From: paulr Date: Tue, 2 Nov 2010 13:52:19 +0000 (+1100) Subject: just thinking how things are working on paper X-Git-Url: http://git.pjr.cc/?a=commitdiff_plain;h=refs%2Fheads%2Fmaster;p=ipcontrol.git just thinking how things are working on paper --- diff --git a/doc/readme.txt b/doc/readme.txt index 35dfd87..2152ad1 100644 --- a/doc/readme.txt +++ b/doc/readme.txt 
@@ -34,3 +34,78 @@ What we want to be able to do? 2) define networks (ipv6 and ipv4) 3) define hosts 4) connect them all via xmpp + + +Use Cases +========= + +So this little bit will hopefully get people to understand (including myself) what im trying to achieve here. + +first we want to be able to define networks, zones and areas. +Networks are just "ranges" we use eg: +- 123.4.5.0/24 +- 10.175.0.0/16 +- 10.172.0.0/16 +- 2001:123:123::0/48 + +then we want to define the areas where things exist, for eg: +- external (the rest of the world) +- datacenter (our datacenter space) +- clients (where we host stuff) +- office (our office network) + +Zones define how we "see" things, for eg: +- external may be a zone called outside +- clients may also be in the outside zone +- datacenter may be internal +- office may be internal +This is used to define who sees what in terms of dns entries. For eg people on the internal zones will see +web01.www.us.int as 10.175.1.2, but on the outside zones as 123.4.5.1 - make sense? + +Then we want to define how we associate area's with addresses, for eg: +- 123.4.5.0/24 is our externally addressable space +- 10.175.1-10.0/24 might be our datacenter space +- 10.175.11-20.0/24 might be our client space +- 10.172.1.0/24 might be our office space. + +now we want to intelligently allocate things around such that firewall rules are created and the like, for eg: + +Lets say i want to deploy a 3 tier web service thats externally accessible via 80 and 443 in our idc. So we go and define +3 new networks in the thing and it should auto-allocate us 3 new ranges (we tell it size, i.e. 255 ip's for each) +We then define 3 web servers with 1 ip each in our "web tier" with the zone name of web.us.int. The softare automatically allocates 3 ip addresses in our +web tier range (lets say 10.175.1.2 web01, 10.175.1.3 as web02 , 10.175.1.4 as web03). 
+We then say our web servers are accissible as an external address (which is then allocated to us) on ports 80 and 443 as www.ourspace.int + +So now the software will go out and do some kewl things (lets assume we want to use dns load balancing). What it will do is: + +create 3 dns entries for our external zone called www.ourspace.int pointing at 3 external addresses, 123.4.5.1, 123.4.5.2, 123.4.5.3 and give out each address randomally + +then it'll create 3 dns entries for internally facing dns called web01.web.us.int (10.175.1.2), etc. + +It'll then automagically create natting rules allowing 123.4.5.1 -> 10.175.1.2 and ip fw rules allowing in-bound traffic on port 80 and 443 to hit our webservers + +You can see where im going with this. + +Lets look at a mail-router example. So we define a domain a.b.c and say the mx is mx01.a.b.c in area datacenter and zone internal, externally named mx01.a.b.c. The framework +should automatically allocate an external ip address, an internal one on an appropriate network setup the mx records AND publish dns entries as well as NAT and allow access +on port 25 via ip tables to the hosts... make sense? The steps to do this should be: +1. create domain name +2. create server in existing network (which already has a zone and area assocaiated with it) +3. add server as mx for domain. +Yeah, THAT SIMPLE. Thats what we're aiming for here. + + +gateways and servers +==================== + +these are simply machines that are part of our control mechanism. i.e. dns, dhcp, routers etc. (it would be nice to have a build for this) + +so like if we say a network has a dhcp range, we should also have to define a dhcp server to hand out addresses. + +Server builds +============= + +We want our "Servers" that form part of this solution to have a standard (and secure) build. Lets assume redhat/centos 5 as a base (i.e. someone builds a machine with standard redhat) +Then we have a script they run which tightens it up. i.e. 
disables all the stuff we dont need, adds software we do need. More then just that, but basically the initial script +will just add the software we need for the "Server" to be an xmpp client to our central xmpp server. Then as we define rolls for the server it'll change its config and so forth +depending on its role... i.e. for dns, it'll do a yum install bind, for dhcp yum install dhcpd, etc. \ No newline at end of file
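Review bot: the hunk makes XMPP the channel over which every managed server receives its role, its iptables/NAT rules and its DNS changes ("the software we need for the 'Server' to be an xmpp client to our central xmpp server", "as we define rolls for the server it'll change its config"), but nothing in it says how a server decides that a command really came from the controller; a forged or replayed message would then be an arbitrary firewall or zone-file change on every host. Add a sentence under "gateways and servers" or "Server builds" stating that the XMPP link is TLS-only, that controller and servers authenticate each other with per-host credentials or certificates, and that commands are acted on only when they come from the controller's identity. Smaller points in the same hunk: the web-tier zone is named "web.us.int" and the hosts "web01.web.us.int", yet the Zones paragraph uses "web01.www.us.int"; pick one. "255 ip's for each" does not match the /24 ranges used everywhere else (256 addresses, 254 usable hosts), and "10.175.1-10.0/24" is not a notation any tool will parse; write it as 10.175.1.0/24 through 10.175.10.0/24. On CentOS 5 the DHCP server package is "dhcp" (the daemon is dhcpd), so "yum install dhcpd" will not resolve. Spelling: "accissible", "randomally", "softare", "assocaiated", "rolls" (roles), "im" (I'm), "dont".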