Browse Source

Lots of updates, new co-location

master
Jeff Moe 2 years ago
parent
commit
252a2ccad4
174 changed files with 9655 additions and 330 deletions
  1. +3
    -3
      README.md
  2. +11
    -3
      build.sh
  3. +19
    -0
      rebuild.sh
  4. +358
    -1
      source/Ansible.tex
  5. +0
    -51
      source/ClusterHardware.tex
  6. +49
    -4
      source/Firewalls.tex
  7. +496
    -0
      source/Hardware.tex
  8. +0
    -197
      source/OpenNebula.tex
  9. +230
    -0
      source/Proxmox.tex
  10. +831
    -0
      source/Software-daemons.tex
  11. +196
    -4
      source/Source-gen.tex
  12. +7
    -2
      source/Title.tex
  13. +0
    -21
      source/forksand-it-manual.gst
  14. +0
    -15
      source/forksand-it-manual.ist
  15. +67
    -11
      source/forksand-it-manual.tex
  16. +0
    -0
      source/lib/jebbastrings-captions.sty
  17. +0
    -0
      source/lib/jebbastrings.sty
  18. +66
    -2
      source/resources/SHA256SUM
  19. +2
    -2
      source/resources/STATS
  20. +661
    -0
      source/resources/apps/Ansible-Gitea/LICENSE.AGPLv3
  21. +674
    -0
      source/resources/apps/Ansible-Gitea/LICENSE.GPLv3
  22. +172
    -0
      source/resources/apps/Ansible-Gitea/README.md
  23. +2
    -0
      source/resources/apps/Ansible-Gitea/ansible.cfg
  24. +7
    -0
      source/resources/apps/Ansible-Gitea/inventory.yml
  25. BIN
      source/resources/apps/Ansible-Gitea/roles/gitea/.DS_Store
  26. +34
    -0
      source/resources/apps/Ansible-Gitea/roles/gitea/defaults/main.yml
  27. +5
    -0
      source/resources/apps/Ansible-Gitea/roles/gitea/handlers/main.yml
  28. +6
    -0
      source/resources/apps/Ansible-Gitea/roles/gitea/tasks/create_user.yml
  29. +10
    -0
      source/resources/apps/Ansible-Gitea/roles/gitea/tasks/install_systemd.yml
  30. +47
    -0
      source/resources/apps/Ansible-Gitea/roles/gitea/tasks/main.yml
  31. +454
    -0
      source/resources/apps/Ansible-Gitea/roles/gitea/templates/gitea.ini.j2
  32. +12
    -0
      source/resources/apps/Ansible-Gitea/roles/gitea/templates/gitea.service.j2
  33. +3
    -0
      source/resources/apps/Ansible-Gitea/roles/nginx/defaults/main.yml
  34. +5
    -0
      source/resources/apps/Ansible-Gitea/roles/nginx/handlers/main.yml
  35. +48
    -0
      source/resources/apps/Ansible-Gitea/roles/nginx/tasks/main.yml
  36. +13
    -0
      source/resources/apps/Ansible-Gitea/roles/nginx/templates/nginx.conf.j2
  37. +59
    -0
      source/resources/apps/Ansible-Gitea/roles/nginx/templates/nginxssl.conf.j2
  38. +4
    -0
      source/resources/apps/Ansible-Gitea/site.yml
  39. +1
    -0
      source/resources/apps/ansible-debian-mail/.gitignore
  40. +661
    -0
      source/resources/apps/ansible-debian-mail/LICENSE.AGPLv3
  41. +674
    -0
      source/resources/apps/ansible-debian-mail/LICENSE.GPLv3
  42. +107
    -0
      source/resources/apps/ansible-debian-mail/README.md
  43. +2
    -0
      source/resources/apps/ansible-debian-mail/ansible.cfg
  44. +14
    -0
      source/resources/apps/ansible-debian-mail/group_vars/all.yml
  45. +7
    -0
      source/resources/apps/ansible-debian-mail/inventory.yml
  46. +76
    -0
      source/resources/apps/ansible-debian-mail/roles/dkim_configuration/tasks/main.yml
  47. +3
    -0
      source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/internalhosts.j2
  48. +26
    -0
      source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.conf.j2
  49. +1
    -0
      source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.j2
  50. +16
    -0
      source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.conf.j2
  51. +0
    -0
      source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.j2
  52. +5
    -0
      source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/trustedhosts.j2
  53. +5
    -0
      source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/handlers/main.yml
  54. +80
    -0
      source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/tasks/main.yml
  55. +23
    -0
      source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-master.conf.j2
  56. +5
    -0
      source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-ssl.conf.j2
  57. +8
    -0
      source/resources/apps/ansible-debian-mail/roles/fail2ban_configuration/tasks/main.yml
  58. +11
    -0
      source/resources/apps/ansible-debian-mail/roles/letsencrypt_configuration/tasks/main.yml
  59. +2
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/.gitignore
  60. +18
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/.travis.yml
  61. +25
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/LICENSE
  62. +230
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/README.md
  63. +41
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/Vagrantfile
  64. +33
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/defaults/main.yml
  65. +1
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/.galaxy_install_info
  66. +22
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/main.yml
  67. +8
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/main.yml
  68. +22
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-debian.yml
  69. +23
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-redhat.yml
  70. +28
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/rules.yml
  71. +26
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v4.j2
  72. +26
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v6.j2
  73. +68
    -0
      source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tests.yml
  74. +26
    -0
      source/resources/apps/ansible-debian-mail/roles/outputs/tasks/main.yml
  75. +2
    -0
      source/resources/apps/ansible-debian-mail/roles/postfix_configuration/files/auth_header_checks.pcre
  76. +60
    -0
      source/resources/apps/ansible-debian-mail/roles/postfix_configuration/files/master.cf
  77. +18
    -0
      source/resources/apps/ansible-debian-mail/roles/postfix_configuration/handlers/main.yml
  78. +128
    -0
      source/resources/apps/ansible-debian-mail/roles/postfix_configuration/tasks/main.yml
  79. +3
    -0
      source/resources/apps/ansible-debian-mail/roles/postfix_configuration/templates/aliases.j2
  80. +22
    -0
      source/resources/apps/ansible-debian-mail/roles/server_tasks/handlers/main.yml
  81. +186
    -0
      source/resources/apps/ansible-debian-mail/roles/server_tasks/tasks/main.yml
  82. +7
    -0
      source/resources/apps/ansible-debian-mail/roles/spamassassin_configuration/tasks/main.yml
  83. +8
    -0
      source/resources/apps/ansible-debian-mail/roles/sqlgrey_configuration/tasks/main.yml
  84. +58
    -0
      source/resources/apps/ansible-debian-mail/site.yml
  85. +329
    -0
      source/resources/apps/forksand-nodes-bootstrap/forksand-hk1-bootstrap
  86. +329
    -0
      source/resources/apps/forksand-nodes-bootstrap/forksand-hk2-bootstrap
  87. +329
    -0
      source/resources/apps/forksand-nodes-bootstrap/forksand-hk3-bootstrap
  88. +314
    -0
      source/resources/apps/forksand-nodes-bootstrap/forksand-shark4-bootstrap
  89. +375
    -0
      source/resources/apps/forksand-nodes-bootstrap/forksand-the-bootstrap
  90. +393
    -0
      source/resources/apps/forksand-nodes-bootstrap/forksand-truck-bootstrap
  91. +151
    -0
      source/resources/apps/oca-forksand-v1_1/README.rst
  92. +1
    -0
      source/resources/apps/oca-forksand-v1_1/inventory
  93. +31
    -0
      source/resources/apps/oca-forksand-v1_1/playbook.yml
  94. +14
    -0
      source/resources/apps/oca-forksand-v1_1/requirements.yml
  95. +0
    -0
      source/resources/apps/oca/etc/init.d/openerp-server
  96. +0
    -0
      source/resources/apps/oca/oca-install.sh
  97. +0
    -0
      source/resources/apps/odoo/odoo11-deb-install.sh
  98. +0
    -0
      source/resources/apps/ssh/socks-chain.sh
  99. +0
    -0
      source/resources/apps/ssh/socks-proxy.sh
  100. BIN
      source/resources/drawings/sharkfork-cabling-1-dedicated-vlan.pdf
  101. BIN
      source/resources/drawings/sharkfork-cabling-2-mixed-vlan.pdf
  102. BIN
      source/resources/drawings/sharkfork-cabling-3-colo-dedicated.pdf
  103. BIN
      source/resources/drawings/sharkfork-cabling-4-final-colocation.pdf
  104. BIN
      source/resources/images/LetterheadPDF.pdf
  105. BIN
      source/resources/images/proxmox-gui.png
  106. BIN
      source/resources/images/shark2/01.png
  107. BIN
      source/resources/images/shark2/02.png
  108. BIN
      source/resources/images/shark2/03.png
  109. BIN
      source/resources/images/shark2/04.png
  110. BIN
      source/resources/images/shark2/05.png
  111. BIN
      source/resources/images/shark2/06.png
  112. BIN
      source/resources/images/shark2/07.png
  113. BIN
      source/resources/images/shark2/08.png
  114. BIN
      source/resources/images/shark2/09.png
  115. BIN
      source/resources/images/shark2/10.png
  116. BIN
      source/resources/images/shark2/11.png
  117. BIN
      source/resources/images/shark2/12.png
  118. BIN
      source/resources/images/shark2/13.png
  119. BIN
      source/resources/images/shark2/14.png
  120. BIN
      source/resources/images/shark2/15.png
  121. BIN
      source/resources/images/shark2/16.png
  122. BIN
      source/resources/images/shark2/17.png
  123. BIN
      source/resources/images/shark2/18.png
  124. BIN
      source/resources/images/shark2/19.png
  125. BIN
      source/resources/images/shark2/20.png
  126. BIN
      source/resources/images/shark2/21.png
  127. BIN
      source/resources/images/shark2/22.png
  128. BIN
      source/resources/images/shark2/23.png
  129. BIN
      source/resources/images/shark2/24.png
  130. BIN
      source/resources/images/shark3/01.png
  131. BIN
      source/resources/images/shark3/02.png
  132. BIN
      source/resources/images/shark3/03.png
  133. BIN
      source/resources/images/shark3/04.png
  134. BIN
      source/resources/images/shark3/05.png
  135. BIN
      source/resources/images/shark3/06.png
  136. BIN
      source/resources/images/shark3/07.png
  137. BIN
      source/resources/images/shark3/08.png
  138. BIN
      source/resources/images/shark3/09.png
  139. BIN
      source/resources/images/shark3/10.png
  140. BIN
      source/resources/images/shark3/11.png
  141. BIN
      source/resources/images/shark3/12.png
  142. BIN
      source/resources/images/shark3/13.png
  143. BIN
      source/resources/images/shark3/14.png
  144. BIN
      source/resources/images/shark3/15.png
  145. BIN
      source/resources/images/shark3/16.png
  146. BIN
      source/resources/images/shark3/17.png
  147. BIN
      source/resources/images/shark3/18.png
  148. BIN
      source/resources/images/shark3/19.png
  149. BIN
      source/resources/images/shark3/20.png
  150. BIN
      source/resources/images/shark3/21.png
  151. BIN
      source/resources/images/shark3/22.png
  152. BIN
      source/resources/images/shark4/01.png
  153. BIN
      source/resources/images/shark4/02.png
  154. BIN
      source/resources/images/shark4/03.png
  155. BIN
      source/resources/images/shark4/04.png
  156. BIN
      source/resources/images/shark4/05.png
  157. BIN
      source/resources/images/shark4/06.png
  158. BIN
      source/resources/images/shark4/07.png
  159. BIN
      source/resources/images/shark4/08.png
  160. BIN
      source/resources/images/shark4/09.png
  161. BIN
      source/resources/images/shark4/10.png
  162. BIN
      source/resources/images/shark4/11.png
  163. BIN
      source/resources/images/shark4/12.png
  164. BIN
      source/resources/images/shark4/13.png
  165. BIN
      source/resources/images/shark4/14.png
  166. BIN
      source/resources/images/shark4/15.png
  167. BIN
      source/resources/images/shark4/16.png
  168. BIN
      source/resources/images/shark4/17.png
  169. BIN
      source/resources/images/shark4/18.png
  170. BIN
      source/resources/images/shark4/19.png
  171. BIN
      source/resources/images/sharkfork-10U.pdf
  172. BIN
      source/resources/images/sharkfork-21U.png
  173. BIN
      source/resources/images/www-proxmox.png
  174. +22
    -14
      source/resources/make-sources-list.sh

+ 3
- 3
README.md View File

@ -2,15 +2,15 @@
Fork Sand IT Manual
by Fork Sand, Inc.
by Jeff Moe
Copyright 2018, Fork Sand, Inc.
Copyright 2017, Jeff Moe
Permission is granted to copy, distribute and/or modify this document under
the terms of the Creative Commons Attribution 4.0 International Public License
(CC BY-SA 4.0).
Published by Fork Sand Inc., Loveland, Colorado, USA.
Published by Jeff Moe, Loveland, Colorado, USA.
# Sources

+ 11
- 3
build.sh View File

@ -2,11 +2,19 @@
# build.sh
# GPLv3+
set -x
rm -f forksand-it-manual.pdf source/forksand-it-manual.pdf
# A function to jump to application's root, default .../forksand-it-manual
cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD"
rootPath=$PWD
cd source || exit
# Generate Source-gen.tex, for auto source code inclusion
rm -f forksand-it-manual.pdf ../forksand-it-manual.pdf
time ./resources/make-sources-list.sh
cd ~/FORKSAND/IT/forksand-it-manual/source/ || exit
# A function to jump to application's root, default .../forksand-it-manual
cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD"
cd source/ || exit
# Build main LaTeX file
# Run BibTeX
@ -19,7 +27,7 @@ xelatex \
-interaction=nonstopmode \
forksand-it-manual.tex
mv *.pdf ../
for i in $(ls *.pdf); do mv -f $i ../$i ; done # in windows every file must be processed explicitly
exit 0

+ 19
- 0
rebuild.sh View File

@ -0,0 +1,19 @@
#!/bin/bash
# build.sh
# GPLv3+
set -x
# A function to jump to application's root, default .../forksand-it-manual
cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD"
rootPath=$PWD
cd source || exit
rm ./*.aux
rm ./*.l*
rm ./*.glo
rm ./*.idx
rm ./*.out
rm ./*.pyg
rm ./*.toc
rm ./_minted-forksand-it-manual/*.pyg*

