Basic components of a Linux-based air-gapped network
Many of us run disconnected, isolated networks and need tooling to support our infrastructure requirements, for example an OpenShift Container Platform install with OpenShift Container Storage as the back end, or similar environments. Whether you are using or building an isolated network, the same handful of standard services comes up every time. This article focuses on those services.
An air-gapped network is a self-contained network with no external or Internet connectivity. Air-gapping is an extreme security measure, usually reserved for government or enterprise projects that require secrecy or confidentiality.
Typical components
The typical components needed in an isolated environment are Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Trivial File Transfer Protocol (TFTP), Preboot Execution Environment (PXE), a load balancer (LB), and a web server.
DNS
DNS provides name resolution for the isolated environment. It can be served by BIND, Unbound, or dnsmasq, or, for a handful of hosts, by editing the hosts file on every machine (a hosts file only gives you forward name-to-address lookups, not SRV or reverse records). Regardless of the software, the records you typically need are:
- A record - the IPv4 address for a name.
- AAAA record - the IPv6 address for a name.
- SRV record - the host and port of a network service, so clients find services such as LDAP or Kerberos by name.
- PTR record - the reverse lookup from an address back to its name, the inverse of the A record.
These records give clients the name resolution they need on the network.
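As an added example (not part of the original article), the following shell script builds BIND-style forward and reverse zone data for a small constructed host table, including the PTR names derived from each A record. The zone name lab.example, the reverse zone, the host names, addresses and the SRV targets are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: generate forward (A, AAAA, SRV) and reverse (PTR) zone
# records for an isolated network from a constructed host table.
# Zone names, host names and addresses below are assumptions.

ZONE=lab.example                    # assumed forward zone
REV_ZONE=7.168.192.in-addr.arpa     # assumed reverse zone for 192.168.7.0/24
TTL=3600

# Constructed host table: name, IPv4, IPv6 (one host per line).
HOSTS='
ns1   192.168.7.2   fd00:7::2
ipa   192.168.7.5   fd00:7::5
lb    192.168.7.10  fd00:7::10
'

# ptr_name 192.168.7.10  ->  10.7.168.192.in-addr.arpa.
# The octets are reversed and the name is written fully qualified.
ptr_name() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$d" "$c" "$b" "$a"
}

# soa_ns ORIGIN: SOA and NS header every zone needs (serial is a
# constructed placeholder; bump it on every change).
soa_ns() {
    printf '$ORIGIN %s.\n$TTL %s\n' "$1" "$TTL"
    printf '@ IN SOA ns1.%s. hostmaster.%s. 1 3600 900 604800 86400\n' "$ZONE" "$ZONE"
    printf '@ IN NS ns1.%s.\n' "$ZONE"
}

# forward_zone: A and AAAA records for every host, plus SRV records that
# point clients at services by name rather than by address.
forward_zone() {
    soa_ns "$ZONE"
    printf '%s\n' "$HOSTS" | while read -r name v4 v6; do
        [ -n "$name" ] || continue
        printf '%-8s IN A    %s\n' "$name" "$v4"
        printf '%-8s IN AAAA %s\n' "$name" "$v6"
    done
    # SRV: _service._proto  priority weight port target
    printf '%-14s IN SRV 0 10 389 ipa\n' "_ldap._tcp"
    printf '%-14s IN SRV 0 10 88 ipa\n' "_kerberos._udp"
}

# reverse_zone: one PTR per IPv4 address, derived from the same table so
# forward and reverse data cannot drift apart.
reverse_zone() {
    soa_ns "$REV_ZONE"
    printf '%s\n' "$HOSTS" | while read -r name v4 v6; do
        [ -n "$name" ] || continue
        printf '%s IN PTR %s.%s.\n' "$(ptr_name "$v4")" "$name" "$ZONE"
    done
}

forward_zone
reverse_zone
```

Feed the two outputs to named-checkzone (BIND) before loading them; generating both zones from one table is the simplest way to keep PTR records from going stale, which is what breaks reverse-lookup-dependent tooling on closed networks.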
DHCP
DHCP hands out IP addresses to clients on the network so that each node does not have to be configured by hand. It is provided by dnsmasq or dhcpd. A DHCP lease usually carries several options along with the address. Typical options passed to clients include:
- IP address - the unique address that identifies the host on the network.
- Router/gateway - isolated environments are usually flat networks, but where several isolated networks are connected together, some of them will have routes.
- DNS server - the server that provides name resolution for the network.
- TFTP server (DHCP option 66) - where clients fetch boot and configuration files.
- TFTP boot file (DHCP option 67) - the first boot file the client should request from that TFTP server.
These options give nodes the network settings they need to communicate fully with each other on the isolated network.
Web server
Your toolbox can include Apache, NGINX, or Node.js, or you can simply start a quick web server with Python. Whatever serves the files you carried across the air gap, bind it to the isolated interface and serve a dedicated directory rather than a general-purpose filesystem path.
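The quick Python web server mentioned above is fine on an isolated network, but the files it serves are exactly what crossed the air gap, so they deserve an integrity check. The following is an added example, not from the original article: it writes a SHA256 manifest for a staging directory, verifies the staged copy, and only then serves it with Python's built-in server bound to the isolated interface. The directory, address, port and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: stage files for the
# isolated network with a checksum manifest, verify the copy, and serve
# it with Python's built-in web server bound only to the isolated NIC.
# STAGE_DIR, BIND_ADDR, PORT and the sample file are assumptions.

STAGE_DIR=${STAGE_DIR:-/srv/airgap}     # assumed document root
BIND_ADDR=${BIND_ADDR:-192.168.7.2}     # assumed address on the isolated NIC
PORT=${PORT:-8080}

# stage_manifest DIR: write DIR/SHA256SUMS covering every regular file in
# DIR except the manifest itself. Generate it on the connected side and
# carry it across together with the files.
stage_manifest() {
    dir=$1
    ( cd "$dir" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + \
        | sort -k2 > SHA256SUMS )
}

# verify_manifest DIR: non-zero if any listed file is missing or altered.
verify_manifest() {
    dir=$1
    ( cd "$dir" && sha256sum -c --quiet SHA256SUMS )
}

# serve_stage DIR: refuse to serve unless the manifest verifies, then
# listen on the isolated interface only. Blocks until interrupted, so
# run it in its own shell or as a systemd unit.
serve_stage() {
    dir=$1
    verify_manifest "$dir" || { echo "refusing to serve: manifest check failed" >&2; return 1; }
    python3 -m http.server "$PORT" --bind "$BIND_ADDR" --directory "$dir"
}

# Constructed demo: build a staging directory, verify it, then tamper with it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/images"
    printf 'constructed sample image payload\n' > "$tmp/images/sample.img"
    stage_manifest "$tmp"
    verify_manifest "$tmp" && echo "clean copy: OK"
    printf 'x' >> "$tmp/images/sample.img"
    verify_manifest "$tmp" 2>/dev/null || echo "tampered copy: REJECTED"
    rm -rf "$tmp"
}

demo
```

The manifest has to be produced on the connected side and travel with the media; a checksum generated after the files arrive only proves they have not changed since then, not that they arrived intact.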
TFTP
A Trivial File Transfer Protocol (TFTP) server transfers files between a server and a client, much like FTP, but the two protocols differ and have their own use cases. TFTP uses UDP on port 69, supports only simple read and write operations, and has no authentication or encryption, so it should only ever serve a read-only boot directory. It is most often paired with the Preboot Execution Environment (PXE) to serve files for diskless booting, and it is also commonly used to retrieve configuration files and small system images, for example router and switch OS images. A couple of options are:
- tftp-server
- dnsmasq
PXE
The Preboot Execution Environment (PXE) lets you boot and configure systems that have no locally installed operating system. It is an "environment" rather than a single technology: typically a PXE-capable network card, a DHCP server, and a TFTP server. The boot process consists of:
- The PXE firmware on the NIC (or a small boot loader supplied on CD/USB) broadcasts a DHCP request for an IP address.
- DHCP answers with the address plus the TFTP server and boot file name the client should fetch.
- The TFTP server serves the remaining boot files and images, and the boot continues from there.
That is a very simplified view of the PXE boot process. The point is that the system boots without a locally installed OS: with DHCP, TFTP, and a PXE-compliant network card in place, you can boot "from the network." Keep in mind that nothing in DHCP or PXE authenticates the server, so any host answering DHCP on the segment can redirect a booting machine; the protection here is the air gap itself and control over what is plugged into it.
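The DHCP options, the TFTP service and the PXE hand-off described in the last three sections can all come from a single dnsmasq instance. The following is an added example, not the article's own configuration: it prints such a configuration, picks the boot file by client architecture, and checks that every boot file DHCP advertises actually exists under the TFTP root (dnsmasq will happily advertise a file it cannot serve). The interface name, addresses, reservation MAC and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: one dnsmasq configuration
# that provides DHCP, TFTP and the PXE hand-off for an isolated segment,
# plus a check that the advertised boot files exist under the TFTP root.
# IFACE, SERVER_IP, TFTP_ROOT, the MAC and the file names are assumptions.

IFACE=${IFACE:-eth1}                       # assumed NIC on the isolated network
SERVER_IP=${SERVER_IP:-192.168.7.2}        # assumed DHCP/TFTP server address
TFTP_ROOT=${TFTP_ROOT:-/var/lib/tftpboot}  # assumed TFTP directory

# gen_dnsmasq_conf: print the configuration (normally /etc/dnsmasq.conf).
gen_dnsmasq_conf() {
    cat <<EOF
# Listen only on the isolated interface; never answer DHCP anywhere else.
interface=$IFACE
bind-interfaces
domain=lab.example

# DHCP pool and the options clients need: router, DNS, TFTP server (66).
dhcp-range=192.168.7.100,192.168.7.199,12h
dhcp-option=option:router,192.168.7.1
dhcp-option=option:dns-server,$SERVER_IP
dhcp-option=option:tftp-server,$SERVER_IP
# Reservations keep known nodes on fixed addresses (constructed MAC).
dhcp-host=52:54:00:aa:bb:01,lb,192.168.7.10

# PXE: choose the boot file (option 67) by client architecture (option 93):
# 0 = BIOS, 7 and 9 = x86-64 UEFI.
dhcp-match=set:bios,option:client-arch,0
dhcp-match=set:efi64,option:client-arch,7
dhcp-match=set:efi64,option:client-arch,9
dhcp-boot=tag:bios,pxelinux.0,,$SERVER_IP
dhcp-boot=tag:efi64,grubx64.efi,,$SERVER_IP

# TFTP: read-only and confined to tftp-root; tftp-secure additionally
# serves only files owned by the user dnsmasq runs as.
enable-tftp
tftp-root=$TFTP_ROOT
tftp-secure
EOF
}

# boot_files: every file name advertised on a dhcp-boot line.
boot_files() {
    gen_dnsmasq_conf | sed -n 's/^dhcp-boot=\(tag:[^,]*,\)\{0,1\}\([^,]*\),.*/\2/p'
}

# check_tftp_root DIR: non-zero if any advertised boot file is missing from DIR.
check_tftp_root() {
    dir=$1; rc=0
    for f in $(boot_files); do
        if [ -f "$dir/$f" ]; then
            echo "ok       $dir/$f"
        else
            echo "MISSING  $dir/$f"; rc=1
        fi
    done
    return $rc
}

gen_dnsmasq_conf
check_tftp_root "$TFTP_ROOT" || echo "populate $TFTP_ROOT before starting dnsmasq" >&2
```

The interface and bind-interfaces lines matter more than they look: a DHCP server that also answers on a connected interface is the classic way an "isolated" build box ends up handing out leases to the wrong network.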
OpenShift
If you're working with OpenShift, you will need a container registry and a load balancer to install and run the required computing resources correctly. There are several options for the registry, such as Quay or a simple registry run manually with Podman.
HAProxy provides the load balancing.
Certificate services can be provided by a FreeIPA or Dogtag install, or simply with certificates issued by OpenSSL; either way the signing CA has to be trusted by every node and client that will talk to the registry.
Alternatives
The software components can be rolled up into a live CD or deployed as a pod. Remember, pods contain containers, so one option is to containerize each component in a pod and deploy it as needed from a private registry. Other alternatives are a proxy server that provides limited access to the network, or a jump box/bastion host with one foot in the "air-gapped" network and one foot in the "connected" environment. Be clear with yourself that a proxy or a dual-homed bastion is no longer an air gap but a controlled link: it becomes the trust boundary, so keep it to the minimum of services, log what crosses it, and do not let it forward traffic between the two interfaces.
Wrap up
As you can see, many of the same services required in a "connected" network are also used in air-gapped networks. Services such as IP address allocation and name resolution are necessary in either case. Just remember that in an air-gapped network these services operate independently of their counterparts elsewhere: there is no upstream resolver to forward to and no external registry or repository to fall back on, so everything they need has to be staged inside the gap.
Many Enable Sysadmin articles have been written on deploying or configuring the aforementioned software.