Add more info for infra02

=======
Infra02
=======

Purpose
=======

The infrastructure host system Infra02 is a dedicated machine for the CAcert
infrastructure.

Infra02 is the host system for all infrastructure containers. The containers
are set up using the Linux kernel's LXC_ system. The firewall for infrastructure
is maintained on this machine using Ferm_.

.. _LXC: https://linuxcontainers.org/
.. _Ferm: http://ferm.foo-projects.org/

Basics
======

Physical Location
-----------------

The machine is located in a server rack at BIT B.V. in the Netherlands.

Physical Configuration
----------------------

The machine has been sponsored by Thomas Krenn and has the following hardware
parameters:

:Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
:RAM: 16 GiB ECC
:Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1
:NIC:

  * eth0 Intel Corporation 82579LM Gigabit Network Connection
  * eth1 Intel Corporation 82574L Gigabit Network Connection

There is a 2 TB USB backup disk attached to the system.

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/EquipmentList

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.230`
:IP Intranet: :ip:v4:`172.16.2.10`
:IP internal: :ip:v4:`10.0.0.1`
:IPv6: :ip:v6:`2001:7b8:616:162:1::10`
:IPv6 on br0: :ip:v6:`2001:7b8:616:162:2::10`
:MAC address:

  * :mac:`00:25:90:a9:66:e9` (eth0)
  * :mac:`fe:0e:ee:75:a3:a5` (br0)

.. seealso::

   :doc:`network`.

DNS
---

* infrastructure.cacert.org. IN A 213.154.225.230
* infrastructure.cacert.org. IN SSHFP 1 1 5A82D3C150AF002C05784F73250A067053AEED63
* infrastructure.cacert.org. IN SSHFP 1 2 63B0D74A3F1CE61865A5EB0497EF05243BC4067EC983C69AB8E62F3CB940CC82
* infrastructure.cacert.org. IN SSHFP 2 1 AF8D8E3386EAA72997709632ADF2B457E6FEF0DC
* infrastructure.cacert.org. IN SSHFP 2 2 3A0188FC47D1FDD14D70A2FB78F51792D06BA11EAE6AB16E73CB7BB8DD6A0DC8
* infrastructure.cacert.org. IN SSHFP 3 1 3E1B9EBF85B726CF831C76ECB8C17786AEDF40E8
* infrastructure.cacert.org. IN SSHFP 3 2 3AE7F0035C2172977E99BFE312C7A8299650DEA16A975EA13EECE8FDA426062A
* infra02.intra.cacert.org. IN A 172.16.2.10

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

* Debian GNU/Linux 7.10

Applicable Documentation
------------------------

This is it :-)

Administration
==============

System Administration
---------------------

* Primary: `Jan Dittberner`_
* Secondary: `Mario Lipinski`_

.. _Jan Dittberner: jandd@cacert.org
.. _Mario Lipinski: mario@cacert.org

Contact
-------

* infrastructure-admin@cacert.org

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 123/udp  | ntp       | ANY       | network time protocol for host,         |
|          |           |           | listening on the Internet IPv6 and IPv4 |
|          |           |           | addresses                               |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| ntpd               | time server        | init script :file:`/etc/init.d/ntp`    |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

.. Running Guests
   --------------

.. some directive to list guests here

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`emailout`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates

Security
========

SSH host keys
-------------

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c`` |
+-----------+-----------------------------------------------------+
| DSA       | ``b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5`` |
+-----------+-----------------------------------------------------+
| ECDSA     | ``79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0`` |
+-----------+-----------------------------------------------------+
| ED25519   | ``25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4`` |
+-----------+-----------------------------------------------------+

.. seealso::

   See :doc:`sshkeys`
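Added example, not part of the CAcert documentation: a Python check that recomputes SSHFP digests from a host public key and compares them with published records of the kind listed in the DNS section, so that a stale or altered record shows up as a mismatch. The key line and the ``host.example.`` records are constructed for the demonstration; on a real host the input would be a line from ``/etc/ssh/ssh_host_*_key.pub``.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by SSH key type.
ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
             "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
             "ecdsa-sha2-nistp521": 3}
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}  # SSHFP fingerprint types

def ssh_string(data):
    """SSH wire encoding of a byte string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def constructed_rsa_key_line():
    """Made-up ssh-rsa public key line (not a real host key) for the demo."""
    modulus = b"\x00" + bytes(range(255, 0, -1)) + b"\x01"
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-demo-key"

def expected_sshfp(pubkey_line):
    """Return {(algorithm, fp_type): HEX} computed from one public key line."""
    prefix, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + name_len].decode("ascii")
    if key_type != prefix:
        raise ValueError("key type inside blob differs from line prefix")
    alg = ALGORITHM[key_type]
    return {(alg, t): h(blob).hexdigest().upper() for t, h in DIGEST.items()}

def check_records(pubkey_line, zone_lines):
    """Map each published SSHFP (alg, fp_type) to match/MISMATCH/other-key."""
    want = expected_sshfp(pubkey_line)
    verdict = {}
    for line in zone_lines:
        f = line.split()
        i = f.index("SSHFP")
        key, digest = (int(f[i + 1]), int(f[i + 2])), "".join(f[i + 3:]).upper()
        # "other-key": the record is for another key algorithm or digest type.
        verdict[key] = ("other-key" if key not in want else
                        "match" if want[key] == digest else "MISMATCH")
    return verdict

if __name__ == "__main__":
    key = constructed_rsa_key_line()
    zone = ["host.example. IN SSHFP 1 2 " + expected_sshfp(key)[(1, 2)],
            "host.example. IN SSHFP 3 2 " + "AB" * 32]  # constructed records
    print(check_records(key, zone))
```

Running ``ssh-keygen -r <hostname>`` on the host prints records in the same format, which gives an independent cross-check of the digests.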