LanDB-CDB-Sets - Indico

Integration of LanDB sets in CDB
Vladimír Bahyl
Project ELFms
[email protected]
Outline
- Introduction to LanDB sets
- Integration with CDB
  - LanDB, CDB and CDBSQL points of view
- Users' requirements
  - CNIC
  - Firewall
- Discussion topics
4 July 2005
Project ELFms meeting
2
LanDB sets introduction
- Grouping of nodes based on the IP address
- Created manually using the LanDB Web interface
- Used for:
  - Network topology authorisation
  - Firewall configuration
Integration with CDB – LanDB side
- Agreed prefix: "IT CC"
- FIO LanDB sets' owner: ccservic
Integration with CDB – CDB side
- New field in CDB:

    "/system/set/it_cc_setname/active" = true

- Hash with boolean
- Allows:
  - Easy disabling of membership on the machine level
  - Some complicated structures (thanks to Jan van Eldik):

    "/system/set" = if (is_defined(setname)) nlist(setname,nlist("active",true))
Integration with CDB – CDBSQL side
- New view (thanks to Maciej Stepniewski): vwpathnames
  - Contains all CDB paths
  - Not yet periodically updated
- Synchronization script
  - Extracts all sets from CDBSQL
  - Updates LanDB (connecting as user ccservic)
  - Removes unexpected nodes for all sets defined in CDB
    (removal of sets in the "IT CC" domain is not yet possible)
  - Runs once per day on both LXSERVB* nodes (7am, 2pm)
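The synchronization script is only sketched above, so here is an added example (not the ELFms project's own script) of its reconciliation step: it reads set membership out of CDB paths of the form shown on the previous slide, compares it with the current LanDB membership and returns what to add and which unexpected nodes to remove, leaving sets that exist only in LanDB alone. The (profile, path, value) row shape, the membership dict, and the mapping of the key `it_cc_<name>` to the LanDB set "IT CC <NAME>" are assumptions, not details from the slides.

```python
"""Added example, not the ELFms project's own script: reconcile LanDB set
membership from CDB paths the way the synchronization slide describes.
Assumed (not from the slides): vwpathnames rows modelled as (profile, path,
value) tuples, LanDB membership as {set name: {hosts}}, and the CDB key
it_cc_<name> mapping to the LanDB set "IT CC <NAME>"."""
SET_PREFIX = "/system/set/"   # CDB subtree holding set membership
LANDB_PREFIX = "IT CC"        # agreed prefix for FIO-owned LanDB sets

def landb_set_name(cdb_key):
    """Map a CDB hash key such as it_cc_lxplus to the LanDB name IT CC LXPLUS."""
    if not cdb_key.startswith("it_cc_"):
        raise ValueError(f"not an IT CC set key: {cdb_key}")
    return f"{LANDB_PREFIX} {cdb_key[len('it_cc_'):].upper()}"

def desired_membership(rows):
    """Build {landb set: {hosts}} from (profile, path, value) rows. Only
    /system/set/<key>/active paths count; active = false keeps the set known
    but disables membership on the machine level."""
    wanted = {}
    for profile, path, value in rows:
        if not path.startswith(SET_PREFIX):
            continue
        parts = path[len(SET_PREFIX):].split("/")
        if len(parts) != 2 or parts[1] != "active":
            continue
        members = wanted.setdefault(landb_set_name(parts[0]), set())
        if value is True:
            members.add(profile)
    return wanted

def plan_sync(wanted, current):
    """Diff desired vs. current LanDB membership into (to_add, to_remove).
    Unexpected nodes in a CDB-defined set are removed; sets that exist only
    in LanDB are left alone, since removing IT CC sets is not possible."""
    to_add, to_remove = {}, {}
    for name, hosts in wanted.items():
        have = current.get(name, set())
        if hosts - have:
            to_add[name] = sorted(hosts - have)
        if have - hosts:
            to_remove[name] = sorted(have - hosts)
    return to_add, to_remove

# Constructed sample data, not real CDB or LanDB content.
SAMPLE_ROWS = [
    ("lxplus001", "/system/set/it_cc_lxplus/active", True),
    ("lxplus002", "/system/set/it_cc_lxplus/active", True),
    ("lxplus003", "/system/set/it_cc_lxplus/active", False),  # disabled on the node
    ("srm01", "/system/set/it_cc_srm/active", True),
    ("lxplus001", "/system/cluster/name", "lxplus"),  # unrelated CDB path, ignored
]
SAMPLE_LANDB = {"IT CC LXPLUS": {"lxplus002", "lxplus003", "oldbox"}, "IT CC OLD": {"legacy1"}}
```

Calling `plan_sync(desired_membership(SAMPLE_ROWS), SAMPLE_LANDB)` yields the hosts to add per set and the unexpected hosts to remove; "IT CC OLD" is untouched because it is not defined in CDB.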
CNIC requirements 1/2
- Technical network / General Purpose network access restrictions
- List of FIO services they need to trust (provided by Stefan Lüders):
  - AFS
  - AFS Kerberos (separated from AFS)
  - CASTOR (!) – split into small groups would be appreciated
  - LinuxFC (?)
  - TSM
- Other sets will be: CA, CMF, CVS, DB, DIP, DFS, LDAP, License, Network, Printing, SMTP/CERNMX, WTS
  - Some of these are defined in CDB, some are not …
CNIC requirements 2/2
- Keep it minimal = production servers only!
- Timeline: autumn 2006
- Important: "However, having the sets ready earlier allows us to properly move from the current situation to the new sets. These sets do not necessarily have to be automatically updated, you might do it manually in the first instance. Important to us is that a set always contains all relevant production servers such that the technical network remains functioning."
Computer Security requirements
- Firewall configuration
  - Example – open port in the CERN firewall:
    - For "IT CC LXPLUS" – port = 22/TCP
    - For "IT CC SRM" – port = 8443/TCP
- Grouping of nodes preferably by service/functionality, not by the port!
  - I.e.: "IT CC LXPLUS" is OK, "IT CC SSH" is NOT OK
- Concentrate only on those groups of nodes where there is high fluctuation of machines
  - I.e. do not care about 1 special server here and there, that will be done by hand
- Keep it minimal = production servers only!
Discussion topics
- What nodes to group?
  - Only those that asked for?
- How to do it?
  - Per cluster or per application/service?
  - Example: various MySQL servers across several experiments
- What to do with non-FIO nodes in CDB?
Thank you
[email protected]
http://cern.ch/vlado