\section{Services}

\subsection{Web}
\begin{frame}
\frametitle{Apache}
\begin{itemize}
\item Everyone wants Apache
\item Apache's default configuration isn't safe for scripting
\item Scripting \emph{requires} code execution---mod\_php, mod\_perl, mod\_python
\item Apache normally runs everything as apache/nobody
\item How to secure?
\pause
\item suEXEC---allows Apache to spawn a process as the user\ldots
\item {\ldots}even for static content!
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{suEXEC}
\begin{itemize}
\item setuid program
\item Passed the request by Apache
\item Verifies that the script is in the {\tt web\_scripts} directory
\item Switches to the uid of the file and executes
\item Even for static files!
\end{itemize}
\end{frame}
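
The checks listed on the suEXEC frame, sketched in C as an added example (this is not the scripts.mit.edu wrapper or Apache's suexec source). The function names, the sample paths in the comments, and the refusal of root-owned or group/world-writable files are assumptions of this sketch; the slides state only the directory check and the switch to the file's uid.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* realpath(), setgroups() */
#endif
#include <grp.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum verdict { ALLOW, BAD_PATH, OUTSIDE_ROOT, NOT_REGULAR, ROOT_OWNED, OTHERS_CAN_WRITE };

/* Pure prefix test on already-resolved absolute paths. The '/' check stops
 * /mit/u/web_scripts_old (constructed path) passing as a child of /mit/u/web_scripts. */
int inside_root(const char *root, const char *path)
{
    size_t n = strlen(root);
    return n > 0 && strncmp(root, path, n) == 0 && path[n] == '/';
}

/* Ownership and mode policy; the file's own uid/gid become the target identity. */
enum verdict vet_stat(const struct stat *st)
{
    if (!S_ISREG(st->st_mode))              return NOT_REGULAR;
    if (st->st_uid == 0 || st->st_gid == 0) return ROOT_OWNED;       /* assumed extra check */
    if (st->st_mode & (S_IWGRP | S_IWOTH))  return OTHERS_CAN_WRITE; /* assumed extra check */
    return ALLOW;
}

/* Full check: resolve symlinks and ".." before comparing, then stat the result. */
enum verdict vet_target(const char *root, const char *target, struct stat *st)
{
    char rroot[PATH_MAX], rtarget[PATH_MAX];
    if (!realpath(root, rroot) || !realpath(target, rtarget)) return BAD_PATH;
    if (!inside_root(rroot, rtarget))                         return OUTSIDE_ROOT;
    if (lstat(rtarget, st) != 0)                              return BAD_PATH;
    return vet_stat(st);
}

/* Permanent privilege drop: supplementary groups, then gid, then uid.
 * Returns 0 only if root can no longer be regained. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;
}
```

The gap between `vet_target` and the eventual exec is a race window; a production wrapper would hold the file open and re-check it with `fstat` before executing.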

\subsection{Mail}

\begin{frame}[fragile]
\frametitle{Postfix}
\begin{itemize}
\item Standard Postfix server
\item No local mailboxes
\item All mail is passed to procmail
\end{itemize}
\begin{verbatim}mailbox_command = /usr/bin/procmail -t \
    -a "${EXTENSION}" ~/mail_scripts/procmailrc\end{verbatim}
\end{frame}

\begin{frame}[fragile]
\frametitle{procmail}
\begin{itemize}
\item Reads \verb|~/mail_scripts/procmailrc| from user's home directory
\item Users can do whatever they want with messages
\item AFS causes problems---No way to know if failure is temporary (file server is down) or permanent (user isn't signed up for mail scripts)
\item All procmail failures are treated as temporary, so mail is queued
\end{itemize}
\end{frame}

\subsection{Cron (``Shortjobs'')}

\begin{frame}[fragile]
\frametitle{Cron (cronie)}
\begin{itemize}
\item Crontabs are currently stored locally on scripts servers
\item {\tt cronload} command loads the crontabs from
\verb|~/cron_scripts/crontab| \pause
\item Needs improvement
\item Cron does not fail over with Web and Mail
\item Plan to move crontabs into AFS and do hot failover
\end{itemize}
\end{frame}

\subsection{SQL}

\begin{frame}
\frametitle{sql.mit.edu}
Though scripts.mit.edu makes use of sql.mit.edu, it's a separate SIPB service with different maintainers.
\begin{itemize}
\item sql.mit.edu provides MySQL databases to scripts users and anyone else
\item SQL data is stored locally, replicated across multiple servers
\item Nightly backups go into AFS
\end{itemize}
\end{frame}

\subsection{Version control}

\begin{frame}
\frametitle{SVN and Git hosting}
\begin{itemize}
\item New service (September 2008), not well documented
\item svn://\textit{username}.scripts.mit.edu/ and git://\textit{username}.scripts.mit.edu/
\item Uses suEXEC to run a svnserve / git-daemon as the user
\item /mit/\textit{username}/Scripts/\{svn,git\}
\item git:// is read-only, so future plans for svn+ssh:// and git+ssh://
\end{itemize}
\end{frame}