THIS IS NOT DC19 Infrastructure This is a cut and paste to be used as a template....
Infrastructure Team
Contents
Technical documentation
The NOC - Network Operations Center is located in room B-2206. The thermal properties of the room should be sufficient since it's large enough for effective heat dissipation.
APT proxy
An APT proxy is setup in the NOC room to alleviate upstream bandwidth needs and accelerate repeated builds. It's currently running on the gateway which has only a HDD (spinning disk, 7200 rpm, Seagate ST1000DM003-9YN1) so it may not be as fast as your favorite mirror running a shiny SSD drive. But we'll fix this eventually as well.
To configure your clients, see the quick tutorial for autoconfiguration. The address of the proxy is http://proxy:3142, if you prefer manual configuration. That assumes you obey DHCP search domain directives, if not, you'll need the full domain (http://proxy.dc17.debconf.org:3142).
DNS cache
We are providing a DNS caching server ("unbound") that provides DNS to the network. The domain "dc17.debconf.org" is reserved for the internal network and records are added on the DHCP/DNS server (noc0gw0) in the unbound.conf file, using entries like:
- local-data: "proxy.dc17.debconf.org. IN A 10.17.127.100"
Backend documentation
Maisonneuve IT has four gigabit ethernet drops directly from the nearby distribution switch (with 10gbit uplink) in the NOC, near the teacher's desk. The four ports are in the NOC room, next to the teacher's desk, and labeled B-2206 D1, 2, 3 and 4. The top port shouldn't be used: it's in the "teacher's" VLAN and has some ports blocked.
Here's the current port usage for the drops:
Port |
Device |
D1 |
noc0sw0 |
D2 |
noc0sw1 |
D3 |
free |
D4 |
free |
So the two core switches are independently connected to the backend distribution switches. From those distribution switches, we are in Maisonneuve's IT network, which interconnects the other rooms. They do propagate VLANs and routing (incl. NAT) for us, and also handle Wifi hotspots which are bridged with our VLANs.
All NATed traffic will come from 206.167.44.0/24.
Wifi
APs connected to our network have the ESSID "DebConf17" with the password "stretch17". The other ESSID ("cmaisonneuve"/"sansfil3800") is in a different network with blocked some ports.
IP allocation
Host |
IP |
Notes |
noc0sw0 |
10.17.127.0/17 |
core switch near teacher desk |
noc0sw1 |
10.17.127.1/17 |
core switch on table |
hacklabsw{0-6} |
10.17.127.1{0-6}/17 |
hacklab switches |
noc0gw0 |
10.17.127.100/17 |
DHCP / DNS server wired VLAN |
noc0gw0 |
10.17.254.100/17 |
DHCP / DNS server wireless VLAN |
noc0gw0 |
10.18.0.2/24 |
DNS server (not used) |
gw |
10.18.0.3/24 |
DHCP, PXE, DNS server video VLAN |
noc0gw0 |
206.167.36.194/26 |
DHCP / DNS server public VLAN |
noc1st0 |
206.167.36.195/26 |
8TB media server |
odroid4 |
206.167.36.196/26 |
Atlys debugging odroid |
noc0stream0 |
206.167.36.197/26 |
Local Stream mirror |
noc0stream1 |
206.167.36.198/26 |
Stream master |
VLAN and network allocations
Name |
Network |
Gateway (ingress) |
Egress IP |
VLAN id |
dc_wired |
10.17.0.0/17 |
10.17.0.1 |
206.167.44.200-210 |
901 (default) |
dc_wireless |
10.17.128.0/127 |
10.17.128.1 |
206.167.44.200-210 |
902 |
dc_video |
10.18.0.0/24 |
10.18.0.1 |
206.167.44.99 |
903 |
dc_public |
206.167.36.192/26 |
206.167.36.193 |
same IP |
904 |
More IP space can be allocated as needed, but do not use any of 10.20.0.0/16, 10.30.0.0/16, 10.80.0.0/16, which are used internally by Maisonneuve
Outgoing IP addresses are for the dc_wired and dc_wireless are spooled in the range 206.167.44.200-210.
Core switch port allocation
Ports are allocated to certain VLANs. They were grouped by columns to ease labeling and identification...
