7140
Comment:
|
4694
overhaul step two: move obsolete links
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
= Deleuze = | #pragma section-numbers off |
Line 3: | Line 3: |
This machine donated by Justin Leitgeb seems real nice. Buffered disk throughput is about 1.5 GB/s. Raw disk reads are 60 MB/s for the two 36 GB disks and 120 MB/s for the 4-disk array. Not bad at all. | = Admin Area = |
Line 5: | Line 5: |
== Tasks done == | Links to detailed policies, procedures and information specific to HCoop. The resources here should allow HCoop admin team members to share information about every part of the complete system, and to allow easier training of future team members. |
Line 7: | Line 7: |
* Removed excessive packages, cleaned up the system * Installed ''changetrack'' to monitor all config file changes. The program uses ''rcs'' and automatically keeps previous revisions. It is ran from ''cron'' on a daily basis. * Installed ''debsums'' to monitor file md5sums * Installed Courier IMAP and IMAP-SSL * Installed LDAP for user authentication. The system is currently configured to use LDAP and fallback to the usual ''/etc/'' files. Admin users will be added locally on all machines and will be able to log in even when LDAP is not operational. * Installed MIT Kerberos 5 * Fixed date/time on the system. Installed ''ntpd'' * Installed TLS support for LDAP. Certificate file is ''/etc/ldap/server.pem'', and ldap/ldaps ports are 389/636. * Installed Linux 2.6.18.3-grsec with 2.6.18-mm3 patches (2) for megaraid. * The patches and source tree installed, along with the .deb generated, is under /usr/src/ntk2. I set up sockets groups as on fyodor (7070-7072). SMP, with hyperthreading enhancements, is enabled. I also installed a bunch of packages that someone were uninstalled while I was gone (e.g., gcc). I also fixed the sudoers, wheel group, and admin home directories. --NathanKennedy * Kerberos + LDAP works. * Compiled requisite kernel modules, compiled and installed new OpenIPMI package, and installed dellomsa. Dell OMSA is now working. --NathanKennedy * Install SSH. * Permit new admins to log in by copying their SSH keys to their newly-created (empty) home directories. * Install AFS (need to repeat the reading on AFS and how it really works. Also it will influence the decision how to format ''/dev/sdb'' in the system) -- DavorOcelic |
|
Line 23: | Line 8: |
== TODO == | <<TableOfContents>> |
Line 25: | Line 10: |
In order of implementation (soonest first): | |
Line 27: | Line 11: |
* Fix resolv.conf on both servers to have multiple good DNS servers for now, set it to use localhost once BIND is running and configured. * Install MySQL and PostgreSQL (input from AFS step and admin discussion needed to see how to exactly configure this) -- DavorOcelic * Install BIND -- DavorOcelic * Review kernel configuration and install testnet. -- DavorOcelic * Install and configure Apache, to serve static web content only. --MichaelOlson * Get domtool2 working (this to be done concurrent with mire). * Figure out how to use Dell OMSA or other tools to monitor RAID and other hardware. |
== To be an admin == |
Line 35: | Line 13: |
== Problems == | Sections you should read if you are interested in being an admin. |
Line 37: | Line 15: |
* With ''debsums'', once you break md5sum of a config file, the file keeps being reported as mismatching even if you completely regenerate md5sums for a package!! -- DavorOcelic * The logical volume for /dev/sdb is supposed to be a 4-drive raid array, each drive ~73GB. Right now it seems to be configured as RAID1 mirroring the two drives, for a capacity of ~146G (see dmesg, for instance). This would be faster and the volume would be 73G bigger if it was set up as RAID5. I might need to do this from console, and I need to talk to Justin about it, since he set up the logical volumes and I thought he said that sdb was RAID5. --NathanKennedy * Spoke to Justin about this. Nonproblem--it is RAID10 and intended to be so. I will let admins decide the merits of RAID5 vs. RAID10. --NathanKennedy |
{{{#!wiki tip Admins: it is recommended that you watch the changes [[http://wiki.hcoop.net/RecentChanges?action=rss_rc&diffs=1&ddiffs=1|RSS feed]] to keep informed of what everyone is up to. Then, please document all of your work on here somewhere - that way we will not only have a record, but everyone gets notified about what is going on. Alternatively, you can create a wiki account and subscribe to the page regex `.*` (all pages). }}} |
Line 41: | Line 19: |
== Authentication scheme explained == | === Admins and Admin Responsibilities === |
Line 43: | Line 21: |
Regarding the exact authentication mechanism on HCoop: | * TaskDistribution: What each sysadmin is responsible for. * VolunteerResponsePolicy: Guidelines for responding to requests and email. * AdminArea/ListOfVolunteers who can help us do stuff... * AdminGroup: Listing of people who can delete pages and despam pages on the wiki. |
Line 45: | Line 26: |
We have Kerberos and LDAP working. Kerberos holds user "principals" (account names + passwords), while LDAP keeps account names plus everything else (such as UIDs, GIDs, home directories, real names, permissions etc.). General policy is: all users have LDAP accounts and a Kerberos principal. Admins have passwd file account and a Kerberos principal. When needed, admins can also create a pure local-files-based account. | === Introductory material === |
