CSCWiki - User contributions [en]

Infrastructure Renewal Plan

2025-12-28T07:12:04Z

S23adhik:

Will slowly update this page.

Plan is to move a lot of the less-essential services to Proxmox to allow us to make them a bit easier to backup, and manage. Also getting rid of old storage, and servers.

== Hardware ==
Two new servers currently have been bought; Teriyaki, and Tahini, will buy more ram for them once prices go down.

Will add Sorbitol to proxmox general-use cluster to act as backup, and phase out citric-acid ASAP

Will add in 1 more Dell r730 to cluster

Will replace Cobalamin with an r730.

Will put in 2 more r730's into MC 3015 to replace xylitol, and all other Dell r815.

Then install 2 of the 3.2tb ssds onto the proxmox general use cluster to act as storage for all of the syscom/club containers.

Use the other 2 ssds as a /scratch replacement so we can decommision corn-syrup, carbonated-water, yerba-mate, riboflavin,

In addition we're planning to go full-flash.

SSL

2025-12-09T00:35:15Z

S23adhik:

== GlobalSign ==

The CSC currently has an SSL Certificate from GlobalSign for *.csclub.uwaterloo.ca provided at no cost to us through IST. GlobalSign likes to take a long time to respond to certificate signing requests (CSR) for wildcard certs, so our CSR really needs to be handed off to IST at least 2 weeks in advance. You can do it sooner – the certificate expiry date will be the old expiry date + 1 year (+ a bonus ) Having an invalid cert for any length of time leads to terrible breakage, followed by terrible workarounds and prolonged problems.

When the certificate is due to expire in a month or two, syscom should (but apparently doesn't always) get an email notification. This will include a renewal link. Otherwise, use the [https://uwaterloo.ca/information-systems-technology/about/organizational-structure/information-security-services/certificate-authority/globalsign-signed-x5093-certificates/self-service-globalsign-ssl-certificates IST-CA self service system]. Please keep a copy of the key, CSR and (once issued) certificate in <tt>/users/sysadmin/certs</tt>. The OpenSSL examples linked there are good to generate a 2048-bit RSA key and a corresponding CSR. It's probably a good idea to change the private key (as it's not that much effort anyways). Just sure your CSR is for <tt>*.csclub.uwaterloo.ca</tt>.

At the self-service portal, these options worked in 2013. If you need IST assistance, [mailto:ist-ca@uwaterloo.ca ist-ca@uwaterloo.ca] is the email address you should contact.
Products: OrganizationSSL
SSL Certificate Type: Wildcard SSL Certificate
Validity Period: 1 year
Are you switching from a Competitor? No, I am not switching
Are you renewing this Certificate? Yes (paste current certificate)
30-day bonus: Yes (why not?)
Add specific Subject Alternative Names (SANs): No (*.csclub.uwaterloo.ca automatically adds csclub.uwaterloo.ca as a SAN)
Enter Certificate Signing Request (CSR): Yes (paste CSR)
Contact Information:
First Name: Computer Science Club
Last Name: Systems Committee
Telephone: +1 519 888 4567 x33870
Email Address: syscom@csclub.uwaterloo.ca

=== Helpful links ===
* [https://support.globalsign.com/ssl/ssl-certificates-installation/generate-csr-openssl How to generate a new CSR and private key]
* [https://uwaterloo.atlassian.net/wiki/spaces/ISTKB/pages/262013183/How+to+obtain+a+new+GlobalSign+certificate+or+renew+an+existing+one How to obtain a new GlobalSign certificate or renew an existing one]
* [https://system.globalsign.com/bm/public/certificate/poporder.do?domain=PAR12271n5w6s27pvg8d92v4150t GlobalSign UWaterloo self-service page]
* [https://support.globalsign.com/ca-certificates/intermediate-certificates/organizationssl-intermediate-certificates GlobalSign intermediate certificate] (needed to create a certificate chain; see below)

=== OpenSSL cheat sheet ===
<ul>
<li>
Generate a new CSR and private key (do this in a new directory):
<pre>
openssl req -out csclub.uwaterloo.ca.csr -new -newkey rsa:2048 -keyout csclub.uwaterloo.ca.key -nodes
</pre>
Enter the following information at the prompts:
<pre>
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Waterloo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Waterloo
Organizational Unit Name (eg, section) []:Computer Science Club
Common Name (e.g. server FQDN or YOUR name) []:*.csclub.uwaterloo.ca
Email Address []:systems-committee@csclub.uwaterloo.ca

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</pre>
</li>
<li>
View the information inside a CSR:
<pre>
openssl req -noout -text -in csclub.uwaterloo.ca.csr
</pre>
</li>
<li>
View the information inside a private key:
<pre>
openssl pkey -noout -text -in csclub.uwaterloo.ca.key
</pre>
</li>
<li>
View information inside a certificate:
<pre>
openssl x509 -noout -text -in csclub.uwaterloo.ca.crt
</pre>
</li>
</ul>

=== csclub.cloud ===
Once a year, someone from IST will ask us to create a temporary TXT record for csclub.cloud to prove to GlobalSign that we own it. This must be created at the root of the domain. Since this zone is managed dynamically (via the acme.sh script on biloba, see below), we need to freeze the domain and update /var/lib/bind/db.csclub.cloud directly.

Once you're in the correct server (not Biloba). Here are the steps:
<ol>
<li>Run <code>rndc freeze csclub.cloud</code>.</li>
<li>
Open /var/lib/bind/db.csclub.cloud and add a new TXT record. It'll look something like
<pre>
TXT "_globalsign-domain-verification=blablabla"
</pre>
</li>
<li>
In the same file, make sure to also update the SOA serial number. It should generally be YYYYMMDDNN where NN is a monotonically increasing counter (YYYYMMDD is the current date).
</li>
<li>Run <code>rndc reload</code>.</li>
<li>
Run a DNS query to make sure you can see the TXT record:
<pre>
dig -t txt @dns1 csclub.cloud
dig -t txt @dns2 csclub.cloud
</pre>
</li>
<li>Email back the person from IST and let them know that we created the TXT record.</li>
<li>
Once the certificate has been renewed, delete the TXT record, update the SOA serial number, and run <code>rndc reload</code>.
</li>
<li>Run <code>rndc thaw csclub.cloud</code>.</li>
</ol>

== Certificate Files ==
Let's say you obtain a new certificate for *.csclub.uwaterloo.ca. Here are the files which should be stored in the certs folder:
<ul>
<li>csclub.uwaterloo.ca.key: private key created by openssl</li>
<li>csclub.uwaterloo.ca.csr: certificate signing request created by openssl</li>
<li>order: order number from GlobalSign</li>
<li>csclub.uwaterloo.ca.crt: certificate created by GlobalSign</li>
<li>globalsign-intermediate.crt: intermediate certificate from GlobalSign, obtainable from [https://support.globalsign.com/ca-certificates/intermediate-certificates/organizationssl-intermediate-certificates here]. As of this writing, we use the "OrganizationSSL SHA-256 R3 Intermediate Certificate". Just click the "View in Base64" button and copy the contents.
<ul>
<li>There is an alternative way to get the intermediate certificate: if you run <code>openssl x509 -noout -text -in csclub.uwaterloo.ca.crt</code>, under X509v3 extensions > Authority Information Access, there should be a field called "CA Issuers" which has a URL which looks like http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt. You can download that file and convert it to PEM:
<pre>
wget https://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
openssl x509 -inform der -in gsrsaovsslca2018.crt -out globalsign-intermediate.crt
rm gsrsaovsslca2018.crt
</pre>
</li>
</ul>
</li>
</ul><ul>
<li>csclub.uwaterloo.ca.chain: create this with the following command:
<pre>
cat csclub.uwaterloo.ca.crt globalsign-intermediate.crt > csclub.uwaterloo.ca.chain
</pre>
</li>
<li>csclub.uwaterloo.ca.pem: create this with the following command:
<pre>
cat csclub.uwaterloo.ca.key csclub.uwaterloo.ca.chain > csclub.uwaterloo.ca.pem
chmod 600 csclub.uwaterloo.ca.pem
</pre>
</li>
</ul>

== Certificate Locations ==

Keep a copy of newly generated certificates in /users/sysadmin/certs.

A list of places you'll need to put the new certificate to keep our services running. Private key (if applicable) should be kept next to the certificate with the extension .key.

* auth1:/etc/ssl/private/csclub-wildcard.crt (for slapd, make sure to <code>sudo service slapd restart</code>)
* auth2:/etc/ssl/private/csclub-wildcard.crt (for slapd, make sure to <code>sudo service slapd restart</code>)
* phosphoric-acid:/etc/ssl/private/csclub-wildcard-chain.crt (for ceod)
* coffee:/etc/ssl/private/csclub.uwaterloo.ca (for PostgreSQL and MariaDB)
* caffeine:/etc/ssl/private/csclub-wildcard.crt (for Apache)
* mailman:/etc/ssl/private/csclub-wildcard-chain.crt (for Apache)
* prometheus:/etc/ssl/private/csclub-wildcard-chain.crt (for Apache)
* potassium-benzoate:/etc/ssl/private/csclub-wildcard.crt (for nginx)
* mattermost:/etc/ssl/private/csclub-wildcard.crt (for nginx)
* chat:/etc/ssl/private/csclub-wildcard-chain.crt (for nginx)
* chamomile:/etc/ssl/private/cloud.csclub.uwaterloo.ca.chain.crt, /etc/ssl/private/csclub.cloud.chain, /etc/ssl/private/csclub.uwaterloo.ca.chain (for nginx)
* nextcloud (nspawn container inside guayusa): /etc/ssl/private/csclub.uwaterloo.ca.chain (for nginx)
* keycloak: /opt/keycloak/ssl (you can figure out the rest)
* <s>mail:/etc/ssl/private/csclub-wildcard.crt (for Apache, Postfix and Dovecot)</s> (UPDATE: we use certbot now for these)
* <s>bigbluebutton:/etc/nginx/ssl/csclub-wildcard-chain.crt (podman container on xylitol)</s> (Also certbot)
* <s>load-balancer-0(1|2):/etc/ssl/private/csclub.uwaterloo.ca (for haproxy)</s> [Down since 2020]

Some services (e.g. Dovecot, Postfix) prefer to have the certificate chain in one file. Concatenate the appropriate intermediate root to the end of the certificate and store this as csclub-wildcard-chain.crt.

=== More certificate locations ===
We have some SSL certificates which are not used by web servers, but still need to be renewed eventually.

==== Prometheus node exporter ====
All of our Prometheus node exporters are using mTLS via stunnel (every bare-metal host, as well as caffeine, coffee and mail, is running this exporter). The certificates (both client and server) are set to expire in September 2031; before then, create new keypairs in /opt/prometheus/tls, and deploy the new server.crt, node.crt and node.key to /etc/stunnel/tls on all machines. Restart prometheus and all of the node exporters.

==== ADFS ====
See [[ADFS]]. When the university's IdP certificate expires (October 2025), we can just download a new one and restart Apache; when our own certificate expires (July 2031), we need to submit a new form to IST (please do this before the cert expires).

==== Keycloak ====
See [[Keycloak]]. When the saml-passthrough certificate expires (January 2032), you need to create a new keypair in /srv/saml-passthrough on caffeine, and upload the new certificate into the Keycloak UI (IdP settings). When the Keycloak SP certificate expires (December 2031), make sure to create a new keypair and upload it to the Keycloak UI (Realm Settings).

== letsencrypt ==

We support letsencrypt for our virtual hosts with custom domains. We use the <tt>cerbot</tt> from debian repositories with a configuration file at <tt>/etc/letsencrypt/cli.ini</tt>, and a systemd timer to handle renewals.

The setup for a new domain is:

# Become <tt>certbot</tt> on caffine with <tt>sudo -u certbot bash</tt> or similar.
# Run <tt>certbot certonly -c /etc/letsencrypt/cli.ini -d DOMAIN --logs-dir /tmp</tt>. The logs-dir isn't important and is only needed for troubleshooting.
# Set up the Apache site configuration using the example below. (apache config is in /etc/apache2) Note the permanent redirect to https.
# Make sure to commit your changes when you're done.
# Reloading apache config is <tt>sudo systemctl reload apache2</tt>.

<VirtualHost *:80>
ServerName example.com
ServerAlias *.example.com
ServerAdmin example@csclub.uwaterloo.ca

#DocumentRoot /users/example/www/
Redirect permanent / https://example.com/

ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
</VirtualHost>

<VirtualHost csclub:443>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLStrictSNIVHostCheck on

ServerName example.com
ServerAlias *.example.com
ServerAdmin example@csclub.uwaterloo.ca

DocumentRoot /users/example/www

ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
</VirtualHost>

== acme.sh ==
We are using [https://github.com/acmesh-official/acme.sh acme.sh] for provisioning SSL certificates for some of our *.csclub.cloud domains. It is currently set up under /root/.acme.sh on biloba.

NOTE: acme.sh has a cron job which automatically renews certificates before they expire and reloads NGINX, so you do not have to do anything after issuing and installing a certificate (i.e. "set-and-forget").

=== How to add a new SSL cert for a custom domain on CSC cloud ===
Note: you do not need to acquire a new cert if the requested domain is directly on csclub.cloud, e.g. app1.csclub.cloud. We can re-use our wildcard cert on csclub.cloud for that. However, if a user requests a multi-level domain on csclub.cloud, or a domain hosted on an external registrar, then you will need to create a new cert.

Let's say user <code>ctdalek</code> wants <code>mydomain.com</code> to point to a VM on CSC cloud.
 
TLDR:
<pre>
# Obtain the cert.
# If a subdomain was also requested, pass the -d option multiple times, e.g.
# `-d mydomain.com -d sub.mydomain.com`. Make sure the "main" domain is specified first.
acme.sh --issue -d mydomain.com -w /var/www

# Install the cert.
# If a subdomain was also requested, only specify the "main" domain.
acme.sh --install-cert -d mydomain.com \
--key-file /etc/nginx/ceod/member-ssl/mydomain.com.key \
--fullchain-file /etc/nginx/ceod/member-ssl/mydomain.com.chain \
--reloadcmd "/root/bin/reload-nginx.sh"

# Create a vhost file.
# Look at the other files in the same directory for inspiration.
# Make sure the file starts with the username and an underscore, e.g. "ctdalek_",
# because this is how ceod keeps track of the vhosts.
# Make sure to set the custom domain name(s) and paths to the SSL key/cert.
vim /etc/nginx/ceod/member-vhosts/ctdalek_mydomain.com

# Finally, reload NGINX on both biloba and chamomile. The /etc/nginx/ceod directory
# is shared between them.
/root/bin/reload-nginx.sh
</pre>

=== Installation ===
<pre>
cd /opt
git clone --depth 1 https://github.com/acmesh-official/acme.sh
cd acme.sh
./acme.sh --install -m syscom@csclub.uwaterloo.ca
. "/root/.acme.sh/acme.sh.env"
</pre>
Important: If invoking acme.sh from another program, it needs the environment variables set in acme.sh.env. Currently, that is just
<pre>
LE_WORKING_DIR="/root/.acme.sh"
</pre>

For testing purposes, make sure to use the Let's Encrypt test server:
<pre>
acme.sh --set-default-ca --server letsencrypt_test
</pre>

=== NGINX setup ===
<pre>
mkdir -p /var/www/.well-known/acme-challenge
</pre>
Add the following snippet to your default NGINX file (e.g. /etc/nginx/sites-enabled/default):
<pre>
# For Let's Encrypt
location /.well-known/acme-challenge/ {
alias /var/www/.well-known/acme-challenge/;
}
</pre>

Now assuming that biloba has the IP address for *.csclub.cloud, you can test that everything is working:
<pre>
acme.sh --issue -d app.merenber.csclub.cloud -w /var/www
</pre>
To install a certificate after it's been issued:
<pre>
acme.sh --install-cert -d app.merenber.csclub.cloud \
--key-file /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.key \
--fullchain-file /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.chain \
--reloadcmd "/root/bin/reload-nginx.sh"
</pre>
At this point, you should add your NGINX vhost file which uses that SSL certificate.
 
To remove a certificate:
<pre>
acme.sh --remove -d app.merenber.csclub.cloud
rm -r /root/.acme.sh/app.merenber.csclub.cloud
rm /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.chain
rm /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.key
</pre>
Don't forget to remove the NGINX vhost file too.

Once you think you're ready, use a real ACME provider, e.g.
<pre>
acme.sh --set-default-ca --server letsencrypt
</pre>

Since we have a [https://zerossl.com ZeroSSL] account, and ZeroSSL has no rate limit, we are going to use that instead:
<pre>
acme.sh --register-account --server zerossl \
--eab-kid xxxxxxxxxxxx \
--eab-hmac-key xxxxxxxxx
acme.sh --set-default-ca --server zerossl
</pre>

=== DNS challenge ===
To obtain a wildcard certificate (e.g. *.k8s.csclub.cloud), you will need to perform the DNS-01 challenge. We are going to use nsupdate to interact with our BIND9 server on dns1.

On dns1, run:
<pre>
tsig-keygen csc-cloud
</pre>
Paste the output into the appropriate section in /etc/bind/named.conf.local. Also paste it into a file somewhere on biloba, e.g. /etc/csc/csc-cloud-tsig.key.

Add the following to the csclub.cloud zone block:
<pre>
allow-update {
!{
!127.0.0.1;
!::1;
!129.97.134.0/24;
!2620:101:f000:4901::/64;
any;
};
key csc-cloud;
};
</pre>
(We're basically trying to restrict updates to the given IP ranges. See https://serverfault.com/a/417229.)

The 'bind' user can't write to files under /etc/bind, so we're going to move our zone file to /var/lib/bind instead.
Comment out 'file "/etc/bind/db.csclub.cloud";' from named.conf.local and add this line below it:
<pre>
file "/var/lib/bind/db.csclub.cloud";
</pre>
Then run:
<pre>
cp /etc/bind/db.csclub.cloud /var/lib/bind/db.csclub.cloud
chown bind:bind /var/lib/bind/db.csclub.cloud
rndc reload
</pre>

On biloba, check that everything's working:
<pre>
nsupdate -k /etc/csc/csc-cloud-tsig.key -v <<EOF
update add test.csclub.cloud 300 A 0.0.0.0
send
EOF
</pre>
Use a tool such as <code>dig</code> to make sure that the update was successful.
If it worked, you can delete the record:
<pre>
nsupdate -k /etc/csc/csc-cloud-tsig.key -v <<EOF
delete test.csclub.cloud
send
EOF
</pre>
Now we are ready to actually perform the challenge with acme.sh:
<pre>
export NSUPDATE_SERVER="dns1.csclub.uwaterloo.ca"
export NSUPDATE_KEY="/etc/csc/csc-cloud-tsig.key"
acme.sh --issue --dns dns_nsupdate -d 'k8s.csclub.cloud' -d '*.k8s.csclub.cloud'
</pre>
(If something goes wrong, use the <code>--debug</code> flag.)

If all went well, just install the certificate as usual:
<pre>
acme.sh --install-cert -d k8s.csclub.cloud \
--key-file /etc/nginx/ceod/syscom-ssl/k8s.csclub.cloud.key \
--fullchain-file /etc/nginx/ceod/syscom-ssl/k8s.csclub.cloud.chain \
--reloadcmd 'systemctl reload nginx'
</pre>

Immich

2025-11-16T07:29:46Z

S23adhik:

Note: Immich has been turned off due to low usage.

== Administration ==
* Admin credentials are stored in [TODO].
* Take care not to touch the external libraries unless you know what you're doing; those are used to link users' Nextcloud data to their Immich accounts.


== Container setup ==
Immich runs in <code>docker compose</code>. All relevant files can be found in <code>/root/immich</code> on guayusa.


== Access ==
In <code>/root/immich</code> on guayusa:
* <code>docker compose exec -it database psql -U postgres immich</code> will get you a psql shell in the Immich Postgres database.
* <code>curl https://photos.csclub.uwaterloo.ca/api/*</code> or <code>curl https://localhost:2283/api/*</code> lets you access the [https://api.immich.app/introduction Immich API]. You'll need to create an API key through the web UI -> Administration, then pass it in as the `x-api-key` header.


== Updating Immich ==

As root:
* <code>cd /root/immich</code>
* <code>docker compose pull</code>
* <code>docker compose up -d</code>


== Nginx ==

The Immich setup piggybacks off the nginx instance [https://wiki.csclub.uwaterloo.ca/Nextcloud#Setup_Nginx running in the Nextcloud container]. Once you've gained access to the container via <code>sudo machinectl shell nextcloud</code>, the nginx config can be found at <code>/etc/nginx/sites-available/immich</code>.


== Linking Nextcloud ==

Every user who has logged into both Immich and Nextcloud will have an external library created in Immich, following the naming convention <code>[watiam]'s Library</code>. This allows Immich to access the user's images stored in Nextcloud, located at <code>/var/lib/machines/nextcloud/data/nextcloud-data/[watiam]/files</code>.

The libraries are created by the script <code>/root/immich/sync-libraries.sh</code>. It's in the root user's crontab, set to run every hour.


== OIDC setup ==

OAuth can be configured in the web UI -> Administration from the admin account. [https://immich.app/docs/administration/oauth Documentation].

Decommissioned Machines

2025-11-13T23:11:17Z

S23adhik:

= 2025 =
==''biloba''==

Dead, died after the poweroutage of May 9th, 2025, previously served as Cloudstack master node or wtv.

Supermicro server funded by SLEF for CSC web hosting. Located in DC 3558. TODO: rack??

==== Specs ====

* 2x Intel Xeon Gold 6140 @ 2.30GHz [18 cores each]
* 384GB RAM
* 12 3.5" Hot Swap Drive Bays
** 2 x 480 GB SSD
* 10GbE onboard, 10GbE SFP+ card (on loan from CSCF)

==== Services ====

* OpenStack Compute machine
'''Notes'''
* TODO: cloudstack migration

No longer in use:

* caffeine
* mail
* mattermost

== ''suika'' ==
Suika is an office terminal built from various components donated by our members.

==== Specs ====

* AMD Ryzen 7 2700X
* 2x 8GB DDR4
* 1x Samsung 256GB SSD
* AMD Radeon RX 550 4GB

= Pre-2021 =
==''aspartame''==

aspartame was a taurine clone donated by CSCF. It was once our primary file server, serving as the gateway interface to space on phlogiston. It also used to host the [[#auth1|auth1]] container, which has been temporarily moved to [[#dextrose|dextrose]]. Decomissioned in March 2021 after refusing to boot following a power outage.

==''psilodump''==

psilodump is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling phlogiston, hosted disk shelves exported as iSCSI block devices.

psilodump was plugged into aspartame. It's still installed but inaccessible.

==''phlogiston''==

phlogiston is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling psilodump, hosted disk shelves exported as iSCSI block devices.

phlogiston is turned off and should remain that way. It is misconfigured to have its drives overlap with those owned by psilodump, and if it is turned on, it will likely cause irreparable data loss.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 10GB RAM

==== Notes from before decommissioning ====

* The lxc files are still present and should not be started up, or else the two copies of auth1 will collide.
* It currently cannot route the 10.0.0.0/8 block to a misconfiguration on the NetApp. This should be fixed at some point.

==''glomag''==

Glomag hosted [[#caffeine|caffeine]]. Decommissioned April 6, 2018.

==== Specs ====

* Intel Xeon X3450 @ 2.67 GHz
* 6 GB RAM
* vg0: 465 GB software RAID1 (contains root partition):
** 750 GB Seagate Barracuda SATA hard drive
** 500 GB Western-Digital Caviar Blue SATA hard drive
* vg1: 596 GB software RAID1 (contains caffeine):
** 2 × 640 GB Western-Digital Caviar Blue SATA hard drive

==== Services ====

* Before its decommissioning, glomag hosted [[#caffeine|caffeine]], [[#mail|mail]], and [[#munin|munin]] as [[Virtualization#Linux_Container|Linux containers]]

==''Lisp machine''==

A Symbolics XL1200 Lisp machine. Donated to a new home when we couldn't get it working.

http://www.globalnerdy.com/2008/12/03/symbolics-xl1200-lisp-machine-free-to-a-good-home/ for some history on this hardware.

==== Specs ====

Currently inoperable due to (at least) a missing console cable.

==''ginseng''==

Ginseng used to be our fileserver, before aspartame and the netapp took over.

==== Specs ====

* Intel Pentium Dual Core E2180
* 8GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/s3000ah_tps_1_1.pdf Intel S3000AHV Motherboard]
* 4 × 640 GB Western-Digital Caviar Blue in [[wikipedia:Nested_RAID_levels#RAID_10_.28RAID_1.2B0.29|RAID 10]] behind a [http://www.3ware.com/products/serial_ata2-9650.asp 3ware 9650SE RAID card].
[[Category:Hardware]]

==''calum''==

Calum used to be our main server and was named after Calum T Dalek. Purchased new by the club in 1994.

==== Specs ====

* SPARCserver 10 (headless SPARCstation 10)

==''paza''==

An iMac G3 that was used as a dumb terminal.

==== Specs ====

* 233Mhz PowerPC 740/750
* 96 MB RAM

==''romana''==

Romana was a BeBox that has been in the CSC's possession since long before BeOS became defunct.

Confirmed on March 19th, 2016 to be fully functional. An SSHv1 compatible client was installed from http://www.abstrakt.ch/be/ and a compatible firewalled daemon was started on Sucrose (living in /root, prefix is /root/ssh-romana). The insecure daemon is to be used a bastion host to jump to hosts only supporting >=SSHv2. The mail daemon on the BeBox has also been configured to send mail through mail.csclub.uwaterloo.ca.

==== Specs ====

* 2 PowerPC based processors
* Stylish Blinken processor-load lights

==''sodium-citrate''==

Sodium-citrate was an SGI O2 machine.

In order to net boot you need to set /proc/sys/net/ipv4/ip_no_pmtu_disc to 1. When the O2 boots, hit F5 at the boot menu and type bootp():.

==== Specs ====
* SGI O2 MIPS processor
* 423 MB (?) RAM
* 2 × 2 GB hard drive

==''acesulfame-potassium''==

An old office terminal.

==== Specs ====
* Intel Pentium 4 2.67GHz
* 1GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/ABIT_VT7.pdf ABIT VT7] Motherboard
* ATI Radeon 7000

==''skynet''==

skynet was a Sun E6500 machine donated by Sanjay Singh. It was never fully set up.

==== Specs ====

* 15 full CPU/memory boards
** 2x UltraSPARC II 464MHz / 8MB Cache Processors
** ??? RAM?
* 1 I/O board (type=???)
** ???x disks?
* 1 CD-ROM drive

*[http://mirror.csclub.uwaterloo.ca/csclub/sun_e6500/ent6k.srvr/ e6500 documentation (hosted on mirror, currently dead link)]
*[http://docs.oracle.com/cd/E19095-01/ent6k.srvr/ e6500 documentation (backup link)]
*[http://www.e6500.com/ e6500]

==''freebsd''==

FreeBSD was a virtual machine with FreeBSD installed.

==== Services ====

* Newer software

==''rainbowdragoneyes''==

Rainbowdragoneyes was our Lemote Fuloong MIPS machine. This machine is aliased to rde.csclub.uwaterloo.ca.

==== Specs ====

* 800MHz MIPS Loongson 2f CPU

==''denardo''==

Due to some instability, general uselessness, and the acquisition of a more powerful SPARC machine from MFCF, denardo was decommissioned in February 2015.

==== Specs ====

* Sun Fire V210
* TI UltraSparc IIIi (Jalapeño)
* 2 GB RAM
* 160 GB RAID array
* ALOM on denardo-alom.csclub can be used to power machine on/off
==''artificial-flavours''==

Artificial-flavours was our secondary (backup services) server. It used to be an office terminal. It was decommissioned in February 2015 and transferred to the ownership of Women in Computer Science (WiCS).

==== Specs ====

* Intel Celeron 3.2GHz
* 2GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/Biostar_P4M80-M4.pdf Biostar P4M80-M4] Motherboard
* Western-Digital 80 GB ATA hard drive

==''potassium-citrate''==

Potassium-citrate is a dual-processor Alpha machine. It is on extended loan from pbarfuss.

It is temporarily decommissioned pending the reinstallation of a supported operating system (such as OpenBSD).

==== Specs ====
* Alphaserver CS20 (2 833MHz EV68al CPUs)
* 512MB RAM
* 36 GB Seagate SCSI hard drive

==''potassium-nitrate''==

This was a Sun Fire E2900 from a decommissioned MFCF compute cluster. It had a SPARC architecture and ran OpenBSD, unlike many of our other systems which are x86/x86-64 and Linux/Debian. After multiple unsuccessful attempts to boot a modern Linux kernel and possible hardware instability, it was determined to be non-cost-effective and non-effort-effective to put more work into running this machine. The system was reclaimed by MFCF where someone from CS had better luck running a suitable operating system (probably Solaris).

The name is from saltpetre, because sparks.

==== Specs ====

* 24 CPUs
* 90GB main memory
* 400GB scratch disk local storage in /scratch-potassium-nitrate

There is a [[Sun 2900 Strategy Guide|setup guide]] available for this machine.

See also [[Sun 2900]].

==''taurine''==

'''Note: On August 21, 2019, just before 2:30PM EDT, we were informed that taurine caught fire'''. As a result, taurine has been decommissioned as of Fall 2019.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 8GB RAM
* 136 GB LVM volume group

==== Services ====

* Virtual machines
* BitlBee IRC instant messaging gateway (localhost only)
*[[ident]] server to maintain high connection cap to freenode
* Runs ssh on ports 21,22,53,80,81,443,8000,8080 for user's convenience.

==''dextrose''==

dextrose was a [[#taurine|taurine]] clone donated by CSCF and was decommissioned in Fall 2019 after being replaced with a more powerful server.

==''sucrose''==

sucrose was a [[#taurine|taurine]] clone donated by CSCF. It was decommissioned in Fall 2019 following multiple hardware failures.

==''goto80''==
'''Note (2022-10-25): This seems to have gone missing or otherwise left our hands.'''

This was small ARM machine we picked up in order to have similar hardware to the Real Time Operating Systems (CS 452) course. It has a [[TS-7800_JTAG|JTAG]] interface. Located was the office on the top shelf above strombola.

==== Specs ====

* 500 MHz Feroceon (ARM926ej-s compatible) processor
* ARMv5TEJ architecture

Use -march=armv5te -mtune=arm926ej-s options to GCC.

For information on the TS-7800's hardware see here:
http://www.embeddedarm.com/products/board-detail.php?product=ts-7800

==''nullsleep''==

nullsleep is an [http://csclub.uwaterloo.ca/misc/manuals/ASRock_ION_330.pdf ASRock ION 330] machine given to us by CSCF and funded by MEF.

It's decommissioned on 2023-03-20 due to repeated unexpected shutdown. Replaced by [[#powernap|powernap]].

==== Specs ====

* Intel® Dual Core Atom™ 330
* 2GB RAM
* NVIDIA® ION™ graphics
* 1x 64GB SanDisk SDSSDP064G SSD
* DVD Burner

==== Speakers ====
Nullsleep has the office speakers (a pair of nice studio monitors) currently connected to it.

==== Services ====
Nullsleep runs MPD for playing music. Control of MPD is available only to users in the "audio" group.
Music is located in /music on the office terminal

== ''bit-shifter'' ==
bit-shifter was an office terminal, decommissioned April 2023 due to extended age. It was upgraded to the same specs as Strombola at an unknown point in time.

==== Specs ====

* Intel Core 2 Quad CPU Q8300
* 4GB RAM
* Nvidia GeForce GT 440
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD
* Jacob Parker's Firewire Card

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''strombola''==
Strombola was an office terminal named after Gordon Strombola. It was retired in April 2023.

==== Specs ====
* Intel Pentium G4600 2 cores @ 3.6Ghz
* 8 GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD

==== Speakers ====
Strombola used to have integrated 5.1 channel sound before we got new speakers and moved audio stuff to nullsleep.

== ''gwem'' ==
gwem was an office terminal that was created because AMD donated a graphics card. It entered CSC service in February 2012.

=== Specs ===

* AMD FX-8150 3.6GHz 8-Core CPU
* 16 GB RAM
* AMD Radeon 6870 HD 1GB GPU
*[http://csclub.uwaterloo.ca/misc/manuals/ga-990fxa-ud7_e.pdf Gigabyte GA-990FXA-UD7] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD

== ''maltodextrin'' ==
(*specs are outdated at least as of 2023-05-27*)
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
Maltodextrin was an office terminal. It was upgraded in Spring 2014 after an unidentified failure. Not operational (no video output) as of July 2022.

==== Specs ====

* Intel Core i3-4130 @ 3.40 GHz
* 8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
*[http://csclub.uwaterloo.ca/misc/manuals/E8425_H81I_PLUS.pdf ASUS H81-PLUS] Motherboard

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''natural-flavours'' ==

Natural-flavours is an office terminal; it used to be our mirror.

In Fall 2016, it received a major upgrade thanks the MathSoc's Capital Improvement Fund.

Machine List

2025-11-13T23:10:33Z

S23adhik:

Infrastructure Renewal Plan

2025-11-04T16:21:20Z

S23adhik: Created page with "Will slowly update this page. Plan is to move a lot of the less-essential services to Proxmox to allow us to make them a bit easier to backup, and manage. Also getting rid of old storage, and servers. In addition we're planning to go full-flash."

Machine List

2025-11-04T05:21:14Z

S23adhik: /* Tahini */

Most of our machines are in the E7, F7, G7 and H7 racks (as of Jan. 2022) in the MC 3015 server room. There is an additional rack in the DC 3558 machine room on the third floor. Our office terminals are in the CSC office, in MC 3036/3037.

= Web Server =
You are highly encouraged to avoid running anything that's not directly related to your CSC webspace on our web server. We have plenty of general-use machines; please use those instead. You can even edit web pages from any other machine--usually the only reason you'd *need* to be on caffeine is for database access.

== ''caffeine'' ==

Caffeine is the Computer Science Club's web server. It serves websites, databases for websites, and a large amount of other services.

''(Redundant active backup coming soon...)''

==== Specs ====

* LXC virtual machine hosted on [[Machine List#phosphoric-acid|phosphoric-acid]]
** 12 vCPUs
** 32GB of RAM

==== Services ====

* Club and member web sites with [https://www.apache.org/ Apache]
* [[MySQL]] databases
* [[PostgreSQL]] databases
* [[ceo]] daemon

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

= General-Use Servers =

These machines can be used for (nearly) anything you like (though be polite and remember that these are shared machines). Recall that when you signed the Machine Usage Agreement, you promised not to use these machines to generate profit (so no cryptocurrency mining).

For computationally-intensive jobs (CPU/memory bound) we recommend running on high-fructose-corn-syrup, carbonated-water, sorbitol, mannitol, or corn-syrup, listed in roughly decreasing order of available resources. For low-intensity interactive jobs, such as IRC clients, we recommend running on neotame. '''If you have a long-running computationally intensive job, it's good to nice[https://en.wikipedia.org/wiki/Nice_(Unix)] your process, and possibly let syscom know too.'''

== ''corn-syrup'' ==

Dell PowerEdge 2950

==== Specs ====

* 2 × Intel Xeon E5405 (2.00 GHz, 4 cores each)
* 32 GB RAM
* eth0 ("Gb0") mac addr 00:24:e8:52:41:27
* eth1 ("Gb1") mac addr 00:24:e8:52:41:29
* IPMI mac addr 00:24:e8:52:41:2b
* 3 × Western-Digital 160GB SATA hard drive (445 GB software RAID0 array)

==== Notes ====

* Use eth0/Gb0 for the mathstudentorgsnet connection

==== Services ====

* Hosts 1 TB <tt>[[scratch|/scratch]]</tt> and exports via NFS (sec=krb5)

== ''high-fructose-corn-syrup'' ==

High-fructose-corn-syrup (or hfcs) is a large SuperMicro server. It's been in CSC service since April 2012.

==== Specs ====

* 4x AMD Opteron 6272 (2.4 GHz, 16 cores each)
* 192 GB RAM
* Supermicro H8QGi+-F Motherboard Quad 1944-pin Socket [http://csclub.uwaterloo.ca/misc/manuals/motherboard-H8QGI+-F.pdf (Manual)]
* 500 GB Seagate Barracuda
* Supermicro Case Rackmount CSE-748TQ-R1400B 4U [http://csclub.uwaterloo.ca/misc/manuals/SC748.pdf (Manual)]
'''Notes'''

* Missing moba IO shield (as of January 2024)

== ''carbonated-water'' ==

carbonated-water is a Dell R815 provided by CSCF.

==== Specs ====

* 4x AMD Opteron 6176 processors (2.3 GHz, 12 cores each)
* 128GB RAM

== ''neotame'' ==

neotame is a SuperMicro server funded by MEF. It is the successor to taurine.

'''We strongly discourage running computationally-intensive jobs''' on neotame as many users run interactive applications such as IRC clients on it and any significant service degradation will be more likely to affect other users (who will probably notice right away).

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
'''Notes'''
* SSH server also listens on ports 21, 22, 53, 80, 81, 443, 8000, 8080 for your convenience.

== ''sorbitol'' ==

sorbitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
== ''mannitol'' ==

mannitol is a SuperMicro server funded by MEF. CUDA is available on this node.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
* NVIDIA GeForce RTX 3050 6G

= Office Terminals =

It's possible to SSH into these machines, but we discourage you from trying to use these machines when you're not sitting in front of them. They are bounced at least every time our login manager, lightdm, throws a tantrum (which is several times a day). These are for use inside our physical office.

== ''cyanide'' ==
cyanide is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)], identical in specification to powernap

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

== ''suika'' ==

Suika is an office terminal built from various components donated by our members.

==== Specs ====

* AMD Ryzen 7 2700X
* 2x 8GB DDR4
* 1x Samsung 256GB SSD
* AMD Radeon RX 550 4GB

==''powernap''==
powernap is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)].

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

=== Speaker ===
powernap has the office speakers (a pair of nice studio monitors) currently connected to it.

=== Services ===
* MPD for playing music. Only office/termcom/syscom can log into powernap. Use `ncmpcpp` to control MPD.
** TODO: this is not the case anymore
* Bluetooth audio receiver. Only syscom can control bluetooth pairing. Use `bluetoothctl` to control bluetooth.

Music is located in `/music` on the office terminals.

= Progcom Only =
The Programme Committee has access to a VM on corn-syrup called 'progcom'. They have sudo rights in this VM so they may install and run their own software inside it. This VM should only be accessible by members of progcom or syscom.

The CI/CD stuff for the csclub.uwaterloo.ca runs on this vm (drone).

= Codey Bot Only =
Ran on CSC Cloud in a separate Cloudstack project. codey-staging, codey-dev, codey-prod.

TODO: migrating from cloudstack

= Syscom Only =

The following systems are only be accessible to members of the [[Systems Committee]] for a variety of reasons; the most common of which being that some of these machines host [[Kerberos]] authentication services for the CSC.

==''xylitol''==

xylitol is a Dell PowerEdge R815 donated by CSCF. It is primarily a container host for services previously hosted on aspartame and dextrose, including munin, rt, mathnews, auth1, and dns1. It was provisioned with the intent to replace both of those hosts.

==== Specs ====

* Dual AMD Opteron 6176 (2.3 GHz, 48 cores total)
* 128GB RAM
* 500GB volume group on RAID1 SSD (xylitol-mirrored)
* 500ish-GB volume group on RAID10 HDD (xylitol-raidten)

==''auth1''==

Container on [[#xylitol|xylitol]].

==== Services ====

*[[LDAP]] primary
*[[Kerberos]] primary

==''chat''==

Container on [[#xylitol|xylitol]].

==== Services ====

* The Lounge web IRC client (https://chat.csclub.uwaterloo.ca)

==''phosphoric-acid''==

phosphoric-acid is a Dell PowerEdge R815 donated by CSCF and is a clone of xylitol. It may be used to provide redundant cloud services in the future.

==== Specs ====

* (clone of Xylitol)
* 4x 2TB Kingston KC3000 (ZFS Z2 [Sustain 2-failures]) (KIN-SKC3000D2048G)
** Mounted on 2x Startech Dual M.2 PCIE SSD Adapter Cards (STA-PEX8M2E2)

==== Services ====

*[[#caffeine|caffeine]]
*[[#coffee|coffee]]
*prometheus

==''coffee''==

Virtual machine running on phosphoric-acid.

==== Services ====

*[[Database#MySQL|MySQL]]
*[[Database#Postgres|Postgres]]

==''cobalamin''==

Dell PowerEdge 2950 donated to us by FEDS. Located in the Science machine room on the first floor of Physics, on Science Computing Rack 2. NICs are plugged into A1 and A2 on the adjacent rack. Acts as a backup server for many things.

TODO: should replace with another Syscom server when Science Computing clears out the rack (ETA before 09/2024)

==== Specs ====

* 1 × Intel Xeon E5420 (2.50 GHz, 4 cores)
* 16GB RAM
* Broadcom NetworkXtreme II
* 2x73GB Hard Drives, hardware RAID1
** Soon to be 2x1TB in MegaRAID1
*http://www.dell.com/support/home/ca/en/cabsdt1/product-support/servicetag/51TYRG1/configuration

==== Services ====

* Containers: [[#auth2|auth2]] (kerberos)

==== Notes ====

* '''TODO: Mega unreliable.''' (Goes down once every few weeks... due to power outages in the PHYS server room)
** It is plugged into a UPS but the UPS has dead batteries.
* The network card requires non-free drivers. Be sure to use an installation disc with non-free.

* We have separate IP ranges for cobalamin and its containers because the machine is located in a different building. They are:
** VLAN ID 506 (csc-data1): 129.97.18.16/29; gateway 129.97.18.17; mask 255.255.255.240
** VLAN ID 504 (csc-ipmi): 172.19.5.24/29; gateway 172.19.5.25; mask 255.255.255.248
* Physical access to the PHYS server rooms can be acquired by visiting Science Computing in PHYS 2006.

==''auth2''==

Container on [[#cobalamin|cobalamin]].

==== Services ====

*[[LDAP]] secondary
*[[Kerberos]] secondary

MAC Address: c2:c0:00:00:00:a2

==''mail''==

mail is the CSC's mail server. It hosts mail delivery, imap(s), smtp(s), and mailman. It is also syscom-only. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

TODO: "HA"-ish configuration

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[[Mail]] services
* mailman (web interface at [http://mailman.csclub.uwaterloo.ca/])
*[[Webmail]]
*[[ceo]] daemon

==''sodium-benzoate''==

Sodium-benzoate is our previous mirror server, funded by MEF.

It is currently sitting in the office pending repurposing. Will likely become a machine for backups in DC.

==== Specs ====

* Intel Xeon Quad Core E5405 @ 2.00 GHz
* 16GB RAM
* vg0: 228 GB block device behind DELL PERC 6/i (contains root partition)

Space disks are currently in the office underneath maltodextrin.

TODO: gone??

==''potassium-benzoate''==

potassium-benzoate is our mirror server, funded by MEF.

==== Specs ====

* 36 drive Supermicro chassis (SSG-6048R-E1CR36L)
* 2 x Intel Xeon E5-2695 v4 (18 cores, 2.10GHz)
* 64 GB (4 x 16GB) of DDR4 (2133Mhz) ECC RDIMM RAM
* 2 x 1 TB Samsung Evo 850 SSD drives
* 17 x 4 TB Western Digital Gold drives (separate funding from MEF)
* 9 x 18TB Seagate Exos X18 (8 ZFS, Z2,1 hot-spare)
* 10 Gbps SFP+ card (loaned from CSCF)
* 50 Gbps Mellanox QSFP card (from ginkgo; currently unconnected)

Spec before 2025-03-27:
* 1 x Intel Xeon E5-2630 v3 (8 cores, 2.40 GHz)

==== Network Connections ====

potassium-benzoate has two connections to our network:

* 1 Gbps to our switch (used for management)
* 2 x 10 Gbps (LACP bond) to mc-rt-3015-mso-a (for mirror)

Mirror's bandwidth is limited to 1 Gbps on each of the 4 campus internet links. Mirror's bandwidth is not limited on campus.

==== Services ====

*[[Mirror]]
*[[Talks]] mirror
*[[Debian_Repository|CSClub packages repository]]

==''munin''==

munin is a syscom-only monitoring and accounting machine. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[http://munin.csclub.uwaterloo.ca munin] systems monitoring daemon
TODO: Debian 9?

==''yerba-mate''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2x75GB 15k drives (RAID 1)

==== Services ====

* test-ipv6 (test-ipv6.csclub.uwaterloo.ca; a test-ipv6.com mirror)
'''Notes'''

* Also used for experimenting new CSC services.

* TODO: use as backup server

==''citric-acid''==
A Dell PowerEdge R815 (TODO: check model) provided by CSCF to replace [[Machine List#aspartame|aspartame]].

