Merge branch 'master' of git.psi.ch:linux-infra/documentation

2022-05-23 09:21:52 +02:00
46 changed files with 536 additions and 2260 deletions
Binary file not shown (added image, 127 KiB).

@@ -0,0 +1,79 @@
@startuml
actor admin
participant "BIOS Node\n(legacy boot)" as bootnode
participant "QIP DHCP" as dhcp
participant "pxeserv01.psi.ch" as pxeserver
participant "boot00.psi.ch" as sysdb
participant "repo00.psi.ch" as reposerver
admin -> bootnode : boots up
hnote over bootnode
BIOS
endhnote
bootnode -> dhcp : DHCP request
dhcp -> bootnode : IP + PXE boot location
bootnode -> pxeserver : load PXE kernel tftp:/tftpboot/pxelinux.0
hnote over bootnode
PXE
endhnote
bootnode -> pxeserver : load PXE config tftp:/tftpboot/pxelinux.cfg/01-$MAC
note right
By manually setting a MAC or IP config the
boot menu can be customised or shortcut.
Most is managed by symlinks. There is the
undocumented "link-to-lxprod.py" script for
manually linking MAC to hostname and hostname
to "lxprod". At some places this is done the
opposite by linking hostname to MAC to "lxprod".
Having the **link to "lxprod" loads directly**
**the iPXE kernel "boot00.lkrn"**, shortcutting
the manual selection below.
end note
bootnode -> pxeserver : load PXE config tftp:/tftpboot/pxelinux.cfg/$HEX-IP
bootnode -> pxeserver : load PXE config tftp:/tftpboot/pxelinux.cfg/default
note right
**Default selection is local boot**,
but also visible and manually selectable are
- Red Hat 7 Network Install
- Windows Network install
and many more which are hidden, but can
be selected from the prompt, some with
comments from 2013.
end note
admin -> bootnode : selects "Red Hat 7 Network Install"
bootnode -> pxeserver : load iPXE kernel tftp:/tftpboot/boot00.lkrn
note right
https://git.psi.ch/linux-infra/ipxe-build
The following steps are by embed/pxe.ipxe
end note
hnote over bootnode
iPXE
endhnote
bootnode -> dhcp : DHCP request
dhcp -> bootnode : IP
bootnode -> sysdb : load iPXE menu http:/ipxe/v1/config?mac=$MAC
note right
Default selection by sydb boot
property "local" or "netboot",
later installs Red Hat 7.9.
manually selectable are all
Red Hat 7 versions to install,
Windows, a selection of tools
and "HP SPP".
endnote
bootnode -> reposerver : load initrd http:/iso/rhel-server-7.9-x86_64-dvd/images/pxeboot/initrd.img
bootnode -> reposerver : load kernel http:/iso/rhel-server-7.9-x86_64-dvd/images/pxeboot/vmlinuz
hnote over bootnode
Linux kernel
endhnote
bootnode -> reposerver : installation media http:/iso/rhel-server-7.9-x86_64-dvd/
bootnode -> sysdb : kickstart file http:/kickstart/v1/config?fqdn=$HOSTNAME&instrepo=rhel-server-7.9-x86_64-dvd
@enduml
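Review bot: "sydb" in the iPXE-menu note (``Default selection by sydb boot property``) should read "sysdb" to match the participant alias, and the note terminator is inconsistent (``endnote`` there, ``end note`` in the other three notes; PlantUML accepts both, but use one form). The resource locations are written with a single slash (``tftp:/tftpboot/pxelinux.0``, ``http:/ipxe/v1/config?mac=$MAC``); if that is shorthand rather than the literal path, say so, since this diagram is the reference for the boot chain. It would also help the reader to state explicitly, in the diagram or the accompanying text, that every stage up to the kickstart fetch is plain TFTP/HTTP selected only by MAC, hex-IP or hostname (``01-$MAC``, ``$HEX-IP``, ``?mac=$MAC``, ``?fqdn=$HOSTNAME``), so it is clear which parts of the chain rely on network-level controls rather than on the protocol itself. Finally, the note calls ``link-to-lxprod.py`` undocumented; this commit is the place to add at least a one-line pointer to where that script lives and who runs it.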
+5
View File
@@ -32,6 +32,11 @@ which distribution it is supposed to use. The menu offers other options as well,
e.g. an interactive iPXE shell and a memory test.
Sequence Diagram of the BIOS (Legacy) Boot Process
--------------------------------------------------
.. image:: _static/legacy_boot.png
Building the iPXE boot image
----------------------------
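Review bot: the new ``.. image:: _static/legacy_boot.png`` directive has no ``:alt:`` text and nothing tells the reader that the PNG is rendered from the PlantUML source added in this commit. Add ``:alt: Sequence diagram of the legacy BIOS PXE boot process`` and a sentence naming the source file, so the image gets regenerated when the diagram changes instead of drifting from the source.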
+1 -1
View File
@@ -33,7 +33,7 @@ and ``$ALIASES``::
C = CH
O = \$ORGNAME
CN = \$FQDN
OU = AIT
OU = AWI
[ req_ext ]
subjectAltName = \$ALTNAMES
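Review bot: the only change in this hunk is the subject ``OU = AIT`` to ``OU = AWI`` in the CSR template, and neither the hunk nor the merge commit message says why. Anything that matches on the certificate subject (allow lists, ACLs, monitoring rules) needs to be checked against the new OU, and certificates already issued with ``OU = AIT`` keep the old subject until they are reissued; a short note to that effect in the document would help whoever handles the renewals.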
+19
View File
@@ -1,6 +1,9 @@
Puppet client
-------------
regular automatic Puppet client runs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Puppet client run is executed once daily between 5AM and 8AM
(``puppet_client::exec_time`` in hiera data).
@@ -15,6 +18,9 @@ The puppet client is executed via the ``pli-puppet-run`` system timer: ::
2 timers listed.
Pass --all to see loaded but inactive timers, too.
temporarily disable automatic Puppet client runs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Puppet execution can be disabled for a certain amount of time with the
``/opt/pli/libexec/pli-puppet-disable`` command: ::
@@ -31,3 +37,16 @@ Puppet execution can be disabled for a certain amount of time with the
The disabling time has to be in the ``date`` format (see date(1)).
manually retrieve host information from Puppet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To manually check the node information on the Puppet server for given host, do ::
FQDN=$(hostname --fqdn)
curl \
--cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
--cert /etc/puppetlabs/puppet/ssl/certs/$FQDN.pem \
--key /etc/puppetlabs/puppet/ssl/private_keys/$FQDN.pem \
"https://puppet01.psi.ch:8140/puppet/v3/node/$FQDN?environment=prod&configured_en" \
| jq .
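Review bot: the URL in the ``curl`` example ends in ``configured_en"``, which looks cut off; verify the full query parameter before merging, otherwise the example cannot be reproduced. The command reads the agent's private key from ``/etc/puppetlabs/puppet/ssl/private_keys/$FQDN.pem``, so the text should say it has to be run with the privileges of the Puppet agent (root). Quoting ``"$FQDN"`` in the ``--cert`` and ``--key`` arguments, as is already done for the URL, keeps the example robust.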
+4 -4
View File
@@ -12,9 +12,9 @@ auditing. In particular, it
Parameters
----------
=============================== ======== ================================================
=============================== ======== ==============================================================
**Name** **Type** **Default**
------------------------------- -------- ------------------------------------------------
------------------------------- -------- --------------------------------------------------------------
admins list hiera_array('aaa::admins')
allow_sudoers_d bool hiera('aaa::allow_sudoers_d')
bastions list hiera('aaa::bastions')
@@ -32,9 +32,9 @@ ssh_authorized_keys hash hiera_hash('aaa::sshkeys', {})
sssd_debuglevel int hiera('aaa::sssd_debuglevel')
sudo_rules (Hiera only) list hiera_array('aaa::sudo_rules', [])
support_afs bool hiera('aaa::support_afs'),
use_bastions bool hiera('aaa::use_bastions', undef)
use_bastions bool hiera('aaa::use_bastions', $profile::networking::use_bastions)
users list hiera_array('aaa::users', [])
=============================== ======== ================================================
=============================== ======== ==============================================================
``admins``
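Review bot: the ``use_bastions`` default changes from ``undef`` to ``$profile::networking::use_bastions``, which makes the SSH bastion restriction depend on the networking profile whenever ``aaa::use_bastions`` is not set in hiera. The ``use_bastions`` description further down should spell out that precedence (hiera key first, then the networking profile value), so it is clear when bastion enforcement is actually in effect on a host. Unrelated but in the same context: ``hiera('aaa::support_afs'),`` carries a stray trailing comma.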
+5 -3
View File
@@ -25,10 +25,11 @@ journal_system_max_use string hiera('log_client::journal_system_max_us
``journal_system_keep_free``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How much space :manpage:`systemd-journald(8)` should keep free for non-journal
How much space `systemd-journald(8) <https://www.freedesktop.org/software/systemd/man/systemd-journald.html>`_ should keep free for non-journal
use in ``/var/log``. In addition to the syntax described in
:manpage:`journald.conf(5)` we also support percentages, ie ``'25%'`` means that
`journald.conf(5) <https://www.freedesktop.org/software/systemd/man/journald.conf.html#SystemMaxUse=>`_ (bytes or use K, M, G, T, P, E as units) we also support percentages, ie ``'25%'`` means that
the journal will leave at least 25% of ``/var/log`` for other uses.
Note that for the use of a percentage limit ``/var/log`` must be an separate partition, else absolute values need to be set.
``journal_system_max_file_size``
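Review bot: in the ``journal_system_keep_free`` text the new link points at ``journald.conf.html#SystemMaxUse=``, but the option being described is the keep-free setting (``SystemKeepFree=``), so link that anchor rather than the max-use one. Wording in the same lines: "ie" should be "i.e." and "an separate partition" should be "a separate partition".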
@@ -41,8 +42,9 @@ The maximum size of individual journal files.
~~~~~~~~~~~~~~~~~~~~~~~~~~
The maximum amount of space that the journal is allowed to use. In addition to
the syntax described in :manpage:`journald.conf(5)` we also support percentages,
the syntax described in `journald.conf(5) <https://www.freedesktop.org/software/systemd/man/journald.conf.html#SystemMaxUse=>`_ (bytes or use K, M, G, T, P, E as units) we also support percentages,
ie ``'50%'`` means that the journal can use at most 50% of ``/var/log``.
Note that for the use of a percentage limit ``/var/log`` must be an separate partition, else absolute values need to be set.
``forward_to``
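Review bot: same wording fixes as in ``journal_system_keep_free``: "ie" to "i.e." and "an separate" to "a separate". The sentence that ``/var/log`` must be a separate partition for a percentage limit is now duplicated verbatim in two parameter sections; state it once in the introduction of the profile and refer to it, so the caveat does not get updated in only one place later.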
@@ -22,10 +22,14 @@ variables listed below:
This boolean indicates to the :doc:`aaa <../profiles/aaa>` profile whether SSH
access should be restricted to connections coming from the bastion hosts.
Override possible with ``aaa::use_bastions``.
Notes:
- the above variables are not configured in ``hiera``, but in the
`Puppet manifest <https://git.psi.ch/linux-infra/puppet/-/blob/preprod/code/modules/profile/manifests/networking/params.pp>`_
- the DNS cache is configured to be persistent, i.e. the cached data will
survive restarts of ``nscd.service``. To clear the cache, run ``nscd -i
hosts`` or ``systemctl reload nscd``.
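Review bot: the inline literal ``nscd -i hosts`` is split over a line break, which Sphinx tolerates but which is easy to misread; keep it on one line. Since the note says the cache is persistent across restarts of ``nscd.service``, it is worth adding that a changed DNS entry (for example a bastion host) keeps resolving to the stale address until the cache is invalidated, which is why the clearing command matters. The sentence "Override possible with ``aaa::use_bastions``" matches the new default in the ``aaa`` parameter table, but one of the two documents should state which value wins when both are set.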