Difference between revisions of "Einstein"

From Nuclear Physics Group Documentation Pages
Jump to navigationJump to search
 
(61 intermediate revisions by 4 users not shown)
Line 1: Line 1:
== General Information ==
+
Einstein is currently a virtual machine running on [[Gourd]]. Go [[old_einstein|here]] for information about the old Einstein hardware.
Einstein is the primary server, and hosts services for [[LDAP]], NFS for [[Automount|home directories]], [[E-mail]], and the [[Web Servers|website]].
 
  
Hostnames: <code>einstein.unh.edu</code>, <code>einstein.farm.physics.unh.edu</code>
+
=Virtual Hardware=
  
== Hardware Information ==
+
*Memory: 2 GB
 +
*Hard Disk: 20 GB
 +
*Swap Disk: 4 GB
 +
*Network 1 (eth0): Farm-Bridge
 +
*Network 2 (eth1): UNH-Bridge
 +
*SCSI Controller: LSI Logic
  
Motherboard: SuperMicro H8SMU
+
=Network Settings=
SAS Backplane: SAS825TQ
 
  
== Special Considerations for Einstein (Historical) ==
+
*IP Address farm (eth0): 10.0.0.248
This information no longer applies and is here for historical reasons. We no longer use amavisd, and so these instructions are not useful.
+
*IP Address UNH (eth1):  132.177.88.52
  
 +
=Software and Services=
  
Einstein is our mail server. That means it runs '''"amavisd"''' (a virus scanner) and '''"spamassasin"''' a spam filter. Both these codes have some issues with leaving junk around, slowly causing the "/" file system to fill up. When that happens, einstein stops functioning.
+
==IPTables==
  
Some cleanup can be done as follows:
+
Einstein uses the standard NPG [[iptables]] firewall. It allows ssh, LDAP, imap, smtp, and http connections.
* stop amavisd and spamassasin:
 
service amavisd stop
 
service spamassasin stop
 
* clean out some of their junk:
 
rm /var/amavis/.razor/razor-agent.log
 
touch /var/amavis/.razor/razor-agent.log
 
chown amavis:amavis /var/amavis/.razor/razor-agent.log
 
chmod o-r /var/amavis/.razor/razor-agent.log
 
rm -f /var/virusmails/*  # (Sometimes there are so many, you have to delete in "chunks")
 
rm -rf /tmp
 
* start up the mail stuff again.
 
service amavisd start
 
service spamassasin start
 
  
There may be other areas that can be clean up, as in all the archived mail from "mailman"? But at least this list will let einstein function again.
+
==LDAP==
  
== Network Configuration ==
+
Einstein is our [[LDAP]] server. It provides user authentication among other useful services. LDAP configuration is located in /etc/openldap, and the LDAP database is stored in /var/lib/ldap.
Currently has ethernet cable to switch for local (farm) connection, and an ethernet cable to the wall for unh connection.
 
=== /etc/sysconfig/network-scripts/ifcfg-farm ===
 
DEVICE=farm
 
BOOTPROTO=static
 
HWADDR=00:0E:0C:51:41:5E
 
IPADDR=10.0.0.248
 
NETMASK=255.255.255.0
 
ONBOOT=yes
 
TYPE=Ethernet
 
=== /etc/sysconfig/network-scripts/ifcfg-lo ===
 
DEVICE=lo
 
IPADDR=127.0.0.1
 
NETMASK=255.0.0.0
 
NETWORK=127.0.0.0
 
# If you're having problems with gated making 127.0.0.0/8 a martian,
 
# you can change this to something else (255.255.255.255, for example)
 
BROADCAST=127.255.255.255
 
ONBOOT=yes
 
NAME=loopback
 
=== /etc/sysconfig/network-scripts/ifcfg-unh ===
 
# Intel Corporation 82541GI/PI Gigabit Ethernet Controller
 
DEVICE=unh
 
ONBOOT=yes
 
BOOTPROTO=static
 
IPADDR=132.177.88.52
 
#IPADDR=132.177.88.53
 
NETMASK=255.255.252.0
 
BROADCAST=132.177.91.255
 
HWADDR=00:0E:0C:51:43:62
 
#MACADDR=00:A0:CC:3C:63:AA
 
GATEWAY=132.177.88.1
 
== Access Configuration ==
 
=== /etc/security/access.conf ===
 
<pre>
 
</pre>
 
Any valid user can log into einstein from other machine on the Internet.
 
