authorJan Dittberner <jandd@cacert.org>2021-08-01 12:52:17 +0200
committerJan Dittberner <jandd@cacert.org>2021-08-01 12:52:17 +0200
commitef5853abbbeb42d2847dc4577c8aa889b4783968 (patch)
tree69abd6700bc61fedaa90bac69b3f00bb4c5ea9e9 /docs
parent324e17f920e0d27a13a8282118d1a808ed925f4c (diff)
downloadcacert-infradocs-ef5853abbbeb42d2847dc4577c8aa889b4783968.tar.gz
cacert-infradocs-ef5853abbbeb42d2847dc4577c8aa889b4783968.tar.xz
cacert-infradocs-ef5853abbbeb42d2847dc4577c8aa889b4783968.zip
Add testmgr and public IPs of critical systems
Diffstat (limited to 'docs')
-rw-r--r--docs/cacert-network.nwdiag19
-rw-r--r--docs/cacert-network.pngbin0 -> 13653 bytes
-rw-r--r--docs/cacert-network.svg64
-rw-r--r--docs/critical.rst6
-rw-r--r--docs/critical/crl.rst15
-rw-r--r--docs/critical/fw01.rst15
-rw-r--r--docs/critical/fw02.rst14
-rw-r--r--docs/critical/gw.rst14
-rw-r--r--docs/critical/ns1.rst14
-rw-r--r--docs/critical/ocsp.rst15
-rw-r--r--docs/critical/vrrp1.rst14
-rw-r--r--docs/critical/vrrp2.rst15
-rw-r--r--docs/critical/webdb.rst8
-rw-r--r--docs/systems/testmgr.rst249
14 files changed, 458 insertions, 4 deletions
diff --git a/docs/cacert-network.nwdiag b/docs/cacert-network.nwdiag
new file mode 100644
index 0000000..253b40e
--- /dev/null
+++ b/docs/cacert-network.nwdiag
@@ -0,0 +1,19 @@
+nwdiag {
+ inet [ shape = cloud ];
+
+ inet -- gw;
+
+ network ipv4public {
+ address = "213.154.225.224/27"
+
+ gw [address = ".225"];
+ vrrp1 [address = ".226"];
+ vrrp2 [address = ".227"];
+
+ group firewall {
+ cacert-fw [address = ".229"];
+ cacert-fw01 [address = ".253"];
+ cacert-fw02 [address = ".254"];
+ }
+ }
+}
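Review bot: The firewall group here names `cacert-fw02 [address = ".254"];`, but the rendered docs/cacert-network.svg committed in the same change still labels that node `cacert-fw03` (both in its embedded `<desc>` source and in the drawn text) and has neither the `inet` cloud nor the `inet -- gw` link, so the SVG was evidently rendered from an earlier revision of this file. Regenerating the SVG from the current source, or committing only the .nwdiag and letting the doc build render it, would keep the diagram consistent with docs/critical/fw02.rst, which also documents .254. The `.229` address appears as its own node `cacert-fw` here while docs/critical/fw01.rst and fw02.rst each list it alongside their .253/.254 addresses, which reads as a shared or floating firewall address; a source comment such as `// .229 is shared by fw01 and fw02 (see critical/fw01.rst, fw02.rst)` above the group would make that intent explicit for the next reader.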
diff --git a/docs/cacert-network.png b/docs/cacert-network.png
new file mode 100644
index 0000000..23a7d24
--- /dev/null
+++ b/docs/cacert-network.png
Binary files differ
diff --git a/docs/cacert-network.svg b/docs/cacert-network.svg
new file mode 100644
index 0000000..0647ea5
--- /dev/null
+++ b/docs/cacert-network.svg
@@ -0,0 +1,64 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg viewBox="0 0 1064 300" xmlns="http://www.w3.org/2000/svg" xmlns:inkspace="http://www.inkscape.org/namespaces/inkscape" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <defs id="defs_block">
+ <filter height="1.504" id="filter_blur" inkspace:collect="always" width="1.1575" x="-0.07875" y="-0.252">
+ <feGaussianBlur id="feGaussianBlur3780" inkspace:collect="always" stdDeviation="4.2" />
+ </filter>
+ </defs>
+ <title>blockdiag</title>
+ <desc>nwdiag {
+ network ipv4public {
+ address = "213.154.225.224/27"
+
+ gw [address = ".225"];
+ vrrp1 [address = ".226"];
+ vrrp2 [address = ".227"];
+
+ group firewall {
+ cacert-fw [address = ".229"];
+ cacert-fw01 [address = ".253"];
+ cacert-fw03 [address = ".254"];
+ }
+ }
+}
+</desc>
+ <rect fill="rgb(243,152,0)" height="92" style="filter:url(#filter_blur)" width="420" x="602" y="130" />
+ <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="104" x="155" y="162" />
+ <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="104" x="307" y="162" />
+ <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="104" x="459" y="162" />
+ <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="104" x="611" y="162" />
+ <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="104" x="763" y="162" />
+ <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="104" x="915" y="162" />
+ <path d="M 131 103 L 1043 103 A2,4 0 0 1 1043 111 L 131 111 A2,4 0 0 1 131 103" fill="rgb(0,0,0)" style="filter:url(#filter_blur)" />
+ <path d="M 128 100 L 1040 100 A2,4 0 0 1 1040 108 L 128 108 A2,4 0 0 1 128 100" fill="rgb(185,203,228)" stroke="rgb(0,0,0)" />
+ <path d="M 1040 108 A2,4 0 0 1 1040 100" fill="none" stroke="rgb(0,0,0)" />
+ <path d="M 128 100 L 1040 100" fill="none" stroke="none" />
+ <path d="M 584 35 L 584 100" fill="none" stroke="rgb(0,0,0)" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="55" x="92.5" y="103">ipv4public</text>
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="113" x="63.5" y="117">213.154.225.224/27</text>
+ <path d="M 204 108 L 204 156" fill="none" stroke="rgb(0,0,0)" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="24" x="228.0" y="135">.225</text>
+ <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="104" x="152" y="156" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="15" x="204.5" y="182">gw</text>
+ <path d="M 356 108 L 356 156" fill="none" stroke="rgb(0,0,0)" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="24" x="380.0" y="135">.226</text>
+ <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="104" x="304" y="156" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="27" x="356.5" y="182">vrrp1</text>
+ <path d="M 508 108 L 508 156" fill="none" stroke="rgb(0,0,0)" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="24" x="532.0" y="135">.227</text>
+ <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="104" x="456" y="156" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="27" x="508.5" y="182">vrrp2</text>
+ <path d="M 660 108 L 660 156" fill="none" stroke="rgb(0,0,0)" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="24" x="684.0" y="135">.229</text>
+ <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="104" x="608" y="156" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="48" x="660.0" y="181">cacert-fw</text>
+ <path d="M 812 108 L 812 156" fill="none" stroke="rgb(0,0,0)" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="24" x="836.0" y="135">.253</text>
+ <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="104" x="760" y="156" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="61" x="812.5" y="181">cacert-fw01</text>
+ <path d="M 964 108 L 964 156" fill="none" stroke="rgb(0,0,0)" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="24" x="988.0" y="135">.254</text>
+ <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="104" x="912" y="156" />
+ <text fill="rgb(0,0,0)" font-family="sans-serif" font-size="11" font-style="normal" font-weight="normal" text-anchor="middle" textLength="61" x="964.5" y="181">cacert-fw03</text>
+</svg>
diff --git a/docs/critical.rst b/docs/critical.rst
index 2419461..a727730 100644
--- a/docs/critical.rst
+++ b/docs/critical.rst
@@ -6,7 +6,13 @@ Critical Systems
:maxdepth: 1
critical/crl
+ critical/fw01
+ critical/fw02
+ critical/gw
+ critical/ns1
critical/ocsp
+ critical/vrrp1
+ critical/vrrp2
critical/webdb
.. add more systems here. https://wiki.cacert.org/SystemAdministration/Systems/
diff --git a/docs/critical/crl.rst b/docs/critical/crl.rst
index 6a8d88c..08decf3 100644
--- a/docs/critical/crl.rst
+++ b/docs/critical/crl.rst
@@ -1,10 +1,21 @@
-=====
+.. index::
+ single: Systems; Crl
+
+===
Crl
-=====
+===
.. copy content structure from critical/template.rst and adapt to the needs for
this system
+Basics
+======
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.236`
+
Critical Configuration items
============================
diff --git a/docs/critical/fw01.rst b/docs/critical/fw01.rst
new file mode 100644
index 0000000..9603543
--- /dev/null
+++ b/docs/critical/fw01.rst
@@ -0,0 +1,15 @@
+.. index::
+ single: Systems; fw01
+
+====
+fw01
+====
+
+Basics
+======
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.229`, :ip:v4:`213.154.225.253`
+
diff --git a/docs/critical/fw02.rst b/docs/critical/fw02.rst
new file mode 100644
index 0000000..3ea4138
--- /dev/null
+++ b/docs/critical/fw02.rst
@@ -0,0 +1,14 @@
+.. index::
+ single: Systems; fw02
+
+====
+fw02
+====
+
+Basics
+======
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.229`, :ip:v4:`213.154.225.254`
diff --git a/docs/critical/gw.rst b/docs/critical/gw.rst
new file mode 100644
index 0000000..00109b8
--- /dev/null
+++ b/docs/critical/gw.rst
@@ -0,0 +1,14 @@
+.. index::
+ single: Systems; gw
+
+==
+gw
+==
+
+Basics
+======
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.225`
diff --git a/docs/critical/ns1.rst b/docs/critical/ns1.rst
new file mode 100644
index 0000000..d0eb9b9
--- /dev/null
+++ b/docs/critical/ns1.rst
@@ -0,0 +1,14 @@
+.. index::
+ single: Systems; ns1
+
+===
+ns1
+===
+
+Basics
+======
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.251`
diff --git a/docs/critical/ocsp.rst b/docs/critical/ocsp.rst
index 583fdb1..bb44efd 100644
--- a/docs/critical/ocsp.rst
+++ b/docs/critical/ocsp.rst
@@ -1,10 +1,21 @@
-=====
+.. index::
+ single: Systems; ocsp
+
+====
Ocsp
-=====
+====
.. copy content structure from critical/template.rst and adapt to the needs for
this system
+Basics
+======
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.237`
+
Critical Configuration items
============================
diff --git a/docs/critical/vrrp1.rst b/docs/critical/vrrp1.rst
new file mode 100644
index 0000000..0aa22fb
--- /dev/null
+++ b/docs/critical/vrrp1.rst
@@ -0,0 +1,14 @@
+.. index::
+ single: Systems; vrrp1
+
+=====
+vrrp1
+=====
+
+Basics
+======
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.226`
diff --git a/docs/critical/vrrp2.rst b/docs/critical/vrrp2.rst
new file mode 100644
index 0000000..15039a0
--- /dev/null
+++ b/docs/critical/vrrp2.rst
@@ -0,0 +1,15 @@
+.. index::
+ single: Systems; vrrp2
+
+=====
+vrrp2
+=====
+
+Basics
+======
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.227`
+
diff --git a/docs/critical/webdb.rst b/docs/critical/webdb.rst
index 6565a60..35df905 100644
--- a/docs/critical/webdb.rst
+++ b/docs/critical/webdb.rst
@@ -5,6 +5,14 @@ Webdb
.. copy content structure from critical/template.rst and adapt to the needs for
this system
+Basics
+======
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.245`, :ip:v4:`213.154.225.246`, :ip:v4:`213.154.225.247`
+
Critical Configuration items
============================
diff --git a/docs/systems/testmgr.rst b/docs/systems/testmgr.rst
new file mode 100644
index 0000000..a503adc
--- /dev/null
+++ b/docs/systems/testmgr.rst
@@ -0,0 +1,249 @@
+.. index::
+ single: Systems; Testmgr
+
+=======
+Testmgr
+=======
+
+Purpose
+=======
+
+This system is used for managing test users and reading mails from the test
+system inbox.
+
+Application Links
+-----------------
+
+Testmgr application
+ https://test.cacert.org:14843/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_ted`
+* Secondary: :ref:`people_dirk`
+
+Application Administration
+--------------------------
+
++--------------+-------------------+
+| Application | Administrator(s) |
++==============+===================+
+| Test manager | :ref:`people_ted` |
++--------------+-------------------+
+
+Contact
+-------
+
+* bernhard@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_jandd` and :ref:`people_mario` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.248`
+:IP Intranet: :ip:v4:`172.16.2.248`
+:IP Internal: :ip:v4:`10.0.0.148`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::148`
+:MAC address: :mac:`00:16:3e:13:87:cc` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+.. index::
+ single: Monitoring; testmgr
+
+Monitoring
+----------
+
+.. add links to monitoring checks
+
+:internal checks: :monitor:`template.infra.cacert.org`
+:external checks: :monitor:`template.cacert.org`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 8.10
+
+* Debian GNU/Linux 8.10
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+--------+-----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+========+=============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+--------+-----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+--------+-----------------------------+
+| 80/tcp | http | ANY | application |
++----------+---------+--------+-----------------------------+
+| 443/tcp | https | ANY | application |
++----------+---------+--------+-----------------------------+
+| 3306/tcp | mysql | local | MySQL database for testmgr |
++----------+---------+--------+-----------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: apache httpd
+ single: cron
+ single: mysql
+ single: openssh
+ single: postfix
+ single: rsyslog
+
++----------------+-----------------------+-----------------------------------------+
+| Service | Usage | Start mechanism |
++================+=======================+=========================================+
+| Apache httpd | Webserver for testmgr | init script :file:`/etc/init.d/apache2` |
++----------------+-----------------------+-----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++----------------+-----------------------+-----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for testmgr | :file:`/etc/init.d/mysql` |
++----------------+-----------------------+-----------------------------------------+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote administration | |
++----------------+-----------------------+-----------------------------------------+
+| Postfix | SMTP server for | init script :file:`/etc/init.d/postfix` |
+| | local mail submission | |
++----------------+-----------------------+-----------------------------------------+
+| rsyslog | syslog daemon | init script :file:`/etc/init.d/rsyslog` |
++----------------+-----------------------+-----------------------------------------+
+
+Databases
+---------
+
++--------+-------------+-----------------------------+
+| RDBMS | Name | Used for |
++========+=============+=============================+
+| MySQL | ca_mgr | testmgr |
++--------+-------------+-----------------------------+
+| MySQL | cats_db | CATS test instance |
++--------+-------------+-----------------------------+
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolver at 10.0.0.1 (:doc:`infra02`)
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:CPeGCQX1p4hITy3IbTURQSZUQDBg9gg8I5jgf3m9+hs MD5:16:60:fe:47:49:e3:4a:5e:de:86:ae:be:66:29:b7:1e
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+The testmgr software is a custom PHP application installed in
+/var/www/ca-mgr1.it-sls.de.
+
+The CATS test setup is a custom PHP application installed in
+/var/www/cats1.it-sls.de.
+
+Risk assessments on critical packages
+-------------------------------------
+
+The system uses an unsupported OS version and needs to be updated as soon as
+possible.
+
+Critical Configuration items
+============================
+
+The system uses certificates issued by a test CA.
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: mgr.test.cacert.org
+ :altnames: DNS:mgr.test.cacert.org
+ :certfile: /etc/ssl/certs/mgr_test_cacert_org.crt
+ :keyfile: /etc/ssl/private/mgr_test_cacert_org.pem
+ :serial: 5BAB
+ :expiration: Nov 04 22:07:32 2019 GMT
+ :sha1fp: 92:C4:CE:9F:C1:24:E2:93:52:AC:74:1F:8A:9B:F6:06:65:5F:D7:2E
+ :issuer: CAcert Testserver Class 3
+
+.. sslcert:: cats.test.cacert.org
+ :altnames: DNS:cats.test.cacert.org
+ :certfile: /etc/ssl/certs/cats_test_cacert_org.crt
+ :keyfile: /etc/ssl/private/cats_test_cacert_org.pem
+ :serial: 5BAA
+ :expiration: Nov 04 22:06:48 2019 GMT
+ :sha1fp: 53:EA:FA:7E:C7:6E:F3:74:5E:6F:80:46:24:CD:D1:E9:48:25:8F:8D
+ :issuer: CAcert Testserver Class 3
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+Apache2 configuration
+---------------------
+
+The Apache web server is configured using the usual Debian :file:`/etc/apache2`
+configuration directory. The VirtualHost entries are linked to
+:file:`/etc/apache2/sites-enabled`.
+
+Changes
+=======
+
+Planned
+-------
+
+.. todo:: setup monitoring for testmgr
+
+.. todo:: make testmgr available on default ports via :doc:`proxyin`
+
+.. todo:: setup proper DNS entries for testmgr
+
+.. todo::
+
+ upgrade testmgr to a supported OS version (depends on upgraded CATS and
+ testmgr software)
+
+.. todo:: use Puppet to manage testmgr
+
+System Future
+-------------
+
+The testmgr system should support all test systems/stages. The testmgr
+application should either be rolled out multiple times or should have support
+for multiple test systems. This needs to be discussed in a broader group of
+software development, software assessment and system administration teams.
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
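Review bot: The Operating System index entry `single: Debian GNU/Linux; Wheezy` contradicts the `Debian GNU/Linux 8.10` bullet directly beneath it (Debian 8 is Jessie; Wheezy is Debian 7), so the host will be indexed under the wrong release and the "unsupported OS version" statement in the risk assessment cannot be checked against a single version. The Monitoring section still carries template leftovers, the `.. add links to monitoring checks` stub and the two `:monitor:` roles pointing at template.infra.cacert.org and template.cacert.org, which document checks that do not exist for this host; since the Changes section already has `.. todo:: setup monitoring for testmgr`, dropping the placeholder roles or turning them into that todo would avoid a false sense of coverage. Both `.. sslcert::` entries show an `:expiration:` in November 2019, well before this 2021 commit, so either the certificates were renewed and the serial, fingerprint and expiration fields are stale, or the expired state should be recorded next to the unsupported-OS item under "Risk assessments on critical packages". A short note under Security stating which of the two applies would let the next administrator act on it without re-deriving it from the host.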