Switching a Machine to Self-Managed

This is a guide to everything which needs to be done on a machine before it can be self-managed by a user.

BIOS

The administrator password for the BIOS must be removed so that it can be configured by the user.

Disks

ALL disks in the machine MUST be wiped using dban. The easiest way to do that is by PXE booting the machine and selecting the dban option from the menu.

For some machines dban does not work, it will freeze on boot. In this case you PXE boot to the sl7 install, as if installing a machine. Then, do not choose the "(I)nstall " option but the (S)hell one. Once in the shell check which disk you want to wipe, in case there are two. Only the DICE disk needs to be fully wiped. You can use the lsblk command The command to fully wipe is, using sda as the disk to be wiped

dd if=/dev/zero of=/dev/sda bs=4096

Network

There are two ways a self-managed machine can be configured for networking.

1. By default there should not be an entry for the hostname in the DNS - the machine will be allocated an address dynamically via DHCP. If there was previously a host entry in the DNS it will thus need removing.
2. Only if a user really needs a static IP should one be allocated. If there was previously a host entry in the DNS it will thus need changing.

Depending on the location of the machine and the user requirements the relevant subnet should be selected from this list. The user may require a network port to be configured in their office or at least to be told which port in their floor box should be used. You can use netmon or netmonat to find the port information for a room.

LCFG Profile

Dynamic IP address

If a self-managed machine does not have a static IP address the machine should not have an LCFG profile. Any existing LCFG profile should be archived and then deleted. (INSTRUCTIONS TO COME).

The machine's inventory entry must be updated to record that the machine is self-managed, for example :-

ii edit --hostname beezer --managed_type selfdynamic

Static IP address

Please put any new selfmanaged machines on the SM164 wire.

SM197 is so full that any free addresses there should be kept for any servers that need to be on the same wire as existing cluster siblings

If a static address is required then the LCFG profile should include the dice/os/selfmanaged.h and wire headers, it should look something like this:

#include <dice/os/selfmanaged.h>
#include <dice/hw/hp_elitedesk800g1.h>
#include <live/wire_sm164.h>

dhclient.mac    00:11:22:33::44::55

The machine's inventory entry must be updated to record that the machine is self-managed, for example :-

ii edit --hostname beezer --managed_type selfstatic

Firewall Headers

If a firewall hole needs to be opened to allow access to a service on the self-managed machine the profile must also include the dice/options/ipfilter.h header. There MUST be an RT ticket and a review date for all holes. For example, opening up access to http and https can be done something like this:

#include <dice/options/ipfilter.h>
!ipfilter.export        mADD(http)
!ipfilter.export        mADD(https)
!ipfilter.RT            mADD(99999)
!ipfilter.reviewDate    mADD(16/07/2018)

Policy

Ensure the user is aware that we have policies for self-managed machines by instructing them that they must read the relevant help page - http://computing.help.inf.ed.ac.uk/self-managed-policy

-- StephenQuinney - 15 Dec 2017