  
== Backup Configuration ==
+
==Mail==
=== /etc/rsync-backup.conf ===
 
<pre># Backups are 'pull' only.  Too bad there isn't a better way to enforce this.
 
read only      = yes
 
  
# Oh for the ability to retain CAP_DAC_READ_SEARCH, and no other.
+
Einstein is our [[Email]] server. The mail itself is stored in a raid1 volume on [[Gourd]], and Einstein mounts the NFS share to /var/spool/mail.
uid            = root
 
  
# There's not much point in putting the superuser in a chroot jail
+
Einstein should mount the NFS share at boot, but note that since it mounts by hostname you should make sure that DNS is accessible before starting the Einstein VM. Otherwise mail won't be mounted properly when the system boots. If for some reason DNS is unavailable you can manually mount the NFS share in /mail using gourd's IP address directly.
use chroot      = no
 
  
# This isn't really an effective "lock" per se, since the value is per-module,
+
===Webmail===
# but there really ought never be more than one, and it would at least
 
# ensure serialized backups.
 
max connections = 1
 
  
log file = /tmp/rsync-backup.log
+
Einstein provides web-based access to e-mail using [[Squirrelmail]]. You can access it at [https://einstein.unh.edu/mail].
transfer logging = yes
 
  
[usr_local]
+
See also: [[Gourd/Einstein Migration Plan]]
        path    = /usr/local
 
        comment = unpackaged software
 
  
[opt]
+
= Upgrade from RHEL5 to Centos7 =
        path    = /opt
 
        comment = unpackaged software
 
  
[etc]
+
OK, this has not been fun, and taken way too long.
        path    = /etc
 
        comment = conf files
 
  
[var]
+
== Status ==
        path    = /var
 
        comment = user and system storage
 
  
[home]
+
We have a running Centos7 Einstein2 system.  
        path    = /home
+
* It has Named installed and running as a slave to Jalapeño.
        comment = user home directories
+
* Slapd is installed. Still working on it.
        filter = dir-merge_.rsync-filter
 
</pre>
 
== SNMP Configuration ==
 
=== /etc/snmp/snmpd.conf ===
 
<pre>###############################################################################
 
#
 
# snmpd.conf:
 
#  An example configuration file for configuring the ucd-snmp snmpd agent.
 
#
 
###############################################################################
 
#
 
# This file is intended to only be as a starting point. Many more
 
# configuration directives exist than are mentioned in this file.  For
 
# full details, see the snmpd.conf(5) manual page.
 
#
 
# All lines beginning with a '#' are comments and are intended for you
 
# to read. All other lines are configuration commands for the agent.
 
  
###############################################################################
+
=== LDAP ===
# Access Control
 
###############################################################################
 
  
# As shipped, the snmpd demon will only respond to queries on the
+
Follow the installation instruction from https://www.certdepot.net/rhel7-configure-ldap-directory-service-user-connection/
# system mib group until this file is replaced or modified for
 
# security purposes. Examples are shown below about how to increase the
 
# level of access.
 
  
# By far, the most common question I get about the agent is "why won't
+
Noted differences:
# it work?", when really it should be "how do I configure the agent to
+
* Install extra schema:
# allow me to access it?"
+
** core.ldif 
#
+
** inetorgperson.ldif
# By default, the agent responds to the "public" community for read
+
**  wget https://launchpadlibrarian.net/55451730/autofs.ldif
# only access, if run out of the box without any configuration file in
+
** /usr/share/doc/samba-4.4.4/LDAP/samba.ldif
# place. The following examples show you other ways of configuring
+
* for each do: ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f  <file>
# the agent so that you can change the community names, and give
+
* (Left out misc.schema and RADIUS-LDAPv3.schema )
# yourself write access to the mib tree as well.
 
