Difference between revisions of "Storage Setup Process"

From CSLabsWiki
m (added xfs section)
 
(9 intermediate revisions by one other user not shown)
Line 1: Line 1:
  +
{{archived}}
  +
 
This page summarizes how [[Storage]] was set up in Fall 2010.
  
This page summarizes how [[Storage]] was set up in Fall 2010.
   
Line 98: Line 100:
 
</pre>
  
</pre>
   
= Configuration =
 +
= Yum Configuration =
== Updated System ==
  
*Added Extra Repositories
  
**RPMForge Yum Repository
  
***<code>rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm</code>
  
****From [http://dag.wieers.com/rpm/FAQ.php#B2 Dag Wieers]
  
**Fedora EPEL Yum Repository
  
***<code>rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm</code>
  
****From [http://download.fedora.redhat.com/pub/epel/5/x86_64/repoview/epel-release.html Fedora]
  
   
  +
== Extra Repositories ==
*Configured Yum Priorities & to use our mirror
  
  +
Added RPMForge respository from [http://dag.wieers.com/rpm/FAQ.php#B2| Dag Wieers]:
**Edited <code>/etc/yum.repos.d/CentOS-Base.repo</code>
  
<code><pre>
 +
<pre>
  +
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
  +
</pre>
  +
  +
Added Fedora EPEL Repository from [[Mirror]].
  +
<pre>
  +
rpm -Uvh http://mirror.clarkson.edu/epel//5/x86_64/epel-release-5-4.noarch.rpm
  +
</pre>
  +
  +
== Repositories ==
  +
All .repo files in /etc/yum.repos.d/ must be made to point to [[Mirror]] wherever possible. The exception is Dag Wieers, which we do not mirror. In order to accomplish this, the following files were edited:
  +
  +
<pre>
  +
CentOS-Base.repo
  +
epel.repo
  +
epel-testing.repo
  +
rpmforge.repo
  +
</pre>
  +
  +
The following files were not modified, but will appear in this documentation for the sake of completion:
  +
  +
<pre>
  +
CentOS-Media.repo
  +
mirrors-rpmforge
  +
</pre>
  +
  +
=== CentOS-Base.repo ===
  +
  +
<pre>
 
# CentOS-Base.repo
  
# CentOS-Base.repo
 
#
  
#
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
  
 
# The mirror system uses the connecting IP address of the client and the
  
# The mirror system uses the connecting IP address of the client and the
 
# update status of each mirror to pick mirrors that are updated to and
  
# update status of each mirror to pick mirrors that are updated to and
Line 119: Line 140:
 
# unless you are manually picking other mirrors.
  
# unless you are manually picking other mirrors.
 
#
  
#
# If the mirrorlist= does not work for you, as a fall back you can try the
 +
# If the mirrorlist= does not work for you, as a fall back you can try the
 
# remarked out baseurl= line instead.
  
# remarked out baseurl= line instead.
 
#
  
#
Line 127: Line 148:
 
name=CentOS-$releasever - Base
  
name=CentOS-$releasever - Base
 
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
  
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
  +
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
 
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
  
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
 
gpgcheck=1
  
gpgcheck=1
 
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
  
exclude=rsync
  
   
#released updates
 +
#released updates
 
[updates]
  
[updates]
 
name=CentOS-$releasever - Updates
  
name=CentOS-$releasever - Updates
 
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
  
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
  +
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
 
baseurl=http://mirror.clarkson.edu/centos/$releasever/updates/$basearch/
  
baseurl=http://mirror.clarkson.edu/centos/$releasever/updates/$basearch/
 
gpgcheck=1
  
gpgcheck=1
 
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
  
exclude=rsync
  
   
 
#packages used/produced in the build but not released
  
#packages used/produced in the build but not released
Line 147: Line 166:
 
name=CentOS-$releasever - Addons
  
name=CentOS-$releasever - Addons
 
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
  
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
  +
#baseurl=http://mirror.centos.org/centos/$releasever/addons/$basearch/
 
baseurl=http://mirror.clarkson.edu/centos/$releasever/addons/$basearch/
  
baseurl=http://mirror.clarkson.edu/centos/$releasever/addons/$basearch/
 
gpgcheck=1
  
gpgcheck=1
 
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
  
   
 
#additional packages that may be useful
  
#additional packages that may be useful
Line 156: Line 175:
 
name=CentOS-$releasever - Extras
  
name=CentOS-$releasever - Extras
 
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
  
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
  +
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
 
baseurl=http://mirror.clarkson.edu/centos/$releasever/extras/$basearch/
  
baseurl=http://mirror.clarkson.edu/centos/$releasever/extras/$basearch/
 
gpgcheck=1
  
gpgcheck=1
 
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
  
   
 
#additional packages that extend functionality of existing packages
  
#additional packages that extend functionality of existing packages
Line 165: Line 184:
 
name=CentOS-$releasever - Plus
  
name=CentOS-$releasever - Plus
 
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
  
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
  +
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
 
baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
  
baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
 
gpgcheck=1
  
gpgcheck=1
 
enabled=0
  
enabled=0
 
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
  
   
 
#contrib - packages by Centos Users
  
#contrib - packages by Centos Users
Line 175: Line 194:
 
name=CentOS-$releasever - Contrib
  
name=CentOS-$releasever - Contrib
 
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
  
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
  +
#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
 
baseurl=http://mirror.clarkson.edu/centos/$releasever/contrib/$basearch/
  
baseurl=http://mirror.clarkson.edu/centos/$releasever/contrib/$basearch/
 
gpgcheck=1
  
gpgcheck=1
 
enabled=0
  
enabled=0
 
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  +
</pre>
priority=2
  
</pre></code>
  
   
  +
=== Centos-Media.repo ===
**Edited <code>/etc/yum.repos.d/rpmforge.repo</code>
  
<code><pre>
  
# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
  
# URL: http://rpmforge.net/
  
[rpmforge]
  
name = Red Hat Enterprise $releasever - RPMforge.net - dag
  
baseurl = http://mirror.clarkson.edu/rpmforge/redhat/el5/en/$basearch/dag
  
#mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
  
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
  
enabled = 1
  
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
  
gpgcheck = 1
  
priority=15
  
</pre></code>
  
   
  +
Note that this repository is not enabled.
**Edited <code>/etc/yum.repos.d/epel.repo</code>
  
  +
<code><pre>
  
  +
<pre>
  +
# CentOS-Media.repo
  +
#
  +
# This repo is used to mount the default locations for a CDROM / DVD on
  +
# CentOS-5. You can use this repo and yum to install items directly off the
  +
# DVD ISO that we release.
  +
#
  +
# To use this repo, put in your DVD and use it with the other repos too:
  +
# yum --enablerepo=c5-media [command]
  +
#
  +
# or for ONLY the media repo, do this:
  +
#
  +
# yum --disablerepo=\* --enablerepo=c5-media [command]
  +
  +
[c5-media]
  +
name=CentOS-$releasever - Media
  +
baseurl=file:///media/CentOS/
  +
file:///media/cdrom/
  +
file:///media/cdrecorder/
  +
gpgcheck=1
  +
enabled=0
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  +
</pre>
  +
  +
=== epel.repo ===
  +
  +
<pre>
 
[epel]
  
[epel]
 
name=Extra Packages for Enterprise Linux 5 - $basearch
  
name=Extra Packages for Enterprise Linux 5 - $basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
 +
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch
 
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
  
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
  +
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
 
failovermethod=priority
  
failovermethod=priority
 
enabled=1
  
enabled=1
 
gpgcheck=1
  
gpgcheck=1
 
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
  
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=30
  
   
 
[epel-debuginfo]
  
[epel-debuginfo]
 
