Difference between revisions of "Educaship Proxmox"

From CNM Wiki
Jump to: navigation, search
(Storage for VMs)
(Secure Web)
 
(45 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Educaship Proxmox]] (hereinafter, [[#The Platform]]) is the combination of [[ProxmoxVE]] instances, those software packages that support them, as well as complete documentation for all of them that students and other customers of [[Educaship]] may utilize in their vocational skills and career development.
+
[[Educaship Proxmox]] (hereinafter, [[#The Cloud]]) is the combination of [[Proxmox Virtual Environment]] instances, those software packages that support them, as well as complete documentation for all of them that students and other customers of [[Educaship]] may utilize in their vocational skills and career development.
  
  
==Double Objective==
+
==Quadruple Objective==
[[#The Platform]] shall serve two equally-important objectives. It shall be both (a) the [[#Technology Stack]] and (b) [[#Learning Resource]].
+
[[#The Cloud]] shall serve four objectives, from which (a) the [[#Technology Stack]] and (b) [[#Learning Material]] are primary and important equally.
 +
 
 +
===Learning Material===
 +
: [[#The Cloud]] shall be a collection of learning materials for those customers who would like to learn and, potentially, get prepared for their practice work in [[#The Cloud]]. Specifically, that means that [[#The Cloud]] shall:
 +
:# '''Be fully documented''' at the [[CNM Lab]] for those students who have a work-alike practice.
 +
:# '''Be well-documented''' without security-sensitive details at the [[CNMCyber.com]] for those students who would like to learn about [[#The Cloud]].
 +
 
 +
===Marketing Resource===
 +
: [[#The Cloud]] shall be used as resource in marketing of [[Educaship]] products. Particularly, we plan to introduce events such as "Guided Tour to Educaship Proxmox Cloud" and "State of Educaship Proxmox Cloud".
  
 
===Technology Stack===
 
===Technology Stack===
: [[#The Platform]] shall technologically support functionality, usability, reliability, performance, security, scalability, and user satisfaction of [[Opplet]], which is the technology where the end-users are served.
+
: [[#The Cloud]] shall technologically support functionality, usability, reliability, performance, security, scalability, and user satisfaction of [[Opplet]], which is the technology where the [[end-user]]s are served.
  
===Learning Resource===
+
===Work-Alike Playground===
: [[#The Platform]] shall be a collection of learning resources for those customers who would like to learn and have a work-alike practice. Specifically, that means that [[#The Platform]] shall:
+
: [[#The Cloud]] shall be a collection of software for those customers who would like to have a work-alike practice in [[#The Cloud]]. Specifically, that means that [[#The Cloud]] shall:
:# '''Be fully documented''' at the [[CNM Lab]] for those students who have a work-alike practice.
 
:# '''Be well-documented''' without security-sensitive details at the [[CNMCyber.com]] for those students who would like to learn about [[#The Platform]].
 
 
:# '''Use various software'''; the students shall have opportunities to practice with as many popular [[COTS]] open-source packages as possible.
 
:# '''Use various software'''; the students shall have opportunities to practice with as many popular [[COTS]] open-source packages as possible.
 +
:# '''Have advanced backup and recovery''' features; [[#The Cloud]] shall be resistible against incidents accidentally caused by the learners.
 +
:# '''Accommodate hands-on assignments''' during which the learners can test functionality of existing [[#Technology Stack]] and can experiment with new applications.
  
 
==Instances==
 
==Instances==
Currently, [[#The Platform]] consists of two instances, [[#Federated VE]] and [[#Peripheral VE]]. [[#We]] will consider [[#Adding More VEs]] when such a need emerges.
+
Currently, [[#The Cloud]] consists of the [[#Federated VE]] and one [[#Peripheral VE]]. [[#We]] will consider [[#Adding More VEs]] when such a need emerges.
  
