[Erp5-users] Installation problem - missing template.cfg

Robert Jenkins raj at jrw.co.uk
Sun Mar 18 12:32:55 CET 2012


Hi,

OK, requested ERP5 under Software, and from the next cron run of slapgrid it
is building.

[I've removed all non-relevant bits of previous posts]

Networking / firewalling:

----

I've set it to also permit incoming tcp & udp traffic to my test machine on
port 1024, but after realising that vifib is showing a completely different
target address, I'm thoroughly confused.

I do not understand.



My interpretation of adding a machine to a cloud system is that the shared
storage is made available to the cloud. This implies two-way traffic, so
incoming network requests. This would require that the local firewall
permits incoming traffic to the node.

You also mention this below - 'One Global IPv6 address to interconnect all
services'?

Looking again, it seems slapgrid is hierarchical, slaves send requests to
the master & the master never initiates communications with the slave.

Should incoming ipv6 traffic be permitted or not?

-----

On the ipv4 side, what is the network in slapos.cfg used for - the
10.0.0.0/16?

I'm guessing that it's for a tunnel to internal VMs rather than anything
external, but not at all clear.

You can read this:
http://www.slapos.org/wiki/osoe-Lecture.SlapOS.Extended/developer-Introducing.SlapOS.Architecture

It explains. Each instance has:
- one local IPv4 address so that any IPv4 software can be used 
- one global IPv6 address, to interconnect all services between different
hosts
- and use stunnel to forward IPv6 to IPv4 (so that two IPv6-incompatible
services can connect to each other through IPv6 in a secure way)

I have read that, it is still not clear.

If the ipv4 address or subnet given in slapos.cfg is for local access from
other computers, surely it must be compatible with the local subnet
addresses or any other local machine will try and route via its default
gateway, not to the slapos/erp5 machine?

The slapos.cfg ipv4 option is allocating a large subnet. Assuming these
addresses are for local instances, how should they relate to the existing
site networks/subnets, if at all, or how should routing be arranged for
local ipv4 to the 10. network instances?

Other network queries -

In the bridge setup, for a Production server, it mentions adding eth0 to the
bridge config then removing eth0 from other use:

Please also take note that any interface added to a bridge should no longer
be configured by the system. The configuration file for that interface
should just be removed.

This is confusing - if eth0 is otherwise removed, the machine has no local
connectivity??

Mention of stunnel to connect with remote(?) ipv6 systems is also worrying.

Any possible extra route (interface, tunnel etc.) for incoming network
traffic should be documented so appropriate firewall rules can be
implemented.

- E.g. is it purely local request->remote response, so a stateful
firewall can be used, or will there be unsolicited remote requests - if so
on what ports?

The tunnel traffic may be encrypted, but without a firewall the machine is
completely exposed and open from the other end of the tunnel (and anything
accessing that machine).

We've lost servers in the past due to bugs in ipv4 firewalls allowing
malicious access. I do not believe it's safe to leave any form of external
interface without a firewall that permits only required traffic.

Lastly (for now) - trivia; vifib.net user data will not accept UK postal
codes, it complains they are 'not integers'. UK postcodes are alphanumeric
with a space before the last three characters, i.e. M1 2AA, A12 4ZZ, DN11 1DD

Regards,

Robert.

 
