big parts it. I use Python instead of
JavaScript in this post, and include my own experience while following the
guide.</p>
<hr>
<h3>Table of Contents</h3>
<ul>
<li><a href="#create-an-s3-bucket">Create an S3 Bucket</a></li>
<li><a href="#commit-your-function-to-source-control">Commit your function to source control</a></li>
<li><a href="#define-an-aws-sam-template">Define an AWS SAM template</a>
<ul>
<li><a href="#write-the-template-file">Write the template file</a></li>
<li><a href="#test-the-template">Test the template</a></li>
</ul>
</li>
<li><a href="#create-a-codebuild-project">Create a CodeBuild Project</a>
<ul>
<li><a href="#write-the-buildspecyml">Write the buildspec.yml</a></li>
<li><a href="#create-a-role-for-codebuild">Create a role for CodeBuild</a></li>
<li><a href="#define-the-build-project">Define the build project</a></li>
</ul>
</li>
<li><a href="#create-a-pipeline">Create a Pipeline</a>
<ul>
<li><a href="#create-iam-policy-for-codedeploy">Create IAM Policy for CodeDeploy</a></li>
<li><a href="#create-iam-role-for-codedeploy">Create IAM Role for CodeDeploy</a></li>
<li><a href="#create-the-pipeline">Create the Pipeline</a></li>
</ul>
</li>
</ul>
<h1>Create an S3 Bucket</h1>
<p>Open the <a href="https://s3.console.aws.amazon.com/s3/">S3 Console</a> and create a
bucket to store your build artifacts.</p>
<hr>
<hr>
<h1>Commit your function to source control</h1>
<p>I'm using a dedicated repository on AWS CodeCommit to store the code, and
Python3 for the language. Here's a very simple Lambda function I use for
testing:</p>
<pre><code class="language-python">def lambda_handler(event, context):
    """ run a hello function """
    body = 'NO HTTP METHOD'
    if 'httpMethod' in event and event['httpMethod'] == 'POST':
        request_body = event['body']
        request_user = event['requestContext']['identity']['userArn']
        body = f'{request_user} sent a POST with body: {request_body}'
    elif 'httpMethod' in event and event['httpMethod'] == 'GET':
        request_user = event['requestContext']['identity']['userArn']
        body = f'{request_user} sent a GET'
    return {
        'statusCode': 200,
        'body': json.dumps(body)
    }
</code></pre>
<hr>
<h1>Define an AWS SAM template</h1>
<h2>Write the template file</h2>
<p>This was my first time using AWS SAM, so consider these my observations and not
necessarily fact.</p>
<p>SAM stands for Serverless Application Model.</p>
<ul>
<li><a href="https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html">SAM Reference Page</a></li>
<li><a href="https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-api.html">API Event type</a></li>
<li><a href="https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html">What is SAM</a></li>
<li><a href="https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification.html">SAM Specification</a></li>
</ul>
<p>The fields I've changed from Amazon's example for this post:</p>
<ul>
<li><strong>Description</strong> - string describing the serverless application. This
description will be attached to the CloudFormation stack.</li>
<li><strong>Resources.[resourceName]</strong> - self-defined resource, my function.
The resource is a Lambda function because it's type is
<code>AWS::Serverless::Function</code></li>
<li><strong>Handler</strong> - Which method will run in the function</li>
<li><strong>Runtime</strong> - The language to be used</li>
<li><strong>CodeUri</strong> - Path to my file defining the function</li>
<li><strong>Resource.[resourceName].Events[eventName]</strong> - Name of the event which
triggers the function.</li>
<li><strong>Resource.[resourceName].Events[eventName].path</strong> - path for the URL</li>
</ul>
<pre><code class="language-yaml"># template.yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Sample Continuously deploy function
Resources:
  TestCicdFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: cicd-test.lambda_handler
      Runtime: python3.8
      CodeUri: ./cicd-test.py
      Events:
        TestCicdAPI:
          Type: Api
          Properties:
            Path: /Test
            Method: GET
</code></pre>
<h2>Test the template</h2>
<p>Install the AWS SAM CLI application.</p>
<pre><code class="language-bash">pip install --user aws-sam-cli
</code></pre>
<p>Build the package and upload it to your S3 bucket. From your project
root, set your bucket name then run the following.</p>
<pre><code class="language-bash"># Set the bucket name first
BUCKET=''

aws cloudformation package \
  --template-file template.yml \
  --s3-bucket $BUCKET \
  --output-template-file outputtemplate.yml
</code></pre>
<p>The package command will upload your python file to S3 and output a new
template file with the S3 path replacing the <code>CodeUri</code>.</p>
<pre><code class="language-text">Uploading to &#x3C;ID>  381 / 381.0  (100.00%)
Successfully packaged artifacts and wrote output template to file outputtemplate.yml.
Execute the following command to deploy the packaged template
aws cloudformation deploy --template-file /home/vagrant/arcus-lambda/outputtemplate.yml --stack-name &#x3C;YOUR STACK NAME>
</code></pre>
<p>Now deploy it. Since there's no CloudFormation stack created yet, I make a new
one named <code>test-cicd-lambda</code>. Note that in the above command output, the
example they give for deploy is wrong. You need to include the
<code>--capabilities CAPABILITY_IAM</code> argument for this template too.</p>
<pre><code class="language-bash">aws cloudformation deploy \
  --capabilities CAPABILITY_IAM \
  --template-file /home/vagrant/arcus-lambda/outputtemplate.yml \
  --stack-name test-cicd-lambda
</code></pre>
<p>The application is now deployed.</p>
<ul>
<li>Stack is visible in the  <a href="https://ca-central-1.console.aws.amazon.com/cloudformation">CloudFormation console</a></li>
<li>API is created in the <a href="https://ca-central-1.console.aws.amazon.com/apigateway/">API Gateway console</a></li>
<li>Function is created in the <a href="https://ca-central-1.console.aws.amazon.com/lambda/">Lambda console</a>.
The function also has an Application page in the web console now.</li>
</ul>
<hr>
<h1>Create a CodeBuild Project</h1>
<p>I recently did a whole post on this <a href="/aws-codepipeline-ecr.html">here</a>, so I'm
going to be light on the details. Head over to that post to fill in any blanks.
In that post I was building Docker images and pushing them to ECR. This is
similar, except we push python files to Lambda instead.</p>
<h2>Write the buildspec.yml</h2>
<p>Put this in the project root, it defines what CodeBuild will do. We'll use an
environment variable for the <code>BUCKET</code> definition.</p>
<p>If you're not sure what to pick for a runtime, check <a href="https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html">this list</a>.</p>
<pre><code class="language-yaml"># buildspec.yml
version: 0.2
phases:
  install:
    runtime-versions:
        python: 3.8
  build:
    commands:
      - aws cloudformation package --template-file template.yml --s3-bucket $BUCKET --output-template-file outputtemplate.yml
artifacts:
  type: zip
  files:
    - template.yml
    - outputtemplate.yml
</code></pre>
<p>Commit the file to source control.</p>
<h2>Create a role for CodeBuild</h2>
<p>I use the role I defined for CodeBuild in my previous post. It's a bit overly
permissive but it works. Other than the policies which get created
automatically, mine has these:</p>
<ul>
<li><code>AWSCodeCommitFullAccess</code></li>
<li><code>AmazonEC2ContainerRegistryFullAccess</code></li>
<li><code>AmazonS3FullAccess</code></li>
<li><code>CloudWatchLogsFullAccess</code></li>
<li><code>AWSCodeBuildAdminAccess</code></li>
</ul>
<h2>Define the build project</h2>
<ol>
<li>Open the <a href="https://ca-central-1.console.aws.amazon.com/codesuite/codebuild/">CodeBuild console</a></li>
<li>Create build project</li>
<li>Name the build and give it a description</li>
<li>Source: Add your repository</li>
<li>Environment
<ol>
<li>Managed Image</li>
<li>Operating system: Ubuntu</li>
<li>Runtimes: Standard</li>
<li>Image: the newest one</li>
<li>Environment type: Linux</li>
<li>Privileged: False
<ol>
<li>Service Role: Existing role - choose the one you made above</li>
</ol>
</li>
<li>Additional Configuration - environment variables
<ul>
<li>name: BUCKET</li>
<li>value: Your bucket name</li>
</ul>
</li>
</ol>
</li>
<li>Buildspec: use buildspec file</li>
<li>Artifacts: no artifacts</li>
<li>Logs: set a group name for CloudWatch</li>
<li>Create build project</li>
</ol>
<p>Test the build before moving on and make sure it works.</p>
<hr>
<h1>Create a Pipeline</h1>
<h2>Create IAM Policy for CodeDeploy</h2>
<p>Open the IAM console and create a new policy.
Define the policy using the following JSON.
These wildcards will cover everything you need, though it might be a bit
permissive.</p>
<pre><code class="language-json">{
    "Statement": [
        {
            "Action": [
                "apigateway:*",
                "codedeploy:*",
                "lambda:*",
                "cloudformation:CreateChangeSet",
                "iam:GetRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PassRole",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:GetBucketVersioning"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
<h2>Create IAM Role for CodeDeploy</h2>
<p>In the role wizard of the IAM page:</p>
<ol>
<li>Create role</li>
<li>Trusted Entity: <code>CloudFormation</code></li>
<li>Permissions:
<ol>
<li><code>AWSLambdaExecute</code></li>
<li>Your new policy created above</li>
</ol>
</li>
<li>Role Name: assign a name</li>
</ol>
<h2>Create the Pipeline</h2>
<p>When code is committed, you want CodeBuild to run and re-deploy your serverless
application.</p>
<ol>
<li>Open the <a href="https://ca-central-1.console.aws.amazon.com/codesuite/codepipeline/pipelines">CodePipeline console</a></li>
<li>Click Create Pipeline</li>
<li>Name the pipeline</li>
<li>Service Role: Create a new service role for the pipeline. AWS will set sane
permissions for it, no special role is needed. I like to have a consistent
naming convention as you end up with a ton of IAM entities after a while.</li>
<li>Role Name: Pick a name</li>
<li>Allow AWS CodePipeline to create a role</li>
<li>Next</li>
<li>Source Provider: AWS CodeCommit</li>
<li>Repository Name: Select the repository name</li>
<li>Branch name: master</li>
<li>Change detection: Amazon CloudWatch Events</li>
<li>Next</li>
<li>Build Provider: AWS CodeBuild</li>
<li>Project Name: Choose the project you just made</li>
<li>Next</li>
<li>Deploy Provider: AWS CloudFormation</li>
<li>Action Mode: Create or replace a change set</li>
<li>Stack Name: choose a name. I used the one from the test above.</li>
<li>Change Set Name: choose a name</li>
<li>Template:
<ul>
<li>Artifact name: <code>BuildArtifact</code></li>
<li>File name: <code>outputtemplate.yml</code></li>
</ul>
</li>
<li>Capabilities: <code>CAPABILITY_IAM</code></li>
<li>Role Name: The role you defined for CodeDeploy above</li>
<li>Next</li>
<li>Create Pipeline</li>
</ol>
<p>That should do it. Now whenever you push code to your master branch, the
serverless application will re-deploy.</p>


<p><strong>This post is linked to from the <a href="/openstack.html">OpenStack Deep Dive Project</a></strong></p>
<hr>
<p>When you launch an instance in OpenStack, you can provide a script to
cloud-init that will be executed at startup time. The glance template needs to
have <a href="https://cloudinit.readthedocs.io/en/latest/">cloud-init</a> installed
(linux) or <a href="https://cloudbase.it/cloudbase-init/">Cloudbase-init</a> (windows).</p>
<h1>Write your Powershell Script</h1>
<p>You need to define the script ahead of time. Here's a super simple script
to add a local administrator:</p>
<pre><code class="language-powershell">#ps1
$name = "MyUser"
$password = "MyPassword"
$password_secure_string = ConvertTo-SecureString -AsPlainText -Force $password
$new_user = New-LocalUser -Name $name -Password $password_secure_string -AccountNeverExpires
Add-LocalGroupMember -Group "Administrators" -Member $new_user
</code></pre>
<hr>
<h1>Create the Instance</h1>
<p>There's more than one way to do just about everything, but here's how I do it.</p>
<pre><code class="language-bash"># source openrc file
source my-openrc.sh

# Collect environment details
openstack flavor list
openstack network list
openstack image list

# Set the VM specs
flavor=""
network=""
image=""
name="CloudInitDemo"
size=60
vol_name="$name-boot"

# Create a boot volume
openstack volume create --image $image --bootable --size $size $vol_name

# create server and specify cloud-init script
script_file="/home/kyle/localAdmin.ps1"
openstack server create \
  --volume $vol_name \
  --flavor $flavor \
  --network $network \
  --user-data $script_file \
  $name
</code></pre>