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
  
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/5/$basearch/debug
 +
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch/debug
 
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
  
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
  +
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
 
failovermethod=priority
  
failovermethod=priority
 
enabled=0
  
enabled=0
 
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
  
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
 
gpgcheck=1
  
gpgcheck=1
priority=30
  
   
 
[epel-source]
  
[epel-source]
 
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
  
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/5/SRPMS
 +
#baseurl=http://download.fedoraproject.org/pub/epel/5/SRPMS
 
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
  
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
  +
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
 
failovermethod=priority
  
failovermethod=priority
 
enabled=0
  
enabled=0
 
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
  
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
 
gpgcheck=1
  
gpgcheck=1
  +
</pre>
priority=30
  
</pre></code>
  
   
**Edited <code>/etc/yum.repos.d/epel-testing.repo</code>
 +
=== epel-testing.repo ===
  +
<code><pre>
  
  +
<pre>
 
[epel-testing]
  
[epel-testing]
 
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
  
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
 +
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/$basearch
 
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
  
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
  +
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
 
failovermethod=priority
  
failovermethod=priority
 
enabled=0
  
enabled=0
 
gpgcheck=1
  
gpgcheck=1
 
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
  
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=40
  
   
 
[epel-testing-debuginfo]
  
[epel-testing-debuginfo]
 
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
  
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch/debug
 +
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/$basearch/debug
 
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
  
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
  +
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
 
failovermethod=priority
  
failovermethod=priority
 
enabled=0
  
enabled=0
 
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
  
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
 
gpgcheck=1
  
gpgcheck=1
priority=40
  
   
 
[epel-testing-source]
  
[epel-testing-source]
 
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
  
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/testing/5/SRPMS
 +
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/SRPMS
 
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
  
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
  +
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
 
failovermethod=priority
  
failovermethod=priority
 
enabled=0
  
enabled=0
 
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
  
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
 
gpgcheck=1
  
gpgcheck=1
  +
</pre>
priority=40
  
</pre></code>
  
   
  +
=== mirrors.rpmforge ===
*Disabled Yum FastestMirror since using local mirror
  
**<code>sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf</code>
  
   
  +
<pre>
*Installed Yum Priorities (Note: This must be installed prior to installing the packages below.)
  
  +
http://apt.sw.be/redhat/el5/en/$ARCH/dag
**<code>yum install yum-priorities</code>
  
  +
http://archive.cs.uu.nl/mirror/dag.wieers/redhat/el5/en/$ARCH/dag
  +
http://ftp2.lcpe.uni-sofia.bg/freshrpms/pub/dag/redhat/el5/en/$ARCH/dag
  +
#http://ftp.heanet.ie/pub/freshrpms/pub/dag/redhat/el5/en/$ARCH/dag
  +
http://ftp-stud.fht-esslingen.de/dag/redhat/el5/en/$ARCH/dag
  +
http://mirror.cpsc.ucalgary.ca/mirror/dag/redhat/el5/en/$ARCH/dag
  +
http://mirrors.ircam.fr/pub/dag/redhat/el5/en/$ARCH/dag
  +
http://rh-mirror.linux.iastate.edu/pub/dag/redhat/el5/en/$ARCH/dag
  +
http://rpmfind.net/linux/dag/redhat/el5/en/$ARCH/dag
  +
http://wftp.tu-chemnitz.de/pub/linux/dag/redhat/el5/en/$ARCH/dag
  +
http://www.mirrorservice.org/sites/apt.sw.be/redhat/el5/en/$ARCH/dag
  +
</pre>
   
  +
=== rpmforge.repo ===
*Configured Yum Priorities to check for obsoletes
  
**<code>echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf</code>
  
   
  +
<pre>
*<code>yum install vim-enhanced gcc emacs-nox screen iftop</code>
  
  +
# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
*<code>yum update</code>
  
  +
# URL: http://rpmforge.net/
  +
[rpmforge]
  +
name = Red Hat Enterprise $releasever - RPMforge.net - dag
  +
#baseurl = http://apt.sw.be/redhat/el5/en/$basearch/dag
  +
#mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
  +
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
  +
baseurl = http://mirror.clarkson.edu/rpmforge/redhat/el5/en/$basearch/dag
  +
enabled = 1
  +
protect = 0
  +
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
  +
gpgcheck = 1
  +
</pre>
   
===Created User===
  
*Created user mccarrms
  
**<code>/usr/sbin/useradd -m mccarrms</code>
  
*Set password for mccarrms
  
**<code>passwd mccarrms</code>
  
   
  +
== Final Yum Config ==
===Configured Sudo===
  
*<code>/usr/sbin/visudo</code>
  
   
  +
Disable Yum fastestmirror plugin since we are pulling from [[Mirror]] only.
<code><pre>
  
  +
<pre>
  +
sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf
  +
</pre>
  +
  +
Install yum priorities plugin:
  +
<pre>
  +
yum install yum-priorities
  +
</pre>
  +
  +
Configure yum priorities to check for obsoletes:
  +
<pre>
  +
echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf
  +
</pre>
  +
  +
Install a few useful extra packages:
  +
<pre>
  +
yum install vim-enhanced gcc emacs-nox screen iftop
  +
</pre>
  +
  +
Update the system:
  +
<pre>
  +
yum update
  +
</pre>
  +
  +
= User Configuration =
  +
  +
== Adding Users ==
  +
Created users for all maintainers / interested parties (don't forget to set passwords with <tt>passwd <username></tt>):
  +
<pre>
  +
useradd -m platekme
  +
useradd -m kopptr
  +
useradd -m mccarrms
  +
</pre>
  +
  +
Add administrative users to group 'wheel' so they can use sudo. For example,
  +
<pre>
  +
gpasswd -a platekme wheel
  +
</pre>
  +
  +
== Configure Sudo ==
  +
  +
Edit /etc/sudoers the safe way with the command
  +
<pre>visudo</pre>
  +
  +
Note that this configuration allows all users in group 'wheel' to use sudo.
  +
  +
<pre>
 
## Sudoers allows particular users to run various commands as
  
## Sudoers allows particular users to run various commands as
 
## the root user, without needing the root password.
  
## the root user, without needing the root password.
  +
##
  +
## Examples are provided at the bottom of the file for collections
  +
## of related commands, which can then be delegated out to particular
  +
## users or groups.
  +
##
  +
## This file must be edited with the 'visudo' command.
  +
  +
## Host Aliases
  +
## Groups of machines. You may prefer to use hostnames (perhap using
  +
## wildcards for entire domains) or IP addresses instead.
  +
# Host_Alias FILESERVERS = fs1, fs2
  +
# Host_Alias MAILSERVERS = smtp, smtp2
  +
  +
## User Aliases
  +
## These aren't often necessary, as you can use regular groups
  +
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
  +
## rather than USERALIAS
  +
# User_Alias ADMINS = jsmith, mikem
  +
  +
  +
## Command Aliases
  +
## These are groups of related commands...
   
