The Learn-smarter-Online Reference Architecture or LORA for short is a study on a IT architecture for a small internet based company that wants to have a place to run their Linux based web applications.
To start off it will be build entirely from base components as found on the CentOS 7.1 Everything DVD, complemented by de EPEL for EL7.
LORA will contain 5 subnets and 9 vm’s. For the purpose of this exercise LORA will be build inside VMWare Workstation 11 but any virtualization platform with 16 GB RAM and 150GB storage will work.
A later serie will cover OpenStack and how you can build LORA on your own private cloud.
Things we will cover:
– Setting up LORA on VMware Workstation
– IP broadcast ranges and basic network security
– safe routing in a multi-subnet network
– design and build a ‘golden’ server
– design and build a typical webserver (based on the golden server)
– design and build a typical database server (based on the golden server)
– design and build a typical Software Defined Storage server with Gluster
– design and build a typical NFS server with iSCSI
– design and build a utility server that contains:
- a PXEboot server
- Kickstart scripts
- Certificate services
- Time services
- IdM services (centralized user and group management)
- a puppet master
– configure SSH to work with SSH-keys alone
– setting up an kerberized NFS4 client
– configure host-based and network firewalls
In this scenario we will be hosting a number of webapplications. Our users connect to us via the WWW and we are not using something like VPN. Traffic will enter LORA via an access firewall (lora-access-fw). Only HTTP and HTTPS traffic will be pass thru to the HAProxy loadbalancer (lora-haproxy01). The load balancer will decide where so send the traffic next, depending or requested URL.
For security reasons the subnets will be watched over by firewalls and no traffic other then absolute needed will be allowed in and out of a specific subnet. It will, for example not be possible for traffic that has it origin on the internet to access the database subnet or the utility subnet. There is no reason for this, so it will be denied.
Identity Management services or IdM
For IdM services we will install IPA. IPA can be found on the CentOS7.1 Everything DVD. This will give us an LDAP/Kerberos service with CA and DNS capabilities. We can store our users and groups inhere and manage SUDO from this centralized tool.
Deployment of LORA will start with a functioning utility server that features all the main network services like DNS, DHCP, time services, PXEboot and kickstart, the IdM functions and offcourse the puppet master. After a vm is been provisioned, it will be PXEbooted into our kickstart where it receives its golden server installation. From there puppet takes over to build the server into its new role in LORA.
When we have the basics down, optimization starts by implementing Katello/Foreman to streamline puppet, software channels and repo management and hosts management.
After that we will replace the two firewalls that are based on CentOS7 with firewalld with pfsense firewalls.
Having only 1 database server could have Business Continuity issues so, building a High Availability database cluster will be the next thing on our list.
and next? ……. its up to you, let me know in the comment box below what you would like to have covered.