Switching a Machine to Self-Managed
This is a guide to everything which needs to be done on a machine before it can be self-managed by a user.
BIOS
The administrator password for the BIOS must be removed so that it can be configured by the user.
Disks
ALL disks in the machine MUST be wiped using dban. The easiest way to do that is by PXE booting the machine and selecting the dban option from the menu.
On some machines dban does not work and freezes on boot. In this case, PXE boot to the sl7 install, as if installing a machine, but choose the (S)hell option rather than the "(I)nstall" option. Once in the shell, check which disk you want to wipe, in case there are two; you can use the lsblk command for this. Only the DICE disk needs to be fully wiped.
The command to fully wipe a disk, using sda as the disk to be wiped, is:
dd if=/dev/zero of=/dev/sda bs=4096
The bs=4096 option sets the block size, which makes the wipe a bit faster.
Once the wipe is finished there will be an error message; just restart.
Network
There are two ways a self-managed machine can be configured for networking.
- By default there should not be an entry for the hostname in the DNS - the machine will be allocated an address dynamically via DHCP. If there was previously a host entry in the DNS it will thus need removing.
- Only if a user really needs a static IP should one be allocated. If there was previously a host entry in the DNS it will thus need changing.
Depending on the location of the machine and the user requirements, the relevant subnet should be selected from this list. The user may require a network port to be configured in their office, or at least to be told which port in their floor box should be used. You can use netmon or netmonat to find the port information for a room.
LCFG Profile
Dynamic IP address
If a self-managed machine does not have a static IP address the machine should not have an LCFG profile. Any existing LCFG profile should be archived and then deleted. (INSTRUCTIONS TO COME).
The machine's inventory entry must be updated to record that the machine is self-managed, for example :-
ii edit --hostname beezer --managed_type selfdynamic
Static IP address
Please put any new self-managed machines on the SM164 wire.
SM197 is so full that any free addresses there should be kept for any servers that need to be on the same wire as existing cluster siblings.
If a static address is required then the LCFG profile should include the dice/os/selfmanaged.h and wire headers. It should look something like this:
#include <dice/os/selfmanaged.h>
#include <dice/hw/hp_elitedesk800g1.h>
#include <live/wire_sm164.h>
dhclient.mac 00:11:22:33:44:55
The machine's inventory entry must be updated to record that the machine is self-managed, for example :-
ii edit --hostname beezer --managed_type selfstatic
Firewall Headers
If a firewall hole needs to be opened to allow access to a service on the self-managed machine, the profile must also include the dice/options/ipfilter.h header. There MUST be an RT ticket and a review date for all holes. For example, opening up access to http and https can be done something like this:
#include <dice/options/ipfilter.h>
!ipfilter.export mADD(http)
!ipfilter.export mADD(https)
!ipfilter.RT mADD(99999)
!ipfilter.reviewDate mADD(16/07/2018)
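The rule that every hole has an RT ticket and a review date can be checked mechanically. The following is an added example, not part of the original page or of LCFG itself: a small Python audit that assumes profile source containing only the ipfilter lines in the form shown above and review dates written dd/mm/yyyy. The function and variable names are hypothetical.

```python
import re
from datetime import date, datetime

# Recognises only the "!ipfilter.<resource> mADD(<value>)" form shown on this page.
MUTATION = re.compile(r"^\s*!ipfilter\.(export|RT|reviewDate)\s+mADD\(([^)]*)\)\s*$")
HEADER = re.compile(r"^\s*#include\s+<dice/options/ipfilter\.h>\s*$")

def audit_profile(text, today):
    """Return policy findings; assumes dd/mm/yyyy review dates as on the page."""
    values = {"export": [], "RT": [], "reviewDate": []}
    lines = text.splitlines()
    has_header = any(HEADER.match(line) for line in lines)
    for line in lines:
        m = MUTATION.match(line)
        if m:
            values[m.group(1)].append(m.group(2).strip())
    holes = values["export"]
    if not holes:
        return []  # no holes opened, nothing to review
    findings = []
    if not has_header:
        findings.append("holes opened without dice/options/ipfilter.h")
    if not values["RT"]:
        findings.append("no RT ticket recorded for: " + ", ".join(holes))
    if not values["reviewDate"]:
        findings.append("no review date recorded for: " + ", ".join(holes))
    for raw in values["reviewDate"]:
        try:
            due = datetime.strptime(raw, "%d/%m/%Y").date()
        except ValueError:
            findings.append("unparseable review date: " + raw)
            continue
        if due < today:
            findings.append("review overdue since " + due.isoformat())
    return findings

# The page's own example, then a constructed profile with two defects.
PAGE_EXAMPLE = """#include <dice/options/ipfilter.h>
!ipfilter.export mADD(http)
!ipfilter.export mADD(https)
!ipfilter.RT mADD(99999)
!ipfilter.reviewDate mADD(16/07/2018)
"""
CONSTRUCTED_BAD = """#include <dice/options/ipfilter.h>
!ipfilter.export mADD(http)
!ipfilter.reviewDate mADD(2018-07-16)
"""
if __name__ == "__main__":
    print(audit_profile(CONSTRUCTED_BAD, date(2018, 8, 1)))
```

Run against each self-managed profile with today's date, any non-empty result marks a hole that needs its ticket, its review date, or its review.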
Policy
Ensure the user is aware that we have policies for self-managed machines by instructing them that they must read the relevant help page -
http://computing.help.inf.ed.ac.uk/self-managed-policy
--
StephenQuinney - 15 Dec 2017