[Micronet] database support

Re: [Micronet] database support

Scot Hacker

On Aug 26, 2010, at 1:51 PM, Bill Clark wrote:

> Scot wrote:
>> By default, cPanel users do not get shell access.
>> The admin can enable either jailed or unjailed
>> shells for individual accounts. No real admin
>> overhead there.
>
> I meant that if cPanel is compromised, it potentially exposes the entire
> system to risk.

Which is potentially true of any system, where you have the potential  
for both root-level compromises and account-level compromises (which  
in turn may be vulnerable to privilege escalation). Yes, partitioning  
things off into multiple VMs is a great response to that.

FWIW, privs on a stock cPanel system are set up so that users cannot  
even see that other user accounts exist. "ls -l /home" just gives  
"permission denied."

> My understanding is that commodity hosting services
> minimize this risk by running each customer instance in its own jail (or
> outright VM in some cases) effectively isolating it from other customers.
> The admin overhead is in setting up the server to work that way, not
> anything having to do with cPanel itself.

Right - there are lots of deployment details and options to be worked  
out, depending on the use case.

>
>
> Taking CalWeb Pro as an example, each Apache instance (other than the
> shared reverse proxy) runs under a specific user account -- so everything
> already is isolated down to the level of individual user permissions. But
> if any one of those user accounts is compromised, that can still grant an
> intruder account access to a shared multi-user system.

There are also options like suexec and safe_mode which can greatly
mitigate what privileges a process has access to in case it were to
"break out."

>
> I'm not saying IS&T shouldn't provide a service like this -- I tend to
> think the benefits probably do outweigh the extra costs, since it's
> probably even less cost-effective to have departmental IT staff running
> and administering individual websites and databases -- I'm just pointing
> out that there are additional infrastructure-related expenses to
> supporting a tool like cPanel that need to be taken into account when
> estimating the full cost.
>

Absolutely.

./s


--
Scot Hacker, Webmaster
Knight Digital Media Center
UC Berkeley Graduate School of Journalism
http://kdmc.berkeley.edu
http://twitter.com/kdmcinfo
http://journalism.berkeley.edu

-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
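Scot's point above is that on his cPanel box an ordinary account cannot even list /home, so users cannot enumerate the other accounts on the shared host. The following is an added example, not code from the thread or from cPanel: a small POSIX shell audit that checks a home tree for that property. It assumes a Unix host where a directory with no group/other read bit cannot be listed by those users (it can still be traversed when the execute bit is set, which is what a 0711 /home relies on), and it assumes GNU `stat -c` with a BSD `stat -f` fallback. The demo runs on a constructed tree under mktemp and never reads the real /home.

```shell
#!/bin/sh
# Added example (not from the Micronet thread or from cPanel): audit a
# multi-user home tree so that other users cannot list account names or
# the contents of another account's home directory.
# Assumption: a directory whose mode lacks the group/other read bit gives
# "Permission denied" on "ls"; with the execute bit set it is still
# traversable, so per-user web roots beneath it keep working.

# Octal permission bits of a path, e.g. 711 or 2755 (stat prints no
# leading zero, so the value is safe in shell arithmetic).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when neither group nor other holds the read bit on "$1",
# i.e. those users cannot list the directory.
listing_hidden() {
    m=$(mode_of "$1")
    g=$(( (m / 10) % 10 ))   # group triplet
    o=$(( m % 10 ))          # other triplet
    [ $(( g & 4 )) -eq 0 ] && [ $(( o & 4 )) -eq 0 ]
}

# Audit: the tree itself must hide account names, and each account's home
# must not be enumerable by the other accounts. Prints one line per
# finding; returns 0 when nothing is exposed, 1 otherwise.
audit_home_tree() {
    root=$1
    rc=0
    if ! listing_hidden "$root"; then
        echo "EXPOSED: $root (mode $(mode_of "$root")) lets other users list account names"
        rc=1
    fi
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if ! listing_hidden "$d"; then
            echo "EXPOSED: $d (mode $(mode_of "$d")) is listable by other users"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on a constructed tree under mktemp; the real /home is not touched.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/home/alice" "$t/home/bob"
    chmod 711 "$t/home" "$t/home/alice"
    chmod 755 "$t/home/bob"      # deliberately exposed
    audit_home_tree "$t/home"    # reports bob's home, returns 1
    rm -rf "$t"
}

case "${1:-}" in demo) demo ;; esac
```

Run it with `sh audit_home.sh demo` to see the finding for the exposed account; point `audit_home_tree` at the real /home (as root) to check a live box. Hiding the listing is a hardening measure against enumeration, not isolation: an account that already knows another username can still reach world-readable files under that user's home, which is why the thread's jail/VM discussion and suexec-style separation still matter.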

Re: [Micronet] database support

Erik Klavon
In reply to this post by Scot Hacker
On Thu, Aug 26, 2010 at 10:59:38AM -0700, Scot Hacker wrote:

> On Aug 25, 2010, at 11:01 PM, Erik Klavon wrote:
> > Based on what Scot has reported, it sounds like he may have arrived at
> > a solution worth exploring further. Scot, on what terms do you think
> > it would be possible to provide the service you've created to other
> > departments on campus? How much do you think it would cost to fund
> > such a service?
>
> I'm not in a position to estimate labor costs for the DC, but there  
> shouldn't be any material costs involved. The investment would be in  
> time for someone at the datacenter to get trained on cPanel system  
> management, then to experiment with and establish a cPanel/WHM VM  
> template. Some support staff at the datacenter would also need  
> training or expertise. There are tons of resources out there, and a  
> thriving community of administrators to lean on, in addition to very  
> good documentation. There should not be any licensing fees. It would  
> be up to the data center to estimate costs based on labor needs.

What you outline above sounds fine, but I think it is several steps
away from where we are now. Since you have done all of the above
within your department, I'd like to know what your estimate of
your local costs (hardware and software requirements, and staff time)
are, and how many websites are supported by those costs. This is a
rough way to estimate answers to my above questions without going into
the level of detail you suggest this early on.

Erik


Re: [Micronet] database support

Scot Hacker
On Aug 31, 2010, at 10:51 PM, Erik Klavon wrote:

What you outline above sounds fine, but I think it is several steps
away from where we are now. Since you have done all of the above
within your department, I'd like to know what your estimate of
your local costs (hardware and software requirements, and staff time)
are, and how many websites are supported by those costs. This is a
rough way to estimate answers to my above questions without going into
the level of detail you suggest this early on.

Material:

$2000: SunFire X2100 server, two years ago. We would have purchased it whether we used cPanel or not. Housed in our own rack but moving to the DC this winter.

$0: Backups via rsync cron to our own backup unit (will switch to DC backup this winter).

$0: cPanel/WHM .edu license

$0: CentOS (Red Hat compatible)

$0: MySQL database server included with Linux, managed via tools provided w/cPanel. MySQL backups via nightly mysqldump to backup unit above.

Labor:

10-15 hrs: Initial time setting up RAID, partitioning disks, installing WHM/cPanel, setting up ConfigServer firewall for auto-firewalling of bad behavior and IPs of failed logon attempts to any service (mail, shell, sftp, http). Set up ssh/sftp for key-based authentication only. This time would have been mostly erased by using a standard commercial cPanel provider (dedicated server or VPS at a provider like ServInt).

10 hrs: Researching, compiling and configuring mod_wsgi for serving Django sites (Django not currently supported out of the box by cPanel, but most UC departments will not have this need; PHP, many common CMSs, Rails are supported natively).

Ongoing maintenance needs don't require much effort - things like setting up new accounts, checking on backups, clearing out old cruft, setting up caching systems for high-traffic sites, etc. consume not more than a few hours per month. 

We use wp-mass-tools to manage all WordPress installations so they can all be updated immediately when WordPress security releases are made.

The server also handles a number of git and svn repositories driving both staging and production sites. We do not use a physically separate staging/development server - staging and/or dev sites are set up as dev.example.com or staging.example.com under the same accounts on an as-needed basis. This reduces costs and guarantees that site managers won't be surprised by different environments in production than in dev.

A new user account and accompanying domain or domains can be set up in under five minutes.

Sites served:

Currently handles 112 databases and 33 domains (mix of Django and WordPress sites) without breaking a sweat. In August served 406 GB of traffic.

A similarly configured server I manage privately currently handles 229 databases in 109 accounts and did ~300 GB of traffic in August. That one is a VPS at servint.net.

HTH,
Scot


--
Scot Hacker, Webmaster
Knight Digital Media Center
UC Berkeley Graduate School of Journalism
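Two of the setup items in Scot's labor estimate, ssh/sftp restricted to key-based authentication and a firewall daemon that blocks IPs after repeated failed logons, can be checked without trusting memory of how the box was configured. What follows is an added example, not code from the thread, from OpenSSH or from ConfigServer (csf/lfd): a POSIX shell script that (a) verifies an sshd_config leaves only public-key logons and (b) tallies "Failed password" events per source IP from sshd log lines, which is the kind of list a login-failure daemon hands to the firewall. It assumes sshd_config written as "Keyword value" lines (the "Keyword=value" form is not handled) and syslog-style sshd lines; the log lines and IPs in the block are constructed sample data from the documentation address ranges.

```shell
#!/bin/sh
# Added example, not from the Micronet thread, OpenSSH or ConfigServer:
# check for key-only sshd auth and tally failed logons per source IP.
# Assumptions: sshd_config uses "Keyword value" lines, and the log lines
# look like
#   sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2

# First value of a keyword (regex on the lower-cased keyword) in "$1".
# sshd keeps the FIRST value it sees for a keyword, so a later "no" does
# not undo an earlier "yes"; everything after the first Match block is
# conditional, so the scan stops there.
sshd_first_value() {
    awk -v k="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) ~ k { print tolower($2); exit }' "$1"
}

# True when the config allows only public-key logons: password auth off,
# keyboard-interactive (PAM prompt) auth off, pubkey auth not disabled.
# Both "no" values must be explicit; an unset keyword counts as a fail,
# since the compiled-in default for those two is "yes".
sshd_key_only() {
    cfg=$1
    pw=$(sshd_first_value "$cfg" '^passwordauthentication$')
    kb=$(sshd_first_value "$cfg" '^(challengeresponseauthentication|kbdinteractiveauthentication)$')
    pk=$(sshd_first_value "$cfg" '^pubkeyauthentication$')
    [ "$pw" = no ] && [ "$kb" = no ] && [ "$pk" != no ]
}

# Read sshd log lines on stdin, count "Failed password" events per source
# IP, and print "IP COUNT" for every IP at or above threshold $1.
failed_logon_offenders() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }' | sort
}

# Constructed sample log (not captured from a real host).
SAMPLE_LOG='Sep  1 02:10:01 web sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep  1 02:10:04 web sshd[4103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep  1 02:10:09 web sshd[4107]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Sep  1 02:11:30 web sshd[4120]: Failed password for scot from 198.51.100.5 port 40022 ssh2
Sep  1 02:11:41 web sshd[4121]: Accepted publickey for scot from 198.51.100.5 port 40023 ssh2'

demo() {
    cfg=$(mktemp)
    printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$cfg"
    if sshd_key_only "$cfg"; then echo "sshd: key-only"; else echo "sshd: passwords still accepted"; fi
    rm -f "$cfg"
    printf '%s\n' "$SAMPLE_LOG" | failed_logon_offenders 3   # 203.0.113.7 3
}

case "${1:-}" in demo) demo ;; esac
```

On a live host, `sshd_key_only /etc/ssh/sshd_config` answers the configuration question and `failed_logon_offenders 5 < /var/log/secure` (or `journalctl -u sshd` piped in) shows who a blocking daemon would be firewalling; the threshold and lookback window are the knobs that trade nuisance blocks of legitimate users against brute-force tolerance. Note that an `Include` directive processed before these keywords can also supply the first value, so on distributions that ship an `sshd_config.d` directory the included files need the same check.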
