Is a group of servers (internal, external, cloud, etc.), possibly belonging to many different companies, under single management.
Benefits of installing standalone Server Farmer
Even without (or before) setting up a server farm, installing Server Farmer gives you many advantages over the default OS configuration:
- monitoring of public IP address changes (if you're behind NAT)
- proper and working MTA configuration (the server is now able to send emails)
- optional SMS notifications about urgent events
- log monitoring (syslog logs are periodically analyzed and you are notified about unusual events)
- proper log rotation (including compression, date markers, etc.)
- server hostname is set in a more consistent way, properly recognizable by all system services, on all supported operating systems
- secure PHP configuration
- configuration of many system services is more consistent and secure on all supported operating systems
- automatic daily/weekly, possibly encrypted backups (you only have to copy the created archives to some external storage)
- overall securing of your system, e.g. by cutting down unneeded system directory permissions, disabling insecure sshd options, etc.
Is a central server, which:
- is able to connect via ssh to all other servers from the farm
- holds ssh management (root) keys for all other servers
- has sf-farm-manager, and possibly sf-farm-inspector extensions installed and configured
- optionally has sf-backup-collector extension installed and configured to pull backups from other servers (this role can also be delegated to another server or servers)
Server role is just a functionality, or a group of functionalities, that a given server is supposed to provide. Some roles are meant for all servers (e.g. syslog), and others only for specific servers. Roles are provided by Server Farmer extensions.
Farm manager role is the central role in a server farm. It allows connecting to all other servers as the root user via ssh and managing them. A single farm can have multiple servers with the farm manager role: one of them is the "master" farm manager, which contains the management ssh keys, and the others contain only replicated, dedicated ssh keys for each server.
Farm manager extension contains several scripts that perform management actions on managed servers.
Farm inspector is a part of the farm manager role (and thus a separate extension) that is responsible for collecting information about all other servers, and also about network devices in the farm: their local user databases, free disk space, router configuration files, etc. In a typical configuration, this role is installed on the same server as the farm manager.
All servers in a farm are responsible for creating daily and weekly backups, which are stored on their local drives. Backup collector is the central server whose role is to pull these backups using scp and store them long-term.
The backup collector role can be fulfilled by the management server or by a separate server. There can also be many separate backup collector servers, each of which handles backups for only some part of the farm.
All scp connections are done using dedicated ssh keys for the backup user.
Management ssh key
Is a root ssh public key installed on all servers (or a group of servers) during Server Farmer setup. It allows passwordless ssh root access from the farm manager (central management server) during the setup phase.
The associated public key is hardcoded in the Server Farmer source code (in the sf-keys extension), and the private key should never be disclosed to anyone, regardless of circumstances.
Dedicated ssh key
Dedicated keys are simply ssh keys generated by Server Farmer on managed servers for various users and purposes:
- for passwordless ssh root access from farm manager after the setup phase (this key is generated automatically during setup)
- for transferring backups from managed server to backup collector (this key is also generated automatically, for “backup” system user)
- for secondary administrators and any other people that should have access to this particular server
Managing a large number of cheap servers comes with a business risk: sooner or later, some customer can become the subject of an investigation, either as a suspect or as a victim of someone else. For you, both cases can result in getting a court order to disclose the key(s) related to this customer. Using dedicated keys, you can give access only to the servers you were asked to, and nothing more.
Registering a server in the farm
Is just executing add-managed-host servername.domain from the management server as root. This:
- makes a connection to the new server using management ssh key
- adds new server to
- adds new server to one of /etc/local/.farm/*.hosts files (depending on detected server type)
- creates 2 dedicated ssh keys (for root and backup), stores key pairs in /etc/local/.ssh directory and uploads public keys to new server
- possibly adds new server to the backup collector (if installed on the same machine as management server)
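
A consistency check for the state that registration leaves on the management server, as an added example that is not part of Server Farmer: for every host listed in the farm's *.hosts files it verifies that both dedicated key pairs (root and backup) exist in the key directory and that each private key is accessible by its owner only. The line format of the hosts files (host or host:port), the key-<user>@<host> file naming, and the sample file and host names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Server Farmer code): check that every registered host
# has both dedicated key pairs and that private keys are owner-only.
# ASSUMPTIONS: *.hosts lines are "host" or "host:port"; key files are named
# key-<user>@<host> with a matching .pub file.

audit_farm_keys() {     # usage: audit_farm_keys FARM_DIR KEY_DIR
    farm_dir=$1; key_dir=$2
    cat "$farm_dir"/*.hosts 2>/dev/null | sed 's/:.*//' |
    awk 'NF { print $1 }' | sort -u |
    while read -r host; do
        for user in root backup; do
            priv="$key_dir/key-$user@$host"
            if [ ! -f "$priv" ]; then
                echo "MISSING $user@$host"
            elif [ ! -f "$priv.pub" ]; then
                echo "NOPUB $user@$host"
            else
                # Mode string must show no group/other permission bits.
                case $(ls -ld "$priv") in
                    -???------*) ;;
                    *) echo "PERMS $user@$host" ;;
                esac
            fi
        done
    done
}

build_sample_farm() {   # constructed fixture: hypothetical hosts, empty keys
    d=$(mktemp -d)
    mkdir "$d/farm" "$d/ssh"
    printf 'web1.example.com\ndb1.example.com:2222\n' > "$d/farm/physical.hosts"
    printf 'vm1.example.com\n' > "$d/farm/virtual.hosts"
    for k in root@web1.example.com backup@web1.example.com \
             root@db1.example.com backup@db1.example.com root@vm1.example.com
    do
        : > "$d/ssh/key-$k"; : > "$d/ssh/key-$k.pub"
        chmod 600 "$d/ssh/key-$k"
    done
    chmod 644 "$d/ssh/key-backup@db1.example.com"   # deliberately too open
    echo "$d"
}

sample=$(build_sample_farm)
audit_farm_keys "$sample/farm" "$sample/ssh"
rm -rf "$sample"
```

On a real management server the call would be audit_farm_keys /etc/local/.farm /etc/local/.ssh, after adjusting the assumed naming to what the installed version actually uses.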