| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| running_your_own_baremetal_server [2022/01/26 09:52] – ac1cps | running_your_own_baremetal_server [2023/03/24 15:02] (current) – ac1mde |
|---|
| ====== Managing your own server in the DCS ====== | ====== Managing your own server in the DCS ====== |
| |
| This is the "DIY Sysadmin" option where the owner of the server is the administrator and DCS Tech Support do nothing with it. | This is the "DIY Sysadmin" option where the owner of the server is the administrator and DCS Tech Support do nothing with managing it. |
| |
| If you can afford to buy one, you can purchase your own actual metal-based server and put it in the DCS datacentre. This venture carries with it some significant responsibilities though, so check that we can't already offer you the service you want, with our existing infrastructure first. Or consider whether a virtual machine, available at ITS at no cost, would suit your needs. | Any server to be hosted in the server room must be a rack-mountable chassis, **not** a workstation or desktop PC format. |
| |
| **Buying a server:**\\ | Here's what we provide you with: |
| Any server to be hosted in the server room must be a rack-mountable chassis, not a workstation or desktop PC format. If in any doubt about what to purchase, contact COM Support and we will advise you. Don't be tempted to buy a workstation thinking you will host it under your desk, because these machines can be very noisy and hot, and it's generally not possible to retro-fit these machines with rackmount kits suitable for the server room. | |
| | |
| If you wish to go ahead, here's what we provide you with: | |
| |
| * Rack space | * Rack space |
| * Power supply | * Power supply |
| * Network connection to DCS network. | * Network connection to DCS network. |
| * Supervised access to the server room within working hours and with sensible notice regarding our current workload. | * Supervised access to the server room within office hours. |
| | |
| | (Access to the server room also requires the reading and signing of the server room risk assessment.) |
| |
| **For connection to the DCS network, here are our terms and conditions:**\\ | **For connection to the DCS network, here are our terms and conditions:**\\ |
| Please run a specifically server-oriented operating system. Most OSes have a stable server version with more robust security turned on by default and remote systems administration tools. When a machine is in the server room you won't have easy access to graphical console so a system designed with that in mind is a must. Similarly upgrades and patches are handled better remotely and the resulting reboots occur less frequently with a server OS. | |
| We require you to turn on your machine's internal firewall. Additionally we suggest you open as few ports as possible to the outside world. All machines on campus are visible to each other, and with hundreds of technically astute students on campus who would love to demonstrate their hacking skills on your machine, it's wise to give them as little opportunity as possible. | 1) All servers or virtual machines (VMs) hosted in the DCS data centre must have a 'nominated administrator' who is employed directly by the University. If this person leaves the University and no other suitable contacts can be found, by the DCS System Administrators, to take over the administration of the server or VM then the device will be decommissioned after a grace period of 90 days. |
| Please run a supported stable version of the OS and keep it patched. Turn on automatic patching and regularly check it's taking place. | |
| Keep the usernames and passwords on your server unique. In the event of a security breach, and in order to keep the risks of cross-contamination to a minimum, we ask that you create unique usernames, UIDs, group names and GIDs on your server. That ensures that if either the Department or your system are compromised, we can limit the damage to just those systems. Please also try to ensure your passwords are unique to each system, so if one password was broken it won't give access to any other system. | 2) All servers and VMs will be assigned an expected switch-off date (based on information given at the time of commission). This is to be agreed between the DCS system administrator team and the ‘nominated administrator’ responsible for the machine. The DCS System Administrators are responsible for proactively notifying the ‘nominated administrator’ three months before the switch-off date. Following the expiry of that switch-off date (and if no extension request is received via the ticket support system or passed via email to the DCS system administration team) then the device will be decommissioned after a 90 day grace period. |
| If you use sudo for administrator privilege, be extremely cautious which users you give access to. | |
| If you require your server to be visible from off campus, for example as a web server, you will need a firewall exemption from ITS. Request it from https://logcabin.shef.ac.uk/fireform. It normally takes no more than 24 hours to be granted an exemption. | 3) If the server or VM is expected to be managed by a ‘nominated administrator’ (as opposed to the DCS system administration team) then he or she must maintain the device as befits good system administration practice. This means complying with all directives given by the system administration team and relevant security teams within ITS. Failure to comply with this may eventually lead to the device being taken offline temporarily (pending corrective action) in order to ensure the security and integrity of the data centre infrastructure and wider network. |
| We require a designated contact person who is the systems administrator, who we can contact if there is a problem with the server, and who is responsible for its upkeep. If we do not have anyone to contact, we will shut the server down! | |
| | 4) At commission, responsibility for the safe execution of data backups will be determined. In effect, this means defining whether the server or VM will be backed up using the DCS system or if the ‘nominated administrator’ will themselves take responsibility for the execution of reliable and effective backups of essential files. |
| | |