 
===Federated VE===
 
===Federated VE===
: The federated part of [[#The Platform]] is called [[CNM Bureau Farm]] and is based on three metal servers of [[Bureau Infrastructure]]. It utilizes <code>ha-manager</code> and [[Ceph]] storage.
+
: The federated part of [[#The Cloud]] is called [[CNM Bureau Farm]] and is based on three metal servers of [[Bureau Infrastructure]]. It utilizes [[#Server-Level HA]] and [[Ceph]] storage.
  
 
===Peripheral VE===
 
===Peripheral VE===
: The peripheral part of [[#The Platform]] is called [[CNM Lab Farm]] and is based on one metal server of [[Lab Infrastructure]].
+
: The peripheral part of [[#The Cloud]] is called [[CNM Lab Farm]] and is based on one metal server of [[Lab Infrastructure]].
  
 
===Adding More VEs===
 
===Adding More VEs===
 
: When [[#We]] need more resources, [[#We]] plan to add more instances similar to [[#Peripheral VE]] to the [[#Federated VE]].
 
: When [[#We]] need more resources, [[#We]] plan to add more instances similar to [[#Peripheral VE]] to the [[#Federated VE]].
 +
 +
==High Availability==
 +
===Server-Level HA===
 +
: The [[#Federated VE]] features [[high availability]] ([[high availability|HA]]) at the server level. If one or two of its infrastructure nodes fail, the remaining working node should still perform the work. This feature is implemented while utilizing the <code>ha-manager</code> tool of [[#PVE]].
 +
 +
===Application-Level HA===
 +
: We don't plan to additionally cluster those applications that are located at the [[#Federated VE]]. At the application level, however, we plan to cluster those applications that are in production and are not deployed for experiments.
 +
 +
: We envision that each of those clusters would feature:
 +
:* [[Educaship HAProxy]] and/or similar proxies deployed behind [[Educaship pfSense]] at the [[#Federated VE]] to send outside world requests to one of the application instances.
 +
:* At least three identical application instances deployed at the [[#Peripheral VE]]. If one or two of these instances fail, the remaining working instance should still perform the work. At the same time, if the [[#Peripheral VE]] fail, the application would not be available.
 +
:* Some [[#Distributed Application Storage]].
 +
 +
===HA-Less Applications===
 +
: We don't plan to cluster those applications that are deployed for experiments at the [[#Peripheral VE]].
 +
 +
==Secure Web==
 +
The topic that unites web servers and SSL certificates is **secure web communication**.
 +
 +
Web servers are responsible for hosting websites and serving web pages to users. SSL certificates (Secure Sockets Layer certificates) are digital certificates used to establish a secure, encrypted connection between a web server and a user's web browser. This encryption ensures that any data transmitted between the web server and the user is protected from eavesdropping and tampering.
 +
 +
By using SSL certificates, web servers can:
 +
 +
1. **Encrypt Data**: Protect sensitive information such as login credentials, credit card numbers, and personal data during transmission.
 +
2. **Authenticate Identity**: Verify the identity of the website, ensuring users are connecting to the legitimate site and not an imposter.
 +
3. **Establish Trust**: Provide users with visual indicators (like a padlock icon and "https" in the URL) that the connection is secure, thereby building trust.
 +
 +
Together, web servers and SSL certificates enable secure web communication, enhancing both the security and trustworthiness of online interactions.
 +
 +
===SSL Certificates===
 +
 +
Discussion around challenges with standalone certificates and better solutions like DNS challenge certificates.
 +
 +
Open Questions: Main issues with standalone certificates for production include renewals and not being the ideal solution. 16:02
 +
 +
General Information: Better alternative is DNS challenge certificates which require DNS management access but are more stable for renewals. 16:55
 +
 +
Next Steps: Plan to set up DNS challenge certificate solution during a live event.
 +
 +
===Web Servers===
 +
Identifying opportunities to optimize technologies used for similar purposes.
 +
 +
Ideas: Observation that nginx and Apache are used for similar purposes, suggesting consolidating. 28:05
  
