[ocaml-infra] Setting up a host "infra.ocaml.org"

Anil Madhavapeddy anil at recoil.org
Sun Jan 5 14:05:07 GMT 2014


On Tue, Oct 15, 2013 at 12:38:41PM +0200, Sylvain Le Gall wrote:
> 2013/10/15 Anil Madhavapeddy <anil at recoil.org>:
> > I agree -- I'd like to have a small host for nothing but password and key
> > information, and use that to bounce off to all the other infrastructure
> > hosts.  If possible, it would be good not to have any customisation on
> > there at all (or indeed, Internet-facing web services such as admin
> > panels) -- could you host those on another VM?
> 
> Yes, that was the purpose of my request. I want to have it in another VM.
> Given the fact that it will be almost no admin, it would be easy to
> set up and just create a Debian repository there.
> 
> I do not want to share the forge.ocaml.org or ssh.ocaml.org VM, because it
> will be too sensitive. This is the reason for my request; you will
> probably have to set up a VM for those specifically (add my SSH keys
> that I have sent you for setting up forge.o.o and ssh.o.o).

I'm getting around to creating this VM now, and am looking around for a
good way to encrypt the passwords held on the virtual machine.  I notice
several candidates in OPAM that might work.

Yaron: this might be a mad idea, but should we run SKS and use GPG to
encrypt the keys, so that anyone we add to a ring would get access to the
infrastructure machines?  Do you know anyone else that uses SKS to help
with such sysadmin tasks?

-anil
> 
> >
> > Rackspace has a nice facility for setting up internal networks, so we
> > could run SSH on other services only exposed to this bounce box.
> >
> > -anil
> >
> > On Tue, Oct 15, 2013 at 11:27:52AM +0200, Sylvain Le Gall wrote:
> >> Hi all,
> >>
> >> TL;DR I would like to create an isolated host infra.ocaml.org that
> >> contains at least a Debian repository.
> >>
> >> I am considering what needs to be done to migrate and improve forge.o.o
> >> (right now forge.ocamlcore.org, tomorrow forge.ocaml.org).
> >>
> >> One of the things that is "extremely" useful is to have a central,
> >> secured host holding a data repository for all other hosts. In my
> >> current "home" installation, I have one host that contains, for
> >> example, my personal Debian repository. This repository contains
> >> Debian packages that need to be installed on every other host and I
> >> use it to distribute home-made programs across all hosts using the
> >> standard Debian apt-get scheme. This may also contain some admin
> >> panel/monitoring tools. This host is particular because it should be
> >> extra protected against attack, since compromising this host can lead
> >> to compromising all other hosts. In other words you should not use it
> >> for public facing products.
> >>
> >> Right now, the forge.o.o repository is hosted on the forge.o.o itself
> >> (but it doesn't distribute data to any other hosts).
> >>
> >> We may also use a private/public github account to store the
> >> repository, if it makes more sense to you. But in this case, we will
> >> need to figure out how to GPG sign the release file.
> >>
> >> Here are my questions:
> >> - what would you prefer: dedicated host, public github or private
> >> github (less infra disclosure, less possible attack)?
> >> - would this kind of central repository be used on other .ocaml.org hosts?
> >> - in case you prefer a host: Anil, can you set up a small instance (1CPU,
> >> 3GB DD, 512MB RAM)?
> >> - in case you prefer a github repository: am I allowed to create a
> >> private/public github repository on ocaml.org?
> >> - I will inject some fusionforge packages + custom scripts packages;
> >> OCaml Labs/OCamlPro people, do you have some packages to inject as well?
> >>
> >> Regards
> >> Sylvain
> >> _______________________________________________
> >> Infrastructure mailing list
> >> Infrastructure at lists.ocaml.org
> >> http://lists.ocaml.org/listinfo/infrastructure
> >>
> >
> > --
> > Anil Madhavapeddy                                 http://anil.recoil.org
> > _______________________________________________
> > Infrastructure mailing list
> > Infrastructure at lists.ocaml.org
> > http://lists.ocaml.org/listinfo/infrastructure
> 

-- 
Anil Madhavapeddy                                 http://anil.recoil.org
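As an added example (not code from this thread): how the central Debian repository Sylvain describes ties apt's trust to a single GPG signature, written in Python. It builds the Release file's SHA256 index that apt checks every Packages file against, shows that check failing once a listed file is altered, and wraps the gpg calls that produce Release.gpg and InRelease; the key id, the origin/suite/codename values and the constructed temporary repository are assumptions.

```python
import hashlib, subprocess, tempfile
from pathlib import Path

def build_release(dist_dir, origin, suite, codename, components, archs):
    """Text of an apt Release file for a dists/<codename>/ tree. apt trusts each
    Packages file only through its hash line here, and this file only through
    its GPG signature, so one signature covers the whole repository."""
    dist, rows = Path(dist_dir), []
    for path in sorted(p for p in dist.rglob("*") if p.is_file()):
        rel = path.relative_to(dist).as_posix()
        if rel not in ("Release", "Release.gpg", "InRelease"):
            data = path.read_bytes()
            rows.append((hashlib.sha256(data).hexdigest(), len(data), rel))
    lines = [f"Origin: {origin}", f"Suite: {suite}", f"Codename: {codename}",
             f"Architectures: {' '.join(archs)}",
             f"Components: {' '.join(components)}", "SHA256:"]
    lines += [f" {sha} {size:>8} {rel}" for sha, size, rel in rows]
    return "\n".join(lines) + "\n"

def listed_sha256(release_text, rel):
    """Hash recorded for rel in the SHA256 section, or None if not listed."""
    for line in release_text.partition("SHA256:\n")[2].splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == rel:
            return parts[0]
    return None

def file_matches_release(dist_dir, release_text, rel):
    """The check apt performs: the file on disk must hash to the listed value."""
    actual = hashlib.sha256((Path(dist_dir) / rel).read_bytes()).hexdigest()
    return actual == listed_sha256(release_text, rel)

def sign_release(dist_dir, key_id):
    """Write Release.gpg (detached) and InRelease (clearsigned) with gpg. Needs
    gpg and the private key on the host; key_id is an assumption. Not run by demo."""
    dist = Path(dist_dir)
    for flag, out in (("--detach-sign", "Release.gpg"), ("--clearsign", "InRelease")):
        subprocess.run(["gpg", "--default-key", key_id, "--armor", flag, "--output",
                        str(dist / out), str(dist / "Release")], check=True)

def demo():
    """Constructed repo: build Release, verify Packages, alter it, check again."""
    with tempfile.TemporaryDirectory() as tmp:
        pkgs = Path(tmp) / "main" / "binary-amd64"
        pkgs.mkdir(parents=True)
        (pkgs / "Packages").write_text("Package: forge-scripts\nVersion: 0.1\n")
        text = build_release(tmp, "infra.ocaml.org", "stable", "wheezy", ["main"], ["amd64"])
        rel = "main/binary-amd64/Packages"
        ok = file_matches_release(tmp, text, rel)
        (pkgs / "Packages").write_text("Package: forge-scripts\nVersion: 0.2\n")
        return text, ok, file_matches_release(tmp, text, rel)
```

Sign the Release with a key whose public half is installed in apt's trusted keyring on every consuming host; the hash index is only as trustworthy as that signature.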

