7325
Comment: website stuff
|
7413
wsgi looks like a better idea than fastcgi
|
Deletions are marked like this. | Additions are marked like this. |
Line 21: | Line 21: |
* March 2013: Catch the sales on the last generation Dell 2U/2-socket machines and create a clean counterpart to fritz. | * FTP * Webalizer * March/April 2013: Catch the sales on the last generation Dell 2U/2-socket machines and create a clean counterpart to fritz. |
Line 46: | Line 48: |
* Reattempt contacting members who have ignored the roll-call * Each board member gets 15, mail Non-HCoop Email, application email if it is available |
|
Line 49: | Line 49: |
* `fwtool regen` with no host (= all hosts) | |
Line 55: | Line 54: |
* Upgrade bugzilla * Restore phpmyadmin |
|
Line 58: | Line 55: |
* Upgrade wiki | |
Line 61: | Line 57: |
* Wiki user reg spam: http://paste.conkeror.org/?236 * At least sab mag faq has it (11k users!), we need to help members fix this unfortunate interaction between moin, the file system, and evildoers. |
|
Line 63: | Line 61: |
== fastcgi setup notes == Notes to self about configuring fastcgi for at least php http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html * Depend on `libapache2-mod-fcgid` * `a2enmod fcgid` in postinst (the package seems to enable itself, but en/dis anyway) * Need to install our own `mods-available/fcgid.conf` * Do NOT enable `fcgid-script` script hander by default, require use of `fastCgiExtension` in DomTool * `FcgidFixPathinfo 1` to let php work properly (seems to not affect anything else) * Need to configure process limits (expire fairly quickly to prevent issues with tokens/memory exhaustion) * Have to write a wrapper shell script to exec `php5-cgi`, placed within `/afs/hcoop.net/` (but where?) * Wrapper script needs to gain kerberos/afs credentials... but `$USER` is not available (`whoami` works however) * suexec also wants the file to be owned by the user... hrm. http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives WSGI looks much easier to set up, at least enough for moin. We could get away with enabling it and supporting only `WSGIScriptAlias` initially. Not sure about interaction with mod_waklog. |
|
Line 77: | Line 93: |
* Move back into public_html | |
Line 80: | Line 95: |
=== Wiki === | |
Line 81: | Line 97: |
== Terrible Things == Since we are having a roll call soon, we need to deal with these. * phpVersion needs to change |
* [[http://moinmo.in/MacroMarket/ChildPages|child pages macro]] for listing the section of the member manual in the sidebar? |
Line 91: | Line 102: |
* SSL improvements (SNI, intermediate certificates, ...) | |
Line 98: | Line 108: |
* Improve `fwtool` as needs become clearer * `fwtool regen` without node to regen all nodes, `fwtool verify` and possibly something akin to `visudo` * Programmitic interface to adding/removing/etc rules? * At least need a way to kill rules when destroying the user, ideally just disabling them? (existing code ignores users who do not exist, so it sort of works to ignore it, but cleanliness of the rules file will become a problem). * "Proper" parser. Read rules into typed structure using the magic of SML, and work on that form (more natural, type safe, etc.) * groups or similar for common ports * We need a way to grant users who just want general net access a reasonably unrestrictive firewall, without needlessly opening things for members who don't use our shell services extensively. Since we can't restrict socket permissions generally, defining groups that provide common firewall rules seems like an ok solution. |
* Improve `fwtool` as needs become clearer (FirewallTool) |
Line 127: | Line 131: |
Write SQL to extract initial member app email and non-hcoop email so that we can either automatically or manually re-contact everyone. | The board contacted everyone again. A few folks responded. |
Line 129: | Line 133: |
* Can we use paypal/wallet addresses? It might be against the TOS for those services to email members like that, but if it's not... paying us is basically the only contact we have with most members so I bet they'd be the most reliable. | The following are excused: |
Line 131: | Line 135: |
* WebUser.paypal, WebUser.checkout, MemberApp.email, Contact.v (what ContactKind for email?) | * regadou (actually not a member any more) * bailey (actually not a member any more) * mcarberry (rejoined at the same time as the roll call, is aware but did not get the email) * ethanh (his email was horribly broken due to a stupid bug freezing, destroying, and then re-creating members) |
I am Clinton Ebadi. I am the reluctant President of the coop (someone has to do it), and the current lead sysadmin / DomTool maintainer / lo-fi AdamChlipala replacement.
1. Board Statements
See /BoardStatements
2. General Coop Goals
Unstructured musing on when/what I think the coop ought to be.
January 2013: New website online, navajos and bog both up with new members using them
February 2013->December 2013: Big push for new members. New website should make us seem more alive, we've finally fixed about 3/4 of the "temporary" hacks from when we first moved to Peer1, etc. mire is gone (less work: we just have to get people off of it), but also work toward getting rid of deleuze. Web services first (low hanging fruit), even if it means punting on fully converting to domtool managed sites (at least packaged and documented). AFAICT other than those we're just left with:
- March/April 2013: Catch the sales on the last generation Dell 2U/2-socket machines and create a clean counterpart to fritz.
