752013-01-28 07:21:09ClintonEbadiexciting, the huge task list that was this page is basically gone...742013-01-24 06:40:30ClintonEbadiand now phpmyadmin works again, awesome.732013-01-21 08:46:33ClintonEbadimove firewall next gen notes to their own page722013-01-15 20:21:06ClintonEbadiremoved mire from slave dns duty too712013-01-15 20:20:02ClintonEbadifritz apache is off!702013-01-05 08:05:48ClintonEbadia few more things and remove stale tasks692012-12-31 08:46:09ClintonEbadihelped steve, wrote docs, remove a bit of cruft, might want to point users at the migration guide682012-12-31 00:07:23ClintonEbadibog lives672012-12-30 22:03:50ClintonEbadia few more tasks for bog662012-12-30 21:46:57ClintonEbadiconcrete bog tasks652012-12-25 21:27:19ClintonEbadiyou win one, you lose one642012-12-20 21:50:32ClintonEbadimove preseed to its own page632012-12-20 20:53:49ClintonEbadiprune scratch work areas622012-12-20 20:50:28ClintonEbadimove debian archive info612012-12-20 03:19:57ClintonEbadiam I done? I think I can call this done...602012-12-18 09:01:30ClintonEbadimore tasks592012-12-17 20:35:22ClintonEbadishifting priorities582012-12-16 19:43:00ClintonEbadiI can be kind of oblivious to the obvious sometimes572012-12-16 09:53:43ClintonEbadi30 seconds more work, slightly better sleep562012-12-16 09:44:25ClintonEbaditurns out things that were once difficult, are now easy / unmark unverified tasks552012-12-16 09:28:44ClintonEbadi542012-12-16 09:25:10ClintonEbadihow did I miss so many apache2 modules...532012-12-16 04:01:23ClintonEbadiin a battle between me and insserv, I won, but only after insserv knocked out a few teeth522012-12-15 09:53:38ClintonEbadia few questions for bog before I sleep512012-12-15 08:32:30ClintonEbadinow that fritz works, move forward!502012-12-10 07:40:24ClintonEbadissl!492012-12-10 00:10:02ClintonEbadifinish a few tasks, discover a few more482012-12-09 07:51:31ClintonEbadiprune completed tasks from task list472012-12-09 07:22:19ClintonEbaditime to start moving content to new pages462012-12-09 07:06:56ClintonEbadiit looks so easy452012-12-07 06:46:46ClintonEbadiwe can route mail from navajos, and it appears that apache works properly442012-12-06 10:02:04ClintonEbadithe inevitable details rear their ugly heads432012-12-06 08:36:38ClintonEbadifor betteror worse, navajos is finally in production422012-09-08 05:50:13ClintonEbadidid that kerberos thing, and boy was it more difficult than expected412012-09-07 21:41:15ClintonEbadiforked suphp packaging402012-09-07 21:01:47ClintonEbadiunix continues to throw up minor hurdles just to see me suffer392012-09-07 06:26:22ClintonEbadinote a couple of minor tasks post-setup382012-09-07 06:12:11ClintonEbadiprogress made without a 3 week gap? Yep.372012-09-04 07:27:48ClintonEbadireminding myself why we're not restricting the ports users can listen on362012-09-04 06:37:08ClintonEbadigood thing I have that book on iptables, ugh352012-09-04 05:53:20ClintonEbadimire does one non-user thing342012-09-03 19:46:16ClintonEbadia couple of minor tasks332012-09-03 06:47:51ClintonEbadias is often the case, it turns out there's another valley to cross before climbing the peak322012-09-02 23:15:43ClintonEbadidomtool is alive312012-09-02 21:45:15ClintonEbadivery close to apache2 working it would seem302012-09-02 07:07:08ClintonEbadithe thing with unix is that every solution reveals ten new problems292012-07-31 08:53:57ClintonEbadiawaiting testing/commit, I think I've got domtool going... onward to apache?282012-07-31 08:15:10ClintonEbadiI HAVE DEFEATED DOMTOOL IN BATTLE AND IT SHALL DO MY BIDDING272012-07-30 09:37:44ClintonEbadia few minor bits before zzz262012-07-30 09:04:01ClintonEbadimade some progress today252012-06-14 08:10:16ClintonEbadibackported mlton-tools242012-06-08 06:50:50ClintonEbadifinal setup tasks232012-06-07 07:13:57ClintonEbadithe taste of victory is near222012-06-05 07:34:56ClintonEbadiinching ever closer toward a working VM!212012-06-04 05:43:13ClintonEbadifinally got kerberos config packaged202012-05-18 19:36:07ClintonEbadiI guess we really do need domain_realm, ugh192012-04-30 07:01:54ClintonEbadimore tasks182012-04-28 05:43:56ClintonEbadigiving up from now, dump stack172012-04-28 03:46:15ClintonEbadipartioning proved to be straightforward162012-04-28 03:30:39ClintonEbadimore tasks152012-04-28 01:26:05ClintonEbadilet's get back on track142012-03-30 07:57:24ClintonEbadiI like it when things are impossible132012-03-30 07:44:59ClintonEbadibuilding domtool is sometimes a PITA122012-03-30 06:11:45ClintonEbadithings happen, often even if I do nothing112012-03-29 07:26:13ClintonEbadiinching toward something usable102012-03-27 08:41:50ClintonEbadiack, hosed part of the page92012-03-27 08:39:07ClintonEbadidid a bit more work, despaired at some tasks82012-03-26 07:25:09ClintonEbadimore config to package72012-03-26 03:34:32ClintonEbadidetails, details62012-03-25 23:25:40ClintonEbadipackaged nsswitch config more properly, moved info to DebianPackaging52012-03-25 10:41:43ClintonEbadiwhat actually happened with debarchiver ... p.s. we can basically install a new image that lets anyone login automagically!42012-03-25 02:30:52ClintonEbadiconcrete plans for debarchiver32012-03-24 19:53:49ClintonEbadidebian based package config? Have I gone insane?22012-03-17 05:29:53ClintonEbadiconfiguring stuff12012-03-15 05:04:21ClintonEbadilet's get this virtual party startedWorking notes on getting kvm working on fritz. This will need to be integrated into SetupNewMachines and AdminArea after everything is working. See for the gist of what ClintonEbadi is trying to do here, but s/OpenVZ/KVM via libvirt/g. And see NavajosBogMigrationGuide for actually using this stuff.

