
Diff for "FritzVirtualization"

Differences between revisions 2 and 3
Revision 2 as of 2012-03-17 05:29:53
Size: 1614
Editor: ClintonEbadi
Comment: configuring stuff
Revision 3 as of 2012-03-24 19:53:49
Size: 5018
Editor: ClintonEbadi
Comment: debian based package config? Have I gone insane?
Line 16: Line 16:

=== Tasks ===

(./) = done, {o} = not done, {X} = gave up or died trying

 * (./) Set up network bridge
 * (./) Create test KVM to discover preseed values and other config bits
 * (./) Generate basic preseed file where login + `kinit && aklog` work
 * {o} Create local Debian archive for `libnss-afs`
 * {o} Package `nsswitch.conf` changes and generate preseed for a machine that recognizes pts users (ssh $hcoop-user@machine should work at this point)
 * {o} Update `domtool` init scripts to work with `insserv` since non-dependency-based init is deprecated and will be removed in `wheezy`
 * {o} Update FirewallRules `closed.conf` for the modern age and package
   * {o} Add hostname field `fwtool` firewall config (so that users / services can have different ports on different machines)
   * {o} Codify universal afs / kerberos / etc. ports that always have to be open in firewall config (can probably mostly yank this info from fritz)
 * {o} Apply advanced wine making techniques to carefully blend the Apache configurations on `fritz` and `mire` and package the result
   * {o} Add new `phpVersion 53` to DomTool and (hopefully this can be done) make `phpVersion` support checking if the host supports that version (easy check: if the node is mire, support 4/5, if the node is fritz only support 5.3)
 * {o} Spin up the fancy new Apache KVM and pray that it works
   * {o} Move `gitweb` and `git` hosting over
   * {o} Set up `rcube`
   * {X} Set up `squirrelmail` (harder than rcube: we have to point `mail.` at the KVM, and then use MX records... punt on this for the time being)
   * {o} Turn off `fritz`'s Apache (it's the KVM host and KDC ... change of plans, eh)
   * {X} Point `hcoop.net` at the new machine (also a huge reconfiguration PITA)
   * {o} Start assisting the first brave users with "moving" to new machine (i.e. `webAt "newNode", or adding an env var to `Easy_Domain` to change the default web node for everything)
     * After sure of everything working, inspect all user DomTool configs and make the needed changes for the users to switch their hosting to new node (in trivial cases e.g. `mod_proxy` to app on `mire`, static file serving)
 * {o} Using lessons from above tasks, spin up new user shell machine
 * {o} Harrass any users who refuse to leave mire
 * {o} Turn mire off, remove from rack, set on fire
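Review bot: the squirrelmail item mixes up two different moves. Serving webmail from the KVM only needs the `mail.` hostname's A record to point at the new guest; MX records govern where mail is delivered and only change if delivery itself leaves the current mail host (the open-issues section further down still has exim forwarding handled on deleuze), so "use MX records" should not be listed as a prerequisite for hosting squirrelmail. Two small things in the same hunk: "Harrass" should be "Harass", and the `webAt "newNode" ...` line has an unbalanced backtick after `Easy_Domain`, which will run the rest of the line together as code in the wiki markup.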
Line 30: Line 58:
== Debian Based Package Config ==

Based on http://debathena.mit.edu/config-packages/ and http://wiki.debian.org/ConfigPackages

Anything we can't use debconf for in the preseed, we should push using Debian packages. We already need a mirror for `libnss-afs` so we may as well take advantage of it?

Packages needing customization on all machines:

 * ferm (`closed.conf`)
 * `nsswitch.conf` (not sure of package)
 * `mdadm`, `rkhunter`, `tripwire`, et al: This will need to be done as a general "CleaningUpOurAtrociouslyNoisyLoggingConfiguration" project (hint, hint).

Packages that need customization if installed:

 * whatever imapd we use on the new machines
 * exim
 * ejabberd
 * apache

Ideas:

 * virtual packages `hcoop-user-node-config` and `hcoop-services-node-config` that conflict and depend on the appropriate basic config settings (e.g. for setting up `login.restrict`, default ulimits, etc.)
 * If we want to use `runit` for services, we might include the service files and `init.d` overrides
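Review bot: `nsswitch.conf` "(not sure of package)" needs settling before anything is packaged: run `dpkg -S /etc/nsswitch.conf` on a squeeze box. If a package owns the file, a config package cannot ship a file at that path without diverting the original first (`dpkg-divert` from preinst, which is the mechanism the linked Debathena config-packages approach builds on); if nothing owns it, an idempotent edit from postinst is the simpler route. On the ideas list, `hcoop-user-node-config` and `hcoop-services-node-config` cannot be purely virtual packages and also carry config: make them real packages that each `Provides:` and `Conflicts:` a shared virtual name (`hcoop-node-config`, say, as a suggestion) so at most one of them can be installed on a machine. The ferm item should also say how `closed.conf` is reloaded from postinst without cutting off the ssh session that is driving the install, since a packaged ruleset applies unattended.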

Initial scratch notes on getting KVM working on fritz. These will need to be integrated into SetupNewMachines and AdminArea once everything is working.

See http://wiki.hcoop.net/Migration2009/SoftwareSetup for the gist of what ClintonEbadi is trying to do here, but s/OpenVZ/KVM via libvirt/g.

1. Test Setup Notes

Nothing in any particular order, since it's all quite fuzzy.

  • Account clinton_admin has been added to the libvirt group (permits ClintonEbadi to manage KVMs as his own user remotely using virt-manager). Note that libvirt group membership is effectively root on the host: anyone who can write to the libvirtd socket can define a guest with arbitrary host block devices attached.

  • Investigated bridging and firewalling: https://bugzilla.redhat.com/show_bug.cgi?id=512206

    • This also implies that using a separate bridge per VM is ideal
    • As advised in the bug, we have disabled netfilter on the bridge (the net.bridge.bridge-nf-call-* sysctls set to 0). Consequence: bridged guest traffic no longer passes through the host's iptables chains, so each guest has to carry its own firewall rules.
  • Installed and configured: less sudo vim emacs23-nox etckeeper changetrack openssh-server debsums logcheck bzip2 denyhosts rkhunter openafs-client ntp nscd krb5-user libpam-krb5 ssmtp libpam-afs-session openafs-krb5
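As an added example (this is not code from the wiki or from HCoop's setup), here is what "disabled netfilter on the bridge" looks like as a persistent Debian setting, together with a check that reads the live values back. The fragment path /etc/sysctl.d/90-bridge-nf.conf, the function names and the ROOT prefix (so the script can be exercised against a scratch directory) are assumptions of the example, not anything the page specifies.

```sh
#!/bin/sh
# Added example, not HCoop's configuration: persist the bridge-netfilter
# settings from RH bug 512206 and verify them.  ROOT is an assumed prefix
# (empty on a real host) so the functions can be tested on a scratch tree.
set -eu

: "${ROOT:=}"

bridge_nf_fragment() {
    echo "$ROOT/etc/sysctl.d/90-bridge-nf.conf"
}

# bridge_nf_write_sysctl: write the fragment that keeps bridged frames out of
# the host's iptables / ip6tables / arptables chains.  Security consequence:
# the host firewall no longer sees guest traffic at all, so every guest needs
# its own ruleset.
bridge_nf_write_sysctl() {
    frag=$(bridge_nf_fragment)
    mkdir -p "$(dirname "$frag")"
    cat > "$frag" <<'EOF'
# Do not pass bridged frames through the host's netfilter hooks
# (see https://bugzilla.redhat.com/show_bug.cgi?id=512206).
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
}

# bridge_nf_check: return 0 if every bridge-nf-call-* knob under
# $ROOT/proc/sys/net/bridge reads 0, 1 if any is still enabled or unreadable,
# 2 if the directory is absent (bridge module not loaded, nothing to check).
bridge_nf_check() {
    dir="$ROOT/proc/sys/net/bridge"
    [ -d "$dir" ] || return 2
    rc=0
    for knob in iptables ip6tables arptables; do
        f="$dir/bridge-nf-call-$knob"
        if [ ! -r "$f" ] || [ "$(cat "$f")" != 0 ]; then
            echo "bridge-nf-call-$knob: still enabled or unreadable" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use on a host (as root):
#   sh bridge-nf.sh write   # create the fragment
#   sh bridge-nf.sh apply   # create it and load it with sysctl -p
#   sh bridge-nf.sh check   # read the live values back
case "${1:-}" in
    write) bridge_nf_write_sysctl ;;
    apply) bridge_nf_write_sysctl && sysctl -p "$(bridge_nf_fragment)" ;;
    check) bridge_nf_check ;;
esac
```

Two caveats. The net.bridge.* sysctls only exist once the bridge module is loaded, so a fragment in /etc/sysctl.d does nothing at boot unless bridge is listed in /etc/modules (or the same sysctl calls are made from a post-up line in the bridge stanza of /etc/network/interfaces); the check's exit status 2 is meant to catch exactly that. And with these knobs at 0 the host's iptables never sees bridged guest frames, which is why the ferm closed.conf task has to land on every guest rather than only on fritz.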

1.1. Tasks

(./) = done, {o} = not done, {X} = gave up or died trying

  • (./) Set up network bridge

  • (./) Create test KVM to discover preseed values and other config bits

  • (./) Generate basic preseed file where login + kinit && aklog work

  • {o} Create local Debian archive for libnss-afs

  • {o} Package nsswitch.conf changes and generate preseed for a machine that recognizes pts users (ssh $hcoop-user@machine should work at this point)

  • {o} Update domtool init scripts to work with insserv since non-dependency-based init is deprecated and will be removed in wheezy

  • {o} Update FirewallRules closed.conf for the modern age and package

    • {o} Add hostname field fwtool firewall config (so that users / services can have different ports on different machines)

    • {o} Codify universal afs / kerberos / etc. ports that always have to be open in firewall config (can probably mostly yank this info from fritz)

  • {o} Apply advanced wine making techniques to carefully blend the Apache configurations on fritz and mire and package the result

    • {o} Add new phpVersion 53 to DomTool and (hopefully this can be done) make phpVersion support checking if the host supports that version (easy check: if the node is mire, support 4/5, if the node is fritz only support 5.3)

  • {o} Spin up the fancy new Apache KVM and pray that it works

    • {o} Move gitweb and git hosting over

    • {o} Set up rcube

    • {X} Set up squirrelmail (harder than rcube: we have to point mail. at the KVM, and then use MX records... punt on this for the time being)

    • {o} Turn off fritz's Apache (it's the KVM host and KDC ... change of plans, eh)

    • {X} Point hcoop.net at the new machine (also a huge reconfiguration PITA)

    • {o} Start assisting the first brave users with "moving" to new machine (i.e. webAt "newNode", or adding an env var to Easy_Domain to change the default web node for everything)

      • After sure of everything working, inspect all user DomTool configs and make the needed changes for the users to switch their hosting to new node (in trivial cases e.g. mod_proxy to app on mire, static file serving)

  • {o} Using lessons from above tasks, spin up new user shell machine

  • {o} Harass any users who refuse to leave mire

  • {o} Turn mire off, remove from rack, set on fire

1.2. Packages Config

  • ssmtp

    • forward all mail for UID < 1000 to logs

    • Masquerade as hcoop.net

  • PAM
    • Newfangled pam-auth-update framework (profiles under /usr/share/pam-configs) on a fresh squeeze install looks quite promising (enabled the kerberos, unix and AFS session profiles)

2. Major Open Issues

  • Need a Debian mirror for libnss-afs (debarchiver?)
  • Exim setup (have to add to forwardable domains on deleuze)
  • Automated partitioning (looks like I might have to manually craft the partman template instead of dumping it from d-i)

3. Debian Based Package Config

Based on http://debathena.mit.edu/config-packages/ and http://wiki.debian.org/ConfigPackages

Anything we can't use debconf for in the preseed, we should push using Debian packages. We already need a mirror for libnss-afs so we may as well take advantage of it?

Packages needing customization on all machines:

Packages that need customization if installed:

  • whatever imapd we use on the new machines
  • exim
  • ejabberd
  • apache

Ideas:

  • virtual packages hcoop-user-node-config and hcoop-services-node-config that conflict and depend on the appropriate basic config settings (e.g. for setting up login.restrict, default ulimits, etc.)

  • If we want to use runit for services, we might include the service files and init.d overrides
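An added example, not from the wiki or from HCoop's packages, covering both the "package nsswitch.conf changes" task in the list above and the config-package plan here: a POSIX sh routine that a config package's postinst could call to enable libnss-afs idempotently on whatever nsswitch.conf the machine already has, plus the matching check. It assumes libnss-afs registers the NSS service name afs and that only passwd and group need it (shadow stays with compat/files, since authentication goes through pam-krb5 rather than NSS); the function names are the example's own.

```sh
#!/bin/sh
# Added example, not HCoop's code: enable libnss-afs in nsswitch.conf the way
# a config package's postinst might, and verify the result.  Assumes the NSS
# service name "afs" and that only passwd and group need it.
set -eu

NSS_DBS="passwd group"   # databases that should consult libnss-afs

# hcoop_nsswitch_enable_afs FILE
# Add "afs" to the passwd: and group: lines unless already present.  It goes
# right after "files" when that source is listed, otherwise at the end of the
# source list (after "compat"), so local accounts always win.  Databases that
# are missing entirely are appended as "<db>: files afs".  Inline comments
# and spacing are preserved; the result is written back with cat so FILE keeps
# its owner and mode.  Running it twice changes nothing.
hcoop_nsswitch_enable_afs() {
    file=$1
    tmp=$(mktemp)
    awk -v dbs="$NSS_DBS" '
        BEGIN { n = split(dbs, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        {
            line = $0; comment = ""; trail = ""
            c = index(line, "#")
            if (c > 0) { comment = substr(line, c); line = substr(line, 1, c - 1) }
            if (match(line, /[ \t]+$/)) { trail = substr(line, RSTART); line = substr(line, 1, RSTART - 1) }
            if (match(line, /^[a-z]+:/)) {
                db = substr(line, 1, RLENGTH - 1)
                if (db in w) {
                    seen[db] = 1
                    nf = split(line, f, /[ \t]+/)
                    has = 0
                    for (i = 2; i <= nf; i++) if (f[i] == "afs") has = 1
                    if (!has) {
                        if (match(line, /[ \t]files([ \t]|$)/))
                            line = substr(line, 1, RSTART + 5) " afs" substr(line, RSTART + 6)
                        else
                            line = line " afs"
                    }
                }
            }
            print line trail comment
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) print want[i] ":\t\tfiles afs"
        }' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# hcoop_nsswitch_check FILE
# Return 0 when every database in NSS_DBS lists afs, 1 otherwise, naming the
# offenders on stderr.  Comments are stripped first so "# add afs later"
# does not count.
hcoop_nsswitch_check() {
    file=$1
    rc=0
    for db in $NSS_DBS; do
        if ! awk -v db="$db" '
                { sub(/#.*/, "") }
                $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "afs") ok = 1 }
                END { exit ok ? 0 : 1 }' "$file"; then
            echo "nsswitch: $db does not consult afs" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use (root for the real file):
#   sh nsswitch-afs.sh enable [/etc/nsswitch.conf]
#   sh nsswitch-afs.sh check  [/etc/nsswitch.conf]
case "${1:-}" in
    enable) hcoop_nsswitch_enable_afs "${2:-/etc/nsswitch.conf}" ;;
    check)  hcoop_nsswitch_check "${2:-/etc/nsswitch.conf}" ;;
esac
```

Editing in place from postinst rather than shipping a replacement /etc/nsswitch.conf sidesteps the "not sure of package" question: the package never has to own or divert the file, and the same routine works whether the host's file says compat or files. The check is also what the "ssh $hcoop-user@machine should work" milestone reduces to on the NSS side: once getent passwd resolves a pts user after this edit, what remains is PAM.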


CategorySystemAdministration CategoryWorkInProgress

FritzVirtualization (last edited 2013-01-28 07:21:09 by ClintonEbadi)