allomov
10/4/2013 - 4:04 PM

create_secure_groups_openstack

create_secure_groups_openstack

---
name: microbosh-openstack

logging:
  level: DEBUG

network:
  type: dynamic
  vip: <...>  # free floating IP
  cloud_properties:
    net_id: <...>

resources:
  persistent_disk: 20480
  cloud_properties:
    instance_type: m1.small

cloud:
  plugin: openstack
  properties:
    openstack:
      auth_url: <...>
      username: <...>
      api_key: <...>
      tenant: <...>
      default_security_groups: ["ssh", "bosh"]
      default_key_name: microbosh
      private_key: "/home/ubuntu/.ssh/microbosh"

apply_spec:
  properties:
    director:
      max_threads: 3
    hm:
      resurrector_enabled: true
    ntp:
      - 0.north-america.pool.ntp.org
      - 1.north-america.pool.ntp.org
# scp /home/ubuntu/.ssh/microbosh

sudo apt-get -y install libmysqlclient-dev libxslt-dev libxml2-dev libpq-dev libsqlite3-dev genisoimage

\curl -sSL https://get.rvm.io | bash
rvm install 1.9.3
gem install --no-ri --no-rdoc bosh_cli
gem install --no-ri --no-rdoc bosh_cli_plugin_micro



wget http://bosh-jenkins-artifacts.s3.amazonaws.com/bosh-stemcell/openstack/bosh-stemcell-latest-openstack-kvm-ubuntu.tgz
bosh upload stemcell bosh-stemcell-latest-openstack-kvm-ubuntu.tgz



# install spiff
sudo apt-get install go
mkdir $HOME/go
echo "export GOPATH=\$HOME/go" >> ~/.bashrc
echo "export PATH=\$PATH:$GOPATH/bin" >> ~/.bashrc
source ~/.bashrc
go get github.com/cloudfoundry-incubator/spiff

# install cf-release
git clone https://github.com/cloudfoundry/cf-release.git
cd cf-release
git checkout v176
./update
bosh upload release releases/cf-176.yml
./generate_deployment_manifest openstack templates/cf-minimal-dev.yml ~/deployments/cf-lomov/cf-openstack.yml > ~/deployments/cf-lomov/cf.yml
bosh deployment ~/deployments/cf-lomov/cf.yml





sudo apt-get install python-novaclient
# . "./etc/localrc" # load password and etc.

export OS_USERNAME=admin
export OS_PASSWORD=$ADMIN_PASSWORD
export OS_TENANT_NAME=demo
export OS_AUTH_URL=http://192.168.100.2:5000/v2.0

nova secgroup-add-rule default udp 68 68 0.0.0.0/0

nova secgroup-create ssh "SSH"
nova secgroup-add-rule ssh tcp 22 22 0.0.0.0/0
nova secgroup-add-rule ssh icmp -1 -1 0.0.0.0/0
nova secgroup-add-rule ssh udp 68 68 0.0.0.0/0


# All ports (from 1 to 65535) where the source group is the current security group
# Port 22 from source 0.0.0.0/0 (CIDR): Used for inbound SSH access
# Port 53 from source 0.0.0.0/0 (CIDR): Used for inbound DNS requests
# Port 4222 from source 0.0.0.0/0 (CIDR): Used by NATS
# Port 6868 from source 0.0.0.0/0 (CIDR): Used by BOSH Agent
# Port 25250 from source 0.0.0.0/0 (CIDR): Used by BOSH Blobstore
# Port 25555 from source 0.0.0.0/0 (CIDR): Used by BOSH Director
# Port 25777 from source 0.0.0.0/0 (CIDR): Used by BOSH Registry


nova secgroup-create bosh "BOSH"
nova secgroup-add-group-rule bosh bosh tcp 1 65535 
nova secgroup-add-rule bosh tcp 4222 4222 0.0.0.0/0
nova secgroup-add-rule bosh tcp 6868 6868 0.0.0.0/0
nova secgroup-add-rule bosh tcp 25250 25250 0.0.0.0/0
nova secgroup-add-rule bosh tcp 25555 25555 0.0.0.0/0
nova secgroup-add-rule bosh tcp 25777 25777 0.0.0.0/0
nova secgroup-add-rule bosh tcp 53 53 0.0.0.0/0
nova secgroup-add-rule bosh udp 53 53 0.0.0.0/0
nova secgroup-add-rule bosh udp 68 68 0.0.0.0/0


