The system documentation is currently being rewritten in a new system that builds HTML from reStructuredText/Sphinx sources.
The Git repository is at https://git.cacert.org/cacert-infradocs.git/
The generated documentation is published to https://infradocs.cacert.org/.
Instructions on how to work on the new documentation are available at https://infradocs.cacert.org/building.html.
For some more background information see the mailing list thread at https://lists.cacert.org/wws/arc/cacert-sysadm/2016-05/msg00000.html.
System Administration
The System Administration team is responsible for operation and maintenance of the servers and services provided by CAcert.
Talking to us
Contact your local sysadmin directly using the FULL LISTING or the <system>-admin@cacert.org aliases.
For more general things, join the Sysadm Maillist and ask there.
For more formal things (bug reports) mail to support@cacert.org.
People
See also: SystemAdministration/Team
Infrastructure team
Jan Dittberner - infrastructure team lead, infrastructure general, svn
Mario Lipinski - wiki, previous team lead, infrastructure general
Ted - CATS
Jochim Selzer - email, community
We are always looking for new System Administrators! To see what's going on, join the Sysadm Maillist. If you have specific questions or want to know how to help, post there.
The (non-critical) infrastructure is based on Debian GNU/Linux, mainly running in LXC containers on two physical machines, and is configured using Puppet from a Git repository. Current documentation is built using Sphinx on our Jenkins CI server. We use Icinga 2 for monitoring.
If you want to help with infrastructure administration you need some knowledge of at least Git and should be willing to learn Puppet and Sphinx. Knowledge of Nagios checks or Icinga 2 would be a nice addition.
We have some old systems that are not yet managed by Puppet and that use outdated OS versions. Getting these systems and the software running on them up to date and managed by Puppet would be a great help. There are a lot of open TODO items in our documentation that require work or investigation, and we have some issues in the "Infrastructure" project of the CAcert bug tracker.
Jan Dittberner currently leads the team.
Critical Servers team
- Dirk Astrath
People marked (BIT) above are listed on the Firewall/OS Access list in Appendix B, MoU with secure-u. These people are able to get direct physical (console) access to the machines with secure-u assistance under SecurityManual.
You can send encrypted e-mail to the critical server team by importing this certificate: critical-admin@cacert.org.crt into your e-mail client and using S/MIME encryption. For verification purposes we include the decoded certificate header here:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 159760 (0x27010)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Jul 25 08:35:21 2015 GMT
            Not After : Jul 24 08:35:21 2016 GMT
        Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., OU=Critical System Administrators, CN=Critical System Administrators/emailAddress=critical-admin@cacert.org
Access Engineers Team
- Bas van den Dikkenberg
- Hans Verbeek
- Rudi van Drunen
- Rudi Engelbertink
- Stefan Kooman
Access Engineers provide physical gate-keeping to the BIT facility. They have to be present for all direct access by Critical admins. They are listed on the Firewall/Site Access list in Appendix B, MoU with secure-u.
Documents
The System Administrator's "bible" is the SecurityManual, which is ruled by the (DRAFT) Security Policy. As the SP is now in DRAFT, it is binding on the system administrators (more precisely the critical sysadm team and the access engineers team).
All are under CCA as Members of CAcert. All are also Assurers, so are fully known to us. All are encouraged to be members of the Association so as to have a say in big community decisions.
See also the (DRAFT) CPS, which describes what the application delivers.
Principles of CAcert and some common good practices regarding privacy and professionalism from SAGE's Code of Ethics.
