Commit Graph

  • e404a21e92 making it even more obvious that we *want* an ipsec cert master toby 2019-05-03 15:34:53 +0000
  • 4177964e8f better help output on qemu-ifup-public toby 2019-05-01 23:48:45 +0000
  • 78a2a7b13f better comments on firewall rules toby 2019-05-01 05:04:29 +0000
  • 313ea1085f adding local connections for zebra/frr to the individual services. I can't believe I have not yet noticed this. seems like frr reload is however relying on this toby 2019-05-01 04:37:44 +0000
  • 05bc412860 MAJOR: static hostname assignments in favor of disabling ipv4 on mgmt1, frr reload, and simple rename of a couple of files to make it simpler toby 2019-05-01 03:49:00 +0000
  • b37d2b5c74 adding new 3300 port for ceph msgr2 protocol toby 2019-04-29 07:06:51 +0000
  • e907220280 apparently interfaces can't have comments toby 2019-04-27 05:21:56 +0000
  • e1eac9c8c7 quick if test so one can just symlink trunk uplinks using qemu-ifup-TRUNKNAME syntax and be done with it toby 2019-04-26 18:34:16 +0000
  • 0493a328ff re-adding ipv4 dhcp for mgmt1, still need it for the hostname for, but prob gonna hardcode the dns/sntp/hostname at this point soon toby 2019-04-23 06:42:40 +0000
  • c5ecd31709 nicer output on ifdown... being anal toby 2019-04-22 23:56:23 +0000
  • d3a64d956c fix updating resolv.conf for IPv6 stateless DHCP6 toby 2019-04-19 20:34:35 +0000
  • ff5df9e336 switching to stateless dhcp6 and trying to disable ipv4 now that mirrors is ipv6 it should work in theory. we'll have to fix SNTP dhcp client script probably though toby 2019-04-19 19:12:12 +0000
  • f293436c67 just like I assumed, SAN header not needed for ipsec and moved the CA handler to mirrors toby 2019-04-18 05:33:21 +0000
  • 4f0c28d56b starting to migrate to a more meaningful DN for ipsec toby 2019-04-17 02:42:36 +0000
  • 99773128d3 we're ready now to roll out ikev2 as a given toby 2019-04-16 23:20:23 +0000
  • 60b16ebddc forcing the curl to be over IPv6, allows us to close the firewall for ipv4 toby 2019-04-16 21:48:29 +0000
  • 182de8533f removing ipsec reload upon cert *creation*, no point in doing it, we don't have the signed cert yet. we just risk breaking a working setup while being sure we won't get it working right away. the cron job, pulling the actual signed cert will be doing this part toby 2019-04-16 21:21:29 +0000
  • 088830f07a removing legacy net-tools dependency, going to iproute2 tools toby 2019-04-12 05:22:28 +0000
  • d3f593888e remove some dependencies, that aren't really needed. we should move them to optional package toby 2019-04-12 04:34:50 +0000
  • 54b08d2f38 upping the char limit by 1 toby 2019-04-10 22:46:48 +0000
  • 0d20e9c028 removing the default publicmac value to be sure it's always set. it just NEEDS to match what libvirt/qemu thinks it is toby 2019-04-10 22:03:01 +0000
  • 0bed52d345 conffiles name is not variable after all :) toby 2019-04-10 22:02:22 +0000
  • 8f76828d0b not sure if this is needed - actually I know it's not - but it seems like a good idea as it may be needed for compat level 12+?... who knows toby 2019-04-10 04:30:09 +0000
  • fa496d25c5 making sure we try to pull the new cert over the mgmt vrf since it doesn't have connectivity on the frontend without a cert toby 2019-04-09 23:26:37 +0000
  • a000b9e2de firewall: moving the http rule to ipv6 - doh - and killing the etcd/stackapi rules again since we decided to go without them toby 2019-04-09 22:47:57 +0000
  • 47b2e0b3e6 adding firewall http over VPN rule for bastion cert exchange and possibly more in the future toby 2019-04-09 21:27:28 +0000
  • c53f3e2219 making sysctl tweaks more versatile and just reload sysctl settings toby 2019-04-09 21:00:11 +0000
  • 1c38fef482 updating qemu-ifup to support the VNI passed in the ifname toby 2019-04-09 20:38:44 +0000
  • 7d5a761793 Merge branch 'master' of https://git.wit.com/netops/wit-network-config toby 2019-04-05 18:09:30 +0000
  • 68f8088b55 drone and gitignore toby 2019-04-05 18:09:20 +0000
  • 7a00635a57 adding curl support to the qemu-ifup script again toby 2019-04-05 17:58:55 +0000
  • b8e6a8a418 doh, ipv6 we want not ipv4 ;) toby 2019-04-05 00:17:39 +0000
  • 30eecc7f51 allowing stackapi traffic over the VPN toby 2019-04-04 23:35:07 +0000
  • 50688b3188 adding changelog to gitignore since it's generated out of the git history toby 2019-04-01 18:57:16 +0000
  • d2a7099392 pulling out all the bastion related rules and moving them to the bastion ansible... this may break shit... toby 2019-03-29 22:40:03 +0000
  • a2201fd74b adding debhelper log to gitignore toby 2019-03-29 19:58:35 +0000
  • d3ecbaf20b fixing ipsec cert generation section in postscript toby 2019-03-29 19:57:08 +0000
  • ebc7c6a5ff screw it, allowing undefined vars for now, will fix that eventually toby 2019-03-29 18:46:22 +0000
  • 3a08cb5182 trying to be more specific on the variables and fail if var has not been defined, also fixing some drone stuff toby 2019-03-29 18:33:34 +0000
  • 3e5b0e21a6 drone fixes toby 2019-03-29 18:10:33 +0000
  • 22008293c5 updating .drone file for mirrors toby 2019-03-29 18:07:01 +0000
  • ec5869cba8 adding ipsec node cert self generation and sign req to bastion toby 2019-03-29 17:57:21 +0000
  • 2b6992eec1 qemu-ifup: use variable for consistency toby 2019-03-22 19:55:03 +0000
  • ff8f9fa025 default frr logging verbosity to debug. so when debug is enabled it's actually logged as well toby 2019-03-18 22:58:00 +0000
  • 9fa840a956 fixing typo in firewall rules toby 2019-03-13 01:32:01 +0000
  • 73b2389f08 adding iptables comments to all rules toby 2019-03-13 00:14:17 +0000
  • 0c2e02c1b8 removing old prometheus rules that were once hosted in aws toby 2019-03-11 21:51:06 +0000
  • c760ae7c2c firewall: updating mirrors.wit.com to allow the new location in usw1 over ipv6 toby 2019-03-11 21:48:58 +0000
  • eeb6cedbf6 bugfix wit-gc: changing the way to quickly add the blackhole route. this way it does not get advertised over BGP (it's considered invalid) and so it doesn't create any hiccups if the same route would already be used somewhere else toby 2019-03-11 19:30:52 +0000
  • 73ae7b9680 accepting up to /56 on ipv6 and bugfixing for wit-gc toby 2019-03-11 18:59:24 +0000
  • 2e9317222e minor bugfix on wit-gc... more to come on stale routes toby 2019-03-11 07:19:09 +0000
  • 5be0d4b8fc updated qemu scripts and wit-gc to support new ipv4 forwarding toby 2019-03-11 02:16:33 +0000
  • bc47af367a we definitely wanna support more than /64 on ipv6, upping it to /60 for now, but prob wanna do more eventually toby 2019-03-09 13:13:36 -0800
  • f44ff9304e disabling arp on the vm interface altogether. we have the static entries from the unnumbered system, reduces the attack surface and DOS potentially on the hypervisor toby 2019-03-09 12:05:45 -0800
  • 51d76bc101 more testing... toby 2019-03-08 23:37:53 -0800
  • 268dd01421 another attempt at the rules file toby 2019-03-08 23:21:18 -0800
  • cfeef0de5b ... seriously,... running out of ideas ... toby 2019-03-08 23:19:39 -0800
  • 396b2899ae ... seriously,... running out of ideas ... toby 2019-03-08 22:53:21 -0800
  • b63d21ba83 ... seriously,... running out of ideas ... toby 2019-03-08 22:42:11 -0800
  • 2b1c7b34a6 trying a whole new approach, seems like it worked on my wit-vm-router-config package, lets see what it does here ... toby 2019-03-08 22:14:00 -0800
  • 1cf4ef12f7 migrating to the more conventional static arp/unnumbered ipv4 routing based on the BGP unnumbered RFC just without the BGP ;) ... it's nice this way cause if we do decide to add BGP on top at a later time it will look essentially the same, just dynamic... for now it's static though ;) toby 2019-03-08 20:09:13 +0000
  • 22b4da07a3 removing jumbo frames from uplinks. it ain't happening.... toby 2019-02-23 06:22:12 +0000
  • af873ce08e adding interface length safety toby 2019-02-23 05:16:27 +0000
  • 15c67eae20 since we changed the manual vmrun script we can now force the if-variable file to be present in qemu-ifup toby 2019-02-23 05:05:21 +0000
  • a497c70abe adding mgmt dhcp6 - so we get ntp and dns over ipv6 - and timesyncd dhcp6 exit script toby 2019-02-23 04:09:55 +0000
  • fc197c9fce just comments... toby 2019-02-21 04:31:18 +0000
  • fb96f1daa8 adding more resiliency to the ifup-public script. we want it to maybe fail if it doesn't know what to do with the variable. not just silently continue toby 2019-02-21 01:02:35 +0000
  • 13be20d519 writing out ipsec.secrets through postinst again since apparmor blocks any type of hide/displace action toby 2019-02-14 22:15:36 -0800
