Integration of LanDB sets

in CDB

Vladimír BahylProject ELFms

Vladimir.Bahyl@cern.ch

Project ELFms meeting 24 July 2005

Outline

Introduction to LanDB sets Integration with CDB

LanDB; CDB; CDBSQL point of view Users’ requirements

CNICFirewall

Discussion topics

Project ELFms meeting 34 July 2005

LanDB sets introduction

Grouping of nodes based on the IP address

Created manually using LanDB Web interface

Used for:Network topology authorisationFirewall configuration

Project ELFms meeting 44 July 2005

Integration with CDB – LanDB side

Agreed Prefix: “IT CC” FIO LanDB sets’ owner: ccservic

Project ELFms meeting 54 July 2005

Integration with CDB – CDB side

New field in CDB: "/system/set/it_cc_setname/active" = true

Hash with boolean

Allows:Easy disabling of membership on the machine

levelSome complicated structures (thanks to Jan van Eldik):

"/system/set" = if (is_defined(setname)) nlist(setname,nlist("active",true))

Project ELFms meeting 64 July 2005

Integration with CDB – CDBSQL side

New view (thanks to Maciej Stepniewski): vwpathnames

Contains all CDB paths Not yet periodically updated

Synchronization script Extract all sets from CDBSQL Updates LanDB (connecting as user ccservic)

Removes unexpected nodes for all sets defined in CDB\ (Removal of sets in the “IT CC” domain is not yet possible)

Runs once per day on both LXSERVB* nodes 7am, 2pm

Project ELFms meeting 74 July 2005

CNIC requirements 1/2 Technical network General Purpose network access

restrictions List of FIO services they need to trust (provided by Stefan

Lüders): AFS AFS Kerberos (separated from AFS) CASTOR (!)

Split into small groups would be appreciated LinuxFC (?) TSM

Other sets will be: CA, CMF, CVS, DB, DIP, DFS, LDAP, License, Network,

Printing, SMTP/CERNMX, WTS Some of these are defined in CDB, some are not …

Project ELFms meeting 84 July 2005

CNIC requirements 2/2

Keep it minimal = production servers only! Timeline: autumn 2006 Important: However, having the sets ready

earlier allow us to properly move from the current situation to the new sets. These sets do not necessarily have to be automatically updated, you might do it manually in the first instance. Important to us is that a set contains always all relevant production servers such that the technical network remains functioning.

Project ELFms meeting 94 July 2005

Computer Security requirements

Firewall configuration Example – open port in the CERN firewall:

For “IT CC LXPLUS” – port = 22/TCP For “IT CC SRM” – port = 8443/TCP

Grouping of nodes preferably by service/functionality, not by the port! I.e.: “IT CC LXPLUS” is OK, “IT CC SSH” is NOT OK

Concentrate only on those group of nodes where there is high fluctuation of machines I.e. do not care about 1 special server here and there,

that will be done by hand Keep it minimal = production servers only!

Project ELFms meeting 104 July 2005

Discussion topics

What nodes to group ?Only those that asked for ?How to do it ?

Per cluster or per application/service ? Example: various MySQL servers across several

experiments

What to do with non-FIO nodes in CDB ?

Project ELFms meeting 114 July 2005

Thank you

Vladimir.Bahyl@cern.ch

http://cern.ch/vlado