Warning Livedoc is no longer being updated and will be deprecated shortly. Please refer to https://documentation.tjhsst.edu.

Difference between revisions of "Discussion Agenda archive 1"

From Livedoc - The Documentation Repository
Jump to: navigation, search
m (Updated discussion agenda)
(CSL Keytabs: Lee is gone, no dispute.)
Line 15: Line 15:
*Online backups for AFS (yesterday directory) - uses COW, so this doesn't take much storage if done regularly. Use "vos backupsys <volprefix>".
*Online backups for AFS (yesterday directory) - uses COW, so this doesn't take much storage if done regularly. Use "vos backupsys <volprefix>".
*Off-site backup
*Off-site backup
===CSL keytabs (why not?)===
===Virtualization ideas===
===Virtualization ideas===

Revision as of 19:41, 16 January 2008

If there is anything that needs to be/should be discussed in a sysadmin meeting, please list it here - also, if you add something to a topic, remember to add your username to the section:

Donated equipment from Aristotle International


  • Rack space
  • Power requirements
    • Additional UPSs?
    • Red plugs
  • Equipment usage
  • Site placement - syslab, 119s, etc


  • Full backup system that handles most (all if possible) data in the lab - "protect the data"
  • Online backups for AFS (yesterday directory) - uses COW, so this doesn't take much storage if done regularly. Use "vos backupsys <volprefix>".
  • Off-site backup

Virtualization ideas

  • What services to start to virtualize, as a proof of concept and/or permanent installation
    • Dev hosts - each developer gets their own host to setup and configure as they wish for whatever they are doing (currently being implemented on humboldt for iodine developemnt, as well as development of the new school website)
    • DNS - bind has not had a great security record, it would be best to put bind in an isolated environment, making a vm perfect - if this is not going to be done for awhile, bind should at least be chrooted
    • etc
  • Data storage methods to employ for virtualization
    • Central storage on one or more servers, provides HA (something like storage arrays with both data and VMs)
    • Distributed storage, using something like AoE
    • Local storage with backup - vm is stored locally, with another copy somewhere else that is updated periodically, but is not turned on unless needed
    • Some other storage scheme

Cleanup of AFS

  • While we are auditing AFS permissions, and removing @local.tjhsst.edu users, we should do a few other things
  • Clean the service directory
    • Archive everything that is no longer in use
    • Archive everything that is no longer useful
  • Audit permissions on all directories, including web, etc
  • Other cleanup tasks (I'll add more when I have more time)

Security issues

  • Separation of services
    • Services should be separated for security, if one is compromised, all services should not be compromised
      • fiordland comes to mind as something that should be fixed
      • One solution is to put services into virtual machines - good security, with additional management benefits - want to move what host a service runs on, just move the vm with a simple command
      • Another solution, using multiple chroot environments
  • Logging - do we look at the logs for anything anymore, and if not, how can we go about accomplishing this, so we know what is happening on our systems
  • More issues added as I have more time to add them to this list

High availability / load balancing

  • Currently we have almost zero high availability for most services, this needs to change - also, we need to test high availability functions for services in which it supposedly should work
  • Mysql
  • Apache
  • Kerberos (does it work?)
  • Iodine
  • Remote and oldremote (until it goes away) - loadbalanced and high availability
  • Workstation service ip, so I can ssh to workstation, and it will redirect me to the workstation with the lowest load?
  • Zimbra (can we make it work, even though the "community" edition does not include it)
  • Load balancing for LTSP - login to "LTSP" or something, and have it redirect you to either "Rockhopper" or "Bottom"
  • Other services

No HA will be implemented until all systems are stable and functioning normally. (Determined at the Lunch Meetings)

Additional "Services" To offer

  • Postgresql
  • Form submission on tjhsst.edu/admin/ or tjhsst.edu/syslab or papers on the wall for web accounts, mysql stuff, etc.

Enable Dynamic Power Savings Mode on Intel HPs

  • Note to Lee: I have had no bad experiences with laptop power savings features (from an ancient P1 Toshiba to a 1-2 yr old IBM) and I was unable to find any problems online (either with laptops or with HP's) after a quick Google search. Please provide some links. FYI it is OS-independent.
  • HP's website


  • Currently, all machines (unless they don't support it, or are otherwise disabled) on our csl network (even vpn users) have ipv6 addresses (actually two of them, a link address and a global address) - apparently our router hands out the network prefix, thus hosts are able to generate the remaining 64bits of the address based off the mac address, if a mac address is not available, the address is automatically generated each time the link comes up.
    • Does anyone know how the router is configured - the only thing that I know is that the addresses are Abilene intranet2 addresses, and that the router magically responds to ipv6 requests to give hosts these addresses
    • To test to see if a host is using ipv6, goto http://www.kame.net/ - if the turtle is dancing (i.e. animated), then you are using ipv6 to connect to their web server
  • Do we want to put ipv6 addresses in DNS, so that most traffic in the lab is running over ipv6? The only AAAA record that we currently have is for ns1, so dns lookups over ipv6 work. This would work for all "hardware" addresses, as they are the same every time the link comes up, but DDNS would have to be used to update DNS each time a link with an autogenerated address comes up (or we just statically configure all links that are not associated with a MAC).
  • Should we make ipv6 addresses for service ips?
  • Do we want to give new vm's ipv6 addresses?
  • Is the firewall protecting our ipv6 addresses, in addition to the ipv4 addresses?