The OS3 infrastructure
An introduction to the OS3 infrastructure
2013 / 2014
Your system administrator
● Name: Niels Sijm
● E-mail: [email protected]
● Hobbies/interests: philosophy, literature, boats, music, systems, networks and programming
● Past studies:
– Bachelor in Information Technology
– MSc. in System and Network Engineering :)
– MSc. in Software Engineering :(
● Past job: IT teacher @ Eindhoven
OS3 infrastructure in a nutshell
● OS3 has its own network!
– Linked directly to SURFnet
– Not at all linked to the UvA network
● OS3 infrastructure includes:
– Workstations (dual screen, Ubuntu 13.04)
– Generic services (DNS, mail, web)
– Labs for students and teachers
The physical OS3 network
● Core Switch Router
– Dell PowerConnect 6224
● Other switches
– Dell, Cisco, ZyXEL, Foundry...
– Located in the OS3 server room and C3.154
● Cabling: CAT5E UTP & single-mode fiber
– Multiple uplink connections possible
Switching and Routing
● OSI Layer 2: Switching
– Ethernet: no other protocols active
● OSI Layer 3: Routing
– IPv4: 145.100.96.0/20
– IPv6: 2001:610:158::/48
– Routing takes place at the Core Switch Router
– The network grows, so a replacement is being sought
Switches (1/4)
● Border switch router: os3bsr, at Sara
● Core switch router: os3csr, at OS3 SR
● Server switch: production servers
● Staff switch: staff connectivity
● Hosting switch: OS3-related hosting
Switches (2/4)
● Imac switch: workstations in B1.23
● Student switch: student laptops
● Studlab switch: student servers
● Studdrac switch: remote access control
Switches (3/4)
● Forensics switch: network in C3.154
● Studlab 2012 switch: Dell PE R210 II
● SURFnet switch: Dell PE 860 (donated)
● SURFdrac switch: DRAC for the SURFnet switch machines
Switches (4/4)
● Switches use VLANs to separate networks
● VLANs defined for:
– Admin network
– Server network
– Staff network
– Student network
– ...
Routing: IPv4 (1/2)
● 145.100.96.0/22 OS3 servers and services
● 145.100.100.0/23 Staff & staff lab
● 145.100.102.0/23 Students & student experiments
● 145.100.104.0/22 Studlab
● 145.100.108.0/22 Spare :)
Routing: IPv4 (2/2)
● Routed subnet (/28!) for each student!
● Subnet routed to your studlab machine
● Used for courses and experiments
● Don't start your own hosting company!
● For projects, IP space can be requested.
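What "a routed /28 per student" means in numbers, as an added example (not from the OS3 slides): the studlab /22 from the previous slide is cut into /28s, each student gets one, and a /28 leaves 14 assignable addresses once network and broadcast are taken out. Which /28 belongs to which student is an assumption here; the real assignment is in your e-mail.

```python
import ipaddress

# Added example, not from the OS3 slides. The studlab block is from the routing
# slide; the mapping of students to /28s is assumed.
STUDLAB = ipaddress.ip_network("145.100.104.0/22")


def student_subnets(block=STUDLAB, prefixlen=28):
    """Every /28 that fits in the studlab block, in address order."""
    return list(block.subnets(new_prefix=prefixlen))


def subnet_for(address, block=STUDLAB, prefixlen=28):
    """The /28 an address belongs to, or None if the address is not in studlab at all."""
    addr = ipaddress.ip_address(address)
    if addr not in block:
        return None
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def usable_hosts(net):
    """Addresses a student can actually hand out on the /28: 14 of the 16,
    since the network and broadcast addresses are not assignable."""
    return [str(h) for h in net.hosts()]


def enough_for(servers):
    """True if one /28 per machine fits in the block (the slides list 25 + 15 + 10 servers)."""
    return servers <= len(student_subnets())


if __name__ == "__main__":
    subs = student_subnets()
    print(f"{len(subs)} x /28 in {STUDLAB}, first {subs[0]}, last {subs[-1]}")
    print("145.100.105.37 lives in", subnet_for("145.100.105.37"))
    print("usable on", subs[0], "->", usable_hosts(subs[0]))
```

The core router needs one static route per /28 pointing at the owning studlab machine; that is what "routed to your studlab machine" on the slide refers to.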
Routing: IPv6 (1/2)
● OS3 network is dual stack IPv4/IPv6
● OS3 main servers are dual stack too :)
– Website runs on IPv6 (duh!)
– Mail accessible through IPv6
● Applications are not always IPv6 compatible!
– Single stack considered legacy?
– Please report IPv6 problems to me!
Routing: IPv6 (2/2)
● OS3 networks have the following scheme:
– 2001:610:158:<VLAN>::/64
– Router always on 2001:610:158:<VLAN>::1
● Configuration in two ways:
– Static IPs as given out by me
– Auto-configuration (SLAAC)
● Studlab addresses to be found in your e-mail
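The addressing scheme above worked through, as an added example (not from the OS3 slides): the /48 and the "router is ::1" rule are from the slide; treating the VLAN number as the literal digits of the fourth hextet (VLAN 100 becomes 2001:610:158:100::/64) and the MAC address used are assumptions. The last function shows the caveat with SLAAC: an EUI-64 interface ID is the MAC address with ff:fe inserted and one bit flipped, so anyone who sees the address learns the hardware address and can recognise the laptop on any other network.

```python
import ipaddress

# Added example, not from the OS3 slides. Site prefix from the slide; the VLAN
# encoding (literal digits in the fourth hextet) is an assumption.
SITE = "2001:610:158"


def vlan_prefix(vlan):
    """The /64 for a VLAN under the scheme 2001:610:158:<VLAN>::/64."""
    return ipaddress.ip_network(f"{SITE}:{vlan}::/64")


def router_address(vlan):
    """Default gateway on every OS3 VLAN: <prefix>::1."""
    return vlan_prefix(vlan).network_address + 1


def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291 appendix A): split the MAC in two, insert ff:fe,
    and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(vlan, mac):
    """Address a host with this MAC autoconfigures on the VLAN with EUI-64 SLAAC."""
    net = vlan_prefix(vlan)
    return net.network_address + int.from_bytes(eui64_interface_id(mac), "big")


def mac_from_slaac(address):
    """Recover the MAC from an EUI-64 address, or None when the interface ID is not
    EUI-64 (a static address such as ::1, or an RFC 4941 privacy address)."""
    iid = int(ipaddress.ip_address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02
    return ":".join(f"{b:02x}" for b in bytes([first]) + iid[1:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:1b:21:aa:bb:cc"   # constructed example MAC
    addr = slaac_address(100, mac)
    print("gateway:", router_address(100))
    print("SLAAC address:", addr, "-> leaks MAC", mac_from_slaac(addr))
```

If the tracking property matters (laptops on the black student network), enable privacy extensions on the client rather than relying on EUI-64; the router and static server addresses are unaffected.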
Services run by OS3
Mail, Web, DNS, Shell, Wiki, ...
OS3 server hardware
● Dell PowerEdge 2650
● 2U (rack units) high
● Intel QuadCore 2.0 GHz
● 4 GB memory
● 4 x 500 GB SATA (2 x RAID1 sets)
OS3 server software
● Ubuntu as main server OS
– Currently Ubuntu 12.04 LTS
– Some servers still need to be upgraded to 12.04
● Generic software from the package manager
– BIND, Postfix, Apache, OpenLDAP etc.
– Open standards, open software, open security
– ...practice what you preach :)
– KISS: keep it short and simple
OS3 servers—future plans
● Virtualization!
– Most servers now run Xen Dom0 only :o
– Takes time to do it right
– Private OS3 cloud coming soon! (I hope...)
● Gimme more...
– Storage (SuperMicro, 24 x 3 TB)
– Virtual machines (requires more memory)
– Shared workspace (file sharing, svn etc.)
OS3 server names
● Servers are named after Gummi Bears :o
– Tummi: DNS, mail, LDAP
– Zummi: web, DNS
– Sunni: staff applications
– Grammi: storage, NFS
– Gruffi: storage (spare)
– Gusto: student server (shell etc.)
OS3 e-mail (1/3)
● 1 GB mailbox for students!
● Official address used by OS3!
● Address: [email protected]
● Mailing list: [email protected]
● Webmail: https://webmail.os3.nl/
● Filtering and forwarding via webmail
OS3 e-mail (2/3)
● SMTP: sending e-mail
– smtp.os3.nl
– STARTTLS
– TCP port 587
● IMAP: reading e-mail
– imap.os3.nl
– SSL/TLS
– TCP port 993
OS3 e-mail (3/3)
● Use of PGP encouraged!
● Pretty Good Privacy :)
● Is able to sign e-mail (integrity)
● Is able to encrypt e-mail (confidentiality)
● OS3 key signing party?
● GPG: GNU Privacy Guard
● Enigmail: Thunderbird PGP plugin
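The two properties named above (a signature for integrity, encryption for confidentiality) driven from Python, as an added example that is not from the OS3 slides. It assumes GnuPG 2.1 or newer is installed as `gpg`; the two people, their addresses, the message and the throwaway keyring are all constructed for the example. The tampering step is the part a key signing party is about: a changed message fails verification, but only if the verifier trusts the right key.

```python
import os
import subprocess
import tempfile

# Added example, not from the OS3 slides. Assumes GnuPG 2.1+ as `gpg`;
# names, addresses and message text are made up.


def _gpg(home, *args, **run_kwargs):
    """Run gpg non-interactively against a private GNUPGHOME."""
    base = ["gpg", "--batch", "--quiet", "--yes",
            "--pinentry-mode", "loopback", "--passphrase", ""]
    return subprocess.run(base + list(args), env={**os.environ, "GNUPGHOME": home},
                          capture_output=True, **run_kwargs)


def make_keyring():
    """Fresh keyring with a key each for Alice (signer) and Bob (recipient), no passphrase."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o700)
    for uid in ("Alice <alice@example.test>", "Bob <bob@example.test>"):
        _gpg(home, "--quick-generate-key", uid, "default", "default", "never", check=True)
    return home


def sign(home, text, signer="alice@example.test"):
    """Clear-signed message: readable by anyone, but any change breaks the signature."""
    return _gpg(home, "--local-user", signer, "--clearsign", input=text.encode(), check=True).stdout


def verify(home, signed):
    """True only if the signature checks out against a key in the keyring."""
    return _gpg(home, "--verify", input=signed).returncode == 0


def encrypt(home, text, to="bob@example.test", signer="alice@example.test"):
    """Sign and encrypt to Bob; only Bob's private key can read the result."""
    return _gpg(home, "--local-user", signer, "--recipient", to, "--trust-model", "always",
                "--sign", "--encrypt", "--armor", input=text.encode(), check=True).stdout


def decrypt(home, armored):
    """Decrypt with whichever private key in the keyring matches (Bob's here)."""
    return _gpg(home, "--decrypt", input=armored, check=True).stdout.decode()


def tamper(signed):
    """Simulate an in-transit edit of the signed text."""
    return signed.replace(b"14:00", b"15:00")


if __name__ == "__main__":
    home = make_keyring()
    msg = "Meet in the OS3 server room at 14:00\n"   # constructed message
    signed = sign(home, msg)
    print("original verifies:", verify(home, signed))
    print("tampered verifies:", verify(home, tamper(signed)))
    print("round trip:", decrypt(home, encrypt(home, msg)) == msg)
```

Signing alone leaves the text readable (the clear-signed output contains it verbatim); encrypting alone says nothing about who wrote it. Enigmail does both by default when a recipient key is known, which is why the slide lists them separately.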
Domain Name System (1/2)
● Software: BIND on Ubuntu
– Future: Unbound/NSD on Debian?
● Caching and resolving from within OS3
– dns1.serv.os3.nl
– dns2.serv.os3.nl
● Just authoritative for os3.nl from outside
– ns1.os3.nl
– ns2.os3.nl
Domain Name System (2/2)
● One of the first .nl DNSSEC domains :)
● DNSSEC only on the authoritative side
– Planning to set up a validating resolver
● os3.nl was recently abused in DNS reflection/amplification attacks, precisely because it is DNSSEC-signed
– Free advertisement for OS3 \o/ ;-)
– Signed answers are large, and the attackers spoof the victim's address as the query source; the providers they send from do not check that the source IP belongs to their own network
– Rate limiting the responses seems to be the only remedy on our side :(
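What the three plans above look like in BIND 9.9+ configuration, as an added example: this is not the OS3 configuration, the prefixes are the OS3 ranges from the routing slides, and the rate-limit numbers are assumptions. The resolver and authoritative roles live on different hosts at OS3 (dns1/dns2 versus ns1/ns2), so each host would take only the options for its role.

```conf
// Added example, not the real OS3 named.conf. Prefixes from the routing slides,
// rate-limit values assumed.
acl os3 { 145.100.96.0/20; 2001:610:158::/48; 127.0.0.1; ::1; };

options {
    directory "/var/cache/bind";

    // Resolver role (dns1/dns2): recurse only for OS3. An open resolver is
    // itself an amplifier, whether or not the zone is signed.
    allow-recursion { os3; };
    allow-query-cache { os3; };

    // Validate DNSSEC on the resolver side as well; "auto" uses the built-in
    // root trust anchor, so clients get SERVFAIL instead of forged answers.
    dnssec-enable yes;
    dnssec-validation auto;

    // Authoritative role (ns1/ns2): keep answers as small as the protocol
    // allows, which lowers the amplification factor of every reflected query.
    minimal-responses yes;

    // Response Rate Limiting: identical answers towards one /24 (IPv4) or /56
    // (IPv6) are capped per second. Every second excess answer is replaced by
    // a truncated reply, so a real client retries over TCP (which cannot be
    // spoofed) while a reflection victim receives almost nothing.
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        log-only no;
    };
};
```

Set `log-only yes;` first to see what would be dropped; RRL cannot stop the spoofed queries from arriving, it only stops ns1/ns2 from being the amplifier, which is why the slide calls it a remedy rather than a fix.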
Website and wiki
● Website == wiki
● Some parts are public, other parts are private
– Public: general and course information
– Private: student playground \o/
● Log in with your OS3 account
● Keep a log on your wiki subtree
– …/students/name_surname/cia for CIA
Student shell server
● shell.students.os3.nl
● Shell access via SSH to Ubuntu 12.04 LTS
– Login with user/pass or SSH keys
● Typical usage: screen, irssi, IM, …
● Persistent and secure home directory!
– Stored on RAID5
– Mounted via NFS
Student machines
Workstations and servers
Lab UTP cabling (1/2)
● Blue: workstation network
● Black: laptop network
● White: experiment connection 1
● Grey: experiment connection 2
Lab UTP cabling (2/2)
● Blue UTP cable
– Workstation: use for the desktop only!
● Black UTP cable
– Laptop network
– Send me your MAC address by e-mail
● White and Grey UTP cable
– For use in experiments later this year
– Patched to the server room
Studlab servers and network (1/4)
● One server per student!
– 25 x Dell PowerEdge R210 I
– 15 x Dell PowerEdge R210 II
– 10 x Dell PowerEdge 860
● Use this machine for lab exercises
● You “own” this machine!
– Install and administer your own server
– You are responsible for your server
Studlab servers and network (2/4)
● Dell PowerEdge R210 specs:
– Intel Xeon L3426
– 8 GB memory
– 2 x 500 GB SATA disks
– iDRAC6 Enterprise
– Hardware Virtualization
Studlab servers and network (3/4)
● KVM available via iDRAC6
– Keyboard, Video, Mouse
– https://drac.<city>.studlab.os3.nl/
– Java applet for VNC-like administration
● Don'ts with your machine
– Start a webhosting company on it
– Seed torrents of the latest Hollywood movies
– Mount attacks on other Internet sites
Studlab servers and network (4/4)
● iDRAC network interface
– 10/100 Mbit, used for iDRAC only
● eth0 network interface
– Gigabit connection to the OS3 network
– Use DHCP to obtain an IP address
● eth1 network interface
– Can be used during courses and experiments
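The interface layout above as an Ubuntu 12.04 `/etc/network/interfaces`, together with the per-student /28 from the routing slides, as an added example (not a configuration handed out by OS3). The specific /28 (145.100.104.16/28) stands in for the one in your e-mail and is an assumption, as is the choice to hang the /28 off eth1; the slides only say the subnet is routed to your machine.

```conf
# Added example, not the OS3-provided configuration. The /28 is assumed.
auto lo
iface lo inet loopback

# eth0: gigabit uplink to the OS3 network. IPv4 from DHCP as the slide says,
# IPv6 by SLAAC from the router on 2001:610:158:<VLAN>::1.
auto eth0
iface eth0 inet dhcp
iface eth0 inet6 auto

# eth1: experiment interface. The core router sends the student's /28 to this
# machine's eth0 address; giving eth1 the first usable address of the /28 lets
# experiment boxes behind eth1 use the remaining 13 addresses with this server
# as their gateway. Forwarding must be on for that to work, and it makes this
# box a router for whatever is plugged into eth1, so filter accordingly.
auto eth1
iface eth1 inet static
    address 145.100.104.17
    netmask 255.255.255.240
    up sysctl -w net.ipv4.ip_forward=1
    down sysctl -w net.ipv4.ip_forward=0
```

The iDRAC port is not in this file on purpose: it is a separate network interface with its own address on the DRAC network, managed from the iDRAC web interface, and the OS should not have it configured at all.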