7030
Comment:
|
4519
step three: remove redundant (and outdated) information better represented on Hardware
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
= Introduction = | #pragma section-numbers off |
Line 3: | Line 3: |
[[TableOfContents]] | = Admin Area = |
Line 5: | Line 5: |
= Special topic pages about migration and new set-up = | Links to detailed policies, procedures and information specific to HCoop. The resources here should allow HCoop admin team members to share information about every part of the complete system, and to allow easier training of future team members. |
Line 7: | Line 7: |
* AndrewFileSystem: Using our new shared filesystem * DaemonAdmin: Daemon-specific pages aimed at admins * DomTool: Administering and using the new domtool * NewSystemHardware: Information on the new hardware * TaskDistribution: What each sysadmin is responsible for * SoftwareArchitecturePlans: Plans for software installation * SystemArchitecturePlans: Plans regarding our hardware |
|
Line 15: | Line 8: |
The following are outdated: | <<TableOfContents>> |
Line 17: | Line 10: |
* ColocationNextSteps: Listing of things to do after getting the hardware. | |
Line 19: | Line 11: |
= To-do list = | == To be an admin == |
Line 21: | Line 13: |
== Before beginning to migrate members == | Sections you should read if you are interested in being an admin. |
Line 23: | Line 15: |
=== Per-User Tasks (also need to be included in adduser) === Assuming username "fred", |
{{{#!wiki tip Admins: it is recommended that you watch the changes [[http://wiki.hcoop.net/RecentChanges?action=rss_rc&diffs=1&ddiffs=1|RSS feed]] to keep informed of what everyone is up to. Then, please document all of your work on here somewhere - that way we will not only have a record, but everyone gets notified about what is going on. Alternatively, you can create a wiki account and subscribe to the page regex `.*` (all pages). }}} |
Line 26: | Line 19: |
* Add fred/cgi@HCOOP.NET principal * Generate keytab and put it somewhere where the user can't get it * Add fred/mailfilter@HCOOP.NET principal * Generate keytab and put it somewhere where the user can't get it * make a user volume * vos create user.fred * fs mkm /afs/hcoop.net/user/f/fr/fred/ * make a maildir * vos create mail.fred * create a delivery mountpoint * fs mkm /afs/hcoop.net/common/mail/f/fr/fred/ mail.fred * create the user's ~/Maildir mount point * fs mkm /afs/hcoop.net/user/f/fr/fred/Maildir mail.fred * doing this for at least one account is blocking Exim delivery testing * make a mount point for the user' oldfiles * fs mkm XXX user.username.backup * XXX = /afs/hcoop.net/u/us/username/.OldFiles/ * Advantage: "CMU style"; typical location * XXX = /afs/hcoop.net/oldfiles/u/us/username/ * Advantage: doesn't confuse find(1) and other tools by creating symlink-free cycles in the filesystem * should we provide snapshots for mail.fred? * where should we mount these volumes? |
=== Admins and Admin Responsibilities === |
Line 49: | Line 21: |
=== Getting Various Daemons to Run with AFS Tokens === | * TaskDistribution: What each sysadmin is responsible for. * VolunteerResponsePolicy: Guidelines for responding to requests and email. * AdminArea/ListOfVolunteers who can help us do stuff... * AdminGroup: Listing of people who can delete pages and despam pages on the wiki. |
Line 51: | Line 26: |
* Exim filters * (a method has been set up by MichaelOlson, but it needs testing). * Courier on deleuze * Apache Dynamic Content. Our options are: 1. Use Apache 1.3 to serve dynamic content (use umbc mod_waklog, which is designed for exactly what we're trying to do) 1. Support only CGI dynamic content (no PHP, mod_perl, etc) and use a kstart hack to wrap each CGI process. 1. Serve all dynamic content using a single monolithic AFS identity such as cgi@HCOOP.NET * not very useful since this is essentially equivalent to system:authuser@HCOOP.NET 1. Have each user run their own Apache instance. 1. Wait for mod_waklog to work properly on Apache 2.0 (may take unbounded amount of time) |
=== Introductory material === |
Line 62: | Line 28: |
=== Other === * Mailman? * Make ca@hcoop.net e-mail address working. It's the address that will be used in the certificate files. * Fix resolv.conf on both servers to have multiple good DNS servers for now, set it to use localhost once BIND is running and configured. * Figure out how to use Dell OMSA or other tools to monitor RAID and other hardware. * Configure Exim on mire to use deleuze as a smarthost. --MichaelOlson * Do performance testing on the new configuration, by having admins or other users monitor performance on mire (using vmstat, top, mytop, etc) and having one or more (perhaps multi-threaded) scripts requesting web pages from somewhere off of the Peer 1 network. |
Refer to documentation of each of the listed components. The information in our Wiki pages covers only the most basic principles, and quickly focuses on HCoop-specific setup, assuming skillset with the technology. |
Line 70: | Line 30: |
