--- /dev/null
+[[!meta author="Martin Zobel-Helas"]]
+
+We are re-purposing raff.debian.org as a new security mirror to be
+shipped to South America. The raff.debian.org most of you have used as
+[buildd.debian.org](http://buildd.debian.org) in the past will cease to exist in the near future.
+
+raff.debian.org will cease acting as a dns server for the debian.org
+zone in a few days, therfore we will add two new hosts, senfl.d.o and
+ravel.d.o.
+
+All other services formerly hosted on raff.d.o should have been already
+moved by now, we just want to encourage those of you who had a login on
+raff, to backup your home directory if you care of the data stored there,
+as we will not move that.
+
+Current plan is to shut down current raff by end of the year (so in about
+7 days).
--- /dev/null
+[[!meta author="Martin Zobel-Helas"]]
+
+The Debian Project currently runs about [100 machines](http://db.debian.org/machines.cgi) all over the
+world with different services. Those are mainly managed by the [Debian
+System Administration team](http://wiki.debian.org/Teams/DSA). For central configuration management we
+use [Puppet](http://reductivelabs.com/products/puppet/).
+The Puppet config we use is publicly available [here](http://git.debian.org/?p=mirror/dsa-puppet.git).
+
+Our next goal is to have a more or less central configuration of our
+iptables rules on all those machines. Some of the machines have
+home-brewed firewall scripts, some use ferm.
+
+
+Your mission, if you choose to accept it, is to provide us with a new
+dsa-puppet git branch with a module "ferm" that we can roll out to all
+our hosts.
+
+It might want to use information from the other puppet modules like
+"apache2_security_mirror" or "buildd" to decide which incoming traffic
+should be allowed.
+
+DSA will of course provide you with all necessary further information.
--- /dev/null
+== Swarm Kernels ==
+
+Aurelien Jarno provided a patch to build kernels for our swarm boxes.
+
+Here are instructions to build a 2.6.32 mipsel kernel. This can be
+easily adapted to other versions and/or mips.
+
+* tar -xvjf linux-2.6.32.tar.bz2
+* cd linux-2.6.32/
+* cat ../[[swarm_ide.2.6.31.patch|swarm_ide.2.6.31.patch]] | patch -p1
+* cp ../config-2.6.32-mipsel-swarm .config
+* fakeroot make-kpkg --append-to-version "-mipsel-swarm" --revision 1
+* kernel_image
--- /dev/null
+diff --git a/arch/mips/include/asm/cacheflush.h b/arch/mips/include/asm/cacheflush.h
+index 03b1d69..d32f12a 100644
+--- a/arch/mips/include/asm/cacheflush.h
++++ b/arch/mips/include/asm/cacheflush.h
+@@ -37,6 +37,7 @@ extern void (*flush_cache_range)(struct vm_area_struct *vma,
+ unsigned long start, unsigned long end);
+ extern void (*flush_cache_page)(struct vm_area_struct *vma, unsigned long page, unsigned long pfn);
+ extern void __flush_dcache_page(struct page *page);
++extern void __flush_icache_page(struct vm_area_struct *vma, struct page *page);
+
+ static inline void flush_dcache_page(struct page *page)
+ {
+@@ -57,11 +58,6 @@ static inline void flush_anon_page(struct vm_area_struct *vma,
+ __flush_anon_page(page, vmaddr);
+ }
+
+-static inline void flush_icache_page(struct vm_area_struct *vma,
+- struct page *page)
+-{
+-}
+-
+ extern void (*flush_icache_range)(unsigned long start, unsigned long end);
+ extern void (*local_flush_icache_range)(unsigned long start, unsigned long end);
+
+@@ -94,6 +90,13 @@ extern void (*flush_icache_all)(void);
+ extern void (*local_flush_data_cache_page)(void * addr);
+ extern void (*flush_data_cache_page)(unsigned long addr);
+
++static inline void flush_icache_page(struct vm_area_struct *vma,
++ struct page *page)
++{
++ __flush_icache_page(vma, page);
++}
++
++
+ /*
+ * This flag is used to indicate that the page pointed to by a pte
+ * is dirty and requires cleaning before returning it to the user.
+diff --git a/arch/mips/mm/cache.c b/arch/mips/mm/cache.c
+index 694d51f..9214d6b 100644
+--- a/arch/mips/mm/cache.c
++++ b/arch/mips/mm/cache.c
+@@ -95,6 +95,14 @@ void __flush_dcache_page(struct page *page)
+
+ EXPORT_SYMBOL(__flush_dcache_page);
+
++void __flush_icache_page(struct vm_area_struct *vma, struct page *page)
++{
++ if (vma->vm_flags & VM_EXEC)
++ flush_icache_range((unsigned long) page_address(page), PAGE_SIZE);
++}
++
++EXPORT_SYMBOL(__flush_icache_page);
++
+ void __flush_anon_page(struct page *page, unsigned long vmaddr)
+ {
+ unsigned long addr = (unsigned long) page_address(page);
* [[howto/install-kvm]]: How to setup a new kvm domain without going through d-i etc.
* [[howto/postgres]]: Random postgres stuff
* [[howto/add-guest]]: How to add guests to ud-ldap
+* [[howto/swarm-kernel]]: How to build kernels for our swarm boxes
## ports
* service domain aliases files
* service domains whitelists/blacklists/neverusers/RBLs
-== make dns auto update on shutdowns ==
-
-one day, when all these dynamic things are in their own dns, we imagine we
-would just do shutdown -r 60 kernel and a nagios check or something will remove
-the node from DNS automatically
-
+== puppet poneys ==
+=== make security.debian.org deployment fully automated ===
+* includes correct rsyncd.conf via xinetd
+* includes correct apache config
+* includes correct vsftpd config
+* includes ferm rules for all those services
+* minimum information provided should be the IPv4 and IPv6 address
projects / mirror / dsa-wiki.git / commitdiff