Network Architecture

CloudCIX Networks

There are four network types used in CloudCIX deployments.

  1. Public Link Networks

  2. Management Networks

  3. OOB Network

  4. Private Networks

Network Construction

The following table lists the network technologies used in constructing CloudCIX networks, and what each technology is used for on the PodNet Appliance and on the Hosts.

Netplan (a wrapper for IP commands)

  PodNet Appliance

    Used by Pod Install to bring the PodNet appliance to a reachable state via the Management Network (and hence reachable by Robot):

      1. Hardware Interfaces

      2. Static Routes

      3. Initial Floating Bridge

    Used by Robot to build:

      1. Floating Bridges

      2. The default NF Tables ruleset

  Hosts

    Pod Install is not used for Hosts; a manual Netplan configuration is set up to make the Host reachable.

    Used by Robot to build:

      1. VLAN Bridges

Virsh

  PodNet Appliance

    Not used.

  Hosts

    Used by Robot to build:

      1. VMs

        • CPU

        • HDD/SSD

        • RAM

        • VLAN Bridge connection

      2. GPU Attach

      3. Snapshot

      4. Backups

IP Commands

  PodNet Appliance

    Used by Robot to build:

      1. Network Namespaces

      2. VLAN Bridges

      3. Veth Interfaces

      4. NF Tables rulesets run inside the Namespaces

  Hosts

    Not used.

NF Tables

  PodNet Appliance

    Used first by Pod Install, then by Robot.

  Hosts

    Not used.

strongSwan

  PodNet Appliance

    Used by Robot.

  Hosts

    Not used.

Key Pair Management

Public and private key pairs are used in CloudCIX to facilitate secure automation. The PAT is responsible for generating its own key pair, retrieving the key pairs of other Pods, and managing and backing up all key pairs. Because the PAT therefore holds the private key of every adopted Pod, the PAT and its offline backups need protection at least as strong as that of the appliances whose keys they hold.

Every Pod has a key pair. The files containing the public and private keys are…

  • Private Key: id_rsa

  • Public Key: id_rsa.pub

The general rules for Key Distribution are:

  1. The Private Key is generated on the appliance on initial install.

  2. The appliance key pair of a Pod is copied to the PAT during adoption for backup purposes.

  3. If an appliance is being recovered the private key is copied from PAT to the appliance.

  4. All key pairs stored on the PAT are backed up offline to allow recovery of the PAT.

Flavor Functionality

Key utilisation, by Pod flavour (where each flavour’s Public Key is installed, and why):

PAT

  • In adopted COP and Region appliances, to allow retrieval of their private keys.

COP

  • In adopted Region PodNet Appliances, to allow logs to be collected for tenant VRFs.

  • In the COP PodNet Appliance, to apply initial configuration.

Region

  • In all Hosts in the Region, to allow Robot to build infrastructure.

  • In the Region PodNet Appliance, to allow initial configuration and to allow Robot to configure tenant VRFs.

Key Pair Orchestration

Setting up a Pod

  1. The Pod Application generates a Key Pair in the folder /home/administrator/.ssh

  2. If the Pod is a COP or a Region, during first boot the CIDATA installs the Public Key of the PAT user “pat” in /home/administrator/.ssh/authorized_keys, so that the PAT can log in.

  3. The PAT retrieves the Pod appliance’s Public/Private Key pair and stores it as a backup in the event of appliance failure.

Adopt a COP

  1. The PAT retrieves the COP appliance’s Public/Private Key pair and stores it as a backup in the event of appliance failure.

Adopt a Region

  1. The PAT retrieves the Region appliance’s Public/Private Key pair and stores it as a backup in the event of appliance failure.

Adopt a Host

  1. The Pod Application installs the Region Public Key on each Host, for the user “robot”, under /home/administrator/.ssh

Recover a COP

  1. The COP retrieves its CIDATA files from the PAT.

  2. The PAT copies the backed-up COP Public/Private Keys to the new instance of the COP, storing them in /home/administrator/.ssh/

Recover a Region

  1. The Region retrieves its CIDATA files from the PAT.

  2. The PAT copies the backed-up Region Public/Private Keys to the new instance of the Region, storing them in /home/administrator/.ssh/

IPv6 Networking

All Pods

Each Pod is allocated a /48 Subnet (a:b:c::/48).

The first /64 is assigned for Management of Hosts within the Pod (a:b:c::/64).

A /64 is assigned for Docker Management within the Pod (a:b:c:d0c6::/64).

Pods that have a blend with a Region flavour

Each network within a Project can, if required by the User, be assigned a /64 (a:b:c:1::/64 - a:b:c:feff::/64).

The last /56 is allocated for up to 256 link subnets (a:b:c:ff00::/56). These link subnets are used to route Project assignments to the correct Namespace.

The 1st Link Subnet is a:b:c:ff00::/64, with a:b:c:ff00::1 assigned to an interface on the Region Border Namespace.

The 256th Link Subnet is a:b:c:ffff::/64, with a:b:c:ffff::1 assigned to an interface on the Region Border Namespace.
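The addressing plan above, carried through with Python’s ipaddress module. This is an added worked example, not CloudCIX’s own code: the Pod prefix 2001:db8:1::/48 is a constructed documentation prefix, the functions index /64s by their fourth hextet (the “d” in the page’s a:b:c:d:: notation), and the allocator for Project /64s deliberately skips the Docker /64 because 0xd0c6 lies numerically inside the 1..feff Project range.

```python
import ipaddress

# Roles of the /64s inside a Pod's /48, indexed by the fourth hextet (the "d" in a:b:c:d::/64).
MANAGEMENT_INDEX = 0x0000                      # a:b:c::/64       Management of Hosts
DOCKER_INDEX = 0xd0c6                          # a:b:c:d0c6::/64  Docker Management
PROJECT_FIRST, PROJECT_LAST = 0x0001, 0xfeff   # Project network /64s
LINK_FIRST, LINK_LAST = 0xff00, 0xffff         # the last /56: 256 link subnets


def pod_network(pod_prefix: str) -> ipaddress.IPv6Network:
    """Parse a Pod allocation and insist that it really is a /48."""
    pod = ipaddress.IPv6Network(pod_prefix)
    if pod.prefixlen != 48:
        raise ValueError(f"a Pod allocation is a /48, got /{pod.prefixlen}")
    return pod


def sixty_four(pod: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """The index-th /64 inside the Pod (index is the fourth hextet, 0..0xffff)."""
    if not 0 <= index <= 0xffff:
        raise ValueError("a /48 holds exactly 65536 /64s")
    return ipaddress.IPv6Network((int(pod.network_address) + (index << 64), 64))


def index_of(pod: ipaddress.IPv6Network, address: str) -> int:
    """Fourth hextet of an address relative to the Pod; rejects addresses outside the Pod."""
    addr = ipaddress.IPv6Address(address)
    if addr not in pod:
        raise ValueError(f"{addr} is not in Pod {pod}")
    return (int(addr) - int(pod.network_address)) >> 64


def link_subnet(pod: ipaddress.IPv6Network, k: int):
    """The k-th link subnet (1..256) and the ::1 address held by the Region Border Namespace."""
    if not 1 <= k <= 256:
        raise ValueError("only 256 link subnets fit in the /56")
    net = sixty_four(pod, LINK_FIRST + k - 1)
    return net, net.network_address + 1


def classify(pod: ipaddress.IPv6Network, address: str) -> str:
    """Which part of the plan an address belongs to: management, docker, link or project."""
    index = index_of(pod, address)
    if index == MANAGEMENT_INDEX:
        return "management"
    if index == DOCKER_INDEX:
        return "docker"
    if LINK_FIRST <= index <= LINK_LAST:
        return "link"
    return "project"


def allocate_project_network(pod: ipaddress.IPv6Network, in_use) -> ipaddress.IPv6Network:
    """First free Project /64, given the /64s already assigned (as prefix strings).

    The Docker /64 sits inside the Project range, so it is skipped explicitly
    (an assumption of this example; the page does not spell this out).
    """
    taken = {index_of(pod, str(ipaddress.IPv6Network(n).network_address)) for n in in_use}
    for index in range(PROJECT_FIRST, PROJECT_LAST + 1):
        if index != DOCKER_INDEX and index not in taken:
            return sixty_four(pod, index)
    raise RuntimeError(f"no free Project /64 left in {pod}")
```

link_subnet returns both the /64 and the ::1 address, which is what the Region Border Namespace interface needs; classify is the check to run on any address seen in a tenant namespace before trusting that it belongs where it claims to.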

VLAN Assignment

  Range          Reserved For

  1 - 999        CloudCIX system use (recommended: VLAN 10 for the Management Network)

  1000 - 2999    Project Networks

  3000 - 3499    Member Owned Intra Region Shared Networks

  3500 - 3999    Member Owned Inter Region Shared Networks

A single VLAN can contain one private RFC 1918 address range and one IPv6 /64 range, each of which has a Gateway. A VM has one interface for each Network it is connected to, and the VM owner must select exactly one of those interfaces as the Default Gateway.
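The VLAN table and the paragraph above as a validation routine. This is an added example, not CloudCIX’s own code: it checks a proposed Project Network against the VLAN ranges, against RFC 1918 membership (ipaddress’s is_private would also accept 100.64.0.0/10 and other special-use blocks, so the three RFC 1918 blocks are listed explicitly), against gateway placement, and checks a VM’s interface list for the one-Default-Gateway rule. The Pod prefix and sample addresses are constructed.

```python
import ipaddress

# VLAN ranges from the assignment table (IDs 4000-4094 are not covered by the table).
VLAN_RANGES = (
    (1, 999, "CloudCIX system use"),
    (1000, 2999, "Project Networks"),
    (3000, 3499, "Member Owned Intra Region Shared Networks"),
    (3500, 3999, "Member Owned Inter Region Shared Networks"),
)
MANAGEMENT_VLAN = 10

# Exactly the RFC 1918 blocks; ipaddress.is_private is broader than RFC 1918.
RFC1918 = tuple(ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def vlan_purpose(vlan_id: int) -> str:
    """Reserved use of a VLAN ID; 802.1Q permits 1..4094."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN {vlan_id} is not a valid 802.1Q VLAN ID")
    for low, high, purpose in VLAN_RANGES:
        if low <= vlan_id <= high:
            return purpose
    return "unassigned"


def _gateway_errors(network, gateway: str) -> list:
    """A gateway must be a usable host address inside its own network."""
    gw = ipaddress.ip_address(gateway)
    if gw.version != network.version:
        return [f"gateway {gw} is not an IPv{network.version} address"]
    if gw not in network:
        return [f"gateway {gw} is not inside {network}"]
    if gw == network.network_address:
        return [f"gateway {gw} is the network address of {network}"]
    if network.version == 4 and gw == network.broadcast_address:
        return [f"gateway {gw} is the broadcast address of {network}"]
    return []


def validate_project_network(vlan_id: int, ipv4_cidr: str, ipv4_gateway: str,
                             ipv6_cidr: str, ipv6_gateway: str, pod_prefix: str) -> list:
    """Return every problem found with a proposed Project Network (empty list means acceptable)."""
    errors = []
    purpose = vlan_purpose(vlan_id)
    if purpose != "Project Networks":
        errors.append(f"VLAN {vlan_id} is reserved for {purpose}, not Project Networks")

    v4 = ipaddress.IPv4Network(ipv4_cidr)
    if not any(v4.subnet_of(block) for block in RFC1918):
        errors.append(f"{v4} is not an RFC 1918 range")
    errors += _gateway_errors(v4, ipv4_gateway)

    v6 = ipaddress.IPv6Network(ipv6_cidr)
    pod = ipaddress.IPv6Network(pod_prefix)
    if v6.prefixlen != 64:
        errors.append(f"{v6} must be a /64")
    if not v6.subnet_of(pod):
        errors.append(f"{v6} is outside the Pod allocation {pod}")
    errors += _gateway_errors(v6, ipv6_gateway)
    return errors


def validate_vm_interfaces(interfaces: list) -> list:
    """interfaces: [{"vlan": 1001, "default_gateway": True}, {"vlan": 1002}, ...].

    One interface per Network (so no VLAN twice), and exactly one interface
    chosen by the VM owner as the Default Gateway.
    """
    errors = []
    vlans = [i["vlan"] for i in interfaces]
    if len(set(vlans)) != len(vlans):
        errors.append("a VM has one interface per Network; a VLAN appears more than once")
    defaults = sum(1 for i in interfaces if i.get("default_gateway"))
    if defaults != 1:
        errors.append(f"exactly one interface must be the Default Gateway, found {defaults}")
    return errors
```

Returning the full list of problems rather than stopping at the first makes the routine usable as a pre-flight check in an orchestration step: the caller decides whether to refuse the Network or surface the list to the User.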

Cloud-Init Metadata Servers

Cloud-Init Metadata services are implemented by PodNet in CloudCIX.

Network isolation in CloudCIX is implemented using Linux Network Namespaces. If a Network is used as the Default Gateway by one or more VMs that can use Cloud-Init, then that Network’s Namespace contains a Metadata Server running on NGINX. Cloud-Init metadata is always served read-only from the IP address 169.254.169.254. Each VM requiring metadata has a route to the Metadata Server added on its Default Gateway interface. NGINX acts as a reverse proxy and uses the request’s source address to determine which VM’s metadata to return. Because the source address is the only selector, the metadata a VM can obtain is only as well isolated as the Namespace’s NF Tables rules that stop one VM from sending traffic with another VM’s address.
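The dispatch described above, rendered as a generator for the per-Namespace NGINX configuration plus the route each VM needs. This is an added example, not PodNet’s own configuration or code: the layout in which every VM’s metadata is served by its own backend on the unix socket /run/metadata/<namespace>/<vm_name>.sock is hypothetical, and the Namespace name, gateway and VM addresses are constructed. What it does show is the page’s mechanism: a map on $remote_addr selects the backend, an unknown source address gets nothing, only GET and HEAD are accepted, and a VM that is not on the Network behind the gateway is rejected before any configuration is written.

```python
import ipaddress
import re

METADATA_IP = "169.254.169.254"
_NAME = re.compile(r"^[A-Za-z0-9_]+$")   # safe both as an nginx upstream name and as a file name


def check_vms(gateway_cidr: str, vms: dict) -> list:
    """Problems with a {vm_name: vm_ip} inventory for the Network whose gateway is gateway_cidr.

    Only VMs on that Network can reach this Namespace's metadata server through their
    Default Gateway, and source-address dispatch requires every address to be unique.
    """
    gateway = ipaddress.ip_interface(gateway_cidr)
    errors, seen = [], {}
    for name, ip in vms.items():
        if not _NAME.match(name):
            errors.append(f"{name!r} is not a safe identifier")
        addr = ipaddress.ip_address(ip)
        if addr not in gateway.network:
            errors.append(f"{name}: {addr} is not on {gateway.network}")
        if addr in seen:
            errors.append(f"{name} and {seen[addr]} share {addr}; dispatch would be ambiguous")
        seen[addr] = name
    return errors


def metadata_nginx_config(namespace: str, gateway_cidr: str, vms: dict) -> str:
    """Render the NGINX configuration for the metadata server in one Network Namespace.

    Hypothetical layout (assumption of this example): each VM's metadata backend listens
    on /run/metadata/<namespace>/<vm_name>.sock and NGINX reverse-proxies to it.
    """
    errors = check_vms(gateway_cidr, vms)
    if errors:
        raise ValueError("; ".join(errors))
    map_lines = "\n".join(f"    {ip} {name};" for name, ip in sorted(vms.items()))
    upstreams = "\n".join(
        f"upstream {name} {{ server unix:/run/metadata/{namespace}/{name}.sock; }}"
        for name in sorted(vms))
    return f"""# metadata server for namespace {namespace} (generated)
map $remote_addr $metadata_backend {{
    default "";   # unknown source address: no metadata is served
{map_lines}
}}
{upstreams}
server {{
    listen {METADATA_IP}:80;
    if ($metadata_backend = "") {{ return 403; }}
    location / {{
        limit_except GET HEAD {{ deny all; }}   # metadata is read only
        proxy_pass http://$metadata_backend;
    }}
}}
"""


def vm_metadata_route(gateway_cidr: str) -> dict:
    """The static route a VM needs on its Default Gateway interface to reach the metadata server."""
    gateway = ipaddress.ip_interface(gateway_cidr)
    return {"to": f"{METADATA_IP}/32", "via": str(gateway.ip)}
```

Keeping the inventory check separate from the renderer lets an orchestrator refuse a Namespace configuration whose VM list is inconsistent before anything is written to disk, and the default-deny map entry means a source address that PodNet did not enumerate never reaches a backend.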