author: Jan Dittberner <jan@dittberner.info> 2016-04-24 16:19:58 +0200
committer: Jan Dittberner <jan@dittberner.info> 2016-04-24 16:19:58 +0200
commit: c9e625f59df5e55b8ae7440c3eda7a016589f5c1 (patch)
tree: a5bdfebb94ae87b35696527e0ca409deae844fe6
parent: 9fc48cee69e324e253452afe11c7c073fbba9471 (diff)
Describe LVM and finish arbitration system

This commit finishes the documentation of the arbitration system. The general systems section got index terms and a description of how to avoid systemd-sysv in containers. A new section that describes critical configuration items has been added to the infra02 page.
docs/glossary.rst            | 10
docs/systems.rst             | 10
docs/systems/arbitration.rst | 53
docs/systems/infra02.rst     | 28
4 files changed, 82 insertions, 19 deletions
diff --git a/docs/glossary.rst b/docs/glossary.rst
index 19e6811..02977b4 100644
--- a/docs/glossary.rst
+++ b/docs/glossary.rst
@@ -10,3 +10,13 @@ Glossary
A container is an isolated system with a separate root file system and
operating system userland. The containers share a common operating system
kernel.
+
+ LVM
+ Logical volume manager. The LVM allows to allocate space on block
+ devices more dynamically than with traditional partitions. The block
+ devices are managed as physical volumes (PVs) that are grouped in volume
+ groups (VGs). Space can be allocated as logical volumes (LVs) that can be
+ formatted using regular file system tools. LVs can be resized without
+ reboot. LVM provides snapshot functionality that is useful for backup and
+ upgrade procedures.
+
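Review bot: "The LVM allows to allocate space" is ungrammatical; suggest "LVM allows space on block devices to be allocated more dynamically than with traditional partitions." The last `+` line adds a trailing blank line at the end of glossary.rst; drop it. Since the entry advertises snapshots for backup and upgrade procedures, one caveat belongs here: a classic LVM snapshot has a fixed copy-on-write size and becomes invalid once that space fills, so the snapshot LV must be sized for the writes expected during the backup or upgrade, otherwise the backup source or the rollback point silently disappears.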
diff --git a/docs/systems.rst b/docs/systems.rst
index 8a28601..40b8bf9 100644
--- a/docs/systems.rst
+++ b/docs/systems.rst
@@ -26,6 +26,10 @@ General
Checklist
---------
+.. index::
+ single: etckeeper
+ single: nrpe
+
* All containers should be monitored by :doc:`systems/monitor` and should
therefore have :program:`nagios-nrpe-server` installed
* All containers should use :program:`etckeeper` to put their local setup into
@@ -34,6 +38,12 @@ Checklist
* All infrastructure systems must send their mail via :doc:`systems/emailout`
* All infrastructure systems should have an system-admin@cacert.org alias to
reach their admins
+* The installation of :index:`systemd-sysv` in containers can be blocked by
+ putting the following lines in :file:`/etc/apt/preferences.d/systemd-sysv`::
+
+ Package: systemd-sysv
+ Pin: release a=stable
+ Pin-Priority: -1
.. todo:: think about replacing nrpe with Icinga2 satellites
.. todo:: document how to setup the system-admin alias on the email system
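Review bot: the pin `Pin: release a=stable` only assigns priority -1 to versions of systemd-sysv that come from an archive whose Release file carries `Archive: stable`; a version offered by stable-updates, backports or any other configured source is not matched and apt would still install it. To block the package regardless of origin, use `Pin: version *` (or `Pin: release *`) with the same `Pin-Priority: -1`. The new bullet also reads as a how-to rather than a checklist item; consider stating the requirement ("Containers must not have systemd-sysv installed") and keeping the apt snippet as the way to enforce it.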
diff --git a/docs/systems/arbitration.rst b/docs/systems/arbitration.rst
index 36bffc2..7496fcf 100644
--- a/docs/systems/arbitration.rst
+++ b/docs/systems/arbitration.rst
@@ -128,6 +128,15 @@ Listening services
Running services
----------------
+.. index::
+ single: openssh
+ single: nginx
+ single: cron
+ single: PostgreSQL
+ single: MySQL
+ single: Exim
+ single: nrpe
+
+--------------------+--------------------+----------------------------------------+
| Service | Usage | Start mechanism |
+====================+====================+========================================+
@@ -167,6 +176,10 @@ Databases
.. todo:: setup databases
+.. note::
+ There is a PostgreSQL server setup in this container but it contains
+ no database yet.
+
Connected Systems
-----------------
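Review bot: a PostgreSQL server without databases is still a running service with an attack surface. The note should say whether it listens on localhost only (cross-check the Listening services table above) and, if nothing needs it yet, the server should be stopped and disabled until an application is deployed, or the note should record why it is kept running.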
@@ -198,7 +211,7 @@ SSH host keys
| ED25519 | - |
+-----------+-----------------------------------------------------+
-.. todo:: setup ED255519 host key
+.. todo:: setup ED25519 host key
.. seealso::
@@ -216,15 +229,17 @@ Dedicated user roles
Non-distribution packages and modifications
-------------------------------------------
-.. * None
+* some experimental nmp/nodejs/etherpad things in :file:`/home/magu` not
+ running yet
+
+..
or
* List of non-distribution packages and modifications
Risk assessments on critical packages
-------------------------------------
-Tasks
-=====
+* No exposed services yet.
Critical Configuration items
============================
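Review bot: "No exposed services yet" under Risk assessments is contradicted by this same commit: nginx is listed under Running services and the References section points at http://arbitration.cacert.org/, so at least the nginx welcome page is exposed. "nmp" in the new bullet is presumably "npm". The experimental npm/nodejs/etherpad checkout in /home/magu is exactly what the risk assessment should cover (unpackaged software that receives no distribution security updates, and who is responsible for it), even while it is not running. The `..` comment holding the "or / * List of non-distribution packages" template text should be removed rather than carried in the page.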
@@ -232,24 +247,31 @@ Critical Configuration items
Keys and X.509 certificates
---------------------------
-* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
-* :file:`/etc/apache2/ssl/<path to server key>` server key
+* No keys or certificates setup yet
-.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
- * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+..
+ * :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
+ * :file:`/etc/apache2/ssl/<path to server key>` server key
+ * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
+ * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
.. seealso::
* :doc:`../certlist`
* https://wiki.cacert.org/SystemAdministration/CertificateList
+Nginx configuration
+-------------------
+
+* :file:`/etc/nginx/sites/available/default` default nginx configuration
+
Tasks
=====
Planned
-------
-.. todo:: install application
+.. todo:: Evaluate and setup a collaboration system for arbitrators.
.. todo:: setup IPv6
Changes
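Review bot: `/etc/nginx/sites/available/default` is almost certainly `/etc/nginx/sites-available/default` (Debian's nginx layout uses a hyphen); please verify on the host. "No keys or certificates setup yet" should read "set up". The commented-out apache2 paths are template text for a host that runs nginx, so drop them instead of keeping them as a comment, and since the site is served over plain HTTP with no certificate installed, a todo for a server certificate would fit under Planned next to the IPv6 item.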
@@ -266,19 +288,12 @@ Additional documentation
.. add inline documentation
-.. remove unneeded links from the list below, add other links that apply
-
-.. seealso:
+.. seealso::
* https://wiki.cacert.org/Exim4Configuration
- * https://wiki.cacert.org/PostfixConfiguration
- * https://wiki.cacert.org/QmailConfiguration
- * https://wiki.cacert.org/SendmailConfiguration
- * https://wiki.cacert.org/StunnelConfiguration
References
----------
-.. can be used to provide links to reference documentation
- * http://product.site.com/docs/
- * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]
+Arbitration nginx welcome page
+ http://arbitration.cacert.org/
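Review bot: `.. add inline documentation` in the context above the seealso is a leftover template comment and should go the same way as the placeholder links removed here.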
diff --git a/docs/systems/infra02.rst b/docs/systems/infra02.rst
index 35b054a..eb521b7 100644
--- a/docs/systems/infra02.rst
+++ b/docs/systems/infra02.rst
@@ -155,6 +155,14 @@ Listening services
Running services
----------------
+.. index::
+ single: openssh
+ single: cron
+ single: rsyslog
+ single: ntpd
+ single: Postfix
+ single: nrpe
+
+--------------------+--------------------+----------------------------------------+
| Service | Usage | Start mechanism |
+====================+====================+========================================+
@@ -263,6 +271,26 @@ System Future
* No plans
+Critical Configuration items
+============================
+
+.. index:: Ferm
+
+Ferm firewall configuration
+---------------------------
+
+The `Ferm`_ based firewall setup is located in :file:`/etc/ferm` and its
+subdirectories.
+
+Container configuration
+-----------------------
+
+The container configuration is contained in files named
+:file:`/var/lib/lxc/<container>/config`.
+
+The root filesystems of the containers are stored on :term:`LVM` volumes that
+are mounted in :file:`/var/lib/lxc/<container>/rootfs` for each container.
+
Additional documentation
========================
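Review bot: `Ferm`_ is a named reference and needs a matching `.. _Ferm: <url>` target in infra02.rst; none is added in this hunk, so unless the target already exists Sphinx will report an unknown target name. For the container section, which is the host's critical configuration, it would help to list which settings in /var/lib/lxc/<container>/config matter for isolation (the network attachment and any capability or cgroup device restrictions), since this page is where an admin would check them, and to state whether /etc/ferm and the container configs are tracked by etckeeper.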