Difference between revisions of "Jalapeno"

From Nuclear Physics Group Documentation Pages
 
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Jalapeno is a [[VMWare]] virtual machine currently running on [[Gourd]]. It serves as our primary [[DNS]] and CUPS print server.
+
Jalapeno is a [[kvm]] virtual machine currently running on [[Gourd]]. It serves as our primary [[DNS]] server.
 +
 
 +
Upgraded Jalapeño.
  
 
=Virtual Hardware=
 
=Virtual Hardware=
  
 
*Memory: 512 MB
 
*Memory: 512 MB
*Hard Disk: 8 GB
+
*Hard Disk: 10 GB
 
*Network 1 (eth0): Farm-Bridge
 
*Network 1 (eth0): Farm-Bridge
 
*Network 2 (eth1): UNH-Bridge
 
*Network 2 (eth1): UNH-Bridge
*SCSI Controller: LSI Logic
 
  
 
=Network Settings=
 
=Network Settings=
*IP Address farm (eth0): 10.0.0.253
+
*IP Address farm (eth0): 10.0.0.253     -- temp jalapeno2 10.0.0.237 (yendi)
 
*IP Address UNH (eth1):  132.177.88.37
 
*IP Address UNH (eth1):  132.177.88.37
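Review bot: the farm IP line in this hunk now carries a migration scratch note ("-- temp jalapeno2 10.0.0.237 (yendi)") inside what is otherwise the live address list; since this is the final revision, either say explicitly that 10.0.0.237 was only the temporary address of the replacement VM jalapeno2 during the CentOS 7 upgrade and that 10.0.0.253 is the address in service, or drop the note. Dropping "*SCSI Controller: LSI Logic" is right for a KVM guest, but the added "Upgraded Jalapeño." sentence should say to what, or point at the "Upgrade to Centos7" section this revision adds further down.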
  
Line 21: Line 22:
  
 
Named provides [[DNS]] hostname resolution for the farm.physics.unh.edu backend network. DNS configuration files are located in the /var/named directory.
 
Named provides [[DNS]] hostname resolution for the farm.physics.unh.edu backend network. DNS configuration files are located in the /var/named directory.
 
== Cups ==
 
 
'''Note: Print services are being relocated to [[corn]]'''.
 
 
CUPS is configured to provide access to the NPG printer [[Wigner]] located in DeMeritt room 362. Authentication is required to use the printer, and access is restricted to NPG group members. Cups configuration is located in /etc/cups/cupsd.conf and printer configuration is located in /etc/cups/printers.conf.
 
 
The cups web interface can be accessed at [http://jalapeno.unh.edu:631 http://jalapeno.unh.edu:631]
 
===/etc/cups/cupsd.conf===
 
 
MaxLogSize 2000000000
 
LogLevel info
 
SystemGroup sys root domain_admins
 
# Allow remote access
 
Port 631
 
Listen /var/run/cups/cups.sock
 
# Share local printers on the local network.
 
Browsing On
 
BrowseOrder allow,deny
 
BrowseAddress @LOCAL
 
DefaultAuthType Basic
 
<Location />
 
  Allow from 132.177
 
  # Allow shared printing and remote administration...
 
  Order allow,deny
 
  Allow @LOCAL
 
</Location>
 
<Location /admin>
 
  Allow from 132.177
 
  Encryption Required
 
  Require user @SYSTEM
 
  # Allow remote administration...
 
  Order allow,deny
 
  Allow @LOCAL
 
</Location>
 
<Location /admin/conf>
 
  Allow from 132.177
 
  AuthType Default
 
  Require user @SYSTEM
 
  # Allow remote access to the configuration files...
 
  Order allow,deny
 
  Allow @LOCAL
 
</Location>
 
<Policy default>
 
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job  Suspend-Current-Job Resume-Job CUPS-Move-Job>
 
    Require user @OWNER @SYSTEM
 
    AuthType Default
 
    Allow from 132.177
 
    Order deny,allow
 
  </Limit>
 
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
 
    AuthType Default
 
    Require user @SYSTEM
 
    Order deny,allow
 
  </Limit>
 
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer  Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
 
    AuthType Default
 
    Require user @SYSTEM
 
    Order deny,allow
 
  </Limit>
 
  <Limit Cancel-Job CUPS-Authenticate-Job>
 
    Require user @OWNER @SYSTEM
 
    Order deny,allow
 
  </Limit>
 
  <Limit All>
 
    Order deny,allow
 
  </Limit>
 
</Policy>
 
=== /etc/cups/printers.conf ===
 
 
# Printer configuration file for CUPS v1.3.7
 
# Written by cupsd on 2010-06-04 10:29
 
<Printer Wigner>
 
AuthInfoRequired username,password
 
Info HP Color Laserjet 4700
 
Location DeMeritt 362
 
DeviceURI socket://wigner.unh.edu:9100
 
State Idle
 
StateTime 1275490820
 
Accepting Yes
 
Shared Yes
 
JobSheets none none
 
QuotaPeriod 0
 
PageLimit 0
 
KLimit 0
 
AllowUser @npg
 
AllowUser kpohl
 
OpPolicy default
 
ErrorPolicy stop-printer
 
</Printer>
 
 
==Printtracker==
 
 
[[printtracker.py]] is a simple python script which sends monthly reports of print usage gathered from the cups page log. It records the number of pages printed by each user on the system.
 
 
The script can run in two different modes. The weekly mode is configured in crontab to run before the normal cron.weekly tasks. This is necessary because it needs to read the logs before they're emptied by logrotate, which happens when the normal cron.weekly jobs run. The monthly routine that e-mails the final monthly report is run by a script in cron.monthly.
 
  
 
== Backup Configuration ==
 
== Backup Configuration ==
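Review bot: removing the Cups and Printtracker sections in this hunk leaves two stale references behind. The IPTables section of the page still says the firewall "allows ssh, DNS, and CUPS ipp connections"; with print services relocated to corn, the 631/tcp rule should come out of Jalapeno's rule set and out of that sentence in the same change. The weekly crontab entry and the cron.monthly script that the removed Printtracker section describes also need to be removed from jalapeno, or moved to corn together with the CUPS page log they read, otherwise they keep running against a log that no longer receives jobs.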
Line 154: Line 59:
 
         comment = user and system storage
 
         comment = user and system storage
 
</pre>
 
</pre>
 +
 +
= Upgrade to Centos7 =
 +
 +
== Initialization ==
 +
On Pumpkin (which is in the 88 network, while Jalapeño needs to be on 180!)
 +
  qemu-img create -f qcow2  /kvm/images/jalepeno_new.qcow2 10G
 +
  virt-install -v --name=jalapeno2 --memory 512 --os-type=linux --os-variant=rhel7 --cdrom=/net/data/endeavour1/System/Centos/CentOS-7-x86_64-DVD-1503-01.iso --disk path=/kvm/images/jalapeno_new.qcow2,size=10 --network=bridge:farmbr --network=bridge:unhbr --vnc --vncport=5904
 +
 +
Next, install a minimal machine, with installer, and setup the back-end IP address from installer GUI. Give it a root password.
 +
 +
Login to machine, check that network is up! Kill NetworkManager, and check the ifcfg, then ifup the network
 +
 +
Next, edit /etc/yum.conf to use the endeavour proxy, add: proxy=http://endeavour.farm.physics.unh.edu:3128 at end of file. Save. Then: "yum update" and "yum upgrade"
 +
 +
Install:
 +
  yum install -y emacs nano bind bind-utils
 +
 +
If you really want to, you can allow user login and all that, but there is really no need for it.
 +
 +
== Bind/Named installation ==
 +
 +
  yum install -y bind bind-utils
 +
 +
Install the named.conf file in /etc and the farm.physics.unh.edu.zone and ...-rev files in /var/named.
 +
The named.conf is new, and tested on the new Einstein centos7 host.
 +
 +
  systemctl enable named
 +
  systemctl start named
 +
 +
Test it. Works.
 +
 +
== Take on the Jalapeño properties ==
 +
 +
Rename the VM to jalapeno.unh.edu and also rename the disk. Do this by making a clone. First use virt-manager to rename the old machine to jalapeño.unh.edu.centos6. Then:
 +
 +
  virt-clone --original jalapeno.unh.edu.centos7 --auto-clone --name jalapeno.unh.edu --file jalapeno.centos7.qcow2
 +
  virsh edit jalapeno.unh.edu  # Remove from <channel type='unix'> ... </channel> See: https://bugzilla.redhat.com/show_bug.cgi?id=1270696
 +
 +
Now start the new VM, and take on the Jalapeño personality:
 +
 +
  cd /etc/ssh
 +
  scp 10.0.0.253:/etc/ssh/*  .  # Get the correct ssh id.
 +
  cd /root/.ssh
 +
  scp 10.0.0.253:/root/.ssh/*  . # For the backup system.
 +
  edit /etc/sysconfig/networking-scripts/ifcfg-eth0 and eth1 for Jalapeño network addresses
 +
  scp 10.0.0.253:/etc/rsync-backup.conf .
 +
 +
Some cleaning up to do. We also want iptables instead of firewalld. This wasn't possible because *still* we have buggy SELINUX and systemctl. So, turn off SELINUX, reboot, then switch.
 +
 +
  emacs -nw /etc/sysconfig/selinux # change to disabled.
 +
  systemctl disable firewalld.service
 +
  yum install iptables-services
 +
  systemctl enable iptables.service
 +
 +
Edit a reasonable iptables in /etc/sysconfig
 +
 +
Then go to the old jalapeño and change the IP address (to Benfranklin=132.177.88.253 and 10.0.0.153 ). Reboot old and new jalapeño
 +
 +
== TO DO ==
 +
 +
# Currently there is no setup of LDAP on jalapeño.
 +
# No user login either, since there is no LDAP.
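Review bot: the "Take on the Jalapeño properties" steps in this hunk copy /etc/ssh/* (the host private keys) and /root/.ssh/* from 10.0.0.253 onto the new VM, and the last step then keeps the old VM running under new addresses (132.177.88.253 and 10.0.0.153). That leaves two machines with identical SSH host keys and the same root keys, so whatever trust the backup system places in jalapeno's host key and root key applies to both; regenerate the old VM's host keys and remove the copied root keys from it, or shut it down, once the cut-over is verified. Smaller points in the same hunk: "cd /root/.ssh" is followed by "scp 10.0.0.253:/etc/rsync-backup.conf .", which puts the rsync config in /root/.ssh rather than /etc; the ifcfg path should be /etc/sysconfig/network-scripts, not networking-scripts; qemu-img creates jalepeno_new.qcow2 while virt-install points at jalapeno_new.qcow2; and SELinux is set to disabled where permissive would keep the denials logged while the firewalld-to-iptables switch is debugged.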

Latest revision as of 16:58, 3 August 2017

Jalapeno is a kvm virtual machine currently running on Gourd. It serves as our primary DNS server.

Jalapeño has been upgraded to CentOS 7, as a new KVM guest that took over the old VM's addresses and SSH identity; the procedure is recorded in the Upgrade to Centos7 section below.

Virtual Hardware

  • Memory: 512 MB
  • Hard Disk: 10 GB
  • Network 1 (eth0): Farm-Bridge
  • Network 2 (eth1): UNH-Bridge

Network Settings

  • IP Address farm (eth0): 10.0.0.253 -- temp jalapeno2 10.0.0.237 (yendi)
  • IP Address UNH (eth1): 132.177.88.37

Software and Services

IPTables

Jalapeno uses the standard NPG iptables firewall. It allows ssh, DNS and CUPS ipp connections. The ipp (631/tcp) rule is a holdover from when Jalapeno was also the CUPS print server; print services have since moved to corn, so that rule can be dropped from Jalapeno.

Named

Named provides DNS hostname resolution for the farm.physics.unh.edu backend network. DNS configuration files are located in the /var/named directory.

Backup Configuration

/etc/rsync-backup.conf

# Backups are 'pull' only.  Too bad there isn't a better way to enforce this.
read only       = yes

# Oh for the ability to retain CAP_DAC_READ_SEARCH, and no other.  
#uid            = root
# XXX There seems to be an obscure bug with pam_ldap and rsync whereby 
# getpwnam(3) segfaults when (and only when) archiving /etc.  Using a numeric
# uid avoids this bug.  Only verified on Fedora Core 2.
uid             = 0

# There's not much point in putting the superuser in a chroot jail
# use chroot    = yes

# This isn't really an effective "lock" per se, since the value is per-module,
# but there really ought never be more than one, and it would at least 
# ensure serialized backups.
max connections = 1

[usr_local]
        path    = /usr/local
        comment = unpackaged software

[opt]
        path    = /opt
        comment = unpackaged software

[etc]
        path    = /etc
        comment = conf files

[var]
        path    = /var
        comment = user and system storage
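An added example (shell; not the NPG's code) around the file above. It assumes what the page only implies: that the backup host pulls over ssh as root with the key kept in /root/.ssh, and that the rsync daemon is started per connection by that ssh login rather than running permanently. The first function lints a config like the one above for the two settings that keep it pull-only and scoped (read only, hosts allow); the second writes the page's directive lines to a file so the lint can run on them here; the last two give the authorized_keys forced command on jalapeno and the matching pull on the backup host.

```shell
#!/bin/sh
# Added example (not from the NPG wiki). Two things a practitioner wants around
# /etc/rsync-backup.conf: a lint that keeps the daemon pull-only and scoped, and
# the ssh forced command that stops the backup host's root key from doing
# anything but starting that daemon. Assumptions: the backup host pulls over ssh
# as root using the key in /root/.ssh (the wiki only says the keys are "for the
# backup system"), and 10.0.0.253 is reachable from the backup host.

# Lint an rsyncd-style config: every module must be read only (globally or per
# module) and must be limited by "hosts allow" (globally or per module).
# Prints one WARN line per finding, an INFO line for the uid, and a summary.
rsync_conf_lint() {  # rsync_conf_lint <config-file>
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }              # blank and comment lines
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
                      mods[++n] = sec; next }
        {
            eq = index($0, "=")
            if (!eq) next
            key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
            set[sec "\t" key] = val                      # sec is "" for the global section
        }
        END {
            print "INFO: daemon uid = " (("\tuid" in set) ? set["\tuid"] : "rsync default")
            for (i = 1; i <= n; i++) {
                m = mods[i]
                ro = ((m "\tread only") in set) ? set[m "\tread only"] : set["\tread only"]
                if (ro != "yes") print "WARN: module " m " is writable"
                if (!((m "\thosts allow") in set) && !(("\thosts allow") in set))
                    print "WARN: module " m " has no hosts allow"
            }
            print n " modules checked"
        }
    ' "$1"
}

# The directive lines of the page's /etc/rsync-backup.conf (its comments
# dropped), written to a file so the lint can be exercised stand-alone.
page_rsync_conf() {  # page_rsync_conf <output-file>
    cat > "$1" <<'EOF'
read only       = yes
uid             = 0
max connections = 1

[usr_local]
        path    = /usr/local
        comment = unpackaged software

[opt]
        path    = /opt
        comment = unpackaged software

[etc]
        path    = /etc
        comment = conf files

[var]
        path    = /var
        comment = user and system storage
EOF
}

# On jalapeno: the backup host's public key goes into /root/.ssh/authorized_keys
# restricted to starting the daemon with this config and nothing else. An rsync
# client using "host::module" together with --rsh=ssh talks to exactly this.
backup_authorized_keys_line() {  # backup_authorized_keys_line "<ssh-ed25519 AAAA... comment>"
    printf 'command="rsync --server --daemon --config=/etc/rsync-backup.conf .",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# On the backup host: pull one module into a local directory over ssh.
pull_module() {  # pull_module <module> <dest-dir>
    rsync -a --delete --rsh=ssh "root@10.0.0.253::$1" "$2"
}
```

Against the file above the lint reports that none of the four modules has a hosts allow; with a global hosts allow = 10.0.0.0/24 added it reports nothing. The forced command matters because a root key that can run any command is a root login; restricted to rsync --server --daemon with this config, what the key can do is limited to what the daemon config allows, reading the four modules, which is what the comment "Backups are 'pull' only" wants enforced.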

Upgrade to Centos7

Initialization

On Pumpkin (which is in the 88 network, while Jalapeño needs to be on 180!)

 qemu-img create -f qcow2  /kvm/images/jalapeno_new.qcow2 10G
 virt-install -v --name=jalapeno2 --memory 512 --os-type=linux --os-variant=rhel7 --cdrom=/net/data/endeavour1/System/Centos/CentOS-7-x86_64-DVD-1503-01.iso --disk path=/kvm/images/jalapeno_new.qcow2,size=10 --network=bridge:farmbr --network=bridge:unhbr --vnc --vncport=5904

Next, do a minimal install from the installer, set the back-end (farm, eth0) IP address on the installer's network screen, and give it a root password.

Log in and check that the network is up. If it is not, stop NetworkManager, check /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1, then bring the interfaces up with ifup.

Next, edit /etc/yum.conf to use the endeavour proxy: add proxy=http://endeavour.farm.physics.unh.edu:3128 at the end of the file (on a stock CentOS 7 yum.conf the end of the file is still inside the [main] section, which is where the setting must be). Save. Then run "yum update" (on CentOS 7 "yum upgrade" is the same operation, since obsoletes handling is on by default; running both is harmless but redundant).

Install:

 yum install -y emacs nano bind bind-utils 

If you really want to, you can allow user login and all that, but there is really no need for it.

Bind/Named installation

 yum install -y bind bind-utils

Install the named.conf file in /etc and the farm.physics.unh.edu.zone and ...-rev files in /var/named. The named.conf is new, and tested on the new Einstein centos7 host.

  systemctl enable named
  systemctl start named

Test it. Works.
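The checks behind "Test it" above, written out as an added example (shell; not from the NPG wiki and not the farm's real zone data): BIND's named-checkconf and named-checkzone run if installed, a plain-awk check that every A record in the forward zone has a matching PTR in the reverse zone, and a dig round trip against the running server. It assumes the zone file paths are passed in (the page names them only as farm.physics.unh.edu.zone and ...-rev), that relative names are relative to the zone ($ORIGIN is not handled), and the demo zone files it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the NPG wiki: the checks to run between "install the
# zone files" and "systemctl start named" on jalapeno, and again after any zone
# edit. Assumptions: the BIND tools from bind/bind-utils are on PATH when present
# (the consistency check itself is plain awk and runs without BIND), relative
# names in the zone files are relative to the zone (no $ORIGIN handling), and
# the zone files are passed in by path, since the wiki only names them
# "farm.physics.unh.edu.zone and ...-rev".

# BIND's own syntax checks; named refuses to load a zone that fails these.
zone_syntax_check() {  # zone_syntax_check <named.conf> <zone> <zone-file> <rev-zone> <rev-file>
    if ! command -v named-checkconf >/dev/null 2>&1; then
        echo "named-checkconf not installed, skipping syntax check"; return 0
    fi
    named-checkconf "$1" && named-checkzone "$2" "$3" && named-checkzone "$4" "$5"
}

# Forward/reverse consistency: every A record in the forward zone must have a
# PTR in the reverse zone pointing back at the same FQDN. Catches the usual
# slip of editing one file and forgetting the other. Prints one
# "MISSING <ip> <fqdn>" line per gap and returns 1 if there were any.
zone_ptr_consistency() {  # zone_ptr_consistency <zone> <zone-file> <rev-file>
    awk -v zone="$1" '
        function strip(n) { sub(/\.$/, "", n); return n }
        { sub(/;.*/, "") }                                   # drop comments
        /^[^ \t]/ { owner = $1 }                             # owner carries over to indented lines
        FNR == NR {                                          # first file: reverse zone
            for (i = 2; i < NF; i++)
                if ($i == "PTR") ptr[strip(owner)] = strip($(i + 1))
            next
        }
        {                                                    # second file: forward zone
            for (i = 2; i < NF; i++)
                if ($i == "A" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    ip = $(i + 1)
                    if (owner == "@") fqdn = zone
                    else if (owner ~ /\.$/) fqdn = strip(owner)
                    else fqdn = owner "." zone
                    split(ip, o, ".")
                    full = o[4] "." o[3] "." o[2] "." o[1] ".in-addr.arpa"
                    ok = (o[4] in ptr && ptr[o[4]] == fqdn) || (full in ptr && ptr[full] == fqdn)
                    if (!ok) { print "MISSING " ip " " fqdn; bad++ }
                }
        }
        END { exit bad ? 1 : 0 }
    ' "$3" "$2"
}

# Live check against the running server: forward lookup, then the reverse of
# the answer must come back to the name (needs dig from bind-utils).
resolve_check() {  # resolve_check <server> <fqdn>
    command -v dig >/dev/null 2>&1 || { echo "dig not installed"; return 0; }
    ip=$(dig +short "@$1" "$2" A | head -n 1)
    [ -n "$ip" ] && dig +short "@$1" -x "$ip" | grep -qx "$2."
}

# Constructed zone files for a stand-alone run (not the real farm zones).
demo_zone_files() {  # demo_zone_files <dir>  -> writes <dir>/farm.zone and <dir>/farm.rev
    cat > "$1/farm.zone" <<'EOF'
$TTL 86400
@       IN  SOA ns1.farm.physics.unh.edu. root.farm.physics.unh.edu. (
                2017080301 3600 900 604800 86400 )
        IN  NS  ns1.farm.physics.unh.edu.
ns1     IN  A   10.0.0.253      ; jalapeno
gourd   IN  A   10.0.0.10
EOF
    cat > "$1/farm.rev" <<'EOF'
$TTL 86400
@       IN  SOA ns1.farm.physics.unh.edu. root.farm.physics.unh.edu. (
                2017080301 3600 900 604800 86400 )
        IN  NS  ns1.farm.physics.unh.edu.
253     IN  PTR ns1.farm.physics.unh.edu.
10      IN  PTR gourd.farm.physics.unh.edu.
EOF
}

# Stand-alone run on the constructed zones: sh zonecheck.sh demo [dns-server]
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); demo_zone_files "$d"
    zone_ptr_consistency farm.physics.unh.edu "$d/farm.zone" "$d/farm.rev" && echo "forward/reverse zones agree"
    [ -n "${2:-}" ] && resolve_check "$2" ns1.farm.physics.unh.edu && echo "$2 resolves ns1 both ways"
    rm -rf "$d"
fi
```

named-checkzone catches the syntax errors for which named would refuse the zone; the PTR check catches the edit that updated one file but not the other. Neither notices a forgotten SOA serial bump, which only shows up later as secondaries not refreshing.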

Take on the Jalapeño properties

Rename the VM to jalapeno.unh.edu and also rename the disk. Do this by making a clone. First use virt-manager to rename the old (CentOS 6) machine to jalapeño.unh.edu.centos6 so that the final name is free. Then clone the new machine under the final name; the --original name must be whatever the CentOS 7 guest is currently called (it was installed above as jalapeno2; check with virsh list --all):

 virt-clone --original jalapeno.unh.edu.centos7 --auto-clone --name jalapeno.unh.edu --file jalapeno.centos7.qcow2
 virsh edit jalapeno.unh.edu  # Remove from <channel type='unix'> ... </channel> See: https://bugzilla.redhat.com/show_bug.cgi?id=1270696

Now start the new VM, and take on the Jalapeño personality:

 cd /etc/ssh
 scp 10.0.0.253:/etc/ssh/* .    # Host keys and sshd config: the new VM keeps the old host identity, so known_hosts entries elsewhere stay valid.
 cd /root/.ssh
 scp 10.0.0.253:/root/.ssh/* .  # root's keys and authorized_keys, used by the backup system.
 scp 10.0.0.253:/etc/rsync-backup.conf /etc/
 edit /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1 for Jalapeño's network addresses

Copying the host keys is deliberate, but it means the old VM, which stays up under other addresses after the cut-over below, carries the same SSH host keys and the same root keys as the new one. Once the new VM is verified, regenerate the old VM's host keys and remove the copied root keys from it, or shut it down.

Some cleaning up to do. We also want iptables instead of firewalld. Switching while SELinux was enforcing did not work (SELinux and systemctl problems), so turn SELinux off, reboot, then switch. Setting SELINUX=permissive instead of disabled keeps the denials in the audit log without enforcing them, which is the more useful state while this is being debugged.

 emacs -nw /etc/sysconfig/selinux # set SELINUX=disabled (or permissive)
 systemctl disable firewalld.service
 yum install iptables-services
 systemctl enable iptables.service

Then write a reasonable rule set to /etc/sysconfig/iptables; iptables.service loads that file with iptables-restore at boot, so check that it parses (iptables-restore --test) before the first restart.
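What a "reasonable iptables" for this host looks like, as an added example (shell; not the NPG's standard firewall file, which the page does not show): it renders /etc/sysconfig/iptables in iptables-restore format allowing only the ssh and DNS traffic the IPTables section describes, lists which ports it opens, and installs it after a parse check. The source networks 132.177.0.0/16 and 10.0.0.0/24 are assumptions; the page gives 132.177 and 10.0.0.x without masks.

```shell
#!/bin/sh
# Added example, not from the NPG wiki: a rule set for /etc/sysconfig/iptables
# matching the page's description (ssh and DNS only), plus the checks worth
# doing before "systemctl restart iptables" on a VM you reach over ssh.
# The source networks are assumptions: the page only mentions 132.177 (UNH)
# and 10.0.0.x (farm) without masks.
UNH_NET=${UNH_NET:-132.177.0.0/16}
FARM_NET=${FARM_NET:-10.0.0.0/24}

# Print the rule set in iptables-restore format (what iptables.service loads).
# DNS is allowed over UDP and TCP: TCP carries answers over 512 bytes and zone
# transfers, and is where a UDP-only rule set fails silently.
render_iptables_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -s $FARM_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -s $UNH_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 53 -s $FARM_NET -j ACCEPT
-A INPUT -p tcp --dport 53 -s $FARM_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 53 -s $UNH_NET -j ACCEPT
-A INPUT -p tcp --dport 53 -s $UNH_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
COMMIT
EOF
}

# List the (proto, port, source) triples the rule set opens; compare this with
# the page's "ssh and DNS" description before installing.
open_port_rules() {
    render_iptables_rules | awk '/--dport/ && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") p = $(i + 1)
            if ($i == "--dport") d = $(i + 1)
            if ($i == "-s") s = $(i + 1)
        }
        print p, d, s
    }'
}

# Install: parse the file without committing it, then let iptables.service
# load it. A file that fails to parse at boot loads nothing, which leaves the
# INPUT policy at ACCEPT (wide open); the parse check catches that beforehand.
install_iptables_rules() {
    render_iptables_rules > /etc/sysconfig/iptables
    iptables-restore --test < /etc/sysconfig/iptables || return 1
    systemctl restart iptables.service
}
```

Two things to keep in mind: the parse check matters more than it looks, because an unparsable file leaves the box open rather than closed; and a file that parses but lacks your ssh rule locks you out, so do the first restart from the VNC console that virt-install set up, not over ssh. The old CUPS 631/tcp rule is intentionally absent; print services are on corn now.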

Then go to the old jalapeño and change its IP addresses (to Benfranklin = 132.177.88.253 and 10.0.0.153). Reboot the old and the new jalapeño.

TO DO

  1. Currently there is no setup of LDAP on jalapeño.
  2. No user login either, since there is no LDAP.