diff --git a/admin-guide/_static/UID_and_GID.pdf b/admin-guide/_static/UID_and_GID.pdf deleted file mode 100644 index 2856cc44..00000000 Binary files a/admin-guide/_static/UID_and_GID.pdf and /dev/null differ diff --git a/admin-guide/certificates.md b/admin-guide/certificates.md deleted file mode 100644 index 06943634..00000000 --- a/admin-guide/certificates.md +++ /dev/null @@ -1,67 +0,0 @@ -# HTTPS Certificates - -We use DigiCert certificates. - - -## Request a Certificate - -First create a certificate signing request (CSR) like this, replacing the values for `FQDN` -and `ALIASES` - -```bash -ALIASES=xyz.psi.ch -FQDN=xyz00.psi.ch - -cat >$FQDN.cnf < IT Systems & Data Storage > Register E-Mail Sender) - -https://psi.service-now.com/psisp?id=psi_new_sc_cat_item&sys_id=68d60ca74f8833407f7660fe0310c7e3 - -The default PSI mail gateways for the different network segments are defined in the puppet common.yaml. Depending on the machines location a different default will take effect. The defaults are as follows: - -``` -mta::relays: - 'default': 'smtpint.psi.ch' - 'dmz': 'smtpdmz.psi.ch' - 'extranet': 'smtpdmz.psi.ch' - 'tier3': 'smtpdmz.psi.ch' -``` - -To enable the possibility to send emails from a machine to one of the standard gateways the flag `base::enable_mta` simply needs to be enabled. No other configuration is needed. - -```yaml -base::enable_mta: true -``` - -The default name of the sending mail server is the hostname of the machine running postfix. To rename it use `mta::myhostname`. - -```yaml -mta::myhostname: 'foobar.psi.ch' -``` - -## Sending Emails Via An Other SMTP Relay - -If your machine is in the default network zone (i.e. PSI intranet) sending via a differnet mail gateway than the default can be done like this: - -```yaml -base::enable_mta: true -mta::relays: - 'default': 'test-smtp-relay.psi.ch' -``` - -Wether the email is accepted by the mail relay depends on the relays configuration. Contact the relay admin what the rules for his gateway are. - - -## Configure Server as Mail Relay - -The following configuration is needed if you want to setup a email relay server accepting emails from clients. -Depending on the rule where your relay should forward messages, your server/relay must be registered/authorized on the relay it forwardes messages to. (e.g. PSI default mail relay, procedure see above) - -```yaml -base::enable_mta: true - -# if you want to use an other forward relay than the PSI defaults -# mta::relays: -# 'default': 'test-smtp-relay.psi.ch' - -# interfaces postfix should accept emails -mta::inet_interfaces: # array[string] default: loopback-only -# networks from which this relay should accept emails -mta::mynetworks: # default: undefined -``` - -Example (assumption the servers ip address is 10.1.2.110): -```yaml - mta::inet_interfaces: - - '10.1.2.110' - - 'localhost' - # mta::mynetworks_style: 'subnet' - mta::mynetworks: - - '10.1.2.0/24' - - '10.1.3.0/24' -``` diff --git a/admin-guide/configuration/basic/gssproxy_with_keytab.md b/admin-guide/configuration/basic/gssproxy_with_keytab.md deleted file mode 100644 index 969147fb..00000000 --- a/admin-guide/configuration/basic/gssproxy_with_keytab.md +++ /dev/null @@ -1,37 +0,0 @@ -# Permanent Kerberos with gssproxy and Password Keytab - -If there are accounts which run software permamently e.g. used for data collection and shall always be able to write to Kerberos protected network shares, they you may provide the `gssproxy` service with a password keytab. -After Kerberos for NFS and CIFS is handled transparently and there is no need to `kinit`, renew and anything like this because that is handled in the back by `gssproxy` automatically. - -**Attention: The keytab file generated in this guide is like a cleartext password and needs to be protected the same!** - -**Note: when the password of the user changes, a new keytab file with the new password needs to be created.** - -First you need the user name \(\$USER) and the user ID \(\$UID) to prepare the password keytab: - -``` -$ # ensure it does not exist, else it gets extended -$ rm $UID.keytab -$ ktutil -ktutil: add_entry -password -k 0 -f -p $USER -Password for $USER@D.PSI.CH: -ktutil: wkt $UID.keytab -ktutil: exit -$ -``` -Note that inside `ktutil` variables are not interpolated as this is not `bash`. -To test if the keytab works as intended do -``` -$ kinit -t $UID.keytab -k $USER -$ -``` -and without output it is working fine. - -Then as root (`sudo`) make it known to `gssproxy`: -``` -# cp $UID.keytab /var/lib/gssproxy/clients/ -# chmod 600 /var/lib/gssproxy/clients/$UID.keytab -# chown root:root /var/lib/gssproxy/clients/$UID.keytab -``` - -If you want to [distribute the keytab with Puppet/Hiera](../files/distribute_files), ensure it is [stored in Hiera encrypted](../../puppet/hiera). diff --git a/admin-guide/configuration/basic/host_rename.md b/admin-guide/configuration/basic/host_rename.md deleted file mode 100644 index b60aad53..00000000 --- a/admin-guide/configuration/basic/host_rename.md +++ /dev/null @@ -1,58 +0,0 @@ -# Host Renaming - -Following steps are required to rename a host. - - -## Introduce New Hostname - -### Sysdb/bob -For sysdb create a new node with bob as usual. -For reference do - -``` -OLD_FQDN=my-old-hostname.psi.ch -NEW_FQDN=my-new-hostname.psi.ch -bob node list -v $OLD_FQDN -``` -then add the new node -``` -bob node add $NEW_FQDN $SYSDB_ENV -bob node set-attr $NEW_FQDN [all attributes as listed above] -``` -and the same for the MAC addresses: -``` -for mac in $(bob node list-macs $OLD_FQDN); do echo bob node add-mac $NEW_FQDN $mac; done -``` - -### Hiera - -In Hiera ensure that a host specific configuration file exists for the FQDN with the same content as for the old hostname. - -## Acutal Hostname Change - -On the node as `root` run - -``` -hostnamectl set-hostname $NEW_FQDN -rm -rf /etc/puppetlabs/puppet/ssl -puppet agent -t -``` - -which changes the local hostname, removes the local Puppet certificate and updates the configuration with Puppet using the new hostname. - -## Other Changes to Consider - -- change DNS entry if a static IP address is assigned -- redo SSL/TLS certificates with new hostname -- if the host is icinga2 monitored you need to remove icinga2 from the host before running puppet so that a new cert, etc. is generated for the host -``` -yum remove icinga2-common icinga2-bin icinga2 -rm -rf /var/lib/icinga2 -rm -rf /etc/icinga2 -``` - -## Remove Old Hostname - -- `bob node delete $OLD_FQDN` -- remove from Hiera -- inform the Linux Team (linux-eng@psi.ch) so it can remove from Puppet server the certificate and other data and remove the computer object from the AD diff --git a/admin-guide/configuration/basic/networking.md b/admin-guide/configuration/basic/networking.md deleted file mode 100644 index 174b02f6..00000000 --- a/admin-guide/configuration/basic/networking.md +++ /dev/null @@ -1,276 +0,0 @@ -# Network Configuration - -Our Puppet configuration management supports five types of network configuration: -- **auto**: NetworkManager does automatic configuration while respecting local user managed configuration -- **auto_static_ip**: static NetworkManager connection with IP from DNS and network information from DHCP -- **managed**: NetworkManger is fully managed via Hiera/Puppet -- **unmanaged**: network configuration (incl. DNS) is not touched by Puppet -- **legacy**: Puppet keeps network configuration untouched except for DNS configuration and applying `network::*` Hiera settings - -Not all types are supported by all RedHat versions: - -| Type | RHEL7 | RHEL8 | RHEL9 | -|----------------|---------|---------|---------| -| auto | \- | ✓ | Default | -| auto_static_ip | \- | ✓ | ✓ | -| managed | \- | ✓ | ✓ | -| unmanaged | \- | ✓ | ✓ | -| legacy | Default | Default | \- | - -## Automatic Network Configuration - -The automatic network configuration will just let NetworkManager do the work as it does it by default. - -In Hiera you can select this option with - -``` -networking::setup: auto -``` - -And what does NetworkManager actually do by default? It attemps automatic configuration on all interfaces (DHCP, SLAAC). Additionally the user may add desired connections. This might be Wifi, VPN, but also normal Ethernet. Automatic configuration is only attempted if there is no such specific configuration. - -DNS configuration as such is learned by autoconfiguration/manual connection configuration and will not be managed by Puppet. - -Note that when changing to `auto` all legacy `ifcfg` files for network configuration are removed. - -## Automatic Network Configuration with Static IP Address - -In a setup where there is just one static IP address which can be resolved via DNS, Puppet can configure a static connection with - -``` -networking::setup: auto_static_ip -``` - -Note this only works if there is a DHCP server in that network which provides the network mask and the default gateway IP address. - -## Managed Network Configuration - -The network configuration can be fully and fine-grained be managed from Hiera with - -``` -networking::setup: managed -``` - -and the configuration for the individual connections: - -``` -networking::connections: - - psi_network - - management_network - -networking::connection::psi_network: - interface_name: 'eno0' - ipv4_method: 'manual' - ipv4_address: '129.129.241.66/24' - ipv4_gateway: '129.129.241.1' - ipv6_method: 'disabled' - -networking::connection::management_network: - interface_name: 'eno1' - ipv4_method: 'manual' - ipv4_address: '192.168.71.10/24' - ipv6_method: 'disabled' -``` - - -So there is the list `networking::connections` which selects the network connections which should be configured. - -Then for each connection name listed there needs to be a hash in Hiera named `networking::connection::$CONNECTION_NAME`. - -If you have a fixed IP address which is in the DNS, you might also interpolate the `ipv4_by_dns` or the `ipv6_by_dns` variable: - -``` -networking::connection::psi_network: - mac_address: '00:50:56:9d:bb:ad' - ipv4_method: 'manual' - ipv4_address: '%{ipv4_by_dns}/24' - ipv4_gateway: '129.129.187.1' - ipv6_method: 'manual' - ipv6_address: '%{ipv6_by_dns}' - ipv6_gateway: 'abcd:1234::1' -``` - -```{note} -The default value (if not specified) for `ipv6_method` is _auto_. -``` - -### Ethernet Connection Definition - -The default connection type is `ethernet` (alias for `802-3-ethernet`). -The network connection hash needs to specify the NIC for the connection either by name with the key `interface_name` or by MAC address with the key `mac_address`. - -Next you need to specify how IPv4 configuration should be done. The key `ipv4_method` supports the values `auto`, `dhcp`, `manual`, `disabled`, `link-local`. All except `manual` do not need further configuation. For `manual` the `ipv4_address` in the CIDR format "IP/network mask bits". For the default router has to be set with the key `ipv4_gateway`. - -We did not look into IPv6 configuration yet and usualy it is best to switch it off by setting `ipv6_method` to `disabled`. - -To keep an interface down the setting `state` can be set to `down` (default is `up`). - -You may also add additional configuration like size of the ring buffer: -``` -networking::connection::psi_network: - ... - additional_config: - ethtool: - ring-rx: 8192 - ring-tx: 8192 -``` -The first key level is the section in the NetworkManager configuration file (on the command line usually the first part before the dot), the second key level is the name of the value to be set. - -### Infiniband Connection Definition -For infiniband connections the configuration is similar to ethernet. Additionally there is there is the `type: 'infiniband` setting accompanied by an `additional_config` key holding an `infiniband` key with the infinibad specific optioins, as you see in below example: - -``` -networking::connection::ipoib_network: - interface_name: 'ib0' - ipv4_method: 'manual' - ipv4_address: '192.168.1.16/24' - ipv4_gateway: '192.168.1.1' - ipv6_method: 'disabled' - type: 'infiniband' - additional_config: - infiniband: - mtu: 65520 - transport-mode: 'connected' -``` - -### Other Connection Types - -NetworkManager also supports other types like `wifi`, `vpn`, `bridge`, `vlan`, etc. Note that other types than `ethernet` and `ethernet` have so far not been tested. Please contact us if you managed to set up some other network type or need help to do so. - - -### Interface Bonding -For a bonded interfaces there is an own list named `networking::bondings` which defines which configuration defined in `networking::bonding::$NAME` hashes should be appled: - -``` -networking::bondings: - - bond0 - -networking::bonding::bond0: - ipv4_method: 'manual' - ipv4_address: '%{ipv4_by_dns}/24' - ipv4_gateway: '129.129.86.1' - ipv6_method: 'ignore' - slaves: - - 'eno5' - - 'eno6' - bond: - mode: '802.3ad' - xmit_hash_policy: 'layer2+3' - miimon: '100' - # optional - additional_config: - ethernet: - mtu: 9000 -``` -Feel free to extend the documentation here or provide a link for detailed explanation of the bond options. - -By default the connection name is automatically used name of the bonding interface, Still, you can use speaking names instead for the connection if you specifiy the interface name explicitely: - -``` -networking::bondings: - - psi_network - -networking::bonding::psi_network: - ifc_name: 'bond0' - ipv4_method: 'manual' - ... -``` - -### Static Routes - -Static routes can be added with the `additional_config` key in the connection settings. -Depending on the IP version there is a `ipv4` or `ipv6` subkey which then can contain many `routes` + number keys. So the first route is `routes1`, the second `routes2`, etc. -The minimal entry for `routesX` is the network and then, separated with a comma, the next hop IP. The optional third entry is the metric. -For each route you may also add a option key `routesX_options`, where multiple options in the form `name=value` can be added, again comma separated. - -An example: - -``` -networking::connection::management_network: - interface_name: 'eno1' - ipv4_method: 'manual' - ipv4_address: '192.168.71.10/24' - ipv6_method: 'disabled' - additional_config: - ipv4: - routes1: '10.255.254.0/24,192.168.71.1' - routes2: '10.255.255.0/24,192.168.71.1,100' - routes2_options: 'lock-cwnd=false,lock-mtu=false' -``` - -All routing options can be found in the Red Hat NetworkManager documentation ([RHEL8](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/configuring-static-routes_configuring-and-managing-networking#how-to-use-the-nmcli-command-to-configure-a-static-route_configuring-static-routes), [RHEL9](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_managing_networking/configuring-static-routes_configuring-and-managing-networking#how-to-use-the-nmcli-command-to-configure-a-static-route_configuring-static-routes)). - -### Removing a Connection - -A connection does **not get removed** when its configuration has been removed in Hiera and was applied on the node. - -To remove it you may do it manually or reboot. - -Manual removal is done with `nmcli connection down $ID/$CONNECTION_NAME`: -``` -[root@lx-test-dmz-01 ~]# nmcli connection -NAME UUID TYPE DEVICE -dmz_network f77611ac-b6e2-5a08-841e-8a1023eefaed ethernet ens33 -ens35 f3ba4a81-8c9b-4aec-88ee-ddffd32f67fa ethernet ens35 -[root@lx-test-dmz-01 ~]# nmcli connection down f3ba4a81-8c9b-4aec-88ee-ddffd32f67fa -Connection 'ens35' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2) -[root@lmu-user-dmz-01 ~]# nmcli connection -NAME UUID TYPE DEVICE -dmz_network f77611ac-b6e2-5a08-841e-8a1023eefaed ethernet ens33 -[root@lx-test-dmz-01 ~]# -``` - -### DNS Override - -The internal nameservers are configured according to the network zone by Puppet. - -If for some reason that is unsuitable, you might set your own in Hiera: -``` -networking::nameservers_override: - - 192.33.120.5 - - 192.33.121.5 -``` - -### No Automatic Migration to Legacy Configuration - -Note that when changing to `managed` all legacy `ifcfg` files and all NetworkManager connections not reflected in Hiera are removed. So if you want to be able to go back to legacy mode you need to backup these files first. - -## Unmanaged Network Configuration - -Here Puppet keeps the fingers off any network related configuration like interface configuration, DNS or routing. - -In Hiera you can select this option with - -``` -networking::setup: unmanaged -``` - -When you change to unmanaged network configuration, the configuration on the node will stay as is. - -## Legacy Network Configuration - -The legacy mode Puppet does not do configuration of network addresses and interfaces. This usually is done by the Kickstart file during OS installation and then not touched any more. Or with manual changes. - -Additionally the `network` Puppet module can be used for more complex setups. But as this module is not maintained any more, we phase it out with RHEL9 and suggest to migrate away from it on RHEL8. - -The legacy mode is selected by not setting `networking::setup` in Hiera. - -### Custom Nameservers - -The internal nameservers are configured according to the network zone by Puppet. - -If for some reason that is unsuitable, you might set your own in Hiera: - -``` -networking::nameservers_override: - - 192.33.120.5 - - 192.33.121.5 -``` - -## Disable DNS Caching - -Except for the `unmanaged` setup mode you may disable DNS caching with - -``` -networking::enable_dns_caching: false -``` diff --git a/admin-guide/configuration/basic/ntp_client.md b/admin-guide/configuration/basic/ntp_client.md deleted file mode 100644 index 59c8b512..00000000 --- a/admin-guide/configuration/basic/ntp_client.md +++ /dev/null @@ -1,9 +0,0 @@ -# Custom NTP Servers - -You can add other nameservers to your list by extending in the Hiera key `ntp_client::servers` the list of your network zone (most probably `default`): - -``` -ntp_client::servers: - 'default': - - '172.16.1.15' -``` diff --git a/admin-guide/configuration/basic/ntp_server.md b/admin-guide/configuration/basic/ntp_server.md deleted file mode 100644 index 2d32f4a8..00000000 --- a/admin-guide/configuration/basic/ntp_server.md +++ /dev/null @@ -1,9 +0,0 @@ -# NTP Server - -Your node can serve as NTP server. To allow access you need to configure which networks/hosts are allowed to contact `chrony` in the Hiera list `ntp_server::allow`: - -``` -ntp_server::allow: - - '129.129.0.0/16' - - '10.10.10.10' -``` diff --git a/admin-guide/configuration/basic/puppet_agent.md b/admin-guide/configuration/basic/puppet_agent.md deleted file mode 100644 index db809664..00000000 --- a/admin-guide/configuration/basic/puppet_agent.md +++ /dev/null @@ -1,51 +0,0 @@ -# Puppet Agent Configuration -The Puppet Agent provides the basic system configuration as defined in Hiera. - -## Automatic Puppet Agent Runs - -By default the Puppet Agent runs daily somewhen between 5-8 AM. - -The frequency can be changed in Hiera with the key `puppet_client::exec_frequency`. - -Allowed parameters are -- 'halfhourly': every 30 minutes -- 'daily': once a day (default) -- 'weekly': every Monday -- 'boot_only': only shortly after bootup - -The actual automatic Puppet Agent run is always on the same random time (except for `boot_only`). Check `systemctl list-timers pli-puppet-run.timer` for the exact time on a specific node. - -For `daily` and `weekly` the time window is configured in Hiera with `puppet_client::exec_time`, the default is: -``` -puppet_client::exec_time: '05:00 -- 08:00' -``` -The time format used is '24-hour clock' `HH:MM -- HH:MM`. - -## Temporarily Disable Automatic Puppet Agent Runs -Puppet execution can be disabled for a certain amount of time with the -`/opt/pli/libexec/pli-puppet-disable` command: - -``` -# /opt/pli/libexec/pli-puppet-disable -puppet currently not disabled -# /opt/pli/libexec/pli-puppet-disable '1 week' -# /opt/pli/libexec/pli-puppet-disable -Puppet disabled until: Wed Nov 1 08:00:05 CET 2017 -# /opt/pli/libexec/pli-puppet-disable stop -Stopping -# /opt/pli/libexec/pli-puppet-disable -puppet currently not disabled -# -``` -The disabling time has to be in the ``date`` format (see date(1)). - -## Manual Execution of Puppet Agent -At any time you might update the node configuration by running the Puppet Agent manually. To do so run as user `root` the following command: -``` -puppet agent -t -``` - -If you just wish to see what it would change without doing the actual change on the system, run -``` -puppet agent -t --noop -``` diff --git a/admin-guide/configuration/basic/sysctl.md b/admin-guide/configuration/basic/sysctl.md deleted file mode 100644 index 34d1409a..00000000 --- a/admin-guide/configuration/basic/sysctl.md +++ /dev/null @@ -1,17 +0,0 @@ -sysctl -====== - -You may change individual sysctl values in Hiera with the hash `sysctl::values`: - -``` -sysctl::values: - net.ipv4.tcp_slow_start_after_idle: - value: '0' - net.core.rmem_max: - value: '83886080' - net.core.wmem_max: - value: '83886080' -``` - -[https://www.kernel.org/doc/Documentation/sysctl/](https://www.kernel.org/doc/Documentation/sysctl/) -[https://www.kernel.org/doc/Documentation/networking/](https://www.kernel.org/doc/Documentation/networking/) diff --git a/admin-guide/configuration/basic/verbose_boot.md b/admin-guide/configuration/basic/verbose_boot.md deleted file mode 100644 index 7090c03b..00000000 --- a/admin-guide/configuration/basic/verbose_boot.md +++ /dev/null @@ -1,10 +0,0 @@ -# Configuration to Send/Relay Emails - -Verbose boot can be configured in Hiera with - -``` -base::enable_verbose_boot: true -``` - -By default it is disabled on workstation type systems. - diff --git a/admin-guide/configuration/desktop.md b/admin-guide/configuration/desktop.md deleted file mode 100644 index 25c7b08d..00000000 --- a/admin-guide/configuration/desktop.md +++ /dev/null @@ -1,4 +0,0 @@ -# Desktop Configuration Guides - -```{tableofcontents} - diff --git a/admin-guide/configuration/desktop/_static/banner_message.png b/admin-guide/configuration/desktop/_static/banner_message.png deleted file mode 100644 index bdf24fc7..00000000 Binary files a/admin-guide/configuration/desktop/_static/banner_message.png and /dev/null differ diff --git a/admin-guide/configuration/desktop/_static/desktop_profile.excalidraw b/admin-guide/configuration/desktop/_static/desktop_profile.excalidraw deleted file mode 100644 index 5fc693bd..00000000 --- a/admin-guide/configuration/desktop/_static/desktop_profile.excalidraw +++ /dev/null @@ -1,1070 +0,0 @@ -{ - "type": "excalidraw", - "version": 2, - "source": "https://excalidraw.com", - "elements": [ - { - "type": "arrow", - "version": 210, - "versionNonce": 773687472, - "index": "b00", - "isDeleted": false, - "id": "i-TcXxnm4U_5weLUwaZKC", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 737.1301390230093, - "y": 56, - "strokeColor": "#3bc9db", - "backgroundColor": "#ffffff", - "width": 362.8394303860613, - "height": 116.52494524386714, - "seed": 1774320879, - "groupIds": [], - "frameId": null, - "roundness": { - "type": 2 - }, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "startBinding": { - "elementId": "iURU4cM1iSu4UBJwDjTGZ", - "focus": -0.048157023030437035, - "gap": 11, - "fixedPoint": null - }, - "endBinding": { - "elementId": "jCuzfFFGZpqKwRYA2sslz", - "focus": -0.3805678546118675, - "gap": 1, - "fixedPoint": null - }, - "lastCommittedPoint": null, - "startArrowhead": null, - "endArrowhead": "arrow", - "points": [ - [ - 0, - 0 - ], - [ - 362.8394303860613, - 116.52494524386714 - ] - ], - "elbowed": false - }, - { - "id": "2-KKbdZLD1wELjtEvSdzr", - "type": "rectangle", - "x": 401, - "y": 271, - "width": 92, - "height": 73, - "angle": 0, - "strokeColor": "#1e1e1e", - "backgroundColor": "transparent", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "b01", - "roundness": { - "type": 3 - }, - "seed": 399608033, - "version": 86, - "versionNonce": 1927322192, - "isDeleted": false, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false - }, - { - "type": "rectangle", - "version": 73, - "versionNonce": 482931376, - "index": "b02", - "isDeleted": false, - "id": "ysjk0fahBNb5g_ak66NTI", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 600, - "y": 266.5, - "strokeColor": "#1e1e1e", - "backgroundColor": "transparent", - "width": 92, - "height": 73, - "seed": 875744353, - "groupIds": [], - "frameId": null, - "roundness": { - "type": 3 - }, - "boundElements": [ - { - "id": "X6DGJwvQiJ-h5Au1acBP_", - "type": "arrow" - } - ], - "updated": 1730908458556, - "link": null, - "locked": false - }, - { - "type": "rectangle", - "version": 112, - "versionNonce": 645451856, - "index": "b03", - "isDeleted": false, - "id": "Lx0Dd5nKo3gDcD-U43Uwj", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 795, - "y": 263.5, - "strokeColor": "#1e1e1e", - "backgroundColor": "transparent", - "width": 92, - "height": 73, - "seed": 1704766671, - "groupIds": [], - "frameId": null, - "roundness": { - "type": 3 - }, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false - }, - { - "id": "L0M_MdtgJK1Ty36iyZ4wk", - "type": "text", - "x": 807, - "y": 358, - "width": 78.15999603271484, - "height": 25, - "angle": 0, - "strokeColor": "#1e1e1e", - "backgroundColor": "#ffffff", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "b04", - "roundness": null, - "seed": 1088913327, - "version": 54, - "versionNonce": 913775792, - "isDeleted": false, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "text": "desktop", - "fontSize": 20, - "fontFamily": 5, - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "desktop", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "id": "UbO_KLJ3Fdw9V1ZUmX5Zx", - "type": "text", - "x": 572, - "y": 359, - "width": 155.84002685546875, - "height": 25, - "angle": 0, - "strokeColor": "#1e1e1e", - "backgroundColor": "#ffffff", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "b05", - "roundness": null, - "seed": 2068754785, - "version": 59, - "versionNonce": 1704609360, - "isDeleted": false, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "text": "session-manager", - "fontSize": 20, - "fontFamily": 5, - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "session-manager", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "id": "dJeU6CW9Ow7aUfRIHA-P6", - "type": "text", - "x": 379, - "y": 360, - "width": 150.32003784179688, - "height": 25, - "angle": 0, - "strokeColor": "#1e1e1e", - "backgroundColor": "#ffffff", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "b06", - "roundness": null, - "seed": 916283247, - "version": 80, - "versionNonce": 214959792, - "isDeleted": false, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "text": "display-manager", - "fontSize": 20, - "fontFamily": 5, - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "display-manager", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "id": "V6v0H24LQe9TRIIHvKURS", - "type": "text", - "x": 416, - "y": 431, - "width": 68.24000549316406, - "height": 50, - "angle": 0, - "strokeColor": "#1e1e1e", - "backgroundColor": "#ffffff", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "b07", - "roundness": null, - "seed": 353426689, - "version": 14, - "versionNonce": 1830616144, - "isDeleted": false, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "text": "gdm\nlightdm", - "fontSize": 20, - "fontFamily": 5, - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "gdm\nlightdm", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "id": "0Fs-nmZNoMgjQnaUbjADA", - "type": "text", - "x": 609, - "y": 421, - "width": 139.86001586914062, - "height": 125, - "angle": 0, - "strokeColor": "#1e1e1e", - "backgroundColor": "#ffffff", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "b08", - "roundness": null, - "seed": 704674127, - "version": 75, - "versionNonce": 418920556, - "isDeleted": false, - "boundElements": [], - "updated": 1731416627531, - "link": null, - "locked": false, - "text": "gnome-xorg\ngnome-wayland\ngnome-classic\nxfce\n...", - "fontSize": 20, - "fontFamily": 5, - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "gnome-xorg\ngnome-wayland\ngnome-classic\nxfce\n...", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "id": "X6DGJwvQiJ-h5Au1acBP_", - "type": "arrow", - "x": 519, - "y": 307, - "width": 64, - "height": 0, - "angle": 0, - "strokeColor": "#1e1e1e", - "backgroundColor": "#ffffff", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "b09", - "roundness": { - "type": 2 - }, - "seed": 1449781953, - "version": 17, - "versionNonce": 517534288, - "isDeleted": false, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "points": [ - [ - 0, - 0 - ], - [ - 64, - 0 - ] - ], - "lastCommittedPoint": null, - "startBinding": null, - "endBinding": { - "elementId": "ysjk0fahBNb5g_ak66NTI", - "focus": -0.1095890410958904, - "gap": 17, - "fixedPoint": null - }, - "startArrowhead": null, - "endArrowhead": "arrow", - "elbowed": false - }, - { - "type": "arrow", - "version": 57, - "versionNonce": 220338864, - "index": "b0A", - "isDeleted": false, - "id": "fVUYVAnscnkDQpC9w3qYJ", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 709.9628626323026, - "y": 303.5519597529316, - "strokeColor": "#1e1e1e", - "backgroundColor": "#ffffff", - "width": 64, - "height": 0, - "seed": 142099809, - "groupIds": [], - "frameId": null, - "roundness": { - "type": 2 - }, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "startBinding": null, - "endBinding": null, - "lastCommittedPoint": null, - "startArrowhead": null, - "endArrowhead": "arrow", - "points": [ - [ - 0, - 0 - ], - [ - 64, - 0 - ] - ], - "elbowed": false - }, - { - "id": "1aZZupmz0IL17oNRXVAB0", - "type": "text", - "x": 555, - "y": 44, - "width": 144.6800079345703, - "height": 25, - "angle": 0, - "strokeColor": "#3bc9db", - "backgroundColor": "#ffffff", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "b0B", - "roundness": null, - "seed": 1817171233, - "version": 76, - "versionNonce": 1638279248, - "isDeleted": false, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "text": "profile.desktop", - "fontSize": 20, - "fontFamily": 5, - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "profile.desktop", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "type": "text", - "version": 256, - "versionNonce": 292242608, - "index": "b0C", - "isDeleted": false, - "id": "hqbgFqv5SQai0IxYPfWHR", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 385.65999603271484, - "y": 186.5, - "strokeColor": "#3bc9db", - "backgroundColor": "#ffffff", - "width": 134.75999450683594, - "height": 50, - "seed": 846427137, - "groupIds": [], - "frameId": null, - "roundness": null, - "boundElements": [ - { - "id": "7BetjecKwL40_bxD4kMG6", - "type": "arrow" - } - ], - "updated": 1730908458556, - "link": null, - "locked": false, - "fontSize": 20, - "fontFamily": 5, - "text": "profile.gdm\nprofile.ligthdm", - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "profile.gdm\nprofile.ligthdm", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "type": "text", - "version": 231, - "versionNonce": 22847056, - "index": "b0D", - "isDeleted": false, - "id": "sgeAiSoNtmkkUDqPxXIWg", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 786.620002746582, - "y": 184, - "strokeColor": "#3bc9db", - "backgroundColor": "#ffffff", - "width": 124.13999938964844, - "height": 50, - "seed": 465673377, - "groupIds": [], - "frameId": null, - "roundness": null, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "fontSize": 20, - "fontFamily": 5, - "text": "profile.gnome\nprofile.xfce", - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "profile.gnome\nprofile.xfce", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "id": "O1DqGB2gPQlPAwonT1phu", - "type": "arrow", - "x": 543, - "y": 80, - "width": 58, - "height": 28, - "angle": 0, - "strokeColor": "#3bc9db", - "backgroundColor": "#ffffff", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "b0E", - "roundness": { - "type": 2 - }, - "seed": 1001465583, - "version": 64, - "versionNonce": 1191128752, - "isDeleted": false, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "points": [ - [ - 0, - 0 - ], - [ - -58, - 28 - ] - ], - "lastCommittedPoint": null, - "startBinding": null, - "endBinding": { - "elementId": "BsAVKvplXbW64q8AjUuPF", - "focus": -0.3053039011162528, - "gap": 13, - "fixedPoint": null - }, - "startArrowhead": null, - "endArrowhead": "arrow", - "elbowed": false - }, - { - "id": "K7DqlaiHR7nxla8rtAfcg", - "type": "arrow", - "x": 645, - "y": 96, - "width": 1, - "height": 127, - "angle": 0, - "strokeColor": "#3bc9db", - "backgroundColor": "#ffffff", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "b0F", - "roundness": { - "type": 2 - }, - "seed": 104022497, - "version": 65, - "versionNonce": 248796240, - "isDeleted": false, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "points": [ - [ - 0, - 0 - ], - [ - -1, - 127 - ] - ], - "lastCommittedPoint": null, - "startBinding": null, - "endBinding": null, - "startArrowhead": null, - "endArrowhead": "arrow", - "elbowed": false - }, - { - "id": "0hsN4LBogxU2vwzsQRP26", - "type": "arrow", - "x": 713, - "y": 86, - "width": 99, - "height": 79, - "angle": 0, - "strokeColor": "#3bc9db", - "backgroundColor": "#ffffff", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "b0G", - "roundness": { - "type": 2 - }, - "seed": 851749537, - "version": 43, - "versionNonce": 914741424, - "isDeleted": false, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "points": [ - [ - 0, - 0 - ], - [ - 99, - 79 - ] - ], - "lastCommittedPoint": null, - "startBinding": null, - "endBinding": null, - "startArrowhead": null, - "endArrowhead": "arrow", - "elbowed": false - }, - { - "type": "text", - "version": 249, - "versionNonce": 1071991376, - "index": "b0H", - "isDeleted": false, - "id": "BsAVKvplXbW64q8AjUuPF", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 367.62000274658203, - "y": 121, - "strokeColor": "#3bc9db", - "backgroundColor": "#ffffff", - "width": 208.62002563476562, - "height": 25, - "seed": 1416583073, - "groupIds": [], - "frameId": null, - "roundness": null, - "boundElements": [ - { - "id": "O1DqGB2gPQlPAwonT1phu", - "type": "arrow" - }, - { - "id": "7BetjecKwL40_bxD4kMG6", - "type": "arrow" - } - ], - "updated": 1730908458556, - "link": null, - "locked": false, - "fontSize": 20, - "fontFamily": 5, - "text": "profile.displaymanager", - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "profile.displaymanager", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "type": "arrow", - "version": 141, - "versionNonce": 329728688, - "index": "b0I", - "isDeleted": false, - "id": "7BetjecKwL40_bxD4kMG6", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 456.4140261019394, - "y": 155.4139667158201, - "strokeColor": "#3bc9db", - "backgroundColor": "#ffffff", - "width": 2, - "height": 24, - "seed": 72670543, - "groupIds": [], - "frameId": null, - "roundness": { - "type": 2 - }, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "startBinding": { - "elementId": "BsAVKvplXbW64q8AjUuPF", - "focus": 0.1299440657812496, - "gap": 9.413966715820095, - "fixedPoint": null - }, - "endBinding": { - "elementId": "hqbgFqv5SQai0IxYPfWHR", - "focus": -0.018712078448140674, - "gap": 7.086033284179905, - "fixedPoint": null - }, - "lastCommittedPoint": null, - "startArrowhead": null, - "endArrowhead": "arrow", - "points": [ - [ - 0, - 0 - ], - [ - -2, - 24 - ] - ], - "elbowed": false - }, - { - "id": "IGa5lHIFV6mHR82pIwu8x", - "type": "text", - "x": 136, - "y": 155.5, - "width": 290.36798095703125, - "height": 20, - "angle": 0, - "strokeColor": "#ff8787", - "backgroundColor": "#ffffff", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "b0J", - "roundness": null, - "seed": 1523851663, - "version": 150, - "versionNonce": 1332183120, - "isDeleted": false, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "text": "desktop:displaymanager: gdm(default)", - "fontSize": 16, - "fontFamily": 5, - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "desktop:displaymanager: gdm(default)", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "type": "text", - "version": 314, - "versionNonce": 1561029808, - "index": "b0K", - "isDeleted": false, - "id": "iURU4cM1iSu4UBJwDjTGZ", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 707.8799896240234, - "y": 67, - "strokeColor": "#ff8787", - "backgroundColor": "#ffffff", - "width": 290.83197021484375, - "height": 60, - "seed": 661369473, - "groupIds": [], - "frameId": null, - "roundness": null, - "boundElements": [ - { - "id": "i-TcXxnm4U_5weLUwaZKC", - "type": "arrow" - } - ], - "updated": 1730908458556, - "link": null, - "locked": false, - "fontSize": 16, - "fontFamily": 5, - "text": "desktop:enable_gnome: true (default)\ndesktop:enable_xfce: false (default)\n...", - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "desktop:enable_gnome: true (default)\ndesktop:enable_xfce: false (default)\n...", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "type": "text", - "version": 297, - "versionNonce": 1563620944, - "index": "b0L", - "isDeleted": false, - "id": "7ketfPTzB-_M2hx40HDyA", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 1031.9300003051758, - "y": 190, - "strokeColor": "#3bc9db", - "backgroundColor": "#ffffff", - "width": 201.9400177001953, - "height": 25, - "seed": 1935163151, - "groupIds": [], - "frameId": null, - "roundness": null, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "fontSize": 20, - "fontFamily": 5, - "text": "profile.desktop_apps", - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "profile.desktop_apps", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "type": "rectangle", - "version": 148, - "versionNonce": 2086295216, - "index": "b0M", - "isDeleted": false, - "id": "zbyi0CaoHAZR9QzSModbY", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 1064, - "y": 264.5, - "strokeColor": "#1e1e1e", - "backgroundColor": "transparent", - "width": 92, - "height": 73, - "seed": 759386177, - "groupIds": [], - "frameId": null, - "roundness": { - "type": 3 - }, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false - }, - { - "type": "text", - "version": 100, - "versionNonce": 1310698576, - "index": "b0N", - "isDeleted": false, - "id": "Biyln1Tmh6MBlaTjpSxuA", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 1043.9200019836426, - "y": 357.5, - "strokeColor": "#1e1e1e", - "backgroundColor": "#ffffff", - "width": 199.4600067138672, - "height": 25, - "seed": 719340449, - "groupIds": [], - "frameId": null, - "roundness": null, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "fontSize": 20, - "fontFamily": 5, - "text": "desktop applications", - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "desktop applications", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "type": "text", - "version": 315, - "versionNonce": 1715208368, - "index": "b0O", - "isDeleted": false, - "id": "7sdMvWFepJylS-vYM82ev", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 614.8799896240234, - "y": 124, - "strokeColor": "#ff8787", - "backgroundColor": "#ffffff", - "width": 481.4720458984375, - "height": 20, - "seed": 1494910625, - "groupIds": [], - "frameId": null, - "roundness": null, - "boundElements": [], - "updated": 1730908458556, - "link": null, - "locked": false, - "fontSize": 16, - "fontFamily": 5, - "text": "desktop:sessionmanager: gnome-x11 / gnome-wayland (default)", - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "desktop:sessionmanager: gnome-x11 / gnome-wayland (default)", - "autoResize": true, - "lineHeight": 1.25 - }, - { - "type": "text", - "version": 426, - "versionNonce": 738566736, - "index": "b0P", - "isDeleted": false, - "id": "jCuzfFFGZpqKwRYA2sslz", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "angle": 0, - "x": 985.2639770507812, - "y": 157, - "strokeColor": "#ff8787", - "backgroundColor": "#ffffff", - "width": 353.072021484375, - "height": 20, - "seed": 541836289, - "groupIds": [], - "frameId": null, - "roundness": null, - "boundElements": [ - { - "id": "i-TcXxnm4U_5weLUwaZKC", - "type": "arrow" - } - ], - "updated": 1730908458556, - "link": null, - "locked": false, - "fontSize": 16, - "fontFamily": 5, - "text": "desktop:enable_desktop_apps: true (default)", - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "desktop:enable_desktop_apps: true (default)", - "autoResize": true, - "lineHeight": 1.25 - } - ], - "appState": { - "gridSize": 20, - "gridStep": 5, - "gridModeEnabled": false, - "viewBackgroundColor": "#ffffff" - }, - "files": {} -} \ No newline at end of file diff --git a/admin-guide/configuration/desktop/_static/desktop_profile.svg b/admin-guide/configuration/desktop/_static/desktop_profile.svg deleted file mode 100644 index fcce0ae1..00000000 --- a/admin-guide/configuration/desktop/_static/desktop_profile.svg +++ /dev/null @@ -1,10 +0,0 @@ - - - - - - - - desktopsession-managerdisplay-managergdmlightdmgnome-xorggnome-waylandgnome-classicxfce...profile.desktopprofile.gdmprofile.ligthdmprofile.gnomeprofile.xfceprofile.displaymanagerdesktop:displaymanager: gdm(default)desktop:enable_gnome: true (default)desktop:enable_xfce: false (default)...profile.desktop_appsdesktop applicationsdesktop:sessionmanager: gnome-x11 / gnome-wayland (default)desktop:enable_desktop_apps: true (default) \ No newline at end of file diff --git a/admin-guide/configuration/desktop/_static/gnome_tweaks_menu.png b/admin-guide/configuration/desktop/_static/gnome_tweaks_menu.png deleted file mode 100644 index cbe4fd3c..00000000 Binary files a/admin-guide/configuration/desktop/_static/gnome_tweaks_menu.png and /dev/null differ diff --git a/admin-guide/configuration/desktop/_static/gnome_tweaks_start.png b/admin-guide/configuration/desktop/_static/gnome_tweaks_start.png deleted file mode 100644 index b79475c1..00000000 Binary files a/admin-guide/configuration/desktop/_static/gnome_tweaks_start.png and /dev/null differ diff --git a/admin-guide/configuration/desktop/alternative_desktops.md b/admin-guide/configuration/desktop/alternative_desktops.md deleted file mode 100644 index c9a800f3..00000000 --- a/admin-guide/configuration/desktop/alternative_desktops.md +++ /dev/null @@ -1,40 +0,0 @@ -# Alternative Desktops/Window Managers - -Per default Gnome is installed, but sometimes there is the wish for other Desktops or Window Managers. -When changing the default desktop, please check the last chapter "Reset User Default Desktop". - -## XFCE -XFCE is installed when `desktop::enable_xfce: true` is set in Hiera. -It then is also used by default with `base::xfce_default: true` or `desktop::session_manager: xfce`. - -## IceWM -IceWM is installed when `desktop::enable_icewm: true` is set in Hiera. -It then is also used by default with `desktop::session_manager: icewm-session`. - -## Other (e.g. KDE) -The respective Desktop needs to be installed, either manually or through Puppet. - -The respective Session Manager can be set as system default in Hiera with `desktop::session_manager`. - -The name of the Session Manager you find in `/usr/share/xsessions/*.desktop` for `Xorg` and `/usr/share/wayland-sessions/*.desktop` for `Wayland` (not supported at PSI). For the `desktop::session_manager` Hiera setting use the respective file name excluding the `.desktop` suffix. - -Example KDE: -``` -base::pkg_group::kde: - - '@KDE Plasma Workspaces' - -base::package_groups: - - 'kde' - -desktop::session_manager: 'startplasma-x11' -``` - -## Reset User Default Desktop - -Note when changing the default desktop aka Session Manager, previous users will still get the one they used before. To reset that, you need to -- stop AccountsService (`systemctl stop accounts-daemon.service`) -- delete `/var/lib/AccountsService/users/*` (for `gdm`) -- delete `/var/cache/lightdm/dmrc/*.dmrc` (for `lightdm`) -- delete `/var/lib/lightdm/.cache/lightdm-gtk-greeter/state` (for `lightdm` with `lightdm-gtk-greeter`) -- start AccountsService (`systemctl start accounts-daemon.service`) - diff --git a/admin-guide/configuration/desktop/autologin.md b/admin-guide/configuration/desktop/autologin.md deleted file mode 100644 index 983d3af8..00000000 --- a/admin-guide/configuration/desktop/autologin.md +++ /dev/null @@ -1,15 +0,0 @@ -# Autologin - -To configure a user to be automatically logged into the Desktop at system startup, use the following Hiera keys: - -- `desktop::autologin_enable`: enable/disable autologin -- `desktop::autologin_user`: user account who should be looged in - -Example: - -``` -desktop::autologin_enable: true -desktop::autologin_user: 'proton' -``` - -This is only implemented for `gdm` (default) and not yet for `lightdm` (rarely used at PSI) diff --git a/admin-guide/configuration/desktop/banner_message.md b/admin-guide/configuration/desktop/banner_message.md deleted file mode 100644 index 403b3ba9..00000000 --- a/admin-guide/configuration/desktop/banner_message.md +++ /dev/null @@ -1,18 +0,0 @@ -# Banner Message - -To show a specific message on the Desktop login screen, use the Hiera key `gdm::banner_message`: - -``` -gdm::banner_message: 'Good morning, this is a test banner message!' -``` - -Which then looks on RHEL8 like - -![Banner Message on Login Screen](_static/banner_message.png) - -The default is -``` -Please contact the service desk (phone: 4800) in case you have problems logging in. -``` - -As the key suggests this is only implemented for `gdm` (default). diff --git a/admin-guide/configuration/desktop/desktop.md b/admin-guide/configuration/desktop/desktop.md deleted file mode 100644 index d58ee579..00000000 --- a/admin-guide/configuration/desktop/desktop.md +++ /dev/null @@ -1,54 +0,0 @@ -# Enabling Desktop Environment - -A desktop/graphical interface can be enabled on any kind of systems (regardless of puppet role). - -## Full Desktop Configuration - -A full desktop configuration with Gnome, office software and printing is enabled for the Puppet roles `role::workstation` and `role::console` or, independent of the role, in Hiera with - -``` -base::is_workstation: true -``` - -## Customized Desktop Configuration - -But desktop features can also be individually be switched on or off. -For printing check out the [respective guide](printing). - -The availability of the desktop is controlled with - -```yaml -base::enable_desktop: true -``` -By default this will install and enable Gnome as desktop and gdm as Display Manager. Without below options do not have any effect! - -The desktop configuration can be further refined and/or adapted by following keys: - -```yaml -desktop::display_manager: gdm # available options: gdm (default), lightdm - -# this will set the default session manager aka desktop -desktop::session_manager: gnome-xorg # availale options: gnome-xorg (default on RHEL8), gnome-wayland (default on RHEL9), gnome-classic, xfce, ... -``` - -Individual desktops can be enabled/disabled via: -```yaml -desktop::enable_gnome: true # true (default) -desktop::enable_xfce: true # false (default) -desktop::enable_icewm: true # false (default) -``` - -The installation of office applications can be enforced with - -```yaml -desktop::enable_office_apps: true -``` - -Further refinements can be done as documented in the other guides in this section. - - -Finally here a rough overview of the destopprofile structure: - -![Structure desktop profile](_static/desktop_profile.svg) -[Structure desktop_profile](_static/desktop_profile.excalidraw) - diff --git a/admin-guide/configuration/desktop/gnome.md b/admin-guide/configuration/desktop/gnome.md deleted file mode 100644 index 96fad826..00000000 --- a/admin-guide/configuration/desktop/gnome.md +++ /dev/null @@ -1,8 +0,0 @@ -# Gnome - -## Gnome Tweaks -The Gnome desktop can be customized in various ways. -You can use [Gnome Tweaks](https://wiki.gnome.org/action/show/Apps/Tweaks) to modify the status bar, virtual desktops, etc. - -![](_static/gnome_tweaks_start.png) -![](_static/gnome_tweaks_menu.png) diff --git a/admin-guide/configuration/desktop/keyboard_layout.md b/admin-guide/configuration/desktop/keyboard_layout.md deleted file mode 100644 index 8e1541c7..00000000 --- a/admin-guide/configuration/desktop/keyboard_layout.md +++ /dev/null @@ -1,15 +0,0 @@ -# Keyboard Layout - -The default keyboard layout as well as the list of available layouts to select from can be configured with the `desktop::keyboard_layouts` key in Hiera. The value is an list of keyboard layout identifier short. - -Default is: -``` -desktop::keyboard_layouts: - - 'us' - - 'de' - - 'ch' -``` - -The available options you find at `/usr/share/X11/xkb/rules/base.lst` in the section `! layout`. - - diff --git a/admin-guide/configuration/desktop/printing.md b/admin-guide/configuration/desktop/printing.md deleted file mode 100644 index 18e3daab..00000000 --- a/admin-guide/configuration/desktop/printing.md +++ /dev/null @@ -1,44 +0,0 @@ -# Printing -Printing at PSI usually goes via the Findme printing system. More details about this and what printers are available can be found here: https://intranet.psi.ch/de/computing/pull-printing . - -Each user can see his individual printing queue on: https://printmgmt.psi.ch/user - -## Configuration - -Enable printing on a system (printing is usually enabled by default on desktop systems): -```yaml -base::enable_printing: true -``` - -Special printing configuration: -```yaml - -# Configure your own printers -printing::printers: - 'C5500': - - 'Findme' - 'C400': - - 'ODGA_006' - -# set default printer - default if not specified: Findme -printing::default_printer: 'ODGA_006' -``` - -## Usage / Troubleshooting - -```bash -# print a file (using the default queue) -[root@lx-test-02 ~]# lp test.txt - -# list all print jobs -[root@lx-test-02 ~]# lpq -a -Rank Owner Job File(s) Total Size -1st root 3 test.txt 1024 bytes - -# delete a print job from the queue -[root@lx-test-02 ~]# lprm 3 - -# list all print jobs -[root@lx-test-02 ~]# lpq -a -no entries -``` diff --git a/admin-guide/configuration/desktop/program_starter.md b/admin-guide/configuration/desktop/program_starter.md deleted file mode 100644 index f70d8839..00000000 --- a/admin-guide/configuration/desktop/program_starter.md +++ /dev/null @@ -1,37 +0,0 @@ -# Gnome Program Starter: Dash, Dock or Panel - -The default program starter on Gnome is called dash and it is a bit strange for users of other operating systems. But there are extensions which provide a move conventional dock like MacOS or a panel like Windows. - -The dock can be enabled in Hiera with - -``` -gnome::program_starter: dock -``` -other valid values are `panel` and `dash`. - -The dock is default in RHEL9 as the panel currently has a [bug on RHEL9](https://github.com/home-sweet-gnome/dash-to-panel/issues/1891) which limits its usability. - -Note that this will only set the default configuration which can be changed by the user. - -To reset the user specific configuration run -``` -# only reset gnome dconf settings -dconf reset -f /org/gnome - -# reset all dconf settings -dconf reset -f / - -# if the commands above does not work -rm ~/.config/dconf/user -``` - -## Known Problems - -### Application Grid -Applications marked as favorites are not shown in the application grid. This is [expected behavior](https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/4115). - -### Dock -Favorite apps might not be shown when certain hardware is connected, see [upstream bug](https://github.com/micheleg/dash-to-dock/issues/941). - -### Panel -Empty application grid on RHEL9, see [upsteam bug](https://github.com/home-sweet-gnome/dash-to-panel/issues/1891). diff --git a/admin-guide/configuration/desktop/screen_lock.md b/admin-guide/configuration/desktop/screen_lock.md deleted file mode 100644 index 25cded3c..00000000 --- a/admin-guide/configuration/desktop/screen_lock.md +++ /dev/null @@ -1,17 +0,0 @@ -# Screen Lock - -To configure a user to be automatically logged into the Desktop at system startup, use the following Hiera keys: - -- `gnome::lock_enabled`: enable/disable screen lock (default `true`) -- `gnome::idle_delay`: idle time in seconds until the screen switched off (default 5 minutes) -- `gnome::lock_delay`: time in seconds between screen switched off and actually being locked (default `0`) - -Example: - -``` -gnome::lock_enabled: true -gnome::idle_delay: 900 -gnome::lock_delay: 15 -``` - -This is only implemented for Gnome desktop (default) and not yet for XFCE or any other desktop/window manager. diff --git a/admin-guide/configuration/desktop/xrdp.md b/admin-guide/configuration/desktop/xrdp.md deleted file mode 100644 index 7fef3210..00000000 --- a/admin-guide/configuration/desktop/xrdp.md +++ /dev/null @@ -1,43 +0,0 @@ -# RDP Remote Access with XRDP - -The basic configuration in Hiera is: - -``` -xrdp::enable: true -``` - -This allows by default to create new virtual desktop sessions or to connect to a local desktop session which is shared over VNC using port 5900. - -Some more details could be ajusted when needed: - -To disallow access to a shared desktop do -``` -xrdp::shared_desktop::enable: false -``` - -whereas to disallow virtual desktop sessions there is - -``` -xrdp::virtual_desktop::enable: false -``` - -Often you may not want the user to keep their desktop sessions open forever, so you may configure their sessions to be closed after they have been disconnected for some time (seconds). The default value is `0` which disables this feature. - -``` -xrdp::disconnected_session_timeout: 3600 -``` - -Also you may choose the backend for the virtual sessions, either `libxup.so` (default) or `libvnc.so`: - -``` -xrdp::virtual_desktop::backend: 'libvnc.so' -``` - -If you want to allow the same user to be able to open in parallel a local and a remote session then you can enable the systemd nest feature: - -``` -xrdp::nest_systemd::enable: true -``` - -## Notes -Users that are only allowed to login locally to the system (i.e. with an entry like this `+:ebner-adm:LOCAL` in `/etc/security/access_users.conf`) cannot use RDP virtual sessions. diff --git a/admin-guide/configuration/files.md b/admin-guide/configuration/files.md deleted file mode 100644 index c7ff6406..00000000 --- a/admin-guide/configuration/files.md +++ /dev/null @@ -1,4 +0,0 @@ -# Files, Volumes and Network Shares - -```{tableofcontents} - diff --git a/admin-guide/configuration/files/_static/resize_vm_disk_01.png b/admin-guide/configuration/files/_static/resize_vm_disk_01.png deleted file mode 100644 index 78eecb51..00000000 Binary files a/admin-guide/configuration/files/_static/resize_vm_disk_01.png and /dev/null differ diff --git a/admin-guide/configuration/files/_static/resize_vm_disk_02.png b/admin-guide/configuration/files/_static/resize_vm_disk_02.png deleted file mode 100644 index 611a0963..00000000 Binary files a/admin-guide/configuration/files/_static/resize_vm_disk_02.png and /dev/null differ diff --git a/admin-guide/configuration/files/afs.md b/admin-guide/configuration/files/afs.md deleted file mode 100644 index eaf0543a..00000000 --- a/admin-guide/configuration/files/afs.md +++ /dev/null @@ -1,41 +0,0 @@ -# AFS - -**Deprecation Note** -We plan to migrate away from AFS. We do not support AFS for RHEL9. Please contact the Linux Core Group for migration options. - - -AFS is depending on the Puppet role already configured by default. Additionally it can be enabled or disabled in Hiera with `base::enable_afs`: -``` -base::enable_afs: true -``` -respectively to disable: -``` -base::enable_afs: false -``` - -Following details can be modified, but are usually not required: -- `afs_client::mountpoint` -- `afs_client::root_volume` -- `afs_client::enable_dynroot` -- `afs_client::min_cache_size` (e.g. `8G`) -- `afs_client::files` -- `afs_client::dcache` - -When disabling AFS the daemon is not automatically switched off. There is additional manual effort required on the host: - -``` -systemctl disable yfs-client.service -reboot -``` - -If you want to do it without reboot, first stop all processes using AFS. You might figure them out e.g. with `lsof | grep /afs`. - -Then do -``` -umount /afs -systemctl stop yfs-client.service -systemctl disable yfs-client.service -afsd -shutdown -``` - - diff --git a/admin-guide/configuration/files/autofs.md b/admin-guide/configuration/files/autofs.md deleted file mode 100644 index 7c83df07..00000000 --- a/admin-guide/configuration/files/autofs.md +++ /dev/null @@ -1,36 +0,0 @@ -# autofs - -How to configure the `autofs` daemon. - -## Daemon Configuration - -In Hiera `base::enable_autofs` controls the `autofs` daemon. Start it with: -``` -base::enable_autofs: true -``` -or to keep it shut down -``` -base::enable_autofs: false -``` -or to keep Puppet off -``` -base::enable_autofs: null -``` - -Note that `base::enable_central_storage_mount: true` always enables `autofs` and `base::enable_autofs` will be ignored. - - -## Automatic NFS on /net - -The automatic mount of exported shares of an NFS server below `/net/$SERVER` is controlled in Hiera with the `autofs::slash_net` flag. -On RHEL7 or RHEL8 this feature is by default enabled, on RHEL9 and later disabled. - -To have it always enabled do -``` -autofs::slash_net: true -``` - -## Configure own autofs Maps - -For own maps place the `auto.master` part of the configuration in `/etc/auto.master.d/` in an unique file with the `.autofs` suffix. From there you link your map files, which can be placed everywhere, often directly in `/etc`. To manage this via Puppet/Hiera you might check out the [Distribute Files Guide](../files/distribute_files). - diff --git a/admin-guide/configuration/files/central_storage_mount.md b/admin-guide/configuration/files/central_storage_mount.md deleted file mode 100644 index 9dc1e1fb..00000000 --- a/admin-guide/configuration/files/central_storage_mount.md +++ /dev/null @@ -1,39 +0,0 @@ -# Central Storage Mount (/psi.ch) - -Mounts `/psi.ch` which gives Kerberos protected access to all network shares (NFS or CIFS/SMB/Windows) which have been configured/opened for this feature. - -## Configuration - -In Hiera enable it with -``` -base::enable_central_storage_mount: true -``` -or disable it with -``` -base::enable_central_storage_mount: false -``` - -On workstation type systems this is enabled by default starting with RHEL9 - -## Adding a Share - -For a new or exsting share find a suitable path below `/psi.ch/group` or `/psi.ch/project` and inform the [NAS Team](mailto:cits2-nas@psi.ch) or the [Linux Core Group](mailto:linux-eng@psi.ch). - -## Kerberos and Permanent Running Software -Checkout [Permanent Kerberos with gssproxy and Password Keytab](../basic/gssproxy_with_keytab) if you want to access this, e.g. with background processes without having to type passwords (`kinit`) regularly. - - -## Debugging - -Is autofs running and fine? - - -``` -sudo systemctl status autofs -sudo journalctl -u autofs -``` - -Is the firewall blocking access to the file server? - -For NFS shares, are there network access restrictions on server side for the share? - diff --git a/admin-guide/configuration/files/distribute_files.md b/admin-guide/configuration/files/distribute_files.md deleted file mode 100644 index 7c6e5170..00000000 --- a/admin-guide/configuration/files/distribute_files.md +++ /dev/null @@ -1,131 +0,0 @@ -# Distribute Files - -With Hiera it is possible to download files and git repositories as well as to create directories and symlinks. - - -## Create Directories - -The `files::directories` hash specifies directories to be created. The keys of the hash are the absolute pathnames of the directories, the optional value a hash with: - -- `owner`: file owner (optional, default `root`) -- `group`: file owner (optional, default `root`) -- `mode`: file permissions (optional, default `755`) - -Parent directories are automatically created with default settings. If that is not desired, a custom definition for each parent directory is required. - -Example: - -``` -files::directories: - /etc/test1: - /etc/test2/foo/bar: - owner: 'buchel_k' - group: 'unx-nogroup' - mode: '775' -``` - -## Create Symlinks - -The `files::symlinks` hash is used to configure symlinks. The keys of the hash are the absolute -pathnames of the symlinks, the values of the hash are the corresponding symlink -targets. - -Example: -``` -files::symlinks: - '/opt/foo': '/var/lib/foo' -``` - -Per default the symlink definitions are not merged over the full Hiera hierarchy, only the most specific definiton is used. To allow merge, set - -``` -files::symlinks::merge: true -``` - -Then also existing files and symlinks are not overwritten. Also this can be changed with - -``` -files::symlinks::force: true -``` -but this is then applies for all symlink definitions. - -## Create (Text) Files with Specific Content - -Textfiles with specific content can be created as follows: - -```yaml -files::files: - /testdir/test/three: - content: | - hello world t - this is a test -``` - -## Delete Files / Directories -Individual files and directories can be deleted as follows: - -```yaml -files::files: - /testdir/test/two: - ensure: absent - force: true -``` - -The option `force: true` is only needed for directories. For a directory, if absent, the directory will not be deleted (even if it is empty)! - - -## Download Git Repositories - -To synchronize a git repository to the host you might list them in the `files::git` hash. The key is the destination directory and the value is a hash with following options: - -- `url`: URL of the public git repository to clone -- `revision`: what branch, tag or commit-hash should be checked out (optional) - -Example: - -``` -files::git: - /var/test/container-images: - ensure: latest - url: 'https://git.psi.ch/linux-infra/container_images.git' - revision: 'main' -``` - -If the `ensure` is missing, it will initialize the checkout with the default branch, but afterwards leave the checkout as is and not try to ensure that it is on a given revision (branch, tag or commit). - -Possible values for `ensure` are: present, bare, mirror, absent, latest . - -More details on the possible values of ensure you can find in [this documentation](https://forge.puppet.com/modules/puppetlabs/vcsrepo/reference#ensure) - -Note that submodules are automatically initialized. - -## Download Files - -Files to download need to be placed on a git repository on `git.psi.ch` (internal) or `gitlab.psi.ch` (DMZ, Extranet, Tier3), where they need to be publicly available. - -For configuration in Hiera there is the `filecopy::files` hash where the keys is the destination path of the file. And the value is another hash with following options: - -- `repo`: the Git repository to download from -- `branch`: the Git branch in the repository (optional, default `master`) -- `path`: the file path inside the repository -- `owner`: file owner (optional, default `root`) -- `mode`: file permissions (optional, default `0644`) - - -Example: - -``` -filecopy::files: - '/tmp/test1': - repo: 'talamo_i/copy-file-test' - path: 'abc' - mode: '0600' - owner: 'talamo_i' -``` - -Note that the `filecopy::files` hash is **not merged** over the hierarchy, so only the most specific one will apply. - -This download functionality can be disabled with -``` -base::enable_filecopy: false -``` diff --git a/admin-guide/configuration/files/mount.md b/admin-guide/configuration/files/mount.md deleted file mode 100644 index bfc62a27..00000000 --- a/admin-guide/configuration/files/mount.md +++ /dev/null @@ -1,172 +0,0 @@ -# Mounting Volumes - -Managing mount points of local or network volumes can also be done in Hiera. - -For more automatic network data setups please look at -- [Windows Drives in Home Directory](windows_drives_in_home) -- [Central Storage Mount](central_storage_mount) -- [autofs](autofs) -- [AFS](afs) - - -## Managing Mountpoints in Hiera - -The configuration in Hiera is done with two parts: -1. the definition of a mountpoint (`mounter::def::$NAME`) -2. the list of mount points actually configured on a system (`mounter::mounts`) - -Due to this the mountpoints can be prepared once on a high scope (e.g. for all systems in an environment), but then the individual systems pick out whatever is required for them. - -Example: -``` -mounter::def::scratch: - ensure: 'mounted' - mountpoint: '/scratch' - device: '/dev/vg_data/lv_scratch' - type: 'xfs' - -mounter::mounts: - - 'scratch' -``` - -The directory of the mountpoint is automatically created when missing. - -For auto-mounts, add another option to the mountpoint definition: -``` - auto: true -``` - -## NFS - -Remote NFS mountpoints can be defined as in following example: - -``` -mounter::def::data1: - 'ensure': 'mounted' - 'device': 'x01dc-fs-1:/export/X01DC/Data1' - 'mountpoint': '/sls/X01DC/Data1' - 'type': 'nfs' - 'options': 'nfsvers=4.2,sec=krb5' - -mounter::def::controls: - 'ensure': 'mounted' - 'device': 'sls-hafs:/export/sls/controls' - 'mountpoint': '/gfa/.mounts/sls_controls' - 'type': 'nfs' - -mounter::mounts: - - 'data1' - - 'controls' -``` - -Ideally use NFSv4 (option `nfsvers=4.2`) and Kerberos authentication (option `sec=krb5`) is used. And of course also the NetApp side needs to be prepared accordingly. - -Following options are possible for `sec`: -- `sys` client enforces access control (default on NFS3) -- `krb5` server enforces access control, client user authenticates with Kerberos -- `krb5i` server enforces access control, client user authenticates with Kerberos and traffic is integrity checked -- `krb5p` server enforces access control, client user authenticates with Kerberos and traffic is fully encrypted - -NFS and Kerberos also needs ID mapping, which is automatically configured to the default domain `psi.ch`. Should a different domain be required, you may set it with Hiera: -``` -nfs_idmap::domain: 'ethz.ch' -``` - -Checkout [Permanent Kerberos with gssproxy and Password Keytab](../basic/gssproxy_with_keytab) if you want to access a Kerberos protected share, e.g. with background processes without having to type passwords (`kinit`) regularly. - -## CIFS - -### CIFS with Multiuser Option and Kerberos - -Mounting a CIFS share with the `multiuser` option and Kerberos has the advantage that no password is needed and each user gets personal access rights checked on the server side. But she/he needs to have, similar to AFS, an appropriate Kerberos ticket. Additionally the option `cifsacl` is required for showing the proper file owner. - -``` -mounter::def::scratch: - ensure: 'mounted' - device: '//scratch01.psi.ch/scratch' - mountpoint: '/media/scratch' - type: 'cifs' - options: 'multiuser,sec=krb5,cifsacl' - -mounter::mounts: - - 'scratch' -``` - -For shares on NetApp (`fs00.psi.ch` until `fs03.psi.ch`) you can mount the `data` folder which contains all shares on this server: - -``` -mounter::def::fs00: - ensure: 'mounted' - device: '//fs00.psi.ch/data' - mountpoint: '/cifs/fs00' - type: 'cifs' - options: 'multiuser,sec=krb5,cifsacl' - -mounter::mounts: - - 'fs00' -``` - -This only works if `everybody` has read access to the share itself, but that is not needed for subfolders. -Else you need a password as below or a keytab (here feel free to ask the Linux Group for support). - -Checkout [Permanent Kerberos with gssproxy and Password Keytab](../basic/gssproxy_with_keytab) if you want to access a Kerberos protected share, e.g. with background processes without having to type passwords (`kinit`) regularly. - -### CIFS with User and Password - -Remote CIFS mountpoints can be defined as follows: - -``` -mounter::def::emf: - ensure: 'mounted' - device: '//172.23.75.16/Users' - mountpoint: '/emf/jeol2200fs/k2' - type: 'cifs' - options: 'credentials=/etc/cifs-utils/cifs_mpc2375,uid=35667,gid=35270,forcegid,file_mode=0660,dir_mode=0770' - cifs: - cifs_mpc2375: - username: 'allowedWindowsUser' - password: 'ENC[PKCS7,MIIBeQYJKoZIhvc...]' - -mounter::mounts: - - 'emf' -``` - -In the above example, we need to create a `credentials` file with the content below the `cifs` -> `$NAME` parameter. This file will -be called like the key below `cifs` and will be located in `/etc/cifs-utils` and will contain information about the -username and password allowed to mount it. To be used the file needs to be referenced as `credentials=` in the mount options. - -## Systemd Automount - -Adding the options `noauto,x-systemd.automount` will make the mount not happen on startup, but will be automounted on the first use of the mountpoint. - -## Bind Mounts -Bind mounts can be defined as follows: - -``` -mounter::def::e10550: - 'ensure': 'mounted' - 'device': '/gpfs/perf/MX/Data10-pro/e10550' - 'mountpoint': '/sls/MX/Data10/e10550' - 'type': 'none' - 'options': 'bind,_netdev,x-systemd.requires-mounts-for=/gpfs/perf/MX/Data10-pro' -``` -Note that beside the mandatory `bind` option there is -- `_netdev` to be set when the directory to bind (`device`) is on a network volume -- `x-systemd.requires-mounts-for=$OTHER_MOUNTPOINT` ensures that systemd prepares the bind mount after the volume on which the directory to bind (`device`) is located - -## Removing a Mount - -Only removing a mount point definition from Hiera does not unmount and remove it from the node. This can then be done manually by unmounting it and removing it from `/etc/fstab`. - -Alternatively an `absent` mount defintion as in below example will automatically unmount and remove the mount `/etc/fstab` entry: - -``` -mounter::def::scratch: - ensure: 'absent' - mountpoint: '/media/scratch' - -mounter::mounts: - - 'scratch' -``` - -This configuration can then be removed again after it has been rolled out once to all concernded nodes. diff --git a/admin-guide/configuration/files/nfs_server.md b/admin-guide/configuration/files/nfs_server.md deleted file mode 100644 index bb4b7e5b..00000000 --- a/admin-guide/configuration/files/nfs_server.md +++ /dev/null @@ -1,50 +0,0 @@ -# NFS Server - -Your node can serve as NFS server. This guide is for RHEL8 and later. -By default RHEL8 serves NFS3 und NFS4, whereas RHEL9 and later will serve only NFS4. Still NFS3 can be configured if required. - -To enable the NFS server, set `base::enable_nfs_server` accordingly in Hiera: -``` -base::enable_nfs_server: true -``` - -## Exports - -Then the exports go below `nfs_server::exports`: -``` - '/home/meg/dcbboot': - clients: - - hosts: '*' - options: 'rw,sync,no_root_squash,no_subtree_check' - '/export/swissfel_athos/raw/maloja-staff': - options: 'fsid=1012' - clients: - - hosts: 'sf-export-1[2-3]-100g' - options: 'rw,async,no_root_squash' -``` -For each directory you want to export place its path as key to `nfs_server::exports`. Below you can set the global options in `options` and a list of client specific access restrictions and options below `clients`. - -Possible client host definitions and options you find in [`exports(5)`](https://man7.org/linux/man-pages/man5/exports.5.html). - -## Non-Standard NFS Server Configuration - -If you wish non-standard configuration in `/etc/nfs.conf`, you may set it in Hiera with key `nfs_server::nfs_conf`: - -``` -nfs_server::nfs_conf: - nfsd: - udp: 'y' - vers3: 'n' - threads: 32 -``` -For more details see [`nfs.conf(5)`](https://man7.org/linux/man-pages/man5/nfs.conf.5.html) - -## Kerberos -Kerberos support for the NFS server is configured automatically by Puppet. - -## Exporting from GPFS -If you want to export data backed on GPFS, please set -``` -nfs_server::after_gpfs: true -``` -to start the NFS server only after GPFS is ready. diff --git a/admin-guide/configuration/files/partially_shared_home.md b/admin-guide/configuration/files/partially_shared_home.md deleted file mode 100644 index 2a47449d..00000000 --- a/admin-guide/configuration/files/partially_shared_home.md +++ /dev/null @@ -1,28 +0,0 @@ -# Partially Shared Home - Automatically Link Files in Home - Admin Guide - -Shared homes create a set of problems depending on how much a software can handle running multiple instances of the same software, maybe with different version, on different hosts, probably at the same time. -Still it is useful to have certain tool settings always with you. - -Thus we suggest to have per default a local home drive `base::local_homes: true`, but having only selectively shared software configuration. -That configuration needs then to be on a file share, best the home drive (U:). -To ensure the tools find their configuration at the expected place, symlinks need automatically to be created which point to the shared version. -On the homde drive (U:) therein is also the personal configuration file of this feature (`linux_home_links.yaml` or `.linux_home_links.yaml`). - - - -The mountpoints can be found in `~/network-drives`. -The `U:` drive is there named `home`, while the rest keeps their original share name. - -This feature is enabled by default on workstation type systems starting RHEL9. -It can be controlled in Hiera with: - -``` -user_session::automatic_links_in_home: true -``` - -To the [User Guide](../../../user-guide/partially_shared_home). -This features depends on the ["Windows Drives in Home Directory" feature](windows_drives_in_home). - -Note this does not work for RHEL7. - - diff --git a/admin-guide/configuration/files/partitioning.md b/admin-guide/configuration/files/partitioning.md deleted file mode 100644 index ea117815..00000000 --- a/admin-guide/configuration/files/partitioning.md +++ /dev/null @@ -1,98 +0,0 @@ -# Partitioning - -## Resize System Volumes - -The size of the system volumes (inside volume group `vgroot`), are automatically set on a rather small size at the initial installation. - -Note that due to the limitations of XFS a volume can only be increased, not be shrunk. - -### Get Available Space and Volume Sizes - -To check how much space is still available, use `pvs` and look for the volume group `vgroot`: -``` -[root@lxdev00 ~]# pvs - PV VG Fmt Attr PSize PFree - /dev/sda2 vg_root lvm2 a-- <62.94g <5.19g -[root@lxdev00 ~]# -``` - -Then `lvs` gives the sizes of the volumes inside: -``` -[root@lxdev00 ~]# lvs - LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert - lv_home vg_root -wi-ao---- <31.44g - lv_openafs vg_root -wi-ao---- 2.00g - lv_root vg_root -wi-ao---- 12.31g - lv_tmp vg_root -wi-ao---- 2.00g - lv_var vg_root -wi-ao---- 8.00g - lv_var_log vg_root -wi-ao---- 2.00g -[root@lxdev00 ~]# -``` - -### Extend System Volume - -This can be done in Hiera with the `vgroot::path` key where for each volume which should be increased a new minium size can be set: - -``` -vgroot::path: - lv_root: 15GB - lv_var_log: 3GB - -``` - -This is then applied on the next puppet run, you may trigger one as `root`: - -``` -puppet agent -t -``` - -## Custom Partitioning - -To add a new volume to the system disk, you need to address the [lvm Puppet module](https://forge.puppet.com/modules/puppetlabs/lvm) directly in Hiera:: - -```yaml -lvm::volume_groups: - vg_root: - physical_volumes: - - /dev/nvme0n1p3 - logical_volumes: - lv_data: - size: 3TB - fs_type: 'xfs' - mountpath: '/mnt/data' - size_is_minsize: true -``` - -Please note that you need also to list the partition on which `vg_root` is located. - -The same you can do to add partitions outside of the system disk, but here you need to define the full LVM volume group: - -```yaml -lvm::volume_groups: - vg_data: - physical_volumes: - - '/dev/sdb' - logical_volumes: - lv_usr_local: - mountpath: '/usr/local' - fs_type: 'xfs' -``` - -Sometimes the classical disk names `sda` and `sdb` are not stable or may change due to a connected USB stick. -You can address a disk also by UID or hardware path with one of the links below `/dev/disk`: -```yaml -lvm::volume_groups: - vg_data: - followsymlinks: true - physical_volumes: - - '/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0' - logical_volumes: - lv_data: - mountpath: '/mnt/vd0' - fs_type: 'ext4' -``` -but for the `lvm` Puppet module to accept this you need to set `followsymlinks: true`. - - - - diff --git a/admin-guide/configuration/files/resize_vm_disk.md b/admin-guide/configuration/files/resize_vm_disk.md deleted file mode 100644 index cb1e524e..00000000 --- a/admin-guide/configuration/files/resize_vm_disk.md +++ /dev/null @@ -1,78 +0,0 @@ -# Resize VM Disk - -To increase the harddisk of a VM, go to vcenter.psi.ch, select the machine, right click, and select __Edit Settings ...