Difference between revisions of "Educaship Proxmox"

From CNM Wiki
Jump to: navigation, search
(Instances)
(Secure Web)
 
(87 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Educaship Proxmox]] (hereinafter, [[#The VE]]) is the [[ProxmoxVE]] instances and supporting software packages that are used at [[CNM Farms]].
+
[[Educaship Proxmox]] (hereinafter, [[#The Cloud]]) is the combination of [[Proxmox Virtual Environment]] instances, those software packages that support them, as well as complete documentation for all of them that students and other customers of [[Educaship]] may utilize in their vocational skills and career development.
  
  
==Double Objective==
+
==Quadruple Objective==
===Functional Platform===
+
[[#The Cloud]] shall serve four objectives, from which (a) the [[#Technology Stack]] and (b) [[#Learning Material]] are primary and important equally.
===Learning Resource===
+
 
 +
===Learning Material===
 +
: [[#The Cloud]] shall be a collection of learning materials for those customers who would like to learn and, potentially, get prepared for their practice work in [[#The Cloud]]. Specifically, that means that [[#The Cloud]] shall:
 +
:# '''Be fully documented''' at the [[CNM Lab]] for those students who have a work-alike practice.
 +
:# '''Be well-documented''' without security-sensitive details at the [[CNMCyber.com]] for those students who would like to learn about [[#The Cloud]].
 +
 
 +
===Marketing Resource===
 +
: [[#The Cloud]] shall be used as resource in marketing of [[Educaship]] products. Particularly, we plan to introduce events such as "Guided Tour to Educaship Proxmox Cloud" and "State of Educaship Proxmox Cloud".
 +
 
 +
===Technology Stack===
 +
: [[#The Cloud]] shall technologically support functionality, usability, reliability, performance, security, scalability, and user satisfaction of [[Opplet]], which is the technology where the [[end-user]]s are served.
 +
 
 +
===Work-Alike Playground===
 +
: [[#The Cloud]] shall be a collection of software for those customers who would like to have a work-alike practice in [[#The Cloud]]. Specifically, that means that [[#The Cloud]] shall:
 +
:# '''Use various software'''; the students shall have opportunities to practice with as many popular [[COTS]] open-source packages as possible.
 +
:# '''Have advanced backup and recovery''' features; [[#The Cloud]] shall be resistible against incidents accidentally caused by the learners.
 +
:# '''Accommodate hands-on assignments''' during which the learners can test functionality of existing [[#Technology Stack]] and can experiment with new applications.
 +
 
 
==Instances==
 
==Instances==
Currently, [[#The VE]] consists of two instances, [[#Federated VE]] and [[#Peripheral VE]]. [[#We]] will consider [[#Adding More VEs]] when such a need emerges.
+
Currently, [[#The Cloud]] consists of the [[#Federated VE]] and one [[#Peripheral VE]]. [[#We]] will consider [[#Adding More VEs]] when such a need emerges.
  
 
===Federated VE===
 
===Federated VE===
: The federated part of [[#The VE]] is called [[CNM Bureau Farm]] and is based on three metal servers of [[Bureau Infrastructure]]. It utilizes <code>ha-manager</code> and [[Ceph]] storage.
+
: The federated part of [[#The Cloud]] is called [[CNM Bureau Farm]] and is based on three metal servers of [[Bureau Infrastructure]]. It utilizes [[#Server-Level HA]] and [[Ceph]] storage.
  
 
===Peripheral VE===
 
===Peripheral VE===
: The peripheral part of [[#The VE]] is called [[CNM Lab Farm]] and is based on one metal server of [[Lab Infrastructure]].
+
: The peripheral part of [[#The Cloud]] is called [[CNM Lab Farm]] and is based on one metal server of [[Lab Infrastructure]].
  
 
===Adding More VEs===
 
===Adding More VEs===
 
: When [[#We]] need more resources, [[#We]] plan to add more instances similar to [[#Peripheral VE]] to the [[#Federated VE]].
 
