Difference between revisions of "Infrastructure:Sysadmin Handbook"
| Line 1: | Line 1: | ||
This page describes how to manage the infra. See [https://vtluug.github.io/rtfm.txt rtfm.txt] for a guide to build it from scratch. | This page describes how to manage the infra. See [https://vtluug.github.io/rtfm.txt rtfm.txt] for a guide to build it from scratch. | ||
| − | This is | + | This covers setup of a VM on [[Infrastructure:Meltdown|meltdown]] or [[Infrastructure:Spectre|spectre]] depending on if the service is critical or not. (This guide uses [[Infrastructure:Meltdown|meltdown]] for examples) |
| − | + | == Networks == | |
| + | ''Further information: [[Infrastructure:Network|Network]] | ||
| − | |||
We ''should'' have the following networks in place: | We ''should'' have the following networks in place: | ||
| − | * | + | * [[Infrastructure:Meltdown|meltdown]] br0 on eno1 <--> enp4s0 on [[Infrastructure:Joey|joey]]. This is the main LUUG network. |
| − | ** 10.0.0 | + | ** 10.98.0.0/16 for VTLUUG NAT |
| − | ** IPv6 via | + | ** IPv6 via prefix delegation on 607:b400:6:cc80/64 |
| − | ** Global IPv4s via ARP proxying ( | + | ** Global IPv4s via ARP proxying (See https://github.com/vtluug/scripts). Gateway is 128.173.88.1/22. |
| − | * | + | * Static hosts are on 10.98.0.0/24, and DHCP is enabled on 10.98.1.0/24. This is mainly just useful for organization and quickly finding new hosts or other hosts on the network. |
| − | * "Internet" (a CNS portal) <--> | + | ** Static host IPs are assigned via static DHCP leases for IPv4. |
| − | + | ** Since we can't do this with IPv6, physical host IPs are determined upon first boot and VMs are assigned a specific MAC to pre-determine the SLAAC IP. | |
| − | + | * "Internet" (a CNS portal) <--> enp2s0 on [[Infrastructure:Joey|joey]]. LUUG only has one of these, and port security is probably enabled. | |
DNS/DHCP: | DNS/DHCP: | ||
| − | * | + | * All DNS entries for services run by VTLUUG are hosted on [https://gandi.net Gandi]. Ask an officer if you want to change something. |
* jkh and Roddy own ece.vt.edu. DNS updates don't happen. echarlie can add IPv6-only records if needed to wuvt.vt.edu so we have PTRs. | * jkh and Roddy own ece.vt.edu. DNS updates don't happen. echarlie can add IPv6-only records if needed to wuvt.vt.edu so we have PTRs. | ||
| − | * | + | * [[Infrastructure:Joey|joey]] runs DHCP via dnsmasq on enp4s0 (that is, 10.98.0.0/16). To change anything, modify it on https://github.com/vtluug/scripts first then pull that into root's homedir on [[Infrastructure:Joey|joey]]. Please don't just update it on a machine without pushing your updates. |
| + | * By default, hosts are accessible via SSH on ports 22 and 2222. | ||
| + | |||
| + | == Adding a VTLUUG Service VM == | ||
| + | ''VMs in this category are deployed to [[Infrastructure:Meltdown|meltdown]]'' | ||
| + | |||
| + | Prerequisites: | ||
| + | * Clone <code>https://github.com/vtluug/scripts</code>. This is referred to as 'SCRIPTS' in this guide. | ||
| + | * Clone <code>https://github.com/vtluug/ansible</code> and install ansible. This repo is referred to as 'ANSIBLE' in this guide. | ||
| + | * Have access to the vtluug-admin repo on gitolite. | ||
| + | * Understand the VTLUUG network and how things work in general. | ||
| + | * Put your SSH key on [[Infrastructure:Meltdown|meltdown]] | ||
| + | |||
| + | === Configure the network === | ||
| + | * Decide on a MAC address for the host and add it to <code>SCRIPTS/router/lan/local_hosts</code> | ||
| + | * Add an entry to <code>SCRIPTS/router/lan/dnsmasq.conf</code> for static DHCP leases. | ||
| + | * If a new IP in 128.173.88.1/22 is being added, also add it to <code>SCRIPTS/router/proxy/arp_proxy.sh</code> | ||
| − | + | '''Note''': It is '''not''' recommended that you do the following steps if nobody is on campus in case something breaks. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | Pull the latest changes to <code>/root/scripts</code>, update the configuration files, and restart the services: | |
| − | + | * Dnsmasq configuration is at <code>/etc/dnsmasq.conf</code> | |
| − | + | * ARP Proxy configuration is in <code>/usr/local/bin</code> | |
| − | + | === Add the VM configuration to ansible === | |
| − | + | Edit <code>ANSIBLE_PATH/roles/deploy-vms/defaults/main.yml</code> and add a new entry, following the existing format. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | </ | ||
| − | + | '''Note''': if there are any entries in this file that are '''not''' present on the VM host, they will also be created. Comment out entries that shouldn't be created. Existing hosts are skipped. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | Run <code>ansible-playbook -v deploy.yml -i hosts.cfg -u papatux -k -K -e @VTLUUG_ADMIN_REPO/accounts.yml</code>, using the correct vtluug-admin repo path. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | === Testing === | |
| + | The new host should be accessible by papatux on via SSH port 2222 (and 22) over IPv6 and IPv4 from the internal network. Check 10.98.1.0/24 to see if it correctly received a DHCP lease and if the MAC is correct. | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | == | + | == Adding a User VM == |
| − | + | ''VMs in this category are deployed to [[Infrastructure:Spectre|spectre]]'' | |
Revision as of 06:33, 5 January 2019
This page describes how to manage the infra. See rtfm.txt for a guide to build it from scratch.
