User:iwm21
Latest revision as of 16:25, 5 August 2015
System resources access diagram
(under construction)
Proposed changes/additions to the CL wiki:
DHCP failure
Subject: Re: [rt.cl.cam.ac.uk #95369] [Comment] DHCP failing (Re: DHCP request now processed)
>
> Most of our VLANs do not use dynamic DHCP addresses so in most cases you
> need to add an address to the DNS when a new machine is added to the VLAN.
Piete Brooks:
When you add the DHCP registration on the VLAN to the host, it says whether it is static or dynamic (there is a pull down menu which allows you to select if both are available)
In the last comment I responded with the fact that Vince and I responded with "... but we cannot change that from static"
Server types
There are three main classes of machines:
1) user workstations
2) group servers
3) departmental servers (including the MPhil pool)
A fairly simple rule covers all three: if an extra package is wanted, ask the person who owns /etc/user-config/bundles to add the package.
In the case of (1), there's normally only one user, so they do it themselves.
In the case of (2), there is normally an 'assigned manager', so that there aren't too many people fiddling with things at the same time and one person can keep a general overall view of what's going on.
In the case of (3), it's "any member of the CO / HelpDesk team". A fairly strong case is needed to do it, and it should be done to all machines in that class (e.g. all slog servers, or all MPhil machines).
Requests are generally case (2), so check who owns the bundles file:
laira:~: ls -l /etc/user-config/bundles
-rw-rw-r--+ 1 awm22 sysadmin 3996 Nov 15 2014 /etc/user-config/bundles
nile:~:
and redirect the user to awm22.
Hmm -- the '+' means that there is an ACL, so use getfacl to see who else can write it:
laira:~: getfacl /etc/user-config/bundles
getfacl: Removing leading '/' from absolute path names
# file: /etc/user-config/bundles
# owner: awm22
# group: sysadmin
user::rw-
user:tm444:rw-
group::rw-
group:srg-tsars:rw-
mask::rw-
other::r--
laira:~:
With the mask at rw-, every listed entry is effective, so awm22, tm444, the sysadmin group and the srg-tsars group can all edit the file; any of them can add the package.
KERBEROS access renewal
When you log into a server (e.g. the remote server) in the Computer Laboratory, your home-directory is automatically 'mounted'.
iwm21@svr-ssh-1:/$ cl-krenew --status
no processes found refreshing or distributing keys
Workflow checklist for RT tickets
Visitor
New user
Visitor's machine
DNS resolution check
Machines that do not resolve in the DNS (script to list them):
What is to be done for /etc/resolv.conf on the following machines?
laira:cd /usr/groups/linux/ownfiles
laira:/usr/groups/linux/ownfiles: grep -l 128.232.13 $(cd CKSUM; find * -type f -mtime -300 | sed \
    's=$=/etc/resolv.conf=') 2>/dev/null | sed 's=/.*=='
bretzel.xen
condor68-negotiator-0
linux-serv0
linux-serv1
mta0
mta3
ssh-remote-0
svr-acjf3-armie
svr-acr31-acsmobile
svr-acr31-ormchem
svr-acr31-trac
svr-hotcrp
svr-qs101-pico
sxp01.xen
sxp03.xen
sxp05.xen
sxp06.xen
sxp08.xen
sxp09.xen
sxp18.xen
sxp23.xen
www-ecad
SSH access overview
Comments to help HelpDesk rather than intended for the user directly.
> How do I get SSH from an external machine to a group server to work every time?
There are two basic ssh auth methods we support: ssh user key and kerberos.
A) ssh user key:
1) ensure that the client has a suitable private user key
2) ensure that the server has the public user key enabled for the calling host.
Either the public key can be stored locally on the server,
or it can be stored on the filer, in which case a TGT is needed to access it.
B) Kerberos:
1) ensure that the client can access the kerberos servers
2) get a TGT on the client
In either case, that should allow ssh access to the server.
(filer access will require a TGT)
To protect the systems, when an external IPv4 address calls the system,
a counter is incremented. If this reaches a threshold within a certain
interval, the IPv4 address is deemed to be attacking the system,
and it drops the packets, causing ssh connection to be very slow.
To avoid this being a problem
1) the client should not make lots of ssh calls in a short time
2) the client should use a VPN or tunnel so that it is deemed 'local'
3) the server should clear the counter each time an ssh connection works.
> I have SSH from my laptop to a server working some of the time, but it's
> random. For instance:
> fossil-3:autobuilder atm26$ ssh -L 5901:localhost:5901 versace.cl.cam.ac.uk
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
... and what looks like it failing in the SAME way seven times - did I miss something?
> fossil-3:autobuilder atm26$ ssh sandy.cl.cam.ac.uk
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
> fossil-3:autobuilder atm26$ ssh sandy.cl.cam.ac.uk
> Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-51-generic x86_64)
That I do not understand.
With the times, we could look in the logs on sandy.
Might it be alternating between IPv4 and IPv6?
He does not give any timing info.
If a long delay, it might be trying IPv4, timing out as it seems to be attacking,
so fall back to IPv6, which fails as the calling address isn't permitted.
Eventually IPv4 is allowed in, and its address is permitted.
> Sometimes I can SSH into sandy, then into ventura, making sure I have
> Kerberos keys and filesystem access, but external SSH still fails.
That would be explained if the calling address / DNS name is not permitted.
We really need 'ssh -v' info to show what address is being called - IPv4 or IPv6.
> Sometimes I can't even SSH into sandy.
Again, only guess is IPv4 vs IPv6 - but I am clutching at straws - most
systems use IPv6 and then IPv4, or are at least consistent - they don't do
Round Robin between IPv4 and IPv6 addresses ...
> Or it works second time around,
IPv4 vs IPv6??
> one time out of ten,
Hard to explain.
> if I wait half an hour, or some other variable I can't quite grasp.
That might be the counter being cleared,
or it might be 'it works one time in two' ...
> Is there a foolproof way to have reliable SSH connections?
Almost certainly - we just need to know what the setup is,
and what is causing it to fail.
> For instance, I can VPN into vpdn-pptp (I know it's old, but it was to hand), and it
> seems to make no difference to the lottery of getting in.
He should be told to use the UIS provided CL VPN.
> I have no problem using a VPN if that will solve the problem.
It should help.
> The use case is I want to make lots of SSH connections in a short space of
> time (eg scp or multiple remote X sessions)
I'd put in PAM magic to reset the counter to avoid 'timeout' problems.
> These are things for which indirecting via sandy and friends is no good
(As I remember, I managed to get scp etc working via ssh-relay)
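The per-source counter described in the exchange above, as an added example that is not part of the original page and not the real mechanism on the CL servers: a small awk simulation over constructed connection records. It shows why a legitimate user who opens many connections in a minute (scp, several X sessions) trips a plain counter that counts every call, and how clearing the counter on a successful login (point 3 above, the "PAM magic") avoids that while still flagging a source that only ever fails. The record format, the threshold, the window and the 'local' prefix are all assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not CL code and not the CL servers' actual rate limiter:
# simulate a per-source-IPv4 connection counter.
# Record format is a CONSTRUCTED simplification of an auth log:
#   <epoch-seconds> <client-ipv4> <accepted|failed>
THRESHOLD=5            # assumed: calls within WINDOW before a source is flagged
WINDOW=60              # assumed: seconds
LOCAL_PREFIX=128.232.  # assumed: callers in this prefix count as 'local', never counted

# Constructed sample: 203.0.113.7 is a real user (two early failures, then four
# successful scp/X connections inside a minute); 198.51.100.9 only fails;
# 128.232.1.50 is a local caller.
SAMPLE_LOG='100 203.0.113.7 failed
110 203.0.113.7 failed
120 203.0.113.7 accepted
130 203.0.113.7 accepted
140 203.0.113.7 accepted
150 203.0.113.7 accepted
100 198.51.100.9 failed
101 198.51.100.9 failed
102 198.51.100.9 failed
103 198.51.100.9 failed
104 198.51.100.9 failed
100 128.232.1.50 accepted
105 128.232.1.50 accepted
110 128.232.1.50 accepted
115 128.232.1.50 accepted
120 128.232.1.50 accepted'

# flag_sources yes|no : prints, one per line and sorted, the sources that reached
# THRESHOLD connections inside WINDOW. With "yes" a successful login clears the
# source's counter; with "no" every call counts, successful or not.
flag_sources() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v thr="$THRESHOLD" -v win="$WINDOW" \
        -v lpfx="$LOCAL_PREFIX" -v reset="$1" '
        NF < 3 { next }                         # ignore blank or malformed records
        index($2, lpfx) == 1 { next }           # local callers are never counted
        {
            ts = $1 + 0; ip = $2; res = $3
            if (res == "accepted" && reset == "yes") { count[ip] = 0; next }
            # open a fresh interval on first sighting or when the old one has expired
            if (!(ip in start) || ts - start[ip] > win) { start[ip] = ts; count[ip] = 0 }
            count[ip]++
            if (count[ip] >= thr) flagged[ip] = 1
        }
        END { for (ip in flagged) print ip }' | sort
}

echo "Plain counter (every call counts):"
flag_sources no       # 198.51.100.9 and 203.0.113.7: the real user is throttled too
echo "Counter cleared on successful login:"
flag_sources yes      # 198.51.100.9 only
```

The difference between the two runs is exactly the user's complaint: with the plain counter, the fifth connection of a perfectly good session is what gets the laptop's address flagged, after which its packets are dropped until the interval expires. Resetting on success keeps the protection against a source that never authenticates, and so does routing via the VPN, since a 'local' address is never counted at all.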
OS upgrade prompts (Linux)
Subject: Upgrade to 14.10 ubuntu
Hi, My updater is asking me to update ubuntu to 14.10. Is it in line with the department policy?
First off, thank him for contacting us, as per http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/LinuxDosAndDonts
Then ask the user to confirm which machine they are asking about, and note that that is generally useful info to include to avoid possible confusion.
The CL installs LTS (Long Term Support) systems and only pushes people to upgrade when support runs out (5 years), so that 3-year visitors (such as Research Students) do not have to go through the disruption of an upgrade.
LTS systems normally do not ask to upgrade to a non LTS version, so 12.04LTS would ask about 14.04LTS but 14.04LTS should not ask about 14.10. I suspect the user (or some package) may have taken it out of LTS mode.
The user should be informed that some people require non-LTS versions, and we do not stop them from using them, but the level of support is reduced. We 'expect' them to work, and will try to fix up any problems they may have, but at some point we may have to simply offer to do a fresh install of the latest supported LTS version.
Granting "user admin" access
Example of adding 'user admin' privilege on a machine (e.g. username = $user = "ke293", machine "smew")
CL guide: http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/MachineSetup#useradmin
Attach to the machine using your KERBEROS credentials
ssh -K smew
This shows how to grant 'user admin' access to a lab-managed machine.
user=ke293
cl-asuser cl-hostid-fix --user $user
then generally follow this with
cl-asuser cl-hostid-fix --user $user -a
Then grant permissions on the bundles (so they can add/remove/update packages)
sudo setfacl -m u:$user:rw /etc/user-config/bundles
Below is a sample script that can be used. Enter the 1st line using the user's username; the rest of the lines use that:
user=ke293
cl-asuser cl-hostid-fix --user $user
If the output looks OK, run it again with "-a", then set the user's privilege on the application package list (bundles) and the list of apps to update (patches):
cl-asuser cl-hostid-fix --user $user -a
sudo setfacl -m u:$user:rw /etc/user-config/bundles
sudo setfacl -m u:$user:w /etc/user-config/patches
If the machine is a short-term loan, this access should be revoked when the loan ends, using 'setfacl -x' on the machine. Note that setfacl -x only removes the user's ACL entries; it does not remove packages the user has installed in the meantime.
So that this is not forgotten, when done set the ticket status to 'stalled', the owner to 'nobody' and the 'Due date' to the end of the visit.
To remove the ACL entries added by the setfacl -m u:... commands above, on a privileged machine enter the following:
ssh -K smew
user=ke293
sudo setfacl -x u:$user /etc/user-config/bundles /etc/user-config/patches
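Reading an ACL, as an added example that is not CL code. It serves both the 'Server types' note above (working out who can actually edit bundles, hence whom to redirect a request to) and the grant/revoke steps in this section (checking that a setfacl -m entry is really effective): an awk function that reads getfacl output and prints every principal whose effective permissions include write, applying the mask the way the kernel does (named users, named groups and the owning group are masked; the owner is not). The first sample is the bundles ACL from the page; the second is constructed to show the caveat that a chmod g-w (or setfacl -m m::r--) on a file with an extended ACL lowers the mask and silently turns a named user's rw- entry read-only, even though getfacl still lists the entry.

```sh
#!/bin/sh
# Added example, not CL code: who can write a file according to getfacl output.

# acl_writers: reads getfacl output on stdin and prints
#   <kind> <name> <effective perms>
# for every entry whose effective permissions include 'w'.
acl_writers() {
    awk '
    # AND of two rwx strings, e.g. and_perms("rw-", "r--") == "r--"
    function and_perms(a, b,    i, out, c) {
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(a, i, 1)
            out = out ((c != "-" && substr(b, i, 1) == c) ? c : "-")
        }
        return out
    }
    /^# owner: / { owner = $3; next }
    /^# group: / { ogroup = $3; next }
    /^#/         { next }                       # other getfacl comment lines
    { sub(/[ \t]*#effective:.*$/, "") }         # drop the hint getfacl prints for masked entries
    /^mask::/    { split($0, m, ":"); mask = m[3]; next }
    /^(user|group):/ { n++; entry[n] = $0 }
    END {
        if (mask == "") mask = "rwx"            # minimal ACL: nothing is masked
        for (i = 1; i <= n; i++) {
            split(entry[i], f, ":")
            kind = f[1]; name = f[2]; perms = f[3]
            if (kind == "user" && name == "") { who = "owner " owner; eff = perms }  # owner: unmasked
            else {
                who = (name == "") ? "group " ogroup : kind " " name
                eff = and_perms(perms, mask)
            }
            if (index(eff, "w")) print who, eff
        }
    }'
}

# The ACL shown above for /etc/user-config/bundles (copied from the page).
ACL_BUNDLES='# file: etc/user-config/bundles
# owner: awm22
# group: sysadmin
user::rw-
user:tm444:rw-
group::rw-
group:srg-tsars:rw-
mask::rw-
other::r--'

# CONSTRUCTED: the same file after "chmod g-w", which lowers the mask to r--.
# getfacl then annotates each masked entry with an #effective hint.
ACL_MASKED='# file: etc/user-config/bundles
# owner: awm22
# group: sysadmin
user::rw-
user:tm444:rw-          #effective:r--
group::rw-              #effective:r--
group:srg-tsars:rw-     #effective:r--
mask::r--
other::r--'

bundles_writers() { printf '%s\n' "$ACL_BUNDLES" | acl_writers; }
masked_writers()  { printf '%s\n' "$ACL_MASKED"  | acl_writers; }

echo "Who can edit bundles (ACL from the page):"
bundles_writers    # awm22, tm444, sysadmin, srg-tsars
echo "Same file after chmod g-w (constructed):"
masked_writers     # only the owner, awm22
```

In practice, after a setfacl -m u:$user:rw, pipe the real getfacl output through acl_writers and confirm the user appears with a 'w'; setfacl recalculates the mask by default, but a later chmod on the group bits will shrink it again, and the masked entry then looks granted while doing nothing.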