Difference between revisions of "Storage Setup Process"
Older revision summary: (finished yum config section)
Newer revision summary: (added user configuration section)
Revision as of 16:12, 15 November 2010
This page summarizes how Storage was set up in Fall 2010.
Contents
- 1 Installation
- 2 Yum Configuration
- 3 User Configuration
- 4 Network Configuration
- 4.1 Configured Hosts
- 4.2 Configured DNS Servers
- 4.3 Disabled IP v6
- 4.4 Configured IPtables
- 4.5 Configured SSH
- 4.6 Configured Password Requirements
- 4.7 Added Custom PATH Variables
- 4.8 Modified Root's Crontab
- 4.9 Set Up & Configured NTP
- 4.10 Installed and Configured APCUPSD
- 4.11 Configured Aliases
- 4.12 Disabled CTRL-ALT-DELETE
- 4.13 Disabled Various Kernel Modules
- 4.14 Installed & Configured SNMP
- 4.15 Increased Detail of Logwatch Reports
- 4.16 Disabled Unneeded Services
- 4.17 Modified /etc/fstab to increase performance
Installation
Operating system: CentOS 5.5 x86_64
Partition Scheme
- /dev/md0: 100MB, /boot, mdRAID 1
- /dev/md1: 80GB, LVM (root_lvg), mdRAID 1
- /dev/root_lvg/root_lv: 65GB, /
- /dev/root_lvg/tmp_lv: 1GB, /tmp
- /dev/root_lvg/var_lv: 4GB, /var
- /dev/root_lvg/home_lv: 1GB, /home
- /dev/root_lvg/swap_lv: 4GB, swap
- /dev/md2: 3TB, /storage, mdRAID 10
Partition Types
The boot array is formatted as ext2, all other partitions except the storage array are formatted as ext3.
The storage partition is formatted as xfs, a robust filesystem that deals particularly well with large files. The filesystem was created with the following command:
mkfs.xfs -d agcount=1000 -l size=128m /dev/md2
This creates an xfs filesystem with 1000 AGs (each of 3GB) and a log size of 128MB. Having many AGs makes the filesystem more parallelizable at the cost of CPU cycles (of which we have plenty), and the larger-than-default log size increases the number of small writes that can be staged quickly in memory and committed asynchronously in contiguous bursts.
The filesystem is mounted in /etc/fstab with the following options:
/dev/md2 /storage xfs defaults,logbufs=8,noatime 1 2
This mounts the filesystem with 8 log buffers, again increasing the number of transactions that can be held in memory at once. The 'noatime' option stops inode access times from being updated on every read, which is a slight performance gain; it is safe here because access times are not generally used.
In order to use xfs in CentOS 5.5, the following packages were installed:
kmod-xfs xfsdump xfsprogs
Kickstart
This is the kickstart file appearing in /root after the install finished. There is a storage kickstart file living on Admin that was used for the netinstall.
# Kickstart file automatically generated by anaconda.

install
url --url http://mirror.clarkson.edu/centos/5/os/x86_64/
lang en_US.UTF-8
keyboard us
network --device eth0 --bootproto static --ip 128.153.145.40 --netmask 255.255.255.0 --gateway 128.153.145.1 --nameserver 128.153.0.254,128.153.5.254 --hostname storage
network --device eth1 --bootproto static --ip 10.0.1.35 --netmask 255.255.255.0 --gateway 128.153.145.1 --nameserver 128.153.0.254,128.153.5.254 --hostname storage
network --device eth2 --bootproto static --ip 10.0.0.15 --netmask 255.255.255.0 --gateway 128.153.145.1 --nameserver 128.153.0.254,128.153.5.254 --hostname storage
rootpw --iscrypted $1$5UvTrOQ1$ttBrGsABSlAoVyxdlf4wg/
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --permissive
timezone --utc America/New_York
bootloader --location=partition --driveorder=hda,hdb,sda,sdb,sdc,sdd,sde,sdf
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
#part raid.1 --noformat --onpart hda1
#part raid.3 --noformat --onpart hdb1
#part raid.10 --noformat --onpart sdf1
#part raid.9 --noformat --onpart sde1
#part raid.8 --noformat --onpart sdd1
#part raid.7 --noformat --onpart sdc1
#part raid.6 --noformat --onpart sdb1
#part raid.5 --noformat --onpart sda1
#part raid.4 --noformat --onpart hdb2
#part raid.2 --noformat --onpart hda2
#raid /boot --useexisting --fstype ext2 --level=RAID1 --device=md0 raid.1 raid.3
#raid pv.13 --noformat --useexisting --fstype "physical volume (LVM)" --level=RAID1 --device=md1 raid.2 raid.4
#raid /storage --useexisting --fstype ext3 --level=RAID10 --device=md2 raid.5 raid.6 raid.7 raid.8 raid.9 raid.10
#volgroup root_lvg --noformat --useexisting --pesize=32768 pv.13
#logvol /home --useexisting --fstype ext3 --name=home_lv --vgname=root_lvg --size=1024
#logvol /var --useexisting --fstype ext3 --name=var_lv --vgname=root_lvg --size=4096
#logvol / --useexisting --fstype ext3 --name=root_lv --vgname=root_lvg --size=65952
#logvol swap --useexisting --fstype swap --name=swap_lv --vgname=root_lvg --size=4096
#logvol /tmp --useexisting --fstype ext3 --name=tmp_lv --vgname=root_lvg --size=1024

%packages
@base
@core
device-mapper-multipath
vim-enhanced
gcc
emacs-nox
screen
-bluez-utils
-cpuspeed
-NetworkManager
Yum Configuration
Extra Repositories
Added RPMForge repository from Dag Wieers:
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
Added Fedora EPEL Repository from Mirror.
rpm -Uvh http://mirror.clarkson.edu/epel//5/x86_64/epel-release-5-4.noarch.rpm
Repositories
All .repo files in /etc/yum.repos.d/ must be made to point to Mirror wherever possible. The exception is Dag Wieers, which we do not mirror. In order to accomplish this, the following files were edited:
CentOS-Base.repo epel.repo epel-testing.repo rpmforge.repo
The following files were not modified, but will appear in this documentation for the sake of completion:
CentOS-Media.repo mirrors-rpmforge
CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
baseurl=http://mirror.clarkson.edu/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
#baseurl=http://mirror.centos.org/centos/$releasever/addons/$basearch/
baseurl=http://mirror.clarkson.edu/centos/$releasever/addons/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
baseurl=http://mirror.clarkson.edu/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
baseurl=http://mirror.clarkson.edu/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
CentOS-Media.repo
Note that this repository is not enabled.
# CentOS-Media.repo
#
# This repo is used to mount the default locations for a CDROM / DVD on
# CentOS-5. You can use this repo and yum to install items directly off the
# DVD ISO that we release.
#
# To use this repo, put in your DVD and use it with the other repos too:
#  yum --enablerepo=c5-media [command]
#
# or for ONLY the media repo, do this:
#
#  yum --disablerepo=\* --enablerepo=c5-media [command]

[c5-media]
name=CentOS-$releasever - Media
baseurl=file:///media/CentOS/
        file:///media/cdrom/
        file:///media/cdrecorder/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
epel.repo
[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
epel-testing.repo
[epel-testing]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

[epel-testing-source]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
mirrors-rpmforge
http://apt.sw.be/redhat/el5/en/$ARCH/dag
http://archive.cs.uu.nl/mirror/dag.wieers/redhat/el5/en/$ARCH/dag
http://ftp2.lcpe.uni-sofia.bg/freshrpms/pub/dag/redhat/el5/en/$ARCH/dag
#http://ftp.heanet.ie/pub/freshrpms/pub/dag/redhat/el5/en/$ARCH/dag
http://ftp-stud.fht-esslingen.de/dag/redhat/el5/en/$ARCH/dag
http://mirror.cpsc.ucalgary.ca/mirror/dag/redhat/el5/en/$ARCH/dag
http://mirrors.ircam.fr/pub/dag/redhat/el5/en/$ARCH/dag
http://rh-mirror.linux.iastate.edu/pub/dag/redhat/el5/en/$ARCH/dag
http://rpmfind.net/linux/dag/redhat/el5/en/$ARCH/dag
http://wftp.tu-chemnitz.de/pub/linux/dag/redhat/el5/en/$ARCH/dag
http://www.mirrorservice.org/sites/apt.sw.be/redhat/el5/en/$ARCH/dag
rpmforge.repo
# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
# URL: http://rpmforge.net/
[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
#baseurl = http://apt.sw.be/redhat/el5/en/$basearch/dag
#mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
baseurl = http://mirror.clarkson.edu/rpmforge/redhat/el5/en/$basearch/dag
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
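The mirror-only rule above is easy to break silently: a package update can drop a stock .repo file back into /etc/yum.repos.d/ pointing at the public mirrors, or with gpgcheck turned off. The script below is an added example, not part of the original page, that walks one .repo file section by section and reports every enabled repository whose gpgcheck is not 1 or whose baseurl is not on the expected mirror host. The host name mirror.clarkson.edu is taken from the configs above; the sample .repo file the script writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: audit a yum .repo file against the
# policy described above (every enabled repository pulls from Mirror and has
# gpgcheck=1). The host name mirror.clarkson.edu comes from the configs above;
# the sample .repo written by write_sample_repo is constructed for this demo.

# Print one line per enabled section ([name] with enabled=1 or unset) whose
# gpgcheck is not 1 or whose baseurl is not on the expected mirror host.
# Sections with enabled=0 (such as c5-media's file:// URLs) are skipped.
# Usage: audit_repo_file FILE MIRRORHOST
audit_repo_file() {
    awk -v mirror="$2" '
        function report() {
            if (sec == "" || enabled == "0") return
            if (gpg != "1")
                printf "%s: gpgcheck is \"%s\", expected 1\n", sec, gpg
            if (url == "" || index(url, "://" mirror "/") == 0)
                printf "%s: baseurl %s is not on %s\n", sec, url, mirror
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        /^[ \t]*\[/ {                                      # new [section]: report the previous one
            report()
            sec = substr($0, index($0, "[") + 1, index($0, "]") - index($0, "[") - 1)
            enabled = ""; gpg = ""; url = ""
            next
        }
        index($0, "=") {                                   # key = value (spaces around = allowed)
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpg = val
            else if (key == "baseurl") url = val
        }
        END { report() }
    ' "$1"
}

# Number of findings, for use as a pass/fail check in a script.
repo_findings_count() {
    audit_repo_file "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: one compliant section, one still pointing upstream,
# one with signature checking off, one disabled (and therefore ignored).
write_sample_repo() {
    cat > "$1" <<'EOF'
# constructed sample .repo file for the audit demo
[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[upstream]
name=Still pointing at the public mirror
baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1

[nogpg]
name=Signature checking turned off
baseurl = http://mirror.clarkson.edu/extra/$basearch/
gpgcheck = 0

[disabled]
name=Disabled, so not reported
baseurl=http://example.invalid/$basearch/
gpgcheck=0
enabled=0
EOF
}

# Demo run on the constructed sample; on the real host use
#   for f in /etc/yum.repos.d/*.repo; do audit_repo_file "$f" mirror.clarkson.edu; done
sample=$(mktemp)
write_sample_repo "$sample"
audit_repo_file "$sample" mirror.clarkson.edu
rm -f "$sample"
```

On the host, loop over /etc/yum.repos.d/*.repo with the same host argument; any output means a repository has drifted from the mirror-only, signed-packages policy. Disabled sections are deliberately ignored so that CentOS-Media.repo, whose file:// URLs can never be on the mirror, does not raise a false alarm.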
Final Yum Config
Disable Yum fastestmirror plugin since we are pulling from Mirror only.
sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf
Install yum priorities plugin:
yum install yum-priorities
Configure yum priorities to check for obsoletes:
echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf
Install a few useful extra packages:
yum install vim-enhanced gcc emacs-nox screen iftop
Update the system:
yum update
User Configuration
Adding Users
Created users for all maintainers / interested parties (don't forget to set passwords with passwd <username>):
useradd -m platekme
useradd -m kopptr
useradd -m mccarrms
Add administrative users to group 'wheel' so they can use sudo. For example,
gpasswd -a platekme wheel
Configure Sudo
Edit /etc/sudoers the safe way with the command
visudo
Note that this configuration allows all users in group 'wheel' to run any command through sudo without being asked for a password (the NOPASSWD rule below), so membership in 'wheel' is equivalent to root access.
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhap using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su

## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/userhelper, /usr/sbin/usermod, /usr/sbin/usernetctl

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
# Defaults requiretty
Defaults env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                     LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                     LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                     LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                     LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                     _XKB_CHARSET XAUTHORITY"

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

## Same thing without a password
%wheel  ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
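After a sudoers edit, the two questions a reviewer asks are "who can run anything as root?" and "who can do it without a password?". The script below is an added example, not part of the original page: it skips comments, Defaults lines and alias definitions in a sudoers file of the stock CentOS layout shown above and prints every remaining user specification with a tag (NOPASSWD, ALLCMDS or LIMITED), so the answer is visible at a glance. The sample file it writes is constructed from the layout above.

```shell
#!/bin/sh
# Added example, not from the original page: summarise the user specifications
# in a sudoers file so a reviewer sees who can run what as root and whether a
# password is required. Layout assumptions match the stock CentOS file above:
# '#' comments, Defaults lines, *_Alias definitions, then user/group rules.
# The sample written by write_sample_sudoers is constructed.

# Print each user specification prefixed with a tag:
#   NOPASSWD  the rule carries the NOPASSWD: tag
#   ALLCMDS   the command list is ALL (any command, password required)
#   LIMITED   anything else (a Cmnd_Alias or explicit paths)
# Lines starting with '#' are skipped, so #include/#includedir are not followed.
# Usage: sudoers_rules FILE
sudoers_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*Defaults/ { next }
        /^[ \t]*(Host|User|Cmnd|Runas)_Alias/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /NOPASSWD:/)                                  tag = "NOPASSWD"
            else if (line ~ /=[ \t]*(\([^)]*\)[ \t]*)?ALL[ \t]*$/)   tag = "ALLCMDS"
            else                                                     tag = "LIMITED"
            printf "%s\t%s\n", tag, line
        }
    ' "$1"
}

# Count the rules carrying one tag, e.g. sudoers_count_tag /etc/sudoers NOPASSWD
sudoers_count_tag() {
    sudoers_rules "$1" | awk -F '\t' -v t="$2" '$1 == t { n++ } END { print n + 0 }'
}

# Constructed sample, trimmed from the layout above.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
## constructed sample, trimmed from the layout above
Defaults env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
root ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
%sys ALL = SOFTWARE
%users localhost=/sbin/shutdown -h now
EOF
}

# Demo on the constructed sample; on the host run it on /etc/sudoers after
# 'visudo -c' has confirmed the file parses.
sample=$(mktemp)
write_sample_sudoers "$sample"
sudoers_rules "$sample"
rm -f "$sample"
```

Run it after `visudo -c` (or `visudo -c -f FILE` for a copy) has confirmed the syntax; a NOPASSWD line for a whole group, as in the configuration above, is the one to justify in the review, since everyone in that group can reach root with no second factor of any kind.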
Network Configuration
- Configured hostname in /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=mirror
GATEWAY=128.153.145.1
- Verified eth0 configuration for Clarkson Network in /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82541PI Gigabit Ethernet Controller
DEVICE=eth0
BOOTPROTO=static
BROADCAST=128.153.145.255
HWADDR=00:1B:21:28:C8:48
IPADDR=128.153.145.19
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
- Verified eth1 configuration for the Server Room Network in /etc/sysconfig/network-scripts/ifcfg-eth1
# Intel Corporation 82566DM-2 Gigabit Network Connection
DEVICE=eth1
BOOTPROTO=static
BROADCAST=10.0.1.255
HWADDR=00:30:48:9A:DB:26
IPADDR=10.0.1.36
NETMASK=255.255.255.0
NETWORK=10.0.1.0
ONBOOT=yes
- Verified eth2 configuration for the Internal Network in /etc/sysconfig/network-scripts/ifcfg-eth2
# Intel Corporation 82573L Gigabit Ethernet Controller
DEVICE=eth2
BOOTPROTO=static
BROADCAST=10.0.0.255
HWADDR=00:30:48:9A:DB:27
IPADDR=10.0.0.14
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes
Configured Hosts
- Edited /etc/hosts
127.0.0.1 localhost.localdomain localhost
128.153.145.19 mirror.clarkson.edu mirror.cslabs.clarkson.edu mirror.cslabs mirror
10.0.1.36 mirror.sr.cslabs.clarkson.edu mirror.sr.cslabs mirror.sr
10.0.0.14 mirror.int.cslabs.clarkson.edu mirror.int.cslabs mirror.int
- Edited /etc/hosts.allow
For security purposes, this information has been intentionally left off.
- Edited /etc/hosts.deny
ALL: ALL
Configured DNS Servers
- Edited /etc/resolv.conf
search cslabs.clarkson.edu clarkson.edu
nameserver 128.153.145.3
nameserver 128.153.145.4
Disabled IP v6
- Appended the following to /etc/modprobe.conf
install ipv6 /bin/true
- Disabled IP v6 firewall
/sbin/chkconfig ip6tables off
Configured IPtables
Due to the sensitivity of this material, this config file has been left off; however, the following rules are needed.
- Restarted iptables
/etc/init.d/iptables restart
Configured SSH
- Edited /etc/ssh/sshd_config
Due to the sensitivity of this material, this config file has been left off.
- Restarted sshd
/etc/init.d/sshd restart
Set Up SSH Login Banner
- Edited /etc/issue.net
_
__ _ (_)__________ ____
/ ' \/ / __/ __/ _ \/ __/
/_/_/_/_/_/ /_/ \___/_/
Configured Password Requirements
- Edited /etc/login.defs
MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 360
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 60
UID_MIN 500
UID_MAX 60000
GID_MIN 500
GID_MAX 60000
CREATE_HOME yes
UMASK 077
USERGROUPS_ENAB yes
MD5_CRYPT_ENAB yes
ENCRYPT_METHOD MD5
Added Custom PATH Variables
- Added the following to /etc/profile
PATH=$PATH:/usr/sbin:/sbin
export PATH
Modified Root's Crontab
crontab -e
# Used to update locate database
0 * * * * /usr/bin/updatedb
Set Up & Configured NTP
- Installed NTP
yum install ntp
- Edited /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict tick.clarkson.edu mask 255.255.255.255 nomodify notrap noquery
restrict tock.clarkson.edu mask 255.255.255.255 nomodify notrap noquery
server tick.clarkson.edu
server tock.clarkson.edu
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
- Edited /etc/ntp/step-tickers
tick.clarkson.edu
tock.clarkson.edu
- Configured ntpd to start on boot
/sbin/chkconfig --levels 2345 ntpd on
- Started ntpd
/etc/init.d/ntpd start
Configured ntpd to Sync Hardware Clock
- Edited /etc/sysconfig/ntpd
# Drop root to id 'ntp:ntp' by default.
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"
# Set to 'yes' to sync hw clock after successful ntpdate
SYNC_HWCLOCK=yes
# Additional options for ntpdate
NTPDATE_OPTIONS=""
Installed and Configured APCUPSD
This package is used to monitor the UPS which Mirror is plugged into and is used to shutdown the system in the event of a power failure.
Configured to Power On when Power is Restored
- Edited the BIOS to have "Restore on AC/Power Loss" set to "Power On".
Installed and configured apcupsd
- Installed apcupsd
yum install apcupsd
- Edited /etc/apcupsd/apcupsd.conf
## apcupsd.conf v1.1 ##
UPSNAME ups3
UPSCABLE ether
UPSTYPE net
DEVICE 128.153.145.215:3551
LOCKFILE /var/lock
SCRIPTDIR /etc/apcupsd
PWRFAILDIR /etc/apcupsd
NOLOGINDIR /etc
ONBATTERYDELAY 6
BATTERYLEVEL 10
MINUTES 15
TIMEOUT 0
ANNOY 300
ANNOYDELAY 60
NOLOGON disable
KILLDELAY 0
NETSERVER on
NISIP 127.0.0.1
NISPORT 3551
EVENTSFILE /var/log/apcupsd.events
EVENTSFILEMAX 10
UPSCLASS standalone
UPSMODE disable
STATTIME 0
STATFILE /var/log/apcupsd.status
LOGSTATS off
DATATIME 0
SELFTEST 336
- Configured apcupsd to start on boot
/sbin/chkconfig --levels 2345 apcupsd on
- Started apcupsd
/etc/init.d/apcupsd start
Configured Aliases
- Edited /etc/aliases
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: logwatch@cslabs.clarkson.edu
# General redirections for pseudo accounts.
bin: logwatch@cslabs.clarkson.edu
daemon: logwatch@cslabs.clarkson.edu
adm: logwatch@cslabs.clarkson.edu
lp: logwatch@cslabs.clarkson.edu
sync: logwatch@cslabs.clarkson.edu
shutdown: logwatch@cslabs.clarkson.edu
halt: logwatch@cslabs.clarkson.edu
mail: logwatch@cslabs.clarkson.edu
news: logwatch@cslabs.clarkson.edu
uucp: logwatch@cslabs.clarkson.edu
operator: logwatch@cslabs.clarkson.edu
games: logwatch@cslabs.clarkson.edu
gopher: logwatch@cslabs.clarkson.edu
ftp: logwatch@cslabs.clarkson.edu
nobody: logwatch@cslabs.clarkson.edu
radiusd: logwatch@cslabs.clarkson.edu
nut: logwatch@cslabs.clarkson.edu
dbus: logwatch@cslabs.clarkson.edu
vcsa: logwatch@cslabs.clarkson.edu
canna: logwatch@cslabs.clarkson.edu
wnn: logwatch@cslabs.clarkson.edu
rpm: logwatch@cslabs.clarkson.edu
nscd: logwatch@cslabs.clarkson.edu
pcap: logwatch@cslabs.clarkson.edu
apache: logwatch@cslabs.clarkson.edu
webalizer: logwatch@cslabs.clarkson.edu
dovecot: logwatch@cslabs.clarkson.edu
fax: logwatch@cslabs.clarkson.edu
quagga: logwatch@cslabs.clarkson.edu
radvd: logwatch@cslabs.clarkson.edu
pvm: logwatch@cslabs.clarkson.edu
amanda: logwatch@cslabs.clarkson.edu
privoxy: logwatch@cslabs.clarkson.edu
ident: logwatch@cslabs.clarkson.edu
named: logwatch@cslabs.clarkson.edu
xfs: logwatch@cslabs.clarkson.edu
gdm: logwatch@cslabs.clarkson.edu
mailnull: logwatch@cslabs.clarkson.edu
postgres: logwatch@cslabs.clarkson.edu
sshd: logwatch@cslabs.clarkson.edu
smmsp: logwatch@cslabs.clarkson.edu
postfix: logwatch@cslabs.clarkson.edu
netdump: logwatch@cslabs.clarkson.edu
ldap: logwatch@cslabs.clarkson.edu
squid: logwatch@cslabs.clarkson.edu
ntp: logwatch@cslabs.clarkson.edu
mysql: logwatch@cslabs.clarkson.edu
desktop: logwatch@cslabs.clarkson.edu
rpcuser: logwatch@cslabs.clarkson.edu
rpc: logwatch@cslabs.clarkson.edu
nfsnobody: logwatch@cslabs.clarkson.edu
ingres: logwatch@cslabs.clarkson.edu
system: logwatch@cslabs.clarkson.edu
toor: logwatch@cslabs.clarkson.edu
manager: logwatch@cslabs.clarkson.edu
dumper: logwatch@cslabs.clarkson.edu
abuse: logwatch@cslabs.clarkson.edu
newsadm: news
newsadmin: news
usenet: news
ftpadm: ftp
ftpadmin: ftp
ftp-adm: ftp
ftp-admin: ftp
www: webmaster
webmaster: logwatch@cslabs.clarkson.edu
noc: logwatch@cslabs.clarkson.edu
security: logwatch@cslabs.clarkson.edu
hostmaster: logwatch@cslabs.clarkson.edu
info: postmaster
marketing: postmaster
sales: postmaster
support: postmaster
# trap decode to catch security attacks
decode: logwatch@cslabs.clarkson.edu
# Person who should get roots's mail
root: logwatch@cslabs.clarkson.edu
- Updated aliases
/usr/bin/newaliases
Disabled CTRL-ALT-DELETE
- Removed trap entry to prevent accidental reboots
sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab
- Made Changes Active
init q
Disabled Various Kernel Modules
- Added the following to /etc/modprobe.conf
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true
Installed & Configured SNMP
- Installed needed packages
yum install net-snmp ntp
- Configured SNMP Daemon
/etc/snmp/snmpd.conf
rocommunity <passphrase> 127.0.0.1
rocommunity <passphrase> <ipsallowed>
syslocation Clarkson University Applied CS Labs
syscontact Matt McCarrell <mccarrms@gmail.com>
disk /
disk /var
disk /boot
disk /mnt/raid
disk /mnt/lvg_storage
disk /mnt/storage1
disk /mnt/storage2
exec timeskew /usr/local/sbin/ntp_check
exec uptime /usr/bin/uptime
- Deployed the ntp_check script: copied /usr/local/sbin/ntp_check from Isengard to /usr/local/sbin/ and set its ownership
chown root.root /usr/local/sbin/ntp_check
- Configured SNMP to start at specific run levels
/sbin/chkconfig --levels 2345 snmpd on
- Started daemon
/etc/init.d/snmpd start
Increased Detail of Logwatch Reports
- Set detail level to be high
echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf
Disabled Unneeded Services
- Referenced this page
chkconfig nfs off
/etc/init.d/nfs stop
chkconfig nfslock off
/etc/init.d/nfslock stop
chkconfig rpcgssd off
/etc/init.d/rpcgssd stop
chkconfig rpcidmapd off
/etc/init.d/rpcidmapd stop
chkconfig rpcsvcgssd off
/etc/init.d/rpcsvcgssd stop
chkconfig portmap off
/etc/init.d/portmap stop
chkconfig netfs off
/etc/init.d/netfs stop
chkconfig anacron off
/etc/init.d/anacron stop
chkconfig autofs off
/etc/init.d/autofs stop
chkconfig avahi-daemon off
/etc/init.d/avahi-daemon stop
chkconfig avahi-dnsconfd off
/etc/init.d/avahi-dnsconfd stop
chkconfig bluetooth off
/etc/init.d/bluetooth stop
chkconfig hidd off
/etc/init.d/hidd stop
chkconfig cups off
/etc/init.d/cups stop
chkconfig firstboot off
/etc/init.d/firstboot stop
chkconfig gpm off
/etc/init.d/gpm stop
chkconfig haldaemon off
/etc/init.d/haldaemon stop
chkconfig irda off
/etc/init.d/irda stop
chkconfig kudzu off
/etc/init.d/kudzu stop
chkconfig messagebus off
/etc/init.d/messagebus stop
chkconfig microcode_ctl off
/etc/init.d/microcode_ctl stop
chkconfig pcscd off
/etc/init.d/pcscd stop
chkconfig readahead_early off
/etc/init.d/readahead_early stop
chkconfig readahead_later off
/etc/init.d/readahead_later stop
chkconfig ypbind off
/etc/init.d/ypbind stop
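The list above turns each service off and stops it, but nothing in it confirms the result, and a later package update or a `chkconfig --add` can quietly re-enable one. The script below is an added example, not part of the original page: it reads `chkconfig --list` output and reports every service from the disable list that is still on in some runlevel. The service list is a constructed subset of the one above, and the chkconfig output is a constructed sample so the check runs offline; on the host, pipe the real `chkconfig --list` into it.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that services turned off
# above stay off by reading `chkconfig --list` output and reporting any listed
# service that is still on in some runlevel. The service list is a constructed
# subset of the one above and the chkconfig output is a constructed sample.

# Services that should be off (constructed subset of the page's list).
UNNEEDED_SERVICES="nfs nfslock portmap cups bluetooth avahi-daemon kudzu"

# Read chkconfig --list style lines on stdin and print "service runlevels" for
# every service in the list that is on in at least one runlevel.
# Usage: services_still_enabled "svc1 svc2 ..." < output_of_chkconfig_list
services_still_enabled() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) {
            on = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /:on$/)
                    on = on (on == "" ? "" : ",") substr($i, 1, index($i, ":") - 1)
            if (on != "") print $1, on
        }
    '
}

# Constructed sample of chkconfig --list output: two services were stopped but
# not removed from their runlevels; sshd is on by design and not in the list.
sample_chkconfig_output() {
    cat <<'EOF'
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:off   4:off   5:off   6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        rsync:  off
EOF
}

# Demo on the sample; on the host:
#   chkconfig --list | services_still_enabled "$UNNEEDED_SERVICES"
sample_chkconfig_output | services_still_enabled "$UNNEEDED_SERVICES"
```

An empty result means the disable list holds; each reported line names the service and the runlevels it would start in, which is exactly the `chkconfig NAME off` that still needs to be rerun.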
Modified /etc/fstab to increase performance
- Configured to not update inode access times
/dev/root_lvg/root_lv / ext3 defaults 1 1
/dev/md2 /mnt/raid ext3 defaults,noatime 1 2
/dev/storage_lvg/storage_lv /mnt/lvg_storage ext3 defaults,noatime 1 2
/dev/md0 /boot ext3 defaults 1 2
/dev/root_lvg/var_lv /var ext3 defaults 1 2
LABEL=/mnt/storage1 /mnt/storage1 ext3 defaults,noatime 1 2
LABEL=/mnt/storage2 /mnt/storage2 ext3 defaults,noatime 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/root_lvg/swap_lv swap swap defaults 0 0