#
 
# For more information, read the FAQ as well as the snmpd.conf(5)
 
# manual page.
 
  
##      sec.name  source          community
+
==== Certificate ====
com2sec local    localhost      NPG
 
com2sec farm      10.0.0.0/24    NPG
 
  
##    group.name sec.model sec.name
+
You need to configure the TLS certificate for the system. To create a  new one (see: [https://www.lisenet.com/2016/openldap-with-ssl-and-nfs-for-user-home-directories-on-centos-7 certs creating]) :
#group MyRWGroup  any        local
+
  cd /etc/pki/tls/private
#group MyROGroup  any        mynetwork
+
  DOMAIN=einstein.unh.edu
##
+
  openssl genrsa -out "$DOMAIN".key 2048 && chmod 0600 "$DOMAIN".key
#group MyRWGroup  any        otherv3user
+
  openssl req -new -sha256 -key "$DOMAIN".key -out "$DOMAIN".csr
##...
+
  openssl x509 -req -days 3650 -sha256 -in "$DOMAIN".csr -signkey "$DOMAIN".key -out "$DOMAIN".crt
group MyRWGroup  v1        local
+
  openssl pkcs8 -topk8 -inform pem -in "$DOMAIN".key -outform pem -nocrypt -out "$DOMAIN".pem
group MyRWGroup  v2c        local
+
  chmod 640 "$DOMAIN".key "$DOMAIN".pem
group MyROGroup v1        farm
+
  chgrp ldap "$DOMAIN".key "$DOMAIN".pem
group MyROGroup  v2c        farm
+
  mv "$DOMAIN".crt ../certs/
 +
  cd ../certs
 +
  ln -s ${DOMAIN}.crt `/etc/pki/tls/misc/c_hash ${DOMAIN}.crt | cut -d' ' -f1` # Set a link to the hash of the cert.
  
##          incl/excl subtree                          mask
+
==== Install Certificate ====
view all    included  .1                              80
 
  
## -or just the mib2 tree-
+
Edit an ldif file:
  
#view mib2   included  .iso.org.dod.internet.mgmt.mib-2 fc
+
dn: cn=config
 +
  changetype: modify
 +
  replace: olcTLSCACertificatePath
 +
  olcTLSCACertificatePath: /etc/pki/tls/certs
 +
  -
 +
   replace: olcTLSCACertificateFile
 +
  olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt
 +
  -
 +
  replace: olcTLSCertificateFile
 +
  olcTLSCertificateFile: /etc/pki/tls/certs/einstein.unh.edu.crt
 +
  -
 +
  replace: olcTLSCertificateKeyFile
 +
  olcTLSCertificateKeyFile: /etc/pki/tls/private/einstein.unh.edu.pem
  
 +
To make a change to the ldap server:
 +
  ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/certificate_change_localhost.ldif
  
#                context sec.model sec.level prefix read  write notif
+
Note that the hostname needs to be correct, so you probably need to set it in /etc/hosts  i.e127.0.0.1 einstein localhost
access MyROGroup ""      any      noauth    exact  all    none  none
 
#access MyRWGroup ""      any      noauth    exact  all    all    all
 
  
 +
Test, add -d1 -d2 or -d3 for increased debug output:
 +
  ldapsearch -x -ZZ
 +
  ldapsearch -x -H ldaps:// 
  
###############################################################################
+
Make sure that the "authconfig" line from [[Upgrading to Centos 7]] is executed and restart sssd
# Sample configuration to make net-snmpd RFC 1213.
 
