Why?

We host a file repository, mainly for Nvidia GRID drivers and for kernels used to PXE-boot Ubuntu 22.04. It is also used to host miscellaneous software that is no longer available in any public repository. The server is a "halvadministrert" (semi-managed), Ansible-configured VM delivered by NTNU IT. The repository is implemented with the Apache web server.

What?

Hostname: repo01.it.ntnu.no
Aliases: repo.it.ntnu.no, rpm.iik.ntnu.no
IPv4: 129.241.14.11
IPv6: 2001:700:300:7::111
OS: Ubuntu Server 22.04 LTS

Who?

The following BAS-groups are used to grant access

SSH-login: halvadm_openstackadmin
sudo: halvadm_openstackadmin

How?

Most of this is configured according to NTNU IT's documentation for "Halvadministrerte Linux-servere".

Firewall

Create the following files, to allow web traffic from NTNU networks. When created, run /local/admin/bin/install-firewall.sh to apply the rules.

/etc/local/firewall.d/ipv4-web.conf
# Allow all of NTNU
-I INPUT -p tcp -m tcp --dport 80 -j permit_ntnu
-I INPUT -p tcp -m tcp --dport 443 -j permit_ntnu
/etc/local/firewall.d/ipv6-web.conf
# Allow all of NTNU
-I INPUT -p tcp -m tcp --dport 80 -j permit_ntnu
-I INPUT -p tcp -m tcp --dport 443 -j permit_ntnu

Install packages

Packages are installed with pkgsync, which is handled by Ansible. Configure the following, and run /local/admin/bin/do_pkgsync.sh to apply.

/etc/pkgsync/required-packages-webserver
apache2

Configuring apache

Create vhosts for both HTTP and HTTPS. Make sure that /srv/repo.it.ntnu.no exists.

/etc/apache2/sites-available/repo.it.ntnu.no-http.conf
<VirtualHost *:80>
	ServerName repo.it.ntnu.no
	ServerAlias repo01.it.ntnu.no
	ServerAlias rpm.iik.ntnu.no 

	ServerAdmin eigil.obrestad@ntnu.no
	DocumentRoot /srv/repo.it.ntnu.no

	<Directory /srv/repo.it.ntnu.no/>
        	Options -Indexes +FollowSymLinks
        	AllowOverride None
        	Require all granted
	</Directory>
	
	ErrorLog "/var/log/apache2/repo.it.ntnu.no http_error.log"
	CustomLog "/var/log/apache2/repo.it.ntnu.no http_access.log" combined
	ServerSignature Off

	RewriteEngine On
	
	# Make sure skylow-clients are served nvidia-config belonging to skylow
	RewriteCond expr "-R '10.212.128.0/22'" [OR]
	RewriteCond expr "-R '128.39.45.0/26'" [OR]
	RewriteCond expr "-R '2001:700:1d00:ec00::/56'"
	RewriteRule "^/nvidia/(.*)" "/nvidia-skylow/$1" [PT]
	
	# Make sure skyhigh-clients are served nvidia-config belonging to skyhigh
	RewriteCond expr "-R '10.212.132.0/22'" [OR]
	RewriteCond expr "-R '10.212.136.0/22'" [OR]
	RewriteCond expr "-R '10.212.160.0/21'" [OR]
	RewriteCond expr "-R '10.212.168.0/21'" [OR]
	RewriteCond expr "-R '128.39.143.128/25'" [OR]
	RewriteCond expr "-R '128.39.45.64/26'" [OR]
	RewriteCond expr "-R '129.241.150.0/24'" [OR]
	RewriteCond expr "-R '2001:700:1d00:e800::/54'"
	RewriteRule "^/nvidia/(.*)" "/nvidia-skyhigh/$1" [PT]

	# Make sure stackit-clients are served nvidia-config belonging to stackit
	RewriteCond expr "-R '10.212.0.0/22'" [OR]
	RewriteCond expr "-R '10.212.24.0/22'" [OR]
	RewriteCond expr "-R '129.241.152.0/23'" [OR]
	RewriteCond expr "-R '2001:700:300:6000::/56'"
	RewriteRule "^/nvidia/(.*)" "/nvidia-stackit/$1" [PT]
</VirtualHost>
/etc/apache2/sites-available/repo.it.ntnu.no-https.conf
<VirtualHost *:443>
	ServerName repo.it.ntnu.no
	ServerAlias repo01.it.ntnu.no
	ServerAlias rpm.iik.ntnu.no 

	ServerAdmin eigil.obrestad@ntnu.no
	DocumentRoot /srv/repo.it.ntnu.no

	<Directory /srv/repo.it.ntnu.no/>
        	Options -Indexes +FollowSymLinks
        	AllowOverride None
        	Require all granted
	</Directory>
	
	ErrorLog "/var/log/apache2/repo.it.ntnu.no http_error.log"
	CustomLog "/var/log/apache2/repo.it.ntnu.no http_access.log" combined
	ServerSignature Off

	RewriteEngine On
	
	# Make sure skylow-clients are served nvidia-config belonging to skylow
	RewriteCond expr "-R '10.212.128.0/22'" [OR]
	RewriteCond expr "-R '128.39.45.0/26'" [OR]
	RewriteCond expr "-R '2001:700:1d00:ec00::/56'"
	RewriteRule "^/nvidia/(.*)" "/nvidia-skylow/$1" [PT]
	
	# Make sure skyhigh-clients are served nvidia-config belonging to skyhigh
	RewriteCond expr "-R '10.212.132.0/22'" [OR]
	RewriteCond expr "-R '10.212.136.0/22'" [OR]
	RewriteCond expr "-R '10.212.160.0/21'" [OR]
	RewriteCond expr "-R '10.212.168.0/21'" [OR]
	RewriteCond expr "-R '128.39.143.128/25'" [OR]
	RewriteCond expr "-R '128.39.45.64/26'" [OR]
	RewriteCond expr "-R '129.241.150.0/24'" [OR]
	RewriteCond expr "-R '2001:700:1d00:e800::/54'"
	RewriteRule "^/nvidia/(.*)" "/nvidia-skyhigh/$1" [PT]

	# Make sure stackit-clients are served nvidia-config belonging to stackit
	RewriteCond expr "-R '10.212.0.0/22'" [OR]
	RewriteCond expr "-R '10.212.24.0/22'" [OR]
	RewriteCond expr "-R '129.241.152.0/23'" [OR]
	RewriteCond expr "-R '2001:700:300:6000::/56'"
	RewriteRule "^/nvidia/(.*)" "/nvidia-stackit/$1" [PT]
	
	SSLEngine on
	SSLCertificateFile      "/root/repo.it.ntnu.no.crt"
	SSLCertificateKeyFile   "/root/repo.it.ntnu.no.key"
</VirtualHost>

There is a bit of rewrite trickery going on here, to ensure that the different platforms requesting Nvidia GRID drivers get the correct drivers and configuration, depending on the network the traffic originates from.

TLS

TLS certificates are handled by NTNU IT's Ansible role "autocert".
