CSCWiki - User contributions [en]

Virtualization (LXC Containers)

2017-02-19T19:00:54Z

Ehashman: /* Creating a new container */

As of Fall 2009, we use [http://lxc.sourceforge.net/ Linux containers] to maintain virtual machines, most notably [[Machine_List#caffeine|caffeine]], which is hosted on [[Machine_List#glomag|glomag]]. The various commands to manipulate Linux containers are prefixed with "lxc-"; see their individual manpages for usage.

== Management Quick Guide ==

To manage containers, use the <tt>lxc-*</tt> tools, which require root privilege. Some examples (replace <tt>caffeine</tt> with the appropriate container name):

# check if caffeine is running
lxc-info -n caffeine

# start caffeine in the background
lxc-start -d -n caffeine

# stop caffeine gracefully
lxc-halt -n caffeine

# stop caffeine forcefully
lxc-stop -n caffeine

# launch a TTY console for the container
lxc-console -n caffeine

To install Linux container support on a recent Debian (squeeze or newer) system:
* Install the <tt>lxc</tt> and <tt>bridge-utils</tt> packages.
* Create a bridged network interface (this can be configured in <tt>/etc/network/interfaces</tt> as though it were a normal Ethernet device, with the additional <tt>bridge_ports</tt> parameter. This is usually called <tt>br0</tt> (can be created manually with <tt>brctl</tt>). LXC will create a virtual Ethernet device and add it to the bridge when each container starts.

To start caffeine, run the following command as root on glomag:

lxc-start -d -n caffeine

Containers are stored on the host filesystem in /var/lib/lxc (root filesystems are symlinked to the appropriate directory on /vm).

== ehashman's Guide to LXC on Debian ==

=== Configuring the host machine ===

First, install all required packages:

<pre># apt-get install lxc bridge-utils</pre>
==== Setting up ethernet bridging ====

Next, create an ethernet bridge for the container. Edit <code>/etc/network/interfaces</code>:

<pre># The primary network interface
#auto eth0
#iface eth0 inet static
# address 129.97.134.200
# netmask 255.255.255.0
# gateway 129.97.134.1

# Bridge ethernet for containers
auto br0
iface br0 inet static
bridge_ports eth0
address 129.97.134.200
netmask 255.255.255.0
gateway 129.97.134.1
dns-nameservers 129.97.2.1 129.97.2.2
dns-search wics.uwaterloo.ca uwaterloo.ca</pre>
Cross your fingers and restart networking for your configuration to take effect!

<pre># ifdown br0 && ifup br0
// bash enter to see if you lost connectivity and have to make a machine room trip</pre>

'''Note:''' !!! Do '''not''' use !!! <pre># service networking restart</pre> The init scripts are broken and this likely will result in a machine room trip (or IPMI power cycle).

==== Setting up storage ====

Last, allocate some space in your volume group to put the container root on:

<pre>// Find the correct volume group to put the container on
# vgdisplay

// Create the volume in the appropriate volume group
# lvcreate -L 20G -n container vg0

// Find it in the dev mapper
# ls /dev/mapper/

// Create a filesystem on it
# mkfs.ext4 /dev/mapper/vg0-container

// Add a mount point
# mkdir /vm/container </pre>
Last, add it to <code>/etc/fstab</code>:

<pre>/dev/mapper/vg0-container /vm/container ext4 defaults 0 2</pre>
Test the entry with <code>mount</code>:

<pre># mount /vm/container</pre>
Now you're done!

=== Creating a new container ===

Create a new container using <code>lxc-create</code>:

<pre>// Create new container "container" with root fs located at /vm/container
# lxc-create --dir=/vm/container -n container --template download</pre>
This will prompt you for distribution, release, and architecture. (Architecture ''must'' match host machine.)

Take this time to review its config in <code>/var/lib/lxc/container/config</code>, and tell it to auto-start if you like:

<pre># Auto-start the container on boot
lxc.start.auto = 1</pre>

You'll also want to set up networking (if applicable):

<pre># Networking
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.hwaddr = de:ad:be:ef:ba:be # or something sensible</pre>

Now,

<pre>// List containers, -f for fancy
# lxc-ls -f</pre>
to ensure that your container has been successfully created; it should be listed. You can also list its root directory if you like. To start it in the background and obtain a root shell, do

<pre>// Start and attach a root shell
# lxc-start -d -n container
# lxc-attach -n container</pre>

=== Migrating a container between hosts ===

Start by shutting the container down:

<pre>root@container:~# halt</pre>
Then make a tarball of the container's filesystem:

<pre># tar --numeric-owner -czvf container.tar.gz /vm/container</pre>
Copy it to its target destination, along with the configs:

<pre>$ scp container.tar.gz new-host:
$ scp -r /var/lib/lxc/container/ new-host:/var/lib/lxc/</pre>
Now carefully extract it. '''If you haven't already, provision storage and ethernet per the container creation section.'''

Yes, we really do want to stick it directly into <code>/</code>:

<pre># tar --numeric-owner -xzvf container.tar.gz -C /</pre>
Verify the container's existence:

<pre># lxc-ls -f
NAME STATE IPV4 IPV6 AUTOSTART
-----------------------------------------
container STOPPED - - YES </pre>
Now just start it on up:

<pre># lxc-start -d -n container</pre>
And test by trying an ssh in!

[[Category:Software]]

Virtualization (LXC Containers)

2017-02-19T18:53:06Z

Ehashman: /* Setting up storage */

As of Fall 2009, we use [http://lxc.sourceforge.net/ Linux containers] to maintain virtual machines, most notably [[Machine_List#caffeine|caffeine]], which is hosted on [[Machine_List#glomag|glomag]]. The various commands to manipulate Linux containers are prefixed with "lxc-"; see their individual manpages for usage.

== Management Quick Guide ==

To manage containers, use the <tt>lxc-*</tt> tools, which require root privilege. Some examples (replace <tt>caffeine</tt> with the appropriate container name):

# check if caffeine is running
lxc-info -n caffeine

# start caffeine in the background
lxc-start -d -n caffeine

# stop caffeine gracefully
lxc-halt -n caffeine

# stop caffeine forcefully
lxc-stop -n caffeine

# launch a TTY console for the container
lxc-console -n caffeine

To install Linux container support on a recent Debian (squeeze or newer) system:
* Install the <tt>lxc</tt> and <tt>bridge-utils</tt> packages.
* Create a bridged network interface (this can be configured in <tt>/etc/network/interfaces</tt> as though it were a normal Ethernet device, with the additional <tt>bridge_ports</tt> parameter. This is usually called <tt>br0</tt> (can be created manually with <tt>brctl</tt>). LXC will create a virtual Ethernet device and add it to the bridge when each container starts.

To start caffeine, run the following command as root on glomag:

lxc-start -d -n caffeine

Containers are stored on the host filesystem in /var/lib/lxc (root filesystems are symlinked to the appropriate directory on /vm).

== ehashman's Guide to LXC on Debian ==

=== Configuring the host machine ===

First, install all required packages:

<pre># apt-get install lxc bridge-utils</pre>
==== Setting up ethernet bridging ====

Next, create an ethernet bridge for the container. Edit <code>/etc/network/interfaces</code>:

<pre># The primary network interface
#auto eth0
#iface eth0 inet static
# address 129.97.134.200
# netmask 255.255.255.0
# gateway 129.97.134.1

# Bridge ethernet for containers
auto br0
iface br0 inet static
bridge_ports eth0
address 129.97.134.200
netmask 255.255.255.0
gateway 129.97.134.1
dns-nameservers 129.97.2.1 129.97.2.2
dns-search wics.uwaterloo.ca uwaterloo.ca</pre>
Cross your fingers and restart networking for your configuration to take effect!

<pre># ifdown br0 && ifup br0
// bash enter to see if you lost connectivity and have to make a machine room trip</pre>

'''Note:''' !!! Do '''not''' use !!! <pre># service networking restart</pre> The init scripts are broken and this likely will result in a machine room trip (or IPMI power cycle).

==== Setting up storage ====

Last, allocate some space in your volume group to put the container root on:

<pre>// Find the correct volume group to put the container on
# vgdisplay

// Create the volume in the appropriate volume group
# lvcreate -L 20G -n container vg0

// Find it in the dev mapper
# ls /dev/mapper/

// Create a filesystem on it
# mkfs.ext4 /dev/mapper/vg0-container

// Add a mount point
# mkdir /vm/container </pre>
Last, add it to <code>/etc/fstab</code>:

<pre>/dev/mapper/vg0-container /vm/container ext4 defaults 0 2</pre>
Test the entry with <code>mount</code>:

<pre># mount /vm/container</pre>
Now you're done!

=== Creating a new container ===

Create a new container using <code>lxc-create</code>:

<pre>// Create new container "container" with root fs located at /vm/container
# lxc-create --dir=/vm/container -n container --template download</pre>
This will prompt you for distribution, release, and architecture. (Architecture ''must'' match host machine.)

Take this time to review its config in <code>/var/lib/lxc/container/config</code>, and tell it to auto-start if you like:

<pre># Auto-start the container on boot
lxc.start.auto = 1</pre>
Now,

<pre>// List containers, -f for fancy
# lxc-ls -f</pre>
to ensure that your container has been successfully created; it should be listed. You can also list its root directory if you like. To start it in the background and obtain a root shell, do

<pre>// Start and attach a root shell
# lxc-start -d -n container
# lxc-attach -n container</pre>
=== Migrating a container between hosts ===

Start by shutting the container down:

<pre>root@container:~# halt</pre>
Then make a tarball of the container's filesystem:

<pre># tar --numeric-owner -czvf container.tar.gz /vm/container</pre>
Copy it to its target destination, along with the configs:

<pre>$ scp container.tar.gz new-host:
$ scp -r /var/lib/lxc/container/ new-host:/var/lib/lxc/</pre>
Now carefully extract it. '''If you haven't already, provision storage and ethernet per the container creation section.'''

Yes, we really do want to stick it directly into <code>/</code>:

<pre># tar --numeric-owner -xzvf container.tar.gz -C /</pre>
Verify the container's existence:

<pre># lxc-ls -f
NAME STATE IPV4 IPV6 AUTOSTART
-----------------------------------------
container STOPPED - - YES </pre>
Now just start it on up:

<pre># lxc-start -d -n container</pre>
And test by trying an ssh in!

[[Category:Software]]

Virtualization (LXC Containers)

2017-02-19T18:46:45Z

Ehashman: /* Setting up ethernet bridging */ Fix bad instruction that references "service networking"

As of Fall 2009, we use [http://lxc.sourceforge.net/ Linux containers] to maintain virtual machines, most notably [[Machine_List#caffeine|caffeine]], which is hosted on [[Machine_List#glomag|glomag]]. The various commands to manipulate Linux containers are prefixed with "lxc-"; see their individual manpages for usage.

== Management Quick Guide ==

To manage containers, use the <tt>lxc-*</tt> tools, which require root privilege. Some examples (replace <tt>caffeine</tt> with the appropriate container name):

# check if caffeine is running
lxc-info -n caffeine

# start caffeine in the background
lxc-start -d -n caffeine

# stop caffeine gracefully
lxc-halt -n caffeine

# stop caffeine forcefully
lxc-stop -n caffeine

# launch a TTY console for the container
lxc-console -n caffeine

To install Linux container support on a recent Debian (squeeze or newer) system:
* Install the <tt>lxc</tt> and <tt>bridge-utils</tt> packages.
* Create a bridged network interface (this can be configured in <tt>/etc/network/interfaces</tt> as though it were a normal Ethernet device, with the additional <tt>bridge_ports</tt> parameter. This is usually called <tt>br0</tt> (can be created manually with <tt>brctl</tt>). LXC will create a virtual Ethernet device and add it to the bridge when each container starts.

To start caffeine, run the following command as root on glomag:

lxc-start -d -n caffeine

Containers are stored on the host filesystem in /var/lib/lxc (root filesystems are symlinked to the appropriate directory on /vm).

== ehashman's Guide to LXC on Debian ==

=== Configuring the host machine ===

First, install all required packages:

<pre># apt-get install lxc bridge-utils</pre>
==== Setting up ethernet bridging ====

Next, create an ethernet bridge for the container. Edit <code>/etc/network/interfaces</code>:

<pre># The primary network interface
#auto eth0
#iface eth0 inet static
# address 129.97.134.200
# netmask 255.255.255.0
# gateway 129.97.134.1

# Bridge ethernet for containers
auto br0
iface br0 inet static
bridge_ports eth0
address 129.97.134.200
netmask 255.255.255.0
gateway 129.97.134.1
dns-nameservers 129.97.2.1 129.97.2.2
dns-search wics.uwaterloo.ca uwaterloo.ca</pre>
Cross your fingers and restart networking for your configuration to take effect!

<pre># ifdown br0 && ifup br0
// bash enter to see if you lost connectivity and have to make a machine room trip</pre>

'''Note:''' !!! Do '''not''' use !!! <pre># service networking restart</pre> The init scripts are broken and this likely will result in a machine room trip (or IPMI power cycle).

==== Setting up storage ====

Last, allocate some space in your volume group to put the container root on:

<pre>// Find the correct volume group to put the container on
# vgdisplay

// Create the volume in the appropriate volume group
# lvcreate -L 20G -n container vg0

// Find it in the dev mapper
# ls /dev/mapper/

// Create a filesystem on it
# mkfs.ext4 /dev/mapper/vg0-container</pre>
Last, add it to <code>/etc/fstab</code>:

<pre>/dev/mapper/vg0-container /vm/container ext4 defaults 0 2</pre>
Test the entry with <code>mount</code>:

<pre># mount /vm/container</pre>
Now you're done!

=== Creating a new container ===

Create a new container using <code>lxc-create</code>:

<pre>// Create new container "container" with root fs located at /vm/container
# lxc-create --dir=/vm/container -n container --template download</pre>
This will prompt you for distribution, release, and architecture. (Architecture ''must'' match host machine.)

Take this time to review its config in <code>/var/lib/lxc/container/config</code>, and tell it to auto-start if you like:

<pre># Auto-start the container on boot
lxc.start.auto = 1</pre>
Now,

<pre>// List containers, -f for fancy
# lxc-ls -f</pre>
to ensure that your container has been successfully created; it should be listed. You can also list its root directory if you like. To start it in the background and obtain a root shell, do

<pre>// Start and attach a root shell
# lxc-start -d -n container
# lxc-attach -n container</pre>
=== Migrating a container between hosts ===

Start by shutting the container down:

<pre>root@container:~# halt</pre>
Then make a tarball of the container's filesystem:

<pre># tar --numeric-owner -czvf container.tar.gz /vm/container</pre>
Copy it to its target destination, along with the configs:

<pre>$ scp container.tar.gz new-host:
$ scp -r /var/lib/lxc/container/ new-host:/var/lib/lxc/</pre>
Now carefully extract it. '''If you haven't already, provision storage and ethernet per the container creation section.'''

Yes, we really do want to stick it directly into <code>/</code>:

<pre># tar --numeric-owner -xzvf container.tar.gz -C /</pre>
Verify the container's existence:

<pre># lxc-ls -f
NAME STATE IPV4 IPV6 AUTOSTART
-----------------------------------------
container STOPPED - - YES </pre>
Now just start it on up:

<pre># lxc-start -d -n container</pre>
And test by trying an ssh in!

[[Category:Software]]

Kerberos

2016-09-14T01:18:55Z

Ehashman: Add illustrative image

We use [http://web.mit.edu/Kerberos/ MIT Kerberos 5] for authentication. Our kerberos realm is CSCLUB.UWATERLOO.CA. KDCs run on [[Machine_List#auth1|auth1]] (kdc1) and [[Machine_List#artificial-flavours|artificial-flavours]] (kdc2).

[[File:kerberos.png|frame|Kerberos, the network authentication protocol]]

=== ehashman's guide to MIT Kerberos v5 on Debian ===

==== Preparatory Reading ====

# [http://web.mit.edu/kerberos/dialogue.html Kerberos: A Dialogue in Four Scenes] ('''''definitely''''' read this)
# [http://www.roguelynn.com/words/explain-like-im-5-kerberos/ Explain Like I'm 5: Kerberos] (less entertaining than the stage play)
# [http://www.rjsystems.nl/en/2100-d6-kerberos-master.php A very practical configuration guide to Kerberos on Debian squeeze] (things don't change much in the Debian world)
# [http://web.mit.edu/kerberos/krb5-latest/doc/admin/index.html The official Kerberos documentation]

==== Set up host records ====

<ul>
<li>We will need host records to correspond to our Kerberos admin server and key distribution center, <code>kadmin.wics.uwaterloo.ca</code> and <code>kdc1.wics.uwaterloo.ca</code>. These can just be A records pointing to our auth server (currently <code>129.97.134.212</code>).</li>
<li>We can also set up [http://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html special SRV records] as well. This is recommended but not necessary. They look like this:
<pre>_kerberos._udp.wics.uwaterloo.ca SRV 0 0 88 kdc1.wics.uwaterloo.ca
_kerberos-master._udp.wics.uwaterloo.ca SRV 0 0 88 kdc1.wics.uwaterloo.ca
_kpasswd._udp.wics.uwaterloo.ca SRV 0 0 464 kdc1.wics.uwaterloo.ca</pre>
You may have guessed that the third integer is the port the service runs on.</li></ul>

==== Install packages ====

<ul>
<li>First, install some common system utils that may be missing from the fresh container:
<pre># apt-get install ssh ntpdate xinetd nmap</pre></li>
<li>Do NOT install ntp on the container. Install it on the host system instead. See [[ntp|NTP]] for info on NTP servers.</li>
<li>Next, install the Kerberos server:
<pre>apt-get install krb5-{admin-server,user}</pre></li>
<li>During the install process, <code>dpkg</code> will ask you for the following three values, specified below:
<pre>Default Kerberos version 5 realm: WICS.UWATERLOO.CA
Kerberos servers for your realm: kdc1.wics.uwaterloo.ca
Administrative server for your Kerberos realm: kadmin.wics.uwaterloo.ca</pre></li>
<li>You'll encounter this lovely error, from <code>xinetd</code>:
<pre>Note: xinetd currently is not fully supported by update-inetd.
Please consult /usr/share/doc/xinetd/README.Debian and itox(8).</pre>
To solve this, we create a file <code>/etc/xinetd.d/krb_prop</code> with the following contents:
<pre>service krb_prop
{
disable = no
socket_type = stream
protocol = tcp
user = root
wait = no
server = /usr/sbin/kpropd
}</pre>
And then restart <code>xinetd</code>:
<pre># service xinetd restart</pre></li>
<li>You'll also note that the <code>krb5-kdc</code> service failed to start. This is okay. > This is because the realm, EXAMPLE.COM, or rather the database file for it (<code>/var/lib/krb5kdc/principal</code>), has not yet been created. – http://www.rjsystems.nl/en/2100-d6-kerberos-master.php</li></ul>

==== Configuring Kerberos ====

<ul>
<li>The first thing we'll configure is the access control list. Edit <code>/etc/krb5kdc/kadm5.acl</code> and enable/add the following line:
<pre>*/admin *</pre>
Our primary admin principal will be <code>sysadmin/admin@WICS.UWATERLOO.CA</code>, so there is no need to add a separate <code>admin</code> principal to the ACL.</li>
<li>Let's configure Kerberos client-side in [https://git.uwaterloo.ca/wics/documentation/blob/master/krb5.conf <code>/etc/krb5.conf</code>]. Consulting with the CSC's config, [[www.rjsystems.nl/en/2100-d6-kerberos-master.php#rcfg|our favoured setup guide]], and [http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html the Kerberos krb5.conf manual], we'll mostly select default settings. Notable additions include
<pre>[libdefaults]
allow_weak_crypto = false # default is currently false but hey

# If DNS breaks we don't want auth to fail
dns_lookup_kdc = false
dns_lookup_realm = false

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5.log</pre></li>
<li>We also want to ensure we're using good crypto for our Key Distribution Center, so let's set that up next in [https://git.uwaterloo.ca/wics/documentation/blob/master/kdc.conf <code>/etc/krb5kdc/kdc.conf</code>]:
<pre>[kdcdefaults]
kdc_ports = 750,88

[realms]
WICS.UWATERLOO.CA = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 12h 0m 0s
max_renewable_life = 1d 0h 0m 0s
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
default_principal_flags = +preauth
}</pre></li>
<li>We didn't choose to create a new krb5 log directory but we should set up logrotate. Create a file [https://git.uwaterloo.ca/wics/documentation/blob/master/logrotate.d.krb5 <code>/etc/logrotate.d/krb5</code>] with three of the following entries (one for each log file):
<pre>/var/log/FILENAME.log {
weekly
missingok
rotate 8
compress
delaycompress
notifempty
postrotate
/etc/init.d/SERVICENAME restart > /dev/null
endscript
}</pre></li>
<li>Make sure you also create those files so the service can write to them:
<pre># touch /var/log/{krb5,krb5kdc,kadmin}.log</pre></li></ul>

==== Creating the Kerberos Realm ====

<ul>
<li>Now we're going to create the realm:
<pre># krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data</pre>
The script may pause at this point until there is sufficient available entropy to generate a key. Then it will prompt for a password. USE A LONG, RANDOM ONE. THIS PASSWORD IS VERY IMPORTANT.
<pre>Initializing database '/var/lib/krb5kdc/principal' for realm
'WICS.UWATERLOO.CA',
master key name 'K/M@WICS.UWATERLOO.CA'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.</pre></li>
<li>We'll now configure the default and maximum ticket life for the Kerberos Ticket Granting Ticket (<code>krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA</code>):
<pre># kadmin.local
Authenticating as principal root/admin@WICS.UWATERLOO.CA with password.
kadmin.local: getprinc krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
Principal: krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 12:00:00
Maximum renewable life: 1 day 00:00:00
Last modified: Thu Dec 03 03:59:04 UTC 2015 (db_creation@WICS.UWATERLOO.CA)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>
Let's set the max life to 4 hours and the renewable life to 10 hours, for extra security.
<pre>kadmin.local: modprinc -maxlife "4 hour" -maxrenewlife "10 hour" krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
Principal "krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA" modified.</pre></li></ul>

==== Adding Principals ====

<ul>
<li>We need some root users in our system in order to bootstrap the rest, so let's create our sysadmin user, and give them our root password for authentication:
<pre># kadmin.local
Authenticating as principal root/admin@WICS.UWATERLOO.CA with password.
kadmin.local: addprinc sysadmin/admin
WARNING: no policy specified for sysadmin/admin@WICS.UWATERLOO.CA; defaulting to no policy
Enter password for principal "sysadmin/admin@WICS.UWATERLOO.CA":
Re-enter password for principal "sysadmin/admin@WICS.UWATERLOO.CA":
Principal "sysadmin/admin@WICS.UWATERLOO.CA" created.</pre></li>
<li>Now we need to add a principal and keytab for our KDC host. While <code>addprinc -randkey</code> does add a key, we need to use <code>ktadd</code> to ensure it's copied over to the client host (in this case, auth1).

('''keytab:''' a key table file containing one or more keys. A host or service uses a keytab file in much the same way as a user uses his/her password.)

<pre>$ kadmin -p sysadmin/admin
Authenticating as principal sysadmin/admin with password.
Password for sysadmin/admin@WICS.UWATERLOO.CA:
kadmin: addprinc -randkey host/auth1.wics.uwaterloo.ca
WARNING: no policy specified for
host/auth1.wics.uwaterloo.ca@WICS.UWATERLOO.CA; defaulting to no policy
Principal "host/auth1.wics.uwaterloo.ca@WICS.UWATERLOO.CA" created.
kadmin: ktadd host/auth1.wics.uwaterloo.ca
Entry for principal host/auth1.wics.uwaterloo.ca with kvno 2, encryption type
aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/auth1.wics.uwaterloo.ca with kvno 2, encryption type
aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.</pre></li>
<li>Now we can test that the KDC can grant principals tickets:
<pre>$ kinit sysadmin/admin
Password for sysadmin/admin@WICS.UWATERLOO.CA:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sysadmin/admin@WICS.UWATERLOO.CA
Valid starting Expires Service principal
12/03/2015 05:31:38 12/03/2015 09:31:38 krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
renew until 12/03/2015 15:31:38
$ kdestroy
$ klist
klist: Credentials cache file '/tmp/krb5cc_0' not found</pre></li>
<li>Next, we'll probably want to add principals for any users that we created in LDAP. We can do this in <code>weo</code> using the following command, and we can even test that principal after its creation:
<pre>$ python weo.py --add-krb-princ --username=ehashman
Okay, adding Kerberos principal ehashman@WICS.UWATERLOO.CA
Enter Kerberos admin password:
Enter password for principal ehashman@WICS.UWATERLOO.CA:
Retype password:
Adding Kerberos principal...
Principal ehashman@WICS.UWATERLOO.CA successfully added.
$ kinit ehashman
Password for ehashman@WICS.UWATERLOO.CA:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ehashman@WICS.UWATERLOO.CA
Valid starting Expires Service principal
15-12-03 17:36:22 15-12-03 21:36:22 krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
renew until 15-12-04 03:36:22</pre></li>
<li>From now on, though, Kerberos principals will automatically be generated when we add new users! Like this:
<pre>$ python weo.py --adduser --username=fhboxwal --fullname="Fatema Boxwala"
Okay, adding user fhboxwal
Please enter the new user's password:
Retype password:
Enter LDAP admin password:
Enter Kerberos admin password:
Locking LDAP database...
Adding user...
Unlocked database.
Adding Kerberos principal...
User fhboxwal successfully added.</pre></li>
<li>Awesome! Now we're ready to configure Kerberos for clients.</li></ul>

==== Setting Up Client Machines with SSSD ====

<ul>
<li>On your machine of choice, install the Kerberos client packages:
<pre># apt-get install krb5-user</pre></li>
<li>Now copy over your Kerberos config, [https://git.uwaterloo.ca/wics/documentation/blob/master/krb5.conf <code>krb5.conf</code>], into <code>/etc/krb5.conf</code>.</li>
<li>Next, set up a host keytab for the local machine:
<pre># kadmin -p sysadmin/admin
Authenticating as principal sysadmin/admin with password.
Password for sysadmin/admin@WICS.UWATERLOO.CA:
kadmin: addprinc -randkey host/mother-goose.wics.uwaterloo.ca
WARNING: no policy specified for host/mother-goose.wics.uwaterloo.ca@WICS.UWATERLOO.CA; defaulting to no policy
Principal "host/mother-goose.wics.uwaterloo.ca@WICS.UWATERLOO.CA" created.
kadmin: ktadd host/mother-goose.wics.uwaterloo.ca
Entry for principal host/mother-goose.wics.uwaterloo.ca with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/mother-goose.wics.uwaterloo.ca with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.</pre></li>
<li>In order to configure authentication, we'll use a package called SSSD. (It has 234823840 dependencies.) Install it and its utilities:
<pre># apt-get install sssd sssd-tools</pre></li>
<li>Next, copy over the following configs:</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/ldap.conf <code>/etc/ldap/ldap.conf</code>]</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/sssd.conf <code>/etc/sssd/sssd.conf</code>]</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/sshd_config <code>/etc/ssh/sshd_config</code>]</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/ssh_config <code>/etc/ssh/ssh_config</code>]</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/hosts <code>/etc/hosts</code>] (because what the heck)</li>
<li>Restart <code>sssd</code> and <code>sshd</code>. The former can be very temperamental:
<pre># service ssh restart
# service sssd restart</pre></li>
<li>Test that this all worked by attempting to log in:
<pre># Just try logging in
$ ssh me@machine.wics.uwaterloo.ca

# Try logging in using Kerberos
$ kinit me
$ ssh -o GSSAPIAuthentication=yes me@machine.wics.uwaterloo.ca

# Test that sudo is working
machine:~$ sudo -i</pre></li></ul>

==== Tools for Debugging SSSD ====

<ul>
<li>It turns out <code>sssd</code> is not the greatest at telling us things. If it starts breaking, stop it and start it in the foreground in debugging mode:
<pre># service sssd stop
# sssd -d 5 -i</pre></li>
<li>Some problems with <code>sssd</code> may be cache-related, and restarting it does not clear the cache. If you need to invalidate the cache, run
<pre>sss_cache -E</pre></li></ul>

=== Password Resets ===
To change your own password you can run passwd on any of the club's machines.

Changing other users' passwords
* ssh auth1
* sudo kadmin.local
* cpw username
* Enter new password and confirm

[[Category:Software]]

[http://web.archive.org/web/20120202205851/http://cryptnet.net/mirrors/docs/krb5api.html API Documentation.] While not even close to enough to let you do most things that you'd want to do with Kerberos (and also being somewhat woefully out-of-date, considering it's from 1996), it's at least a start.

=== Expiring Passwords ===

If you are on syscom, you can force a user to change their password by doing this:
* ssh auth1
* sudo kadmin.local
* modify_principal +needchange [username]

=== Suspending an Account ===

If you are on syscom, you can prevent a user from logging with a Kerberos ticket by doing this:
* ssh auth1
* sudo kadmin.local
* modify_principal -allow_tix [username]
If you are seriously locking out an account, you may want to do some other things as well, including but not limited to changing the user's password (prevents password login) and changing the ownership and permissions on .ssh/authorized_keys* (prevents SSH key login). Don't do these things without a strong reason (but know how to do them when the time comes).

=== bofh's Kerberos5 cheat sheet, or "what does *that* error message mean, exactly?" ===

* If GSSAPI complains about "Wrong Principal in Request", make sure there's no clockskew on the machine trying to get the service ticket and the machine running the service that you are trying to get a GSS token to. This will cause this error for some insane reason, despite there being ANOTHER message for clockskew that specifically says "your clocks are off" - it just never seems to be used in the source code anywhere (as of MIT-KRB5 1.9, at least).
* There are some "generic" errors that are hard to debug. A few possible causes: unreadable krb5.keytab, reverse resolution of a host does not match its principal.

File:Kerberos.png

2016-09-14T01:16:52Z

Ehashman:

Virtualization (LXC Containers)

2016-06-01T21:03:15Z

Ehashman: WiCS LXC docs

As of Fall 2009, we use [http://lxc.sourceforge.net/ Linux containers] to maintain virtual machines, most notably [[Machine_List#caffeine|caffeine]], which is hosted on [[Machine_List#glomag|glomag]]. The various commands to manipulate Linux containers are prefixed with "lxc-"; see their individual manpages for usage.

== Management Quick Guide ==

To manage containers, use the <tt>lxc-*</tt> tools, which require root privilege. Some examples (replace <tt>caffeine</tt> with the appropriate container name):

# check if caffeine is running
lxc-info -n caffeine

# start caffeine in the background
lxc-start -d -n caffeine

# stop caffeine gracefully
lxc-halt -n caffeine

# stop caffeine forcefully
lxc-stop -n caffeine

# launch a TTY console for the container
lxc-console -n caffeine

To install Linux container support on a recent Debian (squeeze or newer) system:
* Install the <tt>lxc</tt> and <tt>bridge-utils</tt> packages.
* Create a bridged network interface (this can be configured in <tt>/etc/network/interfaces</tt> as though it were a normal Ethernet device, with the additional <tt>bridge_ports</tt> parameter. This is usually called <tt>br0</tt> (can be created manually with <tt>brctl</tt>). LXC will create a virtual Ethernet device and add it to the bridge when each container starts.

To start caffeine, run the following command as root on glomag:

lxc-start -d -n caffeine

Containers are stored on the host filesystem in /var/lib/lxc (root filesystems are symlinked to the appropriate directory on /vm).

== ehashman's Guide to LXC on Debian ==

=== Configuring the host machine ===

First, install all required packages:

<pre># apt-get install lxc bridge-utils</pre>
==== Setting up ethernet bridging ====

Next, create an ethernet bridge for the container. Edit <code>/etc/network/interfaces</code>:

<pre># The primary network interface
#auto eth0
#iface eth0 inet static
# address 129.97.134.200
# netmask 255.255.255.0
# gateway 129.97.134.1

# Bridge ethernet for containers
auto br0
iface br0 inet static
bridge_ports eth0
address 129.97.134.200
netmask 255.255.255.0
gateway 129.97.134.1
dns-nameservers 129.97.2.1 129.97.129.10
dns-search wics.uwaterloo.ca uwaterloo.ca</pre>
Cross your fingers and restart networking for your configuration to take effect!

<pre># service networking restart
// bash enter to see if you lost connectivity and have to make a machine room trip</pre>
==== Setting up storage ====

Last, allocate some space in your volume group to put the container root on:

<pre>// Find the correct volume group to put the container on
# vgdisplay

// Create the volume in the appropriate volume group
# lvcreate -L 20G -n container vg0

// Find it in the dev mapper
# ls /dev/mapper/

// Create a filesystem on it
# mkfs.ext4 /dev/mapper/vg0-container</pre>
Last, add it to <code>/etc/fstab</code>:

<pre>/dev/mapper/vg0-container /vm/container ext4 defaults 0 2</pre>
Test the entry with <code>mount</code>:

<pre># mount /vm/container</pre>
Now you're done!

=== Creating a new container ===

Create a new container using <code>lxc-create</code>:

<pre>// Create new container "container" with root fs located at /vm/container
# lxc-create --dir=/vm/container -n container --template download</pre>
This will prompt you for distribution, release, and architecture. (Architecture ''must'' match host machine.)

