5892
Comment:
|
1136
Make a HOWTO section
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
= Introduction = | #pragma section-numbers off This contains a list of pages that are of interest to the admins. |
Line 5: | Line 7: |
= Special topic pages about migration and new set-up = | = General = |
Line 7: | Line 9: |
* AndrewFileSystem: Using our new shared filesystem * DaemonAdmin: Daemon-specific pages aimed at admins * DomTool: Administering and using the new domtool * NewSystemHardware: Information on the new hardware * TaskDistribution: What each sysadmin is responsible for * SoftwareArchitecturePlans: Plans for software installation * SystemArchitecturePlans: Plans regarding our hardware |
* AdminGroup: Listing of HCoop system administrators. * AndrewFileSystem: Using our new shared filesystem. * AuthenticationScheme: How authentication works on our systems. * DomTool: Administering and using the new domtool. * IpAddresses: Listing of IPs that we use. * NewSystemHardware: Information on the new hardware. * SoftwareArchitecturePlans: Plans for software installation. * SystemArchitecturePlans: Plans regarding our hardware. * OnSiteStuff: Checklist for the next on-site visit to the new machines. * HcoopAddresses: Physical addresses relevant to us. |
Line 15: | Line 20: |
The following are outdated: | = HOWTO = |
Line 17: | Line 22: |
* ColocationNextSteps: Listing of things to do after getting the hardware. | * BackupInfo: Information on how to recover deleted files from our off-site backups. * ChangingAdminPassword: How admins can change their UNIX passwords. |
Line 19: | Line 25: |
= To-do list = | = Responsibilities = |
Line 21: | Line 27: |
== Before beginning to migrate members == | * TaskDistribution: What each sysadmin is responsible for. * VolunteerResponsePolicy: Guidelines for responding to requests and email. |
Line 23: | Line 30: |
=== Getting Various Daemons to Run with AFS Tokens === | = Programs = |
Line 25: | Line 32: |
* Courier on deleuze * appears to need authmodulelist="authpam" -- ok to change this? * Apache Dynamic Content. Our options are: 1. Use Apache 1.3 to serve dynamic content (use umbc mod_waklog, which is designed for exactly what we're trying to do) 1. Support only CGI dynamic content (no PHP, mod_perl, etc) and use a kstart hack to wrap each CGI process. 1. Serve all dynamic content using a single monolithic AFS identity such as cgi@HCOOP.NET * not very useful since this is essentially equivalent to system:authuser@HCOOP.NET 1. Have each user run their own Apache instance. 1. Wait for mod_waklog to work properly on Apache 2.0 (may take unbounded amount of time) === Other === * Mailman? * Make ca@hcoop.net e-mail address working. It's the address that will be used in the certificate files. * Fix resolv.conf on both servers to have multiple good DNS servers for now, set it to use localhost once BIND is running and configured. * Figure out how to use Dell OMSA or other tools to monitor RAID and other hardware. * Configure Exim on mire to use deleuze as a smarthost. --MichaelOlson * Do performance testing on the new configuration, by having admins or other users monitor performance on mire (using vmstat, top, mytop, etc) and having one or more (perhaps multi-threaded) scripts requesting web pages from somewhere off of the Peer 1 network. == During migration == * Watchdog process to kill resource hogs * Migrate ejabberd mnesia db just before the dns switchover. * Set up back-up regime, possibly using [http://rsync.net/ rsync.net]. * Get miscellaneous web stuff ported, like membership application, vmail password change, publicly-viewable statistics on membership, bandwidth usage stats, .... * put 'vos backupsys -localauth' in deleuze:/etc/cron.d/cron.daily/ = Global Notes = * To edit LDAP database from a GUI tool, use ''gq'' program * To connect to hcoop's ldap server using ''gq'', create a SSH tunnel: ''' ssh -p 2222 -f -N -L 389:localhost:389 USERNAME@69.90.123.67''', and then connect