James,

We use rsync to sync the /var/snd directories in our servers. Syncing the databases is a little more complicated. If you have the network bandwidth, running a single primary database would be best. Make all the queries to that database. You can do a daily snapshot of the database to keep the standby database server mostly up to date in case of a complete network failure. Also, since Fred implemented keeping a checksum of the audio files in the database, I'd run a periodic consistency check to make sure there hasn't been any corruption in the audio files.
There are a couple ways to set up the firewalls with respect to network traffic that isn't between VPN connected sites. One is to allow each site access to the Internet for non-associated sites and only run the site to site traffic over the VPN. That gives sites the fastest access to non-associated Internet sites. The other way is to send all the traffic of a subsidiary site back to the main site before it goes out on the Internet to non-associated sites. That is a choice that is made for various reasons. The main site might have better restriction controls for Internet access. There may be a concern about an attack that traffic analysis would play a part in. You can exercise QOS based prioritization if all the traffic going to and from a site is kept within the VPN. Traffic presented to the public Internet doesn't carry QOS so incoming traffic could delay database responses or any live audio you might be transporting.
Bill Putney - WB6RFW
District 2 Commissioner - Port of Port Townsend
Chief Engineer - KPTZ
El Jefe de Contenido - Port Townsend Film Festival
Private Pilot-Single Engine Land | Airframe & Powerplant / Inspection Authorization
On 2/27/18 9:37 PM, [email protected] wrote:
Bill

Thanks for bringing this subject on the Forum. We have a similar situation and we are looking to have some solution. Maybe you want to have your edge router set up VPN for your Rivendell so you will have access like the machine is in your current location. I think you can have the edge routers ignore any traffic except the addresses you list in the firewall.

James

I am interested how you have the 2 Rivendells synced. We are getting ready to build a master server and playout. Can you send me some info on how you did your 2 servers to work together.

Thanks

On 2018-02-05 10:47, Bill Putney wrote:

We use PFSense software on PC hardware. PFSense implements several different VPN arrangements but we are using IP/SEC since it is one of the very few that hasn't been hacked.

Someone I know was looking at Ubiquiti Cloud Key remote and I did a search for exploits and it has been listed as having "Critical" level hacks. Not sure about their edge routers but you should search for exploits for whatever equipment you use that interfaces the Internet.

Bill Putney - WB6RFW
District 2 Commissioner - Port of Port Townsend
Chief Engineer - KPTZ
El Jefe de Contenido - Port Townsend Film Festival
Private Pilot-Single Engine Land | Airframe & Powerplant / Inspection Authorization

On 2/5/18 3:48 AM, Andy Higginson wrote:

https://www.smallnetbuilder.com/lanwan/lanwan-reviews/33111-ubiquiti-edgerouter-lite-revisited

This is probably going off at a slight tangent but.... I was looking at Ubiquiti EdgeRouters over the weekend. They might be an interesting option for getting things up and running for VPN work.

It is often said that you should keep your office network and music network separate. However, if you are trying to access the Rivendell machines remotely, you need to have internet access to them, even if it is through a VPN. The EdgeRouters (even the cheapest model, the Lite) have multiple subnets and routing on them.
The Lite comes with 3 ports - eth0 for the WAN, eth1 for LAN 192.168.101.x and eth2 for LAN 192.168.102.x. Now I don't know what routing it does between ports eth1 and eth2 but it does seem to me that you could use this to allow both of the station networks to access the internet via this router. It also has the ability to run a VPN as well so you should be able to access the Music network from the outside world. How well they run and how they would perform in this context is not something that I would know. However I would be interested if anyone has some input.

https://www.ubnt.com/edgemax/edgerouter-lite/

Of course, one of the things with getting a VPN up and running is that you could use this for storing a remote off site backup with a NAS drive. That's something for another discussion.

Andy

---- On Mon, 05 Feb 2018 10:06:45 +0000 JAMES GREENLEE <[email protected]> wrote ----

Isn't this what the Server/Client model is all about?

In our deployment, our main studio is located in another town from the owner and myself. There's a "server" at the main studio (which is also the active RDAirPlay host), and workstations at both my location and the owner's location. All of our networks (two home locations, the main studio, and translator sites) are linked together with VPNs across the internet.

The good: We don't have to drive 30 miles to the main studio to make schedule changes or add/remove content from the Rivendell system.

The bad: It's painfully slow doing anything in Rivendell that's not on a local LAN.

There are no issues with all of the Rivendell systems running at the same time provided you don't work on the same thing from two different locations. Even if you do though, the last change would win. With the remote workstations, we're able to maintain content, create and edit clocks/logs, pull reports... Pretty much everything you can do locally with Rivendell, it's just slower. The speed penalty is due to network latency.
Two things we use to make this easier for us: a NAS (with NFS mounts for the Rivendell Server), and an IP KVM (from Avocent) that gives us a remote console to the Rivendell box for operating it as if we were right there in the studio.

The "glue" that makes this all happen is the VPN. There are volumes written on VPNs, network security, remote access technologies and they go far beyond the scope of Rivendell itself. I would not recommend running a VPN directly on the Rivendell host and instead build up a VPN on your network router, or use a VPN service to tie your networks together. Keep in mind your security requirements and trust between your partner's network and your own (in a site-to-site VPN, any computer on either side of the VPN has access to all network devices on all VPN end-points).

James

----- Original Message -----
From: "Cowboy" <[email protected]>
To: "Rivendell-Dev" <[email protected]>
Sent: Saturday, February 3, 2018 1:47:01 PM
Subject: Re: [RDD] Guidance on remote machine access

On Saturday 03 February 2018 12:07:20 pm Rich Lawrence wrote:

Hello all.

I have a partner helping with my streaming station and I would like him to be able to access the main database, which is housed at my location, from a remote machine at his location.

This is mostly going to be used for adding new music, promos, etc. Voice tracking is something later down the line, but the priority is the former.

I'm running 2.10.3 on Ubuntu 12, and would like some suggestions on the best way to accomplish what I am looking to do.

"Access the main database" could be taken a few ways.

Literally... I would first offer an EXTREME CAUTION doing this !! The likelihood of completely trashing your database, resulting in the loss of EVERYTHING is not trivial ! Fred and I have discussed this many times. The problem is two people accessing the same thing at the same time. Which is the "valid" data ?
The first one to commit, or the last one to commit, neither being aware of the other, thus committing conflicting data. OK, got that ? You have been warned !

Figuratively, meaning able to work with the system, and not directly access the database.

You could add his remote host, assuming he has a public IP on that machine, the same as any other. I'd strongly recommend against, as it involves a good deal of risky exposure at both ends, but you're not exposing your database directly on the open internet.

Across a VPN this should work easily. Setting up a VPN on an unfamiliar OS ( Ubuntu ) is beyond me, but once done his remote machine is "local" as far as the system is concerned, albeit slower. Probably, you'd actually be creating the VPN firewall to firewall so that the Rivendell machines don't even need be aware it's not physically local.

You could give him remote access to a local workstation via ssh -X. Safer, but not without pitfalls, as music and such would have to be first transferred onto that machine, then imported "locally" at your location though he'd be the one actually doing it via remote access.

That's probably the way I'd approach it, based on familiarity, though the idea of a VPN approach is probably the better way.

--
Cowboy
http://cowboy.cwf1.com

This Fortune Examined By INSPECTOR NO. 2-14

_______________________________________________
Rivendell-dev mailing list
[email protected]
http://caspian.paravelsystems.com/mailman/listinfo/rivendell-dev
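
Added example, not part of the thread and not Rivendell's own code: one way to run the periodic consistency check on the audio files that the newest message at the top suggests. It assumes the stored checksums are SHA-1 hex digests exported from the database as a name-to-digest mapping (hypothetical export); the file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha1", chunk=1 << 20):
    """Hash a file in chunks so large audio files never sit fully in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_audio_store(root, expected, algo="sha1"):
    """Compare files under root with stored digests.

    expected maps file name -> hex digest, or None when no checksum was
    ever recorded for that file. Returns sorted name lists per finding.
    """
    root = Path(root)
    on_disk = {p.name for p in root.iterdir() if p.is_file()}
    report = {"corrupt": [], "missing": [], "unverified": []}
    for name, digest in sorted(expected.items()):
        if name not in on_disk:
            report["missing"].append(name)       # in database, not on disk
        elif digest is None:
            report["unverified"].append(name)    # nothing to compare against
        elif file_digest(root / name, algo) != digest.lower():
            report["corrupt"].append(name)       # content changed since import
    report["untracked"] = sorted(on_disk - set(expected))
    return report


def demo():
    """Build a constructed audio directory, damage it, and check it."""
    names = ["000001_001.wav", "000002_001.wav", "000003_001.wav"]
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for n in names:
            (root / n).write_bytes(n.encode() * 1000)
        expected = {n: file_digest(root / n) for n in names}
        expected["000003_001.wav"] = None        # imported before checksums
        expected["000004_001.wav"] = "0" * 40    # file lost from disk
        (root / "000002_001.wav").write_bytes(b"\x00" * 100)  # corruption
        (root / "stray.tmp").write_bytes(b"leftover")         # not in database
        return check_audio_store(root, expected)


if __name__ == "__main__":
    print(demo())
```

Run against each server's copy of /var/snd after the rsync pass, the same report also shows whether the sync itself delivered damaged or incomplete files.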
