Configuring the Frontends
Record of configuration done to frontends. Updated Dec 16th for msurx build.
Connecting
You can ssh to the frontend as root to perform these actions. Root's ssh keys will automatically be generated on first login.
Disable named
Disable the name server until it is configured (not a worry in a test environment, but can be an issue in our production environment).
chkconfig named off
service named stop
Set Run Level 3
Prefer to have the system at run level 3 (no X11). Edit /etc/inittab and then issue the command "telinit 3".
Apply service pack
With 5.2.2 we had a problem installing the service pack during the initial install, so it is added at this point.
If it wasn't done during the install, get the latest ROCKS update and apply it. Directions are at
http://www.rocksclusters.org/ --- follow them, with the addition of touching the rpms before rebuilding the distro.
Note that ROCKS judges the newness of an rpm by its timestamp, so "touch" all the rpms from the service pack so that they are considered newest.
# touch /export/rocks/install/rolls/service-pack/5.2.2/x86_64/RedHat/RPMS/*
Do it
[root@msurx ~]# wget http://www.rocksclusters.org/ftp-site/pub/rocks/rocks-5.2/linux/service-pack-5.2.2-1.x86_64.disk1.iso
[root@msurx ~]# rocks add roll service-pack-5.2.2-1.x86_64.disk1.iso
[root@msurx ~]# rocks list roll
NAME VERSION ARCH ENABLED
kernel: 5.2 x86_64 yes
base: 5.2 x86_64 yes
ganglia: 5.2 x86_64 yes
web-server: 5.2 x86_64 yes
LTS: 5.2 x86_64 yes
LTS: 5.2 x86_64 yes
service-pack: 5.2.2 x86_64 no
[root@msurx ~]# rocks enable roll service-pack version=5.2.2
[root@msurx ~]# cd /export/rocks/install/
[root@msurx install]# touch rolls/service-pack/5.2.2/x86_64/RedHat/RPMS/*
[root@msurx install]# rocks create distro
[root@msurx install]# rocks run roll service-pack | bash
[root@msurx install]# sh /tmp/finish-install-sp.sh
[root@msurx install]# shutdown -r now
Restrict SSH
Put the admin's ssh keys in /root/.ssh/authorized_keys and turn off password ssh for root. Also, tell sshd to listen on the private network only:
ListenAddress 10.10.128.12
PermitRootLogin without-password
X11Forwarding yes
Turn off default X11 forwarding in /etc/ssh/ssh_config
ForwardX11 no
Restart sshd to pick up the changes. Use lsof to verify that sshd is only listening on the proper ports.
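Added example, not part of the original page: a small audit script that checks an sshd_config for the settings described above before sshd is restarted. The two config files are constructed samples written to a temp directory; the private address 10.10.128.12 is the page's own. The script resolves keywords the way sshd does (the first uncommented value of a keyword wins, which is why appending a hardened line after a stock "PermitRootLogin yes" has no effect), and treats every ListenAddress line as applying, since that keyword may be repeated.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an sshd_config against the
# policy above: bind only to the private address, key-only root login.

# effective KEYWORD FILE -> the value sshd will use: the FIRST uncommented
# occurrence.  Anything after a "Match" line is conditional and is ignored.
effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/        { next }             # comment
        NF == 0                 { next }             # blank line
        tolower($1) == "match"  { exit }             # conditional section: stop
        tolower($1) == key      { print $2; exit }   # first value wins
    ' "$2"
}

# listen_addresses FILE -> every ListenAddress value (all of them apply).
listen_addresses() {
    awk '
        /^[[:space:]]*#/                { next }
        NF == 0                         { next }
        tolower($1) == "match"          { exit }
        tolower($1) == "listenaddress"  { print $2 }
    ' "$1"
}

# audit_sshd_config FILE PRIVATE_IP -> exit 0 only if every check passes.
audit_sshd_config() {
    cfg="$1"; want_ip="$2"; rc=0

    # 1. sshd must bind only to the private address (no 0.0.0.0, ::, or public IP).
    addrs=$(listen_addresses "$cfg")
    if [ -z "$addrs" ]; then
        echo "FAIL ListenAddress: none set, sshd will bind to all interfaces"; rc=1
    else
        for a in $addrs; do
            host=${a%:*}                       # drop an optional ":port" suffix
            if [ "$host" = "$want_ip" ]; then
                echo "ok   ListenAddress $a"
            else
                echo "FAIL ListenAddress: $a is not the private address $want_ip"; rc=1
            fi
        done
    fi

    # 2. root may log in with a key only.  "without-password" is the spelling
    #    of the page's OpenSSH; 7.0 and later also accept "prohibit-password".
    #    Unset means the compiled-in default, which on OpenSSH of that era is "yes".
    prl=$(effective PermitRootLogin "$cfg")
    case "$prl" in
        without-password|prohibit-password|no) echo "ok   PermitRootLogin $prl" ;;
        *) echo "FAIL PermitRootLogin: '${prl:-unset}'"; rc=1 ;;
    esac
    return $rc
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
GOOD_CFG="$tmp/sshd_config.good"
BAD_CFG="$tmp/sshd_config.bad"

# Constructed sample: the settings the page describes.
cat > "$GOOD_CFG" <<'EOF'
# sshd_config (constructed sample)
ListenAddress 10.10.128.12
PermitRootLogin without-password
X11Forwarding yes
EOF

# Constructed sample of a common mistake: the hardened line was appended after
# a stock "PermitRootLogin yes" (sshd keeps the first value) and ListenAddress
# was left at the catch-all address.
cat > "$BAD_CFG" <<'EOF'
ListenAddress 0.0.0.0
PermitRootLogin yes
PermitRootLogin without-password
EOF

echo "== good =="; audit_sshd_config "$GOOD_CFG" 10.10.128.12
echo "== bad  =="; audit_sshd_config "$BAD_CFG" 10.10.128.12 || echo "-> bad config rejected"
```

Run it against /etc/ssh/sshd_config with the frontend's private address as the second argument; a non-zero exit means sshd should not be restarted yet.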
Restrict Firewall
ROCKS sets up pretty reasonable firewall rules. We do remove the rule that allows ssh from anywhere, and http and https on the public side.
Removed these rules
Just left as is for now
# Allow these ports
-A INPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT
# http and https is allowed for all nodes on the public subnet
-A INPUT -m state --state NEW -p tcp --dport https --source 192.41.236.0/255.255.254.0 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport www --source 192.41.236.0/255.255.254.0 -j ACCEPT
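Added example, not part of the original page: a scan over rules in the iptables-save format quoted above that lists every ACCEPT rule opening a TCP port to any source, which is the property the ssh rule above has and the http/https rules do not. The first rule file is a constructed copy of the page's three rules; the hardened variant, and the choice to count "-s/--source" and "-i <iface>" matches as restrictions and the private subnet as 10.10.0.0/16, are my assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): find INPUT rules that accept new TCP
# connections on a port without any source or interface restriction.

# report_open_ports FILE -> one line "<dport> open-to-anywhere" per rule that
# accepts a --dport with neither a --source/-s nor an -i match.
report_open_ports() {
    awk '
        /^-A INPUT / && /-j ACCEPT/ && /--dport/ {
            port = ""; restricted = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--source" || $i == "-s" || $i == "-i") restricted = 1
            }
            if (!restricted) print port " open-to-anywhere"
        }
    ' "$1"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
AS_INSTALLED="$tmp/rules.installed"
HARDENED="$tmp/rules.hardened"

# Constructed copy of the rules quoted on the page (iptables-save format, as in
# /etc/sysconfig/iptables).
cat > "$AS_INSTALLED" <<'EOF'
# Allow these ports
-A INPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT
# http and https is allowed for all nodes on the public subnet
-A INPUT -m state --state NEW -p tcp --dport https --source 192.41.236.0/255.255.254.0 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport www --source 192.41.236.0/255.255.254.0 -j ACCEPT
EOF

# Constructed variant: ssh limited to the private subnet (assumed 10.10.0.0/16),
# matching the sshd ListenAddress restriction described earlier.
cat > "$HARDENED" <<'EOF'
-A INPUT -m state --state NEW -p tcp --dport ssh -s 10.10.0.0/16 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport https --source 192.41.236.0/255.255.254.0 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport www --source 192.41.236.0/255.255.254.0 -j ACCEPT
EOF

echo "== as installed =="; report_open_ports "$AS_INSTALLED"   # ssh open-to-anywhere
echo "== hardened     =="; report_open_ports "$HARDENED"       # prints nothing
```

On a live frontend, feed it `iptables-save` output (or /etc/sysconfig/iptables) instead of the constructed file. Note that a rule matched only by "-i eth1" (the public side) would still be reported as restricted by this check, so the interface name should be read along with the port.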
Restrict Web Server
The ROCKS webserver setup should be tighter. It relies on the firewall for some access control, but we wish to have tighter rules on the webserver itself.
To Do
Check Rolls
(Have reinstalled without HPC roll...)
Note that LTS is listed twice because it comes on two DVDs.
[root@msurxi ~]# rocks list roll
NAME VERSION ARCH ENABLED
kernel: 5.2 x86_64 yes
base: 5.2 x86_64 yes
ganglia: 5.2 x86_64 yes
web-server: 5.2 x86_64 yes
LTS: 5.2 x86_64 yes
LTS: 5.2 x86_64 yes
service-pack: 5.2.2 x86_64 yes
What does the environment look like?
[root@msurxi ~]# echo $PATH | perl -p -e 's/:/\n/g'
/usr/kerberos/sbin
/usr/kerberos/bin
/usr/local/sbin
/usr/local/bin
/sbin
/bin
/usr/sbin
/usr/bin
/opt/ganglia/bin
/opt/ganglia/sbin
/opt/rocks/bin
/opt/rocks/sbin
/root/bin
[root@msurxi ~]# printenv | sort
ANT_HOME=/opt/rocks
CVS_RSH=ssh
DISPLAY=localhost:11.0
G_BROKEN_FILENAMES=1
HISTSIZE=1000
HOME=/root
HOSTNAME=msurxi.aglt2.org
INPUTRC=/etc/inputrc
LANG=en_US.iso885915
LESSOPEN=|/usr/bin/lesspipe.sh %s
LOGNAME=root
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
MAIL=/var/spool/mail/root
PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/ganglia/bin:/opt/ganglia/sbin:/opt/rocks/bin:/opt/rocks/sbin:/root/bin
PWD=/root
ROCKS_ROOT=/opt/rocks
ROCKSROOT=/opt/rocks/share/devel
ROLLSROOT=/opt/rocks/share/devel/src/roll
SHELL=/bin/bash
SHLVL=1
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
SSH_CLIENT=10.10.2.20 44321 22
SSH_CONNECTION=10.10.2.20 44321 10.10.128.12 22
SSH_TTY=/dev/pts/5
TERM=xterm
USER=root
_=/usr/bin/printenv
The default ~/.bash_profile is putting ~/bin in PATH. Add a /root/bin dir:
mkdir /root/bin
Local domain name change
We wish to use ".msulocal" instead of ".local" for the private network domain name; this is not an option during the install:
[root@msurxi ~]# rocks set attr Kickstart_PrivateDNSDomain msulocal
[root@msurxi ~]# rocks sync config
/etc/hosts and DNS are updated, but the search entry in /etc/resolv.conf is not; fix that:
rocks report resolv > /etc/resolv.conf
DNS seems good (note that aglt2.org is not under our direct control...):
Note that the local nameserver is off...
[root@msurxi ~]# host msurxi
msurxi.msulocal has address 10.10.128.12
[root@msurxi ~]# host 10.10.128.12
12.128.10.10.in-addr.arpa domain name pointer msurxi.msulocal.
[root@msurxi ~]# host msurxi.aglt2.org
msurxi.aglt2.org has address 192.41.236.12
[root@msurxi ~]# host 192.41.236.12
12.236.41.192.in-addr.arpa domain name pointer msurxi.aglt2.org.
SVN
Most of the host setup is in SVN, so we want to be able to start using it.
Install using yum; this gets 1.4.2 from SL53, but that is ok for now.
yum install subversion
Fill the file /root/.ssh/id_rsa-subversion-readonly with the proper contents, and make sure it has restricted permissions (600).
To use it, set up these environment vars:
[root@msurxi ~]# cat svn-readonly.source
# Setup for read-only access to SVN
export SVN_SSH="ssh -i /root/.ssh/id_rsa-subversion-readonly"
export SVN_ROCKS="svn+ssh://ndt.aglt2.org/"
[root@msurxi ~]# svn list $SVN_ROCKS
branches/
tags/
trunk/
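Added example, not part of the original page: a check that the read-only SVN key really has the restricted permissions asked for above, and a helper that only emits the two export lines from svn-readonly.source once the key passes. The key file is a constructed placeholder written to a temp directory, not a real key; the path name and the svn+ssh URL are the page's own. It uses GNU stat (-c), as found on the SL5 hosts.

```shell
#!/bin/sh
# Added example (not from the wiki page): refuse to use the SVN identity file
# unless it is private to the invoking user.

# key_perms_ok FILE -> 0 if FILE is a regular file, mode 600 or 400, owned by
# the invoking user.  ssh itself refuses an identity file that is readable by
# group or others; the owner check is an extra sanity check.
key_perms_ok() {
    key="$1"
    [ -f "$key" ] || { echo "FAIL $key: not a regular file"; return 1; }
    mode=$(stat -c '%a' "$key"); owner=$(stat -c '%U' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL $key: mode $mode (want 600 or 400)"; return 1 ;;
    esac
    if [ "$owner" != "$(id -un)" ]; then
        echo "FAIL $key: owned by $owner, not $(id -un)"; return 1
    fi
    echo "ok   $key: mode $mode owner $owner"
}

# svn_readonly_env KEY -> print the export lines from svn-readonly.source,
# but only after the key passes; otherwise print nothing and return 1.
svn_readonly_env() {
    key_perms_ok "$1" >/dev/null || return 1
    printf 'export SVN_SSH="ssh -i %s"\n' "$1"
    printf 'export SVN_ROCKS="svn+ssh://ndt.aglt2.org/"\n'
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
KEY="$tmp/id_rsa-subversion-readonly"
echo "constructed placeholder, not a real private key" > "$KEY"

chmod 644 "$KEY"                 # the usual mistake: key left world-readable
key_perms_ok "$KEY" || echo "-> refusing to use world-readable key"
chmod 600 "$KEY"
key_perms_ok "$KEY"
svn_readonly_env "$KEY"          # now prints the two export lines
```

Usage on the frontend would be `eval "$(svn_readonly_env /root/.ssh/id_rsa-subversion-readonly)"` in place of sourcing svn-readonly.source, so a loose key fails loudly instead of being handed to ssh.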
--
TomRockwell - 11 Nov 2009