Infra02
Purpose
The infrastructure host system Infra02 is a dedicated physical machine for the CAcert infrastructure.
Infra02 is a host system for infrastructure containers. The containers are set up using the Linux kernel's LXC system. The firewall for the infrastructure is maintained on this machine using nftables. The machine provides a DNS resolver based on dnsmasq and answers queries for the internal zone infra.cacert.org.
Administration
System Administration
Primary: Jan Dittberner
Secondary: None
Contact
Additional People
Dirk Astrath has sudo access on that machine too.
Basics
Physical Location
The machine is located in a server rack at BIT B.V. in the Netherlands.
Physical Configuration
The machine has been sponsored by Thomas Krenn and has the following hardware parameters:
- Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
- CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz (4 Cores, 8 Threads)
- RAM: 32 GiB (4x8 GB DDR-3 1600 unbuffered ECC)
- Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1, 2 x INTENSO 500 GB SATA SSD
- NIC: eno1 Intel Corporation 82579LM Gigabit Network Connection; enp2s0 Intel Corporation 82574L Gigabit Network Connection
Logical Location
- IP Internet:
- IP Intranet:
- IP internal:
- IP BMC:
- IPv6:
- IPv6 on br0:
- MAC address: 00:25:90:a9:66:e9 (eno1), fe:0e:ee:75:a3:a5 (br0)
See also: Network
Monitoring
- internal checks:
- external checks:
Remote Console
This system can be managed through a remote console, which is especially important during system upgrades and/or reboots.
The hardware of the system is equipped with a BMC controller which supports the Intelligent Platform Management Interface (IPMI).
Due to the security design of the CAcert intranet, the network interface of this BMC is not connected to the publicly reachable part of the CAcert intranet, but rather to the management part, and is thus only reachable by members of the critical system administrator team.
So the following instructions only apply to them.
The BMC interface can be reached from your local admin machine through the CAcert hopper by setting up the following SSH port forwarding:
IPMIHOST=infra02ilo.intra.cacert.org
LOCALPORT=8082
HTTPSPORT=443
IKVMPORT=5900
ssh -f -N -L ${LOCALPORT}:${IPMIHOST}:${HTTPSPORT} \
-L ${IKVMPORT}:${IPMIHOST}:${IKVMPORT} hopper
and then browsing to the web UI:
firefox https://127.0.0.1:${LOCALPORT}/
To use the remote console facility, first install Oracle Java JRE 8.0_211 on your admin machine. Then download the launch.jnlp script offered by the web UI and save it in $HOME. Then use the following script, console, to execute it:
#! /bin/bash
# console - run remote console for CAcert infra02 with Oracle Java environment
export JAVADIR=/opt/java/jre1.8.0_211/bin
export JAVA=${JAVADIR}/java
export JAVAWS=${JAVADIR}/javaws
LAUNCH="${HOME}/launch.jnlp"
if [ -f "${LAUNCH}" ]
then
    echo "Do not forget to use setupcon if the console keyboard mapping is lame" 1>&2
    # rewrite the BMC's HTTPS port (443) to the locally forwarded port (8082, see LOCALPORT above)
    sed -i -e 's/443/8082/' "${LAUNCH}"
    exec "${JAVAWS}" "${LAUNCH}"
else
    echo "$0: cannot read ${LAUNCH}" 1>&2
    exit 1
fi
If there are issues with the BMC (baseboard management controller), such as TCP port 443 being unreachable from the hopper2 critical system, it can be restarted from a shell on infra02 with:
sudo ipmitool mc reset cold
DNS
Name | Type | Content
---|---|---
infrastructure.cacert.org. | IN A | 213.154.225.230
infrastructure.cacert.org. | IN SSHFP | 1 1 5A82D3C150AF002C05784F73250A067053AEED63
infrastructure.cacert.org. | IN SSHFP | 1 2 63B0D74A3F1CE61865A5EB0497EF05243BC4067EC983C69AB8E62F3CB940CC82
infrastructure.cacert.org. | IN SSHFP | 2 1 AF8D8E3386EAA72997709632ADF2B457E6FEF0DC
infrastructure.cacert.org. | IN SSHFP | 2 2 3A0188FC47D1FDD14D70A2FB78F51792D06BA11EAE6AB16E73CB7BB8DD6A0DC8
infrastructure.cacert.org. | IN SSHFP | 3 1 3E1B9EBF85B726CF831C76ECB8C17786AEDF40E8
infrastructure.cacert.org. | IN SSHFP | 3 2 3AE7F0035C2172977E99BFE312C7A8299650DEA16A975EA13EECE8FDA426062A
infra02.intra.cacert.org. | IN A | 172.16.2.10
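To check that published SSHFP records such as the ones in the table above actually match the key a host presents, here is an added Python example (not part of the CAcert documentation or tooling): it derives the SSHFP fingerprints from an OpenSSH public-key line the same way ssh-keygen -r does and compares them with the record data. Because the host's public keys are not reproduced on this page, the key line it builds is a constructed sample.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint-type hashes.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return (algorithm, fptype, HEXDIGEST) tuples for one OpenSSH public-key
    line, i.e. the RDATA that `ssh-keygen -r` prints for that key."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)  # SSHFP hashes the wire-format key blob
    (tlen,) = struct.unpack(">I", blob[:4])  # blob starts with the key type string
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key blob does not carry the declared type " + keytype)
    algo = SSHFP_ALGO[keytype]
    return [(algo, fptype, h(blob).hexdigest().upper())
            for fptype, h in SSHFP_HASH.items()]


def parse_sshfp(content):
    """Parse SSHFP RDATA as written in the table: '1 2 63B0...' -> (1, 2, '63B0...')."""
    algo, fptype, hexfp = content.split()
    return int(algo), int(fptype), hexfp.upper()


def verify_sshfp(pubkey_line, content):
    """True only if the published record matches a fingerprint of the given host key."""
    return parse_sshfp(content) in sshfp_records(pubkey_line)


def sample_key_line():
    """A constructed ssh-ed25519 public-key line (32 bytes of 0x01; not a real key)."""
    raw = b"\x01" * 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@example"


if __name__ == "__main__":
    for rec in sshfp_records(sample_key_line()):
        print("IN SSHFP %d %d %s" % rec)
```

With a DNSSEC-signed zone the OpenSSH client can perform this comparison itself through VerifyHostKeyDNS; without DNSSEC it still asks the user to confirm the key.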
Operating System
Debian GNU/Linux 11 Bullseye
Services
Listening services
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | local | mail delivery to local MTA
53/tcp 53/udp | dns | internal | DNS resolver for infra.cacert.org
123/udp | ntp | ANY | network time protocol for host, listening on the Internet IPv6 and IPv4 addresses
5666/tcp | nrpe | monitor | remote monitoring service
Running services
Service | Usage | Start mechanism
---|---|---
acpid | ACPI daemon | systemd unit
atop | Advanced system and process monitor | systemd unit
atopacctd | Advanced system and process monitor accounting daemon | systemd unit
cron | job scheduler | systemd unit
dbus-daemon | System message bus daemon | systemd unit
dnsmasq | DNS resolver | systemd unit
LXC | Service for LXC container management | systemd unit
mdadm | RAID monitoring | systemd unit
Nagios NRPE server | remote monitoring service queried by Monitor | systemd unit
ntpd | time server | systemd unit
openssh server | ssh daemon for remote administration | systemd unit
postfix | SMTP server for local mail submission, … | systemd unit
rsyslog | syslog daemon | systemd unit
smartd | S.M.A.R.T. HDD monitoring | systemd unit
Todo: switch monitoring to Icinga 2
Connected Systems
Outbound network connections
- DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
- Emailout as SMTP relay
- ftp.nl.debian.org as Debian mirror
- security.debian.org for Debian security updates
- all traffic of non-critical infrastructure systems
Security
SSH host keys
Algorithm | Fingerprints
---|---
RSA |
DSA | -
ECDSA |
ED25519 |
Dedicated user roles
None
Non-distribution packages and modifications
None
Risk assessments and critical packages
The system is the host system for other infrastructure systems. Access to this system has to be tightly controlled.
Critical Configuration items
Dnsmasq configuration
Dnsmasq serves the local DNS zone infra.cacert.org on the br0 interface. It is configured by /etc/dnsmasq.d/00infra and uses /etc/hosts as the source for IP addresses.
nftables firewall configuration
The nftables based firewall setup is located in /etc/nftables.conf.
Container configuration
The container configuration is contained in files named /var/lib/lxc/<container>/config.
The root filesystems of the containers are stored on LVM volumes that are mounted in /var/lib/lxc/<container>/rootfs for each container.
Tasks
Todo: document how to set up a new container
Todo: document how to set up firewall rules/forwarding
Todo: document how the backup system works
Reboot
The system can be rebooted safely since the Debian Buster installation on 2019-07-13:
systemctl reboot
Restarting the firewall
To restart the firewall setup, perform a configuration syntax check (ferm -n only parses the rules without applying them) and then use systemctl to reload ferm's configuration:
ferm -n /etc/ferm/ferm.conf
systemctl reload ferm.service
Changes
Planned
Todo: add DNS setup for IPv6 address
Todo: switch to Puppet management
Todo: replace nrpe with icinga2 agent
Todo: replace ferm with nftables setup
System Future
No plans
Additional documentation
References
- Ferm documentation
- Ferm Debian Wiki page
- LXC Debian Wiki page