 | huit_infrastructure_governance_-_software_sourcing_guidelines.pdf | 483 KB |
The purpose of these guidelines, hereinafter “Guidelines”, is to provide guidance and governance for the sourcing of software and packages installed standalone or as part of an operating system on HUIT supported systems. Such software, hereinafter “Software,” includes components commonly referred to as application servers and “middleware” as well as packages and libraries required to run internally developed and off-the-shelf applications.
Software shall be installed via automation and infrastructure as code. Installation processes shall source approved software from designated sources as outlined in this document.
These guidelines assume that Software will be installed on HUIT supported operating systems which currently include:
These Sourcing Guidelines recognizes that there is no one-size fits all standard that will satisfy all software installation needs. Accordingly, these guidelines reflect both the type of software being installed as well as the operating system onto which it is being installed.
Special Note for Windows systems:
There is no concept of a package manager or standard distribution repository for Windows systems. Updates to the Windows operating system are handled via the Windows update utility. In addition, SCCM is used on Windows systems for certain software installations and handled via group policy.
For software not installed by Windows updates and SCCM, software may be sourced from Artifactory or from S3.
Accordingly, references to RHEL Satellite server below do not apply to Windows systems. However, “standard distribution repositories”, for Windows systems, may be interpreted as those software sources which Windows uses for processing updates to the Windows operating system.
Software supporting HUIT-developed and purchased systems shall be sourced from the repositories detailed in the following diagram:
Artifactory provides multiple repository types – RPM, DEB, Maven, Python, etc. It can also operate as a generic fileserver with a “generic” repository type.
Artifactory will provide repositories for custom RPM/DEB packages provided by Harvard (e.g. various SMVP tools that need to be installed on servers).
Artifactory will also serve as a mirror to “authorized” upstream repositories (e.g., EPEL) authorized by the IGC. These will be repositories that provide useful packages that are verified to be updated in a timely manner and to follow security best practices.
Satellite server is systems management software provided by Red Hat to manage servers running RHEL. HUIT uses satellite server to deploy RHEL specific operating system patches and software packages.
For RHEL servers OS patches shall always be deployed from satellite server. In addition, required system software available in satellite server shall be sourced from satellite server as primary. If required system software is not available in satellite server then Artifactory should be consulted.
Certain large software installers (e.g. Oracle database software, Weblogic application server software) will be staged in AWS S3 and shall be sourced from S3 for download and install on servers.
An application server will have the following options from which to fetch artifacts.
Standard OS Distribution Repositories / Satellite: Your first choice for finding packages and should be used for packages provided by the Linux distribution. This will be core OS files and often interpreters/compilers such as Java, Python, etc. that are provided by your distribution (Amazon Linux, RedHat, Ubuntu, etc.). This should be the preferred route for any dependencies as security updates are provided by the upstream providers in a timely manner and fetching new versions is easy and standardized.
Artifactory.HUIT: Your next choice for finding packages. Shall be used as an additional package repository for RPM or APT as well as a repository for application builds (e.g. custom python, Java, etc. applications). Generally speaking, application builds should be stored in Artifactory to be deployed to an application server.
S3: Your last choice for finding packages. Similar to Artifactory S3 shall be used to store large installation files for anything not found in either the standard package management or Artifactory sources. This may be things like Weblogic or other proprietary installation materials.
The application server shall be built from an approved machine image (e.g. AMIBuilder AMI for RHEL9).
To complete the software build out for an Apache Tomcat Java application:
The application server shall be built from an approved machine image (e.g. AMIBuilder AMI for Windows 2022).
To complete the software build out for an Apache Tomcat Java application:
*note that some software installation packages including .exe and .msi installer may include dependent software which will be installed as required and as such will not be subject to these software sourcing guidelines.
Artifactory: artifactory.huit.harvard.edu
AWS S3: sharedservices-prod- huit-devops-software-repository: https://s3.console.aws.amazon.com/s3/buckets/huit-devops-software-reposi...
For Java and Weblogic (others to be added):
|
Component |
Vendor |
Source |
Lifecycle Management |
|
|
|
|
|
|
Java |
Oracle |
S3 – via Oracle provided software bundle (e.e. EBusiness Suite, PeopleSoft) for Linux or Windows |
Via Oracle quarterly CPU/PSU |
|
Java |
OpenJDK |
Linux systems: |
Via OS patching schedules |
|
Weblogic |
Oracle |
S3 – via Oracle provided software bundle (e.e. EBusiness Suite, PeopleSoft) for Linux or Windows |
Via Oracle quarterly CPU/PSU |
