# Infrastructure Systems

List of systems and their primary role:

* [pxeserv01](pxeserv01) - 129.129.190.59 - TFTP server for PXE booting
* [boot00](boot00) - 129.129.160.210 - Runs sysdb, providing the dynamic iPXE, Grub and kickstart files
* [puppet01](puppet01) - 129.129.160.118 - Runs the puppet server for the RHEL7 infra
* [repo00](repo00) - 129.129.160.212 - RPM/Yum repository server for RHEL7
* [repo01](repo01) - 129.129.190.190 - RPM/Yum repository server for RHEL8
* [reposync](reposync) - 129.129.161.222 - RPM/Yum repository server for RHEL8
* [lxweb00](lxweb00) - 129.129.190.46 - Exports further repositories from AFS
* [login](login) - 129.129.190.131, 129.129.190.132, 129.129.190.133 - Shell login service for users
* [influx00](influx00) - 129.129.190.225 - Influx database server
* [metrics00](metrics00) - 129.129.190.226 - Grafana frontend for Influx
* [lxsup00](lxsup00) - 129.129.190.24 - Shell for Linux support, primarily to run bob
* [satint](satint) - 129.129.160.114 - PSI Satellite server
* http://linux.web.psi.ch - YUM repositories SL6 / RHEL7

![](overview_linux.drawio.svg)

## Misc

There is a KeePass file with passwords (ask Heinz or Edgar).

Access to the redhat.com knowledge base:

Login: kbaccess
Password: Kb4cc3ss

## Metrics

* [Overview Infrastructure](https://metrics.psi.ch/d/1SL13Nxmz/gfa-linux-tabular?orgId=1&from=now-6h&to=now&refresh=30s&var-env=telegraf_pli&var-host=boot00.psi.ch&var-host=influx00.psi.ch&var-host=lxweb00.psi.ch&var-host=metrics00.psi.ch&var-host=puppet01.psi.ch&var-host=pxeserv01.psi.ch&var-host=repo00.psi.ch&var-host=reposync.psi.ch)

# Procedures

* [Adding a new RHEL version to the RHEL7 install mechanism](newver)
* [How to grant access to RHEL7 infrastructure](https://git.psi.ch/linux-infra/user-ca/blob/master/README.md#automated-with-ansible-for-pli-infrastructure-systems-of-rhel-7)
* [Grant a new person rights for bob/sysdb](newbob)
* [How to reinstall a machine](howtoreinstall)

# Tools

* [SSH config](sshconf)

# HTTPS Certificates

* [HTTPS Certificates](https://linux.psi.ch/admin-guide/operations/certificates.html)

# SSH Certificates / Signing Public User Keys

Generate an SSH key, e.g. as follows:

```bash
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/linux_id_ed25519
```

Signing uses the [user CA certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg); this is automated by pasting the function below into your shell:

```bash
function sign-user-ssh-key {
    (
        name="$1"     # used both as the certificate key id (-I) and as its only principal (-n)
        pubkey="$2"   # path to the user's public key file
        # let the private key flow through a named pipe
        # so it never ends up on the file system
        umask 077
        pipe_base="$(mktemp)"   # MacOS does not know about --dry-run, so a real temp file is created
        pipe="${pipe_base}.pipe"
        echo "mkfifo '$pipe'"
        mkfifo "$pipe" || return 1
        [ -p "$pipe" ] || return 1
        # the CA key comes out of pass(1) and is written into the FIFO in the background
        echo "pass ssh-ca/user-ca > '$pipe' &"
        pass ssh-ca/user-ca > "$pipe" &
        # ssh-keygen reads the CA key from the FIFO; the certificate is valid for 55 weeks (-V +55w)
        echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'"
        ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey"
        echo "rm '$pipe' '$pipe_base'"
        rm "$pipe" "$pipe_base"
    )
}
```

and run it with the user name as principal and the public key file:

```bash
sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE
```

More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/

# Unix Groups

Currently we have the following AD groups to grant access to certain services/systems:

| Group | Notes |
| ---- | ---- |
| unx-lx_eng | Member of Linux engineering - used to give access to the management NFS filesystem, sysdb, ... |
| unx-linux_support | Used to give Linux supporters access to systems/services |
| unx-puppet_adm | Associated with the lxdev environment/systems |
| unx-puppet_dev | Developer of puppet code |
| unx-puppet_usr | User of puppet (i.e. needs access to the linux-infra group/repos) |

These two groups are used within ServiceNow to assign tickets:

| Group |
| ---- |
| itsm-linux |
| itsm-linux_2nd |

Access to the VM infrastructure for Linux core employees:

| Group | Notes |
| ---- | ---- |
| VC_Admins_Linux | Access to the PSI VM Infrastructure |
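To audit what the `sign-user-ssh-key` function above actually issued, the following added example (not part of this page or of the PSI tooling) decodes the fields of a `*-cert.pub` line written by `ssh-keygen -s` and checks that the certificate is a user certificate for exactly the requested principal with a validity window of at most 55 weeks. `build_sample_cert`, `parse_cert` and `check_cert` are names chosen here; the sample certificate is constructed with dummy key and signature bytes so the check runs offline, but `parse_cert` reads the real OpenSSH ed25519 certificate wire format and works on a genuine `~/.ssh/linux_id_ed25519-cert.pub` line as well.

```python
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # SSH2_CERT_TYPE_USER; host certificates are type 2

def _s(b):  # SSH wire "string": uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def build_sample_cert(principal, key_id, valid_after, valid_before):
    # Constructed sample in the OpenSSH certificate wire format; user key, CA key and signature are dummy bytes.
    body = (_s(CERT_TYPE.encode()) + _s(b"\x00" * 32) + _s(b"\x11" * 32)  # type, nonce, user public key
            + struct.pack(">QI", 0, USER_CERT)                            # serial, certificate type
            + _s(key_id.encode()) + _s(_s(principal.encode()))            # key id, principals (nested strings)
            + struct.pack(">QQ", valid_after, valid_before)               # validity window (unix epoch)
            + _s(b"") + _s(b"") + _s(b"")                                 # critical options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x22" * 32))                   # CA public key (dummy)
            + _s(_s(b"ssh-ed25519") + _s(b"\x33" * 64)))                  # signature (dummy, not verified here)
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} {key_id}"

def parse_cert(line):
    blob, pos = base64.b64decode(line.split()[1]), 0
    def rd_s():
        nonlocal pos
        n = struct.unpack_from(">I", blob, pos)[0]
        pos += 4 + n
        return blob[pos - n:pos]
    def rd_u(fmt):
        nonlocal pos
        pos += struct.calcsize(fmt)
        return struct.unpack_from(fmt, blob, pos - struct.calcsize(fmt))[0]
    if rd_s().decode() != CERT_TYPE:
        raise ValueError("not an ed25519 OpenSSH certificate")
    rd_s(); rd_s()                                   # nonce, user public key
    serial, ctype = rd_u(">Q"), rd_u(">I")
    key_id = rd_s().decode()
    praw, principals, p = rd_s(), [], 0
    while p < len(praw):                             # principals are a nested list of strings
        n = struct.unpack_from(">I", praw, p)[0]
        principals.append(praw[p + 4:p + 4 + n].decode()); p += 4 + n
    return {"serial": serial, "type": ctype, "key_id": key_id, "principals": principals,
            "valid_after": rd_u(">Q"), "valid_before": rd_u(">Q")}

def check_cert(line, expected_principal, max_weeks=55):
    # Policy mirroring the signing function: a user cert for exactly one principal, at most 55 weeks long.
    c = parse_cert(line)
    checks = [(c["type"] != USER_CERT, "not a user certificate"),
              (c["principals"] != [expected_principal], f"principals {c['principals']} != [{expected_principal!r}]"),
              (c["valid_before"] - c["valid_after"] > max_weeks * 7 * 86400 + 120,  # 120 s slack: ssh-keygen rounds the start down
               f"validity window longer than {max_weeks} weeks")]
    return [msg for failed, msg in checks if failed]  # empty list means the certificate matches policy
```

Run `check_cert(open(path).read(), principal)` on a freshly signed certificate; a non-empty list names each deviation from what the signing function is expected to produce.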