'''Specs'''

* 2 x AMD Opteron 6174 (12 cores, 2.20 GHz)
* 128 GB RAM

'''Services'''

* Configured for [https://pass.uwaterloo.ca pass.uwaterloo.ca], a university-wide password manager hosted by CSC as a demo service for all Nexus (ADFS) user.
* [[Plane]], an internal (CSC) project management tool.
* Minio
'''Notes'''

* Being repurposed for Termcom training and development.
* Being used for Matrix & Proxmox Testing
* UFW opened-ports: SSH, HTTP/HTTPS
* Upgraded to Podman 4.x

== ''Tahini'' ==
Server was funded via SLEF, and MEF. More info coming soon. Part of Proxmox Project, and mass migration

== ''Teriyaki'' ==
Server was funded via SLEF, and MEF. More info coming soon. Part of Proxmox Project, and mass migration

= Cloud =

These machines are used by [https://cloud.csclub.uwaterloo.ca cloud.csclub.uwaterloo.ca]. The machines themselves are restricted to Syscom only access.

==''chamomile''==

A Dell PowerEdge R815 provided by CSCF.

==== Specs ====

* 4x 2.20GHz 12-core processors (AMD Opteron(tm) Processor 6174)
* 128GB RAM
* 10GbE connection to core router

==== Services ====

* Cloudstack host
* TODO: cloudstack migration

==''riboflavin''==

A Dell PowerEdge R515 provided by CSCF.

==== Specs ====

* 2x 2.6 GHz 8-core processors (AMD Opteron(tm) Processor 4376 HE)
* 64GB RAM
* 10GbE connection to core router
* 2x 500GB internal SSD
* 12x Seagate 4TB SSHD
==== Services ====

* OpenStack block and object storage for csclub.cloud
* ????
'''Notes'''

* TODO: cloudstack migration

==''guayusa''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2TB PCI-Express Flash SSD
* 2x75GB 15k drives (RAID 1)

==== Services ====

* load-balancer-01

Was used to experiment the following then-new CSC services:

* cifs (for booting ginkgo from CD)
* caffeine-01 (testing of multi-node caffeine)
* TODO: ???
** block1.cloud
** object1.cloud
'''Notes'''

* TODO: cloudstack migration
* TODO: ditch... Currently being used to set up NextCloud.

==''ginkgo''==

Supermicro server funded by MEF for CSC web hosting. Locate in MC 3015.

==== Specs ====

* 2x Intel Xeon E5-2697 v4 @ 2.30GHz [18 cores each]
* 256GB RAM
* 2 x 1.2 TB SSD (400GB of each for RAID 1)
* 10GbE onboard, 25GbE SFP+ card (also included 50GbE SFP+ card which will probably go in mirror)

==== Services ====

* OpenStack Compute machine

No longer in use:

* controller1.cloud
* db1.cloud
* router1.cloud (NAT for cloud tenant network)
* network1.cloud

'''Notes'''
* TODO: cloudstack migration

*

= Storage =

==''fs00''==

fs00 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* dual SFP connection to core switch

... TODO

==''fs01''==

fs01 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====
... TODO

TODO: disconnected??

==''fs10''==

fs10 is a '''NetApp FAS8040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* FAS8040 (dual heads)
** ... TODO
* 6 DS4324 HDD shelves (24-disks each)
** 24 x 2TB HDDs (assorted brands/models)
** Dual IOM3 controllers.
** Loop 1: bottom 4 shelves
** Loop 2: top 2 shelves + SSD shelf
* 1 DS2246 SSD shelf (TODO: right model?)
** 24 Samsung SM1625 SSDs (MZ-6ER2000/0G3), 200GB (SAS 2, 2.5")

= Other =

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

== ps3 ==
This is just a very wide PS3, the model that supported running Linux natively before it was removed. Firmware was updated to remove this feature, however it can still be done via. homebrew.

'''Specs'''

* It's a PS3.

'''2022-10-24''' - Thermal paste replaced + firmware updated to latest supported version, also modded.

==''binaerpilot''==

This is a Gumstix Overo Tide CPU on a Tobi expansion board. It is currently attached to corn-syrup in the machine room and even more currently turned off until someone can figure out what is wrong with it.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''anamanaguchi''==

This is a Gumstix Overo Tide CPU on a Chestnut43 expansion board. It is currently in the hardware drawer in the CSC.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

'''NOTE: May have disappeared at some point'''

==''digital cutter''==

See [[Digital Cutter|here]].

= Decommissioned =

==''biloba''==

Dead, died after the poweroutage of May 9th, 2025, previously served as Cloudstack master node or wtv.

Supermicro server funded by SLEF for CSC web hosting. Located in DC 3558. TODO: rack??

==== Specs ====

* 2x Intel Xeon Gold 6140 @ 2.30GHz [18 cores each]
* 384GB RAM
* 12 3.5" Hot Swap Drive Bays
** 2 x 480 GB SSD
* 10GbE onboard, 10GbE SFP+ card (on loan from CSCF)

==== Services ====

* OpenStack Compute machine
'''Notes'''
* TODO: cloudstack migration

No longer in use:

* caffeine
* mail
* mattermost

==''aspartame''==

aspartame was a taurine clone donated by CSCF. It was once our primary file server, serving as the gateway interface to space on phlogiston. It also used to host the [[#auth1|auth1]] container, which has been temporarily moved to [[#dextrose|dextrose]]. Decomissioned in March 2021 after refusing to boot following a power outage.

==''psilodump''==

psilodump is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling phlogiston, hosted disk shelves exported as iSCSI block devices.

psilodump was plugged into aspartame. It's still installed but inaccessible.

==''phlogiston''==

phlogiston is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling psilodump, hosted disk shelves exported as iSCSI block devices.

phlogiston is turned off and should remain that way. It is misconfigured to have its drives overlap with those owned by psilodump, and if it is turned on, it will likely cause irreparable data loss.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 10GB RAM

==== Notes from before decommissioning ====

* The lxc files are still present and should not be started up, or else the two copies of auth1 will collide.
* It currently cannot route the 10.0.0.0/8 block to a misconfiguration on the NetApp. This should be fixed at some point.

==''glomag''==

Glomag hosted [[#caffeine|caffeine]]. Decommissioned April 6, 2018.

==== Specs ====

* Intel Xeon X3450 @ 2.67 GHz
* 6 GB RAM
* vg0: 465 GB software RAID1 (contains root partition):
** 750 GB Seagate Barracuda SATA hard drive
** 500 GB Western-Digital Caviar Blue SATA hard drive
* vg1: 596 GB software RAID1 (contains caffeine):
** 2 × 640 GB Western-Digital Caviar Blue SATA hard drive

==== Services ====

* Before its decommissioning, glomag hosted [[#caffeine|caffeine]], [[#mail|mail]], and [[#munin|munin]] as [[Virtualization#Linux_Container|Linux containers]]

==''Lisp machine''==

A Symbolics XL1200 Lisp machine. Donated to a new home when we couldn't get it working.

http://www.globalnerdy.com/2008/12/03/symbolics-xl1200-lisp-machine-free-to-a-good-home/ for some history on this hardware.

==== Specs ====

Currently inoperable due to (at least) a missing console cable.

==''ginseng''==

Ginseng used to be our fileserver, before aspartame and the netapp took over.

==== Specs ====

* Intel Pentium Dual Core E2180
* 8GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/s3000ah_tps_1_1.pdf Intel S3000AHV Motherboard]
* 4 × 640 GB Western-Digital Caviar Blue in [[wikipedia:Nested_RAID_levels#RAID_10_.28RAID_1.2B0.29|RAID 10]] behind a [http://www.3ware.com/products/serial_ata2-9650.asp 3ware 9650SE RAID card].
[[Category:Hardware]]

==''calum''==

Calum used to be our main server and was named after Calum T Dalek. Purchased new by the club in 1994.

==== Specs ====

* SPARCserver 10 (headless SPARCstation 10)

==''paza''==

An iMac G3 that was used as a dumb terminal.

==== Specs ====

* 233Mhz PowerPC 740/750
* 96 MB RAM

==''romana''==

Romana was a BeBox that has been in the CSC's possession since long before BeOS became defunct.

Confirmed on March 19th, 2016 to be fully functional. An SSHv1 compatible client was installed from http://www.abstrakt.ch/be/ and a compatible firewalled daemon was started on Sucrose (living in /root, prefix is /root/ssh-romana). The insecure daemon is to be used a bastion host to jump to hosts only supporting >=SSHv2. The mail daemon on the BeBox has also been configured to send mail through mail.csclub.uwaterloo.ca.

==== Specs ====

* 2 PowerPC based processors
* Stylish Blinken processor-load lights

==''sodium-citrate''==

Sodium-citrate was an SGI O2 machine.

In order to net boot you need to set /proc/sys/net/ipv4/ip_no_pmtu_disc to 1. When the O2 boots, hit F5 at the boot menu and type bootp():.

==== Specs ====
* SGI O2 MIPS processor
* 423 MB (?) RAM
* 2 × 2 GB hard drive

==''acesulfame-potassium''==

An old office terminal.

==== Specs ====
* Intel Pentium 4 2.67GHz
* 1GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/ABIT_VT7.pdf ABIT VT7] Motherboard
* ATI Radeon 7000

==''skynet''==

skynet was a Sun E6500 machine donated by Sanjay Singh. It was never fully set up.

==== Specs ====

* 15 full CPU/memory boards
** 2x UltraSPARC II 464MHz / 8MB Cache Processors
** ??? RAM?
* 1 I/O board (type=???)
** ???x disks?
* 1 CD-ROM drive

*[http://mirror.csclub.uwaterloo.ca/csclub/sun_e6500/ent6k.srvr/ e6500 documentation (hosted on mirror, currently dead link)]
*[http://docs.oracle.com/cd/E19095-01/ent6k.srvr/ e6500 documentation (backup link)]
*[http://www.e6500.com/ e6500]

==''freebsd''==

FreeBSD was a virtual machine with FreeBSD installed.

==== Services ====

* Newer software

==''rainbowdragoneyes''==

Rainbowdragoneyes was our Lemote Fuloong MIPS machine. This machine is aliased to rde.csclub.uwaterloo.ca.

==== Specs ====

* 800MHz MIPS Loongson 2f CPU

==''denardo''==

Due to some instability, general uselessness, and the acquisition of a more powerful SPARC machine from MFCF, denardo was decommissioned in February 2015.

==== Specs ====

* Sun Fire V210
* TI UltraSparc IIIi (Jalapeño)
* 2 GB RAM
* 160 GB RAID array
* ALOM on denardo-alom.csclub can be used to power machine on/off
==''artificial-flavours''==

Artificial-flavours was our secondary (backup services) server. It used to be an office terminal. It was decommissioned in February 2015 and transferred to the ownership of Women in Computer Science (WiCS).

==== Specs ====

* Intel Celeron 3.2GHz
* 2GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/Biostar_P4M80-M4.pdf Biostar P4M80-M4] Motherboard
* Western-Digital 80 GB ATA hard drive

==''potassium-citrate''==

Potassium-citrate is a dual-processor Alpha machine. It is on extended loan from pbarfuss.

It is temporarily decommissioned pending the reinstallation of a supported operating system (such as OpenBSD).

==== Specs ====
* Alphaserver CS20 (2 833MHz EV68al CPUs)
* 512MB RAM
* 36 GB Seagate SCSI hard drive

==''potassium-nitrate''==

This was a Sun Fire E2900 from a decommissioned MFCF compute cluster. It had a SPARC architecture and ran OpenBSD, unlike many of our other systems which are x86/x86-64 and Linux/Debian. After multiple unsuccessful attempts to boot a modern Linux kernel and possible hardware instability, it was determined to be non-cost-effective and non-effort-effective to put more work into running this machine. The system was reclaimed by MFCF where someone from CS had better luck running a suitable operating system (probably Solaris).

The name is from saltpetre, because sparks.

==== Specs ====

* 24 CPUs
* 90GB main memory
* 400GB scratch disk local storage in /scratch-potassium-nitrate

There is a [[Sun 2900 Strategy Guide|setup guide]] available for this machine.

See also [[Sun 2900]].

==''taurine''==

'''Note: On August 21, 2019, just before 2:30PM EDT, we were informed that taurine caught fire'''. As a result, taurine has been decommissioned as of Fall 2019.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 8GB RAM
* 136 GB LVM volume group

==== Services ====

* Virtual machines
* BitlBee IRC instant messaging gateway (localhost only)
*[[ident]] server to maintain high connection cap to freenode
* Runs ssh on ports 21,22,53,80,81,443,8000,8080 for user's convenience.

==''dextrose''==

dextrose was a [[#taurine|taurine]] clone donated by CSCF and was decommissioned in Fall 2019 after being replaced with a more powerful server.

==''sucrose''==

sucrose was a [[#taurine|taurine]] clone donated by CSCF. It was decommissioned in Fall 2019 following multiple hardware failures.

==''goto80''==
'''Note (2022-10-25): This seems to have gone missing or otherwise left our hands.'''

This was small ARM machine we picked up in order to have similar hardware to the Real Time Operating Systems (CS 452) course. It has a [[TS-7800_JTAG|JTAG]] interface. Located was the office on the top shelf above strombola.

==== Specs ====

* 500 MHz Feroceon (ARM926ej-s compatible) processor
* ARMv5TEJ architecture

Use -march=armv5te -mtune=arm926ej-s options to GCC.

For information on the TS-7800's hardware see here:
http://www.embeddedarm.com/products/board-detail.php?product=ts-7800

==''nullsleep''==

nullsleep is an [http://csclub.uwaterloo.ca/misc/manuals/ASRock_ION_330.pdf ASRock ION 330] machine given to us by CSCF and funded by MEF.

It's decommissioned on 2023-03-20 due to repeated unexpected shutdown. Replaced by [[#powernap|powernap]].

==== Specs ====

* Intel® Dual Core Atom™ 330
* 2GB RAM
* NVIDIA® ION™ graphics
* 1x 64GB SanDisk SDSSDP064G SSD
* DVD Burner

==== Speakers ====
Nullsleep has the office speakers (a pair of nice studio monitors) currently connected to it.

==== Services ====
Nullsleep runs MPD for playing music. Control of MPD is available only to users in the "audio" group.
Music is located in /music on the office terminal

== ''bit-shifter'' ==
bit-shifter was an office terminal, decommissioned April 2023 due to extended age. It was upgraded to the same specs as Strombola at an unknown point in time.

==== Specs ====

* Intel Core 2 Quad CPU Q8300
* 4GB RAM
* Nvidia GeForce GT 440
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD
* Jacob Parker's Firewire Card

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''strombola''==
Strombola was an office terminal named after Gordon Strombola. It was retired in April 2023.

==== Specs ====
* Intel Pentium G4600 2 cores @ 3.6Ghz
* 8 GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD

==== Speakers ====
Strombola used to have integrated 5.1 channel sound before we got new speakers and moved audio stuff to nullsleep.

== ''gwem'' ==
gwem was an office terminal that was created because AMD donated a graphics card. It entered CSC service in February 2012.

=== Specs ===

* AMD FX-8150 3.6GHz 8-Core CPU
* 16 GB RAM
* AMD Radeon 6870 HD 1GB GPU
*[http://csclub.uwaterloo.ca/misc/manuals/ga-990fxa-ud7_e.pdf Gigabyte GA-990FXA-UD7] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD

== ''maltodextrin'' ==
(*specs are outdated at least as of 2023-05-27*)
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
Maltodextrin was an office terminal. It was upgraded in Spring 2014 after an unidentified failure. Not operational (no video output) as of July 2022.

==== Specs ====

* Intel Core i3-4130 @ 3.40 GHz
* 8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
*[http://csclub.uwaterloo.ca/misc/manuals/E8425_H81I_PLUS.pdf ASUS H81-PLUS] Motherboard

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''natural-flavours'' ==

Natural-flavours is an office terminal; it used to be our mirror.

In Fall 2016, it received a major upgrade thanks the MathSoc's Capital Improvement Fund.

==== Specs ====

* Intel Core i7-6700k
* 2x8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
* Cup Holder (DVD drive has power, but not connected to mother board)
= UPS =

All of the machines in the MC 3015 machine room are connected to one of our UPSs.

All of our UPSs can be monitored via CSCF:

* MC3015-UPS-B2
* mc-3015-e7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced July 2014) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-e7-ups-1&var-Interval=30m)
* mc-3015-f7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced Feb 2017) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-f7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2010) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-2&var-Interval=30m)
* mc-3015-h7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2004) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-1&var-Interval=30m)
* mc-3015-h7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-2&var-Interval=30m)

We will receive email alerts for any issues with the UPS. Their status can be monitored via [[SNMP]].

TODO: Fix labels & verify info is correct & figure out why we can't talk to cacti.

Full Flash and Centralised Backup Plan

2025-11-04T05:05:32Z

S23adhik:

NOTE: SEE [[Infrastructure Renewal Plan]] for more up to date plan

Otherwise called FFCBP. This is a plan written by Siracha (s23adhik) to transition all of csc's storage from New Netapp to a full flash array, with everything being centralized and backed up.

== Phase 1: Migrating off of New Netapp (Complete) ==
Connect a donated server (Dell R730 from CSCF) to the disk shelves in E7, and get them all connected. Then setup a zfs array and move over the entire <code>/users</code> directory to the server.

This part has been completed, and the server was named Ranch.

== Phase 2: UPS replacement & beginning flash storage acquisition ==
The UPS in rack E7, which powers the disk shelves is in a degraded state and will only last a few minutes in case of a power outage. Hence it needs to be replaced, will be getting a 4kw, or a 5kw UPS because we also want to put essential services onto this new UPS.

On another note, when the M4 move occurs, we likely wont need to worry about UPS's anymore?

Full Flash and Centralised Backup Plan

2025-10-20T23:51:01Z

S23adhik:

Otherwise called FFCBP. This is a plan written by Siracha (s23adhik) to transition all of csc's storage from New Netapp to a full flash array, with everything being centralized and backed up.

== Phase 1: Migrating off of New Netapp (Complete) ==
Connect a donated server (Dell R730 from CSCF) to the disk shelves in E7, and get them all connected. Then setup a zfs array and move over the entire <code>/users</code> directory to the server.

This part has been completed, and the server was named Ranch.

== Phase 2: UPS replacement & beginning flash storage acquisition ==
The UPS in rack E7, which powers the disk shelves is in a degraded state and will only last a few minutes in case of a power outage. Hence it needs to be replaced, will be getting a 4kw, or a 5kw UPS because we also want to put essential services onto this new UPS.

On another note, when the M4 move occurs, we likely wont need to worry about UPS's anymore?

Full Flash and Centralised Backup Plan

2025-10-20T21:22:34Z

S23adhik: Created page with "Otherwise called FFCBP. This is a plan written by Siracha (s23adhik) to transition all of csc's storage from New Netapp to a full flash array, with everything being centralized and backed up."

Otherwise called FFCBP. This is a plan written by Siracha (s23adhik) to transition all of csc's storage from New Netapp to a full flash array, with everything being centralized and backed up.

Vaultwarden

2025-10-02T01:43:39Z

S23adhik:

Can be found at; https://pass.csclub.uwaterloo.ca/

You have to manually make an account by pressing 'Create Account'

It's doesn't integrate with OAuth, or LDAP so we can't auto-create the accounts

It runs on kubernetes

Mail

2025-08-11T07:26:01Z

S23adhik: /* Technical Details */

Mail services are currently handled by [[Machine_List#mail|the mail container]] on [[Machine_List#xylitol|xylitol]].

== Reading your mail ==

You can use any user agent that supports maildir locally (mutt, alpine, etc), and any client that supports IMAP either locally or remotely. We also have webmail.

Here are the details:

* maildir
** Location: $HOME/.maildir/

* [[Webmail]]
** URL: https://mail.csclub.uwaterloo.ca/

* POP3
** No longer supported.

* IMAP
** Hostname: mail.csclub.uwaterloo.ca
** Port: 143 (IMAP), 993 (IMAPS)

* SMTP
** Hostname: mail.csclub.uwaterloo.ca
** SSL encryption and authentication required
** Port: 25, 465, or 587

== Mail Filtering ==
Mail filtering allows you to automatically organize mails into different places, like putting potential spam mail into Junk folder, or to put notifications into a separate folder to make your inbox clean.

Mail filtering can be done by writing a sieve script. Traditionally mail filtering is done through procmail, but it's currently being phased out due to its complex syntax and unmaintained state.

The easiest way to do it is to use the Filters setting on our [https://mail.csclub.uwaterloo.ca Webmail]. You can either edit with the GUI, or import a script. A simple script that puts suspected spam into "Junk" and puts syscom emails into "Mailing List" folder looks like this:

<pre>
require ["fileinto"];
# rule:[Spam]
if allof (header :contains "X-Spam-Level" "******")
{
fileinto "Junk";
}
# rule:[Mailing List]
if anyof (header :contains "list-id" "syscom.csclub.uwaterloo.ca", header :contains "list-id" "syscom-alerts.csclub.uwaterloo.ca", header :contains "list-id" "ceo.csclub.uwaterloo.ca")
{
fileinto "Mailing List";
}
</pre>

For more advanced use of sieve check out [https://doc.dovecot.org/2.3/configuration_manual/sieve/examples/ Pigeonhole Sieve examples - Dovecot].

== Mail User Agents ==
Here are instructions on how to access your CSC email using some common Mail User Agents (a.k.a. "email clients").

=== Apple Mail ===
Open the Mail app. On the Menu Bar, click on 'Mail', then 'Add account'.

[[File:Apple_mail_select_account_provider.png|300px]]

Select 'Other mail account', then 'Continue'.

[[File:Apple_mail_add_a_mail_account.png|300px]]

Fill in your real name, your CSC email address (should be watiam_id@csclub.uwaterloo.ca), and your CSC password. Click 'Sign in'.

[[File:Apple_mail_imap_details.png|300px]]

You will get an error saying 'Unable to verify account name or password'. Fill in the details as shown above, then click 'Sign in'.
Make sure to specify your WatIAM username as the username, and use <code>mail.csclub.uwaterloo.ca</code> for the incoming/outgoing
mail servers.

[[File:Apple_mail_select_apps_to_use_with_account.png|300px]]

Finally, check 'Mail', and click 'Done'.

[[File:Apple_mail_mailboxes_button.png|200px]]

If you had an existing Mail account, you will need to click on the 'Mailboxes' button to see your CSC account. There will be a dropdown
button beside 'Inboxes' on the left hand side where you can toggle between different inboxes.

=== Windows Mail ===
Note: Windows Mail can be very slow some times. I have no idea why. If you're looking for a decent email client on Windows, I strongly suggest using Thunderbird or Evolution instead.

Open the Mail app (as of this writing, 2021-04-23, its icon is a blue envelope). Click on 'Accounts' on the left hand side, then click on the '+ Add account' button. Select 'Advanced setup':

[[File:Windows_mail_choose_account_type.PNG|300px]]

Then choose 'Internet email':

[[File:Windows_mail_advanced_setup_type.PNG|300px]]

Here are some of the settings you'll need (replace your username, address, etc.):

[[File:Windows_mail_internet_account_info_1.PNG|400px]]

Here are the rest:

[[File:Windows_mail_internet_account_info_2.PNG|400px]]

Then click 'Sign in'. It may take you a very long time to connect for the first time, especially if Windows is doing one if its dreaded updates in the background. If it's still hanging after a few hours, it might be a good idea to close the window and try again.

Once you're signed in, you should be able to see your CSC account in the Mail app on the left hand side.

=== Gmail (SMTP Relay) ===
It is possible to [https://support.google.com/mail/answer/6304825 link third-party email accounts to Gmail]. Here's one way to do it.

Login to Gmail, go to Settings, and then under 'Accounts and Import', click 'Add another email address'.

[[File:Gmail_settings_accounts_1.png|800px]]

Fill in your real name and CSC email address (should be watiam_id@csclub.uwaterloo.ca). I would suggest unchecking the 'Treat as an alias'
box unless you want your CSC and Gmail addresses to be treated the same. See more info [https://support.google.com/a/answer/1710338 here].

[[File:Gmail_add_another_email_address_you_own.png|600px]]

Fill in your CSC username and password:

[[File:Gmail_add_account_credentials.png|600px]]

Google will send a confirmation email to your CSC address. Either click on the link in the email or enter the confirmation code.

[[File:Gmail_add_address_confirmation.png|600px]]

If you return to Gmail, you should now see your CSC account under your settings. I suggest selecting the 'Reply from the same address the message was sent to'
option.

[[File:Gmail_settings_accounts_2.png|800px]]

Now, if you click on the 'Compose' button on the left hand side, you should be able to select your CSC address as the sender.

[[File:Gmail_choose_sender.png|600px]]

If you want to receive your CSC messages via Gmail, just append your Gmail address to the end of the <code>.forward</code> file in your home directory on the CSC servers (it needs to be on a new line).

=== Outlook Desktop ===

This is probably the world's most powerful email client, but you need to jump through a lot of hoops to setup your CSC email with it. Luckily I've done those for you so just follow these steps:

[[File:Ol1.png|600px]]

Open Outlook and click File at the top left.

[[File:Ol2.png|600px]]

Click Account Settings and then Manage Profiles.

[[File:Ol3.png|600px]]

Click Email accounts...

[[File:Ol4.png|600px]]

Click New...

[[File:Ol5.png|600px]]

Enter your name, CSC email and password. If you have an email alias, don't use your alias, use your QuestID@csclub.uwaterloo.ca email. Click Next >

[[File:Ol6.png|600px]]

It will start searching for your account, this can take a minute or two.

[[File:Ol7.png|600px]]

Once it finishes configuring it you'll get a test email.

[[File:Ol8.png|600px]]

Uncheck Set up Outlook Mobile on my phone (unless you want to), and check Change account settings. Then click Next >

[[File:Ol9.png|600px]]

If you have an email alias, you can now change your email to that in the Email Address field. Don't change your logon info. You can click More Settings to change your mailbox name, or click Finish (setup is complete).

[[File:Ol10.png|600px]]

You can change the name here. That's it. I've provided the other two tabs' configs below just in case anyone (including future me) needs it.

[[File:Ol11.png|600px]]
[[File:Ol12.png|600px]]

=== Gnus ===

Gnus is one of the MUAs built into GNU Emacs. Gnus is very powerful and flexible, and comes with several "backend"s out of the box for reading newsgroups, email, RSS feeds, and more. Over the years people have written many other backends for it as well.

To get started using Gnus for reading your CSC mail over IMAPS, you can start with the following simple configuration based on Gnus's <code>nnimap</code> backend:

<nowiki>
(setq mail-user-agent 'gnus-user-agent
read-mail-command 'gnus
gnus-select-method '(nnnil "")
gnus-secondary-select-methods
'((nnimap "csc"
(nnimap-stream tls)
(nnimap-address "mail.csclub.uwaterloo.ca")
(nnimap-user "abandali"))))</nowiki>

The <code>gnus-secondary-select-methods</code> variable set above is the most important bit.

For reference sake, here's how we can do client-side mail splitting in Gnus: say we want to move all messages with a <code>X-Spam-Flag</code> header of <code>YES</code> to the Junk folder; here's how we tell Gnus to do that:

<nowiki>
(setq gnus-secondary-select-methods
'((nnimap "csc"
(nnimap-stream tls)
(nnimap-address "mail.csclub.uwaterloo.ca")
(nnimap-user "abandali")
(nnimap-inbox "INBOX")
(nnimap-split-methods 'nnimap-split-fancy)
(nnimap-split-fancy
(|
;; move spam to Junk
("X-Spam-Flag" "YES" "Junk")
;; catch-all; leave everything else in inbox
"INBOX")))))</nowiki>

Gnus has a plethora of useful and complex features, and one cat get very fancy with it. But that is left as an exercise for the [https://www.gnu.org/software/emacs/manual/gnus.html interested reader]. :-)

== Technical Details ==

=== Relay Server ===
At some point IST started enforcing that everyone use their Relay server so we did, info on how we configured it can be found here; [https://uwaterloo.atlassian.net/wiki/spaces/FAST/pages/5212014152/Bulk+Automatic+Email+Configuration]

=== Mail Transfer (Incoming) ===

[http://www.postfix.org/ Postfix] is our MTA and runs on mail. Incoming mail is received inbound on smtp/25 or ssmtp/465 and goes through a sequence of filters before being delivered to users.

We are using the following filters for incoming mail, to combat spam and malware:

* zen.spamhaus.org RBL
* Greylisting with rspamd (see below)

These filters reject truckloads of spam, preventing them from reaching your inbox. Greylisting adds a delay to mail delivery from unknown servers, but after a small number of successes they will be auto-whitelisted. If that isn't good enough, ask systems-committee@csclub.uwaterloo.ca to whitelist all mail to your address.

=== Spam filtering ===
Before mail is delivered, it is sent to rspamd for spam checking. rspamd might greylist and/or add headers to the mail. rspamd WON'T reject the mail on its own. It is up to the user's filter to decide what to do based on the spam headers (usually put mails tagged as spam into a folder like Junk).

=== Mail Delivery ===

User mail is delivered by LMTP to dovecot. This is configurable by adding a comma-separated list of destinations in $HOME/.forward. See aliases(5) for more details.

Dovecot, in turn, runs the mail through user's sieve filter script (in $HOME/.maildir/sieve/ with the active filer symlink-ed to $HOME/.maildir/.dovecot.sieve). If no sieve script is found, Dovecot defaults to an internal sieve script, which pipes the mail though procmail to maintain compatibility with existing $HOME/.procmailrc scripts. You can write sieve scripts by hand, or use the graphical editor provided by https://mail.csclub.uwaterloo.ca, under Settings/Filters.

Note that procmail compatibility might be removed in the future.

==== Failures ====

If you are out of quota or another error occurs writing to your home directory, dovecot will deliver your message to /var/mail/$USER on the mail server. If that too fails, the server is probably on fire. The message will be returned to the queue where it will eventually bounce.

==== Sieve/ManageSieve ====
Dovecot also allows editing sieve scripts via ManageSieve protocol on 4190.

==== Forwarding ====

Place the following in $HOME/.forward to keep a local copy of your mail as well as forward it to some other email account. Replace ctdalek with your CSC username, but make sure the backslash stays.

<nowiki>
\ctdalek
calumt@dalek.com</nowiki>

=== Mail Retrieval ===

We run [http://www.dovecot.org Dovecot], an IMAP server. It reads messages from $HOME/.maildir, so if you have procmail deliver your mail elsewhere you will be unable to retrieve your mail using IMAP.

=== Mail Submission (Outgoing) ===

On the mail container, outgoing mail is submitted directly to Postfix via the sendmail(1) wrapper or on submission/587. Submitted mail is then queued for delivery to its destination. The other systems have no MTA and instead run sSMTP, which relays mail through the mail container immediately without any queue or daemon.

[[Category:Software]]

Nextcloud

2025-08-04T18:24:45Z

S23adhik:

= General Administration Notes =

* To use the admin account, use https://files.csclub.uwaterloo.ca/login?direct=1&noredir=1 with the admin credentials found in syscom machine.


= Storage setup =

NFS mount. Add this to <code>/etc/fstab</code>.

<pre>fs00.csclub.uwaterloo.ca:/nextcloud /var/lib/machines/nextcloud/data nfs bg,vers=3,sec=sys,nosuid,nodev 0 0
</pre>

= Container setup =

See https://wiki.csclub.uwaterloo.ca/Systemd-nspawn .


= Inside the container =

Use <code>machinectl shell nextcloud</code> to obtain a root shell inside the container.


== Network configuration ==

Add IPv4 and IPv6 address to <code>/etc/network/interfaces</code> as usual.


== Install server software ==

Grab the essentials first.

<syntaxhighlight lang="bash">apt install apt-transport-https curl unzip
</syntaxhighlight>
Nextcloud recommends PHP 8.0 (have JIT support, performance go brrr), but debian bullseye doesn't have it in official repository. So add a thrid-party repository.

Create <code>/etc/apt/sources.list.d/sury-php.list</code>.

<pre>deb https://packages.sury.org/php/ bullseye main
</pre>
And obtain the repository signing key.

<syntaxhighlight lang="bash">curl -O /etc/apt/trusted.gpg.d/sury-php.gpg https://packages.sury.org/php/apt.gpg
</syntaxhighlight>
Finally we can install server software packages.

<syntaxhighlight lang="bash">apt install nginx php8.0-fpm php8.0-curl php8.0-dom php8.0-gd php8.0-mbstring php8.0-zip php8.0-mysql php8.0-bz2 php8.0-intl php8.0-redis php8.0-imagick ffmpeg php8.0-bcmath php8.0-ldap php8.0-apcu libmagickcore-6.q16-6-extra/stable
</syntaxhighlight>

== Setup Nginx ==

See full configuration at https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. Change the PHP upstream to this:

<syntaxhighlight lang="nginx">upstream php-handler {
server unix:/var/run/php/php8.0-fpm.sock;
}
</syntaxhighlight>
Also change <code>root</code> to <code>/var/www/nextcloud</code>.

We will use the Mozilla intermediate SSL configuration. See https://ssl-config.mozilla.org/. As of SSL certificate, we will use our wildcard <code>csclub.uwaterloo.ca</code> certificate. Copy them from xylitol.


== Database setup ==

We'll use the MariaDB instance at coffee. Create a db user and database for nextcloud there. Make sure it will allow connection from ip address of the nextcloud container.


== Install Nextcloud ==

Download zip from https://nextcloud.com/install/ (find the Archive version). Extract to <code>/var/www/nextcloud</code>. Change owner of the folder to <code>www-data:www-data</code>.

The DNS should be configured by now. Go to https://files.csclub.uwaterloo.ca. Installation page should be up. Fill in the details to finish the installation.


== Setup cron job ==

We goes the <code>systemd</code> approach. See https://docs.nextcloud.com/server/24/admin_manual/configuration_server/background_jobs_configuration.html#systemd.

Basically, setup a service and a timer. Enable the timer.


= LDAP and OIDC setup =

In our setup, OIDC will be used for SSO (Single Sign On) only. User and group information will then be handled via the LDAP plugin. This ensures user can sign in with their WatIM credential (just like Quest and Learn), and their group information is correctly assigned in Nextcloud.

First setup LDAP plugin. Enable <code>LDAP/AD integration</code> in Apps, then navigate to Settings-Administration-LDAP/AD integration (must be admin). Fill in the information as follows:

* Server
** ldaps://ldap1.csclub.uwaterloo.ca 636
** User DN && Password: blank
** Base DN: dc=csclub,dc=uwaterloo,dc=ca
* User
** LDAP Query: (&(objectClass=member)(!(shadowExpire=1)))
* Login attributes
** LDAP Query: (&(|(objectclass=member))(uid=%uid))
* Group
** LDAP Query: (&(objectClass=posixGroup)(uniqueMember=*))
* Advanced
** Backup (Replica) Host: ldaps://ldap2.csclub.uwaterloo.ca
** Base User Tree: ou=People,dc=csclub,dc=uwaterloo,dc=ca
** Base Group Tree: ou=Group,dc=csclub,dc=uwaterloo,dc=ca
** Group-Member association: uniqueMember
** Special Attributes: mailLocalAddress
** Internal Username: uid

If things goes okay, csc users should appear in Nextcloud's user list.


== OIDC setup ==

We use https://github.com/pulsejet/nextcloud-oidc-login for OIDC integration with KeyCloak.

First setup Keycloak. See https://github.com/pulsejet/nextcloud-oidc-login#usage-with-keycloak.

Then install this plugin in Nextcloud. Then, edit Nextcloud's config file at <code>/var/www/nextcloud/config/config.php</code>. Here're some highlights.

<syntaxhighlight lang="php">'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'REDACTED',
'oidc_login_provider_url' => 'https://keycloak.csclub.uwaterloo.ca/auth/realms/csc',
'oidc_login_end_session_redirect' => true,
'oidc_login_logout_url' => 'https://files.csclub.uwaterloo.ca/apps/oidc_login/oidc',
'oidc_login_auto_redirect' => true,
'oidc_login_redir_fallback' => true,
'oidc_login_attributes' =>
array (
'id' => 'preferred_username',
'mail' => 'email',
'ldap_uid' => 'preferred_username',
),
'oidc_login_webdav_enabled' => true,
'oidc_login_disable_registration' => false,
'oidc_login_proxy_ldap' => true,
</syntaxhighlight>

= ''Speed'' =


== Memory caching ==

<code>redis</code> and <code>APCu</code> are used for caching. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html. Note that since it's a local setup, we use a UNIX socket to connect to Redis.


== Dedicated push notification server ==

There's a dedicated nextcloud client push notification server available, which should drastically reduce server load if a lot of people are using the Nextcloud client.

See https://github.com/nextcloud/notify_push. To set it up:

# Install "Client Push" app from Nextcloud app store
# Create and enable a systemd service
# Add reverse proxy configuration to nextcloud's Nginx config file

You should test the setup, use https://github.com/nextcloud/notify_push/tree/main/test_client. To those who are unfamiliar with Rust, just clone it and run <code>cargo build --release</code>. You'll find the binary at <code>target/release</code>.


= Miscellaneous =

* Email setup
** Just fill it in admin panel.
* Theme
** We use https://github.com/mwalbeck/nextcloud-breeze-dark for some KDE vibe. Oh, change the icon too.

=== Common Issues ===

==== 409: Resource in conflict, when auto-uploading ====
Normally caused by Nextcloud not being able to create a folder for whatever, you can just manually create the folder

Past Executive

2025-07-28T00:53:10Z

S23adhik: /* Summer */

Data sources for this exec list have been: CSC records, MathNEWS.
According to the warrior wiki dudes, there was an article about the CSC being founded in the chevron: ''This week on campus''. The Chevron. January 5 1968. Page 16. -- somebody should get a copy of that.

= Definitions =
#define PR President
#define VP Vice-president
#define TR Treasurer
#define SE Secretary
#define AV Assistant Vice-president
#define SA Sysadmin
#define OF Office Manager
#define LI Librarian
#define WW Webmaster

#ifdef __HISTORICAL__
#define FL Flasher
#define DE Deity
#define SE-TR Secretary-Treasurer (Position was split)
#define FR Fridge Regent (IMAPd)
#endif /* __HISTORICAL__ */

<div style="float:right;margin-left: 1em;">__TOC__</div>

=Founding 1967=

Sponsor - J. Peter Sprung
PR: K. Rugger
VP: R. Jaques
SE-TR: G. Sutherland

Founding Members:
B. Kindree
R. Melen
V. Neglia
R. Charney
R. Truman
Glenn Berry
D. Meek

===Fall===

PR: Bill Kindred
VP: Rick Jacques
SE-TR: Graham Sutherland

Committee members: R. Stallwerthy, C. de Vries

=1968=

===Winter===

PR: Bill Kindred
VP: Rick Jacques
SE-TR: Graham Sutherland

===Fall===

SE-TR: Glenn Berry

=1969=

Unknown, only one letter found in the folder 'ACM History' addressed to Glenn Berry, which makes it likely that he was SE-TR once again. May be indicated in membership lists. The club appears to have died this academic year.

=1970=

===A note on ACM affiliation===

The first attempt at joining the ACM was started with an informal inquiry Dec 5, 1967. This lead to a series of constitution edits (working towards affiliation) in Winter 1968. There was a break for the spring (no correspondence found, I presume we were waiting on a reply). In the fall records indicate that our constitution and chartering was rejected, further correspondence was sent in Fall 1968 by Glenn Berry. A new inquiry, seemingly unaware of the first was sent Dec 7, 1970

===Fall===

PR: Rick Beach
VP: Lee Santon
TR: Randy Melen
SE: Vic Neglia

=1971=

===Spring===

VP: James H. "Jim" Finch and James W. Welch both signed letters as VP.

===Fall===

VP: James W. Welch

=1972=

It appears we visited Western and Western visited us this year (there is some reference to a similar occurrence the year previous). Documents from 1973 indicate a termly exec structure, this probably goes back to 1972.

===Winter===

PR: Mike Campbell
VP: Edgar Hew
SE-TR: Doug Lacy

There is also stuff from James W. Welch without a position.

===Fall===

PR: Ian McIntosh

=1973=

Faculty Sponsor: Morven Gentleman

===Winter===

SE: Douglas E. Lacy

===Spring===

PR: Jim Parry

===Fall===

PR: Jim Parry
VP: Ray Walden
TR: Slavko Stemberger
SE: Mario Festival

=1974=

===Fall===

PR: Russell Crook

=1975-1977=

Faculty Sponsor: Morven Gentleman??

Peter Raynham reports (first hand account): president for at least 2 or 3 terms in this period.
Sylvia Eng: 1975/6 as some position.
Dave Buckingham: a VP at some point
Allison Nolan: 1977 time
Peter Stevens: 1977
Russel Crook???

Dennis Ritchie came. So did Jeffrey D. Ullman.

=1976=

===Fall===
<code>Progcom: Peter Stevens</code>

=1977=

===Winter===

Progcom: Allison Nowlan

===Spring===

PR: Peter Stevens
Progcom: Allison Nowlan

===Fall===

PR: Andrzej Jan Taramina
Progcom: Allison Nowlan

=1978=

===Winter===

PR: Peter Stevens

===Spring===

TR: K.G. Dykes
SE: Kandry Mutheardy

Brian Kernighan gave a talk this term. So did Ken Thompson.

=1979=

===Spring===

PR: Robert Biddle
=1987=

===Fall===

PR: Jim Boritz
VP: Ted Timar
TR: Gayla Boritz
SE: Edwin Hoogerbeets

=1988=

Tim Timar - cc'd on memos/mentioned on mathsoc minutes in 1987/88.
The Sysadmin and Office Manager positions seem to have been created somewhere in here. The 'Record Management Profile' that Rob*n Stewart did as an assignment in 1991-1992 for some class at UBC
indicates the existence of both positions. We acquired an HP-9000 in the summer of 1988 and as this was our first "real" computer (previously we had an IBM PC and terminal), the sysadmin position was created, starting with the Fall 1988 term.

===Winter===
PR: Jim Boritz
(Source: https://csclub.uwaterloo.ca/misc/procedure.pdf)

===Fall===

SA: Wade Richards

=1989=

===Winter===

https://mirror.csclub.uwaterloo.ca/csclub/bill-gates-1989-big.jpg

Left to right: Jim Boritz (bottom), Wade Richards (top), Ted Timar, ???, Keven Smith, Bill Gates (not exec), Angela Chambers, Ross Ridge (top), Sean Goggin (bottom), ???

PR: Barry W. Smith
VP: Angela Chambers
SE: Sean Goggin
SA: Wade Richards / Ross Ridge

(President Kevin Smith confirmed: https://csclub.uwaterloo.ca/misc/procedure.pdf)

===Spring===

PR: Jim Thornton
VP: Gayla Boritz
TR: David Fenger
SE: Kivi Shapiro
SA: Reid Pinchback

Assistance to sysadmin: Jim Boritz.

===Fall===

PR: James Boritz
VP: Edmond Bourne
SA: Ross Ridge

=1990=

===Winter===

TR: Jim Thornton

===Spring===

TR: Karen Smith
SE: Rob*n Stewart
Robyn/Robin signed her emails as Rob*n and requested to be listed as such on this page.

===Fall===
PR: Wade Richards
TR: Carolyn Duke
SE: Rob*n Stewart - attended mathsoc meeting on our behalf.
Kivi Shapiro - attended mathsoc meeting on our behalf.
- Censured by mathsoc for his actions during the election.
Shannon Mann - attended mathsoc meeting on our behalf.

=1991=

===Winter===
VP: Edmond Bourne
TR: Carolyn Duke
SE: Rob*n Stewart
Shannon Mann - attended mathsoc meeting on our behalf.

John McCarthy came this term.

===Spring===
TR: Rob Leitman
Jason Knell - attended mathsoc meeting on our and PMC's behalf.

===Fall===
TR: Mike Van Lingen
Wiktor Wiewiorowski - attended mathsoc meeting on our behalf this term.
=1992=

===Winter===
TR: Norm Ross
SE: Brent Williams

===Spring===
PR: Dale Wick
TR: Stephen A. Mills

===Fall===
TR: Mark Plumb
=1993=

===Winter===
TR: Rob Leitman
VP: Tim Prime
OF: Dave Ebbo
LI: Norm Ross

Other exec for this term: Ellen Hsiang, Sam Coulombe, Peter Gray

===Spring===
TR: Mark Tompsett

===Fall===

PR: Ian Goldberg

=1994=

===Winter===
PR: Ian Goldberg
TR: Mark Tompsett
SE: Tom Rathbourne
LI: Michael Van Biesbrouck
Norm Ross assisted with finances.

===Spring===
PR: Dale Wick (?)
TR: Steve Mills
SA: Ian Goldberg (?)
Norm Ross assisted with finances.

