Configuring the network on the master node

You can configure the network on the x86 server to ensure that the master node is connected with other cluster nodes on the IBM Z or LinuxONE system.

This procedure is intended for users with role cloud administrator.

Before you begin

Procedure

On the x86 server, complete the following steps as a root user.

  1. Configure the network interface on the master node.

    • If the master node uses a plain Ethernet connection, add the IP address of the master node by using the following command syntax.

      ip addr add <IP>/<Netmask> dev <DevName>
      

      Where

      • IP: The IP address of the master node. Only IPv4 addresses are supported. For example, 192.168.0.251.
      • Netmask: The netmask of the mesh network as a CIDR prefix length. For example, 24.
      • DevName: The name of the primary network device on the x86 server. You can get the value by running the ifconfig -a command. For example, eth0.

      For example,
        ip addr add 192.168.0.251/24 dev eth0
        
        Note: This command does not persist across restarts of the x86 server. To make it persistent, include it in your server boot-up initialization script or service.
    • If the master node is connected to a trunk port of the switch, create a VLAN interface on that trunk port. In the following example, the trunk port is ens224 and the VLAN ID is 1121.

      ip link add link ens224 name ens224.1121 type vlan id 1121
      ip addr add 192.168.0.251/24 dev ens224.1121
      ip link set up ens224.1121
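The two cases in step 1 differ only in whether a VLAN sub-interface is created first, and the note above says the address does not survive a reboot. The following helper script is an added example, not part of the IBM page or of the Secure Service Container tooling: it validates the IP address and prefix the way the step requires (IPv4 only, CIDR prefix 0-32), prints the exact ip(8) commands for either case, and applies them only when the address is not already present, so it is safe to call from a boot-up script more than once. The interface names and addresses reused below are the page's own examples; the script name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the IBM page): validate the master node address and
# apply it idempotently at boot. Only the example values (192.168.0.251/24,
# eth0, ens224, VLAN 1121) come from the page.

# Return 0 if $1 is a dotted-quad IPv4 address (IPv6 is not supported here).
is_ipv4() {
  addr=$1
  case "$addr" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$1" "$2" "$3" "$4"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 is a CIDR prefix length in 0..32 (the <Netmask> placeholder).
is_prefix() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -le 32 ]
}

# Print the ip(8) commands for step 1 without running them.
# Usage: addr_commands <IP> <Netmask> <DevName> [<VlanID>]
addr_commands() {
  ip=$1; prefix=$2; dev=$3; vlan=${4:-}
  is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
  is_prefix "$prefix" || { echo "not a CIDR prefix (0-32): $prefix" >&2; return 1; }
  if [ -n "$vlan" ]; then
    # Trunk port: create the VLAN sub-interface, address it, bring it up.
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$dev" "$dev" "$vlan" "$vlan"
    printf 'ip addr add %s/%s dev %s.%s\n' "$ip" "$prefix" "$dev" "$vlan"
    printf 'ip link set up %s.%s\n' "$dev" "$vlan"
  else
    printf 'ip addr add %s/%s dev %s\n' "$ip" "$prefix" "$dev"
  fi
}

# Apply the commands, but skip them when the address is already configured
# (for example because the boot script ran twice).
apply_address() {
  cmds=$(addr_commands "$@") || return 1
  target=$3${4:+.$4}
  if ip -4 addr show dev "$target" 2>/dev/null | grep -q "inet $1/$2 "; then
    echo "$1/$2 is already configured on $target"
    return 0
  fi
  printf '%s\n' "$cmds" | sh -e
}

# Run as root, e.g.:  ./master-addr.sh 192.168.0.251 24 eth0
#                or:  ./master-addr.sh 192.168.0.251 24 ens224 1121
if [ $# -ge 3 ]; then
  apply_address "$@"
fi
```

Calling the script from an init script or systemd unit covers the persistence note: on a second run it reports that the address is already present instead of failing with "RTNETLINK answers: File exists".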
      
  2. Configure IPSec to ensure that the data traffic within the network is encrypted. IPSec can operate in two modes: transport or tunnel. Transport mode is sufficient to encrypt the IP traffic between the cluster nodes. To configure IPSec, you must ensure that the strongswan daemon is installed. See strongSwan for more details.

    a. Install the strongswan daemon on your x86 server. The version of strongswan must be 5.6.2 or later.

    • For Ubuntu 16.04, you have to replace the bundled strongswan binary with version 5.6.2 or later.
      sudo apt-get remove strongswan
      sudo apt-get purge strongswan
      sudo apt-get autoremove
      apt-get -y install build-essential libunbound-dev libldns-dev libgmp3-dev
      wget http://download.strongswan.org/strongswan-5.6.2.tar.bz2
      tar xjvf strongswan-5.6.2.tar.bz2
      cd strongswan-5.6.2/
      ./configure --prefix=/usr --sysconfdir=/etc
      make
      make install
      ipsec version
      ipsec start
      
    • For Ubuntu 18.04:
      apt-get install strongswan
      
    • For Redhat:
      yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
      yum install strongswan
      
    • For SUSE Linux:
      zypper addrepo http://download.opensuse.org/distribution/leap/15.0/repo/oss/ openSUSE:Leap:15.0
      zypper install strongswan
      
      Note: When you install strongswan on SUSE Linux, choose to trust the new repository or package signing key for the added repository, and select Solution 1 for installing the strongswan package dependencies when you are prompted. After strongswan is installed, you can disable the added repository by using the following command so that the standard SUSE Linux 12 SP3 packages are used for other installations.
      zypper modifyrepo --disable openSUSE:Leap:15.0
      

    b. Copy the following two files into the /etc (on Ubuntu and SUSE Linux) or /etc/strongswan (on RedHat) directory. These two files are generated in the config/<ClusterName> directory after the Secure Service Container for IBM Cloud Private CLI tool is installed.

    • config/<ClusterName>/ipsec.conf: contains the network topology of the cluster.
    • config/<ClusterName>/ipsec.secret: contains a randomly generated Pre-Shared Key (PSK) that is used as the authentication token for the IPSec network.

    c. Start the strongswan daemon to apply the changes.

    service strongswan restart
    

    Note: You might have to run the command again for some Linux distributions if you reboot the x86 server.
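Step 2 has two requirements that are easy to get wrong silently: the strongswan version must be 5.6.2 or later (an older distribution package starts without complaint), and the copied PSK file must stay readable by root only, since anyone who can read it can join the IPSec network. The pre-flight script below is an added example and not part of the IBM page or the CLI tool; it parses the output of `ipsec version`, compares it against the minimum, and checks the mode of the PSK file whose path you pass in. It assumes the `Linux strongSwan U<version>/K<kernel>` output format that strongSwan prints and GNU coreutils `stat`; the sample version strings and the script name are constructed.

```shell
#!/bin/sh
# Added example (not from the IBM page): pre-flight checks for step 2.
# Assumptions: `ipsec version` prints "Linux strongSwan U5.6.2/K..." and
# stat(1) is the GNU version found on the Linux distributions listed above.

MIN_VERSION=5.6.2

# Return 0 if dotted version $1 is greater than or equal to $2 (three fields;
# missing fields count as 0, so "5.7" compares as 5.7.0).
version_ge() {
  i=1
  while [ $i -le 3 ]; do
    a=$(printf '%s.0.0' "$1" | cut -d. -f$i)
    b=$(printf '%s.0.0' "$2" | cut -d. -f$i)
    case "$a$b" in *[!0-9]*) return 1 ;; esac
    if [ "$a" -gt "$b" ]; then return 0; fi
    if [ "$a" -lt "$b" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# Extract "5.6.2" from output such as "Linux strongSwan U5.6.2/K4.15.0-20-generic"
# (a constructed sample of the U<version>/K<kernel> form strongSwan prints).
strongswan_version() {
  printf '%s\n' "$1" | sed -n 's/.*strongSwan U\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if the installed strongSwan meets MIN_VERSION. Pass captured output
# as $1, or give no argument to run `ipsec version` on this host.
check_version() {
  if [ $# -gt 0 ]; then out=$1; else out=$(ipsec version 2>/dev/null) || out=; fi
  v=$(strongswan_version "$out")
  [ -n "$v" ] || { echo "strongSwan not found (run 'ipsec version')" >&2; return 1; }
  version_ge "$v" "$MIN_VERSION" || { echo "strongSwan $v is older than $MIN_VERSION" >&2; return 1; }
  echo "strongSwan $v OK"
}

# Return 0 if the PSK file exists and is readable only by its owner (0600/0400).
check_psk_perms() {
  f=$1
  [ -f "$f" ] || { echo "missing PSK file: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f")
  case "$mode" in
    600|400) echo "$f mode $mode OK" ;;
    *) echo "$f is mode $mode; the PSK should be root-only (chmod 600 $f)" >&2; return 1 ;;
  esac
}

# Run as root with the path of the copied PSK file, e.g.:
#   ./ipsec-preflight.sh /etc/ipsec.secret            (Ubuntu, SUSE Linux)
#   ./ipsec-preflight.sh /etc/strongswan/ipsec.secret (RedHat)
if [ $# -eq 1 ]; then
  check_version && check_psk_perms "$1"
fi
```

Run it after step 2b and before restarting the daemon; a non-zero exit means either the bundled strongswan is too old (the Ubuntu 16.04 case above) or the PSK file was copied with permissions that expose the key to other local users.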

  3. Test the internal and external connection to each cluster node on the IBM Z or LinuxONE system by using the ping command. For example,

    ping 192.168.0.252
    ping 192.168.0.253
    ping 192.168.0.254
    ping 172.16.0.4
    
  4. In a layer 3 network, if the external IP address of the proxy node is reachable but its internal IP address is not, log in to the proxy node by using the external IP address and add a routing entry for the other cluster nodes on the proxy node. In the following example, 10.162.161.0/24 is the layer 3 IP address and netmask of the master node, and 10.152.151.1 is the gateway of the internal network of the cluster nodes.

    ssh -i config/ssh_key root@172.16.0.4
    ip route add 10.162.161.0/24 via 10.152.151.1
    

    Note: This IP routing rule will not persist after the restart of the proxy node. You must run the command again after the proxy node is restarted.

  5. To enhance the security on the proxy node, use the following command to enable the firewall on the proxy node.

    ssh -i config/ssh_key root@172.16.0.4
    iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
    

    Note: If the commands are applied successfully, the terminal might hang. You can verify the firewall status by running ssh -i config/ssh_key root@172.16.0.4 again. If the connection fails, the firewall is enabled successfully.

Next

Follow the instructions in the Installing IBM Cloud Private topic to deploy the IBM Cloud Private on your cluster nodes.