TRW's questions -server

TRW

Asked: 2024-11-05 15:48:35 +0800 CST

Nginx closes connection

4

I'm runnning a default nginx package on Debian Bookworm. Normally I'm just using the HTTPS connections to that service and everything is fine. Default for HTTP port 80 is a redirect to the HTTPS protocol.

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_tokens off;

  return 301 https://$host$request_uri;

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log error;
}

// vhosts with listen 443 configs omited here, they work

I've an IoT client, that doesnt speak HTTPS. So, I configured it to use HTTP to send sensor data to a hook url on the Nginx server. I added a VHost for that local domain xyz, that doesn't forward the request to HTTPS but processed it with plain HTTP.

server {
  listen 80;
  listen [::]:80;
  server_name xyz;
  server_tokens off;

  location / {
    root /var/www/html/;
  }

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log error;
}

// vhosts with listen 443 configs omited here, they work

But that request is never processed by the Nginx.

Using curl, I'm getting this response

# curl -v http://localhost/
*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.88.1
> Accept: */*
> 
* Received HTTP/0.9 when not allowed
* Closing connection 0
curl: (1) Received HTTP/0.9 when not allowed

(Info: Nginx is listening on all devices, no firewall is active, when I stop the service, the port is closed in Linux...).

There is no error log message neither in journald, nor in nginx access or error logs.

Then I tried hardcore telnet to port 80 and got a more strange result:

# telnet localhost 80
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
Connection closed by foreign host.

To be clear, I've entered GET / HTTP/1.1\n without a second empty line, only one "enter". When I enter something not HTTP conform, like a random string, the server responses with ??.

So, right after the first line, Nginx is closing the connection (the HTTP/0.9 response comes from curl itself).

Because I could not set the Host: header in the telnet request, this request never checks any virtual host configuration and I asume the curl client has the same issue. It tries to send all the headers to the socket, but the Nginx response is already there.

I don't have an idea, what is wrong. The server should at least wait for the Host-header before closing the connection. The /etc/nginx/nginx.conf is not changed.

According to nginx -t the configuration is ok, the server responses normal on curl -v https://localhost/. The SSL configuration etc. is omitted here. It's working.

TRW

Asked: 2022-04-06 01:04:57 +0800 CST

API-Server on master stops after adding second control-plane

0

In my current test setup I've several VMs running Debian-11. All nodes have a private IP and a second wireguard interface. In the future the nodes will be in different locations with different network and Wireguard is used to "overlay" all the different network environments. I want to install a Kubernetes on all nodes.

node   public ip        wireguard ip
vm1    192.168.10.10    10.11.12.10
vm2    192.168.10.11    10.11.12.11
vm3    192.168.10.12    10.11.12.12
...

So I've installed docker and kubeadm/kubelet/kubectl in version 1.23.5 on all nodes. Also I've installed a haproxy on all nodes too. It works as a load balancer by listing to localhost:443 and forwarding the requests to one of the online control-planes.

Then I started the cluster with kubeadm

vm01> kubeadm init --apiserver-advertise-address=10.11.12.10 --pod-network-cidr=10.20.0.0/16

After that I tested to integrate either flannel or calico. Either by adding --iface=<wireguard-interface> or by setting the custom manifest ...nodeAddressAutodetectionV4.interface: <wireguard-interface>.

When I add a normal node - everything is fine. The node is added, pods are created and the communication is done via the defined network interface.

When I add a control plane without the wireguard interface, I can also add different control planes with

vm2> kubeadm join 127.0.0.1:443 --token ... --discovery-token-ca-cert-hash sha256:...  --control-plane

Of course before that, I've copied several files from vm01 to vm02 from /etc/kubernetes/pki like the ca.*, sa.*, front-proxy-ca.*, apiserver-kubelet-client.* and etcd/ca.*.

But when I use the flannel or calico network together with the wireguard interface, something strange happens after the join command.

root@vm02:~# kubeadm join 127.0.0.1:443 --token nwevkx.tzm37tb4qx3wg2jz --discovery-token-ca-cert-hash sha256:9a97a5846ad823647ccb1892971c5f0004043d88f62328d051a31ce8b697ad4a --control-plane
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[preflight] Running pre-flight checks before initializing the new control plane instance
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [localhost mimas] and IPs [192.168.10.11 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [localhost mimas] and IPs [192.168.10.11 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local mimas] and IPs [10.96.0.1 192.168.10.11 127.0.0.1]
[certs] Using the existing "apiserver-kubelet-client" certificate and key
[certs] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[certs] Using the existing "sa" key
[kubeconfig] Generating kubeconfig files
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "admin.conf" kubeconfig file
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[check-etcd] Checking that the etcd cluster is healthy
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
[etcd] Announced new etcd member joining to the existing etcd cluster
[etcd] Creating static Pod manifest for "etcd"
[etcd] Waiting for the new etcd member to join the cluster. This can take up to 40s
[kubelet-check] Initial timeout of 40s passed.
error execution phase control-plane-join/etcd: error creating local etcd static pod manifest file: timeout waiting for etcd cluster to be available
To see the stack trace of this error execute with --v=5 or higher

And after that timeout even on vm01 the API server stops working, I cannot run any kubeadm or kubectl commands anymore. The HTTPS service on 6443 is dead. But neither I understand why the API server on vm01 stops working when adding a second API server nor I can find a reason, whe the output is talking about the 192.168.... IPs, because the cluster should communicate only via the 10.11.12.0/24 wireguard network.

