[cacert-infradocs.git] / docs / systems / infra02.rst
.. index::
   single: Systems; Infra02

=======
Infra02
=======

Purpose
=======

The infrastructure host system Infra02 is a dedicated physical machine for the
CAcert infrastructure.

.. index::
   single: LXC
   single: Ferm

Infra02 is the host system for all infrastructure containers. The containers
are set up with LXC_, which isolates them using the Linux kernel's namespace
and cgroup facilities. The firewall for the infrastructure network is
maintained on this machine using Ferm_, a frontend that generates the
iptables/ip6tables rule set from a single configuration file.

.. _LXC: https://linuxcontainers.org/
.. _Ferm: http://ferm.foo-projects.org/
24
Administration
==============

System Administration
---------------------

* Primary: `Jan Dittberner`_
* Secondary: `Mario Lipinski`_

.. _Jan Dittberner: jandd@cacert.org
.. _Mario Lipinski: mario@cacert.org

Contact
-------

* infrastructure-admin@cacert.org
41
Basics
======

Physical Location
-----------------

The machine is located in a server rack at BIT B.V. in the Netherlands.

Physical Configuration
----------------------

The machine has been sponsored by Thomas Krenn and has the following hardware
parameters:

:Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
:RAM: 16 GiB ECC
:Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1
:NIC:

   * eth0 Intel Corporation 82579LM Gigabit Network Connection
   * eth1 Intel Corporation 82574L Gigabit Network Connection

There is a 2 TB USB backup disk attached to the system.

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/EquipmentList
70
Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.230`
:IP Intranet: :ip:v4:`172.16.2.10`
:IP internal: :ip:v4:`10.0.0.1`
:IPv6: :ip:v6:`2001:7b8:616:162:1::10`
:IPv6 on br0: :ip:v6:`2001:7b8:616:162:2::10`
:MAC address:

   * :mac:`00:25:90:a9:66:e9` (eth0)
   * :mac:`fe:0e:ee:75:a3:a5` (br0)

.. seealso::

   :doc:`network`.

DNS
---

* infrastructure.cacert.org. IN A 213.154.225.230
* infrastructure.cacert.org. IN SSHFP 1 1 5A82D3C150AF002C05784F73250A067053AEED63
* infrastructure.cacert.org. IN SSHFP 1 2 63B0D74A3F1CE61865A5EB0497EF05243BC4067EC983C69AB8E62F3CB940CC82
* infrastructure.cacert.org. IN SSHFP 2 1 AF8D8E3386EAA72997709632ADF2B457E6FEF0DC
* infrastructure.cacert.org. IN SSHFP 2 2 3A0188FC47D1FDD14D70A2FB78F51792D06BA11EAE6AB16E73CB7BB8DD6A0DC8
* infrastructure.cacert.org. IN SSHFP 3 1 3E1B9EBF85B726CF831C76ECB8C17786AEDF40E8
* infrastructure.cacert.org. IN SSHFP 3 2 3AE7F0035C2172977E99BFE312C7A8299650DEA16A975EA13EECE8FDA426062A
* infra02.intra.cacert.org. IN A 172.16.2.10

The SSHFP records carry the SHA-1 (fingerprint type 1) and SHA-256 (type 2)
fingerprints of the RSA (algorithm 1), DSA (2) and ECDSA (3) host keys. There
is no record for the ED25519 host key (algorithm 4) listed under
`SSH host keys`_, so a client that negotiates that key type cannot verify it
through DNS.

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
103
Operating System
----------------

* Debian GNU/Linux 7.10

Applicable Documentation
------------------------

This is it :-)
113
Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 123/udp  | ntp       | ANY       | network time protocol for host,         |
|          |           |           | listening on the Internet IPv6 and IPv4 |
|          |           |           | addresses                               |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/rsyslog`            |
+--------------------+--------------------+----------------------------------------+
| ntpd               | time server        | init script :file:`/etc/init.d/ntp`    |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
159
.. Running Guests
   --------------

   .. some directive to list guests here

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`emailout`

Outbound network connections
----------------------------

* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
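Taken together, the `Listening services`_ table and the list above define what
the host firewall has to allow. The following shell script is an added example
and is neither the real :file:`/etc/ferm/ferm.conf` of Infra02 nor part of any
CAcert repository: it renders an equivalent Ferm_ policy (22/tcp and 123/udp
from anywhere on IPv4 and IPv6, 25/tcp over loopback only, 5666/tcp from the
monitor host, masqueraded egress and one forwarded port for the LXC containers
on br0) and applies it with a rollback window. The monitor address, the
container network behind br0 and the container that receives forwarded HTTPS
are assumptions, not values documented on this page.

```shell
#!/bin/sh
# Added example, not the real /etc/ferm/ferm.conf of Infra02: render a ferm
# policy that mirrors the documented listening services and container
# forwarding, check it without loading it, and apply it with a rollback
# window so a mistake cannot lock the administrator's SSH session out.
set -eu

# Assumed values (none of these are on the page): the monitor host's
# address, the container network behind br0 (the host's 10.0.0.1 suggests
# 10.0.0.0/24) and one container that receives forwarded HTTPS.
MONITOR_IP="${MONITOR_IP:-172.16.2.20}"
CONTAINER_NET="${CONTAINER_NET:-10.0.0.0/24}"
WEB_CT="${WEB_CT:-10.0.0.20}"

# Print a complete ferm configuration for monitor address $1, container
# network $2 and forwarded web container $3.
render_ferm_conf() {
    cat <<EOF
# generated by render_ferm_conf; change the variables, not this file
@def \$MONITOR = $1;
@def \$CONTAINER_NET = $2;
@def \$WEB_CT = $3;

domain (ip ip6) table filter {
    chain INPUT {
        policy DROP;
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        # 25/tcp "local": Postfix is reachable only over loopback
        interface lo ACCEPT;
        # 22/tcp and 123/udp, origin ANY, on both address families
        proto tcp dport ssh ACCEPT;
        proto udp dport ntp ACCEPT;
    }
    chain OUTPUT policy ACCEPT;
    chain FORWARD {
        policy DROP;
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}

# ICMP is a different protocol per address family
domain ip  table filter chain INPUT proto icmp ACCEPT;
domain ip6 table filter chain INPUT proto ipv6-icmp ACCEPT;

# 5666/tcp NRPE only from the monitor host
domain ip table filter chain INPUT proto tcp dport 5666 saddr \$MONITOR ACCEPT;

# containers on br0 reach the Internet through eth0, masqueraded
domain ip table filter chain FORWARD interface br0 outerface eth0 saddr \$CONTAINER_NET ACCEPT;
domain ip table nat chain POSTROUTING outerface eth0 saddr \$CONTAINER_NET MASQUERADE;

# forward inbound HTTPS from the Internet address to one container
domain ip table nat chain PREROUTING interface eth0 proto tcp dport 443 DNAT to $3:443;
domain ip table filter chain FORWARD interface eth0 outerface br0 daddr \$WEB_CT proto tcp dport 443 ACCEPT;
EOF
}

# Parse the configuration and print the iptables commands it would run,
# without touching the kernel.
check_ferm_conf() {
    ferm --noexec --lines "$1"
}

# Load the rules interactively: unless the administrator confirms on the
# terminal within 60 seconds, ferm restores the previous rule set.
apply_ferm_conf() {
    ferm --interactive --timeout 60 "$1"
}

case "${1:-render}" in
    render) render_ferm_conf "$MONITOR_IP" "$CONTAINER_NET" "$WEB_CT" ;;
    check|apply)
        tmp=$(mktemp)
        render_ferm_conf "$MONITOR_IP" "$CONTAINER_NET" "$WEB_CT" > "$tmp"
        if [ "$1" = check ]; then check_ferm_conf "$tmp"; else apply_ferm_conf "$tmp"; fi
        rm -f "$tmp" ;;
    *) echo "usage: $0 [render|check|apply]" >&2; exit 2 ;;
esac
```

Run it with ``check`` first: ``ferm --noexec --lines`` parses the file and
prints the resulting ``iptables``/``ip6tables`` commands without loading them.
``apply`` uses ``ferm --interactive``, which loads the rules and reverts to the
previous set unless the session confirms within the timeout, the safeguard you
want on a host that is only reachable over the very SSH port the rules govern.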
178
Security
========

SSH host keys
-------------

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c`` |
+-----------+-----------------------------------------------------+
| DSA       | ``b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5`` |
+-----------+-----------------------------------------------------+
| ECDSA     | ``79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0`` |
+-----------+-----------------------------------------------------+
| ED25519   | ``25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4`` |
+-----------+-----------------------------------------------------+

These are MD5 fingerprints in the colon-separated form that ``ssh-keygen -l``
printed before OpenSSH 6.8. Newer clients print SHA256 fingerprints by
default, so compare against ``ssh-keygen -l -E md5 -f
/etc/ssh/ssh_host_rsa_key.pub`` (and the other host key files) on the machine.

.. seealso::

   See :doc:`sshkeys`
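Verifying the host key before the first login, rather than trusting the first
``ssh`` prompt, is what the SSHFP records in the `DNS`_ section exist for.
The following shell script is an added example and not part of the CAcert
tooling: it recomputes SSHFP fingerprints from a public key line (SHA-1 and
SHA-256 over the decoded key blob, the same values ``ssh-keygen -r`` prints)
and compares them with what ``dig +short HOST SSHFP`` returns. The sample key
and records inside it are constructed test data, not the Infra02 keys.
OpenSSH's ``VerifyHostKeyDNS yes`` performs the same comparison itself but only
treats a match as authoritative when the resolver reports the answer as
DNSSEC-validated; otherwise it still asks for confirmation, which is where a
manual check like this one helps.

```shell
#!/bin/sh
# Added example, not part of the CAcert infradocs: check an SSH host public
# key against SSHFP records (RFC 4255 for RSA/DSA with SHA-1, RFC 6594 for
# ECDSA and SHA-256, RFC 7479 for Ed25519) so the key is verified before the
# first connection instead of being trusted at the first prompt.
# Needs base64 and sha1sum/sha256sum (coreutils) or shasum.
set -eu

# Map an OpenSSH key type to its SSHFP algorithm number.
sshfp_algo() {
    case "$1" in
        ssh-rsa)      echo 1 ;;
        ssh-dss)      echo 2 ;;
        ecdsa-sha2-*) echo 3 ;;
        ssh-ed25519)  echo 4 ;;
        *) return 1 ;;
    esac
}

# Hash stdin with SHA-1 ($1 = 1) or SHA-256 ($1 = 2); hex digest on stdout.
sshfp_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        if [ "$1" = 2 ]; then sha256sum; else sha1sum; fi
    else
        if [ "$1" = 2 ]; then shasum -a 256; else shasum -a 1; fi
    fi
}

# SSHFP fingerprint of a public key line ("type base64 [comment]"). The hash
# is taken over the raw key blob, not over the base64 text. $2 selects the
# fingerprint type (1 = SHA-1, 2 = SHA-256). Output is uppercase hex.
sshfp_fp() {
    [ "$2" = 1 ] || [ "$2" = 2 ] || return 1
    printf '%s\n' "$1" | awk '{print $2}' | base64 -d | sshfp_digest "$2" |
        awk '{print toupper($1)}'
}

# Return 0 if at least one record ("algo fptype hex" per line, the format of
# `dig +short HOST SSHFP`, which may split the hex into groups) matches the
# key, 1 otherwise. Records for other algorithms or unknown types are skipped.
sshfp_verify() {
    _key=$1
    _algo=$(sshfp_algo "$(printf '%s\n' "$_key" | awk '{print $1}')") || return 1
    printf '%s\n' "$2" | while read -r _a _t _hex; do
        [ "$_a" = "$_algo" ] || continue
        _hex=$(printf '%s' "$_hex" | tr -d ' \t' | tr 'a-f' 'A-F')
        if [ "$(sshfp_fp "$_key" "$_t")" = "$_hex" ]; then echo match; break; fi
    done | grep -q match
}

# Constructed sample: the "key blob" is base64("abc"), not a real Ed25519
# key, so the expected fingerprints are the well-known SHA-1/SHA-256 test
# vectors for "abc". The records are written the way dig prints them.
SAMPLE_KEY='ssh-ed25519 YWJj constructed-sample'
SAMPLE_RECORDS='4 1 A9993E364706816ABA3E25717850C26C9CD0D89D
4 2 BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD'

# Usage: `sh sshfp_check.sh HOST KEYFILE` checks the first line of an
# OpenSSH public key file (type, base64 blob, comment) against live DNS;
# with no arguments the constructed sample is checked instead.
if [ "$#" -ge 2 ]; then
    key=$(head -n 1 "$2")
    records=$(dig +short "$1" SSHFP)
    sshfp_verify "$key" "$records" && echo "SSHFP match for $1"
else
    sshfp_verify "$SAMPLE_KEY" "$SAMPLE_RECORDS" && echo "sample: SSHFP match"
fi
```

A match only proves the key in hand equals the one published in DNS; who may
publish records for cacert.org, and whether the zone is signed so that the
client can trust the answer, is a question for the DNS change procedure linked
above.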
200
Dedicated user roles
--------------------

* None

Non-distribution packages and modifications
-------------------------------------------

* None

Risk assessments and critical packages
--------------------------------------

The system is the basis for all other infrastructure systems: whoever controls
the host controls every container running on it (their file systems, processes
and network traffic) as well as the firewall in front of them. Access to this
system has to be tightly controlled and limited to the system administrators
named above. The packages whose security this depends on are the kernel and
LXC (container isolation), ferm and iptables (network policy) and
openssh-server (the only remote entry point).

Tasks
=====

.. todo:: find out why the system logs are messed up
.. todo:: upgrade to Debian Jessie
.. todo:: document whether it is safe to reboot this system
.. todo:: document how to set up a new container
.. todo:: document how to set up firewall rules/forwarding
.. todo:: document how the backup system works

Planned
-------

* None

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * https://wiki.cacert.org/PostfixConfiguration