From 26849832438d9e2d892a87e9933bcb013f63ea30 Mon Sep 17 00:00:00 2001 From: Peter Boy Date: Mar 11 2021 10:30:10 +0000 Subject: renamed files (all lowercase), added content (container) --- diff --git a/docs/modules/ROOT/pages/container-nspawn.adoc b/docs/modules/ROOT/pages/container-nspawn.adoc new file mode 100644 index 0000000..a62cc21 --- /dev/null +++ b/docs/modules/ROOT/pages/container-nspawn.adoc @@ -0,0 +1,14 @@ += Systemd Nspawn Container +Peter Boy; Jan Kuparinen +:page-authors: {author}, {author_2} + +[sidebar] +**** +Author: Peter Boy (pboy) | Creation Date: N/A | Last update: N/A | Related Fedora Version(s): 33 +**** +[NOTE] +==== +Work in progress. Coming soon +==== + + diff --git a/docs/modules/ROOT/pages/server-administration.adoc b/docs/modules/ROOT/pages/server-administration.adoc new file mode 100644 index 0000000..a55dbe2 --- /dev/null +++ b/docs/modules/ROOT/pages/server-administration.adoc 
@@ -0,0 +1,55 @@ += Fedora Server Administration Guides +Peter Boy; Jan Kuparinen +:page-authors: {author}, {author_2} + +[sidebar] +**** +Author: Peter Boy (pboy) | Creation Date: 2021-03-10 | Last update: N/A | Related Fedora Version(s): 33 +**** +[NOTE] +==== +First Draft! Please comment on server mailing list +==== + +== What You Find Here + +Basic installation and system administration is covered by Fedora's overall Installation Guide (link) and System Administration Guide (link). But there are several of Fedora Server specific topics which are not included. There are such basic items as harddisk partitioning to more advanced security considerations up to virtualisation. + +== Basic System Installation +(to be decided: alternatively: expand Fedora central Installation and System Administration Guides) + +=== Disk Partitioning + +- What default partitioning does +- Raid system +- Hard disk larger as 2 TB in Raid set ups +- UEFI boot + +=== Networking +- Static configuration, appropriate for servers +- Post F32 network config file locations + +== Post Installation security enhancements +- Installing fail2ban (short step-by-step installation guide the Fedora way) +- Disabling ssh password based login for all users but a small number of fallbacks (short guide how to do) +- Protecting Cockpit password login +- Don't deactivate SELinux but resolve issues (link to cockpit SELinux page and description how to resolve on CLI (or link) ) +- Reduce the number of system users (If certain system users are required, move each (or all) to a lightweight system container, e.g. 
systemd-nspawn, or even a (semi-lightweight) Cloud Image VM) +- Would be nice to offer some configurable Ansible scripts for those repetitive tasks (downloadable from server-wg home page) +- links to existing script at github system roles und a guide how to use that script for this purpose + +== Specific System Administration Tasks + +=== Cockpit +- recommended documentation for specific types of installation / use case +- how to secure access / login page (integration into fail2ban, access via ssh tunnel, access via VPN) + +=== SELinux issues +- How to fix + +=== How to manage storage + + + + +Further topics of this kind to be added diff --git a/docs/modules/ROOT/pages/server-communicating.adoc b/docs/modules/ROOT/pages/server-communicating.adoc new file mode 100644 index 0000000..f73dad3 --- /dev/null +++ b/docs/modules/ROOT/pages/server-communicating.adoc 
@@ -0,0 +1,27 @@ += Communicating and Getting Help +Peter Boy; Jan Kuparinen +:page-authors: {author}, {author_2} + +[sidebar] +**** +Author: Jan Kuparinen (copperi) | Creation Date: 2021-03-09 | Last update: N/A | Related Fedora Version(s): All +**** +[NOTE] +==== +Placeholder! Please comment on server mailing list +==== + + + +For general troubleshooting help related to Fedora, please refer to link:https://ask.fedoraproject.org[Ask Fedora Forum]. + +If you found a bug, report it! +* link:https://docs.fedoraproject.org/en-US/quick-docs/howto-file-a-bug/[How to file a bug]. + +* Issues about a server can be filed at link:https://pagure.io/fedora-server/issues[ticketing repository on Pagure]. + +* You can chat with us at link:https://webchat.freenode.net/?channels=#fedora-server[#fedora-server on irc.freenode.net]. + +* You can discuss server issues at link:https://discussion.fedoraproject.org/c/server[Server Discussion Forum]. + +* You can e-mail us on the Server mailing list at link:https://lists.fedoraproject.org/admin/lists/server@lists.fedoraproject.org/[server@lists.fedoraproject.org]. \ No newline at end of file diff --git a/docs/modules/ROOT/pages/server-community.adoc b/docs/modules/ROOT/pages/server-community.adoc new file mode 100644 index 0000000..ab02f73 --- /dev/null +++ b/docs/modules/ROOT/pages/server-community.adoc 
@@ -0,0 +1,28 @@ += Server Community, Policies, and Working Methods +Peter Boy; Jan Kuparinen +:page-authors: {author}, {author_2} + +[sidebar] +**** +Creation Date: N/A | Last update: N/A | Related Fedora Version(s): 33 +**** +[NOTE] +==== +First Collection of Ideas! Please comment on server mailing list +==== +[TIP] +==== +Intended content: Basic information how work on Server is organiszed. In a first version probably just the most importent content of the Working Group and the SIG and a collection of annotated links to the most important information sources (WG wiki, SIG wiki, pagure, fedora calendar, anything else?) +==== + + +(We should make the working group more "tangible" and transparent, not just refer to an (anonymous) mailing list.) + + + 1 SIG / Link to SIG Wiki + 1.1 Members of SIG + 2 WG / Link to WG Wiki + 2.1 Members of WG incl. Tasks / area of commitment + 2.1.1 Governance Charter + 3 Product Requirements Document + 4 Various other suitable contents of the Fedora Server Wiki pages \ No newline at end of file diff --git a/docs/modules/ROOT/pages/server-containers.adoc b/docs/modules/ROOT/pages/server-containers.adoc new file mode 100644 index 0000000..31c0321 --- /dev/null +++ b/docs/modules/ROOT/pages/server-containers.adoc 
@@ -0,0 +1,85 @@ += Containerization +Peter Boy; Jan Kuparinen +:page-authors: {author}, {author_2} + +[sidebar] +**** +Author: Peter Boy (pboy) | Creation Date: N/A | Last update: N/A | Related Fedora Version(s): 33 +**** +[NOTE] +==== +Work in progress. Coming soon +==== + + +Planned content: + +(**Preliminary note**) + +* Currently on everyone's lips, prominent subject of public discussion +* Often equated with "Docker" +* But: One size doesn't fit all. There are alternatives, some with a different application profile. +* *Fedora Server supports and allows several alternatives that can be used depending on the local / user's requirement profile.* + +== Overview + +* All containers on a system use the same kernel +* Some kind of isolation using kernel capabilities (cname, etc) to isolate processes from each other +* Differences in implementations, toolset, environment, community +* system container vs application container (main feature existence of an init system) + +== Podman + +* application container +* security enhancement: no root privileges required +* optimized for interaction of several containers to perform a task +* same container image as Docker, mutually usable +* *natively supported by Fedora Server* + +== Docker + +* application container +* dependent on a Damon with ROOT privileges +* huge trove of pre-built containers for all sorts of software +* no native support in Fedora Server, but a *vendor repository* maintained for Fedora + +== LXC (libvirt) + +* system container +* support of container runtime based on kernel capabilities +* rough toolset support (requires to compose various xml files) +* *natively supported by Fedora Server* (via libvirt as default virtualization tool) + +== LXC (linuxcontainers) + +* systemcontainer +* one of the first implementations of containers +* system containers +* originally base of Docker +* complete toolset, container images, community +* *natively supported by Fedora Server* (just LTS versions) + +== LXD 
(linuxcontainers) + +* system container +* LXC with advanced toolset +* not natively supported by Fedora, but a *COPR project* available +* *vendor support* for Fedory by third party packagemanager + +== systemd-nspawn container + +* system container and also configurable as a kind of application container +* rather new development +* toolset highly integrated into systemd system management +* "lightweight virtual machine" +* *natively supported by Fedora Server* + +== Linux Vserver + +* requires modified kernel +* *no native Fedora Server support* + +== OpenVZ + +* Uses a self customized version of RHEL / CentOS +* *Not applicable for Fedora Server* diff --git a/docs/modules/ROOT/pages/server-faq.adoc b/docs/modules/ROOT/pages/server-faq.adoc new file mode 100644 index 0000000..aca6a19 --- /dev/null +++ b/docs/modules/ROOT/pages/server-faq.adoc @@ -0,0 +1,18 @@ += Frequently Asked Questions (FAQ) +Peter Boy; Jan Kuparinen +:page-authors: {author}, {author_2} + +[sidebar] +**** +Author: Jan Kuparinen (copperi) | Creation Date: 2021-03-09 | Last update: N/A | Related Fedora Version(s): All +**** +[NOTE] +==== +Placeholder! Please comment on server mailing list +==== + +[qanda] +Can I see a built preview of this template to get a better idea about the result?:: + Of course you can! Just look at the README of the repository — it should tell you everything. +Is writing documentation hard and dreadful?:: + Absolutely not (OK, just joking). Writing documentation in asciidoc is very simple and straightforward. And in fact, writing documentation makes you very happy. Just try and see for yourself! diff --git a/docs/modules/ROOT/pages/server-troubleshooting.adoc b/docs/modules/ROOT/pages/server-troubleshooting.adoc new file mode 100644 index 0000000..c0edae2 --- /dev/null +++ b/docs/modules/ROOT/pages/server-troubleshooting.adoc 
@@ -0,0 +1,37 @@ += Communicating and Getting Help +Peter Boy; Jan Kuparinen +:page-authors: {author}, {author_2} + +[sidebar] +**** +Author: Jan Kuparinen (copperi) | Creation Date: 2021-03-09 | Last update: N/A | Related Fedora Version(s): 33 +**** +[NOTE] +==== +First Collection of Ideas! Please comment on server mailing list +==== + + +Some examples from the latest discussions + +1. The well known BIOSboot partition issue +2. systemnd-oomd and httpd / jBoss/wildfly +3. UEFI – one ESP for /boot/efi requirement in software RAID 1 / RAID x + +### Some generic information + + +If you found a bug, report it! + +* link:https://docs.fedoraproject.org/en-US/quick-docs/howto-file-a-bug/[How to file a bug]. + +* Issues about a server can be filed at link:https://pagure.io/fedora-server/issues[ticketing repository on Pagure]. + +* You can chat with us at link:https://webchat.freenode.net/?channels=#fedora-server[#fedora-server on irc.freenode.net]. + +* You can discuss server issues at link:https://discussion.fedoraproject.org/c/server[Server Discussion Forum]. + +* You can e-mail us on the Server mailing list at link:https://lists.fedoraproject.org/admin/lists/server@lists.fedoraproject.org/[server@lists.fedoraproject.org]. + +For general troubleshooting help related to Fedora, please refer to link:https://ask.fedoraproject.org[Ask Fedora Forum]. + \ No newline at end of file diff --git a/docs/modules/ROOT/pages/server-tutorials.adoc b/docs/modules/ROOT/pages/server-tutorials.adoc new file mode 100644 index 0000000..ad1dd6f --- /dev/null +++ b/docs/modules/ROOT/pages/server-tutorials.adoc 
@@ -0,0 +1,24 @@ += Fedora Server Tutorials +Peter Boy; Jan Kuparinen +:page-authors: {author}, {author_2} + +[sidebar] +**** +Author: Peter Boy (pboy) | Creation Date: N/A | Last update: N/A | Related Fedora Version(s): 33 +**** +[NOTE] +==== +First Collection of Ideas! Please comment on server mailing list +==== + + +Some ideas: + +- Setting up a dedicated rented off premise Internet Server (example Hetzner) +- Setting up a private local (on premise) Internet server +- Setting up an Internet server for SMEs +- Setting up a homelab / worklab Server +- Setting up a simple private Mail Server +- Setting up a full features Mail Server +- Backup Guide +- (more to come) \ No newline at end of file diff --git a/docs/modules/ROOT/pages/server-usecases.adoc b/docs/modules/ROOT/pages/server-usecases.adoc new file mode 100644 index 0000000..08a8ff7 --- /dev/null +++ b/docs/modules/ROOT/pages/server-usecases.adoc @@ -0,0 +1,27 @@ += Fedora Server Example Use Cases +Peter Boy; Jan Kuparinen +:page-authors: {author}, {author_2} + +[sidebar] +**** +Author: N/A | Creation Date: N/A | Last update: N/A | Related Fedora Version(s): 33 +**** +[NOTE] +==== +First Collection of Ideas! Please comment on server mailing list +==== + + 1 Setting up a Fedora Local Home Server, including + 1.1 Security considerations + 1.2 Considerations organizing storage + 1.3 Configuring local network + 1.4 file services Windows. Apple, Fedora Workstation + 1.5 media server + 1.6 (personal web server, perhaps rather a bit off the mark) + 1.7 Again, probably providing a configurable / adaptable Ansible playbook + 2 Set up a Home Server Mail Service + (items according to above) + 3 More to come (hopefully) + + + diff --git a/docs/modules/ROOT/pages/server-virtualization.adoc b/docs/modules/ROOT/pages/server-virtualization.adoc new file mode 100644 index 0000000..8b36ace --- /dev/null +++ b/docs/modules/ROOT/pages/server-virtualization.adoc 
@@ -0,0 +1,46 @@ +# Virtualization + +[sidebar] +**** +Author: Peter Boy (pboy) | Creation Date: 2021-03-10 | Last update: N/A | Related Fedora Version(s): 33 +**** +[NOTE] +==== +First Draft! Please comment on server mailing list +==== + + +Today's Hardware is pretty much powerful enough to run not only one server but many of them. + +Virtualization means that several complete and probably different operating systems run on one and the same hardware - as far as possible independently and isolated from each other. + +Containers are an alternative. Here, several containers use the kernel of the host system simultaneously. The mutual isolation is lower, but the performance overhead is also lower. + +Fedora Server uses KVM and the libvirt libraries for virtualization. Another alternative that is often used is XEN. + +System software required for virtualization is not automatically installed. It can be added as an option during installation. However, a more targeted installation is a subsequent, precisely fitting installation. + +After Fedora Server is enabled for virtualization, one or more virtual machines can be installed. This can also be Fedora Server, or any other distribution. + +## Adding Virtualization + +This step includes an installation of the libvirt software and further configuration steps. For example, external connectivity must be set up for virtual machines, e.g. through a virtual bridge. Often, an internal network is also required for protected communication between the virtual machines or with the host system. + +## Adding Virtual Machines + +There are two common ways to install virtual machines: + +- Use of the distribution-specific installation program with the help of specialized utilities +- Installation of cloud (base) images, a variant of the operating system optimized for virtualization. + +### Distribution specific installation + +To do this, the standard ISO file is copied to the server and then executed via a utility. 
The web-based administration tool Cockpit is currently recommended for Fedora Server. An alternative is Virt-Manager, a graphical utility. However, it must be installed on the local workstation (Linux only) and then works via a ssh connection. Execution on the server itself is not supported, as Fedora Server is designed to be "headless", i.e. without a graphical user interface. + +Experienced administrators can also initialize an installation via the command line using VNC and virt-install. However, this is comparatively time-consuming and error-prone. + +### Cloud Base Images + +A special feature of cloud images is a configuration for a specific runtime environment and purpose with the help of a special program, cloud-init. The necessary information is provided by the cloud system, e.g. Open Stack. These are not readily available on an autonomous server. With Fedora 33 and version 3 of the virt-install program, the installation and use of cloud images and cloud-init has been greatly simplified. + +Installation is now accomplished with a single and simple invocation of the virt-install CLI program. Currently, no support is available through a graphical or web-based program. \ No newline at end of file diff --git a/docs/modules/ROOT/pages/virtualization-install.adoc b/docs/modules/ROOT/pages/virtualization-install.adoc new file mode 100644 index 0000000..161377b --- /dev/null +++ b/docs/modules/ROOT/pages/virtualization-install.adoc 
@@ -0,0 +1,116 @@ += Adding Virtualization Support +Peter Boy; Jan Kuparinen +:page-authors: {author}, {author_2} + +[sidebar] +**** +Author: Peter Boy (pboy) | Creation Date: 2021-03-10 | Last update: N/A | Affected Fedora Version(s): 33 +**** +[NOTE] +==== +First Draft! Please comment on server mailing list +==== +Libvirt is the standard virtualization method in Fedora and provides a management toolkit for KVM / QEMU. This includes a local virtual network for protected communication between the virtual guest systems with each other and with the host. + +== Preparation + +Libvirt stores its data including the image files of the virtual hard disk(s) for the guest systems in /var/lib/libvirt. If you adhere to the default partitioning concept, the libvirt application data is stored in its own logical volume in the default volume group (fedora_fedora). + +Before starting the installation, a logical partition must be created. The easiest way is to use Cockpit to create a logical volume, e.g. named libvirt, format it with XFS and mount it at the position /var/lib/libvirt. Cockpit creates this directory automatically. + +== Installing libvirt Virtualization Software + +Installing the software is quite simple. +[source,] +---- +[…]# dnf install qemu-kvm libvirt virt-install cockpit-machines libguestfs-tools +---- + +Package libguestfs-tools provides various useful tools to maintain virtual disks. It is recommended not to install the group @virtualization onto a Fedora Server. It includes various graphical programs and libraries that are not usable on headless servers. + +Next check the SELinux labels +[source,] +---- +[…]# ls -alZ /var/lib/libvirt +---- + +Usually, the installation adjusts the labels accordingly. Otherwise, an adjustment must be made manually. +[source,] +---- +[…]# /sbin/restorecon -R -vF /var/lib/libvirt +---- +If everything is correct, libvirtd must be activated and started. 
+[source,] +---- +[…]# systemctl enable libvirtd --now +---- + +By default, libvirt creates a bridge with an interface virbr0, the IP 192.168.122.1 and the internal name default. In addition, a separate firewall zone libvirt is set up. Check if everything is running as expected. +[source,] +---- +[…]# ip a +[…]# firewall-cmd –get-active-zones +---- + +== Adjusting libvirt Configuration + +The internal network should be used for the internal, protected communication of the VMs with each other and with the host. For this purpose, it is advantageous to set up a DNS for the internal network so that the VMs can be addressed by their names. + +The first step is to decide about a domain name. A top-level ".local" is explicitly not recommended, nor taking one if the official top-level names. But for example, you can take the official domain name and replace the top-level domain with 'lan' or 'internal'. The example domain example.com then becomes example.lan. We use that one throughout this tutorial. The host gets the name host.example.lan. + +Modify libvirt default network +[source,] +---- +[…]# virsh net-edit default + + default + aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee + + + + + + + + + + + host + host.example.lan + + + + + + + + +---- + +Activate the modified configuration +[source,] +---- +[…]# virsh net-destroy default +[…]# virsh net-start default +---- + +== Converting the Hosts DNS Configuration +[IMPORTANT] +==== +Wait, systemd project is currently working to fix the resolved split-DNS bug +==== + +== Final Test + +Check the functionality of the name resolution with internal and external addresses.[source,] +---- +[…]# ping host +[…]# ping host.example.lan +[…]# ping host.example.com +[…]# ping guardian.co.uk +---- + + + + +
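
Review bot: in docs/modules/ROOT/pages/server-administration.adoc, the first paragraph under "What You Find Here" carries two bare "(link)" placeholders that will render literally; add the targets or mark them as TODO so they are not published as is. In the same file, "Hard disk larger as 2 TB" should read "larger than 2 TB", and "github system roles und a guide" has a stray "und" for "and". The bullet "Disabling ssh password based login for all users but a small number of fallbacks" would benefit from saying which accounts count as fallbacks, since those are the ones the fail2ban item above it has to cover.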
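
Review bot: in docs/modules/ROOT/pages/server-containers.adoc, the Overview bullet "using kernel capabilities (cname, etc)" is misleading for a page that compares isolation: "cname" is not a kernel isolation mechanism, and "capabilities" is already a specific kernel term. If namespaces and cgroups are meant, name them. Further down, "dependent on a Damon with ROOT privileges" should read "daemon with root privileges", "Fedory" should be "Fedora", and the LXC (linuxcontainers) list states "systemcontainer" and "system containers" as two separate bullets.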
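
Review bot: docs/modules/ROOT/pages/server-troubleshooting.adoc opens with "= Communicating and Getting Help", the same title as server-communicating.adoc, so the two pages will be indistinguishable in navigation; give it a troubleshooting title. The subheading "### Some generic information" uses Markdown syntax where the other new pages use "==", and "systemnd-oomd" in the example list is a typo for "systemd-oomd".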
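
Review bot: docs/modules/ROOT/pages/server-virtualization.adoc uses "#", "##" and "###" headings and has no author line or ":page-authors:" attribute, unlike every other page added here; switch to "=" / "==" / "===" and add the same header block for consistency. In the Cloud Base Images paragraph, "These are not readily available on an autonomous server" has no clear antecedent; say that it is the cloud-init configuration data which is missing outside a cloud system.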
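
Review bot: in docs/modules/ROOT/pages/virtualization-install.adoc, the check after enabling libvirtd reads `firewall-cmd –get-active-zones` with an en dash instead of two hyphens, so it will not be parsed as an option when copied; change it to `firewall-cmd --get-active-zones`. Under "Final Test", "[source,]" sits on the same line as the sentence ending "internal and external addresses." and needs its own line, as in the other listings. In "Preparation", "a logical partition must be created" contradicts the next sentence, which creates a logical volume, and "nor taking one if the official top-level names" should read "one of".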
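
Review bot: the subject says "renamed files (all lowercase)", but every file in the visible diff is added with "new file mode" against /dev/null and no deletion or rename of the previous names is shown. If the old mixed-case pages are not removed in the same commit, both copies will be built; please confirm the old files are deleted and that the navigation and any xrefs point at the new lowercase names. Several of the new files also end with "\ No newline at end of file", which is worth fixing while they are being touched.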