Sysadmin Todo List
From Nuclear Physics Group Documentation Pages
This is an unordered set of tasks. Detailed information on any of the tasks typically goes in related topics' pages, although usually not until the task has been filed under Completed.
Important
Einstein Upgrade
Massive amount of deployment documentation for RHEL 5
- Pick a date within the next week: Monday, 7/23/2007
- Send an e-mail to Aaron, warning him of the future takedown of tomato. Done
- Update Tomato to RHEL5: Installed w/ basic configuration (auth, autofs, etc.)
- Check all services einstein currently provides. Locate as many custom scripts, etc. as is reasonable and label/copy them.
- DNS: Set up w/ einstein's configuration files
- LDAP: Installed programs, trying to figure out how to configure and set up some fake users for testing [1] before copying einstein's setup. Need to figure out TLS certificates, too. User passwords are stored encrypted in the LDAP database. We need the key that einstein uses or it won't work for authentication when we transfer the db to tomato. There are several keys and certificates in /usr/share/ssl/certs, but what each of them is for is not totally obvious. The LDAP-related ones are referenced in slapd.conf/ldap.conf.
- Postfix
- AMaViS
- ClamAV
- SpamAssassin
- IMAP
- /home
- Samba
- Web?
- Fortran compilers and things like that?
- Clone those services to tomato
- Switch einstein <-> tomato, and then upgrade what was originally einstein
- Look into making an einstein, tomato failsafe setup.
Miscellaneous
- Backup stuff: We need exclude filters on the backups. We need to plan and execute extensive tests before modifying the production backup program. Also, see if we can implement some sort of NFS user access. I've set up both filters and read-only snapshot access to backups at home. Uses what essentially amounts to a bash script version of the fancy perl thing we use now, only far less sophisticated. However, the filtering and user access uses a standard rsync exclude file (syntax in man page) and the user access is fairly obvious NFS read-only hosting. I am wondering if this is needed. The current scheme (i.e. the perl script) uses excludes by having a .rsync-filter in each of the directories where you want excluded contents. This has worked well. See ~maurik/tmp/.rsync-filter . The current script takes care of some important issues, like incomplete backups. Ah. So we need to get users to somehow keep that .rsync-filter file fairly updated. And to get them to use data to hold things, not home. Also, I wasn't suggesting we get rid of the perl script, I was saying that I've become familiar with a number of the things it does. [2]
- Learn how to use cacti on okra. Seems like a nice tool, mostly set up for us already. Find out why lentil and okra (and tomato?) aren't being read by cacti. Could be related to the warnings that repeat in okra:/var/www/cacti/log/cacti.log. Not related to the warnings; those are for other machines that are otherwise being monitored. Try adding cacti to the exclude list in access.conf. Never mind, lentil doesn't have any restrictions. Need to find out the requirements for a machine to be monitored by cacti/rrdtools. The documentation makes it sound like only the cacti host needs any configuration, but I'm dubious. Ahh, it looks like every client has a file snmpd.conf, which affects what can be graphed. Tried configuring things on improv as in the Cacti HowTo, but no go. Must be some other settings as well.
- Set up a few VMs to play with for settings, scripts, etc. Either xen or qemu should work fine.
- Figure out how to change log levels for snmpd on jalapeno. It's logging every time okra makes a connection. /etc/sysconfig/snmpd.options ? Changing it to be like einstein's didn't work.
- Install the right SNMP stuff on tomato so that it can be graphed
- Look at sensors on jalapeno, so that cacti can monitor the temp. The crashing probably isn't the splunk beta, since it runs entirely in userspace.
Ongoing
Documentation
- Maintain the Documentation of all systems!
- Main function
- Hardware
- OS
- Network
- Continue homogenizing the configurations of the machines.
- Improve documentation of mail software, specifically SpamAssassin, Cyrus, etc.
Maintenance
- Check e-mails to root every morning
- Resize/clean up partitions as necessary. Seems to be a running trend that a computer gets 0 free space and problems crop up. Symanzik, bohr seem imminent.
- Check up on security [3]
Cleaning
- Test unknown equipment:
- UPS: I need a known good battery to play with. I'll probably get a surplus one cheap and bring it in. Seems like both UPSes I've looked at so far had bad batteries, since they were swollen and misshapen.
- Printer in 323 is not hooked up to a dead network port. Actually managed to ping it. One person reportedly got it to print, nobody else has, and that user has been unable ever since. Is this printer dead? We need to find out. Matt votes it's dead.
On-the-Side
- Certain settings are similar or identical for all machines, such as resolv.conf. It would be beneficial to write a program to do remote configuration. This would also simplify the process of adding/upgrading machines. Since resolv.conf was mentioned, I made a prototype that seems to work. Another idea that was tossed around was a program that periodically compared such files against master copies, to see if the settings somehow got changed.
- Learn how to use ssh-agent for most of these tasks
- Price server hardware and see if we can beat the microway quote.
- Get the old public keys for pauli2 and 4 from einstein or whatever and replace the new ones on pauli2 and 4 with the old ones
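The idea above of periodically comparing files such as resolv.conf against master copies could look like the following. This is an added example, not the prototype mentioned in the list; the function name `check_drift`, the script name, and the master-directory layout are assumptions.

```sh
#!/bin/sh
# Added example: report config files that differ from their master copies.
# Assumed layout (hypothetical): MASTER_DIR mirrors absolute paths, so
#   $MASTER_DIR/etc/resolv.conf is the master copy of /etc/resolv.conf.
# ROOT is the tree to check: "/" on a real machine, a scratch dir in tests.
# File names containing newlines are not supported.

# Prints "OK|DRIFT|MISSING <path>" for every master file.
# Returns 0 when everything matches, 1 on any drift or missing file.
check_drift() {
    cd_master=${1%/}
    cd_root=${2%/}
    cd_rc=0
    cd_list=$(mktemp) || return 2
    find "$cd_master" -type f | sort > "$cd_list"
    while IFS= read -r cd_file; do
        cd_rel=${cd_file#"$cd_master"}      # e.g. /etc/resolv.conf
        cd_live=$cd_root$cd_rel
        if [ ! -e "$cd_live" ]; then
            echo "MISSING $cd_rel"
            cd_rc=1
        elif cmp -s "$cd_file" "$cd_live"; then
            echo "OK $cd_rel"
        else
            echo "DRIFT $cd_rel"
            cd_rc=1
            # Indented unified diff so the report shows what changed.
            diff -u "$cd_file" "$cd_live" | sed 's/^/    /'
        fi
    done < "$cd_list"
    rm -f "$cd_list"
    return "$cd_rc"
}

# Usage: sh check_drift.sh MASTER_DIR ROOT   (e.g. from cron on each host)
if [ "$#" -eq 2 ]; then
    check_drift "$1" "$2"
fi
```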
Waiting
- That guy's computer has a BIOS checksum error. Flashing the BIOS to the newest version succeeds, but doesn't fix the problem. No obvious mobo damage either. What happen? Who was that guy, anyhow? (Silviu Covrig, probably) The machine is gluon, according to him. Waiting on ASUS tech support for warranty info. Aaron said it might be power-supply-related. Nope. Definitely not. Used a known good PSU and still got error, reflashed BIOS with it and still got error. Got RMA, sending out on Wed. Waiting on ASUS to send us a working one! Called ASUS on 8/6, they said it's getting repaired right now.
- Printer queue for Copier: Konica Minolta Bizhub 750. IP=pita.unh.edu. Seems like we need info from the Konica guy to get it set up on Red Hat. The installation documentation for the driver doesn't mention things like the passcode, because those are machine-specific. Katie says that if he doesn't come on Monday, she'll make an inquiry. Mac OS X now working, IT guy should be here week of June 26th. Did he ever come? No, he didn't, and did not respond to a voice message left. Will call again.