Hello,

On Friday, 17 January 2020, 22:18:26 CET, Lars Vogdt wrote:
> On January 17, 2020 5:57:44 PM UTC, "Michael Ströder" wrote:
>> Do you still want some help?
>
> Yes, please! :-) We can even deploy additional DNS in Provo or on slimhat (so using different data centers). With a DNS in Provo, we could even think about how-based DNS (later). DNSsec or DNS over http and all the other "playgrounds" should also be on the table...
>
> ...and please do not forget that we could fill a book with the "Best practices to run openSUSE (in your) infrastructure" topic. I know some people who are interested in running their infra based on our documented setup! So someone should start to write a bestseller :-)

;-) Feel free to copy&paste whatever you consider interesting in this mail to the admin wiki ;-)

>> IIRC you've installed bind. At heroes meeting there was a tendency to go for PowerDNS. Backend was still to be decided.
>
> As I wrote: I installed bind because I know it and I see the pressure to have something up and running to become independent. But I

Looks like you wanted to write a bit more here?

>> I have some preference for launch=ldap to have authc/authz integration to another LDAP server [1] and use native LDAP replication for HA.
>
> While I'm more a fan of KISS (means here: having a single, independent service which could run without any outside dependencies - so I would have the data in ldap, but use a local dump), this could of course also be done - and there are people like you, who have a way better knowledge than me on how to do this right. :-) The initial setup should definitely improve over time. And those who do decide.

... and this is why it's unlikely that we'll end up with text/plain zone files ;-) - while I'd prefer them (to keep things simple), I probably won't have time to work on the DNS setup.

>> I've tried to login to nue-ns1.infra.opensuse.org to have a look at the current setup but am probably not allowed to do so.
>
> You could. But I have to admit that I did not really do much to make this easy for you: I only got the machine known by the saltmaster and made sure that the machine accepted the saltmaster for deployments. The rest is on you... ;-).

It would be nice to at least run highstate after setting up a new VM. This does some basic setup, for example the ssh and sssd config that allows ssh logins for FreeIPA users, configuring syslog to log to monitor.o.o etc.

Note: If your new VM has a role assigned, you'll need to run a second highstate - the first highstate adds the role to /etc/salt/grains, the second actually applies the "content" of that role. (#62204 makes things slightly ;-) more interesting, but that's a different story.)

I just did the highstate for nue-ns{1,2}, therefore everybody with a heroes account should be able to ssh to these machines now. (I'd be surprised if the base setup from salt breaks something in the bind setup, but since I don't know much about bind, please check yourself.)

Note that this base setup does not include sudo permissions. If someone submits a MR to our salt repo that adds sudo permissions to a role (the existing ns_slave role uses powerdns and probably doesn't fit, maybe a new role?), I'll happily review that ;-)

> => Just add your ssh-key via Salt.

No, please don't ;-) (unless you have very good reasons [1])

Our usual workflow is to set up a group in FreeIPA (in this case probably "dns-admins"), and then set up a sudo rule for this group in salt (in pillar/role/*).

However, I wonder if it makes sense to keep this level of indirection, or if we should switch to listing individual users in salt. The only disadvantage is that we'll have to do a highstate when we add permissions for someone, while we currently only have to do this once to write the sudo rules for the $whatever-admins group. IMHO getting rid of a level of indirection is probably worth that ;-)

> If unsure, just ask how this can be done, and I'm sure that Christian (aeh: someone) is able to help. :-))

;-)

Regards,

Christian Boltz

[1] For example, my ssh key is on minnie so that I can login there even if sssd is on "vacation", and can then restart sssd everywhere via salt.

-- 
If nothing else, the 15 years I've been online have impressed upon me the ability of people to be offensive in new and inventive ways.
[Joe 'Zonker' Brockmeier in opensuse-marketing]
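The sudo-rule workflow described above (a FreeIPA group such as "dns-admins" plus a sudo rule managed from the salt repo), as an added Salt state example that is not code from the heroes salt repo; the pillar key sudo_dns_admins, the drop-in path and the rule form are assumptions. It renders both variants weighed in the mail, one rule for the group or individual users listed in pillar, and runs visudo -cf against the candidate file so that a syntactically broken drop-in is never installed (a bad file under /etc/sudoers.d locks everyone out of sudo on the host).

```yaml
{# Assumed pillar layout (hypothetical, not the heroes repo's own):
   sudo_dns_admins:
     group: dns-admins          # FreeIPA group, resolved via sssd
     users: [alice, bob]        # optional: the "no indirection" variant
#}
{% set cfg = salt['pillar.get']('sudo_dns_admins', {}) %}

/etc/sudoers.d/dns-admins:
  file.managed:
    - user: root
    - group: root
    - mode: '0440'
    # Salt appends the path of a temp file with the new contents;
    # a non-zero exit from visudo aborts the state and keeps the old file.
    - check_cmd: /usr/sbin/visudo -cf
    - contents: |
        # Managed by Salt, do not edit by hand
        {%- if cfg.get('group') %}
        %{{ cfg['group'] }} ALL=(ALL) ALL
        {%- endif %}
        {%- for u in cfg.get('users', []) %}
        {{ u }} ALL=(ALL) ALL
        {%- endfor %}
```

With only the group key set, adding a person means a FreeIPA group change and no highstate; with the users list, every change needs a highstate, which is the trade-off the mail discusses.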