Switching a Machine to Self-Managed

This is a guide to everything which needs to be done on a machine before it can be self-managed by a user.

BIOS

The administrator password for the BIOS must be removed so that it can be configured by the user.

Disks

ALL disks in the machine MUST be wiped using dban. The easiest way to do that is by PXE booting the machine and selecting the dban option from the menu.

For some machines dban does not work; it freezes on boot. In this case, PXE boot to the sl7 install, as if installing a machine, but choose the (S)hell option rather than the "(I)nstall" one. Once in the shell, check which disk you want to wipe, in case there are two; you can use the lsblk command to list the disks. Only the DICE disk needs to be fully wiped. The command to fully wipe a disk, using sda as the disk to be wiped, is:

dd if=/dev/zero of=/dev/sda bs=4096
The bs=4096 option sets the block size to 4096 bytes, which makes the wipe a bit faster. Once the wipe is finished there will be an error message; just restart.
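
One way to confirm that the dd wipe above overwrote the whole disk is to read it back and compare it against zeros. This is an added example, not part of the original guide; the function names and script name are hypothetical, and it assumes a shell with blockdev, head and cmp available.

```bash
#!/bin/bash
# Added example (not part of the original guide): confirm a wiped disk reads
# back as all zero bytes. Function names are hypothetical.

# Print the size in bytes of a block device or a regular file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Exit status: 0 = every byte is zero, 1 = non-zero data found, 2 = cannot check.
is_zeroed() {
    local target size
    target=$1
    [ -r "$target" ] || { echo "cannot read $target" >&2; return 2; }
    size=$(target_size "$target") || return 2
    [ "$size" -gt 0 ] || { echo "$target has zero length" >&2; return 2; }
    # Stream exactly $size zero bytes and compare them with the whole target.
    if head -c "$size" /dev/zero | cmp -s - "$target"; then
        return 0
    fi
    return 1
}

# Usage (hypothetical script name): sh verify_wipe.sh /dev/sda [/dev/sdb ...]
for disk in "$@"; do
    if is_zeroed "$disk"; then
        echo "$disk: wiped (all zeros)"
    else
        echo "$disk: NOT verified as wiped" >&2
    fi
done
```

Reading the disk back takes about as long as the wipe itself.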

Network

There are two ways a self-managed machine can be configured for networking.

  1. By default there should not be an entry for the hostname in the DNS - the machine will be allocated an address dynamically via DHCP. If there was previously a host entry in the DNS it will thus need removing.
  2. Only if a user really needs a static IP should one be allocated. If there was previously a host entry in the DNS it will thus need changing.

Depending on the location of the machine and the user requirements the relevant subnet should be selected from this list. The user may require a network port to be configured in their office or at least to be told which port in their floor box should be used. You can use netmon or netmonat to find the port information for a room.

LCFG Profile

Dynamic IP address

If a self-managed machine does not have a static IP address the machine should not have an LCFG profile. Any existing LCFG profile should be archived and then deleted. (INSTRUCTIONS TO COME).

The machine's inventory entry must be updated to record that the machine is self-managed, for example :-

ii edit --hostname beezer --managed_type selfdynamic

Static IP address

If a static address is required then the LCFG profile should include the dice/os/selfmanaged.h and wire headers; it should look something like this:

#include <dice/os/selfmanaged.h>
#include <dice/hw/hp_elitedesk800g1.h>
#include <live/wire_sm164.h>

dhclient.mac    00:11:22:33:44:55

The machine's inventory entry must be updated to record that the machine is self-managed, for example :-

ii edit --hostname beezer --managed_type selfstatic

Firewall Headers

If a firewall hole needs to be opened to allow access to a service on the self-managed machine the profile must also include the dice/options/ipfilter.h header. There MUST be an RT ticket and a review date for all holes. For example, opening up access to http and https can be done something like this:

#include <dice/options/ipfilter.h>
!ipfilter.export        mADD(http)
!ipfilter.export        mADD(https)
!ipfilter.RT            mADD(99999)
!ipfilter.reviewDate    mADD(16/07/2018)

Policy

Ensure the user is aware that we have policies for self-managed machines by instructing them that they must read the relevant help page - http://computing.help.inf.ed.ac.uk/self-managed-policy

-- StephenQuinney - 15 Dec 2017

Topic revision: r3 - 20 Sep 2019 - 11:24:09 - AdamKirylczuk
 