Document external monitoring host
author    Jan Dittberner <jandd@cacert.org>
          Tue, 6 Aug 2019 20:23:36 +0000 (22:23 +0200)
committer Jan Dittberner <jandd@cacert.org>
          Tue, 6 Aug 2019 20:23:36 +0000 (22:23 +0200)
docs/external.rst [new file with mode: 0644]
docs/external/extmon.rst [new file with mode: 0644]
docs/index.rst
docs/iplist.rst
docs/network.rst
docs/systems.rst

diff --git a/docs/external.rst b/docs/external.rst
new file mode 100644 (file)
index 0000000..464c569
--- /dev/null
@@ -0,0 +1,11 @@
+================
+External Systems
+================
+
+External systems that are relevant to the CAcert infrastructure but are not
+part of the infrastructure.
+
+.. toctree::
+   :maxdepth: 1
+
+   external/extmon
diff --git a/docs/external/extmon.rst b/docs/external/extmon.rst
new file mode 100644 (file)
index 0000000..6efd51f
--- /dev/null
@@ -0,0 +1,243 @@
+.. index::
+   single: Systems; Extmon
+
+======
+Extmon
+======
+
+Purpose
+=======
+
+Extmon is used as an external Icinga2 agent that monitors the availability of
+CAcert service from the Internet. The system is sponsored by
+:ref:`people_jandd` and is running on a Hetzner cloud instance in Germany.
+
+Application Links
+-----------------
+
+Service checks executed by extmon
+  https://monitor.cacert.org/monitoring/list/servicegroups#!/monitoring/list/services?servicegroup_name=external-checks
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application   | Administrator(s)    |
++===============+=====================+
+| icinga2 agent | :ref:`people_jandd` |
++---------------+---------------------+
+
+Contact
+-------
+
+* extmon-admin@cacert.org
+
+Additional People
+-----------------
+
+No other people have :program:`sudo` access on that machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is a virtual KVM machine hosted on a Hetzner cloud server in
+N├╝rnberg, Germany.
+
+Physical Configuration
+----------------------
+
+* 1 VCPU
+* 2 GB RAM
+* 20 GB local disc
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`116.203.192.12`
+:IPv6:        :ip:v6:`2a01:4f8:c2c:a5b9::1`
+:MAC address: :mac:`96:00:00:2c:89:82` (eth0)
+
+.. seealso::
+
+   See :doc:`../network`
+
+.. index::
+   single: Monitoring; Extmon
+
+Monitoring
+----------
+
+:internal checks: :monitor:`extmon.infra.cacert.org`
+
+DNS
+---
+
+The system has no DNS entries.
+
+Operating System
+----------------
+
+.. index::
+   single: Debian GNU/Linux; Stretch
+   single: Debian GNU/Linux; 9.9
+
+* Debian GNU/Linux 9.9
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+-------------------------------+
+| Port     | Service | Origin  | Purpose                       |
++==========+=========+=========+===============================+
+| 22/tcp   | ssh     | ANY     | admin console access          |
++----------+---------+---------+-------------------------------+
+| 25/tcp   | smtp    | local   | mail delivery to local MTA    |
++----------+---------+---------+-------------------------------+
+| 68/udp   | dhcp    | hetzner | dynamic network configuration |
++----------+---------+---------+-------------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service     |
++----------+---------+---------+-------------------------------+
+
+Running services
+----------------
+
+.. index::
+   single: cron
+   single: dbus
+   single: exim4
+   single: icinga2
+   single: openssh
+   single: puppet
+   single: rsyslog
+
++----------------+--------------------------+----------------------------------+
+| Service        | Usage                    | Start mechanism                  |
++================+==========================+==================================+
+| cron           | job scheduler            | systemd unit ``cron.service``    |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
+|                | daemon                   |                                  |
++----------------+--------------------------+----------------------------------+
+| Exim           | SMTP server for          | systemd unit ``exim4.service``   |
+|                | local mail submission    |                                  |
++----------------+--------------------------+----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for           | systemd unit ``ssh.service``     |
+|                | remote administration    |                                  |
++----------------+--------------------------+----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``  |
+|                | management agent         |                                  |
++----------------+--------------------------+----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
+
+Databases
+---------
+
+* None
+
+Connected Systems
+-----------------
+
+* :doc:`../systems/monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) Hetzner cloud nameservers
+* :doc:`../systems/puppet` (tcp/8140) as Puppet master
+* checked CAcert systems on publicly opened ports
+
+Security
+========
+
+.. sshkeys::
+   :RSA:     SHA256:pRCCUOzQbNf2MSDyq3mt/zCYrf9Cowo0tUp+cLcP5ZU MD5:89:07:d2:68:02:37:73:86:a3:f0:53:46:e9:93:3c:b5
+   :DSA:     SHA256:qQmdmDcCrj9CgGK/LsT0zz8d90wCmn0HlSmt9WRqIF8 MD5:8c:f0:fa:e2:18:98:22:fb:ae:ed:c3:84:78:0e:70:5f
+   :ECDSA:   SHA256:+5X1KhHfqCSfVzNhT6xXpKYwsS/bZvI5rOM7hPogcWo MD5:f3:65:d0:12:a6:e9:cc:91:f4:55:32:c0:ca:75:59:17
+   :ED25519: SHA256:lxUPfNgUMZ/JrZHVG9Qc33x7vqyKGgmIJ54rgx+dZow MD5:39:b7:17:91:05:2d:1c:ad:4b:5a:5e:e0:e6:01:2c:a5
+
+Dedicated user roles
+--------------------
+
+* None
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+The system provides no public services besides an Icinga2 agent that executes
+commands sent from :doc:`../systems/monitor`.
+
+The Puppet agent package and a few dependencies are installed from the
+official Puppet APT repository because the versions in Debian are too old to
+use modern Puppet features.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+Keys and X.509 certificates
+---------------------------
+
+* None
+
+Tasks
+=====
+
+Add a service to be checked by extmon
+-------------------------------------
+
+Service monitoring is configured in the :cacertgit:`cacert-icinga2-conf_d`.
+
+All checks for services on hosts with the following block will be executed by
+extmon:
+
+.. code-block::
+
+   vars.external = true
+
+Changes
+=======
+
+Planned
+-------
+
+.. todo:: update to Debian 10 (when Puppet is available)
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+* None
+
+References
+----------
+
+* https://icinga.com/docs/icinga2/latest/
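Review bot: the ``.. sshkeys::`` block in the Security section lists a DSA host key; OpenSSH has disabled ssh-dss host keys by default since 7.0, so either confirm that key is still offered and needed or remove it from the host and from this list so clients cannot pin a weak key. Smaller points in the same file: the ``.. code-block::`` directive under "Add a service to be checked by extmon" has no language argument, which older Sphinx releases reject, so use ``.. code-block:: none`` or a plain ``::`` literal block; "N├╝rnberg" under Physical Location is mis-encoded and should be the UTF-8 "Nürnberg"; and "The system has no DNS entries" sits next to the ``:monitor:`extmon.infra.cacert.org``` reference, so state which of the two is correct. The risk assessment says the agent "executes commands sent from monitor"; it should also document how the 5665/tcp channel limits callers to monitor (the Origin column), e.g. the Icinga2 endpoint certificate setup, since that is what makes remote command execution acceptable.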
index d6200dc..c132b7d 100644 (file)
@@ -12,6 +12,7 @@ Table of Contents
 
    critical
    systems
+   external
    lxcsetup
    network
    iplist
index f20050c..16c38dc 100644 (file)
@@ -12,6 +12,10 @@ Internet IP addresses
 
 .. ip:v6range:: 2001:7b8:616:162:2::/80
 
+.. ip:v4range:: 116.203.192.12/32
+
+.. ip:v6range:: 2a01:4f8:c2c:a5b9::1/128
+
 
 Intranet IP addresses
 ---------------------
index 078f3ad..99e9c57 100644 (file)
@@ -22,6 +22,8 @@ IPv6 connectivity is also available. The infrastructure IPv6 addresses are
 taken from the :ip:v6range:`2001:7b8:616:162:1::/80` and
 :ip:v6range:`2001:7b8:616:162:2::/80` ranges.
 
+External monitoring is provided from the ranges :ip:v4range:`116.203.192.12/32`
+and :ip:v6range:`2a01:4f8:c2c:a5b9::1/128`.
 
 Intranet
 --------
index 24e939f..404f430 100644 (file)
@@ -90,28 +90,23 @@ General
    That's it, now the package update status should be properly displayed in
    Icinga.
 
-.. todo:: think about replacing nrpe with Icinga2 satellites
-
 Checklist
 =========
 
 .. index::
    single: etckeeper
+   single: icinga2
    single: nrpe
+   single: puppet
 
 * All containers should be monitored by :doc:`systems/monitor` and should
-  therefore have :program:`nagios-nrpe-server` installed
+  therefore have :program:`icinga2` installed and managed via Puppet (older
+  systems without Puppet have :program:`nagios-nrpe-server` installed)
 * All containers should use :program:`etckeeper` to put their local setup into
   version control. All local setup should use :file:`/etc` to make sure it is
   handled by :program:`etckeeper`
 * All infrastructure systems must send their mail via :doc:`systems/emailout`
 * All infrastructure systems should have an system-admin@cacert.org alias to
   reach their admins
-* The installation of :index:`systemd-sysv` in containers can be blocked by
-  putting the following lines in :file:`/etc/apt/preferences.d/systemd-sysv`::
-
-    Package: systemd-sysv
-    Pin: release a=stable
-    Pin-Priority: -1
 
 .. todo:: document how to setup the system-admin alias on the email system
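Review bot: this hunk removes the systemd-sysv APT pinning instructions (the ``Package: systemd-sysv`` preferences block) and the nrpe-replacement todo, neither of which the commit message "Document external monitoring host" mentions; if the pinning advice is obsolete, say so in the message or split the removal into its own commit, and if the todo is considered resolved by the new Puppet-managed icinga2 wording, note that too. While editing this list, the unchanged context line "an system-admin@cacert.org alias" should read "a system-admin@cacert.org alias".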