Commit 87c9d271 authored by JackV

Fixes, add additional images

parent 5490dc28
Pipeline #581 passed with stage in 58 seconds
......@@ -3,9 +3,9 @@
* Networking & NFtables basics
* How to debug network problems
* Wireguard: easy to setup vpn
* Ansible: how to manange many computers
* Ansible: how to manage many computers
* Why have servers running at home
* Internet connections technologies
* Internet connection technologies
* How to build a linux home router
---
......@@ -21,7 +21,7 @@ A lot of what we are going to
cover today has been done in depth
in previous Linux courses
(links in the relevant sections)
This talk focuses more on how
This talk will focus more on how
all these topics can come together
----
......@@ -59,7 +59,7 @@ Software stack: `ip {address,route}`
## Transport Layer
Works to provide a usable implementation (socket) to the
program, provide important feature such as:
program, it provides important feature such as:
* Ports
* Packet reliability
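Review bot: the reworded line "program, it provides important feature such as:" still has the singular "feature" before a list of several items, and the added "it" turns the sentence into a comma splice. Suggest "program. It provides important features such as:".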
......@@ -83,20 +83,20 @@ Main technologies: HTTP, HTTPS, IMAP, gRPC
other computers
* IPs have a __subnet mask__ that indicates which other IPs
can be contacted directly through the link layer
* Computer use ARP/NDP to have a **IP <-> MAC** translation
* This also means that there is a ARP/NDP record that tells us
* Computers use ARP/NDP to have a **IP <-> MAC** translation
* Also there is a ARP/NDP record that tells us
the **MAC address** relative to the IP we want to contact
---
## What is important to remember /2
<h2 style="min-width: 110%">What is important to remember /2</h2>
* For all other IPs (eg. `176.31.102.216`) we need to have
a **default gateway** where we deliver our IP packets to have
* For any other IP (eg. `176.31.102.216`) we need to have
a **default gateway** to which we deliver our IP packets to have
them sent to the Internet
* Computers that act as default gateways are called **routers**
(since they **route** packets) and usually take the form of
those boxes that ISP give to you
those boxes that ISPs give to you
---
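Review bot: the "What is important to remember /2" heading is switched from markdown to a raw `<h2 style="min-width: 110%">`, which hard-codes a layout workaround into the slide text and will be easy to miss when the title changes. A class defined once in the theme CSS would keep the slide source in markdown conventions. In the same hunk, the rewritten bullets still read "a **IP <-> MAC** translation" and "a ARP/NDP record"; both should use "an".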
......@@ -137,7 +137,7 @@ $ ip address show
## Important information
```
```bash
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
```
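Review bot: the fence around `3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500` is now tagged `bash`, but the content is output of `ip address show`, not shell code, so the highlighter will colour `<`, `>` and the keywords as if they were redirections and commands. Leaving the fence untagged or using a plain-text tag would render the output as-is; the same applies to the `link/ether` and `ip route show` blocks in the following hunks.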
......@@ -148,6 +148,8 @@ $ ip address show
---
## Important information /2
```bash
link/ether 9c:b6:d0:06:87:35
```
......@@ -163,6 +165,8 @@ Our interface's IP addresses
---
## Important information /3
```bash
$ ip route show
default via 192.168.0.1 dev wlp2s0 <clipped>
......@@ -187,11 +191,12 @@ packet filter (firewall) allowing us to block out unwanted traffic
---
## NFtables vs IPtables vs firewalld (& co.)
<h2 style="min-width: 110%">NFtables vs IPtables vs firewalld (& co.)</h2>
* **iptables**: frontend for `xt_*` kernel modules, old (1998)
* **nftables**: frontend for `nf_*` kernel modules, "new" (2014)
* **firewalld & co.**: allow easier configuration, under the hood all use iptables
* **firewalld & co.**: allow easier configuration, under the hood
they all use iptables
---
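Review bot: the rewrapped bullet keeps the claim that firewalld and similar frontends "all use iptables" under the hood, which is too strong: firewalld can run on an nftables backend. Since this slide is the one comparing the two, "under the hood they use iptables or nftables" would be more accurate. The new raw `<h2>` also contains a bare `&` in "(& co.)"; `&amp;` is the safe spelling inside HTML.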
......@@ -226,7 +231,7 @@ Source: [Wikipedia](https://commons.wikimedia.org/wiki/File:Netfilter-packet-flo
2 separate interfaces (like a switch)
* The **routing decision** step is also what decides the output interface,
the __forward__ hook is the first to know the output interface
* There are **4** chains: **filter** and **nat** (common), mangle and raw (rarely used)
* There are **4** chains: **filter** and **nat** (common), `mangle` and `raw` (rarely used)
* There are **5** hooks:
* filter: **input**, **forward**, **output**
* nat: **prerouting**, **postrouting**
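Review bot: the edited line calls `filter`, `nat`, `mangle` and `raw` "chains", but in netfilter terminology these are tables; the chains are the per-hook lists (input, forward, output, prerouting, postrouting) named in the next bullet. Suggest "There are **4** tables" so the slide matches what readers will see in `iptables -t` and `nft list tables`. The formatting is also now mixed: two names are bold and two are in code style; pick one for all four.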
......@@ -300,10 +305,10 @@ network configuration problems
### Network checklist
* Does the network have working routing?
* Can the network route to another address?
* Does the network resolve domain names?
* Are response packets coming back?
* Are there problems in upper layers?
* Is everything ok in upper layers?
---
......@@ -322,7 +327,7 @@ network configuration problems
* Again **ping** can be used to quickly check if DNS resolution
is working as intended, `ping poul.org` will return an ip
address is DNS is working
address if DNS is working
* **dig** can help to check more complex problems,
using `dig poul.org` will tell us if the system DNS
......@@ -340,7 +345,7 @@ network configuration problems
* Only have ssh but want to have a gui? No problem!<br>
```
ssh root@<ip> 'tcpdump -i eth0 -s0 -w -' | wireshark -k -i -
ssh root@<ip> "tcpdump -i eth0 -s0 -w - 'not port 22'" | wireshark -k -i -
```
---
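Review bot: the new capture filter `'not port 22'` assumes sshd listens on the default port; on a host where SSH runs elsewhere the capture will again record its own transport traffic and feed back on itself. A short note on the slide saying the port must match the SSH port in use would avoid that. Consider also adding `-U` to the tcpdump invocation so packets are flushed to the pipe as they arrive rather than when the buffer fills.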
......@@ -431,11 +436,11 @@ Endpoint = <server public ip>:51820
---
```
wg-quick server.conf
wg-quick up server.conf
```
```
wg-quick client.conf
wg-quick up client.conf
```
---
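Review bot: adding the `up` subcommand is right, but `wg-quick up server.conf` and `wg-quick up client.conf` pass a bare name with no slash, which wg-quick treats as an interface name to look up under `/etc/wireguard/` rather than as a file in the current directory. Suggest either `wg-quick up ./server.conf` (explicit path) or `wg-quick up server` with the file installed as `/etc/wireguard/server.conf`, and the same for the client line.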
......@@ -447,7 +452,8 @@ wg-quick client.conf
## Well not so fast
Due to the fail-open nature, it is sometimes difficult to debug
Some debugging techniques are shown in the previous sections.
Some debugging techniques are shown in the previous sections.
Ping tends to report an error if wireguard is misconfigured.
The linked slides offer a more in-depth explaination of the
configuration that might help to debug problems.
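Review bot: the added sentence "Ping tends to report an error if wireguard is misconfigured." does not say which error to look for, so it gives the audience nothing to match against when debugging; quoting the actual message on the slide would make it usable. The context line below still has "explaination", which is worth fixing in this typo pass.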
......@@ -467,14 +473,15 @@ Strong points:
* Only Python and SSH need to be installed to have a machine
be controlled by Ansible
* Idempotent (multiple runs have the same result as one)
* Declarative/Stateless - what is on the config files dictates the end result
* Declarative/Stateless - what is on the config files dictates the end result,
not how to get there
---
## What can you do with ansible?
* Maintain consistent configurations across machines
* Have all your machines have a set of installed packages
* Have set of installed packages on all your machines
* Manage installation/upgrade of services in a reproducible way
---
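Review bot: the rewritten bullet "Have set of installed packages on all your machines" is missing an article; suggest "Have the same set of installed packages on all your machines".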
......@@ -487,7 +494,7 @@ Strong points:
---
## Anatony of an inventory
## Anatomy of an inventory
```ini
[webservers]
......@@ -522,7 +529,7 @@ apk:
remote_user: root
tasks:
- name: install webserver
apk:
package:
name: lighthttpd
state: latest
- name: start webserver
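Review bot: switching `apk:` to the generic `package:` module makes the playbook portable, but the package name on the next line is still `lighthttpd`; the web server is called `lighttpd`, so the task will fail on the target's package manager. Separately, `state: latest` upgrades the package on every run, which works against the "reproducible" point made on the earlier slide; `state: present` is the usual choice unless upgrades are intended.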
......@@ -552,15 +559,15 @@ apk:
---
### Server
### Cloud Server
* Usually have better uptime (much closer to 100%)
* Usually has better uptime (much closer to 100%)
* Storage has magic underneath
* Usually have higher network bandwidth
* Usually has higher network bandwidth
---
### What to consider to do cost/benefit
### What to consider to do cost/benefit-wise
* On cloud servers the entire infrastructure
is redundant, and if a component breaks the
......@@ -589,11 +596,15 @@ apk:
## SBC ARM/Router
<img src="assets/rpi4.jpg" style="max-height: 30%">
<div style="display: block; margin: 0 auto">
<img src="assets/rpi4.jpg" style="max-width: 27%">
<img src="assets/tinkerboard.png" style="max-width: 30%">
<img src="assets/rockpro64.png" style="max-width: 25%">
</div>
* Cost: 20-100€
* Computing power: Medium-Low
* Storage: scarce (eccetto usb 3)
* Storage: scarce/decent
* Power consumption: > 10W
---
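Review bot: "Storage: scarce/decent" drops the USB 3 qualifier the old line carried, so the reader can no longer tell when storage is decent; something like "Storage: scarce (decent with USB 3)" keeps the information while removing the Italian. The three new `<img>` tags have no `alt` attribute, and the context line "Power consumption: > 10W" looks inverted next to the 10-50W given for the next category; please check whether "< 10W" was meant.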
......@@ -612,14 +623,15 @@ apk:
## Why you shouldn't buy a RPi
* 1-3 have usb ports behind an hub
* 1-3 have usb ports behind a hub
* 1-3 have ethernet behind an usb adapter<br>(guess where it is attached?)
* Wifi tends to be very crappy without
an u.FL connector and a proper antenna
* Computing power is generally poorer than
* Computing power is generally lower than
competitors for the same price point
* RPi linux distributions tend to come with
a lot of propietary broadcom blobs
a lot of proprietary broadcom blobs
* Generally poor power supply circuitry
---
......@@ -632,7 +644,7 @@ apk:
* Cost: 50-200€
* Computing power: Medium-High
* Storage: sufficent
* Storage: usually quite decent
* Power consumption: 10-50W
---
......@@ -646,9 +658,9 @@ apk:
* Cost: 100-2000€
* Computing power: High
* Storage: sufficent-plenty (SAN)
* Storage: sufficent-plenty (NAS)
* Power Consuption: 200-2000W
* Pros: no house heating costs
* Pros: [no house heating costs](https://hardware.slashdot.org/story/17/09/13/002250/french-company-plans-to-heat-homes-offices-with-amd-ryzen-pro-processors)
---
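Review bot: the corrected storage line still spells "sufficent", and the context line "Power Consuption" has both a typo and capitalisation that differs from the "Power consumption" used on the other hardware slides. Both are worth fixing while this slide is being touched.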
......@@ -735,7 +747,7 @@ AFAIK there is no ONT with OpenWRT support
<img src="assets/ethernet.jpg" style="max-height: 30%" />
Some provides (eg. Eolo) use alternative transmission mediums,
Some providers (eg. Eolo) use alternative transmission mediums,
usually these will have an ordinary ethernet cable attached
to a mundane wifi router
......@@ -757,7 +769,7 @@ to a mundane wifi router
## Small digression: Modem Libero
At the end of 2018 the AGCOM (italian telecomunications agency) approved
a set of rules that force ISP to provide appropiate means to allow consumers
a set of rules that forces ISPs to provide appropiate means to allow consumers
to choose their own router (ONT are still part of the ISP's network)
Obtaining the various settings for connecting to the ISP's network varies
by difficulty and amount of call centers you have to contact based on the ISP you pick
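Review bot: the rewritten line fixes "ISPs" but keeps "appropiate", and the context line above still has "telecomunications". Also, "a set of rules that forces" now makes the verb agree with "set"; "rules that force" reads more naturally if the rules are the subject.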