Infra02

Purpose

The infrastructure host system Infra02 is a dedicated physical machine for the CAcert infrastructure.

Infra02 is a host system for infrastructure containers. The containers are setup using the Linux kernel’s LXC system. The firewall for infrastructure is maintained on this machine using nftables. The machine provides a DNS resolver based on dnsmasq and gives answers for the internal zone infra.cacert.org.

Administration

System Administration

Contact

Additional People

Dirk Astrath has sudo access on that machine too.

Basics

Physical Location

The machine is located in a server rack at BIT B.V. in the Netherlands.

Physical Configuration

The machine has been sponsored by Thomas Krenn and has the following hardware parameters:

Mainboard:

Supermicro X9SCL/X9SCM Version 1.11A

CPU:

Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz (4 Cores, 8 Threads)

RAM:

32 GiB (4x8 GB DDR-3 1600 unbuffered ECC)

Disks:

2 x 1TB WDC WD1003FBYX-01Y7B1, 2 x INTENSO 500 GB SATA SSD

NIC:
  • eno1 Intel Corporation 82579LM Gigabit Network Connection

  • enp2s0 Intel Corporation 82574L Gigabit Network Connection

Logical Location

IP Internet:

213.154.225.230

IP Intranet:

172.16.2.10

IP internal:

10.0.0.1

IP BMC:

172.28.50.56

IPv6:

2001:7b8:616:162:1::10

IPv6 on br0:

2001:7b8:616:162:2::10

MAC address:
  • 00:25:90:a9:66:e9 (eno1)

  • fe:0e:ee:75:a3:a5 (br0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for infra02.infra.cacert.org

external checks:

Monitoring checks for infra02.cacert.org

Remote Console

This system can be managed through a remote console, which may especially be important during system upgrades and/or reboots.

The hardware of the system is equipped with a BMC Controller which supports the Intelligent Platform Management Interface (IMPI).

Due the security design of the CAcert intranet, the network interface of this BMC is not connected to the publicly reachable part of the CAcert intranet, but rather to the management part, and is thus only reachable by members of the critical system administrator team.

So the following instructions only apply to them.

The BMC interface can be reached from your local admin machine through the CAcert hopper by setting up the following SSH port forwarding:

IPMIHOST=infra02ilo.intra.cacert.org
LOCALPORT=8082
HTTPSPORT=443
IKVMPORT=5900
ssh -f -N -L ${LOCALPORT}:${IPMIHOST}:${HTTPSPORT} \
                        -L ${IKVMPORT}:${IPMIHOST}:${IKVMPORT} hopper

and then browsing to the web UI:

firefox https://127.0.0.1:${LOCALPORT}/

To use the remote console facility, first install Oracle Java JRE 8.0_211 on your admin machine. Then download the launch.jnlp script offered by the web UI and save it in $HOME. Then use this script “console” to execute it:

#! /bin/bash
# console - run remote console for CAcert infra02 with Oracle Java environment

export JAVADIR=/opt/java/jre1.8.0_211/bin
export JAVA=${JAVADIR}/java
export JAVAWS=${JAVADIR}/javaws

LAUNCH=${HOME}/launch.jnlp

if [ -f ${LAUNCH} ]
then
      echo "Do not forget to use setupcon if the console keyboard mapping is lame" 1>&2
      sed -i -e 's/443/8082/' ${LAUNCH}
      exec ${JAVAWS} ${LAUNCH}
else
      echo $0: cannot read ${LAUNCH} 1>&2
fi

If there are issues with the BMC (baseband management controller) like inaccessibility of TCP port 443 from the hopper2 critical system, it can be restarted from a shell on infra02 by:

sudo ipmitool mc reset cold

DNS

Name

Type

Content

infrastructure.cacert.org.

IN A

213.154.225.230

infrastructure.cacert.org.

IN SSHFP

1 1 5A82D3C150AF002C05784F73250A067053AEED63

infrastructure.cacert.org.

IN SSHFP

1 2 63B0D74A3F1CE61865A5EB0497EF05243BC4067EC983C69AB8E62F3CB940CC82

infrastructure.cacert.org.

IN SSHFP

2 1 AF8D8E3386EAA72997709632ADF2B457E6FEF0DC

infrastructure.cacert.org.

