This policy should help everyone involved have the right expectations and assumptions to successfully provide the infrastructure behind openSUSE.
openSUSE infrastructure policy
Servers are hosted in Provo/UT (USA), Nuremberg (Germany) or Prague (Czech Republic). New deployments will predominantly take place in Prague. All servers must comply with the requirements outlined below:
- Direct login with a password must be disabled; only SSH-key login is allowed.
- For recovery reasons, every administrator has to provide the root password in an encrypted form, so it can be stored in the respective Git repository (https://gitlab.infra.opensuse.org/infra/pass).
- The person responsible is expected to respond to e-mail within 48 hours.
- It is desirable that the responsible person is reachable on IRC on most days between the hours of 11:00 A.M. and 3:00 P.M. UTC.
- Services accessible externally need to be minimized.
- All services must start automatically after a reboot.
- Servers are configured with a static IP address.
- In general servers should run openSUSE as the operating system. The operating system on the server needs to be maintained.
- Servers are configured to access the appropriate update repositories.
- Automatic updates need to be enabled; it is acceptable to skip updates that require user interaction.
- All security updates (including kernel updates) must be installed as soon as possible.
- Services available via network should be protected with AppArmor or SELinux.
- If console access is required, a written agreement is needed.
- Monitoring: all machines have to answer ICMP echo requests (ping); monitoring other services is recommended.
- Remote syslogging must be configured.
- The machine must be enrolled with Salt and the Salt-provided base configuration must be applied. It is recommended to store all further configuration in the common Git repository (https://gitlab.infra.opensuse.org/infra/salt) as well and to use Salt for deployment.
- Anyone maintaining a server on the openSUSE infrastructure is expected to be subscribed to the email@example.com mailing list.
- Anyone maintaining a server should have ticket access on https://progress.opensuse.org/ and read their tickets regularly.
- Being available at the IRC channel at ircs://irc.opensuse.org/#opensuse-admin is a plus.
All systems are subject to a maintenance window every Thursday between 8:00 A.M. and 10:00 A.M. local Nuremberg time.
Adding new services requires agreement to this policy and a request to the openSUSE infrastructure team via firstname.lastname@example.org. Violations of the policy will be documented and escalated to the openSUSE board. In emergency or security cases the openSUSE infrastructure team as well as SUSE reserve the right to shut down a server. People listed as contacts will be informed accordingly.
All running servers will be evaluated every 6 months to determine continued need for the services provided. If a service is deemed outdated or the server hosts content that may no longer be needed, the maintainer on record will be contacted to provide additional details. If no response is received within a 2-week period, the server will be shut down.
- #opensuse-admin on the Libera.Chat network is the channel where you can reach us.
- #opensuse-buildservice on the Libera.Chat network is the channel where you can reach the openSUSE Build Service administrators in particular.
Issue reports / Mailing list
- email@example.com - Issue reports about the openSUSE infrastructure.
- firstname.lastname@example.org - Discussion list about the openSUSE infrastructure.
- list of responsible people to contact if you experience problems with any service
- a list of services provided for the openSUSE community can be found here
- Important maintenance news about the infrastructure is posted to news.opensuse.org
- A blog with generic infrastructure news can be found here
- For ways to communicate with us individually check our list of members