Administration Docs for server.oekonux.de
Overview
The Oekonux server, server.oekonux.de (213.146.167.186), is a virtual server currently running Debian GNU/Linux 3.1 (Sarge), hosted by VD-Server. Apart from the kernel, Oekonux is solely responsible for maintaining the Debian system and keeping the software up-to-date. The server has 192 MB of RAM (plus a 100 MB swap file) and 10 GB of hard disk space. In addition, we have an account on backup2.vdserver.de, which provides 750 MB of backup space, accessible via FTP or RSYNC.
Maintainers
Currently, the following people have shell accounts (accessed via SSH) and full root access on the server:
General maintenance is done by HolgerWeiss; certain facilities are maintained mainly by StefanMerten.
Services
server.oekonux.de runs the following services:
- HTTP
- SMTP
- FTP
- SSH
- ht://Dig
- SpamAssassin
- Majordomo
- TheClerk
- Backup
- Nagios (run remotely, currently on corona.jhweiss.de)
- ...
While most of the base system software is installed from the official Debian packages using apt(8), some of the software needed to actually provide the above services is compiled and installed manually. This software resides in /srv/foo, where foo is the service name. This gives us full control over the software versions and configurations. Since these packages typically aren't ones that other software depends on, installing them manually doesn't lead to dependency problems within the Debian package database. qmail is an exception, though: various Debian packages expect an MTA to be installed, so we created and installed a dummy MTA package (see /srv/src/mta-dummy). The drawback of installing software manually is, of course, that it won't be updated via apt-get upgrade. Security and bug fixes must therefore be applied by hand, which is especially important as we're talking about network servers whose security problems may be exploitable remotely.
Domain Names
The following domain names point to 213.146.167.186 (server.oekonux.de):
- oekonux.org
- oekonux.de
- oekonux-conference.org
- oekonux-konferenz.de
For all of these domains, a wildcard is used, so that (for example) foobar.oekonux.org also resolves to the IP address of our server. Also, an MX entry pointing to (for example) mail.oekonux.org exists for all of the domains. Apart from that, there is an A record for download.oekonux-conference.org pointing to 86.59.13.82.
The authoritative DNS servers are:
- ns1.beastsassociated.de
- gamma.beastsassociated.de
Additional records or changes to existing records can only be made by VD-Server support.
TODO
- Reanimate http://traffic.oekonux.de/ (preferably using some better solution than IPAC-NG, which we used in the past).
- Add new (passive) service checks to our Nagios installation: Monitor spamd(8), syslogd(8), cron(8), and stuff like mail queue size or memory usage. Also, create graphs from the performance data.
- Grep logs for unusual activity automagically (and submit the results to Nagios)?
- Cleanup /srv, probably by creating a new directory /server and moving everything from /srv/* to the new place step by step. Things that need to be done:
- Create a user/group for every service. The home directory will be /server/foo, where foo is the name of the software. This user should be able to do everything, including installing and running the software in question.
- Therefore, add a custom init-script mechanism which starts/stops the services via scripts in /server/*/etc/rc.d/. We can then purge any custom scripts from /etc/init.d/, apart from a single script which calls this mechanism.
- Also, for consistency, purge the DJB daemontools and start/stop qmail using the new mechanism.
- Cleanup the files accessible via HTTP: make a clean distinction between files which must be writeable by www-run and everything else, which should belong to www-adm.
- Move /backup to /server/backup.
- Let all services listen on ports > 1024 and map the privileged ports to them using NAT, so that no service needs root in order to bind its port.
- Add appropriate lines to /etc/sudoers for anything which still cannot be run by the generic service user.
- Delete the not yet documented section of this page.
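As an added example of the kind of check the "grep logs for unusual activity" and "passive Nagios checks" items are asking for (this is example code written for this page, not a plugin installed on the server): a Nagios-plugin-style check that counts sshd "Failed password" lines per client address in an auth.log, exits with the Nagios status code, and prints performance data Nagios can graph. The service name, the host name passed to send_nsca and the auth.log excerpt are assumptions; the log lines are constructed sample data, not taken from the server.

```shell
#!/bin/sh
# Added example: a Nagios-plugin-style check for repeated SSH login failures.
# Exit codes follow the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL,
# 3 UNKNOWN; the text after '|' is performance data in Nagios' label=value;warn;crit;min format.

# check_ssh_failures LOGFILE [WARN] [CRIT]: count sshd "Failed password" lines
# per client address and compare the busiest address against the thresholds.
check_ssh_failures() {
    log=$1; warn=${2:-5}; crit=${3:-20}
    [ -r "$log" ] || { echo "SSH UNKNOWN - cannot read $log"; return 3; }
    # The address always follows the word "from", whether or not the line says
    # "invalid user", so take the field after it rather than a fixed column.
    result=$(awk 'BEGIN { max = 0; who = "-" }
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] > max) { max = n[ip]; who = ip }
              print max, who }' "$log")
    max=${result%% *}; who=${result#* }
    if [ "$max" -ge "$crit" ]; then state=2; label=CRITICAL
    elif [ "$max" -ge "$warn" ]; then state=1; label=WARNING
    else state=0; label=OK
    fi
    echo "SSH $label - $max failed logins from $who | max_failed=$max;$warn;$crit;0"
    return $state
}

# passive_check_line HOST SERVICE STATE OUTPUT: one tab-separated NSCA submission,
# to be piped into send_nsca on the monitored host, e.g. (names assumed):
#   passive_check_line server.oekonux.de "SSH failures" 2 "SSH CRITICAL - ..." \
#       | send_nsca -H corona.jhweiss.de -c /etc/send_nsca.cfg
passive_check_line() {
    printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4"
}

# write_sample_log FILE: constructed auth.log excerpt (TEST-NET addresses) for
# trying the check offline; this is not real log data from the server.
write_sample_log() {
    cat > "$1" <<'EOF'
Jul  4 00:28:01 server sshd[2041]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2
Jul  4 00:28:03 server sshd[2043]: Failed password for invalid user test from 192.0.2.10 port 4322 ssh2
Jul  4 00:28:05 server sshd[2045]: Failed password for root from 192.0.2.10 port 4323 ssh2
Jul  4 00:28:07 server sshd[2047]: Failed password for root from 192.0.2.10 port 4324 ssh2
Jul  4 00:28:09 server sshd[2049]: Failed password for root from 192.0.2.10 port 4325 ssh2
Jul  4 00:28:11 server sshd[2051]: Failed password for root from 192.0.2.10 port 4326 ssh2
Jul  4 00:29:00 server sshd[2053]: Failed password for holger from 203.0.113.5 port 5000 ssh2
Jul  4 00:29:10 server sshd[2055]: Accepted publickey for holger from 198.51.100.7 port 5001 ssh2
EOF
}

# "demo" runs the check on the sample with WARN=3, CRIT=5;
# "check LOG [WARN] [CRIT]" runs it on a real file, e.g. check /var/log/auth.log 5 20.
case "${1:-}" in
    demo)  f=$(mktemp); write_sample_log "$f"; check_ssh_failures "$f" 3 5; rc=$?; rm -f "$f"; exit $rc ;;
    check) shift; check_ssh_failures "$@"; exit $? ;;
esac
```

Run from cron as the passive check's source, the exit code and the first output line are what would be fed to send_nsca; the threshold that matters is per source address, since a single scanner trying a few hundred passwords is the case to alert on, not the sum over all clients.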
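As an added illustration of the planned init-script mechanism (example code written for this page, not a script that exists on the server): a single dispatcher, meant to be the one remaining script in /etc/init.d/, that runs each service's own /server/<name>/etc/rc.d/<action> script as the owner of /server/<name> rather than as root, refuses to run an rc script that anyone other than its owner could have modified, and stops services in reverse order. The rc.d script names, the rule that the directory owner is the service user, and the SERVER_ROOT override are assumptions made for the example.

```shell
#!/bin/sh
# Added example: /etc/init.d-style dispatcher for /server/<name>/etc/rc.d/<action>.
# Assumptions (not from the page): each service lives in $SERVER_ROOT/<name>,
# owned by its own unprivileged user, and ships executable scripts named
# start, stop, restart, reload or status under etc/rc.d/.

SERVER_ROOT="${SERVER_ROOT:-/server}"   # overridable, e.g. for testing

# run_rc NAME ACTION: run $SERVER_ROOT/NAME/etc/rc.d/ACTION as the owner of
# $SERVER_ROOT/NAME. Returns the script's exit status, 0 if the service has
# no script for ACTION, 1 if the script is group- or world-writable.
run_rc() {
    name=$1; action=$2
    home="$SERVER_ROOT/$name"
    script="$home/etc/rc.d/$action"
    [ -x "$script" ] || { echo "$name: no $action script, skipping"; return 0; }
    # A script the dispatcher runs (possibly from root's boot sequence) must be
    # writable by its owner only; otherwise anyone with group or world write
    # access could run code as the service user, or as root on a misconfigured box.
    if [ -n "$(find "$script" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$name: $script is group- or world-writable, refusing to run" >&2
        return 1
    fi
    owner=$(ls -ld "$home" | awk '{ print $3 }')
    if [ "$(id -u)" -eq 0 ] && [ "$owner" != root ]; then
        # Drop privileges: the service user, not root, starts the service.
        su -s /bin/sh "$owner" -c 'exec "$0" "$1"' "$script" "$action"
    else
        "$script" "$action"
    fi
}

# dispatch ACTION [NAME...]: apply ACTION to the named services, or to every
# directory below $SERVER_ROOT (alphabetically for start, reversed for stop).
dispatch() {
    action=$1; shift
    case "$action" in
        start|stop|restart|reload|status) ;;
        *) echo "usage: $0 {start|stop|restart|reload|status} [service...]" >&2; return 2 ;;
    esac
    if [ $# -eq 0 ]; then
        if [ "$action" = stop ]; then set -- $(ls -r "$SERVER_ROOT"); else set -- $(ls "$SERVER_ROOT"); fi
    fi
    rc=0
    for name; do
        [ -d "$SERVER_ROOT/$name" ] || { echo "$name: no such service" >&2; rc=1; continue; }
        run_rc "$name" "$action" || rc=1
    done
    return $rc
}

# Run only when invoked with arguments (as /etc/init.d/<script> start);
# sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    dispatch "$@"
    exit $?
fi
```

For the NAT item in the list, the usual Linux mechanism is an iptables REDIRECT rule in the nat table (for example, incoming TCP port 80 redirected to the unprivileged port the HTTPd actually listens on); note that a rule in PREROUTING only covers traffic arriving from the network, so connections the server makes to its own privileged ports need the same rule in the OUTPUT chain. That rule is separate from the dispatcher above.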
Not Yet Documented
Topics
Topics that should be documented:
- Installation/configuration of our services. In particular, an explanation of the complicated mail setup involving qmail, SpamAssassin, Majordomo, optionally TheClerk and a couple of scripts.
- Cronjobs, such as running dpkg(8), debsums(1), ntpdate(1), and so on.
- Specifics of our Debian installation/configuration. That is, our file system layout, users/groups, UIDs/GIDs, and so on.
- Custom commands and TCSH aliases.
- Crashes/downtimes/outages.
- VD-Server technical support address.
- ...
Convert Existing Docs
Most of the following stuff should be brought up-to-date and then incorporated into these wiki pages:
/etc/README:
# $Id: README,v 1.22 2004/11/15 00:38:53 holger Exp $

- default login shell: tcsh, because Holger likes it ;-) Use chsh(1) if you want /bin/sh or /bin/bash as login shell. Let me know if you want ksh, zsh or some other shell which isn't installed.
- use RCS for all config files (TODO: write a quick HOWTO)
- only the 'wheel' group may 'su root' (-> /etc/pam.d/su)
- only users listed in /etc/ssh/sshd_config may log in remotely
- special users/groups: srv-adm, www-adm, www-run, the FTP- and the Mail-stuff
- sudo
- HTTPd (including mod_python), FTPd and Qmail, that is, the services serving data, are installed to /srv: http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM
- DJB stuff in /bin, /command, /package, /service, /srv/mail, and /usr/local: daemontools, ucspi-tcp, checkpassword, dot-forward, qmailanalog, netqmail and tai64nfrac (which isn't written by DJB, but needed by qmailanalog)
- everything else is installed as Debian package (Sarge); use the command 'dpkg -l | grep "^ii"' to get a list of all installed packages
- mta-dummy package (-> /usr/local/src/mta-dummy/)
- Qmail startup/shutdown is not handled via SysV init, but by DJB's supervise from the daemontools package (-> /service/), which in turn is called in /etc/inittab. Qmail and the POP3 daemon can be controlled with qmailctl, see 'qmailctl help'.
- HTTPd logs are rotated via 'logrotate /etc/logrotate_apache.conf', which is called once a week from root's crontab(5)
- ntpdate is run once a day from root's crontab(5)
- traffic accounting is done by ipac-ng. The data is mailed to root and written to /srv/www/traffic (accessible via http://oekonux.de/traffic/) daily and monthly.
- backup. The following directories are backed up once a day, whereas all other directories are NOT backed up: /backup, /etc, /home, /root and /srv.
Note that the backup is done via RSYNC and stored unencrypted, therefore all confidential files (such as private keys in ~/.ssh/, for example) should be encrypted prior to backup. This can be done automagically, please let me know which files to encrypt or add them to /backup/encrypt_file.list yourself.
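A worked example of the encrypt-before-backup step described above (added for this page; the server's actual /backup scripts are not shown here and may differ): read /backup/encrypt_file.list, write a GPG-encrypted copy of each listed file into a staging directory that is itself inside /backup, and emit an rsync exclude list so the plaintext originals never reach the unencrypted backup host. The staging path, exclude-file path, recipient key id, rsync destination and the ENCRYPT_CMD override are assumptions; the file names used when trying it out are constructed.

```shell
#!/bin/sh
# Added example, not the server's own backup script. Assumed paths and names:
#   /backup/encrypt_file.list  one absolute path per line, '#' comments allowed
#   /backup/encrypted/         staging area for the .gpg copies (inside /backup,
#                              so it is backed up)
#   /backup/rsync.exclude      exclude list handed to rsync
#   BACKUP_GPG_KEY             recipient key id; the matching private key must
#                              NOT live in a backed-up directory
LIST="${ENCRYPT_LIST:-/backup/encrypt_file.list}"
STAGE="${ENCRYPT_STAGE:-/backup/encrypted}"
EXCLUDES="${ENCRYPT_EXCLUDES:-/backup/rsync.exclude}"
BACKUP_GPG_KEY="${BACKUP_GPG_KEY:-}"     # must be set when gpg is used

# encrypt_one SRC DST: public-key encrypt SRC into DST with gpg. ENCRYPT_CMD
# may name any "cmd SRC DST" replacement (the test uses cp to avoid needing gpg).
encrypt_one() {
    if [ -n "${ENCRYPT_CMD:-}" ]; then
        $ENCRYPT_CMD "$1" "$2"
    else
        [ -n "$BACKUP_GPG_KEY" ] || { echo "BACKUP_GPG_KEY is not set" >&2; return 1; }
        gpg --batch --yes --quiet --output "$2" --encrypt --recipient "$BACKUP_GPG_KEY" "$1"
    fi
}

# stage_encrypted LIST STAGE EXCLUDES: for each path in LIST write STAGE/<path>.gpg
# and append <path> to EXCLUDES. Returns 1 if anything was skipped or failed, so
# a cron run mails root instead of silently backing up plaintext.
stage_encrypted() {
    list=$1; stage=$2; excl=$3; rc=0
    [ -r "$list" ] || { echo "$list: not readable" >&2; return 1; }
    mkdir -p "$stage" && chmod 700 "$stage"
    : > "$excl"
    while IFS= read -r path || [ -n "$path" ]; do
        case "$path" in ''|'#'*) continue ;; esac
        case "$path" in /*) ;; *) echo "$path: not an absolute path, skipped" >&2; rc=1; continue ;; esac
        [ -f "$path" ] || { echo "$path: missing, skipped" >&2; rc=1; continue; }
        dst="$stage$path.gpg"
        mkdir -p "$(dirname "$dst")"
        if encrypt_one "$path" "$dst"; then
            echo "$path" >> "$excl"    # only exclude what was actually encrypted
        else
            echo "$path: encryption failed" >&2; rm -f "$dst"; rc=1
        fi
    done < "$list"
    return $rc
}

# run_backup: stage the ciphertext, then mirror the directories named in
# /etc/README. --relative keeps the absolute paths in EXCLUDES matching, and
# --delete-excluded removes a plaintext copy left on the backup host by an
# earlier run. BACKUP_TARGET (assumed) is the rsync destination.
run_backup() {
    stage_encrypted "$LIST" "$STAGE" "$EXCLUDES" || echo "warning: some files were not encrypted" >&2
    rsync -a --relative --delete --delete-excluded --exclude-from="$EXCLUDES" \
        /backup /etc /home /root /srv "${BACKUP_TARGET:?set BACKUP_TARGET to the rsync destination}"
}

if [ "${1:-}" = run ]; then
    run_backup
fi
```

Two points worth keeping in mind: the exclude list is rebuilt from what was actually encrypted, so a file whose encryption failed is still backed up in the clear and the non-zero exit is the only warning; and without --delete-excluded a plaintext copy from before the file was added to the list stays on backup2.vdserver.de indefinitely.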
/etc/HOWTO:
# $Id: HOWTO,v 1.17 2006/07/04 00:28:09 root Exp $

CONFIGURE SOMETHING
===================

$ co -l example.conf    # not needed if example.conf never was touched
$ vi example.conf
$ ci -u example.conf    # you will be asked for a log message, you can
                        # add one or simply escape that with ".<RETURN>"
# or:
$ rcsvi example.conf

ADD VIRTUAL DOMAIN
==================

Example: Add virtual domain "example.org"

$ useradd -m -d /srv/mail/virtual/example.org -s /bin/false \
    -c 'Virtual Domain' -g virtual example.org
$ cd /srv/mail/virtual/example.org
$ mkdir .qmails
$ ln -s .qmails alias
$ chown example.org:virtual .qmails alias
$ echo "example.org:example.org" >> /srv/mail/control/virtualdomains
$ echo "example.org" >> /srv/mail/control/rcpthosts
# add the following line to the TOP of /srv/mail/users/assign, but
# replace 3001 by the UID of the user example.org:
+example.org-:example.org:3001:111:/srv/mail/virtual/example.org:s/::
$ qmail-newu

FORWARD MAIL FOR VIRTUAL DOMAIN
===============================

# forward mail for <steve@example.org> to <dave@foobar.com>:
$ echo "dave@foobar.com" >> ~example.org/alias/steve
$ echo "steve@example.org" >> /srv/mail/control/validrcptto
$ qmailctl reload

SHOW ALL MAIL ALIASES
=====================

# external aliases:
$ lsalias | less
# all aliases:
$ lsalias -a | less

KEEP THE SYSTEM UP-TO-DATE
==========================

# 1.) update all Debian packages:
$ apt-get update && apt-get upgrade && apt-get clean
# 2.) update all packages installed from source, especially the
#     network servers; see:
$ cat /srv/src/README
/srv/src/README:
# $Id: README,v 1.5 2005/03/20 19:49:28 holger Exp $

Directories:
============
configure/  -> our configure script options
mta-dummy/  -> our mta-dummy package
patches/    -> our source patches
scripts/    -> our local system scripts

Packages installed from source:
===============================
Backup:         http://www.heilbit.de/backup.html
Apache 2:       http://httpd.apache.org/
mod_python:     http://www.modpython.org/
MoinMoin Wiki:  http://moinmoin.wikiwikiweb.de/
PureFTPd:       http://www.pureftpd.org/
netqmail:       http://www.qmail.org/netqmail/
qmail related software:
                http://cr.yp.to/ucspi-tcp.html
                http://cr.yp.to/daemontools.html
                http://cr.yp.to/dot-forward.html
                http://cr.yp.to/qmailanalog.html
                http://www.eyrie.org/~eagle/software/tai64nfrac/
qmailctl script from: http://www.lifewithqmail.org/lwq.html