3

At our lab, we have several services handled by different phd students (like myself). Fluctuation is high and people do the job next to their research duties. Until now, services were running on different machines, with different OS setups that can result in administration hell quickly.

We want to consolidate our service setup. Our main idea is that the guys responsible for the services should not meddle with the underlying system anymore. Apart from core systems like NFS and kerberos, a typical service is able to run as non-root already. I'm talking about apache, mysql, subversion, mail with openxchange, and so on. Redirecting privileged ports is also no issue (source).

What is left is the configuration of the service and its payload. One scenario we envisioned is that every service has its own user and home directory, accessable by the corresponding admins. Backup and fallback of the service is easy, as everything needed for the service to run is found in one place.

  • Are there established ways to create such a setup?
  • Does a mostly unique method exist to make services find their files (other than in system directories) while still using the corresponding debian packages?
  • Are there any catches with our idea that we may have overlooked?
  • Would you maybe claim that virtualization is the answer to our problem? (In our POV, it wouldn't help us keeping system setup strictly separated from service setup.)

Thank you for any advice!

ypnos
  • 334
  • 3
  • 12

2 Answers2

1

I thought sometimes about what you're trying to do, but at the end i always fall back on sudo. I think natively in linux is pretty difficult reach that goal, maybe with some use of SElinux. Look at this article:

http://www.ibm.com/developerworks/linux/library/l-rbac-selinux/

Not very easy but intriguing. Maybe a bit easier would be using solaris and it's rbac possibilities. Moving services configuration files on some others directory it's kind of mess when you have to update the packages. In this case, maybe the best is to repack the software and change the target dirs.

PiL
  • 1,599
  • 8
  • 6
1

it shouldn't be too hard to run a system wide apache2 install, with domain configurations for each user in their own directory.

same goes for mysql, many users can utilize the same mysql server, without bumping elbows, and if needed, mysql can be run non-privileged, within a user's own directory.

not terribly sure about svn, but i presume it would be another case of a server that could run non-privileged, or a system wide install with custom user configurations.

mail and openexchange might be a whole separate issue. not familiar with openexchange, but a mail server, like postfix, could be configured chroot'd in a user's home, running on a non-privileged port.

for apache2, and custom user files, all you need is a line like:

Include /home/*/httpd/

in your system-wide apache configuration. that would allow users to have a directory ~/httpd/ where they could put their configuration files for their own VirtualHosts, and the like.

cpbills
  • 2,720
  • 18
  • 12
  • Thank you for your valuable answer, unfortunately one can only accept one answer per question ;-) – ypnos May 20 '10 at 17:22