# Unfortunately v1 and v2c don't allow any user based authentification, so
 
# opening up the default config is not an option from a security point.
 
#
 
# WARNING: If you uncomment the following lines you allow write access to your
 
# snmpd daemon from any source! To avoid this use different names for your
 
# community or split out the write access to a different community and
 
# restrict it to your local network.
 
# Also remember to comment the syslocation and syscontact parameters later as
 
# otherwise they are still read only (see FAQ for net-snmp).
 
#
 
  
# First, map the community name "public" into a "security name"
+
Import Old Database:
#      sec.name        source          community
+
* Dump on old einstein, see /var/lib/ldap/dump.ldif  created by /usr/local/bin/ldap_dump.sh
#com2sec notConfigUser  default        public
+
* Import with  ldapadd -x -w 'password' -D cn=root,dc=physics,dc=unh,dc=edu -f  /tmp/dump.ldif
  
# Second, map the security name into a group name:
+
Allow access over SSL:
#      groupName      securityModel  securityName
+
* edit: /etc/sysconfig/slapd
#group  notConfigGroup  v1              notConfigUser
+
* change: SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
#group  notConfigGroup  v2c            notConfigUser
+
* There is still the issue that the TLS is for "einstein" while the testing node is not called "einstein"
  
# Third, create a view for us to let the group have rights to:
+
Setup /etc/openssl/ldap.conf:
# Open up the whole tree for ro, make the RFC 1213 required ones rw.
+
* echo "tls_reqcert allow" >> /etc/nslcd.conf
#      name            incl/excl      subtree mask(optional)
+
** Note that this makes it so that the TLS is not enforced.
#view    roview          included        .1
 
#view    rwview          included        system.sysContact
 
#view    rwview          included        system.sysName
 
#view    rwview          included        system.sysLocation
 
#view    rwview          included        interfaces.ifTable.ifEntry.ifAdminStatus
 
#view    rwview          included        at.atTable.atEntry.atPhysAddress
 
#view    rwview          included        at.atTable.atEntry.atNetAddress
 
#view    rwview          included        ip.ipForwarding
 
#view    rwview          included        ip.ipDefaultTTL
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteDest
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric1
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric2
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric3
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric4
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteType
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteAge
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMask
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric5
 
#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex
 
#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress
 
#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress
 
#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType
 
#view    rwview          included        tcp.tcpConnTable.tcpConnEntry.tcpConnState
 
#view    rwview          included        egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger
 
#view    rwview          included        snmp.snmpEnableAuthenTraps
 
  
# Finally, grant the group read-only access to the systemview view.
+
==== Allow passwd to work ====
#      group          context sec.model sec.level prefix read  write  notif
 
#access  notConfigGroup ""      any      noauth    exact  roview rwview none
 
  
 +
This was darn tricky to find out how to do. The issue is properly modifying, or adding olcAccess to the database. The following does the trick. Create a file change_password_access_policy.ldif in /etc/openldap
  
 +
  dn: olcDatabase={2}hdb,cn=config
 +
  add: olcAccess
 +
  olcAccess: {0}to attrs=userPassword
 +
    by dn="cn=root,dc=physics,dc=unh,dc=edu" write
 +
    by anonymous auth
 +
    by self write
 +
    by * none
 +
  olcAccess: {1}to dn.base=""
 +
    by * read
 +
  olcAccess: {2}to *
 +
    by dn="cn=Manager,dc=tuxfixer,dc=com" write
 +
    by * read
  
###############################################################################
+
Then enter the info into LDAP:
# System contact information
 
#
 
  
# It is also possible to set the sysContact and sysLocation system
+
  ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/change_password_access_policy.ldif
# variables through the snmpd.conf file:
 
  
syslocation Durham, NH, USA, University of New Hampshire, DeMeritt Hall
+
The documentation for olcAccess is here [https://www.openldap.org/doc/admin24/access-control.html Access Control]
syscontact NPG Admins <npg-admins@einstein.unh.edu>
+
It appears that the entry for olcAccess: {0} gets encrypted. Weird, since I cannot find any documentation on that.
  
