cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Martin Gummi <martin.gummi AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org
- Cc: cacert-board AT lists.cacert.org, critical-admin AT cacert.org, infrastructure-admin AT cacert.org
- Subject: Re: State of CAcert Infrastructure
- Date: Tue, 03 Feb 2015 00:01:50 +0100
- Organization: CAcert.org
Dear Jan,
thanks for this report and your very good documentation.
--
best regards
Martin Gummi
CAcert.org - Free Certificates
E-Mail: martin.gummi AT cacert.org
On 02.02.2015 22:12, Jan Dittberner wrote:
> Dear system administrators,
>
> this is the first edition of a hopefully regular series of "State of the
> CAcert Infrastructure" mails. I will prepare future editions in the Wiki [1]
> and welcome contributions from all of you. I hope this mail will help us to
> get a better overview of what is happening and what everybody is doing.
> Another idea is to reuse most of this mail and its successors as input for
> our part for the AGM report [2].
>
> [1] https://wiki.cacert.org/SystemAdministration/StateOfInfrastructureMail
> [2] https://wiki.cacert.org/AGM/TeamReports
>
>
> Infrastructure team lead
> ========================
>
> Soon after the last AGM in July 2014 I had a discussion with Mario where I
> volunteered to take over the team leader position for the infrastructure
> team. Mario informed the board in October that he decided to step back and
> proposed that I would take that position. A board vote took place in January
> and I seem to be officially appointed as Infrastructure Team leader [3].
>
> I thank Mario for all his work, especially the support with the system
> updates of outdated infrastructure systems. Mario will thankfully continue
> to help with system administration.
>
> I hope to do something positive with the team leader role and would like to
> hear what you expect from your team leader (besides writing AGM report
> parts). I will lurk in #sysadm on irc.cacert.org. More in-depth discussions
> should take place on the cacert-sysadm list [4] or via private mail if you
> have something personal/sensitive to discuss.
>
> [3] https://community.cacert.org/board/motions.php?motion=m20150111.2
> [4] https://lists.cacert.org/wws/info/cacert-sysadm
>
>
> Documentation status
> ====================
>
> In February I started to update our systems documentation [5] and announced
> it to the sysadm list [6]. I continued the effort and got valuable input
> from Wytze. We now have an up-to-date IP address list [7] and updated pages
> for many of the systems on our infrastructure host. I will continue to get
> the documentation complete and current and would appreciate any help.
>
> [5] https://wiki.cacert.org/SystemAdministration/Systems
> [6] https://lists.cacert.org/wws/arc/cacert-sysadm/2014-02/msg00000.html
> [7] https://wiki.cacert.org/SystemAdministration/IPList
>
>
> Monitoring
> ==========
>
> Martin Gummi maintains an Icinga instance [8] that tracks some metrics for
> our infrastructure systems. At the moment we have checks for APT update
> status, SSH access and other public services. If you have more ideas of
> useful monitoring data please give your suggestions via the cacert-sysadm
> list or via tickets in the Infrastructure category of our bug tracker [8].
>
> [8] https://monitor.cacert.org/
> [9] https://bugs.cacert.org/
>
>
> Team census
> ===========
>
> I would like to know whether the infrastructure systems are well maintained
> and where we need more manpower. From my observation there are only a few
> active administrators. I will create a list of systems with the list of
> people that have sudo accounts on these systems and will ask all of you
> whether you are still doing work. So be prepared for some mail from me.
>
>
> System changes
> ==============
>
> During the last few months we had some system changes that were not
> announced (as far as I know):
>
>
> Irc -> Ircserver
> ----------------
>
> The existing container irc [10] that runs a manually compiled version of the
> oftc-hybrid ircd is showing its age. I updated the system to Debian Wheezy
> but was not able to bring the broken ircservices back to life.
>
> Martin Gummi asked me to set up a new container to provide a new irc system.
> That container is ircserver [11] and will replace the old irc container
> hopefully sooner than later.
>
> [10] https://wiki.cacert.org/SystemAdministration/Systems/Irc
> [11] https://wiki.cacert.org/SystemAdministration/Systems/Ircserver
>
>
> Webstatic
> ---------
>
> Shortly before FOSDEM Martin Gummi asked me to set up a new container
> webstatic [12] that will be used to serve static websites for different
> purposes. The first application on that container is the funding page [13].
>
> Martin and Benny Baumann take care of that container and set up a gitolite
> instance to allow publishing pages via Git.
>
> [12] https://wiki.cacert.org/SystemAdministration/Systems/Webstatic
> [13] https://funding.cacert.org/
>
>
> Jenkins
> -------
>
> I started working on a Jenkins instance on a new container jenkins after
> some discussion on the policy list [14] and will set up a job to build policy
> documents from textual sources. The Jenkins instance may also be used for
> other continuous integration scenarios (i.e. automated software builds)
> later.
>
> [14] https://lists.cacert.org/wws/arc/cacert-policy/2015-01/msg00053.html
>
>
> Emailout
> --------
>
> I just switched emailout to a new container running Debian Wheezy. According
> to the system logs everything seems to work properly. If you see any problem
> with outgoing mails please tell me.
>
> The only visible changes from the old container to the new one are new SSH
> host keys. I documented the changes in the Wiki [15] and asked
> our fellow DNS admins to replace the SSHFP records for emailout earlier
> today.
>
> [15] https://wiki.cacert.org/SystemAdministration/Systems/Emailout
>
>
> Fate of webmail and email
> -------------------------
>
> I'm planning to replace the webmail and email containers in the next few
> days too.
>
>
> DKIM and DMARC
> --------------
>
> I plan to enable DKIM signing of our outgoing mails once the setup of the
> mail containers is done. Do you have any doubts or remarks regarding this
> plan?
>
> Benny Baumann suggested to consider adding DMARC records when DKIM is
> working properly.
>
>
> Kind regards
> Jan
>
> PS: please excuse my English, I'm not a native speaker
>
Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
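Added example, not part of the original mail or of CAcert's tooling: after a host key change like the one described for emailout, a check such as this shows which published SSHFP records are stale and which are still missing. The key bytes and the `make_ed25519_line` helper are constructed for illustration only.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return {(alg, fp_type, hex_digest)} for one OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line was truncated or edited.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    alg = KEY_ALGS[key_type]
    return {(alg, t, h(blob).hexdigest()) for t, h in FP_TYPES.items()}


def audit(host_key_lines, published):
    """Compare host keys with published SSHFP rdata strings ("4 2 <hex>")."""
    expected = set()
    for line in host_key_lines:
        expected |= sshfp_records(line)
    seen = set()
    for rdata in published:
        alg, fp_type, digest = rdata.split(None, 2)
        seen.add((int(alg), int(fp_type), digest.replace(" ", "").lower()))
    return {"stale": sorted(seen - expected), "missing": sorted(expected - seen)}


def make_ed25519_line(raw32):
    """Build a constructed ssh-ed25519 public key line from 32 raw bytes."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-key"


if __name__ == "__main__":
    old = make_ed25519_line(bytes(32))         # constructed key of the old container
    new = make_ed25519_line(bytes(range(32)))  # constructed key of the new container
    zone = ["%d %d %s" % r for r in sshfp_records(old)]  # DNS still has old records
    print(audit([new], zone))
```

Records listed under `stale` no longer match any current host key and should be withdrawn; those under `missing` have to be published before clients using `VerifyHostKeyDNS` can validate the new keys.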