+ 358
- 1
source/Ansible.tex View File

@ -20,7 +20,11 @@ Use \texttt{ansible} for management of servers.
\item DebOps: \url{https://docs.debops.org/en/latest/index.html}
\end{itemize}
\subsection{Build Ansible Debian Package}
\subsection{Glossary}
An \texttt{Ansible playbook} is an organized unit of scripts that defines
work for a server configuration managed by the automation tool \texttt{ansible}.
\subsection{Build Ansible Debian Package}\label{ssec:bansdpac}
The version of Ansible is 2.2 in Debian 9 (stable/Stretch).
The current stable release is Ansible 2.4.
Below documents how to build a 2.4 package for Debian 9.
@ -109,3 +113,356 @@ Set up some playbooks, grab examples:
git clone https://github.com/ansible/ansible-examples.git
cd ansible-examples/
\end{minted}
\section{Ansible Debian Mail}
Assuming \texttt{ansible} is built according to section \ref{ssec:bansdpac}
on p.\pageref{ssec:bansdpac}, the following requirements are met.
\subsection{Requirements}
The following applications are required to utilize this this section objectives.
Ansible can be installed using Python PIP.
\begin{itemize}
\item \texttt{Ansible} 2.4.x+
\item \texttt{Python} 2.7.9+
\textcolor[rgb]{0.80,0.00,0.00}{Todo clarify confusion over version requirements}
\end{itemize}
\subsection{Quick Start}
The following steps will help quickly set up and execute this section objectives.
\texttt{Project Configuration}
The following files need to be edited and configured before executing this playbook.
\begin{table}[!htb]
\caption{Files to be edited} % \label{tab:tech}
\begin{tabular}{|l|l|}
\hline
\multicolumn {1}{|l|}{ File}&
\multicolumn {1}{l|}{ Description} \\ \hline
groups\char`_vars/all.yml & Server credential information and domain variables \\ \hline
inventory.yml & List of server IPs to connect to \\ \hline
\end{tabular}
\end{table}
\texttt{Playbook Execution}
After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook.
\begin{minted}{sh}
ansible-playbook -i inventory.yml site.yml`
\end{minted}
\subsection{Project Structure}
The following tree depicts the high level structure of this Ansible project.
\begin{minted}{sh}
|-- ansible.cfg
|-- group_vars
|   -- all.yml
|-- inventory.yml
|-- LICENSE.AGPLv3
|-- LICENSE.GPLv3
|-- README.md
|-- roles
|   |-- dkim_configuration
|   |-- dovecot_configuration
|   |-- fail2ban_configuration
|   |-- letsencrypt_configuration
|   |-- mikegleasonjr.firewall
|   |-- outputs
|   |-- postfix_configuration
|   |-- server_tasks
|   |-- spamassassin_configuration
|   -- sqlgrey_configuration
|-- playbook_execution.log
-- site.yml
\end{minted}
\texttt{File and Directory Descriptions}
The following table consists of a description of what each file and directory stands for.
\begin{table}[!htb]
\caption{File and Directory Descriptions} % \label{tab:tech}
\begin{tabular}{|l|l|}
\hline
\multicolumn {1}{|l|}{ Name}&
\multicolumn {1}{l|}{ Description} \\ \hline
site.yml & Master playbook. Executes all roles in sequential order \\ \hline
inventory.yml & Inventory file containing server IP addresses \\ \hline
ansible.cfg & Ansible configuration file for various Ansible options. \\ \hline
group\char`_vars/ & Group\char`_vars directory contains variable files for the entire group. \\
& The files are named according to the group name. 'all.yml' = group 'all' \\ \hline
group\char`_vars/all.yml & Group variables for the 'all' group. Contains server connection \\
& information along with domain variables \\ \hline
roles/ & Directory containing all roles needed by this project \\ \hline
\end{tabular}
\end{table}
\texttt{Role descriptions}
The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook.
\begin{table}[!htb]
\caption{Role descriptions} % \label{tab:tech}
\begin{tabular}{|l|l|l|}
\hline
\multicolumn {1}{|l|}{Role Name}&
\multicolumn {1}{|l|}{Role Description}&
\multicolumn {1}{l|}{Depends on} \\ \hline
server\char`_tasks & This roles performs all server tasks. Updating & mikebleasonjr.firewall \\
& server, configuring SSH, disable IPv6, etc. & \\
& Depends on the mikegleasonjr.firewall role. & \\ \hline
mikegleasonjr.firewall & This role set up iptables rules. It is called & None \\
& and ran by the server\char`_tasks roles. & \\ \hline
letsencrypt\char`_configuration & This role installs and executes let's encrypt & None \\ \hline
postfix\char`_configuration & This roles installs postfix, configures postfix & letsencrypt\char`_configuration \\
& using postconf, and sets up virtual file, & \\
& master.cf file, and aliases file & \\ \hline
dkim\char`_configuration & This roles installs OpenDKIM, OpenDMARC & None \\
& and configures them. & \\ \hline
dovecot\char`_configuration & This role installs and configures dovecot & letsencrypt\char`_configuration \\ \hline
spamassassin\char`_configuration & This role installs spamassassin. & None \\ \hline
sqlgrey\char`_configuration & This role installs sqlgrey. & None \\ \hline
fail2ban\char`_configuration & This role installs fail2ban. & None \\ \hline
outputs & This role gathers DNS information for the & None \\
& SPF, DMARC, and DKIM records and & \\
& outputs them to the screen. & \\ \hline
\end{tabular}
\end{table}
\subsection{Ansible Logging}
Execution processes described in this section are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path.
\subsection{Troubleshooting}
Ansible has a built in debug output. Simply run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it.
\begin{minted}{sh}
Level 1: `-v`
Level 2: `-vv`
Level 3: `-vvv`
Level 4: `-vvvv`
Level 5: `-vvvvv`
\end{minted}
Example execution with level 3 debug output:
\begin{minted}{sh}
ansible-playbook -i inventory.yml site.yml -vvv
\end{minted}
\section{Ansible Gitea}
Assuming \texttt{ansible} is built according to section \ref{ssec:bansdpac}
on p.\pageref{ssec:bansdpac}, the following requirements are met.
\subsection{Requirements}
The following applications are required to utilize this this section objectives.
Ansible can be installed using Python PIP.
\begin{itemize}
\item \texttt{Ansible} 2.4.x+
\item \texttt{Python} 2.7.9+
\textcolor[rgb]{0.80,0.00,0.00}{Todo clarify confusion over version requirements}
\end{itemize}
\subsection{Quick Start}
The following steps will help quickly set up and execute this section objectives.
\texttt{Project Configuration}
The following files need to be edited and configured before executing this playbook.
\begin{table}[!htb]
\caption{Files to be edited} % \label{tab:tech}
\begin{tabular}{|l|l|}
\hline
\multicolumn {1}{|l|}{ File}&
\multicolumn {1}{l|}{ Description} \\ \hline
roles/gitea/default/main.yml & Variables for Gitea configuration \\
& (default - standalone with sqlite) \\ \hline
roles/nginx/default/main.yml & Variables for Nginx and Letsencrypt configuration \\ \hline
inventory.yml & List of server IPs to connect to \\ \hline
\end{tabular}
\end{table}
\qquad \\
\texttt{Playbook Execution}
After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook.
\begin{minted}{sh}
ansible-playbook -i inventory.yml site.yml`
\end{minted}
\subsection{Project Structure}
The following tree depicts the high level structure of this Ansible project.
\begin{minted}{sh}
|-- inventory.yml
|-- LICENSE.AGPLv3
|-- LICENSE.GPLv3
|-- README.md
|-- roles
|   |-- gitea
|   -- nginx
|-- playbook_execution.log
-- site.yml
\end{minted}
\texttt{File and Directory Descriptions}
The following table consists of a description of what each file and directory stands for.
\begin{table}[!htb]
\caption{File and Directory Descriptions} % \label{tab:tech}
\begin{tabular}{|l|l|}
\hline
\multicolumn {1}{|l|}{ Name}&
\multicolumn {1}{l|}{ Description} \\ \hline
site.yml & Master playbook. Executes all roles in sequential order \\ \hline
inventory.yml & Inventory file containing server IP addresses \\ \hline
ansible.cfg & Ansible configuration file for various Ansible options. \\ \hline
roles/ & Directory containing all roles needed by this project \\ \hline
\end{tabular}
\end{table}
\qquad \\
\texttt{Role descriptions}
The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook.
\begin{table}[!htb]
\caption{Role descriptions} % \label{tab:tech}
\begin{tabular}{|l|l|l|}
\hline
\multicolumn {1}{|l|}{Role Name}&
\multicolumn {1}{|l|}{Role Description} \\ \hline
gitea & This roles performs installation and configuration of Gitea server \\ \hline
nginx & This roles performs installation and configuration of Nginx server \\ \hline
\end{tabular}
\end{table}
\texttt{Role parameters}
\qquad \\
\texttt{\qquad Gitea role parameters}
\begin{minted}{sh}
# Application name
gitea_app_name: "Gitea"
# Application gitea_user_repo_limit
gitea_user: "gitea"
# Application home
gitea_home: "/var/lib/gitea"
# Repo Limit
gitea_user_repo_limit: -1
# Domain Name (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_http_domain: localhost
# Gitea url (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_root_url: http://localhost:3000
# Protocol (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_protocol: http
# listen IP (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_http_listen: 127.0.0.1
# Listen port (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_http_port: 3000
# HTTP git Options
gitea_disable_http_git: false
# Offline mode options
gitea_offline_mode: true
\end{minted}
\qquad \qquad DB details
\begin{minted}{sh}
# DB Type 'mysql', 'postgres' or 'sqlite3'
gitea_db_type: sqlite3
# DB host
gitea_db_host: 127.0.0.0:3306
# DB name
gitea_db_name: root
# DB username
gitea_db_user: gitea
# DB password
gitea_db_passord: lel
# DB ssl options
gitea_db_ssl: disable
# DB path (Not needed for postgres and mysql hash it in template file )
gitea_db_path: "{{ gitea_home }}/data/gitea.db"
\end{minted}
\qquad \qquad SSH Details
\begin{minted}{sh}
# SSH Listen IP
gitea_ssh_listen: 0.0.0.0
# SSH domain
gitea_ssh_domain: localhost
# SSH options
gitea_start_ssh: true
# SSH post
gitea_ssh_port: 2222
\qquad \qquad Gitea secret key
\begin{minted}{sh}
# gitea key (GENERATE A NEW KEY)
gitea_secret_key: T0pS3cr31
\end{minted}
\qquad \qquad General Settings
\begin{minted}{sh}
# User email settings
gitea_show_user_email: false
# User avatar settings
gitea_disable_gravatar: true
# User register options
gitea_disable_registration: false
# User signup options
gitea_require_signin: true
# User captcha options
gitea_enable_captcha: true
\end{minted}
\qquad \\
\texttt{\qquad Nginx roles parameters}
\begin{minted}{sh}
# Domain name for the server
nginx_domain_name: "test.hostnats.com"
# Gitea listening port
gitea_http_port: 3000
# letsencrypt email address
letsencrypt_email: "test@example.com"
\end{minted}
\subsection{Ansible Logging}
Execution processes described in this section are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path.
\subsection{Troubleshooting}
Ansible has a built in debug output. Simply run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it.
\begin{minted}{sh}
Level 1: `-v`
Level 2: `-vv`
Level 3: `-vvv`
Level 4: `-vvvv`
Level 5: `-vvvvv`
\end{minted}
Example execution with level 3 debug output:
\begin{minted}{sh}
ansible-playbook -i inventory.yml site.yml -vvv
\end{minted}

+ 0
- 51
source/ClusterHardware.tex View File

@ -1,51 +0,0 @@
%
% ClusterHardware.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Cluster Hardware Overview}
The cluster will require rackmountable equipment:
\begin{itemize}
\item GNU/Linux Servers
\end{itemize}
\section{GNU/Linux Servers}
The servers will all run Debian GNU/Linux
\subsection{Denver Server List}
\begin{itemize}
\item \texttt{oc1.forksand.com} --- KVM host.
\item \texttt{rd1.forksand.com} --- Misc.
\end{itemize}
\section{Network Hardware}
The network switches do not run free software.
\section{Disk Drives}
The disk drives do not run free software.
\begin{itemize}
\item Hard drive platters, 7200 RPM, 2.5" and 3.5"
\item SSD
\item NVMe
\end{itemize}
\section{Suppliers}
Who we'll get hardware from.
\begin{itemize}
\item Pogo Linux --- Debian GNU/Linux Servers, USA.
\item Viking.net --- Coreboot Opteron servers in Germany.
\item raptorcs.com --- POWER9, custom Coreboot systems (?), USA.
\end{itemize}

