A Gentoo Linux Advanced Reference Architecture

Sven Vermeulen

You are free to share (copy, distribute and transmit) the work as well as remix (adapt) the work under the conditions of the Creative Commons Attribution Noncommercial Share Alike 2.0 license, available at http://creativecommons.org/licenses/by-nc-sa/2.0/be/deed.en

Abstract

The book "A Gentoo Linux Advanced Reference Architecture" is meant as a resource that displays the powerful features of the many free software solutions supported on top of Gentoo Linux. It takes a deep-dive approach to the processes, supportability and maintainability of Gentoo Linux system deployments.

Unlike the existing per-application documents on the Internet (which are a valuable resource for getting into the gory details of many applications) and the per-distribution guides that provide information on using a particular distribution, this book focuses on architecting IT infrastructure for medium-sized enterprises. Smaller enterprises might find the reference architecture here too expensive or too large; however, many of the services described in the book can be slimmed down into a smaller deployment as well.

It is strongly recommended to have a good grasp of what Gentoo Linux is to start with. The other online resource ("Linux Sea") can be a good introduction to Gentoo Linux, but that might not be sufficient to appreciate the detail and organization of this book.

This book will progress rather slowly (compared to the initial development of "Linux Sea"), as its content is written down as I teach myself the technologies mentioned within. When the development of this book started, knowledge about the technical services described later was still limited, and the book is used as a sort of progress report by the author. Call it offsite knowledge storage ;-)

The version you are reading currently is v0.22 and has been generated on 2014/01/01.


Table of Contents

1. Infrastructure Architecturing for Free Software
Introduction
Architecture frameworks
Reference architecture for infrastructure
Designing a reference architecture
The process
Logical design
About this book
2. Platform selection
Gentoo Linux
Basic OS - the requirements
Services
Access management services
Monitoring services
Backup services
Configuration management
Compliance management
Distributed resource management
Architecture
Flows and feeds
Administration
Monitoring
Operations
Users
Security
Pluggable Authentication Modules
Principles behind PAM
How PAM works
Managing PAM configuration
Configuring PAM on the system
Learning more about PAM
Gentoo Hardened
PaX
PIE/PIC/SSP
Checking PaX and PIE/PIC/SSP results
SELinux as MAC
grSecurity kernel improvements
Using IMA and EVM
OpenSSH
Key management
Securing OpenSSH
Using DNS SSHFP fields
Logging and auditing
System logging
Auditing
Privilege escalation through sudo
Centralized sudoers file
Resources
3. The environment at large
Structuring the environment
Multi-tenancy
SLA groups
Architectural positioning
Categories
Resources
4. DNS services
DNS
Architecture
Flows and feeds
Administration
Monitoring
Operations
Users
Security
BIND
From records to views
Deployment and uses
Using bind
Logging
Resources
5. DHCP services
DHCP
Bootstrap Protocol
Various DHCP options
Architecture
Flows and feeds
Administration
Monitoring
Operations
Users
Security
ISC DHCP
Installation and configuration
Logging
Resources
6. Certificates and PKI
Why it is needed
How do certificates work
Certificates in organizations
CA service providers
Certificate management protocols
Architecture
Flows and feeds
Administration
Monitoring
Operations
Users
Security
OpenSSL as CA
Setting up the CA
Daily handling
Scripted approach
Mail service
Fetchmail
Procmail
7. Highly Available File Server
Introduction
NFS v4
Architecture
Installation
Configuration
Disaster Recovery Setup
Architectures
Simple replication
DRBD and Heartbeat
Resources
8. A Gentoo build server
Introduction
Building a build server
Setup build host
Enabling the web server
Resources
9. Database Server
Introduction
PostgreSQL
Architecture
Deployment and uses
MySQL
Architecture
Deployment and uses
User management
Resources
10. Mail Server
Introduction
Postfix
Architecture
Installation
Managing Postfix
Scaling Postfix
11. Configuration management with git and Puppet
Introduction
Central configuration management, or federated?
About Puppet
About Git
Git with gitolite
Architecture
Using gitolite
Puppet
Architecture
Setting up puppet master
Setting up puppet clients
Working with Puppet
The power of Puppet's definitions
Resources
12. Virtualization with KVM
Introduction
Virtualization using KVM
Why virtualize
Architecture
Deployment and uses
Offline operations
Bare metal recovery (snapshot backups)
Integrity validation (offline AIDE scans)
Index

List of Figures

2.1. Services for an operating system platform
2.2. Components for operating system platform
2.3. Backup (cannot be simpler than this ;-)
2.4. Log flows from server to central log server
2.5. Operating system administration
2.6. Operating system monitoring
2.7. Running compliance (and inventory) validation
2.8. Schematic representation of PAM
2.9. Syslog mode of operations
2.10. Audit operations
3.1. Multi-tenant setup
3.2. SLA group structure
3.3. Architectural positioning
3.4. Example categorization for end user devices, internal workstations
4.1. DNS services
4.2. Simple DNS architecture
4.3. Flows and feeds
4.4. BIND administration
4.5. BIND monitoring
4.6. Standard operation usage of BIND
4.7. DNSSEC overview
5.1. Standard DHCP flow
5.2. Standard HA architecture for DHCP
5.3. Administering DHCPd
5.4. Operational flows and activities on DHCP service
6.1. Certificates and CAs in a nutshell
6.2. Flows and feeds for the CA server
6.3. Operations on a CA server
6.4. User definitions for CA operations
7.1. NFSv3 versus NFSv4
7.2. Alternative HA setup using DRBD and Heartbeat
7.3. HTree in a simple example
9.1. Load balanced setup
9.2. Backup architecture for a PostgreSQL setup
9.3. Standby setups
9.4. Internal architecture for PostgreSQL
10.1. High-level architecture for Postfix
11.1. Overview for configuration management
11.2. Git and gitolite flows
11.3. Gitolite administration
11.4. Flows towards and from puppet
11.5. Puppet administration
11.6. Regular operations of puppet