[AktiviX-discuss] RFC please .. developing our infrastructure

GarconDuMonde gdm at fifthhorseman.net
Mon Aug 28 21:20:55 UTC 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi,

Alan Dawson wrote:
> cat  aktivix-tech-changes
> Start
> -----
> 
> Describe existing machine set up
>    - miserably the machine seems to be broken now.. but this is a dual opteron,
> 2GB ram, 4x250GB SATA disk on a 3ware 9xxx ( i forget the exact number ) raid
> controller in a raid5 configuration, giving 750GB of usable disk space.  The
> /home partition has 500GB in it.

nice :)

my one comment here would be - is it possible to get rid of the 3ware raid card
and use software raid instead?

my reasoning: there (appear to?) have been problems with this on other activist
machines, notably traven (imc-uk) but i think others have experienced problems
too; and mdadm is now quite mature. furthermore, using software raid, one
doesn't need to have a 3ware (read proprietary) physical card to recover, should
there be problems.

 <snip>

> Describe Options for virtualisation and the benefits
>         - virtualisation is a way of splitting the resources of a physical
> machine into number of virtual machines.  The virtual machines are logically
> separate from each other and cannot interfere or alter the running of the
> physical host or the other virtual machines. This gives obvious administrative
> and security benefits.
>    -  Virtualisation technology.
>                 -       UML, Linux Vserver, Xen, ...
>                         There are a number of different ways of virtualising
> machines.  They have subtle differences, and actually solve different
> problems.
>                                 UML has made itself into the linux kernel, but I
> am not going to consider use because its performance is not as good as some of
> the others.
>                                 Linux Vserver is a way of creating virtual
> servers, it's used by other international tech collectives, and has been used by
> us on the shadow server from the tachanka server collective.  It allows
> vservers to share the ram and cpu of a host machine whilst being locked into a
> secure container which they cannot escape from.  It uses a single kernel which
> is available across all vservers.  CPU and RAM usage can be limited, but it's (
> felt at least to me ) relatively difficult.

* /me likes the idea behind vserver. i think it provides the lowest overhead of
the virtualisation technologies for achieving a "basic" activist system as
different forms of linux (red hat, suse, debian, whatever) can still be run from
it. in other words, more kick per server (more virtual servers per physical host)
* there is also a relatively good knowledge base to build on - both aktivix/uk
experience and also within the wider activist community.
* i disagree with cpu/ram limiting being difficult - i think the biggest problem
has been physical remoteness/not having a local dev server to play around with.
however, this is something that should be able to be improved relatively quickly.

>                                 XEN allows creation of different
> virtual servers, called domains.  These virtual servers have hard limits of CPU
> and RAM assigned to them, which cannot be exceeded by the virtual servers. It
> allows many different OS to be run on top of it, but the kernel must be
> modified ( at least on CPU hardware that does not  support native
> virtualisation - everything except the very latest CPU from Intel and AMD. ) 
> It's conceivable that a linux vserver virtualisation could be used in a xen
> domain.

yep. downside is that one virtual server can only access the ram/cpu that is
allocated. so each virtual server would be limited to (for example) 1/x of total
physical server ram where x is the number of virtual servers, whereas with
vserver the virtual servers would each have the potential to use up to the total
amount of ram, provided the other virtual servers are not using it.

i don't know if i explained that very well or not. this may, of course, be the
reason that there have been problems with vservers (overcommitted memory leads
to OOM experience and random killing by kernel of various processes, most
importantly sshd) - we might need to find out more about this.

> I prefer to use XEN in the first place, and if we require vserver - because we
> wish to borrow some of the vserver techniques from other collectives we can
> install vserver on a xen domain.

i have no preference as i don't think i have the time to be overly involved in
this at the moment - although might try.

is a good idea, maybe, to use one of the xen doms as a test bed for vserver. at
least would make it easier to restart the server!

>
>    - Reference server security protocols page

yep, good page.

> Describe how to move to xen
>         - has 100GB disk space in a spare partition
>         - tarball up the existing fs to spare partition
>         - install and reboot to xen
>         - blow away existing /home

need to insert "encrypt disks" ??

>         - convert to LVM
>         - untar existing server to LVM
>         - add a xen kernel and modules to the LVM
>         - boot it as a xen machine
>         - fix any bugs!
>         - Time scale 2 days
>         - Risks
>                 - fuck up and my friends lose their job :-(
>                 - fuck up and i lose my friends  :-(

err, is this already an important machine, or a spare one? i got the impression
of the latter, but maybe i misunderstood.

> Discuss moving lists
>         - easy done this twice now.  Time scale 2 days
> 
> Discuss moving mail
>         - issues passwords, time scale, new structure which has better
> decentralised management using a simple non techy interface.

yeah, i guess this is definitely something that needs some thinking and a bit
more longer term work.

> Time scales ?
>         -  need to discuss some of the details with the NGO who owns the server
>         -  lists can move quickly, mail longer,
>         -  other services can move before mail
> 
> End up
> -----
> 
> Pictures of riseup syscp thing
> 
> http://deb.riseup.net/web-server/syscp/
> 
> though riseup say they would have used ravencore instead.
> also there is
> http://wiki.boum.org/Frangipane
> 
> Talk about web hosts / drupal farm / wiki farm / mkdoc farm

 and can i add links/rubric bookmarking engine onto the end here as well?

nice energy, alan :-)

- --

love and solidarity,

	--gdm

http://docs.indymedia.org/view/Main/GarconDuMonde

i have a NEW key:
gpg --keyserver pgp.mit.edu --recv-keys 594B97C2
Key fingerprint = 7B70 F22D F275 D111 3A04  F9EE 0E25 4944 594B 97C2



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (Darwin)

iD8DBQFE813wDiVJRFlLl8IRAvWjAJ9geNIs8QFAeEz8ADdcxttcNaG+nACdFaR+
Peu4JhomA46RxjMR9kGAFco=
=4OPB
-----END PGP SIGNATURE-----
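
The reply above suspects that overcommitted memory on the vserver host led the kernel's OOM killer to kill processes, sshd among them. The following is an added example, not part of the original message: a small shell check that pulls OOM-killer victims out of kernel log text and flags a killed sshd. The function names and the sample log lines are constructed for illustration; kernel message wording varies by version, so only the common "Killed process <pid> (<name>)" fragment is matched.

```shell
#!/bin/sh
# Added example: list OOM-killer victims found in kernel log text on stdin.
# Prints "<pid> <name>" per victim. Only the "Killed process <pid> (<name>)"
# fragment is matched, since the surrounding wording differs between kernels.
oom_victims() {
    sed -n 's/.*[Kk]illed process \([0-9][0-9]*\) (\([^)]*\)).*/\1 \2/p'
}

# Succeeds (exit 0) if the named process (default: sshd) is among the victims
# in the log text passed as the first argument.
oom_killed() {
    name="${2:-sshd}"
    printf '%s\n' "$1" | oom_victims |
        awk -v n="$name" '$2 == n { found = 1 } END { exit !found }'
}

# Constructed sample log lines (not taken from any real host).
SAMPLE_LOG='kernel: Out of Memory: Killed process 2211 (apache2).
kernel: eth0: link up
kernel: Out of memory: Killed process 1093 (sshd) total-vm:65536kB, anon-rss:1024kB
kernel: Killed process 3120 (mysqld) total-vm:901120kB, anon-rss:512000kB'

report() {
    printf '%s\n' "$SAMPLE_LOG" | oom_victims
    if oom_killed "$SAMPLE_LOG" sshd; then
        echo "ALERT: sshd was OOM-killed; remote admin access was at risk"
    fi
}

report
```

On a live host, pipe `dmesg` or the kernel log file into `oom_victims` instead of the sample text.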