<h3>Table of Contents</h3>
<ul>
<li><a href="#build-an-api-gateway-resource">Build an API Gateway resource</a>
<ul>
<li><a href="#build-a-lambda-function-for-it-to-run">Build a Lambda function for it to run</a></li>
<li><a href="#define-the-api">Define the API</a></li>
</ul>
</li>
<li><a href="#iam-setup">IAM Setup</a>
<ul>
<li><a href="#create-policy">Create Policy</a></li>
<li><a href="#bind-policy-to-a-user">Bind policy to a user</a></li>
</ul>
</li>
<li><a href="#test-the-api-in-postman">Test the API in Postman</a></li>
<li><a href="#execute-the-api-from-python">Execute the API from Python</a></li>
</ul>
<h1>Build an API Gateway resource</h1>
<h2>Build a Lambda function for it to run</h2>
<p>Open the lambda console and create a function. Here's an example python
function that says hello to whoever sent the authenticated request.</p>
<pre><code class="language-python">def lambda_handler(event, context):
    """ run a hello function """
    body = 'NO HTTP METHOD'
    if 'httpMethod' in event and event['httpMethod'] == 'POST':
        request_body = event['body']
        request_user = event['requestContext']['identity']['userArn']
        body = f'{request_user} sent a POST with body: {request_body}'
    elif 'httpMethod' in event and event['httpMethod'] == 'GET':
        request_user = event['requestContext']['identity']['userArn']
        body = f'{request_user} sent a GET'
    return {
        'statusCode': 200,
        'body': json.dumps(body)
    }
</code></pre>
<h2>Define the API</h2>
<ol>
<li>Go to the <a href="https://ca-central-1.console.aws.amazon.com/apigateway/">API Gateway Console</a></li>
<li>Create</li>
<li>Protocol: REST</li>
<li>New API</li>
<li>API Name: <code>&#x3C;name></code></li>
<li>Endpoint type: Regional</li>
<li>Create API</li>
</ol>
<p>Create a method:</p>
<ol>
<li>Actions</li>
<li>Create Method</li>
<li>POST</li>
<li>Check mark</li>
<li>Integration Type: Lambda Function</li>
<li>Use Lambda Proxy Integration: Checked</li>
<li>Lambda Region: ca-central-1</li>
<li>Lambda Function: HelloWorld</li>
</ol>
<p>Enable IAM Authorization</p>
<ol>
<li>Click Method Request</li>
<li>Set authorization to <code>AWS_IAM</code></li>
</ol>
<h1>IAM Setup</h1>
<h2>Create Policy</h2>
<p>Collect the ARN of the API Gateway. Click your endpoint, then the method.
The ARN will display under Method Request in the Method Execution diagram.</p>
<p>Navigate to the IAM console and create a new policy.</p>
<pre><code class="language-json">{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
								"arn:aws:execute-api:ca-central-1:850047500507:42mydti3lg/*/POST/*"
            ]
        }
    ]
}
</code></pre>
<h2>Bind policy to a user</h2>
<p>Here's how I do it:</p>
<ol>
<li>Open the IAM console</li>
<li>If you don't have a group yet, make one</li>
<li>Attach the policy to the group</li>
<li>Attach the group to a user</li>
</ol>
<p>Collect the key and key ID of that user.</p>
<h1>Test the API in Postman</h1>
<p>Postman is nice since you know it works, and it natively handles building the
AWS request headers. It's the easiest way I know to run a one-off test of your
API.</p>
<p>Install <a href="https://www.getpostman.com/">Postman</a>.</p>
<ol>
<li>New > Request - fill in some names.</li>
<li>Set the request type to POST</li>
<li>Enter the URL</li>
<li>Enter any request data</li>
<li>Go to the Authorization tab and choose AWS signature</li>
<li>Enter the key and key ID from your IAM user</li>
<li>Set the region, in my case ca-central-1</li>
<li>Send</li>
</ol>
<p>You should get a valid response from your API. If you skip any of the
authorization steps you'll get an error instead.</p>
<h1>Execute the API from Python</h1>
<p>End users don't use postman. Usually they'd be using JavaScript, and in my case
they use Python to access my API. This was <strong>really complicated</strong>.</p>
<p><a href="https://github.com/DavidMuller/aws-requests-auth">Here's an open source library that can do it</a>.</p>
<p>I've written my own version of this for the Breqwatr deployment tool. I didn't
want to depend on the above link. Also I tried to rewrite the client as
functions with the hope of making it easier to read.</p>
<p>You can find it in <a href="https://github.com/breqwatr/breqwatr-deployment-tool">Breqwatr's GitHub</a>
under <code>lib/aws</code>.</p>
<p>Here's the high level flow of how it gets the auth header:</p>
<pre><code class="language-python">def get_authorization_header(time, key_id, secret_key, region, method, host,
                             body, uri, query):
    """ Return an aws authorization header """
    # canonical request is a multi-line string with a particular format
    canonical_headers = get_canonical_headers(host, time)
    payload_hash = get_payload_hash(body)
    canonical_request = get_canonical_request(
         method=method,
         uri=uri,
         query=query,
         canonical_headers=canonical_headers,
         payload_hash=payload_hash)
    # create a string-to-sign from the canonical requests' digest
    cr_digest = hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()
    credential_scope = get_credential_scope(time, region)
    string_to_sign = get_string_to_sign(time, credential_scope, cr_digest)
    # sign the String-To-Sign with a signing key derived from secret iam key
    signing_key = get_signing_key(secret_key, time, region)
    signature = get_signature(signing_key, string_to_sign)
    # return the headers all in one string
    return (
        f'AWS4-HMAC-SHA256 Credential={key_id}/{credential_scope}, '
        f'SignedHeaders=host;x-amz-date, '
        f'Signature={signature}')
</code></pre>


<p><strong>This post is linked to from the <a href="/aws.html">AWS: Deep Dive Project</a></strong></p>
<hr>
<h1>Workflow</h1>
<ol>
<li>Commit code to AWS CodeCommit</li>
<li>CloudWatch rule triggers CodePipeline</li>
<li>CodePipeline uses CodeBuild to build the Docker image</li>
<li>CodePipeline pushes the image to ECR</li>
</ol>
<hr>
<h1>Deploy Code to CodeCommit</h1>
<ol>
<li>Open <a href="https://ca-central-1.console.aws.amazon.com/codesuite/codecommit/repositories">CodeCommit</a>.</li>
<li>Create a repository</li>
<li>Go to your IAM page and edit your user.
<ol>
<li>Look for "HTTPS Git credentials for AWS CodeCommit"</li>
<li>click Generate Credentials</li>
<li>Save your credentials.</li>
</ol>
</li>
<li>Grab the HTTPS URL for your repository and <code>git clone</code> it. Use your new
credentials.</li>
<li>Commit your code (including a Dockerfile) to the CodeCommit repository.</li>
</ol>
<hr>
<h1>Write buildspec.yml</h1>
<p>AWS CodeBuild will look for a <code>buildspec.yml</code> file to dictate its actions.
This is where we define how the image will be built. Put it in your CodeCommit
project's root directory.</p>
<p>Here's mine. This will build a docker image and tag it with a timestamp, then
push it to ECR as the timestamp and latest. The variables are defined inside
the build as Environment Variables.</p>
<pre><code class="language-yml"># buildspec.yml
version: 0.2

phases:
  install:
    runtime-versions:
      docker: 18
  pre_build:
    commands:
      - echo Logging in to Amazon ECR...
      - $(aws ecr get-login --no-include-email --region ca-central-1)
      - IMAGE_TAG=$(date +%Y.%m.%d.%I.%M)
  build:
    commands:
      - echo Build started on `date`
      - echo "Building the Docker image."
      - docker build -t $IMAGE_REPO_NAME:$IMAGE_TAG .
      - docker tag $IMAGE_REPO_NAME:$IMAGE_TAG $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG
      - docker tag $IMAGE_REPO_NAME:$IMAGE_TAG $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:latest
  post_build:
    commands:
      - echo Build completed on `date`
      - echo Pushing the Docker image...
      - docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG
      - docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:latest
</code></pre>
<hr>
<h1>Define the Pipeline</h1>
<h2>Cloud Build Role</h2>
<p><strong>Bad Practice Alert</strong>: These steps don't apply the principal of least
privilege. You should lock down your role to be allowed to do only the minimum
that it needs to do.</p>
<ol>
<li>In the IAM page, create a new role.</li>
<li>It will be used by CodeBuild.</li>
<li>Assing the following policies (again, more than it needs)
<ul>
<li>CloudWatchLogsFullAccess</li>
<li>AWSCodeBuildAdminAccess</li>
<li>AmazonS3FullAccess</li>
<li>AmazonEC2ContainerRegistryFullAccess</li>
<li>AWSCodeCommitFullAccess</li>
</ul>
</li>
<li>Name: Assign a name, such as <code>CloudBuild-Admin</code></li>
</ol>
<h2>Define CloudBuild project</h2>
<ol>
<li>Navigate to the <a href="https://ca-central-1.console.aws.amazon.com/codesuite/codebuild/projects">CloudBuild Console</a></li>
<li>Create build project</li>
<li>No build badge</li>
<li>Source provider: CodeCommit</li>
<li>Choose your repository</li>
<li>Choose your branch</li>
<li>Managed Image</li>
<li>Operating System: Ubuntu</li>
<li>Runtime: Standard</li>
<li>Image: aws/codebuild/standard:3.0</li>
<li>Image version: latest</li>
<li>Environment type: Linux</li>
<li>Privileged: true</li>
<li>Service Role: Existing service role. Use the one you just made.</li>
<li>Allow CodeBuild to modify this role: False (we gave it admin)</li>
<li>Additional Configuration - Environment variables (click Add to get more)
- IMAGE_REPO_NAME: (your image name)
- AWS_ACCOUNT_ID: (your numeric AWS account iD)
- AWS_DEFAULT_REGION: ca-central-1</li>
<li>Buildspec: Use a buildspec file</li>
<li>Artifacts: No artifacts</li>
<li>Logs: Give a group and stream name for CloudWatch</li>
<li>Create Build Project</li>
</ol>
<p>Now test the build by clicking "Start build". It should create your image.
You'll need to disable artifacts.</p>
<p>Once the build works and your image is pushed successfully to ECR, you can move
on to setting up a pipeline so this happens automatically.</p>
<h2>Create Pipeline Role</h2>
<p><strong>Bad Practice Alert</strong>: These steps don't apply the principal of least
privilege. You should lock down your role to be allowed to do only the minimum
that it needs to do.</p>
<ol>
<li>In the IAM page, create a new role.</li>
<li>It will be used by CodeBuild.</li>
<li>Assing the following policies (again, more than it needs)
<ul>
<li>CloudWatchLogsFullAccess</li>
<li>AWSCodeBuildAdminAccess</li>
<li>AmazonS3FullAccess</li>
<li>AmazonEC2ContainerRegistryFullAccess</li>
<li>AWSCodeCommitFullAccess</li>
</ul>
</li>
<li>Name: Assign a name, such as <code>CloudBuild-Admin</code></li>
</ol>
<h2>Define the pipeline</h2>
<ol>
<li>Open the <a href="https://ca-central-1.console.aws.amazon.com/codesuite/codepipeline/pipelines">CodePipeline console</a></li>
<li>Click Create Pipeline</li>
<li>Name the pipeline</li>
<li>Service Role: New service role</li>
<li>Role Name: Pick a name</li>
<li>Allow AWS CodePipeline to create a role</li>
<li>Next</li>
<li>Source Provider: AWS CodeCommit</li>
<li>Repository Name: Select the repository name</li>
<li>Branch name: master</li>
<li>Change detection: Amazon CloudWatch Events</li>
<li>Next</li>
<li>Build Provider: AWS CodeBuild</li>
<li>Region: Canada (Central)</li>
<li>Project Name: Create Project
<ol>
<li>Project Name: Choose a name</li>
<li>Description: Add a description</li>
<li>Environment image: Managed Image</li>
<li>Operating System: Ubuntu</li>
<li>Runtimes: Standard</li>
<li>Image: aws/codebuild/standard:3.0</li>
<li>Image version: Always use the latest</li>
<li>Environment type: Linux</li>
<li>Privileged: True</li>
<li>Service Role: New service role</li>
<li>Role Name: default name is fine</li>
<li>Advanced Configuration - Environment variables (click Add to get more)
<ul>
<li>IMAGE_REPO_NAME: (your image name)</li>
<li>AWS_ACCOUNT_ID: (your numeric AWS account iD)</li>
<li>AWS_DEFAULT_REGION: ca-central-1</li>
</ul>
</li>
<li>Build specifications: Use a buildspec file</li>
<li>Buildspec name: Leave it blank so it uses buildspec.yml</li>
<li>CloudWatch logs: True</li>
<li>Group name: pick a name</li>
<li>Stream name: pick a name</li>
<li>S3 logs: false</li>
<li>Continue to CodePipeline</li>
</ol>
</li>
<li>Next</li>
<li>Skip deploy stage, pushing to ECR is enough</li>
<li>Create pipeline</li>
</ol>
<p>This will re-run the build that you tested before. It should pass again.</p>


<p><strong>This post is linked to from the <a href="/aws.html">AWS: Deep Dive Project</a></strong></p>
<h1>Create &#x26; Terminate an EC2 Instance from Python</h1>
<p>The IAM user tested for this task has the <code>AmazonEC2FullAccess</code> policy.</p>
<h2>Create</h2>
<p>Before you begin, determine the following:</p>
<ul>
<li>Image AMI: The example I provide here works, it's for Ubuntu 18.04 in Canada</li>
<li>Security group name</li>
<li>Instance name</li>
<li>Instance type</li>
</ul>
<pre><code class="language-python">import boto3

key_id = 'XXXXXXXXXXXXXX'
key_secret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXX'

session = boto3.Session(
    aws_access_key_id=key_id,
    aws_secret_access_key=key_secret)

