Sysadmin Todo List
From Nuclear Physics Group Documentation Pages
Jump to navigationJump to searchThis is an unordered set of tasks. Detailed information on any of the tasks typically goes in related topics' pages, although usually not until the task has been filed under Completed.
Important
Einstein Upgrade
Massive amount of deployment documentation for RHEL 5
- Pick a date within the next week Monday, 7/23/2007
- Send an e-mail to Aaron, warning him of the future takedown of tomato Done
- Update Tomato to RHEL5 Installed w/ basic configuration (auth, autofs, etc)
- Check all services einstein currently provides. Locate as many custom scripts, etc. as is reasonable and label/copy them.
- DNS Installed, set up, working
- LDAP Installed, set up, working. Changed config files on tomato and einstein to do replication, but their LDAP services need restarted. Need to schedule a time to do it on einstein. Double-check configs!
- Postfix Installed, set up, working!
- AMaViS Installed, set up
- ClamAV Installed, set up
- SpamAssassin Installed, set up, working? (need to test to make sure)
- IMAP
cyradm localhost
gives "cannot connect to server". This all seems to be sasl-related. It'd be probably be easy if there was a way to have cyrus use PAM.LDAP and saslNevermind, that has to do with using SASL to authenticate LDAPsaslauthd -v
lists pam and ldap as available authentication mechanisms, and /etc/sysconfig/saslauthd has an entry "MECH=pam"…! What am I missing? Tried making a new "mail.physics.unh.edu.crt" for tomato, but couldn't because that would have required revoking einstein's cert of the same name. Tried using the "tomato.unh.edu.crt" and "tomato.unh.edu.key", but is giving the same results as the "mail.physics.unh.edu.*" copied from einstein. Tried using tomato's UNH address instead of hostname: same result. I'm able to login using theimtest
program, but the server doesn't send the same messages as shown here. - /home Installed, set up, working
- Samba Installed, set up, working. If anyone needs samba access, they need to find us and have us make them a samba account. No LDAP integration.
- Web?
- Fortran compilers and things like that? (Also needs compat libs--Nope, tomato is 32-bit.)
- Clone those services to tomato
- Switch einstein <-> tomato, and then upgrade what was originally einstein
- Look into making an einstein, tomato failsafe setup.
Miscellaneous
- The latest kernel on pepper doesn't have a SMP version? Had to go back to the second-most recent.
- Pauli crashes nearly every day, not when backups come around. We need to set up detailed system logging to find out why.
- Pauli2 and 4 don't give out their data via /net to the other paulis. This doesn't seem to be an autofs setting, since I see nothing about it in the working nodes' configs. Similarly, 2,4, and 6 won't access the other paulis via /net. 2,4 were nodes we rebuilt this summer, so it makes sense they don't have the right settings, but 6 is a mystery.
- Pauli2's hard drive may be dying. Some files in /data are inaccessible, and smartctl shows a large number of errors (98 if I'm reading this right...). Time to get Heisenberg a new hard drive?
- Steve can't log into roentgen. Don't appear in
getent passwd | grep mccoyst
, but that's the case on several other machines that I can log into. - Learn how to use cacti on okra. Seems like a nice tool, mostly set up for us already. Find out why lentil and okra (and tomato?) aren't being read by cacti. Could be related to the warnings that repeat in okra:/var/www/cacti/log/cacti.log. Not related to the warnings; those are for other machines that are otherwise being monitored. Try adding cacti to the exclude exclude list in access.conf Nevermind, lentil doesn't have any restrictions. Need to find out the requirements for a machine to be monitored by cacti/rrdtools. The documentaion makes it sound like only the cacti host needs any configuration, but I'm dubious. Ahh, it looks like every client has a file snmpd.conf, which affects what can be graphed. Tried configuring things on improv as in the Cacti HowTo, but no go. Must be some other settings as well. At some point on friday, cacti stopped being able to monitor einstein. Update-related? There are no errors in cacti.log, but the status page for einstein just says "down".
- Install the right SNMP stuff on tomato so that it can be graphed
- jalapeno hangups: Look at sensors on jalapeno, so that cacti can monitor the temp. The crashing probably isn't the splunk beta (no longer beta!), since it runs entirely in userspace. lm_sensors fails to detect anything readable. Is there a way around this?
- Try to pull as much data from Jim William's old drives as possible, if there's even anything on them.
Ongoing
Documentation
- Maintain the Documentation of all systems!
- Main function
- Hardware
- OS
- Network
- Continue homogenizing the configurations of the machines.
- Improve documentation of mail software, specifically SpamAssassin, Cyrus, etc.
Maintenance
- Check e-mails to root every morning
- Resize/clean up partitions as necessary. Seems to be a running trend that a computer gets 0 free space and problems crop up. Symanzik, bohr seem imminent. Yup, bohr died. Expanded his root by 2.5 gigs. Still serious monitor problems though, temporarily bypassed with vesa... Bohr's problem seems tied to the nvidia drivers, let's wait until the next release and see how those work out.
- Check up on security [1]
On-the-Side
- See if we can get the busted printer in 322 to work down here.
