OSE Development Server: Difference between revisions
No edit summary |
|||
| (12 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
As of 2019, Open Source Ecology has exactly one development server, and this article is specifically about this development server. | |||
For information about OSE's production server, see [[OSE Server]]. | |||
For information about OSE's staging server, see [[OSE Staging Server]]. | |||
=Purpose= | =Purpose= | ||
The OSE Development Server | The OSE Development Server (osedev1) is a cheap cloud server with a huge network-attahed [[#Disk]]. It is a minimal lxc host that also runs our [[VPN]] server. Development (which could be destructive by definition) should not take place on this osedev1 instance, but rather on lxc containers hosted on osedev1. | ||
=Security= | =Security= | ||
Because this server | Because this development server hosts lxc containers for our [[OSE Staging Server]], it necessarily has mirrored state (ie: DBs & files) from production. This state contains very sensitive content including, for example, databases of our users' PII such as names, addresses, email addresses, usernames, and (hashed) passwords. | ||
And because this server | And because this server also hosts development servers, at any given time it's likely to be running untested code and insecure configurations. | ||
Therefore, to keep the data safe on this machine, only two services should be exposed on the Internet: | Therefore, to keep the data safe on this machine, only two services should be exposed on the Internet: | ||
| Line 17: | Line 23: | ||
Both of these services must be hardened. All developers working on the OSE Dev server should first authenticate to OpenVPN. Once given a "local" IP address by OpenVPN, they can freely & securely interact with the dev server. | Both of these services must be hardened. All developers working on the OSE Dev server should first authenticate to OpenVPN. Once given a "local" IP address by OpenVPN, they can freely & securely interact with the dev server. | ||
==Disk== | |||
Unless otherwise required, the cheapest cloud instance is used for this server. The biggest bottleneck is the disk. The solution to this is to mount a block storage volume. Specifically, a very large (resizeable) disk (max 10T?) is mounted on /var/ <ref>[[Maltfield_Log/2019_Q4#Mon_Oct_07.2C_2019]]</ref> | |||
Note that the rootfs for containers (which accounts for most of the bytes of osedev1's data) lives in /var/lib/lxc. | |||
===Important Files & Directories=== | |||
For more information about our network-attached block volume configuration, please see the following files & directories on the <code>osedev1</code> server: | |||
# <code>/mnt/ose_dev_volume_1/</code> | |||
# <code>/mnt/ose_dev_volume_1/var/lib/lxc/</code> | |||
# <code>/var/</code> | |||
# <code>/etc/crypttab</code> | |||
# <code>/etc/fstab</code> | |||
# <code>/root/keys/</code> | |||
=Useful Commands= | |||
This section will describe useful commands when working with the OSE Dev Server | |||
<pre> | |||
# get list of lxc containers | |||
ls /mnt/ose_dev_volume_1/var/lib/lxc/ | |||
# determine running lxc containers | |||
lxc-top | |||
# start the staging server container | |||
lxc-start --name osestaging1 | |||
# attach to currently-running staging server container | |||
lxc-attach --name osestaging1 | |||
</pre> | |||
=Initial Creation (Aug 2019)= | =Initial Creation (Aug 2019)= | ||
| Line 26: | Line 68: | ||
==See Also== | ==See Also== | ||
* [[OSE Server]] | |||
* [[OSE Staging Server]] | |||
* [[Web server configuration]] | * [[Web server configuration]] | ||
* [[Wordpress]] | * [[Wordpress]] | ||
Latest revision as of 20:57, 28 October 2022
As of 2019, Open Source Ecology has exactly one development server, and this article is specifically about this development server.
For information about OSE's production server, see OSE Server.
For information about OSE's staging server, see OSE Staging Server.
Purpose
The OSE Development Server (osedev1) is a cheap cloud server with a huge network-attahed #Disk. It is a minimal lxc host that also runs our VPN server. Development (which could be destructive by definition) should not take place on this osedev1 instance, but rather on lxc containers hosted on osedev1.
Security
Because this development server hosts lxc containers for our OSE Staging Server, it necessarily has mirrored state (ie: DBs & files) from production. This state contains very sensitive content including, for example, databases of our users' PII such as names, addresses, email addresses, usernames, and (hashed) passwords.
And because this server also hosts development servers, at any given time it's likely to be running untested code and insecure configurations.
Therefore, to keep the data safe on this machine, only two services should be exposed on the Internet:
- SSH
- OpenVPN
All other traffic must be blocked by iptables.
Both of these services must be hardened. All developers working on the OSE Dev server should first authenticate to OpenVPN. Once given a "local" IP address by OpenVPN, they can freely & securely interact with the dev server.
Disk
Unless otherwise required, the cheapest cloud instance is used for this server. The biggest bottleneck is the disk. The solution to this is to mount a block storage volume. Specifically, a very large (resizeable) disk (max 10T?) is mounted on /var/ [1]
Note that the rootfs for containers (which accounts for most of the bytes of osedev1's data) lives in /var/lib/lxc.
Important Files & Directories
For more information about our network-attached block volume configuration, please see the following files & directories on the osedev1 server:
/mnt/ose_dev_volume_1//mnt/ose_dev_volume_1/var/lib/lxc//var//etc/crypttab/etc/fstab/root/keys/
Useful Commands
This section will describe useful commands when working with the OSE Dev Server
# get list of lxc containers ls /mnt/ose_dev_volume_1/var/lib/lxc/ # determine running lxc containers lxc-top # start the staging server container lxc-start --name osestaging1 # attach to currently-running staging server container lxc-attach --name osestaging1
Initial Creation (Aug 2019)
On August 1st, 2019 Marcin approved my (Michael Altfield) request to spend $100/year on a development server to facilitate the a POC for Discourse (and Askbot) without breaking prod.
The intention was to spin-up the cheapest hetzner cloud node with a 50G block volume. So a CX11 @ 2.49 EUR/mo w/ 1 vCPU, 2G RAM, & 20G disk) + 50G block storage @ 2.00 EUR/mo (total @ 4.49 EUR/mo). That's compared to our existing dedicated production server w/ 4 CPUs, 64G RAM, & 2x 250G disks @ 39 EUR/mo.
See Also
- OSE Server
- OSE Staging Server
- Web server configuration
- Wordpress
- Vanilla Forums
- Mediawiki
- Munin
- Awstats
- Ossec
- VPN
FAQ
- What makes VPN and SSH channels secure for staging server purposes? Which other channels are particularly vulnerable?