Take this time to review its config in <code>/var/lib/lxc/container/config</code>, and tell it to auto-start if you like:

<pre># Auto-start the container on boot
lxc.start.auto = 1</pre>
Now,

<pre>// List containers, -f for fancy
# lxc-ls -f</pre>
to ensure that your container has been successfully created; it should be listed. You can also list its root directory if you like. To start it in the background and obtain a root shell, do

<pre>// Start and attach a root shell
# lxc-start -d -n container
# lxc-attach -n container</pre>
=== Migrating a container between hosts ===

Start by shutting the container down:

<pre>root@container:~# halt</pre>
Then make a tarball of the container's filesystem:

<pre># tar --numeric-owner -czvf container.tar.gz /vm/container</pre>
Copy it to its target destination, along with the configs:

<pre>$ scp container.tar.gz new-host:
$ scp -r /var/lib/lxc/container/ new-host:/var/lib/lxc/</pre>
Now carefully extract it. '''If you haven't already, provision storage and ethernet per the container creation section.'''

Yes, we really do want to stick it directly into <code>/</code>:

<pre># tar --numeric-owner -xzvf container.tar.gz -C /</pre>
Verify the container's existence:

<pre># lxc-ls -f
NAME STATE IPV4 IPV6 AUTOSTART
-----------------------------------------
container STOPPED - - YES </pre>
Now just start it on up:

<pre># lxc-start -d -n container</pre>
And test by trying an ssh in!

[[Category:Software]]

Main Page

2016-06-01T20:51:53Z

Ehashman: /* Machine/System Documentation */

This is the Wiki of the [[Computer Science Club]]. Feel free to start adding pages and information.

[[Special:AllPages]]

== Guides ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[ New Member Guide]]
* [[Budget Guide]]
* [[Club Hosting]]
* [[Web Hosting]]
* [[Exec Manual]]
* [[Imapd Guide]]
* [[MEF Guide]]
* [[Office Policies]]
* [[Office Staff]]
* [[How to IRC]]
* [[Talks Guide]]
* [[SCS Guide]]
* [[Kerberos | Password Reset ]]
* [[Disk Drive RMA Process]]
* [[ IPMI101 ]]
</div>

== News and Events ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Meetings]]
* [[Talks]]
* [[Projects]]
* [[Industry Opportunities]]
</div>

== Machine/System Documentation ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Authentication]]
* [[Backups]]
* [[ceo]]
* [[DNS]]
* [[Debian Repository]]
* [[Digital Cutter]]
* [[Directory Services]]
* [[Electronics]]
* [[Hardware]]
* [[Kerberos]]
* [[LDAP]]
* [[Machine List]]
* [[Mail]]
* [[Mailing Lists]]
* [[Mirror]]
* [[Music]]
* [[MySQL]]
* [[NetApp]]
* [[Network]]
* [[New CSC Machine]]
* [[NFS/Kerberos]]
* [[OID Assignment]]
* [[Printing]]
* [[Pulseaudio]]
* [[Robot Arm]]
* [[Scratch]]
* [[SNMP]]
* [[Serial Connections]]
* [[SSL]]
* [[Switches]]
* [[Syscom Todo]]
* [[Systems Committee]]
* [[UID/GID Assignment]]
* [[Webcams]]
* [[Webmail]]
* [[Website]]
* [[Virtualization (LXC Containers)]]
</div>

== Miscellaneous ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Budget]]
* [[Executive]]
* [[Past Executive]]
* [[Frosh]]
* [[History]]
* [[Library]]
* [[MEF Proposals]]
* [[Term Notes]]
* [[Proposed Constitution Changes]]
</div> __NOTOC__

LDAP

2016-06-01T20:51:18Z

Ehashman: WiCS Wiki article

We use [http://www.openldap.org/ OpenLDAP] for directory services. Our primary LDAP server is [[Machine_List#auth1|auth1]] and our secondary LDAP server is [[Machine_List#auth2|auth2]].

=== ehashman's Guide to Setting up OpenLDAP on Debian ===

Welcome to my nightmare.

==== What is LDAP? ====

<blockquote>'''LDAP:''' Lightweight Directory Access Protocol

An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. — [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol Wikipedia: LDAP]
</blockquote>
In this case, "directory" refers to the user directory, like on an old-school Rolodex. Many groups use LDAP to maintain their user directory, including the University (the "WatIAM" identity management system), the Computer Science Club, and even the UW Amateur Radio Club.

This is a guide documenting how to set up LDAP on a Debian Linux system.

==== First steps ====

<ul>
<li>Ensure that openldap is installed on the machine:
<pre># apt-get install slapd ldap-utils</pre></li>
<li>Debian will do a lot of magic and set up a skeleton LDAP server and get it running. We need to configure that further.</li>
<li>Let's set up logging before we forget. Create the following files in <code>/var/log</code>:
<pre># mkdir /var/log/ldap
# touch /var/log/ldap.log</pre></li>
<li>Set ownership correctly:
<pre># chown openldap:openldap /var/log/ldap</pre></li>
<li>Set up rsyslog to dump the LDAP logs into <code>/var/log/ldap.log</code> by adding the following lines:
<pre># vim /etc/rsyslog.conf
...
# Grab ldap logs, don't duplicate in syslog
local4.* /var/log/ldap.log</pre></li>
<li>Set up log rotation for these by creating the file [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/logrotate.d.ldap <code>/etc/logrotate.d/ldap</code>] with the following contents:
<pre>/var/log/ldap/*log {
weekly
missingok
rotate 1000
compress
delaycompress
notifempty
create 0640 openldap adm
postrotate
if [ -f /var/run/slapd/slapd.pid ]; then
/etc/init.d/slapd restart >/dev/null 2>&1
fi
endscript
}

/var/log/ldap.log {
weekly
missingok
rotate 24
compress
delaycompress
notifempty
}</pre></li>
<li>As of OpenLDAP 2.4, it doesn't actually create a config file for us. Apparently, this is a "feature": LDAP maintainers think we should want to set this up via dynamic queries. We don't, so the first thing we need is our [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/slapd.conf <code>slapd.conf</code>] file.</li></ul>

===== Building <code>slapd.conf</code> from scratch =====

<ul>
<li>Get a copy to work with:
<pre># scp uid@auth1.csclub.uwaterloo.ca:/etc/ldap/slapd.conf /etc/ldap/ ## you need CSC root for this</pre></li>
<li>You'll want to comment out the TLS lines, and anything referring to Kerberos and access for now. You'll also want to comment out lines specifically referring to syscom and office staff.</li>
<li>Make sure you remove the reference to <code>nonMemberTerm</code> as an index, as we're going to remove this field.</li>
<li>You'll also need to generate a root password for the LDAP to bootstrap auth, like so:
<pre># slappasswd
New password:
Re-enter new password:
{SSHA}longhash</pre></li>
<li>Add this line below <code>rootdn</code> in the <code>slapd.conf</code>:
<pre>rootpw {SSHA}longhash</pre></li>
<li>Now we want to edit all instances of "csclub" to be "wics" instead, e.g.:
<pre>suffix "dc=wics,dc=uwaterloo,dc=ca"
rootdn "cn=root,dc=wics,dc=uwaterloo,dc=ca"</pre></li>
<li>Next, we need to grab all the relevant schemas:
<pre>scp -r uid@auth1.csclub.uwaterloo.ca:/etc/ldap/schema/ /tmp/schemas</pre></li>
<li>Use the include directives to help you find the ones you need. I noticed we were missing <code>sudo.schema</code>, <code>csc.schema</code>, and <code>rfc2307bis.schema</code>.</li>
<li>Open up the [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/csc.schema <code>csc.schema</code>] for editing; we're not using it verbatim. Remove the attributes <code>studentid</code> and <code>nonMemberTerm</code> and the objectclass <code>club</code>. Also make sure you change the OID so we don't clash with the CSC. Because we didn't want to go through the process of requesting a [http://pen.iana.org/pen/PenApplication.page PEN number], we chose arbitrarily to use 26338, which belongs to IWICS Inc.</li>
<li>We also need to can the auto-generated config files, so do that:
<pre># rm -rf /etc/openldap/slapd.d/*</pre></li>
<li>Also nuke the auto-generated database:
<pre># rm /var/lib/ldap/__db.*</pre></li>
<li>Configure the database:
<pre># cp /usr/share/slapd/DB_CONFIG /var/lib/ldap/
# chown openldap:openldap /var/lib/ldap/DB_CONFIG </pre></li>
<li>Now we can generate the new configuration files:
<pre># slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/</pre></li>
<li>And ensure that the permissions are all set correctly, lest this break something:
<pre># chown -R openldap:openldap /etc/ldap/slapd.d</pre></li>
<li>If at this point you get a nasty error, such as
<pre>5657d4db hdb_db_open: database "dc=wics,dc=uwaterloo,dc=ca": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
5657d4db backend_startup_one (type=hdb, suffix="dc=wics,dc=uwaterloo,dc=ca"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)</pre>
Just try restarting slapd, and see if that fixes the problem:
<pre># service slapd stop
# service slapd start</pre></li>
<li>Congratulations! Your LDAP service is now configured and running.</li></ul>

==== Getting TLS Up and Running ====

<ul>
<li>Now that we have our LDAP service, we'll want to be able to serve encrypted traffic. This is especially important for any remote access, since binding to LDAP (i.e. sending it a password for auth) occurs over plaintext, and we don't want to leak our admin password.</li>
<li>Our first step is to copy our SSL certificates into the correct places. Public ones go into <code>/etc/ssl/certs/</code> and private ones go into <code>/etc/ssl/private/</code>.</li>
<li>Since the LDAP daemon needs to be able to read our private cert, we need to grant LDAP access to the private folder:
<pre># chgrp openldap /etc/ssl/private
# chmod g+x /etc/ssl/private</pre></li>
<li>Next, uncomment the TLS-related settings in <code>slapd.conf</code>. These are <code>TLSCertificateFile</code> (the public cert), <code>TLSCertificateKeyFile</code> (the private key), <code>TLSCACertificateFile</code> (the intermediate CA cert), and <code>TLSVerifyClient</code> (set to "allow").
<pre># enable TLS connections
TLSCertificateFile /etc/ssl/certs/wics-wildcard.crt
TLSCertificateKeyFile /etc/ssl/private/wics-wildcard.key

# enable TLS client authentication
TLSCACertificateFile /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
TLSVerifyClient allow</pre></li>
<li>Update all your LDAP settings:
<pre># rm -rf /etc/openldap/slapd.d/*
# slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/
# chown -R openldap:openldap /etc/ldap/slapd.d</pre></li>
<li>And last, ensure that LDAP will actually serve <code>ldaps://</code> by modifying the init script variables in <code>/etc/default/</code>:
<pre># vim /etc/default/slapd
...
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
...</pre></li>
<li>Now you can restart the LDAP server:
<pre># service slapd restart</pre></li>
<li>And assuming this is successful, test to ensure LDAP is serving on port 636 for <code>ldaps://</code>:
<pre># netstat -ntaup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 22847/slapd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 22847/slapd </pre></li></ul>

==== Populating the Database ====

Now you'll need to start adding objects to the database. While we'll want to mostly do this programmatically, there are a few entries we'll need to bootstrap.

===== Root Entries =====

<ul>
<li>Start by creating a file [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/tree.ldif <code>tree.ldif</code>] to create a few necessary "roots" in our LDAP tree, with the contents:
<pre>dn: dc=wics,dc=uwaterloo,dc=ca
objectClass: dcObject
objectClass: organization
o: Women in Computer Science
dc: wics

dn: ou=People,dc=wics,dc=uwaterloo,dc=ca
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=wics,dc=uwaterloo,dc=ca
objectClass: organizationalUnit
ou: Group</pre></li>
<li>Now attempt an LDAP add, using the password you set earlier:
<pre># ldapadd -cxWD cn=root,dc=wics,dc=uwaterloo,dc=ca -f tree.ldif
Enter LDAP Password:
adding new entry "dc=wics,dc=uwaterloo,dc=ca"

adding new entry "ou=People,dc=wics,dc=uwaterloo,dc=ca"

adding new entry "ou=Group,dc=wics,dc=uwaterloo,dc=ca"</pre></li>
<li>Test that everything turned out okay, by performing a query of the entire database:
<pre># ldapsearch -x -h localhost
# extended LDIF
#
# LDAPv3
# base <dc=wics,dc=uwaterloo,dc=ca> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# wics.uwaterloo.ca
dn: dc=wics,dc=uwaterloo,dc=ca
objectClass: dcObject
objectClass: organization
o: Women in Computer Science
dc: wics

# People, wics.uwaterloo.ca
dn: ou=People,dc=wics,dc=uwaterloo,dc=ca
objectClass: organizationalUnit
ou: People

# Group, wics.uwaterloo.ca
dn: ou=Group,dc=wics,dc=uwaterloo,dc=ca
objectClass: organizationalUnit
ou: Group

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3</pre></li></ul>

===== Users and Groups =====

<ul>
<li>Next, add users to track the current GID and UID. This will save us from querying the entire database every time we make a new user or group. Create this file, [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/nextxid.ldif <code>nextxid.ldif</code>]:
<pre>dn: uid=nextuid,ou=People,dc=wics,dc=uwaterloo,dc=ca
cn: nextuid
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 20000
gidNumber: 20000
homeDirectory: /dev/null

dn: cn=nextgid,ou=Group,dc=wics,dc=uwaterloo,dc=ca
objectClass: group
objectClass: posixGroup
objectClass: top
gidNumber: 10000</pre>
You'll see here that our first GID is 10000 and our first UID is 20000.</li>
<li>Now add them, like you did with the roots of the tree:
<pre># ldapadd -cxWD cn=root,dc=wics,dc=uwaterloo,dc=ca -f nextxid.ldif
Enter LDAP Password:
adding new entry "uid=nextuid,ou=People,dc=wics,dc=uwaterloo,dc=ca"

adding new entry "cn=nextgid,ou=Group,dc=wics,dc=uwaterloo,dc=ca"</pre></li></ul>

===== Special <code>sudo</code> Entries =====

<ul>
<li>We also need to add a sudoers OU with a defaults object for default sudo settings. We also need entries for syscom, such that members of the syscom group can use sudo on all hosts, and for termcom, whose members can use sudo on only the office terminals. Call this one [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/sudoers.ldif <code>sudoers.ldif</code>]:
<pre>dn: ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: !lecture
sudoOption: env_reset
sudoOption: listpw=never
sudoOption: mailto="wics-sys@lists.uwaterloo.ca"
sudoOption: shell_noargs

dn: cn=%syscom,ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca
objectClass: top
objectClass: sudoRole
cn: %syscom
sudoUser: %syscom
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL

dn: cn=%termcom,ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca
objectClass: top
objectClass: sudoRole
cn: %termcom
sudoUser: %termcom
sudoHost: honk
sudoHost: hiss
sudoHost: gosling
sudoCommand: ALL
sudoRunAsUser: ALL</pre></li>
<li>Now add them:
<pre># ldapadd -cxWD cn=root,dc=wics,dc=uwaterloo,dc=ca -f sudoers.ldif
Enter LDAP Password:
adding new entry "ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca"

adding new entry "cn=defaults,ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca"

adding new entry "cn=%syscom,ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca"

adding new entry "cn=%termcom,ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca"</pre></li>
<li>Last, add some special local groups via [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/local-groups.ldif <code>local-groups.ldif</code>]:
<pre># ldapadd -cxWD cn=root,dc=wics,dc=uwaterloo,dc=ca -f local-groups.ldif</pre>
The local groups are special because they usually are present on all systems, but we want to be able to add users to them at the LDAP level. For instance, the audio group controls access to sound equipment, and the adm group controls log read access.</li>
<li>That's all the entries we have to add manually! Now we can use software for the rest. See [[weo|<code>weo</code>]] for more details.</li></ul>

=== Querying LDAP ===

There are many tools available for issuing LDAP queries. Queries should be issued to <tt>ldap1.csclub.uwaterloo.ca</tt>. The search base you almost certainly want is <tt>dc=csclub,dc=uwaterloo,dc=ca</tt>. Read access is available without authentication; [[Kerberos]] is used to authenticate commands which require it.

Example:

ldapsearch -x -h ldap1.csclub.uwaterloo.ca -b dc=csclub,dc=uwaterloo,dc=ca uid=ctdalek

The <tt>-x</tt> option causes <tt>ldapsearch</tt> to switch to simple authentication rather than trying to authenticate via SASL (which will fail if you do not have a Kerberos ticket).

The University LDAP server (uwldap.uwaterloo.ca) can also be queried like this. Again, use "simple authentication" as read access is available (from on campus) without authentication. SASL authentication will fail without additional parameters.

Example:

ldapsearch -x -h uwldap.uwaterloo.ca -b dc=uwaterloo,dc=ca "cn=Prabhakar Ragde"

=== Replication ===

While <tt>ldap1.csclub.uwaterloo.ca</tt> ([[Machine_List#auth1|auth1]]) is the LDAP master, an up-to-date replica is available on <tt>ldap2.csclub.uwaterloo.ca</tt> ([[Machine_List#auth2|auth2]]).

In order to replicate changes from the master, the slave maintains an authenticated connection to the master which provides it with full read access to all changes.

Specifically, <tt>/etc/systemd/system/k5start-slapd.service</tt> maintains an active Kerberos ticket for <tt>ldap/auth2.csclub.uwaterloo.ca@CSCLUB.UWATERLOO.CA</tt> in <tt>/var/run/slapd/krb5cc</tt>. This is then used to authenticate the slave to the server, who maps this principal to <tt>cn=ldap-slave,dc=csclub,dc=uwaterloo,dc=ca</tt>, which in turn has full read privileges.

In the event of master failure, all hosts should fail LDAP reads seamlessly over to the slave.

[[Category:Software]]

Kerberos

2016-06-01T18:57:01Z

Ehashman: Add WiCS Kerberos Docs

We use [http://web.mit.edu/Kerberos/ MIT Kerberos 5] for authentication. Our kerberos realm is CSCLUB.UWATERLOO.CA. KDCs run on [[Machine_List#auth1|auth1]] (kdc1) and [[Machine_List#artificial-flavours|artificial-flavours]] (kdc2).

=== ehashman's guide to MIT Kerberos v5 on Debian ===

==== Preparatory Reading ====

# [http://web.mit.edu/kerberos/dialogue.html Kerberos: A Dialogue in Four Scenes] ('''''definitely''''' read this)
# [http://www.roguelynn.com/words/explain-like-im-5-kerberos/ Explain Like I'm 5: Kerberos] (less entertaining than the stage play)
# [http://www.rjsystems.nl/en/2100-d6-kerberos-master.php A very practical configuration guide to Kerberos on Debian squeeze] (things don't change much in the Debian world)
# [http://web.mit.edu/kerberos/krb5-latest/doc/admin/index.html The official Kerberos documentation]

==== Set up host records ====

<ul>
<li>We will need host records to correspond to our Kerberos admin server and key distribution center, <code>kadmin.wics.uwaterloo.ca</code> and <code>kdc1.wics.uwaterloo.ca</code>. These can just be A records pointing to our auth server (currently <code>129.97.134.212</code>).</li>
<li>We can also set up [http://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html special SRV records] as well. This is recommended but not necessary. They look like this:
<pre>_kerberos._udp.wics.uwaterloo.ca SRV 0 0 88 kdc1.wics.uwaterloo.ca
_kerberos-master._udp.wics.uwaterloo.ca SRV 0 0 88 kdc1.wics.uwaterloo.ca
_kpasswd._udp.wics.uwaterloo.ca SRV 0 0 464 kdc1.wics.uwaterloo.ca</pre>
You may have guessed that the third integer is the port the service runs on.</li></ul>

==== Install packages ====

<ul>
<li>First, install some common system utils that may be missing from the fresh container:
<pre># apt-get install ssh ntpdate xinetd nmap</pre></li>
<li>Do NOT install ntp on the container. Install it on the host system instead. See [[ntp|NTP]] for info on NTP servers.</li>
<li>Next, install the Kerberos server:
<pre>apt-get install krb5-{admin-server,user}</pre></li>
<li>During the install process, <code>dpkg</code> will ask you for the following three values, specified below:
<pre>Default Kerberos version 5 realm: WICS.UWATERLOO.CA
Kerberos servers for your realm: kdc1.wics.uwaterloo.ca
Administrative server for your Kerberos realm: kadmin.wics.uwaterloo.ca</pre></li>
<li>You'll encounter this lovely error, from <code>xinetd</code>:
<pre>Note: xinetd currently is not fully supported by update-inetd.
Please consult /usr/share/doc/xinetd/README.Debian and itox(8).</pre>
To solve this, we create a file <code>/etc/xinetd.d/krb_prop</code> with the following contents:
<pre>service krb_prop
{
disable = no
socket_type = stream
protocol = tcp
user = root
wait = no
server = /usr/sbin/kpropd
}</pre>
And then restart <code>xinetd</code>:
<pre># service xinetd restart</pre></li>
<li>You'll also note that the <code>krb5-kdc</code> service failed to start. This is okay. > This is because the realm, EXAMPLE.COM, or rather the database file for it (<code>/var/lib/krb5kdc/principal</code>), has not yet been created. – http://www.rjsystems.nl/en/2100-d6-kerberos-master.php</li></ul>

==== Configuring Kerberos ====

<ul>
<li>The first thing we'll configure is the access control list. Edit <code>/etc/krb5kdc/kadm5.acl</code> and enable/add the following line:
<pre>*/admin *</pre>
Our primary admin principal will be <code>sysadmin/admin@WICS.UWATERLOO.CA</code>, so there is no need to add a separate <code>admin</code> principal to the ACL.</li>
<li>Let's configure Kerberos client-side in [https://git.uwaterloo.ca/wics/documentation/blob/master/krb5.conf <code>/etc/krb5.conf</code>]. Consulting with the CSC's config, [[www.rjsystems.nl/en/2100-d6-kerberos-master.php#rcfg|our favoured setup guide]], and [http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html the Kerberos krb5.conf manual], we'll mostly select default settings. Notable additions include
<pre>[libdefaults]
allow_weak_crypto = false # default is currently false but hey

# If DNS breaks we don't want auth to fail
dns_lookup_kdc = false
dns_lookup_realm = false

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5.log</pre></li>
<li>We also want to ensure we're using good crypto for our Key Distribution Center, so let's set that up next in [https://git.uwaterloo.ca/wics/documentation/blob/master/kdc.conf <code>/etc/krb5kdc/kdc.conf</code>]:
<pre>[kdcdefaults]
kdc_ports = 750,88

[realms]
WICS.UWATERLOO.CA = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 12h 0m 0s
max_renewable_life = 1d 0h 0m 0s
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
default_principal_flags = +preauth
}</pre></li>
<li>We didn't choose to create a new krb5 log directory but we should set up logrotate. Create a file [https://git.uwaterloo.ca/wics/documentation/blob/master/logrotate.d.krb5 <code>/etc/logrotate.d/krb5</code>] with three of the following entries (one for each log file):
<pre>/var/log/FILENAME.log {
weekly
missingok
rotate 8
compress
delaycompress
notifempty
postrotate
/etc/init.d/SERVICENAME restart > /dev/null
endscript
}</pre></li>
<li>Make sure you also create those files so the service can write to them:
<pre># touch /var/log/{krb5,krb5kdc,kadmin}.log</pre></li></ul>

==== Creating the Kerberos Realm ====

<ul>
<li>Now we're going to create the realm:
<pre># krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data</pre>
The script may pause at this point until there is sufficient available entropy to generate a key. Then it will prompt for a password. USE A LONG, RANDOM ONE. THIS PASSWORD IS VERY IMPORTANT.
<pre>Initializing database '/var/lib/krb5kdc/principal' for realm
'WICS.UWATERLOO.CA',
master key name 'K/M@WICS.UWATERLOO.CA'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.</pre></li>
<li>We'll now configure the default and maximum ticket life for the Kerberos Ticket Granting Ticket (<code>krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA</code>):
<pre># kadmin.local
Authenticating as principal root/admin@WICS.UWATERLOO.CA with password.
kadmin.local: getprinc krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
Principal: krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 12:00:00
Maximum renewable life: 1 day 00:00:00
Last modified: Thu Dec 03 03:59:04 UTC 2015 (db_creation@WICS.UWATERLOO.CA)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>
Let's set the max life to 4 hours and the renewable life to 10 hours, for extra security.
<pre>kadmin.local: modprinc -maxlife "4 hour" -maxrenewlife "10 hour" krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
Principal "krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA" modified.</pre></li></ul>

==== Adding Principals ====

<ul>
<li>We need some root users in our system in order to bootstrap the rest, so let's create our sysadmin user, and give them our root password for authentication:
<pre># kadmin.local
Authenticating as principal root/admin@WICS.UWATERLOO.CA with password.
kadmin.local: addprinc sysadmin/admin
WARNING: no policy specified for sysadmin/admin@WICS.UWATERLOO.CA; defaulting to no policy
Enter password for principal "sysadmin/admin@WICS.UWATERLOO.CA":
Re-enter password for principal "sysadmin/admin@WICS.UWATERLOO.CA":
Principal "sysadmin/admin@WICS.UWATERLOO.CA" created.</pre></li>
<li>Now we need to add a principal and keytab for our KDC host. While <code>addprinc -randkey</code> does add a key, we need to use <code>ktadd</code> to ensure it's copied over to the client host (in this case, auth1).

('''keytab:''' a key table file containing one or more keys. A host or service uses a keytab file in much the same way as a user uses his/her password.)

<pre>$ kadmin -p sysadmin/admin
Authenticating as principal sysadmin/admin with password.
Password for sysadmin/admin@WICS.UWATERLOO.CA:
kadmin: addprinc -randkey host/auth1.wics.uwaterloo.ca
WARNING: no policy specified for
host/auth1.wics.uwaterloo.ca@WICS.UWATERLOO.CA; defaulting to no policy
Principal "host/auth1.wics.uwaterloo.ca@WICS.UWATERLOO.CA" created.
kadmin: ktadd host/auth1.wics.uwaterloo.ca
Entry for principal host/auth1.wics.uwaterloo.ca with kvno 2, encryption type
aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/auth1.wics.uwaterloo.ca with kvno 2, encryption type
aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.</pre></li>
<li>Now we can test that the KDC can grant principals tickets:
<pre>$ kinit sysadmin/admin
Password for sysadmin/admin@WICS.UWATERLOO.CA:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sysadmin/admin@WICS.UWATERLOO.CA
Valid starting Expires Service principal
12/03/2015 05:31:38 12/03/2015 09:31:38 krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
renew until 12/03/2015 15:31:38
$ kdestroy
$ klist
klist: Credentials cache file '/tmp/krb5cc_0' not found</pre></li>
<li>Next, we'll probably want to add principals for any users that we created in LDAP. We can do this in <code>weo</code> using the following command, and we can even test that principal after its creation:
<pre>$ python weo.py --add-krb-princ --username=ehashman
Okay, adding Kerberos principal ehashman@WICS.UWATERLOO.CA
Enter Kerberos admin password:
Enter password for principal ehashman@WICS.UWATERLOO.CA:
Retype password:
Adding Kerberos principal...
Principal ehashman@WICS.UWATERLOO.CA successfully added.
$ kinit ehashman
Password for ehashman@WICS.UWATERLOO.CA:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ehashman@WICS.UWATERLOO.CA
Valid starting Expires Service principal
15-12-03 17:36:22 15-12-03 21:36:22 krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
renew until 15-12-04 03:36:22</pre></li>
<li>From now on, though, Kerberos principals will automatically be generated when we add new users! Like this:
<pre>$ python weo.py --adduser --username=fhboxwal --fullname="Fatema Boxwala"
Okay, adding user fhboxwal
Please enter the new user's password:
Retype password:
Enter LDAP admin password:
Enter Kerberos admin password:
Locking LDAP database...
Adding user...
Unlocked database.
Adding Kerberos principal...
User fhboxwal successfully added.</pre></li>
<li>Awesome! Now we're ready to configure Kerberos for clients.</li></ul>

==== Setting Up Client Machines with SSSD ====

<ul>
<li>On your machine of choice, install the Kerberos client packages:
<pre># apt-get install krb5-user</pre></li>
<li>Now copy over your Kerberos config, [https://git.uwaterloo.ca/wics/documentation/blob/master/krb5.conf <code>krb5.conf</code>], into <code>/etc/krb5.conf</code>.</li>
<li>Next, set up a host keytab for the local machine:
<pre># kadmin -p sysadmin/admin
Authenticating as principal sysadmin/admin with password.
Password for sysadmin/admin@WICS.UWATERLOO.CA:
kadmin: addprinc -randkey host/mother-goose.wics.uwaterloo.ca
WARNING: no policy specified for host/mother-goose.wics.uwaterloo.ca@WICS.UWATERLOO.CA; defaulting to no policy
Principal "host/mother-goose.wics.uwaterloo.ca@WICS.UWATERLOO.CA" created.
kadmin: ktadd host/mother-goose.wics.uwaterloo.ca
Entry for principal host/mother-goose.wics.uwaterloo.ca with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/mother-goose.wics.uwaterloo.ca with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.</pre></li>
<li>In order to configure authentication, we'll use a package called SSSD. (It has 234823840 dependencies.) Install it and its utilities:
<pre># apt-get install sssd sssd-tools</pre></li>
<li>Next, copy over the following configs:</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/ldap.conf <code>/etc/ldap/ldap.conf</code>]</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/sssd.conf <code>/etc/sssd/sssd.conf</code>]</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/sshd_config <code>/etc/ssh/sshd_config</code>]</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/ssh_config <code>/etc/ssh/ssh_config</code>]</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/hosts <code>/etc/hosts</code>] (because what the heck)</li>
<li>Restart <code>sssd</code> and <code>sshd</code>. The former can be very temperamental:
<pre># service ssh restart
# service sssd restart</pre></li>
<li>Test that this all worked by attempting to log in:
<pre># Just try logging in
$ ssh me@machine.wics.uwaterloo.ca

# Try logging in using Kerberos
$ kinit me
$ ssh -o GSSAPIAuthentication=yes me@machine.wics.uwaterloo.ca

# Test that sudo is working
machine:~$ sudo -i</pre></li></ul>

==== Tools for Debugging SSSD ====

<ul>
<li>It turns out <code>sssd</code> is not the greatest at telling us things. If it starts breaking, stop it and start it in the foreground in debugging mode:
<pre># service sssd stop
# sssd -d 5 -i</pre></li>
<li>Some problems with <code>sssd</code> may be cache-related, and restarting it does not clear the cache. If you need to invalidate the cache, run
<pre>sss_cache -E</pre></li></ul>

=== Password Resets ===
To change your own password you can run passwd on any of the club's machines.

Changing other users' passwords
* ssh auth1
* sudo kadmin.local
* cpw username
* Enter new password and confirm

[[Category:Software]]

[http://web.archive.org/web/20120202205851/http://cryptnet.net/mirrors/docs/krb5api.html API Documentation.] While not even close to enough to let you do most things that you'd want to do with Kerberos (and also being somewhat woefully out-of-date, considering it's from 1996), it's at least a start.

=== Expiring Passwords ===

If you are on syscom, you can force a user to change their password by doing this:
* ssh auth1
* sudo kadmin.local
* modify_principal +needchange [username]

=== Suspending an Account ===

If you are on syscom, you can prevent a user from logging with a Kerberos ticket by doing this:
* ssh auth1
* sudo kadmin.local
* modify_principal -allow_tix [username]
If you are seriously locking out an account, you may want to do some other things as well, including but not limited to changing the user's password (prevents password login) and changing the ownership and permissions on .ssh/authorized_keys* (prevents SSH key login). Don't do these things without a strong reason (but know how to do them when the time comes).

=== bofh's Kerberos5 cheat sheet, or "what does *that* error message mean, exactly?" ===

* If GSSAPI complains about "Wrong Principal in Request", make sure there's no clockskew on the machine trying to get the service ticket and the machine running the service that you are trying to get a GSS token to. This will cause this error for some insane reason, despite there being ANOTHER message for clockskew that specifically says "your clocks are off" - it just never seems to be used in the source code anywhere (as of MIT-KRB5 1.9, at least).
* There are some "generic" errors that are hard to debug. A few possible causes: unreadable krb5.keytab, reverse resolution of a host does not match its principal.

NetApp

2015-12-17T02:52:31Z

Ehashman: /* Terminology */ jxpryde nitpicking me

As of Fall 2013, the CSC has a NetApp FAS3000 series which is capable of hosting network shares. It was donated to us by CSCF. It is also pretty old. Like, Pentium IV old.

==Documentation==
All the manuals are hosted in ~sysadmin/netapp-docs/

Relevant docs for storage modification are: smg.pdf, sysadmin.pdf

iSCSI documentation is in ontop/bsag.pdf

==Background==
While the NetApp supports both NFS and CIFS, neither of these export options provide the versatility nor the options we desire of a network fileshare (for instance, no device authentication is supported). Instead, we have configured the NetApp to export iSCSI block devices to be mounted on aspartame. Therefore, aspartame now replaces ginseng as the primary CSC fileserver.

