Difference between revisions of "Sysadmin Todo List"
From Nuclear Physics Group Documentation Pages
Jump to navigationJump to searchLine 7: | Line 7: | ||
# Update Tomato to RHEL5 '''Installed w/ basic configuration (auth, autofs, etc)''' | # Update Tomato to RHEL5 '''Installed w/ basic configuration (auth, autofs, etc)''' | ||
# Check all services einstein currently provides. Locate as many custom scripts, etc. as is reasonable and label/copy them. | # Check all services einstein currently provides. Locate as many custom scripts, etc. as is reasonable and label/copy them. | ||
− | ## [[DNS]] ''Installed, set up'' | + | ## [[DNS]] ''Installed, set up, working'' |
## [[LDAP]] '''Loaded all the einstein users, and it WORKS!!!! WITH TLS!!!! OMGLOLZ!!''' Well, not totally. Client machines are able to use it for authentication, etc. but tomato itself isn't… '''Need to add the SASL stuff to slapd.conf for authentication over the Unix socket.''' Changed config files on tomato and einstein to do replication, but their LDAP services need restarted. Need to schedule a time to do it on einstein. Double-check configs! | ## [[LDAP]] '''Loaded all the einstein users, and it WORKS!!!! WITH TLS!!!! OMGLOLZ!!''' Well, not totally. Client machines are able to use it for authentication, etc. but tomato itself isn't… '''Need to add the SASL stuff to slapd.conf for authentication over the Unix socket.''' Changed config files on tomato and einstein to do replication, but their LDAP services need restarted. Need to schedule a time to do it on einstein. Double-check configs! | ||
− | ## [[Postfix]] ''Installed, | + | ## [[Postfix]] ''Installed, set up, needs started (waiting on SA, etc.).'' ([http://linuxgazette.net/124/pfeiffer.html Possibly helpful site]) '''All mail needs replicated/master-slaved''' |
## [[AMaViS]] [http://www.scalix.com/wiki/index.php?title=Scalix/Sendmail_%26_Amavisd-New_HOWTO Um, yes????] | ## [[AMaViS]] [http://www.scalix.com/wiki/index.php?title=Scalix/Sendmail_%26_Amavisd-New_HOWTO Um, yes????] | ||
## [[ClamAV]] | ## [[ClamAV]] |
Revision as of 17:17, 20 August 2007
This is an unordered set of tasks. Detailed information on any of the tasks typically goes in related topics' pages, although usually not until the task has been filed under Completed.
Important
Einstein Upgrade
Massive amount of deployment documentation for RHEL 5
- Pick a date within the next week Monday, 7/23/2007
- Send an e-mail to Aaron, warning him of the future takedown of tomato Done
- Update Tomato to RHEL5 Installed w/ basic configuration (auth, autofs, etc)
- Check all services einstein currently provides. Locate as many custom scripts, etc. as is reasonable and label/copy them.
- DNS Installed, set up, working
- LDAP Loaded all the einstein users, and it WORKS!!!! WITH TLS!!!! OMGLOLZ!! Well, not totally. Client machines are able to use it for authentication, etc. but tomato itself isn't… Need to add the SASL stuff to slapd.conf for authentication over the Unix socket. Changed config files on tomato and einstein to do replication, but their LDAP services need restarted. Need to schedule a time to do it on einstein. Double-check configs!
- Postfix Installed, set up, needs started (waiting on SA, etc.). (Possibly helpful site) All mail needs replicated/master-slaved
- AMaViS Um, yes????
- ClamAV
- SpamAssassin Installed, not set up.
- IMAP
- /home Maps are synched in the LDAP database, script is referenced by adduser-npg. Replicated/mounted-elsewhere?
- Samba Seems to be set up. Trick was to add root as a samba user with
smbpasswd -a root
. Strangely enough, even after restarting smbd, webmin shows no samba users. slapd.conf didn't have the samba stuff un-commented. Need that "smbk5pwd.la" file - Web?
- Fortran compilers and things like that? (Also needs compat libs--Nope, tomato is 32-bit.)
- Clone those services to tomato
- Switch einstein <-> tomato, and then upgrade what was originally einstein
- Look into making an einstein, tomato failsafe setup.
Miscellaneous
- At some point on friday, cacti stopped being able to monitor einstein. Update-related? There are no errors in cacti.log, but the status page for einstein just says "down".
