Comment: Migrate changes
Add CertificateAuthority page
Line 1: | Line 1: |
= Introduction = | #pragma section-numbers off This contains a list of pages that are of interest to the admins. |
Line 5: | Line 7: |
= Final preparations = | = General = |
Line 7: | Line 9: |
See page NewServersSetup/FinalPreparations. | * AdminGroup: Listing of HCoop system administrators. * AndrewFileSystem: Using our new shared filesystem. * AuthenticationScheme: How authentication works on our systems. * DomTool: Administering and using the new domtool. * IpAddresses: Listing of IPs that we use. * NewSystemHardware: Information on the new hardware. * SoftwareArchitecturePlans: Plans for software installation. * SystemArchitecturePlans: Plans regarding our hardware. * OnSiteStuff: Checklist for the next on-site visit to the new machines. * HcoopAddresses: Physical addresses relevant to us. |
Line 9: | Line 20: |
= Special topic pages about migration and new set-up = | = HOWTO = |
Line 11: | Line 22: |
* AndrewFileSystem: Using our new shared filesystem | |
Line 13: | Line 23: |
* DaemonAdmin: Daemon-specific pages aimed at admins * DomTool: Administering and using the new domtool * NewSystemHardware: Information on the new hardware * TaskDistribution: What each sysadmin is responsible for * SoftwareArchitecturePlans: Plans for software installation * SystemArchitecturePlans: Plans regarding our hardware * OnSiteStuff: Checklist for the next on-site visit to the new machines. * OneTimeCosts2007: Costs associated with the new servers through April 2007 * HcoopAddresses: Physical addresses relevant to us |
* CertificateAuthority: How to sign user SSL certificates and the like. * ChangingAdminPassword: How admins can change their UNIX passwords. |
Line 23: | Line 26: |
The following are outdated: | = Responsibilities = |
Line 25: | Line 28: |
* ColocationNextSteps: Listing of things to do after getting the hardware. | * TaskDistribution: What each sysadmin is responsible for. * VolunteerResponsePolicy: Guidelines for responding to requests and email. |
Line 27: | Line 31: |
= To-do list = | = Programs = |
Line 29: | Line 33: |
These items should probably be in Bugzilla instead now. == During migration == * Unclaimed * Watchdog process to kill resource hogs * Fix resolv.conf on both servers to have multiple good DNS servers for now, set it to use localhost once BIND is running and configured. * Figure out how to use Dell OMSA or other tools to monitor RAID and other hardware. * Migrate ejabberd mnesia db just before the dns switchover. * Set up back-up regime, possibly using [http://rsync.net/ rsync.net]. * Get miscellaneous web stuff ported, like membership application, vmail password change, publicly-viewable statistics on membership, bandwidth usage stats, .... * Do performance testing on the new configuration, by having admins or other users monitor performance on mire (using vmstat, top, mytop, etc) and having one or more (perhaps multi-threaded) scripts requesting web pages from somewhere off of the Peer 1 network. * ntk * Mailman * (Status) The exim side of things has been mostly set up. I think I migrated the non-exim stuff as well, but will need to double-check. --MichaelOlson * Migrate lists. * Reboot mire while on-site to watch for slow boot issues that should be resolved with recent changes * mwolson * Run simple tests on cron to see if it works. * AdamMegacz * Setup Sun Netra ("Krunk") to be secondary KDC+AFS server = Global Notes = * To edit LDAP database from a GUI tool, use ''gq'' program * To connect to hcoop's ldap server using ''gq'', create a SSH tunnel: ''' ssh -f -N -L 389:localhost:389 USERNAME@deleuze.hcoop.net''', and then connect to ''localhost:389'' in ''gq''. * For the description of the actual authentication scheme, see AuthenticationScheme. = Tasks done = == Deleuze == This machine donated by Justin Leitgeb seems real nice. Buffered disk throughput is about 1.5 GB/s. Raw disk reads are 60 MB/s for the two 36 GB disks and 120 MB/s for the 4-disk array. Not bad at all. 
* Removed excessive packages, cleaned up the system * Installed ''changetrack'' to monitor all config file changes. The program uses ''rcs'' and automatically keeps previous revisions. It is ran from ''cron'' on a daily basis. * Installed ''debsums'' to monitor file md5sums * Installed Courier IMAP and IMAP-SSL * Installed LDAP for user authentication. The system is currently configured to use LDAP and fallback to the usual ''/etc/'' files. Admin users will be added locally on all machines and will be able to log in even when LDAP is not operational. * Installed MIT Kerberos 5 * Fixed date/time on the system. Installed ''ntpd'' * Installed TLS support for LDAP. Certificate file is ''/etc/ldap/server.pem'', and ldap/ldaps ports are 389/636. * Installed Linux 2.6.18.3-grsec with 2.6.18-mm3 patches (2) for megaraid. * The patches and source tree installed, along with the .deb generated, is under /usr/src/ntk2. I set up sockets groups as on fyodor (7070-7072). SMP, with hyperthreading enhancements, is enabled. I also installed a bunch of packages that someone were uninstalled while I was gone (e.g., gcc). I also fixed the sudoers, wheel group, and admin home directories. --NathanKennedy * Kerberos + LDAP works. * Compiled requisite kernel modules, compiled and installed new OpenIPMI package, and installed dellomsa. Dell OMSA is now working. --NathanKennedy * Install SSH. * Permit new admins to log in by copying their SSH keys to their newly-created (empty) home directories. * Install AFS (need to repeat the reading on AFS and how it really works. Also it will influence the decision how to format ''/dev/sdb'' in the system) -- DavorOcelic * Install MySQL and PostgreSQL (input from AFS step and admin discussion needed to see how to exactly configure this). * Install BIND. * Install and configure Apache, to serve static web content only. --MichaelOlson * Review kernel configuration and install testnet. -- DavorOcelic * Configure exim4. 
--MichaelOlson * Configure Courier IMAP daemons, reviewing fyodor's config. --MichaelOlson * Migrate squirrelmail configuration settings from fyodor. * Configure Squirrel``Mail to use imapproxyd, which should give speed improvements once we migrate to deleuze. --MichaelOlson * Exim filters * (a method has been set up by MichaelOlson, but it needs testing). * DNS server * Works on deleuze, although I will test once more domains have been migrated for reasonable domain defaults --JustinLeitgeb * nscd process for name caching * Currently this processes is set to do hostname caching on deleuze, so bind will not be set up as a caching name server --JustinLeitgeb * Get exim working on mire --MichaelOlson * Upgrade deleuze to debian etch --MichaelOlson * Install denyhosts on both deleuze and mire, needs debian etch --MichaelOlson * Switch ssh on deleuze to listen to port 22, needs denyhosts --MichaelOlson * Perform testing on procmail and exim filter on deleuze. --MichaelOlson * Make ca@hcoop.net e-mail address working. It's the address that will be used in the certificate files. --MichaelOlson * Make sure somebody is reading mail sent to abuse@hcoop.net so we don't wind up on lame DNSBLs. * Review apache configuration on mire. --MichaelOlson * Make /afs/hcoop.net/common/etc/scripts/apache-sync-logs work. --Megacz == Mire == * Installed new second SCSI hard drive, reinstalled debian, and configured the drives with software RAID-1. --NathanKennedy * Configured Mire to work as a proper krb/ldap/afs client machine. --DavorOcelic == Krunk == = Custom software = * DomtoolTwo * Vmail tools * Web portal |
* DaemonAdmin: Daemon-specific pages aimed at admins. |
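Review bot: nothing in the added lines says where the deleted Global Notes and Tasks done material went (the Line 29 / Line 33 hunk, whose right-hand side is only the DaemonAdmin link). The deleted text carries operational detail that admins still need, such as the gq-over-SSH-tunnel instructions for the LDAP server, the note that the LDAP TLS certificate is /etc/ldap/server.pem on ports 389/636, and the record that changetrack and debsums monitor config files and checksums. I would move that material to a linked page and name the page in the revision comment, and give the unclaimed to-do items a pointer to Bugzilla, as the deleted line "These items should probably be in Bugzilla instead now" already proposed.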
This page lists the pages that are of interest to the admins.
= General =

 * AdminGroup: Listing of HCoop system administrators.
 * AndrewFileSystem: Using our new shared filesystem.
 * AuthenticationScheme: How authentication works on our systems.
 * DomTool: Administering and using the new domtool.
 * IpAddresses: Listing of IPs that we use.
 * NewSystemHardware: Information on the new hardware.
 * SoftwareArchitecturePlans: Plans for software installation.
 * SystemArchitecturePlans: Plans regarding our hardware.
 * OnSiteStuff: Checklist for the next on-site visit to the new machines.
 * HcoopAddresses: Physical addresses relevant to us.

= HOWTO =

 * BackupInfo: Information on how to recover deleted files from our off-site backups.
 * CertificateAuthority: How to sign user SSL certificates and the like.
 * ChangingAdminPassword: How admins can change their UNIX passwords.

= Responsibilities =

 * TaskDistribution: What each sysadmin is responsible for.
 * VolunteerResponsePolicy: Guidelines for responding to requests and email.

= Programs =

 * DaemonAdmin: Daemon-specific pages aimed at admins.