Controls-docs/infrastructure-guide/home.md

Infrastructure Systems

List of systems and their primary role:

• pxeserv01 - 129.129.190.59 - TFTP server for PXE booting

• boot00 - 129.129.160.210 - Runs sysdb, providing the dynamic iPXE, Grub and kickstart files

• puppet01 - 129.129.160.118 - Runs the puppet server for the RHEL7 infra

• repo00 - 129.129.160.212 - RPM/Yum repository server for RHEL7

• repo01 - 129.129.190.190 - RPM/Yum repository server for RHEL8

• reposync - 129.129.161.222 - RPM/Yum repository server for RHEL8

• lxweb00 - 129.129.190.46 - Exports further repositories from AFS

• login - 129.129.190.131 129.129.190.132 129.129.190.133 - Shell login service for users

• influx00 - 129.129.190.225 - Influx database server

• metrics00 - 129.129.190.226 - Grafana frontend for Influx

• lxsup00 - 129.129.190.24 - Shell for linux support, primarily to run bob

• satint - 129.129.160.114 - PSI Satellite server

Misc

There is a keepass file with passwords (Heinz or Edgar)

Access to the redhat.com knowledge base:

Login: kbaccess
Passwort: Kb4cc3ss

Metrics

• Overview Infrastructure

Procedures

• Adding a new RHEL version to the RHEL7 install mechanism
• How to grant access to RHEL7 infrastructure
• Grant new person right for bob/sysdb
• How to reinstall a machine

Tools

• SSH config

HTTPS Certificates

• HTTPS Certificates

SSH Certificates / Signing Public User Keys

Use the ca certificate that is on the "Kai special USB stick" (the certificate permissions needs to be 600 !)

The signing is done like this:

ssh-keygen -s user-ca -I <username> -n <username> -V +55w id_ed25519.pub

More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/