.. keep this in sync with the 'sysadm' section in swh-docs/docs/index.rst
This section gathers the knowledge base for our network components.

.. toctree::
   :maxdepth: 2
   :titlesonly:

Network architecture
********************
The network is split into several VLANs provided by the INRIA network team:

.. thumbnail:: ../images/network.png

Firewalls
=========
The firewalls are 2 `OPNsense <https://opnsense.org>`_ VMs deployed on the PROXMOX cluster with a `High Availability <https://docs.opnsense.org/manual/hacarp.html?highlight=high%20availability>`_ configuration.

They share a virtual IP on each VLAN to act as the gateway. Only one of the 2 firewalls owns all the gateway IPs at a given time; the owner is called the ``PRIMARY``.

Once the tunnel is created, the GUI is accessible at https://localhost:8443 in any browser.

Configuration backup
--------------------
The configuration is automatically committed to a `git repository <https://forge.softwareheritage.org/source/iFWCFG/branches/master/>`_.
Each firewall regularly pushes its configuration to a dedicated branch of the repository.

The configuration is visible on the `System / Configuration / Backups <https://pushkin.internal.softwareheritage.org/diag_backup.php>`_ page
of each firewall.

Upgrade procedure
-----------------
Initial status
^^^^^^^^^^^^^^
This is the nominal status of the firewalls:

.. list-table::
   :header-rows: 1

   * - Firewall
     - Status
   * - pushkin
     - PRIMARY
   * - glyptotek
     - BACKUP

Preparation
^^^^^^^^^^^
* Connect to the `principal <https://pushkin.internal.softwareheritage.org>`_ (pushkin here)
* Check the `CARP status <https://pushkin.internal.softwareheritage.org/carp_status.php>`__ to ensure the firewall is the principal (it must have the status MASTER for all the IPs)
* Connect to the `backup <https://glyptotek.internal.softwareheritage.org>`_ (glyptotek here)
* Check the `CARP status <https://glyptotek.internal.softwareheritage.org/carp_status.php>`__ to ensure the firewall is the backup (it must have the status BACKUP for all the IPs)
* Ensure the 2 firewalls are in sync:

  * On the principal, go to the `High availability status <https://pushkin.internal.softwareheritage.org/status_habackup.php>`_ and force a synchronization
  * click on the button on the right of ``Synchronize config to backup``

* check the status of the VIPs, they must be ``BACKUP`` on pushkin and ``PRIMARY`` on glyptotek
* wait a few minutes to let the monitoring detect whether there are connection issues, and check the ssh connection to several servers on different VLANs (staging, admin, ...)

If everything is OK, proceed to the next section.

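Beyond the High availability status page, the per-firewall branches of the configuration repository give a second way to confirm that the two nodes are in sync: compare the ``config.xml`` backup of the principal with that of the backup and report the sections that differ. The script below is an added example for this page, not code from the OPNsense project or from the Software Heritage repository. Both sample documents are constructed and heavily reduced; the set of ignored paths (hostname, revision metadata, CARP ``advskew``) and the idea that each branch holds a ``config.xml`` are assumptions of the example, not something the page states.

```python
"""Compare two OPNsense ``config.xml`` backups and report the top-level
sections whose content differs.

Added example for this page (not code from the OPNsense project or from
the Software Heritage repository). Both sample documents below are
constructed and heavily reduced; they are not real firewall configurations.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Paths (relative to the <opnsense> root) that are expected to differ
# between the two HA members and must not count as drift.
# Assumption for this example: the hostname and the revision metadata are
# node-specific, and the CARP advskew is what makes one node PRIMARY and the
# other BACKUP. Adapt this set to what your HA sync settings replicate.
IGNORED_PATHS = {
    "system/hostname",
    "revision",
    "virtualip/vip/advskew",
}

# Constructed sample: what the principal's branch might hold.
PRIMARY_CFG = """<opnsense>
  <system>
    <hostname>pushkin</hostname>
    <domain>internal.softwareheritage.org</domain>
  </system>
  <revision><time>1700000000</time><username>root</username></revision>
  <virtualip>
    <vip><mode>carp</mode><subnet>192.0.2.1</subnet><vhid>10</vhid><advskew>0</advskew></vip>
  </virtualip>
  <filter>
    <rule><type>pass</type><interface>lan</interface><descr>allow ssh</descr></rule>
  </filter>
</opnsense>"""

# Constructed sample: the backup's branch, with one extra filter rule that
# did not come from the sync (deliberate drift so the script has something to find).
BACKUP_CFG = """<opnsense>
  <system>
    <hostname>glyptotek</hostname>
    <domain>internal.softwareheritage.org</domain>
  </system>
  <revision><time>1700000600</time><username>root</username></revision>
  <virtualip>
    <vip><mode>carp</mode><subnet>192.0.2.1</subnet><vhid>10</vhid><advskew>100</advskew></vip>
  </virtualip>
  <filter>
    <rule><type>pass</type><interface>lan</interface><descr>allow ssh</descr></rule>
    <rule><type>block</type><interface>wan</interface><descr>stale local edit</descr></rule>
  </filter>
</opnsense>"""


def flatten(elem: ET.Element, prefix: str = "") -> List[str]:
    """Serialise a subtree as ordered ``path=text`` lines, skipping ignored paths.

    Order is kept on purpose: firewall rules are evaluated in order, so a
    reordering is a real difference, not noise.
    """
    path = f"{prefix}/{elem.tag}" if prefix else elem.tag
    if path in IGNORED_PATHS:
        return []
    children = list(elem)
    if not children:
        return [f"{path}={(elem.text or '').strip()}"]
    lines: List[str] = []
    for child in children:
        lines.extend(flatten(child, path))
    return lines


def sections_by_tag(xml_text: str) -> Dict[str, List[str]]:
    """Map each top-level section of a config.xml to its flattened lines."""
    root = ET.fromstring(xml_text)
    return {child.tag: flatten(child) for child in root}


def differing_sections(xml_a: str, xml_b: str) -> List[str]:
    """Return the sorted names of top-level sections that differ between two configs."""
    a, b = sections_by_tag(xml_a), sections_by_tag(xml_b)
    return sorted(tag for tag in set(a) | set(b) if a.get(tag) != b.get(tag))


if __name__ == "__main__":
    drift = differing_sections(PRIMARY_CFG, BACKUP_CFG)
    print("sections out of sync:", drift or "none")
```

On the two constructed samples the script reports only ``filter`` as out of sync: the hostname, revision and ``advskew`` differences are expected between the two HA members and are filtered out. In practice the ignore list has to match what the HA synchronization is configured to replicate, otherwise sections that are never synced will always show up as drift.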
Upgrade the first firewall
^^^^^^^^^^^^^^^^^^^^^^^^^^
Before starting this section, the firewall statuses should be:

.. list-table::
   :header-rows: 1

   * - Firewall
     - Status
   * - pushkin
     - BACKUP
   * - glyptotek
     - PRIMARY

If not, be sure of what you are doing and adapt the links accordingly.

* [2] go to the `System Firmware: status <https://pushkin.internal.softwareheritage.org/ui/core/firmware#status>`_ page (pushkin here)