Switching a Machine to Self-Managed

This is a guide to everything which needs to be done on a machine before it can be self-managed by a user.

BIOS

The administrator password for the BIOS must be removed so that it can be configured by the user.

Disks

ALL disks in the machine MUST be wiped using dban. The easiest way to do that is by PXE booting the machine and selecting the dban option from the menu.

Network

There are two ways a self-managed machine can be configured for networking.

  1. By default there should not be an entry for the hostname in the DNS - the machine will be allocated an address dynamically via DHCP. If there was previously a host entry in the DNS it will thus need removing.
  2. Only if a user really needs a static IP should one be allocated. If there was previously a host entry in the DNS it will thus need changing.

Depending on the location of the machine and the user requirements the relevant subnet should be selected from this list. The user may require a network port to be configured in their office or at least to be told which port in their floor box should be used. You can use netmon or netmonat to find the port information for a room.

LCFG Profile

Dynamic IP address

If a self-managed machine does not have a static IP address the machine should not have an LCFG profile. Any existing LCFG profile should be archived and then deleted. (INSTRUCTIONS TO COME).

The machine's inventory entry must be updated to record that the machine is self-managed, for example :-

ii edit --hostname beezer --managed_type selfdynamic

Static IP address

If a static address is required then the LCFG profile should include the dice/os/selfmanaged.h and wire headers. It should look something like this:

#include <dice/os/selfmanaged.h>
#include <dice/hw/hp_elitedesk800g1.h>
#include <live/wire_sm164.h>

dhclient.mac    00:11:22:33:44:55

The machine's inventory entry must be updated to record that the machine is self-managed, for example :-

ii edit --hostname beezer --managed_type selfstatic

Firewall Headers

If a firewall hole needs to be opened to allow access to a service on the self-managed machine the profile must also include the dice/options/ipfilter.h header. There MUST be an RT ticket and a review date for all holes. For example, opening up access to http and https can be done something like this:

#include <dice/options/ipfilter.h>
!ipfilter.export        mADD(http)
!ipfilter.export        mADD(https)
!ipfilter.RT            mADD(99999)
!ipfilter.reviewDate    mADD(16/07/2018)
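
One way to check the RT ticket and review date rule before a profile is committed, as an added example that is not part of the original page or of LCFG itself: a Python lint over the raw profile source text. It assumes holes are always written in the `!ipfilter.<resource> mADD(...)` form shown above and that review dates are DD/MM/YYYY; the function name is hypothetical.

```python
import re
from datetime import date, datetime

# Matches lines such as: !ipfilter.export   mADD(http)
MUT = re.compile(r"^\s*!ipfilter\.(\w+)\s+mADD\(([^)]*)\)\s*$")
HEADER = re.compile(r"^\s*#include\s+<dice/options/ipfilter\.h>\s*$")

def check_firewall_holes(profile_text, today):
    """Return a list of problems found in the ipfilter lines of a profile source."""
    values = {}            # resource name -> list of mADD() arguments
    has_header = False
    for line in profile_text.splitlines():
        if HEADER.match(line):
            has_header = True
        m = MUT.match(line)
        if m:
            values.setdefault(m.group(1), []).append(m.group(2).strip())
    if not values.get("export"):
        return []          # no holes opened, nothing to justify
    problems = []
    if not has_header:
        problems.append("holes opened without dice/options/ipfilter.h")
    if not any(t.isdigit() for t in values.get("RT", [])):
        problems.append("no RT ticket number recorded")
    dates = values.get("reviewDate", [])
    if not dates:
        problems.append("no review date recorded")
    for d in dates:
        try:
            when = datetime.strptime(d, "%d/%m/%Y").date()
        except ValueError:
            problems.append(f"unparseable review date: {d}")
            continue
        if when < today:
            problems.append(f"review date {d} has passed")
    return problems

# Sample input: the example lines from the page above (assumed format).
SAMPLE = """\
#include <dice/options/ipfilter.h>
!ipfilter.export        mADD(http)
!ipfilter.export        mADD(https)
!ipfilter.RT            mADD(99999)
!ipfilter.reviewDate    mADD(16/07/2018)
"""

if __name__ == "__main__":
    for problem in check_firewall_holes(SAMPLE, date.today()):
        print(problem)
```

Run against today's date, the page's own example is reported as having a passed review date, which is the prompt to revisit or close the hole.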

Policy

Ensure the user is aware that we have policies for self-managed machines by instructing them that they must read the relevant help page - http://computing.help.inf.ed.ac.uk/self-managed-policy

-- StephenQuinney - 15 Dec 2017

Topic revision: r2 - 12 Apr 2019 - 15:11:21 - AlastairScobie
 