From Fedora Project Wiki
mNo edit summary
 
(2 intermediate revisions by one other user not shown)
Line 47: Line 47:


(from https://lists.fedoraproject.org/pipermail/server/2014-February/000753.html )
(from https://lists.fedoraproject.org/pipermail/server/2014-February/000753.html )
Very much so. This is something Dan and I talked about at DevConf,
actually. One of the things we'd probably want to do in each of the
various Products is break out our default configurations into a
subpackage that be pulled in by the respective Product release package
as a way to install differing defaults. NetworkManager was the
poster-child for this idea, though I expect there are plenty of other
services that could benefit from this as well.
(from https://lists.fedoraproject.org/pipermail/server/2014-February/000754.html)
= 3. SSH key handling =
FreeIPA / OpenLMI integration so root doesn't need a password so when ssh into box on a fresh install you don't need to use passwords can use your SSH key.
* For machines that are enrolled with FreeIPA, this is already the case. We still need to address the bootstrapping, though: enrolling a machine in the domain or creating the Domain Controller in a fresh environment. [[User:Sgallagh|Sgallagh]] ([[User talk:Sgallagh|talk]]) 19:34, 25 February 2014 (UTC)

Latest revision as of 19:34, 25 February 2014

1. System Identification

When you ssh into people.fedoraproject.org, you get some information including this bit:

Security Category: Low Primary Contact: Fedora Admins - admin@fedoraproject.org Purpose: Provide hosting space for Fedora contributors and Fedora Planet


This comes from http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-single/#HostGeneralSecurity-System-Identification

That's pretty neat. A lot of big organizations may have policies and a system like that, but it strikes me as something that would be neat to integrate into Fedora Server by default.

(from https://lists.fedoraproject.org/pipermail/server/2014-February/000737.html)


To be honest I think it is a terrible idea to drop this information into an /etc file, because it would be a maintenance burden with the very plausible outcome of being a source of confusion.

This kind of information is normally held into a centralized catalog for obvious reasons, if you have that many systems that you need to write this down, you have to many to consult them one by one anyway, you need a central place where you can report on this stuff.

And you do not want to have to create services to synchronize this information locally. It is just useless busy work. But once the file exist you have to do it because otherwise people can get confused (or worse, programs can misbehave) if the information in the local file is wrong.

(from https://lists.fedoraproject.org/pipermail/server/2014-February/000779.html)

2. Network Configuration

"You might install NetworkManager-config-server, which drops some server-type config files into /etc/NetworkManager/conf.d that do things like ignoring the carrier on all interfaces and ensuring NM never creates the default DHCP connections that are useful on desktops. There are other options in there, like making NM stop touching /etc/resolv.conf if you know you never need to update it. See "man NetworkManager.conf" for more details on all these options."

(from https://lists.fedoraproject.org/pipermail/server/2014-February/000753.html )

Very much so. This is something Dan and I talked about at DevConf, actually. One of the things we'd probably want to do in each of the various Products is break out our default configurations into a subpackage that be pulled in by the respective Product release package as a way to install differing defaults. NetworkManager was the poster-child for this idea, though I expect there are plenty of other services that could benefit from this as well.

(from https://lists.fedoraproject.org/pipermail/server/2014-February/000754.html)

3. SSH key handling

FreeIPA / OpenLMI integration so root doesn't need a password so when ssh into box on a fresh install you don't need to use passwords can use your SSH key.

  • For machines that are enrolled with FreeIPA, this is already the case. We still need to address the bootstrapping, though: enrolling a machine in the domain or creating the Domain Controller in a fresh environment. Sgallagh (talk) 19:34, 25 February 2014 (UTC)