diff --git a/sysadm/images/.gitignore b/sysadm/images/.gitignore
--- a/sysadm/images/.gitignore
+++ b/sysadm/images/.gitignore
@@ -1,2 +1,2 @@
 staging-environment.svg
-
+network.svg
diff --git a/sysadm/images/network.uml b/sysadm/images/network.uml
new file mode 100644
--- /dev/null
+++ b/sysadm/images/network.uml
@@ -0,0 +1,48 @@
+@startuml
+
+nwdiag {
+ inet [ shape = cloud ];
+ inet -- inria_gw;
+
+ network VLAN1300 {
+ address = "128.93.166.0/26"
+ workers;
+ kafka;
+ inria_gw;
+ forge;
+ pergamon;
+ moma;
+
+ group {
+ pushkin [shape = boundary];
+ glyptotek [shape = boundary];
+ }
+
+ }
+ network VLAN440 {
+ address = "192.168.100.0/24"
+ workers;
+ pushkin;
+ glyptotek;
+ forge;
+ kafka;
+ pergamon;
+ moma;
+ production_nodes [description = "Production nodes"];
+ }
+
+ network VLAN443 {
+ address = "192.168.130.0/24"
+ pushkin;
+ glyptotek;
+ staging_nodes [description = "Staging nodes"];
+ }
+
+ network VLAN442 {
+ address = "192.168.50.0/24"
+ pushkin;
+ glyptotek;
+ admin_nodes [description = "Admin nodes"];
+ }
+}
+@enduml
diff --git a/sysadm/network-architecture/reference-network-configuration.rst b/sysadm/network-architecture/reference-network-configuration.rst
--- a/sysadm/network-architecture/reference-network-configuration.rst
+++ b/sysadm/network-architecture/reference-network-configuration.rst
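Review bot: `pushkin` and `glyptotek` appear on all four VLANs in network.uml, but nothing in the file says why, so a reader of the diagram source alone cannot tell they are the inter-VLAN firewalls that the accompanying reference page in this same commit describes; a PlantUML comment above the `group` block would carry that, e.g. `' pushkin and glyptotek are the two firewalls; all inter-VLAN traffic is filtered by them`. Likewise `inria_gw` is the only summary node without a `description` while `production_nodes`, `staging_nodes` and `admin_nodes` each have one; `inria_gw [description = "INRIA gateway (inbound filtering)"];` would make the trust boundary between `inet` and VLAN1300 explicit in the rendered SVG. Both suggestions are documentation-only and should be checked against the page text, which is where the firewall and gateway roles are stated.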
@@ -3,5 +3,61 @@ Reference: Network configuration ================================ +The network is split in several VLANs provided by the INRIA network team: + +.. thumbnail:: ../images/network.svg + +VLANs +----- + +All inter vlan communications are filtered by our firewalls `pushkin` and `glyptotek`. + .. todo:: - This page is a work in progress. For now, please refer to the :ref:`swh-devel:network_configuration`. \ No newline at end of file + Check the for more information. + +VLAN1300 - Public network +~~~~~~~~~~~~~~~~~~~~~~~~~ + +The detail of this range is available in this `VLAN1300 inventory page `_ + +All the inbound traffic is firewalled by the INRIA gateway. The detail of the opened ports is +visible on the private archive in the file :file:`sysadm/Software_Heritage_VLAN1300_plan.ods` + +Some nodes are directly exposed on this network for special needs: + +* moma: the main archive entry point +* production workers: to have different visible ips during forge crawling +* pergamon: act as a reverse proxy for some public sites (debian repository, annex, sentry, ...) +* forge: needs some special rules + +VLAN440 - Production network +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +All the nodes dedicated to the main archive are deployed in this network. + +The detail of this range is available in this `VLAN440 inventory page `_ + +For historical reasons, some admin nodes are deployed in this range (monitoring, ci, ...) +and will be progressively moved into the admin network. + +The internal domain associted to ththis vlan is ``.internal.staging.swh.network`` + +VLAN443 - Staging network +~~~~~~~~~~~~~~~~~~~~~~~~~ + +All the nodes dedicated to the staging version of the archive are deployed on this network. +POCs and temporary nodes can also take place in the range. 
+ +The detail of this range is visible in this `VLAN443 inventory page `_ + +The internal domain associted to this vlan is ``.internal.staging.swh.network`` + +VLAN442 - Admin network +~~~~~~~~~~~~~~~~~~~~~~~ + +This network is dedicated for admin and support nodes. + +The detail of this range is visible in this `VLAN442 inventory page `_. + +The internal domain associted to this vlan is ``.internal.admin.swh.network`` +