===Terminology===
* '''Filer:''' the controller unit for the NetApp. Currently psilodump.
* '''Disk shelf:''' where the physical disks live. Can be plugged into a filer or directly into another machine.
* '''RAID:''' "Redundant Array of Independent Disks", used to improve reliability and protect against disk failures.
* '''RAID-DP:''' "Double Parity" RAID, similar to RAID6 in failure tolerance (implemented like RAID4 but with two dedicated parity disks). It can survive up to two disk failures before degradation.
* '''aggr:''' An aggregate of disks. This is a list of physical disks, similar to selecting the physical devices used for LVM.
* '''vol:''' A volume consisting of some space on an aggregate. In general, we use the whole aggregate for a volume. RAID level is set at the volume. Similar to an LVM volume group.
* '''lun:''' "Logical Unit Number" The LUN is a device addressed by the SCSI protocol, and looks like a disk to the user. We usually use the whole volume for a single LUN. This is similar to an LVM logical volume.

===Common Commands===
aggr status -r aggr_name
Shows aggregate status
disk show -v
Shows disks, and which filer they are owned by (currently all by psilodump)
storage
storage related things
disk assign
Assigns orphaned disks to a filer
vol
Volume stuffs

==NetApp Configuration==
Should aspartame get totally hosed, or stability is long enough such that all sysadmin folk at the time have graduated, here is how to access, configure, and complete set up iSCSI on the NetApp+aspartame.

===Access===
Configuration mechanisms are accessible via SSH or serial interface, but through aspartame only, which the machine is directly plugged into. The NetApp is not visible on 134net at all.

The private IP is 10.15.134.130, only available from aspartame on the interface with IP 10.15.134.1. You may have to remove the default route from the routing table in order to successfully contact the machine with ssh.

===Disk information===
* shelf 1
** 14x136GB 10,000RPM FibreChannel disks
** Currently disconnected, could be connected to psilodump or directly to another machine.
* shelf 2
** 14x136GB 10,000RPM FibreChannel disks
** Currently assigned to psilodump
* shelf 3
** 14x500GB 7,200RPM ATA disks
** Currently assigned to psilodump
* shelf 4
** 14x500GB 7,200RPM ATA disks
** Currently assigned to psilodump

====Aggregates====
* aggr0
** Root aggregate volume, in RAID-DP
* aggr1
** Music aggregate volume, in RAID-DP
* aggr2
** Users aggregate volume, in RAID-DP
* aggr3
** Backups volume for CSC videos, in RAID-DP

====Volumes====
* /vol/vol0
** Root volume.
* /vol/vol1music
** Music volume. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol1music/lun0 .
* /vol/vol2users
** Users volume. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol2users/lun0 .
* /vol/vol3backup
** Backup volume for videos. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol3backup/lun0 .

===Enabling iSCSI and Auth (one-time setup)===

Enable iSCSI and configure default authentication.

options iscsi.enable on
iscsi nodename iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
iscsi security default -s CHAP -p yoursecurepassword -n psilodump

where yoursecurepassword is more secure. For iSCSI hosts, the target will be on node iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca with username psilodump and password yoursecurepassword.

===Setting up a new disk aggregate, volume, and LUN===

1. Login to the NetApp. You'll either need access to the physical serial console or to ssh as root to psilodump's private IP (10.15.134.130). Credentials are stored in /users/sysadmin .

2. To get information on the available disks, run the command:
aggr status -r
This command will return three lists: Active aggregates with their assigned disks, spare disks, and disks managed by the partner. An aggregate is roughly equivalent to an LVM volume group: It is a collection of physical disks, possibly across multiple disk shelves and with various RAID levels applied, which may host one or more logical volumes.
Do not proceed if there are fewer than three spare disks of each type available. Refer to the NetApp documentation to add more disks or release disks from existing aggregates.

3. Choose a list of disks for your new aggregate. The available space will be approximately 2/3 of the total disk space.

4. Create the aggregate as follows:
aggr create aggrN -t raid_dp -d [disk-list]

where [disk-list] is a list of the form AA:BB CC:DD ... containing the identifiers for the disks you wish to use to create the aggregate.

5. Retrieve the aggregate information. You will need to know the available space for the next step.
aggr show_space aggrN

6. Create a volume in the aggregate:
vol create volNfoo -s volume aggrN XXXK

where XXX is the total available space in aggrN. You may need to choose a smaller number due to hidden size constraints and rounding. If you can't seem to find the right size, pick one much smaller, and then use the command

vol size volNfoo +XXX

to grow the volume. This command will tell you how much available space remains, unlike `vol create`, so you don't need to keep guessing.

7. Disable snapshotting and access time update. Neither will be needed for exporting an iSCSI LUN.
vol options volNfoo no_atime_update on
vol options volNfoo nosnap on
snap reserve volNfoo 0

8. Create a LUN on your volume:
lun create -s XXXK -t linux /vol/volNfoo/lun0

where XXXK is the amount of available space on the volume, as shown by the command df.

9. Create an iSCSI initiator group and add all of your hosts to it:
igroup create -i -t linux volNfoo_group
igroup add volNfoo_group iqn.1993-08.org.debian:01:123456789
igroup add volNfoo_group iqn.1993-08.org.debian:01:981287231
...

The node identifiers given to the igroup add command will soon be able to access the iSCSI LUN you created above.

10. Map the LUN to the iSCSI initiator group:
lun map /vol/volNfoo/lun0 volNfoo_group

You're done! Any host in the initiator group should now be able to access the LUN you've created as a block device.

===Expanding an aggregate, volume, and LUN===

1. Start by getting the aggregate's status, e.g.

psilodump> '''aggr status -r aggr3'''
Aggregate aggr3 (online, raid_dp) (block checksums)
Plex /aggr3/plex0 (online, normal, active)
RAID group /aggr3/plex0/rg0 (normal)

RAID Disk Device HA SHELF BAY CHAN Pool Type RPM Used (MB/blks) Phys (MB/blks)
--------- ------ ------------- ---- ---- ---- ----- -------------- --------------
dparity 0c.32 0c 2 0 FC:B - FCAL 10000 136000/278528000 139072/284820800
parity 0c.33 0c 2 1 FC:B - FCAL 10000 136000/278528000 139072/284820800
data 0a.34 0a 2 2 FC:A - FCAL 10000 136000/278528000 139072/284820800
...

2. Now determine the available spare disks:
psilodump> '''aggr status -s'''

Spare disks

RAID Disk Device HA SHELF BAY CHAN Pool Type RPM Used (MB/blks) Phys (MB/blks)
--------- ------ ------------- ---- ---- ---- ----- -------------- --------------
Spare disks for block or zoned checksum traditional volumes or aggregates
spare 0a.41 0a 2 9 FC:A - FCAL 10000 136000/278528000 137104/280790184
spare 0c.38 0c 2 6 FC:B - FCAL 10000 136000/278528000 137104/280790184
spare 0c.37 0c 2 5 FC:B - FCAL 10000 136000/278528000 137422/281442144
...

3. Select disks by device number and add them to the aggregate, using the following command. (Use the -n flag if you want to test your command syntax with a dry run.)

psilodump> '''aggr add aggr3 -g rg0 -d 0a.39 0a.44 0c.40 0c.45'''
Addition of 4 disks to the aggregate has completed.
Wed Dec 16 19:55:09 EST [psilodump: raid.vol.disk.add.done:notice]: Addition of Disk /aggr3/plex0/rg0/0c.45 Shelf 2 Bay 13 [NETAPP X274_HJURE146F10 NA14] S/N [404W6272] to aggregate aggr3 has completed successfully
...

4. Now fight with `vol size` to resize the volume:

psilodump> '''df -A aggr3'''
Aggregate kbytes used avail capacity
aggr3 833369408 357122492 476246916 43%
psilodump> '''vol size vol3backup +476246000k'''
vol size: Insufficient space to grow this volume with its guarantee enabled; maximum growth is +473602692k.
psilodump> '''vol size vol3backup +473602692k'''
vol size: Flexible volume 'vol3backup' size set to 828725892k.

5. Last, fight with `lun resize` to increase the lun size:

psilodump> '''lun resize /vol/vol3backup/lun0 +473602692k'''
lun resize: No space left on device
lun resize: max size: 788g (846844657664)
psilodump> '''lun resize /vol/vol3backup/lun0 846844657664'''

==Host Configuration==

===aspartame Configuration===
Install open-iscsi:
apt-get install open-scsi

Edit /etc/iscsi/iscsid.conf:
node.startup = manual
discovery.sendtargets.auth.authmethod=CHAP
discovery.sendtargets.auth.username=username
discovery.sendtargets.auth.password=password
node.session.auth.authmethod=CHAP
node.session.auth.username=username
node.session.auth.password=password

Start open-iscsi service:
service open-iscsi start

Scan for iSCSI devices from the NetApp:
iscsiadm --mode discovery --type st --portal psilodump

This should dump out a ton of information, for example:
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2001 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2002 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,1000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
10.15.134.131:3260,2002 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
129.97.134.131:3260,2001 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
10.15.134.130:3260,2000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
129.97.134.130:3260,1000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca

The .130 IPs correspond to one filer, and the .131 IPs correspond to the other filer. Currently we are only using one of the filers (psilodump).

This also populates the /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca directory with all possible ways to access the NetApp. For testing purposes (i.e. node.startup = manual), this is okay.

Test to see if you can get the iSCSI device to show up correctly:
iscsiadm --mode node --targetname "iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca" --portal 10.15.134.130:3260 --login

This should produce output similar to:
Logging in to [iface: default, target: iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca, portal: 10.15.134.130,3260]
Login to [iface: default, target: iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca, portal: 10.15.134.130,3260]: successful

Check /dev/disk/by-path/ip* to ensure new disks show up:
# ls -l /dev/disk/by-path/ip*
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-0 -> ../../sda
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-0-part1 -> ../../sda1
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-1 -> ../../sdb
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-1-part1 -> ../../sdb1

If this fails, check all your configuration again.

If this succeeds, you are now ready to try autoconnecting the iSCSI device.

Delete all extraneous entries from /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca . This prevents the startup script from (a) hanging, and (b) being very upset. All that is left should be the interface you intend to connect through:
# ls -l /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca/
10.15.134.130,3260,2000

Edit /etc/iscsi/iscsid.conf:
node.startup = automatic

For the init.d script to work correctly (i.e. properly mount things) we need to add a sleep to allow the device to settle:
Edit /etc/init.d/open-iscsi roughly around line 127 to add a "sleep 1":
...
# Now let's mount
sleep 1
log_daemon_msg "Mounting network filesystems"
MOUNT_RESULT=1
if mount -a -O _netdev >/dev/null 2>&1; then
MOUNT_RESULT=0
break
fi
log_end_msg $MOUNT_RESULT
...

Now we can restart the service:
service open-iscsi restart

Now you can configure partitions and mountpoints.

===Exporting Kerberized NFS from Debian Sid===

The default kernel in Debian sid (stable, 2.6.32) does not support the necessary crypto suites to export kerberized NFS to newer kernels. You MUST upgrade the kernel, nfs-common, and nfs-kernel-server packages to AT LEAST squeeze-backports.

===iSCSI block device mount optimizations===

tmyklebu made some changes to /sys/block/sda/queue. The following is now in /etc/rc.local on aspartame:

echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 32768 > /sys/block/sda/queue/max_sectors_kb
echo 4096 > /sys/block/sda/queue/nr_requests
echo noop > /sys/block/sda/queue/scheduler

We should increase the iSCSI configs node.session.queue_depth and node.session.cmds_max during next maintenance window.

===Transferring old files from ginseng===

====Method A====

* On ginseng, use parted to set up the mounted iscsi drive as an ext4 primary partition (setting up a partition of size >2TB requires care and a GPT)
* Compiled star in /root on ginseng
* Transferred files with the following Makefile (assuming original user directories in /export/users, destination volume in /mnt/iscsi, make -j8):
foo := $(wildcard /export/users/*)
bar := $(patsubst /export/users/%,/mnt/iscsi/%,$(foo))
all: $(bar)
/mnt/iscsi/%: /export/users/%
# echo $@ $<
~/star-1.5.2/star/OBJ/x86_64-linux-cc/star \
-copy -p -acl artype=exustar \
-C /export/users $(notdir $<) /mnt/iscsi

====Method B====

* On ginseng, authenticate with iSCSI target (psilodump.csclub.uwaterloo.ca lun0).
* Umount /dev/mapper/vg0-users
* Copy users filesystem directly to iSCSI target:
dd if=/dev/mapper/vg0-users of=/path/to/psilodump:lun0 bs=8M
* Resize users filesystem on destination partition to fit:
resize2fs /path/to/psilodump:lun0

NetApp

2015-12-17T02:49:44Z

Ehashman: /* NetApp Configuration */ Add expanding LUN section

As of Fall 2013, the CSC has a NetApp FAS3000 series which is capable of hosting network shares. It was donated to us by CSCF. It is also pretty old. Like, Pentium IV old.

==Documentation==
All the manuals are hosted in ~sysadmin/netapp-docs/

Relevant docs for storage modification are: smg.pdf, sysadmin.pdf

iSCSI documentation is in ontop/bsag.pdf

==Background==
While the NetApp supports both NFS and CIFS, neither of these export options provide the versatility nor the options we desire of a network fileshare (for instance, no device authentication is supported). Instead, we have configured the NetApp to export iSCSI block devices to be mounted on aspartame. Therefore, aspartame now replaces ginseng as the primary CSC fileserver.

===Terminology===
* '''Filer:''' the controller unit for the NetApp. Currently psilodump.
* '''Disk shelf:''' where the physical disks live. Can be plugged into a filer or directly into another machine.
* '''RAID:''' "Redundant Array of Independent Disks", used to improve reliability and protect against disk failures.
* '''RAID-DP:''' "Double Parity" RAID, similar to RAID6 (this is probably RAID4 with two parity disks, but the result is the same). It uses two parity disks and can survive up to two disk failures before degradation.
* '''aggr:''' An aggregate of disks. This is a list of physical disks, similar to selecting the physical devices used for LVM.
* '''vol:''' A volume consisting of some space on an aggregate. In general, we use the whole aggregate for a volume. RAID level is set at the volume. Similar to an LVM volume group.
* '''lun:''' "Logical Unit Number" The LUN is a device addressed by the SCSI protocol, and looks like a disk to the user. We usually use the whole volume for a single LUN. This is similar to an LVM logical volume.

===Common Commands===
aggr status -r aggr_name
Shows aggregate status
disk show -v
Shows disks, and which filer they are owned by (currently all by psilodump)
storage
storage related things
disk assign
Assigns orphaned disks to a filer
vol
Volume stuffs

==NetApp Configuration==
Should aspartame get totally hosed, or stability is long enough such that all sysadmin folk at the time have graduated, here is how to access, configure, and complete set up iSCSI on the NetApp+aspartame.

===Access===
Configuration mechanisms are accessible via SSH or serial interface, but through aspartame only, which the machine is directly plugged into. The NetApp is not visible on 134net at all.

The private IP is 10.15.134.130, only available from aspartame on the interface with IP 10.15.134.1. You may have to remove the default route from the routing table in order to successfully contact the machine with ssh.

===Disk information===
* shelf 1
** 14x136GB 10,000RPM FibreChannel disks
** Currently disconnected, could be connected to psilodump or directly to another machine.
* shelf 2
** 14x136GB 10,000RPM FibreChannel disks
** Currently assigned to psilodump
* shelf 3
** 14x500GB 7,200RPM ATA disks
** Currently assigned to psilodump
* shelf 4
** 14x500GB 7,200RPM ATA disks
** Currently assigned to psilodump

====Aggregates====
* aggr0
** Root aggregate volume, in RAID-DP
* aggr1
** Music aggregate volume, in RAID-DP
* aggr2
** Users aggregate volume, in RAID-DP
* aggr3
** Backups volume for CSC videos, in RAID-DP

====Volumes====
* /vol/vol0
** Root volume.
* /vol/vol1music
** Music volume. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol1music/lun0 .
* /vol/vol2users
** Users volume. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol2users/lun0 .
* /vol/vol3backup
** Backup volume for videos. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol3backup/lun0 .

===Enabling iSCSI and Auth (one-time setup)===

Enable iSCSI and configure default authentication.

options iscsi.enable on
iscsi nodename iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
iscsi security default -s CHAP -p yoursecurepassword -n psilodump

where yoursecurepassword is more secure. For iSCSI hosts, the target will be on node iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca with username psilodump and password yoursecurepassword.

===Setting up a new disk aggregate, volume, and LUN===

1. Login to the NetApp. You'll either need access to the physical serial console or to ssh as root to psilodump's private IP (10.15.134.130). Credentials are stored in /users/sysadmin .

2. To get information on the available disks, run the command:
aggr status -r
This command will return three lists: Active aggregates with their assigned disks, spare disks, and disks managed by the partner. An aggregate is roughly equivalent to an LVM volume group: It is a collection of physical disks, possibly across multiple disk shelves and with various RAID levels applied, which may host one or more logical volumes.
Do not proceed if there are fewer than three spare disks of each type available. Refer to the NetApp documentation to add more disks or release disks from existing aggregates.

3. Choose a list of disks for your new aggregate. The available space will be approximately 2/3 of the total disk space.

4. Create the aggregate as follows:
aggr create aggrN -t raid_dp -d [disk-list]

where [disk-list] is a list of the form AA:BB CC:DD ... containing the identifiers for the disks you wish to use to create the aggregate.

5. Retrieve the aggregate information. You will need to know the available space for the next step.
aggr show_space aggrN

6. Create a volume in the aggregate:
vol create volNfoo -s volume aggrN XXXK

where XXX is the total available space in aggrN. You may need to choose a smaller number due to hidden size constraints and rounding. If you can't seem to find the right size, pick one much smaller, and then use the command

vol size volNfoo +XXX

to grow the volume. This command will tell you how much available space remains, unlike `vol create`, so you don't need to keep guessing.

7. Disable snapshotting and access time update. Neither will be needed for exporting an iSCSI LUN.
vol options volNfoo no_atime_update on
vol options volNfoo nosnap on
snap reserve volNfoo 0

8. Create a LUN on your volume:
lun create -s XXXK -t linux /vol/volNfoo/lun0

where XXXK is the amount of available space on the volume, as shown by the command df.

9. Create an iSCSI initiator group and add all of your hosts to it:
igroup create -i -t linux volNfoo_group
igroup add volNfoo_group iqn.1993-08.org.debian:01:123456789
igroup add volNfoo_group iqn.1993-08.org.debian:01:981287231
...

The node identifiers given to the igroup add command will soon be able to access the iSCSI LUN you created above.

10. Map the LUN to the iSCSI initiator group:
lun map /vol/volNfoo/lun0 volNfoo_group

You're done! Any host in the initiator group should now be able to access the LUN you've created as a block device.

===Expanding an aggregate, volume, and LUN===

1. Start by getting the aggregate's status, e.g.

psilodump> '''aggr status -r aggr3'''
Aggregate aggr3 (online, raid_dp) (block checksums)
Plex /aggr3/plex0 (online, normal, active)
RAID group /aggr3/plex0/rg0 (normal)

RAID Disk Device HA SHELF BAY CHAN Pool Type RPM Used (MB/blks) Phys (MB/blks)
--------- ------ ------------- ---- ---- ---- ----- -------------- --------------
dparity 0c.32 0c 2 0 FC:B - FCAL 10000 136000/278528000 139072/284820800
parity 0c.33 0c 2 1 FC:B - FCAL 10000 136000/278528000 139072/284820800
data 0a.34 0a 2 2 FC:A - FCAL 10000 136000/278528000 139072/284820800
...

2. Now determine the available spare disks:
psilodump> '''aggr status -s'''

Spare disks

RAID Disk Device HA SHELF BAY CHAN Pool Type RPM Used (MB/blks) Phys (MB/blks)
--------- ------ ------------- ---- ---- ---- ----- -------------- --------------
Spare disks for block or zoned checksum traditional volumes or aggregates
spare 0a.41 0a 2 9 FC:A - FCAL 10000 136000/278528000 137104/280790184
spare 0c.38 0c 2 6 FC:B - FCAL 10000 136000/278528000 137104/280790184
spare 0c.37 0c 2 5 FC:B - FCAL 10000 136000/278528000 137422/281442144
...

3. Select disks by device number and add them to the aggregate, using the following command. (Use the -n flag if you want to test your command syntax with a dry run.)

psilodump> '''aggr add aggr3 -g rg0 -d 0a.39 0a.44 0c.40 0c.45'''
Addition of 4 disks to the aggregate has completed.
Wed Dec 16 19:55:09 EST [psilodump: raid.vol.disk.add.done:notice]: Addition of Disk /aggr3/plex0/rg0/0c.45 Shelf 2 Bay 13 [NETAPP X274_HJURE146F10 NA14] S/N [404W6272] to aggregate aggr3 has completed successfully
...

4. Now fight with `vol size` to resize the volume:

psilodump> '''df -A aggr3'''
Aggregate kbytes used avail capacity
aggr3 833369408 357122492 476246916 43%
psilodump> '''vol size vol3backup +476246000k'''
vol size: Insufficient space to grow this volume with its guarantee enabled; maximum growth is +473602692k.
psilodump> '''vol size vol3backup +473602692k'''
vol size: Flexible volume 'vol3backup' size set to 828725892k.

5. Last, fight with `lun resize` to increase the lun size:

psilodump> '''lun resize /vol/vol3backup/lun0 +473602692k'''
lun resize: No space left on device
lun resize: max size: 788g (846844657664)
psilodump> '''lun resize /vol/vol3backup/lun0 846844657664'''

==Host Configuration==

===aspartame Configuration===
Install open-iscsi:
apt-get install open-scsi

Edit /etc/iscsi/iscsid.conf:
node.startup = manual
discovery.sendtargets.auth.authmethod=CHAP
discovery.sendtargets.auth.username=username
discovery.sendtargets.auth.password=password
node.session.auth.authmethod=CHAP
node.session.auth.username=username
node.session.auth.password=password

Start open-iscsi service:
service open-iscsi start

Scan for iSCSI devices from the NetApp:
iscsiadm --mode discovery --type st --portal psilodump

This should dump out a ton of information, for example:
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2001 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2002 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,1000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
10.15.134.131:3260,2002 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
129.97.134.131:3260,2001 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
10.15.134.130:3260,2000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
129.97.134.130:3260,1000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca

The .130 IPs correspond to one filer, and the .131 IPs correspond to the other filer. Currently we are only using one of the filers (psilodump).

This also populates the /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca directory with all possible ways to access the NetApp. For testing purposes (i.e. node.startup = manual), this is okay.

Test to see if you can get the iSCSI device to show up correctly:
iscsiadm --mode node --targetname "iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca" --portal 10.15.134.130:3260 --login

This should produce output similar to:
Logging in to [iface: default, target: iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca, portal: 10.15.134.130,3260]
Login to [iface: default, target: iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca, portal: 10.15.134.130,3260]: successful

Check /dev/disk/by-path/ip* to ensure new disks show up:
# ls -l /dev/disk/by-path/ip*
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-0 -> ../../sda
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-0-part1 -> ../../sda1
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-1 -> ../../sdb
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-1-part1 -> ../../sdb1

If this fails, check all your configuration again.

If this succeeds, you are now ready to try autoconnecting the iSCSI device.

Delete all extraneous entries from /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca . This prevents the startup script from (a) hanging, and (b) being very upset. All that is left should be the interface you intend to connect through:
# ls -l /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca/
10.15.134.130,3260,2000

Edit /etc/iscsi/iscsid.conf:
node.startup = automatic

For the init.d script to work correctly (i.e. properly mount things) we need to add a sleep to allow the device to settle:
Edit /etc/init.d/open-iscsi roughly around line 127 to add a "sleep 1":
...
# Now let's mount
sleep 1
log_daemon_msg "Mounting network filesystems"
MOUNT_RESULT=1
if mount -a -O _netdev >/dev/null 2>&1; then
MOUNT_RESULT=0
break
fi
log_end_msg $MOUNT_RESULT
...

Now we can restart the service:
service open-iscsi restart

Now you can configure partitions and mountpoints.

===Exporting Kerberized NFS from Debian Sid===

The default kernel in Debian sid (stable, 2.6.32) does not support the necessary crypto suites to export kerberized NFS to newer kernels. You MUST upgrade the kernel, nfs-common, and nfs-kernel-server packages to AT LEAST squeeze-backports.

===iSCSI block device mount optimizations===

tmyklebu made some changes to /sys/block/sda/queue. The following is now in /etc/rc.local on aspartame:

echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 32768 > /sys/block/sda/queue/max_sectors_kb
echo 4096 > /sys/block/sda/queue/nr_requests
echo noop > /sys/block/sda/queue/scheduler

We should increase the iSCSI configs node.session.queue_depth and node.session.cmds_max during next maintenance window.

===Transferring old files from ginseng===

====Method A====

* On ginseng, use parted to set up the mounted iscsi drive as an ext4 primary partition (setting up a partition of size >2TB requires care and a GPT)
* Compiled star in /root on ginseng
* Transferred files with the following Makefile (assuming original user directories in /export/users, destination volume in /mnt/iscsi, make -j8):
foo := $(wildcard /export/users/*)
bar := $(patsubst /export/users/%,/mnt/iscsi/%,$(foo))
all: $(bar)
/mnt/iscsi/%: /export/users/%
# echo $@ $<
~/star-1.5.2/star/OBJ/x86_64-linux-cc/star \
-copy -p -acl artype=exustar \
-C /export/users $(notdir $<) /mnt/iscsi

====Method B====

* On ginseng, authenticate with iSCSI target (psilodump.csclub.uwaterloo.ca lun0).
* Umount /dev/mapper/vg0-users
* Copy users filesystem directly to iSCSI target:
dd if=/dev/mapper/vg0-users of=/path/to/psilodump:lun0 bs=8M
* Resize users filesystem on destination partition to fit:
resize2fs /path/to/psilodump:lun0

NetApp

2015-12-17T02:09:57Z

Ehashman: Major updates to the page; re-ordered it for ease of navigation

As of Fall 2013, the CSC has a NetApp FAS3000 series which is capable of hosting network shares. It was donated to us by CSCF. It is also pretty old. Like, Pentium IV old.

==Documentation==
All the manuals are hosted in ~sysadmin/netapp-docs/

Relevant docs for storage modification are: smg.pdf, sysadmin.pdf

iSCSI documentation is in ontop/bsag.pdf

==Background==
While the NetApp supports both NFS and CIFS, neither of these export options provide the versatility nor the options we desire of a network fileshare (for instance, no device authentication is supported). Instead, we have configured the NetApp to export iSCSI block devices to be mounted on aspartame. Therefore, aspartame now replaces ginseng as the primary CSC fileserver.

===Terminology===
* '''Filer:''' the controller unit for the NetApp. Currently psilodump.
* '''Disk shelf:''' where the physical disks live. Can be plugged into a filer or directly into another machine.
* '''RAID:''' "Redundant Array of Independent Disks", used to improve reliability and protect against disk failures.
* '''RAID-DP:''' "Double Parity" RAID, similar to RAID6. It uses two parity disks and can survive up to two disk failures before degradation.
* '''aggr:''' An aggregate of disks. This is a list of physical disks, similar to selecting the physical devices used for LVM.
* '''vol:''' A volume consisting of some space on an aggregate. In general, we use the whole aggregate for a volume. RAID level is set at the volume. Similar to an LVM volume group.
* '''lun:''' "Logical Unit Number" The LUN is a device addressed by the SCSI protocol, and looks like a disk to the user. We usually use the whole volume for a single LUN. This is similar to an LVM logical volume.

===Common Commands===
aggr status -r aggr_name
Shows aggregate status
disk show -v
Shows disks, and which filer they are owned by (currently all by psilodump)
storage
storage related things
disk assign
Assigns orphaned disks to a filer
vol
Volume stuffs

==NetApp Configuration==
Should aspartame get totally hosed, or stability is long enough such that all sysadmin folk at the time have graduated, here is how to access, configure, and complete set up iSCSI on the NetApp+aspartame.

===Access===
Configuration mechanisms are accessible via SSH or serial interface, but through aspartame only, which the machine is directly plugged into. The NetApp is not visible on 134net at all.

The private IP is 10.15.134.130, only available from aspartame on the interface with IP 10.15.134.1. You may have to remove the default route from the routing table in order to successfully contact the machine with ssh.

===Disk information===
* shelf 1
** 14x136GB 10,000RPM FibreChannel disks
** Currently disconnected, could be connected to psilodump or directly to another machine.
* shelf 2
** 14x136GB 10,000RPM FibreChannel disks
** Currently assigned to psilodump
* shelf 3
** 14x500GB 7,200RPM ATA disks
** Currently assigned to psilodump
* shelf 4
** 14x500GB 7,200RPM ATA disks
** Currently assigned to psilodump

====Aggregates====
* aggr0
** Root aggregate volume, in RAID-DP
* aggr1
** Music aggregate volume, in RAID-DP
* aggr2
** Users aggregate volume, in RAID-DP
* aggr3
** Backups volume for CSC videos, in RAID-DP

====Volumes====
* /vol/vol0
** Root volume.
* /vol/vol1music
** Music volume. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol1music/lun0 .
* /vol/vol2users
** Users volume. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol2users/lun0 .
* /vol/vol3backup
** Backup volume for videos. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol3backup/lun0 .

===Enabling iSCSI and Auth (one-time setup)===

Enable iSCSI and configure default authentication.

options iscsi.enable on
iscsi nodename iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
iscsi security default -s CHAP -p yoursecurepassword -n psilodump

where yoursecurepassword is more secure. For iSCSI hosts, the target will be on node iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca with username psilodump and password yoursecurepassword.

===Setting up a new disk aggregate, volume, and LUN===

1. Login to the NetApp. You'll either need access to the physical serial console or to ssh as root to psilodump's private IP (10.15.134.130). Credentials are stored in /users/sysadmin .

2. To get information on the available disks, run the command:
aggr status -r
This command will return three lists: Active aggregates with their assigned disks, spare disks, and disks managed by the partner. An aggregate is roughly equivalent to an LVM volume group: It is a collection of physical disks, possibly across multiple disk shelves and with various RAID levels applied, which may host one or more logical volumes.
Do not proceed if there are fewer than three spare disks of each type available. Refer to the NetApp documentation to add more disks or release disks from existing aggregates.

3. Choose a list of disks for your new aggregate. The available space will be approximately 2/3 of the total disk space.

4. Create the aggregate as follows:
aggr create aggrN -t raid_dp -d [disk-list]

where [disk-list] is a list of the form AA:BB CC:DD ... containing the identifiers for the disks you wish to use to create the aggregate.

5. Retrieve the aggregate information. You will need to know the available space for the next step.
aggr show_space aggrN

6. Create a volume in the aggregate:
vol create volNfoo -s volume aggrN XXXK

where XXX is the total available space in aggrN. You may need to choose a smaller number due to hidden size constraints and rounding. If you can't seem to find the right size, pick one much smaller, and then use the command

vol size volNfoo +XXX

to grow the volume. This command will tell you how much available space remains, unlike `vol create`, so you don't need to keep guessing.

7. Disable snapshotting and access time update. Neither will be needed for exporting an iSCSI LUN.
vol options volNfoo no_atime_update on
vol options volNfoo nosnap on
snap reserve volNfoo 0

8. Create a LUN on your volume:
lun create -s XXXK -t linux /vol/volNfoo/lun0

where XXXK is the amount of available space on the volume, as shown by the command df.

9. Create an iSCSI initiator group and add all of your hosts to it:
igroup create -i -t linux volNfoo_group
igroup add volNfoo_group iqn.1993-08.org.debian:01:123456789
igroup add volNfoo_group iqn.1993-08.org.debian:01:981287231
...

The node identifiers given to the igroup add command will soon be able to access the iSCSI LUN you created above.

10. Map the LUN to the iSCSI initiator group:
lun map /vol/volNfoo/lun0 volNfoo_group

You're done! Any host in the initiator group should now be able to access the LUN you've created as a block device.

==Host Configuration==

===aspartame Configuration===
Install open-iscsi:
apt-get install open-scsi

Edit /etc/iscsi/iscsid.conf:
node.startup = manual
discovery.sendtargets.auth.authmethod=CHAP
discovery.sendtargets.auth.username=username
discovery.sendtargets.auth.password=password
node.session.auth.authmethod=CHAP
node.session.auth.username=username
node.session.auth.password=password

Start open-iscsi service:
service open-iscsi start

Scan for iSCSI devices from the NetApp:
iscsiadm --mode discovery --type st --portal psilodump

This should dump out a ton of information, for example:
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2001 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2002 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,1000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
10.15.134.131:3260,2002 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
129.97.134.131:3260,2001 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
10.15.134.130:3260,2000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
129.97.134.130:3260,1000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca

The .130 IPs correspond to one filer, and the .131 IPs correspond to the other filer. Currently we are only using one of the filers (psilodump).

This also populates the /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca directory with all possible ways to access the NetApp. For testing purposes (i.e. node.startup = manual), this is okay.

