Difference between revisions of "Intranet"

This page contains technical details on the services of EGI intranet provided by CESNET.

Core of the services was prepared before the actual start of the EGI-InSPIRE project and they were available from day 1.

This page describes the status of the services as of mid June 2010.

Technical background

Hardware

There are two identical servers:

• SuperMicro SuperServer 6016T-NTRF
• 2x Intel Xeon X5560 (QuadCore Nehalem 2.8 GHz)
• 48 GB
• 2x Gbit ethernet
• redundant power supply

Both the machines are connected to the same disk array:

• FlexySTOR 162SS
• 16x 450 GB SAS, 15 krpm disks
• RAID controller, 2 GB cache
• the disks are arranged into 2 RAID-10 partitions, yielding 2x 1.8 TB effective capacity

In normal operation each of the machine works in one of the disk array partition, The actual services are implemented in virtual machines, and they are distributed between the physical machines, in order to optimize load.

In case of failure of any of the physical machines the other one takes over hosting the affected virtual machines. Due to the dual connection of the disk array this can be done without the need of any cable switching. Eventually, an automatic fail-over mechanism can be deployed.

Failure of a single disk in the array is handled transparently by the RAID controller. The disks are hot-swappable, allowing seamless replacement of the failed disk.

The whole system is covered with Next-Business-Day On-Site warranty agreement.

The machines are situated in the computer room of Institute of Computer Science of Masaryk University, Brno, CZ.

Virtual hosts

The physical hardware hosts several virtual hosts which provide the actual services in turn. We trade off flexibility and the cost of management, yielding three virtual hosts currently:

• mail server and request tracker: optimized for high email traffic
• web server, including wiki and the document server: optimized for the web traffic
• backend server providing database backends to the services

Currently the former two are hosted by one of the physical host, the database backend by the other in order to balance the overall load.

Network connectivity

The computer room where the machines are located is in the same building as the Point of Presence of the CESNET network backbone. The LAN segment of the servers is directly attached to the backbone router port.

Backup

Besides the redundancy provided by the hot-swappable RAID-10 disk array all the systems are backed up with the CESNET tape systems.

In general, full file systems are backed up (with the exception of large database files where the usual approach of snapshot + transaction logs is used), therefore disaster recovery is limited by the time to restore full backup, no manual configuration recovery should be required.

Monitoring

The services are covered by the monitoring system of NGI CZ based on nagios. The following probes are deployed:

• CPU load and utilization
• memory usage, including kernel memory
• critical system messages
• network interface status
• file system usage
• HTTP/HTTPS request sanity on selected URLs
• pakiti -- up to date status of installed software (missing security fixes in particular)

Operating system and software environment

The hardware servers run Debian 5.0, Xen Dom0. Otherwise there are virtually no services installed.

The virtual servers are run as Xen DomU, running Debian 5.0 as the guest OS as well. Debian was chosen because of stability; among free Linux distributions it has the longest lifetime of stable major releases. We do not expect the need for bleeding edge functionalities in these services therefore stability is prefered.

As a rule of thumb, the EGI services do not depend on any external services outside of this system. Exceptions are DNS and email, relying on the services provided by Masaryk University and CESNET.

Server certificates

Certificates issued by TERENA SSL CA (generally recognised by web browsers) are used for all the services. Administratively, they are issued to Stichting FOM/Nikhef -- the owner of the egi.eu DNS domain.

Software customization

When setting up the services we could have not avoided modifications of the used sofware (adding or customizing functionality, integration with the common AuthN/Z etc.). We keep records of trivial modifications, non-trivial modifications are kept in CVS repository, allowing fairly easy merging on upgrade to new versions of the software.

Backend server

Hostname: aldor.ics.muni.cz

Service machine (invisible from outside) hosting database backends of the other services. It is a separate Xen host, so that we are able to move it to other hardware for performance tuning.

Common authentication and authorization

Due to the nature of the services, the primary authentication method will be username/password. Over the time we will investigate possibilities to integrate Shibboleth and X509 certificate based AuthN, however, the username/password will remain as the fallback method.

