configuration and maintenance mib and snmp week-6
Introduction
- Configuration – How to initially set up a system as required
- Maintenance – How to keep it that way!!
- Systems tend towards disorder during use

Setting Policies
- Definition
  - A clear expression of goals and responses
  - Prepares for possible errors or problems
  - Documents intent and procedure
- Necessary in medium to large organisations or where many administrators co-operate
- Helps to align system operation with organisational objectives
System vs Application configuration
- Modern trend toward implementing applications as collections of components
- Increasingly, system configuration includes configuration of applications too!
- Policies and standards reduce variety and choice for users, but when implemented carefully, lead to economies of scale

System Policy includes:
- Organisational rights and responsibilities
- User rights and account procedures
- Network infrastructure and access rights
- Application limits and responsibilities
  - FTP, eMail, Printing, Web pages, CGI
- Security and Privacy
Network Policy
- Network structure derived from
  - Design or functional requirements
  - Geography or building constraints
  - Network engineering constraints
- Policies should relate to operational goals
  - Small organisation – resource sharing: single network, repeaters/switches
  - Bigger organisation – sharing & reduced traffic: subnets – switches/routers

Network Policy
- Segmentation
  - Subnet addressing
  - Logical to physical address mapping (VLANs?)
  - Port blocking? Different on each subnet?
  - Blocking at firewall or router?
- Address configuration
  - IP – static /etc/hosts, RARP, BOOTP, DHCP
- Name resolution
  - IP – DNS, WINS
  - Directory – LDAP, MS PDC, Novell NDS
Applications Policy
- TFTP/FTP – anonymous? read-only?
- SMTP
  - Name aliases (eg [email protected])
  - File size and type limitations (ie attachments)
  - SPAM filtering
  - Virus checking
- HTTP
  - Content & style guides, plagiarism, authorisation?
  - CGI / modules allowed? (eg Apache mod_perl, mod_ssl)
  - Load limiting

Resource Sharing
- Printing
  - Personal printing? Page count quotas?
  - Colour vs monochrome
- File systems
  - Common/shared directories? Read-only?
- Backups
  - Global or local?
  - Image or file?
  - Archival or incremental?

Network Security
- Physical security of servers & workstations
- File/directory/resource access control lists
  - UFS, NFS, Kerberos, NIS+, PDC, NDS
- Superuser/Administrator passwords
- Enforced password aging and format rules
- License servers
- Logging and auditing
- Encryption tools supported?
Some common Configuration and Maintenance activities

Synchronisation
- Keeping the time-of-day clocks set correctly on all hosts within a network
- Many security and maintenance tasks depend on time-of-day or elapsed time
- Hardware clock accuracy varies greatly
- Can use a UNIX script (rsh command)
- Better to use NTP (xntpd or shareware available for most OSes)
Executing Tasks
- Most host management systems require regular execution of housekeeping tasks
- This is a key feature in most configuration management systems
- Unix cron service
  - crontab command
  - /etc/crontab file format
- Windows Schedule service
  - at command

Unix cron service
- To edit a user crontab: crontab -e
- To list user crontab entries: crontab -l
- crontab format:

    min(0-59) hr(0-23) day(1-31) mth(1-12) weekday(Mon-Sun) ShellCommand

- '*' in any position means 'any' (the weekday may also be written as a number, 0 = Sunday, as the root crontab below does)

    # Run script every weekday morning Mon-Fri at 3:15am
    15 3 * * Mon-Fri /usr/local/bin/script

    # The root crontab
    0 2 * * 0,4 /etc/cron.d/logchecker
    5 4 * * 6 /usr/lib/newsyslog
    0 0 * * * /usr/local/bin/cfwrap /usr/local/bin/cfdaily
    30 * * * * /usr/local/bin/cfwrap /usr/local/bin/cfhourly
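The following is an added worked example, not code from the lecture notes: a small Python matcher for the crontab format described above. It takes the crontab lines shown on the slide as its sample input and answers the question an administrator auditing a crontab actually has, namely which entries fire at a given moment. The dates used to exercise it are constructed, and it also implements the Vixie cron rule for entries that restrict both day-of-month and weekday, which the slide does not cover.

```python
"""Crontab schedule matcher: an added example, not code from the lecture notes.

Parses the five time fields of crontab entries in the format shown above and
reports which entries would fire at a given date and time.  Handles '*',
single values, comma lists, ranges (a-b), steps (*/n), month and weekday
names, and cron's rule that weekday 0 and 7 both mean Sunday.
"""
from datetime import datetime

DAY_NAMES = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]
MONTH_NAMES = ["jan", "feb", "mar", "apr", "may", "jun",
               "jul", "aug", "sep", "oct", "nov", "dec"]
# (low, high, name table) for the five fields, in crontab order
FIELD_SPECS = [(0, 59, None), (0, 23, None), (1, 31, None),
               (1, 12, MONTH_NAMES), (0, 7, DAY_NAMES)]

def _atom(token, low, high, names):
    """Turn one value such as '4' or 'Mon' into an int within low..high."""
    text = token.lower()
    if names is not None and text in names:
        return names.index(text) + (1 if names is MONTH_NAMES else 0)
    value = int(text)
    if not low <= value <= high:
        raise ValueError(f"value {value} outside {low}-{high}")
    return value

def parse_field(field, low, high, names):
    """Expand one crontab field into the set of integers it matches."""
    matched = set()
    for part in field.split(","):
        step = 1
        if "/" in part:                     # e.g. */15 or 1-30/5
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:                   # range, e.g. Mon-Fri
            a, b = part.split("-", 1)
            start, end = _atom(a, low, high, names), _atom(b, low, high, names)
        else:
            start = end = _atom(part, low, high, names)
        matched.update(range(start, end + 1, step))
    if names is DAY_NAMES and 7 in matched:  # 7 is an alias for Sunday
        matched.discard(7)
        matched.add(0)
    return matched

def parse_entry(line):
    """Parse one crontab line into (field sets, day_or flag, command)."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError(f"not a crontab entry: {line!r}")
    fields = [parse_field(p, lo, hi, nm)
              for p, (lo, hi, nm) in zip(parts[:5], FIELD_SPECS)]
    # Vixie cron rule: when both day-of-month and weekday are restricted
    # (neither is '*'), the entry fires when either of them matches.
    day_or = parts[2] != "*" and parts[4] != "*"
    return fields, day_or, parts[5]

def entry_matches(fields, day_or, when):
    """True if a parsed entry fires at datetime `when`."""
    minute, hour, dom, month, dow = fields
    cron_dow = (when.weekday() + 1) % 7    # Python: Mon == 0; cron: Sun == 0
    dom_ok, dow_ok = when.day in dom, cron_dow in dow
    day_ok = (dom_ok or dow_ok) if day_or else (dom_ok and dow_ok)
    return (when.minute in minute and when.hour in hour
            and when.month in month and day_ok)

def due_commands(crontab_text, when):
    """Return the commands in crontab_text scheduled to run at `when`."""
    due = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blank lines and comments
            continue
        fields, day_or, command = parse_entry(line)
        if entry_matches(fields, day_or, when):
            due.append(command)
    return due

def due_at(crontab_text, year, month, day, hour, minute):
    """Same as due_commands, taking the time as plain integers."""
    return due_commands(crontab_text, datetime(year, month, day, hour, minute))

# Sample input: the crontab lines from the slides
SAMPLE_CRONTAB = """\
# The root crontab
0 2 * * 0,4 /etc/cron.d/logchecker
5 4 * * 6 /usr/lib/newsyslog
0 0 * * * /usr/local/bin/cfwrap /usr/local/bin/cfdaily
30 * * * * /usr/local/bin/cfwrap /usr/local/bin/cfhourly
15 3 * * Mon-Fri /usr/local/bin/script
"""

if __name__ == "__main__":
    # Thursday 4 Jan 2024, 02:00: only logchecker (weekday 4) is due
    for cmd in due_at(SAMPLE_CRONTAB, 2024, 1, 4, 2, 0):
        print(cmd)
```

Running it for a Thursday at 02:00 lists only /etc/cron.d/logchecker; for a Friday at 03:15 only the Mon-Fri script. Note that the parser only decides whether an entry is due; it does not run anything, which is what makes it safe to use for auditing a root crontab.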
Automation
- Configuring and maintaining any non-trivial network can be a heavy workload…
- Automation hides the effort required, increasing the "efficiency" of administrators
- But may increase reliance on net services
- Therefore won't work well if the net is unreliable!!

Automation Tools
- Most admin tools provide one or both of
  - Administrator control interface (manual)
  - Cloning of existing reference system (mirror)
- These may have a friendly GUI but often don't provide autonomous activity
- Allow a human manager to tweak things
- Most are management frameworks for executing scripts (in shell or perl)

Automation Tools (see Burgess, Page 156…)
- Examples include:
  - Tivoli
  - HP OpenView
  - Microsoft SMS
  - Sun Solstice
  - Host Factory
  - GNU/Linux tools

Scripting Languages used by Automation Tools
- Shell and CLI: native to host OS
  - Most common…
- Perl
- Python
- PHP

Monitoring Tools
- Unobtrusively gather data about network or host behaviour (ie audit)
- Usually leave analysis of data until later
- When specified parameters exceed pre-defined limits, an alarm can be raised (eg send email or SMS or pager message)
- Alarm may trigger maintenance activity
- In future, neural network or semantic analysis may be used to interpret these logs and perform complex autonomous maintenance
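An added example (not from the slides) of the alarm rule just described, in Python: a monitor that compares samples against pre-defined limits and raises an alarm when a value first exceeds its limit. It also handles the failure mode a practitioner hits at once: a value hovering at the limit would page repeatedly, so the alarm is cleared only once the value falls below a lower level (hysteresis). The metric names, limits and sample lines are all constructed, and the notify function stands in for the email, SMS or pager message.

```python
"""Threshold monitor with hysteresis: an added example, not from the slides.

Reads samples of the form '<timestamp> <host> <metric> <value>', raises one
alarm when a metric first exceeds its limit, and clears it only once the
value falls below a lower 'clear' level, so a reading hovering around the
limit does not generate a flood of pages.  All metric names, limits and
sample lines below are constructed.
"""

# Per-metric limits: (raise when above, clear when below)
LIMITS = {
    "disk_pct": (90, 85),
    "load1": (8.0, 6.0),
}

# Constructed monitoring samples, as a collector might log them
SAMPLES = """\
2024-01-04T02:00:00 www1 disk_pct 88
2024-01-04T02:05:00 www1 disk_pct 91
2024-01-04T02:10:00 www1 disk_pct 92
2024-01-04T02:12:00 www1 disk_pct n/a
2024-01-04T02:15:00 www1 disk_pct 89
2024-01-04T02:20:00 www1 disk_pct 84
2024-01-04T02:20:00 www1 load1 9.5
2024-01-04T02:25:00 www1 load1 7.0
2024-01-04T02:30:00 www1 load1 5.0
2024-01-04T02:30:00 db1 disk_pct 95
"""

def monitor(samples, limits, notify):
    """Return a list of (kind, timestamp, host, metric, value) events, where
    kind is 'RAISE' or 'CLEAR'; `notify` is called with a message for each.
    Malformed lines and metrics without limits are ignored."""
    active = set()              # (host, metric) pairs currently in alarm
    events = []
    for line in samples.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, metric, raw = parts
        try:
            value = float(raw)
        except ValueError:      # e.g. a collector wrote 'n/a'
            continue
        if metric not in limits:
            continue
        high, low = limits[metric]
        key = (host, metric)
        if key not in active and value > high:
            active.add(key)
            events.append(("RAISE", ts, host, metric, value))
            notify(f"{ts} ALARM {host} {metric}={value} exceeds {high}")
        elif key in active and value < low:
            active.discard(key)
            events.append(("CLEAR", ts, host, metric, value))
            notify(f"{ts} CLEAR {host} {metric}={value} below {low}")
    return events

def event_kinds(samples=SAMPLES, limits=LIMITS):
    """Just the RAISE/CLEAR sequence for the samples, with notifications dropped."""
    return [event[0] for event in monitor(samples, limits, lambda message: None)]

if __name__ == "__main__":
    monitor(SAMPLES, LIMITS, print)   # in practice: send email / SMS / pager
```

On the sample data www1's disk usage crosses 90, stays above the clear level through the 89 reading without a second page, and clears at 84; without the lower threshold the 92, 89 and 95 readings would each have triggered a fresh alarm.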
SNMP Tools
- Useful for accessing management information from networked devices
- Require the user to know the MIB structure
- Focus on message exchange syntax rather than information content…
- snmpwalk, snmpget
- Other APIs encapsulate SNMP tools
Preventative Maintenance
- Determine system policies
  - Define what is expected and the response to failure
- SysAdmin team agreement
- Enforce policies – inspect and repair
- Educate users in good and bad practice
- Care for special users. Catering to mission-critical or power users can save time and effort later

Preventative Maintenance in general
- Don't rely on outside support – invest in local expertise
- Educate users by posting information in a clear and friendly way
- Make rules and structures as simple as possible
- Keep valuable information about configurations securely and readily available
- Document all changes so that others who may rebuild can incorporate them
- Work defensively
- If it ain't broke, don't fix it
- Duplication provides fallback in case of a crisis

Other Preventative measures
- Garbage collection
  - Disk tidying – deleting old or temporary files, flushing caches and out-of-date documents
  - Process management – removing orphan and run-away or hung processes
- Productivity or throughput
  - Priorities and quotas – can prevent rogue processes flooding disk or overloading CPU, but can also interfere with legitimate short-term overloads (eg compiles or compute-bound processes)
Cfengine
- An environment for turning system policy into automated maintenance actions

Cfengine (see Burgess, 1st Edn Pg 158, 385)
- Use cron to start cfengine at regular intervals
- cfengine is a language used to define policies and a run-time environment (or robot) to interpret and implement these policies
- cfengine is about:
  - Defining how all hosts in the network are to be configured
  - Writing this as a 'program' to be read by all hosts
  - Running this program on each host to check and fix its own configuration

cfengine capabilities
- Check and configure network interface
- Edit text files for system or users
- Make/maintain symbolic links
- Check and set file permissions
- Delete 'junk' files
- Automatic 'static' mounting of NFS files
- Checks for presence of important system files
- Controlled execution of user scripts
- Process management

cfengine programs
- cfengine.conf contains several action-type sections:

    action-type:
       classes::
          list of actions

- Sections may be in any order, but are executed in the order set by the actionsequence parameter of the control action-type
- Classes is a single or compound expression identifying:
  - Operating systems
  - Hosts
  - Times and days
  - A user defined string
- Actions are only performed if the classes:: expression is true for the current machine
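An added example in Python, written for this page and not cfengine code: a minimal model of the two ideas above. Actions are gated by a class expression (the cfengine-2 convention of '.' for AND, '|' for OR and '!' for NOT is followed, but the grammar, class names and action names here are illustrative, not cfengine.conf syntax), and each action checks the host's state and repairs only what deviates, so a run started from cron every hour converges instead of piling up side effects. The two actions modelled, fixing file permissions and tidying old junk files, correspond to the capabilities listed above and to the disk-tidying garbage collection on the preventative maintenance slide. The host layout is built in a temporary directory and is constructed.

```python
"""Class-gated check-and-repair policy runner: an added example, not cfengine.
Each policy entry is (class expression, action type, arguments).  The class
expression follows the cfengine-2 convention ('.' AND, '|' OR, '!' NOT,
parentheses), but the grammar, class names and action names here are
illustrative, not cfengine.conf syntax.  Actions check the host and repair
only what deviates, so repeated runs converge instead of piling up effects.
"""
import fnmatch
import os
import re
import tempfile
import time

def class_expr_true(expr, host_classes):
    """Evaluate e.g. 'linux.!workstation' against this host's set of classes."""
    compact = expr.replace(" ", "")
    tokens = re.findall(r"\w+|[.|!()]", compact)
    if "".join(tokens) != compact:           # stray characters
        raise ValueError(f"bad class expression: {expr!r}")
    pos = 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None
    def parse_or():                          # a | b
        value = parse_and()
        while peek() == "|":
            take()
            value = parse_and() or value     # always parse the right side
        return value
    def parse_and():                         # a.b
        value = parse_not()
        while peek() == ".":
            take()
            value = parse_not() and value
        return value
    def parse_not():                         # !a, (a), or a class name
        tok = take()
        if tok == "!":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            return value
        if not re.fullmatch(r"\w+", tok or ""):
            raise ValueError(f"bad class expression: {expr!r}")
        return tok in host_classes
    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result

def files_action(path, mode):
    """Ensure `path` has exactly permission bits `mode`; 'ok' or 'fixed'."""
    if (os.lstat(path).st_mode & 0o7777) == mode:
        return "ok"
    os.chmod(path, mode)
    return "fixed"

def tidy_action(directory, pattern, age_days):
    """Delete regular files matching `pattern` not modified for `age_days`
    (symlinks are left alone); return the list of deleted paths."""
    cutoff = time.time() - age_days * 86400
    removed = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if (fnmatch.fnmatch(name, pattern) and not os.path.islink(path)
                and os.path.isfile(path) and os.stat(path).st_mtime < cutoff):
            os.remove(path)
            removed.append(path)
    return removed

ACTIONS = {"files": files_action, "tidy": tidy_action}

def run_policy(policy, host_classes):
    """Run the actions whose class expression holds; report each outcome."""
    return [ACTIONS[action](*args) if class_expr_true(expr, host_classes)
            else "skipped" for expr, action, args in policy]

def demo():
    """Constructed layout in a temp dir; apply the policy twice, return both reports."""
    with tempfile.TemporaryDirectory() as root:
        cfg, tmp = os.path.join(root, "app.conf"), os.path.join(root, "tmp")
        open(cfg, "w").close()
        os.chmod(cfg, 0o666)                 # world-writable: deviates
        os.mkdir(tmp)
        for name in ("old.core", "new.core"):
            open(os.path.join(tmp, name), "w").close()
        stale = time.time() - 8 * 86400      # old.core becomes 8 days old
        os.utime(os.path.join(tmp, "old.core"), (stale, stale))
        policy = [("linux|solaris", "files", (cfg, 0o600)),
                  ("linux.!workstation", "tidy", (tmp, "*.core", 7)),
                  ("workstation", "tidy", (tmp, "*", 30))]
        host = {"linux", "server", "Hr03"}
        summarise = lambda report: [r if isinstance(r, str) else len(r) for r in report]
        return summarise(run_policy(policy, host)), summarise(run_policy(policy, host))

if __name__ == "__main__":
    print(demo())   # first run repairs and deletes, second run finds nothing to do
```

The first run reports the permission fix and one deleted file; the second reports 'ok' and nothing deleted, which is the convergence property that makes such a program safe to start from cron at regular intervals. The tidy action refuses to follow symbolic links, since deleting through a link planted in a shared temporary directory is the classic way a junk-file sweep run as root goes wrong.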
Data Configuration & Management
- Databases required as web back-end
  - Usually SQL based
- Database used as parameter storage
  - LDAP
  - Other proprietary storage (eg NDS, Active Directory)