: When [[#We]] need more resources, [[#We]] plan to add more instances similar to [[#Peripheral VE]] to the [[#Federated VE]].
  
==Projects==
+
==High Availability==
 +
===Server-Level HA===
 +
: The [[#Federated VE]] features [[high availability]] ([[high availability|HA]]) at the server level. If one or two of its infrastructure nodes fail, the remaining working node should still perform the work. This feature is implemented while utilizing the <code>ha-manager</code> tool of [[#PVE]].
 +
 
 +
===Application-Level HA===
 +
: We don't plan to additionally cluster those applications that are located at the [[#Federated VE]]. At the application level, however, we plan to cluster those applications that are in production and are not deployed for experiments.
 +
 
 +
: We envision that each of those clusters would feature:
 +
:* [[Educaship HAProxy]] and/or similar proxies deployed behind [[Educaship pfSense]] at the [[#Federated VE]] to send outside world requests to one of the application instances.
 +
:* At least three identical application instances deployed at the [[#Peripheral VE]]. If one or two of these instances fail, the remaining working instance should still perform the work. At the same time, if the [[#Peripheral VE]] fail, the application would not be available.
 +
:* Some [[#Distributed Application Storage]].
 +
 
 +
===HA-Less Applications===
 +
: We don't plan to cluster those applications that are deployed for experiments at the [[#Peripheral VE]].
 +
 
 +
==Secure Web==
 +
The topic that unites web servers and SSL certificates is **secure web communication**.
 +
 
 +
Web servers are responsible for hosting websites and serving web pages to users. SSL certificates (Secure Sockets Layer certificates) are digital certificates used to establish a secure, encrypted connection between a web server and a user's web browser. This encryption ensures that any data transmitted between the web server and the user is protected from eavesdropping and tampering.
  
===Jitsi functionality===
+
By using SSL certificates, web servers can:
: Jitsi software is selected to be used for webconferencing. Currently, we use some instance outside of [[#The VE]] because of challenges as follows. We have multiple Jitsi installations, one of which is in Docker. In this installation, there is no sound at all. Also, when updating Docker, a conference is not created.
 
  
===Openness to the world===
+
1. **Encrypt Data**: Protect sensitive information such as login credentials, credit card numbers, and personal data during transmission.
: To utilize pfSense better, we consider clustering VMs at [[#Peripheral VE]] and placing [[HAProxy]] and similar proxies behind pfSense on the [[#Federated VE]].
+
2. **Authenticate Identity**: Verify the identity of the website, ensuring users are connecting to the legitimate site and not an imposter.
 +
3. **Establish Trust**: Provide users with visual indicators (like a padlock icon and "https" in the URL) that the connection is secure, thereby building trust.
 +
 
 +
Together, web servers and SSL certificates enable secure web communication, enhancing both the security and trustworthiness of online interactions.
 +
 
 +
===SSL Certificates===
 +
 
 +
Discussion around challenges with standalone certificates and better solutions like DNS challenge certificates.
 +
 
 +
Open Questions: Main issues with standalone certificates for production include renewals and not being the ideal solution. 16:02
 +
 
 +
General Information: Better alternative is DNS challenge certificates which require DNS management access but are more stable for renewals. 16:55
 +
 
 +
Next Steps: Plan to set up DNS challenge certificate solution during a live event.
 +
 
 +
===Web Servers===
 +
Identifying opportunities to optimize technologies used for similar purposes.
 +
 
 +
Ideas: Observation that nginx and Apache are used for similar purposes, suggesting consolidating. 28:05
 +
 
 +
==Functionality Projects==
 +
 
 +
===Jitsi Functionality===
 +
: [[Educaship Jitsi]], which is [[Jitsi]] software deployed at [[Opplet]], is used for webconferencing. Currently, we use some instance outside of [[#The Cloud]] because of challenges as follows. We have multiple Jitsi installations, one of which is in Docker. In this installation, there is no sound at all. Also, when updating Docker, a conference is not created.
 +
 
 +
===Openness to the World===
 +
: [[Educaship pfSense]], which is [[pfSense]] software deployed at [[Opplet]], is used as a [[firewall]] at [[#Federated VE]]. To utilize pfSense better, we consider the [[#Application-Level HA]].
  