 
## Networking
  
## Networking
Line 298: Line 416:
   
 
## Updating the locate database
  
## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb
 +
Cmnd_Alias LOCATE = /usr/bin/updatedb
   
 
## Storage
  
## Storage
Line 318: Line 436:
 
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/userhelper, /usr/sbin/usermod, /usr/sbin/usernetctl
  
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/userhelper, /usr/sbin/usermod, /usr/sbin/usernetctl
   
  +
# Defaults specification
  +
  +
#
  +
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
  +
# You have to run "ssh -t hostname sudo <cmd>".
  +
#
 
Defaults requiretty
  
Defaults requiretty
   
Line 328: Line 452:
 
_XKB_CHARSET XAUTHORITY"
  
_XKB_CHARSET XAUTHORITY"
   
  +
## Next comes the main part: which users can run what software on
## Allow root to run any commands anywhere
  
  +
## which machines (the sudoers file can be shared between multiple
  +
## systems).
  +
## Syntax:
  +
##
  +
## user MACHINE=COMMANDS
  +
##
  +
## The COMMANDS section may have other options added to it.
  +
##
  +
## Allow root to run any commands anywhere
 
root ALL=(ALL) ALL
  
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
  
</pre></code>
  
   
  +
## Allows members of the 'sys' group to run networking, software,
===Configured Networks===
  
  +
## service management apps and more.
*Configured hostname in <code>/etc/sysconfig/network</code>
  
  +
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
<code><pre>
  
  +
  +
## Allows people in group wheel to run all commands
  +
# %wheel ALL=(ALL) ALL
  +
  +
## Same thing without a password
  +
%wheel ALL=(ALL) NOPASSWD: ALL
  +
  +
## Allows members of the users group to mount and unmount the
  +
## cdrom as root
  +
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
  +
  +
## Allows members of the users group to shutdown this system
  +
# %users localhost=/sbin/shutdown -h now
  +
</pre>
  +
  +
== Change System PATH Variable ==
  +
Edit <tt>/etc/profile</tt>:
  +
<pre>
  +
PATH=$PATH:/usr/sbin:/sbin
  +
export PATH
  +
</pre>
  +
  +
== Modify Root's Crontab ==
  +
Add the following entry to root's crontab with the command <tt>crontab -e</tt>
  +
<pre>
  +
# Used to update locate database
  +
0 * * * * /usr/bin/updatedb
  +
</pre>
  +
  +
== Disable CTRL-ALT-DELETE ==
  +
Remove trap entry to prevent accidental reboots, then make changes active:
  +
<pre>
  +
sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab
  +
init q
  +
</pre>
  +
  +
== Disable Various Kernel Modules ==
  +
*Add the following to <tt>/etc/modprobe.conf</tt>:
  +
<pre>
  +
install pppox /bin/true
  +
install bluetooth /bin/true
  +
install sctp /bin/true
  +
</pre>
  +
  +
= Network Configuration =
  +
  +
== Hostname ==
  +
Configure the hostname in <tt>/etc/sysconfig/network</tt>:
  +
<pre>
 
NETWORKING=yes
  
NETWORKING=yes
 
NETWORKING_IPV6=no
  
NETWORKING_IPV6=no
HOSTNAME=mirror
 +
HOSTNAME=storage
 
GATEWAY=128.153.145.1
  
GATEWAY=128.153.145.1
</pre></code>
 +
</pre>
   
  +
== Interfaces ==
*Verified eth0 configuration for Clarkson Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth0</code>
  
  +
Verified eth0 configuration for Clarkson Network in <tt>/etc/sysconfig/network-scripts/ifcfg-eth0</tt>
<code><pre>
  
  +
<pre>
 
# Intel Corporation 82541PI Gigabit Ethernet Controller
  
# Intel Corporation 82541PI Gigabit Ethernet Controller
 
DEVICE=eth0
  
DEVICE=eth0
 
BOOTPROTO=static
  
BOOTPROTO=static
 
BROADCAST=128.153.145.255
  
BROADCAST=128.153.145.255
HWADDR=00:1B:21:28:C8:48
 +
HWADDR=00:1B:21:28:C8:6A
IPADDR=128.153.145.19
 +
IPADDR=128.153.145.40
 
NETMASK=255.255.255.0
  
NETMASK=255.255.255.0
 
NETWORK=128.153.145.0
  
NETWORK=128.153.145.0
 
ONBOOT=yes
  
ONBOOT=yes
</pre></code>
 +
</pre>
   
*Verified eth1 configuration for the Server Room Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth1</code>
 +
Verified eth1 configuration for the Server Room Network in <tt>/etc/sysconfig/network-scripts/ifcfg-eth1</tt>
<code><pre>
 +
<pre>
 
# Intel Corporation 82566DM-2 Gigabit Network Connection
  
# Intel Corporation 82566DM-2 Gigabit Network Connection
 
DEVICE=eth1
  
DEVICE=eth1
 
BOOTPROTO=static
  
BOOTPROTO=static
 
BROADCAST=10.0.1.255
  
BROADCAST=10.0.1.255
HWADDR=00:30:48:9A:DB:26
 +
HWADDR=00:30:48:9A:DA:5E
IPADDR=10.0.1.36
 +
IPADDR=10.0.1.35
 
NETMASK=255.255.255.0
  
NETMASK=255.255.255.0
 
NETWORK=10.0.1.0
  
NETWORK=10.0.1.0
 
ONBOOT=yes
  
ONBOOT=yes
</pre></code>
 +
</pre>
   
*Verified eth2 configuration for the Internal Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth2</code>
 +
Verified eth2 configuration for the COSI Internal Network in <tt>/etc/sysconfig/network-scripts/ifcfg-eth2</tt>
<code><pre>
 +
<pre>
 
# Intel Corporation 82573L Gigabit Ethernet Controller
  
# Intel Corporation 82573L Gigabit Ethernet Controller
 
DEVICE=eth2
  
DEVICE=eth2
 
BOOTPROTO=static
  
BOOTPROTO=static
 
BROADCAST=10.0.0.255
  
BROADCAST=10.0.0.255
HWADDR=00:30:48:9A:DB:27
 +
HWADDR=00:30:48:9A:DA:5F
IPADDR=10.0.0.14
 +
IPADDR=10.0.0.15
 
NETMASK=255.255.255.0
  
NETMASK=255.255.255.0
 
NETWORK=10.0.0.0
  
NETWORK=10.0.0.0
 
ONBOOT=yes
  
ONBOOT=yes
</pre></code>
 +
</pre>
   
====Configured Hosts====
 +
== Hosts ==
*Edited <code>/etc/hosts</code>
 +
Edited <tt>/etc/hosts</tt>:
<code><pre>
 +
<pre>
  +
# Do not remove the following line, or various programs
  +
# that require network functionality will fail.
 
127.0.0.1 localhost.localdomain localhost
  
127.0.0.1 localhost.localdomain localhost
128.153.145.19 mirror.clarkson.edu mirror.cslabs.clarkson.edu mirror.cslabs mirror
 +
128.153.145.40 storage.cslabs.clarkson.edu storage.cslabs storage
10.0.1.36 mirror.sr.cslabs.clarkson.edu mirror.sr.cslabs mirror.sr
 +
10.0.1.35 storage.sr.cslabs.clarkson.edu storage.sr.cslabs storage.sr
10.0.0.14 mirror.int.cslabs.clarkson.edu mirror.int.cslabs mirror.int
 +
10.0.0.15 storage.int.cslabs.clarkson.edu storage.int.cslabs storage.int
</pre></code>
 +
</pre>
   
*Edited <code>/etc/hosts.allow</code>
 +
Edited <tt>/etc/hosts.allow</tt>:
<code><pre>
 +
<pre>
  +
This file has intentionally been left out for security reasons.
For security purposes, this information has been intentionally left off.
  
