= System Administration =

The System Administration team is responsible for operation and maintenance of the servers and services provided by CAcert.

== Talking to us ==

 * '''Contact your local sysadmin''' directly using the '''[[https://selfservice.cacert.org/staff|FULL LISTING]]''' or the '''[[https://selfservice.cacert.org/staff#aliases|-admin@cacert.org aliases]]'''.
 * For more general things, join the [[https://lists.cacert.org/wws/info/cacert-sysadm|Sysadm mailing list]] and ask there.
 * For more formal things (bug reports), mail support@cacert.org.

== People ==

See also: [[SystemAdministration/Team]]

=== Infrastructure team ===

 * [[JanDittberner|Jan Dittberner]] - infrastructure team lead, infrastructure general, svn
 * [[Mario Lipinski]] - wiki, previous team lead, infrastructure general
 * [[BernhardFröhlich|Ted]] - CATS
 * [[Jochim Selzer]] - email, community

We are always looking for '''new System Administrators!''' To see what's going on, join the [[https://lists.cacert.org/wws/info/cacert-sysadm|Sysadm mailing list]]. If you have specific questions or want to know how to help, post there.

The (non-critical) infrastructure is based on [[https://www.debian.org/|Debian GNU/Linux]]. Most services run in LXC containers on two physical machines and are configured using [[https://puppet.com/docs/puppet/latest/puppet_index.html|Puppet]] from a [[https://git.cacert.org/gitweb/?p=cacert-puppet.git;a=summary|Git repository]]. [[https://infradocs.cacert.org/|Current documentation]] is built using [[http://www.sphinx-doc.org/en/master/|Sphinx]] on our [[https://jenkins.cacert.org/job/cacert-infradocs/|Jenkins CI server]]. We use [[https://icinga.com/docs/icinga2/latest/|Icinga 2]] for monitoring.

If you want to help with infrastructure administration, you need some knowledge of at least Git and should be willing to learn Puppet and Sphinx. Knowledge of Nagios checks or Icinga 2 would be a nice addition. We have some old systems that are not yet managed by Puppet and use outdated OS versions. Getting these systems and the software running on them up to date and managed by Puppet would be a great help. There are a lot of [[https://infradocs.cacert.org/|open TODO items in our documentation]] that require work or investigation, and we have some issues in the "Infrastructure" project of the [[https://bugs.cacert.org/|CAcert bug tracker]].

[[JanDittberner|Jan Dittberner]] currently leads the team.

=== Critical Servers team ===

 * Dirk Astrath

People marked (BIT) above are listed on the Firewall/OS Access list in Appendix B, [[https://svn.cacert.org/CAcert/CAcert_Inc/hosting/MoU-CAcert-secure-u-20130624-michael-bernhard-sebastian-werner-sig.pdf|MoU with secure-u]]. These people are able to get direct physical (console) access to the machines with secure-u assistance under [[SecurityManual]].

You can send encrypted e-mail to the critical server team by importing this certificate: [[attachment:critical-admin@cacert.org.crt]] into your e-mail client and using S/MIME encryption.
For verification purposes we include the decoded certificate header here:

{{{
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 159760 (0x27010)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Jul 25 08:35:21 2015 GMT
            Not After : Jul 24 08:35:21 2016 GMT
        Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., OU=Critical System Administrators, CN=Critical System Administrators/emailAddress=critical-admin@cacert.org
}}}

=== Access Engineers Team ===

 * Bas van den Dikkenberg
 * Hans Verbeek
 * Rudi van Drunen
 * Rudi Engelbertink
 * Stefan Kooman

Access Engineers provide physical gate-keeping to the BIT facility. They have to be present for all direct access by Critical admins. They are listed on the Firewall/Site Access list in Appendix B, [[https://svn.cacert.org/CAcert/CAcert_Inc/hosting/MoU-CAcert-secure-u-20130624-michael-bernhard-sebastian-werner-sig.pdf|MoU with secure-u]].

=== Documents ===

 * The System Administrator's "bible" is the [[SecurityManual]],
  * which is ruled by the [[http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html|(DRAFT) Security Policy]]. As the SP is now in DRAFT, it is binding on the system administrators (more precisely the critical sysadm team and the access engineers team).
 * All are under [[http://www.cacert.org/policy/CAcertCommunityAgreement.php|CCA]] as Members of CAcert. All are also Assurers, so are fully known to us. All are encouraged to be members of the [[CAcertInc|Association]] so as to have a say in big community decisions.
 * See also the [[https://www.cacert.org/policy/CertificationPracticeStatement.php|(DRAFT) CPS]], which describes what the application delivers.
 * [[https://svn.cacert.org/CAcert/principles.html|Principles]] of CAcert and some common good practices regarding privacy and professionalism from SAGE's [[http://sage.org/ethics/|Code of Ethics]].

'''List of Guides:'''

'''List of Procedures:'''

 * [[SystemAdministration/Procedures|SystemAdministration/Procedures]]

'''Projects:'''

 * [[SystemAdministration/InfrastructureHost|new Host for Infrastructure]]

== Systems ==

'''List of Systems:'''

== Roles ==

 * Public Services
 * Revocation Services
 * Support for CATS, audit
 * test services

== How to become team member ==

=== Critical Roles ===

The SP says that the board has to approve ABC'd roles:

 * crit sysadms
 * access engineers
 * support engineers
 * software analysts

The board or team lead has to start the process by filing a dispute for an ABC over the new candidate.

=== Non-critical roles ===

Please contact the Non-Critical-Infrastructure team lead, e.g. to become:

 * Wiki admin
 * Blog admin
 * Email admin
 * Lists admin
 * svn admin
 * irc admin
 * and others

The non-critical team lead will check the candidates and provide the access.

----
 . CategorySupport
 . CategoryInfrastructure
 . CategorySystems