Bastion: VPN, centralized SSH access, Web proxy, Central syslog server, other business



Hey guys,

I made several changes lately to how we manage and access our machines. Finally the GNOME Infrastructure has an up and running OpenVPN instance that allowed us to connect non-phx2-machines (socket, signal, progress) to our -back channel.

Many machines had their public IP removed (yeah, we were out of free IPs) thanks to the recent proxy move of all our services and to the setup of bastion.gnome.org. I'll keep working on this in the next couple of weeks, making sure port 22 is restricted from the outside world on all machines except bastion itself. I did set up a wiki page with all the relevant information about how you can connect to GNOME machines after this change at [1].

These machines will connect to the public internet through a web proxy (Squid) installed on bastion. In addition, a central syslog instance has been installed at chooser.gnome.org (aka log01-back) and it's currently tracking down all the logs from all the various nodes we're currently hosting. (The only remaining thing to do on this side is configuring Apache to send its logs there as well; we're on it.)

I've been spending some time working on the GNOME Hispano server and on the new testing boxes we received from OSU OSL for their Supercell program. [2]

All of GNOME Hispano's services have been moved from their old Sun machine to a new VM hosted at OSU OSL. The domains gnomehispano.{org,es}, guadec.es and soon gnome-db.org have been transferred to the GNOME Foundation.

About the Supercell program, we received two VMs (with the possibility to create more thanks to the Ganeti cluster they host) that are available through a VPN connection. I did document everything at [3]; please look further into that wiki page if you have any doubt about how this is set up. As a side note, one of the machines was set up for the GNOME websites team, which is currently hosting a test instance of the www.gnome.org website and cgit.

But that's not all: yesterday we did a complete reinstall of progress.gnome.org, which is currently running the latest Ubuntu LTS. The migration went fine and both ns-slave.gnome.org and l10n.gnome.org are behaving well today.

That should be it for now! Let's keep rocking!

P.S. the latest old machines (fixed, label, window) have been pulled out from our rack at PHX2; we're currently in touch with the RHIT to get a management console attached to our switch, which should help non-RH-employees look at the machines' consoles even without standing on the RH's VPN connection.

[1] https://wiki.gnome.org/Sysadmin/Bastion
[2] http://supercell.osuosl.org/
[3] https://wiki.gnome.org/Sysadmin/SOP/VPNConnectionOSUOSL


--
Cheers,

Andrea

Debian Developer,
Fedora / EPEL packager,
GNOME Sysadmin,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av

