LAB project: Difference between revisions

From Essential
Jump to navigation Jump to search
 
(86 intermediate revisions by the same user not shown)
Line 1: Line 1:
Resilient, low power and encrypted LAB CLOUD project.
Resilient, low power and encrypted LAB CLOUD project.


=Diagram=
==Diagram==
[[file:Infocepo.drawio.png]]
[[file:Infocepo.drawio.png]]
==Data security==
* Availability is via [[LAB project#HA]] & RSYNC & another location & another internet provider & public DNS
* Integrity is provided by BTRFS and will be provided by MINIO for large static files
* Theft protection is provided by AC and FDE encryption
* Loss protection is performed via AC & RSYNC & BTRFS and locks/unlocks FDE drives
* Scalability will be via the CEPH


=ha.sh code=
==My LAB tools==
*MEDIAWIKI (sharing editor)
*DEBIAN
*[https://app.diagrams.net app.diagrams.net] (diagram editors)
*x86 CPU (for ARM I will use QEMU emulator)
*OPENCL GPU (AI&SIGNAL processing)
*LXD/SNAP/MICROK8S (virtualization&container)
*LSOF (system&network audit)
*NMAP (Network scanner)
*TCPDUMP (Network monitoring)
 
==Tested in this LAB==
*NEXTCLOUD [https://nextcloud.infocepo.com/index.php/s/oKrHsMX9bmxcjMf nextcloud.infocepo.com] (aFM8yKYmDa)
*MEDIAWIKI [https://infocepo.com/wiki infocepo.com]
*KUBERNETES Cluster [https://wiki.infocepo.com/wiki wiki.infocepo.com] (demo available, ask me)
*MARIADB GALERA Cluster
*OPENSTACK
*PROMETHEUS [https://prometheus.infocepo.com prometheus.infocepo.com] (demo available, ask me)
*YACY [https://google.infocepo.com google.infocepo.com] (decentralized search engine) (demo available, ask me)
*GLUSTERFS
*KATA (container runtime like a VM)
*AWS CLI
*ANSIBLE
*GIT
 
==HA==
I love COROSYNC/PACEMAKER, but for this LAB I wanted something from scratch:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
#!/bin/bash
#!/bin/bash
#pacheco at infocepo.com
#ynotopec at gmail.com
 
domainName=$(cat domainName)
portNumber=$(cat portNumber)
publicHost1=$(cat publicHost1)
publicHost2=$(cat publicHost2)


echo "$(date): init"
echo "$(date): init"
#Screen off
vbetool dpms off


#Clean
#Clean
cd /share/admin &&./stopInfocepo.sh
stop${domainName}.sh


#If I was the master sleep a little !
#If I was the master sleep a little !
ipPublic="$(dig +short myip.opendns.com @resolver1.opendns.com )"
ipPublic="$(dig +short myip.opendns.com @resolver1.opendns.com )"
ipMasterOld="$(nslookup infocepo.com |sed -rn 's#^Address: (.*)$#\1#p' )"
ipMasterOld="$(nslookup ${domainName} |sed -rn 's#^Address: (.*)$#\1#p' )"
[ "${ipPublic}" = "${ipMasterOld}" ] &&sleep 240
[ "${ipPublic}" = "${ipMasterOld}" ] &&sleep 240
#Wait Internet
while (! ping -w2 -c1 ${publicHost1} >/dev/null 2>&1 );do
  sleep 10
done
#Wait Admin Unlock Backup
waitAdminUnLockBCK.sh
#If passif merge backup
if (nc -zw2 ${domainName}  443 >/dev/null 2>&1 ||(sleep 10 ;nc -zw4 ${domainName}  443 >/dev/null 2>&1 ) ) ;then
  rsync --max-size=4M --ignore-existing --numeric-ids --modify-window=1 --ignore-errors --block-size=128.00K --inplace --no-whole-file \
  -z --compress-level=9 \
  -aAXxv \
  --exclude=.rsync_* \
  --rsh="ssh -i ~/.ssh/storage@${domainName}.key -p ${portNumer} -oStrictHostKeyChecking=no" \
  ${domainName}:/storage/rsync-rollback/ /storage/rsync-rollback/
fi
#lock bck source after merge
lockBckSource.sh