nova secgroup-create cf-public "cf-public"
nova secgroup-add-rule cf-public tcp 80 80 0.0.0.0/0
nova secgroup-add-rule cf-public tcp 443 443 0.0.0.0/0
nova secgroup-add-rule cf-public udp 68 68 0.0.0.0/0


nova secgroup-create cf-private "cf-private"
nova secgroup-add-group-rule cf-private cf-private tcp 1 65535 
nova secgroup-add-rule cf-private udp 68 68 0.0.0.0/0


# add ssh key to 
nova keypair-add microbosh > ~/.ssh/microbosh



nova dns-create-public-domain cf-lomov
name: lomov-cf

releases:
- name: cf
  version: 176



director_uuid: ab3dec87-3877-4169-97bc-5c62c765fe46

meta:
  # releases: ~
  # environment: ~
  # networks:
  #   cf1:
  #     type: manual
  #     subnets:
  #       - range: 192.168.115.0/24
  #         name: default
  #         reserved:
  #           - 192.168.115.0 - 192.168.115.10
  #         static:
  #           - 192.168.115.20 - 192.168.115.254
  #         gateway: 192.168.115.1
  #         dns:
  #           - 192.168.0.202
  #           - 8.8.8.8

  openstack:
    auth_url:  http://172.16.0.2:5000/v2.0
    username: lomov
    api_key: qwaszx
    tenant: CF-Lomov
    default_security_groups: ["lomov-ssh", "lomov-bosh", "lomov-cf-private", "lomov-cf-public"]
    default_key_name: microbosh

  stemcell:
    name: bosh-openstack-kvm-ubuntu
    version: 2427


  floating_static_ips:
    - 172.16.0.69
    # - 172.16.0.75 - 172.16.0.79

networks:
- name: floating
  type: vip
  cloud_properties: {}
- name: cf2
  type: vip
  cloud_properties: {}
- name: cf1
  type: manual
  subnets:
    - range: 192.168.115.0/24
      name: default
      default:
        - dns
        - gateway
      reserved:
      - 192.168.115.2 - 192.168.115.10
      static:
      - 192.168.115.20 - 192.168.115.254
      gateway: 192.168.115.1
      dns:
        - 192.168.0.202
        - 8.8.8.8
      cloud_properties: {}

properties:
  domain: lomov-cf.altoros.com
  cc:
    app_events:
      cutoff_age_in_days: 31
    app_usage_events:
      cutoff_age_in_days: 31
    audit_events:
      cutoff_age_in_days: 31
    billing_event_writing_enabled: true
    broker_client_timeout_seconds: 70
    buildpacks:
      resource_directory_key: cc-buildpacks
    bulk_api_password: B1gP_ss0rd
    client_max_body_size: 256M
    db_encryption_key: DB_ENG_CC
    default_app_memory: 1024
    default_quota_definition: default
    development_mode: false
    diego: false
    disable_custom_buildpacks: false
    droplets:
      resource_directory_key: cc-droplets
    hm9000_noop: false
    maximum_app_disk_in_mb: 2048
    packages:
      resource_directory_key: cc-packages
    process_group: cloud_controller
    quota_definitions:
      default:
        memory_limit: 10240
        non_basic_services_allowed: true
        total_routes: 1000
        total_services: 100
        trial_db_allowed: false
      runaway:
        memory_limit: 102400
        non_basic_services_allowed: true
        total_routes: 1000
        total_services: 100
        trial_db_allowed: false
    resource_pool:
      resource_directory_key: cc-resources
    srv_api_uri: http://api.lomov-cf.altoros.com
    staging_upload_password: Stg1ng
    staging_upload_user: staging
    tasks_disabled: false

