Difference between revisions of "Intranet"
Edit summary of the earlier revision: (Created page with 'This page contains technical details on the services of [http://www.egi.eu/about/intranet EGI intranet] provided by [http://www.cesnet.cz CESNET]. == Technical background == ==…')
Revision as of 17:04, 17 June 2010
This page contains technical details on the services of EGI intranet provided by CESNET.
Technical background
Hardware
There are two identical servers:
- SuperMicro SuperServer 6016T-NTRF
- 2x Intel Xeon X5560 (QuadCore Nehalem 2.8 GHz)
- 48 GB
- 2x Gbit ethernet
- redundant power supply
Both machines are connected to the same disk array:
- FlexySTOR 162SS
- 16x 450 GB SAS, 15 krpm disks
- RAID controller, 2 GB cache
- the disks are arranged into 2 RAID-10 partitions, yielding 2x 1.8 TB effective capacity
In normal operation each machine works on one of the disk array partitions. The actual services are implemented in virtual machines, which are distributed between the physical machines in order to balance the load.
In case of failure of either physical machine, the other one takes over hosting the affected virtual machines. Due to the dual connection of the disk array this can be done without the need for any cable switching. Eventually, an automatic fail-over mechanism can be deployed.
Failure of a single disk in the array is handled transparently by the RAID controller. The disks are hot-swappable, allowing seamless replacement of the failed disk.
The whole system is covered by a Next-Business-Day On-Site warranty agreement.
The machines are situated in the computer room of Institute of Computer Science of Masaryk University, Brno, CZ.
Network connectivity
The computer room where the machines are located is in the same building as the Point of Presence of the CESNET network backbone. The LAN segment of the servers is directly attached to the backbone router port.
Backup
Besides the redundancy provided by the hot-swappable RAID-10 disk array all the systems are backed up with the CESNET tape systems.
In general, full file systems are backed up (with the exception of large database files where the usual approach of snapshot + transaction logs is used), therefore disaster recovery is limited by the time to restore full backup, no manual configuration recovery should be required.
Monitoring
Operating system and software environment
The servers above run Debian 5.0, Xen Dom0. Otherwise there are virtually no services installed.
The virtual servers described below run as Xen DomU, with Debian 5.0 as the guest OS as well. Debian was chosen because of stability; among free Linux distributions it has the longest lifetime of stable major releases. We do not expect the need for bleeding-edge functionality in these services, therefore stability is preferred.
As a rule of thumb, the EGI services do not depend on any external services outside of this system, apart from DNS and email.
Server certificates
The policy of the TERENA SSL CA (used by CESNET servers) does not allow issuing a certificate for servers in the egi.eu domain to CESNET; we have to receive it via the EGI.EU organization and/or NIKHEF.
Status: done
Software customization
Backend server
Hostname: aldor.ics.muni.cz
Service machine (invisible from outside) hosting database backends of the other services. It is a separate Xen host, so that we are able to move it to other hardware for performance tuning.
Common authentication and authorization
Due to the nature of the services, the primary authentication method will be username/password. Over time we will investigate possibilities to integrate Shibboleth and X509 certificate based AuthN; however, username/password will remain as the fallback method.
The goal is having a single username/password for all the services. The candidate technical solution is LDAP.
Status:
- LDAP server installed and running
- user accounts created from mailing lists' members, usernames were chosen manually
- groups for lists created, marked with attribute "businessCategory: mailman", users assigned to groups
- Mailman list members and their passwords are synchronized (daily) with LDAP
- Mediawiki has LDAP extension installed, all users from LDAP can log in
- DocDB authentication is based on LDAP
- web application for editing passwords and registration is at https://egi.eu/sso/
- group owners can manage group members through the same https://egi.eu/sso/
- group owners can ask new people to become users and specify groups for them
TODO
- Mediawiki needs an extension for page protection based on LDAP groups
- OpenCMS needs LDAP plugin
- Indico LDAP support is not known, but there are some remarks about CERN lightweight account in the documentation
Mailing lists
Status: Done.
Disk partitions
For the purpose of mutual isolation, separate partitions are used:
| / | 5 GB | root filesystem |
| /var/logs | 2 GB | all logs |
| /var/lib/mailman/archives | 2 GB | mailman archives |
The sizes are minimalistic, and the filesystems (using XFS) can be extended as needed.
HTTP server
Apache2, out of the Debian distribution. Its purpose is the administrative Mailman interface and access to the mailing list archives only.
Because most of the traffic is expected to be authenticated, port 80 (HTTP default) is redirected to 443 (HTTPS).
Status: done
Mailman software
Out of Debian distribution.
Individual mailing lists will be created and removed by the server admins (the set is expected to be semi-static).
Management of the individual lists can be delegated to any of the system users. Technically this is done by access control in the Apache configuration (each Mailman list has a unique URL prefix).
Status: done.
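The two mechanisms described above (LDAP groups tagged "businessCategory: mailman" whose owners manage the list, and Apache access control keyed on each list's unique URL prefix, plus the port 80 to 443 redirect) can be modelled in a few lines. The following is an added example, not the CESNET/EGI configuration: it assumes that a group's cn equals the Mailman list name, that the list owner is recorded in the group's owner attribute, and that each list's admin interface lives under /mailman/admin/<list> (Mailman's usual layout). The LDIF is constructed sample data.

```python
"""Model of delegated Mailman-admin access control backed by LDAP groups.

Added example (not the project's own code). Assumptions: group cn == list
name, list owners are in the group's 'owner' attribute, admin URL prefix is
/mailman/admin/<list>. Sample LDIF below is constructed.
"""
from urllib.parse import urlsplit, urlunsplit

SAMPLE_LDIF = """\
dn: cn=egi-tech,ou=groups,dc=egi,dc=eu
objectClass: groupOfNames
cn: egi-tech
businessCategory: mailman
member: uid=alice,ou=people,dc=egi,dc=eu
member: uid=bob,ou=people,dc=egi,dc=eu
owner: uid=alice,ou=people,dc=egi,dc=eu

dn: cn=egi-tech-old,ou=groups,dc=egi,dc=eu
objectClass: groupOfNames
cn: egi-tech-old
businessCategory: mailman
member: uid=carol,ou=people,dc=egi,dc=eu
owner: uid=carol,ou=people,dc=egi,dc=eu

dn: cn=staff,ou=groups,dc=egi,dc=eu
objectClass: groupOfNames
cn: staff
member: uid=dave,ou=people,dc=egi,dc=eu
owner: uid=dave,ou=people,dc=egi,dc=eu
"""

ADMIN_PREFIX = "/mailman/admin/"  # assumption: Mailman's default admin URL layout


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}.

    Handles only the plain 'attr: value' form (no base64 '::', no line
    folding), which is all the sample above uses.
    """
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = attrs
    return entries


def mailman_groups(entries):
    """Only groups tagged 'businessCategory: mailman' correspond to lists;
    other LDAP groups must never grant list administration."""
    return {
        attrs["cn"][0]: attrs
        for attrs in entries.values()
        if "mailman" in attrs.get("businessCategory", [])
    }


def list_for_path(path):
    """Map a request path to the list whose admin prefix it falls under.

    Matching is done on whole path segments, so the prefix for 'egi-tech'
    does not also cover 'egi-tech-old' (a classic prefix-matching slip).
    """
    if not path.startswith(ADMIN_PREFIX):
        return None
    rest = path[len(ADMIN_PREFIX):]
    return rest.split("/", 1)[0] or None


def may_manage(groups, user_dn, path):
    """True only if user_dn is an owner of the mailman group for that list."""
    listname = list_for_path(path)
    if listname is None or listname not in groups:
        return False
    return user_dn in groups[listname].get("owner", [])


def https_redirect(url):
    """Port 80 -> 443: same host, path and query on https; None if already https."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, ""))


GROUPS = mailman_groups(parse_ldif(SAMPLE_LDIF))
```

The segment-boundary match in list_for_path is the part worth checking in any real per-list rule: a bare string prefix would let the owner of egi-tech reach the admin pages of egi-tech-old.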
Incoming email
The only MX DNS record for mailman.egi.eu points to the Masaryk University mail relay (located in the same building, serving in the same way for several other domains). The relay forwards all mail to mailman.egi.eu via special rule in its config.
In this way we gain additional reliability and the advanced features of the relay (spam and virus protection).
Status: done
Outgoing email
Using "smart host" relay.muni.cz for all outgoing email. The relay admin accepts it, and the symmetric setup may have benefits in case of paranoid recipients.
Status: done
Spam and virus protection
relay.muni.cz (our MX) implements the greylisting technique to block naive spam attacks.
In addition, spam detection will be set up locally on mailman.egi.eu with Spamassassin, using a combination of reliable black lists, static rules for well-known spam patterns (Viagra, Nigerian spam, ...), and dynamic Bayes filters tuned gradually with real traffic.
The exact strategy for what to do with spam positives has still to be defined, and it may vary among different lists. In general, as long as it's possible with the amount of the traffic, I'm in favour of moderating to let false positives pass rather than discarding automatically.
Viruses are detected at relay.muni.cz with Kaspersky Antivirus, and positives are bounced back to the sender.
Status:
- Spamassassin to be deployed and configured
- Spam handling strategies to be defined
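Greylisting, as used on relay.muni.cz above, works by temporarily rejecting the first delivery attempt for an unseen (client network, envelope sender, recipient) triplet and accepting a retry that arrives after a minimum delay; bulk senders that never queue and retry are dropped without any content inspection. The following is an added example of that decision logic, not the relay's actual configuration. The delays, the /24 client-network key and the whitelist lifetime are assumptions chosen for illustration, and the attempt log is constructed.

```python
"""Greylisting decision logic (added example; not relay.muni.cz's config).

Assumed parameters: a sender must retry after at least min_delay seconds
and within retry_window seconds; a triplet that passed is whitelisted for
whitelist_ttl seconds. IPv4 clients are keyed by their /24 so a retry from
a sibling host in the same relay farm still matches.
"""
import ipaddress
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 greylisted, try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300             # seconds before a retry is honoured
    retry_window: int = 4 * 3600     # pending record expires after this
    whitelist_ttl: int = 36 * 24 * 3600
    pending: dict = field(default_factory=dict)   # key -> first-seen time
    passed: dict = field(default_factory=dict)    # key -> whitelist expiry

    @staticmethod
    def triplet(client_ip, sender, recipient):
        addr = ipaddress.ip_address(client_ip)
        if addr.version == 4:
            net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        else:
            net = addr                      # keep IPv6 exact for simplicity
        return (str(net), sender.lower(), recipient.lower())

    def decide(self, now, client_ip, sender, recipient):
        key = self.triplet(client_ip, sender, recipient)

        expiry = self.passed.get(key)
        if expiry is not None:
            if now < expiry:                # known-good triplet: refresh and accept
                self.passed[key] = now + self.whitelist_ttl
                return ACCEPT
            del self.passed[key]            # whitelist entry expired

        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now         # new (or stale) triplet: defer
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                 # retried too quickly: still defer
        del self.pending[key]               # patient retry: accept and whitelist
        self.passed[key] = now + self.whitelist_ttl
        return ACCEPT


# Constructed attempt log: (seconds, client ip, envelope sender, recipient)
SAMPLE_ATTEMPTS = [
    (0,   "203.0.113.5",   "alice@example.org", "egi-tech@mailman.egi.eu"),  # first try
    (30,  "198.51.100.77", "x1@bulk.invalid",   "egi-tech@mailman.egi.eu"),  # never retries
    (60,  "203.0.113.5",   "alice@example.org", "egi-tech@mailman.egi.eu"),  # too early
    (600, "203.0.113.9",   "alice@example.org", "egi-tech@mailman.egi.eu"),  # sibling host, same /24
    (900, "203.0.113.5",   "alice@example.org", "egi-tech@mailman.egi.eu"),  # now whitelisted
]


def replay(attempts, greylist=None):
    """Feed attempts (already in time order) through one Greylist instance."""
    greylist = greylist or Greylist()
    return [greylist.decide(*attempt) for attempt in attempts]


if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={attempt[0]:>4} {attempt[1]:<14} {attempt[2]:<20} -> {verdict}")
```

The retry_window matters as much as min_delay: without it a pending record lives forever, and a sender that reappears days later would be accepted on what is effectively a first attempt.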
Web server
www.egi.eu
WWW front-end for all the services.
Apache2 from Debian distribution.
http://www.egi.eu/ https://www.egi.eu/
OpenCMS
- Installation of OpenCMS done.
- Accounts for content maintainers created.
- page template created from eu-egi.eu pages
- menu and breadcrumbs implemented
- Google Analytics deployed
- news and their RSS feed created
- administration interface is at https://www.egi.eu/cms/system/login/
- real SSL certificate installed
TODO:
- install LDAP plugin for CMS
Document server
Basic setup of DocDB done here (requires authentication) but not fully working yet.
TODO:
- broken help
- accents in names
- manually introduced institutions
Status: done except LDAP authentication in OpenCMS
Meeting planner
Wiki
Virtual host (in terms of Apache, not Xen), on www.egi.eu.
TODO:
- select and install some extension for restricting access to selected pages
Status:
- webserver running
- MediaWiki installed
- LDAP plugin installed
- google analytics activated
- real SSL certificate installed
Request tracker
Jabber
Hosted servers
We host
- http://www.eu-emi.eu Website of the EU EMI project.
- http://www.einfrastructure-forum.eu Informal organization, forum for the discussion of principles and practices to create synergies for distributed infrastructures.
Both are provided as virtual hosts (in terms of Apache, not Xen) on www.egi.eu.