</pre></code>
 +
</pre>
   
*Edited <code>/etc/hosts.deny</code>
 +
Edited <tt>/etc/hosts.deny</tt>:
<code><pre>
 +
<pre>
 
ALL: ALL
  
ALL: ALL
</pre></code>
 +
</pre>
   
====Configured DNS Servers====
 +
== DNS ==
  +
*Edited <code>/etc/resolv.conf</code>
  
  +
Edited <tt>/etc/resolv.conf</tt>:
<code><pre>
  
  +
<pre>
 
search cslabs.clarkson.edu clarkson.edu
  
search cslabs.clarkson.edu clarkson.edu
 
nameserver 128.153.145.3
  
nameserver 128.153.145.3
 
nameserver 128.153.145.4
  
nameserver 128.153.145.4
</pre></code>
 +
</pre>
   
====Disabled IP v6====
 +
== IP Configuration ==
  +
*Appended the following to <code>/etc/modprobe.conf</code>
  
  +
=== Disable IPv6 ===
<code><pre>
  
  +
IPv6 should be disabled since we don't use it. First, add the following to <tt>/etc/modprobe.conf</tt>:
  +
<pre>
 
install ipv6 /bin/true
  
install ipv6 /bin/true
</pre></code>
 +
</pre>
*Disabled IP v6 firewall
  
**<code>/sbin/chkconfig ip6tables off</code>
  
   
  +
Then, disable the unneeded IPv6 firewall with this command:
===Configured IPtables===
  
<code><pre>
 +
<pre>
  +
/sbin/chkconfig ip6tables off
Due to the sensitivity of this material, this config file has been left off; however, the following rules are needed.
  
</pre></code>
 +
</pre>
*Restarted iptables
  
**<code>/etc/init.d/iptables restart</code>
  
   
  +
=== IPtables Configuration ===
===Configured SSH===
  
*Edited <code>/etc/ssh/sshd_config</code>
  
<code><pre>
  
Due to the sensitivity of this material, this config file has been left off.
  
</pre></code>
  
*Restarted sshd
  
**<code>/etc/init.d/sshd restart</code>
  
   
  +
<pre>
====Set Up SSH Login Banner====
  
  +
This configuration file has been omitted for security reasons.
*Edited <code>/etc/issue.net</code>
  
<code><pre>
 +
</pre>
_
 
__ _ (_)__________ ____
  
/ ' \/ / __/ __/ _ \/ __/
  
/_/_/_/_/_/ /_/ \___/_/
 
 
</pre></code>
  
   
  +
After configuring it, restart iptables:
===Configured Password Requirements===
  
  +
<pre>
*Edited <code>/etc/login.defs</code>
  
  +
/etc/init.d/iptables restart
<code><pre>
  
  +
</pre>
  +
  +
== SSH Configuration ==
  +
Edited file <tt>/etc/ssh/sshd_config</tt>:
  +
<pre>
  +
This configuration file has been omitted for security concerns.
  +
</pre>
  +
  +
After editing the config file, restart sshd:
  +
<pre>
  +
/etc/init.d/sshd restart
  +
</pre>
  +
  +
Use the ASCII Art text generator at http://patorjk.com/software/taag/ to generate the login banner in font 'small slant'.
  +
Put this login banner in /etc/issue.net:
  +
<pre>
  +
______
  +
/ __/ /____ _______ ____ ____
  +
_\ \/ __/ _ \/ __/ _ `/ _ `/ -_)
  +
/___/\__/\___/_/ \_,_/\_, /\__/
  +
/___/
  +
</pre>
  +
  +
Set user password requirements by editing <tt>/etc/login.defs</tt>:
  +
<pre>
 
MAIL_DIR /var/spool/mail
  
MAIL_DIR /var/spool/mail
   
Line 466: Line 661:
   
 
ENCRYPT_METHOD MD5
  
ENCRYPT_METHOD MD5
</pre></code>
 +
</pre>
   
  +
== NTP ==
===Added Custom PATH Variables===
  
*Added the following to <code>/etc/profile</code>
  
<code><pre>
  
PATH=$PATH:/usr/sbin:/sbin
  
export PATH
  
</pre></code>
  
   
  +
First, install NTP:
===Modified Root's Crontab===
  
  +
<pre>
*<code>crontab -e</code>
  
  +
yum install ntp
<code><pre>
  
  +
</pre>
# Used to update locate database
  
0 * * * * /usr/bin/updatedb
  
</pre></code>
  
   
  +
Edit <tt>/etc/ntp.conf</tt>:
===Set Up & Configured NTP===
  
  +
<pre>
*Installed NTP
  
**<code>yum install ntp</code>
  
 
*Edited <code>/etc/ntp.conf</code>
  
<code><pre>
  
 
restrict default kod nomodify notrap nopeer noquery
  
restrict default kod nomodify notrap nopeer noquery
 
restrict -6 default kod nomodify notrap nopeer noquery
  
restrict -6 default kod nomodify notrap nopeer noquery
Line 506: Line 690:
   
 
keys /etc/ntp/keys
  
keys /etc/ntp/keys
</pre></code>
 +
</pre>
   
*Edited <code>/etc/ntp/step-tickers</code>
 +
Edit <tt>/etc/ntp/step-tickers</tt>:
<code><pre>
 +
<pre>
 
tick.clarkson.edu
  
tick.clarkson.edu
 
tock.clarkson.edu
  
tock.clarkson.edu
</pre></code>
 +
</pre>
   
*Configured ntpd to start on boot
 +
Configure NTP to start on boot, and start it now:
  +
<pre>
**<code>/sbin/chkconfig --levels 2345 ntpd on</code>
  
  +
chkconfig --levels 2345 ntpd on
  +
/etc/init.d/ntpd start
  +
</pre>
   
  +
Configure NTP to sync the hardware clock. Edit <tt>/etc/sysconfig/ntpd</tt>:
*Started ntpd
  
  +
<pre>
**<code>/etc/init.d/ntpd start</code>
  
 
====Configured ntpd to Sync Hardware Clock====
  
*Edited <code>/etc/sysconfig/ntpd</code>
  
<code><pre>
  
 
# Drop root to id 'ntp:ntp' by default.
  
# Drop root to id 'ntp:ntp' by default.
 
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"
  
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"
Line 531: Line 714:
 
# Additional options for ntpdate
  
# Additional options for ntpdate
 
NTPDATE_OPTIONS=""
  
NTPDATE_OPTIONS=""
</pre></code>
 +
</pre>
   
  +
= Power Management =
===Installed and Configured [http://www.apcupsd.org/ APCUPSD]===
  
This package is used to monitor the UPS which [[Mirror]] is plugged into and is used to shutdown the system in the event of a power failure.
  
   
  +
== [http://www.apcupsd.org/ APCUPSD] ==
====Configured to Power On when Power is Restored====
  
  +
This package is used to monitor the UPS which [[Storage]] is plugged into and is used to shutdown the system in the event of a power failure.
*Edited the BIOS to have <code>Restore on AC/Power Loss</code> set to <code>Power On</code>.
  
   
  +
Change the BIOS settings to cause the machine to be powered on when power is restored. This will be something like <tt>Restore on AC/Power Loss</tt>.
====Installed and configured <code>apcupsd</code>====
  
*Installed <code>apcupsd</code>
  
**<code>yum install apcupsd</code>
  
   
  +
Install APCUPSD
*Edited <code>/etc/apcupsd/apcupsd.conf</code>
  
<code><pre>
 +
<pre>
  +
yum install apcupsd
  +
</pre>
  +
  +
Edit <tt>/etc/apcupsd/apcupsd.conf</tt>:
  +
<pre>
 
## apcupsd.conf v1.1 ##
  
## apcupsd.conf v1.1 ##
   
Line 601: Line 786:
   
 
SELFTEST 336
  
SELFTEST 336
</pre></code>
 +
</pre>
   
*Configured <code>apcupsd</code> to start on boot
 +
Configure apcupsd to start on boot, and start it:
  +
<pre>
**<code>/sbin/chkconfig --levels 2345 apcupsd on</code>
  
  +
/sbin/chkconfig --levels 2345 apcupsd on
  +
/etc/init.d/apcupsd start
  +
</pre>
   
  +
= Mail, Logging, and Services =
*Started <code>apcupsd</code>
  
**<code>/etc/init.d/apcupsd start</code>
  
   
===Configured Aliases===
 +
== Configure Aliases ==
*Edited <code>/etc/aliases</code>
 +
Edit <tt>/etc/aliases</tt>:
<code><pre>
 +
<pre>
 
