[ocaml-infra] Setting up a host "infra.ocaml.org"

Yaron Minsky yminsky at gmail.com
Sun Jan 5 16:25:34 GMT 2014


I'm not sure what role SKS would play in this, but GPG seems plausible
enough.  That said, I'm more used to people doing this with SSH keys, and I
suspect that's probably an easier and smoother solution.

y


On Sun, Jan 5, 2014 at 9:05 AM, Anil Madhavapeddy <anil at recoil.org> wrote:

> On Tue, Oct 15, 2013 at 12:38:41PM +0200, Sylvain Le Gall wrote:
> > 2013/10/15 Anil Madhavapeddy <anil at recoil.org>:
> > > I agree -- I'd like to have a small host for nothing but password and key
> > > information, and use that to bounce off to all the other infrastructure
> > > hosts.  If possible, it would be good not to have any customisation on
> > > there at all (or indeed, Internet-facing web services such as admin
> > > panels) -- could you host those on another VM?
> >
> > Yes, that was the purpose of my request. I want to have it in another VM.
> > Given the fact that it will need almost no admin, it would be easy to
> > set up and just create a Debian repository there.
> >
> > I do not want to share the forge.ocaml.org or ssh.ocaml.org VM, because it
> > will be too sensitive. This is the reason for my request; you will
> > probably have to set up a VM for those specifically (add my SSH keys
> > that I have sent you for setting up forge.o.o and ssh.o.o).
>
> I'm getting around to creating this VM now, and am looking around for a
> good way to encrypt the passwords held on the virtual machine.  I notice
> several candidates in OPAM that might work.
>
> Yaron: this might be a mad idea, but should we run SKS and use GPG to
> encrypt the keys, so that anyone we add to a ring would get access to the
> infrastructure machines?  Do you know anyone else that uses SKS to help
> with such sysadmin tasks?
>
> -anil
>
> > >
> > > Rackspace has a nice facility for setting up internal networks, so we
> > > could run SSH on other services only exposed to this bounce box.
> > >
> > > -anil
> > >
> > > On Tue, Oct 15, 2013 at 11:27:52AM +0200, Sylvain Le Gall wrote:
> > >> Hi all,
> > >>
> > >> TL;DR I would like to create an isolated host infra.ocaml.org that
> > >> contains at least a Debian repository.
> > >>
> > >> I am considering what needs to be done to migrate and improve forge.o.o
> > >> (right now forge.ocamlcore.org, tomorrow forge.ocaml.org).
> > >>
> > >> One of the things that is "extremely" useful is to have a central,
> > >> secured host holding a data repository for all other hosts. In my
> > >> current "home" installation, I have one host that contains for
> > >> example my personal Debian repository. This repository contains
> > >> Debian packages that need to be installed on every other host and I
> > >> use it to distribute home-made programs across all hosts using the
> > >> standard Debian apt-get scheme. This may also contain some admin
> > >> panel/monitoring tools. This host is particular because it should be
> > >> extra protected against attack, since compromising this host can lead
> > >> to compromising all other hosts. In other words you should not use it
> > >> for public-facing products.
> > >>
> > >> Right now, the forge.o.o repository is hosted on the forge.o.o itself
> > >> (but it doesn't distribute data to any other hosts).
> > >>
> > >> We may also use a private/public github account to store the
> > >> repository, if it makes more sense to you. But in this case, we will
> > >> need to figure how to GPG sign the release file.
> > >>
> > >> Here are my questions:
> > >> - what would you prefer: dedicated host, or public github, or private
> > >> github (less infra disclosure, less possible attack)?
> > >> - would this kind of central repository be used on other .ocaml.org hosts?
> > >> - in case you prefer a host: Anil, can you set up a small instance (1 CPU,
> > >> 3GB disk, 512MB RAM)?
> > >> - in case you prefer a github repository: am I allowed to create a
> > >> private/public github repository on ocaml.org?
> > >> - I will inject some fusionforge packages + custom scripts packages;
> > >> OCaml Labs/OCamlPro people, do you have some packages to inject as well?
> > >>
> > >> Regards
> > >> Sylvain
> > >> _______________________________________________
> > >> Infrastructure mailing list
> > >> Infrastructure at lists.ocaml.org
> > >> http://lists.ocaml.org/listinfo/infrastructure
> > >>
> > >
> > > --
> > > Anil Madhavapeddy                                 http://anil.recoil.org
> >
>
> --
> Anil Madhavapeddy                                 http://anil.recoil.org
>
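As an added example, not code from this thread or from the ocaml.org infrastructure's own configuration: the key-only bounce host Anil describes (SSH on the other services exposed only to the bounce box, access granted by SSH keys as Yaron suggests), written as a POSIX shell script. It writes a weak and a hardened sshd_config side by side, a client ssh_config stanza that reaches internal hosts only through the bounce box, and a small audit function that reports the effective value of each policy directive and fails when any is missing or wrong. The host alias, the "admin" user, the "infra-admins" group, the key file path and the *.internal.example name are assumptions. ProxyJump needs OpenSSH 7.3 or later; on the 2014-era releases the thread dates from, the equivalent is `ProxyCommand ssh -W %h:%p bounce`.

```shell
#!/bin/sh
# Added example, not code from the thread or the ocaml.org infrastructure.
# Assumptions: the bounce host is infra.ocaml.org, admins log in as "admin"
# with an ed25519 key and belong to the Unix group "infra-admins"; internal
# hosts live under the constructed name *.internal.example.

# Directives a key-only bounce host must carry, as "Directive value" pairs.
REQUIRED_DIRECTIVES="PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no"

# Write two constructed sshd_config samples (weak and hardened) plus a client
# ssh_config stanza into the directory given as $1.
write_sample_configs() {
    cat > "$1/sshd_config.weak" <<'EOF'
# constructed sample: password and root logins still enabled
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
# constructed sample: keys only, one admin group, TCP forwarding kept for jumps
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowGroups infra-admins
AllowTcpForwarding yes
X11Forwarding no
EOF
    cat > "$1/ssh_config.client" <<'EOF'
# constructed client stanza: internal hosts are reached only via the bounce box
Host bounce
    HostName infra.ocaml.org
    User admin
    IdentityFile ~/.ssh/id_ed25519_ocaml
    IdentitiesOnly yes

Host *.internal.example
    ProxyJump bounce
    User admin
    IdentityFile ~/.ssh/id_ed25519_ocaml
    IdentitiesOnly yes
EOF
}

# Print the effective value of directive $1 in file $2, lowercased. sshd
# honours the first occurrence of a keyword and ignores comment lines; any
# directive after a Match line is conditional, so the scan stops there.
sshd_effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# Audit file $1 against REQUIRED_DIRECTIVES. Returns 0 when every directive
# is present with the expected value, 1 otherwise. A directive that is merely
# absent counts as a finding: the policy should be explicit, not a default.
audit_sshd_config() {
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(sshd_effective_value "$key" "$1")
        if [ "$got" != "$want" ]; then
            printf '%s: %s expected %s, got %s\n' "$1" "$key" "$want" "${got:-<unset>}"
            bad=1
        fi
    done <<EOF
$REQUIRED_DIRECTIVES
EOF
    return $bad
}

# Demonstration on the constructed samples: the weak file fails, the hardened
# file passes.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in "$tmp/sshd_config.weak" "$tmp/sshd_config.hardened"; do
    if audit_sshd_config "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
rm -rf "$tmp"
```

The audit deliberately treats an absent directive as a failure: OpenSSH's compiled-in defaults differ between releases, and a bounce host whose whole purpose is to gate access to everything else should state its login policy in the file rather than inherit it. Run `audit_sshd_config /etc/ssh/sshd_config` on the real bounce box after each change to catch a package upgrade that reintroduces password authentication.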