cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Jan Dittberner <jandd AT cacert.org>
- To: Mario Lipinski <mario AT cacert.org>
- Cc: cacert-sysadm AT lists.cacert.org
- Subject: Re: SVN setup on infra01 (nearly) completed
- Date: Tue, 19 Apr 2011 22:00:03 +0200
On Mon, Apr 18, 2011 at 09:31:50PM -0700, Mario Lipinski wrote:
> Hi Jan,
>
> good work!
>
> Just some small comments and suggestions.
>
> On 2011-04-18 15:11, Jan Dittberner wrote:
> > on infra01. I'd also like to know whether it is ok to publish the
> > documentation or whether some of the information should not be
> > disclosed.
>
> Yes. Documentation SHOULD be published. I would prefer wiki pages to
> PDF. But you could also just upload them to the wiki. But that makes it
> harder to maintain for others.
> See https://wiki.cacert.org/SystemAdministration/Systems
I create the PDF from reStructuredText (ReST), including the actual
configuration files. I would like to put these in SVN
(https://svn.cacert.org/CAcert/Sysadm/ where I already put the client
certificate guide). I don't know whether there is an easy way to create valid
Wiki markup and include (ideally syntax highlighted) configuration files. Does
the Wiki have some remote API (SOAP, REST, ...) to automatically update Wiki
pages?
> > I attach the LXC container setup script and my infra01 specific ini file.
>
> I do not understand much python. So just two simple questions: Why exim?
> I'd prefer Postfix. I don't know what is widely used with CAcert on
> every single VM, but I think we mostly run Postfix. Especially on the
> mail servers. So going with the same everywhere, might make sense.
I don't have much knowledge of Postfix but have known Exim quite well for many
years. I use it on some production systems and current work projects, and it
has been the Debian default MTA for ages. I will evaluate whether I can
automatically configure Postfix in a similar way using debconf and will
evaluate an MTA change if it is easily possible.
> And why not using a mirror like ftp.nl.debian.org - might be more stable
> against future changes (OK, this is really a minor issue).
The mirror was configured on existing hosts and I just took it from there
because I thought some previous admin had a reason to choose it. I can easily
change this in the .ini file.
> > The documentation for the infra01 changes and the SVN LXC container is
> > available at [2] and [3] (because of message size limits on
> > lists.cacert.org).
>
> I think it would make sense to create some methods for adding firewall
> rules for VMs. Sth. like &NAT_CONTAINER(name, INT_IP, EXT_IP, proto,
> service), &CONTAINER(name, INT_IP, proto, service) and maybe also for
> adding single rules for in and out traffic.
> Also we might think about filtering outgoing traffic from the host and
> be more restrictive with outgoing traffic in general (target hosts).
I already thought about this. Ferm allows functions and maybe I can use these
in combination with some more code.
> > If I get no negative feedback until next Sunday (April 24th), I will
> > set the existing SVN repository read only, perform a last
> > synchronization of the SVN repository and switch to the new container.
>
> sounds good.
Fine :-) Thanks for your feedback.
Kind Regards,
Jan
--
Jan Dittberner - CAcert Infrastructure Team
GPG-key: 4096R/558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
http://www.dittberner.info/
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
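The container firewall helpers Mario suggests above (&NAT_CONTAINER, &CONTAINER) and the restrictive-egress idea, sketched as an added example in ferm's `@def &NAME(...)` function syntax. This is not code from the thread or from CAcert's infra01 ruleset: the interface names, addresses, the container network, the `&CONTAINER_OUT` helper and all call values are constructed placeholders.

```ferm
# Added example, not part of the thread. Helper functions for a ferm ruleset
# on an LXC host. All names and addresses below are constructed placeholders.

@def $EXT_IF  = eth0;           # assumed: host's external interface
@def $CT_IF   = lxcbr0;         # assumed: bridge the containers hang off
@def $CT_NET  = 10.0.3.0/24;    # constructed: container network

# Service on a container reachable from the container/host side only (no NAT).
# The "mod comment" tag records which container owns the rule, so
# "iptables -L -v -n" shows provenance when the ruleset is audited.
@def &CONTAINER($name, $int_ip, $proto, $service) = {
    chain FORWARD outerface $CT_IF daddr $int_ip proto $proto dport $service
        mod comment comment "ct:$name" ACCEPT;
}

# Container service published on one of the host's external addresses:
# DNAT the external address, then explicitly allow the forwarded flow.
@def &NAT_CONTAINER($name, $int_ip, $ext_ip, $proto, $service) = {
    table nat chain PREROUTING interface $EXT_IF daddr $ext_ip
        proto $proto dport $service
        mod comment comment "ct:$name" DNAT to $int_ip;
    chain FORWARD interface $EXT_IF outerface $CT_IF daddr $int_ip
        proto $proto dport $service
        mod comment comment "ct:$name" ACCEPT;
}

# Explicit outbound allowance per container and destination, so FORWARD can
# default to DROP and container egress is limited to named target hosts.
@def &CONTAINER_OUT($name, $int_ip, $proto, $daddr, $service) = {
    chain FORWARD interface $CT_IF saddr $int_ip daddr $daddr
        proto $proto dport $service
        mod comment comment "ct:$name out" ACCEPT;
}

table filter {
    chain INPUT {
        policy DROP;
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        interface lo ACCEPT;
        proto tcp dport ssh ACCEPT;
    }
    chain FORWARD {
        policy DROP;
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        # per-container ACCEPT rules from the helpers are appended after this
    }
    chain OUTPUT {
        policy ACCEPT;
    }
}

# Container egress leaves the host masqueraded behind the external interface.
table nat chain POSTROUTING outerface $EXT_IF saddr $CT_NET MASQUERADE;

# Constructed calls: an "svn" container gets HTTPS published on an external
# address, SSH only from the bridge side, and may only talk out to the
# Debian mirror (HTTP) and the host's resolver (DNS).
&NAT_CONTAINER(svn, 10.0.3.10, 192.0.2.10, tcp, https);
&CONTAINER(svn, 10.0.3.10, tcp, ssh);
&CONTAINER_OUT(svn, 10.0.3.10, tcp, ftp.nl.debian.org, http);
&CONTAINER_OUT(svn, 10.0.3.10, udp, 10.0.3.1, domain);
```

Running `ferm --noexec --lines /etc/ferm/ferm.conf` prints the generated iptables commands without applying them, which is the place to check that each helper call expands to exactly the PREROUTING and FORWARD rules intended. Two caveats: a hostname given as `daddr` (the mirror above) is resolved once when the ruleset is loaded, so changing the mirror in the .ini file needs a ferm reload to take effect; and because FORWARD defaults to DROP, a container with no `&CONTAINER_OUT` entries has no egress at all, which is the intended failure mode rather than an oversight.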