Difference between revisions of "Tomato"

From Nuclear Physics Group Documentation Pages
 
(23 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== General Information ==
+
The hostname Tomato is currently being used for the rackmount server which was previously known as [[Einstein]]. <strike>If you're looking for information about the system formerly known as Tomato, it has been renamed [[Okra]].</strike>
Tomato does some VPN stuff with Xemed.
 
  
Hostnames: <code>tomato.unh.edu</code>, <code>tomato.farm.physics.unh.edu</code>
+
Currently tomato isn't used for anything critical, but it does serve as a secondary [[DNS]] server and [[VMWare]] host.
  
== Network Configuration ==
+
= Hardware Information =
Currently has ethernet cable to switch for local (farm) connection, and an ethernet cable to the wall for unh connection.
+
[[Image:H8SMU_spec.jpg |right| SuperMicro H8SMU Motherboard ]]
=== /etc/sysconfig/network-scripts/ifcfg-eth0 ===
+
* Motherboard: [http://www.supermicro.com/Aplus/motherboard/Opteron1000/MCP55/H8SMU.cfm SuperMicro H8SMU]
<pre># 3Com Corporation 3c980-C 10/100baseTX NIC [Python-T]
+
** nVidia MCP55-Pro chipset
DEVICE=eth0
+
** SAS Backplane: SAS825TQ
BOOTPROTO=static
+
*Dual-Core AMD Opteron 1218 Processor
BROADCAST=132.177.88.255
+
*4 GB 333 MHz DDR Memory
HWADDR=00:E0:81:05:30:0E
+
*Marvell Technology Group Ltd. MV88SX6081 8-port SATA II PCI-X
IPADDR=132.177.88.76
+
*Two NVIDIA MCP55 Integrated Gigabit Ethernet Ports
IPV6ADDR=
+
*Matshita DVD-ROM
IPV6PREFIX=
+
*ATI ES1000 Video
NETMASK=255.255.255.0
 
NETWORK=132.177.88.0
 
ONBOOT=yes
 
</pre>
 
=== /etc/sysconfig/network-scripts/ifcfg-eth1 ===
 
<font color="red">unused</font>
 
<pre># 3Com Corporation 3c980-C 10/100baseTX NIC [Python-T]
 
DEVICE=eth1
 
BOOTPROTO=dhcp
 
HWADDR=00:E0:81:05:30:0F
 
ONBOOT=no
 
DHCP_HOSTNAME=tomato.unh.edu
 
</pre>
 
=== /etc/sysconfig/network-scripts/ifcfg-eth2 ===
 
<pre># Intel Corporation 82544EI Gigabit Ethernet Controller (Copper)
 
DEVICE=eth2
 
BOOTPROTO=static
 
BROADCAST=10.0.3.255
 
HWADDR=00:02:B3:D3:FE:12
 
IPADDR=10.0.0.251
 
IPV6ADDR=
 
IPV6PREFIX=
 
NETMASK=255.255.252.0
 
NETWORK=10.0.0.0
 
ONBOOT=yes
 
</pre>
 
=== /etc/sysconfig/network-scripts/ifcfg-lo ===
 
<pre>DEVICE=lo
 
IPADDR=127.0.0.1
 
NETMASK=255.0.0.0
 
NETWORK=127.0.0.0
 
# If you're having problems with gated making 127.0.0.0/8 a martian,
 
# you can change this to something else (255.255.255.255, for example)
 
BROADCAST=127.255.255.255
 
ONBOOT=yes
 
NAME=loopback
 
</pre>
 
  
== Access Configuration ==
 
=== /etc/security/access.conf ===
 
<pre>
 
</pre>
 
== Backup Configuration ==
 
=== /etc/rsync-backup.conf ===
 
<pre># Backups are 'pull' only.  Too bad there isn't a better way to enforce this.
 
read only      = yes
 
  
# Oh for the ability to retain CAP_DAC_READ_SEARCH, and no other. 
 
#uid            = root
 
# XXX There seems to be an obscure bug with pam_ldap and rsync whereby
 
# getpwnam(3) segfaults when (and only when) archiving /etc.  Using a numeric
 
# uid avoids this bug.  Only verified on Fedora Core 2.
 
uid            = 0
 
  
# There's not much point in putting the superuser in a chroot jail
+
[http://nuclear.unh.edu/wiki/pdfs/motherboards/MNL-H8SMU_10a.pdf Motherboard User Manual]
# use chroot    = yes
 
  
# This isn't really an effective "lock" per se, since the value is per-module,
+
= Network Configuration =
# but there really ought never be more than one, and it would at least
+
Tomato has an ethernet cable connected to the switch for local (farm) connection, and uses a [[VLAN|vlan]] configuration for the connection to the external (unh) network.
# ensure serialized backups.
 
max connections = 1
 
  
filter = : .rsync-filter
+
* IP address UNH: 132.177.88.52 (eth1)
 +
* IP address Farm: 10.0.0.248 (eth0)
 +
* IP address IPMI: 10.0.0.148
  
[usr]
+
=Software and Services=
        path    = /usr
 
        comment = unpackaged software
 
        filter  =              \
 
                : .rsync-filter \
 
                + /            \
 
                + /local        \
 
                + /share        \
 
                + /share/ssl    \
 
                - /share/*      \
 
                - /*
 
  
[opt]
+
This section contains details about the services and software on Gourd and information about their configurations.
        path    = /opt
 
        comment = unpackaged software
 
  
[etc]
+
== IPTables ==
        path    = /etc
 
        comment = conf files
 
  
[var]
+
Tomato uses the standard NPG [[iptables]] firewall. Gourd allows ssh, icmp, portmap and nfs connections.
        path    = /var
 
        comment = user and system storage
 
  
[root]
+
==NFS Shares==
        path    = /root
 
        comment = root's home directory
 
</pre>
 
== SNMP Configuration ==
 
=== /etc/snmp/snmpd.conf ===
 
<pre>###############################################################################
 
#
 
# snmpd.conf:
 
#  An example configuration file for configuring the ucd-snmp snmpd agent.
 
#
 
###############################################################################
 
#
 
# This file is intended to only be as a starting point.  Many more
 
# configuration directives exist than are mentioned in this file.  For
 
# full details, see the snmpd.conf(5) manual page.
 
#
 
# All lines beginning with a '#' are comments and are intended for you
 
# to read.  All other lines are configuration commands for the agent.
 
  
###############################################################################
+
Tomato serves two volumes over [[NFS]]. They are located at /data0 and /data1. They are accessible via [[automount]] in /net/tomato on our systems.
# Access Control
 
###############################################################################
 
  
# As shipped, the snmpd demon will only respond to queries on the
+
===/etc/exports===
# system mib group until this file is replaced or modified for
+
<pre>
# security purposes. Examples are shown below about how to increase the
+
/data0  @servers(rw,sync) @npg_clients(rw,sync) \
# level of access.
+
        10.0.0.0/24(rw,sync)
 +
   
 +
/data1 @servers(rw,sync) @npg_clients(rw,sync) \
 +
10.0.0.0/24(rw,sync)
 +
</pre>
  
# By far, the most common question I get about the agent is "why won't
+
==VMWare==
# it work?", when really it should be "how do I configure the agent to
 
# allow me to access it?"
 
#
 
# By default, the agent responds to the "public" community for read
 
# only access, if run out of the box without any configuration file in
 
# place.  The following examples show you other ways of configuring
 
# the agent so that you can change the community names, and give
 
# yourself write access to the mib tree as well.
 
#
 
# For more information, read the FAQ as well as the snmpd.conf(5)
 
# manual page.
 
  
##      sec.name  source          community
+
Tomato is running [[VMWare]] Server version 2.0.2. It acts as a secondary virtualization server. The VMWare management interface is accessible at https://tomato.unh.edu:8333/ or from localhost:8222 if you're logged in or port forwarding over SSH.
com2sec local    localhost      NPG
 
com2sec mynetwork 10.0.0.0/24    NPG
 
  
##    group.name sec.model  sec.name
+
The VMWare datastore is located in /data0/vmware
group MyRWGroup  v1        local
 
group MyRWGroup  v2c        local
 
group MyRWGroup  usm        local
 
group MyROGroup  v1        mynetwork
 
group MyROGroup  v2c        mynetwork
 
group MyROGroup  usm        mynetwork
 
#
 
group MyRWGroup  v1        otherv3user
 
group MyRWGroup  v2c        otherv3user
 
group MyRWGroup  usm        otherv3user
 
#...
 
  
##          incl/excl subtree                          mask
+
===Guest VMs===
view all    included  .1                              80
 
  
## -or just the mib2 tree-
+
*[[corn]] - Bugzilla bug tracker
  
#view mib2  included  .iso.org.dod.internet.mgmt.mib-2 fc
+
= Disks and Raid Configuration =
  
 +
Due to issues with the HD controller card in Tomato we are only using the bottom four hard drive bays, which are connected directly to SATA port on the motherboard.
  
##                context sec.model sec.level prefix read  write  notif
+
'''Disks and Raid configuration'''
access MyROGroup ""     any      noauth    exact      all    none  none
+
{| style="wikitable;" border="1"
access MyRWGroup ""     any      noauth    exact      all    all    all
+
! Drive Bay !! Disk Size !! Raid Type !! Raid level
 +
|-
 +
| 1 || 750 GB || Software RAID || Raid 1
 +
|-
 +
| 2 || 750 GB || Software RAID || Raid 1
 +
|-
 +
| 3 || 400 GB || Software RAID || Raid 1
 +
|-
 +
| 4 || 400 GB || Software RAID || Raid 1
 +
|}
 +
<br/>
  
 +
'''Volume Set and Partition configuration'''
 +
{| style="wikitable;"  border="1"
 +
! Raid device !! Volume set !! Volume size !! Mount Point
 +
|-
 +
| /dev/md0 &nbsp; || sdb1 & sdc1 || 50 GB || System (/)
 +
|-
 +
| /dev/md1 &nbsp; || sdb2 & sdc2 || 630 GB || /data0
 +
|-
 +
| /dev/md2 &nbsp; || sda1 & sdd1 || 343 GB || /data1
 +
|}
  
###############################################################################
+
= Special Considerations for Einstein (Historical) =
# Sample configuration to make net-snmpd RFC 1213.
+
This information no longer applies and is here for historical reasons. We no longer use amavisd, and so these instructions are not useful.
# Unfortunately v1 and v2c don't allow any user based authentification, so
 
# opening up the default config is not an option from a security point.
 
#
 
# WARNING: If you uncomment the following lines you allow write access to your
 
# snmpd daemon from any source! To avoid this use different names for your
 
# community or split out the write access to a different community and  
 
# restrict it to your local network.
 
# Also remember to comment the syslocation and syscontact parameters later as
 
# otherwise they are still read only (see FAQ for net-snmp).
 
#
 
  
# First, map the community name "public" into a "security name"
 
#      sec.name        source          community
 
#com2sec notConfigUser  default        public
 
  
# Second, map the security name into a group name:
+
Einstein is our mail server. That means it runs '''"amavisd"''' (a virus scanner) and '''"spamassasin"''' a spam filter. Both these codes have some issues with leaving junk around, slowly causing the "/" file system to fill up. When that happens, einstein stops functioning.
#      groupName      securityModel  securityName
 
#group  notConfigGroup  v1              notConfigUser
 
#group  notConfigGroup  v2c            notConfigUser
 
  
# Third, create a view for us to let the group have rights to:
+
Some cleanup can be done as follows:
# Open up the whole tree for ro, make the RFC 1213 required ones rw.
+
* stop amavisd and spamassasin:
#      name            incl/excl      subtree mask(optional)
+
service amavisd stop
#view    roview          included        .1
+
service spamassasin stop
#view    rwview          included        system.sysContact
+
* clean out some of their junk:
#view    rwview          included        system.sysName
+
rm /var/amavis/.razor/razor-agent.log
#view    rwview          included        system.sysLocation
+
touch /var/amavis/.razor/razor-agent.log
#view    rwview          included        interfaces.ifTable.ifEntry.ifAdminStatus
+
chown amavis:amavis /var/amavis/.razor/razor-agent.log
#view    rwview          included        at.atTable.atEntry.atPhysAddress
+
chmod o-r /var/amavis/.razor/razor-agent.log
#view    rwview          included        at.atTable.atEntry.atNetAddress
+
rm -f /var/virusmails/*  # (Sometimes there are so many, you have to delete in "chunks")
#view    rwview          included        ip.ipForwarding
+
rm -rf /tmp
#view    rwview          included        ip.ipDefaultTTL
+
* start up the mail stuff again.
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteDest
+
service amavisd start
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex
+
service spamassasin start
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric1
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric2
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric3
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric4
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteType
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteAge
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMask
 
#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric5
 
#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex
 
#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress
 
#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress
 
#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType
 
#view    rwview          included        tcp.tcpConnTable.tcpConnEntry.tcpConnState
 
#view    rwview          included        egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger
 
#view    rwview          included        snmp.snmpEnableAuthenTraps
 
  
# Finally, grant the group read-only access to the systemview view.
+
There may be other areas that can be clean up, as in all the archived mail from "mailman"? But at least this list will let einstein function again.
#      group          context sec.model sec.level prefix read  write  notif
 
#access  notConfigGroup ""     any      noauth    exact  roview rwview none
 
  
 
+
== Hot Swap Information ==
 
+
* Interesting thread to get sata-nv to hotswap: ([http://www.linuxquestions.org/questions/linux-hardware-18/sata-hotplug-hotswap-howto-570811])
###############################################################################
+
** There are drivers available for the MB sata, we could try them: [ftp://ftp.supermicro.com/driver/SATA/nVidia/MCP55/Linux/Non_RAID/Redhat/1.23/ Super Micro MB H8SMU drivers], BUT these appear to be standard Nvidia sata_nv driver.
# System contact information
+
* SAS Backplane: SAS825TQ
#
+
* SAT2-MV8 8-port SATA controller. Uses the sata-mv module which is NOT HOTPLUG CAPABLE. (see http://linux-ata.org/driver-status.html#matrix). THE ONLY WAY TO "HOT PLUG" with this driver is to dismount ALL the drives, then "modprobe -r sata-mv" (make sure it is really gone: lsmod | grep sata) then do the swap, then "modeprobe sata-mv" again.
 
 
# It is also possible to set the sysContact and sysLocation system
 
# variables through the snmpd.conf file:
 
 
 
syslocation Durham, NH, USA, University of New Hampshire, DeMeritt Hall
 
syscontact NPG Admins <npg-admins@einstein.unh.edu>
 
 
 
# Example output of snmpwalk:
 
#  % snmpwalk -v 1 localhost -c public system
 
#  system.sysDescr.0 = "SunOS name sun4c"
 
#  system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4
 
#  system.sysUpTime.0 = Timeticks: (595637548) 68 days, 22:32:55
 
#  system.sysContact.0 = "Me <me@somewhere.org>"
 
#  system.sysName.0 = "name"
 
#  system.sysLocation.0 = "Right here, right now."
 
#  system.sysServices.0 = 72
 
 
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# Process checks.
 
#
 
#  The following are examples of how to use the agent to check for
 
#  processes running on the host.  The syntax looks something like:
 
#
 
#  proc NAME [MAX=0] [MIN=0]
 
#
 
#  NAME:  the name of the process to check for.  It must match
 
#        exactly (ie, http will not find httpd processes).
 
#  MAX:  the maximum number allowed to be running.  Defaults to 0.
 
#  MIN:  the minimum number to be running.  Defaults to 0.
 
 
 
#
 
#  Examples (commented out by default):
 
#
 
 
 
#  Make sure mountd is running
 
#proc mountd
 
 
 
#  Make sure there are no more than 4 ntalkds running, but 0 is ok too.
 
#proc ntalkd 4
 
 
 
#  Make sure at least one sendmail, but less than or equal to 10 are running.
 
#proc sendmail 10 1
 
 
 
#  A snmpwalk of the process mib tree would look something like this:
 
#
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2
 
# enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1
 
# enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2
 
# enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3
 
# enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd"
 
# enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd"
 
# enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail"
 
# enterprises.ucdavis.procTable.prEntry.prMin.1 = 0
 
# enterprises.ucdavis.procTable.prEntry.prMin.2 = 0
 
# enterprises.ucdavis.procTable.prEntry.prMin.3 = 1
 
# enterprises.ucdavis.procTable.prEntry.prMax.1 = 0
 
# enterprises.ucdavis.procTable.prEntry.prMax.2 = 4
 
# enterprises.ucdavis.procTable.prEntry.prMax.3 = 10
 
# enterprises.ucdavis.procTable.prEntry.prCount.1 = 0
 
# enterprises.ucdavis.procTable.prEntry.prCount.2 = 0
 
# enterprises.ucdavis.procTable.prEntry.prCount.3 = 1
 
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1
 
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0
 
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0
 
# enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running."
 
# enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = ""
 
# enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = ""
 
# enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0
 
# enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0
 
# enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0
 
#
 
#  Note that the errorFlag for mountd is set to 1 because one is not
 
#  running (in this case an rpc.mountd is, but thats not good enough),
 
#  and the ErrMessage tells you what's wrong.  The configuration
 
#  imposed in the snmpd.conf file is also shown. 
 
#
 
#  Special Case:  When the min and max numbers are both 0, it assumes
 
#  you want a max of infinity and a min of 1.
 
#
 
 
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# Executables/scripts
 
#
 
 
 
#
 
#  You can also have programs run by the agent that return a single
 
#  line of output and an exit code.  Here are two examples.
 
#
 
#  exec NAME PROGRAM [ARGS ...]
 
#
 
#  NAME:     A generic name.
 
#  PROGRAM:  The program to run.  Include the path!
 
#  ARGS:    optional arguments to be passed to the program
 
 
 
# a simple hello world
 
 
 
#exec echotest /bin/echo hello world
 
 
 
# Run a shell script containing:
 
#
 
# #!/bin/sh
 
# echo hello world
 
# echo hi there
 
# exit 35
 
#
 
# Note:  this has been specifically commented out to prevent
 
# accidental security holes due to someone else on your system writing
 
# a /tmp/shtest before you do. Uncomment to use it.
 
#
 
#exec shelltest /bin/sh /tmp/shtest
 
 
 
# Then,
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8
 
# enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1
 
# enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2
 
# enterprises.ucdavis.extTable.extEntry.extNames.1 = "echotest"
 
# enterprises.ucdavis.extTable.extEntry.extNames.2 = "shelltest"
 
# enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/bin/echo hello world"
 
# enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/bin/sh /tmp/shtest"
 
# enterprises.ucdavis.extTable.extEntry.extResult.1 = 0
 
# enterprises.ucdavis.extTable.extEntry.extResult.2 = 35
 
# enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world."
 
# enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world."
 
# enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0
 
# enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0
 
 
 
# Note that the second line of the /tmp/shtest shell script is cut
 
# off.  Also note that the exit status of 35 was returned.
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# disk checks
 
#
 
 
 
# The agent can check the amount of available disk space, and make
 
# sure it is above a set limit. 
 
 
 
# disk PATH [MIN=100000]
 
#
 
# PATH: mount path to the disk in question.
 
# MIN:  Disks with space below this value will have the Mib's errorFlag set.
 
#        Default value = 100000.
 
 
 
# Check the / partition and make sure it contains at least 10 megs.
 
 
 
disk / 10000
 
disk /home 10000
 
#disk /var/lib/snmp/var_spool_imap 10000
 
#disk /var/lib/snmp/wheel 10000
 
 
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9
 
# enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0
 
# enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" Hex: 2F
 
# enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/dev/dsk/c201d6s0"
 
# enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000
 
# enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130
 
# enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325
 
# enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092
 
# enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58
 
# enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0
 
# enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = ""
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# load average checks
 
#
 
 
 
# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
 
#
 
# 1MAX:  If the 1 minute load average is above this limit at query
 
#        time, the errorFlag will be set.
 
# 5MAX:   Similar, but for 5 min average.
 
# 15MAX:  Similar, but for 15 min average.
 
 
 
# Check for loads:
 
#load 12 14 14
 
 
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10
 
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1
 
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2
 
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3
 
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = "0.49" Hex: 30 2E 34 39
 
# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = "0.31" Hex: 30 2E 33 31
 
# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = "0.26" Hex: 30 2E 32 36
 
# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = "12.00"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = "14.00"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = "14.00"
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = ""
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = ""
 
# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = ""
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# Extensible sections.
 
#
 
 
 
# This alleviates the multiple line output problem found in the
 
# previous executable mib by placing each mib in its own mib table:
 
 
 
# Run a shell script containing:
 
#
 
# #!/bin/sh
 
# echo hello world
 
# echo hi there
 
# exit 35
 
#
 
# Note:  this has been specifically commented out to prevent
 
# accidental security holes due to someone else on your system writing
 
# a /tmp/shtest before you do. Uncomment to use it.
 
#
 
# exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest
 
 
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50
 
# enterprises.ucdavis.50.1.1 = 1
 
# enterprises.ucdavis.50.2.1 = "shelltest"
 
# enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest"
 
# enterprises.ucdavis.50.100.1 = 35
 
# enterprises.ucdavis.50.101.1 = "hello world."
 
# enterprises.ucdavis.50.101.2 = "hi there."
 
# enterprises.ucdavis.50.102.1 = 0
 
 
 
# Now the Output has grown to two lines, and we can see the 'hi
 
# there.' output as the second line from our shell script.
 
#
 
# Note that you must alter the mib.txt file to be correct if you want
 
# the .50.* outputs above to change to reasonable text descriptions.
 
 
 
# Other ideas:
 
#
 
# exec .1.3.6.1.4.1.2021.51 ps /bin/ps
 
# exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top
 
# exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq
 
 
 
# -----------------------------------------------------------------------------
 
 
 
 
 
###############################################################################
 
# Pass through control.
 
#
 
 
 
# Usage:
 
#  pass MIBOID EXEC-COMMAND
 
#
 
# This will pass total control of the mib underneath the MIBOID
 
# portion of the mib to the EXEC-COMMAND. 
 
#
 
# Note:  You'll have to change the path of the passtest script to your
 
# source directory or install it in the given location.
 
#
 
# Example:  (see the script for details)
 
#          (commented out here since it requires that you place the
 
#          script in the right location. (its not installed by default))
 
 
 
# pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/local/passtest
 
 
 
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255
 
# enterprises.ucdavis.255.1 = "life the universe and everything"
 
# enterprises.ucdavis.255.2.1 = 42
 
# enterprises.ucdavis.255.2.2 = OID: 42.42.42
 
# enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42
 
# enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1
 
# enterprises.ucdavis.255.5 = 42
 
# enterprises.ucdavis.255.6 = Gauge: 42
 
#
 
# % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5
 
# enterprises.ucdavis.255.5 = 42
 
#
 
# % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string"
 
# enterprises.ucdavis.255.1 = "New string"
 
#
 
 
 
# For specific usage information, see the man/snmpd.conf.5 manual page
 
# as well as the local/passtest script used in the above example.
 
 
 
# Added for support of bcm5820 cards.
 
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
 
 
 
###############################################################################
 
# Further Information
 
#
 
#  See the snmpd.conf manual page, and the output of "snmpd -H".
 
</pre>
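Review bot: The added "Software and Services" and "IPTables" lines name Gourd ("the services and software on Gourd", "Gourd allows ssh, icmp, portmap and nfs connections") on a page that documents Tomato, so the firewall statement does not say what Tomato itself accepts; replace the hostname after checking Tomato's actual rules. In the added historical cleanup steps, "rm -rf /tmp" deletes the /tmp directory along with its contents, and "modeprobe sata-mv" in the hot swap bullet is a typo for modprobe. The added /etc/exports grants rw to all of 10.0.0.0/24 in addition to the two netgroups; if every legitimate client is already in @servers or @npg_clients, the subnet entry can be dropped.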
 

Latest revision as of 20:15, 22 September 2014

The hostname Tomato is currently being used for the rackmount server which was previously known as Einstein. If you're looking for information about the system formerly known as Tomato, it has been renamed Okra.

Currently tomato isn't used for anything critical, but it does serve as a secondary DNS server and VMWare host.

Hardware Information

SuperMicro H8SMU Motherboard
  • Motherboard: SuperMicro H8SMU
    • nVidia MCP55-Pro chipset
    • SAS Backplane: SAS825TQ
  • Dual-Core AMD Opteron 1218 Processor
  • 4 GB 333 MHz DDR Memory
  • Marvell Technology Group Ltd. MV88SX6081 8-port SATA II PCI-X
  • Two NVIDIA MCP55 Integrated Gigabit Ethernet Ports
  • Matshita DVD-ROM
  • ATI ES1000 Video


Motherboard User Manual

Network Configuration

Tomato has an ethernet cable connected to the switch for local (farm) connection, and uses a vlan configuration for the connection to the external (unh) network.

  • IP address UNH: 132.177.88.52 (eth1)
  • IP address Farm: 10.0.0.248 (eth0)
  • IP address IPMI: 10.0.0.148

Software and Services

This section contains details about the services and software on Gourd and information about their configurations.

IPTables

Tomato uses the standard NPG iptables firewall. Gourd allows ssh, icmp, portmap and nfs connections.

NFS Shares

Tomato serves two volumes over NFS. They are located at /data0 and /data1. They are accessible via automount in /net/tomato on our systems.

/etc/exports

 /data0  @servers(rw,sync) @npg_clients(rw,sync) \
         10.0.0.0/24(rw,sync)
 
 /data1	 @servers(rw,sync) @npg_clients(rw,sync) \
 	 10.0.0.0/24(rw,sync)
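
A way to review who these exports actually grant write access to, as an added example that is not part of the original page or of the NPG configuration: a small parser for the /etc/exports format shown above (backslash continuations, netgroups, CIDR clients) that flags read-write grants to address ranges. The function names and finding labels are hypothetical, and quoted paths and default-option lines are not handled.

```python
"""Audit /etc/exports text: list each (path, client, options) grant and flag
the broad or risky ones. Added example; all names here are hypothetical."""
import ipaddress
import re

# The /etc/exports content shown on this page.
EXPORTS_TEXT = r"""
/data0  @servers(rw,sync) @npg_clients(rw,sync) \
        10.0.0.0/24(rw,sync)

/data1  @servers(rw,sync) @npg_clients(rw,sync) \
        10.0.0.0/24(rw,sync)
"""

# client(opt,opt,...) where either part may be absent
SPEC_RE = re.compile(r"^(?P<client>[^()\s]*)(?:\((?P<opts>[^()]*)\))?$")


def logical_lines(text):
    """Yield non-empty lines with comments removed and continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        logical = (pending + line).strip()
        pending = ""
        if logical:
            yield logical
    if pending.strip():
        yield pending.strip()


def parse_exports(text):
    """Return a list of (path, client, set_of_options) tuples."""
    entries = []
    for logical in logical_lines(text):
        path, *specs = logical.split()
        for spec in specs:
            match = SPEC_RE.match(spec)
            if match is None:
                raise ValueError(f"cannot parse client spec: {spec!r}")
            opts = {o.strip() for o in (match.group("opts") or "").split(",")
                    if o.strip()}
            # An empty client name, as in "(rw)", means any host.
            entries.append((path, match.group("client") or "*", opts))
    return entries


def client_kind(client):
    """Classify a client field as netgroup, world, host, network, wildcard or hostname."""
    if client.startswith("@"):
        return "netgroup"
    if client == "*":
        return "world"
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "wildcard" if any(c in client for c in "*?[") else "hostname"
    return "host" if net.num_addresses == 1 else "network"


def audit(entries):
    """Return (path, client, finding) tuples for grants worth a second look."""
    findings = []
    for path, client, opts in entries:
        # exports(5): a grant is read-only unless rw is given.
        if "rw" in opts and client_kind(client) in ("network", "world", "wildcard"):
            findings.append((path, client, "rw-broad"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))
        if "insecure" in opts:
            findings.append((path, client, "insecure"))
    return findings


if __name__ == "__main__":
    for path, client, opts in parse_exports(EXPORTS_TEXT):
        print(f"{path:8} {client_kind(client):9} {client:14} {','.join(sorted(opts))}")
    for path, client, finding in audit(parse_exports(EXPORTS_TEXT)):
        print(f"FINDING {finding}: {path} -> {client}")
```

Netgroup grants are listed but not flagged, since their reach depends on the membership of @servers and @npg_clients, which this page does not show.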

VMWare

Tomato is running VMWare Server version 2.0.2. It acts as a secondary virtualization server. The VMWare management interface is accessible at https://tomato.unh.edu:8333/ or from localhost:8222 if you're logged in or port forwarding over SSH.

The VMWare datastore is located in /data0/vmware

Guest VMs

  • corn - Bugzilla bug tracker

Disks and Raid Configuration

Due to issues with the HD controller card in Tomato, we are only using the bottom four hard drive bays, which are connected directly to the SATA ports on the motherboard.

Disks and Raid configuration

Drive Bay   Disk Size   Raid Type       Raid level
1           750 GB      Software RAID   Raid 1
2           750 GB      Software RAID   Raid 1
3           400 GB      Software RAID   Raid 1
4           400 GB      Software RAID   Raid 1


Volume Set and Partition configuration

Raid device   Volume set    Volume size   Mount Point
/dev/md0      sdb1 & sdc1   50 GB         System (/)
/dev/md1      sdb2 & sdc2   630 GB        /data0
/dev/md2      sda1 & sdd1   343 GB        /data1

Special Considerations for Einstein (Historical)

This information no longer applies and is here for historical reasons. We no longer use amavisd, and so these instructions are not useful.


Einstein is our mail server. That means it runs "amavisd" (a virus scanner) and "spamassassin" (a spam filter). Both programs tend to leave junk around, slowly causing the "/" file system to fill up. When that happens, einstein stops functioning.

Some cleanup can be done as follows:

  • stop amavisd and spamassassin:
service amavisd stop
service spamassassin stop
  • clean out some of their junk:
rm /var/amavis/.razor/razor-agent.log
touch /var/amavis/.razor/razor-agent.log
chown amavis:amavis /var/amavis/.razor/razor-agent.log
chmod o-r /var/amavis/.razor/razor-agent.log
rm -f /var/virusmails/*   # (Sometimes there are so many, you have to delete in "chunks")
rm -rf /tmp/*   # empty /tmp; removing the directory itself would also discard its sticky-bit mode
  • start up the mail stuff again:
service amavisd start
service spamassassin start

There may be other areas that can be cleaned up, such as all the archived mail from "mailman", but at least this list will let einstein function again.

Hot Swap Information

  • Interesting thread on getting sata-nv to hotswap: http://www.linuxquestions.org/questions/linux-hardware-18/sata-hotplug-hotswap-howto-570811
    • There are drivers available for the motherboard SATA that we could try: Super Micro MB H8SMU drivers, BUT these appear to be the standard Nvidia sata_nv driver.
  • SAS Backplane: SAS825TQ
  • SAT2-MV8 8-port SATA controller. Uses the sata-mv module, which is NOT HOTPLUG CAPABLE (see http://linux-ata.org/driver-status.html#matrix). THE ONLY WAY TO "HOT PLUG" with this driver is to unmount ALL the drives, then "modprobe -r sata-mv" (make sure it is really gone: lsmod | grep sata), then do the swap, then "modprobe sata-mv" again.