Difference between revisions of "Taro"

From Nuclear Physics Group Documentation Pages
Jump to navigationJump to search
 
(33 intermediate revisions by 4 users not shown)
Line 1: Line 1:
== General Information ==
+
Taro is a data/computation server. Thinkmate serial number SN-826407.
Taro is a data/computation server.
+
[[Image:taro.jpg|thumb|200px|Taro: A large-leaved plant grown throughout the tropics for its edible starchy roots]]
  
Hostnames: <code>taro.unh.edu</code>, <code>taro.farm.physics.unh.edu</code>
 
  
== Network Configuration ==
 
Currently has ethernet cable to switch for local (farm) connection, and an ethernet cable to the wall for unh connection.
 
=== /etc/sysconfig/network-scripts/ifcfg-unh ===
 
<pre>DEVICE=eth0
 
BOOTPROTO=none
 
HWADDR=00:0C:76:18:49:6D
 
IPADDR=132.177.88.86
 
NETMASK=255.255.252.0
 
ONBOOT=yes
 
TYPE=Ethernet
 
USERCTL=no
 
IPV6INIT=no
 
PEERDNS=yes
 
GATEWAY=132.177.88.1
 
</pre>
 
  
=== /etc/sysconfig/network-scripts/ifcfg-farm ===
+
= Hardware Details =
<pre># Broadcom Corporation NetXtreme BCM5704 Gigabit Ethernet
 
DEVICE=farm
 
ONBOOT=yes
 
BOOTPROTO=none
 
IPADDR=10.0.0.247
 
NETMASK=255.255.255.0
 
HWADDR=00:0C:76:18:49:6C
 
USERCTL=no
 
IPV6INIT=no
 
PEERDNS=yes
 
TYPE=Ethernet
 
</pre>
 
  
=== /etc/sysconfig/network-scripts/ifcfg-lo ===
+
* Purchased in Jan 2009 from Thinkmate.
DEVICE=lo
+
* Quad-Core Intel® Xeon® E5472 3.00GHz 1600FSB 12MB Cache (80W)
IPADDR=127.0.0.1
+
* [http://www.supermicro.com/products/motherboard/Xeon1333/5400/X7DWA-N.cfm Supermicro X7DWA-N - EATX - Intel® 5400 Chipset]
NETMASK=255.0.0.0
+
* 4 x 2GB PC2-6400 677MHz FB-DIMM
NETWORK=127.0.0.0
+
* Chenbro SR107 EATX Chassis - No PS – Black + Rack Mount Conversion Kit
# If you're having problems with gated making 127.0.0.0/8 a martian,
+
* 2 x Chenbro SR107 Black 4-Bay SATA Hotswap
# you can change this to something else (255.255.255.255, for example)
+
* PC Power and Cooling Turbo-Cool® 860 - SLI Ready
BROADCAST=127.255.255.255
+
* 500GB SATA 7200RPM - 3.5" - Seagate Barracuda® 7200.11
ONBOOT=yes
+
* Samsung 22x DVD+/-RW Dual Layer (SATA)
NAME=loopback
+
* MSI nVidia GeForce N280GTX OC 1GB GDDR3 PCI Express 2.0 (2xDVI) (Removed?)
== Access Configuration ==
+
* Areca-ARC 1231 12-channel RAID card on address: 10.0.0.97
  
 +
[[Media:SuperMicro_MNL-0945.pdf | Local copy of the Motherboard manual]]
  
== Backup Configuration ==
+
= Network Configuration =
=== /etc/rsync-backup.conf ===
 
<pre># Backups are 'pull' only.  Too bad there isn't a better way to enforce this.
 
read only      = yes
 
  
# Oh for the ability to retain CAP_DAC_READ_SEARCH, and no other.
+
Taro's network configuration contains bridge interfaces to support KVM virtual machines.  
#uid            = root
 
# XXX There seems to be an obscure bug with pam_ldap and rsync whereby
 
# getpwnam(3) segfaults when (and only when) archiving /etc.  Using a numeric
 
# uid avoids this bug.  Only verified on Fedora Core 2.
 
uid            = 0
 
  
# There's not much point in putting the superuser in a chroot jail
+
*IP address Farm:  10.0.0.247 (eth1/farmbr)
# use chroot    = yes
+
*IP address UNH:  132.177.88.86 (eth2/unhbr)
  
