
Deployment

Diagram - Single Environment

RAM (GB)

         web   db   geo   total
DEV      3     4    5     12
QA       4     6    8     18
PROD     4     6    8     18
TOTAL                     48

DISK

         web     db      geo      total
DEV      1       1       1        3
QA       8 GB    8 GB    8 GB     24 GB
PROD     10 GB   20 GB   200 GB   230 GB

For our first pass, we would like to set up 3 machines as shown in the diagram above. Let us call the 3 machines together the "application". We will have 3 environments: DEV, QA, PROD. We want to be able to promote the application from DEV to QA, and from QA to PROD.

Application failover must be achieved within 2-4 hours and proceeds in several ways depending on the nature of the failure. Here we discuss failover only in the context of lost connectivity to the data center with an uncertain time to restore operations at that data center. When there is a configuration change, either at the VM level or at the application level, we clone the entire application and store it offsite (at the city?). Should the data center fail badly (fire, etc.), we provide Carinet with the application, and Carinet brings up the application at another location.

We plan to move the application to our data center by midyear 2011. We want to ensure that the application is portable. The chips in our data center will be Intel Xeon. We expect to do a VM copy (or similar) and do not need vMotion. Does this all seem right?

We're planning to use VMware vSphere Essentials Kits to manage the VMs. It will be Carinet's responsibility to set up the Essentials Kits on all VMs; SFGov should be able to connect to the VMs remotely via vSphere Client.

Carinet Responsibilities

  • Provision hardware
  • Provide 3 VMs
  • VMware version 4.1
  • Install CentOS 5 64-bit on each VM
  • Install package manager (yum or apt-get)

All other software will be installed by city employees.

Security

We assume the following.

  • The data center is physically secure.
  • The VMware installation has the latest kernel updates/patches.

Please let us know if any of these assumptions is incorrect.

SELinux

Do not enable SELinux.

SSH Access

All VMs shall be accessible via ssh.
The city will provide public keys for those who will have Linux root access.

Services

All services shall be disabled unless otherwise requested.
Specifically, the following shall be disabled:

  • NFS
  • FTP
  • incoming mail

And the following shall be enabled:

  • outgoing mail
  • SSH
  • firewall (see below)

Firewall Configuration

Allow access to the web server VM via:

  • ssh
  • port 80

Allow access to the geo server VM via:

  • ssh
  • port 8080 from web server

Allow access to the db server VM via:

  • ssh
  • port 5432 from web server
  • port 5432 from geo server

TCP Wrapper Configuration

Can we restrict port-level access?

  • web
    1. Allow requests from all hosts on port 80
    2. Allow ssh requests from all
    3. Deny requests on all other ports
  • geo
    1. Allow requests from the web server on port 8080
    2. Allow ssh requests from all
    3. Deny requests from all other hosts on port 8080
  • db
    1. Allow requests from the web & geo servers on port 5432
    2. Allow ssh requests from all
    3. Deny requests from all other hosts on port 5432

Is there anything we missed?
Any changes that you recommend?

SFGov Responsibilities

Install application software including the following.

You (city employees) will need to see the EAS SVN readme for all the excruciating details.

Geoserver

  • Java virtual machine
  • Tomcat
  • GeoServer

Database

  • GEOS
  • proj4
  • PostgreSQL with PostGIS
  • we want the DBA team and the PostgreSQL consultant involved here

Web Server

  • GDAL
  • Python
  • Django
  • GeoDjango

All VMs

  • set up Nagios
    • what version?
    • monitor and notify for the following
      • disk space
      • what else?

Linux admin

  • set up appropriate new linux users
    • Password & Access security
    • use of public/private keys
  • limit root access
  • use sudo as needed
  • provide file system security
    • umask settings
    • setting up appropriate file permissions

Tests

Test the following application/server connection pairs via SSH tunnel

  1. browser/geoserver - localhost:8080
  2. pgadmin/database - localhost:5432

Test the EAS application
