====================
Non-Critical Systems
====================

Non-critical systems are those that are managed by the infrastructure
administrator team.

.. toctree::
   :maxdepth: 1

   systems/infra02
   systems/blog
   systems/board
   systems/bugs
   systems/cats
   systems/email
   systems/emailout
   systems/git
   systems/ircserver
   systems/issue
   systems/lists
   systems/jenkins
   systems/monitor
   systems/puppet
   systems/proxyin
   systems/proxyout
   systems/svn
   systems/translations
   systems/web
   systems/webmail
   systems/webstatic


General
=======

.. todo:: consider whether a central MySQL service should be set up

   Many containers contain their own instance of MySQL. It might be a better
   idea to centralize the MySQL setups in a single container.

.. todo:: consider whether a central PostgreSQL service should be set up

.. todo::

   set up a central syslog service and install syslog clients in each container

.. _setup_apt_checking:

.. topic:: Set up package update monitoring for a new container

   For Icinga to be able to check the update status of packages on your server
   you need to install NRPE, a helper service. Install the necessary packages::

      sudo aptitude install nagios-plugins-basic nagios-nrpe-server

   Put :doc:`systems/monitor` on the list of allowed hosts to access the NRPE
   service by adding the following line to :file:`/etc/nagios/nrpe_local.cfg`::

      allowed_hosts=172.16.2.18

   Tell the NRPE service that there is such a thing as the check_apt command by
   creating the file :file:`/etc/nagios/nrpe.d/apt.cfg` with the following
   contents::

      # 'check_apt' command definition
      command[check_apt]=/usr/lib/nagios/plugins/check_apt

      # 'check_apt_distupgrade' command definition
      command[check_apt_distupgrade]=/usr/lib/nagios/plugins/check_apt -d

   Restart the NRPE service::

      sudo service nagios-nrpe-server restart

   Check that everything went well by going to https://monitor.cacert.org/,
   going to the APT service on the host and clicking :guilabel:`"Re-schedule
   the next check of this service"`. Make sure that :guilabel:`"Force Check"`
   is checked and click :guilabel:`"Commit"`. Now you should see a page with a
   green background. If not, something went wrong; please contact the
   :doc:`systems/monitor` administrators with the details.

   That's it, now the package update status should be properly displayed in
   Icinga.
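
The following script is an added example, not part of the CAcert
infrastructure documentation: it audits the files written in the steps above,
checking that ``allowed_hosts`` lists only the monitor address and that both
``check_apt`` commands are defined as documented. The ``ROOT`` prefix argument,
the function names, the tolerance for loopback addresses and the sample tree
are assumptions made for the example.

```shell
#!/bin/sh
MONITOR_IP=172.16.2.18                    # monitor address from the page
PLUGIN=/usr/lib/nagios/plugins/check_apt  # plugin path from the page

# Print each host on the last allowed_hosts line of FILE, one per line.
allowed_hosts() {
    sed -n 's/^[[:space:]]*allowed_hosts[[:space:]]*=//p' "$1" 2>/dev/null |
        tail -n 1 | tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# True if FILE ($1) defines command[NAME] ($2) as check_apt with ARGS ($3).
has_command() {
    want="command[$2]=$PLUGIN${3:+ $3}"
    sed 's/[[:space:]]*$//' "$1" 2>/dev/null | grep -Fxq -- "$want"
}

# audit_nrpe ROOT: ROOT is a hypothetical prefix ("" for the live system).
# Prints one line per finding; returns 0 only if every check passes.
audit_nrpe() {
    root=$1; rc=0
    hosts=$(allowed_hosts "$root/etc/nagios/nrpe_local.cfg")
    if ! printf '%s\n' "$hosts" | grep -Fxq -- "$MONITOR_IP"; then
        echo "FAIL allowed_hosts does not list $MONITOR_IP"; rc=1
    fi
    # Any other address widens who may query NRPE; loopback is tolerated.
    for h in $hosts; do
        case $h in
            "$MONITOR_IP"|127.0.0.1|::1) ;;
            *) echo "FAIL unexpected allowed host: $h"; rc=1 ;;
        esac
    done
    apt_cfg=$root/etc/nagios/nrpe.d/apt.cfg
    has_command "$apt_cfg" check_apt || { echo "FAIL check_apt not defined"; rc=1; }
    has_command "$apt_cfg" check_apt_distupgrade -d ||
        { echo "FAIL check_apt_distupgrade not defined"; rc=1; }
    return $rc
}

# Constructed sample tree (not from a real host): make_sample DIR ALLOWED_HOSTS
make_sample() {
    mkdir -p "$1/etc/nagios/nrpe.d"
    printf 'allowed_hosts=%s\n' "$2" > "$1/etc/nagios/nrpe_local.cfg"
    printf 'command[check_apt]=%s\ncommand[check_apt_distupgrade]=%s -d\n' \
        "$PLUGIN" "$PLUGIN" > "$1/etc/nagios/nrpe.d/apt.cfg"
}
sample=$(mktemp -d)
make_sample "$sample" "$MONITOR_IP"
audit_nrpe "$sample" && echo "OK sample tree matches the documented setup"
rm -rf "$sample"
```

On a container, ``audit_nrpe ""`` runs the same checks against the live
:file:`/etc/nagios` files.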

.. todo:: think about replacing nrpe with Icinga2 satellites

Checklist
=========

.. index::
   single: etckeeper
   single: nrpe

* All containers should be monitored by :doc:`systems/monitor` and should
  therefore have :program:`nagios-nrpe-server` installed
* All containers should use :program:`etckeeper` to put their local setup into
  version control. All local setup should use :file:`/etc` to make sure it is
  handled by :program:`etckeeper`
* All infrastructure systems must send their mail via :doc:`systems/emailout`
* All infrastructure systems should have a system-admin@cacert.org alias to
  reach their admins
* The installation of :index:`systemd-sysv` in containers can be blocked by
  putting the following lines in :file:`/etc/apt/preferences.d/systemd-sysv`::

     Package: systemd-sysv
     Pin: release a=stable
     Pin-Priority: -1

.. todo:: document how to set up the system-admin alias on the email system