This section discusses the following main topics:
- Configuration Overview
- Configuration Considerations
- Example Configuration File
- YAML Configuration File Example
- Default Value of an Empty Dictionary
- Deciding to Leave the Proxy Parameter Empty
- Docker Log Driver Settings
- Network File System (NFS) Overview
- Redsocks Overview
- Networking Configuration Example Diagram
Nauta's configuration is specified by a YAML Configuration file. Nauta looks for this file at the location defined in the ENV_CONFIG environment variable (explained in the Installation Process, and in the example configuration file shown in the example configuration file below). This configuration file specifies network proxies, DNS server locations, and other Nauta related parameters listed below. For Inventory file information, refer to Inventory File Example for more information.
In the examples shown, Green indicates a parameter name, and Blue indicates an example parameter value.
Some configuration variables are of the dictionary type, and for these: {} indicates an empty dictionary. Likewise, some variables are of the list type, and for these: [] indicates an empty list.
Host names must conform to standard host naming rules and each element of the hostname must be from 1 to 63 characters long. The entire host name, including the dots must not exceed 253 characters long. Valid characters for host and domain names are ASCII(7) letters from a to z (lowercase), the digits from 0 to 9, and a hyphen. Furthermore, do not start a host and domain names with a hyphen.
All parameters present in the configuration file must have values. Setting the configuration file with no value causes errors, for example, proxy:.
This is an example file, containing dummy values for a few of the supported configuration values. For a complete list, refer to the section after the YAML file example below (YAML File Example). For YAML file information, refer to YAML Format Overview.
-
In the YAML file, the list of items is a sequence of elements starting in a new line with a dash at the beginning. For example, an empty list: []. In an abbreviated form, elements can also be enclosed in a single line.
-
In the YAML file, a dictionary is a sequence of pairs for the element's key: value. It can also be presented with each pair in a new line or abbreviated in a single line.
Below is an example YAML file that provides examples of proxy settings, DNS server settings, Kubernetes, and so on. For detailed instructions on how to complete this, see the example Inventory File Example and refer to the Configuration File Example and refer to the Installation Process.
# Proxy Settings
proxy:
http_proxy: http://<your proxy address and port>
ftp_proxy: http://<your proxy address and port>
https_proxy: http://<your proxy address and port>
no_proxy: <localhost, any other addresses>, 10.0.0.1,localhost,.nauta
# This is a list of DNS servers used for resolution: a maximum of three entries.
dns_servers:
- 8.8.8.8
- 8.8.4.4
# This is a domain used as part of a domain search list.
dns_search_domains:
- example.com
# This is place to define additional domain names for cluster to allow secure communication.
dns_names_for_certificate:
DNS.7: "mycluster1.domain.name"
DNS.8: "mycluster2.domain.name"
# This is the Internal domain name.
domain: nauta
# Internal subdomain for infrastructure.
nodes_domain: lab007
# This is the Internal Subdomain for Kubernetes resources.
k8s_domain: kubernetes
# This is the Network Range for Kubernetes pods.
kubernetes_pod_subnet: 10.3.0.0/16
# This is the Network Range for Kubernetes services.
kubernetes_svc_subnet: 10.4.0.0/16For empty dictionaries, there are two defaults:
-
If a parameter is not included in the configuration file, the default value is utilized.
-
If a parameter is present in the configuration file with a default value included, it appears as shown below.
proxy: {}
There may be reasons to leave the proxy parameter set with an empty dictionary. Should you decide to do this, it may be for the following reasons:
-
You do not need a proxy because you do not have one in your network.
-
You intentionally do not want to use a proxy to connect your cluster as an external network to keep it isolated from the Internet.
- Description: These are the Proxy settings for internal applications.
- Default value: {}
proxy:
http_proxy: http://<your proxy address and port>
ftp_proxy: http://<your proxy address and port>
https_proxy: http://<your proxy address and port>
no_proxy: <localhost, any other addresses>, 10.0.0.1,localhost,.nauta
HTTP_PROXY: http://:<your proxy address and port>
FTP_PROXY: http://<your proxy address and port>
HTTPS_PROXY: http://<your proxy address and port>
NO_PROXY: .<localhost, any other addresses>, 10.0.0.1,localhost,.nautaNote: Proxy addresses should be replaced by a specific value by a client.
- Description: This is a list of DNS servers used for resolution: a maximum of three entries.
- Default value: []
dns_servers:
- 8.8.8.8
- 8.8.4.4-
Description: This is a list of DNS names of the cluster. The values from this parameter use acceptable addresses when accessing a cluster in securely. Key values have to be in the format
DNS.XwhereXis a number greater than 6 (internally allocated symbolic addresses). -
Default value: []
- Description: This is a domain used as part of a domain search list.
- Default value: []
dns_search_domains:
- example.com- Description: This is the Internal domain name. This variable and nodes_domain (defined below) together form the full domain (
<nodes_domain>.<domain>) for Nauta's internal domain. For example, ifdomainis nauta andsub_domainis infra, the full domain isinfra.nauta. - Default value: nauta
domain: nauta- Description: This is the Internal subdomain for infrastructure. Full domain for an infrastructure is:
- Default value: infra
nodes_domain: lab007Note: These IP addresses should not conflict with Internal IP address ranges.