#Wait master down (big loop)
#Wait master down (big loop)
while (nc -zw2 infocepo.com 443 >/dev/null 2>&1 ||(sleep 10 ;nc -zw4 infocepo.com 443 >/dev/null 2>&1 ) );do
while (nc -zw2 ${domainName} ${portNumber} >/dev/null 2>&1 ||(sleep 10 ;nc -zw4 ${domainName} ${portNumber} >/dev/null 2>&1 ) );do
   if [ -z "$(find /root/ha_synced -type f -mmin -60 2>/dev/null )" ] ;then
   if [ -z "$(find ha_synced -type f -mmin -60 2>/dev/null )" ] ;then
#    haUpdate="$(cd /share/admin ;./bisync.sh /share/admin/ /share/admin/ infocepo.com |grep -w ha.sh )"
#    if [ ! -z "${haUpdate}" ] ;then
#      echo "Alert! ha.sh updated"
#      (bash -x /root/enable/ha.sh >>/var/log/ha.log 2>&1 )&
#      kill -9 $$
#    fi
     rsync --numeric-ids --delete --force --modify-window=1 --ignore-errors --block-size=128.00K --inplace --no-whole-file \
     rsync --numeric-ids --delete --force --modify-window=1 --ignore-errors --block-size=128.00K --inplace --no-whole-file \
     -z --compress-level=9 \
     -z --compress-level=9 \
Line 37: Line 86:
     --exclude=rsync-rollback \
     --exclude=rsync-rollback \
     --exclude=.rsync_* \
     --exclude=.rsync_* \
     --rsh="ssh -i /root/.ssh/me@infocepo.com.key -p 1901 -oStrictHostKeyChecking=no" \
     --rsh="ssh -i ~/.ssh/storage@${domainName}.key -p ${portNumer} -oStrictHostKeyChecking=no" \
     infocepo.com:/share/ /share/ &&touch /root/ha_synced
     ${domainName}:/storage/ /storage/ &&touch ha_synced
   fi
   fi
   sleep 10
   sleep 10
Line 44: Line 93:


#Maybe it's me down ! If INTERNET down, reboot
#Maybe it's me down ! If INTERNET down, reboot
! ping -w2 -c1 wikipedia.org >/dev/null 2>&1 &&systemctl start kexec.target
! ping -w2 -c1 ${publicHost1} >/dev/null 2>&1 &&reboot


#Become master
#Become master
#lock Backup (integrity protection against attacks)
lockBCK.sh


#Register DNS
#Register DNS
ipMasterDown="$(nslookup infocepo.com |sed -rn 's#^Address: (.*)$#\1#p' )"
ipMasterDown="$(nslookup ${domainName} |sed -rn 's#^Address: (.*)$#\1#p' )"
curl 'https://dynamicdns.park-your-domain.com/update?host=@&domain=infocepo.com&password='"$(cat /share/admin/.namecheap-password )"'&ip='"${ipPublic}"
updateDns.sh "${ipPublic}"


#Random startup time
#Random startup time
sleep $((RANDOM%10))
sleep $((RANDOM%10))
cd /share/admin &&./infocepoStart.sh &
${domainName}Start.sh &


#Wait DNS propagation
#Wait DNS propagation
Line 62: Line 114:
echo "$(date): up"
echo "$(date): up"
[ "${ipPublic}" = "${ipMasterDown}" ] &&ipMasterDown=""
[ "${ipPublic}" = "${ipMasterDown}" ] &&ipMasterDown=""
while [ "${ipPublic}" = "$(nslookup infocepo.com |sed -rn 's#^Address: (.*)$#\1#p' )" ] \
while [ "${ipPublic}" = "$(nslookup ${domainName} |sed -rn 's#^Address: (.*)$#\1#p' )" ] \
  &&( ! nc -zw2 "${ipMasterDown}" 443 >/dev/null 2>&1 ) \
  &&( ! nc -zw2 "${ipMasterDown}" 443 >/dev/null 2>&1 ) \
  &&(nc -zw2 "${ipPublic}" 443 >/dev/null 2>&1 ||nc -zw4 "${ipPublic}" 443 >/dev/null 2>&1 ) \
  &&(nc -zw2 "${ipPublic}" 443 >/dev/null 2>&1 ||nc -zw4 "${ipPublic}" 443 >/dev/null 2>&1 ) \
  &&(nc -zw2 "${ipMasterDown}" 1901 >/dev/null 2>&1 ||ping -w2 -c1 debian.org >/dev/null 2>&1 ||ping -w2 -c1 wikipedia.org >/dev/null 2>&1 ) ;do
  &&(nc -zw2 "${ipMasterDown}" ${portNumer} >/dev/null 2>&1 ||ping -w2 -c1 ${publicHost1} >/dev/null 2>&1 ||ping -w2 -c1 ${publicHost2} >/dev/null 2>&1 ) ;do
   sleep 4
   sleep 4
done
done
Line 71: Line 123:


