Initial scratch notes on getting KVM working on fritz. This will need to be integrated into SetupNewMachines and AdminArea once everything is working. See http://wiki.hcoop.net/Migration2009/SoftwareSetup for the gist of what ClintonEbadi is trying to do here, but `s/OpenVZ/KVM via libvirt/g`.

== Test Setup Notes ==

In no particular order, since it's all quite fuzzy.

 * Account `clinton_admin` has been added to the `libvirt` group (permits ClintonEbadi to manage KVMs as his own user, remotely, using [[http://virt-manager.et.redhat.com/|virt-manager]]).
 * Investigated bridging and firewalling: https://bugzilla.redhat.com/show_bug.cgi?id=512206
  * This also implies that using a separate bridge per VM is ideal.
  * As advised in the bug, we have disabled netfilter on the bridge (the `net.bridge.bridge-nf-call-*` sysctls). Consequence: the host's iptables rules no longer see guest traffic, so each guest needs its own firewall.
 * Installed and configured: `less sudo vim emacs23-nox etckeeper changetrack openssh-server debsums logcheck bzip2 denyhosts rkhunter openafs-client ntp nscd krb5-user libpam-krb5 ssmtp libpam-afs-session openafs-krb5`

=== Tasks ===

(./) = done, {o} = not done, {X} = gave up or died trying

 * (./) Set up network bridge
 * (./) Create test KVM to discover preseed values and other config bits
 * (./) Generate basic preseed file where login + `kinit && aklog` work
 * {o} Create local Debian archive for `libnss-afs`
 * {o} GnuPG keyring etc. for verified package builds
 * {o} Archive key for secure apt installs
 * {o} Package `nsswitch.conf` changes and generate preseed for a machine that recognizes pts users (`ssh $hcoop-user@machine` should work at this point)
 * {o} Update `domtool` init scripts to work with `insserv`, since non-dependency-based init is deprecated and will be removed in `wheezy`
 * {o} Update FirewallRules `closed.conf` for the modern age and package it
 * {o} Add a hostname field to the `fwtool` firewall config (so that users / services can have different ports open on different machines)
 * {o} Codify the universal AFS / Kerberos / etc. ports that always have to be open in the firewall config (can probably mostly yank this info from fritz)
 * {o} Apply advanced wine making techniques to carefully blend the Apache configurations on `fritz` and `mire`, and package the result
 * {o} Add new `phpVersion 53` to DomTool and (hopefully this can be done) make `phpVersion` check whether the host supports that version (easy check: if the node is mire, support 4/5; if the node is fritz, only support 5.3)
 * {o} Spin up the fancy new Apache KVM and pray that it works
 * {o} Move `gitweb` and `git` hosting over
 * {o} Set up `rcube`
 * {X} Set up `squirrelmail` (harder than rcube: we have to point `mail.` at the KVM and then use MX records... punt on this for the time being)
 * {o} Turn off `fritz`'s Apache (it's the KVM host and KDC ... change of plans, eh)
 * {X} Point `hcoop.net` at the new machine (also a huge reconfiguration PITA)
 * {o} Start assisting the first brave users with "moving" to the new machine (i.e. `webAt "newNode"`, or adding an env var to `Easy_Domain` to change the default web node for everything)
 * {o} Once sure of everything working, inspect all user DomTool configs and make the changes needed for users to switch their hosting to the new node (in trivial cases, e.g. `mod_proxy` to an app on `mire`, static file serving)
 * {o} Using lessons from the above tasks, spin up a new user shell machine
 * {o} Harass any users who refuse to leave mire
 * {o} Turn mire off, remove from rack, set on fire

=== Package Config ===

Things not mentioned on SetupNewMachines that had to have their default debconf values changed.

 * `ssmtp`
  * forward all mail for UIDs < 1000 to logs
  * masquerade as `hcoop.net`
 * PAM
  * The newfangled PAM config framework (`pam-auth-update`) on a fresh squeeze install looks quite promising... (enabled kerberos + unix + afs session)

=== Major Open Issues ===

 * Need a Debian mirror for libnss-afs (debarchiver?)
 * Exim setup (have to add to forwardable domains on deleuze)
 * Automated partitioning (looks like I might have to manually craft the partman template instead of dumping it from d-i)

== Debian Mirror ==

 * Using debarchiver on hopper (we want to run as little as possible on fritz)
 * `/afs/hcoop.net/common/debian/...`
  * `.../old/` = current contents (obsolete package sources / builds)
  * `.../src/` = git source packages (this must be symlinked into `~hcoop/.hcoop-git/`)
  * `.../archive/` = debarchiver output
 * Export `/afs/hcoop.net/common/debian/archive/` at http://hcoop.net/debian/ (open to suggestions on this)
 * Using `debuild` on ClintonEbadi's personal workstation for now (for now only packaging the `amd64` build of `libnss-afs` and the architecture-independent config file debs)
 * Ideally, we'd use `pbuilder` on an amd64 KVM; in the real world we'll probably end up with `pbuilder` on fritz (using `debuild` directly on fritz has the unfortunate consequence of installing lots of unnecessary build deps)

== Debian Package Based Config ==

Based on http://debathena.mit.edu/config-packages/ and http://wiki.debian.org/ConfigPackages

Anything we can't set via debconf in the preseed, we should push out using Debian packages. We already need a mirror for `libnss-afs`, so we may as well take advantage of it.

Packages needing customization on all machines:
 * ferm (`closed.conf`)
 * `nsswitch.conf` (not sure of package)
 * `mdadm`, `rkhunter`, `tripwire`, et al.: this will need to be done as a general "CleaningUpOurAtrociouslyNoisyLoggingConfiguration" project (hint, hint).

Packages that need customization if installed:
 * whatever imapd we use on the new machines
 * exim
 * ejabberd
 * apache

Ideas:
 * metapackages `hcoop-user-node-config` and `hcoop-services-node-config` that conflict with each other and depend on the appropriate basic config packages (e.g. for setting up `login.restrict`, default ulimits, etc.)
 * If we want to use `runit` for services, we might include the service files and `init.d` overrides

----
CategorySystemAdministration CategoryWorkInProgress
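Added example for the bridge / netfilter item in the Test Setup Notes above (this is not HCoop's configuration or code from the page): a `sysctl.d` fragment that keeps netfilter off the bridge at boot, plus a check that the running host really has the `bridge-nf-call-*` knobs at 0. The sysctl names are the real kernel knobs; the fragment filename, the function names and the `BRIDGE_SYSCTL_DIR` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page or HCoop's own config.
# With bridge-nf-call-* at 1 the host's iptables/ip6tables/arptables rules are
# applied to the guests' bridged frames (the behaviour the referenced bug
# advises turning off).  At 0 guest traffic bypasses the host's filter, so each
# guest has to carry its own firewall.

# Where the knobs live; overridable so the check can be run against a
# constructed directory (assumed variable name, for this example only).
BRIDGE_SYSCTL_DIR="${BRIDGE_SYSCTL_DIR:-/proc/sys/net/bridge}"

# Emit the sysctl.d fragment that pins the knobs to 0.  The knob names are
# the real kernel sysctls; install e.g. as /etc/sysctl.d/bridge-nf.conf
# (assumed filename) and apply with `sysctl -p /etc/sysctl.d/bridge-nf.conf`.
bridge_nf_sysctl_fragment() {
    cat <<'EOF'
# Do not hand bridged frames to netfilter on the KVM host
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
}

# Return 0 if every bridge-nf-call-* knob reads 0; return 1 if any knob is
# enabled or unreadable (e.g. bridge module not loaded), naming it on stderr.
bridge_nf_disabled() {
    dir="${1:-$BRIDGE_SYSCTL_DIR}"
    rc=0
    for knob in iptables ip6tables arptables; do
        f="$dir/bridge-nf-call-$knob"
        if [ ! -r "$f" ]; then
            echo "cannot read $f (bridge module not loaded?)" >&2
            rc=1
            continue
        fi
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            echo "netfilter still applied on bridge: $f = $val" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on the KVM host:
#   bridge_nf_disabled || { bridge_nf_sysctl_fragment > /etc/sysctl.d/bridge-nf.conf; sysctl -p /etc/sysctl.d/bridge-nf.conf; }
```

Because the knobs are 0, nothing in the host's ferm rules protects the guests; the packaged `closed.conf` has to be installed inside every KVM rather than relied on from fritz.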
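Added example for the `nsswitch.conf` packaging task in the Tasks list above (not from the page and not HCoop's packaging): the transform a config package's `postinst` could apply to a diverted `/etc/nsswitch.conf` so that `passwd` and `group` lookups fall through to the `afs` source provided by `libnss-afs`, which is what a machine that recognizes pts users needs. The sample input below is a constructed squeeze-style default; the function name and the decision to leave `shadow` and `hosts` untouched are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page or from HCoop's config packages.
# Reads an nsswitch.conf on stdin and writes it to stdout with `afs` appended
# to the passwd and group databases.  Idempotent, so a config package can run
# it on every install/upgrade (debathena-style: divert the stock file, then
# generate the replacement from the diverted original).
hcoop_nss_add_afs() {
    awk '
        /^(passwd|group):/ {
            # Already has the afs source: pass the line through unchanged.
            for (i = 2; i <= NF; i++) if ($i == "afs") { print; next }
            # Keep local sources first so root/system accounts resolve even
            # when AFS is unreachable, then fall through to pts via afs.
            print $0 " afs"; next
        }
        # Every other database (shadow, hosts, ...) is left alone.
        { print }
    '
}

# Constructed sample of a stock Debian nsswitch.conf, for demonstration.
hcoop_nss_sample_input() {
    printf 'passwd:         compat\ngroup:          compat\nshadow:         compat\nhosts:          files dns\nnetworks:       files\n'
}

# Usage in a postinst (assumed paths), after dpkg-divert has moved the stock
# file to /etc/nsswitch.conf.hcoop-orig:
#   hcoop_nss_add_afs < /etc/nsswitch.conf.hcoop-orig > /etc/nsswitch.conf
```

Running `hcoop_nss_sample_input | hcoop_nss_add_afs` shows the result: `passwd: compat afs` and `group: compat afs`, with `shadow` and `hosts` unchanged. Because the change is generated rather than hand-edited, the diverted original stays intact for `dpkg-divert --remove` on package purge.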