# DMZ Installation

The deployment in the DMZ is basically the same as [internally](basic_installation), but there are a few points to consider:

- a firewall rule for Puppet is needed
- the commissioning can only be done in the special DMZ commissioning network

Because of this commissioning network, we suggest that the DMZ VM gets two interfaces for commissioning: a "front-door" in the actual network where it will finally provide its service, and a "back-door" in the commissioning network. After successful setup the "back-door" interface will be removed.

## Preparation

- get a static IP address for the "front-door" interface
- For Puppet you need to [order a firewall rule](https://psi.service-now.com/psisp?id=psi_new_sc_cat_item&sys_id=faccb8644fe58f8422b0119f0310c7f7) from your machine to `puppet01.psi.ch` using TCP port 8140.
- (let) the VM be set up with two interfaces, the first one in the final network ("front-door") and the second one attached to `172.23.206.0/24` ("back-door")
- get both MAC addresses
- prepare the node in Sysdb/`bob` with the "back-door" MAC address
- in Hiera the following network configuration is suggested, which keeps the "front-door" interface disabled for the start:

```yaml
networking::setup: managed

networking::connections:
  - dmz_network
  - commissioning_network

networking::connection::dmz_network:
  mac_address: '00:50:56:9d:47:eb'
  ipv4_method: 'disabled'
  ipv6_method: 'disabled'

networking::connection::commissioning_network:
  mac_address: '00:50:56:9d:c7:fe'
  ipv4_method: 'auto'
  ipv6_method: 'disabled'
```

## Commissioning/Kickstart

- commission/kickstart the node via network boot
- for SSH access, get the assigned IP address from VMware, Puppet facts, or QIP
- at the moment Puppet will fail; provide the IP address to your fellow friendly Core Linux Team member to manually finish the first boot
- when the configuration is fully ready, configure the "front-door" interface:

```yaml
networking::setup: managed

networking::connections:
  - dmz_network
  - commissioning_network

networking::connection::dmz_network:
  mac_address: '00:50:56:9d:47:eb'
  ipv4_method: 'manual'
  ipv4_address: '192.33.120.60/24'
  ipv4_gateway: '192.33.120.1'
  ipv6_method: 'disabled'

networking::connection::commissioning_network:
  mac_address: '00:50:56:9d:c7:fe'
  ipv4_method: 'auto'
  ipv6_method: 'disabled'
```

## Cleanup

- check if you still have management access (`ssh`) over the "front-door" interface
- remove the configuration of the "back-door" interface:

```yaml
networking::setup: managed

networking::connections:
  - dmz_network

networking::connection::dmz_network:
  mac_address: '00:50:56:9d:47:eb'
  ipv4_method: 'manual'
  ipv4_address: '192.33.120.60/24'
  ipv4_gateway: '192.33.120.1'
  ipv6_method: 'disabled'
```

- remove the "back-door" interface from the VM
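
A check for the Cleanup steps above, as an added example that is not part of the original documentation: it inspects `ip -j addr show` JSON and reports whether the "back-door" is really gone and the "front-door" carries its static address. The MAC addresses, the static address and the commissioning network are the page's own example values; the interface names and the `172.23.206.17` lease are constructed.

```python
import ipaddress
import json

# Values from the page's Hiera examples and preparation steps.
BACK_DOOR_NET = ipaddress.ip_network("172.23.206.0/24")
BACK_DOOR_MAC = "00:50:56:9d:c7:fe"
FRONT_DOOR_MAC = "00:50:56:9d:47:eb"
FRONT_DOOR_ADDR = ipaddress.ip_interface("192.33.120.60/24")


def cleanup_findings(ip_json):
    """Check `ip -j addr show` JSON; an empty result means cleanup is complete."""
    findings, front_door_seen = [], False
    for link in json.loads(ip_json):
        name = link.get("ifname", "?")
        mac = link.get("address", "").lower()
        addrs = [ipaddress.ip_interface(f"{a['local']}/{a['prefixlen']}")
                 for a in link.get("addr_info", []) if a.get("family") == "inet"]
        if any(a.ip in BACK_DOOR_NET for a in addrs):
            findings.append(f"{name}: still has an address in {BACK_DOOR_NET}")
        if mac == BACK_DOOR_MAC:
            findings.append(f"{name}: back-door NIC is still attached to the VM")
        if mac == FRONT_DOOR_MAC:
            front_door_seen = True
            if FRONT_DOOR_ADDR not in addrs:
                findings.append(f"{name}: {FRONT_DOOR_ADDR} is not configured")
    if not front_door_seen:
        findings.append(f"front-door NIC {FRONT_DOOR_MAC} not found")
    return findings


def _link(name, mac, cidr):
    """Build one constructed sample entry with the fields `ip -j addr` emits."""
    local, plen = cidr.split("/")
    return {"ifname": name, "link_type": "ether", "address": mac,
            "addr_info": [{"family": "inet", "local": local, "prefixlen": int(plen)}]}


# Constructed samples (interface names and the DHCP lease are made up):
# host state before and after the Cleanup steps.
BEFORE = json.dumps([_link("ens192", FRONT_DOOR_MAC, "192.33.120.60/24"),
                     _link("ens224", BACK_DOOR_MAC, "172.23.206.17/24")])
AFTER = json.dumps([_link("ens192", FRONT_DOOR_MAC, "192.33.120.60/24")])

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, cleanup_findings(sample) or "cleanup complete")
```

On the host itself, pass the real state in with `cleanup_findings(subprocess.check_output(["ip", "-j", "addr", "show"], text=True))`.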