===Fall===
PR: Ross Ridge
VP: Tom Rathbourne (?)
TR: Rob Leitman
SA: Zygo Blaxell
LI: Michael Van Biesbrouck
=1995=

===Winter===
TR: Sharlene Schmeichel
Amy Brown and Rob Ridge purchased books.

===Spring===
TR: Steve Mills

===Fall===
PR: Amy Brown (arbrown)
VP: Christina Norman (cbnorman)
TR: Steven Mills (samills)
SE: Allyson Graham (akgraham)
SA: Gavin Peters
=1996=

===Winter===
PR: Nikita Borisov (nborisov)
VP: Joseph Deu Ngoc (dtdeungo)
TR: Stephen Mills (samills)
SE: Sharlene Schmeichel (saschmei)
SA: Dave Brown (dagbrown)
OF: Somsack Tsai (stsai)
LI: Devin Carless (dccarles)
FL: Allyson Graham (akgraham)
DE: Ian Goldberg (iagoldbe)

===Spring===
PR: Blake Winton (bwinton)
VP: Nick Harvey (njaharve)
TR: Nikita Borisov (nborisov)
SE: Viet-Trung Luu (vluu)
SA: Drew Hamilton (awhamilt)
OF: Jillian Arnott (jarnott)
LI: Ross Ridge (rridge)
FL: Devin Carless (dccarles)

=== Fall ===
PR: Shannon Mann (sjbmann)
VP: Joe "Frosh" Deu Ngoc (jtdeungo) resigned (heavy workload)
TR: Michal Van Biesbrouck (mlvanbie)
SE: Nikita Borisov (nborisov)
SA: Chris Rovers
OF: Dax Hutcheon (ddhutche) became VP upon jtduengo's resignation
LI: Aliz Csenki (acsenki)
FL: Aaron Chmielowiec (archmiel)
DE: Skuld (no uwuserid yet...)
=1997=

===Winter===
PR: Dima Brodsky
VP: Nikita Borisov (nborisov)
TR: Stephen Mills (samills)
SE: Evan Jones (ejones)
SA: Alex Brodsky
OF: Chris Doherty
LI: Matt Corks
FL: Paul Prescod

=== Fall ===
PR: Chris Rovers (cdrovers)
VP: Michael van Biesbrouck (mlvanbie)
TR: Somsack Tsai (stsai)
SE: Matt Corks (mvcorks)
SA: Lennart Sorensen (lsorense)
LI: Chmielowiec (archmiel)
OF: Devin Carless (dccarles)
FL: Aaron Chmielowiec (archmiel)
= 1998 =

=== Winter ===
PR: Suresh Naidu
VP: Viet-Trung Luu
TR: Tim Coleman
SE: Dax Hutcheon
LI: Dax Hutcheon
Flasher: Dax Hutcheon
WW: Dax Hutcheon
SA: Robin Powell
OF: Aaron Chmielowiec

=== Spring ===

Position Name You might call them...
President roconnor Russell O'Connor
Vice-president trwcolem Tim Coleman
Treasurer knzarysk Karl Zaryski
Secretary (bwinton) (Blake Winton)
Sysadmin wbiggs Billy Biggs
Librarian snaidu Suresh Naidu
Flasher pechrysl Paul Chrysler
Office Manager dccarles Devin Carless
WWWW trwcolem Tim Coleman

=== Fall ===

President Joe Deu Ngoc jtdeungo
Vice-President Wai Ling Yee wlyee
Treasurer Fjord j2lynn
Secretary Matt Corks mvcorks
Sysadmin Andrew Hamilton awhamilt

World Wide Web Wench Dax Hutcheon ddhutche
Office Manager Richard Bell rlbell
Librarian Damian Gryski dgryski
Flasher Paul Chrysler pechrysl
Official Deity Ian Goldberg iagoldbe
Official Chairbeing Calum T. Dalek calum
=1999=

=== Winter ===
PR: geduggan
=2000=

=== Winter ===
PR: Will Chartrand (wgchartr)
VP: Gavin Duggan (geduggan)
SA: Lennart Sorensen (lsorense)

=== Fall ===
PR: geduggan
SA: bioster
=2001=

=== Winter ===
PR: geduggan

=== Spring ===
PR: geduggan

=2002=

https://web.archive.org/web/20130715012002/http://www.mathnews.uwaterloo.ca/Issues/mn8902/cscflash.php

=== Winter ===
PR: Billy Biggs
VP: Stefanus Du Toit
TR: Melissa Basinger
SE: James Perry
SA: Barry Genova
LI: Ryan Golbeck
WW: Jonathan Beverley
Office Manager: Sayan Li

=== Spring ===
PR: Alex Pop
VP: Melissa Basinger
TR: Siyan Li
SE: James A Morrison
SA: Jonathan Beverley
WW: Stefanus Du Toit

=== Fall ===
PR: James A. Morrison
VP: Stefanus Du Toit
TR: James Perry
SE: Michael Biggs
SA: Ryan Golbeck
LI: Mark Sherry, Cassandra Schopf
WW: Stefanus Du Toit
=2003=

=== Winter ===
PR: Kannan Vijayan (kvijayan)
VP: Meg Darragh (m2darrag)
TR: James Perry (jeperry)
SE: Wojciech Kosnik (wkosnik)
SA: Stefanus Du Toit (sjdutoit)
LI: Simon Law (sfllaw)
WM: Julie Lavoie (jlavoie)

===Fall===
PR: Stefanus Du Toit (sjdutoit)
VP: Meg Darragh (m2darrag)
TR: Tor Myklebust (tmyklebu)
SE: James Perry (jeperry)
SA: Simon Law (sfllaw)
=2004=

===Winter===
PR: Simon Law (sfllaw)
VP: fspacek
TR: ljain
SE: Julie Lavoie (jlavoie)
SA: Tor Myklebust(tmyklebu)

===Spring===
PR: dnmorton ?
VP: Tim Loach (tloach)
TR: Michael Biggs (mbiggs)
SE: Lesley Northam (lanortha)

===Fall ===
PR: jeperry
VP: mtsay
TR: Mark Sherry (mdsherry)
SE: Tor Myklebust (tmyklebu)
SA: jlavoie
=2005=

===Winter===

PR: mtsay
VP: Lesley Northam (lanortha)
TR: Holden Karau (hkarau)
SE: domorton
SA: Tor Myklebust (tmyklebu)

===Spring===

PR: Mark Sherry (mdsherry)
VP: Martin Kess (mdkess)
TR: Ali Piccioni (apiccion)
SE: Michael Biggs (mbiggs)
SA: Tor Myklebust (tmyklebu)

===Fall===

PR: Tim Loach (tloach)
VP: Lesley Northam (lanortha)
TR: Caelyn McAulay (cmcaulay)
SE: The Professor
SA: Holden Karau (hkarau)
=2006=

===Winter===

PR: Tor Myklebust (tmyklebu)
VP: Michael Druker (mdruker)
TR: Caelyn McAulay (cmcaulay)
SE: Mark Sherry (mdsherry)
SA: William O'Connor (woconnor)

===Spring===
PR: David Bartley (dtbartle)
VP: David Belanger (dbelange)
TR: David Tenty (daltenty)
SE: Chris Evensen (cevensen)
SA: Holden Karau (hkarau)

===Fall===

PR: Martin Kess (mdkess)
VP: Mark Sherry (mdsherry)
TR: Sylvan L. Mably (slmably)
SE: Caelyn McAulay (cmcaulay)
SA: William O'Connor (woconnor)
=2007=

===Winter===
PR: David Bartley (dtbartle)
VP: David Belanger (dbelange)
TR: Caelyn McAulay (cmcaulay)
SE: David Tenty (daltenty)
SA: Holden Karau (hkarau)
WW: jnopporn

===Spring===
PR: Gaelan D'costa (gdcosta)
VP: Kyle Larose (kmlarose)
TR: Kyle Spaans (kspaans)
SE: Erik Louie (elouie)
SA: Michael Spang (mspang)
LI: David Tenty (daltenty)

===Fall ===
PR: Holden Karau (hkarau)
VP: Alex McCausland (amccausl)
TR: Dominik Chlobowski (dchlobow)
SE: Sean Cumming (sgcummin)
SA: David Tenty (daltenty)
WW: dtbartle / jnopporn
=2008=

===Winter ===
PR: Sean Cumming (sgcummin)
VP: Matt Lawrence (m3lawren)
TR: Mateusz Tarkowski (mtarkows)
SE: Edgar Bering (ebering)
SA: Jordan Saunders (jmsaunde)

===Summer ===
PR: Brennan Taylor (b4taylor)
VP: Qifan Xi (qxi)
TR: Matt Lawrence (m3lawren)
SE: Nick Guenther (nguenthe)

===Fall ===
PR: Matthew Lawrence (m3lawren)
VP: Edgar Bering (ebering)
TR: Michael Gregson (mgregson)
SE: James Simpson (j2simpso) resigned for medical reasons, replaced by Dominik 'Domo' Chłobowski
SA: Kyle Spaans (kspaans)
=2009=

===Winter===
PR: Michael Gregson (mgregson)
VP: Edgar Bering (ebering)
TR: Brennan Taylor (b4taylor)
SE: James Simpson (j2simpso) resigned for business reasons, replaced by Rebecca Putinski (rjputins)
SA: Jacob Parker (j3parker)
OF: XinChi Yang / Sapphyre Gervais (x23yang / sagervai) (both)

===Spring ===
PR: Michael Spang (mspang)
VP: Jacob Parker (j3parker)
TR: Sapphyre Gervais (sagervai)
SE: Matthew McPherrin (mimcpher)
SA: Anthony Brennan (a2brenna)

===Fall===
PR: Jacob Parker (j3parker)
VP: Edgar Bering (ebering)
TR: Michael Spang (mspang)
SE: Brennan Taylor (b4taylor)
SA: Michael Ellis (m2ellis)
OF: Rebecca Putinski (rjputins)
=2010=

===Winter===
PR: Kyle Spaans (kspaans)
VP: Edgar Bering (ebering)
TR: Sapphyre Gervais (sagervai)
SE: Ajnu Jacob (ajacob)
SA: Matthew Thiffault (mthiffau)
OF: Jacob Parker (j3parker)
Keyed office staffers: j3camero, jdonland, m2ellis, mimcpher, nsasherr

===Spring===
PR: Jeff Cameron (j3camero)
VP: Brennan Taylor (b4taylor)
TR: Vardhan Mudunuru (vmudunur)
SE: Matthew Lawrence (m3lawren)
SA: Michael Ellis (m2ellis)
OF: Edgar Bering (ebering)

===Fall===
PR: Jacob Parker (j3parker)
VP: Edgar Bering (ebering)
TR: Rebecca Putinski (rjputins)
SE: Kyle Spaans (kspaans)
SA: Jeremy Roman (jbroman)
OF: Amir Sayed Khader (askhader)
=2011=

===Winter===
PR: Edgar Bering (ebering)
VP: Jennifer "Emily" Wong (jy2wong)
TR: Kyle Spaans (kspaans)
SE: Elana "Alana" Hashman (ehashman)
SA: Peter "Bofh" Barfuss (pbarfuss)
OF: Marc Burns (Marc Burns)

===Spring===
PR: Matthew Thiffault (mthiffau)
VP: Matthew McPherrin (mimcpher)
TR: Kyle Spaans (kspaans)
SE: Kwame Andrew Ansong (kansong)
SA: Jeremy Brandon Roman (jbroman)
OF: Jennifer "Emily" Wong (jy2wong)

===Fall===
PR: Marc Burns (m4burns)
VP: Katharine Hyatt (kshyatt)
TR: Jacob Parker (j3parker)
SE: Elana Hashman (ehashman)
SA: Anthony "hatguy/hotgay" Brennan (a2brenna)
OF: Kyle Spaans (kspaans)
LI: Edgar Bering (ebering)
=2012=

===Winter===
PR: Marc Burns (m4burns)
VP: Elana Hashman (ehashman)
TR: Jacob Parker (j3parker)
SE: Matthew McPherrin (mimcpher)
SA: Jeremy Roman (jbroman)
OF: Luqman Aden (laden)
LI: Jennifer "Emily" Wong (jy2wong)

===Summer===
PR: Anthony Brennan (a2brenna)
VP: Luqman Aden (laden)
TR: Matthew McPherrin (mimcpher)
SE: Elana Hashman (ehashman)
SA: Sarah Harvey (sharvey)
OF: Marc Burns (m4burns)
LI: John Ladan (jladan)

===Fall===
PR: Marc Burns (m4burns)
VP: Salem Talha (satalha)
TR: Jennifer Wong (jy2wong)
SE: Elana Hashman (ehashman), resigned
SA: Jeremy Roman (jbroman)
OF: Luqman Aden (laden)
LI: John Ladan (jladan)
=2013=

===Winter===
PR: Anthony Brennan (a2brenna)
VP: Marc Burns (m4burns)
TR: John Mumford (jsmumfor)
SE: Matt Olechnowicz (mgolechn)
SA: Sarah Harvey (sharvey)
OF: Bryan Coutts (b2coutts)
LI: Matthew McPherrin (mimcpher)

===Spring===
PR: Shane Robert Creighton-Young (srcreigh)
VP: Visishta Vijayanand (vvijayan)
TR: Dominik Chlobowski (dchlobow)
SE: Youn Jin Kim (yj7kim)
SA: Anthony Brennan (a2brenna)
OF: Marc Burns (m4burns)
FR: Dominik Chlobowski (dchlobow)

===Fall===
PR: Elana Hashman (ehashman)
VP: Marc Burns (m4burns)
TR: Dominik Chlobowski (dchlobow)
SE: Edward Lee (e45lee)
SA: Jeremy Roman (jbroman)
OF: Alexis Hunt (aechunt)
= 2014 =

=== Winter ===
PR: Bryan Coutts (b2coutts)
VP: Visishta Vijayanand (vvijayan)
TR: Marc Burns (m4burns)
SE: Mark Farrell (m4farrel)
SA: Murphy Berzish (mtrberzi)
OF: Nicholas Black (nablack)

=== Spring ===
PR: Youn Jin Kim (yj7kim)
VP: Luke Franceschini (l3france)
TR: Joseph Chouinard (jchouina)
SE: Ifaz Kabir (ikabir)
SA: Murphy Berzish (mtrberzi)
OF: Matthew Thiffault (mthiffau)

=== Fall ===
PR: Youn Jin Kim (yj7kim)
VP: Theodor Belaire (tbelaire)
TR: Jonathan Jerel Bailey (jj2baile)
SE: Shane Robert Creighton-Young (srcreigh)
SA: Alexis Hunt (aechunt)
OF: Mark Farrell (m4farrel)
LI: Gianni Leonardo Gambetti (glgambet)

= 2015 =

=== Winter ===
PR: Gianni Leonardo Gambetti (glgambet)
VP: Luke Franceschini (l3france)
TR: Edward Lee (e45lee)
SE: Patrick James Melanson (pj2melan)
SA: Murphy Berzish (mtrberzi)
OF: Shikhar Singh (s285sing)
LI: Aishwarya Gupta (a72gupta)
=== Spring ===
PR: Luqman Aden (laden)
VP: Patrick Melanson (pj2melan)
TR: Jonathan Bailey (jj2baile)
SE: Keri Warr (kpwarr)
SA: Nik Black (nablack)
OF: Ilia Chtcherbakov (ischtche)
LI: Yomna Nasser (ynasser)
=== Fall ===
PR: Simone Hu (ss2hu)
VP: Theo Belaire (tbelaire)
TR: Jordan Taylore Upiter (jtupiter)
SE: Daniel Marin (dmarin)
SA: Jordan Xavier Pryde (jxpryde)
OF: Ilia Chtcherbakov (ischtche)
= 2016 =

=== Winter ===
PR: Patrick Melanson (pj2melan)
VP: Patrick Melanson (pj2melan)
Acting VP, progcom chair: Theo Belaire (tbelaire)
TR: Luqman Aden (laden)
SE: Naomi Koo (m3koo)
SA: Zachary Seguin (ztseguin)
OF: Reila Zheng (wy2zheng)
LI: Felix Bauckholt (fbauckho)
FR: Marc Mailhot (mnmailho)

=== Spring ===
PR: Luqman Aden (laden)
VP: Melissa Angelica Mary Tedesco (matedesc)
TR: Jonathan Jerel Bailey (jj2baile)
SE: Aditya Shivam Kothari (askothar)
SA: Jordan Xavier Pryde (jxpryde)
OF: Zachary Seguin (ztseguin)
LI: Charlie Wang (s455wang)
FR: Marc Mailhot (mnmailho)

=== Fall ===
PR: Charlie Wang (s455wang)
VP: Bryan Coutts (b2coutts)
TR: Laura Song (lhsong)
SE: Uday Barar (ubarar)
SA: Zachary Seguin (ztseguin)
OF: Jamie Sinn (j2sinn)
LI: Felix Bauckholt (fbauckho)
FR: Ilia Chtcherbakov (ischtche)

= 2017 =

=== Winter ===
PR: Wilson Cheang (wyschean)
VP: Tristan Hume (tghume)
TR: Jordan Pryde (jxpryde)
SE: Amir Fata (aafata)
SA: Zachary Seguin (ztseguin)
OF: Felix Bauckholt (fbaukcho)
LI: Connor Murphy (cfmurph)
FR: Marc Mailhot (mnmailho)

=== Spring ===

PR: Felix Bauckholt (fbauckho)
VP: Zichuan Wei (z34wei)
TR: Laura Song (lhsong)
SE: Bo Mo (bzmo)
SA: Zachary Seguin (ztseguin)
OF: Uday Barar (ubarar)
LI: Patrick Melanson (pj2melan)
FR: Uday Barar (ubarar)

=== Fall ===

PR: Melissa Tedesco (matedesc)
VP: Victor Brestoiu (vabresto)
TR: Tristan Hume (tghume)
SE: Marc Mailhot (mnmailho)
SA: Jordan Pryde (jxpryde)
OF: Zoë Laing (zlaing)
LI: Felix Bauckholt (fbauckho)
FR: Marc Mailhot (mnmailho)

= 2018 =

=== Winter ===

PR: Patrick Melanson (pj2melan)
VP: Charlie Wang (s455wang)
TR: Ashley Dewiputri Pranajaya (adpranaj)
SE: Arshia Mufti (a2mufti)
SA: Jordan Pryde (jxpryde)
OF: Zoë Laing (zlaing)
LI: Zichuan Wei (z34wei)
FR: Uday Barar (ubarar)

=== Spring ===

PR: Melissa Tedesco (matedesc)
VP: Dhruv Jauhar (djauhar)
TR: Tristan Hume (tghume)
AV: Marc Mailhot (mnmailho)
SA: Jennifer Zhou (c7zou)
OF: Aditya Thakral (a3thakra)
LI: Archer Zhang (z577zhan)
FR: Marc Mailhot (mnmailho)

=== Fall ===

PR: Zichuan Wei (z34wei)
VP: Uday Barar (ubarar)
TR: Alex Tomala (actomala)
AV: Neil Parikh (n3parikh)
SA: Jennifer Zhou (c7zou)
OF: Alexander Zvorygin (azvorygi)
LI: Neil Parikh (n3parikh)
FR:

= 2019 =

=== Winter ===

PR: Marc Mailhot (mnmailho)
VP: Victor Brestoiu (vabresto)
TR: Tristan Hume (tghume)
AV: Aditya Thakral (a3thakra)
SA: Charlie Wang (s455wang)
OF: Archer Zhang (z577zhan)
LI: Rishabh Minocha (rkminoch)
FR: Marc Mailhot (mnmailho)

=== Spring ===

PR: Uday Barar (ubarar)
VP: Rajat Malhotra (r24malho)
TR: Raghav Sethi (r5sethi)
AV: Bo Mo (bzmo)
SA: Charlie Wang (s455wang)
OF: Hannah Wong (sm7wong)
LI: Nolan Munce (nmmunce)

=== Fall ===

PR: Dhruv Jauhar (djauhar)
VP: Aditya Thakral (a3thakra)
TR: Rishabh Minocha (rkminoch)
AV: Tammy Khalaf (tekhalaf)
SA: Murphy Berzish (mtrberzi)
OF: Zihan Zhang (z577zhan)
LI: Raghav Sethi (r5sethi)

= 2020 =

=== Winter ===
The office was closed midway through this term due to the COVID-19 pandemic.

The pandemic that threw the University and rest of the world into disarray drove all CSC activity virtual. Though everyone thought the pandemic would quickly be over, the Alpha, then Delta, then Omicron variants resulted in the majority of classes being held online until February 2022.

As a result, the office would stay closed for a full 5 terms, and only reopen in W2022.

PR: Richard Shi (r27shi)
VP: Anastassia Gaikovaia (agaikova)
TR: Alex Tomala (actomala)
AV: Neil Parikh (n3parikh)
SA: Amin Bandali (abandali)
OF: Alexander Zvorygin (azvorygi)
LI: Anastassia Gaikovaia (agaikova)
FR: Richard Shi (r27shi)

=== Spring ===

PR: Neil Parikh (n3parikh)
VP: Anastassia Gaikovaia (agaikova)
SA: Amin Bandali (abandali)

=== Fall ===

PR: Mokai Xu (m92xu)
VP: Anastassia Gaikovaia (agaikova) (stepped down as of 2020-11-30)
TR: Neil Parikh (n3parikh)
AV: Edwin Yang (e37yang)
SA: Murphy Berzish (mtrberzi)

= 2021 =
In 2021, CSC rapidly expanded the Program Committee, introducing subcommittees including Design, Events, Marketing, Photography, Reps, Discord mods, and Discord bot developers. The website committee also expanded, and the terminal committee was officially repurposed to serve a syscom-in-training role (since the office remained closed and the terminals powered off).

=== Winter ===

PR: Kallen Tu (k4tu)
VP: Gordon Le (g2le)
TR: Neil Parikh (n3parikh)
AV: Nakul Vijhani (nvijhani)
SA: Max Erenberg (merenber)

=== Spring ===

PR: Kallen Tu (k4tu)
VP: Gordon Le (g2le)
TR: Neil Parikh (n3parikh)
AV: Ravindu Angammana (rbangamm)
SA: Max Erenberg (merenber)

=== Fall ===

PR: Dora Su (d43su)
VP: Jason Sang (jzsang)
TR: Yanni Wang (y3859wan)
AV: Anjing Li (a348li)
SA: Max Erenberg (merenber)
Advising: Neil Parikh (n3parikh)

= 2022 =

=== Winter ===

PR: Juthika Hoque (j3hoque)
VP: Eric Huang (e48huang)
TR: Eden Chan (e223chan)
AV: Dina Orucevic (dmorucev)
SA: Raymond Li (r389li)
WW: Amy Wang (a258wang)
OF: Neil Parikh (n3parikh)

=== Spring ===

PR: Eden Chan (e223chan)
VP: Bonnie Peng (b38peng)
TR: Sat Arora (s97arora)
AV: Haley Song (h79song)
SA: Raymond Li (r389li)
WW: Amy Wang (a258wang)
OF: Sat Arora (s97arora)
LI: Santiago Montemayor (smontema) (appointed 2022-06-02)
FR: Sat Arora (s97arora) (appointed 2022-06-23)

=== Fall ===

PR: Amy Wang (a258wang)
VP: Anna Wang (aj2wang)
TR: Simon Zeng (s33zeng)
AV: Mabel Kwok (m23kwok)
SA: Raymond Li (r389li)
WW: Shahan Nedadahandeh (snedadah)
OF: Mark Chen (m375chen) (appointed 2022-09-21)
LI: John Oss (joss) (appointed 2022-10-06)
FR: Mark Chen (m375chen) and Simon Zeng (s33zeng) (appointed 2022-09-21)

= 2023 =

=== Winter ===

PR: Sat Arora (s97arora)
VP: Ivy Lei (ihlei)
TR: Laura Nguyen (l69nguye)
AV: Adele Chen (a332chen)
SA: Leo Shen (y266shen)
WW: Shahan Nedadahandeh (snedadah)
OF: Young Wang (y3285wan)
LI: John Oss (joss)

=== Spring ===

PR: Sat Arora (s97arora)
VP: Joshua Kim (j649kim)
TR: Amy Wang (a258wang)
AV: Andrea Ma (a49ma)
SA: Raymond Li (r389li)
WW: Shahan Nedadahandeh (snedadah)
OF: Sean Zhang (q434zhan)

=== Fall ===

PR: Laura Nguyen (l69nguye)
VP: Amol Venkataraman (avenkata)
TR: Bryan Chen (b28chen)
AV: Amy Wang (a258wang)
SA: Nathan Chung (n4chung)
WW: Darren Lo (dlslo), Richard Shuai (r2shuai)
OF: Ivy Lei (ihlei), Kevin Cui (k8cui)

= 2024 =

=== Winter ===
PR: Ivy Lei (ihlei)
VP: Gordon Lin (g3lin)
TR: Andrea Ma (a49ma)
AV: Saurin Patel (sa23pate)
SA: Nathan Chung (n4chung)
WW: Darren Lo (dlslo), Richard Shuai (r2shuai)
OF: Tiger Ding (t27ding)

=== Spring ===
PR: Gordon Lin (g3lin)
VP: Justin Wang (yw2wang)
TR: Andrea Ma (a49ma)
AV: Sean Zhang (q434zhan)
SA: Nathan Chung (n4chung)
WW: Tejas Srikanth (tcsrikan)
OF: Bryan Wang (b397wang)
=== Fall ===
Nathan Chung resigned half way through the term, and an election was held to elect Ohm Patel as the new sysadmin.

Ivy Fan-Chiang also resigned half way through the term, and Tiger Ding was appointed as the new Office Manager.
PR: Iris Liao (a23liao)
VP: Siimar Leen Kaur (s32kaur)
TR: Grace Feng (g27feng)
AV: Ray Cao (r44cao)
SA: Nathan Chung (n4chung) resigned, replaced by Ohm Patel (o32patel)
WW: Tejas Srikanth (tcsrikan)
OF: Ivy Fan-Chiang (qkfanchi) resigned, replaced by Tiger Ding (t27ding)

= 2025 =

=== Winter ===

Alexandru-Andrei Stan resigned early in the term as the Office Manager, and Dundee Zhang was appointed as the new Office Manager.

Sourojeet Adhikari resigned late into the term as Club President. Enming Yang became Acting President.
PR: Sourojeet Adhikari (s23adhik) resigned 2025-03-23, replaced by Enming Yang (emyang) (Acting as of 2025-03-24)
VP: Enming Yang (emyang)
TR: Samir Sharma (s576shar)
AV: Alexandru-Andrei Stan (a2stan)
SA: Ohm Patel (o32patel)
WW: Ryan Zhu (ry3zhu)
OF: Dundee Zhang (dh2zhang) (appointed 2025-01-30)
FL: Dundee Zhang (dh2zhang)
FR: Alexandru-Andrei Stan (a2stan) (appointed 2025-01-30)
=== Summer ===
Grace Feng resigned half way through the term, and Dundee Zhang and Sourojeet Adhikari were appointed as the new Office Managers.

Dundee Zhang resigned from Flasher half way through the term.

Dundee Zhang resigned from President, and Office Manager Thursday July 24th 2025 due to lack of time and personal life issues

PR: Dundee Zhang (dh2zhang) (resigned 2025-07-24, replaced by Sourojeet Adhikari)
VP: Sourojeet Adhikari (s23adhik)
TR: Mincy Yang (m299yang)
AV: Shaurya Suri (s4suri)
SA: Ohm Patel (o32patel)
WW: Ryan Zhu (ry3zhu)
OF: Grace Feng (g27feng) resigned, replaced by Dundee Zhang (dh2zhang) and Sourojeet Adhikari (s23adhik)
FL: Dundee Zhang (dh2zhang) resigned, not replaced

New CSC Machine

2025-07-27T21:22:59Z

S23adhik: /* After Installing */

= Firmware Updates =

Vendors such as Dell provide firmware updates that should be applied before putting new machines into service. Even if the machine's warranty has expired, security updates are still made available.

It is recommended to use the following sequence when updating firmware on the Dell PowerEdge servers ([https://downloads.dell.com/solutions/general-solution-resources/White%20Papers/Recommended%20Workflow%20for%20Performing%20Firmware%20Updates%20on%20PowerEdge%20Servers.pdf]):

# iDRAC
# Lifecycle Controller
# BIOS
# Diagnostics
# OS Driver Pack
# RAID
# NIC
# PSU
# CPLD
# Other update
For consumer grade hardware, go to the motherboard vendor's website and find the way to upgrade the firmware.

= Booting =

* Put the TFTP image in place (if dist-arch pair installed before, you may skip this).
e.g. extract http://mirror.csclub.uwaterloo.ca/ubuntu/dists/oneiric/main/installer-amd64/current/images/netboot/netboot.tar.gz to caffeine:/srv/tftp/oneiric-amd64

* Force network boot in the BIOS. This may be called "Legacy LAN" or other such cryptic things. If this doesn't work, boot from CD or USB instead.

It is preferred to use the "alternate" Ubuntu installer image, based on debian-installer, instead of the Ubiquity installer. This installer supports software RAID and LVM out of the box, and will generally make your life easier. If installing Debian, this is the usual installer, so don't sweat it.

* Most of our newer servers (e.g. PowerEdge R815) need non-free firmware in order to boot. This means that if you are using a new netboot image, it is highly recommended to include the entire non-free firmware bundle in the boot image. See [https://wiki.debian.org/DebianInstaller/NetbootFirmware] for more information.
* For office terminals, create a boot USB (via dd, for example) and boot from USB.

= Installing =

== debian-installer ==

At least in expert mode, you can choose a custom mirror (top of the countries list) and give the path for mirror directly. This will make installation super-fast compared to installing from anywhere else.

Please install to LVM volumes, as this is our standard configuration on all machines where possible. It allows more flexible partitioning across available volumes. Since GRUB 2, even /boot may be on LVM; this is the preferred configuration for simplicity, except when legacy partitioning setups make this inconvenient.

You may enable unattended upgrades, but do not enable Canonical's remote management service or any such nonsense. This is mostly a straightforward Debian/Ubuntu install.

= After Installing =

Add the machine's name to ~git/public/hosts.git, and run the ansible playbook (https://git.uwaterloo.ca/csc/playbooks/blob/master/update-hosts.yml) to distribute the updated hosts file to all machines.

== Networking ==
Make sure to setup the IPMI on the mso-private VLAN (I think VLAN 520, check under networking page), and pleaseee set it up as a static IP.

Then fetch the MAC address from the normal network interface, then on Caffine there's a dhcp server running. You'll need to add it there, just look for where all the servers are, and add it there. Make sure to assign it an IP there, otherwise it ''won't'' be assigned one.

Then using IPAM give it a name and stuff, and a domain name.

== apt ==

Delete/clear the file <tt>/etc/apt/sources.list</tt> and paste something like the following into <tt>/etc/apt/sources.list.d/debian.sources</tt> (replace "bookworm" by the the current Debian stable codename):
<pre>
Types: deb
URIs: http://mirror.csclub.uwaterloo.ca/debian
Suites: bookworm bookworm-updates bookworm-backports
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: http://mirror.csclub.uwaterloo.ca/debian-security
Suites: bookworm-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
</pre>

Install the CSC archive signing key:
<pre>
wget -O /etc/apt/keyrings/csclub.gpg http://debian.csclub.uwaterloo.ca/csclub.gpg
</pre>

Paste the following into <tt>/etc/apt/sources.list.d/csclub.sources</tt> (or copy from another host):
<pre>
Types: deb
URIs: http://debian.csclub.uwaterloo.ca
Suites: bookworm
Components: main
Signed-By: /etc/apt/keyrings/csclub.gpg
</pre>

In order to make Debian use packages in our repository by default, set our repository to the highest priority. Create <code>/etc/apt/preferences.d/99-csclub</code>: <syntaxhighlight>
Package: *
Pin: origin debian.csclub.uwaterloo.ca
Pin-Priority: 1001
</syntaxhighlight>You should now run <tt>apt-get update</tt> to reflect these changes.

For unattended upgrades in the future, install the <tt>unattended-upgrades</tt> package and copy <tt>/etc/apt/apt.conf</tt> from another host.

== Network ==

Note that debian 11 will use NetworkManager or <code>/etc/interfaces</code> by default if you install a desktop environment, which doesn't seem to do DHCPv6 nicely. For simplicity and consistency across machines, we will use <code>systemd-networkd</code>. First stop and disable NetworkManager:<syntaxhighlight lang="bash">
systemctl disable --now NetworkManager.service networking.service
apt autoremove NetworkManager
</syntaxhighlight>Then, create a network configuration file at <code>/etc/systemd/network/10-wired.network</code>:<syntaxhighlight>
[Match]
# Check the interface name using `ip a`
Name=enp3s0

[Network]
# DHCP for IPv4 should work just fine
DHCP=ipv4
# IPv6 doesn't seem to work properly. Manually set them here
Address=ALLOCATED_IPv6_ADDRESS
Gateway=IPv6_GATEWAY
</syntaxhighlight>Then start and enable <code>systemd-networkd.service</code>. Also remember to specify the campus DNS at <code>/etc/resolve.conf</code>. You can copy it from another CSC machine.

== Kerberos keys ==

If this is a reinstall of an existing host, copy back the SSH host keys and <tt>/etc/krb5.keytab</tt> from its former incarnation. Otherwise, create a new Kerberos principal and copy the keytab over, as follows (run from the host in question):<syntaxhighlight>
kadmin -p sysadmin/admin # or any other admin principal; the password for this one is the usual root password
addprinc -randkey host/[hostname].csclub.uwaterloo.ca
ktadd host/[hostname].csclub.uwaterloo.ca
</syntaxhighlight>This will generate a new principal (you can skip this step if one already exists) and add it to the local Kerberos keytab.

== Configuration ==

=== General ===
Install packages that we will need:<syntaxhighlight lang="bash">
apt install krb5-user nfs-common nslcd sudo-ldap
# This package are automatically installed already, but we need to install our version so that NFS can connect to our crappy NetApp server
apt install --reinstall libk5crypto3
</syntaxhighlight>The following config files are needed to work in the CSC environment (examples given below for an office terminal; perhaps refer to another host if preferred).

<tt>/etc/nsswitch.conf</tt><syntaxhighlight>
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files systemd ldap
group: files systemd ldap
shadow: files ldap
gshadow: files ldap
sudoers: files ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files
</syntaxhighlight><tt>/etc/ldap/ldap.conf</tt><syntaxhighlight>
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=csclub, dc=uwaterloo, dc=ca
URI ldaps://ldap1.csclub.uwaterloo.ca ldaps://ldap2.csclub.uwaterloo.ca

SIZELIMIT 0

TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERTFILE /etc/ssl/certs/ca-certificates.crt

SUDOERS_BASE ou=SUDOers,dc=csclub,dc=uwaterloo,dc=ca
</syntaxhighlight>Also make <tt>/etc/sudo-ldap.conf</tt> a symlink to the above. On debian, install <tt>sudo-ldap</tt> package too.

<tt>/etc/nslcd.conf</tt><syntaxhighlight>
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://ldap1.csclub.uwaterloo.ca
uri ldaps://ldap2.csclub.uwaterloo.ca

# The search base that will be used for all queries.
base dc=csclub, dc=uwaterloo, dc=ca

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

map group member uniqueMember
</syntaxhighlight><tt>/etc/krb5.conf</tt><syntaxhighlight>
[libdefaults]
default_realm = CSCLUB.UWATERLOO.CA
forwardable = true
proxiable = true
dns_lookup_kdc = false
dns_lookup_realm = false
allow_weak_crypto = true

[realms]
CSCLUB.UWATERLOO.CA = {
kdc = kdc1.csclub.uwaterloo.ca
kdc = kdc2.csclub.uwaterloo.ca
admin_server = kadmin.csclub.uwaterloo.ca
}
(rest omitted for brevity, see any CSC machine)
</syntaxhighlight>Notably, <tt>allow_weak_crypto</tt> is currently needed to mount <tt>/users</tt> (/music and <tt>/scratch</tt> is sec=sys and thus will always mount, even when krb5 is down and/or broken). Otherwise, you will get a mysterious "permission denied" error (even though the server claims to have authenticated the mount successfully).

Furthermore, the lines <tt>dns_lookup_kdc</tt> and <tt>dns_lookup_realm</tt> have been added - they are needed to stop the KDC from throwing its arms in the air and giving up if IST's DNS servers ever explode - an event that has happened in the recent past far more often than I'd like it to.

Change all lines in <tt>/etc/pam.d/common-*</tt> to have <tt>minimum_uid=10000</tt> so that Kerberos won't interfere with local users. Note that pam configs are notably different on syscom-only hosts. Look at an existing syscom-only host to see the difference.

Alter <tt>/etc/default/nfs-common</tt> <syntaxhighlight>
# Alter these lines:
NEED_STATD=1
NEED_GSSD=1
# -l for gssd is to allow legacy crypto suites
RPCGSSDOPTS="-v -l"
</syntaxhighlight>to enable <tt>statd</tt>, and more importantly <tt>gssd</tt> (needed for Kerberos NFS mounts). Start <code>rpc-statd.service</code> and <code>rpc-gssd.service</code> manually for now.

Add <tt>/users</tt>, <tt>/music</tt> and <tt>/scratch</tt> to <tt>/etc/fstab</tt> (as appropriate for the machine's role), make their mount points and mount them. Note that <tt>/scratch</tt> are sec=sys whereas <tt>/music</tt> and /users is sec=krb5p (with exceptions granted on a case-by-case basis for servers only, office terminals are always sec=krb5p for security reasons).

To allow single sign-on as <tt>root</tt> (primarily useful for pushing files to all machines simultaneously), put the following in <tt>/root/.k5login</tt>:
sysadmin/admin@CSCLUB.UWATERLOO.CA

Also copy the following files from another CSC host:
* <tt>/etc/ssh/ssh_config</tt> and <tt>/etc/ssh/sshd_config</tt> (for single sign-on)
* <tt>/etc/ssh/ssh_known_hosts</tt> (to remove hostkey warnings within our network)
* <tt>/etc/hosts</tt> (for host tab completion and emergency name resolution)
* <tt>/etc/resolv.conf</tt> (to use IST's nameservers and search csclub/uwaterloo domains. Only required if you are not using <tt>/etc/network/interfaces</tt> to configure DNS)

=== Audio ===

On an office terminal, copy <tt>/etc/pulse/default.pa</tt> from another office terminal.

If this is to be the machine that actually plays audio (currently <tt>nullsleep</tt>), the setup is slightly more complicated. You'll need to set up MPD and PipeWire to receive connections, and store the PulseAudio cookie in <tt>~audio</tt>, with appropriate permissions so that only the <tt>audio</tt> group can access it. If this is a new audio machine, you'll also need to change <tt>default.pa</tt> on all office terminals to point to it.

=== Password ===
Change the root password to the specified password in the usual place under the termcom user. If it's an office terminal, change the local user's password to the one specified in the usual place.

=== Prevent suspend and hibernation (Office Terminal) ===
Set <code>AllowSuspend</code>, <code>AllowHibernation</code>, <code>AllowSuspendThenHibernate</code> and <code>AllowHybridSleep</code> all to <code>no</code> in <code>/etc/systemd/sleep.conf</code>, and reboot.

== Records ==

You probably already created the host in the University IPAM system beforehand. If not, please do so.

Please also add the host to the [[Machine List]] here on the Wiki.

== Munin (System Monitoring) ==

If the new machine is not a container, you probably want to have it participate in the Munin cluster. Run <tt>apt-get install munin-node</tt> to install the monitoring client, then
edit the file /etc/munin/munin-node.conf. Look for a line that says <tt>allow ^127\.0\.0\.1$</tt> and add the following on a new line immediately below it:
<tt>allow ^129\.97\.134\.51$</tt> (this is the IP address for munin.csclub). Save the file, then <tt>/etc/init.d/munin-node restart</tt> and <tt>update-rc.d munin-node defaults</tt>.

Then, ssh into munin.csclub and edit the file /etc/munin/munin.conf and add the following lines to the end:
<tt>

[NEW-MACHINE-NAME.csclub] 
addr 129.97.134.### 
use_node_name yes</tt>

== Prometheus (System Monitoring) ==

We are currently using Prometheus to monitor our systems. On the new machine, install <tt>prometheus-node-exporter</tt> and <tt>stunnel</tt>.

Change <tt>/etc/default/prometheus-node-exporter</tt> to this:

ARGS="--web.listen-address=localhost:9101"

and start <tt>prometheus-node-exporter.service</tt>.

Then set up stunnel. Create <tt>/etc/stunnel/prometheus-node-exporter.conf</tt> with this content:

setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/exporter.pid

debug = 7

[prometheus-node-exporter]
accept = 0.0.0.0:9100
connect = 127.0.0.1:9101
CAfile = /etc/stunnel/tls/server.crt
cert = /etc/stunnel/tls/node.crt
key = /etc/stunnel/tls/node.key
verifyPeer = yes

Copy <tt>/etc/stunnel/{node.crt, node.key, server.crt}</tt> from <tt>prometheus:/opt/prometheus/tls</tt> or the same location on other machines.

Finally, start <tt>stunnel4.service</tt>.

If it's a new machine, you'll also need to add it to the list of monitoring at <tt>prometheus:/opt/prometheus/prometheus.yml</tt>. Add it under a suitable label (or create a new label) in 'node_exporter' job.

= New Distribution =

If you're adding a new distribution, there a couple of steps you'll need to take in updating the CSClub Debian repository on [[Machine_List#sodium_benzoate|sodium-benzoate/mirror]].

The steps to add a new Debian release (in the examples, jessie) is as follows, modify as necessary:

=== Step 0: Create a GPG key ===

Use "gpg --gen-key" or something like that. Skip this if you already have one.

=== Step 1: Add to Uploaders ===

The /srv/debian/conf/uploaders file on mirror contains the list of people who can upload. Add your GPG key id to this file. Use "gpg --list-secret-keys" to find out the key ID. You also need to import your key into the mirror's gpg homedir as follows:

gpg --export $KEYID | sudo env GNUPGHOME=/srv/debian/gpg gpg --import

You only need to do this step once.

=== Step 2: Add Distro ===

Add a new section to /srv/debian/conf/distributions:

Origin: CSC
Label: Debian
Codename: '''jessie'''
Architectures: alpha amd64 i386 mips mipsel sparc powerpc armel source
Components: main contrib non-free
Uploaders: uploaders
Update: dell chrome
SignWith: yes
Log: '''jessie'''.log
--changes notifier

And update the '''Allow''' line in /srv/debian/conf/incoming:

Allow: '''jessie>jessie''' oldstable>squeeze stable>wheezy lucid>lucid maverick>maverick oneiric>oneiric precise>precise quantal>quantal

=== Step 3: Update from Sources ===

Run:

sudo env GNUPGHOME=/srv/debian/gpg /srv/debian/bin/rrr-update

If all went well you should see the new distribution listed at http://debian.csclub.uwaterloo.ca/dists/

=== Step 4: CSC Packages ===

Now that we've got our new distribution set up we need to generate our packages and have them uploaded. Namely, ceo and libpam-csc. For libpam-csc:

Get the package:

git clone https://git.csclub.uwaterloo.ca/public/libpam-csc.git
cd libpam-csc

Update change log:

EMAIL=[you]@csclub.uwaterloo.ca NAME="Your Name" dch -i

Update as necessary, i.e:

libpam-csc (1.10'''jessie0''') '''jessie'''; urgency=low

* Packaging for jessie.

-- Your Name <[you]@csclub.uwaterloo.ca> Thu, 10 Oct 2013 22:08:48 -0400

Build! (You may need to install various dependencies, which it will yell at you if you don't have.)

debuild -k'''YOURKEYID'''

Yay, it built now let's upload it to the repo. The build process which create a PACKAGE.changes file in the parent directory (replace PACKAGE with the actual package name).

Copy the dupload file from corn-syrup and dupload:

mv /etc/dupload /etc/dupload.bak
scp corn-syrup:/etc/dupload /etc/dupload
dupload libpam-csc_1.10jessie0_amd64.changes

Finally, log into mirror and type "sudo /srv/debian/bin/rrr-incoming". This is supposed to happen once every few minutes however it is always faster to run it manually.

And you're done. For CEO, see https://git.csclub.uwaterloo.ca/public/pyceo/src/branch/master/PACKAGING.md

Machine List

2025-07-23T04:10:10Z

S23adhik: /* Syscom Only */

Most of our machines are in the E7, F7, G7 and H7 racks (as of Jan. 2022) in the MC 3015 server room. There is an additional rack in the DC 3558 machine room on the third floor. Our office terminals are in the CSC office, in MC 3036/3037.

