Skip to content
Snippets Groups Projects

Add documentation for working with FIPs/jump host/sshuttle

Merged Add documentation for working with FIPs/jump host/sshuttle
fip_doc into master
Merged Tomáš Sapák requested to merge fip_doc into master
Compare
and
2 files
+ 16
1
Compare changes
  • Side-by-side
  • Inline
Files
2
faq/README.md
+ 15
0
@@ -25,3 +25,18 @@ OpenStack instances use 1442 bytes MTU (maximum transmission unit) instead of st
@@ -25,3 +25,18 @@ OpenStack instances use 1442 bytes MTU (maximum transmission unit) instead of st
able to setup correct MTU with its counterpart via Path MTU Discovery. Docker needs MTU setup explicitly. Refer documentation for setting up
able to setup correct MTU with its counterpart via Path MTU Discovery. Docker needs MTU setup explicitly. Refer documentation for setting up
1442 MTU in [Docker](https://docs.docker.com/v17.09/engine/userguide/networking/default_network/custom-docker0/) or
1442 MTU in [Docker](https://docs.docker.com/v17.09/engine/userguide/networking/default_network/custom-docker0/) or
[Kubernetes](https://docs.projectcalico.org/v3.5/usage/configuration/mtu).
[Kubernetes](https://docs.projectcalico.org/v3.5/usage/configuration/mtu).
 
 
## How many floating IPs does my group project need?
 
One floating IP per project should generally suffice. All OpenStack instances are deployed on top of internal OpenStack networks. These internal networks are not by default accessible from outside of OpenStack, but instances on top of same internal network can communicate with each other.
 
 
To access internet from an instance, or access instance from the internet, you could allocate floating public IP per instance. Since there are not many public IP addresses available and assigning public IP to every instance is not security best practise, both in public and private clouds these two concepts are used:
 
* **internet access is provided by virtual router** - all new OpenStack projects are created with *group-project-network* internal network connected to virtual router with public IP as a gateway. Every instance created with *group-project-network* can access internet through NAT provided by it's router by default.
 
* **accessing the instances:**
 
* **I need to access instances by myself** - best practice for accessing your instances is creating one server with floating IP called [jump host](https://en.wikipedia.org/wiki/Jump_server) and then access all other instances through this host. Simple setup:
 
1. Create instance with any Linux.
 
2. Associate floating IP with this instance.
 
3. Install [sshuttle](https://github.com/sshuttle/sshuttle) on your client.
 
4. `sshuttle -r root@jump_host_fip 192.168.0.1/24`. All your traffic to internal OpenStack network *192.168.0.1/24* is now tunneled through jump host.
 
* **I need to serve content (e.g. webservice) to other users** - public and private clouds provide LBaaS (Load-Balancer-as-a-Service) service, which proxies users traffic to instances. We are planning to deploy this functionality in 2020. Currently you can create LB manually by installing and configuring e.g. HAproxy on your jump host.
 
 
In case, that these options are not suitable for you usecase, you can still request multiple floating IPs.