infrastructure:servers:chaosknoten
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
infrastructure:servers:chaosknoten [2023-07-22 17:09 UTC] – [Gast-VMs] stb | infrastructure:servers:chaosknoten [2024-05-26 15:53 UTC] (current) – add zfs unlock instructions dario | ||
---|---|---|---|
Line 2: | Line 2: | ||
---- dataentry server ---- | ---- dataentry server ---- | ||
- | hostname: | + | hostname |
- | location: | + | location |
- | maintainers: | + | maintainers : Infra-Team |
- | netbox_url: | + | netbox_url |
---- | ---- | ||
+ | |||
<WRAP column half> | <WRAP column half> | ||
Line 33: | Line 34: | ||
===== Gast-VMs ===== | ===== Gast-VMs ===== | ||
- | Die VMs sind in Netbox dokumentiert. | + | Die VMs sind in Netbox dokumentiert: [[https:// |
===== Firewall-Freischaltung ===== | ===== Firewall-Freischaltung ===== | ||
Line 40: | Line 41: | ||
* CCCHH-Z9: 185.161.129.132 und 2a07: | * CCCHH-Z9: 185.161.129.132 und 2a07: | ||
* stb: 213.240.180.39 und 2a01: | * stb: 213.240.180.39 und 2a01: | ||
- | * haegar: 136.243.3.60 | + | * haegar: |
===== Netzwerkanbindung ===== | ===== Netzwerkanbindung ===== | ||
- | * Ethernet 1 - Untagged | + | Chaosknoten hat vier physikalische Interfaces |
- | * 212.12.48.0/ | + | * '' |
- | * 212.12.48.122: VM turing-router: | + | * '' |
- | * 2a00:14b0: | + | * '' |
- | * Route zu /64 2a00: | + | * 1G Kupfer |
- | * Einige Subnetze werden hierrüber geroutet | + | * verbunden mit IRZ42-Netz VLAN 48 (aber bei uns ungetaggt) |
- | * 212.12.48.123: | + | * von hinten gesehen linker Port |
- | * 212.12.48.124: | + | * grünes Patchkabel zu Switchport 15 |
- | * 212.12.48.125: ESXi10.ccchh-temp.vm.irz42.net. | + | * '' |
- | * 212.12.48.126: chaosknoten | + | * 1G Kupfer |
- | * Ethernet 2 - Untagged (auf IRZ-Seite 512) | + | * verbunden mit IRZ42-Netz VLAN 512 (aber bei uns ungetaggt) |
- | * Alle VMs | + | * von hinten gesehen rechter Port |
- | * Geroutet sowohl von Wieske | + | * rotes Patchkabel zu Switchport 18 |
- | * 212.12.50.208/ | + | * IPMI-iDRAC-Interface: |
- | * 212.12.50.209: | + | * 1G Kupfer |
- | * 212.12.50.210: lokal.ccc.de | + | * verbunden mit IRZ42-Netz VLAN 512 (aber bei uns ungetaggt) |
- | * 212.12.50.211: | + | * Switchport |
- | * 212.12.50.212: | + | |
- | * 212.12.50.213: | + | |
- | * 212.12.50.214: | + | |
- | * 172.31.17.128/ | + | |
- | * 172.31.17.53 + 172.31.17.153 2a00: | + | |
- | * 172.31.17.135 2a00: | + | |
- | * 172.31.0.5 + 172.31.17.136 + 172.31.255.53 cvpn-dns.hamburg.ccc.de (chaosvpn) | + | |
- | * 172.31.17.122 + 172.31.17.142 2a00:14b0: | + | |
- | * 172.31.17.14 + 172.31.17.137 2a00: | + | |
- | * 172.31.17.134 2a00: | + | |
- | * 172.31.17.17 172.31.17.133 2a00: | + | |
- | * 172.31.17.138 2a00: | + | |
- | * 172.31.17.138 2a00: | + | |
- | * 172.31.17.180 2a00: | + | |
- | * 172.31.17.124 172.31.17.131 2a00: | + | |
- | * 172.31.17.199 2a00: | + | |
- | * 212.12.50.210 172.31.17.210 2a00: | + | |
- | * 212.12.50.212 172.31.17.212 2a00: | + | |
- | * 212.12.50.213 172.31.17.213 2a00: | + | |
- | * 212.12.51.140 2a00: | + | |
- | * 212.12.51.128/ | + | |
- | * 212.12.51.129: | + | |
- | * 212.12.51.130: | + | |
- | * 212.12.51.131: | + | |
- | * 212.12.51.132: | + | |
- | * 212.12.51.133: | + | |
- | * 212.12.51.134: | + | |
- | * 212.12.51.135: | + | |
- | * 212.12.51.136: | + | |
- | * 212.12.51.137: | + | |
- | * 212.12.51.138: | + | |
- | * 212.12.51.139: | + | |
- | * 212.12.51.140: | + | |
- | * 212.12.51.141: | + | |
- | * 212.12.51.142: | + | |
