Infra03
Purpose
The infrastructure host system Infra03 is a dedicated physical machine for the CAcert infrastructure.
Infra03 is a host system for infrastructure containers. The containers are set up using the Linux kernel's LXC system. The firewall for the running containers is maintained using nftables. The machine provides a DNS resolver based on dnsmasq and forwards DNS requests to Infra02.
Administration
System Administration
Primary: Jan Dittberner
Secondary: Dirk Astrath
Contact
Additional People
No additional people have sudo access on that machine.
Basics
Physical Location
The machine is located in a server rack at BIT B.V. in the Netherlands.
Physical Configuration
The machine has the following hardware parameters:
- Mainboard: IBM System x3550 M2 49Y6512
- CPU: Intel(R) Xeon(R) CPU E5506 @ 2.13GHz (4 Cores, 4 Threads)
- RAM: 48 GiB (8 GB DDR3-1600 Registered ECC)
- Disks: 3 x 1TB Seagate Constellation 2 SATA ST91000640NS
- NIC:
  eno1 Broadcom Limited NetXtreme II BCM5709 Gigabit Ethernet (rev 20)
  eno2 Broadcom Limited NetXtreme II BCM5709 Gigabit Ethernet (rev 20)
Logical Location
- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address: e4:1f:13:2e:67:86 (eno2), fe:2c:b2:f9:c5:41 (br0)
See also: Network
Monitoring
- internal checks:
- external checks:
DNS
Name | Type | Content
---|---|---
infra03.cacert.org. | IN A | 213.154.225.249
infra03.cacert.org. | IN AAAA | 2001:7b8:616:162:1::9
Operating System
Debian GNU/Linux 11 Bullseye
Services
Listening services
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | local | mail delivery to local MTA
53/tcp, 53/udp | dns | internal | DNS forwarded for infra.cacert.org
123/udp | ntp | ANY | network time protocol for host, listening on the Internet IPv6 and IPv4 addresses
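The firewall policy implied by this table, written out as an added nftables example; it is not the page's own or the cacert-puppet configuration. It assumes br0 is the bridge the containers are attached to and uses a placeholder internal IPv4 prefix (INT_NET4); both are assumptions to verify on the host. The script prints the ruleset and, where nft is installed, syntax-checks it with `nft -c` without loading it.

```shell
#!/bin/sh
# Added example for this page (not CAcert's cacert-puppet configuration): render
# an nftables ruleset for the host's own input path that mirrors the documented
# "Listening services" table: 22/tcp from anywhere, 25/tcp from the host itself,
# 53/tcp+udp from the internal network only, 123/udp from anywhere.
# Assumptions: br0 is the bridge the containers hang off, and INT_NET4 is a
# placeholder for the internal IPv4 prefix; verify both on the host before use.
INT_IF="${INT_IF:-br0}"
INT_NET4="${INT_NET4:-172.16.0.0/16}"

# Print the ruleset to stdout. The default policy is drop, so every accept
# below corresponds to exactly one row of the table.
render_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Stateful baseline: allow replies to our own traffic, drop garbage.
        ct state established,related accept
        ct state invalid drop

        # 25/tcp smtp, origin local: the MTA is reachable over loopback only,
        # which this rule covers; no rule opens 25/tcp on any other interface.
        iif "lo" accept

        # ICMP is needed for path MTU discovery; ICMPv6 also carries neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # 22/tcp ssh, origin ANY: admin console access.
        tcp dport 22 accept

        # 53/tcp and 53/udp dns, origin internal: dnsmasq for the containers only.
        iifname "$INT_IF" ip saddr $INT_NET4 tcp dport 53 accept
        iifname "$INT_IF" ip saddr $INT_NET4 udp dport 53 accept

        # 123/udp ntp, origin ANY: listens on the Internet IPv4 and IPv6 addresses.
        udp dport 123 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Containers on $INT_IF may initiate connections; replies return via conntrack.
        # Per-container port forwarding and NAT are outside this example.
        ct state established,related accept
        iifname "$INT_IF" accept
    }
}
EOF
}

# Write the ruleset to the given file and, where nft is installed, syntax-check
# it without loading it (nft -c). Returns nft's status, or 0 when nft is absent.
write_and_check() {
    render_ruleset > "$1"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    fi
}

case "${1:-}" in
    --print) render_ruleset ;;
    --check) write_and_check "${2:-infra03-filter.nft}" ;;
esac
```

Run with `--print` to inspect the ruleset or `--check FILE` to write and syntax-check it. The `input` chain has no accept for 25/tcp beyond loopback, which is what the "local" origin in the table means; if a row is added to the table, the matching accept belongs here.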
Running services
Service | Usage | Start mechanism
---|---|---
cron | job scheduler | systemd unit
dbus-daemon | System message bus | systemd unit
dm-event | Device Mapper event daemon | systemd unit
dnsmasq | DNS forwarder | systemd unit
Exim | SMTP server for local mail submission | systemd unit
mdmonitor | MD array monitor | systemd unit
ntpd | time synchronization service | systemd unit
openssh server | ssh daemon for remote administration | systemd unit
Puppet agent | configuration management agent | systemd unit
rsyslog | syslog daemon | systemd unit
smartd | SMART daemon | systemd unit
Todo: add Icinga 2 system monitoring
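A check of the kind the Icinga 2 item above calls for, and which would fill the empty internal/external checks list: added example code, not part of CAcert's monitoring, that compares live `ss -H -tuln` output with the documented Listening services table and exits with Nagios/Icinga-style codes. The embedded sample ss output is constructed; the internal resolver address in it is made up, the public addresses are those from the DNS table.

```shell
#!/bin/sh
# Added example for this page (not part of CAcert's monitoring): an Icinga/
# Nagios-style check that compares the sockets the host actually listens on
# with the documented "Listening services" table (22/tcp, 25/tcp, 53/tcp,
# 53/udp, 123/udp). Anything extra is CRITICAL (a new or rogue service);
# anything documented but absent is WARNING (a daemon is down). The sample
# addresses below are constructed for the example.

# Documented listeners, one "proto/port" per line.
DOCUMENTED_LISTENERS='tcp/22
tcp/25
tcp/53
udp/53
udp/123'

# Reduce `ss -H -tuln` output to sorted unique "proto/port" lines. The local
# address is field 5; the port is whatever follows its last colon, which also
# handles bracketed IPv6 literals such as [::]:22.
extract_listeners() {
    awk '$1 == "tcp" || $1 == "udp" { n = split($5, a, ":"); print $1 "/" a[n] }' | sort -u
}

# Read ss output on stdin, print one Nagios-style status line and return the
# matching exit code: 0 OK, 1 WARNING, 2 CRITICAL.
check_listeners() {
    actual=$(extract_listeners)
    # Present but not in the table.
    undocumented=$(printf '%s\n' "$actual" | awk -v doc="$DOCUMENTED_LISTENERS" '
        BEGIN { n = split(doc, d, "\n"); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        NF && !($0 in ok)')
    # In the table but not present.
    missing=$(printf '%s\n' "$DOCUMENTED_LISTENERS" | awk -v act="$actual" '
        BEGIN { n = split(act, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($0 in seen)')
    if [ -n "$undocumented" ]; then
        echo "CRITICAL - undocumented listeners: $(echo "$undocumented" | tr '\n' ' ')"
        return 2
    fi
    if [ -n "$missing" ]; then
        echo "WARNING - documented services not listening: $(echo "$missing" | tr '\n' ' ')"
        return 1
    fi
    echo "OK - listening sockets match the documented table"
    return 0
}

# Constructed `ss -H -tuln` output standing in for the live host; the internal
# resolver address is made up, the public addresses are the ones in the DNS table.
SAMPLE_SS_OUTPUT='tcp   LISTEN 0      128            0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128               [::]:22           [::]:*
tcp   LISTEN 0      20           127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      32          172.16.2.1:53        0.0.0.0:*
udp   UNCONN 0      0           172.16.2.1:53        0.0.0.0:*
udp   UNCONN 0      0      213.154.225.249:123       0.0.0.0:*
udp   UNCONN 0      0   [2001:7b8:616:162:1::9]:123      [::]:*'

case "${1:-}" in
    --live)   ss -H -tuln | check_listeners; exit $? ;;
    --sample) printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_listeners; exit $? ;;
esac
```

`--sample` runs the check against the embedded data, `--live` against the running host. The check deliberately keys on protocol and port only: a documented service that starts listening on an additional address is still the documented service, while any new port is reported regardless of the address it binds.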
Connected Systems
None yet
Outbound network connections
- DNS (53): resolving nameservers 172.16.2.2 and 172.16.2.3
- Emailout as SMTP relay
- Puppet (tcp/8140) as Puppet master
Todo: use proxyout for outgoing http/https traffic
Security
SSH host keys
Algorithm | Fingerprints
---|---
RSA |
DSA | -
ECDSA |
ED25519 |
Risk assessments on critical packages
The system is the host system for other infrastructure systems. Access to this system has to be tightly controlled.
The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.
Critical Configuration items
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.
Tasks
Adding a new container
Todo: describe how to add a new container, set up nftables rules, routing, proxying, outgoing mail and monitoring
Changes
Planned
- Set up Icinga2 monitoring
- Set up containers for Taiga.io, Gitea, Zulip and other services
Additional documentation