Network Configuration

The following briefly describes the SEE network configuration. 

For more general information on the network set up, refer to the following resources.

  • Open vSwitch: Open vSwitch provides the internal switches (virtual machine to virtual machine traffic) and the switches that attach a physical port to a virtual switch (commonly called a network bridge). For more information, refer to the Open vSwitch documentation.
  • Linux iptables administration tool: Network address translation (NAT) and port forwarding from the outside world to a virtual machine are implemented with iptables and an internal Open vSwitch bridge. NAT with port forwarding is an alternative to a network bridge: a bridge exposes the virtual machine's MAC address as an additional MAC address on the same physical port, whereas NAT exposes only the hypervisor's address and the ports you explicitly forward. For examples and documentation on NAT and port forwarding with iptables, see the Linux man page iptables. Open vSwitch combined with OpenFlow provides a further alternative to iptables NAT and port forwarding.
  • Virtualization toolkit libvirt: For details on configuring libvirt to use Open vSwitch bridges and on passing physical network devices through to a virtual machine, refer to libvirt.org.
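As an added example (not the SEE documentation's own configuration and not part of the PrimeLFS OS tooling), the following shell script shows the iptables NAT and port-forwarding pattern from the second bullet together with the libvirt Open vSwitch attachment from the third. The interface name eth1, the bridge name br-int, the 192.168.100.0/24 subnet, the VM address 192.168.100.10 and the forwarded port 8443 are assumptions; replace them with your values. The rules are emitted as text first so they can be reviewed, and are only applied when the script is run as root on the hypervisor with the argument apply.

```shell
#!/bin/sh
# Added example, not from the SEE documentation. NAT plus a single forwarded
# port from a physical port to a VM sitting behind an internal Open vSwitch
# bridge, and the libvirt interface definition that attaches the VM to it.
# All names and addresses below are assumptions (override via the environment):
#   WAN_IF   physical port facing the outside world
#   INT_BR   internal Open vSwitch bridge carrying VM traffic
#   INT_NET  private subnet behind INT_BR; INT_GW is the hypervisor's address on it
#   VM_IP    the VM that receives forwarded connections
WAN_IF=${WAN_IF:-eth1}
INT_BR=${INT_BR:-br-int}
INT_NET=${INT_NET:-192.168.100.0/24}
INT_GW=${INT_GW:-192.168.100.1/24}
VM_IP=${VM_IP:-192.168.100.10}

# Base rule set. FORWARD defaults to DROP so that only traffic explicitly
# allowed below crosses between the bridge and the physical port; the
# ESTABLISHED,RELATED rule lets replies to permitted connections back in.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ovs-vsctl --may-exist add-br $INT_BR
ip addr replace $INT_GW dev $INT_BR
ip link set $INT_BR up
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_BR -o $WAN_IF -s $INT_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $INT_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Forward TCP port $1 arriving on WAN_IF to port $2 on the VM. Only this
# port is reachable from outside; everything else hits the DROP policy.
port_forward_rules() {
    ext_port=$1
    vm_port=$2
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $ext_port -j DNAT --to-destination $VM_IP:$vm_port
iptables -A FORWARD -i $WAN_IF -o $INT_BR -p tcp -d $VM_IP --dport $vm_port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# libvirt interface definition attaching a VM to the Open vSwitch bridge.
# virtualport type 'openvswitch' makes libvirt add the VM's tap port with
# ovs-vsctl. Usage: virsh attach-device <vm> <file.xml> --config
vm_interface_xml() {
    cat <<EOF
<interface type='bridge'>
  <source bridge='$INT_BR'/>
  <virtualport type='openvswitch'/>
  <model type='virtio'/>
</interface>
EOF
}

# Run each emitted line as a command, echoing it first.
apply_rules() {
    while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        sh -c "$cmd"
    done
}

case "${1:-}" in
    show)  nat_rules; port_forward_rules 8443 443; vm_interface_xml ;;
    apply) { nat_rules; port_forward_rules 8443 443; } | apply_rules ;;
esac
```

Run it with show to inspect the exact iptables, ip and ovs-vsctl commands before committing to them; note that the rules are appended (-A) and are not persistent across a reboot, so load them from whatever init mechanism the hypervisor provides.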

PiLO Network

The PiLO has one network interface, located at the back of the SEE server, see Network Ports. All functions for powering the SFP (hypervisor) on and off are controlled from the touchscreen on the front panel. The network interface lets you reach the same GUI from a web browser on the same subnet as the PiLO.

The PiLO is running a simple web server that is serving the necessary web pages to the touchscreen or any connected web browser. All functions which are available on the front panel touchscreen are available via the connected web browser.

While the PiLO presents these functions on the front panel (or in a connected web browser), it is the Trust Anchor (TA) that acts on them. For example, pressing Power On on the PiLO only sends that instruction over a dedicated serial line to the TA. The TA then decides whether the SFP is powered on. If, for example, the SFP OS fails its signature check, the TA will not power on the SFP.

Note that the PiLO does not need a network connection. Once your application is deployed, remove any network connection to the PiLO.

Default PiLO Network Configuration

The PiLO network port and IP4 address are pre-configured, allowing you to SSH into the PiLO and connect a web browser to it for easier configuration. The default user on the PiLO is root and the corresponding password is root. Because this default is documented here, change it (passwd over SSH) before connecting the PiLO to any shared network.

SSH access allows you to customize the PiLO user interface shown on the front panel (or in a connected web browser), for example by modifying the CSS (Cascading Style Sheets) that is part of the web source code.

No sensitive data is stored on the PiLO, and there is no mechanism for a user of the PiLO to talk to the TA directly: everything the PiLO sends over the serial line is parsed by the TA and either rejected or interpreted. Actions that require authentication and authorization therefore cannot be bypassed by accessing the PiLO itself.

Modify Default IP4 Address

The PiLO NETWORK page allows you to modify the default IP4 address. This is useful if you want to connect a web browser to the PiLO and remotely access the PiLO for easier administration.

To modify the default IP4 address, select CONFIG to display the NETWORK page, then press REFRESH to display the current network configuration of the PiLO and populate the network configuration fields.

The following example shows the onscreen keypad being used to update the network address fields (replace the IP4 addresses with your values).

PiLO displaying the virtual keyboard used to set a new IP4 network configuration for the PiLO

To reboot the PiLO so that your updates take effect, select MANAGE and press REBOOT TOUCH SCREEN. To confirm that the network address configuration has been updated, select CONFIG > NETWORK and press REFRESH.

Trust Anchor (TA) Network

The Trust Anchor (TA) has no network ports: it is embedded in epoxy resin and cannot be accessed directly. The TA has two serial ports, one that responds to commands from the PiLO and one that responds to commands from the SFP (when the SFP is powered on). The TA responds to a limited set of requests only; any other data sent over either serial line that cannot be parsed, and therefore cannot be interpreted, is dropped.

Secure Foundation Platform (SFP) Network

The following provides information on the Secure Foundation Platform (SFP) network configuration.

Default SFP Network Configuration

The SFP is delivered with the network ports eth0 and eth1 pre-configured with IP4 addresses, see Network Ports.

Modify Default Network Address

The eth0 network port is configured with a default IP4 address. Its primary use is to give access to the SFP, either via SSH or via a web browser.

To modify the network address, for example, to access the SFP, select the PiLO option CONFIG PLATFORM > NETWORK and edit the address of the network port eth0.

PiLO displaying the SFP network configuration page

The SFP must be powered on before you can reach the default network address and make the necessary modifications. Once the SFP is powered on, display the current configuration of a network port by pressing its button, eth0 in this example. The top bar of the PiLO under MANAGE should be green and read SEE IS CONNECTED TO SFP, indicating that the SFP hypervisor is fully functional.

Unless you require all four of the SEE network ports to be used by your application(s) within one or more virtual machines, the network port eth0 should be reserved for the following administrative tasks:

  • SSH access to the hypervisor for configuration changes to the Linux PrimeLFS OS or to the virtual machines it runs, for example adjusting the date and time, configuring and starting the network time daemon, or re-configuring one or more virtual machines.
    Warning: SSH is only available while the SEE is in the operational state OEM (level 1). Once the SEE is finally deployed (fielded), the operational state is usually End User (level 3), with no SSH access to the SFP.

  • Web-based configuration (WebConf): Virtual machine and SFP configuration through the web-based graphical user interface. This interface runs inside a virtual machine that itself runs on the SFP, and that virtual machine requires eth0 to be configured so that the UI can be reached from outside the SFP.