
Integration of LanDB sets in CDB

Integration of LanDB sets in CDB. Vladimír Bahyl Project ELFms Vladimir.Bahyl@cern.ch. Outline. Introduction to LanDB sets Integration with CDB LanDB; CDB; CDBSQL point of view Users’ requirements CNIC Firewall Discussion topics. LanDB sets introduction.


Presentation Transcript


  1. Integration of LanDB sets in CDB
     Vladimír Bahyl
     Project ELFms
     Vladimir.Bahyl@cern.ch

  2. Outline
     • Introduction to LanDB sets
     • Integration with CDB
       • LanDB; CDB; CDBSQL point of view
     • Users’ requirements
       • CNIC
       • Firewall
     • Discussion topics
     Project ELFms meeting

  3. LanDB sets introduction
     • Grouping of nodes based on the IP address
     • Created manually using LanDB Web interface
     • Used for:
       • Network topology authorisation
       • Firewall configuration

  4. Integration with CDB – LanDB side
     • Agreed Prefix: “IT CC”
     • FIO LanDB sets’ owner: ccservic

  5. Integration with CDB – CDB side
     • New field in CDB:
       • "/system/set/it_cc_setname/active" = true
       • Hash with boolean
     • Allows:
       • Easy disabling of membership on the machine level
       • Some complicated structures (thanks to Jan van Eldik):
         • "/system/set" = if (is_defined(setname)) nlist(setname,nlist("active",true))

  6. Integration with CDB – CDBSQL side
     • New view (thanks to Maciej Stepniewski):
       • vwpathnames
       • Contains all CDB paths
       • Not yet periodically updated
     • Synchronization script
       • Extract all sets from CDBSQL
       • Updates LanDB (connecting as user ccservic)
       • Removes unexpected nodes for all sets defined in CDB
       • (Removal of sets in the “IT CC” domain is not yet possible)
       • Runs once per day on both LXSERVB* nodes
         • 7am, 2pm

  7. CNIC requirements 1/2
     • Technical network  General Purpose network access restrictions
     • List of FIO services they need to trust (provided by Stefan Lüders):
       • AFS
       • AFS Kerberos (separated from AFS)
       • CASTOR (!)
         • Split into small groups would be appreciated
       • LinuxFC (?)
       • TSM
     • Other sets will be:
       • CA, CMF, CVS, DB, DIP, DFS, LDAP, License, Network, Printing, SMTP/CERNMX, WTS
       • Some of these are defined in CDB, some are not …

  8. CNIC requirements 2/2
     • Keep it minimal = production servers only!
     • Timeline: autumn 2006
     • Important: However, having the sets ready earlier allows us to properly move from the current situation to the new sets. These sets do not necessarily have to be automatically updated, you might do it manually in the first instance. Important to us is that a set contains always all relevant production servers such that the technical network remains functioning.

  9. Computer Security requirements
     • Firewall configuration
       • Example – open port in the CERN firewall:
         • For “IT CC LXPLUS” – port = 22/TCP
         • For “IT CC SRM” – port = 8443/TCP
     • Grouping of nodes preferably by service/functionality, not by the port!
       • I.e.: “IT CC LXPLUS” is OK, “IT CC SSH” is NOT OK
     • Concentrate only on those groups of nodes where there is high fluctuation of machines
       • I.e. do not care about 1 special server here and there, that will be done by hand
     • Keep it minimal = production servers only!

  10. Discussion topics
      • What nodes to group?
        • Only those that asked for?
      • How to do it?
        • Per cluster or per application/service?
        • Example: various MySQL servers across several experiments
      • What to do with non-FIO nodes in CDB?

  11. Thank you
      • Vladimir.Bahyl@cern.ch
      • http://cern.ch/vlado
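
The synchronization step from slide 6, combined with the "active" flag from slide 5, sketched as an added example (not the ELFms script): it derives the desired membership of each "IT CC" set from CDB paths and plans node additions and removals only for sets defined in CDB, never deleting a set. The row layout `(node, path, value)`, the rule mapping `it_cc_lxplus` to "IT CC LXPLUS", and all function names are assumptions; the sample data is constructed.

```python
import re
from collections import defaultdict

PREFIX = "IT CC"  # prefix agreed for CDB-managed LanDB sets (slide 4)
PATH_RE = re.compile(r"^/system/set/it_cc_([a-z0-9_]+)/active$")


def sets_from_cdb(rows):
    """Desired membership per set; rows are (node, path, value) tuples (assumed layout)."""
    wanted = defaultdict(set)
    for node, path, value in rows:
        m = PATH_RE.match(path)
        if not m:
            continue  # unrelated CDB path
        # Assumed naming rule: it_cc_lxplus -> "IT CC LXPLUS"
        name = f"{PREFIX} {m.group(1).replace('_', ' ').upper()}"
        members = wanted[name]  # set is managed even if no node is active
        if value == "true":
            members.add(node)   # active=false disables membership per machine
    return dict(wanted)


def plan_sync(cdb_rows, landb_sets):
    """Plan changes for sets defined in CDB; all other LanDB sets are left alone."""
    plan = {}
    for name, members in sets_from_cdb(cdb_rows).items():
        current = set(landb_sets.get(name, ()))
        plan[name] = {
            "add": sorted(members - current),
            "remove": sorted(current - members),  # "unexpected nodes"
        }
    return plan


CDB_ROWS = [  # constructed sample rows
    ("lxplus001", "/system/set/it_cc_lxplus/active", "true"),
    ("lxplus002", "/system/set/it_cc_lxplus/active", "false"),
    ("srm01", "/system/set/it_cc_srm/active", "true"),
    ("srm01", "/system/kernel/version", "2.6.9"),
]
LANDB = {  # constructed sample of the current LanDB state
    "IT CC LXPLUS": ["lxplus002", "lxplus099"],
    "IT CC AFS": ["afs01"],    # not defined in CDB: untouched
    "OTHER SET": ["node42"],   # outside the prefix: untouched
}

if __name__ == "__main__":
    for set_name, changes in plan_sync(CDB_ROWS, LANDB).items():
        print(set_name, changes)
```

Because these sets feed firewall openings and network trust, the removal list is the part worth reviewing before it is applied: a node dropped from CDB loses its access on the next run.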
