MariaDB

Purpose

The system provides a central MariaDB database server for other CAcert infrastructure services.

Administration

System Administration

• Primary: Jan Dittberner

• Secondary: none

Application Administration

Application	Administrator(s)
mariadb	Jan Dittberner

Contact

• mariadb-admin@cacert.org

Basics

Physical Location

This system is located in an LXC container on physical machine Infra03.

Logical Location

IP Internal:

10.0.3.11

IPv6:

2001:7b8:616:162:3::11

MAC address:

00:ff:8f:bc:23:47 (eth0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for mariadb.infra.cacert.org

DNS

Name	Type	Content
mariadb.cacert.org.	IN AAAA	2001:7b8:616:162:3::11
mariadb.infra.cacert.org.	IN A	10.0.3.11
mariadb.infra.cacert.org.	IN AAAA	2001:7b8:616:162:3::11

See also

See Wiki page SystemAdministration/Procedures/DNSChanges

Operating System

• Debian GNU/Linux 11 Bullseye

Services

Listening services

Port	Service	Origin	Purpose
22/tcp	ssh	ANY	admin console access
25/tcp	smtp	local	mail delivery to local MTA
3306/tcp	mariadb	infra	mariadb database service
5665/tcp	icinga2	monitor	remote monitoring service

Running services

Service	Usage	Start mechanism
cron	job scheduler	systemd unit cron.service
dbus-daemon	System message bus	systemd unit dbus.service
Exim	SMTP server for local mail submission	systemd unit exim4.service
icinga2	Icinga2 monitoring agent	systemd unit icinga2.service
openssh server	ssh daemon for remote administration	systemd unit ssh.service
mariadb	MariaDB database server	systemd unit mariadb.service
Puppet agent	configuration management agent	systemd unit puppet.service
rsyslog	syslog daemon	systemd unit rsyslog.service

Connected Systems

• Monitor

• Nextcloud Nextcloud service

Outbound network connections

• DNS (53) resolver at 10.0.0.1 (Infra02)

• Emailout as SMTP relay

• Puppet (tcp/8140) as Puppet master

• Proxyout as HTTP proxy for APT

Security

SSH host keys

Algorithm	Fingerprints
RSA	SHA256:BAoKSGc5ri54/upuMwCAIZbSaOqAGTnLPAavMcNOoRA, MD5:36:fc:66:82:dc:94:3b:e3:50:97:83:fc:5a:5e:36:61
DSA	-
ECDSA	SHA256:q2d/j0gU2/akCdqYz6o1dS5gP1gh6JMI5msIbeR8k3Q, MD5:ea:64:f2:2e:6d:39:a0:61:6d:b2:07:ba:db:17:5c:81
ED25519	SHA256:6jpSzqsnKON8WrgimzmRBeMhOj23WfTHdB9Nh9FCr5I, MD5:04:1a:a8:a9:29:c4:67:8b:68:3d:40:55:fc:0d:7b:39

See also

SSH host key list

Non-distribution packages and modifications

The Puppet agent packages and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Risk assessments on critical packages

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Todo

manage mariadb configuration in Puppet code

Tasks

Adding new databases

Database setup should be coordinated via mariadb-admin@cacert.org.

Changes

Nothing planned.

Additional documentation

See also

• Wiki page Exim4Configuration

• https://mariadb.com/kb/en/documentation/