 
: We are experiencing some issues obtaining SSL certificates for our sites running behind Pfsense. Due to the absence of the certificate, the service becomes completely unavailable.
 
: We are experiencing some issues obtaining SSL certificates for our sites running behind Pfsense. Due to the absence of the certificate, the service becomes completely unavailable.
  
===Storage for VMs===
+
===VM Automation===
: We are looking for solutions for distributed storage available to several VMs. We have several websites that use [[MariaDB]]; their databases are combined in a Galera Cluster. We need a solution for these websites' files to have a shared storage. We tried GlusterFS, but it seemed too slow to us. We copied the files to this storage for almost a week, and as a result, the website did not work.
+
: We would like [[#Peripheral VE]] and [[#Peripheral VE]] only to create a VM for each VM customer automatically. In some cases, we have used Ansible. For that purpose, we tentatively plan to establish [[Educaship Ansible]] and [[Educaship Terraform]]. However, we are open to any other solution as well.
  
===VM automation===
+
==Storage Projects==
: We would like [[#The VE]] to create a VM for each VM customer automatically. In some cases, we have used Ansible. We are open to any solution.
+
===Backup and Recovery Design===  
 +
: We also consider advancing the whole enterprise-wide backup and recovery system, which possibly, would be called [[Opplet Backup]].
  
===Monitoring===
+
===Backup and Recovery Tools===
: Our current monitoring doesn't satisfy us. We use Grafana for Proxmox. We would like to add several servers that do not use Proxmox, configure communication channels, and expand monitoring according to our tasks.
+
: For backups and recovery,
 +
:* [[Educaship Proxmox Backup]], which is [[Proxmox Backup Server]] software deployed at [[Opplet]], is used at [[#Federated VE]].  
 +
:* [[Educaship RAID]], which is [[RAID]] software deployed at [[Opplet]], is used at [[#Peripheral VE]].
  
===Security===
+
===Distributed Application Storage===
 +
: We are looking for solutions for distributed storage available to those applications that are clustered using the [[#Application-Level HA]] model.
 +
 
 +
: We have several applications such as [[Educaship Moodle]] or [[Educaship MediaWiki]] that use [[Educaship MariaDB]]; their databases are combined in a Galera Cluster, which more or less satisfies our needs. We would like to explore other options and find solutions for those applications such as [[Educaship GitLab]] that don't use [[Educaship MariaDB]].
 +
 
 +
===File Storage, Library, or Repository===
 +
: Our various applications may utilize the same files. We are looking for a solution for these websites' files to have a shared storage or library. We tried GlusterFS, but it seemed too slow to us. We copied the files to this storage for almost a week, and as a result, the website did not work.
 +
 
 +
: We envision that the solution will play a role similar to the role of Wikimedia Commons. The Commons is a media repository of images, sounds, videos and other media that various Wikimedia Foundation projects use.
 +
 
 +
Exploring storage options and budgets for file storage needs.
 +
 
 +
Next Steps: Agreement to further research storage options based on core requirements and budget. 30:45
 +
 
 +
Storage Options and Estimates
 +
Discussing storage needs and getting estimates for solutions.
 +
 
 +
Next Steps: Natalia explains she needs to expand storage but doesn't have the right now. Natalia will search for solutions and provide estimates. 40:06
 +
 
 +
Next Steps: Natalia says she will appreciate the estimates. 40:28
 +
 
 +
==Service Projects==
 +
 
 +
===Monitoring Design===
 +
: We consider advancing the whole enterprise-wide monitoring system, which possibly, would be called [[Opplet Monitor]].
 +
 
 +
: Particularly, we would like to decide where to locate monitoring tools -- (a) on [[#Federated VE]], (b) on [[#Peripheral VE]], (c) outside of the servers that serve [[#The Cloud]], or (d) some combination of something above.
 +
 
 +
===Monitoring Tools===
 +
: Our current monitoring doesn't satisfy us. We use [[Educaship Grafana]] for Proxmox. We would like to add several servers that do not use Proxmox, configure communication channels, and expand monitoring according to our tasks. We would also like to add [[Educaship Zabbix]] and [[Educaship Nagios]].
 +
 
 +
===Security Outline===
 
: Our security outline shall be reviewed and improved.
 