IN SSHFP

2 2 3A0188FC47D1FDD14D70A2FB78F51792D06BA11EAE6AB16E73CB7BB8DD6A0DC8

infrastructure.cacert.org.

IN SSHFP

3 1 3E1B9EBF85B726CF831C76ECB8C17786AEDF40E8

infrastructure.cacert.org.

IN SSHFP

3 2 3AE7F0035C2172977E99BFE312C7A8299650DEA16A975EA13EECE8FDA426062A

infra02.intra.cacert.org.

IN A

172.16.2.10

Operating System

  • Debian GNU/Linux 11 Bullseye

Services

Listening services

Port

Service

Origin

Purpose

22/tcp

ssh

ANY

admin console access

25/tcp

smtp

local

mail delivery to local MTA

53/tcp 53/udp

dns

internal

DNS resolver for infra.cacert.org

123/udp

ntp

ANY

network time protocol for host, listening on the Internet IPv6 and IPv4 addresses

5666/tcp

nrpe

monitor

remote monitoring service

Running services

Service

Usage

Start mechanism

acpid

ACPI daemon

systemd unit acpid.service

atop

Advanced system and process monitor

systemd unit atop.service

atopacctd

Advanced system and process monitor accounting daemon

systemd unit atopacct.service

cron

job scheduler

systemd unit cron.service

dbus-daemon

System message bus daemon

systemd unit dbus.service

dnsmasq

DNS resolver

systemd unit dnsmasq.service

LXC

Service for LXC container management

systemd unit lxc.service

mdadm

RAID monitoring

systemd unit mdmonitor.service

Nagios NRPE server

remote monitoring service queried by Monitor

systemd unit nagios-nrpe-server.service

ntpd

time server

systemd unit ntp.service

openssh server

ssh daemon for remote administration

systemd unit ssh.service

postfix

SMTP server for local mail submission, …

systemd unit postfix.service

rsyslog

syslog daemon

systemd unit rsyslog.service

smartd

S.M.A.R.T. HDD monitoring

systemd unit smartd.service

Todo

switch monitoring to Icinga 2

Connected Systems

Outbound network connections

  • DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3

  • Emailout as SMTP relay

  • ftp.nl.debian.org as Debian mirror

  • security.debian.org for Debian security updates

  • all traffic of non-critical infrastructure systems

Security

SSH host keys

Algorithm

Fingerprints

RSA

SHA256:Y7DXSj8c5hhlpesEl+8FJDvEBn7Jg8aauOYvPLlAzII, MD5:86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c

DSA

-

ECDSA

SHA256:OufwA1whcpd+mb/jEseoKZZQ3qFql16hPuzo/aQmBio, MD5:79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0

ED25519

SHA256:eXWoP7L/A25p/YW3vmj+4NFy2lEEVcRaLnNhcelBar8, MD5:25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4

Dedictated user roles

  • None

Non-distribution packages and modifications

  • None

Risk assessments and critical packages

The system is the host system for other infrastructure systems. Access to this system has to be tightly controlled.

Critical Configuration items

Dnsmasq configuration

Dnsmasq serves the local DNS zone infra.cacert.org to the br0 interface. It is configured by /etc/dnsmasq.d/00infra and uses /etc/hosts as source for IP addresses.

nftables firewall configuration

The nftables based firewall setup is located in /etc/nftables.conf.

Container configuration

The container configuration is contained in files named /var/lib/lxc/<container>/config.

The root filesystems of the containers are stored on LVM volumes that are mounted in /var/lib/lxc/<container>/rootfs for each container.

Tasks

Todo

document how to setup a new container

Todo

document how to setup firewall rules/forwarding

Todo

document how the backup system works

Reboot

The system can be rebooted safely since the Debian Buster installation on 2019-07-13:

systemctl reboot

Restarting the firewall

To restart the firewall setup perform a configuration syntax check and use systemctl to reload ferm’s configuration.

ferm -n /etc/ferm/ferm.conf
systemctl reload ferm.service

Changes

Planned

Todo

add DNS setup for IPv6 address

Todo

switch to Puppet management

Todo

replace nrpe with icinga2 agent

Todo

replace ferm with nftables setup

System Future

  • No plans

Additional documentation

References

Ferm documentation

http://ferm.foo-projects.org/download/2.3/ferm.html

Ferm Debian Wiki page

https://wiki.debian.org/ferm

LXC Debian Wiki page

https://wiki.debian.org/LXC