
Resolve private network interface

Description

Resolve private network interface

Summary:
Currently, node.resolve_network() gives the "most public" IP address
available on a node.

For tasks like T1826 or T1829, we need to know the "most private" IP address
to allow servers like SSH or Alkane to listen there, restricting those services
for internal use.

For example, this allows passing the following Jinja template expression
to any configuration that needs a private IP address to listen on:

{{ network["private_ipv4_address"] | default("localhost") }}

Using heuristics, the method will recommend, through is_private_network_stable,
whether the private network is stable, i.e. suitable for listening to critical
services like SSH. A network is currently unstable if it needs a GRE tunnel
to connect to the private network. The goal is to avoid being locked
out of a machine if the tunnel is broken: an SSH connection is useful
to debug it. In the future, we can declare as stable the nodes with a KVM
and a documented procedure to relink quickly to the private network.

Ref T1829

Test Plan: salt '*' node.resolve_network

Reviewers: dereckson

Reviewed By: dereckson

Maniphest Tasks: T1829

Differential Revision: https://devcentral.nasqueron.org/D3004
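The selection and stability rule described in the commit message, as an added illustration that is not the project's node module: it picks the RFC 1918 IPv4 address on a non-tunnel interface when one exists, flags a private network reachable only through GRE as unstable, and shows why SSH should fall back to binding all interfaces in that case. The interface table, the "gre*" naming convention for tunnels, and the function names are constructed assumptions for this example.

```python
import ipaddress

# Added example, not the project's own resolve_network() implementation.
# The interface table below is constructed; it is not read from a host.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_INTERFACES = {
    "lo":   ["127.0.0.1"],
    "eth0": ["203.0.113.10"],   # public address (TEST-NET-3 documentation range)
    "eth1": ["10.20.30.40"],    # private address on a physical link
    "gre1": ["172.16.5.2"],     # private address reachable only through a GRE tunnel
}


def is_rfc1918(addr):
    """True for an IPv4 address inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def is_tunnel_interface(name):
    # Assumption: GRE tunnels are named gre*, as created by "ip tunnel add gre1 mode gre".
    return name.startswith("gre")


def resolve_private_network(interfaces):
    """Pick the "most private" IPv4 address, preferring a non-tunnel interface.

    Returns a dict with private_ipv4_address, interface and stable, or an empty
    dict when the node has no private address, so that a template using
    default("localhost") falls back to the loopback name.
    """
    candidates = [(iface, addr)
                  for iface, addrs in interfaces.items()
                  for addr in addrs if is_rfc1918(addr)]
    if not candidates:
        return {}
    # A private address on a physical link beats one behind a tunnel;
    # ties are broken by interface name for a deterministic result.
    iface, addr = min(candidates, key=lambda c: (is_tunnel_interface(c[0]), c[0]))
    return {
        "private_ipv4_address": addr,
        "interface": iface,
        "stable": not is_tunnel_interface(iface),
    }


def listen_address(network):
    """Python mirror of {{ network["private_ipv4_address"] | default("localhost") }}."""
    return network.get("private_ipv4_address", "localhost")


def sshd_listen_address(network):
    """Bind SSH to the private address only when the private network is stable.

    If the private network depends on a GRE tunnel, keep SSH on all interfaces:
    a broken tunnel must not lock the operator out of the machine.
    """
    if network.get("stable"):
        return network["private_ipv4_address"]
    return "0.0.0.0"


if __name__ == "__main__":
    net = resolve_private_network(SAMPLE_INTERFACES)
    print("private network:", net)
    print("generic ListenAddress:", listen_address(net))
    print("sshd ListenAddress:", sshd_listen_address(net))
```

Note that the classification relies on an explicit RFC 1918 list rather than ipaddress's is_private, which also reports documentation ranges such as 203.0.113.0/24 as private and would misfile the sample public address.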

Details

Provenance
dereckson authored on Apr 12 2023, 17:52
dereckson pushed on Apr 12 2023, 20:17
Reviewer
dereckson
Differential Revision
D3004: Resolve private network interface
Parents
rOPSfc68688d0e13: Update Let's Encrypt configuration for webserver-core role
Branches
Unknown
Tags
Unknown
Tasks
T1829: Don't listen to world SSH for IntraNought servers