Friday, October 27, 2023

OCI Redis Cache Endpoints

OCI provisions private DNS endpoints for your Redis Cluster as follows.

- 1 Primary Endpoint, always pointing to the primary node. If the primary node fails, the primary endpoint automatically fails over to the new primary.

- 1 Replica Endpoint, pointing to one of the read replicas. If you have more than one read replica, the replica endpoint resolves to one of them at random.

- Node Endpoints, one for each Redis node. These never change.

Example:

Primary Endpoint: amaaaaaa2ne4d2g6eiu32jva-p.redis.eu-frankfurt-1.oci.oraclecloud.com

Replica Endpoint: amaaaaaa2ne4d2g6eiu32jva-r.redis.eu-frankfurt-1.oci.oraclecloud.com

Node Endpoints:

amaaaaaa2ne4d2g6eiu32jva-0.redis.eu-frankfurt-1.oci.oraclecloud.com
amaaaaaa2ne4d2g6eiu32jva-1.redis.eu-frankfurt-1.oci.oraclecloud.com
amaaaaaa2ne4d2g6eiu32jva-2.redis.eu-frankfurt-1.oci.oraclecloud.com

The cluster hash prefix carries a '-p' suffix for the primary endpoint, '-r' for the replica endpoint and '-n' (the node number: 0,1,2,3,4,5) for the node endpoints, so you can tell the endpoints apart at a glance.

 

NOTE:

These endpoints are all private DNS names and hence not resolvable outside the VCN.

 

[root@jay ~]# dig amaaaaaa2ne4d2g6eiu32jva-p.redis.eu-frankfurt-1.oci.oraclecloud.com +noall +answer
amaaaaaa2ne4d2g6eiu32jva-p.redis.eu-frankfurt-1.oci.oraclecloud.com. 500 IN A 10.0.1.5
[root@jay ~]#
[root@jay ~]# dig amaaaaaa2ne4d2g6eiu32jva-r.redis.eu-frankfurt-1.oci.oraclecloud.com +noall +answer
amaaaaaa2ne4d2g6eiu32jva-r.redis.eu-frankfurt-1.oci.oraclecloud.com. 350 IN A 10.0.1.223
[root@jay ~]#
[root@jay ~]# dig amaaaaaa2ne4d2g6eiu32jva-0.redis.eu-frankfurt-1.oci.oraclecloud.com +noall +answer
amaaaaaa2ne4d2g6eiu32jva-0.redis.eu-frankfurt-1.oci.oraclecloud.com. 500 IN A 10.0.1.230
[root@jay ~]#
[root@jay ~]# dig amaaaaaa2ne4d2g6eiu32jva-1.redis.eu-frankfurt-1.oci.oraclecloud.com +noall +answer
amaaaaaa2ne4d2g6eiu32jva-1.redis.eu-frankfurt-1.oci.oraclecloud.com. 500 IN A 10.0.1.118
[root@jay ~]#

 

How to launch OCI Redis Cache Cluster on OCI

OCI Redis Cache is GA as of now. You can launch Redis Cache clusters using Console, CLI, SDK, Terraform and so on.

 

Using Console:

Launching a Redis cluster from the OCI Console is even easier.

Go to Databases --> Redis --> Clusters --> Create cluster, select the required options and launch.

 

Let’s see how to launch a Redis Cluster on OCI using CLI.

Sample Command:

# oci redis redis-cluster create -c ocid1.compartment.oc1..aaaaaaaaognnxXXXxxeiexes6cq --display-name redis_1 --node-count 2 --node-memory-in-gbs 4 --software-version V7_0_5 --subnet-id ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaader2hzdzsfesxoXXXXj6zq47t3dzpoq

 

Reference:

-c - Compartment in which to launch your Redis cluster.

--display-name - Name of your cluster.

--node-count - Number of nodes (min 1, max 5): 1 primary, the rest read replicas.

--node-memory-in-gbs - Memory per node (min 1 GB, max 500 GB).

--software-version - Redis server version.

--subnet-id - OCID of the (private) subnet.

 

jay@serv ~ % oci redis redis-cluster create -c ocid1.compartment.oc1..aaaaaaaaognnx6wnl3gmXXXXXeiexes6cq --display-name redis_1 --node-count 2 --node-memory-in-gbs 4 --software-version V7_0_5 --subnet-id ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaader2hzdzsfesxoXXXXXigfj6zq47t3dzpoq
{
  "data": {
    "compartment-id": "ocid1.compartment.oc1..aaaaaaaaognnx6wnl3gmXXXXXeiexes6cq",
    "defined-tags": {
      "WhoCreated": {
        "Creator": "idcs/jay@abc.com"
      }
    },
    "display-name": "redis_1",
    "freeform-tags": {},
    "id": "ocid1.rediscluster.oc1.eu-frankfurt-1.amaaaaaa2ne4dXXXXzjysjlvetazd2g6eiu32jva",
    "lifecycle-details": null,
    "lifecycle-state": "CREATING",
    "node-collection": null,
    "node-count": 2,
    "node-memory-in-gbs": 4.0,
    "primary-endpoint-ip-address": null,
    "primary-fqdn": null,
    "replicas-endpoint-ip-address": null,
    "replicas-fqdn": null,
    "software-version": "V7_0_5",
    "subnet-id": "ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaader2hzdzsfesxoXXXXXigfj6zq47t3dzpoq",
    "system-tags": {},
    "time-created": "2023-10-27T13:36:05.893000+00:00",
    "time-updated": "2023-10-27T13:36:05.893000+00:00"
  },
  "etag": "4ccaeb142382b6cbc382c37XXXX26ee8bd4ecad8f000aea0d",
  "opc-work-request-id": "ocid1.redisworkrequest.oc1.eu-frankfurt-1.amaaaaaawwq2pqaaXXXXXwhhf7md73tdwxgbchva"
}

 

NOTE:

As of today (27/Oct/2023):

- OCI Cache on Redis supports only a single-master Redis cluster with 1 primary and up to 4 read replicas. A sharded multi-master Redis cluster is not yet supported, although it is on the roadmap.

- The supported Redis version is 7.0.5. Future releases can be expected to be supported when available.

 

You can get the details of the Redis cluster with the following CLI command:

# oci redis redis-cluster get --redis-cluster-id ocid1.rediscluster.oc1.eu-frankfurt-1.amaaaaaa2ne4d2XXXXazd2g6eiu32jv

jay@serv ~ % oci redis redis-cluster get --redis-cluster-id ocid1.rediscluster.oc1.eu-frankfurt-1.amaaaaaa2ne4d2XXXXazd2g6eiu32jva
{
  "data": {
    "compartment-id": "ocid1.compartment.oc1..aaaaaaaaognnxXXXxxeiexes6cq",
    "defined-tags": {
      "WhoCreated": {
        "Creator": "idcs/jay@abc.com"
      }
    },
    "display-name": "redis_1",
    "freeform-tags": {},
    "id": "ocid1.rediscluster.oc1.eu-frankfurt-1.amaaaaaa2ne4d2XXXXazd2g6eiu32jva",
    "lifecycle-details": null,
    "lifecycle-state": "ACTIVE",
    "node-collection": {
      "items": [
        {
          "display-name": "redis_1-0",
          "private-endpoint-fqdn": "amaaaaxxxxjlvetazd2g6eiu32jva-0.redis.eu-frankfurt-1.oci.oraclecloud.com",
          "private-endpoint-ip-address": "10.0.1.230"
        },
        {
          "display-name": "redis_1-1",
          "private-endpoint-fqdn": "amaaaaxxxxjlvetazd2g6eiu32jva-1.redis.eu-frankfurt-1.oci.oraclecloud.com",
          "private-endpoint-ip-address": "10.0.1.118"
        }
      ]
    },
    "node-count": 2,
    "node-memory-in-gbs": 4.0,
    "primary-endpoint-ip-address": "10.0.1.5",
    "primary-fqdn": "amaaaaxxxxjlvetazd2g6eiu32jva-p.redis.eu-frankfurt-1.oci.oraclecloud.com",
    "replicas-endpoint-ip-address": "10.0.1.223",
    "replicas-fqdn": "amaaaaxxxxjlvetazd2g6eiu32jva-r.redis.eu-frankfurt-1.oci.oraclecloud.com",
    "software-version": "V7_0_5",
    "subnet-id": "ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaader2hzdzsfesxoXXXXj6zq47t3dzpoq",
    "system-tags": {},
    "time-created": "2023-10-27T13:36:05.893000+00:00",
    "time-updated": "2023-10-27T13:42:49.798000+00:00"
  },
  "etag": "fb33f38b97b353c81805e7ssXXXc0d936eb2f7d11b404d8bb15239e31b77--gzip"
}
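As an added example (not part of the original post), here is a Python helper that applies the '-p' / '-r' / '-n' naming rule explained earlier to the JSON returned by `oci redis redis-cluster get`: it classifies each FQDN and checks that the endpoints are consistent (cluster ACTIVE, one cluster hash and region, node endpoints matching node-count) before an application is handed them. The sample JSON is a constructed, trimmed copy of the output above, with the same masked values.

```python
import json
import re

# Endpoint naming described above: <cluster hash>-<suffix>.redis.<region>.oci.oraclecloud.com,
# where <suffix> is "p" (primary), "r" (replica) or the node index.
ENDPOINT_RE = re.compile(
    r"^(?P<prefix>[a-z0-9]+)-(?P<suffix>p|r|\d+)\.redis\."
    r"(?P<region>[a-z0-9-]+)\.oci\.oraclecloud\.com$"
)

# Constructed sample, trimmed from the `get` output above (masked values as on the page).
SAMPLE = json.dumps({"data": {
    "lifecycle-state": "ACTIVE", "node-count": 2,
    "primary-fqdn": "amaaaaxxxxjlvetazd2g6eiu32jva-p.redis.eu-frankfurt-1.oci.oraclecloud.com",
    "replicas-fqdn": "amaaaaxxxxjlvetazd2g6eiu32jva-r.redis.eu-frankfurt-1.oci.oraclecloud.com",
    "node-collection": {"items": [
        {"private-endpoint-fqdn": "amaaaaxxxxjlvetazd2g6eiu32jva-0.redis.eu-frankfurt-1.oci.oraclecloud.com"},
        {"private-endpoint-fqdn": "amaaaaxxxxjlvetazd2g6eiu32jva-1.redis.eu-frankfurt-1.oci.oraclecloud.com"},
    ]},
}})

def classify_endpoint(fqdn):
    """Return (cluster prefix, role, region); role is 'primary', 'replica' or 'node-N'.
    A trailing dot, as printed by dig, is tolerated."""
    m = ENDPOINT_RE.match(fqdn.rstrip("."))
    if not m:
        raise ValueError(f"not an OCI Redis endpoint: {fqdn}")
    s = m["suffix"]
    role = "primary" if s == "p" else "replica" if s == "r" else f"node-{int(s)}"
    return m["prefix"], role, m["region"]

def endpoint_map(cluster_json):
    """Build {role: fqdn} from `oci redis redis-cluster get` JSON and sanity-check it:
    cluster ACTIVE, one prefix and region throughout, node endpoints exactly 0..node-count-1."""
    data = json.loads(cluster_json)["data"]
    if data["lifecycle-state"] != "ACTIVE":
        raise RuntimeError(f"cluster not ready: {data['lifecycle-state']}")
    fqdns = [data["primary-fqdn"], data["replicas-fqdn"]]
    fqdns += [n["private-endpoint-fqdn"] for n in data["node-collection"]["items"]]
    parsed = [classify_endpoint(f) for f in fqdns]
    if len({(prefix, region) for prefix, _, region in parsed}) != 1:
        raise RuntimeError("endpoints do not all belong to one cluster and region")
    roles = {role: f for (_, role, _), f in zip(parsed, fqdns)}
    nodes = {r for r in roles if r.startswith("node-")}
    if nodes != {f"node-{i}" for i in range(data["node-count"])}:
        raise RuntimeError(f"node endpoints do not match node-count={data['node-count']}")
    return roles
```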



Wednesday, October 25, 2023

FortiGate VIP responding on telnet to TCP 5060 and 2000

If you have a FortiGate firewall you might have encountered a situation where Fortinet devices appear to have TCP ports 2000 and 5060 open, even when the firewall policies are configured to block them. If an IPsec connection is configured, it even looks as if a telnet connection can be established on TCP 2000 and 5060 between the devices at each end of the tunnel.

Security scans will flag this as a threat.

 

Fortinet's Default Behavior

 

By default, FortiGate (FortiOS 5.2, 5.4 and 5.6) intercepts and inspects all SIP and SCCP traffic, because its VoIP ALG setting 'default-voip-alg-mode' is set to 'proxy-based'.

When 'default-voip-alg-mode' is set to 'proxy-based', FortiGate treats:

    • TCP ports 5060, 5061 and UDP port 5060 as SIP traffic.
    • TCP port 2000 as Skinny Client Control Protocol (SCCP) traffic, a Cisco proprietary VoIP protocol.

 

Because of this, telnet connections to these ports through the FortiGate appear to succeed, and port scans may report TCP/UDP 5060 and TCP 2000 as open.

There are a few options to prevent this:

 

1. Change default-voip-alg-mode to kernel-helper-based.

SCCP traffic is not processed when default-voip-alg-mode is set to kernel-helper-based.

# config system setting
    set default-voip-alg-mode kernel-helper-based
end

NOTE: On a multi-VDOM unit, disable the SIP ALG in every VDOM concerned.

 

2. Disable the SIP and SCCP ALG in the default VoIP profile

 

# config voip profile
    edit "default"
        config sip
            set status disable
        end
        config sccp
            set status disable
        end
    next
end

 

This should do the trick. You can verify that the FortiGate has stopped listening on these ports with:

dia sys tcpsock | grep 5060
dia sys tcpsock | grep 2000
dia sys udpsock | grep 5060

You should see no output.
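An added example, not from the post or from Fortinet: a small Python checker that parses FortiOS CLI blocks in the form shown above (config / edit / set / next / end) and reports which ALGs would still answer on their ports under the defaults the post describes, so either fix can be verified from a configuration backup as well as by looking at the socket tables. The two sample blocks are constructed copies of the fixes above.

```python
import shlex

# Constructed samples: the two fixes from the post, in the form they appear above.
FIX_MODE = """
# config system setting
    set default-voip-alg-mode kernel-helper-based
end
"""
FIX_PROFILE = """
# config voip profile
    edit "default"
        config sip
            set status disable
        end
        config sccp
            set status disable
        end
    next
end
"""

def parse_fortios(text):
    """Parse a FortiOS CLI block into nested dicts: 'config X'/'edit NAME' open a level,
    'set K V' stores a value, 'next'/'end' close a level; a leading '#' prompt is ignored."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        words = shlex.split(raw.strip().lstrip("# "))
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":
            cur[args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):
            cur = stack.pop()
    return root

def alg_exposed(conf):
    """ALGs that still answer on their ports. With the factory default (proxy-based mode,
    sip and sccp enabled in the 'default' VoIP profile) both are exposed; either fix
    described above, the mode change or the profile change, removes the listener."""
    mode = conf.get("system setting", {}).get("default-voip-alg-mode", "proxy-based")
    profile = conf.get("voip profile", {}).get("default", {})
    return {p for p in ("sip", "sccp")
            if mode == "proxy-based" and profile.get(p, {}).get("status", "enable") == "enable"}
```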

Monday, October 23, 2023

DHCP deleting custom entries in /etc/resolv.conf file

 

If you work in cloud environments such as AWS or OCI, you may have come across a requirement to add custom DNS settings such as name servers or search domains. Any change you make to /etc/resolv.conf or to the network configuration files is reverted at the next DHCP renewal, when the client re-applies the settings handed out by the cloud virtual network.

There are many ways to set custom DNS settings and make sure they are not overridden by DHCP. Using the dhclient supersede option is one of the best methods.

The dhclient.conf file lets you configure options for the DHCP client (dhclient), which controls how your system obtains IP addresses and network configuration from DHCP servers. The supersede directive overrides DHCP options provided by the DHCP server, replacing or supplementing them with your own settings.

Below, I'll explain how to use the supersede directive in dhclient.conf.

 

Config file: /etc/dhcp/dhclient.conf

Basic syntax:

interface "<INTERFACE>" {
    supersede <OPTION-NAME> <OPTION-VALUE>;
}

String-valued options such as domain-search take a comma-separated list of quoted strings, e.g. supersede domain-search "<DOMAIN-1>", "<DOMAIN-2>";

 

Example: to set a custom DNS server on Oracle Linux 8.8, use the dhclient supersede option as follows:

interface "ens3" {
    supersede domain-name-servers 8.8.8.8;
}

 

Reboot the server to see this in action. Alternatively you can set /etc/resolv.conf manually with the required DNS server; at the next DHCP renewal, dhclient reads the configuration file and writes the superseded name server value into /etc/resolv.conf.
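An added example, not from the post: Python helpers that render an interface supersede stanza for dhclient.conf with the right quoting for each option type (quoted strings for names, bare validated addresses for servers), plus a small audit parser that lists what an existing dhclient.conf already supersedes per interface before you add to it. The QUOTED and ADDRESSES groupings are my own reading of the options listed on this page, and the parser assumes one statement per line.

```python
import ipaddress
import re

# My grouping of the options listed on this page: string-valued ones are written quoted,
# address-valued ones are validated and written bare; anything else is written as given.
QUOTED = {"domain-name", "domain-search", "host-name", "nis-domain", "nisplus-domain"}
ADDRESSES = {"domain-name-servers", "routers", "ntp-servers", "netbios-name-servers",
             "nis-servers", "nisplus-servers", "ldap-servers", "subnet-mask", "broadcast-address"}

def render_value(option, value):
    """Render one supersede value (scalar or list) in dhclient.conf syntax."""
    values = list(value) if isinstance(value, (list, tuple)) else [value]
    if option in QUOTED:
        return ", ".join('"%s"' % str(v).replace('"', '\\"') for v in values)
    if option in ADDRESSES:
        for v in values:
            ipaddress.ip_address(v)  # raises ValueError on a malformed address
    return ", ".join(str(v) for v in values)

def supersede_block(interface, options):
    """Build an interface "<name>" { supersede ...; } stanza for /etc/dhcp/dhclient.conf."""
    if not re.fullmatch(r"[A-Za-z0-9_.:-]+", interface):
        raise ValueError(f"bad interface name: {interface}")
    lines = [f'interface "{interface}" {{']
    for option, value in options.items():
        if not re.fullmatch(r"[a-z][a-z0-9-]*", option):
            raise ValueError(f"bad option name: {option}")
        lines.append(f"    supersede {option} {render_value(option, value)};")
    lines.append("}")
    return "\n".join(lines)

def superseded_options(conf_text):
    """Audit an existing dhclient.conf: {interface: {option: raw value}} for each supersede
    statement; "*" collects statements outside any interface block (they apply to all)."""
    result, iface = {}, "*"
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r'interface\s+"([^"]+)"\s*\{', line)
        if m:
            iface = m.group(1)
        elif line == "}":
            iface = "*"
        elif (m := re.match(r"supersede\s+([a-z0-9-]+)\s+(.+);$", line)):
            result.setdefault(iface, {})[m.group(1)] = m.group(2)
    return result
```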

 

You can supersede a number of DHCP options in the dhclient.conf file. Here's a list of DHCP options that can be superseded, along with their descriptions:

 

1. subnet-mask: Specifies the subnet mask for the client's IP address.
2. broadcast-address: Defines the broadcast address for the client's subnet.
3. routers: Sets the default gateway or router for the client.
4. domain-name-servers: Specifies the DNS servers used by the client.
5. domain-name: Specifies the domain name for the client's network.
6. domain-search: Specifies the domain search list for the client.
7. host-name: Sets the hostname for the client.
8. ntp-servers: Specifies the Network Time Protocol (NTP) servers used for time synchronization.
9. netbios-name-servers: Specifies the NetBIOS name servers for Windows networking.
10. netbios-scope: Defines the NetBIOS scope for Windows networking.
11. interface-mtu: Sets the Maximum Transmission Unit (MTU) for the client's network interface.
12. domain-name-servers-append: Appends DNS servers to the list provided by the DHCP server.
13. classless-static-routes: Specifies static routes for the client.
14. nis-domain: Sets the Network Information Service (NIS) domain.
15. nis-servers: Specifies NIS servers for the client.
16. nisplus-domain: Sets the NIS+ domain.
17. nisplus-servers: Specifies NIS+ servers for the client.
18. nisplus-client: Configures the NIS+ client settings.
19. slp-directory-agent: Specifies Service Location Protocol (SLP) directory agents.
20. slp-service-scope: Defines the SLP service scope.
21. ldap-servers: Specifies LDAP (Lightweight Directory Access Protocol) servers.
22. ldap-base-dn: Sets the LDAP base domain name.
23. ldap-raid-info: Configures LDAP RAID (Redundant Array of Independent Disks) information.
24. vivso: Supports Vendor-Identifying Vendor Specific Options (VIVSO).

These options can be superseded in the dhclient.conf file to customize the client's network configuration. Keep in mind that not all of these options may be present in your DHCP server's response. It's essential to understand which options are provided by your DHCP server and which ones you need to supersede to meet your network's specific requirements.