TRW

Asked: 2022-03-30 08:44:00 +0800 CST

Wrapping Kubernetes with Wireguard

0

I've a scenario with many different nodes. Some have public IPv4, some have IPv6, some are dual stack. So I've created a wireguard network (10.11.12.0/24), so that any peer can reach any other inside a private network regarding of IP-stack and location. I'd like to build a Kubernetes over this wireguard networks.

I've build a small test cluster ...

node   public ip        wireguard ip
vm1    192.168.10.10    10.11.12.10
vm2    192.168.10.11    10.11.12.11
vm3    192.168.10.12    10.11.12.12
...

... in my local playground with kubeadm 1.23.5 based on docker.io (debian default):

vm01> kubeadm init --apiserver-advertise-address=10.11.12.10 --pod-network-cidr=10.20.0.0/16
vm01> kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-rbac.yml
vm01> kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
...
all nodes> kubeadm join 10.11.12.10:6443 --token ... --discovery-token-ca-cert-hash sha256:...
...
vm01> helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace

When I look from vm1 to vm2 via tcpdump -n host 192.168.10.11, I can see only traffic thru wireguard UDP packets. Fine...

Then I've defined a simple Deployment, a Service, a ClusterIP, an Ingress and it's deployed

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-tutorial-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: kubernetes-tutorial-deployment
  template:
    metadata:
      labels:
        app: kubernetes-tutorial-deployment
    spec:
      containers:
      - name: kubernetes-tutorial-application
        image: auth0blog/kubernetes-tutorial
        ports:
          - containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-tutorial-cluster-ip
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 3000
  selector:
    app: kubernetes-tutorial-deployment
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-tutorial-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: test.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-tutorial-cluster-ip
            port:
              number: 80

When I check with the browser, I'm getting response. But...

The response is very slow (I can confirm via a simple curl, it takes 10-20sec for the service to respond to a single request - that is strange slow for such a simple deployment.

When I look via tcpdump I see traffic outside the wireguard network, which is much more strange.

18:39:18.341836 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 128
18:39:18.344382 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 176
18:39:18.344563 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 1452
18:39:18.344571 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 1452
18:39:18.344572 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 1452
18:39:18.344573 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 96
18:39:18.344711 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:18.344711 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:18.344711 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:20.566833 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 128
18:39:20.566833 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 592
18:39:20.567003 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 96
18:39:20.570978 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 128
18:39:20.571309 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:20.572538 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 176
18:39:20.572566 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 592
18:39:20.572764 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:20.572764 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:23.540401 ARP, Request who-has 192.168.10.11 tell 192.168.10.10, length 28
18:39:23.540646 ARP, Reply 192.168.10.11 is-at 7a:1d:d9:fc:fa:eb, length 28
18:39:23.608703 IP 192.168.10.10.42274 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.5.55222 > 10.20.4.2.3000: Flags [S], seq 3011291899, win 64860, options [mss 1410,sackOK,TS val 2531657982 ecr 0,nop,wscale 7], length 0
18:39:23.609071 IP 192.168.10.11.59205 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.3000 > 10.20.0.5.55222: Flags [S.], seq 1444377380, ack 3011291900, win 64308, options [mss 1410,sackOK,TS val 2546470618 ecr 2531657982,nop,wscale 7], length 0
18:39:23.609112 IP 192.168.10.10.42274 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.5.55222 > 10.20.4.2.3000: Flags [.], ack 1, win 507, options [nop,nop,TS val 2531657983 ecr 2546470618], length 0
18:39:23.609140 IP 192.168.10.10.42274 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.5.55222 > 10.20.4.2.3000: Flags [P.], seq 1:749, ack 1, win 507, options [nop,nop,TS val 2531657983 ecr 2546470618], length 748
18:39:23.609370 IP 192.168.10.11.59205 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.3000 > 10.20.0.5.55222: Flags [.], ack 749, win 501, options [nop,nop,TS val 2546470618 ecr 2531657983], length 0
18:39:23.610441 IP 192.168.10.11.36593 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.33592 > 10.20.0.2.53: 53349+ A? test.example.com.default.svc.cluster.local. (60)
18:39:23.610713 IP 192.168.10.10.58646 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.2.53 > 10.20.4.2.33592: 53349 NXDomain*- 0/1/0 (153)
18:39:23.611018 IP 192.168.10.11.32846 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.40077 > 10.20.0.2.53: 57710+ A? test.example.com.svc.cluster.local. (52)
18:39:23.611134 IP 192.168.10.10.41066 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.2.53 > 10.20.4.2.40077: 57710 NXDomain*- 0/1/0 (145)
18:39:23.611427 IP 192.168.10.11.51546 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.59046 > 10.20.0.3.53: 18849+ A? test.example.com.cluster.local. (48)
18:39:23.611567 IP 192.168.10.10.39789 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.3.53 > 10.20.4.2.59046: 18849 NXDomain*- 0/1/0 (141)
18:39:23.611831 IP 192.168.10.11.50067 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.34442 > 10.20.0.3.53: 49768+ A? test.example.com.sol.system. (45)
18:39:25.329861 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 208
18:39:25.330138 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:25.613106 IP 192.168.10.10.52981 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.3.53 > 10.20.4.2.34442: 49768 ServFail- 0/0/0 (45)
18:39:25.613542 IP 192.168.10.11.33388 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.59146 > 10.20.0.3.53: 49768+ A? test.example.com.sol.system. (45)
18:39:27.021478 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 224
18:39:27.021876 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:27.614533 IP 192.168.10.10.48157 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.3.53 > 10.20.4.2.59146: 49768 ServFail- 0/0/0 (45)
18:39:27.614906 IP 192.168.10.11.52721 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.33596 > 10.20.0.3.53: 32196+ A? test.example.com. (34)
18:39:28.500696 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 128
18:39:28.503146 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 256
18:39:28.503158 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 1452
18:39:28.503159 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 1452
18:39:28.503161 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 1452
18:39:28.503162 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 96
18:39:28.503453 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:28.503453 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:28.503453 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:28.503453 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:28.503453 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:28.627012 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 128
18:39:28.627292 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 128
18:39:28.627636 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:29.615282 IP 192.168.10.10.52590 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.3.53 > 10.20.4.2.33596: 32196 ServFail- 0/0/0 (34)
18:39:29.615672 IP 192.168.10.11.37175 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.50957 > 10.20.0.3.53: 32196+ A? test.example.com. (34)
18:39:29.877400 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 192
18:39:29.877722 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:30.898243 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 128
18:39:30.898243 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 592
18:39:30.898330 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 96
18:39:30.902126 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 128
18:39:30.902362 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:30.903556 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 176
18:39:30.903696 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 592
18:39:30.904023 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:30.904023 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:31.617136 IP 192.168.10.10.38253 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.3.53 > 10.20.4.2.50957: 32196 ServFail- 0/0/0 (34)
18:39:31.619778 IP 192.168.10.11.59205 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.3000 > 10.20.0.5.55222: Flags [P.], seq 1:114, ack 749, win 501, options [nop,nop,TS val 2546478629 ecr 2531657983], length 113
18:39:31.619911 IP 192.168.10.10.42274 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.5.55222 > 10.20.4.2.3000: Flags [.], ack 114, win 507, options [nop,nop,TS val 2531665993 ecr 2546478629], length 0
18:39:33.434382 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 128
18:39:33.434488 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 96
18:39:33.434537 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 128
18:39:33.434860 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96