# This isn't really an effective "lock" per se, since the value is per-module,
+
Hostnames: <code>taro.unh.edu</code>, <code>taro.farm.physics.unh.edu</code>
# but there really ought never be more than one, and it would at least
 
# ensure serialized backups.
 
max connections = 1
 
 
 
[usr_local]
 
        path    = /usr/local
 
        comment = unpackaged software
 
 
 
[opt]
 
        path    = /opt
 
        comment = unpackaged software
 
 
 
[etc]
 
        path    = /etc
 
        comment = conf files
 
 
 
[var]
 
        path    = /var
 
        comment = user and system storage
 
</pre>
 
== SNMP Configuration ==
 
=== /etc/snmp/snmpd.conf ===
 
<pre>###############################################################################
 
#
 
# snmpd.conf:
 
#  An example configuration file for configuring the ucd-snmp snmpd agent.
 
#
 
###############################################################################
 
#
 
# This file is intended to only be as a starting point.  Many more
 
# configuration directives exist than are mentioned in this file.  For
 
# full details, see the snmpd.conf(5) manual page.
 
#
 
# All lines beginning with a '#' are comments and are intended for you
 
# to read.  All other lines are configuration commands for the agent.
 
 
 
###############################################################################
 
# Access Control
 
###############################################################################
 
 
 
# As shipped, the snmpd demon will only respond to queries on the
 
# system mib group until this file is replaced or modified for
 
# security purposes.  Examples are shown below about how to increase the
 
# level of access.
 
 
 
# By far, the most common question I get about the agent is "why won't
 
# it work?", when really it should be "how do I configure the agent to
 
# allow me to access it?"
 
#
 
# By default, the agent responds to the "public" community for read
 
# only access, if run out of the box without any configuration file in
 
# place.  The following examples show you other ways of configuring
 
# the agent so that you can change the community names, and give
 
# yourself write access to the mib tree as well.
 
#
 
# For more information, read the FAQ as well as the snmpd.conf(5)
 
# manual page.
 
 
 
####
 
# First, map the community name "public" into a "security name"
 
 
 
#      sec.name  source          community
 
com2sec notConfigUser  default      public
 
 
 
####
 
# Second, map the security name into a group name:
 
 
 
#      groupName      securityModel securityName
 
group  notConfigGroup v1          notConfigUser
 
group  notConfigGroup v2c          notConfigUser
 
 
 
####
 
# Third, create a view for us to let the group have rights to:
 
 
 
# Make at least  snmpwalk -v 1 localhost -c public system fast again.
 
#      name          incl/excl    subtree        mask(optional)
 
view    systemview    included  .1.3.6.1.2.1.1
 
view    systemview    included  .1.3.6.1.2.1.25.1.1
 
 
 
####
 
# Finally, grant the group read-only access to the systemview view.
 
 
 
#      group          context sec.model sec.level prefix read  write  notif
 
access  notConfigGroup ""      any      noauth    exact  systemview none none
 
 
 
# -----------------------------------------------------------------------------
 
 
 
# Here is a commented out example configuration that allows less
 
# restrictive access.
 
 
 
# YOU SHOULD CHANGE THE "COMMUNITY" TOKEN BELOW TO A NEW KEYWORD ONLY
 
# KNOWN AT YOUR SITE.  YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO
 
# SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE.
 
 
 
##      sec.name  source          community
 
#com2sec local    localhost      COMMUNITY
 
#com2sec mynetwork NETWORK/24      COMMUNITY
 
com2sec  local    localhost      NPG
 
com2sec  okra      okra.unh.edu   NPG
 
com2sec  farm      10.0.0.0/24    NPG
 
 
 
##    group.name sec.model  sec.name
 
#group MyRWGroup  any        local
 
#group MyROGroup  any        mynetwork
 
#
 
#group MyRWGroup  any        otherv3user
 
#...
 
group  MyROGroup  v1        local
 
group  MyROGroup  v2c        local
 
group  MyROGroup  v1        okra
 
group  MyROGroup  v2c        okra
 
group  MyROGroup  v1        farm
 
group  MyROGroup  v2c        farm
 
 
 
##          incl/excl subtree                          mask
 
view  all    included  .1                              80
 
 
 
## -or just the mib2 tree-
 
 
 
#view mib2  included  .iso.org.dod.internet.mgmt.mib-2 fc
 
 
 
 
 