This covers setup of a VM on meltdown or spectre depending on if the service is critical or not. (This guide uses meltdown for examples)
Contents
Networks
Further information: Network
We should have the following networks in place:
- meltdown br0 on eno1 <--> enp4s0 on joey. This is the main LUUG network.
- 10.98.0.0/16 for VTLUUG NAT
- IPv6 via prefix delegation on 607:b400:6:cc80/64
- Global IPv4s via ARP proxying (See https://github.com/vtluug/scripts). Gateway is 128.173.88.1/22.
- Static hosts are on 10.98.0.0/24, and DHCP is enabled on 10.98.1.0/24. This is mainly just useful for organization and quickly finding new hosts or other hosts on the network.
- Static host IPs are assigned via static DHCP leases for IPv4.
- Since we can't do this with IPv6, physical host IPs are determined upon first boot and VMs are assigned a specific MAC to pre-determine the SLAAC IP.
- "Internet" (a CNS portal) <--> enp2s0 on joey. LUUG only has one of these, and port security is probably enabled.
DNS/DHCP:
- All DNS entries for services run by VTLUUG are hosted on Gandi. Ask an officer if you want to change something.
- jkh and Roddy own ece.vt.edu. DNS updates don't happen. echarlie can add IPv6-only records if needed to wuvt.vt.edu so we have PTRs.
- joey runs DHCP via dnsmasq on enp4s0 (that is, 10.98.0.0/16). To change anything, modify it on https://github.com/vtluug/scripts first then pull that into root's homedir on joey. Please don't just update it on a machine without pushing your updates.
- By default, hosts are accessible via SSH on ports 22 and 2222.
Adding a VTLUUG Service VM
VMs in this category are deployed to meltdown
Prerequisites:
- Clone
https://github.com/vtluug/scripts. This is referred to as 'SCRIPTS' in this guide. - Clone
https://github.com/vtluug/ansibleand install ansible. This repo is referred to as 'ANSIBLE' in this guide. - Have access to the vtluug-admin repo on gitolite.
- Understand the VTLUUG network and how things work in general.
- Put your SSH key on meltdown
Configure the network
- Decide on a MAC address for the host and add it to
SCRIPTS/router/lan/local_hosts - Add an entry to
SCRIPTS/router/lan/dnsmasq.conffor static DHCP leases. - If a new IP in 128.173.88.1/22 is being added, also add it to
SCRIPTS/router/proxy/arp_proxy.sh
Note: It is not recommended that you do the following steps if nobody is on campus in case something breaks.
Pull the latest changes to /root/scripts, update the configuration files, and restart the services:
- Dnsmasq configuration is at
/etc/dnsmasq.conf - ARP Proxy configuration is in
/usr/local/bin
Add the VM configuration to ansible
Edit ANSIBLE_PATH/roles/deploy-vms/defaults/main.yml and add a new entry, following the existing format.
Note: if there are any entries in this file that are not present on the VM host, they will also be created. Comment out entries that shouldn't be created. Existing hosts are skipped.
Run ansible-playbook -v deploy.yml -i hosts.cfg -u papatux -k -K -e @VTLUUG_ADMIN_REPO/accounts.yml, using the correct vtluug-admin repo path.
Testing
The new host should be accessible by papatux on via SSH port 2222 (and 22) over IPv6 and IPv4 from the internal network. Check 10.98.1.0/24 to see if it correctly received a DHCP lease and if the MAC is correct.
Adding a User VM
VMs in this category are deployed to spectre
