|
Size: 4355
Comment:
|
Size: 1553
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = Deleuze = | #pragma section-numbers off |
| Line 3: | Line 3: |
| This machine donated by Justin Leitgeb seems real nice. Buffered disk throughput is about 1.5 GB/s. Raw disk reads are 60 MB/s for the two 36 GB disks and 120 MB/s for the 4-disk array. Not bad at all. | This contains a list of pages that are of interest to the admins. |
| Line 5: | Line 5: |
| == Tasks done == | [[TableOfContents]] |
| Line 7: | Line 7: |
| * Removed excessive packages, cleaned up the system * Installed ''changetrack'' to monitor all config file changes. The program uses ''rcs'' and automatically keeps previous revisions. It is ran from ''cron'' on a daily basis. * Installed ''debsums'' to monitor file md5sums * Installed Courier IMAP and IMAP-SSL * Installed LDAP for user authentication. The system is currently configured to use LDAP and fallback to the usual ''/etc/'' files. Admin users will be added locally on all machines and will be able to log in even when LDAP is not operational. * Installed MIT Kerberos 5 * Fixed date/time on the system. Installed ''ntpd'' * Installed TLS support for LDAP. Certificate file is ''/etc/ldap/server.pem'', and ldap/ldaps ports are 389/636. * Installed Linux 2.6.18.3-grsec with 2.6.18-mm3 patches (2) for megaraid. * The patches and source tree installed, along with the .deb generated, is under /usr/src/ntk2. I set up sockets groups as on fyodor (7070-7072). SMP, with hyperthreading enhancements, is enabled. I also installed a bunch of packages that someone were uninstalled while I was gone (e.g., gcc). I also fixed the sudoers, wheel group, and admin home directories. --NathanKennedy |
= General = |
| Line 18: | Line 9: |
| == TODO == | * AdminGroup: Listing of people who can delete pages and despam pages on the wiki. * AndrewFileSystem: Using our new shared filesystem. * AuthenticationScheme: How authentication works on our systems. * DomTool: Administering and using the new domtool. * [:Hardware:]: Information on the new hardware. * HcoopAddresses: Physical addresses relevant to us. * IpAddresses: Listing of IPs that we use. * OnSiteStuff: Checklist for the next on-site visit to the new machines. * RoadMaps: Detailed plans for future events. * SoftwareArchitecturePlans: Plans for software installation. * SystemArchitecturePlans: Plans regarding our hardware. |
| Line 20: | Line 21: |
| In order of implementation (soonest first): | = HOWTO = |
| Line 22: | Line 23: |
| * Get Kerberos and LDAP working completely. There's just ''some small bit'' to do to get everything working. -- DavorOcelic * Fix resolv.conf on both servers to have multiple good DNS servers for now, set it to use localhost once BIND is running and configured. * Install AFS (need to repeat the reading on AFS and how it really works. Also it will influence the decision how to format ''/dev/sdb'' in the system) -- DavorOcelic * Install MySQL and PostgreSQL (input from AFS step and admin discussion needed to see how to exactly configure this) -- DavorOcelic * Install BIND -- DavorOcelic * Review kernel configuration and install testnet. -- DavorOcelic * See why db4.2 recover takes a long time on LDAP restart if anything is modified in the directory -- DavorOcelic * Install and configure Apache, to serve static web content only. * Get domtool2 working (this to be done concurrent with mire). |
* BackupInfo: Information on how to recover deleted files from our off-site backups. * CertificateAuthority: How to sign user SSL certificates and the like. * ChangingAdminPassword: How admins can change their UNIX passwords. * DebianPackaging: How to make custom HCoop Debian packages. * DaemonAdmin: How to set up various daemons. * KvmAccess: How to use the remove KVM and avoid going on site. * RebootingMireSp: How to reboot mire using its SP interface. * SetupNewMachines: How to put the basic hcoop AFS/Kerberos client config on a newly acquired machine |
| Line 32: | Line 32: |
| == Problems == | = Responsibilities = |
| Line 34: | Line 34: |
| * When executing '''kinit; ldapsearch -H ldaps:/// -I -b "" -s base -LLL supportedSASLMechanisms''', instead of the correct answer, LDAP server dumps "Cannot open /etc/sasldb2" in error logs. This is a Berkeley DB file used when SASL assumes plain text identification, but here this is not the case (we want Kerberos authentication). I think the problem is in the lack of "{KERBEROS}" password type in userPassword LDAP field. I need to see if the problem simply consists of adding this option in the schema, or its unavailability suggests that LDAP can't do that. -- DavorOcelic * With ''debsums'', once you break md5sum of a config file, the file keeps being reported as mismatching even if you completely regenerate md5sums for a package!! -- DavorOcelic * The logical volume for /dev/sdb is supposed to be a 4-drive raid array, each drive ~73GB. Right now it seems to be configured as RAID1 mirroring the two drives, for a capacity of ~146G (see dmesg, for instance). This would be faster and the volume would be 73G bigger if it was set up as RAID5. I might need to do this from console, and I need to talk to Justin about it, since he set up the logical volumes and I thought he said that sdb was RAID5. --NathanKennedy = Custom software = * DomtoolTwo * Vmail tools * Web portal * Watchdog process to kill resource hogs These are my responsibility. Right now, I'm waiting for the more traditional stuff to be set up and stable before beginning. --AdamChlipala = Global TODO = * Make ca@hcoop.net e-mail address working. It's the address used in the certificate files. = Global Notes = * To edit LDAP database from a GUI tool, use ''gq'' program * To connect to hcoop's ldap server using ''gq'', create a SSH tunnel: ''' ssh -p 2222 -f -N -L 389:localhost:389 USERNAME@69.90.123.51''', and then connect to ''localhost:389'' in ''gq''. |
* TaskDistribution: What each sysadmin is responsible for. * VolunteerResponsePolicy: Guidelines for responding to requests and email. |
This contains a list of pages that are of interest to the admins.
General
AdminGroup: Listing of people who can delete pages and despam pages on the wiki.
AndrewFileSystem: Using our new shared filesystem.
AuthenticationScheme: How authentication works on our systems.
DomTool: Administering and using the new domtool.
- [:Hardware:]: Information on the new hardware.
HcoopAddresses: Physical addresses relevant to us.
IpAddresses: Listing of IPs that we use.
OnSiteStuff: Checklist for the next on-site visit to the new machines.
RoadMaps: Detailed plans for future events.
SoftwareArchitecturePlans: Plans for software installation.
SystemArchitecturePlans: Plans regarding our hardware.
HOWTO
BackupInfo: Information on how to recover deleted files from our off-site backups.
CertificateAuthority: How to sign user SSL certificates and the like.
ChangingAdminPassword: How admins can change their UNIX passwords.
DebianPackaging: How to make custom HCoop Debian packages.
DaemonAdmin: How to set up various daemons.
KvmAccess: How to use the remove KVM and avoid going on site.
RebootingMireSp: How to reboot mire using its SP interface.
SetupNewMachines: How to put the basic hcoop AFS/Kerberos client config on a newly acquired machine
Responsibilities
TaskDistribution: What each sysadmin is responsible for.
VolunteerResponsePolicy: Guidelines for responding to requests and email.