# Define the VM properties
image_id='ami-0d0eaed20348a3389' # bionic ca-central LTS
instance_name='Test9'
security_group_name = 'SupportService'
instance_type = 't2.micro'

# Put the properties into the expected format
tag_spec = [{
    'ResourceType': 'instance',
    'Tags': [{
        'Key': 'Name',
        'Value': instance_name }]}]
security_groups=[security_group_name]

# Reserve the instance
ec2_client = session.client('ec2')
reservation = ec2_client.run_instances(
        ImageId=image_id,
        MinCount=1,
        MaxCount=1,
        InstanceType=instance_type,
        KeyName='bwsupport',
        TagSpecifications=tag_spec,
        SecurityGroups=security_groups )

# Now the VM is creating. Optionally you can wait and inspect the instace
instance_data = reservation['Instances'][0]
iid = instance_data['InstanceId']
print(f'Reserved instance "{instance_name}" as {iid}. Waiting until running.')
ec2_resource = session.resource('ec2')
instance = ec2_resource.Instance(iid)
instance.wait_until_running()
state = instance.state['Name']
print(f'Instancei {iid} is {state} - Public IP: {instance.public_ip_address}')
</code></pre>
<h2>Terminate</h2>
<p>You can use the same code as above to get the <code>instance</code> variable.
From there, it's this easy:</p>
<pre><code class="language-python">instance.terminate()
instance.wait_until_terminated()
</code></pre>


<p><strong>This post is linked to from the <a href="/aws.html">AWS: Deep Dive Project</a></strong></p>
<hr>
<p>This post covers how to restrict access to a Lambda function using AWS IAM
roles. It builds on the function written <a href="/aws-lambda.html">in my last post</a></p>
<hr>
<h3>Table of Contents</h3>
<ul>
<li><a href="#create-a-policy-for-your-lambda-function">Create a policy for your lambda function</a>
<ul>
<li><a href="#get-the-arn-of-your-function">Get the ARN of your function</a></li>
<li><a href="#create-the-policy">Create the policy</a></li>
</ul>
</li>
<li><a href="#invoke-lambda-from-python">Invoke Lambda from Python</a></li>
</ul>
<h1>Create a policy for your lambda function</h1>
<h2>Get the ARN of your function</h2>
<p>Navigate to your function in the AWS Lambda Console. On the top right, the ARN
is displayed. Copy it, you'll use it in the policy.</p>
<h2>Create the policy</h2>
<p>Open the IAM Console and create a new policy.
The JSON looks like this. Note the ARN copied from the Function.</p>
<pre><code class="language-JSON">{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LambdaInvokeHelloWorld",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "lambda:InvokeAsync"
            ],
            "Resource": "arn:aws:lambda:ca-central-1:850047500507:function:HelloWorld"
        }
    ]
}
</code></pre>
<p>Name the policy and assign it to your user. This user should have a Key ID and
Secret Key.</p>
<hr>
<h1>Invoke Lambda from Python</h1>
<p>Note that the payloads are in byte format.</p>
<pre><code class="language-python">import json
import boto3

key_id = 'XXXXXXXXXXXXXXXXX'
key_secret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

session = boto3.Session(
    aws_access_key_id=key_id,
    aws_secret_access_key=key_secret)

client = session.client('lambda')

body = {'name': 'Kyle'}
payload = str.encode(json.dumps(body))
response = client.invoke(FunctionName='HelloWorld', Payload=payload)
print(response['Payload'].read())
</code></pre>
<p>If the user identified by that key has the above permission, they'll be able
to execute this function. Otherwise they'll get a nice permissions error.</p>


<p>This post covers the basics of using AWS Lambda functions.</p>
<h3>Table of Contents</h3>
<ul>
<li><a href="#pricing">Pricing</a></li>
<li><a href="#hello-world-lambda-function">Hello World Lambda Function</a>
<ul>
<li><a href="#create-the-function">Create the function</a></li>
<li><a href="#define-a-test-event">Define a test event</a></li>
<li><a href="#write-the-function-code">Write the function code</a></li>
<li><a href="#define-a-trigger">Define a trigger</a>
<ul>
<li><a href="#test-the-api">Test the API</a></li>
</ul>
</li>
<li><a href="#what-are-layers">...What are layers?</a></li>
</ul>
</li>
</ul>
<h1>Pricing</h1>
<p>For the most accurate data, see the <a href="https://aws.amazon.com/lambda/pricing/">official pricing documentation</a>.</p>
<p>Lambda charges you for each request invocation, and also for how long the
request took to run. These prices are probably in USD.</p>
<ul>
<li><strong>Region</strong>: Canada (Central)</li>
<li><strong>Requests</strong>: $0.20 / 1M Requests, or $0.0000002 / Request</li>
<li><strong>Duration (General)</strong>: $0.000016667 for every GB-second</li>
<li><strong>Duration (128MB)</strong>: $0.00000208/sec, or ~$0.0075/hour.
I think if it as 3/4 of a cent per hour.</li>
</ul>
<hr>
<h1>Hello World Lambda Function</h1>
<h2>Create the function</h2>
<ol>
<li>In your browser, open the AWS console <a href="https://console.aws.amazon.com/lambda">Lambda Page</a>.</li>
<li>Click the orange Create Function button</li>
<li>Author from scratch</li>
<li>Function name: HelloWorld</li>
<li>Runtime: Python 3.7</li>
<li>Permissions: Create a new role with basic lambda permissions</li>
<li>click Create Function on the bottom right</li>
</ol>
<h2>Define a test event</h2>
<ol>
<li>In the dropdowns along the top, one is called "Select a test event".</li>
<li>Click it, and choose Configure test events</li>
<li>Event template: Hello World</li>
<li>Event name: <code>HelloWorldTest1</code></li>
<li>Enter some sample data and click Create.</li>
</ol>
<p><strong>Sample Data</strong>:</p>
<pre><code class="language-JSON">{
  "body": "{\"name\": \"Test User\"}"
}
</code></pre>
<h2>Write the function code</h2>
<p>Click on the orange lambda icon with the text "HelloWorld" to open the
"Function code" form. Expand it to full screen (button on top right) so the
Save and Test buttons appear along the top.</p>
<p>Write your Hello World function. This was the shortest one I could come up with
that wouldn't throw 500's if you called it with the wrong data.</p>
<pre><code class="language-python">import json

def lambda_handler(event, context):
    name = 'UNDEFINED'
    if 'body' in event:
        try:
            ebody = json.loads(event['body'])
            name = ebody['name']
        except:
            pass
    greeting = f'Hello {name}!'
    body = json.dumps(greeting)
    return {
        'statusCode': 200,
        'body': body
    }
</code></pre>
<p>Click Save, then Test. You should get a response with body <code>'Hello TestUser'</code>.</p>
<h2>Define a trigger</h2>
<ol>
<li>Click the "+ Add trigger" button.</li>
<li>API Gateway</li>
<li>REST API</li>
<li>Security: Open (in this case)</li>
<li>Additional Settings: Leave the defaults</li>
</ol>
<p>Now if you click on the purple API Gateway button it will open the API Gateway
form. In there, you can get the URL. Copy the link address.</p>
<h3>Test the API</h3>
<p>From bash:</p>
<pre><code class="language-bash">curl \
  -X POST \
  -H 'Content-Type: application/json' \
  -d '{"name": "MyName"}' \
  https://wg8p74asah.execute-api.us-east-1.amazonaws.com/default/HelloWorld
</code></pre>
<p>It should reply "Hello MyName".</p>
<h2>...What are layers?</h2>
<p>Prominently displayed beneath the function's name in the Designer form
is a button to manage Layers.</p>
<p><a href="https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html">Here's their official documentation</a>.</p>
<p>Layers are dependencies like archives and libraries.
Any one function can use up to 5 of them, and they have a 250MB limit.
They land in <code>/opt</code> when extracted.</p>
<p>We don't need layers for this Hello World app.</p>


<h3>Table of Contents</h3>
<ul>
<li><a href="#prepare-the-image-in-guest">Prepare the image in-guest</a>
<ul>
<li><a href="#remove-vmware-tools">Remove VMWare Tools</a></li>
<li><a href="#install-cloudbase-init--sysprep-if-needed">Install cloudbase-init &#x26; sysprep (if needed)</a></li>
<li><a href="#shut-down-the-vm--export-the-drive">Shut down the VM &#x26; Export the drive</a></li>
</ul>
</li>
<li><a href="#inject-the-kvm-drivers">Inject the KVM Drivers</a></li>
</ul>
<h1>Prepare the image in-guest</h1>
<p>From VMWare or HyperV, launch your template Windows VM and log in as an
administrative user. Make any firewall changes you need, install any packages,
and ensure that RDP is enabled.</p>
<h2>Remove VMWare Tools</h2>
<p>If the guest has VMWare tools installed, remove them. They won't be needed
where we're going.</p>
<h2>Install cloudbase-init &#x26; sysprep (if needed)</h2>
<p>This isn't so much for KVM as it is for OpenStack, but cloudbase-init is the
Windows version of cloud-init. This will set your hostname and such when the VM
is created.</p>
<ol>
<li><a href="https://cloudbase.it/cloudbase-init/">Download the Cloudbase-init installer</a></li>
<li>Run through the installer.
<ol>
<li>Don't run as Local System.</li>
<li>Don't name your user Administrator, the named user is made by this
service to run the startup tasks.</li>
</ol>
</li>
<li>At the end of the installation, you'll be prompted to sysprep. If this VM
will be re-used as a template and not just a one-off VM, then sysprep it.</li>
</ol>
<h2>Shut down the VM &#x26; Export the drive</h2>
<p>Shut down the VM and grab the VMDK or VHDX file it booted from. Copy that file
to a directory on your computer, such as <code>C:\Temp</code>.</p>
<hr>
<h1>Inject the KVM Drivers</h1>
<ol>
<li><a href="https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso">Download the VirtIO ISO</a></li>
<li>Mount the ISO to your workstation. In these examples, it's E:</li>
<li>Open PowerShell as admin and verify that the file is where you put it. You
can show some basic info about it like this: <code>get-vhd C:\Temp\Win10.vhdx</code></li>
<li>Create a mount-point for Dism: <code>mkdir C:\mount</code></li>
<li>Mount the volume with Dism:
<code>Dism /mount-image /ImageFile:C:\Temp\Win10.vhdx /Index:1 /MountDir:C:\mount</code></li>
<li>Inject the <code>viostor</code> driver:
<code>Dism /image:C:\mount /Add-Driver /Driver:E:\viostor\w10\amd64 /Recurse</code></li>
<li>Inject the <code>Baloon</code> driver:
<code>Dism /image:C:\mount /Add-Driver /Driver:E:\Balloon\w10\amd64 /Recurse</code></li>
<li>Inject the <code>NetKVM</code> driver:
<code>Dism /image:C:\mount /Add-Driver /Driver:E:\NetKVM\w10\amd64 /Recurse</code></li>
<li>Confirm the drivers injected: <code>Dism /image:C:\mount /Get-Drivers</code></li>
<li>Unmount the image: <code>Dism /Unmount-image /MountDir:c:\mount /commit</code></li>
</ol>
<p>Now the image is ready to be converted to raw/qcow2 and uploaded to OpenStack.</p>
<p><strong>Note</strong>: CloudBase has released a Windows version of <code>qemu-img</code> so you can do
the conversions on Windows now without VirtualBox tools. You can download it
<a href="https://cloudbase.it/qemu-img-windows/">here</a></p>


