Difference between revisions of "Educaship Proxmox"
(→Storage for VMs) |
(→Secure Web) |
||
(45 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | [[Educaship Proxmox]] (hereinafter, [[#The | + | [[Educaship Proxmox]] (hereinafter, [[#The Cloud]]) is the combination of [[Proxmox Virtual Environment]] instances, those software packages that support them, as well as complete documentation for all of them that students and other customers of [[Educaship]] may utilize in their vocational skills and career development. |
− | == | + | ==Quadruple Objective== |
− | [[#The | + | [[#The Cloud]] shall serve four objectives, from which (a) the [[#Technology Stack]] and (b) [[#Learning Material]] are primary and important equally. |
+ | |||
+ | ===Learning Material=== | ||
+ | : [[#The Cloud]] shall be a collection of learning materials for those customers who would like to learn and, potentially, get prepared for their practice work in [[#The Cloud]]. Specifically, that means that [[#The Cloud]] shall: | ||
+ | :# '''Be fully documented''' at the [[CNM Lab]] for those students who have a work-alike practice. | ||
+ | :# '''Be well-documented''' without security-sensitive details at the [[CNMCyber.com]] for those students who would like to learn about [[#The Cloud]]. | ||
+ | |||
+ | ===Marketing Resource=== | ||
+ | : [[#The Cloud]] shall be used as resource in marketing of [[Educaship]] products. Particularly, we plan to introduce events such as "Guided Tour to Educaship Proxmox Cloud" and "State of Educaship Proxmox Cloud". | ||
===Technology Stack=== | ===Technology Stack=== | ||
− | : [[#The | + | : [[#The Cloud]] shall technologically support functionality, usability, reliability, performance, security, scalability, and user satisfaction of [[Opplet]], which is the technology where the [[end-user]]s are served. |
− | === | + | ===Work-Alike Playground=== |
− | : [[#The | + | : [[#The Cloud]] shall be a collection of software for those customers who would like to have a work-alike practice in [[#The Cloud]]. Specifically, that means that [[#The Cloud]] shall: |
− | |||
− | |||
:# '''Use various software'''; the students shall have opportunities to practice with as many popular [[COTS]] open-source packages as possible. | :# '''Use various software'''; the students shall have opportunities to practice with as many popular [[COTS]] open-source packages as possible. | ||
+ | :# '''Have advanced backup and recovery''' features; [[#The Cloud]] shall be resistible against incidents accidentally caused by the learners. | ||
+ | :# '''Accommodate hands-on assignments''' during which the learners can test functionality of existing [[#Technology Stack]] and can experiment with new applications. | ||
==Instances== | ==Instances== | ||
− | Currently, [[#The | + | Currently, [[#The Cloud]] consists of the [[#Federated VE]] and one [[#Peripheral VE]]. [[#We]] will consider [[#Adding More VEs]] when such a need emerges. |
===Federated VE=== | ===Federated VE=== | ||
− | : The federated part of [[#The | + | : The federated part of [[#The Cloud]] is called [[CNM Bureau Farm]] and is based on three metal servers of [[Bureau Infrastructure]]. It utilizes [[#Server-Level HA]] and [[Ceph]] storage. |
===Peripheral VE=== | ===Peripheral VE=== | ||
− | : The peripheral part of [[#The | + | : The peripheral part of [[#The Cloud]] is called [[CNM Lab Farm]] and is based on one metal server of [[Lab Infrastructure]]. |
===Adding More VEs=== | ===Adding More VEs=== | ||
: When [[#We]] need more resources, [[#We]] plan to add more instances similar to [[#Peripheral VE]] to the [[#Federated VE]]. | : When [[#We]] need more resources, [[#We]] plan to add more instances similar to [[#Peripheral VE]] to the [[#Federated VE]]. | ||
+ | |||
+ | ==High Availability== | ||
+ | ===Server-Level HA=== | ||
+ | : The [[#Federated VE]] features [[high availability]] ([[high availability|HA]]) at the server level. If one or two of its infrastructure nodes fail, the remaining working node should still perform the work. This feature is implemented while utilizing the <code>ha-manager</code> tool of [[#PVE]]. | ||
+ | |||
+ | ===Application-Level HA=== | ||
+ | : We don't plan to additionally cluster those applications that are located at the [[#Federated VE]]. At the application level, however, we plan to cluster those applications that are in production and are not deployed for experiments. | ||
+ | |||
+ | : We envision that each of those clusters would feature: | ||
+ | :* [[Educaship HAProxy]] and/or similar proxies deployed behind [[Educaship pfSense]] at the [[#Federated VE]] to send outside world requests to one of the application instances. | ||
+ | :* At least three identical application instances deployed at the [[#Peripheral VE]]. If one or two of these instances fail, the remaining working instance should still perform the work. At the same time, if the [[#Peripheral VE]] fail, the application would not be available. | ||
+ | :* Some [[#Distributed Application Storage]]. | ||
+ | |||
+ | ===HA-Less Applications=== | ||
