We are nearing the end of fall opening. We have roughly 3600 registrations, and as Pat said, things have gone quite smoothly. There were a few…er…complications which caused registration or internet access to be down for a short while but fortunately this was toward the end of the week. We got things resolved quickly when they did come up.
So as we move past getting everybody online, projects can start back up. The last major things that need to be transitioned are Mail and Webpages. I have already set most everything up on the new server, but of course, we have to do a lot of testing. Much of this cannot even be completely finalized until I actually move it. Of course, a lot of the other services were the same, and they proved in the end to work out fine. Those services were much more “critical” too. I think the last transitions will go well.
After that is all done, it is time to clean up and tighten security on the machines. This is when I will add local firewall rulesets on each of the machines. These rulesets will:
- Block spoofed (nonexistent) local addresses altogether
- Only allow connections to services from hosts we allow
So, for example, no host (not even our servers) will be able to access the dedicated MySQL server unless it needs to. Further, “nonexistent” addresses like 10.242.199.10 will not be able to access our registration server.
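As an added illustration (not the post’s own firewall script, and the post never says which packet filter is in use, so pf(4) is an assumption), here is what a per-host ruleset in the shape described above could look like on a dedicated MySQL box. The interface name, the allocated ranges and the client/admin addresses are placeholders:

```pf
# Added example, not the post's own script: a pf(4) ruleset for a dedicated
# MySQL host. pf itself is an assumption (the post does not name the filter);
# the interface name, the address ranges and the host addresses are placeholders.

ext_if = "em0"

# Address space that is actually in use on our network. Any source outside
# these ranges, e.g. the "nonexistent" 10.242.199.10, never gets in at all.
table <allocated>  const { 10.242.0.0/20, 10.242.16.0/22 }

# The only hosts that need to reach MySQL, and the admin hosts allowed to SSH in.
table <db_clients> const { 10.242.1.10, 10.242.1.11 }
table <admins>     const { 10.242.1.20 }

set skip on lo0
set block-policy drop

# Packets claiming this box's own address, or its attached network while
# arriving on some other interface, are spoofed: drop them outright.
antispoof quick for $ext_if inet

# Default deny, logged, so anything unexpected shows up in pflog.
block log all

# Sources that do not exist on our network (and anything off-campus) are
# dropped before any service rule is consulted.
block in log quick on $ext_if inet from ! <allocated> to any

# Let the host initiate its own connections (DNS, NTP, backups, ...).
pass out quick on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) to any keep state

# MySQL only from the hosts that need it; SSH only from admin hosts.
pass in on $ext_if inet proto tcp from <db_clients> to ($ext_if) port 3306 flags S/SA keep state
pass in on $ext_if inet proto tcp from <admins>     to ($ext_if) port 22   flags S/SA keep state

# Allow ping from allocated ranges so monitoring keeps working.
pass in on $ext_if inet proto icmp from <allocated> to ($ext_if) icmp-type echoreq keep state
```

Before loading this on a box you only reach over SSH, parse it without applying (`pfctl -nf /etc/pf.conf`), and keep an escape hatch such as `(sleep 300; pfctl -d) &` running until you have confirmed that a fresh SSH session from an admin host still works; `pfctl -sr` and `pfctl -t allocated -T show` show what was actually loaded. Then check from a host that is not in `<db_clients>` that a connection to port 3306 times out while a listed client still connects. The registration server would need a different set of `pass in` rules (its web ports must be open to clients on temporary leases), but the `! <allocated>` block and the antispoof line apply unchanged. The firewall complements, rather than replaces, MySQL’s own per-host grants.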
I will also begin restricting login access. This way, only people who have any reason to will be able to log in to our critical servers. And I will probably tighten up on certain files, home directories, etc. I might go a step further and place PortSentry or HostSentry on some boxes.
This all has to wait until I’m done moving things, for the most part, though. I don’t think it will be too long before then.
The last couple of weeks have been very busy.
Last night I made Odin-new our dedicated DB server (moving it off Kulshan). Some of the issues I ran into were annoying, but everything looks to have stabilized after a lot of MySQL hacking. This afternoon I began writing a firewall script for Odin-new to protect the DB server. Once everything is transitioned, security comes next, so I figured I would get an early start. Also this afternoon I set up authoritative DNS on Kulshan-new and made it a bit more organized than it was on Kulshan.
We’ve set up CARP on Vali and Vidar and set up a way to load balance between them using a round-robin DNS trick and CARP. Nick also set up the proxies to communicate using ICP (to check each other’s cache) which is cool, but should also save time and bandwidth. Perhaps this evening I will get the proxy stuff fully transitioned so we make use of the load balancing and failover as soon as possible.
DHCP is basically ready to go but I’ll have to come up with a time to transition.
The public and staff websites are pretty much transitioned, but they won’t be fully active until I completely replace Kulshan with Kulshan-new which isn’t too far off. I need to configure Apache on Kulshan-new to properly serve the staff site, make all the clients use Vidar/Vali for LDAP, and finally transition Mail one evening.
The Alvis rebuild was completed a while back. That was an interesting day considering nearly everything imaginable broke, but it’s stable now and the development server is basically done. It uses its own databases and such, and is quite isolated from everything else. I think it was about time I got around to that…
Went to Starbucks today to get myself back in the mindset of finishing these servers… Came up with some good notes. When I got back, I started finishing up some server stuff.
Odin-new now exports /usr/ports/distfiles and /usr/backups. I created a new backup scheme based on the old one. Only this time, all of the new servers have /usr/backups mounted so they can directly write their backups to it instead of having to SCP them over with trusted keys. I think the Filters will still use `scp` as I don’t like the idea of them mounting anything.
```
odin-new:/usr/backups on /usr/backups (nfs)
odin-new:/usr/ports/distfiles on /usr/ports/distfiles (nfs)
```
I also put a new version of makeDhcpConfig in CVS (make-dhcp-config.php) and made it “live.” Vali and Vidar run it via cron every minute, and though they are not serving DHCP yet, they generate a config file pulling information from Odin-new’s database. Unfortunately Odin-new’s database is not yet being updated by anything. The new dhcpd.conf uses Vali and Vidar as the DNS servers, and points clients to a new location for wpad.dat (on Kulshan). In order for the registration process to have clean access to temporary leases, I do believe Vali and Vidar are going to end up serving the registration pages. I don’t like this solution one bit, but I also don’t like the hacky solution of scp’ing the temporary leases via cron, or making Kulshan query the hallservers.
It’s tricky planning how to have two things running in parallel, make sure they’re perfectly in sync, and then transition. I’m still debating how exactly I’m going to do this for DHCP and mail.
Modified the database backup script to upload to Odin and keep track of Success or Failure. This was necessary because /space on Kulshan is constantly at 100% capacity…
I think I finally have figured out what was up with LDAP and it’s been working on Alvis-new since I made the changes. I wrote up a short document on that here. A good little reference for me and anyone else who needs it.
Discovered another nice little security hole today. I can’t wait until everything is finished with the new servers so I don’t have to worry about that.
We got the servers moved down into Bond Hall yesterday afternoon. They’re even in the rack, with the KVM switch and a monitor. It was “interesting” making sure I had access from remote and even local…but it’s sorted out now.