- Description: This is the Internal subdomain for Kubernetes resources. The full domain for infrastructure is:
<k8s_domain>.<domain> - Default value: kubernetes
k8s_domain: kubernetes-
Description: Password and username which will be set for authorized access to elasticsearch. Authorized access allows usage of HTTP methods other than GET. Changing these parameters is recommended.
-
Default value: {admin_username: esadmin, admin_password: esadmin}
elasticsearch:
admin_username: esadmin
admin_password: esadmin- Description: This is the Network Range for Kubernetes pods. Kubernetes, by default, allocates
/24pod CIDR block per node, so the size ofkubernetes_pod_subnetmust be big enough: e.g. for three node environment you will need at least/22CIDR subnet, as it allows to create 4/24blocks within it (see for reference: https://kb.wisc.edu/ns/page.php?id=3493). In case of doubt, use the default mask size of/16. - Default value: 10.3.0.0/16
kubernetes_pod_subnet: 10.3.0.0/16- Description: This is the Network Range for Kubernetes services. Mask size should be the same as in
kubernetes_pod_subnetparameter. - Default value: 10.4.0.0/16
kubernetes_svc_subnet: 10.4.0.0/16- Description: This is the maximum age in days for Kubernetes apiserver audit logs.
- Default value: 7
apiserver_audit_log_maxage: 7- Description: This is the maximum number of log files kept for Kubernetes apiserver audit.
- Default value: 10
apiserver_audit_log_maxbackup: 10- Description: The maximum audit log file size in MB.
- Default value: 1024
apiserver_audit_log_maxsize: 1024- Description: This is a list of insecure Docker registries added to configuration.
- Default value: []
insecure_registries:
- my.company.registry:9876Note: This refers to Docker registries only.
- Description: This is a list of enabled Yum plugins.
- Default value: []
enabled_plugins:
- presto- Description: This is a list of disabled Yum plugins.
- Default value: []
disabled_plugins:
- presto- Description: This defines if Yum should use system-enabled plugins.
- Default value: False
use_system_enabled_plugins: False- Description: This is a list of enabled repositories, and is used for external dependencies installation.
- Default value: []
enabled_repos:
- rhel- Description: This is a list of disabled repositories, and is used for external dependencies installation.
- Default value: []
disabled_repos:
- rhel- Description: This defines if the default system repositories should be enabled in external dependencies installation.
- Default value: True
use_system_enabled_repos: True- Description: Definition of the input NFS mounts for Samba. By default, internal NFS provisioner is used.
- Default value: {}
- Fields
- path: NFS path to mount
- server: NFS server
-
Description: Definition of the input NFS mounts for Samba. By default, internal NFS provisioner is used. By default, internal NFS provisioner is used.
-
Default value: {}
-
Fields
- path: NFS path to mount
- server: NFS server
- Note For NFS information, see below.
nauta_extra_configuration:
input_nfs:
path: "{{ nfs_base_path }}/input"
server: "{{ nfs_server }}"
output_nfs:
path: "{{ nfs_base_path }}/output"
server: "{{ nfs_server }}"This is the Docker log driver settings for controlling rotation of a containers' logs on bare metal environments. In case of cloud deployments, such as Google Cloud Platform, instead of changing this parameter, refer to your cloud provider instructions for log rotation configuration.
-
Refer to Docker Log Driver Settings for more information.
-
Default value:
docker_log_driver_settings:
max_size: 5g
max_file: 1- Fields
- max_size: Maximum size of log file
- max_file: Maximum count of present log files
The Network File System (NFS) allows a system to share directories and files with others over a network. The advantage of using NFS is that end-users, as well as programs can access files on remote systems in the same way as local files. In addition, NFS uses less disk space, as it can store data on a single machine while remaining accessible to others over a network.
Either NFS or Redsocks is installed and configured during the installation process. By default, Redsocks is not installed; however, NFS is installed by default.
features:
nfs: True
redsocks: True- NFS: default: True
- Redsocks: default: False
Redsocks is a tool that allows you to redirect network traffic through a socket. For example: SOCKS4, SOCKS5 or HTTPs proxy server. Redsocks operates through a proxy server, and as a result it is referred to as a transparent proxy redirector.
- Refer to How to transparently use a proxy with any application (Docker) using Iptables and Redsocks for more information.
Redsocks configuration is an optional part of the installer; however, if you choose this option then configure Redsocks appropriately in your environment/organization.
Redsocks is not enabled during the installation, as the default is set to False (shown in the example below). Therefore, if you want to install Redsocks, you must set the feature switch to True.
WARNING: After the installation if you decide you want to install Redsocks, you will need to redo the entire installation to include Redsocks, and set the feature switch to True. It cannot be changed to False in your configuration file after the initial install. Redsocks and NFS are independent of each other, so use judgment when initially setting these feature switches.
Additional features can be enabled using features in the configuration, as shown below.
features:
redsocks: Falsefeatures:
redsocks: True
features_config:
redsocks:
IP: 10.217.247.236
Port: 1080- Description: This is the IP address of Socks5 proxy.
Required: True- Description: This is the port address of Socks5 proxy.
Required: True- Description: Comma-separated list of interfaces from which traffic should be managed by RedSocks.
Required: False
Default: cni0The Figure below shows an example Nauta Networking Diagram. While you can build a cluster with 1 machine to run all the examples, it is suggested to utilize at least 4 worker nodes (as shown in the example). The worker nodes should run Red Hat Enterprise Linux 7.6. All interfaces (both external and internal) are Ethernet interfaces.