Test to see if you can get the iSCSI device to show up correctly:
iscsiadm --mode node --targetname "iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca" --portal 10.15.134.130:3260 --login

This should produce output similar to:
Logging in to [iface: default, target: iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca, portal: 10.15.134.130,3260]
Login to [iface: default, target: iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca, portal: 10.15.134.130,3260]: successful

Check /dev/disk/by-path/ip* to ensure new disks show up:
# ls -l /dev/disk/by-path/ip*
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-0 -> ../../sda
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-0-part1 -> ../../sda1
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-1 -> ../../sdb
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-1-part1 -> ../../sdb1

If this fails, check all your configuration again.

If this succeeds, you are now ready to try autoconnecting the iSCSI device.

Delete all extraneous entries from /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca . This prevents the startup script from (a) hanging, and (b) being very upset. All that is left should be the interface you intend to connect through:
# ls -l /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca/
10.15.134.130,3260,2000

Edit /etc/iscsi/iscsid.conf:
node.startup = automatic

For the init.d script to work correctly (i.e. properly mount things) we need to add a sleep to allow the device to settle:
Edit /etc/init.d/open-iscsi roughly around line 127 to add a "sleep 1":
...
# Now let's mount
sleep 1
log_daemon_msg "Mounting network filesystems"
MOUNT_RESULT=1
if mount -a -O _netdev >/dev/null 2>&1; then
MOUNT_RESULT=0
break
fi
log_end_msg $MOUNT_RESULT
...

Now we can restart the service:
service open-iscsi restart

Now you can configure partitions and mountpoints.

===Exporting Kerberized NFS from Debian Sid===

The default kernel in Debian sid (stable, 2.6.32) does not support the necessary crypto suites to export kerberized NFS to newer kernels. You MUST upgrade the kernel, nfs-common, and nfs-kernel-server packages to AT LEAST squeeze-backports.

===iSCSI block device mount optimizations===

tmyklebu made some changes to /sys/block/sda/queue. The following is now in /etc/rc.local on aspartame:

echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 32768 > /sys/block/sda/queue/max_sectors_kb
echo 4096 > /sys/block/sda/queue/nr_requests
echo noop > /sys/block/sda/queue/scheduler

We should increase the iSCSI configs node.session.queue_depth and node.session.cmds_max during next maintenance window.

===Transferring old files from ginseng===

====Method A====

* On ginseng, use parted to set up the mounted iscsi drive as an ext4 primary partition (setting up a partition of size >2TB requires care and a GPT)
* Compiled star in /root on ginseng
* Transferred files with the following Makefile (assuming original user directories in /export/users, destination volume in /mnt/iscsi, make -j8):
foo := $(wildcard /export/users/*)
bar := $(patsubst /export/users/%,/mnt/iscsi/%,$(foo))
all: $(bar)
/mnt/iscsi/%: /export/users/%
# echo $@ $<
~/star-1.5.2/star/OBJ/x86_64-linux-cc/star \
-copy -p -acl artype=exustar \
-C /export/users $(notdir $<) /mnt/iscsi

====Method B====

* On ginseng, authenticate with iSCSI target (psilodump.csclub.uwaterloo.ca lun0).
* Umount /dev/mapper/vg0-users
* Copy users filesystem directly to iSCSI target:
dd if=/dev/mapper/vg0-users of=/path/to/psilodump:lun0 bs=8M
* Resize users filesystem on destination partition to fit:
resize2fs /path/to/psilodump:lun0

NetApp

2015-12-17T01:49:58Z

Ehashman: /* Disk information */

As of 2013, the CSC has a NetApp FAS3000 series which is capable of hosting network shares. It was donated to us by CSCF. It is also pretty old.

==Documentation==
All the manuals are hosted in ~sysadmin/netapp-docs/

Relevant docs for storage modification are: smg.pdf, sysadmin.pdf

iSCSI documentation is in ontop/bsag.pdf

==Background==
While the NetApp supports both NFS and CIFS, neither of these export options provide the versatility nor the options we desire of a network fileshare. Instead, we have configured the NetApp to export iSCSI block devices to be mounted on aspartame. Therefore, aspartame now replaces ginseng as being the primary fileserver in CSC.

==Access==
Configuration mechanisms are accessible either via SSH or serial interface, but through aspartame only. The NetApp is not visible on 134net at all.

The private IP is 10.15.134.130, only available from aspartame on the interface with IP 10.15.134.1. You may have to remove the default route from the routing table in order to successfully contact the machine with ssh.

==Configuration==
Should aspartame get totally hosed, or stability is long enough such that all sysadmin folk at the time have graduated, here is how to set up iSCSI on the NetApp+aspartame.

===NetApp Configuration===

This section describes how to create a volume on the NetApp and export it as an iSCSI target. For further NetApp configuration instructions, refer to the NetApp documentation.

====One-time Configuration====

Enable iSCSI and configure default authentication.

options iscsi.enable on
iscsi nodename iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
iscsi security default -s CHAP -p yoursecurepassword -n psilodump

where yoursecurepassword is more secure. For iSCSI hosts, the target will be on node iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca with username psilodump and password yoursecurepassword.

====Setting up a new disk aggregate, volume, and LUN====

1. Login to the NetApp. You'll either need access to the physical serial console or to ssh as root to psilodump's private IP (10.15.134.130). Credentials are stored in /users/sysadmin .

2. To get information on the available disks, run the command:
aggr status -r
This command will return three lists: Active aggregates with their assigned disks, spare disks, and disks managed by the partner. An aggregate is roughly equivalent to an LVM volume group: It is a collection of physical disks, possibly across multiple disk shelves and with various RAID levels applied, which may host one or more logical volumes.
Do not proceed if there are fewer than three spare disks of each type available. Refer to the NetApp documentation to add more disks or release disks from existing aggregates.

3. Choose a list of disks for your new aggregate. The available space will be approximately 2/3 of the total disk space.

4. Create the aggregate as follows:
aggr create aggrN -t raid_dp -d [disk-list]

where [disk-list] is a list of the form AA:BB CC:DD ... containing the identifiers for the disks you wish to use to create the aggregate.

5. Retrieve the aggregate information. You will need to know the available space for the next step.
aggr show_space aggrN

6. Create a volume in the aggregate:
vol create volNfoo -s volume aggrN XXXK

where XXX is the total available space in aggrN. You may need to choose a smaller number due to hidden size constraints and rounding. If you can't seem to find the right size, pick one much smaller, and then use the command

vol size volNfoo +XXX

to grow the volume. This command will tell you how much available space remains, unlike `vol create`, so you don't need to keep guessing.

7. Disable snapshotting and access time update. Neither will be needed for exporting an iSCSI LUN.
vol options volNfoo no_atime_update on
vol options volNfoo nosnap on
snap reserve volNfoo 0

8. Create a LUN on your volume:
lun create -s XXXK -t linux /vol/volNfoo/lun0

where XXXK is the amount of available space on the volume, as shown by the command df.

9. Create an iSCSI initiator group and add all of your hosts to it:
igroup create -i -t linux volNfoo_group
igroup add volNfoo_group iqn.1993-08.org.debian:01:123456789
igroup add volNfoo_group iqn.1993-08.org.debian:01:981287231
...

The node identifiers given to the igroup add command will soon be able to access the iSCSI LUN you created above.

10. Map the LUN to the iSCSI initiator group:
lun map /vol/volNfoo/lun0 volNfoo_group

You're done! Any host in the initiator group should now be able to access the LUN you've created as a block device.

===aspartame Configuration===
Install open-iscsi:
apt-get install open-scsi

Edit /etc/iscsi/iscsid.conf:
node.startup = manual
discovery.sendtargets.auth.authmethod=CHAP
discovery.sendtargets.auth.username=username
discovery.sendtargets.auth.password=password
node.session.auth.authmethod=CHAP
node.session.auth.username=username
node.session.auth.password=password

Start open-iscsi service:
service open-iscsi start

Scan for iSCSI devices from the NetApp:
iscsiadm --mode discovery --type st --portal psilodump

This should dump out a ton of information, for example:
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2001 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2002 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,1000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
10.15.134.131:3260,2002 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
129.97.134.131:3260,2001 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
10.15.134.130:3260,2000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
129.97.134.130:3260,1000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca

The .130 IPs correspond to one filer, and the .131 IPs correspond to the other filer. Currently we are only using one of the filers (psilodump).

This also populates the /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca directory with all possible ways to access the NetApp. For testing purposes (i.e. node.startup = manual), this is okay.

Test to see if you can get the iSCSI device to show up correctly:
iscsiadm --mode node --targetname "iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca" --portal 10.15.134.130:3260 --login

This should produce output similar to:
Logging in to [iface: default, target: iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca, portal: 10.15.134.130,3260]
Login to [iface: default, target: iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca, portal: 10.15.134.130,3260]: successful

Check /dev/disk/by-path/ip* to ensure new disks show up:
# ls -l /dev/disk/by-path/ip*
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-0 -> ../../sda
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-0-part1 -> ../../sda1
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-1 -> ../../sdb
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-1-part1 -> ../../sdb1

If this fails, check all your configuration again.

If this succeeds, you are now ready to try autoconnecting the iSCSI device.

Delete all extraneous entries from /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca . This prevents the startup script from (a) hanging, and (b) being very upset. All that is left should be the interface you intend to connect through:
# ls -l /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca/
10.15.134.130,3260,2000

Edit /etc/iscsi/iscsid.conf:
node.startup = automatic

For the init.d script to work correctly (i.e. properly mount things) we need to add a sleep to allow the device to settle:
Edit /etc/init.d/open-iscsi roughly around line 127 to add a "sleep 1":
...
# Now let's mount
sleep 1
log_daemon_msg "Mounting network filesystems"
MOUNT_RESULT=1
if mount -a -O _netdev >/dev/null 2>&1; then
MOUNT_RESULT=0
break
fi
log_end_msg $MOUNT_RESULT
...

Now we can restart the service:
service open-iscsi restart

Now you can configure partitions and mountpoints.

==Other notes==

===Transferring old files from ginseng===

====Method A====

* On ginseng, use parted to set up the mounted iscsi drive as an ext4 primary partition (setting up a partition of size >2TB requires care and a GPT)
* Compiled star in /root on ginseng
* Transferred files with the following Makefile (assuming original user directories in /export/users, destination volume in /mnt/iscsi, make -j8):
foo := $(wildcard /export/users/*)
bar := $(patsubst /export/users/%,/mnt/iscsi/%,$(foo))
all: $(bar)
/mnt/iscsi/%: /export/users/%
# echo $@ $<
~/star-1.5.2/star/OBJ/x86_64-linux-cc/star \
-copy -p -acl artype=exustar \
-C /export/users $(notdir $<) /mnt/iscsi

====Method B====

* On ginseng, authenticate with iSCSI target (psilodump.csclub.uwaterloo.ca lun0).
* Umount /dev/mapper/vg0-users
* Copy users filesystem directly to iSCSI target:
dd if=/dev/mapper/vg0-users of=/path/to/psilodump:lun0 bs=8M
* Resize users filesystem on destination partition to fit:
resize2fs /path/to/psilodump:lun0

===Exporting Kerberized NFS from Debian Sid===

The default kernel in Debian sid (stable, 2.6.32) does not support the necessary crypto suites to export kerberized NFS to newer kernels. You MUST upgrade the kernel, nfs-common, and nfs-kernel-server packages to AT LEAST squeeze-backports.

===iSCSI block device mount optimizations===

tmyklebu made some changes to /sys/block/sda/queue. The following is now in /etc/rc.local on aspartame:

echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 32768 > /sys/block/sda/queue/max_sectors_kb
echo 4096 > /sys/block/sda/queue/nr_requests
echo noop > /sys/block/sda/queue/scheduler

We should increase the iSCSI configs node.session.queue_depth and node.session.cmds_max during next maintenance window.

==Disk information==
* shelf 1
** 14x136GB 10,000RPM FibreChannel disks
** Currently disconnected, could be connected to psilodump or directly to another machine.
* shelf 2
** 14x136GB 10,000RPM FibreChannel disks
** Currently assigned to psilodump
* shelf 3
** 14x500GB 7,200RPM ATA disks
** Currently assigned to psilodump
* shelf 4
** 14x500GB 7,200RPM ATA disks
** Currently assigned to psilodump

===Aggregates===
* aggr0
** Root aggregate volume, in RAID-DP
* aggr1
** Music aggregate volume, in RAID-DP
* aggr2
** Users aggregate volume, in RAID-DP
* aggr3
** Backups volume for CSC videos, in RAID-DP

===Volumes===
* /vol/vol0
** Root volume.
* /vol/vol1music
** Music volume. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol1music/lun0 .
* /vol/vol2users
** Users volume. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol2users/lun0 .
* /vol/vol3backup
** Backup volume for videos. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol3backup/lun0 .

==Commands==
aggr status -r aggr<num>
Shows aggregate status
disk show -v
Shows disks, and which filer they are owned by (currently all by psilodump)
storage
storage related things
disk assign
Assigns orphaned disks to a filer
vol
Volume stuffs

==Terminology==
* RAID-DP - Double Parity RAID4

Serial Connections

2015-10-26T19:20:38Z

Ehashman: /* MC 3015 */ Update console table and remove binaerpilot/ascorbic-acid

This article documents the physical serial ports on each machine and the connections between them. These connections are used for console access using [[Conserver]].

==== MC 3015 ====

Local machine | Local TTY | Remote machine | Remote TTY | Baud rate
-------------------+------------+---------------------+------------+----------
corn-syrup ttyS1 LOM <- corn-syrup-ipmi - 57600
mirror ttyS1 LOM <- sodium-benzoate-ipmi - 57600
taurine ttyS1 LOM <- taurine-ilo - 115200
glomag ttyS0 LOM <- glomag-ipmi - 115200
goto80 ttyS0 <- corn-syrup N/A 115200
goto80 ttyS1 <- corn-syrup N/A 115200
goto80 power <- corn-syrup N/A 115200
potassium-citrate ttyS0 <- corn-syrup:ttyUSB2 hub3 115200
aspartame ttyS0 <- corn-syrup:ttyUSB4 hub5 115200
electrons - <- corn-syrup hub8 9600

The "hubN" ports are on the 8-port serial hub. To access, look in /dev/csc, or just use ttyUSB[N-1] directly.

== Machine Ports ==

Most machines either have no serial ports, or one [[Serial_Pin-outs#RS-232_over_DE-9|DE-9]] serial port. Details of other configurations are listed here. We do not have any modems (DCE), so all connections should be crossed (i.e., use null modem cables or compatible).

==== taurine ====

taurine has a virtual serial port that can be accessed via telnet or SSH

ttyS0 physical DE-9
ttyS1 virtual

==== ascorbic-acid ====

ascorbic-acid has two [[Serial_Pin-outs#RS-232_over_8P8C_.28Sun.29|Sun 8P8C]] serial ports stacked vertically, with the first port on top. The first port may be used to access LOM, and probably has to be set to 9600 baud.

A (ttyS0, LOM)
B (ttyS1)

These ports should be connected to another system's DE-9 using a DE-9<->8P8C modular adapter and an [[Serial_Pin-outs#Almost_Rollover_Cable|Almost Rollover]] or standard rollover.

==== potassium-citrate ====

potassium-citrate has two DE-9 serial ports side by side, with the second port on the left

101102 (ttyS1) 101101 (ttyS0)

==== sodium-citrate ====

sodium-citrate has two DE-9 serial ports side by side, with the second port on the left

ttyS1 ttyS0

==== dumbterm ====

dumbterm has one DB-25 serial port. It is currently connected to a black [[Serial_Pin-outs#Grey_DB-25_Female_to_8P8C_Adapter|nonstandard DB-25<->8P8C adapter]], to a [[Serial_Pin-outs#Dumbterm_Cable|special twisted pair cable]], to a [[Serial_Pin-outs#Black_DE-9_Female_to_8P8C_Adapter|nonstandard 8P8C<->DE-9 adapter]]. All of these pieces are labeled "dumbterm". The dumbterm cable is not symmetric; the end labeled "DE-9" must be plugged into the DE-9 adapter.

[[Category:Hardware]]

Syscom Todo

2015-09-04T20:14:47Z

Ehashman: /* When in the Machine Room */

These are things that syscom should do eventually:

==General==
* Prepare for `sodium-benzoate` upgrades/replacement.
** new-mirror has like 30 disk shelves so we can just do a live sync on the 2TB disks and then insert the 4TB ones
* Establish remote syslog
* Get UPS monitoring working across multiple systems
* `/users` backups
* Disaster recovery plan
* '''Put backup container for authentication onto cobalamin'''
* Get an IP/KVM for the machine room which doesn't suck?
* Sort through keyboards in the office
* Clean up wiki vandalism
* Fix debian.csclub, aka our personal Debian repo which serves the CEO package
** Fix ceo versioning, which seems to be different on every machine it's installed on...
* Fix audio auth: audio is both a system group and an LDAP group and this has bad consequences for audio authorization
* Centralized repo for various configs: NFS, PAM auth with kerb, /etc/hosts/, LDAP and Kerb5, routing/interfaces files
** LDAP login is currently broken on glomag, it is password with root only
** Private subnet routing is broken on every machine ''except'' corn-syrup (see 'ethcrazy')
* Update hosts list (10.15.134.WTF?)
* MySQL backups

== Wiki Updates ==

* Update the following wiki pages
** [[Backups]]
** [[Ceo]], also related to "debian.csclub is broken"
** somehow merge [[Conserver]]/[[Serial Connections]]/[[Console Configuration]]
** [[Cscbot]]
** [[DNS]]
** [[Hardware]]
** [[Machine List]]
** [[Mirror]]
** [[Music]] and possibly link to [[Pulseaudio]]
** [[MySQL]] mentions a-f replica
** [[NFS/Kerberos]] should probably by merged with an existing page
** [[NetApp]]
** [[Netboot]] (might want to merge with [[New CSC Machine]])
** [[OID Assignment]] and [[UID/GID Assignment]] should be merged with LDAP and replaced with a redirect
** Merge [[Point Of Sale]] and [[Point of Sale System]]
** [[Projects]]
** [[Scratch]]
** Merge [[Sun 2900]] and [[Sun 2900 Strategy Guide]]
** Add more info to [[Switches]]
** [[Virtualization]]
** [[Webcams]] needs a serious update
** [[Wireless]]

==When in the Machine Room==
* Set up binaerpilot.
* Set up rainbowdragoneyes
* Pick up paperclip to install a new OS
* Locate electrons
** Electrons, aka the giant power bar, is sitting somewhere *near* the rack. I can't remember why it was taken down. -ehashman
* Make sure that the IPMI/console connections are correct, up-to-date, and working.
* Fix psilodump's and aspartame's IPs and routing
** psilodump should not be routable outside aspartame. This is currently accomplished by fuckery. This *should* be fixed to use the net.ipv4.conf.all.arp_filter sysctl.
* Look into expanding /scratch and using RAID using spare disks in the office.

==Science Machine Room==
* Set up remote syslog2

Syscom Todo

2015-09-04T20:13:31Z

Ehashman: /* General */

These are things that syscom should do eventually:

==General==
* Prepare for `sodium-benzoate` upgrades/replacement.
** new-mirror has like 30 disk shelves so we can just do a live sync on the 2TB disks and then insert the 4TB ones
* Establish remote syslog
* Get UPS monitoring working across multiple systems
* `/users` backups
* Disaster recovery plan
* '''Put backup container for authentication onto cobalamin'''
* Get an IP/KVM for the machine room which doesn't suck?
* Sort through keyboards in the office
* Clean up wiki vandalism
* Fix debian.csclub, aka our personal Debian repo which serves the CEO package
** Fix ceo versioning, which seems to be different on every machine it's installed on...
* Fix audio auth: audio is both a system group and an LDAP group and this has bad consequences for audio authorization
* Centralized repo for various configs: NFS, PAM auth with kerb, /etc/hosts/, LDAP and Kerb5, routing/interfaces files
** LDAP login is currently broken on glomag, it is password with root only
** Private subnet routing is broken on every machine ''except'' corn-syrup (see 'ethcrazy')
* Update hosts list (10.15.134.WTF?)
* MySQL backups

== Wiki Updates ==

* Update the following wiki pages
** [[Backups]]
** [[Ceo]], also related to "debian.csclub is broken"
** somehow merge [[Conserver]]/[[Serial Connections]]/[[Console Configuration]]
** [[Cscbot]]
** [[DNS]]
** [[Hardware]]
** [[Machine List]]
** [[Mirror]]
** [[Music]] and possibly link to [[Pulseaudio]]
** [[MySQL]] mentions a-f replica
** [[NFS/Kerberos]] should probably by merged with an existing page
** [[NetApp]]
** [[Netboot]] (might want to merge with [[New CSC Machine]])
** [[OID Assignment]] and [[UID/GID Assignment]] should be merged with LDAP and replaced with a redirect
** Merge [[Point Of Sale]] and [[Point of Sale System]]
** [[Projects]]
** [[Scratch]]
** Merge [[Sun 2900]] and [[Sun 2900 Strategy Guide]]
** Add more info to [[Switches]]
** [[Virtualization]]
** [[Webcams]] needs a serious update
** [[Wireless]]

==When in the Machine Room==
* Set up binaerpilot.
* Set up rainbowdragoneyes
* Pick up paperclip to install a new OS
* Locate electrons?
* Make sure that the IPMI/console connections are correct, up-to-date, and working.
* Fix psilodump's and aspartame's IPs and routing
** psilodump should not be routable outside aspartame. This is currently accomplished by fuckery. This *should* be fixed to use the net.ipv4.conf.all.arp_filter sysctl.
* Look into expanding /scratch and using RAID using spare disks in the office.

==Science Machine Room==
* Set up remote syslog2

Web Hosting

2015-09-04T20:09:18Z

Ehashman: /* What can I host on my website? */

The CSC offers web hosting for [[Club Hosting|clubs]] and [http://csclub.uwaterloo.ca/about/ our members] in accordance with our [http://csclub.uwaterloo.ca/services/machine_usage Machine Usage Agreement]. This is a quick guide for the kinds of hosting we offer on our webserver, <tt>csclub.uwaterloo.ca</tt>, also known as [[Machine List#caffeine|caffeine]].

We run an Apache httpd webserver and we offer you the use of a [[MySQL|MySQL database]].

== What can I host on my website? ==

Web hosting is provided in accordance with the CSC [http://csclub.uwaterloo.ca/services/machine_usage Machine Usage Agreement]. As a reminder, you are '''not permitted''' to host any of the following:

* '''Ads.''' Advertisements are not permitted because using our machines for commercial purposes is forbidden by university policy.
* '''Your start-up's website.''' Again, commercial use of our hosting is not permitted.
* '''Unauthorized copyrighted materials.''' Violating the law is a violation of our Machine Usage Agreement.

Please note that '''this is not an exhaustive list. Websites may be taken down ''without notice''''' at the discretion of the Systems Committee. (We will always let you know that we took your site down, but if it is breaking our shared environment, we can't provide an advance warning.)

Some great examples of things members host on our webserver:

* Academic projects!
* A personal website or blog!
* [[Club Hosting|Club websites!]]

== DNS and Your Domain Name ==

You can serve files without any additional configuration by placing them in your <tt>www</tt> directory and accessing them at <tt>http://csclub.uwaterloo.ca/~userid</tt>, where <tt>userid</tt> is your CSC user ID. However, many of our members and clubs prefer to use a custom domain name.

=== uwaterloo.ca domain Names ===

If you represent a UWaterloo organization, you may be eligible for a custom <tt>uwaterloo.ca</tt> domain name, such as <tt>csclub.uwaterloo.ca</tt>. We can request this on your behalf.

In order to do so, we must have verified that the organization is a legitimate UWaterloo-affiliated group, and that you, the representative, are authorized to request a domain name on their behalf. This all takes place when you request [[Club Hosting|club hosting]] with the Computer Science Club.

Once you register as a club representative of your particular organization, you can send an email from your official club account to syscom@csclub.uwaterloo.ca to request the domain <tt>yourdomain.uwaterloo.ca</tt>. Assuming it is available, we will file a ticket and request the domain in your name.

=== Your personal domain name ===

These virtual hosts must be approved by the Executive and Systems Committee. If interested, send syscom@csclub.uwaterloo.ca an email. If your request is approved, the Systems Committee will direct you to create a CNAME record for your domain and point it at <tt>csclub.uwaterloo.ca</tt>.

== Static Sites ==

You can place all your static content into your web directory, <tt>/users/userid/www</tt>.

If you have been approved for a virtual host, you can access this content using your personal domain once the Systems Committee makes the appropriate configuration changes. Here is an example configuration file:

<VirtualHost *:80>
ServerName foobar.uwaterloo.ca
ServerAlias *.foobar.uwaterloo.ca foobar
ServerAdmin your@email.here.tld

DocumentRoot /users/userid/www/

ErrorLog /var/log/apache2/luser-userid-error.log
CustomLog /var/log/apache2/luser-userid-access.log combined
</VirtualHost>

== Dynamic Sites ==

If you require use of a database, we offer you the sole choice of MySQL. See [[MySQL|this guide]] for how to create your database and connect to MySQL.

=== ***NOTICE*** ===

We '''STRONGLY''' discourage the use of content management systems such as
WordPress. These packages are notorious for the number of security
vulnerabilities they contain and pose a threat to our systems if they are not
kept up to date. The Systems Committee '''WILL,''' at its discretion, disable
any website using a package such as WordPress that is not updated to the latest
version or that is found to contain exploitable security flaws. In such a case,
the member or club serving that site will be notified of the termination; the
site will not be re-enabled until the issues are addressed.

=== Using PHP ===

Because we use Apache, it's as simple as placing your <tt>index.php</tt> file in your <tt>/users/userid/www</tt>. That's it!

You can even include rewrite rules in an <tt>.htaccess</tt> file in your web directory.

=== Using FCGI ===

We support the use of <tt>mod_fcgid</tt>, which runs all of our PHP applications and more. If you've set up your PHP application as above, it is very unlikely this will need further configuration. However, we can and may tweak <tt>Fcgid*</tt> directives to ensure optimal performance of our hosting across websites.

=== Using WSGI ===

We newly support <tt>mod_wsgi</tt> for dynamic frameworks you may not want to run through FCGI, such as Django. If you'd like to set up one of these sites, you'll need Systems Committee approval and assistance with the configuration. You will be responsible for setting up the site in your home directory and all the associated WSGI scripts.

Here is a sample configuration file for a Django site:

<VirtualHost *:80>
ServerName foobar.uwaterloo.ca
ServerAlias *.foobar.uwaterloo.ca foobar
ServerAdmin your@email.here.tld

ErrorLog /var/log/apache2/luser-userid-error.log
CustomLog /var/log/apache2/luser-userid-access.log combined

WSGIDaemonProcess process_name python-path=your/path/here/:possibly:/users/userid/site:/users/userid/.env/...
WSGIScriptAlias / /path/to/your/wsgi/script
WSGIProcessGroup process_name

Alias /robots.txt /path/if/necessary/robots.txt
Alias /favicon.ico /path/if/necessary/favicon.ico

<Directory /path/to/your/wsgi/script>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
</VirtualHost>

New Member Guide

2015-09-03T04:10:37Z

Ehashman: /* Web Hosting */ Remove tips and add link to guide

Hello, and welcome to the Computer Science Club! Thanks for joining. The office staff who signed you up should have told you about this stuff, but just as a refresher, here it is again.

== Office ==

* Our office is MC 3036/3037 (we occupy both rooms) and we're across the hall (but distinct from) the Mathsoc office.

* Our club doesn't have weekly meetings or anything like that. If the door is open, we are open (even if it's 3 in the morning on Sunday). Feel free to drop in and say hi!

* The office closes when the last office staff leaves the room, and the office opens when somebody with a key comes by. If you're interested in becoming office staff, look out for the termly office staff training event or ask around the office.

* We have staplers by the door farthest from Mathsoc. Even if you're not a member, you're allowed to use them. You don't even have to ask (and in fact, we'd prefer if you didn't. Office regulars spend a good amount of time telling people that yes, they can use the staplers).

* We sell pop, chips, chocolate bars and other snacks. Prices are on the fridge door. Pay the red cup in the fridge.

== Events ==
We hold a different set of events every term, but the same types of events come up again and again. Watch out for emails about:
* Industry tech talks. In the past, we've gotten folks from various tech companies to talk about algorithms, database design decisions and other things.

* UNIX 10X tutorials. Don't know how to use the commandline? Come out and learn with us. Know how to use the commandline? Come out and help us answer questions.

* Member talks. Do you have a burning desire to talk about AVL trees? No? Well, if you want to talk about a computer sciencey topic that's close to your heart, send an email to exec at csclub.uwaterloo.ca with a talk abstract (a paragraph we can put on a poster to describe your talk) and we'll see if we can make something happen.

* Code parties. We eat food, talk and write code. Code parties happen several times a term.

== Machines ==
As a member of the club, you have access to our machines, both [[Machine_List#Servers|servers in the machine room down the hall]] and [[Machine_List#Office Terminals|desktops in our physical office]]. Keep in mind that your username is your quest userid (e.g. j7smith) and your password starts out as the one you set when you joined the club for the first time.

* As a member you must abide by the [https://csclub.uwaterloo.ca/services/machine_usage machine usage policy].

* Your files are accessible on all of our machines

* Keep in mind that the machines are shared among all of our members. Play nice. For example, <nowiki>caffeine</nowiki> is our web server. You are strongly advised not to run long, intensive jobs on it. Something like that is a better fit for <nowiki>hfcs</nowiki>, <nowiki>corn-syrup</nowiki> or even possibly <nowiki>taurine</nowiki>.

* use SSH for access to the machines in the server room.
** If you don't know how to use the commandline, you can wait for our approximately termly UNIX 101 event, google for "how to use the command line", or ask around the office.
** if you happen to be using Windows, you can use an SSH client such as PuTTY[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html].
** If you have a Mac or you run Linux, you already have the <nowiki>ssh</nowiki> command installed. If your userid is <nowiki>j7smith</nowiki> and you want to use <nowiki>taurine</nowiki>, just open up a terminal window and type the following. You will be asked for your CSC password.

ssh j7smith@taurine.csclub.uwaterloo.ca

* Our office terminals are turned off, rebooted and otherwise reset somewhat frequently.

* If you forget your password, come by the office with your watcard and some other form of ID. Regular office staff can't reset your password for you, but if there's someone on our Systems Committee hanging around, they can do this for you.

* If you would like to change your password, log on to any of our machines and type <nowiki>kpasswd</nowiki> in a terminal. You will be prompted for your old password and be asked to type in your new password twice (just to make sure you didn't make a typo).

* We have a MySQL daemon running, but only on our web server <nowiki>caffeine</nowiki>. Check out [[MySQL|this page]] if you would like a database.

* for technical questions (including package installation requests), send an email to our systems committee, syscom at csclub.uwaterloo.ca.

== Web Hosting ==
You get web space with your CSC membership. Your website is visible at [http://csclub.uwaterloo.ca/~j7smith] (where j7smith is replaced with your own userid, of course).

See [[Web Hosting]] for more information.

== IRC ==
We have an IRC (internet relay chat) channel. Come hang out with us in #csc on freenode. If you are unfamiliar with IRC, you may want to read [[How to IRC|this guide]].

== Mail ==
* see the [[Mail]] page.
* The CSC gets a lot of requests to distribute [[Industry Opportunities]] to our members. We have a special opt-in mailing list for the people that want to hear about such things.
* We have a low-volume general mailing list which we use to send out information about upcoming events.

== Library ==
There are books on the shelves lining the office. Feel free to drop by and read them.

Someone who knows more about the library checkout system than jy2wong should write something here.

Club Hosting

2015-09-03T04:09:39Z

Ehashman: Update formatting, link to Web hosting and MySQL pages

The Computer Science Club provides web hosting to other clubs free of charge. We host many club web sites and mailing lists. If you have a question about our hosting service, contact syscom@csclub.uwaterloo.ca or visit our office in MC 3036.

== Hosting Features ==

* 4 GB web space
* Scripting
** PHP (mod_fcgid)
** Perl (mod_fcgid)
** Python (mod_fcgid)
*** Django (mod_wsgi)
** Ruby (mod_fcgid)
* Databases
** [[MySQL]]

This is not an exhaustive list. Contact us if you want something not listed or installed.

== Getting Hosted ==

To get hosted, you need a '''club account''' and one '''user account''' for each person who will be updating the club's web site or other files.

=== Club Account ===

Each club we host has a "club account" that owns and stores club resources. You can request a club account via email or in person. The club account:

* Is named after the club, possibly abbreviated.
* Has a home directory named /users/clubname, where club files are stored.
* Is not permitted to log in. You must use your own user account to login.

The Systems Committee will create club accounts when sent a request from the club's email address to syscom@csclub.uwaterloo.ca. Verification of the club's university affiliation may be required, for instance by contacting the Federation of Students or the club's faculty advisor.

=== User Accounts ===

Each user who needs access to the club account must have his/her own user account on our machines. There are two ways to get an account:

* Become a member of the Computer Science Club. Membership is $2.00 per term.
* Request a free "club representative" account. These accounts are to be used solely for managing the club account, and expire at the end of the term.

In both cases, you must come to MC 3036/3037 in person for initial registration. Club representatives can request renewal of their free accounts if they still need the account in future terms. Renewal can be done in person or via email.

Your user account must also be authorized to change club files. Each club has a "club group" whose members may update the clubs files. We add (and remove) users to the group when we are asked to do so by the club exec. The exec must email the Systems Committee (syscom@csclub.uwaterloo.ca) from a club email address.