== During migration == | * DaemonDocumentation: manuals for core services with which you should be familiar * SystemArchitecture * DomTool * MitKerberos * AndrewFileSystem * EtcKeeper * [[Code]]: Details of HCoop-specific code kept in git.hcoop.net * [[OpenLDAP]] |
Line 72: | Line 39: |
* Watchdog process to kill resource hogs * Migrate ejabberd mnesia db just before the dns switchover. * Set up back-up regime, possibly using [http://rsync.net/ rsync.net]. * Get miscellaneous web stuff ported, like membership application, vmail password change, publicly-viewable statistics on membership, bandwidth usage stats, .... * put 'vos backupsys -localauth' in deleuze:/etc/cron.d/cron.daily/ |
== Planning and Records == |
Line 78: | Line 41: |
= Global Notes = | * ToDo: Both short term and longer term meta-planning. * IpAddresses: Listing of IPs that we use. * [[Hardware]]: Information on HCoop hardware. * HcoopAddresses: Physical addresses relevant to us. * OnSiteVisits: Records of visits by HCoop volunteers to our colocation facilities |
Line 80: | Line 47: |
* To edit LDAP database from a GUI tool, use ''gq'' program * To connect to hcoop's ldap server using ''gq'', create a SSH tunnel: ''' ssh -p 2222 -f -N -L 389:localhost:389 USERNAME@69.90.123.67''', and then connect to ''localhost:389'' in ''gq''. * For the description of the actual authentication scheme, see AuthenticationScheme. |
== Hardware / On-Site Infrastructure == |
Line 84: | Line 49: |
= Tasks done = | * [[Hardware]]: information on the colocation facility and the physical/virtual machines we are using. Tips on using service processors etc. are here. * InstallationProcedure: how to install a machine that adheres to our policies * KernelVirtualMachine: how we are using libvirt * SetupNewMachines: The ''old'' guide to installing a machine that adheres to our policies * KvmAccess: How to use the remove KVM and avoid going on site |
Line 86: | Line 55: |
== Deleuze == | == Software == |
Line 88: | Line 57: |
This machine donated by Justin Leitgeb seems real nice. Buffered disk throughput is about 1.5 GB/s. Raw disk reads are 60 MB/s for the two 36 GB disks and 120 MB/s for the 4-disk array. Not bad at all. | This documents all software things that are not specific to the on-site infrastructure. |
Line 90: | Line 59: |
* Removed excessive packages, cleaned up the system * Installed ''changetrack'' to monitor all config file changes. The program uses ''rcs'' and automatically keeps previous revisions. It is ran from ''cron'' on a daily basis. * Installed ''debsums'' to monitor file md5sums * Installed Courier IMAP and IMAP-SSL * Installed LDAP for user authentication. The system is currently configured to use LDAP and fallback to the usual ''/etc/'' files. Admin users will be added locally on all machines and will be able to log in even when LDAP is not operational. * Installed MIT Kerberos 5 * Fixed date/time on the system. Installed ''ntpd'' * Installed TLS support for LDAP. Certificate file is ''/etc/ldap/server.pem'', and ldap/ldaps ports are 389/636. * Installed Linux 2.6.18.3-grsec with 2.6.18-mm3 patches (2) for megaraid. * The patches and source tree installed, along with the .deb generated, is under /usr/src/ntk2. I set up sockets groups as on fyodor (7070-7072). SMP, with hyperthreading enhancements, is enabled. I also installed a bunch of packages that someone were uninstalled while I was gone (e.g., gcc). I also fixed the sudoers, wheel group, and admin home directories. --NathanKennedy * Kerberos + LDAP works. * Compiled requisite kernel modules, compiled and installed new OpenIPMI package, and installed dellomsa. Dell OMSA is now working. --NathanKennedy * Install SSH. * Permit new admins to log in by copying their SSH keys to their newly-created (empty) home directories. * Install AFS (need to repeat the reading on AFS and how it really works. Also it will influence the decision how to format ''/dev/sdb'' in the system) -- DavorOcelic * Install MySQL and PostgreSQL (input from AFS step and admin discussion needed to see how to exactly configure this). * Install BIND. * Install and configure Apache, to serve static web content only. --MichaelOlson * Review kernel configuration and install testnet. -- DavorOcelic * Configure exim4. --MichaelOlson * Configure Courier IMAP daemons, reviewing fyodor's config. --MichaelOlson * Migrate squirrelmail configuration settings from fyodor. * Configure Squirrel``Mail to use imapproxyd, which should give speed improvements once we migrate to deleuze. --MichaelOlson |
=== General Sysadmin === |
Line 114: | Line 61: |
= Mire = | * AuthenticationScheme * BackupInfo: Information on how to recover deleted files from our off-site backups. * DebianPackaging: How to make custom HCoop Debian packages. * DebianArchive: Our local debian mirror for distributing custom packages * ConfigurationManagement: How we manage system wide configuration * SystemAuthentication lists authentication * Member Management * UserManagement * MemberFreezing: How to freeze and unfreeze members who get behind on dues * AdminUserSetup, AddingNewAdmins, ChangingAdminPassword: lists steps to create (blank), delete, and change passwords of admin users. |
Line 116: | Line 72: |
