------------------------------------------------------------ revno: 245 committer: Sylvain Beucler <[email protected]> branch nick: infra timestamp: Sat 2010-12-18 20:56:20 +0100 message: Update documentation for Dom0 + start backup scripts added: TODO backup/ backup/dl-confidential.sh backup/dl.sh modified: dom0.txt
=== added file 'TODO'
--- a/TODO 1970-01-01 00:00:00 +0000
+++ b/TODO 2010-12-18 19:56:20 +0000
@@ -0,0 +1,2 @@
+- Mount filesystems with noatime
+- Update cvs/check_cvsroot
=== added directory 'backup'
=== added file 'backup/dl-confidential.sh'
--- a/backup/dl-confidential.sh 1970-01-01 00:00:00 +0000
+++ b/backup/dl-confidential.sh 2010-12-18 19:56:20 +0000
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Confidential files
+
+rsync -avHS [email protected]:/ colonialone.fsf.org/ \
+ --include '/root/' \
+ --include '/root/.ssh/' \
+ --include '/root/.ssh/authorized_keys' \
+ --exclude '*'
=== added file 'backup/dl.sh'
--- a/backup/dl.sh 1970-01-01 00:00:00 +0000
+++ b/backup/dl.sh 2010-12-18 19:56:20 +0000
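Review bot: The confidential copy is written into `colonialone.fsf.org/`, the same destination tree that dl.sh fills with files whose header says they should be made public, so publishing that tree as-is would expose the fetched `/root/.ssh/authorized_keys`; giving this script its own destination, e.g. `rsync -avHS [email protected]:/ colonialone.fsf.org-confidential/ \`, keeps the two classes of files separable. Nothing restricts the permissions of the local copy either: rsync -a mirrors the source modes, so the destination directory ends up with whatever `/` on the host carries rather than something owner-only; a `chmod 700 -- colonialone.fsf.org-confidential` after the rsync line (or `mkdir -m 700` before it, if rsync is confirmed not to reset the top directory's mode) closes that. The script also has no `set -e`, so a failed rsync is not reported to a calling cron job.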
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# These are the files necessary to rebuild the system. They come as a
+# complement to the .txt instructions files from the 'administration'
+# repository. Ideally we should automatically generate this file
+# using the '#file:' annotations in those files (we could also check
+# if all files are well rsync'd, so we could track typos).
+
+# Do not backup generatable or sed-able files. Document how to
+# produce them instead.
+
+# We should make these files public so that people could easily
+# reproduce the Savannah configuration. Backup confidential files
+# (such as 'authorized_files') using 'dl-confidential.sh'.
+
+rsync -avHS [email protected]:/ colonialone.fsf.org/ \
+ \
+ --exclude '*~' \
+ \
+ --include '/root/' \
+ --include '/root/.profile' \
+ --include '/root/remote_backup.sh' \
+ \
+ --include '/home/' \
+ --include '/home/syncaliases/' \
+ --include '/home/syncaliases/00_aliases/' \
+ --include '/home/syncaliases/00_aliases/aliases' \
+ --include '/home/syncaliases/00_aliases/README' \
+ --include '/home/syncaliases/.ssh/' \
+ --include '/home/syncaliases/.ssh/authorized_keys' \
+ \
+ --include '/etc/' \
+ --include '/etc/aliases' \
+ --include '/etc/cron.daily/' \
+ --include '/etc/cron.daily/backup-bind' \
+ --include '/etc/diffmon/' \
+ --include '/etc/diffmon/diffmon.cf' \
+ \
+ --include '/etc/' \
+ --include '/etc/xen/' \
+ --include '/etc/xen/xend-config.sxp' \
+ --include '/etc/xen/auto/***' \
+ --include '/etc/xen/disabled/***' \
+ \
+ --include '/etc/' \
+ --include '/etc/network/' \
+ --include '/etc/network/interfaces' \
+ --include '/etc/network/firewall.sh' \
+ \
+ --exclude '*'
+
+rsync -avHS [email protected]:/ vcs-noshell.in.sv.gnu.org/ \
+ \
+ --include '/etc/' \
+ --include '/etc/init.d/' \
+ --include '/etc/init.d/cvs-permissions' \
+ --include '/etc/init.d/cvs_lockdirs' \
+ --include '/etc/libnss-mysql.cfg' \
+ --include '/etc/libnss-mysql-root.cfg' \
+ \
+ --exclude '*'
+# Mangle passwords (TODO: split them in separate file)
+sed -i -e 's/^password.*/password XXXXX/' \
+ vcs-noshell.in.sv.gnu.org/etc/libnss-mysql.cfg \
+ vcs-noshell.in.sv.gnu.org/etc/libnss-mysql-root.cfg
+
+rsync -avHS [email protected]:/ frontend.in.sv.gnu.org/ \
+ \
+ --exclude '*~' \
+ \
+ --include '/etc/' \
+ --include '/etc/cron.daily/' \
+ --include '/etc/cron.daily/sv_list_groups' \
+ \
+ --include '/etc/' \
+ --include '/etc/apache2/' \
+ --include '/etc/apache2/sites-availables/***' \
+ --include '/etc/apache2/conf.d/' \
+ --include '/etc/apache2/conf.d/detect_bot.conf' \
+ \
+ --include '/etc/' \
+ --include '/etc/savane/' \
+ --include '/etc/savane/.savane.conf.php' \
+ --include '/etc/savane/savane.conf.pl' \
+ \
+ --exclude '*'
+# Mangle passwords (TODO: split them in separate file)
+sed -i -e 's/\$sys_dbpasswd=.*/$sys_dbpasswd=XXXXX/' \
+ frontend.in.sv.gnu.org/etc/savane/.savane.conf.php \
+ frontend.in.sv.gnu.org/etc/savane/savane.conf.pl
=== modified file 'dom0.txt'
--- a/dom0.txt 2009-06-22 22:10:58 +0000
+++ b/dom0.txt 2010-12-18 19:56:20 +0000
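Review bot: `--include '/etc/apache2/sites-availables/***'` in the frontend rsync does not match Debian's `/etc/apache2/sites-available/`, so the vhost configuration is silently skipped — exactly the kind of typo the header comment says it would like to detect; the line should read `--include '/etc/apache2/sites-available/***' \`. The password mangling has no safety net either: the script has no `set -e`, and the copied libnss-mysql and savane config files hold the real credentials from the moment rsync finishes until the `sed -i` succeeds, with nothing confirming that the pattern matched at all (a `$sys_dbpasswd =` with spaces, or a `password` key in a different form, leaves the secret in a tree the header intends to publish). Adding `set -e` after the shebang and, after each sed, a check that every mangled file now contains `XXXXX` (for example `grep -q XXXXX -- "$f" || exit 1` over the two files just edited) would make the run fail loudly instead of producing a publishable-looking tree that still carries secrets. The header's `'authorized_files'` presumably means `authorized_keys`, the file dl-confidential.sh actually fetches.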
@@ -1,54 +1,58 @@
-dom0 - or the host/root system, in which the guest/vservers live
-
-# Replicate /etc/passwd and /etc/group
-# file: /etc/cron.d/savane
-
-# Check for cracking attemps
-# file: /etc/cron.d/check_cvsroot
-
-Other things of interest:
-
-- The data filesystem is mounted with acl,noatime options
-
-- alternate SSH running on port 24 in case you crash port 22's
-
-- user 'root2' with a different password can be used via the virtual
- console
-
-- offline Apache with "sorry we're in maintenance" message ready to be
- run in case of downtime
-
-- exim4 is configured to forward to 10.0.0.101
-
-
-Special files and dirs:
-/root/
-/usr/src/
-/etc/cron.d/savane
-/etc/cron.d/check_cvsroot
-/etc/snmp/snmpd.conf
-/etc/network/interfaces
-/etc/network/firewall.sh
-/etc/modules
-/etc/munin/munin-node.conf
-/etc/munin/plugin-conf.d/munin-node
-/home/svadmin/
-/home/syncaliases/
-/var/www/
-/etc/aliases
-
-/etc/mdadm/mdadm.conf
-# notification to root-all (i.e. Savannah Hackers + FSF Sysadmins)q:
-MAILADDR root-all
-
-# Disabled:
-#aptitude install chkrootkit tiger
-# adapt Debian-specific configuration, attempting to reduce noise:
-#sed -i -e 's/DIFF_MODE=.*/DIFF_MODE="true"/' /etc/chkrootkit.conf
+# dom0 - or the host/root system, in which the guest/VMs live
+
+# FSF sysadmin:
+# /etc/snmp/snmpd.conf
+# mdadm
+# Check that notifications are sent to both Savannah Hackers and FSF Sysadmins
+#sed -i -e 's/AUTOCHECK=.*/# Caused troubles when it happened during the backup\nAUTOCHECK=false/' /etc/default/mdadm
+
+#file: /etc/xen/auto/
+#file: /etc/xen/disabled/
+# Disable snapshotting on shutdown:
+sed -i -e 's,XENDOMAINS_SAVE="",XENDOMAINS_SAVE=/var/lib/xen/save,'
+# Configure /etc/xen/xend-config.sxp to work with virt-manager
+# [(xend-unix-server yes)], and disable use of 'peth0'
+# [(network-script network-dummy)]; not sure what FSF sysadmin
+# configure, so backing it up:
+#file: /etc/xen/xend-config.sxp
+
+# TODO: Rebuild /etc/xen/mbr/ by script
+# (empty fake MBRs to fool GRUB in the VMs)
+
+
+apt-get install ntp
+# Install /root/.ssh/authorized_keys (confidential)
+
+# file: /root/remote_backup.sh
+# file: /root/.profile
+
+apt-get install diffmon
+# file: /etc/diffmon/diffmon.cf
+
+# file: /etc/cron.daily/backup-bind
+
+# file: /etc/aliases
+sed -i -e 's/^root:.*/root: [email protected], [email protected], root/' /etc/aliases
+# Aliases @savannah.gnu.org:
+adduser syncaliases
+# file: /home/syncaliases/00_aliases/aliases
+# file: /home/syncaliases/00_aliases/README
+# file: /home/syncaliases/.ssh/authorized_keys
+
+
+
+# Add user 'root2' with a different password can be used via the virtual console
+
+# Network:
+# file: /etc/network/interfaces
+# file: /etc/network/firewall.sh
 apt-get install munin-node
-- munin-node.conf:
-allow ^10\.0\.0\.101$
-- plugin-conf.d:
-[cpu*]
-env.scaleto100 yes
+echo "allow ^10\.1\.0\.101$" >> /etc/munin/munin-node.conf
+invoke-rc.d numunin-node restart
+
+# Optional:
+#cat <<EOF >> /etc/munin/plugin-conf.d/munin-node
+#[cpu*]
+#env.scaleto100 yes
+#EOF
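Review bot: Two of the commands added to this runbook fail if pasted as written: `invoke-rc.d numunin-node restart` is a typo for `invoke-rc.d munin-node restart` (the package installed on the line above), and `sed -i -e 's,XENDOMAINS_SAVE="",XENDOMAINS_SAVE=/var/lib/xen/save,'` names no file to edit, so sed has nothing to operate on — the target is presumably `/etc/default/xendomains`; confirm and append it. That same line is labelled "Disable snapshotting on shutdown" yet replaces an empty `XENDOMAINS_SAVE` with a save path; if an empty value is what disables saving, the substitution runs in the wrong direction and the comment or the command needs fixing. The `echo "allow ^10\.1\.0\.101$" >> /etc/munin/munin-node.conf` line appends a fresh allow rule every time the runbook is replayed; guarding it with `grep -q 'allow ^10\\.1\\.0\\.101\$' /etc/munin/munin-node.conf ||` keeps the config idempotent. The old text also documented the alternate SSH port, the maintenance Apache and the exim4 forward, none of which reappear in the new version — worth confirming they were dropped on purpose.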
