Opened 4 years ago

Closed 8 months ago

#11829 closed task (fixed)

Form an opinion if/which services running on baron directly should better be moved to a VM

Reported by: zooey
Owned by: haiku-web
Priority: normal
Milestone:
Component: Sys-Admin
Version:
Keywords:
Cc:
Blocked By:
Blocking:
Has a Patch: no
Platform: All

Description

Currently, a couple of services run on baron directly:

  • buildbot master
  • downloads.haiku-os.org
  • server-stats.haiku-os.org
  • web-stats.haiku-os.org
  • rsync daemon feeding our mirrors

From a security perspective, this isn't very nice, as baron is the hypervisor, which means that any break-in via a service running on it could provide access to all VMs, too. Having those services run in a (maybe additional) VM would limit the risk of an intrusion at least to some extent.

Some of these services (most notably: download.haiku-os.org and the mirror feed) have been put onto baron for a reason: they place considerable demands on network bandwidth and disk space, so moving them to a VM isn't straightforward.

Change History (2)

comment:1 Changed 11 months ago by nielx

Owner: changed from haiku-sysadmin to haiku-web
Status: new → assigned

The haiku-sysadmin user no longer exists, changing to haiku-web.

comment:2 Changed 8 months ago by kallisti5

Resolution: fixed
Status: assigned → closed

This is no longer relevant. All services run isolated within containers on the new infrastructure.

The code for all of our infrastructure is in git at: http://github.com/haiku/infrastructure. You can stand up "everything" based on that.
