95abd8453c350ef1f874ead8a32fd52baf6da481
[cacert-infradocs.git] / docs / systems / infra02.rst
.. index::
   single: Systems; Infra02

=======
Infra02
=======

Purpose
=======

The infrastructure host system Infra02 is a dedicated physical machine for the
CAcert infrastructure.

.. index::
   single: LXC
   single: Ferm

Infra02 is the host system for all infrastructure containers. The containers
are set up using the Linux kernel's LXC_ system. The firewall for the
infrastructure is maintained on this machine using Ferm_.

.. _LXC: https://linuxcontainers.org/
.. _Ferm: http://ferm.foo-projects.org/

Administration
==============

System Administration
---------------------

* Primary: `Jan Dittberner`_
* Secondary: `Mario Lipinski`_

.. _Jan Dittberner: jandd@cacert.org
.. _Mario Lipinski: mario@cacert.org

Contact
-------

* infrastructure-admin@cacert.org

Additional People
-----------------

`Wytze van der Raay`_ and `Mendel Mobach`_ have sudo access on that machine
too.

.. _Wytze van der Raay: wytze@cacert.org
.. _Mendel Mobach: mendel@cacert.org

Basics
======

Physical Location
-----------------

The machine is located in a server rack at BIT B.V. in the Netherlands.

Physical Configuration
----------------------

The machine has been sponsored by Thomas Krenn and has the following hardware
parameters:

:Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
:RAM: 16 GiB ECC
:Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1
:NIC:

   * eth0 Intel Corporation 82579LM Gigabit Network Connection
   * eth1 Intel Corporation 82574L Gigabit Network Connection

There is a 2 TB USB backup disk attached to the system.

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/EquipmentList

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.230`
:IP Intranet: :ip:v4:`172.16.2.10`
:IP internal: :ip:v4:`10.0.0.1`
:IPv6: :ip:v6:`2001:7b8:616:162:1::10`
:IPv6 on br0: :ip:v6:`2001:7b8:616:162:2::10`
:MAC address:

   * :mac:`00:25:90:a9:66:e9` (eth0)
   * :mac:`fe:0e:ee:75:a3:a5` (br0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Infra02

========================== ======== ====================================================================
Name                       Type     Content
========================== ======== ====================================================================
infrastructure.cacert.org. IN A     213.154.225.230
infrastructure.cacert.org. IN SSHFP 1 1 5A82D3C150AF002C05784F73250A067053AEED63
infrastructure.cacert.org. IN SSHFP 1 2 63B0D74A3F1CE61865A5EB0497EF05243BC4067EC983C69AB8E62F3CB940CC82
infrastructure.cacert.org. IN SSHFP 2 1 AF8D8E3386EAA72997709632ADF2B457E6FEF0DC
infrastructure.cacert.org. IN SSHFP 2 2 3A0188FC47D1FDD14D70A2FB78F51792D06BA11EAE6AB16E73CB7BB8DD6A0DC8
infrastructure.cacert.org. IN SSHFP 3 1 3E1B9EBF85B726CF831C76ECB8C17786AEDF40E8
infrastructure.cacert.org. IN SSHFP 3 2 3AE7F0035C2172977E99BFE312C7A8299650DEA16A975EA13EECE8FDA426062A
infra02.intra.cacert.org.  IN A     172.16.2.10
========================== ======== ====================================================================

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.10

* Debian GNU/Linux 7.10

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 123/udp  | ntp       | ANY       | network time protocol for host,         |
|          |           |           | listening on the Internet IPv6 and IPv4 |
|          |           |           | addresses                               |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

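A table like the one above is only useful if what is actually bound on the host still matches it. The following Python script is an added example (it is not part of the CAcert documentation or tooling): it parses rows in the column layout printed by ``ss -tulnH`` (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), compares the listening (protocol, port) pairs against the documented set transcribed from the table, and additionally flags services whose documented origin is ``local`` but which are bound to a non-loopback address. The socket rows embedded in the block are constructed sample input and deliberately contain one undocumented listener on port 111; nothing on this page states that such a listener exists on Infra02.

```python
"""Compare a host's listening sockets with the documented service table.

Added example. DOCUMENTED is transcribed from the table in this section; the
ss rows below are constructed sample input, not output captured from Infra02.
"""
import sys

# (protocol, port) -> documented Origin column
DOCUMENTED = {
    ("tcp", 22): "ANY",
    ("tcp", 25): "local",
    ("udp", 123): "ANY",
    ("tcp", 5666): "monitor",
}

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed rows in the column layout of `ss -tulnH`:
# Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
SAMPLE_SS_ROWS = """\
tcp   LISTEN 0 128 0.0.0.0:22                    0.0.0.0:*
tcp   LISTEN 0 128 [::]:22                       [::]:*
tcp   LISTEN 0 100 0.0.0.0:25                    0.0.0.0:*
udp   UNCONN 0 0   213.154.225.230:123           0.0.0.0:*
udp   UNCONN 0 0   [2001:7b8:616:162:1::10]:123  [::]:*
tcp   LISTEN 0 5   172.16.2.10:5666              0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:111                   0.0.0.0:*
""".splitlines()


def parse_ss_row(row):
    """Return (proto, address, port) for a tcp/udp row, else None.
    The port is taken after the last colon so bracketed IPv6 works."""
    fields = row.split()
    if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
        return None
    addr, sep, port = fields[4].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return fields[0], addr.strip("[]"), int(port)


def audit(ss_rows, documented=DOCUMENTED):
    """Return a dict with three sorted lists of (proto, port):
    undocumented  - listening but not in the table (investigate),
    absent        - in the table but not listening (service down or doc stale),
    exposed_local - documented as origin 'local' yet bound beyond loopback."""
    listening = {}
    for row in ss_rows:
        parsed = parse_ss_row(row)
        if parsed is None:
            continue
        proto, addr, port = parsed
        listening.setdefault((proto, port), set()).add(addr)
    return {
        "undocumented": sorted(k for k in listening if k not in documented),
        "absent": sorted(k for k in documented if k not in listening),
        "exposed_local": sorted(
            k for k, origin in documented.items()
            if origin == "local" and k in listening
            and not listening[k] <= LOOPBACK
        ),
    }


if __name__ == "__main__":
    # Piped input (e.g. `ss -tulnH | python3 audit_listeners.py`) is audited;
    # without a pipe the constructed sample rows are used.
    rows = SAMPLE_SS_ROWS if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for name, items in audit(rows).items():
        print(f"{name}: {items}")
```

Run on the sample rows it reports ``('tcp', 111)`` as undocumented and ``('tcp', 25)`` as exposed, because the constructed SMTP socket is bound to ``0.0.0.0`` although the table says its origin is ``local``; whether that is acceptable on the real host depends on the Ferm rules, which this page does not yet document, so the output is a prompt to check rather than a verdict.
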
Running services
----------------

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| ntpd               | time server        | init script :file:`/etc/init.d/ntp`    |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

.. Running Guests
   --------------

   .. some directive to list guests here

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`emailout`

Outbound network connections
----------------------------

* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* all traffic of non-critical infrastructure systems

Security
========

SSH host keys
-------------

.. index::
   single: SSH host keys; Infra02

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c`` |
+-----------+-----------------------------------------------------+
| DSA       | ``b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5`` |
+-----------+-----------------------------------------------------+
| ECDSA     | ``79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0`` |
+-----------+-----------------------------------------------------+
| ED25519   | ``25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4`` |
+-----------+-----------------------------------------------------+

.. seealso::

   See :doc:`sshkeys`

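The SSHFP records in the DNS table above and the fingerprints in this table describe the same host keys in two forms that cannot be compared by eye: SSHFP type 1 and type 2 records carry the SHA-1 and SHA-256 digest of the raw key blob, while the colon-separated 16-byte fingerprints here are the older MD5 form. The following Python script is an added example (not part of the CAcert documentation or tooling): it recomputes SSHFP RDATA from OpenSSH public key lines the way ``ssh-keygen -r`` does, parses either zone-file or ``dig`` answer lines, and reports records that match, records that disagree with the key, and key algorithms for which no record is published at all. The key material in ``constructed_pubkey`` and the ``host.example.`` records built in ``demo()`` are constructed placeholders. Against the two tables on this page the "missing" list would contain the ED25519 key (SSHFP algorithm 4), since only algorithms 1 to 3 are published.

```python
"""Recompute SSHFP RDATA from OpenSSH public keys and compare with DNS.

Added example. An SSHFP fingerprint is the SHA-1 (type 1) or SHA-256 (type 2)
digest of the base64-decoded key blob, which is what `ssh-keygen -r` emits.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers from the IANA registry
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """{(algorithm, fptype): hex digest} for one ssh_host_*_key.pub line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHMS[keytype]
    return {(alg, t): h(blob).hexdigest() for t, h in FP_TYPES.items()}


def parse_sshfp_lines(lines):
    """Parse zone-file or dig answer lines ('... SSHFP alg fptype hex') into
    {(alg, fptype): hex}; lines without a complete SSHFP RR are skipped."""
    records = {}
    for line in lines:
        fields = line.split()
        try:
            i = [f.upper() for f in fields].index("SSHFP")
            alg, fptype, fp = fields[i + 1:i + 4]
        except ValueError:  # no SSHFP token, or fewer than three fields after it
            continue
        records[(int(alg), int(fptype))] = fp.lower()
    return records


def check_host_keys(pubkey_lines, record_lines):
    """Return (matched, mismatched, missing) lists of (alg, fptype) pairs.
    A mismatch means DNS publishes a different digest than the key on disk."""
    published = parse_sshfp_lines(record_lines)
    matched, mismatched, missing = [], [], []
    for line in pubkey_lines:
        for key, fp in sshfp_records(line).items():
            if key not in published:
                missing.append(key)
            elif published[key] == fp:
                matched.append(key)
            else:
                mismatched.append(key)
    return sorted(matched), sorted(mismatched), sorted(missing)


def constructed_pubkey(keytype, payload):
    """Build a syntactically valid OpenSSH public key line for offline tests.
    Constructed, not a real host key: an SSH blob is a sequence of
    4-byte length-prefixed strings, starting with the key type."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(keytype.encode()) + ssh_string(payload)
    return f"{keytype} {base64.b64encode(blob).decode()} constructed@example"


def demo():
    """Publish records for a constructed key, corrupt one, run the check."""
    key = constructed_pubkey("ssh-ed25519", bytes(range(32)))
    zone = [f"host.example. IN SSHFP {a} {t} {fp.upper()}"
            for (a, t), fp in sorted(sshfp_records(key).items())]
    # flip the last hex digit of the SHA-256 record to simulate a stale RR
    last = zone[1][-1]
    zone[1] = zone[1][:-1] + ("0" if last != "0" else "1")
    return check_host_keys([key], zone)


if __name__ == "__main__":
    matched, mismatched, missing = demo()
    print("matched:", matched, "mismatched:", mismatched, "missing:", missing)
```

To use it on the real host, feed ``check_host_keys`` the lines of ``/etc/ssh/ssh_host_*_key.pub`` and the answer section of ``dig SSHFP infrastructure.cacert.org`` (the TTL in dig output is tolerated because the parser locates the ``SSHFP`` token rather than a fixed column). A non-empty "mismatched" list after a key rotation means the DNS change procedure referenced above has not been completed.
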
Dedicated user roles
--------------------

* None

Non-distribution packages and modifications
-------------------------------------------

* None

Risk assessments and critical packages
--------------------------------------

The system is the basis for all other infrastructure systems. Access to this
system has to be tightly controlled.

Tasks
=====

.. todo:: find out why the system logs are messed up
.. todo:: upgrade to Debian Jessie
.. todo:: document whether it is safe to reboot this system
.. todo:: document how to set up a new container
.. todo:: document how to set up firewall rules/forwarding
.. todo:: document how the backup system works
.. todo:: add DNS setup for IPv6 address

Planned
-------

* None

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * https://wiki.cacert.org/PostfixConfiguration