diff options
| author | Jan Dittberner <jan@dittberner.info> | 2016-04-17 20:31:19 +0200 |
|---|---|---|
| committer | Jan Dittberner <jan@dittberner.info> | 2016-04-17 20:44:46 +0200 |
| commit | 799ac295121feef1af0858b323670fa644026fb5 (patch) | |
| tree | 2c81545cff4449ba41f8c3e49811d12f2d4835e5 /docs/systems | |
| parent | d6caf89f21a24a36c69eae7732d2a025a5fe75e7 (diff) | |
| download | cacert-infradocs-799ac295121feef1af0858b323670fa644026fb5.tar.gz cacert-infradocs-799ac295121feef1af0858b323670fa644026fb5.tar.xz cacert-infradocs-799ac295121feef1af0858b323670fa644026fb5.zip | |
Move systems to separate folder
Refine structure of the Infra02 documentation and the machine template
Diffstat (limited to 'docs/systems')
| -rw-r--r-- | docs/systems/infra02.rst | 245 | ||||
| -rw-r--r-- | docs/systems/template.rst | 276 |
2 files changed, 521 insertions, 0 deletions
diff --git a/docs/systems/infra02.rst b/docs/systems/infra02.rst new file mode 100644 index 0000000..9cb621d --- /dev/null +++ b/docs/systems/infra02.rst @@ -0,0 +1,245 @@ +.. index:: + single: Systems; Infra02 + +======= +Infra02 +======= + +Purpose +======= + +The infrastructure host system Infra02 is a dedicated physical machine for the +CAcert infrastructure. + +.. index:: + single: LXC + single: Ferm + +Infra02 is the host system for all infrastructure containers. The containers +are setup using the Linux kernel's LXC_ system. The firewall for infrastructure +is maintained on this machine using Ferm_. + +.. _LXC: https://linuxcontainers.org/ +.. _Ferm: http://ferm.foo-projects.org/ + +Administration +============== + +System Administration +--------------------- + +* Primary: `Jan Dittberner`_ +* Secondary: `Mario Lipinski`_ + +.. _Jan Dittberner: jandd@cacert.org +.. _Mario Lipinski: mario@cacert.org + +Contact +------- + +* infrastructure-admin@cacert.org + +Basics +====== + +Physical Location +----------------- + +The machine is located in a server rack at BIT B.V. in the Netherlands. + +Physical Configuration +---------------------- + +The machine has been sponsored by Thomas Krenn and has the following hardware +parameters: + +:Mainboard: Supermicro X9SCL/X9SCM Version 1.11A +:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz +:RAM: 16 GiB ECC +:Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1 +:NIC: + + * eth0 Intel Corporation 82579LM Gigabit Network Connection + * eth1 Intel Corporation 82574L Gigabit Network Connection + +There is a 2 TB USB backup disk attached to the system. + +.. seealso:: + + See https://wiki.cacert.org/SystemAdministration/EquipmentList + +Logical Location +---------------- + +:IP Internet: :ip:v4:`213.154.225.230` +:IP Intranet: :ip:v4:`172.16.2.10` +:IP internal: :ip:v4:`10.0.0.1` +:IPv6: :ip:v6:`2001:7b8:616:162:1::10` +:IPv6 on br0: :ip:v6:`2001:7b8:616:162:2::10` +:MAC address: + + * :mac:`00:25:90:a9:66:e9` (eth0) + * :mac:`fe:0e:ee:75:a3:a5` (br0) + +.. seealso:: + + :doc:`network`. + +DNS +--- + +* infrastructure.cacert.org. IN A 213.154.225.230 +* infrastructure.cacert.org. IN SSHFP 1 1 5A82D3C150AF002C05784F73250A067053AEED63 +* infrastructure.cacert.org. IN SSHFP 1 2 63B0D74A3F1CE61865A5EB0497EF05243BC4067EC983C69AB8E62F3CB940CC82 +* infrastructure.cacert.org. IN SSHFP 2 1 AF8D8E3386EAA72997709632ADF2B457E6FEF0DC +* infrastructure.cacert.org. IN SSHFP 2 2 3A0188FC47D1FDD14D70A2FB78F51792D06BA11EAE6AB16E73CB7BB8DD6A0DC8 +* infrastructure.cacert.org. IN SSHFP 3 1 3E1B9EBF85B726CF831C76ECB8C17786AEDF40E8 +* infrastructure.cacert.org. IN SSHFP 3 2 3AE7F0035C2172977E99BFE312C7A8299650DEA16A975EA13EECE8FDA426062A +* infra02.intra.cacert.org. IN A 172.16.2.10 + +.. seealso:: + + See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges + +Operating System +---------------- + +* Debian GNU/Linux 7.10 + +Applicable Documentation +------------------------ + +This is it :-) + +Services +======== + +Listening services +------------------ + ++----------+-----------+-----------+-----------------------------------------+ +| Port | Service | Origin | Purpose | ++==========+===========+===========+=========================================+ +| 22/tcp | ssh | ANY | admin console access | ++----------+-----------+-----------+-----------------------------------------+ +| 25/tcp | smtp | local | mail delivery to local MTA | ++----------+-----------+-----------+-----------------------------------------+ +| 123/udp | ntp | ANY | network time protocol for host, | +| | | | listening on the Internet IPv6 and IPv4 | +| | | | addresses | ++----------+-----------+-----------+-----------------------------------------+ +| 5666/tcp | nrpe | monitor | remote monitoring service | ++----------+-----------+-----------+-----------------------------------------+ + +Running services +---------------- + ++--------------------+--------------------+----------------------------------------+ +| Service | Usage | Start mechanism | ++====================+====================+========================================+ +| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` | +| | remote | | +| | administration | | ++--------------------+--------------------+----------------------------------------+ +| cron | job scheduler | init script :file:`/etc/init.d/cron` | ++--------------------+--------------------+----------------------------------------+ +| rsyslog | syslog daemon | init script | +| | | :file:`/etc/init.d/syslog` | ++--------------------+--------------------+----------------------------------------+ +| ntpd | time server | init script :file:`/etc/init.d/ntp` | ++--------------------+--------------------+----------------------------------------+ +| Postfix | SMTP server for | init script | +| | local mail | :file:`/etc/init.d/postfix` | +| | submission, ... | | ++--------------------+--------------------+----------------------------------------+ +| Nagios NRPE server | remote monitoring | init script | +| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` | +| | :doc:`monitor` | | ++--------------------+--------------------+----------------------------------------+ + +.. Running Guests + -------------- + + .. some directive to list guests here + +Connected Systems +----------------- + +* :doc:`monitor` +* :doc:`emailout` + +Outbound network connections +---------------------------- + +* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3 +* :doc:`emailout` as SMTP relay +* ftp.nl.debian.org as Debian mirror +* security.debian.org for Debian security updates + +Security +======== + +SSH host keys +------------- + ++-----------+-----------------------------------------------------+ +| Algorithm | Fingerprint | ++===========+=====================================================+ +| RSA | ``86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c`` | ++-----------+-----------------------------------------------------+ +| DSA | ``b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5`` | ++-----------+-----------------------------------------------------+ +| ECDSA | ``79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0`` | ++-----------+-----------------------------------------------------+ +| ED25519 | ``25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4`` | ++-----------+-----------------------------------------------------+ + +.. seealso:: + + See :doc:`sshkeys` + +Dedictated user roles +--------------------- + +* None + +Non-distribution packages and modifications +------------------------------------------- + +* None + +Risk assessments and critical packages +-------------------------------------- + +The system is the basis for all other infrastructure systems. Access to this +system has to be tightly controlled. + +Tasks +===== + +.. todo:: find out why the system logs are messed up +.. todo:: upgrade to Debian Jessie +.. todo:: document whether it is safe to reboot this system +.. todo:: document how to setup a new container +.. todo:: document how to setup firewall rules/forwarding +.. todo:: document how the backup system works + +Planned +------- + +* None + +Changes +======= + +System Future +------------- + +* No plans + +Additional documentation +======================== + +.. seealso:: + + * https://wiki.cacert.org/PostfixConfiguration diff --git a/docs/systems/template.rst b/docs/systems/template.rst new file mode 100644 index 0000000..ee6de53 --- /dev/null +++ b/docs/systems/template.rst @@ -0,0 +1,276 @@ +================== +Systems - TEMPLATE +================== + +Purpose +======= + +.. <SHORT DESCRIPTION> + +Administration +============== + +System Administration +--------------------- + +* Primary: <SYSADMIN's NAME> +* Secondary: <secondary name> + +Application Administration +-------------------------- + +* <application>: <sysadmin's name> + +Contact +------- + + * <system>-admin@cacert.org + +Basics +====== + +Physical Location +----------------- + +.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.> + +.. ## Use the following for containers on Infra02: + +This system is located in an LXC_ container on physical machine :doc:`infra02`. + +Physical Configuration +---------------------- + +.. seealso:: + + See https://wiki.cacert.org/SystemAdministration/EquipmentList + +Logical location +---------------- + + * IP Internet: <IP> + * IP Intranet: <IP> + * IP Internal: <IP> + * MAC address: <MAC> (interfacename) + +.. seealso:: + + See :doc:`../network` + +DNS +--- + + * <HOSTNAME>.cacert.org. IN A <IP> + * <HOSTNAME>.intra.cacert.org. IN A <IP> + +.. seealso:: + + See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges + +Operating System +---------------- + + * Debian GNU/Linux x.y + +Applicable Documentation +------------------------ + +This is it :-) + +Services +======== + +Listening services +------------------ + ++----------+-----------+-----------+-----------------------------------------+ +| Port | Service | Origin | Purpose | ++==========+===========+===========+=========================================+ +| 22/tcp | ssh | ANY | admin console access | ++----------+-----------+-----------+-----------------------------------------+ +| 25/tcp | smtp | local | mail delivery to local MTA | ++----------+-----------+-----------+-----------------------------------------+ +| 80/tcp | http | ANY | application | ++----------+-----------+-----------+-----------------------------------------+ +| 443/tcp | https | ANY | application | ++----------+-----------+-----------+-----------------------------------------+ +| 5666/tcp | nrpe | monitor | remote monitoring service | ++----------+-----------+-----------+-----------------------------------------+ + +.. below are some definitions of commonly open ports, choose those that are applicable and order the table by port number + || 3306/tcp || mysql || local || MySQL database for ... || + || 5432/tcp || pgsql || local || PostgreSQL database for ... || + || 465/udp || syslog || local || syslog port || + +Running services +---------------- + ++--------------------+--------------------+----------------------------------------+ +| Service | Usage | Start mechanism | ++====================+====================+========================================+ +| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` | +| | remote | | +| | administration | | ++--------------------+--------------------+----------------------------------------+ +| Apache httpd | Webserver for ... | init script | +| | | :file:`/etc/init.d/apache2` | ++--------------------+--------------------+----------------------------------------+ +| cron | job scheduler | init script :file:`/etc/init.d/cron` | ++--------------------+--------------------+----------------------------------------+ +| rsyslog | syslog daemon | init script | +| | | :file:`/etc/init.d/syslog` | ++--------------------+--------------------+----------------------------------------+ +| PostgreSQL | PostgreSQL | init script | +| | database server | :file:`/etc/init.d/postgresql` | +| | for ... | | ++--------------------+--------------------+----------------------------------------+ +| MySQL | MySQL database | init script | +| | server for ... | :file:`/etc/init.d/mysql` | ++--------------------+--------------------+----------------------------------------+ +| Postfix | SMTP server for | init script | +| | local mail | :file:`/etc/init.d/postfix` | +| | submission, ... | | ++--------------------+--------------------+----------------------------------------+ +| Exim | SMTP server for | init script | +| | local mail | :file:`/etc/init.d/exim4` | +| | submission, ... | | ++--------------------+--------------------+----------------------------------------+ +| Nagios NRPE server | remote monitoring | init script | +| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` | +| | :doc:`monitor` | | ++--------------------+--------------------+----------------------------------------+ + +Databases +--------- + ++-------------+--------------+---------------------------+ +| RDBMS | Name | Used for | ++=============+==============+===========================+ +| MySQL | application1 | fictional application one | ++-------------+--------------+---------------------------+ +| PostgreSQL | application2 | fictional application two | ++-------------+--------------+---------------------------+ + +Running Guests +-------------- + ++----------------+-------------+---------------+---------+---------------+ +| Machine | IP Intranet | IP Internet | Ports | Purpose | ++================+=============+===============+=========+===============+ +| :doc:`machine` | <LOCAL IP> | <INTERNET IP> | <PORTS> | <DESCRIPTION> | ++----------------+-------------+---------------+---------+---------------+ + +Connected Systems +----------------- + +* :doc:`monitor` + +Outbound network connections +---------------------------- + +* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3 +* :doc:`emailout` as SMTP relay +* ftp.nl.debian.org as Debian mirror +* security.debian.org for Debian security updates +* crl.cacert.org (rsync) for getting CRLs + +Security +======== + +SSH host keys +------------- + ++-----------+-----------------------------------------------------+ +| Algorithm | Fingerprint | ++===========+=====================================================+ +| RSA | | ++-----------+-----------------------------------------------------+ +| DSA | | ++-----------+-----------------------------------------------------+ +| ECDSA | | ++-----------+-----------------------------------------------------+ +| ED25519 | | ++-----------+-----------------------------------------------------+ + +.. seealso:: + + See :doc:`../sshkeys` + +Dedicated user roles +-------------------- + +.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here + Regular operating system groups should not be documented + +.. || '''Group''' || '''Purpose''' || + || goodguys || Shell access for the good guys || + +Non-distribution packages and modifications +------------------------------------------- + +.. * None + or + * List of non-distribution packages and modifications + +Risk assessments on critical packages +------------------------------------- + +Tasks +===== + +Critical Configuration items +============================ + +Keys and X.509 certificates +--------------------------- + +* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>) +* :file:`/etc/apache2/ssl/<path to server key>` server key + +.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates) + * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate) + +.. seealso:: + + * :doc:`../certlist` + * https://wiki.cacert.org/SystemAdministration/CertificateList + +Tasks +===== + +Planned +------- + +.. add a paragraph for each larger planned task that seems to be worth + mentioning. You may want to link to specific issues if you use some issue + tracker. + +Changes +======= + +System Future +------------- + +.. * No plans + +Additional documentation +======================== + +.. add inline documentation + +.. remove unneeded links from the list below, add other links that apply + +.. seealso: + + * https://wiki.cacert.org/Exim4Configuration + * https://wiki.cacert.org/PostfixConfiguration + * https://wiki.cacert.org/QmailConfiguration + * https://wiki.cacert.org/SendmailConfiguration + * https://wiki.cacert.org/StunnelConfiguration + +References +---------- + +.. can be used to provide links to reference documentation + * http://product.site.com/docs/ + * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]] |