# Example output of snmpwalk:
+
= Other Tasks =
#  % snmpwalk -v 1 localhost -c public system
 
#  system.sysDescr.0 = "SunOS name sun4c"
 
#  system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4
 
#  system.sysUpTime.0 = Timeticks: (595637548) 68 days, 22:32:55
 
#  system.sysContact.0 = "Me <me@somewhere.org>"
 
#  system.sysName.0 = "name"
 
#  system.sysLocation.0 = "Right here, right now."
 
#  system.sysServices.0 = 72
 
  
 +
Move the Mail configuration. See: [[E-mail]]
  
# -----------------------------------------------------------------------------
+
Move the SSH keys from the system.
  
 +
Move the sudoers file.
  
###############################################################################
+
== TO DO ==
# Process checks.
 
#
 
#  The following are examples of how to use the agent to check for
 
#  processes running on the host.  The syntax looks something like:
 
#
 
#  proc NAME [MAX=0] [MIN=0]
 
#
 
#  NAME:  the name of the process to check for.  It must match
 
#        exactly (ie, http will not find httpd processes).
 
#  MAX:  the maximum number allowed to be running.  Defaults to 0.
 
#  MIN:  the minimum number to be running.  Defaults to 0.
 
 
 
#
 
#  Examples (commented out by default):
 
#
 
 
 
#  Make sure mountd is running
 
#proc mountd
 
 
 
#  Make sure there are no more than 4 ntalkds running, but 0 is ok too.
 
#proc ntalkd 4
 
 
 
#  Make sure at least one sendmail, but less than or equal to 10 are running.
 
#proc sendmail 10 1
 
 
 
#  A snmpwalk of the process mib tree would look something like this:
 
#
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2
 
# enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1
 
# enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2
 
# enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3
 
# enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd"
 
# enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd"
 
# enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail"
 
# enterprises.ucdavis.procTable.prEntry.prMin.1 = 0
 
# enterprises.ucdavis.procTable.prEntry.prMin.2 = 0
 
# enterprises.ucdavis.procTable.prEntry.prMin.3 = 1
 
# enterprises.ucdavis.procTable.prEntry.prMax.1 = 0
 
# enterprises.ucdavis.procTable.prEntry.prMax.2 = 4
 
# enterprises.ucdavis.procTable.prEntry.prMax.3 = 10
 
# enterprises.ucdavis.procTable.prEntry.prCount.1 = 0
 
# enterprises.ucdavis.procTable.prEntry.prCount.2 = 0
 
# enterprises.ucdavis.procTable.prEntry.prCount.3 = 1
 
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1
 
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0
 
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0
 
# enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running."
 
# enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = ""
 
# enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = ""
 
# enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0
 
# enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0
 
# enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0
 
#
 
#  Note that the errorFlag for mountd is set to 1 because one is not
 
#  running (in this case an rpc.mountd is, but thats not good enough),
 
#  and the ErrMessage tells you what's wrong.  The configuration
 
#  imposed in the snmpd.conf file is also shown. 
 
#
 
#  Special Case:  When the min and max numbers are both 0, it assumes
 
#  you want a max of infinity and a min of 1.
 
#
 
 
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# Executables/scripts
 
#
 
 
 
#
 
#  You can also have programs run by the agent that return a single
 
#  line of output and an exit code.  Here are two examples.
 
#
 
#  exec NAME PROGRAM [ARGS ...]
 
#
 
#  NAME:    A generic name.
 
#  PROGRAM:  The program to run.  Include the path!
 
#  ARGS:    optional arguments to be passed to the program
 
 
 
# a simple hello world
 
 
 
#exec echotest /bin/echo hello world
 
 
 
# Run a shell script containing:
 
#
 
# #!/bin/sh
 
# echo hello world
 
# echo hi there
 
# exit 35
 
#
 
# Note:  this has been specifically commented out to prevent
 
# accidental security holes due to someone else on your system writing
 
# a /tmp/shtest before you do.  Uncomment to use it.
 
#
 
#exec shelltest /bin/sh /tmp/shtest
 
 
 
