From 1fa775cb930c5267d769a0904e3a27db70c072cb Mon Sep 17 00:00:00 2001
From: ebner
Date: Mon, 9 Dec 2024 10:58:54 +0100
Subject: [PATCH] update doc

---
 .../infrastructure_administration.md | 75 +++++++++++++++-
 engineering-guide/infrastructure_systems.md | 90 ++-----------------
 2 files changed, 79 insertions(+), 86 deletions(-)

diff --git a/engineering-guide/infrastructure_administration.md b/engineering-guide/infrastructure_administration.md
index 6b24bf62..cdda716c 100644
--- a/engineering-guide/infrastructure_administration.md
+++ b/engineering-guide/infrastructure_administration.md
@@ -14,6 +14,80 @@ To grant access to different environments data-xxx repositories normal Git acces Nothing overrides the access control of the git server. +## SSH Certificates / Signing Public User Keys + +Generate a ssh key e.g. as follows: +```bash +ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/linux_id_ed25519 +``` + +Use the [user ca certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg), but this is automated by pasting below function into your shell +```bash +function sign-user-ssh-key { + ( + name="$1" + pubkey="$2" + + # let the private key flow through a named pipe + # so it never ends up on the file system + + umask 077 + pipe_base="$(mktemp)" # MacOS does not know about --dry-run + pipe="${pipe_base}.pipe" + echo "mkfifo '$pipe'" + mkfifo "$pipe" || return 1 + [ -p "$pipe" ] || return 1 + echo "pass ssh-ca/user-ca > '$pipe' &" + pass ssh-ca/user-ca > "$pipe" & + echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'" + ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey" + echo "rm '$pipe' '$pipe_base'" + rm "$pipe" "$pipe_base" + ) +} +``` +and run it with the user name as principal and the public key file +``` +sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE +``` + +More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/ + + +## Unix Groups + +Currently we have following AD groups to grant access to certain services/systems: + +| Group | Notes | +| ---- | ---- | +| unx-lx_eng | Member of linux engineering - used to give access to management NFS filesystem, sysdb, ... | +| unx-lx_support | used to give Linux supporters access to systems/services | +| unx-puppet_adm -| associated with lxdev environment/systems | +| unx-puppet_dev | developer of puppet code | +| unx-puppet_usr | user of puppet (i.e. 
need access to linux-infra group/repos) | +| unx-lx_users | all personal linux accounts at PSI (directly updated from SAP) | +| unx-lx_grafana_adm | Grafana Administrators | +| unx-lx_grafana_edi | Group with Grafana editor rights | + +These two groups are used within Service now to assign tickets: +| Group | +| ---- | +| itsm-linux | +| itsm-linux_2nd | + +Access VM infrastructure for linux core employees: +| Group | Notes | +| ---- | ---- | +| VC_Admins_Linux | Access to the PSI VM Infrastructure | + +## AD Users +| Group | Notes | +| ---- | ---- | +| lx-netops-api | (keytab) Used to access the netops api | +| lx_ad_join | (keytab) Used to join a machine to AD | +| linux_ldap ???? | was registered by Derek (he is noted as responsible in AD) - used for ???? | + + ## linux.psi.ch linux.psi.ch is hosted from this git repo as git pages. There is a proxy entry for the domain name linux.psi.ch on the F5 reverse proxy, that is managed by the network team, to reach the git pages by https://linux.psi.ch @@ -52,4 +126,3 @@ This email list is administered by Outlook in the following way (if you have man - Click on Add and add a new email address ![outlook_04.png](infrastructure_administration/outlook_04.png) - diff --git a/engineering-guide/infrastructure_systems.md b/engineering-guide/infrastructure_systems.md index 50b36498..3c327e40 100644 --- a/engineering-guide/infrastructure_systems.md +++ b/engineering-guide/infrastructure_systems.md 
@@ -1,24 +1,22 @@ # Infrastructure Systems -List of systems and their primary role: +![](_static/overview_linux.drawio.svg) -__Core Infrastructure:__ +## Core Infrastructure * [boot.psi.ch](boot_server.md) - TFTP server for PXE booting * [sysdb.psi.ch](sysdb_server.md) - Runs sysdb, providing the dynamic iPXE, Grub and kickstart files * [puppet.psi.ch](puppet_server.md) - puppet.psi.ch - Puppet server * [repos.psi.ch](repo_server.md) - Repository server * [lx-sync-01.psi.ch](sync_server.md) - System to mirror external yum repositories / packages / ... -* [lxweb00](lxweb00) - http://linux.web.psi.ch - legacy - 129.129.190.46 - Exports further repositories from AFS +* [lxweb00](lxweb00) - http://linux.web.psi.ch - __legacy__ - 129.129.190.46 - Exports further repositories from AFS - -__Additional Infrastructure__ +## Additional Infrastructure Sysdb Access: * [lxsup.psi.ch](lxsup) - Standard node for the linux support, primarily to run bob - Monitoring: * [Icinga2](icinga2) - automatic integration into Icinga2 
@@ -26,86 +24,8 @@ Monitoring:
 * [lx-metrics-01.psi.ch](metrics) - https://metrics.psi.ch - Grafana frontend for Influx
 
