Cloud Networking: Difference between revisions
m (→Cloud routers) |
mNo edit summary |
||
Line 19: | Line 19: | ||
* We are authoritative for the *.cloud.csc and *.csclub.cloud DNS zones, so do not use Infoblox for these (except for PTR records) |
* We are authoritative for the *.cloud.csc and *.csclub.cloud DNS zones, so do not use Infoblox for these (except for PTR records) |
||
* All *.csclub.cloud records point to the cloud.csc virtual IP |
* All *.csclub.cloud records point to the cloud.csc virtual IP |
||
* Most *.csclub.cloud TLS certificates are managed with [https://wiki.csclub.uwaterloo.ca/SSL#acme.sh acme.sh] |
|||
== Cloud routers == |
== Cloud routers == |
Latest revision as of 20:52, 29 December 2021
This page gives an overview of the network topology of the CSC cloud.
For the sections below, ".csc" is an abbreviation for ".csclub.uwaterloo.ca".
Hostnames and IP addresses
Some important hostnames and IP addresses to know about:
- VLAN 529 (172.19.168.0/27, fd74:6b6a:8eca:4902::/64) is the cloud management network
- VLAN 425 (172.19.134.0/24, 2620:101:f000:4903::/64) is the cloud user network
- Due to routing decisions, everything in VLAN 529 is accessible from VLAN 425, so make sure to use iptables if there's some service running in VLAN 529 which shouldn't be accessible by regular users. See the routers section below.
- riboflavin, ginkgo and biloba are on VLAN 529 and VLAN 134
- Each of these hosts has a ".cloud" domain record which resolves to their VLAN 529 address, e.g. riboflavin.cloud.csc
- Most Ceph services are explicitly placed on riboflavin and ginkgo, since they have the most storage
- ceph-nfs.cloud.csc and ceph-mon.cloud.csc are CNAMES for riboflavin and ginkgo
- biloba and chamomile are the two CloudStack management servers
- cloud.csc (and csclub.cloud) point to a virtual IP address (in VLAN 529) shared by biloba and chamomile via keepalived
- CloudStack keeps cookie sessions in-memory, so it is important that only one machine is the "active" CloudStack management server at any time (otherwise, if you connect to a different machine, your cookie session will suddenly be invalid)
- mariadb.cloud.csc points to this virtual IP address. We are using master-master replication between two MariaDB instances on biloba and chamomile. To avoid split-brain syndrome, it is very important that only instance gets written to at any time.
- We are authoritative for the *.cloud.csc and *.csclub.cloud DNS zones, so do not use Infoblox for these (except for PTR records)
- All *.csclub.cloud records point to the cloud.csc virtual IP
- Most *.csclub.cloud TLS certificates are managed with acme.sh
Cloud routers
The two cloud routers are router1.cloud.csc and router2.cloud.csc. They each have 3 IP addresses: one for each of VLANs 134, 425 and 529. router1.cloud.csc resolves to the VLAN 529 IP, and router1-cloud.csc resolves to the VLAN 134 IP (same for router2).
The two routers are also sharing the virtual IP addresses for router.cloud.csc (VLAN 529) and nat-gateway.cloud.csc (VLAN 425) via keepalived. For incoming VLAN 425 traffic, the routers basically strip off the VLAN 425 header and replace it with a VLAN 529 header, meaning that VLAN 529 is fully accessible from VLAN 425. (This is actually useful for us since we can access Ceph storage from Kubernetes this way.) Use iptables where necessary.
Setup
The routers are systemd-nspawn containers running on biloba and chamomile. Standard container setup (FQDN, DNS, etc.) applies.
For reference, here's the .nspawn file for router1:
[Exec] Boot=yes Hostname=router1 PrivateUsers=no [Network] Bridge=br134 # These are manually bridged to the host; see # /etc/systemd/system/systemd-nspawn@router1.service.d/override.conf VirtualEthernetExtra=ve-router1-529:veth529 VirtualEthernetExtra=ve-router1-425:veth425
Here's the aforementioned systemd drop-in:
[Service] ExecStartPost=/usr/sbin/ip link set dev ve-router1-529 master br529 ExecStartPost=/usr/sbin/ip link set dev ve-router1-529 up ExecStartPost=/usr/sbin/ip link set dev ve-router1-425 master br425 ExecStartPost=/usr/sbin/ip link set dev ve-router1-425 up
Here's the /etc/network/interfaces in router1:
auto host0 iface host0 inet static address 129.97.134.18/24 gateway 129.97.134.1 iface host0 inet6 static pre-up sysctl net.ipv6.conf.host0.accept_ra=0 pre-up sysctl net.ipv6.conf.host0.accept_dad=0 address 2620:101:f000:4901:c5c::18/64 gateway 2620:101:f000:4901::1 auto veth529 iface veth529 inet static address 172.19.168.19/27 iface veth529 inet6 static pre-up sysctl net.ipv6.conf.veth529.accept_ra=0 pre-up sysctl net.ipv6.conf.veth529.accept_dad=0 address fd74:6b6a:8eca:4902::19/64 auto veth425 iface veth425 inet manual iface veth425 inet6 manual pre-up sysctl net.ipv6.conf.veth425.accept_ra=0 pre-up sysctl net.ipv6.conf.veth425.accept_dad=0
It is very important to disable IPv6 router advertisements. Note how veth425 doesn't have a dedicated IP address because it is provided by keepalived.
Here's the /etc/keepalived/keepalived.conf in router1:
vrrp_instance VI_1 { state MASTER interface veth529 virtual_router_id 21 priority 255 advert_int 2 authentication { auth_type PASS auth_pass ******** } virtual_ipaddress { # VLAN 529 router 172.19.168.21/27 # VLAN 425 router 172.19.134.254/24 dev veth425 } virtual_ipaddress_excluded { # VLAN 529 router fd74:6b6a:8eca:4902::21/64 # VLAN 425 router 2620:101:f000:4903::254/64 dev veth425 } }
Here's a snippet from /etc/sysctl.conf in router1:
net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
Here are the iptables rules in router1:
iptables -t nat -N CLOUD-ROUTER iptables -t nat -A POSTROUTING -j CLOUD-ROUTER iptables -t nat -A CLOUD-ROUTER -d 10.0.0.0/8 -j RETURN iptables -t nat -A CLOUD-ROUTER -d 172.16.0.0/12 -j RETURN iptables -t nat -A CLOUD-ROUTER -d 129.97.0.0/16 -j RETURN iptables -t nat -A CLOUD-ROUTER -s 172.19.168.0/27 -j SNAT --to-source 129.97.134.18 iptables -t nat -A CLOUD-ROUTER -s 172.19.134.0/24 -j SNAT --to-source 129.97.134.18
Note that for on-campus addresses, forwarding is used instead of NAT.