https://docs.oracle.com/ja-jp/iaas/Content/Network/Tasks/scenario_e.htm
https://qiita.com/dingtianhongjie/items/485c8abf7b3af9529f69
確認事項: ashburnリージョンでインターネットを使用せずにtokyoリージョンのオブジェクトAPIを実行する
前提:
-- ashburn
subnet01,vm01,sl01,rt01,パブリックサブネット
subnet02,vm02,sl02,rt02,プライベートサブネット,サービス・ゲートウェイのみ
subnet01~subnet02間の全通信許可
subnet02~subnet12間の全通信許可
-- tokyo
subnet11,vm11,sl11,rt11,パブリックサブネット
subnet12,vm12,sl12,rt12,プライベートサブネット,サービス・ゲートウェイのみ
subnet11~subnet12間の全通信許可
subnet02~subnet12間の全通信許可
DRGはrt02やrt12に紐づける
drg01
drg0101 <== VCNアタッチメント名
drg0102 <== RPCアタッチメント名
drg11
drg1101 <== VCNアタッチメント名
drg1102 <== RPCアタッチメント名
-- 1. VCN作成 (ashburn)
mkdir ashburn
cd ashburn
# variables.tf: tenancy OCID and the operator's source address (both placeholders here).
# local.myip is the only source allowed to reach TCP/22 on the public subnet (sl01 in main.tf),
# so keep it a single host (/32) rather than widening it.
cat <<-'EOF' > variables.tf
locals {
tenancy_ocid = "ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111"
# MYIP
# Source prefix permitted to SSH into subnet01; referenced by sl01.
myip = "192.0.2.1/32"
}
# Name of the compartment this stack creates (see oci_identity_compartment.cmp01).
variable "compartment_name" {
description = "compartment_name"
type = string
default = "cmp20240421"
}
EOF
# main.tf: provider pinning, provider identity, the compartment and the vcn01 network
# (public subnet01 behind an internet gateway, private subnet02 behind a service gateway only).
cat <<-'EOF' > main.tf
terraform {
required_version = ">= 1.0.0, < 2.0.0"
required_providers {
oci = {
source = "hashicorp/oci"
version = "= 5.23.0"
}
}
}
# API-key authentication for the provider. All identifiers are placeholders in this listing;
# in a real checkout prefer an ~/.oci/config profile or environment variables so that no user OCID
# or key fingerprint lives in a .tf file that gets committed.
provider "oci" {
tenancy_ocid = local.tenancy_ocid
user_ocid = "ocid1.user.oc1..111111111111111111111111111111111111111111111111111111111111"
private_key_path = "~/.oci/oci_api_key.pem"
fingerprint = "45:ed:22:e6:cc:fd:63:97:12:9d:62:7a:90:12:65:7a"
region = "us-ashburn-1"
}
# Compartment holding everything in this stack. enable_delete lets `terraform destroy` remove the
# compartment itself at the end of the exercise.
resource "oci_identity_compartment" "cmp01" {
# Required
compartment_id = local.tenancy_ocid
description = var.compartment_name
name = var.compartment_name
enable_delete = true
}
# Region-local VCN (10.0.0.0/16); both subnets below are carved out of it.
resource "oci_core_vcn" "vcn01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
#Optional
cidr_block = "10.0.0.0/16"
display_name = "vcn01"
dns_label = "vcn01"
}
# Internet gateway; only rt01 (the public subnet) routes through it.
resource "oci_core_internet_gateway" "igw01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
enabled = true
display_name = "igw01"
}
# Looks up the "All <region> Services In Oracle Services Network" entry by regex; services.0 is the
# first match and is the one handed to the service gateway.
data "oci_core_services" "svc01" {
filter {
name = "name"
values = ["All .* Services In Oracle Services Network"]
regex = true
}
}
# Service gateway: private path from subnet02 to OCI services (Object Storage, the IAM auth
# endpoint) without an internet or NAT gateway.
resource "oci_core_service_gateway" "sgw01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
services {
#Required
service_id = data.oci_core_services.svc01.services.0.id
}
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "sgw01"
}
# rt01 (public subnet): default route to the internet gateway.
resource "oci_core_route_table" "rt01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "rt01"
route_rules {
#Required
network_entity_id = oci_core_internet_gateway.igw01.id
#Optional
destination = "0.0.0.0/0"
}
}
# rt02 (private subnet): the only rule sends the Oracle Services Network label to the service
# gateway; there is no default route, so subnet02 has no internet path. "iad" is the Ashburn
# region key and must match provider.region.
resource "oci_core_route_table" "rt02" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "rt02"
route_rules {
#Required
network_entity_id = oci_core_service_gateway.sgw01.id
#Optional
destination = "all-iad-services-in-oracle-services-network"
destination_type = "SERVICE_CIDR_BLOCK"
}
}
# sl01 (public subnet): SSH only from local.myip, anything from subnet02, unrestricted egress.
resource "oci_core_security_list" "sl01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "sl01"
# Unrestricted egress; actual reachability is still bounded by the subnet's route table.
egress_security_rules {
destination = "0.0.0.0/0"
protocol = "all"
stateless = false
}
# TCP/22 from the operator's address only.
ingress_security_rules {
protocol = "6"
source = local.myip
stateless = false
tcp_options {
max = 22
min = 22
}
}
# All protocols (including ICMP, used by the later ping check) from subnet02 (10.0.2.0/24).
ingress_security_rules {
protocol = "all"
source = "10.0.2.0/24"
stateless = false
}
}
# sl02 (private subnet): all traffic from subnet01 (10.0.1.0/24) and from the Tokyo private
# subnet12 (10.1.2.0/24); the latter only becomes reachable once the DRG route is added to rt02.
resource "oci_core_security_list" "sl02" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "sl02"
egress_security_rules {
destination = "0.0.0.0/0"
protocol = "all"
stateless = false
}
ingress_security_rules {
protocol = "all"
source = "10.0.1.0/24"
stateless = false
}
ingress_security_rules {
protocol = "all"
source = "10.1.2.0/24"
stateless = false
}
}
# Public subnet (bastion vm01): rt01 + sl01.
resource "oci_core_subnet" "subnet01" {
#Required
cidr_block = "10.0.1.0/24"
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "subnet01"
dns_label = "subnet01"
route_table_id = oci_core_route_table.rt01.id
security_list_ids = [oci_core_security_list.sl01.id]
}
# Private subnet (vm02): rt02 + sl02, service gateway only.
resource "oci_core_subnet" "subnet02" {
#Required
cidr_block = "10.0.2.0/24"
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "subnet02"
dns_label = "subnet02"
route_table_id = oci_core_route_table.rt02.id
security_list_ids = [oci_core_security_list.sl02.id]
}
EOF
# instance.tf: vm01 (public, in subnet01) and vm02 (private, in subnet02). Both use the same
# local SSH public key and the same (placeholder) image OCID. The availability-domain prefix
# ("OEIw:") is tenancy-specific and must be looked up for the tenancy actually used.
cat <<-'EOF' > instance.tf
resource "oci_core_instance" "vm01" {
#Required
availability_domain = "OEIw:US-ASHBURN-AD-1"
compartment_id = oci_identity_compartment.cmp01.id
shape = "VM.Standard.E2.1"
#Optional
create_vnic_details {
#Optional
# Public address; this is the host reached over SSH from local.myip.
assign_public_ip = true
subnet_id = oci_core_subnet.subnet01.id
}
display_name = "vm01"
metadata = {
ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
}
source_details {
#Required
source_id = "ocid1.image.oc1.iad.111111111111111111111111111111111111111111111111111111111111"
source_type = "image"
#Optional
boot_volume_size_in_gbs = 50
}
# Boot volume is deleted together with the instance on destroy.
preserve_boot_volume = false
}
resource "oci_core_instance" "vm02" {
#Required
availability_domain = "OEIw:US-ASHBURN-AD-1"
compartment_id = oci_identity_compartment.cmp01.id
shape = "VM.Standard.E2.1"
#Optional
create_vnic_details {
#Optional
# No public address; vm02 is reachable only through vm01 / the private network.
assign_public_ip = false
subnet_id = oci_core_subnet.subnet02.id
}
display_name = "vm02"
metadata = {
ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
}
source_details {
#Required
source_id = "ocid1.image.oc1.iad.111111111111111111111111111111111111111111111111111111111111"
source_type = "image"
#Optional
boot_volume_size_in_gbs = 50
}
preserve_boot_volume = false
}
EOF
# bucket.tf: a private Object Storage bucket in the Ashburn compartment. The namespace is
# resolved from the tenancy rather than hard-coded.
cat <<-'EOF' > bucket.tf
data "oci_objectstorage_namespace" "ns01" {
compartment_id = local.tenancy_ocid
}
resource "oci_objectstorage_bucket" "bucket01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
name = "bucket01"
namespace = data.oci_objectstorage_namespace.ns01.namespace
#Optional
# No anonymous/public reads; access goes through IAM only.
access_type = "NoPublicAccess"
auto_tiering = "Disabled"
object_events_enabled = false
storage_tier = "Standard"
versioning = "Disabled"
}
EOF
# outputs.tf: OCIDs and addresses needed by the later CLI steps (DRG attachment uses vcn01_id,
# the SSH steps use vm01_public_ip / vm02_private_ip).
cat <<-'EOF' > outputs.tf
output "cmp01_id" {
value = oci_identity_compartment.cmp01.id
description = "cmp01.id"
}
output "vcn01_id" {
value = oci_core_vcn.vcn01.id
description = "vcn01.id"
}
output "igw01_id" {
value = oci_core_internet_gateway.igw01.id
description = "igw01.id"
}
output "sgw01_id" {
value = oci_core_service_gateway.sgw01.id
description = "sgw01.id"
}
output "rt01_id" {
value = oci_core_route_table.rt01.id
description = "rt01.id"
}
output "rt02_id" {
value = oci_core_route_table.rt02.id
description = "rt02.id"
}
output "sl01_id" {
value = oci_core_security_list.sl01.id
description = "sl01.id"
}
output "sl02_id" {
value = oci_core_security_list.sl02.id
description = "sl02.id"
}
output "subnet01_id" {
value = oci_core_subnet.subnet01.id
description = "subnet01.id"
}
output "subnet02_id" {
value = oci_core_subnet.subnet02.id
description = "subnet02.id"
}
output "vm01_id" {
value = oci_core_instance.vm01.id
description = "vm01.id"
}
output "vm02_id" {
value = oci_core_instance.vm02.id
description = "vm02.id"
}
# Address used as the SSH bastion in the next step.
output "vm01_public_ip" {
value = oci_core_instance.vm01.public_ip
description = "vm01.public_ip"
}
output "vm01_private_ip" {
value = oci_core_instance.vm01.private_ip
description = "vm01.private_ip"
}
output "vm02_private_ip" {
value = oci_core_instance.vm02.private_ip
description = "vm02.private_ip"
}
EOF
terraform init
terraform fmt
terraform -version
# `plan` is the only review point: the apply below runs with -auto-approve and does not pause.
terraform plan
terraform apply -auto-approve
-- 2. OCIインストール (ashburn)
-- 2.1 vm01からvm02にログイン
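# Reach vm02 (private, 10.0.2.162) through the bastion vm01 (192.0.2.2) with ProxyJump instead of
# copying the private key onto vm01: the key never leaves the workstation, and the offline
# installer goes straight to vm02. The same key is authorized on both hosts (instance.tf).
scp -i $HOME/.ssh/id_rsa -o ProxyJump=opc@192.0.2.2 oci-cli-3.39.0-Oracle-Linux-9-Offline.zip opc@10.0.2.162:/home/opc
ssh -i $HOME/.ssh/id_rsa -J opc@192.0.2.2 opc@10.0.2.162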
-- 2.2 vm02からインターネットアクセスできないことを確認
curl --connect-timeout 10 https://www.oracle.com/
-- 2.3 OCIインストール (vm02での作業)
# Offline install of the OCI CLI (no internet from vm02); the zip was copied in the previous step.
unzip oci-cli-3.39.0-Oracle-Linux-9-Offline.zip
cd oci-cli-installation
bash install.sh --offline-install
# Re-exec the login shell so the installer's PATH changes take effect before `oci -v`.
exec -l $SHELL
oci -v
-- 3. VCN作成 (tokyo)
mkdir tokyo
cd tokyo
# variables.tf: the Tokyo stack reuses an existing compartment (its OCID is var.compartment_id,
# a placeholder here) instead of creating one; the compartment_name variable is kept commented
# out for that reason.
cat <<-'EOF' > variables.tf
locals {
tenancy_ocid = "ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111"
# MYIP
# Source prefix permitted to SSH into subnet11; referenced by sl11.
myip = "192.0.2.1/32"
}
#variable "compartment_name" {
# description = "compartment_name"
# type = string
# default = "cmp21240419"
#}
variable "compartment_id" {
description = "compartment_id"
type = string
default = "ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111"
}
EOF
# main.tf (Tokyo): mirror of the Ashburn layout in 10.1.0.0/16 — public subnet11 behind an
# internet gateway, private subnet12 behind a service gateway only. Compartment creation is
# commented out; var.compartment_id is used throughout.
cat <<-'EOF' > main.tf
terraform {
required_version = ">= 1.0.0, < 2.0.0"
required_providers {
oci = {
source = "hashicorp/oci"
version = "= 5.23.0"
}
}
}
# Same API-key identity as the Ashburn stack, pointed at ap-tokyo-1. Placeholders here; prefer an
# ~/.oci/config profile or environment variables in a real checkout.
provider "oci" {
tenancy_ocid = local.tenancy_ocid
user_ocid = "ocid1.user.oc1..111111111111111111111111111111111111111111111111111111111111"
private_key_path = "~/.oci/oci_api_key.pem"
fingerprint = "45:ed:22:e6:cc:fd:63:97:12:9d:62:7a:90:12:65:7a"
region = "ap-tokyo-1"
}
#resource "oci_identity_compartment" "cmp11" {
# # Required
# compartment_id = local.tenancy_ocid
# description = var.compartment_name
# name = var.compartment_name
#
# enable_delete = true
#}
# Region-local VCN (10.1.0.0/16).
resource "oci_core_vcn" "vcn11" {
#Required
compartment_id = var.compartment_id
#Optional
cidr_block = "10.1.0.0/16"
display_name = "vcn11"
dns_label = "vcn11"
}
# Internet gateway; only rt11 (the public subnet) routes through it.
resource "oci_core_internet_gateway" "igw11" {
#Required
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.vcn11.id
#Optional
enabled = true
display_name = "igw11"
}
# Regex lookup of the "All <region> Services In Oracle Services Network" entry; services.0 is
# the first match.
data "oci_core_services" "svc11" {
filter {
name = "name"
values = ["All .* Services In Oracle Services Network"]
regex = true
}
}
# Service gateway: private path from subnet12 to OCI services (Object Storage, auth endpoint),
# and the path the squid host uses to reach dnf/Object Storage without an internet gateway.
resource "oci_core_service_gateway" "sgw11" {
#Required
compartment_id = var.compartment_id
services {
#Required
service_id = data.oci_core_services.svc11.services.0.id
}
vcn_id = oci_core_vcn.vcn11.id
#Optional
display_name = "sgw11"
}
# rt11 (public subnet): default route to the internet gateway.
resource "oci_core_route_table" "rt11" {
#Required
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.vcn11.id
#Optional
display_name = "rt11"
route_rules {
#Required
network_entity_id = oci_core_internet_gateway.igw11.id
#Optional
destination = "0.0.0.0/0"
}
}
# rt12 (private subnet): services label via the service gateway only; no default route.
# "nrt" is the Tokyo region key and must match provider.region.
resource "oci_core_route_table" "rt12" {
#Required
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.vcn11.id
#Optional
display_name = "rt12"
route_rules {
#Required
network_entity_id = oci_core_service_gateway.sgw11.id
#Optional
destination = "all-nrt-services-in-oracle-services-network"
destination_type = "SERVICE_CIDR_BLOCK"
}
}
# sl11 (public subnet): SSH only from local.myip, anything from subnet12, unrestricted egress.
resource "oci_core_security_list" "sl11" {
#Required
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.vcn11.id
#Optional
display_name = "sl11"
egress_security_rules {
destination = "0.0.0.0/0"
protocol = "all"
stateless = false
}
# TCP/22 from the operator's address only.
ingress_security_rules {
protocol = "6"
source = local.myip
stateless = false
tcp_options {
max = 22
min = 22
}
}
# All protocols from subnet12 (10.1.2.0/24).
ingress_security_rules {
protocol = "all"
source = "10.1.2.0/24"
stateless = false
}
}
# sl12 (private subnet): all traffic from subnet11 (10.1.1.0/24) and from the Ashburn private
# subnet02 (10.0.2.0/24). The 10.0.2.0/24 rule is what lets vm02 reach the squid proxy on vm12
# once the DRG route is in place; it also admits ICMP for the ping check.
resource "oci_core_security_list" "sl12" {
#Required
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.vcn11.id
#Optional
display_name = "sl12"
egress_security_rules {
destination = "0.0.0.0/0"
protocol = "all"
stateless = false
}
ingress_security_rules {
protocol = "all"
source = "10.1.1.0/24"
stateless = false
}
ingress_security_rules {
protocol = "all"
source = "10.0.2.0/24"
stateless = false
}
}
# Public subnet (bastion vm11): rt11 + sl11.
resource "oci_core_subnet" "subnet11" {
#Required
cidr_block = "10.1.1.0/24"
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.vcn11.id
#Optional
display_name = "subnet11"
dns_label = "subnet11"
route_table_id = oci_core_route_table.rt11.id
security_list_ids = [oci_core_security_list.sl11.id]
}
# Private subnet (vm12 / squid): rt12 + sl12, service gateway only.
resource "oci_core_subnet" "subnet12" {
#Required
cidr_block = "10.1.2.0/24"
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.vcn11.id
#Optional
display_name = "subnet12"
dns_label = "subnet12"
route_table_id = oci_core_route_table.rt12.id
security_list_ids = [oci_core_security_list.sl12.id]
}
EOF
# instance.tf (Tokyo): vm11 (public, subnet11) and vm12 (private, subnet12; later the squid host).
# Same local SSH public key on both; image OCID and the "OEIw:" AD prefix are tenancy-specific
# placeholders.
cat <<-'EOF' > instance.tf
resource "oci_core_instance" "vm11" {
#Required
availability_domain = "OEIw:AP-TOKYO-1-AD-1"
compartment_id = var.compartment_id
shape = "VM.Standard.E2.1"
#Optional
create_vnic_details {
#Optional
# Public address; SSH entry point from local.myip.
assign_public_ip = true
subnet_id = oci_core_subnet.subnet11.id
}
display_name = "vm11"
metadata = {
ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
}
source_details {
#Required
source_id = "ocid1.image.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111"
source_type = "image"
#Optional
boot_volume_size_in_gbs = 50
}
# Boot volume is deleted together with the instance on destroy.
preserve_boot_volume = false
}
resource "oci_core_instance" "vm12" {
#Required
availability_domain = "OEIw:AP-TOKYO-1-AD-1"
compartment_id = var.compartment_id
shape = "VM.Standard.E2.1"
#Optional
create_vnic_details {
#Optional
# No public address; reachable only via vm11 or over the DRG from Ashburn.
assign_public_ip = false
subnet_id = oci_core_subnet.subnet12.id
}
display_name = "vm12"
metadata = {
ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
}
source_details {
#Required
source_id = "ocid1.image.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111"
source_type = "image"
#Optional
boot_volume_size_in_gbs = 50
}
preserve_boot_volume = false
}
EOF
# bucket.tf (Tokyo): bucket11 is the target of the cross-region `oci os object list` check later on.
cat <<-'EOF' > bucket.tf
data "oci_objectstorage_namespace" "ns11" {
compartment_id = local.tenancy_ocid
}
resource "oci_objectstorage_bucket" "bucket11" {
#Required
compartment_id = var.compartment_id
name = "bucket11"
namespace = data.oci_objectstorage_namespace.ns11.namespace
#Optional
# No anonymous/public reads; access goes through IAM only.
access_type = "NoPublicAccess"
auto_tiering = "Disabled"
object_events_enabled = false
storage_tier = "Standard"
versioning = "Disabled"
}
EOF
# outputs.tf (Tokyo): OCIDs and addresses consumed by the CLI steps (vcn11_id for the DRG
# attachment, vm11_public_ip / vm12_private_ip for SSH and for the proxy address).
cat <<-'EOF' > outputs.tf
#output "cmp11_id" {
# value = oci_identity_compartment.cmp11.id
# description = "cmp11.id"
#}
output "vcn11_id" {
value = oci_core_vcn.vcn11.id
description = "vcn11.id"
}
output "igw11_id" {
value = oci_core_internet_gateway.igw11.id
description = "igw11.id"
}
output "sgw11_id" {
value = oci_core_service_gateway.sgw11.id
description = "sgw11.id"
}
output "rt11_id" {
value = oci_core_route_table.rt11.id
description = "rt11.id"
}
output "rt12_id" {
value = oci_core_route_table.rt12.id
description = "rt12.id"
}
output "sl11_id" {
value = oci_core_security_list.sl11.id
description = "sl11.id"
}
output "sl12_id" {
value = oci_core_security_list.sl12.id
description = "sl12.id"
}
output "subnet11_id" {
value = oci_core_subnet.subnet11.id
description = "subnet11.id"
}
output "subnet12_id" {
value = oci_core_subnet.subnet12.id
description = "subnet12.id"
}
output "vm11_id" {
value = oci_core_instance.vm11.id
description = "vm11.id"
}
output "vm12_id" {
value = oci_core_instance.vm12.id
description = "vm12.id"
}
# Address used as the SSH bastion in the next step.
output "vm11_public_ip" {
value = oci_core_instance.vm11.public_ip
description = "vm11.public_ip"
}
output "vm11_private_ip" {
value = oci_core_instance.vm11.private_ip
description = "vm11.private_ip"
}
# Address of the squid proxy that vm02 points https_proxy at later.
output "vm12_private_ip" {
value = oci_core_instance.vm12.private_ip
description = "vm12.private_ip"
}
EOF
terraform init
terraform fmt
terraform -version
# `plan` is the only review point: the apply below runs with -auto-approve and does not pause.
terraform plan
terraform apply -auto-approve
-- 4. OCIインストール (tokyo)
-- 4.1 vm11からvm12にログイン
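# Reach vm12 (private, 10.1.2.10) through the bastion vm11 (192.0.2.3) with ProxyJump instead of
# copying the private key onto vm11: the key never leaves the workstation, and the offline
# installer goes straight to vm12. The same key is authorized on both hosts (instance.tf).
scp -i $HOME/.ssh/id_rsa -o ProxyJump=opc@192.0.2.3 oci-cli-3.39.0-Oracle-Linux-9-Offline.zip opc@10.1.2.10:/home/opc
ssh -i $HOME/.ssh/id_rsa -J opc@192.0.2.3 opc@10.1.2.10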
-- 4.2 vm12からインターネットアクセスできないことを確認
curl --connect-timeout 10 https://www.oracle.com/
-- 4.3 OCIインストール (vm12での作業)
# Offline install of the OCI CLI on vm12 (no internet); the zip was copied in the previous step.
unzip oci-cli-3.39.0-Oracle-Linux-9-Offline.zip
cd oci-cli-installation
bash install.sh --offline-install
# Re-exec the login shell so the installer's PATH changes take effect before `oci -v`.
exec -l $SHELL
oci -v
-- 5. DRG作成
# Ashburn: list the compartment's DRGs (presumably to check the current state), then create drg01.
# The compartment OCID is a placeholder.
oci network drg list --region us-ashburn-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network drg create --region us-ashburn-1 --display-name drg01 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
# Tokyo: same sequence for drg11.
oci network drg list --region ap-tokyo-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network drg create --region ap-tokyo-1 --display-name drg11 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
-- 6. DRGアタッチメント(VCN側)作成
# Prints the full JSON input skeleton for `drg-attachment create` (reference only).
oci network drg-attachment create --generate-full-command-json-input
# Ashburn: attach vcn01 to drg01 as attachment drg0101. DRG and VCN OCIDs come from the previous
# step and the vcn01_id output (placeholders here). "route-table-id": null leaves the DRG route
# table at its default — confirm that is the intended DRG route table; SUBNET_CIDRS appears to
# advertise the subnet prefixes rather than the whole VCN CIDR — confirm against the docs.
oci network drg-attachment list --region us-ashburn-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network drg-attachment create --region us-ashburn-1 --display-name drg0101 \
--drg-id ocid1.drg.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--network-details '{"type": "VCN", "id": "ocid1.vcn.oc1.iad.111111111111111111111111111111111111111111111111111111111111", "vcn-route-type": "SUBNET_CIDRS", "route-table-id": null}'
# Tokyo: attach vcn11 to drg11 as attachment drg1101.
oci network drg-attachment list --region ap-tokyo-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network drg-attachment create --region ap-tokyo-1 --display-name drg1101 \
--drg-id ocid1.drg.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111 \
--network-details '{"type": "VCN", "id": "ocid1.vcn.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111", "vcn-route-type": "SUBNET_CIDRS", "route-table-id": null}'
-- 7. DRGアタッチメント(RPC側)作成
# Ashburn: create the remote peering connection (RPC) drg0102 on drg01.
oci network remote-peering-connection list --region us-ashburn-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network remote-peering-connection create --region us-ashburn-1 --display-name drg0102 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--drg-id ocid1.drg.oc1.iad.111111111111111111111111111111111111111111111111111111111111
# Tokyo: create RPC drg1102 on drg11. Both RPC OCIDs are needed for the connect step.
oci network remote-peering-connection list --region ap-tokyo-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network remote-peering-connection create --region ap-tokyo-1 --display-name drg1102 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--drg-id ocid1.drg.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111
-- 8. RPC接続
# Initiate peering from the Ashburn RPC towards the Tokyo RPC; one side issues connect, the other
# accepts implicitly. Re-list both regions afterwards to confirm the status has become PEERED.
oci network remote-peering-connection connect --region us-ashburn-1 --peer-region-name ap-tokyo-1 \
--remote-peering-connection-id ocid1.remotepeeringconnection.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--peer-id ocid1.remotepeeringconnection.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111
oci network remote-peering-connection list --region us-ashburn-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network remote-peering-connection list --region ap-tokyo-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
-- 9. ルートテーブルにルートルール追加
# Assumes the shell is back in the parent directory holding ashburn/ and tokyo/ — the runbook
# never shows a `cd ..` after the Tokyo apply, so verify the working directory first.
cd ashburn
vi main.tf
# Add this route_rules block inside the existing rt02 resource (only the new rule is shown; the
# resource's other attributes and its closing brace are not repeated here). 10.1.0.0/16 is
# vcn11's CIDR, so Tokyo-bound traffic from subnet02 goes to drg01. The DRG OCID is hard-coded
# because the DRG was created with the CLI, outside this Terraform state.
resource "oci_core_route_table" "rt02" {
route_rules {
#Required
network_entity_id = "ocid1.drg.oc1.iad.111111111111111111111111111111111111111111111111111111111111"
#Optional
destination = "10.1.0.0/16"
}
terraform plan
terraform apply -auto-approve
# Same caveat on the working directory before `cd tokyo`.
cd tokyo
vi main.tf
# Mirror rule for rt12: 10.0.0.0/16 is vcn01's CIDR, next hop drg11.
resource "oci_core_route_table" "rt12" {
route_rules {
#Required
network_entity_id = "ocid1.drg.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111"
#Optional
destination = "10.0.0.0/16"
}
terraform plan
terraform apply -auto-approve
-- 10. 疎通確認
# Cross-region reachability over the DRG/RPC: 10.1.2.10 is vm12 (from vm02), 10.0.2.162 is vm02
# (from vm12). ICMP passes because sl02/sl12 allow protocol "all" from the peer private subnet.
ping 10.1.2.10
ping 10.0.2.162
-- 11. 動的グループ作成
oci iam dynamic-group list
# dg01 matches every instance in the given compartment (placeholder OCID), not just vm02;
# if the public bastions live in the same compartment they inherit the policy granted to dg01.
oci iam dynamic-group create \
--description dg01 \
--matching-rule "Any {instance.compartment.id = 'ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111'}" \
--name dg01
-- 12. 動的グループポリシー作成
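oci iam policy list \
--compartment-id ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111
# Least privilege for the later check (`oci os object list` on bucket11): read access to objects
# in the bucket's compartment is all that call needs. "manage all-resources in tenancy" would hand
# every instance matched by dg01 full administrative rights over the whole tenancy. Widen only if
# a later test genuinely needs more.
oci iam policy create \
--compartment-id ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111 \
--description policy11 \
--name policy11 \
--statements '[
"Allow dynamic-group dg01 to read objects in compartment id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111"
]'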
-- 13. squidインストール (vm12での作業)
※サービスゲートウェイがあるため、dnfでsquidインストール可能な模様
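sudo su -
dnf install squid
cp /etc/squid/squid.conf /etc/squid/squid.conf.org
# Minimal forward-proxy config. The original declared localnet but never used it, so any client that
# could reach :3128 was allowed, and it relied on squid's implicit default instead of a final deny.
# Here only the Ashburn VCN may use the proxy, only to the whitelisted hosts, and only via CONNECT
# to 443 (the OCI CLI talks HTTPS); everything else is denied explicitly.
cat <<-'EOF' > /etc/squid/squid.conf
# Clients allowed to use the proxy: the Ashburn VCN (vcn01)
acl localnet src 10.0.0.0/16
# Squid normally listens to port 3128
http_port 3128
# Allowed destinations (one domain per line)
acl whitelist dstdomain "/etc/squid/whitelist"
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet whitelist
http_access deny all
EOF
cat <<-'EOF' > /etc/squid/whitelist
objectstorage.ap-tokyo-1.oraclecloud.com
auth.ap-tokyo-1.oraclecloud.com
EOF
systemctl restart squid
systemctl status squid
systemctl enable squid
# Open only the proxy port instead of disabling the host firewall: sl12 already limits who can
# reach vm12, and firewalld stays as the second layer.
firewall-cmd --permanent --add-port=3128/tcp
firewall-cmd --reload
firewall-cmd --list-ports
tail -f /var/log/squid/access.log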
-- 14. 動作確認 (vm02での作業)
# Authenticate as the instance itself (dg01 + policy11) rather than with an API key on disk.
export OCI_CLI_AUTH=instance_principal
# First attempt without a proxy — presumably expected to fail, since subnet02 only routes to the
# Ashburn service gateway and the Tokyo Object Storage endpoint is not reachable from it.
oci os object list \
--bucket-name bucket11 \
--region ap-tokyo-1
tokyoのプライベートサブネットのプロキシを使用する
※auth.us-ashburn-1.oraclecloud.com への通信が発生するので、ashburnのサービスゲートウェイも必要
※auth.us-ashburn-1.oraclecloud.com への通信はプロキシ対象外とする必要あり
# Send HTTPS through squid on vm12 (10.1.2.10:3128, reached over the DRG); the Ashburn auth
# endpoint is excluded so it keeps going through the local service gateway instead.
export https_proxy="http://10.1.2.10:3128"
export no_proxy=auth.us-ashburn-1.oraclecloud.com
env | grep proxy
oci os object list \
--bucket-name bucket11 \
--region ap-tokyo-1
-- 15. クリーンアップ
-- 動的グループポリシー削除
# Remove policy11 (policy OCID is a placeholder; take it from the list output). --force skips the prompt.
oci iam policy list \
--compartment-id ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111
oci iam policy delete --force \
--policy-id ocid1.policy.oc1..111111111111111111111111111111111111111111111111111111111111
-- 動的グループ削除
# Remove dg01 after its policy is gone (OCID is a placeholder; take it from the list output).
oci iam dynamic-group list
oci iam dynamic-group delete --force \
--dynamic-group-id ocid1.dynamicgroup.oc1..111111111111111111111111111111111111111111111111111111111111
-- DRGアタッチメント(RPC側)削除
# Tear down the RPCs on both sides (ids are placeholders; take them from the list output).
oci network remote-peering-connection list --region us-ashburn-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network remote-peering-connection delete --region us-ashburn-1 --force \
--remote-peering-connection-id ocid1.remotepeeringconnection.oc1.iad.111111111111111111111111111111111111111111111111111111111111
oci network remote-peering-connection list --region ap-tokyo-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network remote-peering-connection delete --region ap-tokyo-1 --force \
--remote-peering-connection-id ocid1.remotepeeringconnection.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111
-- DRGアタッチメント(VCN側)削除
# Detach both VCNs from their DRGs (attachment ids are placeholders; take them from the list output).
oci network drg-attachment list --region us-ashburn-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network drg-attachment delete --region us-ashburn-1 --force \
--drg-attachment-id ocid1.drgattachment.oc1.iad.111111111111111111111111111111111111111111111111111111111111
oci network drg-attachment list --region ap-tokyo-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network drg-attachment delete --region ap-tokyo-1 --force \
--drg-attachment-id ocid1.drgattachment.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111
-- DRG削除
# Delete both DRGs now that their attachments are gone, then destroy the Terraform stacks in
# reverse order of creation (Tokyo, then Ashburn).
oci network drg list --region us-ashburn-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network drg delete --region us-ashburn-1 --force \
--drg-id ocid1.drg.oc1.iad.111111111111111111111111111111111111111111111111111111111111
oci network drg list --region ap-tokyo-1 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network drg delete --region ap-tokyo-1 --force \
--drg-id ocid1.drg.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111
# Both cd's are relative; the runbook presumably expects the shell to be in the parent of
# ashburn/ and tokyo/ before each one (no `cd ..` is shown) — verify before destroying.
cd tokyo
terraform destroy -auto-approve
cd ashburn
terraform destroy -auto-approve