Systems administrators are currently undertaking a project to source and equip host machines for VMs for all infrastructure (non-critical) purposes. There are these proposals:
In principle we would like 2 or 3 sites, but let's do this step by step. This project is being handled by the Board for the time being. Contact us if you have a suggestion.
Requirements
- Tech:
- static IPs
- High Availability (HA) - especially for the 8 or so services
- remote ssh access to hardware or host OS sufficient to restart hard hung services
- e.g., Java/IP console
- suitable for running Virtualisation.
- lots and lots of main memory
- para-virtualisation is a possibility, but full is much preferred.
- high bandwidth to close hardware independent redundancy for Disaster Recovery (DR)
currently using around 100G out, 15G in, see sysadm post
- (update 2009-09-04: crl bandwidth down by ~33G per month due to compression/caching information and less user abuse)
- sufficient instantaneous network bandwidth (20Mbit+) and minimum latency
- flexibility to deploy a semi-standard infrastructure on virtual machines (VMs) - Debian at least
- local response time for non-remotely fixable errors.
- Approx 16 IP numbers.
- eventual IPv6 support
- Business:
- written agreement covering all services and conditions
Minimalist Hosting Agreement is being discussed as possible blanket agreement by board and sysadms.
- reasonably stable/professional business.
- local sysadms (Assurers)
- to set up the Host for rest of team so we can SSH in.
- to hit the reset button...
- to keep an eye on security
- friendly local agent (required by some countries to have local agent).
Note that the strict regime of the SecurityPolicy is not necessary here because this is VMs for the infrastructure team, not critical systems for the critical team.
Bandwidth
VM / Server name                                   | 07/2009 | 08/2009 | 09/2009# | 10/2009!
---------------------------------------------------|---------|---------|----------|---------
ocsp.cacert.org                                    | 3.3     |         | 3.8      | 5.0
crl.cacert.org - compression/caching enabled in 08 | 69      | 33*     | 64       | 140
wiki.cacert.org                                    | 3.5     |         | 4.8      | 6.2
Blog.cacert.org server                             | 2.4     |         | 3.5      | 4.6
irc.cacert.org                                     | 0.86    |         | 0.65     | 0.9
svn.cacert.org                                     | 3.1     |         | 5.1      | 4.7
bugs.cacert.org                                    | 0.06    |         | 0.03     | 0.04
lists server                                       | 2.7     |         | 2.0      | 1.7
transition www.cacert.org server (rehosting-nl)    | 0.01    |         | 0 - off  |
email - all @cacert.org POP/IMAP/SMTP              | 1.9     |         | 2.6      | 4.9
webmail/board voting                               | 0.28    |         | 0.12     | 0.5
test2                                              | off     |         | 0.03     | 0.6
hashserver.cacert.org                              | ~0      |         | 0.03     |
translingo.cacert.org                              | 0.05    |         | 0.08     |
cats.cacert.org                                    | 0.2     |         | 0.17     | 0.24
^issue.cacert.org                                  | 0.00    |         | ~0       | ~0
^logging.cacert.org                                |         |         |          |
^forum.cacert.org                                  |         |         | ~0       | ~0
^cod.cacert.org                                    |         |         | ~0       |
emailout.cacert.org                                | -       | -       | 0.05     | 0.09
^paypal.cacert.org                                 |         |         | ~0       | ~0
sun2 - probably a lot of backup traffic (local)    | 9.4     |         | 9        | 12
                                                   |         |         | ~0       |
rough total                                        | 100     | 63      | 97       | 181
- all numbers in Gigabytes outwards per month
- Note *: assumed to be a bad estimate - end of month downloads not taken into account
- Note #: taken as 31 days based on the average daily usage between 21 August and 25 September
- Note ^: in development
- Note !: October's figures run until 7 November (automated monthly tally didn't work). Big problems on CRL - assuming clients don't understand compression/caching
Sonance
Status is at Vienna1.
We believe it is possible to get something up and going in Vienna relatively quickly and cheaply. The following is a paper plan for now:
Server from Sonance: not heavily used, but old.
- Sonance is happy to make this machine available
- Sonance asks to swap some VMs with VMs on Sonance's primary machine. E.g., the test1 machine. So in essence the 2 machines would be shared to some extent.
