Infrastructure Unit server SL5 upgrade plans and progress

See also the list of inf-unit machines

And inf-unit plans for moving to the Forum


  • barrett - KDC master - in warranty until June 2009
  • mustang - FH KDC slave - in warranty until Jan 2009
  • nautilus - KB KDC slave - in warranty until Jan 2009
  • kingsmen - BP KDC slave - in warranty until Jan 2009
  • panther - AT KDC slave - in warranty until Jan 2009

One of the slaves will be upgraded first to test Kerberos operation under SL5. Thereafter, we will schedule the upgrade of the other slaves and, finally, the master.

Timescales: We plan to upgrade one machine to SL5 by end of week 15/02/08. Ideally this should be left in place for a week before upgrading the others. kingsmen will be the first to be upgraded as it's a slave LDAP, KDC and KCA, allowing us to test all of these services with adequate redundancy.


  • franklin - LDAP master - in warranty until March 2010
  • LDAP slaves are mustang, nautilus, kingsmen and panther - they are also all slave KDCs - see Kerberos section above for warranty details.

Again, a slave will be upgraded to SL5 first, to test LDAP operation.

We want to ensure that our current OpenLDAP version (2.3.38 on franklin, at the time of writing) has been tested thoroughly under SL5 before upgrading the master.

Timescales: see Kerberos above for details on upgrading slaves. We currently (07/02/08) have a test SL5 machine (kant) running as a syncrepl slave, used as a remote server by two proxy-caching slaves, to test basic operation.

Timescales for upgrading the LDAP master depend very much on the success of upgrading the slaves, so are difficult to accurately state. It would appear sensible to aim for mid-March.


  • calcutta - out of warranty

We should probably look at running lcfg2ldap on another machine, as it's perhaps a waste of resources having a server dedicated to running lcfg2ldap and nothing else. It should be tested under SL5 regardless of hardware considerations.

Timescales: testing of lcfg2ldap to be completed by end of February on separate host. Thereafter, upgrading calcutta should be relatively straightforward.


  • berlin - in warranty until Jan 2009
  • osprey - in warranty until Jan 2009

One cosign server will be upgraded first, for testing.

Timescales: One server to be upgraded to SL5 by end of week 15/02/08 and should be left in place for a week.


  • nautilus
  • mustang
  • kingsmen

(see Kerberos section above for warranty information)

KCA/kx509 operation will be tested as part of testing a KDC slave on SL5.

Timescales: see Kerberos above for details


  • nautilus - sixkts server runs on a KDC slave. This slave should probably be the last to be upgraded so we can test sixkts server in isolation.

Timescales: nautilus to be last of LDAP/KDC/KCA slaves to be upgraded, probably early March.

Other auth&auth things

  • authportal (symphony) - in warranty until Jan 2009. We plan on introducing a second authportal server - this should be installed as SL5.

Timescales: A second authportal server to be introduced by end of February. symphony to be upgraded after that, according to testing results.


All machines involved are out of warranty. beziers (at AT), and at least one of exeter and roujan (at KB), will live on in their current roles until either they finally die or are replaced, so all should be upgraded. lochgelly and pembroke (at BP) and endeston (at FH) are expected to die off in the course of the building moves, but may as well be upgraded now since we're doing the job for the others. No problems anticipated.

Timescales: At 14.1.2008, beziers, exeter and roujan have been reinstalled, and are running DICE SL5. I expect to reinstall the machines at BP and FH when I can arrange a suitable time. Aspiration: by the end of February.

Completed: 12.2.2008


curlew (currently at AT) and dunlin (at KB) are both new machines, and will be retained in their monitoring roles (although dunlin will be moved to the Forum). Both should be upgraded to SL5.

The monitoring code, its requisite packages, as well as auxiliary software (apacheconf, jnotify, remctl, etc.), will all need to be ported and tested.

Timescales: Aspiration: by the end of February.

Completed: dunlin upgraded 5.3.2008; curlew upgraded 18.3.2008 (after some problems exposed by the upgrade of dunlin were sorted out.)

Network infrastructure

Routers and infrastructure servers

All the site routers and infrastructure servers at BP (other than karajan) and FH are out of warranty. The original plan was to think about leaving machines at FC5 which would be phased out as part of the move to the Forum, but as the upgrade has turned out pretty straightforward and the Forum timescales have slipped, it was decided just to do the lot. They're all done now.


Although linnaeus and darwin are long out of warranty, we're planning on keeping them for now. They have both been upgraded to SL5. The DNS master is now on kleiber (SL5).


The kerberos/pam/tun bug doesn't happen when Russ Allbery's pam-krb5 module is used, so levine has been upgraded.

-- GeorgeRoss - 19 Mar 2008 -- TobyBlake - 07 Feb 2008

Topic revision: r22 - 25 Mar 2008 - 10:12:10 - IanDurkacz