#Stop
#Stop
cd /share/admin &&./stopInfocepo.sh
stop${domainName}.sh
 
reboot
</syntaxhighlight>
 
==Optimizations explained==
To reduce Network data I added options to rsync:
*only send modified data blocks from files
--inplace --block-size=128.00K
*compress transfer
-z --compress-level=9
To increase flash storage life:
--inplace --no-whole-file
 
==Cost per month==
<pre>
800€*2=1600€ :hypervisors (popular CPU X86 notebook, 8GB+)
-400€*2=-800€ :sale after one year
800€/12m=33€ :price/month
30*2=60€ :Internet (~1PB outbound/month)
(7.5W+7.5W)*24h*30.5d/1000Wh*.15€*2~=3.3€ :electricity


#Comment these lines for production
33+60+3.3~=96€ :cost/month
#if ping -w2 -c1 wikipedia.org >/dev/null 2>&1 ;then
</pre>
#  (bash -x /root/enable/ha.sh >>/var/log/ha.log 2>&1 )&
#  kill -9 $$
#fi


#Reboot
==Futur==
systemctl start kexec.target
*Migrate rsync to real time replication.
</syntaxhighlight>
*Add MINIO for objects storage and streaming.
=== CV ===
*Improve synchronization algorithm ([[bisync.sh]]):
[[CV_PACHECO]]
#The NEXTCLOUD algorithm is very good average, but is very poor for dynamic big files like DB or virtual images.
#OSYNC is slow, and I don't know for big files.
#RSYNC is very good average but not dealing with inodes (moving files).
*Alert passive location locked and add de-lock page.
*Double storage to have active/active locations. Storage 1 location A to B. Storage 2 location B to A.

Latest revision as of 10:12, 28 August 2024

Resilient, low power and encrypted LAB CLOUD project.

Diagram

Infocepo.drawio.png

Data security

  • Availability is via LAB project#HA & RSYNC & another location & another internet provider & public DNS
  • Integrity is provided by BTRFS and will be provided by MINIO for large static files
  • Theft protection is provided by AC and FDE encryption
  • Loss protection is performed via AC & RSYNC & BTRFS and locks/unlocks FDE drives
  • Scalability will be via the CEPH

My LAB tools

  • MEDIAWIKI (sharing editor)
  • DEBIAN
  • app.diagrams.net (diagram editors)
  • x86 CPU (for ARM I will use QEMU emulator)
  • OPENCL GPU (AI&SIGNAL processing)
  • LXD/SNAP/MICROK8S (virtualization&container)
  • LSOF (system&network audit)
  • NMAP (Network scanner)
  • TCPDUMP (Network monitoring)

Tested in this LAB

HA

I love COROSYNC/PACEMAKER, but for this LAB I wanted something from scratch:

#!/bin/bash
#ynotopec at gmail.com

domainName=$(cat domainName)
portNumber=$(cat portNumber)
publicHost1=$(cat publicHost1)
publicHost2=$(cat publicHost2)

echo "$(date): init"

#Clean
stop${domainName}.sh

#If I was the master sleep a little !
ipPublic="$(dig +short myip.opendns.com @resolver1.opendns.com )"
ipMasterOld="$(nslookup ${domainName} |sed -rn 's#^Address: (.*)$#\1#p' )"
[ "${ipPublic}" = "${ipMasterOld}" ] &&sleep 240

#Wait Internet
while (! ping -w2 -c1 ${publicHost1} >/dev/null 2>&1 );do
  sleep 10
done