  • 477b89aa0e fixing major bug in ipsec.secrets toby 2019-02-14 17:46:50 -0800
  • 289b42e100 fixing sysctl tweak path toby 2019-02-14 17:31:38 -0800
  • 3003509bf4 trying yet again a different approach to update files correctly upon install toby 2019-02-14 16:43:13 -0800
  • a3934b7014 evidently everything is breaking right now, so trying a different approach toby 2019-02-14 14:43:53 -0800
  • 1066e48dc7 evidently everything is breaking right now, so trying a different approach toby 2019-02-14 14:38:06 -0800
  • 7ef14c0794 adding some comments to the dynamic files toby 2019-02-14 13:24:08 -0800
  • db0f639547 switching the debian install around: all 'templates' are modified in the local folder and are then installed when already modified using isc-dhcp-server as an example in hope to improve upgrade-consistency. toby 2019-02-14 12:35:33 -0800
  • 94b3a68407 allow Default fallback route by default on eBGPv6-IN as well toby 2019-02-14 03:25:27 -0800
  • 30ac6534a3 adding first very very basic old-school vlan support root 2019-02-14 08:34:11 +0000
  • 5363feff09 firewall: adding new approach to stackapi over VPN, ipsec.conf: no changes, just nicer grouping toby 2019-02-09 19:48:51 -0800
  • 90e3484f5c firewall: adding TTL hop-check on the BGP firewall rules. this makes it a bit more secure on fairly wide open BGP rules toby 2019-02-05 20:42:36 -0800
  • b9d53909b8 starting to use ceph on ipv6 as well .... toby 2019-02-05 20:23:44 -0800
  • c99727567d frr.conf: setting timers manually that would be set by the --enable-datacenter flag on frr. this way we don't have to compile our own frr. --enable-cumulus at this point only enables an alias for bgp address-family of evpn vs address-family l2vpn evpn. which we don't use anyway or already do it the right way toby 2019-02-05 19:16:03 -0800
  • 48abb08b5a setting loopback source IP on all bgp routes for IPv6 as well - did this on ipv4 but may need patching as I wanted to use only the public IP for public routes on IPv4. may still break if for whatever reason it prefers the mgmtgw/ipmigw IP like it just happened on ipv6 toby 2019-02-04 18:09:28 -0800
  • d8245c2223 limiting lldp to only mgmt interfaces and avoid VMs seeing lldp neigh requests toby 2019-01-30 11:36:56 -0800
  • 78d6e4d4ff less output on qemu ifup scripts toby 2019-01-29 22:31:07 -0800
  • 2af76bb4e8 qemu-ifup/public scripts, replaced dig loopback lookup with ip, for more stability and better all round support for outside of libvirt toby 2019-01-29 18:51:02 +0000
  • 39d7830086 IPsec: ipsec.conf config items typoed. auth vs authby need to make sure it doesn't break but this should be the right way toby 2019-01-24 14:12:41 -0800
  • c3df5d6f12 just some comments and to test the new signing machinery ... toby 2019-01-23 14:50:54 -0800
  • a1d5439422 firewall: allowing ipmi calls to be routed so that VPN clients and other boxes can make calls to ipmi toby 2019-01-11 18:09:37 +0100
  • 0de30974af fixing the copyright in debian to be GPLv3 toby 2019-01-09 23:20:40 +0100
  • 277cd58eaa completely removing grub leftovers toby 2019-01-08 21:00:46 +0100
  • afdcd416b7 removing ssh-password less which is now default anyway, and also remove grub config which needs to be broken out since it differs on various platforms like arm and x86 toby 2019-01-08 19:11:29 +0100
  • 643519147d removing grub-pc from dependencies again, PXE has more issues anyway and we wanna work towards the EFI boot options and it bites grub-efi toby 2019-01-03 15:48:13 +0100
  • e88b13e51d adding customer interface bgp firewall rules toby 2019-01-02 22:29:23 +0100
  • 7468e4fddf more work on customer link support on edges toby 2019-01-02 22:05:35 +0100
  • 2a4150aa41 firewall cleanup and organization toby 2018-12-21 17:41:04 +0100
  • 83332a7f74 just formatting toby 2018-12-20 15:28:27 +0100
  • 6114dffa19 Merge branch 'prometheus-exporters' of netops/wit-network-config into master toby 2018-12-20 08:21:00 +0000
  • dfa58f6089 Allow hosts to communicate with prometheus exporters Tim Sogard 2018-12-20 02:27:37 -0500
  • fcfdc8b19c mistakenly committed initial work for customer peering. so fixing the problem now by disabling the parts that would break things toby 2018-12-20 00:01:59 +0100
  • 279648eeb3 adding frr-pythontools and grub-pc as dependencies toby 2018-12-19 23:53:35 +0100