+ | : We don't plan to cluster those applications that are deployed for experiments at the [[#Peripheral VE]]. | ||
+ | |||
+ | ==Secure Web== | ||
+ | The topic that unites web servers and SSL certificates is **secure web communication**. | ||
+ | |||
+ | Web servers are responsible for hosting websites and serving web pages to users. SSL certificates (Secure Sockets Layer certificates) are digital certificates used to establish a secure, encrypted connection between a web server and a user's web browser. This encryption ensures that any data transmitted between the web server and the user is protected from eavesdropping and tampering. | ||
+ | |||
+ | By using SSL certificates, web servers can: | ||
+ | |||
+ | 1. **Encrypt Data**: Protect sensitive information such as login credentials, credit card numbers, and personal data during transmission. | ||
+ | 2. **Authenticate Identity**: Verify the identity of the website, ensuring users are connecting to the legitimate site and not an imposter. | ||
+ | 3. **Establish Trust**: Provide users with visual indicators (like a padlock icon and "https" in the URL) that the connection is secure, thereby building trust. | ||
+ | |||
+ | Together, web servers and SSL certificates enable secure web communication, enhancing both the security and trustworthiness of online interactions. | ||
+ | |||
+ | ===SSL Certificates=== | ||
+ | |||
+ | Discussion around challenges with standalone certificates and better solutions like DNS challenge certificates. | ||
+ | |||
+ | Open Questions: Main issues with standalone certificates for production include renewals and not being the ideal solution. 16:02 | ||
+ | |||
+ | General Information: Better alternative is DNS challenge certificates which require DNS management access but are more stable for renewals. 16:55 | ||
+ | |||
+ | Next Steps: Plan to set up DNS challenge certificate solution during a live event. | ||
+ | |||
+ | ===Web Servers=== | ||
+ | Identifying opportunities to optimize technologies used for similar purposes. | ||
+ | |||
+ | Ideas: Observation that nginx and Apache are used for similar purposes, suggesting consolidating. 28:05 | ||
==Functionality Projects== | ==Functionality Projects== | ||
===Jitsi Functionality=== | ===Jitsi Functionality=== | ||
− | : [[Educaship Jitsi]], which is [[Jitsi]] software deployed at [[Opplet]], is used for webconferencing. Currently, we use some instance outside of [[#The | + | : [[Educaship Jitsi]], which is [[Jitsi]] software deployed at [[Opplet]], is used for webconferencing. Currently, we use some instance outside of [[#The Cloud]] because of challenges as follows. We have multiple Jitsi installations, one of which is in Docker. In this installation, there is no sound at all. Also, when updating Docker, a conference is not created. |
===Openness to the World=== | ===Openness to the World=== | ||
− | : [[Educaship pfSense]], which is [[pfSense]] software deployed at [[Opplet]], is used as a [[firewall]] at [[#Federated VE]]. To utilize pfSense better, we consider | + | : [[Educaship pfSense]], which is [[pfSense]] software deployed at [[Opplet]], is used as a [[firewall]] at [[#Federated VE]]. To utilize pfSense better, we consider the [[#Application-Level HA]]. |
: We are experiencing some issues obtaining SSL certificates for our sites running behind Pfsense. Due to the absence of the certificate, the service becomes completely unavailable. | : We are experiencing some issues obtaining SSL certificates for our sites running behind Pfsense. Due to the absence of the certificate, the service becomes completely unavailable. | ||
Line 40: | Line 91: | ||
==Storage Projects== | ==Storage Projects== | ||
− | ===Backup and Recovery=== | + | ===Backup and Recovery Design=== |
− | : We | + | : We also consider advancing the whole enterprise-wide backup and recovery system, which possibly, would be called [[Opplet Backup]]. |
+ | |||
+ | ===Backup and Recovery Tools=== | ||
+ | : For backups and recovery, | ||
+ | :* [[Educaship Proxmox Backup]], which is [[Proxmox Backup Server]] software deployed at [[Opplet]], is used at [[#Federated VE]]. | ||
+ | :* [[Educaship RAID]], which is [[RAID]] software deployed at [[Opplet]], is used at [[#Peripheral VE]]. | ||
+ | |||
+ | ===Distributed Application Storage=== | ||
+ | : We are looking for solutions for distributed storage available to those applications that are clustered using the [[#Application-Level HA]] model. | ||
+ | |||
+ | : We have several applications such as [[Educaship Moodle]] or [[Educaship MediaWiki]] that use [[Educaship MariaDB]]; their databases are combined in a Galera Cluster, which more or less satisfies our needs. We would like to explore other options and find solutions for those applications such as [[Educaship GitLab]] that don't use [[Educaship MariaDB]]. | ||
===File Storage, Library, or Repository=== | ===File Storage, Library, or Repository=== | ||
Line 48: | Line 109: | ||
