path: root/zarb-ml/mageia-sysadm/2011-January/001472.html
Diffstat (limited to 'zarb-ml/mageia-sysadm/2011-January/001472.html')
-rw-r--r--zarb-ml/mageia-sysadm/2011-January/001472.html187
1 files changed, 187 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2011-January/001472.html b/zarb-ml/mageia-sysadm/2011-January/001472.html
new file mode 100644
index 000000000..0ca7e1cac
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/2011-January/001472.html
@@ -0,0 +1,187 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+ <HEAD>
+ <TITLE> [Mageia-sysadm] [LONG] new server to name and password handling
+ </TITLE>
+ <LINK REL="Index" HREF="index.html" >
+ <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5BLONG%5D%20new%20server%20to%20name%20and%20password%20handling&In-Reply-To=%3C1294016440.2046.59.camel%40akroma.ephaone.org%3E">
+ <META NAME="robots" CONTENT="index,nofollow">
+ <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+ <LINK REL="Previous" HREF="001471.html">
+ <LINK REL="Next" HREF="001499.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+ <H1>[Mageia-sysadm] [LONG] new server to name and password handling</H1>
+ <B>Michael Scherer</B>
+ <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5BLONG%5D%20new%20server%20to%20name%20and%20password%20handling&In-Reply-To=%3C1294016440.2046.59.camel%40akroma.ephaone.org%3E"
+ TITLE="[Mageia-sysadm] [LONG] new server to name and password handling">misc at zarb.org
+ </A><BR>
+ <I>Mon Jan 3 02:00:40 CET 2011</I>
+ <P><UL>
+ <LI>Previous message: <A HREF="001471.html">[Mageia-sysadm] Puppet Report for alamut.mageia.org
+</A></li>
+ <LI>Next message: <A HREF="001499.html">[Mageia-sysadm] [LONG] new server to name and password handling
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#1472">[ date ]</a>
+ <a href="thread.html#1472">[ thread ]</a>
+ <a href="subject.html#1472">[ subject ]</a>
+ <a href="author.html#1472">[ author ]</a>
+ </LI>
+ </UL>
+ <HR>
+<!--beginarticle-->
+<PRE>Hi,
+Good news, since we have all been good boys and girls ( at least, I
+was ), some presents were left under Christmas tree ( or whatever is
+used for your local celebration if any ).
+
+Anne just told me that a new server will be donated, sponsored by
+Online.net, thanks to Raphael Gertz efforts. The specs ( in french, I
+can translate if Babelfish is not enough ) are here :
+<A HREF="http://www.online.net/serveur-dedie/offre-dedibox-pro.xhtml">http://www.online.net/serveur-dedie/offre-dedibox-pro.xhtml</A>
+
+Primary use would likely be &quot;iso creation&quot;, a task that requires some
+disk and memory ( and is quite important to do ).
+
+So this bring us some problems :
+
+- the name. Last person to choose was Olivier Blin for friteuse, the
+forum vm ( that still didn't got installed, for those that want to
+know ) and the next one should be decided by Buchan Milne.
+
+So Buchan it is up to you, and you need to design your successor from
+the list of 1 person, Olivier Thauvin, who is the last remaining admin
+in my list. And then, we start to 0 again, aka the full list.
+
+
+- the installation. I volunteered to install it, and add it to puppet
+( and while on it, document it on the wiki ), but I would wish some
+input on the partition table :
+
+ - use raid 1 or raid 0 ( or both as suggested by Nanar, ie raid 1+0 ) ?
+ - lvm, or no lvm, or partial lvm ?
+ - raid or lvm stripping, mirroring ?
+ - ext4, others ?
+
+One of the issue is that the web panel do not support lvm. So I propose
+this :
+
+- 20g, no lvm, for the main system, on ext4
+- the rest as a big raid 0, or raid 1+0 array.
+in the array, we add a big lvm, splitted among
+ - mirror of rpm, around 50 go
+ - swap, around 5 go
+ - iso, around X go per run. ( with X to be calculated later or asked to
+someone who know ).
+
+
+Why raid 0 ( or 1+0 ) ? The server main use will be iso creation ( for
+now ), which mean &quot;lots of I/O&quot;. And that's the main and only reason to
+use raid 0. But if we can have also some redundancy to avoid issue that
+plagued mandriva iso creation ( aka, cascade failure of the iso creation
+server ), it could be nice.
+
+Why lvm ? For flexibility, if we decide to add other services to the
+server ( think virtualisation, there is 8 CPU and there is maybe a 2nd
+ip ). But adding others services on raid 0 may not be a smart idea on
+the other hand, so maybe using raid 1+0 would be nice too.
+
+
+- the access to the web interface. As the server is hosted at online.net
+datacenter and we do not have access, we need to use the web panel to
+reboot and so one ( or IPMI ). We ( ie, anne and me ) have a
+login/password for that. So we need to store it somewhere so members of
+a strictly defined group ( likely admins, but surely also member of the
+board/council ) can access, and no one else can. This mean that the
+password is changed when a member of the group leave the group, and
+something like every year, to avoid problem in case of password
+theft/lose.
+
+While I trust everybody who will receive it to not misuse the password,
+I am not trusting people who could steal the laptop, or people who could
+unlawfully access to it. I do use encrypted partition on my laptop, I
+know not everybody do ( for obvious reason like &quot;this reduce my battery
+life by 1 hour&quot; and &quot;this is broken on installation on mdv&quot; and others
+good reason ).
+
+So we need to :
+- define the list of login/password/url to store there. On top of my
+head, I would say :
+ - web interface for online.net ( anne and I )
+ - impi interface password ( not set yet )
+ - bios password, if any, ( I think we didn't set them )
+ - drac interface of alamut ( I think we did set them, and so damien,
+boklm, me and potentially maat know it )
+ - root password of servers ( can be changed )
+ - dns domain at gandi.net, ( romain should have it )
+
+- decide who should have access. Maybe more than one group should be
+required. I would also add a similar system for the access to outside
+services, like twitter account, etc. ( and that's one more reason to
+prefer hosted service ). While such services are important, losing
+facebook account would be less a problem than the dns name.
+
+- decide how often we change the passwords ( for those that ca be
+changed remotely ), and a process to make sure it was done. Maybe
+somewhere to note when it was done. Or decide to not change it if this
+is too tedious.
+
+- find a system to store them
+ - must be usable offline
+ - should not requires to distribute a master password
+ - must store everything encrypted ( in case of compromission )
+ - must be able to be transmitted over a unsecure channel ( ie, the
+internet )
+ - should be as seamless as possible ( ie, if we requires people to
+download a file, majority will forget to do it ).
+ - must be free software, using a good encryption system ( like not
+3DES ), etc, etc.
+ - a nice addition would be to use our ldap, or ssh keys
+I haven't looked, nor do I have much ideas on that part, so do not be
+shy, express yourself, what do people use in their job ( or
+assimilated ).
+
+At my first mission, we had physical access everywhere so the password
+handling was not a big issue, and used a gpg password file on 2 servers
+( and we used some memory trick to keep the root password of the 20
+servers ).
+
+On another job, we used a php interface for that. I lost the name of the
+web application. It was hosted in our office, with a shared password
+given to employees.
+
+And for zarb.org, we use a quite complex system with a file password.gpg
+encrypted with a key given to admin, with a pass phrase meaning &quot;apple
+pie with cream&quot; in navajo or chinese, something like that.
+
+Obviously, no procedures were set to change any password nowhere :)
+( or at least, not disclosed to me )
+
+--
+Michael Scherer
+
+</PRE>
+
+
+
+<!--endarticle-->
+ <HR>
+ <P><UL>
+ <!--threads-->
+ <LI>Previous message: <A HREF="001471.html">[Mageia-sysadm] Puppet Report for alamut.mageia.org
+</A></li>
+ <LI>Next message: <A HREF="001499.html">[Mageia-sysadm] [LONG] new server to name and password handling
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#1472">[ date ]</a>
+ <a href="thread.html#1472">[ thread ]</a>
+ <a href="subject.html#1472">[ subject ]</a>
+ <a href="author.html#1472">[ author ]</a>
+ </LI>
+ </UL>
+
+<hr>
+<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
+mailing list</a><br>
+</body></html>
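Review bot: the archived message enumerates which credentials exist (online.net panel, IPMI, BIOS, DRAC for alamut, server root passwords, the gandi.net domain account) and which administrators know them, but no credential values, so the file can be committed to a public archive without redaction. The one line worth a second look before publishing is the description of the zarb.org password.gpg passphrase ("apple pie with cream" in navajo or chinese): it is vague enough to be harmless, but if that file is still in use the passphrase should be rotated rather than relying on the description staying vague. Everything else in the hunk is mailman-generated markup and needs no change.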