- | * 212.12.51.143: | + | |
- | {{:infrastructure:worker-alte-vms-1.png?400|}}{{:infrastructure:worker-alte-vms-2.png?400|}} | + | '' |
+ | |||
+ | '' | ||
+ | |||
+ | DIe VMs haben Adressen aus verschiedenen Netzen. Siehe [[https:// | ||
+ | |||
+ | ==== IPv4 ==== | ||
+ | |||
+ | === Public IPv4s === | ||
+ | |||
+ | We have the following public IPv4 subnets/ | ||
+ | |||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | === Private IPv4s === | ||
+ | |||
+ | We use the following private IPv4 ranges: | ||
+ | |||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | ==== IPv6 ==== | ||
+ | |||
+ | We have 2 IPv6-64-Prefixes, | ||
+ | |||
+ | === 2a00: | ||
+ | |||
+ | '' | ||
+ | This subnet corresponds to the following IPv4-Subnets: | ||
+ | * '' | ||
+ | |||
+ | To generate an IPv6 corresponding to an IPv4, we use the following convention: Take the last octet of the IPv4-address in decimal and use it for the first two bytes of the localpart, but with the digits as hex.\\ | ||
+ | So e.g.: '' | ||
+ | |||
+ | === 2a00: | ||
+ | |||
+ | '' | ||
+ | This subnet corresponds to the following IPv4-Subnets: | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | To generate an IPv6 corresponding to an IPv4 from either '' | ||
+ | So e.g.: | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | To generate an IPv6 corresponding to an IPv4 from '' | ||
+ | So e.g.: | ||
+ | * '' | ||
- | Patchkanel | ||
- | * 15 512 VMs, rechts rot | ||
- | * 17 512 IPMI (nicht angeschlossen weil keine Firewall) | ||
- | * 18 48 Proxmox, links grün | ||
===== Konfiguration ===== | ===== Konfiguration ===== | ||
- | TODO | + | |
+ | ===== Zugriff auf VMs ===== | ||
+ | |||
+ | SSH auf allen VMs läuft auf nicht-Standard-Ports, | ||
+ | |||
+ | Alle VMs, die eine RFC1918-Adresse haben, können über turing-router oder turing-main als Jumphost erreicht werden. Als Beispiel hier ein Snippet für '' | ||
+ | |||
+ | < | ||
+ | Host turing | ||
+ | HostName turing.hamburg.ccc.de | ||
+ | Port 4222 | ||
+ | User chaos | ||
+ | |||
+ | Host turing-main | ||
+ | HostName turing.hamburg.ccc.de | ||
+ | Port 42666 | ||
+ | User chaos | ||
+ | |||
+ | Host ns-intern | ||
+ | HostName ns-intern.hamburg.ccc.de | ||
+ | User chaos | ||
+ | ProxyJump turing | ||
+ | |||
+ | Host rproxy-intern | ||
+ | HostName rproxy-intern.hamburg.ccc.de | ||
+ | User chaos | ||
+ | ProxyJump turing | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== HOWTO Chaosknoten-Reboot ===== | ||
+ | |||
+ | ==== Vor dem Reboot ==== | ||
+ | |||
+ | === VMs hibernaten === | ||
+ | |||
+ | Eine Reihe von VMs brauchen beim Booten ein Secret über die Konsole, z. B. für LUKS. Wenn man das nicht machen will, kann mann die betreffenden VMs in den Winterschlaf schicken. Wir haben alle VMs, für die das notwendig ist, mit dem Tag " | ||
+ | |||
+ | # ./ | ||
+ | |||
+ | ==== Nach dem Reboot ==== | ||
+ | |||
+ | Was nach einem reboot alles passieren muss, damit alle services wieder hochkommen. | ||
+ | |||
+ | === ZFS encrypted Dataset entsperren === | ||
+ | |||
+ | Key liegt im pass unter '' | ||
+ | |||
+ | zfs load-key rust0/ | ||
+ | |||
+ | ===== Assigned Services ===== | ||
+ | |||
+ | ---- datatable ---- | ||
+ | headers : Service, Service-URLs, | ||
+ | cols : %pageid%, service-urls_urls, | ||
+ | filter | ||
+ | and : %pageid%!=infrastructure: | ||
+ | and : server_page==infrastructure: | ||
+ | ---- |
infrastructure/servers/chaosknoten.1690045769.txt.gz · Last modified: 2023-07-22 17:09 UTC by stb