<p><strong>This post is linked to from the <a href="/gcp.html">GCP: Deep Dive Project</a></strong></p>
<hr>
<p>This post covers how to interact with Google's Cloud Firestore, using examples
written in Python. The concepts should apply to any language.</p>
<p>Firestore is the newer version of Datastore. You can find the differences
<a href="https://cloud.google.com/firestore/docs/firestore-or-datastore">here</a>.
In this post, the  database is configured in Native mode.
Other than some extra language support, Native mode's coolest new feature seems
to be the ability to listen to a post. From what I can tell, this could replace
the need for pub/sub in some scenarios.</p>
<p>Throughout the post I'll use a project named "example". Be sure to replace this
with your own project name.</p>
<hr>
<h1>Pricing</h1>
<p>Official Firestore pricing data is <a href="https://cloud.google.com/firestore/pricing">here</a>.</p>
<p><strong>Note that Firestore mode is almost twice the price of Datastore mode.</strong>
Datastore pricing can be found <a href="https://cloud.google.com/datastore/pricing">here</a>.</p>
<p>Every day a number of free operations are allowed, which for a small
application makes Datastore very affordable. Even after the free tier though,
the pricing is pretty good. Firestore and Datastore have the same free tiers.</p>
<h2>Summary of pricing: Datastore vs Firestore</h2>
<ul>
<li>Storage: $/GB/Month
<ul>
<li>Datastore: 0.108</li>
<li>Firestore: 0.180</li>
</ul>
</li>
<li>Reads: $/100,000
<ul>
<li>Datastore: 0.036</li>
<li>Firestore: 0.060</li>
</ul>
</li>
<li>Writes: $/100,000
<ul>
<li>Datastore: $0.108</li>
<li>Firestore: $0.180</li>
</ul>
</li>
<li>Deletes: $/100,000
<ul>
<li>Datastore: 0.012</li>
<li>Firestore: 0.020</li>
</ul>
</li>
</ul>
<p>Max entity size and document size are both 1MB, so you could realistically just
use JSON strings in entities instead to save money if you don't need any of
Firestore's other features.</p>
<hr>
<h1>Datastore/Firestore Concepts</h1>
<p>Both options use a non-relational/NoSQL database. NoSQL databases in general
allow for the direct serialization of a programs objects/dictionaries.</p>
<h2>Firestore</h2>
<p><a href="https://cloud.google.com/firestore/docs/data-model">Official Firestore data model docs</a></p>
<p>Firestore uses a document database organized into documents and collections.
This is a change from the older Datastore model of Entities organized by Kinds.</p>
<p>Documents support nested data structures ("Maps"). Think of them like JSON
objects, but with more types supported. Documents are limited to 1MB each.</p>
<p>Documents are stored in Collections.
Collections are containers for documents, like a filesystem's directories.
Documents can also contain their own nested collections, which store other
documents. Nesting has a depth limit of 100.</p>
<p>Documents are identified by References. In python, a reference looks like
this:</p>
<pre><code class="language-python">collection('collection1').document('document1')
</code></pre>
<h2>Datastore</h2>
<p>In Datastore, objects are called Entities. The key-value data pairs stored by
entities are called properties.</p>
<p>Entities are uniquely identified by keys.
Entity Keys consists of the following components:</p>
<ul>
<li><em>Namespace</em>: Basically a tenant identifier, like a user ID. By default, the
namespace is an empty string. Any entity created as a "child" will inherit
its parent's namespace.</li>
<li><em>Kind</em>: A string describing the category or purpose of the entity.</li>
<li><em>Identifier</em>: Unlike namespace and kind which are shared between like
entities, the identifier is unique to each entity. This is either a string
called a "key name", or an integer numeric ID.</li>
<li><em>Ancestor Path</em>: An optional component of the key, identifying its parents to
form a database hierarchy.</li>
</ul>
<hr>
<h1>Create IAM Service Account</h1>
<p>Before your code can access Datastore/Firestore, access needs to be configured
in the <a href="https://console.cloud.google.com/iam-admin">Identity Access Management</a>
tool.</p>
<p>First, create a <a href="https://console.cloud.google.com/iam-admin/serviceaccounts">Service Account</a>:</p>
<ol>
<li>Open the Service Account page</li>
<li>Select your project</li>
<li>Click "Create Service Account"</li>
<li>Service Account Details:
<ol>
<li>Service account name: <code>PythonDatastoreAdmin</code></li>
<li>Service account ID: <code>pythondatastoreadmin</code></li>
<li>Service account description: SA with Full Datastore Access for Python</li>
</ol>
</li>
<li>Grant this service account access to project (optional)
<ol>
<li>Select a role: Datastore > Cloud Datastore Owner</li>
<li>Continue</li>
</ol>
</li>
<li>Grant users access to this service account (optional)
<ol>
<li>Download a key file for Python to use. Use JSON as the key type.</li>
<li>Done</li>
</ol>
</li>
</ol>
<p>I downloaded my key to <code>$HOME/gcp_keys/datastore_admin.json</code></p>
<hr>
<h1>Python Environment Setup</h1>
<p>Build a virtualenv. If you're in a git repo, don't forget to ignore this
directory.</p>
<pre><code class="language-bash">python3 -m venv env3
source env3/bin/activate
</code></pre>
<p>Write the requirement file</p>
<p><code>vi requirements.txt</code></p>
<pre><code class="language-text">google-cloud-firestore
</code></pre>
<p>Install the requirements</p>
<pre><code class="language-bash">pip install -r rqeuirements.txt
</code></pre>
<hr>
<h1>Python Code Examples</h1>
<p>A fake project name of "example" will be used. Be sure to use a valid one.</p>
<p>Some notes about the Firestore python API:</p>
<ul>
<li><code>firestore.client().collection</code> returns a <a href="https://googleapis.dev/python/firestore/latest/collection.html">CollectionReference</a>,
which allows you to operate on the named collection.</li>
<li><code>firestore.client().collection().list_documents</code> returns a <a href="google.api_core.page_iterator.GRPCIterator">Page Iterator</a>.
Casting a page iterator to a list will trigger a read operation, returning a
list of <code>DocumentReference</code> objects.</li>
<li><code>firestore.client().collection().document</code> returns
a <a href="https://googleapis.dev/python/firestore/latest/document.html">DocumentReferece</a>,
which interacts with the actual Firestore documents. The <code>DocumentReference</code>
object can operate (get/set/create) on the actual Document.</li>
<li><code>firestore.client().collection().document().get()</code> will return
a <a href="https://developers.google.com/android/reference/com/google/firebase/firestore/DocumentSnapshot">DocumentSnapshot</a>
of the document. The document snapshot is how you read data from a document.
Document snapshots are a representation of the document state taken at the
instant of their creation.</li>
<li><code>firestore.client().collection().document().create()</code> makes a new document.
If the object already  existed, a <code>google.api_core.exceptions.AlreadyExists</code>
exception is thrown.</li>
<li>Write operations (create &#x26; set) return a <a href="https://cloud.google.com/firestore/docs/reference/rest/v1/WriteResult">WriteResult</a>.</li>
</ul>
<pre><code class="language-python">from os import environ
from google.cloud import firestore

# The key file is an exported JSON file from the IAM tool
key_file_path = '{}/gcp_keys/datastore_admin.json'.format(environ['HOME'])

# When running this on a local system, the cloud.google package from GCP
# expects the GOOGLE_APPLICATION_CREDENTIALS environment variable to be set
# to the exported IAM key file's path
environ['GOOGLE_APPLICATION_CREDENTIALS'] = key_file_path

# google.cloud.datastore.Client expects the project name as an argument
project = 'example'

# Instantiate the datastore client. This step authenticates to GCP.
# See the Credential Error note below if authentication fails
client = firestore.Client(project)

# Get a reference to the test collection. This returns a
# google.cloud.firestore_v1.collection.CollectionReference object
ref_col_test = client.collection('test')

# Get a reference to a document which may or may not exist. This returns a
# google.cloud.firestore_v1.document.DocumentReference object
ref_doc_document1 = ref_col_test.document('document1')

# Perform the actual database query to get the document. get() returns a
# google.cloud.firestore_v1.document.DocumentSnapshot object.
snapshot_document1 = ref_doc_document1.get()

# Note that there is no data
assert document1.to_dict() is None

# You can use document.exists to check if the document already exists.
# Here's an example of doing a safe insert of some sample data:
sample_data = {
    'nums': {'num1': 100, 'num2': 200},
    'strs': {'animal1': 'dog', 'animal2': 'cat'}}
if snapshot_document1.exists is False:
    createe_write_result = ref_doc_document1.create(sample_data)

document1_data = ref_doc_document1.get().to_dict()

# Finally, update the data
sample_data['strs']['animal3'] = 'bird'
set_write_result = ref_doc_document1.set(sample_data)

# List the documents in the collection. The iterator returns a paginated list
# of document references. You can then operate on those references.
doc_list_iterator = ref_col_test.list_documents()
doc_ref_list = list(doc_list_iterator)
sample_document_snapshot = doc_ref_list[0].get()

# Show that the changes were applied to the data. This will return 'bird'
animal3 = sample_document_snapshot.to_dict()['strs']['animal3']
</code></pre>
<h2>Troubleshooting</h2>
<h3>Credentials Error</h3>
<p>If your local google cloud authentication isn't set up correctly, you'll get an
error saying:</p>
<pre><code class="language-text">google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://cloud.google.com/docs/authentication/getting-started
</code></pre>
<p>If that happens, review the IAM Service account steps.</p>
<h3>Iterator has already started</h3>
<p>If you try and cast a <code>GRPCIterator</code> to list twice, you get a <code>ValueError</code>.</p>
<pre><code class="language-text">ValueError: ('Iterator has already started', &#x3C;google.api_core.page_iterator.GRPCIterator object)
</code></pre>
<p>The <code>ValueError</code> is thrown because <code>._started</code> is <code>True</code> in the iterator. It has
already done its thing and won't work again. I didn't see any good way to
restart the iterator without discarding it.
You can see the details in the <a href="https://github.com/googleapis/google-cloud-python/blob/master/api_core/google/api_core/page_iterator.py">page iterator source code</a>.</p>
<p>Best course is just to get a new iterator from the reference object.
See in the following example how the ID changes. The <code>doc_list_iterator</code> var is
being pointed at a new iterator. The old iterator gets gc'd by Python as usual.</p>
<pre><code>>>> id(doc_list_iterator)
4422123408
>>> doc_list_iterator = ref_col_test.list_documents()
>>> id(doc_list_iterator)
4422123472
</code></pre>
<p>It will work as expected.</p>


<p>This post covers getting started with a very simple Google Cloud Functions API,
a great serverless solution with affordable pricing. This API will pull the
IP address from the HTTP request, and return <code>Hello &#x3C;source IP></code>.</p>
<hr>
<h3>Table of Contents</h3>
<ul>
<li><a href="#pricing-details">Pricing Details</a></li>
<li><a href="#deploy-hello-world-function">Deploy Hello World Function</a>
<ul>
<li><a href="#mainpy">main.py</a></li>
<li><a href="#requirementspy">requirements.py</a></li>
</ul>
</li>
<li><a href="#accessing-the-function">Accessing the Function</a>
<ul>
<li><a href="#from-the-console-web-ui">From the Console Web UI</a></li>
<li><a href="#from-the-request-url">From the Request URL</a></li>
</ul>
</li>
</ul>
<h1>Pricing Details</h1>
<p>Cloud Functions pricing is pretty affordable for most use cases, assuming you
write your functions in such a way that they don't get invoked a few too many
millions of times.</p>
<p>Check the official <a href="https://cloud.google.com/functions/pricing">Google docs</a>
for accurate and up-to-date pricing, but here's what it looked like at the time
of my writing this.</p>
<p>Pricing is broken into a few fees:</p>
<ul>
<li><em>Invocations</em>: A flat fee per function execution. $0.0000004 per invocation,
excluding the first 2 million.</li>
<li><em>Compute Time</em>: At the lowest clock speed (200MHz x 128MB RAM), compute costs
$0.000000231/100ms, ceil 100.</li>
<li><em>Networking</em>: $0.12/GB egress for data, while ingress is free.</li>
</ul>
<hr>
<h1>Deploy Hello World Function</h1>
<p>Open <a href="https://console.cloud.google.com/functions/">Google Cloud Functions</a> in
your browser.</p>
<p>Create a function.</p>
<ul>
<li>Name: HelloWorld</li>
<li>Memory Allocated: 128 MB</li>
<li>Trigger: HTTP</li>
<li>Authentication: Allow unauthenticated invocations</li>
<li>Source code: Inline Editor</li>
<li>Runtime: Python 3.7</li>
<li>Other settings: Leave them as defaults</li>
</ul>
<h2>main.py</h2>
<p>The API function defined by <code>Function to execute</code> accepts a
<a href="https://flask.palletsprojects.com/en/1.1.x/api/#incoming-request-data">flask.Request</a>
argument.</p>
<pre><code class="language-python">def hello_world(request):
    """" Return a Hello message to sender of the API call """
		return 'Hello {}!'.format(request.remote_addr)
</code></pre>
<h2>requirements.py</h2>
<p>You can leave this blank. It's a list of libraries that will be used.</p>
<hr>
<h1>Accessing the Function</h1>
<h2>From the Console Web UI</h2>
<ol>
<li>Navigate to the <a href="https://console.cloud.google.com/functions">Functions page</a>.</li>
<li>Click on the 3 dots next to the function name, and choose "Test function".</li>
<li>Populate and JSON for the GET request in "Triggering event". The above
example doesn't accept any input data so <code>{}</code> is all you need.</li>
<li>Click "Test the function"</li>
</ol>
<h2>From the Request URL</h2>
<ol>
<li>Navigate to the <a href="https://console.cloud.google.com/functions">Functions page</a>.</li>
<li>Click the function's name to navigate to the "Function details" page</li>
<li>Go to the 'Trigger" tab</li>
<li>Find the URL. Copy it.</li>
</ol>
<p>You can now test the URL with curl, your browser, httpie, python, etc.</p>
<pre><code class="language-bash">https://&#x3C;region>-&#x3C;project>.cloudfunctions.net/HelloWorld
</code></pre>