# Then,
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8
 
# enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1
 
# enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2
 
# enterprises.ucdavis.extTable.extEntry.extNames.1 = "echotest"
 
# enterprises.ucdavis.extTable.extEntry.extNames.2 = "shelltest"
 
# enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/bin/echo hello world"
 
# enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/bin/sh /tmp/shtest"
 
# enterprises.ucdavis.extTable.extEntry.extResult.1 = 0
 
# enterprises.ucdavis.extTable.extEntry.extResult.2 = 35
 
# enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world."
 
# enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world."
 
# enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0
 
# enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0
 
 
 
# Note that the second line of the /tmp/shtest shell script is cut
 
# off.  Also note that the exit status of 35 was returned.
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# disk checks
 
#
 
 
 
# The agent can check the amount of available disk space, and make
 
# sure it is above a set limit. 
 
 
 
# disk PATH [MIN=100000]
 
#
 
# PATH:  mount path to the disk in question.
 
# MIN:  Disks with space below this value will have the Mib's errorFlag set.
 
#        Default value = 100000.
 
 
 
# Check the / partition and make sure it contains at least 10 megs.
 
 
 
disk / 10000
 
disk /home 10000
 
disk /var/lib/snmp/var_spool_imap 10000
 
disk /var/lib/snmp/wheel 10000
 
 
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9
 
# enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0
 
# enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" Hex: 2F
 
# enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/dev/dsk/c201d6s0"
 
# enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000
 
# enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130
 
# enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325
 
# enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092
 
# enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58
 
# enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0
 
# enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = ""
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# load average checks
 
#
 
 
 
# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
 
#
 
# 1MAX:  If the 1 minute load average is above this limit at query
 
#        time, the errorFlag will be set.
 
# 5MAX:  Similar, but for 5 min average.
 
# 15MAX:  Similar, but for 15 min average.
 
 
 
# Check for loads:
 
#load 12 14 14
 
 
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10
 
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1
 
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2
 
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3
 
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = "0.49" Hex: 30 2E 34 39
 
# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = "0.31" Hex: 30 2E 33 31
 
# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = "0.26" Hex: 30 2E 32 36
 
# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = "12.00"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = "14.00"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = "14.00"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = ""
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = ""
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = ""
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# Extensible sections.
 
#
 
 
 
# This alleviates the multiple line output problem found in the
 
# previous executable mib by placing each mib in its own mib table:
 
 
 
# Run a shell script containing:
 
#
 
# #!/bin/sh
 
# echo hello world
 
# echo hi there
 
# exit 35
 
#
 
# Note:  this has been specifically commented out to prevent
 
# accidental security holes due to someone else on your system writing
 
# a /tmp/shtest before you do.  Uncomment to use it.
 
#
 
# exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest
 
 
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50
 
# enterprises.ucdavis.50.1.1 = 1
 
# enterprises.ucdavis.50.2.1 = "shelltest"
 
# enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest"
 
# enterprises.ucdavis.50.100.1 = 35
 
# enterprises.ucdavis.50.101.1 = "hello world."
 
# enterprises.ucdavis.50.101.2 = "hi there."
 
# enterprises.ucdavis.50.102.1 = 0
 
 
 
# Now the Output has grown to two lines, and we can see the 'hi
 
# there.' output as the second line from our shell script.
 
#
 
# Note that you must alter the mib.txt file to be correct if you want
 
# the .50.* outputs above to change to reasonable text descriptions.
 
 
 
# Other ideas:
 
#
 
# exec .1.3.6.1.4.1.2021.51 ps /bin/ps
 
# exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top
 
# exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# Pass through control.
 
#
 
 
 
