Difference between revisions of "Einstein"

From Nuclear Physics Group Documentation Pages
Jump to navigationJump to search
 
(40 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== General Information ==
+
Einstein is currently a virtual machine running on [[Gourd]]. Go [[old_einstein|here]] for information about the old Einstein hardware.
Einstein is the primary server, and hosts services for [[LDAP]], NFS for [[Automount|home directories]], [[E-mail]], [[Elog]].
 
  
== Network Configuration ==
+
=Virtual Hardware=
Currently has ethernet cable to switch for local (farm) connection, and an ethernet cable to the wall for unh connection.
 
  
Hostnames: <code>einstein.unh.edu</code>, <code>einstein.farm.physics.unh.edu</code>
+
*Memory: 2 GB
=== ifconfig ===
+
*Hard Disk: 20 GB
<pre>
+
*Swap Disk: 4 GB
eth0      Link encap:Ethernet  HWaddr 00:30:48:63:BB:40 
+
*Network 1 (eth0): Farm-Bridge
          inet addr:10.0.0.248  Bcast:10.0.3.255  Mask:255.255.252.0
+
*Network 2 (eth1): UNH-Bridge
          inet6 addr: fe80::230:48ff:fe63:bb40/64 Scope:Link
+
*SCSI Controller: LSI Logic
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 
          RX packets:30590568 errors:0 dropped:0 overruns:0 frame:0
 
          TX packets:19265796 errors:0 dropped:0 overruns:0 carrier:0
 
          collisions:0 txqueuelen:1000
 
          RX bytes:12885415985 (12.0 GiB) TX bytes:37595782118 (35.0 GiB)
 
          Interrupt:106 Base address:0x4000
 
  
eth1      Link encap:Ethernet  HWaddr 00:30:48:63:BB:41 
+
=Network Settings=
          inet addr:132.177.88.52  Bcast:132.177.91.255  Mask:255.255.252.0
 
          inet6 addr: fe80::230:48ff:fe63:bb41/64 Scope:Link
 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 
          RX packets:140420169 errors:264 dropped:0 overruns:0 frame:264
 
          TX packets:102671315 errors:0 dropped:0 overruns:0 carrier:0
 
          collisions:0 txqueuelen:1000
 
          RX bytes:65061356613 (60.5 GiB)  TX bytes:74930930219 (69.7 GiB)
 
          Interrupt:114 Base address:0x6000
 
  
lo        Link encap:Local Loopback 
+
*IP Address farm (eth0): 10.0.0.248
          inet addr:127.0.0.1  Mask:255.0.0.0
+
*IP Address UNH (eth1): 132.177.88.52
          inet6 addr: ::1/128 Scope:Host
 
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
 
          RX packets:32295792 errors:0 dropped:0 overruns:0 frame:0
 
          TX packets:32295792 errors:0 dropped:0 overruns:0 carrier:0
 
          collisions:0 txqueuelen:0
 
          RX bytes:53090433084 (49.4 GiB)  TX bytes:53090433084 (49.4 GiB)
 
</pre>
 
== Hot Swap Information ==
 
* Interesting thread to get sata-nv to hotswap: ([http://www.linuxquestions.org/questions/linux-hardware-18/sata-hotplug-hotswap-howto-570811])
 
** There are drivers available for the MB sata, we could try them: [ftp://ftp.supermicro.com/driver/SATA/nVidia/MCP55/Linux/Non_RAID/Redhat/1.23/ Super Micro MB H8SMU drivers], BUT these appear to be standard Nvidia sata_nv driver.
 
* SAS Backplane: SAS825TQ
 
* SAT2-MV8 8-port SATA controller. Uses the sata-mv module which is NOT HOTPLUG CAPABLE. (see http://linux-ata.org/driver-status.html#matrix). THE ONLY WAY TO "HOT PLUG" with this driver is to dismount ALL the drives, then "modprobe -r sata-mv" (make sure it is really gone: lsmod | grep sata) then do the swap, then "modeprobe sata-mv" again.
 
  
== Hardware Information ==
+
=Software and Services=
[[Image:H8SMU_spec.jpg |right| SuperMicro H8SMU Motherboard ]]
 
* Motherboard: [http://www.supermicro.com/Aplus/motherboard/Opteron1000/MCP55/H8SMU.cfm SuperMicro H8SMU] [http://nuclear.unh.edu/wiki/images/7/72/MNL-H8SMU_10a.pdf User Manual]
 
** nVidia MCP55-Pro chipset
 
* SAS Backplane: SAS825TQ
 
* Marvell Technology Group Ltd. MV88SX6081 8-port SATA II PCI-X [http://nuclear.unh.edu/wiki/images/7/72/MNL-H8SMU_10a.pdf User Manual]
 
  
== Special Considerations for Einstein (Historical) ==
+
==IPTables==
This information no longer applies and is here for historical reasons. We no longer use amavisd, and so these instructions are not useful.
 
