Bastion+ / WebSocket / Portal Dédiée
Présentation d’une mise en place type Bastion+ mode WebSocket permettant d’avoir une rupture protocolaire et un accès à un environnement de travail
Prérequis
Récupérer les différents roles Ansible suivants:
reemo-infra
reemo-infra-images
reemo-provision
reemo-relayws
Avoir un clé license
Architecture
Matrice de flux
DESCRIPTION |
TRANSPORT |
SOURCE IP |
SOURCE PORT |
DESTINATION IP |
DESTINATION PORT |
SERVICES |
|---|---|---|---|---|---|---|
Portal -> API |
TCP |
10.1.1.1 |
1024:65535 |
10.3.1.1 |
443 |
HTTPS |
API -> PROVISION |
TCP |
10.3.1.1 |
1024:65535 |
10.4.1.1 |
8443 |
HTTPS |
API -> RELAY |
TCP |
10.3.1.1 |
1024:65535 |
10.2.1.1 |
443,8443 |
HTTPS |
Portal Admin -> API |
TCP |
10.5.1.1 |
1024:65535 |
10.3.1.1 |
443 |
HTTPS |
Admin -> Portal Admin |
TCP |
10.6.1.0/24 |
1024:65535 |
10.5.1.1 |
443 |
HTTPS |
PROVISION -> Portal Internet |
TCP |
10.4.1.0/24 |
1024:65535 |
10.1.1.1 |
8443 |
HTTPS |
PROVISION -> RELAY |
TCP |
10.4.1.0/24 |
1024:65535 |
10.2.1.1 |
443 |
HTTPS |
INTERNET -> RELAY |
TCP |
WAN |
1024:65535 |
10.2.1.1 |
443 |
HTTPS |
INTERNET -> INFRA |
TCP |
WAN |
1024:65535 |
10.1.1.1 |
443 |
HTTPS |
Initialisation
Sur l’ensemble des 3 environnements, taper la commande suivante pour initialiser Docker Swarm
docker swarm init
Dans des environnements à plusieurs machines, relier les différents noeuds entre eux avec les commandes docker swarm join
Environnement Infra : Swarm Manager Environnement Provision : Swarm Manager + Worker Environnement Relay : Swarm Manager
Fichier inventaire Ansible
all:
vars:
ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
INIT_TYPE: "bastion"
DOCKER_VERSION: preprod
API_LICENSE: "ewogICAg ... Uw5NXhGVDF0NFU2TkxOdjQvZU53PT0iCiAgICC9Cn0="
HMACSECRET: "Taikohshugh8tahb2m"
portal_manager:
children:
portaluser_manager:
vars:
PORTAL_URL: "url.domain.tld"
PORTAL_TYPE: "user"
TRAEFIK_SSL_CERTS:
- cert_file: "/localpath/to/cert_domain.tld.crt"
key_file: "/localpath/to/key_domain.tld.key"
API_IP:
- ip: "10.3.1.1"
hosts:
portaluser1:
ansible_host: "10.1.1.1"
portaladmin_manager:
vars:
PORTAL_URL: "admin.domain.local"
PORTAL_TYPE: "admin"
TRAEFIK_SSL_CERTS:
- cert_file: "/localpath/to/cert_domain.local.crt"
key_file: "/localpath/to/key_domain.local.key"
API_IP:
- ip: "10.3.1.1"
hosts:
portaladmin1:
ansible_host: "10.5.1.1"
api_manager:
vars:
RELAYS_URL: "relay.domain.tld"
PROVISION_SIGNAL_IP:
- ip: "10.1.1.1"
PROVISION_IP:
- ip: "10.4.1.1"
RELAYS_IP:
- ip: "10.2.1.1"
hosts:
api1:
ansible_host: "10.3.1.1"
provision:
vars:
PROVISION_SWARM_ADVERTISE_ADDR: "10.4.1.1"
children:
provision_manager:
hosts:
provision_manager1:
ansible_host: "10.4.1.1"
provision_worker:
hosts:
provision_worker1:
nsible_host: "10.4.1.2"
relayws_manager:
vars:
TRAEFIK_SSL_CERTS:
- cert_file: "/localpath/to/cert_domain.tld.crt"
key_file: "/localpath/to/key_domain.tld.key"
hosts:
relayws_manager1:
ansible_host: "10.2.1.1"
Installation
pré-requis
Avoir les roles Ansible suivants:
reemo-infra-images
reemo-infra
reemo-provision
reemo-relayws
Avoir les playbooks suivants:
reemo-infra-images.yml
- name: Load Reemo Docker Image
hosts: infra_manager,api_manager,portal_manager,relayws_manager
gather_facts: yes
roles:
- role: reemo-infra-images
become: yes
reemo-infra.yml
- name: Installation Reemo Infra Server
hosts: infra_manager,portal_manager,api_manager
gather_facts: yes
roles:
- role: reemo-infra
become: yes
reemo-provision.yml
- name: Deploy Provision Reemo environment in swarm cluster
hosts: provision,provision_manager
gather_facts: yes
roles:
- role: reemo-provision
become: yes
reemo-relayws.yml
- name: Installation Reemo Relay WebSocket
hosts: relayws_manager
gather_facts: yes
roles:
- role: reemo-relayws
become: yes
Avec Internet
Si vos machines ont accès à Internet et que vous souhaitez automatiser l’installation et l’initialisation de Docker Swarm, uilisez les commandes suivantes:
ansible-playbook -i inventory.yml playbooks/reemo-infra-images.yml --extra-vars "INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit api_manager --extra-vars "INIT_DB=true" --extra-vars "INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit portaladmin_manager --extra-vars "INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit portaluser_manager --extra-vars "INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-provision.yml --extra-vars "PROVISION_INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "RELAYWS_INSTALL_DOCKER=true"
Sans Internet
Si pas d’accès Internet, il faut avant de lancer les roles avoir installé Docker sur l’ensemble des machines et initialiser l’environnement Docker Swarm
ansible-playbook -i inventory.yml playbooks/reemo-infra-images.yml
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit api_manager --extra-vars "INIT_DB=true"
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit portaladmin_manager
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit portaluser_manager
ansible-playbook -i inventory.yml playbooks/reemo-provision.yml
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml
Vous pouvez passer à la suite de la documentation sur la page suivante : Guide de démarrage