Controls/gitea-pages
0
2
Fork 0
Code Pull Requests Actions Activity
Files
2a04343c9f709ceb3db3f0ceb77aaa7a7c1952bf
gitea-pages/admin-guide/deployment/dmz_installation.md
ebner efe9024e6d reshuffling
2024-08-08 13:07:25 +02:00

2.8 KiB
Raw Blame History

DMZ Installation

The deployment in the DMZ ist the basically the same as internaly, but there are a few points to consider:

  • a firewall rule for puppet is needed
  • the commissioning can only be done in the special DMZ commissioning network

Because of this commissioning network we suggest that the DMZ VM gets for commissioning two interfaces, a "front-door" to the actual network where it will finally provide its service and the "back-door" in the commissioning network. After successful setup that interface will be removed.

Preparation

  • get static IP addresss for "front-door" interface
  • For Puppet you need to order a firewall rule from your machine to puppet01.psi.ch using TCP port 8140.
  • (let) the VM be set up with to interfaces, the first one in the final network ("front-door") and the second one attached to 172.23.206.0/24 ("back-door")
  • get both MAC addresses
  • prepare the node in Sysdb/bob with the "back-door" MAC address
  • in Hiera following network configuration is suggested which keeps the "front-door" interface disabled for the start:
networking::setup: managed

networking::connections:
  - dmz_network
  - commissioning_network

networking::connection::dmz_network:
  mac_address: '00:50:56:9d:47:eb'
  ipv4_method: 'disabled'
  ipv6_method: 'disabled'

networking::connection::commissioning_network:
  mac_address: '00:50:56:9d:c7:fe'
  ipv4_method: 'auto'
  ipv6_method: 'disabled'

Commissioning/Kickstart

  • commission/kickstart the node via network boot
  • for SSH access get assigned IP address from VMWare or Puppet facts or QIP
  • at the moment puppet will fail, provide the IP address to your fellow friendly Core Linux Team member to manually finish the first boot
  • if the configuration is fully ready, configure the "front-door" interface:
networking::setup: managed

networking::connections:
  - dmz_network
  - commissioning_network

networking::connection::dmz_network:
  mac_address: '00:50:56:9d:47:eb'
  ipv4_method: 'manual'
  ipv4_address: '192.33.120.60/24'
  ipv4_gateway: '192.33.120.1'
  ipv6_method: 'disabled'

networking::connection::commissioning_network:
  mac_address: '00:50:56:9d:c7:fe'
  ipv4_method: 'auto'
  ipv6_method: 'disabled'

Cleanup

  • check if you still have management access (ssh) over the front door interface
  • remove the configuration of the "back-door" interface:
networking::setup: managed

networking::connections:
  - dmz_network

networking::connection::dmz_network:
  mac_address: '00:50:56:9d:47:eb'
  ipv4_method: 'manual'
  ipv4_address: '192.33.120.60/24'
  ipv4_gateway: '192.33.120.1'
  ipv6_method: 'disabled'
  • remove the "back-door" interface from the VM
View Git Blame Copy Permalink