#
  
#
 
# Aliases in this file will NOT be expanded in the header from
  
# Aliases in this file will NOT be expanded in the header from
Line 708: Line 895:
 
# Person who should get roots's mail
  
# Person who should get roots's mail
 
root: logwatch@cslabs.clarkson.edu
  
root: logwatch@cslabs.clarkson.edu
</pre></code>
 +
</pre>
   
  +
With that config file in place, update the aliases:
*Updated aliases
  
  +
<pre>
**<code>/usr/bin/newaliases</code>
  
  +
/usr/bin/newaliases
  +
</pre>
   
  +
== SNMP ==
===Disabled <code>CTRL-ALT-DELETE</code>===
  
  +
Install it:
*Removed trap entry to prevent accidental reboots
  
<code><pre>
 +
<pre>
sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab
  
</pre></code>
  
 
*Made Changes Active
  
<code><pre>
  
init q
  
</pre></code>
  
 
===Disabled Various Kernel Modules===
  
*Added the following to <code>/etc/modprobe.conf</code>
  
<code><pre>
  
install pppox /bin/true
  
install bluetooth /bin/true
  
install sctp /bin/true
  
</pre></code>
  
 
===Installed & Configured SNMP===
  
*Installed needed packages
  
<code><pre>
  
 
yum install net-snmp ntp
  
yum install net-snmp ntp
</pre></code>
 +
</pre>
   
*Configured SNMP Daemon <code>/etc/snmp/snmpd.conf</code>
 +
Configure the snmp daemon by editing <tt>/etc/snmp/snmpd.conf</tt>:
<code><pre>
 +
<pre>
 
rocommunity <passphrase> 127.0.0.1
  
rocommunity <passphrase> 127.0.0.1
 
rocommunity <passphrase> <ipsallowed>
  
rocommunity <passphrase> <ipsallowed>
Line 754: Line 924:
 
exec timeskew /usr/local/sbin/ntp_check
  
exec timeskew /usr/local/sbin/ntp_check
 
exec uptime /usr/bin/uptime
  
exec uptime /usr/bin/uptime
</pre></code>
 +
</pre>
   
*Deployed <code>ntp_check</code> script
 +
Copy the <tt>ntp_check</tt> script from [[Isengard]] to <tt>/usr/local/sbin</tt>.
  +
<pre>
**Copied over <code>/usr/local/sbin/ntp_check</code> from [[Isengard]] to /usr/local/sbin/
  
**<code>chown root.root /usr/local/sbin/ntp_check</code>
 +
rsync <user>@isengard:/usr/local/sbin/ntp_check /usr/local/sbin
  +
chown root.root /usr/local/sbin/ntp_check
  +
</pre>
   
*Configured SNMP to start at specific run levels
 +
Set SNMP to run on specific runlevels, then start it:
<code><pre>
 +
<pre>
 
/sbin/chkconfig --levels 2345 snmpd on
  
/sbin/chkconfig --levels 2345 snmpd on
</pre></code>
  
 
*Started daemon
  
<code><pre>
  
 
/etc/init.d/snmpd start
  
/etc/init.d/snmpd start
</pre></code>
 +
</pre>
   
===Increased Detail of Logwatch Reports===
 +
== Logwatch ==
*Set detail level to be high
 +
Increase the detail of the Logwatch report:
<code><pre>
 +
<pre>
 
echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf
  
echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf
</pre></code>
 +
</pre>
   
===Disabled Unneeded Services===
 +
== Disable Unneeded Services ==
*Referenced [http://www.cyberciti.biz/faq/linux-default-services-which-are-enabled-at-boot/ this page]
 +
Referenced [http://www.cyberciti.biz/faq/linux-default-services-which-are-enabled-at-boot/ this page] to determine which services are unneeded. Disabled the following services:
  +
<pre>
 
  +
chkconfig readahead_later off
<code><pre>
  
  +
chkconfig readahead_early off
  +
chkconfig pcscd off
  +
chkconfig kudzu off
  +
chkconfig irda off
  +
chkconfig haldaemon off
  +
chkconfig gpm off
  +
chkconfig firstboot off
  +
chkconfig cups off
  +
chkconfig avahi-dnsconfd off
  +
chkconfig avahi-daemon off
  +
chkconfig anacron off
 
chkconfig nfs off
  
chkconfig nfs off
/etc/init.d/nfs stop
  
 
chkconfig nfslock off
  
chkconfig nfslock off
/etc/init.d/nfslock stop
  
 
chkconfig rpcgssd off
  
chkconfig rpcgssd off
/etc/init.d/rpcgssd stop
  
 
chkconfig rpcidmapd off
  
chkconfig rpcidmapd off
/etc/init.d/rpcidmapd stop
  
 
chkconfig rpcsvcgssd off
  
chkconfig rpcsvcgssd off
/etc/init.d/rpcsvcgssd stop
  
 
chkconfig portmap off
  
chkconfig portmap off
/etc/init.d/portmap stop
  
 
chkconfig netfs off
  
chkconfig netfs off
/etc/init.d/netfs stop
  
chkconfig anacron off
  
/etc/init.d/anacron stop
  
 
chkconfig autofs off
  
chkconfig autofs off
/etc/init.d/autofs stop
  
chkconfig avahi-daemon off
  
/etc/init.d/avahi-daemon stop
  
chkconfig avahi-dnsconfd off
  
/etc/init.d/avahi-dnsconfd stop
  
 
chkconfig bluetooth off
  
chkconfig bluetooth off
/etc/init.d/bluetooth stop
  
 
chkconfig hidd off
  
chkconfig hidd off
/etc/init.d/hidd stop
  
chkconfig cups off
  
/etc/init.d/cups stop
  
chkconfig firstboot off
  
/etc/init.d/firstboot stop
  
chkconfig gpm off
  
/etc/init.d/gpm stop
  
chkconfig haldaemon off
  
/etc/init.d/haldaemon stop
  
chkconfig irda off
  
/etc/init.d/irda stop
  
chkconfig kudzu off
  
/etc/init.d/kudzu stop
  
 
chkconfig messagebus off
  
chkconfig messagebus off
/etc/init.d/messagebus stop
  
chkconfig microcode_ctl off
  
/etc/init.d/microcode_ctl stop
  
chkconfig pcscd off
  
/etc/init.d/pcscd stop
  
chkconfig readahead_early off
  
/etc/init.d/readahead_early stop
  
chkconfig readahead_later off
  
/etc/init.d/readahead_later stop
  
 
chkconfig ypbind off
  
chkconfig ypbind off
  +
</pre>
/etc/init.d/ypbind stop
  
</pre></code>
  
   
  +
== fstab ==
===Modified <code>/etc/fstab</code> to increase performance===
  
  +
Modify <tt>/etc/fstab</tt> to increase performace. Adding option 'noatime' to all mounted partition causes unnecessary inode modification times to not be written, increasing I/O performance.
*Configured to not update inode access times
  