  
 +
Einstein uses the standard NPG [[iptables]] firewall. It allows ssh, LDAP, imap, smtp, and http connections.
  
Einstein is our mail server. That means it runs '''"amavisd"''' (a virus scanner) and '''"spamassasin"''' a spam filter. Both these codes have some issues with leaving junk around, slowly causing the "/" file system to fill up. When that happens, einstein stops functioning.
+
==LDAP==
  
Some cleanup can be done as follows:
+
Einstein is our [[LDAP]] server. It provides user authentication among other useful services. LDAP configuration is located in /etc/openldap, and the LDAP database is stored in /var/lib/ldap.
* stop amavisd and spamassasin:
 
service amavisd stop
 
service spamassasin stop
 
* clean out some of their junk:
 
rm /var/amavis/.razor/razor-agent.log
 
touch /var/amavis/.razor/razor-agent.log
 
chown amavis:amavis /var/amavis/.razor/razor-agent.log
 
chmod o-r /var/amavis/.razor/razor-agent.log
 
rm -f /var/virusmails/*  # (Sometimes there are so many, you have to delete in "chunks")
 
rm -rf /tmp
 
* start up the mail stuff again.
 
service amavisd start
 
service spamassasin start
 
  
There may be other areas that can be clean up, as in all the archived mail from "mailman"? But at least this list will let einstein function again.
+
==Mail==
 +
 
 +
Einstein is our [[Email]] server. The mail itself is stored in a raid1 volume on [[Gourd]], and Einstein mounts the NFS share to /var/spool/mail.
 +
 
 +
Einstein should mount the NFS share at boot, but note that since it mounts by hostname you should make sure that DNS is accessible before starting the Einstein VM. Otherwise mail won't be mounted properly when the system boots. If for some reason DNS is unavailable you can manually mount the NFS share in /mail using gourd's IP address directly.
 +
 
 +
===Webmail===
 +
 
 +
Einstein provides web-based access to e-mail using [[Squirrelmail]]. You can access it at [https://einstein.unh.edu/mail].
 +
 
 +
See also: [[Gourd/Einstein Migration Plan]]
 +
 
 +
= Upgrade from RHEL5 to Centos7 =
 +
 
 +
OK, this has not been fun, and taken way too long.
 +
 
 +
== Status ==
 +
 
 +
We have a running Centos7 Einstein2 system.
 +
* It has Named installed and running as a slave to Jalapeño.
 +
* Slapd is installed. Still working on it.
 +
 
 +
=== LDAP ===
 +
 
 +
Follow the installation instruction from https://www.certdepot.net/rhel7-configure-ldap-directory-service-user-connection/
 +
 
 +
Noted differences:
 +
* Install extra schema:
 +
** core.ldif 
 +
** inetorgperson.ldif
 +
**  wget https://launchpadlibrarian.net/55451730/autofs.ldif
 +
** /usr/share/doc/samba-4.4.4/LDAP/samba.ldif
 +
* for each do: ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f  <file>
 +
* (Left out misc.schema and RADIUS-LDAPv3.schema )
 +
 
 +
==== Certificate ====
 +
 
 +
You need to configure the TLS certificate for the system. To create a  new one (see: [https://www.lisenet.com/2016/openldap-with-ssl-and-nfs-for-user-home-directories-on-centos-7  certs creating]) :
 +
  cd /etc/pki/tls/private
 +
  DOMAIN=einstein.unh.edu
 +
  openssl genrsa -out "$DOMAIN".key 2048 && chmod 0600 "$DOMAIN".key
 +
  openssl req -new -sha256 -key "$DOMAIN".key -out "$DOMAIN".csr
 +
  openssl x509 -req -days 3650 -sha256 -in "$DOMAIN".csr -signkey "$DOMAIN".key -out "$DOMAIN".crt
 +
  openssl pkcs8 -topk8 -inform pem -in "$DOMAIN".key -outform pem -nocrypt -out "$DOMAIN".pem
 +
  chmod 640 "$DOMAIN".key "$DOMAIN".pem
 +
  chgrp ldap "$DOMAIN".key "$DOMAIN".pem
 +
  mv "$DOMAIN".crt ../certs/
 +
  cd ../certs
 +
  ln -s ${DOMAIN}.crt `/etc/pki/tls/misc/c_hash ${DOMAIN}.crt | cut -d' ' -f1`  # Set a link to the hash of the cert.
 +
 
