Merge ~ballot/launchpad-mojo-specs/+git/launchpad-mojo-specs:doc_iptables into launchpad-mojo-specs:master

Proposed by Benjamin Allot
Status: Needs review
Proposed branch: ~ballot/launchpad-mojo-specs/+git/launchpad-mojo-specs:doc_iptables
Merge into: launchpad-mojo-specs:master
Diff against target: 61 lines (+53/-0)
1 file modified
lp/README.md (+53/-0)
Reviewer: Canonical Launchpad Engineering (review type: not specified; date requested: not specified; status: Pending)
Review via email: mp+455577@code.launchpad.net
Colin Watson (cjwatson) :

Unmerged commits

12d16b2... by Benjamin Allot

Add documentation about the iptables redirect and SR-IOV setup

Succeeded
[SUCCEEDED] lint:0 (build)

Preview Diff

1diff --git a/lp/README.md b/lp/README.md
2index 35b3c33..439d7ba 100644
3--- a/lp/README.md
4+++ b/lp/README.md
5@@ -70,3 +70,56 @@ To create the exchange used for OOPSes in the local RabbitMQ instance:
6 ```shell
7 juju run -u rabbitmq-server/leader -- rabbitmqadmin declare exchange name=oopses type=fanout durable=true
8 ```
9+
10+### Production network setup
11+
12+This setup is specific to the production environment.
13+
14+#### SR-IOV
15+
16+Two new units, ppa-lb and launchpad-ppa-publisher, are now on SR-IOV instances.
17+Those instances have a bond on the edge network, bypassing any firewalls.
18+
19+The specific part required for the routing and port forward aspect will be found in /etc/networkd-dispatcher/routable.d on those hosts
20+on top of the netplan config in /etc/netplan/config.yaml
21+
22+### Iptables redirect
23+
24+Because txpkgupload is using port 22 which collides with SSH, and that using charms to modify Openssh on the host, it is now listening on port 5022.
25+
26+The current flow is:
27+
28+client (internet) -> ppa-lb (ipv4/ipv6) on port 22 -> iptables redirect to port 5022 -> haproxy redirect to launchpad-ppa-uploader on port 5022
29+
30+This is required for both IPv4 and IPv6, when a new connection is coming through the edge interface on port 22.
31+
32+The openssh daemon is listening on the private IP only on port 22 and is used for administration purpose.
33+
34+To bring those rules automatically when the bond-edge interface is configured, add this content into `/etc/networkd-dispatcher/routable.d/20-ppa-redirect`
35+
36+WARNING: this must be executable
37+```
38+sudo chmod +x /etc/networkd-dispatcher/routable.d/20-ppa-redirect
39+```
40+
41+```bash
42+#!/bin/bash
43+
44+set -ue
45+# Redirect port 22 when hitting edge interface to 5022 on the same interface
46+EDGE_IF=bond-edge
47+
48+# No op on other interfaces
49+# See https://gitlab.com/craftyguy/networkd-dispatcher
50+if [[ "${IFACE}" != "${EDGE_IF}" ]]; then
51+ exit 0
52+fi
53+
54+# There are 2 variables existing, IP_ADDRS and IP6_ADDRS, but cannot be tested at time of writing, feel free to update
55+EDGE_IP_v4="$(ip -brief -4 addr show ${EDGE_IF?} | awk '{split($3, ip, "/"); print ip[1]}')"
56+EDGE_IP_v6="$(ip -brief -6 addr show ${EDGE_IF?} | awk '{split($3, ip, "/"); print ip[1]}')"
57+
58+# Redirect port 22 coming through the EDGE_IP to port 5022 locally (haproxy)
59+/usr/sbin/iptables -t nat -A PREROUTING -d ${EDGE_IP_v4?}/32 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 5022
60+/usr/sbin/ip6tables -t nat -A PREROUTING -d ${EDGE_IP_v6?}/112 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 5022
61+```
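Review bot: the two `iptables -t nat -A PREROUTING` / `ip6tables -t nat -A PREROUTING` lines at the end of the script append a rule every time networkd-dispatcher fires a routable event for bond-edge, so an interface flap or a manual re-run leaves duplicate REDIRECT entries in the nat table; make the script idempotent by checking before appending, e.g. `iptables -t nat -C PREROUTING <rule> || iptables -t nat -A PREROUTING <rule>`, or by flushing the script's own rules (a dedicated chain helps) before re-adding them. Two smaller points in the same script: `${EDGE_IP_v4?}` only aborts when the variable is unset, but the `ip ... | awk ...` pipeline assigns an empty string (not unset) when no address is found, and without `set -o pipefail` a failing `ip` is masked by awk's exit status, so `${EDGE_IP_v4:?}` (with the colon) plus `-o pipefail` is what actually catches a missing address instead of passing `-d /32` to iptables; and the IPv6 rule matches `-d ${EDGE_IP_v6?}/112` while the IPv4 rule matches the single host `/32`, which should either become `/128` or carry a comment explaining why a whole /112 is intended. In the prose, the sentence "Because txpkgupload is using port 22 which collides with SSH, and that using charms to modify Openssh on the host, it is now listening on port 5022." is missing its verb in the second clause, and "### Iptables redirect" sits at the same heading level as "### Production network setup" although it reads as a sub-section alongside "#### SR-IOV".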
