System Administration

This page will describe how we organise ourselves to operate the lab's network and server infrastructure.

Categories

We separate administration into categories based on the level of security required. This lets us trade off including more interested members against restricting access to sensitive data or highly critical systems.

Category           | Scope                                                                  | Access policy
Internet of Things | Lights, sound, automation                                              | Inclusive
General Systems    | Public-facing webapps                                                  | Moderate
Network            | Router, firewall, switches, cabling, DNS, DHCP                         | Slightly restricted to manage risk of outage
Personal Data      | Members database, home directories, netflow records, access control    | Restricted to meet legal obligations

Network

https://lists.ehlab.uk/mailman/listinfo/netadmin

There is a netadmin unix group which provides access to network-infrastructure VMs and webapps.

There is a network password for router and switch access.

Sysadmin

https://lists.ehlab.uk/mailman/listinfo/sysadmin

There is a sysadmin unix group which provides access to most Linux servers.

There is a standard root password for most Linux servers, though it is likely to be disabled over SSH in favour of SSH keys.

Restricted Access

These are the currently restricted services:

  • ehl-vm-access:
    • Access control for doors, tools and lockers.
    • Hosted on magnesium.
    • Available to sysadmin unix group.
  • ehl-vm-admin:
    • Members database
    • Hosted on magnesium.
    • Available to sysadmin unix group.
  • ehl-vm-audit:
    • Netflow, syslog and MQTT logs; 30-day retention.
    • Hosted on Tim's server.
    • Available to Tim.
  • magnesium:
    • Bare-metal VM server.
    • Contains VMs with personal data, and VMs that belong to individual members.
    • Available to sysadmin unix group.
  • ganymede and shell server:
    • Home directories.
    • Hosted on magnesium.
    • Available to sysadmin unix group.

Tim's commentary: I would like to restructure these services so that the sysadmin team can be more inclusive. The members database will be moved to an external VM. I would like to adjust the expectations of privacy for home directories and members VMs so that more people can administrate the underlying host (magnesium).

Conduct

What behaviour do we expect from members with access privileges?

  • Respect personal data by only accessing it when legally or technically necessary, or when requested by the owner.
  • Act in good faith.
  • Co-operate with other group members. Don't change the technology choices or methods without discussing first.

Should we adopt an existing code of conduct? https://www.usenix.org/system-administrators-code-ethics

sysadmin.1590235534.txt.gz · Last modified: 2020-05-23 12:05 by tim
