User Tools

Site Tools


sysadmin

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
sysadmin [2020-05-23 12:05]
tim [Sysadmin]
sysadmin [2020-06-02 21:36] (current)
tim [More Pages]
Line 1: Line 1:
 ====== System Administration ====== ====== System Administration ======
  
-This page will describe how we organise ourselves to operate ​the lab's network and server infrastructure.+At the time of writing, most of Hacklab's network and server infrastructure ​is maintained by two people. At least one of them wants an escape plan. We need a bigger sysadmin team.
  
-===== Categories ​=====+===== What do we maintain? ​=====
  
-We separate administration into categories based on the level of security required. This is so that we can make a trade-off between including more interested members vs restricting ​access ​to sensitive data or highly critical systems.+  * Internet connection 
 +  * Core network router and switches 
 +  * WiFi access 
 +  * Rack space and network service for member colo servers 
 +  * Virtual machines for members 
 +  * DNS & DHCP 
 +  * Members registration and authentication 
 +  * Access management (doors, tools and lockers) 
 +  * Shared services: shell, file storage, nextcloud 
 +  * Mailing lists
  
-| Internet of Things | Lights, sound, automation ​                          | Inclusive ​          | +===== What don't we maintain? =====
-| General Systems ​   | Public-facing webapps ​                              | Moderate ​           | +
-| Network ​           | Router, firewall, switches, cabling, DNS, DHCP      | Slightly restricted to manage risk of outage | +
-| Personal Data      | Members database, home directories,​ netflow records, access control | Restricted to meet legal obligations |+
  
-===== Network =====+  * Hacklab email - this is currently hosted on fastmail.com 
 +  * Domain registration - this is closely guarded. 
 +  * Internet of Things at the lab - this is a free-for-all. 
 +  * Members'​ servers - these are community-supported,​ or private.
  
-https://​lists.ehlab.uk/​mailman/​listinfo/​netadmin+===== Communications =====
  
-There is a netadmin unix group which provides access to network-infrastructure VMs and webapps.+There is a //​sysadmin//​ mailing list. We also use the main Hacklab IRC channel.
  
-There is a network password for router and switch access.+Users can reach us at //​sysadmin//​ at our usual domain.
  
-===== Sysadmin ​=====+===== Access Privileges ​=====
  
-https://lists.ehlab.uk/​mailman/​listinfo/​sysadmin+NetworkThe //netadmin// LDAP group provides access to network-related serversThere is a network password for the router, switches, UniFi controller and anything else that doesn'​t have LDAP user management.
  
-There is a sysadmin ​unix group which provides ​access to most Linux servers.+Servers: The //sysadmin// LDAP group will provide ​access to most other servers, with some sensitive systems excluded. There is a standard root password, but this is only used for console access and is generally disabled for SSH logins.
  
-There is a standard root password for most Linux servers, though it is likely to be disabled over SSH in favour ​of SSH keys.+Team members will be expected to agree to the code of conduct before getting any privileges and may not receive all privileges immediately.
  
-===== Restricted Access ​=====+===== Code of Conduct ​=====
  
-These are the currently restricted services:+We adopt the [[https://​www.usenix.org/​system-administrators-code-ethics|System Administrators'​ Code of Ethics]].
  
-  * ehl-vm-access: +Of particular interest:
-    * Access control for doors, tools and lockers. +
-    * Hosted on magnesium. +
-    * Available to sysadmin unix group. +
-  * ehl-vm-admin:​ +
-    * Members database +
-    * Hosted on magnesium. +
-    * Available to sysadmin unix group. +
-  * ehl-vm-audit:​ +
-    * Netflow, syslog, mqtt logs. 30 day retention. +
-    * Hosted on Tim's server. +
-    * Available to Tim. +
-  * magnesium:​ +
-    * Bare-metal VM server. +
-    * Contains VMs with personal data, and VM that belong to individual members. +
-    * Available to sysadmin unix group. +
-  * ganymede and shell server: +
-    * Home directories. +
-    * Hosted on magnesium. +
-    * Available to sysadmin unix group.+
  
-Tim's commentary: ​would like to restructure these services so that the sysadmin team can be more inclusive. The members database ​will be moved to an external VM. I would like to adjust the expectations of privacy for home directories and members VMs so that more people ​can administrate the underlying host (magnesium).+> "will maintain professional conduct in the workplace and will not allow personal feelings or beliefs ​to cause me to treat people ​unfairly or unprofessionally."
  
-===== Conduct =====+This means use your powers only for good. You must not use them to annoy people.
  
-What behaviour do we expect from members with access ​privileges?+> "I will access ​private information on computer systems only when it is necessary in the course of my technical duties. I will maintain and protect the confidentiality of any information to which I may have access, regardless of the method by which I came into knowledge of it."
  
-  * Respect personal data by only accessing it when legally or technically necessary, or when requested by the owner. +This is important because ​the sysadmin team has access to users' ​VM and stored data, and to personal data entrusted to the organisation.
-  * Act in good faith. +
-  * Co-operate with other group members. Don't change ​the technology choices or methods without discussing first.+
  
-Should we adopt an existing code of conduct? https://www.usenix.org/system-administrators-code-ethics+> "I will strive to ensure the necessary integrity, reliability,​ and availability ​of the systems for which I am responsible.
 +> "I will design and maintain each system ​in a manner to support the purpose of the system to the organization."​
  
 +This means that we need to co-operate as a team. The services we create should be maintainable after the person who created them has moved on. Technology choices should be shared.
  
 +===== Technical Policies =====
  
 +Server naming:
 +
 +  * Bare-metal servers are named after chemical elements.
 +  * VMs are named functionally,​ in the format ehl-vm-xxxxxxx.
 +
 +Configuration management:
 +
 +  * There is an [[https://​gitea.ehlab.uk/​hacklab/​ansible-hacklab-server|ansible profile]] for low-level configuration.
 +  * Use Docker for applications unless they are complex and require a dedicated host.
 +
 +===== More Pages =====
 +
 +  * [[servers|List of servers]]
 +  * [[network|Network]]
 +  * [[private:​sysadmin_todo|Projects and Issues]]
 +  * [[wifi|WiFi]]
 +  * [[dnsdhcp|DNS and DHCP]]
 +  * [[ehana|Numbering]]
 +  * https://​netbox.ehlab.uk/​
 +
 +Pages under sysadmin:*
 +
 +<nspages sysadmin -h1 -textPages=""​ -simpleList>​
 +~~NOCACHE~~
  
sysadmin.1590235534.txt.gz · Last modified: 2020-05-23 12:05 by tim