= Web Server =
You are highly encouraged to avoid running anything that's not directly related to your CSC webspace on our web server. We have plenty of general-use machines; please use those instead. You can even edit web pages from any other machine--usually the only reason you'd *need* to be on caffeine is for database access.

== ''caffeine'' ==

Caffeine is the Computer Science Club's web server. It serves websites, databases for websites, and a large amount of other services.

''(Redundant active backup coming soon...)''

==== Specs ====

* LXC virtual machine hosted on [[Machine List#phosphoric-acid|phosphoric-acid]]
** 12 vCPUs
** 32GB of RAM

==== Services ====

* Club and member web sites with [https://www.apache.org/ Apache]
* [[MySQL]] databases
* [[PostgreSQL]] databases
* [[ceo]] daemon

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

= General-Use Servers =

These machines can be used for (nearly) anything you like (though be polite and remember that these are shared machines). Recall that when you signed the Machine Usage Agreement, you promised not to use these machines to generate profit (so no cryptocurrency mining).

For computationally-intensive jobs (CPU/memory bound) we recommend running on high-fructose-corn-syrup, carbonated-water, sorbitol, mannitol, or corn-syrup, listed in roughly decreasing order of available resources. For low-intensity interactive jobs, such as IRC clients, we recommend running on neotame. '''If you have a long-running computationally intensive job, it's good to nice[https://en.wikipedia.org/wiki/Nice_(Unix)] your process, and possibly let syscom know too.'''

== ''corn-syrup'' ==

Dell PowerEdge 2950

==== Specs ====

* 2 × Intel Xeon E5405 (2.00 GHz, 4 cores each)
* 32 GB RAM
* eth0 ("Gb0") mac addr 00:24:e8:52:41:27
* eth1 ("Gb1") mac addr 00:24:e8:52:41:29
* IPMI mac addr 00:24:e8:52:41:2b
* 3 × Western-Digital 160GB SATA hard drive (445 GB software RAID0 array)

==== Notes ====

* Use eth0/Gb0 for the mathstudentorgsnet connection

==== Services ====

* Hosts 1 TB <tt>[[scratch|/scratch]]</tt> and exports via NFS (sec=krb5)

== ''high-fructose-corn-syrup'' ==

High-fructose-corn-syrup (or hfcs) is a large SuperMicro server. It's been in CSC service since April 2012.

==== Specs ====

* 4x AMD Opteron 6272 (2.4 GHz, 16 cores each)
* 192 GB RAM
* Supermicro H8QGi+-F Motherboard Quad 1944-pin Socket [http://csclub.uwaterloo.ca/misc/manuals/motherboard-H8QGI+-F.pdf (Manual)]
* 500 GB Seagate Barracuda
* Supermicro Case Rackmount CSE-748TQ-R1400B 4U [http://csclub.uwaterloo.ca/misc/manuals/SC748.pdf (Manual)]
'''Notes'''

* Missing moba IO shield (as of January 2024)

== ''carbonated-water'' ==

carbonated-water is a Dell R815 provided by CSCF.

==== Specs ====

* 4x AMD Opteron 6176 processors (2.3 GHz, 12 cores each)
* 128GB RAM

== ''neotame'' ==

neotame is a SuperMicro server funded by MEF. It is the successor to taurine.

'''We strongly discourage running computationally-intensive jobs''' on neotame as many users run interactive applications such as IRC clients on it and any significant service degradation will be more likely to affect other users (who will probably notice right away).

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
'''Notes'''
* SSH server also listens on ports 21, 22, 53, 80, 81, 443, 8000, 8080 for your convenience.

== ''sorbitol'' ==

sorbitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
== ''mannitol'' ==

mannitol is a SuperMicro server funded by MEF. CUDA is available on this node.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
* NVIDIA GeForce RTX 3050 6G

= Office Terminals =

It's possible to SSH into these machines, but we discourage you from trying to use these machines when you're not sitting in front of them. They are bounced at least every time our login manager, lightdm, throws a tantrum (which is several times a day). These are for use inside our physical office.

== ''cyanide'' ==
cyanide is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)], identical in specification to powernap

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

== ''suika'' ==

Suika is an office terminal built from various components donated by our members.

==== Specs ====

* AMD Ryzen 7 2700X
* 2x 8GB DDR4
* 1x Samsung 256GB SSD
* AMD Radeon RX 550 4GB

==''powernap''==
powernap is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)].

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

=== Speaker ===
powernap has the office speakers (a pair of nice studio monitors) currently connected to it.

=== Services ===
* MPD for playing music. Only office/termcom/syscom can log into powernap. Use `ncmpcpp` to control MPD.
** TODO: this is not the case anymore
* Bluetooth audio receiver. Only syscom can control bluetooth pairing. Use `bluetoothctl` to control bluetooth.

Music is located in `/music` on the office terminals.

= Progcom Only =
The Programme Committee has access to a VM on corn-syrup called 'progcom'. They have sudo rights in this VM so they may install and run their own software inside it. This VM should only be accessible by members of progcom or syscom.

The CI/CD stuff for the csclub.uwaterloo.ca runs on this vm (drone).

= Codey Bot Only =
Ran on CSC Cloud in a separate Cloudstack project. codey-staging, codey-dev, codey-prod.

TODO: migrating from cloudstack

= Syscom Only =

The following systems are only be accessible to members of the [[Systems Committee]] for a variety of reasons; the most common of which being that some of these machines host [[Kerberos]] authentication services for the CSC.

==''xylitol''==

xylitol is a Dell PowerEdge R815 donated by CSCF. It is primarily a container host for services previously hosted on aspartame and dextrose, including munin, rt, mathnews, auth1, and dns1. It was provisioned with the intent to replace both of those hosts.

==== Specs ====

* Dual AMD Opteron 6176 (2.3 GHz, 48 cores total)
* 128GB RAM
* 500GB volume group on RAID1 SSD (xylitol-mirrored)
* 500ish-GB volume group on RAID10 HDD (xylitol-raidten)

==''auth1''==

Container on [[#xylitol|xylitol]].

==== Services ====

*[[LDAP]] primary
*[[Kerberos]] primary

==''chat''==

Container on [[#xylitol|xylitol]].

==== Services ====

* The Lounge web IRC client (https://chat.csclub.uwaterloo.ca)

==''phosphoric-acid''==

phosphoric-acid is a Dell PowerEdge R815 donated by CSCF and is a clone of xylitol. It may be used to provide redundant cloud services in the future.

==== Specs ====

* (clone of Xylitol)
* 4x 2TB Kingston KC3000 (ZFS Z2 [Sustain 2-failures]) (KIN-SKC3000D2048G)
** Mounted on 2x Startech Dual M.2 PCIE SSD Adapter Cards (STA-PEX8M2E2)

==== Services ====

*[[#caffeine|caffeine]]
*[[#coffee|coffee]]
*prometheus

==''coffee''==

Virtual machine running on phosphoric-acid.

==== Services ====

*[[Database#MySQL|MySQL]]
*[[Database#Postgres|Postgres]]

==''cobalamin''==

Dell PowerEdge 2950 donated to us by FEDS. Located in the Science machine room on the first floor of Physics, on Science Computing Rack 2. NICs are plugged into A1 and A2 on the adjacent rack. Acts as a backup server for many things.

TODO: should replace with another Syscom server when Science Computing clears out the rack (ETA before 09/2024)

==== Specs ====

* 1 × Intel Xeon E5420 (2.50 GHz, 4 cores)
* 16GB RAM
* Broadcom NetworkXtreme II
* 2x73GB Hard Drives, hardware RAID1
** Soon to be 2x1TB in MegaRAID1
*http://www.dell.com/support/home/ca/en/cabsdt1/product-support/servicetag/51TYRG1/configuration

==== Services ====

* Containers: [[#auth2|auth2]] (kerberos)

==== Notes ====

* '''TODO: Mega unreliable.''' (Goes down once every few weeks... due to power outages in the PHYS server room)
** It is plugged into a UPS but the UPS has dead batteries.
* The network card requires non-free drivers. Be sure to use an installation disc with non-free.

* We have separate IP ranges for cobalamin and its containers because the machine is located in a different building. They are:
** VLAN ID 506 (csc-data1): 129.97.18.16/29; gateway 129.97.18.17; mask 255.255.255.240
** VLAN ID 504 (csc-ipmi): 172.19.5.24/29; gateway 172.19.5.25; mask 255.255.255.248
* Physical access to the PHYS server rooms can be acquired by visiting Science Computing in PHYS 2006.

==''auth2''==

Container on [[#cobalamin|cobalamin]].

==== Services ====

*[[LDAP]] secondary
*[[Kerberos]] secondary

MAC Address: c2:c0:00:00:00:a2

==''mail''==

mail is the CSC's mail server. It hosts mail delivery, imap(s), smtp(s), and mailman. It is also syscom-only. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

TODO: "HA"-ish configuration

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[[Mail]] services
* mailman (web interface at [http://mailman.csclub.uwaterloo.ca/])
*[[Webmail]]
*[[ceo]] daemon

==''sodium-benzoate''==

Sodium-benzoate is our previous mirror server, funded by MEF.

It is currently sitting in the office pending repurposing. Will likely become a machine for backups in DC.

==== Specs ====

* Intel Xeon Quad Core E5405 @ 2.00 GHz
* 16GB RAM
* vg0: 228 GB block device behind DELL PERC 6/i (contains root partition)

Space disks are currently in the office underneath maltodextrin.

TODO: gone??

==''potassium-benzoate''==

potassium-benzoate is our mirror server, funded by MEF.

==== Specs ====

* 36 drive Supermicro chassis (SSG-6048R-E1CR36L)
* 2 x Intel Xeon E5-2695 v4 (18 cores, 2.10GHz)
* 64 GB (4 x 16GB) of DDR4 (2133Mhz) ECC RDIMM RAM
* 2 x 1 TB Samsung Evo 850 SSD drives
* 17 x 4 TB Western Digital Gold drives (separate funding from MEF)
* 9 x 18TB Seagate Exos X18 (8 ZFS, Z2,1 hot-spare)
* 10 Gbps SFP+ card (loaned from CSCF)
* 50 Gbps Mellanox QSFP card (from ginkgo; currently unconnected)

Spec before 2025-03-27:
* 1 x Intel Xeon E5-2630 v3 (8 cores, 2.40 GHz)

==== Network Connections ====

potassium-benzoate has two connections to our network:

* 1 Gbps to our switch (used for management)
* 2 x 10 Gbps (LACP bond) to mc-rt-3015-mso-a (for mirror)

Mirror's bandwidth is limited to 1 Gbps on each of the 4 campus internet links. Mirror's bandwidth is not limited on campus.

==== Services ====

*[[Mirror]]
*[[Talks]] mirror
*[[Debian_Repository|CSClub packages repository]]

==''munin''==

munin is a syscom-only monitoring and accounting machine. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[http://munin.csclub.uwaterloo.ca munin] systems monitoring daemon
TODO: Debian 9?

==''yerba-mate''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2x75GB 15k drives (RAID 1)

==== Services ====

* test-ipv6 (test-ipv6.csclub.uwaterloo.ca; a test-ipv6.com mirror)
'''Notes'''

* Also used for experimenting new CSC services.

* TODO: use as backup server

==''citric-acid''==
A Dell PowerEdge R815 (TODO: check model) provided by CSCF to replace [[Machine List#aspartame|aspartame]].

'''Specs'''

* 2 x AMD Opteron 6174 (12 cores, 2.20 GHz)
* 128 GB RAM

'''Services'''

* Configured for [https://pass.uwaterloo.ca pass.uwaterloo.ca], a university-wide password manager hosted by CSC as a demo service for all Nexus (ADFS) user.
* [[Plane]], an internal (CSC) project management tool.
* Minio
'''Notes'''

* Being repurposed for Termcom training and development.
* Being used for Matrix & Proxmox Testing
* UFW opened-ports: SSH, HTTP/HTTPS
* Upgraded to Podman 4.x

== ''Tahini'' ==
Server was funded via SLEF, and MEF. More info coming soon. Part of Proxmox Project, and mass migration

= Cloud =

These machines are used by [https://cloud.csclub.uwaterloo.ca cloud.csclub.uwaterloo.ca]. The machines themselves are restricted to Syscom only access.

==''chamomile''==

A Dell PowerEdge R815 provided by CSCF.

==== Specs ====

* 4x 2.20GHz 12-core processors (AMD Opteron(tm) Processor 6174)
* 128GB RAM
* 10GbE connection to core router

==== Services ====

* Cloudstack host
* TODO: cloudstack migration

==''riboflavin''==

A Dell PowerEdge R515 provided by CSCF.

==== Specs ====

* 2x 2.6 GHz 8-core processors (AMD Opteron(tm) Processor 4376 HE)
* 64GB RAM
* 10GbE connection to core router
* 2x 500GB internal SSD
* 12x Seagate 4TB SSHD
==== Services ====

* OpenStack block and object storage for csclub.cloud
* ????
'''Notes'''

* TODO: cloudstack migration

==''guayusa''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2TB PCI-Express Flash SSD
* 2x75GB 15k drives (RAID 1)

==== Services ====

* load-balancer-01

Was used to experiment the following then-new CSC services:

* cifs (for booting ginkgo from CD)
* caffeine-01 (testing of multi-node caffeine)
* TODO: ???
** block1.cloud
** object1.cloud
'''Notes'''

* TODO: cloudstack migration
* TODO: ditch... Currently being used to set up NextCloud.

==''ginkgo''==

Supermicro server funded by MEF for CSC web hosting. Locate in MC 3015.

==== Specs ====

* 2x Intel Xeon E5-2697 v4 @ 2.30GHz [18 cores each]
* 256GB RAM
* 2 x 1.2 TB SSD (400GB of each for RAID 1)
* 10GbE onboard, 25GbE SFP+ card (also included 50GbE SFP+ card which will probably go in mirror)

==== Services ====

* OpenStack Compute machine

No longer in use:

* controller1.cloud
* db1.cloud
* router1.cloud (NAT for cloud tenant network)
* network1.cloud

'''Notes'''
* TODO: cloudstack migration

*

= Storage =

==''fs00''==

fs00 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* dual SFP connection to core switch

... TODO

==''fs01''==

fs01 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====
... TODO

TODO: disconnected??

==''fs10''==

fs10 is a '''NetApp FAS8040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* FAS8040 (dual heads)
** ... TODO
* 6 DS4324 HDD shelves (24-disks each)
** 24 x 2TB HDDs (assorted brands/models)
** Dual IOM3 controllers.
** Loop 1: bottom 4 shelves
** Loop 2: top 2 shelves + SSD shelf
* 1 DS2246 SSD shelf (TODO: right model?)
** 24 Samsung SM1625 SSDs (MZ-6ER2000/0G3), 200GB (SAS 2, 2.5")

= Other =

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

== ps3 ==
This is just a very wide PS3, the model that supported running Linux natively before it was removed. Firmware was updated to remove this feature, however it can still be done via. homebrew.

'''Specs'''

* It's a PS3.

'''2022-10-24''' - Thermal paste replaced + firmware updated to latest supported version, also modded.

==''binaerpilot''==

This is a Gumstix Overo Tide CPU on a Tobi expansion board. It is currently attached to corn-syrup in the machine room and even more currently turned off until someone can figure out what is wrong with it.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''anamanaguchi''==

This is a Gumstix Overo Tide CPU on a Chestnut43 expansion board. It is currently in the hardware drawer in the CSC.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

'''NOTE: May have disappeared at some point'''

==''digital cutter''==

See [[Digital Cutter|here]].

= Decommissioned =

==''biloba''==

Dead, died after the poweroutage of May 9th, 2025, previously served as Cloudstack master node or wtv.

Supermicro server funded by SLEF for CSC web hosting. Located in DC 3558. TODO: rack??

==== Specs ====

* 2x Intel Xeon Gold 6140 @ 2.30GHz [18 cores each]
* 384GB RAM
* 12 3.5" Hot Swap Drive Bays
** 2 x 480 GB SSD
* 10GbE onboard, 10GbE SFP+ card (on loan from CSCF)

==== Services ====

* OpenStack Compute machine
'''Notes'''
* TODO: cloudstack migration

No longer in use:

* caffeine
* mail
* mattermost

==''aspartame''==

aspartame was a taurine clone donated by CSCF. It was once our primary file server, serving as the gateway interface to space on phlogiston. It also used to host the [[#auth1|auth1]] container, which has been temporarily moved to [[#dextrose|dextrose]]. Decomissioned in March 2021 after refusing to boot following a power outage.

==''psilodump''==

psilodump is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling phlogiston, hosted disk shelves exported as iSCSI block devices.

psilodump was plugged into aspartame. It's still installed but inaccessible.

==''phlogiston''==

phlogiston is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling psilodump, hosted disk shelves exported as iSCSI block devices.

phlogiston is turned off and should remain that way. It is misconfigured to have its drives overlap with those owned by psilodump, and if it is turned on, it will likely cause irreparable data loss.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 10GB RAM

==== Notes from before decommissioning ====

* The lxc files are still present and should not be started up, or else the two copies of auth1 will collide.
* It currently cannot route the 10.0.0.0/8 block to a misconfiguration on the NetApp. This should be fixed at some point.

==''glomag''==

Glomag hosted [[#caffeine|caffeine]]. Decommissioned April 6, 2018.

==== Specs ====

* Intel Xeon X3450 @ 2.67 GHz
* 6 GB RAM
* vg0: 465 GB software RAID1 (contains root partition):
** 750 GB Seagate Barracuda SATA hard drive
** 500 GB Western-Digital Caviar Blue SATA hard drive
* vg1: 596 GB software RAID1 (contains caffeine):
** 2 × 640 GB Western-Digital Caviar Blue SATA hard drive

==== Services ====

* Before its decommissioning, glomag hosted [[#caffeine|caffeine]], [[#mail|mail]], and [[#munin|munin]] as [[Virtualization#Linux_Container|Linux containers]]

==''Lisp machine''==

A Symbolics XL1200 Lisp machine. Donated to a new home when we couldn't get it working.

http://www.globalnerdy.com/2008/12/03/symbolics-xl1200-lisp-machine-free-to-a-good-home/ for some history on this hardware.

==== Specs ====

Currently inoperable due to (at least) a missing console cable.

==''ginseng''==

Ginseng used to be our fileserver, before aspartame and the netapp took over.

==== Specs ====

* Intel Pentium Dual Core E2180
* 8GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/s3000ah_tps_1_1.pdf Intel S3000AHV Motherboard]
* 4 × 640 GB Western-Digital Caviar Blue in [[wikipedia:Nested_RAID_levels#RAID_10_.28RAID_1.2B0.29|RAID 10]] behind a [http://www.3ware.com/products/serial_ata2-9650.asp 3ware 9650SE RAID card].
[[Category:Hardware]]

==''calum''==

Calum used to be our main server and was named after Calum T Dalek. Purchased new by the club in 1994.

==== Specs ====

* SPARCserver 10 (headless SPARCstation 10)

==''paza''==

An iMac G3 that was used as a dumb terminal.

==== Specs ====

* 233Mhz PowerPC 740/750
* 96 MB RAM

==''romana''==

Romana was a BeBox that has been in the CSC's possession since long before BeOS became defunct.

Confirmed on March 19th, 2016 to be fully functional. An SSHv1 compatible client was installed from http://www.abstrakt.ch/be/ and a compatible firewalled daemon was started on Sucrose (living in /root, prefix is /root/ssh-romana). The insecure daemon is to be used a bastion host to jump to hosts only supporting >=SSHv2. The mail daemon on the BeBox has also been configured to send mail through mail.csclub.uwaterloo.ca.

==== Specs ====

* 2 PowerPC based processors
* Stylish Blinken processor-load lights

==''sodium-citrate''==

Sodium-citrate was an SGI O2 machine.

In order to net boot you need to set /proc/sys/net/ipv4/ip_no_pmtu_disc to 1. When the O2 boots, hit F5 at the boot menu and type bootp():.

==== Specs ====
* SGI O2 MIPS processor
* 423 MB (?) RAM
* 2 × 2 GB hard drive

==''acesulfame-potassium''==

An old office terminal.

==== Specs ====
* Intel Pentium 4 2.67GHz
* 1GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/ABIT_VT7.pdf ABIT VT7] Motherboard
* ATI Radeon 7000

==''skynet''==

skynet was a Sun E6500 machine donated by Sanjay Singh. It was never fully set up.

==== Specs ====

* 15 full CPU/memory boards
** 2x UltraSPARC II 464MHz / 8MB Cache Processors
** ??? RAM?
* 1 I/O board (type=???)
** ???x disks?
* 1 CD-ROM drive

*[http://mirror.csclub.uwaterloo.ca/csclub/sun_e6500/ent6k.srvr/ e6500 documentation (hosted on mirror, currently dead link)]
*[http://docs.oracle.com/cd/E19095-01/ent6k.srvr/ e6500 documentation (backup link)]
*[http://www.e6500.com/ e6500]

==''freebsd''==

FreeBSD was a virtual machine with FreeBSD installed.

==== Services ====

* Newer software

==''rainbowdragoneyes''==

Rainbowdragoneyes was our Lemote Fuloong MIPS machine. This machine is aliased to rde.csclub.uwaterloo.ca.

==== Specs ====

* 800MHz MIPS Loongson 2f CPU

==''denardo''==

Due to some instability, general uselessness, and the acquisition of a more powerful SPARC machine from MFCF, denardo was decommissioned in February 2015.

==== Specs ====

* Sun Fire V210
* TI UltraSparc IIIi (Jalapeño)
* 2 GB RAM
* 160 GB RAID array
* ALOM on denardo-alom.csclub can be used to power machine on/off
==''artificial-flavours''==

Artificial-flavours was our secondary (backup services) server. It used to be an office terminal. It was decommissioned in February 2015 and transferred to the ownership of Women in Computer Science (WiCS).

==== Specs ====

* Intel Celeron 3.2GHz
* 2GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/Biostar_P4M80-M4.pdf Biostar P4M80-M4] Motherboard
* Western-Digital 80 GB ATA hard drive

==''potassium-citrate''==

Potassium-citrate is a dual-processor Alpha machine. It is on extended loan from pbarfuss.

It is temporarily decommissioned pending the reinstallation of a supported operating system (such as OpenBSD).

==== Specs ====
* Alphaserver CS20 (2 833MHz EV68al CPUs)
* 512MB RAM
* 36 GB Seagate SCSI hard drive

==''potassium-nitrate''==

This was a Sun Fire E2900 from a decommissioned MFCF compute cluster. It had a SPARC architecture and ran OpenBSD, unlike many of our other systems which are x86/x86-64 and Linux/Debian. After multiple unsuccessful attempts to boot a modern Linux kernel and possible hardware instability, it was determined to be non-cost-effective and non-effort-effective to put more work into running this machine. The system was reclaimed by MFCF where someone from CS had better luck running a suitable operating system (probably Solaris).

The name is from saltpetre, because sparks.

==== Specs ====

* 24 CPUs
* 90GB main memory
* 400GB scratch disk local storage in /scratch-potassium-nitrate

There is a [[Sun 2900 Strategy Guide|setup guide]] available for this machine.

See also [[Sun 2900]].

==''taurine''==

'''Note: On August 21, 2019, just before 2:30PM EDT, we were informed that taurine caught fire'''. As a result, taurine has been decommissioned as of Fall 2019.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 8GB RAM
* 136 GB LVM volume group

==== Services ====

* Virtual machines
* BitlBee IRC instant messaging gateway (localhost only)
*[[ident]] server to maintain high connection cap to freenode
* Runs ssh on ports 21,22,53,80,81,443,8000,8080 for user's convenience.

==''dextrose''==

dextrose was a [[#taurine|taurine]] clone donated by CSCF and was decommissioned in Fall 2019 after being replaced with a more powerful server.

==''sucrose''==

sucrose was a [[#taurine|taurine]] clone donated by CSCF. It was decommissioned in Fall 2019 following multiple hardware failures.

==''goto80''==
'''Note (2022-10-25): This seems to have gone missing or otherwise left our hands.'''

This was small ARM machine we picked up in order to have similar hardware to the Real Time Operating Systems (CS 452) course. It has a [[TS-7800_JTAG|JTAG]] interface. Located was the office on the top shelf above strombola.

==== Specs ====

* 500 MHz Feroceon (ARM926ej-s compatible) processor
* ARMv5TEJ architecture

Use -march=armv5te -mtune=arm926ej-s options to GCC.

For information on the TS-7800's hardware see here:
http://www.embeddedarm.com/products/board-detail.php?product=ts-7800

==''nullsleep''==

nullsleep is an [http://csclub.uwaterloo.ca/misc/manuals/ASRock_ION_330.pdf ASRock ION 330] machine given to us by CSCF and funded by MEF.

It's decommissioned on 2023-03-20 due to repeated unexpected shutdown. Replaced by [[#powernap|powernap]].

==== Specs ====

* Intel® Dual Core Atom™ 330
* 2GB RAM
* NVIDIA® ION™ graphics
* 1x 64GB SanDisk SDSSDP064G SSD
* DVD Burner

==== Speakers ====
Nullsleep has the office speakers (a pair of nice studio monitors) currently connected to it.

==== Services ====
Nullsleep runs MPD for playing music. Control of MPD is available only to users in the "audio" group.
Music is located in /music on the office terminal

== ''bit-shifter'' ==
bit-shifter was an office terminal, decommissioned April 2023 due to extended age. It was upgraded to the same specs as Strombola at an unknown point in time.

==== Specs ====

* Intel Core 2 Quad CPU Q8300
* 4GB RAM
* Nvidia GeForce GT 440
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD
* Jacob Parker's Firewire Card

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''strombola''==
Strombola was an office terminal named after Gordon Strombola. It was retired in April 2023.

==== Specs ====
* Intel Pentium G4600 2 cores @ 3.6Ghz
* 8 GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD

==== Speakers ====
Strombola used to have integrated 5.1 channel sound before we got new speakers and moved audio stuff to nullsleep.

== ''gwem'' ==
gwem was an office terminal that was created because AMD donated a graphics card. It entered CSC service in February 2012.

=== Specs ===

* AMD FX-8150 3.6GHz 8-Core CPU
* 16 GB RAM
* AMD Radeon 6870 HD 1GB GPU
*[http://csclub.uwaterloo.ca/misc/manuals/ga-990fxa-ud7_e.pdf Gigabyte GA-990FXA-UD7] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD

== ''maltodextrin'' ==
(*specs are outdated at least as of 2023-05-27*)
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
Maltodextrin was an office terminal. It was upgraded in Spring 2014 after an unidentified failure. Not operational (no video output) as of July 2022.

==== Specs ====

* Intel Core i3-4130 @ 3.40 GHz
* 8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
*[http://csclub.uwaterloo.ca/misc/manuals/E8425_H81I_PLUS.pdf ASUS H81-PLUS] Motherboard

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''natural-flavours'' ==

Natural-flavours is an office terminal; it used to be our mirror.

In Fall 2016, it received a major upgrade thanks the MathSoc's Capital Improvement Fund.

==== Specs ====

* Intel Core i7-6700k
* 2x8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
* Cup Holder (DVD drive has power, but not connected to mother board)
= UPS =

All of the machines in the MC 3015 machine room are connected to one of our UPSs.

All of our UPSs can be monitored via CSCF:

* MC3015-UPS-B2
* mc-3015-e7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced July 2014) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-e7-ups-1&var-Interval=30m)
* mc-3015-f7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced Feb 2017) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-f7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2010) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-2&var-Interval=30m)
* mc-3015-h7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2004) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-1&var-Interval=30m)
* mc-3015-h7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-2&var-Interval=30m)

We will receive email alerts for any issues with the UPS. Their status can be monitored via [[SNMP]].

TODO: Fix labels & verify info is correct & figure out why we can't talk to cacti.

Meeting:Termcom/Saturday 05 July 2025

2025-07-05T19:07:52Z

S23adhik: Created page with "* Nettapp talking, will get HBA card * Get NVME ssds for sorbitol to use as cache drives * Citric-Acid HBA might be dying? It kinda slow, and weird * Use citric-acid only for proxmox testing then throw out * Citric-acid gets no kerberos, and nfs for now * 100 new nettapp drives are installed, about 2tb * Get the cards from Nathan! * Kimie, Samuel help setup the new server in DC * Samuel help setup Matrix server * Add passkey via keycloak system * Signing ssh keys * Fixin..."

* Nettapp talking, will get HBA card
* Get NVME ssds for sorbitol to use as cache drives
* Citric-Acid HBA might be dying? It kinda slow, and weird
* Use citric-acid only for proxmox testing then throw out
* Citric-acid gets no kerberos, and nfs for now
* 100 new nettapp drives are installed, about 2tb
* Get the cards from Nathan!
* Kimie, Samuel help setup the new server in DC
* Samuel help setup Matrix server
* Add passkey via keycloak system
* Signing ssh keys
* Fixing office bluetooth!????
* NTP server?

Proxmox

2025-07-04T21:40:29Z

S23adhik: Created page with "== Setting up Proxmox == To setup proxmox, from `Server View`, open the `Datacenter` page. Then go to `Permissions -> Realms`. Then just make sure pam is setup lol"

== Setting up Proxmox ==
To setup proxmox, from `Server View`, open the `Datacenter` page. Then go to `Permissions -> Realms`.

Then just make sure pam is setup lol

Main Page

2025-07-04T21:15:11Z

S23adhik: /* Software Infrastructure */

This is the Wiki of the [[Computer Science Club]]. Feel free to start adding pages and information.

[[Special:AllPages]]

== Member/Club Rep Documentation ==
To access our Linux machines, see [[How to SSH]] and select one of the general-use machines from [[Machine List#General-Use Servers]].

To host a website, see [[Web Hosting]]. If you are trying to host websites for clubs, see [[Club Hosting]].

To use our VPS services (similar to Linode and Amazon EC2), see [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]. Note that you'll need to activate your account on one of CSC's machines before using the management panel.

To view instruction on playing music at the office, see [[Music]].

To use our Nextcloud instance (similar to Google Drive and Dropbox), go to [https://files.csclub.uwaterloo.ca CSC Files].

=== Guides ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[New Member Guide]]
* [[Club Hosting]]
* [[Web Hosting]]
* [[Git Hosting]]
* [[How to IRC]]
* [[How to SSH]]
* [[MySQL]]
* [[PostgreSQL]]
* [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]
</div>

=== News and Events ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Meetings]]
* [[Talks]]
* [[Projects]]
</div>

== Committees Documentation ==
=== Club Operation ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Budget Guide]]
* [[ceo]]
* [[Exec Manual]]
* [[MEF Guide]]
* [[Office Policies]]
* [[Office Staff]]
* [[Sysadmin Guide]]
* [[How to (Extra) Ban Someone]]
* [[SCS Guide]]
* [[Kerberos |Password Reset]]
* [[Keys and Fobs]]

* [[Talks Guide]]
</div>

=== Hardware Infrastructure (the bare metals) ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Disk Drive RMA Process]]
* [[Machine List]]
* [[IPMI101]]
* [[New NetApp]]
* [[Switches]]
</div>

=== Software Infrastructure ===
To see a complete list of services, where to find them and when they are updated, see [[Service List]].

<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[ADFS]]
* [[Backups]]
* [[DNS]]
* [[Debian Repository]]
* [[Firewall]]
* [[Kerberos]]
* [[MatterMost]]
* [[Load-balancer]]
* [[Proxmox]]
* [[Plane]]
* [[RT]]
* [[Keycloak]]
* [[KVM]]
* [[LDAP]]
* [[Network]]
* [[New CSC Machine]]
* [[Observability]]
* [[OID Assignment]]
* [[Podman]]
* [[Scratch]]
* [[SNMP]]
* [[SSL]]
* [[Syscom Todo]]
* [[Systemd]]
* [[Systemd-nspawn]]
* [[Two-Factor Authentication]]
* [[UID/GID Assignment]]
</div>

=== Services ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Application List]]
* [[BigBlueButton]]
* [[Mail]]
* [[Mailing Lists]]
* [[Mirror]]
* [[Music]]
* [[Nextcloud]]
* [[Printing]]
* [[Pulseaudio]]
* [[Webmail]]
</div>

=== CSC Cloud ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Ceph]]
* [[Cloud Networking]]
* [[CloudStack]]
* [[CloudStack Templates]]
* [[Kubernetes]]
</div>

== Miscellaneous ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Acronyms]]
* [[Budget]]
* [[Executive]]
* [[Past Executive]]
* [[History]]
</div>

== Historical ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Robot Arm]]
* [[Webcams]]
* [[Website]]
* [[Digital Cutter]]
* [[Electronics]]
* [[NetApp]]
* [[Frosh]]
* [[Virtualization (LXC Containers)]]
* [[Serial Connections]]
* [[Library]]
* [[MEF Proposals]]
* [[Proposed Constitution Changes]]
* [[NFS/Kerberos]]
* [[Hardware]]
* [[Imapd Guide]]
__NOTOC__

Ceo

2025-06-30T18:58:32Z

S23adhik:

[[Image:Pyceo.png|thumb|300px|right|<tt>pyceo</tt>'s main menu screen]]

ceo is the CSC member creation and administration interface. It was originally written in perl by persons of mysterious-ness, was re-written in python by Michael Spang in early 2007, and re-written again (in Python) by Syscom in 2020-2021. The source-code for ceo can be found in git: [https://git.csclub.uwaterloo.ca/public/pyceo https://git.csclub.uwaterloo.ca/public/pyceo].

= Instructions/Usage =
ceo can be accessed by running the "ceo" command from a terminal, or terminal emulator.
By default, a curses-based menu interface is presented. Use the arrow keys to navigate;
on many screens, pressing a letter will select the next menu item beginning with that letter.

=== Command-line Mode ===
Run <tt>ceo --help</tt> to see a list of command-line utilities.

== Adding a New Member ==
After a new member has paid the membership fee and signed the Machine Usage Policy forms, a new member account is added to the CSC system by selecting "New Member" in ceo and following the on-screen instructions. The new member's username is to be identical to their WatIAM username, if applicable. For WatIAM users, the name and program fields will automatically be filled after a username is provided.

== Renewing/Extending a Membership ==
A membership can be renewed or extended by selecting "Renew Membership" in the ceo interface.

== Hosted Clubs ==
Clubs are hosted free of charge. To create a new club account use the "New Club" option in the ceo interface.

=== Club Representatives ===
At this time, there is no limit to the number of representatives a club may have, but representative accounts must be registered with the "New Club Rep" option, and renewed with the "Renew Club Rep" option.

=== Other Club Features ===
For access to features beyond basic hosting (ie, databases), one of the club representatives will need to email the Systems Committee to have this set up.

= raymo's guide on how to fix things after screwing up =

== Changing a member to a nonmember (club rep) and vice-versa ==

ssh hfcs
kinit # if you don't already have [[Kerberos#raymo's guide to keytabs|keytabs]] set up
ldapvi -Y GSSAPI
Use <code>/<username></code> to search for the user in vi and change <code>term</code> to <code>nonMemberTerm</code> (or vice-versa) for the relevant terms. When you're done deleting the file should no longer contain the username. Save and quit (<code>:wq</code>) and press <code>y</code> when prompted.

== Deleting a member ==

* '''RULE: Never do this without good reason. We should NEVER delete accounts or groups that have been used before.'''

If you accidentally created a club rep as a regular member instead, see the [previous section|Ceo#Changing a member to a nonmember (club rep) and vice-versa]. For another reason that doesn't break the '''RULE''' above, first follow the steps in the change membership section above, up to and including <code>ldapvi</code>, then delete both the user and group LDAP records. These are separated by blank lines. When you're done deleting the file should no longer contain the username. Save and quit as if changing membership. Then:
ssh auth1
sudo kadmin.local
delprinc <username>
ssh phosphoric acid
sudo rm -rfI /users/<username>
Unsubscribe the user from [https://mailman.csclub.uwaterloo.ca/postorius/lists/syscom.csclub.uwaterloo.ca/members/member/ csc-general on mailman]

= Feature Requests and Ideas =

* Create a graphical and/or online version of ceo
* Add new members to fuse and plugdev groups

= Contributing to CEO =

== Preliminary Steps ==
=== Generate a GPG Key ===
In order to sign the ceo packages you will need to generate yourself a GPG key if you do not already have one. Assuming you do not run

gpg --gen-key

Choose option (2) DSA (sign only). Choose no expiration when prompted and then your full name and email when asked. It will ask you to confirm the information and then for a passphrase.

=== Add Your Key To Mirror ===
ssh mirror.csclub.uwaterloo.ca
gpg --list-keys

Locate the 8-character id string. For example "16E37635" in
/users/m2ellis/.gnupg/pubring.gpg
---------------------------------
pub 1024D/'''16E37635''' 2010-08-19
uid Michael Ellis <m2ellis@csclub.uwaterloo.ca>

Now you must add this id into the file /srv/debian/conf/uploaders on mirror
sudo vim /srv/debian/conf/uploaders

Now in another terminal run
gpg --export --armor $KEYID

Now on mirror run
sudo -s
GNUPGHOME=/srv/debian/gpg gpg --import

Then paste the output from gpg --export --armor $KEYID and end with CTRL-D. It should give you a confirmation, example
gpg: key 16E37635: public key "Michael Ellis <m2ellis@csclub.uwaterloo.ca>" imported
gpg: Total number processed: 1
gpg: imported: 1

== Making Changes ==
The source-code for ceo can be found in git: [http://git.csclub.uwaterloo.ca/?p=public/pyceo.git;a=summary csclub:/users/git/public/pyceo.git]. To checkout the code run

git clone ~git/public/pyceo.git

When you are done making your change you need to update the changelog with dch. Assuming this is a minor incremental change run

dch -i

Add a description of your change and then save and quit. Once you are sure of your changes commit them to the git repository and push them (test them first!).

Make sure to set a distribution, like distribution UNRELEASED is NOT allowed. So change it to whatever distribution you're deploying to in the <code>debian/changelog</code> file

Then you'll need to make a tar.gz file<syntaxhighlight lang="bash">
tar czf ceo_1.0.31.orig.tar.gz pyceo/
</syntaxhighlight>To build the package run debuild

debuild

This will generate the *.deb files in the parent directory.

=== Uploading Changes to Mirror ===
After you make the package, you'll need to sign it, this can be via debsign. (You can find the .changes file in the parent directory)<syntaxhighlight lang="bash">
debsign -k[GPG Key ID] [package].changes

</syntaxhighlight>

In the directory containing the *.deb and *.changes files run

=== DO NOT USE DUPLOAD, THIS IS LEGACY DOCUMENTATION, USE `dput` INSTEAD. ASK SIRACHA FOR CONFIGS ===
'''This needs to be done on high-fructose-corn-syrup because of the dupload configs'''
dupload

Then ssh to mirror and run
sudo rrr-incoming

The package should now be uploaded and you can update in the usual way with apt-get/aptitude.

== How to deploy CEO ==
Firstly, cry

Secondly, check the usual place for all the passwords, install ceo. Install ceod if needed, and edit the configs to make sure the correct servers are contacted for the relevant services. Like install ceod on the management node of cloudstack.

Then setup the kerberos tickets

Then go to `/etc/csc`, and fill in all the ceo.ini, and ceod.ini configs
[[Category:Software]]

Meeting:Termcom/Saturday 29 June 2025

2025-06-29T18:58:05Z

S23adhik:

- Will setup Proxmox on Citric-acid

- Will setup a different method of VHosts:

Kubernetes-backed ingress:

1. Create a self-managed k8s cluster in the virtualized environment (eg. rke2)

2. Configure ingress (eg. Istio)

3. Configure a software-based load balancer (eg. kube-vip, metallb) or an external load balancer (eg. from CSCF/IST)

4. Configure https://gateway-api.sigs.k8s.io/

CEO Integration: Write a custom kubernetes operator, or use a dynamic client for modifying vhost/stream configs.

vhost -> HTTPRoute, GRPCRoute
stream -> TLSRoute

- Taking out yerba-mate, and corn-syrup
- Centralising all our scripts
- Updating ansible scripts
- Standardising our configs

- Rewrite pyceo as Go - Ohm, Nathan, Jenny

Meeting:Termcom/Saturday 29 June 2025

2025-06-29T18:30:40Z

S23adhik: Created page with "- Will setup Proxmox on Citric-acid - Will setup a different method of VHosts: Kubernetes-backed ingress: 1. Create a self-managed k8s cluster in the virtualized environment (eg. rke2) 2. Configure ingress (eg. Istio) 3. Configure a software-based load balancer (eg. kube-vip, metallb) or an external load balancer (eg. from CSCF/IST) 4. Configure https://gateway-api.sigs.k8s.io/ CEO Integration: Write a custom kubernetes operator, or use a dynamic client for modifying vh..."

- Will setup Proxmox on Citric-acid
- Will setup a different method of VHosts:
Kubernetes-backed ingress:
1. Create a self-managed k8s cluster in the virtualized environment (eg. rke2)
2. Configure ingress (eg. Istio)
3. Configure a software-based load balancer (eg. kube-vip, metallb) or an external load balancer (eg. from CSCF/IST)
4. Configure https://gateway-api.sigs.k8s.io/
CEO Integration: Write a custom kubernetes operator, or use a dynamic client for modifying vhost/stream configs.

vhost -> HTTPRoute, GRPCRoute
stream -> TLSRoute

- Taking out yerba-mate, and corn-syrup
- Centralising all our scripts
- Updating ansible scripts
- Standardising our configs

- Rewrite pyceo as Go

IPMI101

2025-06-24T03:11:29Z

S23adhik: /* Citric-acid/Sorbitol */

= Guide to IPMI (IPMI 101) =

IPMI is a necessary evil. Let’s learn to make the best of it.

== Setting up IPMI ==

# Install ipmitool

<pre># apt-get install ipmitool</pre>
<ol start="2" style="list-style-type: decimal;">
<li>Load IPMI modules (they are included in most upstream kernels)</li></ol>

You may also need a kernel module specific to your motherboard’s manufacture as some BMC/LOMs do not conform to IPMI spec and thus need a translation layer.

<pre># modprobe ipmi_*</pre>
<ol start="3" style="list-style-type: decimal;">
<li>Locally connect to the <code>/dev/ipmi</code> interface</li></ol>

<pre># ipmitool shell
> help
> mc info</pre>
== Securing IPMI ==

Note that root on the machine is root on the BMC and vice versa.

# User administration

(re)set the password, rename the admin account to root and delete any extra users as they can have surprising privilege. You may have to use the BMC’s web interface delete accounts.

<pre># ipmitool shell
> user list 1
ID Name ...
2 ADMIN ...
> user set password 2
User id 2: *******
User id 2: *******
> user set username 2 root
> user disable $other_user_ids</pre>
<ol start="2" style="list-style-type: decimal;">
<li>Disable NULL password and cipher suite 0</li></ol>

Note that the $channel is usually 0 but can range from 0-10 and there can be multiple NICs and so multiple channels to fix.

<pre># ipmitool shell
> lan print $channel
> lan set $channel auth ADMIN MD5
> lan set $channel auth CALLBACK MD5
> lan set $channel auth USER MD5
> lan set $channel auth OPERATOR MD5
> lan set $channel cipher_privs XXXaXXXXXXXXXXX
> lan print $channel</pre>
== Configuring networking ==

Note once again that there are sometimes multiple channels, to find the correct channel it is helpful to use either trial and error and/or an ARP scanner to find the correct MAC address. Usually the channel is 0 but I have seen 1, 8 and 17. Especially when there are multiple NICs.

<pre># ipmitool shell
> lan print $channel
> lan set $channel ipsrc static
> lan set $channel ipaddr 10.15.134.?
> lan set $channel defgw ipaddr 10.15.134.1
> lan set $channel netmask 255.255.255.0
// if you have vlan tagging enabled on the switch port, useful for a shared NIC
> lan set $channel vlan id 520</pre>
== Configuring Serial over LAN ==

To enable serial over LAN you need to ensure that it is enabled in your BIOS or EFI setup utility and further note the baud rate. 115200 is used as an example below. Note that GRUB is the only boot loader that takes input via serial properly, in my experience. Syslinux failed horribly on corn-syrup.

Paste the following into /etc/default/grub.d/99-csclub.cfg:

<pre>
GRUB_CMDLINE_LINUX="console=tty1 console=ttyS1,115200n8"
GRUB_TERMINAL_INPUT="console serial"
GRUB_TERMINAL_OUTPUT="console serial"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8 --parity=no --stop=1"
</pre>
and then run:

<pre>// on debian based distros
// Yay, Debian magic :\
# update-grub
// on upstream packages (Arch, Fedora, etc.)
# grub-mkconfig -o /boot/grub/grub.cfg

# reboot</pre>

= iDRAC =
== riboflavin ==
riboflavin is using iDRAC 6. The web console can be viewed from https://riboflavin-ipmi.csclub.uwaterloo.ca; if you are not on campus, you can use a [[How_to_SSH#SOCKS_proxy|SOCKS proxy]]. Unfortunately, the virtual console uses Java Web Start, which is now deprecated. Here's a workaround which you can use instead.