What is the possible reason, why the response is so slow in a LAN network. Is it because of wrong routing to "public" IPs instead of using the wireguard IP? Is it possible to configure the Kubernetes to use the wireguard address for port 8472?

TRW

Asked: 2021-07-30 08:53:20 +0800 CST

Wireguard Site2Site with mobile office

0

I've to networks connected with Wireguard.

Lan1:
  10.240.0.0/24
  via 10.100.1.1/32 on public static ip A.B.C.D/32

Lan2:
  192.168.0.0/24
  via 10.100.1.6/32 on dynamic ip from provider

The 10.240.0.0 net is a wireguard net (wg0) over multiple public servers and one server is a "gateway" with a special wg1 interface with 10.100.1.1. So I can reach from the gateway all nodes in the 192.168.0.0 network. On Lan2 it is a classic local network with some servers. Also on that peer I can reach all nodes behind Lan1.

Now I want to add a new peer somewhere in the "wild" - a mobile offce. The user should have access to Lan1 and Lan2 at the same time e.g. reach 10.240.0.0/24 and 192.168.0.0/24. The peer itself is a cell phone with Wireguard client as an example.

Lan1 gateway wg1.conf

[Interface]
Address = 10.100.1.1/32
...

PostUp   = iptables  -A FORWARD -i %i -j ACCEPT; iptables  -A FORWARD -o %i -j ACCEPT; iptables  -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables  -D FORWARD -i %i -j ACCEPT; iptables  -D FORWARD -o %i -j ACCEPT; iptables  -t nat -D POSTROUTING -o eth0 -j MASQUERADE;

# road-warrior
[Peer]
PublicKey = ...
AllowedIps = 10.100.1.2/32

# Lan2 gateway
[Peer]
PublicKey = ...
AllowedIps = 10.100.1.6/32, 192.168.0.0/24

And the Lan2 host

[Interface]
Address = 10.100.1.6/32
...

PostUp   = iptables  -A FORWARD -i %i -j ACCEPT; iptables  -A FORWARD -o %i -j ACCEPT; iptables  -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables  -D FORWARD -i %i -j ACCEPT; iptables  -D FORWARD -o %i -j ACCEPT; iptables  -t nat -D POSTROUTING -o ens18 -j MASQUERADE

# lan1_gate
[Peer]
PublicKey = ...
EndPoint = fqdn:port
AllowedIPs = 10.100.1.1/32, 10.240.0.0/24

I can only define (in my understanding) on that cell phone the peer of the lan1 gateway, because I don't have access to lan2_gateway but I want to route all traffic von 192.168.0.0 over lan1_gateway to lan2_gateway

[Interface]
Address = 10.100.1.2/32
...

