OSE Development Server
As of 2019, Open Source Ecology has exactly one development server, and this article is specifically about this development server.
For information about OSE's production server, see OSE Server.
For information about OSE's staging server, see OSE Staging Server.
Contents
Purpose
The OSE Development Server (osedev1) is a cheap cloud server with a huge network-attahed #Disk. It is a minimal lxc host that also runs our VPN server. Development (which could be destructive by definition) should not take place on this osedev1 instance, but rather on lxc containers hosted on osedev1.
Security
Because this development server hosts lxc containers for our OSE Staging Server, it necessarily has mirrored state (ie: DBs & files) from production. This state contains very sensitive content including, for example, databases of our users' PII such as names, addresses, email addresses, usernames, and (hashed) passwords.
And because this server also hosts development servers, at any given time it's likely to be running untested code and insecure configurations.
Therefore, to keep the data safe on this machine, only two services should be exposed on the Internet:
- SSH
- OpenVPN
All other traffic must be blocked by iptables.
Both of these services must be hardened. All developers working on the OSE Dev server should first authenticate to OpenVPN. Once given a "local" IP address by OpenVPN, they can freely & securely interact with the dev server.
Disk
Unless otherwise required, the cheapest cloud instance is used for this server. The biggest bottleneck is the disk. The solution to this is to mount a block storage volume. Specifically, a very large (resizeable) disk (max 10T?) is mounted on /var/ [1]
Note that the rootfs for containers (which accounts for most of the bytes of osedev1's data) lives in /var/lib/lxc.
Important Files & Directories
For more information about our network-attached block volume configuration, please see the following files & directories on the osedev1
server:
-
/mnt/ose_dev_volume_1/
-
/mnt/ose_dev_volume_1/var/lib/lxc/
-
/var/
-
/etc/crypttab
-
/etc/fstab
-
/root/keys/
Useful Commands
This section will describe useful commands when working with the OSE Dev Server
# get list of lxc containers ls /mnt/ose_dev_volume_1/var/lib/lxc/ # determine running lxc containers lxc-top # start the staging server container lxc-start --name osestaging1 # attach to currently-running staging server container lxc-attach --name osestaging1
Initial Creation (Aug 2019)
On August 1st, 2019 Marcin approved my (Michael Altfield) request to spend $100/year on a development server to facilitate the a POC for Discourse (and Askbot) without breaking prod.
The intention was to spin-up the cheapest hetzner cloud node with a 50G block volume. So a CX11 @ 2.49 EUR/mo w/ 1 vCPU, 2G RAM, & 20G disk) + 50G block storage @ 2.00 EUR/mo (total @ 4.49 EUR/mo). That's compared to our existing dedicated production server w/ 4 CPUs, 64G RAM, & 2x 250G disks @ 39 EUR/mo.
See Also
- OSE Server
- OSE Staging Server
- Web server configuration
- Wordpress
- Vanilla Forums
- Mediawiki
- Munin
- Awstats
- Ossec
- VPN
FAQ
- What makes VPN and SSH channels secure for staging server purposes? Which other channels are particularly vulnerable?