Integration of LanDB sets in CDB
Vladimír Bahyl
Project ELFms meeting, 4 July 2005
Vladimir.Bahyl@cern.ch

Outline
- Introduction to LanDB sets
- Integration with CDB
  - LanDB; CDB; CDBSQL point of view
- Users' requirements
  - CNIC
  - Firewall
- Discussion topics

LanDB sets introduction
- Grouping of nodes based on the IP address
- Created manually using the LanDB web interface
- Used for:
  - Network topology authorisation
  - Firewall configuration

Integration with CDB – LanDB side
- Agreed prefix: "IT CC"
- FIO LanDB sets' owner: ccservic

Integration with CDB – CDB side
- New field in CDB:
  - "/system/set/it_cc_setname/active" = true
- Hash with boolean
- Allows:
  - Easy disabling of membership on the machine level
  - Some complicated structures (thanks to Jan van Eldik):
    "/system/set" = if (is_defined(setname)) nlist(setname, nlist("active", true))

Integration with CDB – CDBSQL side
- New view (thanks to Maciej Stepniewski): vwpathnames
  - Contains all CDB paths
  - Not yet periodically updated
- Synchronization script
  - Extracts all sets from CDBSQL
  - Updates LanDB (connecting as user ccservic)
    - Removes unexpected nodes for all sets defined in CDB
    - (Removal of sets in the "IT CC" domain is not yet possible)
  - Runs once per day on both LXSERVB* nodes (7 am, 2 pm)

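An added example, not the project's synchronization script: a Python sketch of the reconciliation the script has to perform, computing from constructed CDB rows and a constructed LanDB membership which hosts to add to and remove from each "IT CC" set, while leaving sets that are not defined in CDB untouched. The function names, the row layout and all hostnames are assumptions.

```python
import re

# Constructed rows standing in for the CDBSQL "vwpathnames" view: (hostname, path, value).
# Path layout follows the slides: "/system/set/<setname>/active" = true|false.
CDB_ROWS = [
    ("lxplus001", "/system/set/it_cc_lxplus/active", "true"),
    ("lxplus002", "/system/set/it_cc_lxplus/active", "true"),
    ("lxplus003", "/system/set/it_cc_lxplus/active", "false"),  # membership disabled on the node
    ("srm01", "/system/set/it_cc_srm/active", "true"),
    ("db01", "/system/cluster/name", "oracle"),  # unrelated CDB path, ignored
]
# Constructed current LanDB membership, keyed by LanDB set name.
LANDB_SETS = {
    "IT CC LXPLUS": {"lxplus001", "lxplus003", "oldnode"},
    "IT CC SRM": set(),
    "IT CC LEGACY": {"legacy01"},  # known only to LanDB: left alone, set removal is not possible
}
SET_PATH = re.compile(r"^/system/set/([^/]+)/active$")

def landb_name(cdb_setname):
    """Map the CDB key 'it_cc_lxplus' to the LanDB set name 'IT CC LXPLUS'."""
    parts = cdb_setname.split("_")
    if parts[:2] != ["it", "cc"]:
        raise ValueError("set outside the agreed 'IT CC' prefix: " + cdb_setname)
    return " ".join(p.upper() for p in parts)

def sets_from_cdb(rows):
    """Desired membership: a host is in a set only when its 'active' flag is true."""
    desired = {}
    for host, path, value in rows:
        match = SET_PATH.match(path)
        if match is None:
            continue
        name = landb_name(match.group(1))
        desired.setdefault(name, set())  # set stays 'defined in CDB' even if all members are inactive
        if value == "true":
            desired[name].add(host)
    return desired

def plan_sync(cdb_rows, landb_sets):
    """Per set defined in CDB: hosts to add to LanDB and unexpected hosts to remove.
    Sets known only to LanDB are untouched, matching the script's documented limitation."""
    desired = sets_from_cdb(cdb_rows)
    plan = {}
    for name, hosts in desired.items():
        current = landb_sets.get(name, set())
        plan[name] = {"add": sorted(hosts - current), "remove": sorted(current - hosts)}
    return plan
```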
CNIC requirements (1/2)
- Technical network
- General Purpose network access restrictions
- List of FIO services they need to trust (provided by Stefan Lüders):
  - AFS
  - Kerberos (separated from AFS)
  - CASTOR (!)
    - Split into small groups would be appreciated
  - LinuxFC (?)
  - TSM
  - Other sets will be: CA, CMF, CVS, DB, DIP, DFS, LDAP, License, Network, Printing, SMTP/CERNMX, WTS
    - Some of these are defined in CDB, some are not …

CNIC requirements (2/2)
- Keep it minimal = production servers only!
- Timeline: autumn 2006
- Important: "However, having the sets ready earlier allows us to properly move from the current situation to the new sets. These sets do not necessarily have to be automatically updated, you might do it manually in the first instance. Important to us is that a set always contains all relevant production servers such that the technical network remains functioning."

Computer Security requirements
- Firewall configuration
- Example – open port in the CERN firewall:
  - For "IT CC LXPLUS" – port = 22/TCP
  - For "IT CC SRM" – port = 8443/TCP
- Grouping of nodes preferably by service/functionality, not by the port!
  - I.e.: "IT CC LXPLUS" is OK, "IT CC SSH" is NOT OK
- Concentrate only on those groups of nodes where there is high fluctuation of machines
  - I.e. do not care about one special server here and there; that will be done by hand
- Keep it minimal = production servers only!

Discussion topics
- What nodes to group?
  - Only those that asked for?
  - How to do it? Per cluster or per application/service?
    - Example: various MySQL servers across several experiments
- What to do with non-FIO nodes in CDB?

Thank you
- Vladimir.Bahyl@cern.ch
- http://cern.ch/vlado