The ansible configuration scripts have done quite a bit of installation of software and configuring to help build your virtualized training platform. Here are a few items we will take a look at:
Log in on your MacMini (if you are not already logged in) and take a look at how your network is now configured:
$ ifconfig br-wan
$ ifconfig br-lan
$ brctl showYou should see the external IP of your MacMini on the "br-wan" entry. This is associated with your eth1 interface, or the USB to Ethernet dongle on your machine.
On the br-lan interface you will see the statically assigned address of 10.10.0.241 that represents your MacMini to your virtualized environment. In the DNS this IP represents s1.ws.nsrc.org. This interface is associated your eth0 interface, or the built-in NIC on your MacMini.
To view where these interfaces are configured take a look at the following files:
$ less /etc/network/interfaces.d/br-wan.cfg
$ less /etc/network/interfaces.d/br-lan.cfgYou should see that the eth1 physical interface is being bridged to the br-wan interface. This will work if your outside interface is a public IP, is a private IP or is obtained via DHCP.
This file is much larger, so you should look at it on your own.
The configuration is more complex, but if you look you'll see that eth0 is bridged to br-lan, and the br-lan interface has a static IP address assigned as well as multiple routes for our various workshop topologies. In addition for the br-lan interface configuration you can see the bridge_ports option that maps the TAP interfaces to allow our virtual routers to attach to our backbone network on one of their network interfaces. By definition a "TAP (namely network tap) simulates a link layer device and it operates with layer 2 packets like Ethernet frames."
We use the iptables firewall facility in linux to do masquerading - that is NAT with no firewall rules applied to our traffic. You could apply rules if you want, but we just want our MacMini to pass all traffic from the outside address (br-wan) destined to 10.0.0.0/8 address on our internal network to be passed along. And, andy traffic outside of the 10.0.0.0/8 network range to go out the br-wan interface.
You can view our iptables rules in the file /etc/iptables/rules.v4:
$ less /etc/iptables/rules.v4These rules are loaded in to iptables at system start time.
To enable forwarding for ipv4 on our network interfaces you need to issue the command:
$ sudo sysctl net.ipv4.ip_forwardYou can see this setting in the file /etc/sysctl.conf
$ cat /etc/sysctl.confOr, to just find the line:
$ grep net.ipv4.ip_forward /etc/sysctl.confYou can view the configuration of the DHCP server in the directory /etc/dhcp. The order in which the DHCP server configuration files are read is:
dhcpd.conf
dhcpd.local.conf
dhcpd.ws.conf
dhcpd.nmm.conf
dhcpd.svc.confFollow through the files using less to see what they are doing. That is:
$ less /etc/dhcp/dhcpd.conf
$ less /etc/dhcp/dhcpd.local.conf
$ less /etc/dhcp/dhcpd.ws.conf
$ less /etc/dhcp/dhcpd.nmm.conf
$ less /etc/dhcp/dhcpd.svc.confEssentially the configuration is set up like this:
DNS is configured in two locations. You can see the general DNS configuration directives in the /etc/bind directory. The configuration is fairly complex so we'll discuss this during class for a few minutes. If you wish to see where hostname IP addresses are defined look in:
$ less /etc/bind/db.ws.nsrc.orgYou should note that the hostname and IP addresses match what you saw in the DHCP configuration. This is how we can ensure that IP and hostnames stay constant for our workshops. The reverse DNS information is configured in the file db.10.10.in-addr.arpa:
$ less /etc/bind/db.10.10.in-addr.arpaIn addition to defining IPs for hostnames we use dynamic dns to push the IP of your Mac Mini's name kitX.lab.nsrc.org to our dns server on nsrc.org so that it become visible in the public Internet in an automated fashion. In some cases you may not be allowed to use port 53 on some networks. The majority of the bind configuration is in the file:
$ less /etc/bind/named.conf.optionsHere you can see what subnets our server will respond to:
allow-recursion {
                127.0.0.1;
                ::1;
                10.0.0.0/8;
                172.16.0.0/12;
                192.168.0.0/16;
        };What to do if dnssec is broken on the network where you are working:
        # If you are somewhere where filtering breaks DNSSEC use this
        # dnssec-validation no;
        dnssec-validation auto;and, detailed logging configuration for bind. If you would like to view the bind logging files they are in /var/log/named and include the file:
dnssec
general
notify
query
transfersTry viewing some of these file using less to see the type of information that is provided.
To finish we can practice pulling the workshop-kit Git repository to see if any changes have been made. This is good practice to do from time to time:
$ cd /home/nsrc/workshop-kit
$ git pullIf prompted for a username or password provide what you used when you first cloned the workshop-kit Git repository in our prior excerises.