Configuring the Frontends

Record of configuration done to frontends. Updated Dec 16th for msurx build.

Connecting

You can ssh to the frontend as root to perform these actions. Root's ssh keys will automatically be generated on first login.

Disable named

Disable the name server until it is configured (not a worry in a test environment, but can be an issue in our production environment).

chkconfig named off
service named stop

Set Run Level 3

We prefer to run the system at run level 3 (no X11). Edit /etc/inittab and then issue the command "telinit 3".

Apply service pack

With 5.2.2 we had a problem installing the service pack during the initial install, so it is added at this point.

If it wasn't done during the install, get the latest ROCKS update and apply it. Directions are at http://www.rocksclusters.org/ --- follow them, with the addition of touching the rpms before rebuilding the distro.

Note that ROCKS judges the newness of an rpm by its timestamp, so "touch" all the rpms from the service pack so that they will be considered the newest.

# touch /export/rocks/install/rolls/service-pack/5.2.2/x86_64/RedHat/RPMS/*

Do it

[root@msurx ~]# wget http://www.rocksclusters.org/ftp-site/pub/rocks/rocks-5.2/linux/service-pack-5.2.2-1.x86_64.disk1.iso

[root@msurx ~]# rocks add roll service-pack-5.2.2-1.x86_64.disk1.iso

[root@msurx ~]# rocks list roll
NAME          VERSION ARCH   ENABLED
kernel:       5.2     x86_64 yes    
base:         5.2     x86_64 yes    
ganglia:      5.2     x86_64 yes    
web-server:   5.2     x86_64 yes    
LTS:          5.2     x86_64 yes    
LTS:          5.2     x86_64 yes    
service-pack: 5.2.2   x86_64 no

[root@msurx ~]# rocks enable roll service-pack version=5.2.2

[root@msurx ~]# cd /export/rocks/install/

[root@msurx install]# touch rolls/service-pack/5.2.2/x86_64/RedHat/RPMS/*

[root@msurx install]# rocks create distro

[root@msurx install]# rocks run roll service-pack | bash

[root@msurx install]# sh /tmp/finish-install-sp.sh

[root@msurx install]# shutdown -r now

Restrict SSH

Put the admins' ssh public keys in /root/.ssh/authorized_keys and turn off password ssh logins for root. Also, tell sshd to listen on the private network only. In /etc/ssh/sshd_config:

ListenAddress 10.10.128.12
PermitRootLogin without-password
X11Forwarding yes

Turn off default X11 forwarding in /etc/ssh/ssh_config:

        ForwardX11              no

Restart sshd to pick up the changes. Use lsof to verify that sshd is listening only on the proper address and port.
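A quick check of the sshd_config changes above, as an added example that is not part of the original page: it reads the effective value of ListenAddress and PermitRootLogin (first uncommented occurrence, as sshd does) and fails if sshd would still bind every interface or still accept a root password. The two sample configs it builds are constructed; the private address 10.10.128.12 is the one used on this page.

```sh
# Added example, not from the original page. The sample configs below are
# constructed; the real target is /etc/ssh/sshd_config.

# get_directive FILE NAME -> prints the effective value of NAME (first
# uncommented occurrence wins, as in sshd), or nothing if it is absent.
# Only the "Name value" form is handled, and Match blocks are not considered.
get_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd FILE PRIVATE_IP -> prints one line per check; exit status is 0
# only if sshd binds PRIVATE_IP and root cannot log in with a password.
audit_sshd() {
    file="$1"; want_ip="$2"; rc=0

    listen=$(get_directive "$file" ListenAddress)
    if [ "$listen" = "$want_ip" ]; then
        echo "ok   ListenAddress=$listen"
    else
        echo "FAIL ListenAddress='${listen:-unset, so sshd binds every interface including the public side}' want $want_ip"
        rc=1
    fi

    prl=$(get_directive "$file" PermitRootLogin)
    case "$prl" in
        without-password|prohibit-password|forced-commands-only|no)
            echo "ok   PermitRootLogin=$prl" ;;
        *)
            echo "FAIL PermitRootLogin='${prl:-unset, which defaults to yes on OpenSSH before 7.0}'"
            rc=1 ;;
    esac
    return $rc
}

# make_sample good|bad -> writes a constructed sshd_config to a temp file and
# prints its path. "bad" mimics a stock file with the defaults commented out.
make_sample() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        printf '%s\n' '# hardened per the page' \
            'ListenAddress 10.10.128.12' \
            'PermitRootLogin without-password' \
            'X11Forwarding yes' > "$f"
    else
        printf '%s\n' '# stock: commented-out defaults' \
            '#ListenAddress 0.0.0.0' \
            '#PermitRootLogin yes' \
            'X11Forwarding yes' > "$f"
    fi
    echo "$f"
}

# Demo on the two constructed files.
for kind in good bad; do
    echo "== $kind sample"
    audit_sshd "$(make_sample "$kind")" 10.10.128.12
done
```

Run `audit_sshd /etc/ssh/sshd_config 10.10.128.12` on the frontend after editing the file; it complements the lsof check, which confirms what the running daemon actually bound rather than what the file says.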

Restrict Firewall

ROCKS sets up pretty reasonable firewall rules. We do remove the rule that allows ssh from anywhere, and the http and https rules on the public side.

Removed these rules

Just left as is for now

# Allow these ports
-A INPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT
# http and https is allowed for all nodes on the public subnet
-A INPUT -m state --state NEW -p tcp --dport https --source 192.41.236.0/255.255.254.0 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport www --source 192.41.236.0/255.255.254.0 -j ACCEPT
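An added example (not from the original page) that audits a rules file for INPUT ACCEPT rules open to every source and shows the same rules limited to one subnet. The sample ruleset is the three rules quoted above; the private subnet 10.10.0.0/16 is an assumption, not a value from the page.

```sh
# Added example, not from the original page. The sample rules are the ones
# quoted on this page; 10.10.0.0/16 is an assumed private subnet.

# unrestricted_accepts FILE -> prints each "-A INPUT ... --dport ... -j ACCEPT"
# rule that has no --source/-s match, i.e. a port reachable from any address
# (on the frontend that includes the public interface).
unrestricted_accepts() {
    awk '/^-A INPUT/ && /-j ACCEPT/ && /--dport/ && !/--source|-s / { print }' "$1"
}

# restrict_to FILE CIDR -> copies FILE to stdout with every unrestricted
# port-opening rule limited to CIDR; all other lines pass through unchanged.
restrict_to() {
    awk -v cidr="$2" '
        /^-A INPUT/ && /-j ACCEPT/ && /--dport/ && !/--source|-s / {
            sub(/ -j ACCEPT/, " --source " cidr " -j ACCEPT")
        }
        { print }' "$1"
}

# make_rules -> writes the constructed sample to a temp file and prints its path.
make_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Allow these ports
-A INPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT
# http and https is allowed for all nodes on the public subnet
-A INPUT -m state --state NEW -p tcp --dport https --source 192.41.236.0/255.255.254.0 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport www --source 192.41.236.0/255.255.254.0 -j ACCEPT
EOF
    echo "$f"
}

# Demo: only the ssh rule is open to any source; after restrict_to it is
# limited to the assumed private subnet. The real file is /etc/sysconfig/iptables.
rules=$(make_rules)
echo "== open to any source:"
unrestricted_accepts "$rules"
echo "== restricted version:"
restrict_to "$rules" 10.10.0.0/16
```

Since sshd is bound to the private address anyway, restricting the ssh rule to the private subnet matches what the daemon already does and removes the dependency on the sshd_config being right.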

Restrict Web Server

The ROCKS webserver setup should be tighter: it relies on the firewall for some access control, but we wish to have tighter rules on the webserver itself.

To Do

Check Rolls

(Have reinstalled without HPC roll...)

Note that LTS is listed twice because it comes on two DVDs.

[root@msurxi ~]# rocks list roll
NAME        VERSION ARCH   ENABLED
kernel:     5.2     x86_64 yes    
base:       5.2     x86_64 yes    
ganglia:    5.2     x86_64 yes    
web-server: 5.2     x86_64 yes    
LTS:        5.2     x86_64 yes    
LTS:        5.2     x86_64 yes    
service-pack: 5.2.2   x86_64 yes

What does the environment look like?

[root@msurxi ~]# echo $PATH | perl -p -e 's/:/\n/g'
/usr/kerberos/sbin
/usr/kerberos/bin
/usr/local/sbin
/usr/local/bin
/sbin
/bin
/usr/sbin
/usr/bin
/opt/ganglia/bin
/opt/ganglia/sbin
/opt/rocks/bin
/opt/rocks/sbin
/root/bin

[root@msurxi ~]# printenv | sort
ANT_HOME=/opt/rocks
CVS_RSH=ssh
DISPLAY=localhost:11.0
G_BROKEN_FILENAMES=1
HISTSIZE=1000
HOME=/root
HOSTNAME=msurxi.aglt2.org
INPUTRC=/etc/inputrc
LANG=en_US.iso885915
LESSOPEN=|/usr/bin/lesspipe.sh %s
LOGNAME=root
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
MAIL=/var/spool/mail/root
PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/ganglia/bin:/opt/ganglia/sbin:/opt/rocks/bin:/opt/rocks/sbin:/root/bin
PWD=/root
ROCKS_ROOT=/opt/rocks
ROCKSROOT=/opt/rocks/share/devel
ROLLSROOT=/opt/rocks/share/devel/src/roll
SHELL=/bin/bash
SHLVL=1
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
SSH_CLIENT=10.10.2.20 44321 22
SSH_CONNECTION=10.10.2.20 44321 10.10.128.12 22
SSH_TTY=/dev/pts/5
TERM=xterm
USER=root
_=/usr/bin/printenv

The default ~/.bash_profile is putting ~/bin in PATH. Add a /root/bin dir:

mkdir /root/bin

Local domain name change

We wish to use ".msulocal" instead of ".local" as the private network domain name; this is not an option during the install:

[root@msurxi ~]# rocks set attr Kickstart_PrivateDNSDomain msulocal
[root@msurxi ~]# rocks sync config

/etc/hosts and DNS are updated; the search entry in /etc/resolv.conf is not, so fix that:

rocks report resolv > /etc/resolv.conf

DNS seems good (note that aglt2.org is not under our direct control...). Note that the local nameserver is off, so these answers come from the upstream servers:

[root@msurxi ~]# host msurxi
msurxi.msulocal has address 10.10.128.12

[root@msurxi ~]# host 10.10.128.12
12.128.10.10.in-addr.arpa domain name pointer msurxi.msulocal.

[root@msurxi ~]# host msurxi.aglt2.org
msurxi.aglt2.org has address 192.41.236.12

[root@msurxi ~]# host 192.41.236.12   
12.236.41.192.in-addr.arpa domain name pointer msurxi.aglt2.org.

SVN

Most of the host setup is in SVN, so we want to be able to start using it.

Install using yum; this will get 1.4.2 from SL53, but that is ok for now.

yum install subversion

Fill the file /root/.ssh/id_rsa-subversion-readonly with the proper contents, and make sure it has restricted permissions (mode 600).

To use it, set up these environment variables:

[root@msurxi ~]# cat svn-readonly.source 
# Setup for read-only access to SVN
export SVN_SSH="ssh -i /root/.ssh/id_rsa-subversion-readonly"
export SVN_ROCKS="svn+ssh://ndt.aglt2.org/"

[root@msurxi ~]# svn list $SVN_ROCKS
branches/
tags/
trunk/

-- TomRockwell - 11 Nov 2009
Topic revision: r11 - 18 Dec 2009, TomRockwell