What servers/services do we need to bootstrap ourselves

I’d also avoid InfluxDB (why add another tool for metric collection on top of Prometheus?) as I see mentions of data loss.

(I can’t seem to post more than 3 posts in a topic. Would the @moderators mind increasing my trust level?)

cc @MiCruz This is a very simple view.

How do you run services like this without infrastructure to do so?

How do users log in? How do you monitor the servers for issues and make sure they are healthy? Etc.

That is what we are doing. We ARE working on the things you two have mentioned. But we NEED the other things FIRST. Period.


Do random internet users need to login to a koji system, or can it be set up to run with next to no interactions from an ansible playbook until there is a stable “version 8” build?

I want to make it clear that we’re not not working on a build system.

There are people working in tandem to pull sources, including from CentOS, to get an MVP.

We want your comments, totally. Greg started a discussion here that we absolutely want comments on and discussions about. https://github.com/rocky-linux/rocky/discussions/13

I apologize if my comment earlier was short and, well, bad. I can make excuses for it, but at the end of the day, I can and will do better.

I’m working on an infrastructure roadmap right now, and plan to have it out tonight.


Virtualization via https://xcp-ng.org/ provides a very accessible platform. Hope it’s considered when tooling the back end.


Petasan is a great tool to get distributed ceph up and running. This is a great way to provide storage services.

I was purposely being simple. I could only assume other things were happening in tandem (but you know what they say when you assume something…), and I know there are organizational steps that must happen to make sure that as an organization this effort is successful.

To me, all of this sounds like too many nagios alerts just making noise (due to the volume), so I wanted to try and “ground” the requirements to what would be needed for an MVP.

I do know we need auth/monitoring/HA/alerting etc… but I do not think they are needed just to get going. However, knowing that other things are happening elsewhere is good to know.

I’m going to my corner now :wink:

Strongly agree. I’m open to being pitched a solution that is self-hosted, but it’s going to be a REALLY hard sell. For the time being, self-hosting is off the table. We’re just at too early a stage to have an error with something self-hosted and have a bunch of early work lost. God forbid we do some kind of self-hosted secrets management, for example, and have something happen to that and things get lost.

that would be awesome indeed…

just thinking about it… I would say an easy-to-download small container called by a script using podman/buildah should do the trick…

ah … just rambling out loud… forget it… first get things going then start tweaking for maximum performance and lessening the load and maybe after that …

Looking through all this, my fear is that a lot of people are rushing ahead in their excitement and putting the cart before the horse.

Talking about specific storage products and monitoring is all very nice, but what we need for now is the MVP. For now all we need is some sort of issue tracker (github issues?), a wiki (also Github?), repos (Github), and something to build/run stuff (hosted runners for now? perhaps that needs to be dedicated).

A couple of CentOS 8 (until we can dog-food) boxes running Libvirt and/or podman is probably all that is necessary. For now at least.


We’re already doing a lot in GitHub. See: https://github.com/rocky-linux

Hi @nazunalika,

I’ve been installing IPA on CentOS 8.3 today and have had some issues getting it working. I bring this up in case you run into similar ones when installing them for Rocky.

If the CA installation in the ipaserver role times out, try updating using yum update -y. This fixed it for me.

For my replica install, I’m promoting an existing client to be a replica. This isn’t the same as what I think you’re doing, but this is what I’ve ended up with:

# Obtain an admin Kerberos ticket so the ipa commands below are authorised;
# no_log keeps the password out of the Ansible output
- name: Kinit
  command:
    cmd: "kinit admin"
    stdin: "{{ipaadmin_password}}"
  no_log: true
# Add this host to the ipaservers hostgroup before the ipareplica role runs;
# the rescue branch lets the play continue if the host is already a member
- name: Add to ipa servers
  block:
  - command:
      cmd: "ipa hostgroup-add-member ipaservers --hosts {{ansible_fqdn}}"
  rescue:
  - debug:
      msg: "Unable to add to IPA servers, skipping"
# Promote the client to a replica without CA/KRA; those are installed separately below
- name: Install IPA replica
  include_role:
    name: ipareplica
  vars:
    ipareplica_setup_firewalld: false
    ipareplica_setup_kra: false
    ipareplica_setup_ca: false
  tags: ipa-replica
# Install the CA first, then the KRA; 'creates' makes each step idempotent
- name: Install CA
  command:
    cmd: "ipa-ca-install"
    stdin: "{{ipaadmin_password}}"
    creates: "/var/log/ipareplica-ca-install.log"
- name: Install KRA
  command:
    cmd: "ipa-kra-install"
    stdin: "{{ipaadmin_password}}"
    creates: "/var/log/ipaserver-kra-install.log"

The main takeaways are that (for me at least) the KRA install doesn’t work from the ipareplica role and I have to add the replica to the ipaservers hostgroup before trying the replica install to avoid it exploding on the task: “ipareplica : Install - Add to ipaservers”.

I’ve ended up installing the CA and then KRA as (on CentOS 8.2) I wasn’t able to make the KRA install work unless I installed the CA separately.

Fingers crossed your luck is better than mine.

All tests I run are on fully updated CentOS 8.3 systems. I am unable to reproduce your issue with the domain (replicas). Everything works for me.

My tests are following the recommended specs from the IPA documentation.

CPU: 1 or 2 cores
RAM: 4GB
Storage: 10G for /var/lib/dirsrv

Playbook logs

[ansible@ipa001 ansible]$ ansible-playbook -i inventory/ipainventory playbooks/role-rocky-ipa.yml  --ask-vault-pass
Vault password:

PLAY [Configure IPA server] ****************************************************

TASK [Gathering Facts] *********************************************************
ok: [ipa001.rockylinux.org]

TASK [Check if ansible cannot be run here] *************************************
ok: [ipa001.rockylinux.org]

TASK [Verify if we can run ansible] ********************************************
ok: [ipa001.rockylinux.org] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Ensure 'dns=none' is set for Network Manager to avoid change] ************
ok: [ipa001.rockylinux.org]

TASK [ipaserver : Import variables specific to distribution] *******************
ok: [ipa001.rockylinux.org] => (item=/usr/share/ansible/roles/ipaserver/vars/CentOS-8.yml)

TASK [ipaserver : Install IPA server] ******************************************
included: /usr/share/ansible/roles/ipaserver/tasks/install.yml for ipa001.rockylinux.org

TASK [ipaserver : Install - Ensure that IPA server packages are installed] *****
ok: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Ensure that IPA server packages for dns are installed] ***
ok: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Ensure that IPA server packages for adtrust are installed] ***
skipping: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Ensure that firewall packages installed] ***********
ok: [ipa001.rockylinux.org]

TASK [ipaserver : Firewalld service - Ensure that firewalld is running] ********
ok: [ipa001.rockylinux.org]

TASK [ipaserver : include_tasks] ***********************************************
skipping: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Server installation test] **************************
ok: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Master password creation] **************************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Use new master password] ***************************
ok: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Server preparation] ********************************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Setup NTP] *****************************************
skipping: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Setup DS] ******************************************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Setup KRB] *****************************************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Setup custodia] ************************************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Setup CA] ******************************************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Copy /root/ipa.csr to "ipa001.rockylinux.org-ipa.csr"] *******
skipping: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Setup otpd] ****************************************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Setup HTTP] ****************************************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Setup KRA] *****************************************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Setup DNS] *****************************************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Setup ADTRUST] *************************************
skipping: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Set DS password] ***********************************
changed: [ipa001.rockylinux.org]

TASK [Install - Setup client] **************************************************

TASK [ipaclient : Import variables specific to distribution] *******************
ok: [ipa001.rockylinux.org] => (item=/usr/share/ansible/roles/ipaclient/vars/CentOS-8.yml)

TASK [ipaclient : Install IPA client] ******************************************
included: /usr/share/ansible/roles/ipaclient/tasks/install.yml for ipa001.rockylinux.org

TASK [ipaclient : Install - Ensure that IPA client packages are installed] *****
ok: [ipa001.rockylinux.org]

TASK [Install - Set ipaclient_servers] *****************************************
skipping: [ipa001.rockylinux.org]

TASK [Install - Set ipaclient_servers from cluster inventory] ******************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Check that either principal or keytab is set] ******
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Set default principal if no keytab is given] *******
ok: [ipa001.rockylinux.org]

TASK [ipaclient : Install - IPA client test] ***********************************
ok: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Cleanup leftover ccache] ***************************
ok: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Configure NTP] *************************************
ok: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Make sure One-Time Password is enabled if it's already defined] ***
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Disable One-Time Password for on_master] ***********
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Test if IPA client has working krb5.keytab] ********
ok: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Disable One-Time Password for client with working krb5.keytab] ***
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Keytab or password is required for getting otp] ****
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Get One-Time Password for client enrollment] *******
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Report error for OTP generation] *******************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Store the previously obtained OTP] *****************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Store predefined OTP in admin_password] **********************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Check if principal and keytab are set] *************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Check if one of password or keytabs are set] *******
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Purge ROCKYLINUX.ORG from host keytab] *************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Backup and set hostname] ***************************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Join IPA] ******************************************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : fail] ********************************************************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : fail] ********************************************************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : fail] ********************************************************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Configure IPA default.conf] ************************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Configure SSSD] ************************************
changed: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Configure krb5 for IPA realm] **********************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - IPA API calls for remaining enrollment parts] ******
changed: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Fix IPA ca] ****************************************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Create IPA NSS database] ***************************
changed: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Configure SSH and SSHD] ****************************
changed: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Configure automount] *******************************
changed: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Configure firefox] *********************************
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Configure NIS] *************************************
changed: [ipa001.rockylinux.org]

TASK [ipaclient : Install - Restore original admin password if overwritten by OTP] ***
skipping: [ipa001.rockylinux.org]

TASK [ipaclient : Cleanup leftover ccache] *************************************
ok: [ipa001.rockylinux.org]

TASK [ipaclient : Uninstall IPA client] ****************************************
skipping: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Enable IPA] ****************************************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Cleanup root IPA cache] ****************************
ok: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Configure firewalld] *******************************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Install - Configure firewalld runtime] ***********************
changed: [ipa001.rockylinux.org]

TASK [ipaserver : Cleanup temporary files] *************************************
ok: [ipa001.rockylinux.org] => (item=/etc/ipa/.tmp_pkcs12_dirsrv)
ok: [ipa001.rockylinux.org] => (item=/etc/ipa/.tmp_pkcs12_http)
ok: [ipa001.rockylinux.org] => (item=/etc/ipa/.tmp_pkcs12_pkinit)

TASK [ipaserver : Uninstall IPA server] ****************************************
skipping: [ipa001.rockylinux.org]

TASK [Touching run file that ansible has ran here] *****************************
changed: [ipa001.rockylinux.org]

PLAY RECAP *********************************************************************
ipa001.rockylinux.org      : ok=43   changed=20   unreachable=0    failed=1    skipped=31   rescued=0    ignored=0

[ansible@ipa001 ansible]$ ansible-playbook -i inventory/ipainventory playbooks/role-rocky-ipa-replica.yml  --ask-vault-pass
Vault password:

PLAY [Configure IPA server] ****************************************************

TASK [Gathering Facts] *********************************************************
ok: [ipa002.rockylinux.org]

TASK [Check if ansible cannot be run here] *************************************
ok: [ipa002.rockylinux.org]

TASK [Verify if we can run ansible] ********************************************
ok: [ipa002.rockylinux.org] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Ensure 'dns=none' is set for Network Manager] ****************************
changed: [ipa002.rockylinux.org]

TASK [Ensure resolv.conf is pointing to main master] ***************************
changed: [ipa002.rockylinux.org]

RUNNING HANDLER [reload_networkmanager] ****************************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Import variables specific to distribution] ******************
ok: [ipa002.rockylinux.org] => (item=/usr/share/ansible/roles/ipareplica/vars/CentOS-8.yml)

TASK [ipareplica : Install IPA replica] ****************************************
included: /usr/share/ansible/roles/ipareplica/tasks/install.yml for ipa002.rockylinux.org

TASK [ipareplica : Install - Ensure IPA replica packages are installed] ********
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Ensure IPA replica packages for dns are installed] ***
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Ensure IPA replica packages for adtrust are installed] ***
skipping: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Ensure that firewall packages installed] **********
ok: [ipa002.rockylinux.org]

TASK [ipareplica : Firewalld service - Ensure that firewalld is running] *******
ok: [ipa002.rockylinux.org]

TASK [Install - Set ipareplica_servers] ****************************************
ok: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Set default principal if no keytab is given] ******
skipping: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Replica installation test] ************************
ok: [ipa002.rockylinux.org]

TASK [Install - Setup client] **************************************************

TASK [ipaclient : Import variables specific to distribution] *******************
ok: [ipa002.rockylinux.org] => (item=/usr/share/ansible/roles/ipaclient/vars/CentOS-8.yml)

TASK [ipaclient : Install IPA client] ******************************************
included: /usr/share/ansible/roles/ipaclient/tasks/install.yml for ipa002.rockylinux.org

TASK [ipaclient : Install - Ensure that IPA client packages are installed] *****
ok: [ipa002.rockylinux.org]

TASK [Install - Set ipaclient_servers] *****************************************
skipping: [ipa002.rockylinux.org]

TASK [Install - Set ipaclient_servers from cluster inventory] ******************
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Check that either principal or keytab is set] ******
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Set default principal if no keytab is given] *******
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - IPA client test] ***********************************
ok: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Cleanup leftover ccache] ***************************
ok: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Configure NTP] *************************************
changed: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Make sure One-Time Password is enabled if it's already defined] ***
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Disable One-Time Password for on_master] ***********
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Test if IPA client has working krb5.keytab] ********
ok: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Disable One-Time Password for client with working krb5.keytab] ***
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Keytab or password is required for getting otp] ****
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Get One-Time Password for client enrollment] *******
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Report error for OTP generation] *******************
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Store the previously obtained OTP] *****************
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Store predefined OTP in admin_password] **********************
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Check if principal and keytab are set] *************
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Check if one of password or keytabs are set] *******
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Purge ROCKYLINUX.ORG from host keytab] *************
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Backup and set hostname] ***************************
changed: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Join IPA] ******************************************
changed: [ipa002.rockylinux.org]

TASK [ipaclient : fail] ********************************************************
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : fail] ********************************************************
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : fail] ********************************************************
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Configure IPA default.conf] ************************
changed: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Configure SSSD] ************************************
changed: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Configure krb5 for IPA realm] **********************
changed: [ipa002.rockylinux.org]

TASK [ipaclient : Install - IPA API calls for remaining enrollment parts] ******
changed: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Fix IPA ca] ****************************************
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Create IPA NSS database] ***************************
changed: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Configure SSH and SSHD] ****************************
changed: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Configure automount] *******************************
changed: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Configure firefox] *********************************
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Configure NIS] *************************************
changed: [ipa002.rockylinux.org]

TASK [ipaclient : Install - Restore original admin password if overwritten by OTP] ***
skipping: [ipa002.rockylinux.org]

TASK [ipaclient : Cleanup leftover ccache] *************************************
ok: [ipa002.rockylinux.org]

TASK [ipaclient : Uninstall IPA client] ****************************************
skipping: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Configure firewalld] ******************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Configure firewalld runtime] **********************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Replica preparation] ******************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Add to ipaservers] ********************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Create dirman password] ***************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Set dirman password] ******************************
ok: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Setup certmonger] *********************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Install CA certs] *********************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Setup DS] *****************************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Create IPA conf] **********************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Setup KRB] ****************************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Create override IPA conf] *************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - DS enable SSL] ************************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Setup http] ***************************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Create original IPA conf again] *******************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Setup otpd] ***************************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Setup custodia] ***********************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Setup CA] *****************************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - KRB enable SSL] ***********************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - DS apply updates] *********************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Setup kra] ****************************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Restart KDC] **************************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Custodia import dm password] **********************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Promote SSSD] *************************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Promote openldap.conf] ****************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Setup DNS] ****************************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Setup adtrust] ************************************
skipping: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Enable IPA] ***************************************
changed: [ipa002.rockylinux.org]

TASK [ipareplica : Install - Cleanup root IPA cache] ***************************
ok: [ipa002.rockylinux.org]

TASK [ipareplica : Cleanup temporary files] ************************************
ok: [ipa002.rockylinux.org] => (item=/etc/ipa/.tmp_pkcs12_dirsrv)
ok: [ipa002.rockylinux.org] => (item=/etc/ipa/.tmp_pkcs12_http)
ok: [ipa002.rockylinux.org] => (item=/etc/ipa/.tmp_pkcs12_pkinit)

TASK [ipareplica : Uninstall IPA replica] **************************************
skipping: [ipa002.rockylinux.org]

TASK [Touching run file that ansible has ran here] *****************************
changed: [ipa002.rockylinux.org]

PLAY RECAP *********************************************************************
ipa002.rockylinux.org      : ok=62   changed=43   unreachable=0    failed=0    skipped=26   rescued=0    ignored=0

Here’s the server report:

[ansible@ipa001 ansible]$ ipa server-show ipa001.rockylinux.org
  Server name: ipa001.rockylinux.org
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: CA server, DNS server, IPA master, KRA server
[ansible@ipa001 ansible]$ ipa server-show ipa002.rockylinux.org
  Server name: ipa002.rockylinux.org
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: CA server, DNS server, IPA master, KRA server
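As an added check, not part of the original post or of the Rocky Linux playbooks: a small Python script that reads the PLAY RECAP lines and the `ipa server-show` output quoted above, flags any host whose run had failed or unreachable tasks, and reports any server that lacks the CA, KRA or IPA master role the replica posts are trying to obtain. The role set in `REQUIRED_ROLES` is an assumption; adjust it to what your deployment expects.

```python
import re

# PLAY RECAP lines copied from the two playbook runs quoted above
RECAP_LINES = """
ipa001.rockylinux.org      : ok=43   changed=20   unreachable=0    failed=1    skipped=31   rescued=0    ignored=0
ipa002.rockylinux.org      : ok=62   changed=43   unreachable=0    failed=0    skipped=26   rescued=0    ignored=0
""".strip().splitlines()

# `ipa server-show` output for both servers, copied from the server report above
SERVER_SHOW = """
  Server name: ipa001.rockylinux.org
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: CA server, DNS server, IPA master, KRA server
  Server name: ipa002.rockylinux.org
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: CA server, DNS server, IPA master, KRA server
"""

# Roles every server in this domain is expected to carry (assumption for this example)
REQUIRED_ROLES = {"CA server", "KRA server", "IPA master"}

# host : ok=N changed=N unreachable=N failed=N skipped=N rescued=N ignored=N
RECAP_RE = re.compile(r"^(?P<host>\S+)\s*:\s*(?P<counts>(?:\w+=\d+\s*)+)$")


def parse_recap(lines):
    """Return {host: {counter_name: int}} from Ansible PLAY RECAP lines."""
    result = {}
    for line in lines:
        m = RECAP_RE.match(line.strip())
        if not m:
            continue  # not a recap line (blank, banner, etc.)
        counts = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group("counts"))}
        result[m.group("host")] = counts
    return result


def failed_hosts(recap):
    """Hosts whose run had failed or unreachable tasks; such a run must not be
    treated as a working install even if the later tasks reported 'changed'."""
    return sorted(h for h, c in recap.items()
                  if c.get("failed", 0) or c.get("unreachable", 0))


def parse_server_show(text):
    """Return {server_name: set(enabled roles)} from concatenated `ipa server-show` output."""
    servers = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server name:"):
            current = line.split(":", 1)[1].strip()
            servers[current] = set()
        elif line.startswith("Enabled server roles:") and current:
            roles = line.split(":", 1)[1]
            servers[current] = {r.strip() for r in roles.split(",") if r.strip()}
    return servers


def missing_roles(servers, required=REQUIRED_ROLES):
    """Map each server to the required roles it lacks; an empty set means fully promoted."""
    return {name: required - roles for name, roles in servers.items()}


if __name__ == "__main__":
    recap = parse_recap(RECAP_LINES)
    for host in failed_hosts(recap):
        print(f"{host}: failed={recap[host]['failed']} unreachable={recap[host]['unreachable']}, check the task log")
    for name, missing in missing_roles(parse_server_show(SERVER_SHOW)).items():
        status = "ok" if not missing else "missing " + ", ".join(sorted(missing))
        print(f"{name}: {status}")
```

On the recap lines above it reports ipa001.rockylinux.org (failed=1) for a closer look at the task log, while both servers carry all three required roles.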

Have a look at what ClearOS is doing here: http://mirror2-frankfurt.clearos.com/clearos/7.7.2.280072/infra/x86_64/RPMS/

ClearOS rebuilds RHEL from sources just like Centos does. They call it ClearOS Core. ClearOS uses github. The developer who set it all up is named Shad Lords. You should be able to find some contact information for him on the ClearOS site. I’m sure he could give some pointers and advice.

Update: https://www.clearos.com/clearos-professional/2-features/273-clearfoundation-team

https://wiki.centos.org/action/show/Manuals/ReleaseNotes/CentOS8.2011#Packages_and_Applications - This is also of use. This lists the packages that get de-branded before rebuild for CentOS. We are actually still discussing this in the slack and are still coming up with a plan to tackle this.

For monitoring look at something simple on the front end like LibreNMS. It can feed data into Grafana via InfluxDB or Prometheus if you want a fancy dashboard. And it has a ton of alerting options for when things aren’t running right.

If you want to “stitch” multiple systems together to form an infrastructure, take a look at using tinc for a true mesh type VPN. Setup is pretty simple and in the true mesh config, if a system can’t talk to something directly it will route it via another node.

SaltStack is a good option for management and with the reactor it has it does orchestration and event management. It is written in python and uses jinja templates for a lot of stuff. VMWare just acquired them, but there is a community edition of salt that is available that works well.

For log management, I’d recommend Graylog since it takes a lot of the pieces from the ELK stack and combines them with some good event management and alerting features out of the box. It has some reporting features with dashboards, but you can always throw in Kibana if you want better dashboards for things.

For a good HV, look at Proxmox VE. Subscriptions aren’t required and you get all the features without one. The subscription is for updates. It can do live migrations, HA, ceph, etc.

I’d also recommend a mailing list for those who don’t want to use Discourse and prefer announcements via email. Mailman 2 comes to mind.

Just a few suggestions.

For the configuration management, we have already decided on AWX/Ansible alongside other tooling. We are currently emulating, as closely as possible, the CentOS and Fedora projects, who use ansible to stand up and operate their infrastructure. This part is important to us. Currently, our contributors and some of the leadership have more experience in Ansible, and thus it was the chosen tool to handle infrastructure and beyond. This isn’t to say saltstack is bad (it isn’t, I used to maintain it at another job in a past life), we just made the choice to stick with Ansible as we have a lot of resources to bring it together.

We know we need a mail list, this is a big thing for us. This is on our list of things to do. We have someone setting up a mailkitty3/mailman playbook for us that we’ll merge into the infra git. However, I believe we’ll keep this forum around for end-user support for people who do not want to use a mail list or even visit IRC at any time, whilst also having the mail list. The mail list is definitely an important part of an open source project.


Good points. Makes sense to try to mirror the “source” as closely as possible when first standing up.

As for the forum/mailing list, I’ve found from being involved in another project (wiki.allstarlink.org) that while a forum is good, not everyone will want to use it and instead you will have a good chunk of users opt to strictly use a mailing list instead.

I do recommend that if both are kept up that you look at doing a tie-in/sync between certain mailing list groups and forums here. It will help a lot with participation between those who hate mailing lists and like forums, and those who hate forums and like mailing lists.