[Peer]
PublicKey = ...
EndPoint = fqdn:port
AllowedIPs = 10.100.1.1/32, 192.168.0.0/24, 10.240.0.0/24

When I connect the road warrior with lan1, I can reach 10.240.0.0/24 but not 192.168.0.0. What is wrong? Do I need another forward rule on lan1_gate to forward traffic for 192.168.0.0 to 10.100.1.6? That should be already done.

#> ip r s
default via 172.31.1.1 dev eth0 onlink
...
10.100.1.2 dev wg1 scope link 
10.100.1.6 dev wg1 scope link 
...
10.240.0.4 dev wg0 scope link 
10.240.0.5 dev wg0 scope link 
...
172.31.1.1 dev eth0 proto kernel scope link src A.B.C.D 
192.168.10.0/24 dev wg1 scope link

Any ideas?

TRW

Asked: 2021-02-02 01:44:35 +0800 CST

Dovecot Proxy with Lua or?

1

I've build a Dovecot proxy that sends users to specific backends based on their domain. Domain A goes to server A and domain B goes to server B, etc. The list of domains is not static, but it isn't changing a lot. That works totally ok with a passdb driver sql and a simple SQL statement like:

password_query = SELECT 
    NULL as password, 
    'y' as nopassword, 
    'y' as proxy, 
    NULL as destuser, 
    'y' as proxy_nopipelining, 
    host, 
    'y' as nodelay, 
    'y' as nologin, 
    'any-cert' as 'starttls' 
  FROM proxy_domain WHERE domain = '%d';

The dovecot config contains:

passdb {
  args = /etc/dovecot/sql.conf
  driver = sql
}

userdb {
  args = static uid=5000 gid=5000 home=/dev/null
  driver = static
}

My "problem" is not really a problem - but... I need to install and run a Mysql/MariaDB server only for this job and I think, there must be an easier way to resolve the host for a specific domain. A parallel postfix installation uses a simple transport map for doing the same job. I don't need a SQL server for that simple lookup.

I thought about the Dovecot Lua passdb or static passdb but I can't find any useful example to match a domain against a host with Lua or how I return all the necessary parameters?

So I've installed the debian package dovecot-auth-lua.

I tried with:

passdb {
  driver = lua
  args = file=/etc/dovecot/passdb.lua blocking=yes
  default_fields = password=NULL nopassword=y proxy=y destuser=NULL proxy_nopipelining=y nodelay=y nologin=y starttls=any-cert
}

Is blocking here necessary? It's readonly operation, or?

The Lua script:

local database = "/etc/dovecot/backends"

function auth_passdb_lookup(req)
 for line in io.lines(database) do
   for domain, host in string.gmatch(line, "(.+)%s(.+)") do
     if (domain == req.domain) then
       return dovecot.auth.PASSDB_RESULT_OK, "host=" .. host
     end
   end
 end
 return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
end

and of course the backends file with <domain> <host> per line.

But I got an error on the proxy

pam_unix(dovecot:auth): check pass; user unknown
pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user@domain rhost=<my-ip>
pam(user@domain,ip,<id>): pam_authenticate() failed: Authentication failure (Password mismatch?)

What does it mean? I'm not sure - but is it, because I return "NULL" on some of it. When I remove the both attributes password and destuser it has the same effect.

TRW

Asked: 2020-12-16 14:00:55 +0800 CST

Proxmox Ceph - Got timeout on separate network

0

I've installed on 4 nodes a completly fresh OS with Proxmox. Every node has 2xNVMe und 1xHD, one NIC public, one NIC private. On the public network there is an additional wireguard interface running for PVE cluster communication. The private interface should be used only for the upcoming distributed storage.

# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP group default qlen 1000
    link/ether 6c:b3:11:07:f1:18 brd ff:ff:ff:ff:ff:ff
    inet 10.255.255.2/24 brd 10.255.255.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::6eb3:11ff:fe07:f118/64 scope link 
       valid_lft forever preferred_lft forever
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b4:2e:... brd ff:ff:ff:ff:ff:ff
    inet 168..../26 brd 168....127 scope global eno1
       valid_lft forever preferred_lft forever
    inet6 2a01:.../128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::b62e:99ff:fecc:f5d0/64 scope link 
       valid_lft forever preferred_lft forever
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether a2:fd:6a:c7:f0:be brd ff:ff:ff:ff:ff:ff
    inet6 2a01:....::2/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::..:f0be/64 scope link 
       valid_lft forever preferred_lft forever
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.3.0.10/32 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fd01:3::a/128 scope global 
       valid_lft forever preferred_lft forever

The nodes are fine and the PVE cluster is running as expected.

# pvecm status
Cluster information
-------------------
Name:             ac-c01
Config Version:   4
Transport:        knet
Secure auth:      on

Quorum information
------------------
Date:             Tue Dec 15 22:36:44 2020
Quorum provider:  corosync_votequorum
Nodes:            4
Node ID:          0x00000002
Ring ID:          1.11
Quorate:          Yes

Votequorum information
----------------------
Expected votes:   4
Highest expected: 4
Total votes:      4
Quorum:           3  
Flags:            Quorate 

Membership information
----------------------
    Nodeid      Votes Name
0x00000001          1 10.3.0.4
0x00000002          1 10.3.0.10 (local)
0x00000003          1 10.3.0.13
0x00000004          1 10.3.0.16

The PVE firewall is active in the cluster but there is a rule, that all PVE nodes can talk to each other on any protocol on any port on any interface. This is true - I can ping, ssh, etc. between all nodes on all IPs.

