From 8ae552ebda2e348e6774ad843192fa67131b439c Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Wed, 27 Feb 2019 23:26:57 -0800 Subject: [PATCH] Update documentation for use with Ubiquiti EdgeOS * Show creation of a PXE-enabled network boot environment when using dnsmasq as the DHCP server * Recommend TFTP be served from /config/tftpboot since /config is preserved between firmware upgrades * Recommend compiling undionly.kpxe from source to enable TLS features * Add a note that equal-cost multi-path service IP routing (e.g. for ingress) requires EdgeOS v2.0. Previously, it was known that TLS handshakes couldn't be completed with packet balancing. I've verified this is no longer the case when using the v2.0 EdgeOS firmware; ECMP works as expected. --- docs/topics/hardware.md | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/docs/topics/hardware.md b/docs/topics/hardware.md index 4715e0a8..385a1fee 100644 --- a/docs/topics/hardware.md +++ b/docs/topics/hardware.md @@ -4,7 +4,7 @@ Typhoon ensures certain networking hardware integrates well with bare-metal Kube ## Ubiquiti -Ubiquiti EdgeRouters work well with bare-metal Kubernetes clusters. Knowledge about how to setup an EdgeRouter and use the CLI is required. +Ubiquiti EdgeRouters and EdgeOS work well with bare-metal Kubernetes clusters. Familiarity with EdgeRouter setup and CLI usage is required. ### PXE @@ -12,7 +12,7 @@ Ubiquiti EdgeRouters can provide a PXE-enabled network boot environment for clie #### ISC DHCP -Add a subnet parameter to the LAN DHCP server to include an ISC DHCP config file. +With ISC DHCP, add a subnet parameter to the LAN DHCP server to include an ISC DHCP config file. ``` configure 
@@ -21,7 +21,7 @@ set service dhcp-server shared-network-name NAME subnet SUBNET subnet-parameters commit-confirm ``` -Switch to root (i.e. `sudo -i`) and write the ISC DHCP config `/config/scripts/ipxe.conf`. iPXE client machines will chainload to `matchbox.example.com`, while non-iPXE clients will chainload to `undionly.kpxe` (requires TFTP to be enabled). +Switch to root (i.e. `sudo -i`) and write the ISC DHCP config `/config/scripts/ipxe.conf`. iPXE client machines will chainload to `matchbox.example.com`, while non-iPXE clients will chainload to `undionly.kpxe` (requires TFTP). ``` allow bootp; @@ -35,14 +35,23 @@ if exists user-class and option user-class = "iPXE" { } ``` +#### dnsmasq + +With dnsmasq for DHCP, add options to chainload PXE clients to iPXE `undionly.kpxe` (requires TFTP), tag iPXE clients, and chainload iPXE clients to `matchbox.example.com`. + +``` +set service dns forwarding options 'dhcp-userclass=set:ipxe,iPXE' +set service dns forwarding options 'pxe-service=tag:#ipxe,x86PC,PXE chainload to iPXE,undionly.kpxe' +set service dns forwarding options 'pxe-service=tag:ipxe,x86PC,iPXE,http://matchbox.example.com/boot.ipxe' +``` + ### TFTP -Use `dnsmasq` as a TFTP server to serve [undionly.kpxe](http://boot.ipxe.org/undionly.kpxe). +Use `dnsmasq` as a TFTP server to serve `undionly.kpxe`. Compiling from [source](https://github.com/ipxe/ipxe) with TLS support is recommended, but you may also download a [pre-compiled](http://boot.ipxe.org/undionly.kpxe) copy. ``` sudo -i -mkdir /var/lib/tftpboot -cd /var/lib/tftpboot +mkdir /config/tftpboot && cd /config/tftpboot curl http://boot.ipxe.org/undionly.kpxe -o undionly.kpxe ``` 
@@ -52,13 +61,10 @@ Add `dnsmasq` command line options to enable the TFTP file server. configure show service dns forwarding set service dns forwarding options enable-tftp -set service dns forwarding options tftp-root=/var/lib/tftpboot +set service dns forwarding options tftp-root=/config/tftpboot commit-confirm ``` -!!! warning - After firmware upgrades, the `/var/lib/tftpboot` directory will not exist and dnsmasq will not start properly. Repeat this process following an upgrade. - ### DHCP Assign static IPs to clients with known MAC addresses. This is called a static mapping by EdgeOS. Configure the router with the commands based on region inventory. @@ -106,6 +112,9 @@ set protocols static route 10.3.0.0/16 next-hop NODE_IP commit-confirm ``` +!!! note + Adding multiple next-hop nodes provides equal-cost multi-path (ECMP) routing. EdgeOS v2.0+ is required. The kernel in prior versions used flow-hash to balanced packets, whereas with v2.0, round-robin sessions are used. + ### Port Forwarding Expose the [Ingress Controller](/addons/ingress.md#bare-metal) by adding `port-forward` rules that DNAT a port on the router's WAN interface to an internal IP and port. By convention, a public Ingress controller is assigned a fixed service IP (e.g. 10.3.0.12).
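Review bot: In the `@@ -35,14 +35,23 @@` hunk, the iPXE chainload target `pxe-service=tag:ipxe,x86PC,iPXE,http://matchbox.example.com/boot.ipxe` uses plain HTTP, which undercuts the new recommendation in the same hunk to compile `undionly.kpxe` with TLS support: a TLS-capable iPXE build gains nothing while the boot script URL stays `http://`. Suggest showing an `https://` URL in the example, or adding a sentence that the TLS recommendation only pays off once `matchbox.example.com` is served over HTTPS. In the same hunk, `curl http://boot.ipxe.org/undionly.kpxe -o undionly.kpxe` still fetches the boot binary that every PXE client will execute over an unauthenticated channel with no integrity check, while the prose directly above now prefers building from source; consider dropping the `curl` line in favour of the source build, or pairing it with a checksum verification step.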
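Review bot: In the `@@ -52,13 +61,10 @@` hunk, the removed `!!! warning` block documented a real failure mode (dnsmasq not starting when `tftp-root` no longer exists after a firmware upgrade). Changing `tftp-root` to `/config/tftpboot` removes the cause, but the rationale now lives only in the commit message. Suggest keeping one sentence in the TFTP section, e.g. "`/config` is preserved across EdgeOS firmware upgrades, so the TFTP root survives upgrades", so a reader does not move the directory back under `/var/lib` and reintroduce the problem.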
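Review bot: In the `@@ -106,6 +112,9 @@` hunk, the added note has a grammar slip: `used flow-hash to balanced packets` should read `to balance packets`. The note also states `EdgeOS v2.0+ is required` without saying what goes wrong on older firmware; the commit message explains that TLS handshakes to multi-path service IPs failed with the old balancing behaviour. Suggest adding that symptom to the note so readers on pre-2.0 firmware know what to expect rather than a bare version requirement. `round-robin sessions are used` is also vague; if the intended contrast is per-packet versus per-flow (session-sticky) balancing, state it in those terms.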