__ - -![](_static/resize_vm_disk_01.png) - -Increase the harddisk size to the value you need to have: - -![](_static/resize_vm_disk_02.png) - - -Now connect to the system and change to root. - -List block devices: -```bash -[root@awi-ci-01 ~]# lsblk -NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT -sda 8:0 0 42G 0 disk -├─sda1 8:1 0 600M 0 part /boot/efi -├─sda2 8:2 0 1G 0 part /boot -└─sda3 8:3 0 32.4G 0 part - ├─vg_root-lv_root 253:0 0 14G 0 lvm / - ├─vg_root-lv_var_tmp 253:1 0 2G 0 lvm /var/tmp - ├─vg_root-lv_var_log 253:2 0 3G 0 lvm /var/log - ├─vg_root-lv_var 253:3 0 8G 0 lvm /var - ├─vg_root-lv_tmp 253:4 0 2G 0 lvm /tmp - └─vg_root-lv_home 253:5 0 2G 0 lvm /home -``` - -The command will probably not show the correct disk size. For this the VM either needs to be rebooted or you can trigger a re-read of the disksize without a reboot with this command (replace `sda` with the correct diskname you resized): -``` -echo 1 > /sys/block/sda/device/rescan -``` - - -Extend partition: -```bash -[root@awi-ci-01 ~]# parted /dev/sda -GNU Parted 3.2 -Using /dev/sda -Welcome to GNU Parted! Type 'help' to view a list of commands. -(parted) print -Model: VMware Virtual disk (scsi) -Disk /dev/sda: 45.1GB -Sector size (logical/physical): 512B/512B -Partition Table: gpt -Disk Flags: - -Number Start End Size File system Name Flags - 1 1049kB 630MB 629MB fat32 EFI System Partition boot, esp - 2 630MB 1704MB 1074MB ext4 - 3 1704MB 36.5GB 34.8GB lvm - -(parted) resizepart 3 -End? [36.5GB]? -0 -(parted) print -Model: VMware Virtual disk (scsi) -Disk /dev/sda: 45.1GB -Sector size (logical/physical): 512B/512B -Partition Table: gpt -Disk Flags: - -Number Start End Size File system Name Flags - 1 1049kB 630MB 629MB fat32 EFI System Partition boot, esp - 2 630MB 1704MB 1074MB ext4 - 3 1704MB 45.1GB 43.4GB lvm - -(parted) quit -``` - -Resize physical volume: -```bash -[root@awi-ci-01 ~]# pvresize /dev/sda3 - Physical volume "/dev/sda3" changed - 1 physical volume(s) resized or updated / 0 physical volume(s) not resized -``` - -Now the effective volumes of the machine can be extended as documented [Partitioning](partitioning.md) \ No newline at end of file diff --git a/admin-guide/configuration/files/sftp_server.md b/admin-guide/configuration/files/sftp_server.md deleted file mode 100644 index 49e2ee97..00000000 --- a/admin-guide/configuration/files/sftp_server.md +++ /dev/null @@ -1,12 +0,0 @@ -# SFTP Server - -Per default SFTP is enabled in the `sshd` configuration. You may disable it with: - -``` -ssh_server::sftp::enable: false -``` -or change it with e.g.: -``` -ssh_server::sftp::server: '/usr/libexec/openssh/sftp-server -l INFO' -``` -which configures more logging. diff --git a/admin-guide/configuration/files/systemd_tmpfiles.md b/admin-guide/configuration/files/systemd_tmpfiles.md deleted file mode 100644 index 680a3fab..00000000 --- a/admin-guide/configuration/files/systemd_tmpfiles.md +++ /dev/null @@ -1,30 +0,0 @@ -# systemd-tmpfiles - -[`systemd-tmpfiles`](https://www.freedesktop.org/software/systemd/man/latest/systemd-tmpfiles.html) can be used to create, delete, and clean up files and directories. -The system-wide configuration is in [`/etc/tmpfiles.d/*.conf`](https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html). - - -## Hiera Configuration - -In Hiera below `profile::tmpfiles:` you can set several use cases (here `podman`) with individual configuration at `content` which contains the full configuration as documented in [`tmpfiles.d(5)`](https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html): - -``` -profile::tmpfiles: - podman: - content: | - # This file is distributed by Puppet: profile::tmpfiles - # See tmpfiles.d(5) for details - - # Remove podman temporary directories on each boot - # https://github.com/containers/podman/discussions/23193 - R! /tmp/containers-user-* - R! /tmp/podman-run-* -``` - -To undo above configuration requires - -``` -profile::tmpfiles: - podman: - ensure: absent -``` diff --git a/admin-guide/configuration/files/windows_drives_in_home.md b/admin-guide/configuration/files/windows_drives_in_home.md deleted file mode 100644 index 7c13677d..00000000 --- a/admin-guide/configuration/files/windows_drives_in_home.md +++ /dev/null @@ -1,20 +0,0 @@ -# Windows Drives in Home Directory - -The Windows shares which get automatically connected on a PSI Windows system can also be automatically mounted on login on RHEL system. - -The mountpoints can be found in `~/network-drives`. -The `U:` drive is there named `home`, while the rest keeps their original share name. - -This feature is enabled by default on workstation type systems. -It can be controlled in Hiera with: - -``` -user_session::mount_cifs_shares: true -``` - -These mounts are created with the first user session and will end with the last session closed. -If for some reason they are not created (e.g. due to offline login), you might execute `setup-network-drives` to bring them back in again. - -Note this does not work for RHEL7. - - diff --git a/admin-guide/configuration/monitoring.md b/admin-guide/configuration/monitoring.md deleted file mode 100644 index 7a835040..00000000 --- a/admin-guide/configuration/monitoring.md +++ /dev/null @@ -1,4 +0,0 @@ -# Monitoring Configuration Guides - -```{tableofcontents} - diff --git a/admin-guide/configuration/monitoring/_static/icinga2_service_custom_variables.png b/admin-guide/configuration/monitoring/_static/icinga2_service_custom_variables.png deleted file mode 100644 index 7de9e3c8..00000000 Binary files a/admin-guide/configuration/monitoring/_static/icinga2_service_custom_variables.png and /dev/null differ diff --git a/admin-guide/configuration/monitoring/central_logging_elastic.md b/admin-guide/configuration/monitoring/central_logging_elastic.md deleted file mode 100644 index 108b2d1d..00000000 --- a/admin-guide/configuration/monitoring/central_logging_elastic.md +++ /dev/null @@ -1,41 +0,0 @@ -# Configure Central Logging to Elastic - -To ship the logs of a system to the central logging service (Elastic) following pre steps are needed: - -1. Have a space in Elastic to ship the logs to -2. Have a space API key - -Both prerequisites you can check with / talk to Michel Rebmann (michel.rebmann@psi.ch) / Group 9522, which will provide a configuration similar to the following: - -``` -{ - "id" : "${space_id}", - "name" : "input_${space_name}", - "api_key" : "${space_api_key}", - "encoded" : "${space_encoded_key}" -} -``` - -Afterwards the log shipping can be configures as follows in hiera: - -``` -base::enable_elastic: true -elastic::space: "${space_name}" -elastic::space_api_key: "${space_id}:${space_api_key}" # The resulting string should be encrypted -``` - -```{note} -Replace the space name as well as the space_api_key according to your setup. -``` - -Notice that `space` contains the `name` without the `input_` prefix, while `space_api_key` contains a `:`-separated value: -* the first part corresponds to the `id` of the space, -* the second part corresponds to the `api_key`. -* The resulting string `"${space_id}:${space_api_key}"` **should be encrypted** with [eyaml](https://linux.psi.ch/admin-guide/puppet/hiera.html?highlight=eyaml#encrypting-data-with-the-public-key) - -By default __all__ journald logs are shipped to the central Elastic instance. If you want to __limit__ the logs to specific units, the units can be specified as follows: - -``` -elastic::systemd_units: - - 'sshd.service' -``` diff --git a/admin-guide/configuration/monitoring/icinga2.md b/admin-guide/configuration/monitoring/icinga2.md deleted file mode 100644 index 1910ab74..00000000 --- a/admin-guide/configuration/monitoring/icinga2.md +++ /dev/null @@ -1,297 +0,0 @@ -# Icinga2 Configuration - -Icinga2 is productive, but the checks are still getting added: - -- ✅ standard Linuxfabrik checks -- 🏗️ support for automatically installed Icinga1 checks by Puppet ([see issue](https://git.psi.ch/linux-infra/issues/-/issues/419)) -- ✅ support for custom checks - -The overview of your nodes in Icinga2 you get at [monitoring.psi.ch](https://monitoring.psi.ch) and there you can handle the alerts and create service windows, etc. - -But the configuration as such is not done therein, but in Hiera and automatically propagated. - - -## TL;DR - -I, admin of xyz.psi.ch want ... - -... **monitoring with e-Mails during office hours**: -``` -icinga2::enable: true -icinga2::agent::enable: true -icinga2::alerting::enable: true -``` - -... **monitoring with SMS all around the clock**: -``` -icinga2::enable: true -icinga2::agent::enable: true -icinga2::alerting::enable: true -icinga2::alerting::severity: 1 -``` - -... **just be able to check monitoring state on monitoring.psi.ch**: -``` -icinga2::enable: true -icinga2::agent::enable: true -icinga2::alerting::enable: false -icinga2::alerting::severity: 5 -``` - -... **no monitoring**: -``` -icinga2::enable: false -``` - -## Basic Configuration -Enable monitoring with Icinga2 by -``` -icinga2::enable: true -``` -(which is `false` by default for RHEL7 and RHEL8, but `true` for RHEL9 and later). - -This only does the ping test to check if the host is online on the network. For further checks on the host itself the agent needs to be started: - -``` -icinga2::agent::enable: true -``` -(also here it is `false` by default for RHEL7 and RHEL8, but `true` for RHEL9 and later). - -Still no alerts are generated, respectively they are suppressed by a global infinite service window. If you wish different, set -``` -icinga2::alerting::enable: true -``` - -Per default these alerts are now sent during office hours to the admins. For further notification fine tuning checkout the chapters Notifications and Check Customization. - -Finally, if Icinga2 shall be managed without Puppet (not recommended except for Icinga2 infrastructure servers), then set -``` -icinga2::puppet: false -``` - - -## Web Access - -Users and groups in `aaa::admins` and `icinga2::web::users` will have access to these nodes on [monitoring.psi.ch](https://monitoring.psi.ch). -Prefix the group name with a `%` to distinguish them from users. - - -## Notifications - -### Notification Recipients - -By default the notifications are sent to all admins, this means users and groups listed in Hiera at `aaa::admins` with the exception of the default admins from `common.yaml` and the group `unx-lx_support`. If the admins should not be notified, then disable the sending of messages with -``` -icinga2::alerting::notify_admins: false -``` - -Additionally to/instead of the admins you can list the notification recipients in the Hiera list `icinga2::alerting::contacts`. You can list -- AD users by login name -- AD groups with `%` as prefix to their name -- plain e-mail addresses - -### Notificiation Time Restrictions - -Notificiations for warnings and alerts are sent out by default during office hours, this means from Monday to Friday 08:00 - 17:00. - -This can be configured in Hiera with the `icinga2::alerting::severity` key which is `4` by default. Following options are possible: - -| node severity | media | time | -|---------------|------------------|--------------| -| `1` | SMS and e-mail | 24x7 | -| `2` | e-mail | 24x7 | -| `3` | e-mail | office hours | -| `4` | e-mail | office hours | -| `5` | no notifications | never | - -(Currently `3` and `4` behave the same.) - -Please note that services where the `criticality` variable is set then time when notifications are sent out is also restricted: - -| service criticality | time | -|---------------------|--------------| -| - | 24x7 | -| `A` | 24x7 | -| `B` | office hours | -| `C` | never | - -The minimal settings are applied, e.g. a service with criticality `C` will never cause a notificiation independent of the node severity. - -To receive notification messages over SMS, you need to register your mobile phone with Icinga2. You may request this informing icinga2-support@psi.ch about your wish. Alternatively you will get an e-mail with the request to do so when the first SMS was supposed to be sent out for you and the phone number is still missing. - -## Default Checks - -By default we already run a comprehensive set of checks. Some of them can be fine-tuned in Hiera. -Whenever you have a use case which is not covered yet, please talk to us. - - -## Check Customization - -Most checks can have custom parameters. The variables you can adapt you find as "Custom Variables" in the page of given service. In Hiera you can add below the key `icinga2::service_check::customize` as multi level hash the service name and below the variable name with the new values. - -### Example "CPU Usage" - -Lets look at the example of `CPU Usage` "service": - -!["CPU Usage" service page](_static/icinga2_service_custom_variables.png) - -If the machinge is a number cruncher and the CPU is fine to be fully utilitzied, then you might ignore it by setting it always fine: - -``` -icinga2::service_check::customize: - 'CPU Usage': - cpu_usage_always_ok: true -``` - -If in contrary you want to get an immediate notification when CPU is overused, then following snipped is more advisable: -``` -icinga2::service_check::customize: - 'CPU Usage': - criticality: A -``` - -If it is a Linuxfabrik plugin, you find a link at "Notes" which points to the documentation of the check. This might shed more light on the effect of these variables. - -### Example "Kernel Ring Buffer (dmesg)'" -Another check which can easily have false alerts, but also has a big potential to signal severe kernel or hardware issues, is the check of the kernel log (dmesg). - -If you conclude that a given message can savely be ingored, you may add it onto the ignore list, where a partial string match will make it ignored in the future: -``` -icinga2::service_check::customize: - 'Kernel Ring Buffer (dmesg)': - 'dmesg_ignore': - - 'blk_update_request: I/O error, dev fd0, sector 0' - - 'integrity: Problem loading X.509 certificate -126' -``` -If you think that this log message can be globally ignored, please inform the Linux Team so we can ignore it by default. - -Note that you can reset this check after dealing with it by executing on the node: -``` -dmesg --clear -``` - -## Extra Checks - -### TLS/SSL Certificate Expiration - -To monitor the expiration of one or more certificates you need to give the node in Hiera the additional server role `ssl-cert` (except for `role::jupyterserver`): - -``` -icinga2::additional_server_role: - - 'ssl-cert' -``` - -Then list what certificate files you want to have checked: - -``` -icinga2::service_check::customize: - 'TLS/SSL Certificate Expiration': - ssl_cert_files: - - '/etc/xrdp/cert.pem' - - '/etc/httpd/ssl/node.crt' -``` - -Beside the file list you may set the warning time in days with the attribute `ssl_cert_warning` (`7` by default) and the critical time with the attribute `ssl_cert_critical` (`3` by default). - -If you run your own PKI, you might also check a CA certificate for expiration with - -``` -icinga2::additional_server_role: - - 'ca-cert' - -icinga2::service_check::customize: - 'CA Certificate Expiration': - ssl_cert_files: - - '/etc/my_pki/ca.pem' -``` -Here the warning is below 180 days and below 30 days is critical by default. - - -### Check for Systemd Service Status - -To check if a daemon or service has been successfully started by `systemd` configure a custom service using the `st-agent-awi-lx-service-active` template: - -``` -icinga2::custom_service: - 'XRDP Active': - template: 'st-agent-awi-lx-service-active' - vars: - criticality: 'A' - service_names: - - 'xrdp' - - 'xrdp-sesman' -``` -The name (here `XRDP Active`) needs to be unique over all Icinga "services" of a single host. -The `service_names` variable needs to contain one or more name of `systemd` services to be monitored. - -You can create multiple of these checks. - -Alternatively a more detailed configuration of a systemd unit state check can be done with the `st-agent-lf-systemd-unit` template: - -``` -icinga2::custom_service: - 'Last Puppet Run': - template: 'st-agent-lf-systemd-unit' - vars: - systemd_unit_unit: 'pli-puppet-run' - systemd_unit_activestate: ['active', 'inactive'] - systemd_unit_unitfilestate: 'static' - criticality: 'A' -``` - - -### External Connection Checks (Active Checks) - -For this we have fully custom service checks. - -Below example is for a RDP port: - -``` -icinga2::custom_service: - 'RDP Access': - command: 'tcp' - agent: false - perf_data: true - vars: - criticality: 'A' - tcp_port: 3389 -``` - -Possible commands are [`http`](https://icinga.com/docs/icinga-2/latest/doc/10-icinga-template-library/#plugin-check-command-http), [`tcp`](https://icinga.com/docs/icinga-2/latest/doc/10-icinga-template-library/#plugin-check-command-tcp), [`udp`](https://icinga.com/docs/icinga-2/latest/doc/10-icinga-template-library/#plugin-check-command-udp), [`ssl`](https://icinga.com/docs/icinga-2/latest/doc/10-icinga-template-library/#plugin-check-command-ssl), [`ssh`](https://icinga.com/docs/icinga-2/latest/doc/10-icinga-template-library/#plugin-check-command-ssh) or [`ftp`](https://icinga.com/docs/icinga-2/latest/doc/10-icinga-template-library/#plugin-check-command-ftp). - -Note if you want to reference the hostname, you might use a macro, e.g.: -``` - http_vhost: '$host.name$' -``` -Note that macros only work for check command arguments. - -The actual service name is up to you, it only needs to be unique. - -### Other Custom Checks -It is possible to create a very custom check. But note the command or service template used needs to be available/configured by some other means on the Icinga Master. The check plugin executed on the Icinga Satellite or by the Icinga agent needs also to be already available or distributed by other means. So please reach out to the [Linux Team](mailto:linux-eng@psi.ch) to check how to do it best and to ensure that all is in place. - -``` -icinga2::custom_service: - 'My Service Check 1': - template: st-agent-lf-file-size - vars: - criticality: 'B' - file_size_filename: '/var/my/growing/file' - file_size_warning = '100M' - file_size_critical = '200M' - 'My Service Check 2': - command: 'tcp' - agent: false - vars: - criticality: 'A' - tcp_port: 3389 - perf_data: true -``` -Below `icinga2::custom_service` set the name of the service/service check as it will be seen in Icingaweb. Then the possible arguments are -- `command` to issue a check command -- `template` to inherit from given service template -- `agent` shall the `command` run on the agent or the satellite, only if `themplate` is not set, default is `true` -- `vars` hash with arguments for the service check -- `perf_data` if performance data should be recorded and performance graph should be shown, default is `false` - -You are free in the use of the actual service name, it only needs to be unique. diff --git a/admin-guide/configuration/monitoring/journald.md b/admin-guide/configuration/monitoring/journald.md deleted file mode 100644 index 70d2433a..00000000 --- a/admin-guide/configuration/monitoring/journald.md +++ /dev/null @@ -1,25 +0,0 @@ -# Journald Tuning - -For the systemd journal size restriction and rate limiting can be fine tuned. - -## Size Restricion - -In Hiera `log_client::journal_system_max_use` (default `50%`) limits the total size of the journal, whereas `log_client::journal_system_keep_free` (default `25%`) ensures how much disk space is keep free in `/var/log` for other use. In addition to the syntax described in [journald.conf(5)](https://www.freedesktop.org/software/systemd/man/latest/journald.conf.htm) (bytes or use K, M, G, T, P, E as units) we also support percentages, i.e. `25%` means that the journal will use mostly/spare at least 25% of `/var/log`. Note that for the use of a percentage limit `/var/log` must be an own partition, else absolute values need to be set. - -`log_client::journal_system_max_file_size` limits the size of an individual journal file. Default ist `32M`. - -If there is no need for a persistent log at all, it can be disabled with -``` -log_client::persistent_journal: false -``` - -## Rate Limiting - -In Hiera `log_client::journal_rate_limit_burst` defines how many messages of a service are at least logged in the interval period (default 30s). Note that the [actual limit depends on the available disk space](https://www.freedesktop.org/software/systemd/man/latest/journald.conf.html#RateLimitIntervalSec=) The default is `10000` messages. - -So `log_client::journal_rate_limit_interval` defines the above mentioned interval period. Allowed time units are `s`, `min`, `h`, `ms` and `us`. If not specified seconds are assumed. - -Rate limiting is disabled with -``` -log_client::journal_rate_limit_interval: 0 -``` diff --git a/admin-guide/configuration/monitoring/metrics_telegraf.md b/admin-guide/configuration/monitoring/metrics_telegraf.md deleted file mode 100644 index 0855f85b..00000000 --- a/admin-guide/configuration/monitoring/metrics_telegraf.md +++ /dev/null @@ -1,85 +0,0 @@ -# Metric Collections - Configuration Telegraf - -There is a central metrics server at PSI that is accessible via https://metrics.psi.ch. All standard Linux system will be able to send metrics to this server when telegraf metrics collection is enabled via hiera. - -Following statement will enable the metrics collection: -```yaml -base::enable_telegraf: true -``` - -By default a number of metrics are collected, including cpu, disk usage, diskio, etc. -A detailed list with the defaults can be found in [common.yaml](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml#L855) of the puppet repository. - -Custom metrics can also be added. (documentation to be done - please contact the Linux Core group if you need this). - -Depending on the location of the system hiera/puppet will configure the system to either send the data directly (PSI intranet) or via reverse proxy (DMZ, Extranet, tier3) to the central metrics server. - -If you run your own metric server or you want to explicitly overwrite where data is send to you can do this as follows: - -```yaml -telegraf::agent: - url: http://your-metric-server.psi.ch -``` - -If you want to tweak the configuration on how metrics are collected, you can do this as well like this (following are the defaults - only specify the keys you would like to overwrite): - -```yaml -telegraf::agent: - interval: '1m' - collection_jitter: '0s' - flush_interval: '1m' - flush_jitter: '10s' - metric_buffer_limit: 10000 -``` - - -By default puppet will purge and recreate (if needed) all config files in `/etc/telegraf/telegraf.d`. If you want to deploy your own metrics collection scripts outside of puppet/hiera you can disable the purging via: - -```yaml -telegraf::config::purge: false -``` - - -You can also configure your own metric to be collected via hiera as follows: -```yaml -telegraf::metrics: - 'your_metric': - plugin: 'exec' - timeout: '30s' - interval: '1m' - data_format: 'influx' - commands: ['sudo /your/script/location/script.sh'] - enable: true -``` -This will only work if you have deployed the necessary script (in the example `/your/script/location/script.sh`) and the necessary sudo rule(s) beforehand. For this you might wanna use techniques described in [Distribute Files](../files/distribute_files) and/or [Custom sudo Rules](../access/sudo). - -## Examples - -### Custom Script - -A custom telegraf collector can look something like this: -```bash -#!/bin/bash - -CONNECTED=$(/usr/NX/bin/nxserver --history | awk '$7 == "Connected" {print}' | wc -l) -DISCONNECTED=$(/usr/NX/bin/nxserver --history | awk '$7 == "Disconnected" {print}' | wc -l) -FINISHED=$(/usr/NX/bin/nxserver --history | awk '$7 == "Finished" {print}' | wc -l) - -# Provide data to telegraf -echo "nxserver open_sockets=$(lsof -i -n -P | wc -l),connected_sessions=${CONNECTED},disconnected_sessions=${DISCONNECTED},finished_sessions=${FINISHED}" -``` - -The first string of the echo command is the name of the series the data is written into. This name can be overwritten in the metric config via `name_override = "nxserver_report"` - -### Custom Config File - -A custom config file in /etc/telegraf/telegraf.d could look like this: - -``` -[[inputs.exec]] - name_override = "remacc_report" - timeout = "30s" - interval = "5m" - data_format = "influx" - commands = ["sudo /usr/lib/telegraf/scripts/remacc_report.sh"] -``` diff --git a/admin-guide/configuration/monitoring/syslog_forwarding.md b/admin-guide/configuration/monitoring/syslog_forwarding.md deleted file mode 100644 index 38857717..00000000 --- a/admin-guide/configuration/monitoring/syslog_forwarding.md +++ /dev/null @@ -1,9 +0,0 @@ -# Syslog Forwarding - -To forward the system logs to a Syslog server, configure in Hiera `log_client::forward_to`: -``` - log_client::forward_to: - - 'log1.psi.ch:1514' - - '@log2.psi.ch' -``` -This sends to `log1.psi.ch` on the custom UDP port `1544`, but also `log2.psi.ch` gets a copy on TCP default port `514`. diff --git a/admin-guide/configuration/software.md b/admin-guide/configuration/software.md deleted file mode 100644 index 6ab343ed..00000000 --- a/admin-guide/configuration/software.md +++ /dev/null @@ -1,6 +0,0 @@ -# Software Management - -Guides on how to provide/install and run software on a computer - -```{tableofcontents} - diff --git a/admin-guide/configuration/software/citrix_vda.md b/admin-guide/configuration/software/citrix_vda.md deleted file mode 100644 index 69526456..00000000 --- a/admin-guide/configuration/software/citrix_vda.md +++ /dev/null @@ -1,14 +0,0 @@ -# Citrix VDA Installation - -There is a [installation guide](https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/installation-overview/manual-installation-overview/redhat.html) by Citrix to install the Citrix VDA manually on Red Hat systems. - -The following Hiera settings will bring the system into a state as requested in the installation guide: -``` -# Citrix VDA specialities -hostname::short: true -networking::hostname_on_lo: true -aaa::sssd_cache_creds: false -aaa::default_krb_cache: "FILE:/tmp/krb5cc_%{literal('%')}{uid}" -``` - -Note that for `hostname -f` to work correctly with `hostname::short: true` you need to set as well `networking::hostname_on_lo: true` because `glibc getaddrinfo()` reads the first hostname in `/etc/hosts` to determine the fully qalified hostname. diff --git a/admin-guide/configuration/software/cockpit.md b/admin-guide/configuration/software/cockpit.md deleted file mode 100644 index 0d8ce736..00000000 --- a/admin-guide/configuration/software/cockpit.md +++ /dev/null @@ -1,28 +0,0 @@ -# Cockpit - -The Hiera example below will install and activate the [web based management interface Cockpit](https://cockpit-project.org/) plus eventually some required modules: - -``` -base::package_groups: - - 'cockpit' - -base::pkg_group::cockpit: - - 'cockpit' - - 'cockpit-...' - -base::sockets: - cockpit: - enable: true -``` - -If you would like to disallow access from externally and only allow connections from the host itself, then extend the socket configuration as below: - -``` -base::sockets: - cockpit: - enable: true - dropin: true - options: - Socket: - ListenStream: ['', '[::1]:9090'] -``` diff --git a/admin-guide/configuration/software/conda.md b/admin-guide/configuration/software/conda.md deleted file mode 100644 index 7de8f3c5..00000000 --- a/admin-guide/configuration/software/conda.md +++ /dev/null @@ -1,84 +0,0 @@ -# Conda / Anaconda - -Conda / Anaconda (https://conda.org) is a package manager that can be used to easily create tailored Python environments without having required C/... binaries of some packages installed on the local system. (i.e. conda will take care that required binaries are installed into the environment) - -```{warning} -Due to certain license restrictions the usage of Anaconda at PSI is not allowed without obtaining a professional license from Anaconda.com! - -However the usage of the command `conda` and/or of packages from conda-forge is still possible - see below ... -``` - -This guide explains how to install and configure conda in accordance to the Anaconda.com license terms. - - -## Installation -On a standard Linux system the conda package can be simply installed via a: - -``` -yum install conda -``` - -To instruct puppet to install the package you can have following hiera config: - -```yaml -base::pkg_group::extra: - - 'conda' - -base::package_groups: - - 'extra' -``` - -## Configuration - -To overwrite the default configuration of conda (which would violate the license because packages would be installed from anaconda.org by default) following config file needs to be deployed in `/etc/conda/condarc.d/base.yml` (or similar): - -```yaml -channels: -- conda-forge -- nodefaults - -# Show channel URLs when displaying what is going to be downloaded -# and in 'conda list'. The default is False. -show_channel_urls: True -always_copy: true -``` - -To place the file via Puppet/Hiera you can have following configuration: - -```yaml -files::files: - /etc/conda/condarc.d/base.yml: - content: | - channels: - - conda-forge - - nodefaults - - # Show channel URLs when displaying what is going to be downloaded - # and in 'conda list'. The default is False. - show_channel_urls: True - always_copy: true -``` - - -To be able to use the `conda` command a user needs to source the command into its current shell. This can be done like this: - -```bash -source /opt/conda/etc/profile.d/conda.sh -``` - - -Afterwards conda environments can be created in a license conformed way as documented at https://docs.conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html - - -## Usage - -More details on the usage of the `conda` command can be found here: -https://docs.conda.io/projects/conda/en/stable/user-guide/index.html - - -### Important Info -It seems that the `conda list ` command still uses the default channel. However `conda install` seem to respect the config above. - -Probably related to this here: -https://stackoverflow.com/questions/67695893/how-do-i-completely-purge-and-disable-the-default-channel-in-anaconda-and-switch - diff --git a/admin-guide/configuration/software/flatpak_remotes.md b/admin-guide/configuration/software/flatpak_remotes.md deleted file mode 100644 index c61c8b40..00000000 --- a/admin-guide/configuration/software/flatpak_remotes.md +++ /dev/null @@ -1,31 +0,0 @@ -# Flatpak Repositories/Remotes - -## Flatpak Repository List -All flatpak remotes to be available on the system are listed in Hiera in the list `flatpak::repos::default`. - -You can add other than the default `flathub` remote by providing a configuration as shown in the next chapter and then referencing that here: -``` -rpm_repos::default: - - 'cpt' -``` - - -## Flatpak Repository Definition - -An individual flatpak remote is configured in Hiera within the namespace `flatpak::repo::*`, like following example: - -``` -flatpak::repo::flathub: | - [Flatpak Repo] - Title=Flathub - Url=https://flathub.psi.ch/repo/ - Homepage=https://flathub.org/ - Comment=Central repository of Flatpak applications (PSI CachingMirror) - Description=Central repository of Flatpak applications (PSI CachingMirror) - Icon=https://flathub.psi.ch/repo/logo.svg - GPGKey=mQINBFl... -``` - -The content is a single string in the [`.flatpakrepo` format](https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpakrepo). - -Usually the Flatpak repository will provide such a file. diff --git a/admin-guide/configuration/software/labview.md b/admin-guide/configuration/software/labview.md deleted file mode 100644 index f7b1d3f6..00000000 --- a/admin-guide/configuration/software/labview.md +++ /dev/null @@ -1,102 +0,0 @@ -# LabView - -We have a site license for LabView, the license server is `lic-ni.psi.ch:27020`. - - -## Installation of LabView - -Select the desired version on the [NI Download Portal](https://www.ni.com/en/support/downloads/software-products/download.labview.html#544131). - -It downloads a zip file which you need to extract and to install the rpm file according to your OS, e.g.: - -``` -sudo dnf install ni-labview-2024-pro-24.3.1.49155-0+f3-rhel9.noarch.rpm -``` - -This now installs the package repository for given LabView version. Now it is just left to install it - - -``` -sudo dnf install ni-labview-2024-pro -``` - -Note that by default the package repository file will be removed by the next Puppet run. -To avoid this set `rpm_repos::purge: false` in Hiera or check the chapter "Installation via Puppet and Hiera". - -## Installation of LabView Drivers - -Again select you desired version on the [NI Download Portal](https://www.ni.com/en/support/downloads/drivers/download.ni-linux-device-drivers.html#544344). - -Again it downloads a zip file you need to extract and then install the suitable rpm file, e.g.: - -``` -sudo dnf install ni-rhel9-drivers-2024Q3.rpm -``` - -This now installs the package repository for the drivers. Next install the needed drivers, e.g. - -``` -sudo dnf install ni-488.2 -``` - -Now the kernel drivers need to be prepared - -``` -sudo dkms autoinstall -``` - -and finally reboot to prepare everything for showtime. - - -Note that by default the package repository file will be removed by the next Puppet run. -To avoid this set `rpm_repos::purge: false` in Hiera or check the next chapter "Installation via Puppet and Hiera". - - -## Installation via Puppet and Hiera - -Above example could also be configured with Hiera: - -``` -rpm_repos::repo::labview: - name: 'labview' - descr: "NI LabVIEW 2024 Q3 pro" - baseurl: 'https://download.ni.com/ni-linux-desktop/LabVIEW/2024/Q3/f1/pro/rpm/ni-labview-2024/el9' - gpgkey: 'https://download.ni.com/ni-linux-desktop/stream/ni-linux-desktop-2019.pub' - disable: false - gpgcheck: false - repo_gpgcheck: true - -rpm_repos::repo::labview_drivers: - name: 'labview_drivers' - descr: "NI Linux Software 2024 Q3" - baseurl: 'https://download.ni.com/ni-linux-desktop/2024/Q3/rpm/ni/el9' - gpgkey: 'https://download.ni.com/ni-linux-desktop/stream/ni-linux-desktop-2019.pub' - disable: false - gpgcheck: false - repo_gpgcheck: true - -rpm_repos::default: - - 'labview' - - 'labview_drivers' - -base::pkg_group::labview: - - 'ni-labview-2024-pro' - - 'ni-488.2' - -base::package_groups: - - 'labview' -``` - -The main difficulty is to figure out the repository URLs, which is easiest done by the manual download, unpack and install the rpm file. Or by inspecting its content. - -But with this Hiera configuration the setup can easily be replicated to other machines or to recreate the current setup. - -What still needs to be done on first installation and cannot be automated with Puppet is: -Now the kernel drivers need to be prepared - -``` -sudo dkms autoinstall -``` -and the following reboot. - - diff --git a/admin-guide/configuration/software/package_repositories.md b/admin-guide/configuration/software/package_repositories.md deleted file mode 100644 index 8c6c588c..00000000 --- a/admin-guide/configuration/software/package_repositories.md +++ /dev/null @@ -1,136 +0,0 @@ -# Selecting Package Repositories - -## Package Repository Lists -Also for configuring package repositories our configuration management works with lists containing the names of the repositories to be installed. -The default list (except for nodes with the `bootpc` and `appliances::lenovo::*` Puppet roles) is `rpm_repos::default`. - -If repositories are managed in Hiera, feel free to add them to `rpm_repos::default` like -``` -rpm_repos::default: - - 'gfa' -``` - -Note that repositories for different versions of RHEL can be added and only the fitting ones will be configured on the node. - -If the package repositories are managed by a Puppet module, then it is good practice is to define a specific package repository list in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml) and then to install it only when needed. An example is `profile::telegraf` which only installes the repositories listed in `rpm_repos::influx` when needed. - -## Package Repository Definition - -An individual package repository is configured in Hiera within the namespace `rpm_repos::repo::*`, like following example: - -``` -rpm_repos::repo::epel_rhel8: - name: 'epel' - descr: "Extra Packages for Enterprise Linux 8" - baseurl: 'https://repos.psi.ch/rhel8/tags/$pli_repo_tag/epel/' - gpgkey: 'https://repos.psi.ch/rhel8/keys/epel.gpg' - disable: false - gpgcheck: true - osversion: 8 - exclude: - - "slurm*" -``` - -### Package Repository Name - -The reference name used in Hiera (the part after `rpm_repos::repo::` should be globally unique. An unfortunate practice is to use the same name for different package repositories. A current example is the `gfa` repository which has different URLs on different `sysdb` environments. - -Note for `name` attribute, that only has to be unique on the machine where they are installed. So if there are two repositories defined to provide the same software for two different OS versions, then it is fine to have the same name there. - -### Package Repository URL - -Overriding the URL of a package repository definition on a stricter scope is considered bad practice. The URL defines the actual "identiy" of the package repository definition. It is confusing if it gets different meanings at different places. It is like one passport which will identify different persons in different countries. - -If different sources are needed, define and name them appropriately. They point to one given repository and the package repository lists are the place to select what should be applied on a given node. - -Also feel free to define all your package repositories in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml). - -### Select Package Repository by OS Version - -Usually a package repository only serves packages for one major OS version. This can be stated by the `osversion` attribute. When a package repository list is installed, only the repositories fitting the version of the OS installed on the node are selected and configured. - -If the `osversion` attribute is not set, then it is always installed. - -### Package Repository GPG Verification -GPG verification is optional, so `gpgkey` may not be defined and `gpgcheck` is `false` by default. But ideally the packages are signed and checked for tampering and corruption. - -### Exclude Packages -If certain packages provided by given repository should be ignored on the nodes, then add them to the `exclude` list. - - - -## Using Specific Package Repository Snapshot -Most of the externally sourced package repositories on https://repos.psi.ch/rhel7 (RHEL7), https://repos.psi.ch/rhel8 (RHEL 8) and https://repos.psi.ch/rhel9 (RHEL 9) have snapshots which can be used to freeze the available package versions to a given date. - -The tags are different per major OS version and are definied in the Hiera hash `rpm_repos::tag`, below you see the default: - -``` -yum_client::repo_tag: 'prod' - -rpm_repos::tag: - redhat7: "%{lookup('yum_client::repo_tag')}" - redhat8: 'rhel-8' - redhat9: 'rhel-9' -``` - -So for RHEL 7 the default is `prod` and can be overriden on `yum_client::repo_tag` (backwards compatibility) or on the `redhat7` attribute of `rpm_repos::tag`. - -To fix to a specific snapshot on RHEL 8, the `redhat8` attribute has to be set on `rpm_repos::tag`, the default is `rhel-8` which points to the latest snapshot. - -The available tags your find at -- [https://repos.psi.ch/rhel9/tags/](https://repos.psi.ch/rhel8/tags/) for RHEL 9 -- [https://repos.psi.ch/rhel8/tags/](https://repos.psi.ch/rhel8/tags/) for RHEL 8 (note the `prod` tag will phase out) -- [https://repos.psi.ch/rhel7/tags/](https://repos.psi.ch/rhel7/tags/) for RHEL 7 - -## Package Repositories made Available by the Linux Group - -Availabe on all systems are: -- RedHat [BaseOS](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/baseos-repository), [AppStream](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/appstream-repository) and [CodeReady](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/codereadylinuxbuilder-repository) repositories -- [Extra Packages for Enterprise Linux (EPEL) repositories](https://docs.fedoraproject.org/en-US/epel/) -- Puppet 7 repository -- Auristor repository for YFS and AFS related packages (RHEL 7 and 8 only) -- Google Chrome repository -- pli-misc (not tagged for RHEL7, but on RHEL 8/9) -- Code (Visual Studio Code from Microsoft) -- Microsoft Teams -- PowerScript et. al. (Microsoft) -- HashiCorp (`vault`, `terraform`, `vagrant`, ...) -- Oracle Instant Client 19 and 21 -- Opera - - -Predefined and used when needed are: -- Influx (`influxdb`, `telegraf`, ...) -- CUDA -- Nomachine - -To be added/defined in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml)? -- GPFS -- Epics (available for RHEL7) - - -### pli-misc Repository - -A small list of packages managed by the Linux Team. - -- *RHEL8*: make v4.3 from [CentOS](https://rpmfind.net/linux/RPM/centos-stream/9/baseos/x86_64/make-4.3-7.el9.x86_64.html) as v4.2.1 has been reported to to make trouble -- latest [Zoom client](https://zoom.us/download?os=linux) -- latest [Webex client](https://www.webex.com/downloads.html) -- latest [Slack client](https://slack.com/downloads/linux) -- latest [NoMachine Enterprise Client](https://downloads.nomachine.com/download/?id=11) -- latest [Real VNC Viewer](https://www.realvnc.com/en/connect/download/viewer/), recommended for VNC remote access to Windows machines -- `pli-assets` containing the PSI and the Customer Self Service logo, any hints about the source rpm are welcome -- *RHEL8*: [mod_gearman v4.0.1](https://mod-gearman.org/download/v4.0.1/rhel8/x86_64/) -- *RHEL8*: lightdm-gtk v2.0.8-3.pli, a patched lightdm-gtk-greeter ([SRPM](https://git.psi.ch/linux-infra/lightdm-gtk-rpm), [PR](https://github.com/Xubuntu/lightdm-gtk-greeter/pull/121)) which allows to limit the presented keyboard layouts -- Code Beamer Office pluging v9.5.0 managed by Gilles Martin -- storecli 007.2007.0000.0000 managed by Marc Caubet Serrabou -- [pam_single_kcm_cache PAM Module](https://github.com/paulscherrerinstitute/pam_single_kcm_cache) managed by Konrad Bucheli -- [nvidia-detect](http://elrepo.org/tiki/nvidia-detect) copied over from ElRepo to make it generally available -- [bob](https://git.psi.ch/linux-infra/bob) - -## Package Repositories made Available by other PSI Groups - -- `tivoli`, IBM backup software for Arema, managed by Datacenter and DB Services, AIT -- `nxserver` for NoMachine NX - - diff --git a/admin-guide/configuration/software/package_updates.md b/admin-guide/configuration/software/package_updates.md deleted file mode 100644 index 4e41567a..00000000 --- a/admin-guide/configuration/software/package_updates.md +++ /dev/null @@ -1,27 +0,0 @@ -# Automated Package Updates - -The automatic updates are controlled in Hiera (excluding RHEL7): - -| Hiera key | default | comments | -|-------------------------------------|------------|-------------------------------------------------------------------------------| -| `base::automatic_updates::interval` | `weekly` | valid are `daily`, `weekly`, `boot_only` and `never` which disables the automatic updates | -| `base::automatic_updates::type` | `security` | `security` installs only security updates whereas `all` installs all updates | -| `base::automatic_updates::reboot` | `never` | valid are `never`, `when-needed` (when an updated package requests a reboot) and `when-changed` (after every update) | -| `base::automatic_updates::exclude` | `[]` | list of packages not to update, wildcards like "*" are allowed | -| `base::automatic_updates::kernel` | `false` | define if new kernel packages also should be installed automatically | - -For system-wide installed Flatpak packages there is a separate key for automatically updating them: - -| Hiera key | default | comments | -|------------------------------|------------|-------------------------------------------------------------------------------| -| `flatpak::updates::interval` | `weekly` | valid are `daily`, `weekly`, `boot_only` and `never` which disables the automatic updates | - - - -Note that the updates run on midnight, for `weekly` from Sunday to Monday. There is no automatic reboot, e.g. for kernel updates. - ---- -**Important** - -There will be no updates if you fix the package source to a snapshot/repo tag i.e. `rpm_repos::tag` or `yum_client::repo_tag` setting in Hiera point to a specfic snapshot. - diff --git a/admin-guide/configuration/software/packages.md b/admin-guide/configuration/software/packages.md deleted file mode 100644 index fc7bcfc8..00000000 --- a/admin-guide/configuration/software/packages.md +++ /dev/null @@ -1,185 +0,0 @@ -# Package Installation - -## Install Packages with Hiera Package Groups - -The packages automatically installed onto a system by Puppet are managed in the Hiera list `base::package_groups`. It contains the names of the package groups to be installed. Items can be added at all levels of the Hiera hierarchy and are merged. - -The package groups itself are Hieara lists named `base::pkg_group::$USE_CASE`. -Here list all the packages you want to install. - -Currently there exist the following package groups in the main [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml): - -- `base::pkg_group::system_tools` (installed by default) -- `base::pkg_group::daq_buffer` -- `base::pkg_group::desktop_settings` -- `base::pkg_group::dev` -- `base::pkg_group::login_server` -- `base::pkg_group::qt5` -- `base::pkg_group::root` - -but further ones can be created in Hiera at lower hierachies and added to `base::package_groups`, for example - -``` -base::pkg_group::java: - - 'java-1.8.0-openjdk' - - 'java-11-openjdk' - - 'java-17-openjdk' - -base::package_groups: - - 'java' -``` - - -## Install a Group of Packages - -To add a RedHat predefined group of packages (checkout out `dnf grouplist --hidden`) prepend the name of it with a `@`, e.g. for "Java Platform" it would be `@Java Platform`: - -``` -base::pkg_group::java: - - '@Java Platform' -``` - -## Install Latest Package Version - -Puppet by default only checks if a package is installed and only installs it if missing. -To ensure that always the latest available package version is installed, append the `:latest` tag to the package name in the package group: - -``` -base::pkg_group::java: - - 'java-1.8.0-openjdk' - - 'java-11-openjdk' - - 'java-17-openjdk:latest' -``` - -## Install Packages only on Given OS Version - - Certain packages are only used on a given OS Version, so a `os=` with the OS name and the major version selects a package only for given OS, where as a `os!` will filter away given package on hosts with given OS, so they are not installed there. - -``` -base::pkg_group::java: - - 'java-1.8.0-openjdk:os=redhat7' - - 'java-11-openjdk' - - 'java-17-openjdk:os!redhat7' -``` - -Note that this tag can be combined with the `latest` and `absent` tag. - -## Install Module Stream - -RHEL 8 introduced the concept of [module streams](https://docs.pagure.org/modularity/). -A specific stream can be selected with the `stream` tag: - -```yaml -base::pkg_group::nodejs: - - 'nodejs:stream=12' -``` - -## Install Python Modules with `pip` - -The `pip` tag can be used to install a PYPI Python package using `pip`, e.g. `pygame-utility`: - -```yaml -base::pkg_group::my_pip_modules: - - 'pygame-utility:pip' -``` - -To install a packages for specific python versions use the tag `:pip` (example: `- 'numpy:pip3.12'`). - -Note that packages installed with `pip` are not updated automatically! - - -## Install Software using Flatpak - -Flatpak is available by default on workstation type systems. Alternatively you may enable/disable flatpak support in Hiera by setting `base::enable_flatpak` to `true` respectively `false`. - -The `flatpak` tag can be used to install a software via flatpak. Best use the full Flatpak Application ID, like `dev.zed.Zed`: - -```yaml -base::pkg_group::my_flatpak_software: - - 'dev.zed.Zed:flatpak' -``` - -On [Flathub](https://flathub.org/) you find the Application ID if you press the down arrow next to the `Install` button: - -![Flathub install commands](packages/zed_on_flathub.png) - -Note that flatpak software is by default updated automatically, see [guide "Automated Package Updates"](package_updates) for details. - -The Flathub package "remote" is already installed, to add other "remotes" check out the [Configure Flatpak Remotes](flatpak_remotes) guide. - -## Remove Packages - -To remove an already installed package, append the `:absent` tag to the package name in the package group: - -``` -base::pkg_group::java: - - 'java-1.8.0-openjdk:absent' - - 'java-11-openjdk' - - 'java-17-openjdk' -``` - -## Remove Packages - -To remove an already installed package, append the `:absent` tag to the package name in the package group: - -``` -base::pkg_group::java: - - 'java-1.8.0-openjdk:absent' - - 'java-11-openjdk' - - 'java-17-openjdk' -``` - -## Ignore Packages - -To make packages unavailable for installation, even though provided by the package repositories, add them in Hiera to the list `base::package_exclude`: -``` -base::package_exclude: - - 'epics-base-7.0.6*' -``` -This list is merged over the full Hiera hierachy, so there is no need to copy exclusions from higher levels when creating an exclusion on a low level. - -This list can also be used to opt out packages from other, maybe inherited package groups. But unlike the `:absent` tag in a package list it will not uninstall a package when found. - -### Version Lock - -If you have the need to freeze a software on given version, you can use `dnf versionlock`. First you need to install the `python3-dnf-plugin-versionlock` package (see above). - -Then on the node best run -``` -dnf versionlock add $PACKAGE -``` -for every package you do not wish to get updates installed any more. If there are newer packages you might test with `dnf update --assumeno` if it does not show your software any more, while other updates are still possible. Sometimes this can cause dependency resolution failures and you might need to add a version lock for one ore more packages which depend on the locked package. - -After you best put the resulting `/etc/dnf/plugins/versionlock.list` in Hiera with [`files::files`](../files/distribute_files) for reproducability. - -#### Kernel Version Lock -A full kernel version lock needs to include a number of packages. For RHEL8: -``` -dnf versionlock add kernel kernel-core kernel-modules kernel-tools kernel-tools-libs kernel-headers kernel-devel -``` -For RHEL9: -``` -dnf versionlock add kernel kernel-core kernel-modules-core kernel-modules kernel-uki-vir kernel-tools kernel-tools-libs kernel-headers kernel-devel -``` -and if AFS is configured -``` -dnf versionlock add kmod-yfs -``` - - -### Install Debuginfo Packages - -The package repositories for debuginfo packages are disabled by default. To spontaneously install such a package, do - -``` -dnf --enablerepo '*_debug' install ... -``` - -## Missing Package - -If there is no such package in the repositories, then - -``` -Error: Execution of '/usr/bin/dnf -d 0 -e 1 -y install non-existing-package-for-test' returned 1: Error: Unable to find a match: non-existing-package-for-test -``` - diff --git a/admin-guide/configuration/software/packages/zed_on_flathub.png b/admin-guide/configuration/software/packages/zed_on_flathub.png deleted file mode 100644 index 8d2e3308..00000000 Binary files a/admin-guide/configuration/software/packages/zed_on_flathub.png and /dev/null differ diff --git a/admin-guide/configuration/software/python.md b/admin-guide/configuration/software/python.md deleted file mode 100644 index 9ca03190..00000000 --- a/admin-guide/configuration/software/python.md +++ /dev/null @@ -1,81 +0,0 @@ -# Python - -## Overview -```{note} -This guide only covers RHEL8/9 and newer. Also we will __not__ cover how to use Python 2 any more. -``` - -There are several versions of Python(3) available from RedHat. This guide shows how one can install specific/multiple versions and how to configure the default Python of a system. - -The use of Python environments like [`venv`](https://docs.python.org/3/library/venv.html) or [Conda](https://docs.conda.io) is recommended if a single user needs one or multiple specific Python environments. But this is not part of this guide. - - -## Platform Python vs Default Python - -As many system tools are written in Python each RHEL8/9 system comes with a so called Platform Python. This is a _fixed_ Python version than cannot be modified and usually is also not available via the commandline. - -Beside that, on each system you can install multiple Python versions. One of this Python version can then be set as the Default Python. This means that this Python version is called if you call `python` and/or `python3` on the commandline/script. - -To explicitly call a specific Python version always specify the full version as follows: `python`, e.g. `python3.12`. The same applies to the `pip` command! - -### Using the Platform Python -For system tools, that should run consistently on all systems you may decide to use the "Platform Python" instead of the Default Python. For doing so you need to set the shebang of your script to - -```bash -#!