Delivery document Linux Server
Dear new client of a WUR server,
You have chosen a Red Hat 7/Ubuntu 16.04 LTS operating system. As linux management team, we are deeply happy that you have chosen for open source. Through the use of this document we would like to clarify the management rules and help provide you with some guidelines for the configuration of your system. This is additional information to Appendix 6 from the service catalogue.
Support: Please send a mail to servicedesk.it@wur.nl and request a ticket for Infra Linux Beheer. We always strive for a quick solution time, but we can guarantee to keep by the standard service commitments.
Configuratie: We use a configuration management system to administer parts of the OS so that we can centrally administer many of our managed servers. This allows us to maintain consistency and reproducibility between servers. Changes that you make to these files will be reverted automatically by our systems. The configuration files that are managed by us are clearly marked in the first or second line. A detailed list of these files you can find here. If you need to change the contents of these files, please send a mail to servicedesk to request a ticket.
The two most significant issues are highlighted:
- selinux is always on. (on Red Hat systems) This is an advanced management system to improve security on our managed systems, preventing processes from being able to access files they were not allowed to access. For custom or non-standard builds, this can cause issues with deployment. Please let us know if you are having issues and we will be happy to assist you to have a working and safe environment.
- Firewall is managed by us. The firewall is initially set as very closed, and is configured entirely by our config management tool and is not locally editable on a permanent basis. Please request a ticket to enable access to ports as needed for your environment.
Monitoring/Statistics: We provide access to our monitoring and statistics tool Zabbix as standard. By default, it is configured so that users of the server may log in to the service and administrators will get alert notifications in the case of serious issues, for example, if the disk space has run out. There are many more configuration options available, accessible at https://zabbix.wur.nl . We have several standard monitored services - see here for a list. For further monitoring or custom monitoring, you will have to configure these yourself. If you need assistance, that's no problem - we have several use cases to hand to be able to assist you with setting this up. Additionally, Zabbix provides statistics on all monitored servers. Every service can be displayed as a graph against time, for example as below, the memory usage:
Updates: We perform regular updates on systems in a coordinated fashion. Every third tuesday of the month at 21:00 we update all production machines, and at 10:00 on the previous sunday the OTA machines. We have an automated system to manage this, and you will be asked at server request which update slot your wish your server to be assigned to. If you can't use either of these times, a special maintenance window can be created for you - simply make a request for further information.
Vulnerability scan: Elke maand word er een scan gedaan op Uw server om (nieuwe) security kwetsbaarheden te vinden. De applicatie die we hiervoor gebruiken is Nexpose. Hiervan krijgt U elke maand een rapport. Het oplossen van gevonden kwetsbaarheden in het OS en de standaard applicaties onder de dienstverlening van IT. U bent zelf verantwoordelijk voor het oplossen van problemen met diensten die U zelf heeft opgezet. Bij twijfel kunt U altijd een afspraak maken om het een keer door te nemen met een specialist. U kunt aanvullend voor websites kostenloos gebruik maken van een speciale website kwetsbaarheden scanner: Appspider. Als U hierin geintereseerd bent dan kunt U dit aangeven via de servicedesk of Uw service manager.
Packages: Nieuwe software is als packages beschikbaar in de standaard repository via yum of apt. We raden het af om packages manueel te installeren. Mocht dit echt nodig zijn overlegd u dan eerst met ons. Misschien zijn er nog andere oplossingen.
Webserver: U kunt via de servicedesk gratis een officieel certificaat aanvragen om Uw website te versleutelen (https). Het versleutelen van websites verbeterd niet alleen de algehele veiligheid maar levert U ook een hogere ranking op Google. Vanuit de WUR adviseren we om websites in alle gevallen te versleutelen. Als er gevoelige informatie op de website staat, vraag dan bij de servicedesk om een specialist om te overleggen over aanvullende maatregelen. U kunt Uw webserver een herkenbare naam geven voor interne websites (<naam website>.wurnet.nl) of externe websites (<naam website>.wur.nl). Het verzoek voor een dergelijke DNS naam is gratis en kunt U doen via de servicedesk.
Storage: U systeem schijf heeft een standaard indeling. Deze indeling voldoet in de meeste gevallen. Mocht er afgeweken moeten worden dan kan dat.
Additional: If you are going to build/install a custom application, we would like you to do this in /opt, as this has been specifically enlarged for this purpose. If there's not enough room, or you need some custom storage, you can request extra storage from us. If you are going to do maintenance on your server yourself, then you should be aware of the custom script create_downtime. You can use this script from any managed server to let Zabbix known to temporarily halt monitoring this server, and so we don't get alerted about servers being temporarily restarted at odd times. By default, this script will request one hour, but you can request more or less than this. For example:
create_downtime 120
will put the server in maintenance for 2 hours.
More information:
Here on the wiki https://lug.wur.nl/ you can find technical procedures for connecting machines to other WUR systems. There is also an intranet group “Linux en Open Source” that news and questions may be asked in.
