Fylvestre

Imara used to have a versatile server, tweety, which finally worked itself to death. Its replacement is a brand new computer called fylvestre (because fylvestre is always chasing tweety).

It provides essentially the same services, which are listed below. To ease migration, fylvestre.inria.fr is also reachable as tweety.inria.fr, lara.inria.fr and imara-serv.inria.fr. This is particularly useful when accessing the computer from outside.

Quick monitoring of fylvestre's vitals can be done using phpSysInfo.

Services

Filesharing

Fylvestre provides a Samba filesharing server (a.k.a. Windows shares) accessible at \\fylvestre.inria.fr\. Most of the content is only accessible after providing a username and password. This is a private space.

Most notably, one can find software setups, photos, project-related data, etc.

This storage space is also quickly available using HTTP at http://fylvestre.inria.fr/data/.

Webserver

Some useful, mostly static and semi-public files (documentation, …) are available through a web server running on Fylvestre.

The actual files are in /srv/www and are group-readable and -writable by imara (g+rw), meaning that the whole team can read and modify them when logged in on the server. Caution is recommended.

:!: Files that live on AFS (/afs) MUST NOT be served by Fylvestre; serve them directly from Inria's webservers, like all the other public sites. Doing otherwise adds unnecessary single points of failure (Fylvestre and its AFS client sitting in front of the files). :!:

A Google Maps key has been generated to enable the use of this API on webpages hosted on Fylvestre. It is registered for pages served from Fylvestre and is not valid from other sites:

ABQIAAAA0KYv1SLZiBnyuSW6ohnwlhRI3b1KNCckJcBoVmjPJA5TzE6cJxTNtE3-SxvCJZeDqCstC-blLtqmQw

User logins

All the Imara users are directly authenticated from AFS. It can be used as explained in Using AFS (the AFS home directories are located as on any AFS-enabled Inria computer).

:!: As AFS is used for authentication, this means that users need to have initialised their AFS account with the AFS team (i.e. neither the MIRIAD/Windows nor the iLDAP password will work).

To maintain the userbase in sync with AFS, a call to a script (described here) has been added to the system crontab, to be run once a month (/etc/cron.monthly/update_passwd_from_afs).

#!/bin/bash
# Keep a copy of the current user base before the AFS import rewrites it.
# Note that this single .bak is overwritten at every monthly run.
cp -f /etc/passwd /etc/passwd.bak
# Regenerate the local user base from AFS (make_passwd.sh is described at the link above).
/usr/local/sbin/make_passwd.sh -i /etc/passwd >/dev/null

:!: As mentioned at the previous link, this script is risky, so it is better to keep dated backups of the /etc/passwd file (in year-month-day order so that they sort chronologically), for example as follows:

$ sudo cp /etc/passwd /etc/passwd.`date +%Y%m%d`

After login, it may be necessary to acquire an AFS token using klog before AFS files can be accessed in read/write mode. See here for details. In the following example, the user cannot even read their own .profile, nor write to their home directory, before getting an AFS token.

Last login: Fri Jun 15 14:20:30 2007 from vision.inria.fr
-sh: /afs/inria.fr/rocq/home/imara/mehani/.profile: Permission denied
mehani@fylvestre:~$ touch arf
touch: cannot touch `arf': Permission denied
mehani@fylvestre:~$ klog
Password:
mehani@fylvestre:~$ touch arf
mehani@fylvestre:~$ ls 
afs  bin     Choices  devel     -i     lib  www
arf  bordel  Desktop  download  imara  src
mehani@fylvestre:~$ 

Printing server

Administrative stuff

Fylvestre is running the testing version of Debian GNU/Linux, which is easily maintainable using APT. The list of installed packages is saved once a month by the following cron script, /etc/cron.monthly/update_selections.

#!/bin/bash
# Snapshot of the package selection; it can be replayed on a fresh install with
# "dpkg --set-selections < dpkg_selections.txt && apt-get dselect-upgrade".
dpkg --get-selections > /srv/fylvestre_backup/dpkg_selections.txt

:!: All Imara-related data (and specific server configuration) are stored in the /srv subtree to ease subsequent migrations, backups or disk changes. :!:

Currently, a 500GB Seagate IDE harddisk is mounted with a single partition in /srv.

It is configured as an AFS client, used for user authentication and $HOMEs.

All local email to root (and other system accounts) is forwarded to imara-admin@inria.fr (see Mailing lists). This is done in /etc/aliases (followed by the needed call to newaliases).

User accounts

The administrative local user is operator. It is not root itself, but has complete sudo access to perform administrative tasks.

There is a default imara user, mostly for ownership of the files shared through Samba. Its UID, 1000, collides with that of AFS user verlyck; that user is, however, not imported into the local base.

Another user, scmuser, whose home is /srv/scmuser, can be used to check out read-only versions of our developments (as user imara in GForge). Its UID, 1001, collides with that of aed, who is not imported either. This can be useful for automated tasks, like Taxi documentation generation. Since the user base is regenerated from AFS every month, these two AFS users must stay excluded from the import, otherwise they would become the owners of the imara and scmuser files.
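The monthly AFS import and the UID overlaps just described are the two places where /etc/passwd can end up wrong without anyone noticing. What follows is an added example, not a script from this page nor part of Imara's make_passwd.sh, of the sanity check a practitioner would run on a regenerated passwd file before installing it: it rejects a candidate that lost root, gained a second UID-0 account, has an empty password field, a duplicated name or UID, or a malformed line, and it lists the UIDs shared between the local base and an AFS export. All sample files are constructed here; the names imara, scmuser, operator, verlyck and aed and the UIDs 1000/1001 come from this page, the jdoe entry and every other UID are made up. The install_if_clean wrapper is an assumption about how one might gate the import, not how make_passwd.sh actually works.

```shell
#!/bin/bash
# Added example: sanity checks for a regenerated /etc/passwd before it goes live.
# Not part of the page's make_passwd.sh; all sample data below is constructed.

# check_passwd FILE
# Prints one problem per line; returns 1 if any is found, 0 if the file is clean.
check_passwd() {
    awk -F: '
        BEGIN { bad = 0 }
        NF != 7 { print "line " NR ": expected 7 fields, got " NF; bad = 1; next }
        $2 == "" { print $1 ": empty password field"; bad = 1 }
        $1 == "root" { root_seen = 1; if ($3 != 0) { print "root has UID " $3; bad = 1 } }
        $3 == 0 && $1 != "root" { print $1 ": UID 0 but not root"; bad = 1 }
        seen_name[$1]++ { print $1 ": duplicate user name"; bad = 1 }
        seen_uid[$3]++ { print "UID " $3 " shared by " first_name[$3] " and " $1; bad = 1 }
        !($3 in first_name) { first_name[$3] = $1 }
        END {
            if (!root_seen) { print "root account missing"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# uid_collisions LOCAL_PASSWD AFS_PASSWD
# Prints "UID local_name afs_name" for every UID present in both files.
uid_collisions() {
    awk -F: 'NR == FNR { local_name[$3] = $1; next }
             ($3 in local_name) { print $3, local_name[$3], $1 }' "$1" "$2"
}

# install_if_clean CANDIDATE TARGET  (hypothetical wrapper, see lead-in)
# Keeps a dated copy of TARGET, then replaces it with CANDIDATE only if
# check_passwd accepts the candidate. TARGET is left untouched otherwise.
install_if_clean() {
    local candidate="$1" target="$2"
    cp -p "$target" "$target.$(date +%Y%m%d)" || return 2
    if check_passwd "$candidate" >&2; then
        cp -p "$candidate" "$target"
    else
        echo "refusing to install $candidate over $target" >&2
        return 1
    fi
}

# Constructed sample data: a local base, an AFS export and a broken candidate.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd.local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
operator:x:1002:1002:Local admin account:/home/operator:/bin/bash
imara:x:1000:1000:Imara shared files:/srv/imara_data:/bin/false
scmuser:x:1001:1001:SCM checkout user:/srv/scmuser:/bin/bash
EOF
# Two of these UIDs collide with local accounts, as the page notes for verlyck and aed.
cat > "$SAMPLE_DIR/passwd.afs" <<'EOF'
verlyck:x:1000:100:AFS user:/afs/inria.fr/rocq/home/imara/verlyck:/bin/bash
aed:x:1001:100:AFS user:/afs/inria.fr/rocq/home/imara/aed:/bin/bash
jdoe:x:4242:100:AFS user (made up):/afs/inria.fr/rocq/home/imara/jdoe:/bin/bash
EOF
# A candidate that must be rejected: root gone, a passwordless UID-0 account,
# a duplicated name and a truncated line.
cat > "$SAMPLE_DIR/passwd.bad" <<'EOF'
toor::0:0:not root:/root:/bin/bash
imara:x:1000:1000:Imara shared files:/srv/imara_data:/bin/false
imara:x:1003:1000:Imara shared files:/srv/imara_data:/bin/false
broken:x:5
EOF

# Stand-alone run: the clean base passes, the bad candidate is rejected and the
# live copy is left as it was; the two expected UID collisions are listed.
cp "$SAMPLE_DIR/passwd.local" "$SAMPLE_DIR/passwd.live"
check_passwd "$SAMPLE_DIR/passwd.local" && echo "passwd.local: OK"
install_if_clean "$SAMPLE_DIR/passwd.bad" "$SAMPLE_DIR/passwd.live" || echo "passwd.bad: rejected"
uid_collisions "$SAMPLE_DIR/passwd.local" "$SAMPLE_DIR/passwd.afs"
```

On the real system the candidate would be whatever make_passwd.sh produces, written to a temporary file rather than straight over /etc/passwd, and pwck(8) is worth running on it as well; the checks above are the ones that catch the failure modes this page worries about (a lost or duplicated account, and a UID quietly shared with an AFS user).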

Samba server

The specific configuration file is located in /srv/samba/smb.conf, the shares are at the bottom. It is symlinked as /etc/samba/smb.conf.

Most of the shared files are stored in /srv/imara_data.

Web server

In /srv/www lies a file called imara-apache.conf, which is the Apache configuration enabling access to the Imara website. It has been symlinked as /etc/apache2/sites-enabled/000-imara so that the computer serves Imara content. Any modification to this file must be followed by a restart:

$ sudo /etc/init.d/apache2 restart
AFS Password: 
Password:
Forcing reload of web server (apache2)....

IPv6 Redirections for the LaRA websites

:!: DEPRECATION WARNING :!: Fylvestre is no longer used for this purpose. It is now gw.imara.inria.fr which serves this role, as well as DNS server for the names. :!:

fylvestre used to be the IPv6 front end for the LaRA website, transparently proxying IPv6 requests to Inria's IPv4 servers (http://www-roc.inria.fr). The same went for http://imara.inria.fr, http://caor.mines-paristech.fr and http://caor.ensmp.fr.

:!: fylvestre does not host any content for these sites. Everything is hosted on http://www-roc.inria.fr. The following was just a transparent (though kludgy) redirection until www-roc became IPv6-enabled.

In /srv/www/imara-apache.conf:

...
<VirtualHost *:80>
        ServerAdmin webmaster@fylvestre.inria.fr
        ServerName www.lara.prd.fr
        ServerAlias lara.prd.fr imara.inria.fr caor.mines-paristech.fr caor.ensmp.fr
        # Reverse proxy only: ProxyRequests is left at its default (Off), so this
        # vhost never behaves as an open forward proxy to arbitrary destinations.
        # IP address for www-roc.inria.fr as of 2010-01-14 (hard-coded: breaks if it changes)
        ProxyPass / http://192.93.2.19/
        ProxyPassReverse / http://192.93.2.19/
        # Pass the client's Host header through so that www-roc selects the right site
        ProxyPreserveHost On
        <Proxy http://192.93.2.19/>
                Order deny,allow
                Allow from all
        </Proxy>
</VirtualHost>

Local System Backups using rdiff-backup

The /etc and /var directories are backed up every month using rdiff-backup to /srv/fylvestre_backup. Available increments can be listed with rdiff-backup -l /srv/fylvestre_backup/etc and an older state restored with --restore-as-of.

/etc/cron.monthly/rdiff-backup:

#!/bin/bash
# Monthly incremental backup of system configuration and state to the /srv disk;
# --create-full-path creates the destination directories on the first run.
/usr/bin/rdiff-backup --create-full-path /etc /srv/fylvestre_backup/etc >/dev/null
/usr/bin/rdiff-backup --create-full-path /var /srv/fylvestre_backup/var >/dev/null

Remote backup using NetWorker

Inria has a remote backup system available for our computers. Usage of this service has been set up on fylvestre as follows.

Installation

The axlan user, with UID 11416 and GID 25051, is created and then given a strong password. As group 25051 does not exist on the system, useradd is first run with -g 0 (i.e. the root group) and the primary GID is then rewritten in /etc/passwd with sed. Creating the group first (groupadd -g 25051) would avoid both the hand edit of /etc/passwd and the brief spell in the root group.

$ sudo useradd -c "NetWorker remote backup user" -d /var/run/axlan -g 0 -m -u 11416 axlan
$ sudo sed -i "s/^axlan:x:11416:0/axlan:x:11416:25051/" /etc/passwd
$ sudo passwd axlan

The packages are available on a network file system, which we mount.

$ sudo mount logiciels-roc:/pub/networker /mnt/

Said packages are in the (ugly) RPM format, which can be converted into Debian packages using Alien. The newly created packages are then installed.

$ sudo apt-get install alien
[...]
$ sudo alien --to-deb /mnt/nfs/lgtoclnt-7.1.3-1.i686.rpm
$ sudo alien --to-deb /mnt/nfs/lgtoman-7.1.3-1.i686.rpm
$ sudo dpkg -i lgtoclnt_7.1.3-2_i386.deb 
(Reading database ... 42832 files and directories currently installed.)
Preparing to replace lgtoclnt 7.1.3-2 (using lgtoclnt_7.1.3-2_i386.deb) ...
Unpacking replacement lgtoclnt ...
Setting up lgtoclnt (7.1.3-2) ...
operator@fylvestre:~$ sudo dpkg -i lgtoman_7.1.3-2_i386.deb 
Selecting previously deselected package lgtoman.
(Reading database ... 42832 files and directories currently installed.)
Unpacking lgtoman (from lgtoman_7.1.3-2_i386.deb) ...
Setting up lgtoman (7.1.3-2) ...

Firewall

Ports (TCP and UDP) 7937 to 9936 and 10001 to 30000, as well as the portmap one (111), must not be blocked by a firewall. As written below, the rules accept these ranges from any source; since they are wide, restrict them to the backup server's address (e.g. with -s tanana.inria.fr) on a host exposed beyond Inria's network.

$ sudo iptables -A INPUT -p tcp --dport 111 -j ACCEPT
$ sudo iptables -A INPUT -p udp --dport 111 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 7937:9936 -j ACCEPT
$ sudo iptables -A INPUT -p udp --dport 7937:9936 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 10001:30000 -j ACCEPT
$ sudo iptables -A INPUT -p udp --dport 10001:30000 -j ACCEPT

Configuration

The configuration files should be located in /nsr/res.

$ sudo mkdir -p /nsr/res

The backup server has to be specified.

$ sudo -s
# cat << EOF > /nsr/res/servers
> tanana.inria.fr
> EOF
# exit

FIXME The following is no longer done, as putting a .nsr in / with the given contents would prevent anything from being backed up. The directory trees to save are now configured on the backup server by the backup team, adm-save@inria.fr.

We only want to save what's under /srv, plus any additional project-specific disk. For every other mounted filesystem (/, /home, /tmp, /var), a file called .nsr would have to be created at its root, containing:

+skip: * .?*

Startup script

Finally, we want the service to start automatically at boot time. This requires a startup script named /etc/init.d/networker:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          nsrexecd
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: LEGATO NetWorker Client init script
### END INIT INFO
 
# Author: Olivier Mehani <olivier.mehani@inria.fr>
 
# Do NOT "set -e"
 
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="LEGATO NetWorker Client for Linux Platforms"
NAME=nsrexecd
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS=""
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/networker
 
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
 
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions
 
#
# Function that starts the daemon/service
#
do_start()
{
	# Return
	#   0 if daemon has been started
	#   1 if daemon was already running
	#   2 if daemon could not be started
	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
		|| return 1
	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
		$DAEMON_ARGS \
		|| return 2
}
 
#
# Function that stops the daemon/service
#
do_stop()
{
	# Return
	#   0 if daemon has been stopped
	#   1 if daemon was already stopped
	#   2 if daemon could not be stopped
	#   other if a failure occurred
	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
	RETVAL="$?"
	[ "$RETVAL" = 2 ] && return 2
	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
	[ "$?" = 2 ] && return 2
	# Many daemons don't delete their pidfiles when they exit.
	rm -f $PIDFILE
	return "$RETVAL"
}
 
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
	#
	# If the daemon can reload its configuration without
	# restarting (for example, when it is sent a SIGHUP),
	# then implement that here.
	#
	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
	return 0
}
 
case "$1" in
  start)
	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
	do_start
	case "$?" in
		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
	esac
	;;
  stop)
	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
	do_stop
	case "$?" in
		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
	esac
	;;
  #reload|force-reload)
	#
	# If do_reload() is not implemented then leave this commented out
	# and leave 'force-reload' as an alias for 'restart'.
	#
	#log_daemon_msg "Reloading $DESC" "$NAME"
	#do_reload
	#log_end_msg $?
	#;;
  restart|force-reload)
	#
	# If the "reload" option is implemented then remove the
	# 'force-reload' alias
	#
	log_daemon_msg "Restarting $DESC" "$NAME"
	do_stop
	case "$?" in
	  0|1)
		do_start
		case "$?" in
			0) log_end_msg 0 ;;
			1) log_end_msg 1 ;; # Old process is still running
			*) log_end_msg 1 ;; # Failed to start
		esac
		;;
	  *)
	  	# Failed to stop
		log_end_msg 1
		;;
	esac
	;;
  *)
	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
	echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
	exit 3
	;;
esac
 
:

This script must be added to the startup sequence, then started manually for the time being (until the next reboot).

$ sudo update-rc.d  networker defaults
 Adding system startup for /etc/init.d/networker ...
   /etc/rc0.d/K20networker -> ../init.d/networker
   /etc/rc1.d/K20networker -> ../init.d/networker
   /etc/rc6.d/K20networker -> ../init.d/networker
   /etc/rc2.d/S20networker -> ../init.d/networker
   /etc/rc3.d/S20networker -> ../init.d/networker
   /etc/rc4.d/S20networker -> ../init.d/networker
   /etc/rc5.d/S20networker -> ../init.d/networker
$ sudo /etc/init.d/networker start
Starting LEGATO NetWorker Client for Linux Platforms: nsrexecd.
 
documentation/fylvestre.txt · Last modified: 2012/01/23 09:37 by Olivier Mehani