VLAN 903 |
VLAN 902 |
VLAN 904 |
Misc. |
1 |
7 |
13 |
19: 902 |
2 |
8 |
14 |
20: 902 |
3 |
9 |
15 |
21: trunk |
4 |
10 |
16 |
22: trunk |
5 |
11 |
17 |
23: trunk |
6 |
12 |
18 |
24: trunk |
Each cell in the table is a port, and unless otherwise noted, is in the VLAN identified by the column heading.
Bandwidth and capacity
The total available Internet bandwidth at Maisonneuve will be 450mbit.
Teachers and students will be absent from the venue in August, so a big chunk of that bandwidth should be available to the conferece.
The building are wired, most ports should be gig. Physical ports are all numbered which will make tagging them to specific VLANs easy.
We will also be provided with a block of public IP addresses, while most ports and wireless access will be NATed. A dedicated, password-protected SSID will be setup for the conference.
Setting up our own network services (DHCP, DNS, etc.) will be required. We'll use a debian box for these things, but it will probably not act as router, we'll rely on IT for that.
Cisco configuration tricks
We have Cisco switches. Proprietary hardware, we know, but that's what we have. This is the dumbest, simplest Cisco configuration primer ever.
First things, you need to connect, either through the "console" port, which is a basic serial console (9600 bauds etc)
- conf t
Sample configs, for the core switches:
- interface range GigabitEthernet1/0/1-6
- switchport access vlan 901 switchport mode access spanning-tree portfast end
Global configuration to make STP faster:
- no spanning-tree portfast bpdufilter default spanning-tree portfast bpdufilter default
The above enters configuration mode on the terminal, then sets up gigabit ports 1 through 6 (inclusively) to be in "access" (untagged) mode on VLAN id 901. For trunked ports:
- interface range GigabitEthernet1/0/21-24
- switchport trunk allowed vlan 901-904 switchport mode trunk switchport nonegotiate end
We also disable the HTTP server:
- no ip telnet no ip http server no ip http secure-server
And configure SSH:
- hostname noc0sw0 ip domain-name noc0sw0 crypto key generate rsa modulus 2048 ip ssh version 2 ip ssh authentication-retries 5 ip ssh logging events username root secret XXXXXXXXXX line vty 5 15
- login local transport input ssh end
Note that Cisco switches may use older SSH crypto that will cause problems in newer versions of SSH (e.g. in stretch). To workaround, use:
ssh -o ?KexAlgorithms=diffie-hellman-group1-sha1 ...
Tasks
- NOC setup: done!
- Hacklab setup: done!
- Installfest room setup: done!
apt-cache-ng proxy setup (antoine): done!
- crazy 20*800GB SSD machine setup (jerome, antoine): done!
- NOC, Hacklab teardown
Rooms
- NOC (B-2206): done!
- Hacklabs
- Hamm (D-2632A): done
- Slink (B-2660): done?
- Interior garden: done!
- BOF rooms: to do
- Potato (E-2205) - done?
- Woody (E-2212) - done?
- Talk rooms: video setup to be done on saturday
- Buzz (Salle Sylvain-Lelièvre - main auditorium)
- Rex ("Vivoir", the day camp room next to the NOC): done
- Bo (B-5501DEF)
We get access to all rooms Monday July 31, and that will be the day we setup most infrastructure.
Note that the reference list of all rooms is in ?DebConf17/Venue, this is merely a convenience copy to keep track of our presences and setup.
