From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2011-January/001472.html | 187 +++++++++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2011-January/001472.html (limited to 'zarb-ml/mageia-sysadm/2011-January/001472.html') diff --git a/zarb-ml/mageia-sysadm/2011-January/001472.html b/zarb-ml/mageia-sysadm/2011-January/001472.html new file mode 100644 index 000000000..0ca7e1cac --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-January/001472.html @@ -0,0 +1,187 @@ + + + + [Mageia-sysadm] [LONG] new server to name and password handling + + + + + + + + + +

[Mageia-sysadm] [LONG] new server to name and password handling

+ Michael Scherer + misc at zarb.org +
+ Mon Jan 3 02:00:40 CET 2011 +

+
+ +
Hi,
+Good news, since we have all been good boys and girls ( at least, I
+was ), some presents were left under Christmas tree ( or whatever is
+used for your local celebration if any ).
+
+Anne just told me that a new server will be donated, sponsored by
+Online.net, thanks to Raphael Gertz efforts. The specs ( in french, I
+can translate if Babelfish is not enough ) are here :
+http://www.online.net/serveur-dedie/offre-dedibox-pro.xhtml
+
+Primary use would likely be "iso creation", a task that requires some
+disk and memory ( and is quite important to do ).
+
+So this bring us some problems :
+
+- the name. Last person to choose was Olivier Blin for friteuse, the
+forum vm ( that still didn't got installed, for those that want to
+know ) and the next one should be decided by Buchan Milne. 
+
+So Buchan it is up to you, and you need to design your successor from
+the list of 1 person, Olivier Thauvin, who is the last remaining admin
+in my list. And then, we start to 0 again, aka the full list.
+
+
+- the installation. I volunteered to install it, and add it to puppet
+( and while on it, document it on the wiki ), but I would wish some
+input on the partition table :
+
+ - use raid 1 or raid 0 ( or both as suggested by Nanar, ie raid 1+0 ) ?
+ - lvm, or no lvm, or partial lvm ? 
+ - raid or lvm stripping, mirroring ?
+ - ext4, others ? 
+
+One of the issue is that the web panel do not support lvm. So I propose
+this :
+
+- 20g, no lvm, for the main system, on ext4 
+- the rest as a big raid 0, or raid 1+0 array. 
+in the array, we add a big lvm, splitted among
+ - mirror of rpm, around 50 go
+ - swap, around 5 go
+ - iso, around X go per run. ( with X to be calculated later or asked to
+someone who know ).
+
+
+Why raid 0 ( or 1+0 ) ? The server main use will be iso creation ( for
+now ), which mean "lots of I/O". And that's the main and only reason to
+use raid 0. But if we can have also some redundancy to avoid issue that
+plagued mandriva iso creation ( aka, cascade failure of the iso creation
+server ), it could be nice.
+
+Why lvm ? For flexibility, if we decide to add other services to the
+server ( think virtualisation, there is 8 CPU and there is maybe a 2nd
+ip ). But adding others services on raid 0 may not be a smart idea on
+the other hand, so maybe using raid 1+0 would be nice too.
+
+
+- the access to the web interface. As the server is hosted at online.net
+datacenter and we do not have access, we need to use the web panel to
+reboot and so one ( or IPMI ). We ( ie, anne and me ) have a
+login/password for that. So we need to store it somewhere so members of
+a strictly defined group ( likely admins, but surely also member of the
+board/council ) can access, and no one else can. This mean that the
+password is changed when a member of the group leave the group, and
+something like every year, to avoid problem in case of password
+theft/lose. 
+
+While I trust everybody who will receive it to not misuse the password,
+I am not trusting people who could steal the laptop, or people who could
+unlawfully access to it. I do use encrypted partition on my laptop, I
+know not everybody do ( for obvious reason like "this reduce my battery
+life by 1 hour" and "this is broken on installation on mdv" and others
+good reason ).
+
+So we need to :
+- define the list of login/password/url to store there. On top of my
+head, I would say :
+  - web interface for online.net ( anne and I )
+  - impi interface password ( not set yet )
+  - bios password, if any, ( I think we didn't set them )
+  - drac interface of alamut ( I think we did set them, and so damien,
+boklm, me and potentially maat know it )
+  - root password of servers ( can be changed )
+  - dns domain at gandi.net, ( romain should have it )
+
+- decide who should have access. Maybe more than one group should be
+required. I would also add a similar system for the access to outside
+services, like twitter account, etc. ( and that's one more reason to
+prefer hosted service ). While such services are important, losing
+facebook account would be less a problem than the dns name. 
+
+- decide how often we change the passwords ( for those that ca be
+changed remotely ), and a process to make sure it was done. Maybe
+somewhere to note when it was done. Or decide to not change it if this
+is too tedious.
+
+- find a system to store them
+ - must be usable offline
+ - should not requires to distribute a master password
+ - must store everything encrypted ( in case of compromission )
+ - must be able to be transmitted over a unsecure channel ( ie, the
+internet )
+ - should be as seamless as possible ( ie, if we requires people to
+download a file, majority will forget to do it ).
+ - must be free software, using a good encryption system ( like not
+3DES ), etc, etc.
+ - a nice addition would be to use our ldap, or ssh keys
+I haven't looked, nor do I have much ideas on that part, so do not be
+shy, express yourself, what do people use in their job ( or
+assimilated ).
+
+At my first mission, we had physical access everywhere so the password
+handling was not a big issue, and used a gpg password file on 2 servers
+( and we used some memory trick to keep the root password of the 20
+servers ).
+ 
+On another job, we used a php interface for that. I lost the name of the
+web application. It was hosted in our office, with a shared password
+given to employees.
+
+And for zarb.org, we use a quite complex system with a file password.gpg
+encrypted with a key given to admin, with a pass phrase meaning "apple
+pie with cream" in navajo or chinese, something like that.
+
+Obviously, no procedures were set to change any password nowhere :)
+( or at least, not disclosed to me )
+
+-- 
+Michael Scherer
+
+
+ + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
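Review bot: before this archive file is published under zarb-ml/, confirm that the mageia-sysadm list is intended to be publicly readable, because the message body is an inventory of who holds which infrastructure credentials (the online.net web panel login held by "anne and me", the DRAC interface of alamut known to "damien, boklm, me and potentially maat", the gandi.net DNS account held by romain) and records that the IPMI and BIOS passwords are not yet set and that not every recipient uses disk encryption on their laptop; that inventory is directly useful to anyone targeting those accounts, so either confirm the list is public by design or keep this message out of the published tree.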