Difference between revisions of "Taro"
Line 81: | Line 81: | ||
## grep git: /mnt/olddisk/etc/shadow >> /etc/shadow | ## grep git: /mnt/olddisk/etc/shadow >> /etc/shadow | ||
## cd /home; (cd /mnt/olddisk/home && tar czvf - git ) | tar xzvf - | ## cd /home; (cd /mnt/olddisk/home && tar czvf - git ) | tar xzvf - | ||
+ | # Setup LDAP | ||
+ | ## yum install -y openldap-clients sssd-ldap nss-pam-ldapd | ||
+ | ## Copy Gourd ldap dir: rsync -ravH gourd:/etc/openldap . | ||
+ | ## Copy gourd sssd.conf: scp gourd:/etc/sssd/sssd.conf . | ||
+ | ## systemctl enable sssd | ||
+ | ## systemctl start sssd | ||
+ | ## authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldap://einstein --ldapbasedn=dc=physics,dc=unh,dc=edu --enablelocauthorize --enableldaptls --update | ||
+ | # Setup Auto Mount. | ||
+ | ## yum install autofs | ||
+ | ## Copy auto.net and auto.master from Gourd. | ||
+ | # Setup IPtables. | ||
+ | ## Copy iptables-npg from old install to iptables | ||
+ | ## Install: yum install iptables-services | ||
+ | ## copy the netgroup2iptables: scp gourd:/usr/local/bin/netgroup2iptables.pl /usr/local/bin | ||
+ | ## systemctl stop firewalld | ||
+ | ## systemctl disable firewalld | ||
+ | ## systemctl mask firewalld | ||
+ | ## systemctl start iptables | ||
+ | ## systemctl enable iptables | ||
+ | ## scp gourd:/etc/init.d/iptables-netgroups /etc/init.d/ | ||
+ | ## systemctl start iptables-netgroups | ||
+ | # Install Fail2ban | ||
+ | ## yum install -y epel-release | ||
+ | ## yum install -y fail2ban whois | ||
+ | ## systemctl enable fail2ban | ||
+ | ## systemctl start fail2ban | ||
+ | ## scp gourd:/etc/fail2ban/filter.d/fail2ban.conf /etc/fail2ban/filter.d | ||
+ | ## scp gourd:/etc/fail2ban/jail.local /etc/fail2ban/ | ||
+ | ## systemctl restart fail2ban | ||
+ | # Install NFS export | ||
+ | ## copy old exportfs | ||
+ | ## mkdir /data | ||
+ | ## Edit /etc/fstab to add /data | ||
+ | ## mount /data | ||
+ | ### systemctl enable rpcbind | ||
+ | ### systemctl enable nfs-server | ||
+ | ### systemctl enable nfs-lock | ||
+ | ### systemctl enable nfs-idmap | ||
+ | ### systemctl start rpcbind | ||
+ | ### systemctl start nfs-server | ||
+ | ### systemctl start nfs-lock | ||
+ | ### systemctl start nfs-idmap | ||
+ | |||
+ | |||
+ | = ToDo = | ||
+ | |||
+ | * NFS export | ||
+ | * science packages | ||
== Continue Upgrade == | == Continue Upgrade == |
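Review bot: the "Setup IPtables" steps never show a ruleset in place when the iptables service starts. "Copy iptables-npg from old install to iptables" names no destination path and comes before "yum install iptables-services", and firewalld is stopped, disabled and masked before "systemctl start iptables". Give the full destination path, move the install step ahead of the copy, and add a step that lists the loaded rules right after the start. Separately, the new ToDo section still lists "NFS export" although the steps above it already include "Install NFS export"; drop the item or say what remains to be done.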
Revision as of 14:14, 8 August 2017
Taro is a data/computation server. Thinkmate serial number SN-826407.
Hardware Details
- Purchased in Jan 2009 from Thinkmate.
- Quad-Core Intel® Xeon® E5472 3.00GHz 1600FSB 12MB Cache (80W)
- Supermicro X7DWA-N - EATX - Intel® 5400 Chipset
- 4 x 2GB PC2-6400 677MHz FB-DIMM
- Chenbro SR107 EATX Chassis - No PS – Black + Rack Mount Conversion Kit
- 2 x Chenbro SR107 Black 4-Bay SATA Hotswap
- PC Power and Cooling Turbo-Cool® 860 - SLI Ready
- 500GB SATA 7200RPM - 3.5" - Seagate Barracuda® 7200.11
- Samsung 22x DVD+/-RW Dual Layer (SATA)
- MSI nVidia GeForce N280GTX OC 1GB GDDR3 PCI Express 2.0 (2xDVI) (Removed?)
- Areca-ARC 1231 12-channel RAID card on address: 10.0.0.97
Local copy of the Motherboard manual
Network Configuration
Taro's network configuration contains bridge interfaces to support KVM virtual machines.
- IP address Farm: 10.0.0.247 (eth1/farmbr)
- IP address UNH: 132.177.88.86 (eth2/unhbr)
Hostnames: taro.unh.edu, taro.farm.physics.unh.edu
Software and Services
Taro is one of the few systems that is more accessible from off-campus. It requires additional monitoring to make sure everything is working and that security is not compromised. Taro stores a considerable amount of data on its RAID.
Globus
This is a system for transferring data to/from Jlab. See more on the globus page.
IPTables
Taro uses the standard NPG iptables firewall. Taro allows ssh, icmp, portmap and nfs connections.
Taro serves its /data volume over NFS. It can be accessed from any system via automount either in /net/data/taro or /net/taro/data.
/etc/exports
/data @servers(rw,sync) @npg_clients(rw,sync) \
      10.0.0.0/24(rw,no_root_squash,sync)
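A quick check for the export entry above, as an added example that is not part of the original page: it lists every client entry granted no_root_squash (root on that client is not mapped to an unprivileged user on the export), the option most worth reviewing on a host reachable from off-campus. The function names and the /scratch line are constructed for illustration.

```shell
#!/bin/sh
# Added example: list exports(5) entries that grant no_root_squash.
# audit_exports and sample_exports are illustrative names, not NPG tools.

# Reads an exports file on stdin and prints "path client scope" for every
# client entry with no_root_squash in its option list. Handles comments,
# blank lines and backslash continuations; assumes paths without spaces.
audit_exports() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        /\\[ \t]*$/ {                           # continued line: buffer it
            sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next
        }
        { $0 = buf $0; buf = "" }               # join pieces, re-split fields
        NF < 2 { next }                         # blank or path-only line
        {
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1, length($i) - p - 1)
                }
                if (client == "") client = "*"  # bare "(opts)" means any host
                scope = "host"
                if (client ~ /^@/) scope = "netgroup"
                else if (client ~ /[*?]/) scope = "wildcard"
                else if (client ~ /\//) scope = "network"
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] == "no_root_squash") print $1, client, scope
            }
        }
    '
}

# Constructed sample: the /data entry from this page plus one made-up line.
sample_exports() {
    cat <<'EOF'
# NFS exports
/data @servers(rw,sync) @npg_clients(rw,sync) \
      10.0.0.0/24(rw,no_root_squash,sync)
/scratch *(ro,sync) buildhost(rw,no_root_squash)   # constructed entry
EOF
}

sample_exports | audit_exports
```

On a live host, run it as `audit_exports < /etc/exports` and review each line it prints against the set of machines that actually need root access to the export.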
Drive configuration
- RAID
  - RAID is hardware-based, with an ARECA card at IP 10.0.0.97.
  - Current setup is RAID-5 across 6 drives, with a 7th drive as a hot spare.
  - There is a single volume on the RAID, lun 0/0/0.
Upgrade to CentOS 7
- Boot from USB stick into the installer.
- Choose one of the physical disks that were previously part of the Software RAID to install the system on.
- Partition the drive; note that you have to make the installer erase the drive first.
- Install minimum system. Set root password.
- When the installation is done, reboot.
- Disable and mask NetworkManager.
- Set up the Farm ethernet port.
- Set up the UNH ethernet port.
- Update yum: "yum update" and say yes to all the updates.
- Mount the old Software RAID:
  - yum install mdadm
  - mdadm --detail --scan
  - mdadm --assemble --scan
  - mount /dev/md127 /mnt/olddisk
- Copy the old SSH keys to the new system
  - cd /etc/ssh && (cd /mnt/olddisk/etc/ssh && tar czvf - .) | tar xzvf -
  - systemctl restart sshd
- Copy the git user to the new machine.
  - grep git: /mnt/olddisk/etc/passwd >> /etc/passwd
  - grep git: /mnt/olddisk/etc/shadow >> /etc/shadow
  - cd /home; (cd /mnt/olddisk/home && tar czvf - git ) | tar xzvf -
- Set up LDAP
  - yum install -y openldap-clients sssd-ldap nss-pam-ldapd
  - Copy Gourd ldap dir: rsync -ravH gourd:/etc/openldap .
  - Copy Gourd sssd.conf: scp gourd:/etc/sssd/sssd.conf .
  - systemctl enable sssd
  - systemctl start sssd
  - authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldap://einstein --ldapbasedn=dc=physics,dc=unh,dc=edu --enablelocauthorize --enableldaptls --update
- Set up Auto Mount.
  - yum install autofs
  - Copy auto.net and auto.master from Gourd.
- Set up IPtables.
  - Copy iptables-npg from old install to iptables
  - Install: yum install iptables-services
  - Copy the netgroup2iptables: scp gourd:/usr/local/bin/netgroup2iptables.pl /usr/local/bin
  - systemctl stop firewalld
  - systemctl disable firewalld
  - systemctl mask firewalld
  - systemctl start iptables
  - systemctl enable iptables
  - scp gourd:/etc/init.d/iptables-netgroups /etc/init.d/
  - systemctl start iptables-netgroups
- Install Fail2ban
  - yum install -y epel-release
  - yum install -y fail2ban whois
  - systemctl enable fail2ban
  - systemctl start fail2ban
  - scp gourd:/etc/fail2ban/filter.d/fail2ban.conf /etc/fail2ban/filter.d
  - scp gourd:/etc/fail2ban/jail.local /etc/fail2ban/
  - systemctl restart fail2ban
- Install NFS export
  - Copy old exportfs
  - mkdir /data
  - Edit /etc/fstab to add /data
  - mount /data
    - systemctl enable rpcbind
    - systemctl enable nfs-server
    - systemctl enable nfs-lock
    - systemctl enable nfs-idmap
    - systemctl start rpcbind
    - systemctl start nfs-server
    - systemctl start nfs-lock
    - systemctl start nfs-idmap
ToDo
- NFS export
- science packages