##                context sec.model sec.level prefix read  write  notif
 
access  MyROGroup ""      any      noauth    exact  all    none  none
 
#access MyRWGroup ""      any      noauth    0      all    all    all
 
 
 
 
 
###############################################################################
 
# Sample configuration to make net-snmpd RFC 1213.
 
# Unfortunately v1 and v2c don't allow any user based authentification, so
 
# opening up the default config is not an option from a security point.
 
#
 
# WARNING: If you uncomment the following lines you allow write access to your
 
# snmpd daemon from any source! To avoid this use different names for your
 
# community or split out the write access to a different community and
 
# restrict it to your local network.
 
# Also remember to comment the syslocation and syscontact parameters later as
 
# otherwise they are still read only (see FAQ for net-snmp).
 
#
 
 
 
# First, map the community name "public" into a "security name"
 
#      sec.name        source          community
 
#com2sec notConfigUser  default        public
 
 
 
# Second, map the security name into a group name:
 
#      groupName      securityModel  securityName
 
#group  notConfigGroup  v1              notConfigUser
 
#group  notConfigGroup  v2c            notConfigUser
 
 
 
# Third, create a view for us to let the group have rights to:
 
# Open up the whole tree for ro, make the RFC 1213 required ones rw.
 
#      name            incl/excl      subtree mask(optional)
 
#view    roview          included        .1
 
#view    rwview          included        system.sysContact
 
#view    rwview          included        system.sysName
 
#view    rwview          included        system.sysLocation
 
#view    rwview          included        interfaces.ifTable.ifEntry.ifAdminStatus
 
#view    rwview          included        at.atTable.atEntry.atPhysAddress
 
#view    rwview          included        at.atTable.atEntry.atNetAddress
 
#view    rwview          included        ip.ipForwarding
 
#view    rwview          included        ip.ipDefaultTTL
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteDest
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric1
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric2
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric3
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric4
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteType
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteAge
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMask
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric5
 
#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex
 
#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress
 
#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress
 
#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType
 
#view    rwview          included        tcp.tcpConnTable.tcpConnEntry.tcpConnState
 
#view    rwview          included        egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger
 
#view    rwview          included        snmp.snmpEnableAuthenTraps
 
 
 
# Finally, grant the group read-only access to the systemview view.
 
#      group          context sec.model sec.level prefix read  write  notif
 
#access  notConfigGroup ""      any      noauth    exact  roview rwview none
 
 
 
 
 
 
 
###############################################################################
 
# System contact information
 
#
 
 
 
# It is also possible to set the sysContact and sysLocation system
 
# variables through the snmpd.conf file:
 
 
 
syslocation Durham, NH, USA, University of New Hampshire, DeMeritt Hall
 
syscontact NPG Admins <npg-admins@einstein.unh.edu>
 
 
 
# Example output of snmpwalk:
 
#  % snmpwalk -v 1 localhost -c public system
 
#  system.sysDescr.0 = "SunOS name sun4c"
 
#  system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4
 
#  system.sysUpTime.0 = Timeticks: (595637548) 68 days, 22:32:55
 
#  system.sysContact.0 = "Me <me@somewhere.org>"
 
#  system.sysName.0 = "name"
 
#  system.sysLocation.0 = "Right here, right now."
 
#  system.sysServices.0 = 72
 
 
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# Process checks.
 
#
 
#  The following are examples of how to use the agent to check for
 
#  processes running on the host.  The syntax looks something like:
 
#
 
#  proc NAME [MAX=0] [MIN=0]
 
#
 
#  NAME:  the name of the process to check for.  It must match
 
#        exactly (ie, http will not find httpd processes).
 
#  MAX:  the maximum number allowed to be running.  Defaults to 0.
 
#  MIN:  the minimum number to be running.  Defaults to 0.
 
 
 
#
 
#  Examples (commented out by default):
 
#
 
 
 
#  Make sure mountd is running
 
#proc mountd
 
 
 
#  Make sure there are no more than 4 ntalkds running, but 0 is ok too.
 
#proc ntalkd 4
 
 
 
#  Make sure at least one sendmail, but less than or equal to 10 are running.
 
#proc sendmail 10 1
 
 
 
