Skip to content
Snippets Groups Projects
  1. Feb 12, 2020
    • McConahy, Renee Margaret's avatar
      Vagrantfile: Use VBox's linked clones. · 33022f10
      McConahy, Renee Margaret authored
      This reduces the time and space required to spin up a new VM.
      33022f10
    • McConahy, Renee Margaret's avatar
      Generate development passwords. · 6157983e
      McConahy, Renee Margaret authored
      I see little risk in using known passwords here, but it's such a bad
      practice that I'd rather avoid it entirely.
      
      (The worst case I can imagine is that a malicious process running on the
      developer's workstation would be able to manipulate the configuration.)
      6157983e
    • McConahy, Renee Margaret's avatar
      Shut down LOCKSS stack before loading secrets. · 61734a10
      McConahy, Renee Margaret authored
      Docker secrets cannot be changed (at least through the Ansible module)
      while their are in use.
      
      This breaks idempotency.
      61734a10
    • McConahy, Renee Margaret's avatar
      Add documentation. · 9734ce8a
      McConahy, Renee Margaret authored
      9734ce8a
    • McConahy, Renee Margaret's avatar
      Remove firewall tasks. · 9398f92b
      McConahy, Renee Margaret authored
      Ordinary firewall filtering rules, placed in iptables's "INPUT" chain in
      the "filter" table, aren't applied to Docker's ingress traffic, which is
      redirected ("NATted") to Docker's interface by the "PREROUTING" chain in
      the "nat" table. Hence, the rules pretending to allow LOCKSS management
      traffic from trusted hosts are superfluous and misleading: traffic to
      those ports is instead restricted by LOCKSS according to its
      "LOCKSS_ACCESS_SUBNET" variable.
      
      I could write rules to filter Docker's ingress traffic, but I would
      rather not take the time--I would need to take care that they were
      always given priority over Docker's rules, even when Docker were
      restarted--and LOCKSS's own handling of matters ought to be sufficient
      for now.
      
      With that, the base firewall rules (enabling a default-deny ingress
      policy with an exception for ssh) seem out of scope for this role.
      9398f92b
    • McConahy, Renee Margaret's avatar
      Make minor stylistic changes. · 1df60fea
      McConahy, Renee Margaret authored
      - Vagrantfile: Correct the path to the parsed YAML file. (This caused
        'vagrant global-status' to fail when called from outside the project's
        directory.)
      
      - Vagrantfile: As we do not use it, disable the default sharing of the
        project's directory with the VMs.
      
      - lockss: Use /tmp as temporary directory.
      
      - Other trivialities.
      1df60fea
  2. Feb 11, 2020
  3. Jan 28, 2020
  4. Jan 24, 2020
  5. Jan 17, 2020
Loading