Glue

From CARMA
(Difference between revisions)
(Some system issues to be resolved)
(Obvious and not so obvious User changes)
Line 12: Line 12:
 
* from your $HOME directory, there are 4 directories above: home, backup, mail and pub.
 
* from your $HOME directory, there are 4 directories above: home, backup, mail and pub.
  
* authentication is done via kerberos. I could ssh from everto to chara, and not need the ssh keys. But have not figured out how to setup the correct way with ssh keys to get from chara to everto. perhaps kerberos forbids this. Peter files a REQUEST on this FAQ.
+
* [[ssh using kerberos]]: authentication is done via kerberos. This means no need to pass around your id_rsa.pub or id_dsa.pub from your ~/.ssh directory. Simply type '''kinit''' to set your LDAP password, and its good for 24 hours of authenticated ssh. Your client machine must have been setup for this. See the link.
 +
 
 
* your mail is kept on glue.
 
* your mail is kept on glue.
  

Revision as of 11:48, 9 July 2007


GLUE

The GLUE project also maintains a WIKI page.


Obvious and not so obvious User changes

  • your new home directory will be /homes/$USER, and is limited to 100MB and lives on backed up computers in OIT. Note that your old $USER and new GLUE $USER name don't need to be the same, but you will not be able to share data between the two. They are completely different users on a completely different computer set. This means all data disks will need to have their user permissions changed.
  • from your $HOME directory, there are 4 directories above: home, backup, mail and pub.
  • ssh using kerberos: authentication is done via kerberos. This means no need to pass around your id_rsa.pub or id_dsa.pub from your ~/.ssh directory. Simply type kinit and enter your LDAP password, and it's good for 24 hours of authenticated ssh. Your client machine must have been set up for this. See the link.
  • your mail is kept on glue.

Some system issues to be resolved

  • there is no root access; each user that was given root permission can run "su"
  • there is no rsync server running, which, combined with the previous item, makes our current RAID backup system a bit tedious to re-implement.
  • where can things like /astromake go?
  • cross-mounting all astro disks (the /n map, as well as the /backup map)
  • mysql (for mediawiki and other things?) Note there are some version dependencies between php/mysql/mediawiki
  • convert astro $USER to glue $USER permission. Kevin has a perl script.
  • users who want to keep a special local home directory on a given machine?

Things we can keep

  • mail server -- But see below.
  • web server (but you cannot use $HOME/public_html, on the webserver we'll need some $USER space)

System things to remember

  • partition tables on the boot disk need to be edited, but any data disks on that boot disk will need to be preserved in whatever partition type (physical vs. logical) they were initially. GLUE will use hda1/sda1 to populate with all logical partitions. The 3 remaining physical partitions are free to be used.

Things we lose

  • One feature installed recently is a program that inserts a firewall rule to block access for IP addresses that are trying to break into the system with ssh. Many hacked computers worldwide are running scripts that try to do this. A certain number are likely to eventually succeed. This script has reduced that problem (run "showblocked" to show the number of locations blocked within the last half a day). We would lose this with glue.
  • sendmail is the only mail transfer program that is available with glue. We give up a *lot* by dropping the present postfix based mail system and going back to sendmail:
      o Mail to certain user names (usually mailing lists and exploders but this can also be sensitive system names) can presently be confined to on-campus senders. There is no way to do this in sendmail.
      o There is no greylisting available in glue.
      o Unknown users or aliases are not even allowed into the department mail network. We would lose that ability, increasing the amount of spam the department must handle.

postfix could be installed in our area. However, many programs call /usr/sbin/sendmail to send mail. Postfix replaces this with its own binary. On glue this is impossible.
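
An added example, not the department's own script, of the kind of detection the ssh-blocking program under "Things we lose" performs: it counts failed sshd logins per source address in a sliding window and renders the firewall rules it would insert. The log line format, the threshold and window, the names find_offenders and block_rules, and the sample lines are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The user name in an sshd log line is attacker-controlled, so the pattern is
# anchored at the end of the line: the greedy ".*" makes the *last*
# "from <ip> port <n> ssh2" win, not one smuggled inside the user name.
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+ ssh2$")

def find_offenders(lines, threshold=5, window=timedelta(minutes=10),
                   allow=(), year=2007):
    """Return {ip: time the threshold was reached} for sources to block."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue              # not a literal address: never build a rule from it
        if ip in blocked or any(ip in net for net in allowed):
            continue              # already handled, or an allowlisted network
        # syslog timestamps carry no year; the caller supplies one (assumption)
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= threshold:
            blocked[ip] = when
    return blocked

def block_rules(blocked):
    """Render (not execute) one DROP rule per blocked source, in block order."""
    return [f"{'iptables' if ip.version == 4 else 'ip6tables'} -I INPUT "
            f"-s {ip} -p tcp --dport 22 -j DROP" for ip in blocked]

# Constructed sample: five failures in five minutes from 203.0.113.50; the user
# name embeds a decoy "from 198.51.100.9 port 1 ssh2" (log injection attempt).
SAMPLE = [f"Jul  9 11:4{i}:00 host sshd[100]: Failed password for invalid user "
          f"x from 198.51.100.9 port 1 ssh2 from 203.0.113.50 port 4000 ssh2"
          for i in range(5)]
```

Passing the on-campus networks in allow keeps a user who mistypes a password from locking out a department machine.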
