From fb4c2b7401f407b1080e18a1d3f14023e644713c Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Mon, 25 Mar 2024 11:48:16 +0100 Subject: [PATCH] DMZ deployment with commissioning interface --- admin-guide/deployment/dmz.md | 75 ++++++++++++++++++++++++++++++++++- 1 file changed, 74 insertions(+), 1 deletion(-) diff --git a/admin-guide/deployment/dmz.md b/admin-guide/deployment/dmz.md index afe3c598..3af5eae6 100644 --- a/admin-guide/deployment/dmz.md +++ b/admin-guide/deployment/dmz.md 
@@ -1,3 +1,76 @@ # DMZ deployment -The deployment in the DMZ ist the same as [internaly](sample), the only exception is that for Puppet you need to [order a firewall rule](https://psi.service-now.com/psisp?id=psi_new_sc_cat_item&sys_id=faccb8644fe58f8422b0119f0310c7f7) from your machine to `puppet01.psi.ch` using TCP port 8140. +The deployment in the DMZ ist the basically the same as [internaly](sample), but there are a few points to consider: + +- a firewall rule for puppet is needed +- the commissioning can only be done in the special DMZ commissioning network + +Because of this commissioning network we suggest that the DMZ VM gets for commissioning two interfaces, a "front-door" to the actual network where it will finally provide its service and the "back-door" in the commissioning network. After successful setup that interface will be removed. + +## Preparation + +- get static IP addresss for "front-door" interface +- For Puppet you need to [order a firewall rule](https://psi.service-now.com/psisp?id=psi_new_sc_cat_item&sys_id=faccb8644fe58f8422b0119f0310c7f7) from your machine to `puppet01.psi.ch` using TCP port 8140. 
+- (let) the VM be set up with to interfaces, the first one in the final network ("front-door") and the second one attached to `172.23.206.0/24` ("back-door") +- get both MAC addresses +- prepare the node in Sysdb/`bob` with the "back-door" MAC address +- in Hiera following network configuration is suggested which keeps the "front-door" interface disabled for the start: +``` +networking::setup: managed + +networking::connections: + - dmz_network + - commissioning_netzwork + +networking::connection::dmz_network: + mac_address: '00:50:56:9d:47:eb' + ipv4_method: 'disabled' + ipv6_method: 'disabled' + +networking::connection::commissioning_network: + mac_address: '00:50:56:9d:c7:fe' + ipv4_method: 'auto' + ipv6_method: 'disabled' +``` +## Commissioning/Kickstart + +- commission/kickstart the node via network boot +- if the configuration is fully ready, configure the "front-door" interface: +``` +networking::setup: managed + +networking::connections: + - dmz_network + - commissioning_netzwork + +networking::connection::dmz_network: + mac_address: '00:50:56:9d:47:eb' + ipv4_method: 'manual' + ipv4_address: '192.33.120.60/24' + ipv4_gateway: '192.33.120.1' + ipv6_method: 'disabled' + +networking::connection::commissioning_network: + mac_address: '00:50:56:9d:c7:fe' + ipv4_method: 'auto' + ipv6_method: 'disabled' +``` + +## Cleanup + +- check if you still have management access (`ssh`) over the front door interface +- remove the configuration of the "back-door" interface: +``` +networking::setup: managed + +networking::connections: + - dmz_network + +networking::connection::dmz_network: + mac_address: '00:50:56:9d:47:eb' + ipv4_method: 'manual' + ipv4_address: '192.33.120.60/24' + ipv4_gateway: '192.33.120.1' + ipv6_method: 'disabled' +``` +- remove the "back-door" interface from the VM
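Review bot: the `networking::connections` list in the Preparation and Commissioning/Kickstart snippets names `- commissioning_netzwork`, but the connection itself is defined as `networking::connection::commissioning_network`; with that mismatch the "back-door" connection used for the network boot has no matching definition, so the entry should read `- commissioning_network` in both snippets (the Cleanup snippet lists only `dmz_network` and is unaffected). The added prose also has a few spelling slips worth fixing in the same patch: `ist the basically the same` should be `is basically the same`, `internaly` should be `internally`, `addresss` should be `address`, and `set up with to interfaces` should be `set up with two interfaces`. One more point on the Cleanup section: the `ssh` check over the front-door interface should be done from the management host you will actually administer the machine from, across the real DMZ firewall path, because once the "back-door" interface is removed it is the only remaining access route and a missing front-door rule would otherwise only be noticed after the machine is unreachable.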