
cacert-sysadm - Development of infrastructure

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Mario Lipinski <mario AT cacert.org>
  • To: cacert-sysadm AT lists.cacert.org
  • Subject: Development of infrastructure
  • Date: Thu, 05 Aug 2010 05:22:25 +0200
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
  • Organization: CAcert (Organisation Assurance Germany, Wiki/Issue admin)

Hi all,

After the recent developments I do not expect CAcert to have additional hardware available for running infrastructure during the next year. Since the current situation does not give us any more resources for running additional infrastructure (as I understood from dan's mails), we have to see how we can use our current hardware to be more flexible again.

Taken from the documentation I have, currently sun1 and sun2 are running infrastructure services. sun2 is somehow documented. What services are running on sun1? I would assume sun1 to have resources left.

So one possibility might be to move the running services off sun1, reinstall it or (depending on the current setup) adjust the setup to run VMs in a to-be-chosen way. For this it also should be considered for the future to have a distributed setup with VMs in different locations and to be able to move them around. Backup should be an important thing as well. If we are changing the way we run VMs, move them all to the new setup system, adjust setup of sun2 and after that distribute them to spread the load.

If this cannot work, we might need to consider reducing the number of VMs by installing nearly all services just on one host. This might reduce security, but should give us some air to move again.

Another point we need to consider is that the infrastructure at BIT currently is tied to the critical services. When doing changes here, we should consider separating these. This ideally would mean to have a separate uplink for the infrastructure subnet and attach it directly to the infrastructure boxes. If a physical extra uplink is not possible we maybe could just simulate it. So no firewalls which are also linked to the critical systems. Firewalling (packet filtering) then has to be done on the infrastructure hosts - another factor reducing security, but this should be acceptable.

After having restructured infrastructure at BIT, we can consider bringing other single virtual hosts in. One topic here is backup: We need to be able to bring a VM up at another location in a timely manner if something breaks.
Also after doing changes here, we should be able to move out of BIT (with infrastructure - this is no plan for critical stuff) quickly, once there are resources.

So these are just some thoughts on infrastructure. Could this be realised? Any other ideas?

--
Best regards

Mario Lipinski
Board member,                       E-Mail: mario AT cacert.org
Organisation Assurer (Germany),     Internet: http://www.cacert.org
Wiki/Issue admin
CAcert

Support CAcert: http://www.cacert.org/index.php?id=13
                http://wiki.cacert.org/wiki/HelpingCAcert

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature



