[ocaml-infra] Setting up a host "infra.ocaml.org"

Anil Madhavapeddy anil at recoil.org
Tue Oct 15 11:05:06 BST 2013


I agree -- I'd like to have a small host for nothing but password and key
information, and use that to bounce off to all the other infrastructure
hosts.  If possible, it would be good not to have any customisation on
there at all (or indeed, Internet-facing web services such as admin
panels) -- could you host those on another VM?

Rackspace has a nice facility for setting up internal networks, so we
could run SSH on other services only exposed to this bounce box.

-anil

On Tue, Oct 15, 2013 at 11:27:52AM +0200, Sylvain Le Gall wrote:
> Hi all,
> 
> TL;DR I would like to create an isolated host infra.ocaml.org that
> contains at least a Debian repository.
> 
> I am considering what needs to be done to migrate and improve forge.o.o
> (right now forge.ocamlcore.org, tomorrow forge.ocaml.org).
> 
> One of the things that is "extremely" useful is to have a central,
> secured host holding a data repository for all other hosts. In my
> current "home" installation, I have one host that contains, for
> example, my personal Debian repository. This repository contains
> Debian packages that need to be installed on every other host and I
> use it to distribute home-made programs across all hosts using the
> standard Debian apt-get scheme. This may also contain some admin
> panel/monitoring tools. The host is particular because it should be
> extra protected against attack, since compromising this host can lead
> to compromising all other hosts. In other words you should not use it
> for public facing products.
> 
> Right now, the forge.o.o repository is hosted on the forge.o.o itself
> (but it doesn't distribute data to any other hosts).
> 
> We may also use a private/public github account to store the
> repository, if it makes more sense to you. But in this case, we will
> need to figure out how to GPG sign the release file.
> 
> Here are my questions:
> - what would you prefer: dedicated hosts or public github or private
> github (less infra disclosure, less possible attack)
> - would this kind of central repository be used on other .ocaml.org hosts?
> - in case you prefer a host: Anil can you set up a small instance (1CPU,
> 3GB DD, 512MB RAM)
> - in case you prefer a github repository: Am I allowed to create a
> private/public github repository on ocaml.org ?
> - I will inject some fusionforge packages + custom scripts packages,
> OCaml Labs/OCamlPro people do you have some packages to inject as well?
> 
> Regards
> Sylvain

-- 
Anil Madhavapeddy                                 http://anil.recoil.org

