Integration of LanDB sets in CDB Vladimír Bahyl Project ELFms Vladimir.Bahyl@cern.ch
Outline • Introduction to LanDB sets • Integration with CDB • LanDB; CDB; CDBSQL point of view • Users’ requirements • CNIC • Firewall • Discussion topics Project ELFms meeting
LanDB sets introduction • Grouping of nodes based on the IP address • Created manually using the LanDB Web interface • Used for: • Network topology authorisation • Firewall configuration
Integration with CDB – LanDB side • Agreed prefix: “IT CC” • Owner of the FIO LanDB sets: ccservic
Integration with CDB – CDB side • New field in CDB: • "/system/set/it_cc_setname/active" = true • A hash (nlist) keyed by set name, with a boolean value per set • Allows: • Easy disabling of membership on the machine level (set "active" to false on that node) • Some more complicated structures (thanks to Jan van Eldik): • "/system/set" = if (is_defined(setname)) nlist(setname,nlist("active",true))
Integration with CDB – CDBSQL side • New view (thanks to Maciej Stepniewski): • vwpathnames • Contains all CDB paths • Not yet periodically updated • Synchronization script: • Extracts all sets from CDBSQL • Updates LanDB (connecting as user ccservic) • Removes unexpected nodes from all sets defined in CDB • (Removal of sets in the “IT CC” domain is not yet possible) • Runs once per day on each of the two LXSERVB* nodes (7am and 2pm)
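As an added illustration (not code from the slides or from the ELFms project), the following Python script simulates the daily synchronization described on the previous two slides: it extracts set membership from (hostname, path, value) rows of the kind a vwpathnames-style extract would give, honours the per-node "active" flag, and makes every CDB-defined set in LanDB match CDB exactly (missing nodes added, unexpected nodes removed) while leaving sets that exist only in LanDB untouched, since the sync user cannot remove sets in the "IT CC" domain. The LanDB client (FakeLanDB), the mapping from the CDB key it_cc_lxplus to the LanDB name "IT CC LXPLUS", and all hostnames and set contents are assumptions and constructed sample data, not taken from CERN systems.

```python
"""Added example (not from the slides or the ELFms project): a simulation of
the daily CDBSQL -> LanDB set synchronization.

Assumptions, all made for this example only:
  * CDB data arrives as (hostname, path, value) rows, as a vwpathnames-style
    extract would deliver it;
  * the CDB key it_cc_<name> maps to the LanDB set "IT CC <NAME>";
  * the LanDB web service is replaced by the in-memory FakeLanDB class;
  * hostnames and set contents are constructed sample data.
"""
import re
from collections import defaultdict

SET_PREFIX = "IT CC"                      # agreed prefix for sets managed from CDB
SET_PATH_RE = re.compile(r"^/system/set/([a-z0-9_]+)/active$")


def cdb_setname_to_landb(cdb_name):
    """Map the CDB key (e.g. it_cc_lxplus) to the LanDB set name ("IT CC LXPLUS").

    Assumed naming convention; the slides only fix the "IT CC" prefix."""
    parts = cdb_name.split("_")
    if parts[:2] != ["it", "cc"] or len(parts) < 3:
        raise ValueError(f"not a set in the {SET_PREFIX!r} domain: {cdb_name}")
    return SET_PREFIX + " " + " ".join(p.upper() for p in parts[2:])


def desired_membership(cdb_rows):
    """Build {landb_set_name: {hostnames}} from CDB rows.

    A node is a member only when "/system/set/<set>/active" is true, so setting
    it to false on one machine disables that membership without touching the
    set definition for the other nodes."""
    wanted = defaultdict(set)
    for host, path, value in cdb_rows:
        match = SET_PATH_RE.match(path)
        if match is None or value is not True:
            continue
        wanted[cdb_setname_to_landb(match.group(1))].add(host)
    return dict(wanted)


class FakeLanDB:
    """Stand-in for the LanDB client the sync script uses as user ccservic."""

    def __init__(self, sets):
        self.sets = {name: set(members) for name, members in sets.items()}

    def members(self, name):
        return set(self.sets.get(name, ()))

    def add_member(self, name, host):
        self.sets.setdefault(name, set()).add(host)

    def remove_member(self, name, host):
        self.sets[name].discard(host)


def synchronise(landb, wanted):
    """Make every CDB-defined set match CDB exactly: add missing nodes and
    remove unexpected ones.  Sets that exist only in LanDB are left alone (the
    sync user cannot remove sets in the IT CC domain).  Returns the list of
    applied changes as (action, set_name, host) tuples."""
    changes = []
    for name in sorted(wanted):
        if not name.startswith(SET_PREFIX + " "):
            raise ValueError(f"refusing to manage a set outside {SET_PREFIX!r}: {name}")
        target, current = wanted[name], landb.members(name)
        for host in sorted(target - current):
            landb.add_member(name, host)
            changes.append(("add", name, host))
        for host in sorted(current - target):
            landb.remove_member(name, host)
            changes.append(("remove", name, host))
    return changes


# Constructed sample data (hypothetical hosts and sets).
SAMPLE_CDB_ROWS = [
    ("lxplus001.cern.ch", "/system/set/it_cc_lxplus/active", True),
    ("lxplus002.cern.ch", "/system/set/it_cc_lxplus/active", True),
    ("lxplus003.cern.ch", "/system/set/it_cc_lxplus/active", False),  # disabled on this node
    ("srm01.cern.ch", "/system/set/it_cc_srm/active", True),
    ("srm01.cern.ch", "/system/cluster/name", "srm"),  # unrelated CDB path, ignored
]
SAMPLE_LANDB_SETS = {
    "IT CC LXPLUS": {"lxplus001.cern.ch", "lxplus003.cern.ch", "oldnode.cern.ch"},
    "IT CC MANUAL": {"special.cern.ch"},  # maintained by hand, not defined in CDB
}


def run_sample():
    """Run the sync against the sample data; returns (changes, resulting sets)."""
    landb = FakeLanDB(SAMPLE_LANDB_SETS)
    changes = synchronise(landb, desired_membership(SAMPLE_CDB_ROWS))
    return changes, landb.sets


if __name__ == "__main__":
    for action, name, host in run_sample()[0]:
        print(f"{action:6} {name:14} {host}")
```

On the sample data the run adds lxplus002 to "IT CC LXPLUS", removes lxplus003 (active = false in CDB) and the stale oldnode, creates the "IT CC SRM" membership, and never touches "IT CC MANUAL". The explicit prefix check in synchronise is the guard a practitioner would want before letting a cron job with write access to LanDB loose: a mistyped set name in CDB must fail loudly rather than rewrite a set outside the agreed domain.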
CNIC requirements 1/2 • Access restrictions between the Technical Network and the General Purpose Network • List of FIO services they need to trust (provided by Stefan Lüders): • AFS • AFS Kerberos (separated from AFS) • CASTOR (!) • Splitting it into smaller groups would be appreciated • LinuxFC (?) • TSM • Other sets will be: • CA, CMF, CVS, DB, DIP, DFS, LDAP, License, Network, Printing, SMTP/CERNMX, WTS • Some of these are defined in CDB, some are not …
CNIC requirements 2/2 • Keep it minimal = production servers only! • Timeline: autumn 2006 • Important: However, having the sets ready earlier allows us to properly move from the current situation to the new sets. These sets do not necessarily have to be automatically updated; you might do it manually in the first instance. Important to us is that a set always contains all relevant production servers, such that the technical network remains functioning.
Computer Security requirements • Firewall configuration • Example – open port in the CERN firewall: • For “IT CC LXPLUS” – port = 22/TCP • For “IT CC SRM” – port = 8443/TCP • Grouping of nodes preferably by service/functionality, not by the port! • I.e.: “IT CC LXPLUS” is OK, “IT CC SSH” is NOT OK • Concentrate only on those groups of nodes where there is high fluctuation of machines • I.e. do not care about 1 special server here and there; that will be done by hand • Keep it minimal = production servers only!
Discussion topics • What nodes to group ? • Only those that were asked for ? • How to do it ? • Per cluster or per application/service ? • Example: various MySQL servers across several experiments • What to do with non-FIO nodes in CDB ?
Thank you • Vladimir.Bahyl@cern.ch • http://cern.ch/vlado