List of Guides:
- CategoryGuidesByOS
- CategoryMacintosh
- SystemAdministration
- Technology/KnowledgeBase/Server/SimpleApacheCert
- Technology/KnowledgeBase/Server/SimpleApacheCert/CZ
- Technology/KnowledgeBase/WebAppCertLogin/Drupal
- Technology/KnowledgeBase/WebAppCertLogin/dotProject
- Technology/KnowledgeBase/WebAppCertLogin/dotProject/CZ
List of Procedures:
- CategoryProcedures
- Community/HomePagesMembers/EvaStöwe/KPL_process
- Roots/CreationCeremony
- SecurityManual
- SecurityManual/CZ
- Software/Assessment/Documentation/EmergencyPatches
- SystemAdministration
- SystemAdministration/Procedures/CertificateIssuing
- SystemAdministration/Procedures/DNSChanges
- SystemAdministration/Procedures/DiskEncryption
- SystemAdministration/Procedures/DiskMirroring
- SystemAdministration/Procedures/DriveRetirement
- SystemAdministration/Procedures/FirewallChanges
- SystemAdministration/Procedures/FullBackupRestore
- SystemAdministration/Procedures/InfrastructureTeam
- SystemAdministration/Procedures/KeyPeopleContacts
- SystemAdministration/Procedures/KeysEscrow
- SystemAdministration/Procedures/OcspResponder
- SystemAdministration/Procedures/OperatingSystemPatches
- SystemAdministration/Procedures/PasswordManagement
- SystemAdministration/Procedures/SoftwarePatches
Projects:
Systems
List of Systems:
- CategoryCommunication
- CategorySystems
- DebianVulnerabilityHandling
- DebianVulnerabilityHandling/CZ
- DisasterRecovery
- EmailListsOverview
- IPv6
- IPv6/CZ
- InfrastructureReDesign
- OcspResponder
- OcspResponder/CZ
- SecurityManual
- SecurityManual/CZ
- Software/Assessment/testserver
- Software/Assessment/testserver/CZ
- Software/Assessment/testserver/setup
- Software/DevelopmentWorkflow
- Software/Webdb
- Software/Webdb/Maintenance/AddNewRoots
- Software/Webdb/Maintenance/DatabaseUpgrades
- SuggestKeySizes
- SuggestKeySizes/CZ
- SystemAdministration
- SystemAdministration/AdminCandidates
- SystemAdministration/CableIndex
- SystemAdministration/CertificateList
- SystemAdministration/EmergencyLogs
- SystemAdministration/EquipmentList
- SystemAdministration/IPList
- SystemAdministration/InfrastructureHost
- SystemAdministration/InfrastructureHost/MinimalistHostingAgreement
- SystemAdministration/Procedures
- SystemAdministration/Procedures/DNSChanges
- SystemAdministration/Procedures/SoftwarePatches
- SystemAdministration/SshHostKeyList
- SystemAdministration/Systems
- SystemAdministration/Systems/Archive
- SystemAdministration/Systems/Cisco1_and_2
- SystemAdministration/Systems/Community
- SystemAdministration/Systems/Development
- SystemAdministration/Systems/Development/Prepare
- SystemAdministration/Systems/Hopper
- SystemAdministration/Systems/Infra01
- SystemAdministration/Systems/Logger
- SystemAdministration/Systems/Ns
- SystemAdministration/Systems/Ocsp
- SystemAdministration/Systems/SLS
- SystemAdministration/Systems/Signer
- SystemAdministration/Systems/Sun1
- SystemAdministration/Systems/Sun2
- SystemAdministration/Systems/Sun3
- SystemAdministration/Systems/Sun4
- SystemAdministration/Systems/Test
- SystemAdministration/Systems/Translingo
- SystemAdministration/Systems/Webdb
- SystemAdministration/Systems/Wiki/update201009
- SystemAdministration/Systems/ca-mgr1-test
- SystemAdministration/Systems/cacert2-test
- SystemAdministration/Systems/fiddle
- SystemAdministration/Systems/git
- SystemAdministration/Systems/template
- SystemAdministration/Team
- Technology/Laboratory/Hardware/InfrastructureHost/Infra-redevelopment-plan
- Technology/Laboratory/Hardware/InfrastructureHost/Vienna1
- Twitter/CZ
- WeakKeys
- WeakKeys/CZ
- WeakKeys/SmallExponent
- WeakKeys/SmallExponent/CZ
- WeakKeys/SmallKey
- WeakKeys/SmallKey/CZ
- comma/Arsenal/IRC
- comma/Arsenal/IRC/improvement
Roles
- Public Services
- Revocation Services
- Support for CATS, audit
- test services
How to become team member
Critical Roles
The SP says that the board has to approve ABC'd roles:
- crit sysadms
- access engineers
- support engineers
- software analysts
The board or t/l has to start the process by filing a dispute for ABC over the new candidate.
Non-critical roles
Please contact the Non-Critical-Infrastructure t/l, e.g. to become:
- Wiki admin
- Blog admin
- Email admin
- Lists admin
- svn admin
- irc admin
- and others
The non-critical t/l will check the candidates and provide access.