#  A snmpwalk of the process mib tree would look something like this:
 
#
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2
 
# enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1
 
# enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2
 
# enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3
 
# enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd"
 
# enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd"
 
# enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail"
 
# enterprises.ucdavis.procTable.prEntry.prMin.1 = 0
 
# enterprises.ucdavis.procTable.prEntry.prMin.2 = 0
 
# enterprises.ucdavis.procTable.prEntry.prMin.3 = 1
 
# enterprises.ucdavis.procTable.prEntry.prMax.1 = 0
 
# enterprises.ucdavis.procTable.prEntry.prMax.2 = 4
 
# enterprises.ucdavis.procTable.prEntry.prMax.3 = 10
 
# enterprises.ucdavis.procTable.prEntry.prCount.1 = 0
 
# enterprises.ucdavis.procTable.prEntry.prCount.2 = 0
 
# enterprises.ucdavis.procTable.prEntry.prCount.3 = 1
 
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1
 
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0
 
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0
 
# enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running."
 
# enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = ""
 
# enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = ""
 
# enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0
 
# enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0
 
# enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0
 
#
 
#  Note that the errorFlag for mountd is set to 1 because one is not
 
#  running (in this case an rpc.mountd is, but thats not good enough),
 
#  and the ErrMessage tells you what's wrong.  The configuration
 
#  imposed in the snmpd.conf file is also shown. 
 
#
 
#  Special Case:  When the min and max numbers are both 0, it assumes
 
#  you want a max of infinity and a min of 1.
 
#
 
 
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# Executables/scripts
 
#
 
 
 
#
 
#  You can also have programs run by the agent that return a single
 
#  line of output and an exit code.  Here are two examples.
 
#
 
#  exec NAME PROGRAM [ARGS ...]
 
#
 
#  NAME:    A generic name.
 
#  PROGRAM:  The program to run.  Include the path!
 
#  ARGS:    optional arguments to be passed to the program
 
 
 
# a simple hello world
 
 
 
#exec echotest /bin/echo hello world
 
 
 
# Run a shell script containing:
 
#
 
# #!/bin/sh
 
# echo hello world
 
# echo hi there
 
# exit 35
 
#
 
# Note:  this has been specifically commented out to prevent
 
# accidental security holes due to someone else on your system writing
 
# a /tmp/shtest before you do.  Uncomment to use it.
 
#
 
#exec shelltest /bin/sh /tmp/shtest
 
 
 
# Then,
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8
 
# enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1
 
# enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2
 
# enterprises.ucdavis.extTable.extEntry.extNames.1 = "echotest"
 
# enterprises.ucdavis.extTable.extEntry.extNames.2 = "shelltest"
 
# enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/bin/echo hello world"
 
# enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/bin/sh /tmp/shtest"
 
# enterprises.ucdavis.extTable.extEntry.extResult.1 = 0
 
# enterprises.ucdavis.extTable.extEntry.extResult.2 = 35
 
# enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world."
 
# enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world."
 
# enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0
 
# enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0
 
 
 
# Note that the second line of the /tmp/shtest shell script is cut
 
# off.  Also note that the exit status of 35 was returned.
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# disk checks
 
#
 
 
 
# The agent can check the amount of available disk space, and make
 
# sure it is above a set limit. 
 
 
 
# disk PATH [MIN=100000]
 
#
 
# PATH:  mount path to the disk in question.
 
# MIN:  Disks with space below this value will have the Mib's errorFlag set.
 
#        Default value = 100000.
 
 
 
# Check the / partition and make sure it contains at least 10 megs.
 
 
 
disk / 100000
 
disk /data 100000
 
 
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9
 
# enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0
 
# enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" Hex: 2F
 
# enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/dev/dsk/c201d6s0"
 
# enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000
 
# enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130
 
# enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325
 
# enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092
 
# enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58
 
# enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0
 
# enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = ""
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# load average checks
 
#
 
 
 
# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
 
#
 
# 1MAX:  If the 1 minute load average is above this limit at query
 
#        time, the errorFlag will be set.
 
# 5MAX:  Similar, but for 5 min average.
 
# 15MAX:  Similar, but for 15 min average.
 
 
 
# Check for loads:
 
#load 12 14 14
 
 
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10
 
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1
 
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2
 
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3
 
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = "0.49" Hex: 30 2E 34 39
 
# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = "0.31" Hex: 30 2E 33 31
 
# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = "0.26" Hex: 30 2E 32 36
 
# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = "12.00"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = "14.00"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = "14.00"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = ""
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = ""
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = ""
 
  
# -----------------------------------------------------------------------------
+
=Software and Services=
  
 +
Taro is one of the few systems that has a bit more accessibility from off-campus. It requires additional monitoring to make sure everything is working and there are no compromises on security.
 +
Taro stores a considerable amount of data on its RAID
  
###############################################################################
+
== Globus ==
# Extensible sections.
 
