Sugar Labs - User contributions [en]

Infrastructure Team/TODO

2017-08-21T18:01:51Z

Scg: /* High-priority tasks */

<noinclude>{{TeamHeader|Infrastructure Team}}</noinclude>

=== Unmaintained services ===

* [[Service/translate]] -- Pootle

=== High-priority tasks ===

* New css/template for planet.sugarlabs.org ... or an entirely new rss aggregator
* Move wiki.sugarlabs.org to a container
* Document Docker (including new container creation, image maintenance and backups)

=== Wishlist ===

* Switch from Google Analytics to [http://piwik.org/ piwik]
* Switch Pipermail archives to HyperKitty
* Switch to Mailman 3 (Fedora switched all their lists, so it's probably stable enough for us as well)
* A pastebin app like http://fpaste.org
* Host an instance of [http://selectricity.org Selectricity] for the next elections
* An Etherpad instance?
*: See http://www.mediawiki.org/wiki/Future/Real-time_collaboration
* Make the Mediawiki HTML5 video handler work in wiki-devel

[[Category:TODO]]

Infrastructure Team/TODO

2017-08-21T18:00:57Z

Scg: /* High-priority tasks */

<noinclude>{{TeamHeader|Infrastructure Team}}</noinclude>

=== Unmaintained services ===

* [[Service/translate]] -- Pootle

=== High-priority tasks ===

* Migrate Mailman2 to Mailman3 + Hyperkitty for lists.sugarlabs.org.
* New css/template for planet.sugarlabs.org ... or an entirely new rss aggregator
* Move wiki.sugarlabs.org to a container
* Document Docker (including new container creation, image maintenance and backups)

=== Wishlist ===

* Switch from Google Analytics to [http://piwik.org/ piwik]
* Switch Pipermail archives to HyperKitty
* Switch to Mailman 3 (Fedora switched all their lists, so it's probably stable enough for us as well)
* A pastebin app like http://fpaste.org
* Host an instance of [http://selectricity.org Selectricity] for the next elections
* An Etherpad instance?
*: See http://www.mediawiki.org/wiki/Future/Real-time_collaboration
* Make the Mediawiki HTML5 video handler work in wiki-devel

[[Category:TODO]]

Machine/justice

2017-08-07T02:26:12Z

Scg:

<noinclude>{{TOCright}}</noinclude>

== Hostnames ==
* justice.sugarlabs.org
* freedom.sugarlas.org

=== Info ===

Freedom and Justice are two twin KVM hosts bought by Sugar Labs in 2012.

Justice is currently our primary VM hosting box, while freedom is a hot-standby with secondary services and backups.

== Hardware ==
* 2U rack-mountable case
* Motherboard ASUS KFSN5-D
* 8-core Opteron 6212 @ 1.4GHz
* 64GB RAM
* 2x1TB RAID1

== Software ==
* Ubuntu Precise (12.04) amd64 on justice
* Ubuntu 14.04 LTS on freedom

== Location ==
Hosted by the [http://media.mit.edu/ MIT Media Lab], building E15.

== Admins ==
* [[User:Bernie|Bernie Innocenti]], bernie on #sugar Freenode
* [[User:Scg|Samuel Cantero]], scg on #sugar Freenode
* [[User:Dogi|Stefan Unterhauser]], dogi on #sugar or [http://mibbit.com/?channel=%23treehouse&server=irc.oftc.net #treehouse]
* [[User:SAMdroid|Sam]], samdroid on #sugar on Freenode

== Network configuration ==
Justice is globally accessible through public, static IPv4.
The IPv6 /64 subnet (6to4) is currently experimental and not associated with AAAA records.

IPs 18.85.44.59-77 are available for hosted VMs.

== Hosted VMs ==
All KVM virtual machines are managed by libvirtd. Yes, that's scary.

See [[Sysadmin/Add virtual machine]] for creating new VMs.

{{Special:PrefixIndex/{{PAGENAME}}/}}

Sysadmin/Add virtual machine

2017-08-07T02:08:48Z

Scg:

=== Create new VM on [[Machine/justice]] or [[Machine/freedom]] ===

This procedure creates a clone of the [[Machine/template-xenial|Ubuntu Xenial template virtual machine]].

virt-clone -o template-xenial --file=/var/lib/libvirt/images/boot/FOOBAR-boot.img --file=/dev/justice/FOOBAR-root -n FOOBAR
virsh autostart FOOBAR
virsh start --console FOOBAR

* Add A and AAAA records for the new host in the sugarlabs.org zone file (See [[Service/Nameservers]]).

