
Diff for "AdminArea"

Differences between revisions 1 and 92 (spanning 91 versions)
Revision 1 as of 2006-11-21 19:07:38
Size: 4355
Editor: ri02-128
Comment:
Revision 92 as of 2007-10-18 01:47:57
Size: 912
Editor: MichaelOlson
Comment: add ChangingAdminPassword
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= Deleuze = = Introduction =
Line 3: Line 3:
This machine donated by Justin Leitgeb seems real nice. Buffered disk throughput is about 1.5 GB/s. Raw disk reads are 60 MB/s for the two 36 GB disks and 120 MB/s for the 4-disk array. Not bad at all. [[TableOfContents]]
Line 5: Line 5:
== Tasks done == = Special topic pages about the new set-up =
Line 7: Line 7:
 * Removed excessive packages, cleaned up the system
 * Installed ''changetrack'' to monitor all config file changes. The program uses ''rcs'' and automatically keeps previous revisions. It is ran from ''cron'' on a daily basis.
 * Installed ''debsums'' to monitor file md5sums
 * Installed Courier IMAP and IMAP-SSL
 * Installed LDAP for user authentication. The system is currently configured to use LDAP and fallback to the usual ''/etc/'' files. Admin users will be added locally on all machines and will be able to log in even when LDAP is not operational.
 * Installed MIT Kerberos 5
 * Fixed date/time on the system. Installed ''ntpd''
 * Installed TLS support for LDAP. Certificate file is ''/etc/ldap/server.pem'', and ldap/ldaps ports are 389/636.
 * Installed Linux 2.6.18.3-grsec with 2.6.18-mm3 patches (2) for megaraid.
  * The patches and source tree installed, along with the .deb generated, is under /usr/src/ntk2. I set up sockets groups as on fyodor (7070-7072). SMP, with hyperthreading enhancements, is enabled. I also installed a bunch of packages that someone were uninstalled while I was gone (e.g., gcc). I also fixed the sudoers, wheel group, and admin home directories. --NathanKennedy

== TODO ==

In order of implementation (soonest first):

 * Get Kerberos and LDAP working completely. There's just ''some small bit'' to do to get everything working. -- DavorOcelic
 * Fix resolv.conf on both servers to have multiple good DNS servers for now, set it to use localhost once BIND is running and configured.
 * Install AFS (need to repeat the reading on AFS and how it really works. Also it will influence the decision how to format ''/dev/sdb'' in the system) -- DavorOcelic
 * Install MySQL and PostgreSQL (input from AFS step and admin discussion needed to see how to exactly configure this) -- DavorOcelic
 * Install BIND -- DavorOcelic
 * Review kernel configuration and install testnet. -- DavorOcelic
 * See why db4.2 recover takes a long time on LDAP restart if anything is modified in the directory -- DavorOcelic
 * Install and configure Apache, to serve static web content only.
 * Get domtool2 working (this to be done concurrent with mire).

== Problems ==

 * When executing '''kinit; ldapsearch -H ldaps:/// -I -b "" -s base -LLL supportedSASLMechanisms''', instead of the correct answer, LDAP server dumps "Cannot open /etc/sasldb2" in error logs. This is a Berkeley DB file used when SASL assumes plain text identification, but here this is not the case (we want Kerberos authentication). I think the problem is in the lack of "{KERBEROS}" password type in userPassword LDAP field. I need to see if the problem simply consists of adding this option in the schema, or its unavailability suggests that LDAP can't do that. -- DavorOcelic
 * With ''debsums'', once you break md5sum of a config file, the file keeps being reported as mismatching even if you completely regenerate md5sums for a package!! -- DavorOcelic
 * The logical volume for /dev/sdb is supposed to be a 4-drive raid array, each drive ~73GB. Right now it seems to be configured as RAID1 mirroring the two drives, for a capacity of ~146G (see dmesg, for instance). This would be faster and the volume would be 73G bigger if it was set up as RAID5. I might need to do this from console, and I need to talk to Justin about it, since he set up the logical volumes and I thought he said that sdb was RAID5. --NathanKennedy

= Custom software =

 * DomtoolTwo
 * Vmail tools
 * Web portal
 * Watchdog process to kill resource hogs

These are my responsibility. Right now, I'm waiting for the more traditional stuff to be set up and stable before beginning. --AdamChlipala


= Global TODO =

 * Make ca@hcoop.net e-mail address working. It's the address used in the certificate files.

= Global Notes =

 * To edit LDAP database from a GUI tool, use ''gq'' program
 * To connect to hcoop's ldap server using ''gq'', create a SSH tunnel: ''' ssh -p 2222 -f -N -L 389:localhost:389 USERNAME@69.90.123.51''', and then connect to ''localhost:389'' in ''gq''.
 * AndrewFileSystem: Using our new shared filesystem
 * BackupInfo: Information on how to recover deleted files from our off-site backups.
 * ChangingAdminPassword: How admins can change their UNIX passwords.
 * DaemonAdmin: Daemon-specific pages aimed at admins
 * DomTool: Administering and using the new domtool
 * IpAddresses: Listing of IPs that we use (nonpublic).
 * NewSystemHardware: Information on the new hardware
 * TaskDistribution: What each sysadmin is responsible for
 * SoftwareArchitecturePlans: Plans for software installation
 * SystemArchitecturePlans: Plans regarding our hardware
 * OnSiteStuff: Checklist for the next on-site visit to the new machines.
 * OneTimeCosts2007: Costs associated with the new servers through April 2007
 * HcoopAddresses: Physical addresses relevant to us
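Review bot: the revision-1 operational notes removed in this hunk (the "Tasks done", "TODO", "Problems" and "Global Notes" lists) carry details that the revision-92 topic index does not, and the edit comment ("add ChangingAdminPassword") does not say where they went: the LDAP TLS certificate path /etc/ldap/server.pem with the 389/636 ldap/ldaps ports, the changetrack and debsums file-integrity set-up together with the debsums caveat that a config file keeps reporting a mismatch even after its md5sums are regenerated, the LDAP-to-/etc fallback that keeps admin logins working when LDAP is down, and the still-open SASL "Cannot open /etc/sasldb2" Kerberos problem. Suggest recording in the edit comment, or on DaemonAdmin, where this material moved so the integrity-monitoring and authentication details stay documented. Dropping the old gq tunnel instruction, which embedded a server IP and SSH port in the page body, is consistent with the new index confining IP listings to the nonpublic IpAddresses page.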

AdminArea (last edited 2020-08-23 22:16:03 by ClintonEbadi)