Re: [CentOS-virt] virtual sprawl - managing password changes

2008-05-16 Thread Luke S Crawford
"Jeff Larsen" <[EMAIL PROTECTED]> writes:
> I'm wondering how the rest of the community is managing updates of
> root (and other local account) passwords in a virtual sprawl
> environment (or a physical environment with lots of hosts).

> I have read about things like expect, puttycs, centralize with kerberos, etc.

The way I've seen it done at every large installation I've worked is
some sort of auto-pushed password files for authorization, but no valid
passwords in the password file (except for root, as explained below). The
authentication is either handled with ssh public keys (authorized_keys files
distributed via rsync or NFS) or with kerberos. I like kerberos, personally,
but the ssh authorized_keys setup is harder to screw up, and it works
fine as well.

As for the root password, the best practice is to make it so that the root
password is *only* useful once you have console. (Of course we have all
disabled remote root login with password long ago - disable su and prune
/etc/securetty - force your SysAdmins to use ksu or sudo instead of su if
they log in remotely, and log.) If you do this correctly, the root
password becomes much less sensitive, and you can keep it in the password
files you rsync around.

I worked at one place that used the rsync of the password file and
~user/.ssh/authorized_keys setup that had tens of thousands of servers.
The copy became a bit more complicated than just an rsync, but the system
did scale.
___
CentOS-virt mailing list
CentOS-virt@centos.org
http://lists.centos.org/mailman/listinfo/centos-virt
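
An audit for the setup described in the message above, as an added example that is not part of the original post: it checks that no account other than root has a usable password hash, that /etc/securetty lists only console devices, and that sshd does not accept root password logins. The file contents are constructed samples, the function names are hypothetical, and a missing PermitRootLogin is assumed to mean the older default of yes.

```python
import re

# Constructed sample file contents (not from the thread).
SHADOW = """\
root:$1$CONSTRUC$constructedroothashxx:14000:0:99999:7:::
alice:!!:14000:0:99999:7:::
carol:$1$CONSTRUC$constructeduserhashxx:14000:0:99999:7:::
"""
SECURETTY = "console\ntty1\nttyS0\npts/0\n"
SSHD_CONFIG = "# constructed\nPermitRootLogin yes\nPasswordAuthentication no\n"

LOCAL_TTY = re.compile(r"^(console|tty\d+|ttyS\d+|vc/\d+|hvc\d+|xvc\d+)$")
NO_ROOT_PASSWORD = {"no", "without-password", "prohibit-password", "forced-commands-only"}


def usable_password_accounts(shadow_text):
    """Non-root accounts whose shadow field is not locked ('!' or '*' prefix)."""
    rows = [l.split(":") for l in shadow_text.splitlines() if ":" in l]
    # An empty field is reported too: it means no password is needed at all.
    return [r[0] for r in rows if r[0] != "root" and not r[1].startswith(("!", "*"))]


def non_console_ttys(securetty_text):
    """securetty entries that are not a local or serial console."""
    entries = [l.strip() for l in securetty_text.splitlines()]
    return [e for e in entries if e and not e.startswith("#") and not LOCAL_TTY.match(e)]


def root_password_over_ssh(sshd_text):
    """True unless the global PermitRootLogin value rules out password logins."""
    for line in sshd_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0].lower() == "match":
            break  # per-match overrides are out of scope here
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower() not in NO_ROOT_PASSWORD  # first value wins
    return True  # assumption: directive absent means the old default, "yes"


def audit(shadow_text, securetty_text, sshd_text):
    """Collect every deviation from the console-only root password setup."""
    findings = [f"valid password hash for {n}" for n in usable_password_accounts(shadow_text)]
    findings += [f"root login allowed on {t}" for t in non_console_ttys(securetty_text)]
    if root_password_over_ssh(sshd_text):
        findings.append("sshd accepts root password logins")
    return findings
```

Run against the real /etc/shadow, /etc/securetty and sshd_config contents on each host after the password files are pushed; an empty list means the root password is only usable from the console.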


Re: [CentOS-virt] virtual sprawl - managing password changes

2008-05-16 Thread Mark Foster

Jeff Larsen wrote:
> We are using the free VMware Server on CentOS 4. Almost all of our VMs
> are CentOS 4 as well. We have 7 VMware hosts with about 40 total
> virtual machines. It's been a very successful architecture for us.
>
> I'm wondering how the rest of the community is managing updates of
> root (and other local account) passwords in a virtual sprawl
> environment (or a physical environment with lots of hosts).
>
> I have read about things like expect, puttycs, centralize with kerberos, etc.
>
> But I'm not looking for "options" here, I want to hear actual
> experiences! What has worked for you, what hasn't worked? Or do you
> feel that the chance for failure is too great and the results too
> catastrophic?
  
Puppet can control user attributes like passwords quite easily, provided 
you set it up right.

http://www.reductivelabs.com/trac/puppet/wiki/PuppetRedHatCentos

CFengine can as well but not so elegantly as puppet which implements a 
provider model (users, group, packages, cronjobs etc)


--
Some days it's just not worth chewing through the restraints...
Mark D. Foster, CISSP <[EMAIL PROTECTED]>  http://mark.foster.cc/




Re: [CentOS-virt] virtual sprawl - managing password changes

2008-05-16 Thread Eli Stair


There's nothing unique about VMs vs. standard machine deployments, you're 
looking at a standard UNIX admin practice.  I personally run cfengine for 
maintaining everything configuration-related across all *NIX'es, and 
LDAP/kerberos (via AD) for all non-root logins, across our entire enterprise. 
There are numerous ways to achieve "it" with varying levels of security, work, 
and knowledge required, but at the _simplest_ you could just maintain 
passwd/shadow/group/etc users via cfengine, or set up a basic NIS deployment 
for users (more trivial and easy to pick up than LDAP/.


The topic is more general than CentOS/Xen, and you have an entire world of 
options in reality.  Pick one that you're comfortable with and meets your needs 
after asking (which you are).  If you ask a wide enough audience, you'll 
inevitably get pros/cons for each and every method, thus the requirement for 
you to do the research into them after.


So to answer as it sounds you want, I've been immensely happy with cfengine for 
handling anything you can conceive of as an administrator.  If you can do 
something from a shell, you can do it with cfengine in a very complex manner. 
For authentication, I actually recommend Active Directory, the ONLY Microsoft 
product I recommend.  Unfortunately they don't have a Linux package :)


Cheers,

/eli

Jeff Larsen wrote:
> We are using the free VMware Server on CentOS 4. Almost all of our VMs
> are CentOS 4 as well. We have 7 VMware hosts with about 40 total
> virtual machines. It's been a very successful architecture for us.
>
> I'm wondering how the rest of the community is managing updates of
> root (and other local account) passwords in a virtual sprawl
> environment (or a physical environment with lots of hosts).
>
> I have read about things like expect, puttycs, centralize with kerberos, etc.
>
> But I'm not looking for "options" here, I want to hear actual
> experiences! What has worked for you, what hasn't worked? Or do you
> feel that the chance for failure is too great and the results too
> catastrophic?
>
> Thanks,
>
> --
> Jeff


[CentOS-virt] virtual sprawl - managing password changes

2008-05-16 Thread Jeff Larsen
We are using the free VMware Server on CentOS 4. Almost all of our VMs
are CentOS 4 as well. We have 7 VMware hosts with about 40 total
virtual machines. It's been a very successful architecture for us.

I'm wondering how the rest of the community is managing updates of
root (and other local account) passwords in a virtual sprawl
environment (or a physical environment with lots of hosts).

I have read about things like expect, puttycs, centralize with kerberos, etc.

But I'm not looking for "options" here, I want to hear actual
experiences! What has worked for you, what hasn't worked? Or do you
feel that the chance for failure is too great and the results too
catastrophic?

Thanks,

-- 
Jeff


[CentOS-virt] Virtual Iron

2008-05-16 Thread Karanbir Singh

Guys FYI,

A couple of people from VirtualIron got in touch with me following on 
from the flexiscale donation (we have a few i386/x86_64 VM's hosted 
there, we == CentOS Project, that the QA guys are looking at using to do 
some of their work in)


Over the next few days, the Virtual Iron guys will prolly touch base 
with this list and see how the centos project might be able to work with 
them on various centos specific things.


- KB


[CentOS-virt] xm new

2008-05-16 Thread David Hláčik
Hello, I have CentOS 5.1 64bit, with xen3.2, using CentOS xen kernel, xen3.2
built from source rpm for CentOS.

Virtual machines work fine through xm create configname, but when I am trying
to add them to xen source:

xm new configname, this is what I get:

[EMAIL PROTECTED] xen]# xm new test01.hvm
Unexpected error: exceptions.ImportError
Please report to [EMAIL PROTECTED]
Traceback (most recent call last):
  File "/usr/sbin/xm", line 10, in ?
    main.main(sys.argv)
  File "/usr/lib64/python2.4/site-packages/xen/xm/main.py", line 2531, in main
    _, rc = _run_cmd(cmd, cmd_name, args)
  File "/usr/lib64/python2.4/site-packages/xen/xm/main.py", line 2555, in _run_cmd
    return True, cmd(args)
  File "", line 1, in
  File "/usr/lib64/python2.4/site-packages/xen/xm/main.py", line 1308, in xm_importcommand
    cmd = __import__(command, globals(), locals(), 'xen.xm')
  File "/usr/lib64/python2.4/site-packages/xen/xm/new.py", line 26, in ?
    from xen.xm.xenapi_create import *
  File "/usr/lib64/python2.4/site-packages/xen/xm/xenapi_create.py", line 23, in ?
    from xml.parsers.xmlproc import xmlproc, xmlval, xmldtd
ImportError: No module named xmlproc

Thanks in advance!

D.