Note timing of quick-change e-mail
Bold text about keys in payment comments
|Deletions are marked like this.||Additions are marked like this.|
|Line 22:||Line 22:|
|The absolute spiffiest thing that you could do is include in your Pay``Pal payment comment a URL to your SSH public key, so that we have pretty good reason to believe that it's genuine. See the next section for more information.||The absolute spiffiest thing that you could do is include in your Pay``Pal payment comment a URL to your SSH public key, so that we have pretty good reason to believe that it's genuine. See the next section for more information. '''Your payment will be rejected if it isn't sent in accordance with the below "getting started" instructions.'''|
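Review bot: the bold sentence added at the end of line 22 states a hard requirement, but the sentence it follows still presents the key URL as optional ("The absolute spiffiest thing that you could do"), so a reader cannot tell whether a payment without a key URL will be rejected. The paragraph also now names its target two ways, "the next section" and "the below "getting started" instructions"; refer to the section by one name and say which of its steps are mandatory.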
OK, so it looks like you'll be joining us! In the descriptions below, we'll assume you've already been approved to join. If you haven't yet received an explicit e-mail saying that your application has been approved, then "you've been approved to join" does not apply to you!
Here's what you need to know about the process from here on. It will definitely make life easier for our volunteer administrators if you read all of this document before doing anything else with your new account.
To complete the joining process...
Terms of Service
When you applied for an account, you were asked to review and agree to HCoop's [http://hcoop.net/tos.html Terms of Service]. If you have not done so already, please read and familiarize yourself with them.
Each hcoop member has a balance, keeping track of unspent money that member has sent to the co-op. Most members prepay about a year's worth of estimated charges at a time and send new payments when they see their balances going low. Our policy is that every member must make a refundable "deposit" of $10 on joining. This is equivalent to requiring that your balance stay above that amount.
Before we give you an account on our servers, we need an initial payment from you. This should include the deposit amount and some additional amount, as determined by you. Like we said, prepaying an estimated year's costs is popular. If your balance goes below the deposit amount for too long a period, we'll be forced to cancel your membership, unless there are very extenuating circumstances. This means that paying the minimum amount will require that you remember to make frequent payments.
You can pay electronically using PayPal by [https://firstname.lastname@example.org following this link]. In the provided field, write that the payment is for "Initial payment for yournamehere," where "yournamehere" is the UNIX username you asked for when you applied.
You can use any other reasonable payment method you want, as long as it involves United States dollars reaching our treasurer. However, please e-mail email@example.com about any non-PayPal method of payment before using it, and wait for approval before going ahead.
Keep in mind the service fees associated with each method. For example, PayPal's fees are such that you save money by sending as much money at once as possible.
The absolute spiffiest thing that you could do is include in your PayPal payment comment a URL to your SSH public key, so that we have pretty good reason to believe that it's genuine. See the next section for more information. Your payment will be rejected if it isn't sent in accordance with the below "getting started" instructions.
MemberDues contains more information on payment policies.
Once you've paid, we can get started setting up your account. The big issue here is getting your initial password set. We don't want any unauthorized people to get ahold of your password and gain access to your account. Any unencrypted password sent over the Internet, including through e-mail, is vulnerable to interception by many people. Our two main approaches to this are:
If you create an ssh public key and give a URL or other reference to it in your PayPal payment comment, we can create your account with your key pre-installed.
After we set up your account, you'll be able to connect without needing to know a new password. We'll send you instructions on how to set your password from that point, since you do need to use a password for some services.
SshConfiguration contains a tutorial on how you can set up ssh public-key encryption. Follow it only up to the part about generating the keys and ignore the bit about transferring them to HCOOP's server. We're open to other crypto-based bootstrapping methods if you prefer them.
Please note that the entire point of this scheme is compromised if you send your key information separately from your PayPal payment; with unencrypted e-mail, anyone could be impersonating you, but with the PayPal method we can at least verify that the same person is paying and naming the key. If you ignore this request and e-mail key information separately, we reserve the right to require that you instead indicate your key in some way that can be tied securely to your PayPal account.
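A check an admin could run on the key text fetched from the URL in a payment comment before installing it, given here as an added example and not HCoop's own tooling. It accepts only a single bare public-key line and returns the fingerprint to compare with the one the member reports. The function names, the allowed key types and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

# Key types accepted here; an assumption for this example, not HCoop policy.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _read_string(blob, offset):
    """Read one length-prefixed string (RFC 4251) from an SSH key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def check_public_key(text):
    """Validate fetched key text; return (key_type, SHA256 fingerprint).

    Raises ValueError unless the text is exactly one bare public-key line.
    """
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key; never publish or install it")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one key line")
    fields = lines[0].split()
    # A leading options field (e.g. command="...") would shift the type.
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        raise ValueError("line must start with a known key type")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError as exc:
        raise ValueError("key data is not valid base64") from exc
    inner_type, _ = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != fields[0]:
        raise ValueError("declared type does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return fields[0], fingerprint


def make_sample_line(comment="newmember@example"):
    """Build a constructed ed25519 public-key line (32 placeholder bytes)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    print(check_public_key(make_sample_line()))
```

The fingerprint is computed the same way as the SHA256 value printed by `ssh-keygen -l -f id_ed25519.pub`, so the member can read theirs out and the two can be compared.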
If cryptography scares you, then we can try to minimize the time between when we send you your random password in cleartext and when you log in to our server and change it over an encrypted connection.
This works best with a short meeting with an admin over IRC or an instant messaging service. Unencrypted e-mail is absolutely not acceptable, since there may be too long of a period when a password that has been sent in cleartext is still valid. Make sure you have an ssh client on hand, as you will be asked to ssh to hcoop.net within a minute or so to set your new password.
But, really, why not just use crypto? This is the 21st century, after all!
If you want to use this technique, we ask that you please e-mail firstname.lastname@example.org to inform us of your intentions. It would also be good if you'd let us know why you're not using the crypto option. You are making life harder for our volunteer admins by requesting to do things this way, since it requires that they orient their schedules around your availability, so we'd like to understand what prevented you from picking the easier option. You must send this e-mail before sending your payment, or we will assume that you have not read these instructions and e-mail you asking for another payment that includes a public key.
You should have chosen your e-mail preferences when you applied. What we're referring to is whether you want e-mail to your account to be stored on our servers (and accessed via IMAP or POP3) or forwarded to an existing e-mail address. If you don't choose to forward it away, please be sure to check your hcoop e-mail box as often as any other personal mailbox! We may need to contact all members with some time-critical announcements.
While there was a one-time way to set this preference when you applied, you can change it after joining by editing/deleting your ~/.forward file in usual UNIX fashion.
We'll send important announcements through the hcoop-announce mailing list. Every member is subscribed to this on joining. This is for on-topic announcements about the co-op and the services we provide. It's moderated, and we don't allow discussion or anything else high volume enough to encourage members to start ignoring the list.
Since we currently run based entirely on volunteer labor, we're unable to guarantee any uptime for your services if you don't read every message sent to the announcements list in a prompt manner! Sometimes we will need your help to keep your stuff going.
For less time-sensitive traffic, we have the hcoop-discuss list. It's meant for on-topic discussion. There's also hcoop-misc, for anything at all that you think might be of interest to hcoop members. Subscription to either of these lists is voluntary. You can also set preferences for them after subscribing, including switching them to digest mode. This means that you receive at most one message a day, containing everything sent to the list that day. This increases the average delay to receive a message but decreases volume, in terms of number of messages sent to you.
See the section on preferences below for information on setting your subscriptions. Note that it is expected that you will get an error e-mail if you try to post to a mailing list with a From address besides email@example.com. This is no big deal. Just wait for a moderator to see that your message is legit and add the From address that you're using to our whitelist.
Basics of hosting
You will configure most of your hosted services using our custom DomainTool. More details will follow in the sections below.
While you may be used to using FTP to upload files, we recommend against that and require that you specially request FTP access. You should almost certainly follow our FileTransfer instructions instead.
We're pretty gung-ho about security. To the best of our knowledge, hcoop is unique in providing the level of hosted service flexibility that we do to the general public. Naturally, we have to make sure that we don't provide members enough "flexibility" to rain on other members' parades! We have a number of custom tools designed in an attempt to find the right balance between flexibility/ease of use and security.
There are a few things about our set-up that may surprise you in comparison to other Internet hosting and "shell server" providers. Let's start with the good surprises!
- After getting admin approval for setting up your domain names on our servers, you will be able to use them with standard, shared daemons in pretty much any way that you'd like, without needing to wait for a superuser to approve any more requests.
- You can even run novel services or daemons that you've written yourself!
Now the "bad news," which isn't really that bad, because it helps ensure the stability of our services. To use the links below, you should run the webpasswd program on fyodor to set your web password.
- By default, your UNIX user can't even create Internet sockets. This works out well for most members, and it removes possibilities for exploits that go through your account and need to create sockets. If you do need to create sockets, that's fine; just [https://members.hcoop.net/portal/sec request a change in your security settings].
- We can go even more paranoid than this and set up your UNIX user to be unable to execute programs that aren't located in root-owned directories. This would be a good setting for someone who only runs static web sites, for example. You can request this [https://members.hcoop.net/portal/sec at the same place] as in the last case.
- Even once you are allowed to create sockets, our firewall is going to restrict you to using just a few standard ports. You can [https://members.hcoop.net/portal/sec request more]. See FirewallRules for more information.
- We've had problems in the past with runaway user processes exhausting available memory and crashing just about everything running on the server. To help avoid this, we impose "ulimits" on how many processes you can run at once and how much RAM you can use. If you do anything resource-intensive, you'll likely run into this, in the form of mysterious program crashes. UsingResourceLimits has more information.
- We also impose disk quotas, to prevent runaway disk-writing processes from filling up our disks. You can run quota -g to see your quota information. We're very unlikely to grant any requests for quota increases on our present server, since it's just too much work to get new disks added at the remote facility where our dedicated server lives.
- You aren't allowed to use cron by default, but you can [https://members.hcoop.net/portal/sec request access].
- There are probably other things that we've forgotten to list that we are glad to allow you to do, but that you aren't allowed to do by default. Don't assume that any limitations you encounter are "hard limits." They're more likely to be default security choices, in the spirit of least privilege.
The web portal
[https://members.hcoop.net/portal/portal Our web portal] is your starting point for the information and services we can provide. We recommend following the link to it now and walking through the different parts as we discuss them here.
You won't be able to access the portal until you have an account, at which time you'll be able to run the webpasswd command-line program to set the password you use to access it.
[https://members.hcoop.net/portal/pref Here] you can set a number of important options.
First, you have the option to include yourself in the [http://hcoop.net/dyn/members.html public directory of hcoop members]. We recommend checking this if you feel comfortable doing so.
You can also set whether or not you are subscribed to our two optional mailing lists.
[https://members.hcoop.net/portal/money Here] you can keep track of your monetary balance and the history of transactions you've been involved in.
We pointed you to [https://members.hcoop.net/portal/sec this page] above for requesting permissions related to network sockets and cron access.
You can add information on [https://members.hcoop.net/portal/contact how to contact you] through a variety of media. For each entry, you can choose an access level to control who is allowed to see that entry. We recommend that you add at least a "Non-hcoop e-mail" that at least admins can see, so that it's easier to contact you if we're ever having trouble handling e-mail to your account.
Your geographic locations
[https://members.hcoop.net/portal/location This] is a "just for fun" kind of thing to help members and the general public get an idea of how hcoop members are distributed around the world. Information on where members live is [http://hcoop.net/dyn/locs.html published on the main site] without any association between locations and particular members. If willing, please mark where you spend most of your time, adding any locations that aren't already present.
Public URL directory
Here you can request that various administrative actions be performed on your behalf.
A brief comment on support: While many admins will be readily reachable on IRC or other such services, please resist the urge to expect them to help you in real-time. You place much less demand on these volunteers' time by using the portal's support system to submit requests. This allows the people who can help you to keep track of pending requests and schedule appropriately to handle them.
Request control of a domain with domtool
We have [http://hcoop.sf.net/ a system developed in-house] to help members manage their services, described in DomainTool. To be able to use it, you need to be granted access to one or more domains. This portal feature lets you [https://members.hcoop.net/portal/domain request that].
Request Debian apt packages
We run [http://www.debian.org/ Debian] [http://www.debian.org/devel/testing testing] on our servers. That means it's much easier for us to install and maintain software if it is in the main [http://packages.debian.org/ Debian testing package database]. [https://members.hcoop.net/portal/apt This portal feature] lets you request that we install some of these packages. It also validates your requests by making sure that all the packages you want exist and are not already installed, showing you their descriptions to make sure you are asking for the correct thing.
Request a Mailman mailing list
We have a shared installation of the [http://www.list.org/ Mailman] mailing list software. [https://members.hcoop.net/portal/list Here] you can request that we create a new list for you in that system.
Other support request
If your request doesn't fall into the above categories, [https://members.hcoop.net/portal/support this] is the place to go. You choose a category and submit an issue to be considered by the people in charge of that category.
In addition to what you'd expect from a support system with a commercial service, we also have a twist on the old ideas: Any member can subscribe to any support category. If you've subscribed to a category, you'll be notified of requests for help in that category, and you can participate just like an "admin." For requests when you desire privacy, we have an option to only make the issue accessible to admins.
Please subscribe to all the support categories you feel competent and willing to help with!
Review pending membership applications
For every new membership application, we have a two-day waiting period when current members can review the application. If you're interested, you can take a [https://members.hcoop.net/portal/apps look at these].
Contact information directory
Here you can list [https://members.hcoop.net/portal/dir member contact information] by type of contact.
This [https://members.hcoop.net/portal/poll public-ballot voting system] can be used for both formal and informal polls.
On the informal side, you can initiate a poll on any issue for which you'd like members' input.
On the formal side, this is the mechanism for handling votes described in our HcoopBylaws. For "serious" votes like this, you should be sure to set the poll to start well enough after you create it, and you should announce it on hcoop-announce.
This wiki is our primary source for recording sundry information of interest to members. Take a look around before asking any question you have. You should be able to find instructions for most things a small number of clicks away from the FrontPage.