SaltStack Working Group



Meeting Date

  • TEAMS: 2021-11-24

Invitees - Attendees

  • Dave, Anthony, Lawrence, Lori, Nathan

Review and accept previous meeting minutes.

Agenda Items

Review Action Items

  • CsSaltStackWgMeeting20211027 - Action items:
    • Dave: create an RT to replace the Ugster switch (details to be provided in the ticket)
      • Still to do
    • Anthony: document MySQL workflow - how to integrate service-specific changes
      • Put on hold until Graphics Lab Workstations software update and Fraser is back from vacation
    • Nathan: split Vhost config directory to its own repo
      • Still to do

Review Formulae

Infrastructure formulae list:

  1. Local list of CSCF admin accounts (currently: cscf-adm, root)
    - AB says: no staff time to create customization needed.
    - DG suggests breaking it down this way, of which the first two should be done during the OS install (manual or automated) and only the last step should be handled by SaltStack:
    For each account in admin-list:
    1. report error if in LDAP or UID, GID exists in UID-GID-registry, and proceed to next account
    2. use Salt built-ins to create account
    3. install/maintain account resource files, i.e. ~/.bashrc, ~/.forward, ~/.profile, ~/.ssh/*, ~/.vim
  • remote admin accounts -
  • mail forwarding
  • telemetry (prometheus)
  • monitoring (icinga)
  • PKI
  • active directory authentication / 2fa
  • syscall auditing
  • kernel crash dump collection
  • general use server / student general use server
  • internal microservices
  • backups
  • Suggested list of formulae - nfish:

    1. apt
    2. reboot (reboot-info, mollyguard + scripts)
    3. remote_access (sshd, mosh) - done
    4. salt
    5. ceph (client, rgw, server) - done
    6. networking (netplan, generic networking only)
    7. physical (for non-LXC minions)
    8. lxc (lxc containers, not hosts)
    9. iaas (lxc/vm hosts)
    10. logging (syslog_ng, logrotate, trimming)

    Suggested list of formulae - dlgawley:

    1. ssh-only
    2. pam+ssh
    3. ldap+pam+ssh+DUO+yubikey
    4. OpenVPN
    5. Web
      1. Apache
      2. Force HTTPS and Let's Encrypt module
      3. URL case insensitive module
      4. Server Side Includes module/setup (use execute bit, not file extension).
      5. PAM integration
    6. PostgreSQL
    7. MySQL

Action Items

  • Appoint new group leader

Future Items

  • Peer review of formulae
    Topic revision: r3 - 2021-11-25 - DaveGawley
     