Ansible Role for tinc VPN

When setting up Kubernetes clusters, it makes sense for the individual Kubernetes nodes to live in the same private network. If Kubernetes is set up on bare-metal machines from providers such as Hetzner, such a common network may not be available natively. This is where tinc comes in: it makes it very easy to set up a virtual network across all participating nodes. To keep the configuration of tinc parallel to that of Kubernetes (I use Kubespray for my Kubernetes setup), I developed an Ansible Role for tinc VPN and made it available on GitHub.

Features

  • Installing and setting up the tinc VPN service
  • In-place private key generation (private keys are never copied)
  • Support for additional nodes whose host machines are not covered by the playbook
  • Support for custom routes for the VPN interface
  • Support for joining existing bridge interfaces on the host machine
  • Custom scripting for up/down hook scripts

Setup

For setup instructions or a tutorial on how to use my Ansible Role for tinc VPN, please check the README. It always contains the up-to-date instructions for using this role and will be updated when new features are added.

High Availability Java Enterprise Operations

Java is still one of the most widely used programming languages. Especially in the enterprise environment, there is often no alternative to Java for the development of web applications. Accordingly, we had to set up an infrastructure for Java EE operations for one of our customers in which a Java application can run fault-tolerantly. The application uses a MySQL database as its data store.

The functionality of the application depends on the availability of the database, so it was necessary to run the database with appropriate replication and redundancy. For this purpose we use MariaDB with Galera as the replication layer, in a multi-master configuration.

The application servers run a current Tomcat version with the application deployed on it, behind an upstream HTTP load balancer (from Amazon AWS). The database access of the Java application, however, does not go directly to the DB servers but via an intermediate HAProxy instance. This allows us to detect database errors more quickly and to switch to intact nodes without the application itself having to know the status of the database.
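The following HAProxy configuration is an added example of the intermediate instance described above; it is not the customer's actual configuration. It assumes three Galera nodes reachable as 10.0.0.11 to 10.0.0.13, an HAProxy instance running on each application server, and a MySQL account named haproxy_check that exists only for the health check.

```conf
# Added example (not the original project's configuration): HAProxy as the
# local database entry point for the Tomcat application servers.
# Assumed names: db1/db2/db3 as Galera nodes, "haproxy_check" as check user.
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30m
    timeout server  30m

# The Java application connects to 127.0.0.1:3306 on its own host, so the
# JDBC URL never has to change when a database node fails.
listen galera_cluster
    bind 127.0.0.1:3306
    mode tcp
    # Layer-7 health check: HAProxy performs a real MySQL handshake as
    # "haproxy_check" and marks the node DOWN as soon as the server stops
    # answering correctly, not only when the TCP port closes.
    option mysql-check user haproxy_check
    # Check every 2 s; 2 failed checks take a node out, 3 good ones bring it back.
    default-server inter 2s fall 2 rise 3
    # Only one node receives traffic at a time; the others are hot standbys.
    # Writing to a single node avoids Galera certification conflicts that can
    # occur when the same rows are written on several masters concurrently.
    # If db1 fails, traffic moves to db2, then to db3.
    server db1 10.0.0.11:3306 check
    server db2 10.0.0.12:3306 check backup
    server db3 10.0.0.13:3306 check backup
```

The check account must exist on every node without a password (HAProxy only completes the handshake and then sends QUIT), so restrict it to the application servers' addresses, e.g. `CREATE USER 'haproxy_check'@'10.0.0.%';` with no grants. A successful handshake only proves that the mysqld process answers; it does not tell HAProxy whether the node is still a synced member of the Galera cluster. Production setups therefore often replace `mysql-check` with an HTTP check against a small script that inspects `wsrep_local_state` on the node.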

Benchmarking Results

With this architecture we achieve a throughput of more than 1,500 HTTP requests per second, against an average load of approx. 60 requests/s in normal operation.

GitLab Munin Plugins


Improved Monitoring Support for GitLab: GitLab Munin Plugins

GitLab has recently made a great name for itself in the world of project management software (read this article for a comparison of several source code management systems). Unfortunately, the possibilities for monitoring statistics are still relatively limited at present. For this reason I started a collection of small Python scripts which can be integrated into a Munin monitoring environment. The code is open source and can be viewed and downloaded on GitHub at https://github.com/MatthiasLohr/munin-plugins-gitlab. Contributions are highly welcome!

Android App Minis@Rom

For a large pilgrimage of altar servers (Ministranten) to Rome organised by the Catholic Church in Germany, I was asked to develop the app Minis@Rom.

The special feature here was that the app had to work entirely offline because of the very high roaming charges in Europe at the time. The aim was to avoid high mobile phone bills for the mostly young pilgrimage participants.

Therefore, large parts of the app consisted of editorially prepared static content such as the programme, general information, various tourist information, a small dictionary and a large collection of sightseeing tours. There were also small games and an audio guide for selected routes.

The app was implemented with Apache Cordova. During the implementation phase the editors were given a web-based tool for writing parts of the content in Markdown, which was then automatically integrated into the app during the build process. For budget reasons, this app was released exclusively on the Google Play Store. As the app was developed solely for the duration of the pilgrimage, it was removed from the Play Store at the end of the event.

802.1X

802.1X – Enterprise WiFi for the University of Trier

In addition to running water and electricity, one could argue that Internet access has also become a basic requirement of our society. (As in: “Do you want something to drink? Do you need the Internet?”)

Here too, the possibilities range from maximum simplicity (public WiFi: everyone can connect and access everything) to maximum complexity (the WiFi itself is open, but access is often only possible via a VPN client, in the worst case a proprietary one). The latter is, for reasons unknown to me, apparently the preferred option at a large number of universities. To be fair, the Cisco VPN that is used almost everywhere can be regarded as a de-facto standard rather than a proprietary solution. It is established, it works, and it is relatively secure compared to open WiFis or WebAuth solutions. The only question: what if the end device does not support the Cisco VPN? This is the case, for example, with small IoT devices and some smartphones, and not every user is experienced or interested enough to deal with the particularities of a VPN solution.

802.1X – a well-defined standard

For years now (I don’t know exactly since when, but the RFC document is dated September 2003) there has been a standard that offers quite comprehensive authentication options and is supported almost everywhere: 802.1X is its official name; it is often called Enterprise WiFi.

Restructuring the University Network

As part of the restructuring work in the network of the University of Trier, we decided to migrate from the VPN solution to 802.1X authentication. After some planning work and test setups, we settled on the following structure: Cisco access points, connected to a so-called concentrator that controls both access and the data traffic. The university’s central user directory is an Active Directory, so we had to connect the concentrator to the Active Directory. Since the concentrator did not offer a satisfactory direct integration with Active Directory, we decided to place a FreeRADIUS installation (consisting of 2 servers in HA mode) in between. (Free)RADIUS is fully supported by the concentrator appliance as a standard triple-A system (Authentication, Authorization and Accounting). The ntlm_auth tool provided with FreeRADIUS then offers a simple interface for authentication against the Active Directory.

We also implemented the connection to the Eduroam network during the conversion.
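The following FreeRADIUS module configuration is an added example of how the FreeRADIUS to Active Directory hand-off described above is commonly wired up; it is not the University of Trier's configuration. ntlm_auth itself is part of Samba (winbind), which FreeRADIUS calls as an external helper. The example assumes FreeRADIUS 3.x, a RADIUS host that has been joined to the AD domain EXAMPLE with net ads join, a running winbind, and ntlm_auth installed at /usr/bin/ntlm_auth; all of these names are assumptions.

```conf
# Added example (not the university's actual configuration):
# FreeRADIUS 3.x mods-available/mschap, wiring the PEAP/MS-CHAPv2 inner
# authentication to Active Directory through Samba's ntlm_auth helper.
# Assumptions: AD domain "EXAMPLE", domain-joined RADIUS host, winbind running.
mschap {
    # Return MPPE keys to the WLAN concentrator so that it can derive the
    # WPA2 session keys for the client; insist on encryption and 128-bit keys.
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    # Strip a leading "DOMAIN\" from the user name before the lookup.
    with_ntdomain_hack = yes

    # ntlm_auth validates the MS-CHAPv2 challenge/response against a domain
    # controller over the winbind channel. The user's NT hash stays on the
    # DC and no cleartext password ever reaches FreeRADIUS; only the
    # session key needed for MPPE (--request-nt-key) is returned.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Before enabling the module it is worth verifying the winbind side on its own, e.g. with `ntlm_auth --request-nt-key --domain=EXAMPLE --username=testuser --password=...` as root, and then again as the user FreeRADIUS runs under: that account must be a member of the group owning Samba's winbindd_privileged directory, otherwise the helper fails with a permission error even though the domain join is fine. The `--allow-mschapv2` switch is needed with recent Samba versions that disable MS-CHAPv2 by default; older releases do not know it and the option can be dropped there.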

phpDNSAdmin

phpDNSAdmin – Modular DNS Administration Tool

Those who work a lot with DNS know that BIND zone files are quite cumbersome to manage for larger zones. Since I work a lot with DNS servers both professionally and privately, I have been looking for ways to solve this problem. One result of this search was PowerDNS, a database-backed DNS server that also supports DNSSEC. At the same time, however, there was no reasonable UI tool that met my requirements. There are many alternatives to BIND (besides PowerDNS, e.g. MyDNS), but apparently you have to decide together with the DNS server which GUI features you want to have. Many user interfaces, for example, do not support all resource record types provided by the server. So I came up with the idea of starting a new web-based GUI project: phpDNSAdmin. The goal is to provide a frontend that offers all possible RR types and functions regardless of the DNS daemon used. New RR types, DNS daemons, authentication methods etc. can be easily added thanks to a module structure. The tool is written in PHP; ExtJS is used as the frontend framework.

You can find phpDNSAdmin at GitHub.

SwitchDB

The SwitchDB – a web based network management tool

My first project at the university, or rather the project for which I was originally hired, was the SwitchDB.

Requirements

The university’s network consists of over 200 switches with a total of over 6,000 Ethernet ports. Each of these ports must be configured according to location and usage. There are different departments, each of which should have different authorizations: e.g. the representative of the IT department should only be able to configure the switches located there, and only with the VLANs belonging to the IT department, not those of, say, mathematics. There were also roles that should only enable/disable ports without changing any other settings, and roles that should have global (or limited) read-only access. In short: the rights model was very extensive and complex, and at the start of the project no known solution had the necessary functions to map it appropriately.

The idea: Developing the SwitchDB

Therefore the development of the SwitchDB was decided: a web-based tool written in PHP for managing the entire university network. A MySQL database serves as data storage; the connection to the switches was implemented via SNMPv2.

How it works

Changes are transmitted directly to the switches via SNMP, so that success or possible errors in the configuration can be verified immediately. Extensive cronjobs scan the entire network at regular intervals so that the database reflects the current state of the network. Later, time-based changes (for scheduled events, for example) were implemented. The Neighbour Discovery Protocol also enabled newly connected switches to be detected and integrated automatically. A service for receiving SNMP traps even made it possible to react directly to events as they occur (e.g. “end device plugged in”, “switch rebooted”, etc.). The implemented rights management could control the valid values of each configurable property per role, as well as access rights accurate down to the individual port.

SMS Gateway with Siemens TC35i

To support the computer monitoring at the University of Trier, a Nagios system was set up which tests the function of important systems at regular intervals and notifies the administrators of problems if necessary. However, initially there was only email notification, so that a problem report was sometimes seen very late, which in exceptional cases may cause further problems. That’s why we wanted to implement a faster notification, in this case via an SMS gateway.