config management Re: [nycbug-talk] A couple of security related questions

Isaac Levy ike
Tue Oct 5 15:40:12 EDT 2004


Hi George, All,

On Oct 5, 2004, at 1:15 PM, George Georgalis wrote:

> On Mon, Oct 04, 2004 at 01:33:58PM -0600, Tillman Hodgson wrote:

[... snip- lots of fun sync stuff ...]

> first off I'm thinking to use CVSup and unison [1] to resolve.
>
> Three problems,
> 1) for the purpose of NFS, sync /etc/passwd, group and mount points.
> 2) get "root read only" (and other ownership/perms) files from golden
>    box to production.
> 3) sync data partitions in real or near real time for 3 or more sites
>    with slow links. (boss says need functionality, not perfection, in
>    practice only one site will change at a time, heh)
>
> So what are people doing about #1?
> Will CVSup do for #2? how?
> Is unison going to work for #3? Anybody do something similar?
>
> Anybody who can solve any two of above gets all their drinks on me at
> next meeting! slosh the sysmin (tm)

Well, George, I can't say that I'm answering these very directly, but 
for everyone's edification here, there is a VERY cool distributed data 
toolkit I wanted to mention called spread-

http://www.spread.org/

I've experienced it in the context of Zope/ZEO use, basically keeping 
concurrency between object databases across hardwares, and in one case, 
across geo-diverse servers.  It's cool, simple to use, and FAST (in the 
context of what it is designed to do!).

It's darned cool stuff, and I've found it to be clean and portable 
across various open *NIX's so far.

In a nutshell, you can write shell scripts that use spread, or an app 
(with bindings likely in your language of choice), to keep concurrency 
between files across a network.  Spread does not make any assumptions 
about lower levels of the network, so you can secure it however you 
wish (stunnel or vpn perhaps?).

--
Now, I'd imagine, that it wouldn't be all that difficult to write a 
daemon that maintains real-time (er, network real-time <g>) concurrency 
between the config files on one machine, and 'backups' on another 
machine, where hooks to spread could be used to pump each change into a 
CVS or SVN repository.

It would be the way I'd go- but I'm not doing this right now.  (Though 
this sounds fun, and I'd love to figure it into a short paying job in 
the future, therefore enabling it to get in my current radar...).  Hrm.

But, there may be much better ways, so I'll keep lurking on this 
thread...

Rocket-
.ike



>
> // George
>
> [1] http://www.cis.upenn.edu/~bcpierce/unison/index.html
>  Unison is a file-synchronization tool for Unix and Windows. It allows
>  two replicas of a collection of files and directories to be stored
>  on different hosts (or different disks on the same host), modified
>  separately, and then brought up to date by propagating the changes in
>  each replica to the other. Like rsync, but bidirectional.