to ''localhost:389'' in ''gq''. * For the description of the actual authentication scheme, see AuthenticationScheme. = Tasks done = == Deleuze == This machine donated by Justin Leitgeb seems real nice. Buffered disk throughput is about 1.5 GB/s. Raw disk reads are 60 MB/s for the two 36 GB disks and 120 MB/s for the 4-disk array. Not bad at all. * Removed excessive packages, cleaned up the system * Installed ''changetrack'' to monitor all config file changes. The program uses ''rcs'' and automatically keeps previous revisions. It is ran from ''cron'' on a daily basis. * Installed ''debsums'' to monitor file md5sums * Installed Courier IMAP and IMAP-SSL * Installed LDAP for user authentication. The system is currently configured to use LDAP and fallback to the usual ''/etc/'' files. Admin users will be added locally on all machines and will be able to log in even when LDAP is not operational. * Installed MIT Kerberos 5 * Fixed date/time on the system. Installed ''ntpd'' * Installed TLS support for LDAP. Certificate file is ''/etc/ldap/server.pem'', and ldap/ldaps ports are 389/636. * Installed Linux 2.6.18.3-grsec with 2.6.18-mm3 patches (2) for megaraid. * The patches and source tree installed, along with the .deb generated, is under /usr/src/ntk2. I set up sockets groups as on fyodor (7070-7072). SMP, with hyperthreading enhancements, is enabled. I also installed a bunch of packages that someone were uninstalled while I was gone (e.g., gcc). I also fixed the sudoers, wheel group, and admin home directories. --NathanKennedy * Kerberos + LDAP works. * Compiled requisite kernel modules, compiled and installed new OpenIPMI package, and installed dellomsa. Dell OMSA is now working. --NathanKennedy * Install SSH. * Permit new admins to log in by copying their SSH keys to their newly-created (empty) home directories. * Install AFS (need to repeat the reading on AFS and how it really works. Also it will influence the decision how to format ''/dev/sdb'' in the system) -- DavorOcelic * Install MySQL and PostgreSQL (input from AFS step and admin discussion needed to see how to exactly configure this). * Install BIND. * Install and configure Apache, to serve static web content only. --MichaelOlson * Review kernel configuration and install testnet. -- DavorOcelic * Configure exim4. --MichaelOlson * Configure Courier IMAP daemons, reviewing fyodor's config. --MichaelOlson * Migrate squirrelmail configuration settings from fyodor. * Configure Squirrel``Mail to use imapproxyd, which should give speed improvements once we migrate to deleuze. --MichaelOlson * Exim filters * (a method has been set up by MichaelOlson, but it needs testing). = Mire = * Installed new second SCSI hard drive, reinstalled debian, and configured the drives with software RAID-1. --NathanKennedy * Configured Mire to work as a proper krb/ldap/afs client machine. --DavorOcelic = Custom software = * DomtoolTwo * Vmail tools * Web portal |
* DaemonAdmin: Daemon-specific pages aimed at admins. |
This contains a list of pages that are of interest to the admins.
General
AdminGroup: Listing of HCoop system administrators.
AndrewFileSystem: Using our new shared filesystem.
AuthenticationScheme: How authentication works on our systems.
DomTool: Administering and using the new domtool.
IpAddresses: Listing of IPs that we use.
NewSystemHardware: Information on the new hardware.
SoftwareArchitecturePlans: Plans for software installation.
SystemArchitecturePlans: Plans regarding our hardware.
OnSiteStuff: Checklist for the next on-site visit to the new machines.
HcoopAddresses: Physical addresses relevant to us.
HOWTO
BackupInfo: Information on how to recover deleted files from our off-site backups.
ChangingAdminPassword: How admins can change their UNIX passwords.
Responsibilities
TaskDistribution: What each sysadmin is responsible for.
VolunteerResponsePolicy: Guidelines for responding to requests and email.
Programs
DaemonAdmin: Daemon-specific pages aimed at admins.