<p><strong>This post is linked to from the <a href="/aws.html">AWS: Deep Dive Project</a></strong></p>
<hr>
<p>This post covers how to upload and download files from Amazon's S3 using
Python. Setup is done from the web UI.</p>
<h1>Create a Bucket</h1>
<p>Go to the <a href="https://s3.console.aws.amazon.com">AWS S3 page</a>.</p>
<p>Click on "+ Create Bucket" and fill out the form. For access, choose
Block all public access. For the rest of the options, the defaults are fine.</p>
<hr>
<h1>Create IAM Credentials</h1>
<p>IAM stands for Identity and Access Management.</p>
<h2>Create a Policy</h2>
<p>From the left nav-bar, go to policies. The default policies don't grant
programmatic access, so you need to make a new one.</p>
<p>For admin rights, I just used the visual policy builder and granted it
access to everything. I'll come back and update this guide with how to lock
that down later.</p>
<hr>
<h1>Add the policy to a group</h1>
<p>Go to the groups on the left. Either make a new one or edit an existing one.
Under Permissions, click Attach Policy. If you want, you can also add
<code>AmazonS3FullAccess</code> to see the difference between the two.</p>
<h2>Create/Edit a User</h2>
<p>On the left nav-bar, go to Users > Add User. Or edit a user that exists.
Fill in the wizard and assign the group.</p>
<hr>
<h1>Use Python to interact with S3</h1>
<h2>Install Boto3</h2>
<p>Python needs boto3 installed to interact with AWS.</p>
<pre><code class="language-bash">pip install boto3
</code></pre>
<h2>Uploading and Downloading Files</h2>
<pre><code class="language-python">import boto3

# Fill in the key and key id, or read them from stdin/file/whatever
key_id = ''
key = ''

# Create the authenticated s3 client
session = boto3.Session(aws_access_key_id=key_id, aws_secret_access_key=key)
client = session.client('s3')

# Define the file/object
filename = '/example/file/path'
bucket_name = 'my_bucket'
key = 'my_key'

# Upload Example
client.upload_file(filename, bucket_name, key)

# Download Example
client.download_file(bucket_name, object_name, path)
</code></pre>


<p>How to run a docker container on AWS ECS (Elastic Compute Cloud)  using the AWS
web console. A container from the Elastic Container Registry will be launched.
It will run on Amazon's <a href="https://aws.amazon.com/fargate/">Fargate Container-as-a-Service</a>.</p>
<hr>
<h3>Table of Contents</h3>
<ul>
<li><a href="#launch-a-container-on-fargate">Launch a container on Fargate</a></li>
<li><a href="#publish-containers-network-to-the-internet">Publish container's network to the internet</a></li>
<li><a href="#using-a-custom-domain-name">Using a custom domain name</a></li>
</ul>
<h1>Launch a container on Fargate</h1>
<ol>
<li>Upload an image to AWS ECR. <a href="/aws-ecr.html">See my guide on using AWS ECR</a>.</li>
<li>Open <a href="https://ca-central-1.console.aws.amazon.com/ecs/">AWS ECS</a></li>
<li>Under Container Definition, select Configure</li>
<li>Fill in the form
<ol>
<li>For the image URL, use the URL of the image uploaded to
ECR. I was testing a reverse proxy image, so it looked like this:
<code>000000000000.dkr.ecr.ca-central-1.amazonaws.com/test/revproxy:latest</code></li>
<li>I have my nginx reverse proxy a 256MB soft limit for RAM</li>
<li>For my reverse proxy I made port mappings for port 80 and 443</li>
<li>No need to fill out any of the advanced fields</li>
</ol>
</li>
<li>Fill out the Task Definition section, click Next</li>
<li>Define your service
<ol>
<li>Without a load-balancer, the only way to access your container will be by
using <a href="https://aws.amazon.com/blogs/compute/access-private-applications-on-aws-fargate-using-amazon-api-gateway-privatelink/">PrivateLink</a>.</li>
<li>During the initial cluster create wizard you can choose an Application
Load Balancer. That seems to work well.</li>
</ol>
</li>
<li>Name the Fargate cluster, next</li>
<li>Click create</li>
</ol>
<p>It will take a little while. Once its finished you can click on View Service.</p>
<hr>
<h1>Publish container's network to the internet</h1>
<p>Navigate to the newly created service and go to the Details tab. From there you
can see a Load Balancing section. It should have a link to the new load
balancer.</p>
<p>You can also access this page from the left nav-bar by going to Load Balancing,
then choosing the new load balancer.</p>
<p>In the Description tab here, you can find the DNS name that AWS has assigned
to this load balancer. Unfortunately you can't depend on the IP address behind
this FQDN to stay the same.</p>
<hr>
<h1>Using a custom domain name</h1>
<p>I'm working on that. Its not intuitive. If you know how, I'd like to hear about
it..</p>


<p><strong>This post is linked to from the <a href="/aws.html">AWS: Deep Dive Project</a></strong></p>
<hr>
<p>This post covers how to make a Docker registry on AWS Elastic Container
Registry (ECR).
To secure the registry, least-privilege roles are created and assigned to
service account users in the AWS AIM tool</p>
<hr>
<h3>Table of contents</h3>
<ul>
<li><a href="#create-an-aws-ecr-repository">Create an AWS ECR Repository</a></li>
<li><a href="#create-an-aws-iam-user-for-the-registry">Create an AWS IAM User For the Registry</a>
<ul>
<li><a href="#create-groups-for-ecr-access">Create Groups for ECR Access</a>
<ul>
<li><a href="#make-a-group-with-write-access">Make a group with write access</a></li>
<li><a href="#make-a-read-only-group">Make a read-only group</a></li>
</ul>
</li>
<li><a href="#create-users-for-ecr-access">Create Users for ECR Access</a></li>
</ul>
</li>
<li><a href="#connect-docker-to-the-new--registry">Connect Docker to the new  Registry</a>
<ul>
<li><a href="#install-the-aws-cli">Install the AWS CLI</a></li>
<li><a href="#configure-the-aws-cli-user">Configure the AWS CLI USER</a></li>
<li><a href="#get-the-docker-login-command">Get the docker login command</a></li>
</ul>
</li>
<li><a href="#push-images-to-the-ecr-registry">Push Images to the ECR Registry</a></li>
</ul>
<h1>Create an AWS ECR Repository</h1>
<p>Navigate to the
<a href="https://ca-central-1.console.aws.amazon.com/ecr/repositories">AWS ECR Repositories page</a>
and click Create a repository.</p>
<p>Fill in the form to name your repository.</p>
<h1>Create an AWS IAM User For the Registry</h1>
<p>Its a good idea to have user accounts with write access, and others with
read-only access. This way you can push to the registry with your privileged
user but you never need to expose those credentials outside your development
or CI/CD environment.</p>
<h2>Create Groups for ECR Access</h2>
<p>First, review the AWS Group access levels <a href="https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html">here</a>.</p>
<h3>Make a group with write access</h3>
<p>Users in this group can push to existing registries but they can't use the CLI
to make new ones.</p>
<ol>
<li>Go to the <a href="https://console.aws.amazon.com/iam">AWS IAM page</a></li>
<li>Click Groups on the sidebar</li>
<li>Name the group, ex: <code>ecr-write</code></li>
<li>Attach Policy: <code>AmazonEC2ContainerRegistryPowerUser</code>, next</li>
<li>Create Group</li>
</ol>
<h3>Make a read-only group</h3>
<p>Its the same procedure as above, but use the read-only policy instead:
<code>AmazonEC2ContainerRegistryReadOnly</code>.</p>
<p>Consider also making an admin group with the
<code>AmazonEC2ContainerRegistryFullAccess</code> permission.</p>
<h2>Create Users for ECR Access</h2>
<p>Make two users, one for pushing and one for pulling. You can share the user
will read access to anyone who needs to consume the images.</p>
<p>To make a user:</p>
<ol>
<li>Go to the <a href="https://console.aws.amazon.com/iam">AWS IAM page</a></li>
<li>Click Users on the sidebar</li>
<li>Add User</li>
<li>Enter user name, check Programmatic Access, next</li>
<li>Choose from the groups you just created to grant read/write access, next</li>
<li>Skip the tags, next</li>
<li>Create User. Be sure to save the secret access key in your password manager.</li>
</ol>
<h1>Connect Docker to the new  Registry</h1>
<h2>Install the AWS CLI</h2>
<p>The one from apt is really old and doesn't work. Use pip.</p>
<pre><code class="language-bash">apt-get install -y python python-pip
pip install aws awscli
</code></pre>
<p>Test it out</p>
<pre><code class="language-bash">python -m awscli help
</code></pre>
<h2>Configure the AWS CLI USER</h2>
<p>When prompted, enter your key, secret key, region (ca-central-1), and output
format (none):</p>
<pre><code class="language-bash">aws configure
</code></pre>
<h2>Get the docker login command</h2>
<p>Use the AWS CLI to fetch and execute the docker login command. You can also
export this command to a file to run it, but there's no point since the token
gets invalidated after 12 hours.</p>
<pre><code class="language-bash">$(aws ecr get-login --no-include-email --region ca-central-1)
</code></pre>
<hr>
<h1>Push Images to the ECR Registry</h1>
<p>If you click on the Push Commands button in the ECR registry page you'll get
examples programmatically generated for your registry.</p>
<p>Pushing is kind of unintuitive. Unlike a normal <code>registry:2</code> docker registry,
ECR won't automatically create your repositories for you. You have to manually
create each one. You can use the web UI, or log in as an admin user and run the
following:</p>
<pre><code class="language-bash">aws ecr create-repository --repository-name kolla/ubuntu-source-base
</code></pre>
<p>For scripting, this is a handy way of creating the repo if it doesn't exist:</p>
<pre><code class="language-bash">aws ecr describe-repositories --repository-names $repo_name \
  || aws ecr create-repository --repository-name $repo_name
</code></pre>
<p>Then you can push.</p>
<pre><code class="language-bash">docker push $myId.dkr.ecr.ca-central-1.amazonaws.com/$repo:$tag
</code></pre>
<p>If you first create the repository, you get an error like this: <code>name unknown: The repository with name 'kolla/ubuntu-source-base' does not exist in the registry with id '...'</code></p>


<p><strong>This post is linked to from the <a href="/openstack.html">OpenStack Deep Dive Project</a></strong></p>
<hr>
<p><a href="https://docs.openstack.org/cinder/latest/">OpenStack Cinder</a> needs some
special software installed to work with certain storage backends.</p>
<p><a href="https://docs.openstack.org/kolla/latest/">Kolla</a> builds Docker containers for
OpenStack.</p>
<p>This post documents the steps to customize how Kolla builds containers. In
particular, these steps add the Pure Storage plugin to the Cinder-Volume
service's Docker image.</p>
<hr>
<h1>Install Kolla</h1>
<p>This example uses the Rocky checkout to make Rocky based images. Use the stable
branch matching your OpenStack version else things get weird.</p>
<pre><code class="language-bash">apt-get install -y git python python-pip
git clone https://github.com/openstack/kolla.git
get checkout stable/rocky
cd kolla
pip install .
</code></pre>
<h2>Configure Kolla</h2>
<p>Use tox's <code>genconfig envlist</code> to generate a commented config file:</p>
<pre><code class="language-bash">tox -e genconfig
mkdir -p /etc/kolla
mv etc/kolla/kolla-build.conf /etc/kolla/
</code></pre>
<p>Then make any changes to the new config file as needed.</p>
<hr>
<h1>Add the Modifications</h1>
<p>Here's an example of adding the Pure Storage's plugin to the cinder_volume
image.</p>
<p><code>vi /etc/kolla/template-overrides.j2</code></p>
<pre><code class="language-jinja2">{% extends parent_template %}

# Cinder Volume
{% block cinder_volume_ubuntu_setup %}
RUN pip install purestorage
{% endblock %}
</code></pre>
<hr>
<h1>Build the Image w/ Modifications</h1>
<pre><code class="language-bash">kolla-build \
  --tag rocky-test-20190826-01 \
  --template-override /etc/kolla/template-overrides.j2  \
  cinder-volume
</code></pre>
<p>That's it. You can now use this image with the included plugin.</p>


<p>This guide installs OpenStack on a single metal server.</p>
<p>To install OpenStack, I use <a href="https://github.com/openstack/kolla-ansible">Kolla-Ansible</a>,
an open source Ansible project that deploys Kolla OpenStack images.</p>
<p>OpenStack <a href="https://www.openstack.org/software/rocky/">Rocky</a> will be installed,
configured with a
<a href="https://docs.openstack.org/ocata/networking-guide/intro-os-networking.html#intro-os-networking-provider">VLAN provider network</a>
for overcloud networking, and include the following OpenStack APIs:</p>
<ul>
<li>Keystone</li>
<li>Cinder</li>
<li>Nova</li>
<li>Glance</li>
<li>Neutron</li>
<li>Heat</li>
<li>Magnum</li>
</ul>
<hr>
<h3>Table of Contents</h3>
<ul>
<li><a href="#environment">Environment</a></li>
<li><a href="#update--prepare-system">Update &#x26; Prepare System</a></li>
<li><a href="#configure-networking">Configure Networking</a></li>
<li><a href="#enable-vlans-for-neutron">Enable VLANs for Neutron</a></li>
<li><a href="#globals-file">Globals file</a></li>
<li><a href="#install-openstack-using-kolla-ansible">Install OpenStack using Kolla-Ansible</a></li>
<li><a href="#overcloud-cluster-configuration">Overcloud Cluster Configuration</a></li>
<li><a href="#create-a-test-vm">Create a test VM</a></li>
</ul>
<h1>Environment</h1>
<p>This was the hardware used while writing this guide. It's neither the minimum
nor recommended hardware setup for any sort of cloud.</p>
<p><strong>Hardware:</strong></p>
<p>Intel NUC with two drives, one interface, 32G RAM, running Ubuntu 18.04.</p>
<p><strong>Drive Labels:</strong></p>
<ul>
<li>Boot drive: <code>/dev/nvme0n1</code></li>
<li>Cinder LVM backup: <code>dev/sda</code></li>
</ul>
<p><strong>Networking</strong></p>
<ul>
<li>Physical interface <code>eno1</code></li>
<li>VLAN subinterface <code>vlan.2@eno1</code></li>
<li>Host IP: <code>10.254.2.2</code></li>
<li>Cloud VIP: <code>10.254.2.254</code></li>
</ul>
<hr>
<h1>Update &#x26; Prepare System</h1>
<p>Configure the VG for cinder and install Kolla-Ansible</p>
<pre><code class="language-bash"># Update and install deps
apt-get update &#x26;&#x26; apt-get upgrade -y
apt-get -y install python python-pip
pip install \
  ansible \
  python-openstackclient \
  python-neutronclient \
  python-magnumclient

# Create VG for cinder LVM
pvcreate /dev/sda
vgcreate cinder-volumes /dev/sda

# Install Kolla-Ansible
cd ~
git clone https://github.com/openstack/kolla-ansible.git
cd ~/kolla-ansible
git checkout stable/rocky
pip install .

