Configuration and Maintenance: MIB and SNMP, Week-6

Upload: leo-hamilton

Post on 03-Jan-2016


TRANSCRIPT

Configuration and Maintenance

MIB and SNMP

Week-6

Introduction

Configuration – How to initially set up the system as required

Maintenance – How to keep it that way!!

Systems tend towards disorder during use

Setting Policies

Definition
– A clear expression of goals and responses
– Prepares for possible errors or problems
– Documents Intent and Procedure

Necessary in medium to large organisations or where many administrators co-operate

Helps to align system operation with organisational objectives

System vs Application configuration

Modern trend toward implementing applications as collections of components

Increasingly, system configuration includes configuration of applications too!

Policies and Standards reduce variety and choice for users, but when implemented carefully, lead to economies of scale

System Policy includes:

Organisational rights and responsibilities

User rights and Account procedures

Network infrastructure and access rights

Application limits and responsibilities
– FTP, eMail, Printing, Web pages, CGI

Security and Privacy

Network Policy

Network structure derived from
– Design or Functional requirements
– Geography or Building constraints
– Network Engineering constraints

Policies should relate to operational goals
– Small organisation – resource sharing: single network, repeaters/switches
– Bigger organisation – sharing & reduced traffic: subnets – switches/routers

Network Policy

Segmentation
– Subnet addressing
– Logical to physical address mapping (VLANs?)
– Port Blocking? Different on each subnet?
– Blocking at Firewall or Router?

Address configuration
– IP – Static /etc/hosts, RARP, BOOTP, DHCP

Name Resolution
– IP – DNS, WINS

Directory – LDAP, MS PDC, Novell NDS

Applications Policy

TFTP/FTP – Anonymous, Read-Only?

SMTP
– Name aliases (eg [email protected])
– File size and type limitations (ie attachments)
– SPAM filtering
– Virus checking

HTTP
– Content & Style guides, plagiarism, authorisation?
– CGI / Modules allowed? (eg Apache mod_perl, mod_ssl)
– Load Limiting

Resource Sharing

Printing
– Personal printing? Page count quotas?
– Colour vs Monochrome

File Systems
– Common/Shared directories? Read-only?

Backups
– Global or Local?
– Image or File?
– Archival or Incremental?

Network Security

Physical security of Servers & Workstations

File/Directory/Resource access control lists
– UFS, NFS, Kerberos, NIS+, PDC, NDS

Superuser/Administrator Passwords
Enforced password aging and format rules
License servers
Logging and Auditing
Encryption tools supported?

Some common Configuration and Maintenance activities

Synchronisation

Keeping the time-of-day clocks set correctly on all hosts within a network

Many security and maintenance tasks depend on time-of-day or elapsed time

Hardware clock accuracy varies greatly
Can use UNIX script (rsh command)
Better to use NTP (xntpd or shareware available for most OSes)

Executing Tasks

Most host management systems require regular execution of housekeeping tasks

This is a key feature in most configuration management systems

Unix cron service
– crontab command
– /etc/crontab file format

Windows Schedule service
– at command

Unix cron service

To edit a user crontab: crontab -e
To list user crontab entries: crontab -l
crontab format:

min(0-59) hr(0-23) day(1-31) mth(1-12) weekday(Mon-Sun) ShellCommand
‘*’ in any position means ‘any’

# Run script every weekday morning Mon-Fri at 3:15am
15 3 * * Mon-Fri /usr/local/bin/script

# The root crontab
0 2 * * 0,4 /etc/cron.d/logchecker
5 4 * * 6 /usr/lib/newsyslog
0 0 * * * /usr/local/bin/cfwrap /usr/local/bin/cfdaily
30 * * * * /usr/local/bin/cfwrap /usr/local/bin/cfhourly
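Added example (Python, not part of the slides): a matcher for the five-field crontab format above. Given an entry and a date/time it reports whether cron would fire the command at that minute, handling names, ranges, lists and steps, plus Vixie cron’s rule that when both day fields are restricted either one matching is enough; the fires() wrapper takes the date/time as plain integers.

```python
# Added example (not from the slides): a matcher for the five-field crontab
# format above. Names are accepted for month (Jan..Dec) and weekday (Mon..Sun);
# weekday 0 and 7 both mean Sunday, as in Vixie cron.
from datetime import datetime

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
DAYS = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]

def _atom(tok, names, offset):
    """A number, or a three-letter name looked up in `names`, as an int."""
    t = tok.lower()[:3]
    return names.index(t) + offset if t in names else int(tok)

def expand(field, lo, hi, names=(), offset=0):
    """Expand one field ('*', '5', '1-5', '0,4', '*/15', 'Mon-Fri') to a set."""
    out = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-")
            start, end = _atom(a, names, offset), _atom(b, names, offset)
        else:
            start = end = _atom(part, names, offset)
        out.update(range(start, end + 1, step))
    return out

def matches(line, when):
    """True if cron would run this entry's command at datetime `when`."""
    f = line.split(None, 5)                      # five time fields + command
    mins, hrs = expand(f[0], 0, 59), expand(f[1], 0, 23)
    dom, mon = expand(f[2], 1, 31), expand(f[3], 1, 12, MONTHS, 1)
    dow = {d % 7 for d in expand(f[4], 0, 7, DAYS)}
    day_hit, wday_hit = when.day in dom, when.isoweekday() % 7 in dow
    # Vixie cron: if both day fields are restricted, either one matching suffices
    both = f[2] != "*" and f[4] != "*"
    day_ok = (day_hit or wday_hit) if both else (day_hit and wday_hit)
    return when.minute in mins and when.hour in hrs and when.month in mon and day_ok

def fires(line, year, month, day, hour, minute):
    """Same check with the date/time given as plain integers."""
    return matches(line, datetime(year, month, day, hour, minute))
```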

Automation

Configuring and maintaining any non-trivial network can be a heavy workload….

Automation hides the effort required, increasing the “efficiency” of administrators

But may increase reliance on net services
Therefore won’t work well if net unreliable!!

Automation Tools

Most Admin tools provide one or both of
– Administrator control interface (manual)
– Cloning of existing reference system (mirror)

These may have friendly GUI but often don’t provide autonomous activity

Allow a human manager to tweak things
Most are management frameworks for executing scripts (in shell or perl)

Automation Tools (see Burgess, Page 156…)

Examples include:
– Tivoli
– HP OpenView
– Microsoft SMS
– Sun Solstice
– Host Factory
– GNU/Linux tools

Scripting Languages used by Automation Tools

Shell and CLI: native to Host OS
– Most common…

Perl
Python
PHP

Monitoring Tools

Unobtrusively gather data about network or host behaviour (ie Audit)
Usually leave analysis of data until later
When specified parameters exceed pre-defined limits, an alarm can be raised (eg send email or SMS or pager message)
Alarm may trigger maintenance activity
In future, Neural network or Semantic analysis may be used to interpret these logs and perform complex autonomous maintenance

SNMP Tools

Useful for accessing management information from networked devices

Require user to know MIB structure
Focus is on message exchange syntax rather than information content….
snmpwalk, snmpget
Other APIs encapsulate SNMP tools
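Added example (Python, not from the slides) of the message-exchange mechanics that snmpwalk hides: it issues GETNEXT requests one at a time, each reply being the lexicographically next OID instance, and stops when the returned OID leaves the requested subtree, which is why the user needs to know the MIB structure. The agent table is constructed: standard system-group and ifTable OIDs with made-up values.

```python
# Added example (not from the slides): the GETNEXT mechanics behind snmpwalk.
# snmpwalk cannot ask for "everything under X"; it repeats GETNEXT, each reply
# being the lexicographically next instance, and stops when the returned OID
# leaves the requested subtree. The agent table is constructed: standard
# system-group and ifTable OIDs with made-up values.
AGENT = {
    "1.3.6.1.2.1.1.1.0": "Linux router 4.4.0",   # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 123456,                 # sysUpTime.0
    "1.3.6.1.2.1.1.5.0": "gw1.example.org",      # sysName.0
    "1.3.6.1.2.1.2.2.1.2.1": "lo",               # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "eth0",             # ifDescr.2
    "1.3.6.1.2.1.2.2.1.10.1": 4096,              # ifInOctets.1
    "1.3.6.1.2.1.2.2.1.10.2": 987654,            # ifInOctets.2
}

def oid_key(oid):
    """OIDs order component-wise as integers: '...2.2' sorts before '...10.1'."""
    return tuple(int(x) for x in oid.split("."))

def snmp_get(oid):
    """GET: the exact instance, or None (a v2c agent says noSuchInstance)."""
    return AGENT.get(oid)

def snmp_getnext(oid):
    """GETNEXT: the first instance whose OID sorts strictly after `oid`."""
    later = [o for o in AGENT if oid_key(o) > oid_key(oid)]
    if not later:
        return None                              # endOfMibView
    nxt = min(later, key=oid_key)
    return nxt, AGENT[nxt]

def snmp_walk(base):
    """Repeat GETNEXT from `base`, keeping replies that stay inside the subtree."""
    prefix = oid_key(base)
    result, cur = [], base
    while True:
        step = snmp_getnext(cur)
        if step is None or oid_key(step[0])[:len(prefix)] != prefix:
            return result                        # left the subtree (or end of MIB)
        result.append(step)
        cur = step[0]

if __name__ == "__main__":
    for oid, val in snmp_walk("1.3.6.1.2.1.2.2.1.2"):   # walk the ifDescr column
        print(oid, "=", val)
```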

Preventative Maintenance

Determine system policies
– Define what is expected and response to failure
SysAdmin team agreement
Enforce policies – inspect and repair
Educate users in good and bad practice
Care for special users. Catering to mission critical or power users can save time and effort later

Preventative Maintenance in general

Don’t rely on outside support – invest in local expertise
Educate users by posting information in a clear and friendly way
Make rules and structures as simple as possible
Keep valuable information about configurations securely and readily available
Document all changes so that others who may rebuild can incorporate them
Work defensively
If it ain’t broke, don’t fix it
Duplication provides fallback in case of a crisis

Other Preventative measures

Garbage Collection
– Disk tidying – deleting old or temporary files, flushing caches and out-of-date documents
– Process management – removing orphan and run-away or hung processes

Productivity or Throughput
– Priorities and Quotas – can prevent rogue processes flooding disk or overloading CPU, but can also interfere with legitimate short term overloads (eg compiles or compute bound process)

Cfengine

An environment for turning system policy into automated maintenance actions

Cfengine (see Burgess, 1st Edn Pg 158, 385)

Use cron to start cfengine at regular intervals
cfengine is a language used to define policies and a run-time environment (or robot) to interpret and implement these policies

cfengine is about:
– Defining how all hosts in network are to be configured
– Writing this as a ‘program’ to be read by all hosts
– Running this program on each host to check and fix its own configuration

cfengine capabilities

Check and configure network interface
Edit text files for system or users
Make/maintain symbolic links
Check and set file permissions
Delete ‘junk’ files
Automatic ‘static’ mounting of NFS files
Checks for presence of important system files
Controlled execution of user scripts
Process management

cfengine programs

cfengine.conf contains several action-type sections

action-type:
  classes::
    list of actions

Sections may be in any order, but are executed in order set by the actionsequence parameter of the control action-type

Classes is a single or compound expression identifying:
– Operating systems
– Hosts
– Times and days
– A user defined string

Actions are only performed if the classes:: expression is true for the current machine
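Added example (Python, not cfengine’s own code): an evaluator for a classes:: expression against the classes defined on a host, deciding whether that action section applies. The operators follow cfengine 2 conventions as I understand them (‘.’ and, ‘|’ or, ‘!’ not, parentheses for grouping, with ‘.’ binding tighter than ‘|’); the host’s class set (OS, hostname with dots as underscores, weekday, hour) is constructed.

```python
# Added example (not cfengine's own code): evaluate a cfengine-style classes::
# expression against the hard classes defined on this host. Operators follow
# cfengine 2 as I understand it: '.' = and, '|' = or, '!' = not, '()' groups,
# with '.' binding tighter than '|'. The host class set below is constructed.
import re

TOKEN = re.compile(r"\s*([A-Za-z0-9_]+|[().|!])")

def class_true(text, defined):
    """True if the classes:: expression selects a host having `defined` classes.
    expr := term ('|' term)*; term := factor ('.' factor)*;
    factor := '!' factor | '(' expr ')' | NAME"""
    toks = TOKEN.findall(text.strip().rstrip(":"))   # drop the trailing '::'
    pos = [0]                                        # cursor shared by the closures

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        pos[0] += 1
        return toks[pos[0] - 1] if pos[0] <= len(toks) else None

    def expr():
        val = term()
        while peek() == "|":
            take()
            val = term() or val          # evaluate first so tokens are consumed
        return val

    def term():
        val = factor()
        while peek() == ".":
            take()
            val = factor() and val
        return val

    def factor():
        tok = take()
        if tok == "!":
            return not factor()
        if tok == "(":
            val = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in " + text)
            return val
        return tok in defined

    return expr()

# Constructed hard classes for one host: OS, hostname (dots -> underscores), weekday, hour
HOST = {"linux", "gw1_example_org", "Monday", "Hr03"}
```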

Data Configuration & Management

Databases required as web back-end
– Usually SQL based

Database used as parameter storage
– LDAP
– Other proprietary storage (eg NDS, Active Directory)