<code><pre>
 +
<pre>
/dev/root_lvg/root_lv / ext3 defaults 1 1
 +
/dev/root_lvg/root_lv / ext3 defaults,noatime 1 1
/dev/md2 /mnt/raid ext3 defaults,noatime 1 2
 +
/dev/md2 /storage xfs defaults,logbufs=8,noatime 1 2
/dev/storage_lvg/storage_lv /mnt/lvg_storage ext3 defaults,noatime 1 2
 +
/dev/root_lvg/tmp_lv /tmp ext3 defaults,noatime 1 2
/dev/md0 /boot ext3 defaults 1 2
 +
/dev/root_lvg/var_lv /var ext3 defaults,noatime 1 2
/dev/root_lvg/var_lv /var ext3 defaults 1 2
 +
/dev/md0 /boot ext2 defaults,noatime 1 2
LABEL=/mnt/storage1 /mnt/storage1 ext3 defaults,noatime 1 2
 +
/dev/root_lvg/home_lv /home ext3 defaults,noatime 1 2
LABEL=/mnt/storage2 /mnt/storage2 ext3 defaults,noatime 1 2
  
 
tmpfs /dev/shm tmpfs defaults 0 0
  
tmpfs /dev/shm tmpfs defaults 0 0
 
devpts /dev/pts devpts gid=5,mode=620 0 0
  
devpts /dev/pts devpts gid=5,mode=620 0 0
Line 847: Line 987:
 
proc /proc proc defaults 0 0
  
proc /proc proc defaults 0 0
 
/dev/root_lvg/swap_lv swap swap defaults 0 0
  
/dev/root_lvg/swap_lv swap swap defaults 0 0
</pre></code>
 +
</pre>

Latest revision as of 12:21, 3 September 2015

Emblem-important.png This is an archived article or section.
This page is a legacy practice, project, or tutorial, and the information may not be up to date. See the talk page for more information about the page's status.


This page summarizes how Storage was set up in Fall 2010.

Installation

Operating system: CentOS 5.5 x86_64

Partition Scheme

Partition Scheme:

  • /dev/md0: 100MB, /boot, mdRAID 1
  • /dev/md1: 80GB, LVM (root_lvg), mdRAID 1
    • /dev/root_lvg/root_lv: 65GB, /
    • /dev/root_lvg/tmp_lv: 1GB, /tmp
    • /dev/root_lvg/var_lv: 4GB, /var
    • /dev/root_lvg/home_lv: 1GB, /home
    • /dev/root_lvg/swap_lv: 4GB, swap
  • /dev/md2: 3TB, /storage, mdRAID 10

Partition Types

The boot array is formatted as ext2, all other partitions except the storage array are formatted as ext3.

The storage partition is formatted as xfs, a robust filesystem that deals particularly well with large files. The filesystem was created with the following command: 

mkfs.xfs -d agcount=1000 -l size=128m /dev/md2

This creates an xfs filesystem with 1000 AGs (each of 3GB) and a log size of 128MB. Having many AGs makes the filesystem more parallelizable at cost of CPU cycles (of which we have plenty), and the higher-than-default log size increases the number of small writes that can take place quickly in memory and be committed asynchronously in contiguous bursts.

The filesystem is mounted in /etc/fstab with the following options: 

/dev/md2    /storage    xfs    defaults,logbufs=8,noatime    1 2

This mounts the filesystem with 8 log buffers, again increasing the number of transactions able to be performed in memory at once. Option 'noatime' causes inode access times to not be updated, increasing performance slightly. It's OK to do this since inode access times are not generally used.

In order to use xfs in CentOS 5.5, the following packages were installed: 

kmod-xfs
xfsdump
xfsprogs

Kickstart

This is the kickstart file appearing in /root after the install finished. There is a storage kickstart file living on Admin that was used for the netinstall. 

# Kickstart file automatically generated by anaconda.

install
url --url http://mirror.clarkson.edu/centos/5/os/x86_64/
lang en_US.UTF-8
keyboard us
network --device eth0 --bootproto static --ip 128.153.145.40 --netmask 255.255.255.0 --gateway 128.153.145.1 --nameserver 128.153.0.254,128.153.5.254 --hostname storage
network --device eth1 --bootproto static --ip 10.0.1.35 --netmask 255.255.255.0 --gateway 128.153.145.1 --nameserver 128.153.0.254,128.153.5.254 --hostname storage
network --device eth2 --bootproto static --ip 10.0.0.15 --netmask 255.255.255.0 --gateway 128.153.145.1 --nameserver 128.153.0.254,128.153.5.254 --hostname storage
rootpw --iscrypted $1$5UvTrOQ1$ttBrGsABSlAoVyxdlf4wg/
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --permissive
timezone --utc America/New_York
bootloader --location=partition --driveorder=hda,hdb,sda,sdb,sdc,sdd,sde,sdf
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
#part raid.1 --noformat --onpart hda1
#part raid.3 --noformat --onpart hdb1
#part raid.10 --noformat --onpart sdf1
#part raid.9 --noformat --onpart sde1
#part raid.8 --noformat --onpart sdd1
#part raid.7 --noformat --onpart sdc1
#part raid.6 --noformat --onpart sdb1
#part raid.5 --noformat --onpart sda1
#part raid.4 --noformat --onpart hdb2
#part raid.2 --noformat --onpart hda2
#raid /boot --useexisting --fstype ext2 --level=RAID1 --device=md0 raid.1 raid.3
#raid pv.13 --noformat --useexisting --fstype "physical volume (LVM)" --level=RAID1 --device=md1 raid.2 raid.4
#raid /storage --useexisting --fstype ext3 --level=RAID10 --device=md2 raid.5 raid.6 raid.7 raid.8 raid.9 raid.10
#volgroup root_lvg --noformat --useexisting --pesize=32768 pv.13
#logvol /home --useexisting --fstype ext3 --name=home_lv --vgname=root_lvg --size=1024
#logvol /var --useexisting --fstype ext3 --name=var_lv --vgname=root_lvg --size=4096
#logvol / --useexisting --fstype ext3 --name=root_lv --vgname=root_lvg --size=65952
#logvol swap --useexisting --fstype swap --name=swap_lv --vgname=root_lvg --size=4096
#logvol /tmp --useexisting --fstype ext3 --name=tmp_lv --vgname=root_lvg --size=1024
             
%packages
@base
@core
device-mapper-multipath 
vim-enhanced 
gcc
emacs-nox
screen 
-bluez-utils
-cpuspeed
-NetworkManager

Yum Configuration

Extra Repositories

Added RPMForge respository from Dag Wieers: 

rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

Added Fedora EPEL Repository from Mirror. 

rpm -Uvh http://mirror.clarkson.edu/epel//5/x86_64/epel-release-5-4.noarch.rpm

Repositories

All .repo files in /etc/yum.repos.d/ must be made to point to Mirror wherever possible. The exception is Dag Wieers, which we do not mirror. In order to accomplish this, the following files were edited: 

CentOS-Base.repo
epel.repo
epel-testing.repo
rpmforge.repo

The following files were not modified, but will appear in this documentation for the sake of completion: 

CentOS-Media.repo
mirrors-rpmforge

CentOS-Base.repo

# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the 
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#released updates 
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
baseurl=http://mirror.clarkson.edu/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
#baseurl=http://mirror.centos.org/centos/$releasever/addons/$basearch/
baseurl=http://mirror.clarkson.edu/centos/$releasever/addons/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
baseurl=http://mirror.clarkson.edu/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
baseurl=http://mirror.clarkson.edu/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

Centos-Media.repo

Note that this repository is not enabled. 

