Deployment
Carinet Responsibilities
Provision hardware and VMs
All machines
- OS: Centos 5 64 bit
Software requirements
Install Apache web server on the web server VM.
All other software will be installed by city employees.
Security
...
| Table of Contents |
|---|
...
Diagram - Single Environment
...
...
RAM (GB)
...
| web | db | geo | total |
|---|---|---|---|---|
DEV | 3 | 4 | 5 | 12 |
QA | 4 | 8 | 8 | 20 |
PROD | 4 | 8 | 8 | 20 |
TOTAL | 48 |
...
DISK (GB)
...
| web | db | geo | total |
|---|---|---|---|---|
DEV | 10 GB | 32GB | 200GB | 242GB |
QA | 10 GB | 32GB | 200GB | 242GB |
PROD | 10 GB | 32GB | 200GB | 242GB |
...
failover
...
Application failover must be achieved within 2-4 hours and proceeds several ways depending on the nature of the failure. Here we discuss fail-over only in the context of lost connectivity to the data center with an uncertain time to restore operations at that datacenter. When there is a configuration change, either at the VM level or at the application level, we clone the entire application and store it offsite (at the city?). Should the datacenter fail badly (fire, etc), we provide carinet with the application, and carinet brings up the application at another location.
...
portibility
...
We plan to move the application to our data center by midyear 2011. We want to insure that the application is portable. The chips in our data center will be Intel Xeon. We expect to do a VM copy (or similar) and do not need v-motion. Does this all seem right?
...
vm admin
...
We're planning to use VMware vSphere Essentials Kits to manage the VMs. This will be a Carinet responsibility to setup the Essential Kits on all VMs, SFGov should be able to connect to the VMs remotely via vSphere Client.
...
SE Linux
...
Do not enable SE Linux.
...
SSH Access
...
All access will be through VMs shall be accessible via ssh.
The city will provide public keys for those that will have linux root access.
...
linux services
...
All services shall be disabled unless otherwise requested.
This shall include Specifically, the following :shall be disabled
- NFS
- FTP
- incoming mail
The And the following services shall be enabled.
- outgoing mail
- SSH
- firewall
...
Firewall Configuration
...
Web Server VM
Allow access from
- ssh
- port 80
Geo Server VM
Allow access from
- ssh
- port 8080 from web server
DB Server VM
Allow access from
- ssh
- port 5432 from web server
- port 5432 from geo server
...
TCP Wrapper
...
Can we restrict port level access?
- web
- Allow request from all host on port 80
- Allow ssh request from all
- Deny requests on all other ports
- geo
- Allow request from web server on port 8080
- Allow ssh request from all
- Deny request from all other host on port 8080
- db
- Allow request from web & geo server on port 5432
- Allow ssh request from all
- Deny request from all other host on port 5432
Packages/Modules: Barebones from VMware on all servers with firewall enabled and package manager(yum or Apt-get) installed
SFGov Responsibilites
Install application software including the following:
- java virutal machine
- tomcat
- postresql
Set up appropriate new users, restricting root access
File system security: Umask settings, setting up appropriate file permissions
Password & Access security: Use of public/private keys, SSH tunnels.
Tests
...
- (see below)
...
firewall
...
Allow access only as specified in the deployment diagram.