Difference between revisions of "CNMC bare-metal"
(→WordPress) |
(→WordPress) |
||
Line 61: | Line 61: | ||
*WordPress -- VM or container model? we can use kvm based vms as well, but normally containers will be ok. we can use one vps for wordpress also. | *WordPress -- VM or container model? we can use kvm based vms as well, but normally containers will be ok. we can use one vps for wordpress also. | ||
*What would we do for its security? For securety we can use antivirus + CSF firewall | *What would we do for its security? For securety we can use antivirus + CSF firewall | ||
+ | |||
+ | scanners | ||
===App HA=== | ===App HA=== | ||
In addition to the bare-server, we plan to deploy one VPS in the US to extend the high-availability of its core applications. We cannot consider Cloudflare for the project because this would limit hands-on training opportunities for future students. | In addition to the bare-server, we plan to deploy one VPS in the US to extend the high-availability of its core applications. We cannot consider Cloudflare for the project because this would limit hands-on training opportunities for future students. |
Revision as of 16:37, 23 March 2022
The CNMC bare-metal (hereinafter, the Metal) is the technology that supports the Urdu Project. A similar technology supports CNM Cyber's project in Ukraine.
Contents
Needs
The Metal's owner is in a business of workforce development. The Metal shall accommodate a laboratory environment for those employment aspirants who conduct their internships on virtual machines (hereinafter, VMs), containers, and applications. There shall be many applications designed for internships; they would include AVideo, GitLab, HumHub, MediaWiki, Moodle, Odoo, Roundcube, SuiteCRM, and WordPress to name just few.
User stories
- As a workforce developer, I want my learners to have hands-on training opportunities on those software packages that are popular on the market.
- As a training provider, I want to authorize a particular learner to access a VM that hosts a particular software package, so this learner will be able to explore, provision, modify, and restore the software package.
- As a learner, I want to access a VM, which I am authorized to access, in order to explore, provision, modify, and restore the application that this VM hosts.
Milestones
We plan to:
- Purchase the Metal, setup RAID or OpenZFS and ProxmoxVE, as well as secure them.
- Setup a high-availability secure cluster of WordPress instances on the purchased Metal.
- Setup a high-availability cluster of two bare-metal servers, including the main server that has been used in the Ukraine project and and the Metal.
Server layer
To support the project in Ukraine technologically, we created a platform with 3 VPS and one proxmox instance at hetzner.de in Germany. We plan to deploy a similar platform for the project in Pakistan. Alternatively, OVH servers have been considered.
Bare-metal
The characteristics of the server that supports the project in Ukraine are as follows:
- Dedicated Root Server SB35
- Intel Core i7-3930
- 2x HDD SATA 3,0 TB
- 8x RAM 8192 MB DDR3
- NIC 1 Gbit - Intel 82579LM
- Location: FSN1 (Falkenstein/Vogtland, Germany) -- DC7
- Rescue system (English)
For the project in Pakistan, we plan to buy an additional bare-metal server at hetzner.de at the same datacenter with our first one. The additional server shall be similar to the current one, probably, with a half of the RAM.
One expert stated that using i7 processors have some disadvantages. Another expert replied that, indeed, i7 processors may have troubles with something like PCI passthrough, but for this particular project at this particular stage, they are just fine.
Disk-redundancy
RAID (what level? what implementation?) or OpenZFS
Virtualization
OS installation first, so it will be proxmox, so we can create some shared container or kvm based container there as per our usage.
Server security
What do you plan for its security? Firewalls? iptables (ban everything what is not allowed), fail2ban, default ports change
- Config Server Security and Firewall (CSF) (so when anyone do wrong attempt with our server it will auto blocked on three wrong attempt, also we can block any country any location any ip any isp etc with firewall.
- Change a default ssh port to another also we will set it to key based authentication so who have the key they can access.
IP addresses
On the main server, either local IP or private IP range with DHCP is used. Unless specific concerns arise, we plan to use 2 IPv4 addresses. We are also open to explore IPv6. If we use About ipv4 addresses, we need 5 ips: one for main server, two for gateway, three for any vps or container and four for wordpress vps, and 5 for anyother we need in future.
Server monitoring
Zabbix nagios
Server HA
HAProxy or out-of-the-box tools of proxmox
Application layer
We would like to start with Wordpress. Then, we add MediaWiki, Moodle and the rest. Our main server and its WordPress instances were hacked a few times. This is a description of what happened with the server (it is in Russian though) -- https://pravka.bskol.com/ru/%D0%9E%D0%BF%D1%8B%D1%82%D0%BD%D1%8B_%D0%9F%D1%80%D0%BE%D0%B5%D0%BA%D1%82
WordPress
core, plugin, theme cloudflare as web app firewall
- WordPress -- VM or container model? we can use kvm based vms as well, but normally containers will be ok. we can use one vps for wordpress also.
- What would we do for its security? For securety we can use antivirus + CSF firewall
scanners
App HA
In addition to the bare-server, we plan to deploy one VPS in the US to extend the high-availability of its core applications. We cannot consider Cloudflare for the project because this would limit hands-on training opportunities for future students.