#
 
  
# This alleviates the multiple line output problem found in the
+
This is a system for transferring data to/from Jlab. See more on the [[globus]] page.
# previous executable mib by placing each mib in its own mib table:
 
  
# Run a shell script containing:
+
== IPTables ==
#
 
# #!/bin/sh
 
# echo hello world
 
# echo hi there
 
# exit 35
 
#
 
# Note:  this has been specifically commented out to prevent
 
# accidental security holes due to someone else on your system writing
 
# a /tmp/shtest before you do.  Uncomment to use it.
 
#
 
# exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest
 
  
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50
+
Taro uses the standard NPG [[iptables]] firewall. Taro allows ssh, icmp, portmap and nfs connections.
# enterprises.ucdavis.50.1.1 = 1
 
# enterprises.ucdavis.50.2.1 = "shelltest"
 
# enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest"
 
# enterprises.ucdavis.50.100.1 = 35
 
# enterprises.ucdavis.50.101.1 = "hello world."
 
# enterprises.ucdavis.50.101.2 = "hi there."
 
# enterprises.ucdavis.50.102.1 = 0
 
  
# Now the Output has grown to two lines, and we can see the 'hi
+
==NFS Shares==
# there.' output as the second line from our shell script.
 
#
 
# Note that you must alter the mib.txt file to be correct if you want
 
# the .50.* outputs above to change to reasonable text descriptions.
 
  
# Other ideas:
+
Taro serves its /data volume over [[NFS]]. It can be accessed from any system via [[automount]] either in /net/data/taro or /net/taro/data.
#
 
# exec .1.3.6.1.4.1.2021.51 ps /bin/ps
 
# exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top
 
# exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq
 
  
# -----------------------------------------------------------------------------
+
===/etc/exports===
  
 +
/data  @servers(rw,sync) @npg_clients(rw,sync) \
 +
        10.0.0.0/24(rw,no_root_squash,sync)
  
###############################################################################
+
=== Drive configuration ===
# Pass through control.
 
#
 
  
# Usage:
+
; RAID
#  pass MIBOID EXEC-COMMAND
+
* RAID Is hardware based with an ARECA card at ip 10.0.0.97
#
+
* Current setup is RAID-5 across 6 drives, with a 7th drive as a hot spare.
# This will pass total control of the mib underneath the MIBOID
+
* There is a singe volume on the RAID, lun 0/0/0
# portion of the mib to the EXEC-COMMAND.
 