Any office staff member may create and renew both member and club representative accounts using [[ceo]]. Only Systems Committee members may modify club access lists.

== Accessing Club Resources ==

At this point, you have a user account and a club account, and need to get started with your web site. Before you can do anything, you need to log into our machines somehow.

=== Shell Access ===

To gain shell access to your site, you can:

* Log in using a terminal in the office
* Log in from anywhere using SSH. Our web server (caffeine) is available at csclub.uwaterloo.ca.

The club's files are stored in /users/clubname.

If you want, you can become the club user by typing "become_club clubname". This is not usually necessary, as the permissions should allow you to make changes as yourself.

=== SFTP File Access ===

You may access files stored on our servers, or upload new ones, via SFTP and SCP. If you are a Windows user you should use [http://winscp.net/ WinSCP] or a similar client with SFTP/SCP abilities. If you are using OS X you can use the sftp or scp Terminal commands, or you can install a graphical client such as [http://cyberduck.ch/ Cyberduck]. Similarly on GNU/Linux you can use the shell commands or a graphical client such as gftp.

== Services ==

=== Web Hosting ===

See [[Web Hosting]].

=== Databases ===

See [[MySQL]].

You can create a MySQL database yourself through [[ceo]] by following [[MySQL#Using_ceo|these instructions]].

[[Category:Services]]

Main Page

2015-09-03T04:02:13Z

Ehashman: /* Guides */ Update hosting guide

This is the Wiki of the [[Computer Science Club]]. Feel free to start adding pages and information.

[[Special:AllPages]]

== Guides ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[ New Member Guide]]
* [[Budget Guide]]
* [[Club Hosting]]
* [[Web Hosting]]
* [[Exec Manual]]
* [[Imapd Guide]]
* [[MEF Guide]]
* [[Office Policies]]
* [[Office Staff]]
* [[How to IRC]]
* [[Talks Guide]]
* [[SCS Guide]]
* [[Kerberos | Password Reset ]]
* [[Disk Drive RMA Process]]
</div>

== News and Events ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Meetings]]
* [[Talks]]
* [[Projects]]
* [[Industry Opportunities]]
</div>

== Machine/System Documentation ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Authentication]]
* [[Backups]]
* [[ceo]]
* [[DNS]]
* [[Debian Repository]]
* [[Digital Cutter]]
* [[Directory Services]]
* [[Electronics]]
* [[Hardware]]
* [[Kerberos]]
* [[Machine List]]
* [[Mail]]
* [[Mailing Lists]]
* [[Mirror]]
* [[Music]]
* [[MySQL]]
* [[NetApp]]
* [[New CSC Machine]]
* [[NFS/Kerberos]]
* [[OID Assignment]]
* [[Printing]]
* [[Pulseaudio]]
* [[Robot Arm]]
* [[Scratch]]
* [[SNMP]]
* [[Serial Connections]]
* [[SSL]]
* [[Switches]]
* [[Syscom Todo]]
* [[Systems Committee]]
* [[UID/GID Assignment]]
* [[Webcams]]
* [[Webmail]]
* [[Website]]
* [[Virtualization]]
</div>

== Miscellaneous ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Budget]]
* [[Executive]]
* [[Past Executive]]
* [[Frosh]]
* [[History]]
* [[Library]]
* [[MEF Proposals]]
* [[Term Notes]]
</div> __NOTOC__

Web Hosting

2015-09-03T03:59:37Z

Ehashman: /* uwaterloo.ca domain Names */ typo

The CSC offers web hosting for [[Club Hosting|clubs]] and [http://csclub.uwaterloo.ca/about/ our members] in accordance with our [http://csclub.uwaterloo.ca/services/machine_usage Machine Usage Agreement]. This is a quick guide for the kinds of hosting we offer on our webserver, <tt>csclub.uwaterloo.ca</tt>, also known as [[Machine List#caffeine|caffeine]].

We run an Apache httpd webserver and we offer you the use of a [[MySQL|MySQL database]].

== What can I host on my website? ==

Web hosting is provided in accordance with the CSC [http://csclub.uwaterloo.ca/services/machine_usage Machine Usage Agreement]. As a reminder, you are '''not permitted''' to host any of the following:

* '''Ads.''' Advertisements are not permitted because using our machines for commercial purposes is forbidden by university policy.
* '''Your start-up's website.''' Again, commercial use of our hosting is not permitted.
* '''Unauthorized copyrighted materials.''' Violating the law is a violation of our Machine Usage Agreement.

Please note that '''this is not an exhaustive list. Websites may be taken down ''without notice''''' at the discretion of the Systems Committee.

Some great examples of things members host on our webserver:

* Academic projects!
* A personal website or blog!
* [[Club Hosting|Club websites!]]

== DNS and Your Domain Name ==

You can serve files without any additional configuration by placing them in your <tt>www</tt> directory and accessing them at <tt>http://csclub.uwaterloo.ca/~userid</tt>, where <tt>userid</tt> is your CSC user ID. However, many of our members and clubs prefer to use a custom domain name.

=== uwaterloo.ca domain Names ===

If you represent a UWaterloo organization, you may be eligible for a custom <tt>uwaterloo.ca</tt> domain name, such as <tt>csclub.uwaterloo.ca</tt>. We can request this on your behalf.

In order to do so, we must have verified that the organization is a legitimate UWaterloo-affiliated group, and that you, the representative, are authorized to request a domain name on their behalf. This all takes place when you request [[Club Hosting|club hosting]] with the Computer Science Club.

Once you register as a club representative of your particular organization, you can send an email from your official club account to syscom@csclub.uwaterloo.ca to request the domain <tt>yourdomain.uwaterloo.ca</tt>. Assuming it is available, we will file a ticket and request the domain in your name.

=== Your personal domain name ===

These virtual hosts must be approved by the Executive and Systems Committee. If interested, send syscom@csclub.uwaterloo.ca an email. If your request is approved, the Systems Committee will direct you to create a CNAME record for your domain and point it at <tt>csclub.uwaterloo.ca</tt>.

== Static Sites ==

You can place all your static content into your web directory, <tt>/users/userid/www</tt>.

If you have been approved for a virtual host, you can access this content using your personal domain once the Systems Committee makes the appropriate configuration changes. Here is an example configuration file:

<VirtualHost *:80>
ServerName foobar.uwaterloo.ca
ServerAlias *.foobar.uwaterloo.ca foobar
ServerAdmin your@email.here.tld

DocumentRoot /users/userid/www/

ErrorLog /var/log/apache2/luser-userid-error.log
CustomLog /var/log/apache2/luser-userid-access.log combined
</VirtualHost>

== Dynamic Sites ==

If you require use of a database, we offer you the sole choice of MySQL. See [[MySQL|this guide]] for how to create your database and connect to MySQL.

=== ***NOTICE*** ===

We '''STRONGLY''' discourage the use of content management systems such as
WordPress. These packages are notorious for the number of security
vulnerabilities they contain and pose a threat to our systems if they are not
kept up to date. The Systems Committee '''WILL,''' at its discretion, disable
any website using a package such as WordPress that is not updated to the latest
version or that is found to contain exploitable security flaws. In such a case,
the member or club serving that site will be notified of the termination; the
site will not be re-enabled until the issues are addressed.

=== Using PHP ===

Because we use Apache, it's as simple as placing your <tt>index.php</tt> file in your <tt>/users/userid/www</tt>. That's it!

You can even include rewrite rules in an <tt>.htaccess</tt> file in your web directory.

=== Using FCGI ===

We support the use of <tt>mod_fcgid</tt>, which runs all of our PHP applications and more. If you've set up your PHP application as above, it is very unlikely this will need further configuration. However, we can and may tweak <tt>Fcgid*</tt> directives to ensure optimal performance of our hosting across websites.

=== Using WSGI ===

We newly support <tt>mod_wsgi</tt> for dynamic frameworks you may not want to run through FCGI, such as Django. If you'd like to set up one of these sites, you'll need Systems Committee approval and assistance with the configuration. You will be responsible for setting up the site in your home directory and all the associated WSGI scripts.

Here is a sample configuration file for a Django site:

<VirtualHost *:80>
ServerName foobar.uwaterloo.ca
ServerAlias *.foobar.uwaterloo.ca foobar
ServerAdmin your@email.here.tld

ErrorLog /var/log/apache2/luser-userid-error.log
CustomLog /var/log/apache2/luser-userid-access.log combined

WSGIDaemonProcess process_name python-path=your/path/here/:possibly:/users/userid/site:/users/userid/.env/...
WSGIScriptAlias / /path/to/your/wsgi/script
WSGIProcessGroup process_name

Alias /robots.txt /path/if/necessary/robots.txt
Alias /favicon.ico /path/if/necessary/favicon.ico

<Directory /path/to/your/wsgi/script>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
</VirtualHost>

Web Hosting

2015-09-03T03:58:10Z

Ehashman: /* uwaterloo.ca domain Names */ typo

The CSC offers web hosting for [[Club Hosting|clubs]] and [http://csclub.uwaterloo.ca/about/ our members] in accordance with our [http://csclub.uwaterloo.ca/services/machine_usage Machine Usage Agreement]. This is a quick guide for the kinds of hosting we offer on our webserver, <tt>csclub.uwaterloo.ca</tt>, also known as [[Machine List#caffeine|caffeine]].

We run an Apache httpd webserver and we offer you the use of a [[MySQL|MySQL database]].

== What can I host on my website? ==

Web hosting is provided in accordance with the CSC [http://csclub.uwaterloo.ca/services/machine_usage Machine Usage Agreement]. As a reminder, you are '''not permitted''' to host any of the following:

* '''Ads.''' Advertisements are not permitted because using our machines for commercial purposes is forbidden by university policy.
* '''Your start-up's website.''' Again, commercial use of our hosting is not permitted.
* '''Unauthorized copyrighted materials.''' Violating the law is a violation of our Machine Usage Agreement.

Please note that '''this is not an exhaustive list. Websites may be taken down ''without notice''''' at the discretion of the Systems Committee.

Some great examples of things members host on our webserver:

* Academic projects!
* A personal website or blog!
* [[Club Hosting|Club websites!]]

== DNS and Your Domain Name ==

You can serve files without any additional configuration by placing them in your <tt>www</tt> directory and accessing them at <tt>http://csclub.uwaterloo.ca/~userid</tt>, where <tt>userid</tt> is your CSC user ID. However, many of our members and clubs prefer to use a custom domain name.

=== uwaterloo.ca domain Names ===

If you represent a UWaterloo organization, you may be eligible for a custom <tt>uwaterloo.ca</tt> domain name, such as <tt>csclub.uwaterloo.ca</tt>. We can request this on your behalf.

In order to do so, we must have verified that the organization is a legitimate UWaterloo-affiliated group, and that you, the representative, are authorized to request a domain name on their behalf. This all takes place when you request [[club hosting]] with the Computer Science Club.

Once you register as a club representative of your particular organization, you can send an email from your official club account to syscom@csclub.uwaterloo.ca to request the domain <tt>yourdomain.uwaterloo.ca</tt>. Assuming it is available, we will file a ticket and request the domain in your name.

=== Your personal domain name ===

These virtual hosts must be approved by the Executive and Systems Committee. If interested, send syscom@csclub.uwaterloo.ca an email. If your request is approved, the Systems Committee will direct you to create a CNAME record for your domain and point it at <tt>csclub.uwaterloo.ca</tt>.

== Static Sites ==

You can place all your static content into your web directory, <tt>/users/userid/www</tt>.

If you have been approved for a virtual host, you can access this content using your personal domain once the Systems Committee makes the appropriate configuration changes. Here is an example configuration file:

<VirtualHost *:80>
ServerName foobar.uwaterloo.ca
ServerAlias *.foobar.uwaterloo.ca foobar
ServerAdmin your@email.here.tld

DocumentRoot /users/userid/www/

ErrorLog /var/log/apache2/luser-userid-error.log
CustomLog /var/log/apache2/luser-userid-access.log combined
</VirtualHost>

== Dynamic Sites ==

If you require use of a database, we offer you the sole choice of MySQL. See [[MySQL|this guide]] for how to create your database and connect to MySQL.

=== ***NOTICE*** ===

We '''STRONGLY''' discourage the use of content management systems such as
WordPress. These packages are notorious for the number of security
vulnerabilities they contain and pose a threat to our systems if they are not
kept up to date. The Systems Committee '''WILL,''' at its discretion, disable
any website using a package such as WordPress that is not updated to the latest
version or that is found to contain exploitable security flaws. In such a case,
the member or club serving that site will be notified of the termination; the
site will not be re-enabled until the issues are addressed.

=== Using PHP ===

Because we use Apache, it's as simple as placing your <tt>index.php</tt> file in your <tt>/users/userid/www</tt>. That's it!

You can even include rewrite rules in an <tt>.htaccess</tt> file in your web directory.

=== Using FCGI ===

We support the use of <tt>mod_fcgid</tt>, which runs all of our PHP applications and more. If you've set up your PHP application as above, it is very unlikely this will need further configuration. However, we can and may tweak <tt>Fcgid*</tt> directives to ensure optimal performance of our hosting across websites.

=== Using WSGI ===

We newly support <tt>mod_wsgi</tt> for dynamic frameworks you may not want to run through FCGI, such as Django. If you'd like to set up one of these sites, you'll need Systems Committee approval and assistance with the configuration. You will be responsible for setting up the site in your home directory and all the associated WSGI scripts.

Here is a sample configuration file for a Django site:

<VirtualHost *:80>
ServerName foobar.uwaterloo.ca
ServerAlias *.foobar.uwaterloo.ca foobar
ServerAdmin your@email.here.tld

ErrorLog /var/log/apache2/luser-userid-error.log
CustomLog /var/log/apache2/luser-userid-access.log combined

WSGIDaemonProcess process_name python-path=your/path/here/:possibly:/users/userid/site:/users/userid/.env/...
WSGIScriptAlias / /path/to/your/wsgi/script
WSGIProcessGroup process_name

Alias /robots.txt /path/if/necessary/robots.txt
Alias /favicon.ico /path/if/necessary/favicon.ico

<Directory /path/to/your/wsgi/script>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
</VirtualHost>

Web Hosting

2015-09-03T03:53:58Z

Ehashman: Initial draft of page to replace "Member hosting"

The CSC offers web hosting for [[Club Hosting|clubs]] and [http://csclub.uwaterloo.ca/about/ our members] in accordance with our [http://csclub.uwaterloo.ca/services/machine_usage Machine Usage Agreement]. This is a quick guide for the kinds of hosting we offer on our webserver, <tt>csclub.uwaterloo.ca</tt>, also known as [[Machine List#caffeine|caffeine]].

We run an Apache httpd webserver and we offer you the use of a [[MySQL|MySQL database]].

== What can I host on my website? ==

Web hosting is provided in accordance with the CSC [http://csclub.uwaterloo.ca/services/machine_usage Machine Usage Agreement]. As a reminder, you are '''not permitted''' to host any of the following:

* '''Ads.''' Advertisements are not permitted because using our machines for commercial purposes is forbidden by university policy.
* '''Your start-up's website.''' Again, commercial use of our hosting is not permitted.
* '''Unauthorized copyrighted materials.''' Violating the law is a violation of our Machine Usage Agreement.

Please note that '''this is not an exhaustive list. Websites may be taken down ''without notice''''' at the discretion of the Systems Committee.

Some great examples of things members host on our webserver:

* Academic projects!
* A personal website or blog!
* [[Club Hosting|Club websites!]]

== DNS and Your Domain Name ==

You can serve files without any additional configuration by placing them in your <tt>www</tt> directory and accessing them at <tt>http://csclub.uwaterloo.ca/~userid</tt>, where <tt>userid</tt> is your CSC user ID. However, many of our members and clubs prefer to use a custom domain name.

=== uwaterloo.ca domain Names ===

If you represent a UWaterloo organization, you may be eligible for a custom <tt>uwaterloo.ca</tt> domain name, such as <tt>csclub.uwaterloo.ca</tt>. We can request this on your behalf.

In order to do so, we must have verified that the organization is a legitimate UWaterloo-affiliated group, and that you, the representative, is authorized to request a domain name on their behalf. This all takes place when you request [[club hosting]] with the Computer Science Club.

Once you register as a club representative of your particular organization, you can send an email from your official club account to syscom@csclub.uwaterloo.ca to request the domain <tt>yourdomain.uwaterloo.ca</tt>. Assuming it is available, we will file a ticket and request the domain in your name.

=== Your personal domain name ===

These virtual hosts must be approved by the Executive and Systems Committee. If interested, send syscom@csclub.uwaterloo.ca an email. If your request is approved, the Systems Committee will direct you to create a CNAME record for your domain and point it at <tt>csclub.uwaterloo.ca</tt>.

== Static Sites ==

You can place all your static content into your web directory, <tt>/users/userid/www</tt>.

If you have been approved for a virtual host, you can access this content using your personal domain once the Systems Committee makes the appropriate configuration changes. Here is an example configuration file:

<VirtualHost *:80>
ServerName foobar.uwaterloo.ca
ServerAlias *.foobar.uwaterloo.ca foobar
ServerAdmin your@email.here.tld

DocumentRoot /users/userid/www/

ErrorLog /var/log/apache2/luser-userid-error.log
CustomLog /var/log/apache2/luser-userid-access.log combined
</VirtualHost>

== Dynamic Sites ==

If you require use of a database, we offer you the sole choice of MySQL. See [[MySQL|this guide]] for how to create your database and connect to MySQL.

=== ***NOTICE*** ===

We '''STRONGLY''' discourage the use of content management systems such as
WordPress. These packages are notorious for the number of security
vulnerabilities they contain and pose a threat to our systems if they are not
kept up to date. The Systems Committee '''WILL,''' at its discretion, disable
any website using a package such as WordPress that is not updated to the latest
version or that is found to contain exploitable security flaws. In such a case,
the member or club serving that site will be notified of the termination; the
site will not be re-enabled until the issues are addressed.

=== Using PHP ===

Because we use Apache, it's as simple as placing your <tt>index.php</tt> file in your <tt>/users/userid/www</tt>. That's it!

You can even include rewrite rules in an <tt>.htaccess</tt> file in your web directory.

=== Using FCGI ===

We support the use of <tt>mod_fcgid</tt>, which runs all of our PHP applications and more. If you've set up your PHP application as above, it is very unlikely this will need further configuration. However, we can and may tweak <tt>Fcgid*</tt> directives to ensure optimal performance of our hosting across websites.

=== Using WSGI ===

We newly support <tt>mod_wsgi</tt> for dynamic frameworks you may not want to run through FCGI, such as Django. If you'd like to set up one of these sites, you'll need Systems Committee approval and assistance with the configuration. You will be responsible for setting up the site in your home directory and all the associated WSGI scripts.

Here is a sample configuration file for a Django site:

<VirtualHost *:80>
ServerName foobar.uwaterloo.ca
ServerAlias *.foobar.uwaterloo.ca foobar
ServerAdmin your@email.here.tld

ErrorLog /var/log/apache2/luser-userid-error.log
CustomLog /var/log/apache2/luser-userid-access.log combined

WSGIDaemonProcess process_name python-path=your/path/here/:possibly:/users/userid/site:/users/userid/.env/...
WSGIScriptAlias / /path/to/your/wsgi/script
WSGIProcessGroup process_name

Alias /robots.txt /path/if/necessary/robots.txt
Alias /favicon.ico /path/if/necessary/favicon.ico

<Directory /path/to/your/wsgi/script>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
</VirtualHost>

New CSC Machine

2015-07-28T21:00:52Z

Ehashman: /* apt */ Remove emdebian

= Booting =

* Put the TFTP image in place (if dist-arch pair installed before, you may skip this).
e.g. extract http://mirror.csclub.uwaterloo.ca/ubuntu/dists/oneiric/main/installer-amd64/current/images/netboot/netboot.tar.gz to caffeine:/srv/tftp/oneiric-amd64

* Force network boot in the BIOS. This may be called "Legacy LAN" or other such cryptic things. If this doesn't work, boot from CD or USB instead.

It is preferred to use the "alternate" Ubuntu installer image, based on debian-installer, instead of the Ubiquity installer. This installer supports software RAID and LVM out of the box, and will generally make your life easier. If installing Debian, this is the usual installer, so don't sweat it.

= Installing =

== debian-installer ==

At least in expert mode, you can choose a custom mirror (top of the countries list) and give the path for mirror directly. This will make installation super-fast compared to installing from anywhere else.

Please install to LVM volumes, as this is our standard configuration on all machines where possible. It allows more flexible partitioning across available volumes. Since GRUB 2, even /boot may be on LVM; this is the preferred configuration for simplicity, except when legacy partitioning setups make this inconvenient.

You may enable unattended upgrades, but do not enable Canonical's remote management service or any such nonsense. This is mostly a straightforward Debian/Ubuntu install.

== Ubiquity ==

Ubiquity is the Ubuntu GUI installer. For it to have lvm support, run:
apt-get install lvm2

If you still can't see the partitions (even if lvscan sees them, but no devices exist), run <tt>vgscan</tt> and <tt>vgchange -ay</tt> as root. Now the partitioner should be able to see them. We prefer to use LVM for partitions. Since GRUB 2, even /boot may be on LVM; this is the preferred configuration for simplicity, except when legacy partitioning setups make this inconvenient.

After installing with Ubiquity, you must also add LVM support to the newly installed system, and in particular its initramfs.

mount /dev/vg0/root /mnt
mount /dev/sda1 /mnt/boot
chroot /mnt
apt-get install lvm2

You should see an update-initramfs update. Reboot.

= After Installing =

Add the new machine's ip to /etc/hosts and propagate to all other machines (~syscom/bin/alldist).

== apt ==

If you did not during installation, change all references in <tt>/etc/apt/sources.list</tt> to use <tt>mirror</tt> instead of the usual mirrors.

Also add support for the CSC packages. Add the following to <tt>/etc/apt/sources.list.d/csclub.list</tt> (or copy from another host):

deb http://debian.csclub.uwaterloo.ca/ <distribution> main contrib non-free
deb-src http://debian.csclub.uwaterloo.ca/ <distribution> main contrib non-free

You'll also need the CSC archive signing key (if <tt>curl</tt> is not installed, install it).
curl -s http://debian.csclub.uwaterloo.ca/csclub.asc | apt-key add -

You should now run <tt>apt-get update</tt> to reflect these changes.

Next, install <tt>inapt</tt> (it is in the CSC Debian archive). If it hasn't previously been built for the current platform, clone and build it (TODO: describe how to do this).

Clone <tt>~git/public/packages.git</tt>, update it if necessary (notably updating <tt>nodes.ia</tt> to reflect the distribution and role of the machine), then run:
inapt *.ia

(Due to a bug, if a warning is thrown, this will segfault. Until fixed, just temporarily remove whatever packages it complains about from the list.)

Warning: this will take a long time due to the large number of packages being installed. Some of the below can be done once the relevant packages are installed, but while other packages are still being installed.

Note that inapt current uninstalls NetworkManager, which is what Ubuntu uses by default to configure the network. Once this completes, open <tt>/etc/network/interfaces</tt> and set up a static networking configuration (otherwise, networking will not come back up on reboot). It should look something like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 129.97.134.xxx
netmask 255.255.255.0
gateway 129.97.134.1
network 129.97.134.0
broadcast 129.97.134.255
dns-nameservers 129.97.2.1 129.97.47.5 129.97.47.6
dns-search csclub.uwaterloo.ca uwaterloo.ca

For unattended upgrades in the future, install the <tt>unattended-upgrades</tt> package and copy <tt>/etc/apt/apt.conf</tt> from another host.

== Keys ==

If this is a reinstall of an existing host, copy back the SSH host keys and <tt>/etc/krb5.keytab</tt> from its former incarnation. Otherwise, create a new Kerberos principal and copy the keytab over, as follows (run from the host in question):
kadmin -p sysadmin/admin # or any other admin principal; the password for this one is the usual root password
addprinc -randkey host/[hostname].csclub.uwaterloo.ca
ktadd host/[hostname].csclub.uwaterloo.ca

This will generate a new principal (you can skip this step if one already exists) and add it to the local Kerberos keytab.

Also copy <tt>/etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem</tt> from another host, as many of our services use a certificate issued by this CA.

== Configuration ==

=== General ===

The following config files are needed to work in the CSC environment (examples given below for an office terminal; perhaps refer to another host if preferred).

<tt>/etc/nsswitch.conf</tt>
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files ldap
group: files ldap
shadow: files ldap
sudoers: files ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

<tt>/etc/ldap/ldap.conf</tt>

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=csclub, dc=uwaterloo, dc=ca
URI ldap://ldap1.csclub.uwaterloo.ca ldap://ldap2.csclub.uwaterloo.ca

SIZELIMIT 0

TLS_CACERT /etc/ssl/certs/GlobalSign_Intermediate_Root.pem
TLS_CACERTFILE /etc/ssl/certs/GlobalSign_Intermediate_Root.pem

SUDOERS_BASE ou=SUDOers,dc=csclub,dc=uwaterloo,dc=ca

Also make <tt>/etc/sudo-ldap.conf</tt> a symlink to the above.

<tt>/etc/nslcd.conf</tt>
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://ldap1.csclub.uwaterloo.ca
uri ldap://ldap2.csclub.uwaterloo.ca

# The search base that will be used for all queries.
base dc=csclub,dc=uwaterloo,dc=ca

# use the uniqueMember attribute for group membership
# (not applicable on Debian squeeze)
map group member uniqueMember

<tt>/etc/krb5.conf</tt>
[libdefaults]
default_realm = CSCLUB.UWATERLOO.CA
forwardable = true
proxiable = true
dns_lookup_kdc = false
dns_lookup_realm = false

[realms]
CSCLUB.UWATERLOO.CA = {
kdc = kdc1.csclub.uwaterloo.ca
kdc = kdc2.csclub.uwaterloo.ca
admin_server = kadmin.csclub.uwaterloo.ca
}
(rest omitted for brevity)

Update: <tt>allow_weak_crypto</tt> is basically a no-op in recent Kerberos versions - but this is not a problem as any linux kernel with version >= 2.6.38.2 can use any cipher available to the kernel to grab tickets from the KDC for the purpose of NFS sec=krb5. Notably, this means you can use ciphersuites less craptastic than des-cbc-crc (the only one that used to work prior to this kernel revision) for NFS sec=krb5 mounts. Therefore, <tt>allow_weak_crypto</tt> has been removed from /etc/krb5.conf on all our machines.

Furthermore, the lines <tt>dns_lookup_kdc</tt> and <tt>dns_lookup_realm</tt> have been added - they are needed to stop the KDC from throwing its arms in the air and giving up if IST's DNS servers ever explode - an event that has happened in the recent past far more often than I'd like it to.

Notably, <tt>allow_weak_crypto</tt> is currently needed to mount <tt>/users</tt> (/music and <tt>/scratch</tt> is sec=sys and thus will always mount, even when krb5 is down and/or broken). Otherwise, you will get a mysterious "permission denied" error (even though the server claims to have authenticated the mount successfully).

<tt>/etc/pam.d/common-account</tt>
#
# /etc/pam.d/common-account - authorization settings common to all services
#

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required pam_krb5.so minimum_uid=10000
# end of pam-auth-update config

# Make sure the user is up to date. System accounts and syscom are exempt.
account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
account required pam_csc.so

This file is notably different on syscom-only hosts. Look at an existing syscom-only host to see the difference.

Alter <tt>/etc/default/nfs-common</tt> to enable <tt>statd</tt>, and more importantly <tt>gssd</tt> (needed for Kerberos NFS mounts). Start both daemons manually for now.

Add <tt>/users</tt>, <tt>/music</tt> and <tt>/scratch</tt> to <tt>/etc/fstab</tt> (as appropriate for the machine's role), make their mount points and mount them. Note that <tt>/music</tt> and <tt>/scratch</tt> are sec=sys whereas /users is sec=krb5 (with exceptions granted on a case-by-case basis for servers only, office terminals are always sec=krb5 for security reasons).

To allow single sign-on as <tt>root</tt> (primarily useful for pushing files to all machines simultaneously), put the following in <tt>/root/.k5login</tt>:
sysadmin/admin@CSCLUB.UWATERLOO.CA

Also copy the following files from another CSC host:
* <tt>/etc/ssh/ssh_config</tt> and <tt>/etc/ssh/sshd_config</tt> (for single sign-on)
* <tt>/etc/ssh/ssh_known_hosts</tt> (to remove hostkey warnings within our network)
* <tt>/etc/hosts</tt> (for host tab completion and emergency name resolution)

=== Display Manager ===

LightDM (with unity-greeter) is the current display manager of choice for CSC office terminals. Copy <tt>/etc/lightdm/lightdm.conf</tt> from another CSC machine to configure it properly. If kdm or another display manager gets installed, please ensure that you continue to choose LightDM as the default display manager.

Please leave AccountsService enabled, as LightDM and certain parts of the GNOME packages work better when it is available.

The Unity greeter configuration is now in gsettings. We currently have a novelty wallpaper configured. To configure this, copy <tt>/usr/local/share/backgrounds/tarkin.png</tt> from another machine and run:

sudo -u lightdm dbus-launch gsettings set com.canonical.unity-greeter background /usr/local/share/backgrounds/tarkin.png

=== User-Defined Session ===

For some reason, ubuntu does not install a session file for a session that just launches whatever's in the user's ~/.xsession. To fix this, put the following into <tt>/usr/share/xsessions/xsession.desktop</tt>:

[Desktop Entry]
Name=User-defined session
Exec=/etc/X11/Xsession

=== Audio ===

On an office terminal, copy <tt>/etc/pulse/default.pa</tt> from another office terminal.

If this is to be the machine that actually plays audio (currently <tt>nullsleep</tt>), the setup is slightly more complicated. You'll need to set up MPD and PulseAudio to receive connections, and store the PulseAudio cookie in <tt>~audio</tt>, with appropriate permissions so that only the <tt>audio</tt> group can access it. If this is a new audio machine, you'll also need to change <tt>default.pa</tt> on all office terminals to point to it.

=== Tweaks ===

On Ubuntu precise, even when <tt>gnome-keyring</tt> is uninstalled, it leaves a config file behind that causes error messages. Remove <tt>/etc/pkcs11/modules/gnome-keyring-module</tt> to fix this.

On Ubuntu saucy or newer, edit <tt>/etc/sysctl.d/10-magic-sysrq</tt> at change the value 244.

== Records ==

You probably already created the host in the University IPAM system beforehand. If not, please do so.

Please also add the host to the [[Machine List]] here on the Wiki, and to <tt>/users/syscom/csc-machines</tt> (and <tt>csc-office-machines</tt>, if applicable).

== Munin (System Monitoring) ==

If the new machine is not a container, you probably want to have it participate in the Munin cluster. Run <tt>apt-get install munin-node</tt> to install the monitoring client, then
edit the file /etc/munin/munin-node.conf. Look for a line that says <tt>allow ^127\.0\.0\.1$</tt> and add the following on a new line immediately below it:
<tt>allow ^129\.97\.134\.51$</tt> (this is the IP address for munin.csclub). Save the file, then <tt>/etc/init.d/munin-node restart</tt> and <tt>update-rc.d munin-node defaults</tt>.

Then, ssh into munin.csclub and edit the file /etc/munin/munin.conf and add the following lines to the end:
<tt>

[NEW-MACHINE-NAME.csclub] 
addr 129.97.134.### 
use_node_name yes

</tt>

= New Distribution =

If you're adding a new distribution, there a couple of steps you'll need to take in updating the CSClub Debian repository on [[Machine_List#sodium_benzoate|sodium-benzoate/mirror]].

The steps to add a new Debian release (in the examples, jessie) is as follows, modify as necessary:

=== Step 0: Create a GPG key ===

Use "gpg --gen-key" or something like that. Skip this if you already have one.

=== Step 1: Add to Uploaders ===

The /srv/debian/conf/uploaders file on mirror contains the list of people who can upload. Add your GPG key id to this file. Use "gpg --list-secret-keys" to find out the key ID. You also need to import your key into the mirror's gpg homedir as follows:

gpg --export $KEYID | sudo env GNUPGHOME=/srv/debian/gpg gpg --import

You only need to do this step once.

=== Step 2: Add Distro ===

Add a new section to /srv/debian/conf/distributions:

Origin: CSC
Label: Debian
Codename: '''jessie'''
Architectures: alpha amd64 i386 mips mipsel sparc powerpc armel source
Components: main contrib non-free
Uploaders: uploaders
Update: dell chrome
SignWith: yes
Log: jessie.log
--changes notifier

And update the '''Allow''' line in /srv/debian/conf/incoming:

Allow: '''jessie>jessie''' oldstable>squeeze stable>wheezy lucid>lucid maverick>maverick oneiric>oneiric precise>precise quantal>quantal

=== Step 3: Update from Sources ===

Run:

sudo env GNUPGHOME=/srv/debian/gpg rrr-update

If all went well you should see the new distribution listed at http://debian.csclub.uwaterloo.ca/dists/

=== Step 4: CSC Packages ===

Now that we've got our new distribution set up we need to generate our packages and have them uploaded. Namely, ceo, libpam-csc & inapt. Using libpam-csc as an example:

Get the package:

git clone ~git/public/libpam-csc.git
cd libpam-csc

Update change log:

EMAIL=[you]@csclub.uwaterloo.ca NAME="Your Name" dch -i

Update as necessary, i.e:

libpam-csc (1.10'''jessie0''') '''jessie'''; urgency=low

* Packaging for jessie.