Then I installed ceph.

pveceph install

On the first node I've initialized ceph with

pveceph init -network 10.255.255.0/24
pveceph createmon

That works.

On the second - I tried the same (I'm not sure, if I need to set the -network option - I tried with and without). That works too.

But pveceph createmon fails on any node with:

# pveceph createmon
got timeout

I can also reach port 10.255.255.1:6789 on any node. Whatever I try - I'm getting a "got timeout" on any node then node1. Also disabling firewall doesn't have any effect.

When I remove the -network option, I can run all commands. It looks like it cannot talk via the second interface. But the interface is fine.

When I set network to 10.3.0.0/24 and cluster-network to 10.255.255.0/24 it works too, but I want all ceph communication running via 10.255.255.0/24. What is wrong?

TRW

Asked: 2020-12-05 00:54:10 +0800 CST

Gluster Performance

3

currently I try to setup a Gluster cluster and the performance is strange and I'm not sure, if I configured something wron. I'm using 4x Hetzner root server running Debian Buster with Intel i7, 128GB RAM, two NVMe's and one HDD. Every system has a separate 10Gbs network interface for internal communication (all hosts are directly connected to one switch on one rack).

When I test the network with iperf - I've got around 9.41 Gbits/sec between all peers.

I've installed the Debian default glusterfs-server packages (glusterfs-server_5.5-3_amd64.deb).

I've build three volumes with:

SSD (gv0) on /mnt/ssd/gfs/gv0
HDD (gv1) on /mnt/hdd/gfs/gv1
RAM-disc (gv2) on /mnt/ram/gfs/gv2

With

gluster volume create gv0 replica 2 transport tcp 10.255.255.1:/mnt/ssd/gfs/gv0 10.255.255.2:/mnt/ssd/gfs/gv0 10.255.255.3:/mnt/ssd/gfs/gv0 10.255.255.4:/mnt/ssd/gfs/gv0 force
...

And some configuration changes - all volumes look like this (gv0, gv1 and gv2 are the same)

# gluster volume info gv0
 
Volume Name: gv0
Type: Distributed-Replicate
Volume ID: 0fd68188-2b74-4050-831d-a590ef0faafd
Status: Started
Snapshot Count: 0
Number of Bricks: 2 x 2 = 4
Transport-type: tcp
Bricks:
Brick1: 10.255.255.1:/mnt/ssd/gfs/gv0
Brick2: 10.255.255.2:/mnt/ssd/gfs/gv0
Brick3: 10.255.255.3:/mnt/ssd/gfs/gv0
Brick4: 10.255.255.4:/mnt/ssd/gfs/gv0
Options Reconfigured:
performance.flush-behind: on
performance.cache-max-file-size: 512MB
performance.client-io-threads: off
nfs.disable: on
transport.address-family: inet

Later I found some optimizations in the net. But the performance doesn't change a lot (of course it is a single thread performance test).

# gluster volume info gv0
 
Volume Name: gv0
Type: Distributed-Replicate
Volume ID: 0fd68188-2b74-4050-831d-a590ef0faafd
Status: Started
Snapshot Count: 0
Number of Bricks: 2 x 2 = 4
Transport-type: tcp
Bricks:
Brick1: 10.255.255.1:/mnt/ssd/gfs/gv0
Brick2: 10.255.255.2:/mnt/ssd/gfs/gv0
Brick3: 10.255.255.3:/mnt/ssd/gfs/gv0
Brick4: 10.255.255.4:/mnt/ssd/gfs/gv0
Options Reconfigured:
performance.write-behind-window-size: 1MB
cluster.readdir-optimize: on
server.event-threads: 4
client.event-threads: 4
cluster.lookup-optimize: on
performance.readdir-ahead: on
performance.io-thread-count: 16
performance.io-cache: on
performance.flush-behind: on
performance.cache-max-file-size: 512MB
performance.client-io-threads: on
nfs.disable: on
transport.address-family: inet

Also I tried with jumbo frames and without it. But it also made no difference

# ip a s
...
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP group default qlen 1000
    link/ether 6c:b3:11:07:f1:18 brd ff:ff:ff:ff:ff:ff
    inet 10.255.255.2/24 brd 10.255.255.255 scope global enp3s0
       valid_lft forever preferred_lft forever

All three volumes are mounted directly on one of the peers

10.255.255.1:gv0 /mnt/gv0 glusterfs defaults 0 0
10.255.255.1:gv1 /mnt/gv1 glusterfs defaults 0 0
10.255.255.1:gv2 /mnt/gv3 glusterfs defaults 0 0

Then I created some test data in a separate RAM disk. I wrote a script that generates with dd if=/dev/urandom and a for loop many files. I first generated the files, because /dev/urandom seems to be "end" at around 45Mb/s, when I write to a ram disk.

----- generate files 10240 x 100K
----- generate files 5120 x 1000K
----- generate files 1024 x 10000K
sum: 16000 MB on /mnt/ram1/

And now comes the transfer. I've just called cp -r /mnt/ram1/* /mnt/gv0/ etc. to write and cp -r /mnt/gv0/* /mnt/ram1/ and count the seconds. And that looks terrible.

                    read    write
ram <-> ram           4s       4s
ram <-> ssd           4s       7s
ram <-> hdd           4s       7s
ram <-> gv0 (ssd)   162s     145s
ram <-> gv1 (hdd)   164s     165s
ram <-> gv2 (ram)   158s     133s

So the performance of read and write with local disk compared and gluster cluster is around 40-time faster. That can't be.

