[Infrastructures] Re: Host installs?

Heilke, Rainer Rainer.Heilke@atcoitek.com
Tue, 4 Feb 2003 08:24:23 -0700


This is actually the source of some disagreement in our group. I am of the
"Don't install anything beyond what you need" variety. The other two admins
are of the "install everything, disable what you don't use" type.

There are pros and cons to each approach. You lose some abilities in the
"repurpose" area with my approach, but then, we don't do this here anyway.
When we move a server to a new role, we do a fresh install (and our Kerberos
and DNS servers are completely unique, as are a couple other servers). So,
when only one server provides X services, why do we install and run all of X
on all systems...? It is also true that HDD space is increasingly cheap, but
then, you are also installing all of the security holes.

Regardless of which approach you take, make sure that all systems are as
similar as possible, using cfengine (isconf, whatever) to keep the
individual systems in sync with their roles and each other. Use tools like
cfengine to maintain order, and they can also act as documentation tools.
Some of the compromise involves the size of your infrastructure, smaller
ones typically being a bit looser, I would guess. This is all stuff I am
still thinking about, and trying to get the two others on my team to look at
with new eyes. The latter can be the greatest challenge.

Rainer Heilke

> -----Original Message-----
> From: Stephen Schaefer [mailto:SSchaefer@rfmd.com] 
> Sent: Tuesday, February 04, 2003 7:08 AM
> To: infrastructures@roton.terraluna.org
> Subject: RE: [Infrastructures] Re: Host installs?
> 
> 
> This is a good answer for well understood, static environments -
> especially those exposed to the security threats of the internet, or
> indeed at any security boundary.  You do, however, gain from
> *uniformity* of systems, both from the ability to rapidly repurpose and
> from the decrease in management complexity.  That means on internal
> systems you install everything you use or are likely to use anywhere,
> which is almost everything (though probably not <a
> href="http://www.xbill.com">xbill</a> :-).  I do take the security issue
> seriously, and no one can afford not to when dealing with the
> opportunistic threats from the internet -- but you need to find the
> balance between your own internal capabilities and vulnerabilities that
> matches the level of threat you have.  That means assessing the attitude
> of your colleagues and establishing the right security boundaries.  A
> military unit has different requirements than a local auto mechanic.
> 
>     - Stephen
> 
> -----Original Message-----
> From: Daniel Pittman [mailto:daniel@rimspace.net] 
> Sent: Tuesday, February 04, 2003 7:36 AM
> To: Harry Hoffman
> Cc: infrastructures@terraluna.org
> Subject: [Infrastructures] Re: Host installs?
> 
> 
> On Tue, 4 Feb 2003, Harry Hoffman wrote:
> > Hi All, When doing host based installs are most people installing 
> > everything available from the vendor - ie Full+OEM->Solaris,
> > Everything->Redhat?
> 
> Heck, no. That's the *last* thing you want to do.
> 
> > Or are you only installing certain packages
> > (clusters) for any given OS?
> 
> Not only do I select based on the purpose of the machine, I tend to trim
> the list down to exclude a number of packages that the vendor[1]
> installs in the "base" system.
> 
> > Do most people not really care anymore, because disks have become so
> > large? If everything is installed then how do most people deal with
> > making sure services aren't started, cfengine?
> 
> If you don't need it, don't put it on there. Aside from the issue of
> disk use, and of security holes as highlighted elsewhere, you complicate
> backups and hide important information in the mass of unused files.
> 
>         Daniel
> 
> Footnotes: 
> [1]  Debian, primarily.
> 
> -- 
> A companion, unobtrusive
> Plays the song that's so elusive
> And the magic music makes your morning mood.
>         -- Rush, _The Spirit of Radio_, 1980
> _______________________________________________
> Infrastructures mailing list Infrastructures@mailman.terraluna.org
> http://mailman.terraluna.org/mailman/listinfo/infrastructures