[H-SASIG] Proposed changes to Excalibur
Russell Stuart
russell-humbug at stuart.id.au
Sun Nov 29 19:08:45 EST 2009
Below are some proposed changes to our Excalibur setup. If you have
comments reply ASAP, as silence will be taken as agreement with the
proposed changes.
Most of these changes will be transparent. One won't. Unless there are
objections posted here, sshd will be moved to port 24 some time next
weekend (probably on 5-Dec-2009). Consider this your official notice of
the change. Unless you are interested in the minutiae of the changes,
you can safely stop reading now.
1. Moving Excalibur.
Currently Excalibur is hosted on a Linode machine which is being paid
for by a Humbug member. Netbox Blue has offered to host Excalibur for
free. The plan was to move Excalibur onto the new VM offered by Netbox
Blue some time ago, but this has hit some administrative snags on the
Netbox Blue end and so hasn't happened yet.
In the meantime we have been offered another temporary host by Stephen
Thorne (our man in Netbox Blue). It is actually the VM used at one
stage by this year's OSDC. It is also a Linode box, as it happens.
Stephen can't give us total control of this machine, but we can run as a
chroot inside of it. We (myself and Stephen Thomas, Humbug's
librarian/SysAdmin head honcho) believe the only externally visible
change for most users (including the sysadmins) will be the sshd one.
The downsides of doing a move to a temporary machine are we have to do
it twice, and a chroot environment requires some tweaks. Stephen and I
have already done the tweaks we think are needed (see below), and tested
them by pointing DNS entries at the new chroot environment and verifying
it looks like the current Excalibur. From my point of view, doing it is
the only way to test the backup system, and the sooner that gets a real
test the better.
The rest of the points below cover things that have to happen to
facilitate this move.
2. SSH port
The only service that runs on the OSDC VM that clashes with the current
Excalibur is sshd. The easy fix for this is to move it to a different
port. This is actually a good thing to do in itself for security
reasons. I am planning to move the current Excalibur sshd to port
24 next weekend. Thus, assuming there aren't howls of protest here, you
will need "ssh -p 24" to connect to Excalibur as of next weekend.
Also notice this won't work from within a Humbug meeting.
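Added example (not Excalibur's actual configuration): one way to do the port move without locking yourself out is to let sshd listen on both ports during the cutover, confirm "ssh -p 24" works from outside, and only then drop the old port. The client-side entry saves typing "-p 24" every time. The hostname is a placeholder, since the post does not give Excalibur's DNS name.

```conf
# --- /etc/ssh/sshd_config (server side) ---
# Both ports during the cutover week; remove "Port 22" once port 24
# is confirmed reachable. Check with "sshd -t" before restarting sshd,
# and keep your current session open until a new one on port 24 works.
Port 22
Port 24

# --- ~/.ssh/config (client side), so "ssh excalibur" uses port 24 ---
Host excalibur
    # placeholder: substitute Excalibur's real hostname or address
    HostName excalibur.example.humbug.org.au
    Port 24
```

OpenSSH accepts multiple Port lines in sshd_config; any firewall in front of the box needs port 24 opened at the same time, and the meeting-venue restriction above is exactly this kind of outbound filtering.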
3. DNS Changes.
Humbug.org.au's registrar is www.enetica.com.au. Currently our DNS
servers are Excalibur itself (the primary) and cartman.pipegrep.com.au,
a secondary kindly provided by Humbug's immediate past president James
Iseppi. Humbug doesn't have direct control of cartman.pipegrep and so
if something has to be done quickly and James is unavailable things can
get awkward. The plan is to use a free DNS service such as
www.zoneedit.com to add secondaries we do control. I have contacted
James about this, and he seems happy with the proposed change.
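Added example, not Excalibur's real DNS configuration: if Excalibur's primary is BIND (an assumption; the post does not name the software), adding secondaries you control comes down to telling the primary which addresses may pull the zone and which to notify on change. The addresses below are placeholders.

```conf
// /etc/bind/named.conf.local (hypothetical path) on the primary
zone "humbug.org.au" {
    type master;
    file "/etc/bind/db.humbug.org.au";

    // Weak setting: allow-transfer { any; }; lets anyone download the
    // whole zone. Restrict AXFR to the secondaries you actually run.
    allow-transfer { 203.0.113.10; 203.0.113.11; };   // placeholder secondary IPs
    also-notify    { 203.0.113.10; 203.0.113.11; };   // push NOTIFY on serial bump
    notify yes;
};
```

After reloading, "named-checkconf" validates the syntax and "dig @203.0.113.10 humbug.org.au SOA" on each secondary should return the same serial as the primary; the registrar's NS records are only updated once every secondary answers correctly.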
4. Changes for running in a chroot.
Since Excalibur will be running in a chroot, the normal boot process
(kernel, init, rcS, etc.) is not run. Stephen has written replacements
which you can find on the current Excalibur under /usr/local/sbin. There
are two scripts in this replacement:
humbug-host-initd.sh
The real VM contains symlinks to this script from /etc/init.d
and /etc/rc[1-6].d. In other words it is a boot script run by
the chroot host that starts the chroot on boot up. Thus
"humbug-host-initd.sh start" starts the Excalibur chroot, and
"humbug-host-initd.sh stop" stops it. Its jobs are:
-- mount /dev/pts, /proc, and /sys file systems in what will
become the chroot'ed environment.
-- Do the chroot, and run in-chroot-startup.sh
in-chroot-startup.sh
This is the part of the boot up that runs inside of the chroot.
It just starts a series of hand picked services in the
chroot's /etc/init.d.
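Added example, not the humbug-host-initd.sh on Excalibur: a minimal host-side script doing the same two jobs (mount the pseudo filesystems, then chroot and run the in-chroot startup script), with the checks a repeated start or a mistyped path would otherwise need. Assumptions: the chroot root is $CHROOT (default /srv/excalibur), and in-chroot-startup.sh inside it accepts "start" and "stop". DRY_RUN=1 prints the privileged commands instead of running them, which is how it can be exercised without root.

```shell
#!/bin/sh
# Added example, not the scripts on Excalibur. Hypothetical assumptions:
#   - the chroot lives at $CHROOT (default /srv/excalibur)
#   - inside it, /usr/local/sbin/in-chroot-startup.sh takes "start" / "stop"
# DRY_RUN=1 echoes the privileged commands instead of executing them.

CHROOT="${CHROOT:-/srv/excalibur}"
IN_CHROOT_START="/usr/local/sbin/in-chroot-startup.sh"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute CMD, or only echo it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# is_mounted DIR: true when DIR is currently a mount point (from /proc/mounts)
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' /proc/mounts
}

# check_chroot ROOT: refuse to chroot into anything that is not a populated root
check_chroot() {
    [ -d "$1/etc" ] && [ -x "$1$IN_CHROOT_START" ]
}

# mount_pseudo ROOT: mount /proc, /sys and /dev/pts under ROOT, skipping any
# that are already mounted so a repeated "start" does not stack mounts
mount_pseudo() {
    root="$1"
    for spec in "proc proc /proc" "sysfs sysfs /sys" "devpts devpts /dev/pts"; do
        set -- $spec                      # $1=fstype $2=source $3=path
        target="$root$3"
        [ -d "$target" ] || run mkdir -p "$target"
        if [ "$DRY_RUN" = 1 ] || ! is_mounted "$target"; then
            run mount -t "$1" "$2" "$target"
        fi
    done
}

# umount_pseudo ROOT: unmount in the reverse order of mount_pseudo
umount_pseudo() {
    root="$1"
    for path in /dev/pts /sys /proc; do
        target="$root$path"
        if [ "$DRY_RUN" = 1 ] || is_mounted "$target"; then
            run umount "$target"
        fi
    done
}

chroot_start() {
    if ! check_chroot "$CHROOT"; then
        echo "$CHROOT: missing /etc or $IN_CHROOT_START, refusing to chroot" >&2
        return 1
    fi
    mount_pseudo "$CHROOT"
    run chroot "$CHROOT" "$IN_CHROOT_START" start
}

chroot_stop() {
    run chroot "$CHROOT" "$IN_CHROOT_START" stop
    umount_pseudo "$CHROOT"
}

# With no argument the script only defines the functions (so it can be sourced).
case "${1:-}" in
    start) chroot_start ;;
    stop)  chroot_stop ;;
    "")    ;;
    *)     echo "usage: $0 {start|stop}" >&2; exit 2 ;;
esac
```

Run as "DRY_RUN=1 sh humbug-host-initd.sh start" to see the command sequence before doing it for real; the check_chroot guard matters because "chroot /" followed by the in-chroot script would happily run the host's own init scripts if $CHROOT were mistyped as empty.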
That's it.