 +
==== Install Certificate ====
 +
 
 +
Edit an ldif file:
 +
 
 +
dn: cn=config
 +
  changetype: modify
 +
  replace: olcTLSCACertificatePath
 +
  olcTLSCACertificatePath: /etc/pki/tls/certs
 +
  -
 +
  replace: olcTLSCACertificateFile
 +
  olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt
 +
  -
 +
  replace: olcTLSCertificateFile
 +
  olcTLSCertificateFile: /etc/pki/tls/certs/einstein.unh.edu.crt
 +
  -
 +
  replace: olcTLSCertificateKeyFile
 +
  olcTLSCertificateKeyFile: /etc/pki/tls/private/einstein.unh.edu.pem
 +
 
 +
To make a change to the ldap server:
 +
  ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/certificate_change_localhost.ldif
 +
 
 +
Note that the hostname needs to be correct, so you probably need to set it in /etc/hosts  i.e.  127.0.0.1 einstein localhost
 +
 
 +
Test, add -d1 -d2 or -d3 for increased debug output:
 +
  ldapsearch -x -ZZ
 +
  ldapsearch -x -H ldaps:// 
 +
 
 +
Make sure that the "authconfig" line from [[Upgrading to Centos 7]] is executed and restart sssd
 +
 
 +
Import Old Database:
 +
* Dump on old einstein, see /var/lib/ldap/dump.ldif  created by /usr/local/bin/ldap_dump.sh
 +
* Import with  ldapadd -x -w 'password' -D cn=root,dc=physics,dc=unh,dc=edu -f  /tmp/dump.ldif
 +
 
 +
Allow access over SSL:
 +
* edit: /etc/sysconfig/slapd
 +
* change: SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
 +
* There is still the issue that the TLS is for "einstein" while the testing node is not called "einstein"
 +
 
 +
Setup /etc/openssl/ldap.conf:
 +
* echo "tls_reqcert allow" >> /etc/nslcd.conf
 +
** Note that this makes it so that the TLS is not enforced.
 +
 
 +
==== Allow passwd to work ====
 +
 
 +
This was darn tricky to find out how to do. The issue is properly modifying, or adding olcAccess to the database. The following does the trick. Create a file change_password_access_policy.ldif in /etc/openldap
 +
 
 +
  dn: olcDatabase={2}hdb,cn=config
 +
  add: olcAccess
 +
  olcAccess: {0}to attrs=userPassword
 +
    by dn="cn=root,dc=physics,dc=unh,dc=edu" write
 +
    by anonymous auth
 +
    by self write
 +
    by * none
 +
  olcAccess: {1}to dn.base=""
 +
    by * read
 +
  olcAccess: {2}to *
 +
    by dn="cn=Manager,dc=tuxfixer,dc=com" write
 +
    by * read
 +
 
 +
Then enter the info into LDAP:
 +
 
 +
  ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/change_password_access_policy.ldif
 +
 
 +
The documentation for olcAccess is here [https://www.openldap.org/doc/admin24/access-control.html Access Control]
 +
It appears that the entry for olcAccess: {0} gets encrypted. Weird, since I cannot find any documentation on that.
 +
 
 +
= Other Tasks =
 +
 
 +
Move the Mail configuration. See: [[E-mail]]
 +
 
 +
Move the SSH keys from the system.
 +
 
 +
Move the sudoers file.
 +
 
 +
== TO DO ==

Latest revision as of 22:21, 3 January 2018

Einstein is currently a virtual machine running on Gourd. Go here for information about the old Einstein hardware.

Virtual Hardware

  • Memory: 2 GB
  • Hard Disk: 20 GB
  • Swap Disk: 4 GB
  • Network 1 (eth0): Farm-Bridge
  • Network 2 (eth1): UNH-Bridge
  • SCSI Controller: LSI Logic

Network Settings

  • IP Address farm (eth0): 10.0.0.248
  • IP Address UNH (eth1): 132.177.88.52

Software and Services

IPTables

Einstein uses the standard NPG iptables firewall. It allows ssh, LDAP, imap, smtp, and http connections.

LDAP

Einstein is our LDAP server. It provides user authentication among other useful services. LDAP configuration is located in /etc/openldap, and the LDAP database is stored in /var/lib/ldap.

Mail

Einstein is our Email server. The mail itself is stored in a raid1 volume on Gourd, and Einstein mounts the NFS share to /var/spool/mail.