# Usage:
 
#  pass MIBOID EXEC-COMMAND
 
#
 
# This will pass total control of the mib underneath the MIBOID
 
# portion of the mib to the EXEC-COMMAND. 
 
# enterprises.ucdavis.50.100.1 = 35
 
# enterprises.ucdavis.50.101.1 = "hello world."
 
# enterprises.ucdavis.50.101.2 = "hi there."
 
# enterprises.ucdavis.50.102.1 = 0
 
 
 
# Now the Output has grown to two lines, and we can see the 'hi
 
# there.' output as the second line from our shell script.
 
#
 
# Note that you must alter the mib.txt file to be correct if you want
 
# the .50.* outputs above to change to reasonable text descriptions.
 
 
 
# Other ideas:
 
#
 
# exec .1.3.6.1.4.1.2021.51 ps /bin/ps
 
# exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top
 
# exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# Pass through control.
 
#
 
 
 
# Usage:
 
#  pass MIBOID EXEC-COMMAND
 
#
 
# This will pass total control of the mib underneath the MIBOID
 
# portion of the mib to the EXEC-COMMAND. 
 
#
 
# Note:  You'll have to change the path of the passtest script to your
 
# source directory or install it in the given location.
 
#
 
# Example:  (see the script for details)
 
#          (commented out here since it requires that you place the
 
#          script in the right location. (its not installed by default))
 
 
 
# pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/local/passtest
 
 
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255
 
# enterprises.ucdavis.255.1 = "life the universe and everything"
 
# enterprises.ucdavis.255.2.1 = 42
 
# enterprises.ucdavis.255.2.2 = OID: 42.42.42
 
# enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42
 
# enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1
 
# enterprises.ucdavis.255.5 = 42
 
# enterprises.ucdavis.255.6 = Gauge: 42
 
#
 
# % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5
 
# enterprises.ucdavis.255.5 = 42
 
#
 
# % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string"
 
# enterprises.ucdavis.255.1 = "New string"
 
#
 
 
 
# For specific usage information, see the man/snmpd.conf.5 manual page
 
# as well as the local/passtest script used in the above example.
 
 
 
# Added for support of bcm5820 cards.
 
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
 
 
 
###############################################################################
 
# Further Information
 
#
 
#  See the snmpd.conf manual page, and the output of "snmpd -H".
 
</pre>
 

Latest revision as of 22:21, 3 January 2018

Einstein is currently a virtual machine running on Gourd. Go here for information about the old Einstein hardware.

Virtual Hardware

  • Memory: 2 GB
  • Hard Disk: 20 GB
  • Swap Disk: 4 GB
  • Network 1 (eth0): Farm-Bridge
  • Network 2 (eth1): UNH-Bridge
  • SCSI Controller: LSI Logic

Network Settings

  • IP Address farm (eth0): 10.0.0.248
  • IP Address UNH (eth1): 132.177.88.52

Software and Services

IPTables

Einstein uses the standard NPG iptables firewall. It allows ssh, LDAP, imap, smtp, and http connections.

LDAP

Einstein is our LDAP server. It provides user authentication among other useful services. LDAP configuration is located in /etc/openldap, and the LDAP database is stored in /var/lib/ldap.

Mail

Einstein is our Email server. The mail itself is stored in a raid1 volume on Gourd, and Einstein mounts the NFS share to /var/spool/mail.

Einstein should mount the NFS share at boot, but note that since it mounts by hostname you should make sure that DNS is accessible before starting the Einstein VM. Otherwise mail won't be mounted properly when the system boots. If for some reason DNS is unavailable you can manually mount the NFS share in /mail using gourd's IP address directly.

Webmail

Einstein provides web-based access to e-mail using Squirrelmail. You can access it at [1].

See also: Gourd/Einstein Migration Plan

Upgrade from RHEL5 to Centos7

OK, this has not been fun, and taken way too long.

Status

We have a running Centos7 Einstein2 system.

  • It has Named installed and running as a slave to Jalapeño.
  • Slapd is installed. Still working on it.