What do I miss?

TRW

Asked: 2020-11-10 06:36:24 +0800 CST

Add service check to agent in Icinga Master-Satellite-Agent infrastructure

0

I've an environment like this:

master
some satellites assigned to master
many agents assigned to satellites and some assigned to master (without a satellite).

All systems are ready and the PKI setup is complete. Also most default checks (apt, disk, cpu) are running and I can see the current state on the master. Now I've started to implement custom checks (like check_eth to monitor the network traffic). I've published the script to all hosts and defined also on all hosts the command:

object CheckCommand "check_eth" {
  import "plugin-check-command"
  command = [ "/usr/bin/sudo", PluginDir + "/check_eth" ]
 
  arguments       = {
   "-w" = {
      value                     = "$eth_warning$"
      description               = "Percent free/used when to warn"
      required                  = true
    }
    "-c" = {
      value                     = "$eth_critical$"
      description               = "Percent free/used when critical"
      required                  = true
    }
    "-i" = {
      value                     = "$eth_interface$"
      description               = "Given network interface"
      required                  = true
    }
  }

  vars.eth_interface  = "enp0s31f6"
  vars.eth_warning  = "2048G"
  vars.eth_critical = "4096G"
}

I can run the script on all hosts. On Master, the satellites and all hosts that directly assigned to master the response of the check is visible. On all hosts with parent=satellite the state is UNKNOWN. And that is my problem... why?

The host object is like:

# master: /etc/icinga2/zones.conf

object Endpoint "monitor.domain" {
}

object Zone "master" {
  endpoints = [ "monitor.domain" ]
}

object Endpoint "satellite1.domain" {
    host = "<ip>"
    port = "<port>"
}

object Zone "satellite1.domain" {
    parent = "master"
    endpoints = [ "satellite1.domain" ]
}

The satellite configuration looks like this:

# master: /etc/icinga2/zones.d/satellite1.domain/hosts.conf

object Host "satellite1.domain" {
    import "generic-host"
    check_command = "hostalive"
    zone = "master"

    address = "<ipv4>"
    address6 = "<ipv6>"
    
    vars.agent_endpoint = name
    ...
}

object Host "agent1.domain" {
    import "generic-host"
    check_command = "hostalive"
    zone = "satellite1.domain"

    address = "<ipv4>"
    address6 = "<ipv6>"
    
    vars.agent_endpoint = name
    ...
}
...

The zone incl. endpoint inside satellite is also defined on master:

# master: /etc/icinga2/zones.d/satellite1.domain/zones.conf
object Zone "agent1.domain" {
    parent = "satellite1.domain"
    endpoints = [ "agent1.domain" ]
}

object Endpoint "agent1.domain" {
    host = "<ip>"
    port = "<port>"
}

And now the Apply of the Command to the host (also defined on master)

# master: /etc/icinga2/zones.d/satellite1.domain/services.conf

apply Service "Network Traffic" {
  import "generic-service"

  check_command = "check_eth"
  command_endpoint = host_name

  assign where host.name == "satellite1.domain"
}

apply Service "Network Traffic" {
  import "generic-service"

  check_command = "check_eth"
  command_endpoint = host_name

  assign where host.name == "agent1.domain"
}

What do I miss?

TRW

Asked: 2020-10-21 06:24:20 +0800 CST

Wireguard routing from wg1 to wg0

1

I have two networks configured with Wireguard. wg0 is for servers and wg1 for VPN users. When a VPN user on wg1 wants to reach the wg0 network, the packets should be router over one of the wg0 servers (the VPN gate).

wg0.conf on VPN gateway and on all servers with wg0 interface

[Interface]
Address = 10.1.0.15
ListenPort = 51820
PrivateKey = privatekey1

# node23
[Peer]
PublicKey = pubkey
AllowedIps = 10.1.0.23
Endpoint = node23.fqdn:51820

# node24
[Peer]
PublicKey = pubkey
AllowedIps = 10.1.0.24
Endpoint = node24:51820

# node25
[Peer]
PublicKey = pubkey
AllowedIps = 10.1.0.25
Endpoint = node25.fqdn:51820
...

wg1.conf on VPN gateway

[Interface]
Address = 10.100.0.1/32
ListenPort = 51810
PrivateKey = privatekey2

PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# user1    [Peer]
PublicKey = pubkey
AllowedIps =  10.100.0.2/32
...

And this is the users wg1.conf (actually wg0 because they don't have a 10.1.0.0 address)

[Interface]
Address = 10.100.0.2/32
ListenPort = 21841
PrivateKey = myprivatekey

[Peer]
PublicKey = pubkey
EndPoint = vpngate.fqdn:51810
AllowedIPs = 0.0.0.0/0

PersistentKeepalive = 25

So, on the VPN gate itself I can run curl -v http://10.1.0.23/ and I'm getting a response within the wg0 network. Ping works to. I can reach all servers within the network. The same with wg1-client and wg1-server. Also I can browse the internet via the VPN gate. But when I try to call from my wg1-client a wg0-server like curl -v http://10.1.0.23/ which should be route (I think) thru the vpn-gate and from there via wg1 -> wg0 there is no response.