- Steve can't log into roentgen. Don't appear in
getent passwd | grep mccoyst
, but that's the case on several other machines that I can log into. - Bohr, improv, and who knows how many others lost connection to /net/home at the same time. Turns out that the DNS servers running on both einstein and tomato died. Restarting named and rebooting affected workstations solved the problem. Why did this happen in the first place??
- Jalapeno was hung when I came in, so I took the opportunity to boot it with the latest uniprocessor kernel. Let's see how long it can last with this. If it hangs again soon, then the issue probably isn't the SMP kernel. "Found" a newer SMP kernel, but it panics on boot.
- Learn how to use cacti on okra. Seems like a nice tool, mostly set up for us already. Find out why lentil and okra (and tomato?) aren't being read by cacti. Could be related to the warnings that repeat in okra:/var/www/cacti/log/cacti.log. Not related to the warnings; those are for other machines that are otherwise being monitored. Try adding cacti to the exclude exclude list in access.conf Nevermind, lentil doesn't have any restrictions. Need to find out the requirements for a machine to be monitored by cacti/rrdtools. The documentaion makes it sound like only the cacti host needs any configuration, but I'm dubious. Ahh, it looks like every client has a file snmpd.conf, which affects what can be graphed. Tried configuring things on improv as in the Cacti HowTo, but no go. Must be some other settings as well.
- Set up a few VM's to play with for settings, scripts, etc. Either xen or qemu should work fine. Good idea! We will also need a VM on the new server which allows someone to log into the system with a 32-bit environment. This will be needed for legacy software.
- Install the right SNMP stuff on tomato so that it can be graphed
- Look at sensors on jalapeno, so that cacti can monitor the temp. The crashing probably isn't the splunk beta (no longer beta!), since it runs entirely in userspace.
- Figure out proper monitor refresh rates in an effort to fix bohr's strange graphics setup.
- Set up 32-bit compatibility libraries on pepper and taro.
Ongoing
Documentation
- Maintain the Documentation of all systems!
- Main function
- Hardware
- OS
- Network
- Continue homogenizing the configurations of the machines.
- Improve documentation of mail software, specifically SpamAssassin, Cyrus, etc.
Maintenance
- Check e-mails to root every morning
- Resize/clean up partitions as necessary. Seems to be a running trend that a computer gets 0 free space and problems crop up. Symanzik, bohr seem imminent. Yup, bohr died. Expanded his root by 2.5 gigs. Still serious monitor problems though, temporarily bypassed with vesa...
- Check up on security [1]
Cleaning
- Test unknown equipment:
- UPS I need a known good battery to play with. I'll probably get a surplus one cheap and bring it in. Seems like both UPSes I've looked at so far had bad batteries, since they were swollen and misshapen. The APC Smart-UPS 620 is good, just needs a new battery. The Belkin is dead. Is this the one the movers dropped? Applied for an RMA for the Belkin. Need to ship it out.
On-the-Side
- Certain settings are similar or identical for all machines, such as resolv.conf. It would be beneficial to write a program to do remote configuration. This would also simplify the process of adding/upgrading machines. Since resolv.conf was mentioned, I made a prototype that seems to work. Another idea that was tossed around was a program that periodically compared such files against master copies, to see if the settings somehow got changed. Learn how to use ssh-agent for most of these tasks
- Backup stuff: We need exclude filters on the backups. We need to plan and execute extensive tests before modifying the production backup program. Also, see if we can implement some sort of NFS user access. I've set up both filters and read-only snapshot access to backups at home. Uses what essentially amounts to a bash script version of the fancy perl thing we use now, only far less sophisticated. However, the filtering and user access uses a standard rsync exclude file (syntax in man page) and the user access is fairly obvious NFS read-only hosting. I am wondering if this is needed. The current scheme (ie the perl script) uses excludes by having a .rsync-filter is each of the directories where you want excluded contents. This has worked well. See ~maurik/tmp/.rsync-filter . The current script takes care of some important issues, like incomplete backups. Ah. So we need to get users to somehow keep that .rsync-filter file fairly updated. And to get them to use data to hold things, not home. Also, I wasn't suggesting we get rid of the perl script, I was saying that I've become familiar with a number of the things it does. [2] Put this on the backburner for now, since the current rate of backup disk consumption will give about 10 months before the next empty disk is needed.