# CentOS-Media.repo
#
# This repo is used to mount the default locations for a CDROM / DVD on
#  CentOS-5.  You can use this repo and yum to install items directly off the
#  DVD ISO that we release.
#
# To use this repo, put in your DVD and use it with the other repos too:
#  yum --enablerepo=c5-media [command]
#  
# or for ONLY the media repo, do this:
#
#  yum --disablerepo=\* --enablerepo=c5-media [command]

[c5-media]
name=CentOS-$releasever - Media
baseurl=file:///media/CentOS/
        file:///media/cdrom/
        file:///media/cdrecorder/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

epel.repo

[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

epel-testing.repo

[epel-testing]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

[epel-testing-source]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

mirrors.rpmforge

http://apt.sw.be/redhat/el5/en/$ARCH/dag
http://archive.cs.uu.nl/mirror/dag.wieers/redhat/el5/en/$ARCH/dag
http://ftp2.lcpe.uni-sofia.bg/freshrpms/pub/dag/redhat/el5/en/$ARCH/dag
#http://ftp.heanet.ie/pub/freshrpms/pub/dag/redhat/el5/en/$ARCH/dag
http://ftp-stud.fht-esslingen.de/dag/redhat/el5/en/$ARCH/dag
http://mirror.cpsc.ucalgary.ca/mirror/dag/redhat/el5/en/$ARCH/dag
http://mirrors.ircam.fr/pub/dag/redhat/el5/en/$ARCH/dag
http://rh-mirror.linux.iastate.edu/pub/dag/redhat/el5/en/$ARCH/dag
http://rpmfind.net/linux/dag/redhat/el5/en/$ARCH/dag
http://wftp.tu-chemnitz.de/pub/linux/dag/redhat/el5/en/$ARCH/dag
http://www.mirrorservice.org/sites/apt.sw.be/redhat/el5/en/$ARCH/dag

rpmforge.repo

# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
# URL: http://rpmforge.net/
[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
#baseurl = http://apt.sw.be/redhat/el5/en/$basearch/dag
#mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
baseurl = http://mirror.clarkson.edu/rpmforge/redhat/el5/en/$basearch/dag
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1


Final Yum Config

Disable Yum fastestmirror plugin since we are pulling from Mirror only. 

sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf

Install yum priorities plugin: 

yum install yum-priorities

Configure yum priorities to check for obsoletes: 

echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf

Install a few useful extra packages: 

yum install vim-enhanced gcc emacs-nox screen iftop

Update the system: 

yum update

User Configuration

Adding Users

Created users for all maintainers / interested parties (don't forget to set passwords with passwd <username>): 

useradd -m platekme
useradd -m kopptr
useradd -m mccarrms

Add administrative users to group 'wheel' so they can use sudo. For example, 

gpasswd -a platekme wheel

Configure Sudo

Edit /etc/sudoers the safe way with the command 

visudo

Note that this configuration allows all users in group 'wheel' to use sudo. 

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## 
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhap using 
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su

## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/userhelper, /usr/sbin/usermod, /usr/sbin/usernetctl

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear. 
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

Defaults    env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

## Same thing without a password
%wheel  ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

Change System PATH Variable

Edit /etc/profile: 

PATH=$PATH:/usr/sbin:/sbin
export PATH

Modify Root's Crontab

Add the following entry to root's crontab with the command crontab -e 

# Used to update locate database
0 * * * * /usr/bin/updatedb

Disable CTRL-ALT-DELETE

Remove trap entry to prevent accidental reboots, then make changes active: 

sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab
init q

Disable Various Kernel Modules

  • Add the following to /etc/modprobe.conf:
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true

Network Configuration

Hostname

Configure the hostname in /etc/sysconfig/network: 

NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=storage
GATEWAY=128.153.145.1

Interfaces

Verified eth0 configuration for Clarkson Network in /etc/sysconfig/network-scripts/ifcfg-eth0 

# Intel Corporation 82541PI Gigabit Ethernet Controller
DEVICE=eth0
BOOTPROTO=static
BROADCAST=128.153.145.255
HWADDR=00:1B:21:28:C8:6A
IPADDR=128.153.145.40
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes

Verified eth1 configuration for the Server Room Network in /etc/sysconfig/network-scripts/ifcfg-eth1 

# Intel Corporation 82566DM-2 Gigabit Network Connection
DEVICE=eth1
BOOTPROTO=static
BROADCAST=10.0.1.255
HWADDR=00:30:48:9A:DA:5E
IPADDR=10.0.1.35
NETMASK=255.255.255.0
NETWORK=10.0.1.0
ONBOOT=yes

Verified eth2 configuration for the COSI Internal Network in /etc/sysconfig/network-scripts/ifcfg-eth2 

# Intel Corporation 82573L Gigabit Ethernet Controller
DEVICE=eth2
BOOTPROTO=static
BROADCAST=10.0.0.255
HWADDR=00:30:48:9A:DA:5F
IPADDR=10.0.0.15
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes

Hosts

Edited /etc/hosts: 

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
128.153.145.40  storage.cslabs.clarkson.edu storage.cslabs storage
10.0.1.35       storage.sr.cslabs.clarkson.edu storage.sr.cslabs storage.sr
10.0.0.15       storage.int.cslabs.clarkson.edu storage.int.cslabs storage.int

Edited /etc/hosts.allow: 

This file has intentionally been left out for security reasons.

Edited /etc/hosts.deny: 

ALL: ALL

DNS

Edited /etc/resolv.conf: 

search cslabs.clarkson.edu clarkson.edu
nameserver 128.153.145.3
nameserver 128.153.145.4

IP Configuration

Disable IPv6

IPv6 should be disabled since we don't use it. First, add the following to /etc/modprobe.conf: 

install ipv6 /bin/true

Then, disable the unneeded IPv6 firewall with this command: 

/sbin/chkconfig ip6tables off

IPtables Configuration

This configuration file has been omitted for security reasons.

After configuring it, restart iptables: 

/etc/init.d/iptables restart

SSH Configuration

Edited file /etc/ssh/sshd_config: 

This configuration file has been omitted for security concerns.

After editing the config file, restart sshd: 

/etc/init.d/sshd restart

Use the ASCII Art text generator at http://patorjk.com/software/taag/ to generate the login banner in font 'small slant'. Put this login banner in /etc/issue.net: 

   ______                        
  / __/ /____  _______ ____ ____ 
 _\ \/ __/ _ \/ __/ _ `/ _ `/ -_)
/___/\__/\___/_/  \_,_/\_, /\__/ 
                      /___/

Set user password requirements by editing /etc/login.defs: 

MAIL_DIR        /var/spool/mail

PASS_MAX_DAYS   360
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   60

UID_MIN                   500
UID_MAX                 60000

GID_MIN                   500
GID_MAX                 60000

CREATE_HOME     yes

UMASK           077

USERGROUPS_ENAB yes

MD5_CRYPT_ENAB yes

ENCRYPT_METHOD MD5

NTP

First, install NTP: 

yum install ntp

Edit /etc/ntp.conf: 

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1

restrict tick.clarkson.edu mask 255.255.255.255 nomodify notrap noquery
restrict tock.clarkson.edu mask 255.255.255.255 nomodify notrap noquery

server tick.clarkson.edu
server tock.clarkson.edu

server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10

driftfile /var/lib/ntp/drift

keys /etc/ntp/keys

Edit /etc/ntp/step-tickers: 

tick.clarkson.edu
tock.clarkson.edu

Configure NTP to start on boot, and start it now: 

chkconfig --levels 2345 ntpd on
/etc/init.d/ntpd start

Configure NTP to sync the hardware clock. Edit /etc/sysconfig/ntpd: 

# Drop root to id 'ntp:ntp' by default.
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"

# Set to 'yes' to sync hw clock after successful ntpdate
SYNC_HWCLOCK=yes

# Additional options for ntpdate
NTPDATE_OPTIONS=""

Power Management

APCUPSD

This package is used to monitor the UPS which Storage is plugged into and is used to shutdown the system in the event of a power failure.

Change the BIOS settings to cause the machine to be powered on when power is restored. This will be something like Restore on AC/Power Loss.