-- Your Name <[you]@csclub.uwaterloo.ca> Thu, 10 Oct 2013 22:08:48 -0400

Build! (You may need to install various dependencies, which it will yell at you if you don't have.)

debuild -k'''YOURKEYID'''

Yay, it built now let's upload it to the repo. The build process which create a PACKAGE.changes file in the parent directory (replace PACKAGE with the actual package name).

dupload libpam-csc_1.10jessie0_amd64.changes

Finally, log into mirror and type "sudo rrr-incoming". This is supposed to happen once every few minutes however it is always faster to run it manually.

And you're done. Just repeat the previous bit for other csc packages.

Virtualization (LXC Containers)

2015-07-28T20:59:38Z

Ehashman: Fix New CSC Machine link

Virtualization (LXC Containers)

2015-07-28T20:58:50Z

Ehashman: Major LXC update, remove linux vserver

NetApp

2015-07-22T23:09:45Z

Ehashman: /* Configuration */ re-ordered and clarified some directions

As of 2013, the CSC has a NetApp FAS3000 series which is capable of hosting network shares. It was donated to us by CSCF. It is also pretty old.

==Documentation==
All the manuals are hosted in ~sysadmin/netapp-docs/

Relevant docs for storage modification are: smg.pdf, sysadmin.pdf

iSCSI documentation is in ontop/bsag.pdf

==Background==
While the NetApp supports both NFS and CIFS, neither of these export options provide the versatility nor the options we desire of a network fileshare. Instead, we have configured the NetApp to export iSCSI block devices to be mounted on aspartame. Therefore, aspartame now replaces ginseng as being the primary fileserver in CSC.

==Access==
Configuration mechanisms are accessible either via SSH or serial interface, but through aspartame only. The NetApp is not visible on 134net at all.

The private IP is 10.15.134.130, only available from aspartame on the interface with IP 10.15.134.1. You may have to remove the default route from the routing table in order to successfully contact the machine with ssh.

==Configuration==
Should aspartame get totally hosed, or stability is long enough such that all sysadmin folk at the time have graduated, here is how to set up iSCSI on the NetApp+aspartame.

===NetApp Configuration===

This section describes how to create a volume on the NetApp and export it as an iSCSI target. For further NetApp configuration instructions, refer to the NetApp documentation.

====One-time Configuration====

Enable iSCSI and configure default authentication.

options iscsi.enable on
iscsi nodename iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
iscsi security default -s CHAP -p yoursecurepassword -n psilodump

where yoursecurepassword is more secure. For iSCSI hosts, the target will be on node iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca with username psilodump and password yoursecurepassword.

====Setting up a new disk aggregate, volume, and LUN====

1. Login to the NetApp. You'll either need access to the physical serial console or to ssh as root to psilodump's private IP (10.15.134.130). Credentials are stored in /users/sysadmin .

2. To get information on the available disks, run the command:
aggr status -r
This command will return three lists: Active aggregates with their assigned disks, spare disks, and disks managed by the partner. An aggregate is roughly equivalent to an LVM volume group: It is a collection of physical disks, possibly across multiple disk shelves and with various RAID levels applied, which may host one or more logical volumes.
Do not proceed if there are fewer than three spare disks of each type available. Refer to the NetApp documentation to add more disks or release disks from existing aggregates.

3. Choose a list of disks for your new aggregate. The available space will be approximately 2/3 of the total disk space.

4. Create the aggregate as follows:
aggr create aggrN -t raid_dp -d [disk-list]

where [disk-list] is a list of the form AA:BB CC:DD ... containing the identifiers for the disks you wish to use to create the aggregate.

5. Retrieve the aggregate information. You will need to know the available space for the next step.
aggr show_space aggrN

6. Create a volume in the aggregate:
vol create volNfoo -s volume aggrN XXXK

where XXX is the total available space in aggrN. You may need to choose a smaller number due to hidden size constraints and rounding. If you can't seem to find the right size, pick one much smaller, and then use the command

vol size volNfoo +XXX

to grow the volume. This command will tell you how much available space remains, unlike `vol create`, so you don't need to keep guessing.

7. Disable snapshotting and access time update. Neither will be needed for exporting an iSCSI LUN.
vol options volNfoo no_atime_update on
vol options volNfoo nosnap on
snap reserve volNfoo 0

8. Create a LUN on your volume:
lun create -s XXXK -t linux /vol/volNfoo/lun0

where XXXK is the amount of available space on the volume, as shown by the command df.

9. Create an iSCSI initiator group and add all of your hosts to it:
igroup create -i -t linux volNfoo_group
igroup add volNfoo_group iqn.1993-08.org.debian:01:123456789
igroup add volNfoo_group iqn.1993-08.org.debian:01:981287231
...

The node identifiers given to the igroup add command will soon be able to access the iSCSI LUN you created above.

10. Map the LUN to the iSCSI initiator group:
lun map /vol/volNfoo/lun0 volNfoo_group

You're done! Any host in the initiator group should now be able to access the LUN you've created as a block device.

===aspartame Configuration===
Install open-iscsi:
apt-get install open-scsi

Edit /etc/iscsi/iscsid.conf:
node.startup = manual
discovery.sendtargets.auth.authmethod=CHAP
discovery.sendtargets.auth.username=username
discovery.sendtargets.auth.password=password
node.session.auth.authmethod=CHAP
node.session.auth.username=username
node.session.auth.password=password

Start open-iscsi service:
service open-iscsi start

Scan for iSCSI devices from the NetApp:
iscsiadm --mode discovery --type st --portal psilodump

This should dump out a ton of information, for example:
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2001 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2002 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,1000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
10.15.134.131:3260,2002 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
129.97.134.131:3260,2001 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
10.15.134.130:3260,2000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
129.97.134.130:3260,1000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca

The .130 IPs correspond to one filer, and the .131 IPs correspond to the other filer. Currently we are only using one of the filers (psilodump).

This also populates the /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca directory with all possible ways to access the NetApp. For testing purposes (i.e. node.startup = manual), this is okay.

Test to see if you can get the iSCSI device to show up correctly:
iscsiadm --mode node --targetname "iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca" --portal 10.15.134.130:3260 --login

This should produce output similar to:
Logging in to [iface: default, target: iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca, portal: 10.15.134.130,3260]
Login to [iface: default, target: iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca, portal: 10.15.134.130,3260]: successful

Check /dev/disk/by-path/ip* to ensure new disks show up:
# ls -l /dev/disk/by-path/ip*
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-0 -> ../../sda
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-0-part1 -> ../../sda1
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-1 -> ../../sdb
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-1-part1 -> ../../sdb1

If this fails, check all your configuration again.

If this succeeds, you are now ready to try autoconnecting the iSCSI device.

Delete all extraneous entries from /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca . This prevents the startup script from (a) hanging, and (b) being very upset. All that is left should be the interface you intend to connect through:
# ls -l /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca/
10.15.134.130,3260,2000

Edit /etc/iscsi/iscsid.conf:
node.startup = automatic

For the init.d script to work correctly (i.e. properly mount things) we need to add a sleep to allow the device to settle:
Edit /etc/init.d/open-iscsi roughly around line 127 to add a "sleep 1":
...
# Now let's mount
sleep 1
log_daemon_msg "Mounting network filesystems"
MOUNT_RESULT=1
if mount -a -O _netdev >/dev/null 2>&1; then
MOUNT_RESULT=0
break
fi
log_end_msg $MOUNT_RESULT
...

Now we can restart the service:
service open-iscsi restart

Now you can configure partitions and mountpoints.

==Other notes==

===Transferring old files from ginseng===

====Method A====

* On ginseng, use parted to set up the mounted iscsi drive as an ext4 primary partition (setting up a partition of size >2TB requires care and a GPT)
* Compiled star in /root on ginseng
* Transferred files with the following Makefile (assuming original user directories in /export/users, destination volume in /mnt/iscsi, make -j8):
foo := $(wildcard /export/users/*)
bar := $(patsubst /export/users/%,/mnt/iscsi/%,$(foo))
all: $(bar)
/mnt/iscsi/%: /export/users/%
# echo $@ $<
~/star-1.5.2/star/OBJ/x86_64-linux-cc/star \
-copy -p -acl artype=exustar \
-C /export/users $(notdir $<) /mnt/iscsi

====Method B====

* On ginseng, authenticate with iSCSI target (psilodump.csclub.uwaterloo.ca lun0).
* Umount /dev/mapper/vg0-users
* Copy users filesystem directly to iSCSI target:
dd if=/dev/mapper/vg0-users of=/path/to/psilodump:lun0 bs=8M
* Resize users filesystem on destination partition to fit:
resize2fs /path/to/psilodump:lun0

===Exporting Kerberized NFS from Debian Sid===

The default kernel in Debian sid (stable, 2.6.32) does not support the necessary crypto suites to export kerberized NFS to newer kernels. You MUST upgrade the kernel, nfs-common, and nfs-kernel-server packages to AT LEAST squeeze-backports.

===iSCSI block device mount optimizations===

tmyklebu made some changes to /sys/block/sda/queue. The following is now in /etc/rc.local on aspartame:

echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 32768 > /sys/block/sda/queue/max_sectors_kb
echo 4096 > /sys/block/sda/queue/nr_requests
echo noop > /sys/block/sda/queue/scheduler

We should increase the iSCSI configs node.session.queue_depth and node.session.cmds_max during next maintenance window.

==Disk information==
* shelf 1
** 14x136GB 10,000RPM FibreChannel disks
** Currently disconnected, could be connected to psilodump or directly to another machine.
* shelf 2
** 14x136GB 10,000RPM FibreChannel disks
** Currently assigned to psilodump
* shelf 3
** 14x500GB 7,200RPM ATA disks
** Currently assigned to psilodump
* shelf 4
** 14x500GB 7,200RPM ATA disks
** Currently assigned to psilodump

===Aggregates===
* aggr0
** Root aggregate volume, in RAID-DP
* aggr1
** Music aggregate volume, in RAID-DP
* aggr_users
** Users aggregate volume, in RAID-DP
* aggr2
** Old users aggregate volume, in RAID-DP

===Volumes===
* /vol/vol0
** Root volume.
* /vol/vol1music
** Music volume. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol1music/lun0 .
* /vol/vol2users
** Users volume. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol2users/lun0 .

==Commands==
aggr status -r aggr<num>
Shows aggregate status
disk show -v
Shows disks, and which filer they are owned by (currently all by psilodump)
storage
storage related things
disk assign
Assigns orphaned disks to a filer
vol
Volume stuffs

==Terminology==
* RAID-DP - Double Parity RAID4

Syscom Todo

2015-07-16T19:22:36Z

Ehashman: /* When in the Machine Room */

These are things that syscom should do eventually:

==General==
* Prepare for `sodium-benzoate` upgrades/replacement.
** new-mirror has like 30 disk shelves so we can just do a live sync on the 2TB disks and then insert the 4TB ones
* Establish remote syslog
* Get UPS monitoring working across multiple systems
* `/users` backups
* Disaster recovery plan
* '''Put backup container for authentication onto cobalamin'''
* Get an IP/KVM for the machine room which doesn't suck?
* Sort through keyboards in the office
* Clean up wiki vandalism
* Fix debian.csclub, aka our personal Debian repo which serves the CEO package
** Fix ceo versioning, which seems to be different on every machine it's installed on...
* Fix audio auth: audio is both a system group and an LDAP group and this has bad consequences for audio authorization
* Centralized repo for various configs: NFS, PAM auth with kerb, /etc/hosts/, LDAP and Kerb5, routing/interfaces files
** LDAP login is currently broken on glomag, it is password with root only
** Private subnet routing is broken on every machine ''except'' corn-syrup (see 'ethcrazy')
* Update hosts list (10.15.134.WTF?)

== Wiki Updates ==

* Update the following wiki pages
** [[Backups]]
** [[Ceo]], also related to "debian.csclub is broken"
** somehow merge [[Conserver]]/[[Serial Connections]]/[[Console Configuration]]
** [[Cscbot]]
** [[DNS]]
** [[Hardware]]
** [[Machine List]]
** [[Mirror]]
** [[Music]] and possibly link to [[Pulseaudio]]
** [[MySQL]] mentions a-f replica
** [[NFS/Kerberos]] should probably by merged with an existing page
** [[NetApp]]
** [[Netboot]] (might want to merge with [[New CSC Machine]])
** [[OID Assignment]] and [[UID/GID Assignment]] should be merged with LDAP and replaced with a redirect
** Merge [[Point Of Sale]] and [[Point of Sale System]]
** [[Projects]]
** [[Scratch]]
** Merge [[Sun 2900]] and [[Sun 2900 Strategy Guide]]
** Add more info to [[Switches]]
** [[Virtualization]]
** [[Webcams]] needs a serious update
** [[Wireless]]

==When in the Machine Room==
* Set up binaerpilot.
* Set up rainbowdragoneyes
* Pick up paperclip to install a new OS
* Locate electrons?
* Make sure that the IPMI/console connections are correct, up-to-date, and working.
* Fix psilodump's and aspartame's IPs and routing
** psilodump should not be routable outside aspartame. This is currently accomplished by fuckery. This *should* be fixed to use the net.ipv4.conf.all.arp_filter sysctl.
* Look into expanding /scratch and using RAID using spare disks in the office.

==Science Machine Room==
* Set up remote syslog2

Serial Connections

2015-07-16T19:21:06Z

Ehashman: /* MC 3015 */ update serial configs from server room reconnaissance mission

This article documents the physical serial ports on each machine and the connections between them. These connections are used for console access using [[Conserver]].

==== MC 3015 ====

corn-syrup ttyS1 LOM <- corn-syrup-ipmi - 57600
mirror ttyS1 LOM <- sodium-benzoate-ipmi - 57600
taurine ttyS1 LOM <- taurine-ilo - 115200
glomag ttyS0 LOM <- glomag-ipmi - 115200
binaerpilot ttyUSB0 <- ascorbic-acid ttyUSB0 115200
goto80 ttyS0 <- corn-syrup N/A 115200
goto80 ttyS1 <- corn-syrup N/A 115200
goto80 power <- corn-syrup N/A 115200
potassium-citrate ttyS0 <- corn-syrup:ttyUSB2 hub3 115200
aspartame ttyS0 <- corn-syrup:ttyUSB4 hub5 115200
electrons - <- corn-syrup hub8 9600

The "hubN" ports are on the 8-port serial hub. To access, look in /dev/csc.

== Machine Ports ==

Most machines either have no serial ports, or one [[Serial_Pin-outs#RS-232_over_DE-9|DE-9]] serial port. Details of other configurations are listed here. We do not have any modems (DCE), so all connections should be crossed (i.e., use null modem cables or compatible).

==== taurine ====

taurine has a virtual serial port that can be accessed via telnet or SSH

ttyS0 physical DE-9
ttyS1 virtual

==== ascorbic-acid ====

ascorbic-acid has two [[Serial_Pin-outs#RS-232_over_8P8C_.28Sun.29|Sun 8P8C]] serial ports stacked vertically, with the first port on top. The first port may be used to access LOM, and probably has to be set to 9600 baud.

A (ttyS0, LOM)
B (ttyS1)

These ports should be connected to another system's DE-9 using a DE-9<->8P8C modular adapter and an [[Serial_Pin-outs#Almost_Rollover_Cable|Almost Rollover]] or standard rollover.

==== potassium-citrate ====

potassium-citrate has two DE-9 serial ports side by side, with the second port on the left

101102 (ttyS1) 101101 (ttyS0)

==== sodium-citrate ====

sodium-citrate has two DE-9 serial ports side by side, with the second port on the left

ttyS1 ttyS0

==== dumbterm ====

dumbterm has one DB-25 serial port. It is currently connected to a black [[Serial_Pin-outs#Grey_DB-25_Female_to_8P8C_Adapter|nonstandard DB-25<->8P8C adapter]], to a [[Serial_Pin-outs#Dumbterm_Cable|special twisted pair cable]], to a [[Serial_Pin-outs#Black_DE-9_Female_to_8P8C_Adapter|nonstandard 8P8C<->DE-9 adapter]]. All of these pieces are labeled "dumbterm". The dumbterm cable is not symmetric; the end labeled "DE-9" must be plugged into the DE-9 adapter.

[[Category:Hardware]]

Syscom Todo

2015-07-16T04:59:04Z

Ehashman: Add wiki pages to be edited

These are things that syscom should do eventually:

==General==
* Prepare for `sodium-benzoate` upgrades/replacement.
** new-mirror has like 30 disk shelves so we can just do a live sync on the 2TB disks and then insert the 4TB ones
* Establish remote syslog
* Get UPS monitoring working across multiple systems
* `/users` backups
* Disaster recovery plan
* '''Put backup container for authentication onto cobalamin'''
* Get an IP/KVM for the machine room which doesn't suck?
* Sort through keyboards in the office
* Clean up wiki vandalism
* Fix debian.csclub, aka our personal Debian repo which serves the CEO package
** Fix ceo versioning, which seems to be different on every machine it's installed on...
* Fix audio auth: audio is both a system group and an LDAP group and this has bad consequences for audio authorization
* Centralized repo for various configs: NFS, PAM auth with kerb, /etc/hosts/, LDAP and Kerb5, routing/interfaces files
** LDAP login is currently broken on glomag, it is password with root only
** Private subnet routing is broken on every machine ''except'' corn-syrup (see 'ethcrazy')
* Update hosts list (10.15.134.WTF?)

== Wiki Updates ==

* Update the following wiki pages
** [[Backups]]
** [[Ceo]], also related to "debian.csclub is broken"
** somehow merge [[Conserver]]/[[Serial Connections]]/[[Console Configuration]]
** [[Cscbot]]
** [[DNS]]
** [[Hardware]]
** [[Machine List]]
** [[Mirror]]
** [[Music]] and possibly link to [[Pulseaudio]]
** [[MySQL]] mentions a-f replica
** [[NFS/Kerberos]] should probably by merged with an existing page
** [[NetApp]]
** [[Netboot]] (might want to merge with [[New CSC Machine]])
** [[OID Assignment]] and [[UID/GID Assignment]] should be merged with LDAP and replaced with a redirect
** Merge [[Point Of Sale]] and [[Point of Sale System]]
** [[Projects]]
** [[Scratch]]
** Merge [[Sun 2900]] and [[Sun 2900 Strategy Guide]]
** Add more info to [[Switches]]
** [[Virtualization]]
** [[Webcams]] needs a serious update
** [[Wireless]]

==When in the Machine Room==
* Set up binaerpilot.
* Make sure that the IPMI/console connections are correct, up-to-date, and working.
* Fix psilodump's and aspartame's IPs and routing
** psilodump should not be routable outside aspartame. This is currently accomplished by fuckery. This *should* be fixed to use the net.ipv4.conf.all.arp_filter sysctl.
* Look into expanding /scratch and using RAID using spare disks in the office.

==Science Machine Room==
* Set up remote syslog2

Exec Todo

2015-07-16T04:58:11Z

Ehashman: Created page with "Update wiki pages: * Alumni Project * Budget Guide * Clothing Ideas * Enhancement Project * History * Library * Meetings which is kind of worthless..."

Update wiki pages:
* [[Alumni Project]]
* [[Budget Guide]]
* [[Clothing Ideas]]
* [[Enhancement Project]]
* [[History]]
* [[Library]]
* [[Meetings]] which is kind of worthless
* [[Mentorship]]
* [[New Member Guide]]
* [[Office Staff]] should probably be merged with [[Office Policies]]
* [[Other Clubs]] should get a look
* Merge [[Propaganda]] and [[Publicity Guide]]
* [[SCS Guide]]
* [[Security Workshops]] <-- might wanna tag that as F13
* Merge [[Space Project]] and [[Space plan]]
* [[Talk Archive]] <-- [[User:Ehashman]] should probably update this

Main Page

2015-07-16T04:56:09Z

Ehashman: /* Miscellaneous */

This is the Wiki of the [[Computer Science Club]]. Feel free to start adding pages and information.

[[Special:AllPages]]

== Guides ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[ New Member Guide]]
* [[Budget Guide]]
* [[Club Hosting]]
* [[Member Hosting]]
* [[Exec Manual]]
* [[Imapd Guide]]
* [[MEF Guide]]
* [[Office Policies]]
* [[Office Staff]]
* [[How to IRC]]
* [[Talks Guide]]
* [[SCS Guide]]
* [[Kerberos | Password Reset ]]
* [[Disk Drive RMA Process]]
</div>

== News and Events ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Meetings]]
* [[Talks]]
* [[Projects]]
* [[Industry Opportunities]]
</div>

== Machine/System Documentation ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Authentication]]
* [[Backups]]
* [[ceo]]
* [[DNS]]
* [[Debian Repository]]
* [[Digital Cutter]]
* [[Directory Services]]
* [[Electronics]]
* [[Hardware]]
* [[Kerberos]]
* [[Machine List]]
* [[Mail]]
* [[Mailing Lists]]
* [[Mirror]]
* [[Music]]
* [[MySQL]]
* [[NetApp]]
* [[New CSC Machine]]
* [[NFS/Kerberos]]
* [[OID Assignment]]
* [[Printing]]
* [[Pulseaudio]]
* [[Robot Arm]]
* [[Scratch]]
* [[SNMP]]
* [[Serial Connections]]
* [[SSL]]
* [[Switches]]
* [[Syscom Todo]]
* [[Systems Committee]]
* [[UID/GID Assignment]]
* [[Webcams]]
* [[Webmail]]
* [[Website]]
* [[Virtualization]]
</div>

== Miscellaneous ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Budget]]
* [[Executive]]
* [[Past Executive]]
* [[Frosh]]
* [[History]]
* [[Library]]
* [[MEF Proposals]]
* [[Term Notes]]
</div> __NOTOC__

Main Page

2015-07-16T04:55:55Z

Ehashman: /* Machine/System Documentation */ broken links

This is the Wiki of the [[Computer Science Club]]. Feel free to start adding pages and information.

[[Special:AllPages]]

== Guides ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[ New Member Guide]]
* [[Budget Guide]]
* [[Club Hosting]]
* [[Member Hosting]]
* [[Exec Manual]]
* [[Imapd Guide]]
* [[MEF Guide]]
* [[Office Policies]]
* [[Office Staff]]
* [[How to IRC]]
* [[Talks Guide]]
* [[SCS Guide]]
* [[Kerberos | Password Reset ]]
* [[Disk Drive RMA Process]]
</div>

== News and Events ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Meetings]]
* [[Talks]]
* [[Projects]]
* [[Industry Opportunities]]
</div>

== Machine/System Documentation ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Authentication]]
* [[Backups]]
* [[ceo]]
* [[DNS]]
* [[Debian Repository]]
* [[Digital Cutter]]
* [[Directory Services]]
* [[Electronics]]
* [[Hardware]]
* [[Kerberos]]
* [[Machine List]]
* [[Mail]]
* [[Mailing Lists]]
* [[Mirror]]
* [[Music]]
* [[MySQL]]
* [[NetApp]]
* [[New CSC Machine]]
* [[NFS/Kerberos]]
* [[OID Assignment]]
* [[Printing]]
* [[Pulseaudio]]
* [[Robot Arm]]
* [[Scratch]]
* [[SNMP]]
* [[Serial Connections]]
* [[SSL]]
* [[Switches]]
* [[Syscom Todo]]
* [[Systems Committee]]
* [[UID/GID Assignment]]
* [[Webcams]]
* [[Webmail]]
* [[Website]]
* [[Virtualization]]
</div>

== Miscellaneous ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Budget]]
* [[Executive]]
* [[Past Executive]]
* [[Frosh]]
* [[History]]
* [[Library]]
* [[MEF Proposals]]
* [[Office Cleanup]]
* [[Projector]]
* [[Term Notes]]
</div> __NOTOC__

Pop Run

2015-07-16T04:36:33Z

Ehashman: Redirected page to Imapd Guide

#REDIRECT [[Imapd_Guide]]

Phone numbers

2015-07-16T04:33:26Z

Ehashman:

===Important Phone Numbers for the CSC===

* Main university phone number: (519) 888-4567
** Real Time Lab:
** Graphics Lab: 36560
** Mathsoc: 32324
** Hallway phone next to CSC bathroom: 32391
** MEF office: 35757
** Crysp lab: 31337
** WiCS office: 30295

[[Category:Administration]]

Ident

2015-07-16T04:29:46Z

Ehashman: categories

[[Machine List#taurine|taurine]] needs to provide ident services to raise the IRC connection cap. A small ident daemon written by m4burns in Racket lives in <tt>/home/ident</tt> on taurine.

To get it running, run it as the `indent` user and add an iptables rule sending port 113 to port 1113.

iptables -t nat -A PREROUTING -p tcp --dport 113 -j REDIRECT --to-port 1113

[[Category:Systems]]
[[Category:Software]]

Syscom Todo

2015-07-16T03:36:44Z

Ehashman:

Mirror Stats

2015-07-16T03:17:23Z

Ehashman: Ehashman moved page Cacti to Mirror Stats without leaving a redirect: Page name is unintelligible.

We used to run Cacti, but we no longer do. Mirror stats are available at http://mirror.csclub.uwaterloo.ca/stats.png (generated by pbarfuss' RRDTool script).

[[Category:Software]]

Mirror Stats

2015-07-16T03:16:48Z

Ehashman:

We used to run Cacti, but we no longer do. Mirror stats are available at http://mirror.csclub.uwaterloo.ca/stats.png (generated by pbarfuss' RRDTool script).

[[Category:Software]]

NetApp

2015-07-16T03:08:10Z

Ehashman: /* Terminology */ this is wrong

As of 2013, the CSC has a NetApp FAS3000 series which is capable of hosting network shares. It was donated to us by CSCF. It is also pretty old.

==Documentation==
All the manuals are hosted in ~sysadmin/netapp-docs/

Relevant docs for storage modification are: smg.pdf, sysadmin.pdf

iSCSI documentation is in ontop/bsag.pdf

==Background==
While the NetApp supports both NFS and CIFS, neither of these export options provide the versatility nor the options we desire of a network fileshare. Instead, we have configured the NetApp to export iSCSI block devices to be mounted on aspartame. Therefore, aspartame now replaces ginseng as being the primary fileserver in CSC.

==Access==
Configuration mechanisms are accessible either via SSH or serial interface, but through aspartame only. The NetApp is not visible on 134net at all.

The private IP is 10.15.134.130, only available from aspartame on the interface with IP 10.15.134.1. You may have to remove the default route from the routing table in order to successfully contact the machine with ssh.

==Configuration==
Should aspartame get totally hosed, or stability is long enough such that all sysadmin folk at the time have graduated, here is how to set up iSCSI on the NetApp+aspartame.

===NetApp Configuration===

This section describes how to create a volume on the NetApp and export it as an iSCSI target. For further NetApp configuration instructions, refer to the NetApp documentation.

1. Login to the NetApp. You'll either need access to the physical serial console or to ssh as root to psilodump's private IP (10.15.134.130). Credentials are stored in /users/sysadmin .

2. To get information on the available disks, run the command:
aggr status -r
This command will return three lists: Active aggregates with their assigned disks, spare disks, and disks managed by the partner. An aggregate is roughly equivalent to an LVM volume group: It is a collection of physical disks, possibly across multiple disk shelves and with various RAID levels applied, which may host one or more logical volumes.
Do not proceed if there are fewer than three spare disks of each type available. Refer to the NetApp documentation to add more disks or release disks from existing aggregates.

3. Choose a list of disks for your new aggregate. The available space will be approximately 2/3 of the total disk space.

4. Create the aggregate as follows:
aggr create aggrN -t raid_dp -d [disk-list]

where [disk-list] is a list of the form AA:BB CC:DD ... containing the identifiers for the disks you wish to use to create the aggregate.

5. Retrieve the aggregate information. You will need to know the available space for the next step.
aggr show_space aggrN

6. Create a volume in the aggregate:
vol create volNfoo -s volume aggrN XXXK

where XXX is the total available space in aggrN. You may need to choose a slightly smaller number due to hidden size constraints and rounding.

7. Disable snapshotting and access time update. Neither will be needed for exporting an iSCSI LUN.
vol options volNfoo no_atime_update on
vol options volNfoo nosnap on
snap reserve volNfoo 0

8. Enable iSCSI and configure default authentication.
options iscsi.enable on
iscsi nodename iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
iscsi security default -s CHAP -p yoursecurepassword -n psilodump

where yoursecurepassword is more secure. For iSCSI hosts, the target will be on node iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca with username psilodump and password yoursecurepassword.

9. Create a LUN on your volume:
lun create -s XXXK -t linux /vol/volNfoo/lun0

where XXXK is the amount of available space on the volume, as shown by the command df.

10. Create an iSCSI initiator group and add all of your hosts to it:
igroup create -i -t linux volNfoo_group
igroup add volNfoo_group iqn.1993-08.org.debian:01:123456789
igroup add volNfoo_group iqn.1993-08.org.debian:01:981287231
...

The node identifiers given to the igroup add command will soon be able to access the iSCSI LUN you created above.

11. Map the LUN to the iSCSI initiator group:
lun map /vol/volNfoo/lun0 volNfoo_group

You're done! Any host in the initiator group should now be able to access the LUN you've created as a block device.

===aspartame Configuration===
Install open-iscsi:
apt-get install open-scsi

Edit /etc/iscsi/iscsid.conf:
node.startup = manual
discovery.sendtargets.auth.authmethod=CHAP
discovery.sendtargets.auth.username=username
discovery.sendtargets.auth.password=password
node.session.auth.authmethod=CHAP
node.session.auth.username=username
node.session.auth.password=password

Start open-iscsi service:
service open-iscsi start

Scan for iSCSI devices from the NetApp:
iscsiadm --mode discovery --type st --portal psilodump

This should dump out a ton of information, for example:
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2001 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,2002 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
[fe80::XXXX:XXXX:XXXX:XXXX]:3260,1000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
10.15.134.131:3260,2002 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
129.97.134.131:3260,2001 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
10.15.134.130:3260,2000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca
129.97.134.130:3260,1000 iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca

The .130 IPs correspond to one filer, and the .131 IPs correspond to the other filer. Currently we are only using one of the filers (psilodump).

This also populates the /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca directory with all possible ways to access the NetApp. For testing purposes (i.e. node.startup = manual), this is okay.

Test to see if you can get the iSCSI device to show up correctly:
iscsiadm --mode node --targetname "iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca" --portal 10.15.134.130:3260 --login

This should produce output similar to:
Logging in to [iface: default, target: iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca, portal: 10.15.134.130,3260]
Login to [iface: default, target: iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca, portal: 10.15.134.130,3260]: successful

Check /dev/disk/by-path/ip* to ensure new disks show up:
# ls -l /dev/disk/by-path/ip*
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-0 -> ../../sda
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-0-part1 -> ../../sda1
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-1 -> ../../sdb
/dev/disk/by-path/ip-10.15.134.130:3260-iscsi-iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca-lun-1-part1 -> ../../sdb1

If this fails, check all your configuration again.

If this succeeds, you are now ready to try autoconnecting the iSCSI device.

Delete all extraneous entries from /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca . This prevents the startup script from (a) hanging, and (b) being very upset. All that is left should be the interface you intend to connect through:
# ls -l /etc/iscsi/nodes/iqn.1992-08.com.netapp:psilodump.csclub.uwaterloo.ca/
10.15.134.130,3260,2000

Edit /etc/iscsi/iscsid.conf:
node.startup = automatic

For the init.d script to work correctly (i.e. properly mount things) we need to add a sleep to allow the device to settle:
Edit /etc/init.d/open-iscsi roughly around line 127 to add a "sleep 1":
...
# Now let's mount
sleep 1
log_daemon_msg "Mounting network filesystems"
MOUNT_RESULT=1
if mount -a -O _netdev >/dev/null 2>&1; then
MOUNT_RESULT=0
break
fi
log_end_msg $MOUNT_RESULT
...

Now we can restart the service:
service open-iscsi restart

Now you can configure partitions and mountpoints.

==Other notes==

===Transferring old files from ginseng===

====Method A====

* On ginseng, use parted to set up the mounted iscsi drive as an ext4 primary partition (setting up a partition of size >2TB requires care and a GPT)
* Compiled star in /root on ginseng
* Transferred files with the following Makefile (assuming original user directories in /export/users, destination volume in /mnt/iscsi, make -j8):
foo := $(wildcard /export/users/*)
bar := $(patsubst /export/users/%,/mnt/iscsi/%,$(foo))
all: $(bar)
/mnt/iscsi/%: /export/users/%
# echo $@ $<
~/star-1.5.2/star/OBJ/x86_64-linux-cc/star \
-copy -p -acl artype=exustar \
-C /export/users $(notdir $<) /mnt/iscsi

====Method B====

* On ginseng, authenticate with iSCSI target (psilodump.csclub.uwaterloo.ca lun0).
* Umount /dev/mapper/vg0-users
* Copy users filesystem directly to iSCSI target:
dd if=/dev/mapper/vg0-users of=/path/to/psilodump:lun0 bs=8M
* Resize users filesystem on destination partition to fit:
resize2fs /path/to/psilodump:lun0

===Exporting Kerberized NFS from Debian Sid===

The default kernel in Debian sid (stable, 2.6.32) does not support the necessary crypto suites to export kerberized NFS to newer kernels. You MUST upgrade the kernel, nfs-common, and nfs-kernel-server packages to AT LEAST squeeze-backports.

