Configure Cray NAT Service

The Cray NAT service can be used to enable network access outside the HSN for nodes without interfaces on the external network.

Prerequisite: the Cray XC system is booted.

The Cray NAT (network address translation) configuration service provides access to external networks outside the Cray high-speed network (HSN) for CLE nodes that do not have interfaces on the external network. The service configures a group of nodes as NAT servers; every NAT server must have an interface on the external network. The service supports two separate groups of clients. Outbound-only clients get outgoing access to the external network only; no unsolicited connection originating from the external network is delivered to them. One-to-one clients get both incoming and outgoing connectivity with the external network: each client in the one-to-one group is given its own unique external address from a pool of IP addresses configured in the service.

One use case for the cray_nat configuration service is to enable an AArch64 (ARM) compute node that has been repurposed as a login node to use a NAT server as a default gateway to safely access networks outside the HSN. This may be needed for SSH, license servers, PE debuggers, or X11 forwarding. To provide a repurposed AArch64 node with outgoing access to external networks, add the AArch64 login node to the outbound-only group of clients in the service configuration. The service can also let users reach an AArch64 login node directly from the external network: to allow direct access, add the desired AArch64 login node to the one-to-one group of clients in the service configuration. A one-to-one client is reachable from the external network at its leased address, so harden it as you would any other externally reachable login node before placing it in that group.

This procedure describes how to configure the Cray NAT service. It begins by showing how to define the node groups that contain the NAT servers, NAT outbound-only clients, and NAT one-to-one clients. The procedure then shows how to use the node groups in the NAT service's configuration, as well as how to properly configure the other settings in the NAT service. The procedure ends with an example of a fully configured NAT service and shows the functionality that it provides.


---------------------------- CONFIGURE NODE GROUPS FOR cray_nat ----------------------------

The cray_nat service uses node groups to define the NAT servers, the NAT outbound-only clients, and the NAT one-to-one clients. Existing node groups can be used for any of these if appropriate, or new node groups can be created. NAT servers cannot be RSIP servers or clients, and every NAT server must have an interface that provides access to the external network.

  1. Create and populate a new node group to contain any desired NAT servers.
    Create a new node group nat_servers to contain the desired NAT servers.
    smw# cfgset modify --add nat_servers cray_node_groups.settings.groups.data p0
    smw# cfgset get cray_node_groups.settings.groups p0
    ...
    nat_servers
    
    Add a member node to the new node group nat_servers. Substitute the correct cname for the desired node.
    smw# cfgset modify --add c0-0c1s3n2 \
    cray_node_groups.settings.groups.data.nat_servers.members p0
    smw# cfgset get cray_node_groups.settings.groups.data.nat_servers.members p0
    c0-0c1s3n2
    
    Add the nat_servers node group to cray_nat.settings.service.data.server_groups in the config set. An existing node group can be reused instead if it already contains all desired NAT servers; either way, a node group becomes a group of NAT servers by being added to cray_nat.settings.service.data.server_groups.
    smw# cfgset modify --add nat_servers cray_nat.settings.service.data.server_groups p0
    smw# cfgset get cray_nat.settings.service.data.server_groups p0
    nat_servers
  2. Create and populate node groups for outbound-only NAT clients and for one-to-one NAT clients. Add the node group defining outbound-only NAT clients to cray_nat.settings.service.data.outbound_only_clients in the config set. Add the node group defining one-to-one NAT clients to cray_nat.settings.service.data.one_to_one_clients in the config set.
    The following example demonstrates creating and populating a node group nat_out_clients to contain outbound-only clients and another node group nat_in_clients to contain one-to-one clients. The two node groups are then added to the appropriate cray_nat fields.
    smw# cfgset modify --add nat_out_clients cray_node_groups.settings.groups.data p0
    smw# cfgset modify --add nat_in_clients cray_node_groups.settings.groups.data p0
    smw# cfgset modify --add c0-0c0s8n3 cray_node_groups.settings.groups.data.nat_out_clients.members p0
    smw# cfgset modify --add c0-0c0s8n1 cray_node_groups.settings.groups.data.nat_in_clients.members p0
    smw# cfgset modify --add nat_out_clients cray_nat.settings.service.data.outbound_only_clients p0
    smw# cfgset modify --add nat_in_clients cray_nat.settings.service.data.one_to_one_clients p0


-------------------- CONFIGURE IP ADDRESS POOL AND EXTERNAL INTERFACE FOR cray_nat --------------------

  1. Configure the ip_address_pool field if any one_to_one_clients are configured. This field lists the external addresses to be leased to one-to-one NAT clients. Each client receives its own address, so the list must contain at least as many distinct addresses as there are members in the one_to_one_clients node group.
    Add an address using the cfgset modify command. Replace the address in the example with the desired IP addresses to lease to one-to-one clients.
    smw# cfgset modify --add 172.30.12.6 cray_nat.settings.service.data.ip_address_pool p0
  2. Ensure the Cray NAT ext_if is set to the external interface on the NAT servers. The default value of eth0 is usually correct. Cray NAT requires all NAT servers to have the same name for their external interface.
    smw# cfgset get cray_nat.settings.service.data.ext_if p0
    eth0


---------------------------- ENABLE cray_nat ----------------------------

  1. Ensure that cray_nat is enabled.
    smw# cfgset modify --set true cray_nat.enabled p0
    


---------------------------- UPDATE AND VALIDATE CLE CONFIG SET ----------------------------

The config set must be updated and validated after cfgset modify is run.

  1. Update the CLE config set.
    smw# cfgset update p0
    
  2. Validate the CLE config set to ensure config set services are properly configured.
    smw# cfgset validate p0
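Because cray_nat cannot be reconfigured without a reboot, it is worth checking the cross-field constraints this procedure states (a NAT server group exists, NAT servers are not RSIP servers or clients, ext_if is set, and the address pool holds at least one distinct valid address per one-to-one client) before cfgset update and cfgset validate. The following shell script is an added example written for this page, not Cray software and not something cfgset itself does: the function names are its own, the node names and pool mirror the configuration example later in this document, and the RSIP_NODES list stands in for the site's RSIP server and client groups, whose location in the config set this page does not cover.

```shell
#!/bin/sh
# Added example, not Cray's code: offline pre-flight checks for a cray_nat
# configuration, meant to run on the SMW before `cfgset update`/`validate`
# and the reboot that cray_nat requires. The functions take plain
# whitespace-separated lists, so they are exercised here on constructed data;
# in live use, feed them `cfgset get ... p0` output as shown at the bottom.
# Function names and the RSIP_NODES argument are this example's own choices.

# Number of whitespace-separated items in "$1".
count_items() { set -- $1; echo $#; }

# True (0) when no item of list "$1" also appears in list "$2".
disjoint() {
    for a in $1; do
        for b in $2; do
            [ "$a" = "$b" ] && return 1
        done
    done
    return 0
}

# True (0) when "$1" is a dotted quad with every octet in 0..255.
# The body is a subshell so the IFS change cannot leak into the caller.
valid_ipv4() (
    [ -n "$1" ] || exit 1
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# check_nat_config SERVERS ONE_TO_ONE POOL RSIP_NODES EXT_IF
# Applies the constraints stated in this procedure. Prints one line per
# problem and returns 1; returns 0 when every check passes.
check_nat_config() {
    servers=$1 one_to_one=$2 pool=$3 rsip_nodes=$4 ext_if=$5
    rc=0
    # A NAT server group and an external interface name are mandatory.
    [ -n "$servers" ] || { echo "no NAT servers configured"; rc=1; }
    [ -n "$ext_if" ]  || { echo "ext_if is empty"; rc=1; }
    # NAT servers cannot be RSIP servers or clients.
    disjoint "$servers" "$rsip_nodes" \
        || { echo "a NAT server is also an RSIP server or client"; rc=1; }
    # Each one-to-one client is leased a unique address from the pool, so the
    # pool needs at least as many distinct, valid addresses as there are clients.
    n_clients=$(count_items "$one_to_one")
    n_pool=$(count_items "$pool")
    n_unique=$(printf '%s\n' $pool | sort -u | grep -c . || true)
    if [ "$n_clients" -gt 0 ]; then
        [ "$n_pool" -ge "$n_clients" ] \
            || { echo "ip_address_pool has $n_pool addresses for $n_clients one-to-one clients"; rc=1; }
    fi
    [ "$n_unique" -eq "$n_pool" ] || { echo "ip_address_pool contains duplicates"; rc=1; }
    for addr in $pool; do
        valid_ipv4 "$addr" || { echo "bad ip_address_pool entry: $addr"; rc=1; }
    done
    return $rc
}

# Constructed data mirroring the configuration example in this document.
SERVERS="c0-0c0s8n0"
ONE_TO_ONE="c0-0c0s8n3"
POOL="172.30.12.6"
RSIP_NODES=""
EXT_IF="eth0"

if check_nat_config "$SERVERS" "$ONE_TO_ONE" "$POOL" "$RSIP_NODES" "$EXT_IF"; then
    echo "cray_nat pre-flight: OK"
else
    echo "cray_nat pre-flight: fix the above before cfgset update/validate and the reboot"
fi

# Live use on the SMW (node group names from this procedure; where the RSIP
# groups live depends on the site's cray_rsip configuration):
#   SERVERS=$(cfgset get cray_node_groups.settings.groups.data.nat_servers.members p0)
#   ONE_TO_ONE=$(cfgset get cray_node_groups.settings.groups.data.nat_in_clients.members p0)
#   POOL=$(cfgset get cray_nat.settings.service.data.ip_address_pool p0)
#   EXT_IF=$(cfgset get cray_nat.settings.service.data.ext_if p0)
```

The script only reads values and never calls cfgset modify, so it is safe to run repeatedly; a failing check is a reason to go back to the corresponding step above rather than proceed to the reboot.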
    


---------------------------- SHUT DOWN AND REBOOT CLE SYSTEM ----------------------------

The Cray NAT service does not support reconfiguration on a live system. A system reboot is required after configuring Cray NAT.

  1. Shut down the CLE system.
    smw# su - crayadm
    
    If this site has an auto.hostname.stop file, use it to shut down the system.
    crayadm@smw> xtbootsys -s last -a auto.hostname.stop
    
    Otherwise, use the following command to shut down the system.
    crayadm@smw> xtbootsys -s last -a auto.xtshutdown
    
  2. Boot the CLE system.
    Replace auto.hostname.start with the boot automation file used for this system.
    crayadm@smw> xtbootsys -a auto.hostname.start
    

    Trouble? If there are any problems booting CLE, see the XC™ Series Boot Troubleshooting Guide (S-2565) for techniques to determine what might be causing the problem.

Cray NAT Configuration Example

The following example shows a complete Cray NAT system configuration.

In this example, the node with cname c0-0c0s8n0 has been configured as a NAT server in the p0 config set:
smw# cfgset get cray_nat.settings.service.data.server_groups p0
nat_servers
smw# cfgset get cray_node_groups.settings.groups.data.nat_servers.members p0
c0-0c0s8n0
The server has eth0 as its external interface:
smw# cfgset get cray_nat.settings.service.data.ext_if p0
eth0
One node has been configured as a one-to-one client, and one address has been configured to lease to the one-to-one client:
smw# cfgset get cray_nat.settings.service.data.one_to_one_clients p0
nat_in_clients
smw# cfgset get cray_node_groups.settings.groups.data.nat_in_clients.members p0
c0-0c0s8n3
smw# cfgset get cray_nat.settings.service.data.ip_address_pool p0
172.30.12.6
All compute nodes have been configured as outbound-only clients:
smw# cfgset get cray_nat.settings.service.data.outbound_only_clients p0
compute_nodes
cray_nat has been enabled:
smw# cfgset get cray_nat.enabled p0
true
With the above configuration in place, and after a system reboot, NAT configuration can be validated as follows. Since there is only a single one-to-one NAT client in this example, the IP address assigned to the client is easily known. For more complex configurations, the IP address to client mapping can be obtained from log messages in the boot session's messages log file:
smw# grep "nat client" /var/opt/cray/log/p0-current/messages-20190125 | tail -n 1
<134>1 2019-01-25T04:32:39.564918-06:00 c0-0c0s8n0 xtlog 13951 p0-20190125t024823 [cray_nat@34] nat client c0-0c0s8n3 ip 172.30.12.6 served by nat server c0-0c0s8n0
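For the multi-client case just described, the mapping can be extracted mechanically instead of read by eye. The following shell script is an added example written for this page, not Cray software: it parses cray_nat lease messages of the form shown above into a client/address/server table and reports any member of one_to_one_clients that received no lease after the reboot. The first log line is the one shown above; the other two log lines and the one_to_one_clients membership are constructed for the example, and the function names are its own.

```shell
#!/bin/sh
# Added example, not Cray's code: extract the one-to-one client to address
# mapping that cray_nat logs at boot, and report clients that got no lease.

# nat_leases: read log lines on stdin, print "client ip server" per lease message.
# Fields are located by the literal words "client", "ip" and "server", so the
# syslog header in front of the message does not matter.
nat_leases() {
    awk '/nat client .* ip .* served by nat server / {
        client = ip = server = ""
        for (n = 1; n <= NF; n++) {
            if ($n == "client")      client = $(n + 1)
            else if ($n == "ip")     ip = $(n + 1)
            else if ($n == "server") server = $(n + 1)
        }
        if (client != "" && ip != "" && server != "") print client, ip, server
    }'
}

# lease_for LEASES CLIENT: print the address leased to CLIENT (last one wins,
# as with the `tail -n 1` in the procedure), or nothing if it has none.
lease_for() {
    printf '%s\n' "$1" | awk -v c="$2" '$1 == c { print $2 }' | tail -n 1
}

# unleased_clients LEASES CLIENTS: print each client in CLIENTS with no lease.
unleased_clients() {
    for c in $2; do
        [ -n "$(lease_for "$1" "$c")" ] || echo "$c"
    done
}

# Sample log: line 1 is the message shown in this document; lines 2 and 3 are
# constructed (a second lease, and an unrelated message that must be ignored).
LOG='<134>1 2019-01-25T04:32:39.564918-06:00 c0-0c0s8n0 xtlog 13951 p0-20190125t024823 [cray_nat@34] nat client c0-0c0s8n3 ip 172.30.12.6 served by nat server c0-0c0s8n0
<134>1 2019-01-25T04:32:39.601200-06:00 c0-0c0s8n0 xtlog 13951 p0-20190125t024823 [cray_nat@34] nat client c0-0c0s8n1 ip 172.30.12.7 served by nat server c0-0c0s8n0
<134>1 2019-01-25T04:32:40.000000-06:00 c0-0c0s8n0 xtlog 13951 p0-20190125t024823 [cray_nat@34] constructed unrelated line mentioning nat server c0-0c0s8n0'

LEASES=$(printf '%s\n' "$LOG" | nat_leases)
echo "$LEASES"
# Live use on the SMW, against the boot session's messages file (path as in this document):
#   LEASES=$(grep "nat client" /var/opt/cray/log/p0-current/messages-20190125 | nat_leases)

# Constructed one_to_one_clients membership; live: cfgset get ...nat_in_clients.members p0
ONE_TO_ONE="c0-0c0s8n3 c0-0c0s8n1 c0-0c0s8n2"
MISSING=$(unleased_clients "$LEASES" "$ONE_TO_ONE")
if [ -n "$MISSING" ]; then
    echo "one-to-one clients without a lease: $MISSING"
else
    echo "every one-to-one client has a lease"
fi
```

A client that appears in one_to_one_clients but never in a lease message is the first thing to look for when an SSH connection to its expected external address fails.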
To verify that the one-to-one client is properly configured, SSH to the IP address leased to the client from a host on the external network. The example logs in as root with a password; on a production system, allow only the SSH authentication the site permits on an externally reachable node:
user@site-host ~$ ssh -l root 172.30.12.6 "cat /proc/cray_xt/cname"
Password:
c0-0c0s8n3
To verify that outbound-only clients have been properly configured, ping a host on the external network (e.g. the host my-workstation) from one of the outbound clients:
nid00036:~ # ping -c 1 my-workstation
PING my-workstation.my.site.com (172.30.12.31) 56(84) bytes of data.
64 bytes from my-workstation.my.site.com (172.30.12.31): icmp_seq=1 ttl=63 time=0.343 ms

--- my-workstation.my.site.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.343/0.343/0.343/0.000 ms