: Our security outline shall be reviewed and improved.
 
===Backup and recovery===
 
: We use [[Proxmox Backup Server]] on the [[#Federated VE]]. We consider adding NAS, as well as advancing backup and recovery systems.
 
  
 
==See also==
 
==See also==
  
 
[[Category:CNM COTS products]]
 
[[Category:CNM COTS products]]

Latest revision as of 20:38, 24 May 2024

Educaship Proxmox (hereinafter, #The Cloud) is the combination of Proxmox Virtual Environment instances, those software packages that support them, as well as complete documentation for all of them that students and other customers of Educaship may utilize in their vocational skills and career development.


Quadruple Objective

#The Cloud shall serve four objectives, from which (a) the #Technology Stack and (b) #Learning Material are primary and important equally.

Learning Material

#The Cloud shall be a collection of learning materials for those customers who would like to learn and, potentially, get prepared for their practice work in #The Cloud. Specifically, that means that #The Cloud shall:
  1. Be fully documented at the CNM Lab for those students who have a work-alike practice.
  2. Be well-documented without security-sensitive details at the CNMCyber.com for those students who would like to learn about #The Cloud.

Marketing Resource

#The Cloud shall be used as resource in marketing of Educaship products. Particularly, we plan to introduce events such as "Guided Tour to Educaship Proxmox Cloud" and "State of Educaship Proxmox Cloud".

Technology Stack

#The Cloud shall technologically support functionality, usability, reliability, performance, security, scalability, and user satisfaction of Opplet, which is the technology where the end-users are served.

Work-Alike Playground

#The Cloud shall be a collection of software for those customers who would like to have a work-alike practice in #The Cloud. Specifically, that means that #The Cloud shall:
  1. Use various software; the students shall have opportunities to practice with as many popular COTS open-source packages as possible.
  2. Have advanced backup and recovery features; #The Cloud shall be resistible against incidents accidentally caused by the learners.
  3. Accommodate hands-on assignments during which the learners can test functionality of existing #Technology Stack and can experiment with new applications.

Instances

Currently, #The Cloud consists of the #Federated VE and one #Peripheral VE. #We will consider #Adding More VEs when such a need emerges.

Federated VE

The federated part of #The Cloud is called CNM Bureau Farm and is based on three metal servers of Bureau Infrastructure. It utilizes #Server-Level HA and Ceph storage.

Peripheral VE

The peripheral part of #The Cloud is called CNM Lab Farm and is based on one metal server of Lab Infrastructure.

Adding More VEs

When #We need more resources, #We plan to add more instances similar to #Peripheral VE to the #Federated VE.

High Availability

Server-Level HA

The #Federated VE features high availability (HA) at the server level. If one or two of its infrastructure nodes fail, the remaining working node should still perform the work. This feature is implemented while utilizing the ha-manager tool of #PVE.

Application-Level HA

We don't plan to additionally cluster those applications that are located at the #Federated VE. At the application level, however, we plan to cluster those applications that are in production and are not deployed for experiments.
We envision that each of those clusters would feature:

HA-Less Applications

We don't plan to cluster those applications that are deployed for experiments at the #Peripheral VE.

Secure Web

The topic that unites web servers and SSL certificates is **secure web communication**.

Web servers are responsible for hosting websites and serving web pages to users. SSL certificates (Secure Sockets Layer certificates) are digital certificates used to establish a secure, encrypted connection between a web server and a user's web browser. This encryption ensures that any data transmitted between the web server and the user is protected from eavesdropping and tampering.

