Switching a Machine to Self-Managed

This is a guide to everything which needs to be done on a machine before it can be self-managed by a user.

BIOS

The administrator password for the BIOS must be removed so that it can be configured by the user.

Disks

ALL disks in the machine MUST be wiped using dban. The easiest way to do that is by PXE booting the machine and selecting the dban option from the menu.

Network

There are two ways a self-managed machine can be configured for networking.

  1. By default there should not be an entry for the hostname in the DNS - the machine will be allocated an address dynamically via DHCP. If there was previously a host entry in the DNS it will thus need removing.
  2. Only if a user really needs a static IP should one be allocated. If there was previously a host entry in the DNS it will thus need changing.

Depending on the location of the machine and the user requirements the relevant subnet should be selected from this list. The user may require a network port to be configured in their office or at least to be told which port in their floor box should be used. You can use netmon or netmonat to find the port information for a room.

LCFG Profile

If a self-managed machine does not have a static IP address the LCFG profile should include the dice/os/placeholder.h and relevant hardware headers and look something like this:

#include <dice/os/placeholder.h>
#include <dice/hw/hp_elitedesk800g1.h>

dhclient.mac    00:11:22:33:44:55

If a static address is required then the LCFG profile should include the dice/os/selfmanaged.h and wire headers. It should look something like this:

#include <dice/os/selfmanaged.h>
#include <dice/hw/hp_elitedesk800g1.h>
#include <live/wire_sm164.h>

dhclient.mac    00:11:22:33:44:55

Firewall Headers

If a firewall hole needs to be opened to allow access to a service on the self-managed machine the profile must also include the dice/options/ipfilter.h header. There MUST be an RT ticket and a review date for all holes. For example, opening up access to http and https can be done something like this:

#include <dice/options/ipfilter.h>
!ipfilter.export        mADD(http)
!ipfilter.export        mADD(https)
!ipfilter.RT            mADD(99999)
!ipfilter.reviewDate    mADD(16/07/2018)
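
The check below is an added example, not part of the original page or of LCFG itself. It lints a profile fragment for the rules stated above: every firewall hole needs the ipfilter.h header, an RT ticket and a review date that has not passed. It assumes only the line forms shown on this page and a dd/mm/yyyy review date (inferred from the example); check_profile and the sample profile are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample profile, using only the line forms shown on this page.
SAMPLE_PROFILE = """\
#include <dice/os/selfmanaged.h>
dhclient.mac    00:11:22:33:44:55
#include <dice/options/ipfilter.h>
!ipfilter.export        mADD(http)
!ipfilter.RT            mADD(99999)
!ipfilter.reviewDate    mADD(16/07/2018)
"""

INCLUDE_RE = re.compile(r"^#include\s+<([^>]+)>")
MADD_RE = re.compile(r"^!ipfilter\.(\w+)\s+mADD\(([^)]*)\)")
MAC_RE = re.compile(r"^dhclient\.mac\s+(\S+)")
VALID_MAC = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

def check_profile(text, today):
    """Return a list of problems found in a self-managed profile fragment."""
    includes, values, problems = set(), {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := INCLUDE_RE.match(line):
            includes.add(m.group(1))
        elif m := MADD_RE.match(line):
            values.setdefault(m.group(1), []).append(m.group(2).strip())
        elif m := MAC_RE.match(line):
            if not VALID_MAC.match(m.group(1)):
                problems.append(f"malformed MAC address: {m.group(1)}")
    if not values.get("export"):
        return problems  # no holes opened, nothing more to check
    if "dice/options/ipfilter.h" not in includes:
        problems.append("ipfilter.export used without dice/options/ipfilter.h")
    if not values.get("RT"):
        problems.append("firewall hole has no RT ticket")
    dates = values.get("reviewDate", [])
    if not dates:
        problems.append("firewall hole has no review date")
    for d in dates:
        try:
            when = datetime.strptime(d, "%d/%m/%Y").date()
        except ValueError:
            problems.append(f"unparseable review date: {d}")
            continue
        if when < today:
            problems.append(f"review date {d} has passed")
    return problems
```

Pass today as a datetime.date; an empty list means the fragment satisfies the checks.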

Policy

Ensure the user is aware that we have policies for self-managed machines by recommending to them that they read the relevant help page - http://computing.help.inf.ed.ac.uk/self-managed-policy

-- StephenQuinney - 15 Dec 2017

Topic revision: r1 - 15 Dec 2017 - 10:18:52 - StephenQuinney
 