Posts for: #Tech

Enabled blog comments

I’ve enabled blog comments using Disqus. This is something of an experiment, since (a) I’m not really happy with how Disqus is handling user registration these days and (b) I don’t know that I have the time to moderate anything. But we’ll see.


json-tools: cli for generating and filtering json

Interacting with JSON-based APIs from the command line can be difficult, and OpenStack is filled with REST APIs that consume or produce JSON. I’ve just put together a pair of tools for generating and filtering JSON on the command line, called collectively json-tools.

Both make use of the Python dpath module to populate or filter JSON objects.

The jsong command generates JSON on stdout. You provide /-delimited paths on the command line to represent the JSON structure. For example, if you run:


Quantum in Too Much Detail

I originally posted this article on the RDO website.

The players

This document describes the architecture that results from a particular OpenStack configuration, specifically:

  • Quantum networking using GRE tunnels;
  • A dedicated network controller;
  • A single instance running on a compute host.

Much of the document will be relevant to other configurations, but details will vary based on your choice of layer 2 connectivity, number of running instances, and so forth.

The examples in this document were generated on a system with Quantum networking but will generally match what you see under Neutron as well, if you replace quantum by neutron in names. The OVS flow rules under Neutron are somewhat more complex and I will cover those in another post.


Moving to GitHub

This blog has been hosted on scriptogram for the past year or so. Unfortunately, while I like the publish-via-Dropbox mechanism, there have been enough problems recently that I’ve finally switched over to using GitHub Pages for hosting. I’ve been thinking about doing this for a while, but the things that finally pushed me to make the change were:

  • Sync problems that would prevent new posts from appearing (and that at least once caused posts to disappear).
  • Lack of any response to bug reports by the site maintainers.

A benefit of the publish-via-Dropbox mechanism is, of course, that I already had all the data and didn’t need to go through any sort of export process.


A random collection of OpenStack Tools

I’ve been working with OpenStack a lot recently, and I’ve ended up with a small collection of utilities that make my life easier. On the odd chance that they’ll make your life easier, too, I thought I’d highlight them here.

Crux

Crux is a tool for provisioning tenants, users, and roles in keystone. Instead of a sequence of keystone commands, you can provision new tenants, users, and roles with a single command.


Why does the Neutron documentation recommend three interfaces?

The documentation for configuring Neutron recommends that a network controller has three physical interfaces:

Before you start, set up a machine to be a dedicated network node. Dedicated network nodes should have the following NICs: the management NIC (called MGMT_INTERFACE), the data NIC (called DATA_INTERFACE), and the external NIC (called EXTERNAL_INTERFACE).

People occasionally ask, “why three interfaces? What if I only have two?”, so I wanted to provide an extended answer that might help people understand what the interfaces are for and what trade-offs are involved in using fewer interfaces.


Automatic hostname entries for libvirt domains

Have you ever wished that you could use libvirt domain names as hostnames? So that you could do something like this:

$ virt-install -n anewhost ...
$ ssh clouduser@anewhost

Since this is something that would certainly make my life convenient, I put together a small script called virt-hosts that makes this possible. You can find virt-hosts in my virt-utils GitHub repository:

Run by itself, with no options, virt-hosts will scan through your running domains for interfaces on the libvirt default network, look those MAC addresses up in the corresponding default.leases file, and then generate a hosts file on stdout like this:


Interrupts on the PiFace

I recently acquired both a Raspberry Pi and a PiFace IO board. I had a rough time finding examples of how to read the input ports via interrupts (rather than periodically polling for values), especially for the newer versions of the PiFace python libraries.

After a little research, here’s some simple code that will print out pin names as you press the input buttons. Button 3 will cause the code to exit:

#!/usr/bin/python

import pifacecommon.core
import pifacecommon.interrupts
import time

quit = False

def print_flag(event):
    # Runs in the listener thread each time button 0, 1 or 2 is pressed.
    print('You pressed button {}.'.format(event.pin_num))

def stop_listening(event):
    # Runs in the listener thread; tells the main loop to exit.
    global quit
    quit = True

pifacecommon.core.init()

# GPIOB is the input ports, including the four buttons.
port = pifacecommon.core.GPIOB

listener = pifacecommon.interrupts.PortEventListener(port)

# set up listeners for all buttons
listener.register(0, pifacecommon.interrupts.IODIR_ON, print_flag)
listener.register(1, pifacecommon.interrupts.IODIR_ON, print_flag)
listener.register(2, pifacecommon.interrupts.IODIR_ON, print_flag)
listener.register(3, pifacecommon.interrupts.IODIR_ON, stop_listening)

# Start listening for events.  This spawns a new thread.
listener.activate()

# Hang around until someone presses button 3.
while not quit:
    time.sleep(1)

print('you pressed button 3 (quitting)')
listener.deactivate()

Generating a memberOf attribute for posixGroups

This showed up on #openstack earlier today:

2013-07-22T13:56:10  <m0zes> hello, all. I am looking to
setup keystone with an ldap backend. I need to filter
users based on group membership, in this case a
non-rfc2307 posixGroup. This means that memberOf doesn't
show up, and that the memberUid in the group is not a
dn. any thoughts on how to accomplish this?

It turns out that this is a not uncommon question, so I spent some time today working out a solution using the dynlist overlay for OpenLDAP.


Split concatenated certificates with awk

This is a short script that takes a list of concatenated certificates as input (such as a collection of CA certificates) and produces a collection of numbered files, each containing a single certificate.

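#!/bin/awk -f

# This script expects a list of concatenated certificates on input and
# produces a collection of individual numbered files each containing
# a single certificate.

BEGIN { incert = 0 }

# Start of a certificate: pick the next numbered output file.
/-----BEGIN( TRUSTED)? CERTIFICATE-----/ {
    certno++
    certfile = sprintf("cert-%d.crt", certno)
    incert = 1
}

# End of a certificate: write the END line, then close the file so that
# a large bundle does not exhaust the open file descriptors.
/-----END( TRUSTED)? CERTIFICATE-----/ {
    print >> certfile
    close(certfile)
    incert = 0
}

# Any line inside a certificate, including the BEGIN line itself.
incert == 1 { print >> certfile }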