====== Server installation ======

# Common

## Network

`nano /etc/network/interfaces`

```
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 10.0.0.3
    netmask 255.255.255.248
    gateway 10.0.0.1

auto eth1
iface eth1 inet static
    address 10.10.0.3
    netmask 255.255.255.248
    mtu 9000

auto vmbr0
iface vmbr0 inet static
    address 10.20.10.3
    netmask 255.255.255.248
    ovs_type OVSBridge
    post-up ovs-vsctl add-port vmbr0 gre0 -- set interface gre0 type=gre options:remote_ip='10.10.0.4'

auto vmbr1
iface vmbr1 inet manual
    ovs_type OVSBridge
    post-up ovs-vsctl add-port vmbr1 gre1 -- set interface gre1 type=gre options:remote_ip='10.10.0.4'
    post-up ip link set dev vmbr1 up
```

`net.ipv4.ip_forward=1`

`nano /etc/hosts`

## apt

`rm /etc/apt/sources.list.d/pve-enterprise.list`

`echo 'deb http://download.proxmox.com/debian jessie pve-no-subscription' > /etc/apt/sources.list.d/pve-no-subscription.list`

```
apt install glusterfs-server iptables-persistent cron-apt safe-rm molly-guard sshguard
systemctl enable sshguard
systemctl enable netfilter-persistent
```

## Iptables

`nano /etc/iptables/rules.v4`

```
# Generated by iptables-save v1.4.21 on
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on
# Generated by iptables-save v1.4.21 on
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
:TCP-FORWARD - [0:0]
:UDP-FORWARD - [0:0]
:TCP - [0:0]
:UDP - [0:0]
:LOG-IN - [0:0]
:LOG-FW - [0:0]
-A LOG-IN -m limit --limit 2/min -j LOG --log-prefix "[LOG-IN] "
-A LOG-IN -p udp -j REJECT --reject-with icmp-port-unreachable
-A LOG-IN -p tcp -j REJECT --reject-with tcp-reset
-A LOG-IN -j REJECT --reject-with icmp-proto-unreachable
-A LOG-FW -m limit --limit 2/min -j LOG --log-prefix "[LOG-FW] "
-A LOG-FW -p udp -j REJECT --reject-with icmp-port-unreachable
-A LOG-FW -p tcp -j REJECT --reject-with tcp-reset
-A LOG-FW -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -j sshguard
-A FORWARD -j sshguard
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A INPUT -s 10.10.0.0/29 -d 10.10.0.0/29 -i eth1 -j ACCEPT
-A INPUT -s 10.10.0.0/29 -d 239.192.217.120 -i eth1 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j REJECT
-A FORWARD -m conntrack --ctstate INVALID -j REJECT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i vmbr0 -o vmbr0 -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -i vmbr0 -o eth0 -j ACCEPT
-A FORWARD -s 172.16.42.0/24 -i vmbr0 -o eth0 -j ACCEPT
-A FORWARD -d 172.16.42.0/24 -o vmbr0 -i eth0 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A FORWARD -p udp -m conntrack --ctstate NEW -j UDP-FORWARD
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP-FORWARD
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG-IN
-A FORWARD -j LOG-FW
COMMIT
# Completed on
# Generated by iptables-save v1.4.21 on
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on
```

```
cfdisk /dev/sdb
mkfs.xfs -i size=512 /dev/sdb1
mkdir -p /data
echo '/dev/sdb1 /data xfs defaults 1 2' >> /etc/fstab
mount -a && mount
systemctl enable glusterfs-server
systemctl start glusterfs-server
mkdir /data/vm-data
gluster volume create vm-data kush:/data/vm-data
gluster volume start vm-data
mkdir /data/vm-vpn
gluster volume create vm-vpn kush:/data/vm-vpn
gluster volume start vm-vpn
```

* Add glusterfs in proxmox
* create vm vpn

-----

Add node glusterfs (do not create the volumes on amnesia)

```
gluster peer probe amnesia
gluster volume add-brick vm-vpn replica 2 amnesia:/data/vm-vpn
gluster volume add-brick vm-data replica 2 amnesia:/data/vm-data
```

Creating the Proxmox node:

```
pvecm create neutrinet
pvecm add kush

# quorum section of corosync.conf for a two-node cluster
quorum {
  provider: corosync_votequorum
  two_node: 1
}
```
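A lint for the `/etc/iptables/rules.v4` file from the Iptables section, as an added example that is not part of the original page: it parses iptables-save text and returns the chain policies, the chains that are referenced but never declared, and the user chains that hold no rules. `SAMPLE` is a constructed, shortened copy of the filter table, and the `TARGETS` set is an assumption that covers only the targets used on this page.

```python
import re

# Constructed sample: a shortened filter table in the iptables-save format used on this page.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
:TCP - [0:0]
:UDP - [0:0]
:LOG-IN - [0:0]
-A LOG-IN -m limit --limit 2/min -j LOG --log-prefix "[LOG-IN] "
-A INPUT -j sshguard
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m conntrack --ctstate NEW -j TCP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG-IN
COMMIT
"""

# Jump targets that are not chains (assumption: only those used on this page).
TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN", "MASQUERADE"}

def audit(text):
    """Return (policies, undeclared, empty) for an iptables-save dump."""
    policies, rule_count, used, table = {}, {}, set(), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):            # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":"):          # chain declaration with its policy
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
            rule_count[(table, chain)] = 0
        elif line.startswith("-A "):        # appended rule
            chain = line.split()[1]
            used.add((table, chain))
            rule_count[(table, chain)] = rule_count.get((table, chain), 0) + 1
            jump = re.search(r"(?:^|\s)-j\s+(\S+)", line)
            if jump and jump.group(1) not in TARGETS:
                used.add((table, jump.group(1)))
    undeclared = sorted(used - set(policies))
    # User chains (policy "-") without rules; sshguard fills its own chain at runtime.
    empty = sorted(c for c, p in policies.items() if p == "-" and rule_count[c] == 0)
    return policies, undeclared, empty

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the full ruleset, the empty-chain list shows which of the `TCP`, `UDP`, `TCP-FORWARD` and `UDP-FORWARD` chains accept nothing yet, so every new connection routed to them falls through to the logging and reject chains.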