* Now login as root from the console (there should be no password)

* setup both IPv4 and IPv6 addresses

vi /etc/network/interfaces

* change machine fqdn

sed -i -e s/template-xenial/FOOBAR/g /etc/hosts /etc/hostname /etc/mailname /etc/postfix/main.cf

* activate new IP and hostname

/etc/init.d/networking restart

* install latest security/stability updates

apt-get update
apt-get dist-upgrade

* Find a nice color combo for HOST_COLOR in /etc/zzz_profile.conf

* generate host keys and a key for root

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa

* Setup wizbackup on a backup server (See [[Service/backup]])

* Move daily, weekly, monthly cronjobs to a unique timeslot to avoid cpu/net storms

vi /etc/crontab

* The most important thing: come up with a funny quip for this machine

vi /etc/motd.tail

* Taa--daah!

reboot

* Add the machine to <code>/etc/munin/munin.conf</code> on [[Machine/sunjammer]] for monitoring.

[FOOBAR.sugarlabs.org]
address FOOBAR.sugarlabs.org

See also: [[Sysadmin/Delete virtual machine]], [[Sysadmin/Migrate_virtual_machine]].

Machine/template-xenial

2017-08-07T02:06:28Z

Scg: Created page with "== VM Creation (host part) == virt-install -v --accelerate --nographics -x console=ttyS0,115200 \ --name template-xenial --vcpus=3 --ram $((1 * 1024)) \ --os-type=linux --..."

== VM Creation (host part) ==

virt-install -v --accelerate --nographics -x console=ttyS0,115200 \
--name template-xenial --vcpus=3 --ram $((1 * 1024)) \
--os-type=linux --os-variant=ubuntu16.04 --network bridge:br0 \
--disk path=/var/lib/libvirt/images/boot/template-xenial-boot.img,bus=virtio,size=0.25,format=raw \
--disk path=/dev/justice/template-xenial-root,bus=virtio,size=10 \
--location http://ubuntu.media.mit.edu/ubuntu/dists/xenial/main/installer-amd64/

'''Obs''': ''format=raw'' is mandatory, otherwise qcow2 format will be used by default.
''raw'' format allows us to easily create device mappings for the image.

The new VM will boot into the installer. Answer all questions with the defaults, except:

# Hostname: template-precise
# Mirror: enter information manually
# Mirror hostname: ubuntu.media.mit.edu
# (create your user with a strong password and no encrypted home)
# Partitioning: manual (see Partitioning below)
# Automatically install security updates
# Software selection:
#* Basic Ubuntu Server
#* OpenSSH server
# GRUB: let the installer setup grub on /dev/vba (which contains /boot)

== Partitioning ==

The goal is to have a small disk file for the MBR and /boot, and a larger raw filesystem in
an LVM Logical Volume. We don't want the LV to be partitioned because this makes it harder to
resize, mount, etc.

Now create a partition table in the smallest disk (256MB) and create a single partition in it.
Format this partition as ext4, labeled "boot" and mounted as /boot.

The installer won't let you format the entire disk as a filesystem, so go ahead and partition
the 10GB disk too, then create a primary partition in it and format it as ext4, mounted as /
and labeled "template-xenial" ('''"template-xenial-root" would exceed the ext4 limit''').

And yes.. just in case you're wondering. We don't use swap partitions.

We'll have to fix the disk later.

== First boot ==
After installation has finished and OS is restarted, it will boot but we won't have serial console access
(<code>virsh console template-xenial</code>). This is due the getty service for serial device is disabled by default on Ubuntu 16.04.
We'll fix this later.

== Switch the root filesystem to an LV ==

When the machine is offline, go to the host to recreate the root filesystem directly as an LV (as opposed to a partitioned volume)

First of all, we need to set up the device mapping for the first and only partition where the root filesystem resides.

kpartx -av /dev/justice/template-xenial-root

Mount the root partition:

mkdir /mnt/template-xenial-root
mount /dev/mapper/justice-template--xenial-root1 /mnt/template-xenial-root

Now create and format a new LV:

lvcreate -L 10G -n template-xenial-root2 justice
mkfs.ext4 -L template-xenial -O flex_bg,extent,uninit_bg,sparse_super /dev/justice/template-xenial-root2
tune2fs -c -1 -i 0 /dev/justice/template-xenial-root2
mkdir /mnt/template-xenial-root2
mount /dev/justice/template-xenial-root2 /mnt/template-xenial-root2

Move the files over:

rsync -HAXphax --numeric-ids /mnt/template-xenial-root/ /mnt/template-xenial-root2/

'''NOTE''': By default, Ubuntu 16.04 uses UUID in /etc/fstab in order to mount partitions. Since we have changed the root
partition to a new disk, the UUID will change. Aside from that, the grub.cfg also specifies the location of the root filesystem
using UUID notation (ex: /vmlinuz-4.4.0-89-generic root=UUID=0ad5d004-e5dd-4b93-abe4-2bb0ba4fd94a).

Before we umount the filesystems, let's create a chroot environment and fix previous issues:

kpartx -av /var/lib/libvirt/images/boot/template-xenial-boot.img
mount /dev/mapper/loop0p1 /mnt/template-xenial-root2/boot
mount --bind /dev/ /mnt/template-xenial-root2/dev/
mount -t proc proc /mnt/template-xenial-root2/proc/
mount -t sysfs sys /mnt/template-xenial-root2/sys/
chroot /mnt/template-xenial-root2/

Once inside the chroot environment:

* Fix serial console access by making getty listen on /dev/ttyS0:
systemctl enable serial-getty@ttyS0.service

* Replace UUID with device name for root fs location inside /boot/grub/grub.cfg
sed -i -r "s/root=UUID=[0-9a-f-]+/root=\/dev\/vdb/" /boot/grub/grub.cfg

* Adjust /etc/fstab to mount the filesystems from "LABEL=boot" and "LABEL=template-xenial".

Finally (VERY IMPORTANT), umount all filesystems before starting the VM:
umount /mnt/template-xenial-root2/boot/
umount /mnt/template-xenial-root2/dev/
umount /mnt/template-xenial-root2/proc/
umount /mnt/template-xenial-root2/sys/
umount /mnt/template-xenial-root2/ /mnt/template-xenial-root/

Get rid of the old root and rename the new one on top of it

lvremove /dev/justice/template-xenial-root
lvrename justice template-xenial-root2 template-xenial-root

== Configuration after system start ==

After the installation, the machine will boot automatically and you'll be dropped into the serial console.
You can return to the console at any time by doing:

virsh console template-xenial

Login with your installation username and password, then become root:

sudo -i

* Adjust /etc/default/grub:
** Set `GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0,115200"` (and remove the obnoxious "quiet splash")
** Uncomment GRUB_DISABLE_LINUX_UUID
* Update grub: `update-grub`

* Get rid of the restricted repositories from /etc/apt/sources.list (virtual machines don't need any non-free drivers anyway).
* Add a few useful packages:

apt-get install etckeeper bash-completion strace munin-node postfix vim aptitude

Note: etckeeper uses git by default :)

When prompted on how to configure postfix, say "Internet site".
Afterwards, edit `/etc/postfix/main.cs` by hand and set `inet_interfaces = loopback-only` and restart postfix.

* Monitor mail for root:

echo >>/etc/aliases "root: systems-logs@lists.sugarlabs.org"
newaliases

* Switch to the virtual kernel:

apt-get install linux-image-virtual linux-virtual
apt-get purge linux-image-generic
apt-get autoremove
update-grub

=== Network interface setup ===

We use [http://en.wikipedia.org/wiki/6to4 6to4] to reach the closest IPv6 anycast relay.
Append the following to /etc/network/interfaces:

auto eth0
iface eth0 inet static
address 18.85.44.67
netmask 255.255.255.0
gateway 18.85.44.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 18.71.0.151 18.70.0.160 18.72.0.3
dns-search sugarlabs.org

auto tun6to4
iface tun6to4 inet6 v4tunnel
# printf "2002:%02x%02x:%02x%02x::1\n" `echo $IPV4ADDR | tr . ' '`
address 2002:1255:2c43::1
netmask 16
gateway ::192.88.99.1
endpoint any
local 18.85.44.67

=== Other configurations ===

Add these to /etc/sudoers:

#bernie: forward ssh-agent
Defaults env_keep+="SSH_AUTH_SOCK"

#bernie:
%sudo ALL=(ALL:ALL) NOPASSWD: ALL

* Install your ssh keys to /root/.ssh/authorized_keys and to your user account. Also install the wizbackup keys for [[Service/backup]].

Once your keys are installed, you might SSH in and start configuration using a SSH session.

Log in with "ssh -A template-xenial.sugarlabs.org" to forward your ssh-agent and copy files from sunjammer

rsync -aP <your-user>@sunjammer.sugarlabs.org:/usr/src/devtools/ /usr/src/devtools/
ln -sf /usr/src/devtools/sysadm/bashrc.sh /etc/skel/.bashrc
ln -sf /usr/src/devtools/sysadm/bashrc.sh /root/.bashrc
ln -sf /usr/src/devtools/sysadm/zzz_profile.sh /etc/profile.d/zzz_profile.sh
ln -sf /usr/src/devtools/conf/vimrc /etc/vim/vimrc.local

vim /etc/bash.bashrc # comment out code messing with PS1
vim /etc/login.defs # set umask 002

* Create /etc/zzz_profile.conf:

HOST_COLOR='\033[1;40;37m'

* Disable PasswordAuthentication in /etc/ssh/sshd_config, then restart ssh

* Set a blank password for root, to be used to log in from the console only

passwd -d

* Insert into /etc/munin/munin.node:

#bernie
allow ^208\.118\.235\.53$ # sunjammer.sugarlabs.org
allow ^2001:4830:134:7::11$ # sunjammer.sugarlabs.org (IPv6)

* Add/remove munin plugins

cd /etc/munin/plugins
rm df_inode entropy forks fw_packets if_err_ens2 open_files open_inodes threads uptime processes proc_pri swap

* Disable unused services (They are dependencies of the ubuntu-server package):
systemctl disable snapd.service
systemctl disable atd.service
systemctl disable iscsid.service
systemctl disable lvm2-monitor.service
systemctl disable open-vm-tools.service
systemctl disable lxcfs.service
systemctl disable lxd-containers.service

FindTheGoldInThePot

2017-03-25T17:05:30Z

Scg:

Flea Market Barking Up The Wrong Tree

Birds of a Feather Flock Together

In Pickle Heads Up Close But No Cigar

Needle In a Haystack Lovey Dovey

A Fool and His Money are Soon Parted

FindTheGoldInThePot

2017-03-25T17:04:34Z

Scg: Created page with "Flea Market Barking Up The Wrong Tree Birds of a Feather Flock Together In a Pickle Heads Up Close But No Cigar Needle In a Haystack Lovey Dovey A Fool and His Money are S..."

Flea Market Barking Up The Wrong Tree

Birds of a Feather Flock Together

In a Pickle Heads Up Close But No Cigar

Needle In a Haystack Lovey Dovey

A Fool and His Money are Soon Parted

Service/turtleartday.org

2016-08-01T04:21:07Z

Scg: /* Notes */

== Description ==

The [[Turtle Art]] front page.

Managed with the Jekyll CMS, it contains static articles describing the annual event.

== Hostnames ==

http://www.turtleartday.org

== Hosted on ==

[[Machine/sunjammer]]

== Administrative contact ==

marketing AT sugarlabs DOT org

== Sysadmins ==

Send email to the systems sugar labs list.

== Notes ==

In https://github.com/sugarlabs/turtleartday.org/settings/hooks there is a webhook defined, as documented at https://developer.github.com/webhooks/

This sends a POST request in JSON format to https://hook.sugarlabs.org/www.turtleartday.org

A container named org.turtleartday.www-rebuilder is in charge of processing this payload, which does the following:

1. Install jekyll.

2. Clone the SL repo.

3. Install Flask

4. Execute a Flask Python App which does the following: pull the repo and jekyll build. This app doesn't parse the POST request.

The site is generated in the folder /clone/_site which is bind to the following directory in freedom: /srv/www-turtleartday.org-out. This is the document root for the site turtleartday.org in the nginx server block.

== Upgrade notes ==

Remember to restart the org.turtleartday.www-rebuilder container after upgrading freedom.

[[Category:Service|www]]

User:Scg

2016-05-16T18:06:19Z

Scg:

== Personal info ==

I am a computer engineer and a GNU/Linux passionate.

'''LinkedIn profile''': https://www.linkedin.com/in/scantero

== Contact info ==

'''E-mail''': scanterog AT gmail DOT com

'''Freenode IRC nickname''': scg on #sugar channel

User:Scg

2016-05-16T18:06:07Z

Scg:

== Personal info ==

I am a computer engineer and a GNU/Linux passionate.

'''LinkedIn profile''': https://www.linkedin.com/in/scantero

testing '''LinkedIn profile''': https://www.linkedin.com/in/scantero

== Contact info ==

'''E-mail''': scanterog AT gmail DOT com

'''Freenode IRC nickname''': scg on #sugar channel

User:Scg

2016-05-15T05:08:06Z

Scg:

User:Scg

2016-05-15T04:48:44Z

Scg:

== Personal info ==

I am a computer engineer and a GNU/Linux passionate. Currently here as a volunteer trying to help in this wonderful project.

'''LinkedIn profile''': https://www.linkedin.com/in/scantero

== Contact info ==

'''E-mail''': scanterog AT gmail DOT com

'''Freenode IRC nickname''': scg on #sugar channel

MediaWiki:Loginprompt

2016-05-14T20:25:33Z

Scg:

You must have cookies enabled to log in to {{SITENAME}}.

Sysadmin/Letsencrypt

2016-03-08T02:18:57Z

Scg: Testing VisualEdit

== Description ==

Let’s Encrypt (LE) is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is sponsored by the biggest Internet companies and browsers: Google (Chrome), Mozilla (Firefox), and so on. At the time of writing, LE is in public beta.

Currently, we have LE installed on [[Machine/freedom]].

== Installation ==

We have chosen <code>/opt/letsencrypt</code> as the base or home directory for the LE client. The LE Client is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring webservers to use them.

Because there is no a LE package for Ubuntu yet, we must clone the <code>letsencrypt-auto</code> wrapper script. This script obtains some dependencies from the OS (apt-get) and puts others in a python virtual environment (Pip). The only requirement is Python 2.6 or Python 2.7.

<pre>git clone https://github.com/letsencrypt/letsencrypt</pre>

This client requires root access in order to write to <code>/etc/letsencrypt</code>, <code>/var/log/letsencrypt</code>, <code>/var/lib/letsencrypt</code>; to bind to ports 80 and 443 and to read and modify webserver configurations (for apache or nginx plugins).

== Getting a certificate ==

The Let’s Encrypt client supports a number of different ''plugins'' that can be used to obtain and/or install certificates. For the moment, we decided to get the certificates manually and apply the changes to the the web server with a script. We can use the Nginx plugin to automatically obtain and install the certificate but this plugin is still experimental.

In order to automate the process (of getting the cert), we create a config file for each domain inside the folder <code>/etc/letsencrypt/config</code>. For example, the config file for www.slo is:

<pre>
# We use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

email = sysadmin@sugarlabs.org
domains = sugarlabs.org, www.sugarlabs.org

authenticator = webroot

# This is the webroot directory of your domain in which
# letsencrypt will write a hash in /.well-known/acme-challenge directory.
webroot-path = /srv/www-sugarlabs/
</pre>

The LE validation server must have access to the domain (port 80) of which we want to get the certificate. In order to validate that the server control the domain, the LE CA will issue one or more sets of challenges. For example, provisioning an HTTP resource under a well-known URI. Usually, the resource requested will be located at <code>/.well-known/acme-challenge</code> under the webroot folder of the requested site.

In Nginx, we can define how to process a specific request with the location directive. Be sure to add the following lines to the server block inside Nginx:

<pre>
location '/.well-known/acme-challenge' {
root /srv/www-sugarlabs/;
}
</pre>

To get the certificate using the previous config file, we must execute the following command:

<pre>/opt/letsencrypt/letsencrypt-auto certonly --config /etc/letsencrypt/config/sugarlabs.org.ini </pre>

All generated keys and issued certificates can be found in <code>/etc/letsencrypt/live/sugarlabs.org/</code>.

The same process can be applied for getting certs for other domains:
(1) create a subdomain.domain.tld config file,
(2) define the well-know resource and,
(3) request the certificate.

'''NOTE''': We had to comment out our CAA records in the DNS in order to obtain the certificates. CAA records forbids LE to issue certificates for a domain.

== Renewing a Certificate ==

Let’s Encrypt CA issues short lived certificates (90 days). In order to automate the renewal, we everyday automatically execute a script which checks the expiration day for every certificate and requests the renewal 15 days before the expiration day (this value is tweakable). After renewing the cert, the script reload the Nginx config.

<pre>
#!/bin/bash

LE_CERTS='/etc/letsencrypt/live'
LE_CONFIG_PATH='/etc/letsencrypt/config'
LE_BIN='/opt/letsencrypt/letsencrypt-auto'
WEB_SERVER='nginx'
EXP_LIMIT=15

for config in $(ls $LE_CONFIG_PATH/*.ini); do
domain=$(basename "$config" .ini)
DATE_NOW=$(date -d "now" +%s)
EXP_DATE=$(date -d "`openssl x509 -in $LE_CERTS/$domain/cert.pem -text -noout | grep "Not After" | cut -c 25-`" +%s)
EXP_DAYS=$(( (EXP_DATE - $DATE_NOW) / 86400 ))
if (( $EXP_DAYS < $EXP_LIMIT )) ; then
echo "The certificate for $domain is about to expire soon. Starting renewal..."
$LE_BIN certonly --renew-by-default --config $config
echo "Reloading $WEB_SERVER"
/usr/sbin/service $WEB_SERVER reload
echo "Renewal process finished for $domain"
else
echo "The certificate for $domain is up to date, no need for renewal ($EXP_DAYS days left for renewal)."
fi
done
</pre>

The script is named <code>renew-letsencrypt.sh</code> and is located in <code>/usr/local/bin </code>

== Sites ==

The sites currently with a LE SSL certificate are:

* [https://www.sugarlabs.org www.sugarlabs.org].
* [https://nagios.sugarlabs.org nagios.sugarlabs.org].

== Contact ==

* [[User:scg|Samuel]], scg on #sugar on Freenode.

Sysadmin/Letsencrypt

2016-01-03T21:08:09Z

Scg: /* Renewing a Certificate */

Sysadmin/Letsencrypt

2016-01-03T20:47:37Z

Scg: Created page with "== Description == Let’s Encrypt (LE) is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is sponsored by the biggest Internet comp..."

== Description ==

Let’s Encrypt (LE) is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is sponsored by the biggest Internet companies and browsers: Google (Chrome), Mozilla (Firefox), and so on. At the time of writing, LE is in public beta.

Currently, we have LE installed on [[Machine/freedom]].

== Installation ==

We have chosen <code>/opt/letsencrypt</code> as the base or home directory for the LE client. The LE Client is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring webservers to use them.

Because there is no a LE package for Ubuntu yet, we must clone the <code>letsencrypt-auto</code> wrapper script. This script obtains some dependencies from the OS (apt-get) and puts others in a python virtual environment (Pip). The only requirement is Python 2.6 or Python 2.7.

<pre>git clone https://github.com/letsencrypt/letsencrypt</pre>

This client requires root access in order to write to <code>/etc/letsencrypt</code>, <code>/var/log/letsencrypt</code>, <code>/var/lib/letsencrypt</code>; to bind to ports 80 and 443 and to read and modify webserver configurations (for apache or nginx plugins).

== Getting a certificate ==

The Let’s Encrypt client supports a number of different ''plugins'' that can be used to obtain and/or install certificates. For the moment, we decided to get the certificates manually and apply the changes to the the web server with a script. We can use the Nginx plugin to automatically obtain and install the certificate but this plugin is still experimental.

In order to automate the process (of getting the cert), we create a config file for each domain inside the folder <code>/etc/letsencrypt/config</code>. For example, the config file for www.slo is:

<pre>
# We use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

email = sysadmin@sugarlabs.org
domains = sugarlabs.org, www.sugarlabs.org

authenticator = webroot

# This is the webroot directory of your domain in which
# letsencrypt will write a hash in /.well-known/acme-challenge directory.
webroot-path = /srv/www-sugarlabs/
</pre>

The LE validation server must have access to the domain (port 80) of which we want to get the certificate. In order to validate that the server control the domain, the LE CA will issue one or more sets of challenges. For example, provisioning an HTTP resource under a well-known URI. Usually, the resource requested will be located at <code>/.well-known/acme-challenge</code> under the webroot folder of the requested site.

In Nginx, we can define how to process a specific request with the location directive. Be sure to add the following lines to the server block inside Nginx:

<pre>
location '/.well-known/acme-challenge' {
root /srv/www-sugarlabs/;
}
</pre>

To get the certificate using the previous config file, we must execute the following command:

<pre>/opt/letsencrypt/letsencrypt-auto certonly --config /etc/letsencrypt/config/sugarlabs.org.ini </pre>

All generated keys and issued certificates can be found in <code>/etc/letsencrypt/live/sugarlabs.org/</code>.

The same process can be applied for getting certs for other domains:
(1) create a subdomain.domain.tld config file,
(2) define the well-know resource and,
(3) request the certificate.

'''NOTE''': We had to comment out our CAA records in the DNS in order to obtain the certificates. CAA records forbids LE to issue certificates for a domain.

== Renewing a Certificate ==

Let’s Encrypt CA issues short lived certificates (90 days). In order to automate the renewal, we everyday automatically execute a script which checks the expiration day for every certificate and requests the renewal 15 days before the expiration day (this value is tweakable). After renewing the cert, the script reload the Nginx config.

<pre>
#!/bin/bash

LE_CERTS='/etc/letsencrypt/live'
LE_CONFIG_PATH='/etc/letsencrypt/config'
LE_BIN='/opt/letsencrypt/letsencrypt-auto'
WEB_SERVER='nginx'
EXP_LIMIT=15

for config in $(ls $LE_CONFIG_PATH/*.ini); do
domain=$(basename "$config" .ini)
DATE_NOW=$(date -d "now" +%s)
EXP_DATE=$(date -d "`openssl x509 -in $LE_CERTS/$domain/cert.pem -text -noout | grep "Not After" | cut -c 25-`" +%s)
EXP_DAYS=$(( (EXP_DATE - $DATE_NOW) / 86400 ))
if (( $EXP_DAYS < $EXP_LIMIT )) ; then
echo "The certificate for $domain is about to expire soon. Starting renewal..."
$LE_BIN certonly --renew-by-default --config $config
echo "Reloading $WEB_SERVER"
/usr/sbin/service $WEB_SERVER reload
echo "Renewal process finished for $domain"
else
echo "The certificate for $domain is up to date, no need for renewal ($EXP_DAYS days left for renewal)."
fi
done
</pre>

== Sites ==

The sites currently with a LE SSL certificate are:

* [https://www.sugarlabs.org www.sugarlabs.org].
* [https://nagios.sugarlabs.org nagios.sugarlabs.org].

== Contact ==

* [[User:scg|Samuel]], scg on #sugar on Freenode

Sysadmin/Add virtual machine

2015-12-07T02:50:08Z

Scg: /* Create new VM on Machine/justice or Machine/freedom */

=== Create new VM on [[Machine/justice]] or [[Machine/freedom]] ===

This procedure creates a clone of the [[Machine/template-precise|Ubuntu Precise template virtual machine]].

virt-clone --prompt -o template-precise --file=/var/lib/libvirt/images/boot/FOOBAR-boot.img --file=/dev/justice/FOOBAR-root -n FOOBAR
virsh autostart FOOBAR
virsh start --console FOOBAR

* Add A and AAAA records for the new host in the sugarlabs.org zone file (See [[Service/Nameservers]]).

* Now login as root from the console (there should be no password)

* setup both IPv4 and IPv6 addresses

vi /etc/network/interfaces

* change machine fqdn

sed -i -e s/template-precise/FOOBAR/g /etc/hosts /etc/hostname /etc/mailname /etc/postfix/main.cf

* activate new IP and hostname

/etc/init.d/networking restart

* install latest security/stability updates

aptitude update
aptitude full-upgrade

* Find a nice color combo for HOST_COLOR in /etc/zzz_profile.conf

* generate host keys and a key for root

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa

* Setup wizbackup on a backup server (See [[Service/backup]])

* Move daily, weekly, monthly cronjobs to a unique timeslot to avoid cpu/net storms

vi /etc/crontab

* The most important thing: come up with a funny quip for this machine

vi /etc/motd.tail

* Taa--daah!

reboot

* Add the machine to <code>/etc/munin/munin.conf</code> on [[Machine/sunjammer]] for monitoring.

[housetree.sugarlabs.org]
address housetree.sugarlabs.org

See also: [[Sysadmin/Delete virtual machine]], [[Sysadmin/Migrate_virtual_machine]].

Infrastructure Team/Contacts

2015-10-06T17:09:11Z

Scg: /* Core admins */

<noinclude>{{TeamHeader|Infrastructure Team}}</noinclude>
{{TOCright}}

== Team coordinator ==
{{:Infrastructure Team/Coordinator}}

== Support and administrative requests ==

'''Please, do not cc multiple administrative contacts in the same email.''' If you do not receive an answer within 48 hours, please ping one of us by email or IRC.

;User accounts
:<accounts AT sugarlabs DOT org>
:See also [[Service/Account]]

;Sugar Labs web site and wiki
:<webmaster AT sugarlabs DOT org>
:See also [[Service/wiki]]

;Git project hosting
:<gitmaster AT sugarlabs DOT org>
:See also [[Service/git]]

;Sugar Planet
:<planetmaster AT sugarlabs DOT org>
:See also [[Sysadmin/Planet_syndication_request]], [[Service/planet]]

;DNS Management and Domains Registration
:<hostmaster AT sugarlabs DOT org>
:See also [[Service/Nameservers]]

;Other requests
:<sysadmin AT sugarlabs DOT org>

== Team Contacts ==

* Infrastructure Team mailing-list: http://lists.sugarlabs.org/listinfo/systems
* IRC: [http://chat.sugarlabs.org #sugar on FreeNode]

== Services status ==

http://identi.ca/group/sugarlabsstatus

This Identi.ca feed sends updates about the health status of all our
services and machines. Subscribe if you want to be notified.

Notifications for planned service outages are also posted ahead of time on our
"It's An Education Project" (iaep) list (check the [http://wiki.sugarlabs.org/go/Mailing_Lists#General_Lists Mailing Lists] page).

== Sysadmin Contacts ==

;For problems with a specific service (e.g. [[Service/wiki|this wiki]]): consult the specific [[Service]] page for a list of sysadmin contacts
;For problems with a server (e.g. [[Machine/sunjammer|sunjammer]]): consult the specific [[Machine]] page for a list of sysadmin contacts
;For anything else: your friendly sysadmins can be contacted at '''<sysadmin ''AT'' sugarlabs ''DOT'' org>'''

== Core admins ==

For urgent matters, the core Sugar Labs sysadmins are:

* [[User:Bernie|Bernie Innocenti]], '''bernie''' on [http://chat.sugarlabs.org/ #sugar], PGP [http://keys.sugarlabs.org:11371/pks/lookup?op=vindex&search=0x71FF4BAC 71FF4BAC]
* [[User:Dogi|Stefan Unterhauser]], '''dogi''' on [http://chat.sugarlabs.org/ #sugar] or [http://mibbit.com/?channel=%23treehouse&server=irc.oftc.net #treehouse]
[http://keys.sugarlabs.org:11371/pks/lookup?op=vindex&search=0xE810E9C1 E810E9C1]
* [[User:Sebastian|Sebastian Silva]], '''icarito''' on [http://chat.sugarlabs.org/ #sugar]
* [[User:Scg|Samuel Cantero]], '''scg''' on [http://chat.sugarlabs.org/ #sugar]

For any non-urgent business, preferably use the official administrative contacts instead of contacting any individual system administrator directly.

== We Care (tm) ==

[[Image:Barbeque computer.jpg]]

[[Category:Contact]]

User:Scg

2015-10-06T17:04:42Z

Scg: Created page with "== Personal info == I am a computer engineer and a Linux passionate. Currently here as a volunteer trying to help in this wonderful project. '''LinkedIn profile''': https://w..."

== Personal info ==
I am a computer engineer and a Linux passionate. Currently here as a volunteer trying to help in this wonderful project.

'''LinkedIn profile''': https://www.linkedin.com/in/scantero

== Contact info ==

'''E-mail''': scanterog AT gmail DOT com

'''Freenode IRC nickname''': scg on #sugar channel