Old revision: sysadmin [2020-05-23 12:04] – [Network] tim. New revision: sysadmin [2020-08-06 18:15] – [What do we maintain?] simon.
====== System Administration ====== | ====== System Administration ====== | ||
- | This page will describe how we organise ourselves to operate the lab's network and server infrastructure. | + | ===== What do we maintain? ===== |
- | ===== Categories ===== | + | ^ What ^ Who ^ |
+ | | Internet connection | Cameron, Simon | | ||
+ | | Core network router and switches | Cameron, Simon | | ||
+ | | WiFi access | Cameron | | ||
+ | | Rack space and network service for member colo servers | Cameron, Simon | | ||
+ | | Virtual machines for members | Cameron, Simon | | ||
+ | | DNS & DHCP | Cameron, Simon | | ||
+ | | Members registration and authentication | Ben, aql | | ||
+ | | Access management (doors, tools and lockers) | Tim Hawes | | ||
+ | | Shared services: shell, file storage, nextcloud | Cameron, Tim Hawes | | ||
+ | | Mailing lists | Tim Hawes | | ||
- | We separate administration into categories based on the level of security required. This is so that we can make a trade-off between including more interested members vs restricting access to sensitive data or highly critical systems. | + | ===== What don' |
- | | Internet of Things | + | * Hacklab email - this is currently hosted on fastmail.com |
- | | General Systems | + | * Domain registration - this is closely guarded. |
- | | Network | + | * Internet of Things |
- | | Personal Data | Members | + | |
- | ===== Network | + | ===== Communications |
- | https://lists.ehlab.uk/ | + | There is a //sysadmin// mailing list. We also use the main Hacklab IRC channel. |
- | There is a netadmin unix group which provides access to network-infrastructure VMs and webapps. | + | Users can reach us at // |
- | There is a network password for router and switch access. | + | ===== Access Privileges ===== |
- | ===== Sysadmin ===== | + | Network: The // |
- | https://lists.ehlab.uk/ | + | Servers: The //sysadmin// LDAP group will provide access to most other servers, with some sensitive systems excluded. There is a standard root password, but this is only used for console access and is generally disabled for SSH logins. |
- | ===== Restricted Access ===== | + | Team members will be expected to agree to the code of conduct before getting any privileges and may not receive all privileges immediately. |
- | These are the currently restricted services: | + | ===== Code of Conduct ===== |
- | * ehl-vm-access: | + | We adopt the [[https://www.usenix.org/system-administrators-code-ethics|System Administrators' |
- | * Access control for doors, tools and lockers. | + | |
- | * Hosted on magnesium. | + | |
- | * Available to sysadmin unix group. | + | |
- | * ehl-vm-admin: | + | |
- | * Members database | + | |
- | * Hosted on magnesium. | + | |
- | * Available to sysadmin unix group. | + | |
- | * ehl-vm-audit: | + | |
- | * Netflow, syslog, mqtt logs. 30 day retention. | + | |
- | * Hosted on Tim's server. | + | |
- | * Available to Tim. | + | |
- | * magnesium: | + | |
- | * Bare-metal VM server. | + | |
- | * Contains VMs with personal data, and VM that belong to individual members. | + | |
- | * Available to sysadmin unix group. | + | |
- | * ganymede and shell server: | + | |
- | * Home directories. | + | |
- | * Hosted on magnesium. | + | |
- | * Available to sysadmin unix group. | + | |
- | Tim's commentary: I would like to restructure these services so that the sysadmin team can be more inclusive. The members database will be moved to an external VM. I would like to adjust the expectations of privacy for home directories and members VMs so that more people can administrate the underlying host (magnesium). | + | Of particular interest: |
- | ===== Conduct ===== | + | > "I will maintain professional conduct in the workplace and will not allow personal feelings or beliefs to cause me to treat people unfairly or unprofessionally." |
- | What behaviour do we expect from members with access privileges? | + | This means use your powers only for good. You must not use them to annoy people. |
- | * Respect personal data by only accessing | + | > "I will access private information on computer systems |
- | * Act in good faith. | + | |
- | * Co-operate with other group members. Don't change | + | |
- | Should we adopt an existing code of conduct? https://www.usenix.org/ | + | This is important because the sysadmin team has access to users' VM and stored data, and to personal data entrusted to the organisation. |
+ | > "I will strive to ensure the necessary integrity, reliability, | ||
+ | > "I will design and maintain each system in a manner to support the purpose of the system to the organization." | ||
+ | This means that we need to co-operate as a team. The services we create should be maintainable after the person who created them has moved on. Technology choices should be shared. | ||
+ | ===== Technical Policies ===== | ||
+ | |||
+ | Server naming: | ||
+ | |||
+ | * Bare-metal servers are named after chemical elements. | ||
+ | * VMs are named functionally, | ||
+ | |||
+ | Configuration management: | ||
+ | |||
+ | * There is an [[https:// | ||
+ | * Use Docker for applications unless they are complex and require a dedicated host. | ||
+ | |||
+ | ===== More Pages ===== | ||
+ | |||
+ | * [[servers|List of servers]] | ||
+ | * [[network|Network]] | ||
+ | * [[wifi|WiFi]] | ||
+ | * [[ehana|Numbering]] | ||
+ | * https:// | ||
+ | * {{ : | ||
+ | |||
+ | Pages under the sysadmin namespace (login is required to see these): | ||
+ | |||
+ | <nspages sysadmin -h1 -textPages="" | ||
+ | ~~NOCACHE~~ | ||
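Review bot: the new Access Privileges row ("Servers: The //sysadmin// LDAP group will provide access to most other servers ... There is a standard root password, but this is only used for console access and is generally disabled for SSH logins.") introduces a shared root credential without saying where it is kept, who holds it, or when it is rotated; a shared password gives no per-person accountability, so the row should state that SSH root login is disabled in the server configuration rather than "generally" disabled, that day-to-day privilege comes through the LDAP group plus sudo, and how the password is stored and rotated when a team member leaves. The same revision also removes the old Restricted Access entry for ehl-vm-audit (netflow, syslog and mqtt logs, 30 day retention, hosted on Tim's server, available to Tim); since those logs are the evidence trail behind the conduct rule about accessing private information only when necessary, the new "What do we maintain?" table should keep a row for audit logging that records its retention and who can read it.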
sysadmin.txt · Last modified: 2022-04-22 13:47 by tim