Difference between revisions of "Infrastructure Management"

From CSLabsWiki
Line 1 (previous revision) / Line 1 (this revision):
This page serves to be a quick but complete reference of various infrastructure-related tasks.
+ [[Category:Internal How-Tos]]   (line added in this revision)
== Emergency operations: I '''NEED''' to... ==

Revision as of 12:18, 2 September 2015

This page is meant as a quick but complete reference for various infrastructure-related tasks.

Emergency operations: I NEED to...

...disconnect the Internet.

Warning! This disconnects the network from the Internet!
This will disconnect all services, including important, public-facing ones such as Mirror, Docs, and Talos' DNS. This should only be done as an absolute last resort, after confirming that the lab's network is responsible for some network/Internet aberration (e.g., compromised client) that cannot otherwise be resolved in a timely fashion. Obviously, this will be very disruptive to internal clients as well.
 
Privilege level: Server room
 


Operations: How do I...

...list users?

Method 1 (LDAP information, as seen by users on enrolled machines)

Privilege level: Users
 

On any enrolled machine, run getent passwd and look at the entries whose UID (third field) is >= 1000000 (one million); those are the LDAP users.

Method 2 (LDAP information, raw query)

Privilege level: Anyone
 

On any machine with the OpenLDAP client binaries, run ldapsearch -H ldap://talos.cslabs.clarkson.edu/ -D "" -b ou=users,dc=cslabs,dc=clarkson,dc=edu and try to grok the resulting LDIF.

Method 3 (Kerberos user principals)

Privilege level: Administrators
 
  1. Login to kadmin: on any enrolled machine, run kadmin (kadmin -p username/admin), where username/admin is your administrative Kerberos principal. Additionally, on Talos, you can use kadmin.local as root.
  2. Run getprincs.

...create a new user?

Privilege level: Administrators
 
  1. First, login to PLA: navigate to phpLDAPAdmin on Talos, accept any certificate, click "Login" on the left, and enter the full DN of your account (for example, cn=lannonbr,ou=users,dc=cslabs,dc=clarkson,dc=edu) as the username, as well as your password.
  2. Expand dc=cslabs,dc=clarkson,dc=edu, then expand ou=users.
  3. Click Create new entry here immediately under ou=users.
  4. In the right pane, select Generic: User Account.
  5. Enter relevant account information, setting the following attributes. (This is going to be a little challenging, because some of the fields automatically populate from other fields. Check your work before saving it.)
    • User ID must be a valid Unix username. cn is traditionally set to the same value. (These fields like to populate from name, so change them after name.)
    • GID number should almost always be users (it's actually a drop-down).
    • Home directory should be /mnt/home/username. This will be set up momentarily.
    • Login shell can be left to the user's preference, but should be set to /bin/sh for maintainers and administrators, so they are not refused a session on a machine that lacks a particular shell.
    • The UID Number cannot be changed here. It will be done after saving.
  6. Critical section: perform these steps as a single transaction, and as quickly as possible! Click Create Object, and accept the changes. From the next screen in the right pane, confirm adding the object; then, immediately go to the newly added object and change the UID Number field to a proper value (ours start at one million [1000000] and go up; use getent passwd on any enrolled machine to get the current ID mappings and choose one that isn't allocated). Click Update Object, then again click through to confirm the changes.
  7. Double-check the fields while you're here; if you need to change anything, do so, click Update Object, and click through the confirmation.
  8. Have the user type their password in the password field; make sure to set the hash method to ssha (or something stronger than MD5). Update Object, click through to confirm.
  9. If the user is to be a member of other groups, enter the ou=groups unit in the left pane and select the relevant groups. From the right pane, you may select modify group members under the memberUID field. After you're done modifying the members, remember to click through the confirmation.
  10. Then, login to kadmin: on any enrolled machine, run kadmin (kadmin -p username/admin), where username/admin is your administrative Kerberos principal. Additionally, on Talos, you can use kadmin.local as root.
  11. Run addprinc username. Have the user enter their password, which should, for ease of use, be the same as the LDAP password.
  12. For administrators, also run addprinc username/admin for an administrative principal (one to use with kadmin etc.). This should not be the same password.
  13. Finally, login to Metapod
  14. cd to /storage/home/, and mkdir username. Then, chown username:users username

That should be it!
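The two getent passwd checks above (listing LDAP users in method 1, and picking an unallocated UID at or above one million in step 6) as an added example; this is not the wiki's own script. The function names and the passwd lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the wiki: filter passwd-format lines the way method 1
# describes, and find the next unallocated UID in the lab's >= 1000000 range.
# The sample lines below are constructed, not real lab accounts.
LDAP_UID_MIN=1000000

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Local Alice:/home/alice:/bin/bash
lannonbr:x:1000000:100:Lab User:/mnt/home/lannonbr:/bin/sh
bob:x:1000001:100:Lab User:/mnt/home/bob:/bin/bash
carol:x:1000003:100:Lab User:/mnt/home/carol:/bin/zsh'

# Read passwd-format lines on stdin; print the username of each entry whose
# UID (field 3) is in the LDAP range, i.e. the centrally managed users.
list_ldap_users() {
    awk -F: -v min="$LDAP_UID_MIN" '$3 + 0 >= min + 0 { print $1 }'
}

# Read passwd-format lines on stdin; print the lowest UID >= LDAP_UID_MIN that
# no entry uses. This reuses gaps (1000002 in the sample), so a UID freed by
# deleting a user comes back: any files that user left under /storage/home
# would then belong to the new account. Check for leftovers before reusing it.
next_free_uid() {
    awk -F: -v min="$LDAP_UID_MIN" '
        $3 + 0 >= min + 0 { used[$3] = 1 }
        END { u = min + 0; while (u in used) u++; print u }'
}

# Stand-alone run against the sample; on an enrolled machine, pipe
# `getent passwd` into the functions instead.
printf '%s\n' "$SAMPLE_PASSWD" | list_ldap_users
printf '%s\n' "$SAMPLE_PASSWD" | next_free_uid
```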

...change a password?

Privilege level: Administrators
 

This is very similar to the above--you'll need to do this in two places, again, sorry.

  1. (For setting only the password of an administrative principal, skip to the KAdmin section, below.)
  2. First, login to PLA: navigate to phpLDAPAdmin on Talos, accept any certificate, click "Login" on the left, and enter the full DN of your account (for example, cn=lannonbr,ou=users,dc=cslabs,dc=clarkson,dc=edu) as the username, as well as your password.
  3. Expand ou=users,dc=cslabs,dc=clarkson,dc=edu in the left pane, and find the user.
  4. Instruct the user to enter their password in the two password fields (warning: the tab order is wrong; from the keyboard, you need to enter password<Tab><Tab>password).
  5. Ensure the hash (the dropdown to the right) is still ssha or similarly secure (not "clear").
  6. Click Update Object, then confirm the changes.
  7. Then, login to kadmin: on any enrolled machine, run kadmin (kadmin -p username/admin), where username/admin is your administrative Kerberos principal. Additionally, on Talos, you can use kadmin.local as root.
  8. Issue cpw username, and instruct the user to enter their password at the prompt. This should generally be the same as the LDAP password.
  9. For administrative principals, also issue cpw username/admin and do the same. This should not be the same as the LDAP password.

That's it!
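Step 8 of user creation and step 5 above both ask that the LDAP password be stored with ssha rather than MD5 or clear. The following added example (not the wiki's own tooling) audits an LDIF dump, in the shape the method 2 ldapsearch prints, for entries that break that rule. The function names are hypothetical, the LDIF is constructed, and base64(1) is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the wiki: audit an LDIF dump of ou=users for password
# hash schemes weaker than the ssha these steps require. Assumes base64(1);
# the LDIF below is constructed, not real lab data.

b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Shaped like the method-2 ldapsearch output; OpenLDAP prints userPassword
# base64-encoded after a double colon. The decoded values are the b64() args.
SAMPLE_LDIF="dn: cn=lannonbr,ou=users,dc=cslabs,dc=clarkson,dc=edu
uid: lannonbr
userPassword:: $(b64 '{SSHA}fakesaltedhash')

dn: cn=bob,ou=users,dc=cslabs,dc=clarkson,dc=edu
uid: bob
userPassword:: $(b64 '{MD5}fakehash')

dn: cn=carol,ou=users,dc=cslabs,dc=clarkson,dc=edu
uid: carol
userPassword:: $(b64 'plaintextsecret')

dn: cn=dave,ou=users,dc=cslabs,dc=clarkson,dc=edu
uid: dave"

# Scheme name from a userPassword value ({SSHA}... -> SSHA); a value with no
# {SCHEME} prefix is stored as cleartext and is reported as CLEAR.
scheme_of() {
    s=$(printf '%s' "$1" | sed -n 's/^{\([A-Za-z0-9-]*\)}.*/\1/p')
    printf '%s' "${s:-CLEAR}"
}

# Emit "uid SCHEME" for the entry just read unless it is hashed with SSHA;
# an entry with no userPassword at all is reported as NONE.
report_entry() {
    [ -n "$uid" ] && [ "${scheme:-NONE}" != SSHA ] && echo "$uid ${scheme:-NONE}"
    return 0
}

# Read LDIF on stdin; entries are separated by blank lines.
audit_password_schemes() {
    uid='' scheme=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "uid: "*)           uid=${line#"uid: "} ;;
            "userPassword:: "*) scheme=$(scheme_of "$(printf '%s' "${line#"userPassword:: "}" | base64 -d)") ;;
            "userPassword: "*)  scheme=$(scheme_of "${line#"userPassword: "}") ;;
            "")                 report_entry; uid='' scheme='' ;;
        esac
    done
    report_entry
}

printf '%s\n' "$SAMPLE_LDIF" | audit_password_schemes
```

Pipe the real ldapsearch output from method 2 into audit_password_schemes to run it against the directory; an empty result means every user is stored with SSHA.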

...change group memberships?

Privilege level: Administrators
 
  1. Login to PLA: navigate to phpLDAPAdmin on Talos, accept any certificate, click "Login" on the left, and enter the full DN of your account (for example, cn=lannonbr,ou=users,dc=cslabs,dc=clarkson,dc=edu) as the username, as well as your password.
  2. Enter the groups OU, ou=groups,dc=cslabs,dc=clarkson,dc=edu, in the left pane.
  3. Select any one of the groups of which you'd like to modify memberships.
  4. Under the memberUid field, click modify group memberships.
  5. Add or remove users as you see fit.
  6. Click Update Object, and click through the confirmation page.

Changes take effect immediately upon the next logins of the modified users, though the caches may occasionally disagree for a few minutes. If any of the hosts aren't showing updates, wait a few minutes or run nscd -i group (nscd -I group on Metapod).

...delete a user?

Privilege level: Administrators
 

First off, this usually doesn't need to be done. Nonetheless, these instructions are included for completeness.

  1. First, login to PLA: navigate to phpLDAPAdmin on Talos, accept any certificate, click "Login" on the left, and enter the full DN of your account (for example, cn=lannonbr,ou=users,dc=cslabs,dc=clarkson,dc=edu) as the username, as well as your password.
  2. In the left pane, navigate to ou=users,dc=cslabs,dc=clarkson,dc=edu.
  3. Select the user you'd like to delete under this OU.
  4. In the right pane, click Delete this entry. If you are satisfied, confirm this action. This cannot be undone.
  5. Then, login to kadmin: on any enrolled machine, run kadmin (kadmin -p username/admin), where username/admin is your administrative Kerberos principal. Additionally, on Talos, you can use kadmin.local as root.
  6. Issue delprinc username.
  7. For administrative users, also issue delprinc username/admin.

You should stop here. However, if data loss is of little concern to you (which is wrong and I have strong words to the contrary if you fite me irl), you can also login to Metapod and rm -rf /storage/home/username as root.

...enroll a Debian machine in central authentication?

This section is under construction!
For now, refer to the bottom of the great Talos book. The headings there practically enumerate the list that will go here, anyway.