# Deploy initial KA config files
mkdir -p /etc/kolla/config
cp ~/kolla-ansible/etc/kolla/passwords.yml /etc/kolla/
cp ~/kolla-ansible/ansible/inventory/all-in-one /etc/kolla/inventory
kolla-genpwd
</code></pre>
<h1>Configure Networking</h1>
<p>The Intel NUC only has one Ethernet port, but Kolla-Ansible requires two ports.
One port is for the APIs, and another can't have any addresses on it as it ends
up being controlled by OpenVSwitch and Neutron.</p>
<p>To get around this, I use VLAN subinterfaces. This works well, but it does
require that you add a layer 3 route from the overcloud subnet to the
undercloud API network the guests need to connect to the host.</p>
<p>OVS creates a bridge bound to the physical port, where the VLAN modules
work alongside it. The only drawback is you can't use those VLANs in the
overcloud.</p>
<p><code>vi /etc/netplan/01-netcfg.yaml</code></p>
<pre><code class="language-text">network:
  version: 2
  renderer: networkd
  ethernets:
      eno1:
        dhcp4: false
        dhcp6: false
  vlans:
    vlan.2:
      id: 2
      link: eno1
      addresses: [ 10.254.2.2/24 ]
      gateway4: 10.254.2.1
      nameservers:
        addresses: ["8.8.8.8", "8.8.4.4"]
</code></pre>
<p>Apply the changes. This might kick you.</p>
<pre><code class="language-bash">netplan try
</code></pre>
<h1>Enable VLANs for Neutron</h1>
<p>Create this config file to enable VLAN support</p>
<pre><code class="language-bash">mkdir -p /etc/kolla/config/neutron
</code></pre>
<p><code>vi /etc/kolla/config/neutron/ml2_conf.ini</code></p>
<pre><code class="language-ini">[ml2_type_vlan]
network_vlan_ranges = physnet1:1:4094
</code></pre>
<h1>Globals file</h1>
<p><code>vi /etc/kolla/globals.yml</code></p>
<pre><code class="language-yaml">---

kolla_internal_vip_address: "10.254.2.254"
neutron_external_interface: "eno1"
network_interface: "vlan.2"
keepalived_virtual_router_id: "66"

kolla_base_distro: "ubuntu"
kolla_install_type: "source"
openstack_release: "rocky"

enable_keepalived: "yes"
enable_mariadb: "yes"
enable_memcached: "yes"
enable_rabbitmq: "yes"
enable_chrony: "yes"
enable_fluentd: "yes"
enable_nova_ssh: "yes"
enable_ceph: "no"
enable_horizon: "yes"

enable_haproxy: "yes"
kolla_enable_tls_external: "yes"

enable_nova: "yes"
nova_compute_virt_type: "kvm"

enable_keystone: "yes"
keystone_admin_user: "admin"
keystone_admin_project: "admin"

enable_glance: "yes"
glance_backend_file: "yes"

enable_cinder: "yes"
enable_cinder_backup: "no"
enable_cinder_backend_lvm: "yes"
cinder_volume_group: "cinder-volumes"
cinder_backend_ceph: "no"

enable_neutron: "yes"
enable_neutron_lbaas: "yes"
neutron_extension_drivers:
  - name: "port_security"
    enabled: true
  - name: "dns"
    enabled: true

enable_magnum: "yes"
enable_octavia: "no"
default_docker_volume_type: "local-lvm"
</code></pre>
<hr>
<h1>Install OpenStack using Kolla-Ansible</h1>
<pre><code class="language-bash">kolla-ansible certificates
kolla-ansible -i /etc/kolla/inventory bootstrap-servers
kolla-ansible -i /etc/kolla/inventory deploy
kolla-ansible -i /etc/kolla/inventory post-deploy
</code></pre>
<hr>
<h1>Overcloud Cluster Configuration</h1>
<p>The OpenStack services are deployed, now to configure the cloud to be usable.</p>
<p>For details about these commands, see my previous VM guide <a href="/openstack-aio-ka-vm..html">here</a>.</p>
<p>These commands are ran right on the physical OpenStack host.</p>
<pre><code class="language-bash"># Authenticate to the cloud
source /etc/kolla/admin-openrc.sh

# Define the volume type in cinder
openstack volume type create --public local-lvm

# Create a provider network on VLAN 3
openstack network create --external --share \
  --provider-physical-network physnet1 --provider-network-type vlan \
  --provider-segment 3 --disable-port-security vlan3-net

# Assign a subnet to the vlan3-net network
openstack subnet create \
  --dhcp --network vlan3-net \
  --subnet-range 10.254.3.0/24 \
  vlan3-subnet

# Create a small cirros-sized flavor
openstack flavor create tiny --disk 1 --vcpus 1 --ram 256

# Download and import Cirros as a glance image
wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img
apt-get install -y qemu-utils
qemu-img convert -f qcow2 -O raw cirros-0.4.0-x86_64-disk.img cirros.raw
openstack image create --container-format bare --disk-format raw \
  --file cirros.raw --public "cirros"

# Open up the firewall rules for the admin project
proj_id=$(openstack project list | grep admin | awk '{print $2}')
group_id=$(openstack security group list | grep $proj_id | awk '{print $2}')

openstack security group rule create --proto icmp $group_id
openstack security group rule create --proto tcp --dst-port 1:65535 $group_id
openstack security group rule create --proto udp --dst-port 1:65535 $group_id
</code></pre>
<hr>
<h1>Create a test VM</h1>
<pre><code class="language-bash">openstack server create --image cirros --flavor tiny --network vlan3-net test
</code></pre>
<p>The cloud is now ready for use. If layer 3 routing from VLAN 2 to VLAN 3 is
configured, then the VM will be accessible.</p>


<h3>Table of Contents</h3>
<ul>
<li><a href="#environment">Environment</a>
<ul>
<li><a href="#openstack-on-openstack-considerations">OpenStack-on-OpenStack Considerations</a>
<ul>
<li><a href="#disable-port-security">Disable Port Security</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#update-the-os">Update the OS</a></li>
<li><a href="#create-volume-group-for-cinder">Create Volume Group for Cinder</a></li>
<li><a href="#install-ansible">Install Ansible</a></li>
<li><a href="#install-kolla-ansible">Install Kolla-Ansible</a>
<ul>
<li><a href="#check-out-the-kolla-ansible-code">Check out the Kolla-Ansible code</a></li>
</ul>
</li>
<li><a href="#generate-openstack-config-files">Generate OpenStack Config Files</a>
<ul>
<li><a href="#openstack-service-config-files">OpenStack service config files</a></li>
<li><a href="#globals-file">Globals file</a></li>
<li><a href="#passwords-file">Passwords file</a></li>
<li><a href="#ansible-inventory">Ansible Inventory</a></li>
</ul>
</li>
<li><a href="#install-openstack-using-kolla-ansible">Install OpenStack using Kolla-Ansible</a>
<ul>
<li><a href="#install-the-openstack-command-line">Install the OpenStack Command Line</a></li>
</ul>
</li>
<li><a href="#overcloud-cluster-configuration">Overcloud Cluster Configuration</a>
<ul>
<li><a href="#source-the-admin-openrc-file">Source the Admin OpenRC file</a></li>
<li><a href="#create-a-cinder-volume-type">Create a Cinder Volume Type</a></li>
<li><a href="#create-a-flat-provider-network">Create a Flat Provider Network</a></li>
<li><a href="#up-the-interface">Up the interface</a></li>
<li><a href="#create-a-vxlan-for-workloads">Create a VXLAN for workloads</a></li>
<li><a href="#create-a-flavor">Create a flavor</a></li>
<li><a href="#create-an-image">Create an image</a></li>
<li><a href="#open-up-the-firewall">Open up the firewall</a></li>
</ul>
</li>
<li><a href="#create-a-test-vm">Create a test VM</a></li>
</ul>
<h1>Environment</h1>
<p>These specs are what was used while writing this guide.
They are neither the minimum nor recommended requirements for a virtual
OpenStack cluster.</p>
<ul>
<li>VM hosted by <a href="https://breqwatr.com">Breqwatr</a>'s on-prem OpenStack
<ul>
<li>AWS/GCP/Azure can also host suitable VMs</li>
</ul>
</li>
<li>Ubuntu 18.04</li>
<li>2 vSSD volumes: 200GB for the OS and 300GB for Cinder LVM</li>
<li>2 VLAN ports: API interface and neutron interface</li>
<li>Docker images are the public Rocky images from Kolla on Docker Hub</li>
</ul>
<h2>OpenStack-on-OpenStack Considerations</h2>
<p>Skip this section if the installation is not on OpenStack.</p>
<h3>Disable Port Security</h3>
<p>Turn off neutron port-security on each port.
Otherwise the unknown IPs will be blocked.</p>
<pre><code class="language-bash">for x in \
    3f664e5e-dd67-4fe5-b2cc-86c2918b6a2f \
    c44da3d5-00e7-4e41-af39-7010d70ac6a5; do
  echo $x
  openstack port set --no-security-group $x
  openstack port set --disable-port-security $x
done
</code></pre>
<hr>
<h1>Update the OS</h1>
<p>It will never be less risky to run an update than right now!</p>
<pre><code class="language-bash">apt-get update &#x26;&#x26; apt-get upgrade -y
</code></pre>
<hr>
<h1>Create Volume Group for Cinder</h1>
<p>OpenStack Cinder supports a huge <a href="https://docs.openstack.org/cinder/rocky/reference/support-matrix.html">list of back-end storage providers</a>,
but the simplest to set up is just using an LVM volume group on the host.</p>
<p>Cinder will use LVM to carve out logical volumes for each cloud block storage
device. This isn't highly available, but that's OK for a dev cloud.</p>
<p>Create a volume group using a dedicated disk.
In this example, I'll use <code>/dev/vdb</code> for VMs.</p>
<p>The name of this volume group is defined in the globals.yml file as
<code>cinder_volume_group</code>, and can be changed as needed.</p>
<pre><code class="language-bash">pvcreate /dev/vdb
vgcreate cinder-volumes /dev/vdb
</code></pre>
<hr>
<h1>Install Ansible</h1>
<p>Kolla-Ansible requires that Ansible be pre-installed. Apt can install it too,
but pip tends to install a newer version. Some old versions aren't compatible
with Kolla-Ansible.</p>
<pre><code class="language-bash">apt-get -y install python python-pip
pip install ansible
</code></pre>
<hr>
<h1>Install Kolla-Ansible</h1>
<h2>Check out the Kolla-Ansible code</h2>
<p>Git comes pre-installed on many Ubuntu 18.04, but install it otherwise.</p>
<pre><code class="language-bash">apt-get install -y git
</code></pre>
<p>Clone a stable branch of Kolla-Ansible.
Check out the code and use pip to install it.</p>
<p>Make sure to use the stable branch associated with Rocky. Kolla-Ansible doesn't
work right when installing versions of OpenStack that don't match git stable
branch used.</p>
<pre><code class="language-bash">cd ~
git clone https://github.com/openstack/kolla-ansible.git
cd ~/kolla-ansible
git checkout stable/rocky
pip install .
</code></pre>
<hr>
<h1>Generate OpenStack Config Files</h1>
<h2>OpenStack service config files</h2>
<p>Create a directory to store the OpenStack config changes.</p>
<pre><code class="language-bash">mkdir -p /etc/kolla/config
</code></pre>
<h2>Globals file</h2>
<p>The globals file contains most of the important deployment settings for KA.</p>
<p>Check these two links for more info:</p>
<ul>
<li><a href="https://docs.openstack.org/kolla-ansible/latest/admin/advanced-configuration.html">openstack.org KA advanced reference</a></li>
<li><a href="https://github.com/openstack/kolla-ansible/blob/master/etc/kolla/globals.yml">GitHub page for globals file</a></li>
</ul>
<p>Any configs not defined are set by defaults.yml files in KA's Ansible roles.</p>
<p>The globals file can specify your OpenStack version, where it will pull its
containers from, and which containers will be deployed. Be sure to replace
<code>kolla_internal_vip_address</code>'s value with your VIP address.</p>
<p>The VIP can't be used by your existing network card, else HAproxy will throw a
fit and Kolla-Ansible will fail at the MariaDB step.</p>
<p>The networking in this example is as simple as it gets. You can really split
things up in this file if you want to. Note the network interface name too, it
may be different from yours.</p>
<p><code>vi /etc/kolla/globals.yml</code></p>
<pre><code class="language-yaml">---
# APIs listen on this VIP
kolla_internal_vip_address: "10.100.202.254"