===iSCSI block device mount optimizations===

tmyklebu made some changes to /sys/block/sda/queue. The following is now in /etc/rc.local on aspartame:

echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 32768 > /sys/block/sda/queue/max_sectors_kb
echo 4096 > /sys/block/sda/queue/nr_requests
echo noop > /sys/block/sda/queue/scheduler

We should increase the iSCSI configs node.session.queue_depth and node.session.cmds_max during next maintenance window.

==Disk information==
* shelf 1
** 14x136GB 10,000RPM FibreChannel disks
** Currently disconnected, could be connected to psilodump or directly to another machine.
* shelf 2
** 14x136GB 10,000RPM FibreChannel disks
** Currently assigned to psilodump
* shelf 3
** 14x500GB 7,200RPM ATA disks
** Currently assigned to psilodump
* shelf 4
** 14x500GB 7,200RPM ATA disks
** Currently assigned to psilodump

===Aggregates===
* aggr0
** Root aggregate volume, in RAID-DP
* aggr1
** Music aggregate volume, in RAID-DP
* aggr_users
** Users aggregate volume, in RAID-DP
* aggr2
** Old users aggregate volume, in RAID-DP

===Volumes===
* /vol/vol0
** Root volume.
* /vol/vol1music
** Music volume. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol1music/lun0 .
* /vol/vol2users
** Users volume. This volume is not accessible via NFS or CIFS. It contains only the iSCSI LUN /vol/vol2users/lun0 .

==Commands==
aggr status -r aggr<num>
Shows aggregate status
disk show -v
Shows disks, and which filer they are owned by (currently all by psilodump)
storage
storage related things
disk assign
Assigns orphaned disks to a filer
vol
Volume stuffs

==Terminology==
* RAID-DP - Double Parity RAID4

Syscom Todo

2015-07-15T17:44:23Z

Ehashman:

Printing

2014-09-23T23:14:26Z

Ehashman: /* MathSoc Printer (new) */

= Setting up printers =

We usually support the MathSoc and MFCF printers on our office terminals.

== MathSoc Printer (new) ==

The new MathSoc Printer is an HP LaserJet Pro MFP M476dn, and requires the HPLIP v3.14.4 drivers. This model is not supported by the default version of HPLIP in Ubuntu 14.04 (3.14.3); therefore, you will need to run the installation scripts.

# Go to [http://hplipopensource.com/hplip-web/install/install/index.html the HP Linux Imaging and Printing site] and download hplip, version >= 3.14.4.
# Follow the installation walkthrough; make sure you put the run script in <tt>/tmp</tt> to avoid NFS permissions problems. Then execute <pre>sh hplip-x.xx.x.run</pre>
#* All the default options are fine. You can select the automatic setup process.
#** This is '''not''' true for <tt>maltodextrin</tt>, which had some issues with the scanner group during the setup process. We don't actually need scanner support, so I fixed this by selecting a subset of features (that excluded scanning) in the "custom" install.
#* This will take a while and install all your dependencies; you need to supply it your sudo password.
#* When prompted about USB-conncted printers, you can select "i=ignore".
# Now you should be able to add the printer through the Ubuntu GUI: <pre>gksudo /usr/share/system-config-printer/system-config-printer.py</pre> Follow the wizard step-by-step:
## URI: <pre>ipp://lp-mc3038.mathsoc.uwaterloo.ca/ipp</pre>
## Choose "Select Printer from Database", and select details:
##* Brand: HP
##* Make: Color LaserJet Pro MFP m476dn
## Fill in printer info:
##* Name: MathSoc
##* Description: The colour printer in MathSoc. Printing is 10 cents per double-sided black and white sheet, and 35 cents per colour side.
##* Location: MC 3038
## Set default options: make sure that Job Options > print-color-mode: is set to '''monochrome''' and Printer Options > Two-sided: is set to '''Long-Edge Binding'''.

== ljp_3016 printer ==

# Printer Connection: <pre>ipp://print.cs.uwaterloo.ca/printers/ljp_3016</pre>
# Name: ljp_3016
# Description: Main Math Printers
# Location: MC 3016
# Brand: HP
# Make: LaserJet 4250 Foomatic/Postscript
# Default options: make sure that two-sided printing is set to long-edge

'''NOTE: If the brand/make is not available for selection, don't download any third-party drivers. These drivers are available in apt. Find them there.'''

Print quota is done via IST's XAS system, which can be accessed here: [http://strobe.uwaterloo.ca/ist/services/index.php?service=62] or [https://ist-xas.uwaterloo.ca/xas/]

= Setting up CUPS, the printing subsystem =
# Install <tt>cups</tt>.
# Go to <tt>http://localhost:631/</tt>. Go to 'Add Printer'. You may need to supply the root username/password.
# Click 'Internet Printing Protocol (ipp)'. CSC doesn't have any local printers, chances are all printers are connected via LAN. If it is LAN, then it is ipp.
# Enter connection, name, and description of the printer.

If there is a machine with printing already properly set up, you may copy the file /etc/cups/printers.conf to the corresponding location on machines that aren't set up. Ensure that you stop CUPS (sudo service cups stop) on the fresh machine before copying over printers.conf (and don't forget to start it again afterward).

Printing

2014-09-23T22:48:17Z

Ehashman: /* MathSoc Printer (new) */

= Setting up printers =

We usually support the MathSoc and MFCF printers on our office terminals.

== MathSoc Printer (new) ==

The new MathSoc Printer is an HP LaserJet Pro MFP M476dn, and requires the HPLIP v3.14.4 drivers. This model is not supported by the default version of HPLIP in Ubuntu 14.04 (3.14.3); therefore, you will need to run the installation scripts.

# Go to [http://hplipopensource.com/hplip-web/install/install/index.html the HP Linux Imaging and Printing site] and download hplip, version >= 3.14.4.
# Follow the installation walkthrough; make sure you put the run script in <tt>/tmp</tt> to avoid NFS permissions problems. Then execute <pre>sh hplip-x.xx.x.run</pre>
#* All the default options are fine. You can select the automatic setup process.
#* This will take a while and install all your dependencies; you need to supply it your sudo password.
#* When prompted about USB-conncted printers, you can select "i=ignore".
# Now you should be able to add the printer through the Ubuntu GUI: <pre>gksudo /usr/share/system-config-printer/system-config-printer.py</pre> Follow the wizard step-by-step:
## URI: <pre>ipp://lp-mc3038.mathsoc.uwaterloo.ca/ipp</pre>
## Choose "Select Printer from Database", and select details:
##* Brand: HP
##* Make: Color LaserJet Pro MFP m476dn
## Fill in printer info:
##* Name: MathSoc
##* Description: The colour printer in MathSoc. Printing is 10 cents per double-sided black and white sheet, and 35 cents per colour side.
##* Location: MC 3038
## Set default options: make sure that Job Options > print-color-mode: is set to '''monochrome''' and Printer Options > Two-sided: is set to '''Long-Edge Binding'''.

== ljp_3016 printer ==

# Printer Connection: <pre>ipp://print.cs.uwaterloo.ca/printers/ljp_3016</pre>
# Name: ljp_3016
# Description: Main Math Printers
# Location: MC 3016
# Brand: HP
# Make: LaserJet 4250 Foomatic/Postscript
# Default options: make sure that two-sided printing is set to long-edge

'''NOTE: If the brand/make is not available for selection, don't download any third-party drivers. These drivers are available in apt. Find them there.'''

Print quota is done via IST's XAS system, which can be accessed here: [http://strobe.uwaterloo.ca/ist/services/index.php?service=62] or [https://ist-xas.uwaterloo.ca/xas/]

= Setting up CUPS, the printing subsystem =
# Install <tt>cups</tt>.
# Go to <tt>http://localhost:631/</tt>. Go to 'Add Printer'. You may need to supply the root username/password.
# Click 'Internet Printing Protocol (ipp)'. CSC doesn't have any local printers, chances are all printers are connected via LAN. If it is LAN, then it is ipp.
# Enter connection, name, and description of the printer.

If there is a machine with printing already properly set up, you may copy the file /etc/cups/printers.conf to the corresponding location on machines that aren't set up. Ensure that you stop CUPS (sudo service cups stop) on the fresh machine before copying over printers.conf (and don't forget to start it again afterward).

Printing

2014-09-23T18:30:10Z

Ehashman:

= Setting up printers =

We usually support the MathSoc and MFCF printers on our office terminals.

== MathSoc Printer (new) ==

The new MathSoc Printer is an HP LaserJet Pro MFP M476dn, and requires the HPLIP v3.14.4 drivers. This model is not supported by the default version of HPLIP in Ubuntu 14.04 (3.14.3); therefore, you will need to run the installation scripts.

# Go to [http://hplipopensource.com/hplip-web/install/install/index.html the HP Linux Imaging and Printing site] and download hplip, version >= 3.14.4.
# Follow the installation walkthrough; make sure you put the run script in <tt>/tmp</tt> to avoid NFS permissions problems. Then execute <pre>sh hplip-x.xx.x.run</pre>
#* This will take a while and install all your dependencies.
# Now you should be able to add the printer through the Ubuntu GUI: <pre>gksudo /usr/share/system-config-printer/system-config-printer.py</pre> Follow the wizard step-by-step:
## URI: <pre>ipp://lp-mc3038.mathsoc.uwaterloo.ca/ipp</pre>
## Choose "Select Printer from Database", and select details:
##* Brand: HP
##* Make: Color LaserJet Pro MFP m476dn
## Fill in printer info:
##* Name: MathSoc
##* Description: The colour printer in MathSoc. Printing is 10 cents per double-sided black and white sheet, and 35 cents per colour side.
##* Location: MC 3038
## Set default options: make sure that Job Options > print-color-mode: is set to '''monochrome''' and Printer Options > Two-sided: is set to '''Long-Edge Binding'''.

== ljp_3016 printer ==

# Printer Connection: <pre>ipp://print.cs.uwaterloo.ca/printers/ljp_3016</pre>
# Name: ljp_3016
# Description: Main Math Printers
# Location: MC 3016
# Brand: HP
# Make: LaserJet 4250 Foomatic/Postscript
# Default options: make sure that two-sided printing is set to long-edge

'''NOTE: If the brand/make is not available for selection, don't download any third-party drivers. These drivers are available in apt. Find them there.'''

Print quota is done via IST's XAS system, which can be accessed here: [http://strobe.uwaterloo.ca/ist/services/index.php?service=62] or [https://ist-xas.uwaterloo.ca/xas/]

= Setting up CUPS, the printing subsystem =
# Install <tt>cups</tt>.
# Go to <tt>http://localhost:631/</tt>. Go to 'Add Printer'. You may need to supply the root username/password.
# Click 'Internet Printing Protocol (ipp)'. CSC doesn't have any local printers, chances are all printers are connected via LAN. If it is LAN, then it is ipp.
# Enter connection, name, and description of the printer.

If there is a machine with printing already properly set up, you may copy the file /etc/cups/printers.conf to the corresponding location on machines that aren't set up. Ensure that you stop CUPS (sudo service cups stop) on the fresh machine before copying over printers.conf (and don't forget to start it again afterward).

Printing

2014-09-23T18:29:34Z

Ehashman: /* Setting up CUPS, the printing subsystem */

== MathSoc Printer (new) ==

The new MathSoc Printer is an HP LaserJet Pro MFP M476dn, and requires the HPLIP v3.14.4 drivers. This model is not supported by the default version of HPLIP in Ubuntu 14.04 (3.14.3); therefore, you will need to run the installation scripts.

# Go to [http://hplipopensource.com/hplip-web/install/install/index.html the HP Linux Imaging and Printing site] and download hplip, version >= 3.14.4.
# Follow the installation walkthrough; make sure you put the run script in <tt>/tmp</tt> to avoid NFS permissions problems. Then execute <pre>sh hplip-x.xx.x.run</pre>
#* This will take a while and install all your dependencies.
# Now you should be able to add the printer through the Ubuntu GUI: <pre>gksudo /usr/share/system-config-printer/system-config-printer.py</pre> Follow the wizard step-by-step:
## URI: <pre>ipp://lp-mc3038.mathsoc.uwaterloo.ca/ipp</pre>
## Choose "Select Printer from Database", and select details:
##* Brand: HP
##* Make: Color LaserJet Pro MFP m476dn
## Fill in printer info:
##* Name: MathSoc
##* Description: The colour printer in MathSoc. Printing is 10 cents per double-sided black and white sheet, and 35 cents per colour side.
##* Location: MC 3038
## Set default options: make sure that Job Options > print-color-mode: is set to '''monochrome''' and Printer Options > Two-sided: is set to '''Long-Edge Binding'''.

== ljp_3016 printer ==

# Printer Connection: <pre>ipp://print.cs.uwaterloo.ca/printers/ljp_3016</pre>
# Name: ljp_3016
# Description: Main Math Printers
# Location: MC 3016
# Brand: HP
# Make: LaserJet 4250 Foomatic/Postscript
# Default options: make sure that two-sided printing is set to long-edge

'''NOTE: If the brand/make is not available for selection, don't download any third-party drivers. These drivers are available in apt. Find them there.'''

Print quota is done via IST's XAS system, which can be accessed here: [http://strobe.uwaterloo.ca/ist/services/index.php?service=62] or [https://ist-xas.uwaterloo.ca/xas/]

= Setting up CUPS, the printing subsystem =
# Install <tt>cups</tt>.
# Go to <tt>http://localhost:631/</tt>. Go to 'Add Printer'. You may need to supply the root username/password.
# Click 'Internet Printing Protocol (ipp)'. CSC doesn't have any local printers, chances are all printers are connected via LAN. If it is LAN, then it is ipp.
# Enter connection, name, and description of the printer.

If there is a machine with printing already properly set up, you may copy the file /etc/cups/printers.conf to the corresponding location on machines that aren't set up. Ensure that you stop CUPS (sudo service cups stop) on the fresh machine before copying over printers.conf (and don't forget to start it again afterward).

Printing

2014-09-23T18:28:55Z

Ehashman: /* MathSoc Printer (old) */

= Setting up CUPS, the printing subsystem =
# Install <tt>cups</tt>.
# Go to <tt>http://localhost:631/</tt>. Go to 'Add Printer'. You may need to supply the root username/password.
# Click 'Internet Printing Protocol (ipp)'. CSC doesn't have any local printers, chances are all printers are connected via LAN. If it is LAN, then it is ipp.
# Enter connection, name, and description of the printer.

If there is a machine with printing already properly set up, you may copy the file /etc/cups/printers.conf to the corresponding location on machines that aren't set up. Ensure that you stop CUPS (sudo service cups stop) on the fresh machine before copying over printers.conf (and don't forget to start it again afterward).

== MathSoc Printer (new) ==

The new MathSoc Printer is an HP LaserJet Pro MFP M476dn, and requires the HPLIP v3.14.4 drivers. This model is not supported by the default version of HPLIP in Ubuntu 14.04 (3.14.3); therefore, you will need to run the installation scripts.

# Go to [http://hplipopensource.com/hplip-web/install/install/index.html the HP Linux Imaging and Printing site] and download hplip, version >= 3.14.4.
# Follow the installation walkthrough; make sure you put the run script in <tt>/tmp</tt> to avoid NFS permissions problems. Then execute <pre>sh hplip-x.xx.x.run</pre>
#* This will take a while and install all your dependencies.
# Now you should be able to add the printer through the Ubuntu GUI: <pre>gksudo /usr/share/system-config-printer/system-config-printer.py</pre> Follow the wizard step-by-step:
## URI: <pre>ipp://lp-mc3038.mathsoc.uwaterloo.ca/ipp</pre>
## Choose "Select Printer from Database", and select details:
##* Brand: HP
##* Make: Color LaserJet Pro MFP m476dn
## Fill in printer info:
##* Name: MathSoc
##* Description: The colour printer in MathSoc. Printing is 10 cents per double-sided black and white sheet, and 35 cents per colour side.
##* Location: MC 3038
## Set default options: make sure that Job Options > print-color-mode: is set to '''monochrome''' and Printer Options > Two-sided: is set to '''Long-Edge Binding'''.

== ljp_3016 printer ==

# Printer Connection: <pre>ipp://print.cs.uwaterloo.ca/printers/ljp_3016</pre>
# Name: ljp_3016
# Description: Main Math Printers
# Location: MC 3016
# Brand: HP
# Make: LaserJet 4250 Foomatic/Postscript
# Default options: make sure that two-sided printing is set to long-edge

'''NOTE: If the brand/make is not available for selection, don't download any third-party drivers. These drivers are available in apt. Find them there.'''

Print quota is done via IST's XAS system, which can be accessed here: [http://strobe.uwaterloo.ca/ist/services/index.php?service=62] or [https://ist-xas.uwaterloo.ca/xas/]

Printing

2014-09-23T18:28:39Z

Ehashman: /* MathSoc Printer (new) */

= Setting up CUPS, the printing subsystem =
# Install <tt>cups</tt>.
# Go to <tt>http://localhost:631/</tt>. Go to 'Add Printer'. You may need to supply the root username/password.
# Click 'Internet Printing Protocol (ipp)'. CSC doesn't have any local printers, chances are all printers are connected via LAN. If it is LAN, then it is ipp.
# Enter connection, name, and description of the printer.

If there is a machine with printing already properly set up, you may copy the file /etc/cups/printers.conf to the corresponding location on machines that aren't set up. Ensure that you stop CUPS (sudo service cups stop) on the fresh machine before copying over printers.conf (and don't forget to start it again afterward).

== MathSoc Printer (new) ==

The new MathSoc Printer is an HP LaserJet Pro MFP M476dn, and requires the HPLIP v3.14.4 drivers. This model is not supported by the default version of HPLIP in Ubuntu 14.04 (3.14.3); therefore, you will need to run the installation scripts.

# Go to [http://hplipopensource.com/hplip-web/install/install/index.html the HP Linux Imaging and Printing site] and download hplip, version >= 3.14.4.
# Follow the installation walkthrough; make sure you put the run script in <tt>/tmp</tt> to avoid NFS permissions problems. Then execute <pre>sh hplip-x.xx.x.run</pre>
#* This will take a while and install all your dependencies.
# Now you should be able to add the printer through the Ubuntu GUI: <pre>gksudo /usr/share/system-config-printer/system-config-printer.py</pre> Follow the wizard step-by-step:
## URI: <pre>ipp://lp-mc3038.mathsoc.uwaterloo.ca/ipp</pre>
## Choose "Select Printer from Database", and select details:
##* Brand: HP
##* Make: Color LaserJet Pro MFP m476dn
## Fill in printer info:
##* Name: MathSoc
##* Description: The colour printer in MathSoc. Printing is 10 cents per double-sided black and white sheet, and 35 cents per colour side.
##* Location: MC 3038
## Set default options: make sure that Job Options > print-color-mode: is set to '''monochrome''' and Printer Options > Two-sided: is set to '''Long-Edge Binding'''.

== MathSoc Printer (old) ==

# Go to [http://welcome.solutions.brother.com/bsc/public_s/id/linux/en/download_prn.html#MFC-9970CDW the Brother site] and grab the cupswrapper and lpr drivers.
# Install the drivers with <tt>dpkg</tt>. You may need to use <tt>--force architecture</tt> on a 64-bit machine; don't worry, the package is actually arch-independent. <pre>sudo dpkg --force-architecture -i mfc9970*.deb</pre>
# On a 64-bit machine, install <tt>ia32-libs</tt>
# Printer Connection: <pre>ipp://lp-mc3038.mathsoc.uwaterloo.ca/ipp</pre>
# Name: MathSoc
# Description: The colour printer in MathSoc. Printing is 10 cents per double-sided black and white sheet, and 30 cents per colour side.
# Location: MC 3038
# Brand: Brother
# Make: MFC 9770CDW
# Default options: make sure that Color is set to Mono and Two-sided printing is set to Long-edge.

== ljp_3016 printer ==

# Printer Connection: <pre>ipp://print.cs.uwaterloo.ca/printers/ljp_3016</pre>
# Name: ljp_3016
# Description: Main Math Printers
# Location: MC 3016
# Brand: HP
# Make: LaserJet 4250 Foomatic/Postscript
# Default options: make sure that two-sided printing is set to long-edge

'''NOTE: If the brand/make is not available for selection, don't download any third-party drivers. These drivers are available in apt. Find them there.'''

Print quota is done via IST's XAS system, which can be accessed here: [http://strobe.uwaterloo.ca/ist/services/index.php?service=62] or [https://ist-xas.uwaterloo.ca/xas/]

Printing

2014-09-23T18:04:52Z

Ehashman: /* MathSoc Printer */

= Setting up CUPS, the printing subsystem =
# Install <tt>cups</tt>.
# Go to <tt>http://localhost:631/</tt>. Go to 'Add Printer'. You may need to supply the root username/password.
# Click 'Internet Printing Protocol (ipp)'. CSC doesn't have any local printers, chances are all printers are connected via LAN. If it is LAN, then it is ipp.
# Enter connection, name, and description of the printer.

If there is a machine with printing already properly set up, you may copy the file /etc/cups/printers.conf to the corresponding location on machines that aren't set up. Ensure that you stop CUPS (sudo service cups stop) on the fresh machine before copying over printers.conf (and don't forget to start it again afterward).

== MathSoc Printer (new) ==

# Go to [http://welcome.solutions.brother.com/bsc/public_s/id/linux/en/download_prn.html#MFC-9970CDW the Brother site] and grab the cupswrapper and lpr drivers.
# Install the drivers with <tt>dpkg</tt>. You may need to use <tt>--force architecture</tt> on a 64-bit machine; don't worry, the package is actually arch-independent. <pre>sudo dpkg --force-architecture -i mfc9970*.deb</pre>
# On a 64-bit machine, install <tt>ia32-libs</tt>
# Printer Connection: <pre>ipp://lp-mc3038.mathsoc.uwaterloo.ca/ipp</pre>
# Name: MathSoc
# Description: The colour printer in MathSoc. Printing is 10 cents per double-sided black and white sheet, and 30 cents per colour side.
# Location: MC 3038
# Brand: Brother
# Make: MFC 9770CDW
# Default options: make sure that Color is set to Mono and Two-sided printing is set to Long-edge.

== MathSoc Printer (old) ==

# Go to [http://welcome.solutions.brother.com/bsc/public_s/id/linux/en/download_prn.html#MFC-9970CDW the Brother site] and grab the cupswrapper and lpr drivers.
# Install the drivers with <tt>dpkg</tt>. You may need to use <tt>--force architecture</tt> on a 64-bit machine; don't worry, the package is actually arch-independent. <pre>sudo dpkg --force-architecture -i mfc9970*.deb</pre>
# On a 64-bit machine, install <tt>ia32-libs</tt>
# Printer Connection: <pre>ipp://lp-mc3038.mathsoc.uwaterloo.ca/ipp</pre>
# Name: MathSoc
# Description: The colour printer in MathSoc. Printing is 10 cents per double-sided black and white sheet, and 30 cents per colour side.
# Location: MC 3038
# Brand: Brother
# Make: MFC 9770CDW
# Default options: make sure that Color is set to Mono and Two-sided printing is set to Long-edge.

== ljp_3016 printer ==

# Printer Connection: <pre>ipp://print.cs.uwaterloo.ca/printers/ljp_3016</pre>
# Name: ljp_3016
# Description: Main Math Printers
# Location: MC 3016
# Brand: HP
# Make: LaserJet 4250 Foomatic/Postscript
# Default options: make sure that two-sided printing is set to long-edge

'''NOTE: If the brand/make is not available for selection, don't download any third-party drivers. These drivers are available in apt. Find them there.'''

Print quota is done via IST's XAS system, which can be accessed here: [http://strobe.uwaterloo.ca/ist/services/index.php?service=62] or [https://ist-xas.uwaterloo.ca/xas/]

Past Executive

2013-12-15T03:17:35Z

Ehashman:

__NOTOC__

Data sources for this exec list have been: CSC records, MathNEWS.
According to the warrior wiki dudes, there was an article about the CSC being founded in the chevron: ''This week on campus''. The Chevron. January 5 1968. Page 16. -- somebody should get a copy of that.

= Definitions =
#define PR President
#define VP Vice-president
#define TR Treasurer
#define SE Secretary
#define SA Sysadmin
#define OF Office Manager
#define LI Librarian
#define FL Flasher
#define DE Deity
#define WW Webmaster
#define OF Office Manager
#define SE-TR Secretary-Treasurer (Position was split)

=Founding 1967=

Sponsor - J. Peter Sprung
PR: K. Rugger
VP: R. Jaques
SE-TR: G. Sutherland

Founding Members:
B. Kindree
R. Melen
V. Neglia
R. Charney
R. Truman
Glenn Berry
D. Meek

===Fall===

PR: Bill Kindred
VP: Rick Jacques
SE-TR: Graham Sutherland

Committee members: R. Stallwerthy, C. de Vries

=1968=

===Winter===

PR: Bill Kindred
VP: Rick Jacques
SE-TR: Graham Sutherland

===Fall===

SE-TR: Glenn Berry

=1969=

Unknown, only one letter found in the folder 'ACM History' addressed to Glenn Berry, which makes it likely that he was SE-TR once again. May be indicated in membership lists. The club appears to have died this academic year.

=1970=

===A note on ACM affiliation===

The first attempt at joining the ACM was started with an informal inquiry Dec 5, 1967. This lead to a series of constitution edits (working towards affiliation) in Winter 1968. There was a break for the spring (no correspondence found, I presume we were waiting on a reply). In the fall records indicate that our constitution and chartering was rejected, further correspondence was sent in Fall 1968 by Glenn Berry. A new inquiry, seemingly unaware of the first was sent Dec 7, 1970

===Fall===

PR: Rick Beach
VP: Lee Santon
TR: Randy Melen
SE: Vic Neglia

=1971=

===Spring===

VP: James H. "Jim" Finch and James W. Welch both signed letters as VP.

===Fall===

VP: James W. Welch

=1972=

It appears we visited Western and Western visited us this year (there is some reference to a similar occurrence the year previous). Documents from 1973 indicate a termly exec structure, this probably goes back to 1972.

===Winter===

PR: Mike Campbell
VP: Edgar Hew
SE-TR: Doug Lacy

There is also stuff from James W. Welch without a position.

===Fall===

PR: Ian McIntosh

=1973=

Faculty Sponsor: Morven Gentleman

===Winter===

SE: Douglas E. Lacy

===Spring===

PR: Jim Parry

===Fall===

PR: Jim Parry
VP: Ray Walden
TR: Slavko Stemberger
SE: Mario Festival

=1974=

===Fall===

PR: Russell Crook

=1975-1977=

Faculty Sponsor: Morven Gentleman??

Peter Raynham reports (first hand account): president for at least 2 or 3 terms in this period.
Sylvia Eng: 1975/6 as some position.
Dave Buckingham: a VP at some point
Allison Nolan: 1977 time
Peter Stevens: 1977
Russel Crook???

Dennis Ritchie came. So did Jeffrey D. Ullman.

=1976=

===Fall===

Progcom: Peter Stevens

=1977=

===Winter===

Progcom: Allison Nowlan

===Spring===

PR: Peter Stevens
Progcom: Allison Nowlan

===Fall===

PR: Andrzej Jan Taramina
Progcom: Allison Nowlan

=1978=

===Winter===

PR: Peter Stevens

===Spring===

TR: K.G. Dykes
SE: Kandry Mutheardy

Brian Kernighan gave a talk this term. So did Ken Thompson.

===Fall===

=1979=

===Spring===

PR: Robert Biddle

=1987=

===Fall===

PR: Jim Boritz
VP: Ted Timar
TR: Gayla Boritz
SE: Edwin Hoogerbeets

=1988=

Jim Boritz was president in Winter 1988. (Source: http://csclub.uwaterloo.ca/misc/procedure.pdf)
Tim Timar - cc'd on memos/mentioned on mathsoc minutes in 1987/88.
The Sysadmin and Office Manager positions seem to have been created somewhere in here. The 'Record Management Profile' that Robyn Stewart did as an assignment in 1991-1992 for some class at UBC
indicates the existence of both positions. We acquired an HP-9000 in the summer of 1988 and as this was out first "real" computer (previously we had an IBM PC and terminal), the sysadmin position was created, starting with the Fall 1988 term.

===Fall===

SA: Wade Richards

=1989=

===Winter===

http://mirror.csclub.uwaterloo.ca/csclub/bill-gates-1989-big.jpg

Left to right: Jim Boritz (bottom), Wade Richards (top), Ted Timar, ???, Keven Smith, Bill Gates (not exec), Angela Chambers, Ross Ridge (top), Sean Goggin (bottom), ???

PR: Barry W. Smith
VP: Angela Chambers
TR:
SE: Sean Goggin
SA: Wade Richards / Ross Ridge

(President Kevin Smith confirmed: http://csclub.uwaterloo.ca/misc/procedure.pdf)

===Spring===

PR: Jim Thornton
VP: Gayla Boritz
TR: David Fenger
SE: Kivi Shapiro
SA: Reid Pinchback

Assistance to sysadmin: Jim Boritz.

===Fall===

PR: James Boritz
VP: Edmond Bourne
SA: Ross Ridge

=1990=

===Winter===

TR: Jim Thornton

===Spring===

TR: Karen Smith
SE: Robyn Steward

===Fall===
PR: Wade Richards
TR: Carolyn Duke
SE: Robyn Stewart - attended mathsoc meeting on our behalf.
Kivi Shapiro - attended mathsoc meeting on our behalf.
- Censured by mathsoc for his actions during the election.
Shannon Mann - attended mathsoc meeting on our behalf.

=1991=

===Winter===
VP: Edmond Bourne
TR: Carolyn Duke
SE: Robyn Stewart
Shannon Mann - attended mathsoc meeting on our behalf.

John McCarthy came this term.

===Spring===
TR: Rob Leitman
Jason Knell - attended mathsoc meeting on our and PMC's behalf.

===Fall===
TR: Mike Van Lingen
Wiktor Wiewiorowski - attended mathsoc meeting on our behalf this term.

=1992=

===Winter===
TR: Norm Ross
SE: Brent Williams

===Spring===
PR: Dale Wick
TR: Stephen A. Mills

===Fall===
TR: Mark Plumb

=1993=

===Winter===
TR: Rob Leitman
VP: Tim Prime
OF: Dave Ebbo
LI: Norm Ross

Other exec for this term: Ellen Hsiang, Sam Coulombe, Peter Gray

===Spring===
TR: Mark Tompsett

===Fall===

PR: Ian Goldberg

=1994=

===Winter===
PR: Ian Goldberg
TR: Mark Tompsett
SE: Tom Rathbourne
LI: Michael Van Biesbrouck
Norm Ross assisted with finances.

===Spring===
PR: Dale Wick (?)
TR: Steve Mills
SA: Ian Goldberg (?)
Norm Ross assisted with finances.

===Fall===
PR: Ross Ridge
VP: Tom Rathbourne (?)
TR: Rob Leitman
SA: Zygo Blaxell
LI: Michael Van Biesbrouck

=1995=

===Winter===
TR: Sharlene Schmeichel
Amy Brown and Rob Ridge purchased books.

===Spring===
TR: Steve Mills

===Fall===
PR: Amy Brown (arbrown)
VP: Christina Norman (cbnorman)
TR: Steven Mills (samills)
SE: Allyson Graham (akgraham)
SA: Gavin Peters

=1996=

===Winter===
PR: Nikita Borisov (nborisov)
VP: Joseph Deu Ngoc (dtdeungo)
TR: Stephen Mills (samills)
SE: Sharlene Schmeichel (saschmei)
SA: Dave Brown (dagbrown)
OF: Somsack Tsai (stsai)
LI: Devin Carless (dccarles)
FL: Allyson Graham (akgraham)
DE: Ian Goldberg (iagoldbe)

===Spring===
PR: Blake Winton (bwinton)
VP: Nick Harvey (njaharve)
TR: Nikita Borisov (nborisov)
SE: Viet-Trung Luu (vluu)
SA: Drew Hamilton (awhamilt)
OF: Jillian Arnott (jarnott)
LI: Ross Ridge (rridge)
FL: Devin Carless (dccarles)

=== Fall ===
PR: Shannon Mann (sjbmann)
VP: Joe "Frosh" Deu Ngoc (jtdeungo) resigned (heavy workload)
TR: Michal Van Biesbrouck (mlvanbie)
SE: Nikita Borisov (nborisov)
SA: Chris Rovers
OF: Dax Hutcheon (ddhutche) became VP upon jtduengo's resignation
LI: Aliz Csenki (acsenki)
FL: Aaron Chmielowiec (archmiel)
DE: Skuld (no uwuserid yet...)