#Wait Admin Unlock Backup
waitAdminUnLockBCK.sh

#If passif merge backup
if (nc -zw2 ${domainName}  443 >/dev/null 2>&1 ||(sleep 10 ;nc -zw4 ${domainName}  443 >/dev/null 2>&1 ) ) ;then
  rsync --max-size=4M --ignore-existing --numeric-ids --modify-window=1 --ignore-errors --block-size=128.00K --inplace --no-whole-file \
   -z --compress-level=9 \
   -aAXxv \
   --exclude=.rsync_* \
   --rsh="ssh -i ~/.ssh/storage@${domainName}.key -p ${portNumer} -oStrictHostKeyChecking=no" \
   ${domainName}:/storage/rsync-rollback/ /storage/rsync-rollback/
fi

#lock bck source after merge
lockBckSource.sh

#Wait master down (big loop)
while (nc -zw2 ${domainName} ${portNumber} >/dev/null 2>&1 ||(sleep 10 ;nc -zw4 ${domainName} ${portNumber} >/dev/null 2>&1 ) );do
  if [ -z "$(find ha_synced -type f -mmin -60 2>/dev/null )" ] ;then
    rsync --numeric-ids --delete --force --modify-window=1 --ignore-errors --block-size=128.00K --inplace --no-whole-file \
     -z --compress-level=9 \
     -aAXxv \
     --backup-dir=rsync-rollback/$(date '+%Y-%m-%d') \
     --exclude=rsync-rollback \
     --exclude=.rsync_* \
     --rsh="ssh -i ~/.ssh/storage@${domainName}.key -p ${portNumer} -oStrictHostKeyChecking=no" \
     ${domainName}:/storage/ /storage/ &&touch ha_synced
  fi
  sleep 10
done

#Maybe it's me down ! If INTERNET down, reboot
! ping -w2 -c1 ${publicHost1} >/dev/null 2>&1 &&reboot

#Become master

#lock Backup (integrity protection against attacks)
lockBCK.sh

#Register DNS
ipMasterDown="$(nslookup ${domainName} |sed -rn 's#^Address: (.*)$#\1#p' )"
updateDns.sh "${ipPublic}"

#Random startup time
sleep $((RANDOM%10))
${domainName}Start.sh &

#Wait DNS propagation
sleep $((240-25))

#Monitor
echo "$(date): up"
[ "${ipPublic}" = "${ipMasterDown}" ] &&ipMasterDown=""
while [ "${ipPublic}" = "$(nslookup ${domainName} |sed -rn 's#^Address: (.*)$#\1#p' )" ] \
 &&( ! nc -zw2 "${ipMasterDown}" 443 >/dev/null 2>&1 ) \
 &&(nc -zw2 "${ipPublic}" 443 >/dev/null 2>&1 ||nc -zw4 "${ipPublic}" 443 >/dev/null 2>&1 ) \
 &&(nc -zw2 "${ipMasterDown}" ${portNumer} >/dev/null 2>&1 ||ping -w2 -c1 ${publicHost1} >/dev/null 2>&1 ||ping -w2 -c1 ${publicHost2} >/dev/null 2>&1 ) ;do
  sleep 4
done
echo "$(date): down"

#Stop
stop${domainName}.sh

reboot

Optimizations explained

To reduce Network data I added options to rsync:

  • only send modified data blocks from files
--inplace --block-size=128.00K
  • compress transfer
-z --compress-level=9

To increase flash storage life:

--inplace --no-whole-file

Cost per month

800€*2=1600€ :hypervisors (popular CPU X86 notebook, 8GB+)
-400€*2=-800€ :sale after one year
800€/12m=33€ :price/month
30*2=60€ :Internet (~1PB outbound/month)
(7.5W+7.5W)*24h*30.5d/1000Wh*.15€*2~=3.3€ :electricity

33+60+3.3~=96€ :cost/month

Futur

  • Migrate rsync to real time replication.
  • Add MINIO for objects storage and streaming.
  • Improve synchronization algorithm (bisync.sh):
  1. The NEXTCLOUD algorithm is very good average, but is very poor for dynamic big files like DB or virtual images.
  2. OSYNC is slow, and I don't know for big files.
  3. RSYNC is very good average but not dealing with inodes (moving files).
  • Alert passive location locked and add de-lock page.
  • Double storage to have active/active locations. Storage 1 location A to B. Storage 2 location B to A.