  ccdb:
    db_scheme: postgres
    address: 0.data.cf1.cf.microbosh
    port: 5524
    roles:
      - tag: admin
        name: ccadmin
        password: c1oudc0w
    databases:
      - tag: cc
        name: ccdb
        citext: true

  databases:
    db_scheme: postgres
    address: 0.data.cf1.cf.microbosh
    port: 5524
    roles:
      - tag: admin
        name: ccadmin
        password: c1oudc0w
      - tag: admin
        name: uaaadmin
        password: c1oudc0w
    databases:
      - tag: cc
        name: ccdb
        citext: true
      - tag: uaa
        name: uaadb
        citext: true

  uaa:
    url: http://uaa.lomov-cf.altoros.com
    spring_profiles: postgresql
    no_ssl: true
    catalina_opts: -Xmx768m -XX:MaxPermSize=256m
    resource_id: account_manager
    jwt:
      signing_key: "-----BEGIN RSA PRIVATE KEY----- \nMIIEpQIBAAKCAQEA11TXSiFRMTwP5KOQSWZoh3Cv8ZhOrZ0uBwNX/qkZTOz/HMEy\n0zJj6sjTWRkQAUgC3bwA3FKXvwYXwSvgpktxGpKABH5EXb3ZC9KG/4ZhzG3n9LxP\nIngUCCRDdWkyoV8R6zjkyrVfpK8Hu1VA6SDdlxfKNvdGrdfqdldiNt1QjkGIQB/O\nNreOXB7w6lMV3GY5t5W3aBC9o2cpl6Ubwar1Nkvy8MY3V6gUCthS8gpaJn6cJF2A\n1NUWnYx66Mv9qUIG+DAtmTv65h+27OhMqs/lO3fj/RS4rrgHwHQNYism9fiE8dJZ\nHcr4w7YH7uAKVJZsrrKahdYvdm2b/koRIuUCRQIDAQABAoIBAQChG79AnZDr725M\nuPwZjt+ihnN9pWEokLOBV8UcqlRds+xkDUEDt23+mmdXAGNzMffDAwj5z2nt6JcZ\nVsTsZwGmyfmyYu6v3H1qVQfgYyEFHS4xdDsZJRKHzOoUDLNu/Xygq56y8+UtiC+W\nwACi7I4eoBQR8A0XwLaR+GtpdUjyRUJbllFZcP6Y5ohuDLXE0HV14WP1WUbN9GC1\nQELZh6u/PmMLwRNYqEegOA6XvTaG2BQO6niO/F22EYy2D8x9nduQVBp8L5wLnSL1\nbFuOk3VYDzU9Eulcgxomex41Eb7ixrgOqUWwVDBYXW4MfnQ7go/88LErcDkSNaQb\nGw3uHRWBAoGBAO02y1R9v8PBpFHgcx1fnAXujEUSGBTThQnmqFSHkunLGLWrlcXx\n6H5jmbWBrhMmxw16BiB+RZe6sHtVCp6l0AkscruN6QFSolB17ukg3Phb3EfEJwED\nXcwZ6ouustR8QjfRElHPuZZ9Q4zmu2DKGxbAgLPZftKqwhEWLBKttsdVAoGBAOhi\nZ6btEgVWt3f+b2uOz6QYRlf6Ho/m7raLhyF0fehRvhThgwVZCEScxe+FvwNTYium\n1INHbPYQ2+vSzMVIaT7YzesVU6mwwyXmjDR2cD9VmLi3Zej1FEJt7QXx1ArnsmxM\nu/RVm4OaMOovOVfzDTWVpT1peb6UhgjEeTUij28xAoGBAKIctFCFr6wkhhu+fG0y\njfov0ITTnMl+1IizrY43KNvGBJkDLlQcwnq9rqowebp04cv//HfwU7chysI+mAdb\n4hSi37X1gat5wZujPSbtYpYIkT4qe01h85QskfHr7iLw2IA0zYRDpd2GtcdxV9UJ\nygF+hXZjyRxHvmDW+j+5oBQRAoGBAN7CzgenA/pYKSF+poIdcRAlMPFO05MwVS5p\nzAyW5ccY7LSJhJZQxWs4OUmlFPj0KowbrWV2x42NlbOW7DJFepYDMEmktQFab4da\nXJZB3tHnlLGlJKzOmjAfvfFP4urdNh045YePtLbPzQoAYODdHZF7NN4MyOaW63Fm\nHaaAzaxRAoGAY3I3IzGUGiYbI4MZiqeUeRf1QyMjgkurfPJB21b5N7LDVnZ3VhiI\n0hhNp7xKCbn0TIqTbMq9UBQlAfyf4t1cZomKSFrg9euWKh50Z+2rwLfyMBeYLHqp\ns1q2Nsw0Q6zyPADaCPsSU5GhQvZI+rSFSIHdKwP6jrlX+/Zn6x3RWnA=\n-----END RSA PRIVATE KEY-----\n"
      verification_key: |
        -----BEGIN PUBLIC KEY-----

        MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA11TXSiFRMTwP5KOQSWZo

        h3Cv8ZhOrZ0uBwNX/qkZTOz/HMEy0zJj6sjTWRkQAUgC3bwA3FKXvwYXwSvgpktx

        GpKABH5EXb3ZC9KG/4ZhzG3n9LxPIngUCCRDdWkyoV8R6zjkyrVfpK8Hu1VA6SDd

        lxfKNvdGrdfqdldiNt1QjkGIQB/ONreOXB7w6lMV3GY5t5W3aBC9o2cpl6Ubwar1

        Nkvy8MY3V6gUCthS8gpaJn6cJF2A1NUWnYx66Mv9qUIG+DAtmTv65h+27OhMqs/l

        O3fj/RS4rrgHwHQNYism9fiE8dJZHcr4w7YH7uAKVJZsrrKahdYvdm2b/koRIuUC

        RQIDAQAB

        -----END PUBLIC KEY-----

    cc:
      client_secret: c1oudc0w
    admin:
      client_secret: c1oudc0w
    batch:
      username: batchuser
      password: c1oudc0w
    client:
      autoapprove:
      - cf
    clients:
      cf:
        override: true
        authorized-grant-types: password,implicit,refresh_token
        authorities: uaa.none
        scope: cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write
        access-token-validity: 7200
        refresh-token-validity: 1209600
      login:
        override: true
        scope: openid
        authorities: oauth.login
        secret: c1oudc0w
        authorized-grant-types: authorization_code,client_credentials,refresh_token
        redirect-uri: http://login.lomov-cf.altoros.com
      app-direct: 
        secret: c1oudc0w
      developer_console:
        secret: c1oudc0w
      notifications:
        secret: c1oudc0w
      servicesmgmt:
        secret: c1oudc0w
      space-mail:
        secret: c1oudc0w
      support-services:
        secret: c1oudc0w
    login:
      addnew: false
    scim:
      users:
      - admin|c1oudc0w|scim.write,scim.read,openid,cloud_controller.admin
      - services|c1oudc0w|scim.write,scim.read,openid,cloud_controller.admin
  uaadb:
    db_scheme: postgresql
    address: 0.data.cf1.cf.microbosh
    port: 5524
    roles:
    - tag: admin
      name: uaaadmin
      password: c1oudc0w
    databases:
    - tag: uaa
      name: uaadb
      citext: true

  loggregator_endpoint:
    host: 0.loggregator-trafficcontroller.cf1.cf.microbosh
    shared_secret: L0gregAt0rSecret

  nats:
    address: 0.core.cf1.cf.microbosh
    debug: false
    machines:
    - 0.core.cf1.cf.microbosh
    password: Natspass0wrd
    port: 4222
    trace: false
    use_gnatsd: true
    user: nats
  dea_next:
    directory_server_protocol: https
    disk_mb: 32768
    disk_overcommit_factor: 2
    evacuation_bail_out_time_in_seconds: 600
    instance_disk_inode_limit: 200000
    kernel_network_tuning_enabled: true
    memory_mb: 16368
    memory_overcommit_factor: 3
    staging_disk_inode_limit: 200000

  router:
    status:
      port: 8080
      password: P_ssw0td
      user: gorouter