Cleaning MPDL Servers

This page shows which administrative modifications certain MPDL machines already have undergone or should undergo in the near future.

Actions already taken
The following types of customizations have already been applied to some of MPDL's physical (srv[01-11]) or virtual machines (vm[01-73] except vm[01,09,54,56-59]):
 * Profiles: disabled system-wide /etc/bash.bashrc.local profiles and moved relevant content of /etc/profile.local to appropriate service profiles in /etc/profile.d
 * Sudoers: added users to the wheel group and changed /etc/sudoers accordingly
 * Root Mails: added appropriate aliases to /etc/aliases to avoid a local root mail sink
 * PDSH: added package pdsh (version 2.10-24 for SLES 10.2, version 2.26-12.1 for SLES 11.[1-3]) to make use of pdcp
 * SNMP Configuration: modified /etc/snmp/snmpd.conf to reflect the now working root mails and changed disks
 * TSM: revised new TSM client installation and configuration
 * System Crontab: <tt>/etc/crontab</tt> has been cleaned of actions (to be) taken over by Icinga and reset to system defaults
 * Silent Rotation: modified <tt>/etc/logrotate.d/net-snmp</tt> and <tt>/etc/logrotate.d/syslog</tt> to allow silent standard log rotation
 * Last Log: the system's last log <tt>/var/log/wtmp</tt> has been excluded from monthly truncation
 * Online Updates: removed the weekly crontab entry causing failing online updates (<tt>/etc/cron.weekly/opensuse.org-online_update -> /usr/lib/YaST2/bin/online_update</tt>)
 * Postfix Client: replaced sendmail by postfix due to devtools's delivery problems
 * Default Runlevel: set default run level to 3 (not 5)
 * DRM User: consistently added wheel user oper (-c "operator 444") to be able to access the system in case of DRM (e.g. some kinds of root access failure)
 * Basic Shell Environment: started by establishing /etc/profile.d/ashenv.{sh,csh}
 * User Entries: removed directories of non-existing users and re-owned directories of existing users
 * Zypper Repos: created valid working repository definitions
 * NTP: configured NTP and let it set date and time
 * Language: unset non-standard language settings to get back en_US

Deployment status recorded with these items (annotations kept in their original order):
 * done on all hosts
 * with one user having successfully tested user login using a password and sudo to root
 * done on some major hosts
 * done on all hosts, to be extended by svcadmin alias
 * done on all hosts
 * done on vm[30,43,53,71]
 * done on all hosts, with possibly existing entries to be kept extracted to (a possibly empty) /etc/cron.d/local-services and /etc/cron.d/gwdg
 * done on all hosts, with no or a reduced gwdg crontab on vm[30,36-37,43,53]
 * done on all hosts or on vm43 only, respectively
 * done on all hosts
 * done on vm17
 * done on vm[15-16,21,43,53]
 * done on all hosts (seven further annotations)
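To verify that a host actually carries the items above, the following audit script (an added example, not part of the original page or of MPDL's tooling) checks five of them against a root prefix, so it can run on a live host or against a copied tree; the fixture tree and the sudoers/aliases contents it writes are constructed for illustration.

```sh
#!/bin/sh
# Audit one host against the "Actions already taken" list. Each check takes a root
# prefix (default "/") so the same functions run against a live host or a copied
# or constructed tree; on the hosts themselves they can be launched via pdsh.
# A check returns 0 when the item is in place and 1 otherwise.

# Default Runlevel: sysvinit default must be 3 (SLES 10/11 keep it in /etc/inittab)
check_runlevel() { grep -q '^id:3:initdefault:' "$1/etc/inittab" 2>/dev/null; }

# Sudoers: the wheel group must be granted sudo
check_wheel_sudo() { grep -q '^%wheel[[:space:]]' "$1/etc/sudoers" 2>/dev/null; }

# Root Mails: the root alias must exist and not point back to the local root mailbox
check_root_alias() {
  grep -E '^root:[[:space:]]*[^[:space:]]' "$1/etc/aliases" 2>/dev/null |
    grep -qv '^root:[[:space:]]*root[[:space:]]*$'
}

# Profiles: the system-wide bash.bashrc.local must be absent or empty
check_bashrc_local() { [ ! -s "$1/etc/bash.bashrc.local" ]; }

# Online Updates: the weekly cron job that caused failing updates must be gone
check_online_update() { [ ! -e "$1/etc/cron.weekly/opensuse.org-online_update" ]; }

# audit_host ROOT: run every check, print one "<item> ok|FAIL" line, and return
# the number of failed items (0 means the host matches the list)
audit_host() {
  root=${1:-/}; failed=0
  for c in runlevel wheel_sudo root_alias bashrc_local online_update; do
    if "check_$c" "$root"; then status=ok; else status=FAIL; failed=$((failed + 1)); fi
    printf '%-14s %s\n' "$c" "$status"
  done
  return $failed
}

# make_fixture DIR: constructed sample tree (not a real host) that passes every check
make_fixture() {
  mkdir -p "$1/etc/cron.weekly"
  printf 'id:3:initdefault:\n' > "$1/etc/inittab"
  printf 'root ALL=(ALL) ALL\n%%wheel ALL=(ALL) ALL\n' > "$1/etc/sudoers"
  printf 'root: sysadmin@mpdl.mpg.de\n' > "$1/etc/aliases"
}
```

Run `audit_host /` on a host, or `audit_host /mnt/copy` against a mounted copy; a non-zero exit status gives the number of items still missing.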

With pdsh installed on every host and configured on the pdsh master <tt>vm30</tt>, these actions can be spread to all or at least all relevant hosts, the latter meaning groups or categories of hosts sharing a feature that needs a common action or treatment.
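One way to drive such a rollout from the pdsh master, as an added example that is not part of the original page: it expands the host-group notation used above (e.g. vm[15-16,21,43,53]) into host names, copies one file with pdcp and compares the remote checksum against the local one. It assumes pdsh and pdcp are installed and that root can reach the hosts over ssh; the file name /tmp/a.sh used in the dry run is constructed.

```sh
#!/bin/sh
# Roll one file out from the pdsh master (vm30 on this page) to a host group and
# verify it arrived intact. Host groups use the pdsh range notation from the page,
# e.g. "vm[15-16,21,43,53]". Set DRY_RUN=1 to only print the commands.

# Strip leading zeros so "08" is not read as octal by printf/arithmetic.
dec() { n=${1#"${1%%[!0]*}"}; printf '%s' "${n:-0}"; }

# expand_hosts 'vm[15-16,21,43,53]' -> "vm15 vm16 vm21 vm43 vm53"
# Ranges keep the zero padding of their lower bound, as pdsh does ("srv[01-11]" -> srv01 ...).
expand_hosts() {
  case $1 in
    *\[*\]) prefix=${1%%\[*}; body=${1#*\[}; body=${body%\]} ;;
    *)      printf '%s\n' "$1"; return 0 ;;
  esac
  (
    IFS=,; out=
    for part in $body; do
      case $part in
        *-*) lo=${part%-*}; hi=${part#*-}; w=${#lo}
             i=$(dec "$lo"); last=$(dec "$hi")
             while [ "$i" -le "$last" ]; do
               out="$out $prefix$(printf "%0${w}d" "$i")"; i=$((i + 1))
             done ;;
        *)   out="$out $prefix$part" ;;
      esac
    done
    printf '%s\n' "${out# }"
  )
}

# run CMD...: execute the command, or only echo it when DRY_RUN is set
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# rollout_file SRC DEST HOSTSPEC: copy SRC to DEST on every host of the group, then
# compare each host's checksum with the local one (a transfer check, not a security control)
rollout_file() {
  src=$1; dest=$2; hosts=$(expand_hosts "$3" | tr ' ' ',')
  run pdcp -w "$hosts" "$src" "$dest"
  if [ -z "$DRY_RUN" ]; then
    local_sum=$(sha1sum "$src" | cut -d' ' -f1)
    # pdsh prefixes every output line with "host: ", so $1 is the host and $2 the sum
    pdsh -w "$hosts" sha1sum "$dest" |
      awk -v want="$local_sum" '$2 != want { print "checksum mismatch on " $1 }'
  fi
}
```

Example: `rollout_file /etc/profile.d/ashenv.sh /etc/profile.d/ashenv.sh 'vm[15-16,21,43,53]'` pushes the basic shell environment to that group and lists any host whose copy differs.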

Sample VM
As <tt>vm33</tt> might serve as a template for future virtual machines, the following modifications have already been done there:
 * modified scripts from <tt>/root/bin</tt> not to spoil <tt>/</tt> but to use <tt>/root</tt>, and to use the mailing list <tt>sysadmin@mpdl.mpg.de</tt> instead of the deprecated <tt>rnd-admin</tt>,
 * removed unused /X and /Y directories

Furthermore, these modifications have been pushed out to prevent further error logs from spreading everywhere:
 * added <tt>/etc/profile.d/dsm.[c]sh</tt>, mainly to prevent floating <tt>dsmerror.log</tt> locations
 * installed <tt>pdsh</tt> package <tt>pdsh-2.26-12.1.x86_64.rpm</tt> to allow for easier remote administration

Nevertheless no virtual machine, including <tt>vm33</tt>, <B>shall serve as a VM template.</B> A suitable template has to be created from scratch based on a sober installation including proper cleanup on deployment.

Actions to be taken
Further types of actions aiming at more consistency should include:
 * Boot Local: <tt>/etc/init.d/boot.local</tt> mod to establish cleanup of temporary directories, pid, and lock files
 * Root SSH Identity: all common or all separate ssh identities for root
 * Host SSH Identity: same for host keys
 * Root Auth: wheel group users access to root via ssh's authorized keys (common <tt>authorized_keys</tt>)
 * User Login: manage common MPDL user accounts or groups
 * GWDG User: bundle GWDG access into one single GWDG shared user account
 * Spoiled /, /tmp, and /root: move unwanted or lost files to more appropriate locations or have them deleted
 * Notification: do not propagate trivial information by Icinga, focus on real errors instead
 * Boot Cleanup: allow for successful reboot in case of disk full or daemon start fail conditions
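The Boot Local and Boot Cleanup items could be backed by a script like the following, an added example rather than anything from the page or from MPDL's hosts: it removes pid files whose process is gone and purges old files from the temporary directories, so a host does not fail its next boot on a full disk or a stale pid file. RUN_DIR, TMP_DIRS and MAX_AGE_DAYS are assumed, overridable settings; DRY_RUN=1 only lists what would be removed.

```sh
#!/bin/sh
# Boot-time cleanup of stale pid files and old temporary files, meant to be called
# from /etc/init.d/boot.local. All paths and the age limit can be overridden so the
# functions can be exercised against a constructed tree before touching a host.

RUN_DIR=${RUN_DIR:-/var/run}
TMP_DIRS=${TMP_DIRS:-/tmp /var/tmp}
MAX_AGE_DAYS=${MAX_AGE_DAYS:-30}

# remove FILE: delete it, or only report it when DRY_RUN is set
remove() { if [ -n "$DRY_RUN" ]; then printf 'would remove %s\n' "$1"; else rm -f -- "$1"; fi; }

# pid_alive PID: true when a process with that pid exists (kill -0 sends no signal);
# anything that is not a number counts as dead, so garbage pid files get cleaned too
pid_alive() { case $1 in ''|*[!0-9]*) return 1 ;; esac; kill -0 "$1" 2>/dev/null; }

# clean_stale_pidfiles: drop RUN_DIR/*.pid and RUN_DIR/*/*.pid whose process is gone;
# prints the number of files removed (or that would be removed)
clean_stale_pidfiles() {
  n=0
  for f in "$RUN_DIR"/*.pid "$RUN_DIR"/*/*.pid; do
    [ -f "$f" ] || continue
    pid=$(head -n1 "$f" | tr -d '[:space:]')
    if ! pid_alive "$pid"; then remove "$f" >&2; n=$((n + 1)); fi
  done
  echo "$n"
}

# old_files DIR [FIND-ACTION...]: regular files under DIR untouched for MAX_AGE_DAYS;
# -xdev stays on one filesystem and lock files are left alone
old_files() { d=$1; shift; find "$d" -xdev -type f -mtime +"$MAX_AGE_DAYS" ! -name '*.lock' "$@"; }

# clean_tmp: purge old files from every directory in TMP_DIRS; prints the count
clean_tmp() {
  n=0
  for d in $TMP_DIRS; do
    [ -d "$d" ] || continue
    c=$(old_files "$d" | wc -l); n=$((n + c))
    if [ -n "$DRY_RUN" ]; then old_files "$d" | sed 's/^/would remove /' >&2
    else old_files "$d" -exec rm -f -- {} +; fi
  done
  echo "$n"
}
```

SLES already ships a tmp-directory cleanup of its own, controlled by CLEAR_TMP_DIRS_AT_BOOTUP, MAX_DAYS_IN_TMP and TMP_DIRS_TO_CLEAR in /etc/sysconfig/cron; check those settings before duplicating the behaviour in boot.local.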

Probably there are many more aspects to take care of than the ones listed.

Actions in question
Some questionable services were detected where it is not clear whether to roll them out globally or disable them completely:
 * Automatic Online Updates: controlled by <tt>/etc/cron.weekly/opensuse.org-online_update</tt> and <tt>/etc/sysconfig/automatic_online_update</tt>, which aren't part of any package

Physical and Virtual Machines
The current distribution of virtual machines looks as follows (condensed from MPDL IT Infrastructure):