Infra03sat

Purpose

Icinga2 monitoring satellite for systems running on Infra03.

Administration

System Administration

Application Administration

| Application | Administrator(s) |
|-------------|------------------|
| icinga2     | Jan Dittberner   |

Contact

Additional People

No other people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra03.

Logical Location

IP Internal: 10.0.3.100

IPv6: 2001:7b8:616:162:3::100

MAC address: 00:16:3e:63:82:e7 (eth0)

See also

See Network

Monitoring

Internal checks: Monitoring checks for infra03sat.infra.cacert.org

DNS

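| Name                         | Type    | Content                      |
|------------------------------|---------|------------------------------|
| infra03sat.infra.cacert.org. | IN A    | 10.0.3.100                   |
| infra03sat.infra.cacert.org. | IN AAAA | 2001:7b8:616:162:3::100      |
| infra03sat.infra.cacert.org. | IN MX   | 1 emailout.infra.cacert.org. |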

Operating System

  • Debian GNU/Linux 12 Bookworm

Services

Listening services

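| Port     | Service | Origin  | Purpose                    |
|----------|---------|---------|----------------------------|
| 22/tcp   | ssh     | ANY     | admin console access       |
| 25/tcp   | smtp    | local   | mail delivery to local MTA |
| 5665/tcp | icinga2 | monitor | remote monitoring service  |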

Running services

| Service        | Usage                                 | Start mechanism              |
|----------------|---------------------------------------|------------------------------|
| cron           | job scheduler                         | systemd unit cron.service    |
| dbus-daemon    | System message bus                    | systemd unit dbus.service    |
| Exim           | SMTP server for local mail submission | systemd unit exim4.service   |
| icinga2        | Icinga2 monitoring agent              | systemd unit icinga2.service |
| openssh server | ssh daemon for remote administration  | systemd unit ssh.service     |
| Puppet agent   | configuration management agent        | systemd unit puppet.service  |

Connected Systems

  • Icinga2 agents on other systems on Infra03

Outbound network connections

  • DNS (53) resolver at 10.0.0.1 (Infra02)

  • Beholder as Icinga2 master

  • Emailout as SMTP relay

  • Puppet (tcp/8140) as Puppet master

  • Proxyout as HTTP proxy for APT

  • crl.cacert.org (rsync) for getting CRLs

Security

SSH host keys

| Algorithm | Fingerprints |
|-----------|--------------|
| RSA       | SHA256:5KARMDdwuFdV2oYD43KrHuWu8JcSNG/ESU+2SffAtOM, MD5:67:c2:f5:22:6f:d3:a7:2b:30:f2:52:b5:c0:a2:30:d3 |
| DSA       | - |
| ECDSA     | SHA256:3waQg1lkl1VzUQgNn36RZnTnUszM3qdIH5Rj8O/zA00, MD5:6d:16:e1:b3:c9:6e:5e:37:1a:c5:60:a5:45:b0:b9:c7 |
| ED25519   | SHA256:1upB/WnbvX+DWgy450hQOwM2/vvyHgqNtApkppJlUUU, MD5:21:dd:1c:45:49:bf:b7:11:1f:c1:33:72:d0:3b:b7:c3 |

Dedicated user roles

  • None

Non-distribution packages and modifications

  • None

Risk assessments on critical packages

All packages are installed from security supported Debian repositories.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Icinga2 configuration

The monitoring configuration is pulled from the Icinga2 API of Beholder.

Tasks

Changes

Planned

Todo

Move systems from Monitor to this one.

System Future

Will be used as part of the replacement for Monitor and Extmon.

Additional documentation

References