+ 49
- 4
source/Firewalls.tex View File

@ -24,7 +24,7 @@ What is the network doing?
%
% Authentication
\section{Overview}
\section{Authentication}
Two-factor authentication using TOTP.
%
@ -48,7 +48,7 @@ Some resellers:
Various LAN
\item (Hot swap?) Dual Power Supplies
\item (How swap?) RAID (Linux md), with SSD storage.
\item 2.5" drive bays
\item 2.5'' drive bays
\item Total ~8GHz CPU
\item ~8-16 gigs RAM ? Depends on OS.
\item Two servers total, for standby/failover
@ -108,7 +108,8 @@ Notes on some requirements in a firewall.
\section{Firewall Operating Systems in Use}
\subsection{Debian}
\href{https://www.debian.org/}{Debian}
\href{https://www.debian.org/}{Debian}
Debian is used for nearly everything. It could easily be used as a
router/firewall. There are better, more tuned options.
@ -118,6 +119,50 @@ Linux's iptables is used on servers.
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png}
\caption{Debian Website}
\label{fig:www-debian}
\label{fig:www-debian-in-firewalls-chapter}
\end{figure}
\subsection{Proxmox setups iptables-firewall}
During Proxmox installation on the nodes, firewall is being confugured.
Some of nodes configurations can be found in chapter Free software under
path apps/forksand-nodes-bootstrap/...
especially in two of files is mentioned:
\begin{minted}{sh}
# Firewalling is done through Proxmox.
cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
\end{minted}
\begin{minted}{sh}
# Enable firewall.
# Datacenter --> shark4 (host) --> Firewall --> Add.
# Enable firewall for datacenter:
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Enable firewall for shark4:
# Datacenter --> Firewall --> Add.
\end{minted}
\textcolor[rgb]{0.80,0.00,0.00}{
Todo check other nodes, add other shark nodes if similar iptables-firewall related configs. \\
Find out why mention of firewall in hk1 node is discarded.
}
\begin{minted}{sh}
# Enable firewall.
# Datacenter --> truck (host) --> Firewall --> Add.
# Enable firewall for datacenter:
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Enable firewall for truck:
# Datacenter --> Firewall --> Add.
\end{minted}
Also Nextcloud chapter mentiones configs of iptables firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}.
Also certain Ansible including virtual machines enable iptables configuratiion.
For example ansible-debian-male contains mikegleasonjr.firewall.
\href{https://github.com/mikegleasonjr/ansible-role-firewall}{
ansible firewall\char`_v4\char`_configure example on github
}
May be browsed in Free software chapter under path apps/ansible-debian-mail/roles/