From the web UI, go to the "Console/Media" tab and click the "Launch virtual console" button. This will download a file whose name starts with "viewer.jnlp". Now go to https://www.java.com and download JRE 8; any later version will not have support for JWS (note that OpenJDK will not work; JWS was a proprietary framework from Sun/Oracle). Unpack the tarball, open jre1.8.0_391/lib/security/java.security in a text editor, and comment out the following properties (note that each property spans multiple lines):
<ul>
<li>jdk.certpath.disabledAlgorithms</li>
<li>jdk.jar.disabledAlgorithms</li>
<li>jdk.tls.disabledAlgorithms</li>
</ul>

If you are off-campus, you will need to setup some proxying so that the Java application can access ports 443 and 5900 on riboflavin-ipmi. In the example below, I am using caffeine as a jump host, but any machine on campus should do:
<pre>
ssh -L 5443:localhost:5443 -L 5900:localhost:5900 caffeine.csclub.uwaterloo.ca
</pre>

Now on caffeine, open a tmux/screen session, and run the following commands in two different panes:
<ul>
<li><code>socat TCP-LISTEN:5443,fork TCP:riboflavin-ipmi:443</code></li>
<li><code>socat TCP-LISTEN:5900,fork TCP:riboflavin-ipmi:5900</code></li>
</ul>

Back on your personal machine, open the viewer.jnlp file in a text editor and perform the following:
<ol>
<li>Replace all instances of <code>riboflavin-ipmi.csclub.uwaterloo.ca:443</code> with <code>localhost:5443</code></li>
<li>Under the <code>application-desc</code> element, the first <code>argument</code> child element should say <code>ip=riboflavin-ipmi.csclub.uwaterloo.ca</code>. Replace this with <code>ip=localhost</code></li>.
<li>Under the <code>application-desc</code> element, there are child <code>argument</code>elements for <code>user</code> and <code>passwd</code>. For some reason these are set to numbers; set these to the username and password for IPMI (username should be <code>root</code>).</li>
</ol>

Now run:
<pre>
jre1.8.0_391/bin/javaws viewer.jnlp
</pre>

If all goes well, the virtual console should eventually appear:
[[File:Riboflavin-idrac-virtual-console.png|1000px]]

== carbonated-water ==
carbonated-water is also using iDRAC 6, but seems to have some kind of TLS certificate configuration which prevents modern browsers from loading its web UI. So we're going to run an old version of Firefox inside a Podman container instead:
<pre>
podman run --name firefox -it -e DISPLAY --net=host -v $XAUTHORITY:/root/.Xauthority -v /tmp/.X11-unix:/tmp/.X11-unix debian:9-slim bash
sed -i 's/deb\.debian\.org/archive.debian.org/' /etc/apt/sources.list
sed -i 's/security\.debian\.org/archive.debian.org/' /etc/apt/sources.list
sed -i '/stretch-updates/d' /etc/apt/sources.list
apt update
apt install firefox-esr
firefox
</pre>
Next, follow the instructions here to set up a SOCKS proxy: [[How to SSH#SOCKS proxy]]

Now visit https://carbonated-water-ipmi.csclub.uwaterloo.ca from Firefox, login using the IPMI credentials, and download the JNLP file. Copy it from the Podman container to your computer (replace "viewer.jnlp" with the full file name):
<pre>
podman cp firefox:/root/Downloads/viewer.jnlp launch.jnlp
</pre>
Follow the same steps as done for riboflavin to edit the JDK settings and JNLP file. In addition, there are a few more settings which we need to tweak:
<ul>
<li>Run <code>jre1.8.0_391/bin/ControlPanel</code>, go to the Advanced tab, scroll down and check "TLS 1.0" and "TLS 1.1"</li>
<li>We also need to disable OCSP. In the same window, set "Check for signed code certificate revocation using" to "Certificate Revocation Lists (CRLs)" and set "Check for TLS certificate revocation using" to "Certificate Revocation Lists (CRLs)" (see [https://www.kunxi.org/2015/01/bypass-the-certpathvalidatorexception-caused-by-malformed-ocsp-response/ here] for the reference).</li>
</ul>
[[File:java-control-panel-advanced.png]]

Now you can launch the JNLP file as usual.

== Citric-acid/Sorbitol ==
To access them, there's a pod on xylitol that can be run with the command;<syntaxhighlight lang="bash">
podman run -d -p 5800:5800 -p 5900:5900 -e IDRAC_HOST=[url] -e IDRAC_USER=[usr] -e IDRAC_PASSWORD=[password] -v /root/vmedia:/vmedia --name citric-idrac domistyle/idrac6
</syntaxhighlight>Then you can proxy to xylitol, and just connect to that port to get ipmi console.

= Supermicro =
== ginkgo ==
To access the virtual console on ginkgo, the steps are the same as those for riboflavin, with the following changes:
<ul>
<li>In the launch.jnlp file, in the root <code><jnlp></code> tag, change the value of the <code>codebase</code> attribute from <code>https<nowiki/>://ginkgo-ipmi.csclub.uwaterloo.ca:443</code> to <code>https<nowiki/>://localhost:5443</code>. Next, in the first <code><argument></code> element under <code><application-desc></code>, replace <code>ginkgo-ipmi.csclub.uwaterloo.ca</code> with <code>localhost</code>. These are the only changes which you should make to this file (unless you are already on the campus network, in which case you do not need to modify this file at all).</li>
<li>Run <code>jre1.8.0_391/bin/ControlPanel</code>, go to the Security tab, click "Edit Site List", and add <code>https<nowiki/>://ginkgo-ipmi.csclub.uwaterloo.ca</code> as an exception.
</ul>

IPMI101

2025-06-24T03:04:12Z

S23adhik: /* iDRAC */

= Guide to IPMI (IPMI 101) =

IPMI is a necessary evil. Let’s learn to make the best of it.

== Setting up IPMI ==

# Install ipmitool

<pre># apt-get install ipmitool</pre>
<ol start="2" style="list-style-type: decimal;">
<li>Load IPMI modules (they are included in most upstream kernels)</li></ol>

You may also need a kernel module specific to your motherboard’s manufacture as some BMC/LOMs do not conform to IPMI spec and thus need a translation layer.

<pre># modprobe ipmi_*</pre>
<ol start="3" style="list-style-type: decimal;">
<li>Locally connect to the <code>/dev/ipmi</code> interface</li></ol>

<pre># ipmitool shell
> help
> mc info</pre>
== Securing IPMI ==

Note that root on the machine is root on the BMC and vice versa.

# User administration

(re)set the password, rename the admin account to root and delete any extra users as they can have surprising privilege. You may have to use the BMC’s web interface delete accounts.

<pre># ipmitool shell
> user list 1
ID Name ...
2 ADMIN ...
> user set password 2
User id 2: *******
User id 2: *******
> user set username 2 root
> user disable $other_user_ids</pre>
<ol start="2" style="list-style-type: decimal;">
<li>Disable NULL password and cipher suite 0</li></ol>

Note that the $channel is usually 0 but can range from 0-10 and there can be multiple NICs and so multiple channels to fix.

<pre># ipmitool shell
> lan print $channel
> lan set $channel auth ADMIN MD5
> lan set $channel auth CALLBACK MD5
> lan set $channel auth USER MD5
> lan set $channel auth OPERATOR MD5
> lan set $channel cipher_privs XXXaXXXXXXXXXXX
> lan print $channel</pre>
== Configuring networking ==

Note once again that there are sometimes multiple channels, to find the correct channel it is helpful to use either trial and error and/or an ARP scanner to find the correct MAC address. Usually the channel is 0 but I have seen 1, 8 and 17. Especially when there are multiple NICs.

<pre># ipmitool shell
> lan print $channel
> lan set $channel ipsrc static
> lan set $channel ipaddr 10.15.134.?
> lan set $channel defgw ipaddr 10.15.134.1
> lan set $channel netmask 255.255.255.0
// if you have vlan tagging enabled on the switch port, useful for a shared NIC
> lan set $channel vlan id 520</pre>
== Configuring Serial over LAN ==

To enable serial over LAN you need to ensure that it is enabled in your BIOS or EFI setup utility and further note the baud rate. 115200 is used as an example below. Note that GRUB is the only boot loader that takes input via serial properly, in my experience. Syslinux failed horribly on corn-syrup.

Paste the following into /etc/default/grub.d/99-csclub.cfg:

<pre>
GRUB_CMDLINE_LINUX="console=tty1 console=ttyS1,115200n8"
GRUB_TERMINAL_INPUT="console serial"
GRUB_TERMINAL_OUTPUT="console serial"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8 --parity=no --stop=1"
</pre>
and then run:

<pre>// on debian based distros
// Yay, Debian magic :\
# update-grub
// on upstream packages (Arch, Fedora, etc.)
# grub-mkconfig -o /boot/grub/grub.cfg

# reboot</pre>

= iDRAC =
== riboflavin ==
riboflavin is using iDRAC 6. The web console can be viewed from https://riboflavin-ipmi.csclub.uwaterloo.ca; if you are not on campus, you can use a [[How_to_SSH#SOCKS_proxy|SOCKS proxy]]. Unfortunately, the virtual console uses Java Web Start, which is now deprecated. Here's a workaround which you can use instead.

From the web UI, go to the "Console/Media" tab and click the "Launch virtual console" button. This will download a file whose name starts with "viewer.jnlp". Now go to https://www.java.com and download JRE 8; any later version will not have support for JWS (note that OpenJDK will not work; JWS was a proprietary framework from Sun/Oracle). Unpack the tarball, open jre1.8.0_391/lib/security/java.security in a text editor, and comment out the following properties (note that each property spans multiple lines):
<ul>
<li>jdk.certpath.disabledAlgorithms</li>
<li>jdk.jar.disabledAlgorithms</li>
<li>jdk.tls.disabledAlgorithms</li>
</ul>

If you are off-campus, you will need to setup some proxying so that the Java application can access ports 443 and 5900 on riboflavin-ipmi. In the example below, I am using caffeine as a jump host, but any machine on campus should do:
<pre>
ssh -L 5443:localhost:5443 -L 5900:localhost:5900 caffeine.csclub.uwaterloo.ca
</pre>

Now on caffeine, open a tmux/screen session, and run the following commands in two different panes:
<ul>
<li><code>socat TCP-LISTEN:5443,fork TCP:riboflavin-ipmi:443</code></li>
<li><code>socat TCP-LISTEN:5900,fork TCP:riboflavin-ipmi:5900</code></li>
</ul>

Back on your personal machine, open the viewer.jnlp file in a text editor and perform the following:
<ol>
<li>Replace all instances of <code>riboflavin-ipmi.csclub.uwaterloo.ca:443</code> with <code>localhost:5443</code></li>
<li>Under the <code>application-desc</code> element, the first <code>argument</code> child element should say <code>ip=riboflavin-ipmi.csclub.uwaterloo.ca</code>. Replace this with <code>ip=localhost</code></li>.
<li>Under the <code>application-desc</code> element, there are child <code>argument</code>elements for <code>user</code> and <code>passwd</code>. For some reason these are set to numbers; set these to the username and password for IPMI (username should be <code>root</code>).</li>
</ol>

Now run:
<pre>
jre1.8.0_391/bin/javaws viewer.jnlp
</pre>

If all goes well, the virtual console should eventually appear:
[[File:Riboflavin-idrac-virtual-console.png|1000px]]

== carbonated-water ==
carbonated-water is also using iDRAC 6, but seems to have some kind of TLS certificate configuration which prevents modern browsers from loading its web UI. So we're going to run an old version of Firefox inside a Podman container instead:
<pre>
podman run --name firefox -it -e DISPLAY --net=host -v $XAUTHORITY:/root/.Xauthority -v /tmp/.X11-unix:/tmp/.X11-unix debian:9-slim bash
sed -i 's/deb\.debian\.org/archive.debian.org/' /etc/apt/sources.list
sed -i 's/security\.debian\.org/archive.debian.org/' /etc/apt/sources.list
sed -i '/stretch-updates/d' /etc/apt/sources.list
apt update
apt install firefox-esr
firefox
</pre>
Next, follow the instructions here to set up a SOCKS proxy: [[How to SSH#SOCKS proxy]]

Now visit https://carbonated-water-ipmi.csclub.uwaterloo.ca from Firefox, login using the IPMI credentials, and download the JNLP file. Copy it from the Podman container to your computer (replace "viewer.jnlp" with the full file name):
<pre>
podman cp firefox:/root/Downloads/viewer.jnlp launch.jnlp
</pre>
Follow the same steps as done for riboflavin to edit the JDK settings and JNLP file. In addition, there are a few more settings which we need to tweak:
<ul>
<li>Run <code>jre1.8.0_391/bin/ControlPanel</code>, go to the Advanced tab, scroll down and check "TLS 1.0" and "TLS 1.1"</li>
<li>We also need to disable OCSP. In the same window, set "Check for signed code certificate revocation using" to "Certificate Revocation Lists (CRLs)" and set "Check for TLS certificate revocation using" to "Certificate Revocation Lists (CRLs)" (see [https://www.kunxi.org/2015/01/bypass-the-certpathvalidatorexception-caused-by-malformed-ocsp-response/ here] for the reference).</li>
</ul>
[[File:java-control-panel-advanced.png]]

Now you can launch the JNLP file as usual.

== Citric-acid/Sorbitol ==
To access them, there's a pod on xylitol that can be run with the command;<syntaxhighlight lang="bash">
podman run -d -p 5800:5800 -p 5900:5900 -e IDRAC_HOST=[ip of ipmi stuff] -e IDRAC_USER=[user] -e IDRAC_PASSWORD=[password] -v [directory to mount]:/vmedia --name [server]-idrac domistyle/idrac6
</syntaxhighlight>Then you can proxy to xylitol, and just connect to that port to get ipmi console.

= Supermicro =
== ginkgo ==
To access the virtual console on ginkgo, the steps are the same as those for riboflavin, with the following changes:
<ul>
<li>In the launch.jnlp file, in the root <code><jnlp></code> tag, change the value of the <code>codebase</code> attribute from <code>https<nowiki/>://ginkgo-ipmi.csclub.uwaterloo.ca:443</code> to <code>https<nowiki/>://localhost:5443</code>. Next, in the first <code><argument></code> element under <code><application-desc></code>, replace <code>ginkgo-ipmi.csclub.uwaterloo.ca</code> with <code>localhost</code>. These are the only changes which you should make to this file (unless you are already on the campus network, in which case you do not need to modify this file at all).</li>
<li>Run <code>jre1.8.0_391/bin/ControlPanel</code>, go to the Security tab, click "Edit Site List", and add <code>https<nowiki/>://ginkgo-ipmi.csclub.uwaterloo.ca</code> as an exception.
</ul>

New NetApp

2025-06-19T00:05:22Z

S23adhik: /* Configuration */

At some point in 2017, CSCF and MFCF donated us their FAS'''XXXX''' NetApp filers. These filers are to replace the FAS3000 filers currently in use.

Additionally, since we were approaching maximum disk capactiy, the Math Endowment Fund funded a new 24x2TB disk shelf to go with the new filers.

== NetApp Support + Documentation ==

As the filers were decommishioned by both CSCF and MFCF, there is no support of the filers.

Official NetApp documentation is available at https://csclub.uwaterloo.ca/~syscom/netapp-docs/.

At one point, we had access to full information about the NetApp filers on the NetApp support site. At some point, unfortunately, that stopped working. The information provided includes the license keys. We have a copy of the license keys for one of the filers (FS00) but not the other. ''Someone should ask CSCF or MFCF if they have this information recorded somewhere''.

== Physical Installation ==

Both of the NetApp filers are installed in the MC 3015 machine room. One filer and two disk shelves are located in rack E. The other filer was installed in rack F.

<blockquote>For simplicity, we decided to only use of the of the filers. We haven’t decided yet what to do with the other filer.
</blockquote>
=== Networking ===

FS00 is connected via two 1gbps to mc-rt-3015-mso-a using LACP. Therefore, traffic should be balance between the two connections. If one of the connections goes down, the NetApp will continue to function with just the one connection.

=== Power ===

It is important that we keep the NetApp filer + disk shelves running as long as possible. At the time of installation, the UPS in rack E (mc-3015-e1-ups1) was dedicated for critical services (networking, network file shares and web hosting).

== Configuration ==

You can SSH into the NetApp from any CSC host running Debian stretch or lower by running <code>ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+3des-cbc root@fs00.csclub.uwaterloo.ca</code>.

There is a Podman container on xylitol called netapp-jumphost with a convenience script in <code>/usr/local/bin/netapp.sh</code> which invokes the SSH command above. You can simply attach to this container and run the script. You can connect to the container using <code>sudo podman exec -it netapp-jumphost /bin/bash</code>

If you need information about the NetApp, run <code>sysconfig -a</code> on the NetApp.

=== Modifying <code>/etc</code> on the NetApp ===

The easiest way to change configuration on the NetApp is to mount its system directory on a different machine (only biloba is allowed to mount it).

<pre lang="sh">mkdir /mnt/fs00
mount -t nfs -o vers=3,sec=sys fs00.csclub.uwaterloo.ca:/vol/vol0 /mnt/fs00</pre>

'''The NetApp system directory is currently mounted on dextrose, at /mnt/fs00.'''

=== Networking ===

The NetApp is configured in VLAN 530 (CSC Storage).

Here is the networking configuration in <code>etc/rc</code>:

<pre># create lacp link
ifgrp create lacp csc_storage -b ip e0a e0b
ifconfig csc_storage inet 172.19.168.35 netmask 255.255.255.224 mtusize 1500
ifconfig csc_storage inet6 fd74:6b6a:8eca:4903:c5c::35 prefixlen 64
route add default 172.19.168.33 1
route add inet6 default fd74:6b6a:8eca:4903::1 1
routed on
options dns.domainname csclub.uwaterloo.ca
options dns.enable on
options nis.enable off
savecore</pre>
The CSC DNS servers are configured in <code>etc/hosts</code>:

<pre>nameserver 2620:101:f000:4901:c5c::4
nameserver 2620:101:f000:7300:c5c::20
nameserver 129.97.134.4
nameserver 129.97.18.20
nameserver 129.97.2.1
nameserver 129.97.2.2</pre>
<blockquote>'''TODO''': The NetApp has a dedicated management port. We should take advantage of this and connect that directly to a machine which only the Systems Committee can access. Configuring this port should disable SSH via the non-management ports (this may need additional configuration).
</blockquote>
=== Disks ===

There are two disk shelves connected to the FS00 NetApp.

# 14x136GB 10 000RPM FibreChannel disks
#* This was unused from our old NetApp system and was originally used for testing.
#* (ztseguin) I can’t remember, but I don’t think all disks are present.
# DS4243: 24x2TB 7 200RPM SATA disks
#* Funded by the Math Endowment Fund (MEF)
#* Purchased from Enterasource in Winter 2018

=== Aggregates ===

All aggregates are configured with RAID-DP.

''Note: any other aggregate on the NetApp is for testing only.''

==== <code>aggr0</code> ====

NetApp system aggregate. Disks assigned to this aggregate are located on the old disk shelf.

Volumes:

* <code>vol0</code>

==== <code>aggr_users</code> ====

Aggregate dedicated to user home directories.

Volumes:

* <code>users</code>

==== <code>aggr_misc</code> ====

Aggregate for miscellaneous purposes.

Volumes:

* <code>music</code>
* <code>backup</code>

=== Volumes ===

''Note: any other volume on the NetApp is for testing only.''

==== <code>vol0</code> ====

NetApp system volume.

==== <code>users</code> ====

For user home directories. Each user is given a quota of 12GB.

Snapshots:

* 12 hourly, 4 nightly and 2 weekly

==== <code>music</code> ====

For music.

Snapshots:

* 2 nightly and 16 weekly

==== <code>backup</code> ====

For backups of LDAP, Kerberos.

Snapshots:

* 2 nightly and 16 weekly

=== Exporting Volumes ===

'''In general, <code>sec=sys</code> should only be exported to MC VLAN 530 (172.19.168.32/27, fd74:6b6a:8eca:4903::/64). This VLAN is only connected to trusted machines (NetApp, CSC servers in the MC 3015 or DC 3558 machine rooms).'''

'''All other machines should be given <code>sec=krb5p</code> permissions only.'''

The NetApp exports are stored in <code>/etc/exports</code>. If you update the exports, they can be reloaded by running <code>exportfs -r</code> on the NetApp.

=== Quotas ===

Quotas are configured on the NetApp, in <code>/etc/quotas</code>.

After updating the quotas, the NetApp must be instructed to reload them:

<pre lang="bash"># this will work for most quota changes
quota resize <volume>

# however, some changes might need a full re-initialization of quotas
# note: while re-initializing, quotas will not be enforced.
quota off <volume>
quota on <volume></pre>

==== Quota Reports ====

Users can view their current usage + quota by running <code>quota -s</code> on any machine.

The Systems Committee can run a report of everyone’s usage by running <code>quota report</code> on the NetApp.

=== Snapshots ===

Most volumes have snapshots enabled. Snapshots only use space when files change contained within them change (as it’s copy on write).

Snapshots are available in a special directory called <code>.snapshot</code>. This directory is available everywhere and will not show up in a directory listing (except at the volume root).

Current schedules can be viewed by running <code>snap sched <volume></code>.

=== inodes ===

The number of inodes can be increased with the command:

<pre>maxfiles $VOLUME $NEW_VALUE</pre>

It is not possible to decrease the number of inodes.

CloudStack

2025-06-15T06:59:08Z

S23adhik:

We are using [https://cloudstack.apache.org/ Apache CloudStack] to provide VMs-as-a-service to members. Our user documentation is here: https://docs.cloud.csclub.uwaterloo.ca

Prerequisite reading:

* [[Ceph]]
* [[Cloud Networking]]

Official CloudStack documentation: http://docs.cloudstack.apache.org/en/4.16.0.0/

== Rebooting machines ==
I'm going to start with this first because this is what future sysadmins are most interested in. If you reboot one of the CloudStack guest machines (as of this writing: biloba, ginkgo and chamomile), then I suggest you perform a live migration of all of the VMs on that host to the other other machines (see [[#Sequential reboot]]).

If this is not possible (e.g. there is not enough capacity on the other machines), then CloudStack will most likely shut down the VMs automatically. You are responsible for restarting them manually after the reboot. You will also need to manually restart any Kubernetes clusters.

Note: if the cloudstack-agent.service is having trouble reconnecting to the management servers after a reboot, just do a systemctl restart and cross your fingers.

=== Sequential reboot ===
If it is possible to reboot the machines one at a time (e.g. for a software upgrade), then it is possible to avoid having any downtime. Login to the web UI as admin, go to Infrastructure > Hosts, hover above the three-dots button for a particular host, then press the "Enable Maintenance Mode" button.
[[File:Cloudstack-enable-maintenance-mode-button.png|1000px]]
 
Wait for the VMs to be migrated to the other machines (press the Refresh button to update the table). If you see an error which says "ErrorInPrepareForMaintenance", just wait it out. If more than 20 minutes have passed and there is still no progress, take the host out of maintenance mode, and put it back into maintenance mode. If this still does not work, restart the management server.

When a host is in maintenance mode, it should look like this:
[[File:Cloudstack-host-in-maintenance-mode.png|1000px]]
 
Once all VMs have been migrated, do whatever you need to do on the physical host; once it is back up, take it back out of maintenance mode from the web UI. Repeat for any other hosts which need to be taken offline.

== Unexpected reboot ==
Sometimes a network interface fails on a machine after the switches in MC are rebooted (looking at you, riboflavin). Or a machine randomly goes offline in the middle of the night (looking at you, ginkgo). Point is, sometimes a machine needs to rebooted, or is forcefully rebooted, without preparation. Unfortunately, CloudStack is unable to recover gracefully from an unexpected reboot. This means that manual intervention is required to get the VMs back into a working state.

Once the machine has come back online, perform the following:
<ol>
<li>All of the VMs which were on that machine will eventually transition to the Stopped state. Wait for this to happen first (from the web UI).</li>
<li>Go to Infrastructure -> Management servers and make sure that both biloba and chamomile are present and running. If not, you may need to restart the management server on the machine (<code>systemctl restart cloudstack-management</code>). Watch the journald logs for any error messages.</li>
<li>Go to Infrastructure -> Hosts and make sure that all three hosts (biloba, chamomile and ginkgo) are present and running. If not, you may need to restart the agent on the machine (<code>systemctl restart cloudstack-agent</code>). Watch the journald logs for any error messages.</li>
<li>If you restart cloudstack-agent, restart virtlogd as well, just for good measure. Watch the journald logs for any error messages.</li>
<li>Restart ONE of the stopped VMs and make sure that it transitions to the Started state. If more than 20 minutes pass and it still hasn't started, restart the management servers and try again.</li>
<li>Restart the rest of the stopped VMs.</li>
</ol>

== Administration ==
To login with the admin account, use the following credentials in the web UI
<ul>
<li>Username: admin</li>
<li>Password: stored in the usual place</li>
<li>Domain: leave this empty</li>
</ul>

There is another admin account for the Members domain. This is necessary to create projects in the Members domain which regular members can access. Note that his account has fewer privileges than the root admin account above (it has the DomainAdmin role instead of the RootAdmin role).
<ul>
<li>Username: membersadmin</li>
<li>Password: stored in the usual place</li>
<li>Domain: Members
</ul>

Note that there are two management servers, one on each of biloba and chamomile (chamomile is a hot standby for biloba). If you restart one of them, you should restart the other as well.

=== CLI ===
CloudStack has a CLI called [https://github.com/apache/cloudstack-cloudmonkey cloudmonkey] which is already set up on biloba. Just run <code>cmk</code> as root to start it up.

Cloudmonkey is basically a shell for the API (https://cloudstack.apache.org/api/apidocs-4.16/). For example, to list all domains:
<pre>
listDomains details=min
</pre>
Run <code>somecommand -h</code> to see all parameters for a particular command (or browse the API documentation).
See https://github.com/apache/cloudstack-cloudmonkey for more details.

== Building packages ==
While CloudStack does provide .deb packages for Ubuntu, unfortunately these don't work on Debian (the 'qemu-kvm' dependency is a virtual package on Debian, but not on Ubuntu). So we're going to build our own packages instead.

We're going to perform the build in a Podman container to avoid polluting the host machine with unnecessary packages. There's a container called cloudstack-build on biloba which you can re-use. If you create a new container, make sure to use the same Podman image as the release for which you're building (e.g. 'debian:bullseye').

The instructions below are adapted from http://docs.cloudstack.apache.org/en/latest/installguide/building_from_source.html

Inside the container, install the dependencies:
<pre>
apt install maven openjdk-11-jdk libws-commons-util-java libcommons-codec-java libcommons-httpclient-java liblog4j1.2-java genisoimage devscripts debhelper python3-setuptools
</pre>
Install Node.js 12 as well (Debian bullseye's version happens to be 12):
<pre>
apt install nodejs npm
</pre>
Build the node-sass module (see [https://github.com/sass/node-sass/issues/1579 this issue] to see why this is necessary):
<pre>
cd ui && npm install && npm rebuild node-sass && cd ..
</pre>
The python3-mysql.connector package is not available in bullseye, so we're going to download and install it from the sid release:
<pre>
curl -LOJ http://ftp.ca.debian.org/debian/pool/main/m/mysql-connector-python/python3-mysql.connector_8.0.15-2_all.deb
apt install ./python3-mysql.connector_8.0.15-2_all.deb
</pre>
Download the CloudStack source code:
<pre>
curl -LOJ http://mirror.csclub.uwaterloo.ca/apache/cloudstack/releases/4.16.0.0/apache-cloudstack-4.16.0.0-src.tar.bz2
tar -jxvf apache-cloudstack-4.16.0.0-src.tar.bz2
cd apache-cloudstack-4.16.0.0-src
</pre>
Download the Maven dependencies:
<pre>
mvn -P deps
</pre>
Now open debian/control and perform the following changes:

* Replace 'qemu-kvm (>=2.5)' with 'qemu-system-x86 (>= 1:5.2)' in the dependencies of cloudstack-agent
* Remove dh-systemd as a build dependency of cloudstack (it's included in debhelper)

Now open debian/rules and add the following flags to the <code>mvn</code> command:
<pre>
-Dmaven.test.skip=true -Dclean.skip=true -Dcheckstyle.skip
</pre>

Now open debian/changelog and change 'unstable' to 'bullseye'.

As of this writing, there is a [https://gitlab.com/libvirt/libvirt/-/issues/161 bug in libvirt] which prevents VMs with more than 4GB of RAM from being created on hosts with cgroups2. Until that issue is fixed, we're going to need to modify the source code. Since we're already building a custom CloudStack package, it's easier to patch CloudStack than to patch libvirt, so paste something like the following into debian/patches/fix-cgroups2-cpu-weight.patch:
<pre>
Description: Workaround for libvirt trying to write a value to the cgroups v2
cpu.weight controller which is greater than the maximum (10000). The
libvirt developers are currently discussing a solution.
Forwarded: not-needed
Origin: upstream, https://gitlab.com/libvirt/libvirt/-/issues/161
Author: Max Erenberg <merenber@csclub.uwaterloo.ca>
Last-Update: 2021-12-03
Index: apache-cloudstack-4.16.0.0-src/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtVMDef.java
===================================================================
--- apache-cloudstack-4.16.0.0-src.orig/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtVMDef.java
+++ apache-cloudstack-4.16.0.0-src/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtVMDef.java
@@ -1483,6 +1483,10 @@ public class LibvirtVMDef {
static final int MAX_PERIOD = 1000000;

public void setShares(int shares) {
+ // Clamp the value to the cgroups v2 cpu.weight maximum until
+ // upstream libvirt gets fixed:
+ // https://gitlab.com/libvirt/libvirt/-/issues/161
+ shares = Math.min(shares, 10000);
_shares = shares;
}
</pre>
I think you have to manually modify that LibvirtVMDef.java file to incorporate those changes (I could be wrong on this, but that's how I did it).

Then paste the following into debian/patches/00list:
<pre>
fix-cgroup2-cpu-weight
</pre>

Finally, import your GPG key into the container (make sure to delete it afterwards!), and build the packages:
<pre>
debuild -k<YOUR_GPG_KEY_ID>
</pre>

There should already be a .dupload.conf in the /root directory in the cloudstack-build container; if you need need another copy, ask a syscom member. Open /root/.ssh/config and change the User parameter to your username. Finally, go to /root and upload the packages to potassium-benzoate (replace the version number):
<pre>
dupload cloudstack_4.16.0.0+1_amd64.changes
</pre>

== Incompatibility with Debian 12 packages ==
After upgrading ginkgo to bookworm, we discovered that libvirt 8+ was incompatible with CloudStack 4.16.0.0. See https://www.shapeblue.com/advisory-on-libvirt-8-compatibility-issues-with-cloudstack/ for details. So we built new packages from the 4.16.1.0 branch of ShapeBlue's GitHub repository. For some reason the cloudstack-management process failed with some errors from SLF4J, so we needed to download some JARs:

<pre>
wget -O /usr/share/cloudstack-management/lib/log4j-1.2.17.jar https://repo1.maven.org/maven2/log4j/log4j/1.2.17/log4j-1.2.17.jar
wget -O /usr/share/cloudstack-management/lib/slf4j-log4j12-1.6.6.jar https://repo1.maven.org/maven2/org/slf4j/slf4j-log4j12/1.6.6/slf4j-log4j12-1.6.6.jar
</pre>

See https://stackoverflow.com/a/70528383 for details.

We also encountered some kind of Java 11 -> 17 incompatibility issue, so following parameters were added to the JAVA_OPTS variable in /etc/default/cloudstack-management:

<pre>
--add-opens java.base/java.lang=ALL-UNNAMED
</pre>

See https://stackoverflow.com/a/41265267 for details. Note that this file is NOT a shell script so you cannot use variable interpolation. You must modify the value of JAVA_OPTS directly.

== Database setup ==
We are using master-master replication between two MariaDB instances on biloba and chamomile. See [https://mariadb.com/kb/en/setting-up-replication/ here] and [https://tunnelix.com/simple-master-master-replication-on-mariadb/ here] for instructions on how to set this up.

To avoid split-brain syndrome, mariadb.cloud.csclub.uwaterloo.ca points to a virtual IP shared by biloba and chamomile via keepalived. This means that only one host is actually handling requests at any moment; the other is a hot standby.

Also add the following parameters to /etc/mysql/my.cnf on the hosts running MariaDB:
<pre>
[mysqld]
innodb_rollback_on_timeout=1
innodb_lock_wait_timeout=600
max_connections=350
log-bin=mysql-bin
binlog-format = 'ROW'
</pre>
Also comment out (or remove) the following line in /etc/mysql/mariadb.conf.d/50-server.cnf:
<pre>
bind-address = 127.0.0.1
</pre>
Now restart MariaDB.

== Management server setup ==
Install the management server from our Debian repository:
<pre>
apt install cloudstack-management
</pre>

Run the database scripts:
<pre>
cloudstack-setup-databases cloud:password@localhost --deploy-as=root
</pre>
(Replace 'password' by a strong password.)

Open /etc/cloudstack/management/db.properties and replace all instances of 'localhost' by 'mariadb.cloud.csclub.uwaterloo.ca'.

Open /etc/cloudstack/management/server.properties and set 'bind-interface' to 127.0.0.1 (CloudStack is being reverse proxied behind NGINX).

Run some more scripts:
<pre>
cloudstack-setup-management
</pre>

Mount the cloudstack-secondary CephFS volume at /mnt/cloudstack-secondary:
<pre>
mkdir /mnt/cloudstack-secondary
mount -t nfs4 -o port=2049 ceph-nfs.cloud.csclub.uwaterloo.ca:/cloudstack-secondary /mnt/cloudstack-secondary
</pre>
Now download the management VM template:
<pre>
/usr/share/cloudstack-common/scripts/storage/secondary/cloud-install-sys-tmplt -m /mnt/cloudstack-secondary/ -u https://download.cloudstack.org/systemvm/4.16/systemvmtemplate-4.16.0-kvm.qcow2.bz2 -h kvm -F
</pre>

The management server will run on port 8080 by default, so reverse proxy it from NGINX:
<pre>
location / {
proxy_pass http://localhost:8080;
}
</pre>

== Compute node setup ==
Install packages:
<pre>
apt install cloudstack-agent libvirt-daemon-driver-storage-rbd qemu-block-extra
</pre>
Create a new user for CloudStack:
<pre>
useradd -s /bin/bash -d /nonexistent -M cloudstack
# set the password
passwd cloudstack
</pre>
Add the following to /etc/sudoers:
<pre>
cloudstack ALL=(ALL) NOPASSWD:ALL
Defaults:cloudstack !requiretty
</pre>
(There is a way to restrict this, but I was never able to get it to work.)

=== Network setup ===
The /etc/network/interfaces file should look something like this (taking ginkgo as an example):
<pre>
auto enp3s0f0
iface enp3s0f0 inet manual

auto ens1f0np0
iface ens1f0np0 inet manual

# csc-cloud management
auto enp3s0f0.529
iface enp3s0f0.529 inet manual

auto br529
iface br529 inet static
bridge_ports enp3s0f0.529
address 172.19.168.22/27
iface br529 inet6 static
bridge_ports enp3s0f0.529
address fd74:6b6a:8eca:4902::22/64

# csc-cloud provider
auto ens1f0np0.425
iface ens1f0np0.425 inet manual

auto br425
iface br425 inet manual
bridge_ports ens1f0np0.425

# csc server network
auto ens1f0np0.134
iface ens1f0np0.134 inet manual

auto br134
iface br134 inet static
bridge_ports ens1f0np0.134
address 129.97.134.148/24
gateway 129.97.134.1
iface br134 inet6 static
bridge_ports ens1f0np0.134
address 2620:101:f000:4901:c5c::148/64
gateway 2620:101:f000:4901::1
</pre>
Add/modify the following lines to /etc/cloudstack/agent.properties:
<pre>
private.network.device=br529
guest.network.device=br425
public.network.device=br425
host=172.19.168.23,172.19.168.24@static
</pre>

=== libvirtd setup ===
Add/modify the following lines in /etc/libvirt/libvirtd.conf:
<pre>
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
auth_tcp = "none"
mdns_adv = 0
</pre>

Uncomment the following line in /etc/default/libvirtd:
<pre>
LIBVIRTD_ARGS="--listen"
</pre>

Make sure the following lines are present in /etc/libvirt/qemu.conf:
<pre>
security_driver="none"
user="root"
group="root"
</pre>

Now run:
<pre>
systemctl mask libvirtd.socket
systemctl mask libvirtd-ro.socket
systemctl mask libvirtd-admin.socket
systemctl restart libvirtd
</pre>

== Management server setup (cont'd) ==
Now start the cloudstack-management systemd service and visit the web UI (https://cloud.csclub.uwaterloo.ca). The login credentials are 'admin' for both the username and password. Start the setup walkthrough (you will be prompted to change the password). Make sure to choose Basic Networking.

The walkthrough is almost certainly going to fail (at least, it did for me). Don't panic when this happens; just abort the walkthrough, and set up everything else manually. Once primary and secondary storage have been setup, and at least one host has been added, enable the Pod, Cluster and Zone (there should only be one of each).

=== Primary Storage ===
* Type: RBD
* IP address: ceph-mon.cloud.csclub.uwaterloo.ca
* Scope: zone
* Get the credentials which you created in [[Ceph#CloudStack_Primary_Storage]]

=== Secondary Storage ===
* Type: NFS
* Host: ceph-nfs.cloud.csclub.uwaterloo.ca:2049
* Path: /cloudstack-secondary

=== Global settings ===
Some global settings which you'll need to set from the web UI:

* ca.plugin.root.auth.strictness: false (this always caused issues for me, so I just disabled it)
* host: 172.19.168.23,172.19.168.24 (the VLAN 529 addresses of biloba and chamomile)

=== Adding a host ===
This is an extremely painful process which I am almost certainly doing wrong. It usually takes me 7-8 attempts to add a single host (that's not an exaggeration). This is what it looks like:

* Stop cloudstack-agent service
* Configure /etc/cloudstack-agent/agent.properties
* Add a host from the CloudStack UI
* Start cloudstack-agent.service

The reason why this takes several attempts is because cloudstack-agent actually overwrites your agent.properties file. If/when you notice that this happens, restart the whole process again.

=== Accessing the System VMs ===
If you need to SSH into one of the System VMs, get its link-local address from the web UI, and run e.g.
<pre>
ssh -i /var/lib/cloudstack/management/.ssh/id_rsa -p 3922 root@169.254.232.179
</pre>

=== Some more global settings ===
<pre>
allow.user.expunge.recover.vm = true
allow.user.view.destroyed.vm = true
expunge.delay = 1
expunge.interval = 1
network.securitygroups.defaultadding = false
allow.public.user.templates = false
vm.network.throttling.rate = 0
network.throttling.rate = 0
cpu.overprovisioning.factor = 4.0
allow.user.create.projects = false
max.project.cpus = 8
max.project.memory = 8192
max.project.primary.storage = 40
max.projet.secondary.storage = 20
max.account.cpus = 8
max.account.memory = 8192
max.account.primary.storage = 40
max.account.secondary.storage = 20
</pre>

NOTE: the <code>cpu.overprovisioning.factor</code> setting also needs to be set for existing clusters. Go to Infrastructure -> Clusters -> Cluster1 -> Settings and set it accordingly.

=== Firewall ===
Since we disabled certificate validation from the clients, we're going to use some iptables-fu on all of the CloudStack hosts (to make our lives easier, we're going to use the same rules on the management and agent servers):
<pre>
iptables -N CLOUDSTACK-SERVICES
iptables -A INPUT -j CLOUDSTACK-SERVICES
iptables -A CLOUDSTACK-SERVICES -i lo -j RETURN
iptables -A CLOUDSTACK-SERVICES -s 172.19.168.0/27 -j RETURN
iptables -A CLOUDSTACK-SERVICES -p tcp -m multiport --dports 16509,16514,45335,41047,8250 -j REJECT
iptables-save > /etc/iptables/rules.v4

ip6tables -N CLOUDSTACK-SERVICES
ip6tables -A INPUT -j CLOUDSTACK-SERVICES
ip6tables -A CLOUDSTACK-SERVICES -i lo -j RETURN
ip6tables -A CLOUDSTACK-SERVICES -s fd74:6b6a:8eca:4902::/64 -j RETURN
ip6tables -A CLOUDSTACK-SERVICES -p tcp -m multiport --dports 16509,16514,45335,41047,8250 -j REJECT
ip6tables-save > /etc/iptables/rules.v6
</pre>

=== LDAP authentication ===
Go to Global Settings in the UI, type 'ldap' in the search bar, and configure the parameters as needed. Make sure the mail attribute is set to 'mailLocalAddress'.

Create a new domain called 'Members'. Then go to 'LDAP Configuration', click the 'Configure LDAP +' button, and add a new LDAP config linked to the domain you just created.

[[ceo]] handles the creation of CloudStack accounts, so create an API key + secret token and add it to /etc/csc/ceod.ini on biloba.

=== Templates ===
This deserves an entire page of its own - see [[CloudStack Templates]].

=== Kubernetes ===
This deserves an entire page of its own - see [[Kubernetes]].

== Upgrading CloudStack ==
Please be extremely careful if you decide to upgrade CloudStack. The last time I tried to perform an upgrade (from 4.15 to 4.16), the agents refused to connect to the management servers (or maybe it was the other way around?), and I ended up having to wipe the entire CloudStack installation clean and start again from scratch. Therefore it is fair to say that nobody has ever managed to successfully upgrade CloudStack on our machines. Do this at your own risk.

If you decide to perform an upgrade, then at the very least, you will need to backup the MariaDB databases ('cloud' and 'cloud_usage'), as well as the /etc/cloudstack and /var/lib/cloudstack folders on each of biloba, chamomile and ginkgo. Also, good luck.

== Siracha Crash Out Notes ==
If you ever find your self in the unfourtunate position of needing to recover from a drive failure. It's JOEVER BRO TRUST ME.

Anyways this is what I've learned from the pits of hell

# Our nginx config is funny, and it redirects 9987 → gunicorn → ceod instance running on server
## If the drive dies, ask someone with a backup for just a zip file, it's not possible to recover. Trust me
# you need to reload both nginx & cloudstack to get it running
# You need the crt to get it working (stored under `/etc/csc/k8s` (I think)
#

Service List

2025-06-14T18:34:02Z

S23adhik: /* CSC Cloud */

A list of services we run and when they've been last updated.

== Infrastructure ==
=== LDAP/Kerberos ===
''See'': [[LDAP]] and [[Kerberos]]

Member information storage and authentication backend.
* Location: ''auth1'' container on [[Machine List#xylitol|xylitol]]
* Last updated: Unknown, updated alongside debian 12

=== Keycloak ===
''See'': [[Keycloak]]

SSO provider.
* Location: somewhere on k8s
* Last updated: Unknown, before Spring 2022

=== Mail ===
''See'': [[Mail]]

Postfix/Dovecot mail server
* Location: ''mail'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last updated: Fall 2024
* Roundcube last updated: Spring 2025

=== mailman3 ===
''See'': [[Mailing Lists]]

Mailing list handler
* Location: ''mailman3'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last update: Fall 2024, to mailman 3.10

=== prometheus ===
''See'': [[Observability]]

Also hosts ClickHouse and vector
* Location: ''qemu-2-prometheus'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Unknown, updated alongside debian 12

=== NFS ===
Hosted on [[New NetApp]]
* Location: [[New NetApp]] on MC CSC rack
* Last update: 2017, pending "New New NetApp"

=== Ceph ===
''See'': [[Ceph]]

Storage backend for CSCloud.
* Location: 3 node cluster on riboflavin, ginkgo and biloba
* Last update: Unknown

== General services ==
=== Mirror ===
''See'': [[Mirror]]

Our flagship service.
* Location: [[Machine List#potassium-benzoate|potassium-benzoate]]
* Last update: Constantly by syscom

=== CSC Cloud ===
''See'': [[Main Page#CSC Cloud|CSC Cloud]]

Another flagship service.
* Location: 3 node cluster on chamomile, ginkgo and biloba
* Last update: Unknown

=== VaultWarden ===
''See'': [[Vaultwarden]]

Bitwarden-compatible password manager.
* Location: ''Where?''
* Last update: Winter 2025

=== BigBlueButton ===
''See'': [[BigBlueButton]]

Online conferencing.
* Location: ''bigbluebutton3'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last update: Winter 2025

=== Plane ===
''See'': [[Plane]]

JIRA but selfhosted.
* Location: ''Where?''
* Last update: Unknown

=== IRC webchat (The Lounge) ===
''See'': [[How to IRC#The Lounge]]

* Location: ''chat'' container on [[Machine List#xylitol|xylitol]]
* Last update: Unknown

=== Mattermost ===
''See'': [[MatterMost]]
* Location: ''mattermost'' container on [[Machine List#xylitol|xylitol]]
* Last update: Unknown

=== Nextcloud ===
''See'': [[Nextcloud]]

CSC's file and calendar server.
* Location: ''nextcloud'' container on [[Machine List#guayusa|guayusa]]
* Last update: Spring 2025

=== Git ===
''See'': [[Git Hosting]]

Gitea server for various CSC projects.
* Location: [[Machine List #caffeine|caffeine]]
* Last update: Spring 2025
* CI: Drone (deprecated), Gitea Act Runner (''gitea-act-runner'' nspawn container on [[Machine List#phosphoric-acid|phosphoric-acid]])

== Web infra ==
=== Member/Club Hosting ===
''See'': [[Web Hosting]] and [[Club Hosting]]

Apache and PHP. Your regular, old-school hosting service.
* Location: ''caffeine'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Winter 2025

=== MySQL/PostgreSQL ===
''See'': [[MySQL]] and [[PostgreSQL]]

Databases for hosting.
* Location: ''coffee'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Unknown, still on PostgreSQL 15

Kerberos

2025-06-14T05:59:57Z

S23adhik:

'''IF YOU ARE LOOKING FOR A PASSWORD RESET, PLEASE VISIT''' https://csclub.uwaterloo.ca/ceo/pwreset '''FOR A SELF-SERVICE PORTAL FOR PASSWORD RESETS! (If you experience any issues, please contact Syscom)'''

---

We use [http://web.mit.edu/Kerberos/ MIT Kerberos 5] for authentication. Our kerberos realm is CSCLUB.UWATERLOO.CA. This realm is CASE-SENSITIVE. KDCs run on [[Machine_List#auth1|auth1]] (kdc1) and [[Machine_List#auth2|auth2]] (kdc2).

