Debian JP Server Administration / Debian JPのサーバ管理

Taku YASUI
September 06, 2025

Debian JP Project manages its own servers using resources provided by our sponsoring companies. Two companies provide two VMs for server resources, but we utilize LXC virtualization technology to deploy each function independently. Much of this configuration is managed by Ansible and designed to run on either server resource. We will briefly share the management of these servers and recent changes.

Transcript

1. What I Will and Will Not Talk About Today
What I will talk about:
• Overview of the Debian JP server architecture
• Overview of how the Debian JP servers are configured
What I will not talk about:
• Detailed information about the Debian JP servers
• Detailed configuration values
• Descriptions of the tools themselves
2. About Me (Taku YASUI) 安井 卓(やすい たく)
Born 1977 in Aichi Prefecture; Software Engineer
SVP, Leader at CX Division, Leader at CX Digital, LIXIL Corporation
2007 → 2010 → 2014 → 2017
Debian Project Official Developer since 2001

3. Why and When I Started Debian JP Server Administration
VA Linux Systems Japan and OSDN Corporation supported open-source activity and started providing server resources to the Debian JP Project. I was a system administrator at both companies and also a Debian JP Project member, so I was added to the project's server administrator team.
4. Whole Server Architecture for Debian JP Project
Two virtual machines, its00 and sakura00, face the Internet; each runs Nginx (proxy) and is provisioned from the Configuration Repository (git).
LXC containers on the VMs: db00, rt00, www00, ftp00, vote00, list00, svn00, miniconf00. The diagram shows each container on both VMs, once as LXC (running) and once as LXC (stopping), so every function can be brought up on either VM.
Services:
• db.debian.or.jp
• www.debian.or.jp
• ftp.debian.or.jp
• vote.debian.or.jp
• rt.debian.or.jp
• lists.debian.or.jp
• svn.debian.or.jp
• miniconf.debian.or.jp
5. How Administration Works
    % git clone git@bitbucket.org:debianjp/ansible-playbooks.git
    . . .
    % cd ansible-playbooks
    %
    % cat README.md
    # Debian JP Project Server Admin
    https://bitbucket.org/debianjp/ansible-playbooks/src/master/README.md

This repository holds the Ansible playbooks used to manage the Debian JP Project servers.
The server list for project members is at https://bitbucket.org/debianjp/ansible-playbooks/src/master/SERVERS.md.
Usage instructions for administrators are at https://bitbucket.org/debianjp/ansible-playbooks/src/master/ADMIN.md.
----
(C) 2022 Debian JP Project
6. Configuration Repository Structure
* group_vars/ - directory for configuration variables
* group_vars/all - variable settings that affect every host
* group_vars/db - variable settings for db.debian.or.jp
* group_vars/lxchosts - variable settings for the LXC hosts
* ansible.cfg - Ansible configuration
* ssh_config - SSH configuration used when running Ansible
* hosts - inventory
* site.yml - playbook run against all servers
* proxy.yml - playbook for the reverse proxy servers
* db.debian.or.jp.yml - playbook for db.debian.or.jp
* ftp.debian.or.jp.yml - playbook for ftp.debian.or.jp (cdimage.debian.or.jp)
* lxchosts.yml - playbook for the LXC hosts
* vote.debian.or.jp.yml - playbook for vote.debian.or.jp
* www.debian.or.jp.yml - playbook for www.debian.or.jp
* roles/ - role definitions
* roles/apache2/ - role to install and do basic configuration of apache2
* roles/common/ - role for settings common to all servers
* roles/lxchost/ - role for LXC host configuration
* roles/nginx/ - role to install and do basic configuration of Nginx
* roles/openldap/ - role to install and do basic configuration of openldap
* roles/proxy/ - role for the reverse proxy servers
* roles/db.debian.or.jp/ - role for db.debian.or.jp
* roles/ftp.debian.or.jp/ - role for ftp.debian.or.jp
* roles/vote.debian.or.jp/ - role for vote.debian.or.jp
* roles/www.debian.or.jp/ - role for www.debian.or.jp
7. LXC Structure Configuration
    containers: {
      "db.debian.or.jp":   { "host": "its00",    "upstream": "db00",   "ssl": "enabled", "stream": "yes" },
      "vote.debian.or.jp": { "host": "its00",    "upstream": "vote00", "ssl": "enabled" },
      "svn.debian.or.jp":  { "host": "sakura00", "upstream": "svn00",  "ssl": "enabled" },
      . . .

    group_vars/all
    use_lxc_brdige: "true"
    lxc_iface: lxcbr0
    lxc_address: 192.168.222.1
    lxc_netmask: 255.255.255.0
    lxc_network: 192.168.222.0/24
    lxc_ptr_domain: 222.168.192.in-addr.arpa
    lxc_dhcp_range: 192.168.222.101,192.168.222.200
    lxc_dhcp_max: 100
    lxc_domain: lxc
    lxc_containers: {
      "db00":       { "addr": "192.168.222.101", "host": "its00" },
      "rt00":       { "addr": "192.168.222.102", "host": "sakura00" },
      "list00":     { "addr": "192.168.222.103", "host": "sakura00" },
      "proxy00":    { "addr": "192.168.222.104", "host": "sakura00" },
      "miniconf00": { "addr": "192.168.222.105", "host": "sakura00" },
      "www00":      { "addr": "192.168.222.106", "host": "its00" },
      "ftp00":      { "addr": "192.168.222.107", "host": "its00" },
      "vote00":     { "addr": "192.168.222.108", "host": "its00" },
      "svn00":      { "addr": "192.168.222.109", "host": "sakura00" }
    }
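The two maps on this slide have to agree with each other: every proxy upstream must name a container in lxc_containers, both maps must place it on the same VM, and every container address must be unique and inside lxc_network, or the Nginx proxy on a VM ends up pointing at a container that is not there. The following Python is an added example, not part of the deck or of the Debian JP playbook repository. Its data is a constructed copy of the values shown on the slide (the proxy map is truncated on the slide, so only its three visible entries appear), plus a deliberately broken variant with an invented wiki.debian.or.jp entry to show what the check reports.

```python
import copy
import ipaddress

# Constructed sample data copied from the values shown on the slide (not read
# from the real group_vars files). The proxy map is truncated on the slide, so
# only the three entries it shows are present here.
CONTAINERS = {
    "db.debian.or.jp":   {"host": "its00",    "upstream": "db00",   "ssl": "enabled", "stream": "yes"},
    "vote.debian.or.jp": {"host": "its00",    "upstream": "vote00", "ssl": "enabled"},
    "svn.debian.or.jp":  {"host": "sakura00", "upstream": "svn00",  "ssl": "enabled"},
}

LXC_VARS = {
    "lxc_address": "192.168.222.1",
    "lxc_network": "192.168.222.0/24",
    "lxc_containers": {
        "db00":       {"addr": "192.168.222.101", "host": "its00"},
        "rt00":       {"addr": "192.168.222.102", "host": "sakura00"},
        "list00":     {"addr": "192.168.222.103", "host": "sakura00"},
        "proxy00":    {"addr": "192.168.222.104", "host": "sakura00"},
        "miniconf00": {"addr": "192.168.222.105", "host": "sakura00"},
        "www00":      {"addr": "192.168.222.106", "host": "its00"},
        "ftp00":      {"addr": "192.168.222.107", "host": "its00"},
        "vote00":     {"addr": "192.168.222.108", "host": "its00"},
        "svn00":      {"addr": "192.168.222.109", "host": "sakura00"},
    },
}


def check_config(containers, lxc_vars):
    """Cross-check the proxy map against the LXC map; return a list of findings
    (an empty list means the two maps are consistent)."""
    findings = []
    net = ipaddress.ip_network(lxc_vars["lxc_network"])
    bridge = ipaddress.ip_address(lxc_vars["lxc_address"])
    lxc = lxc_vars["lxc_containers"]

    # Every container address must be a unique address inside lxc_network and
    # must not collide with the bridge address the LXC hosts use themselves.
    owner = {}
    for name, spec in lxc.items():
        addr = ipaddress.ip_address(spec["addr"])
        if addr not in net:
            findings.append(f"{name}: {addr} is outside {net}")
        if addr == bridge:
            findings.append(f"{name}: {addr} collides with the bridge address")
        if addr in owner:
            findings.append(f"{name}: {addr} is already used by {owner[addr]}")
        else:
            owner[addr] = name

    # Every public name must proxy to a container that exists and that is
    # declared on the same VM; otherwise the proxy on that VM has no upstream.
    for fqdn, proxy in containers.items():
        upstream = proxy["upstream"]
        if upstream not in lxc:
            findings.append(f"{fqdn}: upstream {upstream} is not in lxc_containers")
        elif lxc[upstream]["host"] != proxy["host"]:
            findings.append(
                f"{fqdn}: declared on {proxy['host']} but {upstream} runs on {lxc[upstream]['host']}"
            )
    return findings


def broken_example():
    """Constructed variant with two mistakes, to show what the check reports."""
    bad = copy.deepcopy(CONTAINERS)
    bad["vote.debian.or.jp"]["host"] = "sakura00"  # VM mismatch with lxc_containers
    # Invented hostname and container (not on the slide): upstream does not exist.
    bad["wiki.debian.or.jp"] = {"host": "its00", "upstream": "wiki00", "ssl": "enabled"}
    return bad


if __name__ == "__main__":
    for label, data in (("slide values", CONTAINERS), ("broken variant", broken_example())):
        findings = check_config(data, LXC_VARS)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run as a script it reports zero findings for the slide's values and two for the broken variant. The same function fits in a pre-commit hook or a CI job for the playbook repository, run before `ansible-playbook` ever touches a host.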
8. Playbook (www.debian.or.jp)
    - name: Setup www.debian.or.jp
      hosts: www
      become: yes
      roles:
        - common
        - apache2
        - www.debian.or.jp

    hosts (inventory; variables in group_vars/all)
    [www]
    www00
    . . .
    [containers]
    db00
    list00
    www00
    . . .

    roles/common/tasks/main.yml
    - import_tasks: hostname.yml
      tags: hostname
    - import_tasks: resolved.yml
      when: inventory_hostname not in groups['containers']
      tags: network
    - import_tasks: apt.yml
      tags: apt
    - import_tasks: base.yml
      tags: base
    - import_tasks: fail2ban.yml
      when: inventory_hostname not in groups['containers']
      tags: fail2ban
    - import_tasks: ssh.yml
      tags: ssh
    - import_tasks: etckeeper.yml
      tags: etckeeper
    - import_tasks: datetime.yml
      when: inventory_hostname not in groups['containers']
      tags: datetime
    - import_tasks: rsyslog.yml
      tags: rsyslog
    - import_tasks: postfix.yml
      tags: postfix
    - import_tasks: emailforward.yml
      when: inventory_hostname in groups['mta']
      tags: emailforward
    - import_tasks: logcheck.yml
      tags: logcheck
    - import_tasks: sysstat.yml
      tags: sysstat
    - import_tasks: users.yml
      tags: users
9. Playbook (www.debian.or.jp)
    roles/apache2/tasks/main.yml
    - name: Install apache2
      apt: name={{ packages }} state=latest update_cache=yes cache_valid_time=3600
      vars:
        packages:
          - apache2
      tags: package
    - name: Enable apache2 modules for reverse-proxy upstream
      command: a2enmod {{ item }}
      with_items:
        - headers
        - remoteip
      notify: Restart apache2
      when: inventory_hostname in groups['containers']
    - name: Install /etc/logcheck/logcheck.logfiles.d/debianjp-apache2.logfiles
      template:
        src: etc/logcheck/logcheck.logfiles.d/debianjp-apache2.logfiles.j2
        dest: /etc/logcheck/logcheck.logfiles.d/debianjp-apache2.logfiles
      tags: logcheck
    - name: Install /etc/logcheck/ignore.d.server/local-debianjp-apache2
      template:
        src: etc/logcheck/ignore.d.server/local-debianjp-apache2.j2
        dest: /etc/logcheck/ignore.d.server/local-debianjp-apache2
      tags: logcheck
    - name: Install /etc/apache2/conf-available/debianjp.conf
      template:
        src: etc/apache2/conf-available/debianjp.conf.j2
        dest: /etc/apache2/conf-available/debianjp.conf
      notify: Restart apache2
    - name: Install /etc/apache2/sites-available/000-debianjp-default.conf
      template:
        src: etc/apache2/sites-available/000-debianjp-default.conf.j2
        dest: /etc/apache2/sites-available/000-debianjp-default.conf
      notify: Restart apache2
    - name: Disable original apache2 default
      file: path=/etc/apache2/sites-enabled/000-default.conf state=absent
      notify: Restart apache2
    - name: Enable debianjp apache2 conf
      file:
        path: /etc/apache2/conf-enabled/debianjp.conf
        src: ../conf-available/debianjp.conf
        state: link
      notify: Restart apache2
    - name: Enable debianjp apache2 default
      file:
        path: /etc/apache2/sites-enabled/000-debianjp-default.conf
        src: ../sites-available/000-debianjp-default.conf
        state: link
      notify: Restart apache2
10. Playbook (www.debian.or.jp)
    roles/www.debian.or.jp/tasks/apache2.yml
    - name: Create /var/log/apache2/{{ hostname }} directory
      file:
        path: "/var/log/apache2/{{ hostname }}"
        state: directory
    - name: Enable apache2 modules
      command: "a2enmod {{ item }}"
      with_items:
        - cgi
        - headers
        - rewrite
      notify: Restart apache2
    - name: Install /etc/apache2/sites-available/{{ hostname }}.conf
      template:
        src: etc/apache2/sites-available/{{ hostname }}.conf.j2
        dest: /etc/apache2/sites-available/{{ hostname }}.conf
      notify: Restart apache2
    - name: Enable {{ hostname }}
      file:
        path: /etc/apache2/sites-enabled/{{ hostname }}.conf
        src: ../sites-available/{{ hostname }}.conf
        state: link
      notify: Restart apache2
    - name: Add Debian JP apache2 logs to /etc/logrotate.d/apache2
      lineinfile: >-
        dest=/etc/logrotate.d/apache2 state=present
        insertbefore='^/var/log/apache2/\*\.log \{'
        line='/var/log/apache2/*/*.log'
    - name: Update /etc/logrotate.d/apache2
      lineinfile: >-
        dest=/etc/logrotate.d/apache2 state=present backrefs=yes
        regexp='{{ item.regexp }}' line='{{ item.line }}'
      with_items:
        - regexp: '^(\s+)daily$'
          line: '\1weekly'
        - regexp: '^(\s+rotate) [0-9]+$'
          line: '\1 52'
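What the two lineinfile tasks do to the logrotate stanza is easiest to see by running them against a file: the first adds the per-vhost log glob as an extra path in front of the stock `/var/log/apache2/*.log {` stanza so both globs share it, and the backrefs tasks rewrite the `daily` and `rotate` lines while preserving their indentation. The following Python is an added example, not part of the deck or of the Debian JP playbook repository. It emulates lineinfile's `insertbefore` and `backrefs=yes` behaviour with the regular expressions and replacement lines from the slide, applied to a constructed stand-in for Debian's default /etc/logrotate.d/apache2, and runs the edits twice to show they are idempotent.

```python
import re

# Constructed stand-in for Debian's stock /etc/logrotate.d/apache2 (not copied
# from any real host); only the stanza header, "daily" and "rotate" lines matter.
ORIGINAL = """\
/var/log/apache2/*.log {
\tdaily
\tmissingok
\trotate 14
\tcompress
\tdelaycompress
\tnotifempty
\tcreate 640 root adm
\tsharedscripts
}
"""

# Regexps and replacement lines taken from the playbook tasks on the slide.
INSERT_BEFORE = (r'^/var/log/apache2/\*\.log \{', '/var/log/apache2/*/*.log')
BACKREF_EDITS = [
    (r'^(\s+)daily$', r'\1weekly'),
    (r'^(\s+rotate) [0-9]+$', r'\1 52'),
]


def lineinfile_insertbefore(text, regexp, line):
    """Emulate lineinfile state=present insertbefore=REGEXP: leave the file
    alone if `line` is already present, otherwise insert it before the last
    line matching REGEXP (or at the end of the file when nothing matches)."""
    lines = text.splitlines()
    if line in lines:
        return text
    matches = [i for i, current in enumerate(lines) if re.search(regexp, current)]
    lines.insert(matches[-1] if matches else len(lines), line)
    return "\n".join(lines) + "\n"


def lineinfile_backrefs(text, regexp, line):
    """Emulate lineinfile backrefs=yes: replace the last line matching REGEXP
    with `line`, expanding \\1-style backreferences from the match; the file
    is left unchanged when nothing matches."""
    lines = text.splitlines()
    for i in range(len(lines) - 1, -1, -1):
        match = re.search(regexp, lines[i])
        if match:
            lines[i] = match.expand(line)
            break
    return "\n".join(lines) + "\n"


def apply_playbook_edits(text):
    """Run the slide's three edits in the order the playbook runs them."""
    text = lineinfile_insertbefore(text, *INSERT_BEFORE)
    for regexp, line in BACKREF_EDITS:
        text = lineinfile_backrefs(text, regexp, line)
    return text


if __name__ == "__main__":
    once = apply_playbook_edits(ORIGINAL)
    print(once)
    print("idempotent:", apply_playbook_edits(once) == once)
```

The resulting stanza starts with `/var/log/apache2/*/*.log` on its own line directly above `/var/log/apache2/*.log {`, which logrotate reads as two path patterns sharing one block, so the per-host logs created by the `Create /var/log/apache2/{{ hostname }} directory` task are rotated weekly and kept for 52 rotations without a separate stanza.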
11. Run Playbook (www.debian.or.jp)
    % ansible-playbook -C -D -i hosts www.debian.or.jp.yml

    PLAY [Setup www.debian.or.jp] *****************************************************************

    TASK [Gathering Facts] ************************************************************************
    ok: [www00]

    TASK [common : Set hostname] ******************************************************************
    skipping: [www00]

    TASK [common : Install /etc/hosts] ************************************************************
    ok: [www00]

    TASK [common : Install network related package] ***********************************************
    skipping: [www00]

    TASK [common : Configure systemd-resolved] ****************************************************
    skipping: [www00] => (item={'regexp': '^#?DNS=', 'line': 'DNS=192.168.222.1'})
    skipping: [www00] => (item={'regexp': '^#?FallbackDNS=', 'line': 'FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844'})
    skipping: [www00] => (item={'regexp': '^#?Domains=', 'line': 'Domains=debian.or.jp'})
    skipping: [www00]

    TASK [common : Install /etc/apt/sources.list] *************************************************
    ok: [www00]

    TASK [common : Enable https transport for apt] ************************************************
    skipping: [www00]
    . . .
12. Backup
    its00% cat /etc/cron.d/debianjp-backup
    7 3 * * * root perl -e 'sleep int(rand(3600))' && \
        /usr/local/libexec/debianjp/debianjp-backup

Using rsync, we are performing mutual backups between its00 and sakura00.

    # Copy one directory tree to a peer host under /backup/<this host's short name>/.
    # $RSYNC_OPTIONS is intentionally unquoted so that it expands to several options.
    backup() {
      local dir=$1; shift
      local host=$1; shift
      log "Start backup for $dir to $host"
      test -e "$dir" || return
      ssh "$host" "mkdir -p /backup/$(hostname -s)$dir"
      nice rsync $RSYNC_OPTIONS "$@" "$dir" "$host:/backup/$(hostname -s)$dir"
      log "Finish backup for $dir to $host"
    }

    for h in $HOSTS; do
      backup /root/ "$h"
      backup /etc/ "$h"
      backup /home/ "$h"
      backup /org/ "$h"
      backup /var/ "$h" \
        --exclude="/cache/apt/" \
        --exclude="/cache/lxc/" \
        --exclude="/lib/lxcfs/" \
        --exclude="/lock/" \
        --exclude="/run/" \
        --exclude="/tmp/"
    done
13. Where I put in the effort
• Setting values are kept outside the roles rather than placed inside them.
• Made the two VMs behave in a complementary manner.
• Made it possible to configure basic settings such as networking with Ansible.
• and so on.
14. LIXIL Family STORE and the subsidy program: affordable, comfortable window renovations!
Save money and feel secure with a LIXIL Family STORE renovation!
Register as a member with Yasui's invitation code!
✓ Register via an invitation from an officer or employee!
✓ Increased cashback right now!
✓ Reliable installation by LIXIL-recommended contractors!
Point 1: Solve your window troubles and live comfortably! (high heating and cooling bills; outside noise; hot in summer, cold in winter; heavy condensation in winter)
Point 2: Renovate affordably with subsidies. Window (insulation) renovations qualify for a national subsidy! This year (※2) is the last one for the large-scale (※1) subsidy! Some areas also offer municipal subsidies!
Point 3: Kitchens, toilets and other wet areas are also discounted!
※1 Meaning that the budget is roughly equal to or larger than that of the Housing Eco-Point program, the Reconstruction Support Housing Eco-Point program, the Energy-Saving Housing Point program, the Next-Generation Housing Point program, the Green Housing Point program, the Kodomo Mirai Housing Support Project, the Housing Energy-Saving 2023 Campaign and the Housing Energy-Saving 2024 Campaign.
※2 Applies to work completed by December 31, 2025 (Reiwa 7). (May end early depending on budget execution.)
[PR]