Glue

From CARMA
(Difference between revisions)
Line 27: Line 27:
 
== Things we can keep ==
 
== Things we can keep ==
  
* mail server
+
* mail server -- But see below.
  sendmail is the only mail transfer program that is available with glue.  We give up
+
  a *lot* by dropping the present postfix based mail system and going back to sendmail:
+
  o Mail to certain user names (usually mailing lists and exploders but this
+
    can also be sensitive system names) can presently be confined to on-campus
+
    senders.  There is no way to do this in sendmail.
+
  o There is no greylisting in glue.
+
  o unknown users or aliases are not even allowed into the department mail
+
    network.  We would lose that ability, increasing the amount of spam the
+
    department must handle.
+
  o There is no way to move mailboxes off of a main server onto other a user's
+
    home directory.  Thus the cpu load taken by spam filtering will always
+
    be at the mail server, which can often be overloaded.  Using a faster
+
    computer as mailserver has helped, but not always eliminated that problem.
+
 
* web server (but you cannot use $HOME/public_html, on the webserver we'll need some $USER space)
 
* web server (but you cannot use $HOME/public_html, on the webserver we'll need some $USER space)
  
Line 49: Line 36:
 
== Things we lose ==
 
== Things we lose ==
 
* One feature installed recently is a program that inserts a firewall rule to block access to IP addresses that are trying to break into the system  with ssh.  Many hacked computers worldwide are running scripts that try to do this.  A certain number are likely to eventually succeed.  This script has reduced that problem (run "showblocked") to show the number of locations blocked within the last half a day. We would lose this with glue.
 
* One feature installed recently is a program that inserts a firewall rule to block access to IP addresses that are trying to break into the system  with ssh.  Many hacked computers worldwide are running scripts that try to do this.  A certain number are likely to eventually succeed.  This script has reduced that problem (run "showblocked") to show the number of locations blocked within the last half a day. We would lose this with glue.
 +
* sendmail is the only mail transfer program that is available with glue.  We give up  a *lot* by dropping the present postfix based mail system and going back to sendmail:
 +
o Mail to certain user names (usually mailing lists and exploders but this can
 +
  also be sensitive system names) can presently be confined to on-campus senders. 
 +
  There is no way to do this in sendmail.
 +
o There is no greylisting available in glue.
 +
o unknown users or aliases are not even allowed into the department mail network.
 +
  We would lose that ability, increasing the amount of spam the department must
 +
  handle.
 +
 +
postfix could be installed in our area.  However many programs call /usr/sbin/sendmail to send mail.  Postfix replaces this with its own binary. On
 +
glue this is impossible.
 +
*
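Review bot: the sendmail list added under "Things we lose" carries only three of the "o" items, while the text taken out from under "mail server" in the first hunk had a fourth (no way to move mailboxes off the main server, so the spam-filtering CPU load stays on the mail server). Restore that item here if dropping it was not intended. The hunk also ends with an empty "*" bullet, which should be filled in or removed.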

Revision as of 16:50, 29 June 2007


GLUE

The GLUE project also maintains a WIKI page.


Obvious and not so obvious User changes

  • your new home directory will be /homes/$USER; it is limited to 100MB and lives on backed-up computers in OIT. Note that your old $USER and new GLUE $USER name don't need to be the same, but you will not be able to share data between the two. They are completely different users on a completely different set of computers. This means all data disks will need to have their user permissions changed.
  • from your $HOME directory, there are 4 directories above: home, backup, mail and pub.
  • authentication is done via Kerberos. I could ssh from everto to chara, and not need the ssh keys, but I have not figured out how to set this up the correct way with ssh keys to get from chara to everto. Perhaps Kerberos forbids this. Peter files a REQUEST on this FAQ.
  • your mail is kept on glue.

Some system issues to be resolved

  • there is no root access; each user that was given root permission can run "su"
  • there is no rsync server running, which, combined with the previous item, makes our current RAID backup system a bit tedious to re-implement.
  • where can things like /astromake go?
  • cross-mounting all astro disks (the /n map, as well as the /backup map)
  • mysql (for mediawiki and other things?)
  • convert astro $USER to glue $USER permission. Kevin has a perl script.
  • users who want to keep a special local home directory on a given machine?

Things we can keep

  • mail server -- But see below.
  • web server (but you cannot use $HOME/public_html, on the webserver we'll need some $USER space)

System things to remember

  • partition tables on the boot disk need to be edited, but any data disks on that boot disk will need to be preserved in whatever partition type (physical vs. logical) they were initially. GLUE will use hda1/sda1 to populate with all logical partitions. The 3 remaining physical partitions are free to be used.

Things we lose

  • One feature installed recently is a program that inserts a firewall rule to block access from IP addresses that are trying to break into the system with ssh. Many hacked computers worldwide are running scripts that try to do this. A certain number are likely to eventually succeed. This script has reduced that problem (run "showblocked" to show the number of locations blocked within the last half a day). We would lose this with glue.
  • sendmail is the only mail transfer program that is available with glue. We give up a *lot* by dropping the present postfix-based mail system and going back to sendmail:
      o Mail to certain user names (usually mailing lists and exploders, but these can also be sensitive system names) can presently be confined to on-campus senders. There is no way to do this in sendmail.
      o There is no greylisting available in glue.
      o Unknown users or aliases are not even allowed into the department mail network. We would lose that ability, increasing the amount of spam the department must handle.

Postfix could be installed in our area. However, many programs call /usr/sbin/sendmail to send mail. Postfix replaces this with its own binary. On glue this is impossible.
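The ssh blocking feature listed first under "Things we lose" can be sketched as follows. This is an added example, not the department's script: the function names, the threshold and the counting window are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-login lines as written by OpenSSH's sshd to syslog.
FAILED = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                    r"for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ")
THRESHOLD = 3                    # failures before blocking (assumed value)
WINDOW = timedelta(minutes=10)   # ...counted within this span (assumed value)

def parse(line, year=2007):
    """Return (timestamp, ip) for a failed-login line, else None (syslog has no year)."""
    m = FAILED.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def find_blocks(lines, allow=frozenset()):
    """Map each offending IP to the time it reached THRESHOLD within WINDOW."""
    recent, blocked = defaultdict(list), {}
    for line in lines:
        hit = parse(line)
        if not hit or hit[1] in allow or hit[1] in blocked:
            continue
        ts, ip = hit
        recent[ip] = [t for t in recent[ip] if ts - t <= WINDOW] + [ts]
        if len(recent[ip]) >= THRESHOLD:
            blocked[ip] = ts
    return blocked

def firewall_rules(blocked):
    """iptables commands that drop ssh traffic from each blocked address."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(blocked)]

def show_blocked(blocked, now, period=timedelta(hours=12)):
    """Addresses blocked within the last half day (hypothetical summary helper)."""
    return sorted(ip for ip, ts in blocked.items() if now - ts <= period)

# Constructed sample log lines (documentation address ranges, not real data).
SAMPLE = """\
Jun 28 01:00:01 host sshd[300]: Failed password for root from 198.51.100.23 port 4001 ssh2
Jun 28 01:00:03 host sshd[300]: Failed password for root from 198.51.100.23 port 4002 ssh2
Jun 28 01:00:05 host sshd[301]: Failed password for invalid user test from 198.51.100.23 port 4003 ssh2
Jun 29 09:00:00 host sshd[500]: Failed password for alice from 192.0.2.10 port 5100 ssh2
Jun 29 10:10:01 host sshd[611]: Failed password for root from 203.0.113.7 port 4021 ssh2
Jun 29 10:10:04 host sshd[611]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Jun 29 10:10:09 host sshd[612]: Failed password for root from 203.0.113.7 port 4023 ssh2
""".splitlines()
```

The `allow` set is there so that on-campus or administrative addresses are never blocked by a mistyped password.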
