[H-SASIG] Proposed changes to Excalibur
matt
matheist76 at westnet.com.au
Mon Nov 30 01:30:51 EST 2009
Just a general reply. Sounds good to me.
Matt.
On Mon, 2009-11-30 at 10:08 +1000, Russell Stuart wrote:
> Below are some proposed changes to our Excalibur setup. If you have
> comments reply ASAP, as silence will be taken as agreement with the
> proposed changes.
>
> Most of these changes will be transparent. One won't. Unless there are
> objections posted here, sshd will be moved to port 24 some time next
> weekend (probably on 5-Dec-2009). Consider this your official notice of
> the change. Unless you are interested in the minutiae of the changes,
> you can safely stop reading now.
>
>
> 1. Moving Excalibur.
>
> Currently Excalibur is hosted on a linode machine which is being paid
> for by a Humbug member. Netbox Blue has offered to host Excalibur for
> free. The plan was to move Excalibur onto the new VM offered by Netbox
> Blue some time ago, but this has hit some administrative snags on the
> Netbox Blue end and so hasn't happened yet.
>
> In the mean time we have been offered another temporary host by Stephen
> Thorne (our man in Netbox Blue). It is actually the VM used at one
> stage by this year's OSDC. It is also a linode box, as it happens.
> Stephen can't give us total control of this machine, but we can run as a
> chroot inside of it. We (myself and Stephen Thomas, Humbug's
> librarian/SysAdmin head honcho) believe the only externally visible
> change for most users (including the sysadmins) will be the sshd one.
>
> The downsides of doing a move to a temporary machine are we have to do
> it twice, and a chroot environment requires some tweaks. Stephen and I
> have already done the tweaks we think are needed (see below), and tested
> them by pointing DNS entries at the new chroot environment and verifying
> it looks like the current Excalibur. From my point of view, doing it is
> the only way to test the backup system, and the sooner that gets a real
> test the better.
>
> The rest of the points below cover things that have to happen to
> facilitate this move.
>
>
> 2. Ssh port
>
> The only service that runs on the OSDC that clashes with the current
> Excalibur is sshd. The easy fix for this is to move it to a different
> port. This is actually a good thing to do in itself for security
> reasons. I am planning to move the current Excalibur sshd to port
> 24 next weekend. Thus, assuming there aren't howls of protest here, you
> will need a "ssh -p 24" to connect to Excalibur as of next weekend.
> Also notice this won't work from within a Humbug meeting.
>
>
> 3. DNS Changes.
>
> Humbug.org.au's registrar is www.enetica.com.au. Currently our DNS
> servers are Excalibur itself (the primary) and cartman.pipegrep.com.au,
> a secondary kindly provided by Humbug's immediate past president James
> Iseppi. Humbug doesn't have direct control of cartman.pipegrep and so
> if something has to be done quickly and James is unavailable things can
> get awkward. The plan is to use a free DNS service such as
> www.zoneedit.com to add secondaries we do control. I have contacted
> James about this, and he seems happy with the proposed change.
>
>
> 4. Changes for running in a chroot.
>
> Since Excalibur will be running in a chroot, the normal boot process
> (kernel, init, rcS, etc) is not run. Stephen has written replacements
> which you can find on the current Excalibur under /usr/local/sbin. There
> are two scripts in this replacement:
>
> humbug-host-initd.sh
>
> The real VM contains symlinks to this script from /etc/init.d
> and /etc/rc[1-6].d. In other words it is a boot script run by
> the chroot host that starts the chroot host on boot up. Thus
> "humbug-host-initd.sh start" starts the Excalibur chroot, and
> "humbug-host-initd.sh stop" stops it. Its jobs are:
>
> -- mount /dev/pts, /proc, and /sys file systems in what will
> become the chroot'ed environment.
> -- Do the chroot, and run in-chroot-startup.sh
>
> in-chroot-startup.sh
>
> This is the part of the boot up that runs inside of the chroot.
> It just starts a series of hand picked services in the
> chroot's /etc/init.d.
>
> That's it.
>
> _______________________________________________
> Sasig mailing list
> Sasig at lists.humbug.org.au
> http://lists.humbug.org.au/mailman/listinfo/sasig
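The host-side boot script described in point 4 of the quoted message, written out as an added example (editor's code, not the humbug-host-initd.sh that lives on Excalibur). It assumes the chroot sits at CHROOT_DIR, the in-chroot script is /usr/local/sbin/in-chroot-startup.sh, and CHROOT_DRY_RUN=1 prints the commands instead of running them so it can be read through without root.

```shell
#!/bin/sh
# Added example, not the Excalibur script: a host-side init script in the
# style of humbug-host-initd.sh. Assumptions: the chroot is at CHROOT_DIR,
# the in-chroot script is /usr/local/sbin/in-chroot-startup.sh, and
# CHROOT_DRY_RUN=1 prints the commands instead of running them.
CHROOT_DIR="${CHROOT_DIR:-/srv/excalibur}"
IN_CHROOT_START="/usr/local/sbin/in-chroot-startup.sh"
# fstype:mountpoint pairs, in the order they are mounted
MOUNTS="devpts:/dev/pts proc:/proc sysfs:/sys"

run() {  # execute a command, or just print it when dry-running
    if [ "${CHROOT_DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

is_mounted() {  # true if $1 is a mount point according to /proc/mounts
    grep -q " $1 " /proc/mounts 2>/dev/null
}

chroot_start() {
    for spec in $MOUNTS; do
        fstype="${spec%%:*}"
        target="$CHROOT_DIR${spec#*:}"
        # skip mounts that already exist so a repeated "start" is harmless
        is_mounted "$target" && continue
        run mount -t "$fstype" "$fstype" "$target" || return 1
    done
    run chroot "$CHROOT_DIR" "$IN_CHROOT_START" start
}

chroot_stop() {
    run chroot "$CHROOT_DIR" "$IN_CHROOT_START" stop
    # unmount in reverse order so nothing is left mounted under the chroot
    for mp in /sys /proc /dev/pts; do
        target="$CHROOT_DIR$mp"
        is_mounted "$target" && run umount "$target"
    done
    return 0
}

if [ $# -gt 0 ]; then
    case "$1" in
        start) chroot_start ;;
        stop)  chroot_stop ;;
        *) echo "Usage: $0 {start|stop}" >&2; exit 1 ;;
    esac
fi
```

The real script is symlinked from /etc/init.d and /etc/rc[1-6].d on the host, as the message says, so the host's init runs "start" at boot and "stop" at shutdown.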