Controls/gitea-pages
0
2
Fork 0
Code Pull Requests Actions Activity

update doc

Browse Source
This commit is contained in:
ebner
2024-12-09 10:58:54 +01:00
parent 208985b97d
commit 1fa775cb93
2 changed files with 79 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
engineering-guide/infrastructure_administration.md
View File

@@ -14,6 +14,80 @@ To grant access to different environments data-xxx repositories normal Git acces
Nothing overrides the access control of the git server.
## SSH Certificates / Signing Public User Keys
Generate a ssh key e.g. as follows:
```bash
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/linux_id_ed25519
```
Use the [user ca certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg), but this is automated by pasting below function into your shell
```bash
function sign-user-ssh-key {
(
name="$1"
pubkey="$2"
# let the private key flow through a named pipe
# so it never ends up on the file system
umask 077
pipe_base="$(mktemp)" # MacOS does not know about --dry-run
pipe="${pipe_base}.pipe"
echo "mkfifo '$pipe'"
mkfifo "$pipe" || return 1
[ -p "$pipe" ] || return 1
echo "pass ssh-ca/user-ca > '$pipe' &"
pass ssh-ca/user-ca > "$pipe" &
echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'"
ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey"
echo "rm '$pipe' '$pipe_base'"
rm "$pipe" "$pipe_base"
)
}
```
and run it with the user name as principal and the public key file
```
sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE
```
More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/
## Unix Groups
Currently we have following AD groups to grant access to certain services/systems:
| Group | Notes |
| ---- | ---- |
| unx-lx_eng | Member of linux engineering - used to give access to management NFS filesystem, sysdb, ... |
| unx-lx_support | used to give Linux supporters access to systems/services |
| unx-puppet_adm -| associated with lxdev environment/systems |
| unx-puppet_dev | developer of puppet code |
| unx-puppet_usr | user of puppet (i.e. need access to linux-infra group/repos) |
| unx-lx_users | all personal linux accounts at PSI (directly updated from SAP) |
| unx-lx_grafana_adm | Grafana Administrators |
| unx-lx_grafana_edi | Group with Grafana editor rights |
These two groups are used within Service now to assign tickets:
| Group |
| ---- |
| itsm-linux |
| itsm-linux_2nd |
Access VM infrastructure for linux core employees:
| Group | Notes |
| ---- | ---- |
| VC_Admins_Linux | Access to the PSI VM Infrastructure |
## AD Users
| Group | Notes |
| ---- | ---- |
| lx-netops-api | (keytab) Used to access the netops api |
| lx_ad_join | (keytab) Used to join a machine to AD |
| linux_ldap ???? | was registered by Derek (he is noted as responsible in AD) - used for ???? |
## linux.psi.ch
linux.psi.ch is hosted from this git repo as git pages. There is a proxy entry for the domain name linux.psi.ch on the F5 reverse proxy, that is managed by the network team, to reach the git pages by https://linux.psi.ch
@@ -52,4 +126,3 @@ This email list is administered by Outlook in the following way (if you have man
- Click on Add and add a new email address
![outlook_04.png](infrastructure_administration/outlook_04.png)

90
engineering-guide/infrastructure_systems.md
View File

@@ -1,24 +1,22 @@
# Infrastructure Systems
List of systems and their primary role:
![](_static/overview_linux.drawio.svg)
__Core Infrastructure:__
## Core Infrastructure
* [boot.psi.ch](boot_server.md) - TFTP server for PXE booting
* [sysdb.psi.ch](sysdb_server.md) - Runs sysdb, providing the dynamic iPXE, Grub and kickstart files
* [puppet.psi.ch](puppet_server.md) - puppet.psi.ch - Puppet server
* [repos.psi.ch](repo_server.md) - Repository server
* [lx-sync-01.psi.ch](sync_server.md) - System to mirror external yum repositories / packages / ...
* [lxweb00](lxweb00) - http://linux.web.psi.ch - legacy - 129.129.190.46 - Exports further repositories from AFS
* [lxweb00](lxweb00) - http://linux.web.psi.ch - __legacy__ - 129.129.190.46 - Exports further repositories from AFS
__Additional Infrastructure__
## Additional Infrastructure
Sysdb Access:
* [lxsup.psi.ch](lxsup) - Standard node for the linux support, primarily to run bob
Monitoring:
* [Icinga2](icinga2) - automatic integration into Icinga2
@@ -26,86 +24,8 @@ Monitoring:
* [lx-metrics-01.psi.ch](metrics) - https://metrics.psi.ch - Grafana frontend for Influx
__Enduser Systems__
## Enduser Systems
* [login.psi.ch](login) - Set of nodes for enduser use
* lx-term.psi.ch - RDP Linux terminal server
* [nx-term.psi.ch](https://nx-term.psi.ch) - NoMachine NX Linux terminal server
* cpw.psi.ch - Node to change passwords
![](_static/overview_linux.drawio.svg)
## SSH Certificates / Signing Public User Keys
Generate a ssh key e.g. as follows:
```bash
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/linux_id_ed25519
```
Use the [user ca certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg), but this is automated by pasting below function into your shell
```bash
function sign-user-ssh-key {
(
name="$1"
pubkey="$2"
# let the private key flow through a named pipe
# so it never ends up on the file system
umask 077
pipe_base="$(mktemp)" # MacOS does not know about --dry-run
pipe="${pipe_base}.pipe"
echo "mkfifo '$pipe'"
mkfifo "$pipe" || return 1
[ -p "$pipe" ] || return 1
echo "pass ssh-ca/user-ca > '$pipe' &"
pass ssh-ca/user-ca > "$pipe" &
echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'"
ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey"
echo "rm '$pipe' '$pipe_base'"
rm "$pipe" "$pipe_base"
)
}
```
and run it with the user name as principal and the public key file
```
sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE
```
More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/
## Unix Groups
Currently we have following AD groups to grant access to certain services/systems:
| Group | Notes |
| ---- | ---- |
| unx-lx_eng | Member of linux engineering - used to give access to management NFS filesystem, sysdb, ... |
| unx-lx_support | used to give Linux supporters access to systems/services |
| unx-puppet_adm -| associated with lxdev environment/systems |
| unx-puppet_dev | developer of puppet code |
| unx-puppet_usr | user of puppet (i.e. need access to linux-infra group/repos) |
| unx-lx_users | all personal linux accounts at PSI (directly updated from SAP) |
| unx-lx_grafana_adm | Grafana Administrators |
| unx-lx_grafana_edi | Group with Grafana editor rights |
These two groups are used within Service now to assign tickets:
| Group |
| ---- |
| itsm-linux |
| itsm-linux_2nd |
Access VM infrastructure for linux core employees:
| Group | Notes |
| ---- | ---- |
| VC_Admins_Linux | Access to the PSI VM Infrastructure |
## AD Users
| Group | Notes |
| ---- | ---- |
| lx-netops-api | (keytab) Used to access the netops api |
| lx_ad_join | (keytab) Used to join a machine to AD |
| linux_ldap ???? | was registered by Derek (he is noted as responsible in AD) - used for ???? |