Clarification on ca and certificates


Brian Candler

Feb 10, 2017, 9:08:16 AM
to Synnefo
At https://www.synnefo.org/docs/synnefo/latest/install-guide-debian.html#certificate-creation it describes the creation of a CA and signing of a certificate on node1.

Then at the end it says:

"Note You will have to do the same on node2 as well."

Presumably this doesn't mean the whole set of steps, i.e. creating a new CA? But rather, that you'd create a key and cert for node2 on node1, and then copy them to node 2, along with the CA cert?

Regards,

Brian.

Filippos Giannakos

Feb 15, 2017, 9:49:20 AM
to Brian Candler, Synnefo
Hello Brian,
You are right. There is no need to do the exact same process, but rather what you describe.
Maybe this is not properly worded. Could you do a pull request on github, along with the
other documentation issues you’ve mentioned?

Kind Regards,
Filippos
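
The arrangement confirmed in the reply above, as an added example that is not part of the original posts or of the Synnefo guide: one CA is created once, the certificates for both nodes are signed with it, and a certificate issued by a separately created second CA fails to verify against the first. Hostnames, file names, key size and validity periods are assumptions.

```shell
#!/bin/sh
# Added example: hostnames, file names, key size and lifetimes are assumptions.

make_ca() {        # $1 = directory that will hold ca.key and ca.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Synnefo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {     # $1 = CA directory, $2 = node FQDN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

verify_cert() {    # $1 = CA certificate, $2 = node certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    shared=$(mktemp -d); other=$(mktemp -d)
    make_ca "$shared"                      # done once, on node1
    for n in node1.example.com node2.example.com; do
        issue_cert "$shared" "$n"
        verify_cert "$shared/ca.crt" "$shared/$n.crt" && echo "$n: trusted by shared CA"
    done
    # What goes to node2: ca.crt, node2.example.com.crt, node2.example.com.key.
    # ca.key never leaves node1.

    # Repeating the whole procedure on node2 creates an unrelated CA:
    make_ca "$other"
    issue_cert "$other" node2.example.com
    verify_cert "$shared/ca.crt" "$other/node2.example.com.crt" \
        || echo "node2 cert from second CA: rejected by node1's CA"
    rm -rf "$shared" "$other"
}

demo
```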

Brian Candler

Feb 16, 2017, 4:17:34 PM
to Synnefo, b.ca...@pobox.com, phili...@grnet.gr
> Could you do a pull request on github, along with the 
> other documentation issues you’ve mentioned?

OK, but which branch should I work against? The "origin/develop" branch is already being changed for Jessie. Possibly "origin/debian" ?

Regards,

Brian.

Filippos Giannakos

Feb 17, 2017, 4:09:53 AM
to Brian Candler, Synnefo
I’d suggest against origin/develop so the changes will be in the next Synnefo release.

Filippos

Brian Candler

Feb 17, 2017, 7:54:07 AM
to Synnefo, b.ca...@pobox.com, phili...@grnet.gr
> I’d suggest against origin/develop so the changes will be in the next Synnefo release.

I haven't tested the jessie instructions, so some of the "corrections" I make may not be corrections at all.

I'm happy to submit them, but I'd still like to know which branch is the current live website built from?

Filippos Giannakos

Feb 17, 2017, 8:02:01 AM
to Brian Candler, Synnefo
That would be the ‘master’ branch. The ‘debian’ is the ‘master’ branch merged
with the debian folder needed for debian packaging.

I’d still suggest to use the ‘develop’ branch, as the errors you’ve mentioned so far should
not have changed. However if you feel more comfortable against the current branch,
you can choose to do so.

Kind Regards,
Filippos

Brian Candler

Feb 17, 2017, 12:35:55 PM
to Synnefo, b.ca...@pobox.com, phili...@grnet.gr
Submitted both as #391 and #392 (the "drbd8-utils" update had already been fixed in develop for jessie)

I do have some more general suggestions which I don't know if you want to include or not.

The examples for configuration of various things show the "temporary" way of doing them, rather than the way which persists through a reboot, and I think the latter would be better.

* Configuring the nfs client on node2 would be better done by adding a line to /etc/fstab:

203.0.113.1:/srv/archip/ /srv/archip/ nfs defaults 0 0

and then doing "mount /srv/archip"

* Configuring the network would be best done by adding to /etc/network/interfaces:

----
auto eth1
iface eth1 inet manual

auto eth2
iface eth2 inet manual

auto br1
iface br1 inet manual
### node 1 only:
#address 10.0.0.1/24
#post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
bridge_ports eth1
bridge_stp off
bridge_fd 0
bridge_maxwait 0

auto br2
iface br2 inet manual
bridge_ports eth2
bridge_stp off
bridge_fd 0
bridge_maxwait 0
----

and then doing "ifup br1; ifup br2".  Or for vlans, it's identical except replace "eth1" and "eth2" with "eth0.1" and "eth0.2" respectively.

What do you think? I realise these are things that a competent sysadmin could work out for themselves, but it's annoying if you reboot a node and suddenly find a load of stuff which needs to be redone.

Regards,

Brian.

Filippos Giannakos

Feb 20, 2017, 8:46:33 AM
to Brian Candler, Synnefo
It sounds good. The guide indeed takes for granted that the admin can work these things out,
but it sure doesn’t hurt to provide a permanent way of setting them up. Can you create a PR
with everything you think that can be improved? We can comment then on the changes.

Kind Regards,
Filippos