Line 47: | Line 28: |
The whole authentication work is performed though a series of PAM (Pluggable Authentication Modules) configuration directives. PAM has four "management groups", listed in most-common order of execution: auth, account, session, and password. (The exact order of execution is controlled by the order of lines in /etc/pam.d/* files, with each file corresponding to a particular service). | Refer to documentation of each of the listed components. The information in our Wiki pages covers only the most basic principles, and quickly focuses on HCoop-specific setup, assuming skillset with the technology. |
Line 49: | Line 30: |
* Auth is concerned with actual username/password verification in the database. In our setup, when users type in the password, it is verified against the Kerberos database. If three attempts are unsuccessful, another prompt is displayed, allowing a user to enter Unix passwd file password. (Only administrators who create a local account would have one). Then, pam_env is invoked, which reads ''/etc/security/pam_env.conf''. That way you can initialize environment variables in the user session. * Account checks things like password aging etc. If the user has an LDAP account, then the Kerberos account module is invoked which checks for the list of allowed principals in ''~/.k5login''. Users with no LDAP account are just checked in the local password files. Then, pam_access is invoked, which reads ''/etc/security/access.conf''. That way you can determine which users (and from where) are allowed to log in. * Session sets up session details. First pam_limits is invoked, imposing limits on users as defined in ''/etc/security/limits.conf''. Then pam_krb5 is invoked which will only succeed if the user has a Kerberos principal. (If it has, it initializes the TGT ticket for them automatically). And then, finally, pam_unix_session is called which just logs session creation (and later session termination) to system log files. At that point, users are logged in. * Password is the management group involved only in changing the password (or whatever the authentication mechanism is). Currently, by default, Kerberos password is changed. Running '''kpasswd''' will change the Kerberos password; running '''passwd''' will change the local-files password, and will only work for people with pure local accounts. |
* DaemonDocumentation: manuals for core services with which you should be familiar * SystemArchitecture * DomTool * MitKerberos * AndrewFileSystem * EtcKeeper * [[Code]]: Details of HCoop-specific code kept in git.hcoop.net * [[OpenLDAP]] |
Line 54: | Line 39: |
= Custom software = | == Planning and Records == |
Line 56: | Line 41: |
* DomtoolTwo (Adam, will it be possible to change/modify support requests from the command line? Also, it would be so "candy" if the messages regarding ticket status were sent as followups to the original request email, not as completely separate mails). -- DavorOcelic * Vmail tools * Web portal * Watchdog process to kill resource hogs |
* ToDo: Both short term and longer term meta-planning. * IpAddresses: Listing of IPs that we use. * [[Hardware]]: Information on HCoop hardware. * HcoopAddresses: Physical addresses relevant to us. * OnSiteVisits: Records of visits by HCoop volunteers to our colocation facilities |
Line 61: | Line 47: |
These are my responsibility. Right now, I'm waiting for the more traditional stuff to be set up and stable before beginning. --AdamChlipala | == Specific Machines == |
Line 63: | Line 49: |
= Mire = == Tasks done == * Installed new second SCSI hard drive, reinstalled debian, and configured the drives with software RAID-1. --NathanKennedy |
This documents machine-specific (hardware) things, or specific configuration necessary for ''that machine''. |
Line 67: | Line 51: |
= Global TODO = | * [[Hardware]] * InstallationProcedure: how to install a machine that adheres to our policies * SetupNewMachines: The ''old'' guide to installing a machine that adheres to our policies * KvmAccess: How to use the remove KVM and avoid going on site. * deleuze * PowerEdge2850 is about '''deleuze''' * RebootingDeleuze: Steps to take after rebooting deleuze. * mire * RebootingMireSp: How to reboot mire using its SP interface. * hopper * HopperServiceProcessor * fritz * FritzInfo * outpost * OutpostInfo |
Line 69: | Line 67: |
* Make ca@hcoop.net e-mail address working. It's the address used in the certificate files. | |
Line 71: | Line 68: |
= Global Notes = | == Services == This documents all software things that are not machine specific. |
Line 73: | Line 71: |
* To edit LDAP database from a GUI tool, use ''gq'' program * To connect to hcoop's ldap server using ''gq'', create a SSH tunnel: ''' ssh -p 2222 -f -N -L 389:localhost:389 USERNAME@69.90.123.51''', and then connect to ''localhost:389'' in ''gq''. |
