Systems
=======

.. toctree::
   :maxdepth: 1

   systems/infra02
   systems/arbitration
   systems/blog
   systems/board
   systems/emailout
   systems/monitor
   systems/webmail

General
-------

.. todo:: consider whether a central MySQL service should be set up

   Many containers contain their own instance of MySQL. It might be a better
   idea to centralize the MySQL setups in a single container.

.. todo:: consider whether a central PostgreSQL service should be set up

.. todo::

   set up a central syslog service and install syslog clients in each container

.. _setup_apt_checking:

.. topic:: Set up package update monitoring for a new container

   For Icinga to be able to check the update status of packages on your server
   you need to install NRPE, a helper service. Install the necessary packages::

      sudo aptitude install nagios-plugins-basic nagios-nrpe-server

   Put :doc:`systems/monitor` on the list of hosts allowed to access the NRPE
   service by adding the following line to :file:`/etc/nagios/nrpe_local.cfg`::

      allowed_hosts=172.16.2.18

   Tell the NRPE service that there is such a thing as the check_apt command by
   creating the file :file:`/etc/nagios/nrpe.d/apt.cfg` with the following
   contents::

      # 'check_apt' command definition
      command[check_apt]=/usr/lib/nagios/plugins/check_apt

      # 'check_apt_distupgrade' command definition
      command[check_apt_distupgrade]=/usr/lib/nagios/plugins/check_apt -d

   Restart the NRPE service::

      sudo service nagios-nrpe-server restart

   Check that everything went well by opening https://monitor.cacert.org/,
   going to the APT service on the host and clicking :guilabel:`"Re-schedule
   the next check of this service"`. Make sure that :guilabel:`"Force Check"`
   is checked and click :guilabel:`"Commit"`. Now you should see a page with a
   green background. If not, something went wrong; please contact the
   :doc:`systems/monitor` administrators with the details.

   That's it, now the package update status should be properly displayed in
   Icinga.

.. todo:: think about replacing nrpe with Icinga2 satellites

Checklist
---------

.. index::
   single: etckeeper
   single: nrpe

* All containers should be monitored by :doc:`systems/monitor` and should
  therefore have :program:`nagios-nrpe-server` installed
* All containers should use :program:`etckeeper` to put their local setup into
  version control. All local setup should use :file:`/etc` to make sure it is
  handled by :program:`etckeeper`
* All infrastructure systems must send their mail via :doc:`systems/emailout`
* All infrastructure systems should have a system-admin@cacert.org alias to
  reach their admins
* The installation of :index:`systemd-sysv` in containers can be blocked by
  putting the following lines in :file:`/etc/apt/preferences.d/systemd-sysv`::

     Package: systemd-sysv
     Pin: release a=stable
     Pin-Priority: -1

.. todo:: document how to set up the system-admin alias on the email system
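
The NRPE settings from the package update monitoring topic and the systemd-sysv pin from the checklist can be verified on a container with a small audit script. This is an added example, not part of the CAcert infrastructure repository; the function names, the script name and the root-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a container root for the settings documented above.
# Usage (assumed script name): sh audit-container.sh /path/to/rootfs   (or /)
MONITOR_IP="172.16.2.18"   # allowed_hosts value from the monitoring topic

check_allowed_hosts() {
    cfg="$1/etc/nagios/nrpe_local.cfg"
    # Gather every host from all uncommented allowed_hosts lines, one per line.
    hosts=$(sed -n 's/^[[:space:]]*allowed_hosts[[:space:]]*=//p' "$cfg" 2>/dev/null |
            tr ',' '\n' | tr -d ' \t' | sed '/^$/d')
    [ -n "$hosts" ] || { echo "FAIL: no allowed_hosts in $cfg"; return 1; }
    rc=0
    echo "$hosts" | grep -qxF "$MONITOR_IP" ||
        { echo "FAIL: $MONITOR_IP is not in allowed_hosts"; rc=1; }
    # Anything besides the monitor widens NRPE access beyond what is documented.
    extra=$(echo "$hosts" | grep -vxF "$MONITOR_IP" || true)
    [ -z "$extra" ] || { echo "FAIL: extra allowed_hosts:" $extra; rc=1; }
    return $rc
}

check_apt_commands() {
    cfg="$1/etc/nagios/nrpe.d/apt.cfg"
    rc=0
    # Both command definitions must match the documented lines exactly.
    for line in \
        'command[check_apt]=/usr/lib/nagios/plugins/check_apt' \
        'command[check_apt_distupgrade]=/usr/lib/nagios/plugins/check_apt -d'
    do
        grep -qxF "$line" "$cfg" 2>/dev/null ||
            { echo "FAIL: '$line' not found in $cfg"; rc=1; }
    done
    return $rc
}

check_systemd_pin() {
    pin="$1/etc/apt/preferences.d/systemd-sysv"
    grep -qxF 'Package: systemd-sysv' "$pin" 2>/dev/null &&
    grep -qxF 'Pin-Priority: -1' "$pin" 2>/dev/null ||
        { echo "FAIL: systemd-sysv pin missing or incomplete in $pin"; return 1; }
}

audit_container() {
    root="${1%/}"; status=0
    check_allowed_hosts "$root" || status=1
    check_apt_commands "$root" || status=1
    check_systemd_pin "$root" || status=1
    [ "$status" -eq 0 ] && echo "OK: $root/ matches the documented settings"
    return $status
}

if [ "$#" -gt 0 ]; then audit_container "$1"; fi
```

The script only reads files, so it can be pointed at a container's root filesystem from the host; it does not check etckeeper or the mail settings from the checklist.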