Configuration and Maintenance

Burgess, Ch.7
www.infotech.monash.edu
Introduction
• Configuration – How to initially set up the system as required
• Maintenance – How to keep it that way!!
• Systems tend towards disorder during use
• There are more ways for disorder to occur
Setting Policies
• Definition
– A clear expression of goals and responses
– Prepares for possible errors or problems
– Documents Intent and Procedure
• Necessary in medium to large organisations or where many
administrators co-operate
• Helps to align system operation with organisational
objectives
System Policy includes:
• Organisational rights and responsibilities
• User rights and Account procedures
• Network infrastructure and access rights
• Application limits and responsibilities
– FTP, eMail, Printing, Web pages, CGI
• Security and Privacy
Example:
– http://www.its.monash.edu.au/policies/
Network Policy
• Network structure derived from
– Design or Functional requirements
– Geography or Building constraints
– Network Engineering constraints
• Policies should relate to operational goals
– Small organisation – resource sharing
> single network, repeaters/switches
– Bigger organisation – sharing & reduced traffic
> Subnets – switches/routers
Network Policy (cont’d)
• Segmentation
– Subnet addressing
– Logical to physical address mapping (VLANs?)
– Port Blocking? Different on each subnet?
– Blocking at Firewall or Router?
• Address configuration
– IP - Static /etc/hosts, RARP, BOOTP, DHCP
• Name Resolution
– IP – DNS, WINS
• Directory – LDAP, MS PDC, Novell NDS
Applications Policy
• TFTP/FTP – Anonymous, Read-Only ?
• SMTP
– Name aliases (eg [email protected])
– File size and type limitations (ie attachments)
– SPAM filtering
– Virus checking
• HTTP
– Content & Style guides, plagiarism, authorisation?
– CGI / Modules allowed?
(eg Apache mod_perl, mod_ssl)
– Load Limiting
Resource Sharing Policy
• Printing
– Personal printing? Page count quotas?
– Colour vs Monochrome
• File Systems
– Common/Shared directories? Read-only?
• Backups
– Global or Local?
– Image or File?
– Archival or Incremental?
Network Security Policies
• Physical security of Servers & Workstations
• File/Directory/Resource access control lists
– UFS, NFS, Kerberos, NIS+, PDC, NDS
• Superuser/Administrator Passwords
• Enforced password aging and format rules
• License servers
• Logging and Auditing
• Encryption tools supported?
Some Common
Configuration and Maintenance activities
Synchronisation
• Keeping the time-of-day clocks set correctly on all hosts
within a network
• Many security and maintenance tasks depend on time-of-day
or elapsed time
• Hardware clock accuracy varies greatly
• Can use UNIX script (rsh command)
• Better to use NTP
(xntpd or shareware available for most OSes)
Executing Scheduled Tasks
• Most host management systems require regular execution of
housekeeping tasks
• This is a key feature in most configuration management
systems
• Unix cron service
– crontab command
– /etc/crontab file format
• Windows Schedule service
– at command
Unix cron service
• To edit a user crontab: crontab -e
• To list user crontab entries: crontab -l -u <user>
• crontab format:
min(0-59) hr(0-23) day(1-31) mth(1-12) weekday(M-S) ShellCmd
‘*’ in any position means ‘any’
#Run script every weekday morning Mon-Fri at 3:15am
15 3 * * Mon-Fri /usr/local/bin/script
# The root crontab
0 2 * * 0,4 /etc/cron.d/logchecker
5 4 * * 6 /usr/lib/newsyslog
0 0 * * * /usr/local/bin/cfwrap /usr/local/bin/cfdaily
30 * * * * /usr/local/bin/cfwrap /usr/local/bin/cfhourly
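
The five-field format above, as an added example in Python (not from the slides or from Burgess): it expands each field of a user-crontab line and reports whether the entry fires at a given time. Function names are illustrative; the rule that a restricted day and a restricted weekday combine as "either" is Vixie-style cron behaviour assumed here, and the `Mon-Fri` name range from the slide is accepted although some cron manuals list only the numeric form `1-5`.

```python
DAYS = {d: i for i, d in enumerate("sun mon tue wed thu fri sat".split())}
FIELDS = [("min", 0, 59), ("hr", 0, 23), ("day", 1, 31),   # name, lowest, highest
          ("mth", 1, 12), ("weekday", 0, 7)]

def expand(field, lo, hi, names=None):
    """Expand one field ('*', 'a', 'a-b', 'a,b', '*/n') into a set of ints."""
    def num(tok):
        val = names[tok.lower()] if names and tok.lower() in names else int(tok)
        if not lo <= val <= hi:
            raise ValueError(f"{tok!r} outside {lo}-{hi}")
        return val
    out = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = lo, hi
        else:
            a, _, b = rng.partition("-")
            start, end = num(a), num(b or a)
        if start > end:
            raise ValueError(f"reversed range {rng!r}")
        out.update(range(start, end + 1, int(step or 1)))
    return out

def parse_entry(line):
    """Split a user-crontab line into ({field: set of ints}, raw fields, command)."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("need five time fields and a command")
    sched = {name: expand(text, lo, hi, DAYS if name == "weekday" else None)
             for (name, lo, hi), text in zip(FIELDS, parts)}
    sched["weekday"] = {d % 7 for d in sched["weekday"]}  # 7 also means Sunday
    return sched, parts[:5], parts[5]

def fires_at(line, when):
    """True if the entry runs in the minute of `when` (a datetime)."""
    sched, raw, _cmd = parse_entry(line)
    if not (when.minute in sched["min"] and when.hour in sched["hr"]
            and when.month in sched["mth"]):
        return False
    day_ok = when.day in sched["day"]
    dow_ok = (when.weekday() + 1) % 7 in sched["weekday"]  # Python Mon=0, cron Sun=0
    # Assumed Vixie-style rule: if day and weekday are both restricted, either may match
    if raw[2] != "*" and raw[4] != "*":
        return day_ok or dow_ok
    return day_ok and dow_ok

WEEKDAY_JOB = "15 3 * * Mon-Fri /usr/local/bin/script"   # entries from the slide
LOGCHECK = "0 2 * * 0,4 /etc/cron.d/logchecker"
```

Running every line of a crontab through `parse_entry` before installing it catches out-of-range fields such as a minute of 61, which would otherwise leave a housekeeping or log-checking job that never runs.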
Automation
• Configuring and maintaining any non-trivial network can be
a heavy workload….
• Automation hides the effort required, increasing the
“efficiency” of administrators
• But may increase reliance on net services
• Therefore won’t work well if net unreliable!!
Automation Tools
• Most Admin tools provide one or both of
– Administrator control interface (manual)
– Cloning of existing reference system (mirror)
• These may have friendly GUI but often don’t provide
autonomous activity
• Allow a human manager to tweak things
• Most are management frameworks for executing scripts (in
shell or perl)
Automation Tools
(see Burgess, Page 156…)
• Examples include:
– Tivoli
– HP OpenView
– Microsoft SMS
– Sun Solstice
– Host Factory
– GNU/Linux tools
• Problems may include
– Limited functions, e.g., lack of autonomous behavior
– Potential for compromised security over the network
– Complexity
– Open problems in rigidness and flexibility
Scripting Languages
used by Automation Tools
• Shell and CLI: native to Host OS
– Most common…
• Perl
• Python
• PHP
Monitoring Tools
• Unobtrusively gather data about network or host behaviour
(ie Audit)
• Usually leave analysis of data until later
• When specified parameters exceed pre-defined limits, an
alarm can be raised (eg send email or SMS or pager
message)
• Alarm may trigger maintenance activity
• In future, Neural network or Semantic analysis may be used
to interpret these logs and perform complex autonomous
maintenance
SNMP Tools
• Simple Network Management Protocol
• Useful for accessing management information from
networked devices (managed devices)
• Requires user knowledge of MIB (Management Information
Base) structure
• Focus is on message exchange syntax rather than information
content….
• snmpwalk, snmpget
• Other APIs encapsulate SNMP tools
Preventative Maintenance
• Determine system policies
– Define what is expected and how to respond to failure
• SysAdmin team agreement
• Enforce policies – inspect and repair
• Educate users in good and bad practice
• Care for special users.
– Catering to mission critical or power users can save time and effort
later
Preventative Maintenance in general
• Don’t rely exclusively on outside support
• Educate users by posting information in a clear and friendly
way
• Make rules and structures as simple as possible
• Keep valuable information about configurations securely
and readily available
• Document all changes so that others who may rebuild can
incorporate them
• Work defensively
• If it ain’t broke, don’t fix it
• Redundancy provides fallback in case of a crisis
Other Preventative measures
• Garbage Collection
– Disk tidying – deleting old or temporary files, flushing caches and
out-of-date documents
– Process management – removing orphan and run-away or hung
processes
• Productivity or Throughput
– Priorities and Quotas – can prevent rogue processes flooding disk
or overloading CPU, but can also interfere with legitimate short term
overloads
(eg compiles or compute bound process)
Cfengine
An environment for turning system policy into automated
maintenance actions
Cfengine
see Burgess (1st Edn Pg 158, 385)
• Use cron to start cfengine at regular intervals
• cfengine is a language used to define policies and a run-time
environment (or robot) to interpret and implement these
policies
• cfengine is about:
– Defining how all hosts in network are to be configured
– Writing this as a ‘program’ to be read by all hosts
– Running this program on each host to check and fix its own
configuration
cfengine capabilities
• Check and configure network interface
• Edit text files for system or users
• Make/maintain symbolic links
• Check and set file permissions
• Delete ‘junk’ files
• Automatic ‘static’ mounting of NFS files
• Checks for presence of important system files
• Controlled execution of user scripts
• Process management
cfengine programs
• cfengine.conf contains several action-type sections
    action-type:
        classes::
            list of actions
• Sections may be in any order, but are executed in order set
by the actionsequence parameter of the control action-type
• Classes is a single or compound expression identifying:
– Operating systems
– Hosts
– Times and days
– A user defined string
• Actions are only performed if the classes:: expression is true
for the current machine
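
How a classes:: guard selects the hosts that run the actions beneath it, as an added sketch in Python (not cfengine's own code and not from the slides): it evaluates a compound class expression against the set of classes defined on one host, using cfengine's operators `.` or `&` for AND, `|` for OR, `!` for NOT, and parentheses. The two host class sets are constructed for illustration.

```python
import re

def tokenize(expr):
    expr = re.sub(r"::\s*$", "", expr)           # drop the trailing '::'
    if re.search(r"[^\w\s().&|!]", expr):
        raise ValueError(f"unexpected character in {expr!r}")
    return re.findall(r"[().&|!]|\w+", expr) + [None]   # None marks end of input

def evaluate(expr, defined):
    """True if class expression `expr` holds for the host's `defined` classes."""
    toks = tokenize(expr)[::-1]          # reversed, so pop() yields the next token
    def parse_or():                      # lowest precedence: a|b
        val = parse_and()
        while toks[-1] == "|":
            toks.pop()
            rhs = parse_and()            # always parse, even if val is already True
            val = val or rhs
        return val
    def parse_and():                     # a.b or a&b binds tighter than a|b
        val = parse_not()
        while toks[-1] in (".", "&"):
            toks.pop()
            rhs = parse_not()
            val = val and rhs
        return val
    def parse_not():                     # !a, (expr), or a single class name
        tok = toks.pop()
        if tok == "!":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            if toks.pop() != ")":
                raise ValueError("missing ')'")
            return val
        if tok is None or not re.fullmatch(r"\w+", tok):
            raise ValueError(f"expected a class name, got {tok!r}")
        return tok in defined
    result = parse_or()
    if toks[-1] is not None:
        raise ValueError(f"unexpected {toks[-1]!r}")
    return result

# Constructed class sets for two hosts: OS, host name, day and hour classes
WEB1 = {"any", "linux", "web1", "Monday", "Hr03"}
DB1 = {"any", "solaris", "db1", "Monday", "Hr14"}
```

Evaluating each guard against every host's class set before a policy file is distributed shows which machines an action will touch, for example that `(linux|solaris).!Hr03::` applies to DB1 but not to WEB1.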
Data Configuration & Management
• Databases required as web back-end
– Usually SQL based
• Database used as parameter storage
– LDAP
– Other proprietary storage (eg NDS, Active Directory)
The following slides are overflow slides only. They are not to
be the basis for examinable/assessable content.
(end)
System vs Application configuration
• Modern trend toward implementing applications as
collections of components
• Increasingly, system configuration includes configuration of
applications too!
• Policies and Standards reduce variety and choice for users,
but when implemented carefully, lead to economies of scale