Integration of LanDB sets in CDB
Vladimír Bahyl, Project ELFms
Project ELFms meeting, 4 July 2005
Outline
- Introduction to LanDB sets
- Integration with CDB
  - LanDB; CDB; CDBSQL point of view
- Users’ requirements
  - CNIC
  - Firewall
- Discussion topics
LanDB sets introduction
- Grouping of nodes based on the IP address
- Created manually using LanDB Web interface
- Used for:
  - Network topology authorisation
  - Firewall configuration
Integration with CDB – LanDB side
- Agreed prefix: “IT CC”
- FIO LanDB sets’ owner: ccservic
Integration with CDB – CDB side
- New field in CDB: "/system/set/it_cc_setname/active" = true
  - Hash with boolean
- Allows:
  - Easy disabling of membership on the machine level
  - Some complicated structures (thanks to Jan van Eldik):
    "/system/set" = if (is_defined(setname)) nlist(setname,nlist("active",true))
Integration with CDB – CDBSQL side
- New view (thanks to Maciej Stepniewski): vwpathnames
  - Contains all CDB paths
  - Not yet periodically updated
- Synchronization script
  - Extracts all sets from CDBSQL
  - Updates LanDB (connecting as user ccservic)
  - Removes unexpected nodes for all sets defined in CDB (removal of sets in the “IT CC” domain is not yet possible)
  - Runs once per day on both LXSERVB* nodes 7am, 2pm
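
The reconciliation the synchronization script performs can be sketched as follows. This is an added example, not the ELFms script: the row layout, the sample nodes and the rule mapping it_cc_lxplus to "IT CC LXPLUS" are assumptions, and it only computes a plan without contacting LanDB.

```python
import re

# Constructed sample rows (node, CDB path, value); the column layout is an assumption.
CDB_ROWS = [
    ("lxplus001", "/system/set/it_cc_lxplus/active", "true"),
    ("lxplus002", "/system/set/it_cc_lxplus/active", "true"),
    ("lxplus003", "/system/set/it_cc_lxplus/active", "false"),  # membership disabled on the machine
    ("srm01", "/system/set/it_cc_srm/active", "true"),
    ("srm01", "/system/kernel/version", "2.4.21"),  # unrelated path, ignored
]
# Constructed snapshot of current LanDB set membership.
LANDB_SETS = {
    "IT CC LXPLUS": {"lxplus001", "lxplus003", "oldnode9"},
    "IT CC TSM": {"tsm01"},  # not defined in CDB, so the plan leaves it untouched
}

SET_PATH = re.compile(r"^/system/set/(it_cc_[a-z0-9_]+)/active$")

def landb_name(cdb_key):
    # Assumed naming rule: it_cc_lxplus -> "IT CC LXPLUS"
    return cdb_key.replace("_", " ").upper()

def desired_sets(rows):
    """Build {LanDB set name: active member nodes} from CDB path rows."""
    sets = {}
    for node, path, value in rows:
        m = SET_PATH.match(path)
        if not m:
            continue
        members = sets.setdefault(landb_name(m.group(1)), set())
        if value == "true":
            members.add(node)
    return sets

def plan(rows, landb):
    """Per set defined in CDB, return (nodes to add, unexpected nodes to remove)."""
    out = {}
    for name, want in desired_sets(rows).items():
        have = landb.get(name, set())
        out[name] = (sorted(want - have), sorted(have - want))
    return out

if __name__ == "__main__":
    for name, (add, remove) in plan(CDB_ROWS, LANDB_SETS).items():
        print(name, "add:", add, "remove:", remove)
```

A node whose "active" flag is false is treated like any other unexpected member, so it is dropped from the set at the next run.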
CNIC requirements 1/2
- Technical network General Purpose network access restrictions
- List of FIO services they need to trust (provided by Stefan Lüders):
  - AFS
  - AFS Kerberos (separated from AFS)
  - CASTOR (!)
    - Split into small groups would be appreciated
  - LinuxFC (?)
  - TSM
- Other sets will be: CA, CMF, CVS, DB, DIP, DFS, LDAP, License, Network, Printing, SMTP/CERNMX, WTS
  - Some of these are defined in CDB, some are not …
CNIC requirements 2/2
- Keep it minimal = production servers only!
- Timeline: autumn 2006
- Important: However, having the sets ready earlier allows us to properly move from the current situation to the new sets. These sets do not necessarily have to be automatically updated, you might do it manually in the first instance. Important to us is that a set always contains all relevant production servers such that the technical network remains functioning.
Computer Security requirements
- Firewall configuration
- Example – open port in the CERN firewall:
  - For “IT CC LXPLUS” – port = 22/TCP
  - For “IT CC SRM” – port = 8443/TCP
- Grouping of nodes preferably by service/functionality, not by the port!
  - I.e.: “IT CC LXPLUS” is OK, “IT CC SSH” is NOT OK
- Concentrate only on those groups of nodes where there is high fluctuation of machines
  - I.e. do not care about 1 special server here and there, that will be done by hand
- Keep it minimal = production servers only!
Discussion topics
- What nodes to group?
  - Only those that asked for?
- How to do it?
  - Per cluster or per application/service?
  - Example: various MySQL servers across several experiments
- What to do with non-FIO nodes in CDB?