The Dice Project


DICE Meeting 2002-05-31

Kings Buildings, JCMB 2509

Present

gdmr, iainr, neilb, timc, sxw, jmho, ajs

Previous Actions

  1. Profile server
  2. Filesystems
  3. LDAP population
  4. Kerberos at installation
  5. Order of kerberos/localauth on laptops
  6. Root account
  7. Misc stuff

New agenda items

  1. AMD problems
  2. Minimal client features
  3. Multihomed machines
  4. Laptops
  5. Bugzilla

Profile server

Tim and AJS have DICEified the site specific header for 7.1 inf.ed.ac.uk machines and many machines are now using the new profile server.

Simon has setup a minimal RFE server on the new profile server and the LCFG rfe component is now in service.

The proposed path for the site specific .def files is no longer appropriate now that Paul wants these to be available on both servers and clients. AJS will propose a new path.

ACTION: ajs

Filesystems

GDMR has nearly completed the code to transform LDAP home directory info and partition table info into LDAP data suitable for use by amd. It has to be run by hand for now. /legacy is still to be done; this requires some ldapsync enhancements.

ACTION: gdmr/sxw

In order to keep the partition info in LDAP up-to-date, one option would be to make Ken's original partition table feed file "rfe-editable", and then trigger updates into LDAP. This is done, apart from the trigger updates.

ACTION: timc/sxw

Simon will add a zero length check on input to ldapsync, as an extra sanity check.

ACTION: sxw

Tim and Ken have populated the homeDir, homePartition and homeSubdir attributes of the People object with valid data, so that George can try extracting this to create home dir maps from this info, rather than using the existing hesiod.

Tim suggested that it would be good to pull hesiod from DNS, as soon as possible after amd is using LDAP maps, to prove that we're not using hesiod at all.

ACTION: gdmr

AJS pointed out that we need to replace the hesiod /export/local, /usr/local and /useful/srpms maps with symlink equivalents before pulling hesiod from DNS. We can't implement the final package file structure until the new RPM/SRPM repository is in place, but he will cobble something similar using symlinks for now.

ACTION: ajs

We also need to keep up-to-date the list of "trusted" machines to which legacy NFS fileservers export their filesystems. One option is to generate the list of trusted hosts from a spanning map and export it to the legacy fileservers via rsync or http. It was agreed that, since this is a short term measure, instead of creating yet another spanning map we would add a temporary field called "exportto" to the inventory spanning map; the resulting list would then be exported off the inventory server by http or rsync.

ACTION: ajs

LDAP population

Simon reported that roles are still not in service, and won't be for another couple of weeks. This means that we can't use roles to control who can log onto which machine. We need minimal access control before letting users use machines; for the time being we can use the PAM access module, allowing ALL on just the multi-user login servers and only sysmans (by netgroup) on everything else.
people
still running with snapshot data - Neil hopes to be creating *real* accounts by end of May. His support scripts are all implemented, but are in the process of being tested.
ACTION: neilb
hosts
Simon will generate from a spanning map (the spanning map is now in place)
ACTION: sxw
printing
still running with snapshot data. Not clear whether this will be mastered in LDAP. The printing task needs to be approached.
ACTION: ???
roles/netgroups
primary and secondary roles will come from the account technology task code. Other roles will come from RFE editable text files, on a machine to be determined. We will not hack nss_ldap on the clients to handle netgroups; netgroups will come directly from LDAP instead. Who is going to identify capabilities? Tim and Simon will look at some dummy roles to play with.
ACTION: sxw/timc
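The interim PAM access policy described under LDAP population above, written out as an added example (not part of the original minutes). The file format is that of Linux-PAM's pam_access (/etc/security/access.conf, one rule per line: permission : users : origins); the netgroup name "sysmans" is taken from the minutes, the split into two per-class files is an assumption about how the LCFG profile would deliver it.

```conf
# Added example, not a DICE config file. Format: permission : users : origins
#
# /etc/security/access.conf on a multi-user login server:
# any account may log in from any origin.
+ : ALL : ALL

# /etc/security/access.conf on every other machine:
# only members of the sysmans netgroup (@ = netgroup lookup via NSS) get in.
+ : @sysmans : ALL
# pam_access GRANTS access when no line matches, so the deny-all line
# below is what actually locks everyone else out.
- : ALL : ALL
```

For the rules to be consulted at all, the service's /etc/pam.d file needs an account-type entry for the module (account required pam_access.so). Two caveats worth noting against the minutes: the @sysmans match depends on the netgroup NSS source, so if netgroups are served from LDAP and the directory is unreachable the deny-all line locks out the sysmans too; and root is not special-cased here, so a service that includes pam_access will apply the same rules to root logins.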

Kerberos at installation

Technicians often install machines, so they should get install principals that only have rights to create machine principals. Tim has tested that this works, but the individual install principals still need creating.
ACTION: timc
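An added example of what the restricted technician principals above look like as a kadmind ACL; this is not a DICE file. It assumes MIT Kerberos' kadm5.acl format (principal, permission letters, optional target principal pattern), the realm name INF.ED.AC.UK, and an "install" instance for technician principals; none of those details are stated in the minutes.

```conf
# Added example, not a DICE config file (MIT kadm5.acl format, assumed).
# Realm name and the */install naming are assumptions.

# full administrators keep all rights on everything
*/admin@INF.ED.AC.UK     *

# technician install principals: a = add principals, c = change/randomise
# keys, restricted to host/ principals only. They cannot list, inquire,
# modify or delete anything, and cannot touch user or service principals.
*/install@INF.ED.AC.UK   ac    host/*@INF.ED.AC.UK
```

The "c" right is needed because extracting a fresh host key into a keytab (kadmin ktadd) randomises the key, which counts as a change-key operation. The caveat is that the same right lets an install principal re-key any existing host/ principal in the realm, not only newly created ones, so a compromised technician credential can still be used to take over an already-installed machine's identity; the ACL limits the class of principals reachable, not the age of the target.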

Order of Kerberos/local auth on laptops

The current order for PAM based authentication is kerberos, followed by localauth. Although this is suitable for desktop machines, it is arguably the incorrect order for laptops where the user wants more control of when the laptop communicates with other machines. Simon, Paul and AJS had discussed this without any agreement.
ACTION: open-issue

Root account

It was agreed that unifying the single-user root password with the multi-user root password, for any given machine, was necessary.

The single-user root password currently comes from /etc/{passwd,shadow} courtesy of the auth component. The multi-user root password is created by the kerberos component, and is stored in /etc/localpasswd in a kerberos encrypted form for use by the PAM localauth module.

Possibly the best solution is to look at changing the single user code to understand the /etc/localpasswd format (by linking against the kerberos libraries).

Another possibility had been to write a PAM module that authenticates all root logins against /etc/passwd, but that is less secure: the root password would have to be carried in the profile as a simple MD5 hash, and profiles are world readable.

ACTION: sxw/ajs to discuss further

Misc

machine purchases
machines have been allocated to act as site network configuration servers and backup transit routers.
console servers at FH/BP
it was agreed that we will need console servers at FH and BP. Iain has ordered up appropriate cyclades kit (32 ports per site) plus appropriate spares.


AMD problems

We don't think there were problems with 6.0.7, but they started with 6.1alpha5, and don't appear to be directly related to LDAP. GDMR is not setting the block size field, and will try to recreate the maps as identical to the old ones as possible. Backporting LDAP to 6.0.7 would be horrible. Cranking back to NFS V2 appears to fix things, but this has not been tested widely; it will be done ASAP for wider testing.

Minimal client features

The features required to be working for a minimal client were discussed :-

Multihomed machines

AJS reported that he had found the bug in the installroot that caused problems for kerberos for multi-homed machines at install time.

Laptop support

Folk would really like this ASAP. AJS will revisit and evaluate what needs to be done, how long it will take, and what won't/doesn't work (eg IP filtering will need to be completely revisited). He will have a look through the existing laptop.h.
ACTION: ajs

Bugzilla

Simon requested that bugzilla.inf.ed.ac.uk be moved onto a more supported 7.1 DICE machine, from its current home on dice3. AJS reported that the intention was for bugzilla to be installed on the RPM/SRPM master server, but that is yet to be installed. Simon and AJS will discuss moving bugzilla.inf.ed.ac.uk in the interim.
ACTION: sxw/ajs

Next meeting

No time set.



Unless explicitly stated otherwise, all material is copyright The University of Edinburgh