+ 496
- 0
source/Hardware.tex View File

@ -0,0 +1,496 @@
%
% Source.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Hardware}
\subsection{Cluster Evolution}
Forksand started deployment on dedicated servers.
\vspace{0.6cm}
First stage. Exclusively dedicated servers (deprecated)
\vspace{0.4cm}
\centering
\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
{sharkfork-cabling-1-dedicated-vlan.pdf} \\ %
%
\vspace{0.2cm}
\raggedright
Second stage. Dedicated servers along with a colocation
cabinet. Flat hierarchy. (deprecated)
\vspace{0.1cm}
In progress, services were being migrated one after another to
a colocation instance. On the next stage hierarchy becomes vertical. \\
\vspace{0.1cm}
\centering
\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
{sharkfork-cabling-2-mixed-vlan.pdf} \\ %
%
\raggedright
Third stage. Dedicated servers buffered by
a colocation cabinet. Vertical hierarchy. (deprecated)
\vspace{0.4cm}
\centering
\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
{sharkfork-cabling-3-colo-dedicated.pdf} \\ %
%
\vspace{0.2cm}
\raggedright
Fourth stage. Dedicated servers discarded.
Colocation cabinet buffered only with a firewall. (current)
\vspace{0.4cm}
\centering
\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
{sharkfork-cabling-4-final-colocation.pdf} \\ %
%
\vspace{0.2cm}
\raggedright
Final stage. Firewall discarded. Single colocation cabinet. (in process)
\vspace{0.4cm}
\centering
%\includegraphics[width=115mm,trim=10mm 10mm 10mm 10mm]
%{sharkfork-cabling-4-single-colocation.pdf} \\ %
%
\raggedright
\newpage
\section{Cluster Hardware Overview}
The cluster will require rackmountable equipment:
\begin{itemize}
\item GNU/Linux Servers
\end{itemize}
\begin{minipage}{0.9\textwidth}
\subsection{Sharkfork 21U hardware instance} \label{sec:hardware-sharkfork-21U}
%\includepdf[width=150mm,offset=0 15,clip]
%{sharkfork-21U.pdf}
\includegraphics[keepaspectratio=true,height=0.80\textheight,width=150mm,angle=0]
{sharkfork-21U.png}
% \vspace{150mm}
\label{fig:sharkfork-21U}
%\vspace{60mm}
\end{minipage}
\newpage
%\subsubsection{Sharkfork 21U detail hardware description} \label{sec:hardware-description-sharkfork-21U}
\definecolor{secondary-brown}{HTML}{F3E2C3} % HEX # F3E2C3 R:243 G:226 B:195 C:0 M:7 Y:20 K:5
\definecolor{primary-blue}{HTML}{A1F4FF} % HEX # A1F4FF R:161 G:244 B:255 C:37 M:4 Y:0 K:0
\definecolor{primary-brown}{HTML}{B07E3B} % HEX # B07E3B R:176 G:126 B:56 C:0 M:28 Y:68 K:31
\definecolor{nonbrand-dark-blue}{HTML}{184B6D} % HEX # 184B6D R:19 G:70 B:109 C:0 M:28 Y:68 K:31
\newcommand{\nodeUnitName}[4]{
\rowcolor{#3}\vspace{-1pt}
{{\grenewcommand{\currentColor}{#3}}}
{{\grenewcommand{\currentTextColor}{#4}}}
\Large{\textcolor{#4}{#1}} & \rule[-0.5em]{0pt}{1.8em} \Large{\textcolor{#4}{#2}} \\
\rowcolor{#3}\vspace{-1pt}
}
\newcommand{\nodeUnitParameter}[1]{
\rule[1.0em]{0pt}{-1em} & \small{\textcolor{\currentTextColor}{ - #1}} \\
\rowcolor{\currentColor}\vspace{-1pt}
}
\newcommand{\nodeUnitLastParameter}[1]{
\rule[-0.5em]{0pt}{0em} & \small{\textcolor{\currentTextColor}{ - #1}} \\
\tabucline[0.2pt]{1-2}
}
\newcommand{\nodeUnitSetItem}[2]{
\rowcolor{\currentColor}\vspace{-1pt}
\rule[-0.3em]{0pt}{0em}\small{\textcolor{\currentTextColor}{ ~#1}} & \small{\textcolor{\currentTextColor}{#2}} \\
\tabucline[0.2pt]{1-2}
}
\newcommand{\nodeUnitSetLastItem}[2]{
\rowcolor{\currentColor}\vspace{-1pt}
\rule[-0.3em]{0pt}{0em}\small{\textcolor{\currentTextColor}{ ~#1}} & \small{\textcolor{\currentTextColor}{#2}} \\
\tabucline[2pt]{1-2}
}
%\newcommand{\nodeUnitSetNotes}[2]{
% \pickColor{#2}
% \rule[-0.3em]{0pt}{0em}\small{Notes:} & \small{#1} \\ \tabucline[2pt]{1-2}
%}
\newcommand{\currentColor}{secondary-brown}
\newcommand{\currentTextColor}{secondary-brown}
\begin{table}[!htb]
%\caption{IP configs of nodes} \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]l|[2pt]p{14.5cm}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} Qty}&
\multicolumn {1}{p{13cm}|[2pt]}{ Description} \\ \tabucline[2pt]{1-2}
%%% UNIT %%%
% Unit name
\nodeUnitName{2}{Iris FW1100 - Firewall System}{secondary-brown}{ao-black}
% Unit configuration parameters
\nodeUnitParameter{ 1U Form Factor ~~- Single Intel Xeon D-1587 CPU }
\nodeUnitParameter{ Up to 128GB DDR4 ECC Reg Memory }
\nodeUnitParameter{ Dual 10G SFP+ and Six Gigabit Ethernet }
\nodeUnitLastParameter{ 400W Platinum Level Redundant Power Supply }
% Unit has a set of components parameters
\nodeUnitSetItem {2}{ 8GB DDR4 2666MHz ECC Registered DIMM }
%\nodeUnitSetItem {1}{ No Operating System. Include testing%
% and customer OS preference in notes. }
%\nodeUnitSetItem {1}{ Return to Depot Warranty (3 Year Hardware%
% Warranty with Standard Advance Parts Replacement) }
\nodeUnitSetItem {1}{ 128GB SATA DOM }
\nodeUnitSetLastItem {1}{ Intel 10G Dual Port RJ45 Ethernet Adapter }
% Unit ends with notes, pass "none" parameter if no notes
%\nodeUnitSetNotes { none }
%%% END UNIT %%%
%%% UNIT %%%
% Unit name
\nodeUnitName{1}{Iris NV2225}{primary-blue}{ao-black}
% Unit configuration parameters
\nodeUnitParameter{ 2U Form Factor ~~- Dual Intel Xeon SP Processor }
\nodeUnitParameter{ Up to 768GB DDR4 2133MHz ECC Registered Memory }
\nodeUnitParameter{ Integrated IPMI 2.0 + KVM with dedicated LAN }
\nodeUnitParameter{ Intel x550 Quad port 10G Ethernet }
\nodeUnitLastParameter{ 1600W Redundant High-efficiency Power Supply }
% Unit has a set of components parameters
\nodeUnitSetItem{2}{ Intel Xeon Gold 5115 10C 2.4GHz 13.75MB Cache }
\nodeUnitSetItem{1}{ 128GB DDR4 2666MHz ECC Reg (4 x 32GB) }
\nodeUnitSetItem{1}{ Samsung 960 EVO M.2 NVME SSD 500GB }
\nodeUnitSetItem{4}{ Ultrastar SN200 800GB NVMe SSD }
%\nodeUnitSetItem{1}{ No Operating System. Include testing and customer%
% OS preference in notes. }
%\nodeUnitSetItem{1}{ Return to Depot Warranty (3 Year Hardware Warranty%
% with Standard Advance Parts Replacement) }
\nodeUnitSetLastItem{1}{ Intel 10G Dual Port RJ45 Ethernet Adapter }
% Unit ends with notes, pass "none" parameter if no notes
%\nodeUnitSetNotes { none }
%%% END UNIT %%%
%%% UNIT %%%
% Unit name
\nodeUnitName{2}{Iris 1292-R4T}{primary-brown}{ao-black}
% Unit configuration parameters
\nodeUnitParameter{ 1U Form Factor ~~- Dual Intel Xeon SP Processors }
\nodeUnitParameter{ Intel C620 Chipset with QPI up to 9.6GT/sec }
\nodeUnitParameter{ Up to 768GB DDR4 2666MHz ECC Registered Memory }
\nodeUnitParameter{ Integrated IPMI 2.0 + KVM with dedicated LAN }
\nodeUnitParameter{ Intel Quad-port 10GBaseT Ethernet Controller }
\nodeUnitParameter{ 4 x 3.5'' Hot-swap Drive Bays For customizable Storage }
\nodeUnitLastParameter{ 750W Redundant Power Supply }
% Unit has a set of components parameters
\nodeUnitSetItem{2}{ Intel Xeon Silver 4110 8C 2.1GHz 11MB Cache }
\nodeUnitSetItem{1}{ 128GB DDR4 2666MHz ECC Reg (8 x 16GB) }
\nodeUnitSetItem{4}{ HGST Ultrastar 6TB 7200RPM SATA 6Gb/s }
%\nodeUnitSetItem{1}{ No Operating System. Include testing and customer%
% OS preference in notes. }
%\nodeUnitSetItem{1}{ Return to Depot Warranty (3 Year Hardware Warranty%
% with Standard Advance Parts Replacement) }
\nodeUnitSetLastItem{1}{ Intel 10G Dual Port RJ45 Ethernet Adapter }
% Unit ends with notes, pass "none" parameter if no notes
%\nodeUnitSetNotes { none }
%%% END UNIT %%%
%%% UNIT %%%
% Unit name
\nodeUnitName{2}{Iris NV1211}{nonbrand-dark-blue}{ao-white}
% Unit configuration parameters
\nodeUnitParameter{ 1U Form Factor ~~- Dual Intel Xeon SP Processor }
\nodeUnitParameter{ Up to 1534GB DDR4 2400MHz ECC Registered Memory }
\nodeUnitParameter{ Integrated IPMI 2.0 + KVM with dedicated LAN }
\nodeUnitParameter{ Intel x540 Dual-port 10Gigabit Ethernet }
\nodeUnitParameter{ 10 x 2.5'' Solid State NVMe Disks }
\nodeUnitLastParameter{ 1000W Redundant High-efficiency Power Supply }
% Unit has a set of components parameters
\nodeUnitSetItem{2}{ Intel Xeon Silver 4114 10C 2.2GHz 13.75MB Cache }
\nodeUnitSetItem{1}{ 64GB DDR4 2666MHz ECC Reg (4 x 16GB) }
\nodeUnitSetItem{1}{ Samsung 960 EVO M.2 NVME SSD 500GB }
\nodeUnitSetItem{6}{ Ultrastar SN200 800GB NVMe SSD }
% \nodeUnitSetItem{1}{ No Operating System. Include testing and customer%
% OS preference in notes. }
% \nodeUnitSetItem{1}{ Return to Depot Warranty (3 Year Hardware Warranty%
% with Standard Advance Parts Replacement) }
\nodeUnitSetLastItem{1}{ Intel X710 Converged Network Adapter Quad-port 10GBaseT }
% Unit ends with notes, pass "none" parameter if no notes
%\nodeUnitSetNotes { none }
%%% END UNIT %%%
\end{tabu}
\end{table}
Notes applicable to all units:
{ 1. No Operating System. Include testing and customer OS preference in notes. }
{ 2. Return to Depot Warranty (3 Year Hardware Warranty with Standard Advance Parts Replacement) }
\newpage
\section{GNU/Linux Servers}
The servers will all run Debian GNU/Linux
\subsection{Denver Server List}
\begin{itemize}
\item \texttt{oc1.forksand.com} --- KVM host.
\item \texttt{rd1.forksand.com} --- Misc.
\end{itemize}
\vspace{10mm}
\texttt{\qquad oc1.forksand.com parameters}
\begin{minted}{sh}
Full Network:
70.39.125.64/27 Network
70.39.125.65 Gateway
70.39.125.66 AVAILABLE
70.39.125.94 AVAILABLE
70.39.125.95 Broadcast
255.255.255.224 Netmask
Break the main IP into a /30
# Main network interface
# 2 IPs
70.39.125.64/30 Network