/usr/libexec/platform-python -``` - -## Python Versions - -On __RHEL8__ the Platform (and usual Default) Python version is __3.6__. As the time of writing following Python versions are additinally available: _3.8_, _3.9_, _3.11_, _3.12_ . - -On __RHEL9__ the Platform (and usual Default) Python version is __3.9__. As the time of writing following Python versions are additinally available: _3.11_, _3.12_ - - -## Configuration - -Following hiera keys can be used to configure Python on a system. - -### Installing and Setting a Default Python - -To install a default Python you can use: -```yaml -python::default_version: '3.11' -``` - -This will make sure that that this Python version is installed on the system and that this Python version is available via the `python` and `python3` command. The same applies for `pip` and `pip3`. - - -### Installing Additional Python Versions - -To install additional Python versions on the system you can use: - -```yaml -python::install_versions: ['3.6', '3.12'] -``` - -This will take care that the necessary packages are installed on the system. These versions are then available by calling the version specific Python command `python=10 to mount the NFS4 share- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mount - details to be added here) - - -Once your folder/folders is/are created and your are autorized to write into these folders you can place RPMs and files into that directory/directories - -__Important__: Once mounted, to be able to change things on the filesystem you have to have a valid kerberosticket for your PSI user. -``` -kinit @D.PSI.CH -# or on standard PSI linux systems -kinit -``` - -```{note} -In case you are in a firewall protected zone, make sure that there is a rule to access lx-fs on TCP port 2049! -``` - - -## Overview -Custom repositories are provided by the central repository server as all other repositories. They will be available on the URL - -``` -https://repos.psi.ch//latest/ -``` - -The custom repositories are snapshotted and tagged as any other repository. - -Inside __hiera__ please use the URL: -``` -https://$lx_reposerver//$lx_repo_tag/ -``` -This ensures that the systems will always use the correct repository server url to access the repositories. (e.g. in the DMZ/extranet the DNS hostname of the repository is different ...) - - -The content of the custom repositories are managed on a a dedicated NFS4 share. On this share groups can have different folders where they place/manage their rpms. These RPMs are periodically synced to the main repository share (i.e. every 15 minutes), so what you see on the `packages_misc` is not exactly what will end up on the repository server. Upon sync the repository will be automatically build via the create-repo command. - -The structure of the share is usually as follows: - -``` -/ - # content in the case of one repo for all major RHEL version - /rhel7 - /rhel8 - /rhle9 # in case of different repo for major RHEL version -``` - -The access control is done by a Unix group usually named `unx-_adm` (most of the time this is a group that also gives access to hiera repos) - - -## Preparation for new Custom RPM Repository (by Linux Team) - -The `packages_misc` share is only root writeable from lx-sync-01.psi.ch. Therefore the initial setup needs to be done there. - -Creation of a new repo (on lx-sync-01 in `/packages_misc`): -``` -cd /packages_misc -mkdir -chgrp 35588 ## We need to use the numeric group id here as lx-sync is not directly connected to AD -chmod g+w -chmod g+s -``` - -To sync the repo and make it available there needs to be a sync config added to https://git.psi.ch/linux-infra/rpm-repo-utils/-/tree/main/etc?ref_type=heads -(inside the __*-misc__ directories) - -After adding this config the changes need to be deployed on lx-sync-01.psi.ch. -(either bootstrap/ansible or a manual `git pull` in `/opt/rpm-repo-utils/`) diff --git a/admin-guide/deployment.md b/admin-guide/deployment.md deleted file mode 100644 index b6145a38..00000000 --- a/admin-guide/deployment.md +++ /dev/null @@ -1,4 +0,0 @@ -# Deployment - -```{tableofcontents} -``` diff --git a/admin-guide/deployment/basic_installation.md b/admin-guide/deployment/basic_installation.md deleted file mode 100644 index 01a3f3f2..00000000 --- a/admin-guide/deployment/basic_installation.md +++ /dev/null @@ -1,142 +0,0 @@ -# Basic Installation - -Linux systems are installed using PXE and Kickstart. The Kickstart -configuration is auto-generated base on the configuration stored in sysdb/bob. - -```{note} -When PXE boot is not an option, e.g. in restricted networks, it is possible to start iPXE from a USB stick or other media. -``` - -The general process for a installation is: - -1. (Hardware) Register the machine in Package-Fence: https://enter.psi.ch:1443 to give it access to the PSI network -1. (Hardware Machine / static ip address) Register a static ip in https://qip.psi.ch/qip (or via request to the Network Team (via ServiceNow)) for the console -1. Register and configure the system with sysdb -2. Tell sysdb to perform an installation on the next boot -3. Reboot the system and trigger a PXE boot (usually by pressing F12 during - POST) - -The default way to interact with sysdb is to use [bob](https://git.psi.ch/linux-infra/bob). `bob` is already set up on `lxsup.psi.ch` for general use. Remember that you need a valid Kerberos ticket before modifying a sysdb entry via `bob`. - -Altenatively you many have on your workstation a local copy of `bob`. This can be done by installing the RPM from the pli-misc repository - https://repos.psi.ch/rhel8/latest/pli-misc/ or by installing the Python package manually. More details regaring `bob` can be found [here](https://git.psi.ch/linux-infra/bob). - -## Hardware/VM Requirements - -For hardware based system please check the Hardware compatibility page for -- [RHEL8](rhel8/hardware_compatibility.md) -- [RHEL9](rhel9/hardware_compatibility.md) - -In any case these are the **minimal** system requirements: -- RHEL8 - - RAM: 4GB - - Harddisk: 33GB -- RHEL9 - - RAM: 4GB - - Harddisk: 64GB - -## Sysdb Configuration - -Register node: -```bash -bob node add $FQDN $ENV netboot -``` - -To be able to PXE boot we need to configure at least one MAC address for the new node: -```bash -FQDN=test.psi.ch -MAC_ADDRESS=00:00:00:00:00:00 # get this from the hardware or vcenter console - -bob node add-mac $FQDN $MAC_ADDRESS -``` - -Finally we need to configure the installer to use, and the Puppet-related parameters: -```bash -bob node set-attr $FQDN ipxe_installer=rhel8install -bob node set-attr $FQDN puppet_role=role::server -``` - -and **optional**: -```bash -# static IP address (options: static, dhcp) -bob node set-attr $FQDN network=static - -# if you want to use hiera groups and sub-groups -bob node set-attr $FQDN puppet_group=cluster -bob node set-attr $FQDN puppet_subgroup=compute - -# use a differnt puppet environment -bob node set-attr $FQDN puppet_env=prod -``` - - -### Example - -Minimal example: - -```bash -bob node add test.psi.ch lx netboot -bob node add-mac test.psi.ch 00:00:00:00:00:00 -bob node set-attr test.psi.ch ipxe_installer=rhel8install puppet_role=role::server - -# show the configuration -bob node list -v test.psi.ch - -# start network boot on the machine -``` - - -### Special Settings - -#### Custom Kernel Commandline Arguments -For custom kernel commandline arguments for the installer (e.g. to provide drivers) the sysdb attribute `kernel_cmdline` can be used: - -```bash -bob node set-attr lx-test-02.psi.ch kernel_cmdline=inst.dd=https://linuxsoft.cern.ch/elrepo/dud/el8/x86_64/dd-megaraid_sas-07.725.01.00-1.el8_9.elrepo.iso -``` - -#### Custom/Fixed System Disk - -By default the whole space available on the first block device is used and any existing partition is removed. - -Alternatively you might set the sysdb attribute `system_disk` with the device name of the disk which should be used instead: - -```bash -bob node set-attr $FQDN system_disk=md126 -``` - -The ordering of disks (`sda`, `sdb`, ...) might sometimes not be stable. -To explicitely select the disk you might use on of the links below `/dev/disk` like - -```bash -bob node set-attr $FQDN system_disk=disk/by-path/pci-0000:a1:00.0-ata-1 -``` - - -#### Custom Partitioning -Partitions system are configured with a standard schema using LVM, so that they can be possibly changed afterwards. - -It is also possible to customize the partitioning by using the `partitions` attribute on sysdb. See https://git.psi.ch/linux-infra/bob for more details. - - -## BIOS / UEFI Boot - -All systems should use UEFI boot for booting! BIOS based boot should only be used where UEFI is not an option. - -### UEFI - -__NOTE:__ After the installation the boot order will be changed to localboot again! So if you reinstall make sure that you re-set the bootorder via the efi menu or the commandline: https://linux.die.net/man/8/efibootmgr - -```bash -[root@lx-test-02 ~]# efibootmgr -BootCurrent: 0004 -BootOrder: 0004,0002,0000,0001,0003 -Boot0000* EFI Virtual disk (0.0) -Boot0001* EFI VMware Virtual SATA CDROM Drive (0.0) -Boot0002* EFI Network -Boot0003* EFI Internal Shell (Unsupported option) -Boot0004* Red Hat Enterprise Linux - -[root@lx-test-02 ~]# efibootmgr --bootorder 2,4,0,1,3 -``` - -(there is no need to have the leading 000 ) diff --git a/admin-guide/deployment/console_installation.md b/admin-guide/deployment/console_installation.md deleted file mode 100644 index fc8fe2ac..00000000 --- a/admin-guide/deployment/console_installation.md +++ /dev/null @@ -1,37 +0,0 @@ -# Console Installation - -## Overview -A console is a multi user system (ideally running on standard hardware) with a graphical desktop. The individual users do not have admin rights on the system and all configuration and packages must be deployed by puppet (ensuring reproducibility and fast re-installation in case of hardware failures, etc.) - -Consoles are, for example, used at experimental stations, beamlines, endstations. - -The standard naming of a console is: __<group>-cons-<two digit number>__ -Due to various reasons these systems __must__ have a static IP assigned. - -## Installation Workflow - -1. Register the machine in Package-Fence: https://enter.psi.ch:1443 to give it access to the PSI network -1. Register a static ip in https://qip.psi.ch/qip (or via request to the Network Team (via ServiceNow)) for the console -2. Create the necessary bob entries for the machine: -```bash -bob node add netboot -bob node add-mac xx:xx:xx:xx:xx:xx -bob node set-attr network=static -bob node set-attr ipxe_installer=rhel8install - -bob node set-attr puppet_role=role::console -bob node set-attr puppet_env=prod -bob node set-attr puppet_group=default # replace default if needed - -# Optional -bob node set-attr puppet_subgroup=collector -``` - -3. Create a host specific file (`.yaml`) in the respective hiera repository/directory with the following content: - -```yaml -networking::setup: auto_static_ip -``` - -4. Ensure that the UEFI/BIOS is set to netboot -5. Kickstart the machine \ No newline at end of file diff --git a/admin-guide/deployment/dmz_installation.md b/admin-guide/deployment/dmz_installation.md deleted file mode 100644 index c4b2ae96..00000000 --- a/admin-guide/deployment/dmz_installation.md +++ /dev/null @@ -1,81 +0,0 @@ -# DMZ Installation - -The deployment in the DMZ ist the basically the same as [internaly](basic_installation), but there are a few points to consider: - -- a firewall rule for puppet is needed -- the commissioning can only be done in the special DMZ commissioning network - -Because of this commissioning network we suggest that the DMZ VM gets for commissioning two interfaces, a "front-door" to the actual network where it will finally provide its service and the "back-door" in the commissioning network. After successful setup that interface will be removed. - -## Preparation - -- get static IP addresss for "front-door" interface -- For Puppet you need to [order a firewall rule](https://psi.service-now.com/psisp?id=psi_new_sc_cat_item&sys_id=faccb8644fe58f8422b0119f0310c7f7) from your machine to `puppet01.psi.ch` using TCP port 8140. -- (let) the VM be set up with to interfaces, the first one in the final network ("front-door") and the second one attached to `172.23.206.0/24` ("back-door") -- get both MAC addresses -- prepare the node in Sysdb/`bob` with the "back-door" MAC address -- in Hiera following network configuration is suggested which keeps the "front-door" interface disabled for the start: - -```yaml -networking::setup: managed - -networking::connections: - - dmz_network - - commissioning_network - -networking::connection::dmz_network: - mac_address: '00:50:56:9d:47:eb' - ipv4_method: 'disabled' - ipv6_method: 'disabled' - -networking::connection::commissioning_network: - mac_address: '00:50:56:9d:c7:fe' - ipv4_method: 'auto' - ipv6_method: 'disabled' -``` -## Commissioning/Kickstart - -- commission/kickstart the node via network boot -- for SSH access get assigned IP address from VMWare or Puppet facts or QIP -- at the moment puppet will fail, provide the IP address to your fellow friendly Core Linux Team member to manually finish the first boot -- if the configuration is fully ready, configure the "front-door" interface: - -```yaml -networking::setup: managed - -networking::connections: - - dmz_network - - commissioning_network - -networking::connection::dmz_network: - mac_address: '00:50:56:9d:47:eb' - ipv4_method: 'manual' - ipv4_address: '192.33.120.60/24' - ipv4_gateway: '192.33.120.1' - ipv6_method: 'disabled' - -networking::connection::commissioning_network: - mac_address: '00:50:56:9d:c7:fe' - ipv4_method: 'auto' - ipv6_method: 'disabled' -``` - -## Cleanup - -- check if you still have management access (`ssh`) over the front door interface -- remove the configuration of the "back-door" interface: - -```yaml -networking::setup: managed - -networking::connections: - - dmz_network - -networking::connection::dmz_network: - mac_address: '00:50:56:9d:47:eb' - ipv4_method: 'manual' - ipv4_address: '192.33.120.60/24' - ipv4_gateway: '192.33.120.1' - ipv6_method: 'disabled' -``` -- remove the "back-door" interface from the VM diff --git a/admin-guide/deployment/re_installation.md b/admin-guide/deployment/re_installation.md deleted file mode 100644 index f6fcd830..00000000 --- a/admin-guide/deployment/re_installation.md +++ /dev/null @@ -1,18 +0,0 @@ -# Re-Installation - - - -Basically a reinstall can be done without doing anything other than doing the PXE boot, but there are some caveats to consider: - -__Netboot__ -After the initial installation the boot mode has been reset from netboot to local so it will then always boot from the local disk. For a redeployment the netboot needs to be set anew (on UEFI based systems netboot also needs to be always selected by the UEFI menu)) -```bash -bob node netboot $FQDN -``` - -__Puppet Certificates__ -The puppet client certificate is saved on the puppet server. By default corresponding certificate on the client is tried to be saved by the kickstart script. If you do a new install to a blank drive, but the puppet server has a certificate saved for the host, the client will generate a new cert, but the server will not, so the certificates saved on the 2 sides, will not match and will never work. In this case both sides need to be cleaned up before a new puppet run is attempted. - -Puppet client certs can be deleted at https://puppet.psi.ch/ and on that page, the command to delete the client cert is specified. - -To access https://puppet.psi.ch one needs to authenticate with your username/password. The server uses a invalid https certificate that is not accepted by modern safari/chrome any more. Use Firefox as a workaround. diff --git a/admin-guide/deployment/rhel8/_static/kerberos_desktop.png b/admin-guide/deployment/rhel8/_static/kerberos_desktop.png deleted file mode 100644 index 215773a6..00000000 Binary files a/admin-guide/deployment/rhel8/_static/kerberos_desktop.png and /dev/null differ diff --git a/admin-guide/deployment/rhel8/_static/kerberos_desktop.puml b/admin-guide/deployment/rhel8/_static/kerberos_desktop.puml deleted file mode 100644 index 317e57cd..00000000 --- a/admin-guide/deployment/rhel8/_static/kerberos_desktop.puml +++ /dev/null @@ -1,97 +0,0 @@ -@startuml - -title - **Desktop Authentication** - Needs a shared credential cache with //systemd --user// as it is used to start some processes - and the TGT needs to be updated on reauthentication when unlocking the screen. -end title - -actor user -box gdm - participant gdm - participant libpam - participant "pam_sssd.so" as pam_sssd - participant "pam_systemd.so" as pam_systemd - participant "pam_single_kcm_cache.so" as pam_single_kcm_cache -end box -participant sssd -participant "systemd --user" as systemd -box KCM - participant "sssd-kcm" as sssd_kcm - participant "credential cache KCM:$UID:61555" as default_cache - participant "credential cache KCM:$UID:desktop" as shared_cache -end box -box Gnome -participant "gnome-session-binary" as gnome_session -participant "gnome-shell" as gnome_shell -participant Firefox as firefox -participant "gnome-terminal" as gnome_terminal -end box -box Active Directory - participant KDC as kdc -end box - -== authentication == -user -> gdm : authenticates with password -gdm -> libpam : authenticate user -libpam -> pam_sssd : //pam_sm_setcred()// -pam_sssd -> sssd : authenticate -sssd -> kdc : authenticate and get TGT -sssd -> sssd_kcm : get default cache -sssd -> default_cache : place TGT -libpam -> pam_single_kcm_cache : //pam_sm_setcred()// -pam_single_kcm_cache -> sssd_kcm : iterate all suitable caches to find newest TGT -note right: the default cache may change in between -pam_single_kcm_cache -> default_cache: get TGT -pam_single_kcm_cache -> sssd_kcm : create new shared cache if it does not exist yet -create shared_cache -sssd_kcm -> shared_cache: create -pam_single_kcm_cache -> shared_cache: place newest TGT -pam_single_kcm_cache -> libpam: set //KRB5CCNAME=KCM:$UID:desktop// - -gdm -> libpam : setup session -libpam -> pam_systemd : //pam_sm_open_session()// -create systemd -pam_systemd -> systemd: start if not running yet - -== starting the desktop == -create gnome_session -gdm -> gnome_session : start Gnome session -gnome_session -> systemd : start some Gnome services -gnome_session -> gnome_session: start more Gnome services -create gnome_shell -gnome_session -> gnome_shell: start Gnome Shell - -== starting programs == -user -> gnome_shell: open browser -create firefox -gnome_shell -> firefox : start - -user -> gnome_shell : open terminal -gnome_shell -> systemd: start gnome-terminal -create gnome_terminal -systemd -> gnome_terminal: start - -== screen lock and unlock == -user -> gnome_shell : lock screen -gnome_shell -> gdm : lock screen - -user -> gdm : authenticates with password -gdm -> libpam : authenticate user -libpam -> pam_sssd : //pam_sm_setcred()// -pam_sssd -> sssd : authenticate -sssd -> kdc : authenticate and get TGT -sssd -> sssd_kcm : get default cache -sssd -> default_cache : place TGT -libpam -> pam_single_kcm_cache : //pam_sm_setcred()// -pam_single_kcm_cache -> sssd_kcm : iterate all suitable caches to find newest TGT -note right: the default cache may change in between -pam_single_kcm_cache -> default_cache: get TGT -pam_single_kcm_cache -> sssd_kcm : get shared cache -pam_single_kcm_cache -> shared_cache: place newest TGT -note over gdm : no session setup step -gdm -> gnome_shell : screen unlocked - -@enduml - - diff --git a/admin-guide/deployment/rhel8/_static/kerberos_sshd_password_only.png b/admin-guide/deployment/rhel8/_static/kerberos_sshd_password_only.png deleted file mode 100644 index c06a2059..00000000 Binary files a/admin-guide/deployment/rhel8/_static/kerberos_sshd_password_only.png and /dev/null differ diff --git a/admin-guide/deployment/rhel8/_static/kerberos_sshd_password_only.puml b/admin-guide/deployment/rhel8/_static/kerberos_sshd_password_only.puml deleted file mode 100644 index ad2897e4..00000000 --- a/admin-guide/deployment/rhel8/_static/kerberos_sshd_password_only.puml +++ /dev/null @@ -1,54 +0,0 @@ -@startuml - -title - **SSH with Password Authentication** - Provide every shell session an individual and isolated credential cache in KCM. -end title -hide footbox - -actor user -box sshd - participant sshd - participant libpam - participant "pam_sssd.so" as pam_sssd - participant "pam_systemd.so" as pam_systemd - participant "pam_single_kcm_cache.so" as pam_single_kcm_cache -end box -participant sssd -participant "systemd --user" as systemd -box KCM - participant "sssd-kcm" as sssd_kcm - participant "credential cache KCM:$UID:61555" as default_cache - participant "credential cache KCM:$UID:sitmchszro" as random_cache -end box -participant bash -box Active Directory - participant KDC as kdc -end box - -user -> sshd : connects using //ssh//\nwith authentication method //password// -sshd -> libpam : authenticate user -libpam -> pam_sssd : //pam_sm_setcred()// -pam_sssd -> sssd : authenticate -sssd -> kdc : authenticate and get TGT -sssd -> sssd_kcm : get default cache -sssd -> default_cache : place TGT -sshd -> libpam : setup session -libpam -> pam_systemd : //pam_sm_open_session()// -create systemd -pam_systemd -> systemd: start if not running yet -libpam -> pam_single_kcm_cache : //pam_sm_open_session()// -pam_single_kcm_cache -> sssd_kcm : iterate all suitable caches to find newest TGT -note right: the default cache may change in between -pam_single_kcm_cache -> default_cache: get TGT -pam_single_kcm_cache -> sssd_kcm : create new random cache -create random_cache -sssd_kcm -> random_cache: create -pam_single_kcm_cache -> random_cache: place newest TGT -pam_single_kcm_cache -> libpam: set //KRB5CCNAME=KCM:$UID:sitmchszro// -create bash -sshd -> bash : start - -@enduml - - diff --git a/admin-guide/deployment/rhel8/_static/kerberos_sshd_tgt_delegation.png b/admin-guide/deployment/rhel8/_static/kerberos_sshd_tgt_delegation.png deleted file mode 100644 index 54bcaf68..00000000 Binary files a/admin-guide/deployment/rhel8/_static/kerberos_sshd_tgt_delegation.png and /dev/null differ diff --git a/admin-guide/deployment/rhel8/_static/kerberos_sshd_tgt_delegation.puml b/admin-guide/deployment/rhel8/_static/kerberos_sshd_tgt_delegation.puml deleted file mode 100644 index a6c68e37..00000000 --- a/admin-guide/deployment/rhel8/_static/kerberos_sshd_tgt_delegation.puml +++ /dev/null @@ -1,49 +0,0 @@ -@startuml - -title - **SSH with TGT Delegation** - Provide every shell session an individual and isolated credential cache in KCM. -end title -hide footbox - -actor user -box sshd - participant sshd - - participant libpam - participant "pam_systemd.so" as pam_systemd - participant "pam_single_kcm_cache.so" as pam_single_kcm_cache -end box -participant "systemd --user" as systemd -box KCM - participant "sssd-kcm" as sssd_kcm - participant "credential cache KCM:$UID:61555" as new_cache - participant "credential cache KCM:$UID:sitmchszro" as random_cache -end box -participant bash - -user -> sshd : connects using //ssh//\nwith //GSSAPIDelegateCredentials=yes//\nand authentication method //gssapi-with-mic// -note right: authentication is done without libpam -sshd -> sssd_kcm : get new cache -create new_cache -sssd_kcm -> new_cache : create -sshd -> new_cache : place delegated TGT -sshd -> libpam : setup session -libpam -> pam_systemd : //pam_sm_open_session()// -create systemd -pam_systemd -> systemd: start if not running yet -libpam -> pam_single_kcm_cache : //pam_sm_open_session()// -pam_single_kcm_cache -> sssd_kcm : iterate all suitable caches to find newest TGT -note right: the default cache might be KCM:$UID:61555 or not -pam_single_kcm_cache -> new_cache: get TGT -pam_single_kcm_cache -> sssd_kcm : create new random cache -create random_cache -sssd_kcm -> random_cache: create -pam_single_kcm_cache -> random_cache: place newest TGT -pam_single_kcm_cache -> libpam: set //KRB5CCNAME=KCM:$UID:sitmchszro// -create bash -sshd -> bash : start - -@enduml - - diff --git a/admin-guide/deployment/rhel8/_static/kerberos_systemd_user.png b/admin-guide/deployment/rhel8/_static/kerberos_systemd_user.png deleted file mode 100644 index e090f1c8..00000000 Binary files a/admin-guide/deployment/rhel8/_static/kerberos_systemd_user.png and /dev/null differ diff --git a/admin-guide/deployment/rhel8/_static/kerberos_systemd_user.puml b/admin-guide/deployment/rhel8/_static/kerberos_systemd_user.puml deleted file mode 100644 index 8953eb1e..00000000 --- a/admin-guide/deployment/rhel8/_static/kerberos_systemd_user.puml +++ /dev/null @@ -1,35 +0,0 @@ -@startuml - -title - **Startup of Systemd User Instance** - One single //systemd --user// instance spans from the start of the first session - to the end of the last session and has access to the same credential cache as the desktop. -end title -hide footbox - -box Systemd User Instance - participant "systemd --user" as systemd - participant libpam - participant "pam_single_kcm_cache.so" as pam_single_kcm_cache -end box -box KCM - participant "sssd-kcm" as sssd_kcm - participant "credential cache KCM:$UID:61555" as default_cache - participant "credential cache KCM:$UID:desktop" as shared_cache -end box - -note over systemd : no authentication step -systemd -> libpam : setup session -libpam -> pam_single_kcm_cache : //pam_sm_open_session()// -pam_single_kcm_cache -> sssd_kcm : iterate all suitable caches to find newest TGT -note right: the default cache may change in between -pam_single_kcm_cache -> default_cache: get TGT -pam_single_kcm_cache -> sssd_kcm : create shared cache if not yet exists -create shared_cache -sssd_kcm -> shared_cache: create -pam_single_kcm_cache -> shared_cache: place newest TGT -pam_single_kcm_cache -> libpam: set //KRB5CCNAME=KCM:$UID:desktop// - -@enduml - - diff --git a/admin-guide/deployment/rhel8/desktop.md b/admin-guide/deployment/rhel8/desktop.md deleted file mode 100644 index 8142b7ed..00000000 --- a/admin-guide/deployment/rhel8/desktop.md +++ /dev/null @@ -1,55 +0,0 @@ -# Desktop on RHEL 8 - -## Many Servers and Managers - -Following software is involved in getting the desktop on Linux up and running. - -- **Display Server** paints the image onto the screen - - **Xorg**: good ol' Unix X Server with network redirection - - **Wayland**: new and modern -- **Display Manager** shows up at startup to authenticate the user and then start the desktop session - - **gdm** Gnome Display Manager is default on RHEL 8 - - **lightdm** is very flexible, but automatic Gnome screen lock does not work with it, manual locking would be needed (`dm_tool lock`) - - **sddm** the Simple Desktop Display Manager from the KDE world fails due to a kernel bug on RHEL 8.6 -- **Greeter**: user interface part of the display manager, e.g. for `lightdm` it is exchangable -- **Accounts Service** (`accounts-daemon`) used by `gdm` to learn about/store user information (last desktop session, profile image, etc) -- **Session Manager** starts the actual desktop. The installed options are found in `/usr/share/wayland-sessions/` for `Wayland` and `/usr/share/xsessions/` for `Xorg`. - - **gnome-session** normal Gnome starter (for `Xorg` and `Wayland`) - - **gnome-session-custom-session** to select a specific saved Gnome session - - **icewm-session** IceWM starter, `Xorg` only - - **startxfce4** XFCE starter, `Xorg` only - - **startplasma-x11** KDE Plasma starter for `Xorg` - - **startplasma-wayland** KDE Plasma starter for `Wayland` - -Out of the box RHEL 8 starts Gnome using `gdm` and `Wayland`. `Xorg` is also supported. Others can be installed from EPEL, but there is no support from Red Hat. - -## PSI Specific Desktop Settings -Per default Puppet starts `gdm` which then starts Gnome with `Xorg` using `/usr/share/xsessions/gnome-xorg.desktop`. - -Normally the Display Managers offer the user to select one of the available Desktop Sessions (`*.desktop` files in `/usr/share/wayland-sessions/` and `/usr/share/xsessions/`). This has been disabled as normally at the PSI this is more set per system and not per user. - -In Hiera the actual Desktop Session to be started can be selected/overriden by setting the `desktop::session_manager` to one of the `.desktop` files in above listed directories. Set it e.g. to `gnome-wayland` to test `Wayland`. It will then end up as default session manager in `/etc/accountsservice/user-templates/standard`. - -Note when changing the default Session Manager, previous users will still get the one they used before. To reset that, you need to delete -- stop AccountsService (`systemctl stop accounts-daemon.service`) -- `/var/lib/AccountsService/users/*` (for `gdm`) -- `/var/cache/lightdm/dmrc/*.dmrc` (for `lightdm`) -- `/var/lib/lightdm/.cache/lightdm-gtk-greeter/state` (for `lightdm` with `lightdm-gtk-greeter`) -- start AccountsService (`systemctl start accounts-daemon.service`) - -### XFCE -XFCE is installed when `base::enable_xfce: true` is set in Hiera. -It then is also used by default with `base::xfce_default: true` or `desktop::session_manager: xfce`. - -### IceWM -IceWM is installed when `base::enable_icewm: true` is set in Hiera. -It then is also used by default with `desktop::session_manager: icewm-session`. - -### Using a different Desktop (e.g. KDE) -The respective Desktop needs to be installed, either manually or through Puppet. -The respective Session Manager can be set as system default in Hiera with `desktop::session_manager`. - -If a different Display Manager is needed, or `lightdm` on other occasions, then changes in our Puppet code are required. - - - diff --git a/admin-guide/deployment/rhel8/hardware_compatibility.md b/admin-guide/deployment/rhel8/hardware_compatibility.md deleted file mode 100644 index a66d91cb..00000000 --- a/admin-guide/deployment/rhel8/hardware_compatibility.md +++ /dev/null @@ -1,96 +0,0 @@ -# Hardware Compatibility - -Here are hardware tests with RHEL8 on standard PSI hardware documented. - -Generally speaking has Linux a rather good hardware compatibility with PC hardware, usually the older the hardware the better the support. - -## Desktop Hardware - -### HP Elite Mini 800 G9 Desktop PC -- ✔ NIC -- ✔ GPU -- ✔ HDMI -- ✔ DP -- ✔ USB -- ✔ Audio - -### HP Z2 Tower G9 Workstation Desktop PC -- ✔ NIC -- ✔ GPU -- ✔ DP -- ✔ USB -- ✔ Audio - -## Mobile Hardware - -### HP ZBook Studio 16 inch G10 Mobile Workstation PC -- ❌/✔ Installation only with extra steps -- ✔ NIC (HP USB-C to RJ45 Adapter G2) -- ✔ WLAN -- ✔ GPU -- ✔ USB -- ❌/✔ Audio (manual firmware binary install from https://github.com/thesofproject/sof-bin/ required), microphone and ear plugs work, but not the speaker -- ✔ Webcam -- ✔ Bluetooth -- SIM slot (not tested) -- fingerprint scanner (not tested) - -#### Installation -- Nouveau driver fails on the Nvidia chip, so modesetting needs to be disabled: -``` -bob node set-attr pcXYZ.psi.ch "kernel_cmdline=nomodeset nouveau.modeset=0" -``` -- Register the system "Pass Through" MAC address (you find it in the BIOS). -- Installation did not work with the "HP USB-C to RJ45 Adapter G2": use another, registered adapter or dock instead. - -### HP ZBook Studio 16 inch G11 Mobile Workstation PC -- ✔ NIC (HP USB-C to RJ45 Adapter G2) -- ✔ WLAN -- ❌/✔ GPU -- ✔ USB -- ❌ Monitor via USB C -- ✔ Audio -- ✔ Webcam -- ❌ Bluetooth -- SIM slot (not tested) -- fingerprint scanner (not tested) -#### Installation -The device has two GPUs, an Intel and an Nvidia: -``` -# lspci | grep VGA -00:02.0 VGA compatible controller: Intel Corporation Meteor Lake-P [Intel Arc Graphics] (rev 08) -01:00.0 VGA compatible controller: NVIDIA Corporation Device 28b9 (rev a1) -# -``` -With the propretary Nvidia driver this does not work, but with the open source Nouveau driver it is fine, except that it cannot handle more than the primary monitor. -To enable the Nouveau driver put `nvidia::driver::enable: false` in Hiera, run as root `puppet agent -t` and remove all Nvidia related driver packages, then reboot. - -### HP EliteBook 840 14 inch G10 Notebook PC -- ✔ WLAN -- ✔ GPU -- ✔ HDMI -- ✔ USB -- ✔ Audio -- ✔ Webcam -- ✔ Bluetooth -- SIM slot (not tested) -- Card reader (not tested) - - -## Test Details - -- network card by installation via network -- GPU by running graphical desktop, for Nvidia GPUs check if Nvidia drivers are used -- HDMI -- DP -- USB by mouse, keyboard -- notebook: - - wifi - - bluetooth (headset working?) - - microphone - - speaker - - webcam - - Dock - - network - - USB by mouse, keyboard - - HDMI diff --git a/admin-guide/deployment/rhel8/index.md b/admin-guide/deployment/rhel8/index.md deleted file mode 100644 index 2600782a..00000000 --- a/admin-guide/deployment/rhel8/index.md +++ /dev/null @@ -1,177 +0,0 @@ -# Red Hat Enterprise Linux 8 - -## Production Ready - -The central infrastructure (automatic provisioning, upstream package synchronisation and Puppet) are stable and production ready. - -The configuration management is done with Puppet like for RHEL 7. RHEL 7 and RHEL 8 hosts can share the same hierarchy in Hiera and thus also the "same" configuration. In cases where the configuration for RHEL 7 or RHEL 8 differs, the idea is to have both in parallel in Hiera and Puppet shall select the right one. - - -Please still consider also implementing following two migrations when moving to RHEL 8: -- migrate from Icinga1 to [Icinga2](../../configuration/monitoring/icinga2.md), as Icinga1 will be decommissioned by end of 2024 -- explicit [network configuration in Hiera](../../configuration/basic/networking.md) with `networking::setup`, especially if you have static IP addresses or static routes - -Bugs and issues can be reported in the [Linux Issues project](https://git.psi.ch/linux-infra/issues). - -## Documenation - -* [Installation](../basic_installation.md) -* [CUDA and Nvidia Drivers](nvidia) -* [Kerberos](kerberos) -* [Desktop](desktop) -* [Hardware Compatibility](hardware_compatibility) -* [Vendor Documentation](vendor_documentation) - -## Disk Layout -The default partition schema for RHEL8 is: - -- create one primary ``/boot`` partition of 1Gb; -- create the ``vg_root`` Volume Group that uses the rest of the disk; -- on ``vg_root`` create the following logical volumes: - - ``lv_root`` of 14 Gb size for ``/root``; - - ``lv_home`` of 2 Gb size for ``/home``; - - ``lv_var`` of 8 Gb size for ``/var``; - - ``lv_var_log`` of 3 Gb size for ``/var/log``; - - ``lv_var_tmp`` of 2 Gb size for ``/var/log``; - - ``lv_tmp`` of 2 Gb size for ``/tmp``. - -## Caveats - -### Missing or Replaced Packages - -[List of packages removed in RHEL 8](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/considerations_in_adopting_rhel_8/index#removed-packages_changes-to-packages) - -| RHEL 7 | RHEL 8 | remarks | -| --- | --- | --- | -| `a2ps` | recommends to use `enscript` instead | [`enscript` upstream](https://www.gnu.org/software/enscript/) [`a2ps` upstream](https://www.gnu.org/software/a2ps/) | -| `blt` | - | [`blt` upstream](http://blt.sourceforge.net/), does not work with newer Tk version ([source](https://wiki.tcl-lang.org/page/BLT)) | -| `gnome-icon-theme-legacy` | - | used for RHEL 7 Icewm | -| ... | ... | here I stopped research, please report/document further packages | -| `devtoolset*` | `gcc-toolset*` | | -| `git-cvs` | - | `cvs` itself is not supported by RHEL8, but available through EPEL. Still missing is the support for `git cvsimport`. | - - -### Missing RAID Drivers - -#### Missing RAID Drivers during Installation - -For RHEL 8 Red Hat phased out some hardware drivers, here is an [official list](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/considerations_in_adopting_rhel_8/hardware-enablement_considerations-in-adopting-rhel-8#removed-adapters_hardware-enablement), but I also found some stuff missing not listed there. - -Installation with an unsupported RAID adapter then fails as the installer does not find a system disk to use. - -To figure out what driver you need, best go the the installer shell or boot a rescue linux over the network and on the shell check the PCI Device ID of the RAID controller with - -``` -$ lspci -nn -... -82:00.0 RAID bus controller [0104]: 3ware Inc 9750 SAS2/SATA-II RAID PCIe [13c1:1010] (rev 05) -... -``` -The ID is in the rightmost square brackets. Then check if there are drivers available. - -I will now focus on [ElRepo](https://elrepo.org/) which provides drivers not supported any more by Red Hat. Check the PCI Device ID on their list of (https://elrepo.org/tiki/DeviceIDs). If you found a driver, then there are also [driver disks provided](https://linuxsoft.cern.ch/elrepo/dud/el8/x86_64/). - -There are two option in providing this driver disk to the installer: - -1. Download the according `.iso` file and extract it on an USB stick labelled with `OEMDRV` and have it connected during installation. -2. Extend the kernel command line with `inst.dd=$URL_OF_ISO_FILE`, e.g. with a custom Grub config on the [boot server](https://git.psi.ch/linux-infra/network-boot) or with the sysdb/bob attribute `kernel_cmdline`. - -([Red Hat documentation of this procedure](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_8_installation/index#updating-drivers-during-installation_installing-rhel-as-an-experienced-user)) - -At the end do not forget to enable the ElRepo RPM package repository in Hiera to also get new drivers for updated kernels: -``` -# enable 3rd-party drivers from ElRepo -rpm_repos::default: - - 'elrepo_rhel8' -``` - -#### Missing RAID Drivers on Kernel Upgrade - -If the machine does not boot after provisioning or after an kernel upgrade with -``` -Warning: /dev/mapper/vg_root-lv_root does not exist -Warning: /dev/vg_root/lv_root does not exist -``` -after a lot of -``` -Warning: dracut-initqueue timeout - starting timeout scripts -``` -the it could be that the RAID controller supported was removed with the new kernel, e.g. for the LSI MegaRAID SAS there is a [dedicated article](https://access.redhat.com/solutions/3751841). - -For the LSI MegaRAID SAS there is still a driver available in ElRepo, so it can be installed during provisioning by Puppet. -To do so add to Hiera: -``` -base::pkg_group::....: - - 'kmod-megaraid_sas' - -rpm_repos::default: - - 'elrepo_rhel8' -``` - -### AFS cache partition not created due to existing XFS signature -It can happen when upgrading an existing RHEL 7 installation that the puppet run produces -``` -Error: Execution of '/usr/sbin/lvcreate -n lv_openafs --size 2G vg_root' returned 5: WARNING: xfs signature detected on /dev/vg_root/lv_openafs at offset 0. Wipe it? [y/n]: [n] -``` -This needs to be fixed manually: -- run the complaining command and approve (or use `--yes`) -- run `puppet agent -t` to finalize the configuration - -### Puppet run fails to install KCM related service/timer on Slurm node - -The Puppet run fails with -``` -Notice: /Stage[main]/Profile::Aaa/Systemd::Service[kcm-destroy]/Exec[start-global-user-service-kcm-destroy]/returns: Failed to connect to bus: Connection refused -Error: '/usr/bin/systemctl --quiet start --global kcm-destroy.service' returned 1 instead of one of [0] -Error: /Stage[main]/Profile::Aaa/Systemd::Service[kcm-destroy]/Exec[start-global-user-service-kcm-destroy]/returns: change from 'notrun' to ['0'] failed: '/usr/bin/systemctl --quiet start --global kcm-destroy.service' returned 1 instead of one of [0] (corrective) -Notice: /Stage[main]/Profile::Aaa/Profile::Custom_timer[kcm-cleanup]/Systemd::Timer[kcm-cleanup]/Exec[start-global-user-timer-kcm-cleanup]/returns: Failed to connect to bus: Connection refused -Error: '/usr/bin/systemctl --quiet start --global kcm-cleanup.timer' returned 1 instead of one of [0] -Error: /Stage[main]/Profile::Aaa/Profile::Custom_timer[kcm-cleanup]/Systemd::Timer[kcm-cleanup]/Exec[start-global-user-timer-kcm-cleanup]/returns: change from 'notrun' to ['0'] failed: '/usr/bin/systemctl --quiet start --global kcm-cleanup.timer' returned 1 instead of one of [0] (corrective) -``` - -This is caused by the use of KCM as default Kerberos credential cache in RHEL8: - -- for RHEL8 it was recommended to use the KCM provided by sssd as Kerberos Credential Cache. -- a major issue of this KCM is that it does not remove outdated caches -- this leads to a Denial-of-Service situation when all 64 slots are filled, new logins start to fail after (this is persistent, reboot does not help). -- we fix this issue by running regularly cleanup script in user context -- this "user context" is handled by the `systemd --user` instance, which is started on the first login and keeps running until the last session ends. -- that systemd user instance is started by `pam_systemd.so` -- `pam_systemd.so` and `pam_slurm_adopt.so` conflict because both want to set up cgroups -- because of this there is no `pam_systemd.so` configured on Slurm nodes thus there is no `systemd --user` instance - -I see two options to solve this issue: -- do not use KCM -- get somehow systemd user instance running - - -#### do not use KCM -Can be done in Hiera, to get back to RHEL7 behavior do - - aaa::default_krb_cache: "KEYRING:persistent:%{literal('%')}{uid}" - -then there will be no KCM magic any more. -We could also make this automatically happen in Puppet when Slurm is enabled. - - -#### get somehow systemd user instance running -`pam_systemd.so` does not want to take its hands off cgroups: -https://github.com/systemd/systemd/issues/13535 - -But there is documented how to get (part?) of the `pam_systemd.so` functionality running with Slurm: -https://slurm.schedmd.com/pam_slurm_adopt.html#PAM_CONFIG -(the Prolog, TaskProlog and Epilog part). -I wonder if that also starts a `systemd --user` instance or not. Or if it is possible to somehow integrate the start of it therein. - - -### Workstation Installation Takes Long and Seams to Hang -On the very first puppet run the command to install the GUI packages takes up to 10 minutes and it looks like it -is hanging. Usually it is after the installation of `/etc/sssd/sssd.conf`. Just give it a bit time. - -### "yum/dnf search" Gives Permission Denied as Normal User -It works fine beside the below error message: -``` -Failed to store expired repos cache: [Errno 13] Permission denied: '/var/cache/dnf/x86_64/8/expired_repos.json' -``` -which is IMHO OK to not allow a normal user to do changes there. - diff --git a/admin-guide/deployment/rhel8/kerberos.md b/admin-guide/deployment/rhel8/kerberos.md deleted file mode 100644 index fc5dfcd0..00000000 --- a/admin-guide/deployment/rhel8/kerberos.md +++ /dev/null @@ -1,333 +0,0 @@ -# Kerberos on RHEL 8 - -This document describes the state of Kerberos on RHEL 8. -This includes the current open issues, a user guide and how we solved the KCM (Kerberos Cache Manager) issues. -At the bottom you find sequence diagrams showing the interactions concerning authentication and Kerberos. - -## Open Problems - -- cleanup of caches, else we might end up in DoS situation. Best we do this `systemd --unit` managed. -- Kerberos with Firefox does not work yet. - -## User Guide - -### Manage Ticket for Admin User -If you need for administrative operations a TGT from your admin user (e.g. `buchel_k-adm`), then do -``` -OLD_KRB5CCNAME=$KRB5CCNAME -export KRB5CCNAME=KCM:$(id -u):admin -kinit $(id -un)-adm -``` -and after you are done do -``` -kdestroy -export KRB5CCNAME=$OLD_KRB5CCNAME -``` -to delete your administrative tickets and to get back to your normal credential cache. - -### Update TGT on Long Running Sessions -The TGT will be automatically renewed for 7 days. -Note that a screen unlock or a new connection with NoMachine NX will update the credential cache with a new TGT. - -But also manual reauthentication is possible. Inside the session you can do -``` -kinit -``` -Outside of the session you first need to figure out the credential cache used. -First get the process ID of the process which needs authentication, then -``` -$ strings /proc/$PID/environ | grep KRB5CCNAME -KRB5CCNAME=KCM:44951:iepgjskbkd -$ -``` -and then a -``` -KRB5CCNAME=KCM:44951:iepgjskbkd kinit -``` -will update given credential cache. - -Note that for AFS it will look in all caches for a valid TGT, so logging in on the desktop or ssh with password or ticket delegation is sufficient to make AFS access work for another week. - -### List all Credential Caches -``` -KRB5CCNAME=KCM: klist -l -``` -lists all caches and -``` -KRB5CCNAME=KCM: klist -A -``` -also the tickets therein. - - -## Kerberos Use and Test Cases - -- ssh authentication (authentication method `gssapi-with-mic`) -- ssh TGT (ticket granting ticket) delegation (with `GSSAPIDelegateCredentials yes`) -- AFS authentication (`aklog`) -- AFS administrative operations where the user switches to a separate admin principal (e.g. `buchel_k-adm`) -- long running sessions with `nohup`, `tmux` and `screen` -- local desktop: get new TGT on login -- local desktop: TGT renewal after reauthentication on lock screen -- remote desktop with NoMachine NX: get new TGT on login -- remote desktop with NoMachine NX: TGT renewal after reconnection -- website authentication (`SPNEGO` with Firefox, Chrome) - -## KCM (Kerberos Cache Manager) - -In RHEL 7 we are using the `KEYRING` (kernel keyring) cache, -whereas for RHEL 8 there came early the wish to use KCM instead, -which also is the [new default](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/considerations_in_adopting_rhel_8/identity-management_considerations-in-adopting-rhel-8#kcm-replace-keyring-default-cache_considerations-in-adopting-RHEL-8). - -The Kerberos documentation contains a [reference for all available cache types]( https://web.mit.edu/kerberos/www/krb5-latest/doc/basic/ccache_def.html). - -The KCM cache is provided by a dedicated daemon, for RHEL8 this is `sssd_kcm` which has been programmed by Red Hat itself. - -### Advantages of KCM - -The advantage of KCM is that the caches are permanent and survive daemon restarts and system reboots without the need to fiddle around with files and file permission. This simplifies daemon and container use cases. -It also automatically renews tickets which is handy for every use case. - -### User Based vs Session Based - -Intuitively I would expect that something delicate as authentication is managed per session (ssh, desktop, console login, ...). - -Aparently with KCM this is not the case. It provides a default cache which is supposed to be the optimal for you and that can change any time. - -Problems I see with this are -- user may change his principal, eg. for admin operations (`kinit buchel_k-adm`) which is then used by all sessions -- user may destroy the cache (it is good security practice to have a `kdestroy` in `.bash_logout` to ensure nobody on the machine can use your tokens after logging out) -- software may put tokens into the cache which suddenly are not there any more -- the magic/heuristic used to select might not work optimally for all use cases (as we see below `sshd-kcm` fails horribly...) - -So if we have more than one session on a machine (e.g. people connecting via remote desktop and ssh at the same time), the cross-session side-effects can cause unexpected behaviour. - -In contrast to this for AFS token renewal having access to new tokens is helpful, as this allows prolong the time a `PAG` (group of processes authenticated against AFS) is working as long as there is at least one valid ticket available. -Or even to recover when a new ticket comes available again. - -A way to get KCM of of the business of selecting the "optimal" cache is to select it yourself and provide the session/software one specific cache by setting the `KRB5CCNAME` environment variable accordingly (e.g. `KCM:44951:66120`). Note when set to `KCM:` it will use as default cache the one KCM believes should be the default cache. And that can change for whatever reason. - - -### Problems of `sssd_kcm` - -To check the Kerberos credential cache, you can use `klist` to look a the current default cache and `klist -l` to look at all available caches. Note that the first listed cache is the default cache. Of course that is only valid when there is no `KRB5CCNAME` environment variable set or it is `KCM:`. - -#### No Cleanup of Expired Caches -The most obvious and [well known problem](https://github.com/SSSD/sssd/issues/3593) of `sshd-kcm` is that it does not remove expired tokens and credential caches. I agree that it should not have an impact as this is mostly cosmetic. But that is only the case when everything can cope with that... - -By default is is limited to 64 caches, but when that limit was hit, then it was not possible any more to authenticate on the lock screen: - -``` -Okt 05 14:57:11 lxdev01.psi.ch krb5_child[43689]: Internal credentials cache error -``` -So this causes a denial of service problem, we need to deal with somehow, e.g. by regulary removing expired caches. And note that these caches are persistent and do not get removed on reboot. - -#### Use of Expired Credential Caches -In below example you see that on the ssh login, I got a new default cache. But after a few minutes (there was a Desktop login from my side and maybe an automatic AFS token renewal in between), I get an expired cache as default cache. -``` -$ ssh lxdev01.psi.ch -Last login: Tue Oct 4 09:50:33 2022 -[buchel_k@lxdev01 ~]$ klist -l -Principal name Cache name --------------- ---------- -buchel_k@D.PSI.CH KCM:44951:42923 -buchel_k@D.PSI.CH KCM:44951:12312 (Expired) -buchel_k@D.PSI.CH KCM:44951:42199 (Expired) -buchel_k@D.PSI.CH KCM:44951:40168 -buchel_k@D.PSI.CH KCM:44951:8914 (Expired) -buchel_k@D.PSI.CH KCM:44951:62275 (Expired) -buchel_k@D.PSI.CH KCM:44951:27078 (Expired) -buchel_k@D.PSI.CH KCM:44951:73924 (Expired) -buchel_k@D.PSI.CH KCM:44951:72006 -buchel_k@D.PSI.CH KCM:44951:64449 (Expired) -buchel_k@D.PSI.CH KCM:44951:60061 (Expired) -buchel_k@D.PSI.CH KCM:44951:36925 (Expired) -buchel_k@D.PSI.CH KCM:44951:48361 (Expired) -buchel_k@D.PSI.CH KCM:44951:49651 (Expired) -buchel_k@D.PSI.CH KCM:44951:76984 (Expired) -buchel_k@D.PSI.CH KCM:44951:54227 (Expired) -buchel_k@D.PSI.CH KCM:44951:85800 (Expired) -[buchel_k@lxdev01 ~]$ klist -l -Principal name Cache name --------------- ---------- -buchel_k@D.PSI.CH KCM:44951:12312 (Expired) -buchel_k@D.PSI.CH KCM:44951:42199 (Expired) -buchel_k@D.PSI.CH KCM:44951:40168 -buchel_k@D.PSI.CH KCM:44951:8914 (Expired) -buchel_k@D.PSI.CH KCM:44951:62275 (Expired) -buchel_k@D.PSI.CH KCM:44951:27078 (Expired) -buchel_k@D.PSI.CH KCM:44951:73924 (Expired) -buchel_k@D.PSI.CH KCM:44951:72006 -buchel_k@D.PSI.CH KCM:44951:64449 (Expired) -buchel_k@D.PSI.CH KCM:44951:60061 (Expired) -buchel_k@D.PSI.CH KCM:44951:36925 (Expired) -buchel_k@D.PSI.CH KCM:44951:48361 (Expired) -buchel_k@D.PSI.CH KCM:44951:42923 -buchel_k@D.PSI.CH KCM:44951:49651 (Expired) -buchel_k@D.PSI.CH KCM:44951:76984 (Expired) -buchel_k@D.PSI.CH KCM:44951:54227 (Expired) -buchel_k@D.PSI.CH KCM:44951:85800 (Expired) -[buchel_k@lxdev01 ~]$ -``` -Note that the automatic AFS token renewal was created after we have experienced this issue. - - -#### Busy Loop of `goa-daemon` -If the [GNOME Online Accounts](https://wiki.gnome.org/Projects/GnomeOnlineAccounts) encounters a number of Kerberos credential caches it goes into a busy loop and causes `sssd-kcm` to consume 100% of one core. Happily ignored bugs at [Red Hat](https://bugzilla.redhat.com/show_bug.cgi?id=1645624#c113) and [Gnome](https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/issues/79). - -#### Zombie Caches by NoMachine NX -On a machine with remote desktop access using NoMachine NX I have seen following cache list in the log: -``` -# /usr/bin/klist -l -Principal name Cache name --------------- ---------- -fische_r@D.PSI.CH KCM:45334:73632 (Expired) -buchel_k@D.PSI.CH KCM:45334:55706 (Expired) -fische_r@D.PSI.CH KCM:45334:44226 (Expired) -fische_r@D.PSI.CH KCM:45334:40904 (Expired) -fische_r@D.PSI.CH KCM:45334:62275 (Expired) -fische_r@D.PSI.CH KCM:45334:89020 (Expired) -buchel_k@D.PSI.CH KCM:45334:25061 (Expired) -buchel_k@D.PSI.CH KCM:45334:35168 (Expired) -fische_r@D.PSI.CH KCM:45334:73845 (Expired) -fische_r@D.PSI.CH KCM:45334:47508 (Expired) -fische_r@D.PSI.CH KCM:45334:34317 (Expired) -fische_r@D.PSI.CH KCM:45334:52058 (Expired) -fische_r@D.PSI.CH KCM:45334:16150 (Expired) -fische_r@D.PSI.CH KCM:45334:84445 (Expired) -fische_r@D.PSI.CH KCM:45334:69076 (Expired) -buchel_k@D.PSI.CH KCM:45334:87346 (Expired) -fische_r@D.PSI.CH KCM:45334:57070 (Expired) -``` -or on another machine in my personal list: -``` -[buchel_k@pc14831 ~]$ klist -l -Principal name Cache name --------------- ---------- -buchel_k@D.PSI.CH KCM:44951:69748 -buchel_k@D.PSI.CH KCM:44951:18506 (Expired) -buchel_k@D.PSI.CH KCM:44951:5113 (Expired) -buchel_k@D.PSI.CH KCM:44951:52685 (Expired) -buchel_k@D.PSI.CH KCM:44951:13951 (Expired) -PC14831$@D.PSI.CH KCM:44951:43248 (Expired) -PC14831$@D.PSI.CH KCM:44951:58459 (Expired) -buchel_k@D.PSI.CH KCM:44951:14668 (Expired) -buchel_k@D.PSI.CH KCM:44951:92516 (Expired) -[buchel_k@pc14831 ~]$ -``` -Both show principals which I am very sure that they have not been added manually by the user. And somewhere there is a security issue, either `sssd-kcm` or NoMachine NX. - -In another experiment I logged into a machine with `ssh` and did `kdestroy -A` which should destroy all caches: - -``` -[buchel_k@mpc2959 ~]$ kdestroy -A -[buchel_k@mpc2959 ~]$ klist -l -Principal name Cache name -[buchel_k@mpc2959 ~]$ -``` - -After I logged in via NoMachine NX I got a cache expired since more than two month: - -``` -[buchel_k@mpc2959 ~]$ klist -l -Principal name Cache name - -buchel_k@D.PSI.CH KCM:44951:16795 (Expired) -buchel_k@D.PSI.CH KCM:44951:69306 -[buchel_k@mpc2959 ~]$ klist -Ticket cache: KCM:44951:16795 -Default principal: buchel_k@D.PSI.CH - -Valid starting Expires Service principal -13.07.2022 11:35:51 13.07.2022 21:26:19 krbtgt/D.PSI.CH@D.PSI.CH -renew until 14.07.2022 11:26:19 -[buchel_k@mpc2959 ~]$ date -Do Sep 22 08:37:41 CEST 2022 -[buchel_k@mpc2959 ~]$ -``` -Note that a non-expired cache is available, but NoMachine NX explicitely sets `KRB5CCNAME` to a specific KCM cache. And it contains a ticket/cache which is supposed to the gone. - -So there is a security bug in `sssd-kcm`: it does not fully destroy tickets when being told so. And there is another security issue in the NoMachine NX -> `sssd-kcm` interaction. I assume that it talks with the KCM as root and gets somehow (or has saved somewhere) old caches and moves them over into user context. But the cache may originally not have belonged to the user... - -I have not found a lot concerning Kerberos on the NoMachine website. - -## Solution Attempts - -Ideally we would get to a solution which can do the following: - -- interactive user sessions are isolated do not interfer with each other -- AFS can get hold of new tickets and inject them into the PAGs as long as the user somehow regularly authenticates -- `systemd --user` which is residing outside of the interactive user sessions is happy as well -- `goa-daemon` sees only one cache -- expired caches get somehow cleaned up - - -### Only One Cache - -The `sssd-kcm` limits the number of caches by default to 64, but that can be changed to 1 with the `max_uid_ccaches`. -So there would be only one cache, shared by all sessions, but at least the KCM cannot serve anything but the latest. - -But some logins do not work any more when the maximum number of caches is hit as already documented above in the chapter "No Cleanup of Expired Caches". - - -### renew-afstoken Script/Daemon - -For AFS we (Achim and I) made the script `renew-afstoken` which is started as per PAG daemon by PAM upon login. -Out of the available KCM caches it selects a suitable one to regulary get a new AFS token. -This now works very robust and can also recover from expiration when a new ticket gets available. - - -### Setup Shared or Isolated Caches with KRB5CCNAME in own PAM Module - -The self-made PAM module `pam_single_kcm_cache.so` improves the situation by setting - -- `KRB5CCNAME=KCM:$UID:desktop` to use a shared credential cache for desktop sessions and `systemd --user` -- `KRB5CCNAME=KCM:$UID:$RANDOM_LETTERS` for text sessions to provide session isolation - -and providing a working TGT in these caches. - -I identified so far two cases of the program flow in PAM to manage: -- **TGT delegation** as done by `sshd` with authentication method `gssapi-with-mic`, where a new cache is created by `sshd` and then filled with the delegated ticket -- **TGT creation** as done by `pam_sss.so` upon password authentication, where a new TGT is created an placed into the `KCM` managed default cache. - -Now there is no simple and bullet proof selection of where the TGT ends up in KCM. -The KCM designated default cache might it be or not. -To work around this, the module iterates through all credential caches provided by the KCM copies a TGT which is younger than 10 s and has a principal fitting the username. - -Note that the reason for `systemd --user` to use the same credential cache as the desktop sessions is that at least Gnome uses it to start the user programs like Evolution or Firefox. - -The code is publicly available on [Github](https://github.com/paulscherrerinstitute/pam_single_kcm_cache). - -## Diagrams about Kerberos related Interactions - -Below diagrams show how PAM and especially `pam_single_kcm_cache.so` interact with the KCM in different use cases. - -### Login with SSH using Password Authentication -![Login with SSH and Password Authentication](_static/kerberos_sshd_password_only.png) - -That is kind of the "common" authentication case where all important work is done in PAM. This is the same for login on the virtual console or when using `su` with password. At the end there is an shell session with a credential cache which is not used by any other session (unless the user shares it somehow manually). Like this session isolation is achieved. - -### Login with SSH using Kerberos Authentication and TGT Delegation -![Login with SSH and Password Authentication](_static/kerberos_sshd_tgt_delegation.png) - -This is a bit simpler as all the authentication is done in `sshd` and only the session setup is done by PAM. Note that `sshd` does not use the default cache, but instead creates always a new one with the delegated TGT. - -### Systemd User Instance - -In above diagrams we see how `systemd --user` is being started. It is also using PAM to setup its own session, but it does not do any authentication. - -![Login with SSH and Password Authentication](_static/kerberos_systemd_user.png) - -Here we use a predefined name for the credential cache so it can be shared with the desktop sessions. The next diagram shows more in detail how `systemd --user` and the Gnome desktop interact. - -### Gnome Desktop - -This is the most complex use case: - -![Gnome Desktop](_static/kerberos_desktop.png) - -At the end we have a well known shared credential cache between Gnome and `systemd --user`. This is needed `systemd --user` is used extensively by Gnome. Important is that the Kerberos setup already happens at authentication phase as there is no session setup phase for screen unlock as the user returns there to an already existing session. - -With NoMachine NX this is configured similarly. - -## PS -There is an advantage in the broken `sssd-kcm` default cache selection: it forces us to make our stuff robust against KCM glitches, which might also occur with a better manager, just way less often and then it would be more harder to explain and to track down. diff --git a/admin-guide/deployment/rhel8/nvidia.md b/admin-guide/deployment/rhel8/nvidia.md deleted file mode 100644 index ed9a5ac3..00000000 --- a/admin-guide/deployment/rhel8/nvidia.md +++ /dev/null @@ -1,175 +0,0 @@ -# CUDA and Proprietary Nvidia GPU Drivers on RHEL 8 - -Managing Nvidia software comes with its own set of challenges. -For the most common cases are covered by our Puppet configuration. -Those are discussed in the first chapter, more details you find more below. - - -## Hiera Configuration - -Changes in Hiera are forwared by Puppet to the node, but **not applied**. -They are applied on **reboot**. -Alternatively you might execute `/opt/pli/libexec/ensure-nvidia-software` in a safe moment (no process using CUDA and the desktop will be restarted). - -### I just need the Nvidia GPU drivers - -Nothing needs to be done, they are installed by default when Nvidia GPUs or accelerators are found. - -### I need CUDA - -Set in Hiera `nvidia::cuda::enable true` and it will automatically install the suitable Nvidia drivers and newest possible CUDA version. - -The `nvidia_persistenced` service is automatically started. If you do not want it, to set `nvidia::cuda::nvidia_persistenced::enable: false`. - -### I need a specific CUDA version - -Then you can additionally set `nvidia::cuda::version` to the desired version. -The version must be fully specified (all three numbers, with X.Y.0 for the GA version). - -Note that newer CUDA versions do not support older drivers, for details see Table 3 in the [CUDA Release Notes](https://docs.nvidia.com/cuda/cuda-toolkit-release-notes/index.html). - -### I do not want the Nvidia drivers - -Set in Hiera `nvidia::driver::enable: false`. Note this will be ignored if CUDA is enabled (see above). - -Note they do not get automatically removed when already installed. That you would need to do by hand. - -### I need the Nvidia drivers from a specific driver branch - -The driver branch can be selected in Hiera with `nvidia::driver::branch`. It will then use the latest driver version of that branch. Note that only production branches are available in the PSI package repository. - -### I need a Nvidia driver of a given version - -This is not recommended, still it is possible to do so by setting the exact driver version (X.Y.Z, excluding the package iteration number) in Hiera with `nvidia::driver::version`. - -If the driver version is too old, it will install an older kernel version and you will need a second reboot to activate it. - -### My hardware is very old - -The oldest driver branch packaged by Nvidia for RHEL 8 is `470`. For hardware only supported by older drivers it falls back to ElRepo packaged drivers. You might do that also on purpose in Hiera by setting `nvidia::driver::branch: elrepo` (or when you want an specific ElRepo branch: `nvidia::driver::branch: 390xx`). - -Or you might just live with the fallback to Nouveau (`nvidia::driver::enable: false` in Hiera). - -Alternatively you might also just download and install the Nvidia driver manually. -Go to their [Download page](https://www.nvidia.de/Download/index.aspx), select and download the according installer and run it. -You best keep Puppet off your driver by setting `nvidia::driver::enable: false` in Hiera. - -## Versioning Mess - -I did not find much information about Nvidia driver version structure and policy. Still I concluded that they use following pattern. - -### Driver Branches - -Their drivers are oranized in driver branches. As you see for example in their [Unix Driver Archive](https://www.nvidia.com/en-us/drivers/unix/) noted as e.g. `470.xx series`. - -There are `Production` and `New Feature` branches (and, on the above linked page, a `Beta Version` which is not linked to any of the above branches (yet?)). - -Such a branch can be considered a major release and with new braches adding support for new hardware or removing support for old hardware. -The drivers within certain branches are maintained quite a long time. Individual drivers in that branch get increasing version numbers which just start with the same first "branch" number. - -In the RPM repo there are more branches available than listed in the [Unix Driver Archive](https://www.nvidia.com/en-us/drivers/unix/). It is not possible to find out retrospectively to what type of branch it belongs. My guess is that the "Legacy" section lists only the production/long term support branches. - -Also it is not possible to find out from the package meta information if a driver is considered beta or not. That you only find out by googling "Nvidia $DRIVER_VERSION" and looking at the respective driver page. In my experience the first few driver versions of a branch are usually "beta". - -### What Driver \[Branch] for which Hardware - -The most authorative way to do so is to chech the [Appendix A of the README of a recent driver](http://us.download.nvidia.com/XFree86/Linux-x86_64/525.78.01/README/supportedchips.html). -There search for your model or PCI ID. Then check out at the top of the respective table which legacy driver it still supports. -Or it might be the current driver. - -Another more automated option to figure out the driver is the third-party tool [`nvidia-detect`](http://elrepo.org/tiki/nvidia-detect) by ElRepo. It tells which driver package from ElRepo it suggests, but it can also be used to figure out which production/long term support branch can be used. - -### CUDA - Driver Compatibility - -A CUDA version needs a suitably new driver version, but old CUDA versions are supported by newer driver versions (drivers are backwards-compatible). To figure out up to which CUDA version runs on your installed driver, check out "Table 3" of the [CUDA release notes](https://docs.nvidia.com/cuda/cuda-toolkit-release-notes/index.html). For each driver branch there is a major 11.x.0 release with possible further bugfix releases. - - -## Manual Operation - -Instead of using Puppet/Hiera, you may also manage the drivers manually. - -Note that drivers made available by default are curated, that means it contains only non-beta production drivers. If you want all drivers available, you need to use `https://repos.psi.ch/rhel8/sources/cuda8/` as URL for the package repository. - -### Select the Driver Branch - -In the RPM package repository the driver branches are mapped to module streams, so there are different streams for different branches and `dnf module list nvidia-driver` will tell you what is available: - -``` -# dnf module list nvidia-driver -Last metadata expiration check: 2:37:29 ago on Mon 28 Nov 2022 09:15:57 AM CET. -CUDA and drivers from Nvidia -Name Stream Profiles Summary -nvidia-driver latest default [d], fm, ks, src Nvidia driver for latest branch -nvidia-driver latest-dkms [d] default [d], fm, ks Nvidia driver for latest-dkms branch -nvidia-driver open-dkms default [d], fm, ks, src Nvidia driver for open-dkms branch -nvidia-driver 418 default [d], fm, ks, src Nvidia driver for 418 branch -nvidia-driver 418-dkms default [d], fm, ks Nvidia driver for 418-dkms branch -nvidia-driver 440 default [d], fm, ks, src Nvidia driver for 440 branch -nvidia-driver 440-dkms default [d], fm, ks Nvidia driver for 440-dkms branch -nvidia-driver 450 default [d], fm, ks, src Nvidia driver for 450 branch -nvidia-driver 450-dkms default [d], fm, ks Nvidia driver for 450-dkms branch -nvidia-driver 455 default [d], fm, ks, src Nvidia driver for 455 branch -nvidia-driver 455-dkms default [d], fm, ks Nvidia driver for 455-dkms branch -nvidia-driver 460 default [d], fm, ks, src Nvidia driver for 460 branch -nvidia-driver 460-dkms default [d], fm, ks Nvidia driver for 460-dkms branch -nvidia-driver 465 default [d], fm, ks, src Nvidia driver for 465 branch -nvidia-driver 465-dkms default [d], fm, ks Nvidia driver for 465-dkms branch -nvidia-driver 470 default [d], fm, ks, src Nvidia driver for 470 branch -nvidia-driver 470-dkms [e] default [d] [i], fm, ks Nvidia driver for 470-dkms branch -nvidia-driver 495 default [d], fm, ks, src Nvidia driver for 495 branch -nvidia-driver 495-dkms default [d], fm, ks Nvidia driver for 495-dkms branch -nvidia-driver 510 default [d], fm, ks, src Nvidia driver for 510 branch -nvidia-driver 510-dkms default [d], fm, ks Nvidia driver for 510-dkms branch -nvidia-driver 515 default [d], fm, ks, src Nvidia driver for 515 branch -nvidia-driver 515-dkms default [d], fm, ks Nvidia driver for 515-dkms branch -nvidia-driver 515-open default [d], fm, ks, src Nvidia driver for 515-open branch -nvidia-driver 520 default [d], fm, ks, src Nvidia driver for 520 branch -nvidia-driver 520-dkms default [d], fm, ks Nvidia driver for 520-dkms branch -nvidia-driver 520-open default [d], fm, ks, src Nvidia driver for 520-open branch - -Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled -# -``` -The first try would be to pick the number of the desired branch. Currently the `520*` and `latest` are empty because the drivers where removed. - -The "number only" module streams contain precompiled drivers for some kernels. Note that for older branches or older drivers it may not be precompiled for the latest kernel version. For older branches I had the experience that the `*-dkms` module stream works better for newer kernels. But I did not manage to do "real" DKMS with them, that means compiling the translation layer of any given driver version for whatever kernel. Feel free to update this guide or to tell the Core Linux Team if you found a working procedure. - -Finally the `*-open` module streams contain the new open source drivers which currently do not provide the full feature set of the propretiary ones. - -### Install a Driver - -Best works to install the whole module stream: -``` -dnf module install "nvidia-driver:$STREAM" -``` - -Alternatively the module stream might be enabled first (`dnf module enable "nvidia-driver:$STREAM"`) and the packages installed individually after, but then you have to figure out yourself what all is needed. - -If the installation command is rather unhappy and complains a lot about `is filtered out by modular filtering`, then there is already a module stream enabled and some driver installed. So to clean that up do: -``` -dnf remove cuda-driver nvidia-driver -dnf module reset nvidia-driver -``` -Note that this will also remove installed CUDA packages. - -### Install CUDA - -It is not recommended to install the `cuda` meta-package directly, because that required the latest drivers from the "new feature" branch. It is better to install the `cuda-11-x` meta-package instead, which installs the CUDA version suitable to your driver and keeps it then updated with bugfix releases to this specific major release. Check out the Table 3 in the [CUDA Release Notes](https://docs.nvidia.com/cuda/cuda-toolkit-release-notes/index.html) for details. - -The `cuda` meta-package is by default excluded as explained above. If you still want to use it, do -``` -dnf --disableexcludes cuda install cuda -``` - -After manual CUDA installation you should think about enabling and starting `nvidia-persistenced`: -``` -systemctl enable nvidia-persistenced -systemctl start nvidia-persistenced -``` - - -## Regular Tasks by the Core Linux Team -- classify new driver branches and beta versions in the [snapshot preparation script](https://git.psi.ch/linux-infra/rpm-repo-utils/-/blob/main/bin/fix-snapshot/20_remove_nvidia_beta_drivers#L90) -- update the latest production branch in [Puppet managed vidia software installation script](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/code/modules/profile/files/nvidia/ensure-nvidia-software#L17) -- add more production/long term support branches supported by [`nvidia-detect`](http://elrepo.org/tiki/nvidia-detect) to the [Puppet managed Nvidia software installation script](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/code/modules/profile/files/nvidia/ensure-nvidia-software#L62) -- update the [driver version to CUDA version mapping script](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/code/modules/profile/files/nvidia/suitable_cuda_version#L21) according to new entries in the [CUDA Release Notes](https://docs.nvidia.com/cuda/cuda-toolkit-release-notes/index.html) diff --git a/admin-guide/deployment/rhel8/vendor_documentation.md b/admin-guide/deployment/rhel8/vendor_documentation.md deleted file mode 100644 index fd413776..00000000 --- a/admin-guide/deployment/rhel8/vendor_documentation.md +++ /dev/null @@ -1,37 +0,0 @@ -# Vendor Documentation - -## User Documentation - - * [Using the desktop environment in RHEL-8](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_the_desktop_environment_in_rhel_8/) - -## Administrator Documentation - - * [Configuring basic system settings](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/) - * [Administration and configuration tasks using System Roles in RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/administration_and_configuration_tasks_using_system_roles_in_rhel/) - * [Deploying different types of servers](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/) - * [Using SELinux ](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/) - -## Product Documentation - -### Red Hat Enterprise Linux 8 - * [Red Hat Enterprise Linux 8](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/) - -### Red Hat Ansible Tower (AWX) - * [Red Hat Ansible Tower (AWX)](https://docs.ansible.com/ansible-tower/) - * [Red Hat Ansible Tower (AWX) Installation and Reference Guide](http://docs.ansible.com/ansible-tower/latest/html/installandreference/index.html) - * [Red Hat Ansible Tower (AWX) User Guide](http://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - * [Red Hat Ansible Tower (AWX) Adminsitration Guide](http://docs.ansible.com/ansible-tower/latest/html/administration/index.html) - -### Red Hat Ansible Engine - * [Ansible Documentation Overview](https://docs.ansible.com/) - * [Ansible Engine](https://docs.ansible.com/ansible/latest/index.html) - * [Ansible User Guide](https://docs.ansible.com/ansible/latest/user_guide/index.html) - -### Red Hat Satellite - * [Red Hat Satellite Documentation](https://access.redhat.com/documentation/en-us/red_hat_satellite/6.9/) - * [Administering Red Hat Satellite](https://access.redhat.com/documentation/en-us/red_hat_satellite/6.9/html/administering_red_hat_satellite/) - * [Managing Hosts](https://access.redhat.com/documentation/en-us/red_hat_satellite/6.9/html/managing_hosts/) - * [Provisioning Guide](https://access.redhat.com/documentation/en-us/red_hat_satellite/6.9/html/provisioning_guide/) - * [Content Management Guide](https://access.redhat.com/documentation/en-us/red_hat_satellite/6.9/html/content_management_guide/) - * [Adding Custom RPM Repositories](https://access.redhat.com/documentation/en-us/red_hat_satellite/6.9/html/content_management_guide/importing_custom_content#Importing_Custom_Content-Creating_a_Custom_RPM_Repository) - * [Uploading Content to Custom RPM Repositories](https://access.redhat.com/documentation/en-us/red_hat_satellite/6.9/html/content_management_guide/importing_custom_content#uploading-content-to-a-custom-rpm-repository) diff --git a/admin-guide/deployment/rhel9/hardware_compatibility.md b/admin-guide/deployment/rhel9/hardware_compatibility.md deleted file mode 100644 index 493709e8..00000000 --- a/admin-guide/deployment/rhel9/hardware_compatibility.md +++ /dev/null @@ -1,87 +0,0 @@ -# Hardware Compatibility - -Here are hardware tests with RHEL9 on standard PSI hardware documented. - -Generally speaking has Linux a rather good hardware compatibility with PC hardware, usually the older the hardware the better the support. - -## Desktop Hardware - -### HP Elite Mini 800 G9 Desktop PC -- ✔ NIC -- ✔ GPU -- ✔ HDMI -- ✔ DP -- ✔ USB -- ✔ Audio - -### HP Z2 Tower G9 Workstation Desktop PC -- ✔ NIC -- ✔ GPU -- ✔ DP -- ✔ USB -- ✔ Audio - -## Mobile Hardware - -### HP ZBook Studio 16 inch G10 Mobile Workstation PC -- ❌/✔ Installation only with extra steps -- ✔ NIC (HP USB-C to RJ45 Adapter G2) -- ✔ WLAN -- ✔ GPU -- ✔ USB -- ❌/✔ Audio (manual firmware binary install from https://github.com/thesofproject/sof-bin/ required), microphone and ear plugs work, but not the speaker -- ✔ Webcam -- ✔ Bluetooth -- SIM slot (not tested) -- fingerprint scanner (not tested) - -#### Installation -- Nouveau driver fails on the Nvidia chip, so modesetting needs to be disabled: -``` -bob node set-attr pcXYZ.psi.ch "kernel_cmdline=nomodeset nouveau.modeset=0" -``` -- Register the system "Pass Through" MAC address (you find it in the BIOS). -- Installation did not work with the "HP USB-C to RJ45 Adapter G2": use another, registered adapter or dock instead. -- At the final boot the Nvidia drivers are installed automatically, but cannot be activated and the screen turns black. Power off and on again, then the Nvidia drivers get loaded properly on the next boot. - -### HP ZBook Studio 16 inch G11 Mobile Workstation PC - -- ✔ NIC (HP USB-C to RJ45 Adapter G2) -- ✔ WLAN -- ✔ GPU -- ✔ USB -- ✔ Monitor via USB C -- ✔ Audio -- ✔ Webcam -- ✔ Bluetooth -- SIM slot (not tested) -- fingerprint scanner (not tested) - -### HP EliteBook 840 14 inch G10 Notebook PC -- ✔ WLAN -- ✔ GPU -- ✔ HDMI -- ✔ USB -- ❌/✔ Audio (manual firmware binary install from https://github.com/thesofproject/sof-bin/ required) -- ✔ Webcam -- ✔ Bluetooth -- SIM slot (not tested) -- Card reader (not tested) - -## Test Details - -- network card by installation via network -- GPU by running graphical desktop, for Nvidia GPUs check if Nvidia drivers are used -- HDMI -- DP -- USB by mouse, keyboard, monitor (USB C) -- notebook: - - wifi - - bluetooth (headset working?) - - microphone - - speaker - - webcam - - Dock - - network - - USB by mouse, keyboard - - HDMI diff --git a/admin-guide/deployment/rhel9/index.md b/admin-guide/deployment/rhel9/index.md deleted file mode 100644 index 522749ee..00000000 --- a/admin-guide/deployment/rhel9/index.md +++ /dev/null @@ -1,66 +0,0 @@ -# Red Hat Enterprise Linux 9 - -## Hardware Compatibility -- [Hardware Compatibility](hardware_compatibility.md) - -## Alpha Testing - -We encourage you to install RHEL9 on testing systems and tell us what we may have broken, what bugs you run into and what features you are missing. Please be aware of certain things we changed on how we want the base operating system to work, listed below. - -Bugs and issues can be reported in the [Linux Issues project](https://git.psi.ch/linux-infra/issues). - -Additional ressource [Considerations in adopting RHEL 9](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/considerations_in_adopting_rhel_9/index#doc-wrapper) - - -## Install Documentation -* [Installation Documentation](../basic_installation.md) - -## Changes for Base Installation - -### No Support for AFS -The future support model for AFS or the service and functionality it provides is currently under consideration. Consequently it has been decided not to support AFS in the PSI RHEL9 distribution at the time being. - - -### Network Configuration -By default the network configuration is handed over to NetworkManager which does automatic configuation. - -If you wish different behaviour, e.g. for static IP addresses, please check out the [Network Configuration guide](../../configuration/basic/networking.md). - - -### Disk Layout -Provided disk size is 64GB for virtual machines. - -| Name | Path | Size | Type | LVM | -| --- | --- | --- | --- | --- | -| root | / | 16GB | xfs | yes | -| home | /home | 2GB | xfs | yes | -| tmp | /tmp | 2GB | xfs | yes | -| var | /var | 16GB | xfs | yes | -| log | /var/log | 4GB | xfs | yes | -| boot | /boot | 1GB | ext4 | no | -| swap | - | 4GB | swap | no | - - -### Workstation Package Groups -Changed the ammount of packages installed by default on workstation installation. See the comparison below: - -| RHEL 7&8 | RHEL 9 | -| --- | --- | -|