FunkFeuer as hoster
- (480 per year or 40 euros a month, they charge for power only.)
- Funkfeuer is the hobbyist data center where the CAcert machines were stored from Dec 2007 to Sep 2008.
- (It is where test1 is located, on Sonance's VM.)
- The security is "moderate". They have keycards and cameras. For the old deal they provided us with a lockable rack.
- Local sysadms for console access and maintenance:
- Sonance guys (Assurers) if needed on emergencies (Matthias Gassner, Matthias Subik).
- There is a list where resets can be begged for from the Funkfeuer access team (around 15 techies, some Assurers).
- Sonance could stand in as the local legal agent
- this role was done in Dec 2007 to Sep 2008, if needed.
- (Access control problem is less relevant this time for infrastructure.)
Iang and PhilippDunkel are often nearby.
Hardware
- Sonance has 2 big iron machines (4U):
bonanza: amd x2 5000+ dual core 64 bit (desktop cpu), 8G ram,
- which runs 10 or so VMs.
- some sort of RAID
- amd x2 3800+ dual core 64 bit. Will be upgraded with memory, maybe also cpu
- 3 year old 4U fast machine,
- 1.5Tb RAID,
- (We might have a new mobo + CPU, can also source 8G memory for it.)
- intention is to move most of sonance VMs to the lower spec machine because CPU usage is very light.
- cost of a new machine is 1800.
- x4 (quad core) dual cpu (so up to 8 cores), up to 64G memory
- delivered with 1 cpu and 16G memory.
- Quotes to hand, MG is buying 3 machines at the moment for work.
- we can upgrade each of the existing machines for 500 each: CPU, mobo, memory to 16G.
VM hosting
The need is to set it up as a dedicated host for VMs. There are two options:
- Like current CAcert setup, managed by PG.
- Like Sonance's setup, managed by Matthias G.
- This has the advantage of being managed as a part of a two machine setup, with redundancy possibilities. This is how MG runs the machines at work (indeed, the Sonance machine is almost identical to the work setup).
- test1.co is running this way.
Financing
Funkfeuer has a cost of 480 per year or 40 euros a month.
- Sonance bills CAcert.
- To assist the current account problem, Uli has found some Assurers who are prepared to underwrite the arrangement.
- Sonance manages the machine, does it MG's way.
- donates his account with Funkfeuer to CAcert.
- As sponsor, PG provides his contract and replaces his machine with the Sonance machine. This is a donation of contract by PG.
- Donation of machine by Sonance.
- But it is more complicated because PG and MG haven't figured out how to manage the hosting platform as yet. But presumably this way is then managed by PG.
- Other funding could be found from a bunch of places, in exchange for a logo on the main website (for example).
Concluding remarks
I think there are some advantages. We could get this up and running with what is around right now. Vienna is well known to us. We have a lot of people around here, we all know Funkfeuer and they all know CAcert (many Assurers in the local community). Philipp G can liaise directly with infrastructure team. We already did this once with all of the CAcert systems, Jan 2007 to September 2008, both critical and infrastructure, and it's simpler this time. There are future funding possibilities to replace these oldish machines. Etc etc.
For the future
- We could probably find additional machine(s) later on.
I can see these wider issues:
- Austria is in EU. A non-EU center would be an advantage.
Vienna-2
- There is also a possibility in another center. More if it develops...
PD knows a data center here in Vienna that is high security. He believes he can get access on a "power costs" basis as well. PG knows it too.
- Status: machine is delivered in PG's hands, but was borked. Probably requires entirely new guts.
Others
Cloud
We could purchase VMs on demand from cloud providers. E.g.:
- 7.5€/month/VPS 512Mb memory allocation
- 15 EUR for VPS++ with 1GB RAM and 100GB Storage
- add 52.5 EUR for another 7Gigs at 3.75 EUR per 512MB
- 2.50 EUR Basic fee to any above option.
Atlanta (historical)
See m20090422.1
See Board Post
Wikimedia Hardware
Wikimedia offers used machines to open source projects like Drupal and OpenStreetMap. post by Mathieu.
Past Efforts
Good work in the past has been done by: