openSUSE:Infrastructure policy
This policy should help both sides set the right expectations and assumptions so that the infrastructure behind openSUSE can be provided successfully.
openSUSE infrastructure policy
Servers are either hosted in Provo, UT, USA or Nuremberg, Germany. New deployments will predominantly take place in Nuremberg, Germany. All servers must comply with the requirements outlined below:
- Direct login with a password must be disabled; only SSH key login is allowed
- For recovery reasons, every administrator has to provide the root password in an encrypted form, so it can be stored in the GitLab repository.
- At least one person responsible for managing the server is registered with SUSE-IT
- The responsible person is expected to respond to e-mail within 48 hours
- It is desirable that the responsible person is reachable on IRC on most days between the hours of 11:00 A.M. and 3:00 P.M. UTC
- Services accessible externally need to be minimized
- All services must start automatically after a reboot
- Servers are configured with a static IP address
- In general servers should run openSUSE or SUSE as the operating system. The operating system on the server needs to be maintained
- Servers are configured to access the appropriate update repositories
- Automatic updates need to be enabled; it is acceptable to skip updates that require user interaction
- All security updates (including kernel updates) must be installed as soon as possible. If this is not possible for some reason, an exception must be granted by the SUSE-IT team
- Services available via network should be protected with AppArmor or SELinux
- If console access is required, a written agreement is needed
- Monitoring: all machines have to answer ICMP echo requests (ping); monitoring other services is recommended.
- Remote syslogging must be configured
- It is recommended to store at least the configuration in GitLab and use Salt for deployment.
- Anyone maintaining a server on the openSUSE infrastructure is expected to be subscribed to the heroes@opensuse.org mailing list.
- Anyone maintaining a server should have ticket access on https://progress.opensuse.org/ and read their tickets regularly
- Being available at the IRC channel at irc://irc.opensuse.org/#opensuse-admin is a plus
All systems are subject to a maintenance window every Thursday between 8:00 A.M. and 10:00 A.M. local Nuremberg time.
The SUSE-IT team maintains a list of servers maintained on the openSUSE infrastructure. Adding new services requires agreement to this policy and a request to the openSUSE infrastructure team via admin@opensuse.org. Violations of the policy will be documented and escalated to the openSUSE board. In emergency or security cases the SUSE-IT team reserves the right to shut down the server. People listed as contacts will be informed accordingly.
All running servers will be evaluated every 6 months to determine the continued need for the services provided. If a service is deemed outdated or the server hosts content that may no longer be needed, the maintainer on record will be contacted to provide additional details. If no response is received within a 2-week period, the server will be shut down.
Communication
IRC channels
- #opensuse-admin on the Libera.Chat network is the channel where you can reach us
- #opensuse-buildservice on the Libera.Chat network is the channel where you can reach the openSUSE Build Service administrators in particular
Issue reports / Mailing list
- admin@opensuse.org - Issue reports about the openSUSE infrastructure.
- heroes@lists.opensuse.org - Discussion list about the openSUSE infrastructure.
Other communication
- A list of responsible people to contact if you experience problems with any service
- A list of services provided for the openSUSE community can be found (in the future) here
- Important maintenance news of the infrastructure is posted to news.opensuse.org
- A blog with generic infrastructure news can be found here
- For ways to communicate with us individually check our list of members