Configuration and Maintenance
MIB and SNMP
Week-6
Introduction
Configuration – how to initially set up the system as required
Maintenance – how to keep it that way
Systems tend towards disorder during use
Setting Policies
Definition
– A clear expression of goals and responses
– Prepares for possible errors or problems
– Documents intent and procedure
Necessary in medium to large organisations, or wherever many administrators co-operate
Helps to align system operation with organisational objectives
System vs Application configuration
Modern trend toward implementing applications as collections of components
Increasingly, system configuration includes configuration of applications too
Policies and standards reduce variety and choice for users, but when implemented carefully they lead to economies of scale
System Policy includes:
Organisational rights and responsibilities
User rights and account procedures
Network infrastructure and access rights
Application limits and responsibilities
– FTP, email, printing, web pages, CGI
Security and privacy
Network Policy
Network structure derived from
– Design or functional requirements
– Geography or building constraints
– Network engineering constraints
Policies should relate to operational goals
– Small organisation – resource sharing on a single network (repeaters/switches)
– Bigger organisation – sharing and reduced traffic, using subnets (switches/routers)
Network Policy
Segmentation
– Subnet addressing
– Logical to physical address mapping
(VLANs?)
– Port Blocking? Different on each subnet?
– Blocking at Firewall or Router?
Address configuration
– IP – static /etc/hosts, RARP, BOOTP, DHCP
Name Resolution
– IP – DNS, WINS
Directory – LDAP, MS PDC, Novell NDS
Applications Policy
TFTP/FTP – anonymous? Read-only?
SMTP
– Name aliases (eg [email protected])
– File size and type limitations (ie attachments)
– Spam filtering
– Virus checking
HTTP
– Content and style guides, plagiarism, authorisation?
– CGI / modules allowed? (eg Apache mod_perl, mod_ssl)
– Load limiting
Resource Sharing
Printing
– Personal printing? Page count quotas?
– Colour vs Monochrome
File Systems
– Common/Shared directories? Read-only?
Backups
– Global or Local?
– Image or File?
– Archival or Incremental?
Network Security
Physical security of servers and workstations
File/Directory/Resource access control lists
– UFS, NFS, Kerberos, NIS+, PDC, NDS
Superuser/Administrator Passwords
Enforced password aging and format rules
License servers
Logging and Auditing
Encryption tools supported?
Some common Configuration and Maintenance activities
Synchronisation
Keeping the time-of-day clocks set correctly on all hosts within a network
Many security and maintenance tasks depend on time-of-day or elapsed time: correlating logs across hosts, Kerberos ticket validity, certificate lifetimes, cron schedules
Hardware clock accuracy varies greatly
Can use a UNIX script (rsh command) to push the time around, but rsh is unauthenticated and cleartext, so this is a weak way to distribute something security depends on
Better to use NTP (xntpd or shareware clients available for most OSes), with an authenticated time source where the implementation supports it
Executing Tasks
Most host management systems require regular execution of housekeeping tasks
This is a key feature in most configuration management systems
Unix cron service
– crontab command (per-user tables)
– /etc/crontab file format (system table; its entries carry an extra user field before the command)
Windows Schedule service
– at command
Unix cron service
To edit a user crontab: crontab -e
To list user crontab entries: crontab -l
crontab format (five time fields, then the command to run):
min(0-59) hr(0-23) day(1-31) mth(1-12) weekday(0-7) ShellCommand
‘*’ in any position means ‘any’; a,b lists, a-b ranges and /n steps are also accepted
Weekday 0 and 7 both mean Sunday; three-letter names (Mon, Jan) are accepted, but name ranges such as Mon-Fri are not portable across cron implementations, so prefer numbers
If both the day and weekday fields are restricted, the entry runs when either one matches
# Run script every weekday morning Mon-Fri at 3:15am
15 3 * * 1-5 /usr/local/bin/script
# The root crontab
# 02:00 on Sundays and Thursdays
0 2 * * 0,4 /etc/cron.d/logchecker
# 04:05 on Saturdays
5 4 * * 6 /usr/lib/newsyslog
# Midnight every day, and half past every hour
0 0 * * * /usr/local/bin/cfwrap /usr/local/bin/cfdaily
30 * * * * /usr/local/bin/cfwrap /usr/local/bin/cfhourly
Everything root’s crontab runs must be writable only by root; a world-writable script on this list is a root shell for any local user at the next scheduled run
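The crontab rules above are easy to get subtly wrong, so here is an added example (written for these notes, not code from the slides or from any cron implementation) that parses entries in both the user and /etc/crontab formats, decides whether an entry fires at a given minute, including the day-of-month/day-of-week "either matches" rule, and audits the program a root entry would run. The audit helper, its constructed stat() table and the file paths in that table are assumptions for illustration.

```python
"""Parse crontab(5) entries, decide when they fire, and audit what they run.

Added example for these notes, not code from the slides or from any cron. It
applies the Vixie/cronie rules: '*' any, a,b lists, a-b ranges, /n steps, month
and weekday names, weekday 0 and 7 both Sunday, and when BOTH day fields are
restricted either one matching is enough. The audit and its constructed stat()
table are illustrative assumptions.
"""
import os
import stat
from collections import namedtuple
from datetime import datetime

MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
DAYS = {d: i for i, d in enumerate("sun mon tue wed thu fri sat".split())}
# (low, high, name table) for minute, hour, day-of-month, month, day-of-week
FIELDS = [(0, 59, None), (0, 23, None), (1, 31, None), (1, 12, MONTHS), (0, 7, DAYS)]
# dom_any/dow_any record whether those fields were '*'; user is only set for system crontabs
CronEntry = namedtuple("CronEntry", "minute hour dom month dow dom_any dow_any user command")


def _atom(token, names):
    tok = token.lower()
    return names[tok[:3]] if names and tok[:3] in names else int(tok)


def expand(field, lo, hi, names=None):
    """Expand one time field into the set of integer values it matches."""
    values = set()
    for item in field.split(","):
        item, _, step = item.partition("/")
        if item == "*":
            start, end = lo, hi
        else:
            bounds = item.split("-", 1)
            start = _atom(bounds[0], names)
            end = _atom(bounds[1], names) if len(bounds) == 2 else start
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, int(step or 1)))
    return values


def parse_entry(line, system_format=False):
    """Parse a user crontab line, or with system_format=True an /etc/crontab or
    /etc/cron.d line, which has a user field between the time and the command."""
    n_fields = 6 if system_format else 5
    parts = line.split(None, n_fields)
    if len(parts) < n_fields + 1:
        raise ValueError(f"too few fields: {line!r}")
    sets = [expand(parts[i], lo, hi, names) for i, (lo, hi, names) in enumerate(FIELDS)]
    dow = {0 if d == 7 else d for d in sets[4]}              # 7 is an alias for Sunday
    return CronEntry(sets[0], sets[1], sets[2], sets[3], dow, parts[2] == "*",
                     parts[4] == "*", parts[5] if system_format else None, parts[n_fields])


def fires_at(entry, when):
    """True if cron would start `entry` during the minute containing `when`."""
    if (when.minute not in entry.minute or when.hour not in entry.hour
            or when.month not in entry.month):
        return False
    dom_ok = when.day in entry.dom
    dow_ok = (when.isoweekday() % 7) in entry.dow   # Python Mon=1..Sun=7 -> cron Sun=0
    if entry.dom_any or entry.dow_any:
        return dom_ok and dow_ok
    return dom_ok or dow_ok                          # both restricted: either suffices


def fires_on(entry, year, month, day, hour, minute):
    """fires_at() for a wall-clock moment given as plain numbers."""
    return fires_at(entry, datetime(year, month, day, hour, minute))


def audit_command(entry, stat_fn=os.stat):
    """Flag what a root crontab should never run: a program found via PATH, one
    that is world-writable, or one not owned by root. Whoever can write the
    program gets code execution as root on the next run."""
    program = entry.command.split()[0]
    if not program.startswith("/"):
        return ["relative path resolved through cron's PATH"]
    st = stat_fn(program)                # raises FileNotFoundError if absent
    problems = []
    if st.st_mode & stat.S_IWOTH:
        problems.append("program is world-writable")
    if st.st_uid != 0:
        problems.append("program not owned by root")
    return problems


def constructed_stat(path):
    """Constructed stand-in for os.stat() so the audit runs offline, not a real FS."""
    table = {"/usr/lib/newsyslog": (0o100755, 0),
             "/usr/local/bin/script": (0o100777, 0),        # world-writable
             "/home/alice/bin/cfhourly": (0o100755, 1000)}  # owned by an ordinary user
    if path not in table:
        raise FileNotFoundError(path)
    mode, uid = table[path]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
```

Run audit_command() with the default os.stat over the real root crontab (crontab -l as root, plus /etc/crontab and /etc/cron.d/* with system_format=True) to find entries that hand root to whoever can write the target file.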
Automation
Configuring and maintaining any non-trivial network can be a heavy workload…
Automation hides the effort required, increasing the “efficiency” of administrators
But it may increase reliance on network services
Therefore it won’t work well if the network is unreliable
Automation Tools
Most Admin tools provide one or both of
– Administrator control interface (manual)
– Cloning of existing reference system (mirror)
These may have friendly GUI but often
don’t provide autonomous activity
Allow a human manager to tweak things
Most are management frameworks for
executing scripts (in shell or perl)
Automation Tools
(see Burgess, Page 156…)
Examples include:
– Tivoli
– HP OpenView
– Microsoft SMS
– Sun Solstice
– Host Factory
– GNU/Linux tools
Scripting Languages used by Automation Tools
Shell and CLI: native to the host OS
– Most common…
Perl
Python
PHP
Monitoring Tools
Unobtrusively gather data about network or host behaviour (ie audit)
Usually leave analysis of data until later
When specified parameters exceed predefined limits, an alarm can be raised (eg send an email, SMS or pager message)
Alarm may trigger maintenance activity
In future, neural network or semantic analysis may be used to interpret these logs and perform complex autonomous maintenance
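As an added example of the threshold alarm the slide describes (written for these notes, not taken from the slides or from any monitoring product): failed ssh logins are collected from syslog-style lines, analysed afterwards, and an alarm is raised the first time one source exceeds a limit within a sliding time window. The log lines, host name, times and addresses are constructed; only the message wording follows OpenSSH.

```python
"""Threshold alarm over collected log data.

Added example for these notes, not from the slides or any monitoring product.
It follows the pattern the slide describes: data is gathered unobtrusively
(syslog-style sshd lines), analysed later, and an alarm is raised when a
parameter (failed logins per source within a time window) exceeds a predefined
limit. The log lines below are constructed; the wording copies OpenSSH's
"Failed password for ... from ..." messages, but hosts, times and addresses are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source hammers sshd, a legitimate user mistypes twice.
SAMPLE_LOG = """\
Jan 07 03:15:01 gw1 sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jan 07 03:15:03 gw1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Jan 07 03:15:05 gw1 sshd[2205]: Failed password for root from 203.0.113.9 port 51041 ssh2
Jan 07 03:15:06 gw1 sshd[2207]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
Jan 07 03:15:08 gw1 sshd[2209]: Failed password for root from 203.0.113.9 port 51055 ssh2
Jan 07 03:15:10 gw1 sshd[2211]: Failed password for oracle from 203.0.113.9 port 51060 ssh2
Jan 07 03:15:12 gw1 sshd[2213]: Failed password for root from 203.0.113.9 port 51071 ssh2
Jan 07 03:20:00 gw1 sshd[2300]: Failed password for bob from 192.0.2.10 port 40200 ssh2
Jan 07 03:20:50 gw1 sshd[2302]: Failed password for bob from 192.0.2.10 port 40201 ssh2
"""

FAILED = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def parse_failures(lines, year=2024):
    """Collect (timestamp, user, source_ip) from failed-login lines; ignore everything else.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def threshold_alarms(events, limit=5, window_seconds=60):
    """Sliding window per source address: raise one alarm the first time the number
    of failures inside the window exceeds `limit`. Returns (ip, count, when) tuples."""
    recent = defaultdict(deque)
    alarmed, alarms = set(), []
    for ts, _user, ip in sorted(events):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()          # drop failures that have aged out of the window
        if len(window) > limit and ip not in alarmed:
            alarmed.add(ip)
            alarms.append((ip, len(window), ts))
    return alarms


def alarm_messages(alarms):
    """Text suitable for an email, SMS or pager, one line per alarm."""
    return [f"{when:%Y-%m-%d %H:%M:%S} ALARM {count} failed ssh logins from {ip}"
            for ip, count, when in alarms]
```

The limit and window are the "predefined limits" of the slide; the `alarmed` set keeps one noisy source from paging the on-call administrator once per failure.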
SNMP Tools
Useful for accessing management information from networked devices
Require the user to know the MIB structure (object identifiers)
Focus is on message exchange syntax rather than information content…
snmpwalk, snmpget
Other APIs encapsulate SNMP tools
SNMPv1 and v2c authenticate only with a community string sent in cleartext, so restrict which hosts may query, never leave the default “public” community in place, and prefer SNMPv3 with authentication and encryption
Preventative Maintenance
Determine system policies
– Define what is expected, and the response to failure
SysAdmin team agreement
Enforce policies – inspect and repair
Educate users in good and bad practice
Care for special users: catering to mission-critical or power users can save time and effort later
Preventative Maintenance in general
Don’t rely on outside support – invest in local expertise
Educate users by posting information in a clear and friendly way
Make rules and structures as simple as possible
Keep valuable information about configurations securely and readily available
Document all changes so that others who may rebuild can incorporate them
Work defensively
If it ain’t broke, don’t fix it
Duplication provides fallback in case of a crisis
Other Preventative measures
Garbage collection
– Disk tidying – deleting old or temporary files, flushing caches and out-of-date documents
– Process management – removing orphaned, run-away or hung processes
Productivity or throughput
– Priorities and quotas – can prevent rogue processes flooding disk or overloading CPU, but can also interfere with legitimate short-term overloads (eg compiles or compute-bound processes)
Cfengine
An environment for turning system policy into automated maintenance actions
Cfengine
see Burgess (1st Edn Pg 158, 385)
Use cron to start cfengine at regular intervals
cfengine is a language used to define policies, and a run-time environment (or robot) to interpret and implement these policies
cfengine is about:
– Defining how all hosts in the network are to be configured
– Writing this as a ‘program’ to be read by all hosts
– Running this program on each host to check and fix its own configuration
cfengine capabilities
Check and configure network interface
Edit text files for system or users
Make/maintain symbolic links
Check and set file permissions
Delete ‘junk’ files
Automatic ‘static’ mounting of NFS files
Checks for presence of important system files
Controlled execution of user scripts
Process management
cfengine programs
cfengine.conf contains several action-type sections, each of the form:
action-type:
    classes::
        list of actions
Sections may be in any order, but are executed in the order set by the actionsequence parameter of the control action-type
Classes is a single or compound expression identifying:
– Operating systems
– Hosts
– Times and days
– A user-defined string
Actions are only performed if the classes:: expression is true for the current machine
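As an added example (written for these notes, not cfengine’s own code), the following evaluates classes:: expressions against the classes a host defines about itself and selects actions in actionsequence order, whatever order the sections were written in. It assumes the cfengine 2 operators ‘.’ (AND), ‘|’ (OR) and ‘!’ (NOT), parentheses for grouping, and the always-true class any; the policy table, action strings and host names are constructed.

```python
"""Evaluate cfengine-style class expressions and pick the actions a host runs.

Added example for these notes, not code from cfengine. It assumes the cfengine 2
compound-class operators: '.' is AND, '|' is OR, '!' is NOT, parentheses group,
'any' is always true, and a bare word is true when that class is defined on the
host. The hard classes derived here (OS name, short hostname, HrNN, weekday
name) follow the slide's four categories; the policy table, action strings and
host names are constructed.
"""
import re

TOKEN = re.compile(r"\s*([A-Za-z0-9_]+|[.|!()])")


def hard_classes(os_name, hostname, now):
    """Classes a host defines about itself before any policy: OS, hostname, hour, day."""
    return {os_name, hostname.split(".")[0], f"Hr{now.hour:02d}", now.strftime("%A")}


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad class expression near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class ClassExpr:
    """Recursive-descent evaluator, lowest to highest precedence:
    or := and ('|' and)*   and := not ('.' not)*   not := '!' not | '(' or ')' | word"""
    def __init__(self, expr, defined):
        self.tokens, self.defined, self.i = tokenize(expr), set(defined) | {"any"}, 0

    def evaluate(self):
        value = self._or()
        if self.i != len(self.tokens):
            raise ValueError(f"unexpected {self.tokens[self.i]!r}")
        return value

    def _peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def _take(self):
        if self._peek() is None:
            raise ValueError("unexpected end of class expression")
        self.i += 1
        return self.tokens[self.i - 1]

    def _or(self):
        value = self._and()
        while self._peek() == "|":
            self._take()
            value = self._and() or value      # operand evaluated first: no short-circuit
        return value

    def _and(self):
        value = self._not()
        while self._peek() == ".":
            self._take()
            value = self._not() and value
        return value

    def _not(self):
        tok = self._take()
        if tok == "!":
            return not self._not()
        if tok == "(":
            value = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return value
        if not re.fullmatch(r"[A-Za-z0-9_]+", tok):
            raise ValueError(f"unexpected {tok!r}")
        return tok in self.defined


def class_true(expr, defined):
    """True if the classes:: expression holds on a host with `defined` classes."""
    return ClassExpr(expr, defined).evaluate()


# Constructed policy in the slide's shape: action-type -> classes:: -> list of actions.
POLICY = {
    "processes": {"webserver|mailserver": ["restart syslogd if it is not running"]},
    "tidy": {"Hr03": ["delete files under /tmp older than 7 days"]},
    "files": {"any": ["check /etc/passwd mode=0644 owner=root"],
              "linux.!webserver": ["check /etc/shadow mode=0600 owner=root"]},
}
ACTIONSEQUENCE = ["files", "tidy", "processes"]   # the control section decides the order


def select_actions(policy, actionsequence, defined):
    """Actions this host performs, in actionsequence order whatever the section order."""
    selected = []
    for action_type in actionsequence:
        for expr, actions in policy.get(action_type, {}).items():
            if class_true(expr, defined):
                selected.extend((action_type, a) for a in actions)
    return selected
```

Note that `select_actions` walks actionsequence, not the dictionary, so the same policy yields the same order on every host; a malformed expression raises rather than silently evaluating to false, which matters when the class guards a destructive tidy action.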
Data Configuration & Management
Databases required as web back-end
– Usually SQL based
Database used as parameter storage
– LDAP
– Other proprietary storage (eg NDS, Active Directory)