- Certain settings are similar or identical for all machines, such as resolv.conf. It would be beneficial to write a program to do remote configuration. This would also simplify the process of adding/upgrading machines. Since resolv.conf was mentioned, I made a prototype that seems to work. Another idea that was tossed around was a program that periodically compared such files against master copies, to see if the settings somehow got changed. Learn how to use ssh-agent for most of these tasks
- Backup stuff: We need exclude filters on the backups. We need to plan and execute extensive tests before modifying the production backup program. Also, see if we can implement some sort of NFS user access. I've set up both filters and read-only snapshot access to backups at home. Uses what essentially amounts to a bash script version of the fancy perl thing we use now, only far less sophisticated. However, the filtering and user access uses a standard rsync exclude file (syntax in man page) and the user access is fairly obvious NFS read-only hosting. I am wondering if this is needed. The current scheme (ie the perl script) uses excludes by having a .rsync-filter is each of the directories where you want excluded contents. This has worked well. See ~maurik/tmp/.rsync-filter . The current script takes care of some important issues, like incomplete backups. Ah. So we need to get users to somehow keep that .rsync-filter file fairly updated. And to get them to use data to hold things, not home. Also, I wasn't suggesting we get rid of the perl script, I was saying that I've become familiar with a number of the things it does. [2] Put this on the backburner for now, since the current rate of backup disk consumption will give about 10 months before the next empty disk is needed.
Waiting
- That guy's computer has a BIOS checksum error. Flashing the BIOS to the newest version succeeds, but doesn't fix the problem. No obvious mobo damage either. What happen? Who was that guy, anyhow? (Silviu Covrig, probably) The machine is gluon, according to him. Waiting on ASUS tech support for warranty info Aaron said it might be power-supply-related. Nope. Definitely not. Used a known good PSU and still got error, reflashed bios with it and still got error. Got RMA, sending out on wed. Waiting on ASUS to send us a working one! Called ASUS on 8/6, they said it's getting repaired right now. Wohoo! Got a notification that it shipped! ...they didn't fix it... Still has the EXACT same error it had when we shipped it to them. What should we do about this?
- Printer queue for Copier: Konica Minolta Bizhub 750. IP=pita.unh.edu Seems like we need info from the Konica guy to get it set up on Red Hat. The installation documentation for the driver doesn't mention things like the passcode, because those are machine-specific. Katie says that if he doesn't come on Monday, she'll make an inquiry. Mac OS X now working, IT guy should be here week of June 26th Did he ever come? No, he didn't, and did not respond to a voice message left. Will call again.
Completed
- Figure out proper monitor refresh rates in an effort to fix bohr's strange graphics setup. [3] has them. Just need to wait for a convienient time for Silas to test and see if it worked. The display problems seem to be tied to the proprietary nvidia driver, it won't load right on its own, but loads and runs fine if you manually kill X and start it again. Hopefully the next release fixes that.
sudo
is hanging for me.groups
shows my groups, /etc/sudoers has the "domain_admins" line. It eventually returned, saying that my user number doesn't exist in the passwd file. Something missing from nsswitch.conf? Nope, it's just like blackbody's, which works. getent passwd has everybody listed, as well. This was the result of a typo in /etc/ldap.conf- Some machines, including pepper, have lost their RHN entitlements. Do we want more, or should we just swap entitlements from workstations like compton? compton and fermi are VMs on solo, so that's a no Entitlements were reapplied during the week of 9/23.
- Set up 32-bit compatibility libraries on pepper and taro.
- Myriad is only printing 70 pages at a time? Miscellaneous printing issues may be worked-around by setting clients to use different protocols that seem to work for some poeple --e.g. AppleTalk-- but keep an eye on the random shutting down of CUPS as well. Matt changed the protocol some of the clients use to jetdirect, the problems seem to have subsided temporarily. Nope, it seems to be telecom related. Maurik's called them in and hopefully they'll flip a few switches and all will be well.
- Test unknown equipment:* UPS I need a known good battery to play with. I'll probably get a surplus one cheap and bring it in. Seems like both UPSes I've looked at so far had bad batteries, since they were swollen and misshapen. The APC Smart-UPS 620 is good, just needs a new battery. The Belkin is dead. Is this the one the movers dropped? Applied for an RMA for the Belkin. Need to ship it out. Yeah, with the new super supplies, we shouldn't waste our time by going out of the way to get a new dinky one.
- Set up a few VM's to play with for settings, scripts, etc. Either xen or qemu should work fine. Good idea! We will also need a VM on the new server which allows someone to log into the system with a 32-bit environment. This will be needed for legacy software. There's some set up on improv, under the names fermi and compton. Wait, is it solo or improv?
- Had to take ennui's strip to set up benfranklin. There are enough slots by quark, though.
- Removed the ancient kernels from symanzik's boot partition, because they were taking up space needed by kernels from up2date
- Figure out how to password-protect a webpage for Silas. He hosts from his personal space on nuclear.unh.edu http://httpd.apache.org/docs/2.0/howto/auth.html#gettingitworking
- pepper, taro got kernel updates, but we have to wait on some users to finish some long jobs.
lzana says that he'll be finished around Tuesday (9/25/2007), so we should send out an e-mail on Monday to inform others. Tenetatively schedule the reboots for that Friday.He's still running his jobs. New estimate for completion is over the weekend. Done on 9/28 - Jalapeno was hung when I came in, so I took the opportunity to boot it with the latest uniprocessor kernel. Let's see how long it can last with this. If it hangs again soon, then the issue probably isn't the SMP kernel. "Found" a newer SMP kernel,
but it panics on boot.Tried the SMP again, but it made it to startup. Let's see how long it goes this time. It could be a power issue (e.g. Taro). Hung up again this morning (8/22). Let's look into the power angle. Hung up last night with the single-processor kernel (8/24). Hung sometime between the mornings of 8/26 and 8/27. Restarted this morning (8/27) with the default kernel. Was hung on 9/03 when the backup script came by, judging by the email records. Stopped by wed night, noticed jalapeno panicked. Copied down everything visible on-screen. Maybe we can use this to narrow down what's happening here.... (9/12, 7:40) Unsolved, just tidying; todo list has another jalapeno entry