Basic Networking
Note
Step-by-step instructions for getting started with Chameleon are available in the Getting Started section of this documentation. These instructions include using basic networking functionality.
Multiple Networks
Some Chameleon bare metal nodes support connecting to multiple networks. The number of networks allowed is limited to the number of enabled NICs on the node (currently up to 2). You can find such nodes via Resource Discovery by filtering on the “Enabled” flag for a given Network Adapter slot. Note that the slots are 0-indexed, meaning the first NIC is referred to as Network Adapter #0.
When launching a node that supports multiple networks, simply assign multiple networks to the instance when you are launching it. The networks will be mounted on NICs in the same order that the networks are assigned; that is, the first assigned network will be mounted on Network Adapter #0, and the second on Network Adapter #1, and so on.
Floating IP Addresses
Instances on Chameleon are assigned a fixed IP address that can be used for local connectivity as well as NAT access to the public Internet. A publicly accessible IPv4 address (Floating IP address) is required in order to access Chameleon instances from the Internet or host public services. CHI@TACC and CHI@UC each have a limited number of public IP addresses that can be allocated to your instances.
The Getting Started guide shows how to allocate a Floating IP address to your nodes.
Important
The Chameleon floating IP address pool is a shared and finite resource. Please be responsible and release any unused floating IP addresses, so other Chameleon users and projects can use them!
Security
When your instance has a Floating IP address assigned, it is reachable directly over the public Internet. For this reason, it is important to consider the security of any services running on your instance. In particular, ensure that you have not allowed SSH authentication with passwords (this is disabled by default on Chameleon-supported images).
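One way to check the SSH password setting mentioned above, as an added example that is not part of the Chameleon documentation: a small audit of sshd_config text that follows sshd's first-value-wins rule and its Include and Match directives. The function names `audit` and `findings`, the path-to-text `files` mapping, and the sample configuration are assumptions constructed for this example.

```python
import fnmatch

# Keywords that can allow a password prompt, with OpenSSH's built-in defaults.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def audit(files, path="/etc/ssh/sshd_config", state=None, in_match=False):
    """Collect password-related settings; files maps path -> config text.
    sshd keeps the FIRST value it reads for a keyword, so order matters."""
    state = state if state is not None else {"global": {}, "match": []}
    for n, raw in enumerate(files[path].splitlines(), 1):
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if not parts:
            continue
        key, args = ALIASES.get(parts[0].lower(), parts[0].lower()), parts[1:]
        if key == "include":  # included files are read at this point, in sorted order
            for pattern in args:
                for inc in sorted(fnmatch.filter(files, pattern)):
                    audit(files, inc, state, in_match)
        elif key == "match":
            in_match = True  # simplification: block lasts to the end of this file
        elif key in DEFAULTS and args:
            where = f"{path}:{n}"
            if not in_match:
                state["global"].setdefault(key, (args[0].lower(), where))
            elif args[0].lower() == "yes":
                state["match"].append((key, where))
    return state

def findings(files):
    """Return a list of settings that leave password-style logins enabled."""
    state = audit(files)
    out = []
    for key, default in DEFAULTS.items():
        value, where = state["global"].get(key, (default, "built-in default"))
        if value == "yes":
            out.append(f"{key} yes ({where})")
    return out + [f"{key} yes inside Match block ({w})" for key, w in state["match"]]

# Constructed sample: a drop-in that is included first overrides the later "no".
SAMPLE = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\n"
                            "PasswordAuthentication no\n"
                            "KbdInteractiveAuthentication no\n",
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

if __name__ == "__main__":
    print(findings(SAMPLE))
```

On a running instance, `sshd -T` run as root prints the effective global settings and is the authoritative check.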
There are additional network security mechanisms on the testbed that you should be aware of.
Firewall
A configurable Firewall is available on CHI@TACC and CHI@UC. This is built on the OpenStack Neutron Firewall-as-a-Service (FWaaS) system. By default, any instances connected to the sharednet1 or sharedwan1 shared networks automatically have a firewall configured with the following rules:
| Source | Destination port | Protocol |
|---|---|---|
| | 22 | TCP |
| | 80 | TCP |
| | 443 | TCP |
| | n/a | ICMP |
| 10.0.0.0/8 | | TCP/UDP |
| 172.16.0.0/12 | | TCP/UDP |
| 192.168.0.0/16 | | TCP/UDP |
| fe80::/10 | | ICMP/UDP |
Note
If you think there is a case for allowing additional services/ports on this default firewall, please open a Help Desk ticket to let us know.