cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Jan Dittberner <jandd AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org
- Cc: cacert-board AT cacert.org, critical-admin AT cacert.org, infrastructure-admin AT cacert.org
- Subject: State of CAcert Infrastructure
- Date: Mon, 2 Feb 2015 22:12:28 +0100
Dear system administrators,
this is the first edition of a hopefully regular series of "State of the
CAcert Infrastructure" mails. I will prepare future editions in the Wiki [1]
and welcome contributions from all of you. I hope this mail will help us to
get a better overview of what is happening and what everybody is doing.
Another idea is to reuse most of this mail and its successors as input for
our part for the AGM report [2].
[1] https://wiki.cacert.org/SystemAdministration/StateOfInfrastructureMail
[2] https://wiki.cacert.org/AGM/TeamReports
Infrastructure team lead
========================
Soon after the last AGM in July 2014 I had a discussion with Mario where I
volunteered to take over the team leader position for the infrastructure
team. Mario informed the board in October that he decided to step back and
proposed that I would take that position. A board vote took place in January
and I seem to be officially appointed as Infrastructure Team leader [3].
I thank Mario for all his work, especially the support with the system
updates of outdated infrastructure systems. Mario will thankfully continue
to help with system administration.
I hope to do something positive with the team leader role and would like to
hear what you expect from your team leader (besides writing AGM report
parts). I will lurk in #sysadm on irc.cacert.org. More in-depth discussions
should take place on the cacert-sysadm list [4] or via private mail if you
have something personal/sensitive to discuss.
[3] https://community.cacert.org/board/motions.php?motion=m20150111.2
[4] https://lists.cacert.org/wws/info/cacert-sysadm
Documentation status
====================
In February I started to update our systems documentation [5] and announced
it to the sysadm list [6]. I continued the effort and got valuable input
from Wytze. We now have an up-to-date IP address list [7] and updated pages
for many of the systems on our infrastructure host. I will continue to get
the documentation complete and current and would appreciate any help.
[5] https://wiki.cacert.org/SystemAdministration/Systems
[6] https://lists.cacert.org/wws/arc/cacert-sysadm/2014-02/msg00000.html
[7] https://wiki.cacert.org/SystemAdministration/IPList
Monitoring
==========
Martin Gummi maintains an Icinga instance [8] that tracks some metrics for
our infrastructure systems. At the moment we have checks for APT update
status, SSH access and other public services. If you have more ideas of
useful monitoring data please give your suggestions via the cacert-sysadm
list or via tickets in the Infrastructure category of our bug tracker [9].
[8] https://monitor.cacert.org/
[9] https://bugs.cacert.org/
Team census
===========
I would like to know whether the infrastructure systems are well maintained
and where we need more manpower. From my observation there are only a few
active administrators. I will create a list of systems with the list of
people that have sudo accounts on these systems and will ask all of you
whether you are still doing work. So be prepared for some mail from me.
System changes
==============
During the last few months we had some system changes that were not
announced (as far as I know):
Irc -> Ircserver
----------------
The existing container irc [10] that runs a manually compiled version of the
oftc-hybrid ircd is showing its age. I updated the system to Debian Wheezy
but was not able to bring the broken ircservices back to life.
Martin Gummi asked me to set up a new container to provide a new irc system.
That container is ircserver [11] and will replace the old irc container
hopefully sooner than later.
[10] https://wiki.cacert.org/SystemAdministration/Systems/Irc
[11] https://wiki.cacert.org/SystemAdministration/Systems/Ircserver
Webstatic
---------
Shortly before FOSDEM Martin Gummi asked me to set up a new container
webstatic [12] that will be used to serve static websites for different
purposes. The first application on that container is the funding page [13].
Martin and Benny Baumann take care of that container and set up a gitolite
instance to allow publishing pages via Git.
[12] https://wiki.cacert.org/SystemAdministration/Systems/Webstatic
[13] https://funding.cacert.org/
Jenkins
-------
I started working on a Jenkins instance on a new container jenkins after
some discussion on the policy list [14] and will set up a job to build policy
documents from textual sources. The Jenkins instance may also be used for
other continuous integration scenarios (i.e. automated software builds)
later.
[14] https://lists.cacert.org/wws/arc/cacert-policy/2015-01/msg00053.html
Emailout
--------
I just switched emailout to a new container running Debian Wheezy. According
to the system logs everything seems to work properly. If you see any problem
with outgoing mails please tell me.
The only visible changes from the old container to the new one are
new SSH host keys. I documented the changes in the Wiki [15] and asked
our fellow DNS admins to replace the SSHFP records for emailout earlier
today.
[15] https://wiki.cacert.org/SystemAdministration/Systems/Emailout
Fate of webmail and email
-------------------------
I'm planning to replace the webmail and email containers in the next few days
too.
DKIM and DMARC
--------------
I plan to enable DKIM signing of our outgoing mails once the setup of the
mail containers is done. Do you have any doubts or remarks regarding this
plan?
Benny Baumann suggested to consider adding DMARC records when DKIM is
working properly.
Kind regards
Jan
PS: please excuse my English, I'm not a native speaker
--
Jan Dittberner - CAcert Infrastructure Team
Software Architect, Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
https://jan.dittberner.info/
Attachment:
smime.p7s
Description: S/MIME cryptographic signature