What do I miss?

TRW

Asked: 2020-08-26 07:03:00 +0800 CST

Dovecot as Proxy with submission

0

In my infrastructure I have several mailservers (mailcow) serving different domains per instance. I want to build a mail-proxy in front of them to reduce the number of used IPs per service and allow customers to have their own domain names in their client presets anyway.

SMTP as MTA is handled differently. Incoming messages via Postfix are handled by a central server (because MX records are not visible for the customer). So this is not my problem.

So I've configured a mail proxy based on Dovecot on Debian Buster with the following config:

ssl_cert = </etc/dovecot/ssl/default.pem
ssl_key = </etc/dovecot/ssl/default.key

# just an example for different domains via SNI
local_name mail.domain1.tld {
  ssl_cert = </etc/dovecot/ssl/mail.domain1.tld.pem
  ssl_key = </etc/dovecot/ssl/mail.domain1.tld.key
}

# just an example for different domains via SNI
local_name mail.domain2.tld {
  ssl_cert = </etc/dovecot/ssl/mail.domain2.tld.pem
  ssl_key = </etc/dovecot/ssl/mail.domain2.tld.key
}

auth_cache_size = 4 k
disable_plaintext_auth = no

passdb {
  args = /etc/dovecot/sql.conf
  driver = sql
}
protocols = "imap pop3 submission"
service auth {
  user = root
}
userdb {
  args = static uid=5000 gid=5000 home=/dev/null
  driver = static
}

And the sql.conf is

## SQL passdb configuration
driver = mysql

# Database options
connect = host=localhost dbname=dovecot user=dovecot password=dovecot

# Query
password_query = SELECT NULL AS password, NULL AS destuser, host, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS nopassword, 'Y' AS proxy, 'any-cert' AS `ssl` FROM proxy_domain WHERE domain = '%d'
# eof

The database contains:

CREATE TABLE `proxy_domain` (
  `domain` varchar(255) NOT NULL,
  `host` varchar(255) NOT NULL,
  PRIMARY KEY (`domain`)
);

insert into proxy_domain (domain, host) values ('domain1.tld','mailhost1');
insert into proxy_domain (domain, host) values ('domain2.tld','mailhost2');

This is more or less the example of

proxy: https://wiki1.dovecot.org/HowTo/ImapProxy (last updated 2011 with very old config params)
SNI: https://wiki.dovecot.org/SSL/DovecotConfiguration

The IMAP and POP3 services are up and with

openssl s_client -connect ac-hcn0002.acoby.net:993

I'm able to login and also SNI is working fine. The backend is reachable via SSL. With starttls (110, 143, 587) only the first certificate is presented. That's ok and acceptable, because I would not recommend that to the customer.

But now submission (and later sieve).

Question #1:

Dovecot is able to open 587 for submission. That is only available via STARTTLS. But the proxy then tries to communicate for submission on the backend system direct with SSL on port 587 (which is not correct, I think - it should start plain and make STARTTLS). I think, this happens, because the passdb returns global SSL=any-cert. Is this a bug? Can I override that behaviour for 587? And maybe is there a way to send the correct certificate with STARTTLS (instead of the default/first)?

Question #2:

Then port 465. Dovecot could also open the submission port 465/SSL in my case for forwarding all authenticated messages to the 465 submission port on backend. But how can I configure that? I couldn't find any example.

I know about Mail infrastructure with dovecot proxy and the solution with postfix - but I'm not really sure, if the answer with the dovecot-socket is working in this scenario and I don't want to install a postfix only for submission, when Dovecot can handle that out-of-the-box.

TRW

Asked: 2020-04-29 02:45:43 +0800 CST

Howto configure Wireguard on Linux router to route all traffic from LAN to remote wireguard VPN server

2

I've an Armbian linux on a NanoPi R1 running. It routes all traffic from eth1 (LAN static IP, dnsmasq for DHCP/DNS) to eth0 (WAN dhcp-client) via IPTables NAT/Masquerading. That works fine. A client behind eth1 in the LAN can reach outside world.

Now I've installed Wireguard on the device. There is a Wireguard VPN service in the cloud. I can reach it on the Pi and it routes all traffic from the Pi thru the wg0 interface.

But the clients in LAN cannot reach anything anymore. I don't understand how to route all traffic from eth1 thru wg0 and reach eth0. There are many examples in the net, how to configure the other way around (the VPN server), but I'm not sure, how to configure the wg interface.

[Interface]
Address = 10.0.0.10/32, fd01:10:0::10/128
ListenPort = 21841
PrivateKey = ...

PostUp   = iptables -A FORWARD -i %i -o eth1 -j ACCEPT; iptables -A FORWARD -o %i -i eth1 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o eth1 -j ACCEPT; iptables -D FORWARD -o %i -i eth1 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE

DNS = <provider-ip>

[Peer]
PublicKey = <pubkey>
EndPoint = <vpnserver>:<vpnport>
AllowedIPs = 0.0.0.0/0, ::/0

PersistentKeepalive = 25

Even when I remove or change the PostUp/Down, the behaviour doesn't change. IP Forward is enabled in kernel.