: We envision that the solution will play a role similar to the role of Wikimedia Commons. The Commons is a media repository of images, sounds, videos and other media that various Wikimedia Foundation projects use. | : We envision that the solution will play a role similar to the role of Wikimedia Commons. The Commons is a media repository of images, sounds, videos and other media that various Wikimedia Foundation projects use. | ||
− | + | Exploring storage options and budgets for file storage needs. | |
− | : | + | |
+ | Next Steps: Agreement to further research storage options based on core requirements and budget. 30:45 | ||
+ | |||
+ | Storage Options and Estimates | ||
+ | Discussing storage needs and getting estimates for solutions. | ||
+ | |||
+ | Next Steps: Natalia explains she needs to expand storage but doesn't have the right now. Natalia will search for solutions and provide estimates. 40:06 | ||
+ | |||
+ | Next Steps: Natalia says she will appreciate the estimates. 40:28 | ||
==Service Projects== | ==Service Projects== | ||
− | === | + | ===Monitoring Design=== |
− | : We would like to decide where to locate monitoring tools -- (a) on [[#Federated VE]], (b) on [[#Peripheral VE]], (c) outside of the servers that serve [[#The | + | : We consider advancing the whole enterprise-wide monitoring system, which possibly, would be called [[Opplet Monitor]]. |
+ | |||
+ | : Particularly, we would like to decide where to locate monitoring tools -- (a) on [[#Federated VE]], (b) on [[#Peripheral VE]], (c) outside of the servers that serve [[#The Cloud]], or (d) some combination of something above. | ||
===Monitoring Tools=== | ===Monitoring Tools=== |
Latest revision as of 20:38, 24 May 2024
Educaship Proxmox (hereinafter, #The Cloud) is the combination of Proxmox Virtual Environment instances, those software packages that support them, as well as complete documentation for all of them that students and other customers of Educaship may utilize in their vocational skills and career development.
Contents
Quadruple Objective
#The Cloud shall serve four objectives, from which (a) the #Technology Stack and (b) #Learning Material are primary and important equally.
Learning Material
- #The Cloud shall be a collection of learning materials for those customers who would like to learn and, potentially, get prepared for their practice work in #The Cloud. Specifically, that means that #The Cloud shall:
- Be fully documented at the CNM Lab for those students who have a work-alike practice.
- Be well-documented without security-sensitive details at the CNMCyber.com for those students who would like to learn about #The Cloud.
Marketing Resource
- #The Cloud shall be used as resource in marketing of Educaship products. Particularly, we plan to introduce events such as "Guided Tour to Educaship Proxmox Cloud" and "State of Educaship Proxmox Cloud".
Technology Stack
- #The Cloud shall technologically support functionality, usability, reliability, performance, security, scalability, and user satisfaction of Opplet, which is the technology where the end-users are served.
Work-Alike Playground
- #The Cloud shall be a collection of software for those customers who would like to have a work-alike practice in #The Cloud. Specifically, that means that #The Cloud shall:
- Use various software; the students shall have opportunities to practice with as many popular COTS open-source packages as possible.
- Have advanced backup and recovery features; #The Cloud shall be resistible against incidents accidentally caused by the learners.
- Accommodate hands-on assignments during which the learners can test functionality of existing #Technology Stack and can experiment with new applications.
Instances
Currently, #The Cloud consists of the #Federated VE and one #Peripheral VE. #We will consider #Adding More VEs when such a need emerges.
Federated VE
- The federated part of #The Cloud is called CNM Bureau Farm and is based on three metal servers of Bureau Infrastructure. It utilizes #Server-Level HA and Ceph storage.
Peripheral VE
- The peripheral part of #The Cloud is called CNM Lab Farm and is based on one metal server of Lab Infrastructure.
Adding More VEs
- When #We need more resources, #We plan to add more instances similar to #Peripheral VE to the #Federated VE.
High Availability
Server-Level HA
- The #Federated VE features high availability (HA) at the server level. If one or two of its infrastructure nodes fail, the remaining working node should still perform the work. This feature is implemented while utilizing the
ha-manager
tool of #PVE.
Application-Level HA
- We don't plan to additionally cluster those applications that are located at the #Federated VE. At the application level, however, we plan to cluster those applications that are in production and are not deployed for experiments.
- We envision that each of those clusters would feature:
- Educaship HAProxy and/or similar proxies deployed behind Educaship pfSense at the #Federated VE to send outside world requests to one of the application instances.
- At least three identical application instances deployed at the #Peripheral VE. If one or two of these instances fail, the remaining working instance should still perform the work. At the same time, if the #Peripheral VE fail, the application would not be available.
