Sown-Auth Migration: Difference between revisions
From SUWS-wiki
Older revision: DavidNewman (talk | contribs) (Added priorities)
Newer revision: DavidNewman (talk | contribs) (All problems fixed :))
(5 intermediate revisions by the same user not shown)
Older revision (Added priorities); the newer revision is the latest revision shown below:
''Priority Key: 1 = Fix ASAP, 2 = Not a big problem if it takes a week or two to fix, 3 = Would like to fix but can be left to last.''
# Move NWMONITOR/NAGIOS check to gw as that is a box that is known to be monitored by NWMONITOR. (Priority 3)
#* This requires some iptables and syslog configuration.
#* It would be useful if this could be documented, in case we want to move/add to another server in future.
#* Morse is best placed to do this.
# Fix SOWN-Bot's SVN/Git reminders so they don't depend on or check SVNs on auth. (Priority 2)
#* daveruss will look into fixing this.
#* These are now fixed from SOWN-Bot's end.
#* These will need fixing SVN/Git repo end with db credential updates and new users / granted privileges in the database.
# Move Debsums to auth2 and make sure
#* daveruss
# <strike>Remove auth as a DNS server from all bind configuration.</strike> (Priority 2)
#* daveruss has removed the ns2 record associated with auth for IPv4, IPv6 and reverse records.
# <strike>Check all resolv.conf files for auth (10.13.0.252) still being used as a DNS server.</strike> (Priority 1)
#* daveruss has checked all the resolv.conf files and resolvconf.d files and removed all references to 10.13.0.252.
# Radius checks for Radmatrix need to be moved to auth2. (Priority 1)
#* These have been moved, as has the check_eapol script.
#* eapol_test has been recompiled on auth2 and placed in the appropriate directory.
#* /etc/freeradius/proxy.conf needs updating for shared secrets. However, these will only work via sown-auth's ECS IP. It is probably worth switching this over to auth2, making it auth2's primary ECS interface and putting auth2's current IP on a virtual interface on the same physical interface.
#* Reorganised the interfaces on auth2, but simply updating proxy.conf to what was running on auth does not work.
#* Could Morse look at proxy.conf (and proxy.conf.old and proxy.conf.new) on auth2 in /etc/freeradius/.
# <strike>Remove Icinga config (MySQL query to auth sown_data DB, service checks, service dependencies etc.) that are dependent on auth.</strike> (Priority 2)
#* daveruss has done this, marking the commented-out lines with "auth-based check".
# Fix widgets on www.sown.org.uk homepage for host and service checks, etc. (Priority 1)
#* daveruss will look into this.
#* Moved to sown-monitor, renamed the directory status-icinga and updated the file_get_contents URLs on the public website, which are now mainly working.
#* Still having some problems with the generateNodeXML.php script which is probably the reason the map is currently broken.
Latest revision as of 12:04, 25 May 2015
''Priority Key: 1 = Fix ASAP, 2 = Not a big problem if it takes a week or two to fix, 3 = Would like to fix but can be left to last.''
# <strike>Move NWMONITOR/NAGIOS check to gw as that is a box that is known to be monitored by NWMONITOR.</strike> (Priority 3)
#* This requires some iptables and syslog configuration.
#* It would be useful if this could be documented, in case we want to move/add to another server in future.
#* Ported syslog-ng config. Needs some manipulation as auth2 is only running syslog-ng 2 (not 3).
#* Added iptables rule to /etc/rc.local (nasty).
#* Morse is best placed to do this.
# <strike>Fix SOWN-Bot's SVN/Git reminders so they don't depend on or check SVNs on auth.</strike> (Priority 2)
#* daveruss will look into fixing this.
#* These are now fixed from SOWN-Bot's end.
#* This has been fixed on auth2 and monitor SVN/GIT repo end. SVN repos on dev have also been added with a new cron job on dev.
#* These will need fixing SVN/Git repo end with db credential updates and new users / granted privileges in the database.
# <strike>Move passive Debsums cron job checks to auth2 and make sure all supporting files are also copied across.</strike> (Priority 2)
#* daveruss has now done this and all the checks have gone OK.
# <strike>Remove auth as a DNS server from all bind configuration.</strike> (Priority 2)
#* daveruss has removed the ns2 record associated with auth for IPv4, IPv6 and reverse records.
# <strike>Check all resolv.conf files for auth (10.13.0.252) still being used as a DNS server.</strike> (Priority 1)
#* daveruss has checked all the resolv.conf files and resolvconf.d files and removed all references to 10.13.0.252.
# <strike>Radius checks for Radmatrix need to be moved to auth2.</strike> (Priority 1)
#* These have been moved, as has the check_eapol script.
#* eapol_test has been recompiled on auth2 and placed in the appropriate directory.
#* /etc/freeradius/proxy.conf needs updating for shared secrets. However, these will only work via sown-auth's ECS IP. It is probably worth switching this over to auth2, making it auth2's primary ECS interface and putting auth2's current IP on a virtual interface on the same physical interface.
#* One problem was that auth and auth2 have different RADIUS shared secrets, so when auth's config was copied over this needed to be changed.
#* auth2's /etc/network/interfaces set a gateway of eth0:1 (auth2's rather than auth's IP), which caused traffic to be routed out through the wrong interface/IP.
#* Still some issues with the checks for ECS/SOTON servers. Suspect this is a shared secret issue.
#* Reorganised the interfaces on auth2, but simply updating proxy.conf to what was running on auth does not work.
#* Could Morse look at proxy.conf (and proxy.conf.old and proxy.conf.new) on auth2 in /etc/freeradius/.
#* The localhost config in proxy.conf is used to find the shared secret for ECS and SOTON servers. So the RADIUS secret for auth2 needs to be the same as was used for auth.
#* After changing this, restarted freeradius. Also restarted some apache servers on various machines to make sure they can work with RADIUS (shouldn't be necessary).
#* Need to update the freeradius secret for the PHP eapol_test function in /etc/php5/conf.d/eapol_test.ini.
# <strike>Remove Icinga config (MySQL query to auth sown_data DB, service checks, service dependencies etc.) that are dependent on auth.</strike> (Priority 2)
#* daveruss has done this, marking the commented-out lines with "auth-based check".
# <strike>Fix widgets on www.sown.org.uk homepage for host and service checks, etc. (Priority 1)</strike>
#* daveruss will look into this.
#* Moved to sown-monitor, renamed the directory status-icinga and updated the file_get_contents URLs on the public website, which are now mainly working.
#* Still having some problems with the generateNodeXML.php script which is probably the reason the map is currently broken.
#** This was due to the code not dealing very well with exactly one node being deployed and up.
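Two of the items above turned into recurring post-migration checks: resolver files still pointing at the retired auth box (10.13.0.252), and the RADIUS shared secret in the localhost block of /etc/freeradius/proxy.conf drifting from the copy the PHP eapol_test function reads from /etc/php5/conf.d/eapol_test.ini. The script below is an added example, not part of the SUWS wiki page or of SOWN's own tooling. The IP and file paths come from the list above; the sample /etc tree, the secrets, and the `eapol_test.secret` key name in the ini are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the SUWS wiki): post-migration consistency checks.
# The retired DNS server IP is taken from the page; everything under the
# constructed demo tree (files, secrets, the eapol_test.secret ini key) is
# an assumption made for this example.

STALE_DNS="10.13.0.252"
# Escape the dots so the IP is matched literally by grep -E.
STALE_RE=$(printf '%s' "$STALE_DNS" | sed 's/\./\\./g')

# Build a constructed stand-in for /etc on a freshly migrated host.
setup_demo() {
  DEMO=$(mktemp -d)
  mkdir -p "$DEMO/resolvconf/resolv.conf.d" "$DEMO/freeradius" "$DEMO/php5/conf.d"
  printf 'nameserver 10.13.0.252\nnameserver 10.13.0.253\n' > "$DEMO/resolv.conf"
  printf 'nameserver 10.13.0.253\n' > "$DEMO/resolvconf/resolv.conf.d/base"
  printf '# stale entry left behind\nnameserver 10.13.0.252\n' > "$DEMO/resolvconf/resolv.conf.d/tail"
  # The localhost home_server block is where proxy.conf keeps the shared secret.
  cat > "$DEMO/freeradius/proxy.conf" <<'EOF'
home_server localhost {
	type = auth
	ipaddr = 127.0.0.1
	port = 1812
	secret = constructed-secret-A
}
EOF
  # Constructed ini carrying a stale (mismatched) copy of the secret.
  printf 'eapol_test.secret = "constructed-secret-B"\n' > "$DEMO/php5/conf.d/eapol_test.ini"
  echo "$DEMO"
}

# Check 1: report every resolver file under the given etc root that still
# names the retired DNS server. Returns 0 when clean, 1 when any reference remains.
check_stale_dns() {
  etc="$1"
  found=0
  for f in "$etc/resolv.conf" "$etc"/resolvconf/resolv.conf.d/*; do
    [ -f "$f" ] || continue
    if grep -Eq "^[[:space:]]*nameserver[[:space:]]+$STALE_RE([[:space:]]|\$)" "$f"; then
      echo "STALE: $f still lists $STALE_DNS"
      found=1
    fi
  done
  return $found
}

# Print the secret from the 'home_server localhost { ... }' block of proxy.conf.
radius_secret() {
  awk '/^home_server[[:space:]]+localhost[[:space:]]*[{]/ {inblk=1}
       inblk && /^[}]/ {inblk=0}
       inblk && /^[[:space:]]*secret[[:space:]]*=/ {
         sub(/^[[:space:]]*secret[[:space:]]*=[[:space:]]*/, ""); print; exit }' "$1"
}

# Print the secret the PHP eapol_test wrapper uses (constructed key name).
eapol_secret() {
  sed -n 's/^eapol_test\.secret[[:space:]]*=[[:space:]]*"\(.*\)".*$/\1/p' "$1"
}

# Check 2: both copies of the RADIUS secret must be present and identical.
check_radius_secret() {
  etc="$1"
  a=$(radius_secret "$etc/freeradius/proxy.conf")
  b=$(eapol_secret "$etc/php5/conf.d/eapol_test.ini")
  if [ -n "$a" ] && [ "$a" = "$b" ]; then
    echo "OK: RADIUS secret consistent between proxy.conf and eapol_test.ini"
    return 0
  fi
  echo "MISMATCH: proxy.conf secret '$a' vs eapol_test.ini secret '$b'"
  return 1
}

# Run both checks against an etc root and print how many failed.
run_checks() {
  n=0
  check_stale_dns "$1" || n=$((n+1))
  check_radius_secret "$1" || n=$((n+1))
  echo "$n failing check(s)"
}

run_checks "$(setup_demo)"
```

The check functions take the etc root as an argument so the same script can be pointed at a real `/etc` once the demo tree is dropped; on the constructed tree it reports the two stale resolver files and the secret mismatch, which is the state auth2 was in before the secret was aligned with auth.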