Add description of how to set up apt update monitoring
[cacert-infradocs.git] / docs / systems / infra02.rst
.. index::
   single: Systems; Infra02

=======
Infra02
=======

Purpose
=======

The infrastructure host system Infra02 is a dedicated physical machine for the
CAcert infrastructure.

.. index::
   single: Ferm

Infra02 is the host system for all infrastructure :term:`containers
<container>`. The containers are set up using the Linux kernel's :term:`LXC`
system. The firewall for the infrastructure is maintained on this machine using
Ferm_.

.. _Ferm: http://ferm.foo-projects.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: :ref:`people_mario`

Contact
-------

* infrastructure-admin@cacert.org

Additional People
-----------------

:ref:`people_wytze` and :ref:`people_mendel` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

The machine is located in a server rack at BIT B.V. in the Netherlands.

Physical Configuration
----------------------

The machine has been sponsored by `Thomas Krenn`_ and has the following hardware
parameters:

:Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
:RAM: 16 GiB ECC
:Disks: 2 x 1 TB WDC WD1003FBYX-01Y7B1
:NIC:

   * eth0 Intel Corporation 82579LM Gigabit Network Connection
   * eth1 Intel Corporation 82574L Gigabit Network Connection

There is a 2 TB USB backup disk attached to the system.

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/EquipmentList

.. _Thomas Krenn: https://www.thomas-krenn.com/

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.230`
:IP Intranet: :ip:v4:`172.16.2.10`
:IP internal: :ip:v4:`10.0.0.1`
:IPv6: :ip:v6:`2001:7b8:616:162:1::10`
:IPv6 on br0: :ip:v6:`2001:7b8:616:162:2::10`
:MAC address:

   * :mac:`00:25:90:a9:66:e9` (eth0)
   * :mac:`fe:0e:ee:75:a3:a5` (br0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Infra02

========================== ======== ====================================================================
Name                       Type     Content
========================== ======== ====================================================================
infrastructure.cacert.org. IN A     213.154.225.230
infrastructure.cacert.org. IN SSHFP 1 1 5A82D3C150AF002C05784F73250A067053AEED63
infrastructure.cacert.org. IN SSHFP 1 2 63B0D74A3F1CE61865A5EB0497EF05243BC4067EC983C69AB8E62F3CB940CC82
infrastructure.cacert.org. IN SSHFP 2 1 AF8D8E3386EAA72997709632ADF2B457E6FEF0DC
infrastructure.cacert.org. IN SSHFP 2 2 3A0188FC47D1FDD14D70A2FB78F51792D06BA11EAE6AB16E73CB7BB8DD6A0DC8
infrastructure.cacert.org. IN SSHFP 3 1 3E1B9EBF85B726CF831C76ECB8C17786AEDF40E8
infrastructure.cacert.org. IN SSHFP 3 2 3AE7F0035C2172977E99BFE312C7A8299650DEA16A975EA13EECE8FDA426062A
infra02.intra.cacert.org.  IN A     172.16.2.10
========================== ======== ====================================================================

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.10

* Debian GNU/Linux 7.10

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 123/udp  | ntp       | ANY       | network time protocol for host,         |
|          |           |           | listening on the Internet IPv6 and IPv4 |
|          |           |           | addresses                               |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+
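The table above is also the baseline an administrator can audit the running host against. The following check is an added example written for this page, not part of the CAcert infrastructure tooling: it parses listening sockets in the format printed by ``ss -lntu`` (the sample output embedded below is constructed, not taken from Infra02), compares them with the documented table, and reports sockets that are not documented or that are documented as ``local`` but bound to a non-loopback address. The ``DOCUMENTED`` mapping is transcribed from the table; everything else is assumed for the example.

```python
"""Audit a host's listening sockets against a documented listener table.

Added example for this page; not part of the CAcert infrastructure docs or
tooling. The sample `ss` output is constructed for the example.
"""
from __future__ import annotations

# Documented listeners, transcribed from the "Listening services" table:
# (protocol, port) -> documented origin.
DOCUMENTED = {
    ("tcp", 22): "ANY",
    ("tcp", 25): "local",
    ("udp", 123): "ANY",
    ("tcp", 5666): "monitor",
}

# Constructed sample in the column layout of `ss -lntu` without its header:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:5666      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*
udp   UNCONN 0      0              [::]:123          [::]:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
"""


def parse_ss(output: str) -> list[tuple[str, str, int]]:
    """Return (proto, bind_address, port) for each socket line of `ss` output.

    A header line, blank lines and sockets without a numeric port are skipped,
    so both `ss -lntu` and `ss -Hlntu` output can be fed in unchanged."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or ":" not in fields[4]:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)  # "[::]:22" -> ("[::]", "22")
        if not port.isdigit():
            continue
        sockets.append((proto, addr, int(port)))
    return sockets


def is_loopback(addr: str) -> bool:
    """Loopback binds are not reachable from the network and are not findings."""
    return addr.startswith("127.") or addr == "[::1]"


def audit_listeners(output: str, documented: dict[tuple[str, int], str]) -> list[str]:
    """Findings: undocumented sockets reachable beyond loopback, and services
    documented with origin 'local' that are bound to a non-loopback address."""
    findings = set()
    for proto, addr, port in parse_ss(output):
        origin = documented.get((proto, port))
        if origin is None:
            if not is_loopback(addr):
                findings.add(f"undocumented listener {proto}/{port} on {addr}")
        elif origin == "local" and not is_loopback(addr):
            findings.add(f"{proto}/{port} documented as local but bound to {addr}")
    return sorted(findings)


if __name__ == "__main__":
    # On a real host replace SAMPLE_SS with the output of `ss -lntu`.
    for finding in audit_listeners(SAMPLE_SS, DOCUMENTED):
        print(finding)
```

Only the 8080/tcp socket in the sample is reported: the loopback-only 323/udp socket is invisible from the network, and 5666/tcp is documented, its source restriction to the monitoring host being a firewall matter rather than a bind-address one.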

Running services
----------------

.. index::
   single: openssh
   single: cron
   single: rsyslog
   single: ntpd
   single: Postfix
   single: nrpe

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| ntpd               | time server        | init script :file:`/etc/init.d/ntp`    |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

.. Running Guests
   --------------

.. some directive to list guests here

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`emailout`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* all traffic of non-critical infrastructure systems

Security
========

SSH host keys
-------------

.. index::
   single: SSH host keys; Infra02

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c`` |
+-----------+-----------------------------------------------------+
| DSA       | ``b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5`` |
+-----------+-----------------------------------------------------+
| ECDSA     | ``79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0`` |
+-----------+-----------------------------------------------------+
| ED25519   | ``25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4`` |
+-----------+-----------------------------------------------------+

.. seealso::

   See :doc:`../sshkeys`
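The SSHFP records in the DNS table and the fingerprints in the host key table are derived from the same data: an SSHFP record carries the SHA-1 (type 1) or SHA-256 (type 2) hash of the base64-decoded public key blob, and the colon-separated fingerprints above are the MD5 hash of that same blob. The DNS table publishes records for algorithms 1 (RSA), 2 (DSA) and 3 (ECDSA). The following added example (written for this page, not CAcert code) computes all three from a public key line as printed by :program:`ssh-keyscan` and checks it against published records, so an administrator can confirm that DNS, this page and the running host agree. The key line in it is a constructed stub consisting only of an RSA key-type header, so its hashes are not those of any real host; the record name used in the demo output is likewise a placeholder.

```python
"""Derive SSHFP records and the MD5 fingerprint of an OpenSSH host key and
check them against records published in DNS.

Added example for this page; not CAcert code. The key line used below is a
constructed stub, not a real host key.
"""
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class Sshfp:
    algorithm: int
    fptype: int
    fingerprint: str  # lowercase hex

    def rdata(self) -> str:
        """Record data as written in a zone file, e.g. '1 2 3A01...'."""
        return f"{self.algorithm} {self.fptype} {self.fingerprint.upper()}"


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Find the '<keytype> <base64 blob>' pair in a public key line.

    Works for authorized_keys/*.pub lines ('ssh-rsa AAAA... comment') and for
    ssh-keyscan/known_hosts lines that carry a leading host name."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in SSHFP_ALGORITHM:
            return field, base64.b64decode(fields[i + 1], validate=True)
    raise ValueError("no supported '<keytype> <base64 blob>' pair found")


def sshfp_fingerprint(blob: bytes, fptype: int) -> str:
    """Hex digest of the key blob with the hash selected by the SSHFP type."""
    return SSHFP_HASH[fptype](blob).hexdigest()


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format of the host key table."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sshfp_records(line: str) -> list[Sshfp]:
    """Both SSHFP records (SHA-1 and SHA-256) for one public key line."""
    keytype, blob = parse_pubkey_line(line)
    algo = SSHFP_ALGORITHM[keytype]
    return [Sshfp(algo, fptype, sshfp_fingerprint(blob, fptype)) for fptype in (1, 2)]


def parse_sshfp_rdata(text: str) -> Sshfp:
    """Accept '1 2 HEX' or a full 'name IN SSHFP 1 2 HEX' zone line."""
    algo, fptype, hexfp = text.split()[-3:]
    return Sshfp(int(algo), int(fptype), hexfp.lower())


def verify_host_key(line: str, published: list[str], require_sha256: bool = True) -> bool:
    """True if a published SSHFP record matches the key. With require_sha256 a
    match on the SHA-1 record alone is rejected, since SHA-1 is no longer
    collision resistant."""
    computed = set(sshfp_records(line))
    matches = computed & {parse_sshfp_rdata(r) for r in published}
    if not matches:
        return False
    return any(m.fptype == 2 for m in matches) or not require_sha256


if __name__ == "__main__":
    # Constructed stub: base64 of the 'ssh-rsa' key-type header only.
    KEY_LINE = "ssh-rsa AAAAB3NzaC1yc2E= constructed-example"
    _, blob = parse_pubkey_line(KEY_LINE)
    print("MD5 fingerprint:", md5_fingerprint(blob))
    for rec in sshfp_records(KEY_LINE):
        print("host.example. IN SSHFP", rec.rdata())  # placeholder owner name
    print("verified:", verify_host_key(KEY_LINE, [r.rdata() for r in sshfp_records(KEY_LINE)]))
```

On a real host, feed the output of ``ssh-keyscan -t rsa,dsa,ecdsa,ed25519 <host>`` line by line into ``sshfp_records`` and ``md5_fingerprint`` and compare the results with the two tables; ``dig +short SSHFP <host>`` supplies the published records for ``verify_host_key``.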

Dedicated user roles
--------------------

* None

Non-distribution packages and modifications
-------------------------------------------

* None

Risk assessments and critical packages
--------------------------------------

The system is the basis for all other infrastructure systems. Access to this
system has to be tightly controlled.

Tasks
=====

.. todo:: find out why the system logs are messed up
.. todo:: upgrade to Debian Jessie
.. todo:: document whether it is safe to reboot this system
.. todo:: document how to set up a new container
.. todo:: document how to set up firewall rules/forwarding
.. todo:: document how the backup system works
.. todo:: add DNS setup for IPv6 address

Planned
-------

* None

Changes
=======

System Future
-------------

* No plans

Critical Configuration items
============================

.. index:: Ferm

Ferm firewall configuration
---------------------------

The `Ferm`_ based firewall setup is located in :file:`/etc/ferm` and its
subdirectories.

Container configuration
-----------------------

The container configuration is contained in files named
:file:`/var/lib/lxc/<container>/config`.

The root filesystems of the containers are stored on :term:`LVM` volumes that
are mounted in :file:`/var/lib/lxc/<container>/rootfs` for each container.

Additional documentation
========================

.. seealso::

   * https://wiki.cacert.org/PostfixConfiguration