
Administration Docs for server.oekonux.de

Overview

The Oekonux server, server.oekonux.de (213.146.167.186), is a virtual server currently running Debian GNU/Linux 3.1 (Sarge), hosted by VD-Server. Apart from the kernel, Oekonux is solely responsible for maintaining the Debian system and keeping the software up-to-date. The server operates with 192 MB of RAM (plus a 100 MB swap file) and has 10 GB of hard disk space available. In addition, we have an account on backup2.vdserver.de, which provides 750 MB of backup space, accessible via FTP or RSYNC.

Maintainers

Currently, the following people have shell accounts (accessed via SSH) and full root access on the server:

General maintenance is done by HolgerWeiss, certain facilities are maintained mainly by StefanMerten.

Services

server.oekonux.de runs the following services:

  • HTTP
  • SMTP
  • FTP
  • SSH
  • ht://Dig
  • SpamAssassin
  • Majordomo
  • TheClerk
  • Backup
  • Nagios (run remotely, currently on corona.jhweiss.de)
  • ...

While most of the "base system software" is installed from the normal, official Debian packages using apt(8), some of the software needed for actually providing the above services is compiled and installed manually. This software resides in /srv/foo, where foo is the service name. This gives us full control over the software versions and configurations. Since these software packages typically aren't packages which other software would depend on, installing them manually doesn't lead to dependency problems within the Debian package database. qmail is an exception, though: various Debian packages expect an MTA to be installed. Hence, we created and installed a dummy MTA package (see /srv/src/mta-dummy). Another drawback of installing software manually is, of course, that it won't be updated via apt-get upgrade. Hence, (at least) in case of security and bug fixes, it must be updated manually, which is especially important as we're talking about network-facing software whose security problems may be exploitable remotely.

Domain Names

The following domain names point to 213.146.167.186 (server.oekonux.de):

  • oekonux.org
  • oekonux.de
  • oekonux-conference.org
  • oekonux-konferenz.de

For all of these domains, a wildcard is used, so that (for example) foobar.oekonux.org also resolves to the IP address of our server. Also, an MX entry pointing to (for example) mail.oekonux.org exists for all of the domains. Apart from that, there is an A record for download.oekonux-conference.org pointing to 86.59.13.82.

The authoritative DNS servers are:

  • ns1.beastsassociated.de
  • gamma.beastsassociated.de

Additional records or changes to the records can only be done by the VD-Server support.

TODO

  • Reanimate http://traffic.oekonux.de/ (preferably using some better solution than IPAC-NG, which we used in the past).
  • Add new (passive) service checks to our Nagios installation: Monitor spamd(8), syslogd(8), cron(8), and stuff like mail queue size or memory usage. Also, create graphs from the performance data.
  • Grep logs for unusual activity automagically (and submit the results to Nagios)?
  • Cleanup /srv, probably by creating a new directory /server and moving everything from /srv/* to the new place step by step. Things that need to be done:
    • Create a user/group for every service. The home directory will be /service/foo, where foo is the name of the software. This user should be able to do everything, including installing and running the software in question.
    • Therefore, add some custom init-script mechanism which starts/stops the services via scripts in /server/*/etc/rc.d/. We can then purge any custom scripts from /etc/init.d/, apart from a single script which calls this mechanism.
    • Also, for consistency, purge the DJB daemontools and start/stop qmail using the new mechanism.
    • Cleanup the files accessible via HTTP: Make a clean distinction between files which must be writeable by www-run and everything else, which should belong to www-adm.
    • Move /backup to /server/backup.
    • Let all services listen on ports > 1024 and map the ports using NAT.
    • Add appropriate lines to /etc/sudoers for anything which still cannot be run by the generic service user.
  • Delete the not yet documented section of this page :-)

Not Yet Documented

Topics

Topics that should be documented:

  • Installation/configuration of our services. In particular, an explanation of the complicated mail setup involving qmail, SpamAssassin, Majordomo, optionally TheClerk and a couple of scripts.
  • Cronjobs, such as running dpkg(8), debsums(1), ntpdate(1), and so on.
  • Specifics of our Debian installation/configuration. That is, our file system layout, users/groups, UIDs/GIDs, and so on.
  • Custom commands and TCSH aliases.
  • Crashes/downtimes/outages.
  • VD-Server technical support address.
  • ...

Convert Existing Docs

Most of the following stuff should be brought up-to-date and then incorporated into these wiki pages:

/etc/README:

# $Id: README,v 1.22 2004/11/15 00:38:53 holger Exp $

- default login shell: tcsh, because Holger likes it ;-) Use chsh(1) if you
  want /bin/sh or /bin/bash as login shell.  Let me know if you want ksh, zsh
  or some other shell which isn't installed.

- use RCS for all config files (TODO: write a quick HOWTO)

- only the 'wheel' group may 'su root' (-> /etc/pam.d/su)

- only users listed in /etc/ssh/sshd_config may login remotely

- special users/groups: srv-adm, www-adm, www-run, the FTP- and the Mail-stuff

- sudo

- HTTPd (including mod_python), FTPd and Qmail, that is, the services serving
  data, are installed to /srv:
  http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM

- DJB stuff in /bin, /command, /package, /service, /srv/mail, and /usr/local:
  daemontools, ucspi-tcp, checkpassword, dot-forward, qmailanalog, netqmail
  and tai64nfrac (which isn't written by DJB, but needed by qmailanalog)

- everything else is installed as Debian package (Sarge), use the command
  'dpkg -l | grep "^ii"' to get a list of all installed packages

- mta-dummy package (-> /usr/local/src/mta-dummy/)

- Qmail startup/shutdown is not handled via SysV init, but by DJB's supervise
  from the daemontools package (-> /service/), which in turn is called in
  /etc/inittab.  Qmail and the POP3 daemon can be controlled with qmailctl,
  see 'qmailctl help'.

- HTTPd logs are rotated via 'logrotate /etc/logrotate_apache.conf', which is
  called once a week from root's crontab(5)

- ntpdate is run once a day from root's crontab(5)

- traffic accounting is done by ipac-ng.  The data is mailed to root and
  written to /srv/www/traffic (accessible via http://oekonux.de/traffic/)
  daily and monthly.

- backup.  The following directories are backed up once a day, whereas all
  other directories are NOT backed up: /backup, /etc, /home, /root and /srv.
  Note that the backup is done via RSYNC and stored unencrypted, therefore all
  confidential files (such as private keys in ~/.ssh/, for example) should be
  encrypted prior to backup.  This can be done automagically, please let me
  know which files to encrypt or add them to /backup/encrypt_file.list
  yourself.
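The README above states three checkable policies: only 'wheel' may su (pam_wheel in /etc/pam.d/su), only users listed in sshd_config may log in remotely, and private keys in the backup set must be listed in /backup/encrypt_file.list. The following audit helpers are an added example, not part of the Oekonux docs; file paths are parameters and the sample files they run on are constructed here (the user names alice/bob are hypothetical).

```shell
#!/bin/sh
# Added audit helpers (not part of the Oekonux docs): check the su/wheel,
# sshd AllowUsers and unencrypted-backup points from the README above.
# File paths are parameters, so the checks also run against copies.

# 1) /etc/pam.d/su: only 'wheel' may su if pam_wheel.so is required.
su_requires_wheel() {   # $1 = path to a pam.d/su file; exit 0 if enforced
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# 2) sshd_config: remote logins are restricted only if AllowUsers is active.
sshd_restricts_users() {  # $1 = path to an sshd_config file; exit 0 if restricted
    grep -Eq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]' "$1"
}

# 3) Backup set: print PEM private keys below the given directories that are
#    not listed in encrypt_file.list, i.e. that rsync would store in the clear.
unencrypted_keys_in_backup() {  # $1 = encrypt_file.list, $2.. = backed-up dirs
    list=$1; shift
    find "$@" -type f 2>/dev/null | while read -r f; do
        head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----' || continue
        grep -qxF -- "$f" "$list" || echo "$f"
    done
}

# Constructed sample files for a dry run (hypothetical, not the server's).
build_samples() {  # prints the directory holding the samples
    d=$(mktemp -d)
    printf '%s\n' 'auth required pam_wheel.so' 'auth sufficient pam_rootok.so' > "$d/su.good"
    printf '%s\n' '# auth required pam_wheel.so' 'auth sufficient pam_rootok.so' > "$d/su.bad"
    printf '%s\n' 'PermitRootLogin no' 'AllowUsers alice bob' > "$d/sshd.good"
    printf '%s\n' 'PermitRootLogin no' '#AllowUsers alice bob' > "$d/sshd.bad"
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob/.ssh"
    for u in alice bob; do
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAAconstructed' > "$d/home/$u/.ssh/id_rsa"
        printf '%s\n' "ssh-rsa AAAAconstructed $u" > "$d/home/$u/.ssh/id_rsa.pub"
    done
    echo "$d/home/alice/.ssh/id_rsa" > "$d/encrypt_file.list"   # only alice's key is covered
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then   # sh audit.sh demo
    d=$(build_samples)
    su_requires_wheel "$d/su.bad" || echo "su.bad: pam_wheel.so not enforced"
    sshd_restricts_users "$d/sshd.bad" || echo "sshd.bad: no active AllowUsers line"
    unencrypted_keys_in_backup "$d/encrypt_file.list" "$d/home"
fi
```

On the live system the same functions take /etc/pam.d/su, /etc/ssh/sshd_config and /backup/encrypt_file.list with the backed-up directories (/backup /etc /home /root /srv) as arguments.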

/etc/HOWTO:

# $Id: HOWTO,v 1.17 2006/07/04 00:28:09 root Exp $

CONFIGURE SOMETHING
===================

$ co -l example.conf    # not needed if example.conf never was touched
$ vi example.conf
$ ci -u example.conf    # you will be asked for a log message, you can
                        # add one or simply escape that with ".<RETURN>"
# or:
$ rcsvi example.conf


ADD VIRTUAL DOMAIN
==================

Example: Add virtual domain "example.org"

$ useradd -m -d /srv/mail/virtual/example.org -s /bin/false \
          -c 'Virtual Domain' -g virtual example.org
$ cd /srv/mail/virtual/example.org
$ mkdir .qmails
$ ln -s .qmails alias
$ chown example.org:virtual .qmails alias
$ echo "example.org:example.org" >> /srv/mail/control/virtualdomains
$ echo "example.org" >> /srv/mail/control/rcpthosts
# add the following line to the TOP of /srv/mail/users/assign, but
# replace 3001 by the UID of the user example.org:
+example.org-:example.org:3001:111:/srv/mail/virtual/example.org:s/::
$ qmail-newu


FORWARD MAIL FOR VIRTUAL DOMAIN
===============================

# forward mail for <steve@example.org> to <dave@foobar.com>:
$ echo "dave@foobar.com" >> ~example.org/alias/steve
$ echo "steve@example.org" >> /srv/mail/control/validrcptto
$ qmailctl reload


SHOW ALL MAIL ALIASES
=====================

# external aliases:
$ lsalias | less
# all aliases:
$ lsalias -a | less


KEEP THE SYSTEM UP-TO-DATE
==========================

# 1.) update all Debian packages:
$ apt-get update && apt-get upgrade && apt-get clean
# 2.) update all packages installed from source, especially the
# network servers; see:
$ cat /srv/src/README
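The ADD VIRTUAL DOMAIN steps in /etc/HOWTO above append to the qmail control files with echo and ask for a line to be put at the top of users/assign by hand. The helper below is an added example, not part of /etc/HOWTO or of qmail: it validates the domain name before writing it into colon-separated control files, adds it to virtualdomains and rcpthosts only once, and prepends the assign line atomically so the file's terminating "." line stays last. The qmail directory, UID and GID are parameters (on the server: /srv/mail and the UID from id -u example.org after useradd); useradd and qmail-newu remain manual steps.

```shell
#!/bin/sh
# Added helper (not from /etc/HOWTO): build the users/assign line for a virtual
# domain and put it at the TOP of the file, as the HOWTO requires, after adding
# the domain to virtualdomains and rcpthosts exactly once. The qmail dir, UID
# and GID are parameters (on the server: /srv/mail and `id -u example.org`);
# useradd and qmail-newu stay manual steps.

# qmail control files are line- and colon-separated, so accept only a plain
# hostname before writing it anywhere.
valid_domain() {  # $1 = domain; exit 0 if it is a sane hostname
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# The line from the HOWTO: +dom-:dom:UID:GID:/srv/mail/virtual/dom:s/::
assign_line() {  # $1 = domain, $2 = uid, $3 = gid, $4 = virtual base dir
    printf '+%s-:%s:%s:%s:%s/%s:s/::\n' "$1" "$1" "$2" "$3" "$4" "$1"
}

# Append a line unless the file already contains it (virtualdomains, rcpthosts).
append_unique() {  # $1 = file, $2 = line
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Prepend a line unless present, replacing the file atomically (users/assign
# must keep its terminating "." line at the end, so "echo >>" is wrong here).
prepend_unique() {  # $1 = file, $2 = line
    [ -f "$1" ] || : > "$1"
    grep -qxF -- "$2" "$1" && return 0
    tmp=$(mktemp "$1.XXXXXX") || return 1
    { printf '%s\n' "$2"; cat "$1"; } > "$tmp" && mv "$tmp" "$1"
}

add_virtual_domain() {  # $1 = domain, $2 = uid, $3 = gid, $4 = qmail dir
    valid_domain "$1" || { echo "refusing unsafe domain name: $1" >&2; return 1; }
    append_unique "$4/control/virtualdomains" "$1:$1"
    append_unique "$4/control/rcpthosts" "$1"
    prepend_unique "$4/users/assign" "$(assign_line "$1" "$2" "$3" "$4/virtual")"
}

# Dry run on a constructed copy of the control files, never on /srv/mail itself.
qmail_dry_run() {  # prints the scratch directory
    d=$(mktemp -d)
    mkdir -p "$d/control" "$d/users"
    echo '.' > "$d/users/assign"   # an assign file ends with a lone "." line
    add_virtual_domain example.org 3001 111 "$d" && echo "$d"
}
```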

/srv/src/README:

# $Id: README,v 1.5 2005/03/20 19:49:28 holger Exp $

Directories:
============

configure/      -> our configure script options
mta-dummy/      -> our mta-dummy package
patches/        -> our source patches
scripts/        -> our local system scripts


Packages installed from source:
===============================

Backup:
        http://www.heilbit.de/backup.html

Apache 2:
        http://httpd.apache.org/

mod_python:
        http://www.modpython.org/

MoinMoin Wiki:
        http://moinmoin.wikiwikiweb.de/

PureFTPd:
        http://www.pureftpd.org/

netqmail:
        http://www.qmail.org/netqmail/

qmail related software:
        http://cr.yp.to/ucspi-tcp.html
        http://cr.yp.to/daemontools.html
        http://cr.yp.to/dot-forward.html
        http://cr.yp.to/qmailanalog.html
        http://www.eyrie.org/~eagle/software/tai64nfrac/

qmailctl script from:
        http://www.lifewithqmail.org/lwq.html

Oekonux/Project/Machinery/Administration (last edited 2006-10-04 14:09:01 by HolgerWeiss)

This work is licensed under a Creative Commons License.