[[File:kerberos.png|frame|Kerberos, the network authentication protocol]]

= ehashman's guide to MIT Kerberos v5 on Debian =

== Preparatory Reading ==

# [http://web.mit.edu/kerberos/dialogue.html Kerberos: A Dialogue in Four Scenes] ('''''definitely''''' read this)
# [http://www.roguelynn.com/words/explain-like-im-5-kerberos/ Explain Like I'm 5: Kerberos] (less entertaining than the stage play)
# [http://www.rjsystems.nl/en/2100-d6-kerberos-master.php A very practical configuration guide to Kerberos on Debian squeeze] (things don't change much in the Debian world)
# [http://web.mit.edu/kerberos/krb5-latest/doc/admin/index.html The official Kerberos documentation]

== Set up host records ==

<ul>
<li>We will need host records to correspond to our Kerberos admin server and key distribution center, <code>kadmin.wics.uwaterloo.ca</code> and <code>kdc1.wics.uwaterloo.ca</code>. These can just be A records pointing to our auth server (currently <code>129.97.134.212</code>).</li>
<li>We can also set up [http://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html special SRV records] as well. This is recommended but not necessary. They look like this:
<pre>_kerberos._udp.wics.uwaterloo.ca SRV 0 0 88 kdc1.wics.uwaterloo.ca
_kerberos-master._udp.wics.uwaterloo.ca SRV 0 0 88 kdc1.wics.uwaterloo.ca
_kpasswd._udp.wics.uwaterloo.ca SRV 0 0 464 kdc1.wics.uwaterloo.ca</pre>
You may have guessed that the third integer is the port the service runs on.</li></ul>

== Install packages ==

<ul>
<li>First, install some common system utils that may be missing from the fresh container:
<pre># apt-get install ssh ntpdate xinetd nmap</pre></li>
<li>Do NOT install ntp on the container. Install it on the host system instead. See [[ntp|NTP]] for info on NTP servers.</li>
<li>Next, install the Kerberos server:
<pre>apt-get install krb5-{admin-server,user}</pre></li>
<li>During the install process, <code>dpkg</code> will ask you for the following three values, specified below:
<pre>Default Kerberos version 5 realm: WICS.UWATERLOO.CA
Kerberos servers for your realm: kdc1.wics.uwaterloo.ca
Administrative server for your Kerberos realm: kadmin.wics.uwaterloo.ca</pre></li>
<li>You'll encounter this lovely error, from <code>xinetd</code>:
<pre>Note: xinetd currently is not fully supported by update-inetd.
Please consult /usr/share/doc/xinetd/README.Debian and itox(8).</pre>
To solve this, we create a file <code>/etc/xinetd.d/krb_prop</code> with the following contents:
<pre>service krb_prop
{
disable = no
socket_type = stream
protocol = tcp
user = root
wait = no
server = /usr/sbin/kpropd
}</pre>
And then restart <code>xinetd</code>:
<pre># service xinetd restart</pre></li>
<li>You'll also note that the <code>krb5-kdc</code> service failed to start. This is okay. > This is because the realm, EXAMPLE.COM, or rather the database file for it (<code>/var/lib/krb5kdc/principal</code>), has not yet been created. – http://www.rjsystems.nl/en/2100-d6-kerberos-master.php</li></ul>

== Configuring Kerberos ==

<ul>
<li>The first thing we'll configure is the access control list. Edit <code>/etc/krb5kdc/kadm5.acl</code> and enable/add the following line:
<pre>*/admin *</pre>
Our primary admin principal will be <code>sysadmin/admin@WICS.UWATERLOO.CA</code>, so there is no need to add a separate <code>admin</code> principal to the ACL.</li>
<li>Let's configure Kerberos client-side in [https://git.uwaterloo.ca/wics/documentation/blob/master/krb5.conf <code>/etc/krb5.conf</code>]. Consulting with the CSC's config, [[www.rjsystems.nl/en/2100-d6-kerberos-master.php#rcfg|our favoured setup guide]], and [http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html the Kerberos krb5.conf manual], we'll mostly select default settings. Notable additions include
<pre>[libdefaults]
allow_weak_crypto = false # default is currently false but hey

# If DNS breaks we don't want auth to fail
dns_lookup_kdc = false
dns_lookup_realm = false

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5.log</pre></li>
<li>We also want to ensure we're using good crypto for our Key Distribution Center, so let's set that up next in [https://git.uwaterloo.ca/wics/documentation/blob/master/kdc.conf <code>/etc/krb5kdc/kdc.conf</code>]:
<pre>[kdcdefaults]
kdc_ports = 750,88

[realms]
WICS.UWATERLOO.CA = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 12h 0m 0s
max_renewable_life = 1d 0h 0m 0s
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
default_principal_flags = +preauth
}</pre></li>
<li>We didn't choose to create a new krb5 log directory but we should set up logrotate. Create a file [https://git.uwaterloo.ca/wics/documentation/blob/master/logrotate.d.krb5 <code>/etc/logrotate.d/krb5</code>] with three of the following entries (one for each log file):
<pre>/var/log/FILENAME.log {
weekly
missingok
rotate 8
compress
delaycompress
notifempty
postrotate
/etc/init.d/SERVICENAME restart > /dev/null
endscript
}</pre></li>
<li>Make sure you also create those files so the service can write to them:
<pre># touch /var/log/{krb5,krb5kdc,kadmin}.log</pre></li></ul>

== Creating the Kerberos Realm ==

<ul>
<li>Now we're going to create the realm:
<pre># krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data</pre>
The script may pause at this point until there is sufficient available entropy to generate a key. Then it will prompt for a password. USE A LONG, RANDOM ONE. THIS PASSWORD IS VERY IMPORTANT.
<pre>Initializing database '/var/lib/krb5kdc/principal' for realm
'WICS.UWATERLOO.CA',
master key name 'K/M@WICS.UWATERLOO.CA'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.</pre></li>
<li>We'll now configure the default and maximum ticket life for the Kerberos Ticket Granting Ticket (<code>krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA</code>):
<pre># kadmin.local
Authenticating as principal root/admin@WICS.UWATERLOO.CA with password.
kadmin.local: getprinc krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
Principal: krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 12:00:00
Maximum renewable life: 1 day 00:00:00
Last modified: Thu Dec 03 03:59:04 UTC 2015 (db_creation@WICS.UWATERLOO.CA)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>
Let's set the max life to 4 hours and the renewable life to 10 hours, for extra security.
<pre>kadmin.local: modprinc -maxlife "4 hour" -maxrenewlife "10 hour" krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
Principal "krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA" modified.</pre></li></ul>

== Adding Principals ==

<ul>
<li>We need some root users in our system in order to bootstrap the rest, so let's create our sysadmin user, and give them our root password for authentication:
<pre># kadmin.local
Authenticating as principal root/admin@WICS.UWATERLOO.CA with password.
kadmin.local: addprinc sysadmin/admin
WARNING: no policy specified for sysadmin/admin@WICS.UWATERLOO.CA; defaulting to no policy
Enter password for principal "sysadmin/admin@WICS.UWATERLOO.CA":
Re-enter password for principal "sysadmin/admin@WICS.UWATERLOO.CA":
Principal "sysadmin/admin@WICS.UWATERLOO.CA" created.</pre></li>
<li>Now we need to add a principal and keytab for our KDC host. While <code>addprinc -randkey</code> does add a key, we need to use <code>ktadd</code> to ensure it's copied over to the client host (in this case, auth1).

('''keytab:''' a key table file containing one or more keys. A host or service uses a keytab file in much the same way as a user uses his/her password.)

<pre>$ kadmin -p sysadmin/admin
Authenticating as principal sysadmin/admin with password.
Password for sysadmin/admin@WICS.UWATERLOO.CA:
kadmin: addprinc -randkey host/auth1.wics.uwaterloo.ca
WARNING: no policy specified for
host/auth1.wics.uwaterloo.ca@WICS.UWATERLOO.CA; defaulting to no policy
Principal "host/auth1.wics.uwaterloo.ca@WICS.UWATERLOO.CA" created.
kadmin: ktadd host/auth1.wics.uwaterloo.ca
Entry for principal host/auth1.wics.uwaterloo.ca with kvno 2, encryption type
aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/auth1.wics.uwaterloo.ca with kvno 2, encryption type
aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.</pre></li>
<li>Now we can test that the KDC can grant principals tickets:
<pre>$ kinit sysadmin/admin
Password for sysadmin/admin@WICS.UWATERLOO.CA:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sysadmin/admin@WICS.UWATERLOO.CA
Valid starting Expires Service principal
12/03/2015 05:31:38 12/03/2015 09:31:38 krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
renew until 12/03/2015 15:31:38
$ kdestroy
$ klist
klist: Credentials cache file '/tmp/krb5cc_0' not found</pre></li>
<li>Next, we'll probably want to add principals for any users that we created in LDAP. We can do this in <code>weo</code> using the following command, and we can even test that principal after its creation:
<pre>$ python weo.py --add-krb-princ --username=ehashman
Okay, adding Kerberos principal ehashman@WICS.UWATERLOO.CA
Enter Kerberos admin password:
Enter password for principal ehashman@WICS.UWATERLOO.CA:
Retype password:
Adding Kerberos principal...
Principal ehashman@WICS.UWATERLOO.CA successfully added.
$ kinit ehashman
Password for ehashman@WICS.UWATERLOO.CA:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ehashman@WICS.UWATERLOO.CA
Valid starting Expires Service principal
15-12-03 17:36:22 15-12-03 21:36:22 krbtgt/WICS.UWATERLOO.CA@WICS.UWATERLOO.CA
renew until 15-12-04 03:36:22</pre></li>
<li>From now on, though, Kerberos principals will automatically be generated when we add new users! Like this:
<pre>$ python weo.py --adduser --username=fhboxwal --fullname="Fatema Boxwala"
Okay, adding user fhboxwal
Please enter the new user's password:
Retype password:
Enter LDAP admin password:
Enter Kerberos admin password:
Locking LDAP database...
Adding user...
Unlocked database.
Adding Kerberos principal...
User fhboxwal successfully added.</pre></li>
<li>Awesome! Now we're ready to configure Kerberos for clients.</li></ul>

== Setting Up Client Machines with SSSD ==

<ul>
<li>On your machine of choice, install the Kerberos client packages:
<pre># apt-get install krb5-user</pre></li>
<li>Now copy over your Kerberos config, [https://git.uwaterloo.ca/wics/documentation/blob/master/krb5.conf <code>krb5.conf</code>], into <code>/etc/krb5.conf</code>.</li>
<li>Next, set up a host keytab for the local machine:
<pre># kadmin -p sysadmin/admin
Authenticating as principal sysadmin/admin with password.
Password for sysadmin/admin@WICS.UWATERLOO.CA:
kadmin: addprinc -randkey host/mother-goose.wics.uwaterloo.ca
WARNING: no policy specified for host/mother-goose.wics.uwaterloo.ca@WICS.UWATERLOO.CA; defaulting to no policy
Principal "host/mother-goose.wics.uwaterloo.ca@WICS.UWATERLOO.CA" created.
kadmin: ktadd host/mother-goose.wics.uwaterloo.ca
Entry for principal host/mother-goose.wics.uwaterloo.ca with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/mother-goose.wics.uwaterloo.ca with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.</pre></li>
<li>In order to configure authentication, we'll use a package called SSSD. (It has 234823840 dependencies.) Install it and its utilities:
<pre># apt-get install sssd sssd-tools</pre></li>
<li>Next, copy over the following configs:</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/ldap.conf <code>/etc/ldap/ldap.conf</code>]</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/sssd.conf <code>/etc/sssd/sssd.conf</code>]</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/sshd_config <code>/etc/ssh/sshd_config</code>]</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/ssh_config <code>/etc/ssh/ssh_config</code>]</li>
<li>[https://git.uwaterloo.ca/wics/documentation/blob/master/hosts <code>/etc/hosts</code>] (because what the heck)</li>
<li>Restart <code>sssd</code> and <code>sshd</code>. The former can be very temperamental:
<pre># service ssh restart
# service sssd restart</pre></li>
<li>Test that this all worked by attempting to log in:
<pre># Just try logging in
$ ssh me@machine.wics.uwaterloo.ca

# Try logging in using Kerberos
$ kinit me
$ ssh -o GSSAPIAuthentication=yes me@machine.wics.uwaterloo.ca

# Test that sudo is working
machine:~$ sudo -i</pre></li></ul>

== Tools for Debugging SSSD ==

<ul>
<li>It turns out <code>sssd</code> is not the greatest at telling us things. If it starts breaking, stop it and start it in the foreground in debugging mode:
<pre># service sssd stop
# sssd -d 5 -i</pre></li>
<li>Some problems with <code>sssd</code> may be cache-related, and restarting it does not clear the cache. If you need to invalidate the cache, run
<pre>sss_cache -E</pre></li></ul>
and then reboot (or restart sssd).

= Password Resets =
To change your own password you can run passwd on any of the club's machines.

== Changing other user's passwords (new) ==
The [[ceo]] utility now has the ability to reset members' passwords, and it also takes care of expiring it. Usage:
<pre>
ceo members pwreset <username>
</pre>

== Changing other users' passwords (old) ==
* <pre>ssh auth1</pre>
* <pre>sudo kadmin.local</pre>
* <pre>cpw username</pre>
* Enter new password and confirm
* <pre>modify_principal +needchange username</pre>

[[Category:Software]]

[http://web.archive.org/web/20120202205851/http://cryptnet.net/mirrors/docs/krb5api.html API Documentation.] While not even close to enough to let you do most things that you'd want to do with Kerberos (and also being somewhat woefully out-of-date, considering it's from 1996), it's at least a start.

= Expiring Passwords =

If you are on syscom, you can force a user to change their password by doing this:
* <pre>ssh auth1</pre>
* <pre>sudo kadmin.local</pre>
* <pre>modify_principal +needchange [username]</pre>

= Suspending an Account =

If you are on syscom, you can prevent a user from logging with a Kerberos ticket by doing this:
* ssh auth1
* sudo kadmin.local
* modify_principal -allow_tix [username]
If you are seriously locking out an account, you may want to do some other things as well, including but not limited to changing the user's password (prevents password login) and changing the ownership and permissions on .ssh/authorized_keys* (prevents SSH key login). Don't do these things without a strong reason (but know how to do them when the time comes).

= Siracha's Lessons in Hell =
I died to write these, do not take the lessons on this page lightly. We cried figuring out these things

=== Connecting to auth1 ===
Get the leader's PID<syntaxhighlight lang="bash">
machinectl status auth1 | grep Leader
</syntaxhighlight>Connect to the Process using result in last command<syntaxhighlight lang="bash">
nsenter -a -t <Leader PID>
</syntaxhighlight>

= bofh's Kerberos5 cheat sheet, or "what does *that* error message mean, exactly?" =

* If GSSAPI complains about "Wrong Principal in Request", make sure there's no clockskew on the machine trying to get the service ticket and the machine running the service that you are trying to get a GSS token to. This will cause this error for some insane reason, despite there being ANOTHER message for clockskew that specifically says "your clocks are off" - it just never seems to be used in the source code anywhere (as of MIT-KRB5 1.9, at least).
* There are some "generic" errors that are hard to debug. A few possible causes: unreadable krb5.keytab, reverse resolution of a host does not match its principal.

= Replication =

auth1 replicates to auth2 using kpropd. This requires additional setup that needs to be documented here.

Occasionally, the replication results in "ulog_replay failed (Cannot allocate memory), updates not registered". To correct this, run `kproplog -R` on auth1 and start the `kpropd` server again.

= raymo's guide to keytabs =

Adapted from https://stackoverflow.com/a/55826172/9206488 and https://sfu.teamdynamix.com/TDClient/255/ITServices/KB/ArticleDet?ID=3932

You can follow this guide to never need to <code>kinit</code> or enter your password for CEO again. Note that all caps is needed for the Kerberos realm, and replace <code><user></code> with your CSC username.

ktutil
addent -password -p <user>@CSCLUB.UWATERLOO.CA -k 1 -e aes256-cts-hmac-sha1-96
# enter password at the prompt
wkt <user>.keytab
quit

Then move your keytab to a secure directory:

mkdir -m700 ~/keytabs
mv ~/$USER.keytab ~/keytabs/
chmod 600 ~/keytabs/$USER.keytab

Finally, add this line to the TOP of your <code>bashrc</code> (or before any command to disable it for non-interactive shells, unless you don't want <code>kinit</code> to be triggered when running remote commands:

kinit -kt ~/keytabs/$USER.keytab $USER@CSCLUB.UWATERLOO.CA

Alternatively, use k5start so that your tickets automatically get renewed in the background:

KEYTAB_FILE=~/keytabs/$USER.keytab
if command -v k5start >/dev/null && ! pgrep -u $USER k5start >/dev/null && [ -f $KEYTAB_FILE ]; then
k5start -K 60 -H 70 -b -f $KEYTAB_FILE
fi
unset KEYTAB_FILE

Tada! Now you'll automatically get a kerberos ticket on SSH/shell. You can test this by running

ssh hfcs@csclub.uwaterloo.ca klist

You should see a valid ticket from a second or two ago.

Ceo

2025-06-12T00:54:54Z

S23adhik:

Ceo

2025-06-11T23:09:07Z

S23adhik:

[[Image:Pyceo.png|thumb|300px|right|<tt>pyceo</tt>'s main menu screen]]

ceo is the CSC member creation and administration interface. It was originally written in perl by persons of mysterious-ness, was re-written in python by Michael Spang in early 2007, and re-written again (in Python) by Syscom in 2020-2021. The source-code for ceo can be found in git: [https://git.csclub.uwaterloo.ca/public/pyceo https://git.csclub.uwaterloo.ca/public/pyceo].

= Instructions/Usage =
ceo can be accessed by running the "ceo" command from a terminal, or terminal emulator.
By default, a curses-based menu interface is presented. Use the arrow keys to navigate;
on many screens, pressing a letter will select the next menu item beginning with that letter.

=== Command-line Mode ===
Run <tt>ceo --help</tt> to see a list of command-line utilities.

== Adding a New Member ==
After a new member has paid the membership fee and signed the Machine Usage Policy forms, a new member account is added to the CSC system by selecting "New Member" in ceo and following the on-screen instructions. The new member's username is to be identical to their WatIAM username, if applicable. For WatIAM users, the name and program fields will automatically be filled after a username is provided.

== Renewing/Extending a Membership ==
A membership can be renewed or extended by selecting "Renew Membership" in the ceo interface.

== Hosted Clubs ==
Clubs are hosted free of charge. To create a new club account use the "New Club" option in the ceo interface.

=== Club Representatives ===
At this time, there is no limit to the number of representatives a club may have, but representative accounts must be registered with the "New Club Rep" option, and renewed with the "Renew Club Rep" option.

=== Other Club Features ===
For access to features beyond basic hosting (ie, databases), one of the club representatives will need to email the Systems Committee to have this set up.

= raymo's guide on how to fix things after screwing up =

== Changing a member to a nonmember (club rep) and vice-versa ==

ssh hfcs
kinit # if you don't already have [[Kerberos#raymo's guide to keytabs|keytabs]] set up
ldapvi -Y GSSAPI
Use <code>/<username></code> to search for the user in vi and change <code>term</code> to <code>nonMemberTerm</code> (or vice-versa) for the relevant terms. When you're done deleting the file should no longer contain the username. Save and quit (<code>:wq</code>) and press <code>y</code> when prompted.

== Deleting a member ==

* '''RULE: Never do this without good reason. We should NEVER delete accounts or groups that have been used before.'''

If you accidentally created a club rep as a regular member instead, see the [previous section|Ceo#Changing a member to a nonmember (club rep) and vice-versa]. For another reason that doesn't break the '''RULE''' above, first follow the steps in the change membership section above, up to and including <code>ldapvi</code>, then delete both the user and group LDAP records. These are separated by blank lines. When you're done deleting the file should no longer contain the username. Save and quit as if changing membership. Then:
ssh auth1
sudo kadmin.local
delprinc <username>
ssh phosphoric acid
sudo rm -rfI /users/<username>
Unsubscribe the user from [https://mailman.csclub.uwaterloo.ca/postorius/lists/syscom.csclub.uwaterloo.ca/members/member/ csc-general on mailman]

= Feature Requests and Ideas =

* Create a graphical and/or online version of ceo
* Add new members to fuse and plugdev groups

= Contributing to CEO =

== Preliminary Steps ==
=== Generate a GPG Key ===
In order to sign the ceo packages you will need to generate yourself a GPG key if you do not already have one. Assuming you do not run

gpg --gen-key

Choose option (2) DSA (sign only). Choose no expiration when prompted and then your full name and email when asked. It will ask you to confirm the information and then for a passphrase.

=== Add Your Key To Mirror ===
ssh mirror.csclub.uwaterloo.ca
gpg --list-keys

Locate the 8-character id string. For example "16E37635" in
/users/m2ellis/.gnupg/pubring.gpg
---------------------------------
pub 1024D/'''16E37635''' 2010-08-19
uid Michael Ellis <m2ellis@csclub.uwaterloo.ca>

Now you must add this id into the file /srv/debian/conf/uploaders on mirror
sudo vim /srv/debian/conf/uploaders

Now in another terminal run
gpg --export --armor $KEYID

Now on mirror run
sudo -s
GNUPGHOME=/srv/debian/gpg gpg --import

Then paste the output from gpg --export --armor $KEYID and end with CTRL-D. It should give you a confirmation, example
gpg: key 16E37635: public key "Michael Ellis <m2ellis@csclub.uwaterloo.ca>" imported
gpg: Total number processed: 1
gpg: imported: 1

== Making Changes ==
The source-code for ceo can be found in git: [http://git.csclub.uwaterloo.ca/?p=public/pyceo.git;a=summary csclub:/users/git/public/pyceo.git]. To checkout the code run

git clone ~git/public/pyceo.git

When you are done making your change you need to update the changelog with dch. Assuming this is a minor incremental change run

dch -i

Add a description of your change and then save and quit. Once you are sure of your changes commit them to the git repository and push them (test them first!).

Make sure to set a distribution, like distribution UNRELEASED is NOT allowed. So change it to whatever distribution you're deploying to in the <code>debian/changelog</code> file

Then you'll need to make a tar.gz file<syntaxhighlight lang="bash">
tar czf ceo_1.0.31.orig.tar.gz pyceo/
</syntaxhighlight>To build the package run debuild

debuild

This will generate the *.deb files in the parent directory.

=== Uploading Changes to Mirror ===
After you make the package, you'll need to sign it, this can be via debsign. (You can find the .changes file in the parent directory)<syntaxhighlight lang="bash">
debsign -k[GPG Key ID] [package].changes

</syntaxhighlight>

In the directory containing the *.deb and *.changes files run

'''This needs to be done on high-fructose-corn-syrup because of the dupload configs'''
dupload

Then ssh to mirror and run
sudo rrr-incoming

The package should now be uploaded and you can update in the usual way with apt-get/aptitude.

[[Category:Software]]

Ceo

2025-06-11T22:33:01Z

S23adhik:

[[Image:Pyceo.png|thumb|300px|right|<tt>pyceo</tt>'s main menu screen]]

ceo is the CSC member creation and administration interface. It was originally written in perl by persons of mysterious-ness, was re-written in python by Michael Spang in early 2007, and re-written again (in Python) by Syscom in 2020-2021. The source-code for ceo can be found in git: [https://git.csclub.uwaterloo.ca/public/pyceo https://git.csclub.uwaterloo.ca/public/pyceo].

= Instructions/Usage =
ceo can be accessed by running the "ceo" command from a terminal, or terminal emulator.
By default, a curses-based menu interface is presented. Use the arrow keys to navigate;
on many screens, pressing a letter will select the next menu item beginning with that letter.

=== Command-line Mode ===
Run <tt>ceo --help</tt> to see a list of command-line utilities.

== Adding a New Member ==
After a new member has paid the membership fee and signed the Machine Usage Policy forms, a new member account is added to the CSC system by selecting "New Member" in ceo and following the on-screen instructions. The new member's username is to be identical to their WatIAM username, if applicable. For WatIAM users, the name and program fields will automatically be filled after a username is provided.

== Renewing/Extending a Membership ==
A membership can be renewed or extended by selecting "Renew Membership" in the ceo interface.

== Hosted Clubs ==
Clubs are hosted free of charge. To create a new club account use the "New Club" option in the ceo interface.

=== Club Representatives ===
At this time, there is no limit to the number of representatives a club may have, but representative accounts must be registered with the "New Club Rep" option, and renewed with the "Renew Club Rep" option.

=== Other Club Features ===
For access to features beyond basic hosting (ie, databases), one of the club representatives will need to email the Systems Committee to have this set up.

= raymo's guide on how to fix things after screwing up =

== Changing a member to a nonmember (club rep) and vice-versa ==

ssh hfcs
kinit # if you don't already have [[Kerberos#raymo's guide to keytabs|keytabs]] set up
ldapvi -Y GSSAPI
Use <code>/<username></code> to search for the user in vi and change <code>term</code> to <code>nonMemberTerm</code> (or vice-versa) for the relevant terms. When you're done deleting the file should no longer contain the username. Save and quit (<code>:wq</code>) and press <code>y</code> when prompted.

== Deleting a member ==

* '''RULE: Never do this without good reason. We should NEVER delete accounts or groups that have been used before.'''

If you accidentally created a club rep as a regular member instead, see the [previous section|Ceo#Changing a member to a nonmember (club rep) and vice-versa]. For another reason that doesn't break the '''RULE''' above, first follow the steps in the change membership section above, up to and including <code>ldapvi</code>, then delete both the user and group LDAP records. These are separated by blank lines. When you're done deleting the file should no longer contain the username. Save and quit as if changing membership. Then:
ssh auth1
sudo kadmin.local
delprinc <username>
ssh phosphoric acid
sudo rm -rfI /users/<username>
Unsubscribe the user from [https://mailman.csclub.uwaterloo.ca/postorius/lists/syscom.csclub.uwaterloo.ca/members/member/ csc-general on mailman]

= Feature Requests and Ideas =

* Create a graphical and/or online version of ceo
* Add new members to fuse and plugdev groups

= Contributing to CEO =

== Preliminary Steps ==
=== Generate a GPG Key ===
In order to sign the ceo packages you will need to generate yourself a GPG key if you do not already have one. Assuming you do not run

gpg --gen-key

Choose option (2) DSA (sign only). Choose no expiration when prompted and then your full name and email when asked. It will ask you to confirm the information and then for a passphrase.

=== Add Your Key To Mirror ===
ssh mirror.csclub.uwaterloo.ca
gpg --list-keys

Locate the 8-character id string. For example "16E37635" in
/users/m2ellis/.gnupg/pubring.gpg
---------------------------------
pub 1024D/'''16E37635''' 2010-08-19
uid Michael Ellis <m2ellis@csclub.uwaterloo.ca>

Now you must add this id into the file /srv/debian/conf/uploaders on mirror
sudo vim /srv/debian/conf/uploaders

Now in another terminal run
gpg --export --armor $KEYID

Now on mirror run
sudo -s
GNUPGHOME=/srv/debian/gpg gpg --import

Then paste the output from gpg --export --armor $KEYID and end with CTRL-D. It should give you a confirmation, example
gpg: key 16E37635: public key "Michael Ellis <m2ellis@csclub.uwaterloo.ca>" imported
gpg: Total number processed: 1
gpg: imported: 1

== Making Changes ==
The source-code for ceo can be found in git: [http://git.csclub.uwaterloo.ca/?p=public/pyceo.git;a=summary csclub:/users/git/public/pyceo.git]. To checkout the code run

git clone ~git/public/pyceo.git

When you are done making your change you need to update the changelog with dch. Assuming this is a minor incremental change run

dch -i

Add a description of your change and then save and quit. Once you are sure of your changes commit them to the git repository and push them (test them first!).

Make sure to set a distribution, like distribution UNRELEASED is NOT allowed. So change it to whatever distribution you're deploying to in the <code>debian/changelog</code> file

Then you'll need to make a tar.gz file<syntaxhighlight lang="bash">
tar czf ceo_1.0.31.orig.tar.gz pyceo/
</syntaxhighlight>To build the package run debuild

debuild

This will generate the *.deb files in the parent directory.

=== Uploading Changes to Mirror ===
After you make the package, you'll need to sign it, this can be via debsign. (You can find the .changes file in the parent directory)<syntaxhighlight lang="bash">
debsign -k[GPG Key ID] [package].changes

</syntaxhighlight>

In the directory containing the *.deb and *.changes files run
dupload

Then ssh to mirror and run
sudo rrr-incoming

The package should now be uploaded and you can update in the usual way with apt-get/aptitude.

[[Category:Software]]

Ceo

2025-06-11T22:20:22Z

S23adhik: Adding some info abt how to

[[Image:Pyceo.png|thumb|300px|right|<tt>pyceo</tt>'s main menu screen]]

ceo is the CSC member creation and administration interface. It was originally written in perl by persons of mysterious-ness, was re-written in python by Michael Spang in early 2007, and re-written again (in Python) by Syscom in 2020-2021. The source-code for ceo can be found in git: [https://git.csclub.uwaterloo.ca/public/pyceo https://git.csclub.uwaterloo.ca/public/pyceo].

= Instructions/Usage =
ceo can be accessed by running the "ceo" command from a terminal, or terminal emulator.
By default, a curses-based menu interface is presented. Use the arrow keys to navigate;
on many screens, pressing a letter will select the next menu item beginning with that letter.

=== Command-line Mode ===
Run <tt>ceo --help</tt> to see a list of command-line utilities.

== Adding a New Member ==
After a new member has paid the membership fee and signed the Machine Usage Policy forms, a new member account is added to the CSC system by selecting "New Member" in ceo and following the on-screen instructions. The new member's username is to be identical to their WatIAM username, if applicable. For WatIAM users, the name and program fields will automatically be filled after a username is provided.

== Renewing/Extending a Membership ==
A membership can be renewed or extended by selecting "Renew Membership" in the ceo interface.

== Hosted Clubs ==
Clubs are hosted free of charge. To create a new club account use the "New Club" option in the ceo interface.

=== Club Representatives ===
At this time, there is no limit to the number of representatives a club may have, but representative accounts must be registered with the "New Club Rep" option, and renewed with the "Renew Club Rep" option.

=== Other Club Features ===
For access to features beyond basic hosting (ie, databases), one of the club representatives will need to email the Systems Committee to have this set up.

= raymo's guide on how to fix things after screwing up =

== Changing a member to a nonmember (club rep) and vice-versa ==

ssh hfcs
kinit # if you don't already have [[Kerberos#raymo's guide to keytabs|keytabs]] set up
ldapvi -Y GSSAPI
Use <code>/<username></code> to search for the user in vi and change <code>term</code> to <code>nonMemberTerm</code> (or vice-versa) for the relevant terms. When you're done deleting the file should no longer contain the username. Save and quit (<code>:wq</code>) and press <code>y</code> when prompted.

== Deleting a member ==

* '''RULE: Never do this without good reason. We should NEVER delete accounts or groups that have been used before.'''

If you accidentally created a club rep as a regular member instead, see the [previous section|Ceo#Changing a member to a nonmember (club rep) and vice-versa]. For another reason that doesn't break the '''RULE''' above, first follow the steps in the change membership section above, up to and including <code>ldapvi</code>, then delete both the user and group LDAP records. These are separated by blank lines. When you're done deleting the file should no longer contain the username. Save and quit as if changing membership. Then:
ssh auth1
sudo kadmin.local
delprinc <username>
ssh phosphoric acid
sudo rm -rfI /users/<username>
Unsubscribe the user from [https://mailman.csclub.uwaterloo.ca/postorius/lists/syscom.csclub.uwaterloo.ca/members/member/ csc-general on mailman]

= Feature Requests and Ideas =

* Create a graphical and/or online version of ceo
* Add new members to fuse and plugdev groups

= Contributing to CEO =

== Preliminary Steps ==
=== Generate a GPG Key ===
In order to sign the ceo packages you will need to generate yourself a GPG key if you do not already have one. Assuming you do not run

gpg --gen-key

Choose option (2) DSA (sign only). Choose no expiration when prompted and then your full name and email when asked. It will ask you to confirm the information and then for a passphrase.

=== Add Your Key To Mirror ===
ssh mirror.csclub.uwaterloo.ca
gpg --list-keys

Locate the 8-character id string. For example "16E37635" in
/users/m2ellis/.gnupg/pubring.gpg
---------------------------------
pub 1024D/'''16E37635''' 2010-08-19
uid Michael Ellis <m2ellis@csclub.uwaterloo.ca>

Now you must add this id into the file /srv/debian/conf/uploaders on mirror
sudo vim /srv/debian/conf/uploaders

Now in another terminal run
gpg --export --armor $KEYID

Now on mirror run
sudo -s
GNUPGHOME=/srv/debian/gpg gpg --import

Then paste the output from gpg --export --armor $KEYID and end with CTRL-D. It should give you a confirmation, example
gpg: key 16E37635: public key "Michael Ellis <m2ellis@csclub.uwaterloo.ca>" imported
gpg: Total number processed: 1
gpg: imported: 1

== Making Changes ==
The source-code for ceo can be found in git: [http://git.csclub.uwaterloo.ca/?p=public/pyceo.git;a=summary csclub:/users/git/public/pyceo.git]. To checkout the code run

git clone ~git/public/pyceo.git

When you are done making your change you need to update the changelog with dch. Assuming this is a minor incremental change run

dch -i

Add a description of your change and then save and quit. Once you are sure of your changes commit them to the git repository and push them (test them first!). To build the package run debuild

debuild

This will generate the *.deb files in the parent directory.

=== Siracha's Notes ===
Make sure to set a distribution, like distribution UNRELEASED is NOT allowed. So change it to whatever distribution you're deploying to in the <code>debian/changelog</code> file

After you make the package, you'll need to sign it, this can be via debsign. (You can find the .changes file in the parent directory)<syntaxhighlight lang="bash">
debsign -k[GPG Key ID] [package].changes

</syntaxhighlight>

=== Uploading Changes to Mirror ===

In the directory containing the *.deb and *.changes files run
dupload

Then ssh to mirror and run
sudo rrr-incoming

The package should now be uploaded and you can update in the usual way with apt-get/aptitude.

[[Category:Software]]

Meeting:Meetings

2025-05-31T18:25:25Z

S23adhik: /* Termcom/Syscom Meetings */

==Minutes of Meetings (Executive)==
* [[Tuesday 16 September 2008]]

==General Meetings==

* [[Meetings/2025-01-13|Monday 13 January 2025]]
* [[Meetings/2024-01-11|Thursday 11 January 2024]]
* [[Tuesday 12 September 2023]]
* [[Wednesday 11 May 2023]]
* [[Meetings/2023-01-12|Thursday 12 January 2023]]
* [[Meetings/2022-09-12|Monday 12 September 2022]]
* [[Meetings/2022-05-05|Thursday 5 May 2022]]
* [[Thursday 2 October 2008]]
* [[Friday 19 October 2007]]

==Weekly All-Hands Meetings==
* [[Monday 5 December 2022]]
* [[Monday 28 November 2022]]
* [[Monday 21 November 2022]]
* [[Monday 14 November 2022]]
* [[Monday 7 November 2022]]
* [[Monday 31 October 2022]]
* [[Monday 24 October 2022]]
* [[Monday 17 October 2022]]
* [[Monday 3 October 2022]]
* [[Sunday 21 March 2021]]
* [[Sunday 14 March 2021]]
* [[Sunday 7 March 2021]]
* [[Sunday 28 February 2021]]

== Termcom/Syscom Meetings ==
* [[09 Mar 2025 Termcom Meeting]]
* [[Saturday 29 July 2023 Termcom Meeting]]
* [[Saturday 24 June 2023 Termcom Meeting]]
* [[Saturday 10 June 2023 Termcom Meeting]]
* [[Saturday 27 May 2023 Termcom Meeting]]
* [[Saturday 13 May 2023 Termcom Meeting]]
* [[Saturday 25 March 2023 Termcom Meeting]]
* [[Saturday 11 February 2023]]
* [[Saturday 31 May 2024 Termcom Meeting]]

== Source ==

* '''CSC All-hands Meeting Notes - Fall 2022''': https://docs.google.com/document/d/1Tl_E5nM3bguw9if9O2Woc4jNmeZxG7QVel5fzHdZgfQ/edit#

[[Category:Meetings]]

Machine List

2025-05-20T05:34:36Z

S23adhik: /* biloba */

Most of our machines are in the E7, F7, G7 and H7 racks (as of Jan. 2022) in the MC 3015 server room. There is an additional rack in the DC 3558 machine room on the third floor. Our office terminals are in the CSC office, in MC 3036/3037.

= Web Server =
You are highly encouraged to avoid running anything that's not directly related to your CSC webspace on our web server. We have plenty of general-use machines; please use those instead. You can even edit web pages from any other machine--usually the only reason you'd *need* to be on caffeine is for database access.

== ''caffeine'' ==

Caffeine is the Computer Science Club's web server. It serves websites, databases for websites, and a large amount of other services.

''(Redundant active backup coming soon...)''

==== Specs ====

* LXC virtual machine hosted on [[Machine List#phosphoric-acid|phosphoric-acid]]
** 12 vCPUs
** 32GB of RAM

==== Services ====

* Club and member web sites with [https://www.apache.org/ Apache]
* [[MySQL]] databases
* [[PostgreSQL]] databases
* [[ceo]] daemon

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

= General-Use Servers =

These machines can be used for (nearly) anything you like (though be polite and remember that these are shared machines). Recall that when you signed the Machine Usage Agreement, you promised not to use these machines to generate profit (so no cryptocurrency mining).

For computationally-intensive jobs (CPU/memory bound) we recommend running on high-fructose-corn-syrup, carbonated-water, sorbitol, mannitol, or corn-syrup, listed in roughly decreasing order of available resources. For low-intensity interactive jobs, such as IRC clients, we recommend running on neotame. '''If you have a long-running computationally intensive job, it's good to nice[https://en.wikipedia.org/wiki/Nice_(Unix)] your process, and possibly let syscom know too.'''

== ''corn-syrup'' ==

Dell PowerEdge 2950

==== Specs ====

* 2 × Intel Xeon E5405 (2.00 GHz, 4 cores each)
* 32 GB RAM
* eth0 ("Gb0") mac addr 00:24:e8:52:41:27
* eth1 ("Gb1") mac addr 00:24:e8:52:41:29
* IPMI mac addr 00:24:e8:52:41:2b
* 3 × Western-Digital 160GB SATA hard drive (445 GB software RAID0 array)

==== Notes ====

* Use eth0/Gb0 for the mathstudentorgsnet connection

==== Services ====

* Hosts 1 TB <tt>[[scratch|/scratch]]</tt> and exports via NFS (sec=krb5)

== ''high-fructose-corn-syrup'' ==

High-fructose-corn-syrup (or hfcs) is a large SuperMicro server. It's been in CSC service since April 2012.

==== Specs ====

* 4x AMD Opteron 6272 (2.4 GHz, 16 cores each)
* 192 GB RAM
* Supermicro H8QGi+-F Motherboard Quad 1944-pin Socket [http://csclub.uwaterloo.ca/misc/manuals/motherboard-H8QGI+-F.pdf (Manual)]
* 500 GB Seagate Barracuda
* Supermicro Case Rackmount CSE-748TQ-R1400B 4U [http://csclub.uwaterloo.ca/misc/manuals/SC748.pdf (Manual)]
'''Notes'''

* Missing moba IO shield (as of January 2024)

== ''carbonated-water'' ==

carbonated-water is a Dell R815 provided by CSCF.

==== Specs ====

* 4x AMD Opteron 6176 processors (2.3 GHz, 12 cores each)
* 128GB RAM

== ''neotame'' ==

neotame is a SuperMicro server funded by MEF. It is the successor to taurine.

'''We strongly discourage running computationally-intensive jobs''' on neotame as many users run interactive applications such as IRC clients on it and any significant service degradation will be more likely to affect other users (who will probably notice right away).

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
'''Notes'''
* SSH server also listens on ports 21, 22, 53, 80, 81, 443, 8000, 8080 for your convenience.

== ''sorbitol'' ==

sorbitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
== ''mannitol'' ==

mannitol is a SuperMicro server funded by MEF. CUDA is available on this node.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
* NVIDIA GeForce RTX 3050 6G

= Office Terminals =

It's possible to SSH into these machines, but we discourage you from trying to use these machines when you're not sitting in front of them. They are bounced at least every time our login manager, lightdm, throws a tantrum (which is several times a day). These are for use inside our physical office.

== ''cyanide'' ==
cyanide is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)], identical in specification to powernap

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

== ''suika'' ==

Suika is an office terminal built from various components donated by our members.

==== Specs ====

* AMD Ryzen 7 2700X
* 2x 8GB DDR4
* 1x Samsung 256GB SSD
* AMD Radeon RX 550 4GB

==''powernap''==
powernap is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)].

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

=== Speaker ===
powernap has the office speakers (a pair of nice studio monitors) currently connected to it.

=== Services ===
* MPD for playing music. Only office/termcom/syscom can log into powernap. Use `ncmpcpp` to control MPD.
** TODO: this is not the case anymore
* Bluetooth audio receiver. Only syscom can control bluetooth pairing. Use `bluetoothctl` to control bluetooth.

Music is located in `/music` on the office terminals.

= Progcom Only =
The Programme Committee has access to a VM on corn-syrup called 'progcom'. They have sudo rights in this VM so they may install and run their own software inside it. This VM should only be accessible by members of progcom or syscom.

The CI/CD stuff for the csclub.uwaterloo.ca runs on this vm (drone).

= Codey Bot Only =
Ran on CSC Cloud in a separate Cloudstack project. codey-staging, codey-dev, codey-prod.

TODO: migrating from cloudstack

= Syscom Only =

The following systems are only be accessible to members of the [[Systems Committee]] for a variety of reasons; the most common of which being that some of these machines host [[Kerberos]] authentication services for the CSC.

==''xylitol''==

xylitol is a Dell PowerEdge R815 donated by CSCF. It is primarily a container host for services previously hosted on aspartame and dextrose, including munin, rt, mathnews, auth1, and dns1. It was provisioned with the intent to replace both of those hosts.

==== Specs ====

* Dual AMD Opteron 6176 (2.3 GHz, 48 cores total)
* 128GB RAM
* 500GB volume group on RAID1 SSD (xylitol-mirrored)
* 500ish-GB volume group on RAID10 HDD (xylitol-raidten)

==''auth1''==

Container on [[#xylitol|xylitol]].

==== Services ====

*[[LDAP]] primary
*[[Kerberos]] primary

==''chat''==

Container on [[#xylitol|xylitol]].

