Infrastructure Unit Forum Planning

NOTE: we specifically DON'T address the network here. That's being planned separately.

KB

We should have a "full inf-unit presence" at KB. That means: a KDC, an LDAP slave, and a network infrastructure machine. We'll leave the existing KDC there. We'll run the LDAP slave on the same machine for now, though in due course we'll probably redeploy one of the KDC machines from BP or FH. A new netinf machine was recently installed, which we'll leave there.

Consoles: a lantronix box would require a Linux server as well for logging, so we might as well just use the existing machine(s) for now, even though they're out of warranty.

Cosign?

Total rack space required: 5U plus console serial boxes plus switch(es) plus UPSes.

Kerberos

  • Move master KDC to Forum
  • Existing slave KDC in AT
  • No need for a separate slave KDC in the Forum
  • Existing slave KDC at KB
  • Migrate all KDCs onto wire B
  • Current BP and FH KDC machines have a couple of years of warranty left -- redeploy them (one as KB LDAP slave, one as ??)

  • Suggest running AFSDB on KDCs

For Forum:

  • 1 existing machine
  • Dual network path desirable
  • Dual power required
  • Remote management required
  • No particular bandwidth requirements

Other authentication services

We believe the authportal can become unsupported in due course. Unfortunately that might not be in time for when we leave FH. If absolutely necessary we could park the existing machine in a corner somewhere for a while!

Other things are co-located with KDCs anyway.

Cosign

  • Move KB cosign server to Forum
  • (Alternatively leave it there and redeploy ex-BP/FH KDC as a third cosign server in the Forum)
  • Leave the AT server there

For Forum:

  • 1 existing machine
  • Dual network path useful
  • Remote management required
  • No particular bandwidth requirements

LDAP

  • Move master to Forum
  • Move all read functionality to the slaves
  • Shift towards caching clients means we'll need beefy slaves. These will have to be new machines, as we don't have anything suitable still on warranty. Three required for load-sharing and resilience -- two in Forum and one in AT.
  • KB site slave will probably be a redeployed KDC from either BP or FH
  • Probably now safe to run lcfg2ldap on one of the main LDAP machines
  • (Might be easiest in practice to install three new machines in Forum (1 x master, 2 x slaves) and convert existing master in AT to be third slave)

For Forum:

  • 3 machines (1 existing, 2 new, plus 1 new for AT)
  • Dual network path desirable
  • Dual power required
  • Remote management required
  • 1Gb links required
  • Machines distributed across racks, power and switches

Monitoring

  • Move KB monitor host to Forum
  • Leave existing AT monitor host there
  • Reconfigure so each monitors its own site

For Forum:

  • 1 existing machine
  • Dual network path desirable
  • Dual power required
  • Remote management desirable
  • Probably no particular bandwidth requirements

Consoles

  • Each group of racks will require at least one (new) lantronix console server
  • A (new) Linux server will be required to control these and hold logs

RADIUS

  • Stalled project
  • Probably one server in Forum and one at AT (what about KB?)
  • No kit yet; 2 new machines in due course

Routing, filtering and other network infrastructure

  • New AT network machines were installed recently -- keep them there
  • New network infrastructure machine installed at KB -- keep it there
  • ALL other routers, nameservers, etc are out of warranty, so...
  • New routers required for Forum
  • Probably OK to run nameservers on out-of-warranty kit for now (leave darwin in AT, move linnaeus to Forum)
  • Leave OpenVPN endpoint in AT for now

For Forum:

  • 3 machines (2 new, 1 existing)
  • Special-purpose network connectivity
  • Dual power required (x 2)
  • Good disc performance required
  • Remote management required
  • Network connectivity critical

Ether and fibrechannel switches

Dealt with elsewhere.

Summary of new machine requirements

  • 2 x Dell PE1950 or better, required in advance of occupation (routers/infrastructure)
  • 3 x Dell PE2950 or equivalent, required in due course (LDAP slaves)
  • 1 x mid-spec machine with a decent amount of disc space, ideally required in advance of occupation
  • Sundry lantronix boxes

-- GeorgeRoss - 17 Dec 2007


Topic revision: r6 - 18 Dec 2007 - 15:07:08 - GeorgeRoss
 