Install KYPO Cyber Range Platform on OpenStack and Ubuntu in the AWS cloud

KYPO is a Cyber Range Platform (KYPO CRP) developed by Masaryk University since 2013. KYPO CRP is entirely based on state-of-the-art approaches such as containers, infrastructure as code, microservices, and open-source software, including the cloud provider technology OpenStack (source).

KYPO CRP is now part of CONCORDIA consortium. CONCORDIA H2020 is a dedicated consortium of over 52 partners from academia, industry and public bodies. The main objective of the project is to lead the integration of Europe’s excellent cybersecurity competencies into the network of expertise to build the European secure, resilient and trusted ecosystem for the Digital Sovereignty of Europe.

The CONCORDIA project released KYPO CRP as open source in 2020. The release of an open-source cyber range is part of CONCORDIA strategy to build the European Trusted, Secure and Resilient Ecosystem for Digital Sovereignty of Europe.

KYPO Cyber Range Platform is the European Commission’s Innovation Radar Prize Winner in the ‘Disruptive Tech’ category.

In this article, I describe how to install KYPO Cyber Range Platform (CRP) on Openstack and Ubuntu Server running on the AWS cloud. I installed OpenStack on Ubuntu with DevStack.

What is a Cyber Range?

A Cyber Range is a platform for cyber security research and education: a simulated representation of an organization's network, systems, tools, and applications, connected in an isolated environment.

A Cyber Range (a modelled network, a kind of digital twin of a real network) allows Adversary Emulation, a type of ethical hacking engagement in which the Red Team emulates how an adversary operates, using the same tactics, techniques, and procedures (TTPs) against a target organization.

The goal of these engagements is to improve education, but also the technology itself, and to support cyber security research.

Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization.

What is DevStack?

DevStack is a modular set of scripts that can be run to deploy a basic OpenStack cloud for use as a demo or test environment. The scripts can be run on a single node that is baremetal or a virtual machine. It can also be configured to deploy to multiple nodes. DevStack deployment takes care of tedious tasks like configuring the database and message queueing system, making it possible for developers to quickly and easily deploy an OpenStack cloud.

By default, the core services for OpenStack are installed, but users can configure additional services to be deployed. All services are installed from source. DevStack will pull the services from git master unless configured to clone from a stable branch (e.g. stable/pike).

DevStack installed keystone, glance, nova, placement, cinder, neutron, and horizon. But DevStack does not install heat, the OpenStack orchestration service, which KYPO CRP requires. So you have to configure DevStack to enable heat.

Ubuntu Server Installation on AWS Cloud

This is Ubuntu Server 20.04.3 LTS (HVM) with 4 vCPUs, 16 GB of RAM and a 55 GB SSD disk.

root# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

DevStack installation

I followed this official tutorial but also this article. So let’s go step by step.

ubuntu$ sudo apt update
Fetched 20.6 MB in 4s (5862 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
31 packages can be upgraded. Run 'apt list --upgradable' to see them.
ubuntu$ sudo apt -y upgrade
Found linux image: /boot/vmlinuz-5.11.0-1021-aws
Found initrd image: /boot/microcode.cpio /boot/initrd.img-5.11.0-1021-aws
Found linux image: /boot/vmlinuz-5.11.0-1020-aws
Found initrd image: /boot/microcode.cpio /boot/initrd.img-5.11.0-1020-aws
Found Ubuntu 20.04.3 LTS (20.04) on /dev/xvda1
Done
ubuntu$ sudo apt -y dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
ubuntu$ sudo reboot
ubuntu$ sudo useradd -s /bin/bash -d /opt/stack -m stack
ubuntu$ echo "stack ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/stack
ubuntu$ sudo su - stack
stack$ sudo su -
root$ su - stack
stack$ sudo apt -y install git
Reading package lists... Done
Building dependency tree
Reading state information... Done
git is already the newest version (1:2.25.1-1ubuntu3.2).
git set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
stack$ git clone https://git.openstack.org/openstack-dev/devstack
Cloning into 'devstack'...
warning: redirecting to https://opendev.org/openstack/devstack/
remote: Enumerating objects: 27621, done.
remote: Counting objects: 100% (27621/27621), done.
remote: Compressing objects: 100% (9258/9258), done.
remote: Total 47887 (delta 26959), reused 18363 (delta 18363), pack-reused 20266
Receiving objects: 100% (47887/47887), 10.19 MiB | 4.03 MiB/s, done.
Resolving deltas: 100% (33650/33650), done.
stack$ cd devstack
stack$ vi local.conf

Add:

[[local|localrc]]

# Password for KeyStone, Database, RabbitMQ and Service
ADMIN_PASSWORD=StrongAdminSecret
DATABASE_PASSWORD=$ADMIN_PASSWORD
RABBIT_PASSWORD=$ADMIN_PASSWORD
SERVICE_PASSWORD=$ADMIN_PASSWORD

Heat is configured by default on devstack for Icehouse and Juno releases. But as mentioned at the beginning, newer versions of OpenStack require enabling heat services in devstack local.conf. I followed this tutorial.

Add the following to [[local|localrc]] section of local.conf:

[[local|localrc]]

#Enable heat services
enable_service h-eng h-api h-api-cfn h-api-cw

Since Newton release, heat is available as a devstack plugin. To enable the plugin add the following to the [[local|localrc]] section of local.conf:

[[local|localrc]]

#Enable heat plugin
enable_plugin heat https://opendev.org/openstack/heat

I tried to use a stable branch by specifying the branch name to enable_plugin, but it didn't work for me, so I didn't add the following line.

enable_plugin heat https://opendev.org/openstack/heat stable/newton

It would also be useful to automatically download and register a VM image that heat can launch. To do that, add the following to the [[local|localrc]] section of local.conf:

IMAGE_URL_SITE="https://download.fedoraproject.org"
IMAGE_URL_PATH="/pub/fedora/linux/releases/33/Cloud/x86_64/images/"
IMAGE_URL_FILE="Fedora-Cloud-Base-33-1.2.x86_64.qcow2"
IMAGE_URLS+=","$IMAGE_URL_SITE$IMAGE_URL_PATH$IMAGE_URL_FILE

Disable the Ubuntu Firewall

stack$ sudo ufw disable

I then started the installation of Openstack.

stack$ ./stack.sh

This will take 15 to 20 minutes, depending largely on the speed of the internet connection. At the end of the installation process, you should see output like this:

=========================
DevStack Component Timing
(times are in seconds)
=========================
wait_for_service      16
pip_install          232
apt-get              264
run_process           27
dbsync                15
git_timed            286
apt-get-update         1
test_with_retry        5
async_wait            72
osc                  305
-------------------------
Unaccounted time     155
=========================
Total runtime        1378

=================
Async summary
=================
Time spent in the background minus waits: 367 sec
Elapsed time: 1378 sec
Time if we did everything serially: 1745 sec
Speedup:  1.26633

This is your host IP address: xxx.xxx.xxx.xxx
This is your host IPv6 address: ::1
Horizon is now available at http://xxx.xxx.xxx.xxx/dashboard
Keystone is serving at http://xxx.xxx.xxx.xxx/identity/
The default users are: admin and demo
The password: xxxxxxx

Services are running under systemd unit files.
For more information see:
https://docs.openstack.org/devstack/latest/systemd.html

DevStack Version: yoga
Change: f9a896c6e6afcf52e9a50613285940c26e353ba3 Rehome functions to enable Neutron's QoS service 2021-11-13 19:52:06 +0000
OS Version: Ubuntu 20.04 focal

2021-11-15 20:47:52.095 | stack.sh completed in 1378 seconds.

Copy the Horizon URL shown on the installation output and paste it into your web browser:

http://192.168.10.100/dashboard

Log in as the default user admin with the password you configured.

I have access to the Horizon web dashboard to manage VMs, networks, volumes, and images.

Before you can start running client commands, the OpenStack RC file must be downloaded from the Horizon dashboard and sourced in the current shell environment.

To download the OpenStack RC file, log in to the Horizon dashboard. Check that you are in the right project (admin in my case) and go to Project > API Access.

In the API Access section, use the “Download OpenStack RC File” link to save the “admin-openrc.sh” file on your desktop.

Copy the contents of the file to the server.

stack$ vi admin-openrc.sh

Source the file. As a security measure, the file does not contain the user password; you will be prompted for it when sourcing the file.

source admin-openrc.sh
Please enter your OpenStack Password for project admin as user admin:

Run a few OpenStack client commands just to confirm it is working. Check above all that the heat service is registered and running.

stack$ openstack service list
+----------------------------------+-------------+----------------+
| ID                               | Name        | Type           |
+----------------------------------+-------------+----------------+
| 0b293dc58885450bad190bbfe3bacc40 | nova_legacy | compute_legacy |
| 1c05400514e341d09bd5a973136a9789 | cinderv3    | volumev3       |
| 3049ac1cc4a84b81a41d9fdb559ce922 | heat        | orchestration  |
| 775998becd0142579289a613a4313e1a | keystone    | identity       |
| 840023d4bc6f4e75a7fdb6e7d49ed28e | placement   | placement      |
| b9a2b39775a94d4f8a5fdfb25b9e4dc1 | neutron     | network        |
| c7b83375dafa428cbc21ceafb8611fbe | heat-cfn    | cloudformation |
| e62bfc0c37774f8da910b3062df43d53 | cinder      | block-storage  |
| f2ffbf578599481295140dec77bcd549 | nova        | compute        |
| f619511aea824a59a76e66702de4e1c2 | glance      | image          |
+----------------------------------+-------------+----------------+

To avoid entering the password each time you source the RC file, you can optionally comment out the lines that prompt for the password and set it statically:

stack$ vi admin-openrc.sh
# With Keystone you pass the keystone password.
#echo "Please enter your OpenStack Password for project $OS_PROJECT_NAME as user $OS_USERNAME: "
#read -sr OS_PASSWORD_INPUT
#export OS_PASSWORD=$OS_PASSWORD_INPUT
export OS_PASSWORD='xxxxxxxxxxx'

You can copy the RC file to keystonerc_admin:

stack$ cp admin-openrc.sh keystonerc_admin
stack$ source keystonerc_admin
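Setting OS_PASSWORD statically, as above, leaves the Keystone admin password in a shell script that may end up world-readable or committed somewhere. The following is an added example, not code from the original post or from the OpenStack or KYPO projects: it keeps the Horizon-generated RC file unmodified, reads the password from a separate file that must be mode 0600 (or 0400) and not a symlink, and refuses anything looser. The file names admin-openrc.sh and admin.pw, and the exact prompt lines filtered out, are assumptions based on the RC file shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): source an OpenStack RC file
# without hard-coding OS_PASSWORD in it. The password lives in its own file,
# which read_secret only accepts when it is a regular, non-symlinked file with
# mode 0600 or 0400, so a world-readable copy is never picked up silently.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the first line of $1 (the secret) only if the file is safe to trust:
# regular file, not a symlink, mode 600 or 400. Otherwise print nothing, return 1.
read_secret() {
    local f="$1" mode
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "read_secret: $f: not a regular file" >&2
        return 1
    fi
    mode=$(file_mode "$f")
    case "$mode" in
        600|400) ;;
        *) echo "read_secret: $f has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
    head -n 1 "$f"
}

# Load the RC file ($1) with the password taken from the secret file ($2).
# The three interactive prompt lines Horizon puts in the RC file (echo, read,
# export OS_PASSWORD=$OS_PASSWORD_INPUT) are dropped; every other line, such as
# OS_AUTH_URL, OS_PROJECT_NAME and OS_USERNAME, is evaluated exactly as written.
load_openrc() {
    local rc="$1" secret="$2" pw
    [ -r "$rc" ] || { echo "load_openrc: cannot read $rc" >&2; return 1; }
    pw=$(read_secret "$secret") || return 1
    eval "$(grep -v -e 'Please enter your OpenStack Password' \
                    -e 'read -sr OS_PASSWORD_INPUT' \
                    -e 'OS_PASSWORD=\$OS_PASSWORD_INPUT' "$rc")"
    export OS_PASSWORD="$pw"
}

# Usage (assumed paths):
#   printf '%s\n' 'the-admin-password' > ~/admin.pw && chmod 600 ~/admin.pw
#   load_openrc ~/admin-openrc.sh ~/admin.pw && openstack service list
```

The password still reaches the OpenStack client through the environment, exactly as with the author's static export; what changes is that the RC file can be shared or copied around without carrying the secret, and a permission mistake on the secret file fails loudly instead of being ignored.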

You can run some other OpenStack client commands to confirm that everything is working properly:

stack$ openstack catalog list
+-------------+----------------+----------------------------------------------------------------------------+
| Name        | Type           | Endpoints                                                                  |
+-------------+----------------+----------------------------------------------------------------------------+
| nova_legacy | compute_legacy | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/compute/v2/d81af43ddd074376a8e7fff88d61c905  |
|             |                |                                                                            |
| cinderv3    | volumev3       | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/volume/v3/d81af43ddd074376a8e7fff88d61c905   |
|             |                |                                                                            |
| heat        | orchestration  | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/heat-api/v1/d81af43ddd074376a8e7fff88d61c905 |
|             |                |                                                                            |
| keystone    | identity       | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/identity                                     |
|             |                |                                                                            |
| placement   | placement      | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/placement                                    |
|             |                |                                                                            |
| neutron     | network        | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx:9696/                                        |
|             |                |                                                                            |
| heat-cfn    | cloudformation | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/heat-api-cfn/v1                              |
|             |                |                                                                            |
| cinder      | block-storage  | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/volume/v3/d81af43ddd074376a8e7fff88d61c905   |
|             |                |                                                                            |
| nova        | compute        | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/compute/v2.1                                 |
|             |                |                                                                            |
| glance      | image          | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/image                                        |
|             |                |                                                                            |
+-------------+----------------+----------------------------------------------------------------------------+

I checked the endpoint list to find the public endpoint of the orchestration service (heat).

stack$ openstack endpoint list
+----------------------------------+-----------+--------------+----------------+---------+-----------+------------------------------------------------+
| ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                            |
+----------------------------------+-----------+--------------+----------------+---------+-----------+------------------------------------------------+
| 064822424bfe4c4394951dce1832e316 | RegionOne | cinder       | block-storage  | True    | public    | http://xxx.xxx.xxx.xxx/volume/v3/$(project_id)s  |
| 11fbdcab6dfe42cb82c3ac4c3f61296a | RegionOne | nova         | compute        | True    | public    | http://xxx.xxx.xxx.xxx/compute/v2.1              |
| 2cb9561aa98a4c079d0c7f35ba347647 | RegionOne | keystone     | identity       | True    | public    | http://xxx.xxx.xxx.xxx/identity                  |
| 52bcd8dde6fb4f7b82d976cf71a0d37e | RegionOne | cinderv3     | volumev3       | True    | public    | http://xxx.xxx.xxx.xxx/volume/v3/$(project_id)s  |
| 82d29e1ceb464b7f831b84434ebb0be3 | RegionOne | glance       | image          | True    | public    | http://xxx.xxx.xxx.xxx/image                     |
| 98037666c0e74127ab713bd4865b062d | RegionOne | neutron      | network        | True    | public    | http://xxx.xxx.xxx.xxx:9696/                     |
| 9bda08ed79fe4fc399f94f6274ceaca0 | RegionOne | placement    | placement      | True    | public    | http://xxx.xxx.xxx.xxx/placement                 |
| cc35f42f35304534b83301f4fc70e778 | RegionOne | nova_legacy  | compute_legacy | True    | public    | http://xxx.xxx.xxx.xxx/compute/v2/$(project_id)s |
+----------------------------------+-----------+--------------+----------------+---------+-----------+------------------------------------------------+
stack$ openstack orchestration service list
+-----------------+-------------+--------------------------------------+-----------------+--------+----------------------------+--------+
| Hostname        | Binary      | Engine ID                            | Host            | Topic  | Updated At                 | Status |
+-----------------+-------------+--------------------------------------+-----------------+--------+----------------------------+--------+
| xxxxxxxxxxxxxxx | heat-engine | 5ffc9a0d-2756-462a-8da1-b5f2aeca165b | xxxxxxxxxxxxxxx | engine | 2021-11-15T21:40:55.000000 | up     |
| xxxxxxxxxxxxxxx | heat-engine | 54387f8e-44d7-4749-853a-c06d6be92ace | xxxxxxxxxxxxxxx | engine | 2021-11-15T21:40:55.000000 | up     |
+-----------------+-------------+--------------------------------------+-----------------+--------+----------------------------+--------+

KYPO CRP installation

OpenStack Requirements

First check the OpenStack requirements here.

root# openstack flavor create --ram 2048 --disk 20 --vcpus 1 csirtmu.tiny1x2
+----------------------------+--------------------------------------+
| Field                      | Value                                |
+----------------------------+--------------------------------------+
| OS-FLV-DISABLED:disabled   | False                                |
| OS-FLV-EXT-DATA:ephemeral  | 0                                    |
| description                | None                                 |
| disk                       | 20                                   |
| id                         | 69fb4a25-d8f3-4a5b-afbd-8a4823210733 |
| name                       | csirtmu.tiny1x2                      |
| os-flavor-access:is_public | True                                 |
| properties                 |                                      |
| ram                        | 2048                                 |
| rxtx_factor                | 1.0                                  |
| swap                       |                                      |
| vcpus                      | 1                                    |
+----------------------------+--------------------------------------+
stack$ wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img -P /tmp/
Resolving cloud-images.ubuntu.com (cloud-images.ubuntu.com)... 91.189.88.248, 91.189.88.247, 2001:67c:1360:8001::33, ...
Connecting to cloud-images.ubuntu.com (cloud-images.ubuntu.com)|91.189.88.248|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 568131584 (542M) [application/octet-stream]
Saving to: ‘/tmp/focal-server-cloudimg-amd64.img.1’

focal-server-cloudimg-amd64.img.1      100%[===========================================================================>] 541.81M  87.5MB/s    in 6.2s

2021-11-15 21:50:30 (88.1 MB/s) - ‘/tmp/focal-server-cloudimg-amd64.img.1’ saved [568131584/568131584]
stack$ openstack image create --disk-format qcow2 --container-format bare --public --property \
> os_type=linux --file /tmp/focal-server-cloudimg-amd64.img ubuntu-focal-x86_64

+------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field            | Value                                                                                                                                                                    |
+------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| container_format | bare                                                                                                                                                                     |
| created_at       | 2021-11-15T21:49:14Z                                                                                                                                                     |
| disk_format      | qcow2                                                                                                                                                                    |
| file             | /v2/images/f748c173-c9d7-4ded-92c2-d84d9d6bcd82/file                                                                                                                     |
| id               | f748c173-c9d7-4ded-92c2-d84d9d6bcd82                                                                                                                                     |
| min_disk         | 0                                                                                                                                                                        |
| min_ram          | 0                                                                                                                                                                        |
| name             | ubuntu-focal-x86_64                                                                                                                                                      |
| owner            | d81af43ddd074376a8e7fff88d61c905                                                                                                                                         |
| properties       | os_hidden='False', os_type='linux', owner_specified.openstack.md5='', owner_specified.openstack.object='images/ubuntu-focal-x86_64', owner_specified.openstack.sha256='' |
| protected        | False                                                                                                                                                                    |
| schema           | /v2/schemas/image                                                                                                                                                        |
| status           | queued                                                                                                                                                                   |
| tags             |                                                                                                                                                                          |
| updated_at       | 2021-11-15T21:49:14Z                                                                                                                                                     |
| visibility       | public                                                                                                                                                                   |
+------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Base Infrastructure

I then followed this tutorial that describes how to prepare the KYPO base infrastructure used by the KYPO Cyber Range Platform.

stack$ sudo apt install python3-pip openssh-client jq
Reading package lists... Done
Building dependency tree
Reading state information... Done
openssh-client is already the newest version (1:8.2p1-4ubuntu0.3).
openssh-client set to manually installed.
python3-pip is already the newest version (20.0.2-5ubuntu1.6).
The following NEW packages will be installed:
  jq libjq1 libonig5
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 313 kB of archives.
After this operation, 1062 kB of additional disk space will be used.
Get:1 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu focal/universe amd64 libonig5 amd64 6.9.4-1 [142 kB]
Get:2 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu focal-updates/universe amd64 libjq1 amd64 1.6-1ubuntu0.20.04.1 [121 kB]
Get:3 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu focal-updates/universe amd64 jq amd64 1.6-1ubuntu0.20.04.1 [50.2 kB]
Fetched 313 kB in 0s (2145 kB/s)
Selecting previously unselected package libonig5:amd64.
(Reading database ... 140023 files and directories currently installed.)
Preparing to unpack .../libonig5_6.9.4-1_amd64.deb ...
Unpacking libonig5:amd64 (6.9.4-1) ...
Selecting previously unselected package libjq1:amd64.
Preparing to unpack .../libjq1_1.6-1ubuntu0.20.04.1_amd64.deb ...
Unpacking libjq1:amd64 (1.6-1ubuntu0.20.04.1) ...
Selecting previously unselected package jq.
Preparing to unpack .../jq_1.6-1ubuntu0.20.04.1_amd64.deb ...
Unpacking jq (1.6-1ubuntu0.20.04.1) ...
Setting up libonig5:amd64 (6.9.4-1) ...
Setting up libjq1:amd64 (1.6-1ubuntu0.20.04.1) ...
Setting up jq (1.6-1ubuntu0.20.04.1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
stack$ sudo pip3 install pipenv
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
Collecting pipenv
  Downloading pipenv-2021.11.15-py2.py3-none-any.whl (3.6 MB)
     |████████████████████████████████| 3.6 MB 25.8 MB/s
Requirement already satisfied: virtualenv in /usr/local/lib/python3.8/dist-packages (from pipenv) (20.10.0)
Requirement already satisfied: setuptools>=36.2.1 in /usr/local/lib/python3.8/dist-packages (from pipenv) (59.1.0)
Collecting virtualenv-clone>=0.2.5
  Downloading virtualenv_clone-0.5.7-py3-none-any.whl (6.6 kB)
Requirement already satisfied: certifi in /usr/lib/python3/dist-packages (from pipenv) (2019.11.28)
Requirement already satisfied: pip>=18.0 in /usr/local/lib/python3.8/dist-packages (from pipenv) (21.3.1)
Requirement already satisfied: filelock<4,>=3.2 in /usr/local/lib/python3.8/dist-packages (from virtualenv->pipenv) (3.3.2)
Requirement already satisfied: platformdirs<3,>=2 in /usr/local/lib/python3.8/dist-packages (from virtualenv->pipenv) (2.4.0)
Requirement already satisfied: distlib<1,>=0.3.1 in /usr/local/lib/python3.8/dist-packages (from virtualenv->pipenv) (0.3.3)
Requirement already satisfied: six<2,>=1.9.0 in /usr/local/lib/python3.8/dist-packages (from virtualenv->pipenv) (1.16.0)
Requirement already satisfied: backports.entry-points-selectable>=1.0.4 in /usr/local/lib/python3.8/dist-packages (from virtualenv->pipenv) (1.1.1)
Installing collected packages: virtualenv-clone, pipenv
Successfully installed pipenv-2021.11.15 virtualenv-clone-0.5.7
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

Create application credentials as shown in this video. Be sure to generate the application credentials with the unrestricted parameter.

Once the application credentials are created, download the “app-cred-kypo-openrc.sh” file from the Horizon dashboard to your desktop and copy/paste the contents of the file to the server.

stack$ vi app-cred-kypo-openrc.sh

Source the file:

stack$ source app-cred-kypo-openrc.sh
stack$ git clone https://gitlab.ics.muni.cz/muni-kypo-crp/devops/kypo-crp-openstack-base.git
Cloning into 'kypo-crp-openstack-base'...
remote: Enumerating objects: 269, done.
remote: Counting objects: 100% (138/138), done.
remote: Compressing objects: 100% (80/80), done.
remote: Total 269 (delta 54), reused 129 (delta 47), pack-reused 131
Receiving objects: 100% (269/269), 78.56 KiB | 1.31 MiB/s, done.
Resolving deltas: 100% (111/111), done.
stack$ cd kypo-crp-openstack-base
stack$ pipenv install
Creating a virtualenv for this project...
Pipfile: /opt/stack/devstack/kypo-crp-openstack-base/Pipfile
Using /usr/bin/python3.8 (3.8.10) to create virtualenv...
⠴ Creating virtual environment...created virtual environment CPython3.8.10.final.0-64 in 235ms
  creator CPython3Posix(dest=/opt/stack/.local/share/virtualenvs/kypo-crp-openstack-base-5QbM23-5, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/opt/stack/.local/share/virtualenv)
    added seed packages: pip==21.3.1, setuptools==58.3.0, wheel==0.37.0
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator
✔ Successfully created virtual environment!
Virtualenv location: /opt/stack/.local/share/virtualenvs/kypo-crp-openstack-base-5QbM23-5
Installing dependencies from Pipfile.lock (5ccba9)...
  🐍   ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 61/61 — 00:01:39
To activate this project's virtualenv, run pipenv shell.
Alternatively, run a command inside the virtualenv with pipenv run.
stack$ pipenv shell
Creating a virtualenv for this project...
Pipfile: /opt/stack/Pipfile
Using /usr/bin/python3 (3.8.10) to create virtualenv...
⠋ Creating virtual environment...created virtual environment CPython3.8.10.final.0-64 in 619ms
  creator CPython3Posix(dest=/opt/stack/.local/share/virtualenvs/stack-mJieuOd4, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/opt/stack/.local/share/virtualenv)
    added seed packages: pip==21.3.1, setuptools==58.3.0, wheel==0.37.0
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator
✔ Successfully created virtual environment!
Virtualenv location: /opt/stack/.local/share/virtualenvs/stack-mJieuOd4
Creating a Pipfile for this project...
Launching subshell in virtual environment...
stack$  . /opt/stack/.local/share/virtualenvs/stack-mJieuOd4/bin/activate
((kypo-crp-openstack-base) ) stack$ pipenv sync

Installing dependencies from Pipfile.lock (5ccba9)...
  🐍   ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 0/0 — 00:00:00
All dependencies are now up-to-date!

Before moving on to the deployment, you need to obtain several configuration values that may be specific to your OpenStack instance.

stack$ openstack network list --external --column Name
+--------+
| Name   |
+--------+
| public |
+--------+
stack$ openstack image list --column Name
+---------------------------------+
| Name                            |
+---------------------------------+
| Fedora-Cloud-Base-33-1.2.x86_64 |
| cirros-0.5.2-x86_64-disk        |
| ubuntu-focal-x86_64             |
+---------------------------------+
stack$ openstack flavor list --column Name
+-----------+
| Name      |
+-----------+
| m1.tiny   |
| m1.small  |
| m1.medium |
| m1.large  |
| m1.nano   |
| m1.xlarge |
| m1.micro  |
| cirros256 |
| ds512M    |
| ds1G      |
| ds2G      |
| ds4G      |
+-----------+

Unset all the OS_* variables set by the previous source command:

stack$ unset "${!OS_@}"

Below is the default openstack-defaults.sh file.

stack$ cat openstack-defaults.sh
#!/usr/bin/env bash

export KYPO_HEAD_FLAVOR="standard.large"
export KYPO_HEAD_IMAGE="ubuntu-focal-x86_64"
export KYPO_HEAD_USER="ubuntu"
export KYPO_PROXY_FLAVOR="standard.medium"
export KYPO_PROXY_IMAGE="ubuntu-focal-x86_64"
export KYPO_PROXY_USER="ubuntu"
export DNS1="1.1.1.1"
export DNS2="1.0.0.1"

Modify this file and set the desired values for the images (<kypo_base_image>) and flavors (<kypo_base_flavor>). On my side, I removed the “standard.large” and “standard.medium” flavors. I replaced them with “m1.small” because my configuration is not very powerful.

stack$ cat openstack-defaults.sh
#!/usr/bin/env bash

export KYPO_HEAD_FLAVOR="m1.small"
export KYPO_HEAD_IMAGE="ubuntu-focal-x86_64"
export KYPO_HEAD_USER="ubuntu"
export KYPO_PROXY_FLAVOR="m1.small"
export KYPO_PROXY_IMAGE="ubuntu-focal-x86_64"
export KYPO_PROXY_USER="ubuntu"
export DNS1="1.1.1.1"
export DNS2="1.0.0.1"
stack$ source openstack-defaults.sh
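
The shipped openstack-defaults.sh refers to flavors ("standard.large", "standard.medium") that a DevStack deployment does not provide, so it pays to compare the file against what the cloud actually offers before running ./create-base.sh. The script below is an added example, not part of KYPO or the original post: the function names are mine, and the sample lists are copied from the listings above so the checks can run offline; validate_live queries a real OpenStack instead.

```bash
#!/usr/bin/env bash
# Added example (not KYPO project code): verify that every image, flavor and
# external network named in openstack-defaults.sh exists in the target cloud.
set -u

# Return 0 if $1 appears as a whole line in the newline-separated list $2.
name_in_list() {
  local needle="$1" list="$2"
  printf '%s\n' "$list" | grep -Fxq -- "$needle"
}

# Report one setting; returns 0 when the value exists, 1 when it is missing.
check_setting() {
  local var="$1" value="$2" kind="$3" available="$4"
  if name_in_list "$value" "$available"; then
    echo "OK       $var=$value ($kind exists)"
    return 0
  fi
  echo "MISSING  $var=$value (no such $kind; available: $(printf '%s' "$available" | tr '\n' ' '))"
  return 1
}

# Validate the whole set. Arguments: external network name, then the
# newline-separated lists of external networks, image names and flavor names.
# Reads KYPO_*_IMAGE / KYPO_*_FLAVOR from the environment, as left by
# `source openstack-defaults.sh`. Exit status = number of missing items.
validate_kypo_defaults() {
  local ext_net="$1" networks="$2" images="$3" flavors="$4"
  local failures=0
  check_setting EXTERNAL_NETWORK  "$ext_net"                network "$networks" || failures=$((failures+1))
  check_setting KYPO_HEAD_IMAGE   "${KYPO_HEAD_IMAGE:-}"   image   "$images"   || failures=$((failures+1))
  check_setting KYPO_PROXY_IMAGE  "${KYPO_PROXY_IMAGE:-}"  image   "$images"   || failures=$((failures+1))
  check_setting KYPO_HEAD_FLAVOR  "${KYPO_HEAD_FLAVOR:-}"  flavor  "$flavors"  || failures=$((failures+1))
  check_setting KYPO_PROXY_FLAVOR "${KYPO_PROXY_FLAVOR:-}" flavor  "$flavors"  || failures=$((failures+1))
  return "$failures"
}

# Query a live OpenStack (OS_* credentials must be sourced) and validate.
# `-f value -c Name` prints bare names, one per line, without table borders.
validate_live() {
  local ext_net="${1:-public}"
  validate_kypo_defaults "$ext_net" \
    "$(openstack network list --external -f value -c Name)" \
    "$(openstack image list -f value -c Name)" \
    "$(openstack flavor list -f value -c Name)"
}

# Constructed sample data, copied from the listings above, for an offline run.
SAMPLE_NETWORKS=$(printf '%s\n' public)
SAMPLE_IMAGES=$(printf '%s\n' Fedora-Cloud-Base-33-1.2.x86_64 cirros-0.5.2-x86_64-disk ubuntu-focal-x86_64)
SAMPLE_FLAVORS=$(printf '%s\n' m1.tiny m1.small m1.medium m1.large m1.nano m1.xlarge m1.micro cirros256 ds512M ds1G ds2G ds4G)

# Offline demo with the shipped defaults: the two "standard.*" flavors are
# reported as missing, so the function returns 2.
demo_shipped_defaults() {
  (
    export KYPO_HEAD_FLAVOR="standard.large" KYPO_PROXY_FLAVOR="standard.medium"
    export KYPO_HEAD_IMAGE="ubuntu-focal-x86_64" KYPO_PROXY_IMAGE="ubuntu-focal-x86_64"
    validate_kypo_defaults public "$SAMPLE_NETWORKS" "$SAMPLE_IMAGES" "$SAMPLE_FLAVORS"
  )
}

demo_shipped_defaults || echo "-> $? setting(s) missing; fix openstack-defaults.sh before ./create-base.sh"
```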

I checked the default Security Group Rules. I’m not sure whether I have to delete them or not. The tutorial is not clear on this point.

stack$ openstack security group rule list default
+--------------------------------------+-------------+-----------+-----------+------------+--------------------------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Remote Security Group                |
+--------------------------------------+-------------+-----------+-----------+------------+--------------------------------------+
| 38b8c48a-494c-49bd-bee3-51e2c415f30b | None        | IPv4      | 0.0.0.0/0 |            | d18b863a-0b8d-4110-878a-de40e24307a5 |
| 7e5ae97e-cb42-4024-aeef-ed631a2b567c | None        | IPv6      | ::/0      |            | None                                 |
| d8808eb1-1edc-4e3f-8ddb-7061927fe9a3 | None        | IPv6      | ::/0      |            | d18b863a-0b8d-4110-878a-de40e24307a5 |
| de4d2cce-2fee-4e01-b966-5f7420c5d484 | None        | IPv4      | 0.0.0.0/0 |            | None                                 |
+--------------------------------------+-------------+-----------+-----------+------------+--------------------------------------+

I then bootstrapped the Floating IPs and the Keypair. The results are saved into the kypo-base-params.yml file. The private key of the keypair is saved into <openstack-project>_kypo-base-key.key.

stack$ ./bootstrap.sh public
Floating IP kypo-base-head for network public does not exist. Creating...
Floating IP kypo-base-proxy for network public does not exist. Creating...
No keypair with a name or ID of 'admin_kypo-base-key' exists.
Creating keypair admin_kypo-base-key.
fingerprint: 86:8f:ea:34:dc:4b:bc:77:a8:6d:d5:7b:42:3c:a4:e4
name: admin_kypo-base-key
user_id: 042e20a21d0f4cf2a8473daf72ca2193
Private key for user access does not exist. Creating...
Generating RSA private key, 2048 bit long modulus (2 primes)
......................+++++
..+++++
e is 65537 (0x010001)
stack$ ./create-base.sh

2021-11-15 23:57:31Z [kypo-base-networking-stack]: CREATE_IN_PROGRESS  Stack CREATE started
2021-11-15 23:57:31Z [kypo-base-networking-stack.kypo-base-net]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:31Z [kypo-base-networking-stack.kypo-base-net]: CREATE_COMPLETE  state changed
2021-11-15 23:57:31Z [kypo-base-networking-stack.kypo-base-subnet]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:32Z [kypo-base-networking-stack.kypo-base-router-public]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:32Z [kypo-base-networking-stack.kypo-base-subnet]: CREATE_COMPLETE  state changed
2021-11-15 23:57:32Z [kypo-base-networking-stack.kypo-base-router-public-port]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:33Z [kypo-base-networking-stack.kypo-base-router-public-port]: CREATE_COMPLETE  state changed
2021-11-15 23:57:34Z [kypo-base-networking-stack.kypo-base-router-public]: CREATE_COMPLETE  state changed
2021-11-15 23:57:34Z [kypo-base-networking-stack.kypo-base-router-public-interface]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:36Z [kypo-base-networking-stack.kypo-base-router-public-interface]: CREATE_COMPLETE  state changed
2021-11-15 23:57:36Z [kypo-base-networking-stack]: CREATE_COMPLETE  Stack CREATE completed successfully
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| id                  | cb20a1c9-da98-4699-a14e-09b4d2ee78a4 |
| stack_name          | kypo-base-networking-stack           |
| description         | KYPO base networking.                |
| creation_time       | 2021-11-15T23:57:30Z                 |
| updated_time        | None                                 |
| stack_status        | CREATE_COMPLETE                      |
| stack_status_reason | Stack CREATE completed successfully  |
+---------------------+--------------------------------------+
2021-11-15 23:57:42Z [kypo-base-security-groups-stack]: CREATE_IN_PROGRESS  Stack CREATE started
2021-11-15 23:57:43Z [kypo-base-security-groups-stack.kypo-base-head-sg]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:43Z [kypo-base-security-groups-stack.kypo-base-head-sg]: CREATE_COMPLETE  state changed
2021-11-15 23:57:44Z [kypo-base-security-groups-stack.kypo-global-ingress-icmp]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:44Z [kypo-base-security-groups-stack.kypo-global-ingress-icmp]: CREATE_COMPLETE  state changed
2021-11-15 23:57:45Z [kypo-base-security-groups-stack.kypo-base-proxy-sg]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:45Z [kypo-base-security-groups-stack.kypo-base-proxy-sg]: CREATE_COMPLETE  state changed
2021-11-15 23:57:45Z [kypo-base-security-groups-stack.kypo-global-remote-security-groups]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:57Z [kypo-base-security-groups-stack.kypo-global-remote-security-groups]: CREATE_COMPLETE  state changed
2021-11-15 23:57:57Z [kypo-base-security-groups-stack]: CREATE_COMPLETE  Stack CREATE completed successfully
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| id                  | 0b52e47b-45d8-47cb-aa06-c204feedb038 |
| stack_name          | kypo-base-security-groups-stack      |
| description         | KYPO base security groups.           |
| creation_time       | 2021-11-15T23:57:42Z                 |
| updated_time        | None                                 |
| stack_status        | CREATE_COMPLETE                      |
| stack_status_reason | Stack CREATE completed successfully  |
+---------------------+--------------------------------------+
2021-11-15 23:58:00Z [kypo-head-stack]: CREATE_IN_PROGRESS  Stack CREATE started
2021-11-15 23:58:00Z [kypo-head-stack.kypo-head-port]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:58:01Z [kypo-head-stack.kypo-head-port]: CREATE_COMPLETE  state changed
2021-11-15 23:58:01Z [kypo-head-stack.kypo-head-floating-ip]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:58:01Z [kypo-head-stack.kypo-head]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:58:01Z [kypo-head-stack.kypo-head-floating-ip]: CREATE_COMPLETE  state changed
2021-11-15 23:58:06Z [kypo-head-stack.kypo-head]: CREATE_COMPLETE  state changed
2021-11-15 23:58:06Z [kypo-head-stack]: CREATE_COMPLETE  Stack CREATE completed successfully
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| id                  | 043f10e3-a13d-4e87-9732-e85e13eb6e6c |
| stack_name          | kypo-head-stack                      |
| description         | KYPO Head server.                    |
| creation_time       | 2021-11-15T23:58:00Z                 |
| updated_time        | None                                 |
| stack_status        | CREATE_COMPLETE                      |
| stack_status_reason | Stack CREATE completed successfully  |
+---------------------+--------------------------------------+
2021-11-15 23:58:12Z [kypo-proxy-jump-stack]: CREATE_IN_PROGRESS  Stack CREATE started
2021-11-15 23:58:12Z [kypo-proxy-jump-stack.kypo-proxy-jump-port]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:58:13Z [kypo-proxy-jump-stack.kypo-proxy-jump-port]: CREATE_COMPLETE  state changed
2021-11-15 23:58:13Z [kypo-proxy-jump-stack.kypo-proxy-jump-floating-ip]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:58:13Z [kypo-proxy-jump-stack.kypo-proxy-jump]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:58:14Z [kypo-proxy-jump-stack.kypo-proxy-jump-floating-ip]: CREATE_COMPLETE  state changed
2021-11-15 23:58:19Z [kypo-proxy-jump-stack.kypo-proxy-jump]: CREATE_COMPLETE  state changed
2021-11-15 23:58:19Z [kypo-proxy-jump-stack]: CREATE_COMPLETE  Stack CREATE completed successfully
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| id                  | 479af43a-a6f8-4413-8291-5ce03eb56a4b |
| stack_name          | kypo-proxy-jump-stack                |
| description         | KYPO Proxy Jump server.              |
| creation_time       | 2021-11-15T23:58:12Z                 |
| updated_time        | None                                 |
| stack_status        | CREATE_COMPLETE                      |
| stack_status_reason | Stack CREATE completed successfully  |
+---------------------+--------------------------------------+

I checked the stack list.

stack$ openstack stack list
+--------------------------------------+---------------------------------+-----------------+----------------------+--------------+
| ID                                   | Stack Name                      | Stack Status    | Creation Time        | Updated Time |
+--------------------------------------+---------------------------------+-----------------+----------------------+--------------+
| 479af43a-a6f8-4413-8291-5ce03eb56a4b | kypo-proxy-jump-stack           | CREATE_COMPLETE | 2021-11-15T23:58:12Z | None         |
| 043f10e3-a13d-4e87-9732-e85e13eb6e6c | kypo-head-stack                 | CREATE_COMPLETE | 2021-11-15T23:58:00Z | None         |
| 0b52e47b-45d8-47cb-aa06-c204feedb038 | kypo-base-security-groups-stack | CREATE_COMPLETE | 2021-11-15T23:57:42Z | None         |
| cb20a1c9-da98-4699-a14e-09b4d2ee78a4 | kypo-base-networking-stack      | CREATE_COMPLETE | 2021-11-15T23:57:30Z | None         |
+--------------------------------------+---------------------------------+-----------------+----------------------+--------------+

I checked the whole installation in the Horizon GUI dashboard.

I launched the Ansible scripts to test connectivity. PING and SSH are OK.

((kypo-crp-openstack-base) ) root@xxxxxxxx:~/kypo-crp-openstack-base# ./ansible-check-base.sh

PLAY [Check Base Stack] *********************************************************************************************************************************************************************************************************************

TASK [ping : Wait for ssh connection] *******************************************************************************************************************************************************************************************************
ok: [kypo-base-head]
ok: [kypo-base-proxy]

TASK [Try to reach the machine via ping] ****************************************************************************************************************************************************************************************************
ok: [kypo-base-head]
ok: [kypo-base-proxy]

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
kypo-base-head             : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
kypo-base-proxy            : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
((kypo-crp-openstack-base) ) root@xxxx:~/kypo-crp-openstack-base# ./ansible-user-access.sh

PLAY [Create Access for KYPO User] **********************************************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************************
ok: [kypo-base-proxy]

TASK [user : Ensure group kypo] *************************************************************************************************************************************************************************************************************
changed: [kypo-base-proxy]

TASK [Ensure user kypo] *********************************************************************************************************************************************************************************************************************
changed: [kypo-base-proxy]

TASK [Set authorized key for kypo user] *****************************************************************************************************************************************************************************************************
changed: [kypo-base-proxy]

TASK [Add kypo user to sudoers] *************************************************************************************************************************************************************************************************************
changed: [kypo-base-proxy]

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
kypo-base-proxy            : ok=5    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

All seems to be OK.

Now I have a problem. I rebooted my OpenStack server and I lost connectivity between the OpenStack host and the instance VMs. Ping and SSH were NOK.

After some research, I found that a DevStack environment is not persistent across server reboots.

DevStack provides a set of scripts for the automated installation of OpenStack on Ubuntu as well as Fedora Linux. It is a tool to help OpenStack developers quickly set up an OpenStack environment using scripts. These scripts automatically download or clone the required packages and repositories from the OpenStack website that are necessary for setting up an OpenStack cloud. One drawback of this approach is that the environment is not persistent across server reboots.

Newer versions of DevStack run their services as systemd units, so you can use systemctl to manage them. I checked the OpenStack services. All seem to be OK.

((kypo-crp-openstack-base) ) root@ip-172-31-6-66:~/kypo-crp-openstack-base# sudo systemctl list-units devstack@*
  UNIT                                  LOAD   ACTIVE SUB     DESCRIPTION
  devstack@c-api.service                loaded active running Devstack devstack@c-api.service
  devstack@c-sch.service                loaded active running Devstack devstack@c-sch.service
  devstack@c-vol.service                loaded active running Devstack devstack@c-vol.service
  devstack@dstat.service                loaded active running Devstack devstack@dstat.service
  devstack@etcd.service                 loaded active running Devstack devstack@etcd.service
  devstack@g-api.service                loaded active running Devstack devstack@g-api.service
  devstack@h-api-cfn.service            loaded active running Devstack devstack@h-api-cfn.service
  devstack@h-api.service                loaded active running Devstack devstack@h-api.service
  devstack@h-eng.service                loaded active running Devstack devstack@h-eng.service
  devstack@keystone.service             loaded active running Devstack devstack@keystone.service
  devstack@n-api-meta.service           loaded active running Devstack devstack@n-api-meta.service
  devstack@n-api.service                loaded active running Devstack devstack@n-api.service
  devstack@n-cond-cell1.service         loaded active running Devstack devstack@n-cond-cell1.service
  devstack@n-cpu.service                loaded active running Devstack devstack@n-cpu.service
  devstack@n-novnc-cell1.service        loaded active running Devstack devstack@n-novnc-cell1.service
  devstack@n-sch.service                loaded active running Devstack devstack@n-sch.service
  devstack@n-super-cond.service         loaded active running Devstack devstack@n-super-cond.service
  devstack@placement-api.service        loaded active running Devstack devstack@placement-api.service
  devstack@q-ovn-metadata-agent.service loaded active running Devstack devstack@q-ovn-metadata-agent.service
  devstack@q-svc.service                loaded active running Devstack devstack@q-svc.service

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

20 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

I also restarted all services, without any change.

sudo systemctl restart devstack@*

I checked the status of Open vSwitch.

((kypo-crp-openstack-base) ) root@ip-172-31-6-66:~/kypo-crp-openstack-base# ovs-vsctl show
95bd0929-30f8-42d8-9a66-699036952e8c
    Manager "ptcp:6640:127.0.0.1"
        is_connected: true
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port patch-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3-to-br-int
            Interface patch-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3-to-br-int
                type: patch
                options: {peer=patch-br-int-to-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3}
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port tapf147ff8d-9b
            Interface tapf147ff8d-9b
        Port tapc6517e8f-b0
            Interface tapc6517e8f-b0
        Port tap7e86de1c-70
            Interface tap7e86de1c-70
        Port patch-br-int-to-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3
            Interface patch-br-int-to-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3
                type: patch
                options: {peer=patch-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3-to-br-int}
    ovs_version: "2.13.3"
((kypo-crp-openstack-base) ) root@ip-172-31-6-66:~/kypo-crp-openstack-base# ovs-vsctl list-ports br-ex
patch-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3-to-br-int
((kypo-crp-openstack-base) ) root@ip-172-31-6-66:~/kypo-crp-openstack-base# ovs-vsctl list-ports br-int
patch-br-int-to-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3
tap7e86de1c-70
tapc6517e8f-b0
tapf147ff8d-9b

I found some errors but I don’t know if they are important.

((kypo-crp-openstack-base) ) root@ip-172-31-6-66:~/kypo-crp-openstack-base# ovs-ofctl dump-ports br-ex
2021-11-29T18:15:59Z|00001|vconn|WARN|unix:/var/run/openvswitch/br-ex.mgmt: version negotiation failed (we support version 0x01, peer supports versions 0x04, 0x06)
ovs-ofctl: br-ex: failed to connect to socket (Broken pipe)
((kypo-crp-openstack-base) ) root@ip-172-31-6-66:~/kypo-crp-openstack-base# ovs-dpctl show -s
system@ovs-system:
  lookups: hit:8565 missed:364 lost:0
  flows: 4
  masks: hit:14131 total:2 hit/pkt:1.58
  port 0: ovs-system (internal)
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 aborted:0 carrier:0
    collisions:0
    RX bytes:0  TX bytes:0
  port 1: br-ex (internal)
    RX packets:0 errors:0 dropped:4285 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 aborted:0 carrier:0
    collisions:0
    RX bytes:0  TX bytes:0
  port 2: br-int (internal)
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 aborted:0 carrier:0
    collisions:0
    RX bytes:0  TX bytes:0
  port 3: tap7e86de1c-70
    RX packets:407 errors:0 dropped:0 overruns:0 frame:0
    TX packets:38 errors:0 dropped:0 aborted:0 carrier:0
    collisions:0
    RX bytes:30048 (29.3 KiB)  TX bytes:2668 (2.6 KiB)
  port 4: tapc6517e8f-b0
    RX packets:4 errors:0 dropped:0 overruns:0 frame:0
    TX packets:16 errors:0 dropped:0 aborted:0 carrier:0
    collisions:0
    RX bytes:360  TX bytes:1216 (1.2 KiB)
  port 5: tapf147ff8d-9b
    RX packets:1592 errors:0 dropped:0 overruns:0 frame:0
    TX packets:119 errors:0 dropped:0 aborted:0 carrier:0
    collisions:0
    RX bytes:115182 (112.5 KiB)  TX bytes:6126 (6.0 KiB)

For the moment, I have stopped the procedure at this point. I will come back to it soon. If you have any idea to help me restore connectivity between the OpenStack host and the instance VMs, you are welcome!

Resources

Website: https://www.kypo.cz/
Documentation: https://docs.crp.kypo.muni.cz/
Gitlab: https://gitlab.ics.muni.cz/muni-kypo-crp
Twitter: https://twitter.com/KYPOCRP

What are the components of a generic Space System

Space Policy Directive-5 (SPD-5), the Nation’s first comprehensive cybersecurity policy for space systems, defines “Space System” as “a combination of systems, to include ground systems, sensor networks, and one or more space vehicles, that provides a space-based service.”

A space system typically has three segments:

  • a ground control network,
  • a space vehicle,
  • a user or mission network.

These systems include Government national security space systems, Government civil space systems, and private space systems.

“Space Vehicle” means the portion of a space system that operates in space. Examples include satellites, space stations, launch vehicles, launch vehicle upper stage components, and spacecraft.

The following article relates to the “Description of the Elements of a Satellite Command and Control System” and this one relates to “Threats, Vulnerabilities and Risks to Space Systems”.

Space Cyber Security Watch N°7 (November 7, 2021)

Find below the new Space Cyber Security Watch No 7 (November 7, 2021). In this paper, you will find everything that has caught our attention since the last time: news, articles, papers, Space CTI, videos, webinars, events, attacks, podcasts… This work is not exhaustive, so comments and observations are welcome.

Contents

Articles

Videos

Webinars

Past Events

Upcoming Events

Map of the French public space defence community

Le Commandement De l’Espace (CDE) was created by decree on 3 September 2019. It succeeded the Commandement Interarmées de l’Espace (CIE). It now brings together, within a single major command of the Armée de l’Air et de l’Espace (AAE), the majority of the expert actors of the military space domain.

To achieve the political ambition set by the space defence strategy, the CDE is pursuing an unprecedented ramp-up, relying in particular on the Centre National des Etudes Spatiales (CNES).

To fulfil the space defence strategy, the CDE must, by 2025, be able to conduct the first defensive actions in space. Permanent space situational awareness and the acquisition of a manoeuvring satellite demonstrator are the main capability milestones of this roadmap.

Today, the CDE is spread over four sites:

  • At Balard, the directorate and the design and implementation level are structured around 4 pillars: operations, capabilities, cooperation and organic;
  • In Toulouse, the precursor echelon of the space operations command and control centre;
  • COSMOS (Centre opérationnel de surveillance militaire des objets spatiaux) and CMOS (Centre militaire d’observation par satellites), located in Lyon and Creil respectively.

In the long run, the transformation of the CDE aims to concentrate all military expertise in the space domain in a dedicated building, located as close as possible to CNES. It will house multiple functions such as training, innovation and the core of the conduct of space operations. It will host nearly 500 experts in 2025.

In this new organisation, CMOS becomes the Escadron de Conduite des Actions Spatiales (ECAS), located in Toulouse at CNES, whose objective will be the station-keeping of operational space assets. COSMOS becomes the Escadron de Surveillance de l’Espace (ESE), whose objective will be the surveillance of space objects and of space in general.

This whole architecture is shown in the map below (an unofficial map produced in a personal capacity).

Download the high-definition version

In more detail, here is a description of the main entities in the infographic.

Office National d’Etudes et de Recherches Aérospatiales (ONERA)

The Office National d’Etudes et de Recherches Aérospatiales (ONERA) is the main French research centre in the aeronautics, space and defence sector. Its mission is to develop and steer research in the aerospace domain, to design, build and operate the means required to carry out this research, and to ensure the dissemination of its results.

Centre National d’Etudes Spatiales (CNES)

The Centre National d’Etudes Spatiales (CNES) is a public industrial and commercial establishment (EPIC) responsible for drawing up and proposing the French space programme to the French government and for implementing it. CNES is placed under the joint supervision of the ministries of higher education, research and innovation and of the Armed Forces.

Commandement de la Cyberdéfense (COMCYBER)

The Commandement de la Cyberdéfense (COMCYBER), placed under the authority of the Chief of the Defence Staff, has brought together all the cyber defence forces of the French armed forces since 1 January 2017.

Direction du Renseignement Militaire (DRM)

The Direction du Renseignement Militaire (DRM) is a joint body responsible for military intelligence for all the French armed forces. It sets the priorities for intelligence of military interest and receives, together with CNES, the data collected by CMOS.

Commandement de l’Espace (CDE)

The Commandement de l’Espace (CDE) now brings together, within a single major command of the Air Force, the majority of the expert actors of the military space domain.

Centre Militaire d’Observation par Satellites (CMOS)

Located on Air Base 110 at Creil, the Centre Militaire d’Observation par Satellites (CMOS) 1/92 « Bourgogne » is a French Air Force unit specialising in satellite observation.

Centre opérationnel de surveillance militaire des objets spatiaux (COSMOS)

Located on Air Base 942 at Lyon Mont Verdun, the Centre Opérationnel de Surveillance Militaire des Objets Spatiaux (COSMOS) is a French Air Force unit specialising in space surveillance.

Centre de Commandement et de Contrôle des Opérations Spatiales de Paris (C3OS)

Located at the Etat-Major des Armées in Paris, the Centre de Commandement et de Contrôle des Opérations Spatiales (C3OS) is the directing vector of space operations.

Escadron de Conduite des Actions Spatiales (ECAS)

Located in Toulouse at CNES, the Escadron de Conduite des Actions Spatiales (ECAS) has the objective of keeping operational space assets on station.

Escadron de Surveillance de l’Espace (ESE)

Located in Toulouse at CNES, the Escadron de Surveillance de l’Espace (ESE), formerly COSMOS, has the objective of surveilling space objects and space in general.

Map of the specialised services of the intelligence community (1st and 2nd circle)

The illustration below is a mind map presenting the specialised services of the 1st-circle intelligence community. This map is updated with the latest changes, notably regarding heads of service. The timeline relating to the DPR includes the link to the 2020-2021 public report on the activity of the intelligence services. This latest report places a particular focus on territorial intelligence.

Download the high-definition version

The same map also exists for the intelligence services of the second circle.

Download the high-definition version

Hemeria brings together the French nanosatellite actors at the Small Sat Day on 11/10/2021 at the Cité de l’Espace in Toulouse

Photo credits: Hemeria

After the alliance of French newspace companies under the name “Alliance NewSpace France”, it was the turn of the French smallsat and nanosatellite ecosystem to come together.

This is what Hemeria, the Toulouse-based manufacturer specialising in the design, production and maintenance of space and defence systems, managed to do by bringing together some thirty French nanosatellite (smallsat) actors at the “Small Sat Day”, on Monday 11 October 2021 at the Cité de l’espace in Toulouse.

The list of actors present (customers, partners, state institutions, financiers, startups): ACB, Aerospace Valley, Airbus Defence and Space, Alliance NewSpace France, ANYWAVES, ArianeGroup, ARIANESPACE, Arianeworks, Astreos, Bpifrance CLS Group (Collecte Localisation Satellites), CLUB GALAXIE, CNES, CNRS (Centre National de la Recherche Scientifique), COMAT, CDE (Commandement De l’Espace), CS GROUP, DGA (Direction Générale de l’Armement), Euroconsult, EREMS, Exotrail, Hybridpropulsion, Infinite Orbits, IRT AESE – Saint Exupéry, Kinéis, La French Fab, Leanspace SAS, LISI AEROSPACE, Loft Orbital, MECANO ID, Secrétariat Général pour l’Investissement, Newspace Factory, Nex Afrika, Nimesis Technology, ONERA – The French Aerospace Lab, Parangon European Partners, PROMÉTHÉE NewSpace, La Région Occitanie / Pyrénées-Méditerranée, Share Myspace, Sodern, SOTEREM, SPACEBEL, STEEL ELECTRONIQUE, SYRLINKS, Telnet, Thales Alenia Space, ThrustMe, TRAD, Tests & Radiations, USpace, Venture Orbital System

Hemeria designs and manufactures high-technology, high-reliability equipment and systems for two demanding markets: the space industry and the French nuclear deterrent.

It was an opportunity for Hemeria to announce that it has just been selected by the French State and CNES under the Programme d’Investissements d’Avenir (PIA) to develop a nanosatellite platform.

More concretely, the aim is to build a generic, modular, multi-mission platform for civil, military or scientific missions by 2024, with the objective of creating a French nanosatellite industry in a fast-growing market largely dominated by the Americans.

Nanosatellites and smallsats correspond to the market for satellites under 500 kg, which has exploded within a few years. Nearly 14,000 small satellites are expected to be launched into orbit in the next ten years.

Faced with a market concentrated around a few American players, competition is tough for European projects. It was time to react.

Last-minute news

HEMERIA has just joined the GIE Défense NBC as a major and recognised actor of the excellence of the French Defence and NRBCE (Nuclear, Radiological, Biological, Chemical and Explosives) Protection industry.

The mission of the GIE Défense NBC is to promote internationally the know-how, technologies, products and services of French companies in the NRBCE domain.

Space Ambassador Training with Connect by CNES

Connect by CNES is a structure of CNES (Centre National d’Études Spatiales), the French space agency. It has set up a training course to become a Space Ambassador (Ambassadeur du Spatial). Having followed this training myself and now being officially a Space Ambassador, I share my feedback below.

✅ I strongly recommend this training. It is free and open to the general public. It delivers the essential concepts of space tools and solutions, and gives an overview of the applications expected in the short/medium term.
✅ It is made up of multiple modules and discussion sessions on various topics (geolocation, telecommunications, satellite imagery, space business, …), with CNES experts.
✅ It is a very complete and enriching training on highly technical subjects. It offers an overview of the uses of space, its advantages, and the existing solutions in the fields of health, the environment, mobility… It reveals the breadth of the subject and all the domains that space can cover, which one does not necessarily imagine.
✅ In the end, I recommend this training to anyone interested in the space sector and everything it can bring.

If you too want to become a Space Ambassador and help CNES relay its messages to the general public, sign up for the training. And if you are diligent enough, you will be entitled to a nice diploma like this one:

To find out more: https://www.connectbycnes.fr/formation

The videos below come directly from the training course. They are updated regularly. By registering, you will have access to the latest versions together with quality supporting material.

Ambassador Training // Presentation of Connect by CNES

Ambassador Training // Space imagery, how it works

Ambassador Training // Space imagery – Applications

Ambassador Training // Space imagery – Copernicus

Ambassador Training // Space imagery, the new data paradigm

Ambassador Training // Satellite geolocation and applications

Ambassador Training // Geolocation – Introduction to GALILEO

Ambassador Training // Satellite geolocation – How Galileo works

Ambassador Training // Telecom presentation

Ambassador Training // Satellite telecom & applications

Ambassador Training // Ideation, incubation, funding

Ambassador Training // Tomorrow, towards a new space economy

Space Cyber Security Watch N°6 (October 3, 2021)

PDF VERSION AVAILABLE SOON HERE

Find below the new Space Cyber Security Watch No 6 (October 3, 2021). In this paper, you will find everything that has caught our attention since the last time: news, articles, papers, Space CTI, videos, webinars, events, attacks, podcasts… This work is not exhaustive, so comments and observations are welcome.

Contents

Articles

Papers

Webinars

  • August 31, 2021: The Cyber Hero Adventures Show: “Securing Space” Preview – Matt Desch, CEO of Iridium, and others discuss the cybersecurity of our nation’s space systems.
  • October 6–8, 2021: New online course: Understanding Cybersecurity in the Space Domain – The Space Domain Cybersecurity (SpaDoCs) Framework provides a comprehensive and systematic model for understanding and tackling cybersecurity in the space domain. This online course examines the practical issues of developing and sustaining a secure cyber environment through all phases of the space mission lifecycle. At the conclusion of the course, you will be able to formulate inputs and issues to a cybersecurity assessment plan for a given space domain scenario.

Past Events

Upcoming Events

  • October 4–7, 2021: 32nd Aerospace Testing Seminar has new dates – The theme for the 2021 ATS is “Smart Testing for Today’s Missions.”
  • October 5–7, 2021: ESA Software Product Assurance Workshop 2021. There will be one full day of ECSS training, followed by 3 days of interesting presentations and discussions on various topics. Registration here
  • October 5–7, 2021: CyberSatGov – To bring together the satellite community with the government and military markets for a comprehensive, progressive discussion about cybersecurity. The CyberSatGov Agenda is Here!
    • Security in LEO: Can the US Government Trust it?
    • Solarwinds, Colonial Pipeline: Impact on Satellite Cybersecurity
    • Supply Chain Risk Management: Keeping It Secure
    • Blackjack 2022: Prime Time is Fast Approaching
    • Cloud and Data Processing: Space Systems Applications and Threats and Vulnerabilities Management
    • Value Of Space: How Space Systems’ Critical Infrastructure Will Apply to Future National Critical Functions
  • October 7–8, 2021: Global Resilience Federation (GRF) Summit on Security and Third-Party Risk
    • Networking and education on critical third-party and supply chain security issues
    • Featuring over 300 security professionals, third-party risk managers, IT directors, intelligence analysts, and more
    • Sessions will cover risk management, cybersecurity, intelligence sharing, geopolitical threat mitigation, and emerging compliance/regulation
  • October 13, 2021: Space Cybersecurity Symposium II: Applied Cybersecurity for Space – The Department of Commerce (DOC) and the Department of Homeland Security (DHS) invite you to their second jointly hosted space cybersecurity symposium.
  • October 19–20, 2021: 2nd annual Value of Space Summit – The Space Information Sharing and Analysis Center (Space ISAC) and The Aerospace Corporation are pleased to host the 2021 Value of Space Summit, a 2-day virtual community event that convenes a variety of perspectives from across the space enterprise.
  • October 19–21, 2021: 11th IAASS conference: Managing Risk in Space – The 11th IAASS Conference “Managing Risk in Space”, organized in cooperation with the Japan Aerospace Exploration Agency (JAXA), is an invitation to reflect and exchange information on a number of space safety and sustainability topics of national and international interest.
  • October 25–29, 2021: IAF’s IAC 21 in Dubai – The 72nd International Astronautical Congress 2021 (Dubai, United Arab Emirates) will have two security sessions:
    • D5 is the 54th IAA Symposium on Safety, Quality and Knowledge Management in Space Activities (D5.4 will be more technical: Cybersecurity in space systems, risks and countermeasures)
    • E9 is the IAF Symposium on Space Security (E9.2 is more strategic and legal focused: Cyber-based security threats to space missions – establishing the legal, institutional and collaborative framework to counteract them)
    • Papers have been selected and the program will be published shortly
  • November 8, 2021: CNES COMET CYBersécurité – a day on « “Cybersecurity” threats and the space sector » in Toulouse and online.
  • April 2022: Breaking news! CYSAT will be back for the second edition and we selected Paris as our home!

This work is not exhaustive, so comments and observations are welcome.

DEF CON 29 Aerospace Village Videos

DEF CON Aerospace Village is a researcher-led, non-profit whose mission is to build a diverse community focused on the security of everything from airports, air traffic management and aircraft to space.

The Challenge: The aerospace ecosystem is a cornerstone of the global infrastructure and economy. While passenger safety is at an all-time high, the increasing adoption of connected technologies exposes aircraft, airports, satellites, and the interdependent aerospace ecosystem to new types of risks. The consequences of a cybersecurity failure in a ground, air, or space-based system can impact human life and public safety; a crisis of confidence in the trustworthiness of air travel and space operations can undermine economic and (inter)national security.

The Aerospace Village is a unique community that bridges the gap across security researchers, the aerospace industry, public sector, academia and all.

At Virtual DEF CON 29 this year the Aerospace Village is full of talks, virtual workshops and CTFs that will have something for you to get involved in irrespective of your experience level, or what bit of the aerospace world you are interested in.

In this article, we will focus on the space cybersecurity videos recorded at the DEF CON 29 Aerospace Village held on 6–7 August in Las Vegas. All sessions were delivered online or in hybrid form.

Deep Space Networking 2021 Workshops

This training session includes three Wireshark analysis sessions of LTP (Licklider Transmission Protocol) traffic: green-part data transmission (with data loss), simple red-part data transmission, and red-part transmission with retransmission after data loss.

To find out more about these workshops and to download the capture files, check here.

Part I: Ground Control to Major Licklider: Analyzing LTP

Part II: Build an LTP-Analysis Wireshark Profile

Part III: An Outage in Space — Take the LTP Wireshark Challenge
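The three sessions hinge on one distinction in LTP: the red part of a block is delivered reliably (the last red segment is a checkpoint, the receiver answers with a report segment listing the byte ranges it holds, and the sender retransmits the gaps), while the green part is best effort and lost green segments are never resent. The Python model below is an added example written for this page; it is not the workshop's material nor a Wireshark dissector. The segment size, the single-block session and the loss pattern are constructed assumptions, and the real protocol's serial numbers, timers and report-acknowledgement segments are omitted.

```python
"""Simplified model of LTP (RFC 5326) block delivery over a lossy link.

Red part: reliable (checkpoint -> report segment -> retransmission of gaps).
Green part: best effort (no checkpoint, no report, no retransmission).
Constructed example: serial numbers, timers and RA segments are omitted.
"""
from dataclasses import dataclass

SEG_SIZE = 100  # assumption: fixed data-segment payload size in bytes


@dataclass
class DataSegment:
    offset: int
    length: int
    red: bool                 # True: red part (reliable); False: green part
    checkpoint: bool = False  # red checkpoint: solicits a report segment


@dataclass
class ReportSegment:
    claims: list  # merged (offset, length) ranges of red bytes received


def build_segments(red_len, green_len):
    """Split one block into red segments followed by green segments."""
    segs = []
    for off in range(0, red_len, SEG_SIZE):
        segs.append(DataSegment(off, min(SEG_SIZE, red_len - off), red=True))
    if segs:
        segs[-1].checkpoint = True  # EORP: the end of the red part is a checkpoint
    total = red_len + green_len
    for off in range(red_len, total, SEG_SIZE):
        segs.append(DataSegment(off, min(SEG_SIZE, total - off), red=False))
    return segs


def merge_ranges(ranges):
    """Coalesce overlapping or adjacent (offset, length) ranges."""
    out = []
    for off, ln in sorted(ranges):
        if out and off <= out[-1][0] + out[-1][1]:
            last_off, last_len = out[-1]
            out[-1] = (last_off, max(last_off + last_len, off + ln) - last_off)
        else:
            out.append((off, ln))
    return out


def gaps(claims, upper_bound):
    """Byte ranges in [0, upper_bound) not covered by the receiver's claims."""
    missing, cursor = [], 0
    for off, ln in claims:
        if off > cursor:
            missing.append((cursor, off - cursor))
        cursor = max(cursor, off + ln)
    if cursor < upper_bound:
        missing.append((cursor, upper_bound - cursor))
    return missing


class LossyLink:
    """Drops the listed segment offsets on their first transmission only."""

    def __init__(self, drop_offsets):
        self.drop_offsets = set(drop_offsets)
        self.seen = set()

    def deliver(self, seg):
        first = seg.offset not in self.seen
        self.seen.add(seg.offset)
        return not (first and seg.offset in self.drop_offsets)


class Receiver:
    def __init__(self):
        self.red, self.green = [], []

    def on_data(self, seg):
        """Record the segment; answer a red checkpoint with a report segment."""
        (self.red if seg.red else self.green).append((seg.offset, seg.length))
        if seg.red and seg.checkpoint:
            return ReportSegment(claims=merge_ranges(self.red))
        return None


def run_session(red_len, green_len, drop_offsets, max_rounds=10):
    """Send one block; report what arrived and the retransmission cost."""
    link, rx = LossyLink(drop_offsets), Receiver()
    segs = build_segments(red_len, green_len)
    pending = [s for s in segs if s.red]
    stats = {"rounds": 0, "retransmitted": 0}
    while pending and stats["rounds"] < max_rounds:
        stats["rounds"] += 1
        if stats["rounds"] > 1:
            stats["retransmitted"] += len(pending)
        report = None
        for seg in pending:
            if link.deliver(seg):
                report = rx.on_data(seg) or report
        if report is None:            # checkpoint lost: resend it alone (CP timer)
            pending = [pending[-1]]
            continue
        missing = gaps(report.claims, red_len)
        pending = [s for s in segs if s.red and any(
            s.offset < g_off + g_len and g_off < s.offset + s.length
            for g_off, g_len in missing)]
        if pending:
            pending[-1].checkpoint = True  # a retransmission ends with a new checkpoint
    for seg in segs:                   # green part: no checkpoint, no report, no resend
        if not seg.red and link.deliver(seg):
            rx.on_data(seg)
    red_ok = sum(ln for _, ln in merge_ranges(rx.red))
    green_ok = sum(ln for _, ln in merge_ranges(rx.green))
    return {"red_bytes": red_ok, "green_bytes": green_ok,
            "red_complete": red_ok == red_len, **stats}


if __name__ == "__main__":
    # Constructed loss pattern: one red data segment, the EORP checkpoint
    # and one green segment are each lost once.
    print(run_session(500, 300, drop_offsets={100, 400, 600}))
```

With the constructed loss pattern the red part completes in three rounds (one to resend the lost checkpoint, one to fill the gap the report reveals), while the green part stays short by the one segment that was lost, which is exactly the pattern the three capture sessions are meant to make visible in Wireshark.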

AIAA Cubesat Hacking Workshop

The AIAA CubeSat Hacking Workshop is a learning laboratory intended to demonstrate satellite-operations cybersecurity defense and hacking principles and techniques to participants of all levels of cybersecurity proficiency, through hands-on instruction conducted by space systems experts. Participants learn and practice hacking techniques on a simulated, remotely accessible CubeSat system.

To find out more about these workshops and to download the files, check here.

AIAA CubeSat Hacking Workshop 01 Section 1: CubeSat 101

AIAA CubeSat Hacking Workshop 02 Section 2: Attack Methodology

AIAA CubeSat Hacking Workshop 03: The CubeSat User Interface

AIAA CubeSat Hacking Workshop 04: Cyberattack Scenario 1

AIAA CubeSat Hacking Workshop 05: Cyberattack Scenario 2 Prelude

AIAA CubeSat Hacking Workshop 06: Cyberattack Scenario 2

AIAA CubeSat Hacking Workshop 07: Cyberattack Scenario 3

AIAA CubeSat Hacking Workshop 08: After the Cyber Attack

Other videos

Fuzzing NASA Core Flight System Software

Lost In Space: No one Can Hear Your Breach Choose Wisely

Unboxing the Spacecraft Software BlackBox Hunting for Vulnerabilities

Threat Modeling for Space Hitchhikers

Hack A Sat 2 – The Good, the Bad and the Cyber Secure

Official DC29 Aerospace Village schedule is available here

Join the Aerospace Village Discord server and follow us on Twitter @SecureAerospace for latest Aerospace Village DC29 updates!

Space Cyber Security Watch N°5 (August 31, 2021)

PDF VERSION IS AVAILABLE HERE

Find below the new Space Cyber Security Watch No 5 (August 31, 2021). In this paper, you will find everything that has caught our attention since the last time: news, articles, papers, Space CTI, videos, webinars, events, attacks, podcasts… This work is not exhaustive, so comments and observations are welcome.

Contents

Attacks on Space Systems

Articles

May 2021

June 2021

July 2021

August 2021

Papers

Videos

Webinars

Past Events

Upcoming Events

This work is not exhaustive, so comments and observations are welcome.
