Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade

[Bernie Innocenti]

On Wed, 2011-02-16 at 21:12 +0100, Sylvain Beucler wrote: 
> > A few weeks ago, I upgraded a test Dom0 from Lenny to Squeeze. It required 
> > some fixes to the scripts for configuring the 
> > bridge, but otherwise it seems to be working. There's just one DomU running 
> > on this box, so it was tested very lightly.
> 
> OK.
> What do you generally use for Dom0?

For the new ones, we use Debian Lenny. The older ones are Ubuntu 6.06.

If we were to install a new Dom0 today, we'd probably risk using
Squeeze, but there's no need to upgrade the production ones that been
running working without a glitch for years (one has an uptime of over
1000 days).


> SSH is visible but Debian 5 is still supported for at least a year, so
> no impact on security.

SSH is also not accessible from the public internet on most of our
Dom0s... Colonialone seems to be the only exception.

For improved security, we could limit access to the IPs of people how
need to have access? Regardless of which version of Debian we use, this
would protect us from 0-day exploits and compromised keys.


> It's more a matter of avoiding last minute upgrades, and leveraging
> newer features (iptables TARPIT comes to mind :)).

That's right. The moment we need a feature worth the risk and downtime
of a Dom0 upgrade, then I see no reason to hold back.


> > Whenever you choose to go ahead, I could assist you any day from 10am to 
> > 4pm.
> 
> Does that include going at the colo?

As long as we don't make the machine unbootable, we should be able to
recover it remotely from the serial console.

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/