 
-__Enduser Systems__
+## Enduser Systems
 * [login.psi.ch](login) - Set of nodes for enduser use
 * lx-term.psi.ch - RDP Linux terminal server
 * [nx-term.psi.ch](https://nx-term.psi.ch) - NoMachine NX Linux terminal server
 * cpw.psi.ch - Node to change passwords
-
-
-![](_static/overview_linux.drawio.svg)
-
-
-## SSH Certificates / Signing Public User Keys
-
-Generate a ssh key e.g. as follows:
-```bash
-ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/linux_id_ed25519
-```
-
-Use the [user ca certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg), but this is automated by pasting below function into your shell
-```bash
-function sign-user-ssh-key {
- (
- name="$1"
- pubkey="$2"
-
- # let the private key flow through a named pipe
- # so it never ends up on the file system
-
- umask 077
- pipe_base="$(mktemp)" # MacOS does not know about --dry-run
- pipe="${pipe_base}.pipe"
- echo "mkfifo '$pipe'"
- mkfifo "$pipe" || return 1
- [ -p "$pipe" ] || return 1
- echo "pass ssh-ca/user-ca > '$pipe' &"
- pass ssh-ca/user-ca > "$pipe" &
- echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'"
- ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey"
- echo "rm '$pipe' '$pipe_base'"
- rm "$pipe" "$pipe_base"
- )
-}
-```
-and run it with the user name as principal and the public key file
-```
-sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE
-```
-
-More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/
-
-
-## Unix Groups
-
-Currently we have following AD groups to grant access to certain services/systems:
-
-| Group | Notes |
-| ---- | ---- |
-| unx-lx_eng | Member of linux engineering - used to give access to management NFS filesystem, sysdb, ... |
-| unx-lx_support | used to give Linux supporters access to systems/services |
-| unx-puppet_adm -| associated with lxdev environment/systems |
-| unx-puppet_dev | developer of puppet code |
-| unx-puppet_usr | user of puppet (i.e. need access to linux-infra group/repos) |
-| unx-lx_users | all personal linux accounts at PSI (directly updated from SAP) |
-| unx-lx_grafana_adm | Grafana Administrators |
-| unx-lx_grafana_edi | Group with Grafana editor rights |
-
-These two groups are used within Service now to assign tickets:
-| Group |
-| ---- |
-| itsm-linux |
-| itsm-linux_2nd |
-
-Access VM infrastructure for linux core employees:
-| Group | Notes |
-| ---- | ---- |
-| VC_Admins_Linux | Access to the PSI VM Infrastructure |
-
-## AD Users
-| Group | Notes |
-| ---- | ---- |
-| lx-netops-api | (keytab) Used to access the netops api |
-| lx_ad_join | (keytab) Used to join a machine to AD |
-| linux_ldap ???? | was registered by Derek (he is noted as responsible in AD) - used for ???? |
-