[Mageia-sysadm] planning for sysadmin task

Buchan Milne bgmilne at multilinks.com
Mon Oct 25 11:24:51 CEST 2010


On Sunday, 24 October 2010 11:58:26 Olivier Thauvin wrote:
> * Michael Scherer (misc at zarb.org) wrote:
> > Hi,
> > 
> > so now the servers are in place, we have to install them. Here is a
> > proposal of the needed services :
> > 
> > Then we need to deploy the basic infrastructure for us. Again, I assume
> > that no one is against apache :
> > - ldap ( valstar or alamut ? )

At this stage, I am thinking that we may want 3 servers running LDAP:
- Master LDAP server, which is primarily not used by read-only clients. I
  haven't tested referrals yet in my app, so for now CatDap will probably need
  to use it. Could possibly be used as fall-back for either of the slaves
- 1 slave used primarily for infrastructure support, but not exposed to much
  external traffic. Mostly nss_ldap/pam_ldap on build hosts, and any other
  infrastructure stuff which we decide to put in LDAP. If the total userbase is
  too large we could consider a partial replica (e.g. only posixAccount
  entries), though we may need to test this a bit ...
- 1 slave used primarily for external traffic, e.g. forum, wiki etc. This could
  be the web server running some of these applications.

If this is excessive, we could consider combining master and internal read 
access on one server (but I would prefer to have at least one fall-back

> > - apache
> > - buchan application

Interim name for my app is CatDap, but feel free to suggest a better name.

> May I suggest to setup all our web on same server, especially since a
> lot use perl-Catalyst (buchan's one, epoll and the one I did to manage
> mirror).
> 
> May I also suggest all our web be installed using RPM ?
> Notice I got some issue using catalyst in fcgi mod, but it works fine in
> server mode + apache as proxy.

I will try and create a package today. I think all the dependencies should be 
available for Mdv2010.0 and up. However, if we want to have any contributions 
(skinning work from web team, localisations) with quick testing, it may be 
useful to run one instance from an svn checkout.

BTW, do we want to run these apps on separate virtual hosts? Should I ship 
vhost definition in apache config (e.g. for identity.mageia.org)?

> > - create account for us.

Set up host authentication to LDAP first? We will need SSL certificates for 
LDAP hosts as well. Self-signed certs or certs from self-signed CA are fine.

> Yup, especially if we have to work on them :)

I have created some accounts in LDAP, and I am happy to create any we need to 
proceed to the point where the account registration portion of CatDap is 
running. However, I think we may want to get internal use of it (for 
registration) before opening the gates ...

Also, I probably need to start work on the admin features, for now I am 
planning:
- user modification (e.g. add posixAccount to existing user account, modify any
  attributes necessary manually)
- group management (add groups, modify group membership etc.)

Please let me know what other features are important sooner than later.

> > Then we have to take care of installing the first web applications, and
> > that requires a db :
> > - postgresql ( alamut )
> > - epoll ( alamut )
> 
> + MGA::Mirror, the tools currently on distrib-coffee to manage mirrors.
> 
> I want to migrate it ASAP because http on distrib-coffee is not reliable
> due to load made by some distributions.
> 
> Can I take this part since I know pgsql and I'll need them myself.
> 
> BTW: I hope pgsql can have a dedicated fs, it can help to avoid out of
> space.
> 
> > then the rest is lower priority :
> > - postfix ( alamut )
> > - migrate to sympa ( alamut )
> > - enter everybody in the ldap
> > - nagios/munin ( or similar ) ( alamut )

xymon?

> > - migrate blogs
> > - migrate wiki
> > - nanar application for mirror
> 
> Once pgsql + catalyst is installed, this part is easy to do. Notice it
> needs an MTA to work, only to send mail.

CatDap also requires an MTA for registration (sending only).

Regards,
Buchan

