Introduction

What is it?

clusterducks is an open-source web application that allows network administrators to manage thousands of netboot devices that share common golden images.

The platform is written in PHP and has a few components:

  • Web interface (panel) to manage configuration for multiple networks
    • Runs in a Docker container or on a standard virtual / physical machine
    • PHP + MySQL + OpenSSH + InfluxDB
    • Low requirements: runs on a Raspberry Pi; larger networks may run into an InfluxDB bottleneck (InfluxDB may be disabled or moved to a separate server)
    • Communicates with server agents via tunnel servers
    • SSL Certificate Authority
  • Tunnel service
    • Brokers HTTP API requests from the control panel to remote agents
    • Must be fully reachable over TCP from the web panel, as a DMZ (via LAN or IPsec with external firewalls)
    • Typically requires a public hostname for agents to connect to
    • Simple appliance - zero configuration required, just start a container or run the installer
    • Users and keys are automatically managed; provides an authentication wrapper around OpenSSH using AuthorizedKeysCommand + MySQL
    • Integrated with iptables to further isolate connections from one another and secure the tunnel endpoint from untrustworthy operators
  • Server agent
    • Provides HTTPS API and iPXE menu rendering for netboot devices
    • HTTPD / MySQL / DHCP / TFTP / iPXE + ZFS + iSCSI/NFS
    • dnsmasq configuration automatically managed
    • Libvirt for virtualization support (KVM)
    • Multiple active slaves receive updates from a single master server
    • Connects to the tunnel service for NAT bypass to receive API requests
    • Servers can be designated as storage only, compute only, or both
  • Netbooted devices
    • Can be virtual or bare metal
    • Windows (7, 8.1, 10, 2012R2), Linux (dracut)
    • No disk imaging required - no hard drives required, either
    • Must be able to receive DHCP broadcasts from boot server(s); must support iPXE
    • Uses iSCSI (Windows/Linux) for OS storage
    • Custom "vDisks" store persistent data and increase redundancy
    • Overlay filesystems allow transparent separation of OS and instance data for Linux devices using our initrd module
    • Folder Redirection allows transparent separation of OS and user data for Windows users

Isn't that unnecessarily complex?

Managing a large network without the appropriate infrastructure will lead to wasted time and resources.

Our intuitive and robust interface requires minimal training, deployment, operation and maintenance efforts. Central storage is easily managed from a single pane of glass.

Clusterducks has a secure installation by default - the control panel serves the role of Certificate Authority, issuing and revoking certificates for users and devices. The CA root chain can be embedded in any device that will have a role in your network.

  • Multiple distinct networks can be managed from one interface thanks to the segregated client-server architecture
    • Permissions delegation allows administrators to ensure technicians only see networks they are assigned to
  • Tiered storage architecture allows efficient image storage and replication of cloned snapshots
  • By default, devices are non-persistent for security reasons (OS storage is reprovisioned upon boot); if a user is infected with malware, just reboot and the infection is gone
  • Device IP addresses are statically assigned from the web interface; DHCP/BOOTP is abandoned early in boot process
  • vDisks may be assigned to a device for persistent data storage. Because they are never reprovisioned, they are safe for use with volatile data (data that changes frequently)
    • Integrated support for overlayfs (in Linux) for true separation of OS and instance data

What about the network bottleneck?

Devices are not limited to operating purely from the network; local disks can provide storage in addition to the iSCSI-connected OS volume.

How much does it cost?

clusterducks is free software with a permissive license (AGPL3) that even allows commercial usage.

The AGPL ensures this software will never go away or become vaporware. The principal limitation is that the source must remain as the original copyright holder intended it to be: open.

Your operating costs can be immediately reduced; since devices no longer require hard drives, replacement costs and associated lost data / downtime are eliminated.

Commercial usage

Commercial usage is allowed with the AGPL3-licensed release; however, any modifications must be made available to all users. To this effect, a commercial entity may use, modify, fork, rebrand and rename clusterducks, but must do so under the terms of AGPL3.

Alternative commercial license agreements are negotiable.