Verified Commit 33dd30af authored by Andri Steiner

Reorganize content #1

parent eb77c795
h1. Accessing the Infrastructure
_Target audience: Community members that are responsible for a service that is running within the typo3.org infrastructure._
Currently, the *.typo3.org server infrastructure is undergoing changes towards a new architecture. This has implications for all community members who need to access any servers via SSH or who are responsible for a service that requires incoming connections.
h2. tl;dr
Before you can connect to the server again, you need to
* Install "OpenVPN":https://openvpn.net/index.php/open-source/downloads.html.
* If you are using Windows, make sure that OpenVPN is run with administrator rights. (Right-click the Desktop icon → Properties → Compatibility → Settings → Mark "Run this program as an administrator".)
* Download our OpenVPN configuration file from "add-link-here":here and move it into the @config/@ subfolder inside the OpenVPN program folder (e.g. C:\Programme\OpenVPN\config).
* Start OpenVPN using the Desktop icon.
* Connecting/Disconnecting can be done by right-clicking the symbol in the task bar.
h2. Overview
* KVM is used for virtualization
* All servers are located in one data center (at Hetzner)
* All VMs have only private IP addresses. While they have unrestricted outbound internet access (via NAT), they cannot be reached directly from the outside, except through the VPN.
* _Nginx_ is used as HTTPS proxy in front of all HTTP(S)-based services
* _haproxy_ is used to make non-HTTP services publicly reachable
h2. VPN Access
* VPN access to the internal network is provided via OpenVPN (you need to install an OpenVPN client and set up the configuration that you receive from us).
* VPN clients (aka _you_!) receive an address from the @10.187.0.0/16@ range
* Infrastructure IP range: @10.186.0.0/16@ (route pushed via VPN)
** 10.186.0.x - network infrastructure
** 10.186.1.x - physical servers
** 10.186.2.x - VMs
* You can test connectivity by pinging @10.186.0.1@.
* Host names often resolve to internal IP addresses (srvXXX.typo3.org -> 10.186.2.XXX). You can use these hostnames once connected via VPN; outside the VPN they are not reachable.
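The addressing rules above (client range, pushed infrastructure route, srvXXX host names mapping onto 10.186.2.XXX) can be turned into a post-connect sanity check. The following is an added example and not part of the original page or the typo3.org tooling; it takes the tunnel address, the text of @ip -4 route@ and a dictionary of already-resolved host names as inputs, so it runs offline on the constructed sample below. The assumption that a default route over the tunnel is unexpected is the author's own reading of "route pushed via VPN" for the 10.186.0.0/16 range only.

```python
"""Sanity check for a VPN session against the addressing scheme described above.

Added example (not part of the original page). Inputs are injected so that it
runs offline; in real use feed it the output of `ip -4 route` and the result of
socket.gethostbyname() for a few srvXXX.typo3.org names.
"""
import ipaddress
import re

CLIENT_RANGE = ipaddress.ip_network("10.187.0.0/16")   # addresses handed to VPN clients
INFRA_RANGE = ipaddress.ip_network("10.186.0.0/16")    # route pushed by the VPN
VM_RANGE = ipaddress.ip_network("10.186.2.0/24")       # srvXXX.typo3.org -> 10.186.2.XXX

# Matches lines such as "10.186.0.0/16 via 10.187.0.1 dev tun0" or "default via ... dev eth0".
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")
HOST_RE = re.compile(r"srv(\d{1,3})\.typo3\.org")


def parse_routes(text):
    """Turn `ip -4 route` output into (destination network, device) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue                      # blackhole/unreachable entries etc. are ignored
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append((ipaddress.ip_network(dst, strict=False), m.group("dev")))
    return routes


def check_vpn_session(tun_addr, routes_text, resolved):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    problems = []
    addr = ipaddress.ip_address(tun_addr)
    if addr not in CLIENT_RANGE:
        problems.append(f"tunnel address {addr} is outside {CLIENT_RANGE}")

    routes = parse_routes(routes_text)
    tun_devs = {dev for net, dev in routes if net == INFRA_RANGE}
    if not tun_devs:
        problems.append(f"no route to {INFRA_RANGE}; the VPN did not push its route")
    # Assumption: only the infrastructure range is routed through the tunnel, so a
    # default route over the same device means the wrong profile/config is in use.
    for net, dev in routes:
        if net.prefixlen == 0 and dev in tun_devs:
            problems.append(f"default route goes via {dev}; expected only {INFRA_RANGE}")

    # srvXXX names must resolve into the VM range and the last octet must match XXX.
    for host, ip in resolved.items():
        ipobj = ipaddress.ip_address(ip)
        m = HOST_RE.fullmatch(host)
        if ipobj not in VM_RANGE:
            problems.append(f"{host} resolves to {ip}, outside {VM_RANGE}")
        elif m and int(m.group(1)) != int(ip.split(".")[-1]):
            problems.append(f"{host} resolves to {ip}; last octet does not match the host name")
    return problems


# Constructed sample data (not captured from the real infrastructure).
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.186.0.0/16 via 10.187.0.1 dev tun0
10.187.0.0/16 dev tun0 proto kernel scope link src 10.187.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""
SAMPLE_DNS = {"srv042.typo3.org": "10.186.2.42", "srv100.typo3.org": "10.186.2.100"}

if __name__ == "__main__":
    for line in check_vpn_session("10.187.0.6", SAMPLE_ROUTES, SAMPLE_DNS) or ["VPN session looks good"]:
        print(line)
```

On a real machine the only change needed is to replace the constructed sample with the live values (for example @subprocess.check_output(["ip", "-4", "route"], text=True)@ and @socket.gethostbyname(host)@); the check itself stays the same.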
h2. SSH Accounts
* User accounts are managed by the Server Admin Team and provisioned via Chef ("cookbook":https://github.com/typo3-cookbooks/t3-base#users)
* SSH pubkeys will be automatically deployed. Do not modify @~/.ssh/authorized_keys@ - it will be overwritten.
* If you have a new SSH key, please contact us.
h2. DNS Load Balancing
* Frontend servers are redundant and use DNS load balancing. All (usually 2) frontend servers run the HTTPS proxy as well as haproxy.
h2. HTTPS Proxy
* All applications are running behind Nginx-based HTTPS proxies. There is no need to set up TLS in your application itself; it only has to speak plain HTTP to the proxy.
* HTTPS is mandatory; all HTTP requests will be automatically redirected.
* The proxy adds some headers (@Strict-Transport-Security@ and friends) automatically. Please don't duplicate them in your application, since a duplicated header is sent twice and browsers may reject or misinterpret it. Verify the correct setup using "securityheaders.io":https://securityheaders.io / "ssllabs.com":https://www.ssllabs.com/ssltest/. See the @add_headers@ section in the "Chef cookbook":https://github.com/TYPO3-cookbooks/site-proxytypo3org/blob/master/attributes/nginx.rb.
* Make sure that your application logs the correct end-user's IP address: from the application's point of view every request comes from the proxy. Respect the usual proxy headers (see the @proxy_set_header@ part of the "Chef cookbook":https://github.com/TYPO3-cookbooks/site-proxytypo3org/blob/master/attributes/nginx.rb), but only trust them when the request actually arrived from one of the proxies; the values further up the chain are client-supplied and can be forged.
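The two points above (trusting forwarded headers only from the proxies, and not duplicating headers the proxy already sets) are easy to get wrong in the application. The following is an added example and not code from the original page or from the Chef cookbook; it assumes the conventional @X-Forwarded-For@ header (check the cookbook's @proxy_set_header@ section for the real header names) and uses two hypothetical frontend proxy addresses. It shows the naive, spoofable lookup next to the hardened one.

```python
"""Deriving the end-user IP behind the frontend proxies (added example).

Assumptions (not from the page): the proxy appends the peer address to the
X-Forwarded-For header, and the two proxy addresses below are placeholders
for the real frontend servers.
"""
import ipaddress

# Hypothetical frontend proxies; replace with the real frontend addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("10.186.2.10/32"),
                   ipaddress.ip_network("10.186.2.11/32")]

# Headers the proxy owns. Extend with whatever add_headers in the cookbook sets.
PROXY_OWNED_HEADERS = ("Strict-Transport-Security",)


def _trusted(ip, trusted):
    return any(ip in net for net in trusted)


def naive_client_ip(remote_addr, forwarded_for):
    """The common mistake: take the leftmost X-Forwarded-For entry unconditionally.
    Anyone can send that header, so this logs whatever the attacker chooses."""
    first = (forwarded_for or "").split(",")[0].strip()
    return first or remote_addr


def client_ip(remote_addr, forwarded_for, trusted=TRUSTED_PROXIES):
    """Return the address to log for this request.

    Only honour X-Forwarded-For when the TCP peer is one of our proxies, then walk
    the chain from the right: the proxy appends the address it saw, so the rightmost
    entry that is not itself a trusted proxy is the real client. Everything to the
    left of it was supplied by the client and is unverifiable.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _trusted(peer, trusted):
        return str(peer)              # direct connection (or someone bypassing the proxy)
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)          # malformed header: do not guess, log the peer
        if not _trusted(ip, trusted):
            return str(ip)
    return str(peer)                  # chain contained only proxies


def duplicated_headers(app_headers, proxy_owned=PROXY_OWNED_HEADERS):
    """Names of response headers the application sets although the proxy adds them
    already (case-insensitive, as HTTP header names are)."""
    owned = {h.lower() for h in proxy_owned}
    return sorted(name for name in app_headers if name.lower() in owned)


if __name__ == "__main__":
    # Constructed request: client 203.0.113.5 sends a forged header "1.1.1.1".
    print("naive   :", naive_client_ip("10.186.2.10", "1.1.1.1, 203.0.113.5"))
    print("hardened:", client_ip("10.186.2.10", "1.1.1.1, 203.0.113.5"))
    print("duplicates:", duplicated_headers({"Strict-Transport-Security": "max-age=1",
                                             "Content-Type": "text/html"}))
```

The naive version logs the forged @1.1.1.1@; the hardened version logs @203.0.113.5@, and ignores the header entirely when the request did not come through a proxy. Running @duplicated_headers@ over your application's response headers is a quick way to catch the duplication the page warns about before checking with securityheaders.io.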
h2. Public Access to non-HTTP(S) Ports
* TCP services that are not based on HTTP (e.g. Git) can be forwarded, too; they are exposed through haproxy on the frontend servers rather than through the HTTPS proxy.
h1. Howto Schroot
Schroot allows users to execute commands or interactive shells in different chroots (see the schroot man page).
More info:
* http://wiki.ubuntuusers.de/schroot (in German)
Note: this tutorial was written in the context of installing "svn2git" with a specific version of Git provided by Debian Sid.
h2. Install Software
<pre>
apt-get -u install schroot debootstrap
</pre>
h2. Create the destination folder
<pre>
mkdir -p /srv/chroot/debian-sid-amd64
</pre>
h2. Install a Debian base system into a subdirectory of another with debootstrap
<pre>
debootstrap --arch amd64 sid /srv/chroot/debian-sid-amd64 http://ftp.de.debian.org/debian
</pre>
h2. Configure schroot
Create a configuration file for the chroot (e.g. with @mcedit@):
<pre>
cd /etc/schroot
mcedit chroot.d/debian-sid-amd64.conf
</pre>
with the following content:
<pre>
[sid64]
description=Debian Sid (amd64)
directory=/srv/chroot/debian-sid-amd64
# comma-separated list of users allowed to enter the chroot
users=fudriot,mstucki
#groups=...
# root-users get root inside the chroot; with bind-mounted host directories
# (e.g. /home from the default profile) that is root on those host files, too
#root-users=...
type=directory
# old versions use "script-config", newer versions use "profile"
script-config=default/config
#profile=default
# personality: "linux" for a native (amd64) chroot, "linux32" for a 32-bit (i386) chroot
personality=linux
preserve-environment=true
</pre>
Comment:
If you need a folder mounted inside the chroot, add it to the fstab of the profile in use (@/etc/schroot/default/fstab@), or create a new profile dedicated to your use case.
h2. Enter the chroot and install the necessary software
The installation steps below need root inside the chroot. Either enter it as root from the host, or list yourself under @root-users@ in the configuration above:
<pre>
schroot -c sid64        # as one of the configured users
sudo schroot -c sid64   # as root (needed for the installation steps below)
</pre>
h3. Configure locales
<pre>
# run as root inside the chroot
apt-get install locales   # the debootstrap base system does not contain locale-gen
vi /etc/locale.gen        # uncomment "de_CH.UTF-8 UTF-8" and "en_US.UTF-8 UTF-8"
locale-gen
</pre>
h3. Install packages
<pre>
# run as root inside the chroot
aptitude install -y debian-keyring php5 git rubygems1.8
gem install --no-ri --no-rdoc svn2git
</pre>
h2. Run a command
To run a single command non-interactively (the @--@ separates schroot's own options from the command):
<pre>
sudo schroot -c sid64 -- whoami
</pre>
Note: the @schroot@ command may have problems with arguments containing white space. The solution is to wrap the command in a script and run that script instead.
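The wrapper-script workaround from the note above, as an added example that is not part of the original page: every argument is shell-quoted into a one-line script, the script is executed through @schroot -c sid64 -- /path/to/script@, and it is removed afterwards. It assumes the script is written somewhere the chroot can see; the default schroot profile bind-mounts @/home@, so the invoking user's home directory is used as the default location (an assumption about the profile in use). The chroot name @sid64@ is the one configured above.

```python
"""Run a command with white-space arguments inside the chroot via a wrapper script.

Added example, not part of the original page. Assumption: the directory the
script is written to is visible inside the chroot (the default profile
bind-mounts /home, hence the default of the invoking user's home directory).
"""
import os
import shlex
import stat
import subprocess
import tempfile


def wrapper_contents(argv):
    """Script text that execs argv with each argument shell-quoted, so an argument
    such as "Jane Doe <jane@example.org>" reaches the command unchanged."""
    if not argv:
        raise ValueError("empty command")
    return "#!/bin/sh\nexec " + shlex.join(argv) + "\n"


def write_wrapper(argv, directory=None):
    """Write the wrapper script (owner-only rwx) and return its path."""
    directory = directory or os.path.expanduser("~")
    fd, path = tempfile.mkstemp(prefix="schroot-", suffix=".sh", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(wrapper_contents(argv))
    os.chmod(path, stat.S_IRWXU)          # 0700: only the owner can read or run it
    return path


def schroot_argv(chroot, script_path):
    """Host-side argv; '--' stops schroot from interpreting the script's options."""
    return ["schroot", "-c", chroot, "--", script_path]


def run_in_chroot(chroot, argv, directory=None):
    """Write the wrapper, run it in the chroot, clean up; returns the exit status."""
    path = write_wrapper(argv, directory)
    try:
        return subprocess.run(schroot_argv(chroot, path), check=False).returncode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed example invocation; the author entry is a placeholder.
    cmd = ["svn2git", "--authors", "Jane Doe <jane@example.org>"]
    print(wrapper_contents(cmd), end="")
    print(" ".join(schroot_argv("sid64", "/home/user/schroot-XXXX.sh")))
```

Because the arguments are quoted with @shlex.join@ and never pass through the host shell, a value like @Jane Doe <jane@example.org>@ cannot be split or interpreted on either side of the chroot boundary.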