- Some #Distributed Application Storage.
HA-Less Applications
- We don't plan to cluster those applications that are deployed for experiments at the #Peripheral VE.
Secure Web
The topic that unites web servers and SSL certificates is **secure web communication**.
Web servers are responsible for hosting websites and serving web pages to users. SSL certificates (Secure Sockets Layer certificates) are digital certificates used to establish a secure, encrypted connection between a web server and a user's web browser. This encryption ensures that any data transmitted between the web server and the user is protected from eavesdropping and tampering.
By using SSL certificates, web servers can:
1. **Encrypt Data**: Protect sensitive information such as login credentials, credit card numbers, and personal data during transmission. 2. **Authenticate Identity**: Verify the identity of the website, ensuring users are connecting to the legitimate site and not an imposter. 3. **Establish Trust**: Provide users with visual indicators (like a padlock icon and "https" in the URL) that the connection is secure, thereby building trust.
Together, web servers and SSL certificates enable secure web communication, enhancing both the security and trustworthiness of online interactions.
SSL Certificates
Discussion around challenges with standalone certificates and better solutions like DNS challenge certificates.
Open Questions: Main issues with standalone certificates for production include renewals and not being the ideal solution. 16:02
General Information: Better alternative is DNS challenge certificates which require DNS management access but are more stable for renewals. 16:55
Next Steps: Plan to set up DNS challenge certificate solution during a live event.
Web Servers
Identifying opportunities to optimize technologies used for similar purposes.
Ideas: Observation that nginx and Apache are used for similar purposes, suggesting consolidating. 28:05
Functionality Projects
Jitsi Functionality
- Educaship Jitsi, which is Jitsi software deployed at Opplet, is used for webconferencing. Currently, we use some instance outside of #The Cloud because of challenges as follows. We have multiple Jitsi installations, one of which is in Docker. In this installation, there is no sound at all. Also, when updating Docker, a conference is not created.
Openness to the World
- Educaship pfSense, which is pfSense software deployed at Opplet, is used as a firewall at #Federated VE. To utilize pfSense better, we consider the #Application-Level HA.
- We are experiencing some issues obtaining SSL certificates for our sites running behind Pfsense. Due to the absence of the certificate, the service becomes completely unavailable.
VM Automation
- We would like #Peripheral VE and #Peripheral VE only to create a VM for each VM customer automatically. In some cases, we have used Ansible. For that purpose, we tentatively plan to establish Educaship Ansible and Educaship Terraform. However, we are open to any other solution as well.
Storage Projects
Backup and Recovery Design
- We also consider advancing the whole enterprise-wide backup and recovery system, which possibly, would be called Opplet Backup.
Backup and Recovery Tools
- For backups and recovery,
- Educaship Proxmox Backup, which is Proxmox Backup Server software deployed at Opplet, is used at #Federated VE.
- Educaship RAID, which is RAID software deployed at Opplet, is used at #Peripheral VE.
Distributed Application Storage
- We are looking for solutions for distributed storage available to those applications that are clustered using the #Application-Level HA model.
- We have several applications such as Educaship Moodle or Educaship MediaWiki that use Educaship MariaDB; their databases are combined in a Galera Cluster, which more or less satisfies our needs. We would like to explore other options and find solutions for those applications such as Educaship GitLab that don't use Educaship MariaDB.
File Storage, Library, or Repository
- Our various applications may utilize the same files. We are looking for a solution for these websites' files to have a shared storage or library. We tried GlusterFS, but it seemed too slow to us. We copied the files to this storage for almost a week, and as a result, the website did not work.
- We envision that the solution will play a role similar to the role of Wikimedia Commons. The Commons is a media repository of images, sounds, videos and other media that various Wikimedia Foundation projects use.
Exploring storage options and budgets for file storage needs.
Next Steps: Agreement to further research storage options based on core requirements and budget. 30:45
Storage Options and Estimates Discussing storage needs and getting estimates for solutions.
Next Steps: Natalia explains she needs to expand storage but doesn't have the right now. Natalia will search for solutions and provide estimates. 40:06
Next Steps: Natalia says she will appreciate the estimates. 40:28
Service Projects
Monitoring Design
- We consider advancing the whole enterprise-wide monitoring system, which possibly, would be called Opplet Monitor.
- Particularly, we would like to decide where to locate monitoring tools -- (a) on #Federated VE, (b) on #Peripheral VE, (c) outside of the servers that serve #The Cloud, or (d) some combination of something above.
Monitoring Tools
- Our current monitoring doesn't satisfy us. We use Educaship Grafana for Proxmox. We would like to add several servers that do not use Proxmox, configure communication channels, and expand monitoring according to our tasks. We would also like to add Educaship Zabbix and Educaship Nagios.
Security Outline
- Our security outline shall be reviewed and improved.