Sysadmin Todo List

From Nuclear Physics Group Documentation Pages

This is an unordered set of tasks. Detailed information on any of the tasks typically goes in related topics' pages, although usually not until the task has been filed under Completed.

Daily Check off list

Each day when you come in check the following:

  1. Einstein (script):
    1. Up and running?
    2. Disks are at less than 90% full?
    3. Mail system OK? (spamassassin, amavisd, ...)
  2. Temperature OK? No water blown into room?
  3. Systems up: Taro, Pepper, Pumpkin/Corn ?
  4. Backups:
    1. Did backup succeed?
    2. Does Lentil need a new disk?
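
A sketch of how the array and disk-usage items above could be checked automatically. This is an added example, not the group's own einstein script; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: both functions read text on stdin, so they can be fed live
# data or the constructed samples below.

# Print every md array whose member map (e.g. [U_]) shows a missing disk.
# Input: text in /proc/mdstat format.
degraded_arrays() {
    awk '
        /^md[0-9]+ :/ { name = $1 }
        name != "" && match($0, /\[[U_]+\]/) {
            map = substr($0, RSTART, RLENGTH)
            if (index(map, "_") > 0) print "/dev/" name
            name = ""
        }'
}

# Print "mountpoint use%" for filesystems at or above the limit ($1).
# Input: output of `df -P` (header line is skipped).
full_filesystems() {
    awk -v limit="$1" '
        NR > 1 {
            use = $5; sub(/%/, "", use)
            if (use + 0 >= limit) print $6 " " use "%"
        }'
}

# Constructed sample data (not taken from any real host).
SAMPLE_MDSTAT='Personalities : [raid1]
md1 : active raid1 sda2[0]
      8385856 blocks [2/1] [U_]
md0 : active raid1 sdb1[1] sda1[0]
      104320 blocks [2/2] [UU]
unused devices: <none>'

SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/md0 10000000 9300000 700000 93% /
/dev/md1 101086 20000 81086 20% /boot
/dev/sdc1 50000000 44500000 5500000 89% /home'

# Demo on the samples. On a live host:
#   degraded_arrays < /proc/mdstat
#   df -P | full_filesystems 90
printf '%s\n' "$SAMPLE_MDSTAT" | degraded_arrays
printf '%s\n' "$SAMPLE_DF" | full_filesystems 90
```

Run from cron, any non-empty output can be mailed to root along with the other daily messages.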

Important

The einstein event

  • Not yet sure exactly what happened, but on the 7th, starting around 2 AM, root@einstein started receiving cron job errors from the machines, saying "no route to host," "domain not bound," etc. 6:54 AM, mdadm sent a message warning about a degraded array on /dev/md1. At 7:41 AM, both /dev/md0 and /dev/md1 were marked as degraded. At 2:09 PM, einstein sent itself the daily logwatch email, which mentioned a number of lost connections from postfix, and no mdadm messages. From then until 4 AM on the 8th, all machines sent cron errors. At 4 AM, we see gourd list pages of logwatch errors indicating that LDAP was down, while roentgen had a large number of named retry limit errors. At 8 AM, einstein sent mdadm warnings about /dev/md0 and md1 being degraded still. Einstein's logwatch email at 9:30 AM shows LDAP errors in almost every category, as well as ACPI kernel errors. Amavis seems to have been working at that time. At 10:12 AM, clamav on einstein sent email about DNS errors.
  • Presently, einstein appears to be working fully. It would seem that the degraded array messed up the system more and more as time went on, until everything failed to work properly. This leads me to believe that einstein's hardware, with the exception of the hard drives, is good. I'll set up a number of stress tests to run on old einstein and tomato to try to determine the faulty hardware. Good idea to test tomato; it's similar hardware and I'm still suspicious of it after that RAID problem.

Weather

Judging by the look of the post-it-notes on the wall, the fan was blowing some sort of weather in. We need to figure out a way to prevent the outside from coming inside. We're lucky roentgen seems okay. What about using screen material in front of the fan, oriented in such a way that any water will run down the screen and collect at the water sensor?

Now that we're experiencing a mini heat wave, the fan and line air conditioner aren't quite enough to keep the temperature below 70°F. The standard operating procedure has been to leave the door open during the day.

Pumpkin/Corn

Our new system needs to be set up and integrated/tied in. Read more: Pumpkin
New problem: I set up virtual hosts corn (32-bit RHEL5) and Fermi (64-bit RHEL4), both went fine. I tried installing compton with 32-bit RHEL4, but the installer keeps crashing some way into the install. Most annoying. Instead, I then installed compton "directly" from a backup. This worked (hurray!) EXCEPT, the system seems to occasionally, well, it stops responding to the ssh session. No clue what is going on here.

New problem Continued: OK, this now downright scares me about virtual machines. At least, an RHEL4 32-bit one, where I see the following REALLY BAD behavior regarding disks:

  1. A disk label set on the host, pumpkin, is not recognized when the guest boots. Setting the disklabel to something else in the guest results in different labels being seen by guest and host.
  2. A file edited when the disk is mounted on the host (and guest not booted) does not appear to be changed when looking at this file on the booted guest (and unmounted from the host).

Conclusion: While these things work transparently in a para-virtualized RHEL5 (and I think RHEL4 64 bit), they are seriously messed up with RHEL4 32-bit. Should we ask RedHat for comments?

More New problems: It seems the internet connection to virtual hosts "goes to sleep". The system will be fine, but trying to ping it will result in a no reply. This only happens with fermi and compton. I suspect we need to add some config stuff....

The Non-answer: It cannot be done! This article tells about how to turn a fully virtualized host into a para-virtualized guest, RHEL4, running under an RHEL5 dom0. But in the notes it states that "don't mix and match x86_64 with i686 hosts and visa versa". Red Hat Magazine: Xen Guest for Red Hat Enterprise Linux 4. So we will run Corn fully virtual, which DOES work.

Einstein Upgrade

Einstein upgrade project and status page: Einstein Status

Note: Einstein (current one) has a problem with / getting full occasionally. See Einstein#Special_Considerations_for_Einstein

Environmental Monitor

We have an environmental monitor running at http://10.0.0.98. This is capable of sending email and turning the fan on and off (needs to be set up more intelligently). It responds to SNMP so we can integrate it with Cacti (needs to be done). Cacti doesn't support traps, as it's a polling tool. A possible workaround is to have another daemon run that captures traps and writes them somewhere cacti can pick them up, such as syslog. Or, maybe we can just use splunk instead.

Miscellaneous

  • Roentgen was plugged into one of the non-battery-backup slots of its UPS, so I shut it down and moved the plug. After starting back up, root got a couple of mysterious e-mails about /dev/md0 and /dev/md2: Array /dev/md2 has experienced event "DeviceDisappeared". However, mount seems to indicate that everything important is around:
/dev/vg_roentgen/rhel3 on / type ext3 (rw,acl)
none on /proc type proc (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
/dev/md1 on /boot type ext3 (rw)
none on /dev/shm type tmpfs (rw)
/dev/vg_roentgen/rhel3_var on /var type ext3 (rw)
/dev/vg_roentgen/wheel on /wheel type ext3 (rw,acl)
/dev/vg_roentgen/srv on /srv type ext3 (rw,acl)
/dev/vg_roentgen/dropbox on /var/www/dropbox type ext3 (rw)
/usr/share/ssl on /etc/ssl type none (rw,bind)
/proc on /var/lib/bind/proc type none (rw,bind)
automount(pid1503) on /net type autofs (rw,fd=5,pgrp=1503,minproto=2,maxproto=4)

and all of the sites listed on Web Servers work. Were those just old arrays that aren't around anymore but are still listed in some config file?

  • Clean out some users who have left a while ago. (Maurik should do this.)
  • Monitoring: I would like to see the new temp-monitor integrated with Cacti, and fix some of the cacti capabilities, i.e. tie it in with the sensors output from pepper and taro (and tomato/einstein). Setup sensors on the corn/pumpkin. Have an intelligent way in which we are warned when conditions are too hot, a drive has failed, a system is down.
  • Check into smartd monitoring (and processing its output) on Pepper, Taro, Corn/Pumpkin, Einstein, Tomato.
  • Decommission Okra. - This system is way too outdated to bother with it. Move Cacti to another system. Perhaps a VM, once we get that figured out?
  • Decide whether we want to decommission Jalapeno. It is currently not a stable system, and perhaps not worth the effort trying to make it stable. Its only service is Splunk, which can be moved to another system (which?). We could "rebuild" the HW if there is need.
  • Gourd's been giving smartd errors, namely
Offline uncorrectable sectors detected:
       /dev/sda [3ware_disk_00] - 48 Time(s)
       1 offline uncorrectable sectors detected

Okra also has an offline uncorrectable sector!

  • Continue purging NIS from ancient workstations, and replacing with files. The following remain:
    • pauli nodes -- Low priority!
  • Learn how to use cacti on okra. Seems like a nice tool, mostly set up for us already. Find out why lentil isn't being read by cacti. Install the net-snmp package, copy the /etc/snmpd/snmpd.conf from a working machine to the new one, start the snmpd service. Still not working though. Lentil won't start iptables-netgroups
    ("Net::SSLeay object version 1.30 does not match bootstrap parameter 1.25 at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/DynaLoader.pm line 253, line 225.
    Compilation failed in require at /usr/lib/perl5/vendor_perl/5.8.8/IO/Socket/SSL.pm line 17, line 225.
    BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/5.8.8/IO/Socket/SSL.pm line 17, line 225.
    Compilation failed in require at /usr/lib/perl5/vendor_perl/5.8.8/Net/LDAP.pm line 156, line 225."),
    maybe that's why. Lentil and pumpkin have the same Perl packages installed, yet pumpkin doesn't fail at starting the script.

Ongoing

Documentation

  • Maintain the Documentation of all systems!
    • Main function
    • Hardware
    • OS
    • Network
  • Continue homogenizing the configurations of the machines.
  • Improve documentation of mail software, specifically SpamAssassin, Cyrus, etc.

Maintenance

  • Check e-mails to root every morning
  • Resize/clean up partitions as necessary. Seems to be a running trend that a computer gets 0 free space and problems crop up. Symanzik, bohr seem imminent. Yup, bohr died. Expanded his root by 2.5 gigs. Still serious monitor problems though, temporarily bypassed with vesa... Bohr's problem seems tied to the nvidia drivers, let's wait until the next release and see how those work out.
  • Check up on security [1]
  • Clean up Room 202.
    • Ask UNH if they are willing/able to recycle/reuse the three CRTs that we have sitting around.

On-the-Side

  • See if we can get the busted printer in 322 to work down here.
  • Learn how to use ssh-agent for task automation.
  • Backup stuff: We need exclude filters on the backups. We need to plan and execute extensive tests before modifying the production backup program. Also, see if we can implement some sort of NFS user access. I've set up both filters and read-only snapshot access to backups at home. Uses what essentially amounts to a bash script version of the fancy perl thing we use now, only far less sophisticated. However, the filtering and user access uses a standard rsync exclude file (syntax in man page) and the user access is fairly obvious NFS read-only hosting. I am wondering if this is needed. The current scheme (i.e. the perl script) uses excludes by having a .rsync-filter in each of the directories where you want excluded contents. This has worked well. See ~maurik/tmp/.rsync-filter . The current script takes care of some important issues, like incomplete backups. Ah. So we need to get users to somehow keep that .rsync-filter file fairly updated. And to get them to use data to hold things, not home. Also, I wasn't suggesting we get rid of the perl script, I was saying that I've become familiar with a number of the things it does. [2] Put this on the backburner for now, since the current rate of backup disk consumption will give about 10 months before the next empty disk is needed.

Waiting

  • jalapeno hangups: Look at sensors on jalapeno, so that cacti can monitor the temp. The crashing probably isn't the splunk beta (no longer beta!), since it runs entirely in userspace. lm_sensors fails to detect anything readable. Is there a way around this? Jalapeno's been on for two weeks with no problems, let's keep our fingers crossed…
  • That guy's computer has a BIOS checksum error. Flashing the BIOS to the newest version succeeds, but doesn't fix the problem. No obvious mobo damage either. What happen? Who was that guy, anyhow? (Silviu Covrig, probably) The machine is gluon, according to him. Waiting on ASUS tech support for warranty info. Aaron said it might be power-supply-related. Nope. Definitely not. Used a known good PSU and still got error, reflashed bios with it and still got error. Got RMA, sending out on wed. Waiting on ASUS to send us a working one! Called ASUS on 8/6, they said it's getting repaired right now. Wohoo! Got a notification that it shipped! ...they didn't fix it... Still has the EXACT same error it had when we shipped it to them. What should we do about this? I'm going to call them up and have a talk, considering looking at the details on their shipment reveals that they sent us a different motherboard, different serial number and everything but with the same problem.
  • Printer queue for Copier: Konica Minolta Bizhub 750. IP=pita.unh.edu. Seems like we need info from the Konica guy to get it set up on Red Hat. The installation documentation for the driver doesn't mention things like the passcode, because those are machine-specific. Katie says that if he doesn't come on Monday, she'll make an inquiry. Mac OS X now working, IT guy should be here week of June 26th. Did he ever come? No, he didn't, and did not respond to a voice message left. Will call again.
  • Pauli crashes nearly every day, not when backups come around. We need to set up detailed system logging to find out why. Pauli2 and 4 don't give out their data via /net to the other paulis. This doesn't seem to be an autofs setting, since I see nothing about it in the working nodes' configs. Similarly, 2,4, and 6 won't access the other paulis via /net. 2,4 were nodes we rebuilt this summer, so it makes sense they don't have the right settings, but 6 is a mystery. Pauli2's hard drive may be dying. Some files in /data are inaccessible, and smartctl shows a large number of errors (98 if I'm reading this right...). Time to get Heisenberg a new hard drive? Or maybe just wean him off of NPG… It may be done for; can't connect to pauli2 and rebooting didn't seem to work. Need to set up the monitor/keyboard for it & check things out. The pauli nodes are all off for now. They've been deemed to produce more heat than they're worth. We'll leave them off until Heisenberg complains. Heisenberg's complaining now. Fixed his pauli machine by walking in the room (still don't know what he was talking about) and dirac had LDAP shut off. He wants the paulis up whenever possible, which I explained could be awhile because of the heat issues.
  • Sent an email to UNH Property Control asking what the procedure is to get rid of untagged equipment, namely, the two old monitors in the corner. Apparently they want us to fill out lots of information on the scrapping form like if it was paid for with government money, etc, as well as give them serial numbers, model numbers, and everything we can get ahold of. Then, we get to hang onto them until the hazardous equipment people come in and take it out, at their leisure. Waiting to figure out what we want to do with them.

Completed

Previous Months Completed

June 2007

July 2007

August 2007

September 2007

October 2007

NovDec 2007

January 2008