By using SSL certificates, web servers can:

1. **Encrypt Data**: Protect sensitive information such as login credentials, credit card numbers, and personal data during transmission. 2. **Authenticate Identity**: Verify the identity of the website, ensuring users are connecting to the legitimate site and not an imposter. 3. **Establish Trust**: Provide users with visual indicators (like a padlock icon and "https" in the URL) that the connection is secure, thereby building trust.

Together, web servers and SSL certificates enable secure web communication, enhancing both the security and trustworthiness of online interactions.

SSL Certificates

Discussion around challenges with standalone certificates and better solutions like DNS challenge certificates.

Open Questions: Main issues with standalone certificates for production include renewals and not being the ideal solution. 16:02

General Information: Better alternative is DNS challenge certificates which require DNS management access but are more stable for renewals. 16:55

Next Steps: Plan to set up DNS challenge certificate solution during a live event.

Web Servers

Identifying opportunities to optimize technologies used for similar purposes.

Ideas: Observation that nginx and Apache are used for similar purposes, suggesting consolidating. 28:05

Functionality Projects

Jitsi Functionality

Educaship Jitsi, which is Jitsi software deployed at Opplet, is used for webconferencing. Currently, we use some instance outside of #The Cloud because of challenges as follows. We have multiple Jitsi installations, one of which is in Docker. In this installation, there is no sound at all. Also, when updating Docker, a conference is not created.

Openness to the World

Educaship pfSense, which is pfSense software deployed at Opplet, is used as a firewall at #Federated VE. To utilize pfSense better, we consider the #Application-Level HA.
We are experiencing some issues obtaining SSL certificates for our sites running behind Pfsense. Due to the absence of the certificate, the service becomes completely unavailable.

VM Automation

We would like #Peripheral VE and #Peripheral VE only to create a VM for each VM customer automatically. In some cases, we have used Ansible. For that purpose, we tentatively plan to establish Educaship Ansible and Educaship Terraform. However, we are open to any other solution as well.

Storage Projects

Backup and Recovery Design

We also consider advancing the whole enterprise-wide backup and recovery system, which possibly, would be called Opplet Backup.

Backup and Recovery Tools

For backups and recovery,

Distributed Application Storage

We are looking for solutions for distributed storage available to those applications that are clustered using the #Application-Level HA model.
We have several applications such as Educaship Moodle or Educaship MediaWiki that use Educaship MariaDB; their databases are combined in a Galera Cluster, which more or less satisfies our needs. We would like to explore other options and find solutions for those applications such as Educaship GitLab that don't use Educaship MariaDB.

File Storage, Library, or Repository

Our various applications may utilize the same files. We are looking for a solution for these websites' files to have a shared storage or library. We tried GlusterFS, but it seemed too slow to us. We copied the files to this storage for almost a week, and as a result, the website did not work.
We envision that the solution will play a role similar to the role of Wikimedia Commons. The Commons is a media repository of images, sounds, videos and other media that various Wikimedia Foundation projects use.

Exploring storage options and budgets for file storage needs.

Next Steps: Agreement to further research storage options based on core requirements and budget. 30:45

Storage Options and Estimates Discussing storage needs and getting estimates for solutions.

Next Steps: Natalia explains she needs to expand storage but doesn't have the right now. Natalia will search for solutions and provide estimates. 40:06

Next Steps: Natalia says she will appreciate the estimates. 40:28

Service Projects

Monitoring Design

We consider advancing the whole enterprise-wide monitoring system, which possibly, would be called Opplet Monitor.
Particularly, we would like to decide where to locate monitoring tools -- (a) on #Federated VE, (b) on #Peripheral VE, (c) outside of the servers that serve #The Cloud, or (d) some combination of something above.

Monitoring Tools

Our current monitoring doesn't satisfy us. We use Educaship Grafana for Proxmox. We would like to add several servers that do not use Proxmox, configure communication channels, and expand monitoring according to our tasks. We would also like to add Educaship Zabbix and Educaship Nagios.

Security Outline

Our security outline shall be reviewed and improved.

See also