476
edits
Docs: Difference between revisions
→Updating Nodes
(added proxmox MC VMs) |
|||
|
=== Updating Nodes ===
Proxmox runs on top of Debian, so the updating process is the mostly same.
# <code>apt update && apt upgrade</code>
# (Optional but recommended) <code>reboot</code> the node
For the yearly major version bumps, you may need to run <code>apt update && apt upgrade</code>, followed by <code>apt dist-upgrade</code>; This is the process on Debian, but I haven't tested it on Proxmox.
Check the [https://pve.proxmox.com/wiki/Category:Upgrade Proxmox wiki's 'Upgrade' category] for specific instructions when the time comes.
== Firewall/Router ==
Our firewall/router runs [https://www.pfsense.org/ pfSense], soon to be [https://opnsense.org/ OPNsense].
All IP addressing of servers and virtual machines happens through DHCP, and can be viewed in the pfSense 'DHCP Leases' tab. (except Proxmox nodes, which don't support DHCP and require static addressing)
Otherwise, most configuration can be viewed by poking around the web interface.
Of note:
We two main networks:
* 10.10.0.0/24 - Management (OOB Management services like [https://www.dell.com/en-us/lp/dt/open-manage-idrac Dell iDRAC] / [https://www.hpe.com/us/en/hpe-integrated-lights-out-ilo.html HP iLO])
* 10.10.1.0/24 - LAN (servers/VMs)
In addition, there are two main VPN networks:
* 10.10.10.0/24 - OpenVPN
* 10.10.11.0/24 - Wireguard
** 10.10.11.0/25 - Wireguard admin range (access to Management+LAN, no WAN)
** 10.10.11.128/25 - Wireguard user range (access to only LAN, no WAN)
=== Firewall rules ===
View the WebUI for the specific firewall rules, but some of the more basic/essential ones are:
# Management cannot communicate with LAN/WAN (the internet), and LAN cannot communicate with Management.
## Generally, Management should be restricted from everything else. (maybe even other iDrac servers?)
## OOB services tend to be ''super'' vulnerable, there are dozens of [https://github.com/mgargiullo/cve-2018-1207 premade scripts] that instapwn iDRACs and give you a root shell by just pointing them at the IP address.
## Because of this, the iDRAC web login interface should only be accessible to anyone you're okay having root on the server.
# Wireguard
## The admin/user split is so all members can be given a wireguard config to the internal network without having to worry about them being able to trivially get root on all servers running premade-exploits like [https://github.com/mgargiullo/cve-2018-1207 these] on the iDracs.
## If someone shows up to a couple meetings they're probably fine to get an admin config; this is more for peace-of-mind to not need to worry about the configs given to people who went to one meeting once at the beginning of the semester and have never been seen again.
## Neither config should have access to WAN, just to prevent someone getting LUG in hot water if they attempt to torrent or something similarly dumb through the VPN.
== Fileserver ==
Coming Soon, currently unprovisioned (waiting on new PSU; and
= Management =
| |||