70.39.125.65 Gateway
70.39.125.66 oc1
70.39.125.67 Broadcast
255.255.255.252 Netmask
# vmbr0 Bridge 0 with 2 IPs
70.39.125.68/30 Network
70.39.125.69 vmbr0 gateway
70.39.125.70 AVAILABLE
70.39.125.71 Broadcast
255.255.255.252 Netmask
# vmbr1 Bridge 1 with 6 IPs
70.39.125.72/29 Network
70.39.125.73 vmbr1 gateway
70.39.125.74 AVAILABLE
70.39.125.76 test99
70.39.125.78 AVAILABLE
70.39.125.79 Broadcast
255.255.255.248 Netmask
# vmbr2 Bridge 2 with 14 IPs
70.39.125.80/28 Network
70.39.125.81 vmbr2 gateway
70.39.125.92 AVAILABLE
70.39.125.94 AVAILABLE
70.39.125.95 Broadcast
255.255.255.240 Netmask
\end{minted}
\newpage
\texttt{\qquad rd1.forksand.com parameters}
\begin{minted}{sh}
Full Network:
174.128.229.128/27 Network
174.128.229.129 Gateway
174.128.229.130 Main rd1 IP
174.128.229.131 AVAILABLE
174.128.229.158 AVAILABLE
174.128.229.159 Broadcast
255.255.255.224 Netmask
Break the main network into a /30
# Main network interface
# 2 IPs
174.128.229.128/30 Network
174.128.229.129 Gateway
174.128.229.130 oc1
174.128.229.131 Broadcast
255.255.255.252 Netmask
# vmbr0 Bridge 0 with 2 IPs
174.128.229.132/30 Network
174.128.229.133 vmbr0 gateway
174.128.229.134 AVAILABLE
174.128.229.135 Broadcast
255.255.255.252 Netmask
# vmbr1 Bridge 1 with 6 IPs
174.128.229.136/29 Network
174.128.229.137 vmbr1 gateway
174.128.229.138 AVAILABLE
174.128.229.140 test99
174.128.229.142 AVAILABLE
174.128.229.143 Broadcast
255.255.255.248 Netmask
# vmbr2 Bridge 2 with 14 IPs
174.128.229.144/28 Network
174.128.229.145 vmbr2 gateway
174.128.229.156 AVAILABLE
174.128.229.158 AVAILABLE
174.128.229.159 Broadcast
255.255.255.240 Netmask
\end{minted}
\section{Network Hardware}
The network switches do not run free software.
\section{Disk Drives}
The disk drives do not run free software.
\begin{itemize}
\item Hard drive platters, 7200 RPM, 2.5'' and 3.5''
\item SSD
\item NVMe
\end{itemize}
\section{Suppliers}
Who we'll get hardware from.
\begin{itemize}
\item Pogo Linux --- Debian GNU/Linux Servers, USA.
\item Viking.net --- Coreboot Opteron servers in Germany.
\item raptorcs.com --- POWER9, custom Coreboot systems (?), USA.
\end{itemize}
\newcommand{\includescreen}[3]{
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{#1}
\caption{#2}
#3
\end{figure}
}
\section{Shark nodes configuration. Using an example Shark2}
%\includescreen{shark2/01.png}{Log in to admin-webview}{}
\includescreen{shark2/02.png}{Log in to admin-webview}{\label{fig:shark2login}}
%\includescreen{shark2/03.png}{Logged in to admin-webview. Notification of no valid subscription}{}
%\includescreen{shark2/04.png}{Browse Datacenter, log hidden}{\label{fig:shark2browsedatacenter}}
%\includescreen{shark2/05.png}{Browse shark2 Node}{\label{fig:shark2browsenode}}
\includescreen{shark2/06.png}{Browse shark2 Network}{\label{fig:shark2network}}
%\includescreen{shark2/07.png}{Select first shark2 Network device}{}
\includescreen{shark2/08.png}{Edit first shark2 Network device}{}
\includescreen{shark2/09.png}{Cleanup first shark2 Network device}{\label{fig:shark2cleanupnetdevice1}}
\includescreen{shark2/10.png}{Browse shark2 Network}{}
\includescreen{shark2/11.png}{Create shark2 Linux Bridge}{\label{fig:shark2linuxbridge}}
%\includescreen{shark2/12.png}{Create shark2 Linux Bridge}{}
\includescreen{shark2/13.png}{Create shark2 Linux Bridge}{}
\begin{table}[!htb]
\caption{IP configs of nodes} \label{tab:sharkNodeIPConfig}
\begin{tabular}{|l|l|l|l|}
\hline
\multicolumn {1}{|l|}{ Parameter}&
\multicolumn {1}{l|}{ Shark2}&
\multicolumn {1}{l|}{ Shark3}&
\multicolumn {1}{l|}{ Shark4} \\ \hline
Linux bridge & & & \\ %\hline
Name & vmbr0 & vmbr0 & vmbr0 \\ %\hline
IP address & 174.128.229.130 & 70.39.103.218 & 70.39.103.210 \\ %\hline
Subnet mask & 255.255.255.224 & 255.255.255.248 & 255.255.255.248 \\ %\hline
Gateway & 174.128.229.129 & 70.39.103.217 & 70.39.103.209 \\ %\hline
Bridge ports & enp2s0 & enp3s0 & enp3s0 \\ \hline
Network Device & & & \\ %\hline
Name & enp3s0 & enp4s0 & enp4s0 \\ %\hline
IP address & 10.2.2.2 & 10.2.2.3 & 10.2.2.4 \\ %\hline
Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline
Network Device & & & \\ %\hline
Name & enp4s0 & enp5s0 & enp5s0 \\ %\hline
IP address & 10.99.99.2 & 10.99.99.3 & 10.99.99.4 \\ %\hline
Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline
\end{tabular}
\end{table}
\includescreen{shark2/14.png}{Browse shark2 Network}{}
%\includescreen{shark2/15.png}{Select second shark2 Network device}{}
%\includescreen{shark2/16.png}{Edit second shark2 Network device}{}
\includescreen{shark2/17.png}{Edit second on the list shark2 Network device}{}
%\includescreen{shark2/18.png}{Browse shark2 Network}{}
%\includescreen{shark2/19.png}{Select third shark2 Network device}{}
%\includescreen{shark2/20.png}{Edit third shark2 Network device}{}
\includescreen{shark2/21.png}{Edit third on the list shark2 Network device}{}
\begin{table}[!htb]
\caption{IP configs of nodes, duplicate of table \ref{tab:sharkNodeIPConfig}} % \label{tab:sharkLinuxBridge}
\begin{tabular}{|l|l|l|l|}
\hline
\multicolumn {1}{|l|}{ Parameter}&
\multicolumn {1}{l|}{ Shark2}&
\multicolumn {1}{l|}{ Shark3}&
\multicolumn {1}{l|}{ Shark4} \\ \hline
Linux bridge & & & \\ %\hline
Name & vmbr0 & vmbr0 & vmbr0 \\ %\hline
IP address & 174.128.229.130 & 70.39.103.218 & 70.39.103.210 \\ %\hline
Subnet mask & 255.255.255.224 & 255.255.255.248 & 255.255.255.248 \\ %\hline
Gateway & 174.128.229.129 & 70.39.103.217 & 70.39.103.209 \\ %\hline
Bridge ports & enp2s0 & enp3s0 & enp3s0 \\ \hline
Network Device & & & \\ %\hline
Name & enp3s0 & enp4s0 & enp4s0 \\ %\hline
IP address & 10.2.2.2 & 10.2.2.3 & 10.2.2.4 \\ %\hline
Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline
Network Device & & & \\ %\hline
Name & enp4s0 & enp5s0 & enp5s0 \\ %\hline
IP address & 10.99.99.2 & 10.99.99.3 & 10.99.99.4 \\ %\hline
Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline
\end{tabular}
\end{table}
\includescreen{shark2/22.png}{Browse shark2 Network}{}
%\includescreen{shark2/23.png}{Browse shark2 node}{}
\includescreen{shark2/24.png}{Restart shark2 node}{}
%\clearpage % avoid LaTeX Error: Too many unprocessed floats.
%\section{Shark3 configuration}
%
%\includescreen{shark3/01.png}{Log in to admin-webview}{\label{fig:shark3login}}
%\includescreen{shark3/02.png}{Logged in to admin-webview. Notification of no valid subscription}{}
%\includescreen{shark3/03.png}{Browse Datacenter, log hidden}{\label{fig:shark3browsedatacenter}}
%\includescreen{shark3/04.png}{Browse Shark3 Node}{\label{fig:shark3browsenode}}
%\includescreen{shark3/05.png}{Shark3 Network}{\label{fig:shark3network}}
%\includescreen{shark3/06.png}{Browse Shark3 Network}{}
%\includescreen{shark3/07.png}{Select first Shark3 Network device}{}
%\includescreen{shark3/08.png}{Edit first Shark3 Network device}{}
%\includescreen{shark3/09.png}{Cleanup first Shark3 Network device}{\label{fig:shark3cleanupnetdevice1}}
%\includescreen{shark3/10.png}{Create Shark3 Linux Bridge}{\label{fig:shark3linuxbridge}}
%\includescreen{shark3/11.png}{Create Shark3 Linux Bridge}{}
%\includescreen{shark3/12.png}{Create Shark3 Linux Bridge}{}
%\includescreen{shark3/13.png}{Create Shark3 Linux Bridge}{}
%\includescreen{shark3/14.png}{Select second Shark3 Network device}{}
%\includescreen{shark3/15.png}{Edit second Shark3 Network device}{}
%\includescreen{shark3/16.png}{Edit second Shark3 Network device}{}
%\includescreen{shark3/17.png}{Select third Shark3 Network device}{}
%\includescreen{shark3/18.png}{Edit third Shark3 Network device}{}
%\includescreen{shark3/19.png}{Edit third Shark3 Network device}{}
%\includescreen{shark3/20.png}{Edit third Shark3 Network device}{}
%\includescreen{shark3/21.png}{Browse Shark3 node}{}
%\includescreen{shark3/22.png}{Restart Shark3 node}{}
%
%\clearpage % avoid LaTeX Error: Too many unprocessed floats.
%\section{Shark4 configuration}
%
%
%\includescreen{shark4/01.png}{Log in to admin-webview}{}
%\includescreen{shark4/02.png}{Log in to admin-webview}{\label{fig:shark4login}}
%\includescreen{shark4/03.png}{Browse Datacenter}{\label{fig:shark4browsedatacenter}}
%\includescreen{shark4/04.png}{Browse Datacenter, log hidden}{}
%\includescreen{shark4/05.png}{Browse Shark4 Node}{\label{fig:shark4browsenode}}
%\includescreen{shark4/06.png}{Shark4 Network}{\label{fig:shark4network}}
%\includescreen{shark4/07.png}{Select first Shark4 Network device}{}
%\includescreen{shark4/08.png}{Edit first Shark4 Network device}{}
%\includescreen{shark4/09.png}{Cleanup first Shark4 Network device}{\label{fig:shark4cleanupnetdevice1}}
%\includescreen{shark4/10.png}{Create Shark4 Linux Bridge}{\label{fig:shark4linuxbridge}}
%\includescreen{shark4/11.png}{Create Shark4 Linux Bridge}{}
%\includescreen{shark4/12.png}{Select second Shark4 Network device}{}
%\includescreen{shark4/13.png}{Select second Shark4 Network device}{}
%\includescreen{shark4/14.png}{Edit second Shark4 Network device}{}
%\includescreen{shark4/15.png}{Edit second Shark4 Network device}{}
%\includescreen{shark4/16.png}{Select second Shark4 Network device}{}
%\includescreen{shark4/17.png}{Edit second Shark4 Network device}{}
%\includescreen{shark4/18.png}{Edit second Shark4 Network device}{}
%\includescreen{shark4/19.png}{Restart Shark4 node}{}

