Difference: AnnualReview2015 (15 vs. 16)

Revision 16 2015-12-20 - kenny

Line: 1 to 1
 

LCFG Annual Review 2015

On Thursday 3rd December 2015 instead of our normal monthly Deployers Meeting we will be holding an Annual Review session.

Line: 70 to 70
 
  • Improving security.
  • Enhancing the client status feedback process.
Added:
Notes

kenny didn't like including every file in lcfg.sites.d. shane agreed. squinney says don't use the file component for writing files in that directory, because it can't delete them; use the apacheconf component instead! gdutton suggested not using the default of Include conf.d/* and having apacheconf write appropriate Include statements instead.

It's worth having apacheconf automatically output the Include directive, with an easy mechanism to turn off a virtual host.

kenny suggested it would be handy to put a comment in config files to make it clear that they are disabled.

Each vhost has an SSL flag, which should feed back to the top level for turning on SSL globally.

There was a long discussion about using \n in verbatim lines, but the solution is to solve the problem at a higher level in LCFG rather than separately in each component.

matthew suggested pulling vhost macros into the LCFG layer; squinney agreed. Not so much luck with bringing x509 into the mix, though!

geoff's favourite bug was running multiple SSL instances in one virtualhost.

On the topic of cgroups: graeme mentioned that the syntax is quite horrible; the consensus was that the simple, common things should be made easy and the rest hidden in a template.

It's worth keeping LCFG running on other distributions. This is made easier with systemd, and keeping LCFG up to date with the changes being made in Fedora saves a lot of development time. It's worth checking whether LCFG works on Debian/Ubuntu/others.

Security: k5login paths are in users' home directories by default, which is bad. krb5.conf can specify a central path.

squinney: we need to get away from the old single-template method and move to using a directory with a set of templates per component.

matthew suggested looking at things like Puppet to see what we should be doing in LCFG. squinney said that looking at Ansible would be more instructive, since Red Hat has recently bought Ansible and it's much closer to what LCFG already does.

Back to security: we need to improve client/server relationship security. The client doesn't verify the SSL certificate at all. It would be nice to have encryption and integrity. It would also be nice to have secrets passed around properly, using e.g. wallet.

kenny is keen to shorten the release latency between RH security updates being released and appearing on machines. There are problems with just using the distro-provided packages, but there's also a lot of human effort required in filtering the package updates. kenny is happy to patch updaterpms to do security updates on a threshold on a regular basis.

 -- Main.squinney - 2015-11-13
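The apacheconf discussion above (explicit Include statements instead of Include conf.d/*, a visible comment for a disabled vhost, and per-vhost SSL flags feeding a global SSL switch) as an added example. This is not apacheconf's own code; the flat resource names (vhosts, ssl_<name>, enabled_<name>) and the /etc/httpd/lcfg.sites.d path are assumptions made for the demonstration.

```python
"""Added example, not LCFG apacheconf code: build an httpd.conf fragment with
one explicit Include per vhost instead of 'Include conf.d/*'.  A vhost whose
enabled flag is off gets a comment line instead of an Include, and the
per-vhost ssl flags are folded into one global "SSL needed" decision.
Resource names and the lcfg.sites.d path are assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class VHost:
    name: str
    ssl: bool = False      # this vhost wants HTTPS
    enabled: bool = True   # False: leave the file on disk but do not Include it


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "on", "1"}


def vhosts_from_resources(res: Dict[str, str]) -> List[VHost]:
    """Flat key/value resources (assumed layout) -> VHost objects.
    Missing ssl_/enabled_ keys default to 'no SSL' and 'enabled'."""
    return [
        VHost(name,
              ssl=_truthy(res.get(f"ssl_{name}", "no")),
              enabled=_truthy(res.get(f"enabled_{name}", "yes")))
        for name in res.get("vhosts", "").split()
    ]


def render_includes(vhosts: List[VHost],
                    conf_dir: str = "/etc/httpd/lcfg.sites.d") -> Tuple[str, bool]:
    """Return (config fragment, ssl_needed).  Only enabled vhosts contribute
    to ssl_needed, so disabling the last HTTPS site also drops the SSL setup."""
    body: List[str] = []
    ssl_needed = False
    for v in sorted(vhosts, key=lambda v: v.name):
        path = f"{conf_dir}/{v.name}.conf"
        if v.enabled:
            body.append(f"Include {path}")
            ssl_needed = ssl_needed or v.ssl
        else:
            # Explicit marker so a reader of httpd.conf sees the site was
            # deliberately switched off rather than forgotten.
            body.append(f"# vhost {v.name} DISABLED by apacheconf: {path} not included")
    head = ["# Generated by the apacheconf example; edits will be overwritten"]
    if ssl_needed:
        head += ["LoadModule ssl_module modules/mod_ssl.so", "Listen 443"]
    return "\n".join(head + [""] + body) + "\n", ssl_needed


if __name__ == "__main__":
    # Constructed sample resources, not taken from any real LCFG profile.
    sample = {"vhosts": "www intranet old", "ssl_www": "yes", "enabled_old": "no"}
    fragment, ssl = render_includes(vhosts_from_resources(sample))
    print(fragment, "ssl_needed =", ssl)
```

Because each site's Include is written explicitly, a file left behind in lcfg.sites.d by an older configuration is never picked up by accident, which is the failure mode that Include conf.d/* invites.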
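The k5login point above (per-user ~/.k5login files versus a central path set in krb5.conf) as an added audit script. This is not LCFG code; the sample krb5.conf, the realm name and the home directory layout are constructed for the demonstration. MIT Kerberos reads k5login_directory from the [libdefaults] section of krb5.conf and, when it is set, looks for <dir>/<username> instead of ~/.k5login.

```python
"""Added example, not LCFG code: audit the k5login policy on a host.  By
default MIT Kerberos honours ~/.k5login in each user's home directory;
k5login_directory in [libdefaults] moves the lookup to one central,
root-owned directory.  The sample krb5.conf and home tree are constructed."""

import os
import re
import shutil
import tempfile
from typing import Dict, List, Optional

# Constructed sample: a krb5.conf that already uses a central directory.
# EXAMPLE.ORG is a placeholder realm.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    k5login_directory = /etc/k5login.d

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""


def libdefaults(conf_text: str) -> Dict[str, str]:
    """Key/value pairs from [libdefaults] only.  Other sections (with their
    nested { } blocks) are skipped, which is why configparser is not used."""
    section: Optional[str] = None
    values: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def stray_k5login_files(home_root: str) -> List[str]:
    """Per-user ~/.k5login files found directly under home_root."""
    found = []
    for entry in os.scandir(home_root):
        candidate = os.path.join(entry.path, ".k5login")
        if entry.is_dir(follow_symlinks=False) and os.path.isfile(candidate):
            found.append(candidate)
    return sorted(found)


def audit(conf_text: str, home_root: str) -> List[str]:
    """Findings as plain strings; an empty list means the host matches policy."""
    findings: List[str] = []
    central = libdefaults(conf_text).get("k5login_directory")
    if central is None:
        findings.append("krb5.conf: k5login_directory unset, so ~/.k5login in "
                        "every home directory controls who may log in as that user")
    for path in stray_k5login_files(home_root):
        state = "ignored by this krb5.conf but still present" if central else "ACTIVE"
        findings.append(f"{path}: per-user k5login file ({state})")
    return findings


def demo(central: bool = True) -> List[str]:
    """Build a throwaway home tree with one stray ~/.k5login and audit it,
    against either the sample krb5.conf or the same file without the
    k5login_directory line."""
    conf = SAMPLE_KRB5_CONF if central else "\n".join(
        l for l in SAMPLE_KRB5_CONF.splitlines() if "k5login_directory" not in l)
    root = tempfile.mkdtemp(prefix="k5login-audit-")
    try:
        os.makedirs(os.path.join(root, "alice"))
        os.makedirs(os.path.join(root, "bob"))
        with open(os.path.join(root, "alice", ".k5login"), "w") as fh:
            fh.write("alice/admin@EXAMPLE.ORG\n")   # constructed entry
        return audit(conf, root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo(central=False):
        print(finding)
```

Run it against a real host with audit(open("/etc/krb5.conf").read(), "/home"); the ACTIVE findings are the user-writable files that currently decide who can log in as whom.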
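The "security updates on a threshold" idea above as an added example of the filtering step. This is not updaterpms code: it parses advisory lines in the shape printed by yum updateinfo list (the sample lines and advisory IDs below are constructed), applies anything at or above a severity threshold automatically and queues the rest for the human filtering the notes mention. The default threshold and the queue format are assumptions.

```python
"""Added example, not updaterpms code: split pending errata into an
auto-apply set and a review queue by severity.  Input lines follow the
'ID  Severity/Sec.  package' shape of 'yum updateinfo list'; the sample is
constructed and the advisory IDs are placeholders."""

import re
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}

# Constructed sample; IDs and versions are placeholders, not real advisories.
SAMPLE_UPDATEINFO = """\
RHSA-0000:0001 Critical/Sec.  openssl-1.0.1e-42.el6_7.4.x86_64
RHSA-0000:0002 Important/Sec. kernel-2.6.32-573.12.1.el6.x86_64
RHSA-0000:0003 Moderate/Sec.  libxml2-2.7.6-20.el6_7.1.x86_64
RHSA-0000:0004 Low/Sec.       bind-utils-9.8.2-0.37.rc1.el6_7.5.x86_64
RHBA-0000:0005 bugfix         bash-4.1.2-33.el6_7.1.x86_64
RHEA-0000:0006 enhancement    tzdata-2015g-2.el6.noarch
"""

LINE_RE = re.compile(r"^(?P<id>\S+)\s+(?P<kind>\S+)\s+(?P<pkg>\S+)\s*$")


def parse_updateinfo(text: str) -> List[Dict[str, Optional[str]]]:
    """One dict per advisory line.  severity is None for bugfix/enhancement
    rows; lines that do not match the three-column shape are skipped."""
    rows: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = m.group("kind")
        severity = kind[:-len("/Sec.")] if kind.endswith("/Sec.") else None
        rows.append({"id": m.group("id"), "severity": severity, "pkg": m.group("pkg")})
    return rows


def select_updates(rows: List[Dict[str, Optional[str]]],
                   threshold: str = "Important") -> Tuple[List[str], List[str]]:
    """Return (packages to apply now, 'ID package' lines for human review).
    Unknown severities never qualify for auto-apply."""
    floor = SEVERITY_RANK[threshold]
    auto: List[str] = []
    review: List[str] = []
    for r in rows:
        sev = r["severity"]
        if sev is not None and SEVERITY_RANK.get(sev, 0) >= floor:
            auto.append(r["pkg"])          # type: ignore[arg-type]
        else:
            review.append(f"{r['id']} {r['pkg']}")
    return auto, review


if __name__ == "__main__":
    apply_now, queue = select_updates(parse_updateinfo(SAMPLE_UPDATEINFO))
    print("apply now:", apply_now)
    print("review   :", queue)
```

Running this on a schedule with the threshold at Important closes the window for the advisories that matter most while keeping the Moderate and Low errata in the hands of whoever currently does the filtering.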

Attachment: MDP_Review_and_Preview_2015.pdf (comment "MDP Review 2015", 588282 bytes, uploaded by kenny on 2015-12-03, version 1)