OSE Development Server

From Open Source Ecology

Purpose

The OSE Development Server (osedev1) is a cheap cloud server with a huge network-attached disk (see Disk below). It is a minimal lxc host that also runs our VPN server. Development (which could be destructive by definition) should not take place on the osedev1 instance itself, but rather on lxc containers hosted on osedev1.

Security

Because this development server hosts lxc containers for our OSE Staging Server, it necessarily has mirrored state (i.e. DBs & files) from production. This state contains very sensitive content including, for example, databases of our users' PII such as names, addresses, email addresses, usernames, and (hashed) passwords.

And because this server also hosts development servers, at any given time it's likely to be running untested code and insecure configurations.

Therefore, to keep the data safe on this machine, only two services should be exposed on the Internet:

  1. SSH
  2. OpenVPN

All other traffic must be blocked by iptables.

Both of these services must be hardened. All developers working on the OSE Dev server should first authenticate to OpenVPN. Once given a "local" IP address by OpenVPN, they can freely & securely interact with the dev server.
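An iptables ruleset that implements the policy above (default DROP on INPUT, only SSH and OpenVPN reachable from the Internet, everything else reachable only from VPN clients over the tunnel), added here as an example and not the ruleset actually deployed on osedev1. The port numbers (22/tcp, 1194/udp), the tunnel interface name (tun0) and the VPN client subnet (10.8.0.0/24) are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that exposes only SSH
# and OpenVPN to the Internet and admits all other traffic only over the
# VPN tunnel. Ports, tun0 and the VPN subnet are assumed values, not
# taken from the real osedev1 configuration.
SSH_PORT="${SSH_PORT:-22}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Print the ruleset (iptables-restore format) to stdout.
ose_fw_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-established flows.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Rate-limited ping so the host stays reachable for basic diagnostics.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# The only two services reachable from the Internet.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport ${VPN_PORT} -j ACCEPT
# Everything else (container web UIs, DBs, ...) only from VPN clients.
-A INPUT -i ${VPN_IF} -s ${VPN_NET} -j ACCEPT
# Log a sample of what the default DROP policy catches, for detection.
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "osedev1-fw-drop: "
COMMIT
EOF
}

# Number of INPUT rules that open a port to any source, i.e. the
# Internet-exposed services. The policy on this page requires exactly 2.
ose_fw_exposed_count() {
    ose_fw_rules | grep -c -- '--dport'
}

# Validate the ruleset, then load it atomically (root on the host only).
ose_fw_apply() {
    ose_fw_rules | iptables-restore --test && ose_fw_rules | iptables-restore
}

# Stand-alone run: print the ruleset for review before applying it.
ose_fw_rules
```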

Disk

Unless otherwise required, the cheapest cloud instance is used for this server. The biggest bottleneck is the disk. The solution to this is to mount a block storage volume. Specifically, a very large (resizeable) disk (max 10T?) is mounted on /var/ [1]

Note that the rootfs for containers (which accounts for most of the bytes of osedev1's data) lives in /var/lib/lxc.

Important Files & Directories

For more information about our network-attached block volume configuration, please see the following files & directories on the osedev1 server:

  1. /mnt/ose_dev_volume_1/
  2. /var/
  3. /etc/crypttab
  4. /etc/fstab
  5. /root/keys/

Initial Creation (Aug 2019)

On August 1st, 2019 Marcin approved my (Michael Altfield) request to spend $100/year on a development server to facilitate a POC for Discourse (and Askbot) without breaking prod.

The intention was to spin up the cheapest hetzner cloud node with a 50G block volume. So a CX11 (@ 2.49 EUR/mo w/ 1 vCPU, 2G RAM, & 20G disk) + 50G block storage (@ 2.00 EUR/mo), for a total of 4.49 EUR/mo. That's compared to our existing dedicated production server w/ 4 CPUs, 64G RAM, & 2x 250G disks @ 39 EUR/mo.

See Also

FAQ

  1. What makes VPN and SSH channels secure for staging server purposes? Which other channels are particularly vulnerable?
    1. Maltfield_Log/2019_Q4#Mon_Oct_07.2C_2019