Einstein should mount the NFS share at boot, but note that since it mounts by hostname you should make sure that DNS is accessible before starting the Einstein VM. Otherwise mail won't be mounted properly when the system boots. If for some reason DNS is unavailable you can manually mount the NFS share in /mail using gourd's IP address directly.

Webmail

Einstein provides web-based access to e-mail using Squirrelmail. You can access it at [1].

See also: Gourd/Einstein Migration Plan

Upgrade from RHEL5 to Centos7

OK, this has not been fun, and taken way too long.

Status

We have a running Centos7 Einstein2 system.

  • It has Named installed and running as a slave to Jalapeño.
  • Slapd is installed. Still working on it.

LDAP

Follow the installation instruction from https://www.certdepot.net/rhel7-configure-ldap-directory-service-user-connection/

Noted differences:

  • Install extra schema:
  • for each do: ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f <file>
  • (Left out misc.schema and RADIUS-LDAPv3.schema )

Certificate

You need to configure the TLS certificate for the system. To create a new one (see: certs creating) :

 cd /etc/pki/tls/private
 DOMAIN=einstein.unh.edu
 openssl genrsa -out "$DOMAIN".key 2048 && chmod 0600 "$DOMAIN".key
 openssl req -new -sha256 -key "$DOMAIN".key -out "$DOMAIN".csr
 openssl x509 -req -days 3650 -sha256 -in "$DOMAIN".csr -signkey "$DOMAIN".key -out "$DOMAIN".crt
 openssl pkcs8 -topk8 -inform pem -in "$DOMAIN".key -outform pem -nocrypt -out "$DOMAIN".pem
 chmod 640 "$DOMAIN".key "$DOMAIN".pem
 chgrp ldap "$DOMAIN".key "$DOMAIN".pem
 mv "$DOMAIN".crt ../certs/
 cd ../certs
 ln -s ${DOMAIN}.crt `/etc/pki/tls/misc/c_hash ${DOMAIN}.crt | cut -d' ' -f1`  # Set a link to the hash of the cert.

Install Certificate

Edit an ldif file:

dn: cn=config
 changetype: modify
 replace: olcTLSCACertificatePath
 olcTLSCACertificatePath: /etc/pki/tls/certs
 -
 replace: olcTLSCACertificateFile
 olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt
 -
 replace: olcTLSCertificateFile
 olcTLSCertificateFile: /etc/pki/tls/certs/einstein.unh.edu.crt
 -
 replace: olcTLSCertificateKeyFile
 olcTLSCertificateKeyFile: /etc/pki/tls/private/einstein.unh.edu.pem

To make a change to the ldap server:

 ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/certificate_change_localhost.ldif

Note that the hostname needs to be correct, so you probably need to set it in /etc/hosts i.e. 127.0.0.1 einstein localhost

Test, add -d1 -d2 or -d3 for increased debug output:

  ldapsearch -x -ZZ 
  ldapsearch -x -H ldaps://  

Make sure that the "authconfig" line from Upgrading to Centos 7 is executed and restart sssd

Import Old Database:

  • Dump on old einstein, see /var/lib/ldap/dump.ldif created by /usr/local/bin/ldap_dump.sh
  • Import with ldapadd -x -w 'password' -D cn=root,dc=physics,dc=unh,dc=edu -f /tmp/dump.ldif

Allow access over SSL:

  • edit: /etc/sysconfig/slapd
  • change: SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
  • There is still the issue that the TLS is for "einstein" while the testing node is not called "einstein"

Setup /etc/openssl/ldap.conf:

  • echo "tls_reqcert allow" >> /etc/nslcd.conf
    • Note that this makes it so that the TLS is not enforced.

Allow passwd to work

This was darn tricky to find out how to do. The issue is properly modifying, or adding olcAccess to the database. The following does the trick. Create a file change_password_access_policy.ldif in /etc/openldap

 dn: olcDatabase={2}hdb,cn=config
 add: olcAccess
 olcAccess: {0}to attrs=userPassword
   by dn="cn=root,dc=physics,dc=unh,dc=edu" write
   by anonymous auth
   by self write
   by * none
 olcAccess: {1}to dn.base=""
   by * read
 olcAccess: {2}to *
   by dn="cn=Manager,dc=tuxfixer,dc=com" write
   by * read

Then enter the info into LDAP:

 ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/change_password_access_policy.ldif

The documentation for olcAccess is here Access Control It appears that the entry for olcAccess: {0} gets encrypted. Weird, since I cannot find any documentation on that.

Other Tasks

Move the Mail configuration. See: E-mail

Move the SSH keys from the system.

Move the sudoers file.

TO DO