cloyne / network


Install sshd initramfs onto servers with better-initramfs #68

Closed ck2qsuZT closed 7 years ago

ck2qsuZT commented 8 years ago

https://github.com/slashbeast/better-initramfs

If we install an initramfs with an SSH daemon then an admin can SSH into the server even if the server has some issue, like a faulty Debian install =) better-initramfs is also kernel independent so it would stick around even after upgrades.

ck2qsuZT commented 7 years ago

IPMI is better for this, so we should probably just create a VLAN specific to IPMI for security purposes since IPMI is fairly insecure on its own. The router or a Raspberry Pi can then be a gateway into that VLAN through VPN or SSH. We could then have full remote server access (BIOS included) in case of errors while away. We would just have to make absolutely sure it's well secured since IPMI has little to no logging to couple with its weak or non-existent encryption. Also, what about the hypothetical situation of a corrupt network manager having access to servers after, say, being PNGed?

https://www.us-cert.gov/ncas/alerts/TA13-207A
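The comment above proposes two controls: keep the BMCs on a dedicated IPMI VLAN, and turn off the weak authentication and cipher options that the US-CERT alert describes. The script below is an added example, not code from the cloyne/network repository or from the better-initramfs project. It parses text laid out like the output of `ipmitool lan print` and reports where a BMC fails either control. The management prefix `MGMT_VLAN`, the weak and hardened sample outputs, and the function names are constructed for this example.

```python
"""Audit a BMC's LAN channel settings from `ipmitool lan print` style output.

Checks, per the discussion above: the BMC sits on the dedicated management
VLAN, and IPMI's weak options (auth type NONE, RMCP+ cipher suite 0) are off.
"""
import ipaddress

# Assumption: the dedicated IPMI VLAN uses this prefix (constructed value).
MGMT_VLAN = ipaddress.ip_network("10.99.0.0/24")

# Constructed sample modelled on the layout of `ipmitool lan print`,
# showing a BMC on a production subnet with the weak options enabled.
WEAK_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
                        : OEM      : MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 10.0.5.20
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:aa:bb:cc
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
"""

# Constructed sample for the corrected configuration: BMC on the management
# VLAN, auth type NONE removed, only the AES-based suites 3, 8 and 12 enabled.
HARDENED_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
Auth Type Enable        : Callback : MD5 PASSWORD
                        : User     : MD5 PASSWORD
                        : Operator : MD5 PASSWORD
                        : Admin    : MD5 PASSWORD
                        : OEM      : MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 10.99.0.20
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:aa:bb:cc
RMCP+ Cipher Suites     : 3,8,12
Cipher Suite Priv Max   : XXXaXXXXaXXXaXX
"""


def parse_lan_print(text):
    """Return the `key : value` fields plus the auth types per privilege level."""
    fields = {}
    auth_enable = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        key, value = key.strip(), value.strip()
        # 'Auth Type Enable' spans several lines; continuation lines have an
        # empty key and read 'Level : TYPES'.
        if key in ("Auth Type Enable", ""):
            level, _, types = value.partition(" : ")
            auth_enable[level.strip()] = types.split()
        else:
            fields[key] = value
    fields["auth_enable"] = auth_enable
    return fields


def audit(fields, mgmt_vlan=MGMT_VLAN):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. The BMC must live on the dedicated management VLAN, not a server subnet.
    bmc_ip = ipaddress.ip_address(fields["IP Address"])
    if bmc_ip not in mgmt_vlan:
        findings.append(f"BMC {bmc_ip} is not on management VLAN {mgmt_vlan}")
    # 2. Cipher suite 0 provides no authentication, integrity or confidentiality.
    suites = [s for s in fields.get("RMCP+ Cipher Suites", "").split(",") if s]
    if "0" in suites:
        findings.append("RMCP+ cipher suite 0 (no auth/encryption) is enabled")
    # 3. 'Cipher Suite Priv Max' holds one character per suite id; 'X' means
    #    disabled, 'a' admin, etc. Suite 0 (index 0) should be 'X'.
    priv = fields.get("Cipher Suite Priv Max", "")
    if priv and priv[0] != "X":
        findings.append(f"cipher suite 0 allows privilege level '{priv[0]}'")
    # 4. Auth type NONE at any privilege level allows unauthenticated sessions.
    for level, types in fields["auth_enable"].items():
        if "NONE" in types:
            findings.append(f"auth type NONE enabled for {level}")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_LAN_PRINT), ("hardened", HARDENED_LAN_PRINT)):
        print(f"{name}: {audit(parse_lan_print(sample)) or 'OK'}")
```

Run it against the real output of `ipmitool -I lanplus -H <bmc> -U <user> lan print` captured to a file; the parser only relies on the `key : value` layout, so vendor-specific extra lines are ignored.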

mitar commented 7 years ago

I think this can be solved by simply asking a fellow network manager to help you, if one is not around. Also, good documentation can help as well.

Not sure if we really need technical solutions here.

ck2qsuZT commented 7 years ago

¯\_(ツ)_/¯ I can foresee times when this would not be possible. But nothing of ours is probably important enough to not be able to wait for a network manager's return.

mitar commented 7 years ago

I mean, the best would be that servers have the necessary hardware module which gives you access to VGA and keyboard and this is it. It works across machines, and you can log in remotely.

ck2qsuZT commented 7 years ago

Is that something you know exists or is it only theory right now?

ck2qsuZT commented 7 years ago

If it's theory, then better put a license on this GitHub repo or patent the idea, or someone will steal it because America ^_^

mitar commented 7 years ago

This is how you have it in datacenters. :-)

https://en.wikipedia.org/wiki/Out-of-band_management

mitar commented 7 years ago

BTW, if there is no license, then it is copyrighted by default.

mitar commented 7 years ago

BTW, server3 had this card in: http://www.newegg.com/Product/Product.aspx?Item=9SIA5EM2JS7201

If you figure how to use it, maybe we can try. :-)

ck2qsuZT commented 7 years ago

"BTW, if there is no license, then it is copyrighted by default." yay? IPMI seems to be a form of Out-of-band since it does include remote KVM and power on even if the server is off. I'll check it out since I'm mucking around with IPMI right now anyways.

mitar commented 7 years ago

So it depends. But yes, what we want is KVM. Whatever gives it to us.

mitar commented 7 years ago

https://www.supermicro.com/products/nfo/IPMI.cfm

ck2qsuZT commented 7 years ago

Right now I'm mostly just trying to figure out how to use IPMI from a Unix client, but I might not get to it for a while since I have a lot of class work to do right now. After that, I'll look at how to configure server3's specific module, since all the servers with IPMI I'm dealing with have a dedicated IPMI port.

mitar commented 7 years ago

I think the issue is that IPMI is so broad that it can be very limited, or useful.

mitar commented 7 years ago

So, what should we do about this?

ck2qsuZT commented 7 years ago

I can let you know once I've had time to look at IPMI =p It seems like it would work even though it's broad. Either IPMI or better-initramfs: the former can do more and is more industry standard, the latter is easier to use since it's just SSH.

ck2qsuZT commented 7 years ago

IPMI is kind of annoying/insecure; it's industry standard but it also doesn't seem like it has much great reason to be. I had to learn it for my job but I wouldn't really expect most future Cloyne network managers to know/learn it. I wasn't really able to find many hardware options that aren't restrictively expensive, but remote KVM is something to consider more heavily if we do migrate servers to HE. It seems simple enough to have a device with VGA and network input and USB HID output, but this doesn't seem to be very available. I think better-initramfs would be good enough unless I find something better.