DNS updated¶

https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/DNS is updated, covering the latest changes.

TL;DR: all (internal and external) heroes networks now have at least one dedicated DNS server.

JFYI: NTP problems¶

ntp1.opensuse.org and ntp2.opensuse.org lately got hit by a heatwave. Meanwhile, they are back online.

Monitoring¶

We are back to "just" Update service problems. Which keeps us with:

• 89 machines
• 1859 services

New haproxy setup at IPX¶

We've now ipx-proxy1.infra.opensuse.org up and running, providing the same services as anna/elsa.

• dehydrated is adjusted (SSL certificates should be deployed automatically)
• haproxy configurations on anna/elsa and ipx-proxy1 are identical
• bind is up and running (configuration identical with provo-proxy, anna & elsa)

New narwal setup at IPX¶

We've now ipx-narwal1.infra.opensuse.org (alias narwal1.infra.opensuse.org) up and running, providing the same services as narwal{4-7}.infra.opensuse.org

• nginx is up and running
• sync from narwal5 is tested (script adjusted)

narwal4.infra.opensuse.org nginx config was broken - restored.

Distribution status¶

1x CentOS Stream 8¶

EOL: December 31st, 2021

freeipa2.infra.opensuse.org - unused machine?

1x openSUSE Leap 15.2¶

EOL: January 4, 2022

progress.infra.opensuse.org - progressoo.infra.opensuse.org exists as replacement. But the current redmine package does not build any longer on 15.4.

2x SUSE Linux Enterprise Server 12 SP5¶

EOL: June 30, 2023

• community.infra.opensuse.org
• forum.infra.opensuse.org

6x openSUSE Leap 15.3¶

EOL: end of November 2022

1. riesling3.infra.opensuse.org
2. riesling.infra.opensuse.org
3. obsreview.infra.opensuse.org
4. mailman3.infra.opensuse.org
5. dale.infra.opensuse.org
6. nuka.infra.opensuse.org

6x openSUSE Tumbleweed¶

1. gitlab-runner1.infra.opensuse.org
2. gitlab-runner2.infra.opensuse.org
3. gcc-stats.infra.opensuse.org
4. matrix.infra.opensuse.org
5. chip.infra.opensuse.org
6. mickey.infra.opensuse.org

70x openSUSE Leap 15.4¶

...all other...

New mirror sync¶

Aside from the push mirroring, rsync.o.o and provo-mirror.o.o now run regular sync jobs. This will hopefully keep our own 3 mirrors in sync, even if there are network problems or power cycles in between the push syncs.

As both mirrors provide currently enough space, there is no need to exclude files from the sync.

In the home of the 'mirror' user on each machine are now simple 'loop' (rsync) scripts (see /home/mirror/bin/ for details). These scripts hopefully split the >30TB of data into small enough chunks to get them synced in time.

A service called 'cscreend' is started during boot. This service runs as mirror user, starting screen with multiple sessions in it. Each session is executing one of the loop-scripts. Most scripts include a short (random) break after each run, to allow stage.o.o to 'cool down' a bit.

Logfiles are provided in /var/log/screen/ on each machine.

If you want to "see" the current sync:

• Log in on the server
• Become user 'model's
• Execute screen -x to attach to the multi-screen
• Press [Control]-A + [shift]-" to get a list of running sessions
• Use arrow keys + [enter] to select the interesting one (all have speaking names)
• Use [Control]-A + d to leave the screen again

openVAS¶

As it became a ticket lately - yes, we run an internal openVAS scanner since a while, to detect security issues - hopefully before any hacker detect and misuses them.

The machine doing this is called kali.infra.opensuse.org.

From time to time, SUSE-IT Security is also running security scans against the outside/public perimeter of the openSUSE infrastructure. They are using Qualys for this.

Combining the reports of both Vulnerability-Scanners provides a good overview of the security state of our openSUSE infrastructure.