Yocto Installer
The compilation and installation of the Yocto version of SEAPATH are fully described in the GitHub repository seapath/yocto-bsp.
Building the Yocto-based SEAPATH requires significant resources because the entire Linux distribution is built from source code.
To build SEAPATH efficiently, we recommend not using a virtual machine. The Yocto build system parallelizes the build across CPU cores, so use a build machine with many cores.
See this discussion on the Yocto Project mailing list: https://lists.yoctoproject.org/g/yocto/topic/72047879#48815
Tips for building
About 250 GB of disk space is needed to build SEAPATH.
USB-attached storage may be too slow to be practical for a successful build.
Make sure the build directory is on an ext2/ext3/ext4 filesystem. NTFS will not work.
Do not delete only the /tmp/work directory by hand; delete the whole tmp directory instead.
Deleting tmp may take a very long time and might cause rm -rf to fail with an error. find . -delete works better, because it does not try to index all files before deleting them.
Debian Installer
To install the cluster, you need to generate an ISO based on Debian 11 for each host with this repository.
...
See the section below for more details on the configuration file.
Configuration
In the configuration file, you must define these variables:
FAI_ALLOW_UNSIGNED: Boolean to allow installation of packages from unsigned repositories (0 => true)
UTC: Boolean to set the system clock to UTC (possible values: yes or no)
TIMEZONE: Time zone to choose
KEYMAP: Keyboard layout to choose
ROOTPW: Crypted password for root
STOP_ON_ERROR: TODO
MAXPACKAGES: TODO
username: ID of the user account to be created
USERPW: Crypted password for the user account to be created
usernameansible: ID of the ansible account to be created
myrootkey: TODO
myuserkey: TODO
ansiblekey: TODO
apt_cdn: TODO
REMOTENIC: Network interface to be set
REMOTEADDR: IP address, with its mask, to be set on REMOTENIC
REMOTEGW: IP address of the gateway to be set on REMOTENIC
Note, however, that all hosts will end up with the same IP address.
Disks
The disk is laid out as follows:
- (If the installation is in UEFI mode) EFI partition mounted on /boot/efi with a VFAT filesystem (512 MB).
- Boot partition mounted on /boot with an ext4 filesystem (500 B).
- Main partition with LVM configuration (30 GB). This partition is divided into 3 parts:
  - Root partition mounted on / with an ext4 filesystem (7 GB).
  - Log partition mounted on /var/log with an ext4 filesystem (1 GB).
  - Swap partition (500 B).
This can be changed in the build_debian_iso/srv_fai_config/disk_config/ directory. There are always 2 versions of each layout: one for Legacy BIOS and another for UEFI mode, with the suffix "_EFI".
Prerequisite
Once the host is installed, the ansible/playbooks/cluster_setup_prerequisdebian.yaml playbook must be run to finish the installation.
The inventory must define these variables to run the playbook:
admin_user: Default user with admin privileges
admin_passwd: Password hash (optional)
admin_ssh_keys: (optional)
apply_network_config: Boolean to apply the network configuration
admin_ip_addr: IP address for SNMP
cpumachinesnort: Range of allowed CPUs for non-RT machines
cpumachines: Range of allowed CPUs for machines (RT and non-RT)
cpumachinesrt: Range of allowed CPUs for RT machines
cpuovs: Range of allowed CPUs for OpenVSwitch
cpusystem: Range of allowed CPUs for the system
cpuuser: Range of allowed CPUs for the user
irqmask: Sets the IRQBALANCE_BANNED_CPUS environment variable, see the irqbalance manual
livemigration_user:
logstash_server_ip: IP address for the logstash-seapath alias in /etc/hosts
main_disk: Main disk device whose temperature is monitored
workqueuemask: The negation of irqmask (= ~irqmask)
In this part, the playbook defines the scheduling and prioritization (see the section).
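The relationship between irqmask and workqueuemask can be checked before the inventory is written. The helper below is an added example, not part of the SEAPATH playbooks: it parses kernel-style CPU range strings like those used for the cpu* variables, builds the hex mask in the format of the kernel's sysfs cpumask files (32-bit groups, most significant first, comma separated), and derives workqueuemask as the complement of irqmask restricted to the CPUs that exist. The host CPU count (nr_cpus) and the choice of which CPUs are banned from IRQs are assumptions of the example.

```python
def parse_cpu_ranges(spec):
    """Parse a CPU list such as "0-1,4,6-7" into a set of CPU ids."""
    cpus = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError("inverted range: %s" % part)
            cpus.update(range(lo, hi + 1))
        else:
            cpus.add(int(part))
    return cpus

def cpus_to_mask(cpus, nr_cpus):
    """Bit N set for every CPU N; CPUs that do not exist on the host are rejected."""
    bad = sorted(c for c in cpus if c < 0 or c >= nr_cpus)
    if bad:
        raise ValueError("CPU ids outside 0..%d: %s" % (nr_cpus - 1, bad))
    mask = 0
    for c in cpus:
        mask |= 1 << c
    return mask

def mask_to_hex(mask, nr_cpus):
    """Format like the kernel cpumask files: 32-bit hex groups, most significant
    first, comma separated, top group trimmed to the bits that exist."""
    words = (nr_cpus + 31) // 32
    top_bits = nr_cpus - 32 * (words - 1)
    groups = []
    for i in reversed(range(words)):
        width = (top_bits + 3) // 4 if i == words - 1 else 8
        groups.append("%0*x" % (width, (mask >> (32 * i)) & 0xFFFFFFFF))
    return ",".join(groups)

def derive_masks(cpusystem, banned, nr_cpus):
    """Return (irqmask, workqueuemask) as hex strings. 'banned' lists the CPUs
    IRQs must stay off (assumed: the machine CPUs); it must not overlap cpusystem."""
    sys_cpus = parse_cpu_ranges(cpusystem)
    banned_cpus = parse_cpu_ranges(banned)
    overlap = sys_cpus & banned_cpus
    if overlap:
        raise ValueError("cpusystem and banned CPUs overlap: %s" % sorted(overlap))
    irq = cpus_to_mask(banned_cpus, nr_cpus)
    wq = ((1 << nr_cpus) - 1) & ~irq  # workqueuemask = ~irqmask, limited to real CPUs
    return mask_to_hex(irq, nr_cpus), mask_to_hex(wq, nr_cpus)
```

On an 8-CPU host with cpusystem "0-1" and CPUs 2-7 reserved for machines, derive_masks("0-1", "2-7", 8) returns ("fc", "03").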
Playbook's tasks
Hardening
The ansible/playbooks/cluster_setup_hardening_debian.yaml playbook enables system hardening and the ansible/playbooks/cluster_setup_unhardening_debian.yaml playbook disables it.
The hardened elements are:
- the kernel, through the command-line parameters (see the section below), sysfs and modules;
- GRUB;
- the systemd services;
- added bash profiles;
- the SSH server;
- added sudo rules;
- the shadow password suite configuration;
- the secure tty;
- the audit daemon.
Kernel
The project uses a real-time kernel, the Linux kernel with the PREEMPT_RT patch. It therefore needs some parameters such as:
...
)
...
In the hardened system, the kernel has these parameters:
...
.
...
More details on the kernel parameters here.
Virtual cluster
On the host, you must set these sysctl settings:

    net.bridge.bridge-nf-call-arptables = 0
    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0

You must define 3 network interfaces on each host of your cluster.
...