This is my ruleset after I started wg0:

$> iptables -L -n -x -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
      12     1752 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    4267   282274 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
     273    24031 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
   0        0 ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
     825    87848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     701    85098 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
     419    26498 ACCEPT     all  --  eth1   eth0    192.168.11.0/24      0.0.0.0/0            ctstate NEW
   15343  6475800 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  wg0    eth1    0.0.0.0/0            0.0.0.0/0           
      69    12915 ACCEPT     all  --  eth1   wg0     0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

I can see, that eth1 sends packets to wg0, but they don't come back. What is wrong?

The masq table looks like that:

$> iptables -L -n -x -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
     742    52126 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
       0        0 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

TRW

Asked: 2020-03-24 01:18:54 +0800 CST

Icinga PKI Agent-Satellite-Master

0

According to the documentation on https://icinga.com/docs/icinga2/latest/doc/06-distributed-monitoring/, all nodes in an Icinga Monitoring need to have one CA which is on the master node. But I think, I miss something here, because the agent is normally only talking to the satellite and not to the master and so TLS can't be correct.

I have a master node, multiple satellites and agents behind that satellites. The master has a CA. The satellites and most of the >20 agents are working fine. I'm using Ansible to manage all the installation and configuration - so the configuration is similar to all agents. Furthermore the master is a docker container - but that isn't a problem here. Only one single agent on one satellite has a problem. Maybe that is problem of first setup (without satellites). I removed all the PKI informations on the agent and started again.

I did the following:

agent> icinga2 pki save-cert \
               --key agent.key --cert agent.crt \
               --trustedcert master.crt \
               --host ${masterhost} --port ${masterport}

On the master I created a ticket

master> icinga2 icinga2 pki ticket --cn ${agent}

So I get the agent ticket.

Then I requested the certificate.

agent> icinga2 pki request \
               --host ${masterhost} --port ${masterport} \
               --ticket ${agentticket} \
               --key agent.key --cert agent.crt \
               --trustedcert master.crt --ca /etc/icinga2/pki/ca.key

Now I think, the agent would communicate with the master. But it should not communicate with the master but with the satellite.

The zones configuration is:

/* Agent /etc/icinga2/zones.conf */

/* Define Monitoring Master Endpoint */
object Endpoint "satellite1.network" {
  host = "ip"
  port = "5665"
}

/* Define Monitoring Master Zone */
object Zone "satellite1.network" {
  endpoints = [ "satellite1.network" ]
}

/* Define Monitoring Agent Endpoint (this host) */
object Endpoint NodeName {
  host = NodeName
}

/* Define Monitoring Agent Zone */
object Zone ZoneName {
  endpoints = [ NodeName ]
  parent = "satellite1.network"
}

So, the agent doesn't know about the master, it communicated only to the satellite host. So - it happens what must happen on the satellite. It is ignoring the agent, because it doesn't know the certificate.

satellite> tail /var/log/icinga2/icinga2.log
...
... warning/ApiListener: Certificate validation failed for endpoint 'agent': code 18: self signed certificate
...

So, I did the things above not against the master, but against the satellite (replacing the masterhost with satellitehost. But that ends with the situation, that the satellite needs its own CA (which isn't was in documented in the manual). I could create one. But is this correct?

TRW

Asked: 2020-01-16 02:21:12 +0800 CST

Manage Ansible Inventory with dynamic and static hosts and vars

1

I wonder what would be a good solution to manage an environment with a combination of dynamic and static hosts and vars and groups.

I'm thinking of a combination of physical hosts in a datacenter with a combination of specific tasks (physical database node) plus Proxmox Hosts managing some dynamic VMs, together with some cloud providers for managing new VMs in some situation, where the physical performance is not enough (outsource performance peeks).

In that case - a dynamic inventory is a good practice. Of course there are some plugins for AWS, Hetzner, etc. But is it possible to combine that together with static entries?

I build a database with all the entries and scripts that updates the list of cloud VMs per request in the database. All the dynamic hosts together with the static hosts and some group vars, host vars are stored in the database. And there is a webservice that outputs the JSON dynamic inventory that a python script loads and that is used as a dynamic inventory in my playbooks.

My question is - am I the only one with this kind of setup? When I think of a company with some VMWare hosts together with dynamic number of VMs on that hosts plus some other physical systems it would be "clear" that there should be some kind of "tool" or help for this setup. But as far as I can see, there is either a static inventory (YAML, INI) or a dynamic inventory (JSON). But does every admin develops their own dynamic inventory database? Or is there a given software "product" or "project"? Or is it a "better" practice to have different inventories for "static" and "dynamic" environments?

Nginx closes connection

API-Server on master stops after adding second control-plane

Wrapping Kubernetes with Wireguard

Wireguard Site2Site with mobile office

Dovecot Proxy with Lua or?

Proxmox Ceph - Got timeout on separate network

Gluster Performance

Add service check to agent in Icinga Master-Satellite-Agent infrastructure

Wireguard routing from wg1 to wg0

Dovecot as Proxy with submission

Howto configure Wireguard on Linux router to route all traffic from LAN to remote wireguard VPN server

Icinga PKI Agent-Satellite-Master

Manage Ansible Inventory with dynamic and static hosts and vars

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?