DebConf17/InfrastructureTeam

Technical documentation

The NOC is located in room B-2206. The thermal properties of the room should be sufficient since it's large enough for effective heat dissipation.

APT proxy

An APT proxy is set up in the NOC room to reduce upstream bandwidth needs and speed up repeated builds. It currently runs on the gateway, which has only an HDD (spinning disk, 7200 rpm, Seagate ST1000DM003-9YN1), so it may not be as fast as your favorite mirror running a shiny SSD. We'll fix this eventually as well.

To configure your clients, see the quick tutorial for autoconfiguration. If you prefer manual configuration, the address of the proxy is `http://proxy:3142`. That short name assumes you honor the DHCP search domain directive; if not, you'll need the full domain (http://proxy.dc17.debconf.org:3142).
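As an added example (not from this wiki page or the DebConf17 team), here is a client-side setup that points apt at the NOC proxy through apt's `Acquire::http::Proxy-Auto-Detect` hook, so a laptop falls back to a direct connection when the proxy is unreachable (off-site, or if the gateway is down) instead of failing every `apt update`. The proxy host and port (proxy.dc17.debconf.org:3142) are the page's; the script path /usr/local/bin/apt-proxy-detect is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the DebConf17 wiki page.
# Assumed: apt-cacher-ng proxy reachable as proxy.dc17.debconf.org:3142 (from
# the page); the detect-script path /usr/local/bin/apt-proxy-detect is ours.

# Print the proxy URL if host:port accepts a TCP connection within 2 seconds,
# otherwise print DIRECT, which apt understands as "use no proxy".
# Optional arguments override host and port when run by hand. Do NOT forward
# apt's own argument to this function: apt passes the URI it is about to fetch
# as $1 to the Proxy-Auto-Detect script, and that is not a host name.
detect_apt_proxy() {
    host="${1:-proxy.dc17.debconf.org}"
    port="${2:-3142}"
    # /dev/tcp is a bash feature, so the probe runs in a bash subprocess;
    # a refused or timed-out connection (or no bash at all) yields DIRECT.
    if timeout 2 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null; then
        printf 'http://%s:%s\n' "$host" "$port"
    else
        printf 'DIRECT\n'
    fi
}

# Render the apt.conf.d snippet that wires the detection script in.
# apt still verifies the signed Release files itself, so a proxy on plain
# HTTP can delay or withhold updates but cannot substitute packages unnoticed.
apt_proxy_conf() {
    script="${1:-/usr/local/bin/apt-proxy-detect}"
    printf 'Acquire::http::Proxy-Auto-Detect "%s";\n' "$script"
}
```

Save the detection function as /usr/local/bin/apt-proxy-detect (mode 0755, ending with a bare `detect_apt_proxy` call and no arguments forwarded) and put the output of `apt_proxy_conf` into /etc/apt/apt.conf.d/01proxy. For the static manual setup the page describes, `Acquire::http::Proxy "http://proxy:3142";` in the same file is enough, but then apt fails whenever the proxy is unreachable.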

DNS cache

We provide a DNS caching server ("unbound") for the network. The domain "dc17.debconf.org" is reserved for the internal network; records are added on the DHCP/DNS server (noc0gw0) in the unbound.conf file, using entries like:

       local-data: "proxy.dc17.debconf.org. IN A 10.17.127.100"
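As an added example (not the team's actual unbound.conf), here is the surrounding server block such a `local-data` line normally sits in. The proxy name and address are the page's; the listening interfaces and allowed client ranges are assumptions based on the IP allocation table below, and the point of the `access-control` lines is to keep the cache from being an open resolver on the public range.

```conf
server:
    # Added example, not the real DebConf17 configuration.
    # Listen on the internal gateway addresses only (assumed from the
    # IP allocation table), not on the public VLAN address.
    interface: 10.17.127.100
    interface: 10.17.254.100
    # Answer the conference networks only; refuse everything else so the
    # cache cannot be abused as an open resolver from outside.
    access-control: 10.17.0.0/16 allow
    access-control: 10.18.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # The internal zone is served locally: names not listed here get
    # NXDOMAIN instead of being forwarded upstream.
    local-zone: "dc17.debconf.org." static
    local-data: "proxy.dc17.debconf.org. IN A 10.17.127.100"
    # Reverse entry, so logs and traceroutes show the internal name.
    local-data-ptr: "10.17.127.100 proxy.dc17.debconf.org"
```

Run `unbound-checkconf` after editing and reload unbound to pick up new records.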

Backend documentation

Maisonneuve IT has four gigabit ethernet drops in the NOC, next to the teacher's desk, coming directly from the nearby distribution switch (which has a 10gbit uplink). The ports are labeled B-2206 D1, 2, 3 and 4. The top port shouldn't be used: it's in the "teacher's" VLAN and has some ports blocked.

Here's the current port usage for the drops:

 Port  Device
 D1    noc0sw0
 D2    noc0sw1
 D3    free
 D4    free

So the two core switches are independently connected to the backend distribution switches. From those distribution switches, we are in Maisonneuve's IT network, which interconnects the other rooms. They do propagate VLANs and routing (incl. NAT) for us, and also handle Wifi hotspots which are bridged with our VLANs.

All NATed traffic will come from 206.167.44.0/24.

Wifi

APs connected to our network have the ESSID "DebConf17" with the password "stretch17". The other ESSID ("cmaisonneuve"/"sansfil3800") is in a different network with some ports blocked.

IP allocation

 Host            IP                   Notes
 noc0sw0         10.17.127.0/17       core switch near teacher desk
 noc0sw1         10.17.127.1/17       core switch on table
 hacklabsw{0-6}  10.17.127.1{0-6}/17  hacklab switches
 noc0gw0         10.17.127.100/17     DHCP / DNS server, wired VLAN
 noc0gw0         10.17.254.100/17     DHCP / DNS server, wireless VLAN
 noc0gw0         10.18.0.2/24         DNS server (not used)
 gw              10.18.0.3/24         DHCP, PXE, DNS server, video VLAN
 noc0gw0         206.167.36.194/26    DHCP / DNS server, public VLAN
 noc1st0         206.167.36.195/26    8TB media server
 odroid4         206.167.36.196/26    Atlys debugging odroid
 noc0stream0     206.167.36.197/26    local stream mirror
 noc0stream1     206.167.36.198/26    stream master

VLAN and network allocations

 Name         Network            Gateway (ingress)  Egress IP           VLAN id
 dc_wired     10.17.0.0/17       10.17.0.1          206.167.44.200-210  901 (default)
 dc_wireless  10.17.128.0/127    10.17.128.1        206.167.44.200-210  902
 dc_video     10.18.0.0/24       10.18.0.1          206.167.44.99       903
 dc_public    206.167.36.192/26  206.167.36.193     same IP             904

More IP space can be allocated as needed, but do not use any of 10.20.0.0/16, 10.30.0.0/16 or 10.80.0.0/16, which are used internally by Maisonneuve.

Outgoing (NAT) IP addresses for the dc_wired and dc_wireless networks are pooled in the range 206.167.44.200-210.

Core switch port allocation

Ports are allocated to certain VLANs. They were grouped by columns to ease labeling and identification:

 VLAN 903  VLAN 902  VLAN 904  Misc.
 1         7         13        19: 902
 2         8         14        20: 902
 3         9         15        21: trunk
 4         10        16        22: trunk
 5         11        17        23: trunk
 6         12        18        24: trunk

Each cell in the table is a port, and unless otherwise noted, is in the VLAN identified by the column heading.

Bandwidth and capacity

The total available Internet bandwidth at Maisonneuve will be 450mbit.

Teachers and students will be absent from the venue in August, so a big chunk of that bandwidth should be available to the conference.

The building is wired; most ports should be gigabit. Physical ports are all numbered, which will make assigning them to specific VLANs easy.

We will also be provided with a block of public IP addresses, while most ports and wireless access will be NATed. A dedicated, password-protected SSID will be set up for the conference.

Setting up our own network services (DHCP, DNS, etc.) will be required. We'll use a Debian box for these things, but it will probably not act as a router; we'll rely on IT for that.

Cisco configuration tricks

We have Cisco switches. Proprietary hardware, we know, but that's what we have. This is the dumbest, simplest Cisco configuration primer ever.

First, you need to connect, either through the "console" port, which is a basic serial console (9600 baud etc.), or over SSH once that is configured (see below). Then enter configuration mode:

 conf t

Sample configs, for the core switches:

 interface range GigabitEthernet1/0/1-6
  switchport access vlan 901
  switchport mode access
  spanning-tree portfast
  end

Global configuration to make STP faster:

 no spanning-tree portfast bpdufilter default
 spanning-tree portfast bpdufilter default

The above enters configuration mode on the terminal, then sets up gigabit ports 1 through 6 (inclusive) to be in "access" (untagged) mode on VLAN id 901. For trunked ports:

 interface range GigabitEthernet1/0/21-24
  switchport trunk allowed vlan 901-904
  switchport mode trunk
  switchport nonegotiate
  end

We also disable Telnet and the HTTP/HTTPS servers:

 no ip telnet
 no ip http server
 no ip http secure-server

And configure SSH:

 hostname noc0sw0
 ip domain-name noc0sw0
 crypto key generate rsa modulus 2048
 ip ssh version 2
 ip ssh authentication-retries 5
 ip ssh logging events
 username root secret XXXXXXXXXX
 line vty 5 15
   login local
   transport input ssh
   end

Note that the `line vty 5 15` stanza above applies only to vty lines 5 through 15; lines 0 through 4 keep their defaults. Incoming sessions are assigned to the lowest free vty line, so use `line vty 0 15` if `login local` and `transport input ssh` should apply to all of them.

Also note that Cisco switches may only offer older SSH crypto (the 1024-bit diffie-hellman-group1-sha1 key exchange) that newer OpenSSH versions (e.g. in stretch) disable by default, so the connection fails. To work around it, enable that key exchange for the connection:

 ssh -o KexAlgorithms=diffie-hellman-group1-sha1 ...
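As an added example (not from the page), the same workaround can be scoped to the switches in `~/.ssh/config`, so the legacy key exchange is only offered to those hosts rather than on every `ssh` invocation. The host names are the page's; the wildcard pattern for the hacklab switches and the `root` user (from the `username root` line above) are assumptions of this example. The `+` prefix appends to, rather than replaces, the default algorithm list (supported by the OpenSSH in stretch).

```conf
# ~/.ssh/config fragment; added example, not the team's own configuration.
# Only the Cisco switches get the legacy key exchange; every other host
# keeps the OpenSSH defaults.
Host noc0sw0 noc0sw1 hacklabsw*
    User root
    KexAlgorithms +diffie-hellman-group1-sha1
```

After adding it, a plain `ssh noc0sw0` works without the `-o` option; `ssh -G noc0sw0` shows the effective settings for a host if you want to confirm the stanza matched.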

Tasks

  • NOC setup: done!
  • Hacklab setup: done!
  • Installfest room setup: done!
  • apt-cacher-ng proxy setup (antoine): done!
  • crazy 20*800GB SSD machine setup (jerome, antoine): done!
  • NOC, Hacklab teardown

Rooms

  • NOC (B-2206): done!
  • Hacklabs
    • Hamm (D-2632A): done
    • Slink (B-2660): done?
    • Interior garden: done!
  • BOF rooms: to do
    • Potato (E-2205) - done?
    • Woody (E-2212) - done?
  • Talk rooms: video setup to be done on Saturday
    • Buzz (Salle Sylvain-Lelièvre - main auditorium)
    • Rex ("Vivoir", the day camp room next to the NOC): done
    • Bo (B-5501DEF)

We get access to all rooms on Monday July 31, and that will be the day we set up most of the infrastructure.

Note that the reference list of all rooms is in DebConf17/Venue, this is merely a convenience copy to keep track of our presences and setup.

Known issues

  • core switch (noc0sw0) can't be pinged from wifi, because it's on the "network IP" (x.y.z.0). need to renumber --TheAnarcat (talk) 21:25, 3 August 2017 (UTC)

Resolved

  • there were sporadic reports of issues with the cafeteria AP during early debcamp. it is believed this may have been resolved, because last tests were positive. --TheAnarcat (talk) 19:24, 2 August 2017 (UTC)
  • wifi in cafeteria was broken with our APs - cmaisonneuve ESSIDs work, but debconf17 does not give DHCP: contacted upstream who fixed the switches' VLANs. TheAnarcat (talk) 01:36, 1 August 2017 (UTC)
  • alioth.debian.org seems to have blocked our network, #alioth channel notified on OFTC. --TheAnarcat (talk) 18:14, 1 August 2017 (UTC) - seems to have been resolved! -- TheAnarcat (talk) 13:23, 2 August 2017 (UTC)
  • wifi AP 24:a4:3c:04:52:0d may have authentication issues, in room E-3114, to be confirmed / verified --TheAnarcat (talk) 19:29, 2 August 2017 (UTC) / seems to have resolved itself --TheAnarcat (talk) 21:25, 3 August 2017 (UTC)
  • wifi in jardin is flaky when the place gets crowded. upstream will drop lines by tomorrow and we'll setup switches and a new AP. --TheAnarcat (talk) 19:23, 2 August 2017 (UTC) A new AP was put online and switches deployed this morning, network should be good now. --TheAnarcat (talk) 19:02, 4 August 2017 (UTC)
  • one of the cafeteria APs still has reliability issues. the APs with the BSSID C2:9F:DB:1B:87:DC (debconf17) and C6:9F:DB:1B:87:DC (cmaisonneuve) do not work very well: either they don't let you join at all or they let you in long enough to get DHCP and then kick you out. the workaround right now is to move away from the AP, which is located in the south-west of the cafeteria (near the entrance leading to the front desk). the hamm hacklab, nearby, has good wifi and switches that work excellently. issue was reported upstream and we'll look into it. -- TheAnarcat (talk) 19:51, 4 August 2017 (UTC) Wifi parameters were changed to lower power and some other settings, things are better now. --TheAnarcat (talk) 14:39, 5 August 2017 (UTC)
  • no wiring available in cafeteria for the installfest. we have access to the wooden cabinet, but the network drop there (d-3671) is on the wrong VLAN. --TheAnarcat (talk) 14:41, 5 August 2017 (UTC) Cafeteria wired for the installfest, whoohoo! Will be available to all attendees after today. Note that we seem restricted to VLAN 901, which is fine for now. --TheAnarcat (talk) 16:06, 5 August 2017 (UTC)

Volunteers

  • abdelq / abdel
  • anarcat / antoine
  • gfa
  • jathan
  • lavamind / jerome - works in the IT department
  • lhark / goulven
  • martin - also IP
  • olasd / Nicolas Dandrimont
  • pollo / louis-philippe - works for the student union
  • taggart - coming from seattle, can bring equipment/cabling/etc if it makes sense
  • taowa
  • tumbleweed / stefanor

Meetings

Hardware inventory

Provided by Maisonneuve IT

  • A dozen desktop lab computers (i7-3770 3.40GHz, 16GB RAM, 1TB hard disk)
  • ~6 Cisco 2960/2950 24-port 100mbit switches w/ gigabit uplink (possibly more, tbc)
  • 2 Cisco 2960X 24-port gigabit switches (those need to stay in the NOC)
  • ~10 tl-sg105 5 port unmanaged gig switches
  • Ethernet patch cables (various lengths)
  • Extra electrical panel (will be installed in Vivoir)
  • 1 Dell PowerEdge 2950 server (2U rackmount)

Power strips and consumables (e.g. tape) won't be provided.

Old wishlist

This was written before debconf and is no longer relevant but could be useful for next ones!

Todo: merge that stuff into Teams/Infrastructure and subpages.

  • Power
    • 10-12 power strips: mostly north american, but a few universal would be nice - mostly got that, although we need more power bars still
    • 4-6 power extensions of varying length, high amperage rated
    • high amperage power splitters (??)
    • lots of north american laptop power supply cords for common brands (get from computer recycle)
  • Network
    • 8-10 network switches: 24+ ports, gig uplink, all ports gig preferred (done: from Maisonneuve IT)
    • pre-fab cat6 jumpers (maybe enough for now?)
      • 4 50ft
      • 4 25ft
      • 20 10ft
      • 40 5ft
    • a spool of cat6, cable ends, crimper, tester
  • Video team needs
    • Per talk room (3 rooms in total):
      • 2 ports at the front of the room
      • 2 ports at the video desk (back of the room)
      • These should all be gigabit, with full gigabit bandwidth between each other, and aggregate gigabit connectivity to the NOC
      • Usually we use a single drop & switch in the room
    • NOC:
      • Storage server (>= 10TB), >= Gigabit uplink
      • Streaming: 2 (maybe more) PCs / VMs, lots of CPU, some RAM.
    • Video NOC:
      • gigabit drop + switch
  • Other
    • multiple rolls of gaffer's tape
    • zip ties
    • velcro straps