Difference between revisions of "Infrastructure:Sysadmin Handbook"

From the Linux and Unix Users Group at Virginia Tech Wiki
imported>Pew
Previous revision (the text replaced by the revision of 3 January 2019 shown below):

'''Refer to [[Infrastructure:Host Deployment Guide]] until we fix the wiki deletion issue'''

This page describes how to build the infrastructure from scratch, as well as manage it in general.

== Networking ==
* Set up physical boxes based on the [[Infrastructure:Diagram|Diagram]]
* Determine the IP addresses based on [[Infrastructure:Network|Network]]

=== Router ===

Configure /etc/network/interfaces:

<nowiki>
# v6
iface $EXTERNAL_IF inet6 auto
iface $INTERNAL_IF inet6 static
    address $INTERNAL_IPv6
    netmask 128
    # Enable internal network to access router's external v6 address
    pre-up ip route add $EXTERNAL_IPv6 via $INTERNAL_IPv6
    # Enable NDP Proxying so internal boxes get SLAAC
    pre-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    pre-up echo 2 > /proc/sys/net/ipv6/conf/all/accept_ra

# VTLUUG Private Network v4
iface $INTERNAL_IF inet static
    address $INTERNAL_IPv4
    netmask 255.255.255.0

# Additional IPs
iface $EXTERNAL_IF inet static
    address $EXTERNAL_IPv4
    gateway 128.173.88.1
    broadcast 128.173.91.255
    netmask 255.255.252.0
    # Nat Settings
    # TODO this probably doesn't work
    pre-up tc action nat egress 10.99.0.0/24 $EXTERNAL_IP
    # Enable ARP Proxying so internal v4 addresses are accessible
    pre-up echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
    pre-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # Route internal v4 addresses: one host route per proxied box
    up ip route add $JOEY_EXTERNAL_IPv4/32 dev $INTERNAL_IF
    up ip route add $CRASHANDBURN_EXTERNAL_IPv4/32 dev $INTERNAL_IF
    up ip route add $SCZI_EXTERNAL_IPv4/32 dev $INTERNAL_IF
    up ip route add $ACIDBURN_EXTERNAL_IPv4/32 dev $INTERNAL_IF
    up ip route add $ZEROCOOL_EXTERNAL_IPv4/32 dev $INTERNAL_IF
    up ip route add $MIRROR_EXTERNAL_IPv4/32 dev $INTERNAL_IF
</nowiki>

Next, set up NDP proxying.

Configure /etc/ndppd.conf (it may not already exist):

<nowiki>
# Rather than only listening on each individual IPv6 address, we
#  simply forward all solicitations. The main advantage is that we
#  don't have to add any additional routing rules if a new internal
#  device is added.
route-ttl 30000
address-ttl 30000

# External interface to listen on
proxy $EXTERNAL_IF {
    router yes
    timeout 500
    autowire no
    keepalive yes
    retries 3
    promiscuous no
    ttl 30000

    # Prefix to listen on
    rule ::/0 { # TODO might change prefix
        # Internal interface to forward everything to
        iface $INTERNAL_IF
        autovia no
    }
}
</nowiki>

Now start '''and''' enable ndppd.service.

=== Everything Else not run under oVirt ===

==== Debian ====

Configure /etc/network/interfaces:

<nowiki>
# v6
iface $INTERFACE inet6 auto

auto $INTERFACE
iface $INTERFACE inet static
    address $INTERNAL_IPv4
    gateway 10.99.0.1
    netmask 255.255.255.0

# Additional IPs - Only do this if this box has an external IP
iface $INTERFACE inet static
    address $EXTERNAL_IPv4
    gateway 128.173.88.1
    netmask 255.255.252.0
</nowiki>

==== Centos ====

Configure /etc/sysconfig/network-scripts/ifcfg-$INTERFACE:

<nowiki>
ONBOOT="yes"
NM_CONTROLLED="no"
BOOTPROTO="static"
IPADDR0="$INTERNAL_IPv4"
GATEWAY0="10.99.0.1"
NETMASK0="255.255.255.0"
# Additional IPs - Only do this if this box has an external IP
IPADDR1="$EXTERNAL_IPv4"
GATEWAY1="128.173.88.1"
NETMASK1="255.255.252.0"
</nowiki>

== Other stuff ==

[[Category:Infrastructure]]
[[Category:Howtos]]
[[Category:Needs restoration]]

Revision as of 08:37, 3 January 2019

This page describes how to manage the infra. See rtfm.txt (https://vtluug.github.io/rtfm.txt) for a guide to build it from scratch.

This is NOT up to date as of 2019.

This covers setup of a Debian 9 VM on cyberdelia. This is current as of 2017-08-19.

Networks

We should have the following networks in place:

  • Cyberdelia br0 on eth4 <--> eth1 on temp88191. This is the main LUUG network.
    • 10.0.0.1/22 for VTLUUG NAT (echarlie thinks we should only use a /24)
    • IPv6 via NDP proxying (static hosts configured in /root/scripts/router/ipv6/setup_ipv6.sh, but things should work without)
    • Global IPv4s via ARP proxying (edit /root/scripts/router/ipv4/Nat and edit $Inside_Hosts). Gateway is 128.173.88.1/22.
  • Internal VM network (10.99.0.1/24). This is useful for sharing NFS insecurely, but be aware it only works on cyberdelia. If we get more VM hosts, they won't be able to use it without network reconfiguration. Several hosts also use this for LDAP
  • "Internet" (a CNS portal) <--> eth0 on temp88191. LUUG only has one of these, and port security is probably enabled.

Most of our hosts consist of a "LUUG network" eth0 as the default route and an internal network for eth1.

DNS/DHCP:

  • I think echarlie manages vtluug.org DNS? (It's on Namecheap. We should unfuck this)
  • jkh and Roddy own ece.vt.edu. DNS updates don't happen. echarlie can add IPv6-only records if needed to wuvt.vt.edu so we have PTRs.
  • temp88191 runs DHCP and dnsmasq on eth1 (that is, 10.0.0.1/22). Edit /etc/dnsmasq.conf, add your static entries, and restart dnsmasq.

Auth

  • apt-get -y install sssd-ldap nscd
  • vim /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
debug_level = 5

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
homedir_substring = /home

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_search_base = dc=vtluug,dc=org
ldap_tls_reqcert = allow
ldap_uri = ldaps://razor.vtluug.org
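An added check for that sssd.conf, written for this edit rather than taken from the wiki or the VTLUUG scripts: it audits the [domain/LDAP] keys above for the settings that decide whether a client can be fed a fake LDAP server. The one worth noticing on this page is ldap_tls_reqcert = allow, which makes sssd accept a server certificate it cannot verify, so whoever answers for razor on the network sees every bind password; the script flags that, checks that each ldap_uri is ldaps:// (or StartTLS is forced), and checks that the file is not group- or world-readable. The sample configs it writes to a temp directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the wiki page or the VTLUUG scripts: audit an
# sssd.conf for client-side LDAP settings that weaken authentication. It
# checks the keys the page's [domain/LDAP] section uses, against constructed
# copies written to a temp directory (file names and contents are assumptions).

# conf_get FILE KEY: print the last "KEY = value" in an INI-style sssd.conf.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_sssd_conf FILE: print one FINDING line per problem; exit 0 if clean, 1 otherwise.
audit_sssd_conf() {
    conf="$1"
    findings=0

    # "allow" and "never" accept an unverifiable server certificate, so anyone
    # who can answer for the LDAP server on the network collects passwords at
    # bind time; "try" proceeds if the server presents no certificate at all.
    # sssd's own default is "hard", so an absent key is fine.
    reqcert=$(conf_get "$conf" ldap_tls_reqcert)
    case "${reqcert:-hard}" in
        demand|hard) ;;
        *)  echo "FINDING: ldap_tls_reqcert = $reqcert (set it to demand)"
            findings=$((findings + 1)) ;;
    esac

    # Binds must be encrypted: every ldap_uri is ldaps://, or StartTLS is forced.
    starttls=$(conf_get "$conf" ldap_id_use_start_tls)
    for uri in $(conf_get "$conf" ldap_uri | tr ',' ' '); do
        case "$uri" in
            ldaps://*) ;;
            *)  if [ "$starttls" != "true" ]; then
                    echo "FINDING: $uri is not ldaps:// and ldap_id_use_start_tls is not true"
                    findings=$((findings + 1))
                fi ;;
        esac
    done

    # The file can carry a bind password; sssd refuses to start unless it is
    # mode 0600 and owned by root, and a group/world-readable copy leaks it.
    if [ -n "$(find "$conf" -perm -g+r -o -perm -o+r 2>/dev/null)" ]; then
        echo "FINDING: $conf is readable by group or others (chmod 0600)"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample configs: the page's settings as "weak" (ldap_tls_reqcert = allow),
# a cleartext ldap:// variant, and a hardened copy that requires certificate verification.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/weak.conf" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_search_base = dc=vtluug,dc=org
ldap_tls_reqcert = allow
ldap_uri = ldaps://razor.vtluug.org
EOF
sed 's#^ldap_uri = ldaps://#ldap_uri = ldap://#' "$WORK/weak.conf" > "$WORK/plain.conf"
sed 's/^ldap_tls_reqcert = allow/ldap_tls_reqcert = demand/' "$WORK/weak.conf" > "$WORK/hard.conf"
chmod 0644 "$WORK/weak.conf"   # deliberately too open, to exercise the permission check
chmod 0600 "$WORK/plain.conf" "$WORK/hard.conf"

for f in weak plain hard; do
    if audit_sssd_conf "$WORK/$f.conf"; then echo "$f.conf: clean"; else echo "$f.conf: has findings"; fi
done
```

Run it as root on a host after editing sssd.conf; the weak copy above reports two findings (the allow setting and the 0644 mode), the cleartext copy two (allow and ldap://), and the hardened copy none.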

Storage

  • apt-get -y install nfs-common
  • vim /etc/idmapd.conf

[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain
Domain = vtluug.org

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

  • vim /etc/fstab

10.99.0.1:/tank/nfs/home     /home              nfs  soft,auto,nodev         0  0
10.99.0.1:/tank/nfs/share    /tank/nfs/share    nfs  soft,auto,nodev,nosuid  0  0
10.99.0.1:/tank/nfs/scratch  /tank/nfs/scratch  nfs  soft,auto,nodev,nosuid  0  0
10.99.0.1:/tank/nfs/files    /tank/nfs/files    nfs  soft,auto,nodev,nosuid  0  0

  • mkdir -p /tank/nfs/{share,scratch,files}
  • systemctl restart sssd
  • mount -a
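An added fstab check, not part of the wiki page: it reads the NFS client entries and flags mounts missing nosuid or nodev, and notes where sec= is left at the AUTH_SYS default that the Networks section calls "sharing NFS insecurely". Run against a constructed copy of the page's four entries it reports one finding, /home, the only export mounted without nosuid. The temp-file path and the root filesystem line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: check NFS client entries in an fstab
# for the mount options the page's entries mostly set, and report where they differ.
# Runs against a constructed copy of the page's fstab (temp file; path is an assumption).

# has_opt OPTS NAME: true if comma-separated OPTS contains NAME or NAME=value.
has_opt() {
    case ",$1," in
        *",$2,"*|*",$2="*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_nfs_fstab FILE: one FINDING per missing protection; exit 0 if clean, 1 otherwise.
audit_nfs_fstab() {
    findings=0
    while read -r src mnt fstype opts _dump _pass; do
        case "$src" in ''|'#'*) continue ;; esac        # skip blank lines and comments
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac

        # nosuid: a setuid binary on the export runs with its owner's privileges on
        # every client that honours it, and with sec=sys the owner is whatever UID
        # another host wrote it as. The page sets nosuid on share/scratch/files but
        # not on /home, which is the export users write to most.
        has_opt "$opts" nosuid || { echo "FINDING: $mnt lacks nosuid"; findings=$((findings + 1)); }
        # nodev: device nodes on a network filesystem should never be honoured locally.
        has_opt "$opts" nodev  || { echo "FINDING: $mnt lacks nodev";  findings=$((findings + 1)); }
        # With sec=sys (the default) the server believes the UID the client sends,
        # which is why the page keeps these exports on the internal 10.99.0.0/24 only.
        case ",$opts," in
            *",sec=krb5"*) ;;
            *) echo "NOTE: $mnt relies on sec=sys (AUTH_SYS): the server trusts the UID this client claims" ;;
        esac
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Constructed copy of the page's fstab entries, plus a root filesystem line for contrast.
FSTAB=$(mktemp)
trap 'rm -f "$FSTAB"' EXIT
cat > "$FSTAB" <<'EOF'
# constructed sample fstab
UUID=00000000-0000-0000-0000-000000000000 / ext4 errors=remount-ro 0 1
10.99.0.1:/tank/nfs/home    /home             nfs soft,auto,nodev        0 0
10.99.0.1:/tank/nfs/share   /tank/nfs/share   nfs soft,auto,nodev,nosuid 0 0
10.99.0.1:/tank/nfs/scratch /tank/nfs/scratch nfs soft,auto,nodev,nosuid 0 0
10.99.0.1:/tank/nfs/files   /tank/nfs/files   nfs soft,auto,nodev,nosuid 0 0
EOF

if audit_nfs_fstab "$FSTAB"; then echo "fstab: clean"; else echo "fstab: has findings"; fi
```

Point it at /etc/fstab on a real client with `audit_nfs_fstab /etc/fstab`; the NOTE lines are informational, since moving to sec=krb5 needs a KDC the page does not describe, but the FINDING on /home is a one-word fix.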

Testing

To verify that this worked: su to your user, cd, and you should be able to modify your files.