  • VMware platform specific packages (platform-vmware)
  • Container Management (container-management)
  • Internet Browser (internet-browser)
  • GNOME (gnome-desktop)
  • Headless Management (headless-management)
  • Server product core (server-product)
  • Hardware Monitoring Utilities (hardware-monitoring)
  • base-x (base-x)
  • core (core)
  • fonts (fonts)
  • guest-desktop-agents (guest-desktop-agents)
  • hardware-support (hardware-support)
  • input-methods (input-methods)
  • multimedia (multimedia)
  • networkmanager-submodules (networkmanager-submodules)
  • print-client (print-client)
  • standard (standard)
|
  • Internet Browser
  • VMware platform specific packages (platform-vmware)
  • GNOME (gnome-desktop)
  • Core (core)
  • fonts (fonts)
  • multimedia (multimedia)
  • office-suite (office-suite)
  • print-client (print-client)
| - - -## Caveats - -### Missing or Replaced Packages - -[List of packages removed in RHEL 9](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/considerations_in_adopting_rhel_9/index#removed-packages_assembly_changes-to-packages) - -| RHEL 8 | RHEL 9 | Remarks | -| --- | --- | --- | -| `mailx` | `s-nail` | S-nail is MIME capable and has extensions for line editing, S/MIME, SMTP, IMAP, POP3, and more. | -| `platform-python, python2 (python27:2.7), python36 (python36:3.6), python38 (python38:3.8), python39 (python39:3.9)` | `python3` | As for all python* packages | -| `pulseaudio` | `pipewire-pulseaudio` | The pulseaudio server implementation has been replaced by the pipewire-pulseaudio implementation. Note that only the server implementation has been switched. The pulseaudio client libraries are still in use. | -| `inkscape1` | `inkscape` | Also affects `inkscape-docs` and `inkscape-view` | - - - diff --git a/admin-guide/guidelines.md b/admin-guide/guidelines.md deleted file mode 100644 index dd6953c5..00000000 --- a/admin-guide/guidelines.md +++ /dev/null @@ -1,53 +0,0 @@ -# Guidelines - -## General Directives -Regardless of the content of this documentation, all PSI directives have precedence and need to be applied/followed. Among others these are some of the most relevant ones regarding IT systems: - -- [AW-95-06-01](https://DLS01P.PSI.CH/documents/jsp/qv?id=PSIcgc_fi20220000526102) / [AW-95-06-01e](https://DLS01P.PSI.CH/documents/jsp/qv?id=PSIcgc_fi20220000526095) Usage and Monitoring of IT Ressources at PSI -- [AA-9500-142](https://DLS01P.PSI.CH/documents/jsp/qv?pri=PSIcgc&ft=cgcDocument@STORE_MAIN_CGC&q_cgcId=ID22023011616445798386)/[AA-9500-142e](https://DLS01P.PSI.CH/documents/jsp/qv?id=PSIcgc_fi20230003212302) Handling of Software Updates - -## Version Control - -Everything must be in version control before being used on production systems. In particular, scripts and other software, SPEC files for packages, relevant documentation, Puppet code, etc. - - -## Hiera -The naming of the variables inside Hiera depends on the scope usage of the variables. The variables beeing used only inside one specific class will be named `base_class_name::variable` where `base_class_name` is the last part of class name, without the part before the last `::` separator. Example: the `permit_root_login` variable for the `profile::ssh_server` class will be named `ssh_server::permit_root_login`. - - -## External Code -Although the installation infrastructure makes large usage of external code the system has to avoid as much as possible dependency from external services availability. A WAN outage or a remote http server failure should not influence the installation system. For this reason, all the external code is mirrored internally in specific git repositories. - - -## Servers and services -Every server should support exactly one service, e.g. Puppet, or FTP. This makes the services more independent (e.g. for downtimes), simplifies the structure of the corresponding Puppet code, makes it easier to reason about the environment, and prevents conflicts regarding certain configuration settings. - -### Naming Convention Nodes / Servers - -Node/Server names have the form `lx-purpose-[0-9][0-9].psi.ch`, where `purpose` is the purpose of the server or the service provided by it. Example: `lx-boot-01.psi.ch` is the **boot** server - -The production server always has an DNS alias `purpose.psi.ch` and clients should always use this alias to connect to the server. - -When putting system names into configuration files, we always use lower case and the fully qualified domain name. - - -## Software Update Policy - -It is in the responsibilty of the owner/administrator of a system to care about the software update policy and its application! - -### Automatic Updates - -By default once a week (in the night from Sunday to Monday) security updates are automatically applied. Other updates, including Kernel updates, need to be installed manually. - -This is [configurable](configuration/software/package_updates.md), you may switch it off completely, make it run daily or make it install all updates. - -Reboots are never done automatically. - -Also for software which have been installed from other sources than RPM package repositories (like `pip` or manual install) there is no automatic update procedure. - -### Snapshots - -On specially protected systems where stability is more important than being up-to-date, there is the option to freeze the provided RPM package version to a specified date. Also this can be [configured in Hiera](configuration/software/package_repositories.md)(chapter "Using Specific Package Repository Snapshot"). If such a system is set by such a "Repo Tag" to a specific snapshot, the update procedure cannot get newer than the given state. - -Again, this should only be done for nodes in protected networks, e.g. with access restrictions through an [ssh gateway](../services/admin-guide/ssh_gateways.md) and requires consent with IT Security. - diff --git a/admin-guide/index.md b/admin-guide/index.md deleted file mode 100644 index 42571ba7..00000000 --- a/admin-guide/index.md +++ /dev/null @@ -1,6 +0,0 @@ -# Admin Guide - -This is documenation relevant for system admins. - -```{tableofcontents} -``` diff --git a/admin-guide/puppet.md b/admin-guide/puppet.md deleted file mode 100644 index e9b95ce8..00000000 --- a/admin-guide/puppet.md +++ /dev/null @@ -1,4 +0,0 @@ -# Puppet - -```{tableofcontents} -``` diff --git a/admin-guide/puppet/hiera.md b/admin-guide/puppet/hiera.md deleted file mode 100644 index 9bed08e6..00000000 --- a/admin-guide/puppet/hiera.md +++ /dev/null @@ -1,116 +0,0 @@ -# Hiera - -Please refer to `here `_ for a general Hiera -introduction. - -Our current hierarchy has seven levels (first will be considered first -during value lookup): - -- nodes (FQDN) -- subgroup (optional, ``puppet_subgroup`` attribute in sysdb) -- group (``puppet_group`` attribute in sysdb) -- sysdb environments -- Puppet server specific -- global -- common - -The first four layers can be edited by the admin in the respective hiera git repository. The common layer (default values) and the server specific layer (differences between test and prod) are part of the Puppet code repository. Finally the global layer contains a few configurations which are managed by the Core Linux Group outside of the normal Puppet release process, eg. for license management. - -The values can be stored as classical YAML values or with [encrypted yaml](https://github.com/TomPoulton/hiera-eyaml) for secrets. - -The filesystem structure is as follows (the last 3 cannot be controlled by a common admin): - -1. ``%{::sysdb_env}/%{::group}/%{::fqdn}.yaml`` or ``%{::sysdb_env}/%{::group}/%{::subgroup}/%{::fqdn}.yaml`` -2. ``%{::sysdb_env}/%{::group}/%{::subgroup}.yaml`` -3. ``%{::sysdb_env}/%{::group}.yaml`` -4. ``%{::sysdb_env}/%{::sysdb_env}.yaml`` - -5. ``%{::environment}/data/server_%{server_facts.servername}.yaml`` -6. ``/srv/puppet/data/global/global.yaml`` -7. ``%{::environment}/data/common.yaml`` - -Depending if a subgroup is defined, the node specific YAML is at a different level in the filesysystem hierarchy. - -The ``%{variable}`` notation is hiera specific. - -## Repositories - -Hiera data are organized in different repositories. These repositories are located at: https://git.psi.ch/linux-infra/hiera - - -Each __sysdb environment__ has a dedicated hiera repository, called ``data-``, eg. [data-hpc]( https://git.psi.ch/linux-infra/hiera/data-hpc). -The first 4 levels of the filesystem structure shown before are actually the files inside this kind of repositories. - -Any change to the repo will automatically trigger a redeployment of the new version of its content on the puppet master within a few seconds from the push. - -## Configuration - -### Secrets -Secrets and clear-text values can be mixed inside the same yaml file, eg.:: -```yaml -ntp_client::servers: - - pstime1.psi.ch - - pstime2.psi.ch - - pstime3.psi.ch - -secret_key: ENC[PKCS7,MIIBiQYJKoZIhvcNA...AMA==] -``` - -The encrypted values can be decrypted transparently from Hiera (on a host having the proper hiera key): -```bash -[root]# hiera secret_key -this is a secret value -``` - -You can edit secure data inside any yaml file with the command `/opt/puppetlabs/puppet/bin/eyaml edit common.yaml`. In this case secure data will appear in clear-text inside the editor. - - -### Encrypt Data -To encrypting data you have to use the public key from your Hiera (`data-*`) git repository named `eyaml_public_key.pem` - -For the lower layers (global, server or data) it is on the Puppet server at [`/etc/puppetlabs/keys/eyaml/public_key.pkcs7.pem`](https://git.psi.ch/linux-infra/bootstrap/-/blob/prod/instcode/puppet/puppet_server/files/crypto/public_key.pkcs7.pem). - -Beside this key you also need to have `hiera-eyaml` tool installed on your system. - -```bash -eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem -s secret_string -``` - -While a complete file can be encrypted with: -```bash -eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem -f secret_file -``` - -#### Example - -To encrypting password for a system you can go about like this: - -```bash -# openssl passwd -6 | eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem --stdin -Password: -Verifying - Password: -string: ENC[PKCS7,MIIBxxxxxxxx...xxxxxxxx] - -OR - -block: > - ENC[PKCS7,MIIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - ... - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] -# -``` - - - -and place either the string or the block at the required place in your Hiera YAML. - -# Hiera Variable Interpolation - -Within Hiera also variable interpolation might be use to include other Hiera keys or facts, etc. into the values. -For details check out the [Puppet documentation](https://www.puppet.com/docs/puppet/7/hiera_merging.html#interpolation_functions) - -As such an interpolation starts with `%{`, some key or file content (especially in Apache configuration) might be interpreted as variable interpolation and result in some part of the text disappear. -Or it might simply the puppet run with `Syntax error in string` if Puppet fails to parse what it considers an interpolation. -To escape a `%` you can write `%{literal('%')}` instead. diff --git a/admin-guide/puppet/overview.md b/admin-guide/puppet/overview.md deleted file mode 100644 index e0f3c22f..00000000 --- a/admin-guide/puppet/overview.md +++ /dev/null @@ -1,5 +0,0 @@ -# Overview - -[Puppet](https://puppet.com/docs/puppet) is the *configuration management system* used to configure our nodes at PSI. - -Our [Puppet Dashboard](https://puppet.psi.ch/puppetboard) gives an overview over all systems managed using Puppet at PSI. diff --git a/admin-guide/puppet/puppet_client.md b/admin-guide/puppet/puppet_client.md deleted file mode 100644 index 894d0f2e..00000000 --- a/admin-guide/puppet/puppet_client.md +++ /dev/null @@ -1,38 +0,0 @@ -# Puppet Client - -The Puppet Agent updates the configuration on the node. It automatically runs regulary, for configuration details check the [configuration guide](../configuration/basic/puppet_agent). - -The puppet client can be manually triggered/run by calling following command on the client: - -```bash -puppet agent -t -``` - -To only check what the client would actually do, without actually changing the systems configuration/files/etc. you can use the `--noop` option: - -```bash -puppet agent -t --noop -``` - -To instruct the puppet client to use a specific puppet environment use: - -```bash -puppet agent -t --environment my_environment -``` -The client will keep this environment until -- either the puppet environment is removed from the server (i.e. the client will do a fallback to the default environment) -- you manually change the environment again - - - -## Configuration -### Attach Node to Different Puppet Server - -For testing purpose you might want to change the Puppet server to which a test node is attached to. To do so do, change the ``server`` in the ``[main]`` section of ``/etc/puppetlabs/puppet/puppet.conf`` accordingly. - -Then delete the current host and CA certficate and the CRL: - - #. ``rm /etc/puppetlabs/puppet/ssl/certs/*`` - #. ``rm /etc/puppetlabs/puppet/ssl/crl.pem`` - -Finally run the puppet agent again. diff --git a/admin-guide/puppet/puppet_environments.md b/admin-guide/puppet/puppet_environments.md deleted file mode 100644 index b3d931d3..00000000 --- a/admin-guide/puppet/puppet_environments.md +++ /dev/null @@ -1,37 +0,0 @@ -# Puppet Environments - -An Puppet environment is a particular version of the Puppet code/configuration. In our infrastructure an Puppet environment always corresponds to a git branch in the main puppet codebase: https://git.psi.ch/linux-infra/puppet - -To all time our Puppet server provides two environments, __prod__ and __preprod__. - -## Development Environments - -Beside the __prod__ and __preprod__ environments, development environments for feature branches of the puppet git repository are automatically put on and removed from the puppet server. To create a new feature branch and test environment simply: - -__ON YOUR COMPUTER!__ - -1. Clone the puppet repository https://git.psi.ch/linux-infra/puppet -2. Create a new branch with a name that matches following regex: `^[a-z]+[a-z,0-9,_]+$` (e.g. my_test_branch) -3. Do the necessary changes and commit your changes -4. Push the new branch / changes to the git server - -Whenever the git server receives a push a gitlab-runner gets triggered on the puppet server that does the automatic checkout of the branch and registers this as a new development environment. - -Note: If branches are deleted on the git server the corresponding checkouts/environments on the puppet server will also be removed. (with some delay) - -To use/test the code changes via the puppet test environment use -``` -puppet agent -t --environment=issue_x -``` - -The following video shows all the necessary steps in detail. (The left terminal is a shell on my workstation, the right terminal is a shell on a test server) - - - -Once you are done with the develoment and testing create a merge request for the branch to the __preprod__ branch. - -### Development Environment Names - -The name of an branch/environment must match the following regex expression: `^[a-z]+[a-z,0-9,_]+$` - -If the name is not compliant with this rule, a push of the branch to the git server will not be possible. diff --git a/admin-guide/troubleshooting.md b/admin-guide/troubleshooting.md deleted file mode 100644 index e271f5d2..00000000 --- a/admin-guide/troubleshooting.md +++ /dev/null @@ -1,5 +0,0 @@ -# Troubleshooting - -```{tableofcontents} -``` - diff --git a/admin-guide/troubleshooting/_static/AIT-AD-Kerberos-Troubleshooting.pdf b/admin-guide/troubleshooting/_static/AIT-AD-Kerberos-Troubleshooting.pdf deleted file mode 100644 index 0d629fd1..00000000 Binary files a/admin-guide/troubleshooting/_static/AIT-AD-Kerberos-Troubleshooting.pdf and /dev/null differ diff --git a/admin-guide/troubleshooting/_static/AIT-Keytab-File.pdf b/admin-guide/troubleshooting/_static/AIT-Keytab-File.pdf deleted file mode 100644 index fb58a149..00000000 Binary files a/admin-guide/troubleshooting/_static/AIT-Keytab-File.pdf and /dev/null differ diff --git a/admin-guide/troubleshooting/_static/boot_add_serial_port.png b/admin-guide/troubleshooting/_static/boot_add_serial_port.png deleted file mode 100644 index e48731b8..00000000 Binary files a/admin-guide/troubleshooting/_static/boot_add_serial_port.png and /dev/null differ diff --git a/admin-guide/troubleshooting/_static/boot_qip.png b/admin-guide/troubleshooting/_static/boot_qip.png deleted file mode 100644 index be5be2c0..00000000 Binary files a/admin-guide/troubleshooting/_static/boot_qip.png and /dev/null differ diff --git a/admin-guide/troubleshooting/_static/boot_serial_port_settings.png b/admin-guide/troubleshooting/_static/boot_serial_port_settings.png deleted file mode 100644 index 77bd0ba8..00000000 Binary files a/admin-guide/troubleshooting/_static/boot_serial_port_settings.png and /dev/null differ diff --git a/admin-guide/troubleshooting/_static/para-callgraph-pam.stp b/admin-guide/troubleshooting/_static/para-callgraph-pam.stp deleted file mode 100644 index ee0c3f49..00000000 --- a/admin-guide/troubleshooting/_static/para-callgraph-pam.stp +++ /dev/null @@ -1,40 +0,0 @@ -#! /usr/bin/env stap - -global trace - -function trace(entry_p, extra) { - if (tid() in trace) - printf("%s%s%s %s\n", - thread_indent (entry_p), - (entry_p>0?"->":"<-"), - ppfunc (), - extra) -} - -probe process("/usr/sbin/sshd").function("do_pam_setcred").call { - if (pid() != target()) next - if ($init != 1) next - printf("Tracing %ld (%s)\n", pid(), execname()) - trace[tid()] = 1 -} -probe process("/usr/sbin/sshd").function("do_pam_setcred").return { - delete trace[tid()] -} - -probe process("/usr/lib64/libpam.so.0").function("*").call { trace(1, $$parms) } -probe process("/usr/lib64/security/pam_env.so").function("*").call { trace(1, $$parms) } -probe process("/usr/lib64/security/pam_localuser.so").function("*").call { trace(1, $$parms) } -probe process("/usr/lib64/security/pam_access.so").function("*").call { trace(1, $$parms) } -probe process("/usr/lib64/security/pam_succeed_if.so").function("*").call { trace(1, $$parms) } -probe process("/usr/lib64/security/pam_unix.so").function("*").call { trace(1, $$parms) } -probe process("/usr/lib64/security/pam_radius_auth.so").function("*").call { trace(1, $$parms) } -probe process("/usr/lib64/security/pam_sss.so").function("*").call { trace(1, $$parms) } - -probe process("/usr/lib64/libpam.so.0").function("*").return { trace(-1, $$return) } -probe process("/usr/lib64/security/pam_env.so").function("*").return { trace(-1, $$return) } -probe process("/usr/lib64/security/pam_localuser.so").function("*").return { trace(-1, $$return) } -probe process("/usr/lib64/security/pam_access.so").function("*").return { trace(-1, $$return) } -probe process("/usr/lib64/security/pam_succeed_if.so").function("*").return { trace(-1, $$return) } -probe process("/usr/lib64/security/pam_unix.so").function("*").return { trace(-1, $$return) } -probe process("/usr/lib64/security/pam_radius_auth.so").function("*").return { trace(-1, $$return) } -probe process("/usr/lib64/security/pam_sss.so").function("*").return { trace(-1, $$return) } diff --git a/admin-guide/troubleshooting/_static/selinux-coloring-book_A4-Stapled.pdf b/admin-guide/troubleshooting/_static/selinux-coloring-book_A4-Stapled.pdf deleted file mode 100644 index 847143fe..00000000 Binary files a/admin-guide/troubleshooting/_static/selinux-coloring-book_A4-Stapled.pdf and /dev/null differ diff --git a/admin-guide/troubleshooting/boot.md b/admin-guide/troubleshooting/boot.md deleted file mode 100644 index 895da287..00000000 --- a/admin-guide/troubleshooting/boot.md +++ /dev/null @@ -1,52 +0,0 @@ -# Boot Issues - -## SecureBoot - -While having secure boot enabled it is not possible to load the yfs kernel module or Nvidia drivers. Therefore it is important that secure boot is disabled on the systems booting EFI! - - -This is how to check on a running system if secure boot is enabled: - -```bash -mokutil --sb-state -``` - -https://access.redhat.com/articles/5337691 - -## Network Boot Failure on UEFI System - -If the system downloads the bootloader, but then fails, it might be due to downloading the wrong bootloader, here `pxelinux.0` instead of `shimx64.efi`. -The Linux Team can check in the journal of boot.psi.ch what was actually downloaded. - -If that is confirmed, then the issue is probably a so far unknown Vendor Class which is sent with the DHCP request of the firmware. It is configured in QIP: - -![Vendor Class to network boot configuration in QIP](_static/boot_qip.png) - -Please inform the network team about the missing Vendor Class. - -(for plain `dhcpd` there would be a [generic solution](https://www.redhat.com/sysadmin/pxe-boot-uefi) but apparently this cannot be implemented in QIP (yet?)). - -## Redirect Serial Output to File in VMware - -To change the serial port settings the VM needs to be shut down. Then edit the VM settings and add a new serial device by clicking "ADD NEW DEVICE" on top right and there select "Serial Port". -![Add Serial Port](_static/boot_add_serial_port.png) - -The serial port should then be connected to a file on the datastore `serial_console`: -![Serial Port Settings](_static/boot_serial_port_settings.png) - -At the moment we have this setup for `lxdev06`, `lxdev07` and `lxdev08` already prepared. - -These files then can be accessed over `lxsup.psi.ch:/data/serial_console`. - -## Send Grub Output to Serial Port - -For sending out Grub debug information over the serial port to a file because it is to much to fit the screen or for later inspection, you might do the following: -- in the Grub menue type `c` to get to the command line -- configure the serial port with -``` -serial --unit=0 --speed=115200 -``` -- set the output to the serial port, run the debug command and set the output back: -``` -terminal_output serial; lsefi; terminal_output console -``` diff --git a/admin-guide/troubleshooting/deployment.md b/admin-guide/troubleshooting/deployment.md deleted file mode 100644 index f41bd22c..00000000 --- a/admin-guide/troubleshooting/deployment.md +++ /dev/null @@ -1,79 +0,0 @@ -# Deployment - -A deployment roughly has the following phases: -1. DHCP followed by PXE boot. -2. Kickstart installation followed by a reboot. -3. Initial Puppet run, followed by updates, followed by another Puppet run and a reboot. - - -## PXE boot/iPXE - -When deployment fails during the PXE phase it usually due to one of the following: - -1. No network connectivity - This is usually indicated by messages similar to ``No link on XXX``. -2. No DHCP in the connected network (eg DMZ, tier3) - The DHCP requests by the BIOS/UEFI firmware will time out. -3. Firewall (no TFTP/HTTP to the relevant servers) -4. Incompatibilities between iPXE and network card (NIC) -5. Incorrect sysdb entry (hence iPXE entry incorrect). - -If there is not DHCP, the static network information provided manually is possibly wrong or for a different network than the one connected to the host. - - -## Infiniband - -Infiniband can generally cause installation problem, expecially in the initial phase, when iPXE tries to load the configuration file. As a general rule, disable PXE on all Infiniband cards. - -Anyway this is not always enough since it happens that iPXE recognized anyway the Infiniband card as the first device (with MAC address ``79:79:79:79:79:79``) and tries to get configuration file for that. - - -## Kickstart - -Typical problems during the Kickstart phase: -1. The Kickstart file cannot be retrieved from the sysdb server __sysdb.psi.ch__. Typically caused by incorrect sysdb entries or firewalls. -2. Partitioning fails. This can happen because - - No disk is recognized, or the wrong disk is used - - Packages or other installation data cannot be downloaded. Can be caused by firewalls or incorrect sysdb entries. - -## Hiera - -A typical problem are Hiera errors, eg the following:: -```bash -Info: Using configured environment 'prod' -Info: Retrieving pluginfacts -Info: Retrieving plugin -Info: Loading facts -Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Function lookup() did not find a value for the name 'console::mount_root' at /srv/puppet/code/dev/envs/prod/code/modules/role/manifests/console.pp:1 on node lxdev05.psi.ch -Warning: Not using cache on failed catalog -Error: Could not retrieve catalog; skipping run -``` - -The error message shows that the value for `console::mount_root` could not be found in Hiera. - - -## Active Directory - -Sometimes the Active Directory join fails, usually for one of these three reasons: - -- There is already an Active Directory computer object for the same system from a previous Windows installation. In this case, delete the computer object and restart the installation. -- Firewall restrictions -- Old Puppet certificates from a previous SL6 installation are used on the system. In this case delete the certificates on the client with `find /etc/puppetlabs -name '*.pem' -delete` and clean up any certificates on the Puppet server with ``puppet cert clean $HOSTNAME``. Then restart the installation. - -### Rejoin Active Directory - -If the AD join seams to be broken (failed logins, etc.), then the node can be automatically rejoined again: -- remove `/etc/krb5.keytab` -- run puppet, e.g. with `puppet agent --test` - - -## YFS / AFS - -If the ``yfs-client`` does not start (cannot load kernel module) due to `key not available`: - -```bash -Sep 02 13:21:34 pc12661.psi.ch systemd[1]: Starting AuriStorFS Client Service... -Sep 02 13:21:34 pc12661.psi.ch modprobe[29282]: modprobe: ERROR: could not insert 'yfs': Required key not available -``` - -then there is most probably SecureBoot blocking the loading of the unsigned `yfs` kernel module. - -Disable secure boot in the BIOS/EFI settings. diff --git a/admin-guide/troubleshooting/filesystem.md b/admin-guide/troubleshooting/filesystem.md deleted file mode 100644 index 29110c4d..00000000 --- a/admin-guide/troubleshooting/filesystem.md +++ /dev/null @@ -1,37 +0,0 @@ -# Filesystem - -Check filesystem capacity using `df`: - -```bash -[root@lx ~]# df -h -Filesystem Size Used Avail Use% Mounted on -/dev/mapper/vg_root-lv_root 8.0G 1.4G 6.7G 17% / -devtmpfs 909M 0 909M 0% /dev -tmpfs 920M 0 920M 0% /dev/shm -tmpfs 920M 816K 920M 1% /run -tmpfs 920M 0 920M 0% /sys/fs/cgroup -/dev/sda1 976M 198M 728M 22% /boot -/dev/mapper/vg_root-lv_tmp 1014M 34M 981M 4% /tmp -/dev/mapper/vg_root-lv_var 2.9G 1.4G 1.5G 47% /var -/dev/mapper/vg_root-lv_var_log 2.0G 160M 1.9G 8% /var/log -/dev/mapper/vg_root-lv_openafs 1008M 1.3M 956M 1% /var/cache/openafs -tmpfs 184M 4.0K 184M 1% /run/user/0 -``` - -Check available inodes (~ the maximum number of files that can be created):: - -```bash -[root@lx ~]# df -i -Filesystem Inodes IUsed IFree IUse% Mounted on -/dev/mapper/vg_root-lv_root 4194304 48891 4145413 2% / -devtmpfs 232630 383 232247 1% /dev -tmpfs 235485 1 235484 1% /dev/shm -tmpfs 235485 575 234910 1% /run -tmpfs 235485 16 235469 1% /sys/fs/cgroup -/dev/sda1 65536 348 65188 1% /boot -/dev/mapper/vg_root-lv_tmp 524288 316 523972 1% /tmp -/dev/mapper/vg_root-lv_var 1474560 1042691 431869 71% /var -/dev/mapper/vg_root-lv_var_log 1048576 81 1048495 1% /var/log -/dev/mapper/vg_root-lv_openafs 65536 11 65525 1% /var/cache/openafs -tmpfs 235485 2 235483 1% /run/user/0 -``` \ No newline at end of file diff --git a/admin-guide/troubleshooting/gvfs.md b/admin-guide/troubleshooting/gvfs.md deleted file mode 100644 index b5943a87..00000000 --- a/admin-guide/troubleshooting/gvfs.md +++ /dev/null @@ -1,13 +0,0 @@ -# GVFS (Gnome Virtual Filesystem) - -GVFS or `gio mount` allows access to different types of network filesystems like SMB/CIFS and protocols like FTP or SFTP. - -If Nautilus access to such a destination or a `gio mount ...` does not work, following can be used to see what happens inside `gvfsd`: - -```bash -GVFS_SMB_DEBUG=10 GVFS_DEBUG=1 $(find /usr/lib* -name gvfsd 2>/dev/null) --replace -``` -of if Kerberos is involved and might be the issue: -```bash -KRB5_TRACE=/dev/stdout GVFS_SMB_DEBUG=10 GVFS_DEBUG=1 $(find /usr/lib* -name gvfsd 2>/dev/null) --replace -``` diff --git a/admin-guide/troubleshooting/journald.md b/admin-guide/troubleshooting/journald.md deleted file mode 100644 index a93f5df0..00000000 --- a/admin-guide/troubleshooting/journald.md +++ /dev/null @@ -1,45 +0,0 @@ -# Journald - -- List all reboots/show logs starting at a specific reboot: -```bash -journalctl --list-boots - -10 19d173f56d314912820486b9ddfd7d6c Thu 2018-06-21 11:20:55 CEST—Thu 2018-06-21 - -9 3a5a050289314221a3863b88a0eef367 Thu 2018-06-21 11:26:33 CEST—Thu 2018-06-21 - -8 f9726e6c9ce44678ab68a2fc12b1c12c Thu 2018-06-21 11:43:38 CEST—Thu 2018-06-21 - -7 b4e6bc84ff8840adbc698992cd1900d2 Thu 2018-06-21 14:55:42 CEST—Thu 2018-06-21 - -6 81b78d0d09934937a24a73bfcd3d8ede Thu 2018-06-21 15:06:18 CEST—Thu 2018-06-21 - -5 dd78e29c073448ad9731c6c18288c97a Thu 2018-06-21 15:23:15 CEST—Thu 2018-06-21 - -4 0fc2f05d12664d3aba6364102401d5fb Thu 2018-06-21 15:29:36 CEST—Thu 2018-06-21 - -3 412bbe36d12546bab749a2a63fad99ca Thu 2018-06-21 15:34:19 CEST—Thu 2018-06-21 - -2 c5189f2006c245d7833bb8fe20e62545 Thu 2018-06-21 16:07:51 CEST—Thu 2018-06-21 - -1 7c47950edd194ff4b6a67d3556672430 Thu 2018-06-21 16:11:28 CEST—Thu 2018-06-21 - 0 61ea098edc924030aafb7a822c2df0e3 Thu 2018-06-21 16:26:46 CEST—Wed 2018-06-27 - -journalctl -b - -- Logs begin at Thu 2018-06-21 11:20:55 CEST, end at Wed 2018-06-27 14:20:01 CEST. -- - Jun 21 16:26:46 lxdev05.psi.ch systemd-journal[85]: Runtime journal is using 8.0M (max allowed 91.9M, trying to leave 137.9M free of 911.8M av - Jun 21 16:26:46 lxdev05.psi.ch kernel: Initializing cgroup subsys cpuset - -journalctl -b -2 - -- Logs begin at Thu 2018-06-21 11:20:55 CEST, end at Wed 2018-06-27 14:20:01 CEST. -- - Jun 21 16:07:51 lxdev05.psi.ch systemd-journal[87]: Runtime journal is using 8.0M (max allowed 91.9M, trying to leave 137.9M free of 911.8M av - Jun 21 16:07:51 lxdev05.psi.ch kernel: Initializing cgroup subsys cpuset -``` - -- Show logs starting from a given date/time: -```bash -journalctl --since 2018-06-23 -journalctl --since '2018-06-23 18:13' -``` - -- Show logs for a given unit, eg a given service: -```bash -journalctl -u sshd.service -journalctl -u pli-puppet-run.timer -``` - -- Show the last N messages (1000 by default):: -```bash -journalctl -e -journalctl -e -n 250 -``` diff --git a/admin-guide/troubleshooting/kerberos.md b/admin-guide/troubleshooting/kerberos.md deleted file mode 100644 index 911bbfe6..00000000 --- a/admin-guide/troubleshooting/kerberos.md +++ /dev/null @@ -1,13 +0,0 @@ -# Kerberos - -PSI Kerberos documentation: https://intranet.psi.ch/de/knowledge-base/kerberos-and-afs - - - Old AIT AD Kerberos troubleshooting guide: [PDF](_static/AIT-AD-Kerberos-Troubleshooting.pdf) - - Old AIT keytab file documentation: [PDF](_static/AIT-Keytab-File.pdf) - - -Enable trace log of the Kerberos library to troubleshoot authentication problems (e.g. for curl): - -```bash -KRB5_TRACE=/dev/stderr curl -v --negotiate -u : https://boot00-test.psi.ch/sysdb/v1/node > /dev/null -``` diff --git a/admin-guide/troubleshooting/login.md b/admin-guide/troubleshooting/login.md deleted file mode 100644 index 00e9330b..00000000 --- a/admin-guide/troubleshooting/login.md +++ /dev/null @@ -1,63 +0,0 @@ -# Login and Remote Access - -When a user cannot log in on a system, it is usually caused by one of these: - -1. The password is wrong. -2. Access hasn't been granted through Hiera (`aaa::admins` and `aaa::users`) - or `/etc/security/ssh.allow.*`. The latter also has to be enabled in Hiera. -3. Log in as root is attempted from a system that is not a bastion host (eg - `wmgt0*.psi.ch` or `*-gw.psi.ch`). -4. In the case of Gnome logins, the problem might be caused by the home - directory being inaccessible (eg because AFS doesn't work properly). -5. [`sssd(8)`](https://linux.die.net/man/8/sssd) may have problems. - -Regarding #3 note that on some systems the configured bastion host is -`wmgt*.psi.ch` even though it is not actually possible to log in from there, -because the PSI firewall only allows connections from a certain gateway, eg -`foobar-gw.psi.ch`. - -## Known Errors - -### Problematic `.bashrc`/`.bash_profile` -Some people load a pmodule or a conda environment when bash is started. This can easily break the Gnome Startup as this can bring in incompatible tools and libraries. Suspicous is also setting the `LD_LIBRARY_PATH` environment variable. Once even `PATH` was the culprit because an incompatible `kinit` was used after. - - -### pam_sss Errors -``` -pam_sss(sshd:account): Access denied for user xxxxxx_y: 4 (System error) -``` -Here the AD join might be broken. The machine can be rejoined by deleting/moving away `/etc/krb5.keytab` and then running Puppet (`puppet agent -t`). - -``` -pam_sss(xrdp-sesman:auth): received for user xxxxxx_y: 10 (User not known to the underlying authentication module) -``` -can be caused by corrupt `sssd` cache files (see [SSD Troubleshooting](sssd)) - - -### KioskWithKeyboard Error -``` -gnome-session[31143]: gnome-session-binary[31143]: dconf-WARNING: unable to open named profile (redhatkiosk): using the null configuration. -gnome-session-binary[31143]: dconf-WARNING: unable to open named profile (redhatkiosk): using the null configuration. -gnome-session[31143]: gnome-session-binary[31143]: WARNING: Unable to find required component 'com.redhat.KioskWithKeyboard.WindowManager' -gnome-session-binary[31143]: WARNING: Unable to find required component 'com.redhat.KioskWithKeyboard.WindowManager' -gnome-session[31143]: gnome-session-binary[31143]: WARNING: Unable to find required component 'com.redhat.Kiosk.Script' -gnome-session-binary[31143]: WARNING: Unable to find required component 'com.redhat.Kiosk.Script' -gnome-session-binary[31143]: Entering running state -gnome-session[31214]: Unable to init server: Could not connect: Connection refused -gnome-session-f[31214]: Cannot open display: -``` -For some reason the user got the first instead of the default desktop session. This can be fixed with - -``` -USER_WITH_BROKEN_LOGIN=... -systemctl stop accounts-daemon.service -rm /var/lib/AccountsService/users/$USER_WITH_BROKEN_LOGIN -systemctl start accounts-daemon.service -``` - -## Notes - -For normal users there will be a [`pam_access(8)`](https://linux.die.net/man/8/pam_access) error even for -successful logins. The reason is that we use pam_access twice. First for admins -and then - depending on the system's configuration - for normal users. Obviously -the first one will fail unless the user in question is recognized as an admin. diff --git a/admin-guide/troubleshooting/network.md b/admin-guide/troubleshooting/network.md deleted file mode 100644 index 0bd2c01a..00000000 --- a/admin-guide/troubleshooting/network.md +++ /dev/null @@ -1,82 +0,0 @@ -# Network - -Test hostname resolution with `getent`, for example `getent hosts www.psi.ch`. Unlike `nslookup` or `dig`, it uses the -system resolver. - -The systems IP addresses and routes can be displayed using `ip`: -```bash -[root@lx ~]# ip address -1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - inet 127.0.0.1/8 scope host lo - valid_lft forever preferred_lft forever - inet6 ::1/128 scope host - valid_lft forever preferred_lft forever -2: ens160: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 - link/ether 00:50:56:9d:6d:03 brd ff:ff:ff:ff:ff:ff - inet 10.129.160.195/24 brd 10.129.160.255 scope global ens160 - valid_lft forever preferred_lft forever - inet6 fe80::250:56ff:fe9d:6d03/64 scope link - valid_lft forever preferred_lft forever - - -[root@lx ~]# ip route -default via 10.129.160.1 dev ens160 -10.129.160.0/24 dev ens160 proto kernel scope link src 10.129.160.195 -169.254.0.0/16 dev ens160 scope link metric 1002 -``` - -The link status and other information of an interface can be displayed using -`ethtool`: - -1. Link status: -```bash -[root@lx ~]# ethtool ens160 -Settings for ens160: - [...] - Speed: 10000Mb/s - Duplex: Full - [...] - Link detected: yes -``` -2. Statistics (driver-specific, but look for errors/discards/dropped):: -```bash -[root@lx ~]# ethtool -S ens160 -NIC statistics: - Tx Queue#: 0 - TSO pkts tx: 21529 - TSO bytes tx: 91036062 - ucast pkts tx: 1036632 - ucast bytes tx: 235421707 - mcast pkts tx: 8 - mcast bytes tx: 648 - bcast pkts tx: 7 - bcast bytes tx: 294 - pkts tx err: 0 - pkts tx discard: 0 - drv dropped tx total: 0 - too many frags: 0 - giant hdr: 0 - hdr err: 0 - tso: 0 - ring full: 0 - pkts linearized: 0 - hdr cloned: 0 - giant hdr: 0 - Rx Queue#: 0 - LRO pkts rx: 6913 - LRO byte rx: 100534073 - ucast pkts rx: 551554 - ucast bytes rx: 161369441 - mcast pkts rx: 4 - mcast bytes rx: 344 - bcast pkts rx: 753276 - bcast bytes rx: 45787629 - pkts rx OOB: 0 - pkts rx err: 0 - drv dropped rx total: 0 - err: 0 - fcs: 0 - rx buf alloc fail: 0 - tx timeout count: 0 -``` \ No newline at end of file diff --git a/admin-guide/troubleshooting/packages.md b/admin-guide/troubleshooting/packages.md deleted file mode 100644 index a4d3f4a2..00000000 --- a/admin-guide/troubleshooting/packages.md +++ /dev/null @@ -1,91 +0,0 @@ -# Packages - -## Dependency Resolution Failure / Duplicate Packages -If e.g. an update attempt ends up in something like -```bash -yum update - -Loaded plugins: langpacks, search-disabled-repos -Resolving Dependencies -... ---> Finished Dependency Resolution -Error: Package: sssd-dbus-1.16.5-10.el7_9.12.x86_64 (@rhel7) - Requires: sssd-common = 1.16.5-10.el7_9.12 - Removing: sssd-common-1.16.5-10.el7_9.12.x86_64 (@rhel7) - sssd-common = 1.16.5-10.el7_9.12 - Updated By: sssd-common-1.16.5-10.el7_9.15.x86_64 (rhel7) - sssd-common = 1.16.5-10.el7_9.15 - Removing: sssd-common-1.16.5-10.el7_9.13.x86_64 (@rhel7) -... -``` - -best check if one of these packages is twice listed as installed: -```bash -rpm -qa sssd-common -sssd-common-1.16.5-10.el7_9.13.x86_64 -sssd-common-1.16.5-10.el7_9.12.x86_64 -``` -Now you can try to remove one or both packages, maybe you need to remove also packages which depend on this one. Then install it again. - -## Berkley DB Issue - -### BDB0087 DB_RUNRECOVERY - -If the error message is -```bash -error: rpmdb: BDB0113 Thread/process 21389/140229907089216 failed: BDB1507 Thread died in Berkeley DB library -error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery -error: cannot open Packages index using db5 - (-30973) -error: cannot open Packages database in /var/lib/rpm -CRITICAL:yum.main: - -Error: rpmdb open failed -``` - -then do - -```bash -mv /var/lib/rpm/__db* /tmp -yum clean all -``` - -### BDB0091 DB_VERSION_MISMATCH - -For -```bash -RPM: error: db5 error(-30969) from dbenv->open: BDB0091 DB_VERSION_MISMATCH: Database environment version mismatch -RPM: error: cannot open Packages index using db5 - (-30969) -RPM: error: cannot open Packages database in /var/lib/rpm -Error: Could not run transaction. -``` -do - -```bash -yum clean all -rpm --rebuilddb -``` - - -## Rebuild RPM Database -When `yum`, `dnf` or `rpm` hang or have errors pointing to a problem with their database, then follow the -[Guide to rebuild a corrupted RPM database](https://www.tecmint.com/rebuild-corrupted-rpm-database-in-centos/) - -## RPM Integrity Check -The integratity of installed package can be checked with `rpm`: - -```bash -rpm -Vv pciutils -......... /usr/sbin/lspci -......... /usr/sbin/setpci -......... /usr/sbin/update-pciids -......... /usr/share/doc/pciutils-3.5.1 -......... d /usr/share/doc/pciutils-3.5.1/COPYING -......... d /usr/share/doc/pciutils-3.5.1/ChangeLog -......... d /usr/share/doc/pciutils-3.5.1/README -......... d /usr/share/doc/pciutils-3.5.1/pciutils.lsm -......... d /usr/share/man/man8/lspci.8.gz -......... d /usr/share/man/man8/setpci.8.gz -......... d /usr/share/man/man8/update-pciids.8.gz -``` - -Running `rpm -Vav` will verify **all** installed packages and take a long time. See the man page for details on the output format. Changes, especially in configuration files, can be normal, though. \ No newline at end of file diff --git a/admin-guide/troubleshooting/pam.md b/admin-guide/troubleshooting/pam.md deleted file mode 100644 index 7b954e6b..00000000 --- a/admin-guide/troubleshooting/pam.md +++ /dev/null @@ -1,57 +0,0 @@ -# PAM - -Checking PAM issues can be quite tricky. - - -## Debugging Messages with `pam_echo.so` - -This can be used to print a message. When placed on every PAM step it shows how far the processing goes and maybe where the error might be: - - -``` -auth required pam_env.so -auth optional pam_echo.so "Have passed pam_env" -auth [default=1 success=ok] pam_localuser.so -auth optional pam_echo.so "Have passed pam_localuser" -auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass -auth optional pam_echo.so "Have passed pam_unix" -auth requisite pam_succeed_if.so uid >= 1000 quiet_success -auth optional pam_echo.so "Have passed pam_succeed_if" -auth required pam_sss.so forward_pass -auth optional pam_echo.so "Have passed pam_sss" -auth optional pam_afs_session.so debug always_aklog program=/usr/bin/aklog minimum_uid=1000 -auth optional pam_echo.so "Have passed pam_afs_session" -``` - Please note that above example introduced a bug: the `default=1` on line 3 ignores the next entry (`1`) if the user is local. Now with adding the debugging statements it needs to be `default=2`, but then the message does not fit, so it should be more specific: -``` -auth [default=2 success=ok] pam_localuser.so -auth optional pam_echo.so "Have local user (pam_localuser) and now try to check local password database (pam_unix)" -auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass -auth optional pam_echo.so "Have passed pam_localuser and pam_unix" -``` - -Or just one message after this block without changing the skip number: -``` -auth [default=1 success=ok] pam_localuser.so -auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass -auth optional pam_echo.so "Have passed pam_localuser and pam_unix" -``` - - -## PAM Call Stack with SystemTap - -When debugging an PAM issue with the RedHat support, they provided us a neat Systemtab script to create a PAM call stack of the `do_pam_setcred()` function in sshd. You find it [here](_static/para-callgraph-pam.stp). - -For other PAM functions or other processes this script would need changes. - -In order to run it, you need to have the debug rpms enabled. In our RHEL8 you can do that manually by setting in -`/etc/yum.repos.d/rhel8_baseos_debug.repo` and `/etc/yum.repos.d/rhel8_appstream_debug.repo` `enabled = 1`. It will then be reset with the next Puppet run. - -Then install `systemtap` and `yum-utils`. - -Finally a -``` -stap -x $PID -v ./para-callgraph-pam.stp -``` -will make the Systemtab script observe the given process `$PID`. On the first run it will fail and tell what debug packages it needs to have installed. - diff --git a/admin-guide/troubleshooting/pcie_bus_error.md b/admin-guide/troubleshooting/pcie_bus_error.md deleted file mode 100644 index cfc81ac4..00000000 --- a/admin-guide/troubleshooting/pcie_bus_error.md +++ /dev/null @@ -1,29 +0,0 @@ -# PCIe Bus Error - -When there are PCI Express bus errors like -```bash -Oct 05 11:26:19 pc16209.psi.ch kernel: pcieport 10000:e0:06.0: AER: TLP Header: 34000000 e1000010 89148914 00000000 -Oct 05 11:26:19 pc16209.psi.ch kernel: pcieport 10000:e0:06.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID) -Oct 05 11:26:19 pc16209.psi.ch kernel: pcieport 10000:e0:06.0: device [8086:464d] error status/mask=00100000/00010000 -Oct 05 11:26:19 pc16209.psi.ch kernel: pcieport 10000:e0:06.0: [20] UnsupReq (First) -``` -or -``` -Jan 31 09:29:29 pc16422.psi.ch kernel: pcieport 10000:e0:06.0: AER: can't find device of ID0030 -Jan 31 09:29:29 pc16422.psi.ch kernel: pcieport 10000:e0:06.0: AER: Uncorrected (Non-Fatal) error received: 10000:00:06.0 -``` -This are AER (Advanced Error Reporting) messages of the PCIe chip. - -One thing you might try is disabling **Active State Power Management** (ASPM) in the kernel. - -To do so set in Hiera - -```yaml -base::enable_pcie_aspm: false -``` - -the apply it with `puppet agent -t` and reboot. - -AER: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/assembly_advanced-error-reporting_managing-monitoring-and-updating-the-kernel - -Source: https://www.thomas-krenn.com/de/wiki/PCIe_Bus_Error_Status_00001100_beheben diff --git a/admin-guide/troubleshooting/processes.md b/admin-guide/troubleshooting/processes.md deleted file mode 100644 index 4a65b0f1..00000000 --- a/admin-guide/troubleshooting/processes.md +++ /dev/null @@ -1,13 +0,0 @@ -# Processes - -Processes can be investigated through a variety of tools: - -1. The files in `/proc/$PID/`, in particular - - `/proc/$PID/fd/*`: the open files of the process - - `/proc/$PID/environ`: the process' environment -2. `strace` allows tracing a process' system calls. -3. `ltrace` allows tracing a process' library calls. - -```{note} -Both `strace` and `ltrace` slow the target process down **a lot**, which might cause problems. -``` diff --git a/admin-guide/troubleshooting/puppet.md b/admin-guide/troubleshooting/puppet.md deleted file mode 100644 index e5c19ed7..00000000 --- a/admin-guide/troubleshooting/puppet.md +++ /dev/null @@ -1,27 +0,0 @@ -# Puppet - -## Manually Retrieve Node Information From Puppet Server - -To manually check the node information on the Puppet server for given host, do -```bash -FQDN=$(hostname --fqdn) -curl \ - --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \ - --cert /etc/puppetlabs/puppet/ssl/certs/$FQDN.pem \ - --key /etc/puppetlabs/puppet/ssl/private_keys/$FQDN.pem \ - "https://puppet01.psi.ch:8140/puppet/v3/node/$FQDN?environment=prod&configured_en" \ - | jq . -``` - -## PSON - -Sometimes the puppet agent emits: -``` -Info: Unable to serialize catalog to json, retrying with pson. PSON is deprecated and will be removed in a future release -``` -These should be fixed in the puppet code as with Puppet 8 this will fail hard. - -To figure out what part of the catalog is concerned, look at `/opt/puppetlabs/puppet/cache/client_data/catalog/$(hostname --fqdn).json`. -Then search for `\u` which starts a binary (non-utf8) character in PSON in a way that is still valid JSON. - -Please improve the Puppet code wherever such non-utf8 strings are used. Be aware that not only resources, but also arguments to profiles, classes, etc. end up in the catalog. diff --git a/admin-guide/troubleshooting/rpm.md b/admin-guide/troubleshooting/rpm.md deleted file mode 100644 index c2472453..00000000 --- a/admin-guide/troubleshooting/rpm.md +++ /dev/null @@ -1,22 +0,0 @@ -# RPM - -## Fix Broken RPM Database -### Error -```bash -error: rpmdb: BDB0113 Thread/process 27704/139786043250496 failed: BDB1507 Thread died in Berkeley DB library -error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery -error: cannot open Packages index using db5 - (-30973) -error: cannot open Packages database in /var/lib/rpm -CRITICAL:yum.main: - -Error: rpmdb open failed -``` - -## Fix -1. Rebuild RPM Database: - ``` - rpm --rebuilddb - ``` -2. re-run puppet - -Reference: https://stackoverflow.com/questions/53112493/how-do-i-recover-a-corrupted-dnf-database \ No newline at end of file diff --git a/admin-guide/troubleshooting/selinux.md b/admin-guide/troubleshooting/selinux.md deleted file mode 100644 index 9637a843..00000000 --- a/admin-guide/troubleshooting/selinux.md +++ /dev/null @@ -1,199 +0,0 @@ -# SELinux - -General information on SELinux can be found here: -- [SELinux coloring book](_static/selinux-coloring-book_A4-Stapled.pdf) - Original: https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf - -## Modes - -SELinux can be in one of three modes: -- `enforcing` - The SELinux policy is enforced, violations are logged. -- `permissive` - The SELinux policy is **not** enforced, but violations are still logged. -- `disabled` - SELinux is not loaded at all. - -Going from ``enforcing`` or ``permissive`` to/from ``disabled`` requires a reboot. - - -## Contexts - -On an SELinux system every file has a context, and the SELinux policy controls whether a confined service can access files of a given context. - -The context of files can be listed with the `stat` command or by passing the `-Z` option to `ls`:: -```bash -$ ls -Z /etc/fstab --rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/fstab - -$ stat /etc/fstab -File: ‘/etc/fstab’ -Size: 619 Blocks: 8 IO Block: 4096 regular file -Device: fd01h/64769d Inode: 134320258 Links: 1 -Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root) -Context: system_u:object_r:etc_t:s0 -Access: 2017-05-13 21:50:43.533927373 +0200 -Modify: 2016-04-03 04:19:02.289004083 +0200 -Change: 2016-04-03 04:29:29.955011505 +0200 -Birth: - -``` - -When files are created they are assigned a default context based on their path according to the system policy. - -The default contexts configured for various filesystem locations can be listed by running :manpage:`semanage`: -```bash -$ semanage fcontext -l -... -/usr/.* all files system_u:object_r:usr_t:s0 -/var/.* all files system_u:object_r:var_t:s0 -/run/.* all files system_u:object_r:var_run_t:s0 -/srv/.* all files system_u:object_r:var_t:s0 -... -``` - -It is possible to add/list local customizations to the default contexts of the system: - -```bash -$ semanage fcontext -a -t httpd_sys_content_t '/srv/web/data(/.*)?' -$ semanage fcontext -a -t etc_t /srv/web/httpd.conf - -$ semanage fcontext -l -C -/srv/web/httpd.conf all files system_u:object_r:etc_t:s0 -/srv/web/data(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 -``` - -Use the `restorecon` command to restore the context of a file or directory tree according to the system policy:: -```bash -$ restorecon -v /etc/fstab -$ restorecon -vR /etc/puppetlabs/ -``` - -It is also possible to trigger a relabeling of all files with default contexts by:: -```bash -touch /.autorelabel -reboot -``` - -For debugging or during development the `chcon` command can be used: -```bash -chcon -t etc_t /srv/web/httpd.conf - -.. important:: This is not enough! The next ``restorecon(8)``, relabeling, or system - redeployment will not honor the changes made with :manpage:`chcon(1)`. Use - :manpage:`semanage(8)` as described above or change the location of the files - in question so that they are classified correctly by the system policy. -``` - -## Booleans - -SELinux booleans are variables which control certain restrictions enforced by the SELinux policy. An example would be `httpd_can_network_connect`, which controls whether Apache can open network connections. - -The state of SELinux booleans is either `on` or `off` and can be queried using `getsebool`: -```bash -# List all SELinux booleans and their states -getsebool -a - -# Show the state of a given variable -getsebool httpd_can_network_connect -``` - -The `setsebool` command changes the state of a boolean: -```bash -setsebool httpd_can_network_connect on -``` - - -## Basic Checks and Actions - -Check mode/status SELinux: -```bash -getenforce -``` - -Change mode/status SELinux from enforce to permissive: -```bash -setenforce 0 -``` - -Show SELinux context of a file: -```bash -ls -Z -``` - -Show SELinux context attached to process -```bash -ps -Z -``` - -Show SELinux booleans -```bash -getsebool -a -``` - -Set SELinux boolean -```bash -setsebool -P httpd_can_connect_ldap on -setsebool -P httpd_can_check_spam off -``` -`-P` makes it permanent and it will survive reboots. - -List defined SELinux contexts: -```bash -semanage fcontext --list -``` - -Add SELinux context for directories/files: -```bash -semanage fcontext --add -t httpd_log_t "/var/www(/.*)?/log(/.*)?" -``` - -Restore SELinux context of a directory/file -```bash -restorecon -Rv /var/www/html/var -``` - -## in Depth Log Analysis and Module Creation - -Ensure that `setroubleshoot-server` is installed for better readable log entries in `/var/log/audit/audit.log` and the journal. - -To see everything, you may enable full logging by disabling the `noaudit` rules: -```bash -semodule -DB -``` -revert again after, else it will fill your log: -```bash -semodule -B -``` - -Check the new log entries since the start of your test -```bash -ausearch -ts 14:29 -``` - -Create a new SELinux policy file for the events logged since the start of your test - -```bash -ausearch -ts 14:28 --raw | audit2allow -M my-application -``` - -This will create a `my-application.te` policy file with the source code (e.g. to be modified and distributed with Ansible or Puppet) and the copiled `my-application.pp` policy file. - -If you just need the TE source code as output (e.g. for Puppet), then do - -```bash -ausearch -ts 14:28 --raw | audit2allow -r -m my-application -``` -To add such a module to Hiera for Puppet see [SELinux Configuration](../configuration/software/selinux_configuration). - -To install the new SELinux policy file run -```bash -semodule --install my-application.pp -``` - -To compile the binary SELinux policy file yourself run -```bash -cd /tmp; checkmodule --mls -m --output my-application.mod $PATH_TO/my-application.te; semodule_package --outfile my-application.pp --module my-application.mod -``` - - -References: -- [SELinux Guide](https://docs.linuxfabrik.ch/base/security/selinux.html) (German) -- [Short SELinux Manual](https://dokuwiki.dsteiner.ch/selinux) (English) -- How to read SELinux logs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux -- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux diff --git a/admin-guide/troubleshooting/sssd.md b/admin-guide/troubleshooting/sssd.md deleted file mode 100644 index 11ab9ca7..00000000 --- a/admin-guide/troubleshooting/sssd.md +++ /dev/null @@ -1,96 +0,0 @@ -# SSSD - -## Check Domain State -As `root` check what domains are configured: -``` -# sssctl domain-list -D.PSI.CH -# -``` -and then check their state: -``` -# sssctl domain-status D.PSI.CH -Online status: Offline - -Active servers: -AD Global Catalog: not connected -AD Domain Controller: dc01.D.PSI.CH - -Discovered AD Global Catalog servers: -None so far. -Discovered AD Domain Controller servers: -- dc01.D.PSI.CH -- dc02.D.PSI.CH -- dc00.D.PSI.CH - -# -``` - -## Check User State -``` -# sssctl user-checks buchel_k -user: buchel_k -action: acct -service: system-auth - -SSSD nss user lookup result: - - user name: buchel_k - - user id: 44951 - - group id: 710 - - gecos: Bucheli Konrad - - home directory: /home/buchel_k - - shell: /bin/bash - -SSSD InfoPipe user lookup result: - - name: buchel_k - - uidNumber: 44951 - - gidNumber: 710 - - gecos: Bucheli Konrad - - homeDirectory: /afs/psi.ch/user/b/buchel_k - - loginShell: /bin/bash - -testing pam_acct_mgmt - -pam_acct_mgmt: Success - -PAM Environment: - - no env - -# -``` - -## Check Log for AD connection - -If `/var/log/sssd/sssd_D.PSI.CH.log` complains about file issues like - -``` - * (2024-10-03 9:47:17): [be[D.PSI.CH]] [sysdb_delete_cache_entry] (0x0020): [RID#78] LDB Error: No such object (32); error message: [ldb_wait from ldb_delete with LDB_WAIT_ALL: No such object (32)] -********************** BACKTRACE DUMP ENDS HERE ********************************* - -(2024-10-03 9:47:17): [be[D.PSI.CH]] [sysdb_delete_entry] (0x0040): [RID#78] sysdb_delete_cache_entry failed: 2 -(2024-10-03 9:48:24): [be[D.PSI.CH]] [sysdb_create_ts_entry] (0x0040): [RID#90] ldb_add failed: [Entry already exists](68)[Entry name=X06SA@d.psi.ch,cn=groups,cn=D.PSI.CH,cn=sysdb already exists] - * ... skipping repetitive backtrace ... -(2024-10-03 9:48:24): [be[D.PSI.CH]] [sysdb_create_ts_entry] (0x0040): [RID#90] Error: 17 (File exists) - * ... skipping repetitive backtrace ... -(2024-10-03 9:48:24): [be[D.PSI.CH]] [sysdb_create_ts_entry] (0x0040): [RID#90] ldb_add failed: [Entry already exists](68)[Entry name=gac-x07da@d.psi.ch,cn=groups,cn=D.PSI.CH,cn=sysdb already exists] - * ... skipping repetitive backtrace ... -(2024-10-03 9:48:24): [be[D.PSI.CH]] [sysdb_create_ts_entry] (0x0040): [RID#90] Error: 17 (File exists) - * ... skipping repetitive backtrace ... -(2024-10-03 9:48:24): [be[D.PSI.CH]] [sysdb_create_ts_entry] (0x0040): [RID#90] ldb_add failed: [Entry already exists](68)[Entry name=X07DA@d.psi.ch,cn=groups,cn=D.PSI.CH,cn=sysdb already exists] -``` - -delete the `sssd` files: - -``` -systemctl stop sssd.service -rm -f /var/lib/sss/db/* -systemctl start sssd.service -``` - -## Extended Logging - -To get more logging messages you may raise the log level to 6, either permanently in Hiera with key `aaa::sssd_debuglevel` or temporary on the host itself with -``` -sssctl debug-level 6 -``` - -The logs are located in `/etc/log/sssd/` diff --git a/admin-guide/troubleshooting/systemd.md b/admin-guide/troubleshooting/systemd.md deleted file mode 100644 index c01fce70..00000000 --- a/admin-guide/troubleshooting/systemd.md +++ /dev/null @@ -1,26 +0,0 @@ -# Systemd - - -- List status of services -```bash -# list status of all services -systemctl status - -# list status specific service -systemctl status yourservice -``` - -- List all systemd timers: -```bash -systemctl list-timers - NEXT LEFT LAST PASSED UNIT ACTIVATES - Wed 2018-06-27 16:45:01 CEST 2h 16min left Tue 2018-06-26 16:45:01 CEST 21h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service - Thu 2018-06-28 07:31:00 CEST 17h left Wed 2018-06-27 07:31:25 CEST 6h ago pli-puppet-run.timer pli-puppet-run.service - - 2 timers listed. - Pass --all to see loaded but inactive timers, too. -``` - -## Logs -All systemd logs end up in journald. One important exception is __sssd__ which provides authentication against Active Directory. Its logs can be found in -`/var/log/sssd`. \ No newline at end of file diff --git a/admin-guide/virtual_machines.md b/admin-guide/virtual_machines.md deleted file mode 100644 index 01537630..00000000 --- a/admin-guide/virtual_machines.md +++ /dev/null @@ -1,32 +0,0 @@ -# Virtual Machines - -Until there is a dedicated workflow implemented in ServiceNow, virtual machines for Linux can be ordered by opening a general ServiceNow Ticket or by contacting linux-eng@psi.ch. - -Please provide at least following information with the request: -- Contact person -- Hostname of virtual server -- OS (Linux / Windows) -- Short description of usage purpose -- Number of CPUs -- Memory [GB] -- Diskspace [GB] -- **PSP** / group number - -If you can give more details to your plans the better! If you are unsure about some of the details here, please talk to us. - -## Costs - -You need to pay for the VM[^1] except: - -- VMs running on an already paid ESX-Cluster (for 2023 this is cpt*, gfa*, gls, catia-3d) -- AIT -- AWI -- LOG - -A SLA document[^2] will be prepared which shows the annual costs. - - -[^1]: according to Peter Hüsser (12.09.2023), latest definition see: `smb://fs03/AITvirtualization/SLA/wer_bezahlt.docx` - -[^2]: SLA document to be prepared with template `smb://fs03/AITvirtualization/SLA/Template/SLA_V2.dotx` and then to be placed in `smb://fs03/AITvirtualization/SLA/Linux`. -Access to the `smb://fs03/AITvirtualization` share is/can be granted by Peter Hüsser. diff --git a/engineering-guide/_static/add_new_metric_source.png b/engineering-guide/_static/add_new_metric_source.png deleted file mode 100644 index 6a4c92ae..00000000 Binary files a/engineering-guide/_static/add_new_metric_source.png and /dev/null differ diff --git a/engineering-guide/_static/legacy_boot.png b/engineering-guide/_static/legacy_boot.png deleted file mode 100644 index a1bded69..00000000 Binary files a/engineering-guide/_static/legacy_boot.png and /dev/null differ diff --git a/engineering-guide/_static/legacy_boot.puml b/engineering-guide/_static/legacy_boot.puml deleted file mode 100644 index 2c10abcd..00000000 --- a/engineering-guide/_static/legacy_boot.puml +++ /dev/null @@ -1,82 +0,0 @@ -@startuml - -actor admin -participant "BIOS Node\n(legacy boot)" as bootnode -participant "QIP DHCP" as dhcp -participant "boot.psi.ch" as pxeserver -participant "sysdb.psi.ch" as sysdb -participant "repos.psi.ch" as reposerver - -admin -> bootnode : boots up - -hnote over bootnode - BIOS -endhnote -bootnode -> dhcp : DHCP request -dhcp -> bootnode : IP + PXE boot location -bootnode -> pxeserver : load PXE kernel tftp:/tftpboot/pxelinux.0 - -hnote over bootnode - PXE -endhnote -bootnode -> pxeserver : load PXE config tftp:/tftpboot/pxelinux.cfg/01-$MAC -note right - By manually setting a MAC or IP config the - boot menu can be customised or shortcut. - Most is managed by symlinks. There is the - undocumented "link-to-lxprod.py" script for - manually linking MAC to hostname and hostname - to "lxprod". At some places this is done the - opposite by linking hostname to MAC to "lxprod". - Having the **link to "lxprod" loads directly** - **the iPXE kernel "ipxe.lkrn"**, shortcutting - the manual selection below. -end note -bootnode -> pxeserver : load PXE config tftp:/tftpboot/pxelinux.cfg/$HEX-IP -bootnode -> pxeserver : load PXE config tftp:/tftpboot/pxelinux.cfg/default -note right - **Default selection is local boot**, - but also visible and manually selectable are - - Red Hat 7 Network Install - - Windows Network install - and many more which are hidden, but can - be selected from the prompt, some with - comments from 2013. -end note -admin -> bootnode : selects "Red Hat 7 Network Install" -bootnode -> pxeserver : load iPXE kernel tftp:/tftpboot/ipxe.lkrn -note right - https://git.psi.ch/linux-infra/ipxe-build - The following steps are by embed/pxe.ipxe -end note - -hnote over bootnode - iPXE -endhnote -bootnode -> dhcp : DHCP request -dhcp -> bootnode : IP -bootnode -> sysdb : load iPXE menu http:/ipxe/v1/config?mac=$MAC -note right - Default selection by sydb boot - property "local" or "netboot", - later automatically starts the - installer configured in sysdb - attribute "ipxe_installer". - Manually selectable are all - Red Hat 7 versions and Red Hat 8 - alpha test version to install, - Windows, a selection of tools - and "HP SPP". -endnote -bootnode -> reposerver : load initrd http:/iso/rhel-server-7.9-x86_64-dvd/images/pxeboot/initrd.img -bootnode -> reposerver : load kernel http:/iso/rhel-server-7.9-x86_64-dvd/images/pxeboot/vmlinuz - -hnote over bootnode - Linux kernel -endhnote -bootnode -> reposerver : installation media http:/iso/rhel-server-7.9-x86_64-dvd/ -bootnode -> sysdb : kickstart file http:/kickstart/v1/config?fqdn=$HOSTNAME&instrepo=rhel-server-7.9-x86_64-dvd - -@enduml - - diff --git a/engineering-guide/_static/overview_linux.drawio.svg b/engineering-guide/_static/overview_linux.drawio.svg deleted file mode 100644 index e6f396e2..00000000 --- a/engineering-guide/_static/overview_linux.drawio.svg +++ /dev/null @@ -1,1533 +0,0 @@ - - - - - - - - - - -
-
-
- tftp udp:69 -
-
-
- - - tftp udp:69 - - - - - - - - -
-
-
- timer / pull (every 30s) -
-
-
- - - timer / pu... - - - - - - - -
-
-
- iso sync: - - https://id-sat-prd-02.ethz.ch/pub/isos/ - -
- - repo sync - - - sources defined in - - - /opt/rpm-repo-utils/etc/... - -
-
-
- - - iso sync: https://id-sat-prd-02.ethz.ch/pub/isos/... - - - - - - - - - - -
-
-
- http tcp:80 -
- https tcp:443 -
-
-
- - - http tcp:8... - - - - - - - - -
-
-
- https:8086 -
-
-
- - - https:8086 - - - - - - - - -
-
-
- https:443 -
-
-
- - - https:443 - - - - - - - - - - -
-
-
- network infra structure servers -
- (network team) -
-
-
- - - network infra structure servers... - - - - - - - - - - -
-
-
- subscribed via -
- subscription manager -
-
-
- - - subscribed via... - - - - - - - -
-
-
- sysdb.psi.ch -
- - lx-sysdb-01.psi.ch - -
-
-
- - - sysdb.psi.ch... - - - - - - -
-
-
-
- - Services: - -
- - sysdb - - -
- -
-
- - - serves grub config - -
- - generates kickstart files -
-
-
- - - Services:... - - - - - - - - -
-
-
- internet repositories -
-
-
- - - internet repositories - - - - - - - -
-
-
- - repo sync - - - sources defined in - - - /opt/rpm-repo-utils/etc/... - -
-
-
- - - repo sync  sources defined in /opt/rpm-repo-ut... - - - - - - - - -
-
-
-
- - Services: - -
- - TFTP server - - -
- -
-
-
-
-
-
-
- - - Services:... - - - - - - - -
-
-
- - boot.psi.ch - -
- - - lx-boot-01.psi.ch - - -
-
-
- - - boot.psi.ch... - - - - - - - -
-
-
- - /tftpboot - -
-
-
- - - /tftpboot - - - - - - - -
-
-
-
- - repos.psi.ch - -
-
- - lx-repos-01.psi.ch - -
-
-
-
- - - repos.psi.ch... - - - - - - -
-
-
-
- - Services: - -
-
- - http server - - - repos - -
-
-
-
- - - Services:... - - - - - - - -
-
-
- - /packages - -
-
-
- - - /packages - - - - - - - - -
-
-
- http tcp:80 -
- https tcp:443 -
-
-
- - - http tcp:8... - - - - - - - -
-
-
-
- lx-metric-01.psi.ch -
-
- metric.psi.ch -
-
-
-
- - - lx-metric-01.psi.ch... - - - - - - -
-
-
-
- - Services: - -
-
- - http server - -
-
- - - grafana - -
-
-
-
-
-
-
- - - Services:... - - - - - - - - - -
-
-
-
- lx-influx-01.psi.ch -
-
- influx.psi.ch -
-
-
-
- - - lx-influx-01.psi.ch... - - - - - - -
-
-
-
- - Services: - -
-
- influxd -
-
-
-
-
-
-
- - - Services:... - - - - - - - -
-
-
-