# Interface used for VXLANS and APIs. See docs to split this out into many nics
network_interface: "ens3"

# Used for the VLANS, give it the whole device
neutron_external_interface: "ens6"

# If you have more than one install in the broadcast domain, make this unique
keepalived_virtual_router_id: "77"

# Define the docker image names and tag (kolla/ubuntu-source-&#x3C;name>:rocky)
kolla_base_distro: "ubuntu"
kolla_install_type: "source"
openstack_release: "rocky"

# Which containers will be deployed
enable_keepalived: "yes"
enable_mariadb: "yes"
enable_memcached: "yes"
enable_rabbitmq: "yes"
enable_chrony: "yes"
enable_fluentd: "yes"
enable_nova_ssh: "yes"
enable_ceph: "no"
enable_horizon: "yes"

# Use HAProxy load balancer but disable TLS certs
enable_haproxy: "yes"
kolla_enable_tls_external: "yes"

# Use qemu for nested hypervisors, kvm for metal
enable_nova: "yes"
nova_compute_virt_type: "qemu"

# The default username and project can be changed here
enable_keystone: "yes"
keystone_admin_user: "admin"
keystone_admin_project: "admin"

# Glance stores VM templates. Use a file backend with cinder's LVM backend
enable_glance: "yes"
glance_backend_file: "yes"

# Configure Cinder to use the 'cinder-volumes' vg for virtual block devices
enable_cinder: "yes"
enable_cinder_backup: "no"
enable_cinder_backend_lvm: "yes"
cinder_volume_group: "cinder-volumes"
cinder_backend_ceph: "no"

# Enable the DNS ml2 extension driver in neutron &#x26; lbaas
enable_neutron: "yes"
enable_neutron_lbaas: "yes"
neutron_extension_drivers:
  - name: "port_security"
    enabled: true
  - name: "dns"
    enabled: true

# Configure magnum to look for the 'local-lvm' cinder volume type
enable_magnum: "yes"
default_docker_volume_type: "local-lvm"
</code></pre>
<h2>Passwords file</h2>
<p>The passwords file is empty initially, its just a template to be filled in with
random password from KA. The <code>kolla-genpwd</code> command populates it.</p>
<pre><code class="language-bash">cp ~/kolla-ansible/etc/kolla/passwords.yml /etc/kolla
kolla-genpwd
</code></pre>
<h2>Ansible Inventory</h2>
<p>The KA Ansible inventory defines which roles will be assigned to which hosts.
The all-in-one inventory file assigns all roles to localhost.</p>
<pre><code class="language-bash">cp ~/kolla-ansible/ansible/inventory/all-in-one /etc/kolla/inventory
</code></pre>
<hr>
<h1>Install OpenStack using Kolla-Ansible</h1>
<p>First run the bootstrap command to install docker and tune the server. In older
branches it will add the wrong key for the apt repo, so do that yourself.</p>
<pre><code class="language-bash">kolla-ansible certificates
kolla-ansible -i /etc/kolla/inventory bootstrap-servers
kolla-ansible -i /etc/kolla/inventory deploy
kolla-ansible -i /etc/kolla/inventory post-deploy
</code></pre>
<h2>Install the OpenStack Command Line</h2>
<p>This will enable the <code>openstack</code> command.</p>
<pre><code class="language-bash">pip install python-openstackclient python-neutronclient python-magnumclient
</code></pre>
<p>To configure the OpenStack CLI, source the openrc file that was created by KA's
post-deploy step.</p>
<pre><code class="language-bash">source /etc/kolla/admin-openrc.sh
</code></pre>
<hr>
<h1>Overcloud Cluster Configuration</h1>
<p>Now that the undercloud is functional and the OpenStack services are running,
its time to configure the overcloud to be useful.</p>
<p>These commands are ran directly on the new virtual OpenStack host.</p>
<h2>Source the Admin OpenRC file</h2>
<p>Kolla-Ansible's post-deploy task created an openrc file which can be used to
authenticate as the admin user it created. It's a good idea to make your own
user and openrc file, but for now this will do.</p>
<pre><code class="language-bash">source /etc/kolla/admin-openrc.sh
</code></pre>
<h2>Create a Cinder Volume Type</h2>
<p>If no cinder volume type has been created, one must be made. These is required
for Magnum and for other storage backends, and also good practice.</p>
<pre><code class="language-bash">openstack volume type create --public local-lvm
</code></pre>
<h2>Create a Flat Provider Network</h2>
<p>Since this is OpenStack on OpenStack, using VLANs for the provider network is
more trouble than its worth. Make a flat network that shares the hosts
interface to provide workloads external network connectivity.</p>
<pre><code class="language-bash">openstack network create --share --external --disable-port-security \
  --provider-physical-network physnet1 --provider-network-type flat \
  infra-net

openstack subnet create \
  --no-dhcp --network infra-net \
  --allocation-pool start=10.100.202.180,end=10.100.202.199 \
  --subnet-range 10.100.202.0/24 \
  infra-subnet
</code></pre>
<h2>Up the interface</h2>
<p><code>physnet1</code> is bound to <code>ens6</code> in this example, but that interface is down. Start
the interface.</p>
<pre><code class="language-bash">ip link set dev ens6 up
</code></pre>
<p>This is sort of a pain since it doesn't happen on reboot. There's a
<a href="https://bugs.launchpad.net/netplan/+bug/1763608">bug</a> in netplan about it, so
you can't just make a netplan entry.</p>
<p>One solution would be to make a crontab entry for <code>@reboot</code>, but I won't be
covering that here.</p>
<h2>Create a VXLAN for workloads</h2>
<p>Create a VXLAN for VMs to use and plug it into the host's network using the
flat provider network.</p>
<pre><code class="language-bash">openstack network create vx1-net

openstack subnet create --network vx1-net --dhcp \
  --subnet-range 192.168.0.0/24 vx1-subnet

openstack router create --no-ha vx1-router
openstack router set --external-gateway infra-net vx1-router
openstack router add subnet vx1-router vx1-subnet
</code></pre>
<p>This flat provider network will now provide outbound internet access and the
ability to connect into workloads using floating IP addresses.</p>
<h2>Create a flavor</h2>
<pre><code class="language-bash">openstack flavor create tiny --disk 1 --vcpus 1 --ram 256
</code></pre>
<h2>Create an image</h2>
<p>This is the template used to launch our test VM</p>
<pre><code class="language-bash">wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img
apt-get install -y qemu-utils
qemu-img convert -f qcow2 -O raw cirros-0.4.0-x86_64-disk.img cirros.raw
openstack image create --container-format bare --disk-format raw \
  --file cirros.raw --public "cirros"
</code></pre>
<h2>Open up the firewall</h2>
<p>Get the ID of the security group for the scoped project, in this case <code>admin</code>,
then open up ICMP, TCP, and UDP for that project.</p>
<pre><code>proj_id=$(openstack project list | grep admin | awk '{print $2}')
group_id=$(openstack security group list | grep $proj_id | awk '{print $2}')

openstack security group rule create --proto icmp $group_id
openstack security group rule create --proto tcp --dst-port 1:65535 $group_id
openstack security group rule create --proto udp --dst-port 1:65535 $group_id
</code></pre>
<hr>
<h1>Create a test VM</h1>
<pre><code class="language-bash">openstack server create --image cirros --flavor tiny --network vx1-net test
# This server was assigned 192.168.0.13

openstack floating ip create infra-net
# The floating IP created was 10.100.202.226

openstack server add floating ip \
  --fixed-ip-address 192.168.0.13 test 10.100.202.226
</code></pre>
<p>You can now ping or SSH to your VM. The cloud is ready for use.</p>


<p>Google Cloud Storage has a feature where storage buckets can be used as a cost
effective web server. It can only host static sites, but that works just fine
for anything with all the logic on the client side.</p>
<p>Hosting a static website using Cloud Storage is <strong>extremely affordable</strong>.</p>
<p>This site is using this approach for hosting.</p>
<p><a href="https://cloud.google.com/storage/docs/hosting-static-website">The official documentation can be found here</a>.</p>
<hr>
<h3>Table of Contents</h3>
<ul>
<li><a href="#pricing">Pricing</a></li>
<li><a href="#add-the-domain-to-google-search-console">Add the Domain to Google Search Console</a></li>
<li><a href="#link-the-domain-name-to-your-storage-bucket">Link the Domain Name to Your Storage Bucket</a>
<ul>
<li><a href="#update-dns-cname-record">Update DNS CNAME Record</a></li>
<li><a href="#create-a-storage-bucket-with-matching-name">Create a Storage Bucket with Matching Name</a></li>
<li><a href="#configure-storage-bucket-for-access-control--index-file">Configure Storage Bucket for Access Control &#x26; Index File</a>
<ul>
<li><a href="#update-cloud-storage-bucket-permissions">Update Cloud Storage Bucket Permissions</a></li>
<li><a href="#configure-indexhtml-as-the-mainpagesuffix">Configure index.html as the MainPageSuffix</a></li>
<li><a href="#set-the-default-acl-for-the-bucket">Set the default ACL for the bucket</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#push-site-content-to-cloud-storage">Push Site Content to Cloud Storage</a></li>
</ul>
<h1>Pricing</h1>
<p><a href="https://cloud.google.com/storage/pricing">Find the latest pricing data from Google here</a>.</p>
<p>Google doesn't seem to actually charge for the static website hosting feature
of Cloud Storage. Instead, it just bills you for the storage usage. Notable is
that the operation usage cost will be far higher, and the data storage cost far
lower than in a typical Cloud Storage use case.</p>
<p>These prices are rough and there are lots of edge cases:</p>
<ul>
<li><strong>Data Storage</strong>: Free for the first 5GB, which will cover basically any
website. After that it's around  $0.026 US / GB / Month.</li>
<li><strong>Network Egress</strong>: Around $0.12/ GB</li>
<li><strong>Operations</strong>: This one will be higher. Every file served is an operation.
This includes the .html files, each image, the .css files, and so on. A CDN
such as <a href="https://dash.cloudflare.com/">Cloudflare</a> can help reduce the number
of read operations. After the first 50,000 free reads, Cloud Storage will
charge $0.004 / 10,000 operations.</li>
</ul>
<p>As you can see, for anything but hugely popular sites this will usually work
out to <em>almost free</em>.</p>
<hr>
<h1>Add the Domain to Google Search Console</h1>
<p>A DNS TXT record containing a special string needs to be assigned to the domain
name that will be applied to the storage bucket. This is used to confirm
ownership of the domain.</p>
<p><strong>To add the domain to the search console:</strong></p>
<ol>
<li>Open the <a href="https://search.google.com/search-console/welcome">Google Search Console</a></li>
<li>Enter your domain name</li>
<li>Copy the TXT record they gave you and apply it to your domain. In Cloudflare
you go to your site, click DNS, Add Record, TXT. For kyle.pericak.com I used
<code>kyle</code> as the "Name" and the string from Google as the "Content". TTL Auto.</li>
<li>Go back to the search console page and verify</li>
<li>Click the link to go to your domain</li>
</ol>
<p>The domain name can now be bound to a Cloud Storage bucket.</p>
<p><strong>Note:</strong> I had a really hard time doing this with GoDaddy. The TXT change
would not propagate even after over 24 hours. I transferred my domain to
<a href="https://cloudflare.com/">Cloudflare</a>. Their updates apply basically right
away!</p>
<p>See also: <a href="/dns-xfer-godaddy-cloudflare">How I transferred the domain from GoDaddy to Cloudflare</a>.</p>
<hr>
<h1>Link the Domain Name to Your Storage Bucket</h1>
<h2>Update DNS CNAME Record</h2>
<p>Update the subdomain CNAME record to point to Google's API URL.
In Cloudflare I made a CNAME entry for <code>kyle.pericak.com</code> that looked like
this:</p>
<ul>
<li>Name: <code>kyle</code></li>
<li>Content: <code>c.storage.googleapis.com</code></li>
</ul>
<h2>Create a Storage Bucket with Matching Name</h2>
<p>Go to the <a href="https://console.cloud.google.com/storage/browser">Google Cloud Storage Browser</a>.
Click Create Bucket up at the top.</p>
<ol>
<li>Enter your FQDN in the bucket name. For example, I used <code>kyle.pericak.com</code></li>
<li>Location Type: Region</li>
<li>Location: northamerica-northeast1</li>
<li>Storage Class: standard</li>
<li>Access Control: Per-object (not bucket-only)</li>
<li>Encryption: Google managed keys</li>
<li>Create</li>
</ol>
<p>The storage bucket now exists and is ready to host the static content.</p>
<h2>Configure Storage Bucket for Access Control &#x26; Index File</h2>
<h3>Update Cloud Storage Bucket Permissions</h3>
<p>Permit everyone to read the website files from Cloud Storage:</p>
<ol>
<li>From the sidebar go Storage</li>
<li>Click the 3 dots to the right of this storage bucket</li>
<li>Edit Bucket Permissions</li>
<li>New Members: <code>allUsers</code></li>
<li>Add the role <code>Storage Object Viewer</code></li>
</ol>
<h3>Configure index.html as the MainPageSuffix</h3>
<p>Cloud Storage doesn't know where the page root is by default. Define it:</p>
<ol>
<li>Click on the 3 dots to the right of the bucket name</li>
<li>Click Edit Website Configuration</li>
<li>Main page: index.html</li>
</ol>
<h3>Set the default ACL for the bucket</h3>
<p>If this isn't done then the website will show XML with an error stating
<code>Anonymous caller does not have storage.objects.list access</code>.</p>
<p><strong>Option 1: Using gsutil:</strong></p>
<pre><code class="language-bash">gsutil defacl ch -u AllUsers:R gs://kyle.pericak.com
</code></pre>
<p><strong>Option 2: From the web UI:</strong></p>
<ol>
<li>Open <a href="https://console.cloud.google.com/storage/">console.cloud.google.com/storage/</a>.</li>
<li>Go to the bucket named after the domain</li>
<li>Permissions</li>
<li>The permissions can be modified here.</li>
</ol>
<hr>
<h1>Push Site Content to Cloud Storage</h1>
<p>While its possible to manually upload each file using the web UI, it would be
super tedious.</p>
<p>Run the <code>gsutil rsync</code> module to upload files at all once.
Note that <code>$dst_url</code> is pointing at my domain-associated cloud storage bucket.</p>
<pre><code class="language-bash"># -r    recurse - sync directories
# -c    compare checksums instead of mtime
# -d    Delete extra files under dst_url not found under src_url
src_url="./output"
dst_url="gs://kyle.pericak.com"
gsutil -m rsync -r -c -d $src_url $dst_url
</code></pre>