==== Services ====

* The Lounge web IRC client (https://chat.csclub.uwaterloo.ca)

==''phosphoric-acid''==

phosphoric-acid is a Dell PowerEdge R815 donated by CSCF and is a clone of xylitol. It may be used to provide redundant cloud services in the future.

==== Specs ====

* (clone of Xylitol)
* 4x 2TB Kingston KC3000 (ZFS Z2 [Sustain 2-failures]) (KIN-SKC3000D2048G)
** Mounted on 2x Startech Dual M.2 PCIE SSD Adapter Cards (STA-PEX8M2E2)

==== Services ====

*[[#caffeine|caffeine]]
*[[#coffee|coffee]]
*prometheus

==''coffee''==

Virtual machine running on phosphoric-acid.

==== Services ====

*[[Database#MySQL|MySQL]]
*[[Database#Postgres|Postgres]]

==''cobalamin''==

Dell PowerEdge 2950 donated to us by FEDS. Located in the Science machine room on the first floor of Physics, on Science Computing Rack 2. NICs are plugged into A1 and A2 on the adjacent rack. Acts as a backup server for many things.

TODO: should replace with another Syscom server when Science Computing clears out the rack (ETA before 09/2024)

==== Specs ====

* 1 × Intel Xeon E5420 (2.50 GHz, 4 cores)
* 16GB RAM
* Broadcom NetworkXtreme II
* 2x73GB Hard Drives, hardware RAID1
** Soon to be 2x1TB in MegaRAID1
*http://www.dell.com/support/home/ca/en/cabsdt1/product-support/servicetag/51TYRG1/configuration

==== Services ====

* Containers: [[#auth2|auth2]] (kerberos)

==== Notes ====

* '''TODO: Mega unreliable.''' (Goes down once every few weeks... due to power outages in the PHYS server room)
** It is plugged into a UPS but the UPS has dead batteries.
* The network card requires non-free drivers. Be sure to use an installation disc with non-free.

* We have separate IP ranges for cobalamin and its containers because the machine is located in a different building. They are:
** VLAN ID 506 (csc-data1): 129.97.18.16/29; gateway 129.97.18.17; mask 255.255.255.240
** VLAN ID 504 (csc-ipmi): 172.19.5.24/29; gateway 172.19.5.25; mask 255.255.255.248
* Physical access to the PHYS server rooms can be acquired by visiting Science Computing in PHYS 2006.

==''auth2''==

Container on [[#cobalamin|cobalamin]].

==== Services ====

*[[LDAP]] secondary
*[[Kerberos]] secondary

MAC Address: c2:c0:00:00:00:a2

==''mail''==

mail is the CSC's mail server. It hosts mail delivery, imap(s), smtp(s), and mailman. It is also syscom-only. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

TODO: "HA"-ish configuration

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[[Mail]] services
* mailman (web interface at [http://mailman.csclub.uwaterloo.ca/])
*[[Webmail]]
*[[ceo]] daemon

==''sodium-benzoate''==

Sodium-benzoate is our previous mirror server, funded by MEF.

It is currently sitting in the office pending repurposing. Will likely become a machine for backups in DC.

==== Specs ====

* Intel Xeon Quad Core E5405 @ 2.00 GHz
* 16GB RAM
* vg0: 228 GB block device behind DELL PERC 6/i (contains root partition)

Space disks are currently in the office underneath maltodextrin.

TODO: gone??

==''potassium-benzoate''==

potassium-benzoate is our mirror server, funded by MEF.

==== Specs ====

* 36 drive Supermicro chassis (SSG-6048R-E1CR36L)
* 2 x Intel Xeon E5-2695 v4 (18 cores, 2.10GHz)
* 64 GB (4 x 16GB) of DDR4 (2133Mhz) ECC RDIMM RAM
* 2 x 1 TB Samsung Evo 850 SSD drives
* 17 x 4 TB Western Digital Gold drives (separate funding from MEF)
* 9 x 18TB Seagate Exos X18 (8 ZFS, Z2,1 hot-spare)
* 10 Gbps SFP+ card (loaned from CSCF)
* 50 Gbps Mellanox QSFP card (from ginkgo; currently unconnected)

Spec before 2025-03-27:
* 1 x Intel Xeon E5-2630 v3 (8 cores, 2.40 GHz)

==== Network Connections ====

potassium-benzoate has two connections to our network:

* 1 Gbps to our switch (used for management)
* 2 x 10 Gbps (LACP bond) to mc-rt-3015-mso-a (for mirror)

Mirror's bandwidth is limited to 1 Gbps on each of the 4 campus internet links. Mirror's bandwidth is not limited on campus.

==== Services ====

*[[Mirror]]
*[[Talks]] mirror
*[[Debian_Repository|CSClub packages repository]]

==''munin''==

munin is a syscom-only monitoring and accounting machine. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[http://munin.csclub.uwaterloo.ca munin] systems monitoring daemon
TODO: Debian 9?

==''yerba-mate''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2x75GB 15k drives (RAID 1)

==== Services ====

* test-ipv6 (test-ipv6.csclub.uwaterloo.ca; a test-ipv6.com mirror)
'''Notes'''

* Also used for experimenting new CSC services.

* TODO: use as backup server

==''citric-acid''==
A Dell PowerEdge R815 (TODO: check model) provided by CSCF to replace [[Machine List#aspartame|aspartame]].

'''Specs'''

* 2 x AMD Opteron 6174 (12 cores, 2.20 GHz)
* 128 GB RAM

'''Services'''

* Configured for [https://pass.uwaterloo.ca pass.uwaterloo.ca], a university-wide password manager hosted by CSC as a demo service for all Nexus (ADFS) user.
* [[Plane]], an internal (CSC) project management tool.
* Minio
'''Notes'''

* Being repurposed for Termcom training and development.
* TODO: migrate Vaultwarden (https://pass.csclub.uwaterloo.ca/)??
* UFW opened-ports: SSH, HTTP/HTTPS
* Upgraded to Podman 4.x

= Cloud =

These machines are used by [https://cloud.csclub.uwaterloo.ca cloud.csclub.uwaterloo.ca]. The machines themselves are restricted to Syscom only access.

==''chamomile''==

A Dell PowerEdge R815 provided by CSCF.

==== Specs ====

* 4x 2.20GHz 12-core processors (AMD Opteron(tm) Processor 6174)
* 128GB RAM
* 10GbE connection to core router

==== Services ====

* Cloudstack host
* TODO: cloudstack migration

==''riboflavin''==

A Dell PowerEdge R515 provided by CSCF.

==== Specs ====

* 2x 2.6 GHz 8-core processors (AMD Opteron(tm) Processor 4376 HE)
* 64GB RAM
* 10GbE connection to core router
* 2x 500GB internal SSD
* 12x Seagate 4TB SSHD
==== Services ====

* OpenStack block and object storage for csclub.cloud
* ????
'''Notes'''

* TODO: cloudstack migration

==''guayusa''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2TB PCI-Express Flash SSD
* 2x75GB 15k drives (RAID 1)

==== Services ====

* load-balancer-01

Was used to experiment the following then-new CSC services:

* cifs (for booting ginkgo from CD)
* caffeine-01 (testing of multi-node caffeine)
* TODO: ???
** block1.cloud
** object1.cloud
'''Notes'''

* TODO: cloudstack migration
* TODO: ditch... Currently being used to set up NextCloud.

==''ginkgo''==

Supermicro server funded by MEF for CSC web hosting. Locate in MC 3015.

==== Specs ====

* 2x Intel Xeon E5-2697 v4 @ 2.30GHz [18 cores each]
* 256GB RAM
* 2 x 1.2 TB SSD (400GB of each for RAID 1)
* 10GbE onboard, 25GbE SFP+ card (also included 50GbE SFP+ card which will probably go in mirror)

==== Services ====

* OpenStack Compute machine

No longer in use:

* controller1.cloud
* db1.cloud
* router1.cloud (NAT for cloud tenant network)
* network1.cloud

'''Notes'''
* TODO: cloudstack migration

*

= Storage =

==''fs00''==

fs00 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* dual SFP connection to core switch

... TODO

==''fs01''==

fs01 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====
... TODO

TODO: disconnected??

==''fs10''==

fs10 is a '''NetApp FAS8040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* FAS8040 (dual heads)
** ... TODO
* 6 DS4324 HDD shelves (24-disks each)
** 24 x 2TB HDDs (assorted brands/models)
** Dual IOM3 controllers.
** Loop 1: bottom 4 shelves
** Loop 2: top 2 shelves + SSD shelf
* 1 DS2246 SSD shelf (TODO: right model?)
** 24 Samsung SM1625 SSDs (MZ-6ER2000/0G3), 200GB (SAS 2, 2.5")

= Other =

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

== ps3 ==
This is just a very wide PS3, the model that supported running Linux natively before it was removed. Firmware was updated to remove this feature, however it can still be done via. homebrew.

'''Specs'''

* It's a PS3.

'''2022-10-24''' - Thermal paste replaced + firmware updated to latest supported version, also modded.

==''binaerpilot''==

This is a Gumstix Overo Tide CPU on a Tobi expansion board. It is currently attached to corn-syrup in the machine room and even more currently turned off until someone can figure out what is wrong with it.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''anamanaguchi''==

This is a Gumstix Overo Tide CPU on a Chestnut43 expansion board. It is currently in the hardware drawer in the CSC.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

'''NOTE: May have disappeared at some point'''

==''digital cutter''==

See [[Digital Cutter|here]].

= Decommissioned =

==''biloba''==

Dead, died after the poweroutage of May 9th, 2025, previously served as Cloudstack master node or wtv.

Supermicro server funded by SLEF for CSC web hosting. Located in DC 3558. TODO: rack??

==== Specs ====

* 2x Intel Xeon Gold 6140 @ 2.30GHz [18 cores each]
* 384GB RAM
* 12 3.5" Hot Swap Drive Bays
** 2 x 480 GB SSD
* 10GbE onboard, 10GbE SFP+ card (on loan from CSCF)

==== Services ====

* OpenStack Compute machine
'''Notes'''
* TODO: cloudstack migration

No longer in use:

* caffeine
* mail
* mattermost

==''aspartame''==

aspartame was a taurine clone donated by CSCF. It was once our primary file server, serving as the gateway interface to space on phlogiston. It also used to host the [[#auth1|auth1]] container, which has been temporarily moved to [[#dextrose|dextrose]]. Decomissioned in March 2021 after refusing to boot following a power outage.

==''psilodump''==

psilodump is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling phlogiston, hosted disk shelves exported as iSCSI block devices.

psilodump was plugged into aspartame. It's still installed but inaccessible.

==''phlogiston''==

phlogiston is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling psilodump, hosted disk shelves exported as iSCSI block devices.

phlogiston is turned off and should remain that way. It is misconfigured to have its drives overlap with those owned by psilodump, and if it is turned on, it will likely cause irreparable data loss.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 10GB RAM

==== Notes from before decommissioning ====

* The lxc files are still present and should not be started up, or else the two copies of auth1 will collide.
* It currently cannot route the 10.0.0.0/8 block to a misconfiguration on the NetApp. This should be fixed at some point.

==''glomag''==

Glomag hosted [[#caffeine|caffeine]]. Decommissioned April 6, 2018.

==== Specs ====

* Intel Xeon X3450 @ 2.67 GHz
* 6 GB RAM
* vg0: 465 GB software RAID1 (contains root partition):
** 750 GB Seagate Barracuda SATA hard drive
** 500 GB Western-Digital Caviar Blue SATA hard drive
* vg1: 596 GB software RAID1 (contains caffeine):
** 2 × 640 GB Western-Digital Caviar Blue SATA hard drive

==== Services ====

* Before its decommissioning, glomag hosted [[#caffeine|caffeine]], [[#mail|mail]], and [[#munin|munin]] as [[Virtualization#Linux_Container|Linux containers]]

==''Lisp machine''==

A Symbolics XL1200 Lisp machine. Donated to a new home when we couldn't get it working.

http://www.globalnerdy.com/2008/12/03/symbolics-xl1200-lisp-machine-free-to-a-good-home/ for some history on this hardware.

==== Specs ====

Currently inoperable due to (at least) a missing console cable.

==''ginseng''==

Ginseng used to be our fileserver, before aspartame and the netapp took over.

==== Specs ====

* Intel Pentium Dual Core E2180
* 8GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/s3000ah_tps_1_1.pdf Intel S3000AHV Motherboard]
* 4 × 640 GB Western-Digital Caviar Blue in [[wikipedia:Nested_RAID_levels#RAID_10_.28RAID_1.2B0.29|RAID 10]] behind a [http://www.3ware.com/products/serial_ata2-9650.asp 3ware 9650SE RAID card].
[[Category:Hardware]]

==''calum''==

Calum used to be our main server and was named after Calum T Dalek. Purchased new by the club in 1994.

==== Specs ====

* SPARCserver 10 (headless SPARCstation 10)

==''paza''==

An iMac G3 that was used as a dumb terminal.

==== Specs ====

* 233Mhz PowerPC 740/750
* 96 MB RAM

==''romana''==

Romana was a BeBox that has been in the CSC's possession since long before BeOS became defunct.

Confirmed on March 19th, 2016 to be fully functional. An SSHv1 compatible client was installed from http://www.abstrakt.ch/be/ and a compatible firewalled daemon was started on Sucrose (living in /root, prefix is /root/ssh-romana). The insecure daemon is to be used a bastion host to jump to hosts only supporting >=SSHv2. The mail daemon on the BeBox has also been configured to send mail through mail.csclub.uwaterloo.ca.

==== Specs ====

* 2 PowerPC based processors
* Stylish Blinken processor-load lights

==''sodium-citrate''==

Sodium-citrate was an SGI O2 machine.

In order to net boot you need to set /proc/sys/net/ipv4/ip_no_pmtu_disc to 1. When the O2 boots, hit F5 at the boot menu and type bootp():.

==== Specs ====
* SGI O2 MIPS processor
* 423 MB (?) RAM
* 2 × 2 GB hard drive

==''acesulfame-potassium''==

An old office terminal.

==== Specs ====
* Intel Pentium 4 2.67GHz
* 1GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/ABIT_VT7.pdf ABIT VT7] Motherboard
* ATI Radeon 7000

==''skynet''==

skynet was a Sun E6500 machine donated by Sanjay Singh. It was never fully set up.

==== Specs ====

* 15 full CPU/memory boards
** 2x UltraSPARC II 464MHz / 8MB Cache Processors
** ??? RAM?
* 1 I/O board (type=???)
** ???x disks?
* 1 CD-ROM drive

*[http://mirror.csclub.uwaterloo.ca/csclub/sun_e6500/ent6k.srvr/ e6500 documentation (hosted on mirror, currently dead link)]
*[http://docs.oracle.com/cd/E19095-01/ent6k.srvr/ e6500 documentation (backup link)]
*[http://www.e6500.com/ e6500]

==''freebsd''==

FreeBSD was a virtual machine with FreeBSD installed.

==== Services ====

* Newer software

==''rainbowdragoneyes''==

Rainbowdragoneyes was our Lemote Fuloong MIPS machine. This machine is aliased to rde.csclub.uwaterloo.ca.

==== Specs ====

* 800MHz MIPS Loongson 2f CPU

==''denardo''==

Due to some instability, general uselessness, and the acquisition of a more powerful SPARC machine from MFCF, denardo was decommissioned in February 2015.

==== Specs ====

* Sun Fire V210
* TI UltraSparc IIIi (Jalapeño)
* 2 GB RAM
* 160 GB RAID array
* ALOM on denardo-alom.csclub can be used to power machine on/off
==''artificial-flavours''==

Artificial-flavours was our secondary (backup services) server. It used to be an office terminal. It was decommissioned in February 2015 and transferred to the ownership of Women in Computer Science (WiCS).

==== Specs ====

* Intel Celeron 3.2GHz
* 2GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/Biostar_P4M80-M4.pdf Biostar P4M80-M4] Motherboard
* Western-Digital 80 GB ATA hard drive

==''potassium-citrate''==

Potassium-citrate is a dual-processor Alpha machine. It is on extended loan from pbarfuss.

It is temporarily decommissioned pending the reinstallation of a supported operating system (such as OpenBSD).

==== Specs ====
* Alphaserver CS20 (2 833MHz EV68al CPUs)
* 512MB RAM
* 36 GB Seagate SCSI hard drive

==''potassium-nitrate''==

This was a Sun Fire E2900 from a decommissioned MFCF compute cluster. It had a SPARC architecture and ran OpenBSD, unlike many of our other systems which are x86/x86-64 and Linux/Debian. After multiple unsuccessful attempts to boot a modern Linux kernel and possible hardware instability, it was determined to be non-cost-effective and non-effort-effective to put more work into running this machine. The system was reclaimed by MFCF where someone from CS had better luck running a suitable operating system (probably Solaris).

The name is from saltpetre, because sparks.

==== Specs ====

* 24 CPUs
* 90GB main memory
* 400GB scratch disk local storage in /scratch-potassium-nitrate

There is a [[Sun 2900 Strategy Guide|setup guide]] available for this machine.

See also [[Sun 2900]].

==''taurine''==

'''Note: On August 21, 2019, just before 2:30PM EDT, we were informed that taurine caught fire'''. As a result, taurine has been decommissioned as of Fall 2019.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 8GB RAM
* 136 GB LVM volume group

==== Services ====

* Virtual machines
* BitlBee IRC instant messaging gateway (localhost only)
*[[ident]] server to maintain high connection cap to freenode
* Runs ssh on ports 21,22,53,80,81,443,8000,8080 for user's convenience.

==''dextrose''==

dextrose was a [[#taurine|taurine]] clone donated by CSCF and was decommissioned in Fall 2019 after being replaced with a more powerful server.

==''sucrose''==

sucrose was a [[#taurine|taurine]] clone donated by CSCF. It was decommissioned in Fall 2019 following multiple hardware failures.

==''goto80''==
'''Note (2022-10-25): This seems to have gone missing or otherwise left our hands.'''

This was small ARM machine we picked up in order to have similar hardware to the Real Time Operating Systems (CS 452) course. It has a [[TS-7800_JTAG|JTAG]] interface. Located was the office on the top shelf above strombola.

==== Specs ====

* 500 MHz Feroceon (ARM926ej-s compatible) processor
* ARMv5TEJ architecture

Use -march=armv5te -mtune=arm926ej-s options to GCC.

For information on the TS-7800's hardware see here:
http://www.embeddedarm.com/products/board-detail.php?product=ts-7800

==''nullsleep''==

nullsleep is an [http://csclub.uwaterloo.ca/misc/manuals/ASRock_ION_330.pdf ASRock ION 330] machine given to us by CSCF and funded by MEF.

It's decommissioned on 2023-03-20 due to repeated unexpected shutdown. Replaced by [[#powernap|powernap]].

==== Specs ====

* Intel® Dual Core Atom™ 330
* 2GB RAM
* NVIDIA® ION™ graphics
* 1x 64GB SanDisk SDSSDP064G SSD
* DVD Burner

==== Speakers ====
Nullsleep has the office speakers (a pair of nice studio monitors) currently connected to it.

==== Services ====
Nullsleep runs MPD for playing music. Control of MPD is available only to users in the "audio" group.
Music is located in /music on the office terminal

== ''bit-shifter'' ==
bit-shifter was an office terminal, decommissioned April 2023 due to extended age. It was upgraded to the same specs as Strombola at an unknown point in time.

==== Specs ====

* Intel Core 2 Quad CPU Q8300
* 4GB RAM
* Nvidia GeForce GT 440
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD
* Jacob Parker's Firewire Card

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''strombola''==
Strombola was an office terminal named after Gordon Strombola. It was retired in April 2023.

==== Specs ====
* Intel Pentium G4600 2 cores @ 3.6Ghz
* 8 GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD

==== Speakers ====
Strombola used to have integrated 5.1 channel sound before we got new speakers and moved audio stuff to nullsleep.

== ''gwem'' ==
gwem was an office terminal that was created because AMD donated a graphics card. It entered CSC service in February 2012.

=== Specs ===

* AMD FX-8150 3.6GHz 8-Core CPU
* 16 GB RAM
* AMD Radeon 6870 HD 1GB GPU
*[http://csclub.uwaterloo.ca/misc/manuals/ga-990fxa-ud7_e.pdf Gigabyte GA-990FXA-UD7] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD

== ''maltodextrin'' ==
(*specs are outdated at least as of 2023-05-27*)
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
Maltodextrin was an office terminal. It was upgraded in Spring 2014 after an unidentified failure. Not operational (no video output) as of July 2022.

==== Specs ====

* Intel Core i3-4130 @ 3.40 GHz
* 8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
*[http://csclub.uwaterloo.ca/misc/manuals/E8425_H81I_PLUS.pdf ASUS H81-PLUS] Motherboard

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''natural-flavours'' ==

Natural-flavours is an office terminal; it used to be our mirror.

In Fall 2016, it received a major upgrade thanks the MathSoc's Capital Improvement Fund.

==== Specs ====

* Intel Core i7-6700k
* 2x8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
* Cup Holder (DVD drive has power, but not connected to mother board)
= UPS =

All of the machines in the MC 3015 machine room are connected to one of our UPSs.

All of our UPSs can be monitored via CSCF:

* MC3015-UPS-B2
* mc-3015-e7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced July 2014) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-e7-ups-1&var-Interval=30m)
* mc-3015-f7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced Feb 2017) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-f7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2010) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-2&var-Interval=30m)
* mc-3015-h7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2004) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-1&var-Interval=30m)
* mc-3015-h7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-2&var-Interval=30m)

We will receive email alerts for any issues with the UPS. Their status can be monitored via [[SNMP]].

TODO: Fix labels & verify info is correct & figure out why we can't talk to cacti.

Ntp

2025-05-18T06:15:28Z

S23adhik:

CSC Servers require timing services, for a lot things.

yerba-mate use ntpd. Anyways our ntpd config looks like <syntaxhighlight>
# Use the University of Waterloo's NTP server
server 129.97.129.9 iburst

# Fallback to the Debian NTP pool servers
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst

# Access control restrictions (optional but recommended)
restrict default nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1

# Drift file
driftfile /var/lib/ntp/ntp.drift

</syntaxhighlight>Neotame, corn-syrup, high-fructose-corn-syrup, carbonated-water, sorbitol, manitol uses timesyncd, Our timesyncd config looks like<syntaxhighlight>
[Time]
# ntp.uwaterloo.ca
NTP=129.97.129.9
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
</syntaxhighlight>

Ntp

2025-05-18T05:53:44Z

S23adhik: Updated configs

CSC Servers require timing services, for a lot things.

yerba-mate use ntpd. Anyways our ntpd config looks like <syntaxhighlight>
# Use the University of Waterloo's NTP server
server 129.97.129.9 iburst

# Fallback to the Debian NTP pool servers
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst

# Access control restrictions (optional but recommended)
restrict default nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1

# Drift file
driftfile /var/lib/ntp/ntp.drift

</syntaxhighlight>Neotame uses timesyncd, Our timesyncd config looks like<syntaxhighlight>
[Time]
# ntp.uwaterloo.ca
NTP=129.97.129.9
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
</syntaxhighlight>

Keys and Fobs

2025-04-13T22:41:59Z

S23adhik:

== History of Keys/Fobs ==
* Before Spring 2017, the CSC office can only be accessed using keys provided by the School of Computer Science ([[SCS Guide|SCS]]). As the lock is never changed, people keep their keys forever and the exec team has no way of tracking those keys or getting the keys back.
* In order to improve the key situation, the execs from Winter and Spring 2017 have made an agreement with Math Dean's office to install the fob system on the door. And power of managing the fobs is transferred from SCS to the Math Dean's office

== Memorandum of Understanding with Math Dean's office ==
In Fall 2018, a Memorandum of Understanding (MOU) has been signed between the Computer Science Club, the Mathematics Society, and The Math Dean's Office. A hard copy of the MOU can be found on the top cabinet, and a PDF copy should be available in the exec email archive.

There should be about keys in total, 10 fobs, 2 physical keys. MathSoc president also has a key that opens CSC.

== Recommended Distribution of Keys and Fobs ==
* As agreed with Math Dean's Office, The President and System Administrator would each get a key.
* For the sake of continuity of service, the System Administrator should also receive a fob that extends into the upcoming term
* All other Officers should each receive a fob (if president decides so), total of six not including the one for System Administrator.
* If the exec team found the number of fobs are inadequate to keep the office open for extended time, they can request up to 5 more fobs from Math Dean's office and distribute them to office staffs.

[[Category:Office]]

Meeting:Orgcom Updates/President 2025 Winter

2025-04-03T02:08:56Z

S23adhik:

Many people call the President Siracha, his name is actually Sourojeet

Notable things done this term

* 40k from SLEF for servers, deadline is late December
* 18k from MEF for servers, deadline is late December
* Will attempt to get 96 core, 1tb for general use
* 128 core, 1.5tb for cloud
* In continued talks with mathSoc to sort out to figure out what to do with the servers long term in terms of maintenance, and usage
* Figuring out what will happen to our servers when M4 comes along
** So far our servers will be moved
** we will get rack space
** and we should be using the room's UPS
** No idea how the UPS stuff will work tho ;-;
* Began doing Exec take overs of insta again, and internal socials, and bought some books (riscv, and rust book)
* 'Borrowed' a couch from EngSoc as a prank, and their Emblem
* Celcius (energy drink) are like, super popular LOL
* Started CSC Flash again
* As of S24, we use Vault Warden for our passwords
* Mirror upgrade parts have been bought, hopfully I remember to put in when they're installed
* Started reaching out to Alumni to do Talks about their work and stuff
* I have heard via the great vine... that the wall may fall..........
* Started to prepare to buy another round of plushies
* New Thunderbolt 3/USB-4 docks (we only relised after buying that some of our laptops cant charge/use display at the same time LOL)

Past Executive

2025-03-26T04:57:42Z

S23adhik: /* Fall */

Data sources for this exec list have been: CSC records, MathNEWS.
According to the warrior wiki dudes, there was an article about the CSC being founded in the chevron: ''This week on campus''. The Chevron. January 5 1968. Page 16. -- somebody should get a copy of that.

= Definitions =
#define PR President
#define VP Vice-president
#define TR Treasurer
#define SE Secretary
#define AV Assistant Vice-president
#define SA Sysadmin
#define OF Office Manager
#define LI Librarian
#define WW Webmaster

#ifdef __HISTORICAL__
#define FL Flasher
#define DE Deity
#define SE-TR Secretary-Treasurer (Position was split)
#define FR Fridge Regent (IMAPd)
#endif /* __HISTORICAL__ */

<div style="float:right;margin-left: 1em;">__TOC__</div>

=Founding 1967=

Sponsor - J. Peter Sprung
PR: K. Rugger
VP: R. Jaques
SE-TR: G. Sutherland

Founding Members:
B. Kindree
R. Melen
V. Neglia
R. Charney
R. Truman
Glenn Berry
D. Meek

===Fall===

PR: Bill Kindred
VP: Rick Jacques
SE-TR: Graham Sutherland

Committee members: R. Stallwerthy, C. de Vries

=1968=

===Winter===

PR: Bill Kindred
VP: Rick Jacques
SE-TR: Graham Sutherland

===Fall===

SE-TR: Glenn Berry

=1969=

Unknown, only one letter found in the folder 'ACM History' addressed to Glenn Berry, which makes it likely that he was SE-TR once again. May be indicated in membership lists. The club appears to have died this academic year.

=1970=

===A note on ACM affiliation===

The first attempt at joining the ACM was started with an informal inquiry Dec 5, 1967. This lead to a series of constitution edits (working towards affiliation) in Winter 1968. There was a break for the spring (no correspondence found, I presume we were waiting on a reply). In the fall records indicate that our constitution and chartering was rejected, further correspondence was sent in Fall 1968 by Glenn Berry. A new inquiry, seemingly unaware of the first was sent Dec 7, 1970

===Fall===

PR: Rick Beach
VP: Lee Santon
TR: Randy Melen
SE: Vic Neglia

=1971=

===Spring===

VP: James H. "Jim" Finch and James W. Welch both signed letters as VP.

===Fall===

VP: James W. Welch

=1972=

It appears we visited Western and Western visited us this year (there is some reference to a similar occurrence the year previous). Documents from 1973 indicate a termly exec structure, this probably goes back to 1972.

===Winter===

PR: Mike Campbell
VP: Edgar Hew
SE-TR: Doug Lacy

There is also stuff from James W. Welch without a position.

===Fall===

PR: Ian McIntosh

=1973=

Faculty Sponsor: Morven Gentleman

===Winter===

SE: Douglas E. Lacy

===Spring===

PR: Jim Parry

===Fall===

PR: Jim Parry
VP: Ray Walden
TR: Slavko Stemberger
SE: Mario Festival

=1974=

===Fall===

PR: Russell Crook

=1975-1977=

Faculty Sponsor: Morven Gentleman??

Peter Raynham reports (first hand account): president for at least 2 or 3 terms in this period.
Sylvia Eng: 1975/6 as some position.
Dave Buckingham: a VP at some point
Allison Nolan: 1977 time
Peter Stevens: 1977
Russel Crook???

Dennis Ritchie came. So did Jeffrey D. Ullman.

=1976=

===Fall===
<code>Progcom: Peter Stevens</code>

=1977=

===Winter===

Progcom: Allison Nowlan

===Spring===

PR: Peter Stevens
Progcom: Allison Nowlan

===Fall===

PR: Andrzej Jan Taramina
Progcom: Allison Nowlan

=1978=

===Winter===

PR: Peter Stevens

===Spring===

TR: K.G. Dykes
SE: Kandry Mutheardy

Brian Kernighan gave a talk this term. So did Ken Thompson.

=1979=

===Spring===

PR: Robert Biddle
=1987=

===Fall===

PR: Jim Boritz
VP: Ted Timar
TR: Gayla Boritz
SE: Edwin Hoogerbeets

=1988=

Tim Timar - cc'd on memos/mentioned on mathsoc minutes in 1987/88.
The Sysadmin and Office Manager positions seem to have been created somewhere in here. The 'Record Management Profile' that Rob*n Stewart did as an assignment in 1991-1992 for some class at UBC
indicates the existence of both positions. We acquired an HP-9000 in the summer of 1988 and as this was our first "real" computer (previously we had an IBM PC and terminal), the sysadmin position was created, starting with the Fall 1988 term.

===Winter===
PR: Jim Boritz
(Source: https://csclub.uwaterloo.ca/misc/procedure.pdf)

===Fall===

SA: Wade Richards

=1989=

===Winter===

https://mirror.csclub.uwaterloo.ca/csclub/bill-gates-1989-big.jpg

Left to right: Jim Boritz (bottom), Wade Richards (top), Ted Timar, ???, Keven Smith, Bill Gates (not exec), Angela Chambers, Ross Ridge (top), Sean Goggin (bottom), ???

PR: Barry W. Smith
VP: Angela Chambers
SE: Sean Goggin
SA: Wade Richards / Ross Ridge

(President Kevin Smith confirmed: https://csclub.uwaterloo.ca/misc/procedure.pdf)

===Spring===

PR: Jim Thornton
VP: Gayla Boritz
TR: David Fenger
SE: Kivi Shapiro
SA: Reid Pinchback

Assistance to sysadmin: Jim Boritz.

===Fall===

PR: James Boritz
VP: Edmond Bourne
SA: Ross Ridge

=1990=

===Winter===

TR: Jim Thornton

===Spring===

TR: Karen Smith
SE: Rob*n Stewart
Robyn/Robin signed her emails as Rob*n and requested to be listed as such on this page.

===Fall===
PR: Wade Richards
TR: Carolyn Duke
SE: Rob*n Stewart - attended mathsoc meeting on our behalf.
Kivi Shapiro - attended mathsoc meeting on our behalf.
- Censured by mathsoc for his actions during the election.
Shannon Mann - attended mathsoc meeting on our behalf.

=1991=

===Winter===
VP: Edmond Bourne
TR: Carolyn Duke
SE: Rob*n Stewart
Shannon Mann - attended mathsoc meeting on our behalf.

John McCarthy came this term.

===Spring===
TR: Rob Leitman
Jason Knell - attended mathsoc meeting on our and PMC's behalf.

===Fall===
TR: Mike Van Lingen
Wiktor Wiewiorowski - attended mathsoc meeting on our behalf this term.
=1992=

===Winter===
TR: Norm Ross
SE: Brent Williams

===Spring===
PR: Dale Wick
TR: Stephen A. Mills

===Fall===
TR: Mark Plumb
=1993=

===Winter===
TR: Rob Leitman
VP: Tim Prime
OF: Dave Ebbo
LI: Norm Ross

Other exec for this term: Ellen Hsiang, Sam Coulombe, Peter Gray

===Spring===
TR: Mark Tompsett

===Fall===

PR: Ian Goldberg

=1994=

===Winter===
PR: Ian Goldberg
TR: Mark Tompsett
SE: Tom Rathbourne
LI: Michael Van Biesbrouck
Norm Ross assisted with finances.

===Spring===
PR: Dale Wick (?)
TR: Steve Mills
SA: Ian Goldberg (?)
Norm Ross assisted with finances.

===Fall===
PR: Ross Ridge
VP: Tom Rathbourne (?)
TR: Rob Leitman
SA: Zygo Blaxell
LI: Michael Van Biesbrouck
=1995=

===Winter===
TR: Sharlene Schmeichel
Amy Brown and Rob Ridge purchased books.

===Spring===
TR: Steve Mills

===Fall===
PR: Amy Brown (arbrown)
VP: Christina Norman (cbnorman)
TR: Steven Mills (samills)
SE: Allyson Graham (akgraham)
SA: Gavin Peters
=1996=

===Winter===
PR: Nikita Borisov (nborisov)
VP: Joseph Deu Ngoc (dtdeungo)
TR: Stephen Mills (samills)
SE: Sharlene Schmeichel (saschmei)
SA: Dave Brown (dagbrown)
OF: Somsack Tsai (stsai)
LI: Devin Carless (dccarles)
FL: Allyson Graham (akgraham)
DE: Ian Goldberg (iagoldbe)

===Spring===
PR: Blake Winton (bwinton)
VP: Nick Harvey (njaharve)
TR: Nikita Borisov (nborisov)
SE: Viet-Trung Luu (vluu)
SA: Drew Hamilton (awhamilt)
OF: Jillian Arnott (jarnott)
LI: Ross Ridge (rridge)
FL: Devin Carless (dccarles)

=== Fall ===
PR: Shannon Mann (sjbmann)
VP: Joe "Frosh" Deu Ngoc (jtdeungo) resigned (heavy workload)
TR: Michal Van Biesbrouck (mlvanbie)
SE: Nikita Borisov (nborisov)
SA: Chris Rovers
OF: Dax Hutcheon (ddhutche) became VP upon jtduengo's resignation
LI: Aliz Csenki (acsenki)
FL: Aaron Chmielowiec (archmiel)
DE: Skuld (no uwuserid yet...)
=1997=

===Winter===
PR: Dima Brodsky
VP: Nikita Borisov (nborisov)
TR: Stephen Mills (samills)
SE: Evan Jones (ejones)
SA: Alex Brodsky
OF: Chris Doherty
LI: Matt Corks
FL: Paul Prescod

=== Fall ===
PR: Chris Rovers (cdrovers)
VP: Michael van Biesbrouck (mlvanbie)
TR: Somsack Tsai (stsai)
SE: Matt Corks (mvcorks)
SA: Lennart Sorensen (lsorense)
LI: Chmielowiec (archmiel)
OF: Devin Carless (dccarles)
FL: Aaron Chmielowiec (archmiel)
= 1998 =

=== Winter ===
PR: Suresh Naidu
VP: Viet-Trung Luu
TR: Tim Coleman
SE: Dax Hutcheon
LI: Dax Hutcheon
Flasher: Dax Hutcheon
WW: Dax Hutcheon
SA: Robin Powell
OF: Aaron Chmielowiec

=== Spring ===

Position Name You might call them...
President roconnor Russell O'Connor
Vice-president trwcolem Tim Coleman
Treasurer knzarysk Karl Zaryski
Secretary (bwinton) (Blake Winton)
Sysadmin wbiggs Billy Biggs
Librarian snaidu Suresh Naidu
Flasher pechrysl Paul Chrysler
Office Manager dccarles Devin Carless
WWWW trwcolem Tim Coleman

=== Fall ===

President Joe Deu Ngoc jtdeungo
Vice-President Wai Ling Yee wlyee
Treasurer Fjord j2lynn
Secretary Matt Corks mvcorks
Sysadmin Andrew Hamilton awhamilt

World Wide Web Wench Dax Hutcheon ddhutche
Office Manager Richard Bell rlbell
Librarian Damian Gryski dgryski
Flasher Paul Chrysler pechrysl
Official Deity Ian Goldberg iagoldbe
Official Chairbeing Calum T. Dalek calum
=1999=

=== Winter ===
PR: geduggan
=2000=

=== Winter ===
PR: Will Chartrand (wgchartr)
VP: Gavin Duggan (geduggan)
SA: Lennart Sorensen (lsorense)

=== Fall ===
PR: geduggan
SA: bioster
=2001=

=== Winter ===
PR: geduggan

=== Spring ===
PR: geduggan

=2002=

https://web.archive.org/web/20130715012002/http://www.mathnews.uwaterloo.ca/Issues/mn8902/cscflash.php

=== Winter ===
PR: Billy Biggs
VP: Stefanus Du Toit
TR: Melissa Basinger
SE: James Perry
SA: Barry Genova
LI: Ryan Golbeck
WW: Jonathan Beverley
Office Manager: Sayan Li

=== Spring ===
PR: Alex Pop
VP: Melissa Basinger
TR: Siyan Li
SE: James A Morrison
SA: Jonathan Beverley
WW: Stefanus Du Toit

=== Fall ===
PR: James A. Morrison
VP: Stefanus Du Toit
TR: James Perry
SE: Michael Biggs
SA: Ryan Golbeck
LI: Mark Sherry, Cassandra Schopf
WW: Stefanus Du Toit
=2003=

=== Winter ===
PR: Kannan Vijayan (kvijayan)
VP: Meg Darragh (m2darrag)
TR: James Perry (jeperry)
SE: Wojciech Kosnik (wkosnik)
SA: Stefanus Du Toit (sjdutoit)
LI: Simon Law (sfllaw)
WM: Julie Lavoie (jlavoie)

===Fall===
PR: Stefanus Du Toit (sjdutoit)
VP: Meg Darragh (m2darrag)
TR: Tor Myklebust (tmyklebu)
SE: James Perry (jeperry)
SA: Simon Law (sfllaw)
=2004=

===Winter===
PR: Simon Law (sfllaw)
VP: fspacek
TR: ljain
SE: Julie Lavoie (jlavoie)
SA: Tor Myklebust(tmyklebu)

===Spring===
PR: dnmorton ?
VP: Tim Loach (tloach)
TR: Michael Biggs (mbiggs)
SE: Lesley Northam (lanortha)

===Fall ===
PR: jeperry
VP: mtsay
TR: Mark Sherry (mdsherry)
SE: Tor Myklebust (tmyklebu)
SA: jlavoie
=2005=

===Winter===

PR: mtsay
VP: Lesley Northam (lanortha)
TR: Holden Karau (hkarau)
SE: domorton
SA: Tor Myklebust (tmyklebu)

===Spring===

PR: Mark Sherry (mdsherry)
VP: Martin Kess (mdkess)
TR: Ali Piccioni (apiccion)
SE: Michael Biggs (mbiggs)
SA: Tor Myklebust (tmyklebu)

===Fall===

PR: Tim Loach (tloach)
VP: Lesley Northam (lanortha)
TR: Caelyn McAulay (cmcaulay)
SE: The Professor
SA: Holden Karau (hkarau)
=2006=

===Winter===

PR: Tor Myklebust (tmyklebu)
VP: Michael Druker (mdruker)
TR: Caelyn McAulay (cmcaulay)
SE: Mark Sherry (mdsherry)
SA: William O'Connor (woconnor)

===Spring===
PR: David Bartley (dtbartle)
VP: David Belanger (dbelange)
TR: David Tenty (daltenty)
SE: Chris Evensen (cevensen)
SA: Holden Karau (hkarau)

===Fall===

PR: Martin Kess (mdkess)
VP: Mark Sherry (mdsherry)
TR: Sylvan L. Mably (slmably)
SE: Caelyn McAulay (cmcaulay)
SA: William O'Connor (woconnor)
=2007=

===Winter===
PR: David Bartley (dtbartle)
VP: David Belanger (dbelange)
TR: Caelyn McAulay (cmcaulay)
SE: David Tenty (daltenty)
SA: Holden Karau (hkarau)
WW: jnopporn

===Spring===
PR: Gaelan D'costa (gdcosta)
VP: Kyle Larose (kmlarose)
TR: Kyle Spaans (kspaans)
SE: Erik Louie (elouie)
SA: Michael Spang (mspang)
LI: David Tenty (daltenty)

===Fall ===
PR: Holden Karau (hkarau)
VP: Alex McCausland (amccausl)
TR: Dominik Chlobowski (dchlobow)
SE: Sean Cumming (sgcummin)
SA: David Tenty (daltenty)
WW: dtbartle / jnopporn
=2008=

===Winter ===
PR: Sean Cumming (sgcummin)
VP: Matt Lawrence (m3lawren)
TR: Mateusz Tarkowski (mtarkows)
SE: Edgar Bering (ebering)
SA: Jordan Saunders (jmsaunde)

===Summer ===
PR: Brennan Taylor (b4taylor)
VP: Qifan Xi (qxi)
TR: Matt Lawrence (m3lawren)
SE: Nick Guenther (nguenthe)

===Fall ===
PR: Matthew Lawrence (m3lawren)
VP: Edgar Bering (ebering)
TR: Michael Gregson (mgregson)
SE: James Simpson (j2simpso) resigned for medical reasons, replaced by Dominik 'Domo' Chłobowski
SA: Kyle Spaans (kspaans)
=2009=

===Winter===
PR: Michael Gregson (mgregson)
VP: Edgar Bering (ebering)
TR: Brennan Taylor (b4taylor)
SE: James Simpson (j2simpso) resigned for business reasons, replaced by Rebecca Putinski (rjputins)
SA: Jacob Parker (j3parker)
OF: XinChi Yang / Sapphyre Gervais (x23yang / sagervai) (both)

===Spring ===
PR: Michael Spang (mspang)
VP: Jacob Parker (j3parker)
TR: Sapphyre Gervais (sagervai)
SE: Matthew McPherrin (mimcpher)
SA: Anthony Brennan (a2brenna)

===Fall===
PR: Jacob Parker (j3parker)
VP: Edgar Bering (ebering)
TR: Michael Spang (mspang)
SE: Brennan Taylor (b4taylor)
SA: Michael Ellis (m2ellis)
OF: Rebecca Putinski (rjputins)
=2010=

===Winter===
PR: Kyle Spaans (kspaans)
VP: Edgar Bering (ebering)
TR: Sapphyre Gervais (sagervai)
SE: Ajnu Jacob (ajacob)
SA: Matthew Thiffault (mthiffau)
OF: Jacob Parker (j3parker)
Keyed office staffers: j3camero, jdonland, m2ellis, mimcpher, nsasherr

===Spring===
PR: Jeff Cameron (j3camero)
VP: Brennan Taylor (b4taylor)
TR: Vardhan Mudunuru (vmudunur)
SE: Matthew Lawrence (m3lawren)
SA: Michael Ellis (m2ellis)
OF: Edgar Bering (ebering)

===Fall===
PR: Jacob Parker (j3parker)
VP: Edgar Bering (ebering)
TR: Rebecca Putinski (rjputins)
SE: Kyle Spaans (kspaans)
SA: Jeremy Roman (jbroman)
OF: Amir Sayed Khader (askhader)
=2011=

===Winter===
PR: Edgar Bering (ebering)
VP: Jennifer "Emily" Wong (jy2wong)
TR: Kyle Spaans (kspaans)
SE: Elana "Alana" Hashman (ehashman)
SA: Peter "Bofh" Barfuss (pbarfuss)
OF: Marc Burns (Marc Burns)

===Spring===
PR: Matthew Thiffault (mthiffau)
VP: Matthew McPherrin (mimcpher)
TR: Kyle Spaans (kspaans)
SE: Kwame Andrew Ansong (kansong)
SA: Jeremy Brandon Roman (jbroman)
OF: Jennifer "Emily" Wong (jy2wong)

===Fall===
PR: Marc Burns (m4burns)
VP: Katharine Hyatt (kshyatt)
TR: Jacob Parker (j3parker)
SE: Elana Hashman (ehashman)
SA: Anthony "hatguy/hotgay" Brennan (a2brenna)
OF: Kyle Spaans (kspaans)
LI: Edgar Bering (ebering)
=2012=

