staging environment discussion

Mike McGrath mmcgrath at redhat.com
Fri Sep 5 21:47:51 UTC 2008


On Fri, 5 Sep 2008, Stephen John Smoogen wrote:
> there is also a combination of #1 and #2. Basically you have to create
> 3-4 separate network topologies (this is where you have different
> configs), and maybe have your bastion/proxy systems different.
>
>            Name            Network
> Network A: Development  -- 10.10.0.0/21
>              Servers      -- 10.10.0.0/22
>              NFS          -- 10.10.4.0/22
> Network B: QA           -- 10.10.8.0/21
>              Servers      -- 10.10.8.0/22
>              NFS          -- 10.10.12.0/22
> Network C: Staging      -- 10.10.16.0/21
>              Servers      -- 10.10.16.0/22
>              NFS          -- 10.10.20.0/22
> Network D: Production   -- 10.10.24.0/21
>              Servers      -- 10.10.24.0/22
>              NFS          -- 10.10.28.0/22
> Network E: Management   -- 10.10.32.0/20
>              Puppet       -- 10.10.32.0/21
>              Drac/Serial  -- 10.10.48.0/21
> Network F: Bastion Network
>
> [Ok I would love to have done this when I was at RH... but didn't
> really see it in action til later.]
>
> Basically a box would have 3-4 network connections. The puppet and
> drac/serial networks are on all systems so have to be extra protected
> as that is where an attacker could walk from system to system. The
> bastion network is basically the front end that would do rewrites and
> other layers so that configs are the same.
>
> And yes, this might be overkill and probably has holes in it.. I am
> doing it from memory on how a site seemed to be set up and had
> basically little downtime for critical HR services.
>

We are actually looking to get more network separation in place but right
now that's slow and is going to involve the buildsystem first.  But at some
point in the not too distant future I would like to separate stg and
production environments.

	-Mike
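
An added example, not part of the original thread: a Python check, using the standard ipaddress module, that every sub-range in the address plan quoted above sits inside its parent network and that no two environments overlap. The PLAN layout and the check_plan name are illustrative assumptions; the CIDR values are transcribed from the quoted table.

```python
import ipaddress

# Address plan transcribed from the quoted table: (segment, parent CIDR, {sub-range: CIDR}).
PLAN = [
    ("Development", "10.10.0.0/21", {"Servers": "10.10.0.0/22", "NFS": "10.10.4.0/22"}),
    ("QA", "10.10.8.0/21", {"Servers": "10.10.8.0/22", "NFS": "10.10.12.0/22"}),
    ("Staging", "10.10.16.0/21", {"Servers": "10.10.16.0/22", "NFS": "10.10.20.0/22"}),
    ("Production", "10.10.24.0/21", {"Servers": "10.10.24.0/22", "NFS": "10.10.28.0/22"}),
    ("Management", "10.10.32.0/20", {"Puppet": "10.10.32.0/21", "Drac/Serial": "10.10.48.0/21"}),
]


def check_plan(plan):
    """Return findings: sub-ranges outside their parent, and overlapping ranges."""
    findings = []
    parents = []
    for segment, cidr, children in plan:
        # ip_network() is strict by default and raises ValueError if host bits are set.
        parent = ipaddress.ip_network(cidr)
        parents.append((segment, parent))
        nets = [(name, ipaddress.ip_network(c)) for name, c in children.items()]
        for name, net in nets:
            if not net.subnet_of(parent):
                findings.append(f"{segment}/{name} {net} is outside {parent}")
        # Sub-ranges of one segment must not overlap each other.
        for i, (a, na) in enumerate(nets):
            for b, nb in nets[i + 1:]:
                if na.overlaps(nb):
                    findings.append(f"{segment}/{a} {na} overlaps {segment}/{b} {nb}")
    # Environments must not share address space, or ACLs keyed on CIDR stop separating them.
    for i, (a, na) in enumerate(parents):
        for b, nb in parents[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"{a} {na} overlaps {b} {nb}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
    # prints: Management/Drac/Serial 10.10.48.0/21 is outside 10.10.32.0/20
```

Running a check like this before turning a plan into firewall rules catches ranges that a parent-network ACL would silently not cover.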