- Minimal KVM host setup for base OS. We might run the KDC and OpenAFS on the bare metal, not entirely certain.
- Create new wheezy based VMs, duplicating (and turning into master) services hosted in VMs on fritz
For the first time, this is realistic: all of those months packaging our configuration pay off by sparing future-me from herculean efforts. And SteveKillen, BtTempleton, and I are probably available for a road trip to Peer1.
March 2013->July 2013: Transition remaining services off of deleuze onto KernelVirtualMachines on new kvm host
- April 2013: Election and hopefully 120 members. Mire has been turned off for at least a month at this point.
- Winter 2013: Assuming 150+ members, perhaps more bandwidth is in order. Deleuze should be safe to turn off by now at the latest.
- Spring 2014: Ponies for everyone.
IPv6, mediagoblin, diaspora, gitorious, xmpp works again (and ability to use vanity domains), ...
3. Contact
<clinton at unknownlamer dot org> (Email)
- unknownlamer (AOL Instant Messenger)
<clinton at hcoop dot net> (Jabber)
unknown_lamer on freenode (IRC) in #hcoop
- +1 443 538 8058 (Phone, SMS preffered)
4. Websites
http://unknownlamer.org Personal Homepage
5. Immediate Tasks
- Networked domtool-tail
- Possible donations for new server
- Board meeting
- Backups (blocked by lack of hardware)
- Spec out new server
- Consolidate web stuff onto navajos
- Upgrade squirrelmail
- webdav/svn
- Can we support gssapi negotiate? Seems like it should be trivial on the server side.
Wiki user reg spam: http://paste.conkeror.org/?236
- At least sab mag faq has it (11k users!), we need to help members fix this unfortunate interaction between moin, the file system, and evildoers.
6. Admin Stuff
6.1. fastcgi setup notes
Notes to self about configuring fastcgi for at least php
http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
Depend on libapache2-mod-fcgid
a2enmod fcgid in postinst (the package seems to enable itself, but en/dis anyway)
Need to install our own mods-available/fcgid.conf
Do NOT enable fcgid-script script hander by default, require use of fastCgiExtension in DomTool
FcgidFixPathinfo 1 to let php work properly (seems to not affect anything else)
- Need to configure process limits (expire fairly quickly to prevent issues with tokens/memory exhaustion)
Have to write a wrapper shell script to exec php5-cgi, placed within /afs/hcoop.net/ (but where?)
Wrapper script needs to gain kerberos/afs credentials... but $USER is not available (whoami works however)
- suexec also wants the file to be owned by the user... hrm.
http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives WSGI looks much easier to set up, at least enough for moin. We could get away with enabling it and supporting only WSGIScriptAlias initially. Not sure about interaction with mod_waklog.
6.2. etc.
default DirectoryIndex does not include index.shtml, should this be changed?
6.3. Website
(create Website bugzilla product and move these there)
- Convert hcoop.net into domtool config (looks trivial, a few rewrites... except for userdir support?)
- On the topic of user dirs: allow members to register a redirect for hcoop.net/~foo?)
- Replace facebook links with other "get to know the members" text
- Inspire members to join the planet
- Make the locations tool usable again (something we can use with Openstreetmap).
Give BtTempleton and LaurenMcNees write access as needed
6.3.1. Wiki
child pages macro for listing the section of the member manual in the sidebar?
6.4. domtool plans
- Feature backlog
- Networked domtool-tail
- FastCGI
Seems like the most straightforward of the fancy CGI to persistent server replacement to gets working, and has wide support. MoinMoin can use it... and it's a lot less tricky for members to get working than proxied servers on another host.
- Ideally, support wsgi and whatnot later, assuming they can do suexec
default CSymbol = Value for binding default environment variable settings
Expands the scope of extensions that can be written in pure DomTool, slight flexibility gains
Improve fwtool as needs become clearer (FirewallTool)
6.5. Major Sysadmin Tasks for 2013
- Acquire and install new server, cleaning up the back of the rack in the process
- Get everything off of deleuze
Clean up keytabs (at least $user.mail for mail delivery, sync to as few nodes as needed, etc.)
- Overhaul mail delivery
- Revisit routing/transport; the current routing config has too many entry and exit points making changes extremely complicated (i.e. likely to break mail delivery)
- Take advantage of new exim features like DKIM.
- Secondary MX
7. Board Stuff
- What address should we be using for the "owner" of hcoop services? It's a mix of the current treasurer, registered agent, and data center right now... is the registered agent correct? Do we need to get a PO Box or something?
- We need a private wiki of some sort for filing sensitive information like welcome emails for services and various credentials... is it safe enough to do that using the public moin and acls? I'm not sure sure...
7.1. Roll Call
https://members.hcoop.net/portal/roll?view=10
After an initial burst of acknowledgement, acknowledgements came to a stand still after only four days. We need to contact everyone by alternate means.
The board contacted everyone again. A few folks responded.
The following are excused:
- regadou (actually not a member any more)
- bailey (actually not a member any more)
- mcarberry (rejoined at the same time as the roll call, is aware but did not get the email)
- ethanh (his email was horribly broken due to a stupid bug freezing, destroying, and then re-creating members)