Re: Report from the DSA Team Sprint 2013-06

To: Brian Gupta <brian.gupta@brandorr.com>
Cc: debian-project@lists.debian.org
Subject: Re: Report from the DSA Team Sprint 2013-06
From: Martin Zobel-Helas <zobel@ftbfs.de>
Date: Sat, 22 Jun 2013 21:05:10 +0200
Message-id: <[🔎] 20130622190510.GC25451@ftbfs.de>
In-reply-to: <[🔎] CACFaiRy7j-YUA42KBvaLkoMsER3DMa-LFSm_BkYuwN2FcVk5dA@mail.gmail.com>
References: <[🔎] 20130621180752.GA12975@valiant.palfrader.org> <[🔎] CACFaiRy7j-YUA42KBvaLkoMsER3DMa-LFSm_BkYuwN2FcVk5dA@mail.gmail.com>

Hi, 

On Fri Jun 21, 2013 at 14:57:09 -0400, Brian Gupta wrote:
> > o) User and Group Management:
> >    Last year we estimated the number of active shell accounts to be on
> >    the order of 50.000 over all users/hosts.  We still would like to
> >    disable unused accounts as described in last year's summary mail
> >    but nothing has happened to actually implement that.  Help welcome.
> 
> What kind of skills are required to help with this?

in general: python know-how.
in detail: We need to track users over all hosts, collect that
information somewhere and need to integrate that data into 'ud'. 

> > o) Configuration Management:
> >    The DSA team uses several tools to help them maintain and monitor
> >    Debian's infrastructure and to keep track of what systems there
> >    are, how to access them if things go wrong, when to purchase new
> >    warranty contracts and so on.  Currently information is kept in a
> >    large number of different and not cross-referenced systems,
> >    including the puppet git repository, LDAP, the nagios
> >    configuration, our password database and a spreadsheet file.
> >
> >    The distributed nature of this setup makes it difficult to get a
> >    good, consistent overview and to give other teams like the
> >    auditor/asset tracking folks the information they require to do
> >    their job.
> >
> >    We agreed upon one desired solution:  We would like to have one
> >    location, presumably a git repository, that has all the information
> >    we have about a VM or piece of hardware.  Parts of that data would
> >    have to be encrypted to privileged information, but the majority of
> >    it should be available publicly.  Systems like LDAP, our nagios and
> >    parts of the puppet configuration should then get the data they
> >    need from this new single source of truth.  This is going to be a
> >    lot of work and it will probably take a long time to get there.  If
> >    you would like to help please contact us.
> 
> I am involved with a project called "theforeman" which might be useful
> as it integrates tightly with Puppet. http://theforeman.org/ It's
> currently not part of Debian, but the project does build nightly debs,
> and there is a general will to get forman into Debian. (PPAMAIN will
> be a real big help here, since it's a fairly fast moving project and
> having multiple version support within a single stable lifetime would
> be strongly desired.)
> 
> Although it also can handle full provisioning of baremetal, VMs, and
> cloud instances, I think the big win will be its puppet integration.
> It provides an inventory service (central database of facts),
> customizable metadata, puppet ENC facilities, support for multiple
> Datacenters, RBAC, option LDAP integration for authentication, a rich
> query/search interface, and robust puppet reporting capabilities. (The
> Foreman team impressed the audience last PuppetConf when they
> announced that they were the first ENC to support parameterized
> classes.)
> 
> Another nice thing about Foreman is that it supports all versions of
> Puppet going back to Puppet 0.24.4.
> 
> It's also very automatable since it has a REST API and CLI.
> 
> Bonus for me is that even though RedHat is now funding much of the
> ongoing development, there is no single copyright holder, and it is
> licensed GPLv3+. (So clearly DFSG compliant.)
> 
> I'm not sure if a tool like this fits into your plans for a "single
> source of truth" since you mentioned git. But I strongly encourage you
> to consider it, and would be happy to answer any questions you might
> have, or discuss offline in IRC (bgupta@oftc).

As alreday disussed on IRC yesterday, we are open to it, if you help us
deploying it and if you can send patches for our config management. I
see the problem that foreman will only scale well four our big hosting
locations, where we can use the full set of features of foreman.

Cheers,
Martin
-- 
 Martin Zobel-Helas <zobel@debian.org>    Debian System Administrator
 Debian & GNU/Linux Developer                       Debian Listmaster
 http://about.me/zobel                               Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B

Reply to:

Follow-Ups:
- Re: Report from the DSA Team Sprint 2013-06
  - From: Brian Gupta <brian.gupta@brandorr.com>

References:
- Report from the DSA Team Sprint 2013-06
  - From: Peter Palfrader <weasel@debian.org>
- Re: Report from the DSA Team Sprint 2013-06
  - From: Brian Gupta <brian.gupta@brandorr.com>

Prev by Date: Re: Report from the DSA Team Sprint 2013-06
Next by Date: Re: Report from the DSA Team Sprint 2013-06
Previous by thread: Re: Report from the DSA Team Sprint 2013-06
Next by thread: Re: Report from the DSA Team Sprint 2013-06
Index(es):
- Date
- Thread