Here is how I currently have my machines connected. Posted here for documentation, and to get it straight in my own head.
Getting the NUC (named Nuzleaf) seems to have been the critical factor in making progress. It can host enough VMs to run an OpenShift control plane, and it has wireless, which means the setup is no longer dependent on a physical wire for external connectivity. I have been able to migrate most of the functions I need onto the base OS of the NUC rather than running them in VMs. Right now these are:
- FreeIPA for DNS and Certificates
- Generic Web Hosting for ISOs, Kickstarts, and ignition files.
- PXE Provisioning (The three previous features combined)
- Container Registry Mirroring (run in a container)
- Virtual Machine Hosting
- Routing between Different Physical and Virtual Networks
The NUC has one built-in physical Ethernet port (Fedora labels it enp3s0). This was originally used only for communication with the outside world. I've switched that function over to the wireless network. However, I plan on using it for internal (laptop-to-NUC) communication, which I am calling the DMZ for the moment. I got a USB Ethernet adapter for the traffic to the three rack-mounted Dell R610 servers.
I've allocated a Class C (a /24) from the 192.168.X.X range to each of the networks on which Nuzleaf serves DHCP. Two of these are served by DHCPD, and one by the libvirt-managed dnsmasq server. These are
Why do they get different subdomains? Because some of them, maybe most of them, are going to be on multiple networks, and need to be distinguishable by their IP address. For example, Nuzleaf is going to be on all of these networks, and needs to operate as the IDM server for machines on all of them. When Nuzleaf was initially set up, I put the following into its /etc/hosts file:
This is allocated from DHCP on the WiFi network. However, that IP address is not reachable from machines that are not on that network.
It might turn out that only the IDM server needs multiple identities, but I suspect that the HAProxy node will as well. If I can collapse this down to a single subdomain, I will.
EDIT: OK, so even this IDM setup is making it hard, if not impossible, to register clients. I redid the IDM server so that instead of using the 10.0.0.238 IP address from the wireless router, it uses the 192.168.122.1 IP address of the Default network, from the dnsmasq associated with libvirt.
I also created a firewalld zone called libvirt. It looks like this:
```
# firewall-cmd --list-all --zone=libvirt
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0 virbr1 virbr2 virbr3
  sources:
  services: dhcp dhcpv6 dns freeipa-ldap freeipa-ldaps http kerberos kpasswd ldap ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule priority="32767" reject
```
Notice that this zone has all the internal virtual bridges for VM traffic. I might need to move the rack network onto this firewall zone as well.
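As an added example (not code from the original post), here is a small Python audit of that zone listing. It parses the text that `firewall-cmd --list-all --zone=libvirt` prints (the sample is the listing above, re-typed), maps the opened services back to the roles Nuzleaf serves (the role-to-service mapping is an assumption made for the example), and flags two things worth checking on any zone whose target is ACCEPT: whether every open service is explained by a role the host is supposed to have, and whether the trailing priority-32767 reject rich rule is still present, since with the target at ACCEPT that rule is what turns away input that no listed service matches.

```python
"""Audit a firewalld zone listing against the roles a host is supposed to serve.

Added example, not from the original post. It parses the text printed by
`firewall-cmd --list-all --zone=<zone>` and reports services that no declared
role explains, services a role needs but the zone does not open, and a zone
whose target is ACCEPT but which lacks a catch-all reject/drop rich rule.
"""
import re

# Assumed mapping from the roles this host plays to the firewalld services
# each role is expected to open. Adjust to the host being audited.
ROLE_SERVICES = {
    "idm": {"dns", "freeipa-ldap", "freeipa-ldaps", "kerberos", "kpasswd", "ldap"},
    "pxe": {"dhcp", "dhcpv6", "tftp", "http"},
    "admin": {"ssh"},
}

# The post's own libvirt zone listing, re-typed as sample input.
SAMPLE_ZONE = """\
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0 virbr1 virbr2 virbr3
  sources:
  services: dhcp dhcpv6 dns freeipa-ldap freeipa-ldaps http kerberos kpasswd ldap ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule priority="32767" reject
"""


def parse_zone(text):
    """Turn `firewall-cmd --list-all` output into a dict of raw field values.

    'rich rules:' is the last field the tool prints; every line after it is
    one rich rule, so those are collected into a list.
    """
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    name, _, rest = lines[0].partition(" ")
    zone = {"name": name, "active": "(active)" in rest, "rich rules": []}
    in_rich = False
    for line in lines[1:]:
        if in_rich:
            zone["rich rules"].append(line.strip())
            continue
        key, _, value = line.strip().partition(":")
        if key == "rich rules":
            in_rich = True
            continue
        zone[key] = value.strip()
    return zone


def is_catch_all(rule):
    """True for a rich rule that rejects or drops without any match clause."""
    has_action = re.search(r"\b(reject|drop)\b", rule) is not None
    has_match = re.search(
        r"\b(source|destination|service|port|protocol|icmp-type)\b", rule
    ) is not None
    return has_action and not has_match


def audit_zone(zone, roles):
    """Return a list of findings (empty list means the zone matches the roles)."""
    services = set(zone.get("services", "").split())
    expected = set().union(*(ROLE_SERVICES[r] for r in roles))
    findings = []
    unexpected = sorted(services - expected)
    if unexpected:
        findings.append("services not explained by roles %s: %s" % (sorted(roles), unexpected))
    missing = sorted(expected - services)
    if missing:
        findings.append("services required by roles but not opened: %s" % missing)
    if zone.get("target") == "ACCEPT" and not any(is_catch_all(r) for r in zone["rich rules"]):
        findings.append("target ACCEPT without a catch-all reject/drop rich rule: "
                        "input matched by no service is accepted")
    if not zone.get("interfaces") and not zone.get("sources"):
        findings.append("zone is bound to no interface or source, so it filters nothing")
    return findings


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for finding in audit_zone(zone, ["idm", "pxe", "admin"]) or ["no findings"]:
        print("%s: %s" % (zone["name"], finding))
```

Feeding the real output in is a matter of replacing `SAMPLE_ZONE` with `subprocess.check_output(["firewall-cmd", "--list-all", "--zone=libvirt"], text=True)`; the audit is deliberately kept apart from the command so it can be run against saved listings from several hosts.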
The lesson learned here is that IDM should have a “good” name associated with the Subnet that it is managing.
Note that if I want to keep an entry for Nuzleaf in my laptop's /etc/hosts I can do so. However, the routing on Nuzleaf seems to let me connect to all hosts from my laptop via all networks except "Default", which is NATed.