[Server-devel] XS server addons

David Van Assche dvanassche at gmail.com
Tue Aug 5 05:38:58 EDT 2008


On Tue, Aug 5, 2008 at 3:01 PM, Martin Langhoff
<martin.langhoff at gmail.com> wrote:
> On Tue, Aug 5, 2008 at 8:07 PM, David Van Assche <dvanassche at gmail.com> wrote:
>>  This is bound to be a controversial email, but it's a path we have
>> chosen to take in order to make the XS server more functional for a
>> wider audience:
>
> I find it understandable, but see the notes below
>
>> 1. Install Dansguardian for content filtering
>
> Yup, expected.
>
>> 2. Install Shorewall for traffic shaping, routing and firewalling
>
> Instead of that, I suggest expanding on the fw rules that
> /etc/sysconfig/olpc-scripts/network_config creates - they land in the
> same directory and they are defaulting to just the NAT entries, so no
> firewalling.
>
> If you add good sane fw rules on the WAN if there, then
>
> 1 - I'll incorporate them into xs-config :-)
> 2 - don't have to hack the network startup scripts to remove the part
> that reloads rules
> 3 - you don't have to redo the in step 2 hack with every upgrade - as
> xs-config updates will nuke your changes

The main reason for shorewall is traffic shaping... it's the only
solution that makes using kernel tc easy. I can specify tcclasses for
different types of traffic and that way really improve bandwidth
management, where there is hardly any... here in Kathmandu we're lucky
to get 30 kbit....

It could be overkill, but I know it well, and it works fine with the
existing fw rules you set... or rule, as there is only one :-) It also
ties in well with webmin (and I'm not getting into a flame war about
it. Ubuntu just recently re-included it in their repos after
reassessing it.)

Anyway, shorewall is already a done deal for us and works wonderfully...

>> 3. Install LDAP server (non encrypted) for centralized authentication
>
> I heavily recommend *against* it. I've done a ton of ldap work, I've
> written and/or maintained the ldap plugins in moodle, and rest
> assured, *no* LDAP will be part of the XS. There are far better ways
> to do this - what do you want to achieve?
>
> If you want email + moodle to all dance in sync, pick which one is master, and
>
>  - Moodle is master: it's easy to config postfix to read Pg database
> tables or even views so it reads the live data from Moodle. And the
> postfix-pg configuration is easier than the postfix-ldap
> configuration, and SQL is infinitely more flexible.
>
> Note: postfix-pg documentation is nonexistent. Use the postfix-mysql
> documentation, replacing mysql for pg liberally :-)
>
>  - Postfix is master: configure moodle to use auth/imap or auth/pop3 -
> easy as pie.
>

Would you care to elaborate on how to do this, and I'll gladly dump
openldap in favour of this... openldap is the only way I know how to
do this... + it integrates with webmin =)

>> 4. Install postfix and courier for email
>
> And a webmail I guess? There are patches (by yours truly) to do SSO
> between Squirrelmail and Moodle.

coolness... yes squirrelmail for sure...

>> 5. Install Webmin for overall (internal) gui manipulation of the server...
>
> Ugh! Not recommended and xs-config in its current incarnation is
> likely to just make a mess of it all. I am not too proud of
> xs-config, and Webmin is too horrible for words.

It's a matter of opinion...  webmin in no way touches the underlying
config files, and in terms of security, we are using it internally
only... it's not accessible to the outside interface...
Webmin allows for easy pruning of modules so that we have just what we
need... I have no idea what xs-config is... but I'll gladly take a
look...

>> 6. Install various server monitoring tools
>
> Install whatever tickles your fancy but do install sysstat and make
> sure it's logging. If you need help, or can provide load stats, it
> will be the sysstat logs that we'll want to look at.

yeah, I think we've settled for Nagios... seems to be all-round for
what we need... I'll make sure to run sysstat and post the logs...

David

> cheers,
>
>
>
> m
> --
>  martin.langhoff at gmail.com
>  martin at laptop.org -- School Server Architect
>  - ask interesting questions
>  - don't get distracted with shiny stuff - working code first
>  - http://wiki.laptop.org/go/User:Martinlanghoff
>

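The "Moodle is master" setup Martin sketches above (postfix reading Moodle's Pg tables directly), as an added example that is not code from either poster. It assumes a Moodle database named moodle on the same host, a read-only database role for postfix, and a virtual-mailbox layout under /var/mail/vhosts; mdl_user and its deleted/confirmed columns are Moodle's own schema.

```ini
# /etc/postfix/pgsql-moodle-mailbox.cf  (added example; path, role name,
# password and domain are assumptions)
hosts = localhost
# Use a dedicated read-only role, never the Moodle application account:
# this file is readable by the postfix user and must not expose write access.
user = postfix_ro
password = CHANGEME
dbname = moodle
# %u is the (SQL-quoted) local part of the address being looked up.
# Only confirmed, non-deleted Moodle accounts resolve, so disabling or
# deleting a user in Moodle stops mail delivery for that mailbox too.
query = SELECT username || '/Maildir/' FROM mdl_user
        WHERE username = '%u' AND deleted = 0 AND confirmed = 1

# Relevant lines in /etc/postfix/main.cf (domain is an assumption)
virtual_mailbox_domains = school.example
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-moodle-mailbox.cf
```

Because mdl_user also holds password hashes, grant the postfix role SELECT on a view exposing only username, deleted and confirmed (the "views" Martin mentions) rather than on the table itself, and keep the .cf file mode 0640 owned by root:postfix. `postmap -q user@school.example pgsql:/etc/postfix/pgsql-moodle-mailbox.cf` verifies a lookup without sending mail.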