 
==Functionality Projects==
 
==Functionality Projects==
  
 
===Jitsi Functionality===
 
===Jitsi Functionality===
: [[Educaship Jitsi]], which is [[Jitsi]] software deployed at [[Opplet]], is used for webconferencing. Currently, we use some instance outside of [[#The Platform]] because of challenges as follows. We have multiple Jitsi installations, one of which is in Docker. In this installation, there is no sound at all. Also, when updating Docker, a conference is not created.
+
: [[Educaship Jitsi]], which is [[Jitsi]] software deployed at [[Opplet]], is used for webconferencing. Currently, we use some instance outside of [[#The Cloud]] because of challenges as follows. We have multiple Jitsi installations, one of which is in Docker. In this installation, there is no sound at all. Also, when updating Docker, a conference is not created.
  
 
===Openness to the World===
 
===Openness to the World===
: [[Educaship pfSense]], which is [[pfSense]] software deployed at [[Opplet]], is used as a [[firewall]] at [[#Federated VE]]. To utilize pfSense better, we consider clustering VMs at [[#Peripheral VE]] and placing [[HAProxy]] and similar proxies behind pfSense on the [[#Federated VE]].
+
: [[Educaship pfSense]], which is [[pfSense]] software deployed at [[Opplet]], is used as a [[firewall]] at [[#Federated VE]]. To utilize pfSense better, we consider the [[#Application-Level HA]].
  
 
: We are experiencing some issues obtaining SSL certificates for our sites running behind Pfsense. Due to the absence of the certificate, the service becomes completely unavailable.
 
: We are experiencing some issues obtaining SSL certificates for our sites running behind Pfsense. Due to the absence of the certificate, the service becomes completely unavailable.
Line 40: Line 91:
  
 
==Storage Projects==
 
==Storage Projects==
===Backup and Recovery===
+
===Backup and Recovery Design===  
: We use [[Proxmox Backup Server]] on the [[#Federated VE]]. We consider adding NAS, as well as advancing backup and recovery systems.
+
: We also consider advancing the whole enterprise-wide backup and recovery system, which possibly, would be called [[Opplet Backup]].
 +
 
 +
===Backup and Recovery Tools===
 +
: For backups and recovery,
 +
:* [[Educaship Proxmox Backup]], which is [[Proxmox Backup Server]] software deployed at [[Opplet]], is used at [[#Federated VE]].  
 +
:* [[Educaship RAID]], which is [[RAID]] software deployed at [[Opplet]], is used at [[#Peripheral VE]].
 +
 
 +
===Distributed Application Storage===
 +
: We are looking for solutions for distributed storage available to those applications that are clustered using the [[#Application-Level HA]] model.
 +
 
 +
: We have several applications such as [[Educaship Moodle]] or [[Educaship MediaWiki]] that use [[Educaship MariaDB]]; their databases are combined in a Galera Cluster, which more or less satisfies our needs. We would like to explore other options and find solutions for those applications such as [[Educaship GitLab]] that don't use [[Educaship MariaDB]].
  
 
===File Storage, Library, or Repository===
 
===File Storage, Library, or Repository===
Line 48: Line 109:
 
: We envision that the solution will play a role similar to the role of Wikimedia Commons. The Commons is a media repository of images, sounds, videos and other media that various Wikimedia Foundation projects use.
 
: We envision that the solution will play a role similar to the role of Wikimedia Commons. The Commons is a media repository of images, sounds, videos and other media that various Wikimedia Foundation projects use.
  
===Storage for VMs===
+
Exploring storage options and budgets for file storage needs.
: We are looking for solutions for distributed storage available to those VMs that would be clustered on the [[#Peripheral VE]]. We have several websites that use [[Educaship MariaDB]]; their databases are combined in a Galera Cluster, which more or less satisfies our needs. We would like to explore other options and find solutions for those applications that don't use [[Educaship MariaDB]].
+
 
 +
Next Steps: Agreement to further research storage options based on core requirements and budget. 30:45
 +
 
 +
Storage Options and Estimates
 +
Discussing storage needs and getting estimates for solutions.
 +
 
 +
Next Steps: Natalia explains she needs to expand storage but doesn't have the right now. Natalia will search for solutions and provide estimates. 40:06
 +
 