+ 0
- 197
source/OpenNebula.tex View File

@ -1,197 +0,0 @@
%
% OpenNebula.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
% XXX TODO: opennebula-sunstone-login.png
\section{Overview}
OpenNebula is a virtual machine manager.
The private cloud deployment will be based on OpenNebula version 5.4, which
is currently in beta. There are only Debian 8 (Jessie, oldstable) releases.
Debian hasn't packaged OpenNebula since wheezy. It has it in sid, but even
that is an old version. The only packages available for Debian are the
upstream ones for Jessie made by OpenNebula. UPDATE: although it isn't listed
on their website, it does appear their are Debian 9 (Stretch) builds of
OpenNebula for the betas of the forthcoming 5.4 version, which is great.
Documentation:
\url{https://docs.opennebula.org/5.4/}
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-opennebula.png}
\caption{OpenNebula Website}
\label{fig:www-opennebula}
\end{figure}
\begin{itemize}
\item Website: \\ \url{https://opennebula.org/}
\item Debian Stretch Repo: \\
\url{http://downloads.opennebula.org/repo/5.4/Debian/9/pool/opennebula/}
\end{itemize}
The following servers will be deployed to host OpenNebula and the KVMs:
\begin{itemize}
\item \texttt{waz-kvm-001.forksand.com} --- Virtual Machine Server 1
\item \texttt{waz-kvm-002.forksand.com} --- Virtual Machine Server 2
\item \texttt{waz-kvm-003.forksand.com} --- Virtual Machine Server 3
\item \texttt{waz-kvm-004.forksand.com} --- Virtual Machine Server 4
\item \texttt{waz-kvm-005.forksand.com} --- Virtual Machine Server 5
\item \texttt{waz-sun-001.forksand.com} --- OpenNebula Sunstone Web GUI 1
\item \texttt{waz-sun-002.forksand.com} --- OpenNebula Sunstone Web GUI 2
\end{itemize}
\subsection{Virtual Machine Servers}
KVM virtual machine servers. Fast CPU, with lots of RAM. Uses Ceph to store
virtual images.
\subsection{Sunstone Web GUI Servers}
Sunstone is OpenNebula's Web GUI for administration of the cluster.
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{opennebula-sunstone.png}
\caption{OpenNebula Sunstone Web Admin GUI}
\label{fig:opennebula-sunstone}
\end{figure}
\begin{minted}{sh}
wget -q -O- https://downloads.opennebula.org/repo/repo.key | apt-key add -
echo "deb http://downloads.opennebula.org/repo/5.4/Debian/9 stable opennebula" > /etc/apt/sources.list.d/opennebula.list
apt update
apt -y install opennebula-node
service libvirtd restart
\end{minted}
\section{Bugs}
Things that are bugs or at least aren't configured correctly.
\section{Sunstone Configuration}
At this point, you should have the OpenNebula Sunstone server up and running.
See scripts in \texttt{source/resources/ns24} for automation.
\begin{enumerate}
\item Set up ssh tunnel (use Sunstone server name for ns24):
Code: \\ \texttt{ssh -N -C -L 9869:localhost:9869 ns24}
\item In workstation, open browser to url:
URL: \\ \url{http://localhost:9869/}
Info: \\ This goes through the encrypted SSH tunnel, but doesn't use https.
\item Click \texttt{OpenNebula} in the upper right to get the full web console.
\item Click \texttt{Infrastructure}.
\item Click \texttt{Hosts}.
\item Click The \texttt{+} plus icon.
\item Enter the hostname of the KVM server you want to use, such as the Sunstone server itself.
\texttt{Type: KVM}
\texttt{Hostname: ns24}
\item Click \texttt{Create}.
\item Repeatedly hit the reload button that's the two arrows in a circle, as it goes thru
stages of setup, starting at \texttt{INIT}.
\item Confirm status is \texttt{ON}.
\end{enumerate}
\section{Sunstone Deploy Image}
This is a quick and dirty way to deploy a first test image.
NOTE: It is note privacy aware, as it pulls the image from the
OpenNebula ``store''.
How to deploy an image from the OpenNebula App store:
\begin{enumerate}
\item Click \texttt{Storage}.
\item Click \texttt{Apps}
\item Click \texttt{Debian 9 - KVM}.
\item Click on the icon that is a cloud with an arrow in it. This downloads it to OpenNebula.
\item Select a datastore by clicking the \texttt{default} line.
\item Leave name and all that the same, and click \texttt{Download}.
\item Click \texttt{Images} under \texttt{Storage} in the left column.
\item Hit the refresh icon repeatedly.
\item When \texttt{Status} is \texttt{READY}, it is good to go.
\item Click \texttt{Templates} in the left column.
\item Click \texttt{VMs}.
\item Click \texttt{Debian 9 - KVM}.
\item Click \texttt{Instantiate}.
\item \texttt{VM Name} enter \texttt{deb9}.
\item \texttt{Number of instances} enter \texttt{1}.
\item \texttt{Memory} enter \texttt{768}.
\item \texttt{CPU} enter \texttt{1}.
\item Click the slider to \texttt{Instantiate as persistent}.
\item Click \texttt{Instantiate}.
\item Click \texttt{Instances} in the left column.
\item Click \texttt{VMs}.
\item Click the reload icon, repeat.
\item It is good when \texttt{Status} is \texttt{RUNNING}.
\item Set up an \texttt{ssh} tunnel so VNC can be used:
\texttt{ssh -N -C -L 29876:localhost:29876 ns24}
\item Click on the little monitor icon to launch VNC.
\item Look at booted up screen at \texttt{login:} prompt.
\item This means a Debian KVM booted up and the VNC is working.
There is no password for the \texttt{root} account, only \texttt{ssh} is available.
So without network setup, you can't really do anything with this image.
Booted, it just shows it works.
\end{enumerate}
I think delete this section, it would go before the \texttt{Templates} above.:
\begin{enumerate}
\item Click \texttt{Debian 9 - KVM}.
\item PROBABLY NO: Click \texttt{Clone} to make a local copy.
\item PROBABLY NO: It will say \texttt{Copy of Debian 9 - KVM}, leave as-is, click \texttt{Clone}.
\item Click on the icon with three dots.
\item Click \texttt{Make Persistent}.
\item Click on the icon with three dots.
\item Click \texttt{Enable}.
\end{enumerate}
\section{OpenNebula Networking}
XXX Yes, this part needs set up...
\begin{minted}{sh}
# /etc/network/interfaces bridge section, add this:
auto br0
iface br0 inet static
bridge_ports eth0
bridge_fd 0
address 192.168.100.1
netmask 255.255.255.0
network 192.168.100.0
broadcast 192.168.100.255
gateway 192.168.100.1
dns-nameservers 37.235.1.174
dns-search forksand.com
\end{minted}
As user \texttt{jebba}, on the server, run this to generate a key.
Then paste that key into Sunstone under "SSH Public Key".
\begin{minted}{sh}
ssh-keygen -t ed25519
\end{minted}
\begin{minted}{sh}
# XXX test. Use this IP and interface, so no 192.168.0.0 but real IPs.
# Comment this out:
auto eth0:27
iface eth0:27 inet static
address 174.128.229.158
netmask 255.255.255.224
gateway 174.128.229.129
\end{minted}
XXX Check if IP forwarding is needed in \texttt{/etc/sysctl.conf}.
If things are set up to use a bridge and 192.168.100.100,
\texttt{iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE}
Will bring things up to NAT.
XXX The port forwarding is forwarding all port 53 to guest at the moment.

