The server migration is taking a bit longer than expected, but I hope it’s going to get done tonight. While the scripts are doing their work I’m going to write a bit about the changes that will be introduced with this new server.
I’ve been working with the new server since about December of 2009, so about eight months. The project was a bit larger than I imagined at first, but now I think I’ve got all the important pieces the way I want them. Not everything is 100% finished, and I’m sure you are going to find lots of bugs and unexpected behavior, but most of this will be sorted out in the next couple of weeks. I felt I had to do the migration at some point even if everything was not 100% complete, since it would have taken me maybe another year to get everything exactly right 😉 But here we are, and I hope it all goes well. Now something about the new configuration.
I’ve posted about the new server hardware before, and a bit about the general software pieces. It’s running VMware ESXi with a bunch of virtual machines, and the one you will probably use the most is Triton. This server will replace titan as the main SSH server where you run all irssi processes etc. There will also be a file server, a firewall, a mail server, a web server, a domain controller and so on. They’re all running a bunch of different OSes, but I will be sticking to Gentoo on the SSH server Triton.
Every user will have a ZFS filesystem on the file server with a 100MB quota. This is shared between the normal home directory, public_html/website and email account. It’s also compressed on the fly, so if you save lots of text files or logs you can fit a whole lot more than 100MB in there. I think this is a great improvement.
The SSH server Triton is using more features from Grsecurity, most notably the RBAC system. This is an added security layer that will help me sleep better at night 😉 The RBAC policy might need some work: if some commands fail with “permission denied” etc., it might be something I forgot to put in the policy. This will get better in the next couple of weeks as users start using the server and reporting bugs to me.
Another thing I’ve decided to change is the website hosting. I was not completely satisfied with the old solution: it was hard to use with dynamic scripts because of the reverse proxy, and the performance was quite bad. I’ve decided to skip the reverse proxy, and I’m using another method to execute CGI (and PHP) scripts. However, this new solution does require much more resources on the server. Because of this I’ve decided to make web hosting with dynamic scripts an optional part that is only available on “supporter” accounts. These accounts will require some payment, more on that later. Websites with static content will not be affected. I will allow users who have previously had a website with dynamic content to continue hosting them at no cost; email me and I’ll fix it. To not expose scripts with passwords etc., I’ve set the permissions of all public_html directories to 700 so the world cannot read them. Change back to 755 if you want to enable your website.
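The 700/755 choice above protects a whole public_html at the directory level; once a user changes it back to 755, every world-readable file inside (including a config script with a database password) becomes readable by every other local account. The following is an added example, not a script from this server or its author, of the kind of audit an admin can run over a home root to see which public_html directories are currently opened up and which script or config files inside them are world-readable. The home root layout (`<root>/<user>/public_html`) and the file-name patterns are assumptions; the fixture it builds in a temporary directory is constructed for the example.

```shell
#!/bin/sh
# Audit public_html directories under a home root (assumed layout:
# <root>/<user>/public_html). Reports each directory as "enabled"
# (world can read and traverse it, i.e. 755-style) or "private"
# (700-style), and lists world-readable script/config files inside
# an enabled directory, since those are exposed to every local user.

# Print "<user> enabled|private" for every public_html under $1.
list_public_html() {
    root="$1"
    for d in "$root"/*/public_html; do
        [ -d "$d" ] || continue
        user=$(basename "$(dirname "$d")")
        # -perm -005: both the world-read and world-execute bits are set,
        # which is what lets other accounts list and enter the directory.
        if find "$d" -maxdepth 0 -perm -005 | grep -q .; then
            state=enabled
        else
            state=private
        fi
        printf '%s %s\n' "$user" "$state"
    done
}

# List world-readable files in $1 whose names suggest scripts or
# configuration (the pattern list is an assumption; extend as needed).
world_readable_configs() {
    dir="$1"
    find "$dir" -type f -perm -004 \
        \( -name '*.php' -o -name '*.inc' -o -name '*.cgi' \
           -o -name '*.conf' -o -name '*.ini' \)
}

# Build a constructed fixture: alice has opened her site (755) and
# left a 644 config.php in it; bob keeps his public_html at 700.
# Prints the fixture root so callers can audit and then remove it.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/alice/public_html" "$t/bob/public_html"
    echo '<?php $db_pass = "CHANGEME"; ?>' > "$t/alice/public_html/config.php"
    echo 'hello' > "$t/alice/public_html/index.html"
    chmod 755 "$t/alice/public_html"
    chmod 644 "$t/alice/public_html/config.php" "$t/alice/public_html/index.html"
    echo '<?php ?>' > "$t/bob/public_html/app.php"
    chmod 700 "$t/bob/public_html"
    printf '%s\n' "$t"
}

# Usage against a real home root would be:
#   list_public_html /home
#   world_readable_configs /home/alice/public_html
```

On a real system, run `list_public_html` against the actual home root; for each directory reported as enabled, `world_readable_configs` shows the files that other local users can now read, which is the set worth tightening to 640 (readable by the web server's group only) rather than leaving at 644.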
There are lots of other changes too, I’ll keep posting new entries and updating the wiki. But this is it for tonight I think 🙂