sysadmin

sysadmin [2020-05-23 12:05] – [Sysadmin] timsysadmin [2022-04-22 13:47] (current) – [Technical Policies] tim
Line 1: Line 1:
 ====== System Administration ====== ====== System Administration ======
  
-This page will describe how we organise ourselves to operate the lab's network and server infrastructure.+===== What do we maintain? =====
  
-===== Categories =====+^ What ^ Who ^ 
 +| Internet connection | Cameron, Simon | 
 +| Core network router and switches | Cameron, Simon | 
 +| WiFi access | Cameron | 
 +| Rack space and network service for member colo servers | Cameron, Simon | 
 +| Virtual machines for members | Cameron, Simon | 
 +| DNS & DHCP | Cameron, Simon | 
 +| Members registration and authentication | Ben, adq, Tim H | 
 +| Access management (doors, tools and lockers) | Tim H | 
 +| Shared services: shell, file storage, nextcloud | Cameron | 
 +| Mailing lists | Ben, Simon, Tim H |
  
-We separate administration into categories based on the level of security required. This is so that we can make a trade-off between including more interested members vs restricting access to sensitive data or highly critical systems.+===== What don'we maintain? =====
  
-Internet of Things | Lights, sound, automation                           | Inclusive           | +  * Hacklab email - this is currently hosted on fastmail.com 
-| General Systems    | Public-facing webapps                               | Moderate            | +  * Domain registration - this is closely guarded. 
-| Network            | Router, firewall, switches, cabling, DNS, DHCP      | Slightly restricted to manage risk of outage | +  * Internet of Things at the lab - this is a free-for-all. 
-| Personal Data      | Members database, home directories, netflow recordsaccess control | Restricted to meet legal obligations |+  Members' servers - these are community-supportedor private.
  
-===== Network =====+===== Communications =====
  
-https://lists.ehlab.uk/mailman/listinfo/netadmin+There is a //sysadmin// mailing listWe also use the Hacklab IRC channel //#edinhacklab// and //#edinhacklab-sysadmin//.
  
-There is a netadmin unix group which provides access to network-infrastructure VMs and webapps.+Users can reach us at //sysadmin// at our usual domain.
  
-There is a network password for router and switch access.+===== Access Privileges =====
  
-===== Sysadmin =====+Network: The //netadmin// LDAP group provides access to network-related servers. There is a network password for the router, switches, UniFi controller and anything else that doesn't have LDAP user management.
  
-https://lists.ehlab.uk/mailman/listinfo/sysadmin+ServersThe //sysadmin// LDAP group will provide access to most other servers, with some sensitive systems excludedThere is a standard root password, but this is only used for console access and is generally disabled for SSH logins.
  
-There is a sysadmin unix group which provides access to most Linux servers.+Team members will be expected to agree to the code of conduct before getting any privileges and may not receive all privileges immediately.
  
-There is a standard root password for most Linux servers, though it is likely to be disabled over SSH in favour of SSH keys.+===== Code of Conduct =====
  
-===== Restricted Access =====+We adopt the [[https://www.usenix.org/system-administrators-code-ethics|System Administrators' Code of Ethics]].
  
-These are the currently restricted services:+Of particular interest:
  
-  * ehl-vm-access: +> "I will maintain professional conduct in the workplace and will not allow personal feelings or beliefs to cause me to treat people unfairly or unprofessionally."
-    * Access control for doors, tools and lockers. +
-    * Hosted on magnesium. +
-    * Available to sysadmin unix group. +
-  * ehl-vm-admin: +
-    * Members database +
-    * Hosted on magnesium. +
-    * Available to sysadmin unix group. +
-  * ehl-vm-audit: +
-    * Netflow, syslog, mqtt logs. 30 day retention. +
-    * Hosted on Tim's server. +
-    * Available to Tim. +
-  * magnesium: +
-    * Bare-metal VM server. +
-    * Contains VMs with personal data, and VM that belong to individual members. +
-    * Available to sysadmin unix group. +
-  * ganymede and shell server: +
-    * Home directories. +
-    * Hosted on magnesium. +
-    * Available to sysadmin unix group.+
  
-Tim's commentary: I would like to restructure these services so that the sysadmin team can be more inclusiveThe members database will be moved to an external VM. I would like to adjust the expectations of privacy for home directories and members VMs so that more people can administrate the underlying host (magnesium).+This means use your powers only for goodYou must not use them to annoy people.
  
-===== Conduct =====+> "I will access private information on computer systems only when it is necessary in the course of my technical duties. I will maintain and protect the confidentiality of any information to which I may have access, regardless of the method by which I came into knowledge of it."
  
-What behaviour do we expect from members with access privileges?+This is important because the sysadmin team has access to users' VM and stored data, and to personal data entrusted to the organisation.
  
-  * Respect personal data by only accessing it when legally or technically necessary, or when requested by the owner+> "I will strive to ensure the necessary integrityreliability, and availability of the systems for which I am responsible." 
-  * Act in good faith. +> "I will design and maintain each system in a manner to support the purpose of the system to the organization."
-  * Co-operate with other group members. Don't change the technology choices or methods without discussing first.+
  
-Should we adopt an existing code of conduct? https://www.usenix.org/system-administrators-code-ethics+This means that we need to co-operate as a teamThe services we create should be maintainable after the person who created them has moved on. Technology choices should be shared.
  
 +===== Technical Policies =====
  
 +Server naming:
  
 +  * Bare-metal servers and off-site VMs are named after chemical elements.
 +  * On-site VMs are named by function, in the format ehl-vm-xxxxxxx.
 +
 +Configuration management:
 +
 +  * There is an [[https://gitea.ehlab.uk/hacklab/ansible-hacklab-server|ansible profile]] for low-level configuration.
 +  * Use Docker for applications unless they are complex and require a dedicated host.
 +
 +Languages:
 +
 +  * We prefer Python.
 +  * If a custom application is written for Hacklab then Python should be the default choice.
 +
 +===== More Pages =====
 +
 +  * [[servers|List of servers]]
 +  * [[network|Network]]
 +  * [[wifi|WiFi]]
 +  * [[ehana|Numbering]]
 +  * https://netbox.ehlab.uk/
 +  * {{ :sysadmin:network-diagrams-20200701.pdf |Network Diagrams}}
 +
 +Pages under the sysadmin namespace (login is required to see these):
 +
 +<nspages sysadmin -h1 -textPages="" -simpleList>
 +~~NOCACHE~~
  
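Review bot: the new Access Privileges section introduces two shared secrets, the network password for the router, switches, UniFi controller and other non-LDAP devices, and the standard root password used for console access, but says nothing about where they are kept or when they are rotated; since the same revision says team members "may not receive all privileges immediately", add a line stating that both are rotated whenever someone leaves the team or loses privileges, and that SSH root login stays disabled in favour of LDAP or key-based access, as the text already implies. Also, several rendered lines have lost characters at the change boundaries ("What don'we maintain?", "listWe also use", "ServersThe //sysadmin//", "integrityreliability", "community-supportedor private"); check that the saved wiki source reads correctly.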
sysadmin.1590235534.txt.gz · Last modified: 2020-05-23 12:05 by tim