=== General Sysadmin === * AuthenticationScheme * BackupInfo: Information on how to recover deleted files from our off-site backups. * DebianPackaging: How to make custom HCoop Debian packages. * DebianArchive: Our local debian mirror for distributing custom packages * ConfigurationManagement: How we manage system wide configuration * SystemAuthentication lists authentication * Member Management * UserManagement * MemberFreezing: How to freeze and unfreeze members who get behind on dues * AdminUserSetup, AddingNewAdmins, ChangingAdminPassword: lists steps to create (blank), delete, and change passwords of admin users. === Specific Services === <<Include(DaemonAdmin, ,to="^----$")>> * AFS / Kerberos * SetupNewAfsServer: How to set up a new AFS server. * PrincipalsForNonHumans talks about kerberos for automated tasks. * MailMan contains no information... * SpamAssassinAdmin * DomTool * Web * CertificateAuthority: How to sign user SSL certificates and the like. * WebServicesAdmin: How to administer hcoop provided web services * DNS * ZoneTransfers is also mostly blank. * Databases * Backups * VersionControlAdmin * wiki.hcoop.net * JabberAdmin * [[BugZilla]] == Historical == Pages no longer considered relevant, but may be of historical interest: * UsingResourceLimits * DaemonFileSecurity * ResourceLimits * TipsAndTricks * SoftwareArchitecturePlans: Plans for software installation. * SystemArchitecturePlans: Plans regarding our hardware. * InstallationLog contains ancient (~2005) records of installation of software and hardware * KrunkInfoz (Krunk is out of service) * [[Migration2009]] (never happened, staying at Peer1 was a better choice after all) * [[Migration2009/SoftwareSetup]] * InstalledSoftware ---- CategorySystemAdministration |
Admin Area
Links to detailed policies, procedures and information specific to HCoop. The resources here should allow HCoop admin team members to share information about every part of the complete system, and to allow easier training of future team members.
Contents
To be an admin
Sections you should read if you are interested in being an admin.
Admins: it is recommended that you watch the changes RSS feed to keep informed of what everyone is up to. Then, please document all of your work on here somewhere - that way we will not only have a record, but everyone gets notified about what is going on. Alternatively, you can create a wiki account and subscribe to the page regex .* (all pages).
Admins and Admin Responsibilities
TaskDistribution: What each sysadmin is responsible for.
VolunteerResponsePolicy: Guidelines for responding to requests and email.
AdminArea/ListOfVolunteers who can help us do stuff...
AdminGroup: Listing of people who can delete pages and despam pages on the wiki.
Introductory material
Refer to documentation of each of the listed components. The information in our Wiki pages covers only the most basic principles, and quickly focuses on HCoop-specific setup, assuming skillset with the technology.
DaemonDocumentation: manuals for core services with which you should be familiar
Code: Details of HCoop-specific code kept in git.hcoop.net
Planning and Records
ToDo: Both short term and longer term meta-planning.
IpAddresses: Listing of IPs that we use.
Hardware: Information on HCoop hardware.
HcoopAddresses: Physical addresses relevant to us.
OnSiteVisits: Records of visits by HCoop volunteers to our colocation facilities
Specific Machines
This documents machine-specific (hardware) things, or specific configuration necessary for that machine.
InstallationProcedure: how to install a machine that adheres to our policies
SetupNewMachines: The old guide to installing a machine that adheres to our policies
KvmAccess: How to use the remove KVM and avoid going on site.
- deleuze
PowerEdge2850 is about deleuze
RebootingDeleuze: Steps to take after rebooting deleuze.
- mire
RebootingMireSp: How to reboot mire using its SP interface.
- hopper
- fritz
- outpost
Services
This documents all software things that are not machine specific.
General Sysadmin
BackupInfo: Information on how to recover deleted files from our off-site backups.
DebianPackaging: How to make custom HCoop Debian packages.
DebianArchive: Our local debian mirror for distributing custom packages
ConfigurationManagement: How we manage system wide configuration
SystemAuthentication lists authentication
- Member Management
MemberFreezing: How to freeze and unfreeze members who get behind on dues
AdminUserSetup, AddingNewAdmins, ChangingAdminPassword: lists steps to create (blank), delete, and change passwords of admin users.
Specific Services
We've recorded some special instructions, hints, etc., for daemons with non-standard configuration.
- AFS / Kerberos
SetupNewAfsServer: How to set up a new AFS server.
PrincipalsForNonHumans talks about kerberos for automated tasks.
- Mail
MailMan contains no information...
- Web
CertificateAuthority: How to sign user SSL certificates and the like.
WebServicesAdmin: How to administer hcoop provided web services
- DNS
ZoneTransfers is also mostly blank.
- Databases
- Backups
- wiki.hcoop.net
Historical
Pages no longer considered relevant, but may be of historical interest:
SoftwareArchitecturePlans: Plans for software installation.
SystemArchitecturePlans: Plans regarding our hardware.
InstallationLog contains ancient (~2005) records of installation of software and hardware
KrunkInfoz (Krunk is out of service)
Migration2009 (never happened, staying at Peer1 was a better choice after all)