===Winter===
PR: Marc Burns (m4burns)
VP: Elana Hashman (ehashman)
TR: Jacob Parker (j3parker)
SE: Matthew McPherrin (mimcpher)
SA: Jeremy Roman (jbroman)
OF: Luqman Aden (laden)
LI: Jennifer "Emily" Wong (jy2wong)

===Summer===
PR: Anthony Brennan (a2brenna)
VP: Luqman Aden (laden)
TR: Matthew McPherrin (mimcpher)
SE: Elana Hashman (ehashman)
SA: Sarah Harvey (sharvey)
OF: Marc Burns (m4burns)
LI: John Ladan (jladan)

===Fall===
PR: Marc Burns (m4burns)
VP: Salem Talha (satalha)
TR: Jennifer Wong (jy2wong)
SE: Elana Hashman (ehashman), resigned
SA: Jeremy Roman (jbroman)
OF: Luqman Aden (laden)
LI: John Ladan (jladan)
=2013=

===Winter===
PR: Anthony Brennan (a2brenna)
VP: Marc Burns (m4burns)
TR: John Mumford (jsmumfor)
SE: Matt Olechnowicz (mgolechn)
SA: Sarah Harvey (sharvey)
OF: Bryan Coutts (b2coutts)
LI: Matthew McPherrin (mimcpher)

===Spring===
PR: Shane Robert Creighton-Young (srcreigh)
VP: Visishta Vijayanand (vvijayan)
TR: Dominik Chlobowski (dchlobow)
SE: Youn Jin Kim (yj7kim)
SA: Anthony Brennan (a2brenna)
OF: Marc Burns (m4burns)
FR: Dominik Chlobowski (dchlobow)

===Fall===
PR: Elana Hashman (ehashman)
VP: Marc Burns (m4burns)
TR: Dominik Chlobowski (dchlobow)
SE: Edward Lee (e45lee)
SA: Jeremy Roman (jbroman)
OF: Alexis Hunt (aechunt)
= 2014 =

=== Winter ===
PR: Bryan Coutts (b2coutts)
VP: Visishta Vijayanand (vvijayan)
TR: Marc Burns (m4burns)
SE: Mark Farrell (m4farrel)
SA: Murphy Berzish (mtrberzi)
OF: Nicholas Black (nablack)

=== Spring ===
PR: Youn Jin Kim (yj7kim)
VP: Luke Franceschini (l3france)
TR: Joseph Chouinard (jchouina)
SE: Ifaz Kabir (ikabir)
SA: Murphy Berzish (mtrberzi)
OF: Matthew Thiffault (mthiffau)

=== Fall ===
PR: Youn Jin Kim (yj7kim)
VP: Theodor Belaire (tbelaire)
TR: Jonathan Jerel Bailey (jj2baile)
SE: Shane Robert Creighton-Young (srcreigh)
SA: Alexis Hunt (aechunt)
OF: Mark Farrell (m4farrel)
LI: Gianni Leonardo Gambetti (glgambet)

= 2015 =

=== Winter ===
PR: Gianni Leonardo Gambetti (glgambet)
VP: Luke Franceschini (l3france)
TR: Edward Lee (e45lee)
SE: Patrick James Melanson (pj2melan)
SA: Murphy Berzish (mtrberzi)
OF: Shikhar Singh (s285sing)
LI: Aishwarya Gupta (a72gupta)
=== Spring ===
PR: Luqman Aden (laden)
VP: Patrick Melanson (pj2melan)
TR: Jonathan Bailey (jj2baile)
SE: Keri Warr (kpwarr)
SA: Nik Black (nablack)
OF: Ilia Chtcherbakov (ischtche)
LI: Yomna Nasser (ynasser)
=== Fall ===
PR: Simone Hu (ss2hu)
VP: Theo Belaire (tbelaire)
TR: Jordan Taylore Upiter (jtupiter)
SE: Daniel Marin (dmarin)
SA: Jordan Xavier Pryde (jxpryde)
OF: Ilia Chtcherbakov (ischtche)
= 2016 =

=== Winter ===
PR: Patrick Melanson (pj2melan)
VP: Patrick Melanson (pj2melan)
Acting VP, progcom chair: Theo Belaire (tbelaire)
TR: Luqman Aden (laden)
SE: Naomi Koo (m3koo)
SA: Zachary Seguin (ztseguin)
OF: Reila Zheng (wy2zheng)
LI: Felix Bauckholt (fbauckho)
FR: Marc Mailhot (mnmailho)

=== Spring ===
PR: Luqman Aden (laden)
VP: Melissa Angelica Mary Tedesco (matedesc)
TR: Jonathan Jerel Bailey (jj2baile)
SE: Aditya Shivam Kothari (askothar)
SA: Jordan Xavier Pryde (jxpryde)
OF: Zachary Seguin (ztseguin)
LI: Charlie Wang (s455wang)
FR: Marc Mailhot (mnmailho)

=== Fall ===
PR: Charlie Wang (s455wang)
VP: Bryan Coutts (b2coutts)
TR: Laura Song (lhsong)
SE: Uday Barar (ubarar)
SA: Zachary Seguin (ztseguin)
OF: Jamie Sinn (j2sinn)
LI: Felix Bauckholt (fbauckho)
FR: Ilia Chtcherbakov (ischtche)

= 2017 =

=== Winter ===
PR: Wilson Cheang (wyschean)
VP: Tristan Hume (tghume)
TR: Jordan Pryde (jxpryde)
SE: Amir Fata (aafata)
SA: Zachary Seguin (ztseguin)
OF: Felix Bauckholt (fbaukcho)
LI: Connor Murphy (cfmurph)
FR: Marc Mailhot (mnmailho)

=== Spring ===

PR: Felix Bauckholt (fbauckho)
VP: Zichuan Wei (z34wei)
TR: Laura Song (lhsong)
SE: Bo Mo (bzmo)
SA: Zachary Seguin (ztseguin)
OF: Uday Barar (ubarar)
LI: Patrick Melanson (pj2melan)
FR: Uday Barar (ubarar)

=== Fall ===

PR: Melissa Tedesco (matedesc)
VP: Victor Brestoiu (vabresto)
TR: Tristan Hume (tghume)
SE: Marc Mailhot (mnmailho)
SA: Jordan Pryde (jxpryde)
OF: Zoë Laing (zlaing)
LI: Felix Bauckholt (fbauckho)
FR: Marc Mailhot (mnmailho)

= 2018 =

=== Winter ===

PR: Patrick Melanson (pj2melan)
VP: Charlie Wang (s455wang)
TR: Ashley Dewiputri Pranajaya (adpranaj)
SE: Arshia Mufti (a2mufti)
SA: Jordan Pryde (jxpryde)
OF: Zoë Laing (zlaing)
LI: Zichuan Wei (z34wei)
FR: Uday Barar (ubarar)

=== Spring ===

PR: Melissa Tedesco (matedesc)
VP: Dhruv Jauhar (djauhar)
TR: Tristan Hume (tghume)
AV: Marc Mailhot (mnmailho)
SA: Jennifer Zhou (c7zou)
OF: Aditya Thakral (a3thakra)
LI: Archer Zhang (z577zhan)
FR: Marc Mailhot (mnmailho)

=== Fall ===

PR: Zichuan Wei (z34wei)
VP: Uday Barar (ubarar)
TR: Alex Tomala (actomala)
AV: Neil Parikh (n3parikh)
SA: Jennifer Zhou (c7zou)
OF: Alexander Zvorygin (azvorygi)
LI: Neil Parikh (n3parikh)
FR:

= 2019 =

=== Winter ===

PR: Marc Mailhot (mnmailho)
VP: Victor Brestoiu (vabresto)
TR: Tristan Hume (tghume)
AV: Aditya Thakral (a3thakra)
SA: Charlie Wang (s455wang)
OF: Archer Zhang (z577zhan)
LI: Rishabh Minocha (rkminoch)
FR: Marc Mailhot (mnmailho)

=== Spring ===

PR: Uday Barar (ubarar)
VP: Rajat Malhotra (r24malho)
TR: Raghav Sethi (r5sethi)
AV: Bo Mo (bzmo)
SA: Charlie Wang (s455wang)
OF: Hannah Wong (sm7wong)
LI: Nolan Munce (nmmunce)

=== Fall ===

PR: Dhruv Jauhar (djauhar)
VP: Aditya Thakral (a3thakra)
TR: Rishabh Minocha (rkminoch)
AV: Tammy Khalaf (tekhalaf)
SA: Murphy Berzish (mtrberzi)
OF: Zihan Zhang (z577zhan)
LI: Raghav Sethi (r5sethi)

= 2020 =

=== Winter ===
The office was closed midway through this term due to the COVID-19 pandemic.

The pandemic that threw the University and rest of the world into disarray drove all CSC activity virtual. Though everyone thought the pandemic would quickly be over, the Alpha, then Delta, then Omicron variants resulted in the majority of classes being held online until February 2022.

As a result, the office would stay closed for a full 5 terms, and only reopen in W2022.

PR: Richard Shi (r27shi)
VP: Anastassia Gaikovaia (agaikova)
TR: Alex Tomala (actomala)
AV: Neil Parikh (n3parikh)
SA: Amin Bandali (abandali)
OF: Alexander Zvorygin (azvorygi)
LI: Anastassia Gaikovaia (agaikova)
FR: Richard Shi (r27shi)

=== Spring ===

PR: Neil Parikh (n3parikh)
VP: Anastassia Gaikovaia (agaikova)
SA: Amin Bandali (abandali)

=== Fall ===

PR: Mokai Xu (m92xu)
VP: Anastassia Gaikovaia (agaikova) (stepped down as of 2020-11-30)
TR: Neil Parikh (n3parikh)
AV: Edwin Yang (e37yang)
SA: Murphy Berzish (mtrberzi)

= 2021 =
In 2021, CSC rapidly expanded the Program Committee, introducing subcommittees including Design, Events, Marketing, Photography, Reps, Discord mods, and Discord bot developers. The website committee also expanded, and the terminal committee was officially repurposed to serve a syscom-in-training role (since the office remained closed and the terminals powered off).

=== Winter ===

PR: Kallen Tu (k4tu)
VP: Gordon Le (g2le)
TR: Neil Parikh (n3parikh)
AV: Nakul Vijhani (nvijhani)
SA: Max Erenberg (merenber)

=== Spring ===

PR: Kallen Tu (k4tu)
VP: Gordon Le (g2le)
TR: Neil Parikh (n3parikh)
AV: Ravindu Angammana (rbangamm)
SA: Max Erenberg (merenber)

=== Fall ===

PR: Dora Su (d43su)
VP: Jason Sang (jzsang)
TR: Yanni Wang (y3859wan)
AV: Anjing Li (a348li)
SA: Max Erenberg (merenber)
Advising: Neil Parikh (n3parikh)

= 2022 =

=== Winter ===

PR: Juthika Hoque (j3hoque)
VP: Eric Huang (e48huang)
TR: Eden Chan (e223chan)
AV: Dina Orucevic (dmorucev)
SA: Raymond Li (r389li)
WW: Amy Wang (a258wang)
OF: Neil Parikh (n3parikh)

=== Spring ===

PR: Eden Chan (e223chan)
VP: Bonnie Peng (b38peng)
TR: Sat Arora (s97arora)
AV: Haley Song (h79song)
SA: Raymond Li (r389li)
WW: Amy Wang (a258wang)
OF: Sat Arora (s97arora)
LI: Santiago Montemayor (smontema) (appointed 2022-06-02)
FR: Sat Arora (s97arora) (appointed 2022-06-23)

=== Fall ===

PR: Amy Wang (a258wang)
VP: Anna Wang (aj2wang)
TR: Simon Zeng (s33zeng)
AV: Mabel Kwok (m23kwok)
SA: Raymond Li (r389li)
WW: Shahan Nedadahandeh (snedadah)
OF: Mark Chen (m375chen) (appointed 2022-09-21)
LI: John Oss (joss) (appointed 2022-10-06)
FR: Mark Chen (m375chen) and Simon Zeng (s33zeng) (appointed 2022-09-21)

= 2023 =

=== Winter ===

PR: Sat Arora (s97arora)
VP: Ivy Lei (ihlei)
TR: Laura Nguyen (l69nguye)
AV: Adele Chen (a332chen)
SA: Leo Shen (y266shen)
WW: Shahan Nedadahandeh (snedadah)
OF: Young Wang (y3285wan)
LI: John Oss (joss)

=== Spring ===

PR: Sat Arora (s97arora)
VP: Joshua Kim (j649kim)
TR: Amy Wang (a258wang)
AV: Andrea Ma (a49ma)
SA: Raymond Li (r389li)
WW: Shahan Nedadahandeh (snedadah)
OF: Sean Zhang (q434zhan)

=== Fall ===

PR: Laura Nguyen (l69nguye)
VP: Amol Venkataraman (avenkata)
TR: Bryan Chen (b28chen)
AV: Amy Wang (a258wang)
SA: Nathan Chung (n4chung)
WW: Darren Lo (dlslo), Richard Shuai (r2shuai)
OF: Ivy Lei (ihlei), Kevin Cui (k8cui)

= 2024 =

=== Winter ===
PR: Ivy Lei (ihlei)
VP: Gordon Lin (g3lin)
TR: Andrea Ma (a49ma)
AV: Saurin Patel (sa23pate)
SA: Nathan Chung (n4chung)
WW: Darren Lo (dlslo), Richard Shuai (r2shuai)
OF: Tiger Ding (t27ding)

=== Spring ===
PR: Gordon Lin (g3lin)
VP: Justin Wang (yw2wang)
TR: Andrea Ma (a49ma)
AV: Sean Zhang (q434zhan)
SA: Nathan Chung (n4chung)
WW: Tejas Srikanth (tcsrikan)
OF: Bryan Wang (b397wang)
=== Fall ===
Nathan Chung resigned half way through the term, and an election was held to elect Ohm Patel as the new sysadmin.

Ivy Fan-Chiang also resigned half way through the term, and Tiger Ding was appointed as the new Office Manager.
PR: Iris Liao (a23liao)
VP: Siimar Leen Kaur (s32kaur)
TR: Grace Feng (g27feng)
AV: Ray Cao (r44cao)
SA: Nathan Chung (n4chung) resigned, replaced by Ohm Patel (o32patel)
WW: Tejas Srikanth (tcsrikan)
OF: Ivy Fan-Chiang (qkfanchi) resigned, replaced by Tiger Ding (t27ding)

= 2025 =

=== Winter ===
Alexandru-Andrei Stan resigned early in the term as the Office Manager, and Dundee Zhang was appointed as the new Office Manager.

Sourojeet Adhikari resigned late into the term as Club President. Enming Yang became Acting President.
PR: Sourojeet Adhikari (s23adhik) resigned 2025-03-23, replaced by Enming Yang (emyang) (Acting as of 2025-03-24)
VP: Enming Yang (emyang)
TR: Samir Sharma (s576shar)
AV: Alexandru-Andrei Stan (a2stan)
SA: Ohm Patel (o32patel)
WW: Ryan Zhu (ry3zhu)
OF: Dundee Zhang (dh2zhang) (appointed 2025-01-30)
FL: Dundee Zhang (dh2zhang)
FR: Alexandru-Andrei Stan (a2stan) (appointed 2025-01-30)

Meeting:Orgcom Updates/President 2025 Winter

2025-03-22T19:54:48Z

S23adhik:

Many people call the President Siracha, his name is actually Sourojeet

Notable things done this term

* 40k from SLEF for servers, deadline is late December
* 18k from MEF for servers, deadline is late December
* In continued talks with mathSoc to sort out to figure out what to do with the servers long term in terms of maintenance, and usage
* Figuring out what will happen to our servers when M4 comes along
** So far our servers will be moved
** we will get rack space
** and we should be using the room's UPS
** No idea how the UPS stuff will work tho ;-;
* Began doing Exec take overs of insta again, and internal socials, and bought some books (riscv, and rust book)
* 'Borrowed' a couch from EngSoc as a prank, and their Emblem
* Celcius (energy drink) are like, super popular LOL
* Started CSC Flash again
* As of S24, we use Vault Warden for our passwords
* Mirror upgrade parts have been bought, hopfully I remember to put in when they're installed
* Started reaching out to Alumni to do Talks about their work and stuff
* I have heard via the great vine... that the wall may fall..........
* Started to prepare to buy another round of plushies
* New Thunderbolt 3/USB-4 docks (we only relised after buying that some of our laptops cant charge/use display at the same time LOL)

Meeting:Orgcom Updates/President 2025 Winter

2025-02-27T03:58:27Z

S23adhik:

Many people call the President Siracha, his name is actually Sourojeet

Notable things done this term

* 40k from SLEF for servers, deadline is late December
* In continued talks with mathSoc to sort out to figure out what to do with the servers long term in terms of maintenance, and usage
* Figuring out what will happen to our servers when M4 comes along
** So far our servers will be moved
** we will get rack space
** and we should be using the room's UPS
** No idea how the UPS stuff will work tho ;-;
* Began doing Exec take overs of insta again, and internal socials, and bought some books (riscv, and rust book)
* 'Borrowed' a couch from EngSoc as a prank, and their Emblem
* Celcius (energy drink) are like, super popular LOL
* Started CSC Flash again
* As of S24, we use Vault Warden for our passwords
* Mirror upgrade parts have been bought, hopfully I remember to put in when they're installed
* Started reaching out to Alumni to do Talks about their work and stuff
* I have heard via the great vine... that the wall may fall..........
* Started to prepare to buy another round of plushies
* New Thunderbolt 3/USB-4 docks (we only relised after buying that some of our laptops cant charge/use display at the same time LOL)

Meeting:Orgcom Updates/President 2025 Winter

2025-02-24T02:28:11Z

S23adhik: added the new info lol

Meeting:Orgcom Updates/

2025-02-24T02:14:38Z

S23adhik:

Updates in OrgCom

https://wiki.csclub.uwaterloo.ca/Orgcom_Updates/Assistant_Vice-President_2023_Fall

[[Orgcom Updates/President 2025 Winter]]

Meeting:Orgcom Updates/

2025-02-24T02:13:47Z

S23adhik: Created page with "Updates in OrgCom https://wiki.csclub.uwaterloo.ca/Orgcom_Updates/Assistant_Vice-President_2023_Fall"

Updates in OrgCom

https://wiki.csclub.uwaterloo.ca/Orgcom_Updates/Assistant_Vice-President_2023_Fall

Acronyms

2025-01-14T01:28:43Z

S23adhik:

Over the F22, W23, S23, W24, and S24 terms, many members within the office speculated what CSC stands for. Here are their postulations (in alphabetical order):

* Caffeinated Students Club
* Calculator Slaves Club
* Calcium-deficient Students Club
* Camera-Shy Club
* Canadian Sussy Club
* Can't Sleep Club
* Can't Stop CSC
* Can't Succeed Club
* Card Skills Club
* Cascading Style Club
* Celeste Strawberry Collection
* Celeste Speedrunning Club
* Celeste Streaming Club
* Chair Sleeping Club
* Charge Smartphone Club
* Chess Studies Club
* Chopin Studies Club
* City Skylines Club
* Clown Syndicate Club
* Coffee Supply Club
* Collecting Strawberries Club
* Come Seethe and Cope
* Comic Sans Club
* Committee Sacking Club
* Communal Shoe Club
* Communal Shower Club
* Complimentary Slackness Condition
* Compulsory Sadness Condition
* Compulsory Sleep Club
* Computer Stop-working Club
* Confidential Secrets Club
* Connection Sucks Club
* Constant Sacrificing Club
* Cooking Spaghetti Club
* Cool Shit Club
* Cool Students Club
* Copyright Safeguarding Club
* Cosecant
* Co-op Suckers Club
* Crazy Superglue Club
* Creature Saving Club
* Crying Students Club
* CSC Scribbling Club
* CSC Sussy Committee
* CSC Systems Committee
* Cutting Sticker Club
* Culinary Students Club
* Capital & Securities Club
* CSC Safety Committee
* Committees Sleeping Club
* Consistently Sleeping club
* Cartwheel Stumbling Club
* Camera Success Club
* in-Class Sleeping Club
* Cooked Servers Club
* Crumbling servers club
* Coup SciSoc Club
* Club of Siracha Commandeering
* Cycling Students Club
* Counter Strike club
* Cancerous Spreadsheets Club
* Camera Sawing Club
* Cannabinoid Sales Club
* Cat smuggling Club
* Collecting Sponsorships Club
* concerning security club
* Ctf Team Stealing Club
* Computer Shopping Club
* Consuming Steroids Club
* cuddly shark club
* Communist State Club
* Come Stab Club
* Can't Stream Club

History

2025-01-04T00:10:14Z

S23adhik: /* The PMC intervention */ fix date

== Creation Date ==

The Computer Science Club has been in existence since 1931. The club was not officially part of the University of Waterloo, rather was a general interest club formed by a collection of interested individuals who read Kleene, Church, and Turing's work that formed the basis of Computer Science. The club joined the University of Waterloo shortly after the founding of the University in 1957. Much of the history prior to the creation of the University is unclear, as documents dating back this far have only recently been recovered.

== The CSC Fire ==

It is believed that many of the documents describing the original club were destroyed when the original office destroyed by a fire at the then Waterloo University (now Wilfred Laurier University).

== The PMC intervention ==

At some point between 2000-2010, CSC had devloved into a bunch of very stinky nerds just playing nethack all day on the computers. The Pure Math Club (who was 2 doors down) had become appaled with the state of the club, and thus; decided to try and fix the situation. This was by Rallying together at the CSC election, electing one of their own as president, and changing the office rules to include 'No Gaming' in the office.

And thus, the people playing only NetHack 24/7 had finally left.

This rule was kept all the way till mid-way through till Winter 2022.

== CSC on Probation ==

Due to a lack of information about this event, we may be missing information about this event.

According to Winter 2022 mathsoc meeting-minutes CSC was breaking a lot of policies, and doing sketchy things like;

# Virtual gambling prizes was a red flag that could interfer with WUSA's non-profit status. They were going to get more clarification on this, but then idk.
# CSC had a paypal account, which was NOT allowed under mathsoc policy. We used a screenshot of a successful Paypal transfer as proof of payment. We refused to consider using shop.wusa.ca, because we were scared of photoshopping
# Thus the VPA motioned to (quoting from the meeting minutes);
## Whereas CSC has been using an unauthorized PayPal account; then Be it resolved that MathSoc Council directs CSC to transfer all money in their PayPal account to MathSoc; and Be it further resolved that MathSoc Council directs CSC to give the Paypal account login details to the VPF; and Be it further resolved that if CSC does not comply by 11:59 PM on February 28th, 2022, then they shall be placed under probation as outlined in MathSoc Policy 6 "Clubs Policy".
# Then it was revealed that CSC has a lot of other infractions like at least 3 notices this term by the VPI, the only thing mentioned in the notes was; not following the mathsoc policies (not showing the logo)

Putting CSC on probation was reasonable here

Then on June 10th CSC was taken off of probation

But MathSoc is uh... notorious for lack of continunity... So they forgot we were taken off of probation.

October 10th our probation was extended to the end of W22.

For reasons that shall never be known

After consulting some alumni, and members of CSC who were around this entire fiasco. Allegedly CSC had an agreement with MathSoc that allowed us to use Paypal instead of WUSA. If you ever become treasurer, you'll know why this is favourable.

But during a MathSoc transition, it was forgotten about.
[[Category:About]]

History

2025-01-03T23:41:15Z

S23adhik:

== Creation Date ==

The Computer Science Club has been in existence since 1931. The club was not officially part of the University of Waterloo, rather was a general interest club formed by a collection of interested individuals who read Kleene, Church, and Turing's work that formed the basis of Computer Science. The club joined the University of Waterloo shortly after the founding of the University in 1957. Much of the history prior to the creation of the University is unclear, as documents dating back this far have only recently been recovered.

== The CSC Fire ==

It is believed that many of the documents describing the original club were destroyed when the original office destroyed by a fire at the then Waterloo University (now Wilfred Laurier University).

== The PMC intervention ==

At some point between 2000-2010, CSC had devloved into a bunch of very stinky nerds just playing nethack all day on the computers. The Pure Math Club (who was 2 doors down) had become appaled with the state of the club, and thus; decided to try and fix the situation. This was by Rallying together at the CSC election, electing one of their own as president, and changing the office rules to include 'No Gaming' in the office.

And thus, the people playing only NetHack 24/7 had finally left.

This rule was kept all the way till mid-way through Fall 2024, where the office rules were rewritten to reflect an increasingly complicated environment, that the office has become.

== CSC on Probation ==

Due to a lack of information about this event, we may be missing information about this event.

According to Winter 2022 mathsoc meeting-minutes CSC was breaking a lot of policies, and doing sketchy things like;

# Virtual gambling prizes was a red flag that could interfer with WUSA's non-profit status. They were going to get more clarification on this, but then idk.
# CSC had a paypal account, which was NOT allowed under mathsoc policy. We used a screenshot of a successful Paypal transfer as proof of payment. We refused to consider using shop.wusa.ca, because we were scared of photoshopping
# Thus the VPA motioned to (quoting from the meeting minutes);
## Whereas CSC has been using an unauthorized PayPal account; then Be it resolved that MathSoc Council directs CSC to transfer all money in their PayPal account to MathSoc; and Be it further resolved that MathSoc Council directs CSC to give the Paypal account login details to the VPF; and Be it further resolved that if CSC does not comply by 11:59 PM on February 28th, 2022, then they shall be placed under probation as outlined in MathSoc Policy 6 "Clubs Policy".
# Then it was revealed that CSC has a lot of other infractions like at least 3 notices this term by the VPI, the only thing mentioned in the notes was; not following the mathsoc policies (not showing the logo)

Putting CSC on probation was reasonable here

Then on June 10th CSC was taken off of probation

But MathSoc is uh... notorious for lack of continunity... So they forgot we were taken off of probation.

October 10th our probation was extended to the end of W22.

For reasons that shall never be known

After consulting some alumni, and members of CSC who were around this entire fiasco. Allegedly CSC had an agreement with MathSoc that allowed us to use Paypal instead of WUSA. If you ever become treasurer, you'll know why this is favourable.

But during a MathSoc transition, it was forgotten about.
[[Category:About]]

History

2025-01-03T23:31:02Z

S23adhik: /* CSC on Probation */

== Creation Date ==

The Computer Science Club has been in existence since 1931. The club was not officially part of the University of Waterloo, rather was a general interest club formed by a collection of interested individuals who read Kleene, Church, and Turing's work that formed the basis of Computer Science. The club joined the University of Waterloo shortly after the founding of the University in 1957. Much of the history prior to the creation of the University is unclear, as documents dating back this far have only recently been recovered.

== The CSC Fire ==

It is believed that many of the documents describing the original club were destroyed when the original office destroyed by a fire at the then Waterloo University (now Wilfred Laurier University).

== CSC on Probation ==

Due to a lack of information about this event, we may be missing information about this event.

According to Winter 2022 mathsoc meeting-minutes CSC was breaking a lot of policies, and doing sketchy things like;

# Virtual gambling prizes was a red flag that could interfer with WUSA's non-profit status. They were going to get more clarification on this, but then idk.
# CSC had a paypal account, which was NOT allowed under mathsoc policy. We used a screenshot of a successful Paypal transfer as proof of payment. We refused to consider using shop.wusa.ca, because we were scared of photoshopping
# Thus the VPA motioned to (quoting from the meeting minutes);
## Whereas CSC has been using an unauthorized PayPal account; then Be it resolved that MathSoc Council directs CSC to transfer all money in their PayPal account to MathSoc; and Be it further resolved that MathSoc Council directs CSC to give the Paypal account login details to the VPF; and Be it further resolved that if CSC does not comply by 11:59 PM on February 28th, 2022, then they shall be placed under probation as outlined in MathSoc Policy 6 "Clubs Policy".
# Then it was revealed that CSC has a lot of other infractions like at least 3 notices this term by the VPI, the only thing mentioned in the notes was; not following the mathsoc policies (not showing the logo)

Putting CSC on probation was reasonable here

Then on June 10th CSC was taken off of probation

But MathSoc is uh... notorious for lack of continunity... So they forgot we were taken off of probation.

October 10th our probation was extended to the end of W22.

For reasons that shall never be known

After consulting some alumni, and members of CSC who were around this entire fiasco. Allegedly CSC had an agreement with MathSoc that allowed us to use Paypal instead of WUSA. If you ever become treasurer, you'll know why this is favourable.

But during a MathSoc transition, it was forgotten about.
[[Category:About]]

LDAP

2024-12-18T07:45:04Z

S23adhik:

We use [http://www.openldap.org/ OpenLDAP] for directory services. Our primary LDAP server is [[Machine_List#auth1|auth1]] and our secondary LDAP server is [[Machine_List#auth2|auth2]].

=== ehashman's Guide to Setting up OpenLDAP on Debian ===

Welcome to my nightmare.

==== What is LDAP? ====

<blockquote>'''LDAP:''' Lightweight Directory Access Protocol

An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. — [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol Wikipedia: LDAP]
</blockquote>
In this case, "directory" refers to the user directory, like on an old-school Rolodex. Many groups use LDAP to maintain their user directory, including the University (the "WatIAM" identity management system), the Computer Science Club, and even the UW Amateur Radio Club.

This is a guide documenting how to set up LDAP on a Debian Linux system.

==== First steps ====

<ul>
<li>Ensure that openldap is installed on the machine:
<pre># apt-get install slapd ldap-utils</pre></li>
<li>Debian will do a lot of magic and set up a skeleton LDAP server and get it running. We need to configure that further.</li>
<li>Let's set up logging before we forget. Create the following files in <code>/var/log</code>:
<pre># mkdir /var/log/ldap
# touch /var/log/ldap.log</pre></li>
<li>Set ownership correctly:
<pre># chown openldap:openldap /var/log/ldap</pre></li>
<li>Set up rsyslog to dump the LDAP logs into <code>/var/log/ldap.log</code> by adding the following lines:
<pre># vim /etc/rsyslog.conf
...
# Grab ldap logs, don't duplicate in syslog
local4.* /var/log/ldap.log</pre></li>
<li>Set up log rotation for these by creating the file [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/logrotate.d.ldap <code>/etc/logrotate.d/ldap</code>] with the following contents:
<pre>/var/log/ldap/*log {
weekly
missingok
rotate 1000
compress
delaycompress
notifempty
create 0640 openldap adm
postrotate
if [ -f /var/run/slapd/slapd.pid ]; then
/etc/init.d/slapd restart >/dev/null 2>&1
fi
endscript
}

/var/log/ldap.log {
weekly
missingok
rotate 24
compress
delaycompress
notifempty
}</pre></li>
<li>As of OpenLDAP 2.4, it doesn't actually create a config file for us. Apparently, this is a "feature": LDAP maintainers think we should want to set this up via dynamic queries. We don't, so the first thing we need is our [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/slapd.conf <code>slapd.conf</code>] file.</li></ul>

===== Building <code>slapd.conf</code> from scratch =====

<ul>
<li>Get a copy to work with:
<pre># scp uid@auth1.csclub.uwaterloo.ca:/etc/ldap/slapd.conf /etc/ldap/ ## you need CSC root for this</pre></li>
<li>You'll want to comment out the TLS lines, and anything referring to Kerberos and access for now. You'll also want to comment out lines specifically referring to syscom and office staff.</li>
<li>Make sure you remove the reference to <code>nonMemberTerm</code> as an index, as we're going to remove this field.</li>
<li>You'll also need to generate a root password for the LDAP to bootstrap auth, like so:
<pre># slappasswd
New password:
Re-enter new password:
{SSHA}longhash</pre></li>
<li>Add this line below <code>rootdn</code> in the <code>slapd.conf</code>:
<pre>rootpw {SSHA}longhash</pre></li>
<li>Now we want to edit all instances of "csclub" to be "wics" instead, e.g.:
<pre>suffix "dc=wics,dc=uwaterloo,dc=ca"
rootdn "cn=root,dc=wics,dc=uwaterloo,dc=ca"</pre></li>
<li>Next, we need to grab all the relevant schemas:
<pre>scp -r uid@auth1.csclub.uwaterloo.ca:/etc/ldap/schema/ /tmp/schemas</pre></li>
<li>Use the include directives to help you find the ones you need. I noticed we were missing <code>sudo.schema</code>, <code>csc.schema</code>, and <code>rfc2307bis.schema</code>.</li>
<li>Open up the [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/csc.schema <code>csc.schema</code>] for editing; we're not using it verbatim. Remove the attributes <code>studentid</code> and <code>nonMemberTerm</code> and the objectclass <code>club</code>. Also make sure you change the OID so we don't clash with the CSC. Because we didn't want to go through the process of requesting a [http://pen.iana.org/pen/PenApplication.page PEN number], we chose arbitrarily to use 26338, which belongs to IWICS Inc.</li>
<li>We also need to can the auto-generated config files, so do that:
<pre># rm -rf /etc/openldap/slapd.d/*</pre></li>
<li>Also nuke the auto-generated database:
<pre># rm /var/lib/ldap/__db.*</pre></li>
<li>Configure the database:
<pre># cp /usr/share/slapd/DB_CONFIG /var/lib/ldap/
# chown openldap:openldap /var/lib/ldap/DB_CONFIG </pre></li>
<li>Now we can generate the new configuration files:
<pre># slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/</pre></li>
<li>And ensure that the permissions are all set correctly, lest this break something:
<pre># chown -R openldap:openldap /etc/ldap/slapd.d</pre></li>
<li>If at this point you get a nasty error, such as
<pre>5657d4db hdb_db_open: database "dc=wics,dc=uwaterloo,dc=ca": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
5657d4db backend_startup_one (type=hdb, suffix="dc=wics,dc=uwaterloo,dc=ca"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)</pre>
Just try restarting slapd, and see if that fixes the problem:
<pre># service slapd stop
# service slapd start</pre></li>
<li>Congratulations! Your LDAP service is now configured and running.</li></ul>

==== Getting TLS Up and Running ====

<ul>
<li>Now that we have our LDAP service, we'll want to be able to serve encrypted traffic. This is especially important for any remote access, since binding to LDAP (i.e. sending it a password for auth) occurs over plaintext, and we don't want to leak our admin password.</li>
<li>Our first step is to copy our SSL certificates into the correct places. Public ones go into <code>/etc/ssl/certs/</code> and private ones go into <code>/etc/ssl/private/</code>.</li>
<li>Since the LDAP daemon needs to be able to read our private cert, we need to grant LDAP access to the private folder:
<pre># chgrp openldap /etc/ssl/private
# chmod g+x /etc/ssl/private</pre></li>
<li>Next, uncomment the TLS-related settings in <code>slapd.conf</code>. These are <code>TLSCertificateFile</code> (the public cert), <code>TLSCertificateKeyFile</code> (the private key), <code>TLSCACertificateFile</code> (the intermediate CA cert), and <code>TLSVerifyClient</code> (set to "allow").
<pre># enable TLS connections
TLSCertificateFile /etc/ssl/certs/wics-wildcard.crt
TLSCertificateKeyFile /etc/ssl/private/wics-wildcard.key

# enable TLS client authentication
TLSCACertificateFile /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
TLSVerifyClient allow</pre></li>
<li>Update all your LDAP settings:
<pre># rm -rf /etc/openldap/slapd.d/*
# slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/
# chown -R openldap:openldap /etc/ldap/slapd.d</pre></li>
<li>And last, ensure that LDAP will actually serve <code>ldaps://</code> by modifying the init script variables in <code>/etc/default/</code>:
<pre># vim /etc/default/slapd
...
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
...</pre></li>
<li>Now you can restart the LDAP server:
<pre># service slapd restart</pre></li>
<li>And assuming this is successful, test to ensure LDAP is serving on port 636 for <code>ldaps://</code>:
<pre># netstat -ntaup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 22847/slapd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 22847/slapd </pre></li></ul>

==== Populating the Database ====

Now you'll need to start adding objects to the database. While we'll want to mostly do this programmatically, there are a few entries we'll need to bootstrap.

===== Root Entries =====

<ul>
<li>Start by creating a file [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/tree.ldif <code>tree.ldif</code>] to create a few necessary "roots" in our LDAP tree, with the contents:
<pre>dn: dc=wics,dc=uwaterloo,dc=ca
objectClass: dcObject
objectClass: organization
o: Women in Computer Science
dc: wics

dn: ou=People,dc=wics,dc=uwaterloo,dc=ca
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=wics,dc=uwaterloo,dc=ca
objectClass: organizationalUnit
ou: Group</pre></li>
<li>Now attempt an LDAP add, using the password you set earlier:
<pre># ldapadd -cxWD cn=root,dc=wics,dc=uwaterloo,dc=ca -f tree.ldif
Enter LDAP Password:
adding new entry "dc=wics,dc=uwaterloo,dc=ca"

adding new entry "ou=People,dc=wics,dc=uwaterloo,dc=ca"

adding new entry "ou=Group,dc=wics,dc=uwaterloo,dc=ca"</pre></li>
<li>Test that everything turned out okay, by performing a query of the entire database:
<pre># ldapsearch -x -h localhost
# extended LDIF
#
# LDAPv3
# base <dc=wics,dc=uwaterloo,dc=ca> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# wics.uwaterloo.ca
dn: dc=wics,dc=uwaterloo,dc=ca
objectClass: dcObject
objectClass: organization
o: Women in Computer Science
dc: wics

# People, wics.uwaterloo.ca
dn: ou=People,dc=wics,dc=uwaterloo,dc=ca
objectClass: organizationalUnit
ou: People

# Group, wics.uwaterloo.ca
dn: ou=Group,dc=wics,dc=uwaterloo,dc=ca
objectClass: organizationalUnit
ou: Group

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3</pre></li></ul>

===== Users and Groups =====

<ul>
<li>Next, add users to track the current GID and UID. This will save us from querying the entire database every time we make a new user or group. Create this file, [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/nextxid.ldif <code>nextxid.ldif</code>]:
<pre>dn: uid=nextuid,ou=People,dc=wics,dc=uwaterloo,dc=ca
cn: nextuid
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 20000
gidNumber: 20000
homeDirectory: /dev/null

dn: cn=nextgid,ou=Group,dc=wics,dc=uwaterloo,dc=ca
objectClass: group
objectClass: posixGroup
objectClass: top
gidNumber: 10000</pre>
You'll see here that our first GID is 10000 and our first UID is 20000.</li>
<li>Now add them, like you did with the roots of the tree:
<pre># ldapadd -cxWD cn=root,dc=wics,dc=uwaterloo,dc=ca -f nextxid.ldif
Enter LDAP Password:
adding new entry "uid=nextuid,ou=People,dc=wics,dc=uwaterloo,dc=ca"

adding new entry "cn=nextgid,ou=Group,dc=wics,dc=uwaterloo,dc=ca"</pre></li></ul>

===== Special <code>sudo</code> Entries =====

<ul>
<li>We also need to add a sudoers OU with a defaults object for default sudo settings. We also need entries for syscom, such that members of the syscom group can use sudo on all hosts, and for termcom, whose members can use sudo on only the office terminals. Call this one [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/sudoers.ldif <code>sudoers.ldif</code>]:
<pre>dn: ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: !lecture
sudoOption: env_reset
sudoOption: listpw=never
sudoOption: mailto="wics-sys@lists.uwaterloo.ca"
sudoOption: shell_noargs

dn: cn=%syscom,ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca
objectClass: top
objectClass: sudoRole
cn: %syscom
sudoUser: %syscom
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL

dn: cn=%termcom,ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca
objectClass: top
objectClass: sudoRole
cn: %termcom
sudoUser: %termcom
sudoHost: honk
sudoHost: hiss
sudoHost: gosling
sudoCommand: ALL
sudoRunAsUser: ALL</pre></li>
<li>Now add them:
<pre># ldapadd -cxWD cn=root,dc=wics,dc=uwaterloo,dc=ca -f sudoers.ldif
Enter LDAP Password:
adding new entry "ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca"

adding new entry "cn=defaults,ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca"

adding new entry "cn=%syscom,ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca"

adding new entry "cn=%termcom,ou=SUDOers,dc=wics,dc=uwaterloo,dc=ca"</pre></li>
<li>Last, add some special local groups via [https://git.uwaterloo.ca/wics/documentation/blob/master/ldap/local-groups.ldif <code>local-groups.ldif</code>]:
<pre># ldapadd -cxWD cn=root,dc=wics,dc=uwaterloo,dc=ca -f local-groups.ldif</pre>
The local groups are special because they usually are present on all systems, but we want to be able to add users to them at the LDAP level. For instance, the audio group controls access to sound equipment, and the adm group controls log read access.</li>
<li>That's all the entries we have to add manually! Now we can use software for the rest. See [[weo|<code>ceo</code>]] for more details.</li></ul>

=== Querying LDAP ===

There are many tools available for issuing LDAP queries. Queries should be issued to <tt>ldap1.csclub.uwaterloo.ca</tt>. The search base you almost certainly want is <tt>dc=csclub,dc=uwaterloo,dc=ca</tt>. Read access is available without authentication; [[Kerberos]] is used to authenticate commands which require it.

Example:

ldapsearch -x -h ldap1.csclub.uwaterloo.ca -b dc=csclub,dc=uwaterloo,dc=ca uid=ctdalek

The <tt>-x</tt> option causes <tt>ldapsearch</tt> to switch to simple authentication rather than trying to authenticate via SASL (which will fail if you do not have a Kerberos ticket).

The University LDAP server (uwldap.uwaterloo.ca) can also be queried like this. Again, use "simple authentication" as read access is available (from on campus) without authentication. SASL authentication will fail without additional parameters.

Example:

ldapsearch -x -h uwldap.uwaterloo.ca -b dc=uwaterloo,dc=ca "cn=Prabhakar Ragde"

=== Replication ===

While <tt>ldap1.csclub.uwaterloo.ca</tt> ([[Machine_List#auth1|auth1]]) is the LDAP master, an up-to-date replica is available on <tt>ldap2.csclub.uwaterloo.ca</tt> ([[Machine_List#auth2|auth2]]).

In order to replicate changes from the master, the slave maintains an authenticated connection to the master which provides it with full read access to all changes.

Specifically, <tt>/etc/systemd/system/k5start-slapd.service</tt> maintains an active Kerberos ticket for <tt>ldap/auth2.csclub.uwaterloo.ca@CSCLUB.UWATERLOO.CA</tt> in <tt>/var/run/slapd/krb5cc</tt>. This is then used to authenticate the slave to the server, who maps this principal to <tt>cn=ldap-slave,dc=csclub,dc=uwaterloo,dc=ca</tt>, which in turn has full read privileges.

In the event of master failure, all hosts should fail LDAP reads seamlessly over to the slave.

[[Category:Software]]

=== Modifying LDAP entry ===

Editing entries can be easily done with <code>ldapvi</code>. First search for the entry using <code>ldapsearch</code> like above, and change <code>ldapsearch -x</code> to <code>ldapvi -Y GSSAPI</code> to make your edits.

Note that if your <tt>EDITOR</tt> enviroment is set to something not avaliable it will give out errors like

error (misc.c line 180): No such file or directory
editor died
error (ldapvi.c line 83): No such file or directory

This can be fixed by something like

EDITOR=vi ldapvi ******

==== Changing a user's username ====

Only a member of the Systems Committee can change a user's username. '''At all times, a user's username must match the user's username in WatIAM.'''

All changes to an account MUST be done in person so that identity can be confirmed. If a member cannot attend in person, then an alternate method of identity verification may be chosen by the Systems Administrator.

# Edit entries in LDAP (<code>ldapvi -Y GSSAPI</code>)
#* Find and replace the user's old username with the new one (<code>%s/$OLD/$NEW/g</code>)
# Change the user's Kerberos principal (on auth1, <code>renprinc $OLD $NEW</code>)
# Move the user's home directory (on aspartame, <code>mv /users/$OLD /users/$NEW</code>)
# Change the user's csc-general (and csc-industry, if subscribed) email address for <code>$OLD@csclub.uwaterloo.ca</code> to <code>$NEW@csclub.uwaterloo.ca</code>
#* https://mailman.csclub.uwaterloo.ca/admin/csc-general
# If the user has vhosts on caffeine, update them to point to their new username

If the user's account has been around for a while, and they request it, forward email from their old username to their new one.

# Edit <code>/etc/aliases</code> on mail. <code>$OLD: $NEW</code>
# Run <code>newaliases</code>

Ntp

2024-12-18T07:39:43Z

S23adhik: Created page with "CSC Runs an NTP server at ntp.csclub.uwaterloo.ca, however at the time of writting, IST has been saying weird things to CSCF, which have been told to us. We've been told that keeping it up might be slightly sketchy???"

CSC Runs an NTP server at ntp.csclub.uwaterloo.ca, however at the time of writting, IST has been saying weird things to CSCF, which have been told to us. We've been told that keeping it up might be slightly sketchy???