TELEICU/Current state assessment: Difference between revisions
From OHC Network Wiki
More languages
More actions
Content deleted Content added
Automated edit (via update-page on MediaWiki MCP Server) |
Fix bullet lists: convert - to * for proper MediaWiki unordered lists (via update-page on MediaWiki MCP Server) |
||
| Line 13: | Line 13: | ||
'''Impact:''' |
'''Impact:''' |
||
* Nodes go offline without graceful shutdown, risking data corruption on the underlying filesystem |
|||
* Configuration pull agents (once deployed) will have irregular check-in windows |
|||
* Monitoring must account for nodes that are expected to be offline for hours at a time |
|||
* Alerting must distinguish between a genuinely failed node and one that is simply disconnected |
|||
== Factor 2: Tampering and configuration drift == |
== Factor 2: Tampering and configuration drift == |
||
| Line 22: | Line 22: | ||
Hospital PCs are physically accessible to local staff. This has led to: |
Hospital PCs are physically accessible to local staff. This has led to: |
||
* Cloudflare tunnel credentials being modified or replaced |
|||
* Docker Compose files being hand-edited, breaking expected service definitions |
|||
* System configuration (networking, firewall rules) being changed without change control |
|||
* No audit trail for who made what change |
|||
'''Impact:''' |
'''Impact:''' |
||
* Declared state and actual state diverge silently |
|||
* Support calls increase as nodes exhibit non-standard behavior |
|||
* Security posture degrades as tunnel creds may be compromised |
|||
Both upgrade paths address this differently: |
Both upgrade paths address this differently: |
||
* '''Ansible''': ansible-pull reverts drift on each run (soft guarantee — drift can exist between pull intervals) |
|||
* '''NixOS''': Immutable /etc — tampering is impossible without rebooting to a different generation (hard guarantee) |
|||
== Factor 3: OS security and maintenance gaps == |
== Factor 3: OS security and maintenance gaps == |
||
| Line 40: | Line 40: | ||
The fleet is fragmented across three Ubuntu versions: |
The fleet is fragmented across three Ubuntu versions: |
||
* Ubuntu 20.04 — several nodes, nearing or past EOL for some packages |
|||
* Ubuntu 22.04 — the majority |
|||
* Ubuntu 24.04 — newer additions |
|||
'''Impact:''' |
'''Impact:''' |
||
* No consistent patch cadence across the fleet |
|||
* Security patches applied ad-hoc or not at all |
|||
* Ansible roles / NixOS modules must handle version-specific differences |
|||
* Upgrade path to a single baseline requires either OS reinstall (NixOS) or an in-place upgrade playbook (Ansible) |
|||
== Summary == |
== Summary == |
||