Update documentation for use with Ubiquiti EdgeOS
* Show creation of a PXE-enabled network boot environment when using dnsmasq as the DHCP server
* Recommend TFTP be served from /config/tftpboot since /config is preserved between firmware upgrades
* Recommend compiling undionly.kpxe from source to enable TLS features
* Add a note that equal-cost multi-path service IP routing (e.g. for ingress) requires EdgeOS v2.0. Previously, it was known that TLS handshakes couldn't be completed with packet balancing. I've verified this is no longer the case when using the v2.0 EdgeOS firmware; ECMP works as expected.
parent daee5a9d60
commit 8ae552ebda
@ -4,7 +4,7 @@ Typhoon ensures certain networking hardware integrates well with bare-metal Kube
## Ubiquiti
## Ubiquiti
Ubiquiti EdgeRouters work well with bare-metal Kubernetes clusters. Knowledge about how to setup an EdgeRouter and use the CLI is required.
Ubiquiti EdgeRouters and EdgeOS work well with bare-metal Kubernetes clusters. Familiarity with EdgeRouter setup and CLI usage is required.
### PXE
### PXE
@ -12,7 +12,7 @@ Ubiquiti EdgeRouters can provide a PXE-enabled network boot environment for clie
#### ISC DHCP
#### ISC DHCP
Add a subnet parameter to the LAN DHCP server to include an ISC DHCP config file.
With ISC DHCP, add a subnet parameter to the LAN DHCP server to include an ISC DHCP config file.
```
```
configure
configure
@ -21,7 +21,7 @@ set service dhcp-server shared-network-name NAME subnet SUBNET subnet-parameters
commit-confirm
commit-confirm
```
```
Switch to root (i.e. `sudo -i`) and write the ISC DHCP config `/config/scripts/ipxe.conf`. iPXE client machines will chainload to `matchbox.example.com`, while non-iPXE clients will chainload to `undionly.kpxe` (requires TFTP to be enabled).
Switch to root (i.e. `sudo -i`) and write the ISC DHCP config `/config/scripts/ipxe.conf`. iPXE client machines will chainload to `matchbox.example.com`, while non-iPXE clients will chainload to `undionly.kpxe` (requires TFTP).
```
```
allow bootp;
allow bootp;
@ -35,14 +35,23 @@ if exists user-class and option user-class = "iPXE" {
}
}
```
```
#### dnsmasq
With dnsmasq for DHCP, add options to chainload PXE clients to iPXE `undionly.kpxe` (requires TFTP), tag iPXE clients, and chainload iPXE clients to `matchbox.example.com`.
```
set service dns forwarding options 'dhcp-userclass=set:ipxe,iPXE'
set service dns forwarding options 'pxe-service=tag:#ipxe,x86PC,PXE chainload to iPXE,undionly.kpxe'
set service dns forwarding options 'pxe-service=tag:ipxe,x86PC,iPXE,http://matchbox.example.com/boot.ipxe'
```
### TFTP
### TFTP
Use `dnsmasq` as a TFTP server to serve [undionly.kpxe](http://boot.ipxe.org/undionly.kpxe).
Use `dnsmasq` as a TFTP server to serve `undionly.kpxe`. Compiling from [source](https://github.com/ipxe/ipxe) with TLS support is recommended, but you may also download a [pre-compiled](http://boot.ipxe.org/undionly.kpxe) copy.
```
```
sudo -i
sudo -i
mkdir /var/lib/tftpboot
mkdir /config/tftpboot && cd /config/tftpboot
cd /var/lib/tftpboot
curl http://boot.ipxe.org/undionly.kpxe -o undionly.kpxe
curl http://boot.ipxe.org/undionly.kpxe -o undionly.kpxe
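Review bot: the TFTP example still fetches the bootloader over plain HTTP (`curl http://boot.ipxe.org/undionly.kpxe -o undionly.kpxe`) immediately after the new sentence recommends building `undionly.kpxe` from source with TLS support, and the new dnsmasq line chainloads to `http://matchbox.example.com/boot.ipxe`; a TLS-capable iPXE only buys something if the matchbox URL is `https://`, so either show the HTTPS form of that `pxe-service` line or say why HTTP is kept. Also, `mkdir /config/tftpboot && cd /config/tftpboot` aborts on a second run because the directory already exists; `mkdir -p` keeps the block re-runnable.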
```
```
@ -52,13 +61,10 @@ Add `dnsmasq` command line options to enable the TFTP file server.
configure
configure
show service dns forwarding
show service dns forwarding
set service dns forwarding options enable-tftp
set service dns forwarding options enable-tftp
set service dns forwarding options tftp-root=/var/lib/tftpboot
set service dns forwarding options tftp-root=/config/tftpboot
commit-confirm
commit-confirm
```
```
!!! warning
After firmware upgrades, the `/var/lib/tftpboot` directory will not exist and dnsmasq will not start properly. Repeat this process following an upgrade.
### DHCP
### DHCP
Assign static IPs to clients with known MAC addresses. This is called a static mapping by EdgeOS. Configure the router with the commands based on region inventory.
Assign static IPs to clients with known MAC addresses. This is called a static mapping by EdgeOS. Configure the router with the commands based on region inventory.
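Review bot: dropping the `!!! warning` about `/var/lib/tftpboot` vanishing after firmware upgrades removes the only sentence that explained why the TFTP root location matters, and the replacement path `/config/tftpboot` is left unexplained in the doc (the rationale that `/config` survives upgrades lives only in the commit message). Suggest keeping a one-line note in its place, e.g. `!!! note` followed by `/config is preserved across EdgeOS firmware upgrades, so undionly.kpxe does not need to be re-downloaded after an upgrade.`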
@ -106,6 +112,9 @@ set protocols static route 10.3.0.0/16 next-hop NODE_IP
commit-confirm
commit-confirm
```
```
!!! note
Adding multiple next-hop nodes provides equal-cost multi-path (ECMP) routing. EdgeOS v2.0+ is required. The kernel in prior versions used flow-hash to balanced packets, whereas with v2.0, round-robin sessions are used.
### Port Forwarding
### Port Forwarding
Expose the [Ingress Controller](/addons/ingress.md#bare-metal) by adding `port-forward` rules that DNAT a port on the router's WAN interface to an internal IP and port. By convention, a public Ingress controller is assigned a fixed service IP (e.g. 10.3.0.12).
Expose the [Ingress Controller](/addons/ingress.md#bare-metal) by adding `port-forward` rules that DNAT a port on the router's WAN interface to an internal IP and port. By convention, a public Ingress controller is assigned a fixed service IP (e.g. 10.3.0.12).
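Review bot: in the added `!!! note`, "used flow-hash to balanced packets" should read "to balance packets", and the mechanism description reads inverted against the commit message's own reasoning: the message says TLS handshakes failed under packet balancing, which is the effect of per-packet distribution across next hops, whereas a per-flow hash pins one session to one next hop and is exactly what lets a handshake complete. Suggest rewording the note to state what matters operationally, that EdgeOS v2.0+ keeps each session on a single next hop so TLS to the service IP works, rather than contrasting "flow-hash" with "round-robin sessions".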