[ocaml-infra] Setting up a host "infra.ocaml.org"

Sylvain Le Gall sylvain at le-gall.net
Tue Oct 15 11:38:41 BST 2013


2013/10/15 Anil Madhavapeddy <anil at recoil.org>:
> I agree -- I'd like to have a small host for nothing but password and key
> information, and use that to bounce off to all the other infrastructure
> hosts.  If possible, it would be good not to have any customisation on
> there at all (or indeed, Internet-facing web services such as admin
> panels) -- could you host those on another VM?

Yes, that was the purpose of my request. I want to have it in another VM.
Given the fact that it will be almost no admin, it would be easy to
set up and just create a Debian repository there.

I do not want to share forge.ocaml.org or ssh.ocaml.org VM, because it
will be too sensitive. This is the reason for my request, you will
probably have to set up a VM for those specifically (add my SSH keys
that I have sent you for setting up forge.o.o and ssh.o.o).

>
> Rackspace has a nice facility for setting up internal networks, so we
> could run SSH on other services only exposed to this bounce box.
>
> -anil
>
> On Tue, Oct 15, 2013 at 11:27:52AM +0200, Sylvain Le Gall wrote:
>> Hi all,
>>
>> TL;DR I would like to create an isolated host infra.ocaml.org that
>> contains at least a Debian repository.
>>
>> I am considering what needs to be done to migrate and improve forge.o.o
>> (right now forge.ocamlcore.org, tomorrow forge.ocaml.org).
>>
>> One of the things that is "extremely" useful is to have a central,
>> secured host holding a data repository for all other hosts. In my
>> current "home" installation, I have one host that contains for
>> example my personal Debian repository. This repository contains
>> Debian packages that need to be installed on every other host and I
>> use it to distribute home-made programs across all hosts using the
>> standard Debian apt-get scheme. This may also contain some admin
>> panel/monitoring tools. The host is particular because it should be
>> extra protected against attack, since compromising this host can lead
>> to the compromise of all other hosts. In other words you should not use it
>> for public facing products.
>>
>> Right now, the forge.o.o repository is hosted on the forge.o.o itself
>> (but it doesn't distribute data to any other hosts).
>>
>> We may also use a private/public github account to store the
>> repository, if it makes more sense to you. But in this case, we will
>> need to figure out how to GPG sign the release file.
>>
>> Here are my questions:
>> - what would you prefer: dedicated host or public github or private
>> github (less infra disclosure, less possible attack)
>> - would this kind of central repository be used on other .ocaml.org hosts?
>> - in case you prefer a host: Anil can you set up a small instance (1CPU,
>> 3GB DD, 512MB RAM)
>> - in case you prefer a github repository: Am I allowed to create a
>> private/public github repository on ocaml.org?
>> - I will inject some fusionforge packages + custom scripts packages,
>> OCaml Labs/OCamlPro people do you have some packages to inject as well?
>>
>> Regards
>> Sylvain
>> _______________________________________________
>> Infrastructure mailing list
>> Infrastructure at lists.ocaml.org
>> http://lists.ocaml.org/listinfo/infrastructure
>>
>
> --
> Anil Madhavapeddy                                 http://anil.recoil.org