 +
Next Steps: Natalia says she will appreciate the estimates. 40:28
  
 
==Service Projects==
 
==Service Projects==
  
===Monitor Location===
+
===Monitoring Design===
: We would like to decide where to locate monitoring tools -- (a) on [[#Federated VE]], (b) on [[#Peripheral VE]], (c) outside of the servers that serve [[#The Platform]], or (d) some combination of something above.
+
: We consider advancing the whole enterprise-wide monitoring system, which possibly, would be called [[Opplet Monitor]].
 +
 
 +
: Particularly, we would like to decide where to locate monitoring tools -- (a) on [[#Federated VE]], (b) on [[#Peripheral VE]], (c) outside of the servers that serve [[#The Cloud]], or (d) some combination of something above.
  
 
===Monitoring Tools===
 
===Monitoring Tools===

Latest revision as of 20:38, 24 May 2024

Educaship Proxmox (hereinafter, #The Cloud) is the combination of Proxmox Virtual Environment instances, those software packages that support them, as well as complete documentation for all of them that students and other customers of Educaship may utilize in their vocational skills and career development.


Quadruple Objective

#The Cloud shall serve four objectives, from which (a) the #Technology Stack and (b) #Learning Material are primary and important equally.

Learning Material

#The Cloud shall be a collection of learning materials for those customers who would like to learn and, potentially, get prepared for their practice work in #The Cloud. Specifically, that means that #The Cloud shall:
  1. Be fully documented at the CNM Lab for those students who have a work-alike practice.
  2. Be well-documented without security-sensitive details at the CNMCyber.com for those students who would like to learn about #The Cloud.

Marketing Resource

#The Cloud shall be used as resource in marketing of Educaship products. Particularly, we plan to introduce events such as "Guided Tour to Educaship Proxmox Cloud" and "State of Educaship Proxmox Cloud".

Technology Stack

#The Cloud shall technologically support functionality, usability, reliability, performance, security, scalability, and user satisfaction of Opplet, which is the technology where the end-users are served.

Work-Alike Playground

#The Cloud shall be a collection of software for those customers who would like to have a work-alike practice in #The Cloud. Specifically, that means that #The Cloud shall:
  1. Use various software; the students shall have opportunities to practice with as many popular COTS open-source packages as possible.
  2. Have advanced backup and recovery features; #The Cloud shall be resistible against incidents accidentally caused by the learners.
  3. Accommodate hands-on assignments during which the learners can test functionality of existing #Technology Stack and can experiment with new applications.

Instances

Currently, #The Cloud consists of the #Federated VE and one #Peripheral VE. #We will consider #Adding More VEs when such a need emerges.

Federated VE

The federated part of #The Cloud is called CNM Bureau Farm and is based on three metal servers of Bureau Infrastructure. It utilizes #Server-Level HA and Ceph storage.

Peripheral VE

The peripheral part of #The Cloud is called CNM Lab Farm and is based on one metal server of Lab Infrastructure.

Adding More VEs

When #We need more resources, #We plan to add more instances similar to #Peripheral VE to the #Federated VE.

High Availability

Server-Level HA

The #Federated VE features high availability (HA) at the server level. If one or two of its infrastructure nodes fail, the remaining working node should still perform the work. This feature is implemented while utilizing the ha-manager tool of #PVE.

Application-Level HA

We don't plan to additionally cluster those applications that are located at the #Federated VE. At the application level, however, we plan to cluster those applications that are in production and are not deployed for experiments.
We envision that each of those clusters would feature:

HA-Less Applications

We don't plan to cluster those applications that are deployed for experiments at the #Peripheral VE.

Secure Web

The topic that unites web servers and SSL certificates is **secure web communication**.

Web servers are responsible for hosting websites and serving web pages to users. SSL certificates (Secure Sockets Layer certificates) are digital certificates used to establish a secure, encrypted connection between a web server and a user's web browser. This encryption ensures that any data transmitted between the web server and the user is protected from eavesdropping and tampering.