<h3>Table of Contents</h3>
<ul>
<li><a href="#pricing">Pricing</a></li>
<li><a href="#write-the-cloud-build-file">Write the Cloud Build file</a></li>
<li><a href="#iam-roles">IAM Roles</a>
<ul>
<li><a href="#docker-image-to-cloud-registry">Docker Image to Cloud Registry</a></li>
<li><a href="#static-website-to-google-cloud-storage">Static Website to Google Cloud Storage</a></li>
</ul>
</li>
<li><a href="#define-cloud-build-triggers">Define Cloud Build Triggers</a></li>
</ul>
<h1>Pricing</h1>
<p>Current pricing data can be found <a href="https://cloud.google.com/cloud-build/pricing">here</a>.</p>
<ul>
<li>For the first 120 builds in a day, cloud build is <strong>free</strong>.</li>
<li>each build after the free quota costs $0.003 US / build-minute when using the
single core build server with no additional SSD storage</li>
</ul>
<h1>Write the Cloud Build file</h1>
<p>Google Cloud Build uses a file, <code>cloudbuild.yml</code>, to define the tasks that will
be executed when a build is triggered.</p>
<p>The online references for the syntax are pretty good:</p>
<ul>
<li><a href="https://cloud.google.com/cloud-build/docs/build-config">Google's Cloud-Build Documentation</a></li>
<li><a href="https://cloud.google.com/cloud-build/docs/configuring-builds/substitute-variable-values">Variables Available in cloudbuild.yaml</a></li>
</ul>
<p>Below are some example configuration files used for this site.</p>
<h1>IAM Roles</h1>
<p><a href="https://cloud.google.com/cloud-build/docs/securing-builds/configure-access-control">Official Documentation</a></p>
<ul>
<li>Cloud Build Editor</li>
<li>Cloud Build Viewer</li>
</ul>
<h2>Docker Image to Cloud Registry</h2>
<p>Cloud Build is great for keeping your Docker Registry images aligned with your
version control code.</p>
<p>In this example I use Cloud Build to build and push a <a href="/docker-pelican-image">pelican image</a>
to the <a href="/google-container-registry">Google Container Registry</a>.</p>
<p>Be sure to keep the Dockerfile code in version control. Aside from being a good
idea in general, Cloud Build can also use Git commits as a build trigger.
<a href="https://github.com/kylep/pelican">Here's my Pelican Docker image repository</a>.</p>
<pre><code class="language-yaml">steps:
- name: 'gcr.io/cloud-builders/docker'
  args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/pelican', '.' ]
images:
- 'gcr.io/$PROJECT_ID/pelican'
</code></pre>
<h2>Static Website to Google Cloud Storage</h2>
<p>Another use for Cloud Builder is to generate static website files and then sync
them up with Cloud Storage every time the source control files or template are
changed.</p>
<p>Here's an example that triggers when I commit code to my
<a href="https://github.com/kylep/kyle.pericak.com">blog content git repository</a>. It
copies the content into <code>/workspace</code> and uses the above pelican image to render
the content and output it to the <code>output/</code> directory.</p>
<p>Once the site content is generated, the next step uses the <code>gcloud</code> image's
<code>gsutil -m rsync</code> command to upload the files to the Google Storage Bucket.</p>
<hr>
<h1>Define Cloud Build Triggers</h1>
<p>Here's the procedure I used to link a Cloud Build trigger to my Pelican image.</p>
<ol>
<li>Go to <a href="https://console.cloud.google.com/cloud-build">Google Cloud-Build</a>.</li>
<li>On the left side-bar, navigate to Triggers</li>
<li>Add Trigger</li>
<li>Select source: GitHub</li>
<li>Authenticate: Log in if needed</li>
<li>Select Repository: This is the repo that will be watched for changes</li>
<li>Name: This is the name of the trigger</li>
<li>Description: Something like <code>Push to master branch</code></li>
<li>Trigger Type: <code>Branch</code></li>
<li>Branch: <code>master</code></li>
<li>Build Configuration: <code>cloudbuild.yaml</code></li>
<li><strong>Create Trigger</strong></li>
</ol>
<p>With this trigger in place, all pushes to the pelican project will trigger the
rebuilding of its image, followed by updating the image in GCR with the latest
changes.</p>


<h3>Table of Contents</h3>
<ul>
<li><a href="#why-use-google-container-registry">Why use Google Container Registry</a></li>
<li><a href="#pricing">Pricing</a></li>
<li><a href="#command-line">Command Line</a></li>
<li><a href="#authentication">Authentication</a>
<ul>
<li><a href="#create-a-service-account">Create a service account</a></li>
<li><a href="#authenticate-your-local-docker-client">Authenticate your local Docker client</a></li>
</ul>
</li>
<li><a href="#using-the-google-container-registry">Using the Google Container Registry</a>
<ul>
<li><a href="#pull-image">Pull Image</a></li>
<li><a href="#push-image">Push Image</a>
<ul>
<li><a href="#access-denied">Access Denied</a></li>
</ul>
</li>
<li><a href="#delete-an-image">Delete an Image</a></li>
</ul>
</li>
</ul>
<h1>Why use Google Container Registry</h1>
<p>The Google Container Registry is a SaaS version of the public <a href="https://hub.docker.com/_/registry">Registry</a>
docker image. It solves a number of problems that the public Docker image has.
Namely:</p>
<ul>
<li><strong>Authentication</strong>: GCR has built-in access controls, where the Registry image
does not. With the Docker Registry you need to put something like NGINX in
front of it to provide access control.</li>
<li><strong>HTTPS</strong>: Like with the authentication problem, Registry needs a reverse proxy
in front of it to serve a certificate. Also, you need to worry about
obtaining and maintaining the valid cert files. Without a valid cert, each
Docker client needs to list the registry as an insecure registry, which is
both insecure and inconvenient.</li>
<li><strong>Serverless</strong>: To host a traditional Docker registry, you need a public
server running Docker. With Google's Container Registry, there's no server to
maintain.</li>
<li><strong>Vulnerability Scanning</strong>: GCR can <a href="https://cloud.google.com/container-registry/docs/get-image-vulnerabilities">scan your images for security issues</a>.</li>
</ul>
<hr>
<h1>Pricing</h1>
<p>The pricing is well documented <a href="https://cloud.google.com/container-registry/pricing">here</a>,
and it has a lot of variables.</p>
<p>Basically though, it boils down to the following approximate costs:</p>
<ul>
<li><strong>Storage</strong>: $0.026 USD / GB / month</li>
<li><strong>Network</strong>: ~ $0.12 USD / GB</li>
<li><strong>Vulnerability Scanning</strong>: $0.26 per scanned image</li>
</ul>
<hr>
<h1>Command Line</h1>
<p>GCR can be managed from the web UI or the command line. I try and keep my steps
limited to the web UI, but the command line is really easy to use. You can find
its documentation <a href="https://cloud.google.com/sdk/gcloud/reference/container/images">here</a>.</p>
<hr>
<h1>Authentication</h1>
<p>Before you start, be sure to install:</p>
<ul>
<li><a href="https://cloud.google.com/sdk/">Google Cloud SDK</a></li>
<li><a href="https://docs.docker.com/install/">Docker</a></li>
</ul>
<p>To interact with Google Container Registry you need to first authenticate your
local Docker client. Usually this is done with the <code>docker login &#x3C;registry></code>
command, but that's not how it's done with Google container registry. Instead
we'll use the <code>gcloud</code> command line.</p>
<h2>Create a service account</h2>
<p>While this isn't strictly necessary, it's good practice.</p>
<p>The container registry uses GCS buckets to store the images. It doesn't have
dedicated roles, and instead uses the GCS roles. You can find a detailed list
of the roles <a href="https://cloud.google.com/container-registry/docs/access-control">here</a>.
The two important roles are <code>roles/storage.admin</code> for write and
<code>roles/storage.objectViewer</code> for read.</p>
<p>To create the SA from the Google Cloud Web UI:</p>
<ol>
<li>Open the <a href="https://console.cloud.google.com/iam-admin/serviceaccounts">IAM Service Accounts page</a></li>
<li>If needed, select or create your project</li>
<li>Click <code>Create Service Account</code></li>
<li>Create a member, such as <code>gcr-readonly</code> or <code>gcr-admin</code>.
When possible, its nice to have the account name and account ID match.</li>
<li>Assign a useful description to the service-account.</li>
<li>Assign a role. <code>Storage Object Viewer</code> grants read access and
<code>Storage Admin</code>.</li>
<li>Create and download a key. Name it something like <code>gcr-readonly.json</code>.</li>
</ol>
<h2>Authenticate your local Docker client</h2>
<p>Use the <code>gcloud</code> tool to deploy some <code>credHelpers</code> to <code>~/.docker/config.json</code>.</p>
<pre><code class="language-bash">gcloud auth configure-docker --project &#x3C;project name>
</code></pre>
<p>Next up, it's time to authenticate.</p>
<p>You could run <code>gcloud auth login</code>, but that doesn't use the service account we
just created and also requires a browser to open a generated link.</p>
<p>Instead, use the service account's JSON file generated in the above step with
the <code>--key-file</code> argument as follows:</p>
<pre><code class="language-bash">gcloud auth activate-service-account --key-file /vagrant/auth/gcr-readonly.json
</code></pre>
<p>If successful, you'll get a confirmation message:</p>
<pre><code class="language-bash">Activated service account credentials for: [gcr-readonly@*.gserviceaccount.com]
</code></pre>
<hr>
<h1>Using the Google Container Registry</h1>
<p>The GCR works just like any other registry once you've ran the <code>gcloud auth</code>
command. You don't need to run any <code>docker login</code> command.</p>
<h2>Pull Image</h2>
<p>Here's how to pull a Pelican image from GCR:</p>
<pre><code class="language-bash">docker pull gcr.io/myProject/pelican
</code></pre>
<h2>Push Image</h2>
<p>It's pretty straightforward. Replace <code>myProject</code> with your project name.</p>
<p>In this example I add a tag to my pelican image, calling it <code>pelican2</code>, and
push it up to the registry as a new image. You'd normally make your own Docker
image.</p>
<pre><code class="language-bash">sudo docker tag gcr.io/myProject/pelican gcr.io/myProject/pelican2
sudo docker push gcr.io/myProject/pelican2
</code></pre>
<p>If you didn't get an error, then the image is now pushed.</p>
<h3>Access Denied</h3>
<p>If you receive the following message, your user account lacks write access:</p>
<pre><code class="language-text">denied: Token exchange failed for project 'myProject'. Caller does not have permission 'storage.buckets.get'.
</code></pre>
<p>To resolve this, create a service account  with the role <code>roles/storage.admin</code>.
If there's a finer grained access level to permit this, I'd be interested to
hear about it.</p>
<pre><code class="language-bash">gcloud auth activate-service-account --key-file /vagrant/auth/gcr-admin.json
sudo docker push gcr.io/kylepericak/pelican2
</code></pre>
<h2>Delete an Image</h2>
<p>At the time of writing this, there's a warning in the cloud UI saying that you
can't delete images unless you use the CLI.</p>
<p>Here's how to do that. Be sure to replace <code>myProject</code> with your project.</p>
<pre><code class="language-bash"># List current images
gcloud config set project myProject

# Ignore this warning if you're using a service account:
# WARNING: You do not appear to have access to project [myProject] or it does not exist.

# Delete the image
cloud container images delete gcr.io/myProject/pelican2
</code></pre>


Kyle Pericak

"It works in my environment"

Categories

Tags