Development server warden-dev.cesnet.cz

 Hostname: warden-dev.cesnet.cz

 OS:       Debian Squeeze
           Linux warden-dev 2.6.32-5-amd64 #1 SMP Tue Jun 14 09:42:28 UTC 2011 x86_64 GNU/Linux

 CPU:      AMD Opteron(tm) Processor 4184 @2.8GHz

 RAM:                   total       used       free     shared    buffers     cached
           Mem:      33005688     507072   32498616          0      97048     234352
           -/+ buffers/cache:     175672   32830016
           Swap:      1952760          0    1952760

 HDD:
           Filesystem            Size  Used Avail Use% Mounted on
           /dev/sda1             9.2G  526M  8.2G   6% /
           tmpfs                  16G     0   16G   0% /lib/init/rw
           udev                   16G  152K   16G   1% /dev
           tmpfs                  16G     0   16G   0% /dev/shm
           /dev/sda3             539G  338M  511G   1% /var

  RAID: 
           hardware RAID 1

  CONFIGURATION:
           Dell PowerEdge R415 Rack Chassis for Up to 4x 3.5" Hot Plug HDDs, LCD diagnostics
           2 x AMD Opteron 4184 Processor (2.8GHz, 6C, 6x512K L2/6M L3 Cache, 75W ACP), DDR3-1333MHz
           32GB Memory for 2CPU (8x4GB Dual Rank UDIMMs) 1333MHz
           2 x 600GB SAS 6Gbps 15k 3.5" HD Hot Plug
           PERC H700A RAID Controller, 1GB NV Cache, For Hot Plug HDD Chassis
           16X DVD-ROM Drive SATA with SATA Cable

Registered clients of the Warden system

Current registered clients in: Fri Nov 25 09:45:34 2011

Server configuration

System monitoring setup

Using the Nagios system and the Logwatch and Apticron tools:

Package installation:

aptitude install nagios-nrpe-server nagios-plugins-basic logwatch apticron

Configuration in /etc/nagios/nrpe.cfg:

#nagios.cesnet.cz pool
allowed_hosts=195.113.187.74,195.113.187.75,195.113.187.76,195.113.187.77,195.113.187.78

# watched services
command[check_users]=/usr/lib/nagios/plugins/check_users -w 10 -c 15
command[check_load]=/usr/lib/nagios/plugins/check_load -w 45,40,20 -c 50,50,40
command[check_disk_/]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
command[check_disk_/var]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /var
command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 350 -c 500
command[check_ssh]=/usr/lib/nagios/plugins/check_ssh -H localhost
command[check_ntp_time]=/usr/lib/nagios/plugins/check_ntp_time -H tik.cesnet.cz -w 0.5 -c 1
command[check_warden]=/usr/lib/nagios/plugins/check_procs -c 1:1 -a /opt/warden-server/bin/warden-server.pl
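
A small audit of the nrpe.cfg directives shown above, as an added example that is not part of the original page: it flags settings that widen who may trigger checks or let the caller pass arguments to plugins. The function name audit_nrpe and the sample configuration with its two weak lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: directives quoted on this page plus two deliberately
# weak lines (dont_blame_nrpe=1 and a command using $ARG1$) to audit.
SAMPLE_NRPE_CFG = """\
#nagios.cesnet.cz pool
allowed_hosts=195.113.187.74,195.113.187.75
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w 10 -c 15
command[check_disk_/var]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /var
command[check_custom]=/usr/lib/nagios/plugins/check_procs -a $ARG1$
"""

PLUGIN_DIR = "/usr/lib/nagios/plugins/"
COMMAND_RE = re.compile(r"^command\[([^\]]+)\]\s*=\s*(.+)$")

def audit_nrpe(text):
    """Return a sorted list of findings for an nrpe.cfg given as text."""
    findings = []
    allowed_seen = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COMMAND_RE.match(line)
        if m:
            name, cmd = m.groups()
            if not cmd.split()[0].startswith(PLUGIN_DIR):
                findings.append(f"command[{name}]: binary outside {PLUGIN_DIR}")
            if re.search(r"\$ARG\d+\$", cmd):
                findings.append(f"command[{name}]: takes arguments from the network")
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "dont_blame_nrpe" and value == "1":
            findings.append("dont_blame_nrpe=1: client-supplied arguments enabled")
        elif key == "allowed_hosts":
            allowed_seen = True
            for entry in filter(None, (e.strip() for e in value.split(","))):
                try:
                    net = ipaddress.ip_network(entry, strict=False)
                except ValueError:
                    findings.append(f"allowed_hosts: {entry} is a hostname (DNS-dependent)")
                    continue
                if net.num_addresses > 1:
                    findings.append(f"allowed_hosts: {entry} covers {net.num_addresses} addresses")
    if not allowed_seen:
        findings.append("allowed_hosts is not set")
    return sorted(findings)
```

Run against the configuration quoted on this page, the function returns an empty list: every allowed host is a single address and no command accepts arguments.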

Backup setup

Backups are handled by the script /root/bin/backup, which cron runs every day at 22:00. For efficiency, the script is set up to perform a full backup every Sunday and to create only incremental differential backups on every other day. Backups are made to the server neant.cesnet.cz.

Logging setup

Configuration in /etc/syslog-ng/syslog-ng.conf:

options { long_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
          owner("root"); group("adm"); perm(0640); log_fifo_size(10000); mark_freq(300); stats_freq(600);
          stats_level(1); time_reopen(10); bad_hostname("^gconfd$");
};

destination d_warden { file("/var/log/warden.log" group("warden")); };
destination d_net { tcp("vinovago.cesnet.cz" 
                        port(514)
                        tls(
                                key_file("/etc/ssl/private/warden-dev.cesnet.cz.key")
                                cert_file("/etc/ssl/certs/warden-dev.cesnet.cz.pem")
                                ca_dir("/etc/ssl/trusted_ca")
                                trusted_dn("CN=vinovago.cesnet.cz, O=CESNET, C=CZ")
                        )
                        flush_lines(100)
                        flush_timeout(5000)
                     );  
                  };   

filter f_warden { facility(local7); };

log { source(s_src); filter(f_warden); destination(d_warden); };
log { source(s_src); destination(d_net); };

Configuration in /etc/logrotate.d/warden:

/var/log/warden.log {
   rotate 12
   missingok
   notifempty
   weekly
   compress
   delaycompress
   dateext
}

SSL certificates

server certificate:       /etc/ssl/certs/warden-dev.cesnet.cz.pem
key:                      /etc/ssl/private/warden-dev.cesnet.cz.key
CA certificate bundle:    /etc/ssl/certs/tcs-ca-bundle.pem
TERENA SSL CA:            /etc/ssl/certs/TERENA_SSL_CA.pem

(The CA bundle contains the chain of all CAs up to the root)

# Get the certificate hash
openssl x509 -noout -hash -in /etc/ssl/certs/TERENA_SSL_CA.pem

# Install the symbolic link
ln -s /etc/ssl/certs/TERENA_SSL_CA.pem /etc/ssl/certs/9df51c42.0

# Verify the installation
openssl verify /etc/ssl/certs/mentat.cesnet.cz.pem

Warden server setup (for development purposes)

  • symlinks from the development directories into the system directories
    ln -s /var/home/warden/warden/bin/wardend /etc/init.d/wardend
    
  • permissions set to run /etc/init.d/wardend via sudo
  • the Warden server runs on port TCP/443
  • it writes to /var/run (pid), /var/log (logs) and /var/lock (lock).

Installed packages

Operational

aptitude install ntp mc joe vim screen htop apt-show-versions build-utils

Development

apt-get install libsoap-lite-perl libfile-pid-perl sqlite3 libdbd-sqlite3-perl libformat-human-bytes-perl libnet-cidr-lite-perl libdatetime-perl libdevel-nytprof-perl
  • libsoap-lite-perl
    The following extra packages will be installed:
      libclass-inspector-perl libconvert-binhex-perl libcrypt-ssleay-perl libfcgi-perl libfont-afm-perl libhtml-format-perl libhtml-parser-perl
      libhtml-tagset-perl libhtml-tree-perl libidn11 libio-socket-ssl-perl libio-stringy-perl libmailtools-perl libmime-tools-perl libnet-libidn-perl
      libnet-ssleay-perl libossp-uuid-perl libossp-uuid16 libtask-weaken-perl libtimedate-perl liburi-perl libwww-perl libxml-parser-perl
    Suggested packages:
      libdata-dump-perl libio-socket-inet6-perl uuid libapache2-mod-perl2 libnet-jabber-perl libmime-lite-perl
    The following NEW packages will be installed:
      libclass-inspector-perl libconvert-binhex-perl libcrypt-ssleay-perl libfcgi-perl libfont-afm-perl libhtml-format-perl libhtml-parser-perl
      libhtml-tagset-perl libhtml-tree-perl libidn11 libio-socket-ssl-perl libio-stringy-perl libmailtools-perl libmime-tools-perl libnet-libidn-perl
      libnet-ssleay-perl libossp-uuid-perl libossp-uuid16 libsoap-lite-perl libtask-weaken-perl libtimedate-perl liburi-perl libwww-perl libxml-parser-perl
    
  • libfile-pid-perl
    The following extra packages will be installed:
      libclass-accessor-perl libsub-name-perl
    The following NEW packages will be installed:
      libclass-accessor-perl libfile-pid-perl libsub-name-perl
    
  • sqlite3 (3.7.3.)
    Suggested packages:
      sqlite3-doc
    The following NEW packages will be installed:
      sqlite3
    
  • libdbd-sqlite3-perl
    The following extra packages will be installed:
      libdbi-perl libnet-daemon-perl libplrpc-perl
    The following NEW packages will be installed:
      libdbd-sqlite3-perl libdbi-perl libnet-daemon-perl libplrpc-perl
    
  • libformat-human-bytes-perl
  • libnet-cidr-lite-perl
  • libdatetime-perl
    The following extra packages will be installed:
      libclass-singleton-perl libdatetime-locale-perl libdatetime-timezone-perl liblist-moreutils-perl libparams-validate-perl
    The following NEW packages will be installed:
      libclass-singleton-perl libdatetime-locale-perl libdatetime-perl libdatetime-timezone-perl liblist-moreutils-perl libparams-validate-perl
    

Wardenweb
  • libapache2-mod-php5, php5-mysql
  • warden web is simply unpacked and the database username and password are set in wardenweb/db.php

Log of root interventions

  • 25. 5. 2012 ph, cancelled 7. 6.
    Redirection of port 1443 to 443 to test Warden functionality with redirection, for a two-phase move to a different port.
  • ...