Waiting
- That guy's computer has a BIOS checksum error. Flashing the BIOS to the newest version succeeds, but doesn't fix the problem. No obvious mobo damage either. What happen? Who was that guy, anyhow? (Silviu Covrig, probably) The machine is gluon, according to him. Waiting on ASUS tech support for warranty info Aaron said it might be power-supply-related. Nope. Definitely not. Used a known good PSU and still got error, reflashed bios with it and still got error. Got RMA, sending out on wed. Waiting on ASUS to send us a working one! Called ASUS on 8/6, they said it's getting repaired right now. Wohoo! Got a notification that it shipped!
- Printer queue for Copier: Konica Minolta Bizhub 750. IP=pita.unh.edu Seems like we need info from the Konica guy to get it set up on Red Hat. The installation documentation for the driver doesn't mention things like the passcode, because those are machine-specific. Katie says that if he doesn't come on Monday, she'll make an inquiry. Mac OS X now working, IT guy should be here week of June 26th Did he ever come? No, he didn't, and did not respond to a voice message left. Will call again.
Completed
- Can add users with luseradd and lgroupadd, and those programs refuse duplicate entries, but doing an ldapsearch does not return added users/groups. Groups and users added via something like Luma or JXplorer show up in ldapsearch, but not groups/users added by l*add! Are they using different databases? /etc/libuser.conf controls how libuser (the 'l' in luseradd, etc.) does its thing.
- The LDAP password was stored in a plain text file on einstein, so I deleted it. Only root had permissions, but still… This "might" be needed by something, so let's not forget about it having existed Yes, it was needed by PAM, at least
- Get the old public keys for pauli2 and 4 from einstein or whatever and replace the new ones on pauli2 and 4 with the old ones
- Got rid of the "wheel" entry in /etc/sudoers since we don't have a wheel group.
- Standardized the
/etc/ssh/ssh_known_hosts
file. Made one host per line, with all possible ways to get to the host (lone hostname, unh address, unh ip, farm ip, farm address, etc.). WAY cleaner and easier to read and blocked into obvious sections. - Pepper's been running two instances of cortex for a REALLY long time with 100% cpu usage. Sent a message to Covrig to ask if he's actually doing something of if it's out of control. Turns out they were runaways, he killed them.
- tomato: trying to figure out how to configure and set up some fake users for testing[3] before copying einstein's setup Need to figure out TLS certificates, too. User passwords are stored encrypted in the LDAP database. We need the key that einstein uses or it won't work for authentication when we transfer the db to tomato. There are several keys and certificates in /usr/share/ssl/certs, but what each of them is for is not totally obvious. The LDAP-related ones are referenced in slapd.conf/ldap.conf We need to figure out how to deal with transferring the LDAP database to tomato and have the passwords work. Turns out to be not a big deal with salted hashing. The client requests the salt from the server, hashes the password, and then sends the hashed version to the server for authentication. So no external keys are used for that. Certs and stuff are still needed for encryption over the network.
- rsync didn't backup tomato last night. Did we change a key? Maybe not, since tomato was in some weird state where root couldn't log in… Tomato was having serious ssl-related ldap issues, preventing it from starting ldap and authenticating anything far enough to log in, including root, strangely enough.
- Put jalapeno back on an SMP kernel. GRUB doesn't have it as the default, so the last time jalapeno froze up, the single got loaded. However, the most recent SMP kernel led to a panic on initialization, so we're using a slightly older one.
- Price server hardware and see if we can beat the microway quote. Not worth our time to build it from scratch, especially considering the fact that the school year is approaching.
- Slapdcat'd einstein, slapadd'd tomato, works! A benefit of BerkleyDB is that slapcat can be safely run while slapd is running. Handy SSL Stuff Specifics for OpenLdap Setting up with TLS. Roentgen is NPG's Certificate Authority. Remember to concatenate einstein and tomato's unh_physics_ca.crt files, and distribute that to clients before the switch?
- Updated up2date on pepper, taro, symanzik, and parity via the old up2date. Worked without errors, and used the new up2date to fetch updates.
- Figure out how to change log levels for snmpd on jalapeno. It's logging every time okra makes a connection. /etc/sysconfig/snmpd.options ? Changing it to be like einstein's didn't work. Looks to me like it did work. Check with ps auwwx, will show options are set properly. Those options don't seem to be all there is to it, because splunk still shows ~550 logs per hour. Well, the issue seems to have gone away as of thursday