
Standard Change Templates

Version 1.0 | Classification: CONFIDENTIAL — Internal Use Only

Standard changes are pre-approved. They may be executed without IT Manager approval only if followed exactly. Any deviation reclassifies the change as Normal.


SC-001 — Add a DHCP Static Reservation

Risk: Low | Systems: SKY and RAIN

Procedure:

  1. Obtain hostname, MAC address, and desired IP from the requestor. Verify IP is outside the dynamic pool.
  2. Add reservation to /etc/dhcp/dhcpd.conf on SKY and RAIN (both simultaneously):
    host <hostname> {
        hardware ethernet <MAC>;
        fixed-address <IP>;
        option host-name "<hostname>";
    }
    
  3. Restart DHCP: sudo systemctl restart dhcpd
  4. Add forward and reverse DNS records to /var/named/wdc.us.gl3.db and the reverse zone file.
  5. Increment zone serial, re-sign DNSSEC, reload BIND: rndc reload
  6. Update wdc-hostregistry.csv.
  7. Run Post-Change Checklist on both SKY and RAIN.
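
A pre-check for step 1 of SC-001, as an added example that is not part of the approved procedure or the site's own tooling: it parses dhcpd.conf text and reports whether the requested IP falls inside a dynamic range or collides with an existing reservation or MAC address. The sample config, its pool range and the function name check_reservation are constructed for illustration; IPv4 only.

```python
import ipaddress
import re

# Constructed sample config; the pool and host entry are illustrative,
# not the real contents of /etc/dhcp/dhcpd.conf on SKY or RAIN.
SAMPLE_CONF = """
subnet 192.168.120.0 netmask 255.255.255.0 {
    range 192.168.120.100 192.168.120.200;   # dynamic pool
    option routers 192.168.120.1;
}
host printer1 {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.120.10;
}
"""

# dhcpd syntax: range [dynamic-bootp] low-address [high-address];
RANGE_RE = re.compile(r"^\s*range\s+(?:dynamic-bootp\s+)?(\S+?)(?:\s+(\S+?))?\s*;", re.M)
FIXED_RE = re.compile(r"^\s*fixed-address\s+([^;]+);", re.M)
MAC_RE = re.compile(r"^\s*hardware\s+ethernet\s+([0-9A-Fa-f:]+)\s*;", re.M)


def check_reservation(conf_text, ip, mac):
    """Return a list of problems; an empty list means no conflict was found."""
    conf = re.sub(r"#.*", "", conf_text)  # ignore comments and commented-out entries
    addr = ipaddress.ip_address(ip)
    problems = []
    for low, high in RANGE_RE.findall(conf):
        lo = ipaddress.ip_address(low)
        hi = ipaddress.ip_address(high or low)  # single-address range form
        if lo <= addr <= hi:
            problems.append(f"{ip} is inside dynamic pool {lo}-{hi}")
    for entry in FIXED_RE.findall(conf):
        if ip in [a.strip() for a in entry.split(",")]:
            problems.append(f"{ip} is already reserved")
    if mac.lower() in (m.lower() for m in MAC_RE.findall(conf)):
        problems.append(f"{mac} already has a reservation")
    return problems


if __name__ == "__main__":
    for issue in check_reservation(SAMPLE_CONF, "192.168.120.150", "aa:bb:cc:dd:ee:ff"):
        print("CONFLICT:", issue)
```

Run it against the config from both SKY and RAIN before editing; differing results mean the two files have already drifted apart.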

SC-002 — Add a DNS A/PTR Record Pair

Risk: Low | Systems: SKY and RAIN

Procedure:

  1. Add the A record to /var/named/wdc.us.gl3.db and PTR to the appropriate reverse zone.
  2. Increment zone serial numbers.
  3. Re-sign DNSSEC and reload: rndc reload
  4. Verify: dig @192.168.120.1 <hostname>.wdc.us.gl3 A +short
  5. Update wdc-hostregistry.csv.
  6. Run Post-Change Checklist on both SKY and RAIN.

SC-003 — Apply OS Security Updates (dnf-automatic)

Risk: Low | Systems: Any server

dnf-automatic applies security updates automatically. Manual invocation for an ad-hoc update:

sudo dnf update --security -y

Reboot only if a kernel update was applied:

# needs-restarting -r exits 0 when no reboot is needed and 1 when one is required
needs-restarting -r && echo "No reboot needed" || echo "Reboot required"

Run Post-Change Checklist after any package update.


SC-004 — Rotate Grafana Admin Password

Risk: Low | Systems: SUN

  1. Log in to Grafana at http://192.168.124.3:3000 as grafana_admin.
  2. Navigate to Profile → Change Password.
  3. Set new password meeting the 14-character policy.
  4. Update the password in the secure vault.
  5. Log the change to /var/log/asset-inventory.log on SUN.

SC-005 — Rebuild and Redeploy MkDocs Portal

Risk: Low | Systems: GCP Cloud Run

cd ~/terraform/gpus-infra/mkdocs
gcloud builds submit --config=cloudbuild.yaml .

Verify the portal is live:

gcloud run services describe gpus-mkdocs-portal \
    --region=us-central1 \
    --format="value(status.url)"

No Post-Change Checklist required (GCP only — no on-prem AIDE or DNSSEC impact).


SC-006 — Add a New Server to the Status Site

Risk: Low | Systems: GCP Cloud Run (status site backend)

  1. Deploy SSH public key to the new server for the appropriate service user.
  2. Open port 22 from 10.8.0.0/28 in the new server's firewall.
  3. Add the server to SERVERS dict in app.py and SERVER_META in gpus-status-site.html.
  4. Rebuild status-site image and redeploy via Cloud Build.
  5. Verify the new server card appears on https://status.greenpeace.us.

Annual Review

Standard change templates are reviewed and re-approved annually by the IT Manager. Last review: 2026-03-13.


Standard Changes · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only