Known issues
core switch (noc0sw0) can't be pinged from wifi, because it's on the "network IP" (x.y.z.0). need to renumber --?TheAnarcat (?talk) 21:25, 3 August 2017 (UTC)
Resolved
there were sporadic reports of issues with the cafeteria AP during early debcamp. it is believe this may have been resolved, because last tests were positive. --?TheAnarcat (?talk) 19:24, 2 August 2017 (UTC)
wifi in cafeteria was broken broken with our APs - cmaisonneuve ESSIDs work, but debconf17 do not give DHCP: contacted upstream who fixed the switches VLANs. ?TheAnarcat (?talk) 01:36, 1 August 2017 (UTC)
alioth.debian.org seems to have blocked our network, #alioth channel notified on OFTC. --?TheAnarcat (?talk) 18:14, 1 August 2017 (UTC) - seems to have been resolved! -- ?TheAnarcat (?talk) 13:23, 2 August 2017 (UTC)
wifi AP 24:a4:3c:04:52:0d may have authentication isssues, in room E-3114, to be confirmed / verified --?TheAnarcat (?talk) 19:29, 2 August 2017 (UTC) / seems to have resolved itself --?TheAnarcat (?talk) 21:25, 3 August 2017 (UTC)
wifi in jardin is flaky when the place gets crowded. upstream will drop lines by tomorrow and we'll setup switches and a new AP. --?TheAnarcat (?talk) 19:23, 2 August 2017 (UTC) A new AP was put online and switches deployed this morning, network should be good now. --?TheAnarcat (?talk) 19:02, 4 August 2017 (UTC)
one of the cafeteria AP still has reliability issue. the APs with the BSSID C2:9F:DB:1B:87:DC (debconf17) and C6:9F:DB:1B:87:DC (cmaisonneuve) do not work very well: either they don't let you join at all or they let you long enough to get DHCP and then kick you out. the workaround right now is to move away from the AP, which is located in the south-west of the cafeteria (near the entrance leading to the front desk). the hamm hacklab, nearby, has good wifi and switches that work excellently. issue was reported upstream and we'll look into it. -- ?TheAnarcat (?talk) 19:51, 4 August 2017 (UTC) Wifi parameters were changed to lower power and some other settings, things are better now. --?TheAnarcat (?talk) 14:39, 5 August 2017 (UTC)
no wiring available in cafeteria for the installfest. we have access to the wooden cabinet, but the network drop there (d-3671) is on the wrong VLAN. --?TheAnarcat (?talk) 14:41, 5 August 2017 (UTC) Cafeteria wired for the installfest, whoohoo! Will be available to all attendees after today. Note that we seem restricted to VLAN 901, which is fine for now. --?TheAnarcat (?talk) 16:06, 5 August 2017 (UTC)
Volunteers
- abdelq / abdel
- anarcat / antoine
- gfa
- jathan
- lavamind / jerome - works in the IT department
- lhark / goulven
- martin - also IP
- olasd / Nicolas Dandrimont
- pollo / louis-philippe - works for the student union
- taggart - coming from seattle, can bring equipment/cabling/etc if it makes sense
- taowa
- tumbleweed / stefanor
Meetings
?DebConf17/Meetings/2017-07-31
Hardware inventory
Provided by Maisonneuve IT
- A dozen desktop lab computers (i7-3770 3.40Ghz, 16GB RAM, 1TB hard disk)
- ~6 Cisco 2960/2950 24-port 100mbit switches w/ gigabit uplink (possibly more, tbc)
- 2 Cisco 2960X 24-port gigabit switches (those need to stay in the NOC)
- ~10 tl-sg105 5 port unmanaged gig switches
- Ethernet patch cables (various lengths)
- Extra electrical panel (will be installed in Vivoir)
1 Dell ?PowerEdge 2950 server (2U rackmount)
Powerstrips and consumables (eg. tape) won't be provided.
Old wishlist
This was written before debconf and is no longer relevant but could be useful for next ones!
Todo: merge that stuff into ?Teams/Infrastructure and subpages.
Power
- 10-12 power strips: mostly north american, but a few universal would be nice - mostly got that, although we need more power bars still
- 4-6 power extensions of varying length, high amperage rated
- high amperage power splitters (??)
- lots of north american laptop power supply cords for common brands (get from computer recycle)
Network
- 8-10 network switches: 24+ ports, gig uplink, all ports gig preferred (done: from Maisonneuve IT)
- pre-fab cat6 jumpers (maybe enough for now?)
- 4 50ft
- 4 25ft
- 20 10ft
- 40 5ft
- a spool of cat6, cable ends, crimper, tester
Video team needs
- Per talk room (3 rooms in total):
- 2 ports at the front of the room
- 2 ports at the video desk (back of the room)
- These should all be gigabit, with full gigabit bandwidth between each other, and aggregate gigabit connectivity to the NOC
Usually we use a single drop & switch in the room
- NOC:
Storage server (>= 10TB), >= Gigabit uplink
- Streaming: 2 (maybe more) PCs / VMs, lots of CPU, some RAM.
- Video NOC:
- gigabit drop + switch
- Per talk room (3 rooms in total):
Other
- multiple rolls of gaffer's tape
- zip ties
- velcro straps