# Mosaic platform 2nd year ## Pfsense *pfSense is an open source firewall and router based on FreeBSD* * IPsec tunnel setting - static 1. VPN -> IPsec -> tunnels 2. add P1 (define which remote gateway to build the tunnel with) 3. add P2 (define the local and remote site network) * mode: tunnel IPv4 * IPsec tunnel setting - dynamic 1. VPN -> IPsec -> tunnels 2. add P1 (define which remote gateway to build the tunnel with) 3. add P2 (define the local and remote site network) * mode: Routed(VTI) * Local network: choose Network and define the virtual interface IP * ex:10.10.10.1/30 * Remote network: choose Address and define the remote virtual interface IP * ex:10.10.10.2 * Note: 2 VTI(Virtual Tunnel Interface) need to be set in the same subnet 4. System -> Package Manager -> download frr package 5. Service -> FRR Global/Zebra -> enable 6. Service -> FRR RIP -> enable -> set the network that you want the routers to communicate with * set the local network of this router (ex: 192.168.56.0/24() * set the neighbor of this router (remote site IP of the tunnel) * Note: FRR RIP need to click the distribution of the route to the neighbor * Firewall Rule * needs to allow the traffic of IPsec * may need to set one more rule to allow TCP with port(BGP) -> I don't know why QQ * needs to disable WAN (can be edit in Interface -> Wan) * Block private networks and loopback addresse * Block bogon networks ## Quagga *Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) and so on.* * installation 1. install the package ``` sudo apt install quagga ``` 2. modify the configuration * sudo vim /etc/quagga/daemons ``` zebra=yes ripd=yes ``` * sudo vim /etc/quagga/zebra.conf (copy from [link](https://github.com/rwestphal/quagga-public/blob/master/zebra/zebra.conf.sample)) ``` ! -*- zebra -*- ! ! zebra sample configuration file ! ! $Id: zebra.conf.sample,v 1.1 2002/12/13 20:15:30 paul Exp $ ! hostname Router password zebra enable password zebra ! ! Interface's description. ! !interface lo ! description test of desc. ! !interface sit0 ! multicast ! ! Static default route sample. ! !ip route 0.0.0.0/0 203.181.89.241 ! !log file zebra.log ``` * sudo vim /etc/quagga/ripd.conf (copy from [link](https://github.com/rwestphal/quagga-public/blob/master/ripd/ripd.conf.sample)) ``` ! -*- rip -*- ! ! RIPd sample configuration file ! ! $Id: ripd.conf.sample,v 1.1 2002/12/13 20:15:30 paul Exp $ ! hostname ripd password zebra ! ! debug rip events ! debug rip packet ! router rip ! network 11.0.0.0/8 (**uncomment it to set the wanted network subnet**) ! network eth0 ! route 10.0.0.0/8 ! distribute-list private-only in eth0 ! !access-list private-only permit 10.0.0.0/8 !access-list private-only deny any ! !log file ripd.log ! log stdout ``` * Note: need to set the local IP subnet including virtual IP subnet 3. start the service ``` service zebra/ripd start ``` ## Monit *Monit is a free, open-source process supervision tool for Unix and Linux* * Installation 1. install the package ``` sudo apt-get install monit ``` 2. modify the configuration * sudo vim /etc/monit/monitrc ``` **uncomment the following line** set httpd port 2812 and use address localhost # only accept connection from localhost allow localhost # allow localhost to connect to the server and allow admin:monit ``` ``` set daemon 30 **check the process every 30 seconds** ``` ``` **the process to monitor on** check process zebra with pidfile /var/run/quagga/zebra.pid start program = "/bin/systemctl start zebra" stop program = "/bin/systemctl stop zebra" if does not exist then exec "/bin/systemctl restart zebra" check process ripd with pidfile /var/run/quagga/ripd.pid start program = "/bin/systemctl start ripd" stop program = "/bin/systemctl stop ripd" if does not exist then exec "/bin/systemctl restart ripd" ``` 3. start the service ``` service monit (re)start ``` 4. command to monitor the process ``` monit summary ``` * let systemd to handle restart 1. go to the path of the service /lib/systemd/system or /etc/systemd/system 2. find the service and edit (ex:ripd.service) 3. add `Restart=always; RestartSec=<second>` at [Service] 4. reload the daemon `systemctl daemon-reload` ## VIPArip *Virtual IP Address by RIP2 protocol. This script manages IP alias in different subnet with quagga/ripd. It can add an IP alias, or remove one.* * crm configure edit ``` primitive VIPArip VIPArip \ params ip=<vip> nic=lo \ op start interval=0 timeout=20s \ op monitor interval=5s timout=20s depth=0 \ op stop interval=5s timeout=20s \ meta target-role=start ``` * some corosync commands ``` # crm resource cleanup <resource name> -> clean the resource error message # crm node standby/online <node name> -> can be used to test the migration of the resource # crm status -> check node/resource status ``` * corosync & pacemaker webUI ``` # sudo apt install pcs # systemctl start pcsd # systemctl enable pcsd # passwd "username" -> setup the webUI username and password *** WebUI url : https://<node IP>:2224 *** ``` ## Redis deployment with persistent volumes *Create redis with storage class longhorn to provide persistent volumes across the nodes in k8s.* * run the following commands in 3 nodes. 1. execute the registry image to provide local repository ``` # docker run --rm -it -p 5000:5000 registry **this command needs to be running when executing the following commands** ``` 2. create Redis docker image and push it to local repository ``` # docker build -t dep-redis:1.0 . # docker image tag dep-redis:1.0 localhost:5000/dep-redis:1.0 # docker push localhost:5000/dep-redis:1.0 ``` * run the following commands in only one node 3. create PV for longhorn, so redis can store the data here ```` # kubectl apply -f pvc-dep-redis.yaml ```` 4. create redis service and deployment ```` # kubectl apply -f redis-service.yaml # kubectl apply -f master-dep-redis.yaml ```` 5. check the pod is running and has successfully attached to the pv ```` # kubectl get po # kubectl get pvc ```` 6. you can access the longhorn UI to check if it has successfully attached the redis with longhorn replica.  * start to use redis ```` **enter the pod** # kubectl exec -it <redis pod name> bash **login redis** # redis-cli -h 127.0.0.1 -p 6379 -a rpasswd ```` ## Get node info inside k8s pod *use python client to get the node info of k8s cluster* 1. add the config file of k8s in the docker container ``` file postition : </root/.kube/config> ``` 2. need to install k8s ``` # pip3 install kubernetes ``` 3. Dockerfile example ``` FROM ubuntu:18.04 RUN apt-get update && apt-get install -y python3 python3-pip vim RUN pip3 install redis kubernetes RUN mkdir /root/.kube/ ADD ./config /root/.kube/ ``` 4. k8s node API ref. https://github.com/kubernetes-client/python/blob/master/kubernetes/docs/V1Node.md