=1997=

===Winter===
PR: Dima Brodsky
VP: Nikita Borisov (nborisov)
TR: Stephen Mills (samills)
SE: Evan Jones (ejones)
SA: Alex Brodsky
OF: Chris Doherty
LI: Matt Corks
FL: Paul Prescod

=== Fall ===
PR: Chris Rovers (cdrovers)
VP: Michael van Biesbrouck (mlvanbie)
TR: Somsack Tsai (stsai)
SE: Matt Corks (mvcorks)
SA: Lennart Sorensen (lsorense)
LI: Chmielowiec (archmiel)
OF: Devin Carless (dccarles)
FL: Aaron Chmielowiec (archmiel)

= 1998 =

=== Winter ===
PR: Suresh Naidu
VP: Viet-Trung Luu
TR: Tim Coleman
SE: Dax Hutcheon
Librarian: Dax Hutcheon
Flasher: Dax Hutcheon
Webmaster: Dax Hutcheon
SA: Robin Powell
OF: Aaron Chmielowiec

=== Spring ===

Position Name You might call them...
President roconnor Russell O'Connor
Vice-president trwcolem Tim Coleman
Treasurer knzarysk Karl Zaryski
Secretary (bwinton) (Blake Winton)
Sysadmin wbiggs Billy Biggs
Librarian snaidu Suresh Naidu
Flasher pechrysl Paul Chrysler
Office Manager dccarles Devin Carless
WWWW trwcolem Tim Coleman

=== Fall ===

President Joe Deu Ngoc jtdeungo
Vice-President Wai Ling Yee wlyee
Treasurer Fjord j2lynn
Secretary Matt Corks mvcorks
Sysadmin Andrew Hamilton awhamilt

World Wide Web Wench Dax Hutcheon ddhutche
Office Manager Richard Bell rlbell
Librarian Damian Gryski dgryski
Flasher Paul Chrysler pechrysl
Official Deity Ian Goldberg iagoldbe
Official Chairbeing Calum T. Dalek calum

=1999=

=== Winter ===
PR: geduggan
VP:
TR:
SE:
SA:

=2000=

=== Winter ===
PR: Will Chartrand (wgchartr)
VP: Gavin Duggan (geduggan)
TR:
SE:
SA: Lennart Sorensen (lsorense)
OF:

=== Fall ===
PR: geduggan
VP:
TR:
SE:
SA: bioster
OF:

=2001=

=== Winter ===
PR: geduggan
VP:
TR:
SE:
SA:
OF:

=== Spring ===
PR: geduggan
VP:
TR:
SE:
SA:
OF:

=2002=

http://www.mathnews.uwaterloo.ca/Issues/mn8902/cscflash.php

=== Winter ===
PR: Billy Biggs
VP: Stefanus Du Toit
TR: Melissa Basinger
SE: James Perry
SA: Barry Genova
Librarian: Ryan Golbeck
Webmaster: Jonathan Beverley
Office Manager: Sayan Li

=== Spring ===
PR: Alex Pop
VP: Melissa Basinger
TR: Siyan Li
SE: James A Morrison
SA: Jonathan Beverley
Webmaster: Stefanus Du Toit

=== Fall ===
PR: James A. Morrison
VP: Stefanus Du Toit
TR: James Perry
SE: Michael Biggs
SA: Ryan Golbeck
Librarian: Mark Sherry, Cassandra Schopf
Webmaster: Stefanus Du Toit

=2003=

=== Winter ===
PR: Kannan Vijayan (kvijayan)
VP: Meg Darragh (m2darrag)
TR: James Perry (jeperry)
SE: Wojciech Kosnik (wkosnik)
SA: Stefanus Du Toit (sjdutoit)
LI: Simon Law (sfllaw)
WM: Julie Lavoie (jlavoie)

===Fall===
PR: Stefanus Du Toit (sjdutoit)
VP: Meg Darragh (m2darrag)
TR: Tor Myklebust (tmyklebu)
SE: James Perry (jeperry)
SA: Simon Law (sfllaw)
OF:

=2004=

===Winter===
PR: Simon Law (sfllaw)
VP: fspacek
TR: ljain
SE: Julie Lavoie (jlavoie)
SA: Tor Myklebust(tmyklebu)
OF:

===Spring===
PR: dnmorton ?
VP: Tim Loach (tloach)
TR: Michael Biggs (mbiggs)
SE: Lesley Northam (lanortha)
SA:
OF:

===Fall ===
PR: jeperry
VP: mtsay
TR: Mark Sherry (mdsherry)
SE: Tor Myklebust (tmyklebu)
SA: jlavoie
OF:

=2005=

===Winter===

PR: mtsay
VP: Lesley Northam (lanortha)
TR: Holden Karau (hkarau)
SE: domorton
SA: Tor Myklebust (tmyklebu)
OF:

===Spring===

PR: Mark Sherry (mdsherry)
VP: Martin Kess (mdkess)
TR: Ali Piccioni (apiccion)
SE: Michael Biggs (mbiggs)
SA: Tor Myklebust (tmyklebu)
OF:

===Fall===

PR: Tim Loach (tloach)
VP: Lesley Northam (lanortha)
TR: Caelyn McAulay (cmcaulay)
SE: The Professor
SA: Holden Karau (hkarau)
OF:

=2006=

===Winter===

PR: Tor Myklebust (tmyklebu)
VP: Michael Druker (mdruker)
TR: Caelyn McAulay (cmcaulay)
SE: Mark Sherry (mdsherry)
SA: William O'Connor (woconnor)
OF:

===Spring===
PR: David Bartley (dtbartle)
VP: David Belanger (dbelange)
TR: David Tenty (daltenty)
SE: Chris Evensen (cevensen)
SA: Holden Karau (hkarau)
OF:

===Fall===

PR: Martin Kess (mdkess)
VP: Mark Sherry (mdsherry)
TR: Sylvan L. Mably (slmably)
SE: Caelyn McAulay (cmcaulay)
SA: William O'Connor (woconnor)

=2007=

===Winter===
PR: David Bartley (dtbartle)
VP: David Belanger (dbelange)
TR: Caelyn McAulay (cmcaulay)
SE: David Tenty (daltenty)
SA: Holden Karau (hkarau)
Webmaster: jnopporn
OF:

===Spring===
PR: Gaelan D'costa (gdcosta)
VP: Kyle Larose (kmlarose)
TR: Kyle Spaans (kspaans)
SE: Erik Louie (elouie)
SA: Michael Spang (mspang)
Librarian: David Tenty (daltenty)
OF:

===Fall ===
PR: Holden Karau (hkarau)
VP: Alex McCausland (amccausl)
TR: Dominik Chlobowski (dchlobow)
SE: Sean Cumming (sgcummin)
SA: David Tenty (daltenty)
OF:
WW: dtbartle / jnopporn

=2008=

===Winter ===
PR: Sean Cumming (sgcummin)
VP: Matt Lawrence (m3lawren)
TR: Mateusz Tarkowski (mtarkows)
SE: Edgar Bering (ebering)
SA: Jordan Saunders (jmsaunde)
OF:

===Summer ===
PR: Brennan Taylor (b4taylor)
VP: Qifan Xi (qxi)
TR: Matt Lawrence (m3lawren)
SE: Nick Guenther (nguenthe)
SA:
OF:

===Fall ===
PR: Matthew Lawrence (m3lawren)
VP: Edgar Bering (ebering)
TR: Michael Gregson (mgregson)
SE: James Simpson (j2simpso) resigned for medical reasons, replaced by Dominik 'Domo' Chłobowski
SA: Kyle Spaans (kspaans)
OF:

=2009=

===Winter===
PR: Michael Gregson (mgregson)
VP: Edgar Bering (ebering)
TR: Brennan Taylor (b4taylor)
SE: James Simpson (j2simpso) resigned for business reasons, replaced by Rebecca Putinski (rjputins)
SA: Jacob Parker (j3parker)
OF: XinChi Yang / Sapphyre Gervais (x23yang / sagervai) (both)

===Spring ===
PR: Michael Spang (mspang)
VP: Jacob Parker (j3parker)
TR: Sapphyre Gervais (sagervai)
SE: Matthew McPherrin (mimcpher)
SA: Anthony Brennan (a2brenna)
OF:

===Fall===
PR: Jacob Parker (j3parker)
VP: Edgar Bering (ebering)
TR: Michael Spang (mspang)
SE: Brennan Taylor (b4taylor)
SA: Michael Ellis (m2ellis)
OF: Rebecca Putinski (rjputins)

=2010=

===Winter===
PR: Kyle Spaans (kspaans)
VP: Edgar Bering (ebering)
TR: Sapphyre Gervais (sagervai)
SE: Ajnu Jacob (ajacob)
SA: Matthew Thiffault (mthiffau)
OF: Jacob Parker (j3parker)

Keyed office staffers: j3camero,jdonland,m2ellis,mimcpher,nsasherr

===Spring===
PR: Jeff Cameron (j3camero)
VP: Brennan Taylor (b4taylor)
TR: Vardhan Mudunuru (vmudunur)
SE: Matthew Lawrence (m3lawren)
SA: Michael Ellis (m2ellis)
OF: Edgar Bering (ebering)

===Fall===
PR: Jacob Parker (j3parker)
VP: Edgar Bering (ebering)
TR: Rebecca Putinski (rjputins)
SE: Kyle Spaans (kspaans)
SA: Jeremy Roman (jbroman)
OF: Amir Sayed Khader (askhader)

=2011=

===Winter===
PR: Edgar Bering (ebering)
VP: Jennifer "Emily" Wong (jy2wong)
TR: Kyle Spaans (kspaans)
SE: Elana "Alana" Hashman (ehashman)
SA: Peter "Bofh" Barfuss (pbarfuss)
OF: Marc Burns (Marc Burns)

===Spring===
PR: Matthew Thiffault (mthiffau)
VP: Matthew McPherrin (mimcpher)
TR: Kyle Spaans (kspaans)
SE: Kwame Andrew Ansong (kansong)
SA: Jeremy Brandon Roman (jbroman)
OF: Jennifer "Emily" Wong (jy2wong)

===Fall===
PR: Marc Burns (m4burns)
VP: Katharine Hyatt (kshyatt)
TR: Jacob Parker (j3parker)
SE: Elana Hashman (ehashman)
SA: Anthony "hatguy/hotgay" Brennan (a2brenna)
OF: Kyle Spaans (kspaans)
LIB: Edgar Bering (ebering)

=2012=

===Winter===
PR: Marc Burns (m4burns)
VP: Elana Hashman (ehashman)
TR: Jacob Parker (j3parker)
SE: Matthew McPherrin (mimcpher)
SA: Jeremy Roman (jbroman)
OF: Luqman Aden (laden)
LIB: Jennifer "Emily" Wong (jy2wong)

===Summer===
PR: Anthony Brennan (a2brenna)
VP: Luqman Aden (laden)
TR: Matthew McPherrin (mimcpher)
SE: Elana Hashman (ehashman)
SA: Sarah Harvey (sharvey)
OF: Marc Burns (m4burns)
LIB: John Ladan (jladan)

===Fall===
PR: Marc Burns (m4burns)
VP: Salem Talha (satalha)
TR: Jennifer Wong (jy2wong)
SE: Elana Hashman (ehashman), resigned
SA: Jeremy Roman (jbroman)
OF: Luqman Aden (laden)
LIB: John Ladan (jladan)

=2013=

===Winter===
PR: Anthony Brennan (a2brenna)
VP: Marc Burns (m4burns)
TR: John Mumford (jsmumfor)
SE: Matt Olechnowicz (mgolechn)
SA: Sarah Harvey (sharvey)
OF: Bryan Coutts (b2coutts)
LIB: Matthew McPherrin (mimcpher)

===Spring===
PR: Shane Robert Creighton-Young (srcreigh)
VP: Visishta Vijayanand (vvijayan)
TR: Dominik Chlobowski (dchlobow)
SE: Youn Jin Kim (yj7kim)
SA: Anthony Brennan (a2brenna)
OF: Marc Burns (m4burns)
IMAPD: Dominik Chlobowski (dchlobow)

===Fall===
PR: Elana Hashman (ehashman)
VP: Marc Burns (m4burns)
TR: Dominik Chlobowski (dchlobow)
SE: Edward Lee (e45lee)
SA: Jeremy Roman (jbroman)
OF: Sean Hunt (scshunt)

Past Executive

2013-12-15T02:55:25Z

Ehashman: /* 1970 */

__NOTOC__

Data sources for this exec list have been: CSC records, MathNEWS.
According to the warrior wiki dudes, there was an article about the CSC being founded in the chevron: ''This week on campus''. The Chevron. January 5 1968. Page 16. -- somebody should get a copy of that.

= Definitions =
#define PR President
#define VP Vice-president
#define TR Treasurer
#define SE Secretary
#define SA Sysadmin
#define OF Office Manager
#define LI Librarian
#define FL Flasher
#define DE Deity
#define WW Webmaster
#define OF Office Manager
#define SE-TR Secretary-Treasurer (Position was split)

=Founding 1967=

Sponsor - J. Peter Sprung
PR: K. Rugger
VP: R. Jaques
SE-TR: G. Sutherland

Founding Members:
B. Kindree
R. Melen
V. Neglia
R. Charney
R. Truman
Glenn Berry
D. Meek

===Fall===

PR: Bill Kindred
VP: Rick Jacques
SE-TR: Graham Sutherland

Committee members: R. Stallwerthy, C. de Vries

=1968=

===Winter===

PR: Bill Kindred
VP: Rick Jacques
SE-TR: Graham Sutherland

===Spring===

===Fall===

SE-TR: Glenn Berry

=1969=

Unknown, only one letter found in the folder 'ACM History' addressed to Glenn Berry, which makes it likely that he was SE-TR once again. May be indicated in membership lists. The club appears to have died this academic year.

=1970=

===A note on ACM affiliation===

The first attempt at joining the ACM was started with an informal inquiry Dec 5, 1967. This lead to a series of constitution edits (working towards affiliation) in Winter 1968. There was a break for the spring (no correspondence found, I presume we were waiting on a reply). In the fall records indicate that our constitution and chartering was rejected, further correspondence was sent in Fall 1968 by Glenn Berry. A new inquiry, seemingly unaware of the first was sent Dec 7, 1970

===Fall===

PR: Rick Beach
VP: Lee Santon
TR: Randy Melen
SE: Vic Neglia

=1971=

===Winter===

===Spring===

VP: James H. "Jim" Finch and James W. Welch both signed letters as VP.

===Fall===

VP: James W. Welch

=1972=

It appears we visited Western and Western visited us this year (there is some reference to a similar occurrence the year previous). Documents from 1973 indicate a termly exec structure, this probably goes back to 1972.

===Winter===

PR: Mike Campbell
VP: Edgar Hew
SE-TR: Doug Lacy

There is also stuff from James W. Welch without a position.

===Spring===

===Fall===

PR: Ian McIntosh

=1973=

Faculty Sponsor: Morven Gentleman

===Winter===

SE: Douglas E. Lacy

===Spring===

PR: Jim Parry

===Fall===

PR: Jim Parry
VP: Ray Walden
TR: Slavko Stemberger
SE: Mario Festival

=1974=

===Winter===

===Spring===

===Fall===

PR: Russell Crook

=1975-1977=

Faculty Sponsor: Morven Gentleman??

Peter Raynham reports (first hand account): president for at least 2 or 3 terms in this period.
Sylvia Eng: 1975/6 as some position.
Dave Buckingham: a VP at some point
Allison Nolan: 1977 time
Peter Stevens: 1977
Russel Crook???

Dennis Ritchie came. So did Jeffrey D. Ullman.

=1976=

===Fall===

Progcom: Peter Stevens

=1977=

===Winter===

Progcom: Allison Nowlan

===Spring===

PR: Peter Stevens
Progcom: Allison Nowlan

===Fall===

PR: Andrzej Jan Taramina
Progcom: Allison Nowlan

=1978=

===Winter===

PR: Peter Stevens

===Spring===

TR: K.G. Dykes
SE: Kandry Mutheardy

Brian Kernighan gave a talk this term. So did Ken Thompson.

===Fall===

=1979=

===Winter===

===Spring===

PR: Robert Biddle

===Fall===

=1987=

===Winter===
===Spring===

===Fall===

PR: Jim Boritz
VP: Ted Timar
TR: Gayla Boritz
SE: Edwin Hoogerbeets

=1988=

Jim Boritz was president in Winter 1988. (Source: http://csclub.uwaterloo.ca/misc/procedure.pdf)
Tim Timar - cc'd on memos/mentioned on mathsoc minutes in 1987/88.
The Sysadmin and Office Manager positions seem to have been created somewhere in here. The 'Record Management Profile' that Robyn Stewart did as an assignment in 1991-1992 for some class at UBC
indicates the existence of both positions. We acquired an HP-9000 in the summer of 1988 and as this was out first "real" computer (previously we had an IBM PC and terminal), the sysadmin position was created, starting with the Fall 1988 term.

===Fall===

SA: Wade Richards

=1989=
===Winter===

http://mirror.csclub.uwaterloo.ca/csclub/bill-gates-1989-big.jpg

Left to right: Jim Boritz (bottom), Wade Richards (top), Ted Timar, ???, Keven Smith, Bill Gates (not exec), Angela Chambers, Ross Ridge (top), Sean Goggin (bottom), ???

PR: Barry W. Smith
VP: Angela Chambers
TR:
SE: Sean Goggin
SA: Wade Richards / Ross Ridge

(President Kevin Smith confirmed: http://csclub.uwaterloo.ca/misc/procedure.pdf)

===Spring===

PR: Jim Thornton
VP: Gayla Boritz
TR: David Fenger
SE: Kivi Shapiro
SA: Reid Pinchback

Assistance to sysadmin: Jim Boritz.

===Fall===

PR: James Boritz
VP: Edmond Bourne
SA: Ross Ridge

=1990=
===Winter===

TR: Jim Thornton

===Spring===

TR: Karen Smith
SE: Robyn Steward

===Fall===
PR: Wade Richards
TR: Carolyn Duke
SE: Robyn Stewart - attended mathsoc meeting on our behalf.
Kivi Shapiro - attended mathsoc meeting on our behalf.
- Censured by mathsoc for his actions during the election.
Shannon Mann - attended mathsoc meeting on our behalf.

=1991=
===Winter===
VP: Edmond Bourne
TR: Carolyn Duke
SE: Robyn Stewart
Shannon Mann - attended mathsoc meeting on our behalf.

John McCarthy came this term.

===Spring===
TR: Rob Leitman
Jason Knell - attended mathsoc meeting on our and PMC's behalf.

===Fall===
TR: Mike Van Lingen
Wiktor Wiewiorowski - attended mathsoc meeting on our behalf this term.

=1992=
===Winter===
TR: Norm Ross
SE: Brent Williams

===Spring===
PR: Dale Wick
TR: Stephen A. Mills

===Fall===
TR: Mark Plumb

=1993=
===Winter===
TR: Rob Leitman
VP: Tim Prime
OF: Dave Ebbo
LI: Norm Ross

Other exec for this term: Ellen Hsiang, Sam Coulombe, Peter Gray

===Spring===
TR: Mark Tompsett

===Fall===

PR: Ian Goldberg

=1994=

===Winter===
PR: Ian Goldberg
TR: Mark Tompsett
SE: Tom Rathbourne
LI: Michael Van Biesbrouck
Norm Ross assisted with finances.

===Spring===
PR: Dale Wick (?)
TR: Steve Mills
SA: Ian Goldberg (?)
Norm Ross assisted with finances.

===Fall===
PR: Ross Ridge
VP: Tom Rathbourne (?)
TR: Rob Leitman
SA: Zygo Blaxell
LI: Michael Van Biesbrouck

=1995=
===Winter===
TR: Sharlene Schmeichel
Amy Brown and Rob Ridge purchased books.

===Spring===
TR: Steve Mills

===Fall===
PR: Amy Brown (arbrown)
VP: Christina Norman (cbnorman)
TR: Steven Mills (samills)
SE: Allyson Graham (akgraham)
SA: Gavin Peters

=1996=
===Winter===
PR: Nikita Borisov (nborisov)
VP: Joseph Deu Ngoc (dtdeungo)
TR: Stephen Mills (samills)
SE: Sharlene Schmeichel (saschmei)
SA: Dave Brown (dagbrown)
OF: Somsack Tsai (stsai)
LI: Devin Carless (dccarles)
FL: Allyson Graham (akgraham)
DE: Ian Goldberg (iagoldbe)

===Spring===
PR: Blake Winton (bwinton)
VP: Nick Harvey (njaharve)
TR: Nikita Borisov (nborisov)
SE: Viet-Trung Luu (vluu)
SA: Drew Hamilton (awhamilt)
OF: Jillian Arnott (jarnott)
LI: Ross Ridge (rridge)
FL: Devin Carless (dccarles)

=== Fall ===
PR: Shannon Mann (sjbmann)
VP: Joe "Frosh" Deu Ngoc (jtdeungo) resigned (heavy workload)
TR: Michal Van Biesbrouck (mlvanbie)
SE: Nikita Borisov (nborisov)
SA: Chris Rovers
OF: Dax Hutcheon (ddhutche) became VP upon jtduengo's resignation
LI: Aliz Csenki (acsenki)
FL: Aaron Chmielowiec (archmiel)
DE: Skuld (no uwuserid yet...)

=1997 =

===Winter===
PR: Dima Brodsky
VP: Nikita Borisov (nborisov)
TR: Stephen Mills (samills)
SE: Evan Jones (ejones)
SA: Alex Brodsky
OF: Chris Doherty
LI: Matt Corks
FL: Paul Prescod

=== Fall ===
PR: Chris Rovers (cdrovers)
VP: Michael van Biesbrouck (mlvanbie)
TR: Somsack Tsai (stsai)
SE: Matt Corks (mvcorks)
SA: Lennart Sorensen (lsorense)
LI: Chmielowiec (archmiel)
OF: Devin Carless (dccarles)
FL: Aaron Chmielowiec (archmiel)

= 1998 =
=== Winter ===
PR: Suresh Naidu
VP: Viet-Trung Luu
TR: Tim Coleman
SE: Dax Hutcheon
Librarian: Dax Hutcheon
Flasher: Dax Hutcheon
Webmaster: Dax Hutcheon
SA: Robin Powell
OF: Aaron Chmielowiec

=== Spring ===

Position Name You might call them...
President roconnor Russell O'Connor
Vice-president trwcolem Tim Coleman
Treasurer knzarysk Karl Zaryski
Secretary (bwinton) (Blake Winton)
Sysadmin wbiggs Billy Biggs
Librarian snaidu Suresh Naidu
Flasher pechrysl Paul Chrysler
Office Manager dccarles Devin Carless
WWWW trwcolem Tim Coleman

=== Fall ===

President Joe Deu Ngoc jtdeungo
Vice-President Wai Ling Yee wlyee
Treasurer Fjord j2lynn
Secretary Matt Corks mvcorks
Sysadmin Andrew Hamilton awhamilt

World Wide Web Wench Dax Hutcheon ddhutche
Office Manager Richard Bell rlbell
Librarian Damian Gryski dgryski
Flasher Paul Chrysler pechrysl
Official Deity Ian Goldberg iagoldbe
Official Chairbeing Calum T. Dalek calum

=1999=

=== Winter ===
PR: geduggan
VP:
TR:
SE:
SA:

=== Spring ===

=== Fall ===

=2000=
=== Winter ===
PR: Will Chartrand (wgchartr)
VP: Gavin Duggan (geduggan)
TR:
SE:
SA: Lennart Sorensen (lsorense)
OF:

=== Spring ===

=== Fall ===
PR: geduggan
VP:
TR:
SE:
SA: bioster
OF:

=2001=
=== Winter ===
PR: geduggan
VP:
TR:
SE:
SA:
OF:

=== Spring ===
PR: geduggan
VP:
TR:
SE:
SA:
OF:

=== Fall ===

=2002=
http://www.mathnews.uwaterloo.ca/Issues/mn8902/cscflash.php
=== Winter ===
PR: Billy Biggs
VP: Stefanus Du Toit
TR: Melissa Basinger
SE: James Perry
SA: Barry Genova
Librarian: Ryan Golbeck
Webmaster: Jonathan Beverley
Office Manager: Sayan Li

=== Spring ===
PR: Alex Pop
VP: Melissa Basinger
TR: Siyan Li
SE: James A Morrison
SA: Jonathan Beverley
Webmaster: Stefanus Du Toit

=== Fall ===
PR: James A. Morrison
VP: Stefanus Du Toit
TR: James Perry
SE: Michael Biggs
SA: Ryan Golbeck
Librarian: Mark Sherry, Cassandra Schopf
Webmaster: Stefanus Du Toit

=2003=
=== Winter ===
PR: Kannan Vijayan (kvijayan)
VP: Meg Darragh (m2darrag)
TR: James Perry (jeperry)
SE: Wojciech Kosnik (wkosnik)
SA: Stefanus Du Toit (sjdutoit)
LI: Simon Law (sfllaw)
WM: Julie Lavoie (jlavoie)

=== Spring===
===Fall===
PR: Stefanus Du Toit (sjdutoit)
VP: Meg Darragh (m2darrag)
TR: Tor Myklebust (tmyklebu)
SE: James Perry (jeperry)
SA: Simon Law (sfllaw)
OF:

=2004=
===Winter===
PR: Simon Law (sfllaw)
VP: fspacek
TR: ljain
SE: Julie Lavoie (jlavoie)
SA: Tor Myklebust(tmyklebu)
OF:

===Spring===
PR: dnmorton ?
VP: Tim Loach (tloach)
TR: Michael Biggs (mbiggs)
SE: Lesley Northam (lanortha)
SA:
OF:

===Fall ===
PR: jeperry
VP: mtsay
TR: Mark Sherry (mdsherry)
SE: Tor Myklebust (tmyklebu)
SA: jlavoie
OF:

=2005=
===Winter===

PR: mtsay
VP: Lesley Northam (lanortha)
TR: Holden Karau (hkarau)
SE: domorton
SA: Tor Myklebust (tmyklebu)
OF:

===Spring===

PR: Mark Sherry (mdsherry)
VP: Martin Kess (mdkess)
TR: Ali Piccioni (apiccion)
SE: Michael Biggs (mbiggs)
SA: Tor Myklebust (tmyklebu)
OF:

===Fall===

PR: Tim Loach (tloach)
VP: Lesley Northam (lanortha)
TR: Caelyn McAulay (cmcaulay)
SE: The Professor
SA: Holden Karau (hkarau)
OF:

=2006=

===Winter===

PR: Tor Myklebust (tmyklebu)
VP: Michael Druker (mdruker)
TR: Caelyn McAulay (cmcaulay)
SE: Mark Sherry (mdsherry)
SA: William O'Connor (woconnor)
OF:

===Spring===
PR: David Bartley (dtbartle)
VP: David Belanger (dbelange)
TR: David Tenty (daltenty)
SE: Chris Evensen (cevensen)
SA: Holden Karau (hkarau)
OF:

===Fall===

PR: Martin Kess (mdkess)
VP: Mark Sherry (mdsherry)
TR: Sylvan L. Mably (slmably)
SE: Caelyn McAulay (cmcaulay)
SA: William O'Connor (woconnor)

=2007=

===Winter===
PR: David Bartley (dtbartle)
VP: David Belanger (dbelange)
TR: Caelyn McAulay (cmcaulay)
SE: David Tenty (daltenty)
SA: Holden Karau (hkarau)
Webmaster: jnopporn
OF:

===Spring===
PR: Gaelan D'costa (gdcosta)
VP: Kyle Larose (kmlarose)
TR: Kyle Spaans (kspaans)
SE: Erik Louie (elouie)
SA: Michael Spang (mspang)
Librarian: David Tenty (daltenty)
OF:

===Fall ===
PR: Holden Karau (hkarau)
VP: Alex McCausland (amccausl)
TR: Dominik Chlobowski (dchlobow)
SE: Sean Cumming (sgcummin)
SA: David Tenty (daltenty)
OF:
WW: dtbartle / jnopporn

=2008=
===Winter ===
PR: Sean Cumming (sgcummin)
VP: Matt Lawrence (m3lawren)
TR: Mateusz Tarkowski (mtarkows)
SE: Edgar Bering (ebering)
SA: Jordan Saunders (jmsaunde)
OF:

===Summer ===
PR: Brennan Taylor (b4taylor)
VP: Qifan Xi (qxi)
TR: Matt Lawrence (m3lawren)
SE: Nick Guenther (nguenthe)
SA:
OF:

===Fall ===
PR: Matthew Lawrence (m3lawren)
VP: Edgar Bering (ebering)
TR: Michael Gregson (mgregson)
SE: James Simpson (j2simpso) resigned for medical reasons, replaced by Dominik 'Domo' Chłobowski
SA: Kyle Spaans (kspaans)
OF:

=2009=
===Winter===
PR: Michael Gregson (mgregson)
VP: Edgar Bering (ebering)
TR: Brennan Taylor (b4taylor)
SE: James Simpson (j2simpso) resigned for business reasons, replaced by Rebecca Putinski (rjputins)
SA: Jacob Parker (j3parker)
OF: XinChi Yang / Sapphyre Gervais (x23yang / sagervai) (both)

===Spring ===
PR: Michael Spang (mspang)
VP: Jacob Parker (j3parker)
TR: Sapphyre Gervais (sagervai)
SE: Matthew McPherrin (mimcpher)
SA: Anthony Brennan (a2brenna)
OF:

===Fall===
PR: Jacob Parker (j3parker)
VP: Edgar Bering (ebering)
TR: Michael Spang (mspang)
SE: Brennan Taylor (b4taylor)
SA: Michael Ellis (m2ellis)
OF: Rebecca Putinski (rjputins)

=2010=
===Winter===
PR: Kyle Spaans (kspaans)
VP: Edgar Bering (ebering)
TR: Sapphyre Gervais (sagervai)
SE: Ajnu Jacob (ajacob)
SA: Matthew Thiffault (mthiffau)
OF: Jacob Parker (j3parker)

Keyed office staffers: j3camero,jdonland,m2ellis,mimcpher,nsasherr

===Spring===
PR: Jeff Cameron (j3camero)
VP: Brennan Taylor (b4taylor)
TR: Vardhan Mudunuru (vmudunur)
SE: Matthew Lawrence (m3lawren)
SA: Michael Ellis (m2ellis)
OF: Edgar Bering (ebering)

===Fall===
PR: Jacob Parker (j3parker)
VP: Edgar Bering (ebering)
TR: Rebecca Putinski (rjputins)
SE: Kyle Spaans (kspaans)
SA: Jeremy Roman (jbroman)
OF: Amir Sayed Khader (askhader)

=2011=
===Winter===
PR: Edgar Bering (ebering)
VP: Jennifer "Emily" Wong (jy2wong)
TR: Kyle Spaans (kspaans)
SE: Elana "Alana" Hashman (ehashman)
SA: Peter "Bofh" Barfuss (pbarfuss)
OF: Marc Burns (Marc Burns)

===Spring===
PR: Matthew Thiffault (mthiffau)
VP: Matthew McPherrin (mimcpher)
TR: Kyle Spaans (kspaans)
SE: Kwame Andrew Ansong (kansong)
SA: Jeremy Brandon Roman (jbroman)
OF: Jennifer "Emily" Wong (jy2wong)

===Fall===
PR: Marc Burns (m4burns)
VP: Katharine Hyatt (kshyatt)
TR: Jacob Parker (j3parker)
SE: Elana Hashman (ehashman)
SA: Anthony "hatguy/hotgay" Brennan (a2brenna)
OF: Kyle Spaans (kspaans)
LIB: Edgar Bering (ebering)

=2012=
===Winter===
PR: Marc Burns (m4burns)
VP: Elana Hashman (ehashman)
TR: Jacob Parker (j3parker)
SE: Matthew McPherrin (mimcpher)
SA: Jeremy Roman (jbroman)
OF: Luqman Aden (laden)
LIB: Jennifer "Emily" Wong (jy2wong)

===Summer===
PR: Anthony Brennan (a2brenna)
VP: Luqman Aden (laden)
TR: Matthew McPherrin (mimcpher)
SE: Elana Hashman (ehashman)
SA: Sarah Harvey (sharvey)
OF: Marc Burns (m4burns)
LIB: John Ladan (jladan)

===Fall===
PR: Marc Burns (m4burns)
VP: Salem Talha (satalha)
TR: Jennifer Wong (jy2wong)
SE: Elana Hashman (ehashman), resigned
SA: Jeremy Roman (jbroman)
OF: Luqman Aden (laden)
LIB: John Ladan (jladan)

=2013=
===Winter===
PR: Anthony Brennan (a2brenna)
VP: Marc Burns (m4burns)
TR: John Mumford (jsmumfor)
SE: Matt Olechnowicz (mgolechn)
SA: Sarah Harvey (sharvey)
OF: Bryan Coutts (b2coutts)
LIB: Matthew McPherrin (mimcpher)
===Spring===
PR: Shane Robert Creighton-Young (srcreigh)
VP: Visishta Vijayanand (vvijayan)
TR: Dominik Chlobowski (dchlobow)
SE: Youn Jin Kim (yj7kim)
SA: Anthony Brennan (a2brenna)
OF: Marc Burns (m4burns)
IMAPD: Dominik Chlobowski (dchlobow)
===Fall===
PR: Elana Hashman (ehashman)
VP: Marc Burns (m4burns)
TR: Dominik Chlobowski (dchlobow)
SE: Edward Lee (e45lee)
SA: Jeremy Roman (jbroman)
OF: Sean Hunt (scshunt)