93d934c6883f51908a4464282fbfe3a1dde8fab2
[cacert-infradocs.git] / docs / systems / infra02.rst
.. index::
   single: Systems; Infra02

=======
Infra02
=======

Purpose
=======

The infrastructure host system Infra02 is a dedicated physical machine for the
CAcert infrastructure.

.. index::
   single: Ferm

Infra02 is the host system for all infrastructure :term:`containers
<container>`. The containers are set up using the Linux kernel's :term:`LXC`
system. The firewall for the infrastructure is maintained on this machine using
Ferm_. The machine provides a DNS resolver based on dnsmasq_ and answers queries
for the internal zone infra.cacert.org.

.. _Ferm: http://ferm.foo-projects.org/
.. _dnsmasq: http://www.thekelleys.org.uk/dnsmasq/doc.html
25
Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: :ref:`people_mario`

Contact
-------

* infrastructure-admin@cacert.org

Additional People
-----------------

:ref:`people_wytze` and :ref:`people_mendel` have :program:`sudo` access on that
machine too.
45
Basics
======

Physical Location
-----------------

The machine is located in a server rack at BIT B.V. in the Netherlands.

Physical Configuration
----------------------

The machine has been sponsored by `Thomas Krenn`_ and has the following hardware
parameters:

:Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz (4 Cores, 8 Threads)
:RAM: 16 GiB ECC
:Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1
:NIC:

   * eth0 Intel Corporation 82579LM Gigabit Network Connection
   * eth1 Intel Corporation 82574L Gigabit Network Connection

There is a 2 TB USB WDC WD20EARS-00MVWB0 backup disk attached to the system.

.. seealso::

   See :wiki:`SystemAdministration/EquipmentList`

.. _Thomas Krenn: https://www.thomas-krenn.com/

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.230`
:IP Intranet: :ip:v4:`172.16.2.10`
:IP internal: :ip:v4:`10.0.0.1`
:IPv6: :ip:v6:`2001:7b8:616:162:1::10`
:IPv6 on br0: :ip:v6:`2001:7b8:616:162:2::10`
:MAC address:

   * :mac:`00:25:90:a9:66:e9` (eth0)
   * :mac:`fe:0e:ee:75:a3:a5` (br0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Infra02

Monitoring
----------

:internal checks: :monitor:`infra02.infra.cacert.org`
:external checks: :monitor:`infra02.cacert.org`

Remote Console
--------------

This system can be managed through a remote console, which can be especially
important during system upgrades and reboots.

The hardware is equipped with a BMC (baseboard management controller) that
supports the Intelligent Platform Management Interface (IPMI).

Due to the security design of the CAcert intranet, the network interface of this
BMC is not connected to the publicly reachable part of the CAcert intranet, but
to the management part, and is thus only reachable by members of the critical
system administrator team.

So the following instructions only apply to them.

The BMC interface can be reached from your local admin machine through the
CAcert hopper by setting up the following SSH port forwarding:

.. code:: bash

   IPMIHOST=infra02ilo.intra.cacert.org
   LOCALPORT=8082
   HTTPSPORT=443
   IKVMPORT=5900
   # forward the BMC web UI and the iKVM port through the hopper
   ssh -f -N -L ${LOCALPORT}:${IPMIHOST}:${HTTPSPORT} \
       -L ${IKVMPORT}:${IPMIHOST}:${IKVMPORT} hopper

and then browsing to the web UI:

.. code:: bash

   firefox https://127.0.0.1:${LOCALPORT}/

To use the remote console facility, first install Oracle Java JRE 8.0_211 on
your admin machine. Then download the launch.jnlp script offered by the web UI
and save it in $HOME. Then use the following script, "console", to execute it:

.. code:: bash

   #! /bin/bash
   # console - run remote console for CAcert infra02 with Oracle Java environment

   export JAVADIR=/opt/java/jre1.8.0_211/bin
   export JAVA=${JAVADIR}/java
   export JAVAWS=${JAVADIR}/javaws

   LAUNCH=${HOME}/launch.jnlp

   if [ -f "${LAUNCH}" ]
   then
       echo "Do not forget to use setupcon if the console keyboard mapping is lame" 1>&2
       # the JNLP refers to the BMC's port 443; point it at the locally forwarded port
       sed -i -e 's/443/8082/' "${LAUNCH}"
       exec ${JAVAWS} "${LAUNCH}"
   else
       echo "$0: cannot read ${LAUNCH}" 1>&2
       exit 1
   fi
160
DNS
---

.. index::
   single: DNS records; Infra02

========================== ======== ====================================================================
Name                       Type     Content
========================== ======== ====================================================================
infrastructure.cacert.org. IN A     213.154.225.230
infrastructure.cacert.org. IN SSHFP 1 1 5A82D3C150AF002C05784F73250A067053AEED63
infrastructure.cacert.org. IN SSHFP 1 2 63B0D74A3F1CE61865A5EB0497EF05243BC4067EC983C69AB8E62F3CB940CC82
infrastructure.cacert.org. IN SSHFP 2 1 AF8D8E3386EAA72997709632ADF2B457E6FEF0DC
infrastructure.cacert.org. IN SSHFP 2 2 3A0188FC47D1FDD14D70A2FB78F51792D06BA11EAE6AB16E73CB7BB8DD6A0DC8
infrastructure.cacert.org. IN SSHFP 3 1 3E1B9EBF85B726CF831C76ECB8C17786AEDF40E8
infrastructure.cacert.org. IN SSHFP 3 2 3AE7F0035C2172977E99BFE312C7A8299650DEA16A975EA13EECE8FDA426062A
infra02.intra.cacert.org.  IN A     172.16.2.10
========================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Buster
   single: Debian GNU/Linux; 10.0

* Debian GNU/Linux 10.0

Applicable Documentation
------------------------

This is it :-)
197
Services
========

Listening services
------------------

+----------+---------+----------+-----------------------------------------+
| Port     | Service | Origin   | Purpose                                 |
+==========+=========+==========+=========================================+
| 22/tcp   | ssh     | ANY      | admin console access                    |
+----------+---------+----------+-----------------------------------------+
| 25/tcp   | smtp    | local    | mail delivery to local MTA              |
+----------+---------+----------+-----------------------------------------+
| 53/tcp   | dns     | internal | DNS resolver for infra.cacert.org       |
| 53/udp   |         |          |                                         |
+----------+---------+----------+-----------------------------------------+
| 123/udp  | ntp     | ANY      | network time protocol for host,         |
|          |         |          | listening on the Internet IPv6 and IPv4 |
|          |         |          | addresses                               |
+----------+---------+----------+-----------------------------------------+
| 5666/tcp | nrpe    | monitor  | remote monitoring service               |
+----------+---------+----------+-----------------------------------------+

Running services
----------------

.. index::
   single: acpid
   single: atop
   single: atopacctd
   single: cron
   single: dbus
   single: dnsmasq
   single: lxc
   single: mdadm
   single: nrpe
   single: ntpd
   single: openssh
   single: postfix
   single: radvd
   single: rsyslog
   single: smartd

+--------------------+----------------------+---------------------------------------------+
| Service            | Usage                | Start mechanism                             |
+====================+======================+=============================================+
| acpid              | ACPI daemon          | systemd unit ``acpid.service``              |
+--------------------+----------------------+---------------------------------------------+
| atop               | Advanced system      | systemd unit ``atop.service``               |
|                    | and process monitor  |                                             |
+--------------------+----------------------+---------------------------------------------+
| atopacctd          | Advanced system      | systemd unit ``atopacct.service``           |
|                    | and process monitor  |                                             |
|                    | accounting daemon    |                                             |
+--------------------+----------------------+---------------------------------------------+
| cron               | job scheduler        | systemd unit ``cron.service``               |
+--------------------+----------------------+---------------------------------------------+
| dbus-daemon        | System message bus   | systemd unit ``dbus.service``               |
|                    | daemon               |                                             |
+--------------------+----------------------+---------------------------------------------+
| dnsmasq            | DNS resolver         | systemd unit ``dnsmasq.service``            |
+--------------------+----------------------+---------------------------------------------+
| LXC                | Service for LXC      | systemd unit ``lxc.service``                |
|                    | container management |                                             |
+--------------------+----------------------+---------------------------------------------+
| mdadm              | RAID monitoring      | systemd unit ``mdmonitor.service``          |
+--------------------+----------------------+---------------------------------------------+
| Nagios NRPE server | remote monitoring    | systemd unit ``nagios-nrpe-server.service`` |
|                    | service queried by   |                                             |
|                    | :doc:`monitor`       |                                             |
+--------------------+----------------------+---------------------------------------------+
| ntpd               | time server          | systemd unit ``ntp.service``                |
+--------------------+----------------------+---------------------------------------------+
| openssh server     | ssh daemon for       | systemd unit ``ssh.service``                |
|                    | remote               |                                             |
|                    | administration       |                                             |
+--------------------+----------------------+---------------------------------------------+
| postfix            | SMTP server for      | systemd unit ``postfix.service``            |
|                    | local mail           |                                             |
|                    | submission, ...      |                                             |
+--------------------+----------------------+---------------------------------------------+
| radvd              | IPv6 route           | systemd unit ``radvd.service``              |
|                    | advertisement        |                                             |
+--------------------+----------------------+---------------------------------------------+
| rsyslog            | syslog daemon        | systemd unit ``rsyslog.service``            |
+--------------------+----------------------+---------------------------------------------+
| smartd             | S.M.A.R.T. HDD       | systemd unit ``smartd.service``             |
|                    | monitoring           |                                             |
+--------------------+----------------------+---------------------------------------------+

.. Running Guests
   --------------

   .. some directive to list guests here
292
Connected Systems
-----------------

* :doc:`monitor`
* :doc:`emailout`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* all traffic of non-critical infrastructure systems
307
Security
========

.. sshkeys::
   :RSA: SHA256:Y7DXSj8c5hhlpesEl+8FJDvEBn7Jg8aauOYvPLlAzII MD5:86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c
   :DSA: SHA256:OgGI/EfR/dFNcKL7ePUXktBroR6uarFuc8t7uN1qDcg MD5:b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5
   :ECDSA: SHA256:OufwA1whcpd+mb/jEseoKZZQ3qFql16hPuzo/aQmBio MD5:79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0
   :ED25519: SHA256:eXWoP7L/A25p/YW3vmj+4NFy2lEEVcRaLnNhcelBar8 MD5:25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4
316
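The SSHFP records in the DNS section and the ``SHA256:`` fingerprints listed here are the same host-key digests in two encodings: hex over the raw key blob in DNS, base64 as printed by ``ssh-keygen -l``. The following Python is an added example, not code from the CAcert infradocs; it derives both forms from an OpenSSH public key line and checks a published record against a key, using a constructed dummy ed25519 key blob rather than infra02's real host key.

```python
# Added example (not from cacert-infradocs): SSHFP rdata and ssh-keygen style
# SHA256 fingerprints derived from one OpenSSH public key line.
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256, both over the raw key blob
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_pubkey_line(line):
    """Return (key type, raw key blob) from an authorized_keys style line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])  # blob begins with the key type string
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match the line")
    return keytype, blob

def sshfp_records(owner, line):
    """SSHFP rdata (SHA-1 and SHA-256 variants) a zone would carry for the key."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[keytype]
    return [f"{owner} IN SSHFP {alg} {fptype} {h(blob).hexdigest().upper()}"
            for fptype, h in SSHFP_HASH.items()]

def sha256_fingerprint(line):
    """The 'SHA256:<base64>' form ssh-keygen -l prints (padding stripped)."""
    _, blob = parse_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_to_hex(fingerprint):
    """Re-encode a 'SHA256:<base64>' fingerprint as the hex of an SSHFP type 2."""
    b64 = fingerprint.split(":", 1)[1]
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).hex().upper()

def sshfp_matches(rdata, line):
    """Check 'alg fptype HEX' rdata as published in DNS against a key line."""
    keytype, blob = parse_pubkey_line(line)
    alg, fptype, fp = rdata.split()
    if int(alg) != SSHFP_ALGORITHM[keytype]:
        return False
    return SSHFP_HASH[int(fptype)](blob).hexdigest().upper() == fp.upper()

# Constructed dummy ed25519 key (32 predictable bytes), NOT infra02's real key.
DUMMY_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
              + struct.pack(">I", 32) + bytes(range(32)))
DUMMY_LINE = "ssh-ed25519 " + base64.b64encode(DUMMY_BLOB).decode() + " dummy"
```

On the host itself ``ssh-keygen -r <owner> -f <host key .pub file>`` prints the same rdata from the real keys, which is the reference to compare against before a DNS change.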
Dedicated user roles
--------------------

* None

Non-distribution packages and modifications
-------------------------------------------

* None

Risk assessments and critical packages
--------------------------------------

The system is the host system for all other infrastructure systems. Access to
this system has to be tightly controlled.

Tasks
=====

The system can be rebooted safely since the Debian Buster installation on
2019-07-13.

.. todo:: document how to set up a new container
.. todo:: document how to set up firewall rules/forwarding
.. todo:: document how the backup system works
.. todo:: add DNS setup for IPv6 address
.. todo:: switch to Puppet management
.. todo:: replace nrpe with icinga2 agent

Planned
-------

* Replace ferm with nftables setup

Changes
=======

System Future
-------------

* No plans
358
Critical Configuration items
============================

.. index::
   pair: dnsmasq; configuration

Dnsmasq configuration
---------------------

Dnsmasq serves the local DNS zone infra.cacert.org on the ``br0`` interface. It
is configured by :file:`/etc/dnsmasq.d/00infra` and uses :file:`/etc/hosts` as
the source of IP addresses.

.. index::
   pair: Ferm; configuration

Ferm firewall configuration
---------------------------

The `Ferm`_ based firewall setup is located in :file:`/etc/ferm` and its
subdirectories.

.. index::
   pair: LXC; configuration

Container configuration
-----------------------

The container configuration is contained in files named
:file:`/var/lib/lxc/<container>/config`.

The root filesystems of the containers are stored on :term:`LVM` volumes that
are mounted in :file:`/var/lib/lxc/<container>/rootfs` for each container.

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Ferm documentation
   http://ferm.foo-projects.org/download/2.3/ferm.html
Ferm Debian Wiki page
   https://wiki.debian.org/ferm
LXC Debian Wiki page
   https://wiki.debian.org/LXC