[Mageia-sysadm] Infos about the machines

nicolas vigier boklm at mars-attacks.org
Fri Oct 8 16:29:30 CEST 2010


On Fri, 08 Oct 2010, Michael Scherer wrote:

> > 
> > Later, the machines in the datacenter can be used for this:
> >  - Server1: bugzilla/nagios/dns1/sql/ldap/api/mail/mailing/pastebin/wiki/planet
> John has been working on updating planet on zarb.org, I guess he will be
> able to transfer that.

Good!

> 
> >  - Server2: svn/git/BS scheduler/hdlists/primary mirror
> Is this where the key to sign packages will be kept?

Yes, at least for Cooker.

> 
> >  - Server3: BS node
> >  - Server4: BS node
> 
> Do people have direct access on both?

I think that for security, we should not allow people to log in to the
build nodes and Server2 (which replaces kenobi), except for minimal access
with restricted commands to allow "mdvsys submit" to work.

About servers for packagers to test package builds, I think we should
have separate servers.

With the current Mandriva build system, any contributor (even an apprentice
without submit rights) can easily become root with iurt (or using a
security issue in any package, because any package from the repository
can be installed), access the mandrake account and then log in to almost
any server in the BS using the mandrake ssh key, and then silently replace
packages on the repository. We can probably trust long-time
contributors, but it's difficult to trust people we don't know who asked
for an apprentice account.

> 
> > If you have any other ideas, comments or questions, don't hesitate to
> > reply.
> 
> No backup server? No postfix (primary and secondary)? No wiki?
> Would all web applications be hosted on the same server (i.e. epoll,
> transifex and other applications)?

Yes, a backup server is still missing. We will maybe need to buy one, or
find another server to do it. For now, maybe the servers can back up
each other.

For the wiki and all web apps, yes they will be on the same server. I
think the server is quite fast.

> We should have a secondary ldap. I would also add a ticket system which
> is not bugzilla (as infrastructure as a product would be weird).

Do you have some suggestions for the ticket system?

> 
> And we may need somewhere to write the doc, if possible something that
> can be used offline.

So something other than the wiki?

> 
> We also need to discuss what is our responsibility and what is not (i.e.,
> who is root on what server, mainly the website one, and who decides on
> the various settings, mainly php/apache). I would propose that we
> leverage a VCS + some software like cfengine/puppet to delegate some parts
> (like some vhost settings on some servers) to some other groups (and
> this would also provide traceability, i.e., no direct root access).

Yes, good idea. We should also send commit logs to this mailing list so we
know when something is changed.

Nicolas
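
The restricted-command access proposed above for Server2 and the build nodes, sketched as an SSH forced-command wrapper. This is an added example, not part of the original message or of the Mandriva/Mageia build system. The helper path, the `submit <target> <package> <revision>` request format, the allow-list and the `authorized_keys` entry are assumptions made for illustration.

```python
"""Forced-command gate for a build host (added illustration, hypothetical names).
Assumed authorized_keys entry:
  restrict,command="/usr/local/bin/submit-gate" ssh-ed25519 <key> packager
sshd then runs this script instead of the client's request, which arrives in
the SSH_ORIGINAL_COMMAND environment variable."""
import os
import re
import shlex
import sys

# Hypothetical server-side helper: the real command behind "mdvsys submit"
# is not given in the thread.
SUBMIT_HELPER = "/usr/local/bin/submit-package"
ALLOWED_TARGETS = {"cooker"}  # constructed allow-list
PACKAGE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9+._-]{0,63}")
REVISION_RE = re.compile(r"[0-9]{1,9}")


def parse_request(original_command):
    """Return the argv to execute, or None if the request is not allowed."""
    if not original_command:
        return None  # no command means an interactive login attempt: refuse
    try:
        words = shlex.split(original_command)
    except ValueError:
        return None  # unbalanced quotes
    if len(words) != 4 or words[0] != "submit":
        return None
    _, target, package, revision = words
    if target not in ALLOWED_TARGETS:
        return None
    if not PACKAGE_RE.fullmatch(package) or not REVISION_RE.fullmatch(revision):
        return None
    # Build an argv list, never a shell string, so metacharacters stay inert.
    return [SUBMIT_HELPER, "--target", target,
            "--package", package, "--revision", revision]


def main():
    argv = parse_request(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        print("request refused", file=sys.stderr)
        return 1
    os.execv(argv[0], argv)  # replaces this process; no shell is involved


if __name__ == "__main__":
    sys.exit(main())
```

With a gate like this, a stolen or misused packager key can only trigger a validated submit request on the host; it cannot open a shell or touch the repository directly.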