+ 230
- 0
source/Proxmox.tex View File

@ -0,0 +1,230 @@
%
% Proxmox.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
% XXX TODO: Proxmox-GUI-login.png
\section{Overview}
Proxmox is a virtual machine manager.
The private cloud deployment will be based on Proxmox version 5.x.
%There are only Debian 8 (Jessie, oldstable) releases.
%Debian hasn't packaged Proxmox since wheezy. It has it in sid, but even
%that is an old version. The only packages available for Debian are the
%upstream ones for Jessie made by Proxmox.
UPDATE: although Proxmox isn't listed on Debian 9 (Stretch) packages,
there is an installation manual for 5.x version, which is great.
Documentation:
\url{https://pve.proxmox.com/wiki/Documentation}
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-proxmox.png}
\caption{Proxmox Website}
\label{fig:www-proxmox}
\end{figure}
\begin{itemize}
\item Website: \\ \url{https://proxmox.com/}
\item Debian Stretch Repo: \\
\url{http://downloads.Proxmox.com/repo/5.4/Debian/9/pool/Proxmox/}
\end{itemize}
The following servers will be deployed to host Proxmox and the KVMs:
\begin{itemize}
%\item \texttt{waz-kvm-001.forksand.com}
%\item \texttt{waz-kvm-002.forksand.com} --- Virtual Machine Server 2
%\item \texttt{waz-kvm-003.forksand.com} --- Virtual Machine Server 3
%\item \texttt{waz-kvm-004.forksand.com} --- Virtual Machine Server 4
%\item \texttt{waz-kvm-005.forksand.com} --- Virtual Machine Server 5
%\item \texttt{waz-sun-001.forksand.com} --- Proxmox Web GUI 1
%\item \texttt{waz-sun-002.forksand.com} --- Proxmox Web GUI 2
\item \texttt{forksand-hk1} --- Virtual Machine Node 1
\item \texttt{forksand-hk2} --- Virtual Machine Node 2
\item \texttt{forksand-hk3} --- Virtual Machine Node 3
\item \texttt{\textcolor[rgb]{0.80,0.00,0.00}{forksand-shark1}} \textcolor[rgb]{0.80,0.00,0.00}{--- Virtual Machine Node ?}
\item \texttt{forksand-shark2} --- Virtual Machine Node 4
\item \texttt{forksand-shark3} --- Virtual Machine Node 5
\item \texttt{forksand-shark4} --- Virtual Machine Node 6
\item \texttt{forksand-the} --- Virtual Machine Node 7
\item \texttt{forksand-truck} --- Virtual Machine Node 8
\end{itemize}
%\subsection{Virtual Machine Servers}
%KVM virtual machine servers. Fast CPU, with lots of RAM. Uses Ceph to store
%virtual images.
%
%\subsection{Proxmox Web GUI Servers}
%A Proxmox's Web GUI for administration of the cluster.
\subsection{Virtual Machine Nodes}
Virtual machine nodes. Fast CPU, with lots of RAM. Uses Ceph to store
virtual images.
Every node includes a Proxmox's Web GUI for administration of the cluster.
\textcolor[rgb]{0.80,0.00,0.00}{Todo clarify}
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{proxmox-gui.png}
\caption{Proxmox Sunstone Web Admin GUI}
\label{fig:proxmox-gui}
\end{figure}
\begin{minted}{sh}
echo "deb http://download.proxmox.com/debian/pve stretch pve-no-subscription" \
> /etc/apt/sources.list.d/pve-install-repo.list
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg \
-O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" dist-upgrade
apt-get -y install ksm-control-daemon proxmox-veupdate-grub
apt remove os-prober
\end{minted}
\section{Bugs}
Things that are bugs or at least aren't configured correctly.
\section{GUI Configuration}
At this point, you should have the Proxmox server up and running.
\textcolor[rgb]{0.80,0.00,0.00}{
Todo check related, modify/replace unrelated
}
\begin{minted}{sh}
See scripts in \texttt{source/resources/ns24} for automation.
\begin{enumerate}
\item Set up Linux Bridge (use Sunstone server name for ns24):
Code: \\ \texttt{ssh -N -C -L 9869:localhost:9869 ns24}
\item In workstation, open browser to url:
URL: \\ \url{http://localhost:9869/}
Info: \\ This goes through the encrypted SSH tunnel, but doesn't use https.
\item Click \texttt{Proxmox} in the upper right to get the full web console.
\item Click \texttt{Infrastructure}.
\item Click \texttt{Hosts}.
\item Click The \texttt{+} plus icon.
\item Enter the hostname of the KVM server you want to use, such as the Sunstone server itself.
\texttt{Type: KVM}
\texttt{Hostname: ns24}
\item Click \texttt{Create}.
\item Repeatedly hit the reload button that's the two arrows in a circle, as it goes thru
stages of setup, starting at \texttt{INIT}.
\item Confirm status is \texttt{ON}.
\end{enumerate}
\end{minted}
\section{GUI Deploy Image}
\textcolor[rgb]{0.80,0.00,0.00}{Todo check related, modify/replace unrelated}
\begin{minted}{sh}
This is a quick and dirty way to deploy a first test image.
NOTE: It is note privacy aware, as it pulls the image from the
Proxmox ``store''.
\end{minted}
\textcolor[rgb]{0.80,0.00,0.00}{Todo check related, modify/replace unrelated}
\begin{minted}{sh}
How to deploy an image from the Proxmox App store:
\begin{enumerate}
\item Click \texttt{Storage}.
\item Click \texttt{Apps}
\item Click \texttt{Debian 9 - KVM}.
\item Click on the icon that is a cloud with an arrow in it. This downloads it to Proxmox.
\item Select a datastore by clicking the \texttt{default} line.
\item Leave name and all that the same, and click \texttt{Download}.
\item Click \texttt{Images} under \texttt{Storage} in the left column.
\item Hit the refresh icon repeatedly.
\item When \texttt{Status} is \texttt{READY}, it is good to go.
\item Click \texttt{Templates} in the left column.
\item Click \texttt{VMs}.
\item Click \texttt{Debian 9 - KVM}.
\item Click \texttt{Instantiate}.
\item \texttt{VM Name} enter \texttt{deb9}.
\item \texttt{Number of instances} enter \texttt{1}.
\item \texttt{Memory} enter \texttt{768}.
\item \texttt{CPU} enter \texttt{1}.
\item Click the slider to \texttt{Instantiate as persistent}.
\item Click \texttt{Instantiate}.
\item Click \texttt{Instances} in the left column.
\item Click \texttt{VMs}.
\item Click the reload icon, repeat.
\item It is good when \texttt{Status} is \texttt{RUNNING}.
\item Set up an \texttt{ssh} tunnel so VNC can be used:
\texttt{ssh -N -C -L 29876:localhost:29876 ns24}
\item Click on the little monitor icon to launch VNC.
\item Look at booted up screen at \texttt{login:} prompt.
\item This means a Debian KVM booted up and the VNC is working.
There is no password for the \texttt{root} account, only \texttt{ssh} is available.
So without network setup, you can't really do anything with this image.
Booted, it just shows it works.
\end{enumerate}
I think delete this section, it would go before the \texttt{Templates} above.:
\begin{enumerate}
\item Click \texttt{Debian 9 - KVM}.
\item PROBABLY NO: Click \texttt{Clone} to make a local copy.
\item PROBABLY NO: It will say \texttt{Copy of Debian 9 - KVM}, leave as-is, click \texttt{Clone}.
\item Click on the icon with three dots.
\item Click \texttt{Make Persistent}.
\item Click on the icon with three dots.
\item Click \texttt{Enable}.
\end{enumerate}
\end{minted}
\section{Proxmox Networking}
Create --> Linux Bridge: vmbr0
XXX best way for this server? No subnet.
\textcolor[rgb]{0.80,0.00,0.00}{taken from forksand-shark4-bootstrap}
\begin{minted}{sh}
source /etc/network/interfaces.d/*
auto enp1s0f1
iface enp1s0f1 inet static
address 70.39.103.210/29
gateway 70.39.103.209
dns-nameservers 208.67.222.222
dns-search forksand.com
\end{minted}
As user \texttt{jebba}, on the server, run this to generate a key.
Then paste that key into Sunstone under "SSH Public Key".
\begin{minted}{sh}
ssh-keygen -t ed25519
\end{minted}
\begin{minted}{sh}
# XXX test. Use this IP and interface, so no 192.168.0.0 but real IPs.
# Comment this out:
auto eth0:27
iface eth0:27 inet static
address 174.128.229.158
netmask 255.255.255.224
gateway 174.128.229.129
\end{minted}
XXX Check if IP forwarding is needed in \texttt{/etc/sysctl.conf}.
If things are set up to use a bridge and 192.168.100.100,
\texttt{iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE}
Will bring things up to NAT.
XXX The port forwarding is forwarding all port 53 to guest at the moment.

+ 831
- 0
source/Software-daemons.tex View File

@ -79,6 +79,837 @@ Used on many servers for a database.
Shared calendars, files, collaborative document editing with
LibreOffice Online, videoconferencing.
Some of this is from owncloud era...
\begin{minted}{sh}
#Install debian jessie, ssh server, standard system utilities
#install jebba ssh key
#install sudo
#disable password ssh
#disable root ssh
#==================================
#
#Set up DNS
#Set up Server
#Create new jessie server, and boot it up.
#Copy over key:
ssh-copy-id jebba@pwn.themoes.org
#Log in to new machine:
ssh jebba@pwn.themoes.org
#Change jebba's password.
passwd jebba
#Set a root password:
su -
passwd root
#Disable source repos:
sed -i -e 's/deb-src/#deb-src/g' /etc/apt/sources.list
#Set up `git` as kludge to track /etc
apt-get -y install git
cd /etc
git init
chmod og-rwx /etc/.git
vi /etc/.gitignore
\end{minted}
Add these lines to /etc/.gitignore
\begin{minted}{sh}
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
\end{minted}
\subsection{Set up a git user:}
\begin{minted}{sh}
vi ~/.gitconfig
[user]
name = Jeff Moe
[color]
branch = auto
diff = auto
status = auto
\end{minted}
\subsection{Create and populate the git repo for /etc:}
\begin{minted}{sh}
git add .
EDITOR=vi git commit -a
Intial setup of pwn.themoes.org jessie owncloud server
#Install some needed stuff:
apt-get -y install sudo vim curl exuberant-ctags rsync ntp vim-scripts
host strace telnet lsb-release unzip bzip2 && apt-get clean
#Set up vim:
echo :syntax on > ~/.vimrc
#Add jebba to sudo group:
adduser jebba sudo
#Make sudoers passwordless:
vim /etc/sudoers
#Change:
%sudo ALL=(ALL:ALL) ALL
#To:
%sudo ALL=(ALL) NOPASSWD: ALL
#Edit /etc/ssh/sshd_config (dodgy way to do this):
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin no/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/RSAAuthentication yes/RSAAuthentication no/g' \
-e 's/Port 22/Port 43827/g'\
-e 's/X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
#Disable unneeded services:
for i in nfs-common rpcbind mountkernfs.sh rsync exim4 ; do echo $i ;
sudo /usr/sbin/update-rc.d $i disable ; done
\end{minted}
Todo. Should these be dropped too? mountnfs-bootclean.sh mountnfs.sh
Reboot
\begin{minted}{sh}
#Log in as jebba (from workstation):
ssh -p 43827 -C jebba@pwn.themoes.org
#VIM:
echo :syntax on > ~/.vimrc
\end{minted}
\subsection{Setup}
Update /etc/hosts:
\begin{minted}{sh}
5.152.179.226 pwn pwn.themoes.org
#Comment out:
#127.0.1.1 pwn.themoes.org pwn
#Update /etc/hostname:
pwn
#Commit everything so far to git
sudo su -
cd /etc
git add .
EDITOR=vi git commit -a
# Additional base config for server.
\end{minted}
\subsection{Make IP Static}
\begin{minted}{sh}
vim /etc/network/interfaces
\end{minted}
Comment out:
\begin{minted}{sh}
#allow-hotplug eth0
#iface eth0 inet dhcp
\end{minted}
Add:
\begin{minted}{sh}
auto eth0
iface eth0 inet static
address 5.152.179.226
netmask 255.255.255.0
gateway 5.152.179.1
\end{minted}
\begin{minted}{sh}
# Install Firewall
# =============
# https://wiki.debian.org/iptables
#Create /etc/iptables.up.rules and /etc/network/if-pre-up.d/iptables
touch /etc/iptables.up.rules /etc/network/if-pre-up.d/iptables
/etc/iptables.test.rules
chmod 600 /etc/iptables.test.rules /etc/iptables.up.rules
\end{minted}
\begin{minted}{sh}
vim /etc/iptables.test.rules
\end{minted}
*filter
\begin{minted}{sh}
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that
doesn't use lo0
-A INPUT -i lo -j ACCEPT
#-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for
websites)
#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
#-A INPUT -p tcp --dport 80 -j ACCEPT
# Accept 443 from everywhere
#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
#-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH Access Port 43827