* Installed new second SCSI hard drive, reinstalled debian, and configured the drives with software RAID-1. --NathanKennedy * Configured Mire to work as a proper krb/ldap/afs client machine. --DavorOcelic |
=== Specific Services === |
Line 119: | Line 74: |
= Custom software = | <<Include(DaemonAdmin, ,to="^----$")>> * AFS / Kerberos * SetupNewAfsServer: How to set up a new AFS server. * PrincipalsForNonHumans talks about kerberos for automated tasks. * MailMan contains no information... * SpamAssassinAdmin * DomTool * Web * CertificateAuthority: How to sign user SSL certificates and the like. * WebServicesAdmin: How to administer hcoop provided web services * DNS * ZoneTransfers is also mostly blank. * Databases * Backups * VersionControlAdmin * wiki.hcoop.net * JabberAdmin * [[BugZilla]] == Historical == |
Line 121: | Line 96: |
* DomtoolTwo * Vmail tools * Web portal |
Pages no longer considered relevant, but may be of historical interest: * UsingResourceLimits * DaemonFileSecurity * ResourceLimits * TipsAndTricks * SoftwareArchitecturePlans: Plans for software installation. * SystemArchitecturePlans: Plans regarding our hardware. * InstallationLog contains ancient (~2005) records of installation of software and hardware * KrunkInfoz (Krunk is out of service) * [[Migration2009]] (never happened, staying at Peer1 was a better choice after all) * [[Migration2009/SoftwareSetup]] * InstalledSoftware ---- CategorySystemAdministration |
Admin Area
Links to detailed policies, procedures and information specific to HCoop. The resources here should allow HCoop admin team members to share information about every part of the complete system, and to allow easier training of future team members.
Contents
To be an admin
Sections you should read if you are interested in being an admin.
Admins: it is recommended that you watch the changes RSS feed to keep informed of what everyone is up to. Then, please document all of your work on here somewhere - that way we will not only have a record, but everyone gets notified about what is going on. Alternatively, you can create a wiki account and subscribe to the page regex .* (all pages).
Admins and Admin Responsibilities
TaskDistribution: What each sysadmin is responsible for.
VolunteerResponsePolicy: Guidelines for responding to requests and email.
AdminArea/ListOfVolunteers who can help us do stuff...
AdminGroup: Listing of people who can delete pages and despam pages on the wiki.
Introductory material
Refer to documentation of each of the listed components. The information in our Wiki pages covers only the most basic principles, and quickly focuses on HCoop-specific setup, assuming skillset with the technology.
DaemonDocumentation: manuals for core services with which you should be familiar
Code: Details of HCoop-specific code kept in git.hcoop.net
Planning and Records
ToDo: Both short term and longer term meta-planning.
IpAddresses: Listing of IPs that we use.
Hardware: Information on HCoop hardware.
HcoopAddresses: Physical addresses relevant to us.
OnSiteVisits: Records of visits by HCoop volunteers to our colocation facilities
Hardware / On-Site Infrastructure
Hardware: information on the colocation facility and the physical/virtual machines we are using. Tips on using service processors etc. are here.
InstallationProcedure: how to install a machine that adheres to our policies
KernelVirtualMachine: how we are using libvirt
SetupNewMachines: The old guide to installing a machine that adheres to our policies
KvmAccess: How to use the remove KVM and avoid going on site
Software
This documents all software things that are not specific to the on-site infrastructure.
General Sysadmin
BackupInfo: Information on how to recover deleted files from our off-site backups.
DebianPackaging: How to make custom HCoop Debian packages.
DebianArchive: Our local debian mirror for distributing custom packages
ConfigurationManagement: How we manage system wide configuration
SystemAuthentication lists authentication
- Member Management
MemberFreezing: How to freeze and unfreeze members who get behind on dues
AdminUserSetup, AddingNewAdmins, ChangingAdminPassword: lists steps to create (blank), delete, and change passwords of admin users.
Specific Services
We've recorded some special instructions, hints, etc., for daemons with non-standard configuration.
- AFS / Kerberos
SetupNewAfsServer: How to set up a new AFS server.
PrincipalsForNonHumans talks about kerberos for automated tasks.
- Mail
MailMan contains no information...
- Web
CertificateAuthority: How to sign user SSL certificates and the like.
WebServicesAdmin: How to administer hcoop provided web services
- DNS
ZoneTransfers is also mostly blank.
- Databases
- Backups
- wiki.hcoop.net
Historical
Pages no longer considered relevant, but may be of historical interest:
SoftwareArchitecturePlans: Plans for software installation.
SystemArchitecturePlans: Plans regarding our hardware.
InstallationLog contains ancient (~2005) records of installation of software and hardware
KrunkInfoz (Krunk is out of service)
Migration2009 (never happened, staying at Peer1 was a better choice after all)