Difference between revisions of "Infrastructure:Sysadmin Handbook"
imported>Pew
Revision as of 08:37, 3 January 2019
This page describes how to manage the infra. See rtfm.txt (https://vtluug.github.io/rtfm.txt) for a guide to build it from scratch.
This is NOT up to date as of 2019.
This covers setup of a Debian 9 VM on cyberdelia. This is current as of 2017-08-19.
Networks
We should have the following networks in place:
- Cyberdelia br0 on eth4 <--> eth1 on temp88191. This is the main LUUG network.
- 10.0.0.1/22 for VTLUUG NAT (echarlie thinks we should only use a /24)
- IPv6 via NDP proxying (static hosts configured in /root/scripts/router/ipv6/setup_ipv6.sh, but things should work without)
- Global IPv4s via ARP proxying (edit $Inside_Hosts in /root/scripts/router/ipv4/Nat). Gateway is 128.173.88.1/22.
- Internal VM network (10.99.0.1/24). This is useful for sharing NFS insecurely, but be aware it only works on cyberdelia. If we get more VM hosts, they won't be able to use it without network reconfiguration. Several hosts also use this for LDAP.
- "Internet" (a CNS portal) <--> eth0 on temp88191. LUUG only has one of these, and port security is probably enabled.
Most of our hosts consist of a "LUUG network" eth0 as the default route and an internal network for eth1.
DNS/DHCP:
- I think echarlie manages vtluug.org DNS? (It's on Namecheap. We should unfuck this.)
- jkh and Roddy own ece.vt.edu. DNS updates don't happen. echarlie can add IPv6-only records if needed to wuvt.vt.edu so we have PTRs.
- temp88191 runs DHCP and dnsmasq on eth1 (that is, 10.0.0.1/22). Edit /etc/dnsmasq.conf, add your static entries, and restart dnsmasq.
Auth
apt-get -y install sssd-ldap nscd
vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
debug_level = 5
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
homedir_substring = /home
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_search_base = dc=vtluug,dc=org
ldap_tls_reqcert = allow
ldap_uri = ldaps://razor.vtluug.org
Storage
apt-get -y install nfs-common
vim /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain
Domain = vtluug.org
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
vim /etc/fstab
10.99.0.1:/tank/nfs/home /home nfs soft,auto,nodev 0 0
10.99.0.1:/tank/nfs/share /tank/nfs/share nfs soft,auto,nodev,nosuid 0 0
10.99.0.1:/tank/nfs/scratch /tank/nfs/scratch nfs soft,auto,nodev,nosuid 0 0
10.99.0.1:/tank/nfs/files /tank/nfs/files nfs soft,auto,nodev,nosuid 0 0
mkdir -p /tank/nfs/{share,scratch,files}
systemctl restart sssd
mount -a
Testing
To verify that this worked: su to your user, cd, and you should be able to modify your files.
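As an added example (not from the wiki or the VTLUUG scripts), a POSIX sh lint for the sssd.conf and fstab fragments from the Auth and Storage steps above. It flags the settings a reviewer would question on this page: ldap_tls_reqcert = allow (the LDAP server certificate is never verified), a plain ldap:// URI without START_TLS, and NFS mounts lacking nosuid/nodev or Kerberos security (the /home line above is sec=sys with no nosuid). The two sample inputs are constructed to mirror the page; pass the real files to check a host.

```sh
# Added example, not from the wiki: a POSIX sh lint for the sssd.conf and
# fstab fragments in the Auth and Storage steps. The two samples are
# constructed to mirror the page; pass real files to check a host.
SSSD_SAMPLE='[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_search_base = dc=vtluug,dc=org
ldap_tls_reqcert = allow
ldap_uri = ldaps://razor.vtluug.org'
FSTAB_SAMPLE='10.99.0.1:/tank/nfs/home /home nfs soft,auto,nodev 0 0
10.99.0.1:/tank/nfs/share /tank/nfs/share nfs soft,auto,nodev,nosuid 0 0'
SSSD_FILE=$(mktemp); printf '%s\n' "$SSSD_SAMPLE" > "$SSSD_FILE"
FSTAB_FILE=$(mktemp); printf '%s\n' "$FSTAB_SAMPLE" > "$FSTAB_FILE"

# lint_sssd <file>: one finding per output line (sssd's own default for
# ldap_tls_reqcert is "hard", so an unset key is treated as verifying).
lint_sssd() {
    reqcert=$(sed -n 's/^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    case "${reqcert:-hard}" in
        demand|hard) ;;
        *) echo "sssd: ldap_tls_reqcert=$reqcert accepts an unverified server cert; use demand" ;;
    esac
    # a plain ldap:// URI without START_TLS sends bind passwords in the clear
    if grep -q '^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*ldap://' "$1" &&
       ! grep -q '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*[Tt]rue' "$1"; then
        echo "sssd: ldap_uri is plain ldap:// and ldap_id_use_start_tls is not set"
    fi
}

# lint_fstab <file>: per NFS mount, report missing client-side hardening.
lint_fstab() {
    while read -r src mnt type opts rest; do
        case "$src" in ''|'#'*) continue ;; esac
        case "$type" in nfs|nfs4) ;; *) continue ;; esac
        case ",$opts," in *,nosuid,*) ;; *) echo "fstab: $mnt lacks nosuid" ;; esac
        case ",$opts," in *,nodev,*) ;; *) echo "fstab: $mnt lacks nodev" ;; esac
        # without sec=krb5* the server trusts whatever UID the client asserts
        case ",$opts," in *,sec=krb5*) ;; *) echo "fstab: $mnt uses sec=sys (client-asserted UIDs)" ;; esac
    done < "$1"
}

echo "== $SSSD_FILE =="; lint_sssd "$SSSD_FILE"
echo "== $FSTAB_FILE =="; lint_fstab "$FSTAB_FILE"
```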