The goal is having a single username/password for all the services. A technical solution is LDAP backend; most services are prepared for LDAP-based authentication out of box, and adaptation of others is relatively easy. Currently we use direct LDAP-based authentication in all the services apart of Mailman, where the user passwords are synchronized with the LDAP every hour.

All users of the services and all people working on the EGI-InSPIRE project are required to register an account at the EGI SSO system. The users can edit properties of their account, and request password reset eventually.

Besides user accounts the LDAP server stores user groups (as groupOfNames) objects. The attribute businessCategory is used to distinguish purpose of the group (multiple values can be specified yielding multi-purpose group):

• mailman -- members of the group are subscribed to the mailing list of the same name
• RT -- group of the same name and members is created in the Request Tracker and can be used for authorization there
• DocDB -- dtto in the Document Database
• wiki -- dtto at wiki

Group membership is managed at EGI SSO as well. Besides adding and removing users from groups, the group owner can invite extrnal people to create their account and to be subscribed to the group.

Besides the intranet services, the EGE SSO is used to authenticate users of the project PPT (timesheet submission system), and integration with the software repository and the application database is planned.

Mailing lists

Hostname: maiman.egi.eu

GNU Mailman software is used, in the version (2.1 currently) provided by Debian OS.

With a few exceptions only the mailing lists membership is controled by EGI SSO (above).

Mailing lists are exposed by the canonical names list-name@mailman.egi.eu.

HTTP server

Apache2, out of the Debian distribution. Its purpose is administrative Mailman interface and access to the mailist archives only. Because most of traffic is expected to be authenticated, port 80 (HTTP default) is redirected to 443 (HTTPS).

Incoming email

The only MX DNS record for mailman.egi.eu points to the Masaryk University mail relay (located in the same building, serving in the same way for several other domains). The relay forwards all mail to mailman.egi.eu via special rule in its config. In this way we gain additional reliability and advanced features of the relay (spam and virus protection).

Outgoing email

Using "smart host" relay.muni.cz for all outgoing email. This is agreed with the relay administrator, and the symmetric setup may have benefits in case of paranoid recipients.

Spam and virus protection

relay.muni.cz (our MX) implements Grey listing technique to ban naive spam attacks.

In addition, we plan to add spam detection set up locally on mailman.egi.eu with Spamassassin, using combination of reliable black lists, static rules for well-known spam patterns (Viagra, Nigerian spam, ...), and dynamic Bayes filters tuned with real trafic gradually.

Exact strategy what to do with spam positives has still to be defined, and it may vary among different lists. In general, as long as it's possible with the amount of the traffic, we are in favour of moderating to let false positives pass rather than discarding automatically.

Viruses are detected at relay.muni.cz with Kaspersky Antivirus, and positives are bounced back to the sender.

Web server

Hostname: www.egi.eu

This is the project web site and a web front-end for all the services. We use Apache2 from Debian distribution.

Content of the web site is managed by OpenCMS. Google Analytics gathering statistics on the access is deployed.

Document server

Hostname: documents.egi.eu

Storing large document files directly on the web site or wiki is not optimal. Instead we provide a dedicated document server for this purpose. Besides optimizing the storage and access, the document server offers the following capabilities:

• metadata associated with each document
• versioning of the documents
• provision of the documents in multiple formats (Word, PDF, ...)
• fine grained access control based on hierarchy of groups

We use DocDB software with a few local customizations.

Meeting planner

Wiki

Virtual host (in terms of Apache, not Xen), on www.egi.eu.

http://wiki.egi.eu/

https://wiki.egi.eu/

TODO:

• select and install some extension for restricting access to selected pages

Status:

• webserver running
• MediaWiki installed
• LDAP plugin installed
• google analytics activated
• real SSL certificate installed

Request tracker

Jabber

Hosted servers

We host

• www.eu-emi-eu Website of the EU EMI project.
• www.einfrastructure-forum.eu Informal organization, forum for the discussion of principles and practices to create synergies for distributed Infrastructures.

Both are provided as virtual hosts (in terms of Apache, not Xen) on www.egi.eu.