forked from Controls/gitea-pages
Merge branch 'master' of git.psi.ch:linux-infra/documentation
Binary file not shown.
@@ -0,0 +1,79 @@
@startuml

actor admin
participant "BIOS Node\n(legacy boot)" as bootnode
participant "QIP DHCP" as dhcp
participant "pxeserv01.psi.ch" as pxeserver
participant "boot00.psi.ch" as sysdb
participant "repo00.psi.ch" as reposerver

admin -> bootnode : boots up

hnote over bootnode
BIOS
endhnote
bootnode -> dhcp : DHCP request
dhcp -> bootnode : IP + PXE boot location
bootnode -> pxeserver : load PXE kernel tftp:/tftpboot/pxelinux.0

hnote over bootnode
PXE
endhnote
bootnode -> pxeserver : load PXE config tftp:/tftpboot/pxelinux.cfg/01-$MAC
note right
By manually setting a MAC or IP config the
boot menu can be customised or shortcut.
Most is managed by symlinks. There is the
undocumented "link-to-lxprod.py" script for
manually linking MAC to hostname and hostname
to "lxprod". At some places this is done the
opposite by linking hostname to MAC to "lxprod".
Having the **link to "lxprod" loads directly**
**the iPXE kernel "boot00.lkrn"**, shortcutting
the manual selection below.
end note
bootnode -> pxeserver : load PXE config tftp:/tftpboot/pxelinux.cfg/$HEX-IP
bootnode -> pxeserver : load PXE config tftp:/tftpboot/pxelinux.cfg/default
note right
**Default selection is local boot**,
but also visible and manually selectable are
- Red Hat 7 Network Install
- Windows Network install
and many more which are hidden, but can
be selected from the prompt, some with
comments from 2013.
end note
admin -> bootnode : selects "Red Hat 7 Network Install"
bootnode -> pxeserver : load iPXE kernel tftp:/tftpboot/boot00.lkrn
note right
https://git.psi.ch/linux-infra/ipxe-build
The following steps are by embed/pxe.ipxe
end note

hnote over bootnode
iPXE
endhnote
bootnode -> dhcp : DHCP request
dhcp -> bootnode : IP
bootnode -> sysdb : load iPXE menu http:/ipxe/v1/config?mac=$MAC
note right
Default selection by sydb boot
property "local" or "netboot",
later installs Red Hat 7.9.
manually selectable are all
Red Hat 7 versions to install,
Windows, a selection of tools
and "HP SPP".
endnote
bootnode -> reposerver : load initrd http:/iso/rhel-server-7.9-x86_64-dvd/images/pxeboot/initrd.img
bootnode -> reposerver : load kernel http:/iso/rhel-server-7.9-x86_64-dvd/images/pxeboot/vmlinuz

hnote over bootnode
Linux kernel
endhnote
bootnode -> reposerver : installation media http:/iso/rhel-server-7.9-x86_64-dvd/
bootnode -> sysdb : kickstart file http:/kickstart/v1/config?fqdn=$HOSTNAME&instrepo=rhel-server-7.9-x86_64-dvd

@enduml
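Review bot: `Default selection by sydb boot` in the menu note should read `sysdb` (the participant alias declared above), and that note closes with `endnote` while the other notes use `end note`; PlantUML accepts both, but keep one spelling. The note on `link-to-lxprod.py` calls the script undocumented: since a symlink to `lxprod` skips the menu and loads `boot00.lkrn` directly, add a pointer to where the script and the symlink tree live so that shortcut can be reviewed. The diagram also shows the iPXE menu (`http:/ipxe/v1/config?mac=$MAC`) and the kickstart (`http:/kickstart/v1/config?fqdn=$HOSTNAME&instrepo=...`) fetched over plain HTTP and selected only by MAC or FQDN, so the accompanying prose should state which networks can reach `boot00.psi.ch` and whether the generated kickstart carries any secrets. If the single slash in `http:/` and `tftp:/` is deliberate to avoid PlantUML's `//` italic markup, a comment saying so will stop someone "correcting" it.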
@@ -32,6 +32,11 @@ which distribution it is supposed to use. The menu offers other options as well,
e.g. an interactive iPXE shell and a memory test.


Sequence Diagram of the BIOS (Legacy) Boot Process
--------------------------------------------------
.. image:: _static/legacy_boot.png


Building the iPXE boot image
----------------------------
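Review bot: the `.. image:: _static/legacy_boot.png` directive has no `:alt:` text and no reference to the PlantUML source added in this commit, so the diagram cannot be regenerated from the docs alone; add an `:alt:` line under the directive and link the `.puml` file next to the `Sequence Diagram of the BIOS (Legacy) Boot Process` heading (or render it with a `.. uml::` directive if the sphinxcontrib-plantuml extension is available in this build).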
@@ -33,7 +33,7 @@ and ``$ALIASES``::
C = CH
O = \$ORGNAME
CN = \$FQDN
OU = AIT
OU = AWI

[ req_ext ]
subjectAltName = \$ALTNAMES
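Review bot: `OU = AIT` changing to `OU = AWI` rewrites the subject of every certificate generated from this template, so confirm that no access rule or monitoring check matches on `OU=AIT` and record the change so certificates issued before and after can be told apart. The escaped `\$ORGNAME`, `\$FQDN` and `\$ALTNAMES` only make sense if this block is expanded by the shell (a heredoc); the surrounding text should say so, otherwise a reader will paste the literal `\$`.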
@@ -1,6 +1,9 @@
Puppet client
-------------

regular automatic Puppet client runs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Puppet client run is executed once daily between 5AM and 8AM
(``puppet_client::exec_time`` in hiera data).
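Review bot: `Puppet client run is executed once daily between 5AM and 8AM` should say how the run time inside that window is chosen (fixed per host, or randomised to spread load on the Puppet server), because a three-hour window means a change merged after 08:00 is not applied fleet-wide until the next morning; the `puppet_client::exec_time` reference is useful, but add the value format that hiera key expects.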
@@ -15,6 +18,9 @@ The puppet client is executed via the ``pli-puppet-run`` system timer: ::
2 timers listed.
Pass --all to see loaded but inactive timers, too.

temporarily disable automatic Puppet client runs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Puppet execution can be disabled for a certain amount of time with the
``/opt/pli/libexec/pli-puppet-disable`` command: ::
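Review bot: the new `temporarily disable automatic Puppet client runs` section should state how to re-enable before the time expires and what `pli-puppet-disable` leaves behind (a flag file the timer checks, or the timer being stopped), since a host whose runs are disabled silently drifts from the Puppet-managed baseline; it should also say whether the disabled state is visible centrally (Puppet report or monitoring) so that disables are not forgotten.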
@@ -31,3 +37,16 @@ Puppet execution can be disabled for a certain amount of time with the

The disabling time has to be in the ``date`` format (see date(1)).


manually retrieve host information from Puppet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To manually check the node information on the Puppet server for given host, do ::

FQDN=$(hostname --fqdn)
curl \
--cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
--cert /etc/puppetlabs/puppet/ssl/certs/$FQDN.pem \
--key /etc/puppetlabs/puppet/ssl/private_keys/$FQDN.pem \
"https://puppet01.psi.ch:8140/puppet/v3/node/$FQDN?environment=prod&configured_en" \
| jq .
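Review bot: the URL in the `curl` example ends in `&configured_en`, which looks cut off (Puppet's node endpoint takes a `configured_environment` parameter); verify the full query string before this lands. The command reads the agent's own key from `/etc/puppetlabs/puppet/ssl/private_keys/$FQDN.pem`, which is root-only on a normal agent, so say the block must be run as root; quoting `"$FQDN"` in the `--cert`/`--key` paths is also worth doing even though FQDNs contain no spaces.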
@@ -12,9 +12,9 @@ auditing. In particular, it
Parameters
----------

=============================== ======== ================================================
=============================== ======== ==============================================================
**Name** **Type** **Default**
------------------------------- -------- ------------------------------------------------
------------------------------- -------- --------------------------------------------------------------
admins list hiera_array('aaa::admins')
allow_sudoers_d bool hiera('aaa::allow_sudoers_d')
bastions list hiera('aaa::bastions')
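Review bot: widening the third column rule of the `Parameters` table is needed for the longer `use_bastions` default further down, but docutils rejects any row of a simple table that overruns the rule, so run the Sphinx build and check for "Text in column margin" errors before merging.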
@@ -32,9 +32,9 @@ ssh_authorized_keys hash hiera_hash('aaa::sshkeys', {})
sssd_debuglevel int hiera('aaa::sssd_debuglevel')
sudo_rules (Hiera only) list hiera_array('aaa::sudo_rules', [])
support_afs bool hiera('aaa::support_afs'),
use_bastions bool hiera('aaa::use_bastions', undef)
use_bastions bool hiera('aaa::use_bastions', $profile::networking::use_bastions)
users list hiera_array('aaa::users', [])
=============================== ======== ================================================
=============================== ======== ==============================================================


``admins``
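Review bot: `hiera('aaa::use_bastions', undef)` becoming `hiera('aaa::use_bastions', $profile::networking::use_bastions)` is a behaviour change, not just a table edit: hosts that never set `aaa::use_bastions` now inherit the networking profile's value, which may newly restrict SSH to the bastion hosts (or newly open it), so the `use_bastions` description below should state this fallback and the rollout should be checked against hosts that relied on the old `undef`. Separately, `hiera('aaa::support_afs'),` has a stray trailing comma.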
@@ -25,10 +25,11 @@ journal_system_max_use string hiera('log_client::journal_system_max_us
``journal_system_keep_free``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How much space :manpage:`systemd-journald(8)` should keep free for non-journal
How much space `systemd-journald(8) <https://www.freedesktop.org/software/systemd/man/systemd-journald.html>`_ should keep free for non-journal
use in ``/var/log``. In addition to the syntax described in
:manpage:`journald.conf(5)` we also support percentages, ie ``'25%'`` means that
`journald.conf(5) <https://www.freedesktop.org/software/systemd/man/journald.conf.html#SystemMaxUse=>`_ (bytes or use K, M, G, T, P, E as units) we also support percentages, ie ``'25%'`` means that
the journal will leave at least 25% of ``/var/log`` for other uses.
Note that for the use of a percentage limit ``/var/log`` must be an separate partition, else absolute values need to be set.


``journal_system_max_file_size``
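Review bot: the new `journald.conf(5)` link under `journal_system_keep_free` anchors at `#SystemMaxUse=`, but this parameter corresponds to `SystemKeepFree=`; point the anchor at that option. `an separate partition` should be `a separate partition` and `ie` should be `i.e.`; the note should also say what the percentage is taken of (presumably the size of the filesystem mounted at `/var/log`), which is the reason it is ambiguous when `/var/log` shares the root filesystem.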
@@ -41,8 +42,9 @@ The maximum size of individual journal files.
~~~~~~~~~~~~~~~~~~~~~~~~~~

The maximum amount of space that the journal is allowed to use. In addition to
the syntax described in :manpage:`journald.conf(5)` we also support percentages,
the syntax described in `journald.conf(5) <https://www.freedesktop.org/software/systemd/man/journald.conf.html#SystemMaxUse=>`_ (bytes or use K, M, G, T, P, E as units) we also support percentages,
ie ``'50%'`` means that the journal can use at most 50% of ``/var/log``.
Note that for the use of a percentage limit ``/var/log`` must be an separate partition, else absolute values need to be set.


``forward_to``
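Review bot: the `must be an separate partition` sentence is now repeated verbatim under both `journal_system_keep_free` and `journal_system_max_use`; fix the grammar (`a separate partition`, `i.e.`) and consider one shared note at the top of the journal parameters that both entries refer to, so the two copies do not drift. Here the `#SystemMaxUse=` anchor is the correct one.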
@@ -22,10 +22,14 @@ variables listed below:

This boolean indicates to the :doc:`aaa <../profiles/aaa>` profile whether SSH
access should be restricted to connections coming from the bastion hosts.
Override possible with ``aaa::use_bastions``.


Notes:

- the above variables are not configured in ``hiera``, but in the
`Puppet manifest <https://git.psi.ch/linux-infra/puppet/-/blob/preprod/code/modules/profile/manifests/networking/params.pp>`_

- the DNS cache is configured to be persistent, i.e. the cached data will
survive restarts of ``nscd.service``. To clear the cache, run ``nscd -i
hosts`` or ``systemctl reload nscd``.
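Review bot: `Override possible with ``aaa::use_bastions``` should say which value wins and point at the `aaa` parameter table, where this same commit makes `aaa::use_bastions` default to `$profile::networking::use_bastions`, so readers see that the hiera key overrides the manifest value and not the reverse. In the second note, `nscd -i hosts` invalidates only the `hosts` table; if `passwd`/`group` are cached persistently as well, say so, and confirm that `nscd.service` actually has a reload action before documenting `systemctl reload nscd`. Linking the manifest on the `preprod` branch means the link can drift from what is deployed; a tag or the production branch would be more stable.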