Table of Contents
Setting up VPN
Obtaining VPN credentials
Once access is approved send the following information to opnfv-helpdesk@rt.linuxfoundation.org along with attached approval email
- Your name and email address
- Add a copy of your PGP public key, as attachment
- If you do not have a PGP key, please generate it following this guide
- Export your public key using "
gpg --export -a [your@email.addr] > pgp-key.asc" and attach pgp-key.asc to the request
It is important to send the request to opnfv-helpdesk@rt.linuxfoundation.org as opposed to any individual administrator, as we require the ticket number for the necessary papertrail.
Setting up OpenVPN
Prerequisites: Make sure that you have openvpn installed (e.g. "apt-get install openvpn" on a Debian system) on your system. Also make sure that you have a user and a group "openvpn" configured (e.g. "addgroup openvpn", "adduser openvpn openvpn").
Note: In case you're behind a firewall (e.g. a corporate firewall), udp port 1203 needs to be open - or you experience issues (i.e it won't work).
You should have received an encrypted tarball with your credentials. This tarball includes the following files:
- opnfv.ovpn : configuration file for the command-line client
- opnfv-ca.crt : CA certificate for the VPN
- opnfv-ta.key : TLS Authentication key
- your@email.addr.crt : Your VPN certificate
- your@email.addr.key : Your VPN private key
- admin-credentials.txt : admin credentials to access the UCS manager
Command-line client
To use the command-line client, just copy these files into /etc/openvpn/ and run:
sudo openvpn --config /etc/openvpn/opnfv.ovpn
Graphical client (Network Manager)
- Click on Add→VPN→OpenVPN
- Name: opnfv VPN
- Firewall Zone: default
- Gateway: vpn.opnfv.org
- Type: Certificates (TLS)
- User Certificate: Choose your@email.addr.crt from the bundle
- CA Certificate: Choose opnfv-ca.crt from the bundle
- Private key: Choose your@email.addr.key from the bundle
- Private key password: leave blank
- Click the "Advanced" button
- General Tab:
- Use custom gateway port: 1203
- Use LZO data compression: yes
- Set virtual device type: Choose TUN, name: tun
- Use custom UDP fragment size: 1400
- TLS Authentication tab:
- Use additional TLS authentication: yes
- Key file: Choose opnfv-ta.key from the bundle
- Key direction: 1
Checking connectivity
Once you establish the VPN connection, you should be able to access two private subnets:
- 172.30.8.0/24 : lights-out management subnet
- 172.30.9.0/24 : POD1 subnet
- 172.30.10.0/24 : POD2 subnet
- 172.30.11.0/24 : POD3 subnet
- 172.30.12.0/24 : POD4 subnet
- 172.30.13.0/24 : POD5 subnet
You can test your connectivity by pinging 172.30.[8-13].1 for each range.
NOTE: Traffic between 172.30.8.0/24 and 172.30.9-13.0/24 is filtered. If you need specific ports to be open, contact opnfv-helpdesk@rt.linuxfoundation.org with details.
Accessing the UCS manager
To access UCS infrastructure, please connect to the following addresses:
- https://172.30.8.21/ : UCS Manager (make sure that you have JRE (pick Oracle's Java) installed on your machine)
- 172.30.8.11:22 : SSH access for fiber interconnect A
- 172.30.8.12:22 : SSH access for fiber interconnect B
The credentials have been shared with you as part of the encrypted bundle.
POD1 jump host opnfv@172.30.9.66 POD2 jump host opnfv@172.30.10.72
Hardware setup
IP rules for the class-C networks: (UCSM, CIMC usage)
- 172.30.8.1-63 : reserved LF use
- 172.30.8.64-255 : project use
similar rules for 172.30.9-13.0/24 subnet: (POD1-POD5 subnets)
- 172.30.x.1-63 : reserved LF use
- 172.30.x.64-255 : project use
Traffic filtering
There are three main firewall zones:
| Zone name | VLAN | IP range | Description |
|---|---|---|---|
| nfvad | - | 172.30.15.0/24 | Admin P2P VPN access |
| nfvlo | 410 | 172.30.8.0/24 | Lights-out Management |
| nfvp1-5 | 411-415 | 172.30.9-13/0/24 | POD1-5 subnets |
| ext | - | - | Public internet |
The following traffic is allowed:
| From | To | Proto | Ports | Description |
|---|---|---|---|---|
| nfvad | nfvp1,nfvp2 | all | all | |