- Local storage for data -

-

- /var/lib/influxdb -

-
-
-
- - - Local storage for dat... - - - - - - - -
-
-
-
- lxweb00.psi.ch -
-
- linux.web.psi.ch -
-
- 129.129.190.46 -
-
-
-
- - - lxweb00.psi.ch... - - - - - - -
-
-
-
- - Services: - -
-
- - http server - -
-
-
-
- - - Services:... - - - - - - - - -
-
-
- puppet.psi.ch -
- - puppet01.psi.ch - -
-
-
- - - puppet.psi.ch... - - - - - - - -
-
-
- puppet00-test.psi.ch -
-
-
- - - puppet00-test.psi.ch - - - - - - -
-
-
-
- - Services: - -
-
- puppet -
-
-
-
- - - Services:... - - - - - - - - -
-
-
- https/443 -
- 8140 -
-
-
- - - https/443... - - - - - - - - -
-
-
- https/443 -
- 8140 -
-
-
- - - https/443... - - - - - - - - -
-
-
- http:80 -
-
-
- - - http:80 - - - - - - - - -
-
-
- http:80 -
-
-
- - - http:80 - - - - - - - - -
-
-
- https:443 -
-
-
- - - https:443 - - - - - - - - -
-
-
- manual pull/ansible -
-
-
- - - manual pul... - - - - - - - - -
-
-
- icmp/ping -
-
-
- - - icmp/ping - - - - - - - - - - - -
-
-
-
- - lx-sync-01.psi.ch - -
-
-
-
-
- - - lx-sync-01.psi.ch - - - - - - -
-
-
-
- - Services: - - - -
-
- repo sync RHEL7/8 -
-
-
-
- - - Services:... - - - - - - -
-
-
- id-sat-prd-02.ethz.ch -
- (located at and operated by ETHZ) -
-
-
- - - id-sat-prd-02.ethz.c... - - - - - - - - -
-
-
- - /packages - -
-
-
- - - /packages - - - - - - - - -
-
-
- NFS4 -
- (read/write) -
-
-
- - - NFS4... - - - - - - - - -
-
-
- NFS4 -
- (read-only) -
-
-
- - - NFS4... - - - - - - - -
-
-
-
- - repos-dmz.psi.ch - -
-
- - lx-repos-dmz-01.psi.ch - -
-
-
-
- - - repos-dmz.psi.ch... - - - - - - - -
-
-
-
- - boot - - - -dmz.psi.ch - -
-
- - lx-boot-dmz-01.psi.ch - -
-
-
-
- - - boot-dmz.psi.ch... - - - - - - - - -
-
-
-
- lx-fs - - .psi.ch - -
-
-
-
- - - lx-fs.psi.ch - - - - - - -
-
-
-
- lx-fs-dmz - - .psi.ch - -
-
-
-
- - - lx-fs-dmz.psi.ch - - - - - - - - -
-
-
- NFS4 -
- (read-only) -
-
-
- - - NFS4... - - - - - - - -
-
-
-

- - https://git.psi.ch/linux-infra/network-boot - -
-

-
-
-
- - - https://git.psi.ch/linux-infra/network-boot - - - - - - - - -
-
-
-

- - https://git.psi.ch/linux-infra/sysdb - -
-

-
-
-
- - - https://git.psi.ch/linux-infra/sysdb - - - - - - -
-
-
-

- - /ext/gpfs "/afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/GPFS" - -
-

-

- /ext/hpc-extra "/afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/hpc-extra" -

-

- /ext/ofed "/afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/OFED" -

-

- /ext/slurm "/afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/slurm" -

-
-
-
- - - /ext/gpfs "/afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/GPFS"... - - - - - - - -
-
-
- - /packages - -
-
-
- - - /packages - - - - - - -
-
-
- Firewall -
-
-
- - - Firewall - - - - - - - -
-
-
- - /tftpboot - -
-
-
- - - /tftpboot - - - - - - - - -
-
-
- 8140 -
-
-
- - - 8140 - - - - - - - - -
-
-
- GET / grub/kickstart requests / only UEFI -
-
-
- - - GET / grub/kickstart requests / only UEFI - - - - - - - -
-
-
- F5 -
-
-
- - - F5 - - - - - - - - -
-
-
- http tcp:80 -
- https tcp:443 -
-
-
- - - http tcp:8... - - - - - - - - -
-
-
- tftp udp:69 -
-
-
- - - tftp udp:69 - - - - - - - - -
-
-
- manual push -
-
-
- - - manual push - - - - - - - -
-
-
-