#
 
# Note:  You'll have to change the path of the passtest script to your
 
# source directory or install it in the given location.
 
#
 
# Example:  (see the script for details)
 
#          (commented out here since it requires that you place the
 
#          script in the right location. (its not installed by default))
 
  
# pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/local/passtest
+
== Upgrade to Centos 7 ==
  
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255
+
# Boot from USB stick into installed
# enterprises.ucdavis.255.1 = "life the universe and everything"
+
## Choose one of the physical disks that were previously part of the Software RAID to install system.
# enterprises.ucdavis.255.2.1 = 42
+
## Partition drive, note that you have to make the installed erase the drive first.
# enterprises.ucdavis.255.2.2 = OID: 42.42.42
+
## Install minimum system. Set root password.
# enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42
+
# When installation done, reboot.
# enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1
+
# Disable and Mask NetworkManager
# enterprises.ucdavis.255.5 = 42
+
# Setup the Farm ethernet port.  
# enterprises.ucdavis.255.6 = Gauge: 42
+
# Setup the UNH ethernet port.
#
+
# Update yum: "yum update" and say yes to all the updates.  
# % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5
+
# mount the old Software RAID:
# enterprises.ucdavis.255.5 = 42
+
## yum install mdadm
#
+
## mdadm --detail --scan
# % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string"
+
## mdadm --assemble --scan
# enterprises.ucdavis.255.1 = "New string"
+
## mount /dev/md127 /mnt/olddisk
#
+
# Copy the old SSH keys to the new system
 +
## cd /etc/sshd ;  (cd /mnt/olddisk/etc/ssh && tar czvf - .) | tar xzvf -
 +
## systemctl restart sshd
 +
# Copy the git user to the new machine.
 +
##  grep git: /mnt/olddisk/etc/passwd >> /etc/passwd
 +
##  grep git: /mnt/olddisk/etc/shadow >> /etc/shadow
 +
##  cd /home; (cd /mnt/olddisk/home && tar czvf - git ) | tar xzvf -
 +
# Setup SSSD & LDAP
 +
## yum install -y openldap-clients sssd-ldap nss-pam-ldapd
 +
## Copy Gourd ldap dir: rsync -ravH gourd:/etc/openldap .
 +
## Copy gourd sssd.conf:  scp gourd:/etc/sssd/sssd.conf .
 +
## systemctl enable sssd
 +
## systemctl start sssd
 +
## authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir  --ldapserver="ldaps://einstein ldaps://pepper" --ldapbasedn=dc=physics,dc=unh,dc=edu --enablelocauthorize --enableldaptls --update
 +
# Setup Auto Mount.
 +
## yum install autofs
 +
## Copy auto.net and auto.master from Gourd.
 +
# Setup IPtables.
 +
## Copy iptables-npg from old install to iptables
 +
## Install: yum install iptables-services
 +
## copy the netgroup2iptables: scp gourd:/usr/local/bin/netgroup2iptables.pl /usr/local/bin
 +
## systemctl stop firewalld
 +
## systemctl disable firewalld
 +
## systemctl mask firewalld
 +
## systemctl start iptables
 +
## systemctl enable iptables
 +
## scp gourd:/etc/init.d/iptables-netgroups /etc/init.d/
 +
## systemctl start iptables-netgroups
 +
# Install Fail2ban
 +
## yum install -y epel-release
 +
## yum install -y  fail2ban whois
 +
## systemctl enable fail2ban
 +
## systemctl start fail2ban
 +
## scp gourd:/etc/fail2ban/filter.d/fail2ban.conf /etc/fail2ban/filter.d
 +
## scp gourd:/etc/fail2ban/jail.local /etc/fail2ban/
 +
## systemctl restart fail2ban
 +
# Install NFS export
 +
## copy old exportfs
 +
## mkdir /data
 +
## Edit /etc/fstab to add /data
 +
## mount /data
 +
### systemctl enable rpcbind
 +
### systemctl enable nfs-server
 +
### systemctl enable nfs-lock
 +
### systemctl enable nfs-idmap
 +
### systemctl start rpcbind
 +
### systemctl start nfs-server
 +
### systemctl start nfs-lock
 +
### systemctl start nfs-idmap
  
# For specific usage information, see the man/snmpd.conf.5 manual page
+
= ToDo =
# as well as the local/passtest script used in the above example.
 
  
# Added for support of bcm5820 cards.
+
* NFS export
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
+
* science packages
  
###############################################################################
+
== Continue Upgrade ==
# Further Information
 
#
 
#  See the snmpd.conf manual page, and the output of "snmpd -H".
 
</pre>
 

Latest revision as of 14:44, 8 August 2017

Taro is a data/computation server. Thinkmate serial number SN-826407.

Taro: A large-leaved plant grown throughout the tropics for its edible starchy roots


Hardware Details

  • Purchased in Jan 2009 from Thinkmate.
  • Quad-Core Intel® Xeon® E5472 3.00GHz 1600FSB 12MB Cache (80W)
  • Supermicro X7DWA-N - EATX - Intel® 5400 Chipset
  • 4 x 2GB PC2-6400 677MHz FB-DIMM
  • Chenbro SR107 EATX Chassis - No PS – Black + Rack Mount Conversion Kit
  • 2 x Chenbro SR107 Black 4-Bay SATA Hotswap
  • PC Power and Cooling Turbo-Cool® 860 - SLI Ready
  • 500GB SATA 7200RPM - 3.5" - Seagate Barracuda® 7200.11
  • Samsung 22x DVD+/-RW Dual Layer (SATA)
  • MSI nVidia GeForce N280GTX OC 1GB GDDR3 PCI Express 2.0 (2xDVI) (Removed?)
  • Areca-ARC 1231 12-channel RAID card on address: 10.0.0.97

Local copy of the Motherboard manual

Network Configuration

Taro's network configuration contains bridge interfaces to support KVM virtual machines.

