| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
This completes the split of Labicolo into two networks.
Henceforth we have two Labicolo network, and any two
Labicolo nodes on different parts of the network will
have to join LabIX, if they want to peer.
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
I want to split Labicolo up in two networks, since
it is a bit silly that we have a internet exchange
prefix allocation, when all members of the IX are
already connected to the same layer 2 network, when
they all have transit through the same network.
Therefore by splitting Labicolo into 2 networks,
we ensure that there is a need for the internet
exchange, since not all nodes are able to talk
directly to eachother over the transit layer 2
network.
Since it would be a bit excessive to allocate another
/26 to Labicolo, thereby using half of our IPv4 space
for Labicolo.
This patch reduces the the current Labicolo network to
a /27 network, a subsequent patch will then add a
second Labicolo network with the other /27 network.
The only issue here is that Labicolo machines, which
haven't been updated to have a /27 netmask, will not
be able to reach endpoints in 185.38.175.96/27, before
they fix their netmask.
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
|
|
|
|
|
|
systemd mechanics reworked by Esmil
Co-developed-by: Emil Renner Berthing <esmil@labitat.dk>
|
|
Before:
- enp1s0: wan
- enp2s0: lan (with VLANs)
- enp3s0: mgt
Changes in this patch:
- wan is moved to VLAN id 5
- bond0 is created, replacing lan as lower device for VLANs
- mgt config is removed (could be reconfigured as a VLAN, and
made a available on a switch port)
- all 3 ports are enslaved in bond0
From the switch towards the space server load-balance algorithm
src-dst-ip* is used.
From the space server towards the switch L3+L4 is used.
Therefore a single IP pair will always use the same 1G
from the swith to the space server, a client therefore
needs to multiplex over multiple IPs in order to
*) The src-dst-ip algorithm on the switch hasn't been
tested with IPv6 yet. Hopefully we can find a better
switch at some point, so we can include the L4 ports in
the hashing on the switch.
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
Move the Tor exit nodes to their own VLAN, and
their own address space.
Background for move
-------------------
For the first Tor exit node, we where able to
create inet6num object 2a01:4262:1ab:20::71/128.
So we could assign a specific Tor abuse contact.
When we added the second node it was no longer
possible to create /128 inet6num objects, but
only up to /64. We therefore need to move our
Tor exit nodes to a dedicated address space.
Connection tracking
-------------------
Connection tracking is quite expensive, so
it's better to only do it for Tor traffic,
when we actually need it, which is only when
internal clients need to access the servers.
In the future conntrack could also be disabled
for labicolo in general.
Current stats
~~~~~~~~~~~~~
[root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack |
grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l
4071
[root@space ~]# wc -l /proc/net/nf_conntrack
39138 /proc/net/nf_conntrack
Currently 4071 out of 39138 connections are not Tor related.
Also reading /proc/net/nf_conntrack is quite slow atm.:
[root@space ~]# time cat /proc/net/nf_conntrack > /dev/null
real 0m35.097s
user 0m0.010s
sys 0m28.114s
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
|
|
time.cloudflare.com has much lower ping than any of the
default N.fedora.pool.ntp.org servers.
|
|
|
|
|
|
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
Fixes: 78688483 space_server: add Asbjorn's colo addresses and net
|
|
|
|
|
|
|
|
|
|
..rather radvd
|
|
..rather than overriding ExecStart to call
networkd-wait-online with --ignore
|
|
|
|
|
|
|
|
|
|
|
|
..to avoid overlapping /32 announced by DKUUG.
|
|
..to default routes
|
|
The trick to overwriting the ExecStart option is to clear
it first with ExecStart=
|
|
|
|
..on lan interfaces with IPv6
|
|
|
