Finalize Infra02 documentation
.. index::
   single: Systems; Infra02

=======
Infra02
=======

Purpose
=======

The infrastructure host system Infra02 is a dedicated physical machine for the
CAcert infrastructure.

.. index::
   single: LXC
   single: Ferm

Infra02 is the host system for all infrastructure containers. The containers
are set up using the Linux kernel's LXC_ system. The firewall for infrastructure
is maintained on this machine using Ferm_.

.. _LXC: https://linuxcontainers.org/
.. _Ferm: http://ferm.foo-projects.org/

Administration
==============

System Administration
---------------------

* Primary: `Jan Dittberner`_
* Secondary: `Mario Lipinski`_

.. _Jan Dittberner: jandd@cacert.org
.. _Mario Lipinski: mario@cacert.org

Contact
-------

* infrastructure-admin@cacert.org

Basics
======

Physical Location
-----------------

The machine is located in a server rack at BIT B.V. in the Netherlands.

Physical Configuration
----------------------

The machine has been sponsored by Thomas Krenn and has the following hardware
parameters:

:Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
:RAM: 16 GiB ECC
:Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1
:NIC:

   * eth0 Intel Corporation 82579LM Gigabit Network Connection
   * eth1 Intel Corporation 82574L Gigabit Network Connection

There is a 2 TB USB backup disk attached to the system.

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/EquipmentList

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.230`
:IP Intranet: :ip:v4:`172.16.2.10`
:IP internal: :ip:v4:`10.0.0.1`
:IPv6: :ip:v6:`2001:7b8:616:162:1::10`
:IPv6 on br0: :ip:v6:`2001:7b8:616:162:2::10`
:MAC address:

   * :mac:`00:25:90:a9:66:e9` (eth0)
   * :mac:`fe:0e:ee:75:a3:a5` (br0)

.. seealso::

   :doc:`network`.

DNS
---

.. index::
   single: DNS records; Infra02

========================== ======== ====================================================================
Name                       Type     Content
========================== ======== ====================================================================
infrastructure.cacert.org. IN A     213.154.225.230
infrastructure.cacert.org. IN SSHFP 1 1 5A82D3C150AF002C05784F73250A067053AEED63
infrastructure.cacert.org. IN SSHFP 1 2 63B0D74A3F1CE61865A5EB0497EF05243BC4067EC983C69AB8E62F3CB940CC82
infrastructure.cacert.org. IN SSHFP 2 1 AF8D8E3386EAA72997709632ADF2B457E6FEF0DC
infrastructure.cacert.org. IN SSHFP 2 2 3A0188FC47D1FDD14D70A2FB78F51792D06BA11EAE6AB16E73CB7BB8DD6A0DC8
infrastructure.cacert.org. IN SSHFP 3 1 3E1B9EBF85B726CF831C76ECB8C17786AEDF40E8
infrastructure.cacert.org. IN SSHFP 3 2 3AE7F0035C2172977E99BFE312C7A8299650DEA16A975EA13EECE8FDA426062A
infra02.intra.cacert.org.  IN A     172.16.2.10
========================== ======== ====================================================================

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.10

* Debian GNU/Linux 7.10

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 123/udp  | ntp       | ANY       | network time protocol for host,         |
|          |           |           | listening on the Internet IPv6 and IPv4 |
|          |           |           | addresses                               |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| ntpd               | time server        | init script :file:`/etc/init.d/ntp`    |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

.. Running Guests
   --------------

.. some directive to list guests here

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`emailout`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* all traffic of non-critical infrastructure systems

Security
========

SSH host keys
-------------

.. index::
   single: SSH host keys; Infra02

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c`` |
+-----------+-----------------------------------------------------+
| DSA       | ``b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5`` |
+-----------+-----------------------------------------------------+
| ECDSA     | ``79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0`` |
+-----------+-----------------------------------------------------+
| ED25519   | ``25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4`` |
+-----------+-----------------------------------------------------+

.. seealso::

   See :doc:`sshkeys`
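
The SSHFP records in the DNS table above and the MD5 fingerprints in this table
describe the same host keys in two encodings: an SSHFP record hashes the raw
public key blob with SHA-1 (fingerprint type 1) or SHA-256 (type 2) and tags it
with the key algorithm (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519), while
``ssh-keygen -l -E md5`` hashes the same blob with MD5 and prints it
colon-separated. The following Python is an added example, not part of the
CAcert infradocs or of the host's own tooling; it recomputes both forms from an
OpenSSH public key line and checks a key against SSHFP records as they would be
looked up in DNS. The sample key is constructed (it is not an Infra02 key) and
all function names are this example's own.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by the
# OpenSSH key type string that starts a public key line.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256. Both hash the raw key blob.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Parse '<keytype> <base64 blob> [comment]' (the format of ssh_host_*_key.pub
    and known_hosts entries) into (keytype, blob). The blob is the RFC 4253 wire
    encoding and starts with a length-prefixed copy of the key type; a mismatch
    between the two means the line was tampered with or mis-pasted."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii")
    if embedded != keytype:
        raise ValueError("key type mismatch: %s vs %s" % (keytype, embedded))
    return keytype, blob


def sshfp_records(line):
    """Return [(algorithm, fptype, HEX), ...] for the key, i.e. the record data
    'ssh-keygen -r' prints: one SHA-1 (type 1) and one SHA-256 (type 2) record."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fptype, h(blob).hexdigest().upper())
            for fptype, h in sorted(SSHFP_HASHES.items())]


def md5_fingerprint(line):
    """Colon-separated MD5 fingerprint, the format 'ssh-keygen -l -E md5' prints
    and the format used in the host key table of this page."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_against_dns(line, dns_records):
    """Compare a key with SSHFP records looked up in DNS.

    dns_records is an iterable of (algorithm, fptype, hex) tuples. The check
    passes only if DNS carries at least one record for this key's algorithm with
    a fingerprint type we can compute, and every such record matches: a record
    of the same algorithm that does not match indicates a changed (or spoofed)
    host key, not merely an extra key."""
    computed = {(alg, fptype): fp for alg, fptype, fp in sshfp_records(line)}
    key_alg = next(iter(computed))[0]
    relevant = [(alg, fptype, fp.upper()) for alg, fptype, fp in dns_records
                if alg == key_alg and fptype in SSHFP_HASHES]
    if not relevant:
        return False
    return all(computed[(alg, fptype)] == fp for alg, fptype, fp in relevant)


def constructed_key_line(keytype, keybytes):
    """Build a public key line around a CONSTRUCTED key blob for demonstration.
    The bytes are not a real key pair; only the hashing over the blob is shown."""
    blob = (struct.pack(">I", len(keytype)) + keytype.encode("ascii")
            + struct.pack(">I", len(keybytes)) + keybytes)
    return "%s %s constructed-example" % (keytype, base64.b64encode(blob).decode("ascii"))


# Constructed sample key (not an Infra02 key): ed25519 type string + 32 fixed bytes.
SAMPLE_KEY = constructed_key_line("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    for alg, fptype, fp in sshfp_records(SAMPLE_KEY):
        print("example.invalid. IN SSHFP %d %d %s" % (alg, fptype, fp))
    print("MD5:", md5_fingerprint(SAMPLE_KEY))
    print("matches own records:", verify_against_dns(SAMPLE_KEY, sshfp_records(SAMPLE_KEY)))
```

On the host itself, ``ssh-keygen -r infrastructure.cacert.org -f /etc/ssh/ssh_host_rsa_key.pub``
prints the record data to publish in the zone, which is how the table above can
be regenerated after a host key change. Clients opt into the DNS check with
``ssh -o VerifyHostKeyDNS=yes``; OpenSSH treats the result as authoritative
only when the resolver validates DNSSEC, otherwise it merely reports whether a
matching record was found. When comparing by hand, prefer the SHA-256 (type 2)
SSHFP data over the SHA-1 records and over the MD5 fingerprints, which remain
in the table mainly for older ``ssh-keygen`` versions that print nothing else.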

Dedicated user roles
--------------------

* None

Non-distribution packages and modifications
-------------------------------------------

* None

Risk assessments and critical packages
--------------------------------------

The system is the basis for all other infrastructure systems. Access to this
system has to be tightly controlled.

Tasks
=====

.. todo:: find out why the system logs are messed up
.. todo:: upgrade to Debian Jessie
.. todo:: document whether it is safe to reboot this system
.. todo:: document how to set up a new container
.. todo:: document how to set up firewall rules/forwarding
.. todo:: document how the backup system works
.. todo:: add DNS setup for IPv6 address

Planned
-------

* None

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * https://wiki.cacert.org/PostfixConfiguration