  • IP address Farm: 10.0.0.247 (eth1/farmbr)
  • IP address UNH: 132.177.88.86 (eth2/unhbr)

Hostnames: taro.unh.edu, taro.farm.physics.unh.edu

Software and Services

Taro is one of the few systems that has a bit more accessibility from off-campus. It requires additional monitoring to make sure everything is working and there are no compromises on security. Taro stores a considerable amount of data on its RAID

Globus

This is a system for transferring data to/from Jlab. See more on the globus page.

IPTables

Taro uses the standard NPG iptables firewall. Taro allows ssh, icmp, portmap and nfs connections.

NFS Shares

Taro serves its /data volume over NFS. It can be accessed from any system via automount either in /net/data/taro or /net/taro/data.

/etc/exports

/data   @servers(rw,sync) @npg_clients(rw,sync) \
       10.0.0.0/24(rw,no_root_squash,sync)

Drive configuration

RAID
  • RAID Is hardware based with an ARECA card at ip 10.0.0.97
  • Current setup is RAID-5 across 6 drives, with a 7th drive as a hot spare.
  • There is a singe volume on the RAID, lun 0/0/0

Upgrade to Centos 7

  1. Boot from USB stick into installed
    1. Choose one of the physical disks that were previously part of the Software RAID to install system.
    2. Partition drive, note that you have to make the installed erase the drive first.
    3. Install minimum system. Set root password.
  2. When installation done, reboot.
  3. Disable and Mask NetworkManager
  4. Setup the Farm ethernet port.
  5. Setup the UNH ethernet port.
  6. Update yum: "yum update" and say yes to all the updates.
  7. mount the old Software RAID:
    1. yum install mdadm
    2. mdadm --detail --scan
    3. mdadm --assemble --scan
    4. mount /dev/md127 /mnt/olddisk
  8. Copy the old SSH keys to the new system
    1. cd /etc/sshd ; (cd /mnt/olddisk/etc/ssh && tar czvf - .) | tar xzvf -
    2. systemctl restart sshd
  9. Copy the git user to the new machine.
    1. grep git: /mnt/olddisk/etc/passwd >> /etc/passwd
    2. grep git: /mnt/olddisk/etc/shadow >> /etc/shadow
    3. cd /home; (cd /mnt/olddisk/home && tar czvf - git ) | tar xzvf -
  10. Setup SSSD & LDAP
    1. yum install -y openldap-clients sssd-ldap nss-pam-ldapd
    2. Copy Gourd ldap dir: rsync -ravH gourd:/etc/openldap .
    3. Copy gourd sssd.conf: scp gourd:/etc/sssd/sssd.conf .
    4. systemctl enable sssd
    5. systemctl start sssd
    6. authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir --ldapserver="ldaps://einstein ldaps://pepper" --ldapbasedn=dc=physics,dc=unh,dc=edu --enablelocauthorize --enableldaptls --update
  11. Setup Auto Mount.
    1. yum install autofs
    2. Copy auto.net and auto.master from Gourd.
  12. Setup IPtables.
    1. Copy iptables-npg from old install to iptables
    2. Install: yum install iptables-services
    3. copy the netgroup2iptables: scp gourd:/usr/local/bin/netgroup2iptables.pl /usr/local/bin
    4. systemctl stop firewalld
    5. systemctl disable firewalld
    6. systemctl mask firewalld
    7. systemctl start iptables
    8. systemctl enable iptables
    9. scp gourd:/etc/init.d/iptables-netgroups /etc/init.d/
    10. systemctl start iptables-netgroups
  13. Install Fail2ban
    1. yum install -y epel-release
    2. yum install -y fail2ban whois
    3. systemctl enable fail2ban
    4. systemctl start fail2ban
    5. scp gourd:/etc/fail2ban/filter.d/fail2ban.conf /etc/fail2ban/filter.d
    6. scp gourd:/etc/fail2ban/jail.local /etc/fail2ban/
    7. systemctl restart fail2ban
  14. Install NFS export
    1. copy old exportfs
    2. mkdir /data
    3. Edit /etc/fstab to add /data
    4. mount /data
      1. systemctl enable rpcbind
      2. systemctl enable nfs-server
      3. systemctl enable nfs-lock
      4. systemctl enable nfs-idmap
      5. systemctl start rpcbind
      6. systemctl start nfs-server
      7. systemctl start nfs-lock
      8. systemctl start nfs-idmap

ToDo

  • NFS export
  • science packages

Continue Upgrade

Retrieved from "https://nuclear.unh.edu/wiki/index.php?title=Taro&oldid=6224"