Merge branch 'master' of git.psi.ch:linux-infra/documentation

2023-11-10 08:35:58 +01:00
13 changed files with 1308 additions and 859 deletions


@@ -36,13 +36,17 @@ chapters:
- file: admin-guide/configuration
sections:
- file: admin-guide/configuration/icinga2
- file: admin-guide/configuration/central_logging_elastic
- file: admin-guide/configuration/packages
- file: admin-guide/configuration/package_updates
- file: admin-guide/configuration/package_repositories
- file: admin-guide/configuration/services
- file: admin-guide/configuration/mount
- file: admin-guide/configuration/distribute_files
- file: admin-guide/configuration/vgroot
- file: admin-guide/configuration/xrdp
- file: admin-guide/configuration/custom_nameservers
- file: admin-guide/configuration/puppet_agent
- file: admin-guide/configuration/central_logging_elastic
- file: admin-guide/configuration/keyboard_layout
- file: admin-guide/configuration/autologin
- file: admin-guide/configuration/screen_lock
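
Review bot: `admin-guide/configuration/central_logging_elastic` appears twice in this hunk, once right after `icinga2` and again after `puppet_agent`; with the `+`/`-` markers lost it is not visible which copy is the removed one, so confirm that exactly one entry survives in `_toc.yml`, otherwise the chapter is listed twice in the book navigation. The three new entries (`package_updates`, `package_repositories`, `services`) match the files added further down in this commit.
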
@@ -129,7 +133,6 @@ chapters:
- file: rhel8/index
sections:
- file: rhel8/installation
- file: rhel8/software
- file: rhel8/nvidia
- file: rhel8/kerberos
- file: rhel8/desktop
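
Review bot: `rhel8/software` is still visible in this hunk although the file is deleted later in this commit (`@@ -1,355 +0,0 @@`); since the hunk shrinks from 7 to 6 lines this should be the removed entry, but double-check that no other `_toc.yml` line still references `rhel8/software`, otherwise the table of contents points at a file that no longer exists.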


@@ -5,8 +5,11 @@ Here starts a so far small collections of configuration guides for sysadmins of
## Monitoring
- [Icinga2](configuration/icinga2)
## Logging
- [Setup Central Logging to Elastic](configuration/central_logging_elastic)
## Software Management
- [Package Installation](configuration/packages)
- [Automated Package Updates](configuration/package_updates)
- [Selecting Package Repositories](configuration/package_repositories)
- [Managing Services with Systemd](configuration/services)
## Basic Setup
- [Mounting Volumes](configuration/mount)
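
Review bot: the intro line carried in the hunk header, "Here starts a so far small collections of configuration guides", should read "a so far small collection of configuration guides" (singular); it is context here, but since the file is being touched anyway it is a cheap fix. The three new Software Management links (`package_updates`, `package_repositories`, `services`) use the same paths as the `_toc.yml` hunk above, which is correct.
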
@@ -23,6 +26,8 @@ Here starts a so far small collections of configuration guides for sysadmins of
- [Banner Message](configuration/banner_message)
- [Alternative Desktops/Window Managers](configuration/alternative_desktops)
## Logging
- [Setup Central Logging to Elastic](configuration/central_logging_elastic)
## Special Installations
- [SSH Host Hopping as Root (e.g. between cluster members)](configuration/ssh_host_hopping)
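
Review bot: this hunk adds a second `## Logging` section with the same `central_logging_elastic` link that already sits between `## Monitoring` and `## Software Management` in the previous hunk (`@@ -5,8 +5,11 @@`, where it is unchanged context). Either drop the copy here or move the link once, so the index lists Logging only one time; the `_toc.yml` hunk in this commit also shows that entry in two places, so keep both files consistent.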


@@ -0,0 +1,138 @@
# Selecting Package Repositories
## Package Repository Lists
Also for configuring package repositories our configuration management works with lists containing the names of the repositories to be installed.
The default list (except for nodes with the `bootpc` and `appliances::lenovo::*` Puppet roles) is `rpm_repos::default` (legacy: `yum_client::repositories`).
If repositories are managed in Hiera, feel free to add them to `rpm_repos::default` like
```
rpm_repos::default:
- 'gfa'
```
Note that repositories for different versions of RHEL can be added and only the fitting ones will be configured on the node.
If the package repositories are managed by a Puppet module, then it is good practice is to define a specific package repository list in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml) and then to install it only when needed. An example is `profile::telegraf` which only installes the repositories listed in `rpm_repos::influx` when needed.
## Package Repository Definition
An individual package repository is configured in Hiera within the namespace `rpm_repos::repo::*`, like following example:
```
rpm_repos::repo::epel_rhel8:
name: 'epel'
descr: "Extra Packages for Enterprise Linux 8"
baseurl: 'https://repos.psi.ch/rhel8/tags/$pli_repo_tag/epel/'
gpgkey: 'https://repos.psi.ch/rhel8/keys/epel.gpg'
disable: false
gpgcheck: true
osversion: 8
exclude:
- "slurm*"
```
The legacy namespace `yum_client::repo::*` is currently used for RHEL7 repositories to be backward compatible as some Hiera configuration with higher precedence overwrites certain stuff.
### Package Repository Name
The reference name used in Hiera (the part after `rpm_repos::repo::` should be globally unique. An unfortunate practice is to use the same name for different package repositories. A current example is the `gfa` repository which has different URLs on different `sysdb` environments.
Note for `name` attribute, that only has to be unique on the machine where they are installed. So if there are two repositories defined to provide the same software for two different OS versions, then it is fine to have the same name there.
### Package Repository URL
Overriding the URL of a package repository definition on a stricter scope is considered bad practice. The URL defines the actual "identiy" of the package repository definition. It is confusing if it gets different meanings at different places. It is like one passport which will identify different persons in different countries.
If different sources are needed, define and name them appropriately. They point to one given repository and the package repository lists are the place to select what should be applied on a given node.
Also feel free to define all your package repositories in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml).
### Select Package Repository by OS Version
Usually a package repository only serves packages for one major OS version. This can be stated by the `osversion` attribute. When a package repository list is installed, only the repositories fitting the version of the OS installed on the node are selected and configured.
If the `osversion` attribute is not set, then it is always installed.
### Package Repository GPG Verification
GPG verification is optional, so `gpgkey` may not be defined and `gpgcheck` is `false` by default. But ideally the packages are signed and checked for tampering and corruption.
### Exclude Packages
If certain packages provided by given repository should be ignored on the nodes, then add them to the `exclude` list.
## Using Specific Package Repository Snapshot
Most of the externally sourced package repositories on https://repos.psi.ch/rhel7 (RHEL7), https://repos.psi.ch/rhel8 (RHEL 8) and https://repos.psi.ch/rhel9 (RHEL 9) have snapshots which can be used to freeze the available package versions to a given date.
The tags are different per major OS version and are definied in the Hiera hash `rpm_repos::tag`, below you see the default:
```
yum_client::repo_tag: 'prod'
rpm_repos::tag:
redhat7: "%{lookup('yum_client::repo_tag')}"
redhat8: 'rhel-8'
redhat9: 'rhel-9'
```
So for RHEL 7 the default is `prod` and can be overriden on `yum_client::repo_tag` (backwards compatibility) or on the `redhat7` attribute of `rpm_repos::tag`.
To fix to a specific snapshot on RHEL 8, the `redhat8` attribute has to be set on `rpm_repos::tag`, the default is `rhel-8` which points to the latest snapshot.
The available tags your find at
- [https://repos.psi.ch/rhel9/tags/](https://repos.psi.ch/rhel8/tags/) for RHEL 9
- [https://repos.psi.ch/rhel8/tags/](https://repos.psi.ch/rhel8/tags/) for RHEL 8 (note the `prod` tag will phase out)
- [https://repos.psi.ch/rhel7/tags/](https://repos.psi.ch/rhel7/tags/) for RHEL 7
## Package Repositories made Available by the Linux Group
Availabe on all systems are:
- RedHat [BaseOS](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/baseos-repository), [AppStream](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/appstream-repository) and [CodeReady](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/codereadylinuxbuilder-repository) repositories
- [Extra Packages for Enterprise Linux (EPEL) repositories](https://docs.fedoraproject.org/en-US/epel/)
- Puppet 7 repository
- Auristor repository for YFS and AFS related packages (RHEL 7 and 8 only)
- Google Chrome repository
- pli-misc (not tagged for RHEL7, but on RHEL 8/9)
- Code (Visual Studio Code from Microsoft)
- Microsoft Teams
- PowerScript et. al. (Microsoft)
- HashiCorp (`vault`, `terraform`, `vagrant`, ...)
- Oracle Instant Client 19 and 21
- Opera
Predefined and used when needed are:
- Influx (`influxdb`, `telegraf`, ...)
- CUDA
- Nomachine
To be added/defined in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml)?
- GPFS
- Epics (available for RHEL7)
### pli-misc Repository
A small list of packages managed by the Linux Team.
- *RHEL8*: make v4.3 from [CentOS](https://rpmfind.net/linux/RPM/centos-stream/9/baseos/x86_64/make-4.3-7.el9.x86_64.html) as v4.2.1 has been reported to to make trouble
- latest [Zoom client](https://zoom.us/download?os=linux)
- latest [Webex client](https://www.webex.com/downloads.html)
- latest [Slack client](https://slack.com/downloads/linux)
- latest [NoMachine Enterprise Client](https://downloads.nomachine.com/download/?id=11)
- latest [Real VNC Viewer](https://www.realvnc.com/en/connect/download/viewer/), recommended for VNC remote access to Windows machines
- `pli-assets` containing the PSI and the Customer Self Service logo, any hints about the source rpm are welcome
- *RHEL8*: [mod_gearman v4.0.1](https://mod-gearman.org/download/v4.0.1/rhel8/x86_64/)
- *RHEL8*: lightdm-gtk v2.0.8-3.pli, a patched lightdm-gtk-greeter ([SRPM](https://git.psi.ch/linux-infra/lightdm-gtk-rpm), [PR](https://github.com/Xubuntu/lightdm-gtk-greeter/pull/121)) which allows to limit the presented keyboard layouts
- Code Beamer Office pluging v9.5.0 managed by Gilles Martin
- storecli 007.2007.0000.0000 managed by Marc Caubet Serrabou
- [pam_single_kcm_cache PAM Module](https://github.com/paulscherrerinstitute/pam_single_kcm_cache) managed by Konrad Bucheli
- [nvidia-detect](http://elrepo.org/tiki/nvidia-detect) copied over from ElRepo to make it generally available
- [bob](https://git.psi.ch/linux-infra/bob)
## Package Repositories made Available by other PSI Groups
- `tivoli`, IBM backup software for Arema, managed by Datacenter and DB Services, AIT
- `nxserver` for NoMachine NX
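
Review bot: the RHEL 9 tag link is broken: the link text reads `https://repos.psi.ch/rhel9/tags/` but the target is `https://repos.psi.ch/rhel8/tags/`, so the RHEL 9 bullet sends readers to the RHEL 8 snapshot list; the RHEL 7 and RHEL 8 bullets are consistent. In the GPG section, `gpgcheck` defaulting to `false` with `gpgkey` optional deserves stronger wording than "ideally": every repository defined in `common.yaml` should carry `gpgkey` and `gpgcheck: true` as the `epel_rhel8` example does, because an unsigned repository is exactly where a tampered or corrupted package goes unnoticed; at least state that as the expected practice. Smaller items: the parenthesis in "(the part after `rpm_repos::repo::` should be globally unique" is never closed; `$pli_repo_tag` in the `baseurl` is used without saying where it is resolved from (presumably the `rpm_repos::tag` value described in the snapshot section), so say so; typos "installes", "identiy", "definied", "your find", "Availabe", "pluging", "to to make".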


@@ -0,0 +1,18 @@
# Automated Package Updates
The automatic updates are controlled in Hiera:
| Hiera key | default | comments |
|-----------------------------------|----------|-------------------------------------------------------------------------------|
| `base::automatic_updates::interval` | `weekly` | valid are `daily`, `weekly` and `never` which disables the automatic updates |
| `base::automatic_updates::type` | `security` | `security` installs only security updates whereas `all` installs all updates |
| `base::automatic_updates::exclude` | `[]` | list of packages not to update, wildcards like "*" are allowed |
| `base::automatic_updates::kernel` | `false` | define if new kernel packages also should be installed automatically |
Note that the updates run on midnight, for `weekly` from Sunday to Monday. There is no automatic reboot, e.g. for kernel updates.
---
**Important**
There will be no updates if you fix the package source to a snapshot/repo tag i.e. `rpm_repos::tag` or `yum_client::repo_tag` setting in Hiera point to a specfic snapshot.
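
Review bot: the "Important" block states that pinning `rpm_repos::tag` or `yum_client::repo_tag` to a snapshot disables all automatic updates, and that includes the `security` type from the table, so a node pinned for stability receives no security patches until someone advances the tag; say that explicitly, otherwise the `weekly` / `security` defaults in the table give a false sense of coverage on pinned nodes. Also "specfic" is a typo and "run on midnight" should be "run at midnight".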


@@ -0,0 +1,122 @@
# Package Installation
## Install Packages with Hiera Package Groups
The packages automatically installed onto a system by Puppet are managed in the Hiera list `base::package_groups`. It contains the names of the package groups to be installed. Items can be added at all levels of the Hiera hierarchy and are merged.
The package groups itself are Hieara lists named `base::pkg_group::$USE_CASE`.
Here list all the packages you want to install.
Currently there exist the following package groups in the main [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml):
- `base::pkg_group::system_tools` (installed by default)
- `base::pkg_group::daq_buffer`
- `base::pkg_group::desktop_settings`
- `base::pkg_group::dev`
- `base::pkg_group::login_server`
- `base::pkg_group::qt5`
- `base::pkg_group::root`
but further ones can be created in Hiera at lower hierachies and added to `base::package_groups`, for example
```
base::pkg_group::java:
- 'java-1.8.0-openjdk'
- 'java-11-openjdk'
- 'java-17-openjdk'
base::package_groups:
- 'java'
```
## Install a Group of Packages
To add a RedHat predefined group of packages (checkout out `dnf grouplist --hidden`) prepend the name of it with a `@`, e.g. for "Java Platform" it would be `@Java Platform`:
```
base::pkg_group::java:
- '@Java Platform'
```
## Install Latest Package Version
Puppet by default only checks if a package is installed and only installs it if missing.
To ensure that always the latest available package version is installed, append the `:latest` tag to the package name in the package group:
```
base::pkg_group::java:
- 'java-1.8.0-openjdk'
- 'java-11-openjdk'
- 'java-17-openjdk:latest'
```
## Install Packages only on Given OS Version
Certain packages are only used on a given OS Version, so a `os=` with the OS name and the major version selects a package only for given OS, where as a `os!` will filter away given package on hosts with given OS, so they are not installed there.
```
base::pkg_group::java:
- 'java-1.8.0-openjdk:os=redhat7'
- 'java-11-openjdk'
- 'java-17-openjdk:os!redhat7'
```
Note that this tag can be combined with the `latest` and `absent` tag.
## Install Module Stream
RHEL 8 introduced the concept of [module streams](https://docs.pagure.org/modularity/).
A specific stream can be selected with the `stream` tag:
```
base::pkg_group::nodejos:
- 'nodejs:stream=12'
```
## Remove Packages
To remove an already installed package, append the `:absent` tag to the package name in the package group:
```
base::pkg_group::java:
- 'java-1.8.0-openjdk:absent'
- 'java-11-openjdk'
- 'java-17-openjdk'
```
## Ignore Packages
To make packages unavailable for installation, even though provided by the package repositories, add them in Hiera to the list `base::package_exclude`:
```
base::package_exclude:
- 'epics-base-7.0.6*'
```
This list is merged over the full Hiera hierachy, so there is no need to copy exclusions from higher levels when creating an exclusion on a low level.
This list can also be used to opt out packages from other, maybe inherited package groups. But unlike the `:absent` tag in a package list it will not uninstall a package when found.
### Install Debuginfo Packages
The package repositories for debuginfo packages are disabled by default. To spontaneously install such a package, do
```
dnf --enablerepo '*_debug' install ...
```
## Legacy Package Installation
The legacy Hiera lists for package groups is `yum_client::pkg_group::$USE_CASE` and supports the `latest` and `absent` tag, but not the filtering by operating system version.
Then `yum_client::package_groups` is the Hiera list to contain the package groups to be installed.
Please migrate them to the equivalent `base::*` list. You can have both of them available at the same time, with possibly the same content.
## Missing Package
If there is no such package in the repositories, then
```
Error: Execution of '/usr/bin/dnf -d 0 -e 1 -y install non-existing-package-for-test' returned 1: Error: Unable to find a match: non-existing-package-for-test
```
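
Review bot: the module stream example uses the group name `base::pkg_group::nodejos`, which looks like a typo for `nodejs` (the entry in the list is `nodejs:stream=12`); it works as a group name but should be spelled `nodejs` so readers do not copy the misspelling. Two structural items: `### Install Debuginfo Packages` is the only H3 among H2 siblings, so it renders as a subsection of "Ignore Packages" rather than its own topic, and the OS-filter sentence ("so a `os=` with the OS name ... where as a `os!` will filter away ...") is one long run-on that reads better as two sentences, one for `os=` and one for `os!`. Typos: "Hieara", "hierachy" (twice), "checkout out".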


@@ -0,0 +1,81 @@
# Managing Services with Systemd
Hiera can also be used to manage services and to automate reoccuring tasks with timers.
## Enabling/Starting a Service
If the software already comes with an systemd unit file, then it is sufficient to just enable it in Hiera by using the `base::services` key:
```
base::services:
netdata:
enable: true
```
The key inside is the `systemd` service name without the `.service` suffix.
## Disabling/Stopping a Service
To stop and disable an already running service, disable it in the `base::services` Hiera key with `enable: false`:
```
base::services:
netdata:
enable: false
```
## Systemd Timers
To have custom executables run regulary on given time/interval, you may use the `base::timers` Hiera key:
```
base::timers:
'timer_test':
description: 'test timers'
command: '/usr/bin/logger foo'
on_calendar: '*:*:10'
persistence: false
```
For each timer following keys are mandatory
- `description` for a short explaination what it is about
- `command` for the command to run
- `on_calendar` defining when it should run using the [`systemd` calendar event format](https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events), (alternatively see also chapter "CALENDAR EVENTS" of `man systemd.date`)
Optional is
- `persistence` which signals if the timer should run immediately after boot when the node was switched of on the last scheduled run time (default is `false`)
## Manage Services with Custom Unit Files
It is also possible to provide a full systemd unit file if there is none already. For this define the different secions and their content with subkeys below the `options` key as in below example:
```
# The following service stops users from accessing the node
# before the home directory is mounted
base::services:
'wait_for_home':
enable: true
options:
Unit:
Before: 'systemd-user-sessions.service'
Install:
WantedBy: 'multi-user.target'
RequiredBy: 'multi-user.target'
Service:
Type: 'oneshot'
ExecStart: '/opt/pli/libexec/waitformount -m /das/home'
RemainAfterExit: 'true'
```
## Enhance a Service with a Dropin Unit File
It is possible to fine-tune already existing `systemd` unit files with dropins. These are placed as `.conf` files in `/etc/systemd/system/$SERVICE.service.d/`.
With the `dropin: true` setting the content of the `options` parameter is written into the according dropin directory:
```
base::services:
'name_of_enhanced_service':
enable: true
dropin: true
options:
...
```
If there are multiple dropins, you might also name them individually with the `dropin_name` parameter.
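
Review bot: the timer section sends readers to `man systemd.date` for the calendar event syntax, but the link next to it goes to `systemd.time.html`; the man page is `systemd.time`, so the text should say `man systemd.time`. The dropin section mentions the `dropin_name` parameter for multiple dropins but gives no example of it, while the `options` block ends in a literal `...`; a second dropin entry with `dropin_name` set would make the section usable without guessing. Typos: "reoccuring", "an systemd", "regulary", "explaination", "switched of", "secions".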

File diff suppressed because one or more lines are too long

Binary (image) file changed: 84 KiB before, 117 KiB after.


@@ -154,9 +154,7 @@ which is IMHO OK to not allow a normal user to do changes there.
## Documenatation
* [Installation](installation)
* [Software and Package Management](software)
* [CUDA and Nvidia Drivers](nvidia)
* [Kerberos](kerberos)
* [Desktop](desktop)
* [Vendor Documentation](vendor_documentation)
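
Review bot: the "Software and Package Management" entry is removed here together with `rhel8/software.md`, but nothing on the RHEL 8 page now says where that content went; add a line pointing to the admin guide (`admin-guide/configuration/packages`, `package_repositories`, `package_updates` and `services` are the new locations in this commit) so readers of the RHEL 8 page are not left at a dead end. Context line: "Documenatation" should be "Documentation".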


@@ -1,355 +0,0 @@
# Software and Package Management for RHEL 8
How to add packages and package repositories and what repositories are available is documented here.
## Package Installation
### Install Packages with Hiera Package Groups
The packages automatically installed onto a system by Puppet are managed in the Hiera list `base::package_groups`. It contains the names of the package groups to be installed. Items can be added at all levels of the Hiera hierarchy and are merged.
The package groups itself are Hieara lists named `base::pkg_group::$USE_CASE`.
Here list all the packages you want to install.
Currently there exist the following package groups in the main [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml):
- `base::pkg_group::system_tools` (installed by default)
- `base::pkg_group::daq_buffer`
- `base::pkg_group::desktop_settings`
- `base::pkg_group::dev`
- `base::pkg_group::login_server`
- `base::pkg_group::qt5`
- `base::pkg_group::root`
but further ones can be created in Hiera at lower hierachies and added to `base::package_groups`, for example
```
base::pkg_group::java:
- 'java-1.8.0-openjdk'
- 'java-11-openjdk'
- 'java-17-openjdk'
base::package_groups:
- 'java'
```
### Install a Group of Packages
To add a RedHat predefined group of packages (checkout out `dnf grouplist --hidden`) prepend the name of it with a `@`, e.g. for "Java Platform" it would be `@Java Platform`:
```
base::pkg_group::java:
- '@Java Platform'
```
### Install Latest Package Version
Puppet by default only checks if a package is installed and only installs it if missing.
To ensure that always the latest available package version is installed, append the `:latest` tag to the package name in the package group:
```
base::pkg_group::java:
- 'java-1.8.0-openjdk'
- 'java-11-openjdk'
- 'java-17-openjdk:latest'
```
### Install Packages only on Given OS Version
Certain packages are only used on a given OS Version, so a `os=` with the OS name and the major version selects a package only for given OS, where as a `os!` will filter away given package on hosts with given OS, so they are not installed there.
```
base::pkg_group::java:
- 'java-1.8.0-openjdk:os=redhat7'
- 'java-11-openjdk'
- 'java-17-openjdk:os!redhat7'
```
Note that this tag can be combined with the `latest` and `absent` tag.
### Install Module Stream
RHEL 8 introduced the concept of [module streams](https://docs.pagure.org/modularity/).
A specific stream can be selected with the `stream` tag:
```
base::pkg_group::nodejos:
- 'nodejs:stream=12'
```
### Remove Packages
To remove an already installed package, append the `:absent` tag to the package name in the package group:
```
base::pkg_group::java:
- 'java-1.8.0-openjdk:absent'
- 'java-11-openjdk'
- 'java-17-openjdk'
```
### Ignore Packages
To make packages unavailable for installation, even though provided by the package repositories, add them in Hiera to the list `base::package_exclude`:
```
base::package_exclude:
- 'epics-base-7.0.6*'
```
This list is merged over the full Hiera hierachy, so there is no need to copy exclusions from higher levels when creating an exclusion on a low level.
This list can also be used to opt out packages from other, maybe inherited package groups. But unlike the `:absent` tag in a package list it will not uninstall a package when found.
### Install Debuginfo Packages
The package repositories for debuginfo packages are disabled by default. To spontaneously install such a package, do
```
dnf --enablerepo '*_debug' install ...
```
### Legacy Package Installation
The legacy Hiera lists for package groups is `yum_client::pkg_group::$USE_CASE` and supports the `latest` and `absent` tag, but not the filtering by operating system version.
Then `yum_client::package_groups` is the Hiera list to contain the package groups to be installed.
Please migrate them to the equivalent `base::*` list. You can have both of them available at the same time, with possibly the same content.
### Missing Package
If there is no such package in the repositories, then
```
Error: Execution of '/usr/bin/dnf -d 0 -e 1 -y install non-existing-package-for-test' returned 1: Error: Unable to find a match: non-existing-package-for-test
```
## Managing Services with Systemd
Hiera can also be used to manage services and to automate reoccuring tasks with timers.
### Enabling/Starting a Service
If the software already comes with an systemd unit file, then it is sufficient to just enable it in Hiera by using the `base::services` key:
```
base::services:
netdata:
enable: true
```
The key inside is the `systemd` service name without the `.service` suffix.
### Disabling/Stopping a Service
To stop and disable an already running service, disable it in the `base::services` Hiera key with `enable: false`:
```
base::services:
netdata:
enable: false
```
### Systemd Timers
To have custom executables run regulary on given time/interval, you may use the `base::timers` Hiera key:
```
base::timers:
'timer_test':
description: 'test timers'
command: '/usr/bin/logger foo'
on_calendar: '*:*:10'
persistence: false
```
For each timer following keys are mandatory
- `description` for a short explaination what it is about
- `command` for the command to run
- `on_calendar` defining when it should run using the [`systemd` calendar event format](https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events), (alternatively see also chapter "CALENDAR EVENTS" of `man systemd.date`)
Optional is
- `persistence` which signals if the timer should run immediately after boot when the node was switched of on the last scheduled run time (default is `false`)
### Manage Services with Custom Unit Files
It is also possible to provide a full systemd unit file if there is none already. For this define the different secions and their content with subkeys below the `options` key as in below example:
```
# The following service stops users from accessing the node
# before the home directory is mounted
base::services:
'wait_for_home':
enable: true
options:
Unit:
Before: 'systemd-user-sessions.service'
Install:
WantedBy: 'multi-user.target'
RequiredBy: 'multi-user.target'
Service:
Type: 'oneshot'
ExecStart: '/opt/pli/libexec/waitformount -m /das/home'
RemainAfterExit: 'true'
```
### Enhance a Service with a Dropin Unit File
It is possible to fine-tune already existing `systemd` unit files with dropins. These are placed as `.conf` files in `/etc/systemd/system/$SERVICE.service.d/`.
With the `dropin: true` setting the content of the `options` parameter is written into the according dropin directory:
```
base::services:
'name_of_enhanced_service':
enable: true
dropin: true
options:
...
```
If there are multiple dropins, you might also name them individually with the `dropin_name` parameter.
## Management of Package Repositories
### Package Repository Lists
Also for configuring package repositories our configuration management works with lists containing the names of the repositories to be installed.
The default list (except for nodes with the `bootpc` and `appliances::lenovo::*` Puppet roles) is `rpm_repos::default` (legacy: `yum_client::repositories`).
If repositories are managed in Hiera, feel free to add them to `rpm_repos::default` like
```
rpm_repos::default:
- 'gfa'
```
Note that repositories for different versions of RHEL can be added and only the fitting ones will be configured on the node.
If the package repositories are managed by a Puppet module, then it is good practice is to define a specific package repository list in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml) and then to install it only when needed. An example is `profile::telegraf` which only installes the repositories listed in `rpm_repos::influx` when needed.
### Package Repository Definition
An individual package repository is configured in Hiera within the namespace `rpm_repos::repo::*`, like following example:
```
rpm_repos::repo::epel_rhel8:
name: 'epel'
descr: "Extra Packages for Enterprise Linux 8"
baseurl: 'https://repos.psi.ch/rhel8/tags/$pli_repo_tag/epel/'
gpgkey: 'https://repos.psi.ch/rhel8/keys/epel.gpg'
disable: false
gpgcheck: true
osversion: 8
exclude:
- "slurm*"
```
The legacy namespace `yum_client::repo::*` is currently used for RHEL7 repositories to be backward compatible as some Hiera configuration with higher precedence overwrites certain stuff.
#### Package Repository Name
The reference name used in Hiera (the part after `rpm_repos::repo::` should be globally unique. An unfortunate practice is to use the same name for different package repositories. A current example is the `gfa` repository which has different URLs on different `sysdb` environments.
Note for `name` attribute, that only has to be unique on the machine where they are installed. So if there are two repositories defined to provide the same software for two different OS versions, then it is fine to have the same name there.
#### Package Repository URL
Overriding the URL of a package repository definition on a stricter scope is considered bad practice. The URL defines the actual "identiy" of the package repository definition. It is confusing if it gets different meanings at different places. It is like one passport which will identify different persons in different countries.
If different sources are needed, define and name them appropriately. They point to one given repository and the package repository lists are the place to select what should be applied on a given node.
Also feel free to define all your package repositories in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml).
#### Select Package Repository by OS Version
Usually a package repository only serves packages for one major OS version. This can be stated by the `osversion` attribute. When a package repository list is installed, only the repositories fitting the version of the OS installed on the node are selected and configured.
If the `osversion` attribute is not set, then it is always installed.
#### Package Repository GPG Verification
GPG verification is optional, so `gpgkey` may not be defined and `gpgcheck` is `false` by default. But ideally the packages are signed and checked for tampering and corruption.
#### Exclude Packages
If certain packages provided by given repository should be ignored on the nodes, then add them to the `exclude` list.
### Using Specific Package Repository Snapshot
Most of the externally sourced package repositories on https://repos.psi.ch/rhel7 (RHEL7) and https://repos.psi.ch/rhel8 (RHEL 8) have snapshots which can be used to freeze the available package versions to a given date.
The tags are different per major OS version and are definied in the Hiera hash `rpm_repos::tag`, below you see the default:
```
yum_client::repo_tag: 'prod'
rpm_repos::tag:
redhat7: "%{lookup('yum_client::repo_tag')}"
redhat8: 'rhel-8'
```
So for RHEL 7 the default is `prod` and can be overriden on `yum_client::repo_tag` (backwards compatibility) or on the `redhat7` attribute of `rpm_repos::tag`.
To fix to a specific snapshot on RHEL 8, the `redhat8` attribute has to be set on `rpm_repos::tag`, the default is `rhel-8` which points to the latest snapshot.
The available tags your find at
- [https://repos.psi.ch/rhel8/tags/](https://repos.psi.ch/rhel8/tags/) for RHEL 8 (note the `prod` tag will phase out)
- [https://repos.psi.ch/rhel7/tags/](https://repos.psi.ch/rhel7/tags/) for RHEL 7
### Package Repositories made Available by the Linux Group
Availabe on all systems are:
- RedHat [BaseOS](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/baseos-repository), [AppStream](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/appstream-repository) and [CodeReady](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/codereadylinuxbuilder-repository) repositories
- [Extra Packages for Enterprise Linux (EPEL) repositories](https://docs.fedoraproject.org/en-US/epel/)
- Puppet 7 repository
- Auristor repository for YFS and AFS related packages
- Google Chrome repository
- pli-misc (not tagged for RHEL7, but on RHEL 8)
- Code (Visual Studio Code from Microsoft)
- Microsoft Teams
- PowerScript et. al. (Microsoft)
- HashiCorp (`vault`, `terraform`, `vagrant`, ...)
- Oracle Instant Client 19 and 21
- Opera
Predefined and used when needed are:
- Influx (`influxdb`, `telegraf`, ...)
- CUDA
- Nomachine
To be added/defined in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml)?
- GPFS
- Epics (available for RHEL7)
### pli-misc Repository
A small list of packages managed by the Linux Team.
- make v4.3 from [CentOS](https://rpmfind.net/linux/RPM/centos-stream/9/baseos/x86_64/make-4.3-7.el9.x86_64.html) as v4.2.1 has been reported to to make trouble
- latest [Zoom client](https://zoom.us/download?os=linux)
- latest [Webex client](https://www.webex.com/downloads.html)
- latest [Slack client](https://slack.com/downloads/linux)
- latest [NoMachine Enterprise Client](https://downloads.nomachine.com/download/?id=11)
- latest [Real VNC Viewer](https://www.realvnc.com/en/connect/download/viewer/), recommended for VNC remote access to Windows machines
- `pli-assets` containing the PSI and the Customer Self Service logo, any hints about the source rpm are welcome
- [mod_gearman v4.0.1](https://mod-gearman.org/download/v4.0.1/rhel8/x86_64/)
- lightdm-gtk v2.0.8-3.pli, a patched lightdm-gtk-greeter ([SRPM](https://git.psi.ch/linux-infra/lightdm-gtk-rpm), [PR](https://github.com/Xubuntu/lightdm-gtk-greeter/pull/121)) which allows to limit the presented keyboard layouts
- Code Beamer Office pluging v9.5.0 managed by Gilles Martin
- storecli 007.2007.0000.0000 managed by Marc Caubet Serrabou
- [pam_single_kcm_cache PAM Module](https://github.com/paulscherrerinstitute/pam_single_kcm_cache) managed by Konrad Bucheli
- [nvidia-detect](http://elrepo.org/tiki/nvidia-detect) copied over from ElRepo to make it generally available
- [bob](https://git.psi.ch/linux-infra/bob)
### Package Repositories made Available by other PSI Groups
- `tivoli`, IBM backup software for Arema, managed by Datacenter and DB Services, AIT
- `nxserver` for NoMachine NX
## Automated Package Updates
The automatic updates are controlled in Hiera:
| Hiera key | default | comments |
|-----------------------------------|----------|-------------------------------------------------------------------------------|
| base::automatic_updates::interval | weekly | valid are `daily`, `weekly` and `never` which disables the automatic updates |
| base::automatic_updates::type | security | `security` installs only security updates whereas `all` installs all updates |
| base::automatic_updates::exclude | [] | list of packages not to update, wildcards like "*" are allowed |
| base::automatic_updates::kernel | false | define if new kernel packages also should be installed automatically |
Note that the updates run on midnight, for `weekly` from Sunday to Monday. There is no automatic reboot, e.g. for kernel updates.
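Review bot: a few wording slips in this region: "reported to to make trouble" (doubled "to") in the pli-misc make entry, "pluging" for "plugin" in the Code Beamer entry, and "updates run on midnight" should read "run at midnight" in the Automated Package Updates note. On the Hiera table, the comment for `base::automatic_updates::exclude` says wildcards like "*" are allowed; a bare "*" would match every package and silently disable updating while `interval` still looks active, so the example should show a narrower pattern and say what the wildcard matches against. The closing note that there is no automatic reboot deserves one more sentence: with `base::automatic_updates::kernel` set to true a new kernel is installed but the host keeps running the old one until someone reboots it, so a reboot procedure has to be documented separately.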

View File

@@ -2,7 +2,14 @@
The purpose of the ssh gateways is to give access to protected networks and resources (for a finite period of time).
Users are only supposed to use ssh to connect and on the gateways. They are also supposed to only use the ssh command to further connect to other machines. It is not intended that users keep state on the gateways (e.g. screen/tmux sessions)
Users are only supposed to use ssh to connect to the gateways as well as them to further connect to other machines. Never the less, for ease of use, there are some protocols/ports that can directly be accessed from the ssh gateway. These ports include: 5900 VNC, 3389 RDP, 4000 NX, ICMP/PING.
Therefore direct portforwarding on those ports will work.
```
ssh -L 3389:machine-you-want-to-connect:3389 protected-network-gw
```
It is not intended that users keep state on the gateways (e.g. screen/tmux sessions)
Depending on the gateway the user authenticates via password or password/MFA combination.
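Review bot: the new paragraph reads as self-contradictory: it first says users are only supposed to use ssh to connect to the gateways and onward, then lists VNC, RDP, NX and ICMP as directly reachable; rephrase the first sentence as "ssh is the only way to log in to the gateways" so the exception list reads as intended. Spelling: "Never the less" should be "Nevertheless" and "portforwarding" should be "port forwarding". The fenced example has no language tag, unlike the ```bash fences used in the SSH Gateways page, and it uses `protected-network-gw` where that page uses the `<gateway-name>-gw` placeholder; align both so readers can map one example onto the other. It would also help to state explicitly that only the listed ports (5900, 3389, 4000) are forwarded and that other ports are blocked, since "will work" invites readers to try arbitrary ones.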
@@ -27,6 +34,10 @@ However, the general baseline is that always the responsible of the protected ne
The administration and management of the gateways is done via hiera:
https://git.psi.ch/linux-infra/hiera/data-lx (all the machines are in the sshgw group)
## Gateway List
The list of supported gateways can be found here:
https://git.psi.ch/linux-infra/ansible/playbooks/lx_ansible/-/blob/main/inventory.yaml#L3
## Troubleshooting
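Review bot: the Gateway List link points at a specific line (`inventory.yaml#L3`) of the ansible inventory; a line anchor breaks as soon as the file is edited, so link to the file (or a named key inside it) instead. The preceding paragraph says all gateway machines are in the sshgw group in hiera, while this section takes the list from the ansible inventory; say which of the two is authoritative so they do not drift apart.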

View File

@@ -1,4 +1,4 @@
<svg host="65bd71144e" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="501px" height="267px" viewBox="-0.5 -0.5 501 267" content="&lt;mxfile&gt;&lt;diagram id=&quot;LdZEgD8OCABI24Oml7D-&quot; name=&quot;Page-1&quot;&gt;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&lt;/diagram&gt;&lt;/mxfile&gt;">
<svg host="65bd71144e" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="501px" height="267px" viewBox="-0.5 -0.5 501 267" content="&lt;mxfile&gt;&lt;diagram id=&quot;LdZEgD8OCABI24Oml7D-&quot; name=&quot;Page-1&quot;&gt;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&lt;/diagram&gt;&lt;/mxfile&gt;">
<defs/>
<g>
<rect x="349" y="0" width="10" height="220" fill="#e51400" stroke="#b20000" pointer-events="none"/>
@@ -89,6 +89,24 @@
</text>
</switch>
</g>
<path d="M 290 160 L 443.63 160" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="none"/>
<path d="M 448.88 160 L 441.88 163.5 L 443.63 160 L 441.88 156.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="none"/>
<g transform="translate(-0.5 -0.5)">
<switch>
<foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
<div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 160px; margin-left: 370px;">
<div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
<div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; background-color: rgb(255, 255, 255); white-space: nowrap;">
ICMP/PING
</div>
</div>
</div>
</foreignObject>
<text x="370" y="163" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">
ICMP/PING
</text>
</switch>
</g>
<g transform="translate(-0.5 -0.5)">
<switch>
<foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
@@ -169,13 +187,13 @@
<div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 140px; margin-left: 370px;">
<div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
<div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; background-color: rgb(255, 255, 255); white-space: nowrap;">
ICMP/PING
NX / 4000
</div>
</div>
</div>
</foreignObject>
<text x="370" y="143" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">
ICMP/PING
NX / 4000
</text>
</switch>
</g>
@@ -220,8 +238,8 @@
<g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/>
<a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank">
<text text-anchor="middle" font-size="10px" x="50%" y="100%">
Viewer does not support full SVG 1.1
Text is not SVG - cannot display
</text>
</a>
</switch>
</svg>
</svg>


View File

@@ -2,3 +2,5 @@
More info on the nomachine service can be found here:
[User Documentation - Intranet](https://www.psi.ch/en/photon-science-data-services/remote-interactive-access)
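Review bot: the added link is labelled "User Documentation - Intranet" but the URL is on the public www.psi.ch site; either drop "Intranet" from the label or link the actual intranet page, so readers know whether they need to be on the PSI network to read it.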

View File

@@ -1,10 +1,9 @@
# SSH Gateways
The purpose of the ssh gateways is to give temporary access to protected networks and resources. Users are only supposed to use __ssh__ to connect to and on the gateways. They are not supposed to only use the __ssh__ command to further connect to the machine they need to connect to.
The purpose of the ssh gateways is to give temporary access to protected networks and resources. Users are only supposed to use __ssh__ to connect to and from the gateways.
The access to the gateway is controlled by special ActiveDirectory groups. The membership of the groups are managed by the responsible of the protected network the gateway gives access to. In case of a beamline this is the beamline scientist.
Connecting to a gateway:
```bash
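Review bot: the rewritten sentence drops the rule that, once on a gateway, users should only use ssh to go further (the old line carried it, garbled by a stray "not"), and "to connect to and from the gateways" does not restore it; suggest "Users are only supposed to use __ssh__ to connect to the gateways and, from there, only __ssh__ to reach the machines they need." In the unchanged context line, "The membership of the groups are managed by the responsible of the protected network" should read "is managed by the person responsible for the protected network".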
@@ -25,6 +24,3 @@ Establishing an SSH connection through the gateway to a machine inside the prote
```bash
ssh -J <gateway-name>-gw <name-of-the-machine-you-want-to-connect>
```