Jalapeno

From Nuclear Physics Group Documentation Pages
Jump to navigationJump to search

Jalapeno is a VMWare virtual machine currently running on Gourd. It serves as our primary DNS and CUPS print server.

Virtual Hardware

  • Memory: 512 MB
  • Hard Disk: 8 GB
  • Network 1 (eth0): Farm-Bridge
  • Network 2 (eth1): UNH-Bridge
  • SCSI Controller: LSI Logic

Network Settings

  • IP Address farm (eth0): 10.0.0.253
  • IP Address UNH (eth1): 132.177.88.37

Software and Services

IPTables

Jalapeno uses the standard NPG iptables firewall. It allows ssh, DNS, and CUPS ipp connections.

Named

Named provides DNS hostname resolution for the farm.physics.unh.edu backend network. DNS configuration files are located in the /var/named directory.

Cups

Note: Print services are being relocated to corn.

CUPS is configured to provide access to the NPG printer Wigner located in DeMeritt room 362. Authentication is required to use the printer, and access is restricted to NPG group members. Cups configuration is located in /etc/cups/cupsd.conf and printer configuration is located in /etc/cups/printers.conf.

The cups web interface can be accessed at http://jalapeno.unh.edu:631

/etc/cups/cupsd.conf

MaxLogSize 2000000000
LogLevel info
SystemGroup sys root domain_admins
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
# Share local printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAddress @LOCAL
DefaultAuthType Basic
<Location />
  Allow from 132.177
  # Allow shared printing and remote administration...
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin>
  Allow from 132.177
  Encryption Required
  Require user @SYSTEM
  # Allow remote administration...
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin/conf>
  Allow from 132.177
  AuthType Default
  Require user @SYSTEM
  # Allow remote access to the configuration files...
  Order allow,deny
  Allow @LOCAL
</Location>
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job   Suspend-Current-Job Resume-Job CUPS-Move-Job> 
    Require user @OWNER @SYSTEM
    AuthType Default
    Allow from 132.177
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer  Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs> 
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

/etc/cups/printers.conf

# Printer configuration file for CUPS v1.3.7
# Written by cupsd on 2010-06-04 10:29
<Printer Wigner>
AuthInfoRequired username,password
Info HP Color Laserjet 4700
Location DeMeritt 362
DeviceURI socket://wigner.unh.edu:9100
State Idle
StateTime 1275490820
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
AllowUser @npg
AllowUser kpohl
OpPolicy default
ErrorPolicy stop-printer
</Printer>

Printtracker

printtracker.py is a simple python script which sends monthly reports of print usage gathered from the cups page log. It records the number of pages printed by each user on the system.

The script can run in two different modes. The weekly mode is configured in crontab to run before the normal cron.weekly tasks. This is necessary because it needs to read the logs before they're emptied by logrotate, which happens when the normal cron.weekly jobs run. The monthly routine that e-mails the final monthly report is run by a script in cron.monthly.

Backup Configuration

/etc/rsync-backup.conf

# Backups are 'pull' only.  Too bad there isn't a better way to enforce this.
read only       = yes

# Oh for the ability to retain CAP_DAC_READ_SEARCH, and no other.  
#uid            = root
# XXX There seems to be an obscure bug with pam_ldap and rsync whereby 
# getpwnam(3) segfaults when (and only when) archiving /etc.  Using a numeric
# uid avoids this bug.  Only verified on Fedora Core 2.
uid             = 0

# There's not much point in putting the superuser in a chroot jail
# use chroot    = yes

# This isn't really an effective "lock" per se, since the value is per-module,
# but there really ought never be more than one, and it would at least 
# ensure serialized backups.
max connections = 1

[usr_local]
        path    = /usr/local
        comment = unpackaged software

[opt]
        path    = /opt
        comment = unpackaged software

[etc]
        path    = /etc
        comment = conf files

[var]
        path    = /var
        comment = user and system storage