[Mageia-sysadm] planning for sysadmin task

[Michael Scherer]

Le lundi 25 octobre 2010 à 10:24 +0100, Buchan Milne a écrit :
> On Sunday, 24 October 2010 11:58:26 Olivier Thauvin wrote:
> > * Michael Scherer (misc at zarb.org) wrote:
> > > Hi,
> > > 
> > > so now the server are in place, we have to install them. Here is a
> > > proposal of the needed services :
> > > 
> > > Then we need to deploy the basic infrastructure for us. Again, I assume
> > > that no one is against apache :
> > > - ldap ( valstar or alamut ? )
> 
> At this stage, I am thinking that we may want 3 servers running LDAP:
> -Master LDAP server, which is primarily not used by read-only clients. I 
> haven't tested referrals yet in my app, so for now CatDap will probably need 
> to use it. Could possibly be used as fall-back for either of the slaves
> -1 slave used primarily for infrastructure support, but not exposed to much 
> external traffic. Mostly nss_ldap/pam_ldap on build hosts, and any other 
> infrastructure stuff which we decide to put in LDAP. If the total userbase is 
> too large we could consider a partial replica (e.g. only posixAccount 
> entries), though we may need to test this a bit ...
> -1 slave used primarily for external traffic, e.g. forum, wiki etc. This could 
> be the web server running some of these applications.
> 
> If this is excessive, we could consider combining master and internal read 
> access on one server (but I would prefer to have at least one fall-back

For the moment, we have 5 servers, so for the beggining, it may indeed
be too much. So basically, ldap master on valstar ( ie, svn hdlist,
etc ) and external on alamut ?

And later, a ldap slave on the server used for forum ?

> > May I suggest to setup all our web on same server, especially since a
> > lot use perl-Catalyst (buchan's one, epoll and the one I did to manage
> > mirror).
> > 
> > May I also suggest all our web be installed using RPM ?
> > Notice I got some issue using catalyst in fcgi mod, but it works fine in
> > server mode + apache as proxy.
> 
> I will try and create a package today. I think all the dependencies should be 
> available for Mdv2010.0 and up. However, if we want to have any contributions 
> (skinning work from web team, localisations) with quick testing, it may be 
> useful to run one instance from an svn checkout.

Ie, have a production instance and a devel instance ?

Nothing prevent us from doing rpm from svn snapshot at regular interval
too.

> BTW., do we want to run these apps on separate virtual hosts? Should I ship 
> vhost definition in apache config (e.g. for identity.mageia.org)?

I would say "yes"

> > > - create account for us.
> 
> Set up host authentication to LDAP first? We will need SSL certificates for 
> LDAP hosts as well. Self-signed certs or certs from self-signed CA are fine.

Ok.

> > Yup, especially if we have to work on them :)
> 
> I have created some accounts in LDAP, and I am happy to create any we need to 
> proceed to the point where the account registration portion of CatDap is 
> running. However, I think we may want to get internal use of it (for 
> registration) before opening the gates ...
> 
> Also, I probably need to start work on the admin features, for now I am 
> planning:
> -user modification (e.g. add posixAccount to existing user account, modify any 
> attributes necessary manually, 
> -group management (add groups, modify group membership etc.)
> 
> Please let me know what other features are important sooner than later.

ssh keys support ( as I think we will use it for us ) ? After a second
tought, we can do it by hand, 

I also think notification of subscription could be interesting, but
again, we may not need it now.

> > > then the rest is less prioritary :
> > > - postfix ( alamut )
> > > - migrate to sympa ( alamut )
> > > - enter everybody in the ldap
> > > - nagios/munin ( or similar ) ( alamut )
> 
> xymon?

yup, why, as long it is packaged, i am ok.


-- 
Michael Scherer