A proposal of a uniform way to give a DNS name to machines, services and network equipment on all sites.
For some time now, several sites have applied the network golden rules, so the networks on those sites are known and documented on the golden-rules page. For most IP addresses on those sites it is therefore possible to find the corresponding VLAN by browsing the golden-rules page. But not all networks are declared there: local lab networks, for example, are not documented on the golden-rules page.
Moreover, some services like kadeploy, the frontend or dhcp have multiple interfaces and/or IP addresses, but only their main IP address has a DNS entry. So even golden-rules networks are full of IP addresses that are not easily recognized. A section below explains how to use the net-scan tool to find out which addresses of a network are in use and which names they resolve to. Those orphan IP addresses are mainly secondary service network addresses and network equipment addresses.
For sites that have not applied the golden rules yet, finding out which network a given IP address belongs to is much more difficult. To remedy this situation, this document proposes a solution that:
- makes sure that the network/VLAN (its name) of any IP address can be identified with a simple reverse DNS lookup,
- makes sure that every IP address has an entry in DNS,
- gives instructions on how to organize the DNS configuration files so that filling in DNS entries is easy.
Naming networks and VLANs
The best way to make sure that the network/VLAN of any IP address can be identified with a simple reverse DNS lookup is to add to the DNS entry a label that corresponds to the network. The machine naming convention is already well implemented throughout Grid'5000 and should not be changed. But all those names are linked to IP addresses that necessarily belong to a network. So by applying golden names to those networks, the current machine names become aliases of the network-qualified names.
The following examples try to cover the cases where a user resolves names:
- node in production network (network = prod)
  frontend:~$ host sol-1.sophia.grid5000.fr
  sol-1.sophia.grid5000.fr CNAME sol-1.prod.sophia.grid5000.fr
  sol-1.prod.sophia.grid5000.fr A 172.16.129.1
- node's management interface (network = admin)
  frontend:~$ host sol-1-bmc.sophia.grid5000.fr
  sol-1-bmc.sophia.grid5000.fr CNAME sol-1.admin.sophia.grid5000.fr
  sol-1.admin.sophia.grid5000.fr A 172.17.129.1
- node's Myrinet interface (network = mx)
  frontend:~$ host sol-1-myri0.sophia.grid5000.fr
  sol-1-myri0.sophia.grid5000.fr CNAME sol-1.mx.sophia.grid5000.fr
  sol-1.mx.sophia.grid5000.fr A 172.18.129.1
- service in production network (network = prod)
  frontend:~$ host fsophia.sophia.grid5000.fr
  fsophia.sophia.grid5000.fr CNAME fsophia.prod.sophia.grid5000.fr
  fsophia.prod.sophia.grid5000.fr A 172.16.143.1
- service in administration network (network = admin)
  frontend:~$ host fsophia.admin.sophia.grid5000.fr
  fsophia.admin.sophia.grid5000.fr A 172.17.143.1
- where is the virtual network gateway
  frontend:~$ host gw.virtual.sophia.grid5000.fr
  gw.virtual.sophia.grid5000.fr A 10.167.255.254
- node in a kavlan local network (network = kavlan-1). This would be the same for kavlan-2 and kavlan-3
  frontend:~$ host sol-1.kavlan-1.sophia.grid5000.fr
  sol-1.kavlan-1.sophia.grid5000.fr A 192.168.194.1
- where is the kavlan-[1,2,3] gateway. These are isolated kavlan networks: they are neither routed globally nor locally. The gateway is only symbolic, since these hosts are used as ssh gateways.
  frontend:~$ host gw.kavlan-1.sophia.grid5000.fr
  gw.kavlan-1.sophia.grid5000.fr CNAME kavlan-1.kavlan-1.sophia.grid5000.fr
  kavlan-1.kavlan-1.sophia.grid5000.fr A 192.168.207.254
- where is the kavlan-[4-9] gateway. These are routed kavlan networks: they are routed locally and globally, and their gateway is the site's main router.
  frontend:~$ host gw.kavlan-4.sophia.grid5000.fr
  gw.kavlan-5.sophia.grid5000.fr CNAME fastiron.kavlan-5.sophia.grid5000.fr
  fastiron.kavlan-5.sophia.grid5000.fr A 10.32.63.254
- where is the kavlan-18 gateway. This is a global kavlan network: the same VLAN is propagated on all sites, and its only gateway (throughout all of Grid'5000) is sophia's main router.
  frontend:~$ host gw.kavlan-18.sophia.grid5000.fr
  gw.kavlan-18.sophia.grid5000.fr CNAME fastiron.kavlan-18.sophia.grid5000.fr
  fastiron.kavlan-5.sophia.grid5000.fr A 10.35.255.254
- where is the kavlan-10 gateway. This is another global kavlan network: the same VLAN is propagated on all sites, and its only gateway (throughout all of Grid'5000) is the bordeaux main router.
  frontend:~$ host gw.kavlan-10.sophia.grid5000.fr
  gw.kavlan-10.sophia.grid5000.fr CNAME gw.kavlan-10.bordeaux.grid5000.fr
  gw.kavlan-10.bordeaux.grid5000.fr CNAME gw-bdx.kavlan-10.bordeaux.grid5000.fr
  gw-bdx.kavlan-10.sophia.grid5000.fr A 10.3.255.254
- where is the kavlan-18 gateway. This is a global kavlan network: the same VLAN is propagated on all sites, and its only gateway (throughout all of Grid'5000) is sophia's main router. But this time, the DNS request is sent to the nancy DNS server.
  frontend:~$ host gw.kavlan-18.nancy.grid5000.fr
  gw.kavlan-18.nancy.grid5000.fr CNAME gw.kavlan-18.sophia.grid5000.fr
  gw.kavlan-18.sophia.grid5000.fr CNAME fastiron.kavlan-18.sophia.grid5000.fr
  fastiron.kavlan-5.sophia.grid5000.fr A 10.35.255.254
- main network equipment within the Grid'5000 inter-site interconnection VLAN (550) (network = g5k)
  frontend:~$ host gw.g5k.sophia.grid5000.fr
  gw.g5k.sophia.grid5000.fr CNAME fastiron.g5k.sophia.grid5000.fr
  fastiron.g5k.sophia.grid5000.fr A 192.168.4.12
- lab network. What is the bordeaux main router's address within the local laboratory network (network = vlan-labri-exp)? And what is the gateway of that lab VLAN?
  frontend:~$ host gw-bdx.vlan-labri-exp.bordeaux.grid5000.fr
  gw-bdx.vlan-labri-exp.bordeaux.grid5000.fr A 192.168.100.231
  frontend:~$ host gw.vlan-labri-exp.bordeaux.grid5000.fr
  gw.vlan-labri-exp.bordeaux.grid5000.fr CNAME gw1-labri.vlan-labri-exp.bordeaux.grid5000.fr
  gw1-labri.vlan-labri-exp.bordeaux.grid5000.fr A 192.168.100.254
- RENATER interconnections. Some sites' main routers have a logical connection with RENATER, which is often made through a VLAN. This is the case for example at sophia and lille: gw.lille and gw.sophia are both connected to a RENATER router through a dedicated VLAN (536 at lille, 535 at sophia). With that said, what is the sophia main router's address within its interconnection with RENATER (network = renater)? And what is the gateway of this VLAN?
  frontend:~$ host fastiron.renater.sophia.grid5000.fr
  fastiron.renater.sophia.grid5000.fr A 18.104.22.168
  frontend:~$ host gw.renater.sophia.grid5000.fr
  gw.renater.sophia.grid5000.fr CNAME renater-sophia.renater.sophia.grid5000.fr
  renater-sophia.renater.sophia.grid5000.fr A 22.214.171.124
For each network/VLAN, a DNS zone is created.
- The zone should have a name as close as possible to the VLAN name used in the network equipment.
- The name network in each zone should resolve to the network's base address:
  frontend:~$ host network.prod.sophia.grid5000.fr
  network.prod.sophia.grid5000.fr A 172.16.128.0
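The following worked example is added here to show how the convention above translates into zone data and how a reverse lookup is read back; it is not code from the original proposal or from Grid'5000's tooling. It assumes a small constructed inventory of (host, network, site, address) tuples and constructed prefixes for the admin and mx networks (only the prod prefix 172.16.128.0/20 appears on the page). From that inventory it generates the per-network zones with their "network" record, the CNAME aliases that keep the existing machine names working in the site zone, and the PTR records whose answer carries the network name; network_of() then does the parsing a script would do on the result of a reverse lookup.

```python
import ipaddress
from collections import defaultdict

DOMAIN = "grid5000.fr"

# Constructed sample inventory (not real site data): host label, network name, site, address.
INVENTORY = [
    ("sol-1", "prod", "sophia", "172.16.129.1"),
    ("sol-1", "admin", "sophia", "172.17.129.1"),
    ("sol-1", "mx", "sophia", "172.18.129.1"),
    ("fsophia", "prod", "sophia", "172.16.143.1"),
    ("fsophia", "admin", "sophia", "172.17.143.1"),
]

# Constructed: (network, site) -> prefix. Only the prod prefix is taken from the page.
NETWORKS = {
    ("prod", "sophia"): "172.16.128.0/20",
    ("admin", "sophia"): "172.17.128.0/20",
    ("mx", "sophia"): "172.18.128.0/20",
}

# Historical names in the site zone -> (host, network) they should alias.
ALIASES = {
    "sol-1": ("sol-1", "prod"),
    "sol-1-bmc": ("sol-1", "admin"),
    "sol-1-myri0": ("sol-1", "mx"),
    "fsophia": ("fsophia", "prod"),
}


def golden_name(host, network, site):
    """Name in the per-network zone, e.g. sol-1.prod.sophia.grid5000.fr."""
    return f"{host}.{network}.{site}.{DOMAIN}"


def forward_zones(inventory, networks):
    """Records for each network zone: a 'network' A record at the prefix's
    base address, then one A record per interface living in that network."""
    zones = defaultdict(list)
    for (network, site), prefix in networks.items():
        base = ipaddress.ip_network(prefix).network_address
        zones[f"{network}.{site}.{DOMAIN}"].append(f"network IN A {base}")
    for host, network, site, ip in inventory:
        zones[f"{network}.{site}.{DOMAIN}"].append(f"{host} IN A {ip}")
    return dict(zones)


def site_zone_aliases(aliases, site):
    """CNAMEs in the site zone so the existing machine names keep resolving."""
    return [f"{alias} IN CNAME {golden_name(h, n, site)}."
            for alias, (h, n) in aliases.items()]


def reverse_records(inventory):
    """PTR records: the reverse answer carries the network name, which is
    what lets 'host <ip>' identify the VLAN directly."""
    return [f"{ipaddress.ip_address(ip).reverse_pointer}. IN PTR "
            f"{golden_name(host, network, site)}."
            for host, network, site, ip in inventory]


def network_of(ptr_name):
    """Split a golden name returned by a reverse lookup into (host, network, site).
    Raises ValueError for names that do not follow the convention."""
    labels = ptr_name.rstrip(".").split(".")
    if len(labels) != 5 or ".".join(labels[3:]) != DOMAIN:
        raise ValueError(f"not a golden name: {ptr_name}")
    return labels[0], labels[1], labels[2]


if __name__ == "__main__":
    for zone, records in forward_zones(INVENTORY, NETWORKS).items():
        print(f"; zone {zone}")
        print("\n".join(records))
    print("; zone sophia.grid5000.fr (aliases)")
    print("\n".join(site_zone_aliases(ALIASES, "sophia")))
    print("; reverse zones")
    print("\n".join(reverse_records(INVENTORY)))
    print(network_of("sol-1.admin.sophia.grid5000.fr"))
```

The PTR owner names are written in absolute form here; in a real deployment they would be split across the reverse zones each site already serves, but the right-hand side, the golden name, is the part the proposal cares about, since it is what makes a plain reverse lookup return the VLAN name.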
net-scan is a tool that:
- probes the network to find out which IP addresses are currently in use on a given VLAN, either with ARP requests :) or with ping requests :(
- makes reverse DNS requests to find the name of each IP address in the given VLAN.
The results are printed on stdout, but they are also saved in a YAML file for possible later use.
ARP stands for Address Resolution Protocol. The prober machine sends an ARP request on the network to find the MAC address of the machine that has a given IP address. The ARP request contains that IP address and is sent in a broadcast frame, so every machine in the VLAN receives the same request. But only the machine with the requested IP address answers, by sending an ARP reply to the prober machine.
This probing method is very effective because:
- + it is very fast, since only 2 packets are exchanged for each probed IP address; it can probe a /20 network in less than 10 seconds.
- + there is no need for an IP address on the probing interface. Since ARP is a layer 2 protocol, the probing machine just needs an interface in that VLAN, even a simple virtual interface that has no IP address at all. The prober can create the virtual interface bond0.102, then probe the network 172.16.128.0/20 without assigning an IP address to that interface. Of course, this assumes that on the switch/router side, VLAN 102 is configured to reach the probing machine.
- + most machines respond to ping, but every machine responds to ARP.
But this method has some limitations:
- - it does not work on high-speed interconnects (InfiniBand, Myrinet)
- - it can only probe directly connected VLANs. So to probe a given VLAN, you have to find a service machine that has an interface in that VLAN.
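To make the ARP exchange above concrete, here is an added example of the two frames involved: the broadcast request the prober emits for one address and the reply the owner of that address sends back. It is not net-scan's code. Putting frames on the wire needs a raw socket bound to the interface sitting in the probed VLAN, which is platform specific and needs privileges, so the example stops at building and decoding frames and drives the sweep loop through a wire() callable; the fake_wire() below is a constructed stand-in that answers for two made-up hosts. The sender IP of 0.0.0.0 in the request mirrors the point that the probing interface needs no address of its own. PROBER_MAC and FAKE_HOSTS are constructed values.

```python
import ipaddress
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def _mac(mac_str):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac_str.replace(":", ""))


def build_arp_request(sender_mac, target_ip, sender_ip="0.0.0.0"):
    """Ethernet frame carrying an ARP request for target_ip, sent to the
    broadcast MAC so every station in the VLAN sees it. Sender IP defaults
    to 0.0.0.0: the probing interface does not need an address."""
    eth = struct.pack("!6s6sH", BROADCAST_MAC, _mac(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST,
                      _mac(sender_mac), ipaddress.ip_address(sender_ip).packed,
                      b"\x00" * 6, ipaddress.ip_address(target_ip).packed)
    return eth + arp


def parse_arp_reply(frame):
    """Return (ip, mac) of the station that answered, or None if the frame
    is not a well-formed Ethernet/IPv4 ARP reply."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return str(ipaddress.ip_address(spa)), ":".join(f"{b:02x}" for b in sha)


def sweep(cidr, sender_mac, wire):
    """Probe every host address in cidr once. `wire` takes a request frame and
    returns the reply frame or None (a raw socket in real use). Two frames per
    address at most, as the page states. Returns {ip: mac} for responders."""
    found = {}
    for ip in ipaddress.ip_network(cidr).hosts():
        reply = wire(build_arp_request(sender_mac, str(ip)))
        parsed = parse_arp_reply(reply) if reply else None
        if parsed:
            found[parsed[0]] = parsed[1]
    return found


# --- constructed stand-in for the network, so the example runs offline ---
PROBER_MAC = "02:00:00:00:00:01"  # constructed
FAKE_HOSTS = {  # constructed: stations that would answer in the probed VLAN
    "172.16.129.1": "00:11:22:33:44:01",
    "172.16.143.1": "00:11:22:33:44:02",
}


def _fake_reply(responder_mac, responder_ip, prober_mac):
    """Reply frame a station would send: unicast back to the prober."""
    eth = struct.pack("!6s6sH", _mac(prober_mac), _mac(responder_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      _mac(responder_mac), ipaddress.ip_address(responder_ip).packed,
                      _mac(prober_mac), ipaddress.ip_address("0.0.0.0").packed)
    return eth + arp


def fake_wire(frame):
    """Answers only for the constructed hosts; reads the target IP at the
    fixed offset of the request's tpa field (14-byte Ethernet + 24-byte ARP head)."""
    target = str(ipaddress.ip_address(frame[38:42]))
    mac = FAKE_HOSTS.get(target)
    return _fake_reply(mac, target, PROBER_MAC) if mac else None


if __name__ == "__main__":
    for ip, mac in sorted(sweep("172.16.128.0/20", PROBER_MAC, fake_wire).items()):
        print(ip, mac)
```

Because the decoder checks the hardware and protocol types, lengths and opcode before trusting a frame, stray traffic on a busy VLAN (other stations' requests, gratuitous ARP, non-ARP frames) is ignored instead of being recorded as a responder.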
TODO : write how to use the tool net-scan
Ping is the standard and most common way to check whether the machine that has a given IP address is alive. The prober machine sends a ping packet on the network, and the machine that has the requested IP address responds. Ping relies on TCP, UDP or ICMP; the most common protocol used is ICMP. The OSI level is 2.5 or 3, depending on the protocol used.
This is the most common probing method because:
- + it is simple to use
- + it can probe a remote network.
But it is really not recommended for probing whole networks since:
- - it is very slow for large networks
- - it is very intrusive
- - it requires activity on routers for remote networks
- - it sends an ARP request for each ping request in a local network
- - it generates much more traffic (packets sent and received) compared to an ARP scan