LDAP

Follow the installation instruction from https://www.certdepot.net/rhel7-configure-ldap-directory-service-user-connection/

Noted differences:

  • Install extra schema:
  • for each do: ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f <file>
  • (Left out misc.schema and RADIUS-LDAPv3.schema )

Certificate

You need to configure the TLS certificate for the system. To create a new one (see: certs creating) : 

 cd /etc/pki/tls/private
 DOMAIN=einstein.unh.edu
 openssl genrsa -out "$DOMAIN".key 2048 && chmod 0600 "$DOMAIN".key
 openssl req -new -sha256 -key "$DOMAIN".key -out "$DOMAIN".csr
 openssl x509 -req -days 3650 -sha256 -in "$DOMAIN".csr -signkey "$DOMAIN".key -out "$DOMAIN".crt
 openssl pkcs8 -topk8 -inform pem -in "$DOMAIN".key -outform pem -nocrypt -out "$DOMAIN".pem
 chmod 640 "$DOMAIN".key "$DOMAIN".pem
 chgrp ldap "$DOMAIN".key "$DOMAIN".pem
 mv "$DOMAIN".crt ../certs/
 cd ../certs
 ln -s ${DOMAIN}.crt `/etc/pki/tls/misc/c_hash ${DOMAIN}.crt | cut -d' ' -f1`  # Set a link to the hash of the cert.

Install Certificate

Edit an ldif file: 

dn: cn=config
 changetype: modify
 replace: olcTLSCACertificatePath
 olcTLSCACertificatePath: /etc/pki/tls/certs
 -
 replace: olcTLSCACertificateFile
 olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt
 -
 replace: olcTLSCertificateFile
 olcTLSCertificateFile: /etc/pki/tls/certs/einstein.unh.edu.crt
 -
 replace: olcTLSCertificateKeyFile
 olcTLSCertificateKeyFile: /etc/pki/tls/private/einstein.unh.edu.pem

To make a change to the ldap server: 

 ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/certificate_change_localhost.ldif

Note that the hostname needs to be correct, so you probably need to set it in /etc/hosts i.e. 127.0.0.1 einstein localhost

Test, add -d1 -d2 or -d3 for increased debug output: 

  ldapsearch -x -ZZ 
  ldapsearch -x -H ldaps://

Make sure that the "authconfig" line from Upgrading to Centos 7 is executed and restart sssd

Import Old Database:

  • Dump on old einstein, see /var/lib/ldap/dump.ldif created by /usr/local/bin/ldap_dump.sh
  • Import with ldapadd -x -w 'password' -D cn=root,dc=physics,dc=unh,dc=edu -f /tmp/dump.ldif

Allow access over SSL:

  • edit: /etc/sysconfig/slapd
  • change: SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
  • There is still the issue that the TLS is for "einstein" while the testing node is not called "einstein"

Setup /etc/openssl/ldap.conf:

  • echo "tls_reqcert allow" >> /etc/nslcd.conf
    • Note that this makes it so that the TLS is not enforced.

Allow passwd to work

This was darn tricky to find out how to do. The issue is properly modifying, or adding olcAccess to the database. The following does the trick. Create a file change_password_access_policy.ldif in /etc/openldap 

 dn: olcDatabase={2}hdb,cn=config
 add: olcAccess
 olcAccess: {0}to attrs=userPassword
   by dn="cn=root,dc=physics,dc=unh,dc=edu" write
   by anonymous auth
   by self write
   by * none
 olcAccess: {1}to dn.base=""
   by * read
 olcAccess: {2}to *
   by dn="cn=Manager,dc=tuxfixer,dc=com" write
   by * read

Then enter the info into LDAP: 

 ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/change_password_access_policy.ldif

The documentation for olcAccess is here Access Control It appears that the entry for olcAccess: {0} gets encrypted. Weird, since I cannot find any documentation on that.

Other Tasks

Move the Mail configuration. See: E-mail

Move the SSH keys from the system.

Move the sudoers file.

TO DO

Retrieved from "https://nuclear.unh.edu/wiki/index.php?title=Einstein&oldid=6267"