Difference between revisions of "Taro"
Latest revision as of 14:44, 8 August 2017
Taro is a data/computation server. Thinkmate serial number SN-826407.
Hardware Details
- Purchased in Jan 2009 from Thinkmate.
- Quad-Core Intel® Xeon® E5472 3.00GHz 1600FSB 12MB Cache (80W)
- Supermicro X7DWA-N - EATX - Intel® 5400 Chipset
- 4 x 2GB PC2-6400 677MHz FB-DIMM
- Chenbro SR107 EATX Chassis - No PS – Black + Rack Mount Conversion Kit
- 2 x Chenbro SR107 Black 4-Bay SATA Hotswap
- PC Power and Cooling Turbo-Cool® 860 - SLI Ready
- 500GB SATA 7200RPM - 3.5" - Seagate Barracuda® 7200.11
- Samsung 22x DVD+/-RW Dual Layer (SATA)
- MSI nVidia GeForce N280GTX OC 1GB GDDR3 PCI Express 2.0 (2xDVI) (Removed?)
- Areca-ARC 1231 12-channel RAID card on address: 10.0.0.97
Local copy of the Motherboard manual
Network Configuration
Taro's network configuration contains bridge interfaces to support KVM virtual machines.
- IP address Farm: 10.0.0.247 (eth1/farmbr)
- IP address UNH: 132.177.88.86 (eth2/unhbr)
Hostnames: taro.unh.edu, taro.farm.physics.unh.edu
Software and Services
Taro is one of the few systems that is somewhat more accessible from off-campus. It therefore needs additional monitoring to make sure everything is working and that security has not been compromised. Taro also stores a considerable amount of data on its RAID.
Globus
This is a system for transferring data to/from JLab. See more on the globus page.
IPTables
Taro uses the standard NPG iptables firewall. Taro allows ssh, icmp, portmap and nfs connections.
Taro serves its /data volume over NFS. It can be accessed from any system via automount at either /net/data/taro or /net/taro/data.
/etc/exports
/data   @servers(rw,sync) @npg_clients(rw,sync) \
       10.0.0.0/24(rw,no_root_squash,sync)
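The export above grants no_root_squash to every host on 10.0.0.0/24, which is the option a reviewer looks for first. The script below is an added example, not part of the Taro page or NPG's tooling: it parses exports text (including the backslash line continuation used above) and flags the options that weaken an export; the sample exports content is constructed.

```bash
#!/bin/bash
# Added example (not from the Taro page): audit /etc/exports text and flag
# client entries that weaken NFS security. Output per path/client pair:
#   <path> <client> <options> [FLAGS]
#   NO_ROOT_SQUASH  remote root keeps uid 0 on the export
#   NO_SYNC         "sync" missing: writes are acknowledged before reaching disk
#   INSECURE        requests from unprivileged (>1023) source ports are accepted
#   WORLD           client is "*" or empty, i.e. any host may mount it

# Constructed sample: Taro's /data export plus a deliberately sloppy extra entry
SAMPLE_EXPORTS='/data   @servers(rw,sync) @npg_clients(rw,sync) \
       10.0.0.0/24(rw,no_root_squash,sync)
# scratch export added later
/scratch *(rw,async,insecure)'

# audit_exports: reads exports text on stdin, prints one line per path/client pair
audit_exports() {
    # join backslash-continued lines, then drop comments and blank lines
    sed -e :a -e '/\\$/N; s/\\\n//; ta' \
      | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
      | while read -r path clients; do
          set -f   # no globbing: keep "*" and "@group(...)" literal
          for entry in $clients; do
              client=${entry%%(*}                 # text before "("
              opts=${entry#*(}; opts=${opts%)}    # text inside "(...)"
              [ "$entry" = "$client" ] && opts="" # no option list at all
              flags=""
              # wrap in commas so "sync" does not match inside "async"
              case ",$opts," in *,no_root_squash,*) flags="$flags NO_ROOT_SQUASH";; esac
              case ",$opts," in *,sync,*) ;; *) flags="$flags NO_SYNC";; esac
              case ",$opts," in *,insecure,*) flags="$flags INSECURE";; esac
              case "$client" in ''|'*') flags="$flags WORLD";; esac
              printf '%s %s %s%s\n' "$path" "${client:-*}" "${opts:-defaults}" \
                  "${flags:+ [${flags# }]}"
          done
      done
}

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

Run it against a real file with `audit_exports < /etc/exports`; an empty bracket list means the entry has none of the four weaknesses.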
Drive configuration
- RAID
  - The RAID is hardware based, with an ARECA card at IP 10.0.0.97.
  - The current setup is RAID-5 across 6 drives, with a 7th drive as a hot spare.
  - There is a single volume on the RAID, LUN 0/0/0.
Upgrade to CentOS 7
- Boot from a USB stick into the installer.
- Choose one of the physical disks that were previously part of the software RAID to install the system on.
- Partition the drive; note that you have to make the installer erase the drive first.
- Install a minimal system. Set the root password.

- When the installation is done, reboot.
- Disable and mask NetworkManager.
- Set up the Farm ethernet port.
- Set up the UNH ethernet port.
- Update yum: "yum update" and say yes to all the updates.
- Mount the old software RAID:
  - yum install mdadm
  - mdadm --detail --scan
  - mdadm --assemble --scan
  - mount /dev/md127 /mnt/olddisk

- Copy the old SSH keys to the new system:
  - cd /etc/ssh ; (cd /mnt/olddisk/etc/ssh && tar czvf - .) | tar xzvf -
  - systemctl restart sshd

- Copy the git user to the new machine:
  - grep git: /mnt/olddisk/etc/passwd >> /etc/passwd
  - grep git: /mnt/olddisk/etc/shadow >> /etc/shadow
  - cd /home; (cd /mnt/olddisk/home && tar czvf - git ) | tar xzvf -

- Set up SSSD & LDAP:
  - yum install -y openldap-clients sssd-ldap nss-pam-ldapd
  - Copy Gourd's ldap dir: rsync -ravH gourd:/etc/openldap .
  - Copy Gourd's sssd.conf: scp gourd:/etc/sssd/sssd.conf .
  - systemctl enable sssd
  - systemctl start sssd
  - authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir --ldapserver="ldaps://einstein ldaps://pepper" --ldapbasedn=dc=physics,dc=unh,dc=edu --enablelocauthorize --enableldaptls --update

- Set up automount:
  - yum install autofs
  - Copy auto.net and auto.master from Gourd.

- Set up iptables:
  - Copy iptables-npg from the old install to iptables.
  - Install: yum install iptables-services
  - Copy the netgroup2iptables script: scp gourd:/usr/local/bin/netgroup2iptables.pl /usr/local/bin
  - systemctl stop firewalld
  - systemctl disable firewalld
  - systemctl mask firewalld
  - systemctl start iptables
  - systemctl enable iptables
  - scp gourd:/etc/init.d/iptables-netgroups /etc/init.d/
  - systemctl start iptables-netgroups

- Install fail2ban:
  - yum install -y epel-release
  - yum install -y fail2ban whois
  - systemctl enable fail2ban
  - systemctl start fail2ban
  - scp gourd:/etc/fail2ban/filter.d/fail2ban.conf /etc/fail2ban/filter.d
  - scp gourd:/etc/fail2ban/jail.local /etc/fail2ban/
  - systemctl restart fail2ban

- Install the NFS export:
  - Copy the old exports file.
  - mkdir /data
  - Edit /etc/fstab to add /data.
  - mount /data
  - systemctl enable rpcbind
  - systemctl enable nfs-server
  - systemctl enable nfs-lock
  - systemctl enable nfs-idmap
  - systemctl start rpcbind
  - systemctl start nfs-server
  - systemctl start nfs-lock
  - systemctl start nfs-idmap
 
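The "grep git:" step in the procedure above appends the old passwd and shadow entries without checking whether the user name or UID is already taken on the freshly installed system. The helper below is an added example, not part of the Taro page: it checks the old entry against the new passwd before anything is appended; the passwd contents are constructed samples.

```bash
#!/bin/bash
# Added example (not from the Taro page): before appending an old passwd entry
# to the new system, make sure its user name and UID are not already in use.
# All passwd contents here are constructed samples.

OLD_PASSWD='root:x:0:0:root:/root:/bin/bash
git:x:1001:1001:Git repositories:/home/git:/bin/bash'

NEW_PASSWD='root:x:0:0:root:/root:/bin/bash
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin'

# Same as NEW_PASSWD, but a local account already owns UID 1001
CLASHING_PASSWD="$NEW_PASSWD
backup:x:1001:1001::/var/backups:/sbin/nologin"

# check_user_import USER OLD_PASSWD_TEXT NEW_PASSWD_TEXT
# Prints the old entry (safe to append) and returns 0, or prints the conflict
# and returns 1.
check_user_import() {
    user=$1
    entry=$(printf '%s\n' "$2" | grep "^$user:") \
        || { echo "no entry for $user in old passwd"; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    # the name and the numeric UID must both be free on the new system
    taken=$(printf '%s\n' "$3" | awk -F: -v n="$user" -v u="$uid" '
        $1==n { print "name " n " already exists" }
        $3==u { print "uid " u " already used by " $1 }')
    if [ -n "$taken" ]; then
        printf '%s\n' "$taken"; return 1
    fi
    printf '%s\n' "$entry"
}

check_user_import git "$OLD_PASSWD" "$NEW_PASSWD"
check_user_import git "$OLD_PASSWD" "$CLASHING_PASSWD" || echo "refusing to append"
```

The same check applies to the group entry: compare the old /etc/group line against the new /etc/group before appending it, since the git group's GID can collide just as the UID can.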
 
ToDo
- NFS export
- science packages