(./) = done, {o} = not done, <!> = possibly done, awaiting verification, {X} = gave up or died trying <!> Apply advanced wine making techniques to carefully blend the Apache configurations on fritz and mire {o} Per machine NameVirtualHost config It turns out that both the NameVirtualHost and VirtualHost directive must use * or an explicit IP. For the sake of correctness, keeping the IP in VirtualHost directives seems like a Good Idea (tm), so we need to have domtool install /etc/apache2/conf.d/hcoop-namevhost-$machine for every web serving node. However: Apache 2.4 removed the NameVirtualHost directive so wheezy+1 (or, backports?) won't need this. {o} Per-machine apache default vhost {o} Change defaultPhpVersion to 5 {X} Check all user domtool configs and explicitly set phpVersion = 4 if needed We'll be supporting php4 for such a short time anyway... <!> Domtool mod_proxy support to machines other than localhost (./) Check DomTool for all used modules and sure they are enabled (./) Spin up the fancy new Apache KVM and pray that it works (./) Reinstall using preseed + postinst (./) Make openafs start earlier in boot process Things like apache need to resolve pts users; it's easier to divert/transform the openafs script than to divert every script that needs access to afs uids. {i} This was really hard. insserv in squeeze has weird problems. (./) Move gitweb and git hosting over (./) Set up rcube <!> Install squirrelmail at squirrelmail.hcoop.net temporarily (sort of, still on deleuze) (./) Turn off fritz's Apache (it's the KVM host and KDC ... change of plans, eh) (./) Move to navajos (./) Move mire web services (./) phpmyadmin {X} ajaxterm (./) Move unknownlamer.org onto navajos (what better a guinea pig) {X} Point hcoop.net at the new machine (also a huge reconfiguration PITA) {o} Harrass any users who refuse to leave mire {o} Remove php4 support from domtool {o} Turn mire off, remove from rack, set on fire {X} Kill ns3 {o} Migrate web services from deleuze (./) Migrate and upgrade hcoop wiki {o} Migrate Portal {o} Move all data storage into afs {o} Hack needed 32-bit libraries <!> Update SMLSQL for libpq5 (it builds at least) Other tasks, lower priority: {o} Configuration package nits {o} ssh: restart sshd after installation Actually easy: just setup a trivial postinst/prerm ala hcoop-apache2-config {o} firewall {o} restart ferm after installation {o} install user rules conffiles so firewall works before install fwtool

This, and other information, should be merged into a general description of our infrastructure and how it differs from a stock Debian installation. Things not mentioned on SetupNewMachines that had to have their default debconf values changed. ssmtp forward all mail for UID < 1000 to logs Masquerade as hcoop.net PAM Newfangled pam-config framework for a fresh squeeze install looks quite promising... (enabled kerberos + unix + afs session)

This, and other things, should be merged into a "Undecided Infrastructure Issues" document, so that folks don't make the mistake that "the path of least resistance" is how we wanted to do things. Exim setup (have to add to forwardable domains on deleuze) Figuring out what to do wrt local users for system services that need to access afs e.g. Apache, Exim, debarchiver, domtool, impad, spamd, ... AFAICT, it makes more sense to just have afs users -- if the ptdb is gone, the services will not operate in a correct way anyway Removes issues with keeping UIDs in sync How does this interact with Debian automatically creating system users for packages? A few system users were created using create-user -- mail is routed to them and they are subscribed to mailing lists and whatnot which is ... probably bad. i.e. We probably want to split create-user into the portions to just create an afs/kerberos user and then to do the fancy stuff an actual factual human user needs. Integration with package requests Preseeding means we can kill/respin web node images with ease -- but not restore packages users have requested to support their cgi programs If the portal stores this info, we need a package to reinstall user packages Is the keytab situation messy? Having the domtool keytab at the toplevel seems out of place Reading old -sysadmin posts revealed that only having $user.daemon keys was supposed to be temporary -- we really should have a few standard principles for hcoop services to access data (e.g. $user.mail for mail delivery), and have a portal interface (and domtool integration) allowing users to request additional principles if they want (e.g. $user.$webapp-they-run ... or just $user.cgi in the default Just Works (tm) configuration) CategorySystemAdministration CategoryWorkInProgress