Questions regarding Security, SystemD and misc.

[Julian Brown]

Howdy

I am getting ready to start another project and am going to use Bedrock.   When it goes live, I want to deploy to AWS or similar, and have a bedrock server on each website and the bedrocks would do the replications.

For security I can have the "clients" connect to the local bedrock and use the AWS firewall to prevent other machines to connect to that bedrock.    So does the "nodeList" act as security between the bedrock servers?   In other words a bedrock server would only accept a connection from one of the bedrock servers it has in the "nodeList"?

Do you know if anyone has developed a SystemD service file for Bedrock? If not I will work on one for my system, and publish it.  I want Bedrock to come up with the system.

If I add a Bedrock "node" to the cluster, I guess I have to restart each Bedrock node with an updated list of other nodes?

Is their a PR, Feature Request or other to add a "config" file that would have all the command line information in it?  If not I can later create a PR that would do that.

Thanx

Julian

[David Barrett]

Hello, and happy new year!  Sorry for the delayed response.  Answers inline:

On Sat, Dec 30, 2017 at 12:43 PM, Julian Brown <jlb...@gmail.com> wrote:

I am getting ready to start another project and am going to use Bedrock.   When it goes live, I want to deploy to AWS or similar, and have a bedrock server on each website and the bedrocks would do the replications.

Perfect!

 

For security I can have the "clients" connect to the local bedrock and use the AWS firewall to prevent other machines to connect to that bedrock.    So does the "nodeList" act as security between the bedrock servers?   In other words a bedrock server would only accept a connection from one of the bedrock servers it has in the "nodeList"?

That's correct.

 

Do you know if anyone has developed a SystemD service file for Bedrock? If not I will work on one for my system, and publish it.  I want Bedrock to come up with the system.

Hm, we have our own /etc/init.d/bedrock script, but it's configured with our own system configuration and thus not directly reusable.  I'm happy to clean it up and share it if you'd find it helpful.

 

If I add a Bedrock "node" to the cluster, I guess I have to restart each Bedrock node with an updated list of other nodes?

That's correct, it's not really designed for dynamically adding nodes (a requirement that looks sexy in theory but is almost never needed in practice).  That said, not all nodes need to agree on who participates in the cluster, and thus you can add nodes dynamically by hand without overall cluster downtime by just manually configuring one node at a time to use the new cluster definition.  There will be some messiness temporarily as the new node you are adding will initially be refused by the rest of the cluster, but as you reconfigure each of the original nodes one by node, the new node will gradually be welcomed.

 

Is their a PR, Feature Request or other to add a "config" file that would have all the command line information in it?  If not I can later create a PR that would do that.

We haven't done that, and I personally would prefer not to because it brings up all sorts of questions about the format of that config file, whitespace handling, commenting, templating, etc.  Should it be YAML?  JSON?  Something  custom?  Can it access environment variables?  Etc, etc.  In this age of configuration management (we use Salt, but the same principle works with Puppet, Ansible, etc), I recommend just using the extremely robust templating capabilities that already exist to generate the appropriate /etc/init.d/bedrock (or whatever you prefer) file with the correct command line arguments.  This way it's really clear when running `ps aux` exactly how it's configured -- which has saved us countless times when in the midst of a complex administrative task and it's not totally clear if the server process was restarted.   Regardless, I recognize this is a pretty polarizing topic, but that's my take for what it's worth!

Thanks for the questions, and feel free to chat here if you want to discuss in realtime! https://gitter.im/Expensify-Bedrock/Lobby

-david

Founder and CEO of Expensify