This is an old revision of the document!
Table of Contents
System Administration
This page will describe how we organise ourselves to operate the lab's network and server infrastructure.
Categories
We separate administration into categories based on the level of security required. This is so that we can make a trade-off between including more interested members vs restricting access to sensitive data or highly critical systems.
Internet of Things | Lights, sound, automation | Inclusive |
General Systems | Public-facing webapps | Moderate |
Network | Router, firewall, switches, cabling, DNS, DHCP | Slightly restricted to manage risk of outage |
Personal Data | Members database, home directories, netflow records, access control | Restricted to meet legal obligations |
Network
https://lists.ehlab.uk/mailman/listinfo/netadmin
There is a netadmin unix group which provides access to network-infrastructure VMs and webapps.
There is a network password for router and switch access.
Sysadmin
https://lists.ehlab.uk/mailman/listinfo/sysadmin
There is a sysadmin unix group which provides access to most Linux servers.
There is a standard root password for most Linux servers, though it is likely to be disabled over SSH in favour of SSH keys.
Restricted Access
These are the currently restricted services:
- ehl-vm-access:
- Access control for doors, tools and lockers.
- Hosted on magnesium.
- Available to sysadmin unix group.
- ehl-vm-admin:
- Members database
- Hosted on magnesium.
- Available to sysadmin unix group.
- ehl-vm-audit:
- Netflow, syslog, mqtt logs. 30 day retention.
- Hosted on Tim's server.
- Available to Tim.
- magnesium:
- Bare-metal VM server.
- Contains VMs with personal data, and VM that belong to individual members.
- Available to sysadmin unix group.
- ganymede, shell server, radon:
- Home directories.
- Nextcloud storage.
- Hosted on magnesium.
- Available to sysadmin unix group.
Tim's commentary: I would like to restructure these services so that the sysadmin team can be more inclusive. The members database will be moved to an external VM. I would like to adjust the expectations of privacy for home directories and members VMs so that more people can administrate the underlying host (magnesium).
Conduct
What behaviour do we expect from members with access privileges?
- Respect personal data by only accessing it when legally or technically necessary, or when requested by the owner.
- Act in good faith.
- Co-operate with other group members. Don't change the technology choices or methods without discussing first.
Should we adopt an existing code of conduct? https://www.usenix.org/system-administrators-code-ethics
Technical Policies
Server naming:
- Bare-metal servers are named after chemical elements.
- VMs are named functionally, in the format ehl-vm-xxxxxxx.
Configuration management:
- There is an ansible profile for low-level configuration.
- Use Docker for applications unless they are complex and require a dedicated host.