- - https://git.psi.ch/linux-infra/network-boot-dmz - -
-

-
-
-
- - - https://git.psi.ch/linux-infra/network-boot-dm... - - - - - - - - -
-
-
- http/80 https/443 -
-
-
- - - http/80 https/443 - - - - - - -
-
-
- sysdb-dmz.psi.ch -
-
-
- - - sysdb-dmz.psi.ch - - - - - - -
-
-
- add additional parameter for the sysdb request -
-
-
- - - add additi... - - - - - - -
-
-
- client certificate / puppet uses this to identify the machine ? Does this work with a reverse proxy? -
-
-
- - - client certificate / puppe... - - - - - - - - -
-
-
- https:8086 -
-
-
- - - https:8086 - - - - - - - -
-
-
- F5 -
-
-
- - - F5 - - - - - - - - -
-
-
- https://influx-dmz.psi.ch -
-
-
- - - https://influx-dmz.psi.ch - - - - - - -
-
-
- All DMZ/Extranet/Tier3 Systems -
-
-
- - - All DMZ/Extranet/Tier3 Sy... - - - - - - -
-
-
- - puppet-dmz.psi.ch - -
-
-
- - - puppet-dmz.psi.ch - - - - - - -
-
-
- communication to be moved to F5 by May 2024 -
-
-
- - - communication to be moved... - - - - - - - -
-
-
- - /packages_misc -
- -
-
-
- - - /packages_misc - - - - - - - - -
-
-
- mirror/sync -
-
-
- - - mirror/sync - - - - - - - - - Text is not SVG - cannot display - - - - \ No newline at end of file diff --git a/engineering-guide/_static/uefi_boot.png b/engineering-guide/_static/uefi_boot.png deleted file mode 100644 index 660821b5..00000000 Binary files a/engineering-guide/_static/uefi_boot.png and /dev/null differ diff --git a/engineering-guide/_static/uefi_boot.puml b/engineering-guide/_static/uefi_boot.puml deleted file mode 100644 index 7eb8b7ce..00000000 --- a/engineering-guide/_static/uefi_boot.puml +++ /dev/null @@ -1,88 +0,0 @@ -@startuml - -actor admin -participant "UEFI Node" as bootnode -participant "QIP DHCP" as dhcp -participant "boot.psi.ch" as pxeserver -participant "sysdb.psi.ch" as sysdb -participant "repos.psi.ch" as reposerver - -admin -> bootnode : boots up - -hnote over bootnode - EFI -endhnote -bootnode -> dhcp : DHCP request -dhcp -> bootnode : IP + PXE boot location -bootnode -> pxeserver : load PXE kernel tftp:/tftpboot/shimx64.efi -bootnode -> pxeserver : load PXE kernel tftp:/tftpboot/grubx64.efi - - -hnote over bootnode - GRUB -endhnote -bootnode -> pxeserver : load PXE config tftp:/tftpboot/grub.cfg-01-$MAC -note right - By manually setting a MAC or IP config the - boot menu can be customised or shortcut. -end note -bootnode -> pxeserver : load PXE config tftp:/tftpboot/grub.cfg-$HEX-IP -bootnode -> pxeserver : load PXE config tftp:/tftpboot/grub.cfg -bootnode -> sysdb : load GRUB menu http:/grub/v1/config?mac=$MAC -note right - Default selection by sydb boot - property "local" or "netboot", - later automatically starts the - installer configured in sysdb - attribute "ipxe_installer". - Manually selectable are other - version of RHEL 7 and - "Windows and Tools Menus". -endnote - -admin -> bootnode : selects "Windows and Tools Menus" -note left - Now the automatic installation kicks in, - but here we show the manual detour over iPXE. -end note - -bootnode -> pxeserver : load iPXE kernel tftp:/tftpboot/ipxe.efi -note right - https://git.psi.ch/linux-infra/ipxe-build - The following steps are by embed/pxe.ipxe -end note - -hnote over bootnode - iPXE -endhnote -bootnode -> dhcp : DHCP request -dhcp -> bootnode : IP -bootnode -> sysdb : load iPXE menu http:/ipxe/v1/config?mac=$MAC -note right - Default selection by sydb boot - property "local" or "netboot", - later automatically starts the - installer configured in sysdb - attribute "ipxe_installer". - Manually selectable are all - Red Hat 7 versions and Red Hat 8 - alpha test version to install, - Windows, a selection of tools - and "HP SPP". -endnote -bootnode -> reposerver : load initrd http:/iso/rhel-server-7.9-x86_64-dvd/images/pxeboot/initrd.img -note left - Automatic installation in GRUB - directly jumps here without iPXE -end note -bootnode -> reposerver : load kernel http:/iso/rhel-server-7.9-x86_64-dvd/images/pxeboot/vmlinuz - -hnote over bootnode - Linux kernel -endhnote -bootnode -> reposerver : installation media http:/iso/rhel-server-7.9-x86_64-dvd/ -bootnode -> sysdb : kickstart file http:/kickstart/v1/config?fqdn=$HOSTNAME&instrepo=rhel-server-7.9-x86_64-dvd - -@enduml - - diff --git a/engineering-guide/accounts-and-groups.md b/engineering-guide/accounts-and-groups.md deleted file mode 100644 index d36239cb..00000000 --- a/engineering-guide/accounts-and-groups.md +++ /dev/null @@ -1,168 +0,0 @@ -# Accounts and Groups - -Linux accounts are generally stored and managed in Active Directory. - -## Account Types - -There are several types of accounts, which are usually indicated by a -prefix or suffix: - -- Normal accounts. No prefix or suffix. Older accounts are just last - names, newer accounts are LASTNAME_X, where X is the first letter of - the given name. -- Global accounts (or gac-accounts). These have a `gac-` prefix. These are shared accounts where several people know the password. Note that some global accounts were originially experiment accounts and share the properties of experiment accounts -- Administrator accounts. Marked with an `-adm` suffix. -- External users. These start with an `ext-` prefix and are provided - to external users, ie. those who are not PSI employees. -- Experiment accounts (or e-accounts). These start with `e` followed by the uid (+ some global accounts which where renamed later). - These are managed by the [Digital User Office (DUO)](https://duo.psi.ch). - The password is shared by all users involved in the experiment. -- Service accounts. These come with an `svcusr-` prefix and are used for running services. - -Official documentation on PSI IT account naming convention can be found [here](https://psi.service-now.com/psisp?sys_kb_id=c498a3cb1bff68502c5940498b4bcb44&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=4877d78687cc1d10bc150d830cbb3540) - -To be able to easily distinguish between the different account types, a user shall be assigned to - - | Unix Group | Accont Type | Test User | - |--------------------|-------------|-----------| - | `unx-lx_users` | normal user | `lx_test` | - | `unx-lx_adm_users` | administrator acccounts for normal users | `lx_test-adm` | - | `unx-lx_gac_users` | global accounts | `gac-lx_test` | - | `unx-lx_ext_users` | external accounts | `ext-lx_test` | - | `unx-lx_ext_adm` | external adm accounts (group should actually be named `unx-lx_ext_adm_users` but because of character limitations we abbreviated)| `ext-lx_test-adm`| - | `unx-lx_e_users` | experiment accounts | `e22284` | - | `unx-lx_svc_users` | service accounts accounts | `svcusr-lx_test`| - -The passwords for all these users are found in the [Shared Core Linux Secret Store](https://git.psi.ch/linux-infra/core-linux-secrets), except for `e22284` which is found in the [PSI e-account Password Manager](https://epwd.psi.ch/cred/detail/18556/). - -```{note} -unx-lx_ext_users - this group does not yet contain all ext accounts (only the ones that are currently in the scope of IAM - this should be fixed by end of January 2025 -``` - -### Policies -GAC accounts __must not__ be used for administrative tasks (also see: AW-95-17-02 Logical Access Control). Therefore membership in groups granting such privilidges is not permitted. - -## UID Allocation - - | UID | GID | | - |-------------------------|-------------------------|-------------------------------| - | 0 - 1000 | 100 - 1000 | local users / groups manually | - | 1000 - 9999 | 110 - 9999 | old AD accounts manually | - | 10000 - 29999 | 10000 - 29999 | e-accounts / p-groups Experiment prov. tool | - | 30000 - 61183 | 30000 - 61183 | new AD users / groups /external AD accounts OM | - | 61184–65519 | 61184–65519 | [systemd Dynamic Users](https://0pointer.net/blog/dynamic-users-with-systemd.html) | - | 70000 - 120000 | 70000 - 120000 | e-accounts / p-groups Experiment prov. tool | - | 123458 - 150000 | -10000 - -4294967296 | local AFS users / groups AFS | - | 200000 - 400000 | 200000 - 400000 | new AD users / groups /external AD accounts IAM | - | 2000000000 - 4294967296 | 2000000000 - 4294967296 | sub UID / GID for containers local Linux systems / local Windows subsystems for Linux | - - - -## AD Attribute Mapping - -For the [sssd-ldap(5)](https://man.archlinux.org/man/sssd-ldap.5.en) provider following mapping is used - - | passwd attribute | AD attribute | - |-----------|------------------------| - | username | `msSFU30Name` | - | UID | `msSFU30UidNumber` | - | GID | `msSFU30GidNumber` | - | home | `msSFU30HomeDirectory` | - | shell | `msSFU30LoginShell` | - -We are on the process to move to the [sssd-ad(5)](https://man.archlinux.org/man/sssd-ad.5.en) provider. There we need following attributes: - - | passwd attribute | AD attribute | - |-----------|---------------------| - | username | `sAMAccountName` | - | UID | `uidNumber` | - | GID | `gidNumber` | - | home | `unixHomeDirectory` | - | gecos | `gecos` | - -Note that the `loginShell` attribute for the shell shall not be set as we only want to support Bash as login shell in the future. - -Finally the [gecos field](https://en.wikipedia.org/wiki/Gecos_field) shall be generated from other already existing AD attributes: - -``` -,,,, -``` - -example: -``` -Konrad Bucheli,OBBA/230,+41563102724,,konrad.bucheli@psi.ch -``` -Note the field 4 (home/mobile number) we do not set, thus we have an empty field with two commas in a row. - - -## Primary Groups -By default the primary user group is `unx-nogroup` (710). The exception are experiment accounts, where the primary group is the corresponding g-group. - -If there are good reasons (example?) another primary group might be set. - -Except for the default `unx-nogroup`, a user shall always also be explicit member of his primary group (e.g. member of the g-group for experiment accounts). - -At PSI the user-private group scheme (UPG), the default on Red Hat -distributions, is **not** used. - -## Low GIDs - -A number of groups have very low GIDs (\<500), in particular: - - unx-fkt:*:101: - unx-lke:*:110: - unx-abe:*:120:stingelin - unx-aea:*:130: - unx-lmu:*:140: - unx-lem:*:141: - unx-muesr:*:150: - unx-asm:*:210: - unx-lrp:*:220: - unx-zrp:*:221: - unx-ash:*:230: - unx-ppt:*:280: - unx-pmr:*:290: - unx-cmt:*:301: - unx-lfk:*:310: - unx-lch:*:320: - unx-lns:*:330: - unx-lap:*:340: - unx-lmn:*:350: - unx-asq:*:360: - unx-crpp:*:370: - unx-psq:*:380: - unx-psz:*:390: - unx-gabe:*:402: - unx-lrs:*:410: - unx-lth:*:420: - unx-lwv:*:430: - unx-les:*:440: - unx-dtp:*:451: - unx-lsu:*:490: - - -## Special Accounts - -### `linux_ldap`: query LDAP - -The [linux_ldap]{.title-ref} account has read-only permissions on a -limited subset of the LDAP attributes. It is used by -[nslcd]{.title-ref}, for example, to query LDAP for users\' uid, gid, -etc. - -The password should not be shared unnecessarily, but it does not need to -be specifically protected either. In fact, in earlier releases of -Scientific Linux it was necessary to have [/etc/nslcd.conf]{.title-ref}, -which contains the password, world-readable. - -This account **must not** be given additional access or privileges. - -### `linuxadjoin.psi.ch@D.PSI.CH` - -This account is a pure AD account (ie it doesn\'t have Unix attributes -like uid), which is used to manage computer objects in AD automatically. -In particular, it is used to precreate computer objects to allow -password-less AD joins. - -The account is only used on the Puppet server and has no (known) -password. Instead a keytab is used to get a valid Kerberos ticket. diff --git a/engineering-guide/active-directory.md b/engineering-guide/active-directory.md deleted file mode 100644 index 37af137b..00000000 --- a/engineering-guide/active-directory.md +++ /dev/null @@ -1,61 +0,0 @@ -# Active Directory - -## Kerberos Realm and Settings - -The AD domain (ie the Kerberos realm) is D.PSI.CH, **not** PSI.CH. The maximum -lifetime of a ticket is about a day, and a ticket can be renewed for about a -week. - - -## Domain Controllers - -In most networks `d.psi.ch` resolves to the correct names/IPs. One exception -is the DMZ. - -The domain controllers that are used internally are: - -- `dc00` -- `dc01` -- `dc02` - -In the DMZ we need to use these instead: - -- `rodc00` -- `rodc01` - -It is important to note that the SSL certificates for the internal DCs are -**not** signed for `dc0n.psi.ch`, but `dc0n.d.psi.ch` (note the extra `d`). -In certain contexts (eg in [`sssd.conf(5)`](https://linux.die.net/man/5/sssd.conf)) specifying the DCs as -`dc0n.psi.ch` fails because of this. - - -## Linux Computer Objects - -Computer objects for Linux systems are created in -`OU=linux,OU=servers,OU=psi,DC=d,DC=psi,DC=ch` or `OU=linux,OU=computers,OU=psi,DC=d,DC=psi,DC=ch` (workstation and consoles). - -We perform the join password-less, by pre-creating the computer object using a -script running on the Puppet master. - -As the AD only support [computer account aka NetBIOS names with maximum 15 characters](https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou#netbios-computer-names) it shortens longer hostnames down to the first 15 characters. This is a bit unfortunate as this name has to be unique as it serves as primary identifier in the AD. -To work around this limitation we use a different NetBIOS name if the hostname is longer than 15 characters which is less prone to collisions ([inspiration](https://www.beyondtrust.com/docs/ad-bridge/how-to/delegate-domain-join-privileges/ad-naming-limitations.htm)). - -The actual NetBIOS name we use for these hosts is the first 7 characters of the name, then a `-` followed by the last 7 characters of the SHA256 hash of the fully qualified domain name. To check the NetBIOS name of a given host run - -``` -klist -t -k /etc/krb5.keytab -``` -and look at the first entry, here for an example with a sufficiently short name: -``` - 15 07.03.2023 09:23:02 PUPPET01$@D.PSI.CH -``` -here `lx-sysdb-test-00.psi.ch` which gets a hashed NetBIOS hostname -``` - 3 05/12/23 08:39:15 lx-sysd-3563a67$@D.PSI.CH -``` -or `merlin-export-01.psi.ch` which has an automatically shortend NetBIOS name which was joined before we started to use the hashed NetBIOS hostnames: -``` - 7 29.10.2019 11:24:04 MERLIN-EXPORT-0$@D.PSI.CH -``` - - diff --git a/engineering-guide/boot_server.md b/engineering-guide/boot_server.md deleted file mode 100644 index 1062b26c..00000000 --- a/engineering-guide/boot_server.md +++ /dev/null @@ -1,9 +0,0 @@ -# Boot Server - -## Troubleshooting - -To troubleshoot the tftp server / tftp queries check the tftpserver logs as follows: - -```bash -journalctl -u tftp.service -``` diff --git a/engineering-guide/gitea-dmz.md b/engineering-guide/gitea-dmz.md deleted file mode 100644 index 1a6db66f..00000000 --- a/engineering-guide/gitea-dmz.md +++ /dev/null @@ -1,2 +0,0 @@ -# Gitea Production Documentation -![Gitea](gitea/gitea_setup.png) diff --git a/engineering-guide/gitea.md b/engineering-guide/gitea.md deleted file mode 100644 index eb280fe5..00000000 --- a/engineering-guide/gitea.md +++ /dev/null @@ -1,106 +0,0 @@ -# Gitea Test Server -Documentation about the setup for reproducability. -There is an additional data disk, mapped to /srv that contains all Gitea data. -All code can be found here: https://gitea-test.psi.ch/lx/Gitea - -## Docker Compose - -### Connectivity -The compose file has 2 Networks, `public` to talk to the outside world and `gitea` that acts as a backend network. Docker has full access to names, ports and IPs as long as its in the same network. -The Nginx container has both networks to act as proxy. - -The proxy container has two ports exposed for `HTTP` and `HTTPS`, the Gitea container exposes `SSH` on port 222. - -### Users and Passwords -Username and Passwords are held in a .env file and are referenced like such `${SERVICE_USER}`. Mentioned passwords and keys can also be found in the lx password store. -In case of a fresh installation, the `GITEA_RUNNER_REGISTRATION_TOKEN` , `OG_GITEA_SECRET` , `OG_GITEA_CLIENT_KEY` and the `Caddy Token` need to be created when the gitea server is running and an administrator account is created. - -Gitea's `USER_ID` mapping is for the local git user. Correct IDs can be gathered from `/etc/passwd` - -### Functionality -`docker compose up -d` starts all networks and containers that are not running or that have been changed in the compose file. `-d` starts in detached mode. -`docker compose down "Service"` destroys the container of a specific service. -`docker compose restart "Service"` Restart a container to apply configuration changes. - -## Proxy -All certificates are in the RHEL standard location, under `/etc/pki/tls/[certs,private]`. These folders are linked into the nginx container as read only, to be used in `/nginx/conf.d/*.conf` -The image is using the tag :latest to always keep it up to date. - -## Gitea -### SSH -To be able to use Gitea with SSH, a SSHIM is configured. The git users .ssh directory is mapped inside the container. Every public key uploaded in the Gitea Web UI is therefore saved on the host `/home/git/.ssh/authorized_keys`, forwarding all ssh traffic from the git user to localhost:222 which is then picked up by the docker network and sent to port 22 in the gitea container. - -``` - sudo -u git ssh-keygen -t ecdsa -b 521 -C "Gitea Host Key" - sudo -u git cat /home/git/.ssh/id_ecdsa.pub | sudo -u git tee -a /home/git/.ssh/authorized_keys - sudo -u git chmod 600 /home/git/.ssh/authorized_keys - cat <<"EOF" | sudo tee /usr/local/bin/gitea - #!/bin/sh - ssh -p 222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@" - EOF - sudo chmod +x /usr/local/bin/gitea -``` - -### Authentication -- User Filter -Important to notice is that `(sAMAccountName=%s)` is a placeholder for the users login name to be queried correctly. Username Attribute must be sAMAccountName respectively. -`(&(objectCategory=Person)(sAMAccountName=%s)(memberOf=CN=m365-app_git_access,OU=organizational,OU=Groups,OU=psi,DC=d,DC=psi,DC=ch)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))` - -- Admin Filter -`(memberOf=CN=unx-lx_eng,OU=Groups,OU=psi,DC=d,DC=psi,DC=ch)` - -- Group Search Base Dn -`OU=Groups,OU=psi,DC=d,DC=psi,DC=ch` - -- Paged Search with 1000 results - -- Synchronisation is disabled, that only users are created that have logged in. - -https://docs.gitea.com/administration/authentication - -### Mail -Connection to the on prem mailserver need to be requested. Login is secured with `smtp+starttls` - -https://docs.gitea.com/administration/email-setup - -### GPG -The git user has a GPG key configured. To not have to tinker with any sudo permissions the key is generated as the root user and imported for the git user. (There is a better solution, please educate me :)) -Since the git user inside the container has its home in /data/git/ but gitea runs its own home directory, its important to have `[git]HOME_PATH = /data/git` that the git user can sign commits with its key. - -``` -*In roots home* -gpg --full-generate-key -gpg --output private.pgp --armor --export-secret-key gitea@psi.ch -mv private.gpg /home/git/ -su git -cd -gpg --import private.pgp -gpg --list-secret-keys --keyid-format LONG -``` - -`[user]signingkey = SUPERSECRETSIGININGKEYNOTSUITABLEFORDOCUMENTATION` must be added to the git users .gitconfig - -https://docs.gitea.com/administration/signing - -## Database -Database just needs login information created beforehand and shared in gitea and db compose section and .env. -SSL can be configured additionaly - Maybe todo? - -## Pages -Pages are exposed with a caddy webserver in a container that queries the Gitea API for the keyword `gitea-pages`. An application token needs to be created beforehand to start the container (I used the administrators account). -Profile and settings... -> User Settings -> Applications -> Generate new token. With read permissions on organisation and repository. -Add the generated token to the Caddyfile. - -https://github.com/42wim/caddy-gitea - -## Snippets -The `OG_GITEA_CLIENT_KEY` and `OG_GITEA_SECRET` need to be created as administrator in Gitea. -Site Administration -> Admin Settings -> Applications. The redirect URI is `https://snippets-test.psi.ch/oauth/gitea/callback` - -https://github.com/thomiceli/opengist - -## Runner -That Docker in Docker works the Runner needs to have `/var/run/docker.sock` mapped into the container and the runner must be set to privileged `privileged: true` in the runner config. A default config can be generated with `./act_runner generate-config` - -https://docs.gitea.com/usage/actions/act-runner - diff --git a/engineering-guide/gitea/gitea_setup.png b/engineering-guide/gitea/gitea_setup.png deleted file mode 100644 index 5541b4b2..00000000 Binary files a/engineering-guide/gitea/gitea_setup.png and /dev/null differ diff --git a/engineering-guide/icinga2.md b/engineering-guide/icinga2.md deleted file mode 100644 index 8417193c..00000000 --- a/engineering-guide/icinga2.md +++ /dev/null @@ -1,138 +0,0 @@ -# Icinga2 Architecture/Design/Setup - -We want to support monitoring of the Linux machines in Icinga2. The Icinga2 infrastructure as such is maintained by AIT, currently mainly Heinz Scheffler, with Bernard Bumbak as deputy. - -## Icinga2 Servers - -- PROD [monitoring.psi.ch](https://monitoring.psi.ch/) (Loadbalancer) - - Primary [vemonma01a.psi.ch](https://vemonma01a.psi.ch/) (with Icinga Director) - - Secondary [wmonma01b.psi.ch](https://wmonma01b.psi.ch/) - -- DEV - - Primary [vmonma02a.psi.ch](https://vmonma02a.psi.ch/) (with Icinga Director) - - Secondary [vmonma02b.psi.ch](https://vmonma02b.psi.ch/) - - -## Automated Host Configuration - -The Linux part of the Icinga2 Master configuration is manged using Ansible in the [`icinga_master` role in the `bootstrap` repo](https://git.psi.ch/linux-infra/bootstrap/-/tree/prod/ansible/roles/icinga_master). - -For Puppet managed nodes there is an automated import pipeline using the Icinga Director. For the central infrastructure itself there is a predefined Configuration Basket snapshot which is installed by manual Ansible run. - -Configuration which is shared and used by both type of systems are found in the [`awi-lx-basic` Configuration Basket](https://git.psi.ch/linux-infra/bootstrap/-/blob/prod/ansible/roles/icinga_master/files/etc/icingaweb2/psi/lx-core/Director-Basket_awi-lx-basic.json) - -### Puppet Managed Nodes - -The individual host configuration is automatically generated using already known information from -- Sysdb (inventory of nodes) -- Hiera (configuration and customization of the nodes) -- Puppet Facts (OS version, attached networks, partitions) -- NetOps (security levels of networks, needed for selecting the correct Icinga2 Satellite) - -![high level idea of Linux computer data import to Icinga2](icinga2/icinga2_import_big_picture.png) - -#### Import of Hiera Data to Sysdb - -TODO - -#### Import of Puppet Facts to Sysdb - -TODO - -#### Import of NetOps Data - -TODO - -#### Import into Director -What in the overview diagram is one arrow, is a bit more complicated when implemented: - -![high level idea of Linux computer data import to Icinga2](icinga2/icinga2_import.png) - -It contains two parts: -- the import of host information (a bit simpler) -- the import of notification users (a bit more complex). - -The import as such is triggered every 10 minutes by the `sysdb-director-import` timer. - -To avoid interference with manual Director change operations the import script checks first if there are no undeployed objects. If so it it will not run. - -A Director import pipeline needs first a Import Source which imports the data from an external source. The second element is the Sync Rule which then creates actual Director objects out of the data provided by one or more Import Sources - -##### Director Import of Host Information - -The Icinga Director import pipeline is provides as [Configuration Basket template `awi-lx-sysdb`](https://git.psi.ch/linux-infra/bootstrap/-/blob/prod/ansible/roles/icinga_master/templates/Director-Basket_awi-lx-sysdb.json). - -The pipeline for host groups imports the list of sysdb host groups and the filter to select the hosts where the group name is listed in the `host.vars.host_groups` array of the host. - -The host import contains all the special configuration for a host. But there we need two sync rules, where `awi-lx-sysdb-host-sync-rule` creates and fills the host object. - -The second `awi-lx-sysdb-service-override-sync-rule` just fills `host.vars._override_servicevars` which the Director does not touch in the normal import. -The reason is that this variable stores usually manual serice override changes made in Director, an those should survive normal imports. But as we also manage these in Hiera, we need a `Update only` sync rule which allows also to set this variable. - -##### Director Import of Notification Users -Here the actual user information comes from the AD. But as we do not import all users, but only those who want to be notified, we also need to modify what is being imported. - -An LDAP filter selects these users specificly. The filter has three sections: -- users we do not want (service users, etc) -- departments we want -- notification users for Linux machines - -The LDAP filter is created on one side out of `ignore_list.conf` and `department_list.conf` which are managed by AIT/Icinga2 Team. The second part is read from the Sysdb API (`user_list.conf`). Together the Configuration Basket `Director-Basket_icinga-notification-user-import.json` which contains the full notification user import pipeline (import source `icinga-notification-user-import` and sync rule `icinga-notification-user-sync-rule` which also get updated always on an import run, before they are then actually triggered. - -### Ansible Managed Central Infrastructure (e.g. Puppet Server) -TODO - -## Development of Icinga Director Import Pipeline - -The base are always the Configuration Basket snapshots (JSON files) which we have in Git. -For changes either change them directly or change them in the Icinga Director web UI and then create a new snapshot of the according Configuration Basket, download it, modify if necessary, e.g. if it is templated as for the Sysdb import pipeline -and then commit it to the git repo. - -The rollout into production is then done with the bootstrap Ansible role for the Icinga2 Master nodes. -Note that it will only attempt to import the Configuration Basket snapshot as provided from git when the file changes on disk. So if there is an failure during the import, best delete them on the Icinga2 Master: -``` -rm /etc/icingaweb2/psi/lx-core/* -``` - -Further there is an issue with updated Sync Rules in the Configuration Basket snapshot. There is a [bug which makes their property list not updated on import](https://github.com/Icinga/icingaweb2-module-director/issues/2779). To work around you need to delete the Sync Rule manually in the Icinga Director UI. They cannot be deleted from shell with `icingacli director` ([feature request](https://github.com/Icinga/icingaweb2-module-director/issues/2706)). - -## Bootstrap - -The Icinga2 infrastructure is maintained and prepared by AIT. Following items need to be prepared from their side: -- basic setup of Icinga2 Master -- addition of the Icinga Director module -- addition of the Fileshipper module with following configuration (`/etc/icingaweb2/modules/fileshipper/imports.ini`): - ``` - [Import AWI Linux Infrastructure Servers] - basedir = "/etc/icingaweb2/psi/lx-core" - ``` -- in `roles.ini` have a `Generic User Role` with read/monitoring-only permissions -- the `/etc/icingaweb2/psi/merge-roles-ini.py` script provided by AIT to be able to merge in roles via Ansible/Sysdb API -- access to the AD with and LDAP import source named `LDAP PSI` - -From our side we need the following manual setup -- prepare the Scheduled Downtime `Generic Linux Alert Suppression` (cannot be imported with Configuration Basket, see [feature request](https://github.com/Icinga/icingaweb2-module-director/issues/2795)) with - - Downtime name: `Generic Linux Alert Suppression` - - Author: `Core Linux Research Services` - - Comment: - ``` - By default manged RHEL systems do not alert or send notifications, they just collect monitoring information in Icinga2. - To enable alerting, set in Hiera: - icinga2::alerting::enable: true - ``` - - Fixed: `Yes` - - Disabled: `No` - - Apply to: `Hosts` - - With Services: `Yes` - - Assign where: `host.vars.lx_disabled_alerting` `is true (or set)` - - and finally on "Ranges" add a range with - Days: `january 1 - december 31` - Timeperiods: `00:00-24:00` -- run the Ansible playbook: - ``` - ansible-playbook -i inventory_test.yaml --vault-pass-file ./vault-pass prepare_icinga_master.yaml - ``` - or for production - ``` - ansible-playbook -i inventory.yaml -i inventory_dmz.yaml --vault-pass-file ./vault-pass prepare_icinga_master.yaml - ``` diff --git a/engineering-guide/icinga2/icinga2_import.png b/engineering-guide/icinga2/icinga2_import.png deleted file mode 100644 index 4414be78..00000000 Binary files a/engineering-guide/icinga2/icinga2_import.png and /dev/null differ diff --git a/engineering-guide/icinga2/icinga2_import.puml b/engineering-guide/icinga2/icinga2_import.puml deleted file mode 100644 index c461fe67..00000000 --- a/engineering-guide/icinga2/icinga2_import.puml +++ /dev/null @@ -1,59 +0,0 @@ -@startuml - -node "Icinga2 Master" as master { - control "= sysdb-director-import.timer" as import_timer #line.bold - file "sysdb-director-import" as import_script - component "Director" as director { - component "awi-lx-sysdb-hostgroup-import" as hostgroup_import - component "awi-lx-sysdb-hostgroup-sync-rule" as hostgroup_sync - component "awi-lx-sysdb-host-import" as host_import - component "awi-lx-sysdb-host-sync-rule" as host_sync - component "awi-lx-sysdb-service-override-sync-rule" as service_override_sync - component "icinga-notification-user-import" as user_import - component "icinga-notification-user-sync-rule" as user_sync - } - together { - file "user_and_group_list.conf" as user_and_group_list - file "department_list.conf" as department_list - file "ignore_list.conf" as ignore_list - } - file "generate_icinga_notification_user_import_basket.py" as notification_user_basket_generator - file "Director-Basket_icinga-notification-user-import.json" as notification_user_basket - note top of notification_user_basket : adapted LDAP filter - ' make it stand out, = is for large text - folder "= Icinga2 configuration" as icinga2_configuration #line.bold -} -node "Sysdb Server" as sysdb_server { - component "Sysdb API" as sysdb_api { - ' component "icinga2/v1/roles" as sysdb_api_roles - component "icinga2/v1/hostgroups" as sysdb_api_hostgroups - component "icinga2/v1/hosts" as sysdb_api_hosts - component "icinga2/v1/ad_notification_users" as sysdb_api_roles_ad_notification_users - } -} -database "AD" as ad - -import_timer -[dashed]down-> import_script : "triggers" -import_script -[dashed]down-> director : triggers imports, sync rules and deployment -import_script -[dashed]up-> user_and_group_list : downloads -import_script -[dashed]right-> notification_user_basket_generator : runs - -sysdb_api_hostgroups ==> hostgroup_import -hostgroup_import --> hostgroup_sync - -sysdb_api_hosts ==> host_import -host_import --> host_sync -host_import --> service_override_sync - -sysdb_api_roles_ad_notification_users ==> user_and_group_list -notification_user_basket_generator -[dashed]-> notification_user_basket : generates -user_and_group_list --> notification_user_basket -department_list --> notification_user_basket -ignore_list --> notification_user_basket -notification_user_basket --> user_import -ad ==> user_import -user_import --> user_sync - -director ==> icinga2_configuration - -@enduml diff --git a/engineering-guide/icinga2/icinga2_import_big_picture.png b/engineering-guide/icinga2/icinga2_import_big_picture.png deleted file mode 100644 index fbfe20d9..00000000 Binary files a/engineering-guide/icinga2/icinga2_import_big_picture.png and /dev/null differ diff --git a/engineering-guide/icinga2/icinga2_import_big_picture.puml b/engineering-guide/icinga2/icinga2_import_big_picture.puml deleted file mode 100644 index c6fb5fd5..00000000 --- a/engineering-guide/icinga2/icinga2_import_big_picture.puml +++ /dev/null @@ -1,20 +0,0 @@ -@startuml - -skinparam componentStyle rectangle - -component "Icinga2 Master" as master -component "Director" as director -database "Sysdb" as sysdb -database "NetOps" as netops -database "Hiera" as hiera -database "Puppet Facts" as facts -interface "Sysdb API" as sysdb_api - -sysdb --> sysdb_api -hiera --> sysdb_api -facts --> sysdb_api -netops --> sysdb_api -sysdb_api --> director -director --> master - -@enduml diff --git a/engineering-guide/index.md b/engineering-guide/index.md deleted file mode 100644 index 267e5b99..00000000 --- a/engineering-guide/index.md +++ /dev/null @@ -1,4 +0,0 @@ -# Engineering Guide - -```{tableofcontents} -``` diff --git a/engineering-guide/influx.md b/engineering-guide/influx.md deleted file mode 100644 index dd17c0bc..00000000 --- a/engineering-guide/influx.md +++ /dev/null @@ -1,55 +0,0 @@ -# Metrics Server - Influx DB - -This is puppet managed: -https://git.psi.ch/linux-infra/hiera/data-lx/blob/master/default/lx-influx-01.psi.ch.yaml - -Runs the influxdb backend for the metrics.psi.ch service, as part of the telegraph, influxdb and grafana stack. - -Data is stored at `/var/lib/influxdb` "locally" on the virtual machine. -The influx configuration can be found `/etc/influxdb/influxdb.conf` - - -# Administration Influx Database - -Connect to the influx server -```bash -ssh influx.psi.ch -``` - -Connect to the influx database: -```bash -influx -``` - -Now you should have the prompt of the influx cli client - - -Show all databases -```bash -show databases -``` - -Switch to a database: -```bash -use "database_name" -``` - -Show all measurements -```bash -show measurements -``` - -Show all series (of all measurements) -```bash -show series -``` - -Show all series for a particular host: -```bash -show series where "host" = 'lx-puppet-01.psi.ch' -``` - -Delete all series for a particular host: -``` -DROP SERIES FROM /.*/ WHERE "host" = 'lx-puppet-01.psi.ch' -``` \ No newline at end of file diff --git a/engineering-guide/infrastructure_administration.md b/engineering-guide/infrastructure_administration.md deleted file mode 100644 index cdda716c..00000000 --- a/engineering-guide/infrastructure_administration.md +++ /dev/null @@ -1,128 +0,0 @@ -# Infrastructure Administration - -## How to Grant a Access to bob/sysdb - -bob is making http calls to the sysdb app. Authorization (https://git.psi.ch/linux-infra/sysdb#authentication-and-authorization) is done via krb5 tokens. Operations outside of environments (creating/changing the owner of/deleting environments) needs to be done by a sysdb admin, ie someone who is a member of the group sysdb-admins. Group membership of the authenticated users is evaluated on the OS level on sysdb.psi.ch. So group memberships can be set both locally or in the AD. This makes it a bit confusing, but both are used. - - -For the envs (bob env list), only adding and listing are implemented in bob, any other operation, like deletion or modification can only be performed in the sysdb sqlite database itself. - -Each env can only have one user and one group assigned to it. - - -To grant access to different environments data-xxx repositories normal Git access control is used. -Nothing overrides the access control of the git server. - - -## SSH Certificates / Signing Public User Keys - -Generate a ssh key e.g. as follows: -```bash -ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/linux_id_ed25519 -``` - -Use the [user ca certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg), but this is automated by pasting below function into your shell -```bash -function sign-user-ssh-key { - ( - name="$1" - pubkey="$2" - - # let the private key flow through a named pipe - # so it never ends up on the file system - - umask 077 - pipe_base="$(mktemp)" # MacOS does not know about --dry-run - pipe="${pipe_base}.pipe" - echo "mkfifo '$pipe'" - mkfifo "$pipe" || return 1 - [ -p "$pipe" ] || return 1 - echo "pass ssh-ca/user-ca > '$pipe' &" - pass ssh-ca/user-ca > "$pipe" & - echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'" - ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey" - echo "rm '$pipe' '$pipe_base'" - rm "$pipe" "$pipe_base" - ) -} -``` -and run it with the user name as principal and the public key file -``` -sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE -``` - -More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/ - - -## Unix Groups - -Currently we have following AD groups to grant access to certain services/systems: - -| Group | Notes | -| ---- | ---- | -| unx-lx_eng | Member of linux engineering - used to give access to management NFS filesystem, sysdb, ... | -| unx-lx_support | used to give Linux supporters access to systems/services | -| unx-puppet_adm -| associated with lxdev environment/systems | -| unx-puppet_dev | developer of puppet code | -| unx-puppet_usr | user of puppet (i.e. need access to linux-infra group/repos) | -| unx-lx_users | all personal linux accounts at PSI (directly updated from SAP) | -| unx-lx_grafana_adm | Grafana Administrators | -| unx-lx_grafana_edi | Group with Grafana editor rights | - -These two groups are used within Service now to assign tickets: -| Group | -| ---- | -| itsm-linux | -| itsm-linux_2nd | - -Access VM infrastructure for linux core employees: -| Group | Notes | -| ---- | ---- | -| VC_Admins_Linux | Access to the PSI VM Infrastructure | - -## AD Users -| Group | Notes | -| ---- | ---- | -| lx-netops-api | (keytab) Used to access the netops api | -| lx_ad_join | (keytab) Used to join a machine to AD | -| linux_ldap ???? | was registered by Derek (he is noted as responsible in AD) - used for ???? | - - -## linux.psi.ch -linux.psi.ch is hosted from this git repo as git pages. There is a proxy entry for the domain name linux.psi.ch on the F5 reverse proxy, that is managed by the network team, to reach the git pages by https://linux.psi.ch - -The HTTPS certificates of the domain linux.psi.ch is managed by the network team. - -## Email Lists - -### linux@psi.ch - -Right now following people are on the list: -- Marc Caubet -- Derek Feichtinger -- Peter Huesser -- Rene Kapeller -- Gilles Martin -- Leonardo Sala -- Ivano Talamo -- Alvise Dorigo -- Joshua Taylor -- Simon Ebner -- Konrad Bucheli - -This email list is administered by Outlook in the following way (if you have manager right): - -- Open outlook and go to the address book - -![outlook_01.png](infrastructure_administration/outlook_01.png) - -- Search for the PSI.Linux mailing list and double click - -![outlook_02.png](infrastructure_administration/outlook_02.png) - -- Go to modify members (you only see this if you are a manager) - -![outlook_03.png](infrastructure_administration/outlook_03.png) -- Click on Add and add a new email address - -![outlook_04.png](infrastructure_administration/outlook_04.png) diff --git a/engineering-guide/infrastructure_administration/outlook_01.png b/engineering-guide/infrastructure_administration/outlook_01.png deleted file mode 100644 index 159f38e4..00000000 Binary files a/engineering-guide/infrastructure_administration/outlook_01.png and /dev/null differ diff --git a/engineering-guide/infrastructure_administration/outlook_02.png b/engineering-guide/infrastructure_administration/outlook_02.png deleted file mode 100644 index 56b4b983..00000000 Binary files a/engineering-guide/infrastructure_administration/outlook_02.png and /dev/null differ diff --git a/engineering-guide/infrastructure_administration/outlook_03.png b/engineering-guide/infrastructure_administration/outlook_03.png deleted file mode 100644 index f44f846a..00000000 Binary files a/engineering-guide/infrastructure_administration/outlook_03.png and /dev/null differ diff --git a/engineering-guide/infrastructure_administration/outlook_04.png b/engineering-guide/infrastructure_administration/outlook_04.png deleted file mode 100644 index b95ac4e7..00000000 Binary files a/engineering-guide/infrastructure_administration/outlook_04.png and /dev/null differ diff --git a/engineering-guide/infrastructure_systems.md b/engineering-guide/infrastructure_systems.md deleted file mode 100644 index b0841dfb..00000000 --- a/engineering-guide/infrastructure_systems.md +++ /dev/null @@ -1,53 +0,0 @@ -# Infrastructure Systems - -![](_static/overview_linux.drawio.svg) - -## Core Infrastructure -1. [boot.psi.ch](boot_server.md) - TFTP server for PXE booting -2. [sysdb.psi.ch](sysdb_server.md) - Runs sysdb, providing the dynamic iPXE, Grub and kickstart files -3. [repos.psi.ch](repo_server.md) - Repository server -4. [puppet.psi.ch](puppet_server.md) - puppet.psi.ch - Puppet server ----- -5. [lx-sync-01.psi.ch](sync_server.md) - System to mirror external yum repositories / packages / ... -6. lx-cache-pypi-01 - PYPI cache server ----- -7. [lxweb00](lxweb00) - http://linux.web.psi.ch - __legacy__ - 129.129.190.46 - Exports further repositories from AFS - - -### Dependencies -The core infrastructure systems only have a dependency on __lx-fs.psi.ch__. Once this dependency is up and running the systems should be started according to the numbering above. - -## Additional Infrastructure - -Git Server: -1. git00.psi.ch - Internal git server (git.psi.ch) -2. lx-gitrunner-01.psi.ch - Shared git runner server - -Git Server DMZ: -1. gitdmz00.psi.ch - External git server (gitlab.psi.ch) - -SSH Gateways: -1. wmgt*.psi.ch - Central SSH gateway for admins -2. *-gw.psi.ch - SSH gateways to facility/machine/beamline/lab networks - -Management System -1. lx-gmgt-01.psi.ch - Management server for WBGB Servers - -Monitoring: -1. [lx-influx-01.psi.ch](influx) - Influx database server -2. [lx-metrics-01.psi.ch](metrics) - https://metrics.psi.ch - Grafana frontend for Influx - -Monitoring -1. [Icinga2](icinga2) - Icinga2 (operated by AIT) - - -Sysdb Access Supporters: -1. [lxsup.psi.ch](lxsup) - Standard node for the linux support, primarily to run bob - -## Enduser Systems - -1. cpw.psi.ch - Node to change passwords -2. [login.psi.ch](login) - Set of nodes for enduser use - -3. lx-term.psi.ch - RDP Linux terminal server -4. [nx-term.psi.ch](https://nx-term.psi.ch) - NoMachine NX Linux terminal server diff --git a/engineering-guide/initial_setup.md b/engineering-guide/initial_setup.md deleted file mode 100644 index b9a2585f..00000000 --- a/engineering-guide/initial_setup.md +++ /dev/null @@ -1,53 +0,0 @@ -# Initial Infrastructure Setup - -This document describes the steps needed for the initial infrastructure setup (in case everything needs to be bootstrapped from scratch) - -This would be the sequence the systems need to be set up: -- lx-boot-xx (boot.psi.ch, boot-dmz.psi.ch) -- lx-repos-xx (repos.psi.ch, repos-dmz.psi.ch) -- lx-sysdb-xx (sysdb.psi.ch) -- lx-puppet-xx (puppet.psi.ch) - -The steps involved to bootstrap the boot server and the repository server are the following: - -1. Create the VM in vcenter (Make sure secure boot is disabled!) -1. Get the latest RedHat RHEL iso from somewhere (i.e. ETH Red Hat Satellite or directly from [Red Hat](https://access.redhat.com/downloads)) - - There are two ISOs, one ~900MB and one ~11GB (RHEL8). The smaller one is able to boot and start the installation of the system, however it requires a network based repository for the installation (i.e. the content of the unpacked ISO need to be available via http(s)) - With the bigger one the system can be completely installed. - -1. Generate a kickstart file for the system in the https://git.psi.ch/linux-infra/bootstrap repository - - For the DMZ server the ip of the DNS server needs to be different in DMZ `--nameserver=192.168.70.5` - -1. Create a new iso including the generated kickstart file via the [mkksiso](https://weldr.io/lorax/mkksiso.html) utility: - ``` - mkksiso lx-boot-dmz-01.psi.ch.ks rhel-8.7-x86_64-boot.iso lx-boot-dmz-01-rhel-8.7-x86_64-boot.iso - ``` - Alternatively create a second iso file with just the kickstart file. Place the kickstart file as `ks.cfg` in an directory and run: - ``` - mkisofs -volid OEMDRV -output $TARGET_HOSTNAME-kickstart.iso $DIR_WITH_KICKSTART_FILE - ``` - -1. Remote Login (via RDP) to vmsmgt.psi.ch and mount the ISO to the VM - - 1. Make the generated iso accessible to the machine vmsmgt.psi.ch - - 1. Open vcenter.psi.ch in the browser, search the virtual machine you want to mount the ISO to. Click on __Launch Remote Console__ - ![](initial_setup/launch_remote_console.png) - - 1. This will open the VMWare Remote Console program. To mount the ISO do the following (Pay attention that the __"Connect at Boot"__ option is checked): - ![](initial_setup/mount_iso_menu.png) - ![](initial_setup/mount_iso.png) - - 1. If you have a separate kickstart iso file, you need two CD drives and connect both iso files. - - 1. Start the VM to trigger the install - -```{note} -For the initial setup of boot and repos server in the DMZ a temporary firewall access rule need to be enabled to the PSI internal server https://repos.psi.ch -``` - -## References -- https://weldr.io/lorax/mkksiso.html -- https://access.redhat.com/solutions/60959 -- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/starting-kickstart-installations_installing-rhel-as-an-experienced-user#doc-wrapper - diff --git a/engineering-guide/initial_setup/launch_remote_console.png b/engineering-guide/initial_setup/launch_remote_console.png deleted file mode 100644 index e01dddc4..00000000 Binary files a/engineering-guide/initial_setup/launch_remote_console.png and /dev/null differ diff --git a/engineering-guide/initial_setup/mount_iso.png b/engineering-guide/initial_setup/mount_iso.png deleted file mode 100644 index 1fc65d8b..00000000 Binary files a/engineering-guide/initial_setup/mount_iso.png and /dev/null differ diff --git a/engineering-guide/initial_setup/mount_iso_menu.png b/engineering-guide/initial_setup/mount_iso_menu.png deleted file mode 100644 index 3c9a69e6..00000000 Binary files a/engineering-guide/initial_setup/mount_iso_menu.png and /dev/null differ diff --git a/engineering-guide/ipxe.md b/engineering-guide/ipxe.md deleted file mode 100644 index 7e18be0f..00000000 --- a/engineering-guide/ipxe.md +++ /dev/null @@ -1,116 +0,0 @@ -# PXE-booting with iPXE - -## UEFI - -iPXE supports UEFI and so do we. This requires the ``ipxe.efi`` boot image. - -Instructions how to copy the necessary grub files to the tftp server: -https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/chap-installation-server-setup#sect-network-boot-setup-uefi -(alternatively one can also copy the files from the /boot/efi/EFI/redhat/ directory of an installed system) - -``` -[root@ tmp]# cd /tmp -[root@ tmp]# curl -OL http://repos.psi.ch/rhel9/iso/rhel-baseos-9.1-x86_64-dvd/BaseOS/Packages/shim-x64-15.6-1.el9.x86_64.rpm - % Total % Received % Xferd Average Speed Time Time Time Current - Dload Upload Total Spent Left Speed -100 471k 100 471k 0 0 92.0M 0 --:--:-- --:--:-- --:--:-- 92.0M -[root@lx-repos-01 tmp]# curl -LO http://repos.psi.ch/rhel9/iso/rhel-baseos-9.1-x86_64-dvd/BaseOS/Packages/grub2-efi-x64-2.06-46.el9.x86_64.rpm - % Total % Received % Xferd Average Speed Time Time Time Current - Dload Upload Total Spent Left Speed -100 1333k 100 1333k 0 0 8550k 0 --:--:-- --:--:-- --:--:-- 8550k -[root@ tmp]# rpm2cpio shim-x64-15.6-1.el9.x86_64.rpm | cpio -dimv -./boot/efi/EFI/BOOT/BOOTX64.EFI -./boot/efi/EFI/BOOT/fbx64.efi -./boot/efi/EFI/redhat/BOOTX64.CSV -./boot/efi/EFI/redhat/mmx64.efi -./boot/efi/EFI/redhat/shim.efi -./boot/efi/EFI/redhat/shimx64-redhat.efi -./boot/efi/EFI/redhat/shimx64.efi -9232 blocks -[root@ tmp]# rpm2cpio grub2-efi-x64-2.06-46.el9.x86_64.rpm | cpio -dimv -./boot/efi/EFI/redhat/grubx64.efi -./boot/grub2/fonts -./boot/grub2/fonts/unicode.pf2 -./boot/grub2/grubenv -./boot/loader/entries -./etc/dnf/protected.d/grub2-efi-x64.conf -./etc/grub2-efi.cfg -./etc/grub2.cfg -9612 blocks -[root@ tmp]# ls boot/efi/EFI/redhat/ -BOOTX64.CSV grubx64.efi mmx64.efi shim.efi shimx64.efi shimx64-redhat.efi -[root@ tmp]# ls -la boot/efi/EFI/redhat/ -total 6088 -drwxr-xr-x. 2 root root 122 Mar 1 16:16 . -drwxr-xr-x. 4 root root 32 Mar 1 16:16 .. --rwx------. 1 root root 108 Jun 7 2022 BOOTX64.CSV --rwx------. 1 root root 2524792 Aug 25 2022 grubx64.efi --rwx------. 1 root root 856528 Jun 7 2022 mmx64.efi --rwx------. 1 root root 946736 Jun 7 2022 shim.efi --rwx------. 1 root root 946736 Jun 7 2022 shimx64.efi --rwx------. 1 root root 938808 Jun 7 2022 shimx64-redhat.efi -[root@ tmp]# -``` - - -## Process - -When a system PXE boots, the DHCP server will boot either pxelinux in legacy -mode or grub on UEFI. It is still possible to load ipxe from either of these. -With the right option, the boot process is pointed to ``sysdb.psi.ch`` and one -of the following boot images: - -- `ipxe.efi` for systems using UEFI -- `ipxe.lkrn` for all other systems - -The system downloads the image and executes it. - -The image contains a small iPXE script, which makes iPXE retrieve its actual -configuration from a web service running (usually) on `sysdb.psi.ch`. -Specifically, it queries the URL -`https://sysdb.psi.ch/ipxe/v1/config?mac=`, where `` is the MAC -address of the interface used by iPXE. - -The web service on ``sysdb.psi.ch`` will generate the iPXE configuration on the -fly, depending on whether the system is supposed to be reinstalled and if so, -which distribution it is supposed to use. The menu offers other options as well, -e.g. an interactive iPXE shell and a memory test. - - -## Sequence Diagram of the UEFI Boot Process -![UEFI boot process](_static/uefi_boot.png) - - -## Sequence Diagram of the BIOS (Legacy) Boot Process -![Legacy boot process](_static/legacy_boot.png) - - -## Building the iPXE boot image - -The steps for building an iPXE image are - -1. Clone `git@git.psi.ch:linux-infra/ipxe-build.git` -2. Change into the new directory -3. Run the `refresh-ipxe.sh` script. This will check out the iPXE source code - mirror from `git.psi.ch`. -4. Run the `build.sh` script. This will use the named configurations in the - `ipxe-build` repository to compile two iPXE images: `src/bin/ipxe.lkrn` - (legacy boot) and `src/bin-x86_64-efi/ipxe.efi` (UEFI). - - -As described above, we use an iPXE boot image with an embedded script looking -roughly like the following -``` -#!ipxe - -dhcp && goto dhcp_succeeded - -shell -#prompt for network info - -:dhcp_succeeded - -chain http://sysdb.psi.ch/ipxe/v1/config?mac=${netX/mac} -``` - - diff --git a/engineering-guide/login.md b/engineering-guide/login.md deleted file mode 100644 index a3af6ca4..00000000 --- a/engineering-guide/login.md +++ /dev/null @@ -1,3 +0,0 @@ -# Login Nodes - -This is a set of 3 machines which have the same DNS alias `login.psi.ch` (connection to a random machine) The machines are managed by Puppet: https://git.psi.ch/linux-infra/hiera/data-lx/blob/master/login.yaml. diff --git a/engineering-guide/lxsup.md b/engineering-guide/lxsup.md deleted file mode 100644 index 6b35cab8..00000000 --- a/engineering-guide/lxsup.md +++ /dev/null @@ -1,6 +0,0 @@ -# Login Node - Supporters - -lxsup.psi.ch is a utility machine for our supporters. It provides a readily installed and configured `bob` as well as `ansible` command to provision and modify systems. - -This is a RHEL8 machine and is fully Puppet managed: -https://git.psi.ch/linux-infra/hiera/data-lx/-/blob/master/default/lx-sup-01.psi.ch.yaml diff --git a/engineering-guide/lxweb00.md b/engineering-guide/lxweb00.md deleted file mode 100644 index c8c5dfd5..00000000 --- a/engineering-guide/lxweb00.md +++ /dev/null @@ -1,66 +0,0 @@ -# Repository Server - LEGACY - lxweb00 - -This is a RHEL7 machine and is puppet managed. The httpd configuration seem to be managed there as well: -https://git.psi.ch/linux-infra/hiera/data-lx/blob/master/default/lxweb00.psi.ch.yaml - -Exports various paths from AFS to http(s), see /etc/httpd/conf.d/ for details. -The AFS directories exported are: -``` - Alias /pxe "/afs/psi.ch/service/linux/tftpboot" - Alias /ext/cpt "/afs/psi.ch/project/cpt/repo/" - Alias /ext/gfa "/afs/psi.ch/project/gfa-controls-sw-repo" - Alias /ext/gpfs "/afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/GPFS" - Alias /ext/hpc-extra "/afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/hpc-extra" - Alias /ext/lmu "/afs/psi.ch/project/lmu/lmu_rpm/" - Alias /ext/ofed "/afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/OFED" - Alias /ext/slurm "/afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/slurm" - - Alias /dist/yfs "/afs/psi.ch/software/mirror/your-file-system.com/yfs" - Alias /dist/ks "/afs/psi.ch/software/mirror/ks" - Alias /dist/scientificlinux "/afs/psi.ch/software/mirror/scientificlinux" - Alias /dist/scientificlinux/epel "/afs/psi.ch/software/mirror/epel" - Alias /dist/scientificlinux/7x/x86_64/tier3 "/afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/tier3" -``` - - -The httpd config files are located here: -``` -[root@lxweb00 conf.d]# ls -la /etc/httpd/conf.d/25* --rw-r--r-- 1 root root 3294 Dec 3 07:55 /etc/httpd/conf.d/25-linux.web.psi.ch_non_ssl.conf --rw-r--r-- 1 root root 3559 Dec 3 07:55 /etc/httpd/conf.d/25-linux.web.psi.ch_ssl.conf -``` - -The content is served on port 80 and 443 -``` -[root@lxweb00 conf.d]# netstat -tulnp | grep http -tcp6 0 0 :::80 :::* LISTEN 19619/httpd -tcp6 0 0 :::443 :::* LISTEN 19619/httpd -``` - -The https certificate is located/installed in `/etc/pki/tls` - -# Questions -- who is taking care of this certificate, how is it installed? how is the expiration monitored? - - The owner/admin of this system must take care of the certificate. There is no monitoring or automation. The standard SWITCH procedure is to be used. -- Why is "/afs/psi.ch/service/linux/tftpboot" exported on this server as well? - - Don't know, could only guess. -- Who is responsible or the contact person for the different exported AFS directories? - - I don't know, it's not really formalized. I have some guesses for some parts: - -| AFS | Responsible / Contact Person | -| ------ | ------ | -| /afs/psi.ch/project/cpt/repo/ | Gilles Martin | -| /afs/psi.ch/project/gfa-controls-sw-repo | Rene Kapeller| -| /afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/GPFS | Leo's group | -| /afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/hpc-extra | Marc & Ivano | -| /afs/psi.ch/project/lmu/lmu_rpm/ | Andrea Raselli | -| /afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/OFED | Marc & Ivano | -| /afs/psi.ch/software/linux/dist/scientificlinux/7x/x86_64/slurm | Marc & Ivano | -| -- | -- | -| /dist/yfs | Achim | -| /dist/ks | Achim | -| /dist/scientificlinux | Achim | -| /dist/scientificlinux/epel | Achim | -| /dist/scientificlinux/7x/x86_64/tier3 | Derek | - -All repos in the /dist path are Scientific Linux 7 !!!! diff --git a/engineering-guide/metrics.md b/engineering-guide/metrics.md deleted file mode 100644 index 220bb88e..00000000 --- a/engineering-guide/metrics.md +++ /dev/null @@ -1,47 +0,0 @@ -# Metrics Server - Grafana - -The Grafana frontend can be accessed via - https://metrics.psi.ch - -This machine is puppet managed: -https://git.psi.ch/linux-infra/hiera/data-lx/blob/master/default/lx-metrics-01.psi.ch.yaml - -The rights for Grafana are managed with these two AD groups: -| Group | Notes | -| ---- | ---- | -| unx-lx_grafana_adm | Grafana Administrators | -| unx-lx_grafana_edi | Group with Grafana editor rights | - -## Administration - -New telegraf/hiera metric sources are automatically added by a systemd timer once a day (~ 01:08). - -To add a new metric source manually go about like this: -![](_static/add_new_metric_source.png) - - -## Configuration - -### Grafana Dashboard Management -Dashboards can be automatically imported into grafana via files on the filesytem: https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards - -**/etc/grafana/provisioning/dashboards/importer.yaml**: -```yaml -# # config file version -# https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards -apiVersion: 1 - -providers: - - name: 'default' - orgId: 1 - folder: '' - folderUid: '' - type: file - disableDeletion: false - updateIntervalSeconds: 10 - allowUiUpdates: false - options: - path: /var/lib/grafana/dashboards - foldersFromFilesStructure: true -``` - -The dashboard `.json` files need to be located then in `/var/lib/grafana/dashboards` \ No newline at end of file diff --git a/engineering-guide/new_sysdb_environment.md b/engineering-guide/new_sysdb_environment.md deleted file mode 100644 index 5e759e3c..00000000 --- a/engineering-guide/new_sysdb_environment.md +++ /dev/null @@ -1,130 +0,0 @@ -# New Sysdb Environment - -## Introduction - -Deploying a new environment requires the following: - 1. Configuring the environment in **bob** - 2. Configuring the environment in GIT (`https://git.psi.ch/linux-infra/hiera`) - - Environment format: `data-` - - And change permissions accordingly - - Configure the necessary webhooks for the Puppet and Sysdb server - 3. Configuring the environment in Puppet (e.g. `puppet01.psi.ch`) - -## Configuring the environment in sysdb - -Bob allows to create a new environment in `sysdb` by using the `bob env` option. -You must have permissions to do that. - - -You must belong to the `sysdb-admins` group that is actually -configured on the local `/etc/group` file. A migration to Active -Directory should be done for that group. - -To list current defined environments run - - bob env list - -To add a new environment, run - - bob env add "" - -In example, for the MeG cluster - - bob env add meg caubet_m unx-hpc_adm "MeG Cluster" - -### Test new environment in BOB - -In order to test that environment was successfully created - - bob env list | grep - -An example - - caubet_m@caubet-laptop:~/GIT/admin-guide/deployment$ bob env list | grep meg - meg caubet_m unx-hpc_adm MeG Cluster - - -## Configuring the environment in GIT - -You must belong to the `unx-puppet_adm` Active Directory group in order to be able to create new projects. - -In order to create a new environment in **GIT**, you should access and login in the following link: https://git.psi.ch/linux-infra/hiera/. -Here you can see the different environments. - -The steps to create and configure a new **GIT** project are: - -1. Create a new project (environment) in the `hiera` group. It can be done here: https://git.psi.ch/projects/new?namespace_id=1738 - - - Click `[Create blank project]` - - Define `[Project name]`, which *must* have the format `data-` where `` is the one defined in **Bob** - - Specify `[Visibility Level]`: Should be `Internal` or `Private` - - Remove the tick `[Initialize repository with a README]`. - -2. Configure project permissions as follows: - - - `[data-[Settings]->[Repository]`, or directly: https://git.psi.ch/linux-infra/hiera/data-(environment_name)/-/settings/repository - - Enable already registered deploy key: `[Deploy Keys]` -> `[Privately accessible deploy keys]` -> select `root@puppet01'` -> click on `'Enable'` - - `[data-[Manage]->[Members]`, or directly: https://git.psi.ch/linux-infra/hiera/data-(environment_name)/project_members - - Setup specific permissions for specific users or groups. In example: - - Set project `Maintainer`: - - `[Select members to invite]` (`caubet_m`) + `[Choose a role permission]` (`Maintainer`) + `[Add to project]` - - Set other roles: - - `[Select members to invite]` (`dorigo_a`) + `[Choose a role permission]` (`Developer`) + `[Add to project]` - - `[data-[Settings]->[Webhooks]`, or directly: https://git.psi.ch/linux-infra/hiera/data-(environment_name)/-/hooks - - Add WebHooks as follows: - - `[URL]`: http://puppet01.psi.ch/events/dataupdate - - `[URL]`: http://sysdb.psi.ch/events/dataupdate - - (Checked) `[Push events]`. Uncheck the rest. - - `[SSL verification]` -> (uncheck) `[Enable SSL verification]` - - Confirm information from above, and click on `[Add webhook]` to add the new WebHook. - -### Test new environment in GIT - -In order to test that environment was successfully created - - git clone git@git.psi.ch:linux-infra/hiera/data-.git - -An example - - caubet_m@caubet-laptop:~/GIT$ git clone git@git.psi.ch:linux-infra/hiera/data-meg.git - Cloning into 'data-meg'... - X11 forwarding request failed - warning: You appear to have cloned an empty repository. - -## Configuring the environment in Puppet server - -In [bootstrap](https://git.psi.ch/linux-infra/bootstrap) add the new repo to `instcode/puppet/puppet_server/manifests/data.pp` and run the bootstrap for the Puppet server. Note that before this can be rolled out `master` branch needs to exist on `git.psi.ch`. - -## Configuring the environment in Sysdb Server - -In [bootstrap](https://git.psi.ch/linux-infra/bootstrap) add the new repo to the suitable inventory file (eg. `ansible/inventory.yaml` for production) and run the playbook for the Sysdb server. Note that before this can be rolled out `master` branch needs to exist on `git.psi.ch`. - - -## Test new environment in Puppet - -In order to test that environment was successfully created - - git clone git@git.psi.ch:linux-infra/data-.git - -Add a new file .yaml in to the project: - - cd data- - touch .yaml - git add .yaml - git commit -a -m "Added first empty file" - git push - -After a few seconds (needs time to trigger the change), check in `puppet01.psi.ch:/srv/puppet/data/` that file was successfully triggered (copied) to the puppet server from **GIT** - - ssh root@puppet01.psi.ch ls /srv/puppet/data//.yaml - -Full real example: - - git clone git@git.psi.ch:linux-infra/data-meg.git - cd data-meg - touch meg.yaml - git add meg.yaml - git commit -a -m "Added first empty file" - git push - sleep 5 - ssh root@puppet01.psi.ch ls /srv/puppet/data/meg/meg.yaml diff --git a/engineering-guide/puppet.md b/engineering-guide/puppet.md deleted file mode 100644 index 14e000fe..00000000 --- a/engineering-guide/puppet.md +++ /dev/null @@ -1,4 +0,0 @@ -# Puppet - -```{tableofcontents} -``` \ No newline at end of file diff --git a/engineering-guide/puppet/_static/puppet_workflow.jpg b/engineering-guide/puppet/_static/puppet_workflow.jpg deleted file mode 100644 index b5c31a22..00000000 Binary files a/engineering-guide/puppet/_static/puppet_workflow.jpg and /dev/null differ diff --git a/engineering-guide/puppet/components/grub2.rst b/engineering-guide/puppet/components/grub2.rst deleted file mode 100644 index 6fc11ec9..00000000 --- a/engineering-guide/puppet/components/grub2.rst +++ /dev/null @@ -1,20 +0,0 @@ -``grub2`` -========= - -This module provides a defined type to configure kernel arguments in grub2. - - -Defined Types -------------- - - -``grub2::kernel_arg`` -~~~~~~~~~~~~~~~~~~~~~ - -Modify a kernel argument. - -Parameters: - -- ``action``: one of 'add' and 'remove' -- ``value``: specifies the value for arguments of the form ``arg=value``, e.g. - ``crashkernel=auto``. diff --git a/engineering-guide/puppet/components/logrotate.rst b/engineering-guide/puppet/components/logrotate.rst deleted file mode 100644 index 54af3a68..00000000 --- a/engineering-guide/puppet/components/logrotate.rst +++ /dev/null @@ -1,156 +0,0 @@ -``logrotate`` -============= - -This module configures ``logrotate``. Further information an examples can be -found in the following link: - -* https://git.psi.ch/linux-infra/voxpupuli-logrotate - -Main class ``logrotate`` can be called, but usually calling just a rule ``logrotate::rule`` -should be enough to automatically configure ``logrotate`` in the host. It will use the -default values for this class, which is placing all the default ``rules`` from the O.S. -to the ``/etc/logrotate.d`` directory. - -Parameters ----------- - -All available parameters are:: - - namevar - The String name of the rule. - path - The path String to the logfile(s) to be rotated. - ensure - The desired state of the logrotate rule as a String. Valid - values are 'absent' and 'present' (default: 'present'). - compress - A Boolean value specifying whether the rotated logs should - be compressed (optional). - compresscmd - The command String that should be executed to compress the - rotated logs (optional). - compressext - The extention String to be appended to the rotated log files - after they have been compressed (optional). - compressoptions - A String of command line options to be passed to the - compression program specified in `compresscmd` (optional). - copy - A Boolean specifying whether logrotate should just take a - copy of the log file and not touch the original (optional). - copytruncate - A Boolean specifying whether logrotate should truncate the - original log file after taking a copy (optional). - create - A Boolean specifying whether logrotate should create a new - log file immediately after rotation (optional). - create_mode - An octal mode String logrotate should apply to the newly - created log file if create => true (optional). - create_owner - A username String that logrotate should set the owner of the - newly created log file to if create => true (optional). - create_group - A String group name that logrotate should apply to the newly - created log file if create => true (optional). - dateext - A Boolean specifying whether rotated log files should be - archived by adding a date extension rather just a number - (optional). - dateformat - The format String to be used for `dateext` (optional). - Valid specifiers are '%Y', '%m', '%d' and '%s'. - dateyesterday - A Boolean specifying whether to use yesterday's date instead - of today's date to create the `dateext` extension (optional). - delaycompress - A Boolean specifying whether compression of the rotated - log file should be delayed until the next logrotate run - (optional). - extension - Log files with this extension String are allowed to keep it - after rotation (optional). - ifempty - A Boolean specifying whether the log file should be rotated - even if it is empty (optional). - mail - The email address String that logs that are about to be - rotated out of existence are emailed to (optional). - mailfirst - A Boolean that when used with `mail` has logrotate email the - just rotated file rather than the about to expire file - (optional). - maillast - A Boolean that when used with `mail` has logrotate email the - about to expire file rather than the just rotated file - (optional). - maxage - The Integer maximum number of days that a rotated log file - can stay on the system (optional). - minsize - The String minimum size a log file must be to be rotated, - but not before the scheduled rotation time (optional). - The default units are bytes, append k, M or G for kilobytes, - megabytes and gigabytes respectively. - maxsize - The String maximum size a log file may be to be rotated; - When maxsize is used, both the size and timestamp of a log - file are considered for rotation. - The default units are bytes, append k, M or G for kilobytes, - megabytes and gigabytes respectively. - missingok - A Boolean specifying whether logrotate should ignore missing - log files or issue an error (optional). - olddir - A String path to a directory that rotated logs should be - moved to (optional). - postrotate - A command String that should be executed by /bin/sh after - the log file is rotated (optional). - prerotate - A command String that should be executed by /bin/sh before - the log file is rotated and only if it will be rotated - (optional). - firstaction - A command String that should be executed by /bin/sh once - before all log files that match the wildcard pattern are - rotated (optional). - lastaction - A command String that should be execute by /bin/sh once - after all the log files that match the wildcard pattern are - rotated (optional). - rotate - The Integer number of rotated log files to keep on disk - (optional). - rotate_every - How often the log files should be rotated as a String. - Valid values are 'hour', 'day', 'week', 'month' and 'year' - (optional). Please note, older versions of logrotate do not - support yearly log rotation. - size - The String size a log file has to reach before it will be - rotated (optional). The default units are bytes, append k, - M or G for kilobytes, megabytes or gigabytes respectively. - sharedscripts - A Boolean specifying whether logrotate should run the - postrotate and prerotate scripts for each matching file or - just once (optional). - shred - A Boolean specifying whether logs should be deleted with - shred instead of unlink (optional). - shredcycles - The Integer number of times shred should overwrite log files - before unlinking them (optional). - start - The Integer number to be used as the base for the extensions - appended to the rotated log files (optional). - su_owner - A username String that logrotate should use to rotate a - log file set instead of using the default if - su => true (optional). - su_group - A String group name that logrotate should use to rotate a - log file set instead of using the default if - su => true (optional). - uncompresscmd - The String command to be used to uncompress log files - (optional). - -Examples --------- - -Configure ``logrotate.conf``:: - - logrotate::conf { '/etc/logrotate.conf': - rotate => 10, - rotate_every => 'week', - ifempty => true, - dateext => true, - } - - -Rule for rotating ``messages``:: - - logrotate::rule { 'messages': - path => '/var/log/messages', - rotate => 5, - rotate_every => 'week', - postrotate => '/usr/bin/killall -HUP syslogd', - } - - -Rule for rotating ``slurmd`` client:: - - logrotate::rule { 'slurmd': - path => '/var/log/slurm/slurmd.log', - rotate => $rotate, - rotate_every => $rotate_every, - compress => true, - create => true, - create_mode => '0600', - create_owner => 'slurm', - create_group => 'slurm', - missingok => true, - ifempty => false, - sharedscripts => true, - postrotate => '/bin/systemctl reload slurmd.service > /dev/null 2>/dev/null || true'; - } diff --git a/engineering-guide/puppet/components/selinux.rst b/engineering-guide/puppet/components/selinux.rst deleted file mode 100644 index 91478ca7..00000000 --- a/engineering-guide/puppet/components/selinux.rst +++ /dev/null @@ -1,43 +0,0 @@ -``selinux`` -=========== - -This module configures :doc:`selinux`. It allows configuring the SELinux mode -as well as setting SELinux booleans. - - -Parameters ----------- - -``selinux_mode`` -~~~~~~~~~~~~~~~~ - -Acceptable values are ``enforcing``, ``permissive``, and ``disabled``. The -module configures this mode for the next reboot. It also sets it right away -unless the mode to be configured is ``disabled`` or SELinux is currently -disabled. In the former case the current mode is set to ``permissive``. In the -latter case nothing is done before the next reboot. - - -Defined Types -------------- - -``set_sebool`` -~~~~~~~~~~~~~~ - -Sets the SELinux boolean specified as the resource title unless SELinux is -disabled, in which case it does nothing. - -Parameters: - -- ``enable`` - - If true, the boolean is set to ``on``. If false, the boolean is set to - ``off``. - - -Examples --------- - -Allow httpd to access user's home directories:: - - selinux::set_sebool {'httpd_enable_homedirs': enable => true } diff --git a/engineering-guide/puppet/components/sudo.rst b/engineering-guide/puppet/components/sudo.rst deleted file mode 100644 index f4bd0d38..00000000 --- a/engineering-guide/puppet/components/sudo.rst +++ /dev/null @@ -1,25 +0,0 @@ -``sudo`` -======== - -This module installs and configures ``sudo(8)``. -This is only internal documentation, Hiera configuration is done in the :doc:`aaa profile<../profiles/aaa>`. - -Parameters ----------- - - -``allow_sudoers_d`` -~~~~~~~~~~~~~~~~~~~ - -This boolean determines whether the files in ``/etc/sudoers.d/`` are included in -the sudo configuration. - - -Defined types -------------- - -``sudo::rules`` -~~~~~~~~~~~~~~~ - -This defined type accepts a parameter ``rules``, which is an array of strings to -be added to ``/etc/sudoers``. diff --git a/engineering-guide/puppet/components/updatedb.rst b/engineering-guide/puppet/components/updatedb.rst deleted file mode 100644 index a1182efc..00000000 --- a/engineering-guide/puppet/components/updatedb.rst +++ /dev/null @@ -1,24 +0,0 @@ -``updatedb`` -============ - -This module manages the configuration for ``mlocate`` aka ``updatedb(8)``. - - -Parameters ----------- - -``enable`` -~~~~~~~~~~ - -A boolean indicating whether ``mlocate`` - ie the ``updatedb(8)`` cron job - -should be enabled or not. - - -Defined Types -------------- - -``updatedb::exclude`` -~~~~~~~~~~~~~~~~~~~~~ - -Takes a list of directories and makes sure that ``updatedb(8)`` ignores them -when indexing. diff --git a/engineering-guide/puppet/components/utils.rst b/engineering-guide/puppet/components/utils.rst deleted file mode 100644 index eb2a6d28..00000000 --- a/engineering-guide/puppet/components/utils.rst +++ /dev/null @@ -1,32 +0,0 @@ -``utils`` -========= - -This module contains a number of utility functions used at PSI. It is the -PSI-specific analogue to Puppetlabs' ``stdlib``. - - -Functions ---------- - - -``check_os`` -~~~~~~~~~~~~ - -Accepts an arbitrary number of arguments, each of which is a string of the form -``$osfamily $majorversion`` as reported by ``facter(8)``. If the facts of the -client system **do not** match any of the arguments, the function aborts the -Puppet run. - - -``rand_time`` -~~~~~~~~~~~~~ - -This function takes a parameter specifying a time window and returns a specific -time within this window based on the MD5 on the hostname. This allows scheduling -cron jobs etc uniformly across a fleet of system within a given window, while -keeping the time on each system predictable. - -The format for the argument specifying the time window is ``HH:MM--HH:MM``. The -window must not include midnight. - -The format of the return value is ``HH:MM``. diff --git a/engineering-guide/puppet/modules.md b/engineering-guide/puppet/modules.md deleted file mode 100644 index 6cdfe055..00000000 --- a/engineering-guide/puppet/modules.md +++ /dev/null @@ -1,107 +0,0 @@ -# Modules - -The repository for the Puppet role/profile modules is . - - -So we have some roles that are generic PSI-wide (eg. `role::server`) while -some roles that are specific to some projects and have a dedicated namespace (e.g. `role::hpc::database`). - -For the profiles we have - - -- `profile::ssh_client` -- `profile::afs_client` -- `profile::log_client` -- `profile::mysql_server` -- ... - -For profiles maybe we will not need namespace areas dedicated to -specific projects, since profiles should be generic enough to be -reusable. - - -Components are gernerally useful Puppet modules and they reside in an own git repository and are handled like any other externally used module. - - -## Hiera queries - -Only profiles and roles query Hiera. Components should take all their inputs as -parameters or facts. - -In profiles, Hiera queries must generally be done as default arguments to -parameters, **not** inside the modules body - -``` -class profile::logging ( - $forward_to = lookup('...'), - $persistent_journal = lookup('...'), -) -{ -``` - -The reason is that this allows a role to enforce certain parameters and disable -the corresponding Hiera query. - - -## Layout - -Roles and profiles are usually implemented in a single file, e.g. -`code/profile/manifests/logging.pp`. Components on the other hand follow the -standard Puppet layout, i.e. -`auditd/manifests/{init,install,config,service}.pp`. - -## Files and templates - -Every file or template should be used by only one class and its path inside the -module should reflect this. Eg. if the template `sshd_config.erb` is used by -the `profile::ssh_server` module, it will be places inside the -`templates/profile/ssh_server` directory. - -Furthermore, on top of every file managed by puppet, a header like the -following should be present: - -``` -######################################################################## -# -# THIS FILE IS MANAGED BY PUPPET - DO NOT MODIFY! -# -# profile::ssh_server -# sshd_config.erb -# -######################################################################## -``` - -The last two lines should be: - - - the puppet class using the file; - - the name of the file/template. - -## Debugging templates - -You can use the `erb` tool to test the variable interpolation. One easy way is to prepare a file with the variable values and pipe it together with the template through erb. Define the variables in a file `test-vars.erb` like in this example - -``` -<% -@partitions = {'a' => 'aa', 'b' => 'bb', 'c' => 'cc'} -@group_whitelist = ['groupA', 'groupB'] -@port = 8000 -%> -``` - -and then use a commmand line like the following to pipe it through `erb` - -``` -erb <(cat /tmp/test-vars.erb /tmp/my-template.erb) -``` - -The output will contain the variable substituted template. If you want to check your -template for syntax errors, you can just use the following command - -``` -erb -P -x -T '-' jupyterhub_config.py.erb | ruby -c -``` - -## Contents - -```{tableofcontents} -``` diff --git a/engineering-guide/puppet/overview.md b/engineering-guide/puppet/overview.md deleted file mode 100644 index 46f489b8..00000000 --- a/engineering-guide/puppet/overview.md +++ /dev/null @@ -1,39 +0,0 @@ - -# Overview - -Puppet is used in master mode and the general idea is to make large use of indipendent and (relatively) small puppet modules and composing profiles and roles based on them to create classes that are assigned to the hosts. By independence of puppet modules we mean that each puppet module targets a single functionality (eg. `web server`, `afs client`) and this is choosen to keep the code of the single module smaller, more coherent and easier to debug. - -Furthermore the system makes use of some puppet modules from the [puppet forge](https://forge.puppet.com). These puppet modules are not accessed directly but through a PSI mirror. - -Code and data are kept separated, using puppet modules for code and hiera for data. Secure data are safely managed inside hiera using [hiera eyaml](https://github.com/TomPoulton/hiera-eyaml). - -For each host the following parameters will determine how it will be configured: - -- the puppet environment (that will determine the puppet role/profile code base) -- the sysdb data environment (that will determine the hiera code base) -- the puppet group (that will determine what files will be considered in the hiera code base) -- the role - -All these elements are configured inside sysdb as attributes and are accessed by the puppet master via the ENC. - -Here you can get a general overview: -![puppet workflow](_static/puppet_workflow.jpg) - - -## Puppet Environments - -We use Puppet environments for two purposes: -- roll out changes to a small subset of all systems first -- module development - - -The following environments exist: -- `prod` - The most stable, and most systems are attached to it. All changes to `prod` have to go through `preprod` first. - -- `preprod` - production test environment - -- Development environments. These are private to a single developer, - can have names matching the regex ``^[a-z]+[a-z,0-9,_]+$`` like ``ganglia_issue_21`` or - ``klog_client``, and are used for developing and testing - changes. Generally, only individual systems are attached to these - environments. diff --git a/engineering-guide/puppet/profiles/afs_client.rst b/engineering-guide/puppet/profiles/afs_client.rst deleted file mode 100644 index efbcd21a..00000000 --- a/engineering-guide/puppet/profiles/afs_client.rst +++ /dev/null @@ -1,51 +0,0 @@ -``profile::afs_client`` -============================ - -This module installs and configures the OpenAFS client. - -On systems using AFS it is necessary to have the AFS kernel module for the -running kernel installed. This module installs the AFS kernel module for -**every** installed kernel (usually up to 3). Therefore it is recommended to run -Puppet after (kernel) updates. - -Note: Simply including this profile is usually **not** enough to enable AFS on a -system. It is also necessary to enable AFS support when including -``profile::aaa``. The latter makes sure that AD is used for authentication and -configures PAM to automatically create and renew AFS tokens. - - -Parameters ----------- - -=============================== ======== ================================================ -**Name** **Type** **Default** -------------------------------- -------- ------------------------------------------------ -enable_dynroot bool hiera('afs_client::enable_dynroot') -min_cache_size int hiera('afs_client::min_cache_size') -mountpoint string hiera('afs_client::mountpoint') -root_volume string hiera('afs_client::root_volume') -=============================== ======== ================================================ - - -``enable_dynroot`` -~~~~~~~~~~~~~~~~~~ - - -``min_cache_size`` -~~~~~~~~~~~~~~~~~~ - -The minimum size for the local AFS cache. If the cache is smaller than this, -Puppet will try to resize the logical volume =lv_openafs=, otherwise Puppet will -leave it alone. - - -``mountpoint`` -~~~~~~~~~~~~~~ - -Defines the mountpoint for the AFS filesystem. - - -``root_volume`` -~~~~~~~~~~~~~~~ - -The name of the root volume to mount. diff --git a/engineering-guide/puppet/profiles/epics.rst b/engineering-guide/puppet/profiles/epics.rst deleted file mode 100644 index 0a2ff2d7..00000000 --- a/engineering-guide/puppet/profiles/epics.rst +++ /dev/null @@ -1,20 +0,0 @@ -``profile::epics`` -================== - -Install and configure Epics. - - -Parameters ----------- - -============ ======== =========== -**Name** **Type** **Default** ------------- -------- ----------- -epics_func string - -============ ======== =========== - - -``epics_func`` -~~~~~~~~~~~~~~ - -A command written to ``/etc/epics_func.conf``, followed by ``>/dev/null``. diff --git a/engineering-guide/puppet/profiles/filecopy.rst b/engineering-guide/puppet/profiles/filecopy.rst deleted file mode 100644 index 4c56c0ee..00000000 --- a/engineering-guide/puppet/profiles/filecopy.rst +++ /dev/null @@ -1,37 +0,0 @@ -``profile::filecopy`` -===================== - -This module allows to copy file on the host using a git repository as -the source. - -The purpose of this module is to distribute files that are not -created/configured with other modules, usually files very specific -eg. scripts for very specific environments. - -With this module is possible to specifiy only single files, so no -directory or recursion is possible. - -The source files are taken from the master branch of a git repo that -should be accessible without authentication. Or anyway accessible from -the host where the files have to be copied (eg. via a proper ssh key). - -A section like the following in hiera will copy on file ``/tmp/test1`` -the content of -``https://git.psi.ch/talamo_i/copy-file-test/raw/master/abc``:: - - filecopy::files: - '/tmp/test1': - repo: 'talamo_i/copy-file-test' - path: 'abc' - mode: '0600' - owner: 'talamo_i' - -You can additionally specify the group owner of the file: - group: 'apache' - - -This module is included by default and ``filecopy::files`` is empty by -default. - -To copy files just define properly the ``filecopy::files`` variable. - diff --git a/engineering-guide/puppet/profiles/files.rst b/engineering-guide/puppet/profiles/files.rst deleted file mode 100644 index 87759db0..00000000 --- a/engineering-guide/puppet/profiles/files.rst +++ /dev/null @@ -1,45 +0,0 @@ -``profile::files`` -================== - -This profile creates symlinks. - - -Parameters ----------- - -=============================== ======== ================================================ -**Name** **Type** **Default** -------------------------------- -------- ------------------------------------------------ -symlinks hash hiera('files::symlinks') -directories hash hiera_hash('files::directories') -=============================== ======== ================================================ - - -``symlinks`` -~~~~~~~~~~~~ - -A hash specifying symlinks to be created. The keys of the hash are the absolute -pathnames of the symlinks, the values of the hash are the corresponding symlink -targets. - -Example:: - - files::symlinks: - '/opt/foo': '/var/lib/foo' - - - -``directories`` -~~~~~~~~~~~~~~~ - -A hash specifying directories to be created. The keys of the hash are the absolute -pathnames of the directory, the optional values can be ``owner``, ``group`` (default is ``root`` for both) and the ``mode`` (default ``755``). Parent directories are automatically created with default settings. If that is not desired, do a custom definition for each parent directory too. - -Example:: - - files::directories: - /etc/test1: - /etc/test2/foo/bar: - owner: 'buchel_k' - group: 'unx-nogroup' - mode: '775' diff --git a/engineering-guide/puppet/profiles/ganglia_client.rst b/engineering-guide/puppet/profiles/ganglia_client.rst deleted file mode 100644 index 607e8370..00000000 --- a/engineering-guide/puppet/profiles/ganglia_client.rst +++ /dev/null @@ -1,36 +0,0 @@ -``profile::ganglia_client`` -============================ - -This module installs and configures Ganglia's gmond. - - -Parameters ----------- - -=============================== ======== ================================================ -**Name** **Type** **Default** -------------------------------- -------- ------------------------------------------------ -grid string hiera('ganglia::grid') -cluster string hiera('ganglia_client::cluster') -n/a hash hiera('ganglia::grid_${GRID}') -=============================== ======== ================================================ - - -``grid`` -~~~~~~~~ - -The name of the Ganglia grid the client is a part of. - - -``cluster`` -~~~~~~~~~~~ - -The name of the Ganglia cluster within the grid the client is a part of. - - -``grid_${GRID}`` -~~~~~~~~~~~~~~~~ - -The definition of the grid. See the :doc:`ganglia_server documentation -<../profiles/ganglia_server>` for details. - diff --git a/engineering-guide/puppet/profiles/ganglia_server.rst b/engineering-guide/puppet/profiles/ganglia_server.rst deleted file mode 100644 index 62a525fd..00000000 --- a/engineering-guide/puppet/profiles/ganglia_server.rst +++ /dev/null @@ -1,104 +0,0 @@ -``profile::ganglia_server`` -=========================== - -This module configures the following Ganglia server components: - -- the web interface (using Apache) -- one gmond for each cluster to be monitored by this server - -The latter is a little unusual. Normally, the gmonds collecting the data for -each cluster, which are then queried by gmetad, are part of the cluster. The -implementation chosen by this module makes it easier to deal with firewalls. - - -Parameters ----------- - -=============================== ======== ================================================ -**Name** **Type** **Default** -------------------------------- -------- ------------------------------------------------ -grid string hiera('ganglia::grid') -grid_${GRID} hash hiera('ganglia::grid_${GRID}') -=============================== ======== ================================================ - - -``grid`` -~~~~~~~~ - -This string identifies the grid (ie the collection of clusters) this server -monitors. The definition of the grid is taken from the Hiera value -``grid_${GRID}``. - - -``grid_${GRID}`` -~~~~~~~~~~~~~~~~ - -The definition of the Ganglia grid this server is responsible for. It is a hash -containing the following keys: - - -``name`` -,,,,,,,, - -The name of the grid as used in the web interface. - - -``ui`` -,,,,,, - -The FQDN of the server hosting the web UI and collecting the data for the grid. -A system with role ``ganglia_server`` will compare its own FQDN to this value -and fail if they are not equal. Clients will need this value to know where they -they should send their metrics. - - -``clusters`` -,,,,,,,,,,,, - -A hash of cluster definitions. The keys are the IDs of the clusters, ie. what a -client expects to find in ``ganglia::cluster``. The values are hashes containing -the following attributes: - -``name`` -........ - -The user-friendly name of the cluster to be used in the web UI. - -``port`` -........ - -The port used within the cluster. The first cluster should use 8649 (the Ganglia -standard port), the next cluster should use 8650, and so on. - - -Examples --------- - -Suppose we have a Ganglia grid for Swissfel (sysdb_env == swissfel). -The we could put the following in Hiera. - -In ``swissfel.yaml`` we would define grid, say ``sfel``, and set the grid for -all systems in the ``swissfel`` environment to ``sfel``:: - - - ganglia::grid: 'sfel' - - ganglia::grid_sfel: - name: 'SwissFEL' - ui: 'gmeta00.psi.ch' - clusters: - 'sf-daqbuf': - name: 'DAQ Buffers' - port: 8649 - 'sf-athos' - name: 'Athos Beamline Systems' - port: 8650 - -In the ``swissfel/daqbuf.yaml`` we would then set the cluster to ``sf-daqbuf``:: - - ganglia::cluster: 'sf-daqbuf' - -In ``swissfel/athos.yaml`` on the other hand, we would set the cluster to -``sf-athos``:: - - ganglia::cluster: 'sf-athos' diff --git a/engineering-guide/puppet/profiles/gpfs.rst b/engineering-guide/puppet/profiles/gpfs.rst deleted file mode 100644 index aff0ed67..00000000 --- a/engineering-guide/puppet/profiles/gpfs.rst +++ /dev/null @@ -1,91 +0,0 @@ -``profile::gpfs`` -================= - -Install and configure the `GPFS parallel file system -`_. - -The installation also includes the configuration of the rpm repositories. - -Parameters ----------- - -================= ========== =========== -**Name** **Type** **Default** ------------------ ---------- ----------- -version string -repo_base_url string -setup_repos bool true -setup_pmsensors bool true -setup_pmcollector bool false -setup_ces bool false -setup_gui bool false -fs_opts hash empty hash -================= ========== =========== - - -``version`` -~~~~~~~~~~~ - -The version of GPFS to install. - - -``repo_base_url`` -~~~~~~~~~~~~~~~~~ - -The base URL of the GPFS repositories. Each version of GPFS comes in its own -repositories, which are assumed to be located under -``${repo_base_url}/${version}/``. - -Repository configuration is subject to `setup_repos`_. - - -``setup_repos`` -~~~~~~~~~~~~~~~ - -Whether or not to configure the GPFS repositories. - - -``setup_pmsensors`` -~~~~~~~~~~~~~~~~~~~ - -Install packages needed to run the pmsensors service. - -``setup_pmcollector`` -~~~~~~~~~~~~~~~~~~~~~ - -Install packages needed to run the pmcollector service. - -``setup_ces`` -~~~~~~~~~~~~~ - - -``setup_gui`` -~~~~~~~~~~~~~ - -Install packages needed to run the gpfsgui service. - -``fs_opts`` -~~~~~~~~~~~ - -By default a GPFS filesystem will be mounted on all nodes of -the cluster with the same option, eg. it will be read-write if -the filesystem as been defined with read-write access (see ``mmfs`` -for the mount options). - -It is possible to override these option on a host specific base -configuring a file named ``/var/mmfs/etc/localMountOptions.`` -with one option per line. - -Please note that even if the parameter is ``fs_opts`` in the code, -the hiera variable is called ``fs_mount_opts``. - -The following hiera code can be used to make the ``beamline`` filesystem -mounted in read-only mode:: - - gpfs::fs_mount_opts: - 'beamline': ['ro'] - - - - - diff --git a/engineering-guide/puppet/profiles/grafana.rst b/engineering-guide/puppet/profiles/grafana.rst deleted file mode 100644 index 66427986..00000000 --- a/engineering-guide/puppet/profiles/grafana.rst +++ /dev/null @@ -1,65 +0,0 @@ -``profile::grafana`` -==================== - -This module installs and configures Grafana server. -It requires a SSL cert/key since the server will be provided over HTTPS. - -The system uses AD authentication for users and allows anonymous user -with view-only capabilities. - - -Parameters ----------- - -=============================== ======== ================================================ -**Name** **Type** **Default** -------------------------------- -------- ------------------------------------------------ -vhost string hiera('grafana::vhost', FQDN) -servers array hiera('grafana::influxdb_servers') -admin_groups array hiera('grafana::admin_groups') -editor_groups array hiera('grafana::editor_groups') -admin_pw string hiera('grafana::admin_pw') -cert string hiera('grafana::tls_cert') -key string hiera('grafana::tls_key') -=============================== ======== ================================================ - - -``vhost`` -~~~~~~~~~ - -The hostname through which the server will provide http/https service. -By default it corresponds to the FQDN, but in case of aliases or Round-Robin DNS it can be different. - -``servers`` -~~~~~~~~~~~ - -A list of influx db servers url to query for data. -Each server should be specified with a URL like ``http://hostname:8086``. - -The list of services will be queried to get the list of available databases and -the corresponding data sources will be automatically created. -The generation of the data sources happens when the list of server files or automatically every day. - -``admin_groups`` -~~~~~~~~~~~~~~~~ - -The list of unix groups that will have full (admin) rights when logging into the server. -See `this `_ for further details.ls. - -``editor_groups`` -~~~~~~~~~~~~~~~~~ - -The list of unix groups that will have editor rights when logging into the server. -See `this `_ for further details. - -``admin_pw`` - -Password of the ``admin`` user. - -``cert`` - -SSL public certificate of the HTTPS server. - -``key`` - -Private key matching with the SSL certificate. diff --git a/engineering-guide/puppet/profiles/icinga/checks/gpfs.rst b/engineering-guide/puppet/profiles/icinga/checks/gpfs.rst deleted file mode 100644 index 56ba649d..00000000 --- a/engineering-guide/puppet/profiles/icinga/checks/gpfs.rst +++ /dev/null @@ -1,41 +0,0 @@ -``profile::icinga::checks::gpfs`` -================================= - -This profile is called when ``gpfs`` is being configured. - -Setup specific checks for GPFS: - * It will check that **GPFS** service is running correctly. - * Also checks node status with ``mmhealth``. - -Parameters ----------- - -=================== ========== ============================================================= -**Name** **Type** **Default** -------------------- ---------- ------------------------------------------------------------- -check_unhealth_only Boolean ``icinga::checks::options::gpfs::ignoretips:`` **``true``** -check_ignore_tips Boolean ``icinga::checks::options::gpfs::unhealth:`` **``false``** -=================== ========== ============================================================= - -``check_unhealth_only`` -~~~~~~~~~~~~~~~~~~~~~~~ - -By default ``mmhealth`` is called with the option ``--unhealth``. This shows only **unhealthy** problems. This can be disabled -by setting ``icinga::checks::options::gpfs::unhealth: false``, in this case ``mmhealth`` will also report about **healthy** checks. - - -``check_ignore_tips`` -~~~~~~~~~~~~~~~~~~~~~ - -**TIPS** errors are considered ``[WARNING]`` by default. As these are configuration tips, some admins can consider that tips are ``[OK]`` -in their clusters. This behaviour can be changed by setting ``icinga::checks::options::gpfs::ignoretips: true``, which will consider **TIPS** as ``[OK]``. - -Facts ------ - -When some specific facts are detected, it will trigger some actions. - -===================================== =============== ============================================== -**Fact** **Value(s)** **Action description** -------------------------------------- --------------- ---------------------------------------------- -===================================== =============== ============================================== diff --git a/engineering-guide/puppet/profiles/icinga/checks/hp/smart_array.rst b/engineering-guide/puppet/profiles/icinga/checks/hp/smart_array.rst deleted file mode 100644 index 18c58a2a..00000000 --- a/engineering-guide/puppet/profiles/icinga/checks/hp/smart_array.rst +++ /dev/null @@ -1,29 +0,0 @@ -``profile::icinga::checks::hp::smart_array`` -============================================ - -This profile is automatically called when a HP Smart Array is detected through facter from the -``profile::platform::hewlett_packard`` class. - -Setup checks for HP Smart Arrray. - * Will setup a check executing ``ssacli`` in order to check the following components: - * **Controller(s)** status, **Cache** status (when configured) & **Battery** status (when present) - * **Logical Drive(s)** status - * **Physical Drive(s)** status - -Parameters ----------- - -================= ========== ========================================================= -**Name** **Type** **Default** ------------------ ---------- --------------------------------------------------------- -================= ========== ========================================================= - -Facts ------ - -When some specific facts are detected, it will trigger some actions. - -===================================== =============== ============================================== -**Fact** **Value(s)** **Action description** -------------------------------------- --------------- ---------------------------------------------- -===================================== =============== ============================================== diff --git a/engineering-guide/puppet/profiles/icinga/checks/nvidia.rst b/engineering-guide/puppet/profiles/icinga/checks/nvidia.rst deleted file mode 100644 index 3d73b72f..00000000 --- a/engineering-guide/puppet/profiles/icinga/checks/nvidia.rst +++ /dev/null @@ -1,31 +0,0 @@ -``profile::icinga::checks::nvidia`` -======================================== - -This profile is called when ``nvidia`` is being configured through ``cuda`` - -Setup specific checks for the Puppet Client: - * It will check that ``nvidia-smi`` correctly responds with the NVIDIA GPU cards. - When kernel is updated, it may cause to boot up with the NVIDIA drivers. - -It will return OK and the list of GPUS when ``nvidia-smi`` correctly answers. -It will return CRITICAL and the error message when ``nvidia-smi`` is unable to detect GPU cards. - -Most probably in the future drivers will be directly checked. - -Parameters ----------- - -================== ========== ============================================================= -**Name** **Type** **Default** ------------------- ---------- ------------------------------------------------------------- -================== ========== ============================================================= - -Facts ------ - -When some specific facts are detected, it will trigger some actions. - -===================================== =============== ============================================== -**Fact** **Value(s)** **Action description** -------------------------------------- --------------- ---------------------------------------------- -===================================== =============== ============================================== diff --git a/engineering-guide/puppet/profiles/icinga/checks/puppet_client.rst b/engineering-guide/puppet/profiles/icinga/checks/puppet_client.rst deleted file mode 100644 index 750aab42..00000000 --- a/engineering-guide/puppet/profiles/icinga/checks/puppet_client.rst +++ /dev/null @@ -1,33 +0,0 @@ -``profile::icinga::checks::puppet_client`` -========================================== - -This profile is called when ``puppet`` client is being configured. - -Setup specific checks for the Puppet Client: - * It will check that the current running environment is ``puppet_environment``. - Otherwise it will return a **nagios** ``WARNING`` message and error. - -Parameters ----------- - -================== ========== ============================================================= -**Name** **Type** **Default** ------------------- ---------- ------------------------------------------------------------- -puppet_environment String hiera('icinga::checks::options::puppet_environment',**prod**) -================== ========== ============================================================= - -``puppet_environment`` -~~~~~~~~~~~~~~~~~~~~~~ - -This setting defaults to the puppet environment ``prod``. Can be changed from YAML by setting -``icinga::checks::options::puppet_environment`` to a different value. - -Facts ------ - -When some specific facts are detected, it will trigger some actions. - -===================================== =============== ============================================== -**Fact** **Value(s)** **Action description** -------------------------------------- --------------- ---------------------------------------------- -===================================== =============== ============================================== diff --git a/engineering-guide/puppet/profiles/icinga/checks/service.rst b/engineering-guide/puppet/profiles/icinga/checks/service.rst deleted file mode 100644 index a99ab78d..00000000 --- a/engineering-guide/puppet/profiles/icinga/checks/service.rst +++ /dev/null @@ -1,36 +0,0 @@ -``profile::icinga::checks::service`` -==================================== - -This class will configure Nagios checks for one or more ``systemctl`` services. This can be done by setting -a list of services with the ``icinga::checks::service::list`` *hiera* setting. ``check_service`` is the -script that will be in charge for that, which is also used by other Nagios scripts (i.e. ``check_slurm`` & -``check_gpfs``) to check specific services for these alarms. - -Parameters ----------- - -===================== ========== ========================================================================= -**Name** **Type** **Default** ---------------------- ---------- ------------------------------------------------------------------------- -service_list Array ``'icinga::checks::service::list'``, defaults to ``'[]'`` -===================== ========== ========================================================================= - -``service_list`` -~~~~~~~~~~~~~~~~ - -The default value is an empty ``Array`` (``'[]'``). Hence, no ``systemctl`` services are checked. -This value can be overwritten with a list of services. In example:: - - icinga::checks::service::list: - - ntpd - - postfix - -Facts ------ - -When some specific facts are detected, it will trigger some actions. - -===================================== =============== ============================================== -**Fact** **Value(s)** **Action description** -------------------------------------- --------------- ---------------------------------------------- -===================================== =============== ============================================== diff --git a/engineering-guide/puppet/profiles/icinga/checks/slurm.rst b/engineering-guide/puppet/profiles/icinga/checks/slurm.rst deleted file mode 100644 index b2614129..00000000 --- a/engineering-guide/puppet/profiles/icinga/checks/slurm.rst +++ /dev/null @@ -1,87 +0,0 @@ -``profile::icinga::checks::slurm`` -========================================== - -This profile should be called when **Slurm** (server, cn, ui) is being configured. - -Setup specific checks for Slurm nodes: - * It can check ``slurmd`` service. This check makes sense on computing nodes running ``slurmd``. - * It can check ``munge`` service. This check makes sense on any node with a configured **Slurm** client/server. - * It can check ``slurmctld`` service. This check makes sense on server nodes, will disable ``slurmd`` check. - * It can check ``slurmdbd`` service. This check makes sense on server nodes. - * It can check ``sinfo`` status, detecting miss-behaving nodes. - -By default, since the most common node in a **Slurm** cluster is a computing node, this check will report about -``slurmd`` and ``munge`` status. - -Parameters ----------- - -===================== ========== ========================================================================= -**Name** **Type** **Default** ---------------------- ---------- ------------------------------------------------------------------------- -skip_munge Boolean ``icinga::checks::options::slurm::skip_munge`` **``false``** -skip_slurmd Boolean ``icinga::checks::options::slurm::skip_slurmd``: **``false``** -check_slurmdbd Boolean ``icinga::checks::options::slurm::check_slurmdbd`` **``false``** -check_slurmctld Boolean ``icinga::checks::options::slurm::check_slurmctld`` **``false``** -ignore_draining Boolean ``icinga::checks::options::slurm::ignore_draining`` **``false``** -ignore_drained Boolean ``icinga::checks::options::slurm::ignore_drained`` **``false``** -check_nodes Boolean ``icinga::checks::options::slurm::check_nodes`` **``false``** -no_reason Boolean ``icinga::checks::options::slurm::no_reason`` **``true``** -no_timestamp Boolean ``icinga::checks::options::slurm::no_timestamp`` **``false``** -===================== ========== ========================================================================= - -``skip_munge`` -~~~~~~~~~~~~~~~~~~~~~~ - -By default ``munge`` service is checked. Can be disabled by setting ``icinga::checks::options::slurm::skip_munge: false``. - -``skip_slurmd`` -~~~~~~~~~~~~~~~~~~~~~ - -By default ``slurmd`` service is checked. Can be disabled by setting ``icinga::checks::options::slurm::skip_slurmd: false``. - - -``check_slurmdbd`` -~~~~~~~~~~~~~~~~~~~~~~~ - -By default ``slurmdbd`` service is disabled. Can be enabled by setting ``icinga::checks::options::slurm::check_slurmdbd: true``. - -``check_slurmctld`` -~~~~~~~~~~~~~~~~~~~~~~~~ - -By default ``slurmctld`` service is disabled. Can be enabled by setting ``icinga::checks::options::slurm::check_slurmctld: true``, in this case ``icinga::checks::options::slurm::skip_slurmd`` -should be also set to ``true``. - -`ignore_draining`` -~~~~~~~~~~~~~~~~~~~~~~~~~ - -By default nodes in ``draining`` state are checked and will be reported as ``[WARNING]``. This can be disabled by setting ``icinga::checks::options::slurm::ignore_draining: true``. -When set to ``true``, ``draining`` nodes will be reported anyway but will be considered as ``[OK]`` - -``ignore_drained`` -~~~~~~~~~~~~~~~~~~~~~~~~ - -By default nodes in ``drained`` state are checked and will be reported as ``[WARNING]``. This can be disabled by setting ``icinga::checks::options::slurm::ignore_drained: true``. -When set to ``true``, ``drained`` nodes will be reported anyway but will be considered as ``[OK]`` - -``no_reason`` -~~~~~~~~~~~~~~~~~~~~~ - -By default **no** ``Reason`` is reported. This is because it will add extra text to the alarm output when nodes are ``drained``/``draining``/``down``/``failed``. -Printing ``Reason`` can be turned on by setting ``icinga::checks::options::slurm::no_reason: false``. - -``no_timestamp`` -~~~~~~~~~~~~~~~~~~~~~ - -By default ``Timestamp`` is being reported. Timestamp shows the date and time when a node was set ``drained``/``draining``/``down``/``failed``. -As this setting adds extra text in the alarm, it can be disabled by setting ``icinga::checks::options::slurm::no_reason: true``. - -Facts ------ - -When some specific facts are detected, it will trigger some actions. - -===================================== =============== ============================================== -**Fact** **Value(s)** **Action description** -------------------------------------- --------------- ---------------------------------------------- -===================================== =============== ============================================== diff --git a/engineering-guide/puppet/profiles/icinga/client.rst b/engineering-guide/puppet/profiles/icinga/client.rst deleted file mode 100644 index 075355e6..00000000 --- a/engineering-guide/puppet/profiles/icinga/client.rst +++ /dev/null @@ -1,50 +0,0 @@ -``profile::icinga::client`` -=========================== - -This profile installs and configured the ``nrpe`` service: - * Installs ``mod_gearman-static``, ``nrpe-selinux``, ``nrpe`` - * Instals Nagios plugins: ``nagios-plugins-disk``, ``nagios-plugins-load`` - * Manages the NRPE service and ensures that is ``running`` and ``enabled`` - * Allows to configure the ``nrpe.cfg`` file with the ``icinga::client::servers`` setting which defaults to ``[ 'emonma00.psi.ch','wmonag00.psi.ch','emonag00.psi.ch' ]`` (default value on fresh *nrpe* installations) - * SELinux policy setup to allow ``nagios_run_sudo``. - - -Parameters ----------- - -================= ========== ========================================================= -**Name** **Type** **Default** ------------------ ---------- --------------------------------------------------------- -servers Array hiera('icinga::client::servers') -blame Array hiera('icinga::client::dont_blame_nrpe', 0) -================= ========== ========================================================= - -``servers`` -~~~~~~~~~~~ - -The local parameter for ``icinga::client::servers`` is ``servers``. Defaults to ``[ 'emonma00.psi.ch','wmonag00.psi.ch','emonag00.psi.ch' ]`` -which is the default value in the ``nrpe.cfg`` file on fresh ``nrpe`` installations. Somebody can -overwrite this value with a new ``Array`` of Icinga servers. This ``Array`` will be converted to ``String`` -afterwards:: - - ... - Array $servers = hiera('icinga::client::servers'), - ... - $icinga_servers = join($servers,",") - ... - -``blame`` -~~~~~~~~~ - -With this option, the NRPE will allow clients to specify arguments in the commands. By default this is ``disabled``: arguments must be -specified in the NRPE daemon side and not from the client side. This option modifies the setting ``dont_blame_nrpe`` in the ``nrpe.cfg`` file. - -Facts ------ - -When some specific facts are detected, it will trigger some actions. - -===================================== =============== ============================================== -**Fact** **Value(s)** **Action description** -------------------------------------- --------------- ---------------------------------------------- -===================================== =============== ============================================== diff --git a/engineering-guide/puppet/profiles/icinga/nrpe.rst b/engineering-guide/puppet/profiles/icinga/nrpe.rst deleted file mode 100644 index bb526f75..00000000 --- a/engineering-guide/puppet/profiles/icinga/nrpe.rst +++ /dev/null @@ -1,55 +0,0 @@ -``profile::icinga::nrpe`` -========================= - -This profile is a function that configures ``nrpe`` and ``sudoers`` (whenever needed) for a specific command: - * Will create a ``/etc/nrpe.d/.cfg`` file for ``nrpe`` - * Will create a ``/etc/sudoers.d/`` file for ``sudoers`` (if ``sudo`` is required) - -Parameters ----------- - -====================== ========== ========================================================= -**Name** **Type** **Default** ----------------------- ---------- --------------------------------------------------------- -command String -sudo Boolean ``false`` -notifications_enabled Boolean ``true`` -====================== ========== ========================================================= - -``command`` -~~~~~~~~~~~ - -Full path for the command to be configured in the ``nrpe.d`` file. This will be translated -in the ``nrpe.d`` as:: - - # sudo = true - command[${title}]=/usr/bin/sudo ${command} - - # sudo = false - command[${title}]=${command} - -``sudo`` -~~~~~~~~ - -Whether ``sudo`` is required or not for that command. By default is ``false``. -When set to ``true``, ``/usr/bin/sudo`` will be added to the ``nrpe`` command, and proper -``sudoers`` file will be configured. Example:: - - Defaults:nrpe !requiretty - nrpe ALL=(root) NOPASSWD: ${command} - -``notifications_enables`` -~~~~~~~~~~~~~~~~~~~~~~~~~ - -Currently this settings has no effect. Will be used when exporting Nagios resources to the PuppetDB. -Please ignore it in the meantime. - -Facts ------ - -When some specific facts are detected, it will trigger some actions. - -===================================== =============== ============================================== -**Fact** **Value(s)** **Action description** -------------------------------------- --------------- ---------------------------------------------- -===================================== =============== ============================================== diff --git a/engineering-guide/puppet/profiles/infiniband.rst b/engineering-guide/puppet/profiles/infiniband.rst deleted file mode 100644 index 3e3683c8..00000000 --- a/engineering-guide/puppet/profiles/infiniband.rst +++ /dev/null @@ -1,53 +0,0 @@ -``profile::infiniband`` -======================= - -Installs and configures the Infiniband software stack. - - * New service ``ib-online`` is being installed, which will wait until IB gets online. The script ``/opt/pli/libexec/ib-check-active-ports`` is used for that. - * Setup of the ``/etc/sysconfig/network-scripts/ifcfg-${ib_ifname}`` files. - * Installation of ``/usr/local/bin/mlxup`` which is useful for checking firmware version and upgrade Mellanox IB cards directly from Mellanox. - * OFED repository + installation of the following packages: ``ibutils``, ``infiniband-diags``, ``mlnx-ofed-basic``, ``librdmacm-devel``, ``perftest``, ``infinipath-psm`` - -Parameters ----------- - -========== ========= ========================== -**Name** **Type** **Default** ----------- --------- -------------------------- -ib_ifname string *undef* -ib_ip string *undef* -ib_subnet string *undef* -repo_tag String *yum_client::repo_tag* -ofed_vers String *infiniband::ofed_version* -========== ========= ========================== - - -``ib_ifname`` -~~~~~~~~~~~~~ - -The name of the Infiniband interface. - - -``ib_ip`` -~~~~~~~~~ - -The IP to be configured on the Infiniband interface. - - -``ib_subnet`` -~~~~~~~~~~~~~ - -The subnet to be used on the Infiniband interface in CIDR notation. - - -``repo_tag`` -~~~~~~~~~~~~ - -Which ``yum`` ``repo_tag`` should be used. In example, ``latest`` can be used. - - -``ofed_vers`` -~~~~~~~~~~~~~ - -OFED version to be installed and configured. Format: ``X.Y-A.B.C.D``, where X.Y is the major OFED version and -A.B.C.D is the subversion. diff --git a/engineering-guide/puppet/profiles/jupyterhub.rst b/engineering-guide/puppet/profiles/jupyterhub.rst deleted file mode 100644 index 6f0af201..00000000 --- a/engineering-guide/puppet/profiles/jupyterhub.rst +++ /dev/null @@ -1,138 +0,0 @@ -``profile::jupyterhub`` -======================= - -This module configures the node for running a jupyterhub service -able to spawn singleuser servers on cluster nodes via SLURM - -The jupyterhub software itself will not be installed by this -module. It is expected to be found in an existing environment -usually installed separately by ``conda`` and centrally served on a -distributed file system (There is a reference installation in the -environment module ``anaconda/2019.03`` within the -``jupyterhub_dev_py36`` conda environment) - -Supported jupyterhub versions: jupyterhub-0.96 or the current -(as of 2019-05) development version 1.0.0b1. The development version is preferred -due to recent fixes that enable a clean shutdown on a batch cluster. - -Optional customization of User selectable options -------------------------------------------------- - -This installation uses the `optionsSpawner `_ plugin to offer user selectable -customizations on the spawning web page. By default, a simple dialog -with selectable partitions and runtime is offered. If a more extended -customization page is required, the administrator can create the file -``/etc/jupyterhub/optionsspawner_config.py`` and put additional options inside. -The jupyterhub main configuration file ``/etc/jupyterhub/jupyterhub_config.py`` -will check whether the file exists and load it. In this way we can -keep the puppet module more generic. - -Some adaptions may require deeper changes to the configuration file -and adaption of the puppet code - -Parameters ----------- - -=============================== ======== ================================================ -**Name** **Type** **Default** -------------------------------- -------- ------------------------------------------------ -admin_users Array hiera('jupyterhub\:\:admin_users') -api_port Integer hiera('jupyterhub\:\:api_port', 8080) -env_setup String hiera('jupyterhub\:\:env_setup') -group_whitelist Array hiera('jupyterhub\:\:group_whitelist') -hub_port Integer hiera('jupyterhub\:\:hub_port', 8000) -hub_version String hiera('jupyterhub\:\:hub_version') -partitions Hash hiera('jupyterhub\:\:partitions') -tls_cert String hiera('jupyterhub\:\:tls_cert') -tls_key String hiera('jupyterhub\:\:tls_key') -=============================== ======== ================================================ - - - -``admin_users`` -~~~~~~~~~~~~~~~ - -A list of user names. These users will get access to the jupyterhub administration -web pages. - -Example: - -:: - - jupyterhub::admin_users: - - 'feichtinger' - - 'caubet_m' - - 'bliven_s' - - 'loktionova_n' - -``api_port`` -~~~~~~~~~~~~ - -Port number of the port on which the jupyterhub API will be listening (internally -used by jupyterhub for control communications) - -``env_setup`` -~~~~~~~~~~~~~ - -Lines to be inserted into the bash scripts for defining the -jupyterhub environment for both the server and the spawned client -sessions (it is important that the server and the singleserver -client host both run the same jupyterhub and spawner codes) - -Example: - -.. code:: bash - - export PMODULES_VERSION=1.0.0rc4 - source /opt/psi/config/profile.bash - module use unstable &> /dev/null - module load anaconda/2019.03 &> /dev/null - conda activate jupyterhub_dev - -``group_whitelist`` -~~~~~~~~~~~~~~~~~~~ - -A list of unix groups that will be granted access to this jupyterhub. - -Example: - -:: - - jupyterhub::group_whitelist: - - 'svc-cluster_merlin5' - -``hub_port`` -~~~~~~~~~~~~ - -The main port to which clients will connect. - -``hub_version`` -~~~~~~~~~~~~~~~ - -Version String of jupyterhub. Currently either '0.96' or '1.0.0b2' is -supported. Recommended: '1.0.0b2'. - -partitions -~~~~~~~~~~ - -SLURM partitions to be offered in the default option selection. Should be -a mapping of partition names to descriptive strings. - -Example: - -:: - - jupyterhub::partitions: - 'test' : 'Test nodes' - 'merlin' : 'merlin standard' - 'gpu' : 'GPU nodes' - -tls_cert -~~~~~~~~ - -String (PEM Format) of the web server certificate - -tls_key -~~~~~~~ - -Eyaml encoded string of the web server certificate key (PEM format) diff --git a/engineering-guide/puppet/profiles/kdump_client.rst b/engineering-guide/puppet/profiles/kdump_client.rst deleted file mode 100644 index 4299bff2..00000000 --- a/engineering-guide/puppet/profiles/kdump_client.rst +++ /dev/null @@ -1,42 +0,0 @@ -``profile::kdump_client`` -========================= - -This profile manages the ``kdump`` service. It automatically reserves memory for -the crash kernel. - - -Parameters ----------- - -=========== ======== ================================================ -**Name** **Type** **Default** ------------ -------- ------------------------------------------------ -crashkernel string hiera('kdump_client::crashkernel') -target string hiera('kdump_client::target') -=========== ======== ================================================ - - -``crashkernel`` -~~~~~~~~~~~~~~~ - -Configures the kernel parameter ``crashkernel``, which specifies the amount of -memory to be reserved for the crash kernel. This can be ``auto`` or ``xxxM``. -Further information is provided by `Red Hat -`_. - - -``target`` -~~~~~~~~~~ - -The target for kernel dumps as documented in ``kdump.conf(5)``. Currently SSH -targets do not work, as there is no way to specify an SSH key. - - -Examples --------- - -Transfer kernel dumps to a remote server using NFS:: - - class {'kdump': - target => 'nfs some-server.psi.ch/crashes/', - } diff --git a/engineering-guide/puppet/profiles/local_accounts.rst b/engineering-guide/puppet/profiles/local_accounts.rst deleted file mode 100644 index fb048af6..00000000 --- a/engineering-guide/puppet/profiles/local_accounts.rst +++ /dev/null @@ -1,102 +0,0 @@ -``profile::local_accounts`` -=========================== - -This module helps managing local users and groups. - - -Parameters ----------- - -=============================== ======== ================================================ -**Name** **Type** **Default** -------------------------------- -------- ------------------------------------------------ -group_defs hash hiera('local_accounts::group_defs') -groups hash hiera('local_accounts::groups') -user_defs hash hiera('local_accounts::user_defs') -users list hiera('local_accounts:users') -=============================== ======== ================================================ - - -``group_defs`` -~~~~~~~~~~~~~~ - -A hash containing the definitions of local groups. The keys are the group names, -the values are the numeric group IDs. - - -Example:: - - local_accounts::group_defs: - 'my_local_group': 673 - -Also see `groups`_. - - -``groups`` -~~~~~~~~~~ - -A list containing the names of the local groups to be created. The definition -for each group is taken from `group_defs`_. - - -``user_defs`` -~~~~~~~~~~~~~ - -A hash containing the definitions of local users. The keys are the user names, -the values are hashes containing the usual user properties, ie: - -============ ========================== -``password`` password hash (optional) -``uid`` numeric UID (required) -``gid`` numeric GID (required) -``comment`` comment (optional) -``home`` home directory (required) -``shell`` shell (required) -============ ========================== - -Ideally the password hash is generated with ``openssl passwd -6`` and then encrypted - - -``users`` -~~~~~~~~~ - -A list of the users to be created. The definition of each user is taken from -`user_defs`_. - - -Examples --------- - -The following defines three users and one group, but only creates one each:: - - local_accounts::group_defs: - 'archadm': 503 - - local_accounts::user_defs: - 'ioc': - 'uid': 500 - 'gid': 9102 - 'home': '/home/ioc' - 'shell': '/bin/bash' - 'comment': 'IOC Account' - - 'slsop': - 'uid': 501 - 'gid': 9102 - 'home': '/home/slsop' - 'shell': '/bin/bash' - 'comment': 'SLS Operator' - - 'archadm': - 'uid': 503 - 'gid': 503 - 'home': '/home/archadm' - 'shell': '/bin/bash' - 'comment': '' - 'password': 'ENC[PKCS7,MIIB2gYxxxxxx...xxxxxxx]' - - local_accounts::groups: - - 'archadm' - - local_accounts::users: - - 'archadm' diff --git a/engineering-guide/puppet/profiles/log_client.rst b/engineering-guide/puppet/profiles/log_client.rst deleted file mode 100644 index 41e2afbc..00000000 --- a/engineering-guide/puppet/profiles/log_client.rst +++ /dev/null @@ -1,93 +0,0 @@ -``profile::log_client`` -======================= - -This module manages the local logging-related configuration. - -It can make the journal permanent, enable or disable legacy configuration files -(e.g. ``/var/log/messages``), and configure log forwarding. - - -Parameters ----------- - -============================ ======== ================================================== -**Name** **Type** **Default** ----------------------------- -------- -------------------------------------------------- -forward_to list hiera('log_client::forward_to', []) -legacy_logs bool hiera('log_client::legacy_logs') -persistent_journal bool hiera('log_client::persistent_journal') -journal_system_keep_free string hiera('log_client::journal_system_keep_free') -journal_system_max_file_size string hiera('log_client::journal_system_max_file_size') -journal_system_max_use string hiera('log_client::journal_system_max_use') -============================ ======== ================================================== - - -``journal_system_keep_free`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -How much space `systemd-journald(8) `_ should keep free for non-journal -use in ``/var/log``. In addition to the syntax described in -`journald.conf(5) `_ (bytes or use K, M, G, T, P, E as units) we also support percentages, ie ``'25%'`` means that -the journal will leave at least 25% of ``/var/log`` for other uses. -Note that for the use of a percentage limit ``/var/log`` must be an separate partition, else absolute values need to be set. - - -``journal_system_max_file_size`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The maximum size of individual journal files. - - -``journal_system_max_use`` -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The maximum amount of space that the journal is allowed to use. In addition to -the syntax described in `journald.conf(5) `_ (bytes or use K, M, G, T, P, E as units) we also support percentages, -ie ``'50%'`` means that the journal can use at most 50% of ``/var/log``. -Note that for the use of a percentage limit ``/var/log`` must be an separate partition, else absolute values need to be set. - - -``forward_to`` -~~~~~~~~~~~~~~ - -An array of FQDNs, possibly prefixed with ``@`` for enabling TCP and followed by -a port number. Log messages are forwarded to all entries in this list. - - -``legacy_logs`` -~~~~~~~~~~~~~~~ - -A boolean controlling whether the legacy log files (``/var/log/messages`` etc) -should be created (true) or not (false). - - -``persistent_journal`` -~~~~~~~~~~~~~~~~~~~~~~ - -A boolean controlling whether the journal should be persistent (true) or not -(false). - - -Examples --------- - -This profile is included in the base role. To customize the log_client in a -role, do this:: - - class role::some_role () { - class {'role::base': - include_log_client => false, - ... - } - - class {'profile::log_client': - legacy_logs => false, - persistent_journal => true, - } - -In Hiera, configure forwarding to ``log1`` using UDP on port 1514 and to -``log2`` using TCP (on port 514):: - - log_client::forward_to: - - 'log1.psi.ch:1514' - - '@log2.psi.ch' diff --git a/engineering-guide/puppet/profiles/log_server.rst b/engineering-guide/puppet/profiles/log_server.rst deleted file mode 100644 index 2c87648a..00000000 --- a/engineering-guide/puppet/profiles/log_server.rst +++ /dev/null @@ -1,25 +0,0 @@ -``profile::log_server`` -============================= - - -Parameters ----------- - -======== ========= ================================= -**Name** **Type** **Default** --------- --------- --------------------------------- -base_dir string hiera('log_server::base_log_dir') -rules list hiera('log_server::rules') -======== ========= ================================= - - -``base_dir`` -~~~~~~~~~~~~ - -This parameter designates the directory where the log data is stored. - - -``rules`` -~~~~~~~~~ - -A list of rules to add to the end of ``/etc/rsyslog.conf``. diff --git a/engineering-guide/puppet/profiles/mkresource/files.rst b/engineering-guide/puppet/profiles/mkresource/files.rst deleted file mode 100644 index 44d8e0a3..00000000 --- a/engineering-guide/puppet/profiles/mkresource/files.rst +++ /dev/null @@ -1,107 +0,0 @@ -``profile::mkresource::files`` -============================== - -``profile::mkresource::files`` is a puppet ``define`` (a.k.a. ``function``) which easily allows the creation of files -through the puppet ``file`` resource (through the ``create_resources`` puppet function. - -This ``define`` is intended to be called in a controlled way from a ``role`` or from another ``profile``, through an ``Array`` -list. However, it also allows the possibility to provide freedom by calling it through a ``Hash`` of files. Further information -is explained below": - -* ``Array``: In order to have more control on the files that are being created. In example:: - - # Begin: puppet class - class role::hpc::ui ( - Array $scratch = hiera('base::scratch', []), - ... - ) { - ... - profile::mkresource::files { "scratch": - files => $scratch, - defaults => { mode => '1777' }; - } - ... - } - # End: puppet class - - # Begin: hiera call - base::scratch: - - '/scratch' - - '/ssd-scratch' - # End: hiera call - -* ``Hash``: This will provide more flexibility from the user side. Only really strange cases will be allowed. Example:: - - # Begin: puppet class - class role::hpc::ui ( - Array $scratch = hiera('base::scratch', {}), - ... - ) { - ... - profile::mkresource::files { "scratch": - files => $scratch; - } - ... - } - # End: puppet class - - # Begin: hiera call - base::scratch: - '/scratch': - ensure: directory - mode: '1777' - owner: 'root' - group: 'root' - '/ssd-scratch' - ensure: directory - mode: '1770' - group: 'svc-cluster_merlin5' - # End: hiera call - -Parameters ----------- - -========== ==================== ========================== -**Name** **Type** **Default** ----------- -------------------- -------------------------- -$files Variant[Array, Hash] {} -$defaults Hash {} -========== ==================== ========================== - - -``files`` -~~~~~~~~~ -Defaults to ``Hash`` type ``{}``. Whenever is an ``Array``, it will be converted to ``Hash`` as ``create_resources`` is used and -it always expects a ``Hash``. - -Two different call examples: - -* ``Hash``:: - - base::scratch: - '/scratch': - ensure: directory - mode: '1777' - owner: 'root' - group: 'root' - '/ssd-scratch' - ensure: directory - mode: '1770' - group: 'svc-cluster_merlin5' - -* ``Array``:: - - base::scratch: - - '/scratch' - - '/ssd-scratch' - -``defaults`` -~~~~~~~~~~~~ - -Defaults to empty ``Hash``. Should contain ``file`` resource parameters (in example, ``mode``, ``owner``, ``group``, ``ensure``, etc.) -Example:: - - profile::mkresource::files { "scratch": - files => [ '/scratch', '/ssd-scratch' ], - defaults => { mode => '1777' }; - } diff --git a/engineering-guide/puppet/profiles/mta.rst b/engineering-guide/puppet/profiles/mta.rst deleted file mode 100644 index 74a06520..00000000 --- a/engineering-guide/puppet/profiles/mta.rst +++ /dev/null @@ -1,16 +0,0 @@ -``profile::mta`` -================ - -This module manages configures the system's MTA, currently -:manpage:`postfix(1)`. At the moment it only configures a relay host and -restricts access to the loopback interface. - - -Parameters ----------- - - -``relay`` -~~~~~~~~~ - -The FQDN of a host that all outgoing mail will be forwarded to for delivery. diff --git a/engineering-guide/puppet/profiles/multipath.rst b/engineering-guide/puppet/profiles/multipath.rst deleted file mode 100644 index d71c6759..00000000 --- a/engineering-guide/puppet/profiles/multipath.rst +++ /dev/null @@ -1,147 +0,0 @@ -``profile::multipath`` -======================= - -This profile configures :manpage:`multipath.conf`. - - -Parameters ----------- - -==================== ======== ============================================= -**Name** **Type** **Default** --------------------- -------- --------------------------------------------- -wwid hash hiera_hash('multipath::wwid',{}) -blacklist_wwid hash hiera_hash('multipath::blacklist_wwid',{}) -devices array hiera_hash('multipath::devices',{}) -blacklist_devices array hiera_hash('multipath::blacklist_devices',{}) -blacklist_devnode array hiera_hash('multipath::blacklist_devnode',{}) -==================== ======== ============================================= - - -``wwid`` -~~~~~~~~ - -A hash containing the `allowed multipaths` by adding the `device alias` and its corresponding `'wwid'`. -In example: - -Hiera data:: - - profile::multipath::wwid: - 'vol1_a': '360080e50004315f40000087e5966df82' - 'vol1_b': '360080e5000431680000007c35966e03e' - 'vol1_c': '360080e50004315f4000008825966e1bf' - -will generate the following lines in the `'/etc/multipath.conf'` file:: - - multipaths { - multipath { - alias vol1_a - wwid "360080e50004315f40000087e5966df82" - } - multipath { - alias vol1_b - wwid "360080e5000431680000007c35966e03e" - } - multipath { - alias vol1_c - wwid "360080e50004315f4000008825966e1bf" - } - } - -``blacklist_wwid`` -~~~~~~~~~~~~~~~~~~ - -An hash containing `blacklisted multipaths` by adding the `device alias` and its corresponding `wwid`. In example: - -Hiera data:: - - profile::multipath::blacklist_wwid: - 'vol1_j': '360080e50004315f40000087e59aaaaaa' - -will generate the following lines in the `'/etc/multipath.conf'` file:: - - blacklist { - ... - multipath { - alias vol1_j - wwid "360080e50004315f40000087e59aaaaaa" - } - ... - } - - -``devices`` -~~~~~~~~~~~ - -An array containing `allowed devices` in the `multipath.conf` configuration. In example: - -Hiera data:: - - profile::multipath::devices: - - vendor: "Supermicro" - product: "Supermicro" - - -will generate the following lines in the `'/etc/multipath.conf'` file:: - - devices { - device { - vendor "Supermicro" - product "Supermicro" - } - } - - -``blacklist_devices`` -~~~~~~~~~~~~~~~~~~~~~ - -An array containing `blacklisted devices` in the `multipath.conf` configuration. In example: - -Hiera data:: - - profile::multipath::blacklist_devices: - - vendor: "HP" - product: "HP" - - vendor: "HP" - -will generate the following lines in the `'/etc/multipath.conf'` file:: - - blacklist { - ... - device { - vendor "HP" - product "HP" - } - device { - vendor "HP" - } - ... - } - - -``blacklist_devnode`` -~~~~~~~~~~~~~~~~~~~~~ - -An array containing a list of `node devices` that will be `blacklisted` in `multipath.conf`. -By default some `'devnodes'` are already included and fixed by default in the template file. These ones are the following:: - - devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*" - devnode "^(td|hd|vd)[a-z]" - devnode "^(dcssblk)[0-9]*" - -In example, hiera data:: - - profile::multipath::blacklist_devnode: - - "sda" - - "sdb" - -will generate the following lines in the `'/etc/multipath.conf'` file:: - - blacklist { - ... - devnode "sda" - devnode "sdb" - ... - } - - diff --git a/engineering-guide/puppet/profiles/nvidia.rst b/engineering-guide/puppet/profiles/nvidia.rst deleted file mode 100644 index d281f5a8..00000000 --- a/engineering-guide/puppet/profiles/nvidia.rst +++ /dev/null @@ -1,37 +0,0 @@ -``profile::nvidia`` -=================== - -The purpose of this module is to install the NVIDIA drivers. If NVIDIA GPU cards are -detected with the facter ``pci_devices.gpu.nvidia``, automatically the ``profile::nvidia`` -class will be called. The ``class profile::platform`` is responsible for calling this profile:: - - if ( $facts['pci_devices']['gpu']['nvidia'].size > 0 ) { - class { 'profile::nvidia':; } - } - -By default the profile only installs the GPU drivers, which can be disabled setting ``nvidia::driver::enable`` to ``false``. - -To enable CUDA installation ``nvidia::cuda::enable`` must be set to ``true`` (default -is ``false``). - -Parameters ----------- - -============= ======== ======================================================= -**Name** **Type** **Default** -------------- -------- ------------------------------------------------------- -dgx boolean $::productname ? { /^DGX.*/ => true, default => false } -driver_enable boolean hiera('nvidia::driver::enable', true) -cuda_enable boolean hiera('nvidia::cuda::enable', true) -============= ======== ======================================================= - - -``driver_enable`` -~~~~~~~~~~~~~~~~~ - -Install the Nvidia GPU drivers. By default is ``true``. - -``cuda_enable`` -~~~~~~~~~~~~~~~ - -By default is ``false``. Set to ``true`` if you want to install CUDA. diff --git a/engineering-guide/puppet/profiles/nvidia/cuda.rst b/engineering-guide/puppet/profiles/nvidia/cuda.rst deleted file mode 100644 index 7ed03a8b..00000000 --- a/engineering-guide/puppet/profiles/nvidia/cuda.rst +++ /dev/null @@ -1,48 +0,0 @@ -``profile::nvidia::cuda`` -========================= - -The purpose of this module is to install the NVIDIA drivers and CUDA. -This - -The GPU drivers are always installed when this profile is included. - -To enable CUDA installation ``nvidia::cuda::enable`` must be set to ``true`` (default -is ``false``). - -Parameters ----------- - -============== ======== ========================================================= -**Name** **Type** **Default** --------------- -------- --------------------------------------------------------- -driver_version string hiera('nvidia::driver::version', undef) -driver_branch string hiera('nvidia::driver::branch', undef) -cuda_enable boolean hiera('nvidia::cuda::enable', true) -cuda_version string hiera('nvidia::cuda::version') -nv_persist boolean hiera('nvidia::cuda::nvidia_persistenced::enable', undef) -============== ======== ========================================================= - - -``driver_version`` -~~~~~~~~~~~~~~~~~~ - -Keep the Nvidia GPU driver at a given version. - -``driver_branch`` -~~~~~~~~~~~~~~~~~ - -RHEL 8 only: Use the GPU drivers from given driver branch. - -``cuda_enable`` -~~~~~~~~~~~~~~~ - -By default is ``false``. Set to ``true`` if you want to install CUDA. - - -``cuda_version`` -~~~~~~~~~~~~~~~~ -The version of CUDA to be used. On RHEL 8 it will install the newest possible still supporting the installed driver. - -``nv_persist`` -~~~~~~~~~~~~~~ -Controls the ``nvidia_persistenced`` service. By default is disabled and stopped on RHEL 7, while on RHEL 8 it is enabled and running by defautl. diff --git a/engineering-guide/puppet/profiles/platform.rst b/engineering-guide/puppet/profiles/platform.rst deleted file mode 100644 index 833f7c40..00000000 --- a/engineering-guide/puppet/profiles/platform.rst +++ /dev/null @@ -1,47 +0,0 @@ -``profile::platform`` -===================== - -The purpose of this ``profile`` is to install specific components depending on the hardware components -and hardware/platform type. - -Currently, for ``vmware`` machines no actions are performed. For ``physical`` machines some actions will -be performed depending on the parameter settings (see below). - -Also, according to the facter ``manufacturer``, some specific actions can be triggered. Currently only -``HP``/``HPE`` hardware is considered. - -Other options such like NVIDIA or Infiniband card detection are possible. Whenever detected, it will call -the corresponding class and will perform required actions. - -Parameters ----------- - -================= ========== =========== -**Name** **Type** **Default** ------------------ ---------- ----------- -enable_rasdaemon bool -enable_smartd bool -================= ========== =========== - -``enable_rasdaemon`` -~~~~~~~~~~~~~~~~~~~~ - -When set to ``true``, will install and enable the ``rasdaemon`` service. - -``enable_smartd`` -~~~~~~~~~~~~~~~~~ - -When set to ``true``, will install and enable the ``smartmontools`` (``smartd``) service. - -Facts ------ - -When some specific facts are detected, it will trigger some actions. - -===================================== =============== ============================================== -**Fact** **Value(s)** **Action description** -------------------------------------- --------------- ---------------------------------------------- -``manufacturer`` ``HP``|``HPE`` ``include profile::platform::hewlett_packard`` -``['pci_devices']['gpu']['nvidia']`` count > 0 ``include profile::nvidia`` -``['pci_devices']['ib']['mellanox']`` count > 0 ``include profile::infiniband`` -===================================== =============== ============================================== diff --git a/engineering-guide/puppet/profiles/platform/hewlett_packard.rst b/engineering-guide/puppet/profiles/platform/hewlett_packard.rst deleted file mode 100644 index af4215be..00000000 --- a/engineering-guide/puppet/profiles/platform/hewlett_packard.rst +++ /dev/null @@ -1,24 +0,0 @@ -``profile::platform::hewlett_packard`` -====================================== - -When ``profile::platform::hewlett_packard`` is called (usually from the ``profile::platform`` through -the facter ``manufacturer``, by auto-detecting an HP platform) some actions will be triggered. - -Parameters ----------- - -================= ========== =========== -**Name** **Type** **Default** ------------------ ---------- ----------- -================= ========== =========== - -Facts ------ - -When some specific facts are detected, it will trigger some actions. - -==================================== ================= ======================================================= -**Fact** **Value(s)** **Action description** ------------------------------------- ----------------- ------------------------------------------------------- -``productname`` ``/^ProLiant.*/`` Install ``hpssacli`` for HP Array Management/Monitoring -==================================== ================= ======================================================= diff --git a/engineering-guide/puppet/profiles/pmodules.rst b/engineering-guide/puppet/profiles/pmodules.rst deleted file mode 100644 index 0cfdaafb..00000000 --- a/engineering-guide/puppet/profiles/pmodules.rst +++ /dev/null @@ -1,54 +0,0 @@ -``profile::pmodules`` -===================== - -This module manages the `AIT Pmodules -`_. - -It automatically enables Pmodules for all users with - -1. a UID >= 1000 -2. a username **not** ending in ``-adm`` - -This makes sure that local service accounts, root, and administrator accounts do -not use Pmodules automatically. - - -Parameters ----------- - -================== ======== ============================== -**Name** **Type** **Default** ------------------- -------- ------------------------------ -basedir string hiera('pmodules::basedir') -================== ======== ============================== - - -``basedir`` -~~~~~~~~~~~ - -The subdirectory of ``/afs/psi.ch/sys/`` where the modules can be found, e.g. -``psi.x86_64_slp6`` or ``psi.ra``. - - -Examples --------- - -This profile is included in the base role, but disabled. To enable Pmodules -simply pass ``enable_pmodules => true`` when including the base role:: - - class role::some_role () { - class {'role::base': - enable_pmodules => true, - ... - } - ... - -To customize the base directory, include ``pmodules`` separately:: - - class role::some_role () { - include role::base - - class {'profile::pmodules': - basedir => 'psi.ra', - } - ... diff --git a/engineering-guide/puppet/profiles/puppet_client.rst b/engineering-guide/puppet/profiles/puppet_client.rst deleted file mode 100644 index 6bd504c6..00000000 --- a/engineering-guide/puppet/profiles/puppet_client.rst +++ /dev/null @@ -1,23 +0,0 @@ -``profile::puppet_client`` -========================== - - -Parameters ----------- - -========== ========= ========================= -**Name** **Type** **Default** ----------- --------- ------------------------- -exec_time string ``05:00:00 -- 08:00:00`` -========== ========= ========================= - - -``exec_time`` -~~~~~~~~~~~~~ - -Defines a time window during which Puppet will run every day. The exact time -depends on the FQDN of the system (see below), ensuring that on each system the -timing is consistent and predictable, but across a group of systems using the -same time window the exact times are distributed uniformly. - -The syntax is ``HH:MM:SS -- HH:MM:SS``. diff --git a/engineering-guide/puppet/profiles/serial_console.rst b/engineering-guide/puppet/profiles/serial_console.rst deleted file mode 100644 index 01f7221d..00000000 --- a/engineering-guide/puppet/profiles/serial_console.rst +++ /dev/null @@ -1,27 +0,0 @@ -``profile::serial_console`` -=========================== - -Configures the serial console on physical systems. - - -Parameters ----------- - -========= ========= ============ -**Name** **Type** **Default** ---------- --------- ------------ -device string ``ttyS0`` -rate integer 115200 -========= ========= ============ - - -``device`` -~~~~~~~~~~ - -The device to configure as a console. - - -``rate`` -~~~~~~~~ - -The rate to use for the serial console. diff --git a/engineering-guide/puppet/profiles/sysinfo.rst b/engineering-guide/puppet/profiles/sysinfo.rst deleted file mode 100644 index ea326703..00000000 --- a/engineering-guide/puppet/profiles/sysinfo.rst +++ /dev/null @@ -1,10 +0,0 @@ -``profile::sysinfo`` -==================== - -Stores certain information about the system in ``/etc/sysconfig/pli-info`` for -the use of other programs and scripts. Currently, the following values are -stored: - -- ``SYSDB_ENV``: the system's sysdb environment -- ``PUPPET_GROUP``: the system's ``puppet_group`` value from sysdb -- ``PUPPET_ROLE``: the system's ``puppet_role`` value from sysdb diff --git a/engineering-guide/puppet/profiles/web_server.rst b/engineering-guide/puppet/profiles/web_server.rst deleted file mode 100644 index ec10e68a..00000000 --- a/engineering-guide/puppet/profiles/web_server.rst +++ /dev/null @@ -1,49 +0,0 @@ -``profile::web_server`` -======================= - -Install and configure Apache to make local files available through HTTP/HTTPS. - - -Parameters ----------- - -========== ========= ============ -**Name** **Type** **Default** ----------- --------- ------------ -tls_cert string -tls_chain string -tls_key string -vhost string -url_map hash -========== ========= ============ - -``tls_cert`` -~~~~~~~~~~~~ - -The TLS certificate (PEM). - - -``tls_chain`` -~~~~~~~~~~~~~ - -The TLS certificate chain, ie. the intermediate certificate concatenated with -the host's certificate. - - -``tls_key`` -~~~~~~~~~~~ - -The TLS key (PEM). **Must be encrypted**! - - -``vhost`` -~~~~~~~~~ - -The name of the Apache virtual host, eg. ``linux.web.psi.ch``. - - -``url_map`` -~~~~~~~~~~~ - -A hash describing the mapping between URLs and files. The keys are the URLs -relative to the `vhost`_, the values are the corresponding paths. diff --git a/engineering-guide/puppet/roles/base.rst b/engineering-guide/puppet/roles/base.rst deleted file mode 100644 index 49f8bb6d..00000000 --- a/engineering-guide/puppet/roles/base.rst +++ /dev/null @@ -1,340 +0,0 @@ -``role::base`` -============== - -This role is special in that **it cannot be assigned to a system**. It is meant -to be included by all other roles and provide basic functionality that all roles -need anyway. - - -Parameters ----------- - -========================= ======== ==================================================== -**Name** **Type** **Default** -------------------------- -------- ---------------------------------------------------- -default_target string ``multi-user`` -default_enable_afs bool undef -default_enable_pmodules bool undef -default_pmodules_when_afs bool false, -default_local_homes bool undef, -default_enable_mta bool undef, -enable_afs bool hiera('base::enable_afs') -enable_autofs bool hiera('base::enable_autofs') -enable_epics bool hiera('base::enable_epics') -enable_filecopy bool hiera('base::enable_filecopy') -enable_ganglia bool hiera('base::enable_ganglia') -enable_icinga bool hiera('base::enable_icinga') -enable_iommu bool hiera('base::enable_iommu') -enable_kdump_client bool hiera('base::enable_kdump_client') -enable_local_homes bool hiera('base::local_homes', undef), -enable_mta bool hiera('base::enable_mta', undef), -enable_multipath bool hiera('base::enable_multipath') -enable_nfs_server bool hiera('base::enable_nfs_server') -enable_nomachine bool hiera('base::enable_nomachine') -enable_platform bool hiera('base::enable_platform') -enable_pmodules bool hiera('base::enable_pmodules') -enable_ssh_client bool hiera('base::enable_ssh_client') -enable_telegraf bool hiera('base::enable_telegraf') -enable_updatedb bool hiera('base::enable_updatedb') -include_aaa bool true -include_log_client bool true -include_rpm_repos bool true -package_groups array hiera_array('base::package_groups', []) -package_excludes array hiera_array('base::package_exclude', []) -pkg_group::* array hiera_array('base::pkg_group::...', []) -selinux_mode string hiera('base::selinux_mode', 'enforcing') -update_interval enum hiera('base::automatic_updates::interval', 'weekly') -update_type enum hiera('base::automatic_updates::type', 'security') -update_exclude array hiera_array('base::automatic_updates::exclude', []) -update_kernel bool hiera('base::automatic_updates::kernel', false) -========================= ======== ==================================================== - - -``default_target`` -~~~~~~~~~~~~~~~~~~ - -Specifies the systemd default target to configure. This does not *isolate* the -target (see :manpage:`systemctl(1)`), but merely sets it so it will become -active after a reboot. - -``default_enable_afs`` -~~~~~~~~~~~~~~~~~~~~~~ -Allows the role programmer to define if AFS should be enabled or not when there is no ``base::enable_afs`` Hiera setting and parameter ``enable_afs`` is undefined (default). - -``default_enable_pmodules`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Allows the role programmer to define if pmodules should be enabled or not when there is no ``base::enable_pmodules`` Hiera setting and parameter ``enable_pmodules`` is undefined (default). - -``default_pmodules_when_afs`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Allows the role programmer to define if pmodules should be automatically enabled together with AFS. should be enabled or not when there is no ``base::enable_pmodules`` Hiera setting and parameter ``enable_pmodules`` is undefined (default). - -This requires the parameters ``default_enable_pmodules`` and ``enable_pmodules`` to be undefined (default) and that there is no ``base::enable_pmodules`` Hiera setting. - -``default_local_homes`` -~~~~~~~~~~~~~~~~~~~~~~~ -Allows the role programmer to define if local homes should be used if not configured differently in Hiera. This is default on RHEL8. - -``default_enable_mta`` -~~~~~~~~~~~~~~~~~~~~~~ -Allows the role programmer to define if postfix should be enabled or not when there is no ``base::enable_mta`` Hiera setting and parameter ``enable_mta`` is undefined (default). - -``enable_afs`` -~~~~~~~~~~~~~~ - -Determines whether to include the :doc:`afs_client <../profiles/afs_client>` -profile to enable AFS access. -For the ``softioc`` role this is ignored, respectively there is a separate ``softioc::enable_afs`` Hiera settings. - -Puppet roles should not set this parameter as this overrides ``base::enable_afs`` from Hiera. -Please use ``default_enable_afs`` instead to define the role preference. - - -``enable_autofs`` -~~~~~~~~~~~~~~~~~ - -Enable the ``autofs`` service. This is **not** needed for automounts! It is only -needed to support the ``-hosts`` map as documented in :manpage:`auto.master`. -The ``-hosts`` map is mounted on ``/net``. - - -``enable_epics`` -~~~~~~~~~~~~~~~~~ - -Enables the ``EPICS``. TODO: more details... - - -``enable_filecopy`` -~~~~~~~~~~~~~~~~~~~ - -Enable the ``filecopy`` profile, which allows deploying arbitrary files from -``git.psi.ch`` through Hiera. - - -``enable_ganglia`` -~~~~~~~~~~~~~~~~~~ - -Determines whether to include the :doc:`ganglia_client -<../profiles/ganglia_client>`. - - -``enable_ssh_client`` -~~~~~~~~~~~~~~~~~~~~~ - -Deploy global SSH client configuration, ie ``/etc/ssh/ssh_config``. - - -``enable_telegraf`` -~~~~~~~~~~~~~~~~~~~ - -Enable the telegraf monitoring agent, which reports various system metrics to -InfluxDB servers. - - -``enable_icinga`` -~~~~~~~~~~~~~~~~~ - -Determines whether to include the :doc:`icinga_client -<../profiles/icinga/client>` profile, which installs the client components -necessary for Icinga-based monitoring. - - -``enable_iommu`` -~~~~~~~~~~~~~~~~~ - -It enables the IOMMU support in the kernel on boot. The node needs to be rebooted for this change to become active. - - -``enable_kdump_client`` -~~~~~~~~~~~~~~~~~~~~~~~ - -Determines whether to include the :doc:`kdump_client <../profiles/kdump_client>` -profile. - -``enable_local_homes`` -~~~~~~~~~~~~~~~~~~~~~~ -Configures local homes. - -Puppet roles should not set this parameter as this overrides ``base::enable_local_homes`` from Hiera. -Please use ``default_local_homes`` instead to define the role preference. - -``enable_mta`` -~~~~~~~~~~~~~~ -Enables postfix. - -Puppet roles should not set this parameter as this overrides ``base::enable_mta`` from Hiera. -Please use ``default_enable_mta`` instead to define the role preference. - -``enable_multipath`` -~~~~~~~~~~~~~~~~~~~~ - -Enable the ``multipath`` profile for basic multipath functionality. - - -``enable_nfs_server`` -~~~~~~~~~~~~~~~~~~~~~ - -Enable the kernel NFS server and configure the :manpage:`exports(5)` file. - - -``enable_nomachine`` -~~~~~~~~~~~~~~~~~~~~ - -Include the ``nomachine`` profile, which can install NoMachine NX in various -configurations. - - -``enable_platform`` -~~~~~~~~~~~~~~~~~~~ - -Enable the ``platform`` profile, which installs and configures hardware-specific -tools and configurations. - - -``enable_pmodules`` -~~~~~~~~~~~~~~~~~~~ - -Determines whether to enable the :doc:`pmodules <../profiles/pmodules>` profile. -When true, the necessary configuration is automatically sourced for all normal -users (ie UID >= 1000 and no ``-adm`` suffix) using :manpage:`bash(1)`. - -Requires AFS to work, as the required configuration files are stored on AFS. - -Puppet roles should not set this parameter as this overrides ``base::enable_pmodules`` from Hiera. -Please use ``default_enable_pmodules`` or even ``default_pmodules_when_afs`` instead to define the role preference. - - -``enable_updatedb`` -~~~~~~~~~~~~~~~~~~~ - -Determines whether or not :manpage:`updatedb(8)` (aka :manpage:`locate(1)`) is -enabled or not. When enabled, it is still possible to exclude certain -directories for indexing. This is also supported directly by the mounter module. - - -``include_aaa`` -~~~~~~~~~~~~~~~ - -Determines whether to include the :doc:`aaa <../profiles/aaa>` profile, which -configures authentication, authorization, and (partly) auditing. - - -``include_log_client`` -~~~~~~~~~~~~~~~~~~~~~~ - -Include the :doc:`log_client <../profiles/log_client>` profile. This is only -meant to allow roles customization of the :doc:`log_client -<../profiles/log_client>` profile. - - -``include_rpm_repos`` -~~~~~~~~~~~~~~~~~~~~~~ - -Determines whether to install the default RPM package repositories. - - -``package_groups`` -~~~~~~~~~~~~~~~~~~ - -The list of package groups to install. Package groups are defined in Hiera using -``base::pkg_group::NAME``. - - -``pkg_group::NAME`` -~~~~~~~~~~~~~~~~~~~ - -An array defining the package group ``NAME``. It contains the package name with optionally -one or more tags, separated by ``:``. Following tags are allowed: - -========== ===================================================== -Tag Description ----------- ----------------------------------------------------- -latest ensure the latest version of the package is installed -absent ensure the package is not installed -os=redhat7 install it only on this OS -os!redhat7 install on any OS except this one -========== ===================================================== - - -``package_excludes`` -~~~~~~~~~~~~~~~~~~~~ - -An array with packages which are not made available on the system. - - -``selinux_mode`` -~~~~~~~~~~~~~~~~ - -The SELinux mode to use, one of ``enforcing``, ``permissive``, and ``disabled``. -The *configured* SELinux mode (ie the setting in ``/etc/sysconfig/selinux``) is -changed immediately. The runtime mode is changed as follows, as certain -transitions are impossible without a reboot: - -========== ========== =========== -Current Setting New runtime ----------- ---------- ----------- -Enforcing Disabled Permissive -Enforcing Permissive Permissive -Permissive Enforcing Enforcing -Permissive Disabled Permissive -Disabled Permissive Disabled -Disabled Enforcing Disabled -========== ========== =========== - - -``update_interval`` -~~~~~~~~~~~~~~~~~~~ -How often should the automatic updates be installed. Valid options are ``never``, ``daily`` and ``weekly``. - - -``update_type`` -~~~~~~~~~~~~~~~ -What type of package updates should be installed automatically, either ``security`` for only security updates or ``all`` for all updates. - - -``update_exclude`` -~~~~~~~~~~~~~~~~~~ -List of packages which shall not be updated automatically. Wildcards like * are allowed. The kernel is excluded by default. - -``update_kernel`` -~~~~~~~~~~~~~~~~~ -Marks if also the kernel package should be automatically updated. Note that the necessary reboot to run the new kernel needs to be done manually. - - -Examples --------- - -The most basic usage is:: - - class role::some_role () { - - include role::base - - ... - } - -Most profiles that are included can be excluded when necessary:: - - class role::some_role () { - - class {'role::base': - include_icinga => false, - } - - ... - } - -This can be used to customize some of the basic profiles:: - - class role::base () { - - class {'role::base': - include_aaa => false, - } - - class {'profile::aaa': - support_nx => true, - } - - ... - } diff --git a/engineering-guide/puppet/roles/daq_buffer.rst b/engineering-guide/puppet/roles/daq_buffer.rst deleted file mode 100644 index fd82458a..00000000 --- a/engineering-guide/puppet/roles/daq_buffer.rst +++ /dev/null @@ -1,17 +0,0 @@ -``role::daq_buffer`` -==================== - -A data acquisition server. This role assumes to be running on a system with two -disks, ``/dev/sda`` and ``/dev/sdb``. Apart from the usual LVs for the OS there -is another LV for metadata on ``/dev/sda`` (as usual). On ``/dev/sdb`` there is -a single LV for the actual data. - - -Parameters ----------- - -``daq_admins`` -~~~~~~~~~~~~~~ - -A list of users with full root access on the system (in addition to the usual -``aaa::admins``). diff --git a/engineering-guide/puppet/roles/hpc/ces.rst b/engineering-guide/puppet/roles/hpc/ces.rst deleted file mode 100644 index 27f38f37..00000000 --- a/engineering-guide/puppet/roles/hpc/ces.rst +++ /dev/null @@ -1,2 +0,0 @@ -``role::hpc::ces`` -================== diff --git a/engineering-guide/puppet/roles/hpc/cn.rst b/engineering-guide/puppet/roles/hpc/cn.rst deleted file mode 100644 index 6cdeec56..00000000 --- a/engineering-guide/puppet/roles/hpc/cn.rst +++ /dev/null @@ -1,20 +0,0 @@ -``role::hpc::cn`` -====================== - -This role implements a Computing Node. Currently only Slurm is supported. -GPFS can be configured, but need changes in Puppet for newer clusters:: - - # Cluster specific classes - case $cluster['name'] { - 'merlin5','ComputeCluster_SwissFEL','ra','xbl','sf': { - class { 'profile::gpfs':; } - } - } - -Parameters ----------- - -``cluster`` -~~~~~~~~~~~~~~~ - -Must be defined by the setting: ``slurm::cluster`` in YAML. diff --git a/engineering-guide/puppet/roles/hpc/database.rst b/engineering-guide/puppet/roles/hpc/database.rst deleted file mode 100644 index b244e4d7..00000000 --- a/engineering-guide/puppet/roles/hpc/database.rst +++ /dev/null @@ -1,4 +0,0 @@ -``role::hpc::database`` -======================= - -This role implements a MySQL server for Slurm. diff --git a/engineering-guide/puppet/roles/hpc/server.rst b/engineering-guide/puppet/roles/hpc/server.rst deleted file mode 100644 index 360a7992..00000000 --- a/engineering-guide/puppet/roles/hpc/server.rst +++ /dev/null @@ -1,64 +0,0 @@ -``role::hpc::server`` -====================== - -This role implements a Server node. Currently only Slurm is supported. -GPFS can be configured, but need changes in Puppet for newer clusters:: - - # Cluster specific classes - case $cluster['name'] { - 'merlin5': { - class { 'profile::gpfs':; } - } - } - -Parameters ----------- - -=========== ========= ========================== -**Name** **Type** **Default** ------------ --------- -------------------------- -has_slurm Boolean *true* -cluster Hash *slurm::cluster* -db_user String *slurm::db::user* -db_password String *slurm::db::password* -db_backup Boolean *slurm::db::backup* -=========== ========= ========================== - -``has_slurm`` -~~~~~~~~~~~~~~~ - -When set to ``true``, installs and configured a **slurm** server. -By default **slurm** is always installed, it can be disabled by setting this -parameter to ``false`` - -``cluster`` -~~~~~~~~~~~~~~~ - -Must be defined by the setting ``slurm::cluster`` in YAML. - -``db_user`` -~~~~~~~~~~~~~~~ - -Must be defined by the setting ``slurm::db::user`` in YAML. - -``db_passwd`` -~~~~~~~~~~~~~~~ - -Must be defined by the setting ``slurm::db::password`` in YAML. - -``db_backup`` -~~~~~~~~~~~~~~~ - -Must be defined by the setting ``slurm::db::backup`` in YAML. - -``db_options`` -~~~~~~~~~~~~~~~ - -Can be defined by the setting ``slurm::db::options`` in YAML. -Defaults to ``{}`` - -``db_backup_dir`` -~~~~~~~~~~~~~~~~~ - -Can be defined by the setting ``slurm::db::backup_dir`` in YAML. -Defaults to ``undef`` diff --git a/engineering-guide/puppet/roles/hpc/ui.rst b/engineering-guide/puppet/roles/hpc/ui.rst deleted file mode 100644 index 6152cd51..00000000 --- a/engineering-guide/puppet/roles/hpc/ui.rst +++ /dev/null @@ -1,20 +0,0 @@ -``role::hpc::ui`` -====================== - -This role implements a User Interface. Currently only Slurm is supported. -GPFS can be configured, but need changes in Puppet for newer clusters:: - - # Cluster specific classes - case $cluster['name'] { - 'merlin5','xbl','sf': { - class { 'profile::gpfs':; } - } - } - -Parameters ----------- - -``cluster`` -~~~~~~~~~~~~~~~ - -Must be defined by the setting: ``slurm::cluster`` in YAML. diff --git a/engineering-guide/puppet/roles/softioc.rst b/engineering-guide/puppet/roles/softioc.rst deleted file mode 100644 index 83fa7f15..00000000 --- a/engineering-guide/puppet/roles/softioc.rst +++ /dev/null @@ -1,71 +0,0 @@ -``role::softioc`` -================= - -This role implements a GFA SoftIOC system. - - -Parameters ----------- - -============== ======== =================================== -enable_afs bool hiera('softioc::enable_afs', false) -local_homes bool hiera('softioc::local_homes') -mount_root string hiera('softioc::mount_root') -mounts hash hiera_hash('softioc::mounts', {}) -symlink_root string hiera('softioc::symlink_root') -users array hiera('softioc::users', []) -============== ======== =================================== - - -``enable_afs`` -~~~~~~~~~~~~~~~ - -Configures AFS access and pmodule. - - -``local_homes`` -~~~~~~~~~~~~~~~ - -If this is true, the home directories on the system will be in ``/home/%u``. - - -``mount_root`` -~~~~~~~~~~~~~~ - -The directory where the mounts given in ``mounts`` are mounted. - - -``mounts`` -~~~~~~~~~~ - -A hash defining the mounts to be mounted below ``mount_root``. - - -``symlink_root`` -~~~~~~~~~~~~~~~~ - -This defines the directory where symlinks to the mounts defined by ``mounts`` -are created. - - -``users`` -~~~~~~~~~ - -This overrides the ``aaa::users`` parameter. - - -Examples --------- - -Configuration:: - - softioc::mount_root: '/gfa/.mounts' - softioc::symlink_root: '/sf' - softioc::mounts: - 'data': - ... - -Resulting files: - -- ``/gfa/.mounts/data``: mountpoint for ``data`` -- ``/sf/data ``: symlink to ``/gfa/.mounts/data`` diff --git a/engineering-guide/puppet/roles/web_server.rst b/engineering-guide/puppet/roles/web_server.rst deleted file mode 100644 index 0f1960e5..00000000 --- a/engineering-guide/puppet/roles/web_server.rst +++ /dev/null @@ -1,26 +0,0 @@ -``role::web_server`` -==================== - -This role implements a simple web server which simply exports directories under -certain URLs. - - -Parameters ----------- - -``directories`` -~~~~~~~~~~~~~~~ - -A hash whose keys are the (relative) URLs under which to export the directories. -The values of the hash are the directories that should be made available. - - -Examples --------- - -The following configuration exports ``/usr/share/doc`` as -``$FQDN/documentation`` and ``/usr/share/man`` as ``$FQDN/manpages``:: - - web_server::directories: - '/documentation': '/usr/share/doc' - '/manpages': '/usr/share/man' diff --git a/engineering-guide/puppet/roles/workstation.rst b/engineering-guide/puppet/roles/workstation.rst deleted file mode 100644 index d0928f83..00000000 --- a/engineering-guide/puppet/roles/workstation.rst +++ /dev/null @@ -1,109 +0,0 @@ -``role::workstation`` -===================== - -This role implements a generic desktop system. The following features are -supported: - -- AFS (optional), with automatic token renewal -- AD authentication -- Printing via the PSI CUPS server -- Multiple keyboard layouts on the login screen -- Kerberos support for Firefox - - -Parameters ----------- - - -================= ========= ======================================== -**Name** **Type** **Default** ------------------ --------- ---------------------------------------- -banner_message string See ``common.yaml`` -enable_afs bool hiera('workstation::enable_afs', true) -favorites array See ``common.yaml`` -keyboard_layouts array See ``common.yaml`` -local_homes bool false -priv_users array [] -idle_delay integer hiera('workstation::idle_delay') -lock_delay integer hiera('workstation::lock_delay') -lock_enabled boolean hiera('workstation::lock_enabled') -timedlogin_delay integer hiera('workstation::timedlogin_delay') -timedlogin_enable boolean hiera('workstation::timedlogin_enable') -timedlogin_user string hiera('workstation::timedlogin_user') -================= ========= ======================================== - -``banner_message`` -~~~~~~~~~~~~~~~~~~ - -A message displayed on the login screen. - -``enable_afs`` -~~~~~~~~~~~~~~~ - -Configures AFS access and pmodule. - - -``favorites`` -~~~~~~~~~~~~~ - -The of applications/locations in the 'Favorites' menu. Entries usually specify -an application's desktop file, eg. 