<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
H<br>
<blockquote cite="mid:000c01cd04fa$dd2cd390$97867ab0$@jrw.co.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">OK, requested ERP5 under Software, and from the
next cron run of slapgrid it is building.</span></p>
</div>
</blockquote>
OK. You can also start the slapgrid-cp command through prompt.<br>
<blockquote cite="mid:000c01cd04fa$dd2cd390$97867ab0$@jrw.co.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Networking /
firewalling:<o:p></o:p></span></p>
<o:p></o:p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">My interpretation of adding a machine to a cloud
system is that the shared storage is made available to the
cloud. This implies two-way traffic, so incoming network
requests. This would require that the local firewall permits
incoming traffic to the node.</span></p>
</div>
</blockquote>
<br>
You are right.<br>
<br>
The provisioning part of VIFIB is designed to be compatible with a
NAT environment and even with a VM and a userland network virtual
interface (in such case, IPv6 is provided through tunnels). The
ideas come from TioLive Grid (
<a
href="http://www.dailymotion.com/video/xd7fy8_tiolive-grid-demo_tech">http://www.dailymotion.com/video/xd7fy8_tiolive-grid-demo_tech</a>).
The goal is to be able to install about any software or cluster of
services behind a NAT or on a corporate network and have all the
parts configured automatically. The current protocol is based on
polling. It will eventually migrate towards a form of long
polling/web socket over HTTP to accelerate things.<br>
<br>
The services which are provisioned by VIFIB can communicate
directly and can keep on running even if VIFIB is down or no longer
accessible (at least this is the design goal). If all services are
located behind your firewall, then you do not need to change any
rules in your firewall. But if you want other services with a global
IPv6 outside your network to communicate with the services in your
network, you will need to open your firewall.<br>
<br>
One use case could be the following: you can define in VIFIB which
friend you want to share your computer with. By sharing computer,
you can install on their server a replica of your ERP5 and they can
use your server to install a replica of their own application (ex. a
Maria database). The automated backup and replication process will
need both computers to be mutually accessible. You will then need to
open your firewall at least for the IPv6 range of your friend. All
this is handled independently of VIFIB. VIFIB tries to be as little
intrusive as possible.<br>
<blockquote cite="mid:000c01cd04fa$dd2cd390$97867ab0$@jrw.co.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">You
also mention this below – ‘One Global IPv6 address to
interconnect all services’?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p><br>
</o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">Looking again, it seems slapgrid is hierarchical,
slaves send requests to the master & the master never
initiates communications with the slave.</span></p>
</div>
</blockquote>
Yes.<br>
<blockquote cite="mid:000c01cd04fa$dd2cd390$97867ab0$@jrw.co.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">Should incoming ipv6 traffic be permitted or not?</span></p>
</div>
</blockquote>
Only if you want other IPv6 services (ex. an IPv4 to IPv6 front end)
to access your ERP5 instance. Else no need.<br>
<blockquote cite="mid:000c01cd04fa$dd2cd390$97867ab0$@jrw.co.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">On
the ipv4 side, what is the network in slapos.cfg used for
– the 10.0.0.0/16? <o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">…<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I’m
guessing that it’s for a tunnel to internal VMs rather
than anything external, but not at all clear.</span><o:p></o:p></p>
</div>
<p class="MsoNormal">You can read this:<br>
<a moz-do-not-send="true"
href="http://www.slapos.org/wiki/osoe-Lecture.SlapOS.Extended/developer-Introducing.SlapOS.Architecture">http://www.slapos.org/wiki/osoe-Lecture.SlapOS.Extended/developer-Introducing.SlapOS.Architecture</a><br>
<br>
It explains. Each instance has:<br>
- one local IPv4 address so that any IPv4 software can be used
<br>
- one global IPv6 address, to interconnect all services
between different hosts<br>
- and use stunnel to forward IPv6 to IPv4 (so that two IPv6
incompatible services can connect to each other through IPv6 in a
secure way)<br>
<br>
<span style="color:#1F497D">I have read that, it is still not
clear.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">If the ipv4 address or subnet given in slapos.cfg
is for local access from other computers, surely it must be
compatible with the local subnet addresses or any other
local machine will try and route via it’s default gateway,
not to the slapos/erp5 machine?</span></p>
</div>
</blockquote>
It is not for local access from other computers. It is only for
loopback access ie. to provide a different IPv4 (non LAN) address to
every process without conflicting with anything else. It also
provides a form of local firewalling (ie. only those services
forwarded by stunnel are open to the world, and go through X509
authentication if needed).<br>
<blockquote cite="mid:000c01cd04fa$dd2cd390$97867ab0$@jrw.co.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">The slapos.cfg ipv4 option is allocating a large
subnet. Assuming these addresses are for local instances,
how should they relate to the existing site
networks/subnets, if at all, or how should routing be
arranged for local ipv4 to the 10. Network instances.</span></p>
</div>
</blockquote>
They should be independent (ie. no overlap).<br>
<blockquote cite="mid:000c01cd04fa$dd2cd390$97867ab0$@jrw.co.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Other
network queries –<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">In
the bridge setup, for a Production server, it mentions
adding eth0 to the bridge config then removing eth0 from
other use:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";background:white">Please
also take note that any interface added to a bridge should no
longer be configured by the system. The configuration file
for that interface should just be removed.</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">This is confusing – if eth0 is otherwise removed,
the machine has no local connectivity??</span></p>
</div>
</blockquote>
The bridge is only required if you want to use services such as
qemu-kvm. For ERP5 it is not required. There is a new option not to
use a bridge (it will be added soon to documentation).<br>
<br>
If you use the bridge, you do not need to use eth0 any longer (as
long as eth0 is part of the bridge). All communication goes through
the bridge.<br>
<br>
It is possible also not to connect any interface to the bridge
(useful for a developer). Here is for example what I am doing for my
own laptop:<br>
<br>
brctl addbr slapbr0<br>
#brctl addif slapbr0 eth0<br>
ip l s dev slapbr0 up<br>
ip a a dev slapbr0 fd00::1/64<br>
<br>
It means that I am creating the bridge but I do not attach it to any
interface.<br>
<br>
Then here is my configuration file (/etc/opt/slapos/slapos.cfg):<br>
<br>
[slapos]<br>
software_root = /opt/slapgrid<br>
instance_root = /srv/slapgrid<br>
master_url = <a class="moz-txt-link-freetext" href="https://slap.vifib.com">https://slap.vifib.com</a><br>
computer_id = COMP-179<br>
key_file = /etc/opt/slapos/key<br>
cert_file = /etc/opt/slapos/certificate<br>
certificate_repository_path = /etc/opt/slapos/pki/<br>
<br>
[slapformat]<br>
computer_xml = /etc/opt/slapos/slapos.xml<br>
log_file = /var/log/slapformat.log<br>
partition_amount = 5<br>
bridge_name = slapbr0<br>
partition_base_name = slappart<br>
user_base_name = slapuser<br>
tap_base_name = slaptap<br>
# You can choose any other local network which does not conflict
with your<br>
# current machine configuration<br>
ipv4_local_network = 10.0.0.0/16<br>
<br>
You can find my own configuration below.<br>
<br>
<blockquote cite="mid:000c01cd04fa$dd2cd390$97867ab0$@jrw.co.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Mention
of stunnel to connect with remote(?) ipv6 systems is also
worrying.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Any
possible extra route (interface. Tunnel etc) for incoming
network traffic should be documented so appropriate firewall
rules can be implemented.<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="margin-left:20.25pt;text-indent:-18.0pt;mso-list:l0
level1 lfo1"><!--[if !supportLists]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span
style="mso-list:Ignore">-<span style="font:7.0pt
"Times New Roman""> </span></span></span><!--[endif]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Eg.
Is it purely local request->remote response, so a
stateful firewall can be used, or will there be unsolicited
remote requests – if so on what ports?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">The tunnel traffic may be encrypted, but without
a firewall the machine is completely exposed and open from
the other end of the tunnel (and anything accessing that
machine).</span></p>
</div>
</blockquote>
It is your choice how you want the server to be used. <br>
<br>
For example, I am myself willing that my own laptop or servers are
exposed to the world through IPv6 because it simplifies a lot
cooperation between people. This is how the Internet was operated in the
early days, everyone having a global IPv4 address and doing some
configuration on his unix machine to define who was allowed or not
to connect (ie. share).<br>
<br>
But you may also want to block any incoming traffic through a
firewall and only allow communication through IPv6 between servers
on your local area network. This use case is also covered because
you can specify in SlapOS requests something like "only use servers
on my LAN to deploy my ERP5 cluster".<br>
<br>
<blockquote cite="mid:000c01cd04fa$dd2cd390$97867ab0$@jrw.co.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">We’ve lost servers in the past due to bugs in
ipv4 firewalls allowing malicious access. I do not believe
it’s safe to leave any form of external interface without a
firewall that permits only required traffic. </span></p>
</div>
</blockquote>
This can be argued in both ways. Anyway, both use cases are possible
with SlapOS. Most corporate networks where SlapOS is deployed block
incoming traffic as you are doing.<br>
<br>
My personal view is that it is more important to have many replicas
of data and applications in different places in the world and make
this replication process as easy as possible - ie. without having to
ask a human being for permission to add some rules to the firewall.
When I read the list of incidents on the Cloud (
<a href="http://iwgcr.wordpress.com/">http://iwgcr.wordpress.com/</a>)
I tend to feel safer by knowing that my data and applications are
replicated somewhere, including somewhere I do not know.<br>
<br>
Maybe VIFIB should provide some APIs so that firewall configuration
could be automated by the processes which are instantiated. This
would be an interesting proof of concept.<br>
<br>
<blockquote cite="mid:000c01cd04fa$dd2cd390$97867ab0$@jrw.co.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">Lastly (for now) – trivia; vifib.net user data
will not accept UK postal codes, it complains they are ‘not
integers’. UK postcodes are alphanumeric with a space before
the last three characters, ie. M1 2AA, A12 4ZZ, DN11 1DD</span></p>
</div>
</blockquote>
Thank you so much.<br>
<br>
Regards,<br>
<br>
JPS.<br>
<blockquote cite="mid:000c01cd04fa$dd2cd390$97867ab0$@jrw.co.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Robert.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Erp5-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Erp5-users@erp5.org">Erp5-users@erp5.org</a>
<a class="moz-txt-link-freetext" href="https://mail.tiolive.com/mailman/listinfo/erp5-users">https://mail.tiolive.com/mailman/listinfo/erp5-users</a>
</pre>
</blockquote>
<br>
lo Link encap:Boucle locale <br>
inet adr:127.0.0.1 Masque:255.0.0.0<br>
adr inet6: ::1/128 Scope:Hôte<br>
UP LOOPBACK RUNNING MTU:16436 Metric:1<br>
Packets reçus:1636991 erreurs:0 :0 overruns:0 frame:0<br>
TX packets:1636991 errors:0 dropped:0 overruns:0 carrier:0<br>
collisions:0 lg file transmission:0 <br>
Octets reçus:324181240 (324.1 MB) Octets
transmis:324181240 (324.1 MB)<br>
<br>
slapbr0 Link encap:Ethernet HWaddr 02:71:7e:16:7f:d4 <br>
inet adr:10.0.245.209 Bcast:0.0.0.0
Masque:255.255.255.255<br>
adr inet6: XXXX::XXXX/64 Scope:Global<br>
adr inet6: XXXX::XXXX/64 Scope:Global<br>
adr inet6: XXXX::XXXX/64 Scope:Global<br>
adr inet6: fe80::44cb:95ff:feab:876/64 Scope:Lien<br>
adr inet6: XXXX::XXXX/64 Scope:Global<br>
adr inet6: XXXX::XXXX/64 Scope:Global<br>
adr inet6: XXXX::XXXX/64 Scope:Global<br>
UP BROADCAST MULTICAST MTU:1500 Metric:1<br>
Packets reçus:0 erreurs:0 :0 overruns:0 frame:0<br>
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0<br>
collisions:0 lg file transmission:0 <br>
Octets reçus:0 (0.0 B) Octets transmis:1566 (1.5 KB)<br>
<br>
slaptap0 Link encap:Ethernet HWaddr 1e:44:46:f5:00:42 <br>
UP BROADCAST MULTICAST MTU:1500 Metric:1<br>
Packets reçus:0 erreurs:0 :0 overruns:0 frame:0<br>
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br>
collisions:0 lg file transmission:500 <br>
Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)<br>
<br>
slaptap1 Link encap:Ethernet HWaddr 5e:9b:6c:e9:8c:20 <br>
UP BROADCAST MULTICAST MTU:1500 Metric:1<br>
Packets reçus:0 erreurs:0 :0 overruns:0 frame:0<br>
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br>
collisions:0 lg file transmission:500 <br>
Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)<br>
<br>
slaptap2 Link encap:Ethernet HWaddr 2e:37:f1:d2:eb:bf <br>
UP BROADCAST MULTICAST MTU:1500 Metric:1<br>
Packets reçus:0 erreurs:0 :0 overruns:0 frame:0<br>
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br>
collisions:0 lg file transmission:500 <br>
Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)<br>
<br>
slaptap3 Link encap:Ethernet HWaddr 02:71:7e:16:7f:d4 <br>
UP BROADCAST MULTICAST MTU:1500 Metric:1<br>
Packets reçus:0 erreurs:0 :0 overruns:0 frame:0<br>
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br>
collisions:0 lg file transmission:500 <br>
Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)<br>
<br>
slaptap4 Link encap:Ethernet HWaddr ba:d4:05:d9:98:c7 <br>
UP BROADCAST MULTICAST MTU:1500 Metric:1<br>
Packets reçus:0 erreurs:0 :0 overruns:0 frame:0<br>
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br>
collisions:0 lg file transmission:500 <br>
Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)<br>
<br>
wlan0 Link encap:Ethernet HWaddr 74:de:2b:e9:40:ea <br>
inet adr:192.168.0.14 Bcast:192.168.0.255
Masque:255.255.255.0<br>
adr inet6: 2a01:e35:8aad:5eb0:76de:2bff:fee9:40ea/64
Scope:Global<br>
adr inet6: fe80::76de:2bff:fee9:40ea/64 Scope:Lien<br>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
Packets reçus:507007 erreurs:0 :0 overruns:0 frame:0<br>
TX packets:285219 errors:0 dropped:0 overruns:0 carrier:0<br>
collisions:0 lg file transmission:1000 <br>
Octets reçus:442895079 (442.8 MB) Octets transmis:58519015
(58.5 MB)<br>
<br>
<br>
<br>
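Added example, not part of the original mail and not SlapOS code: a small Python check for the two networking points discussed above, that <code>ipv4_local_network</code> in slapos.cfg is a private range with room for <code>partition_amount</code> addresses and that it does not overlap any site LAN subnet (so other LAN hosts never route that range to their default gateway instead of this node). The interface subnets are read from ifconfig-style output like the listing above; the parser accepts the French labels shown there (adr/Masque) as well as the English ones (addr/Mask). The sample config and interface listing are constructed from the values in this mail, and the function names are mine.<br>

```python
"""Check that ipv4_local_network in slapos.cfg does not overlap the site LAN.

Added example, not SlapOS code. The [slapformat] keys are the ones quoted
in the mail; the ifconfig parser accepts the French labels shown there
(adr/Masque) as well as the English ones (addr/Mask).
"""
import configparser
import ipaddress
import re

# Constructed sample: the [slapformat] keys quoted in the mail.
SAMPLE_CFG = """\
[slapos]
software_root = /opt/slapgrid
instance_root = /srv/slapgrid

[slapformat]
partition_amount = 5
bridge_name = slapbr0
ipv4_local_network = 10.0.0.0/16
"""

# Constructed sample mirroring the ifconfig listing in the mail:
# loopback, the bridge carrying one address of the local range, and the LAN.
SAMPLE_IFCONFIG = """\
lo        Link encap:Boucle locale
          inet adr:127.0.0.1  Masque:255.0.0.0

slapbr0   Link encap:Ethernet  HWaddr 02:71:7e:16:7f:d4
          inet adr:10.0.245.209  Bcast:0.0.0.0  Masque:255.255.255.255

wlan0     Link encap:Ethernet  HWaddr 74:de:2b:e9:40:ea
          inet addr:192.168.0.14  Bcast:192.168.0.255  Mask:255.255.255.0
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap")
ADDR_RE = re.compile(r"inet (?:adr|addr):(\d+\.\d+\.\d+\.\d+)")
MASK_RE = re.compile(r"(?:Masque|Mask):(\d+\.\d+\.\d+\.\d+)")


def parse_ifconfig(text):
    """Map interface name to its IPv4 network, for interfaces that have one."""
    blocks, name = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:                      # a new interface starts in column 0
            name = m.group(1)
            blocks[name] = ""
        elif name:                 # indented detail lines belong to it
            blocks[name] += line + "\n"
    nets = {}
    for iface, body in blocks.items():
        addr, mask = ADDR_RE.search(body), MASK_RE.search(body)
        if addr and mask:
            nets[iface] = ipaddress.ip_interface(
                f"{addr.group(1)}/{mask.group(1)}").network
    return nets


def load_slapformat(cfg_text):
    """Read the keys this check needs from the [slapformat] section."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    sec = cp["slapformat"]
    return {
        "bridge_name": sec["bridge_name"],
        "partition_amount": sec.getint("partition_amount"),
        "ipv4_local_network": ipaddress.ip_network(sec["ipv4_local_network"]),
    }


def check_local_network(cfg_text, ifconfig_text):
    """Return a list of problems; an empty list means the range is usable."""
    cfg = load_slapformat(cfg_text)
    local = cfg["ipv4_local_network"]
    problems = []
    if not local.is_private:
        problems.append(f"{local} is not a private (RFC 1918) range")
    # every partition gets one local IPv4 address, so the range must hold them
    if cfg["partition_amount"] > local.num_addresses:
        problems.append(f"{local} is too small for {cfg['partition_amount']} partitions")
    for iface, net in parse_ifconfig(ifconfig_text).items():
        # the bridge carries the local range by design, and 127/8 never clashes
        if iface == cfg["bridge_name"] or net.is_loopback:
            continue
        if local.overlaps(net):
            problems.append(
                f"{local} overlaps {iface} ({net}): other LAN hosts would send "
                f"that range to their default gateway, not to this node")
    return problems


if __name__ == "__main__":
    report = check_local_network(SAMPLE_CFG, SAMPLE_IFCONFIG)
    print("\n".join(report) or "ipv4_local_network is independent of the site LAN")
```

Run it as is to see the constructed sample pass; feed it the real /etc/opt/slapos/slapos.cfg and the output of ifconfig to check a node before slapformat creates the partitions. The bridge is skipped on purpose: the address it shows (10.0.245.209 above) is taken from the local range itself, so a match there is expected, not a conflict.<br>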
</body>
</html>