By using SSL certificates, web servers can:

1. **Encrypt Data**: Protect sensitive information such as login credentials, credit card numbers, and personal data during transmission. 2. **Authenticate Identity**: Verify the identity of the website, ensuring users are connecting to the legitimate site and not an imposter. 3. **Establish Trust**: Provide users with visual indicators (like a padlock icon and "https" in the URL) that the connection is secure, thereby building trust.

Together, web servers and SSL certificates enable secure web communication, enhancing both the security and trustworthiness of online interactions.

SSL Certificates

Discussion around challenges with standalone certificates and better solutions like DNS challenge certificates.

Open Questions: Main issues with standalone certificates for production include renewals and not being the ideal solution. 16:02

General Information: Better alternative is DNS challenge certificates which require DNS management access but are more stable for renewals. 16:55

Next Steps: Plan to set up DNS challenge certificate solution during a live event.

Web Servers

Identifying opportunities to optimize technologies used for similar purposes.

Ideas: Observation that nginx and Apache are used for similar purposes, suggesting consolidating. 28:05

Functionality Projects

Jitsi Functionality

Educaship Jitsi, which is Jitsi software deployed at Opplet, is used for webconferencing. Currently, we use some instance outside of #The Cloud because of challenges as follows. We have multiple Jitsi installations, one of which is in Docker. In this installation, there is no sound at all. Also, when updating Docker, a conference is not created.

Openness to the World

Educaship pfSense, which is pfSense software deployed at Opplet, is used as a firewall at #Federated VE. To utilize pfSense better, we consider the #Application-Level HA.
We are experiencing some issues obtaining SSL certificates for our sites running behind Pfsense. Due to the absence of the certificate, the service becomes completely unavailable.

VM Automation

We would like #Peripheral VE and #Peripheral VE only to create a VM for each VM customer automatically. In some cases, we have used Ansible. For that purpose, we tentatively plan to establish Educaship Ansible and Educaship Terraform. However, we are open to any other solution as well.

Storage Projects

Backup and Recovery Design

We also consider advancing the whole enterprise-wide backup and recovery system, which possibly, would be called Opplet Backup.

Backup and Recovery Tools

For backups and recovery,

Distributed Application Storage

We are looking for solutions for distributed storage available to those applications that are clustered using the #Application-Level HA model.
We have several applications such as Educaship Moodle or Educaship MediaWiki that use Educaship MariaDB; their databases are combined in a Galera Cluster, which more or less satisfies our needs. We would like to explore other options and find solutions for those applications such as Educaship GitLab that don't use Educaship MariaDB.

File Storage, Library, or Repository

Our various applications may utilize the same files. We are looking for a solution for these websites' files to have a shared storage or library. We tried GlusterFS, but it seemed too slow to us. We copied the files to this storage for almost a week, and as a result, the website did not work.
We envision that the solution will play a role similar to the role of Wikimedia Commons. The Commons is a media repository of images, sounds, videos and other media that various Wikimedia Foundation projects use.

Exploring storage options and budgets for file storage needs.

Next Steps: Agreement to further research storage options based on core requirements and budget. 30:45

Storage Options and Estimates Discussing storage needs and getting estimates for solutions.

Next Steps: Natalia explains she needs to expand storage but doesn't have the right now. Natalia will search for solutions and provide estimates. 40:06

Next Steps: Natalia says she will appreciate the estimates. 40:28

Service Projects

Monitoring Design

We consider advancing the whole enterprise-wide monitoring system, which possibly, would be called Opplet Monitor.
Particularly, we would like to decide where to locate monitoring tools -- (a) on #Federated VE, (b) on #Peripheral VE, (c) outside of the servers that serve #The Cloud, or (d) some combination of something above.

Monitoring Tools

Our current monitoring doesn't satisfy us. We use Educaship Grafana for Proxmox. We would like to add several servers that do not use Proxmox, configure communication channels, and expand monitoring according to our tasks. We would also like to add Educaship Zabbix and Educaship Nagios.

Security Outline

Our security outline shall be reviewed and improved.

See also