
VM setup

For the test and QA platforms, as well as for the initial pilot platform, the generic setup described below will be used.


VM pairs

A total of 3 pairs of VMs (6 in total) is allocated.

Each pair has a distinct role in the setup:

  • The LB* pair of nodes handles load balancing and HTTPS termination. LB nodes do not share any state.
  • The COAA* pair of nodes provides the vhosts for COmanage, the SAML AA and VOOT, and has a MySQL database which runs in master/master configuration. COAA nodes share state through the MySQL database.
  • The TEIP* pair of nodes provides the vhost for the TEIP service and has a MySQL database which runs in master/master configuration. TEIP nodes share state through the MySQL database.

VM naming

Technical names

The VMs have technical names that are independent of the physical platform they are deployed on. This is done by setting CNAMEs for the various components that point to the physical instances.

Technical names use the *.vopaas.geant.org subdomain and carry a prefix depending on the platform: DEV, TEST or PILOT.

Technical names are used as deployment targets and in logging.


| VM name (CNAME for VM platform name)      | IPv4 address | IPv6 address | VM platform name                |
|-------------------------------------------|--------------|--------------|---------------------------------|
| lb1.{dev|test|pilot}.vopaas.geant.org     | tbd          | tbd          | something.okeanos.gr            |
| lb2.{dev|test|pilot}.vopaas.geant.org     | tbd          | tbd          | ip.vms.niif.hu                  |
| ns1.{dev|test|pilot}.vopaas.geant.org     | tbd          | tbd          | somebox.pt-27.utr.surfcloud.nl  |
| ns2.{dev|test|pilot}.vopaas.geant.org     | tbd          | tbd          | etc                             |
| coaa1.{dev|test|pilot}.vopaas.geant.org   | tbd          | tbd          | ...                             |
| coaa2.{dev|test|pilot}.vopaas.geant.org   | tbd          | tbd          | ...                             |
| teip1.{dev|test|pilot}.vopaas.geant.org   | tbd          | tbd          | ...                             |
| teip2.{dev|test|pilot}.vopaas.geant.org   | tbd          | tbd          | ...                             |

Functional names

Functional names use the eduteams.org domain. 

A srv.{dev|test|pilot}.eduteams.org subdomain is delegated to the DNS nameservers that live on lb*.{dev|test|pilot}.vopaas.geant.org. This srv.* zone holds the authoritative nameserver for DNS requests for the various platforms {dev|test|pilot}.

It serves CNAMEs for the functional hosts, telling the proxy on lb* which node to query to deliver the service response.

| Functional name                        | Target                                     |
|----------------------------------------|--------------------------------------------|
| comanage.{dev|test|pilot}.eduteams.org | coaa{1|2}.{dev|test|pilot}.vopaas.geant.org |
| aa.{dev|test|pilot}.eduteams.org       | coaa{1|2}.{dev|test|pilot}.vopaas.geant.org |
| voot.{dev|test|pilot}.eduteams.org     | coaa{1|2}.{dev|test|pilot}.vopaas.geant.org |
| idhub.{dev|test|pilot}.eduteams.org    | teip{1|2}.{dev|test|pilot}.vopaas.geant.org |

By tying the DNS configuration on the LB nodes to the availability of the technical infrastructure, the LB only ever proxies to vhosts that are actually available.


Access to services

For access to the services, the only ports exposed on the load balancers are HTTPS/443 and DNS/53.

The load balancers proxy HTTP traffic to and from the other vhosts on the VMs on port 80, and only for their own platform (dev/test/pilot).

Access to VMs

All non-public access goes via a bastion host.

Access to port 80 is restricted to the LB nodes and the bastion host.

Access to ports 22, 443 and 3306 is restricted to the bastion host.
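The access rules above, expressed as a host firewall for one COAA node. This is an added example, not configuration from the project: the addresses are placeholders (the page lists the IPs as "tbd"), and the rule that admits port 3306 from the peer COAA node is an assumption derived from the MySQL master/master replication described in the VM pairs section.

```nft
#!/usr/sbin/nft -f
# Host firewall for coaa1.test.vopaas.geant.org (added example).
# All addresses below are placeholders; replace them with the real
# technical-name IPs once they are no longer "tbd".
flush ruleset

define bastion_v4 = 192.0.2.10                  # bastion host (placeholder)
define lb_v4      = { 192.0.2.21, 192.0.2.22 }  # lb1/lb2 of the same platform (placeholder)
define peer_v4    = 192.0.2.32                  # coaa2, MySQL master/master peer (placeholder)

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Port 80 (HTTP backend): only the LB nodes of this platform and the bastion
        ip saddr $lb_v4 tcp dport 80 accept

        # Ports 22, 443 and 3306 (plus 80): bastion host only
        ip saddr $bastion_v4 tcp dport { 22, 80, 443, 3306 } accept

        # Assumption: master/master replication needs 3306 between the pair too
        ip saddr $peer_v4 tcp dport 3306 accept

        # Everything else (including any DNS/53 or direct HTTPS attempt on this
        # node) is logged at a bounded rate and dropped by the chain policy
        limit rate 5/minute log prefix "coaa-input-drop: "
    }
}
```

The same rules need to be duplicated with `ip6 saddr` once the IPv6 addresses are assigned, and the `lb_v4` set must only contain the LB nodes of the same platform so that dev, test and pilot stay isolated from each other.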
