MiServer: Managed Linux: Service Overview

The MiServer Managed Service offers customers a managed operating system, including installation and support for the operating system, patch management, antivirus, monitoring, and backups. MiServer Managed (sometimes referred to as Managed OS) is an offering within the cloud service that builds on Infrastructure as a Service (IaaS) components to provide service to customers. More information on those IaaS components can be found in the IaaS and Cloud service definitions.

For detailed information about these services refer to the Service Definition documents and Service Level Expectation document.

Scope

This document provides customers with more detailed information about the components of the service.

In Scope

  • Managed OS service includes the following: OS provisioning, patch management, monitoring, antivirus, and backups/restores.
  • Operating Systems offered to customer for new requests:
    • RHEL 9 64 Bit
    • RHEL 8 64 Bit
    • Ubuntu 24.04 LTS 64 Bit
    • Ubuntu 22.04 LTS 64 Bit

Out of Scope

  • Any system with PCI data
  • High Performance Computing (HPC)
  • Application support
  • Any operating system not specified in scope for the service

Expectations

  • Customers should have the capability and necessary skill sets to manage applications.
  • Customers will put servers in maintenance mode prior to performing any maintenance or performing any work that may be disruptive on the server.
  • Applications will not be installed or supported by Managed OS support.
  • Managed OS support covers the operating system layer only.

Monitoring

The MiServer Managed service proactively monitors the operating system to help identify potential problems, maintain high availability, and provide prompt break/fix response times if OS issues arise. Administrators are asked to communicate with the MiServer team to put servers in maintenance mode prior to performing any maintenance or disruptive work on the server. The monitoring component in the MiServer Managed service includes but is not limited to:

  • Unplanned Server Restarts/Crashes
  • Operating System & Operating System Core Services
  • MiServer Components (Antivirus, Backups, Patches, etc)
  • Service Infrastructure Components

In the event an incident is identified by the monitoring agent, or through other channels, the MiServer team will work with the customer to take corrective measures as necessary. Please remember that it is crucial to put servers subscribed to the service in maintenance mode prior to taking any services offline intentionally or performing any disruptive maintenance. Maintenance mode tells the team which alerts do not need an immediate response and prevents services from being restarted when the original intent was to leave them offline.

Zabbix is the monitoring tool of choice. See related information linked below:

Many common OS issues, such as excessive paging, are triggered by the application. While the MiServer team will attempt to mitigate the issue, customer approval may be required to recycle an application, add disk space, or reboot the server.

All servers will be monitored 24x7 for the following:

  • Disk & Inode usage on /, /boot, /home, /opt, /tmp, /usr/local, /var
  • Swap utilization
  • SSH local & remote access
  • Ping up / down
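The disk and inode checks above are the ones most often missed by application owners, because df(1) reports block usage as used divided by used plus available (excluding the root-reserved area), and because inode exhaustion produces "No space left on device" on a filesystem that df shows as half empty. The script below is an added example, not part of the MiServer service or its Zabbix templates: it measures the mount points the service monitors with the same calculation df uses, for both blocks and inodes, and reports breaches. The alert thresholds (90% disk, 85% inodes) are assumed, not the service's values.

```python
"""Disk and inode usage check for the monitored mount points.

Added example, not part of the MiServer service or its Zabbix templates.
It reproduces df(1)'s usage calculation, used / (used + available), so that
root-reserved blocks do not hide a nearly full filesystem, and it checks
inodes as well, which a runaway log or cache directory exhausts first.
Thresholds are assumed (90% disk, 85% inode); adjust to local alert policy.
"""
import os
from dataclasses import dataclass

# Mount points listed in the service overview as monitored 24x7.
MONITORED = ["/", "/boot", "/home", "/opt", "/tmp", "/usr/local", "/var"]
DISK_THRESHOLD = 90.0   # assumed alert threshold, percent
INODE_THRESHOLD = 85.0  # assumed alert threshold, percent


@dataclass
class Usage:
    mount: str
    disk_pct: float
    inode_pct: float


def usage_pct(total: int, free: int, avail: int) -> float:
    """Percent used the way df reports it: used / (used + available).

    `free` counts blocks free to root, `avail` blocks free to unprivileged
    users; the difference is the reserved area. Dividing by used+avail means
    a filesystem can read 100% for users while root still has room to act.
    """
    used = total - free
    denom = used + avail
    return 0.0 if denom == 0 else 100.0 * used / denom


def measure(mount: str) -> Usage:
    """Sample one mount point via statvfs (blocks and inodes)."""
    st = os.statvfs(mount)
    return Usage(
        mount,
        usage_pct(st.f_blocks, st.f_bfree, st.f_bavail),
        usage_pct(st.f_files, st.f_ffree, st.f_favail),
    )


def alerts(samples: list[Usage],
           disk_threshold: float = DISK_THRESHOLD,
           inode_threshold: float = INODE_THRESHOLD) -> list[str]:
    """Return one alert string per threshold breach, Zabbix-trigger style."""
    out = []
    for s in samples:
        if s.disk_pct >= disk_threshold:
            out.append(f"{s.mount}: disk {s.disk_pct:.1f}% >= {disk_threshold}%")
        if s.inode_pct >= inode_threshold:
            out.append(f"{s.mount}: inodes {s.inode_pct:.1f}% >= {inode_threshold}%")
    return out


def check_host(mounts: list[str] = MONITORED) -> list[str]:
    """Measure every monitored mount that exists on this host and report breaches.

    Mount points the host does not have as separate filesystems (for example
    /usr/local on a box where it is part of /) are skipped, not reported.
    """
    samples = [measure(m) for m in mounts if os.path.ismount(m)]
    return alerts(samples)


if __name__ == "__main__":
    for s in (measure(m) for m in MONITORED if os.path.ismount(m)):
        print(f"{s.mount:12} disk {s.disk_pct:5.1f}%  inodes {s.inode_pct:5.1f}%")
    for a in check_host():
        print("ALERT", a)
```

Run it as any user; statvfs needs no privileges. A filesystem that reports zero inodes (some filesystems do not expose a fixed inode count) yields 0% rather than a division error.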

Patch Management

Applying security patches promptly is best practice: a server left unpatched is exposed to compromise through publicly known exploits. All servers subscribed to the MiServer Managed service are patched each month during the selected patch day/time. Additional out-of-cycle patches may be required when critical security fixes are released. Customers may opt out of or reschedule a specific patch date by contacting the OS team or by modifying the selected patch day/time in the Service Request System. Non-production servers are patched one week before the all-server window.

Backups

Scheduled backups include all files except remote file systems such as AFS or NFS, which fall under the exclusions shown below. Customers can restore individual files on demand using the backup client installed on the server. If additional assistance is needed, file a service request with the MiServer team. If a complete system restore is required, work with the MiServer team by requesting a system state restore. The backup service is optional, but enabling it is recommended, especially on production servers.

User Management

Access to managed servers is controlled by group membership. All members of the MCommunity group used to register for the service will be granted access to the server.

Managed servers are joined to the Active Directory domain (ADSROOT) for authentication. The MCommunity group used to register for the service is automatically synced to Active Directory. New members added to the MCommunity group are granted access to the server immediately. To remove a user's access, simply remove that user from the MCommunity group. Additional groups can be added to the authorization configuration with the ‘realm’ command (sudo realm permit -g adgroupname).
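`realm permit -g GROUP` works by appending GROUP to `simple_allow_groups` in the domain section of /etc/sssd/sssd.conf and setting `access_provider = simple`, so what actually decides whether an SSH login is accepted is SSSD's simple access provider. The script below is an added example, not code from the MiServer service or from SSSD: it parses a constructed sssd.conf excerpt and evaluates the rules of sssd-simple(5) as read by the author (a matching deny entry always wins; any non-empty allow list switches the default to deny; deny-only lists leave the default at allow). The domain name `adsroot.example`, the group names and the memberships are constructed; the real joined domain, as the page says, is ADSROOT.

```python
"""Evaluate SSSD's 'simple' access provider, which `realm permit -g` configures.

Added example, not code from the MiServer service or from SSSD. It answers
"would this user be allowed to log in?" for a constructed sssd.conf excerpt,
following the evaluation rules of sssd-simple(5) as understood by the author:
deny lists win over allow lists, a non-empty allow list switches the default
to deny, and deny-only lists leave the default at allow. Domain name, group
names and memberships are constructed.
"""
import configparser
from dataclasses import dataclass, field

# Constructed excerpt of what realmd leaves behind after
#   realm join adsroot.example && realm permit -g miserver-web-admins
# followed by a second `realm permit -g` and a manual deny entry.
SSSD_CONF = """
[sssd]
domains = adsroot.example
services = nss, pam

[domain/adsroot.example]
id_provider = ad
access_provider = simple
simple_allow_groups = miserver-web-admins, its-linux-oncall
simple_deny_users = contractor.old
"""


@dataclass
class SimpleAccess:
    allow_users: set = field(default_factory=set)
    deny_users: set = field(default_factory=set)
    allow_groups: set = field(default_factory=set)
    deny_groups: set = field(default_factory=set)

    @classmethod
    def from_conf(cls, text: str, domain: str) -> "SimpleAccess":
        """Read the four simple_* lists from the [domain/<domain>] section."""
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        sect = cp[f"domain/{domain}"]
        if sect.get("access_provider", "permit").strip() != "simple":
            raise ValueError("domain does not use the simple access provider")

        def names(key: str) -> set:
            # AD names are case-insensitive; normalise for comparison.
            return {n.strip().lower() for n in sect.get(key, "").split(",") if n.strip()}

        return cls(names("simple_allow_users"), names("simple_deny_users"),
                   names("simple_allow_groups"), names("simple_deny_groups"))

    def permits(self, user: str, groups: set) -> bool:
        """Decide access for `user` who is a member of `groups`."""
        u = user.lower()
        g = {x.lower() for x in groups}
        # Rule 1: a matching deny entry wins regardless of any allow entry.
        if u in self.deny_users or g & self.deny_groups:
            return False
        # Rule 2: any non-empty allow list switches the default to deny.
        if self.allow_users or self.allow_groups:
            return u in self.allow_users or bool(g & self.allow_groups)
        # Rule 3: deny-only (or empty) configuration: default allow.
        return True


if __name__ == "__main__":
    acl = SimpleAccess.from_conf(SSSD_CONF, "adsroot.example")
    for user, groups in [("alice", {"Domain Users", "miserver-web-admins"}),
                         ("bob", {"Domain Users"}),
                         ("contractor.old", {"miserver-web-admins"})]:
        print(f"{user:15} {'allowed' if acl.permits(user, groups) else 'denied'}")
```

The practical check this encodes: removing a user from the registered MCommunity group removes them from the allowed AD group and, because the allow list is non-empty, the default for anyone not in an allowed group is deny. A local account or a group not synced from MCommunity is not affected by these lists at all.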

OS Upgrades

As new operating systems become available, the MiServer Managed service will review, evaluate and test the new operating system. Minor releases (e.g., 8.3 -> 8.4) are applied as part of the standard patching window and are generally available shortly after release. Major releases take longer to become available for MiServer, but should be fully supported within 6 months of general availability. After the new OS has been completely reviewed and fully tested within the service to reflect best practices, it becomes available for new provisions. The MiServer team now also supports in-place upgrades for major releases. If a customer prefers to migrate to a new server running the new OS, a new server can be ordered with the new OS; the customer installs and configures their application, migrates the data, and retires the old server when complete.

Filesystem Configuration & Application Installs

Your new MiServer has a default 50 GB disk 0, partitioned into several filesystems. 30 GB is in the root volume group, of which about 7 GB is left unallocated so that space can be added to whichever filesystem needs it; this lets the OS team resolve certain monitoring incidents (for example a filesystem filling up) after hours without calling the customer. The other 20 GB is in a /usr/local/miserver filesystem. Additional disk requested via the portal is used to grow the /usr/local/miserver filesystem. While not required, this filesystem is intended for application-specific data, binaries, logs, etc. On request, the MiServer team can use the additional disk to create or grow any filesystem needed instead.

Root Level Access & System Configuration

If your application does not require root access, we recommend creating an “Application ID”. This ID can be used to install and own an application, with shared access granted to as many users as needed. Customers can submit an incident or create the ID(s) themselves. If root access is required, it must be obtained through sudo. The MiServer team can work with the customer to determine what sudo commands are appropriate. Changing the root password can delay support and may require the OS team to boot the system into single-user mode (init 1) to repair a damaged system.

User Accounts & Passwords

System account passwords (root, etc.) should not be changed. User accounts should be added only in accordance with the Standard Practices Guide.

SSH Access Configuration

Systems are delivered with remote root level control granted to a number of MiServer administrative hosts via SSH keys. No remote root access should be granted to any other hosts. Currently the administrative hosts are:

  • bluefoot.dsc.umich.edu
  • bluejay.dsc.umich.edu
  • redbird.dsc.umich.edu

This access is required to support your system. This list may change over time, please check this document for the current list.

User-level access via public keys, local password, and Kerberos is enabled by default. Specific users can be blocked from SSH connections by adding their ID to /etc/ssh/sshd.deny. Public-key authentication can also be disabled on request.

Fail2ban is running by default. This service locks a source IP address out of the system if too many failed SSH connections are detected from it. Please open an incident if you are locked out for an extended period. Short-term mitigation is to connect from a different IP address or wait until the ban clears automatically (10 minutes).
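To see what the ban logic above actually does to a stream of sshd log lines, the script below is an added example, not fail2ban's own code or part of the MiServer service. It applies the sshd jail's rule: count failed password authentications per source IP within a sliding window (findtime) and ban the source once the count reaches maxretry, with the ban expiring after bantime. The 10-minute bantime is the page's value; findtime (10 minutes) and maxretry (5) are fail2ban's defaults and are assumed here, as is the log year, since syslog timestamps omit it. The log lines are constructed; real ones are in /var/log/secure on RHEL and /var/log/auth.log on Ubuntu.

```python
"""Fail2ban-style SSH brute-force detection over constructed sshd log lines.

Added example, not part of fail2ban or the MiServer service. It applies the
sshd jail's logic: count failed authentications per source IP inside a
sliding window (findtime) and ban the source once the count reaches
maxretry; bans expire after bantime. The 10-minute ban comes from the service
overview; findtime, maxretry and the log year are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FINDTIME = timedelta(minutes=10)   # assumed: fail2ban default
BANTIME = timedelta(minutes=10)    # from the service overview
MAXRETRY = 5                       # assumed: fail2ban default
LOG_YEAR = 2024                    # assumed: syslog lines carry no year

# Matches the "Failed password" lines the sshd filter counts (one failure each).
# "Invalid user" lines are deliberately not matched to avoid counting the same
# attempt twice; "Accepted ..." lines never match.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one scanner (203.0.113.7) and one legitimate user.
LOG = """\
Sep 18 14:02:11 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 54321 ssh2
Sep 18 14:02:13 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 54321 ssh2
Sep 18 14:02:15 web01 sshd[4103]: Failed password for root from 203.0.113.7 port 54330 ssh2
Sep 18 14:02:17 web01 sshd[4105]: Failed password for root from 203.0.113.7 port 54331 ssh2
Sep 18 14:03:40 web01 sshd[4108]: Failed password for alice from 192.0.2.20 port 40010 ssh2
Sep 18 14:03:55 web01 sshd[4110]: Accepted publickey for alice from 192.0.2.20 port 40012 ssh2: ED25519 SHA256:abc
Sep 18 14:04:02 web01 sshd[4112]: Failed password for root from 203.0.113.7 port 54340 ssh2
Sep 18 14:04:03 web01 sshd[4114]: Failed password for root from 203.0.113.7 port 54341 ssh2
Sep 18 14:20:30 web01 sshd[4200]: Failed password for root from 203.0.113.7 port 54400 ssh2
"""


def parse_failure(line: str, year: int = LOG_YEAR):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def scan(lines, year: int = LOG_YEAR):
    """Replay log lines in order; return ([(ip, ban_start)], {ip: banned_until})."""
    failures = defaultdict(deque)   # ip -> failure timestamps inside findtime
    banned_until = {}
    bans = []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still banned: the firewall rule would have dropped this
        window = failures[ip]
        window.append(ts)
        while window and ts - window[0] > FINDTIME:
            window.popleft()   # slide the findtime window forward
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts))
            window.clear()     # a new ban needs maxretry fresh failures
    return bans, banned_until


if __name__ == "__main__":
    bans, until = scan(LOG.splitlines())
    for ip, start in bans:
        print(f"ban {ip} at {start:%H:%M:%S} until {until[ip]:%H:%M:%S}")
```

In the sample, the scanner is banned on its fifth failure at 14:04:02 and the attempt one second later is dropped; its retry at 14:20:30 arrives after the 10-minute ban has expired and starts a fresh count, which is exactly the behaviour behind the page's advice to wait out the ban or connect from another address. The single failed password from 192.0.2.20 followed by a successful key login is never banned.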

Host Firewall

Please do not create any rules that would block ports 22 (SSH), 111 and 2049 (rpcbind/NFS), 7001-7011, or 10050 and 10051 (Zabbix); the service's monitoring, management and storage access depend on them.

AFS

AFS is not enabled by default but can be added if requested. In your request, please specify if local home directories should be replaced by AFS.

NFS

NFS access to University-supplied value storage will be enabled on request. Other NFS access will be granted on a case by case basis.

Additional Packages

The following repositories are enabled by default. The MiServer team can install packages, or a customer with appropriate sudo privileges can install them with dnf (RHEL) or apt (Ubuntu).

RHEL

  • ITS_Duo_Security_Duo_Security_Red_Hat_8_Server
  • ITS_Extra_Packages_for_Enterprise_Linux_8_Extra_Packages_for_Enterprise_Linux_8
  • codeready-builder-for-rhel-8-x86_64-rpms
  • duosecurity
  • rhel-8-for-x86_64-appstream-rpms
  • rhel-8-for-x86_64-baseos-rpms
  • satellite-tools-6.10-for-rhel-8-x86_64-rpms

Ubuntu

DNS/Hostname Updates

The MiServer OS team tracks and monitors servers by their DNS names. If you want to change your server's name or domain, please submit a request and we will make the change for you, so that your server continues to be monitored and patched without interruption.

Vulnerability Scanning

ITS provides monthly vulnerability scans. These scans examine managed servers both locally and remotely and alert administrators to any security concerns found.

Last Updated
Wednesday, September 18, 2024