Install APCUPSD 

yum install apcupsd

Edit /etc/apcupsd/apcupsd.conf: 

## apcupsd.conf v1.1 ##

UPSNAME ups3

UPSCABLE ether

UPSTYPE net
DEVICE 128.153.145.215:3551

LOCKFILE /var/lock

SCRIPTDIR /etc/apcupsd

PWRFAILDIR /etc/apcupsd

NOLOGINDIR /etc

ONBATTERYDELAY 6

BATTERYLEVEL 10

MINUTES 15

TIMEOUT 0

ANNOY 300

ANNOYDELAY 60

NOLOGON disable

KILLDELAY 0

NETSERVER on

NISIP 127.0.0.1

NISPORT 3551

EVENTSFILE /var/log/apcupsd.events

EVENTSFILEMAX 10

UPSCLASS standalone

UPSMODE disable

STATTIME 0

STATFILE /var/log/apcupsd.status

LOGSTATS off

DATATIME 0

SELFTEST 336

Configure apcupsd to start on boot, and start it: 

/sbin/chkconfig --levels 2345 apcupsd on
/etc/init.d/apcupsd start

Mail, Logging, and Services

Configure Aliases

Edit /etc/aliases: 

#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#       >>>>>>>>>>      The program "newaliases" must be run after
#       >> NOTE >>      this file is updated for any changes to
#       >>>>>>>>>>      show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     logwatch@cslabs.clarkson.edu

# General redirections for pseudo accounts.
bin:            logwatch@cslabs.clarkson.edu
daemon:         logwatch@cslabs.clarkson.edu
adm:            logwatch@cslabs.clarkson.edu
lp:             logwatch@cslabs.clarkson.edu
sync:           logwatch@cslabs.clarkson.edu
shutdown:       logwatch@cslabs.clarkson.edu
halt:           logwatch@cslabs.clarkson.edu
mail:           logwatch@cslabs.clarkson.edu
news:           logwatch@cslabs.clarkson.edu
uucp:           logwatch@cslabs.clarkson.edu
operator:       logwatch@cslabs.clarkson.edu
games:          logwatch@cslabs.clarkson.edu
gopher:         logwatch@cslabs.clarkson.edu
ftp:            logwatch@cslabs.clarkson.edu
nobody:         logwatch@cslabs.clarkson.edu
radiusd:        logwatch@cslabs.clarkson.edu
nut:            logwatch@cslabs.clarkson.edu
dbus:           logwatch@cslabs.clarkson.edu
vcsa:           logwatch@cslabs.clarkson.edu
canna:          logwatch@cslabs.clarkson.edu
wnn:            logwatch@cslabs.clarkson.edu
rpm:            logwatch@cslabs.clarkson.edu
nscd:           logwatch@cslabs.clarkson.edu
pcap:           logwatch@cslabs.clarkson.edu
apache:         logwatch@cslabs.clarkson.edu
webalizer:      logwatch@cslabs.clarkson.edu
dovecot:        logwatch@cslabs.clarkson.edu
fax:            logwatch@cslabs.clarkson.edu
quagga:         logwatch@cslabs.clarkson.edu
radvd:          logwatch@cslabs.clarkson.edu
pvm:            logwatch@cslabs.clarkson.edu
amanda:         logwatch@cslabs.clarkson.edu
privoxy:        logwatch@cslabs.clarkson.edu
ident:          logwatch@cslabs.clarkson.edu
named:          logwatch@cslabs.clarkson.edu
xfs:            logwatch@cslabs.clarkson.edu
gdm:            logwatch@cslabs.clarkson.edu
mailnull:       logwatch@cslabs.clarkson.edu
postgres:       logwatch@cslabs.clarkson.edu
sshd:           logwatch@cslabs.clarkson.edu
smmsp:          logwatch@cslabs.clarkson.edu
postfix:        logwatch@cslabs.clarkson.edu
netdump:        logwatch@cslabs.clarkson.edu
ldap:           logwatch@cslabs.clarkson.edu
squid:          logwatch@cslabs.clarkson.edu
ntp:            logwatch@cslabs.clarkson.edu
mysql:          logwatch@cslabs.clarkson.edu
desktop:        logwatch@cslabs.clarkson.edu
rpcuser:        logwatch@cslabs.clarkson.edu
rpc:            logwatch@cslabs.clarkson.edu
nfsnobody:      logwatch@cslabs.clarkson.edu

ingres:         logwatch@cslabs.clarkson.edu
system:         logwatch@cslabs.clarkson.edu
toor:           logwatch@cslabs.clarkson.edu
manager:        logwatch@cslabs.clarkson.edu
dumper:         logwatch@cslabs.clarkson.edu
abuse:          logwatch@cslabs.clarkson.edu

newsadm:        news
newsadmin:      news
usenet:         news
ftpadm:         ftp
ftpadmin:       ftp
ftp-adm:        ftp
ftp-admin:      ftp
www:            webmaster
webmaster:      logwatch@cslabs.clarkson.edu
noc:            logwatch@cslabs.clarkson.edu
security:       logwatch@cslabs.clarkson.edu
hostmaster:     logwatch@cslabs.clarkson.edu
info:           postmaster
marketing:      postmaster
sales:          postmaster
support:        postmaster


# trap decode to catch security attacks
decode:         logwatch@cslabs.clarkson.edu

# Person who should get roots's mail
root:           logwatch@cslabs.clarkson.edu

With that config file in place, update the aliases: 

/usr/bin/newaliases

SNMP

Install it: 

yum install net-snmp ntp

Configure the snmp daemon by editing /etc/snmp/snmpd.conf: 

rocommunity     <passphrase>  127.0.0.1
rocommunity     <passphrase>  <ipsallowed>
 
syslocation Clarkson University Applied CS Labs
syscontact Matt McCarrell <mccarrms@gmail.com>
disk /
disk /var
disk /boot
disk /mnt/raid
disk /mnt/lvg_storage
disk /mnt/storage1
disk /mnt/storage2
exec timeskew /usr/local/sbin/ntp_check
exec uptime /usr/bin/uptime

Copy the ntp_check script from Isengard to /usr/local/sbin. 

rsync <user>@isengard:/usr/local/sbin/ntp_check /usr/local/sbin
chown root.root /usr/local/sbin/ntp_check

Set SNMP to run on specific runlevels, then start it: 

/sbin/chkconfig --levels 2345 snmpd on
/etc/init.d/snmpd start

Logwatch

Increase the detail of the Logwatch report: 

echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf

Disable Unneeded Services

Referenced this page to determine which services are unneeded. Disabled the following services: 

chkconfig readahead_later off
chkconfig readahead_early off
chkconfig pcscd off
chkconfig kudzu off
chkconfig irda off
chkconfig haldaemon off
chkconfig gpm off
chkconfig firstboot off
chkconfig cups off
chkconfig avahi-dnsconfd off
chkconfig avahi-daemon off
chkconfig anacron off
chkconfig nfs off
chkconfig nfslock off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig rpcsvcgssd off
chkconfig portmap off
chkconfig netfs off
chkconfig autofs off
chkconfig bluetooth off
chkconfig hidd off
chkconfig messagebus off
chkconfig ypbind off

fstab

Modify /etc/fstab to increase performace. Adding option 'noatime' to all mounted partition causes unnecessary inode modification times to not be written, increasing I/O performance. 

/dev/root_lvg/root_lv   /                       ext3    defaults,noatime        1 1
/dev/md2                /storage                xfs     defaults,logbufs=8,noatime        1 2
/dev/root_lvg/tmp_lv    /tmp                    ext3    defaults,noatime        1 2
/dev/root_lvg/var_lv    /var                    ext3    defaults,noatime        1 2
/dev/md0                /boot                   ext2    defaults,noatime        1 2
/dev/root_lvg/home_lv   /home                   ext3    defaults,noatime        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/root_lvg/swap_lv   swap                    swap    defaults        0 0
Retrieved from "http://docs.cslabs.clarkson.edu/mediawiki/index.php?title=Storage_Setup_Process&oldid=7099"