The Linux Server Hosting service provides professionally-managed Linux servers for University academic, research, and administrative units. The service is supported by the Hosting Engineering and Automation Team. For help and support, contact Technology Help or email [email protected].
For more advanced technical guidance, visit the Hosting Manual public documentation site.
This Service Guide covers:
- Roles and Responsibilities
- Departmental Administrative Access
- Server Administration and Configuration
- Linux Documentation
Roles and Responsibilities
IT Staff
Our Hosting team provides support to IT directors, business unit directors, or staff members that an IT director has approved.
The Hosting team will be expected to do the following:
- Communicate and coordinate with IT staff in local units to minimize disruption to end users.
- Notify customers about all scheduled maintenance.
- Maintain and manage the infrastructure, operating system, storage, backups, security, and patching.
- Provide documentation delineating responsibilities of customers and the hosting team.
- Provide advice and documentation for basic administrative tasks.
Customers
Customers will be expected to do the following:
- Adhere to any related policies, processes, and procedures including:
- Complying with the Acceptable Use of Information Technology Resources policy.
- Refraining from hosting PCI regulated applications or PCI regulated data.
- Report problems using reporting procedures described in the service statement.
- Provide input on the quality and timeliness of service.
- Provide application administration and customer support for their users; this can be provided by the unit, a vendor, or another third party.
- Provide audit compliance for application(s) and data, which includes making IT systems administrators aware of any private data or HIPAA regulated data.
Departmental Administrative Access
SSH Access
Red Hat Enterprise Linux 9 (RHEL 9)
- SSH is open to the University campus networks by default for medium-security hosts.
- SSH is restricted to Ales for high-security hosts.
- Servers on the publicly addressed network require a request to be sent to Managed Network Operations to enable connectivity.
- Multi-factor authentication is required (Duo or ssh keys).
Red Hat Enterprise Linux 7 (RHEL 7)
- SSH is open to the university campus network by default.
- Multi factor authentication is required (Duo or ssh keys).
User Authentication
- All users must have a UMN Internet account.
- Sponsored UMN Internet accounts are required for external collaborators.
- By default, only CESI Linux administrators for the unit have access to Linux hosts.
RHEL 9
- Users authenticate using Active Directory credentials
- Additional users and groups in Active Directory can be granted access to a server with the following command, executed by a CESI Linux administrator of the unit:
$ sudo realm permit $USERNAME
RHEL 7
- Users authenticate using Active Directory credentials
Escalated Privileges
RHEL 9
- CESI Linux administrators for a unit may log in with their Internet ID to their host, and run any elevated commands as follows:
$ sudo $COMMAND
RHEL 7
- A specific set of sudo privileges has been predefined for common use cases. For details, see: Overview of the Sudo's Allowed by Default in RHEL 7.
Shared Application User
- By default, a single shared user exists for the purpose of software administration. Appropriate UMN Departmental Internet accounts will have sudo access to this user.
- Additional shared service users can be created, if necessary.
Server Administration and Configuration
This section describes operating system configuration defaults. Changes will be negotiated, allocated, and configured to address application requirements on a case-by-case basis.
Operating System Version and Updates
OS installation will consist of the latest stable version of 64-bit Red Hat Enterprise Linux at the time of VM deployment.
RHEL 7/9
The weekly set of system updates is created on Sunday evening at 11:00 PM. Please refer to the Red Hat Product Erratas for a list of patches and their release dates.
|
Environment |
System Updates |
Chef Code Release |
Chef Converge Schedule (RHEL 7 only) |
|---|---|---|---|
|
Development |
First Monday of the month, 6:00 AM |
Tuesday, 10:00 AM |
Every 30 minutes |
|
Test/Staging/QAT |
Second Monday of the month, 6:00 AM |
Wednesday, 10:00 AM |
Every 30 minutes |
|
Prod |
Fourth Monday of the month, 6:00 AM |
Thursday, 10:00 AM |
Every 30 minutes |
Operating System updates supplied from Red Hat will be automatically applied within three days of the corresponding Dev/Test/Prd release schedule outlined above.
Monitoring
OIT provides monitoring for all servers. Administrators may request access to Zabbix 6 by emailing [email protected] in order to deploy their own application-specific monitoring.
|
Items Monitored |
Check Method |
Notification |
|---|---|---|
|
Host |
Ping |
Page/email |
|
Disk usage |
% full |
Page/email |
|
Services |
Service running/stopped |
Page/email |
|
Customer owned services |
Service running/stopped |
Page/email |
File System Layout
Below are the default partitioning schemes for the virtual machines. We partition /var and /var/lib separately to prevent log runaway from impacting other components of RHEL systems. Our default deployments provide around 30 GB of unallocated physical space. If, for instance, an administrator wishes to run containers, it may be helpful to expand /var/lib by executing the following commands:
$ sudo lvextend -L +10G /dev/vg00/lib
$ sudo xfs_growfs /var/lib
RHEL 7/9
|
FILE SYSTEM |
SIZE |
NOTES |
|---|---|---|
|
/ |
2G |
n/a |
|
/boot |
512M |
n/a |
|
/home |
10G |
n/a |
|
/opt |
5G |
n/a |
|
/swadm |
10G |
Owned by swadm user (RHEL 7 only) |
|
/tmp |
2G |
Please limit use of /tmp |
|
/usr |
5G |
n/a |
|
/var |
35G |
n/a |
| /var/lib | 8G | n/a |
Backups
- Newly deployed systems are given the option to be backed up or not.
- The backup routine is scheduled with weekly full and daily differentials.
- The full backups are retained for one month. The differentials are retained for two weeks.
- Restore requests are fulfilled by OIT systems administrators. Requests can be sent to [email protected].
Linux Documentation
For more advanced technical guidance, see the Linux Platform and Tools team public documentation at GitHub LPT documentation.