Hi,

for the individual sites it is very advisable to keep their config
files in a version control system. However, this should not be a
publicly accessible CVS repository. Editing out the sensitive
information didn't work in the past for LCFGng.

In a WIKI based system the sites can publish the principal setup of
their sites (in case there is something special about this site)
without publishing the details of the actual setup.

The CVS repository that we used for the LCFGng configuration was a
reasonable idea during the startup phase, but even then it was only
used in earnest by some of the sites; when we tried to use it for
debugging it was quite often stale. For this kind of support the sites
better communicate their used files directly with their ROCs. The ROC
is an entity trustworthy enough to handle config. files in a secure way
and use this knowledge to support other sites.
markus
On Feb 21, 2005, at 8:39 PM, Jeff Templon wrote:
> Hi,
>
> either one needs to limit these things, or else someone will have to
> spend a lot of time editing out the sensitive information. maybe it's
> not so bad with YAIM, but I wouldn't want to deposit my quattor
> profiles somewhere. complete user lists, in some cases password hashes
> ... ugh.
>
>
> On Feb 21, 2005, at 18:27, William Hay wrote:
>
>>> Hi all,
>>>
>>> re: yaim knowledge repository. Great idea!
>>>
>>> When sites first joined LCG there was a central CVS repository for
>>> the LCFG configuration scripts for each site. Rather than, or in
>>> addition to, a wiki, would it be possible to extend this to a YAIM
>>> CVS repository of scripts for each site? This would be more in the
>>> spirit of YAIM scripts as a "non ambiguous description of the
>>> configuration" than descriptions on a wiki page.
>>>
>>> Of course, this would have to be more secure than the LCFG CVS
>>> repository (or wiki). Updates to site configuration should be
>>> restricted to the administrators of that site and a trusted core
>>> team, and most importantly all scripts should be readable only by
>>> the core team and the set of all administrators of all registered
>>> sites...
>>>
>>> cheers,
>>> Owen.
>>>
>>
>> Would it not be more in keeping with the distributed nature of the
>> grid to use Arch or DARCS rather than CVS? Gets rid of the
>> requirement for a "trusted core team". Not sure why you want to keep
>> the scripts readable only by administrators, surely you're not
>> advocating security through obscurity?
>>
>> William
>
>
*******************************************************************************
Markus Schulz
CERN IT