'firefox.desktop'. - - -``idle_delay`` -~~~~~~~~~~~~~~ - -The number of seconds before the screensaver is started. Also see `lock_delay`_ -and `lock_enabled`_. - - -``keyboard_layouts`` -~~~~~~~~~~~~~~~~~~~~ - -The list of keyboard layouts available on the login screen. - - -``local_homes`` -~~~~~~~~~~~~~~~ - -Whether or not to use local homes in ``/home``. - - -``lock_delay`` -~~~~~~~~~~~~~~ - -The number of seconds to wait after the start of the screensaver before locking -the screen. Also see `idle_delay`_. - - -``lock_enabled`` -~~~~~~~~~~~~~~~~ - -Whether or not to lock the screen after a period of inactivity. See -`idle_delay`_ and `lock_delay`_ for more. - - -``priv_users`` -~~~~~~~~~~~~~~ - -A list of users, which will have admin privileges in the UI. They can install -additional software, for example. - - -``timedlogin_delay`` -~~~~~~~~~~~~~~~~~~~~ - -How many seconds to wait at the login screen before logging in automatically. - - -``timedlogin_enable`` -~~~~~~~~~~~~~~~~~~~~~ - -Enable automatic logins. This does not work with accounts which require AFS, of -course. - - -``timedlogin_user`` -~~~~~~~~~~~~~~~~~~~ - -Which user to log in as if automatic logins have been enabled. diff --git a/engineering-guide/puppet_server.md b/engineering-guide/puppet_server.md deleted file mode 100644 index f67b43bb..00000000 --- a/engineering-guide/puppet_server.md +++ /dev/null @@ -1,96 +0,0 @@ -# Puppet Server - -Runs the puppet server for rhel7 - -The main code repositories are synced into: - -* /srv/puppet/code/base/preprod/ -* /srv/puppet/code/base/prod/ - -Other optional environments can be arbitrarily created and immediately used under this path: - -* /srv/puppet/code/dev/envs/ - -At https://puppet01.psi.ch/ , a small web app to delete server side certificates is made available. The authentication uses LDAP against the AD, but access rights are granted from the /etc/httpd/conf.d/ssl.conf - -## Branches - -You can create a branch to develop new code from the master branch of the puppet repository. To test the code, a directory with the same name as the branch can be created at puppet01:/srv/puppet/code/dev/envs/ . Upon creating the directory, preprod gets rsynced in here. If the branch alrady exists and if it's to be pulled, that can be done via the command: - -``` -git pull origin xyz -``` - -This can then be tested on any controlled host by running: - -``` -puppet agent -t --environment=xyz -``` - -## Merge Process - -Merge meetings are usually held weekly. To record the meeting a https://git.psi.ch/linux-infra/org/wikis/meeting_reports/YYYY-MM-DD page is to be created based on the https://git.psi.ch/linux-infra/org/wikis/merge-meeting-guidelines template. - -## Modules - -The modules, which are not part of the base repo are to be pulled into /srv/puppet/code/dev/envs/(pre)prod/code/modules/ - -The correct way to pull the modules is with the use of librarian. However, at this time, the puppetfile contains "prod" or "production" as versions for some of the modules. Librarian can not understand this. As a result, it turns to the puppetfile.lock , where the commit of the initial pull is saved. As long as the lock is present, librarian will always pull the commit saved there, it will not pull the latest commit and will even revert, if that latest commit is pulled manually. - -The solution is to always run librarian with the lock file removed: - -``` -[root@puppet01 prod]# cd /srv/puppet/code/base/prod -[root@puppet01 prod]# rm -f Puppetfile.lock -[root@puppet01 prod]# /opt/puppetlabs/puppet/bin/librarian-puppet install --path=code/modules -``` - -This way the latest commit will be pulled for all incorrectly defined modules. - -## Hiera / data-xxx -The data-xxx repositories have a webhook configured that points to http://puppet01.psi.ch/events/dataupdate -The triggered webhook code can be found on puppet01 at /var/www/webhook/app/webhook.py - -This webhook checks out the data repositories in /srv/puppet/data - -## PuppetDB -To be able to talk to the PuppetDB we need a (client) certificate (including the key) accepted by the Puppet server -for authentication. On Puppet-enabled nodes the node's certificate works, i.e.: - -- Certificate: `/etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem` -- Key: `/etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem` - -These can be supplied to `curl(1)` using the `--key`, `--cert`, and -`--cacert` options: - -```bash - curl --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \ - --key /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem \ - --cert /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem \ - https://puppet01.psi.ch:8080/pdb/query/v4/nodes -``` - -There are several API endpoints that can be queried, e.g. `/pdb/query/v4` (note that there is no -`/` at the end), or `/pdb/query/v4/nodes`. - - -### Examples - -```bash -# define a function to simplify the queries -function pdb { - local pql=$1 - curl --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \ - --key /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem \ - --cert /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem \ - -H content-type:application/json --data "{ \"query\": \"$pql\" }" \ - https://puppet01.psi.ch:8080/pdb/query/v4 | json_reformat - } - -# list all nodes -pdb "nodes[certname] { order by certname }" - - -# list environments and times of the last Puppet run -pdb "reports[certname,environment,start_time,end_time] { order by certname }" -``` \ No newline at end of file diff --git a/engineering-guide/repo_server.md b/engineering-guide/repo_server.md deleted file mode 100644 index 0c729452..00000000 --- a/engineering-guide/repo_server.md +++ /dev/null @@ -1,26 +0,0 @@ -# Repository Server - -The repository server is [lx-repos-01.psi.ch](https://lx-repos-01.psi.ch), usually accessed with the alias [repos.psi.ch](https://repos.psi.ch). - -## Prepare a new RHEL Version for Installation - -Download the iso image on repos.psi.ch from https://id-sat-prd-02.ethz.ch/pub/isos/ and add it to the /packages/rhel\[7/8]/iso directory - -The service restart mounts the iso as a loop device into a directory of the same name. - -Then the ipxe and grub templates of the sysdb have to be edited, to add the new version: - -https://git.psi.ch/linux-infra/sysdb/blob/prod/sysdb/ipxe_template.py - -https://git.psi.ch/linux-infra/sysdb/blob/prod/sysdb/grub_template.py - -Once the change is committed, the changes have to be pulled on sysdb.psi.ch: - -``` -[root@sysdb ~]# cd /var/www/sysdb/app/ -[root@sysdb ~]# git pull -[root@sysdb ~]# systemctl restart httpd -``` - -The changes only come live after a restart of the httpd. - diff --git a/engineering-guide/sync_server.md b/engineering-guide/sync_server.md deleted file mode 100644 index c1aa3185..00000000 --- a/engineering-guide/sync_server.md +++ /dev/null @@ -1,18 +0,0 @@ -# Sync Server -This server (lx-sync-01.psi.ch) mirrors and synchronize the YUM repositories to our infrastructure. It is the only server that has write access to NFS volume hosting holding the data of our repositories. - -## Howto - -### Copy/Deploy ISOs -This is how to manually copy ISOs to - -1. Place iso on the PSI scratch drive -2. On lx-sync-01 temporarily mount the scratch drive - ``` - mount.cifs -ouser=ebner //scratch0/scratch /mnt - ``` -3. copy over iso's -4. Umount scratch: - ``` - umount /mnt - ``` diff --git a/engineering-guide/sysdb_server.md b/engineering-guide/sysdb_server.md deleted file mode 100644 index 2515ae64..00000000 --- a/engineering-guide/sysdb_server.md +++ /dev/null @@ -1,7 +0,0 @@ -# Sysdb Server - -https://git.psi.ch/linux-infra/sysdb/ is pulled into /var/www/sysdb/app/ (no automation, just by hand) - -httpd runs the service and it needs restarting, when pulling changes - -Access rights are granted on the environment level (bob env list). At this time, most of the users and groups come from the AD, except for the sysdb-admins, which is defined locally, see /etc/group diff --git a/engineering-guide/test_systems.md b/engineering-guide/test_systems.md deleted file mode 100644 index ec68300c..00000000 --- a/engineering-guide/test_systems.md +++ /dev/null @@ -1,54 +0,0 @@ -# Test Systems -List of test nodes and the idea behind. - -## Core Linux Infrastructure Systems - -- sysdb-test.psi.ch aka lx-sysdb-test-01.psi.ch as test Sysdb server -- puppet00-test.psi.ch as test Puppet server - -On these systems there is currently only the [`lxdev` sysdb environment](https://git.psi.ch/linux-infra/hiera/data-lxdev) available/configured. - -To get a node to boot into the test setup, you need a special network boot configuration for grub in the [`network-boot` repo](https://git.psi.ch/linux-infra/network-boot). -Best do in `grub.d` a symlink from the full qualified hostname to `use-sysdb-test`. -Then in the root directory you need another symlink from `grub.cfg-01-$MAC` (use dashes instead of colons to separte the MAC address bytes) to the symlink with your hostname in `grub.d`. This last file is looked up by grub during network boot. The symlink cascade is to know what MAC address belongs to what host and what is the intend of the special configuration. - -## Icinga2 Test Server - -Here we mostly deal with the master: - -- Primary [vmonma02a.psi.ch](https://vmonma02a.psi.ch) (with Director) -- Secondary [vmonma02b.psi.ch](https://vmonma02b.psi.ch) - -The schema with all nodes of the test setup you find in the [Monitoring Environment Slides](https://monitoring.psi.ch/icingaweb2/psi-help/pdfs/MonitoringIcinga2.pdf) page 3. - -## Test RHEL Nodes - -This systems are in the [`lxdev` sysdb environment](https://git.psi.ch/linux-infra/hiera/data-lxdev). - -Here we have minimal configuration (`noconfig`) to test the default setup and a more extensive configuration (`muchconfig`) to have a test bed with more complex settings. - -### `noconfig` Servers -- `lxdev00.psi.ch` running RHEL7 -- `lxdev01.psi.ch` running RHEL8 with managed network configuration and static IP automatically read from DNS -- `lxdev02.psi.ch` running RHEL9 with managed network configuration and static IP automatically read from DNS - -### `noconfig` Workstations -- `lxdev03` running RHEL7 -- `lxdev04` running RHEL8 -- `lxdev05` running RHEL9 - -### `muchconfig` Workstations -- `lxdev6` running RHEL7 -- `lxdev7` running RHEL8 -- `lxdev8` running RHEL9 - -All of these have a serial port added to the virtual hardware and the output of it is sent to a file which is accessible on `lxsup.psi.ch` on `/data/serial_console/` - -Then each of these hosts can monitor the network traffic of the two other hosts. The interface `ens224` will get a copy of the network traffic from the lower of the other two hosts, whereas the interface `ens256` gets the traffic of the node with the bigger number. - -## Test DMZ Nodes - -This system are in the normal production [`lx` sysdb environment](https://git.psi.ch/linux-infra/hiera/data-lx) in the `dmz` puppet group: -- `lx-test-dmz-01.psi.ch` -- `lx-test-dmz-02.psi.ch` - diff --git a/engineering-guide/troubleshooting.md b/engineering-guide/troubleshooting.md deleted file mode 100644 index 9ec15439..00000000 --- a/engineering-guide/troubleshooting.md +++ /dev/null @@ -1,15 +0,0 @@ -# Troubleshooting - -## Network Issues -To be able to debug early network issues in the boot process the 2 test VMs lxdev04 and lxdev05 have network port mirroring enabled. - -I.e. lxdev04 has a second interface that mirrors the primary interface of lxdev05 and lxdev05 has a second interface that mirrors the primary interface of lxdev04. - -Bring the device up without IP address: - -``` -ip link set dev ens192 up -ip addr flush dev ens192 -``` -and then use `tcpdump -i ens192 ...` - diff --git a/management/_static/RedHat-Product-Life-Cycles.pdf b/management/_static/RedHat-Product-Life-Cycles.pdf deleted file mode 100644 index 93445e8f..00000000 Binary files a/management/_static/RedHat-Product-Life-Cycles.pdf and /dev/null differ diff --git a/management/index.md b/management/index.md deleted file mode 100644 index 11234a5c..00000000 --- a/management/index.md +++ /dev/null @@ -1,4 +0,0 @@ -# Management - -```{tableofcontents} -``` diff --git a/management/redhat_product_lifecycle.md b/management/redhat_product_lifecycle.md deleted file mode 100644 index 68ff3255..00000000 --- a/management/redhat_product_lifecycle.md +++ /dev/null @@ -1,6 +0,0 @@ -# RedHat Product Lifecycle - -These pages give an overview about the RedHat product lifecycle in the upcoming years: - -- https://access.redhat.com/support/policy/updates/errata/ -- Red Hat Product Lifecycle Overview: [RedHat-Product-Life-Cycles.pdf](_static/RedHat-Product-Life-Cycles.pdf) \ No newline at end of file diff --git a/management/strategy.md b/management/strategy.md deleted file mode 100644 index 928e4d15..00000000 --- a/management/strategy.md +++ /dev/null @@ -1,61 +0,0 @@ -# Linux Strategy - -The Core Linux team is following a dynamic strategy that are based on the following basic pillars. - -## Goal -We enable PSI scientists/staff to focus on their research/work. Based on the resources we are given by management we provide/operate necessary infrastructure, support and services so that people can perform at their best. - -We rely on industry standards and professional solutions to ensure the sustainability and robustness of PSI Linux infrastructure. We pursue to find the most simple, maintainable and sustainable solution to our challenges. - -## Assessment and Planning - -- **Needs Analysis**: Identify departments or areas where Linux usage is critical or can be expanded. -- **Stakeholder Consultation**: Engage with departments, scientists, staff and students to understand their Linux requirements and challenges. -- **Lifecycle Management**: Proactively address and prepare for end of support/end of life situations. -- **Order of Priority**: Security incident before operational incident before user issues before own development. - -## Security and Compliance - -- **Action**: We work on eliminating/upgrade/... vulnerable systems and services. -- **Support**: We provide latest updates. We provide our skills and knowhow for vulnerability and icident analyis. -- **Security Policies**: Establish Linux-specific security policies and procedures (e.g., user permissions, firewall settings) to make PSI resilient and robust to cyber threads. -- **Compliance**: Our Linux systems should/must comply with relevant regulatory requirements (e.g., GDPR, HIPAA). - -## Standardization and Deployment - -- **Linux Distribution**: We support a stable and well-supported Linux distribution (currently RHEL) for deployment across the PSI. -- **Standardize Configurations**: Develop standardized configurations for Linux systems to ensure consistency and security. -- **Automated Deployment**: We provide fully automated provisioning and deployment of Linux systems. -- **Support**: For standard distribution, software and hardware we provide extensive support, the more exotic these get the less. - -## Resource Optimization - -- **Virtualization and Containers**: Embrace virtualization and containerization technologies (e.g., Docker, Kubernetes) to optimize resource utilization. - -## Monitoring and Performance Tuning - -- **Monitoring Tools**: Deploy monitoring tools to track Linux system performance and health. -- **Performance Optimization**: We provide our skills and knowhow to analize performance problems. - -## Training and Support -- **Training**: Organize training sessions and workshops to enhance Linux skills within PSI. -- **Documentation**: Maintain comprehensive documentation and guides for Linux usage and troubleshooting. -- **User Support**: Provide responsive user support for Linux-related issues and queries. - - -## Backup and Disaster Recovery - -- **Backup Solutions**: We rely and implement robust backup solutions for critical Linux data and configurations. (provided by other PSI teams) -- **Disaster Recovery**: Develop our system for easy disaster recovery. - -## Continous Improvement - -- **Feedback Loop**: Establish a feedback loop to gather insights from users and stakeholders for continuous improvement. -- **Periodic Reviews**: Conduct periodic reviews of our strategy and services to adapt to evolving needs and technological advancements. (? do we or our management do that?) - -## Misc -- **Engagement in Communities**: Encourage participation in open source communities and projects relevant to our needs. -- **Contribution**: Foster a culture of contributing back to the open source ecosystem. - -- **Encourage Innovation**: Promote Linux-based research and development initiatives within PSI. -- **Partnerships**: Explore partnerships with industry and other academic institutions for collaborative Linux projects. diff --git a/user-guide/MFA.md b/user-guide/MFA.md deleted file mode 100644 index 2165c73b..00000000 --- a/user-guide/MFA.md +++ /dev/null @@ -1,38 +0,0 @@ -# MFA / OTP - Multi Factor Authentication - -PSI multi factor authentication is based on a Microsoft Authenticatior infrastructure. - -This is how you can configure our account so that you are able to use any OTP instead of Microsoft Authenticator. - -1. Login to: - -https://mysignins.microsoft.com/security-info - -2. Click on Add Authentication Method -![Alt text](MFA/MFA_1.png) - -3. Select Authenticator-App and click __Add__ -![Alt text](MFA/MFA_2.png) - -4. When you get this menu - click on the link __I want to add an other Authenticator-App__ (do NOT click on _Continue_) -![Alt text](MFA/MFA_3.png) - -5. The dialog will then change to something like this. Now click on _Continue_. -![Alt text](MFA/MFA_4.png) - -6. You will then have a QR code presented that you have to scan with your Authenticator app. -![Alt text](MFA/MFA_7.png) - -7. Verify the correct setup by entering an OTP code: -![Alt text](MFA/MFA_5.png) - -8. Continue the dialog to finish adding the method. - - - -If you want to set OTP based authentication as default change the Standard Authentication Method to "Authenticator-App or Hardwaretoken - Code" - -![Alt text](MFA/MFA_6.png) - - -After changing the default authentication method to "Authenticator-App or Hardwaretoken - Code" you should always get a second prompt for the OTP value instead of the Microsoft Authenticatior push message. diff --git a/user-guide/MFA/MFA_1.png b/user-guide/MFA/MFA_1.png deleted file mode 100644 index d998821b..00000000 Binary files a/user-guide/MFA/MFA_1.png and /dev/null differ diff --git a/user-guide/MFA/MFA_2.png b/user-guide/MFA/MFA_2.png deleted file mode 100644 index dae4932b..00000000 Binary files a/user-guide/MFA/MFA_2.png and /dev/null differ diff --git a/user-guide/MFA/MFA_3.png b/user-guide/MFA/MFA_3.png deleted file mode 100644 index 5cebd62d..00000000 Binary files a/user-guide/MFA/MFA_3.png and /dev/null differ diff --git a/user-guide/MFA/MFA_4.png b/user-guide/MFA/MFA_4.png deleted file mode 100644 index 1603ffdb..00000000 Binary files a/user-guide/MFA/MFA_4.png and /dev/null differ diff --git a/user-guide/MFA/MFA_5.png b/user-guide/MFA/MFA_5.png deleted file mode 100644 index 4bf75e6d..00000000 Binary files a/user-guide/MFA/MFA_5.png and /dev/null differ diff --git a/user-guide/MFA/MFA_6.png b/user-guide/MFA/MFA_6.png deleted file mode 100644 index b03997f4..00000000 Binary files a/user-guide/MFA/MFA_6.png and /dev/null differ diff --git a/user-guide/MFA/MFA_7.png b/user-guide/MFA/MFA_7.png deleted file mode 100644 index 91e770ab..00000000 Binary files a/user-guide/MFA/MFA_7.png and /dev/null differ diff --git a/user-guide/eaccounts.md b/user-guide/eaccounts.md deleted file mode 100644 index e0857c1d..00000000 --- a/user-guide/eaccounts.md +++ /dev/null @@ -1,10 +0,0 @@ -# Experimental Accounts - pgroup - eaccount - -For each experiment proposal that is accepted there is a so called pgroup, a Unix group that will manage the access to the data (proposals are managed in https://duo.psi.ch). For each pgroup there will also be a so called eaccount that can be used to collect data when a beamtime is scheduled. There is a one to one mapping of eaccount and pgroup. - -The pgroup can and will hold additional accounts that are related to that proposal. These additional accounts can be added in DUO and must be used to access and analyze the data after the data is collected. - -More details can be found [](../admin-guide/configuration/access/eaccounts.md) - -## Lookup / Reset eaccount Password -Each member of the pgroup of the eaccount can lookup / reset its password at: https://epwd.psi.ch/ diff --git a/user-guide/env_variables.md b/user-guide/env_variables.md deleted file mode 100644 index 6dc59a6c..00000000 --- a/user-guide/env_variables.md +++ /dev/null @@ -1,33 +0,0 @@ -# User Specific Environment Variables for the Desktop - -The usual place to set environment variables is `~/.bashrc`, but these variables influence only shell sessions, not all desktop programs. - -To influence all user spawned processes, you might add one or more `*.conf` files into -`~/.config/environment.d/`. - -Following example (`~/.config/environment.d/swiss.conf`) keeps all texts in original English, but changes date/date/paper sizes and other formating elements to what is usual locally in Switzerland: - -``` -LC_ADDRESS=de_CH.UTF-8 -LC_NAME=de_CH.UTF-8 -LC_MONETARY=de_CH.UTF-8 -LC_PAPER=de_CH.UTF-8 -LC_IDENTIFICATION=de_CH.UTF-8 -LC_TELEPHONE=de_CH.UTF-8 -LC_MEASUREMENT=de_CH.UTF-8 -LC_TIME=de_CH.UTF-8 -LC_COLLATE=C -LC_NUMERIC=de_CH.UTF-8 -``` -See the [manual](https://www.freedesktop.org/software/systemd/man/latest/environment.d.html#Configuration%20Format) about more details of the configuration format. - -Also be aware you need to have these files locally in your home directory, you cannot use links to your `U:`-drive from the ["Partially Shared Home"-feature](partially_shared_home) because they are not availabe so early in the session setup process. - -Note this does not work on RHEL7. - - - - - - - diff --git a/user-guide/evolution_for_o365.md b/user-guide/evolution_for_o365.md deleted file mode 100644 index 4bce189a..00000000 --- a/user-guide/evolution_for_o365.md +++ /dev/null @@ -1,76 +0,0 @@ -# Configure Evolution for 0ffice365 - -## Account and MFA ready? -Before connecting to Evolution to Office365, you need to have your MFA token/app configured. - -If you use an app or SMS, then you can set it up directly at [Microsoft](https://aka.ms/mfasetup). Note that when you select the app and use "Use verification code", then you can also use 3rd party OTP apps. - -For all the options check out the internal [knowledge base article](https://psi.service-now.com/kb_view.do?sysparm_article=KB0002928) - -## Software Installed? - -The package `evolution-ews` needs to be installed before starting. - - -## Configure Your Mail Account - -If you first open Evolution you get automatically to the "Mail Configuration Assistant", else you select in the "Edit" menu "Accounts", and then klick the "+Add" dropdown and select `Mail Account`. Then you should get - -![Welcome](evolution_for_o365/evolution01_wizard_welcome.png) - -Here go on with "Next", - -![Restore](evolution_for_o365/evolution02_wizard_restore.png) - -and with "Next" again - -![Identity](evolution_for_o365/evolution03_wizard_identity.png) - -and finally fill in your Name (as it should be shown in outgoing emails) and your email address. Also tell Evolution to not try to figure out the server itself. After continuing: - -![Receiving Email](evolution_for_o365/evolution04_wizard_receiving.png) - -Now change the "Server Type" to `Exchange Web Service`, enter as username again your email address and put `https://outlook.office365.com/EWS/Exchange.asmx` as "Host URL". -The "OAB URL" is `https://outlook.office365.com/OAB/e24cb15c-bdec-429a-ba66-9832440ba55e/oab.xml`. - -On the "Authentication" part select `OAuth2 (Office365)` and override the Office365 OAuth2 settings with - -Tenant: `50f89ee2-f910-47c5-9913-a6ea08928f11` -Application ID: `751cf8be-ca07-484b-9308-fac4b9d85eff` - -and then go on. There is nothing more to change: - -![Receiving Options](evolution_for_o365/evolution05_wizard_options.png) - -![Account Summary](evolution_for_o365/evolution06_wizard_summary.png) - -![Done](evolution_for_o365/evolution07_wizard_done.png) - -But then for authentication you then get a web popup: - -![Office365 account authentication request](evolution_for_o365/evolution08_oauth2_user.png) - -Here enter your email address - -![Office365 account authentication request MFA](evolution_for_o365/evolution09_oauth2_password.png) - -then enter your normal AD/Windows password - - -![Office365 account authentication request password](evolution_for_o365/evolution10_oauth2_2fa.png) - -Followed by your MFA approval (in the Authenticator app or with a token code). - -![Inbox](evolution_for_o365/evolution11_inbox.png) - -And finally enjoy your inbox. - - - - - - - - - - diff --git a/user-guide/evolution_for_o365/evolution01_wizard_welcome.png b/user-guide/evolution_for_o365/evolution01_wizard_welcome.png deleted file mode 100644 index f7f403e1..00000000 Binary files a/user-guide/evolution_for_o365/evolution01_wizard_welcome.png and /dev/null differ diff --git a/user-guide/evolution_for_o365/evolution02_wizard_restore.png b/user-guide/evolution_for_o365/evolution02_wizard_restore.png deleted file mode 100644 index c08b5168..00000000 Binary files a/user-guide/evolution_for_o365/evolution02_wizard_restore.png and /dev/null differ diff --git a/user-guide/evolution_for_o365/evolution03_wizard_identity.png b/user-guide/evolution_for_o365/evolution03_wizard_identity.png deleted file mode 100644 index 4fd8bda2..00000000 Binary files a/user-guide/evolution_for_o365/evolution03_wizard_identity.png and /dev/null differ diff --git a/user-guide/evolution_for_o365/evolution04_wizard_receiving.png b/user-guide/evolution_for_o365/evolution04_wizard_receiving.png deleted file mode 100644 index 09be62fa..00000000 Binary files a/user-guide/evolution_for_o365/evolution04_wizard_receiving.png and /dev/null differ diff --git a/user-guide/evolution_for_o365/evolution05_wizard_options.png b/user-guide/evolution_for_o365/evolution05_wizard_options.png deleted file mode 100644 index 8cc0f6eb..00000000 Binary files a/user-guide/evolution_for_o365/evolution05_wizard_options.png and /dev/null differ diff --git a/user-guide/evolution_for_o365/evolution06_wizard_summary.png b/user-guide/evolution_for_o365/evolution06_wizard_summary.png deleted file mode 100644 index 9fdf66d7..00000000 Binary files a/user-guide/evolution_for_o365/evolution06_wizard_summary.png and /dev/null differ diff --git a/user-guide/evolution_for_o365/evolution07_wizard_done.png b/user-guide/evolution_for_o365/evolution07_wizard_done.png deleted file mode 100644 index 7d7b7ccd..00000000 Binary files a/user-guide/evolution_for_o365/evolution07_wizard_done.png and /dev/null differ diff --git a/user-guide/evolution_for_o365/evolution08_oauth2_user.png b/user-guide/evolution_for_o365/evolution08_oauth2_user.png deleted file mode 100644 index b09e9757..00000000 Binary files a/user-guide/evolution_for_o365/evolution08_oauth2_user.png and /dev/null differ diff --git a/user-guide/evolution_for_o365/evolution09_oauth2_password.png b/user-guide/evolution_for_o365/evolution09_oauth2_password.png deleted file mode 100644 index 250fb72c..00000000 Binary files a/user-guide/evolution_for_o365/evolution09_oauth2_password.png and /dev/null differ diff --git a/user-guide/evolution_for_o365/evolution10_oauth2_2fa.png b/user-guide/evolution_for_o365/evolution10_oauth2_2fa.png deleted file mode 100644 index 1c855856..00000000 Binary files a/user-guide/evolution_for_o365/evolution10_oauth2_2fa.png and /dev/null differ diff --git a/user-guide/evolution_for_o365/evolution11_inbox.png b/user-guide/evolution_for_o365/evolution11_inbox.png deleted file mode 100644 index 14a9554f..00000000 Binary files a/user-guide/evolution_for_o365/evolution11_inbox.png and /dev/null differ diff --git a/user-guide/firefox_profile_per_host.md b/user-guide/firefox_profile_per_host.md deleted file mode 100644 index 7e2db0b4..00000000 --- a/user-guide/firefox_profile_per_host.md +++ /dev/null @@ -1,64 +0,0 @@ -# Per Host Default Profile for Firefox - -## Problem Description - -Firefox refuses to start with - -![error message Firefox already running](firefox_profile_per_host/firefox_already_running.png) - -if the user has the home directory on the network (AFS or NFS) and has Firefox already running on one computer and tries to start it on another computer. - -A solution is to have an individual default profile for each host. - -## Solution for Red Hat 7 - -Add to the bottom of `~/.bash_profile`: - -``` -if ! mountpoint -q ~/.mozilla/firefox; then - mkdir -p ~/.mozilla/firefox{_$(hostname --fqdn),} - bindfs --force-user="$(id -un)" --force-group="$(id -gn)" -o nonempty,no-allow-other ~/.mozilla/firefox_$(hostname --fqdn) ~/.mozilla/firefox -fi -``` - -and it will be ready with the next login. You may also run this code directly on the terminal if you wish to have it ready for the currently running session. - -## Solution for Red Hat 8 - -Create the file `~/.config/systemd/user/private-firefox-profile-per-host.service` with following content: - -``` -[Unit] -Description=Private Firefox Profile per Host - -[Service] -Type=oneshot -RemainAfterExit=true -ExecStart=bash -c 'if ! mountpoint -q "%h/.mozilla/firefox"; then mkdir -p "%h/.mozilla/firefox"{_%H,}; bindfs --force-user="$(id -un)" --force-group="$(id -gn)" -o nonempty,no-allow-other "%h/.mozilla/firefox_%H" "%h/.mozilla/firefox"; fi' -ExecStop=fusermount -u %h/.mozilla/firefox - -[Install] -WantedBy=default.target -``` - -To have it started automatically a symlink is needed from -`~/.config/systemd/user/default.target.wants/private-firefox-profile-per-host.service` to `../private-firefox-profile-per-host.service`, e.g. to be created with given user: - -``` -systemctl --user enable private-firefox-profile-per-host.service -``` -It will be available after the next login. To start it immediately run - -``` -systemctl --user start private-firefox-profile-per-host.service -``` - - -## Technical Discussion - -The solution does a bind mount from `~/.mozilla/firefox_$FQDN` to `~/.mozilla/firefox` (and ensures that both directories exist). As normal user without special admin privileges it is not possible to do a normal bind mount. The alternative used here is `bindfs`, a tool implementing bind mounts as user space tool (FUSE) and runs without special privileges. - -One can install both the RHEL 7 and the RHEL 8 solution at the same time, they are tolerant to each other. - -The special solution for RHEL 7 is required because Red Hat patched out the support for `systemd --user`. An issue with this solution is that the bind mount is never cleared. It is ensured that there is only one per user, but this one stays until the machine shuts down or it is manually unmounted. But the the tool is slim and uses less than 1 MB resident memory per instance. - diff --git a/user-guide/firefox_profile_per_host/firefox_already_running.png b/user-guide/firefox_profile_per_host/firefox_already_running.png deleted file mode 100644 index c0470f4f..00000000 Binary files a/user-guide/firefox_profile_per_host/firefox_already_running.png and /dev/null differ diff --git a/user-guide/gnome_desktop_icons.md b/user-guide/gnome_desktop_icons.md deleted file mode 100644 index 2a44fef8..00000000 --- a/user-guide/gnome_desktop_icons.md +++ /dev/null @@ -1,41 +0,0 @@ -# Gnome Desktop Icons - -By default Gnome does not show any more icons on the desktop since version 3. - -This guide will show how to bring them back. - -## Enable Desktop Icon Extension -Start the "Tweak" tool: - - -![Start "Tweak"](gnome_desktop_icons/start_tweak.png) - - -![Select "Extensions"](gnome_desktop_icons/select_extensions.png) - -Therein select "Extensions" on the left: - -![Extensions dialog](gnome_desktop_icons/extensions.png) - -Now the second entry "Desktop icons" on the right allows you enable them. - -![Desktop icons enabled](gnome_desktop_icons/desktop_icons_enabled.png) - -Now you can close the tool. - -## Allow to Launch Desktop Files - -By default the `*.desktop` files in the `~/Desktop` folder are not executed, they are presented like normal textfiles instead. To change this right-click onto the .desktop file and select "Allow Launching": - -![Desktop icons enabled](gnome_desktop_icons/allow_launching.png) - -After you can start them with a click: - -![Desktop icons enabled](gnome_desktop_icons/launched.png) - - - - - - - diff --git a/user-guide/gnome_desktop_icons/allow_launching.png b/user-guide/gnome_desktop_icons/allow_launching.png deleted file mode 100644 index 5778c661..00000000 Binary files a/user-guide/gnome_desktop_icons/allow_launching.png and /dev/null differ diff --git a/user-guide/gnome_desktop_icons/desktop_icons_enabled.png b/user-guide/gnome_desktop_icons/desktop_icons_enabled.png deleted file mode 100644 index fc5afc9d..00000000 Binary files a/user-guide/gnome_desktop_icons/desktop_icons_enabled.png and /dev/null differ diff --git a/user-guide/gnome_desktop_icons/extensions.png b/user-guide/gnome_desktop_icons/extensions.png deleted file mode 100644 index e6bd24ed..00000000 Binary files a/user-guide/gnome_desktop_icons/extensions.png and /dev/null differ diff --git a/user-guide/gnome_desktop_icons/launched.png b/user-guide/gnome_desktop_icons/launched.png deleted file mode 100644 index 34ddc1f2..00000000 Binary files a/user-guide/gnome_desktop_icons/launched.png and /dev/null differ diff --git a/user-guide/gnome_desktop_icons/select_extensions.png b/user-guide/gnome_desktop_icons/select_extensions.png deleted file mode 100644 index f0bd97ee..00000000 Binary files a/user-guide/gnome_desktop_icons/select_extensions.png and /dev/null differ diff --git a/user-guide/gnome_desktop_icons/start_tweak.png b/user-guide/gnome_desktop_icons/start_tweak.png deleted file mode 100644 index 60558e6f..00000000 Binary files a/user-guide/gnome_desktop_icons/start_tweak.png and /dev/null differ diff --git a/user-guide/gnome_screenshots.md b/user-guide/gnome_screenshots.md deleted file mode 100644 index b9cdae13..00000000 --- a/user-guide/gnome_screenshots.md +++ /dev/null @@ -1,23 +0,0 @@ -# Gnome Screenshots and Screencasts - -Gnome has a build in screenshot and screencast application. You can use following shortcuts to easily use this functionality: - -- __PrintScreen__: Take a screenshot of the desktop -- __Alt + PrintScreen__: Take screenshot of the current active window -- __Shift + PrintScreen__: Take a screenshot of an area you select - -With all shortcuts the screenshots will end up in the _Pictures_ folder in your home directory. If you don't have a _Pictures_ folder the files will end up in your home folder. - - -You can also hold down __Ctrl__ with any of the above shortcuts to copy the screenshot image to the clipboard instead of saving it. - - -To create a screencast of your desktop you can use following shortcuts: - - - __Ctrl+Alt+Shift+R__: Start recording - - __Ctrl+Alt+Shift+R__: Stop recording - -The video is automatically saved in your _Videos_ folder in your home folder. If you don't have a _Videos_ folder the files will end up in your home folder. - - -Reference: https://help.gnome.org/users/gnome-help/stable/screen-shot-record.html.en diff --git a/user-guide/index.md b/user-guide/index.md deleted file mode 100644 index 2aa1fa0d..00000000 --- a/user-guide/index.md +++ /dev/null @@ -1,22 +0,0 @@ -# User Guide - -This guide contains tricks and recipies for end users using Red Hat Enterprise Linux 7 or 8 as provided by the Core Linux Research Services group. - -- [Login Servers](login_servers) -- [Linux Terminalserver](linux_terminalserver) -- [Access same Network Drives as Windows](windows_drives_in_home) -- [Partially Shared Home - Automatically Link Files in Home](partially_shared_home) -- [MFA / OTP - Multi Factor Authentication](MFA) -- [Microsoft Teams](ms_teams) -- [Connect Evolution with Office365](evolution_for_o365) -- [Connect Thunderbird with Office365](thunderbird_for_o365) -- [Desktop Icons in Gnome](gnome_desktop_icons) -- [Remote Access with RDP](xrdp) -- [RDP Access to winterm4(Windows)](https://psi.service-now.com/kb_view.do?sys_kb_id=c3fc386e8788dd10bc150d830cbb358a&sysparm_language=en&sysparm_nostack=true&sysparm_no_create_incident=&sysparm_no_rating=&sysparm_no_suggest=&sysparm_no_update=) -- SSH asks to accept key on unknown host -> [SSH Host Key Certificates](ssh_host_key_certificates) -- [SSH Client Configuration](ssh_client_config) -- How to set [User Specific Environment Variables for the Desktop](env_variables) -- Firefox refuses to start with home directory on the network drive -> [Per Host Default Profile for Firefox](firefox_profile_per_host) -- [Kerberos for Long Running Programs/Simulations/Shell Sessions](kerberos_lifetime) -- [Start Long Running Programs/Simulations with mpirun](mpirun) -- AFS `permission denied` when using Putty -> [SSH Access from Windows using Putty](putty) diff --git a/user-guide/kerberos_lifetime.md b/user-guide/kerberos_lifetime.md deleted file mode 100644 index 96ae5730..00000000 --- a/user-guide/kerberos_lifetime.md +++ /dev/null @@ -1,15 +0,0 @@ -# Kerberos for Long Running Programs/Simulations/Shell Sessions - -Kerberos tickets get invalid at some point and after they can not be used for authentication any more. This results in e.g. AFS or ssh refusing access. - -To check when this will be run `klist` and in the output check below `krbtgt/D.PSI.CH@D.PSI.CH` the `renew until` timestamp: - -``` -Valid starting Expires Service principal -17.03.2023 09:25:20 17.03.2023 19:25:03 krbtgt/D.PSI.CH@D.PSI.CH - renew until 24.03.2023 09:25:08 -``` - -To seamlessly continue you need to obtain a new Kerberos ticket before by running `kinit`. -It will then ask your password and after sucessful authentication there will be a newly acquired Kerberos ticket which will do it again one week. - diff --git a/user-guide/linux_terminalserver.md b/user-guide/linux_terminalserver.md deleted file mode 100644 index 4960d49a..00000000 --- a/user-guide/linux_terminalserver.md +++ /dev/null @@ -1,44 +0,0 @@ -# Linux Terminalserver - -It is possible connect to a Linux terminal server using -- RDP/Remote Desktop Connection: `lx-term.psi.ch` -- Browser: [nx-term.psi.ch](https://nx-term.psi.ch) -- NoMachine: `nx-term.psi.ch` - -A disconnected session will be automatically **closed after 4 days**. And on the first Monday of the month the servers get updated and rebooted which will also end all running sessions. - -There is no backup of the data located on this servers, e.g. in your home directory. - -## RDP to lx-term.psi.ch - -You can use "Remote Desktop Connection" or any other RDP client like Remmina or xfreerdp to connect to lx-term.psi.ch and log in with your PSI AD account: - -![Start Remote Desktop Connection](linux_terminalserver/rdp_connect.png) - -![login on terminalserver](linux_terminalserver/rdp_login.png) - -## Browser to nx-term.psi.ch -Connect your web browser [https://nx-term.psi.ch](https:nx-term.psi.ch) and log in with your PSI AD account: - - -![connect browser](linux_terminalserver/browser_connect.png) - -## NoMachine to nx-term.psi.ch - -Note that the normal free NoMachine product is not licensed for academic use. Please download the NoMachine Enterprise Client (at the bottom of the [download page](https://downloads.nomachine.com/download-enterprise/)) which is free to use as well. - -To connect start the NoMachine client. On the first time you need to create a new connection by clicking on "Add" below "Machines" on the top left: - -![nx add connection](linux_terminalserver/nx_add.png) - -Now configure the connection with "Host" `nx-term.psi.ch`, a recognizable name at "Name" and finally click on the "Add" button in the top right corner: - -![nx configure connection](linux_terminalserver/nx_configure.png) - -There is a new icon with given name to double click on: - -![nx connect](linux_terminalserver/nx_connect.png) - -Finally enter your PSI AD username and password: - -![nx login](linux_terminalserver/nx_login.png) diff --git a/user-guide/linux_terminalserver/browser_connect.png b/user-guide/linux_terminalserver/browser_connect.png deleted file mode 100644 index a9ae7b55..00000000 Binary files a/user-guide/linux_terminalserver/browser_connect.png and /dev/null differ diff --git a/user-guide/linux_terminalserver/nx_add.png b/user-guide/linux_terminalserver/nx_add.png deleted file mode 100644 index 56ee2a5a..00000000 Binary files a/user-guide/linux_terminalserver/nx_add.png and /dev/null differ diff --git a/user-guide/linux_terminalserver/nx_configure.png b/user-guide/linux_terminalserver/nx_configure.png deleted file mode 100644 index 7a616db9..00000000 Binary files a/user-guide/linux_terminalserver/nx_configure.png and /dev/null differ diff --git a/user-guide/linux_terminalserver/nx_connect.png b/user-guide/linux_terminalserver/nx_connect.png deleted file mode 100644 index 043f582e..00000000 Binary files a/user-guide/linux_terminalserver/nx_connect.png and /dev/null differ diff --git a/user-guide/linux_terminalserver/nx_login.png b/user-guide/linux_terminalserver/nx_login.png deleted file mode 100644 index 9cfbf26b..00000000 Binary files a/user-guide/linux_terminalserver/nx_login.png and /dev/null differ diff --git a/user-guide/linux_terminalserver/rdp_connect.png b/user-guide/linux_terminalserver/rdp_connect.png deleted file mode 100644 index 341eedef..00000000 Binary files a/user-guide/linux_terminalserver/rdp_connect.png and /dev/null differ diff --git a/user-guide/linux_terminalserver/rdp_login.png b/user-guide/linux_terminalserver/rdp_login.png deleted file mode 100644 index da747fc3..00000000 Binary files a/user-guide/linux_terminalserver/rdp_login.png and /dev/null differ diff --git a/user-guide/login_servers.md b/user-guide/login_servers.md deleted file mode 100644 index a64fbf45..00000000 --- a/user-guide/login_servers.md +++ /dev/null @@ -1,12 +0,0 @@ -# Login Servers - -There are 3 login servers available for users at PSI: - -* login00.psi.ch -* login01.psi.ch -* login02.psi.ch - -People in following groups have access to this service: - -* All PSI employees (i.e. members of the Unix group `unx-lx_users`) -* All external users (i.e. members of the Unix group `unx-lx_ext_users`) diff --git a/user-guide/mpirun.md b/user-guide/mpirun.md deleted file mode 100644 index 04fae4d6..00000000 --- a/user-guide/mpirun.md +++ /dev/null @@ -1,13 +0,0 @@ -# Start Long Running Programs/Simulations with `mpirun` - -If you want to start a program with `mpirun` or based on `mpirun` in a shell session and to exit after, then `nohup`, `screen` or `tmux` are not sufficient. On exit you might get an error like -``` -mpirun noticed that process rank 0 with PID 26312 on node lcth31 exited on signal 0 (Unknown signal 0). -``` - -To avoid this, use `disown`: - -``` -nohup [command] & disown -``` - diff --git a/user-guide/ms_teams.md b/user-guide/ms_teams.md deleted file mode 100644 index c9920c81..00000000 --- a/user-guide/ms_teams.md +++ /dev/null @@ -1,19 +0,0 @@ -# Microsoft Teams - -There is no Microsoft Teams client package that you can install on Linux. The official client provided by Microsoft is a PWA ([Progressive Web App](https://en.wikipedia.org/wiki/Progressive_web_app)) - -For this to work you need an up-to-date browser on your linux system. - -To "install" the app simply point your browser to: https://teams.microsoft.com - -Afterwards you should have the full teams functionality available. - -More details to come ... - - -## References -- https://learn.microsoft.com/en-us/microsoftteams/troubleshoot/teams-on-linux/linux-known-issues -- https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-teams-progressive-web-app-now-available-on-linux/bc-p/3690597 -- https://learn.microsoft.com/en-gb/microsoftteams/get-clients?tabs=Windows -- https://learn.microsoft.com/en-us/answers/questions/1195828/microsoft-teams-on-linux-desktop - diff --git a/user-guide/order_linux_system.md b/user-guide/order_linux_system.md deleted file mode 100644 index 9ade85de..00000000 --- a/user-guide/order_linux_system.md +++ /dev/null @@ -1,22 +0,0 @@ -# Order / Replacement Linux System / Console -To order a new/replacement Linux system / console proceed to the ServiceNow Service Catalog > IT > IT Workspace. -After choosing the hardware you might want to add additional information into the __Additional order information__ field so that your order can be processed faster: - -- Operating system Linux RHEL8, RHEL9 ... -- Purpose of the hardware - - Is it a workstation or beamline/endstation console? - - Is additional hardware needed - e.g. additional graphics card to connect multiple monitors -- Is it a replacement for an existing system? If yes, which system? should the name be kept? - -- Hostname -- Hiera environment (if you don't know what this is - please ignore) -- Puppet group/subgroup (if you don't know what this is - please ignore) -- Network (role in PacketFence) - -# Reinstallation -For a reinstallation of a system please open a general ServiceNow ticket. Important information that should be included in the ticket are: - -- Information on whether this system was a Windows system before? -- MAC address -- Hiera environment (if you don't know what this is - please ignore) -- Puppet group/subgroup (if you don't know what this is - please ignore) diff --git a/user-guide/partially_shared_home.md b/user-guide/partially_shared_home.md deleted file mode 100644 index 83d8270e..00000000 --- a/user-guide/partially_shared_home.md +++ /dev/null @@ -1,58 +0,0 @@ -# Partially Shared Home - Automatically Link Files in Home - User Guide - -Shared homes create a set of problems depending on how much a software can handle running multiple instances of the same software, maybe with different version, on different hosts, probably at the same time. -Still it is useful to have certain tool settings always with you. - -With the "Partially Shared Home" feature you can selectively configure what configuration file or directory shall be made available on all the different machines. Talk to your system admin or check the [admin guide](../admin-guide/configuration/files/partially_shared_home) to make that feature available on a specific system. - -The configuration file is on your CIFS home drive, also known as U: drive. It needs to be in the base directory and has to be named `linux_home_links.yaml` or `.linux_home_links.yaml`. -Below an example with many different use cases which assumes you would like to have your Linux configuration files in a `linux_config` subdirectory on U: -``` -link: - # ssh configuration directory - '.ssh': - to: 'network_drives/home/linux_config/ssh' - - # git - '.gitconfig': - to: 'network_drives/home/linux_config/gitconfig' - - # vim - '.vimrc': - to: 'network_drives/home/linux_config/vimrc' - - # emacs - '.config/emacs/init.el': - to: 'network_drives/home/linux_config/emacs_init.el' - - # bash - # RHEL 9 bashrc includes - 'bashrc.d': - to 'network_drives/home/linux_config/bashrc.d - # this does not work as usually a ~/.bashrc is installed automatically from /etc/skel - # '.bashrc': - # to 'network_drives/home/linux_config/bashrc - - # any other file or directory to show up -``` -(if you have more use cases to add, please contact the [Linux Core Group](mailto:linux-eng@psi.ch)) - -Note that if the intended symlink location already exists (e.g `.ssh`), then it will keep the file or directory. -But an alredy exiting symlink will be updated. - -If you beleave not everything is linked properly or to check if everything is fine, have a look at your log: - -``` -$ journalctl -S today -... -Nov 22 14:11:44 lxdev08.psi.ch systemd[1940551]: Starting Create links in home according to U:\linux_home_links.yaml... -Nov 22 14:11:44 lxdev08.psi.ch create-automatic-links-in-home[1940731]: error processing '.bashrc': [Errno 17] File exists: 'network_drives/home/linux_config/bashrc' -Nov 22 14:11:44 lxdev08.psi.ch systemd[1940551]: Finished Create links in home according to U:\linux_home_links.yaml. -... -$ -``` - -Or you run directly `/opt/pli/bin/create-automatic-links-in-home`, also if you want to have your changes in the configuration file applied immediately. - - - diff --git a/user-guide/putty.md b/user-guide/putty.md deleted file mode 100644 index 14987cad..00000000 --- a/user-guide/putty.md +++ /dev/null @@ -1,25 +0,0 @@ -# SSH Access from Windows using Putty - -## Kerberos/AFS Failures with Default Settings - -The default settings of Putty allow to connect to a Linux host. But when there are services depending on Kerberos like AFS then that will fail: - -![Failing AFS](putty/missing_kerberos_ticket_delegation.png) - -This is due to missing Kerberos ticket delegation. Note that you may recover from this on the Linux shell by entering `kinit` and then your password to opain a new Kerberos ticket and `aklog` to log into AFS. - -## Disable Kerberos in Putty - -To avoid this issue disable Kerberos in Putty. You will then need to enter your password, but that will setup Kerberos properly on the destination machine. - -In the Putty settings select "Connection" -> "SSH" -> "Auth" -> "GSSAPI" and there remove all ticks. - -![Working AFS](putty/working_new_kerberos_ticket.png) - -## Kerberos Details for Long Running Programs/Simulations -Kerberos tickets get invalid at some point after AFS will refuse access. - -To check when this will be run `klist` and in the output check below `krbtgt/D.PSI.CH@D.PSI.CH` the `renew until` timestamp. -To seamlessly continue you need to obtain a new Kerberos ticket before by running `kinit`. -It will then ask your password and after sucessful authentication there will be a newly acquired Kerberos ticket which will do it for one week and AFS is happy as long too. - diff --git a/user-guide/putty/missing_kerberos_ticket_delegation.png b/user-guide/putty/missing_kerberos_ticket_delegation.png deleted file mode 100644 index 490974a5..00000000 Binary files a/user-guide/putty/missing_kerberos_ticket_delegation.png and /dev/null differ diff --git a/user-guide/putty/working_new_kerberos_ticket.png b/user-guide/putty/working_new_kerberos_ticket.png deleted file mode 100644 index 833c53c3..00000000 Binary files a/user-guide/putty/working_new_kerberos_ticket.png and /dev/null differ diff --git a/user-guide/ssh_client_config.md b/user-guide/ssh_client_config.md deleted file mode 100644 index 286b71cc..00000000 --- a/user-guide/ssh_client_config.md +++ /dev/null @@ -1,105 +0,0 @@ -# SSH Client Configuration - -Here you find suggestions and best practices for a SSH client configuration file `~/.ssh/config`. -The assumption is that you are working at the PSI campus or are connected over VPN using `AnyConnect` or `openconnect`. - -A good SSH config is a rather personal thing. First there are useful defaults, then starting points for common use cases. -The last chapter contains the details and explanations useful for a even more streamlined configuration. - -## TLDR; common defaults -``` -# useful defaults -ControlPersist 3h -ControlPath ~/.ssh/controlmasters/%r@%h:%p -HashKnownHosts no -AddKeysToAgent yes -ServerAliveInterval 300 -ServerAliveCountMax 2 -``` -These are suitable everywhere. - -## TLDR; I work on a beamline -``` -# beamline x09lb -Host x09lb-* !x09lb-gw* - ProxyJump x09lb-gw.psi.ch - GSSAPIDelegateCredentials yes - ForwardAgent yes - ForwardX11Trusted yes - ControlMaster auto -``` -Add all the machines of your beamline (`*` and `?` wildcards allowed) at the host selection line and exclude the gateway at the end. Then update at "ProxyJump" the gateway accordingly. - -## TLDR; I run a few servers - -``` -Host wmgt0* - ControlMaster auto - -# my trusted machines I usually connect as root -Host lx-* - User root - ProxyJump wmgt02.psi.ch - GSSAPIDelegateCredentials yes - ForwardAgent yes - ControlMaster auto -``` - -## TLDR; I connect to all over the PSI -``` -Host wmgt0* - ControlMaster auto - GSSAPIDelegateCredentials no - ForwardAgent no - -# gateways -Host *-gw* cptgate* ucsgw* - ProxyJump wmgt02.psi.ch - -# beamlines -Host x09lb-* !x09lb-gw* - ProxyJump x09lb-gw - -# more of them... - -# default fallback Jumphost -Host pc* mpc* vpc* vmpc* - ProxyJump wmgt02.psi.ch - -# do trusted connecion by using FQDN (needed for AFS access, etc.) -Host *.psi.ch - GSSAPIDelegateCredentials yes - ForwardAgent yes - -``` - -Here we by default do not trust the machines we connect to, e.g. we do not delegate the Kerberos TGT, do not forward the SSH agent and do not do X forwarding, stuff which could be abused when the destination machine is compromised or run by an hostile admin. -Features requiring trust are selected on a case by case basis when needed (e.g. for AFS) by using their FQDN instead of just the short name. - -Alternatively you might use -- `ssh -K` for `GSSAPIDelegateCredentials yes` (Kerberos TGT delegation) -- `ssh -A` for `ForwardAgent yes` -- `ssh -X` for `ForwardX11 yes` -- `ssh -Y` for `ForwardX11Trusted yes` - -But note that for tools like scp or rsync these options are difficult to pass in. - -If you have trusted servers and/or beamlines, just include for them the according parts of the previous chapters. - -## Glory Details - -The full feature set you get at [`ssh_config(5)`](https://man.openbsd.org/ssh_config). - - -### Multiplexing Master Connection - -The master connection (`ControlMaster auto`) multiplexes several connections over the first connection. This means that the connection setup and authentication step is only done once and so you get a single-signon behaviour (especially useful for `wmgt01` and `wmgt02`) and a faster connection setup for subsequent connections. The `ControlPersist` setting defines for how long the master connection will stay after the last user connection has been closed. - - -### Stale Connection Detection -A stale connection will be closed after 10 minutes with the suggested default settings: -``` -ServerAliveInterval 300 -ServerAliveCountMax 2 -``` -When there is no traffic it will send an alive message every 5 minutes and when two of them did not get a response it closes the connection. diff --git a/user-guide/ssh_host_key_certificates.md b/user-guide/ssh_host_key_certificates.md deleted file mode 100644 index 30af7ac2..00000000 --- a/user-guide/ssh_host_key_certificates.md +++ /dev/null @@ -1,19 +0,0 @@ -# SSH Host Key Certificates - -The SSH host keys of Puppet managed Linux hosts have a certficate which avoids below key acceptance question: - -``` -$ ssh hipa-gw -The authenticity of host 'hipa-gw (129.129.197.23)' can't be established. -ECDSA key fingerprint is SHA256:aRuVOefLvadIyDTxlSglDNylKG6eww2ZW0ddZs97dUo. -ECDSA key fingerprint is MD5:a8:be:15:24:9c:2b:82:7f:9d:9f:88:3f:e4:8c:df:cd. -Are you sure you want to continue connecting (yes/no)? -``` - -To accept SSH host keys with a certificate, please update either `~/.ssh/known_hosts` (your user only) or `/etc/ssh/ssh_known_hosts` (system-wide) as follows: - -``` -# SSH host key certficate CA manged by PSI Puppet -@cert-authority * ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2xLCCHNmXSeY+qNPmdo/jO2AXrcHyQDqZLBzWVwk2/GqMRDl4mavZLBPyQPNeLGAPc+BHg7iRC65wQQEeYOVU= -@cert-authority * ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhIx/obIiiO9AtrUgj7pF8kAgv4g9Dp+DRXilkmlkxK -``` diff --git a/user-guide/thunderbird_for_o365.md b/user-guide/thunderbird_for_o365.md deleted file mode 100644 index 5ead2ebc..00000000 --- a/user-guide/thunderbird_for_o365.md +++ /dev/null @@ -1,234 +0,0 @@ -# Configure Thunderbird for 0ffice365 - -This guide shows how to access e-mail, address book and calendar with Thunderbird. - -## Account and MFA ready? -Before connecting to Thunderbird to Office365, you need to have your MFA (Multi-Factor-Authentication) token/app configured. - -If you use an app or SMS, then you can set it up directly at [Microsoft](https://aka.ms/mfasetup). Note that when you select the app and use "Use verification code", then you can also use 3rd party OTP apps. - -For all the options check out the internal [knowledge base article](https://psi.service-now.com/kb_view.do?sysparm_article=KB0002928) - - -## Software Installed? - -The package `thunderbird` needs to be installed before starting. - - -## Import PSI TLS Interception CA Certificate - -Inside the PSI network access to E-Mail services using IMAP is protected by automatic malware scanning. - -You get the [certificate in a zip file](https://drive.switch.ch/index.php/s/VK5zE9c0RRKIH8i/download) and unpack it. - -Open Thunderbird. If this is your first account, it will show a account setup assisant which you can exit or close. - -![Open Settings](thunderbird_for_o365/thunderbird01_open_settings.png) - -Then open the hamburger menu at the top right and select "Settings". - -![Search for Certificate Settings](thunderbird_for_o365/thunderbird02_certificate_settings.png) - -There type `certificate` into the search box at the top right. Then press below the "Manage Certificates..." button. - -![Certificate Manager Dialog](thunderbird_for_o365/thunderbird02b_certficate_dialog.png) - -Open the "Authorities" tab. - -![Search for Certificate Settings](thunderbird_for_o365/thunderbird03_certificate_import.png) - -Here click on "Import..." and then select the previously downloaded and unpacked file "cert_PSI_FW_SSL_Scanner_TRUST.crt". - -![Trust Certificate](thunderbird_for_o365/thunderbird04_trust_certificate.png) - -Now tick the checkbox "Trust this CA to identify websites" and confirm this and the previous dialog with "OK". Finally close the "Settings" tab. - - -## Configure Your Mail Account - -To add a new account open the hamburger menu on the top right. There choose "New" -> "Existing Mail Account...". - -![Set Up Your Existing Email Address](thunderbird_for_o365/thunderbird05_address_entry.png) - -Here please enter first the full name (as it should be shown in outgoing emails) and your email address. As no password is used yet remove the "Remember password" tick and go on by clicking the small "Configure manually" link, which opens more options below: - -![Incoming Server Options](thunderbird_for_o365/thunderbird06_incoming_server_entry.png) - -For "INCOMING SERVER" set the "Hostname" to `outlook.office365.com`, the "Port" to `993` and select `SSL/TLS` in the "Connection security" dropdown if that does not happen automatically. For "Authentication method" select `OAuth2`. - -![Outgoing Server Options](thunderbird_for_o365/thunderbird07_outgoing_server_entry.png) - -For "OUTGOING SERVER" set the "Hostname" to `smtp.office365.com`, the "Port" to `587` and select `STARTTLS` in the "Connection security" dropdown. For "Authentication method" select `OAuth2` and then finish by clicking on "Done". - -![OAuth2 Login](thunderbird_for_o365/thunderbird08_oauth_login.png) - -This is followed by a Microsoft login page where you need to enter your normal PSI AD/Windows password, maybe asking for second factor authentification (Authenticator app or token code). - -![Done](thunderbird_for_o365/thunderbird09_success.png) - -With successful authentication you then close the "Account Setup" tab and enjoy the inbox or use one of the direct links for further configuration tuning, for some of them see the next two chapters. - - -## Use O365 Default Folders - -Thunderbird and O365 use by default different folders for sent and deleted messages. - -![Open Account Settings](thunderbird_for_o365/thunderbird10_account_settings.png) - -Via the hamburger menu at the top right open the "Account Settings" window. - - -### Folder for Deleted Messages - -![Account Settings for Deleted Messages](thunderbird_for_o365/thunderbird11_deleted_folder.png) - -Then select for your account "Server Settings" and there select the "Deleted Items" entry in the dropdown menu "When I delete a message: Move it to this folder:". - -This only needs to be done once, because after Thunderbird has marked the folders once on the server any other Thunderbird instance connecting to it will automatically use the correct folder. - - -### Folder for Sent Messages - -![No Sent Messages Copy](thunderbird_for_o365/thunderbird12_no_copy_of_sent_messages.png) - -O365 seams to automatically put on server side a copy into the "Sent Items" folder, so Thunderbird does not need to do so. -Go to "Copies & Folders" of your account and untick below "When sending messages, automatically:" the "Place a copy in:" option. - -Best you send now a test message and check if you get a copy in "Sent Items". - - -## Addressbook with PSI Email Adresses - -![Open Settings](thunderbird_for_o365/thunderbird01_open_settings.png) - -Open again the "Settings". - -![Search for Directory](thunderbird_for_o365/thunderbird30_directory_settings.png) - -There type `directory` into the search box at the top right. Then select below the "Directory Server" checkbox, followed by clicking the "Edit Directories..." button. - -![Add new Directory](thunderbird_for_o365/thunderbird31_add_directory.png) - -On the newly opened dialog click on "Add". - -![Edit Directory Settings](thunderbird_for_o365/thunderbird32_new_directory_settings.png) - -Here fill in the following: -Name: `PSI AD` -Hostname: `d.psi.ch` -Base DN: `ou=PSI,dc=d,dc=psi,dc=ch` -Port number: `636` -Bind DN: `CN=$USER,OU=users,OU=psi,DC=d,DC=psi,DC=ch`, where you replace `$USER` with your Windows/AD login name. - -Also select the "Use secure connection (SSL)" checkbox. - -Next click on the "Advanced" tab. - -![Edit Advanced Directory Settings](thunderbird_for_o365/thunderbird33_advanced_directory_settings.png) - -Here set the "Search filter" to `(mail=*)`, then press "OK". - - -![Close Directory Settings](thunderbird_for_o365/thunderbird34_close_directory_settings.png) - -Another time click "OK" - -![Select PSI AD Directory](thunderbird_for_o365/thunderbird35_select_directory.png) - -Now select in the "Directory Server" dropdown the newly added `PSI AD` directory. - - -![Config Editor](thunderbird_for_o365/thunderbird36_config_editor.png) - -Now open the "Config Editor", you find it fastest by entering `editor` at the search field in the top right. - -![Config Editor Opened](thunderbird_for_o365/thunderbird37_config_editor_open.png) - -Therein search for `displayname` - -![Config Editor Search](thunderbird_for_o365/thunderbird38_config_editor_search.png) - -and on the line "ldap_2.servers.default.attrmap.DisplayName" click onto the edit button on the right. - -![Change DisplayName](thunderbird_for_o365/thunderbird39_config_editor_change.png) - -Now change the value to `displayName`. Save it with the save button on the right side. Then close the "Config Editor" and the "Settings" tab. Then close Thunderbird as the last configuration change is only active after restart. - -The next time you write a new message and enter something into the "To" line, - -![Directory Password](thunderbird_for_o365/thunderbird40_directory_password.png) - -you need to enter your Windos/AD password and then it will also search the PSI wide user directory. - - -## Calendar Integration - -The calendar can be synchronized using the [TbSync](https://github.com/jobisoft/TbSync) add-on. - -![Open Add-on Manager](thunderbird_for_o365/thunderbird60_open_addons.png) - -Open the hamburger menu at the top right and select "Add-ons and Themes". - -![Search tbsync in Add-on Manager](thunderbird_for_o365/thunderbird61_search_tbsync.png) - -In the Add-on Manager search in the top right search box for `tbsync`. - -![Install tbsync in Add-on Manager](thunderbird_for_o365/thunderbird62_select_tbsync.png) - -In the result list below click on the button "+ Add to Thunderbird" for the "TBSync" result line. - -![Install tbsync in Add-on Manager](thunderbird_for_o365/thunderbird63_install_tbsync.png) - -Now click on "Add" - -![Installed tbsync in Add-on Manager](thunderbird_for_o365/thunderbird64_installed_tbsync.png) - -and "OK. - -![Installed tbsync in Add-on Manager](thunderbird_for_o365/thunderbird65_select_eas.png) - -Next we also need the connector to O365, so please also look for the "Provider for Exchange ActiveSync" and click on that line again the button "+ Add to Thunderbird". - -![Install Provider for Exchange ActiveSync in Add-on Manager](thunderbird_for_o365/thunderbird66_install_eas.png) - -Here again click on "Add" - -![Install Provider for Exchange ActiveSync in Add-on Manager](thunderbird_for_o365/thunderbird67_installed_eas.png) - -and "OK". - -![Open TbSync](thunderbird_for_o365/thunderbird68_open_tbsync.png) - -To configure TbSync click onto "TbSync: Idle" on very right in the footer of the Thunderbird window. - -![Add Exchange ActiveSync](thunderbird_for_o365/thunderbird69_add_exchange_activesync_account.png) - -To add a new account, open the dropdown "Account actions" at the bottom left. Therein select "Add new account" and "Exchange ActiveSync". - -![Enter information for Exchange ActiveSync account](thunderbird_for_o365/thunderbird70_add_o365_account.png) - -In this dialog select "Microsoft Office 365", then at "Account name" add suitable name for the calendar, followed by the respective email address in the field "User name (email address)". Finish with clicking onto "Add account". - -![Authenticate at O365](thunderbird_for_o365/thunderbird71_o365_oauth.png) - -Now authenticate with Microsoft. - -![Enable O365 calendar sync](thunderbird_for_o365/thunderbird72_activate_o365_calendar_sync.png) - -Now with the account set up enable the checkbox "Enable and synchronize this account". - -![Configure O365 calendar sync](thunderbird_for_o365/thunderbird73_configure_o365_calendar_sync.png) - -In the now newly shown configuration pane select the parts you want to synchronize (probably "Calendar", maybe also "Contacts". -Further below set the "Periodic synchronization (in minutes)" to a value like `10` to allow for automatic synchronization. -Now start manually a synchronization by pressing the "Synchronize Now" button. - -![O365 calendar sync done](thunderbird_for_o365/thunderbird74_o365_calendar_sync_done.png) - -Now all "Status" should be "OK". Close the "TbSync account manager" dialog. - - -![O365 calendar sync done](thunderbird_for_o365/thunderbird75_open_calendar.png) - -Finally you can enjoy your calendar. - diff --git a/user-guide/thunderbird_for_o365/thunderbird01_open_settings.png b/user-guide/thunderbird_for_o365/thunderbird01_open_settings.png deleted file mode 100644 index 3b920912..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird01_open_settings.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird02_certificate_settings.png b/user-guide/thunderbird_for_o365/thunderbird02_certificate_settings.png deleted file mode 100644 index cd28c170..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird02_certificate_settings.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird02b_certficate_dialog.png b/user-guide/thunderbird_for_o365/thunderbird02b_certficate_dialog.png deleted file mode 100644 index 9b09cd67..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird02b_certficate_dialog.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird03_certificate_import.png b/user-guide/thunderbird_for_o365/thunderbird03_certificate_import.png deleted file mode 100644 index 5917bf7d..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird03_certificate_import.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird04_trust_certificate.png b/user-guide/thunderbird_for_o365/thunderbird04_trust_certificate.png deleted file mode 100644 index 5143bba3..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird04_trust_certificate.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird05_address_entry.png b/user-guide/thunderbird_for_o365/thunderbird05_address_entry.png deleted file mode 100644 index ecb1f165..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird05_address_entry.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird06_incoming_server_entry.png b/user-guide/thunderbird_for_o365/thunderbird06_incoming_server_entry.png deleted file mode 100644 index 6afa8da9..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird06_incoming_server_entry.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird07_outgoing_server_entry.png b/user-guide/thunderbird_for_o365/thunderbird07_outgoing_server_entry.png deleted file mode 100644 index 73489597..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird07_outgoing_server_entry.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird08_oauth_login.png b/user-guide/thunderbird_for_o365/thunderbird08_oauth_login.png deleted file mode 100644 index 479bc6ae..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird08_oauth_login.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird09_success.png b/user-guide/thunderbird_for_o365/thunderbird09_success.png deleted file mode 100644 index c3fb1d0d..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird09_success.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird10_account_settings.png b/user-guide/thunderbird_for_o365/thunderbird10_account_settings.png deleted file mode 100644 index 7cc860da..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird10_account_settings.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird11_deleted_folder.png b/user-guide/thunderbird_for_o365/thunderbird11_deleted_folder.png deleted file mode 100644 index 07ce3e62..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird11_deleted_folder.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird12_no_copy_of_sent_messages.png b/user-guide/thunderbird_for_o365/thunderbird12_no_copy_of_sent_messages.png deleted file mode 100644 index 1e4e7b53..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird12_no_copy_of_sent_messages.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird30_directory_settings.png b/user-guide/thunderbird_for_o365/thunderbird30_directory_settings.png deleted file mode 100644 index 447e78ad..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird30_directory_settings.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird31_add_directory.png b/user-guide/thunderbird_for_o365/thunderbird31_add_directory.png deleted file mode 100644 index 79dc43e5..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird31_add_directory.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird32_new_directory_settings.png b/user-guide/thunderbird_for_o365/thunderbird32_new_directory_settings.png deleted file mode 100644 index 640e6402..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird32_new_directory_settings.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird33_advanced_directory_settings.png b/user-guide/thunderbird_for_o365/thunderbird33_advanced_directory_settings.png deleted file mode 100644 index 4536ddec..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird33_advanced_directory_settings.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird34_close_directory_settings.png b/user-guide/thunderbird_for_o365/thunderbird34_close_directory_settings.png deleted file mode 100644 index 1639cf0f..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird34_close_directory_settings.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird35_select_directory.png b/user-guide/thunderbird_for_o365/thunderbird35_select_directory.png deleted file mode 100644 index 7936f02f..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird35_select_directory.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird36_config_editor.png b/user-guide/thunderbird_for_o365/thunderbird36_config_editor.png deleted file mode 100644 index e4c192d8..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird36_config_editor.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird37_config_editor_open.png b/user-guide/thunderbird_for_o365/thunderbird37_config_editor_open.png deleted file mode 100644 index 02f500b8..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird37_config_editor_open.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird38_config_editor_search.png b/user-guide/thunderbird_for_o365/thunderbird38_config_editor_search.png deleted file mode 100644 index 80ab199c..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird38_config_editor_search.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird39_config_editor_change.png b/user-guide/thunderbird_for_o365/thunderbird39_config_editor_change.png deleted file mode 100644 index 1829d420..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird39_config_editor_change.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird40_directory_password.png b/user-guide/thunderbird_for_o365/thunderbird40_directory_password.png deleted file mode 100644 index 75c8a0b0..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird40_directory_password.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird60_open_addons.png b/user-guide/thunderbird_for_o365/thunderbird60_open_addons.png deleted file mode 100644 index 6454f634..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird60_open_addons.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird61_search_tbsync.png b/user-guide/thunderbird_for_o365/thunderbird61_search_tbsync.png deleted file mode 100644 index 8117a1ca..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird61_search_tbsync.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird62_select_tbsync.png b/user-guide/thunderbird_for_o365/thunderbird62_select_tbsync.png deleted file mode 100644 index 23e93944..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird62_select_tbsync.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird63_install_tbsync.png b/user-guide/thunderbird_for_o365/thunderbird63_install_tbsync.png deleted file mode 100644 index 74dbde83..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird63_install_tbsync.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird64_installed_tbsync.png b/user-guide/thunderbird_for_o365/thunderbird64_installed_tbsync.png deleted file mode 100644 index 7815e01a..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird64_installed_tbsync.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird65_select_eas.png b/user-guide/thunderbird_for_o365/thunderbird65_select_eas.png deleted file mode 100644 index e4f03ad4..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird65_select_eas.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird66_install_eas.png b/user-guide/thunderbird_for_o365/thunderbird66_install_eas.png deleted file mode 100644 index f2c1f822..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird66_install_eas.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird67_installed_eas.png b/user-guide/thunderbird_for_o365/thunderbird67_installed_eas.png deleted file mode 100644 index 2644facb..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird67_installed_eas.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird68_open_tbsync.png b/user-guide/thunderbird_for_o365/thunderbird68_open_tbsync.png deleted file mode 100644 index 259b0205..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird68_open_tbsync.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird69_add_exchange_activesync_account.png b/user-guide/thunderbird_for_o365/thunderbird69_add_exchange_activesync_account.png deleted file mode 100644 index 73d5f8a9..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird69_add_exchange_activesync_account.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird70_add_o365_account.png b/user-guide/thunderbird_for_o365/thunderbird70_add_o365_account.png deleted file mode 100644 index b6d91b18..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird70_add_o365_account.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird71_o365_oauth.png b/user-guide/thunderbird_for_o365/thunderbird71_o365_oauth.png deleted file mode 100644 index f0a8a6b2..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird71_o365_oauth.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird72_activate_o365_calendar_sync.png b/user-guide/thunderbird_for_o365/thunderbird72_activate_o365_calendar_sync.png deleted file mode 100644 index 4735332c..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird72_activate_o365_calendar_sync.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird73_configure_o365_calendar_sync.png b/user-guide/thunderbird_for_o365/thunderbird73_configure_o365_calendar_sync.png deleted file mode 100644 index 76a7f13e..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird73_configure_o365_calendar_sync.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird74_o365_calendar_sync_done.png b/user-guide/thunderbird_for_o365/thunderbird74_o365_calendar_sync_done.png deleted file mode 100644 index 27d78bda..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird74_o365_calendar_sync_done.png and /dev/null differ diff --git a/user-guide/thunderbird_for_o365/thunderbird75_open_calendar.png b/user-guide/thunderbird_for_o365/thunderbird75_open_calendar.png deleted file mode 100644 index bc6e78bd..00000000 Binary files a/user-guide/thunderbird_for_o365/thunderbird75_open_calendar.png and /dev/null differ diff --git a/user-guide/windows_drives_in_home.md b/user-guide/windows_drives_in_home.md deleted file mode 100644 index 1daf3d9c..00000000 --- a/user-guide/windows_drives_in_home.md +++ /dev/null @@ -1,5 +0,0 @@ -# Access same Network Drives as Windows - -In your home directory you find in `network-drives` the same Windows shares as on a PSI Windows system. Note that the `U:` drive is named `home`, the rest has their original share name. - -If it does not work, point your admin to the [configuration guide](../admin-guide/configuration/files/windows_drives_in_home). diff --git a/user-guide/xrdp.md b/user-guide/xrdp.md deleted file mode 100644 index 1528d57f..00000000 --- a/user-guide/xrdp.md +++ /dev/null @@ -1,105 +0,0 @@ -# Remote Access with RDP - -This guide shows how to access a Red Hat Enterprise Linux system with RDP. - -## Configure RDP Remote Access - -Ask your computer administrator to allow it (for details see the [configuration guide](../admin-guide/configuration/desktop/xrdp) - -## Access from Windows - -Start the `Remote Desktop Connection` tool: - -![Remote Desktop Connection tool](xrdp/windows_remote_desktop_client_00.png) - -First enter the destination host name you want to connect to, then adapt the user name for the logn. For this go to `Show Options`: - -![Remote Desktop Connection tool with options](xrdp/windows_remote_desktop_client_01.png) - -Enable the `Always ask for credentials` checkbox and remove the Windows domain part (`PSICH\`) from your login name: - -![Remote Desktop Connection tool with proper user name](xrdp/windows_remote_desktop_client_02.png) - -Then press `Connect`. Now on the first time it will ask to accept the certficate of the device you try to connect to: - -![Remote Desktop Connection tool certificate warning](xrdp/windows_remote_desktop_client_03.png) - -and finally you get to the login screen: - -![XRDP login screen](xrdp/login_screen.png) - -## Access from Linux - -There is a number of GUI-clients like `Remmina`, `Vinagre` or `KRDC`, but it can also be connected from the terminal with `xfreerdp`: - -``` -xfreerdp /u:$USER /v:$REMOTE_RDP_SERVER /sec:tls +clipboard +fonts +bitmap-cache +glyph-cache /dynamic-resolution -``` -Adapt `$USER` (not needed if the user is the same as on the client machine) and `$REMOTE_RDP_SERVER` as required. - -The keyboard layout can be set by an additional parameter `/kbd:0x409` (US) or `/kbd:0x807` (Swiss German). - -If you connect to an real desktop session (see "Access Existing Desktop Session" below) I recommend to remove the `/dynamic-resolution` parameter. - -Also here you need to accept the certificate on first connect. - -## Virtual Remote Session - -The default option when you connect is `remote session (new or existing)` which will create a new virtual desktop session or attach again to an existing one. - -Note that if there is already a local desktop session, it is not possible ot create a virtual desktop session and the connection will simply close without error message when this is tried. - -## Access Existing Desktop Session - -This will give access to the deskop session which is running on the local screen. But this does not work automatically, that needs a bit of preparation. To be able to connect, the desktop session needs to be accessible with VNC on port 5900. - -### Gnome Desktop Sharing -An userfriendly way to achive this is to use the Gnome Desktop Sharing feature. But you need to prepare that while working locally connected on the real attached screen and keyboard. - -Open the `Settings` tool and therein `Sharing`: - -![Gnome Settings Sharing](xrdp/gnome_desktop_sharing_00.png) - -and then click on `Screen Sharing`: - -![Gnome Settings Screen Sharing](xrdp/gnome_desktop_sharing_01.png) - -Then switch to `ON` on the top, set `require a password` and set a password. There are only 8 characters allowed. But it is important else everyone with access to your RDP port can access also the session. - -When connecting with RDP, then select on the login screen `local desktop session (existing only)` and enter the password you set before: - -![Login Screen Local Desktop Session](xrdp/login_screen_local_desktop_session.png) - - -### `x11vnc` - -Another option is to use `x11vnc` to share the desktop. This tool is run from the terminal and can be used to share also other desktop envrionments like XFCE or KDE. It can also be started on demand from remote if an `ssh` connection to the host can be etablished. It will use your normal password to authenticate the connection. - -The suggested way to start it is: -``` -UNIXPW_DISABLE_SSL=1 x11vnc -extra_fbur 5 -forever -shared -loop -find -localhost -rfbport 5900 -unixpw $USER -``` -and keep it running somewhere in the background as long as you need remote access. - -When connecting with RDP, then select on the login screen `local desktop session (existing only)` go on without entering the password (it will be ignored): - -![Login Screen Local Desktop Session](xrdp/xvnc11_desktop_sharing_00.png) - - -Then you get to a login black screen where you need to hit the Enter key first: - -![Login Screen Local Desktop Session](xrdp/xvnc11_desktop_sharing_01.png) - -Now it is possible to set your user name: - -![Login Screen Local Desktop Session](xrdp/xvnc11_desktop_sharing_02.png) - -And after the normal password: - -![Login Screen Local Desktop Session](xrdp/xvnc11_desktop_sharing_03.png) - -it authenticates and connects. - - - -Note that `xvnc11` does not support non-US keyboard layouts very well. If you want to connect and use e.g. the Swiss German keyboard, it works best if you switch the desktop keyboard layout to English (there seams to be some double conversion in place ...). diff --git a/user-guide/xrdp/gnome_desktop_sharing_00.png b/user-guide/xrdp/gnome_desktop_sharing_00.png deleted file mode 100644 index 7d0cc3a2..00000000 Binary files a/user-guide/xrdp/gnome_desktop_sharing_00.png and /dev/null differ diff --git a/user-guide/xrdp/gnome_desktop_sharing_01.png b/user-guide/xrdp/gnome_desktop_sharing_01.png deleted file mode 100644 index 4cfab1fb..00000000 Binary files a/user-guide/xrdp/gnome_desktop_sharing_01.png and /dev/null differ diff --git a/user-guide/xrdp/login_screen.png b/user-guide/xrdp/login_screen.png deleted file mode 100644 index 054afea4..00000000 Binary files a/user-guide/xrdp/login_screen.png and /dev/null differ diff --git a/user-guide/xrdp/login_screen_local_desktop_session.png b/user-guide/xrdp/login_screen_local_desktop_session.png deleted file mode 100644 index 9fdb876e..00000000 Binary files a/user-guide/xrdp/login_screen_local_desktop_session.png and /dev/null differ diff --git a/user-guide/xrdp/windows_remote_desktop_client_00.png b/user-guide/xrdp/windows_remote_desktop_client_00.png deleted file mode 100644 index 54904d13..00000000 Binary files a/user-guide/xrdp/windows_remote_desktop_client_00.png and /dev/null differ diff --git a/user-guide/xrdp/windows_remote_desktop_client_01.png b/user-guide/xrdp/windows_remote_desktop_client_01.png deleted file mode 100644 index e43d3ffa..00000000 Binary files a/user-guide/xrdp/windows_remote_desktop_client_01.png and /dev/null differ diff --git a/user-guide/xrdp/windows_remote_desktop_client_02.png b/user-guide/xrdp/windows_remote_desktop_client_02.png deleted file mode 100644 index 1f1867e1..00000000 Binary files a/user-guide/xrdp/windows_remote_desktop_client_02.png and /dev/null differ diff --git a/user-guide/xrdp/windows_remote_desktop_client_03.png b/user-guide/xrdp/windows_remote_desktop_client_03.png deleted file mode 100644 index 7e74d3db..00000000 Binary files a/user-guide/xrdp/windows_remote_desktop_client_03.png and /dev/null differ diff --git a/user-guide/xrdp/xvnc11_desktop_sharing_00.png b/user-guide/xrdp/xvnc11_desktop_sharing_00.png deleted file mode 100644 index 20edca8c..00000000 Binary files a/user-guide/xrdp/xvnc11_desktop_sharing_00.png and /dev/null differ diff --git a/user-guide/xrdp/xvnc11_desktop_sharing_01.png b/user-guide/xrdp/xvnc11_desktop_sharing_01.png deleted file mode 100644 index 215be300..00000000 Binary files a/user-guide/xrdp/xvnc11_desktop_sharing_01.png and /dev/null differ diff --git a/user-guide/xrdp/xvnc11_desktop_sharing_02.png b/user-guide/xrdp/xvnc11_desktop_sharing_02.png deleted file mode 100644 index ad9ffcd5..00000000 Binary files a/user-guide/xrdp/xvnc11_desktop_sharing_02.png and /dev/null differ diff --git a/user-guide/xrdp/xvnc11_desktop_sharing_03.png b/user-guide/xrdp/xvnc11_desktop_sharing_03.png deleted file mode 100644 index 8ce04f80..00000000 Binary files a/user-guide/xrdp/xvnc11_desktop_sharing_03.png and /dev/null differ