Plans for upgrading Fritz to Debian Squeeze
1. Preliminaries
Release Note Information of Upgrading From Lenny.
1.1. Pre-Install Cleanup Tasks
1.1.1. Sanitize NSS Configuration
- Synchronize the UIDs of locally created users with their counterparts in AFS
  - docelic_admin
  - rkd_admin
  - clinton_admin
  - adamc_admin
  - shadowfax_admin
- Locate and update any files owned by an obsolete UID to the new UID
- Set up libnss-afs (afs files)
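One way to carry out the "locate and update" step above, as an added example that is not part of the original plan. It assumes GNU find and that the old and new numeric UIDs are already known; the function names and the UIDs in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original plan. Function names are hypothetical.
# Assumes GNU find (as shipped with Debian) and known numeric old/new UIDs.

# Print every path under ROOT owned by numeric UID.
# -xdev keeps find on ROOT's filesystem, so it never descends into /afs.
list_owned_by() {
    find "$1" -xdev -uid "$2" -print
}

# Print setuid/setgid regular files owned by UID. Linux can clear these
# bits on chown, so record them first and restore deliberately afterwards.
list_setid_owned_by() {
    find "$1" -xdev -uid "$2" -type f -perm /6000 -print
}

# reown ROOT OLD_UID NEW_UID [apply]
# Without "apply" this only prints the chown commands it would run.
reown() {
    root=$1; old=$2; new=$3; mode=${4:-dry-run}
    for n in "$old" "$new"; do
        case $n in
            ''|*[!0-9]*) echo "reown: UIDs must be numeric" >&2; return 2 ;;
        esac
    done
    if [ "$mode" = apply ]; then
        # -h re-owns a symlink itself rather than whatever it points at.
        find "$root" -xdev -uid "$old" -exec chown -h "$new" {} +
    else
        find "$root" -xdev -uid "$old" -exec echo chown -h "$new" {} \;
    fi
}

# Usage (constructed UIDs): reown / 1001 20001        # review the output
#                           reown / 1001 20001 apply  # then make the change
```

Run the dry run once per mounted local filesystem, since -xdev stops at mount points.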
1.1.2. Reconfigure PAM
This may be better to do after the installation.
Configure sshd and login to use pam_localuser instead of pam_unix to ensure that only local users can log in, regardless of the NSS configuration (right now non-local users can't log in using just pam_unix, but this is an accident of the implementation of libnss-afs and not something that should be relied upon).
2. Installation environment
- su to root and start a screen session (preventing partial upgrade issues if the network connection drops)
- Open a physical console root login just in case
3. Installation Steps
3.1. Upgrade Kernel and udev
- Install new kernel image and openafs-module-dkms
- Install udev
- Reboot
3.2. Basic Upgrade
- apt-get upgrade
- Reboot?
3.3. Full Upgrade
- apt-get dist-upgrade
- Reboot?
3.4. Clean Up
- Make sure the other machines are still sane after losing volume access for a while.
4. Caveats
4.1. pam_unix_session locking all login access
This bit us on hopper. ClintonEbadi has confirmed this is not an issue on fritz.
4.2. Locally built packages
Todo: someone needs to scan fritz for locally built packages (krb5 and openafs?) and make sure we have an upgrade path for them.
5. Service Interruption Mitigation
5.1. Read Only Volumes on Deleuze
Since we have openafs we may as well take advantage of it by adding deleuze's vicepa as a site for user.$USER volumes. There does not appear to be enough room for mail.$USER volumes so we won't worry about those (mail will still be queued and having a read only copy of mail volumes is of dubious value).
5.1.1. Preparation
A few days before the upgrade:
- Prevent backup from running (uncomment exit 0 in hcoop-backup-wrapper) before scheduled upgrade date
- Purge last backup data
- Purge db.$USER volumes
- Purge {user,mail}.$USER.d volumes for members who departed more than (tentatively) 90 ago
- For all active user.$USER volumes: vos addsite deleuze vicepa user.$USER
Immediately before upgrading:
- For all active user.$USER volumes: vos release user.$USER
5.1.2. Clean Up
For all user volumes, run vos remsite deleuze vicepa user.$USER to free space for the backup. Alternatively, since the backup will be moved to fritz anyway, leave them in place. There seems to be little benefit to doing so, since deleuze does not have much space compared to fritz and we have nothing in place to regularly vos release volumes, making them effectively useless.