| nfvad | nfvlo | all | all | |
| nfvp1-5 | ext | tcp | 80, 443 | Web |
| nfvp1-5 | ext | udp | 123 | NTP |
| nfvp1-5 | ext:8.8.8.8, ext:8.8.4.4 | udp | 53 | DNS |
| nfvlo | ext | tcp | 80, 443 | Web |
| nfvlo | ext | udp | 123 | NTP |
| nfvlo | ext:8.8.8.8, ext:8.8.4.4 | udp | 53 | DNS |
| nfvp1-5 | nfvlo | udp | 623 | IPMI |
POD1
Same topology as POD2
Jumpserver public IP: 172.30.9.66 (opnfv/octopus)
| Slot | Role | PXE MAC 1st interface | Private MAC 2nd interface | IPMI IP | IPMI MAC | IPMI usr/pass |
|---|---|---|---|---|---|---|
subnet 192.168.1.0/24 | subnet 192.168.0.0/24 | |||||
| 1 | Jumpserver | 00:25:B5:cc:00:4e | 172.30.8.79 | a8:9d:21:c9:82:7c | admin/octopus | |
| 2 | node1 | 00:25:B5:cc:00:1e | 172.30.8.69 | a8:9d:21:c9:84:ee | admin/octopus | |
| 3 | node2 | 00:25:B5:cc:00:5d | 172.30.8.78 | a8:9d:21:7d:e1:ce | admin/octopus | |
| 4 | node3 | 00:25:B5:cc:00:1d | 172.30.8.80 | 4e:aa:5d:ee:09:7e | admin/octopus | |
| 5 | node4 | 00:25:B5:cc:00:3c | 172.30.8.76 | A8:9D:21:c9:60:da | admin/octopus | |
| 6 | node5 | 00:25:B5:A0:00:5b | 172.30.8.71 | A8:9D:21:c9:67:28 | admin/octopus |
POD2
Jumpserver public IP: 172.30.10.72 (opnfv/octopus)
| Slot | Role | PXE MAC 1st interface | Private MAC 2nd interface | IPMI IP | IPMI MAC | IPMI usr/pass |
|---|---|---|---|---|---|---|
subnet 192.168.1.0/24 | subnet 192.168.0.0/24 | |||||
| 1 | Jumpserver | 00:25:B5:A0:00:1A | 00:25:B5:A0:00:1B | 172.30.8.66 | a8:9d:21:c9:c4:9e | admin/octopus |
| 2 | node1 | 00:25:B5:A0:00:2A | 00:25:B5:A0:00:2B | 172.30.8.75 | a8:9d:21:c9:8b:56 | admin/octopus |
| 3 | node2 | 00:25:B5:A0:00:3A | 00:25:B5:A0:00:3B | 172.30.8.65 | a8:9d:21:c9:4d:26 | admin/octopus |
| 4 | node3 | 00:25:B5:A0:00:4A | 00:25:B5:A0:00:4B | 172.30.8.74 | a8:9d:21:c9:3a:92 | admin/octopus |
| 5 | node4 | 00:25:B5:A0:00:5A | 00:25:B5:A0:00:5B | 172.30.8.73 | 74:a2:e6:a4:14:9c | admin/octopus |
| 6 | node5 | 00:25:B5:A0:00:6A | 00:25:B5:A0:00:6B | 172.30.8.72 | a8:9d:21:a0:15:9c | admin/octopus |
POD2 Topology
CIMC/Lights+out management Admin Private Public Storage
PXE
vlan 300
172.30.8.64/26 192.168.1.0/24 +
+ + 192.168.0.0/24| |
| | + + |
| | | 172.30.10.0/24 |
| +-----------------+ | | + |
| | | enp6 | | | |
+--------+ Jumpserver | 192.168.1.66 | | | |
| | CentOS 7 +-----------------------------+ | | |
| | | | | | |
| | | enp7 | | | |
| | | 192.168.0.66 | | | |
| | user/pass +---------------------------------------+ | |
| | opnfv/octopus | | | | |
| | | enp8 | | | |
| | | 172.30.10.72 | | | |
| | +-------------------------------------------------+ |
| | | | | | |
| | | enp9 | | | |
| | | | | | |
| | +----------------------------------------------------------+
| | | | | | |
| +-----------------+ | | | |
| | | | |
| | | | |
| | | | |
| +----------------+ | | | |
| | 1 | | | | |
+-------+ +--------------+-+ | | | |
| | | 2 | | | | |
| | | +--------------+-+ | | | |
| | | | 3 | | | | |
| | | | +--------------+-+ | | | |
| | | | | 4 | | | | |
| +-+ | | +--------------+-+ | | | |
| | | | | 5 +-----------------------+ | | |
| +-+ | | nodes for | | | | |
| | | | deploying +---------------------------------+ | |
| +-+ | opnfv | | | | |
| | | +-------------------------------------------+ |
| +-+ | | | | |
| | +----------------------------------------------------+
| +----------------+ | | | |
| | | | |
| | | | |
| + + + +
POD3
This pod is used for virtual deployments. Each server is connected to separate public subnet (if connected).
| Slot | Public IP | SSH usr/pass | Operating system | IPMI IP | IPMI MAC | IPMI usr/pass | Current Use |
|---|---|---|---|---|---|---|---|
| 1 | N/A | opnfv/octopus | N/A | a8:9d:21: | admin/octopus | Blade failing | |
| 2 | 172.30.11.66 | opnfv/octopus | N/A | a8:9d:21: | admin/octopus | Reinstalling system | |
| 3 | 172.30.12.66 | opnfv/octopus | Ubuntu 14.04.3 | a8:9d:21: | admin/octopus | joid virtual | |
| 4 | 172.30.13.66 | opnfv/octopus | Ubuntu 14.04.3 | a8:9d:21: | admin/octopus | Not in use |
Note: IPMI IPs can be also used for console connection. Use web browser to access them through https (java is required)
