...
For our first pass, we would like to set up 3 machines as shown in the diagram above.
We expect that we'll have to do some experimenting to get these "right".
Once we are happy with these 3 VMs (the "application assembly"), we plan to clone the VMs to create a QA and a PROD environment.
Is there a way to clone the entire assembly?
Will we have to tweak the firewall settings each time we clone to a new environment?
Our primitive datacenter BCP plan is as follows.
Whenever we change a VM configuration, we copy the VM and store it offsite (at the city?).
Should the datacenter fail badly (fire, etc), we provide carinet with the VMs,
and carinet brings up the VMs at another location.
Does this sound sane?
Note that we handle DB backups separately.
We plan to move these VMs to our data center by midyear 2011.
We want to ensure that these VMs are portable.
The chips in our data center will be Intel Xeon. We expect to do a simple VM copy and do not need vMotion.
Is this reasonable? Does this all seem right?
Carinet Responsibilities
- Provision hardware
- Provide 3 VMs using barebones
- VMware version 4.1 (todo - confirm version number)
- install CentOS 5 64-bit on each VM
- install Apache web server on the web server VM only
- install package manager (yum or apt-get)
...
- The data center is physically secure.
- VMware installation has latest kernel updates/patches
Please let us know if any of these assumptions is incorrect.
SELinux
Do not enable SELinux.
...
All VMs shall be accessible via ssh.
The city will provide public keys for those that will have linux root access.
...
Services
...
All services shall be disabled unless otherwise requested.
Specifically, the following shall be disabled:
- NFS
- FTP
- incoming mail
The following shall be enabled:
- outgoing mail
- SSH
- firewall (see below)
Firewall Configuration
Web Server VM
Allow access to the web server VM on:
- ssh
- port 80
...
Allow access to the geo server VM on:
- ssh
- port 8080 from web server
...
Allow access to the db server VM on:
- ssh
- port 5432 from web server
- port 5432 from geo server
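The three per-VM firewall policies above, written once as a table and rendered into iptables commands for each VM. This is an added example, not part of the planning document or anything carinet provides; the 10.0.0.x addresses are constructed placeholders for one environment, so a cloned QA or PROD environment is handled by re-rendering with its own addresses rather than hand-editing rules on each VM.

```python
"""Firewall policy for the web/geo/db assembly, rendered per VM as iptables
commands (CentOS 5 style, state match). Default-deny on INPUT; only the
services listed in the planning document are opened."""

# Constructed example addresses for one environment; replace per environment.
DEV_HOSTS = {"web": "10.0.0.10", "geo": "10.0.0.11", "db": "10.0.0.12"}

# Policy from the document: (vm, tcp port) -> allowed sources.
# "any" means any source; other names are VMs in the same environment.
POLICY = {
    ("web", 22): ["any"],
    ("web", 80): ["any"],
    ("geo", 22): ["any"],
    ("geo", 8080): ["web"],
    ("db", 22): ["any"],
    ("db", 5432): ["web", "geo"],
}


def allowed(vm, src, port, hosts=DEV_HOSTS):
    """True if the policy lets traffic from src (VM name or IP) reach vm:port."""
    sources = POLICY.get((vm, port), [])
    if "any" in sources:
        return True
    src_ip = hosts.get(src, src)
    return any(hosts[s] == src_ip for s in sources)


def iptables_rules(vm, hosts=DEV_HOSTS):
    """Render a default-deny INPUT chain for one VM from POLICY."""
    lines = [
        "iptables -F INPUT",
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for (target, port), sources in sorted(POLICY.items()):
        if target != vm:
            continue
        for s in sources:
            src = "" if s == "any" else " -s %s/32" % hosts[s]
            lines.append("iptables -A INPUT -p tcp%s --dport %d -j ACCEPT" % (src, port))
    return lines


if __name__ == "__main__":
    for name in ("web", "geo", "db"):
        print("# %s VM" % name)
        print("\n".join(iptables_rules(name)))
```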
...
TCP Wrapper Configuration
...
Can we restrict port level access?
...
- Allow requests from the web and geo servers on port 5432
- Allow ssh requests from all
- Deny requests from all other hosts on port 5432
Is there anything we missed?
Any changes that you recommend?
SFGov Responsibilities
Install application software including the following.
You (city employees) will need to see the EAS SVN readme for all the excruciating details.
...
- Java virtual machine
- tomcat
- geoserver
Database
- GEOS
- proj4
- PostgreSQL with PostGIS
- we want the DBA team and the postgresql consultant involved here
Web Server
- gdal
- python
- django
- geo-django
...
- browser/geoserver - localhost:8080
- pgadmin/database - localhost:5432
Test the EAS application connection